Auto commit, 1 new patch{es}.
[thirdparty/grsecurity-scrape.git] / test / grsecurity-3.1-4.2.5-201511021814.patch
0a2b3309
PK
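--- a/Documentation/dontdiff
+++ b/Documentation/dontdiff
@@ -3,9 +3,11 @@
 *.bc
 *.bin
 *.bz2
+*.c.[012]*.*
 *.cis
 *.cpio
 *.csp
+*.dbg
 *.dsp
 *.dvi
 *.elf
@@ -15,6 +17,7 @@
 *.gcov
 *.gen.S
 *.gif
+*.gmo
 *.grep
 *.grp
 *.gz
@@ -51,14 +54,17 @@
 *.tab.h
 *.tex
 *.ver
+*.vim
 *.xml
 *.xz
 *_MODULES
+*_reg_safe.h
 *_vga16.c
 *~
 \#*#
 *.9
-.*
+.[^g]*
+.gen*
 .*.d
 .mm
 53c700_d.h
@@ -72,9 +78,11 @@ Image
 Module.markers
 Module.symvers
 PENDING
+PERF*
 SCCS
 System.map*
 TAGS
+TRACEEVENT-CFLAGS
 aconf
 af_names.h
 aic7*reg.h*
@@ -83,6 +91,7 @@ aic7*seq.h*
 aicasm
 aicdb.h*
 altivec*.c
+ashldi3.S
 asm-offsets.h
 asm_offsets.h
 autoconf.h*
@@ -95,32 +104,40 @@ bounds.h
 bsetup
 btfixupprep
 build
+builtin-policy.h
 bvmlinux
 bzImage*
 capability_names.h
 capflags.c
 classlist.h*
+clut_vga16.c
+common-cmds.h
 comp*.log
 compile.h*
 conf
 config
 config-*
 config_data.h*
+config.c
 config.mak
 config.mak.autogen
+config.tmp
 conmakehash
 consolemap_deftbl.c*
 cpustr.h
 crc32table.h*
 cscope.*
 defkeymap.c
+devicetable-offsets.h
 devlist.h*
 dnotify_test
 docproc
 dslm
+dtc-lexer.lex.c
 elf2ecoff
 elfconfig.h*
 evergreen_reg_safe.h
+exception_policy.conf
 fixdep
 flask.h
 fore200e_mkfirm
@@ -128,12 +145,15 @@ fore200e_pca_fw.c*
 gconf
 gconf.glade.h
 gen-devlist
+gen-kdb_cmds.c
 gen_crc32table
 gen_init_cpio
 generated
 genheaders
 genksyms
 *_gray256.c
+hash
+hid-example
 hpet_example
 hugepage-mmap
 hugepage-shm
@@ -148,14 +168,14 @@ int32.c
 int4.c
 int8.c
 kallsyms
-kconfig
+kern_constants.h
 keywords.c
 ksym.c*
 ksym.h*
 kxgettext
 lex.c
 lex.*.c
-linux
+lib1funcs.S
 logo_*.c
 logo_*_clut224.c
 logo_*_mono.c
@@ -165,14 +185,15 @@ mach-types.h
 machtypes.h
 map
 map_hugetlb
-media
 mconf
+mdp
 miboot*
 mk_elfconfig
 mkboot
 mkbugboot
 mkcpustr
 mkdep
+mkpiggy
 mkprep
 mkregtable
 mktables
@@ -188,6 +209,8 @@ oui.c*
 page-types
 parse.c
 parse.h
+parse-events*
+pasyms.h
 patches*
 pca200e.bin
 pca200e_ecd.bin2
@@ -197,6 +220,7 @@ perf-archive
 piggyback
 piggy.gzip
 piggy.S
+pmu-*
 pnmtologo
 ppc_defs.h*
 pss_boot.h
@@ -206,7 +230,12 @@ r200_reg_safe.h
 r300_reg_safe.h
 r420_reg_safe.h
 r600_reg_safe.h
+randomize_layout_hash.h
+randomize_layout_seed.h
+realmode.lds
+realmode.relocs
 recordmcount
+regdb.c
 relocs
 rlim_names.h
 rn50_reg_safe.h
@@ -216,8 +245,12 @@ series
 setup
 setup.bin
 setup.elf
+signing_key*
+size_overflow_hash.h
 sImage
+slabinfo
 sm_tbl*
+sortextable
 split-include
 syscalltab.h
 tables.c
@@ -227,6 +260,7 @@ tftpboot.img
 timeconst.h
 times.h*
 trix_boot.h
+user_constants.h
 utsrelease.h*
 vdso-syms.lds
 vdso.lds
@@ -238,13 +272,17 @@ vdso32.lds
 vdso32.so.dbg
 vdso64.lds
 vdso64.so.dbg
+vdsox32.lds
+vdsox32-syms.lds
 version.h*
 vmImage
 vmlinux
 vmlinux-*
 vmlinux.aout
 vmlinux.bin.all
+vmlinux.bin.bz2
 vmlinux.lds
+vmlinux.relocs
 vmlinuz
 voffset.h
 vsyscall.lds
@@ -252,9 +290,12 @@ vsyscall_32.lds
 wanxlfw.inc
 uImage
 unifdef
+utsrelease.h
 wakeup.bin
 wakeup.elf
 wakeup.lds
+x509*
 zImage*
 zconf.hash.c
+zconf.lex.c
 zoffset.h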
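--- a/Documentation/kbuild/makefiles.txt
+++ b/Documentation/kbuild/makefiles.txt
@@ -23,10 +23,11 @@ This document describes the Linux kernel Makefiles.
 === 4 Host Program support
 --- 4.1 Simple Host Program
 --- 4.2 Composite Host Programs
- --- 4.3 Using C++ for host programs
- --- 4.4 Controlling compiler options for host programs
- --- 4.5 When host programs are actually built
- --- 4.6 Using hostprogs-$(CONFIG_FOO)
+ --- 4.3 Defining shared libraries
+ --- 4.4 Using C++ for host programs
+ --- 4.5 Controlling compiler options for host programs
+ --- 4.6 When host programs are actually built
+ --- 4.7 Using hostprogs-$(CONFIG_FOO)
 
 === 5 Kbuild clean infrastructure
 
@@ -643,7 +644,29 @@ Both possibilities are described in the following.
 Finally, the two .o files are linked to the executable, lxdialog.
 Note: The syntax <executable>-y is not permitted for host-programs.
 
---- 4.3 Using C++ for host programs
+--- 4.3 Defining shared libraries
+
+ Objects with extension .so are considered shared libraries, and
+ will be compiled as position independent objects.
+ Kbuild provides support for shared libraries, but the usage
+ shall be restricted.
+ In the following example the libkconfig.so shared library is used
+ to link the executable conf.
+
+ Example:
+ #scripts/kconfig/Makefile
+ hostprogs-y := conf
+ conf-objs := conf.o libkconfig.so
+ libkconfig-objs := expr.o type.o
+
+ Shared libraries always require a corresponding -objs line, and
+ in the example above the shared library libkconfig is composed by
+ the two objects expr.o and type.o.
+ expr.o and type.o will be built as position independent code and
+ linked as a shared library libkconfig.so. C++ is not supported for
+ shared libraries.
+
+--- 4.4 Using C++ for host programs
 
 kbuild offers support for host programs written in C++. This was
 introduced solely to support kconfig, and is not recommended
@@ -666,7 +689,7 @@ Both possibilities are described in the following.
 qconf-cxxobjs := qconf.o
 qconf-objs := check.o
 
---- 4.4 Controlling compiler options for host programs
+--- 4.5 Controlling compiler options for host programs
 
 When compiling host programs, it is possible to set specific flags.
 The programs will always be compiled utilising $(HOSTCC) passed
@@ -694,7 +717,7 @@ Both possibilities are described in the following.
 When linking qconf, it will be passed the extra option
 "-L$(QTDIR)/lib".
 
---- 4.5 When host programs are actually built
+--- 4.6 When host programs are actually built
 
 Kbuild will only build host-programs when they are referenced
 as a prerequisite.
@@ -725,7 +748,7 @@ Both possibilities are described in the following.
 This will tell kbuild to build lxdialog even if not referenced in
 any rule.
 
---- 4.6 Using hostprogs-$(CONFIG_FOO)
+--- 4.7 Using hostprogs-$(CONFIG_FOO)
 
 A typical pattern in a Kbuild file looks like this:
 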
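--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1244,6 +1244,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 Format: <unsigned int> such that (rxsize & ~0x1fffc0) == 0.
 Default: 1024
 
+ grsec_proc_gid= [GRKERNSEC_PROC_USERGROUP] Chooses GID to
+ ignore grsecurity's /proc restrictions
+
+ grsec_sysfs_restrict= Format: 0 | 1
+ Default: 1
+ Disables GRKERNSEC_SYSFS_RESTRICT if enabled in config
+
 hashdist= [KNL,NUMA] Large hashes allocated during boot
 are distributed across NUMA nodes. Defaults on
 for 64-bit NUMA, off otherwise.
@@ -2364,6 +2371,10 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 noexec=on: enable non-executable mappings (default)
 noexec=off: disable non-executable mappings
 
+ nopcid [X86-64]
+ Disable PCID (Process-Context IDentifier) even if it
+ is supported by the processor.
+
 nosmap [X86]
 Disable SMAP (Supervisor Mode Access Prevention)
 even if it is supported by processor.
@@ -2662,6 +2673,30 @@ bytes respectively. Such letter suffixes can also be entirely omitted.
 the specified number of seconds. This is to be used if
 your oopses keep scrolling off the screen.
 
+ pax_nouderef [X86] disables UDEREF. Most likely needed under certain
+ virtualization environments that don't cope well with the
+ expand down segment used by UDEREF on X86-32 or the frequent
+ page table updates on X86-64.
+
+ pax_sanitize_slab=
+ Format: { 0 | 1 | off | fast | full }
+ Options '0' and '1' are only provided for backward
+ compatibility, 'off' or 'fast' should be used instead.
+ 0|off : disable slab object sanitization
+ 1|fast: enable slab object sanitization excluding
+ whitelisted slabs (default)
+ full : sanitize all slabs, even the whitelisted ones
+
+ pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
+
+ pax_extra_latent_entropy
+ Enable a very simple form of latent entropy extraction
+ from the first 4GB of memory as the bootmem allocator
+ passes the memory pages to the buddy allocator.
+
+ pax_weakuderef [X86-64] enables the weaker but faster form of UDEREF
+ when the processor supports PCID.
+
 pcbit= [HW,ISDN]
 
 pcd. [PARIDE]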
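--- a/Documentation/sysctl/kernel.txt
+++ b/Documentation/sysctl/kernel.txt
@@ -41,6 +41,7 @@ show up in /proc/sys/kernel:
 - kptr_restrict
 - kstack_depth_to_print [ X86 only ]
 - l2cr [ PPC only ]
+- modify_ldt [ X86 only ]
 - modprobe ==> Documentation/debugging-modules.txt
 - modules_disabled
 - msg_next_id [ sysv ipc ]
@@ -391,6 +392,20 @@ This flag controls the L2 cache of G3 processor boards. If
 
 ==============================================================
 
+modify_ldt: (X86 only)
+
+Enables (1) or disables (0) the modify_ldt syscall. Modifying the LDT
+(Local Descriptor Table) may be needed to run a 16-bit or segmented code
+such as Dosemu or Wine. This is done via a system call which is not needed
+to run portable applications, and which can sometimes be abused to exploit
+some weaknesses of the architecture, opening new vulnerabilities.
+
+This sysctl allows one to increase the system's security by disabling the
+system call, or to restore compatibility with specific applications when it
+was already disabled.
+
+==============================================================
+
 modules_disabled:
 
 A toggle value indicating if modules are allowed to be loaded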
408diff --git a/Makefile b/Makefile
409index 96076dc..451272d 100644
410--- a/Makefile
411+++ b/Makefile
412@@ -298,7 +298,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH" ]; then echo $$BASH; \
413 HOSTCC = gcc
414 HOSTCXX = g++
415 HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -std=gnu89
416-HOSTCXXFLAGS = -O2
417+HOSTCFLAGS = -W -Wno-unused-parameter -Wno-missing-field-initializers -fno-delete-null-pointer-checks
418+HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
419+HOSTCXXFLAGS = -O2 -Wall -W -Wno-array-bounds
420
421 ifeq ($(shell $(HOSTCC) -v 2>&1 | grep -c "clang version"), 1)
422 HOSTCFLAGS += -Wno-unused-value -Wno-unused-parameter \
423@@ -434,8 +436,8 @@ export RCS_TAR_IGNORE := --exclude SCCS --exclude BitKeeper --exclude .svn \
424 # Rules shared between *config targets and build targets
425
426 # Basic helpers built in scripts/
427-PHONY += scripts_basic
428-scripts_basic:
429+PHONY += scripts_basic gcc-plugins
430+scripts_basic: gcc-plugins
431 $(Q)$(MAKE) $(build)=scripts/basic
432 $(Q)rm -f .tmp_quiet_recordmcount
433
434@@ -615,6 +617,74 @@ endif
435 # Tell gcc to never replace conditional load with a non-conditional one
436 KBUILD_CFLAGS += $(call cc-option,--param=allow-store-data-races=0)
437
438+ifndef DISABLE_PAX_PLUGINS
439+ifeq ($(call cc-ifversion, -ge, 0408, y), y)
440+PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCXX)" "$(HOSTCXX)" "$(CC)")
441+else
442+PLUGINCC := $(shell $(CONFIG_SHELL) $(srctree)/scripts/gcc-plugin.sh "$(HOSTCC)" "$(HOSTCXX)" "$(CC)")
443+endif
444+ifneq ($(PLUGINCC),)
445+ifdef CONFIG_PAX_CONSTIFY_PLUGIN
446+CONSTIFY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/constify_plugin.so -DCONSTIFY_PLUGIN
447+endif
448+ifdef CONFIG_PAX_MEMORY_STACKLEAK
449+STACKLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/stackleak_plugin.so -DSTACKLEAK_PLUGIN
450+STACKLEAK_PLUGIN_CFLAGS += -fplugin-arg-stackleak_plugin-track-lowest-sp=100
451+endif
452+ifdef CONFIG_KALLOCSTAT_PLUGIN
453+KALLOCSTAT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kallocstat_plugin.so
454+endif
455+ifdef CONFIG_PAX_KERNEXEC_PLUGIN
456+KERNEXEC_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/kernexec_plugin.so
457+KERNEXEC_PLUGIN_CFLAGS += -fplugin-arg-kernexec_plugin-method=$(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD) -DKERNEXEC_PLUGIN
458+KERNEXEC_PLUGIN_AFLAGS := -DKERNEXEC_PLUGIN
459+endif
460+ifdef CONFIG_GRKERNSEC_RANDSTRUCT
461+RANDSTRUCT_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/randomize_layout_plugin.so -DRANDSTRUCT_PLUGIN
462+ifdef CONFIG_GRKERNSEC_RANDSTRUCT_PERFORMANCE
463+RANDSTRUCT_PLUGIN_CFLAGS += -fplugin-arg-randomize_layout_plugin-performance-mode
464+endif
465+endif
466+ifdef CONFIG_CHECKER_PLUGIN
467+ifeq ($(call cc-ifversion, -ge, 0406, y), y)
468+CHECKER_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/checker_plugin.so -DCHECKER_PLUGIN
469+endif
470+endif
471+COLORIZE_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/colorize_plugin.so
472+ifdef CONFIG_PAX_SIZE_OVERFLOW
473+SIZE_OVERFLOW_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/size_overflow_plugin/size_overflow_plugin.so -DSIZE_OVERFLOW_PLUGIN
474+endif
475+ifdef CONFIG_PAX_LATENT_ENTROPY
476+LATENT_ENTROPY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/latent_entropy_plugin.so -DLATENT_ENTROPY_PLUGIN
477+endif
478+ifdef CONFIG_PAX_MEMORY_STRUCTLEAK
479+STRUCTLEAK_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/structleak_plugin.so -DSTRUCTLEAK_PLUGIN
480+endif
481+INITIFY_PLUGIN_CFLAGS := -fplugin=$(objtree)/tools/gcc/initify_plugin.so -DINITIFY_PLUGIN
482+GCC_PLUGINS_CFLAGS := $(CONSTIFY_PLUGIN_CFLAGS) $(STACKLEAK_PLUGIN_CFLAGS) $(KALLOCSTAT_PLUGIN_CFLAGS)
483+GCC_PLUGINS_CFLAGS += $(KERNEXEC_PLUGIN_CFLAGS) $(CHECKER_PLUGIN_CFLAGS) $(COLORIZE_PLUGIN_CFLAGS)
484+GCC_PLUGINS_CFLAGS += $(SIZE_OVERFLOW_PLUGIN_CFLAGS) $(LATENT_ENTROPY_PLUGIN_CFLAGS) $(STRUCTLEAK_PLUGIN_CFLAGS)
485+GCC_PLUGINS_CFLAGS += $(INITIFY_PLUGIN_CFLAGS)
486+GCC_PLUGINS_CFLAGS += $(RANDSTRUCT_PLUGIN_CFLAGS)
487+GCC_PLUGINS_AFLAGS := $(KERNEXEC_PLUGIN_AFLAGS)
488+export PLUGINCC GCC_PLUGINS_CFLAGS GCC_PLUGINS_AFLAGS CONSTIFY_PLUGIN LATENT_ENTROPY_PLUGIN_CFLAGS
489+ifeq ($(KBUILD_EXTMOD),)
490+gcc-plugins:
491+ $(Q)$(MAKE) $(build)=tools/gcc
492+else
493+gcc-plugins: ;
494+endif
495+else
496+gcc-plugins:
497+ifeq ($(call cc-ifversion, -ge, 0405, y), y)
498+ $(error Your gcc installation does not support plugins. If the necessary headers for plugin support are missing, they should be installed. On Debian, apt-get install gcc-<ver>-plugin-dev. If you choose to ignore this error and lessen the improvements provided by this patch, re-run make with the DISABLE_PAX_PLUGINS=y argument.))
499+else
500+ $(Q)echo "warning, your gcc version does not support plugins, you should upgrade it to gcc 4.5 at least"
501+endif
502+ $(Q)echo "PAX_MEMORY_STACKLEAK, constification, PAX_LATENT_ENTROPY and other features will be less secure. PAX_SIZE_OVERFLOW will not be active."
503+endif
504+endif
505+
506 ifdef CONFIG_READABLE_ASM
507 # Disable optimizations that make assembler listings hard to read.
508 # reorder blocks reorders the control in the function
509@@ -714,7 +784,7 @@ KBUILD_CFLAGS += $(call cc-option, -gsplit-dwarf, -g)
510 else
511 KBUILD_CFLAGS += -g
512 endif
513-KBUILD_AFLAGS += -Wa,-gdwarf-2
514+KBUILD_AFLAGS += -Wa,--gdwarf-2
515 endif
516 ifdef CONFIG_DEBUG_INFO_DWARF4
517 KBUILD_CFLAGS += $(call cc-option, -gdwarf-4,)
518@@ -886,7 +956,7 @@ export mod_sign_cmd
519
520
521 ifeq ($(KBUILD_EXTMOD),)
522-core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
523+core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
524
525 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
526 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
527@@ -936,6 +1006,8 @@ endif
528
529 # The actual objects are generated when descending,
530 # make sure no implicit rule kicks in
531+$(filter-out $(init-y),$(vmlinux-deps)): KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
532+$(filter-out $(init-y),$(vmlinux-deps)): KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
533 $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
534
535 # Handle descending into subdirectories listed in $(vmlinux-dirs)
536@@ -945,7 +1017,7 @@ $(sort $(vmlinux-deps)): $(vmlinux-dirs) ;
537 # Error messages still appears in the original language
538
539 PHONY += $(vmlinux-dirs)
540-$(vmlinux-dirs): prepare scripts
541+$(vmlinux-dirs): gcc-plugins prepare scripts
542 $(Q)$(MAKE) $(build)=$@
543
544 define filechk_kernel.release
545@@ -988,10 +1060,13 @@ prepare1: prepare2 $(version_h) include/generated/utsrelease.h \
546
547 archprepare: archheaders archscripts prepare1 scripts_basic
548
549+prepare0: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
550+prepare0: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
551 prepare0: archprepare FORCE
552 $(Q)$(MAKE) $(build)=.
553
554 # All the preparing..
555+prepare: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS))
556 prepare: prepare0
557
558 # Generate some files
559@@ -1099,6 +1174,8 @@ all: modules
560 # using awk while concatenating to the final file.
561
562 PHONY += modules
563+modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
564+modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
565 modules: $(vmlinux-dirs) $(if $(KBUILD_BUILTIN),vmlinux) modules.builtin
566 $(Q)$(AWK) '!x[$$0]++' $(vmlinux-dirs:%=$(objtree)/%/modules.order) > $(objtree)/modules.order
567 @$(kecho) ' Building modules, stage 2.';
568@@ -1114,7 +1191,7 @@ modules.builtin: $(vmlinux-dirs:%=%/modules.builtin)
569
570 # Target to prepare building external modules
571 PHONY += modules_prepare
572-modules_prepare: prepare scripts
573+modules_prepare: gcc-plugins prepare scripts
574
575 # Target to install modules
576 PHONY += modules_install
577@@ -1180,7 +1257,10 @@ MRPROPER_FILES += .config .config.old .version .old_version \
578 Module.symvers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS \
579 signing_key.priv signing_key.x509 x509.genkey \
580 extra_certificates signing_key.x509.keyid \
581- signing_key.x509.signer vmlinux-gdb.py
582+ signing_key.x509.signer vmlinux-gdb.py \
583+ tools/gcc/size_overflow_plugin/size_overflow_hash_aux.h \
584+ tools/gcc/size_overflow_plugin/size_overflow_hash.h \
585+ tools/gcc/randomize_layout_seed.h
586
587 # clean - Delete most, but leave enough to build external modules
588 #
589@@ -1219,7 +1299,7 @@ distclean: mrproper
590 @find $(srctree) $(RCS_FIND_IGNORE) \
591 \( -name '*.orig' -o -name '*.rej' -o -name '*~' \
592 -o -name '*.bak' -o -name '#*#' -o -name '.*.orig' \
593- -o -name '.*.rej' -o -name '*%' -o -name 'core' \) \
594+ -o -name '.*.rej' -o -name '*.so' -o -name '*%' -o -name 'core' \) \
595 -type f -print | xargs rm -f
596
597
598@@ -1385,6 +1465,8 @@ PHONY += $(module-dirs) modules
599 $(module-dirs): crmodverdir $(objtree)/Module.symvers
600 $(Q)$(MAKE) $(build)=$(patsubst _module_%,%,$@)
601
602+modules: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
603+modules: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
604 modules: $(module-dirs)
605 @$(kecho) ' Building modules, stage 2.';
606 $(Q)$(MAKE) -f $(srctree)/scripts/Makefile.modpost
607@@ -1525,17 +1607,21 @@ else
608 target-dir = $(if $(KBUILD_EXTMOD),$(dir $<),$(dir $@))
609 endif
610
611-%.s: %.c prepare scripts FORCE
612+%.s: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
613+%.s: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
614+%.s: %.c gcc-plugins prepare scripts FORCE
615 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
616 %.i: %.c prepare scripts FORCE
617 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
618-%.o: %.c prepare scripts FORCE
619+%.o: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
620+%.o: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
621+%.o: %.c gcc-plugins prepare scripts FORCE
622 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
623 %.lst: %.c prepare scripts FORCE
624 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
625-%.s: %.S prepare scripts FORCE
626+%.s: %.S gcc-plugins prepare scripts FORCE
627 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
628-%.o: %.S prepare scripts FORCE
629+%.o: %.S gcc-plugins prepare scripts FORCE
630 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
631 %.symtypes: %.c prepare scripts FORCE
632 $(Q)$(MAKE) $(build)=$(build-dir) $(target-dir)$(notdir $@)
633@@ -1547,11 +1633,15 @@ endif
634 $(build)=$(build-dir)
635 # Make sure the latest headers are built for Documentation
636 Documentation/: headers_install
637-%/: prepare scripts FORCE
638+%/: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
639+%/: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
640+%/: gcc-plugins prepare scripts FORCE
641 $(cmd_crmodverdir)
642 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
643 $(build)=$(build-dir)
644-%.ko: prepare scripts FORCE
645+%.ko: KBUILD_CFLAGS += $(GCC_PLUGINS_CFLAGS)
646+%.ko: KBUILD_AFLAGS += $(GCC_PLUGINS_AFLAGS)
647+%.ko: gcc-plugins prepare scripts FORCE
648 $(cmd_crmodverdir)
649 $(Q)$(MAKE) KBUILD_MODULES=$(if $(CONFIG_MODULES),1) \
650 $(build)=$(build-dir) $(@:.ko=.o)
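Review bot: In the first Makefile hunk the added `HOSTCFLAGS = -W -Wno-unused-parameter -Wno-missing-field-initializers -fno-delete-null-pointer-checks` uses plain `=` directly after the unchanged `HOSTCFLAGS = -Wall ... -O2 -fomit-frame-pointer -std=gnu89` line, so as rendered here the second assignment replaces the first and host tools lose `-Wall`, `-O2` and `-std=gnu89`. If the intent was to extend the flags, the line should read `HOSTCFLAGS += -W -Wno-unused-parameter -Wno-missing-field-initializers -fno-delete-null-pointer-checks`. In the plugin block, the `$(error ...)` text ends in `))`, one parenthesis more than it opens. On compilers older than 4.5 the `gcc-plugins` target only echoes a warning, so the build continues without the plugin-based hardening; a comment stating that this fallback is deliberate would help whoever audits the resulting kernel.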
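--- a/arch/alpha/include/asm/atomic.h
+++ b/arch/alpha/include/asm/atomic.h
@@ -239,4 +239,14 @@ static inline long atomic64_dec_if_positive(atomic64_t *v)
 #define atomic_dec(v) atomic_sub(1,(v))
 #define atomic64_dec(v) atomic64_sub(1,(v))
 
+#define atomic64_read_unchecked(v) atomic64_read(v)
+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
+#define atomic64_inc_unchecked(v) atomic64_inc(v)
+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
+#define atomic64_dec_unchecked(v) atomic64_dec(v)
+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
+
 #endif /* _ALPHA_ATOMIC_H */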
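Review bot: The new `atomic64_*_unchecked` macros are added without a comment, and each one expands directly to the ordinary `atomic64_*` operation, so this header does not say whether the two families are meant to behave differently on alpha. A one-line comment above the block would settle that, for example `/* alpha: the _unchecked variants are plain aliases of the regular atomic64 ops */`, extended with the reason once the author confirms it. Only 64-bit operations get aliases in this hunk; if callers use 32-bit `atomic_*_unchecked` names on this architecture, those have to be provided somewhere outside the visible lines.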
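--- a/arch/alpha/include/asm/cache.h
+++ b/arch/alpha/include/asm/cache.h
@@ -4,19 +4,19 @@
 #ifndef __ARCH_ALPHA_CACHE_H
 #define __ARCH_ALPHA_CACHE_H
 
+#include <linux/const.h>
 
 /* Bytes per L1 (data) cache line. */
 #if defined(CONFIG_ALPHA_GENERIC) || defined(CONFIG_ALPHA_EV6)
-# define L1_CACHE_BYTES 64
 # define L1_CACHE_SHIFT 6
 #else
 /* Both EV4 and EV5 are write-through, read-allocate,
 direct-mapped, physical.
 */
-# define L1_CACHE_BYTES 32
 # define L1_CACHE_SHIFT 5
 #endif
 
+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
 #define SMP_CACHE_BYTES L1_CACHE_BYTES
 
 #endif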
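--- a/arch/alpha/include/asm/elf.h
+++ b/arch/alpha/include/asm/elf.h
@@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
 
 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
 
+#ifdef CONFIG_PAX_ASLR
+#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
+
+#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
+#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
+#endif
+
 /* $0 is set by ld.so to a pointer to a function which might be
 registered using atexit. This provides a mean for the dynamic
 linker to call DT_FINI functions for shared libraries that have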
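Review bot: The three macros added under `CONFIG_PAX_ASLR` carry no comment, and nothing in this header says what unit `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are expressed in or why an `ADDR_LIMIT_32BIT` personality gets 14 where the default gets 28 and 19. A short comment such as `/* presumably bits of mmap/stack randomisation; reduced for ADDR_LIMIT_32BIT tasks */`, confirmed by the author, would let a reviewer check the values against the usable address-space size. Each macro also reads `current->personality` on every expansion, which is worth stating in the comment because the result is not a compile-time constant.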
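--- a/arch/alpha/include/asm/pgalloc.h
+++ b/arch/alpha/include/asm/pgalloc.h
@@ -29,6 +29,12 @@ pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
 pgd_set(pgd, pmd);
 }
 
+static inline void
+pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
+{
+ pgd_populate(mm, pgd, pmd);
+}
+
 extern pgd_t *pgd_alloc(struct mm_struct *mm);
 
 static inline void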
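--- a/arch/alpha/include/asm/pgtable.h
+++ b/arch/alpha/include/asm/pgtable.h
@@ -101,6 +101,17 @@ struct vm_area_struct;
 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
+
+#ifdef CONFIG_PAX_PAGEEXEC
+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
+#else
+# define PAGE_SHARED_NOEXEC PAGE_SHARED
+# define PAGE_COPY_NOEXEC PAGE_COPY
+# define PAGE_READONLY_NOEXEC PAGE_READONLY
+#endif
+
 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
 
 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))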
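--- a/arch/alpha/kernel/module.c
+++ b/arch/alpha/kernel/module.c
@@ -160,7 +160,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs, const char *strtab,
 
 /* The small sections were sorted to the end of the segment.
 The following should definitely cover them. */
- gp = (u64)me->module_core + me->core_size - 0x8000;
+ gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
 got = sechdrs[me->arch.gotsecindex].sh_addr;
 
 for (i = 0; i < n; i++) {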
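--- a/arch/alpha/kernel/osf_sys.c
+++ b/arch/alpha/kernel/osf_sys.c
@@ -1295,10 +1295,11 @@ SYSCALL_DEFINE1(old_adjtimex, struct timex32 __user *, txc_p)
 generic version except that we know how to honor ADDR_LIMIT_32BIT. */
 
 static unsigned long
-arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
- unsigned long limit)
+arch_get_unmapped_area_1(struct file *filp, unsigned long addr, unsigned long len,
+ unsigned long limit, unsigned long flags)
 {
 struct vm_unmapped_area_info info;
+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
 
 info.flags = 0;
 info.length = len;
@@ -1306,6 +1307,7 @@ arch_get_unmapped_area_1(unsigned long addr, unsigned long len,
 info.high_limit = limit;
 info.align_mask = 0;
 info.align_offset = 0;
+ info.threadstack_offset = offset;
 return vm_unmapped_area(&info);
 }
 
@@ -1338,20 +1340,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
 merely specific addresses, but regions of memory -- perhaps
 this feature should be incorporated into all ports? */
 
+#ifdef CONFIG_PAX_RANDMMAP
+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
+#endif
+
 if (addr) {
- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
+ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(addr), len, limit, flags);
 if (addr != (unsigned long) -ENOMEM)
 return addr;
 }
 
 /* Next, try allocating at TASK_UNMAPPED_BASE. */
- addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
- len, limit);
+ addr = arch_get_unmapped_area_1 (filp, PAGE_ALIGN(current->mm->mmap_base), len, limit, flags);
+
 if (addr != (unsigned long) -ENOMEM)
 return addr;
 
 /* Finally, try allocating in low memory. */
- addr = arch_get_unmapped_area_1 (PAGE_SIZE, len, limit);
+ addr = arch_get_unmapped_area_1 (filp, PAGE_SIZE, len, limit, flags);
 
 return addr;
 }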
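Review bot: In `arch_get_unmapped_area` the added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and is separated from the `if (addr) {` block it guards by `#endif` and a blank line, so the control flow changes with CONFIG_PAX_RANDMMAP in a way that is easy to miss and easy to break by inserting a statement between the two. Drop the blank line and put a comment on the guard, e.g. `/* PaX: skip the caller's address hint when RANDMMAP is set for this mm */`. The unchanged comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` is also stale now that the call passes `current->mm->mmap_base`. The function begins before the hunk, so the declarations of `limit` and `flags` are not visible here.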
821diff --git a/arch/alpha/mm/fault.c b/arch/alpha/mm/fault.c
822index 4a905bd..0a4da53 100644
823--- a/arch/alpha/mm/fault.c
824+++ b/arch/alpha/mm/fault.c
825@@ -52,6 +52,124 @@ __load_new_mm_context(struct mm_struct *next_mm)
826 __reload_thread(pcb);
827 }
828
829+#ifdef CONFIG_PAX_PAGEEXEC
830+/*
831+ * PaX: decide what to do with offenders (regs->pc = fault address)
832+ *
833+ * returns 1 when task should be killed
834+ * 2 when patched PLT trampoline was detected
835+ * 3 when unpatched PLT trampoline was detected
836+ */
837+static int pax_handle_fetch_fault(struct pt_regs *regs)
838+{
839+
840+#ifdef CONFIG_PAX_EMUPLT
841+ int err;
842+
843+ do { /* PaX: patched PLT emulation #1 */
844+ unsigned int ldah, ldq, jmp;
845+
846+ err = get_user(ldah, (unsigned int *)regs->pc);
847+ err |= get_user(ldq, (unsigned int *)(regs->pc+4));
848+ err |= get_user(jmp, (unsigned int *)(regs->pc+8));
849+
850+ if (err)
851+ break;
852+
853+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
854+ (ldq & 0xFFFF0000U) == 0xA77B0000U &&
855+ jmp == 0x6BFB0000U)
856+ {
857+ unsigned long r27, addr;
858+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
859+ unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
860+
861+ addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
862+ err = get_user(r27, (unsigned long *)addr);
863+ if (err)
864+ break;
865+
866+ regs->r27 = r27;
867+ regs->pc = r27;
868+ return 2;
869+ }
870+ } while (0);
871+
872+ do { /* PaX: patched PLT emulation #2 */
873+ unsigned int ldah, lda, br;
874+
875+ err = get_user(ldah, (unsigned int *)regs->pc);
876+ err |= get_user(lda, (unsigned int *)(regs->pc+4));
877+ err |= get_user(br, (unsigned int *)(regs->pc+8));
878+
879+ if (err)
880+ break;
881+
882+ if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
883+ (lda & 0xFFFF0000U) == 0xA77B0000U &&
884+ (br & 0xFFE00000U) == 0xC3E00000U)
885+ {
886+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
887+ unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
888+ unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
889+
890+ regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
891+ regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
892+ return 2;
893+ }
894+ } while (0);
895+
896+ do { /* PaX: unpatched PLT emulation */
897+ unsigned int br;
898+
899+ err = get_user(br, (unsigned int *)regs->pc);
900+
901+ if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
902+ unsigned int br2, ldq, nop, jmp;
903+ unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
904+
905+ addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
906+ err = get_user(br2, (unsigned int *)addr);
907+ err |= get_user(ldq, (unsigned int *)(addr+4));
908+ err |= get_user(nop, (unsigned int *)(addr+8));
909+ err |= get_user(jmp, (unsigned int *)(addr+12));
910+ err |= get_user(resolver, (unsigned long *)(addr+16));
911+
912+ if (err)
913+ break;
914+
915+ if (br2 == 0xC3600000U &&
916+ ldq == 0xA77B000CU &&
917+ nop == 0x47FF041FU &&
918+ jmp == 0x6B7B0000U)
919+ {
920+ regs->r28 = regs->pc+4;
921+ regs->r27 = addr+16;
922+ regs->pc = resolver;
923+ return 3;
924+ }
925+ }
926+ } while (0);
927+#endif
928+
929+ return 1;
930+}
931+
932+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
933+{
934+ unsigned long i;
935+
936+ printk(KERN_ERR "PAX: bytes at PC: ");
937+ for (i = 0; i < 5; i++) {
938+ unsigned int c;
939+ if (get_user(c, (unsigned int *)pc+i))
940+ printk(KERN_CONT "???????? ");
941+ else
942+ printk(KERN_CONT "%08x ", c);
943+ }
944+ printk("\n");
945+}
946+#endif
947
948 /*
949 * This routine handles page faults. It determines the address,
950@@ -132,8 +250,29 @@ retry:
951 good_area:
952 si_code = SEGV_ACCERR;
953 if (cause < 0) {
954- if (!(vma->vm_flags & VM_EXEC))
955+ if (!(vma->vm_flags & VM_EXEC)) {
956+
957+#ifdef CONFIG_PAX_PAGEEXEC
958+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
959+ goto bad_area;
960+
961+ up_read(&mm->mmap_sem);
962+ switch (pax_handle_fetch_fault(regs)) {
963+
964+#ifdef CONFIG_PAX_EMUPLT
965+ case 2:
966+ case 3:
967+ return;
968+#endif
969+
970+ }
971+ pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
972+ do_group_exit(SIGKILL);
973+#else
974 goto bad_area;
975+#endif
976+
977+ }
978 } else if (!cause) {
979 /* Allow reads even for write-only mappings */
980 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
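Review bot: The added `switch (pax_handle_fetch_fault(regs))` matches the bare values `2` and `3` and has no `default`, so with CONFIG_PAX_EMUPLT disabled it compiles to a switch with an empty body whose result is silently discarded. The meaning of the codes is only recoverable from the `return 1/2/3` statements in pax_handle_fetch_fault() earlier in this file. A comment such as `/* 2, 3: PLT stub emulated and regs->pc redirected, resume; any other value falls through to report + SIGKILL */` would make the contract explicit, as would named constants. The fall-through after the switch also depends on `do_group_exit(SIGKILL)` never returning, because `mmap_sem` has already been dropped and nothing jumps to `bad_area`; that deserves a one-line comment too.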
981diff --git a/arch/arc/Kconfig b/arch/arc/Kconfig
982index bd4670d..920c97a 100644
983--- a/arch/arc/Kconfig
984+++ b/arch/arc/Kconfig
985@@ -485,6 +485,7 @@ config ARC_DBG_TLB_MISS_COUNT
986 bool "Profile TLB Misses"
987 default n
988 select DEBUG_FS
989+ depends on !GRKERNSEC_KMEM
990 help
991 Counts number of I and D TLB Misses and exports them via Debugfs
992 The counters can be cleared via Debugfs as well
993diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
994index ede2526..9e12300 100644
995--- a/arch/arm/Kconfig
996+++ b/arch/arm/Kconfig
997@@ -1770,7 +1770,7 @@ config ALIGNMENT_TRAP
998
999 config UACCESS_WITH_MEMCPY
1000 bool "Use kernel mem{cpy,set}() for {copy_to,clear}_user()"
1001- depends on MMU
1002+ depends on MMU && !PAX_MEMORY_UDEREF
1003 default y if CPU_FEROCEON
1004 help
1005 Implement faster copy_to_user and clear_user methods for CPU
1006@@ -2006,6 +2006,7 @@ config KEXEC
1007 bool "Kexec system call (EXPERIMENTAL)"
1008 depends on (!SMP || PM_SLEEP_SMP)
1009 depends on !CPU_V7M
1010+ depends on !GRKERNSEC_KMEM
1011 help
1012 kexec is a system call that implements the ability to shutdown your
1013 current kernel, and to start another kernel. It is like a reboot
1014diff --git a/arch/arm/Kconfig.debug b/arch/arm/Kconfig.debug
1015index a2e16f9..b26e911 100644
1016--- a/arch/arm/Kconfig.debug
1017+++ b/arch/arm/Kconfig.debug
1018@@ -7,6 +7,7 @@ config ARM_PTDUMP
1019 depends on DEBUG_KERNEL
1020 depends on MMU
1021 select DEBUG_FS
1022+ depends on !GRKERNSEC_KMEM
1023 ---help---
1024 Say Y here if you want to show the kernel pagetable layout in a
1025 debugfs file. This information is only useful for kernel developers
1026diff --git a/arch/arm/include/asm/atomic.h b/arch/arm/include/asm/atomic.h
1027index e22c119..abe7041 100644
1028--- a/arch/arm/include/asm/atomic.h
1029+++ b/arch/arm/include/asm/atomic.h
1030@@ -18,17 +18,41 @@
1031 #include <asm/barrier.h>
1032 #include <asm/cmpxchg.h>
1033
1034+#ifdef CONFIG_GENERIC_ATOMIC64
1035+#include <asm-generic/atomic64.h>
1036+#endif
1037+
1038 #define ATOMIC_INIT(i) { (i) }
1039
1040 #ifdef __KERNEL__
1041
1042+#ifdef CONFIG_THUMB2_KERNEL
1043+#define REFCOUNT_TRAP_INSN "bkpt 0xf1"
1044+#else
1045+#define REFCOUNT_TRAP_INSN "bkpt 0xf103"
1046+#endif
1047+
1048+#define _ASM_EXTABLE(from, to) \
1049+" .pushsection __ex_table,\"a\"\n"\
1050+" .align 3\n" \
1051+" .long " #from ", " #to"\n" \
1052+" .popsection"
1053+
1054 /*
1055 * On ARM, ordinary assignment (str instruction) doesn't clear the local
1056 * strex/ldrex monitor on some implementations. The reason we can use it for
1057 * atomic_set() is the clrex or dummy strex done on every exception return.
1058 */
1059 #define atomic_read(v) ACCESS_ONCE((v)->counter)
1060+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
1061+{
1062+ return ACCESS_ONCE(v->counter);
1063+}
1064 #define atomic_set(v,i) (((v)->counter) = (i))
1065+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
1066+{
1067+ v->counter = i;
1068+}
1069
1070 #if __LINUX_ARM_ARCH__ >= 6
1071
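Review bot: `_ASM_EXTABLE` and `REFCOUNT_TRAP_INSN` are introduced with generic names in a header that is included almost everywhere, and neither appears in the `#undef` list this patch adds further down (`__OVERFLOW_POST`, `__OVERFLOW_EXTABLE`, ...). If `REFCOUNT_TRAP_INSN` is meant to stay visible, say so in a comment; `_ASM_EXTABLE` looks local to this file and could be undefined with the others or given a file-specific name. The two `bkpt` immediates (`0xf1` for Thumb-2, `0xf103` otherwise) are magic values that presumably must match a trap handler outside this hunk, which is worth recording as `/* immediate must match the refcount-overflow bkpt handler */`.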
1072@@ -38,26 +62,50 @@
1073 * to ensure that the update happens.
1074 */
1075
1076-#define ATOMIC_OP(op, c_op, asm_op) \
1077-static inline void atomic_##op(int i, atomic_t *v) \
1078+#ifdef CONFIG_PAX_REFCOUNT
1079+#define __OVERFLOW_POST \
1080+ " bvc 3f\n" \
1081+ "2: " REFCOUNT_TRAP_INSN "\n"\
1082+ "3:\n"
1083+#define __OVERFLOW_POST_RETURN \
1084+ " bvc 3f\n" \
1085+" mov %0, %1\n" \
1086+ "2: " REFCOUNT_TRAP_INSN "\n"\
1087+ "3:\n"
1088+#define __OVERFLOW_EXTABLE \
1089+ "4:\n" \
1090+ _ASM_EXTABLE(2b, 4b)
1091+#else
1092+#define __OVERFLOW_POST
1093+#define __OVERFLOW_POST_RETURN
1094+#define __OVERFLOW_EXTABLE
1095+#endif
1096+
1097+#define __ATOMIC_OP(op, suffix, c_op, asm_op, post_op, extable) \
1098+static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v) \
1099 { \
1100 unsigned long tmp; \
1101 int result; \
1102 \
1103 prefetchw(&v->counter); \
1104- __asm__ __volatile__("@ atomic_" #op "\n" \
1105+ __asm__ __volatile__("@ atomic_" #op #suffix "\n" \
1106 "1: ldrex %0, [%3]\n" \
1107 " " #asm_op " %0, %0, %4\n" \
1108+ post_op \
1109 " strex %1, %0, [%3]\n" \
1110 " teq %1, #0\n" \
1111-" bne 1b" \
1112+" bne 1b\n" \
1113+ extable \
1114 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1115 : "r" (&v->counter), "Ir" (i) \
1116 : "cc"); \
1117 } \
1118
1119-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \
1120-static inline int atomic_##op##_return(int i, atomic_t *v) \
1121+#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, _unchecked, c_op, asm_op, , )\
1122+ __ATOMIC_OP(op, , c_op, asm_op##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
1123+
1124+#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op, post_op, extable) \
1125+static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\
1126 { \
1127 unsigned long tmp; \
1128 int result; \
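Review bot: `__OVERFLOW_POST_RETURN` executes `mov %0, %1` on the overflow path, but in `__ATOMIC_OP_RETURN` (its asm body is in the next hunk) `%0` is `result` and `%1` is `tmp`, which only ever receives the `strex` status. As far as the visible template shows, an overflowing `atomic_*_return()` therefore traps and then returns a stale or uninitialised `tmp` rather than the pre-operation counter value. Loading into the temporary and computing into the result would make the restore meaningful: `"1: ldrex %1, [%3]\n"` followed by `" " #asm_op " %0, %1, %4\n"`. The 64-bit redefinition later in this file (`mov %0, %1` / `mov %H0, %H1` used by `__ATOMIC64_OP_RETURN`) has the same shape with a 32-bit `unsigned long tmp`, so it would also need a 64-bit temporary, as `atomic64_dec_if_positive` gets in this patch.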
1129@@ -65,12 +113,14 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
1130 smp_mb(); \
1131 prefetchw(&v->counter); \
1132 \
1133- __asm__ __volatile__("@ atomic_" #op "_return\n" \
1134+ __asm__ __volatile__("@ atomic_" #op "_return" #suffix "\n" \
1135 "1: ldrex %0, [%3]\n" \
1136 " " #asm_op " %0, %0, %4\n" \
1137+ post_op \
1138 " strex %1, %0, [%3]\n" \
1139 " teq %1, #0\n" \
1140-" bne 1b" \
1141+" bne 1b\n" \
1142+ extable \
1143 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1144 : "r" (&v->counter), "Ir" (i) \
1145 : "cc"); \
1146@@ -80,6 +130,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
1147 return result; \
1148 }
1149
1150+#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op, , )\
1151+ __ATOMIC_OP_RETURN(op, , c_op, asm_op##s, __OVERFLOW_POST_RETURN, __OVERFLOW_EXTABLE)
1152+
1153 static inline int atomic_cmpxchg(atomic_t *ptr, int old, int new)
1154 {
1155 int oldval;
1156@@ -115,12 +168,24 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
1157 __asm__ __volatile__ ("@ atomic_add_unless\n"
1158 "1: ldrex %0, [%4]\n"
1159 " teq %0, %5\n"
1160-" beq 2f\n"
1161-" add %1, %0, %6\n"
1162+" beq 4f\n"
1163+" adds %1, %0, %6\n"
1164+
1165+#ifdef CONFIG_PAX_REFCOUNT
1166+" bvc 3f\n"
1167+"2: " REFCOUNT_TRAP_INSN "\n"
1168+"3:\n"
1169+#endif
1170+
1171 " strex %2, %1, [%4]\n"
1172 " teq %2, #0\n"
1173 " bne 1b\n"
1174-"2:"
1175+"4:"
1176+
1177+#ifdef CONFIG_PAX_REFCOUNT
1178+ _ASM_EXTABLE(2b, 4b)
1179+#endif
1180+
1181 : "=&r" (oldval), "=&r" (newval), "=&r" (tmp), "+Qo" (v->counter)
1182 : "r" (&v->counter), "r" (u), "r" (a)
1183 : "cc");
1184@@ -131,14 +196,36 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
1185 return oldval;
1186 }
1187
1188+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *ptr, int old, int new)
1189+{
1190+ unsigned long oldval, res;
1191+
1192+ smp_mb();
1193+
1194+ do {
1195+ __asm__ __volatile__("@ atomic_cmpxchg_unchecked\n"
1196+ "ldrex %1, [%3]\n"
1197+ "mov %0, #0\n"
1198+ "teq %1, %4\n"
1199+ "strexeq %0, %5, [%3]\n"
1200+ : "=&r" (res), "=&r" (oldval), "+Qo" (ptr->counter)
1201+ : "r" (&ptr->counter), "Ir" (old), "r" (new)
1202+ : "cc");
1203+ } while (res);
1204+
1205+ smp_mb();
1206+
1207+ return oldval;
1208+}
1209+
1210 #else /* ARM_ARCH_6 */
1211
1212 #ifdef CONFIG_SMP
1213 #error SMP not supported on pre-ARMv6 CPUs
1214 #endif
1215
1216-#define ATOMIC_OP(op, c_op, asm_op) \
1217-static inline void atomic_##op(int i, atomic_t *v) \
1218+#define __ATOMIC_OP(op, suffix, c_op, asm_op) \
1219+static inline void atomic_##op##suffix(int i, atomic##suffix##_t *v) \
1220 { \
1221 unsigned long flags; \
1222 \
1223@@ -147,8 +234,11 @@ static inline void atomic_##op(int i, atomic_t *v) \
1224 raw_local_irq_restore(flags); \
1225 } \
1226
1227-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \
1228-static inline int atomic_##op##_return(int i, atomic_t *v) \
1229+#define ATOMIC_OP(op, c_op, asm_op) __ATOMIC_OP(op, , c_op, asm_op) \
1230+ __ATOMIC_OP(op, _unchecked, c_op, asm_op)
1231+
1232+#define __ATOMIC_OP_RETURN(op, suffix, c_op, asm_op) \
1233+static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t *v)\
1234 { \
1235 unsigned long flags; \
1236 int val; \
1237@@ -161,6 +251,9 @@ static inline int atomic_##op##_return(int i, atomic_t *v) \
1238 return val; \
1239 }
1240
1241+#define ATOMIC_OP_RETURN(op, c_op, asm_op) __ATOMIC_OP_RETURN(op, , c_op, asm_op)\
1242+ __ATOMIC_OP_RETURN(op, _unchecked, c_op, asm_op)
1243+
1244 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
1245 {
1246 int ret;
1247@@ -175,6 +268,11 @@ static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
1248 return ret;
1249 }
1250
1251+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
1252+{
1253+ return atomic_cmpxchg((atomic_t *)v, old, new);
1254+}
1255+
1256 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
1257 {
1258 int c, old;
1259@@ -196,16 +294,38 @@ ATOMIC_OPS(sub, -=, sub)
1260
1261 #undef ATOMIC_OPS
1262 #undef ATOMIC_OP_RETURN
1263+#undef __ATOMIC_OP_RETURN
1264 #undef ATOMIC_OP
1265+#undef __ATOMIC_OP
1266
1267 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
1268+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
1269+{
1270+ return xchg(&v->counter, new);
1271+}
1272
1273 #define atomic_inc(v) atomic_add(1, v)
1274+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
1275+{
1276+ atomic_add_unchecked(1, v);
1277+}
1278 #define atomic_dec(v) atomic_sub(1, v)
1279+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
1280+{
1281+ atomic_sub_unchecked(1, v);
1282+}
1283
1284 #define atomic_inc_and_test(v) (atomic_add_return(1, v) == 0)
1285+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
1286+{
1287+ return atomic_add_return_unchecked(1, v) == 0;
1288+}
1289 #define atomic_dec_and_test(v) (atomic_sub_return(1, v) == 0)
1290 #define atomic_inc_return(v) (atomic_add_return(1, v))
1291+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
1292+{
1293+ return atomic_add_return_unchecked(1, v);
1294+}
1295 #define atomic_dec_return(v) (atomic_sub_return(1, v))
1296 #define atomic_sub_and_test(i, v) (atomic_sub_return(i, v) == 0)
1297
1298@@ -216,6 +336,14 @@ typedef struct {
1299 long long counter;
1300 } atomic64_t;
1301
1302+#ifdef CONFIG_PAX_REFCOUNT
1303+typedef struct {
1304+ long long counter;
1305+} atomic64_unchecked_t;
1306+#else
1307+typedef atomic64_t atomic64_unchecked_t;
1308+#endif
1309+
1310 #define ATOMIC64_INIT(i) { (i) }
1311
1312 #ifdef CONFIG_ARM_LPAE
1313@@ -232,6 +360,19 @@ static inline long long atomic64_read(const atomic64_t *v)
1314 return result;
1315 }
1316
1317+static inline long long atomic64_read_unchecked(const atomic64_unchecked_t *v)
1318+{
1319+ long long result;
1320+
1321+ __asm__ __volatile__("@ atomic64_read_unchecked\n"
1322+" ldrd %0, %H0, [%1]"
1323+ : "=&r" (result)
1324+ : "r" (&v->counter), "Qo" (v->counter)
1325+ );
1326+
1327+ return result;
1328+}
1329+
1330 static inline void atomic64_set(atomic64_t *v, long long i)
1331 {
1332 __asm__ __volatile__("@ atomic64_set\n"
1333@@ -240,6 +381,15 @@ static inline void atomic64_set(atomic64_t *v, long long i)
1334 : "r" (&v->counter), "r" (i)
1335 );
1336 }
1337+
1338+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
1339+{
1340+ __asm__ __volatile__("@ atomic64_set_unchecked\n"
1341+" strd %2, %H2, [%1]"
1342+ : "=Qo" (v->counter)
1343+ : "r" (&v->counter), "r" (i)
1344+ );
1345+}
1346 #else
1347 static inline long long atomic64_read(const atomic64_t *v)
1348 {
1349@@ -254,6 +404,19 @@ static inline long long atomic64_read(const atomic64_t *v)
1350 return result;
1351 }
1352
1353+static inline long long atomic64_read_unchecked(const atomic64_unchecked_t *v)
1354+{
1355+ long long result;
1356+
1357+ __asm__ __volatile__("@ atomic64_read_unchecked\n"
1358+" ldrexd %0, %H0, [%1]"
1359+ : "=&r" (result)
1360+ : "r" (&v->counter), "Qo" (v->counter)
1361+ );
1362+
1363+ return result;
1364+}
1365+
1366 static inline void atomic64_set(atomic64_t *v, long long i)
1367 {
1368 long long tmp;
1369@@ -268,29 +431,57 @@ static inline void atomic64_set(atomic64_t *v, long long i)
1370 : "r" (&v->counter), "r" (i)
1371 : "cc");
1372 }
1373+
1374+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
1375+{
1376+ long long tmp;
1377+
1378+ prefetchw(&v->counter);
1379+ __asm__ __volatile__("@ atomic64_set_unchecked\n"
1380+"1: ldrexd %0, %H0, [%2]\n"
1381+" strexd %0, %3, %H3, [%2]\n"
1382+" teq %0, #0\n"
1383+" bne 1b"
1384+ : "=&r" (tmp), "=Qo" (v->counter)
1385+ : "r" (&v->counter), "r" (i)
1386+ : "cc");
1387+}
1388 #endif
1389
1390-#define ATOMIC64_OP(op, op1, op2) \
1391-static inline void atomic64_##op(long long i, atomic64_t *v) \
1392+#undef __OVERFLOW_POST_RETURN
1393+#define __OVERFLOW_POST_RETURN \
1394+ " bvc 3f\n" \
1395+" mov %0, %1\n" \
1396+" mov %H0, %H1\n" \
1397+ "2: " REFCOUNT_TRAP_INSN "\n"\
1398+ "3:\n"
1399+
1400+#define __ATOMIC64_OP(op, suffix, op1, op2, post_op, extable) \
1401+static inline void atomic64_##op##suffix(long long i, atomic64##suffix##_t *v)\
1402 { \
1403 long long result; \
1404 unsigned long tmp; \
1405 \
1406 prefetchw(&v->counter); \
1407- __asm__ __volatile__("@ atomic64_" #op "\n" \
1408+ __asm__ __volatile__("@ atomic64_" #op #suffix "\n" \
1409 "1: ldrexd %0, %H0, [%3]\n" \
1410 " " #op1 " %Q0, %Q0, %Q4\n" \
1411 " " #op2 " %R0, %R0, %R4\n" \
1412+ post_op \
1413 " strexd %1, %0, %H0, [%3]\n" \
1414 " teq %1, #0\n" \
1415-" bne 1b" \
1416+" bne 1b\n" \
1417+ extable \
1418 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1419 : "r" (&v->counter), "r" (i) \
1420 : "cc"); \
1421 } \
1422
1423-#define ATOMIC64_OP_RETURN(op, op1, op2) \
1424-static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
1425+#define ATOMIC64_OP(op, op1, op2) __ATOMIC64_OP(op, _unchecked, op1, op2, , ) \
1426+ __ATOMIC64_OP(op, , op1, op2##s, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
1427+
1428+#define __ATOMIC64_OP_RETURN(op, suffix, op1, op2, post_op, extable) \
1429+static inline long long atomic64_##op##_return##suffix(long long i, atomic64##suffix##_t *v) \
1430 { \
1431 long long result; \
1432 unsigned long tmp; \
1433@@ -298,13 +489,15 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
1434 smp_mb(); \
1435 prefetchw(&v->counter); \
1436 \
1437- __asm__ __volatile__("@ atomic64_" #op "_return\n" \
1438+ __asm__ __volatile__("@ atomic64_" #op "_return" #suffix "\n" \
1439 "1: ldrexd %0, %H0, [%3]\n" \
1440 " " #op1 " %Q0, %Q0, %Q4\n" \
1441 " " #op2 " %R0, %R0, %R4\n" \
1442+ post_op \
1443 " strexd %1, %0, %H0, [%3]\n" \
1444 " teq %1, #0\n" \
1445-" bne 1b" \
1446+" bne 1b\n" \
1447+ extable \
1448 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter) \
1449 : "r" (&v->counter), "r" (i) \
1450 : "cc"); \
1451@@ -314,6 +507,9 @@ static inline long long atomic64_##op##_return(long long i, atomic64_t *v) \
1452 return result; \
1453 }
1454
1455+#define ATOMIC64_OP_RETURN(op, op1, op2) __ATOMIC64_OP_RETURN(op, _unchecked, op1, op2, , ) \
1456+ __ATOMIC64_OP_RETURN(op, , op1, op2##s, __OVERFLOW_POST_RETURN, __OVERFLOW_EXTABLE)
1457+
1458 #define ATOMIC64_OPS(op, op1, op2) \
1459 ATOMIC64_OP(op, op1, op2) \
1460 ATOMIC64_OP_RETURN(op, op1, op2)
1461@@ -323,7 +519,12 @@ ATOMIC64_OPS(sub, subs, sbc)
1462
1463 #undef ATOMIC64_OPS
1464 #undef ATOMIC64_OP_RETURN
1465+#undef __ATOMIC64_OP_RETURN
1466 #undef ATOMIC64_OP
1467+#undef __ATOMIC64_OP
1468+#undef __OVERFLOW_EXTABLE
1469+#undef __OVERFLOW_POST_RETURN
1470+#undef __OVERFLOW_POST
1471
1472 static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old,
1473 long long new)
1474@@ -351,6 +552,31 @@ static inline long long atomic64_cmpxchg(atomic64_t *ptr, long long old,
1475 return oldval;
1476 }
1477
1478+static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, long long old,
1479+ long long new)
1480+{
1481+ long long oldval;
1482+ unsigned long res;
1483+
1484+ smp_mb();
1485+
1486+ do {
1487+ __asm__ __volatile__("@ atomic64_cmpxchg_unchecked\n"
1488+ "ldrexd %1, %H1, [%3]\n"
1489+ "mov %0, #0\n"
1490+ "teq %1, %4\n"
1491+ "teqeq %H1, %H4\n"
1492+ "strexdeq %0, %5, %H5, [%3]"
1493+ : "=&r" (res), "=&r" (oldval), "+Qo" (ptr->counter)
1494+ : "r" (&ptr->counter), "r" (old), "r" (new)
1495+ : "cc");
1496+ } while (res);
1497+
1498+ smp_mb();
1499+
1500+ return oldval;
1501+}
1502+
1503 static inline long long atomic64_xchg(atomic64_t *ptr, long long new)
1504 {
1505 long long result;
1506@@ -376,21 +602,35 @@ static inline long long atomic64_xchg(atomic64_t *ptr, long long new)
1507 static inline long long atomic64_dec_if_positive(atomic64_t *v)
1508 {
1509 long long result;
1510- unsigned long tmp;
1511+ u64 tmp;
1512
1513 smp_mb();
1514 prefetchw(&v->counter);
1515
1516 __asm__ __volatile__("@ atomic64_dec_if_positive\n"
1517-"1: ldrexd %0, %H0, [%3]\n"
1518-" subs %Q0, %Q0, #1\n"
1519-" sbc %R0, %R0, #0\n"
1520+"1: ldrexd %1, %H1, [%3]\n"
1521+" subs %Q0, %Q1, #1\n"
1522+" sbcs %R0, %R1, #0\n"
1523+
1524+#ifdef CONFIG_PAX_REFCOUNT
1525+" bvc 3f\n"
1526+" mov %Q0, %Q1\n"
1527+" mov %R0, %R1\n"
1528+"2: " REFCOUNT_TRAP_INSN "\n"
1529+"3:\n"
1530+#endif
1531+
1532 " teq %R0, #0\n"
1533-" bmi 2f\n"
1534+" bmi 4f\n"
1535 " strexd %1, %0, %H0, [%3]\n"
1536 " teq %1, #0\n"
1537 " bne 1b\n"
1538-"2:"
1539+"4:\n"
1540+
1541+#ifdef CONFIG_PAX_REFCOUNT
1542+ _ASM_EXTABLE(2b, 4b)
1543+#endif
1544+
1545 : "=&r" (result), "=&r" (tmp), "+Qo" (v->counter)
1546 : "r" (&v->counter)
1547 : "cc");
1548@@ -414,13 +654,25 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
1549 " teq %0, %5\n"
1550 " teqeq %H0, %H5\n"
1551 " moveq %1, #0\n"
1552-" beq 2f\n"
1553+" beq 4f\n"
1554 " adds %Q0, %Q0, %Q6\n"
1555-" adc %R0, %R0, %R6\n"
1556+" adcs %R0, %R0, %R6\n"
1557+
1558+#ifdef CONFIG_PAX_REFCOUNT
1559+" bvc 3f\n"
1560+"2: " REFCOUNT_TRAP_INSN "\n"
1561+"3:\n"
1562+#endif
1563+
1564 " strexd %2, %0, %H0, [%4]\n"
1565 " teq %2, #0\n"
1566 " bne 1b\n"
1567-"2:"
1568+"4:\n"
1569+
1570+#ifdef CONFIG_PAX_REFCOUNT
1571+ _ASM_EXTABLE(2b, 4b)
1572+#endif
1573+
1574 : "=&r" (val), "+r" (ret), "=&r" (tmp), "+Qo" (v->counter)
1575 : "r" (&v->counter), "r" (u), "r" (a)
1576 : "cc");
1577@@ -433,10 +685,13 @@ static inline int atomic64_add_unless(atomic64_t *v, long long a, long long u)
1578
1579 #define atomic64_add_negative(a, v) (atomic64_add_return((a), (v)) < 0)
1580 #define atomic64_inc(v) atomic64_add(1LL, (v))
1581+#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1LL, (v))
1582 #define atomic64_inc_return(v) atomic64_add_return(1LL, (v))
1583+#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1LL, (v))
1584 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
1585 #define atomic64_sub_and_test(a, v) (atomic64_sub_return((a), (v)) == 0)
1586 #define atomic64_dec(v) atomic64_sub(1LL, (v))
1587+#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1LL, (v))
1588 #define atomic64_dec_return(v) atomic64_sub_return(1LL, (v))
1589 #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
1590 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
1591diff --git a/arch/arm/include/asm/barrier.h b/arch/arm/include/asm/barrier.h
1592index 6c2327e..85beac4 100644
1593--- a/arch/arm/include/asm/barrier.h
1594+++ b/arch/arm/include/asm/barrier.h
1595@@ -67,7 +67,7 @@
1596 do { \
1597 compiletime_assert_atomic_type(*p); \
1598 smp_mb(); \
1599- ACCESS_ONCE(*p) = (v); \
1600+ ACCESS_ONCE_RW(*p) = (v); \
1601 } while (0)
1602
1603 #define smp_load_acquire(p) \
1604diff --git a/arch/arm/include/asm/cache.h b/arch/arm/include/asm/cache.h
1605index 75fe66b..ba3dee4 100644
1606--- a/arch/arm/include/asm/cache.h
1607+++ b/arch/arm/include/asm/cache.h
1608@@ -4,8 +4,10 @@
1609 #ifndef __ASMARM_CACHE_H
1610 #define __ASMARM_CACHE_H
1611
1612+#include <linux/const.h>
1613+
1614 #define L1_CACHE_SHIFT CONFIG_ARM_L1_CACHE_SHIFT
1615-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
1616+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
1617
1618 /*
1619 * Memory returned by kmalloc() may be used for DMA, so we must make
1620@@ -24,5 +26,6 @@
1621 #endif
1622
1623 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
1624+#define __read_only __attribute__ ((__section__(".data..read_only")))
1625
1626 #endif
1627diff --git a/arch/arm/include/asm/cacheflush.h b/arch/arm/include/asm/cacheflush.h
1628index 4812cda..9da8116 100644
1629--- a/arch/arm/include/asm/cacheflush.h
1630+++ b/arch/arm/include/asm/cacheflush.h
1631@@ -116,7 +116,7 @@ struct cpu_cache_fns {
1632 void (*dma_unmap_area)(const void *, size_t, int);
1633
1634 void (*dma_flush_range)(const void *, const void *);
1635-};
1636+} __no_const;
1637
1638 /*
1639 * Select the calling method
1640diff --git a/arch/arm/include/asm/checksum.h b/arch/arm/include/asm/checksum.h
1641index 5233151..87a71fa 100644
1642--- a/arch/arm/include/asm/checksum.h
1643+++ b/arch/arm/include/asm/checksum.h
1644@@ -37,7 +37,19 @@ __wsum
1645 csum_partial_copy_nocheck(const void *src, void *dst, int len, __wsum sum);
1646
1647 __wsum
1648-csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr);
1649+__csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr);
1650+
1651+static inline __wsum
1652+csum_partial_copy_from_user(const void __user *src, void *dst, int len, __wsum sum, int *err_ptr)
1653+{
1654+ __wsum ret;
1655+ pax_open_userland();
1656+ ret = __csum_partial_copy_from_user(src, dst, len, sum, err_ptr);
1657+ pax_close_userland();
1658+ return ret;
1659+}
1660+
1661+
1662
1663 /*
1664 * Fold a partial checksum without adding pseudo headers
1665diff --git a/arch/arm/include/asm/cmpxchg.h b/arch/arm/include/asm/cmpxchg.h
1666index 1692a05..1835802 100644
1667--- a/arch/arm/include/asm/cmpxchg.h
1668+++ b/arch/arm/include/asm/cmpxchg.h
1669@@ -107,6 +107,10 @@ static inline unsigned long __xchg(unsigned long x, volatile void *ptr, int size
1670 (__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), \
1671 sizeof(*(ptr))); \
1672 })
1673+#define xchg_unchecked(ptr, x) ({ \
1674+ (__typeof__(*(ptr)))__xchg((unsigned long)(x), (ptr), \
1675+ sizeof(*(ptr))); \
1676+})
1677
1678 #include <asm-generic/cmpxchg-local.h>
1679
1680diff --git a/arch/arm/include/asm/cpuidle.h b/arch/arm/include/asm/cpuidle.h
1681index 0f84249..8e83c55 100644
1682--- a/arch/arm/include/asm/cpuidle.h
1683+++ b/arch/arm/include/asm/cpuidle.h
1684@@ -32,7 +32,7 @@ struct device_node;
1685 struct cpuidle_ops {
1686 int (*suspend)(int cpu, unsigned long arg);
1687 int (*init)(struct device_node *, int cpu);
1688-};
1689+} __no_const;
1690
1691 struct of_cpuidle_method {
1692 const char *method;
1693diff --git a/arch/arm/include/asm/domain.h b/arch/arm/include/asm/domain.h
1694index 6ddbe44..b5e38b1a 100644
1695--- a/arch/arm/include/asm/domain.h
1696+++ b/arch/arm/include/asm/domain.h
1697@@ -48,18 +48,37 @@
1698 * Domain types
1699 */
1700 #define DOMAIN_NOACCESS 0
1701-#define DOMAIN_CLIENT 1
1702 #ifdef CONFIG_CPU_USE_DOMAINS
1703+#define DOMAIN_USERCLIENT 1
1704+#define DOMAIN_KERNELCLIENT 1
1705 #define DOMAIN_MANAGER 3
1706+#define DOMAIN_VECTORS DOMAIN_USER
1707 #else
1708+
1709+#ifdef CONFIG_PAX_KERNEXEC
1710 #define DOMAIN_MANAGER 1
1711+#define DOMAIN_KERNEXEC 3
1712+#else
1713+#define DOMAIN_MANAGER 1
1714+#endif
1715+
1716+#ifdef CONFIG_PAX_MEMORY_UDEREF
1717+#define DOMAIN_USERCLIENT 0
1718+#define DOMAIN_UDEREF 1
1719+#define DOMAIN_VECTORS DOMAIN_KERNEL
1720+#else
1721+#define DOMAIN_USERCLIENT 1
1722+#define DOMAIN_VECTORS DOMAIN_USER
1723+#endif
1724+#define DOMAIN_KERNELCLIENT 1
1725+
1726 #endif
1727
1728 #define domain_val(dom,type) ((type) << (2*(dom)))
1729
1730 #ifndef __ASSEMBLY__
1731
1732-#ifdef CONFIG_CPU_USE_DOMAINS
1733+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
1734 static inline void set_domain(unsigned val)
1735 {
1736 asm volatile(
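Review bot: In the `!CONFIG_CPU_USE_DOMAINS` branch `DOMAIN_MANAGER` is defined as `1` in both arms of the new `#ifdef CONFIG_PAX_KERNEXEC`, so the only thing that depends on the option is `DOMAIN_KERNEXEC 3`. Defining `DOMAIN_MANAGER 1` once above the `#ifdef` would make that clear. The naming needs a comment as well: here `DOMAIN_MANAGER` carries the client encoding, while the value 3 (the DACR manager encoding, for which access permissions are not checked) is exposed as `DOMAIN_KERNEXEC`, e.g. `/* 3 = hardware manager access: page permissions ignored */`. `DOMAIN_CLIENT` is removed outright, so every user outside this hunk has to be converted to `DOMAIN_USERCLIENT` or `DOMAIN_KERNELCLIENT`, which cannot be confirmed from this hunk.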
1737@@ -68,15 +87,7 @@ static inline void set_domain(unsigned val)
1738 isb();
1739 }
1740
1741-#define modify_domain(dom,type) \
1742- do { \
1743- struct thread_info *thread = current_thread_info(); \
1744- unsigned int domain = thread->cpu_domain; \
1745- domain &= ~domain_val(dom, DOMAIN_MANAGER); \
1746- thread->cpu_domain = domain | domain_val(dom, type); \
1747- set_domain(thread->cpu_domain); \
1748- } while (0)
1749-
1750+extern void modify_domain(unsigned int dom, unsigned int type);
1751 #else
1752 static inline void set_domain(unsigned val) { }
1753 static inline void modify_domain(unsigned dom, unsigned type) { }
1754diff --git a/arch/arm/include/asm/elf.h b/arch/arm/include/asm/elf.h
1755index d2315ff..f60b47b 100644
1756--- a/arch/arm/include/asm/elf.h
1757+++ b/arch/arm/include/asm/elf.h
1758@@ -117,7 +117,14 @@ int dump_task_regs(struct task_struct *t, elf_gregset_t *elfregs);
1759 the loader. We need to make sure that it is out of the way of the program
1760 that it will "exec", and that there is sufficient room for the brk. */
1761
1762-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1763+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1764+
1765+#ifdef CONFIG_PAX_ASLR
1766+#define PAX_ELF_ET_DYN_BASE 0x00008000UL
1767+
1768+#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
1769+#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
1770+#endif
1771
1772 /* When the program starts, a1 contains a pointer to a function to be
1773 registered with atexit, as per the SVR4 ABI. A value of 0 means we
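Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` compare the whole `current->personality` word with `PER_LINUX_32BIT`, so a task that has any personality flag bit set fails the equality and gets 10 bits of randomisation instead of 16. If the intent is to key on the base personality only, mask first: `((personality(current->personality) == PER_LINUX_32BIT) ? 16 : 10)`. Failing that, a comment should say that the low-entropy fallback for flagged personalities is deliberate. `PAX_ELF_ET_DYN_BASE 0x00008000UL` would also benefit from a short comment on why that base was chosen.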
1774diff --git a/arch/arm/include/asm/fncpy.h b/arch/arm/include/asm/fncpy.h
1775index de53547..52b9a28 100644
1776--- a/arch/arm/include/asm/fncpy.h
1777+++ b/arch/arm/include/asm/fncpy.h
1778@@ -81,7 +81,9 @@
1779 BUG_ON((uintptr_t)(dest_buf) & (FNCPY_ALIGN - 1) || \
1780 (__funcp_address & ~(uintptr_t)1 & (FNCPY_ALIGN - 1))); \
1781 \
1782+ pax_open_kernel(); \
1783 memcpy(dest_buf, (void const *)(__funcp_address & ~1), size); \
1784+ pax_close_kernel(); \
1785 flush_icache_range((unsigned long)(dest_buf), \
1786 (unsigned long)(dest_buf) + (size)); \
1787 \
1788diff --git a/arch/arm/include/asm/futex.h b/arch/arm/include/asm/futex.h
1789index 5eed828..365e018 100644
1790--- a/arch/arm/include/asm/futex.h
1791+++ b/arch/arm/include/asm/futex.h
1792@@ -46,6 +46,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1793 if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
1794 return -EFAULT;
1795
1796+ pax_open_userland();
1797+
1798 smp_mb();
1799 /* Prefetching cannot fault */
1800 prefetchw(uaddr);
1801@@ -63,6 +65,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1802 : "cc", "memory");
1803 smp_mb();
1804
1805+ pax_close_userland();
1806+
1807 *uval = val;
1808 return ret;
1809 }
1810@@ -94,6 +98,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1811 return -EFAULT;
1812
1813 preempt_disable();
1814+ pax_open_userland();
1815+
1816 __asm__ __volatile__("@futex_atomic_cmpxchg_inatomic\n"
1817 "1: " TUSER(ldr) " %1, [%4]\n"
1818 " teq %1, %2\n"
1819@@ -104,6 +110,8 @@ futex_atomic_cmpxchg_inatomic(u32 *uval, u32 __user *uaddr,
1820 : "r" (oldval), "r" (newval), "r" (uaddr), "Ir" (-EFAULT)
1821 : "cc", "memory");
1822
1823+ pax_close_userland();
1824+
1825 *uval = val;
1826 preempt_enable();
1827
1828@@ -131,6 +139,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
1829 preempt_disable();
1830 #endif
1831 pagefault_disable();
1832+ pax_open_userland();
1833
1834 switch (op) {
1835 case FUTEX_OP_SET:
1836@@ -152,6 +161,7 @@ futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
1837 ret = -ENOSYS;
1838 }
1839
1840+ pax_close_userland();
1841 pagefault_enable();
1842 #ifndef CONFIG_SMP
1843 preempt_enable();
1844diff --git a/arch/arm/include/asm/kmap_types.h b/arch/arm/include/asm/kmap_types.h
1845index 83eb2f7..ed77159 100644
1846--- a/arch/arm/include/asm/kmap_types.h
1847+++ b/arch/arm/include/asm/kmap_types.h
1848@@ -4,6 +4,6 @@
1849 /*
1850 * This is the "bare minimum". AIO seems to require this.
1851 */
1852-#define KM_TYPE_NR 16
1853+#define KM_TYPE_NR 17
1854
1855 #endif
1856diff --git a/arch/arm/include/asm/mach/dma.h b/arch/arm/include/asm/mach/dma.h
1857index 9e614a1..3302cca 100644
1858--- a/arch/arm/include/asm/mach/dma.h
1859+++ b/arch/arm/include/asm/mach/dma.h
1860@@ -22,7 +22,7 @@ struct dma_ops {
1861 int (*residue)(unsigned int, dma_t *); /* optional */
1862 int (*setspeed)(unsigned int, dma_t *, int); /* optional */
1863 const char *type;
1864-};
1865+} __do_const;
1866
1867 struct dma_struct {
1868 void *addr; /* single DMA address */
1869diff --git a/arch/arm/include/asm/mach/map.h b/arch/arm/include/asm/mach/map.h
1870index f98c7f3..e5c626d 100644
1871--- a/arch/arm/include/asm/mach/map.h
1872+++ b/arch/arm/include/asm/mach/map.h
1873@@ -23,17 +23,19 @@ struct map_desc {
1874
1875 /* types 0-3 are defined in asm/io.h */
1876 enum {
1877- MT_UNCACHED = 4,
1878- MT_CACHECLEAN,
1879- MT_MINICLEAN,
1880+ MT_UNCACHED_RW = 4,
1881+ MT_CACHECLEAN_RO,
1882+ MT_MINICLEAN_RO,
1883 MT_LOW_VECTORS,
1884 MT_HIGH_VECTORS,
1885- MT_MEMORY_RWX,
1886+ __MT_MEMORY_RWX,
1887 MT_MEMORY_RW,
1888- MT_ROM,
1889- MT_MEMORY_RWX_NONCACHED,
1890+ MT_MEMORY_RX,
1891+ MT_ROM_RX,
1892+ MT_MEMORY_RW_NONCACHED,
1893+ MT_MEMORY_RX_NONCACHED,
1894 MT_MEMORY_RW_DTCM,
1895- MT_MEMORY_RWX_ITCM,
1896+ MT_MEMORY_RX_ITCM,
1897 MT_MEMORY_RW_SO,
1898 MT_MEMORY_DMA_READY,
1899 };
1900diff --git a/arch/arm/include/asm/outercache.h b/arch/arm/include/asm/outercache.h
1901index 563b92f..689d58e 100644
1902--- a/arch/arm/include/asm/outercache.h
1903+++ b/arch/arm/include/asm/outercache.h
1904@@ -39,7 +39,7 @@ struct outer_cache_fns {
1905 /* This is an ARM L2C thing */
1906 void (*write_sec)(unsigned long, unsigned);
1907 void (*configure)(const struct l2x0_regs *);
1908-};
1909+} __no_const;
1910
1911 extern struct outer_cache_fns outer_cache;
1912
1913diff --git a/arch/arm/include/asm/page.h b/arch/arm/include/asm/page.h
1914index 4355f0e..cd9168e 100644
1915--- a/arch/arm/include/asm/page.h
1916+++ b/arch/arm/include/asm/page.h
1917@@ -23,6 +23,7 @@
1918
1919 #else
1920
1921+#include <linux/compiler.h>
1922 #include <asm/glue.h>
1923
1924 /*
1925@@ -114,7 +115,7 @@ struct cpu_user_fns {
1926 void (*cpu_clear_user_highpage)(struct page *page, unsigned long vaddr);
1927 void (*cpu_copy_user_highpage)(struct page *to, struct page *from,
1928 unsigned long vaddr, struct vm_area_struct *vma);
1929-};
1930+} __no_const;
1931
1932 #ifdef MULTI_USER
1933 extern struct cpu_user_fns cpu_user;
1934diff --git a/arch/arm/include/asm/pgalloc.h b/arch/arm/include/asm/pgalloc.h
1935index 19cfab5..3f5c7e9 100644
1936--- a/arch/arm/include/asm/pgalloc.h
1937+++ b/arch/arm/include/asm/pgalloc.h
1938@@ -17,6 +17,7 @@
1939 #include <asm/processor.h>
1940 #include <asm/cacheflush.h>
1941 #include <asm/tlbflush.h>
1942+#include <asm/system_info.h>
1943
1944 #define check_pgt_cache() do { } while (0)
1945
1946@@ -43,6 +44,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1947 set_pud(pud, __pud(__pa(pmd) | PMD_TYPE_TABLE));
1948 }
1949
1950+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1951+{
1952+ pud_populate(mm, pud, pmd);
1953+}
1954+
1955 #else /* !CONFIG_ARM_LPAE */
1956
1957 /*
1958@@ -51,6 +57,7 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
1959 #define pmd_alloc_one(mm,addr) ({ BUG(); ((pmd_t *)2); })
1960 #define pmd_free(mm, pmd) do { } while (0)
1961 #define pud_populate(mm,pmd,pte) BUG()
1962+#define pud_populate_kernel(mm,pmd,pte) BUG()
1963
1964 #endif /* CONFIG_ARM_LPAE */
1965
1966@@ -128,6 +135,19 @@ static inline void pte_free(struct mm_struct *mm, pgtable_t pte)
1967 __free_page(pte);
1968 }
1969
1970+static inline void __section_update(pmd_t *pmdp, unsigned long addr, pmdval_t prot)
1971+{
1972+#ifdef CONFIG_ARM_LPAE
1973+ pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot);
1974+#else
1975+ if (addr & SECTION_SIZE)
1976+ pmdp[1] = __pmd(pmd_val(pmdp[1]) | prot);
1977+ else
1978+ pmdp[0] = __pmd(pmd_val(pmdp[0]) | prot);
1979+#endif
1980+ flush_pmd_entry(pmdp);
1981+}
1982+
1983 static inline void __pmd_populate(pmd_t *pmdp, phys_addr_t pte,
1984 pmdval_t prot)
1985 {
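Review bot: `__section_update()` can only set bits, since both branches OR `prot` into the existing entry, so a caller cannot use it to clear a permission bit, and neither the name nor a comment says so. On the non-LPAE path `pmdp[1]` is modified when `addr & SECTION_SIZE` is set, but `flush_pmd_entry(pmdp)` is still passed the first entry; that is presumably fine because the pair is adjacent, and the assumption should be written down. I would add a header comment along the lines of `/* OR prot into the section entry covering addr and flush it; never clears bits */`. The hunk ends inside `__pmd_populate()`, whose body is outside it.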
1986diff --git a/arch/arm/include/asm/pgtable-2level-hwdef.h b/arch/arm/include/asm/pgtable-2level-hwdef.h
1987index 5e68278..1869bae 100644
1988--- a/arch/arm/include/asm/pgtable-2level-hwdef.h
1989+++ b/arch/arm/include/asm/pgtable-2level-hwdef.h
1990@@ -27,7 +27,7 @@
1991 /*
1992 * - section
1993 */
1994-#define PMD_SECT_PXN (_AT(pmdval_t, 1) << 0) /* v7 */
1995+#define PMD_SECT_PXN (_AT(pmdval_t, 1) << 0) /* v7 */
1996 #define PMD_SECT_BUFFERABLE (_AT(pmdval_t, 1) << 2)
1997 #define PMD_SECT_CACHEABLE (_AT(pmdval_t, 1) << 3)
1998 #define PMD_SECT_XN (_AT(pmdval_t, 1) << 4) /* v6 */
1999@@ -39,6 +39,7 @@
2000 #define PMD_SECT_nG (_AT(pmdval_t, 1) << 17) /* v6 */
2001 #define PMD_SECT_SUPER (_AT(pmdval_t, 1) << 18) /* v6 */
2002 #define PMD_SECT_AF (_AT(pmdval_t, 0))
2003+#define PMD_SECT_RDONLY (_AT(pmdval_t, 0))
2004
2005 #define PMD_SECT_UNCACHED (_AT(pmdval_t, 0))
2006 #define PMD_SECT_BUFFERED (PMD_SECT_BUFFERABLE)
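Review bot: `PMD_SECT_RDONLY` is defined as zero here, so on two-level tables ORing it into a section entry (as `__section_update()` in pgalloc.h does with its `prot` argument) changes nothing. The three-level header in this patch maps the same name to `PMD_SECT_AP2`, so the difference is easy to miss when reading shared code. A comment next to the define, for example `/* evaluates to 0 here: ORing it in does not make a section read-only */`, would make that explicit; how read-only is enforced for this table format is not visible in the hunk.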
2007@@ -68,6 +69,7 @@
2008 * - extended small page/tiny page
2009 */
2010 #define PTE_EXT_XN (_AT(pteval_t, 1) << 0) /* v6 */
2011+#define PTE_EXT_PXN (_AT(pteval_t, 1) << 2) /* v7 */
2012 #define PTE_EXT_AP_MASK (_AT(pteval_t, 3) << 4)
2013 #define PTE_EXT_AP0 (_AT(pteval_t, 1) << 4)
2014 #define PTE_EXT_AP1 (_AT(pteval_t, 2) << 4)
2015diff --git a/arch/arm/include/asm/pgtable-2level.h b/arch/arm/include/asm/pgtable-2level.h
2016index aeddd28..207745c 100644
2017--- a/arch/arm/include/asm/pgtable-2level.h
2018+++ b/arch/arm/include/asm/pgtable-2level.h
2019@@ -127,6 +127,9 @@
2020 #define L_PTE_SHARED (_AT(pteval_t, 1) << 10) /* shared(v6), coherent(xsc3) */
2021 #define L_PTE_NONE (_AT(pteval_t, 1) << 11)
2022
2023+/* Two-level page tables only have PXN in the PGD, not in the PTE. */
2024+#define L_PTE_PXN (_AT(pteval_t, 0))
2025+
2026 /*
2027 * These are the memory types, defined to be compatible with
2028 * pre-ARMv6 CPUs cacheable and bufferable bits: n/a,n/a,C,B
2029diff --git a/arch/arm/include/asm/pgtable-3level.h b/arch/arm/include/asm/pgtable-3level.h
2030index a745a2a..481350a 100644
2031--- a/arch/arm/include/asm/pgtable-3level.h
2032+++ b/arch/arm/include/asm/pgtable-3level.h
2033@@ -80,6 +80,7 @@
2034 #define L_PTE_USER (_AT(pteval_t, 1) << 6) /* AP[1] */
2035 #define L_PTE_SHARED (_AT(pteval_t, 3) << 8) /* SH[1:0], inner shareable */
2036 #define L_PTE_YOUNG (_AT(pteval_t, 1) << 10) /* AF */
2037+#define L_PTE_PXN (_AT(pteval_t, 1) << 53) /* PXN */
2038 #define L_PTE_XN (_AT(pteval_t, 1) << 54) /* XN */
2039 #define L_PTE_DIRTY (_AT(pteval_t, 1) << 55)
2040 #define L_PTE_SPECIAL (_AT(pteval_t, 1) << 56)
2041@@ -91,10 +92,12 @@
2042 #define L_PMD_SECT_SPLITTING (_AT(pmdval_t, 1) << 56)
2043 #define L_PMD_SECT_NONE (_AT(pmdval_t, 1) << 57)
2044 #define L_PMD_SECT_RDONLY (_AT(pteval_t, 1) << 58)
2045+#define PMD_SECT_RDONLY PMD_SECT_AP2
2046
2047 /*
2048 * To be used in assembly code with the upper page attributes.
2049 */
2050+#define L_PTE_PXN_HIGH (1 << (53 - 32))
2051 #define L_PTE_XN_HIGH (1 << (54 - 32))
2052 #define L_PTE_DIRTY_HIGH (1 << (55 - 32))
2053
2054diff --git a/arch/arm/include/asm/pgtable.h b/arch/arm/include/asm/pgtable.h
2055index f403541..b10df68 100644
2056--- a/arch/arm/include/asm/pgtable.h
2057+++ b/arch/arm/include/asm/pgtable.h
2058@@ -33,6 +33,9 @@
2059 #include <asm/pgtable-2level.h>
2060 #endif
2061
2062+#define ktla_ktva(addr) (addr)
2063+#define ktva_ktla(addr) (addr)
2064+
2065 /*
2066 * Just any arbitrary offset to the start of the vmalloc VM area: the
2067 * current 8MB value just means that there will be a 8MB "hole" after the
2068@@ -48,6 +51,9 @@
2069 #define LIBRARY_TEXT_START 0x0c000000
2070
2071 #ifndef __ASSEMBLY__
2072+extern pteval_t __supported_pte_mask;
2073+extern pmdval_t __supported_pmd_mask;
2074+
2075 extern void __pte_error(const char *file, int line, pte_t);
2076 extern void __pmd_error(const char *file, int line, pmd_t);
2077 extern void __pgd_error(const char *file, int line, pgd_t);
2078@@ -56,6 +62,48 @@ extern void __pgd_error(const char *file, int line, pgd_t);
2079 #define pmd_ERROR(pmd) __pmd_error(__FILE__, __LINE__, pmd)
2080 #define pgd_ERROR(pgd) __pgd_error(__FILE__, __LINE__, pgd)
2081
2082+#define __HAVE_ARCH_PAX_OPEN_KERNEL
2083+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
2084+
2085+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2086+#include <asm/domain.h>
2087+#include <linux/thread_info.h>
2088+#include <linux/preempt.h>
2089+
2090+static inline int test_domain(int domain, int domaintype)
2091+{
2092+ return ((current_thread_info()->cpu_domain) & domain_val(domain, 3)) == domain_val(domain, domaintype);
2093+}
2094+#endif
2095+
2096+#ifdef CONFIG_PAX_KERNEXEC
2097+static inline unsigned long pax_open_kernel(void) {
2098+#ifdef CONFIG_ARM_LPAE
2099+ /* TODO */
2100+#else
2101+ preempt_disable();
2102+ BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC));
2103+ modify_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC);
2104+#endif
2105+ return 0;
2106+}
2107+
2108+static inline unsigned long pax_close_kernel(void) {
2109+#ifdef CONFIG_ARM_LPAE
2110+ /* TODO */
2111+#else
2112+ BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_MANAGER));
2113+ /* DOMAIN_MANAGER = "client" under KERNEXEC */
2114+ modify_domain(DOMAIN_KERNEL, DOMAIN_MANAGER);
2115+ preempt_enable_no_resched();
2116+#endif
2117+ return 0;
2118+}
2119+#else
2120+static inline unsigned long pax_open_kernel(void) { return 0; }
2121+static inline unsigned long pax_close_kernel(void) { return 0; }
2122+#endif
2123+
2124 /*
2125 * This is the lowest virtual address we can permit any user space
2126 * mapping to be mapped at. This is particularly important for
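Review bot: With `CONFIG_PAX_KERNEXEC` and `CONFIG_ARM_LPAE` both set, `pax_open_kernel()` and `pax_close_kernel()` reduce to `/* TODO */` and `return 0`, so callers get neither the domain switch nor the `preempt_disable()`/`preempt_enable_no_resched()` pairing. Unless the Kconfig (not visible here) forbids that combination, I would make it fail loudly, e.g. `#error "PAX_KERNEXEC is not implemented for ARM_LPAE"` in the LPAE branch. The non-LPAE pair is also not reentrant, because `BUG_ON(test_domain(DOMAIN_KERNEL, DOMAIN_KERNEXEC))` fires on a nested open; a comment stating that open and close must be strictly paired and never nested would help. The literal `3` in `test_domain()` deserves a name or a note that it is the two-bit field mask.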
2127@@ -75,8 +123,8 @@ extern void __pgd_error(const char *file, int line, pgd_t);
2128 /*
2129 * The pgprot_* and protection_map entries will be fixed up in runtime
2130 * to include the cachable and bufferable bits based on memory policy,
2131- * as well as any architecture dependent bits like global/ASID and SMP
2132- * shared mapping bits.
2133+ * as well as any architecture dependent bits like global/ASID, PXN,
2134+ * and SMP shared mapping bits.
2135 */
2136 #define _L_PTE_DEFAULT L_PTE_PRESENT | L_PTE_YOUNG
2137
2138@@ -307,7 +355,7 @@ static inline pte_t pte_mknexec(pte_t pte)
2139 static inline pte_t pte_modify(pte_t pte, pgprot_t newprot)
2140 {
2141 const pteval_t mask = L_PTE_XN | L_PTE_RDONLY | L_PTE_USER |
2142- L_PTE_NONE | L_PTE_VALID;
2143+ L_PTE_NONE | L_PTE_VALID | __supported_pte_mask;
2144 pte_val(pte) = (pte_val(pte) & ~mask) | (pgprot_val(newprot) & mask);
2145 return pte;
2146 }
2147diff --git a/arch/arm/include/asm/psci.h b/arch/arm/include/asm/psci.h
2148index c25ef3e..735f14b 100644
2149--- a/arch/arm/include/asm/psci.h
2150+++ b/arch/arm/include/asm/psci.h
2151@@ -32,7 +32,7 @@ struct psci_operations {
2152 int (*affinity_info)(unsigned long target_affinity,
2153 unsigned long lowest_affinity_level);
2154 int (*migrate_info_type)(void);
2155-};
2156+} __no_const;
2157
2158 extern struct psci_operations psci_ops;
2159 extern struct smp_operations psci_smp_ops;
2160diff --git a/arch/arm/include/asm/smp.h b/arch/arm/include/asm/smp.h
2161index 2f3ac1b..67182ae0 100644
2162--- a/arch/arm/include/asm/smp.h
2163+++ b/arch/arm/include/asm/smp.h
2164@@ -108,7 +108,7 @@ struct smp_operations {
2165 int (*cpu_disable)(unsigned int cpu);
2166 #endif
2167 #endif
2168-};
2169+} __no_const;
2170
2171 struct of_cpu_method {
2172 const char *method;
2173diff --git a/arch/arm/include/asm/thread_info.h b/arch/arm/include/asm/thread_info.h
2174index bd32ede..bd90a0b 100644
2175--- a/arch/arm/include/asm/thread_info.h
2176+++ b/arch/arm/include/asm/thread_info.h
2177@@ -74,9 +74,9 @@ struct thread_info {
2178 .flags = 0, \
2179 .preempt_count = INIT_PREEMPT_COUNT, \
2180 .addr_limit = KERNEL_DS, \
2181- .cpu_domain = domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \
2182- domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
2183- domain_val(DOMAIN_IO, DOMAIN_CLIENT), \
2184+ .cpu_domain = domain_val(DOMAIN_USER, DOMAIN_USERCLIENT) | \
2185+ domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT) | \
2186+ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT), \
2187 }
2188
2189 #define init_thread_info (init_thread_union.thread_info)
2190@@ -152,7 +152,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
2191 #define TIF_SYSCALL_AUDIT 9
2192 #define TIF_SYSCALL_TRACEPOINT 10
2193 #define TIF_SECCOMP 11 /* seccomp syscall filtering active */
2194-#define TIF_NOHZ 12 /* in adaptive nohz mode */
2195+/* within 8 bits of TIF_SYSCALL_TRACE
2196+ * to meet flexible second operand requirements
2197+ */
2198+#define TIF_GRSEC_SETXID 12
2199+#define TIF_NOHZ 13 /* in adaptive nohz mode */
2200 #define TIF_USING_IWMMXT 17
2201 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
2202 #define TIF_RESTORE_SIGMASK 20
2203@@ -166,10 +170,11 @@ extern int vfp_restore_user_hwstate(struct user_vfp __user *,
2204 #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
2205 #define _TIF_SECCOMP (1 << TIF_SECCOMP)
2206 #define _TIF_USING_IWMMXT (1 << TIF_USING_IWMMXT)
2207+#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID)
2208
2209 /* Checks for any syscall work in entry-common.S */
2210 #define _TIF_SYSCALL_WORK (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
2211- _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
2212+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP | _TIF_GRSEC_SETXID)
2213
2214 /*
2215 * Change these and you break ASM code in entry-common.S
2216diff --git a/arch/arm/include/asm/tls.h b/arch/arm/include/asm/tls.h
2217index 5f833f7..76e6644 100644
2218--- a/arch/arm/include/asm/tls.h
2219+++ b/arch/arm/include/asm/tls.h
2220@@ -3,6 +3,7 @@
2221
2222 #include <linux/compiler.h>
2223 #include <asm/thread_info.h>
2224+#include <asm/pgtable.h>
2225
2226 #ifdef __ASSEMBLY__
2227 #include <asm/asm-offsets.h>
2228@@ -89,7 +90,9 @@ static inline void set_tls(unsigned long val)
2229 * at 0xffff0fe0 must be used instead. (see
2230 * entry-armv.S for details)
2231 */
2232+ pax_open_kernel();
2233 *((unsigned int *)0xffff0ff0) = val;
2234+ pax_close_kernel();
2235 #endif
2236 }
2237
2238diff --git a/arch/arm/include/asm/uaccess.h b/arch/arm/include/asm/uaccess.h
2239index 74b17d0..7e6da4b 100644
2240--- a/arch/arm/include/asm/uaccess.h
2241+++ b/arch/arm/include/asm/uaccess.h
2242@@ -18,6 +18,7 @@
2243 #include <asm/domain.h>
2244 #include <asm/unified.h>
2245 #include <asm/compiler.h>
2246+#include <asm/pgtable.h>
2247
2248 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
2249 #include <asm-generic/uaccess-unaligned.h>
2250@@ -70,11 +71,38 @@ extern int __put_user_bad(void);
2251 static inline void set_fs(mm_segment_t fs)
2252 {
2253 current_thread_info()->addr_limit = fs;
2254- modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_CLIENT : DOMAIN_MANAGER);
2255+ modify_domain(DOMAIN_KERNEL, fs ? DOMAIN_KERNELCLIENT : DOMAIN_MANAGER);
2256 }
2257
2258 #define segment_eq(a, b) ((a) == (b))
2259
2260+#define __HAVE_ARCH_PAX_OPEN_USERLAND
2261+#define __HAVE_ARCH_PAX_CLOSE_USERLAND
2262+
2263+static inline void pax_open_userland(void)
2264+{
2265+
2266+#ifdef CONFIG_PAX_MEMORY_UDEREF
2267+ if (segment_eq(get_fs(), USER_DS)) {
2268+ BUG_ON(test_domain(DOMAIN_USER, DOMAIN_UDEREF));
2269+ modify_domain(DOMAIN_USER, DOMAIN_UDEREF);
2270+ }
2271+#endif
2272+
2273+}
2274+
2275+static inline void pax_close_userland(void)
2276+{
2277+
2278+#ifdef CONFIG_PAX_MEMORY_UDEREF
2279+ if (segment_eq(get_fs(), USER_DS)) {
2280+ BUG_ON(test_domain(DOMAIN_USER, DOMAIN_NOACCESS));
2281+ modify_domain(DOMAIN_USER, DOMAIN_NOACCESS);
2282+ }
2283+#endif
2284+
2285+}
2286+
2287 #define __addr_ok(addr) ({ \
2288 unsigned long flag; \
2289 __asm__("cmp %2, %0; movlo %0, #0" \
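Review bot: `pax_open_userland()` and `pax_close_userland()` have no comment describing their contract, and two parts of it are not obvious from the call sites. Both do nothing unless `get_fs()` equals `USER_DS`, and both `BUG_ON()` when the domain is already in the state they are about to set, so a nested open or a close without a matching open is fatal rather than ignored. I would add a short comment above the pair, e.g. `/* UDEREF: grant/revoke kernel access to DOMAIN_USER; strictly paired, not nestable */`, and drop the blank lines that open and close each body.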
2290@@ -198,8 +226,12 @@ extern int __get_user_64t_4(void *);
2291
2292 #define get_user(x, p) \
2293 ({ \
2294+ int __e; \
2295 might_fault(); \
2296- __get_user_check(x, p); \
2297+ pax_open_userland(); \
2298+ __e = __get_user_check((x), (p)); \
2299+ pax_close_userland(); \
2300+ __e; \
2301 })
2302
2303 extern int __put_user_1(void *, unsigned int);
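Review bot: The new temporary `__e` in `get_user()` (and in `put_user()` in the next hunk) is a very generic name for a statement-expression macro. If an argument expression or the inner `__get_user_check()` expansion uses the same identifier, the outer one is shadowed silently. The neighbouring `__get_user()` and `__put_user()` already use `__gu_err` and `__pu_err`; following that convention with `int __gu_e;` and `int __pu_e;` keeps the names distinct. A short comment that the result is captured so `pax_close_userland()` always runs before the macro yields its value would also help.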
2304@@ -244,8 +276,12 @@ extern int __put_user_8(void *, unsigned long long);
2305
2306 #define put_user(x, p) \
2307 ({ \
2308+ int __e; \
2309 might_fault(); \
2310- __put_user_check(x, p); \
2311+ pax_open_userland(); \
2312+ __e = __put_user_check((x), (p)); \
2313+ pax_close_userland(); \
2314+ __e; \
2315 })
2316
2317 #else /* CONFIG_MMU */
2318@@ -269,6 +305,7 @@ static inline void set_fs(mm_segment_t fs)
2319
2320 #endif /* CONFIG_MMU */
2321
2322+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
2323 #define access_ok(type, addr, size) (__range_ok(addr, size) == 0)
2324
2325 #define user_addr_max() \
2326@@ -286,13 +323,17 @@ static inline void set_fs(mm_segment_t fs)
2327 #define __get_user(x, ptr) \
2328 ({ \
2329 long __gu_err = 0; \
2330+ pax_open_userland(); \
2331 __get_user_err((x), (ptr), __gu_err); \
2332+ pax_close_userland(); \
2333 __gu_err; \
2334 })
2335
2336 #define __get_user_error(x, ptr, err) \
2337 ({ \
2338+ pax_open_userland(); \
2339 __get_user_err((x), (ptr), err); \
2340+ pax_close_userland(); \
2341 (void) 0; \
2342 })
2343
2344@@ -368,13 +409,17 @@ do { \
2345 #define __put_user(x, ptr) \
2346 ({ \
2347 long __pu_err = 0; \
2348+ pax_open_userland(); \
2349 __put_user_err((x), (ptr), __pu_err); \
2350+ pax_close_userland(); \
2351 __pu_err; \
2352 })
2353
2354 #define __put_user_error(x, ptr, err) \
2355 ({ \
2356+ pax_open_userland(); \
2357 __put_user_err((x), (ptr), err); \
2358+ pax_close_userland(); \
2359 (void) 0; \
2360 })
2361
2362@@ -474,11 +519,44 @@ do { \
2363
2364
2365 #ifdef CONFIG_MMU
2366-extern unsigned long __must_check __copy_from_user(void *to, const void __user *from, unsigned long n);
2367-extern unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n);
2368-extern unsigned long __must_check __copy_to_user_std(void __user *to, const void *from, unsigned long n);
2369-extern unsigned long __must_check __clear_user(void __user *addr, unsigned long n);
2370-extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned long n);
2371+extern unsigned long __must_check __size_overflow(3) ___copy_from_user(void *to, const void __user *from, unsigned long n);
2372+extern unsigned long __must_check __size_overflow(3) ___copy_to_user(void __user *to, const void *from, unsigned long n);
2373+
2374+static inline unsigned long __must_check __size_overflow(3) __copy_from_user(void *to, const void __user *from, unsigned long n)
2375+{
2376+ unsigned long ret;
2377+
2378+ check_object_size(to, n, false);
2379+ pax_open_userland();
2380+ ret = ___copy_from_user(to, from, n);
2381+ pax_close_userland();
2382+ return ret;
2383+}
2384+
2385+static inline unsigned long __must_check __copy_to_user(void __user *to, const void *from, unsigned long n)
2386+{
2387+ unsigned long ret;
2388+
2389+ check_object_size(from, n, true);
2390+ pax_open_userland();
2391+ ret = ___copy_to_user(to, from, n);
2392+ pax_close_userland();
2393+ return ret;
2394+}
2395+
2396+extern unsigned long __must_check __size_overflow(3) __copy_to_user_std(void __user *to, const void *from, unsigned long n);
2397+extern unsigned long __must_check __size_overflow(2) ___clear_user(void __user *addr, unsigned long n);
2398+extern unsigned long __must_check __size_overflow(2) __clear_user_std(void __user *addr, unsigned long n);
2399+
2400+static inline unsigned long __must_check __clear_user(void __user *addr, unsigned long n)
2401+{
2402+ unsigned long ret;
2403+ pax_open_userland();
2404+ ret = ___clear_user(addr, n);
2405+ pax_close_userland();
2406+ return ret;
2407+}
2408+
2409 #else
2410 #define __copy_from_user(to, from, n) (memcpy(to, (void __force *)from, n), 0)
2411 #define __copy_to_user(to, from, n) (memcpy((void __force *)to, from, n), 0)
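Review bot: The `__size_overflow` annotation is applied unevenly to the new inline wrappers: `__copy_from_user()` carries `__size_overflow(3)`, but `__copy_to_user()` and `__clear_user()` have none, even though the functions they wrap are declared with `__size_overflow(3)` and `__size_overflow(2)`. If the omission is not deliberate, the wrappers should match their `___`-prefixed counterparts. The directly declared `__copy_to_user_std()` and `__clear_user_std()` can also be called without `pax_open_userland()` or `check_object_size()`, which a comment should call out if they are meant to be internal only. `__clear_user()` is missing the blank line after its declaration that the other two wrappers have.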
2412@@ -487,6 +565,9 @@ extern unsigned long __must_check __clear_user_std(void __user *addr, unsigned l
2413
2414 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2415 {
2416+ if ((long)n < 0)
2417+ return n;
2418+
2419 if (access_ok(VERIFY_READ, from, n))
2420 n = __copy_from_user(to, from, n);
2421 else /* security hole - plug it */
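Review bot: The new guard `if ((long)n < 0) return n;` in `copy_from_user()` (and the identical one in `copy_to_user()` in the next hunk) has no comment, and the cast hides the intent: it rejects any length above `LONG_MAX`, which in practice is a size derived from a negative signed value. On this path the destination buffer is left untouched, whereas the failed `access_ok()` branch is marked `/* security hole - plug it */` (its statement is outside the hunk), so callers that ignore the return value keep whatever was in the buffer. I would add `/* length has the sign bit set: treat as a caller bug, copy nothing */` above the check. The function body continues past the end of the hunk.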
2422@@ -496,6 +577,9 @@ static inline unsigned long __must_check copy_from_user(void *to, const void __u
2423
2424 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2425 {
2426+ if ((long)n < 0)
2427+ return n;
2428+
2429 if (access_ok(VERIFY_WRITE, to, n))
2430 n = __copy_to_user(to, from, n);
2431 return n;
2432diff --git a/arch/arm/include/uapi/asm/ptrace.h b/arch/arm/include/uapi/asm/ptrace.h
2433index 5af0ed1..cea83883 100644
2434--- a/arch/arm/include/uapi/asm/ptrace.h
2435+++ b/arch/arm/include/uapi/asm/ptrace.h
2436@@ -92,7 +92,7 @@
2437 * ARMv7 groups of PSR bits
2438 */
2439 #define APSR_MASK 0xf80f0000 /* N, Z, C, V, Q and GE flags */
2440-#define PSR_ISET_MASK 0x01000010 /* ISA state (J, T) mask */
2441+#define PSR_ISET_MASK 0x01000020 /* ISA state (J, T) mask */
2442 #define PSR_IT_MASK 0x0600fc00 /* If-Then execution state mask */
2443 #define PSR_ENDIAN_MASK 0x00000200 /* Endianness state mask */
2444
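Review bot: `PSR_ISET_MASK` is still spelled as a raw hex literal, which makes a one-bit slip like the one corrected here easy to repeat; the comment says the mask covers J and T. Building it from the named bits, `#define PSR_ISET_MASK (PSR_J_BIT | PSR_T_BIT)`, would keep it in step with those definitions, assuming both are defined in this header. Because the file is under `uapi/`, the corrected value is visible to user space and deserves a line in the change description.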
2445diff --git a/arch/arm/kernel/armksyms.c b/arch/arm/kernel/armksyms.c
2446index 5e5a51a..b21eeef 100644
2447--- a/arch/arm/kernel/armksyms.c
2448+++ b/arch/arm/kernel/armksyms.c
2449@@ -58,7 +58,7 @@ EXPORT_SYMBOL(arm_delay_ops);
2450
2451 /* networking */
2452 EXPORT_SYMBOL(csum_partial);
2453-EXPORT_SYMBOL(csum_partial_copy_from_user);
2454+EXPORT_SYMBOL(__csum_partial_copy_from_user);
2455 EXPORT_SYMBOL(csum_partial_copy_nocheck);
2456 EXPORT_SYMBOL(__csum_ipv6_magic);
2457
2458@@ -97,9 +97,9 @@ EXPORT_SYMBOL(mmiocpy);
2459 #ifdef CONFIG_MMU
2460 EXPORT_SYMBOL(copy_page);
2461
2462-EXPORT_SYMBOL(__copy_from_user);
2463-EXPORT_SYMBOL(__copy_to_user);
2464-EXPORT_SYMBOL(__clear_user);
2465+EXPORT_SYMBOL(___copy_from_user);
2466+EXPORT_SYMBOL(___copy_to_user);
2467+EXPORT_SYMBOL(___clear_user);
2468
2469 EXPORT_SYMBOL(__get_user_1);
2470 EXPORT_SYMBOL(__get_user_2);
2471diff --git a/arch/arm/kernel/cpuidle.c b/arch/arm/kernel/cpuidle.c
2472index 318da33..373689f 100644
2473--- a/arch/arm/kernel/cpuidle.c
2474+++ b/arch/arm/kernel/cpuidle.c
2475@@ -19,7 +19,7 @@ extern struct of_cpuidle_method __cpuidle_method_of_table[];
2476 static const struct of_cpuidle_method __cpuidle_method_of_table_sentinel
2477 __used __section(__cpuidle_method_of_table_end);
2478
2479-static struct cpuidle_ops cpuidle_ops[NR_CPUS];
2480+static struct cpuidle_ops cpuidle_ops[NR_CPUS] __read_only;
2481
2482 /**
2483 * arm_cpuidle_simple_enter() - a wrapper to cpu_do_idle()
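Review bot: Marking `cpuidle_ops[NR_CPUS]` as `__read_only` means every store into the array must either happen before read-only data is sealed or be wrapped in `pax_open_kernel()`/`pax_close_kernel()`. This is the only hunk for the file, so the code that fills the array is unchanged. If that writer runs only during early init the change is fine, but a later store would fault. A comment on the declaration, e.g. `/* filled once during init, read-only afterwards */`, would record the assumption once it is confirmed.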
2484diff --git a/arch/arm/kernel/entry-armv.S b/arch/arm/kernel/entry-armv.S
2485index cb4fb1e..dc7fcaf 100644
2486--- a/arch/arm/kernel/entry-armv.S
2487+++ b/arch/arm/kernel/entry-armv.S
2488@@ -50,6 +50,87 @@
2489 9997:
2490 .endm
2491
2492+ .macro pax_enter_kernel
2493+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2494+ @ make aligned space for saved DACR
2495+ sub sp, sp, #8
2496+ @ save regs
2497+ stmdb sp!, {r1, r2}
2498+ @ read DACR from cpu_domain into r1
2499+ mov r2, sp
2500+ @ assume 8K pages, since we have to split the immediate in two
2501+ bic r2, r2, #(0x1fc0)
2502+ bic r2, r2, #(0x3f)
2503+ ldr r1, [r2, #TI_CPU_DOMAIN]
2504+ @ store old DACR on stack
2505+ str r1, [sp, #8]
2506+#ifdef CONFIG_PAX_KERNEXEC
2507+ @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2508+ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2509+ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2510+#endif
2511+#ifdef CONFIG_PAX_MEMORY_UDEREF
2512+ @ set current DOMAIN_USER to DOMAIN_NOACCESS
2513+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2514+#endif
2515+ @ write r1 to current_thread_info()->cpu_domain
2516+ str r1, [r2, #TI_CPU_DOMAIN]
2517+ @ write r1 to DACR
2518+ mcr p15, 0, r1, c3, c0, 0
2519+ @ instruction sync
2520+ instr_sync
2521+ @ restore regs
2522+ ldmia sp!, {r1, r2}
2523+#endif
2524+ .endm
2525+
2526+ .macro pax_open_userland
2527+#ifdef CONFIG_PAX_MEMORY_UDEREF
2528+ @ save regs
2529+ stmdb sp!, {r0, r1}
2530+ @ read DACR from cpu_domain into r1
2531+ mov r0, sp
2532+ @ assume 8K pages, since we have to split the immediate in two
2533+ bic r0, r0, #(0x1fc0)
2534+ bic r0, r0, #(0x3f)
2535+ ldr r1, [r0, #TI_CPU_DOMAIN]
2536+ @ set current DOMAIN_USER to DOMAIN_CLIENT
2537+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2538+ orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF))
2539+ @ write r1 to current_thread_info()->cpu_domain
2540+ str r1, [r0, #TI_CPU_DOMAIN]
2541+ @ write r1 to DACR
2542+ mcr p15, 0, r1, c3, c0, 0
2543+ @ instruction sync
2544+ instr_sync
2545+ @ restore regs
2546+ ldmia sp!, {r0, r1}
2547+#endif
2548+ .endm
2549+
2550+ .macro pax_close_userland
2551+#ifdef CONFIG_PAX_MEMORY_UDEREF
2552+ @ save regs
2553+ stmdb sp!, {r0, r1}
2554+ @ read DACR from cpu_domain into r1
2555+ mov r0, sp
2556+ @ assume 8K pages, since we have to split the immediate in two
2557+ bic r0, r0, #(0x1fc0)
2558+ bic r0, r0, #(0x3f)
2559+ ldr r1, [r0, #TI_CPU_DOMAIN]
2560+ @ set current DOMAIN_USER to DOMAIN_NOACCESS
2561+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2562+ @ write r1 to current_thread_info()->cpu_domain
2563+ str r1, [r0, #TI_CPU_DOMAIN]
2564+ @ write r1 to DACR
2565+ mcr p15, 0, r1, c3, c0, 0
2566+ @ instruction sync
2567+ instr_sync
2568+ @ restore regs
2569+ ldmia sp!, {r0, r1}
2570+#endif
2571+ .endm
2572+
2573 .macro pabt_helper
2574 @ PABORT handler takes pt_regs in r2, fault address in r4 and psr in r5
2575 #ifdef MULTI_PABORT
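Review bot: Two comments in these macros do not match the code. `@ assume 8K pages` describes the two `bic` instructions that clear the low 13 bits of `sp` (`0x1fc0` and `0x3f`) to locate `thread_info`, so the assumption is an 8 KiB, 8 KiB-aligned kernel stack rather than a page size. In `pax_open_userland` the comment `@ set current DOMAIN_USER to DOMAIN_CLIENT` sits above an `orr` with `DOMAIN_UDEREF`. I would reword them to `@ assume 8K-aligned thread stack; mask split in two immediates` and `@ set current DOMAIN_USER to DOMAIN_UDEREF`. The same stack-size comment is repeated in `arch_ret_to_user` in entry-common.S and in `pax_enter_kernel_user` and `pax_exit_kernel` in entry-header.S; deriving the mask from the stack-size constant instead of literals would remove the assumption altogether.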
2576@@ -92,11 +173,15 @@
2577 * Invalid mode handlers
2578 */
2579 .macro inv_entry, reason
2580+
2581+ pax_enter_kernel
2582+
2583 sub sp, sp, #S_FRAME_SIZE
2584 ARM( stmib sp, {r1 - lr} )
2585 THUMB( stmia sp, {r0 - r12} )
2586 THUMB( str sp, [sp, #S_SP] )
2587 THUMB( str lr, [sp, #S_LR] )
2588+
2589 mov r1, #\reason
2590 .endm
2591
2592@@ -152,7 +237,11 @@ ENDPROC(__und_invalid)
2593 .macro svc_entry, stack_hole=0, trace=1
2594 UNWIND(.fnstart )
2595 UNWIND(.save {r0 - pc} )
2596+
2597+ pax_enter_kernel
2598+
2599 sub sp, sp, #(S_FRAME_SIZE + \stack_hole - 4)
2600+
2601 #ifdef CONFIG_THUMB2_KERNEL
2602 SPFIX( str r0, [sp] ) @ temporarily saved
2603 SPFIX( mov r0, sp )
2604@@ -167,7 +256,12 @@ ENDPROC(__und_invalid)
2605 ldmia r0, {r3 - r5}
2606 add r7, sp, #S_SP - 4 @ here for interlock avoidance
2607 mov r6, #-1 @ "" "" "" ""
2608+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2609+ @ offset sp by 8 as done in pax_enter_kernel
2610+ add r2, sp, #(S_FRAME_SIZE + \stack_hole + 4)
2611+#else
2612 add r2, sp, #(S_FRAME_SIZE + \stack_hole - 4)
2613+#endif
2614 SPFIX( addeq r2, r2, #4 )
2615 str r3, [sp, #-4]! @ save the "real" r0 copied
2616 @ from the exception stack
2617@@ -371,6 +465,9 @@ ENDPROC(__fiq_abt)
2618 .macro usr_entry, trace=1
2619 UNWIND(.fnstart )
2620 UNWIND(.cantunwind ) @ don't unwind the user space
2621+
2622+ pax_enter_kernel_user
2623+
2624 sub sp, sp, #S_FRAME_SIZE
2625 ARM( stmib sp, {r1 - r12} )
2626 THUMB( stmia sp, {r0 - r12} )
2627@@ -481,7 +578,9 @@ __und_usr:
2628 tst r3, #PSR_T_BIT @ Thumb mode?
2629 bne __und_usr_thumb
2630 sub r4, r2, #4 @ ARM instr at LR - 4
2631+ pax_open_userland
2632 1: ldrt r0, [r4]
2633+ pax_close_userland
2634 ARM_BE8(rev r0, r0) @ little endian instruction
2635
2636 @ r0 = 32-bit ARM instruction which caused the exception
2637@@ -515,11 +614,15 @@ __und_usr_thumb:
2638 */
2639 .arch armv6t2
2640 #endif
2641+ pax_open_userland
2642 2: ldrht r5, [r4]
2643+ pax_close_userland
2644 ARM_BE8(rev16 r5, r5) @ little endian instruction
2645 cmp r5, #0xe800 @ 32bit instruction if xx != 0
2646 blo __und_usr_fault_16 @ 16bit undefined instruction
2647+ pax_open_userland
2648 3: ldrht r0, [r2]
2649+ pax_close_userland
2650 ARM_BE8(rev16 r0, r0) @ little endian instruction
2651 add r2, r2, #2 @ r2 is PC + 2, make it PC + 4
2652 str r2, [sp, #S_PC] @ it's a 2x16bit instr, update
2653@@ -549,7 +652,8 @@ ENDPROC(__und_usr)
2654 */
2655 .pushsection .text.fixup, "ax"
2656 .align 2
2657-4: str r4, [sp, #S_PC] @ retry current instruction
2658+4: pax_close_userland
2659+ str r4, [sp, #S_PC] @ retry current instruction
2660 ret r9
2661 .popsection
2662 .pushsection __ex_table,"a"
2663@@ -769,7 +873,7 @@ ENTRY(__switch_to)
2664 THUMB( str lr, [ip], #4 )
2665 ldr r4, [r2, #TI_TP_VALUE]
2666 ldr r5, [r2, #TI_TP_VALUE + 4]
2667-#ifdef CONFIG_CPU_USE_DOMAINS
2668+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2669 ldr r6, [r2, #TI_CPU_DOMAIN]
2670 #endif
2671 switch_tls r1, r4, r5, r3, r7
2672@@ -778,7 +882,7 @@ ENTRY(__switch_to)
2673 ldr r8, =__stack_chk_guard
2674 ldr r7, [r7, #TSK_STACK_CANARY]
2675 #endif
2676-#ifdef CONFIG_CPU_USE_DOMAINS
2677+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2678 mcr p15, 0, r6, c3, c0, 0 @ Set domain register
2679 #endif
2680 mov r5, r0
2681diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
2682index b48dd4f..9f9a72f 100644
2683--- a/arch/arm/kernel/entry-common.S
2684+++ b/arch/arm/kernel/entry-common.S
2685@@ -11,18 +11,46 @@
2686 #include <asm/assembler.h>
2687 #include <asm/unistd.h>
2688 #include <asm/ftrace.h>
2689+#include <asm/domain.h>
2690 #include <asm/unwind.h>
2691
2692+#include "entry-header.S"
2693+
2694 #ifdef CONFIG_NEED_RET_TO_USER
2695 #include <mach/entry-macro.S>
2696 #else
2697 .macro arch_ret_to_user, tmp1, tmp2
2698+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2699+ @ save regs
2700+ stmdb sp!, {r1, r2}
2701+ @ read DACR from cpu_domain into r1
2702+ mov r2, sp
2703+ @ assume 8K pages, since we have to split the immediate in two
2704+ bic r2, r2, #(0x1fc0)
2705+ bic r2, r2, #(0x3f)
2706+ ldr r1, [r2, #TI_CPU_DOMAIN]
2707+#ifdef CONFIG_PAX_KERNEXEC
2708+ @ set type of DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2709+ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2710+ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2711+#endif
2712+#ifdef CONFIG_PAX_MEMORY_UDEREF
2713+ @ set current DOMAIN_USER to DOMAIN_UDEREF
2714+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2715+ orr r1, r1, #(domain_val(DOMAIN_USER, DOMAIN_UDEREF))
2716+#endif
2717+ @ write r1 to current_thread_info()->cpu_domain
2718+ str r1, [r2, #TI_CPU_DOMAIN]
2719+ @ write r1 to DACR
2720+ mcr p15, 0, r1, c3, c0, 0
2721+ @ instruction sync
2722+ instr_sync
2723+ @ restore regs
2724+ ldmia sp!, {r1, r2}
2725+#endif
2726 .endm
2727 #endif
2728
2729-#include "entry-header.S"
2730-
2731-
2732 .align 5
2733 /*
2734 * This is the fast syscall return path. We do as little as
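Review bot: The DACR update is added only to the built-in, previously empty `arch_ret_to_user`, so a platform that sets `CONFIG_NEED_RET_TO_USER` and supplies its own macro from `<mach/entry-macro.S>` does not get it. Whether any such platform can be built with `CONFIG_PAX_KERNEXEC` or `CONFIG_PAX_MEMORY_UDEREF` is not visible here; if it can, the domain state on return to user space differs between the two configurations. Moving the sequence into its own macro invoked on the return path regardless of `CONFIG_NEED_RET_TO_USER`, or adding a build-time error for the unsupported combination, would close the gap. The block also repeats the load/modify/store sequence of `pax_enter_kernel_user`, and a shared helper macro taking the scratch registers would keep the copies from drifting.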
2735@@ -174,6 +202,12 @@ ENTRY(vector_swi)
2736 USER( ldr scno, [lr, #-4] ) @ get SWI instruction
2737 #endif
2738
2739+ /*
2740+ * do this here to avoid a performance hit of wrapping the code above
2741+ * that directly dereferences userland to parse the SWI instruction
2742+ */
2743+ pax_enter_kernel_user
2744+
2745 adr tbl, sys_call_table @ load syscall table pointer
2746
2747 #if defined(CONFIG_OABI_COMPAT)
2748diff --git a/arch/arm/kernel/entry-header.S b/arch/arm/kernel/entry-header.S
2749index 1a0045a..9b4f34d 100644
2750--- a/arch/arm/kernel/entry-header.S
2751+++ b/arch/arm/kernel/entry-header.S
2752@@ -196,6 +196,60 @@
2753 msr cpsr_c, \rtemp @ switch back to the SVC mode
2754 .endm
2755
2756+ .macro pax_enter_kernel_user
2757+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2758+ @ save regs
2759+ stmdb sp!, {r0, r1}
2760+ @ read DACR from cpu_domain into r1
2761+ mov r0, sp
2762+ @ assume 8K pages, since we have to split the immediate in two
2763+ bic r0, r0, #(0x1fc0)
2764+ bic r0, r0, #(0x3f)
2765+ ldr r1, [r0, #TI_CPU_DOMAIN]
2766+#ifdef CONFIG_PAX_MEMORY_UDEREF
2767+ @ set current DOMAIN_USER to DOMAIN_NOACCESS
2768+ bic r1, r1, #(domain_val(DOMAIN_USER, 3))
2769+#endif
2770+#ifdef CONFIG_PAX_KERNEXEC
2771+ @ set current DOMAIN_KERNEL to DOMAIN_KERNELCLIENT
2772+ bic r1, r1, #(domain_val(DOMAIN_KERNEL, 3))
2773+ orr r1, r1, #(domain_val(DOMAIN_KERNEL, DOMAIN_KERNELCLIENT))
2774+#endif
2775+ @ write r1 to current_thread_info()->cpu_domain
2776+ str r1, [r0, #TI_CPU_DOMAIN]
2777+ @ write r1 to DACR
2778+ mcr p15, 0, r1, c3, c0, 0
2779+ @ instruction sync
2780+ instr_sync
2781+ @ restore regs
2782+ ldmia sp!, {r0, r1}
2783+#endif
2784+ .endm
2785+
2786+ .macro pax_exit_kernel
2787+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
2788+ @ save regs
2789+ stmdb sp!, {r0, r1}
2790+ @ read old DACR from stack into r1
2791+ ldr r1, [sp, #(8 + S_SP)]
2792+ sub r1, r1, #8
2793+ ldr r1, [r1]
2794+
2795+ @ write r1 to current_thread_info()->cpu_domain
2796+ mov r0, sp
2797+ @ assume 8K pages, since we have to split the immediate in two
2798+ bic r0, r0, #(0x1fc0)
2799+ bic r0, r0, #(0x3f)
2800+ str r1, [r0, #TI_CPU_DOMAIN]
2801+ @ write r1 to DACR
2802+ mcr p15, 0, r1, c3, c0, 0
2803+ @ instruction sync
2804+ instr_sync
2805+ @ restore regs
2806+ ldmia sp!, {r0, r1}
2807+#endif
2808+ .endm
2809+
2810 #ifndef CONFIG_THUMB2_KERNEL
2811 .macro svc_exit, rpsr, irq = 0
2812 .if \irq != 0
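Review bot: `pax_exit_kernel` depends on a stack layout that is established elsewhere and is not stated here. It loads the saved stack pointer from `[sp, #(8 + S_SP)]`, subtracts 8, and reads the old DACR from that address, which works only because `pax_enter_kernel` in entry-armv.S reserved 8 bytes below the pre-exception `sp` and stored the DACR there. I would add a comment such as `@ old DACR was stored at (saved sp - 8) by pax_enter_kernel` above the `sub`, and note that the `8` in `#(8 + S_SP)` accounts for the two registers just pushed. The hunk ends inside `svc_exit`.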
2813@@ -215,6 +269,9 @@
2814 blne trace_hardirqs_off
2815 #endif
2816 .endif
2817+
2818+ pax_exit_kernel
2819+
2820 msr spsr_cxsf, \rpsr
2821 #if defined(CONFIG_CPU_V6) || defined(CONFIG_CPU_32v6K)
2822 @ We must avoid clrex due to Cortex-A15 erratum #830321
2823@@ -291,6 +348,9 @@
2824 blne trace_hardirqs_off
2825 #endif
2826 .endif
2827+
2828+ pax_exit_kernel
2829+
2830 ldr lr, [sp, #S_SP] @ top of the stack
2831 ldrd r0, r1, [sp, #S_LR] @ calling lr and pc
2832
2833diff --git a/arch/arm/kernel/fiq.c b/arch/arm/kernel/fiq.c
2834index 059c3da..8e45cfc 100644
2835--- a/arch/arm/kernel/fiq.c
2836+++ b/arch/arm/kernel/fiq.c
2837@@ -95,7 +95,10 @@ void set_fiq_handler(void *start, unsigned int length)
2838 void *base = vectors_page;
2839 unsigned offset = FIQ_OFFSET;
2840
2841+ pax_open_kernel();
2842 memcpy(base + offset, start, length);
2843+ pax_close_kernel();
2844+
2845 if (!cache_is_vipt_nonaliasing())
2846 flush_icache_range((unsigned long)base + offset, offset +
2847 length);
2848diff --git a/arch/arm/kernel/head.S b/arch/arm/kernel/head.S
2849index 29e2991..7bc5757 100644
2850--- a/arch/arm/kernel/head.S
2851+++ b/arch/arm/kernel/head.S
2852@@ -467,7 +467,7 @@ __enable_mmu:
2853 mov r5, #(domain_val(DOMAIN_USER, DOMAIN_MANAGER) | \
2854 domain_val(DOMAIN_KERNEL, DOMAIN_MANAGER) | \
2855 domain_val(DOMAIN_TABLE, DOMAIN_MANAGER) | \
2856- domain_val(DOMAIN_IO, DOMAIN_CLIENT))
2857+ domain_val(DOMAIN_IO, DOMAIN_KERNELCLIENT))
2858 mcr p15, 0, r5, c3, c0, 0 @ load domain access register
2859 mcr p15, 0, r4, c2, c0, 0 @ load page table pointer
2860 #endif
2861diff --git a/arch/arm/kernel/module-plts.c b/arch/arm/kernel/module-plts.c
2862index 097e2e2..3927085 100644
2863--- a/arch/arm/kernel/module-plts.c
2864+++ b/arch/arm/kernel/module-plts.c
2865@@ -30,17 +30,12 @@ struct plt_entries {
2866 u32 lit[PLT_ENT_COUNT];
2867 };
2868
2869-static bool in_init(const struct module *mod, u32 addr)
2870-{
2871- return addr - (u32)mod->module_init < mod->init_size;
2872-}
2873-
2874 u32 get_module_plt(struct module *mod, unsigned long loc, Elf32_Addr val)
2875 {
2876 struct plt_entries *plt, *plt_end;
2877 int c, *count;
2878
2879- if (in_init(mod, loc)) {
2880+ if (within_module_init(loc, mod)) {
2881 plt = (void *)mod->arch.init_plt->sh_addr;
2882 plt_end = (void *)plt + mod->arch.init_plt->sh_size;
2883 count = &mod->arch.init_plt_count;
2884diff --git a/arch/arm/kernel/module.c b/arch/arm/kernel/module.c
2885index efdddcb..35e58f6 100644
2886--- a/arch/arm/kernel/module.c
2887+++ b/arch/arm/kernel/module.c
2888@@ -38,17 +38,47 @@
2889 #endif
2890
2891 #ifdef CONFIG_MMU
2892-void *module_alloc(unsigned long size)
2893+static inline void *__module_alloc(unsigned long size, pgprot_t prot)
2894 {
2895- void *p = __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
2896- GFP_KERNEL, PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
2897+ void *p;
2898+
2899+ if (!size || (!IS_ENABLED(CONFIG_ARM_MODULE_PLTS) && PAGE_ALIGN(size) > MODULES_END - MODULES_VADDR))
2900+ return NULL;
2901+
2902+ p = __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
2903+ GFP_KERNEL, prot, 0, NUMA_NO_NODE,
2904 __builtin_return_address(0));
2905 if (!IS_ENABLED(CONFIG_ARM_MODULE_PLTS) || p)
2906 return p;
2907 return __vmalloc_node_range(size, 1, VMALLOC_START, VMALLOC_END,
2908- GFP_KERNEL, PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
2909+ GFP_KERNEL, prot, 0, NUMA_NO_NODE,
2910 __builtin_return_address(0));
2911 }
2912+
2913+void *module_alloc(unsigned long size)
2914+{
2915+
2916+#ifdef CONFIG_PAX_KERNEXEC
2917+ return __module_alloc(size, PAGE_KERNEL);
2918+#else
2919+ return __module_alloc(size, PAGE_KERNEL_EXEC);
2920+#endif
2921+
2922+}
2923+
2924+#ifdef CONFIG_PAX_KERNEXEC
2925+void module_memfree_exec(void *module_region)
2926+{
2927+ module_memfree(module_region);
2928+}
2929+EXPORT_SYMBOL(module_memfree_exec);
2930+
2931+void *module_alloc_exec(unsigned long size)
2932+{
2933+ return __module_alloc(size, PAGE_KERNEL_EXEC);
2934+}
2935+EXPORT_SYMBOL(module_alloc_exec);
2936+#endif
2937 #endif
2938
2939 int
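Review bot: module_alloc() changes meaning under CONFIG_PAX_KERNEXEC without any documentation: it now passes `PAGE_KERNEL` to __module_alloc(), and only the new module_alloc_exec() passes `PAGE_KERNEL_EXEC`. A caller that still expects executable memory from module_alloc() gets no hint of this, so a comment above it is worth adding, e.g. `/* KERNEXEC: data-only mapping; module text must come from module_alloc_exec() */`. The two stray blank lines inside the module_alloc() body can be dropped. Separately, __module_alloc() keeps `__builtin_return_address(0)` while being only `static inline`; if the compiler declines to inline it, the recorded caller becomes module_alloc() itself, which `__always_inline` would rule out.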
2940diff --git a/arch/arm/kernel/patch.c b/arch/arm/kernel/patch.c
2941index 69bda1a..755113a 100644
2942--- a/arch/arm/kernel/patch.c
2943+++ b/arch/arm/kernel/patch.c
2944@@ -66,6 +66,7 @@ void __kprobes __patch_text_real(void *addr, unsigned int insn, bool remap)
2945 else
2946 __acquire(&patch_lock);
2947
2948+ pax_open_kernel();
2949 if (thumb2 && __opcode_is_thumb16(insn)) {
2950 *(u16 *)waddr = __opcode_to_mem_thumb16(insn);
2951 size = sizeof(u16);
2952@@ -97,6 +98,7 @@ void __kprobes __patch_text_real(void *addr, unsigned int insn, bool remap)
2953 *(u32 *)waddr = insn;
2954 size = sizeof(u32);
2955 }
2956+ pax_close_kernel();
2957
2958 if (waddr != addr) {
2959 flush_kernel_vmap_range(waddr, twopage ? size / 2 : size);
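Review bot: The pax_open_kernel() added before the store sequence in __patch_text_real() and the pax_close_kernel() added after it sit in two different hunks, and the lines between them are not shown. Any `return` or `goto` inside that stretch would leave kernel write protection lifted, so the pairing should be checked against the full function. From the visible lines it looks like a straight if/else chain of stores, which would be fine. A short comment at the open, e.g. `/* write window: text stores only, closed before the cache flush */`, would make the intended extent explicit.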
2960diff --git a/arch/arm/kernel/process.c b/arch/arm/kernel/process.c
2961index f192a2a..1a40523 100644
2962--- a/arch/arm/kernel/process.c
2963+++ b/arch/arm/kernel/process.c
2964@@ -105,8 +105,8 @@ void __show_regs(struct pt_regs *regs)
2965
2966 show_regs_print_info(KERN_DEFAULT);
2967
2968- print_symbol("PC is at %s\n", instruction_pointer(regs));
2969- print_symbol("LR is at %s\n", regs->ARM_lr);
2970+ printk("PC is at %pA\n", (void *)instruction_pointer(regs));
2971+ printk("LR is at %pA\n", (void *)regs->ARM_lr);
2972 printk("pc : [<%08lx>] lr : [<%08lx>] psr: %08lx\n"
2973 "sp : %08lx ip : %08lx fp : %08lx\n",
2974 regs->ARM_pc, regs->ARM_lr, regs->ARM_cpsr,
2975@@ -283,12 +283,6 @@ unsigned long get_wchan(struct task_struct *p)
2976 return 0;
2977 }
2978
2979-unsigned long arch_randomize_brk(struct mm_struct *mm)
2980-{
2981- unsigned long range_end = mm->brk + 0x02000000;
2982- return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
2983-}
2984-
2985 #ifdef CONFIG_MMU
2986 #ifdef CONFIG_KUSER_HELPERS
2987 /*
2988@@ -304,7 +298,7 @@ static struct vm_area_struct gate_vma = {
2989
2990 static int __init gate_vma_init(void)
2991 {
2992- gate_vma.vm_page_prot = PAGE_READONLY_EXEC;
2993+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
2994 return 0;
2995 }
2996 arch_initcall(gate_vma_init);
2997@@ -333,91 +327,13 @@ const char *arch_vma_name(struct vm_area_struct *vma)
2998 return is_gate_vma(vma) ? "[vectors]" : NULL;
2999 }
3000
3001-/* If possible, provide a placement hint at a random offset from the
3002- * stack for the sigpage and vdso pages.
3003- */
3004-static unsigned long sigpage_addr(const struct mm_struct *mm,
3005- unsigned int npages)
3006-{
3007- unsigned long offset;
3008- unsigned long first;
3009- unsigned long last;
3010- unsigned long addr;
3011- unsigned int slots;
3012-
3013- first = PAGE_ALIGN(mm->start_stack);
3014-
3015- last = TASK_SIZE - (npages << PAGE_SHIFT);
3016-
3017- /* No room after stack? */
3018- if (first > last)
3019- return 0;
3020-
3021- /* Just enough room? */
3022- if (first == last)
3023- return first;
3024-
3025- slots = ((last - first) >> PAGE_SHIFT) + 1;
3026-
3027- offset = get_random_int() % slots;
3028-
3029- addr = first + (offset << PAGE_SHIFT);
3030-
3031- return addr;
3032-}
3033-
3034-static struct page *signal_page;
3035-extern struct page *get_signal_page(void);
3036-
3037-static const struct vm_special_mapping sigpage_mapping = {
3038- .name = "[sigpage]",
3039- .pages = &signal_page,
3040-};
3041-
3042 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
3043 {
3044 struct mm_struct *mm = current->mm;
3045- struct vm_area_struct *vma;
3046- unsigned long npages;
3047- unsigned long addr;
3048- unsigned long hint;
3049- int ret = 0;
3050-
3051- if (!signal_page)
3052- signal_page = get_signal_page();
3053- if (!signal_page)
3054- return -ENOMEM;
3055-
3056- npages = 1; /* for sigpage */
3057- npages += vdso_total_pages;
3058
3059 down_write(&mm->mmap_sem);
3060- hint = sigpage_addr(mm, npages);
3061- addr = get_unmapped_area(NULL, hint, npages << PAGE_SHIFT, 0, 0);
3062- if (IS_ERR_VALUE(addr)) {
3063- ret = addr;
3064- goto up_fail;
3065- }
3066-
3067- vma = _install_special_mapping(mm, addr, PAGE_SIZE,
3068- VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
3069- &sigpage_mapping);
3070-
3071- if (IS_ERR(vma)) {
3072- ret = PTR_ERR(vma);
3073- goto up_fail;
3074- }
3075-
3076- mm->context.sigpage = addr;
3077-
3078- /* Unlike the sigpage, failure to install the vdso is unlikely
3079- * to be fatal to the process, so no error check needed
3080- * here.
3081- */
3082- arm_install_vdso(mm, addr + PAGE_SIZE);
3083-
3084- up_fail:
3085+ mm->context.sigpage = (PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC;
3086 up_write(&mm->mmap_sem);
3087- return ret;
3088+ return 0;
3089 }
3090 #endif
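Review bot: The replacement body of arch_setup_additional_pages() rests on one expression, `(PAGE_OFFSET + (get_random_int() % 0x3FFEFFE0)) & 0xFFFFFFFC`, with no comment on what either constant means. From the arithmetic the result is a 4-byte-aligned address at or above PAGE_OFFSET, so it is not a user mapping at all. The return address built in signal.c (`mm->context.sigpage + (idx << 2) + thumb`) therefore presumably depends on handling elsewhere in the patch. That dependency and the reason for the modulus bound should be stated once confirmed, e.g. `/* random word-aligned kernel-space value, never mapped for user space; sigreturn is resolved in the fault path */`. The same hunk drops the arm_install_vdso() call and leaves the mmap_sem write lock guarding a single store; both deserve a line of explanation.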
3091diff --git a/arch/arm/kernel/psci.c b/arch/arm/kernel/psci.c
3092index f90fdf4..24e8c84 100644
3093--- a/arch/arm/kernel/psci.c
3094+++ b/arch/arm/kernel/psci.c
3095@@ -26,7 +26,7 @@
3096 #include <asm/psci.h>
3097 #include <asm/system_misc.h>
3098
3099-struct psci_operations psci_ops;
3100+struct psci_operations psci_ops __read_only;
3101
3102 static int (*invoke_psci_fn)(u32, u32, u32, u32);
3103 typedef int (*psci_initcall_t)(const struct device_node *);
3104diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
3105index ef9119f..31995a3 100644
3106--- a/arch/arm/kernel/ptrace.c
3107+++ b/arch/arm/kernel/ptrace.c
3108@@ -928,10 +928,19 @@ static void tracehook_report_syscall(struct pt_regs *regs,
3109 regs->ARM_ip = ip;
3110 }
3111
3112+#ifdef CONFIG_GRKERNSEC_SETXID
3113+extern void gr_delayed_cred_worker(void);
3114+#endif
3115+
3116 asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
3117 {
3118 current_thread_info()->syscall = scno;
3119
3120+#ifdef CONFIG_GRKERNSEC_SETXID
3121+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
3122+ gr_delayed_cred_worker();
3123+#endif
3124+
3125 /* Do the secure computing check first; failures should be fast. */
3126 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
3127 if (secure_computing() == -1)
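Review bot: `extern void gr_delayed_cred_worker(void);` is declared directly in ptrace.c instead of coming from a header, so nothing checks this prototype against the definition if the signature ever changes. The same pattern appears in arch/arm/kernel/traps.c with `extern void gr_handle_kernel_exploit(void);`. Both declarations would be better placed in a shared header that the defining file also includes. If they must stay local, a comment naming the defining file helps. syscall_trace_enter() continues below the hunk.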
3128diff --git a/arch/arm/kernel/reboot.c b/arch/arm/kernel/reboot.c
3129index 3826935..8ed63ed 100644
3130--- a/arch/arm/kernel/reboot.c
3131+++ b/arch/arm/kernel/reboot.c
3132@@ -122,6 +122,7 @@ void machine_power_off(void)
3133
3134 if (pm_power_off)
3135 pm_power_off();
3136+ while (1);
3137 }
3138
3139 /*
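Review bot: The added `while (1);` in machine_power_off() is reached whether or not `pm_power_off` is set, because the `if` guards only the call. On a board that registers no power-off handler, the CPU therefore spins forever instead of returning to the caller, and the loop has neither a comment nor a relax hint. If never returning is the intent, state it: `/* never return to the caller, even if power-off is unavailable or fails */` followed by `while (1) cpu_relax();`. The start of the function is outside the hunk.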
3140diff --git a/arch/arm/kernel/setup.c b/arch/arm/kernel/setup.c
3141index 36c18b7..0d78292 100644
3142--- a/arch/arm/kernel/setup.c
3143+++ b/arch/arm/kernel/setup.c
3144@@ -108,21 +108,23 @@ EXPORT_SYMBOL(elf_hwcap);
3145 unsigned int elf_hwcap2 __read_mostly;
3146 EXPORT_SYMBOL(elf_hwcap2);
3147
3148+pteval_t __supported_pte_mask __read_only;
3149+pmdval_t __supported_pmd_mask __read_only;
3150
3151 #ifdef MULTI_CPU
3152-struct processor processor __read_mostly;
3153+struct processor processor __read_only;
3154 #endif
3155 #ifdef MULTI_TLB
3156-struct cpu_tlb_fns cpu_tlb __read_mostly;
3157+struct cpu_tlb_fns cpu_tlb __read_only;
3158 #endif
3159 #ifdef MULTI_USER
3160-struct cpu_user_fns cpu_user __read_mostly;
3161+struct cpu_user_fns cpu_user __read_only;
3162 #endif
3163 #ifdef MULTI_CACHE
3164-struct cpu_cache_fns cpu_cache __read_mostly;
3165+struct cpu_cache_fns cpu_cache __read_only;
3166 #endif
3167 #ifdef CONFIG_OUTER_CACHE
3168-struct outer_cache_fns outer_cache __read_mostly;
3169+struct outer_cache_fns outer_cache __read_only;
3170 EXPORT_SYMBOL(outer_cache);
3171 #endif
3172
3173@@ -253,9 +255,13 @@ static int __get_cpu_architecture(void)
3174 * Register 0 and check for VMSAv7 or PMSAv7 */
3175 unsigned int mmfr0 = read_cpuid_ext(CPUID_EXT_MMFR0);
3176 if ((mmfr0 & 0x0000000f) >= 0x00000003 ||
3177- (mmfr0 & 0x000000f0) >= 0x00000030)
3178+ (mmfr0 & 0x000000f0) >= 0x00000030) {
3179 cpu_arch = CPU_ARCH_ARMv7;
3180- else if ((mmfr0 & 0x0000000f) == 0x00000002 ||
3181+ if ((mmfr0 & 0x0000000f) == 0x00000005 || (mmfr0 & 0x0000000f) == 0x00000004) {
3182+ __supported_pte_mask |= L_PTE_PXN;
3183+ __supported_pmd_mask |= PMD_PXNTABLE;
3184+ }
3185+ } else if ((mmfr0 & 0x0000000f) == 0x00000002 ||
3186 (mmfr0 & 0x000000f0) == 0x00000020)
3187 cpu_arch = CPU_ARCH_ARMv6;
3188 else
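Review bot: In __get_cpu_architecture() the new PXN test compares the low nibble of `mmfr0` with the bare values `0x00000005` and `0x00000004`, with no comment saying which VMSA support levels they stand for. A reader cannot tell whether later encodings are deliberately excluded or simply unlisted, and this test decides whether `L_PTE_PXN` and `PMD_PXNTABLE` are ever enabled. Suggested comment: `/* ID_MMFR0.VMSA: 4 = VMSAv7 with PXN, 5 = 4 plus long-descriptor format */`; a local for `mmfr0 & 0x0000000f` would remove the repeated mask. `__supported_pte_mask` and `__supported_pmd_mask` are `__read_only` yet written here without pax_open_kernel(), so this presumably relies on running before read-only data is sealed, which also deserves a comment.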
3189diff --git a/arch/arm/kernel/signal.c b/arch/arm/kernel/signal.c
3190index 586eef2..61aabd4 100644
3191--- a/arch/arm/kernel/signal.c
3192+++ b/arch/arm/kernel/signal.c
3193@@ -24,8 +24,6 @@
3194
3195 extern const unsigned long sigreturn_codes[7];
3196
3197-static unsigned long signal_return_offset;
3198-
3199 #ifdef CONFIG_CRUNCH
3200 static int preserve_crunch_context(struct crunch_sigframe __user *frame)
3201 {
3202@@ -390,8 +388,7 @@ setup_return(struct pt_regs *regs, struct ksignal *ksig,
3203 * except when the MPU has protected the vectors
3204 * page from PL0
3205 */
3206- retcode = mm->context.sigpage + signal_return_offset +
3207- (idx << 2) + thumb;
3208+ retcode = mm->context.sigpage + (idx << 2) + thumb;
3209 } else
3210 #endif
3211 {
3212@@ -597,33 +594,3 @@ do_work_pending(struct pt_regs *regs, unsigned int thread_flags, int syscall)
3213 } while (thread_flags & _TIF_WORK_MASK);
3214 return 0;
3215 }
3216-
3217-struct page *get_signal_page(void)
3218-{
3219- unsigned long ptr;
3220- unsigned offset;
3221- struct page *page;
3222- void *addr;
3223-
3224- page = alloc_pages(GFP_KERNEL, 0);
3225-
3226- if (!page)
3227- return NULL;
3228-
3229- addr = page_address(page);
3230-
3231- /* Give the signal return code some randomness */
3232- offset = 0x200 + (get_random_int() & 0x7fc);
3233- signal_return_offset = offset;
3234-
3235- /*
3236- * Copy signal return handlers into the vector page, and
3237- * set sigreturn to be a pointer to these.
3238- */
3239- memcpy(addr + offset, sigreturn_codes, sizeof(sigreturn_codes));
3240-
3241- ptr = (unsigned long)addr + offset;
3242- flush_icache_range(ptr, ptr + sizeof(sigreturn_codes));
3243-
3244- return page;
3245-}
3246diff --git a/arch/arm/kernel/smp.c b/arch/arm/kernel/smp.c
3247index 3d6b782..8b3baeb 100644
3248--- a/arch/arm/kernel/smp.c
3249+++ b/arch/arm/kernel/smp.c
3250@@ -76,7 +76,7 @@ enum ipi_msg_type {
3251
3252 static DECLARE_COMPLETION(cpu_running);
3253
3254-static struct smp_operations smp_ops;
3255+static struct smp_operations smp_ops __read_only;
3256
3257 void __init smp_set_ops(struct smp_operations *ops)
3258 {
3259diff --git a/arch/arm/kernel/tcm.c b/arch/arm/kernel/tcm.c
3260index b10e136..cb5edf9 100644
3261--- a/arch/arm/kernel/tcm.c
3262+++ b/arch/arm/kernel/tcm.c
3263@@ -64,7 +64,7 @@ static struct map_desc itcm_iomap[] __initdata = {
3264 .virtual = ITCM_OFFSET,
3265 .pfn = __phys_to_pfn(ITCM_OFFSET),
3266 .length = 0,
3267- .type = MT_MEMORY_RWX_ITCM,
3268+ .type = MT_MEMORY_RX_ITCM,
3269 }
3270 };
3271
3272@@ -362,7 +362,9 @@ no_dtcm:
3273 start = &__sitcm_text;
3274 end = &__eitcm_text;
3275 ram = &__itcm_start;
3276+ pax_open_kernel();
3277 memcpy(start, ram, itcm_code_sz);
3278+ pax_close_kernel();
3279 pr_debug("CPU ITCM: copied code from %p - %p\n",
3280 start, end);
3281 itcm_present = true;
3282diff --git a/arch/arm/kernel/traps.c b/arch/arm/kernel/traps.c
3283index d358226..bfd4019 100644
3284--- a/arch/arm/kernel/traps.c
3285+++ b/arch/arm/kernel/traps.c
3286@@ -65,7 +65,7 @@ static void dump_mem(const char *, const char *, unsigned long, unsigned long);
3287 void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame)
3288 {
3289 #ifdef CONFIG_KALLSYMS
3290- printk("[<%08lx>] (%ps) from [<%08lx>] (%pS)\n", where, (void *)where, from, (void *)from);
3291+ printk("[<%08lx>] (%pA) from [<%08lx>] (%pA)\n", where, (void *)where, from, (void *)from);
3292 #else
3293 printk("Function entered at [<%08lx>] from [<%08lx>]\n", where, from);
3294 #endif
3295@@ -267,6 +267,8 @@ static arch_spinlock_t die_lock = __ARCH_SPIN_LOCK_UNLOCKED;
3296 static int die_owner = -1;
3297 static unsigned int die_nest_count;
3298
3299+extern void gr_handle_kernel_exploit(void);
3300+
3301 static unsigned long oops_begin(void)
3302 {
3303 int cpu;
3304@@ -309,6 +311,9 @@ static void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
3305 panic("Fatal exception in interrupt");
3306 if (panic_on_oops)
3307 panic("Fatal exception");
3308+
3309+ gr_handle_kernel_exploit();
3310+
3311 if (signr)
3312 do_exit(signr);
3313 }
3314@@ -870,7 +875,11 @@ void __init early_trap_init(void *vectors_base)
3315 kuser_init(vectors_base);
3316
3317 flush_icache_range(vectors, vectors + PAGE_SIZE * 2);
3318- modify_domain(DOMAIN_USER, DOMAIN_CLIENT);
3319+
3320+#ifndef CONFIG_PAX_MEMORY_UDEREF
3321+ modify_domain(DOMAIN_USER, DOMAIN_USERCLIENT);
3322+#endif
3323+
3324 #else /* ifndef CONFIG_CPU_V7M */
3325 /*
3326 * on V7-M there is no need to copy the vector table to a dedicated
3327diff --git a/arch/arm/kernel/vmlinux.lds.S b/arch/arm/kernel/vmlinux.lds.S
3328index 8b60fde..8d986dd 100644
3329--- a/arch/arm/kernel/vmlinux.lds.S
3330+++ b/arch/arm/kernel/vmlinux.lds.S
3331@@ -37,7 +37,7 @@
3332 #endif
3333
3334 #if (defined(CONFIG_SMP_ON_UP) && !defined(CONFIG_DEBUG_SPINLOCK)) || \
3335- defined(CONFIG_GENERIC_BUG)
3336+ defined(CONFIG_GENERIC_BUG) || defined(CONFIG_PAX_REFCOUNT)
3337 #define ARM_EXIT_KEEP(x) x
3338 #define ARM_EXIT_DISCARD(x)
3339 #else
3340@@ -120,6 +120,8 @@ SECTIONS
3341 #ifdef CONFIG_DEBUG_RODATA
3342 . = ALIGN(1<<SECTION_SHIFT);
3343 #endif
3344+ _etext = .; /* End of text section */
3345+
3346 RO_DATA(PAGE_SIZE)
3347
3348 . = ALIGN(4);
3349@@ -150,8 +152,6 @@ SECTIONS
3350
3351 NOTES
3352
3353- _etext = .; /* End of text and rodata section */
3354-
3355 #ifndef CONFIG_XIP_KERNEL
3356 # ifdef CONFIG_ARM_KERNMEM_PERMS
3357 . = ALIGN(1<<SECTION_SHIFT);
3358diff --git a/arch/arm/kvm/arm.c b/arch/arm/kvm/arm.c
3359index f9c341c..7430436 100644
3360--- a/arch/arm/kvm/arm.c
3361+++ b/arch/arm/kvm/arm.c
3362@@ -57,7 +57,7 @@ static unsigned long hyp_default_vectors;
3363 static DEFINE_PER_CPU(struct kvm_vcpu *, kvm_arm_running_vcpu);
3364
3365 /* The VMID used in the VTTBR */
3366-static atomic64_t kvm_vmid_gen = ATOMIC64_INIT(1);
3367+static atomic64_unchecked_t kvm_vmid_gen = ATOMIC64_INIT(1);
3368 static u8 kvm_next_vmid;
3369 static DEFINE_SPINLOCK(kvm_vmid_lock);
3370
3371@@ -372,7 +372,7 @@ void force_vm_exit(const cpumask_t *mask)
3372 */
3373 static bool need_new_vmid_gen(struct kvm *kvm)
3374 {
3375- return unlikely(kvm->arch.vmid_gen != atomic64_read(&kvm_vmid_gen));
3376+ return unlikely(kvm->arch.vmid_gen != atomic64_read_unchecked(&kvm_vmid_gen));
3377 }
3378
3379 /**
3380@@ -405,7 +405,7 @@ static void update_vttbr(struct kvm *kvm)
3381
3382 /* First user of a new VMID generation? */
3383 if (unlikely(kvm_next_vmid == 0)) {
3384- atomic64_inc(&kvm_vmid_gen);
3385+ atomic64_inc_unchecked(&kvm_vmid_gen);
3386 kvm_next_vmid = 1;
3387
3388 /*
3389@@ -422,7 +422,7 @@ static void update_vttbr(struct kvm *kvm)
3390 kvm_call_hyp(__kvm_flush_vm_context);
3391 }
3392
3393- kvm->arch.vmid_gen = atomic64_read(&kvm_vmid_gen);
3394+ kvm->arch.vmid_gen = atomic64_read_unchecked(&kvm_vmid_gen);
3395 kvm->arch.vmid = kvm_next_vmid;
3396 kvm_next_vmid++;
3397
3398@@ -1110,7 +1110,7 @@ struct kvm_vcpu *kvm_mpidr_to_vcpu(struct kvm *kvm, unsigned long mpidr)
3399 /**
3400 * Initialize Hyp-mode and memory mappings on all CPUs.
3401 */
3402-int kvm_arch_init(void *opaque)
3403+int kvm_arch_init(const void *opaque)
3404 {
3405 int err;
3406 int ret, cpu;
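Review bot: `kvm_vmid_gen` is switched to `atomic64_unchecked_t` and its accessors to the `_unchecked` variants, but nothing records why this counter may be exempt from overflow checking. Each such exemption has to be re-justified in a later audit, so a comment next to the declaration would help, e.g. `/* generation number, not a reference count: compared for equality only, wrap is harmless */`. That wording matches the visible uses (need_new_vmid_gen() compares with `!=`, update_vttbr() increments and reads) but should be confirmed against the rest of the file.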
3407diff --git a/arch/arm/lib/clear_user.S b/arch/arm/lib/clear_user.S
3408index 1710fd7..ec3e014 100644
3409--- a/arch/arm/lib/clear_user.S
3410+++ b/arch/arm/lib/clear_user.S
3411@@ -12,14 +12,14 @@
3412
3413 .text
3414
3415-/* Prototype: int __clear_user(void *addr, size_t sz)
3416+/* Prototype: int ___clear_user(void *addr, size_t sz)
3417 * Purpose : clear some user memory
3418 * Params : addr - user memory address to clear
3419 * : sz - number of bytes to clear
3420 * Returns : number of bytes NOT cleared
3421 */
3422 ENTRY(__clear_user_std)
3423-WEAK(__clear_user)
3424+WEAK(___clear_user)
3425 stmfd sp!, {r1, lr}
3426 mov r2, #0
3427 cmp r1, #4
3428@@ -44,7 +44,7 @@ WEAK(__clear_user)
3429 USER( strnebt r2, [r0])
3430 mov r0, #0
3431 ldmfd sp!, {r1, pc}
3432-ENDPROC(__clear_user)
3433+ENDPROC(___clear_user)
3434 ENDPROC(__clear_user_std)
3435
3436 .pushsection .text.fixup,"ax"
3437diff --git a/arch/arm/lib/copy_from_user.S b/arch/arm/lib/copy_from_user.S
3438index 7a235b9..73a0556 100644
3439--- a/arch/arm/lib/copy_from_user.S
3440+++ b/arch/arm/lib/copy_from_user.S
3441@@ -17,7 +17,7 @@
3442 /*
3443 * Prototype:
3444 *
3445- * size_t __copy_from_user(void *to, const void *from, size_t n)
3446+ * size_t ___copy_from_user(void *to, const void *from, size_t n)
3447 *
3448 * Purpose:
3449 *
3450@@ -89,11 +89,11 @@
3451
3452 .text
3453
3454-ENTRY(__copy_from_user)
3455+ENTRY(___copy_from_user)
3456
3457 #include "copy_template.S"
3458
3459-ENDPROC(__copy_from_user)
3460+ENDPROC(___copy_from_user)
3461
3462 .pushsection .fixup,"ax"
3463 .align 0
3464diff --git a/arch/arm/lib/copy_page.S b/arch/arm/lib/copy_page.S
3465index 6ee2f67..d1cce76 100644
3466--- a/arch/arm/lib/copy_page.S
3467+++ b/arch/arm/lib/copy_page.S
3468@@ -10,6 +10,7 @@
3469 * ASM optimised string functions
3470 */
3471 #include <linux/linkage.h>
3472+#include <linux/const.h>
3473 #include <asm/assembler.h>
3474 #include <asm/asm-offsets.h>
3475 #include <asm/cache.h>
3476diff --git a/arch/arm/lib/copy_to_user.S b/arch/arm/lib/copy_to_user.S
3477index 9648b06..19c333c 100644
3478--- a/arch/arm/lib/copy_to_user.S
3479+++ b/arch/arm/lib/copy_to_user.S
3480@@ -17,7 +17,7 @@
3481 /*
3482 * Prototype:
3483 *
3484- * size_t __copy_to_user(void *to, const void *from, size_t n)
3485+ * size_t ___copy_to_user(void *to, const void *from, size_t n)
3486 *
3487 * Purpose:
3488 *
3489@@ -93,11 +93,11 @@
3490 .text
3491
3492 ENTRY(__copy_to_user_std)
3493-WEAK(__copy_to_user)
3494+WEAK(___copy_to_user)
3495
3496 #include "copy_template.S"
3497
3498-ENDPROC(__copy_to_user)
3499+ENDPROC(___copy_to_user)
3500 ENDPROC(__copy_to_user_std)
3501
3502 .pushsection .text.fixup,"ax"
3503diff --git a/arch/arm/lib/csumpartialcopyuser.S b/arch/arm/lib/csumpartialcopyuser.S
3504index 1d0957e..f708846 100644
3505--- a/arch/arm/lib/csumpartialcopyuser.S
3506+++ b/arch/arm/lib/csumpartialcopyuser.S
3507@@ -57,8 +57,8 @@
3508 * Returns : r0 = checksum, [[sp, #0], #0] = 0 or -EFAULT
3509 */
3510
3511-#define FN_ENTRY ENTRY(csum_partial_copy_from_user)
3512-#define FN_EXIT ENDPROC(csum_partial_copy_from_user)
3513+#define FN_ENTRY ENTRY(__csum_partial_copy_from_user)
3514+#define FN_EXIT ENDPROC(__csum_partial_copy_from_user)
3515
3516 #include "csumpartialcopygeneric.S"
3517
3518diff --git a/arch/arm/lib/delay.c b/arch/arm/lib/delay.c
3519index 8044591..c9b2609 100644
3520--- a/arch/arm/lib/delay.c
3521+++ b/arch/arm/lib/delay.c
3522@@ -29,7 +29,7 @@
3523 /*
3524 * Default to the loop-based delay implementation.
3525 */
3526-struct arm_delay_ops arm_delay_ops = {
3527+struct arm_delay_ops arm_delay_ops __read_only = {
3528 .delay = __loop_delay,
3529 .const_udelay = __loop_const_udelay,
3530 .udelay = __loop_udelay,
3531diff --git a/arch/arm/lib/uaccess_with_memcpy.c b/arch/arm/lib/uaccess_with_memcpy.c
3532index 4b39af2..9ae747d 100644
3533--- a/arch/arm/lib/uaccess_with_memcpy.c
3534+++ b/arch/arm/lib/uaccess_with_memcpy.c
3535@@ -85,7 +85,7 @@ pin_page_for_write(const void __user *_addr, pte_t **ptep, spinlock_t **ptlp)
3536 return 1;
3537 }
3538
3539-static unsigned long noinline
3540+static unsigned long noinline __size_overflow(3)
3541 __copy_to_user_memcpy(void __user *to, const void *from, unsigned long n)
3542 {
3543 int atomic;
3544@@ -136,7 +136,7 @@ out:
3545 }
3546
3547 unsigned long
3548-__copy_to_user(void __user *to, const void *from, unsigned long n)
3549+___copy_to_user(void __user *to, const void *from, unsigned long n)
3550 {
3551 /*
3552 * This test is stubbed out of the main function above to keep
3553@@ -150,7 +150,7 @@ __copy_to_user(void __user *to, const void *from, unsigned long n)
3554 return __copy_to_user_memcpy(to, from, n);
3555 }
3556
3557-static unsigned long noinline
3558+static unsigned long noinline __size_overflow(2)
3559 __clear_user_memset(void __user *addr, unsigned long n)
3560 {
3561 if (unlikely(segment_eq(get_fs(), KERNEL_DS))) {
3562@@ -190,7 +190,7 @@ out:
3563 return n;
3564 }
3565
3566-unsigned long __clear_user(void __user *addr, unsigned long n)
3567+unsigned long ___clear_user(void __user *addr, unsigned long n)
3568 {
3569 /* See rational for this in __copy_to_user() above. */
3570 if (n < 64)
3571diff --git a/arch/arm/mach-exynos/suspend.c b/arch/arm/mach-exynos/suspend.c
3572index f572219..2cf36d5 100644
3573--- a/arch/arm/mach-exynos/suspend.c
3574+++ b/arch/arm/mach-exynos/suspend.c
3575@@ -732,8 +732,10 @@ void __init exynos_pm_init(void)
3576 tmp |= pm_data->wake_disable_mask;
3577 pmu_raw_writel(tmp, S5P_WAKEUP_MASK);
3578
3579- exynos_pm_syscore_ops.suspend = pm_data->pm_suspend;
3580- exynos_pm_syscore_ops.resume = pm_data->pm_resume;
3581+ pax_open_kernel();
3582+ *(void **)&exynos_pm_syscore_ops.suspend = pm_data->pm_suspend;
3583+ *(void **)&exynos_pm_syscore_ops.resume = pm_data->pm_resume;
3584+ pax_close_kernel();
3585
3586 register_syscore_ops(&exynos_pm_syscore_ops);
3587 suspend_set_ops(&exynos_suspend_ops);
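Review bot: The two stores in exynos_pm_init() now go through `*(void **)&exynos_pm_syscore_ops.suspend` and `.resume`, which discards the member's function-pointer type. The compiler therefore no longer checks that `pm_data->pm_suspend` and `pm_data->pm_resume` have the signatures the ops structure expects. The same cast is used in arch/arm/mach-omap2/powerdomains43xx_data.c and in the three mach-shmobile files (platsmp-apmu.c, pm-r8a7740.c, pm-sh73a0.c). These are exactly the writes made while kernel write protection is lifted, so each site should at least carry a comment, e.g. `/* cast bypasses the type check on this ops member; keep handler signatures in sync by hand */`. A small typed setter per ops structure would restore the check, if the patch's conventions allow it.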
3588diff --git a/arch/arm/mach-mvebu/coherency.c b/arch/arm/mach-mvebu/coherency.c
3589index e46e9ea..9141c83 100644
3590--- a/arch/arm/mach-mvebu/coherency.c
3591+++ b/arch/arm/mach-mvebu/coherency.c
3592@@ -117,7 +117,7 @@ static void __init armada_370_coherency_init(struct device_node *np)
3593
3594 /*
3595 * This ioremap hook is used on Armada 375/38x to ensure that PCIe
3596- * memory areas are mapped as MT_UNCACHED instead of MT_DEVICE. This
3597+ * memory areas are mapped as MT_UNCACHED_RW instead of MT_DEVICE. This
3598 * is needed as a workaround for a deadlock issue between the PCIe
3599 * interface and the cache controller.
3600 */
3601@@ -130,7 +130,7 @@ armada_pcie_wa_ioremap_caller(phys_addr_t phys_addr, size_t size,
3602 mvebu_mbus_get_pcie_mem_aperture(&pcie_mem);
3603
3604 if (pcie_mem.start <= phys_addr && (phys_addr + size) <= pcie_mem.end)
3605- mtype = MT_UNCACHED;
3606+ mtype = MT_UNCACHED_RW;
3607
3608 return __arm_ioremap_caller(phys_addr, size, mtype, caller);
3609 }
3610diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c
3611index b6443a4..20a0b74 100644
3612--- a/arch/arm/mach-omap2/board-n8x0.c
3613+++ b/arch/arm/mach-omap2/board-n8x0.c
3614@@ -569,7 +569,7 @@ static int n8x0_menelaus_late_init(struct device *dev)
3615 }
3616 #endif
3617
3618-struct menelaus_platform_data n8x0_menelaus_platform_data __initdata = {
3619+struct menelaus_platform_data n8x0_menelaus_platform_data __initconst = {
3620 .late_init = n8x0_menelaus_late_init,
3621 };
3622
3623diff --git a/arch/arm/mach-omap2/omap-mpuss-lowpower.c b/arch/arm/mach-omap2/omap-mpuss-lowpower.c
3624index 79f49d9..70bf184 100644
3625--- a/arch/arm/mach-omap2/omap-mpuss-lowpower.c
3626+++ b/arch/arm/mach-omap2/omap-mpuss-lowpower.c
3627@@ -86,7 +86,7 @@ struct cpu_pm_ops {
3628 void (*resume)(void);
3629 void (*scu_prepare)(unsigned int cpu_id, unsigned int cpu_state);
3630 void (*hotplug_restart)(void);
3631-};
3632+} __no_const;
3633
3634 static DEFINE_PER_CPU(struct omap4_cpu_pm_info, omap4_pm_info);
3635 static struct powerdomain *mpuss_pd;
3636@@ -105,7 +105,7 @@ static void dummy_cpu_resume(void)
3637 static void dummy_scu_prepare(unsigned int cpu_id, unsigned int cpu_state)
3638 {}
3639
3640-struct cpu_pm_ops omap_pm_ops = {
3641+static struct cpu_pm_ops omap_pm_ops __read_only = {
3642 .finish_suspend = default_finish_suspend,
3643 .resume = dummy_cpu_resume,
3644 .scu_prepare = dummy_scu_prepare,
3645diff --git a/arch/arm/mach-omap2/omap-smp.c b/arch/arm/mach-omap2/omap-smp.c
3646index 5305ec7..6d74045 100644
3647--- a/arch/arm/mach-omap2/omap-smp.c
3648+++ b/arch/arm/mach-omap2/omap-smp.c
3649@@ -19,6 +19,7 @@
3650 #include <linux/device.h>
3651 #include <linux/smp.h>
3652 #include <linux/io.h>
3653+#include <linux/irq.h>
3654 #include <linux/irqchip/arm-gic.h>
3655
3656 #include <asm/smp_scu.h>
3657diff --git a/arch/arm/mach-omap2/omap-wakeupgen.c b/arch/arm/mach-omap2/omap-wakeupgen.c
3658index e1d2e99..d9b3177 100644
3659--- a/arch/arm/mach-omap2/omap-wakeupgen.c
3660+++ b/arch/arm/mach-omap2/omap-wakeupgen.c
3661@@ -330,7 +330,7 @@ static int irq_cpu_hotplug_notify(struct notifier_block *self,
3662 return NOTIFY_OK;
3663 }
3664
3665-static struct notifier_block __refdata irq_hotplug_notifier = {
3666+static struct notifier_block irq_hotplug_notifier = {
3667 .notifier_call = irq_cpu_hotplug_notify,
3668 };
3669
3670diff --git a/arch/arm/mach-omap2/omap_device.c b/arch/arm/mach-omap2/omap_device.c
3671index 4cb8fd9..5ce65bc 100644
3672--- a/arch/arm/mach-omap2/omap_device.c
3673+++ b/arch/arm/mach-omap2/omap_device.c
3674@@ -504,7 +504,7 @@ void omap_device_delete(struct omap_device *od)
3675 struct platform_device __init *omap_device_build(const char *pdev_name,
3676 int pdev_id,
3677 struct omap_hwmod *oh,
3678- void *pdata, int pdata_len)
3679+ const void *pdata, int pdata_len)
3680 {
3681 struct omap_hwmod *ohs[] = { oh };
3682
3683@@ -532,7 +532,7 @@ struct platform_device __init *omap_device_build(const char *pdev_name,
3684 struct platform_device __init *omap_device_build_ss(const char *pdev_name,
3685 int pdev_id,
3686 struct omap_hwmod **ohs,
3687- int oh_cnt, void *pdata,
3688+ int oh_cnt, const void *pdata,
3689 int pdata_len)
3690 {
3691 int ret = -ENOMEM;
3692diff --git a/arch/arm/mach-omap2/omap_device.h b/arch/arm/mach-omap2/omap_device.h
3693index 78c02b3..c94109a 100644
3694--- a/arch/arm/mach-omap2/omap_device.h
3695+++ b/arch/arm/mach-omap2/omap_device.h
3696@@ -72,12 +72,12 @@ int omap_device_idle(struct platform_device *pdev);
3697 /* Core code interface */
3698
3699 struct platform_device *omap_device_build(const char *pdev_name, int pdev_id,
3700- struct omap_hwmod *oh, void *pdata,
3701+ struct omap_hwmod *oh, const void *pdata,
3702 int pdata_len);
3703
3704 struct platform_device *omap_device_build_ss(const char *pdev_name, int pdev_id,
3705 struct omap_hwmod **oh, int oh_cnt,
3706- void *pdata, int pdata_len);
3707+ const void *pdata, int pdata_len);
3708
3709 struct omap_device *omap_device_alloc(struct platform_device *pdev,
3710 struct omap_hwmod **ohs, int oh_cnt);
3711diff --git a/arch/arm/mach-omap2/omap_hwmod.c b/arch/arm/mach-omap2/omap_hwmod.c
3712index 486cc4d..8d1a0b7 100644
3713--- a/arch/arm/mach-omap2/omap_hwmod.c
3714+++ b/arch/arm/mach-omap2/omap_hwmod.c
3715@@ -199,10 +199,10 @@ struct omap_hwmod_soc_ops {
3716 int (*init_clkdm)(struct omap_hwmod *oh);
3717 void (*update_context_lost)(struct omap_hwmod *oh);
3718 int (*get_context_lost)(struct omap_hwmod *oh);
3719-};
3720+} __no_const;
3721
3722 /* soc_ops: adapts the omap_hwmod code to the currently-booted SoC */
3723-static struct omap_hwmod_soc_ops soc_ops;
3724+static struct omap_hwmod_soc_ops soc_ops __read_only;
3725
3726 /* omap_hwmod_list contains all registered struct omap_hwmods */
3727 static LIST_HEAD(omap_hwmod_list);
3728diff --git a/arch/arm/mach-omap2/powerdomains43xx_data.c b/arch/arm/mach-omap2/powerdomains43xx_data.c
3729index 95fee54..cfa9cf1 100644
3730--- a/arch/arm/mach-omap2/powerdomains43xx_data.c
3731+++ b/arch/arm/mach-omap2/powerdomains43xx_data.c
3732@@ -10,6 +10,7 @@
3733
3734 #include <linux/kernel.h>
3735 #include <linux/init.h>
3736+#include <asm/pgtable.h>
3737
3738 #include "powerdomain.h"
3739
3740@@ -129,7 +130,9 @@ static int am43xx_check_vcvp(void)
3741
3742 void __init am43xx_powerdomains_init(void)
3743 {
3744- omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;
3745+ pax_open_kernel();
3746+ *(void **)&omap4_pwrdm_operations.pwrdm_has_voltdm = am43xx_check_vcvp;
3747+ pax_close_kernel();
3748 pwrdm_register_platform_funcs(&omap4_pwrdm_operations);
3749 pwrdm_register_pwrdms(powerdomains_am43xx);
3750 pwrdm_complete_init();
3751diff --git a/arch/arm/mach-omap2/wd_timer.c b/arch/arm/mach-omap2/wd_timer.c
3752index ff0a68c..b312aa0 100644
3753--- a/arch/arm/mach-omap2/wd_timer.c
3754+++ b/arch/arm/mach-omap2/wd_timer.c
3755@@ -110,7 +110,9 @@ static int __init omap_init_wdt(void)
3756 struct omap_hwmod *oh;
3757 char *oh_name = "wd_timer2";
3758 char *dev_name = "omap_wdt";
3759- struct omap_wd_timer_platform_data pdata;
3760+ static struct omap_wd_timer_platform_data pdata = {
3761+ .read_reset_sources = prm_read_reset_sources
3762+ };
3763
3764 if (!cpu_class_is_omap2() || of_have_populated_dt())
3765 return 0;
3766@@ -121,8 +123,6 @@ static int __init omap_init_wdt(void)
3767 return -EINVAL;
3768 }
3769
3770- pdata.read_reset_sources = prm_read_reset_sources;
3771-
3772 pdev = omap_device_build(dev_name, id, oh, &pdata,
3773 sizeof(struct omap_wd_timer_platform_data));
3774 WARN(IS_ERR(pdev), "Can't build omap_device for %s:%s.\n",
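Review bot: `pdata` in omap_init_wdt() becomes a `static` object with an initializer, yet it is not declared `const`, even though the same patch changes omap_device_build() to take `const void *pdata`. Declaring it `static const struct omap_wd_timer_platform_data pdata = {` states the intent in the source and keeps the function pointer out of writable data regardless of build configuration. The rest of omap_init_wdt() lies outside the two hunks.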
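--- a/arch/arm/mach-shmobile/platsmp-apmu.c
+++ b/arch/arm/mach-shmobile/platsmp-apmu.c
@@ -22,6 +22,7 @@
 #include <asm/proc-fns.h>
 #include <asm/smp_plat.h>
 #include <asm/suspend.h>
+#include <asm/pgtable.h>
 #include "common.h"
 #include "platsmp-apmu.h"
 
@@ -233,6 +234,8 @@ static int shmobile_smp_apmu_enter_suspend(suspend_state_t state)
 
 void __init shmobile_smp_apmu_suspend_init(void)
 {
- shmobile_suspend_ops.enter = shmobile_smp_apmu_enter_suspend;
+ pax_open_kernel();
+ *(void **)&shmobile_suspend_ops.enter = shmobile_smp_apmu_enter_suspend;
+ pax_close_kernel();
 }
 #endif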
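--- a/arch/arm/mach-shmobile/pm-r8a7740.c
+++ b/arch/arm/mach-shmobile/pm-r8a7740.c
@@ -11,6 +11,7 @@
 #include <linux/console.h>
 #include <linux/io.h>
 #include <linux/suspend.h>
+#include <asm/pgtable.h>
 
 #include "common.h"
 #include "pm-rmobile.h"
@@ -117,7 +118,9 @@ static int r8a7740_enter_suspend(suspend_state_t suspend_state)
 
 static void r8a7740_suspend_init(void)
 {
- shmobile_suspend_ops.enter = r8a7740_enter_suspend;
+ pax_open_kernel();
+ *(void **)&shmobile_suspend_ops.enter = r8a7740_enter_suspend;
+ pax_close_kernel();
 }
 #else
 static void r8a7740_suspend_init(void) {}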
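--- a/arch/arm/mach-shmobile/pm-sh73a0.c
+++ b/arch/arm/mach-shmobile/pm-sh73a0.c
@@ -9,6 +9,7 @@
 */
 
 #include <linux/suspend.h>
+#include <asm/pgtable.h>
 #include "common.h"
 
 #ifdef CONFIG_SUSPEND
@@ -20,7 +21,9 @@ static int sh73a0_enter_suspend(suspend_state_t suspend_state)
 
 static void sh73a0_suspend_init(void)
 {
- shmobile_suspend_ops.enter = sh73a0_enter_suspend;
+ pax_open_kernel();
+ *(void **)&shmobile_suspend_ops.enter = sh73a0_enter_suspend;
+ pax_close_kernel();
 }
 #else
 static void sh73a0_suspend_init(void) {}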
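--- a/arch/arm/mach-tegra/cpuidle-tegra20.c
+++ b/arch/arm/mach-tegra/cpuidle-tegra20.c
@@ -177,7 +177,7 @@ static int tegra20_idle_lp2_coupled(struct cpuidle_device *dev,
 bool entered_lp2 = false;
 
 if (tegra_pending_sgi())
- ACCESS_ONCE(abort_flag) = true;
+ ACCESS_ONCE_RW(abort_flag) = true;
 
 cpuidle_coupled_parallel_barrier(dev, &abort_barrier);
 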
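--- a/arch/arm/mach-tegra/irq.c
+++ b/arch/arm/mach-tegra/irq.c
@@ -20,6 +20,7 @@
 #include <linux/cpu_pm.h>
 #include <linux/interrupt.h>
 #include <linux/io.h>
+#include <linux/irq.h>
 #include <linux/irqchip/arm-gic.h>
 #include <linux/irq.h>
 #include <linux/kernel.h>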
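Review bot: The added `#include <linux/irq.h>` duplicates the one already present two lines further down, after `<linux/irqchip/arm-gic.h>`. If the intent is that `<linux/irq.h>` must precede the GIC header, as the matching additions in mach-ux500/pm.c and mach-zynq/platsmp.c suggest, the existing line should be moved up instead of adding a second copy. Include guards make the duplicate harmless, but it hides the ordering requirement from the next reader.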
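--- a/arch/arm/mach-ux500/pm.c
+++ b/arch/arm/mach-ux500/pm.c
@@ -10,6 +10,7 @@
 */
 
 #include <linux/kernel.h>
+#include <linux/irq.h>
 #include <linux/irqchip/arm-gic.h>
 #include <linux/delay.h>
 #include <linux/io.h>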
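--- a/arch/arm/mach-zynq/platsmp.c
+++ b/arch/arm/mach-zynq/platsmp.c
@@ -24,6 +24,7 @@
 #include <linux/io.h>
 #include <asm/cacheflush.h>
 #include <asm/smp_scu.h>
+#include <linux/irq.h>
 #include <linux/irqchip/arm-gic.h>
 #include "common.h"
 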
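--- a/arch/arm/mm/Kconfig
+++ b/arch/arm/mm/Kconfig
@@ -446,6 +446,7 @@ config CPU_32v5
 
 config CPU_32v6
 bool
+ select CPU_USE_DOMAINS if CPU_V6 && MMU && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
 select TLS_REG_EMUL if !CPU_32v6K && !MMU
 
 config CPU_32v6K
@@ -600,6 +601,7 @@ config CPU_CP15_MPU
 
 config CPU_USE_DOMAINS
 bool
+ depends on !ARM_LPAE && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
 help
 This option enables or disables the use of domain switching
 via the set_fs() function.
@@ -818,7 +820,7 @@ config NEED_KUSER_HELPERS
 
 config KUSER_HELPERS
 bool "Enable kuser helpers in vector page" if !NEED_KUSER_HELPERS
- depends on MMU
+ depends on MMU && (!(CPU_V6 || CPU_V6K || CPU_V7) || GRKERNSEC_OLD_ARM_USERLAND)
 default y
 help
 Warning: disabling this option may break user programs.
@@ -832,7 +834,7 @@ config KUSER_HELPERS
 See Documentation/arm/kernel_user_helpers.txt for details.
 
 However, the fixed address nature of these helpers can be used
- by ROP (return orientated programming) authors when creating
+ by ROP (Return Oriented Programming) authors when creating
 exploits.
 
 If all of the binaries and libraries which run on your platform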
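Review bot: The new `depends on !ARM_LPAE && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF` on CPU_USE_DOMAINS does not keep the symbol off by itself, because a `select` forces a symbol on regardless of its `depends on`. Here the exclusion actually comes from the condition repeated on the `select CPU_USE_DOMAINS if …` line under CPU_32v6, so any other selector in the tree (none is visible in this section) would need the same condition. Separately, the KUSER_HELPERS help text is not updated for the new dependency. A sentence such as `On ARMv6/ARMv7 this option is only offered when GRKERNSEC_OLD_ARM_USERLAND is set.` would tell users why the prompt has disappeared.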
3930diff --git a/arch/arm/mm/alignment.c b/arch/arm/mm/alignment.c
3931index 9769f1e..16aaa55 100644
3932--- a/arch/arm/mm/alignment.c
3933+++ b/arch/arm/mm/alignment.c
3934@@ -216,10 +216,12 @@ union offset_union {
3935 #define __get16_unaligned_check(ins,val,addr) \
3936 do { \
3937 unsigned int err = 0, v, a = addr; \
3938+ pax_open_userland(); \
3939 __get8_unaligned_check(ins,v,a,err); \
3940 val = v << ((BE) ? 8 : 0); \
3941 __get8_unaligned_check(ins,v,a,err); \
3942 val |= v << ((BE) ? 0 : 8); \
3943+ pax_close_userland(); \
3944 if (err) \
3945 goto fault; \
3946 } while (0)
3947@@ -233,6 +235,7 @@ union offset_union {
3948 #define __get32_unaligned_check(ins,val,addr) \
3949 do { \
3950 unsigned int err = 0, v, a = addr; \
3951+ pax_open_userland(); \
3952 __get8_unaligned_check(ins,v,a,err); \
3953 val = v << ((BE) ? 24 : 0); \
3954 __get8_unaligned_check(ins,v,a,err); \
3955@@ -241,6 +244,7 @@ union offset_union {
3956 val |= v << ((BE) ? 8 : 16); \
3957 __get8_unaligned_check(ins,v,a,err); \
3958 val |= v << ((BE) ? 0 : 24); \
3959+ pax_close_userland(); \
3960 if (err) \
3961 goto fault; \
3962 } while (0)
3963@@ -254,6 +258,7 @@ union offset_union {
3964 #define __put16_unaligned_check(ins,val,addr) \
3965 do { \
3966 unsigned int err = 0, v = val, a = addr; \
3967+ pax_open_userland(); \
3968 __asm__( FIRST_BYTE_16 \
3969 ARM( "1: "ins" %1, [%2], #1\n" ) \
3970 THUMB( "1: "ins" %1, [%2]\n" ) \
3971@@ -273,6 +278,7 @@ union offset_union {
3972 " .popsection\n" \
3973 : "=r" (err), "=&r" (v), "=&r" (a) \
3974 : "0" (err), "1" (v), "2" (a)); \
3975+ pax_close_userland(); \
3976 if (err) \
3977 goto fault; \
3978 } while (0)
3979@@ -286,6 +292,7 @@ union offset_union {
3980 #define __put32_unaligned_check(ins,val,addr) \
3981 do { \
3982 unsigned int err = 0, v = val, a = addr; \
3983+ pax_open_userland(); \
3984 __asm__( FIRST_BYTE_32 \
3985 ARM( "1: "ins" %1, [%2], #1\n" ) \
3986 THUMB( "1: "ins" %1, [%2]\n" ) \
3987@@ -315,6 +322,7 @@ union offset_union {
3988 " .popsection\n" \
3989 : "=r" (err), "=&r" (v), "=&r" (a) \
3990 : "0" (err), "1" (v), "2" (a)); \
3991+ pax_close_userland(); \
3992 if (err) \
3993 goto fault; \
3994 } while (0)
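Review bot: The `__get16_unaligned_check`, `__get32_unaligned_check`, `__put16_unaligned_check` and `__put32_unaligned_check` macros now rely on `pax_close_userland()` running before the `if (err) goto fault;` exit, and nothing in the macros says so. A comment at the first of them, e.g. `/* UDEREF: close the userland window before any exit path, including goto fault */`, would keep a later edit from moving the error check inside the window. `__get8_unaligned_check`, which the get macros expand, is outside the hunks, so whether it has an exit path of its own cannot be confirmed from this page.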
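--- a/arch/arm/mm/cache-l2x0.c
+++ b/arch/arm/mm/cache-l2x0.c
@@ -44,7 +44,7 @@ struct l2c_init_data {
 void (*configure)(void __iomem *);
 void (*unlock)(void __iomem *, unsigned);
 struct outer_cache_fns outer_cache;
-};
+} __do_const;
 
 #define CACHE_LINE_SIZE 32
 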
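--- a/arch/arm/mm/context.c
+++ b/arch/arm/mm/context.c
@@ -43,7 +43,7 @@
 #define NUM_USER_ASIDS ASID_FIRST_VERSION
 
 static DEFINE_RAW_SPINLOCK(cpu_asid_lock);
-static atomic64_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
+static atomic64_unchecked_t asid_generation = ATOMIC64_INIT(ASID_FIRST_VERSION);
 static DECLARE_BITMAP(asid_map, NUM_USER_ASIDS);
 
 static DEFINE_PER_CPU(atomic64_t, active_asids);
@@ -178,7 +178,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
 {
 static u32 cur_idx = 1;
 u64 asid = atomic64_read(&mm->context.id);
- u64 generation = atomic64_read(&asid_generation);
+ u64 generation = atomic64_read_unchecked(&asid_generation);
 
 if (asid != 0) {
 /*
@@ -208,7 +208,7 @@ static u64 new_context(struct mm_struct *mm, unsigned int cpu)
 */
 asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, cur_idx);
 if (asid == NUM_USER_ASIDS) {
- generation = atomic64_add_return(ASID_FIRST_VERSION,
+ generation = atomic64_add_return_unchecked(ASID_FIRST_VERSION,
 &asid_generation);
 flush_context(cpu);
 asid = find_next_zero_bit(asid_map, NUM_USER_ASIDS, 1);
@@ -240,14 +240,14 @@ void check_and_switch_context(struct mm_struct *mm, struct task_struct *tsk)
 cpu_set_reserved_ttbr0();
 
 asid = atomic64_read(&mm->context.id);
- if (!((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS)
+ if (!((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS)
 && atomic64_xchg(&per_cpu(active_asids, cpu), asid))
 goto switch_mm_fastpath;
 
 raw_spin_lock_irqsave(&cpu_asid_lock, flags);
 /* Check that our ASID belongs to the current generation. */
 asid = atomic64_read(&mm->context.id);
- if ((asid ^ atomic64_read(&asid_generation)) >> ASID_BITS) {
+ if ((asid ^ atomic64_read_unchecked(&asid_generation)) >> ASID_BITS) {
 asid = new_context(mm, cpu);
 atomic64_set(&mm->context.id, asid);
 }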
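Review bot: `asid_generation` is switched to `atomic64_unchecked_t`, and its three reads and the `atomic64_add_return_unchecked()` call follow, but the declaration carries no comment saying why this counter is exempt. A line such as `/* generation counter, not a reference count: excluded from PAX_REFCOUNT overflow detection */` at the declaration would document it, assuming that is what the `_unchecked` variants mean (their definitions are not on this page). `active_asids` and `mm->context.id` stay on the plain `atomic64_t` API in the same hunks, so a reader cannot tell whether that difference is deliberate.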
4056diff --git a/arch/arm/mm/fault.c b/arch/arm/mm/fault.c
4057index 0d629b8..01867c8 100644
4058--- a/arch/arm/mm/fault.c
4059+++ b/arch/arm/mm/fault.c
4060@@ -25,6 +25,7 @@
4061 #include <asm/system_misc.h>
4062 #include <asm/system_info.h>
4063 #include <asm/tlbflush.h>
4064+#include <asm/sections.h>
4065
4066 #include "fault.h"
4067
4068@@ -138,6 +139,31 @@ __do_kernel_fault(struct mm_struct *mm, unsigned long addr, unsigned int fsr,
4069 if (fixup_exception(regs))
4070 return;
4071
4072+#ifdef CONFIG_PAX_MEMORY_UDEREF
4073+ if (addr < TASK_SIZE) {
4074+ if (current->signal->curr_ip)
4075+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4076+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4077+ else
4078+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current),
4079+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4080+ }
4081+#endif
4082+
4083+#ifdef CONFIG_PAX_KERNEXEC
4084+ if ((fsr & FSR_WRITE) &&
4085+ (((unsigned long)_stext <= addr && addr < init_mm.end_code) ||
4086+ (MODULES_VADDR <= addr && addr < MODULES_END)))
4087+ {
4088+ if (current->signal->curr_ip)
4089+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4090+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
4091+ else
4092+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current),
4093+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
4094+ }
4095+#endif
4096+
4097 /*
4098 * No handler, we'll have to terminate things with extreme prejudice.
4099 */
4100@@ -173,6 +199,13 @@ __do_user_fault(struct task_struct *tsk, unsigned long addr,
4101 }
4102 #endif
4103
4104+#ifdef CONFIG_PAX_PAGEEXEC
4105+ if (fsr & FSR_LNX_PF) {
4106+ pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
4107+ do_group_exit(SIGKILL);
4108+ }
4109+#endif
4110+
4111 tsk->thread.address = addr;
4112 tsk->thread.error_code = fsr;
4113 tsk->thread.trap_no = 14;
4114@@ -400,6 +433,33 @@ do_page_fault(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
4115 }
4116 #endif /* CONFIG_MMU */
4117
4118+#ifdef CONFIG_PAX_PAGEEXEC
4119+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
4120+{
4121+ long i;
4122+
4123+ printk(KERN_ERR "PAX: bytes at PC: ");
4124+ for (i = 0; i < 20; i++) {
4125+ unsigned char c;
4126+ if (get_user(c, (__force unsigned char __user *)pc+i))
4127+ printk(KERN_CONT "?? ");
4128+ else
4129+ printk(KERN_CONT "%02x ", c);
4130+ }
4131+ printk("\n");
4132+
4133+ printk(KERN_ERR "PAX: bytes at SP-4: ");
4134+ for (i = -1; i < 20; i++) {
4135+ unsigned long c;
4136+ if (get_user(c, (__force unsigned long __user *)sp+i))
4137+ printk(KERN_CONT "???????? ");
4138+ else
4139+ printk(KERN_CONT "%08lx ", c);
4140+ }
4141+ printk("\n");
4142+}
4143+#endif
4144+
4145 /*
4146 * First Level Translation Fault Handler
4147 *
4148@@ -547,9 +607,22 @@ do_DataAbort(unsigned long addr, unsigned int fsr, struct pt_regs *regs)
4149 const struct fsr_info *inf = fsr_info + fsr_fs(fsr);
4150 struct siginfo info;
4151
4152+#ifdef CONFIG_PAX_MEMORY_UDEREF
4153+ if (addr < TASK_SIZE && is_domain_fault(fsr)) {
4154+ if (current->signal->curr_ip)
4155+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4156+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4157+ else
4158+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to access userland memory at %08lx\n", current->comm, task_pid_nr(current),
4159+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()), addr);
4160+ goto die;
4161+ }
4162+#endif
4163+
4164 if (!inf->fn(addr, fsr & ~FSR_LNX_PF, regs))
4165 return;
4166
4167+die:
4168 pr_alert("Unhandled fault: %s (0x%03x) at 0x%08lx\n",
4169 inf->name, fsr, addr);
4170 show_pte(current->mm, addr);
4171@@ -574,15 +647,104 @@ hook_ifault_code(int nr, int (*fn)(unsigned long, unsigned int, struct pt_regs *
4172 ifsr_info[nr].name = name;
4173 }
4174
4175+asmlinkage int sys_sigreturn(struct pt_regs *regs);
4176+asmlinkage int sys_rt_sigreturn(struct pt_regs *regs);
4177+
4178 asmlinkage void __exception
4179 do_PrefetchAbort(unsigned long addr, unsigned int ifsr, struct pt_regs *regs)
4180 {
4181 const struct fsr_info *inf = ifsr_info + fsr_fs(ifsr);
4182 struct siginfo info;
4183+ unsigned long pc = instruction_pointer(regs);
4184+
4185+ if (user_mode(regs)) {
4186+ unsigned long sigpage = current->mm->context.sigpage;
4187+
4188+ if (sigpage <= pc && pc < sigpage + 7*4) {
4189+ if (pc < sigpage + 3*4)
4190+ sys_sigreturn(regs);
4191+ else
4192+ sys_rt_sigreturn(regs);
4193+ return;
4194+ }
4195+ if (pc == 0xffff0f60UL) {
4196+ /*
4197+ * PaX: __kuser_cmpxchg64 emulation
4198+ */
4199+ // TODO
4200+ //regs->ARM_pc = regs->ARM_lr;
4201+ //return;
4202+ }
4203+ if (pc == 0xffff0fa0UL) {
4204+ /*
4205+ * PaX: __kuser_memory_barrier emulation
4206+ */
4207+ // dmb(); implied by the exception
4208+ regs->ARM_pc = regs->ARM_lr;
4209+ return;
4210+ }
4211+ if (pc == 0xffff0fc0UL) {
4212+ /*
4213+ * PaX: __kuser_cmpxchg emulation
4214+ */
4215+ // TODO
4216+ //long new;
4217+ //int op;
4218+
4219+ //op = FUTEX_OP_SET << 28;
4220+ //new = futex_atomic_op_inuser(op, regs->ARM_r2);
4221+ //regs->ARM_r0 = old != new;
4222+ //regs->ARM_pc = regs->ARM_lr;
4223+ //return;
4224+ }
4225+ if (pc == 0xffff0fe0UL) {
4226+ /*
4227+ * PaX: __kuser_get_tls emulation
4228+ */
4229+ regs->ARM_r0 = current_thread_info()->tp_value[0];
4230+ regs->ARM_pc = regs->ARM_lr;
4231+ return;
4232+ }
4233+ }
4234+
4235+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
4236+ else if (is_domain_fault(ifsr) || is_xn_fault(ifsr)) {
4237+ if (current->signal->curr_ip)
4238+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", &current->signal->curr_ip, current->comm, task_pid_nr(current),
4239+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
4240+ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
4241+ else
4242+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to execute %s memory at %08lx\n", current->comm, task_pid_nr(current),
4243+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()),
4244+ pc >= TASK_SIZE ? "non-executable kernel" : "userland", pc);
4245+ goto die;
4246+ }
4247+#endif
4248+
4249+#ifdef CONFIG_PAX_REFCOUNT
4250+ if (fsr_fs(ifsr) == FAULT_CODE_DEBUG) {
4251+#ifdef CONFIG_THUMB2_KERNEL
4252+ unsigned short bkpt;
4253+
4254+ if (!probe_kernel_address(pc, bkpt) && cpu_to_le16(bkpt) == 0xbef1) {
4255+#else
4256+ unsigned int bkpt;
4257+
4258+ if (!probe_kernel_address(pc, bkpt) && cpu_to_le32(bkpt) == 0xe12f1073) {
4259+#endif
4260+ current->thread.error_code = ifsr;
4261+ current->thread.trap_no = 0;
4262+ pax_report_refcount_overflow(regs);
4263+ fixup_exception(regs);
4264+ return;
4265+ }
4266+ }
4267+#endif
4268
4269 if (!inf->fn(addr, ifsr | FSR_LNX_PF, regs))
4270 return;
4271
4272+die:
4273 pr_alert("Unhandled prefetch abort: %s (0x%03x) at 0x%08lx\n",
4274 inf->name, ifsr, addr);
4275
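Review bot: In do_PrefetchAbort() the `CONFIG_PAX_REFCOUNT` block runs for every debug-class prefetch abort, including those taken from user mode, because it sits after the `if (user_mode(regs)) { … }` block and not in a kernel-mode-only arm. A user task that faults on a matching breakpoint encoding would then reach `pax_report_refcount_overflow(regs)` and `fixup_exception(regs)`. Unless `pax_report_refcount_overflow()` filters on `user_mode()` itself (it is not visible here), the test should read `if (!user_mode(regs) && fsr_fs(ifsr) == FAULT_CODE_DEBUG) {`. The `cpu_to_le16()`/`cpu_to_le32()` conversions applied to the value just read from memory would state the intent better as `le16_to_cpu()`/`le32_to_cpu()`. The two-branch `printk(KERN_EMERG "PAX: …")` pair is written out four times in this file section and would be easier to keep consistent as one helper.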
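--- a/arch/arm/mm/fault.h
+++ b/arch/arm/mm/fault.h
@@ -3,6 +3,7 @@
 
 /*
 * Fault status register encodings. We steal bit 31 for our own purposes.
+ * Set when the FSR value is from an instruction fault.
 */
 #define FSR_LNX_PF (1 << 31)
 #define FSR_WRITE (1 << 11)
@@ -22,6 +23,17 @@ static inline int fsr_fs(unsigned int fsr)
 }
 #endif
 
+/* valid for LPAE and !LPAE */
+static inline int is_xn_fault(unsigned int fsr)
+{
+ return ((fsr_fs(fsr) & 0x3c) == 0xc);
+}
+
+static inline int is_domain_fault(unsigned int fsr)
+{
+ return ((fsr_fs(fsr) & 0xD) == 0x9);
+}
+
 void do_bad_area(unsigned long addr, unsigned int fsr, struct pt_regs *regs);
 unsigned long search_exception_table(unsigned long addr);
 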
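Review bot: `is_domain_fault()` has no comment, and the `/* valid for LPAE and !LPAE */` line above `is_xn_fault()` reads as covering only the first helper. The masks `0x3c`/`0xc` and `0xD`/`0x9` are bare magic numbers, so each helper should name the fault-status encodings it matches. For is_domain_fault() that could be `/* FS 0b1001 / 0b1011: domain fault, section / page (short-descriptor format) */`, if that reading of the mask is right. If the helper is only meaningful without LPAE, saying so next to it would keep it from being applied to long-descriptor status values.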
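--- a/arch/arm/mm/init.c
+++ b/arch/arm/mm/init.c
@@ -710,7 +710,46 @@ void free_tcmmem(void)
 {
 #ifdef CONFIG_HAVE_TCM
 extern char __tcm_start, __tcm_end;
+#endif
 
+#ifdef CONFIG_PAX_KERNEXEC
+ unsigned long addr;
+ pgd_t *pgd;
+ pud_t *pud;
+ pmd_t *pmd;
+ int cpu_arch = cpu_architecture();
+ unsigned int cr = get_cr();
+
+ if (cpu_arch >= CPU_ARCH_ARMv6 && (cr & CR_XP)) {
+ /* make pages tables, etc before .text NX */
+ for (addr = PAGE_OFFSET; addr < (unsigned long)_stext; addr += SECTION_SIZE) {
+ pgd = pgd_offset_k(addr);
+ pud = pud_offset(pgd, addr);
+ pmd = pmd_offset(pud, addr);
+ __section_update(pmd, addr, PMD_SECT_XN);
+ }
+ /* make init NX */
+ for (addr = (unsigned long)__init_begin; addr < (unsigned long)_sdata; addr += SECTION_SIZE) {
+ pgd = pgd_offset_k(addr);
+ pud = pud_offset(pgd, addr);
+ pmd = pmd_offset(pud, addr);
+ __section_update(pmd, addr, PMD_SECT_XN);
+ }
+ /* make kernel code/rodata RX */
+ for (addr = (unsigned long)_stext; addr < (unsigned long)__init_begin; addr += SECTION_SIZE) {
+ pgd = pgd_offset_k(addr);
+ pud = pud_offset(pgd, addr);
+ pmd = pmd_offset(pud, addr);
+#ifdef CONFIG_ARM_LPAE
+ __section_update(pmd, addr, PMD_SECT_RDONLY);
+#else
+ __section_update(pmd, addr, PMD_SECT_APX|PMD_SECT_AP_WRITE);
+#endif
+ }
+ }
+#endif
+
+#ifdef CONFIG_HAVE_TCM
 poison_init_mem(&__tcm_start, &__tcm_end - &__tcm_start);
 free_reserved_area(&__tcm_start, &__tcm_end, -1, "TCM link");
 #endif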
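Review bot: The three `for (addr = …; addr < …; addr += SECTION_SIZE)` loops assume that `PAGE_OFFSET`, `_stext`, `__init_begin` and `_sdata` are all SECTION_SIZE-aligned. If one is not, the section that straddles the boundary gets the attributes of the preceding region, for example XN on the section holding the start of `.text`. The alignment presumably comes from a linker-script change elsewhere in the patch, so a check before the loops such as `WARN_ON(!IS_ALIGNED((unsigned long)_stext, SECTION_SIZE));` would catch a later regression. The pgd/pud/pmd walk is repeated verbatim three times and could be one local helper. The enclosing function's signature is outside the hunk.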
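--- a/arch/arm/mm/ioremap.c
+++ b/arch/arm/mm/ioremap.c
@@ -405,9 +405,9 @@ __arm_ioremap_exec(phys_addr_t phys_addr, size_t size, bool cached)
 unsigned int mtype;
 
 if (cached)
- mtype = MT_MEMORY_RWX;
+ mtype = MT_MEMORY_RX;
 else
- mtype = MT_MEMORY_RWX_NONCACHED;
+ mtype = MT_MEMORY_RX_NONCACHED;
 
 return __arm_ioremap_caller(phys_addr, size, mtype,
 __builtin_return_address(0));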
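Review bot: `__arm_ioremap_exec()` now returns `MT_MEMORY_RX`/`MT_MEMORY_RX_NONCACHED` mappings, which changes its contract for any caller that writes code through the returned pointer, and the hunk adds no comment saying so. A line above the `if (cached)` such as `/* executable mappings are not writable under KERNEXEC; populate them through a separate RW mapping */` would make that explicit. Callers are not visible on this page, so whether any of them writes through the mapping needs checking. The function starts outside the hunk.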
4373diff --git a/arch/arm/mm/mmap.c b/arch/arm/mm/mmap.c
4374index 407dc78..047ce9d 100644
4375--- a/arch/arm/mm/mmap.c
4376+++ b/arch/arm/mm/mmap.c
4377@@ -59,6 +59,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4378 struct vm_area_struct *vma;
4379 int do_align = 0;
4380 int aliasing = cache_is_vipt_aliasing();
4381+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
4382 struct vm_unmapped_area_info info;
4383
4384 /*
4385@@ -81,6 +82,10 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4386 if (len > TASK_SIZE)
4387 return -ENOMEM;
4388
4389+#ifdef CONFIG_PAX_RANDMMAP
4390+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4391+#endif
4392+
4393 if (addr) {
4394 if (do_align)
4395 addr = COLOUR_ALIGN(addr, pgoff);
4396@@ -88,8 +93,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4397 addr = PAGE_ALIGN(addr);
4398
4399 vma = find_vma(mm, addr);
4400- if (TASK_SIZE - len >= addr &&
4401- (!vma || addr + len <= vma->vm_start))
4402+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
4403 return addr;
4404 }
4405
4406@@ -99,6 +103,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
4407 info.high_limit = TASK_SIZE;
4408 info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
4409 info.align_offset = pgoff << PAGE_SHIFT;
4410+ info.threadstack_offset = offset;
4411 return vm_unmapped_area(&info);
4412 }
4413
4414@@ -112,6 +117,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4415 unsigned long addr = addr0;
4416 int do_align = 0;
4417 int aliasing = cache_is_vipt_aliasing();
4418+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
4419 struct vm_unmapped_area_info info;
4420
4421 /*
4422@@ -132,6 +138,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4423 return addr;
4424 }
4425
4426+#ifdef CONFIG_PAX_RANDMMAP
4427+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4428+#endif
4429+
4430 /* requesting a specific address */
4431 if (addr) {
4432 if (do_align)
4433@@ -139,8 +149,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4434 else
4435 addr = PAGE_ALIGN(addr);
4436 vma = find_vma(mm, addr);
4437- if (TASK_SIZE - len >= addr &&
4438- (!vma || addr + len <= vma->vm_start))
4439+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
4440 return addr;
4441 }
4442
4443@@ -150,6 +159,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
4444 info.high_limit = mm->mmap_base;
4445 info.align_mask = do_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
4446 info.align_offset = pgoff << PAGE_SHIFT;
4447+ info.threadstack_offset = offset;
4448 addr = vm_unmapped_area(&info);
4449
4450 /*
4451@@ -183,14 +193,30 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
4452 {
4453 unsigned long random_factor = 0UL;
4454
4455+#ifdef CONFIG_PAX_RANDMMAP
4456+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4457+#endif
4458+
4459 if (current->flags & PF_RANDOMIZE)
4460 random_factor = arch_mmap_rnd();
4461
4462 if (mmap_is_legacy()) {
4463 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4464+
4465+#ifdef CONFIG_PAX_RANDMMAP
4466+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4467+ mm->mmap_base += mm->delta_mmap;
4468+#endif
4469+
4470 mm->get_unmapped_area = arch_get_unmapped_area;
4471 } else {
4472 mm->mmap_base = mmap_base(random_factor);
4473+
4474+#ifdef CONFIG_PAX_RANDMMAP
4475+ if (mm->pax_flags & MF_PAX_RANDMMAP)
4476+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4477+#endif
4478+
4479 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4480 }
4481 }
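Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` / `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` / `#endif` lines in arch_get_unmapped_area(), arch_get_unmapped_area_topdown() and arch_pick_mmap_layout() leave a brace-less `if` whose body is whatever statement follows the blank line (and, in the topdown variant, a comment). Any statement inserted in between later would silently become the guarded body. A small helper that evaluates to false when the option is off keeps the condition on the statement it guards, used as `if (!pax_randmmap_enabled(mm) && addr) {`, where `pax_randmmap_enabled` is a name made up for this note. At minimum each site should carry a comment such as `/* guards the if (addr) block below */`.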
4482diff --git a/arch/arm/mm/mmu.c b/arch/arm/mm/mmu.c
4483index 870838a..070df1d 100644
4484--- a/arch/arm/mm/mmu.c
4485+++ b/arch/arm/mm/mmu.c
4486@@ -41,6 +41,22 @@
4487 #include "mm.h"
4488 #include "tcm.h"
4489
4490+#if defined(CONFIG_CPU_USE_DOMAINS) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
4491+void modify_domain(unsigned int dom, unsigned int type)
4492+{
4493+ struct thread_info *thread = current_thread_info();
4494+ unsigned int domain = thread->cpu_domain;
4495+ /*
4496+ * DOMAIN_MANAGER might be defined to some other value,
4497+ * use the arch-defined constant
4498+ */
4499+ domain &= ~domain_val(dom, 3);
4500+ thread->cpu_domain = domain | domain_val(dom, type);
4501+ set_domain(thread->cpu_domain);
4502+}
4503+EXPORT_SYMBOL(modify_domain);
4504+#endif
4505+
4506 /*
4507 * empty_zero_page is a special page that is used for
4508 * zero-initialized data and COW.
4509@@ -242,7 +258,15 @@ __setup("noalign", noalign_setup);
4510 #define PROT_PTE_S2_DEVICE PROT_PTE_DEVICE
4511 #define PROT_SECT_DEVICE PMD_TYPE_SECT|PMD_SECT_AP_WRITE
4512
4513-static struct mem_type mem_types[] = {
4514+#ifdef CONFIG_PAX_KERNEXEC
4515+#define L_PTE_KERNEXEC L_PTE_RDONLY
4516+#define PMD_SECT_KERNEXEC PMD_SECT_RDONLY
4517+#else
4518+#define L_PTE_KERNEXEC L_PTE_DIRTY
4519+#define PMD_SECT_KERNEXEC PMD_SECT_AP_WRITE
4520+#endif
4521+
4522+static struct mem_type mem_types[] __read_only = {
4523 [MT_DEVICE] = { /* Strongly ordered / ARMv6 shared device */
4524 .prot_pte = PROT_PTE_DEVICE | L_PTE_MT_DEV_SHARED |
4525 L_PTE_SHARED,
4526@@ -271,19 +295,19 @@ static struct mem_type mem_types[] = {
4527 .prot_sect = PROT_SECT_DEVICE,
4528 .domain = DOMAIN_IO,
4529 },
4530- [MT_UNCACHED] = {
4531+ [MT_UNCACHED_RW] = {
4532 .prot_pte = PROT_PTE_DEVICE,
4533 .prot_l1 = PMD_TYPE_TABLE,
4534 .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4535 .domain = DOMAIN_IO,
4536 },
4537- [MT_CACHECLEAN] = {
4538- .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4539+ [MT_CACHECLEAN_RO] = {
4540+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN | PMD_SECT_RDONLY,
4541 .domain = DOMAIN_KERNEL,
4542 },
4543 #ifndef CONFIG_ARM_LPAE
4544- [MT_MINICLEAN] = {
4545- .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN | PMD_SECT_MINICACHE,
4546+ [MT_MINICLEAN_RO] = {
4547+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_MINICACHE | PMD_SECT_XN | PMD_SECT_RDONLY,
4548 .domain = DOMAIN_KERNEL,
4549 },
4550 #endif
4551@@ -291,15 +315,15 @@ static struct mem_type mem_types[] = {
4552 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4553 L_PTE_RDONLY,
4554 .prot_l1 = PMD_TYPE_TABLE,
4555- .domain = DOMAIN_USER,
4556+ .domain = DOMAIN_VECTORS,
4557 },
4558 [MT_HIGH_VECTORS] = {
4559 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4560 L_PTE_USER | L_PTE_RDONLY,
4561 .prot_l1 = PMD_TYPE_TABLE,
4562- .domain = DOMAIN_USER,
4563+ .domain = DOMAIN_VECTORS,
4564 },
4565- [MT_MEMORY_RWX] = {
4566+ [__MT_MEMORY_RWX] = {
4567 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
4568 .prot_l1 = PMD_TYPE_TABLE,
4569 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4570@@ -312,17 +336,30 @@ static struct mem_type mem_types[] = {
4571 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4572 .domain = DOMAIN_KERNEL,
4573 },
4574- [MT_ROM] = {
4575- .prot_sect = PMD_TYPE_SECT,
4576+ [MT_MEMORY_RX] = {
4577+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC,
4578+ .prot_l1 = PMD_TYPE_TABLE,
4579+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
4580+ .domain = DOMAIN_KERNEL,
4581+ },
4582+ [MT_ROM_RX] = {
4583+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_RDONLY,
4584 .domain = DOMAIN_KERNEL,
4585 },
4586- [MT_MEMORY_RWX_NONCACHED] = {
4587+ [MT_MEMORY_RW_NONCACHED] = {
4588 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4589 L_PTE_MT_BUFFERABLE,
4590 .prot_l1 = PMD_TYPE_TABLE,
4591 .prot_sect = PMD_TYPE_SECT | PMD_SECT_AP_WRITE,
4592 .domain = DOMAIN_KERNEL,
4593 },
4594+ [MT_MEMORY_RX_NONCACHED] = {
4595+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC |
4596+ L_PTE_MT_BUFFERABLE,
4597+ .prot_l1 = PMD_TYPE_TABLE,
4598+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
4599+ .domain = DOMAIN_KERNEL,
4600+ },
4601 [MT_MEMORY_RW_DTCM] = {
4602 .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY |
4603 L_PTE_XN,
4604@@ -330,9 +367,10 @@ static struct mem_type mem_types[] = {
4605 .prot_sect = PMD_TYPE_SECT | PMD_SECT_XN,
4606 .domain = DOMAIN_KERNEL,
4607 },
4608- [MT_MEMORY_RWX_ITCM] = {
4609- .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_DIRTY,
4610+ [MT_MEMORY_RX_ITCM] = {
4611+ .prot_pte = L_PTE_PRESENT | L_PTE_YOUNG | L_PTE_KERNEXEC,
4612 .prot_l1 = PMD_TYPE_TABLE,
4613+ .prot_sect = PMD_TYPE_SECT | PMD_SECT_KERNEXEC,
4614 .domain = DOMAIN_KERNEL,
4615 },
4616 [MT_MEMORY_RW_SO] = {
4617@@ -544,9 +582,14 @@ static void __init build_mem_type_table(void)
4618 * Mark cache clean areas and XIP ROM read only
4619 * from SVC mode and no access from userspace.
4620 */
4621- mem_types[MT_ROM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4622- mem_types[MT_MINICLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4623- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4624+ mem_types[MT_ROM_RX].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4625+#ifdef CONFIG_PAX_KERNEXEC
4626+ mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4627+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4628+ mem_types[MT_MEMORY_RX_ITCM].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4629+#endif
4630+ mem_types[MT_MINICLEAN_RO].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4631+ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_APX|PMD_SECT_AP_WRITE;
4632 #endif
4633
4634 /*
4635@@ -563,13 +606,17 @@ static void __init build_mem_type_table(void)
4636 mem_types[MT_DEVICE_WC].prot_pte |= L_PTE_SHARED;
4637 mem_types[MT_DEVICE_CACHED].prot_sect |= PMD_SECT_S;
4638 mem_types[MT_DEVICE_CACHED].prot_pte |= L_PTE_SHARED;
4639- mem_types[MT_MEMORY_RWX].prot_sect |= PMD_SECT_S;
4640- mem_types[MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED;
4641+ mem_types[__MT_MEMORY_RWX].prot_sect |= PMD_SECT_S;
4642+ mem_types[__MT_MEMORY_RWX].prot_pte |= L_PTE_SHARED;
4643 mem_types[MT_MEMORY_RW].prot_sect |= PMD_SECT_S;
4644 mem_types[MT_MEMORY_RW].prot_pte |= L_PTE_SHARED;
4645+ mem_types[MT_MEMORY_RX].prot_sect |= PMD_SECT_S;
4646+ mem_types[MT_MEMORY_RX].prot_pte |= L_PTE_SHARED;
4647 mem_types[MT_MEMORY_DMA_READY].prot_pte |= L_PTE_SHARED;
4648- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= PMD_SECT_S;
4649- mem_types[MT_MEMORY_RWX_NONCACHED].prot_pte |= L_PTE_SHARED;
4650+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= PMD_SECT_S;
4651+ mem_types[MT_MEMORY_RW_NONCACHED].prot_pte |= L_PTE_SHARED;
4652+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_S;
4653+ mem_types[MT_MEMORY_RX_NONCACHED].prot_pte |= L_PTE_SHARED;
4654 }
4655 }
4656
4657@@ -580,15 +627,20 @@ static void __init build_mem_type_table(void)
4658 if (cpu_arch >= CPU_ARCH_ARMv6) {
4659 if (cpu_arch >= CPU_ARCH_ARMv7 && (cr & CR_TRE)) {
4660 /* Non-cacheable Normal is XCB = 001 */
4661- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |=
4662+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |=
4663+ PMD_SECT_BUFFERED;
4664+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |=
4665 PMD_SECT_BUFFERED;
4666 } else {
4667 /* For both ARMv6 and non-TEX-remapping ARMv7 */
4668- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |=
4669+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |=
4670+ PMD_SECT_TEX(1);
4671+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |=
4672 PMD_SECT_TEX(1);
4673 }
4674 } else {
4675- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
4676+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
4677+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= PMD_SECT_BUFFERABLE;
4678 }
4679
4680 #ifdef CONFIG_ARM_LPAE
4681@@ -609,6 +661,8 @@ static void __init build_mem_type_table(void)
4682 user_pgprot |= PTE_EXT_PXN;
4683 #endif
4684
4685+ user_pgprot |= __supported_pte_mask;
4686+
4687 for (i = 0; i < 16; i++) {
4688 pteval_t v = pgprot_val(protection_map[i]);
4689 protection_map[i] = __pgprot(v | user_pgprot);
4690@@ -626,21 +680,24 @@ static void __init build_mem_type_table(void)
4691
4692 mem_types[MT_LOW_VECTORS].prot_l1 |= ecc_mask;
4693 mem_types[MT_HIGH_VECTORS].prot_l1 |= ecc_mask;
4694- mem_types[MT_MEMORY_RWX].prot_sect |= ecc_mask | cp->pmd;
4695- mem_types[MT_MEMORY_RWX].prot_pte |= kern_pgprot;
4696+ mem_types[__MT_MEMORY_RWX].prot_sect |= ecc_mask | cp->pmd;
4697+ mem_types[__MT_MEMORY_RWX].prot_pte |= kern_pgprot;
4698 mem_types[MT_MEMORY_RW].prot_sect |= ecc_mask | cp->pmd;
4699 mem_types[MT_MEMORY_RW].prot_pte |= kern_pgprot;
4700+ mem_types[MT_MEMORY_RX].prot_sect |= ecc_mask | cp->pmd;
4701+ mem_types[MT_MEMORY_RX].prot_pte |= kern_pgprot;
4702 mem_types[MT_MEMORY_DMA_READY].prot_pte |= kern_pgprot;
4703- mem_types[MT_MEMORY_RWX_NONCACHED].prot_sect |= ecc_mask;
4704- mem_types[MT_ROM].prot_sect |= cp->pmd;
4705+ mem_types[MT_MEMORY_RW_NONCACHED].prot_sect |= ecc_mask;
4706+ mem_types[MT_MEMORY_RX_NONCACHED].prot_sect |= ecc_mask;
4707+ mem_types[MT_ROM_RX].prot_sect |= cp->pmd;
4708
4709 switch (cp->pmd) {
4710 case PMD_SECT_WT:
4711- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_WT;
4712+ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_WT;
4713 break;
4714 case PMD_SECT_WB:
4715 case PMD_SECT_WBWA:
4716- mem_types[MT_CACHECLEAN].prot_sect |= PMD_SECT_WB;
4717+ mem_types[MT_CACHECLEAN_RO].prot_sect |= PMD_SECT_WB;
4718 break;
4719 }
4720 pr_info("Memory policy: %sData cache %s\n",
4721@@ -854,7 +911,7 @@ static void __init create_mapping(struct map_desc *md)
4722 return;
4723 }
4724
4725- if ((md->type == MT_DEVICE || md->type == MT_ROM) &&
4726+ if ((md->type == MT_DEVICE || md->type == MT_ROM_RX) &&
4727 md->virtual >= PAGE_OFFSET &&
4728 (md->virtual < VMALLOC_START || md->virtual >= VMALLOC_END)) {
4729 pr_warn("BUG: mapping for 0x%08llx at 0x%08lx out of vmalloc space\n",
4730@@ -1224,18 +1281,15 @@ void __init arm_mm_memblock_reserve(void)
4731 * called function. This means you can't use any function or debugging
4732 * method which may touch any device, otherwise the kernel _will_ crash.
4733 */
4734+
4735+static char vectors[PAGE_SIZE * 2] __read_only __aligned(PAGE_SIZE);
4736+
4737 static void __init devicemaps_init(const struct machine_desc *mdesc)
4738 {
4739 struct map_desc map;
4740 unsigned long addr;
4741- void *vectors;
4742
4743- /*
4744- * Allocate the vector page early.
4745- */
4746- vectors = early_alloc(PAGE_SIZE * 2);
4747-
4748- early_trap_init(vectors);
4749+ early_trap_init(&vectors);
4750
4751 for (addr = VMALLOC_START; addr; addr += PMD_SIZE)
4752 pmd_clear(pmd_off_k(addr));
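Review bot: The new `vectors` array is declared between the comment block that describes devicemaps_init() and the function itself, so that comment now reads as if it documented the array. The declaration belongs above the comment, with a line of its own such as `/* two pages for the exception vectors, statically allocated in a read-only section */`. `early_trap_init(&vectors)` and, in a later hunk, `virt_to_phys(&vectors)` pass a pointer-to-array where plain `vectors` yields the same address with the usual pointer type. The array is `__read_only` yet is handed to early_trap_init() to be filled; whether that write happens before the section is write-protected is not visible here and deserves a short comment. devicemaps_init() continues outside the hunk.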
4753@@ -1248,7 +1302,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
4754 map.pfn = __phys_to_pfn(CONFIG_XIP_PHYS_ADDR & SECTION_MASK);
4755 map.virtual = MODULES_VADDR;
4756 map.length = ((unsigned long)_etext - map.virtual + ~SECTION_MASK) & SECTION_MASK;
4757- map.type = MT_ROM;
4758+ map.type = MT_ROM_RX;
4759 create_mapping(&map);
4760 #endif
4761
4762@@ -1259,14 +1313,14 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
4763 map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS);
4764 map.virtual = FLUSH_BASE;
4765 map.length = SZ_1M;
4766- map.type = MT_CACHECLEAN;
4767+ map.type = MT_CACHECLEAN_RO;
4768 create_mapping(&map);
4769 #endif
4770 #ifdef FLUSH_BASE_MINICACHE
4771 map.pfn = __phys_to_pfn(FLUSH_BASE_PHYS + SZ_1M);
4772 map.virtual = FLUSH_BASE_MINICACHE;
4773 map.length = SZ_1M;
4774- map.type = MT_MINICLEAN;
4775+ map.type = MT_MINICLEAN_RO;
4776 create_mapping(&map);
4777 #endif
4778
4779@@ -1275,7 +1329,7 @@ static void __init devicemaps_init(const struct machine_desc *mdesc)
4780 * location (0xffff0000). If we aren't using high-vectors, also
4781 * create a mapping at the low-vectors virtual address.
4782 */
4783- map.pfn = __phys_to_pfn(virt_to_phys(vectors));
4784+ map.pfn = __phys_to_pfn(virt_to_phys(&vectors));
4785 map.virtual = 0xffff0000;
4786 map.length = PAGE_SIZE;
4787 #ifdef CONFIG_KUSER_HELPERS
4788@@ -1335,8 +1389,10 @@ static void __init kmap_init(void)
4789 static void __init map_lowmem(void)
4790 {
4791 struct memblock_region *reg;
4792+#ifndef CONFIG_PAX_KERNEXEC
4793 phys_addr_t kernel_x_start = round_down(__pa(_stext), SECTION_SIZE);
4794 phys_addr_t kernel_x_end = round_up(__pa(__init_end), SECTION_SIZE);
4795+#endif
4796
4797 /* Map all the lowmem memory banks. */
4798 for_each_memblock(memory, reg) {
4799@@ -1349,11 +1405,48 @@ static void __init map_lowmem(void)
4800 if (start >= end)
4801 break;
4802
4803+#ifdef CONFIG_PAX_KERNEXEC
4804+ map.pfn = __phys_to_pfn(start);
4805+ map.virtual = __phys_to_virt(start);
4806+ map.length = end - start;
4807+
4808+ if (map.virtual <= (unsigned long)_stext && ((unsigned long)_end < (map.virtual + map.length))) {
4809+ struct map_desc kernel;
4810+ struct map_desc initmap;
4811+
4812+ /* when freeing initmem we will make this RW */
4813+ initmap.pfn = __phys_to_pfn(__pa(__init_begin));
4814+ initmap.virtual = (unsigned long)__init_begin;
4815+ initmap.length = _sdata - __init_begin;
4816+ initmap.type = __MT_MEMORY_RWX;
4817+ create_mapping(&initmap);
4818+
4819+ /* when freeing initmem we will make this RX */
4820+ kernel.pfn = __phys_to_pfn(__pa(_stext));
4821+ kernel.virtual = (unsigned long)_stext;
4822+ kernel.length = __init_begin - _stext;
4823+ kernel.type = __MT_MEMORY_RWX;
4824+ create_mapping(&kernel);
4825+
4826+ if (map.virtual < (unsigned long)_stext) {
4827+ map.length = (unsigned long)_stext - map.virtual;
4828+ map.type = __MT_MEMORY_RWX;
4829+ create_mapping(&map);
4830+ }
4831+
4832+ map.pfn = __phys_to_pfn(__pa(_sdata));
4833+ map.virtual = (unsigned long)_sdata;
4834+ map.length = end - __pa(_sdata);
4835+ }
4836+
4837+ map.type = MT_MEMORY_RW;
4838+ create_mapping(&map);
4839+#else
4840 if (end < kernel_x_start) {
4841 map.pfn = __phys_to_pfn(start);
4842 map.virtual = __phys_to_virt(start);
4843 map.length = end - start;
4844- map.type = MT_MEMORY_RWX;
4845+ map.type = __MT_MEMORY_RWX;
4846
4847 create_mapping(&map);
4848 } else if (start >= kernel_x_end) {
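Review bot: In the CONFIG_PAX_KERNEXEC branch the test `(unsigned long)_end < (map.virtual + map.length)` is strict, so a memory bank that ends exactly at `_end` skips the split and is mapped as one `MT_MEMORY_RW` region, kernel text included. `<=` looks like the intended bound: `if (map.virtual <= (unsigned long)_stext && (unsigned long)_end <= (map.virtual + map.length)) {`. A kernel image that straddles two banks takes the same unsplit path. Both `initmap` and `kernel` are created as `__MT_MEMORY_RWX`, and the comments say the permissions are tightened when initmem is freed; that code is outside this hunk, so naming the function that does it would let a reader confirm how long text stays writable. map_lowmem() continues outside the hunk.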
4849@@ -1377,7 +1470,7 @@ static void __init map_lowmem(void)
4850 map.pfn = __phys_to_pfn(kernel_x_start);
4851 map.virtual = __phys_to_virt(kernel_x_start);
4852 map.length = kernel_x_end - kernel_x_start;
4853- map.type = MT_MEMORY_RWX;
4854+ map.type = __MT_MEMORY_RWX;
4855
4856 create_mapping(&map);
4857
4858@@ -1390,6 +1483,7 @@ static void __init map_lowmem(void)
4859 create_mapping(&map);
4860 }
4861 }
4862+#endif
4863 }
4864 }
4865
4866diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
4867index c011e22..92a0260 100644
4868--- a/arch/arm/net/bpf_jit_32.c
4869+++ b/arch/arm/net/bpf_jit_32.c
4870@@ -20,6 +20,7 @@
4871 #include <asm/cacheflush.h>
4872 #include <asm/hwcap.h>
4873 #include <asm/opcodes.h>
4874+#include <asm/pgtable.h>
4875
4876 #include "bpf_jit_32.h"
4877
4878@@ -72,54 +73,38 @@ struct jit_ctx {
4879 #endif
4880 };
4881
4882+#ifdef CONFIG_GRKERNSEC_BPF_HARDEN
4883+int bpf_jit_enable __read_only;
4884+#else
4885 int bpf_jit_enable __read_mostly;
4886+#endif
4887
4888-static inline int call_neg_helper(struct sk_buff *skb, int offset, void *ret,
4889- unsigned int size)
4890-{
4891- void *ptr = bpf_internal_load_pointer_neg_helper(skb, offset, size);
4892-
4893- if (!ptr)
4894- return -EFAULT;
4895- memcpy(ret, ptr, size);
4896- return 0;
4897-}
4898-
4899-static u64 jit_get_skb_b(struct sk_buff *skb, int offset)
4900+static u64 jit_get_skb_b(struct sk_buff *skb, unsigned offset)
4901 {
4902 u8 ret;
4903 int err;
4904
4905- if (offset < 0)
4906- err = call_neg_helper(skb, offset, &ret, 1);
4907- else
4908- err = skb_copy_bits(skb, offset, &ret, 1);
4909+ err = skb_copy_bits(skb, offset, &ret, 1);
4910
4911 return (u64)err << 32 | ret;
4912 }
4913
4914-static u64 jit_get_skb_h(struct sk_buff *skb, int offset)
4915+static u64 jit_get_skb_h(struct sk_buff *skb, unsigned offset)
4916 {
4917 u16 ret;
4918 int err;
4919
4920- if (offset < 0)
4921- err = call_neg_helper(skb, offset, &ret, 2);
4922- else
4923- err = skb_copy_bits(skb, offset, &ret, 2);
4924+ err = skb_copy_bits(skb, offset, &ret, 2);
4925
4926 return (u64)err << 32 | ntohs(ret);
4927 }
4928
4929-static u64 jit_get_skb_w(struct sk_buff *skb, int offset)
4930+static u64 jit_get_skb_w(struct sk_buff *skb, unsigned offset)
4931 {
4932 u32 ret;
4933 int err;
4934
4935- if (offset < 0)
4936- err = call_neg_helper(skb, offset, &ret, 4);
4937- else
4938- err = skb_copy_bits(skb, offset, &ret, 4);
4939+ err = skb_copy_bits(skb, offset, &ret, 4);
4940
4941 return (u64)err << 32 | ntohl(ret);
4942 }
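Review bot: jit_get_skb_b/h/w now take `unsigned offset` but still forward it to skb_copy_bits(), whose offset parameter is a signed int, so a value with the top bit set turns negative again at that call and nothing in the helpers rejects it. The next build_body() hunk refuses a negative constant `k` at the `load:` label, and the hunk after it drops the runtime `ARM_CMP_I(r_off, 0)` test. Any load whose offset is computed at run time and that enters at `load_common` (not visible here) would then depend on the remaining bounds comparison alone. A guard at the top of each helper, e.g. `if (offset > INT_MAX) return (u64)-EFAULT << 32;`, keeps the slow path safe however the emitted code reached it.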
4943@@ -199,8 +184,10 @@ static void jit_fill_hole(void *area, unsigned int size)
4944 {
4945 u32 *ptr;
4946 /* We are guaranteed to have aligned memory. */
4947+ pax_open_kernel();
4948 for (ptr = area; size >= sizeof(u32); size -= sizeof(u32))
4949 *ptr++ = __opcode_to_mem_arm(ARM_INST_UDF);
4950+ pax_close_kernel();
4951 }
4952
4953 static void build_prologue(struct jit_ctx *ctx)
4954@@ -556,6 +543,9 @@ static int build_body(struct jit_ctx *ctx)
4955 case BPF_LD | BPF_B | BPF_ABS:
4956 load_order = 0;
4957 load:
4958+ /* the interpreter will deal with the negative K */
4959+ if ((int)k < 0)
4960+ return -ENOTSUPP;
4961 emit_mov_i(r_off, k, ctx);
4962 load_common:
4963 ctx->seen |= SEEN_DATA | SEEN_CALL;
4964@@ -570,18 +560,6 @@ load_common:
4965 condt = ARM_COND_HI;
4966 }
4967
4968- /*
4969- * test for negative offset, only if we are
4970- * currently scheduled to take the fast
4971- * path. this will update the flags so that
4972- * the slowpath instruction are ignored if the
4973- * offset is negative.
4974- *
4975- * for loard_order == 0 the HI condition will
4976- * make loads at offset 0 take the slow path too.
4977- */
4978- _emit(condt, ARM_CMP_I(r_off, 0), ctx);
4979-
4980 _emit(condt, ARM_ADD_R(r_scratch, r_off, r_skb_data),
4981 ctx);
4982
4983diff --git a/arch/arm/plat-iop/setup.c b/arch/arm/plat-iop/setup.c
4984index 5b217f4..c23f40e 100644
4985--- a/arch/arm/plat-iop/setup.c
4986+++ b/arch/arm/plat-iop/setup.c
4987@@ -24,7 +24,7 @@ static struct map_desc iop3xx_std_desc[] __initdata = {
4988 .virtual = IOP3XX_PERIPHERAL_VIRT_BASE,
4989 .pfn = __phys_to_pfn(IOP3XX_PERIPHERAL_PHYS_BASE),
4990 .length = IOP3XX_PERIPHERAL_SIZE,
4991- .type = MT_UNCACHED,
4992+ .type = MT_UNCACHED_RW,
4993 },
4994 };
4995
4996diff --git a/arch/arm/plat-omap/sram.c b/arch/arm/plat-omap/sram.c
4997index a5bc92d..0bb4730 100644
4998--- a/arch/arm/plat-omap/sram.c
4999+++ b/arch/arm/plat-omap/sram.c
5000@@ -93,6 +93,8 @@ void __init omap_map_sram(unsigned long start, unsigned long size,
5001 * Looks like we need to preserve some bootloader code at the
5002 * beginning of SRAM for jumping to flash for reboot to work...
5003 */
5004+ pax_open_kernel();
5005 memset_io(omap_sram_base + omap_sram_skip, 0,
5006 omap_sram_size - omap_sram_skip);
5007+ pax_close_kernel();
5008 }
5009diff --git a/arch/arm64/Kconfig.debug b/arch/arm64/Kconfig.debug
5010index d6285ef..b684dac 100644
5011--- a/arch/arm64/Kconfig.debug
5012+++ b/arch/arm64/Kconfig.debug
5013@@ -10,6 +10,7 @@ config ARM64_PTDUMP
5014 bool "Export kernel pagetable layout to userspace via debugfs"
5015 depends on DEBUG_KERNEL
5016 select DEBUG_FS
5017+ depends on !GRKERNSEC_KMEM
5018 help
5019 Say Y here if you want to show the kernel pagetable layout in a
5020 debugfs file. This information is only useful for kernel developers
5021diff --git a/arch/arm64/include/asm/atomic.h b/arch/arm64/include/asm/atomic.h
5022index 7047051..44e8675 100644
5023--- a/arch/arm64/include/asm/atomic.h
5024+++ b/arch/arm64/include/asm/atomic.h
5025@@ -252,5 +252,15 @@ static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
5026 #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
5027 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
5028
5029+#define atomic64_read_unchecked(v) atomic64_read(v)
5030+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
5031+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
5032+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
5033+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
5034+#define atomic64_inc_unchecked(v) atomic64_inc(v)
5035+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
5036+#define atomic64_dec_unchecked(v) atomic64_dec(v)
5037+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
5038+
5039 #endif
5040 #endif
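Review bot: The new `atomic64_*_unchecked` macros are plain aliases of the regular operations and nothing in the header says why. A one-line comment such as `/* no overflow-checked atomic64 on this architecture: the _unchecked variants map to the regular ops */` would stop a reader assuming the two families differ here; that reading is inferred from the aliasing itself, since the checked implementation is not shown on this page. Argument parenthesisation is also uneven: `atomic64_read(v)` and `atomic64_inc(v)` pass the argument bare while `atomic64_set((v), (i))` wraps it. The same block is added to arch/frv/include/asm/atomic.h and arch/ia64/include/asm/atomic.h further down, and the note applies there too.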
5041diff --git a/arch/arm64/include/asm/barrier.h b/arch/arm64/include/asm/barrier.h
5042index 0fa47c4..b167938 100644
5043--- a/arch/arm64/include/asm/barrier.h
5044+++ b/arch/arm64/include/asm/barrier.h
5045@@ -44,7 +44,7 @@
5046 do { \
5047 compiletime_assert_atomic_type(*p); \
5048 barrier(); \
5049- ACCESS_ONCE(*p) = (v); \
5050+ ACCESS_ONCE_RW(*p) = (v); \
5051 } while (0)
5052
5053 #define smp_load_acquire(p) \
5054diff --git a/arch/arm64/include/asm/percpu.h b/arch/arm64/include/asm/percpu.h
5055index 4fde8c1..441f84f 100644
5056--- a/arch/arm64/include/asm/percpu.h
5057+++ b/arch/arm64/include/asm/percpu.h
5058@@ -135,16 +135,16 @@ static inline void __percpu_write(void *ptr, unsigned long val, int size)
5059 {
5060 switch (size) {
5061 case 1:
5062- ACCESS_ONCE(*(u8 *)ptr) = (u8)val;
5063+ ACCESS_ONCE_RW(*(u8 *)ptr) = (u8)val;
5064 break;
5065 case 2:
5066- ACCESS_ONCE(*(u16 *)ptr) = (u16)val;
5067+ ACCESS_ONCE_RW(*(u16 *)ptr) = (u16)val;
5068 break;
5069 case 4:
5070- ACCESS_ONCE(*(u32 *)ptr) = (u32)val;
5071+ ACCESS_ONCE_RW(*(u32 *)ptr) = (u32)val;
5072 break;
5073 case 8:
5074- ACCESS_ONCE(*(u64 *)ptr) = (u64)val;
5075+ ACCESS_ONCE_RW(*(u64 *)ptr) = (u64)val;
5076 break;
5077 default:
5078 BUILD_BUG();
5079diff --git a/arch/arm64/include/asm/pgalloc.h b/arch/arm64/include/asm/pgalloc.h
5080index 7642056..bffc904 100644
5081--- a/arch/arm64/include/asm/pgalloc.h
5082+++ b/arch/arm64/include/asm/pgalloc.h
5083@@ -46,6 +46,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
5084 set_pud(pud, __pud(__pa(pmd) | PMD_TYPE_TABLE));
5085 }
5086
5087+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
5088+{
5089+ pud_populate(mm, pud, pmd);
5090+}
5091+
5092 #endif /* CONFIG_PGTABLE_LEVELS > 2 */
5093
5094 #if CONFIG_PGTABLE_LEVELS > 3
5095diff --git a/arch/arm64/include/asm/uaccess.h b/arch/arm64/include/asm/uaccess.h
5096index 07e1ba44..ec8cbbb 100644
5097--- a/arch/arm64/include/asm/uaccess.h
5098+++ b/arch/arm64/include/asm/uaccess.h
5099@@ -99,6 +99,7 @@ static inline void set_fs(mm_segment_t fs)
5100 flag; \
5101 })
5102
5103+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
5104 #define access_ok(type, addr, size) __range_ok(addr, size)
5105 #define user_addr_max get_fs
5106
5107diff --git a/arch/arm64/mm/dma-mapping.c b/arch/arm64/mm/dma-mapping.c
5108index d16a1ce..a5acc60 100644
5109--- a/arch/arm64/mm/dma-mapping.c
5110+++ b/arch/arm64/mm/dma-mapping.c
5111@@ -134,7 +134,7 @@ static void __dma_free_coherent(struct device *dev, size_t size,
5112 phys_to_page(paddr),
5113 size >> PAGE_SHIFT);
5114 if (!freed)
5115- swiotlb_free_coherent(dev, size, vaddr, dma_handle);
5116+ swiotlb_free_coherent(dev, size, vaddr, dma_handle, attrs);
5117 }
5118
5119 static void *__dma_alloc(struct device *dev, size_t size,
5120diff --git a/arch/avr32/include/asm/cache.h b/arch/avr32/include/asm/cache.h
5121index c3a58a1..78fbf54 100644
5122--- a/arch/avr32/include/asm/cache.h
5123+++ b/arch/avr32/include/asm/cache.h
5124@@ -1,8 +1,10 @@
5125 #ifndef __ASM_AVR32_CACHE_H
5126 #define __ASM_AVR32_CACHE_H
5127
5128+#include <linux/const.h>
5129+
5130 #define L1_CACHE_SHIFT 5
5131-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5132+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5133
5134 /*
5135 * Memory returned by kmalloc() may be used for DMA, so we must make
5136diff --git a/arch/avr32/include/asm/elf.h b/arch/avr32/include/asm/elf.h
5137index 0388ece..87c8df1 100644
5138--- a/arch/avr32/include/asm/elf.h
5139+++ b/arch/avr32/include/asm/elf.h
5140@@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpregset_t;
5141 the loader. We need to make sure that it is out of the way of the program
5142 that it will "exec", and that there is sufficient room for the brk. */
5143
5144-#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
5145+#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
5146
5147+#ifdef CONFIG_PAX_ASLR
5148+#define PAX_ELF_ET_DYN_BASE 0x00001000UL
5149+
5150+#define PAX_DELTA_MMAP_LEN 15
5151+#define PAX_DELTA_STACK_LEN 15
5152+#endif
5153
5154 /* This yields a mask that user programs can use to figure out what
5155 instruction set this CPU supports. This could be done in user space,
5156diff --git a/arch/avr32/include/asm/kmap_types.h b/arch/avr32/include/asm/kmap_types.h
5157index 479330b..53717a8 100644
5158--- a/arch/avr32/include/asm/kmap_types.h
5159+++ b/arch/avr32/include/asm/kmap_types.h
5160@@ -2,9 +2,9 @@
5161 #define __ASM_AVR32_KMAP_TYPES_H
5162
5163 #ifdef CONFIG_DEBUG_HIGHMEM
5164-# define KM_TYPE_NR 29
5165+# define KM_TYPE_NR 30
5166 #else
5167-# define KM_TYPE_NR 14
5168+# define KM_TYPE_NR 15
5169 #endif
5170
5171 #endif /* __ASM_AVR32_KMAP_TYPES_H */
5172diff --git a/arch/avr32/mm/fault.c b/arch/avr32/mm/fault.c
5173index c035339..e1fa594 100644
5174--- a/arch/avr32/mm/fault.c
5175+++ b/arch/avr32/mm/fault.c
5176@@ -41,6 +41,23 @@ static inline int notify_page_fault(struct pt_regs *regs, int trap)
5177
5178 int exception_trace = 1;
5179
5180+#ifdef CONFIG_PAX_PAGEEXEC
5181+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5182+{
5183+ unsigned long i;
5184+
5185+ printk(KERN_ERR "PAX: bytes at PC: ");
5186+ for (i = 0; i < 20; i++) {
5187+ unsigned char c;
5188+ if (get_user(c, (unsigned char *)pc+i))
5189+ printk(KERN_CONT "???????? ");
5190+ else
5191+ printk(KERN_CONT "%02x ", c);
5192+ }
5193+ printk("\n");
5194+}
5195+#endif
5196+
5197 /*
5198 * This routine handles page faults. It determines the address and the
5199 * problem, and then passes it off to one of the appropriate routines.
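Review bot: pax_report_insns() ends with `printk("\n");`, which carries neither a log level nor KERN_CONT and so may be emitted as a separate record instead of terminating the byte dump; `printk(KERN_CONT "\n");` matches the calls above it. The failure branch prints eight question marks for one unreadable byte while the success branch prints two hex digits, so `printk(KERN_CONT "?? ");` keeps the dump aligned. `get_user(c, (unsigned char *)pc+i)` drops the user-space annotation; `(unsigned char __user *)pc + i` keeps sparse checking meaningful for a pointer taken from the faulting task's registers. The `regs` and `sp` parameters are unused in the body, which is worth a comment if the signature is fixed by a common prototype.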
5200@@ -178,6 +195,16 @@ bad_area:
5201 up_read(&mm->mmap_sem);
5202
5203 if (user_mode(regs)) {
5204+
5205+#ifdef CONFIG_PAX_PAGEEXEC
5206+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
5207+ if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
5208+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
5209+ do_group_exit(SIGKILL);
5210+ }
5211+ }
5212+#endif
5213+
5214 if (exception_trace && printk_ratelimit())
5215 printk("%s%s[%d]: segfault at %08lx pc %08lx "
5216 "sp %08lx ecr %lu\n",
5217diff --git a/arch/blackfin/Kconfig.debug b/arch/blackfin/Kconfig.debug
5218index f3337ee..15b6f8d 100644
5219--- a/arch/blackfin/Kconfig.debug
5220+++ b/arch/blackfin/Kconfig.debug
5221@@ -18,6 +18,7 @@ config DEBUG_VERBOSE
5222 config DEBUG_MMRS
5223 tristate "Generate Blackfin MMR tree"
5224 select DEBUG_FS
5225+ depends on !GRKERNSEC_KMEM
5226 help
5227 Create a tree of Blackfin MMRs via the debugfs tree. If
5228 you enable this, you will find all MMRs laid out in the
5229diff --git a/arch/blackfin/include/asm/cache.h b/arch/blackfin/include/asm/cache.h
5230index 568885a..f8008df 100644
5231--- a/arch/blackfin/include/asm/cache.h
5232+++ b/arch/blackfin/include/asm/cache.h
5233@@ -7,6 +7,7 @@
5234 #ifndef __ARCH_BLACKFIN_CACHE_H
5235 #define __ARCH_BLACKFIN_CACHE_H
5236
5237+#include <linux/const.h>
5238 #include <linux/linkage.h> /* for asmlinkage */
5239
5240 /*
5241@@ -14,7 +15,7 @@
5242 * Blackfin loads 32 bytes for cache
5243 */
5244 #define L1_CACHE_SHIFT 5
5245-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5246+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5247 #define SMP_CACHE_BYTES L1_CACHE_BYTES
5248
5249 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES
5250diff --git a/arch/cris/include/arch-v10/arch/cache.h b/arch/cris/include/arch-v10/arch/cache.h
5251index aea2718..3639a60 100644
5252--- a/arch/cris/include/arch-v10/arch/cache.h
5253+++ b/arch/cris/include/arch-v10/arch/cache.h
5254@@ -1,8 +1,9 @@
5255 #ifndef _ASM_ARCH_CACHE_H
5256 #define _ASM_ARCH_CACHE_H
5257
5258+#include <linux/const.h>
5259 /* Etrax 100LX have 32-byte cache-lines. */
5260-#define L1_CACHE_BYTES 32
5261 #define L1_CACHE_SHIFT 5
5262+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5263
5264 #endif /* _ASM_ARCH_CACHE_H */
5265diff --git a/arch/cris/include/arch-v32/arch/cache.h b/arch/cris/include/arch-v32/arch/cache.h
5266index 7caf25d..ee65ac5 100644
5267--- a/arch/cris/include/arch-v32/arch/cache.h
5268+++ b/arch/cris/include/arch-v32/arch/cache.h
5269@@ -1,11 +1,12 @@
5270 #ifndef _ASM_CRIS_ARCH_CACHE_H
5271 #define _ASM_CRIS_ARCH_CACHE_H
5272
5273+#include <linux/const.h>
5274 #include <arch/hwregs/dma.h>
5275
5276 /* A cache-line is 32 bytes. */
5277-#define L1_CACHE_BYTES 32
5278 #define L1_CACHE_SHIFT 5
5279+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5280
5281 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
5282
5283diff --git a/arch/frv/include/asm/atomic.h b/arch/frv/include/asm/atomic.h
5284index 102190a..5334cea 100644
5285--- a/arch/frv/include/asm/atomic.h
5286+++ b/arch/frv/include/asm/atomic.h
5287@@ -181,6 +181,16 @@ static inline void atomic64_dec(atomic64_t *v)
5288 #define atomic64_cmpxchg(v, old, new) (__cmpxchg_64(old, new, &(v)->counter))
5289 #define atomic64_xchg(v, new) (__xchg_64(new, &(v)->counter))
5290
5291+#define atomic64_read_unchecked(v) atomic64_read(v)
5292+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
5293+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
5294+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
5295+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
5296+#define atomic64_inc_unchecked(v) atomic64_inc(v)
5297+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
5298+#define atomic64_dec_unchecked(v) atomic64_dec(v)
5299+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
5300+
5301 static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
5302 {
5303 int c, old;
5304diff --git a/arch/frv/include/asm/cache.h b/arch/frv/include/asm/cache.h
5305index 2797163..c2a401df9 100644
5306--- a/arch/frv/include/asm/cache.h
5307+++ b/arch/frv/include/asm/cache.h
5308@@ -12,10 +12,11 @@
5309 #ifndef __ASM_CACHE_H
5310 #define __ASM_CACHE_H
5311
5312+#include <linux/const.h>
5313
5314 /* bytes per L1 cache line */
5315 #define L1_CACHE_SHIFT (CONFIG_FRV_L1_CACHE_SHIFT)
5316-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5317+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5318
5319 #define __cacheline_aligned __attribute__((aligned(L1_CACHE_BYTES)))
5320 #define ____cacheline_aligned __attribute__((aligned(L1_CACHE_BYTES)))
5321diff --git a/arch/frv/include/asm/kmap_types.h b/arch/frv/include/asm/kmap_types.h
5322index 43901f2..0d8b865 100644
5323--- a/arch/frv/include/asm/kmap_types.h
5324+++ b/arch/frv/include/asm/kmap_types.h
5325@@ -2,6 +2,6 @@
5326 #ifndef _ASM_KMAP_TYPES_H
5327 #define _ASM_KMAP_TYPES_H
5328
5329-#define KM_TYPE_NR 17
5330+#define KM_TYPE_NR 18
5331
5332 #endif
5333diff --git a/arch/frv/mm/elf-fdpic.c b/arch/frv/mm/elf-fdpic.c
5334index 836f147..4cf23f5 100644
5335--- a/arch/frv/mm/elf-fdpic.c
5336+++ b/arch/frv/mm/elf-fdpic.c
5337@@ -61,6 +61,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
5338 {
5339 struct vm_area_struct *vma;
5340 struct vm_unmapped_area_info info;
5341+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
5342
5343 if (len > TASK_SIZE)
5344 return -ENOMEM;
5345@@ -73,8 +74,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
5346 if (addr) {
5347 addr = PAGE_ALIGN(addr);
5348 vma = find_vma(current->mm, addr);
5349- if (TASK_SIZE - len >= addr &&
5350- (!vma || addr + len <= vma->vm_start))
5351+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
5352 goto success;
5353 }
5354
5355@@ -85,6 +85,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
5356 info.high_limit = (current->mm->start_stack - 0x00200000);
5357 info.align_mask = 0;
5358 info.align_offset = 0;
5359+ info.threadstack_offset = offset;
5360 addr = vm_unmapped_area(&info);
5361 if (!(addr & ~PAGE_MASK))
5362 goto success;
5363diff --git a/arch/hexagon/include/asm/cache.h b/arch/hexagon/include/asm/cache.h
5364index 69952c18..4fa2908 100644
5365--- a/arch/hexagon/include/asm/cache.h
5366+++ b/arch/hexagon/include/asm/cache.h
5367@@ -21,9 +21,11 @@
5368 #ifndef __ASM_CACHE_H
5369 #define __ASM_CACHE_H
5370
5371+#include <linux/const.h>
5372+
5373 /* Bytes per L1 cache line */
5374-#define L1_CACHE_SHIFT (5)
5375-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5376+#define L1_CACHE_SHIFT 5
5377+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5378
5379 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES
5380
5381diff --git a/arch/ia64/Kconfig b/arch/ia64/Kconfig
5382index 42a91a7..29d446e 100644
5383--- a/arch/ia64/Kconfig
5384+++ b/arch/ia64/Kconfig
5385@@ -518,6 +518,7 @@ source "drivers/sn/Kconfig"
5386 config KEXEC
5387 bool "kexec system call"
5388 depends on !IA64_HP_SIM && (!SMP || HOTPLUG_CPU)
5389+ depends on !GRKERNSEC_KMEM
5390 help
5391 kexec is a system call that implements the ability to shutdown your
5392 current kernel, and to start another kernel. It is like a reboot
5393diff --git a/arch/ia64/Makefile b/arch/ia64/Makefile
5394index 970d0bd..e750b9b 100644
5395--- a/arch/ia64/Makefile
5396+++ b/arch/ia64/Makefile
5397@@ -98,5 +98,6 @@ endef
5398 archprepare: make_nr_irqs_h FORCE
5399 PHONY += make_nr_irqs_h FORCE
5400
5401+make_nr_irqs_h: KBUILD_CFLAGS := $(filter-out $(GCC_PLUGINS_CFLAGS),$(KBUILD_CFLAGS))
5402 make_nr_irqs_h: FORCE
5403 $(Q)$(MAKE) $(build)=arch/ia64/kernel include/generated/nr-irqs.h
5404diff --git a/arch/ia64/include/asm/atomic.h b/arch/ia64/include/asm/atomic.h
5405index 0bf0350..2ad1957 100644
5406--- a/arch/ia64/include/asm/atomic.h
5407+++ b/arch/ia64/include/asm/atomic.h
5408@@ -193,4 +193,14 @@ atomic64_add_negative (__s64 i, atomic64_t *v)
5409 #define atomic64_inc(v) atomic64_add(1, (v))
5410 #define atomic64_dec(v) atomic64_sub(1, (v))
5411
5412+#define atomic64_read_unchecked(v) atomic64_read(v)
5413+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
5414+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
5415+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
5416+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
5417+#define atomic64_inc_unchecked(v) atomic64_inc(v)
5418+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
5419+#define atomic64_dec_unchecked(v) atomic64_dec(v)
5420+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
5421+
5422 #endif /* _ASM_IA64_ATOMIC_H */
5423diff --git a/arch/ia64/include/asm/barrier.h b/arch/ia64/include/asm/barrier.h
5424index 843ba43..fa118fb 100644
5425--- a/arch/ia64/include/asm/barrier.h
5426+++ b/arch/ia64/include/asm/barrier.h
5427@@ -66,7 +66,7 @@
5428 do { \
5429 compiletime_assert_atomic_type(*p); \
5430 barrier(); \
5431- ACCESS_ONCE(*p) = (v); \
5432+ ACCESS_ONCE_RW(*p) = (v); \
5433 } while (0)
5434
5435 #define smp_load_acquire(p) \
5436diff --git a/arch/ia64/include/asm/cache.h b/arch/ia64/include/asm/cache.h
5437index 988254a..e1ee885 100644
5438--- a/arch/ia64/include/asm/cache.h
5439+++ b/arch/ia64/include/asm/cache.h
5440@@ -1,6 +1,7 @@
5441 #ifndef _ASM_IA64_CACHE_H
5442 #define _ASM_IA64_CACHE_H
5443
5444+#include <linux/const.h>
5445
5446 /*
5447 * Copyright (C) 1998-2000 Hewlett-Packard Co
5448@@ -9,7 +10,7 @@
5449
5450 /* Bytes per L1 (data) cache line. */
5451 #define L1_CACHE_SHIFT CONFIG_IA64_L1_CACHE_SHIFT
5452-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5453+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5454
5455 #ifdef CONFIG_SMP
5456 # define SMP_CACHE_SHIFT L1_CACHE_SHIFT
5457diff --git a/arch/ia64/include/asm/elf.h b/arch/ia64/include/asm/elf.h
5458index 5a83c5c..4d7f553 100644
5459--- a/arch/ia64/include/asm/elf.h
5460+++ b/arch/ia64/include/asm/elf.h
5461@@ -42,6 +42,13 @@
5462 */
5463 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
5464
5465+#ifdef CONFIG_PAX_ASLR
5466+#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
5467+
5468+#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
5469+#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
5470+#endif
5471+
5472 #define PT_IA_64_UNWIND 0x70000001
5473
5474 /* IA-64 relocations: */
5475diff --git a/arch/ia64/include/asm/pgalloc.h b/arch/ia64/include/asm/pgalloc.h
5476index f5e70e9..624fad5 100644
5477--- a/arch/ia64/include/asm/pgalloc.h
5478+++ b/arch/ia64/include/asm/pgalloc.h
5479@@ -39,6 +39,12 @@ pgd_populate(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud)
5480 pgd_val(*pgd_entry) = __pa(pud);
5481 }
5482
5483+static inline void
5484+pgd_populate_kernel(struct mm_struct *mm, pgd_t * pgd_entry, pud_t * pud)
5485+{
5486+ pgd_populate(mm, pgd_entry, pud);
5487+}
5488+
5489 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
5490 {
5491 return quicklist_alloc(0, GFP_KERNEL, NULL);
5492@@ -57,6 +63,12 @@ pud_populate(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd)
5493 pud_val(*pud_entry) = __pa(pmd);
5494 }
5495
5496+static inline void
5497+pud_populate_kernel(struct mm_struct *mm, pud_t * pud_entry, pmd_t * pmd)
5498+{
5499+ pud_populate(mm, pud_entry, pmd);
5500+}
5501+
5502 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long addr)
5503 {
5504 return quicklist_alloc(0, GFP_KERNEL, NULL);
5505diff --git a/arch/ia64/include/asm/pgtable.h b/arch/ia64/include/asm/pgtable.h
5506index 9f3ed9e..c99b418 100644
5507--- a/arch/ia64/include/asm/pgtable.h
5508+++ b/arch/ia64/include/asm/pgtable.h
5509@@ -12,7 +12,7 @@
5510 * David Mosberger-Tang <davidm@hpl.hp.com>
5511 */
5512
5513-
5514+#include <linux/const.h>
5515 #include <asm/mman.h>
5516 #include <asm/page.h>
5517 #include <asm/processor.h>
5518@@ -139,6 +139,17 @@
5519 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5520 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5521 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
5522+
5523+#ifdef CONFIG_PAX_PAGEEXEC
5524+# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
5525+# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5526+# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
5527+#else
5528+# define PAGE_SHARED_NOEXEC PAGE_SHARED
5529+# define PAGE_READONLY_NOEXEC PAGE_READONLY
5530+# define PAGE_COPY_NOEXEC PAGE_COPY
5531+#endif
5532+
5533 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
5534 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
5535 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
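Review bot: Under CONFIG_PAX_PAGEEXEC, `PAGE_READONLY_NOEXEC` and `PAGE_COPY_NOEXEC` are spelled out with exactly the bits of `PAGE_READONLY` and `PAGE_COPY` shown just above, so for those two both arms of the `#ifdef` yield the same value. If that is deliberate, a comment such as `/* the ia64 access-rights field already separates execute from read/write, so the NOEXEC variants equal the base protections */` would say so; `PAGE_SHARED` is not visible in this hunk, so the same may or may not hold for `PAGE_SHARED_NOEXEC`. Defining the three names once, as aliases, would remove the duplicated bit expressions.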
5536diff --git a/arch/ia64/include/asm/spinlock.h b/arch/ia64/include/asm/spinlock.h
5537index 45698cd..e8e2dbc 100644
5538--- a/arch/ia64/include/asm/spinlock.h
5539+++ b/arch/ia64/include/asm/spinlock.h
5540@@ -71,7 +71,7 @@ static __always_inline void __ticket_spin_unlock(arch_spinlock_t *lock)
5541 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
5542
5543 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
5544- ACCESS_ONCE(*p) = (tmp + 2) & ~1;
5545+ ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
5546 }
5547
5548 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
5549diff --git a/arch/ia64/include/asm/uaccess.h b/arch/ia64/include/asm/uaccess.h
5550index 4f3fb6cc..254055e 100644
5551--- a/arch/ia64/include/asm/uaccess.h
5552+++ b/arch/ia64/include/asm/uaccess.h
5553@@ -70,6 +70,7 @@
5554 && ((segment).seg == KERNEL_DS.seg \
5555 || likely(REGION_OFFSET((unsigned long) (addr)) < RGN_MAP_LIMIT))); \
5556 })
5557+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
5558 #define access_ok(type, addr, size) __access_ok((addr), (size), get_fs())
5559
5560 /*
5561@@ -241,12 +242,24 @@ extern unsigned long __must_check __copy_user (void __user *to, const void __use
5562 static inline unsigned long
5563 __copy_to_user (void __user *to, const void *from, unsigned long count)
5564 {
5565+ if (count > INT_MAX)
5566+ return count;
5567+
5568+ if (!__builtin_constant_p(count))
5569+ check_object_size(from, count, true);
5570+
5571 return __copy_user(to, (__force void __user *) from, count);
5572 }
5573
5574 static inline unsigned long
5575 __copy_from_user (void *to, const void __user *from, unsigned long count)
5576 {
5577+ if (count > INT_MAX)
5578+ return count;
5579+
5580+ if (!__builtin_constant_p(count))
5581+ check_object_size(to, count, false);
5582+
5583 return __copy_user((__force void __user *) to, from, count);
5584 }
5585
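Review bot: The `count > INT_MAX` guard added to `__copy_to_user` and `__copy_from_user` is undocumented, and on that path `__copy_from_user` returns with the destination buffer untouched. I would say so at the first guard, e.g. `/* oversized length, presumably a negative value converted to unsigned long: report everything as uncopied, the destination is not written */`, so callers know the return value must be checked before the buffer is used. The same guard appears without explanation in the `copy_to_user` and `copy_from_user` macros in the next two hunks, and as `(long)n < 0` in both hunks of arch/m32r/lib/usercopy.c.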
5586@@ -256,10 +269,13 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
5587 ({ \
5588 void __user *__cu_to = (to); \
5589 const void *__cu_from = (from); \
5590- long __cu_len = (n); \
5591+ unsigned long __cu_len = (n); \
5592 \
5593- if (__access_ok(__cu_to, __cu_len, get_fs())) \
5594+ if (__cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) { \
5595+ if (!__builtin_constant_p(n)) \
5596+ check_object_size(__cu_from, __cu_len, true); \
5597 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
5598+ } \
5599 __cu_len; \
5600 })
5601
5602@@ -267,11 +283,14 @@ __copy_from_user (void *to, const void __user *from, unsigned long count)
5603 ({ \
5604 void *__cu_to = (to); \
5605 const void __user *__cu_from = (from); \
5606- long __cu_len = (n); \
5607+ unsigned long __cu_len = (n); \
5608 \
5609 __chk_user_ptr(__cu_from); \
5610- if (__access_ok(__cu_from, __cu_len, get_fs())) \
5611+ if (__cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) { \
5612+ if (!__builtin_constant_p(n)) \
5613+ check_object_size(__cu_to, __cu_len, false); \
5614 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
5615+ } \
5616 __cu_len; \
5617 })
5618
5619diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
5620index b15933c..098b1c8 100644
5621--- a/arch/ia64/kernel/module.c
5622+++ b/arch/ia64/kernel/module.c
5623@@ -484,15 +484,39 @@ module_frob_arch_sections (Elf_Ehdr *ehdr, Elf_Shdr *sechdrs, char *secstrings,
5624 }
5625
5626 static inline int
5627+in_init_rx (const struct module *mod, uint64_t addr)
5628+{
5629+ return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
5630+}
5631+
5632+static inline int
5633+in_init_rw (const struct module *mod, uint64_t addr)
5634+{
5635+ return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
5636+}
5637+
5638+static inline int
5639 in_init (const struct module *mod, uint64_t addr)
5640 {
5641- return addr - (uint64_t) mod->module_init < mod->init_size;
5642+ return in_init_rx(mod, addr) || in_init_rw(mod, addr);
5643+}
5644+
5645+static inline int
5646+in_core_rx (const struct module *mod, uint64_t addr)
5647+{
5648+ return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
5649+}
5650+
5651+static inline int
5652+in_core_rw (const struct module *mod, uint64_t addr)
5653+{
5654+ return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
5655 }
5656
5657 static inline int
5658 in_core (const struct module *mod, uint64_t addr)
5659 {
5660- return addr - (uint64_t) mod->module_core < mod->core_size;
5661+ return in_core_rx(mod, addr) || in_core_rw(mod, addr);
5662 }
5663
5664 static inline int
5665@@ -675,7 +699,14 @@ do_reloc (struct module *mod, uint8_t r_type, Elf64_Sym *sym, uint64_t addend,
5666 break;
5667
5668 case RV_BDREL:
5669- val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
5670+ if (in_init_rx(mod, val))
5671+ val -= (uint64_t) mod->module_init_rx;
5672+ else if (in_init_rw(mod, val))
5673+ val -= (uint64_t) mod->module_init_rw;
5674+ else if (in_core_rx(mod, val))
5675+ val -= (uint64_t) mod->module_core_rx;
5676+ else if (in_core_rw(mod, val))
5677+ val -= (uint64_t) mod->module_core_rw;
5678 break;
5679
5680 case RV_LTV:
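Review bot: The new `RV_BDREL` chain has no final `else`, so a `val` that lies in none of the four regions is passed on without being rebased, whereas the old code always subtracted a base. A relocation whose target is outside the module's own regions is better rejected than applied silently. Closing the chain with something like `else return -ENOEXEC;` would make that case visible to the loader, adjusted to however the rest of do_reloc reports bad relocations (its body continues outside this hunk).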
5681@@ -810,15 +841,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs, const char *strtab, unsigned int symind
5682 * addresses have been selected...
5683 */
5684 uint64_t gp;
5685- if (mod->core_size > MAX_LTOFF)
5686+ if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
5687 /*
5688 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
5689 * at the end of the module.
5690 */
5691- gp = mod->core_size - MAX_LTOFF / 2;
5692+ gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
5693 else
5694- gp = mod->core_size / 2;
5695- gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
5696+ gp = (mod->core_size_rx + mod->core_size_rw) / 2;
5697+ gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
5698 mod->arch.gp = gp;
5699 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
5700 }
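Review bot: `gp` is now an offset derived from `core_size_rx + core_size_rw` but is added to `module_core_rx` alone, which is only correct if the RW region directly follows the RX region in one contiguous range. Nothing in this hunk shows that layout. If the two regions are allocated separately, gp can point outside both, and the retained comment about SHF_ARCH_SMALL being "at the end of the module" no longer says which region it means. Either state the contiguity assumption in that comment or compute gp relative to the region that actually holds the small-data sections.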
5701diff --git a/arch/ia64/kernel/palinfo.c b/arch/ia64/kernel/palinfo.c
5702index c39c3cd..3c77738 100644
5703--- a/arch/ia64/kernel/palinfo.c
5704+++ b/arch/ia64/kernel/palinfo.c
5705@@ -980,7 +980,7 @@ static int palinfo_cpu_callback(struct notifier_block *nfb,
5706 return NOTIFY_OK;
5707 }
5708
5709-static struct notifier_block __refdata palinfo_cpu_notifier =
5710+static struct notifier_block palinfo_cpu_notifier =
5711 {
5712 .notifier_call = palinfo_cpu_callback,
5713 .priority = 0,
5714diff --git a/arch/ia64/kernel/sys_ia64.c b/arch/ia64/kernel/sys_ia64.c
5715index 41e33f8..65180b2a 100644
5716--- a/arch/ia64/kernel/sys_ia64.c
5717+++ b/arch/ia64/kernel/sys_ia64.c
5718@@ -28,6 +28,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5719 unsigned long align_mask = 0;
5720 struct mm_struct *mm = current->mm;
5721 struct vm_unmapped_area_info info;
5722+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
5723
5724 if (len > RGN_MAP_LIMIT)
5725 return -ENOMEM;
5726@@ -43,6 +44,13 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5727 if (REGION_NUMBER(addr) == RGN_HPAGE)
5728 addr = 0;
5729 #endif
5730+
5731+#ifdef CONFIG_PAX_RANDMMAP
5732+ if (mm->pax_flags & MF_PAX_RANDMMAP)
5733+ addr = mm->free_area_cache;
5734+ else
5735+#endif
5736+
5737 if (!addr)
5738 addr = TASK_UNMAPPED_BASE;
5739
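Review bot: The `else` placed directly before `#endif` binds to the `if (!addr)` two lines below, across a blank line and a preprocessor boundary, so the control flow differs between configurations in a way that is easy to miss. Dropping the blank line and marking the join, e.g. `else /* continues with the if (!addr) below */`, keeps the behaviour and makes the pairing obvious. It would also help to note in a comment that with `MF_PAX_RANDMMAP` set the caller's `addr` hint is discarded in favour of `mm->free_area_cache`. The function body starts and ends outside this hunk.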
5740@@ -61,6 +69,7 @@ arch_get_unmapped_area (struct file *filp, unsigned long addr, unsigned long len
5741 info.high_limit = TASK_SIZE;
5742 info.align_mask = align_mask;
5743 info.align_offset = 0;
5744+ info.threadstack_offset = offset;
5745 return vm_unmapped_area(&info);
5746 }
5747
5748diff --git a/arch/ia64/kernel/vmlinux.lds.S b/arch/ia64/kernel/vmlinux.lds.S
5749index dc506b0..39baade 100644
5750--- a/arch/ia64/kernel/vmlinux.lds.S
5751+++ b/arch/ia64/kernel/vmlinux.lds.S
5752@@ -171,7 +171,7 @@ SECTIONS {
5753 /* Per-cpu data: */
5754 . = ALIGN(PERCPU_PAGE_SIZE);
5755 PERCPU_VADDR(SMP_CACHE_BYTES, PERCPU_ADDR, :percpu)
5756- __phys_per_cpu_start = __per_cpu_load;
5757+ __phys_per_cpu_start = per_cpu_load;
5758 /*
5759 * ensure percpu data fits
5760 * into percpu page size
5761diff --git a/arch/ia64/mm/fault.c b/arch/ia64/mm/fault.c
5762index 70b40d1..01a9a28 100644
5763--- a/arch/ia64/mm/fault.c
5764+++ b/arch/ia64/mm/fault.c
5765@@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned long address)
5766 return pte_present(pte);
5767 }
5768
5769+#ifdef CONFIG_PAX_PAGEEXEC
5770+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
5771+{
5772+ unsigned long i;
5773+
5774+ printk(KERN_ERR "PAX: bytes at PC: ");
5775+ for (i = 0; i < 8; i++) {
5776+ unsigned int c;
5777+ if (get_user(c, (unsigned int *)pc+i))
5778+ printk(KERN_CONT "???????? ");
5779+ else
5780+ printk(KERN_CONT "%08x ", c);
5781+ }
5782+ printk("\n");
5783+}
5784+#endif
5785+
5786 # define VM_READ_BIT 0
5787 # define VM_WRITE_BIT 1
5788 # define VM_EXEC_BIT 2
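Review bot: In `pax_report_insns` the closing `printk("\n")` has no log level although every other fragment of the line uses `KERN_CONT`, and the pointer handed to `get_user` is cast to a plain `unsigned int *` rather than a `__user` pointer. Writing `printk(KERN_CONT "\n");` and `get_user(c, (unsigned int __user *)pc + i)` keeps the dump on one log line and lets sparse check the user access. The `regs` and `sp` parameters are unused in this body. A one-line comment that the signature is dictated by the common caller would explain that, assuming the prototype is shared across architectures elsewhere in the patch.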
5789@@ -151,8 +168,21 @@ retry:
5790 if (((isr >> IA64_ISR_R_BIT) & 1UL) && (!(vma->vm_flags & (VM_READ | VM_WRITE))))
5791 goto bad_area;
5792
5793- if ((vma->vm_flags & mask) != mask)
5794+ if ((vma->vm_flags & mask) != mask) {
5795+
5796+#ifdef CONFIG_PAX_PAGEEXEC
5797+ if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
5798+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
5799+ goto bad_area;
5800+
5801+ up_read(&mm->mmap_sem);
5802+ pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
5803+ do_group_exit(SIGKILL);
5804+ }
5805+#endif
5806+
5807 goto bad_area;
5808+ }
5809
5810 /*
5811 * If for any reason at all we couldn't handle the fault, make
5812diff --git a/arch/ia64/mm/hugetlbpage.c b/arch/ia64/mm/hugetlbpage.c
5813index f50d4b3..c7975ee 100644
5814--- a/arch/ia64/mm/hugetlbpage.c
5815+++ b/arch/ia64/mm/hugetlbpage.c
5816@@ -138,6 +138,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u
5817 unsigned long pgoff, unsigned long flags)
5818 {
5819 struct vm_unmapped_area_info info;
5820+ unsigned long offset = gr_rand_threadstack_offset(current->mm, file, flags);
5821
5822 if (len > RGN_MAP_LIMIT)
5823 return -ENOMEM;
5824@@ -161,6 +162,7 @@ unsigned long hugetlb_get_unmapped_area(struct file *file, unsigned long addr, u
5825 info.high_limit = HPAGE_REGION_BASE + RGN_MAP_LIMIT;
5826 info.align_mask = PAGE_MASK & (HPAGE_SIZE - 1);
5827 info.align_offset = 0;
5828+ info.threadstack_offset = offset;
5829 return vm_unmapped_area(&info);
5830 }
5831
5832diff --git a/arch/ia64/mm/init.c b/arch/ia64/mm/init.c
5833index 97e48b0..fc59c36 100644
5834--- a/arch/ia64/mm/init.c
5835+++ b/arch/ia64/mm/init.c
5836@@ -119,6 +119,19 @@ ia64_init_addr_space (void)
5837 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
5838 vma->vm_end = vma->vm_start + PAGE_SIZE;
5839 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
5840+
5841+#ifdef CONFIG_PAX_PAGEEXEC
5842+ if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
5843+ vma->vm_flags &= ~VM_EXEC;
5844+
5845+#ifdef CONFIG_PAX_MPROTECT
5846+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
5847+ vma->vm_flags &= ~VM_MAYEXEC;
5848+#endif
5849+
5850+ }
5851+#endif
5852+
5853 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5854 down_write(&current->mm->mmap_sem);
5855 if (insert_vm_struct(current->mm, vma)) {
5856@@ -279,7 +292,7 @@ static int __init gate_vma_init(void)
5857 gate_vma.vm_start = FIXADDR_USER_START;
5858 gate_vma.vm_end = FIXADDR_USER_END;
5859 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
5860- gate_vma.vm_page_prot = __P101;
5861+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
5862
5863 return 0;
5864 }
5865diff --git a/arch/m32r/include/asm/cache.h b/arch/m32r/include/asm/cache.h
5866index 40b3ee98..8c2c112 100644
5867--- a/arch/m32r/include/asm/cache.h
5868+++ b/arch/m32r/include/asm/cache.h
5869@@ -1,8 +1,10 @@
5870 #ifndef _ASM_M32R_CACHE_H
5871 #define _ASM_M32R_CACHE_H
5872
5873+#include <linux/const.h>
5874+
5875 /* L1 cache line size */
5876 #define L1_CACHE_SHIFT 4
5877-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5878+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5879
5880 #endif /* _ASM_M32R_CACHE_H */
5881diff --git a/arch/m32r/lib/usercopy.c b/arch/m32r/lib/usercopy.c
5882index 82abd15..d95ae5d 100644
5883--- a/arch/m32r/lib/usercopy.c
5884+++ b/arch/m32r/lib/usercopy.c
5885@@ -14,6 +14,9 @@
5886 unsigned long
5887 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
5888 {
5889+ if ((long)n < 0)
5890+ return n;
5891+
5892 prefetch(from);
5893 if (access_ok(VERIFY_WRITE, to, n))
5894 __copy_user(to,from,n);
5895@@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
5896 unsigned long
5897 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
5898 {
5899+ if ((long)n < 0)
5900+ return n;
5901+
5902 prefetchw(to);
5903 if (access_ok(VERIFY_READ, from, n))
5904 __copy_user_zeroing(to,from,n);
5905diff --git a/arch/m68k/include/asm/cache.h b/arch/m68k/include/asm/cache.h
5906index 0395c51..5f26031 100644
5907--- a/arch/m68k/include/asm/cache.h
5908+++ b/arch/m68k/include/asm/cache.h
5909@@ -4,9 +4,11 @@
5910 #ifndef __ARCH_M68K_CACHE_H
5911 #define __ARCH_M68K_CACHE_H
5912
5913+#include <linux/const.h>
5914+
5915 /* bytes per L1 cache line */
5916 #define L1_CACHE_SHIFT 4
5917-#define L1_CACHE_BYTES (1<< L1_CACHE_SHIFT)
5918+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5919
5920 #define ARCH_DMA_MINALIGN L1_CACHE_BYTES
5921
5922diff --git a/arch/metag/include/asm/barrier.h b/arch/metag/include/asm/barrier.h
5923index 5a696e5..070490d 100644
5924--- a/arch/metag/include/asm/barrier.h
5925+++ b/arch/metag/include/asm/barrier.h
5926@@ -90,7 +90,7 @@ static inline void fence(void)
5927 do { \
5928 compiletime_assert_atomic_type(*p); \
5929 smp_mb(); \
5930- ACCESS_ONCE(*p) = (v); \
5931+ ACCESS_ONCE_RW(*p) = (v); \
5932 } while (0)
5933
5934 #define smp_load_acquire(p) \
5935diff --git a/arch/metag/mm/hugetlbpage.c b/arch/metag/mm/hugetlbpage.c
5936index 53f0f6c..2dc07fd 100644
5937--- a/arch/metag/mm/hugetlbpage.c
5938+++ b/arch/metag/mm/hugetlbpage.c
5939@@ -189,6 +189,7 @@ hugetlb_get_unmapped_area_new_pmd(unsigned long len)
5940 info.high_limit = TASK_SIZE;
5941 info.align_mask = PAGE_MASK & HUGEPT_MASK;
5942 info.align_offset = 0;
5943+ info.threadstack_offset = 0;
5944 return vm_unmapped_area(&info);
5945 }
5946
5947diff --git a/arch/microblaze/include/asm/cache.h b/arch/microblaze/include/asm/cache.h
5948index 4efe96a..60e8699 100644
5949--- a/arch/microblaze/include/asm/cache.h
5950+++ b/arch/microblaze/include/asm/cache.h
5951@@ -13,11 +13,12 @@
5952 #ifndef _ASM_MICROBLAZE_CACHE_H
5953 #define _ASM_MICROBLAZE_CACHE_H
5954
5955+#include <linux/const.h>
5956 #include <asm/registers.h>
5957
5958 #define L1_CACHE_SHIFT 5
5959 /* word-granular cache in microblaze */
5960-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
5961+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
5962
5963 #define SMP_CACHE_BYTES L1_CACHE_BYTES
5964
5965diff --git a/arch/mips/Kconfig b/arch/mips/Kconfig
5966index 199a835..822b487 100644
5967--- a/arch/mips/Kconfig
5968+++ b/arch/mips/Kconfig
5969@@ -2591,6 +2591,7 @@ source "kernel/Kconfig.preempt"
5970
5971 config KEXEC
5972 bool "Kexec system call"
5973+ depends on !GRKERNSEC_KMEM
5974 help
5975 kexec is a system call that implements the ability to shutdown your
5976 current kernel, and to start another kernel. It is like a reboot
5977diff --git a/arch/mips/cavium-octeon/dma-octeon.c b/arch/mips/cavium-octeon/dma-octeon.c
5978index d8960d4..77dbd31 100644
5979--- a/arch/mips/cavium-octeon/dma-octeon.c
5980+++ b/arch/mips/cavium-octeon/dma-octeon.c
5981@@ -199,7 +199,7 @@ static void octeon_dma_free_coherent(struct device *dev, size_t size,
5982 if (dma_release_from_coherent(dev, order, vaddr))
5983 return;
5984
5985- swiotlb_free_coherent(dev, size, vaddr, dma_handle);
5986+ swiotlb_free_coherent(dev, size, vaddr, dma_handle, attrs);
5987 }
5988
5989 static dma_addr_t octeon_unity_phys_to_dma(struct device *dev, phys_addr_t paddr)
5990diff --git a/arch/mips/include/asm/atomic.h b/arch/mips/include/asm/atomic.h
5991index 26d4363..3c9a82e 100644
5992--- a/arch/mips/include/asm/atomic.h
5993+++ b/arch/mips/include/asm/atomic.h
5994@@ -22,15 +22,39 @@
5995 #include <asm/cmpxchg.h>
5996 #include <asm/war.h>
5997
5998+#ifdef CONFIG_GENERIC_ATOMIC64
5999+#include <asm-generic/atomic64.h>
6000+#endif
6001+
6002 #define ATOMIC_INIT(i) { (i) }
6003
6004+#ifdef CONFIG_64BIT
6005+#define _ASM_EXTABLE(from, to) \
6006+" .section __ex_table,\"a\"\n" \
6007+" .dword " #from ", " #to"\n" \
6008+" .previous\n"
6009+#else
6010+#define _ASM_EXTABLE(from, to) \
6011+" .section __ex_table,\"a\"\n" \
6012+" .word " #from ", " #to"\n" \
6013+" .previous\n"
6014+#endif
6015+
6016 /*
6017 * atomic_read - read atomic variable
6018 * @v: pointer of type atomic_t
6019 *
6020 * Atomically reads the value of @v.
6021 */
6022-#define atomic_read(v) ACCESS_ONCE((v)->counter)
6023+static inline int atomic_read(const atomic_t *v)
6024+{
6025+ return ACCESS_ONCE(v->counter);
6026+}
6027+
6028+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6029+{
6030+ return ACCESS_ONCE(v->counter);
6031+}
6032
6033 /*
6034 * atomic_set - set atomic variable
6035@@ -39,47 +63,77 @@
6036 *
6037 * Atomically sets the value of @v to @i.
6038 */
6039-#define atomic_set(v, i) ((v)->counter = (i))
6040+static inline void atomic_set(atomic_t *v, int i)
6041+{
6042+ v->counter = i;
6043+}
6044
6045-#define ATOMIC_OP(op, c_op, asm_op) \
6046-static __inline__ void atomic_##op(int i, atomic_t * v) \
6047+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6048+{
6049+ v->counter = i;
6050+}
6051+
6052+#ifdef CONFIG_PAX_REFCOUNT
6053+#define __OVERFLOW_POST \
6054+ " b 4f \n" \
6055+ " .set noreorder \n" \
6056+ "3: b 5f \n" \
6057+ " move %0, %1 \n" \
6058+ " .set reorder \n"
6059+#define __OVERFLOW_EXTABLE \
6060+ "3:\n" \
6061+ _ASM_EXTABLE(2b, 3b)
6062+#else
6063+#define __OVERFLOW_POST
6064+#define __OVERFLOW_EXTABLE
6065+#endif
6066+
6067+#define __ATOMIC_OP(op, suffix, asm_op, extable) \
6068+static inline void atomic_##op##suffix(int i, atomic##suffix##_t * v) \
6069 { \
6070 if (kernel_uses_llsc && R10000_LLSC_WAR) { \
6071 int temp; \
6072 \
6073 __asm__ __volatile__( \
6074- " .set arch=r4000 \n" \
6075- "1: ll %0, %1 # atomic_" #op " \n" \
6076- " " #asm_op " %0, %2 \n" \
6077+ " .set mips3 \n" \
6078+ "1: ll %0, %1 # atomic_" #op #suffix "\n" \
6079+ "2: " #asm_op " %0, %2 \n" \
6080 " sc %0, %1 \n" \
6081 " beqzl %0, 1b \n" \
6082+ extable \
6083 " .set mips0 \n" \
6084 : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6085 : "Ir" (i)); \
6086 } else if (kernel_uses_llsc) { \
6087 int temp; \
6088 \
6089- do { \
6090- __asm__ __volatile__( \
6091- " .set "MIPS_ISA_LEVEL" \n" \
6092- " ll %0, %1 # atomic_" #op "\n" \
6093- " " #asm_op " %0, %2 \n" \
6094- " sc %0, %1 \n" \
6095- " .set mips0 \n" \
6096- : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6097- : "Ir" (i)); \
6098- } while (unlikely(!temp)); \
6099+ __asm__ __volatile__( \
6100+ " .set "MIPS_ISA_LEVEL" \n" \
6101+ "1: ll %0, %1 # atomic_" #op #suffix "\n" \
6102+ "2: " #asm_op " %0, %2 \n" \
6103+ " sc %0, %1 \n" \
6104+ " beqz %0, 1b \n" \
6105+ extable \
6106+ " .set mips0 \n" \
6107+ : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6108+ : "Ir" (i)); \
6109 } else { \
6110 unsigned long flags; \
6111 \
6112 raw_local_irq_save(flags); \
6113- v->counter c_op i; \
6114+ __asm__ __volatile__( \
6115+ "2: " #asm_op " %0, %1 \n" \
6116+ extable \
6117+ : "+r" (v->counter) : "Ir" (i)); \
6118 raw_local_irq_restore(flags); \
6119 } \
6120 }
6121
6122-#define ATOMIC_OP_RETURN(op, c_op, asm_op) \
6123-static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6124+#define ATOMIC_OP(op, asm_op) __ATOMIC_OP(op, _unchecked, asm_op##u, ) \
6125+ __ATOMIC_OP(op, , asm_op, __OVERFLOW_EXTABLE)
6126+
6127+#define __ATOMIC_OP_RETURN(op, suffix, asm_op, post_op, extable) \
6128+static inline int atomic_##op##_return##suffix(int i, atomic##suffix##_t * v) \
6129 { \
6130 int result; \
6131 \
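Review bot: The R10000 branch of `__ATOMIC_OP` changes `.set arch=r4000` to `.set mips3`, while the `atomic_sub_if_positive` hunks further down change the same directive to `.set "MIPS_ISA_LEVEL"` and `__ATOMIC64_OP` uses `MIPS_ISA_LEVEL` in its R10000 branch. The `__ATOMIC_OP_RETURN` and `__ATOMIC64_OP_RETURN` hunks also use `mips3`. If there is no reason for the difference, using one form throughout avoids assembling the same LL/SC sequence under two ISA settings. If the difference is intended, it deserves a comment at the first occurrence.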
6132@@ -89,12 +143,15 @@ static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6133 int temp; \
6134 \
6135 __asm__ __volatile__( \
6136- " .set arch=r4000 \n" \
6137- "1: ll %1, %2 # atomic_" #op "_return \n" \
6138- " " #asm_op " %0, %1, %3 \n" \
6139+ " .set mips3 \n" \
6140+ "1: ll %1, %2 # atomic_" #op "_return" #suffix"\n" \
6141+ "2: " #asm_op " %0, %1, %3 \n" \
6142 " sc %0, %2 \n" \
6143 " beqzl %0, 1b \n" \
6144- " " #asm_op " %0, %1, %3 \n" \
6145+ post_op \
6146+ extable \
6147+ "4: " #asm_op " %0, %1, %3 \n" \
6148+ "5: \n" \
6149 " .set mips0 \n" \
6150 : "=&r" (result), "=&r" (temp), \
6151 "+" GCC_OFF_SMALL_ASM() (v->counter) \
6152@@ -102,26 +159,33 @@ static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6153 } else if (kernel_uses_llsc) { \
6154 int temp; \
6155 \
6156- do { \
6157- __asm__ __volatile__( \
6158- " .set "MIPS_ISA_LEVEL" \n" \
6159- " ll %1, %2 # atomic_" #op "_return \n" \
6160- " " #asm_op " %0, %1, %3 \n" \
6161- " sc %0, %2 \n" \
6162- " .set mips0 \n" \
6163- : "=&r" (result), "=&r" (temp), \
6164- "+" GCC_OFF_SMALL_ASM() (v->counter) \
6165- : "Ir" (i)); \
6166- } while (unlikely(!result)); \
6167+ __asm__ __volatile__( \
6168+ " .set "MIPS_ISA_LEVEL" \n" \
6169+ "1: ll %1, %2 # atomic_" #op "_return" #suffix "\n" \
6170+ "2: " #asm_op " %0, %1, %3 \n" \
6171+ " sc %0, %2 \n" \
6172+ post_op \
6173+ extable \
6174+ "4: " #asm_op " %0, %1, %3 \n" \
6175+ "5: \n" \
6176+ " .set mips0 \n" \
6177+ : "=&r" (result), "=&r" (temp), \
6178+ "+" GCC_OFF_SMALL_ASM() (v->counter) \
6179+ : "Ir" (i)); \
6180 \
6181 result = temp; result c_op i; \
6182 } else { \
6183 unsigned long flags; \
6184 \
6185 raw_local_irq_save(flags); \
6186- result = v->counter; \
6187- result c_op i; \
6188- v->counter = result; \
6189+ __asm__ __volatile__( \
6190+ " lw %0, %1 \n" \
6191+ "2: " #asm_op " %0, %1, %2 \n" \
6192+ " sw %0, %1 \n" \
6193+ "3: \n" \
6194+ extable \
6195+ : "=&r" (result), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6196+ : "Ir" (i)); \
6197 raw_local_irq_restore(flags); \
6198 } \
6199 \
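Review bot: The context line `result = temp; result c_op i;` survives in the LL/SC branch, but `__ATOMIC_OP_RETURN(op, suffix, asm_op, post_op, extable)` no longer has a `c_op` parameter, so the expansion cannot compile. The same leftover is in the `__ATOMIC64_OP_RETURN` hunk at `@@ -381,27 +510,35 @@`. Since label `4:` already recomputes the result in assembly, that line should be removed in both places. This branch also lost its retry: the `do { } while (unlikely(!result))` loop is gone and no `" beqz %0, 1b \n"` follows the `sc`, unlike the 64-bit version, so a failed store-conditional is not repeated. In the non-LL/SC fallback, `#asm_op " %0, %1, %2"` appears to pass the memory operand `%1` as a register source and probably should read `%0, %0, %2`; the 64-bit fallback has the same form.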
6200@@ -130,16 +194,21 @@ static __inline__ int atomic_##op##_return(int i, atomic_t * v) \
6201 return result; \
6202 }
6203
6204-#define ATOMIC_OPS(op, c_op, asm_op) \
6205- ATOMIC_OP(op, c_op, asm_op) \
6206- ATOMIC_OP_RETURN(op, c_op, asm_op)
6207+#define ATOMIC_OP_RETURN(op, asm_op) __ATOMIC_OP_RETURN(op, _unchecked, asm_op##u, , ) \
6208+ __ATOMIC_OP_RETURN(op, , asm_op, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
6209
6210-ATOMIC_OPS(add, +=, addu)
6211-ATOMIC_OPS(sub, -=, subu)
6212+#define ATOMIC_OPS(op, asm_op) \
6213+ ATOMIC_OP(op, asm_op) \
6214+ ATOMIC_OP_RETURN(op, asm_op)
6215+
6216+ATOMIC_OPS(add, add)
6217+ATOMIC_OPS(sub, sub)
6218
6219 #undef ATOMIC_OPS
6220 #undef ATOMIC_OP_RETURN
6221+#undef __ATOMIC_OP_RETURN
6222 #undef ATOMIC_OP
6223+#undef __ATOMIC_OP
6224
6225 /*
6226 * atomic_sub_if_positive - conditionally subtract integer from atomic variable
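Review bot: `ATOMIC_OPS(add, add)` and `ATOMIC_OPS(sub, sub)` make the checked variants use the trapping `add`/`sub` instructions in every configuration, while `__OVERFLOW_POST` and `__OVERFLOW_EXTABLE` are empty unless `CONFIG_PAX_REFCOUNT` is set. With that option off, a wrapping `atomic_add` would raise an integer overflow exception with no exception-table entry to recover through, where the original `addu`/`subu` simply wrapped. Unless the trap handler elsewhere in the patch covers this case, the instruction choice should follow the config option too, for example by selecting `asm_op##u` for the checked variant when `CONFIG_PAX_REFCOUNT` is not defined. `ATOMIC64_OPS(add, dadd)` and `ATOMIC64_OPS(sub, dsub)` in the later hunk have the same shape.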
6227@@ -149,7 +218,7 @@ ATOMIC_OPS(sub, -=, subu)
6228 * Atomically test @v and subtract @i if @v is greater or equal than @i.
6229 * The function returns the old value of @v minus @i.
6230 */
6231-static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
6232+static __inline__ int atomic_sub_if_positive(int i, atomic_t *v)
6233 {
6234 int result;
6235
6236@@ -159,7 +228,7 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
6237 int temp;
6238
6239 __asm__ __volatile__(
6240- " .set arch=r4000 \n"
6241+ " .set "MIPS_ISA_LEVEL" \n"
6242 "1: ll %1, %2 # atomic_sub_if_positive\n"
6243 " subu %0, %1, %3 \n"
6244 " bltz %0, 1f \n"
6245@@ -208,8 +277,26 @@ static __inline__ int atomic_sub_if_positive(int i, atomic_t * v)
6246 return result;
6247 }
6248
6249-#define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
6250-#define atomic_xchg(v, new) (xchg(&((v)->counter), (new)))
6251+static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6252+{
6253+ return cmpxchg(&v->counter, old, new);
6254+}
6255+
6256+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old,
6257+ int new)
6258+{
6259+ return cmpxchg(&(v->counter), old, new);
6260+}
6261+
6262+static inline int atomic_xchg(atomic_t *v, int new)
6263+{
6264+ return xchg(&v->counter, new);
6265+}
6266+
6267+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
6268+{
6269+ return xchg(&(v->counter), new);
6270+}
6271
6272 /**
6273 * __atomic_add_unless - add unless the number is a given value
6274@@ -237,6 +324,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6275
6276 #define atomic_dec_return(v) atomic_sub_return(1, (v))
6277 #define atomic_inc_return(v) atomic_add_return(1, (v))
6278+static __inline__ int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6279+{
6280+ return atomic_add_return_unchecked(1, v);
6281+}
6282
6283 /*
6284 * atomic_sub_and_test - subtract value from variable and test result
6285@@ -258,6 +349,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6286 * other cases.
6287 */
6288 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
6289+static __inline__ int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
6290+{
6291+ return atomic_add_return_unchecked(1, v) == 0;
6292+}
6293
6294 /*
6295 * atomic_dec_and_test - decrement by 1 and test
6296@@ -282,6 +377,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6297 * Atomically increments @v by 1.
6298 */
6299 #define atomic_inc(v) atomic_add(1, (v))
6300+static __inline__ void atomic_inc_unchecked(atomic_unchecked_t *v)
6301+{
6302+ atomic_add_unchecked(1, v);
6303+}
6304
6305 /*
6306 * atomic_dec - decrement and test
6307@@ -290,6 +389,10 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6308 * Atomically decrements @v by 1.
6309 */
6310 #define atomic_dec(v) atomic_sub(1, (v))
6311+static __inline__ void atomic_dec_unchecked(atomic_unchecked_t *v)
6312+{
6313+ atomic_sub_unchecked(1, v);
6314+}
6315
6316 /*
6317 * atomic_add_negative - add and test if negative
6318@@ -311,54 +414,77 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
6319 * @v: pointer of type atomic64_t
6320 *
6321 */
6322-#define atomic64_read(v) ACCESS_ONCE((v)->counter)
6323+static inline long atomic64_read(const atomic64_t *v)
6324+{
6325+ return ACCESS_ONCE(v->counter);
6326+}
6327+
6328+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6329+{
6330+ return ACCESS_ONCE(v->counter);
6331+}
6332
6333 /*
6334 * atomic64_set - set atomic variable
6335 * @v: pointer of type atomic64_t
6336 * @i: required value
6337 */
6338-#define atomic64_set(v, i) ((v)->counter = (i))
6339+static inline void atomic64_set(atomic64_t *v, long i)
6340+{
6341+ v->counter = i;
6342+}
6343
6344-#define ATOMIC64_OP(op, c_op, asm_op) \
6345-static __inline__ void atomic64_##op(long i, atomic64_t * v) \
6346+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6347+{
6348+ v->counter = i;
6349+}
6350+
6351+#define __ATOMIC64_OP(op, suffix, asm_op, extable) \
6352+static inline void atomic64_##op##suffix(long i, atomic64##suffix##_t * v) \
6353 { \
6354 if (kernel_uses_llsc && R10000_LLSC_WAR) { \
6355 long temp; \
6356 \
6357 __asm__ __volatile__( \
6358- " .set arch=r4000 \n" \
6359- "1: lld %0, %1 # atomic64_" #op " \n" \
6360- " " #asm_op " %0, %2 \n" \
6361+ " .set "MIPS_ISA_LEVEL" \n" \
6362+ "1: lld %0, %1 # atomic64_" #op #suffix "\n" \
6363+ "2: " #asm_op " %0, %2 \n" \
6364 " scd %0, %1 \n" \
6365 " beqzl %0, 1b \n" \
6366+ extable \
6367 " .set mips0 \n" \
6368 : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6369 : "Ir" (i)); \
6370 } else if (kernel_uses_llsc) { \
6371 long temp; \
6372 \
6373- do { \
6374- __asm__ __volatile__( \
6375- " .set "MIPS_ISA_LEVEL" \n" \
6376- " lld %0, %1 # atomic64_" #op "\n" \
6377- " " #asm_op " %0, %2 \n" \
6378- " scd %0, %1 \n" \
6379- " .set mips0 \n" \
6380- : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6381- : "Ir" (i)); \
6382- } while (unlikely(!temp)); \
6383+ __asm__ __volatile__( \
6384+ " .set "MIPS_ISA_LEVEL" \n" \
6385+ "1: lld %0, %1 # atomic64_" #op #suffix "\n" \
6386+ "2: " #asm_op " %0, %2 \n" \
6387+ " scd %0, %1 \n" \
6388+ " beqz %0, 1b \n" \
6389+ extable \
6390+ " .set mips0 \n" \
6391+ : "=&r" (temp), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6392+ : "Ir" (i)); \
6393 } else { \
6394 unsigned long flags; \
6395 \
6396 raw_local_irq_save(flags); \
6397- v->counter c_op i; \
6398+ __asm__ __volatile__( \
6399+ "2: " #asm_op " %0, %1 \n" \
6400+ extable \
6401+ : "+" GCC_OFF_SMALL_ASM() (v->counter) : "Ir" (i)); \
6402 raw_local_irq_restore(flags); \
6403 } \
6404 }
6405
6406-#define ATOMIC64_OP_RETURN(op, c_op, asm_op) \
6407-static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6408+#define ATOMIC64_OP(op, asm_op) __ATOMIC64_OP(op, _unchecked, asm_op##u, ) \
6409+ __ATOMIC64_OP(op, , asm_op, __OVERFLOW_EXTABLE)
6410+
6411+#define __ATOMIC64_OP_RETURN(op, suffix, asm_op, post_op, extable) \
6412+static inline long atomic64_##op##_return##suffix(long i, atomic64##suffix##_t * v)\
6413 { \
6414 long result; \
6415 \
6416@@ -368,12 +494,15 @@ static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6417 long temp; \
6418 \
6419 __asm__ __volatile__( \
6420- " .set arch=r4000 \n" \
6421+ " .set mips3 \n" \
6422 "1: lld %1, %2 # atomic64_" #op "_return\n" \
6423- " " #asm_op " %0, %1, %3 \n" \
6424+ "2: " #asm_op " %0, %1, %3 \n" \
6425 " scd %0, %2 \n" \
6426 " beqzl %0, 1b \n" \
6427- " " #asm_op " %0, %1, %3 \n" \
6428+ post_op \
6429+ extable \
6430+ "4: " #asm_op " %0, %1, %3 \n" \
6431+ "5: \n" \
6432 " .set mips0 \n" \
6433 : "=&r" (result), "=&r" (temp), \
6434 "+" GCC_OFF_SMALL_ASM() (v->counter) \
6435@@ -381,27 +510,35 @@ static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6436 } else if (kernel_uses_llsc) { \
6437 long temp; \
6438 \
6439- do { \
6440- __asm__ __volatile__( \
6441- " .set "MIPS_ISA_LEVEL" \n" \
6442- " lld %1, %2 # atomic64_" #op "_return\n" \
6443- " " #asm_op " %0, %1, %3 \n" \
6444- " scd %0, %2 \n" \
6445- " .set mips0 \n" \
6446- : "=&r" (result), "=&r" (temp), \
6447- "=" GCC_OFF_SMALL_ASM() (v->counter) \
6448- : "Ir" (i), GCC_OFF_SMALL_ASM() (v->counter) \
6449- : "memory"); \
6450- } while (unlikely(!result)); \
6451+ __asm__ __volatile__( \
6452+ " .set "MIPS_ISA_LEVEL" \n" \
6453+ "1: lld %1, %2 # atomic64_" #op "_return" #suffix "\n"\
6454+ "2: " #asm_op " %0, %1, %3 \n" \
6455+ " scd %0, %2 \n" \
6456+ " beqz %0, 1b \n" \
6457+ post_op \
6458+ extable \
6459+ "4: " #asm_op " %0, %1, %3 \n" \
6460+ "5: \n" \
6461+ " .set mips0 \n" \
6462+ : "=&r" (result), "=&r" (temp), \
6463+ "=" GCC_OFF_SMALL_ASM() (v->counter) \
6464+ : "Ir" (i), GCC_OFF_SMALL_ASM() (v->counter) \
6465+ : "memory"); \
6466 \
6467 result = temp; result c_op i; \
6468 } else { \
6469 unsigned long flags; \
6470 \
6471 raw_local_irq_save(flags); \
6472- result = v->counter; \
6473- result c_op i; \
6474- v->counter = result; \
6475+ __asm__ __volatile__( \
6476+ " ld %0, %1 \n" \
6477+ "2: " #asm_op " %0, %1, %2 \n" \
6478+ " sd %0, %1 \n" \
6479+ "3: \n" \
6480+ extable \
6481+ : "=&r" (result), "+" GCC_OFF_SMALL_ASM() (v->counter) \
6482+ : "Ir" (i)); \
6483 raw_local_irq_restore(flags); \
6484 } \
6485 \
6486@@ -410,16 +547,23 @@ static __inline__ long atomic64_##op##_return(long i, atomic64_t * v) \
6487 return result; \
6488 }
6489
6490-#define ATOMIC64_OPS(op, c_op, asm_op) \
6491- ATOMIC64_OP(op, c_op, asm_op) \
6492- ATOMIC64_OP_RETURN(op, c_op, asm_op)
6493+#define ATOMIC64_OP_RETURN(op, asm_op) __ATOMIC64_OP_RETURN(op, _unchecked, asm_op##u, , ) \
6494+ __ATOMIC64_OP_RETURN(op, , asm_op, __OVERFLOW_POST, __OVERFLOW_EXTABLE)
6495
6496-ATOMIC64_OPS(add, +=, daddu)
6497-ATOMIC64_OPS(sub, -=, dsubu)
6498+#define ATOMIC64_OPS(op, asm_op) \
6499+ ATOMIC64_OP(op, asm_op) \
6500+ ATOMIC64_OP_RETURN(op, asm_op)
6501+
6502+ATOMIC64_OPS(add, dadd)
6503+ATOMIC64_OPS(sub, dsub)
6504
6505 #undef ATOMIC64_OPS
6506 #undef ATOMIC64_OP_RETURN
6507+#undef __ATOMIC64_OP_RETURN
6508 #undef ATOMIC64_OP
6509+#undef __ATOMIC64_OP
6510+#undef __OVERFLOW_EXTABLE
6511+#undef __OVERFLOW_POST
6512
6513 /*
6514 * atomic64_sub_if_positive - conditionally subtract integer from atomic
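Review bot: The instruction change in `ATOMIC64_OPS(add, dadd)` and `ATOMIC64_OPS(sub, dsub)` is what makes the checked variants detect overflow, yet nothing in the hunk says so. `ATOMIC64_OP_RETURN` passes `asm_op##u` for the `_unchecked` flavour and the bare `asm_op` plus `__OVERFLOW_POST`/`__OVERFLOW_EXTABLE` for the checked one, so a reader has to know that MIPS `dadd`/`dsub` raise an integer-overflow exception while `daddu`/`dsubu` wrap. I would add above the macro: `/* checked ops use the trapping dadd/dsub; the _unchecked ones append 'u' and wrap silently */`. The definitions of `__OVERFLOW_POST` and `__OVERFLOW_EXTABLE` are outside this hunk.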
6515@@ -430,7 +574,7 @@ ATOMIC64_OPS(sub, -=, dsubu)
6516 * Atomically test @v and subtract @i if @v is greater or equal than @i.
6517 * The function returns the old value of @v minus @i.
6518 */
6519-static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
6520+static __inline__ long atomic64_sub_if_positive(long i, atomic64_t *v)
6521 {
6522 long result;
6523
6524@@ -440,7 +584,7 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
6525 long temp;
6526
6527 __asm__ __volatile__(
6528- " .set arch=r4000 \n"
6529+ " .set "MIPS_ISA_LEVEL" \n"
6530 "1: lld %1, %2 # atomic64_sub_if_positive\n"
6531 " dsubu %0, %1, %3 \n"
6532 " bltz %0, 1f \n"
6533@@ -489,9 +633,26 @@ static __inline__ long atomic64_sub_if_positive(long i, atomic64_t * v)
6534 return result;
6535 }
6536
6537-#define atomic64_cmpxchg(v, o, n) \
6538- ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
6539-#define atomic64_xchg(v, new) (xchg(&((v)->counter), (new)))
6540+static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6541+{
6542+ return cmpxchg(&v->counter, old, new);
6543+}
6544+
6545+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old,
6546+ long new)
6547+{
6548+ return cmpxchg(&(v->counter), old, new);
6549+}
6550+
6551+static inline long atomic64_xchg(atomic64_t *v, long new)
6552+{
6553+ return xchg(&v->counter, new);
6554+}
6555+
6556+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
6557+{
6558+ return xchg(&(v->counter), new);
6559+}
6560
6561 /**
6562 * atomic64_add_unless - add unless the number is a given value
6563@@ -521,6 +682,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6564
6565 #define atomic64_dec_return(v) atomic64_sub_return(1, (v))
6566 #define atomic64_inc_return(v) atomic64_add_return(1, (v))
6567+#define atomic64_inc_return_unchecked(v) atomic64_add_return_unchecked(1, (v))
6568
6569 /*
6570 * atomic64_sub_and_test - subtract value from variable and test result
6571@@ -542,6 +704,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6572 * other cases.
6573 */
6574 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
6575+#define atomic64_inc_and_test_unchecked(v) atomic64_add_return_unchecked(1, (v)) == 0)
6576
6577 /*
6578 * atomic64_dec_and_test - decrement by 1 and test
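Review bot: `atomic64_inc_and_test_unchecked` has unbalanced parentheses: the expansion `atomic64_add_return_unchecked(1, (v)) == 0)` closes a parenthesis that was never opened, so the first use of the macro will not compile. It should mirror the checked macro on the line above it: `#define atomic64_inc_and_test_unchecked(v) (atomic64_add_return_unchecked(1, (v)) == 0)`. The error stays latent until some translation unit built for this architecture expands the macro, so a build that does expand it is worth adding.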
6579@@ -566,6 +729,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6580 * Atomically increments @v by 1.
6581 */
6582 #define atomic64_inc(v) atomic64_add(1, (v))
6583+#define atomic64_inc_unchecked(v) atomic64_add_unchecked(1, (v))
6584
6585 /*
6586 * atomic64_dec - decrement and test
6587@@ -574,6 +738,7 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
6588 * Atomically decrements @v by 1.
6589 */
6590 #define atomic64_dec(v) atomic64_sub(1, (v))
6591+#define atomic64_dec_unchecked(v) atomic64_sub_unchecked(1, (v))
6592
6593 /*
6594 * atomic64_add_negative - add and test if negative
6595diff --git a/arch/mips/include/asm/barrier.h b/arch/mips/include/asm/barrier.h
6596index 7ecba84..21774af 100644
6597--- a/arch/mips/include/asm/barrier.h
6598+++ b/arch/mips/include/asm/barrier.h
6599@@ -133,7 +133,7 @@
6600 do { \
6601 compiletime_assert_atomic_type(*p); \
6602 smp_mb(); \
6603- ACCESS_ONCE(*p) = (v); \
6604+ ACCESS_ONCE_RW(*p) = (v); \
6605 } while (0)
6606
6607 #define smp_load_acquire(p) \
6608diff --git a/arch/mips/include/asm/cache.h b/arch/mips/include/asm/cache.h
6609index b4db69f..8f3b093 100644
6610--- a/arch/mips/include/asm/cache.h
6611+++ b/arch/mips/include/asm/cache.h
6612@@ -9,10 +9,11 @@
6613 #ifndef _ASM_CACHE_H
6614 #define _ASM_CACHE_H
6615
6616+#include <linux/const.h>
6617 #include <kmalloc.h>
6618
6619 #define L1_CACHE_SHIFT CONFIG_MIPS_L1_CACHE_SHIFT
6620-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6621+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
6622
6623 #define SMP_CACHE_SHIFT L1_CACHE_SHIFT
6624 #define SMP_CACHE_BYTES L1_CACHE_BYTES
6625diff --git a/arch/mips/include/asm/elf.h b/arch/mips/include/asm/elf.h
6626index f19e890..a4f8177 100644
6627--- a/arch/mips/include/asm/elf.h
6628+++ b/arch/mips/include/asm/elf.h
6629@@ -417,6 +417,13 @@ extern const char *__elf_platform;
6630 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
6631 #endif
6632
6633+#ifdef CONFIG_PAX_ASLR
6634+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
6635+
6636+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6637+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6638+#endif
6639+
6640 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
6641 struct linux_binprm;
6642 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
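Review bot: The randomisation widths in `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are written as `27-PAGE_SHIFT` and `36-PAGE_SHIFT`, so the number of random bits shrinks as the page size grows. With 4 KiB pages a 32-bit task gets 15 bits, and a kernel configured for larger pages gets fewer. That dependency deserves a comment such as `/* bits of mmap/stack randomisation; shrinks with larger PAGE_SHIFT */`. Separately, `PAX_ELF_ET_DYN_BASE` selects `0x00400000UL` in both arms of the `TASK_IS_32BIT_ADDR` conditional, so the ternary can be dropped or, if a different 64-bit base was intended, corrected. The same three definitions are repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks.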
6643diff --git a/arch/mips/include/asm/exec.h b/arch/mips/include/asm/exec.h
6644index c1f6afa..38cc6e9 100644
6645--- a/arch/mips/include/asm/exec.h
6646+++ b/arch/mips/include/asm/exec.h
6647@@ -12,6 +12,6 @@
6648 #ifndef _ASM_EXEC_H
6649 #define _ASM_EXEC_H
6650
6651-extern unsigned long arch_align_stack(unsigned long sp);
6652+#define arch_align_stack(x) ((x) & ~0xfUL)
6653
6654 #endif /* _ASM_EXEC_H */
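Review bot: The new `arch_align_stack(x)` macro only masks to 16 bytes, whereas the function it replaces (removed in the process.c hunk) also subtracted a random sub-page offset when `randomize_va_space` was set and `ADDR_NO_RANDOMIZE` was not. Presumably the patch randomises the stack elsewhere under its own ASLR option, but nothing here shows what a build without that option gets, so this should be confirmed. The macro also hard-codes the mask where the old code used `ALMASK`, and the alignment comment was deleted with the function. I would carry it over as `/* 16-byte alignment satisfies both the 32-bit (8) and 64-bit (16) ABI; no randomisation here */`.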
6655diff --git a/arch/mips/include/asm/hw_irq.h b/arch/mips/include/asm/hw_irq.h
6656index 9e8ef59..1139d6b 100644
6657--- a/arch/mips/include/asm/hw_irq.h
6658+++ b/arch/mips/include/asm/hw_irq.h
6659@@ -10,7 +10,7 @@
6660
6661 #include <linux/atomic.h>
6662
6663-extern atomic_t irq_err_count;
6664+extern atomic_unchecked_t irq_err_count;
6665
6666 /*
6667 * interrupt-retrigger: NOP for now. This may not be appropriate for all
6668diff --git a/arch/mips/include/asm/local.h b/arch/mips/include/asm/local.h
6669index 8feaed6..1bd8a64 100644
6670--- a/arch/mips/include/asm/local.h
6671+++ b/arch/mips/include/asm/local.h
6672@@ -13,15 +13,25 @@ typedef struct
6673 atomic_long_t a;
6674 } local_t;
6675
6676+typedef struct {
6677+ atomic_long_unchecked_t a;
6678+} local_unchecked_t;
6679+
6680 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
6681
6682 #define local_read(l) atomic_long_read(&(l)->a)
6683+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
6684 #define local_set(l, i) atomic_long_set(&(l)->a, (i))
6685+#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i))
6686
6687 #define local_add(i, l) atomic_long_add((i), (&(l)->a))
6688+#define local_add_unchecked(i, l) atomic_long_add_unchecked((i), (&(l)->a))
6689 #define local_sub(i, l) atomic_long_sub((i), (&(l)->a))
6690+#define local_sub_unchecked(i, l) atomic_long_sub_unchecked((i), (&(l)->a))
6691 #define local_inc(l) atomic_long_inc(&(l)->a)
6692+#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
6693 #define local_dec(l) atomic_long_dec(&(l)->a)
6694+#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
6695
6696 /*
6697 * Same as above, but return the result value
6698@@ -71,6 +81,51 @@ static __inline__ long local_add_return(long i, local_t * l)
6699 return result;
6700 }
6701
6702+static __inline__ long local_add_return_unchecked(long i, local_unchecked_t * l)
6703+{
6704+ unsigned long result;
6705+
6706+ if (kernel_uses_llsc && R10000_LLSC_WAR) {
6707+ unsigned long temp;
6708+
6709+ __asm__ __volatile__(
6710+ " .set mips3 \n"
6711+ "1:" __LL "%1, %2 # local_add_return \n"
6712+ " addu %0, %1, %3 \n"
6713+ __SC "%0, %2 \n"
6714+ " beqzl %0, 1b \n"
6715+ " addu %0, %1, %3 \n"
6716+ " .set mips0 \n"
6717+ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
6718+ : "Ir" (i), "m" (l->a.counter)
6719+ : "memory");
6720+ } else if (kernel_uses_llsc) {
6721+ unsigned long temp;
6722+
6723+ __asm__ __volatile__(
6724+ " .set mips3 \n"
6725+ "1:" __LL "%1, %2 # local_add_return \n"
6726+ " addu %0, %1, %3 \n"
6727+ __SC "%0, %2 \n"
6728+ " beqz %0, 1b \n"
6729+ " addu %0, %1, %3 \n"
6730+ " .set mips0 \n"
6731+ : "=&r" (result), "=&r" (temp), "=m" (l->a.counter)
6732+ : "Ir" (i), "m" (l->a.counter)
6733+ : "memory");
6734+ } else {
6735+ unsigned long flags;
6736+
6737+ local_irq_save(flags);
6738+ result = l->a.counter;
6739+ result += i;
6740+ l->a.counter = result;
6741+ local_irq_restore(flags);
6742+ }
6743+
6744+ return result;
6745+}
6746+
6747 static __inline__ long local_sub_return(long i, local_t * l)
6748 {
6749 unsigned long result;
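Review bot: Both LL/SC branches of `local_add_return_unchecked` hard-code `.set mips3`, while the atomic.h hunks of this same patch replace a fixed ISA directive with `.set "MIPS_ISA_LEVEL"`. If the checked `local_add_return` above (outside this hunk) already uses the macro, this copy was probably taken from an older tree and may select the wrong LL/SC encoding on newer ISA revisions. After checking, I would use `" .set "MIPS_ISA_LEVEL" \n"` in both places. The inline-asm comments also still read `# local_add_return`, which makes a disassembly listing misleading; `# local_add_return_unchecked` is the obvious fix.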
6750@@ -118,6 +173,8 @@ static __inline__ long local_sub_return(long i, local_t * l)
6751
6752 #define local_cmpxchg(l, o, n) \
6753 ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
6754+#define local_cmpxchg_unchecked(l, o, n) \
6755+ ((long)cmpxchg_local(&((l)->a.counter), (o), (n)))
6756 #define local_xchg(l, n) (atomic_long_xchg((&(l)->a), (n)))
6757
6758 /**
6759diff --git a/arch/mips/include/asm/page.h b/arch/mips/include/asm/page.h
6760index 89dd7fe..a123c97 100644
6761--- a/arch/mips/include/asm/page.h
6762+++ b/arch/mips/include/asm/page.h
6763@@ -118,7 +118,7 @@ extern void copy_user_highpage(struct page *to, struct page *from,
6764 #ifdef CONFIG_CPU_MIPS32
6765 typedef struct { unsigned long pte_low, pte_high; } pte_t;
6766 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
6767- #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
6768+ #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
6769 #else
6770 typedef struct { unsigned long long pte; } pte_t;
6771 #define pte_val(x) ((x).pte)
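Review bot: Dropping the `(unsigned long long)` cast in `__pte(x)` leaves `(x) >> 32` evaluated in whatever type the caller passes. This branch is under `CONFIG_CPU_MIPS32`, where `unsigned long` is 32 bits wide, so an argument of that width makes the shift count equal to the type width, which is undefined behaviour in C. Unless every caller is known to pass a 64-bit value, keep the widening: `#define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })`. If the cast was removed for a specific reason, that reason should be a comment on the macro.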
6772diff --git a/arch/mips/include/asm/pgalloc.h b/arch/mips/include/asm/pgalloc.h
6773index b336037..5b874cc 100644
6774--- a/arch/mips/include/asm/pgalloc.h
6775+++ b/arch/mips/include/asm/pgalloc.h
6776@@ -37,6 +37,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
6777 {
6778 set_pud(pud, __pud((unsigned long)pmd));
6779 }
6780+
6781+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
6782+{
6783+ pud_populate(mm, pud, pmd);
6784+}
6785 #endif
6786
6787 /*
6788diff --git a/arch/mips/include/asm/pgtable.h b/arch/mips/include/asm/pgtable.h
6789index ae85694..4cdbba8 100644
6790--- a/arch/mips/include/asm/pgtable.h
6791+++ b/arch/mips/include/asm/pgtable.h
6792@@ -20,6 +20,9 @@
6793 #include <asm/io.h>
6794 #include <asm/pgtable-bits.h>
6795
6796+#define ktla_ktva(addr) (addr)
6797+#define ktva_ktla(addr) (addr)
6798+
6799 struct mm_struct;
6800 struct vm_area_struct;
6801
6802diff --git a/arch/mips/include/asm/thread_info.h b/arch/mips/include/asm/thread_info.h
6803index 9c0014e..5101ef5 100644
6804--- a/arch/mips/include/asm/thread_info.h
6805+++ b/arch/mips/include/asm/thread_info.h
6806@@ -100,6 +100,9 @@ static inline struct thread_info *current_thread_info(void)
6807 #define TIF_SECCOMP 4 /* secure computing */
6808 #define TIF_NOTIFY_RESUME 5 /* callback before returning to user */
6809 #define TIF_RESTORE_SIGMASK 9 /* restore signal mask in do_signal() */
6810+/* li takes a 32bit immediate */
6811+#define TIF_GRSEC_SETXID 10 /* update credentials on syscall entry/exit */
6812+
6813 #define TIF_USEDFPU 16 /* FPU was used by this task this quantum (SMP) */
6814 #define TIF_MEMDIE 18 /* is terminating due to OOM killer */
6815 #define TIF_NOHZ 19 /* in adaptive nohz mode */
6816@@ -135,14 +138,16 @@ static inline struct thread_info *current_thread_info(void)
6817 #define _TIF_USEDMSA (1<<TIF_USEDMSA)
6818 #define _TIF_MSA_CTX_LIVE (1<<TIF_MSA_CTX_LIVE)
6819 #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
6820+#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
6821
6822 #define _TIF_WORK_SYSCALL_ENTRY (_TIF_NOHZ | _TIF_SYSCALL_TRACE | \
6823 _TIF_SYSCALL_AUDIT | \
6824- _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP)
6825+ _TIF_SYSCALL_TRACEPOINT | _TIF_SECCOMP | \
6826+ _TIF_GRSEC_SETXID)
6827
6828 /* work to do in syscall_trace_leave() */
6829 #define _TIF_WORK_SYSCALL_EXIT (_TIF_NOHZ | _TIF_SYSCALL_TRACE | \
6830- _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT)
6831+ _TIF_SYSCALL_AUDIT | _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
6832
6833 /* work to do on interrupt/exception return */
6834 #define _TIF_WORK_MASK \
6835@@ -150,7 +155,7 @@ static inline struct thread_info *current_thread_info(void)
6836 /* work to do on any return to u-space */
6837 #define _TIF_ALLWORK_MASK (_TIF_NOHZ | _TIF_WORK_MASK | \
6838 _TIF_WORK_SYSCALL_EXIT | \
6839- _TIF_SYSCALL_TRACEPOINT)
6840+ _TIF_SYSCALL_TRACEPOINT | _TIF_GRSEC_SETXID)
6841
6842 /*
6843 * We stash processor id into a COP0 register to retrieve it fast
6844diff --git a/arch/mips/include/asm/uaccess.h b/arch/mips/include/asm/uaccess.h
6845index 5305d69..1da2bf5 100644
6846--- a/arch/mips/include/asm/uaccess.h
6847+++ b/arch/mips/include/asm/uaccess.h
6848@@ -146,6 +146,7 @@ static inline bool eva_kernel_access(void)
6849 __ok == 0; \
6850 })
6851
6852+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
6853 #define access_ok(type, addr, size) \
6854 likely(__access_ok((addr), (size), __access_mask))
6855
6856diff --git a/arch/mips/kernel/binfmt_elfn32.c b/arch/mips/kernel/binfmt_elfn32.c
6857index 1188e00..41cf144 100644
6858--- a/arch/mips/kernel/binfmt_elfn32.c
6859+++ b/arch/mips/kernel/binfmt_elfn32.c
6860@@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
6861 #undef ELF_ET_DYN_BASE
6862 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
6863
6864+#ifdef CONFIG_PAX_ASLR
6865+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
6866+
6867+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6868+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6869+#endif
6870+
6871 #include <asm/processor.h>
6872 #include <linux/module.h>
6873 #include <linux/elfcore.h>
6874diff --git a/arch/mips/kernel/binfmt_elfo32.c b/arch/mips/kernel/binfmt_elfo32.c
6875index 9287678..f870e47 100644
6876--- a/arch/mips/kernel/binfmt_elfo32.c
6877+++ b/arch/mips/kernel/binfmt_elfo32.c
6878@@ -70,6 +70,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_NFPREG];
6879 #undef ELF_ET_DYN_BASE
6880 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
6881
6882+#ifdef CONFIG_PAX_ASLR
6883+#define PAX_ELF_ET_DYN_BASE (TASK_IS_32BIT_ADDR ? 0x00400000UL : 0x00400000UL)
6884+
6885+#define PAX_DELTA_MMAP_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6886+#define PAX_DELTA_STACK_LEN (TASK_IS_32BIT_ADDR ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
6887+#endif
6888+
6889 #include <asm/processor.h>
6890
6891 #include <linux/module.h>
6892diff --git a/arch/mips/kernel/i8259.c b/arch/mips/kernel/i8259.c
6893index 74f6752..f3d7a47 100644
6894--- a/arch/mips/kernel/i8259.c
6895+++ b/arch/mips/kernel/i8259.c
6896@@ -205,7 +205,7 @@ spurious_8259A_irq:
6897 printk(KERN_DEBUG "spurious 8259A interrupt: IRQ%d.\n", irq);
6898 spurious_irq_mask |= irqmask;
6899 }
6900- atomic_inc(&irq_err_count);
6901+ atomic_inc_unchecked(&irq_err_count);
6902 /*
6903 * Theoretically we do not have to handle this IRQ,
6904 * but in Linux this does not cause problems and is
6905diff --git a/arch/mips/kernel/irq-gt641xx.c b/arch/mips/kernel/irq-gt641xx.c
6906index 44a1f79..2bd6aa3 100644
6907--- a/arch/mips/kernel/irq-gt641xx.c
6908+++ b/arch/mips/kernel/irq-gt641xx.c
6909@@ -110,7 +110,7 @@ void gt641xx_irq_dispatch(void)
6910 }
6911 }
6912
6913- atomic_inc(&irq_err_count);
6914+ atomic_inc_unchecked(&irq_err_count);
6915 }
6916
6917 void __init gt641xx_irq_init(void)
6918diff --git a/arch/mips/kernel/irq.c b/arch/mips/kernel/irq.c
6919index 8eb5af8..2baf465 100644
6920--- a/arch/mips/kernel/irq.c
6921+++ b/arch/mips/kernel/irq.c
6922@@ -34,17 +34,17 @@ void ack_bad_irq(unsigned int irq)
6923 printk("unexpected IRQ # %d\n", irq);
6924 }
6925
6926-atomic_t irq_err_count;
6927+atomic_unchecked_t irq_err_count;
6928
6929 int arch_show_interrupts(struct seq_file *p, int prec)
6930 {
6931- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
6932+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
6933 return 0;
6934 }
6935
6936 asmlinkage void spurious_interrupt(void)
6937 {
6938- atomic_inc(&irq_err_count);
6939+ atomic_inc_unchecked(&irq_err_count);
6940 }
6941
6942 void __init init_IRQ(void)
6943@@ -58,6 +58,8 @@ void __init init_IRQ(void)
6944 }
6945
6946 #ifdef CONFIG_DEBUG_STACKOVERFLOW
6947+
6948+extern void gr_handle_kernel_exploit(void);
6949 static inline void check_stack_overflow(void)
6950 {
6951 unsigned long sp;
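Review bot: `gr_handle_kernel_exploit()` is declared with a bare `extern` inside irq.c rather than through a header, so the compiler cannot check this prototype against the definition if its signature ever changes. The ptrace.c hunk does the same for `gr_delayed_cred_worker()`. I would move both prototypes to a shared header and include it here. The declaration and the call added in the next hunk also sit under `#ifdef CONFIG_DEBUG_STACKOVERFLOW`, so the response to a detected IRQ-stack overflow exists only in builds with that debug option. `check_stack_overflow` continues outside this hunk.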
6952@@ -73,6 +75,7 @@ static inline void check_stack_overflow(void)
6953 printk("do_IRQ: stack overflow: %ld\n",
6954 sp - sizeof(struct thread_info));
6955 dump_stack();
6956+ gr_handle_kernel_exploit();
6957 }
6958 }
6959 #else
6960diff --git a/arch/mips/kernel/pm-cps.c b/arch/mips/kernel/pm-cps.c
6961index 0614717..002fa43 100644
6962--- a/arch/mips/kernel/pm-cps.c
6963+++ b/arch/mips/kernel/pm-cps.c
6964@@ -172,7 +172,7 @@ int cps_pm_enter_state(enum cps_pm_state state)
6965 nc_core_ready_count = nc_addr;
6966
6967 /* Ensure ready_count is zero-initialised before the assembly runs */
6968- ACCESS_ONCE(*nc_core_ready_count) = 0;
6969+ ACCESS_ONCE_RW(*nc_core_ready_count) = 0;
6970 coupled_barrier(&per_cpu(pm_barrier, core), online);
6971
6972 /* Run the generated entry code */
6973diff --git a/arch/mips/kernel/process.c b/arch/mips/kernel/process.c
6974index f2975d4..f61d355 100644
6975--- a/arch/mips/kernel/process.c
6976+++ b/arch/mips/kernel/process.c
6977@@ -541,18 +541,6 @@ out:
6978 return pc;
6979 }
6980
6981-/*
6982- * Don't forget that the stack pointer must be aligned on a 8 bytes
6983- * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
6984- */
6985-unsigned long arch_align_stack(unsigned long sp)
6986-{
6987- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
6988- sp -= get_random_int() & ~PAGE_MASK;
6989-
6990- return sp & ALMASK;
6991-}
6992-
6993 static void arch_dump_stack(void *info)
6994 {
6995 struct pt_regs *regs;
6996diff --git a/arch/mips/kernel/ptrace.c b/arch/mips/kernel/ptrace.c
6997index e933a30..0d02625 100644
6998--- a/arch/mips/kernel/ptrace.c
6999+++ b/arch/mips/kernel/ptrace.c
7000@@ -785,6 +785,10 @@ long arch_ptrace(struct task_struct *child, long request,
7001 return ret;
7002 }
7003
7004+#ifdef CONFIG_GRKERNSEC_SETXID
7005+extern void gr_delayed_cred_worker(void);
7006+#endif
7007+
7008 /*
7009 * Notification of system call entry/exit
7010 * - triggered by current->work.syscall_trace
7011@@ -803,6 +807,11 @@ asmlinkage long syscall_trace_enter(struct pt_regs *regs, long syscall)
7012 tracehook_report_syscall_entry(regs))
7013 ret = -1;
7014
7015+#ifdef CONFIG_GRKERNSEC_SETXID
7016+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
7017+ gr_delayed_cred_worker();
7018+#endif
7019+
7020 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
7021 trace_sys_enter(regs, regs->regs[2]);
7022
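Review bot: The deferred credential update is consumed only here in `syscall_trace_enter`, but the thread_info.h hunks also add `_TIF_GRSEC_SETXID` to `_TIF_WORK_SYSCALL_EXIT` and `_TIF_ALLWORK_MASK`, and the flag's comment says "syscall entry/exit". No hunk of ptrace.c in this diff section touches `syscall_trace_leave`. As far as the section shows, a flag set while a syscall is in flight forces the slow exit path without being cleared, and the task keeps its old credentials until its next syscall entry. Either add the same `test_and_clear_thread_flag(TIF_GRSEC_SETXID)` block to the exit handler, or drop the flag from the exit masks and correct the comment. The body of `syscall_trace_enter` continues outside the hunk.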
7023diff --git a/arch/mips/kernel/sync-r4k.c b/arch/mips/kernel/sync-r4k.c
7024index 2242bdd..b284048 100644
7025--- a/arch/mips/kernel/sync-r4k.c
7026+++ b/arch/mips/kernel/sync-r4k.c
7027@@ -18,8 +18,8 @@
7028 #include <asm/mipsregs.h>
7029
7030 static atomic_t count_start_flag = ATOMIC_INIT(0);
7031-static atomic_t count_count_start = ATOMIC_INIT(0);
7032-static atomic_t count_count_stop = ATOMIC_INIT(0);
7033+static atomic_unchecked_t count_count_start = ATOMIC_INIT(0);
7034+static atomic_unchecked_t count_count_stop = ATOMIC_INIT(0);
7035 static atomic_t count_reference = ATOMIC_INIT(0);
7036
7037 #define COUNTON 100
7038@@ -58,13 +58,13 @@ void synchronise_count_master(int cpu)
7039
7040 for (i = 0; i < NR_LOOPS; i++) {
7041 /* slaves loop on '!= 2' */
7042- while (atomic_read(&count_count_start) != 1)
7043+ while (atomic_read_unchecked(&count_count_start) != 1)
7044 mb();
7045- atomic_set(&count_count_stop, 0);
7046+ atomic_set_unchecked(&count_count_stop, 0);
7047 smp_wmb();
7048
7049 /* this lets the slaves write their count register */
7050- atomic_inc(&count_count_start);
7051+ atomic_inc_unchecked(&count_count_start);
7052
7053 /*
7054 * Everyone initialises count in the last loop:
7055@@ -75,11 +75,11 @@ void synchronise_count_master(int cpu)
7056 /*
7057 * Wait for all slaves to leave the synchronization point:
7058 */
7059- while (atomic_read(&count_count_stop) != 1)
7060+ while (atomic_read_unchecked(&count_count_stop) != 1)
7061 mb();
7062- atomic_set(&count_count_start, 0);
7063+ atomic_set_unchecked(&count_count_start, 0);
7064 smp_wmb();
7065- atomic_inc(&count_count_stop);
7066+ atomic_inc_unchecked(&count_count_stop);
7067 }
7068 /* Arrange for an interrupt in a short while */
7069 write_c0_compare(read_c0_count() + COUNTON);
7070@@ -112,8 +112,8 @@ void synchronise_count_slave(int cpu)
7071 initcount = atomic_read(&count_reference);
7072
7073 for (i = 0; i < NR_LOOPS; i++) {
7074- atomic_inc(&count_count_start);
7075- while (atomic_read(&count_count_start) != 2)
7076+ atomic_inc_unchecked(&count_count_start);
7077+ while (atomic_read_unchecked(&count_count_start) != 2)
7078 mb();
7079
7080 /*
7081@@ -122,8 +122,8 @@ void synchronise_count_slave(int cpu)
7082 if (i == NR_LOOPS-1)
7083 write_c0_count(initcount);
7084
7085- atomic_inc(&count_count_stop);
7086- while (atomic_read(&count_count_stop) != 2)
7087+ atomic_inc_unchecked(&count_count_stop);
7088+ while (atomic_read_unchecked(&count_count_stop) != 2)
7089 mb();
7090 }
7091 /* Arrange for an interrupt in a short while */
7092diff --git a/arch/mips/kernel/traps.c b/arch/mips/kernel/traps.c
7093index 8ea28e6..c8873d5 100644
7094--- a/arch/mips/kernel/traps.c
7095+++ b/arch/mips/kernel/traps.c
7096@@ -697,7 +697,18 @@ asmlinkage void do_ov(struct pt_regs *regs)
7097 siginfo_t info;
7098
7099 prev_state = exception_enter();
7100- die_if_kernel("Integer overflow", regs);
7101+ if (unlikely(!user_mode(regs))) {
7102+
7103+#ifdef CONFIG_PAX_REFCOUNT
7104+ if (fixup_exception(regs)) {
7105+ pax_report_refcount_overflow(regs);
7106+ exception_exit(prev_state);
7107+ return;
7108+ }
7109+#endif
7110+
7111+ die("Integer overflow", regs);
7112+ }
7113
7114 info.si_code = FPE_INTOVF;
7115 info.si_signo = SIGFPE;
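Review bot: The kernel-mode branch added to `do_ov` has no comment explaining why an integer-overflow trap taken in kernel mode can be survivable. As written, any kernel overflow trap whose faulting address has an exception-table entry is reported through `pax_report_refcount_overflow()` and resumed, and everything else still reaches `die()`. I would add `/* a checked atomic op trapped on overflow; its extable entry lets us report and resume */` above the `fixup_exception()` call. It is also worth confirming that only the refcount-checked atomics place extable entries around trapping arithmetic. `do_ov` begins and ends outside this hunk.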
7116diff --git a/arch/mips/kvm/mips.c b/arch/mips/kvm/mips.c
7117index cd4c129..290c518 100644
7118--- a/arch/mips/kvm/mips.c
7119+++ b/arch/mips/kvm/mips.c
7120@@ -1016,7 +1016,7 @@ long kvm_arch_vm_ioctl(struct file *filp, unsigned int ioctl, unsigned long arg)
7121 return r;
7122 }
7123
7124-int kvm_arch_init(void *opaque)
7125+int kvm_arch_init(const void *opaque)
7126 {
7127 if (kvm_mips_callbacks) {
7128 kvm_err("kvm: module already exists\n");
7129diff --git a/arch/mips/mm/fault.c b/arch/mips/mm/fault.c
7130index 852a41c..75b9d38 100644
7131--- a/arch/mips/mm/fault.c
7132+++ b/arch/mips/mm/fault.c
7133@@ -31,6 +31,23 @@
7134
7135 int show_unhandled_signals = 1;
7136
7137+#ifdef CONFIG_PAX_PAGEEXEC
7138+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
7139+{
7140+ unsigned long i;
7141+
7142+ printk(KERN_ERR "PAX: bytes at PC: ");
7143+ for (i = 0; i < 5; i++) {
7144+ unsigned int c;
7145+ if (get_user(c, (unsigned int *)pc+i))
7146+ printk(KERN_CONT "???????? ");
7147+ else
7148+ printk(KERN_CONT "%08x ", c);
7149+ }
7150+ printk("\n");
7151+}
7152+#endif
7153+
7154 /*
7155 * This routine handles page faults. It determines the address,
7156 * and the problem, and then passes it off to one of the appropriate
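Review bot: `pax_report_insns` reads user memory through `(unsigned int *)pc+i`, a cast that drops the `__user` address-space annotation `get_user()` expects, so sparse cannot check it; `(unsigned int __user *)pc + i` keeps the check. The closing `printk("\n")` carries no `KERN_CONT`, unlike the continuation calls in the loop, and should be `printk(KERN_CONT "\n");` so that it terminates the same log record. The `sp` parameter is unused in this body; if the signature is dictated by a caller elsewhere, a short comment saying so would help.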
7157@@ -207,6 +224,14 @@ bad_area:
7158 bad_area_nosemaphore:
7159 /* User mode accesses just cause a SIGSEGV */
7160 if (user_mode(regs)) {
7161+
7162+#ifdef CONFIG_PAX_PAGEEXEC
7163+ if (cpu_has_rixi && (mm->pax_flags & MF_PAX_PAGEEXEC) && !write && address == instruction_pointer(regs)) {
7164+ pax_report_fault(regs, (void *)address, (void *)user_stack_pointer(regs));
7165+ do_group_exit(SIGKILL);
7166+ }
7167+#endif
7168+
7169 tsk->thread.cp0_badvaddr = address;
7170 tsk->thread.error_code = write;
7171 if (show_unhandled_signals &&
7172diff --git a/arch/mips/mm/mmap.c b/arch/mips/mm/mmap.c
7173index 5c81fdd..db158d3 100644
7174--- a/arch/mips/mm/mmap.c
7175+++ b/arch/mips/mm/mmap.c
7176@@ -59,6 +59,7 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
7177 struct vm_area_struct *vma;
7178 unsigned long addr = addr0;
7179 int do_color_align;
7180+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
7181 struct vm_unmapped_area_info info;
7182
7183 if (unlikely(len > TASK_SIZE))
7184@@ -84,6 +85,11 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
7185 do_color_align = 1;
7186
7187 /* requesting a specific address */
7188+
7189+#ifdef CONFIG_PAX_RANDMMAP
7190+ if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
7191+#endif
7192+
7193 if (addr) {
7194 if (do_color_align)
7195 addr = COLOUR_ALIGN(addr, pgoff);
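Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block leaves an `if` with no body of its own, so it silently governs the following `if (addr) { … }`; anyone inserting a statement between the two changes which code the guard covers. The test also reads `current->mm->pax_flags` although the function already has `mm` in scope (it is used by `find_vma(mm, addr)` in the next hunk). I would fold it into a single condition, for example a local flag set under the `#ifdef` and then `if (honour_hint && addr) {`, with a comment that caller-supplied address hints are ignored when `MF_PAX_RANDMMAP` is set. The same body-less `if` appears in `arch_pick_mmap_layout` in the last hunk of this file. `arch_get_unmapped_area_common` starts and ends outside this hunk.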
7196@@ -91,14 +97,14 @@ static unsigned long arch_get_unmapped_area_common(struct file *filp,
7197 addr = PAGE_ALIGN(addr);
7198
7199 vma = find_vma(mm, addr);
7200- if (TASK_SIZE - len >= addr &&
7201- (!vma || addr + len <= vma->vm_start))
7202+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
7203 return addr;
7204 }
7205
7206 info.length = len;
7207 info.align_mask = do_color_align ? (PAGE_MASK & shm_align_mask) : 0;
7208 info.align_offset = pgoff << PAGE_SHIFT;
7209+ info.threadstack_offset = offset;
7210
7211 if (dir == DOWN) {
7212 info.flags = VM_UNMAPPED_AREA_TOPDOWN;
7213@@ -160,45 +166,34 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
7214 {
7215 unsigned long random_factor = 0UL;
7216
7217+#ifdef CONFIG_PAX_RANDMMAP
7218+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7219+#endif
7220+
7221 if (current->flags & PF_RANDOMIZE)
7222 random_factor = arch_mmap_rnd();
7223
7224 if (mmap_is_legacy()) {
7225 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
7226+
7227+#ifdef CONFIG_PAX_RANDMMAP
7228+ if (mm->pax_flags & MF_PAX_RANDMMAP)
7229+ mm->mmap_base += mm->delta_mmap;
7230+#endif
7231+
7232 mm->get_unmapped_area = arch_get_unmapped_area;
7233 } else {
7234 mm->mmap_base = mmap_base(random_factor);
7235+
7236+#ifdef CONFIG_PAX_RANDMMAP
7237+ if (mm->pax_flags & MF_PAX_RANDMMAP)
7238+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
7239+#endif
7240+
7241 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
7242 }
7243 }
7244
7245-static inline unsigned long brk_rnd(void)
7246-{
7247- unsigned long rnd = get_random_int();
7248-
7249- rnd = rnd << PAGE_SHIFT;
7250- /* 8MB for 32bit, 256MB for 64bit */
7251- if (TASK_IS_32BIT_ADDR)
7252- rnd = rnd & 0x7ffffful;
7253- else
7254- rnd = rnd & 0xffffffful;
7255-
7256- return rnd;
7257-}
7258-
7259-unsigned long arch_randomize_brk(struct mm_struct *mm)
7260-{
7261- unsigned long base = mm->brk;
7262- unsigned long ret;
7263-
7264- ret = PAGE_ALIGN(base + brk_rnd());
7265-
7266- if (ret < mm->brk)
7267- return mm->brk;
7268-
7269- return ret;
7270-}
7271-
7272 int __virt_addr_valid(const volatile void *kaddr)
7273 {
7274 return pfn_valid(PFN_DOWN(virt_to_phys(kaddr)));
7275diff --git a/arch/mips/net/bpf_jit_asm.S b/arch/mips/net/bpf_jit_asm.S
7276index dabf417..0be1d6d 100644
7277--- a/arch/mips/net/bpf_jit_asm.S
7278+++ b/arch/mips/net/bpf_jit_asm.S
7279@@ -62,7 +62,9 @@ sk_load_word_positive:
7280 is_offset_in_header(4, word)
7281 /* Offset within header boundaries */
7282 PTR_ADDU t1, $r_skb_data, offset
7283+ .set reorder
7284 lw $r_A, 0(t1)
7285+ .set noreorder
7286 #ifdef CONFIG_CPU_LITTLE_ENDIAN
7287 # if defined(__mips_isa_rev) && (__mips_isa_rev >= 2)
7288 wsbh t0, $r_A
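Review bot: The `.set reorder` / `.set noreorder` pair wrapped around `lw $r_A, 0(t1)` is not explained, and in hand-scheduled assembly a reader cannot tell whether it is there for a load hazard or for some other reason. A one-line comment stating the intent, for example `/* let the assembler handle the hazard after this load */` if that is the reason, would keep it from being removed as noise. The `lh` in `sk_load_half_positive` in the next hunk gets the same treatment and needs the same comment.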
7289@@ -90,7 +92,9 @@ sk_load_half_positive:
7290 is_offset_in_header(2, half)
7291 /* Offset within header boundaries */
7292 PTR_ADDU t1, $r_skb_data, offset
7293+ .set reorder
7294 lh $r_A, 0(t1)
7295+ .set noreorder
7296 #ifdef CONFIG_CPU_LITTLE_ENDIAN
7297 # if defined(__mips_isa_rev) && (__mips_isa_rev >= 2)
7298 wsbh t0, $r_A
7299diff --git a/arch/mips/sgi-ip27/ip27-nmi.c b/arch/mips/sgi-ip27/ip27-nmi.c
7300index a2358b4..7cead4f 100644
7301--- a/arch/mips/sgi-ip27/ip27-nmi.c
7302+++ b/arch/mips/sgi-ip27/ip27-nmi.c
7303@@ -187,9 +187,9 @@ void
7304 cont_nmi_dump(void)
7305 {
7306 #ifndef REAL_NMI_SIGNAL
7307- static atomic_t nmied_cpus = ATOMIC_INIT(0);
7308+ static atomic_unchecked_t nmied_cpus = ATOMIC_INIT(0);
7309
7310- atomic_inc(&nmied_cpus);
7311+ atomic_inc_unchecked(&nmied_cpus);
7312 #endif
7313 /*
7314 * Only allow 1 cpu to proceed
7315@@ -233,7 +233,7 @@ cont_nmi_dump(void)
7316 udelay(10000);
7317 }
7318 #else
7319- while (atomic_read(&nmied_cpus) != num_online_cpus());
7320+ while (atomic_read_unchecked(&nmied_cpus) != num_online_cpus());
7321 #endif
7322
7323 /*
7324diff --git a/arch/mips/sni/rm200.c b/arch/mips/sni/rm200.c
7325index a046b30..6799527 100644
7326--- a/arch/mips/sni/rm200.c
7327+++ b/arch/mips/sni/rm200.c
7328@@ -270,7 +270,7 @@ spurious_8259A_irq:
7329 "spurious RM200 8259A interrupt: IRQ%d.\n", irq);
7330 spurious_irq_mask |= irqmask;
7331 }
7332- atomic_inc(&irq_err_count);
7333+ atomic_inc_unchecked(&irq_err_count);
7334 /*
7335 * Theoretically we do not have to handle this IRQ,
7336 * but in Linux this does not cause problems and is
7337diff --git a/arch/mips/vr41xx/common/icu.c b/arch/mips/vr41xx/common/icu.c
7338index 41e873b..34d33a7 100644
7339--- a/arch/mips/vr41xx/common/icu.c
7340+++ b/arch/mips/vr41xx/common/icu.c
7341@@ -653,7 +653,7 @@ static int icu_get_irq(unsigned int irq)
7342
7343 printk(KERN_ERR "spurious ICU interrupt: %04x,%04x\n", pend1, pend2);
7344
7345- atomic_inc(&irq_err_count);
7346+ atomic_inc_unchecked(&irq_err_count);
7347
7348 return -1;
7349 }
7350diff --git a/arch/mips/vr41xx/common/irq.c b/arch/mips/vr41xx/common/irq.c
7351index ae0e4ee..e8f0692 100644
7352--- a/arch/mips/vr41xx/common/irq.c
7353+++ b/arch/mips/vr41xx/common/irq.c
7354@@ -64,7 +64,7 @@ static void irq_dispatch(unsigned int irq)
7355 irq_cascade_t *cascade;
7356
7357 if (irq >= NR_IRQS) {
7358- atomic_inc(&irq_err_count);
7359+ atomic_inc_unchecked(&irq_err_count);
7360 return;
7361 }
7362
7363@@ -84,7 +84,7 @@ static void irq_dispatch(unsigned int irq)
7364 ret = cascade->get_irq(irq);
7365 irq = ret;
7366 if (ret < 0)
7367- atomic_inc(&irq_err_count);
7368+ atomic_inc_unchecked(&irq_err_count);
7369 else
7370 irq_dispatch(irq);
7371 if (!irqd_irq_disabled(idata) && chip->irq_unmask)
7372diff --git a/arch/mn10300/proc-mn103e010/include/proc/cache.h b/arch/mn10300/proc-mn103e010/include/proc/cache.h
7373index 967d144..db12197 100644
7374--- a/arch/mn10300/proc-mn103e010/include/proc/cache.h
7375+++ b/arch/mn10300/proc-mn103e010/include/proc/cache.h
7376@@ -11,12 +11,14 @@
7377 #ifndef _ASM_PROC_CACHE_H
7378 #define _ASM_PROC_CACHE_H
7379
7380+#include <linux/const.h>
7381+
7382 /* L1 cache */
7383
7384 #define L1_CACHE_NWAYS 4 /* number of ways in caches */
7385 #define L1_CACHE_NENTRIES 256 /* number of entries in each way */
7386-#define L1_CACHE_BYTES 16 /* bytes per entry */
7387 #define L1_CACHE_SHIFT 4 /* shift for bytes per entry */
7388+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) /* bytes per entry */
7389 #define L1_CACHE_WAYDISP 0x1000 /* displacement of one way from the next */
7390
7391 #define L1_CACHE_TAG_VALID 0x00000001 /* cache tag valid bit */
7392diff --git a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
7393index bcb5df2..84fabd2 100644
7394--- a/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
7395+++ b/arch/mn10300/proc-mn2ws0050/include/proc/cache.h
7396@@ -16,13 +16,15 @@
7397 #ifndef _ASM_PROC_CACHE_H
7398 #define _ASM_PROC_CACHE_H
7399
7400+#include <linux/const.h>
7401+
7402 /*
7403 * L1 cache
7404 */
7405 #define L1_CACHE_NWAYS 4 /* number of ways in caches */
7406 #define L1_CACHE_NENTRIES 128 /* number of entries in each way */
7407-#define L1_CACHE_BYTES 32 /* bytes per entry */
7408 #define L1_CACHE_SHIFT 5 /* shift for bytes per entry */
7409+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT) /* bytes per entry */
7410 #define L1_CACHE_WAYDISP 0x1000 /* distance from one way to the next */
7411
7412 #define L1_CACHE_TAG_VALID 0x00000001 /* cache tag valid bit */
7413diff --git a/arch/openrisc/include/asm/cache.h b/arch/openrisc/include/asm/cache.h
7414index 4ce7a01..449202a 100644
7415--- a/arch/openrisc/include/asm/cache.h
7416+++ b/arch/openrisc/include/asm/cache.h
7417@@ -19,11 +19,13 @@
7418 #ifndef __ASM_OPENRISC_CACHE_H
7419 #define __ASM_OPENRISC_CACHE_H
7420
7421+#include <linux/const.h>
7422+
7423 /* FIXME: How can we replace these with values from the CPU...
7424 * they shouldn't be hard-coded!
7425 */
7426
7427-#define L1_CACHE_BYTES 16
7428 #define L1_CACHE_SHIFT 4
7429+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7430
7431 #endif /* __ASM_OPENRISC_CACHE_H */
7432diff --git a/arch/parisc/include/asm/atomic.h b/arch/parisc/include/asm/atomic.h
7433index 226f8ca9..9d9b87d 100644
7434--- a/arch/parisc/include/asm/atomic.h
7435+++ b/arch/parisc/include/asm/atomic.h
7436@@ -273,6 +273,16 @@ static inline long atomic64_dec_if_positive(atomic64_t *v)
7437 return dec;
7438 }
7439
7440+#define atomic64_read_unchecked(v) atomic64_read(v)
7441+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
7442+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
7443+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
7444+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
7445+#define atomic64_inc_unchecked(v) atomic64_inc(v)
7446+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
7447+#define atomic64_dec_unchecked(v) atomic64_dec(v)
7448+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
7449+
7450 #endif /* !CONFIG_64BIT */
7451
7452
7453diff --git a/arch/parisc/include/asm/cache.h b/arch/parisc/include/asm/cache.h
7454index 47f11c7..3420df2 100644
7455--- a/arch/parisc/include/asm/cache.h
7456+++ b/arch/parisc/include/asm/cache.h
7457@@ -5,6 +5,7 @@
7458 #ifndef __ARCH_PARISC_CACHE_H
7459 #define __ARCH_PARISC_CACHE_H
7460
7461+#include <linux/const.h>
7462
7463 /*
7464 * PA 2.0 processors have 64-byte cachelines; PA 1.1 processors have
7465@@ -15,13 +16,13 @@
7466 * just ruin performance.
7467 */
7468 #ifdef CONFIG_PA20
7469-#define L1_CACHE_BYTES 64
7470 #define L1_CACHE_SHIFT 6
7471 #else
7472-#define L1_CACHE_BYTES 32
7473 #define L1_CACHE_SHIFT 5
7474 #endif
7475
7476+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
7477+
7478 #ifndef __ASSEMBLY__
7479
7480 #define SMP_CACHE_BYTES L1_CACHE_BYTES
7481diff --git a/arch/parisc/include/asm/elf.h b/arch/parisc/include/asm/elf.h
7482index 78c9fd3..42fa66a 100644
7483--- a/arch/parisc/include/asm/elf.h
7484+++ b/arch/parisc/include/asm/elf.h
7485@@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration... */
7486
7487 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
7488
7489+#ifdef CONFIG_PAX_ASLR
7490+#define PAX_ELF_ET_DYN_BASE 0x10000UL
7491+
7492+#define PAX_DELTA_MMAP_LEN 16
7493+#define PAX_DELTA_STACK_LEN 16
7494+#endif
7495+
7496 /* This yields a mask that user programs can use to figure out what
7497 instruction set this CPU supports. This could be done in user space,
7498 but it's not easy, and we've already done it here. */
7499diff --git a/arch/parisc/include/asm/pgalloc.h b/arch/parisc/include/asm/pgalloc.h
7500index 3edbb9f..08fef28 100644
7501--- a/arch/parisc/include/asm/pgalloc.h
7502+++ b/arch/parisc/include/asm/pgalloc.h
7503@@ -61,6 +61,11 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
7504 (__u32)(__pa((unsigned long)pmd) >> PxD_VALUE_SHIFT));
7505 }
7506
7507+static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmd)
7508+{
7509+ pgd_populate(mm, pgd, pmd);
7510+}
7511+
7512 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm, unsigned long address)
7513 {
7514 pmd_t *pmd = (pmd_t *)__get_free_pages(GFP_KERNEL|__GFP_REPEAT,
7515@@ -97,6 +102,7 @@ static inline void pmd_free(struct mm_struct *mm, pmd_t *pmd)
7516 #define pmd_alloc_one(mm, addr) ({ BUG(); ((pmd_t *)2); })
7517 #define pmd_free(mm, x) do { } while (0)
7518 #define pgd_populate(mm, pmd, pte) BUG()
7519+#define pgd_populate_kernel(mm, pmd, pte) BUG()
7520
7521 #endif
7522
7523diff --git a/arch/parisc/include/asm/pgtable.h b/arch/parisc/include/asm/pgtable.h
7524index f93c4a4..cfd5663 100644
7525--- a/arch/parisc/include/asm/pgtable.h
7526+++ b/arch/parisc/include/asm/pgtable.h
7527@@ -231,6 +231,17 @@ static inline void purge_tlb_entries(struct mm_struct *mm, unsigned long addr)
7528 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
7529 #define PAGE_COPY PAGE_EXECREAD
7530 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
7531+
7532+#ifdef CONFIG_PAX_PAGEEXEC
7533+# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
7534+# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
7535+# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
7536+#else
7537+# define PAGE_SHARED_NOEXEC PAGE_SHARED
7538+# define PAGE_COPY_NOEXEC PAGE_COPY
7539+# define PAGE_READONLY_NOEXEC PAGE_READONLY
7540+#endif
7541+
7542 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
7543 #define PAGE_KERNEL_EXEC __pgprot(_PAGE_KERNEL_EXEC)
7544 #define PAGE_KERNEL_RWX __pgprot(_PAGE_KERNEL_RWX)
7545diff --git a/arch/parisc/include/asm/uaccess.h b/arch/parisc/include/asm/uaccess.h
7546index 0abdd4c..1af92f0 100644
7547--- a/arch/parisc/include/asm/uaccess.h
7548+++ b/arch/parisc/include/asm/uaccess.h
7549@@ -243,10 +243,10 @@ static inline unsigned long __must_check copy_from_user(void *to,
7550 const void __user *from,
7551 unsigned long n)
7552 {
7553- int sz = __compiletime_object_size(to);
7554+ size_t sz = __compiletime_object_size(to);
7555 int ret = -EFAULT;
7556
7557- if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n))
7558+ if (likely(sz == (size_t)-1 || !__builtin_constant_p(n) || sz >= n))
7559 ret = __copy_from_user(to, from, n);
7560 else
7561 copy_from_user_overflow();
7562diff --git a/arch/parisc/kernel/module.c b/arch/parisc/kernel/module.c
7563index 3c63a82..b1d6ee9 100644
7564--- a/arch/parisc/kernel/module.c
7565+++ b/arch/parisc/kernel/module.c
7566@@ -98,16 +98,38 @@
7567
7568 /* three functions to determine where in the module core
7569 * or init pieces the location is */
7570+static inline int in_init_rx(struct module *me, void *loc)
7571+{
7572+ return (loc >= me->module_init_rx &&
7573+ loc < (me->module_init_rx + me->init_size_rx));
7574+}
7575+
7576+static inline int in_init_rw(struct module *me, void *loc)
7577+{
7578+ return (loc >= me->module_init_rw &&
7579+ loc < (me->module_init_rw + me->init_size_rw));
7580+}
7581+
7582 static inline int in_init(struct module *me, void *loc)
7583 {
7584- return (loc >= me->module_init &&
7585- loc <= (me->module_init + me->init_size));
7586+ return in_init_rx(me, loc) || in_init_rw(me, loc);
7587+}
7588+
7589+static inline int in_core_rx(struct module *me, void *loc)
7590+{
7591+ return (loc >= me->module_core_rx &&
7592+ loc < (me->module_core_rx + me->core_size_rx));
7593+}
7594+
7595+static inline int in_core_rw(struct module *me, void *loc)
7596+{
7597+ return (loc >= me->module_core_rw &&
7598+ loc < (me->module_core_rw + me->core_size_rw));
7599 }
7600
7601 static inline int in_core(struct module *me, void *loc)
7602 {
7603- return (loc >= me->module_core &&
7604- loc <= (me->module_core + me->core_size));
7605+ return in_core_rx(me, loc) || in_core_rw(me, loc);
7606 }
7607
7608 static inline int in_local(struct module *me, void *loc)
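Review bot: The comment above `in_init_rx` still says "three functions", but this hunk now defines six range helpers ahead of `in_local`, and it changes the upper bound from inclusive (`<=`) to exclusive (`<`) without saying so. A one-past-the-end address that used to count as inside the module no longer does, which looks intended but should be stated. Suggested wording: `/* helpers to determine which module region (init/core, rx/rw) contains loc; the end address is exclusive */`. `in_local` begins on the last line of the hunk and its body is outside it.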
7609@@ -367,13 +389,13 @@ int module_frob_arch_sections(CONST Elf_Ehdr *hdr,
7610 }
7611
7612 /* align things a bit */
7613- me->core_size = ALIGN(me->core_size, 16);
7614- me->arch.got_offset = me->core_size;
7615- me->core_size += gots * sizeof(struct got_entry);
7616+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
7617+ me->arch.got_offset = me->core_size_rw;
7618+ me->core_size_rw += gots * sizeof(struct got_entry);
7619
7620- me->core_size = ALIGN(me->core_size, 16);
7621- me->arch.fdesc_offset = me->core_size;
7622- me->core_size += fdescs * sizeof(Elf_Fdesc);
7623+ me->core_size_rw = ALIGN(me->core_size_rw, 16);
7624+ me->arch.fdesc_offset = me->core_size_rw;
7625+ me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
7626
7627 me->arch.got_max = gots;
7628 me->arch.fdesc_max = fdescs;
7629@@ -391,7 +413,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend)
7630
7631 BUG_ON(value == 0);
7632
7633- got = me->module_core + me->arch.got_offset;
7634+ got = me->module_core_rw + me->arch.got_offset;
7635 for (i = 0; got[i].addr; i++)
7636 if (got[i].addr == value)
7637 goto out;
7638@@ -409,7 +431,7 @@ static Elf64_Word get_got(struct module *me, unsigned long value, long addend)
7639 #ifdef CONFIG_64BIT
7640 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
7641 {
7642- Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
7643+ Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
7644
7645 if (!value) {
7646 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
7647@@ -427,7 +449,7 @@ static Elf_Addr get_fdesc(struct module *me, unsigned long value)
7648
7649 /* Create new one */
7650 fdesc->addr = value;
7651- fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
7652+ fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
7653 return (Elf_Addr)fdesc;
7654 }
7655 #endif /* CONFIG_64BIT */
7656@@ -839,7 +861,7 @@ register_unwind_table(struct module *me,
7657
7658 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
7659 end = table + sechdrs[me->arch.unwind_section].sh_size;
7660- gp = (Elf_Addr)me->module_core + me->arch.got_offset;
7661+ gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
7662
7663 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
7664 me->arch.unwind_section, table, end, gp);
7665diff --git a/arch/parisc/kernel/sys_parisc.c b/arch/parisc/kernel/sys_parisc.c
7666index 5aba01a..47cdd5a 100644
7667--- a/arch/parisc/kernel/sys_parisc.c
7668+++ b/arch/parisc/kernel/sys_parisc.c
7669@@ -92,6 +92,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7670 unsigned long task_size = TASK_SIZE;
7671 int do_color_align, last_mmap;
7672 struct vm_unmapped_area_info info;
7673+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
7674
7675 if (len > task_size)
7676 return -ENOMEM;
7677@@ -109,6 +110,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7678 goto found_addr;
7679 }
7680
7681+#ifdef CONFIG_PAX_RANDMMAP
7682+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7683+#endif
7684+
7685 if (addr) {
7686 if (do_color_align && last_mmap)
7687 addr = COLOR_ALIGN(addr, last_mmap, pgoff);
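Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no braces and is separated from the `if (addr) {` it guards by the `#endif` and a blank line. The control dependency is easy to miss, and an `else` added to the inner block later would bind to the wrong `if`. Drop the blank line and put a comment above the `#ifdef`, for example `/* PaX: skip the address-hint path when RANDMMAP is active */`. The same construct is repeated in arch_get_unmapped_area_topdown (hunk @@ -170,6 +177,10). `mm` is not declared in this hunk, and the function starts and ends outside it.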
7688@@ -127,6 +132,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
7689 info.high_limit = mmap_upper_limit();
7690 info.align_mask = last_mmap ? (PAGE_MASK & (SHM_COLOUR - 1)) : 0;
7691 info.align_offset = shared_align_offset(last_mmap, pgoff);
7692+ info.threadstack_offset = offset;
7693 addr = vm_unmapped_area(&info);
7694
7695 found_addr:
7696@@ -146,6 +152,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7697 unsigned long addr = addr0;
7698 int do_color_align, last_mmap;
7699 struct vm_unmapped_area_info info;
7700+ unsigned long offset = gr_rand_threadstack_offset(current->mm, filp, flags);
7701
7702 #ifdef CONFIG_64BIT
7703 /* This should only ever run for 32-bit processes. */
7704@@ -170,6 +177,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7705 }
7706
7707 /* requesting a specific address */
7708+#ifdef CONFIG_PAX_RANDMMAP
7709+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
7710+#endif
7711+
7712 if (addr) {
7713 if (do_color_align && last_mmap)
7714 addr = COLOR_ALIGN(addr, last_mmap, pgoff);
7715@@ -187,6 +198,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
7716 info.high_limit = mm->mmap_base;
7717 info.align_mask = last_mmap ? (PAGE_MASK & (SHM_COLOUR - 1)) : 0;
7718 info.align_offset = shared_align_offset(last_mmap, pgoff);
7719+ info.threadstack_offset = offset;
7720 addr = vm_unmapped_area(&info);
7721 if (!(addr & ~PAGE_MASK))
7722 goto found_addr;
7723@@ -252,6 +264,13 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
7724 mm->mmap_legacy_base = mmap_legacy_base();
7725 mm->mmap_base = mmap_upper_limit();
7726
7727+#ifdef CONFIG_PAX_RANDMMAP
7728+ if (mm->pax_flags & MF_PAX_RANDMMAP) {
7729+ mm->mmap_legacy_base += mm->delta_mmap;
7730+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
7731+ }
7732+#endif
7733+
7734 if (mmap_is_legacy()) {
7735 mm->mmap_base = mm->mmap_legacy_base;
7736 mm->get_unmapped_area = arch_get_unmapped_area;
7737diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c
7738index b99b39f..e3915ae 100644
7739--- a/arch/parisc/kernel/traps.c
7740+++ b/arch/parisc/kernel/traps.c
7741@@ -722,9 +722,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs)
7742
7743 down_read(&current->mm->mmap_sem);
7744 vma = find_vma(current->mm,regs->iaoq[0]);
7745- if (vma && (regs->iaoq[0] >= vma->vm_start)
7746- && (vma->vm_flags & VM_EXEC)) {
7747-
7748+ if (vma && (regs->iaoq[0] >= vma->vm_start)) {
7749 fault_address = regs->iaoq[0];
7750 fault_space = regs->iasq[0];
7751
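Review bot: Dropping the `vma->vm_flags & VM_EXEC` test leaves no explanation of why instruction faults on non-executable mappings now take the do_page_fault path. The removal is unconditional, so it also applies when CONFIG_PAX_PAGEEXEC is off. It appears to pair with the fault.c changes in this patch, where `parisc_acctyp` maps `code == 7` to VM_EXEC and the `(vma->vm_flags & acc_type) != acc_type` branch calls `pax_handle_fetch_fault`. A comment on the condition would record that, for example `/* PaX: exec permission is checked in do_page_fault(), which also handles trampoline emulation */`. The enclosing `handle_interruption` case begins and ends outside the hunk, so any existing comment that still describes the VM_EXEC distinction should be checked too.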
7752diff --git a/arch/parisc/mm/fault.c b/arch/parisc/mm/fault.c
7753index 15503ad..4b1b8b6 100644
7754--- a/arch/parisc/mm/fault.c
7755+++ b/arch/parisc/mm/fault.c
7756@@ -16,6 +16,7 @@
7757 #include <linux/interrupt.h>
7758 #include <linux/module.h>
7759 #include <linux/uaccess.h>
7760+#include <linux/unistd.h>
7761
7762 #include <asm/traps.h>
7763
7764@@ -50,7 +51,7 @@ int show_unhandled_signals = 1;
7765 static unsigned long
7766 parisc_acctyp(unsigned long code, unsigned int inst)
7767 {
7768- if (code == 6 || code == 16)
7769+ if (code == 6 || code == 7 || code == 16)
7770 return VM_EXEC;
7771
7772 switch (inst & 0xf0000000) {
7773@@ -136,6 +137,116 @@ parisc_acctyp(unsigned long code, unsigned int inst)
7774 }
7775 #endif
7776
7777+#ifdef CONFIG_PAX_PAGEEXEC
7778+/*
7779+ * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
7780+ *
7781+ * returns 1 when task should be killed
7782+ * 2 when rt_sigreturn trampoline was detected
7783+ * 3 when unpatched PLT trampoline was detected
7784+ */
7785+static int pax_handle_fetch_fault(struct pt_regs *regs)
7786+{
7787+
7788+#ifdef CONFIG_PAX_EMUPLT
7789+ int err;
7790+
7791+ do { /* PaX: unpatched PLT emulation */
7792+ unsigned int bl, depwi;
7793+
7794+ err = get_user(bl, (unsigned int *)instruction_pointer(regs));
7795+ err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
7796+
7797+ if (err)
7798+ break;
7799+
7800+ if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
7801+ unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
7802+
7803+ err = get_user(ldw, (unsigned int *)addr);
7804+ err |= get_user(bv, (unsigned int *)(addr+4));
7805+ err |= get_user(ldw2, (unsigned int *)(addr+8));
7806+
7807+ if (err)
7808+ break;
7809+
7810+ if (ldw == 0x0E801096U &&
7811+ bv == 0xEAC0C000U &&
7812+ ldw2 == 0x0E881095U)
7813+ {
7814+ unsigned int resolver, map;
7815+
7816+ err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
7817+ err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
7818+ if (err)
7819+ break;
7820+
7821+ regs->gr[20] = instruction_pointer(regs)+8;
7822+ regs->gr[21] = map;
7823+ regs->gr[22] = resolver;
7824+ regs->iaoq[0] = resolver | 3UL;
7825+ regs->iaoq[1] = regs->iaoq[0] + 4;
7826+ return 3;
7827+ }
7828+ }
7829+ } while (0);
7830+#endif
7831+
7832+#ifdef CONFIG_PAX_EMUTRAMP
7833+
7834+#ifndef CONFIG_PAX_EMUSIGRT
7835+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
7836+ return 1;
7837+#endif
7838+
7839+ do { /* PaX: rt_sigreturn emulation */
7840+ unsigned int ldi1, ldi2, bel, nop;
7841+
7842+ err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
7843+ err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
7844+ err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
7845+ err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
7846+
7847+ if (err)
7848+ break;
7849+
7850+ if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
7851+ ldi2 == 0x3414015AU &&
7852+ bel == 0xE4008200U &&
7853+ nop == 0x08000240U)
7854+ {
7855+ regs->gr[25] = (ldi1 & 2) >> 1;
7856+ regs->gr[20] = __NR_rt_sigreturn;
7857+ regs->gr[31] = regs->iaoq[1] + 16;
7858+ regs->sr[0] = regs->iasq[1];
7859+ regs->iaoq[0] = 0x100UL;
7860+ regs->iaoq[1] = regs->iaoq[0] + 4;
7861+ regs->iasq[0] = regs->sr[2];
7862+ regs->iasq[1] = regs->sr[2];
7863+ return 2;
7864+ }
7865+ } while (0);
7866+#endif
7867+
7868+ return 1;
7869+}
7870+
7871+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
7872+{
7873+ unsigned long i;
7874+
7875+ printk(KERN_ERR "PAX: bytes at PC: ");
7876+ for (i = 0; i < 5; i++) {
7877+ unsigned int c;
7878+ if (get_user(c, (unsigned int *)pc+i))
7879+ printk(KERN_CONT "???????? ");
7880+ else
7881+ printk(KERN_CONT "%08x ", c);
7882+ }
7883+ printk("\n");
7884+}
7885+#endif
7886+
7887 int fixup_exception(struct pt_regs *regs)
7888 {
7889 const struct exception_table_entry *fix;
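Review bot: `err` is declared only inside the `#ifdef CONFIG_PAX_EMUPLT` block at the top of `pax_handle_fetch_fault`, yet the `CONFIG_PAX_EMUTRAMP` block further down assigns to it. A configuration with EMUTRAMP but without EMUPLT would therefore fail to compile, unless Kconfig (not visible here) forces both on. Declaring it under either option fixes this: `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)` / `int err;` / `#endif`. Separately, `addr` is an `unsigned int` holding `instruction_pointer(regs)-12` and is then cast to a pointer, which truncates on a 64-bit kernel; `unsigned long addr` avoids that. The `get_user` pointer casts also lack the `__user` annotation.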
7890@@ -234,8 +345,33 @@ retry:
7891
7892 good_area:
7893
7894- if ((vma->vm_flags & acc_type) != acc_type)
7895+ if ((vma->vm_flags & acc_type) != acc_type) {
7896+
7897+#ifdef CONFIG_PAX_PAGEEXEC
7898+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
7899+ (address & ~3UL) == instruction_pointer(regs))
7900+ {
7901+ up_read(&mm->mmap_sem);
7902+ switch (pax_handle_fetch_fault(regs)) {
7903+
7904+#ifdef CONFIG_PAX_EMUPLT
7905+ case 3:
7906+ return;
7907+#endif
7908+
7909+#ifdef CONFIG_PAX_EMUTRAMP
7910+ case 2:
7911+ return;
7912+#endif
7913+
7914+ }
7915+ pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
7916+ do_group_exit(SIGKILL);
7917+ }
7918+#endif
7919+
7920 goto bad_area;
7921+ }
7922
7923 /*
7924 * If for any reason at all we couldn't handle the fault, make
7925diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
7926index 5ef2711..21be2c3 100644
7927--- a/arch/powerpc/Kconfig
7928+++ b/arch/powerpc/Kconfig
7929@@ -415,6 +415,7 @@ config PPC64_SUPPORTS_MEMORY_FAILURE
7930 config KEXEC
7931 bool "kexec system call"
7932 depends on (PPC_BOOK3S || FSL_BOOKE || (44x && !SMP))
7933+ depends on !GRKERNSEC_KMEM
7934 help
7935 kexec is a system call that implements the ability to shutdown your
7936 current kernel, and to start another kernel. It is like a reboot
7937diff --git a/arch/powerpc/include/asm/atomic.h b/arch/powerpc/include/asm/atomic.h
7938index 512d278..d31fadd 100644
7939--- a/arch/powerpc/include/asm/atomic.h
7940+++ b/arch/powerpc/include/asm/atomic.h
7941@@ -12,6 +12,11 @@
7942
7943 #define ATOMIC_INIT(i) { (i) }
7944
7945+#define _ASM_EXTABLE(from, to) \
7946+" .section __ex_table,\"a\"\n" \
7947+ PPC_LONG" " #from ", " #to"\n" \
7948+" .previous\n"
7949+
7950 static __inline__ int atomic_read(const atomic_t *v)
7951 {
7952 int t;
7953@@ -21,39 +26,80 @@ static __inline__ int atomic_read(const atomic_t *v)
7954 return t;
7955 }
7956
7957+static __inline__ int atomic_read_unchecked(const atomic_unchecked_t *v)
7958+{
7959+ int t;
7960+
7961+ __asm__ __volatile__("lwz%U1%X1 %0,%1" : "=r"(t) : "m"(v->counter));
7962+
7963+ return t;
7964+}
7965+
7966 static __inline__ void atomic_set(atomic_t *v, int i)
7967 {
7968 __asm__ __volatile__("stw%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
7969 }
7970
7971-#define ATOMIC_OP(op, asm_op) \
7972-static __inline__ void atomic_##op(int a, atomic_t *v) \
7973+static __inline__ void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7974+{
7975+ __asm__ __volatile__("stw%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
7976+}
7977+
7978+#ifdef CONFIG_PAX_REFCOUNT
7979+#define __REFCOUNT_OP(op) op##o.
7980+#define __OVERFLOW_PRE \
7981+ " mcrxr cr0\n"
7982+#define __OVERFLOW_POST \
7983+ " bf 4*cr0+so, 3f\n" \
7984+ "2: .long 0x00c00b00\n" \
7985+ "3:\n"
7986+#define __OVERFLOW_EXTABLE \
7987+ "\n4:\n"
7988+ _ASM_EXTABLE(2b, 4b)
7989+#else
7990+#define __REFCOUNT_OP(op) op
7991+#define __OVERFLOW_PRE
7992+#define __OVERFLOW_POST
7993+#define __OVERFLOW_EXTABLE
7994+#endif
7995+
7996+#define __ATOMIC_OP(op, suffix, pre_op, asm_op, post_op, extable) \
7997+static inline void atomic_##op##suffix(int a, atomic##suffix##_t *v) \
7998 { \
7999 int t; \
8000 \
8001 __asm__ __volatile__( \
8002-"1: lwarx %0,0,%3 # atomic_" #op "\n" \
8003+"1: lwarx %0,0,%3 # atomic_" #op #suffix "\n" \
8004+ pre_op \
8005 #asm_op " %0,%2,%0\n" \
8006+ post_op \
8007 PPC405_ERR77(0,%3) \
8008 " stwcx. %0,0,%3 \n" \
8009 " bne- 1b\n" \
8010+ extable \
8011 : "=&r" (t), "+m" (v->counter) \
8012 : "r" (a), "r" (&v->counter) \
8013 : "cc"); \
8014 } \
8015
8016-#define ATOMIC_OP_RETURN(op, asm_op) \
8017-static __inline__ int atomic_##op##_return(int a, atomic_t *v) \
8018+#define ATOMIC_OP(op, asm_op) __ATOMIC_OP(op, , , asm_op, , ) \
8019+ __ATOMIC_OP(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
8020+
8021+#define __ATOMIC_OP_RETURN(op, suffix, pre_op, asm_op, post_op, extable)\
8022+static inline int atomic_##op##_return##suffix(int a, atomic##suffix##_t *v)\
8023 { \
8024 int t; \
8025 \
8026 __asm__ __volatile__( \
8027 PPC_ATOMIC_ENTRY_BARRIER \
8028-"1: lwarx %0,0,%2 # atomic_" #op "_return\n" \
8029+"1: lwarx %0,0,%2 # atomic_" #op "_return" #suffix "\n" \
8030+ pre_op \
8031 #asm_op " %0,%1,%0\n" \
8032+ post_op \
8033 PPC405_ERR77(0,%2) \
8034 " stwcx. %0,0,%2 \n" \
8035 " bne- 1b\n" \
8036+ extable \
8037 PPC_ATOMIC_EXIT_BARRIER \
8038 : "=&r" (t) \
8039 : "r" (a), "r" (&v->counter) \
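Review bot: `ATOMIC_OP` instantiates the plain `atomic_##op` with empty `pre_op`/`post_op`/`extable` and gives the overflow instrumentation (`__OVERFLOW_PRE`, `__REFCOUNT_OP`, `__OVERFLOW_POST`, `__OVERFLOW_EXTABLE`) to the `_unchecked` variant. That looks inverted: elsewhere in this patch `_unchecked` is the exempt form (statistics counters such as `irq_err_count`), and `__atomic_add_unless` on `atomic_t` is the one that gets the check. If so, reference counts on `atomic_t` are not protected on powerpc, and the arguments should be swapped: `__ATOMIC_OP(op, , __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)` and `__ATOMIC_OP(op, _unchecked, , asm_op, , )`. The same ordering appears in `ATOMIC_OP_RETURN` (hunk @@ -62,6 +108,9), and in `ATOMIC64_OP` and `ATOMIC64_OP_RETURN`. Also, as shown here the `"\n4:\n"` line of `__OVERFLOW_EXTABLE` has no trailing backslash, so `_ASM_EXTABLE(2b, 4b)` falls outside the macro and lands at file scope when CONFIG_PAX_REFCOUNT is set; it should read `"\n4:\n" \`.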
8040@@ -62,6 +108,9 @@ static __inline__ int atomic_##op##_return(int a, atomic_t *v) \
8041 return t; \
8042 }
8043
8044+#define ATOMIC_OP_RETURN(op, asm_op) __ATOMIC_OP_RETURN(op, , , asm_op, , )\
8045+ __ATOMIC_OP_RETURN(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
8046+
8047 #define ATOMIC_OPS(op, asm_op) ATOMIC_OP(op, asm_op) ATOMIC_OP_RETURN(op, asm_op)
8048
8049 ATOMIC_OPS(add, add)
8050@@ -69,42 +118,29 @@ ATOMIC_OPS(sub, subf)
8051
8052 #undef ATOMIC_OPS
8053 #undef ATOMIC_OP_RETURN
8054+#undef __ATOMIC_OP_RETURN
8055 #undef ATOMIC_OP
8056+#undef __ATOMIC_OP
8057
8058 #define atomic_add_negative(a, v) (atomic_add_return((a), (v)) < 0)
8059
8060-static __inline__ void atomic_inc(atomic_t *v)
8061-{
8062- int t;
8063+/*
8064+ * atomic_inc - increment atomic variable
8065+ * @v: pointer of type atomic_t
8066+ *
8067+ * Automatically increments @v by 1
8068+ */
8069+#define atomic_inc(v) atomic_add(1, (v))
8070+#define atomic_inc_return(v) atomic_add_return(1, (v))
8071
8072- __asm__ __volatile__(
8073-"1: lwarx %0,0,%2 # atomic_inc\n\
8074- addic %0,%0,1\n"
8075- PPC405_ERR77(0,%2)
8076-" stwcx. %0,0,%2 \n\
8077- bne- 1b"
8078- : "=&r" (t), "+m" (v->counter)
8079- : "r" (&v->counter)
8080- : "cc", "xer");
8081+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
8082+{
8083+ atomic_add_unchecked(1, v);
8084 }
8085
8086-static __inline__ int atomic_inc_return(atomic_t *v)
8087+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
8088 {
8089- int t;
8090-
8091- __asm__ __volatile__(
8092- PPC_ATOMIC_ENTRY_BARRIER
8093-"1: lwarx %0,0,%1 # atomic_inc_return\n\
8094- addic %0,%0,1\n"
8095- PPC405_ERR77(0,%1)
8096-" stwcx. %0,0,%1 \n\
8097- bne- 1b"
8098- PPC_ATOMIC_EXIT_BARRIER
8099- : "=&r" (t)
8100- : "r" (&v->counter)
8101- : "cc", "xer", "memory");
8102-
8103- return t;
8104+ return atomic_add_return_unchecked(1, v);
8105 }
8106
8107 /*
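Review bot: The new comment for `atomic_inc` reads "Automatically increments @v by 1"; it should be `Atomically increments @v by 1`, matching the `atomic_dec` comment added further down. The same typo is in the `atomic64_inc` comment in hunk @@ -307,40 +385,33. The comment block also sits above two macros, so it would help to mention `atomic_inc_return` there as well.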
8108@@ -117,43 +153,38 @@ static __inline__ int atomic_inc_return(atomic_t *v)
8109 */
8110 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
8111
8112-static __inline__ void atomic_dec(atomic_t *v)
8113+static __inline__ int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
8114 {
8115- int t;
8116-
8117- __asm__ __volatile__(
8118-"1: lwarx %0,0,%2 # atomic_dec\n\
8119- addic %0,%0,-1\n"
8120- PPC405_ERR77(0,%2)\
8121-" stwcx. %0,0,%2\n\
8122- bne- 1b"
8123- : "=&r" (t), "+m" (v->counter)
8124- : "r" (&v->counter)
8125- : "cc", "xer");
8126+ return atomic_add_return_unchecked(1, v) == 0;
8127 }
8128
8129-static __inline__ int atomic_dec_return(atomic_t *v)
8130+/*
8131+ * atomic_dec - decrement atomic variable
8132+ * @v: pointer of type atomic_t
8133+ *
8134+ * Atomically decrements @v by 1
8135+ */
8136+#define atomic_dec(v) atomic_sub(1, (v))
8137+#define atomic_dec_return(v) atomic_sub_return(1, (v))
8138+
8139+static __inline__ void atomic_dec_unchecked(atomic_unchecked_t *v)
8140 {
8141- int t;
8142-
8143- __asm__ __volatile__(
8144- PPC_ATOMIC_ENTRY_BARRIER
8145-"1: lwarx %0,0,%1 # atomic_dec_return\n\
8146- addic %0,%0,-1\n"
8147- PPC405_ERR77(0,%1)
8148-" stwcx. %0,0,%1\n\
8149- bne- 1b"
8150- PPC_ATOMIC_EXIT_BARRIER
8151- : "=&r" (t)
8152- : "r" (&v->counter)
8153- : "cc", "xer", "memory");
8154-
8155- return t;
8156+ atomic_sub_unchecked(1, v);
8157 }
8158
8159 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
8160 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
8161
8162+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
8163+{
8164+ return cmpxchg(&(v->counter), old, new);
8165+}
8166+
8167+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
8168+{
8169+ return xchg(&(v->counter), new);
8170+}
8171+
8172 /**
8173 * __atomic_add_unless - add unless the number is a given value
8174 * @v: pointer of type atomic_t
8175@@ -171,11 +202,27 @@ static __inline__ int __atomic_add_unless(atomic_t *v, int a, int u)
8176 PPC_ATOMIC_ENTRY_BARRIER
8177 "1: lwarx %0,0,%1 # __atomic_add_unless\n\
8178 cmpw 0,%0,%3 \n\
8179- beq- 2f \n\
8180- add %0,%2,%0 \n"
8181+ beq- 2f \n"
8182+
8183+#ifdef CONFIG_PAX_REFCOUNT
8184+" mcrxr cr0\n"
8185+" addo. %0,%2,%0\n"
8186+" bf 4*cr0+so, 4f\n"
8187+"3:.long " "0x00c00b00""\n"
8188+"4:\n"
8189+#else
8190+ "add %0,%2,%0 \n"
8191+#endif
8192+
8193 PPC405_ERR77(0,%2)
8194 " stwcx. %0,0,%1 \n\
8195 bne- 1b \n"
8196+"5:"
8197+
8198+#ifdef CONFIG_PAX_REFCOUNT
8199+ _ASM_EXTABLE(3b, 5b)
8200+#endif
8201+
8202 PPC_ATOMIC_EXIT_BARRIER
8203 " subf %0,%2,%0 \n\
8204 2:"
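Review bot: The word `0x00c00b00` emitted at label 3 is undocumented, and it is repeated in `__OVERFLOW_POST` earlier in this file. A named macro with a comment saying what the word encodes and which handler recognises it would make the overflow path reviewable, for example `/* PaX REFCOUNT: trap word; the __ex_table entry resumes at 5:, skipping the store */`. `mcrxr` and `addo.` both write XER, and the clobber list of this asm statement is outside the hunk, so confirm that it names `"xer"`. `__atomic_add_unless` begins and ends outside the hunk.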
8205@@ -248,6 +295,11 @@ static __inline__ int atomic_dec_if_positive(atomic_t *v)
8206 }
8207 #define atomic_dec_if_positive atomic_dec_if_positive
8208
8209+#define smp_mb__before_atomic_dec() smp_mb()
8210+#define smp_mb__after_atomic_dec() smp_mb()
8211+#define smp_mb__before_atomic_inc() smp_mb()
8212+#define smp_mb__after_atomic_inc() smp_mb()
8213+
8214 #ifdef __powerpc64__
8215
8216 #define ATOMIC64_INIT(i) { (i) }
8217@@ -261,37 +313,60 @@ static __inline__ long atomic64_read(const atomic64_t *v)
8218 return t;
8219 }
8220
8221+static __inline__ long atomic64_read_unchecked(const atomic64_unchecked_t *v)
8222+{
8223+ long t;
8224+
8225+ __asm__ __volatile__("ld%U1%X1 %0,%1" : "=r"(t) : "m"(v->counter));
8226+
8227+ return t;
8228+}
8229+
8230 static __inline__ void atomic64_set(atomic64_t *v, long i)
8231 {
8232 __asm__ __volatile__("std%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
8233 }
8234
8235-#define ATOMIC64_OP(op, asm_op) \
8236-static __inline__ void atomic64_##op(long a, atomic64_t *v) \
8237+static __inline__ void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
8238+{
8239+ __asm__ __volatile__("std%U0%X0 %1,%0" : "=m"(v->counter) : "r"(i));
8240+}
8241+
8242+#define __ATOMIC64_OP(op, suffix, pre_op, asm_op, post_op, extable) \
8243+static inline void atomic64_##op##suffix(long a, atomic64##suffix##_t *v)\
8244 { \
8245 long t; \
8246 \
8247 __asm__ __volatile__( \
8248 "1: ldarx %0,0,%3 # atomic64_" #op "\n" \
8249+ pre_op \
8250 #asm_op " %0,%2,%0\n" \
8251+ post_op \
8252 " stdcx. %0,0,%3 \n" \
8253 " bne- 1b\n" \
8254+ extable \
8255 : "=&r" (t), "+m" (v->counter) \
8256 : "r" (a), "r" (&v->counter) \
8257 : "cc"); \
8258 }
8259
8260-#define ATOMIC64_OP_RETURN(op, asm_op) \
8261-static __inline__ long atomic64_##op##_return(long a, atomic64_t *v) \
8262+#define ATOMIC64_OP(op, asm_op) __ATOMIC64_OP(op, , , asm_op, , ) \
8263+ __ATOMIC64_OP(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
8264+
8265+#define __ATOMIC64_OP_RETURN(op, suffix, pre_op, asm_op, post_op, extable)\
8266+static inline long atomic64_##op##_return##suffix(long a, atomic64##suffix##_t *v)\
8267 { \
8268 long t; \
8269 \
8270 __asm__ __volatile__( \
8271 PPC_ATOMIC_ENTRY_BARRIER \
8272 "1: ldarx %0,0,%2 # atomic64_" #op "_return\n" \
8273+ pre_op \
8274 #asm_op " %0,%1,%0\n" \
8275+ post_op \
8276 " stdcx. %0,0,%2 \n" \
8277 " bne- 1b\n" \
8278+ extable \
8279 PPC_ATOMIC_EXIT_BARRIER \
8280 : "=&r" (t) \
8281 : "r" (a), "r" (&v->counter) \
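Review bot: `__ATOMIC64_OP` and `__ATOMIC64_OP_RETURN` reuse `__OVERFLOW_PRE`, which expands to `mcrxr cr0`. As far as I know that instruction is not implemented on 64-bit server-class PowerPC cores, so under CONFIG_PAX_REFCOUNT the instrumented variants may fault instead of detecting overflow; this needs confirming on the target CPUs. The asm comment also drops `#suffix` (`"# atomic64_" #op "\n"`), unlike the 32-bit macro, so the two generated variants look identical in a listing; `"# atomic64_" #op #suffix "\n"` would match the 32-bit form.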
8282@@ -300,6 +375,9 @@ static __inline__ long atomic64_##op##_return(long a, atomic64_t *v) \
8283 return t; \
8284 }
8285
8286+#define ATOMIC64_OP_RETURN(op, asm_op) __ATOMIC64_OP_RETURN(op, , , asm_op, , )\
8287+ __ATOMIC64_OP_RETURN(op, _unchecked, __OVERFLOW_PRE, __REFCOUNT_OP(asm_op), __OVERFLOW_POST, __OVERFLOW_EXTABLE)
8288+
8289 #define ATOMIC64_OPS(op, asm_op) ATOMIC64_OP(op, asm_op) ATOMIC64_OP_RETURN(op, asm_op)
8290
8291 ATOMIC64_OPS(add, add)
8292@@ -307,40 +385,33 @@ ATOMIC64_OPS(sub, subf)
8293
8294 #undef ATOMIC64_OPS
8295 #undef ATOMIC64_OP_RETURN
8296+#undef __ATOMIC64_OP_RETURN
8297 #undef ATOMIC64_OP
8298+#undef __ATOMIC64_OP
8299+#undef __OVERFLOW_EXTABLE
8300+#undef __OVERFLOW_POST
8301+#undef __OVERFLOW_PRE
8302+#undef __REFCOUNT_OP
8303
8304 #define atomic64_add_negative(a, v) (atomic64_add_return((a), (v)) < 0)
8305
8306-static __inline__ void atomic64_inc(atomic64_t *v)
8307-{
8308- long t;
8309+/*
8310+ * atomic64_inc - increment atomic variable
8311+ * @v: pointer of type atomic64_t
8312+ *
8313+ * Automatically increments @v by 1
8314+ */
8315+#define atomic64_inc(v) atomic64_add(1, (v))
8316+#define atomic64_inc_return(v) atomic64_add_return(1, (v))
8317
8318- __asm__ __volatile__(
8319-"1: ldarx %0,0,%2 # atomic64_inc\n\
8320- addic %0,%0,1\n\
8321- stdcx. %0,0,%2 \n\
8322- bne- 1b"
8323- : "=&r" (t), "+m" (v->counter)
8324- : "r" (&v->counter)
8325- : "cc", "xer");
8326+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
8327+{
8328+ atomic64_add_unchecked(1, v);
8329 }
8330
8331-static __inline__ long atomic64_inc_return(atomic64_t *v)
8332+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
8333 {
8334- long t;
8335-
8336- __asm__ __volatile__(
8337- PPC_ATOMIC_ENTRY_BARRIER
8338-"1: ldarx %0,0,%1 # atomic64_inc_return\n\
8339- addic %0,%0,1\n\
8340- stdcx. %0,0,%1 \n\
8341- bne- 1b"
8342- PPC_ATOMIC_EXIT_BARRIER
8343- : "=&r" (t)
8344- : "r" (&v->counter)
8345- : "cc", "xer", "memory");
8346-
8347- return t;
8348+ return atomic64_add_return_unchecked(1, v);
8349 }
8350
8351 /*
8352@@ -353,36 +424,18 @@ static __inline__ long atomic64_inc_return(atomic64_t *v)
8353 */
8354 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
8355
8356-static __inline__ void atomic64_dec(atomic64_t *v)
8357+/*
8358+ * atomic64_dec - decrement atomic variable
8359+ * @v: pointer of type atomic64_t
8360+ *
8361+ * Atomically decrements @v by 1
8362+ */
8363+#define atomic64_dec(v) atomic64_sub(1, (v))
8364+#define atomic64_dec_return(v) atomic64_sub_return(1, (v))
8365+
8366+static __inline__ void atomic64_dec_unchecked(atomic64_unchecked_t *v)
8367 {
8368- long t;
8369-
8370- __asm__ __volatile__(
8371-"1: ldarx %0,0,%2 # atomic64_dec\n\
8372- addic %0,%0,-1\n\
8373- stdcx. %0,0,%2\n\
8374- bne- 1b"
8375- : "=&r" (t), "+m" (v->counter)
8376- : "r" (&v->counter)
8377- : "cc", "xer");
8378-}
8379-
8380-static __inline__ long atomic64_dec_return(atomic64_t *v)
8381-{
8382- long t;
8383-
8384- __asm__ __volatile__(
8385- PPC_ATOMIC_ENTRY_BARRIER
8386-"1: ldarx %0,0,%1 # atomic64_dec_return\n\
8387- addic %0,%0,-1\n\
8388- stdcx. %0,0,%1\n\
8389- bne- 1b"
8390- PPC_ATOMIC_EXIT_BARRIER
8391- : "=&r" (t)
8392- : "r" (&v->counter)
8393- : "cc", "xer", "memory");
8394-
8395- return t;
8396+ atomic64_sub_unchecked(1, v);
8397 }
8398
8399 #define atomic64_sub_and_test(a, v) (atomic64_sub_return((a), (v)) == 0)
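Review bot: The new `atomic64_dec_unchecked()` is declared `static __inline__`, while the `_unchecked` helpers added just above it (`atomic64_inc_unchecked`, `atomic64_inc_return_unchecked`) use `static inline`. Pick one spelling for the added functions, e.g. `static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)`. The inc side also gains an `atomic64_inc_return_unchecked()`, but no `atomic64_dec_return_unchecked()` is added here. If that asymmetry is intentional, a one-line comment saying so would save the next reader a search.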
8400@@ -415,6 +468,16 @@ static __inline__ long atomic64_dec_if_positive(atomic64_t *v)
8401 #define atomic64_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
8402 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
8403
8404+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
8405+{
8406+ return cmpxchg(&(v->counter), old, new);
8407+}
8408+
8409+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
8410+{
8411+ return xchg(&(v->counter), new);
8412+}
8413+
8414 /**
8415 * atomic64_add_unless - add unless the number is a given value
8416 * @v: pointer of type atomic64_t
8417@@ -430,13 +493,29 @@ static __inline__ int atomic64_add_unless(atomic64_t *v, long a, long u)
8418
8419 __asm__ __volatile__ (
8420 PPC_ATOMIC_ENTRY_BARRIER
8421-"1: ldarx %0,0,%1 # __atomic_add_unless\n\
8422+"1: ldarx %0,0,%1 # atomic64_add_unless\n\
8423 cmpd 0,%0,%3 \n\
8424- beq- 2f \n\
8425- add %0,%2,%0 \n"
8426+ beq- 2f \n"
8427+
8428+#ifdef CONFIG_PAX_REFCOUNT
8429+" mcrxr cr0\n"
8430+" addo. %0,%2,%0\n"
8431+" bf 4*cr0+so, 4f\n"
8432+"3:.long " "0x00c00b00""\n"
8433+"4:\n"
8434+#else
8435+ "add %0,%2,%0 \n"
8436+#endif
8437+
8438 " stdcx. %0,0,%1 \n\
8439 bne- 1b \n"
8440 PPC_ATOMIC_EXIT_BARRIER
8441+"5:"
8442+
8443+#ifdef CONFIG_PAX_REFCOUNT
8444+ _ASM_EXTABLE(3b, 5b)
8445+#endif
8446+
8447 " subf %0,%2,%0 \n\
8448 2:"
8449 : "=&r" (t)
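Review bot: The overflow marker word is spelled as a bare literal, `"3:.long " "0x00c00b00""\n"`, and the same value reappears in the local.h and spinlock.h hunks. The trap handler in traps.c compares against `0xc00b00`, so the two sides are tied together only by convention. A single shared definition (for example `#define PAX_REFCOUNT_TRAP_INSN 0x00c00b00`, name is a suggestion) used by both the asm strings and the handler would keep them from drifting apart. Separately, `mcrxr` is, as far as I know, not implemented on every 64-bit server core, and kernel-mode use is not emulated, so this sequence deserves a build-and-boot test on Book3S-64 before it is relied on. The body of `atomic64_add_unless()` starts and ends outside this hunk.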
8450diff --git a/arch/powerpc/include/asm/barrier.h b/arch/powerpc/include/asm/barrier.h
8451index 51ccc72..35de789 100644
8452--- a/arch/powerpc/include/asm/barrier.h
8453+++ b/arch/powerpc/include/asm/barrier.h
8454@@ -76,7 +76,7 @@
8455 do { \
8456 compiletime_assert_atomic_type(*p); \
8457 smp_lwsync(); \
8458- ACCESS_ONCE(*p) = (v); \
8459+ ACCESS_ONCE_RW(*p) = (v); \
8460 } while (0)
8461
8462 #define smp_load_acquire(p) \
8463diff --git a/arch/powerpc/include/asm/cache.h b/arch/powerpc/include/asm/cache.h
8464index 0dc42c5..b80a3a1 100644
8465--- a/arch/powerpc/include/asm/cache.h
8466+++ b/arch/powerpc/include/asm/cache.h
8467@@ -4,6 +4,7 @@
8468 #ifdef __KERNEL__
8469
8470 #include <asm/reg.h>
8471+#include <linux/const.h>
8472
8473 /* bytes per L1 cache line */
8474 #if defined(CONFIG_8xx) || defined(CONFIG_403GCX)
8475@@ -23,7 +24,7 @@
8476 #define L1_CACHE_SHIFT 7
8477 #endif
8478
8479-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
8480+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
8481
8482 #define SMP_CACHE_BYTES L1_CACHE_BYTES
8483
8484diff --git a/arch/powerpc/include/asm/elf.h b/arch/powerpc/include/asm/elf.h
8485index ee46ffe..b36c98c 100644
8486--- a/arch/powerpc/include/asm/elf.h
8487+++ b/arch/powerpc/include/asm/elf.h
8488@@ -30,6 +30,18 @@
8489
8490 #define ELF_ET_DYN_BASE 0x20000000
8491
8492+#ifdef CONFIG_PAX_ASLR
8493+#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
8494+
8495+#ifdef __powerpc64__
8496+#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
8497+#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
8498+#else
8499+#define PAX_DELTA_MMAP_LEN 15
8500+#define PAX_DELTA_STACK_LEN 15
8501+#endif
8502+#endif
8503+
8504 #define ELF_CORE_EFLAGS (is_elf2_task() ? 2 : 0)
8505
8506 /*
8507diff --git a/arch/powerpc/include/asm/exec.h b/arch/powerpc/include/asm/exec.h
8508index 8196e9c..d83a9f3 100644
8509--- a/arch/powerpc/include/asm/exec.h
8510+++ b/arch/powerpc/include/asm/exec.h
8511@@ -4,6 +4,6 @@
8512 #ifndef _ASM_POWERPC_EXEC_H
8513 #define _ASM_POWERPC_EXEC_H
8514
8515-extern unsigned long arch_align_stack(unsigned long sp);
8516+#define arch_align_stack(x) ((x) & ~0xfUL)
8517
8518 #endif /* _ASM_POWERPC_EXEC_H */
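Review bot: `#define arch_align_stack(x) ((x) & ~0xfUL)` replaces the out-of-line function unconditionally. The function it replaces (deleted in the process.c hunk further down) also subtracted `get_random_int() & ~PAGE_MASK` when `randomize_va_space` was set and `ADDR_NO_RANDOMIZE` was clear. A kernel built from this tree without the PaX ASLR options would therefore lose the sub-page stack offset, and `arch_randomize_brk()` is removed in the same process.c hunk, unless replacements exist elsewhere in the patch, which this hunk does not show. Either guard the macro with `#ifdef CONFIG_PAX_ASLR` and keep the `extern` otherwise, or add a comment such as `/* stack randomisation is done by PAX_RANDUSTACK, not here */` so the dependency is explicit.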
8519diff --git a/arch/powerpc/include/asm/kmap_types.h b/arch/powerpc/include/asm/kmap_types.h
8520index 5acabbd..7ea14fa 100644
8521--- a/arch/powerpc/include/asm/kmap_types.h
8522+++ b/arch/powerpc/include/asm/kmap_types.h
8523@@ -10,7 +10,7 @@
8524 * 2 of the License, or (at your option) any later version.
8525 */
8526
8527-#define KM_TYPE_NR 16
8528+#define KM_TYPE_NR 17
8529
8530 #endif /* __KERNEL__ */
8531 #endif /* _ASM_POWERPC_KMAP_TYPES_H */
8532diff --git a/arch/powerpc/include/asm/local.h b/arch/powerpc/include/asm/local.h
8533index b8da913..c02b593 100644
8534--- a/arch/powerpc/include/asm/local.h
8535+++ b/arch/powerpc/include/asm/local.h
8536@@ -9,21 +9,65 @@ typedef struct
8537 atomic_long_t a;
8538 } local_t;
8539
8540+typedef struct
8541+{
8542+ atomic_long_unchecked_t a;
8543+} local_unchecked_t;
8544+
8545 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
8546
8547 #define local_read(l) atomic_long_read(&(l)->a)
8548+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
8549 #define local_set(l,i) atomic_long_set(&(l)->a, (i))
8550+#define local_set_unchecked(l,i) atomic_long_set_unchecked(&(l)->a, (i))
8551
8552 #define local_add(i,l) atomic_long_add((i),(&(l)->a))
8553+#define local_add_unchecked(i,l) atomic_long_add_unchecked((i),(&(l)->a))
8554 #define local_sub(i,l) atomic_long_sub((i),(&(l)->a))
8555+#define local_sub_unchecked(i,l) atomic_long_sub_unchecked((i),(&(l)->a))
8556 #define local_inc(l) atomic_long_inc(&(l)->a)
8557+#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
8558 #define local_dec(l) atomic_long_dec(&(l)->a)
8559+#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
8560
8561 static __inline__ long local_add_return(long a, local_t *l)
8562 {
8563 long t;
8564
8565 __asm__ __volatile__(
8566+"1:" PPC_LLARX(%0,0,%2,0) " # local_add_return\n"
8567+
8568+#ifdef CONFIG_PAX_REFCOUNT
8569+" mcrxr cr0\n"
8570+" addo. %0,%1,%0\n"
8571+" bf 4*cr0+so, 3f\n"
8572+"2:.long " "0x00c00b00""\n"
8573+#else
8574+" add %0,%1,%0\n"
8575+#endif
8576+
8577+"3:\n"
8578+ PPC405_ERR77(0,%2)
8579+ PPC_STLCX "%0,0,%2 \n\
8580+ bne- 1b"
8581+
8582+#ifdef CONFIG_PAX_REFCOUNT
8583+"\n4:\n"
8584+ _ASM_EXTABLE(2b, 4b)
8585+#endif
8586+
8587+ : "=&r" (t)
8588+ : "r" (a), "r" (&(l->a.counter))
8589+ : "cc", "memory");
8590+
8591+ return t;
8592+}
8593+
8594+static __inline__ long local_add_return_unchecked(long a, local_unchecked_t *l)
8595+{
8596+ long t;
8597+
8598+ __asm__ __volatile__(
8599 "1:" PPC_LLARX(%0,0,%2,0) " # local_add_return\n\
8600 add %0,%1,%0\n"
8601 PPC405_ERR77(0,%2)
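Review bot: The checked `local_add_return()` now executes `mcrxr cr0` and `addo.`, both of which write XER, but its clobber list is still `: "cc", "memory");`. The spinlock.h hunks that use the same sequence declare `"cr0", "xer", "memory"`. For consistency, and to be safe with compilers that track XER bits, make it `: "cc", "xer", "memory");`. The body of `local_add_return_unchecked()` continues outside this hunk.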
8602@@ -101,6 +145,8 @@ static __inline__ long local_dec_return(local_t *l)
8603
8604 #define local_cmpxchg(l, o, n) \
8605 (cmpxchg_local(&((l)->a.counter), (o), (n)))
8606+#define local_cmpxchg_unchecked(l, o, n) \
8607+ (cmpxchg_local(&((l)->a.counter), (o), (n)))
8608 #define local_xchg(l, n) (xchg_local(&((l)->a.counter), (n)))
8609
8610 /**
8611diff --git a/arch/powerpc/include/asm/mman.h b/arch/powerpc/include/asm/mman.h
8612index 8565c25..2865190 100644
8613--- a/arch/powerpc/include/asm/mman.h
8614+++ b/arch/powerpc/include/asm/mman.h
8615@@ -24,7 +24,7 @@ static inline unsigned long arch_calc_vm_prot_bits(unsigned long prot)
8616 }
8617 #define arch_calc_vm_prot_bits(prot) arch_calc_vm_prot_bits(prot)
8618
8619-static inline pgprot_t arch_vm_get_page_prot(unsigned long vm_flags)
8620+static inline pgprot_t arch_vm_get_page_prot(vm_flags_t vm_flags)
8621 {
8622 return (vm_flags & VM_SAO) ? __pgprot(_PAGE_SAO) : __pgprot(0);
8623 }
8624diff --git a/arch/powerpc/include/asm/page.h b/arch/powerpc/include/asm/page.h
8625index 71294a6..9e40aca 100644
8626--- a/arch/powerpc/include/asm/page.h
8627+++ b/arch/powerpc/include/asm/page.h
8628@@ -227,8 +227,9 @@ extern long long virt_phys_offset;
8629 * and needs to be executable. This means the whole heap ends
8630 * up being executable.
8631 */
8632-#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
8633- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8634+#define VM_DATA_DEFAULT_FLAGS32 \
8635+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
8636+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8637
8638 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
8639 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
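Review bot: The comment kept above `VM_DATA_DEFAULT_FLAGS32` still ends with "This means the whole heap ends up being executable", which is no longer true after this change: `VM_EXEC` is now set only when `current->personality & READ_IMPLIES_EXEC`. Update the comment, e.g. append `With this change the heap is executable only for READ_IMPLIES_EXEC personalities.`; its opening lines are outside the hunk. The macro now also dereferences `current`, so every user needs the task definition in scope, and a short note next to the define would make that visible. The same rewrite is applied to `VM_STACK_DEFAULT_FLAGS32` in the page_64.h hunk.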
8640@@ -256,6 +257,9 @@ extern long long virt_phys_offset;
8641 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
8642 #endif
8643
8644+#define ktla_ktva(addr) (addr)
8645+#define ktva_ktla(addr) (addr)
8646+
8647 #ifndef CONFIG_PPC_BOOK3S_64
8648 /*
8649 * Use the top bit of the higher-level page table entries to indicate whether
8650diff --git a/arch/powerpc/include/asm/page_64.h b/arch/powerpc/include/asm/page_64.h
8651index d908a46..3753f71 100644
8652--- a/arch/powerpc/include/asm/page_64.h
8653+++ b/arch/powerpc/include/asm/page_64.h
8654@@ -172,15 +172,18 @@ do { \
8655 * stack by default, so in the absence of a PT_GNU_STACK program header
8656 * we turn execute permission off.
8657 */
8658-#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
8659- VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8660+#define VM_STACK_DEFAULT_FLAGS32 \
8661+ (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
8662+ VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8663
8664 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
8665 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
8666
8667+#ifndef CONFIG_PAX_PAGEEXEC
8668 #define VM_STACK_DEFAULT_FLAGS \
8669 (is_32bit_task() ? \
8670 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
8671+#endif
8672
8673 #include <asm-generic/getorder.h>
8674
8675diff --git a/arch/powerpc/include/asm/pgalloc-64.h b/arch/powerpc/include/asm/pgalloc-64.h
8676index 4b0be20..c15a27d 100644
8677--- a/arch/powerpc/include/asm/pgalloc-64.h
8678+++ b/arch/powerpc/include/asm/pgalloc-64.h
8679@@ -54,6 +54,7 @@ static inline void pgd_free(struct mm_struct *mm, pgd_t *pgd)
8680 #ifndef CONFIG_PPC_64K_PAGES
8681
8682 #define pgd_populate(MM, PGD, PUD) pgd_set(PGD, PUD)
8683+#define pgd_populate_kernel(MM, PGD, PUD) pgd_populate((MM), (PGD), (PUD))
8684
8685 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
8686 {
8687@@ -71,6 +72,11 @@ static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
8688 pud_set(pud, (unsigned long)pmd);
8689 }
8690
8691+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
8692+{
8693+ pud_populate(mm, pud, pmd);
8694+}
8695+
8696 #define pmd_populate(mm, pmd, pte_page) \
8697 pmd_populate_kernel(mm, pmd, page_address(pte_page))
8698 #define pmd_populate_kernel(mm, pmd, pte) pmd_set(pmd, (unsigned long)(pte))
8699@@ -173,6 +179,7 @@ extern void __tlb_remove_table(void *_table);
8700 #endif
8701
8702 #define pud_populate(mm, pud, pmd) pud_set(pud, (unsigned long)pmd)
8703+#define pud_populate_kernel(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
8704
8705 static inline void pmd_populate_kernel(struct mm_struct *mm, pmd_t *pmd,
8706 pte_t *pte)
8707diff --git a/arch/powerpc/include/asm/pgtable.h b/arch/powerpc/include/asm/pgtable.h
8708index 11a3863..108f194 100644
8709--- a/arch/powerpc/include/asm/pgtable.h
8710+++ b/arch/powerpc/include/asm/pgtable.h
8711@@ -2,6 +2,7 @@
8712 #define _ASM_POWERPC_PGTABLE_H
8713 #ifdef __KERNEL__
8714
8715+#include <linux/const.h>
8716 #ifndef __ASSEMBLY__
8717 #include <linux/mmdebug.h>
8718 #include <linux/mmzone.h>
8719diff --git a/arch/powerpc/include/asm/pte-hash32.h b/arch/powerpc/include/asm/pte-hash32.h
8720index 62cfb0c..50c6402 100644
8721--- a/arch/powerpc/include/asm/pte-hash32.h
8722+++ b/arch/powerpc/include/asm/pte-hash32.h
8723@@ -20,6 +20,7 @@
8724 #define _PAGE_HASHPTE 0x002 /* hash_page has made an HPTE for this pte */
8725 #define _PAGE_USER 0x004 /* usermode access allowed */
8726 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
8727+#define _PAGE_EXEC _PAGE_GUARDED
8728 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
8729 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
8730 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
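Review bot: `#define _PAGE_EXEC _PAGE_GUARDED` is the only definition in this table without a trailing comment, and it is the one that most needs it, because it makes two differently named flags the same bit. Any test of `_PAGE_EXEC` will also be true for mappings that set G for other reasons, and the new `DSISR_GUARDED` define in reg.h suggests the fault path relies on this (inferred, not shown here). A comment such as `/* PaX: G bit reused to track executability on hash32; see DSISR_GUARDED handling */` would document the aliasing and point the reader to where it is consumed.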
8731diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h
8732index af56b5c..f86f3f6 100644
8733--- a/arch/powerpc/include/asm/reg.h
8734+++ b/arch/powerpc/include/asm/reg.h
8735@@ -253,6 +253,7 @@
8736 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
8737 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
8738 #define DSISR_NOHPTE 0x40000000 /* no translation found */
8739+#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
8740 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
8741 #define DSISR_ISSTORE 0x02000000 /* access was a store */
8742 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
8743diff --git a/arch/powerpc/include/asm/smp.h b/arch/powerpc/include/asm/smp.h
8744index 825663c..f9e9134 100644
8745--- a/arch/powerpc/include/asm/smp.h
8746+++ b/arch/powerpc/include/asm/smp.h
8747@@ -51,7 +51,7 @@ struct smp_ops_t {
8748 int (*cpu_disable)(void);
8749 void (*cpu_die)(unsigned int nr);
8750 int (*cpu_bootable)(unsigned int nr);
8751-};
8752+} __no_const;
8753
8754 extern void smp_send_debugger_break(void);
8755 extern void start_secondary_resume(void);
8756diff --git a/arch/powerpc/include/asm/spinlock.h b/arch/powerpc/include/asm/spinlock.h
8757index 4dbe072..b803275 100644
8758--- a/arch/powerpc/include/asm/spinlock.h
8759+++ b/arch/powerpc/include/asm/spinlock.h
8760@@ -204,13 +204,29 @@ static inline long __arch_read_trylock(arch_rwlock_t *rw)
8761 __asm__ __volatile__(
8762 "1: " PPC_LWARX(%0,0,%1,1) "\n"
8763 __DO_SIGN_EXTEND
8764-" addic. %0,%0,1\n\
8765- ble- 2f\n"
8766+
8767+#ifdef CONFIG_PAX_REFCOUNT
8768+" mcrxr cr0\n"
8769+" addico. %0,%0,1\n"
8770+" bf 4*cr0+so, 3f\n"
8771+"2:.long " "0x00c00b00""\n"
8772+#else
8773+" addic. %0,%0,1\n"
8774+#endif
8775+
8776+"3:\n"
8777+ "ble- 4f\n"
8778 PPC405_ERR77(0,%1)
8779 " stwcx. %0,0,%1\n\
8780 bne- 1b\n"
8781 PPC_ACQUIRE_BARRIER
8782-"2:" : "=&r" (tmp)
8783+"4:"
8784+
8785+#ifdef CONFIG_PAX_REFCOUNT
8786+ _ASM_EXTABLE(2b,4b)
8787+#endif
8788+
8789+ : "=&r" (tmp)
8790 : "r" (&rw->lock)
8791 : "cr0", "xer", "memory");
8792
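Review bot: The `CONFIG_PAX_REFCOUNT` branch uses the mnemonic `addico.`, and I do not believe that instruction exists: `addic`/`addic.` are D-form and have no overflow-enable variant, only the XO-form adds (`addo.`, `addco.`) do. If so, this file will not assemble with the option enabled. The arch_read_unlock hunk below has the same problem with `addico. %0,%0,-1`. A form that should assemble is to place the immediate in a register operand and use `addo.` as the atomic.h and local.h hunks do. Please confirm with a PAX_REFCOUNT build for this architecture. The body of `__arch_read_trylock()` starts outside the hunk.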
8793@@ -286,11 +302,27 @@ static inline void arch_read_unlock(arch_rwlock_t *rw)
8794 __asm__ __volatile__(
8795 "# read_unlock\n\t"
8796 PPC_RELEASE_BARRIER
8797-"1: lwarx %0,0,%1\n\
8798- addic %0,%0,-1\n"
8799+"1: lwarx %0,0,%1\n"
8800+
8801+#ifdef CONFIG_PAX_REFCOUNT
8802+" mcrxr cr0\n"
8803+" addico. %0,%0,-1\n"
8804+" bf 4*cr0+so, 3f\n"
8805+"2:.long " "0x00c00b00""\n"
8806+#else
8807+" addic. %0,%0,-1\n"
8808+#endif
8809+
8810+"3:\n"
8811 PPC405_ERR77(0,%1)
8812 " stwcx. %0,0,%1\n\
8813 bne- 1b"
8814+
8815+#ifdef CONFIG_PAX_REFCOUNT
8816+"\n4:\n"
8817+ _ASM_EXTABLE(2b, 4b)
8818+#endif
8819+
8820 : "=&r"(tmp)
8821 : "r"(&rw->lock)
8822 : "cr0", "xer", "memory");
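Review bot: The `#else` branch does not reproduce the original instruction: the removed line was `addic %0,%0,-1` and the replacement is `addic. %0,%0,-1`, so a build without `CONFIG_PAX_REFCOUNT` now gets the record form. It is harmless here because `cr0` is already in the clobber list and `stwcx.` rewrites CR0 anyway, but the non-PaX path should stay byte-identical to upstream: `" addic %0,%0,-1\n"`. The start of `arch_read_unlock()` is outside the hunk.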
8823diff --git a/arch/powerpc/include/asm/thread_info.h b/arch/powerpc/include/asm/thread_info.h
8824index 7efee4a..48d47cc 100644
8825--- a/arch/powerpc/include/asm/thread_info.h
8826+++ b/arch/powerpc/include/asm/thread_info.h
8827@@ -101,6 +101,8 @@ static inline struct thread_info *current_thread_info(void)
8828 #if defined(CONFIG_PPC64)
8829 #define TIF_ELF2ABI 18 /* function descriptors must die! */
8830 #endif
8831+/* mask must be expressable within 16 bits to satisfy 'andi' instruction reqs */
8832+#define TIF_GRSEC_SETXID 6 /* update credentials on syscall entry/exit */
8833
8834 /* as above, but as bit values */
8835 #define _TIF_SYSCALL_TRACE (1<<TIF_SYSCALL_TRACE)
8836@@ -119,9 +121,10 @@ static inline struct thread_info *current_thread_info(void)
8837 #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
8838 #define _TIF_EMULATE_STACK_STORE (1<<TIF_EMULATE_STACK_STORE)
8839 #define _TIF_NOHZ (1<<TIF_NOHZ)
8840+#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
8841 #define _TIF_SYSCALL_DOTRACE (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | \
8842 _TIF_SECCOMP | _TIF_SYSCALL_TRACEPOINT | \
8843- _TIF_NOHZ)
8844+ _TIF_NOHZ | _TIF_GRSEC_SETXID)
8845
8846 #define _TIF_USER_WORK_MASK (_TIF_SIGPENDING | _TIF_NEED_RESCHED | \
8847 _TIF_NOTIFY_RESUME | _TIF_UPROBE | \
8848diff --git a/arch/powerpc/include/asm/uaccess.h b/arch/powerpc/include/asm/uaccess.h
8849index 2a8ebae..5643c6f 100644
8850--- a/arch/powerpc/include/asm/uaccess.h
8851+++ b/arch/powerpc/include/asm/uaccess.h
8852@@ -58,6 +58,7 @@
8853
8854 #endif
8855
8856+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
8857 #define access_ok(type, addr, size) \
8858 (__chk_user_ptr(addr), \
8859 __access_ok((__force unsigned long)(addr), (size), get_fs()))
8860@@ -318,52 +319,6 @@ do { \
8861 extern unsigned long __copy_tofrom_user(void __user *to,
8862 const void __user *from, unsigned long size);
8863
8864-#ifndef __powerpc64__
8865-
8866-static inline unsigned long copy_from_user(void *to,
8867- const void __user *from, unsigned long n)
8868-{
8869- unsigned long over;
8870-
8871- if (access_ok(VERIFY_READ, from, n))
8872- return __copy_tofrom_user((__force void __user *)to, from, n);
8873- if ((unsigned long)from < TASK_SIZE) {
8874- over = (unsigned long)from + n - TASK_SIZE;
8875- return __copy_tofrom_user((__force void __user *)to, from,
8876- n - over) + over;
8877- }
8878- return n;
8879-}
8880-
8881-static inline unsigned long copy_to_user(void __user *to,
8882- const void *from, unsigned long n)
8883-{
8884- unsigned long over;
8885-
8886- if (access_ok(VERIFY_WRITE, to, n))
8887- return __copy_tofrom_user(to, (__force void __user *)from, n);
8888- if ((unsigned long)to < TASK_SIZE) {
8889- over = (unsigned long)to + n - TASK_SIZE;
8890- return __copy_tofrom_user(to, (__force void __user *)from,
8891- n - over) + over;
8892- }
8893- return n;
8894-}
8895-
8896-#else /* __powerpc64__ */
8897-
8898-#define __copy_in_user(to, from, size) \
8899- __copy_tofrom_user((to), (from), (size))
8900-
8901-extern unsigned long copy_from_user(void *to, const void __user *from,
8902- unsigned long n);
8903-extern unsigned long copy_to_user(void __user *to, const void *from,
8904- unsigned long n);
8905-extern unsigned long copy_in_user(void __user *to, const void __user *from,
8906- unsigned long n);
8907-
8908-#endif /* __powerpc64__ */
8909-
8910 static inline unsigned long __copy_from_user_inatomic(void *to,
8911 const void __user *from, unsigned long n)
8912 {
8913@@ -387,6 +342,10 @@ static inline unsigned long __copy_from_user_inatomic(void *to,
8914 if (ret == 0)
8915 return 0;
8916 }
8917+
8918+ if (!__builtin_constant_p(n))
8919+ check_object_size(to, n, false);
8920+
8921 return __copy_tofrom_user((__force void __user *)to, from, n);
8922 }
8923
8924@@ -413,6 +372,10 @@ static inline unsigned long __copy_to_user_inatomic(void __user *to,
8925 if (ret == 0)
8926 return 0;
8927 }
8928+
8929+ if (!__builtin_constant_p(n))
8930+ check_object_size(from, n, true);
8931+
8932 return __copy_tofrom_user(to, (__force const void __user *)from, n);
8933 }
8934
8935@@ -430,6 +393,92 @@ static inline unsigned long __copy_to_user(void __user *to,
8936 return __copy_to_user_inatomic(to, from, size);
8937 }
8938
8939+#ifndef __powerpc64__
8940+
8941+static inline unsigned long __must_check copy_from_user(void *to,
8942+ const void __user *from, unsigned long n)
8943+{
8944+ unsigned long over;
8945+
8946+ if ((long)n < 0)
8947+ return n;
8948+
8949+ if (access_ok(VERIFY_READ, from, n)) {
8950+ if (!__builtin_constant_p(n))
8951+ check_object_size(to, n, false);
8952+ return __copy_tofrom_user((__force void __user *)to, from, n);
8953+ }
8954+ if ((unsigned long)from < TASK_SIZE) {
8955+ over = (unsigned long)from + n - TASK_SIZE;
8956+ if (!__builtin_constant_p(n - over))
8957+ check_object_size(to, n - over, false);
8958+ return __copy_tofrom_user((__force void __user *)to, from,
8959+ n - over) + over;
8960+ }
8961+ return n;
8962+}
8963+
8964+static inline unsigned long __must_check copy_to_user(void __user *to,
8965+ const void *from, unsigned long n)
8966+{
8967+ unsigned long over;
8968+
8969+ if ((long)n < 0)
8970+ return n;
8971+
8972+ if (access_ok(VERIFY_WRITE, to, n)) {
8973+ if (!__builtin_constant_p(n))
8974+ check_object_size(from, n, true);
8975+ return __copy_tofrom_user(to, (__force void __user *)from, n);
8976+ }
8977+ if ((unsigned long)to < TASK_SIZE) {
8978+ over = (unsigned long)to + n - TASK_SIZE;
8979+ if (!__builtin_constant_p(n))
8980+ check_object_size(from, n - over, true);
8981+ return __copy_tofrom_user(to, (__force void __user *)from,
8982+ n - over) + over;
8983+ }
8984+ return n;
8985+}
8986+
8987+#else /* __powerpc64__ */
8988+
8989+#define __copy_in_user(to, from, size) \
8990+ __copy_tofrom_user((to), (from), (size))
8991+
8992+static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
8993+{
8994+ if ((long)n < 0 || n > INT_MAX)
8995+ return n;
8996+
8997+ if (!__builtin_constant_p(n))
8998+ check_object_size(to, n, false);
8999+
9000+ if (likely(access_ok(VERIFY_READ, from, n)))
9001+ n = __copy_from_user(to, from, n);
9002+ else
9003+ memset(to, 0, n);
9004+ return n;
9005+}
9006+
9007+static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
9008+{
9009+ if ((long)n < 0 || n > INT_MAX)
9010+ return n;
9011+
9012+ if (likely(access_ok(VERIFY_WRITE, to, n))) {
9013+ if (!__builtin_constant_p(n))
9014+ check_object_size(from, n, true);
9015+ n = __copy_to_user(to, from, n);
9016+ }
9017+ return n;
9018+}
9019+
9020+extern unsigned long copy_in_user(void __user *to, const void __user *from,
9021+ unsigned long n);
9022+
9023+#endif /* __powerpc64__ */
9024+
9025 extern unsigned long __clear_user(void __user *addr, unsigned long size);
9026
9027 static inline unsigned long clear_user(void __user *addr, unsigned long size)
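Review bot: The two `copy_from_user()` variants added here disagree on what happens to the destination when the access check fails. The `__powerpc64__` version does `memset(to, 0, n)`, while the 32-bit version falls through to `return n;` and leaves `to` untouched (and leaves the last `over` bytes untouched on the partial path). A caller that mishandles the return value then works on uninitialised kernel memory. Add `memset(to, 0, n);` before the final `return n;` in the 32-bit `copy_from_user()` and clear the uncopied tail on the partial path. Minor: the partial path of 32-bit `copy_to_user()` tests `__builtin_constant_p(n)` but checks `n - over`, whereas `copy_from_user()` tests `__builtin_constant_p(n - over)`; use the same expression in both.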
9028diff --git a/arch/powerpc/kernel/Makefile b/arch/powerpc/kernel/Makefile
9029index 12868b1..5155667 100644
9030--- a/arch/powerpc/kernel/Makefile
9031+++ b/arch/powerpc/kernel/Makefile
9032@@ -14,6 +14,11 @@ CFLAGS_prom_init.o += -fPIC
9033 CFLAGS_btext.o += -fPIC
9034 endif
9035
9036+CFLAGS_REMOVE_cputable.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
9037+CFLAGS_REMOVE_prom_init.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
9038+CFLAGS_REMOVE_btext.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
9039+CFLAGS_REMOVE_prom.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)
9040+
9041 ifdef CONFIG_FUNCTION_TRACER
9042 # Do not trace early boot code
9043 CFLAGS_REMOVE_cputable.o = -pg -mno-sched-epilog
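Review bot: The added `CFLAGS_REMOVE_cputable.o = $(LATENT_ENTROPY_PLUGIN_CFLAGS)` is overwritten a few lines later when `CONFIG_FUNCTION_TRACER` is set, because the existing line inside the `ifdef` is a plain assignment, `CFLAGS_REMOVE_cputable.o = -pg -mno-sched-epilog`. With the tracer enabled the plugin flags are therefore not removed for that object. The same presumably holds for `btext.o` and `prom.o`, whose tracer lines are outside the hunk. The second hunk re-adds the flags with `+=` for `prom_init.o` only. Move all four removals below the `endif` and use `+=`, e.g. `CFLAGS_REMOVE_cputable.o += $(LATENT_ENTROPY_PLUGIN_CFLAGS)`.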
9044@@ -26,6 +31,8 @@ CFLAGS_REMOVE_ftrace.o = -pg -mno-sched-epilog
9045 CFLAGS_REMOVE_time.o = -pg -mno-sched-epilog
9046 endif
9047
9048+CFLAGS_REMOVE_prom_init.o += $(LATENT_ENTROPY_PLUGIN_CFLAGS)
9049+
9050 obj-y := cputable.o ptrace.o syscalls.o \
9051 irq.o align.o signal_32.o pmc.o vdso.o \
9052 process.o systbl.o idle.o \
9053diff --git a/arch/powerpc/kernel/exceptions-64e.S b/arch/powerpc/kernel/exceptions-64e.S
9054index 3e68d1c..72a5ee6 100644
9055--- a/arch/powerpc/kernel/exceptions-64e.S
9056+++ b/arch/powerpc/kernel/exceptions-64e.S
9057@@ -1010,6 +1010,7 @@ storage_fault_common:
9058 std r14,_DAR(r1)
9059 std r15,_DSISR(r1)
9060 addi r3,r1,STACK_FRAME_OVERHEAD
9061+ bl save_nvgprs
9062 mr r4,r14
9063 mr r5,r15
9064 ld r14,PACA_EXGEN+EX_R14(r13)
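Review bot: `bl save_nvgprs` is inserted while r14 and r15 still hold the DAR and DSISR values that were just stored. The interrupted context's r14 is reloaded from `PACA_EXGEN+EX_R14(r13)` only after the call (the r15 reload and `bl do_page_fault` are presumably the lines just past this hunk). If `save_nvgprs` stores r14–r31 into the exception frame, as its name suggests, the frame will record the fault address and status in GPR14/GPR15 instead of the interrupted values. Place the call after the PACA reloads, immediately before `bl do_page_fault`. The second hunk of this file then needs no further change.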
9065@@ -1018,8 +1019,7 @@ storage_fault_common:
9066 cmpdi r3,0
9067 bne- 1f
9068 b ret_from_except_lite
9069-1: bl save_nvgprs
9070- mr r5,r3
9071+1: mr r5,r3
9072 addi r3,r1,STACK_FRAME_OVERHEAD
9073 ld r4,_DAR(r1)
9074 bl bad_page_fault
9075diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S
9076index 0a0399c2..262a2e6 100644
9077--- a/arch/powerpc/kernel/exceptions-64s.S
9078+++ b/arch/powerpc/kernel/exceptions-64s.S
9079@@ -1591,10 +1591,10 @@ handle_page_fault:
9080 11: ld r4,_DAR(r1)
9081 ld r5,_DSISR(r1)
9082 addi r3,r1,STACK_FRAME_OVERHEAD
9083+ bl save_nvgprs
9084 bl do_page_fault
9085 cmpdi r3,0
9086 beq+ 12f
9087- bl save_nvgprs
9088 mr r5,r3
9089 addi r3,r1,STACK_FRAME_OVERHEAD
9090 lwz r4,_DAR(r1)
9091diff --git a/arch/powerpc/kernel/irq.c b/arch/powerpc/kernel/irq.c
9092index 4509603..cdb491f 100644
9093--- a/arch/powerpc/kernel/irq.c
9094+++ b/arch/powerpc/kernel/irq.c
9095@@ -460,6 +460,8 @@ void migrate_irqs(void)
9096 }
9097 #endif
9098
9099+extern void gr_handle_kernel_exploit(void);
9100+
9101 static inline void check_stack_overflow(void)
9102 {
9103 #ifdef CONFIG_DEBUG_STACKOVERFLOW
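Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in this .c file, and the identical declaration is repeated in the traps.c hunk. The ptrace.c hunk does the same for `gr_delayed_cred_worker()`. Local extern prototypes are not checked against the definition, so a later signature change would compile silently. Put the prototype in one header that the definition also includes, and include that header here. The body of `check_stack_overflow()` continues outside the hunk.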
9104@@ -472,6 +474,7 @@ static inline void check_stack_overflow(void)
9105 pr_err("do_IRQ: stack overflow: %ld\n",
9106 sp - sizeof(struct thread_info));
9107 dump_stack();
9108+ gr_handle_kernel_exploit();
9109 }
9110 #endif
9111 }
9112diff --git a/arch/powerpc/kernel/module_32.c b/arch/powerpc/kernel/module_32.c
9113index c94d2e0..992a9ce 100644
9114--- a/arch/powerpc/kernel/module_32.c
9115+++ b/arch/powerpc/kernel/module_32.c
9116@@ -158,7 +158,7 @@ int module_frob_arch_sections(Elf32_Ehdr *hdr,
9117 me->arch.core_plt_section = i;
9118 }
9119 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
9120- pr_err("Module doesn't contain .plt or .init.plt sections.\n");
9121+ pr_err("Module $s doesn't contain .plt or .init.plt sections.\n", me->name);
9122 return -ENOEXEC;
9123 }
9124
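Review bot: The new message uses `$s` instead of `%s`, so the module name is never printed and `me->name` is passed as an unused extra argument. The line should read `pr_err("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);`.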
9125@@ -188,11 +188,16 @@ static uint32_t do_plt_call(void *location,
9126
9127 pr_debug("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
9128 /* Init, or core PLT? */
9129- if (location >= mod->module_core
9130- && location < mod->module_core + mod->core_size)
9131+ if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
9132+ (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
9133 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
9134- else
9135+ else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
9136+ (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
9137 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
9138+ else {
9139+ printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
9140+ return ~0UL;
9141+ }
9142
9143 /* Find this entry, or if that fails, the next avail. entry */
9144 while (entry->jump[0]) {
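Review bot: The new failure path returns `~0UL` from a function whose return type is `uint32_t`, and nothing visible tests for it. The caller in the next hunk assigns the result straight to `module->arch.tramp`, and the relocation callers outside this hunk presumably use it as a branch target as well. An out-of-range `location` would then be turned into a jump to 0xffffffff rather than a load failure. Have each caller check the value and fail the load, along the lines of `if (module->arch.tramp == (uint32_t)~0UL) return -ENOEXEC;` (type of `tramp` to be confirmed). For consistency with the previous hunk, use `pr_err("%s: invalid R_PPC_REL24 entry found\n", mod->name);` instead of `printk(KERN_ERR ...)`.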
9145@@ -296,7 +301,7 @@ int apply_relocate_add(Elf32_Shdr *sechdrs,
9146 }
9147 #ifdef CONFIG_DYNAMIC_FTRACE
9148 module->arch.tramp =
9149- do_plt_call(module->module_core,
9150+ do_plt_call(module->module_core_rx,
9151 (unsigned long)ftrace_caller,
9152 sechdrs, module);
9153 #endif
9154diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
9155index 64e6e9d..cf90ed5 100644
9156--- a/arch/powerpc/kernel/process.c
9157+++ b/arch/powerpc/kernel/process.c
9158@@ -1033,8 +1033,8 @@ void show_regs(struct pt_regs * regs)
9159 * Lookup NIP late so we have the best change of getting the
9160 * above info out without failing
9161 */
9162- printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
9163- printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
9164+ printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
9165+ printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
9166 #endif
9167 show_stack(current, (unsigned long *) regs->gpr[1]);
9168 if (!user_mode(regs))
9169@@ -1550,10 +1550,10 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
9170 newsp = stack[0];
9171 ip = stack[STACK_FRAME_LR_SAVE];
9172 if (!firstframe || ip != lr) {
9173- printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
9174+ printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
9175 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
9176 if ((ip == rth) && curr_frame >= 0) {
9177- printk(" (%pS)",
9178+ printk(" (%pA)",
9179 (void *)current->ret_stack[curr_frame].ret);
9180 curr_frame--;
9181 }
9182@@ -1573,7 +1573,7 @@ void show_stack(struct task_struct *tsk, unsigned long *stack)
9183 struct pt_regs *regs = (struct pt_regs *)
9184 (sp + STACK_FRAME_OVERHEAD);
9185 lr = regs->link;
9186- printk("--- interrupt: %lx at %pS\n LR = %pS\n",
9187+ printk("--- interrupt: %lx at %pA\n LR = %pA\n",
9188 regs->trap, (void *)regs->nip, (void *)lr);
9189 firstframe = 1;
9190 }
9191@@ -1609,49 +1609,3 @@ void notrace __ppc64_runlatch_off(void)
9192 mtspr(SPRN_CTRLT, ctrl);
9193 }
9194 #endif /* CONFIG_PPC64 */
9195-
9196-unsigned long arch_align_stack(unsigned long sp)
9197-{
9198- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
9199- sp -= get_random_int() & ~PAGE_MASK;
9200- return sp & ~0xf;
9201-}
9202-
9203-static inline unsigned long brk_rnd(void)
9204-{
9205- unsigned long rnd = 0;
9206-
9207- /* 8MB for 32bit, 1GB for 64bit */
9208- if (is_32bit_task())
9209- rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
9210- else
9211- rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
9212-
9213- return rnd << PAGE_SHIFT;
9214-}
9215-
9216-unsigned long arch_randomize_brk(struct mm_struct *mm)
9217-{
9218- unsigned long base = mm->brk;
9219- unsigned long ret;
9220-
9221-#ifdef CONFIG_PPC_STD_MMU_64
9222- /*
9223- * If we are using 1TB segments and we are allowed to randomise
9224- * the heap, we can put it above 1TB so it is backed by a 1TB
9225- * segment. Otherwise the heap will be in the bottom 1TB
9226- * which always uses 256MB segments and this may result in a
9227- * performance penalty.
9228- */
9229- if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
9230- base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
9231-#endif
9232-
9233- ret = PAGE_ALIGN(base + brk_rnd());
9234-
9235- if (ret < mm->brk)
9236- return mm->brk;
9237-
9238- return ret;
9239-}
9240-
9241diff --git a/arch/powerpc/kernel/ptrace.c b/arch/powerpc/kernel/ptrace.c
9242index f21897b..28c0428 100644
9243--- a/arch/powerpc/kernel/ptrace.c
9244+++ b/arch/powerpc/kernel/ptrace.c
9245@@ -1762,6 +1762,10 @@ long arch_ptrace(struct task_struct *child, long request,
9246 return ret;
9247 }
9248
9249+#ifdef CONFIG_GRKERNSEC_SETXID
9250+extern void gr_delayed_cred_worker(void);
9251+#endif
9252+
9253 /*
9254 * We must return the syscall number to actually look up in the table.
9255 * This can be -1L to skip running any syscall at all.
9256@@ -1774,6 +1778,11 @@ long do_syscall_trace_enter(struct pt_regs *regs)
9257
9258 secure_computing_strict(regs->gpr[0]);
9259
9260+#ifdef CONFIG_GRKERNSEC_SETXID
9261+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
9262+ gr_delayed_cred_worker();
9263+#endif
9264+
9265 if (test_thread_flag(TIF_SYSCALL_TRACE) &&
9266 tracehook_report_syscall_entry(regs))
9267 /*
9268@@ -1805,6 +1814,11 @@ void do_syscall_trace_leave(struct pt_regs *regs)
9269 {
9270 int step;
9271
9272+#ifdef CONFIG_GRKERNSEC_SETXID
9273+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
9274+ gr_delayed_cred_worker();
9275+#endif
9276+
9277 audit_syscall_exit(regs);
9278
9279 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
9280diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
9281index da50e0c..5ff6307 100644
9282--- a/arch/powerpc/kernel/signal_32.c
9283+++ b/arch/powerpc/kernel/signal_32.c
9284@@ -1009,7 +1009,7 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
9285 /* Save user registers on the stack */
9286 frame = &rt_sf->uc.uc_mcontext;
9287 addr = frame;
9288- if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
9289+ if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
9290 sigret = 0;
9291 tramp = current->mm->context.vdso_base + vdso32_rt_sigtramp;
9292 } else {
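Review bot: The test changes from "vdso_base is non-zero" to `vdso_base != ~0UL`, so a base of 0 is now treated as a mapped vDSO and `tramp` becomes `0 + vdso32_rt_sigtramp`. That is only safe if every path that leaves a process without a vDSO stores `~0UL`, including a freshly zeroed mm context; none of those sites are visible in this hunk, so please confirm them. A named constant or a comment at the test, e.g. `/* vdso_base == ~0UL: no vDSO mapped */`, would make the sentinel discoverable. The signal_64.c hunk makes the same change. `handle_rt_signal32()` starts and ends outside the hunk.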
9293diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
9294index c7c24d2..1bf7039 100644
9295--- a/arch/powerpc/kernel/signal_64.c
9296+++ b/arch/powerpc/kernel/signal_64.c
9297@@ -754,7 +754,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, struct pt_regs *regs
9298 current->thread.fp_state.fpscr = 0;
9299
9300 /* Set up to return from userspace. */
9301- if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
9302+ if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
9303 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
9304 } else {
9305 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
9306diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c
9307index 37de90f..12472ac 100644
9308--- a/arch/powerpc/kernel/traps.c
9309+++ b/arch/powerpc/kernel/traps.c
9310@@ -36,6 +36,7 @@
9311 #include <linux/debugfs.h>
9312 #include <linux/ratelimit.h>
9313 #include <linux/context_tracking.h>
9314+#include <linux/uaccess.h>
9315
9316 #include <asm/emulated_ops.h>
9317 #include <asm/pgtable.h>
9318@@ -142,6 +143,8 @@ static unsigned __kprobes long oops_begin(struct pt_regs *regs)
9319 return flags;
9320 }
9321
9322+extern void gr_handle_kernel_exploit(void);
9323+
9324 static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
9325 int signr)
9326 {
9327@@ -191,6 +194,9 @@ static void __kprobes oops_end(unsigned long flags, struct pt_regs *regs,
9328 panic("Fatal exception in interrupt");
9329 if (panic_on_oops)
9330 panic("Fatal exception");
9331+
9332+ gr_handle_kernel_exploit();
9333+
9334 do_exit(signr);
9335 }
9336
9337@@ -1139,6 +1145,26 @@ void __kprobes program_check_exception(struct pt_regs *regs)
9338 enum ctx_state prev_state = exception_enter();
9339 unsigned int reason = get_reason(regs);
9340
9341+#ifdef CONFIG_PAX_REFCOUNT
9342+ unsigned int bkpt;
9343+ const struct exception_table_entry *entry;
9344+
9345+ if (reason & REASON_ILLEGAL) {
9346+ /* Check if PaX bad instruction */
9347+ if (!probe_kernel_address(regs->nip, bkpt) && bkpt == 0xc00b00) {
9348+ current->thread.trap_nr = 0;
9349+ pax_report_refcount_overflow(regs);
9350+ /* fixup_exception() for PowerPC does not exist, simulate its job */
9351+ if ((entry = search_exception_tables(regs->nip)) != NULL) {
9352+ regs->nip = entry->fixup;
9353+ return;
9354+ }
9355+ /* fixup_exception() could not handle */
9356+ goto bail;
9357+ }
9358+ }
9359+#endif
9360+
9361 /* We can now get here via a FP Unavailable exception if the core
9362 * has no FPU, in that case the reason flags will be 0 */
9363
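Review bot: The refcount branch in program_check_exception() tests only `reason & REASON_ILLEGAL` and the word at `regs->nip`, and never checks that the trap was taken in kernel mode. If `probe_kernel_address()` can read a user address here, as seems likely, a user task that executes the same instruction word would reach `pax_report_refcount_overflow()` and produce a misleading report. Guarding the outer test, `if (!user_mode(regs) && (reason & REASON_ILLEGAL)) {`, keeps the path to kernel faults. The literal `0xc00b00` would also read better as a named constant shared with the code that emits the instruction. The function body and the `bail` label lie outside this hunk, and the behaviour of `pax_report_refcount_overflow()` is not visible here.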
9364diff --git a/arch/powerpc/kernel/vdso.c b/arch/powerpc/kernel/vdso.c
9365index b457bfa..9018cde 100644
9366--- a/arch/powerpc/kernel/vdso.c
9367+++ b/arch/powerpc/kernel/vdso.c
9368@@ -34,6 +34,7 @@
9369 #include <asm/vdso.h>
9370 #include <asm/vdso_datapage.h>
9371 #include <asm/setup.h>
9372+#include <asm/mman.h>
9373
9374 #undef DEBUG
9375
9376@@ -179,7 +180,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
9377 vdso_base = VDSO32_MBASE;
9378 #endif
9379
9380- current->mm->context.vdso_base = 0;
9381+ current->mm->context.vdso_base = ~0UL;
9382
9383 /* vDSO has a problem and was disabled, just don't "enable" it for the
9384 * process
9385@@ -199,7 +200,7 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
9386 vdso_base = get_unmapped_area(NULL, vdso_base,
9387 (vdso_pages << PAGE_SHIFT) +
9388 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
9389- 0, 0);
9390+ 0, MAP_PRIVATE | MAP_EXECUTABLE);
9391 if (IS_ERR_VALUE(vdso_base)) {
9392 rc = vdso_base;
9393 goto fail_mmapsem;
9394diff --git a/arch/powerpc/kvm/powerpc.c b/arch/powerpc/kvm/powerpc.c
9395index e5dde32..557af3d 100644
9396--- a/arch/powerpc/kvm/powerpc.c
9397+++ b/arch/powerpc/kvm/powerpc.c
9398@@ -1404,7 +1404,7 @@ void kvmppc_init_lpid(unsigned long nr_lpids_param)
9399 }
9400 EXPORT_SYMBOL_GPL(kvmppc_init_lpid);
9401
9402-int kvm_arch_init(void *opaque)
9403+int kvm_arch_init(const void *opaque)
9404 {
9405 return 0;
9406 }
9407diff --git a/arch/powerpc/lib/usercopy_64.c b/arch/powerpc/lib/usercopy_64.c
9408index 5eea6f3..5d10396 100644
9409--- a/arch/powerpc/lib/usercopy_64.c
9410+++ b/arch/powerpc/lib/usercopy_64.c
9411@@ -9,22 +9,6 @@
9412 #include <linux/module.h>
9413 #include <asm/uaccess.h>
9414
9415-unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
9416-{
9417- if (likely(access_ok(VERIFY_READ, from, n)))
9418- n = __copy_from_user(to, from, n);
9419- else
9420- memset(to, 0, n);
9421- return n;
9422-}
9423-
9424-unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
9425-{
9426- if (likely(access_ok(VERIFY_WRITE, to, n)))
9427- n = __copy_to_user(to, from, n);
9428- return n;
9429-}
9430-
9431 unsigned long copy_in_user(void __user *to, const void __user *from,
9432 unsigned long n)
9433 {
9434@@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *to, const void __user *from,
9435 return n;
9436 }
9437
9438-EXPORT_SYMBOL(copy_from_user);
9439-EXPORT_SYMBOL(copy_to_user);
9440 EXPORT_SYMBOL(copy_in_user);
9441
9442diff --git a/arch/powerpc/mm/fault.c b/arch/powerpc/mm/fault.c
9443index a67c6d7..a662e6d 100644
9444--- a/arch/powerpc/mm/fault.c
9445+++ b/arch/powerpc/mm/fault.c
9446@@ -34,6 +34,10 @@
9447 #include <linux/context_tracking.h>
9448 #include <linux/hugetlb.h>
9449 #include <linux/uaccess.h>
9450+#include <linux/slab.h>
9451+#include <linux/pagemap.h>
9452+#include <linux/compiler.h>
9453+#include <linux/unistd.h>
9454
9455 #include <asm/firmware.h>
9456 #include <asm/page.h>
9457@@ -68,6 +72,33 @@ static inline int notify_page_fault(struct pt_regs *regs)
9458 }
9459 #endif
9460
9461+#ifdef CONFIG_PAX_PAGEEXEC
9462+/*
9463+ * PaX: decide what to do with offenders (regs->nip = fault address)
9464+ *
9465+ * returns 1 when task should be killed
9466+ */
9467+static int pax_handle_fetch_fault(struct pt_regs *regs)
9468+{
9469+ return 1;
9470+}
9471+
9472+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
9473+{
9474+ unsigned long i;
9475+
9476+ printk(KERN_ERR "PAX: bytes at PC: ");
9477+ for (i = 0; i < 5; i++) {
9478+ unsigned int c;
9479+ if (get_user(c, (unsigned int __user *)pc+i))
9480+ printk(KERN_CONT "???????? ");
9481+ else
9482+ printk(KERN_CONT "%08x ", c);
9483+ }
9484+ printk("\n");
9485+}
9486+#endif
9487+
9488 /*
9489 * Check whether the instruction at regs->nip is a store using
9490 * an update addressing form which will update r1.
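Review bot: pax_report_insns() ends its dump with `printk("\n");`, while every other fragment of the line is tagged `KERN_CONT`; `printk(KERN_CONT "\n");` keeps the terminator explicitly part of the same record. The loop bound `5` and the unused `regs` and `sp` parameters are undocumented. A short comment such as `/* dump five 32-bit instruction words starting at the faulting PC */` would help. So would a note that pax_handle_fetch_fault() is a stub that always requests a kill on powerpc.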
9491@@ -227,7 +258,7 @@ int __kprobes do_page_fault(struct pt_regs *regs, unsigned long address,
9492 * indicate errors in DSISR but can validly be set in SRR1.
9493 */
9494 if (trap == 0x400)
9495- error_code &= 0x48200000;
9496+ error_code &= 0x58200000;
9497 else
9498 is_write = error_code & DSISR_ISSTORE;
9499 #else
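Review bot: The new mask `0x58200000` is still an unexplained literal. The only bit it adds over the old value is `0x10000000`, which the next hunk of this file replaces with `DSISR_GUARDED`. A comment on this line, for example `/* also keep DSISR_GUARDED so no-execute fetch faults reach the is_exec checks below */`, would record why the bit must survive the masking. Spelling the mask with the named DSISR constants would be better still, if all of its bits have names. do_page_fault() extends well beyond this hunk.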
9500@@ -384,12 +415,16 @@ good_area:
9501 * "undefined". Of those that can be set, this is the only
9502 * one which seems bad.
9503 */
9504- if (error_code & 0x10000000)
9505+ if (error_code & DSISR_GUARDED)
9506 /* Guarded storage error. */
9507 goto bad_area;
9508 #endif /* CONFIG_8xx */
9509
9510 if (is_exec) {
9511+#ifdef CONFIG_PPC_STD_MMU
9512+ if (error_code & DSISR_GUARDED)
9513+ goto bad_area;
9514+#endif
9515 /*
9516 * Allow execution from readable areas if the MMU does not
9517 * provide separate controls over reading and executing.
9518@@ -484,6 +519,23 @@ bad_area:
9519 bad_area_nosemaphore:
9520 /* User mode accesses cause a SIGSEGV */
9521 if (user_mode(regs)) {
9522+
9523+#ifdef CONFIG_PAX_PAGEEXEC
9524+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
9525+#ifdef CONFIG_PPC_STD_MMU
9526+ if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
9527+#else
9528+ if (is_exec && regs->nip == address) {
9529+#endif
9530+ switch (pax_handle_fetch_fault(regs)) {
9531+ }
9532+
9533+ pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
9534+ do_group_exit(SIGKILL);
9535+ }
9536+ }
9537+#endif
9538+
9539 _exception(SIGSEGV, regs, code, address);
9540 goto bail;
9541 }
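Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has an empty body, so the helper's return value is discarded and the task is killed whatever it returns. Since the powerpc helper added earlier in this file always returns 1, either drop the switch or say so in a comment: `/* no emulation cases on powerpc: pax_handle_fetch_fault() always returns 1, fall through to kill */`. The `if (is_exec && ...) {` line is opened once in each `#ifdef CONFIG_PPC_STD_MMU` branch and closed by a single brace. Computing the condition into a local `bool` first would keep the braces balanced in every configuration.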
9542diff --git a/arch/powerpc/mm/mmap.c b/arch/powerpc/mm/mmap.c
9543index 0f0502e..bc3e7a3 100644
9544--- a/arch/powerpc/mm/mmap.c
9545+++ b/arch/powerpc/mm/mmap.c
9546@@ -86,6 +86,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9547 {
9548 unsigned long random_factor = 0UL;
9549
9550+#ifdef CONFIG_PAX_RANDMMAP
9551+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
9552+#endif
9553+
9554 if (current->flags & PF_RANDOMIZE)
9555 random_factor = arch_mmap_rnd();
9556
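Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own and silently captures the following `if (current->flags & PF_RANDOMIZE)` across the `#endif` and a blank line. Any statement later inserted between them would change what is guarded, and would do so only in PAX_RANDMMAP builds. Either fold the test into the existing condition under the `#ifdef`, or mark the dependency: `/* guards the PF_RANDOMIZE test below; presumably avoids randomising twice, delta_mmap is applied further down */`. The same construct is added in arch_pick_mmap_layout() in arch/s390/mm/mmap.c, and in arch/sh/mm/mmap.c before `if (addr) {` in both arch_get_unmapped_area() and arch_get_unmapped_area_topdown().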
9557@@ -95,9 +99,21 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9558 */
9559 if (mmap_is_legacy()) {
9560 mm->mmap_base = TASK_UNMAPPED_BASE;
9561+
9562+#ifdef CONFIG_PAX_RANDMMAP
9563+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9564+ mm->mmap_base += mm->delta_mmap;
9565+#endif
9566+
9567 mm->get_unmapped_area = arch_get_unmapped_area;
9568 } else {
9569 mm->mmap_base = mmap_base(random_factor);
9570+
9571+#ifdef CONFIG_PAX_RANDMMAP
9572+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9573+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
9574+#endif
9575+
9576 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
9577 }
9578 }
9579diff --git a/arch/powerpc/mm/slice.c b/arch/powerpc/mm/slice.c
9580index 0f432a7..abfe841 100644
9581--- a/arch/powerpc/mm/slice.c
9582+++ b/arch/powerpc/mm/slice.c
9583@@ -105,7 +105,7 @@ static int slice_area_is_free(struct mm_struct *mm, unsigned long addr,
9584 if ((mm->task_size - len) < addr)
9585 return 0;
9586 vma = find_vma(mm, addr);
9587- return (!vma || (addr + len) <= vma->vm_start);
9588+ return check_heap_stack_gap(vma, addr, len, 0);
9589 }
9590
9591 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
9592@@ -277,6 +277,12 @@ static unsigned long slice_find_area_bottomup(struct mm_struct *mm,
9593 info.align_offset = 0;
9594
9595 addr = TASK_UNMAPPED_BASE;
9596+
9597+#ifdef CONFIG_PAX_RANDMMAP
9598+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9599+ addr += mm->delta_mmap;
9600+#endif
9601+
9602 while (addr < TASK_SIZE) {
9603 info.low_limit = addr;
9604 if (!slice_scan_available(addr, available, 1, &addr))
9605@@ -410,6 +416,11 @@ unsigned long slice_get_unmapped_area(unsigned long addr, unsigned long len,
9606 if (fixed && addr > (mm->task_size - len))
9607 return -ENOMEM;
9608
9609+#ifdef CONFIG_PAX_RANDMMAP
9610+ if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
9611+ addr = 0;
9612+#endif
9613+
9614 /* If hint, make sure it matches our alignment restrictions */
9615 if (!fixed && addr) {
9616 addr = _ALIGN_UP(addr, 1ul << pshift);
9617diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c
9618index d966bbe..372124a 100644
9619--- a/arch/powerpc/platforms/cell/spufs/file.c
9620+++ b/arch/powerpc/platforms/cell/spufs/file.c
9621@@ -280,9 +280,9 @@ spufs_mem_mmap_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
9622 return VM_FAULT_NOPAGE;
9623 }
9624
9625-static int spufs_mem_mmap_access(struct vm_area_struct *vma,
9626+static ssize_t spufs_mem_mmap_access(struct vm_area_struct *vma,
9627 unsigned long address,
9628- void *buf, int len, int write)
9629+ void *buf, size_t len, int write)
9630 {
9631 struct spu_context *ctx = vma->vm_file->private_data;
9632 unsigned long offset = address - vma->vm_start;
9633diff --git a/arch/s390/Kconfig.debug b/arch/s390/Kconfig.debug
9634index c56878e..073d04e 100644
9635--- a/arch/s390/Kconfig.debug
9636+++ b/arch/s390/Kconfig.debug
9637@@ -21,6 +21,7 @@ config S390_PTDUMP
9638 bool "Export kernel pagetable layout to userspace via debugfs"
9639 depends on DEBUG_KERNEL
9640 select DEBUG_FS
9641+ depends on !GRKERNSEC_KMEM
9642 ---help---
9643 Say Y here if you want to show the kernel pagetable layout in a
9644 debugfs file. This information is only useful for kernel developers
9645diff --git a/arch/s390/include/asm/atomic.h b/arch/s390/include/asm/atomic.h
9646index adbe380..adb7516 100644
9647--- a/arch/s390/include/asm/atomic.h
9648+++ b/arch/s390/include/asm/atomic.h
9649@@ -317,4 +317,14 @@ static inline long long atomic64_dec_if_positive(atomic64_t *v)
9650 #define atomic64_dec_and_test(_v) (atomic64_sub_return(1, _v) == 0)
9651 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
9652
9653+#define atomic64_read_unchecked(v) atomic64_read(v)
9654+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
9655+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
9656+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
9657+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
9658+#define atomic64_inc_unchecked(v) atomic64_inc(v)
9659+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
9660+#define atomic64_dec_unchecked(v) atomic64_dec(v)
9661+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
9662+
9663 #endif /* __ARCH_S390_ATOMIC__ */
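Review bot: These `atomic64_*_unchecked` macros are plain aliases for the regular operations, and nothing here says so. A reader could take the `_unchecked` suffix to mean the plain forms carry overflow detection on s390. A one-line comment above the block would settle it, for example `/* no refcount overflow detection on s390: the _unchecked API maps 1:1 onto the regular ops */`. This assumes that is indeed the situation, since no checked implementation is visible in this hunk. The list also omits some operations, for example a `sub_return` form, so it is worth confirming that no caller needs them on this architecture.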
9664diff --git a/arch/s390/include/asm/barrier.h b/arch/s390/include/asm/barrier.h
9665index e6f8615..4a66339 100644
9666--- a/arch/s390/include/asm/barrier.h
9667+++ b/arch/s390/include/asm/barrier.h
9668@@ -42,7 +42,7 @@
9669 do { \
9670 compiletime_assert_atomic_type(*p); \
9671 barrier(); \
9672- ACCESS_ONCE(*p) = (v); \
9673+ ACCESS_ONCE_RW(*p) = (v); \
9674 } while (0)
9675
9676 #define smp_load_acquire(p) \
9677diff --git a/arch/s390/include/asm/cache.h b/arch/s390/include/asm/cache.h
9678index 4d7ccac..d03d0ad 100644
9679--- a/arch/s390/include/asm/cache.h
9680+++ b/arch/s390/include/asm/cache.h
9681@@ -9,8 +9,10 @@
9682 #ifndef __ARCH_S390_CACHE_H
9683 #define __ARCH_S390_CACHE_H
9684
9685-#define L1_CACHE_BYTES 256
9686+#include <linux/const.h>
9687+
9688 #define L1_CACHE_SHIFT 8
9689+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9690 #define NET_SKB_PAD 32
9691
9692 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
9693diff --git a/arch/s390/include/asm/elf.h b/arch/s390/include/asm/elf.h
9694index 3ad48f2..64cc6f3 100644
9695--- a/arch/s390/include/asm/elf.h
9696+++ b/arch/s390/include/asm/elf.h
9697@@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
9698 (STACK_TOP / 3 * 2) : \
9699 (STACK_TOP / 3 * 2) & ~((1UL << 32) - 1))
9700
9701+#ifdef CONFIG_PAX_ASLR
9702+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
9703+
9704+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26)
9705+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26)
9706+#endif
9707+
9708 /* This yields a mask that user programs can use to figure out what
9709 instruction set this CPU supports. */
9710
9711diff --git a/arch/s390/include/asm/exec.h b/arch/s390/include/asm/exec.h
9712index c4a93d6..4d2a9b4 100644
9713--- a/arch/s390/include/asm/exec.h
9714+++ b/arch/s390/include/asm/exec.h
9715@@ -7,6 +7,6 @@
9716 #ifndef __ASM_EXEC_H
9717 #define __ASM_EXEC_H
9718
9719-extern unsigned long arch_align_stack(unsigned long sp);
9720+#define arch_align_stack(x) ((x) & ~0xfUL)
9721
9722 #endif /* __ASM_EXEC_H */
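Review bot: The replacement macro `arch_align_stack(x)` only masks the low four bits. The sub-page offset that the removed s390 function applied (`sp -= get_random_int() & ~PAGE_MASK`, deleted from arch/s390/kernel/process.c in this patch) is therefore gone in every configuration, not only when a PaX stack-randomisation option is enabled. Presumably the randomisation is meant to come from the PaX deltas applied elsewhere. If so, a comment should say it, for example `/* alignment only: stack randomisation is applied via mm->delta_stack */`, and the non-PaX configuration should be checked for lost entropy. The macro also lacks the type checking the function prototype provided.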
9723diff --git a/arch/s390/include/asm/uaccess.h b/arch/s390/include/asm/uaccess.h
9724index 9dd4cc4..36f4b84 100644
9725--- a/arch/s390/include/asm/uaccess.h
9726+++ b/arch/s390/include/asm/uaccess.h
9727@@ -59,6 +59,7 @@ static inline int __range_ok(unsigned long addr, unsigned long size)
9728 __range_ok((unsigned long)(addr), (size)); \
9729 })
9730
9731+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
9732 #define access_ok(type, addr, size) __access_ok(addr, size)
9733
9734 /*
9735@@ -278,6 +279,10 @@ static inline unsigned long __must_check
9736 copy_to_user(void __user *to, const void *from, unsigned long n)
9737 {
9738 might_fault();
9739+
9740+ if ((long)n < 0)
9741+ return n;
9742+
9743 return __copy_to_user(to, from, n);
9744 }
9745
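Review bot: The new `if ((long)n < 0) return n;` guard in copy_to_user() is uncommented, and the same guard is added to copy_from_user() in the next hunk. It would help to state the intent, for example `/* a length with the sign bit set is almost certainly a negative value converted to unsigned: refuse to copy */`. On the copy_from_user() path the destination buffer is left unwritten when the guard fires, as it already is on the existing `copy_from_user_overflow()` path. Callers that go on to read the buffer after a failed copy see stale kernel data, so that contract is worth documenting at the function.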
9746@@ -307,10 +312,14 @@ __compiletime_warning("copy_from_user() buffer size is not provably correct")
9747 static inline unsigned long __must_check
9748 copy_from_user(void *to, const void __user *from, unsigned long n)
9749 {
9750- unsigned int sz = __compiletime_object_size(to);
9751+ size_t sz = __compiletime_object_size(to);
9752
9753 might_fault();
9754- if (unlikely(sz != -1 && sz < n)) {
9755+
9756+ if ((long)n < 0)
9757+ return n;
9758+
9759+ if (unlikely(sz != (size_t)-1 && sz < n)) {
9760 copy_from_user_overflow();
9761 return n;
9762 }
9763diff --git a/arch/s390/kernel/module.c b/arch/s390/kernel/module.c
9764index 0c1a679..e1df357 100644
9765--- a/arch/s390/kernel/module.c
9766+++ b/arch/s390/kernel/module.c
9767@@ -159,11 +159,11 @@ int module_frob_arch_sections(Elf_Ehdr *hdr, Elf_Shdr *sechdrs,
9768
9769 /* Increase core size by size of got & plt and set start
9770 offsets for got and plt. */
9771- me->core_size = ALIGN(me->core_size, 4);
9772- me->arch.got_offset = me->core_size;
9773- me->core_size += me->arch.got_size;
9774- me->arch.plt_offset = me->core_size;
9775- me->core_size += me->arch.plt_size;
9776+ me->core_size_rw = ALIGN(me->core_size_rw, 4);
9777+ me->arch.got_offset = me->core_size_rw;
9778+ me->core_size_rw += me->arch.got_size;
9779+ me->arch.plt_offset = me->core_size_rx;
9780+ me->core_size_rx += me->arch.plt_size;
9781 return 0;
9782 }
9783
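Review bot: After the split into `core_size_rw` and `core_size_rx`, only the RW size is passed through `ALIGN(..., 4)`; `me->arch.plt_offset` is taken from `me->core_size_rx` as-is. The old code aligned the single core size before either offset was assigned. The PLT slots are later written through an `unsigned int *` in apply_rela(), so the RX side should get the same treatment: `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;`. Whether `core_size_rx` is already aligned by the generic loader is not visible from this hunk.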
9784@@ -279,7 +279,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9785 if (info->got_initialized == 0) {
9786 Elf_Addr *gotent;
9787
9788- gotent = me->module_core + me->arch.got_offset +
9789+ gotent = me->module_core_rw + me->arch.got_offset +
9790 info->got_offset;
9791 *gotent = val;
9792 info->got_initialized = 1;
9793@@ -302,7 +302,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9794 rc = apply_rela_bits(loc, val, 0, 64, 0);
9795 else if (r_type == R_390_GOTENT ||
9796 r_type == R_390_GOTPLTENT) {
9797- val += (Elf_Addr) me->module_core - loc;
9798+ val += (Elf_Addr) me->module_core_rw - loc;
9799 rc = apply_rela_bits(loc, val, 1, 32, 1);
9800 }
9801 break;
9802@@ -315,7 +315,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9803 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
9804 if (info->plt_initialized == 0) {
9805 unsigned int *ip;
9806- ip = me->module_core + me->arch.plt_offset +
9807+ ip = me->module_core_rx + me->arch.plt_offset +
9808 info->plt_offset;
9809 ip[0] = 0x0d10e310; /* basr 1,0; lg 1,10(1); br 1 */
9810 ip[1] = 0x100a0004;
9811@@ -334,7 +334,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9812 val - loc + 0xffffUL < 0x1ffffeUL) ||
9813 (r_type == R_390_PLT32DBL &&
9814 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
9815- val = (Elf_Addr) me->module_core +
9816+ val = (Elf_Addr) me->module_core_rx +
9817 me->arch.plt_offset +
9818 info->plt_offset;
9819 val += rela->r_addend - loc;
9820@@ -356,7 +356,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9821 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
9822 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
9823 val = val + rela->r_addend -
9824- ((Elf_Addr) me->module_core + me->arch.got_offset);
9825+ ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
9826 if (r_type == R_390_GOTOFF16)
9827 rc = apply_rela_bits(loc, val, 0, 16, 0);
9828 else if (r_type == R_390_GOTOFF32)
9829@@ -366,7 +366,7 @@ static int apply_rela(Elf_Rela *rela, Elf_Addr base, Elf_Sym *symtab,
9830 break;
9831 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
9832 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
9833- val = (Elf_Addr) me->module_core + me->arch.got_offset +
9834+ val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
9835 rela->r_addend - loc;
9836 if (r_type == R_390_GOTPC)
9837 rc = apply_rela_bits(loc, val, 1, 32, 0);
9838diff --git a/arch/s390/kernel/process.c b/arch/s390/kernel/process.c
9839index 8f587d8..0642516b 100644
9840--- a/arch/s390/kernel/process.c
9841+++ b/arch/s390/kernel/process.c
9842@@ -200,27 +200,3 @@ unsigned long get_wchan(struct task_struct *p)
9843 }
9844 return 0;
9845 }
9846-
9847-unsigned long arch_align_stack(unsigned long sp)
9848-{
9849- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
9850- sp -= get_random_int() & ~PAGE_MASK;
9851- return sp & ~0xf;
9852-}
9853-
9854-static inline unsigned long brk_rnd(void)
9855-{
9856- /* 8MB for 32bit, 1GB for 64bit */
9857- if (is_32bit_task())
9858- return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
9859- else
9860- return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
9861-}
9862-
9863-unsigned long arch_randomize_brk(struct mm_struct *mm)
9864-{
9865- unsigned long ret;
9866-
9867- ret = PAGE_ALIGN(mm->brk + brk_rnd());
9868- return (ret > mm->brk) ? ret : mm->brk;
9869-}
9870diff --git a/arch/s390/mm/mmap.c b/arch/s390/mm/mmap.c
9871index 6e552af..3e608a1 100644
9872--- a/arch/s390/mm/mmap.c
9873+++ b/arch/s390/mm/mmap.c
9874@@ -239,6 +239,10 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9875 {
9876 unsigned long random_factor = 0UL;
9877
9878+#ifdef CONFIG_PAX_RANDMMAP
9879+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
9880+#endif
9881+
9882 if (current->flags & PF_RANDOMIZE)
9883 random_factor = arch_mmap_rnd();
9884
9885@@ -248,9 +252,21 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
9886 */
9887 if (mmap_is_legacy()) {
9888 mm->mmap_base = mmap_base_legacy(random_factor);
9889+
9890+#ifdef CONFIG_PAX_RANDMMAP
9891+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9892+ mm->mmap_base += mm->delta_mmap;
9893+#endif
9894+
9895 mm->get_unmapped_area = s390_get_unmapped_area;
9896 } else {
9897 mm->mmap_base = mmap_base(random_factor);
9898+
9899+#ifdef CONFIG_PAX_RANDMMAP
9900+ if (mm->pax_flags & MF_PAX_RANDMMAP)
9901+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
9902+#endif
9903+
9904 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
9905 }
9906 }
9907diff --git a/arch/score/include/asm/cache.h b/arch/score/include/asm/cache.h
9908index ae3d59f..f65f075 100644
9909--- a/arch/score/include/asm/cache.h
9910+++ b/arch/score/include/asm/cache.h
9911@@ -1,7 +1,9 @@
9912 #ifndef _ASM_SCORE_CACHE_H
9913 #define _ASM_SCORE_CACHE_H
9914
9915+#include <linux/const.h>
9916+
9917 #define L1_CACHE_SHIFT 4
9918-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9919+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9920
9921 #endif /* _ASM_SCORE_CACHE_H */
9922diff --git a/arch/score/include/asm/exec.h b/arch/score/include/asm/exec.h
9923index f9f3cd5..58ff438 100644
9924--- a/arch/score/include/asm/exec.h
9925+++ b/arch/score/include/asm/exec.h
9926@@ -1,6 +1,6 @@
9927 #ifndef _ASM_SCORE_EXEC_H
9928 #define _ASM_SCORE_EXEC_H
9929
9930-extern unsigned long arch_align_stack(unsigned long sp);
9931+#define arch_align_stack(x) (x)
9932
9933 #endif /* _ASM_SCORE_EXEC_H */
9934diff --git a/arch/score/kernel/process.c b/arch/score/kernel/process.c
9935index a1519ad3..e8ac1ff 100644
9936--- a/arch/score/kernel/process.c
9937+++ b/arch/score/kernel/process.c
9938@@ -116,8 +116,3 @@ unsigned long get_wchan(struct task_struct *task)
9939
9940 return task_pt_regs(task)->cp0_epc;
9941 }
9942-
9943-unsigned long arch_align_stack(unsigned long sp)
9944-{
9945- return sp;
9946-}
9947diff --git a/arch/sh/include/asm/cache.h b/arch/sh/include/asm/cache.h
9948index ef9e555..331bd29 100644
9949--- a/arch/sh/include/asm/cache.h
9950+++ b/arch/sh/include/asm/cache.h
9951@@ -9,10 +9,11 @@
9952 #define __ASM_SH_CACHE_H
9953 #ifdef __KERNEL__
9954
9955+#include <linux/const.h>
9956 #include <linux/init.h>
9957 #include <cpu/cache.h>
9958
9959-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
9960+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
9961
9962 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
9963
9964diff --git a/arch/sh/mm/mmap.c b/arch/sh/mm/mmap.c
9965index 6777177..cb5e44f 100644
9966--- a/arch/sh/mm/mmap.c
9967+++ b/arch/sh/mm/mmap.c
9968@@ -36,6 +36,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
9969 struct mm_struct *mm = current->mm;
9970 struct vm_area_struct *vma;
9971 int do_colour_align;
9972+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
9973 struct vm_unmapped_area_info info;
9974
9975 if (flags & MAP_FIXED) {
9976@@ -55,6 +56,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
9977 if (filp || (flags & MAP_SHARED))
9978 do_colour_align = 1;
9979
9980+#ifdef CONFIG_PAX_RANDMMAP
9981+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
9982+#endif
9983+
9984 if (addr) {
9985 if (do_colour_align)
9986 addr = COLOUR_ALIGN(addr, pgoff);
9987@@ -62,14 +67,13 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr,
9988 addr = PAGE_ALIGN(addr);
9989
9990 vma = find_vma(mm, addr);
9991- if (TASK_SIZE - len >= addr &&
9992- (!vma || addr + len <= vma->vm_start))
9993+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
9994 return addr;
9995 }
9996
9997 info.flags = 0;
9998 info.length = len;
9999- info.low_limit = TASK_UNMAPPED_BASE;
10000+ info.low_limit = mm->mmap_base;
10001 info.high_limit = TASK_SIZE;
10002 info.align_mask = do_colour_align ? (PAGE_MASK & shm_align_mask) : 0;
10003 info.align_offset = pgoff << PAGE_SHIFT;
10004@@ -85,6 +89,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10005 struct mm_struct *mm = current->mm;
10006 unsigned long addr = addr0;
10007 int do_colour_align;
10008+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
10009 struct vm_unmapped_area_info info;
10010
10011 if (flags & MAP_FIXED) {
10012@@ -104,6 +109,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10013 if (filp || (flags & MAP_SHARED))
10014 do_colour_align = 1;
10015
10016+#ifdef CONFIG_PAX_RANDMMAP
10017+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
10018+#endif
10019+
10020 /* requesting a specific address */
10021 if (addr) {
10022 if (do_colour_align)
10023@@ -112,8 +121,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10024 addr = PAGE_ALIGN(addr);
10025
10026 vma = find_vma(mm, addr);
10027- if (TASK_SIZE - len >= addr &&
10028- (!vma || addr + len <= vma->vm_start))
10029+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
10030 return addr;
10031 }
10032
10033@@ -135,6 +143,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10034 VM_BUG_ON(addr != -ENOMEM);
10035 info.flags = 0;
10036 info.low_limit = TASK_UNMAPPED_BASE;
10037+
10038+#ifdef CONFIG_PAX_RANDMMAP
10039+ if (mm->pax_flags & MF_PAX_RANDMMAP)
10040+ info.low_limit += mm->delta_mmap;
10041+#endif
10042+
10043 info.high_limit = TASK_SIZE;
10044 addr = vm_unmapped_area(&info);
10045 }
10046diff --git a/arch/sparc/include/asm/atomic_64.h b/arch/sparc/include/asm/atomic_64.h
10047index 4082749..fd97781 100644
10048--- a/arch/sparc/include/asm/atomic_64.h
10049+++ b/arch/sparc/include/asm/atomic_64.h
10050@@ -15,18 +15,38 @@
10051 #define ATOMIC64_INIT(i) { (i) }
10052
10053 #define atomic_read(v) ACCESS_ONCE((v)->counter)
10054+static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
10055+{
10056+ return ACCESS_ONCE(v->counter);
10057+}
10058 #define atomic64_read(v) ACCESS_ONCE((v)->counter)
10059+static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
10060+{
10061+ return ACCESS_ONCE(v->counter);
10062+}
10063
10064 #define atomic_set(v, i) (((v)->counter) = i)
10065+static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
10066+{
10067+ v->counter = i;
10068+}
10069 #define atomic64_set(v, i) (((v)->counter) = i)
10070+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
10071+{
10072+ v->counter = i;
10073+}
10074
10075-#define ATOMIC_OP(op) \
10076-void atomic_##op(int, atomic_t *); \
10077-void atomic64_##op(long, atomic64_t *);
10078+#define __ATOMIC_OP(op, suffix) \
10079+void atomic_##op##suffix(int, atomic##suffix##_t *); \
10080+void atomic64_##op##suffix(long, atomic64##suffix##_t *);
10081
10082-#define ATOMIC_OP_RETURN(op) \
10083-int atomic_##op##_return(int, atomic_t *); \
10084-long atomic64_##op##_return(long, atomic64_t *);
10085+#define ATOMIC_OP(op) __ATOMIC_OP(op, ) __ATOMIC_OP(op, _unchecked)
10086+
10087+#define __ATOMIC_OP_RETURN(op, suffix) \
10088+int atomic_##op##_return##suffix(int, atomic##suffix##_t *); \
10089+long atomic64_##op##_return##suffix(long, atomic64##suffix##_t *);
10090+
10091+#define ATOMIC_OP_RETURN(op) __ATOMIC_OP_RETURN(op, ) __ATOMIC_OP_RETURN(op, _unchecked)
10092
10093 #define ATOMIC_OPS(op) ATOMIC_OP(op) ATOMIC_OP_RETURN(op)
10094
10095@@ -35,13 +55,23 @@ ATOMIC_OPS(sub)
10096
10097 #undef ATOMIC_OPS
10098 #undef ATOMIC_OP_RETURN
10099+#undef __ATOMIC_OP_RETURN
10100 #undef ATOMIC_OP
10101+#undef __ATOMIC_OP
10102
10103 #define atomic_dec_return(v) atomic_sub_return(1, v)
10104 #define atomic64_dec_return(v) atomic64_sub_return(1, v)
10105
10106 #define atomic_inc_return(v) atomic_add_return(1, v)
10107+static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
10108+{
10109+ return atomic_add_return_unchecked(1, v);
10110+}
10111 #define atomic64_inc_return(v) atomic64_add_return(1, v)
10112+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
10113+{
10114+ return atomic64_add_return_unchecked(1, v);
10115+}
10116
10117 /*
10118 * atomic_inc_and_test - increment and test
10119@@ -52,6 +82,10 @@ ATOMIC_OPS(sub)
10120 * other cases.
10121 */
10122 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
10123+static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
10124+{
10125+ return atomic_inc_return_unchecked(v) == 0;
10126+}
10127 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
10128
10129 #define atomic_sub_and_test(i, v) (atomic_sub_return(i, v) == 0)
10130@@ -61,25 +95,60 @@ ATOMIC_OPS(sub)
10131 #define atomic64_dec_and_test(v) (atomic64_sub_return(1, v) == 0)
10132
10133 #define atomic_inc(v) atomic_add(1, v)
10134+static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
10135+{
10136+ atomic_add_unchecked(1, v);
10137+}
10138 #define atomic64_inc(v) atomic64_add(1, v)
10139+static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
10140+{
10141+ atomic64_add_unchecked(1, v);
10142+}
10143
10144 #define atomic_dec(v) atomic_sub(1, v)
10145+static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
10146+{
10147+ atomic_sub_unchecked(1, v);
10148+}
10149 #define atomic64_dec(v) atomic64_sub(1, v)
10150+static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
10151+{
10152+ atomic64_sub_unchecked(1, v);
10153+}
10154
10155 #define atomic_add_negative(i, v) (atomic_add_return(i, v) < 0)
10156 #define atomic64_add_negative(i, v) (atomic64_add_return(i, v) < 0)
10157
10158 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
10159+static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
10160+{
10161+ return cmpxchg(&v->counter, old, new);
10162+}
10163 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
10164+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
10165+{
10166+ return xchg(&v->counter, new);
10167+}
10168
10169 static inline int __atomic_add_unless(atomic_t *v, int a, int u)
10170 {
10171- int c, old;
10172+ int c, old, new;
10173 c = atomic_read(v);
10174 for (;;) {
10175- if (unlikely(c == (u)))
10176+ if (unlikely(c == u))
10177 break;
10178- old = atomic_cmpxchg((v), c, c + (a));
10179+
10180+ asm volatile("addcc %2, %0, %0\n"
10181+
10182+#ifdef CONFIG_PAX_REFCOUNT
10183+ "tvs %%icc, 6\n"
10184+#endif
10185+
10186+ : "=r" (new)
10187+ : "0" (c), "ir" (a)
10188+ : "cc");
10189+
10190+ old = atomic_cmpxchg(v, c, new);
10191 if (likely(old == c))
10192 break;
10193 c = old;
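Review bot: In __atomic_add_unless() the C expression `c + (a)` is replaced by an `asm volatile` `addcc` in every configuration; only the `tvs %%icc, 6` trap is conditional on CONFIG_PAX_REFCOUNT. Builds without the option therefore still pay for an opaque asm statement and a condition-code clobber, with no checking in return. Keeping the plain addition in the `#else` branch confines the asm to the configuration that needs it. The same applies to atomic64_add_unless() in the next hunk, which uses `%%xcc`. The trap number `6` deserves a named constant or a comment pointing at the handler. The end of __atomic_add_unless() lies outside this hunk.
```c
		if (unlikely(c == u))
			break;

#ifdef CONFIG_PAX_REFCOUNT
		/* add and trap if the signed 32-bit addition overflowed */
		asm volatile("addcc %2, %0, %0\n"
			     "tvs %%icc, 6\n"
			     : "=r" (new)
			     : "0" (c), "ir" (a)
			     : "cc");
#else
		new = c + a;
#endif

		old = atomic_cmpxchg(v, c, new);
		/* … unchanged: retry-loop tail … */
```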
10194@@ -90,20 +159,35 @@ static inline int __atomic_add_unless(atomic_t *v, int a, int u)
10195 #define atomic64_cmpxchg(v, o, n) \
10196 ((__typeof__((v)->counter))cmpxchg(&((v)->counter), (o), (n)))
10197 #define atomic64_xchg(v, new) (xchg(&((v)->counter), new))
10198+static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
10199+{
10200+ return xchg(&v->counter, new);
10201+}
10202
10203 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
10204 {
10205- long c, old;
10206+ long c, old, new;
10207 c = atomic64_read(v);
10208 for (;;) {
10209- if (unlikely(c == (u)))
10210+ if (unlikely(c == u))
10211 break;
10212- old = atomic64_cmpxchg((v), c, c + (a));
10213+
10214+ asm volatile("addcc %2, %0, %0\n"
10215+
10216+#ifdef CONFIG_PAX_REFCOUNT
10217+ "tvs %%xcc, 6\n"
10218+#endif
10219+
10220+ : "=r" (new)
10221+ : "0" (c), "ir" (a)
10222+ : "cc");
10223+
10224+ old = atomic64_cmpxchg(v, c, new);
10225 if (likely(old == c))
10226 break;
10227 c = old;
10228 }
10229- return c != (u);
10230+ return c != u;
10231 }
10232
10233 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
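Review bot: With CONFIG_PAX_REFCOUNT disabled, atomic64_add_unless still computes the new value through `asm volatile("addcc %2, %0, %0\n" ...)`, because only the `tvs %%xcc, 6` line sits inside the `#ifdef`. A build without the option therefore loses the plain `c + a` the compiler could optimise and gets no overflow trap in return. I would keep `new = c + a;` under an `#else`. I would also add a comment above the asm such as `/* trap on signed overflow before cmpxchg can publish the wrapped value */`. The visible part of the previous hunk shows the same pattern in __atomic_add_unless with `%%icc`.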
10234diff --git a/arch/sparc/include/asm/barrier_64.h b/arch/sparc/include/asm/barrier_64.h
10235index 809941e..b443309 100644
10236--- a/arch/sparc/include/asm/barrier_64.h
10237+++ b/arch/sparc/include/asm/barrier_64.h
10238@@ -60,7 +60,7 @@ do { __asm__ __volatile__("ba,pt %%xcc, 1f\n\t" \
10239 do { \
10240 compiletime_assert_atomic_type(*p); \
10241 barrier(); \
10242- ACCESS_ONCE(*p) = (v); \
10243+ ACCESS_ONCE_RW(*p) = (v); \
10244 } while (0)
10245
10246 #define smp_load_acquire(p) \
10247diff --git a/arch/sparc/include/asm/cache.h b/arch/sparc/include/asm/cache.h
10248index 5bb6991..5c2132e 100644
10249--- a/arch/sparc/include/asm/cache.h
10250+++ b/arch/sparc/include/asm/cache.h
10251@@ -7,10 +7,12 @@
10252 #ifndef _SPARC_CACHE_H
10253 #define _SPARC_CACHE_H
10254
10255+#include <linux/const.h>
10256+
10257 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long long)
10258
10259 #define L1_CACHE_SHIFT 5
10260-#define L1_CACHE_BYTES 32
10261+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
10262
10263 #ifdef CONFIG_SPARC32
10264 #define SMP_CACHE_BYTES_SHIFT 5
10265diff --git a/arch/sparc/include/asm/elf_32.h b/arch/sparc/include/asm/elf_32.h
10266index a24e41f..47677ff 100644
10267--- a/arch/sparc/include/asm/elf_32.h
10268+++ b/arch/sparc/include/asm/elf_32.h
10269@@ -114,6 +114,13 @@ typedef struct {
10270
10271 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
10272
10273+#ifdef CONFIG_PAX_ASLR
10274+#define PAX_ELF_ET_DYN_BASE 0x10000UL
10275+
10276+#define PAX_DELTA_MMAP_LEN 16
10277+#define PAX_DELTA_STACK_LEN 16
10278+#endif
10279+
10280 /* This yields a mask that user programs can use to figure out what
10281 instruction set this cpu supports. This can NOT be done in userspace
10282 on Sparc. */
10283diff --git a/arch/sparc/include/asm/elf_64.h b/arch/sparc/include/asm/elf_64.h
10284index 370ca1e..d4f4a98 100644
10285--- a/arch/sparc/include/asm/elf_64.h
10286+++ b/arch/sparc/include/asm/elf_64.h
10287@@ -189,6 +189,13 @@ typedef struct {
10288 #define ELF_ET_DYN_BASE 0x0000010000000000UL
10289 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
10290
10291+#ifdef CONFIG_PAX_ASLR
10292+#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
10293+
10294+#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
10295+#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
10296+#endif
10297+
10298 extern unsigned long sparc64_elf_hwcap;
10299 #define ELF_HWCAP sparc64_elf_hwcap
10300
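Review bot: The three PAX_* macros added here look like constants but each expands to `test_thread_flag(TIF_32BIT)`, so their value depends on the current task at every use. That is easy to miss when one of them is read before the thread flag has been set for a new image, or from a context where `current` is not the task being laid out. A comment on the block would make the contract explicit, for example `/* evaluated per use: depends on the current task's TIF_32BIT */`. The elf_32.h hunk above defines the same names as plain literals, which adds to the impression that these are constants.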
10301diff --git a/arch/sparc/include/asm/pgalloc_32.h b/arch/sparc/include/asm/pgalloc_32.h
10302index a3890da..f6a408e 100644
10303--- a/arch/sparc/include/asm/pgalloc_32.h
10304+++ b/arch/sparc/include/asm/pgalloc_32.h
10305@@ -35,6 +35,7 @@ static inline void pgd_set(pgd_t * pgdp, pmd_t * pmdp)
10306 }
10307
10308 #define pgd_populate(MM, PGD, PMD) pgd_set(PGD, PMD)
10309+#define pgd_populate_kernel(MM, PGD, PMD) pgd_populate((MM), (PGD), (PMD))
10310
10311 static inline pmd_t *pmd_alloc_one(struct mm_struct *mm,
10312 unsigned long address)
10313diff --git a/arch/sparc/include/asm/pgalloc_64.h b/arch/sparc/include/asm/pgalloc_64.h
10314index 5e31871..13469c6 100644
10315--- a/arch/sparc/include/asm/pgalloc_64.h
10316+++ b/arch/sparc/include/asm/pgalloc_64.h
10317@@ -21,6 +21,7 @@ static inline void __pgd_populate(pgd_t *pgd, pud_t *pud)
10318 }
10319
10320 #define pgd_populate(MM, PGD, PUD) __pgd_populate(PGD, PUD)
10321+#define pgd_populate_kernel(MM, PGD, PMD) pgd_populate((MM), (PGD), (PMD))
10322
10323 static inline pgd_t *pgd_alloc(struct mm_struct *mm)
10324 {
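Review bot: The third parameter of the new `pgd_populate_kernel(MM, PGD, PMD)` is named PMD, but the macro it forwards to is `pgd_populate(MM, PGD, PUD)` and installs a pud. The expansion is still correct because the name is only a placeholder, yet it misleads a reader about which table level is being populated. I would write `#define pgd_populate_kernel(MM, PGD, PUD) pgd_populate((MM), (PGD), (PUD))`.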
10325@@ -38,6 +39,7 @@ static inline void __pud_populate(pud_t *pud, pmd_t *pmd)
10326 }
10327
10328 #define pud_populate(MM, PUD, PMD) __pud_populate(PUD, PMD)
10329+#define pud_populate_kernel(MM, PUD, PMD) pud_populate((MM), (PUD), (PMD))
10330
10331 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
10332 {
10333diff --git a/arch/sparc/include/asm/pgtable.h b/arch/sparc/include/asm/pgtable.h
10334index 59ba6f6..4518128 100644
10335--- a/arch/sparc/include/asm/pgtable.h
10336+++ b/arch/sparc/include/asm/pgtable.h
10337@@ -5,4 +5,8 @@
10338 #else
10339 #include <asm/pgtable_32.h>
10340 #endif
10341+
10342+#define ktla_ktva(addr) (addr)
10343+#define ktva_ktla(addr) (addr)
10344+
10345 #endif
10346diff --git a/arch/sparc/include/asm/pgtable_32.h b/arch/sparc/include/asm/pgtable_32.h
10347index f06b36a..bca3189 100644
10348--- a/arch/sparc/include/asm/pgtable_32.h
10349+++ b/arch/sparc/include/asm/pgtable_32.h
10350@@ -51,6 +51,9 @@ unsigned long __init bootmem_init(unsigned long *pages_avail);
10351 #define PAGE_SHARED SRMMU_PAGE_SHARED
10352 #define PAGE_COPY SRMMU_PAGE_COPY
10353 #define PAGE_READONLY SRMMU_PAGE_RDONLY
10354+#define PAGE_SHARED_NOEXEC SRMMU_PAGE_SHARED_NOEXEC
10355+#define PAGE_COPY_NOEXEC SRMMU_PAGE_COPY_NOEXEC
10356+#define PAGE_READONLY_NOEXEC SRMMU_PAGE_RDONLY_NOEXEC
10357 #define PAGE_KERNEL SRMMU_PAGE_KERNEL
10358
10359 /* Top-level page directory - dummy used by init-mm.
10360@@ -63,18 +66,18 @@ extern unsigned long ptr_in_current_pgd;
10361
10362 /* xwr */
10363 #define __P000 PAGE_NONE
10364-#define __P001 PAGE_READONLY
10365-#define __P010 PAGE_COPY
10366-#define __P011 PAGE_COPY
10367+#define __P001 PAGE_READONLY_NOEXEC
10368+#define __P010 PAGE_COPY_NOEXEC
10369+#define __P011 PAGE_COPY_NOEXEC
10370 #define __P100 PAGE_READONLY
10371 #define __P101 PAGE_READONLY
10372 #define __P110 PAGE_COPY
10373 #define __P111 PAGE_COPY
10374
10375 #define __S000 PAGE_NONE
10376-#define __S001 PAGE_READONLY
10377-#define __S010 PAGE_SHARED
10378-#define __S011 PAGE_SHARED
10379+#define __S001 PAGE_READONLY_NOEXEC
10380+#define __S010 PAGE_SHARED_NOEXEC
10381+#define __S011 PAGE_SHARED_NOEXEC
10382 #define __S100 PAGE_READONLY
10383 #define __S101 PAGE_READONLY
10384 #define __S110 PAGE_SHARED
10385diff --git a/arch/sparc/include/asm/pgtsrmmu.h b/arch/sparc/include/asm/pgtsrmmu.h
10386index ae51a11..eadfd03 100644
10387--- a/arch/sparc/include/asm/pgtsrmmu.h
10388+++ b/arch/sparc/include/asm/pgtsrmmu.h
10389@@ -111,6 +111,11 @@
10390 SRMMU_EXEC | SRMMU_REF)
10391 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
10392 SRMMU_EXEC | SRMMU_REF)
10393+
10394+#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
10395+#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
10396+#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
10397+
10398 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
10399 SRMMU_DIRTY | SRMMU_REF)
10400
10401diff --git a/arch/sparc/include/asm/setup.h b/arch/sparc/include/asm/setup.h
10402index 29d64b1..4272fe8 100644
10403--- a/arch/sparc/include/asm/setup.h
10404+++ b/arch/sparc/include/asm/setup.h
10405@@ -55,8 +55,8 @@ int handle_ldf_stq(u32 insn, struct pt_regs *regs);
10406 void handle_ld_nf(u32 insn, struct pt_regs *regs);
10407
10408 /* init_64.c */
10409-extern atomic_t dcpage_flushes;
10410-extern atomic_t dcpage_flushes_xcall;
10411+extern atomic_unchecked_t dcpage_flushes;
10412+extern atomic_unchecked_t dcpage_flushes_xcall;
10413
10414 extern int sysctl_tsb_ratio;
10415 #endif
10416diff --git a/arch/sparc/include/asm/spinlock_64.h b/arch/sparc/include/asm/spinlock_64.h
10417index 9689176..63c18ea 100644
10418--- a/arch/sparc/include/asm/spinlock_64.h
10419+++ b/arch/sparc/include/asm/spinlock_64.h
10420@@ -92,14 +92,19 @@ static inline void arch_spin_lock_flags(arch_spinlock_t *lock, unsigned long fla
10421
10422 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
10423
10424-static void inline arch_read_lock(arch_rwlock_t *lock)
10425+static inline void arch_read_lock(arch_rwlock_t *lock)
10426 {
10427 unsigned long tmp1, tmp2;
10428
10429 __asm__ __volatile__ (
10430 "1: ldsw [%2], %0\n"
10431 " brlz,pn %0, 2f\n"
10432-"4: add %0, 1, %1\n"
10433+"4: addcc %0, 1, %1\n"
10434+
10435+#ifdef CONFIG_PAX_REFCOUNT
10436+" tvs %%icc, 6\n"
10437+#endif
10438+
10439 " cas [%2], %0, %1\n"
10440 " cmp %0, %1\n"
10441 " bne,pn %%icc, 1b\n"
10442@@ -112,10 +117,10 @@ static void inline arch_read_lock(arch_rwlock_t *lock)
10443 " .previous"
10444 : "=&r" (tmp1), "=&r" (tmp2)
10445 : "r" (lock)
10446- : "memory");
10447+ : "memory", "cc");
10448 }
10449
10450-static int inline arch_read_trylock(arch_rwlock_t *lock)
10451+static inline int arch_read_trylock(arch_rwlock_t *lock)
10452 {
10453 int tmp1, tmp2;
10454
10455@@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch_rwlock_t *lock)
10456 "1: ldsw [%2], %0\n"
10457 " brlz,a,pn %0, 2f\n"
10458 " mov 0, %0\n"
10459-" add %0, 1, %1\n"
10460+" addcc %0, 1, %1\n"
10461+
10462+#ifdef CONFIG_PAX_REFCOUNT
10463+" tvs %%icc, 6\n"
10464+#endif
10465+
10466 " cas [%2], %0, %1\n"
10467 " cmp %0, %1\n"
10468 " bne,pn %%icc, 1b\n"
10469@@ -136,13 +146,18 @@ static int inline arch_read_trylock(arch_rwlock_t *lock)
10470 return tmp1;
10471 }
10472
10473-static void inline arch_read_unlock(arch_rwlock_t *lock)
10474+static inline void arch_read_unlock(arch_rwlock_t *lock)
10475 {
10476 unsigned long tmp1, tmp2;
10477
10478 __asm__ __volatile__(
10479 "1: lduw [%2], %0\n"
10480-" sub %0, 1, %1\n"
10481+" subcc %0, 1, %1\n"
10482+
10483+#ifdef CONFIG_PAX_REFCOUNT
10484+" tvs %%icc, 6\n"
10485+#endif
10486+
10487 " cas [%2], %0, %1\n"
10488 " cmp %0, %1\n"
10489 " bne,pn %%xcc, 1b\n"
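Review bot: arch_read_unlock now uses `subcc`, which writes the integer condition codes, but its clobber list, shown as context at the top of the next hunk, is still `: "memory");`. arch_read_lock was given `: "memory", "cc");` in this same commit for its `addcc`, so the two functions are inconsistent. I would change the unlock clobbers to `: "memory", "cc");`. arch_read_trylock should be checked as well, since its `addcc` is added in the previous hunk and its clobber list is not part of any hunk. The existing `cmp` already wrote the flags, so the missing clobber predates the patch, but the new trap-on-overflow sequence is a good reason to fix it now.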
10490@@ -152,7 +167,7 @@ static void inline arch_read_unlock(arch_rwlock_t *lock)
10491 : "memory");
10492 }
10493
10494-static void inline arch_write_lock(arch_rwlock_t *lock)
10495+static inline void arch_write_lock(arch_rwlock_t *lock)
10496 {
10497 unsigned long mask, tmp1, tmp2;
10498
10499@@ -177,7 +192,7 @@ static void inline arch_write_lock(arch_rwlock_t *lock)
10500 : "memory");
10501 }
10502
10503-static void inline arch_write_unlock(arch_rwlock_t *lock)
10504+static inline void arch_write_unlock(arch_rwlock_t *lock)
10505 {
10506 __asm__ __volatile__(
10507 " stw %%g0, [%0]"
10508@@ -186,7 +201,7 @@ static void inline arch_write_unlock(arch_rwlock_t *lock)
10509 : "memory");
10510 }
10511
10512-static int inline arch_write_trylock(arch_rwlock_t *lock)
10513+static inline int arch_write_trylock(arch_rwlock_t *lock)
10514 {
10515 unsigned long mask, tmp1, tmp2, result;
10516
10517diff --git a/arch/sparc/include/asm/thread_info_32.h b/arch/sparc/include/asm/thread_info_32.h
10518index 229475f..2fca9163 100644
10519--- a/arch/sparc/include/asm/thread_info_32.h
10520+++ b/arch/sparc/include/asm/thread_info_32.h
10521@@ -48,6 +48,7 @@ struct thread_info {
10522 struct reg_window32 reg_window[NSWINS]; /* align for ldd! */
10523 unsigned long rwbuf_stkptrs[NSWINS];
10524 unsigned long w_saved;
10525+ unsigned long lowest_stack;
10526 };
10527
10528 /*
10529diff --git a/arch/sparc/include/asm/thread_info_64.h b/arch/sparc/include/asm/thread_info_64.h
10530index bde5982..9cbb56d 100644
10531--- a/arch/sparc/include/asm/thread_info_64.h
10532+++ b/arch/sparc/include/asm/thread_info_64.h
10533@@ -59,6 +59,8 @@ struct thread_info {
10534 struct pt_regs *kern_una_regs;
10535 unsigned int kern_una_insn;
10536
10537+ unsigned long lowest_stack;
10538+
10539 unsigned long fpregs[(7 * 256) / sizeof(unsigned long)]
10540 __attribute__ ((aligned(64)));
10541 };
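Review bot: `lowest_stack` is inserted in the middle of struct thread_info, ahead of the 64-byte-aligned `fpregs`, whereas the 32-bit hunk appends it after the last member. Assembly reaches this structure through fixed `TI_*` offsets (syscalls.S in this patch uses `TI_FLAGS`), and those definitions are outside the hunk, so I cannot confirm from here that the later members keep their offsets. The alignment padding before `fpregs` probably absorbs the new field, but that is an inference. I would either place the field where the offset table is obviously unaffected or confirm that a build-time check such as `BUILD_BUG_ON(TI_FPREGS != offsetof(struct thread_info, fpregs));` covers it.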
10542@@ -180,12 +182,13 @@ register struct thread_info *current_thread_info_reg asm("g6");
10543 #define TIF_NEED_RESCHED 3 /* rescheduling necessary */
10544 /* flag bit 4 is available */
10545 #define TIF_UNALIGNED 5 /* allowed to do unaligned accesses */
10546-/* flag bit 6 is available */
10547+#define TIF_GRSEC_SETXID 6 /* update credentials on syscall entry/exit */
10548 #define TIF_32BIT 7 /* 32-bit binary */
10549 #define TIF_NOHZ 8 /* in adaptive nohz mode */
10550 #define TIF_SECCOMP 9 /* secure computing */
10551 #define TIF_SYSCALL_AUDIT 10 /* syscall auditing active */
10552 #define TIF_SYSCALL_TRACEPOINT 11 /* syscall tracepoint instrumentation */
10553+
10554 /* NOTE: Thread flags >= 12 should be ones we have no interest
10555 * in using in assembly, else we can't use the mask as
10556 * an immediate value in instructions such as andcc.
10557@@ -205,12 +208,17 @@ register struct thread_info *current_thread_info_reg asm("g6");
10558 #define _TIF_SYSCALL_AUDIT (1<<TIF_SYSCALL_AUDIT)
10559 #define _TIF_SYSCALL_TRACEPOINT (1<<TIF_SYSCALL_TRACEPOINT)
10560 #define _TIF_POLLING_NRFLAG (1<<TIF_POLLING_NRFLAG)
10561+#define _TIF_GRSEC_SETXID (1<<TIF_GRSEC_SETXID)
10562
10563 #define _TIF_USER_WORK_MASK ((0xff << TI_FLAG_WSAVED_SHIFT) | \
10564 _TIF_DO_NOTIFY_RESUME_MASK | \
10565 _TIF_NEED_RESCHED)
10566 #define _TIF_DO_NOTIFY_RESUME_MASK (_TIF_NOTIFY_RESUME | _TIF_SIGPENDING)
10567
10568+#define _TIF_WORK_SYSCALL \
10569+ (_TIF_SYSCALL_TRACE | _TIF_SECCOMP | _TIF_SYSCALL_AUDIT | \
10570+ _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ | _TIF_GRSEC_SETXID)
10571+
10572 #define is_32bit_task() (test_thread_flag(TIF_32BIT))
10573
10574 /*
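Review bot: `_TIF_WORK_SYSCALL` has no comment recording that it is used as an `andcc` immediate in syscalls.S, which limits which flags may be added to it. The NOTE in the previous hunk says flags at bit 12 and above cannot be used that way, and the mask's highest member today is bit 11. A later addition of a higher flag would not fit the immediate field. I would add above the definition: `/* used as an andcc immediate in syscalls.S: every flag here must stay below bit 12 */`.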
10575diff --git a/arch/sparc/include/asm/uaccess.h b/arch/sparc/include/asm/uaccess.h
10576index bd56c28..4b63d83 100644
10577--- a/arch/sparc/include/asm/uaccess.h
10578+++ b/arch/sparc/include/asm/uaccess.h
10579@@ -1,5 +1,6 @@
10580 #ifndef ___ASM_SPARC_UACCESS_H
10581 #define ___ASM_SPARC_UACCESS_H
10582+
10583 #if defined(__sparc__) && defined(__arch64__)
10584 #include <asm/uaccess_64.h>
10585 #else
10586diff --git a/arch/sparc/include/asm/uaccess_32.h b/arch/sparc/include/asm/uaccess_32.h
10587index 64ee103..388aef0 100644
10588--- a/arch/sparc/include/asm/uaccess_32.h
10589+++ b/arch/sparc/include/asm/uaccess_32.h
10590@@ -47,6 +47,7 @@
10591 #define __user_ok(addr, size) ({ (void)(size); (addr) < STACK_TOP; })
10592 #define __kernel_ok (segment_eq(get_fs(), KERNEL_DS))
10593 #define __access_ok(addr, size) (__user_ok((addr) & get_fs().seg, (size)))
10594+#define access_ok_noprefault(type, addr, size) access_ok((type), (addr), (size))
10595 #define access_ok(type, addr, size) \
10596 ({ (void)(type); __access_ok((unsigned long)(addr), size); })
10597
10598@@ -313,27 +314,46 @@ unsigned long __copy_user(void __user *to, const void __user *from, unsigned lon
10599
10600 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
10601 {
10602- if (n && __access_ok((unsigned long) to, n))
10603+ if ((long)n < 0)
10604+ return n;
10605+
10606+ if (n && __access_ok((unsigned long) to, n)) {
10607+ if (!__builtin_constant_p(n))
10608+ check_object_size(from, n, true);
10609 return __copy_user(to, (__force void __user *) from, n);
10610- else
10611+ } else
10612 return n;
10613 }
10614
10615 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
10616 {
10617+ if ((long)n < 0)
10618+ return n;
10619+
10620+ if (!__builtin_constant_p(n))
10621+ check_object_size(from, n, true);
10622+
10623 return __copy_user(to, (__force void __user *) from, n);
10624 }
10625
10626 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
10627 {
10628- if (n && __access_ok((unsigned long) from, n))
10629+ if ((long)n < 0)
10630+ return n;
10631+
10632+ if (n && __access_ok((unsigned long) from, n)) {
10633+ if (!__builtin_constant_p(n))
10634+ check_object_size(to, n, false);
10635 return __copy_user((__force void __user *) to, from, n);
10636- else
10637+ } else
10638 return n;
10639 }
10640
10641 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
10642 {
10643+ if ((long)n < 0)
10644+ return n;
10645+
10646 return __copy_user((__force void __user *) to, from, n);
10647 }
10648
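Review bot: `__copy_from_user` receives only the `(long)n < 0` guard, while `copy_from_user`, `copy_to_user` and `__copy_to_user` in this hunk also call `check_object_size()` for non-constant sizes. That leaves the variant that skips `__access_ok` as the one copy-in path where the kernel destination object's bounds are not verified. The hunk does not say whether the omission is deliberate. If it is not, I would add `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` before the `__copy_user` call; if it is, a one-line comment giving the reason would prevent a later "fix".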
10649diff --git a/arch/sparc/include/asm/uaccess_64.h b/arch/sparc/include/asm/uaccess_64.h
10650index ea6e9a2..5703598 100644
10651--- a/arch/sparc/include/asm/uaccess_64.h
10652+++ b/arch/sparc/include/asm/uaccess_64.h
10653@@ -10,6 +10,7 @@
10654 #include <linux/compiler.h>
10655 #include <linux/string.h>
10656 #include <linux/thread_info.h>
10657+#include <linux/kernel.h>
10658 #include <asm/asi.h>
10659 #include <asm/spitfire.h>
10660 #include <asm-generic/uaccess-unaligned.h>
10661@@ -76,6 +77,11 @@ static inline int __access_ok(const void __user * addr, unsigned long size)
10662 return 1;
10663 }
10664
10665+static inline int access_ok_noprefault(int type, const void __user * addr, unsigned long size)
10666+{
10667+ return 1;
10668+}
10669+
10670 static inline int access_ok(int type, const void __user * addr, unsigned long size)
10671 {
10672 return 1;
10673@@ -250,8 +256,15 @@ unsigned long copy_from_user_fixup(void *to, const void __user *from,
10674 static inline unsigned long __must_check
10675 copy_from_user(void *to, const void __user *from, unsigned long size)
10676 {
10677- unsigned long ret = ___copy_from_user(to, from, size);
10678+ unsigned long ret;
10679
10680+ if ((long)size < 0 || size > INT_MAX)
10681+ return size;
10682+
10683+ if (!__builtin_constant_p(size))
10684+ check_object_size(to, size, false);
10685+
10686+ ret = ___copy_from_user(to, from, size);
10687 if (unlikely(ret))
10688 ret = copy_from_user_fixup(to, from, size);
10689
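Review bot: In `if ((long)size < 0 || size > INT_MAX)` the first test is redundant, because `size` is an unsigned long and any value with the sign bit set is already greater than INT_MAX. `if (unlikely(size > INT_MAX)) return size;` expresses the same bound and marks the path cold. The copy_to_user hunk that follows has the identical condition. This cap is also stricter than the 32-bit header, which rejects only `(long)n < 0`, so a short comment on why the 64-bit path stops at INT_MAX would help readers comparing the two.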
10690@@ -267,8 +280,15 @@ unsigned long copy_to_user_fixup(void __user *to, const void *from,
10691 static inline unsigned long __must_check
10692 copy_to_user(void __user *to, const void *from, unsigned long size)
10693 {
10694- unsigned long ret = ___copy_to_user(to, from, size);
10695+ unsigned long ret;
10696
10697+ if ((long)size < 0 || size > INT_MAX)
10698+ return size;
10699+
10700+ if (!__builtin_constant_p(size))
10701+ check_object_size(from, size, true);
10702+
10703+ ret = ___copy_to_user(to, from, size);
10704 if (unlikely(ret))
10705 ret = copy_to_user_fixup(to, from, size);
10706 return ret;
10707diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile
10708index 7cf9c6e..6206648 100644
10709--- a/arch/sparc/kernel/Makefile
10710+++ b/arch/sparc/kernel/Makefile
10711@@ -4,7 +4,7 @@
10712 #
10713
10714 asflags-y := -ansi
10715-ccflags-y := -Werror
10716+#ccflags-y := -Werror
10717
10718 extra-y := head_$(BITS).o
10719
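Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for every object in arch/sparc/kernel, and nothing in the file says why. If the patch set introduces warnings in specific files, the reason should be recorded next to the change so the flag can be restored later. I would add a line such as `# -Werror disabled: <warnings introduced by this patch set>; re-enable once fixed` above the commented-out assignment.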
10720diff --git a/arch/sparc/kernel/process_32.c b/arch/sparc/kernel/process_32.c
10721index 50e7b62..79fae35 100644
10722--- a/arch/sparc/kernel/process_32.c
10723+++ b/arch/sparc/kernel/process_32.c
10724@@ -123,14 +123,14 @@ void show_regs(struct pt_regs *r)
10725
10726 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
10727 r->psr, r->pc, r->npc, r->y, print_tainted());
10728- printk("PC: <%pS>\n", (void *) r->pc);
10729+ printk("PC: <%pA>\n", (void *) r->pc);
10730 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
10731 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
10732 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
10733 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
10734 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
10735 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
10736- printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
10737+ printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
10738
10739 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
10740 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
10741@@ -167,7 +167,7 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp)
10742 rw = (struct reg_window32 *) fp;
10743 pc = rw->ins[7];
10744 printk("[%08lx : ", pc);
10745- printk("%pS ] ", (void *) pc);
10746+ printk("%pA ] ", (void *) pc);
10747 fp = rw->ins[6];
10748 } while (++count < 16);
10749 printk("\n");
10750diff --git a/arch/sparc/kernel/process_64.c b/arch/sparc/kernel/process_64.c
10751index 46a5964..a35c62c 100644
10752--- a/arch/sparc/kernel/process_64.c
10753+++ b/arch/sparc/kernel/process_64.c
10754@@ -161,7 +161,7 @@ static void show_regwindow(struct pt_regs *regs)
10755 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
10756 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
10757 if (regs->tstate & TSTATE_PRIV)
10758- printk("I7: <%pS>\n", (void *) rwk->ins[7]);
10759+ printk("I7: <%pA>\n", (void *) rwk->ins[7]);
10760 }
10761
10762 void show_regs(struct pt_regs *regs)
10763@@ -170,7 +170,7 @@ void show_regs(struct pt_regs *regs)
10764
10765 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
10766 regs->tpc, regs->tnpc, regs->y, print_tainted());
10767- printk("TPC: <%pS>\n", (void *) regs->tpc);
10768+ printk("TPC: <%pA>\n", (void *) regs->tpc);
10769 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
10770 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
10771 regs->u_regs[3]);
10772@@ -183,7 +183,7 @@ void show_regs(struct pt_regs *regs)
10773 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
10774 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
10775 regs->u_regs[15]);
10776- printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
10777+ printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
10778 show_regwindow(regs);
10779 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
10780 }
10781@@ -278,7 +278,7 @@ void arch_trigger_all_cpu_backtrace(bool include_self)
10782 ((tp && tp->task) ? tp->task->pid : -1));
10783
10784 if (gp->tstate & TSTATE_PRIV) {
10785- printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
10786+ printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
10787 (void *) gp->tpc,
10788 (void *) gp->o7,
10789 (void *) gp->i7,
10790diff --git a/arch/sparc/kernel/prom_common.c b/arch/sparc/kernel/prom_common.c
10791index 79cc0d1..ec62734 100644
10792--- a/arch/sparc/kernel/prom_common.c
10793+++ b/arch/sparc/kernel/prom_common.c
10794@@ -144,7 +144,7 @@ static int __init prom_common_nextprop(phandle node, char *prev, char *buf)
10795
10796 unsigned int prom_early_allocated __initdata;
10797
10798-static struct of_pdt_ops prom_sparc_ops __initdata = {
10799+static struct of_pdt_ops prom_sparc_ops __initconst = {
10800 .nextprop = prom_common_nextprop,
10801 .getproplen = prom_getproplen,
10802 .getproperty = prom_getproperty,
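Review bot: `prom_sparc_ops` moves to `__initconst`, but the declaration is still `static struct of_pdt_ops` without `const`. `__initconst` is intended for read-only init data, and placing a non-const object there can cause section type conflicts in some toolchains. If the structure type is made const elsewhere in the patch set, which is not visible here, that explains the change. Otherwise I would write `static const struct of_pdt_ops prom_sparc_ops __initconst = {`, provided the consumer accepts a const pointer. The initializer continues past the end of the hunk.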
10803diff --git a/arch/sparc/kernel/ptrace_64.c b/arch/sparc/kernel/ptrace_64.c
10804index 9ddc492..27a5619 100644
10805--- a/arch/sparc/kernel/ptrace_64.c
10806+++ b/arch/sparc/kernel/ptrace_64.c
10807@@ -1060,6 +1060,10 @@ long arch_ptrace(struct task_struct *child, long request,
10808 return ret;
10809 }
10810
10811+#ifdef CONFIG_GRKERNSEC_SETXID
10812+extern void gr_delayed_cred_worker(void);
10813+#endif
10814+
10815 asmlinkage int syscall_trace_enter(struct pt_regs *regs)
10816 {
10817 int ret = 0;
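Review bot: `extern void gr_delayed_cred_worker(void);` is declared locally in this .c file, so the compiler cannot check the prototype against the definition. A declaration in a shared header, included both here and where the function is defined, would catch any signature drift. If that header also supplied `static inline void gr_delayed_cred_worker(void) { }` for the disabled case, the call sites in the next two hunks could drop their `#ifdef CONFIG_GRKERNSEC_SETXID`, since `TIF_GRSEC_SETXID` is defined unconditionally in thread_info_64.h. syscall_trace_enter's body continues past this hunk.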
10818@@ -1070,6 +1074,11 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs)
10819 if (test_thread_flag(TIF_NOHZ))
10820 user_exit();
10821
10822+#ifdef CONFIG_GRKERNSEC_SETXID
10823+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
10824+ gr_delayed_cred_worker();
10825+#endif
10826+
10827 if (test_thread_flag(TIF_SYSCALL_TRACE))
10828 ret = tracehook_report_syscall_entry(regs);
10829
10830@@ -1088,6 +1097,11 @@ asmlinkage void syscall_trace_leave(struct pt_regs *regs)
10831 if (test_thread_flag(TIF_NOHZ))
10832 user_exit();
10833
10834+#ifdef CONFIG_GRKERNSEC_SETXID
10835+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
10836+ gr_delayed_cred_worker();
10837+#endif
10838+
10839 audit_syscall_exit(regs);
10840
10841 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
10842diff --git a/arch/sparc/kernel/smp_64.c b/arch/sparc/kernel/smp_64.c
10843index 19cd08d..ff21e99 100644
10844--- a/arch/sparc/kernel/smp_64.c
10845+++ b/arch/sparc/kernel/smp_64.c
10846@@ -891,7 +891,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu)
10847 return;
10848
10849 #ifdef CONFIG_DEBUG_DCFLUSH
10850- atomic_inc(&dcpage_flushes);
10851+ atomic_inc_unchecked(&dcpage_flushes);
10852 #endif
10853
10854 this_cpu = get_cpu();
10855@@ -915,7 +915,7 @@ void smp_flush_dcache_page_impl(struct page *page, int cpu)
10856 xcall_deliver(data0, __pa(pg_addr),
10857 (u64) pg_addr, cpumask_of(cpu));
10858 #ifdef CONFIG_DEBUG_DCFLUSH
10859- atomic_inc(&dcpage_flushes_xcall);
10860+ atomic_inc_unchecked(&dcpage_flushes_xcall);
10861 #endif
10862 }
10863 }
10864@@ -934,7 +934,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page)
10865 preempt_disable();
10866
10867 #ifdef CONFIG_DEBUG_DCFLUSH
10868- atomic_inc(&dcpage_flushes);
10869+ atomic_inc_unchecked(&dcpage_flushes);
10870 #endif
10871 data0 = 0;
10872 pg_addr = page_address(page);
10873@@ -951,7 +951,7 @@ void flush_dcache_page_all(struct mm_struct *mm, struct page *page)
10874 xcall_deliver(data0, __pa(pg_addr),
10875 (u64) pg_addr, cpu_online_mask);
10876 #ifdef CONFIG_DEBUG_DCFLUSH
10877- atomic_inc(&dcpage_flushes_xcall);
10878+ atomic_inc_unchecked(&dcpage_flushes_xcall);
10879 #endif
10880 }
10881 __local_flush_dcache_page(page);
10882diff --git a/arch/sparc/kernel/sys_sparc_32.c b/arch/sparc/kernel/sys_sparc_32.c
10883index 646988d..b88905f 100644
10884--- a/arch/sparc/kernel/sys_sparc_32.c
10885+++ b/arch/sparc/kernel/sys_sparc_32.c
10886@@ -54,7 +54,7 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10887 if (len > TASK_SIZE - PAGE_SIZE)
10888 return -ENOMEM;
10889 if (!addr)
10890- addr = TASK_UNMAPPED_BASE;
10891+ addr = current->mm->mmap_base;
10892
10893 info.flags = 0;
10894 info.length = len;
10895diff --git a/arch/sparc/kernel/sys_sparc_64.c b/arch/sparc/kernel/sys_sparc_64.c
10896index 30e7ddb..266a3b0 100644
10897--- a/arch/sparc/kernel/sys_sparc_64.c
10898+++ b/arch/sparc/kernel/sys_sparc_64.c
10899@@ -89,13 +89,14 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10900 struct vm_area_struct * vma;
10901 unsigned long task_size = TASK_SIZE;
10902 int do_color_align;
10903+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
10904 struct vm_unmapped_area_info info;
10905
10906 if (flags & MAP_FIXED) {
10907 /* We do not accept a shared mapping if it would violate
10908 * cache aliasing constraints.
10909 */
10910- if ((flags & MAP_SHARED) &&
10911+ if ((filp || (flags & MAP_SHARED)) &&
10912 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
10913 return -EINVAL;
10914 return addr;
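Review bot: The comment above the MAP_FIXED test still says "We do not accept a shared mapping", but the condition is widened to `filp || (flags & MAP_SHARED)`. A private file-backed MAP_FIXED request whose address is not SHMLBA-congruent with its offset now fails with -EINVAL. That is a user-visible behaviour change the comment should describe, for example `/* We do not accept a file-backed or shared mapping if it would violate cache aliasing constraints. */`. The same edit and the same stale comment appear in arch_get_unmapped_area_topdown further down.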
10915@@ -110,6 +111,10 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10916 if (filp || (flags & MAP_SHARED))
10917 do_color_align = 1;
10918
10919+#ifdef CONFIG_PAX_RANDMMAP
10920+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
10921+#endif
10922+
10923 if (addr) {
10924 if (do_color_align)
10925 addr = COLOR_ALIGN(addr, pgoff);
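Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own and depends on the `#endif` and a blank line being followed by the existing `if (addr) {` block. A statement inserted between the two later would silently change what is guarded, and the nesting is invisible when the option is off. The same construct is added in arch_get_unmapped_area_topdown, with a comment line in between, and in mmap_rnd. I would make the dependency explicit with a flag tested alongside `addr`, as sketched below; the enclosing function starts and ends outside this hunk.

```c
	/* declared with the other locals at the top of the function */
	bool use_hint = true;

	/* … unchanged: do_color_align setup … */

#ifdef CONFIG_PAX_RANDMMAP
	/* ignore the caller's address hint when mmap randomisation is on */
	use_hint = !(mm->pax_flags & MF_PAX_RANDMMAP);
#endif

	if (use_hint && addr) {
```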
10926@@ -117,22 +122,28 @@ unsigned long arch_get_unmapped_area(struct file *filp, unsigned long addr, unsi
10927 addr = PAGE_ALIGN(addr);
10928
10929 vma = find_vma(mm, addr);
10930- if (task_size - len >= addr &&
10931- (!vma || addr + len <= vma->vm_start))
10932+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
10933 return addr;
10934 }
10935
10936 info.flags = 0;
10937 info.length = len;
10938- info.low_limit = TASK_UNMAPPED_BASE;
10939+ info.low_limit = mm->mmap_base;
10940 info.high_limit = min(task_size, VA_EXCLUDE_START);
10941 info.align_mask = do_color_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
10942 info.align_offset = pgoff << PAGE_SHIFT;
10943+ info.threadstack_offset = offset;
10944 addr = vm_unmapped_area(&info);
10945
10946 if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) {
10947 VM_BUG_ON(addr != -ENOMEM);
10948 info.low_limit = VA_EXCLUDE_END;
10949+
10950+#ifdef CONFIG_PAX_RANDMMAP
10951+ if (mm->pax_flags & MF_PAX_RANDMMAP)
10952+ info.low_limit += mm->delta_mmap;
10953+#endif
10954+
10955 info.high_limit = task_size;
10956 addr = vm_unmapped_area(&info);
10957 }
10958@@ -150,6 +161,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10959 unsigned long task_size = STACK_TOP32;
10960 unsigned long addr = addr0;
10961 int do_color_align;
10962+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
10963 struct vm_unmapped_area_info info;
10964
10965 /* This should only ever run for 32-bit processes. */
10966@@ -159,7 +171,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10967 /* We do not accept a shared mapping if it would violate
10968 * cache aliasing constraints.
10969 */
10970- if ((flags & MAP_SHARED) &&
10971+ if ((filp || (flags & MAP_SHARED)) &&
10972 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
10973 return -EINVAL;
10974 return addr;
10975@@ -172,6 +184,10 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10976 if (filp || (flags & MAP_SHARED))
10977 do_color_align = 1;
10978
10979+#ifdef CONFIG_PAX_RANDMMAP
10980+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
10981+#endif
10982+
10983 /* requesting a specific address */
10984 if (addr) {
10985 if (do_color_align)
10986@@ -180,8 +196,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10987 addr = PAGE_ALIGN(addr);
10988
10989 vma = find_vma(mm, addr);
10990- if (task_size - len >= addr &&
10991- (!vma || addr + len <= vma->vm_start))
10992+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
10993 return addr;
10994 }
10995
10996@@ -191,6 +206,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
10997 info.high_limit = mm->mmap_base;
10998 info.align_mask = do_color_align ? (PAGE_MASK & (SHMLBA - 1)) : 0;
10999 info.align_offset = pgoff << PAGE_SHIFT;
11000+ info.threadstack_offset = offset;
11001 addr = vm_unmapped_area(&info);
11002
11003 /*
11004@@ -203,6 +219,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
11005 VM_BUG_ON(addr != -ENOMEM);
11006 info.flags = 0;
11007 info.low_limit = TASK_UNMAPPED_BASE;
11008+
11009+#ifdef CONFIG_PAX_RANDMMAP
11010+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11011+ info.low_limit += mm->delta_mmap;
11012+#endif
11013+
11014 info.high_limit = STACK_TOP32;
11015 addr = vm_unmapped_area(&info);
11016 }
11017@@ -259,10 +281,14 @@ unsigned long get_fb_unmapped_area(struct file *filp, unsigned long orig_addr, u
11018 EXPORT_SYMBOL(get_fb_unmapped_area);
11019
11020 /* Essentially the same as PowerPC. */
11021-static unsigned long mmap_rnd(void)
11022+static unsigned long mmap_rnd(struct mm_struct *mm)
11023 {
11024 unsigned long rnd = 0UL;
11025
11026+#ifdef CONFIG_PAX_RANDMMAP
11027+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
11028+#endif
11029+
11030 if (current->flags & PF_RANDOMIZE) {
11031 unsigned long val = get_random_int();
11032 if (test_thread_flag(TIF_32BIT))
11033@@ -275,7 +301,7 @@ static unsigned long mmap_rnd(void)
11034
11035 void arch_pick_mmap_layout(struct mm_struct *mm)
11036 {
11037- unsigned long random_factor = mmap_rnd();
11038+ unsigned long random_factor = mmap_rnd(mm);
11039 unsigned long gap;
11040
11041 /*
11042@@ -288,6 +314,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
11043 gap == RLIM_INFINITY ||
11044 sysctl_legacy_va_layout) {
11045 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
11046+
11047+#ifdef CONFIG_PAX_RANDMMAP
11048+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11049+ mm->mmap_base += mm->delta_mmap;
11050+#endif
11051+
11052 mm->get_unmapped_area = arch_get_unmapped_area;
11053 } else {
11054 /* We know it's 32-bit */
11055@@ -299,6 +331,12 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
11056 gap = (task_size / 6 * 5);
11057
11058 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
11059+
11060+#ifdef CONFIG_PAX_RANDMMAP
11061+ if (mm->pax_flags & MF_PAX_RANDMMAP)
11062+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
11063+#endif
11064+
11065 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
11066 }
11067 }
11068diff --git a/arch/sparc/kernel/syscalls.S b/arch/sparc/kernel/syscalls.S
11069index bb00089..e0ea580 100644
11070--- a/arch/sparc/kernel/syscalls.S
11071+++ b/arch/sparc/kernel/syscalls.S
11072@@ -62,7 +62,7 @@ sys32_rt_sigreturn:
11073 #endif
11074 .align 32
11075 1: ldx [%g6 + TI_FLAGS], %l5
11076- andcc %l5, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
11077+ andcc %l5, _TIF_WORK_SYSCALL, %g0
11078 be,pt %icc, rtrap
11079 nop
11080 call syscall_trace_leave
11081@@ -194,7 +194,7 @@ linux_sparc_syscall32:
11082
11083 srl %i3, 0, %o3 ! IEU0
11084 srl %i2, 0, %o2 ! IEU0 Group
11085- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
11086+ andcc %l0, _TIF_WORK_SYSCALL, %g0
11087 bne,pn %icc, linux_syscall_trace32 ! CTI
11088 mov %i0, %l5 ! IEU1
11089 5: call %l7 ! CTI Group brk forced
11090@@ -218,7 +218,7 @@ linux_sparc_syscall:
11091
11092 mov %i3, %o3 ! IEU1
11093 mov %i4, %o4 ! IEU0 Group
11094- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
11095+ andcc %l0, _TIF_WORK_SYSCALL, %g0
11096 bne,pn %icc, linux_syscall_trace ! CTI Group
11097 mov %i0, %l5 ! IEU0
11098 2: call %l7 ! CTI Group brk forced
11099@@ -233,7 +233,7 @@ ret_sys_call:
11100
11101 cmp %o0, -ERESTART_RESTARTBLOCK
11102 bgeu,pn %xcc, 1f
11103- andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT|_TIF_NOHZ), %g0
11104+ andcc %l0, _TIF_WORK_SYSCALL, %g0
11105 ldx [%sp + PTREGS_OFF + PT_V9_TNPC], %l1 ! pc = npc
11106
11107 2:
11108diff --git a/arch/sparc/kernel/traps_32.c b/arch/sparc/kernel/traps_32.c
11109index 4f21df7..0a374da 100644
11110--- a/arch/sparc/kernel/traps_32.c
11111+++ b/arch/sparc/kernel/traps_32.c
11112@@ -44,6 +44,8 @@ static void instruction_dump(unsigned long *pc)
11113 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
11114 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
11115
11116+extern void gr_handle_kernel_exploit(void);
11117+
11118 void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11119 {
11120 static int die_counter;
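Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in traps_32.c, and the same line is repeated in the traps_64.c hunk ahead of die_if_kernel(). A prototype kept in a .c file is not checked against the definition, so a later signature change would still compile and only misbehave at run time. Declaring it once in a header that both callers and the defining file include would let the compiler catch a mismatch. die_if_kernel() continues outside this hunk.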
11121@@ -76,15 +78,17 @@ void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11122 count++ < 30 &&
11123 (((unsigned long) rw) >= PAGE_OFFSET) &&
11124 !(((unsigned long) rw) & 0x7)) {
11125- printk("Caller[%08lx]: %pS\n", rw->ins[7],
11126+ printk("Caller[%08lx]: %pA\n", rw->ins[7],
11127 (void *) rw->ins[7]);
11128 rw = (struct reg_window32 *)rw->ins[6];
11129 }
11130 }
11131 printk("Instruction DUMP:");
11132 instruction_dump ((unsigned long *) regs->pc);
11133- if(regs->psr & PSR_PS)
11134+ if(regs->psr & PSR_PS) {
11135+ gr_handle_kernel_exploit();
11136 do_exit(SIGKILL);
11137+ }
11138 do_exit(SIGSEGV);
11139 }
11140
11141diff --git a/arch/sparc/kernel/traps_64.c b/arch/sparc/kernel/traps_64.c
11142index d21cd62..00a4a17 100644
11143--- a/arch/sparc/kernel/traps_64.c
11144+++ b/arch/sparc/kernel/traps_64.c
11145@@ -79,7 +79,7 @@ static void dump_tl1_traplog(struct tl1_traplog *p)
11146 i + 1,
11147 p->trapstack[i].tstate, p->trapstack[i].tpc,
11148 p->trapstack[i].tnpc, p->trapstack[i].tt);
11149- printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
11150+ printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
11151 }
11152 }
11153
11154@@ -99,6 +99,12 @@ void bad_trap(struct pt_regs *regs, long lvl)
11155
11156 lvl -= 0x100;
11157 if (regs->tstate & TSTATE_PRIV) {
11158+
11159+#ifdef CONFIG_PAX_REFCOUNT
11160+ if (lvl == 6)
11161+ pax_report_refcount_overflow(regs);
11162+#endif
11163+
11164 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
11165 die_if_kernel(buffer, regs);
11166 }
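Review bot: The `lvl == 6` test in bad_trap() relies on a bare number that has to stay equal to the trap number in the `tvs %icc, 6` and `tvs %xcc, 6` instructions this patch adds to arch/sparc/lib/atomic_64.S. The same literal appears again in the bad_trap_tl1() hunk. Nothing ties these sites together, so changing one would leave overflow traps reported as a generic bad software trap. A shared named constant used by both the C code and the assembler macros (for example `PAX_REFCOUNT_TRAP`, the name is only a suggestion), with a comment like `/* software trap raised on refcount overflow */`, would make the coupling visible. bad_trap() continues outside the hunk.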
11167@@ -117,11 +123,16 @@ void bad_trap(struct pt_regs *regs, long lvl)
11168 void bad_trap_tl1(struct pt_regs *regs, long lvl)
11169 {
11170 char buffer[32];
11171-
11172+
11173 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
11174 0, lvl, SIGTRAP) == NOTIFY_STOP)
11175 return;
11176
11177+#ifdef CONFIG_PAX_REFCOUNT
11178+ if (lvl == 6)
11179+ pax_report_refcount_overflow(regs);
11180+#endif
11181+
11182 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
11183
11184 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
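Review bot: bad_trap_tl1() compares the raw `lvl` argument with 6, whereas bad_trap() in the previous hunk does so only after `lvl -= 0x100`. No such adjustment is visible in this function, so if `lvl` arrives here as the full trap type the `pax_report_refcount_overflow(regs)` call would never run. Please confirm what value the caller passes and record it in a comment next to the check. The hunk also replaces the empty line after `char buffer[32];` with one that differs only in whitespace, which is worth dropping.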
11185@@ -1151,7 +1162,7 @@ static void cheetah_log_errors(struct pt_regs *regs, struct cheetah_err_info *in
11186 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
11187 printk("%s" "ERROR(%d): ",
11188 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
11189- printk("TPC<%pS>\n", (void *) regs->tpc);
11190+ printk("TPC<%pA>\n", (void *) regs->tpc);
11191 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
11192 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
11193 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
11194@@ -1758,7 +1769,7 @@ void cheetah_plus_parity_error(int type, struct pt_regs *regs)
11195 smp_processor_id(),
11196 (type & 0x1) ? 'I' : 'D',
11197 regs->tpc);
11198- printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
11199+ printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
11200 panic("Irrecoverable Cheetah+ parity error.");
11201 }
11202
11203@@ -1766,7 +1777,7 @@ void cheetah_plus_parity_error(int type, struct pt_regs *regs)
11204 smp_processor_id(),
11205 (type & 0x1) ? 'I' : 'D',
11206 regs->tpc);
11207- printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
11208+ printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
11209 }
11210
11211 struct sun4v_error_entry {
11212@@ -1839,8 +1850,8 @@ struct sun4v_error_entry {
11213 /*0x38*/u64 reserved_5;
11214 };
11215
11216-static atomic_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0);
11217-static atomic_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0);
11218+static atomic_unchecked_t sun4v_resum_oflow_cnt = ATOMIC_INIT(0);
11219+static atomic_unchecked_t sun4v_nonresum_oflow_cnt = ATOMIC_INIT(0);
11220
11221 static const char *sun4v_err_type_to_str(u8 type)
11222 {
11223@@ -1932,7 +1943,7 @@ static void sun4v_report_real_raddr(const char *pfx, struct pt_regs *regs)
11224 }
11225
11226 static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent,
11227- int cpu, const char *pfx, atomic_t *ocnt)
11228+ int cpu, const char *pfx, atomic_unchecked_t *ocnt)
11229 {
11230 u64 *raw_ptr = (u64 *) ent;
11231 u32 attrs;
11232@@ -1990,8 +2001,8 @@ static void sun4v_log_error(struct pt_regs *regs, struct sun4v_error_entry *ent,
11233
11234 show_regs(regs);
11235
11236- if ((cnt = atomic_read(ocnt)) != 0) {
11237- atomic_set(ocnt, 0);
11238+ if ((cnt = atomic_read_unchecked(ocnt)) != 0) {
11239+ atomic_set_unchecked(ocnt, 0);
11240 wmb();
11241 printk("%s: Queue overflowed %d times.\n",
11242 pfx, cnt);
11243@@ -2048,7 +2059,7 @@ out:
11244 */
11245 void sun4v_resum_overflow(struct pt_regs *regs)
11246 {
11247- atomic_inc(&sun4v_resum_oflow_cnt);
11248+ atomic_inc_unchecked(&sun4v_resum_oflow_cnt);
11249 }
11250
11251 /* We run with %pil set to PIL_NORMAL_MAX and PSTATE_IE enabled in %pstate.
11252@@ -2101,7 +2112,7 @@ void sun4v_nonresum_overflow(struct pt_regs *regs)
11253 /* XXX Actually even this can make not that much sense. Perhaps
11254 * XXX we should just pull the plug and panic directly from here?
11255 */
11256- atomic_inc(&sun4v_nonresum_oflow_cnt);
11257+ atomic_inc_unchecked(&sun4v_nonresum_oflow_cnt);
11258 }
11259
11260 static void sun4v_tlb_error(struct pt_regs *regs)
11261@@ -2120,9 +2131,9 @@ void sun4v_itlb_error_report(struct pt_regs *regs, int tl)
11262
11263 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
11264 regs->tpc, tl);
11265- printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
11266+ printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
11267 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
11268- printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
11269+ printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
11270 (void *) regs->u_regs[UREG_I7]);
11271 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
11272 "pte[%lx] error[%lx]\n",
11273@@ -2143,9 +2154,9 @@ void sun4v_dtlb_error_report(struct pt_regs *regs, int tl)
11274
11275 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
11276 regs->tpc, tl);
11277- printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
11278+ printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
11279 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
11280- printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
11281+ printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
11282 (void *) regs->u_regs[UREG_I7]);
11283 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
11284 "pte[%lx] error[%lx]\n",
11285@@ -2362,13 +2373,13 @@ void show_stack(struct task_struct *tsk, unsigned long *_ksp)
11286 fp = (unsigned long)sf->fp + STACK_BIAS;
11287 }
11288
11289- printk(" [%016lx] %pS\n", pc, (void *) pc);
11290+ printk(" [%016lx] %pA\n", pc, (void *) pc);
11291 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
11292 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
11293 int index = tsk->curr_ret_stack;
11294 if (tsk->ret_stack && index >= graph) {
11295 pc = tsk->ret_stack[index - graph].ret;
11296- printk(" [%016lx] %pS\n", pc, (void *) pc);
11297+ printk(" [%016lx] %pA\n", pc, (void *) pc);
11298 graph++;
11299 }
11300 }
11301@@ -2386,6 +2397,8 @@ static inline struct reg_window *kernel_stack_up(struct reg_window *rw)
11302 return (struct reg_window *) (fp + STACK_BIAS);
11303 }
11304
11305+extern void gr_handle_kernel_exploit(void);
11306+
11307 void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11308 {
11309 static int die_counter;
11310@@ -2414,7 +2427,7 @@ void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11311 while (rw &&
11312 count++ < 30 &&
11313 kstack_valid(tp, (unsigned long) rw)) {
11314- printk("Caller[%016lx]: %pS\n", rw->ins[7],
11315+ printk("Caller[%016lx]: %pA\n", rw->ins[7],
11316 (void *) rw->ins[7]);
11317
11318 rw = kernel_stack_up(rw);
11319@@ -2429,8 +2442,10 @@ void __noreturn die_if_kernel(char *str, struct pt_regs *regs)
11320 }
11321 if (panic_on_oops)
11322 panic("Fatal exception");
11323- if (regs->tstate & TSTATE_PRIV)
11324+ if (regs->tstate & TSTATE_PRIV) {
11325+ gr_handle_kernel_exploit();
11326 do_exit(SIGKILL);
11327+ }
11328 do_exit(SIGSEGV);
11329 }
11330 EXPORT_SYMBOL(die_if_kernel);
11331diff --git a/arch/sparc/kernel/unaligned_64.c b/arch/sparc/kernel/unaligned_64.c
11332index 62098a8..547ab2c 100644
11333--- a/arch/sparc/kernel/unaligned_64.c
11334+++ b/arch/sparc/kernel/unaligned_64.c
11335@@ -297,7 +297,7 @@ static void log_unaligned(struct pt_regs *regs)
11336 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
11337
11338 if (__ratelimit(&ratelimit)) {
11339- printk("Kernel unaligned access at TPC[%lx] %pS\n",
11340+ printk("Kernel unaligned access at TPC[%lx] %pA\n",
11341 regs->tpc, (void *) regs->tpc);
11342 }
11343 }
11344diff --git a/arch/sparc/lib/Makefile b/arch/sparc/lib/Makefile
11345index 3269b02..64f5231 100644
11346--- a/arch/sparc/lib/Makefile
11347+++ b/arch/sparc/lib/Makefile
11348@@ -2,7 +2,7 @@
11349 #
11350
11351 asflags-y := -ansi -DST_DIV0=0x02
11352-ccflags-y := -Werror
11353+#ccflags-y := -Werror
11354
11355 lib-$(CONFIG_SPARC32) += ashrdi3.o
11356 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
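Review bot: `ccflags-y := -Werror` is commented out rather than removed, with no explanation, and the arch/sparc/mm/Makefile hunk later in this patch does the same. Turning warnings-as-errors off for these two directories means new compiler diagnostics in the code added by this patch will no longer stop the build. If some added code is known to warn, a comment naming the warning, for instance `# -Werror disabled: <warning emitted by the patched code>`, would tell a maintainer when the flag can be restored. Otherwise the line should simply be deleted.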
11357diff --git a/arch/sparc/lib/atomic_64.S b/arch/sparc/lib/atomic_64.S
11358index 05dac43..76f8ed4 100644
11359--- a/arch/sparc/lib/atomic_64.S
11360+++ b/arch/sparc/lib/atomic_64.S
11361@@ -15,11 +15,22 @@
11362 * a value and does the barriers.
11363 */
11364
11365-#define ATOMIC_OP(op) \
11366-ENTRY(atomic_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11367+#ifdef CONFIG_PAX_REFCOUNT
11368+#define __REFCOUNT_OP(op) op##cc
11369+#define __OVERFLOW_IOP tvs %icc, 6;
11370+#define __OVERFLOW_XOP tvs %xcc, 6;
11371+#else
11372+#define __REFCOUNT_OP(op) op
11373+#define __OVERFLOW_IOP
11374+#define __OVERFLOW_XOP
11375+#endif
11376+
11377+#define __ATOMIC_OP(op, suffix, asm_op, post_op) \
11378+ENTRY(atomic_##op##suffix) /* %o0 = increment, %o1 = atomic_ptr */ \
11379 BACKOFF_SETUP(%o2); \
11380 1: lduw [%o1], %g1; \
11381- op %g1, %o0, %g7; \
11382+ asm_op %g1, %o0, %g7; \
11383+ post_op \
11384 cas [%o1], %g1, %g7; \
11385 cmp %g1, %g7; \
11386 bne,pn %icc, BACKOFF_LABEL(2f, 1b); \
11387@@ -29,11 +40,15 @@ ENTRY(atomic_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11388 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11389 ENDPROC(atomic_##op); \
11390
11391-#define ATOMIC_OP_RETURN(op) \
11392-ENTRY(atomic_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11393+#define ATOMIC_OP(op) __ATOMIC_OP(op, , op, ) \
11394+ __ATOMIC_OP(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_IOP)
11395+
11396+#define __ATOMIC_OP_RETURN(op, suffix, asm_op, post_op) \
11397+ENTRY(atomic_##op##_return##suffix) /* %o0 = increment, %o1 = atomic_ptr */\
11398 BACKOFF_SETUP(%o2); \
11399 1: lduw [%o1], %g1; \
11400- op %g1, %o0, %g7; \
11401+ asm_op %g1, %o0, %g7; \
11402+ post_op \
11403 cas [%o1], %g1, %g7; \
11404 cmp %g1, %g7; \
11405 bne,pn %icc, BACKOFF_LABEL(2f, 1b); \
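Review bot: The new `ATOMIC_OP(op)` definition looks inverted. The plain `atomic_##op` is generated with the ordinary `op` and no trap, while the `_unchecked` variant receives `__REFCOUNT_OP(op)` and `__OVERFLOW_IOP`, which is the `op##cc` plus `tvs %icc, 6` overflow check. Elsewhere in this patch `_unchecked` is used for counters where wrap-around is harmless, such as the sun4v overflow counters in traps_64.c, so the check would be expected on the unsuffixed functions. If that reading is right the arguments should be swapped, `__ATOMIC_OP(op, , __REFCOUNT_OP(op), __OVERFLOW_IOP)` and `__ATOMIC_OP(op, _unchecked, op, )`, and likewise for `ATOMIC_OP_RETURN`, `ATOMIC64_OP` and `ATOMIC64_OP_RETURN` in the following hunks. As written, reference counts using the plain API would get no overflow detection on this architecture.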
11406@@ -43,6 +58,9 @@ ENTRY(atomic_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11407 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11408 ENDPROC(atomic_##op##_return);
11409
11410+#define ATOMIC_OP_RETURN(op) __ATOMIC_OP_RETURN(op, , op, ) \
11411+ __ATOMIC_OP_RETURN(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_IOP)
11412+
11413 #define ATOMIC_OPS(op) ATOMIC_OP(op) ATOMIC_OP_RETURN(op)
11414
11415 ATOMIC_OPS(add)
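Review bot: `ENDPROC(atomic_##op##_return)` was left without `##suffix`, so the `_unchecked` instantiation of `__ATOMIC_OP_RETURN` closes a symbol it did not open. The same applies to `ENDPROC(atomic_##op)`, `ENDPROC(atomic64_##op)` and `ENDPROC(atomic64_##op##_return)` in the neighbouring hunks. The `_unchecked` entry points presumably end up without their own type and size annotation while the plain symbol is annotated twice. Changing each to the suffixed form, e.g. `ENDPROC(atomic_##op##_return##suffix);`, keeps every ENTRY/ENDPROC pair matched.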
11416@@ -50,13 +68,16 @@ ATOMIC_OPS(sub)
11417
11418 #undef ATOMIC_OPS
11419 #undef ATOMIC_OP_RETURN
11420+#undef __ATOMIC_OP_RETURN
11421 #undef ATOMIC_OP
11422+#undef __ATOMIC_OP
11423
11424-#define ATOMIC64_OP(op) \
11425-ENTRY(atomic64_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11426+#define __ATOMIC64_OP(op, suffix, asm_op, post_op) \
11427+ENTRY(atomic64_##op##suffix) /* %o0 = increment, %o1 = atomic_ptr */ \
11428 BACKOFF_SETUP(%o2); \
11429 1: ldx [%o1], %g1; \
11430- op %g1, %o0, %g7; \
11431+ asm_op %g1, %o0, %g7; \
11432+ post_op \
11433 casx [%o1], %g1, %g7; \
11434 cmp %g1, %g7; \
11435 bne,pn %xcc, BACKOFF_LABEL(2f, 1b); \
11436@@ -66,11 +87,15 @@ ENTRY(atomic64_##op) /* %o0 = increment, %o1 = atomic_ptr */ \
11437 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11438 ENDPROC(atomic64_##op); \
11439
11440-#define ATOMIC64_OP_RETURN(op) \
11441-ENTRY(atomic64_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11442+#define ATOMIC64_OP(op) __ATOMIC64_OP(op, , op, ) \
11443+ __ATOMIC64_OP(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_XOP)
11444+
11445+#define __ATOMIC64_OP_RETURN(op, suffix, asm_op, post_op) \
11446+ENTRY(atomic64_##op##_return##suffix) /* %o0 = increment, %o1 = atomic_ptr */\
11447 BACKOFF_SETUP(%o2); \
11448 1: ldx [%o1], %g1; \
11449- op %g1, %o0, %g7; \
11450+ asm_op %g1, %o0, %g7; \
11451+ post_op \
11452 casx [%o1], %g1, %g7; \
11453 cmp %g1, %g7; \
11454 bne,pn %xcc, BACKOFF_LABEL(2f, 1b); \
11455@@ -80,6 +105,9 @@ ENTRY(atomic64_##op##_return) /* %o0 = increment, %o1 = atomic_ptr */ \
11456 2: BACKOFF_SPIN(%o2, %o3, 1b); \
11457 ENDPROC(atomic64_##op##_return);
11458
11459+#define ATOMIC64_OP_RETURN(op) __ATOMIC64_OP_RETURN(op, , op, ) \
11460+i __ATOMIC64_OP_RETURN(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_XOP)
11461+
11462 #define ATOMIC64_OPS(op) ATOMIC64_OP(op) ATOMIC64_OP_RETURN(op)
11463
11464 ATOMIC64_OPS(add)
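Review bot: The continuation line of the new `ATOMIC64_OP_RETURN(op)` macro starts with a stray `i` before `__ATOMIC64_OP_RETURN(op, _unchecked, ...)`. The character is part of the macro body, so every expansion emits a bare `i` token between the two generated functions, which the assembler will either reject or interpret as something unintended. The line should read `__ATOMIC64_OP_RETURN(op, _unchecked, __REFCOUNT_OP(op), __OVERFLOW_XOP)` with only whitespace in front of it.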
11465@@ -87,7 +115,12 @@ ATOMIC64_OPS(sub)
11466
11467 #undef ATOMIC64_OPS
11468 #undef ATOMIC64_OP_RETURN
11469+#undef __ATOMIC64_OP_RETURN
11470 #undef ATOMIC64_OP
11471+#undef __ATOMIC64_OP
11472+#undef __OVERFLOW_XOP
11473+#undef __OVERFLOW_IOP
11474+#undef __REFCOUNT_OP
11475
11476 ENTRY(atomic64_dec_if_positive) /* %o0 = atomic_ptr */
11477 BACKOFF_SETUP(%o2)
11478diff --git a/arch/sparc/lib/ksyms.c b/arch/sparc/lib/ksyms.c
11479index 8069ce1..c2e23c4 100644
11480--- a/arch/sparc/lib/ksyms.c
11481+++ b/arch/sparc/lib/ksyms.c
11482@@ -101,7 +101,9 @@ EXPORT_SYMBOL(__clear_user);
11483 /* Atomic counter implementation. */
11484 #define ATOMIC_OP(op) \
11485 EXPORT_SYMBOL(atomic_##op); \
11486-EXPORT_SYMBOL(atomic64_##op);
11487+EXPORT_SYMBOL(atomic_##op##_unchecked); \
11488+EXPORT_SYMBOL(atomic64_##op); \
11489+EXPORT_SYMBOL(atomic64_##op##_unchecked);
11490
11491 #define ATOMIC_OP_RETURN(op) \
11492 EXPORT_SYMBOL(atomic_##op##_return); \
11493@@ -110,6 +112,8 @@ EXPORT_SYMBOL(atomic64_##op##_return);
11494 #define ATOMIC_OPS(op) ATOMIC_OP(op) ATOMIC_OP_RETURN(op)
11495
11496 ATOMIC_OPS(add)
11497+EXPORT_SYMBOL(atomic_add_ret_unchecked);
11498+EXPORT_SYMBOL(atomic64_add_ret_unchecked);
11499 ATOMIC_OPS(sub)
11500
11501 #undef ATOMIC_OPS
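Review bot: The two added exports name `atomic_add_ret_unchecked` and `atomic64_add_ret_unchecked`, but the macros this patch adds to arch/sparc/lib/atomic_64.S generate `atomic_##op##_return##suffix`, i.e. `atomic_add_return_unchecked`. Unless the `_ret_` names are defined somewhere not shown here, these exports refer to symbols that do not exist. The `_return_unchecked` functions for both add and sub would also stay unexported to modules. Extending `ATOMIC_OP_RETURN` the way the first hunk extends `ATOMIC_OP`, with `EXPORT_SYMBOL(atomic_##op##_return_unchecked);` and `EXPORT_SYMBOL(atomic64_##op##_return_unchecked);`, would cover both operations.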
11502diff --git a/arch/sparc/mm/Makefile b/arch/sparc/mm/Makefile
11503index 30c3ecc..736f015 100644
11504--- a/arch/sparc/mm/Makefile
11505+++ b/arch/sparc/mm/Makefile
11506@@ -2,7 +2,7 @@
11507 #
11508
11509 asflags-y := -ansi
11510-ccflags-y := -Werror
11511+#ccflags-y := -Werror
11512
11513 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o gup.o
11514 obj-y += fault_$(BITS).o
11515diff --git a/arch/sparc/mm/fault_32.c b/arch/sparc/mm/fault_32.c
11516index c399e7b..2387414 100644
11517--- a/arch/sparc/mm/fault_32.c
11518+++ b/arch/sparc/mm/fault_32.c
11519@@ -22,6 +22,9 @@
11520 #include <linux/interrupt.h>
11521 #include <linux/kdebug.h>
11522 #include <linux/uaccess.h>
11523+#include <linux/slab.h>
11524+#include <linux/pagemap.h>
11525+#include <linux/compiler.h>
11526
11527 #include <asm/page.h>
11528 #include <asm/pgtable.h>
11529@@ -156,6 +159,277 @@ static unsigned long compute_si_addr(struct pt_regs *regs, int text_fault)
11530 return safe_compute_effective_address(regs, insn);
11531 }
11532
11533+#ifdef CONFIG_PAX_PAGEEXEC
11534+#ifdef CONFIG_PAX_DLRESOLVE
11535+static void pax_emuplt_close(struct vm_area_struct *vma)
11536+{
11537+ vma->vm_mm->call_dl_resolve = 0UL;
11538+}
11539+
11540+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
11541+{
11542+ unsigned int *kaddr;
11543+
11544+ vmf->page = alloc_page(GFP_HIGHUSER);
11545+ if (!vmf->page)
11546+ return VM_FAULT_OOM;
11547+
11548+ kaddr = kmap(vmf->page);
11549+ memset(kaddr, 0, PAGE_SIZE);
11550+ kaddr[0] = 0x9DE3BFA8U; /* save */
11551+ flush_dcache_page(vmf->page);
11552+ kunmap(vmf->page);
11553+ return VM_FAULT_MAJOR;
11554+}
11555+
11556+static const struct vm_operations_struct pax_vm_ops = {
11557+ .close = pax_emuplt_close,
11558+ .fault = pax_emuplt_fault
11559+};
11560+
11561+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
11562+{
11563+ int ret;
11564+
11565+ INIT_LIST_HEAD(&vma->anon_vma_chain);
11566+ vma->vm_mm = current->mm;
11567+ vma->vm_start = addr;
11568+ vma->vm_end = addr + PAGE_SIZE;
11569+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
11570+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
11571+ vma->vm_ops = &pax_vm_ops;
11572+
11573+ ret = insert_vm_struct(current->mm, vma);
11574+ if (ret)
11575+ return ret;
11576+
11577+ ++current->mm->total_vm;
11578+ return 0;
11579+}
11580+#endif
11581+
11582+/*
11583+ * PaX: decide what to do with offenders (regs->pc = fault address)
11584+ *
11585+ * returns 1 when task should be killed
11586+ * 2 when patched PLT trampoline was detected
11587+ * 3 when unpatched PLT trampoline was detected
11588+ */
11589+static int pax_handle_fetch_fault(struct pt_regs *regs)
11590+{
11591+
11592+#ifdef CONFIG_PAX_EMUPLT
11593+ int err;
11594+
11595+ do { /* PaX: patched PLT emulation #1 */
11596+ unsigned int sethi1, sethi2, jmpl;
11597+
11598+ err = get_user(sethi1, (unsigned int *)regs->pc);
11599+ err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
11600+ err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
11601+
11602+ if (err)
11603+ break;
11604+
11605+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
11606+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
11607+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
11608+ {
11609+ unsigned int addr;
11610+
11611+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
11612+ addr = regs->u_regs[UREG_G1];
11613+ addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
11614+ regs->pc = addr;
11615+ regs->npc = addr+4;
11616+ return 2;
11617+ }
11618+ } while (0);
11619+
11620+ do { /* PaX: patched PLT emulation #2 */
11621+ unsigned int ba;
11622+
11623+ err = get_user(ba, (unsigned int *)regs->pc);
11624+
11625+ if (err)
11626+ break;
11627+
11628+ if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) {
11629+ unsigned int addr;
11630+
11631+ if ((ba & 0xFFC00000U) == 0x30800000U)
11632+ addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
11633+ else
11634+ addr = regs->pc + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
11635+ regs->pc = addr;
11636+ regs->npc = addr+4;
11637+ return 2;
11638+ }
11639+ } while (0);
11640+
11641+ do { /* PaX: patched PLT emulation #3 */
11642+ unsigned int sethi, bajmpl, nop;
11643+
11644+ err = get_user(sethi, (unsigned int *)regs->pc);
11645+ err |= get_user(bajmpl, (unsigned int *)(regs->pc+4));
11646+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
11647+
11648+ if (err)
11649+ break;
11650+
11651+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
11652+ ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) &&
11653+ nop == 0x01000000U)
11654+ {
11655+ unsigned int addr;
11656+
11657+ addr = (sethi & 0x003FFFFFU) << 10;
11658+ regs->u_regs[UREG_G1] = addr;
11659+ if ((bajmpl & 0xFFFFE000U) == 0x81C06000U)
11660+ addr += (((bajmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
11661+ else
11662+ addr = regs->pc + ((((bajmpl | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
11663+ regs->pc = addr;
11664+ regs->npc = addr+4;
11665+ return 2;
11666+ }
11667+ } while (0);
11668+
11669+ do { /* PaX: unpatched PLT emulation step 1 */
11670+ unsigned int sethi, ba, nop;
11671+
11672+ err = get_user(sethi, (unsigned int *)regs->pc);
11673+ err |= get_user(ba, (unsigned int *)(regs->pc+4));
11674+ err |= get_user(nop, (unsigned int *)(regs->pc+8));
11675+
11676+ if (err)
11677+ break;
11678+
11679+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
11680+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
11681+ nop == 0x01000000U)
11682+ {
11683+ unsigned int addr, save, call;
11684+
11685+ if ((ba & 0xFFC00000U) == 0x30800000U)
11686+ addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
11687+ else
11688+ addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
11689+
11690+ err = get_user(save, (unsigned int *)addr);
11691+ err |= get_user(call, (unsigned int *)(addr+4));
11692+ err |= get_user(nop, (unsigned int *)(addr+8));
11693+ if (err)
11694+ break;
11695+
11696+#ifdef CONFIG_PAX_DLRESOLVE
11697+ if (save == 0x9DE3BFA8U &&
11698+ (call & 0xC0000000U) == 0x40000000U &&
11699+ nop == 0x01000000U)
11700+ {
11701+ struct vm_area_struct *vma;
11702+ unsigned long call_dl_resolve;
11703+
11704+ down_read(&current->mm->mmap_sem);
11705+ call_dl_resolve = current->mm->call_dl_resolve;
11706+ up_read(&current->mm->mmap_sem);
11707+ if (likely(call_dl_resolve))
11708+ goto emulate;
11709+
11710+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
11711+
11712+ down_write(&current->mm->mmap_sem);
11713+ if (current->mm->call_dl_resolve) {
11714+ call_dl_resolve = current->mm->call_dl_resolve;
11715+ up_write(&current->mm->mmap_sem);
11716+ if (vma)
11717+ kmem_cache_free(vm_area_cachep, vma);
11718+ goto emulate;
11719+ }
11720+
11721+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
11722+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
11723+ up_write(&current->mm->mmap_sem);
11724+ if (vma)
11725+ kmem_cache_free(vm_area_cachep, vma);
11726+ return 1;
11727+ }
11728+
11729+ if (pax_insert_vma(vma, call_dl_resolve)) {
11730+ up_write(&current->mm->mmap_sem);
11731+ kmem_cache_free(vm_area_cachep, vma);
11732+ return 1;
11733+ }
11734+
11735+ current->mm->call_dl_resolve = call_dl_resolve;
11736+ up_write(&current->mm->mmap_sem);
11737+
11738+emulate:
11739+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
11740+ regs->pc = call_dl_resolve;
11741+ regs->npc = addr+4;
11742+ return 3;
11743+ }
11744+#endif
11745+
11746+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
11747+ if ((save & 0xFFC00000U) == 0x05000000U &&
11748+ (call & 0xFFFFE000U) == 0x85C0A000U &&
11749+ nop == 0x01000000U)
11750+ {
11751+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
11752+ regs->u_regs[UREG_G2] = addr + 4;
11753+ addr = (save & 0x003FFFFFU) << 10;
11754+ addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
11755+ regs->pc = addr;
11756+ regs->npc = addr+4;
11757+ return 3;
11758+ }
11759+ }
11760+ } while (0);
11761+
11762+ do { /* PaX: unpatched PLT emulation step 2 */
11763+ unsigned int save, call, nop;
11764+
11765+ err = get_user(save, (unsigned int *)(regs->pc-4));
11766+ err |= get_user(call, (unsigned int *)regs->pc);
11767+ err |= get_user(nop, (unsigned int *)(regs->pc+4));
11768+ if (err)
11769+ break;
11770+
11771+ if (save == 0x9DE3BFA8U &&
11772+ (call & 0xC0000000U) == 0x40000000U &&
11773+ nop == 0x01000000U)
11774+ {
11775+ unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
11776+
11777+ regs->u_regs[UREG_RETPC] = regs->pc;
11778+ regs->pc = dl_resolve;
11779+ regs->npc = dl_resolve+4;
11780+ return 3;
11781+ }
11782+ } while (0);
11783+#endif
11784+
11785+ return 1;
11786+}
11787+
11788+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
11789+{
11790+ unsigned long i;
11791+
11792+ printk(KERN_ERR "PAX: bytes at PC: ");
11793+ for (i = 0; i < 8; i++) {
11794+ unsigned int c;
11795+ if (get_user(c, (unsigned int *)pc+i))
11796+ printk(KERN_CONT "???????? ");
11797+ else
11798+ printk(KERN_CONT "%08x ", c);
11799+ }
11800+ printk("\n");
11801+}
11802+#endif
11803+
11804 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
11805 int text_fault)
11806 {
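Review bot: pax_handle_fetch_fault() decides from user-supplied instruction words whether to rewrite `regs->pc`, yet the masks and opcodes it matches (`0x03000000U`, `0x81C06000U`, `0x30800000U`, `0x01000000U` and others) are bare literals explained only by the per-block comments. Accepting a sequence that is not a real PLT stub would weaken the non-executable-page check, so each pattern deserves a comment naming the instruction and operands it accepts. The recurring `((x | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U` expression needs a note such as `/* sign-extend the 13-bit immediate */`. Named constants for the two words compared exactly, `0x9DE3BFA8U` (commented as save in pax_emuplt_fault) and `0x01000000U` (held in the variable `nop`), would also remove the repetition. The do_fault_siginfo() definition at the end of the hunk continues outside it.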
11807@@ -226,6 +500,24 @@ good_area:
11808 if (!(vma->vm_flags & VM_WRITE))
11809 goto bad_area;
11810 } else {
11811+
11812+#ifdef CONFIG_PAX_PAGEEXEC
11813+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
11814+ up_read(&mm->mmap_sem);
11815+ switch (pax_handle_fetch_fault(regs)) {
11816+
11817+#ifdef CONFIG_PAX_EMUPLT
11818+ case 2:
11819+ case 3:
11820+ return;
11821+#endif
11822+
11823+ }
11824+ pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
11825+ do_group_exit(SIGKILL);
11826+ }
11827+#endif
11828+
11829 /* Allow reads even for write-only mappings */
11830 if (!(vma->vm_flags & (VM_READ | VM_EXEC)))
11831 goto bad_area;
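Review bot: The `switch (pax_handle_fetch_fault(regs))` matches the bare values 2 and 3 and has no `default`, and with CONFIG_PAX_EMUPLT disabled its body is empty. A reader has to go back to the comment above pax_handle_fetch_fault() to learn that these values mean a PLT trampoline was emulated and the task may resume, while anything else falls through to `pax_report_fault()` and `do_group_exit(SIGKILL)`. I would add `default: break;` and a comment above the cases such as `/* 2, 3: PLT stub emulated, resume at the rewritten pc */`, or name the return codes with an enum shared with the helper. The enclosing fault handler starts and ends outside this hunk.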
11832diff --git a/arch/sparc/mm/fault_64.c b/arch/sparc/mm/fault_64.c
11833index dbabe57..d34d315 100644
11834--- a/arch/sparc/mm/fault_64.c
11835+++ b/arch/sparc/mm/fault_64.c
11836@@ -23,6 +23,9 @@
11837 #include <linux/percpu.h>
11838 #include <linux/context_tracking.h>
11839 #include <linux/uaccess.h>
11840+#include <linux/slab.h>
11841+#include <linux/pagemap.h>
11842+#include <linux/compiler.h>
11843
11844 #include <asm/page.h>
11845 #include <asm/pgtable.h>
11846@@ -76,7 +79,7 @@ static void __kprobes bad_kernel_pc(struct pt_regs *regs, unsigned long vaddr)
11847 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
11848 regs->tpc);
11849 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
11850- printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
11851+ printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
11852 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
11853 dump_stack();
11854 unhandled_fault(regs->tpc, current, regs);
11855@@ -279,6 +282,466 @@ static void noinline __kprobes bogus_32bit_fault_tpc(struct pt_regs *regs)
11856 show_regs(regs);
11857 }
11858
11859+#ifdef CONFIG_PAX_PAGEEXEC
11860+#ifdef CONFIG_PAX_DLRESOLVE
11861+static void pax_emuplt_close(struct vm_area_struct *vma)
11862+{
11863+ vma->vm_mm->call_dl_resolve = 0UL;
11864+}
11865+
11866+static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
11867+{
11868+ unsigned int *kaddr;
11869+
11870+ vmf->page = alloc_page(GFP_HIGHUSER);
11871+ if (!vmf->page)
11872+ return VM_FAULT_OOM;
11873+
11874+ kaddr = kmap(vmf->page);
11875+ memset(kaddr, 0, PAGE_SIZE);
11876+ kaddr[0] = 0x9DE3BFA8U; /* save */
11877+ flush_dcache_page(vmf->page);
11878+ kunmap(vmf->page);
11879+ return VM_FAULT_MAJOR;
11880+}
11881+
11882+static const struct vm_operations_struct pax_vm_ops = {
11883+ .close = pax_emuplt_close,
11884+ .fault = pax_emuplt_fault
11885+};
11886+
11887+static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
11888+{
11889+ int ret;
11890+
11891+ INIT_LIST_HEAD(&vma->anon_vma_chain);
11892+ vma->vm_mm = current->mm;
11893+ vma->vm_start = addr;
11894+ vma->vm_end = addr + PAGE_SIZE;
11895+ vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
11896+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
11897+ vma->vm_ops = &pax_vm_ops;
11898+
11899+ ret = insert_vm_struct(current->mm, vma);
11900+ if (ret)
11901+ return ret;
11902+
11903+ ++current->mm->total_vm;
11904+ return 0;
11905+}
11906+#endif
11907+
11908+/*
11909+ * PaX: decide what to do with offenders (regs->tpc = fault address)
11910+ *
11911+ * returns 1 when task should be killed
11912+ * 2 when patched PLT trampoline was detected
11913+ * 3 when unpatched PLT trampoline was detected
11914+ */
11915+static int pax_handle_fetch_fault(struct pt_regs *regs)
11916+{
11917+
11918+#ifdef CONFIG_PAX_EMUPLT
11919+ int err;
11920+
11921+ do { /* PaX: patched PLT emulation #1 */
11922+ unsigned int sethi1, sethi2, jmpl;
11923+
11924+ err = get_user(sethi1, (unsigned int *)regs->tpc);
11925+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
11926+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
11927+
11928+ if (err)
11929+ break;
11930+
11931+ if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
11932+ (sethi2 & 0xFFC00000U) == 0x03000000U &&
11933+ (jmpl & 0xFFFFE000U) == 0x81C06000U)
11934+ {
11935+ unsigned long addr;
11936+
11937+ regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
11938+ addr = regs->u_regs[UREG_G1];
11939+ addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
11940+
11941+ if (test_thread_flag(TIF_32BIT))
11942+ addr &= 0xFFFFFFFFUL;
11943+
11944+ regs->tpc = addr;
11945+ regs->tnpc = addr+4;
11946+ return 2;
11947+ }
11948+ } while (0);
11949+
11950+ do { /* PaX: patched PLT emulation #2 */
11951+ unsigned int ba;
11952+
11953+ err = get_user(ba, (unsigned int *)regs->tpc);
11954+
11955+ if (err)
11956+ break;
11957+
11958+ if ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30480000U) {
11959+ unsigned long addr;
11960+
11961+ if ((ba & 0xFFC00000U) == 0x30800000U)
11962+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
11963+ else
11964+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
11965+
11966+ if (test_thread_flag(TIF_32BIT))
11967+ addr &= 0xFFFFFFFFUL;
11968+
11969+ regs->tpc = addr;
11970+ regs->tnpc = addr+4;
11971+ return 2;
11972+ }
11973+ } while (0);
11974+
11975+ do { /* PaX: patched PLT emulation #3 */
11976+ unsigned int sethi, bajmpl, nop;
11977+
11978+ err = get_user(sethi, (unsigned int *)regs->tpc);
11979+ err |= get_user(bajmpl, (unsigned int *)(regs->tpc+4));
11980+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
11981+
11982+ if (err)
11983+ break;
11984+
11985+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
11986+ ((bajmpl & 0xFFFFE000U) == 0x81C06000U || (bajmpl & 0xFFF80000U) == 0x30480000U) &&
11987+ nop == 0x01000000U)
11988+ {
11989+ unsigned long addr;
11990+
11991+ addr = (sethi & 0x003FFFFFU) << 10;
11992+ regs->u_regs[UREG_G1] = addr;
11993+ if ((bajmpl & 0xFFFFE000U) == 0x81C06000U)
11994+ addr += (((bajmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
11995+ else
11996+ addr = regs->tpc + ((((bajmpl | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
11997+
11998+ if (test_thread_flag(TIF_32BIT))
11999+ addr &= 0xFFFFFFFFUL;
12000+
12001+ regs->tpc = addr;
12002+ regs->tnpc = addr+4;
12003+ return 2;
12004+ }
12005+ } while (0);
12006+
12007+ do { /* PaX: patched PLT emulation #4 */
12008+ unsigned int sethi, mov1, call, mov2;
12009+
12010+ err = get_user(sethi, (unsigned int *)regs->tpc);
12011+ err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
12012+ err |= get_user(call, (unsigned int *)(regs->tpc+8));
12013+ err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
12014+
12015+ if (err)
12016+ break;
12017+
12018+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12019+ mov1 == 0x8210000FU &&
12020+ (call & 0xC0000000U) == 0x40000000U &&
12021+ mov2 == 0x9E100001U)
12022+ {
12023+ unsigned long addr;
12024+
12025+ regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
12026+ addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
12027+
12028+ if (test_thread_flag(TIF_32BIT))
12029+ addr &= 0xFFFFFFFFUL;
12030+
12031+ regs->tpc = addr;
12032+ regs->tnpc = addr+4;
12033+ return 2;
12034+ }
12035+ } while (0);
12036+
12037+ do { /* PaX: patched PLT emulation #5 */
12038+ unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
12039+
12040+ err = get_user(sethi, (unsigned int *)regs->tpc);
12041+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
12042+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
12043+ err |= get_user(or1, (unsigned int *)(regs->tpc+12));
12044+ err |= get_user(or2, (unsigned int *)(regs->tpc+16));
12045+ err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
12046+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
12047+ err |= get_user(nop, (unsigned int *)(regs->tpc+28));
12048+
12049+ if (err)
12050+ break;
12051+
12052+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12053+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
12054+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
12055+ (or1 & 0xFFFFE000U) == 0x82106000U &&
12056+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
12057+ sllx == 0x83287020U &&
12058+ jmpl == 0x81C04005U &&
12059+ nop == 0x01000000U)
12060+ {
12061+ unsigned long addr;
12062+
12063+ regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
12064+ regs->u_regs[UREG_G1] <<= 32;
12065+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
12066+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
12067+ regs->tpc = addr;
12068+ regs->tnpc = addr+4;
12069+ return 2;
12070+ }
12071+ } while (0);
12072+
12073+ do { /* PaX: patched PLT emulation #6 */
12074+ unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
12075+
12076+ err = get_user(sethi, (unsigned int *)regs->tpc);
12077+ err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
12078+ err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
12079+ err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
12080+ err |= get_user(or, (unsigned int *)(regs->tpc+16));
12081+ err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
12082+ err |= get_user(nop, (unsigned int *)(regs->tpc+24));
12083+
12084+ if (err)
12085+ break;
12086+
12087+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12088+ (sethi1 & 0xFFC00000U) == 0x03000000U &&
12089+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
12090+ sllx == 0x83287020U &&
12091+ (or & 0xFFFFE000U) == 0x8A116000U &&
12092+ jmpl == 0x81C04005U &&
12093+ nop == 0x01000000U)
12094+ {
12095+ unsigned long addr;
12096+
12097+ regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
12098+ regs->u_regs[UREG_G1] <<= 32;
12099+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
12100+ addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
12101+ regs->tpc = addr;
12102+ regs->tnpc = addr+4;
12103+ return 2;
12104+ }
12105+ } while (0);
12106+
12107+ do { /* PaX: unpatched PLT emulation step 1 */
12108+ unsigned int sethi, ba, nop;
12109+
12110+ err = get_user(sethi, (unsigned int *)regs->tpc);
12111+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
12112+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
12113+
12114+ if (err)
12115+ break;
12116+
12117+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12118+ ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
12119+ nop == 0x01000000U)
12120+ {
12121+ unsigned long addr;
12122+ unsigned int save, call;
12123+ unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
12124+
12125+ if ((ba & 0xFFC00000U) == 0x30800000U)
12126+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
12127+ else
12128+ addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
12129+
12130+ if (test_thread_flag(TIF_32BIT))
12131+ addr &= 0xFFFFFFFFUL;
12132+
12133+ err = get_user(save, (unsigned int *)addr);
12134+ err |= get_user(call, (unsigned int *)(addr+4));
12135+ err |= get_user(nop, (unsigned int *)(addr+8));
12136+ if (err)
12137+ break;
12138+
12139+#ifdef CONFIG_PAX_DLRESOLVE
12140+ if (save == 0x9DE3BFA8U &&
12141+ (call & 0xC0000000U) == 0x40000000U &&
12142+ nop == 0x01000000U)
12143+ {
12144+ struct vm_area_struct *vma;
12145+ unsigned long call_dl_resolve;
12146+
12147+ down_read(&current->mm->mmap_sem);
12148+ call_dl_resolve = current->mm->call_dl_resolve;
12149+ up_read(&current->mm->mmap_sem);
12150+ if (likely(call_dl_resolve))
12151+ goto emulate;
12152+
12153+ vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
12154+
12155+ down_write(&current->mm->mmap_sem);
12156+ if (current->mm->call_dl_resolve) {
12157+ call_dl_resolve = current->mm->call_dl_resolve;
12158+ up_write(&current->mm->mmap_sem);
12159+ if (vma)
12160+ kmem_cache_free(vm_area_cachep, vma);
12161+ goto emulate;
12162+ }
12163+
12164+ call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
12165+ if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
12166+ up_write(&current->mm->mmap_sem);
12167+ if (vma)
12168+ kmem_cache_free(vm_area_cachep, vma);
12169+ return 1;
12170+ }
12171+
12172+ if (pax_insert_vma(vma, call_dl_resolve)) {
12173+ up_write(&current->mm->mmap_sem);
12174+ kmem_cache_free(vm_area_cachep, vma);
12175+ return 1;
12176+ }
12177+
12178+ current->mm->call_dl_resolve = call_dl_resolve;
12179+ up_write(&current->mm->mmap_sem);
12180+
12181+emulate:
12182+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
12183+ regs->tpc = call_dl_resolve;
12184+ regs->tnpc = addr+4;
12185+ return 3;
12186+ }
12187+#endif
12188+
12189+ /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
12190+ if ((save & 0xFFC00000U) == 0x05000000U &&
12191+ (call & 0xFFFFE000U) == 0x85C0A000U &&
12192+ nop == 0x01000000U)
12193+ {
12194+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
12195+ regs->u_regs[UREG_G2] = addr + 4;
12196+ addr = (save & 0x003FFFFFU) << 10;
12197+ addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
12198+
12199+ if (test_thread_flag(TIF_32BIT))
12200+ addr &= 0xFFFFFFFFUL;
12201+
12202+ regs->tpc = addr;
12203+ regs->tnpc = addr+4;
12204+ return 3;
12205+ }
12206+
12207+ /* PaX: 64-bit PLT stub */
12208+ err = get_user(sethi1, (unsigned int *)addr);
12209+ err |= get_user(sethi2, (unsigned int *)(addr+4));
12210+ err |= get_user(or1, (unsigned int *)(addr+8));
12211+ err |= get_user(or2, (unsigned int *)(addr+12));
12212+ err |= get_user(sllx, (unsigned int *)(addr+16));
12213+ err |= get_user(add, (unsigned int *)(addr+20));
12214+ err |= get_user(jmpl, (unsigned int *)(addr+24));
12215+ err |= get_user(nop, (unsigned int *)(addr+28));
12216+ if (err)
12217+ break;
12218+
12219+ if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
12220+ (sethi2 & 0xFFC00000U) == 0x0B000000U &&
12221+ (or1 & 0xFFFFE000U) == 0x88112000U &&
12222+ (or2 & 0xFFFFE000U) == 0x8A116000U &&
12223+ sllx == 0x89293020U &&
12224+ add == 0x8A010005U &&
12225+ jmpl == 0x89C14000U &&
12226+ nop == 0x01000000U)
12227+ {
12228+ regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
12229+ regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
12230+ regs->u_regs[UREG_G4] <<= 32;
12231+ regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
12232+ regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
12233+ regs->u_regs[UREG_G4] = addr + 24;
12234+ addr = regs->u_regs[UREG_G5];
12235+ regs->tpc = addr;
12236+ regs->tnpc = addr+4;
12237+ return 3;
12238+ }
12239+ }
12240+ } while (0);
12241+
12242+#ifdef CONFIG_PAX_DLRESOLVE
12243+ do { /* PaX: unpatched PLT emulation step 2 */
12244+ unsigned int save, call, nop;
12245+
12246+ err = get_user(save, (unsigned int *)(regs->tpc-4));
12247+ err |= get_user(call, (unsigned int *)regs->tpc);
12248+ err |= get_user(nop, (unsigned int *)(regs->tpc+4));
12249+ if (err)
12250+ break;
12251+
12252+ if (save == 0x9DE3BFA8U &&
12253+ (call & 0xC0000000U) == 0x40000000U &&
12254+ nop == 0x01000000U)
12255+ {
12256+ unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
12257+
12258+ if (test_thread_flag(TIF_32BIT))
12259+ dl_resolve &= 0xFFFFFFFFUL;
12260+
12261+ regs->u_regs[UREG_RETPC] = regs->tpc;
12262+ regs->tpc = dl_resolve;
12263+ regs->tnpc = dl_resolve+4;
12264+ return 3;
12265+ }
12266+ } while (0);
12267+#endif
12268+
12269+ do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
12270+ unsigned int sethi, ba, nop;
12271+
12272+ err = get_user(sethi, (unsigned int *)regs->tpc);
12273+ err |= get_user(ba, (unsigned int *)(regs->tpc+4));
12274+ err |= get_user(nop, (unsigned int *)(regs->tpc+8));
12275+
12276+ if (err)
12277+ break;
12278+
12279+ if ((sethi & 0xFFC00000U) == 0x03000000U &&
12280+ (ba & 0xFFF00000U) == 0x30600000U &&
12281+ nop == 0x01000000U)
12282+ {
12283+ unsigned long addr;
12284+
12285+ addr = (sethi & 0x003FFFFFU) << 10;
12286+ regs->u_regs[UREG_G1] = addr;
12287+ addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
12288+
12289+ if (test_thread_flag(TIF_32BIT))
12290+ addr &= 0xFFFFFFFFUL;
12291+
12292+ regs->tpc = addr;
12293+ regs->tnpc = addr+4;
12294+ return 2;
12295+ }
12296+ } while (0);
12297+
12298+#endif
12299+
12300+ return 1;
12301+}
12302+
12303+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
12304+{
12305+ unsigned long i;
12306+
12307+ printk(KERN_ERR "PAX: bytes at PC: ");
12308+ for (i = 0; i < 8; i++) {
12309+ unsigned int c;
12310+ if (get_user(c, (unsigned int *)pc+i))
12311+ printk(KERN_CONT "???????? ");
12312+ else
12313+ printk(KERN_CONT "%08x ", c);
12314+ }
12315+ printk("\n");
12316+}
12317+#endif
12318+
12319 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
12320 {
12321 enum ctx_state prev_state = exception_enter();
12322@@ -353,6 +816,29 @@ retry:
12323 if (!vma)
12324 goto bad_area;
12325
12326+#ifdef CONFIG_PAX_PAGEEXEC
12327+ /* PaX: detect ITLB misses on non-exec pages */
12328+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
12329+ !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
12330+ {
12331+ if (address != regs->tpc)
12332+ goto good_area;
12333+
12334+ up_read(&mm->mmap_sem);
12335+ switch (pax_handle_fetch_fault(regs)) {
12336+
12337+#ifdef CONFIG_PAX_EMUPLT
12338+ case 2:
12339+ case 3:
12340+ return;
12341+#endif
12342+
12343+ }
12344+ pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
12345+ do_group_exit(SIGKILL);
12346+ }
12347+#endif
12348+
12349 /* Pure DTLB misses do not tell us whether the fault causing
12350 * load/store/atomic was a write or not, it only says that there
12351 * was no match. So in such a case we (carefully) read the
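Review bot: The bare `return;` under `case 2:` / `case 3:` leaves do_sparc64_fault without undoing `prev_state = exception_enter();`, which is visible just above this hunk, so a successfully emulated PLT fetch appears to skip the context-tracking exit. The function's normal exit path lies outside the hunk; if it calls `exception_exit(prev_state)`, the emulation cases should do the same, e.g. `exception_exit(prev_state); return;`. The `switch` also has no `default:`, so a short comment such as `/* any other result: report and kill below */` would make it clear that falling out of it is the intended deny path.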
12352diff --git a/arch/sparc/mm/hugetlbpage.c b/arch/sparc/mm/hugetlbpage.c
12353index 131eaf4..285ea31 100644
12354--- a/arch/sparc/mm/hugetlbpage.c
12355+++ b/arch/sparc/mm/hugetlbpage.c
12356@@ -25,8 +25,10 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
12357 unsigned long addr,
12358 unsigned long len,
12359 unsigned long pgoff,
12360- unsigned long flags)
12361+ unsigned long flags,
12362+ unsigned long offset)
12363 {
12364+ struct mm_struct *mm = current->mm;
12365 unsigned long task_size = TASK_SIZE;
12366 struct vm_unmapped_area_info info;
12367
12368@@ -35,15 +37,22 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *filp,
12369
12370 info.flags = 0;
12371 info.length = len;
12372- info.low_limit = TASK_UNMAPPED_BASE;
12373+ info.low_limit = mm->mmap_base;
12374 info.high_limit = min(task_size, VA_EXCLUDE_START);
12375 info.align_mask = PAGE_MASK & ~HPAGE_MASK;
12376 info.align_offset = 0;
12377+ info.threadstack_offset = offset;
12378 addr = vm_unmapped_area(&info);
12379
12380 if ((addr & ~PAGE_MASK) && task_size > VA_EXCLUDE_END) {
12381 VM_BUG_ON(addr != -ENOMEM);
12382 info.low_limit = VA_EXCLUDE_END;
12383+
12384+#ifdef CONFIG_PAX_RANDMMAP
12385+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12386+ info.low_limit += mm->delta_mmap;
12387+#endif
12388+
12389 info.high_limit = task_size;
12390 addr = vm_unmapped_area(&info);
12391 }
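Review bot: `info` is declared as `struct vm_unmapped_area_info info;` with no initializer (context of the previous hunk), so the added `info.threadstack_offset = offset;` is the only thing keeping the new field from carrying stack garbage into vm_unmapped_area(). Every call site now has to remember that assignment, as the topdown hunk and the arch/tile hunks further down do by hand. Declaring it as `struct vm_unmapped_area_info info = { 0 };` would make a missed site default to no offset rather than an unpredictable one. In the retry branch, `info.low_limit += mm->delta_mmap;` is not compared with `info.high_limit`; presumably vm_unmapped_area() returns -ENOMEM for an empty window, but that is worth confirming since the function ends outside this hunk.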
12392@@ -55,7 +64,8 @@ static unsigned long
12393 hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12394 const unsigned long len,
12395 const unsigned long pgoff,
12396- const unsigned long flags)
12397+ const unsigned long flags,
12398+ const unsigned long offset)
12399 {
12400 struct mm_struct *mm = current->mm;
12401 unsigned long addr = addr0;
12402@@ -70,6 +80,7 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12403 info.high_limit = mm->mmap_base;
12404 info.align_mask = PAGE_MASK & ~HPAGE_MASK;
12405 info.align_offset = 0;
12406+ info.threadstack_offset = offset;
12407 addr = vm_unmapped_area(&info);
12408
12409 /*
12410@@ -82,6 +93,12 @@ hugetlb_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
12411 VM_BUG_ON(addr != -ENOMEM);
12412 info.flags = 0;
12413 info.low_limit = TASK_UNMAPPED_BASE;
12414+
12415+#ifdef CONFIG_PAX_RANDMMAP
12416+ if (mm->pax_flags & MF_PAX_RANDMMAP)
12417+ info.low_limit += mm->delta_mmap;
12418+#endif
12419+
12420 info.high_limit = STACK_TOP32;
12421 addr = vm_unmapped_area(&info);
12422 }
12423@@ -96,6 +113,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
12424 struct mm_struct *mm = current->mm;
12425 struct vm_area_struct *vma;
12426 unsigned long task_size = TASK_SIZE;
12427+ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
12428
12429 if (test_thread_flag(TIF_32BIT))
12430 task_size = STACK_TOP32;
12431@@ -111,19 +129,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
12432 return addr;
12433 }
12434
12435+#ifdef CONFIG_PAX_RANDMMAP
12436+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
12437+#endif
12438+
12439 if (addr) {
12440 addr = ALIGN(addr, HPAGE_SIZE);
12441 vma = find_vma(mm, addr);
12442- if (task_size - len >= addr &&
12443- (!vma || addr + len <= vma->vm_start))
12444+ if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
12445 return addr;
12446 }
12447 if (mm->get_unmapped_area == arch_get_unmapped_area)
12448 return hugetlb_get_unmapped_area_bottomup(file, addr, len,
12449- pgoff, flags);
12450+ pgoff, flags, offset);
12451 else
12452 return hugetlb_get_unmapped_area_topdown(file, addr, len,
12453- pgoff, flags);
12454+ pgoff, flags, offset);
12455 }
12456
12457 pte_t *huge_pte_alloc(struct mm_struct *mm,
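Review bot: The brace-less `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside the `#ifdef` takes the following `if (addr) { ... }` as its body across the `#endif` and a blank line, which is easy to break. Any statement later inserted between the two would become the guarded body, and the address-hint path would run unconditionally under RANDMMAP. A comment directly above it, e.g. `/* PaX: under RANDMMAP the caller's hint is ignored; the if (addr) block below is the guarded body */`, or removing the blank line so the two conditions sit together, would make that dependency explicit. `task_size - len >= addr` also relies on an earlier `len > task_size` rejection that is outside this hunk.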
12458diff --git a/arch/sparc/mm/init_64.c b/arch/sparc/mm/init_64.c
12459index 4ac88b7..bac6cb2 100644
12460--- a/arch/sparc/mm/init_64.c
12461+++ b/arch/sparc/mm/init_64.c
12462@@ -187,9 +187,9 @@ unsigned long sparc64_kern_sec_context __read_mostly;
12463 int num_kernel_image_mappings;
12464
12465 #ifdef CONFIG_DEBUG_DCFLUSH
12466-atomic_t dcpage_flushes = ATOMIC_INIT(0);
12467+atomic_unchecked_t dcpage_flushes = ATOMIC_INIT(0);
12468 #ifdef CONFIG_SMP
12469-atomic_t dcpage_flushes_xcall = ATOMIC_INIT(0);
12470+atomic_unchecked_t dcpage_flushes_xcall = ATOMIC_INIT(0);
12471 #endif
12472 #endif
12473
12474@@ -197,7 +197,7 @@ inline void flush_dcache_page_impl(struct page *page)
12475 {
12476 BUG_ON(tlb_type == hypervisor);
12477 #ifdef CONFIG_DEBUG_DCFLUSH
12478- atomic_inc(&dcpage_flushes);
12479+ atomic_inc_unchecked(&dcpage_flushes);
12480 #endif
12481
12482 #ifdef DCACHE_ALIASING_POSSIBLE
12483@@ -469,10 +469,10 @@ void mmu_info(struct seq_file *m)
12484
12485 #ifdef CONFIG_DEBUG_DCFLUSH
12486 seq_printf(m, "DCPageFlushes\t: %d\n",
12487- atomic_read(&dcpage_flushes));
12488+ atomic_read_unchecked(&dcpage_flushes));
12489 #ifdef CONFIG_SMP
12490 seq_printf(m, "DCPageFlushesXC\t: %d\n",
12491- atomic_read(&dcpage_flushes_xcall));
12492+ atomic_read_unchecked(&dcpage_flushes_xcall));
12493 #endif /* CONFIG_SMP */
12494 #endif /* CONFIG_DEBUG_DCFLUSH */
12495 }
12496diff --git a/arch/tile/Kconfig b/arch/tile/Kconfig
12497index 9def1f5..cf0cabc 100644
12498--- a/arch/tile/Kconfig
12499+++ b/arch/tile/Kconfig
12500@@ -204,6 +204,7 @@ source "kernel/Kconfig.hz"
12501
12502 config KEXEC
12503 bool "kexec system call"
12504+ depends on !GRKERNSEC_KMEM
12505 ---help---
12506 kexec is a system call that implements the ability to shutdown your
12507 current kernel, and to start another kernel. It is like a reboot
12508diff --git a/arch/tile/include/asm/atomic_64.h b/arch/tile/include/asm/atomic_64.h
12509index 0496970..1a57e5f 100644
12510--- a/arch/tile/include/asm/atomic_64.h
12511+++ b/arch/tile/include/asm/atomic_64.h
12512@@ -105,6 +105,16 @@ static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
12513
12514 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
12515
12516+#define atomic64_read_unchecked(v) atomic64_read(v)
12517+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
12518+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
12519+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
12520+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
12521+#define atomic64_inc_unchecked(v) atomic64_inc(v)
12522+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
12523+#define atomic64_dec_unchecked(v) atomic64_dec(v)
12524+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
12525+
12526 #endif /* !__ASSEMBLY__ */
12527
12528 #endif /* _ASM_TILE_ATOMIC_64_H */
12529diff --git a/arch/tile/include/asm/cache.h b/arch/tile/include/asm/cache.h
12530index 6160761..00cac88 100644
12531--- a/arch/tile/include/asm/cache.h
12532+++ b/arch/tile/include/asm/cache.h
12533@@ -15,11 +15,12 @@
12534 #ifndef _ASM_TILE_CACHE_H
12535 #define _ASM_TILE_CACHE_H
12536
12537+#include <linux/const.h>
12538 #include <arch/chip.h>
12539
12540 /* bytes per L1 data cache line */
12541 #define L1_CACHE_SHIFT CHIP_L1D_LOG_LINE_SIZE()
12542-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
12543+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
12544
12545 /* bytes per L2 cache line */
12546 #define L2_CACHE_SHIFT CHIP_L2_LOG_LINE_SIZE()
12547diff --git a/arch/tile/include/asm/uaccess.h b/arch/tile/include/asm/uaccess.h
12548index 0a9c4265..bfb62d1 100644
12549--- a/arch/tile/include/asm/uaccess.h
12550+++ b/arch/tile/include/asm/uaccess.h
12551@@ -429,9 +429,9 @@ static inline unsigned long __must_check copy_from_user(void *to,
12552 const void __user *from,
12553 unsigned long n)
12554 {
12555- int sz = __compiletime_object_size(to);
12556+ size_t sz = __compiletime_object_size(to);
12557
12558- if (likely(sz == -1 || sz >= n))
12559+ if (likely(sz == (size_t)-1 || sz >= n))
12560 n = _copy_from_user(to, from, n);
12561 else
12562 copy_from_user_overflow();
12563diff --git a/arch/tile/mm/hugetlbpage.c b/arch/tile/mm/hugetlbpage.c
12564index c034dc3..cf1cc96 100644
12565--- a/arch/tile/mm/hugetlbpage.c
12566+++ b/arch/tile/mm/hugetlbpage.c
12567@@ -174,6 +174,7 @@ static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
12568 info.high_limit = TASK_SIZE;
12569 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
12570 info.align_offset = 0;
12571+ info.threadstack_offset = 0;
12572 return vm_unmapped_area(&info);
12573 }
12574
12575@@ -191,6 +192,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
12576 info.high_limit = current->mm->mmap_base;
12577 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
12578 info.align_offset = 0;
12579+ info.threadstack_offset = 0;
12580 addr = vm_unmapped_area(&info);
12581
12582 /*
12583diff --git a/arch/um/Makefile b/arch/um/Makefile
12584index 098ab33..fc54a33 100644
12585--- a/arch/um/Makefile
12586+++ b/arch/um/Makefile
12587@@ -73,6 +73,10 @@ USER_CFLAGS = $(patsubst $(KERNEL_DEFINES),,$(patsubst -I%,,$(KBUILD_CFLAGS))) \
12588 -D_FILE_OFFSET_BITS=64 -idirafter include \
12589 -D__KERNEL__ -D__UM_HOST__
12590
12591+ifdef CONSTIFY_PLUGIN
12592+USER_CFLAGS += -fplugin-arg-constify_plugin-no-constify
12593+endif
12594+
12595 #This will adjust *FLAGS accordingly to the platform.
12596 include $(ARCH_DIR)/Makefile-os-$(OS)
12597
12598diff --git a/arch/um/include/asm/cache.h b/arch/um/include/asm/cache.h
12599index 19e1bdd..3665b77 100644
12600--- a/arch/um/include/asm/cache.h
12601+++ b/arch/um/include/asm/cache.h
12602@@ -1,6 +1,7 @@
12603 #ifndef __UM_CACHE_H
12604 #define __UM_CACHE_H
12605
12606+#include <linux/const.h>
12607
12608 #if defined(CONFIG_UML_X86) && !defined(CONFIG_64BIT)
12609 # define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
12610@@ -12,6 +13,6 @@
12611 # define L1_CACHE_SHIFT 5
12612 #endif
12613
12614-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
12615+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
12616
12617 #endif
12618diff --git a/arch/um/include/asm/kmap_types.h b/arch/um/include/asm/kmap_types.h
12619index 2e0a6b1..a64d0f5 100644
12620--- a/arch/um/include/asm/kmap_types.h
12621+++ b/arch/um/include/asm/kmap_types.h
12622@@ -8,6 +8,6 @@
12623
12624 /* No more #include "asm/arch/kmap_types.h" ! */
12625
12626-#define KM_TYPE_NR 14
12627+#define KM_TYPE_NR 15
12628
12629 #endif
12630diff --git a/arch/um/include/asm/page.h b/arch/um/include/asm/page.h
12631index 71c5d13..4c7b9f1 100644
12632--- a/arch/um/include/asm/page.h
12633+++ b/arch/um/include/asm/page.h
12634@@ -14,6 +14,9 @@
12635 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
12636 #define PAGE_MASK (~(PAGE_SIZE-1))
12637
12638+#define ktla_ktva(addr) (addr)
12639+#define ktva_ktla(addr) (addr)
12640+
12641 #ifndef __ASSEMBLY__
12642
12643 struct page;
12644diff --git a/arch/um/include/asm/pgtable-3level.h b/arch/um/include/asm/pgtable-3level.h
12645index 2b4274e..754fe06 100644
12646--- a/arch/um/include/asm/pgtable-3level.h
12647+++ b/arch/um/include/asm/pgtable-3level.h
12648@@ -58,6 +58,7 @@
12649 #define pud_present(x) (pud_val(x) & _PAGE_PRESENT)
12650 #define pud_populate(mm, pud, pmd) \
12651 set_pud(pud, __pud(_PAGE_TABLE + __pa(pmd)))
12652+#define pud_populate_kernel(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
12653
12654 #ifdef CONFIG_64BIT
12655 #define set_pud(pudptr, pudval) set_64bit((u64 *) (pudptr), pud_val(pudval))
12656diff --git a/arch/um/kernel/process.c b/arch/um/kernel/process.c
12657index 68b9119..f72353c 100644
12658--- a/arch/um/kernel/process.c
12659+++ b/arch/um/kernel/process.c
12660@@ -345,22 +345,6 @@ int singlestepping(void * t)
12661 return 2;
12662 }
12663
12664-/*
12665- * Only x86 and x86_64 have an arch_align_stack().
12666- * All other arches have "#define arch_align_stack(x) (x)"
12667- * in their asm/exec.h
12668- * As this is included in UML from asm-um/system-generic.h,
12669- * we can use it to behave as the subarch does.
12670- */
12671-#ifndef arch_align_stack
12672-unsigned long arch_align_stack(unsigned long sp)
12673-{
12674- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
12675- sp -= get_random_int() % 8192;
12676- return sp & ~0xf;
12677-}
12678-#endif
12679-
12680 unsigned long get_wchan(struct task_struct *p)
12681 {
12682 unsigned long stack_page, sp, ip;
12683diff --git a/arch/unicore32/include/asm/cache.h b/arch/unicore32/include/asm/cache.h
12684index ad8f795..2c7eec6 100644
12685--- a/arch/unicore32/include/asm/cache.h
12686+++ b/arch/unicore32/include/asm/cache.h
12687@@ -12,8 +12,10 @@
12688 #ifndef __UNICORE_CACHE_H__
12689 #define __UNICORE_CACHE_H__
12690
12691-#define L1_CACHE_SHIFT (5)
12692-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
12693+#include <linux/const.h>
12694+
12695+#define L1_CACHE_SHIFT 5
12696+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
12697
12698 /*
12699 * Memory returned by kmalloc() may be used for DMA, so we must make
12700diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig
12701index b3a1a5d..8dbc2d6 100644
12702--- a/arch/x86/Kconfig
12703+++ b/arch/x86/Kconfig
12704@@ -35,13 +35,12 @@ config X86
12705 select ARCH_MIGHT_HAVE_PC_SERIO
12706 select ARCH_SUPPORTS_ATOMIC_RMW
12707 select ARCH_SUPPORTS_DEFERRED_STRUCT_PAGE_INIT
12708- select ARCH_SUPPORTS_INT128 if X86_64
12709+ select ARCH_SUPPORTS_INT128 if X86_64 && !PAX_SIZE_OVERFLOW
12710 select ARCH_SUPPORTS_NUMA_BALANCING if X86_64
12711 select ARCH_USE_BUILTIN_BSWAP
12712 select ARCH_USE_CMPXCHG_LOCKREF if X86_64
12713 select ARCH_USE_QUEUED_RWLOCKS
12714 select ARCH_USE_QUEUED_SPINLOCKS
12715- select ARCH_WANTS_DYNAMIC_TASK_STRUCT
12716 select ARCH_WANT_FRAME_POINTERS
12717 select ARCH_WANT_IPC_PARSE_VERSION if X86_32
12718 select ARCH_WANT_OPTIONAL_GPIOLIB
12719@@ -85,7 +84,7 @@ config X86
12720 select HAVE_ARCH_TRACEHOOK
12721 select HAVE_ARCH_TRANSPARENT_HUGEPAGE
12722 select HAVE_BPF_JIT if X86_64
12723- select HAVE_CC_STACKPROTECTOR
12724+ select HAVE_CC_STACKPROTECTOR if X86_64 || !PAX_MEMORY_UDEREF
12725 select HAVE_CMPXCHG_DOUBLE
12726 select HAVE_CMPXCHG_LOCAL
12727 select HAVE_CONTEXT_TRACKING if X86_64
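Review bot: `select HAVE_CC_STACKPROTECTOR if X86_64 || !PAX_MEMORY_UDEREF` means a 32-bit build with PAX_MEMORY_UDEREF loses the stack protector option without any message, and nothing here records why. The X86_32_LAZY_GS hunk below adds the same `!PAX_MEMORY_UDEREF` condition, which suggests a 32-bit-only conflict between the two features, but that is an inference. A `#` comment above the line naming the conflict, or a sentence in the PAX_MEMORY_UDEREF help text, would let someone configuring an i386 kernel see that enabling one hardening feature disables another.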
12728@@ -274,7 +273,7 @@ config X86_64_SMP
12729
12730 config X86_32_LAZY_GS
12731 def_bool y
12732- depends on X86_32 && !CC_STACKPROTECTOR
12733+ depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
12734
12735 config ARCH_HWEIGHT_CFLAGS
12736 string
12737@@ -646,6 +645,7 @@ config SCHED_OMIT_FRAME_POINTER
12738
12739 menuconfig HYPERVISOR_GUEST
12740 bool "Linux guest support"
12741+ depends on !GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_VIRT_GUEST || (GRKERNSEC_CONFIG_VIRT_HOST && GRKERNSEC_CONFIG_VIRT_XEN)
12742 ---help---
12743 Say Y here to enable options for running Linux under various hyper-
12744 visors. This option enables basic hypervisor detection and platform
12745@@ -1014,6 +1014,7 @@ config VM86
12746
12747 config X86_16BIT
12748 bool "Enable support for 16-bit segments" if EXPERT
12749+ depends on !GRKERNSEC
12750 default y
12751 ---help---
12752 This option is required by programs like Wine to run 16-bit
12753@@ -1182,6 +1183,7 @@ choice
12754
12755 config NOHIGHMEM
12756 bool "off"
12757+ depends on !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12758 ---help---
12759 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
12760 However, the address space of 32-bit x86 processors is only 4
12761@@ -1218,6 +1220,7 @@ config NOHIGHMEM
12762
12763 config HIGHMEM4G
12764 bool "4GB"
12765+ depends on !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
12766 ---help---
12767 Select this if you have a 32-bit processor and between 1 and 4
12768 gigabytes of physical RAM.
12769@@ -1270,7 +1273,7 @@ config PAGE_OFFSET
12770 hex
12771 default 0xB0000000 if VMSPLIT_3G_OPT
12772 default 0x80000000 if VMSPLIT_2G
12773- default 0x78000000 if VMSPLIT_2G_OPT
12774+ default 0x70000000 if VMSPLIT_2G_OPT
12775 default 0x40000000 if VMSPLIT_1G
12776 default 0xC0000000
12777 depends on X86_32
12778@@ -1290,7 +1293,6 @@ config X86_PAE
12779
12780 config ARCH_PHYS_ADDR_T_64BIT
12781 def_bool y
12782- depends on X86_64 || X86_PAE
12783
12784 config ARCH_DMA_ADDR_T_64BIT
12785 def_bool y
12786@@ -1724,6 +1726,7 @@ source kernel/Kconfig.hz
12787
12788 config KEXEC
12789 bool "kexec system call"
12790+ depends on !GRKERNSEC_KMEM
12791 ---help---
12792 kexec is a system call that implements the ability to shutdown your
12793 current kernel, and to start another kernel. It is like a reboot
12794@@ -1906,7 +1909,9 @@ config X86_NEED_RELOCS
12795
12796 config PHYSICAL_ALIGN
12797 hex "Alignment value to which kernel should be aligned"
12798- default "0x200000"
12799+ default "0x1000000"
12800+ range 0x200000 0x1000000 if PAX_KERNEXEC && X86_PAE
12801+ range 0x400000 0x1000000 if PAX_KERNEXEC && !X86_PAE
12802 range 0x2000 0x1000000 if X86_32
12803 range 0x200000 0x1000000 if X86_64
12804 ---help---
12805@@ -1989,6 +1994,7 @@ config COMPAT_VDSO
12806 def_bool n
12807 prompt "Disable the 32-bit vDSO (needed for glibc 2.3.3)"
12808 depends on X86_32 || IA32_EMULATION
12809+ depends on !PAX_PAGEEXEC && !PAX_SEGMEXEC && !PAX_KERNEXEC && !PAX_MEMORY_UDEREF
12810 ---help---
12811 Certain buggy versions of glibc will crash if they are
12812 presented with a 32-bit vDSO that is not mapped at the address
12813@@ -2053,6 +2059,22 @@ config CMDLINE_OVERRIDE
12814 This is used to work around broken boot loaders. This should
12815 be set to 'N' under normal conditions.
12816
12817+config DEFAULT_MODIFY_LDT_SYSCALL
12818+ bool "Allow userspace to modify the LDT by default"
12819+ default y
12820+
12821+ ---help---
12822+ Modifying the LDT (Local Descriptor Table) may be needed to run a
12823+ 16-bit or segmented code such as Dosemu or Wine. This is done via
12824+ a system call which is not needed to run portable applications,
12825+ and which can sometimes be abused to exploit some weaknesses of
12826+ the architecture, opening new vulnerabilities.
12827+
12828+ For this reason this option allows one to enable or disable the
12829+ feature at runtime. It is recommended to say 'N' here to leave
12830+ the system protected, and to enable it at runtime only if needed
12831+ by setting the sys.kernel.modify_ldt sysctl.
12832+
12833 source "kernel/livepatch/Kconfig"
12834
12835 endmenu
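Review bot: The help text for DEFAULT_MODIFY_LDT_SYSCALL recommends saying 'N', yet the entry carries `default y`, so a configuration that accepts the defaults leaves the LDT syscall enabled. If the permissive default is deliberate for compatibility, the help text should say so; otherwise `default n` matches the recommendation. The sysctl is named `sys.kernel.modify_ldt`, while keys under /proc/sys/kernel are normally written without the `sys.` prefix. Its registration is not in this hunk, so confirm the name and, if it follows the usual form, write `by setting the kernel.modify_ldt sysctl.` Also, "a 16-bit or segmented code" should read "16-bit or segmented code".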
12836diff --git a/arch/x86/Kconfig.cpu b/arch/x86/Kconfig.cpu
12837index 6983314..54ad7e8 100644
12838--- a/arch/x86/Kconfig.cpu
12839+++ b/arch/x86/Kconfig.cpu
12840@@ -319,7 +319,7 @@ config X86_PPRO_FENCE
12841
12842 config X86_F00F_BUG
12843 def_bool y
12844- depends on M586MMX || M586TSC || M586 || M486
12845+ depends on (M586MMX || M586TSC || M586 || M486) && !PAX_KERNEXEC
12846
12847 config X86_INVD_BUG
12848 def_bool y
12849@@ -327,7 +327,7 @@ config X86_INVD_BUG
12850
12851 config X86_ALIGNMENT_16
12852 def_bool y
12853- depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || MELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12854+ depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
12855
12856 config X86_INTEL_USERCOPY
12857 def_bool y
12858@@ -369,7 +369,7 @@ config X86_CMPXCHG64
12859 # generates cmov.
12860 config X86_CMOV
12861 def_bool y
12862- depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12863+ depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
12864
12865 config X86_MINIMUM_CPU_FAMILY
12866 int
12867diff --git a/arch/x86/Kconfig.debug b/arch/x86/Kconfig.debug
12868index d8c0d32..28e3117 100644
12869--- a/arch/x86/Kconfig.debug
12870+++ b/arch/x86/Kconfig.debug
12871@@ -69,6 +69,7 @@ config X86_PTDUMP
12872 bool "Export kernel pagetable layout to userspace via debugfs"
12873 depends on DEBUG_KERNEL
12874 select DEBUG_FS
12875+ depends on !GRKERNSEC_KMEM
12876 ---help---
12877 Say Y here if you want to show the kernel pagetable layout in a
12878 debugfs file. This information is only useful for kernel developers
12879@@ -89,7 +90,7 @@ config EFI_PGT_DUMP
12880 config DEBUG_RODATA
12881 bool "Write protect kernel read-only data structures"
12882 default y
12883- depends on DEBUG_KERNEL
12884+ depends on DEBUG_KERNEL && BROKEN
12885 ---help---
12886 Mark the kernel read-only data as write-protected in the pagetables,
12887 in order to catch accidental (and incorrect) writes to such const
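Review bot: `depends on DEBUG_KERNEL && BROKEN` makes DEBUG_RODATA unselectable while the entry keeps `default y` and its original help text, so nothing here explains why kernel read-only data protection is being turned off. The next hunk does the same to DEBUG_SET_MODULE_RONX with `depends on MODULES && BROKEN`. If another option in this patch is meant to supply the protection instead (not visible here), name it in a `#` comment above each `depends on` line. Configuration audits that look for `CONFIG_DEBUG_RODATA=y` will otherwise report these kernels as unprotected, with no pointer to what replaces it.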
12888@@ -107,7 +108,7 @@ config DEBUG_RODATA_TEST
12889
12890 config DEBUG_SET_MODULE_RONX
12891 bool "Set loadable kernel module data as NX and text as RO"
12892- depends on MODULES
12893+ depends on MODULES && BROKEN
12894 ---help---
12895 This option helps catch unintended modifications to loadable
12896 kernel module's text and read-only data. It also prevents execution
12897@@ -359,6 +360,7 @@ config X86_DEBUG_FPU
12898 config PUNIT_ATOM_DEBUG
12899 tristate "ATOM Punit debug driver"
12900 select DEBUG_FS
12901+ depends on !GRKERNSEC_KMEM
12902 select IOSF_MBI
12903 ---help---
12904 This is a debug driver, which gets the power states
12905diff --git a/arch/x86/Makefile b/arch/x86/Makefile
12906index 118e6de..e02efff 100644
12907--- a/arch/x86/Makefile
12908+++ b/arch/x86/Makefile
12909@@ -65,9 +65,6 @@ ifeq ($(CONFIG_X86_32),y)
12910 # CPU-specific tuning. Anything which can be shared with UML should go here.
12911 include arch/x86/Makefile_32.cpu
12912 KBUILD_CFLAGS += $(cflags-y)
12913-
12914- # temporary until string.h is fixed
12915- KBUILD_CFLAGS += -ffreestanding
12916 else
12917 BITS := 64
12918 UTS_MACHINE := x86_64
12919@@ -116,6 +113,9 @@ else
12920 KBUILD_CFLAGS += $(call cc-option,-maccumulate-outgoing-args)
12921 endif
12922
12923+# temporary until string.h is fixed
12924+KBUILD_CFLAGS += -ffreestanding
12925+
12926 # Make sure compiler does not have buggy stack-protector support.
12927 ifdef CONFIG_CC_STACKPROTECTOR
12928 cc_has_sp := $(srctree)/scripts/gcc-x86_$(BITS)-has-stack-protector.sh
12929@@ -184,6 +184,7 @@ archheaders:
12930 $(Q)$(MAKE) $(build)=arch/x86/entry/syscalls all
12931
12932 archprepare:
12933+ $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
12934 ifeq ($(CONFIG_KEXEC_FILE),y)
12935 $(Q)$(MAKE) $(build)=arch/x86/purgatory arch/x86/purgatory/kexec-purgatory.c
12936 endif
12937@@ -267,3 +268,9 @@ define archhelp
12938 echo ' FDARGS="..." arguments for the booted kernel'
12939 echo ' FDINITRD=file initrd for the booted kernel'
12940 endef
12941+
12942+define OLD_LD
12943+
12944+*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
12945+*** Please upgrade your binutils to 2.18 or newer
12946+endef
12947diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile
12948index 57bbf2f..b100fce 100644
12949--- a/arch/x86/boot/Makefile
12950+++ b/arch/x86/boot/Makefile
12951@@ -58,6 +58,9 @@ clean-files += cpustr.h
12952 # ---------------------------------------------------------------------------
12953
12954 KBUILD_CFLAGS := $(USERINCLUDE) $(REALMODE_CFLAGS) -D_SETUP
12955+ifdef CONSTIFY_PLUGIN
12956+KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
12957+endif
12958 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
12959 GCOV_PROFILE := n
12960
12961diff --git a/arch/x86/boot/bitops.h b/arch/x86/boot/bitops.h
12962index 878e4b9..20537ab 100644
12963--- a/arch/x86/boot/bitops.h
12964+++ b/arch/x86/boot/bitops.h
12965@@ -26,7 +26,7 @@ static inline int variable_test_bit(int nr, const void *addr)
12966 u8 v;
12967 const u32 *p = (const u32 *)addr;
12968
12969- asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
12970+ asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
12971 return v;
12972 }
12973
12974@@ -37,7 +37,7 @@ static inline int variable_test_bit(int nr, const void *addr)
12975
12976 static inline void set_bit(int nr, void *addr)
12977 {
12978- asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
12979+ asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
12980 }
12981
12982 #endif /* BOOT_BITOPS_H */
12983diff --git a/arch/x86/boot/boot.h b/arch/x86/boot/boot.h
12984index bd49ec6..94c7f58 100644
12985--- a/arch/x86/boot/boot.h
12986+++ b/arch/x86/boot/boot.h
12987@@ -84,7 +84,7 @@ static inline void io_delay(void)
12988 static inline u16 ds(void)
12989 {
12990 u16 seg;
12991- asm("movw %%ds,%0" : "=rm" (seg));
12992+ asm volatile("movw %%ds,%0" : "=rm" (seg));
12993 return seg;
12994 }
12995
12996diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile
12997index 0a291cd..9686efc 100644
12998--- a/arch/x86/boot/compressed/Makefile
12999+++ b/arch/x86/boot/compressed/Makefile
13000@@ -30,6 +30,9 @@ KBUILD_CFLAGS += $(cflags-y)
13001 KBUILD_CFLAGS += -mno-mmx -mno-sse
13002 KBUILD_CFLAGS += $(call cc-option,-ffreestanding)
13003 KBUILD_CFLAGS += $(call cc-option,-fno-stack-protector)
13004+ifdef CONSTIFY_PLUGIN
13005+KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
13006+endif
13007
13008 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
13009 GCOV_PROFILE := n
13010diff --git a/arch/x86/boot/compressed/efi_stub_32.S b/arch/x86/boot/compressed/efi_stub_32.S
13011index a53440e..c3dbf1e 100644
13012--- a/arch/x86/boot/compressed/efi_stub_32.S
13013+++ b/arch/x86/boot/compressed/efi_stub_32.S
13014@@ -46,16 +46,13 @@ ENTRY(efi_call_phys)
13015 * parameter 2, ..., param n. To make things easy, we save the return
13016 * address of efi_call_phys in a global variable.
13017 */
13018- popl %ecx
13019- movl %ecx, saved_return_addr(%edx)
13020- /* get the function pointer into ECX*/
13021- popl %ecx
13022- movl %ecx, efi_rt_function_ptr(%edx)
13023+ popl saved_return_addr(%edx)
13024+ popl efi_rt_function_ptr(%edx)
13025
13026 /*
13027 * 3. Call the physical function.
13028 */
13029- call *%ecx
13030+ call *efi_rt_function_ptr(%edx)
13031
13032 /*
13033 * 4. Balance the stack. And because EAX contain the return value,
13034@@ -67,15 +64,12 @@ ENTRY(efi_call_phys)
13035 1: popl %edx
13036 subl $1b, %edx
13037
13038- movl efi_rt_function_ptr(%edx), %ecx
13039- pushl %ecx
13040+ pushl efi_rt_function_ptr(%edx)
13041
13042 /*
13043 * 10. Push the saved return address onto the stack and return.
13044 */
13045- movl saved_return_addr(%edx), %ecx
13046- pushl %ecx
13047- ret
13048+ jmpl *saved_return_addr(%edx)
13049 ENDPROC(efi_call_phys)
13050 .previous
13051
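Review bot: The step comment `10. Push the saved return address onto the stack and return.` no longer describes the code under it. The new line is `jmpl *saved_return_addr(%edx)`, which jumps through the saved slot and neither pushes nor executes `ret`. Reword the comment to match, for example `10. Jump to the saved return address.` The first hunk likewise drops the `/* get the function pointer into ECX */` comment without noting that the call now goes through `efi_rt_function_ptr(%edx)`.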
13052diff --git a/arch/x86/boot/compressed/efi_thunk_64.S b/arch/x86/boot/compressed/efi_thunk_64.S
13053index 630384a..278e788 100644
13054--- a/arch/x86/boot/compressed/efi_thunk_64.S
13055+++ b/arch/x86/boot/compressed/efi_thunk_64.S
13056@@ -189,8 +189,8 @@ efi_gdt64:
13057 .long 0 /* Filled out by user */
13058 .word 0
13059 .quad 0x0000000000000000 /* NULL descriptor */
13060- .quad 0x00af9a000000ffff /* __KERNEL_CS */
13061- .quad 0x00cf92000000ffff /* __KERNEL_DS */
13062+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
13063+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
13064 .quad 0x0080890000000000 /* TS descriptor */
13065 .quad 0x0000000000000000 /* TS continued */
13066 efi_gdt64_end:
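Review bot: The two descriptor constants differ from the old ones only in the lowest bit of the type field (`0x9a` to `0x9b` for `__KERNEL_CS`, `0x92` to `0x93` for `__KERNEL_DS`), which is the descriptor's accessed bit, and the hunk gives no reason for pre-setting it. If the intent is to keep the CPU from writing that bit back into the table when the selector is loaded (presumably so the GDT can be read-only; confirm), say so next to the entries, e.g. `/* accessed bit pre-set: selector loads must not write to the GDT */`. The same edit is made to `gdt` in arch/x86/boot/compressed/head_64.S and needs the same comment.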
13067diff --git a/arch/x86/boot/compressed/head_32.S b/arch/x86/boot/compressed/head_32.S
13068index 8ef964d..fcfb8aa 100644
13069--- a/arch/x86/boot/compressed/head_32.S
13070+++ b/arch/x86/boot/compressed/head_32.S
13071@@ -141,10 +141,10 @@ preferred_addr:
13072 addl %eax, %ebx
13073 notl %eax
13074 andl %eax, %ebx
13075- cmpl $LOAD_PHYSICAL_ADDR, %ebx
13076+ cmpl $____LOAD_PHYSICAL_ADDR, %ebx
13077 jge 1f
13078 #endif
13079- movl $LOAD_PHYSICAL_ADDR, %ebx
13080+ movl $____LOAD_PHYSICAL_ADDR, %ebx
13081 1:
13082
13083 /* Target address to relocate to for decompression */
13084diff --git a/arch/x86/boot/compressed/head_64.S b/arch/x86/boot/compressed/head_64.S
13085index b0c0d16..3b44ff8 100644
13086--- a/arch/x86/boot/compressed/head_64.S
13087+++ b/arch/x86/boot/compressed/head_64.S
13088@@ -95,10 +95,10 @@ ENTRY(startup_32)
13089 addl %eax, %ebx
13090 notl %eax
13091 andl %eax, %ebx
13092- cmpl $LOAD_PHYSICAL_ADDR, %ebx
13093+ cmpl $____LOAD_PHYSICAL_ADDR, %ebx
13094 jge 1f
13095 #endif
13096- movl $LOAD_PHYSICAL_ADDR, %ebx
13097+ movl $____LOAD_PHYSICAL_ADDR, %ebx
13098 1:
13099
13100 /* Target address to relocate to for decompression */
13101@@ -323,10 +323,10 @@ preferred_addr:
13102 addq %rax, %rbp
13103 notq %rax
13104 andq %rax, %rbp
13105- cmpq $LOAD_PHYSICAL_ADDR, %rbp
13106+ cmpq $____LOAD_PHYSICAL_ADDR, %rbp
13107 jge 1f
13108 #endif
13109- movq $LOAD_PHYSICAL_ADDR, %rbp
13110+ movq $____LOAD_PHYSICAL_ADDR, %rbp
13111 1:
13112
13113 /* Target address to relocate to for decompression */
13114@@ -435,8 +435,8 @@ gdt:
13115 .long gdt
13116 .word 0
13117 .quad 0x0000000000000000 /* NULL descriptor */
13118- .quad 0x00af9a000000ffff /* __KERNEL_CS */
13119- .quad 0x00cf92000000ffff /* __KERNEL_DS */
13120+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
13121+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
13122 .quad 0x0080890000000000 /* TS descriptor */
13123 .quad 0x0000000000000000 /* TS continued */
13124 gdt_end:
13125diff --git a/arch/x86/boot/compressed/misc.c b/arch/x86/boot/compressed/misc.c
13126index e28437e..6a17460 100644
13127--- a/arch/x86/boot/compressed/misc.c
13128+++ b/arch/x86/boot/compressed/misc.c
13129@@ -242,7 +242,7 @@ static void handle_relocations(void *output, unsigned long output_len)
13130 * Calculate the delta between where vmlinux was linked to load
13131 * and where it was actually loaded.
13132 */
13133- delta = min_addr - LOAD_PHYSICAL_ADDR;
13134+ delta = min_addr - ____LOAD_PHYSICAL_ADDR;
13135 if (!delta) {
13136 debug_putstr("No relocation needed... ");
13137 return;
13138@@ -324,7 +324,7 @@ static void parse_elf(void *output)
13139 Elf32_Ehdr ehdr;
13140 Elf32_Phdr *phdrs, *phdr;
13141 #endif
13142- void *dest;
13143+ void *dest, *prev;
13144 int i;
13145
13146 memcpy(&ehdr, output, sizeof(ehdr));
13147@@ -351,13 +351,16 @@ static void parse_elf(void *output)
13148 case PT_LOAD:
13149 #ifdef CONFIG_RELOCATABLE
13150 dest = output;
13151- dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
13152+ dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
13153 #else
13154 dest = (void *)(phdr->p_paddr);
13155 #endif
13156 memcpy(dest,
13157 output + phdr->p_offset,
13158 phdr->p_filesz);
13159+ if (i)
13160+ memset(prev, 0xff, dest - prev);
13161+ prev = dest + phdr->p_filesz;
13162 break;
13163 default: /* Ignore other PT_* */ break;
13164 }
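Review bot: `memset(prev, 0xff, dest - prev)` is guarded by `if (i)`, but `i` is the program-header index, not a count of PT_LOAD segments already copied. `prev` is declared without an initializer in the previous hunk, so if header 0 is not a PT_LOAD the first fill reads an indeterminate pointer. If a later segment's `dest` lies below `prev`, the length `dest - prev` converts to a very large unsigned value. Initialize at the declaration with `void *dest, *prev = NULL;` and guard the fill with `if (prev && dest > prev)`. parse_elf's body starts and ends outside this hunk.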
13165@@ -419,7 +422,7 @@ asmlinkage __visible void *decompress_kernel(void *rmode, memptr heap,
13166 error("Destination address too large");
13167 #endif
13168 #ifndef CONFIG_RELOCATABLE
13169- if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
13170+ if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
13171 error("Wrong destination address");
13172 #endif
13173
13174diff --git a/arch/x86/boot/cpucheck.c b/arch/x86/boot/cpucheck.c
13175index 1fd7d57..0f7d096 100644
13176--- a/arch/x86/boot/cpucheck.c
13177+++ b/arch/x86/boot/cpucheck.c
13178@@ -125,9 +125,9 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
13179 u32 ecx = MSR_K7_HWCR;
13180 u32 eax, edx;
13181
13182- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13183+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13184 eax &= ~(1 << 15);
13185- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13186+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13187
13188 get_cpuflags(); /* Make sure it really did something */
13189 err = check_cpuflags();
13190@@ -140,9 +140,9 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
13191 u32 ecx = MSR_VIA_FCR;
13192 u32 eax, edx;
13193
13194- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13195+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13196 eax |= (1<<1)|(1<<7);
13197- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13198+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13199
13200 set_bit(X86_FEATURE_CX8, cpu.flags);
13201 err = check_cpuflags();
13202@@ -153,12 +153,12 @@ int check_cpu(int *cpu_level_ptr, int *req_level_ptr, u32 **err_flags_ptr)
13203 u32 eax, edx;
13204 u32 level = 1;
13205
13206- asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13207- asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
13208- asm("cpuid"
13209+ asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
13210+ asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
13211+ asm volatile("cpuid"
13212 : "+a" (level), "=d" (cpu.flags[0])
13213 : : "ecx", "ebx");
13214- asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13215+ asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
13216
13217 err = check_cpuflags();
13218 } else if (err == 0x01 &&
13219diff --git a/arch/x86/boot/header.S b/arch/x86/boot/header.S
13220index 16ef025..91e033b 100644
13221--- a/arch/x86/boot/header.S
13222+++ b/arch/x86/boot/header.S
13223@@ -438,10 +438,14 @@ setup_data: .quad 0 # 64-bit physical pointer to
13224 # single linked list of
13225 # struct setup_data
13226
13227-pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
13228+pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
13229
13230 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
13231+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
13232+#define VO_INIT_SIZE (VO__end - VO__text - __PAGE_OFFSET - ____LOAD_PHYSICAL_ADDR)
13233+#else
13234 #define VO_INIT_SIZE (VO__end - VO__text)
13235+#endif
13236 #if ZO_INIT_SIZE > VO_INIT_SIZE
13237 #define INIT_SIZE ZO_INIT_SIZE
13238 #else
13239diff --git a/arch/x86/boot/memory.c b/arch/x86/boot/memory.c
13240index db75d07..8e6d0af 100644
13241--- a/arch/x86/boot/memory.c
13242+++ b/arch/x86/boot/memory.c
13243@@ -19,7 +19,7 @@
13244
13245 static int detect_memory_e820(void)
13246 {
13247- int count = 0;
13248+ unsigned int count = 0;
13249 struct biosregs ireg, oreg;
13250 struct e820entry *desc = boot_params.e820_map;
13251 static struct e820entry buf; /* static so it is zeroed */
13252diff --git a/arch/x86/boot/video-vesa.c b/arch/x86/boot/video-vesa.c
13253index ba3e100..6501b8f 100644
13254--- a/arch/x86/boot/video-vesa.c
13255+++ b/arch/x86/boot/video-vesa.c
13256@@ -201,6 +201,7 @@ static void vesa_store_pm_info(void)
13257
13258 boot_params.screen_info.vesapm_seg = oreg.es;
13259 boot_params.screen_info.vesapm_off = oreg.di;
13260+ boot_params.screen_info.vesapm_size = oreg.cx;
13261 }
13262
13263 /*
13264diff --git a/arch/x86/boot/video.c b/arch/x86/boot/video.c
13265index 05111bb..a1ae1f0 100644
13266--- a/arch/x86/boot/video.c
13267+++ b/arch/x86/boot/video.c
13268@@ -98,7 +98,7 @@ static void store_mode_params(void)
13269 static unsigned int get_entry(void)
13270 {
13271 char entry_buf[4];
13272- int i, len = 0;
13273+ unsigned int i, len = 0;
13274 int key;
13275 unsigned int v;
13276
13277diff --git a/arch/x86/crypto/aes-x86_64-asm_64.S b/arch/x86/crypto/aes-x86_64-asm_64.S
13278index 9105655..41779c1 100644
13279--- a/arch/x86/crypto/aes-x86_64-asm_64.S
13280+++ b/arch/x86/crypto/aes-x86_64-asm_64.S
13281@@ -8,6 +8,8 @@
13282 * including this sentence is retained in full.
13283 */
13284
13285+#include <asm/alternative-asm.h>
13286+
13287 .extern crypto_ft_tab
13288 .extern crypto_it_tab
13289 .extern crypto_fl_tab
13290@@ -70,6 +72,8 @@
13291 je B192; \
13292 leaq 32(r9),r9;
13293
13294+#define ret pax_force_retaddr; ret
13295+
13296 #define epilogue(FUNC,r1,r2,r3,r4,r5,r6,r7,r8,r9) \
13297 movq r1,r2; \
13298 movq r3,r4; \
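Review bot: `#define ret pax_force_retaddr; ret` rewrites every later `ret` token in this file through the preprocessor, whereas the other crypto assembly files in this patch insert `pax_force_retaddr` explicitly before each `ret`. The define is easy to miss when reading the `epilogue` macro below it, so document it in place, e.g. `/* every ret below is preceded by pax_force_retaddr via this macro */`. A later edit that adds a return path above the define, or that `#undef`s it, would drop the hardening silently; the comment should state that the placement is deliberate.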
13299diff --git a/arch/x86/crypto/aesni-intel_asm.S b/arch/x86/crypto/aesni-intel_asm.S
13300index 6bd2c6c..368c93e 100644
13301--- a/arch/x86/crypto/aesni-intel_asm.S
13302+++ b/arch/x86/crypto/aesni-intel_asm.S
13303@@ -31,6 +31,7 @@
13304
13305 #include <linux/linkage.h>
13306 #include <asm/inst.h>
13307+#include <asm/alternative-asm.h>
13308
13309 /*
13310 * The following macros are used to move an (un)aligned 16 byte value to/from
13311@@ -217,7 +218,7 @@ enc: .octa 0x2
13312 * num_initial_blocks = b mod 4
13313 * encrypt the initial num_initial_blocks blocks and apply ghash on
13314 * the ciphertext
13315-* %r10, %r11, %r12, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13316+* %r10, %r11, %r15, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13317 * are clobbered
13318 * arg1, %arg2, %arg3, %r14 are used as a pointer only, not modified
13319 */
13320@@ -227,8 +228,8 @@ enc: .octa 0x2
13321 XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation
13322 MOVADQ SHUF_MASK(%rip), %xmm14
13323 mov arg7, %r10 # %r10 = AAD
13324- mov arg8, %r12 # %r12 = aadLen
13325- mov %r12, %r11
13326+ mov arg8, %r15 # %r15 = aadLen
13327+ mov %r15, %r11
13328 pxor %xmm\i, %xmm\i
13329
13330 _get_AAD_loop\num_initial_blocks\operation:
13331@@ -237,17 +238,17 @@ _get_AAD_loop\num_initial_blocks\operation:
13332 psrldq $4, %xmm\i
13333 pxor \TMP1, %xmm\i
13334 add $4, %r10
13335- sub $4, %r12
13336+ sub $4, %r15
13337 jne _get_AAD_loop\num_initial_blocks\operation
13338
13339 cmp $16, %r11
13340 je _get_AAD_loop2_done\num_initial_blocks\operation
13341
13342- mov $16, %r12
13343+ mov $16, %r15
13344 _get_AAD_loop2\num_initial_blocks\operation:
13345 psrldq $4, %xmm\i
13346- sub $4, %r12
13347- cmp %r11, %r12
13348+ sub $4, %r15
13349+ cmp %r11, %r15
13350 jne _get_AAD_loop2\num_initial_blocks\operation
13351
13352 _get_AAD_loop2_done\num_initial_blocks\operation:
13353@@ -442,7 +443,7 @@ _initial_blocks_done\num_initial_blocks\operation:
13354 * num_initial_blocks = b mod 4
13355 * encrypt the initial num_initial_blocks blocks and apply ghash on
13356 * the ciphertext
13357-* %r10, %r11, %r12, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13358+* %r10, %r11, %r15, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
13359 * are clobbered
13360 * arg1, %arg2, %arg3, %r14 are used as a pointer only, not modified
13361 */
13362@@ -452,8 +453,8 @@ _initial_blocks_done\num_initial_blocks\operation:
13363 XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation
13364 MOVADQ SHUF_MASK(%rip), %xmm14
13365 mov arg7, %r10 # %r10 = AAD
13366- mov arg8, %r12 # %r12 = aadLen
13367- mov %r12, %r11
13368+ mov arg8, %r15 # %r15 = aadLen
13369+ mov %r15, %r11
13370 pxor %xmm\i, %xmm\i
13371 _get_AAD_loop\num_initial_blocks\operation:
13372 movd (%r10), \TMP1
13373@@ -461,15 +462,15 @@ _get_AAD_loop\num_initial_blocks\operation:
13374 psrldq $4, %xmm\i
13375 pxor \TMP1, %xmm\i
13376 add $4, %r10
13377- sub $4, %r12
13378+ sub $4, %r15
13379 jne _get_AAD_loop\num_initial_blocks\operation
13380 cmp $16, %r11
13381 je _get_AAD_loop2_done\num_initial_blocks\operation
13382- mov $16, %r12
13383+ mov $16, %r15
13384 _get_AAD_loop2\num_initial_blocks\operation:
13385 psrldq $4, %xmm\i
13386- sub $4, %r12
13387- cmp %r11, %r12
13388+ sub $4, %r15
13389+ cmp %r11, %r15
13390 jne _get_AAD_loop2\num_initial_blocks\operation
13391 _get_AAD_loop2_done\num_initial_blocks\operation:
13392 PSHUFB_XMM %xmm14, %xmm\i # byte-reflect the AAD data
13393@@ -1280,7 +1281,7 @@ _esb_loop_\@:
13394 *
13395 *****************************************************************************/
13396 ENTRY(aesni_gcm_dec)
13397- push %r12
13398+ push %r15
13399 push %r13
13400 push %r14
13401 mov %rsp, %r14
13402@@ -1290,8 +1291,8 @@ ENTRY(aesni_gcm_dec)
13403 */
13404 sub $VARIABLE_OFFSET, %rsp
13405 and $~63, %rsp # align rsp to 64 bytes
13406- mov %arg6, %r12
13407- movdqu (%r12), %xmm13 # %xmm13 = HashKey
13408+ mov %arg6, %r15
13409+ movdqu (%r15), %xmm13 # %xmm13 = HashKey
13410 movdqa SHUF_MASK(%rip), %xmm2
13411 PSHUFB_XMM %xmm2, %xmm13
13412
13413@@ -1319,10 +1320,10 @@ ENTRY(aesni_gcm_dec)
13414 movdqa %xmm13, HashKey(%rsp) # store HashKey<<1 (mod poly)
13415 mov %arg4, %r13 # save the number of bytes of plaintext/ciphertext
13416 and $-16, %r13 # %r13 = %r13 - (%r13 mod 16)
13417- mov %r13, %r12
13418- and $(3<<4), %r12
13419+ mov %r13, %r15
13420+ and $(3<<4), %r15
13421 jz _initial_num_blocks_is_0_decrypt
13422- cmp $(2<<4), %r12
13423+ cmp $(2<<4), %r15
13424 jb _initial_num_blocks_is_1_decrypt
13425 je _initial_num_blocks_is_2_decrypt
13426 _initial_num_blocks_is_3_decrypt:
13427@@ -1372,16 +1373,16 @@ _zero_cipher_left_decrypt:
13428 sub $16, %r11
13429 add %r13, %r11
13430 movdqu (%arg3,%r11,1), %xmm1 # receive the last <16 byte block
13431- lea SHIFT_MASK+16(%rip), %r12
13432- sub %r13, %r12
13433+ lea SHIFT_MASK+16(%rip), %r15
13434+ sub %r13, %r15
13435 # adjust the shuffle mask pointer to be able to shift 16-%r13 bytes
13436 # (%r13 is the number of bytes in plaintext mod 16)
13437- movdqu (%r12), %xmm2 # get the appropriate shuffle mask
13438+ movdqu (%r15), %xmm2 # get the appropriate shuffle mask
13439 PSHUFB_XMM %xmm2, %xmm1 # right shift 16-%r13 butes
13440
13441 movdqa %xmm1, %xmm2
13442 pxor %xmm1, %xmm0 # Ciphertext XOR E(K, Yn)
13443- movdqu ALL_F-SHIFT_MASK(%r12), %xmm1
13444+ movdqu ALL_F-SHIFT_MASK(%r15), %xmm1
13445 # get the appropriate mask to mask out top 16-%r13 bytes of %xmm0
13446 pand %xmm1, %xmm0 # mask out top 16-%r13 bytes of %xmm0
13447 pand %xmm1, %xmm2
13448@@ -1410,9 +1411,9 @@ _less_than_8_bytes_left_decrypt:
13449 sub $1, %r13
13450 jne _less_than_8_bytes_left_decrypt
13451 _multiple_of_16_bytes_decrypt:
13452- mov arg8, %r12 # %r13 = aadLen (number of bytes)
13453- shl $3, %r12 # convert into number of bits
13454- movd %r12d, %xmm15 # len(A) in %xmm15
13455+ mov arg8, %r15 # %r13 = aadLen (number of bytes)
13456+ shl $3, %r15 # convert into number of bits
13457+ movd %r15d, %xmm15 # len(A) in %xmm15
13458 shl $3, %arg4 # len(C) in bits (*128)
13459 MOVQ_R64_XMM %arg4, %xmm1
13460 pslldq $8, %xmm15 # %xmm15 = len(A)||0x0000000000000000
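Review bot: The comment on the rewritten `mov arg8, %r15` line still reads `# %r13 = aadLen (number of bytes)`, so it names a register that is neither the old nor the new destination. It should read `# %r15 = aadLen (number of bytes)`, in line with the encrypt path, which was updated to `%r15`. The file also never says why `%r12` is being vacated throughout. If the register is reserved for `pax_force_retaddr` (an inference, not shown here), a sentence in the file header would stop a later change from reintroducing it.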
13461@@ -1451,7 +1452,8 @@ _return_T_done_decrypt:
13462 mov %r14, %rsp
13463 pop %r14
13464 pop %r13
13465- pop %r12
13466+ pop %r15
13467+ pax_force_retaddr
13468 ret
13469 ENDPROC(aesni_gcm_dec)
13470
13471@@ -1540,7 +1542,7 @@ ENDPROC(aesni_gcm_dec)
13472 * poly = x^128 + x^127 + x^126 + x^121 + 1
13473 ***************************************************************************/
13474 ENTRY(aesni_gcm_enc)
13475- push %r12
13476+ push %r15
13477 push %r13
13478 push %r14
13479 mov %rsp, %r14
13480@@ -1550,8 +1552,8 @@ ENTRY(aesni_gcm_enc)
13481 #
13482 sub $VARIABLE_OFFSET, %rsp
13483 and $~63, %rsp
13484- mov %arg6, %r12
13485- movdqu (%r12), %xmm13
13486+ mov %arg6, %r15
13487+ movdqu (%r15), %xmm13
13488 movdqa SHUF_MASK(%rip), %xmm2
13489 PSHUFB_XMM %xmm2, %xmm13
13490
13491@@ -1575,13 +1577,13 @@ ENTRY(aesni_gcm_enc)
13492 movdqa %xmm13, HashKey(%rsp)
13493 mov %arg4, %r13 # %xmm13 holds HashKey<<1 (mod poly)
13494 and $-16, %r13
13495- mov %r13, %r12
13496+ mov %r13, %r15
13497
13498 # Encrypt first few blocks
13499
13500- and $(3<<4), %r12
13501+ and $(3<<4), %r15
13502 jz _initial_num_blocks_is_0_encrypt
13503- cmp $(2<<4), %r12
13504+ cmp $(2<<4), %r15
13505 jb _initial_num_blocks_is_1_encrypt
13506 je _initial_num_blocks_is_2_encrypt
13507 _initial_num_blocks_is_3_encrypt:
13508@@ -1634,14 +1636,14 @@ _zero_cipher_left_encrypt:
13509 sub $16, %r11
13510 add %r13, %r11
13511 movdqu (%arg3,%r11,1), %xmm1 # receive the last <16 byte blocks
13512- lea SHIFT_MASK+16(%rip), %r12
13513- sub %r13, %r12
13514+ lea SHIFT_MASK+16(%rip), %r15
13515+ sub %r13, %r15
13516 # adjust the shuffle mask pointer to be able to shift 16-r13 bytes
13517 # (%r13 is the number of bytes in plaintext mod 16)
13518- movdqu (%r12), %xmm2 # get the appropriate shuffle mask
13519+ movdqu (%r15), %xmm2 # get the appropriate shuffle mask
13520 PSHUFB_XMM %xmm2, %xmm1 # shift right 16-r13 byte
13521 pxor %xmm1, %xmm0 # Plaintext XOR Encrypt(K, Yn)
13522- movdqu ALL_F-SHIFT_MASK(%r12), %xmm1
13523+ movdqu ALL_F-SHIFT_MASK(%r15), %xmm1
13524 # get the appropriate mask to mask out top 16-r13 bytes of xmm0
13525 pand %xmm1, %xmm0 # mask out top 16-r13 bytes of xmm0
13526 movdqa SHUF_MASK(%rip), %xmm10
13527@@ -1674,9 +1676,9 @@ _less_than_8_bytes_left_encrypt:
13528 sub $1, %r13
13529 jne _less_than_8_bytes_left_encrypt
13530 _multiple_of_16_bytes_encrypt:
13531- mov arg8, %r12 # %r12 = addLen (number of bytes)
13532- shl $3, %r12
13533- movd %r12d, %xmm15 # len(A) in %xmm15
13534+ mov arg8, %r15 # %r15 = addLen (number of bytes)
13535+ shl $3, %r15
13536+ movd %r15d, %xmm15 # len(A) in %xmm15
13537 shl $3, %arg4 # len(C) in bits (*128)
13538 MOVQ_R64_XMM %arg4, %xmm1
13539 pslldq $8, %xmm15 # %xmm15 = len(A)||0x0000000000000000
13540@@ -1715,7 +1717,8 @@ _return_T_done_encrypt:
13541 mov %r14, %rsp
13542 pop %r14
13543 pop %r13
13544- pop %r12
13545+ pop %r15
13546+ pax_force_retaddr
13547 ret
13548 ENDPROC(aesni_gcm_enc)
13549
13550@@ -1733,6 +1736,7 @@ _key_expansion_256a:
13551 pxor %xmm1, %xmm0
13552 movaps %xmm0, (TKEYP)
13553 add $0x10, TKEYP
13554+ pax_force_retaddr
13555 ret
13556 ENDPROC(_key_expansion_128)
13557 ENDPROC(_key_expansion_256a)
13558@@ -1759,6 +1763,7 @@ _key_expansion_192a:
13559 shufps $0b01001110, %xmm2, %xmm1
13560 movaps %xmm1, 0x10(TKEYP)
13561 add $0x20, TKEYP
13562+ pax_force_retaddr
13563 ret
13564 ENDPROC(_key_expansion_192a)
13565
13566@@ -1779,6 +1784,7 @@ _key_expansion_192b:
13567
13568 movaps %xmm0, (TKEYP)
13569 add $0x10, TKEYP
13570+ pax_force_retaddr
13571 ret
13572 ENDPROC(_key_expansion_192b)
13573
13574@@ -1792,6 +1798,7 @@ _key_expansion_256b:
13575 pxor %xmm1, %xmm2
13576 movaps %xmm2, (TKEYP)
13577 add $0x10, TKEYP
13578+ pax_force_retaddr
13579 ret
13580 ENDPROC(_key_expansion_256b)
13581
13582@@ -1905,6 +1912,7 @@ ENTRY(aesni_set_key)
13583 #ifndef __x86_64__
13584 popl KEYP
13585 #endif
13586+ pax_force_retaddr
13587 ret
13588 ENDPROC(aesni_set_key)
13589
13590@@ -1927,6 +1935,7 @@ ENTRY(aesni_enc)
13591 popl KLEN
13592 popl KEYP
13593 #endif
13594+ pax_force_retaddr
13595 ret
13596 ENDPROC(aesni_enc)
13597
13598@@ -1985,6 +1994,7 @@ _aesni_enc1:
13599 AESENC KEY STATE
13600 movaps 0x70(TKEYP), KEY
13601 AESENCLAST KEY STATE
13602+ pax_force_retaddr
13603 ret
13604 ENDPROC(_aesni_enc1)
13605
13606@@ -2094,6 +2104,7 @@ _aesni_enc4:
13607 AESENCLAST KEY STATE2
13608 AESENCLAST KEY STATE3
13609 AESENCLAST KEY STATE4
13610+ pax_force_retaddr
13611 ret
13612 ENDPROC(_aesni_enc4)
13613
13614@@ -2117,6 +2128,7 @@ ENTRY(aesni_dec)
13615 popl KLEN
13616 popl KEYP
13617 #endif
13618+ pax_force_retaddr
13619 ret
13620 ENDPROC(aesni_dec)
13621
13622@@ -2175,6 +2187,7 @@ _aesni_dec1:
13623 AESDEC KEY STATE
13624 movaps 0x70(TKEYP), KEY
13625 AESDECLAST KEY STATE
13626+ pax_force_retaddr
13627 ret
13628 ENDPROC(_aesni_dec1)
13629
13630@@ -2284,6 +2297,7 @@ _aesni_dec4:
13631 AESDECLAST KEY STATE2
13632 AESDECLAST KEY STATE3
13633 AESDECLAST KEY STATE4
13634+ pax_force_retaddr
13635 ret
13636 ENDPROC(_aesni_dec4)
13637
13638@@ -2342,6 +2356,7 @@ ENTRY(aesni_ecb_enc)
13639 popl KEYP
13640 popl LEN
13641 #endif
13642+ pax_force_retaddr
13643 ret
13644 ENDPROC(aesni_ecb_enc)
13645
13646@@ -2401,6 +2416,7 @@ ENTRY(aesni_ecb_dec)
13647 popl KEYP
13648 popl LEN
13649 #endif
13650+ pax_force_retaddr
13651 ret
13652 ENDPROC(aesni_ecb_dec)
13653
13654@@ -2443,6 +2459,7 @@ ENTRY(aesni_cbc_enc)
13655 popl LEN
13656 popl IVP
13657 #endif
13658+ pax_force_retaddr
13659 ret
13660 ENDPROC(aesni_cbc_enc)
13661
13662@@ -2534,6 +2551,7 @@ ENTRY(aesni_cbc_dec)
13663 popl LEN
13664 popl IVP
13665 #endif
13666+ pax_force_retaddr
13667 ret
13668 ENDPROC(aesni_cbc_dec)
13669
13670@@ -2561,6 +2579,7 @@ _aesni_inc_init:
13671 mov $1, TCTR_LOW
13672 MOVQ_R64_XMM TCTR_LOW INC
13673 MOVQ_R64_XMM CTR TCTR_LOW
13674+ pax_force_retaddr
13675 ret
13676 ENDPROC(_aesni_inc_init)
13677
13678@@ -2590,6 +2609,7 @@ _aesni_inc:
13679 .Linc_low:
13680 movaps CTR, IV
13681 PSHUFB_XMM BSWAP_MASK IV
13682+ pax_force_retaddr
13683 ret
13684 ENDPROC(_aesni_inc)
13685
13686@@ -2651,6 +2671,7 @@ ENTRY(aesni_ctr_enc)
13687 .Lctr_enc_ret:
13688 movups IV, (IVP)
13689 .Lctr_enc_just_ret:
13690+ pax_force_retaddr
13691 ret
13692 ENDPROC(aesni_ctr_enc)
13693
13694@@ -2777,6 +2798,7 @@ ENTRY(aesni_xts_crypt8)
13695 pxor INC, STATE4
13696 movdqu STATE4, 0x70(OUTP)
13697
13698+ pax_force_retaddr
13699 ret
13700 ENDPROC(aesni_xts_crypt8)
13701
13702diff --git a/arch/x86/crypto/blowfish-x86_64-asm_64.S b/arch/x86/crypto/blowfish-x86_64-asm_64.S
13703index 246c670..466e2d6 100644
13704--- a/arch/x86/crypto/blowfish-x86_64-asm_64.S
13705+++ b/arch/x86/crypto/blowfish-x86_64-asm_64.S
13706@@ -21,6 +21,7 @@
13707 */
13708
13709 #include <linux/linkage.h>
13710+#include <asm/alternative-asm.h>
13711
13712 .file "blowfish-x86_64-asm.S"
13713 .text
13714@@ -149,9 +150,11 @@ ENTRY(__blowfish_enc_blk)
13715 jnz .L__enc_xor;
13716
13717 write_block();
13718+ pax_force_retaddr
13719 ret;
13720 .L__enc_xor:
13721 xor_block();
13722+ pax_force_retaddr
13723 ret;
13724 ENDPROC(__blowfish_enc_blk)
13725
13726@@ -183,6 +186,7 @@ ENTRY(blowfish_dec_blk)
13727
13728 movq %r11, %rbp;
13729
13730+ pax_force_retaddr
13731 ret;
13732 ENDPROC(blowfish_dec_blk)
13733
13734@@ -334,6 +338,7 @@ ENTRY(__blowfish_enc_blk_4way)
13735
13736 popq %rbx;
13737 popq %rbp;
13738+ pax_force_retaddr
13739 ret;
13740
13741 .L__enc_xor4:
13742@@ -341,6 +346,7 @@ ENTRY(__blowfish_enc_blk_4way)
13743
13744 popq %rbx;
13745 popq %rbp;
13746+ pax_force_retaddr
13747 ret;
13748 ENDPROC(__blowfish_enc_blk_4way)
13749
13750@@ -375,5 +381,6 @@ ENTRY(blowfish_dec_blk_4way)
13751 popq %rbx;
13752 popq %rbp;
13753
13754+ pax_force_retaddr
13755 ret;
13756 ENDPROC(blowfish_dec_blk_4way)
13757diff --git a/arch/x86/crypto/camellia-aesni-avx-asm_64.S b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
13758index ce71f92..1dce7ec 100644
13759--- a/arch/x86/crypto/camellia-aesni-avx-asm_64.S
13760+++ b/arch/x86/crypto/camellia-aesni-avx-asm_64.S
13761@@ -16,6 +16,7 @@
13762 */
13763
13764 #include <linux/linkage.h>
13765+#include <asm/alternative-asm.h>
13766
13767 #define CAMELLIA_TABLE_BYTE_LEN 272
13768
13769@@ -191,6 +192,7 @@ roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
13770 roundsm16(%xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7,
13771 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm15,
13772 %rcx, (%r9));
13773+ pax_force_retaddr
13774 ret;
13775 ENDPROC(roundsm16_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
13776
13777@@ -199,6 +201,7 @@ roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
13778 roundsm16(%xmm4, %xmm5, %xmm6, %xmm7, %xmm0, %xmm1, %xmm2, %xmm3,
13779 %xmm12, %xmm13, %xmm14, %xmm15, %xmm8, %xmm9, %xmm10, %xmm11,
13780 %rax, (%r9));
13781+ pax_force_retaddr
13782 ret;
13783 ENDPROC(roundsm16_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
13784
13785@@ -780,6 +783,7 @@ __camellia_enc_blk16:
13786 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
13787 %xmm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 16(%rax));
13788
13789+ pax_force_retaddr
13790 ret;
13791
13792 .align 8
13793@@ -865,6 +869,7 @@ __camellia_dec_blk16:
13794 %xmm8, %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14,
13795 %xmm15, (key_table)(CTX), (%rax), 1 * 16(%rax));
13796
13797+ pax_force_retaddr
13798 ret;
13799
13800 .align 8
13801@@ -904,6 +909,7 @@ ENTRY(camellia_ecb_enc_16way)
13802 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13803 %xmm8, %rsi);
13804
13805+ pax_force_retaddr
13806 ret;
13807 ENDPROC(camellia_ecb_enc_16way)
13808
13809@@ -932,6 +938,7 @@ ENTRY(camellia_ecb_dec_16way)
13810 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13811 %xmm8, %rsi);
13812
13813+ pax_force_retaddr
13814 ret;
13815 ENDPROC(camellia_ecb_dec_16way)
13816
13817@@ -981,6 +988,7 @@ ENTRY(camellia_cbc_dec_16way)
13818 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13819 %xmm8, %rsi);
13820
13821+ pax_force_retaddr
13822 ret;
13823 ENDPROC(camellia_cbc_dec_16way)
13824
13825@@ -1092,6 +1100,7 @@ ENTRY(camellia_ctr_16way)
13826 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13827 %xmm8, %rsi);
13828
13829+ pax_force_retaddr
13830 ret;
13831 ENDPROC(camellia_ctr_16way)
13832
13833@@ -1234,6 +1243,7 @@ camellia_xts_crypt_16way:
13834 %xmm15, %xmm14, %xmm13, %xmm12, %xmm11, %xmm10, %xmm9,
13835 %xmm8, %rsi);
13836
13837+ pax_force_retaddr
13838 ret;
13839 ENDPROC(camellia_xts_crypt_16way)
13840
13841diff --git a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
13842index 0e0b886..5a3123c 100644
13843--- a/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
13844+++ b/arch/x86/crypto/camellia-aesni-avx2-asm_64.S
13845@@ -11,6 +11,7 @@
13846 */
13847
13848 #include <linux/linkage.h>
13849+#include <asm/alternative-asm.h>
13850
13851 #define CAMELLIA_TABLE_BYTE_LEN 272
13852
13853@@ -230,6 +231,7 @@ roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd:
13854 roundsm32(%ymm0, %ymm1, %ymm2, %ymm3, %ymm4, %ymm5, %ymm6, %ymm7,
13855 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14, %ymm15,
13856 %rcx, (%r9));
13857+ pax_force_retaddr
13858 ret;
13859 ENDPROC(roundsm32_x0_x1_x2_x3_x4_x5_x6_x7_y0_y1_y2_y3_y4_y5_y6_y7_cd)
13860
13861@@ -238,6 +240,7 @@ roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab:
13862 roundsm32(%ymm4, %ymm5, %ymm6, %ymm7, %ymm0, %ymm1, %ymm2, %ymm3,
13863 %ymm12, %ymm13, %ymm14, %ymm15, %ymm8, %ymm9, %ymm10, %ymm11,
13864 %rax, (%r9));
13865+ pax_force_retaddr
13866 ret;
13867 ENDPROC(roundsm32_x4_x5_x6_x7_x0_x1_x2_x3_y4_y5_y6_y7_y0_y1_y2_y3_ab)
13868
13869@@ -820,6 +823,7 @@ __camellia_enc_blk32:
13870 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
13871 %ymm15, (key_table)(CTX, %r8, 8), (%rax), 1 * 32(%rax));
13872
13873+ pax_force_retaddr
13874 ret;
13875
13876 .align 8
13877@@ -905,6 +909,7 @@ __camellia_dec_blk32:
13878 %ymm8, %ymm9, %ymm10, %ymm11, %ymm12, %ymm13, %ymm14,
13879 %ymm15, (key_table)(CTX), (%rax), 1 * 32(%rax));
13880
13881+ pax_force_retaddr
13882 ret;
13883
13884 .align 8
13885@@ -948,6 +953,7 @@ ENTRY(camellia_ecb_enc_32way)
13886
13887 vzeroupper;
13888
13889+ pax_force_retaddr
13890 ret;
13891 ENDPROC(camellia_ecb_enc_32way)
13892
13893@@ -980,6 +986,7 @@ ENTRY(camellia_ecb_dec_32way)
13894
13895 vzeroupper;
13896
13897+ pax_force_retaddr
13898 ret;
13899 ENDPROC(camellia_ecb_dec_32way)
13900
13901@@ -1046,6 +1053,7 @@ ENTRY(camellia_cbc_dec_32way)
13902
13903 vzeroupper;
13904
13905+ pax_force_retaddr
13906 ret;
13907 ENDPROC(camellia_cbc_dec_32way)
13908
13909@@ -1184,6 +1192,7 @@ ENTRY(camellia_ctr_32way)
13910
13911 vzeroupper;
13912
13913+ pax_force_retaddr
13914 ret;
13915 ENDPROC(camellia_ctr_32way)
13916
13917@@ -1349,6 +1358,7 @@ camellia_xts_crypt_32way:
13918
13919 vzeroupper;
13920
13921+ pax_force_retaddr
13922 ret;
13923 ENDPROC(camellia_xts_crypt_32way)
13924
13925diff --git a/arch/x86/crypto/camellia-x86_64-asm_64.S b/arch/x86/crypto/camellia-x86_64-asm_64.S
13926index 310319c..db3d7b5 100644
13927--- a/arch/x86/crypto/camellia-x86_64-asm_64.S
13928+++ b/arch/x86/crypto/camellia-x86_64-asm_64.S
13929@@ -21,6 +21,7 @@
13930 */
13931
13932 #include <linux/linkage.h>
13933+#include <asm/alternative-asm.h>
13934
13935 .file "camellia-x86_64-asm_64.S"
13936 .text
13937@@ -228,12 +229,14 @@ ENTRY(__camellia_enc_blk)
13938 enc_outunpack(mov, RT1);
13939
13940 movq RRBP, %rbp;
13941+ pax_force_retaddr
13942 ret;
13943
13944 .L__enc_xor:
13945 enc_outunpack(xor, RT1);
13946
13947 movq RRBP, %rbp;
13948+ pax_force_retaddr
13949 ret;
13950 ENDPROC(__camellia_enc_blk)
13951
13952@@ -272,6 +275,7 @@ ENTRY(camellia_dec_blk)
13953 dec_outunpack();
13954
13955 movq RRBP, %rbp;
13956+ pax_force_retaddr
13957 ret;
13958 ENDPROC(camellia_dec_blk)
13959
13960@@ -463,6 +467,7 @@ ENTRY(__camellia_enc_blk_2way)
13961
13962 movq RRBP, %rbp;
13963 popq %rbx;
13964+ pax_force_retaddr
13965 ret;
13966
13967 .L__enc2_xor:
13968@@ -470,6 +475,7 @@ ENTRY(__camellia_enc_blk_2way)
13969
13970 movq RRBP, %rbp;
13971 popq %rbx;
13972+ pax_force_retaddr
13973 ret;
13974 ENDPROC(__camellia_enc_blk_2way)
13975
13976@@ -510,5 +516,6 @@ ENTRY(camellia_dec_blk_2way)
13977
13978 movq RRBP, %rbp;
13979 movq RXOR, %rbx;
13980+ pax_force_retaddr
13981 ret;
13982 ENDPROC(camellia_dec_blk_2way)
13983diff --git a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
13984index c35fd5d..2d8c7db 100644
13985--- a/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
13986+++ b/arch/x86/crypto/cast5-avx-x86_64-asm_64.S
13987@@ -24,6 +24,7 @@
13988 */
13989
13990 #include <linux/linkage.h>
13991+#include <asm/alternative-asm.h>
13992
13993 .file "cast5-avx-x86_64-asm_64.S"
13994
13995@@ -281,6 +282,7 @@ __cast5_enc_blk16:
13996 outunpack_blocks(RR3, RL3, RTMP, RX, RKM);
13997 outunpack_blocks(RR4, RL4, RTMP, RX, RKM);
13998
13999+ pax_force_retaddr
14000 ret;
14001 ENDPROC(__cast5_enc_blk16)
14002
14003@@ -352,6 +354,7 @@ __cast5_dec_blk16:
14004 outunpack_blocks(RR3, RL3, RTMP, RX, RKM);
14005 outunpack_blocks(RR4, RL4, RTMP, RX, RKM);
14006
14007+ pax_force_retaddr
14008 ret;
14009
14010 .L__skip_dec:
14011@@ -388,6 +391,7 @@ ENTRY(cast5_ecb_enc_16way)
14012 vmovdqu RR4, (6*4*4)(%r11);
14013 vmovdqu RL4, (7*4*4)(%r11);
14014
14015+ pax_force_retaddr
14016 ret;
14017 ENDPROC(cast5_ecb_enc_16way)
14018
14019@@ -420,6 +424,7 @@ ENTRY(cast5_ecb_dec_16way)
14020 vmovdqu RR4, (6*4*4)(%r11);
14021 vmovdqu RL4, (7*4*4)(%r11);
14022
14023+ pax_force_retaddr
14024 ret;
14025 ENDPROC(cast5_ecb_dec_16way)
14026
14027@@ -430,10 +435,10 @@ ENTRY(cast5_cbc_dec_16way)
14028 * %rdx: src
14029 */
14030
14031- pushq %r12;
14032+ pushq %r14;
14033
14034 movq %rsi, %r11;
14035- movq %rdx, %r12;
14036+ movq %rdx, %r14;
14037
14038 vmovdqu (0*16)(%rdx), RL1;
14039 vmovdqu (1*16)(%rdx), RR1;
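Review bot: The saved source pointer moves from `%r12` to `%r14` in `cast5_cbc_dec_16way` with no comment saying why. The same silent rename recurs in `cast5_ctr_16way`, the cast6 and twofish-avx `cbc_dec`/`ctr` routines, and the sha1_ssse3 macro. Judging from the `arch/x86/entry/calling.h` hunks of this patch, `%r12` is handled specially under `CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR`, so the value presumably must not stay in `%r12` across `call __cast5_dec_blk16`, whose return now goes through `pax_force_retaddr`. That is an inference, since the macro's definition is not visible here. Once confirmed, I would add above the push something like `/* %r12 is reserved under KERNEXEC_PLUGIN_METHOD_OR; keep src in %r14 across the call */`. The function body continues in the following hunks.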
14040@@ -447,16 +452,16 @@ ENTRY(cast5_cbc_dec_16way)
14041 call __cast5_dec_blk16;
14042
14043 /* xor with src */
14044- vmovq (%r12), RX;
14045+ vmovq (%r14), RX;
14046 vpshufd $0x4f, RX, RX;
14047 vpxor RX, RR1, RR1;
14048- vpxor 0*16+8(%r12), RL1, RL1;
14049- vpxor 1*16+8(%r12), RR2, RR2;
14050- vpxor 2*16+8(%r12), RL2, RL2;
14051- vpxor 3*16+8(%r12), RR3, RR3;
14052- vpxor 4*16+8(%r12), RL3, RL3;
14053- vpxor 5*16+8(%r12), RR4, RR4;
14054- vpxor 6*16+8(%r12), RL4, RL4;
14055+ vpxor 0*16+8(%r14), RL1, RL1;
14056+ vpxor 1*16+8(%r14), RR2, RR2;
14057+ vpxor 2*16+8(%r14), RL2, RL2;
14058+ vpxor 3*16+8(%r14), RR3, RR3;
14059+ vpxor 4*16+8(%r14), RL3, RL3;
14060+ vpxor 5*16+8(%r14), RR4, RR4;
14061+ vpxor 6*16+8(%r14), RL4, RL4;
14062
14063 vmovdqu RR1, (0*16)(%r11);
14064 vmovdqu RL1, (1*16)(%r11);
14065@@ -467,8 +472,9 @@ ENTRY(cast5_cbc_dec_16way)
14066 vmovdqu RR4, (6*16)(%r11);
14067 vmovdqu RL4, (7*16)(%r11);
14068
14069- popq %r12;
14070+ popq %r14;
14071
14072+ pax_force_retaddr
14073 ret;
14074 ENDPROC(cast5_cbc_dec_16way)
14075
14076@@ -480,10 +486,10 @@ ENTRY(cast5_ctr_16way)
14077 * %rcx: iv (big endian, 64bit)
14078 */
14079
14080- pushq %r12;
14081+ pushq %r14;
14082
14083 movq %rsi, %r11;
14084- movq %rdx, %r12;
14085+ movq %rdx, %r14;
14086
14087 vpcmpeqd RTMP, RTMP, RTMP;
14088 vpsrldq $8, RTMP, RTMP; /* low: -1, high: 0 */
14089@@ -523,14 +529,14 @@ ENTRY(cast5_ctr_16way)
14090 call __cast5_enc_blk16;
14091
14092 /* dst = src ^ iv */
14093- vpxor (0*16)(%r12), RR1, RR1;
14094- vpxor (1*16)(%r12), RL1, RL1;
14095- vpxor (2*16)(%r12), RR2, RR2;
14096- vpxor (3*16)(%r12), RL2, RL2;
14097- vpxor (4*16)(%r12), RR3, RR3;
14098- vpxor (5*16)(%r12), RL3, RL3;
14099- vpxor (6*16)(%r12), RR4, RR4;
14100- vpxor (7*16)(%r12), RL4, RL4;
14101+ vpxor (0*16)(%r14), RR1, RR1;
14102+ vpxor (1*16)(%r14), RL1, RL1;
14103+ vpxor (2*16)(%r14), RR2, RR2;
14104+ vpxor (3*16)(%r14), RL2, RL2;
14105+ vpxor (4*16)(%r14), RR3, RR3;
14106+ vpxor (5*16)(%r14), RL3, RL3;
14107+ vpxor (6*16)(%r14), RR4, RR4;
14108+ vpxor (7*16)(%r14), RL4, RL4;
14109 vmovdqu RR1, (0*16)(%r11);
14110 vmovdqu RL1, (1*16)(%r11);
14111 vmovdqu RR2, (2*16)(%r11);
14112@@ -540,7 +546,8 @@ ENTRY(cast5_ctr_16way)
14113 vmovdqu RR4, (6*16)(%r11);
14114 vmovdqu RL4, (7*16)(%r11);
14115
14116- popq %r12;
14117+ popq %r14;
14118
14119+ pax_force_retaddr
14120 ret;
14121 ENDPROC(cast5_ctr_16way)
14122diff --git a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
14123index e3531f8..e123f35 100644
14124--- a/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
14125+++ b/arch/x86/crypto/cast6-avx-x86_64-asm_64.S
14126@@ -24,6 +24,7 @@
14127 */
14128
14129 #include <linux/linkage.h>
14130+#include <asm/alternative-asm.h>
14131 #include "glue_helper-asm-avx.S"
14132
14133 .file "cast6-avx-x86_64-asm_64.S"
14134@@ -295,6 +296,7 @@ __cast6_enc_blk8:
14135 outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM);
14136 outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM);
14137
14138+ pax_force_retaddr
14139 ret;
14140 ENDPROC(__cast6_enc_blk8)
14141
14142@@ -340,6 +342,7 @@ __cast6_dec_blk8:
14143 outunpack_blocks(RA1, RB1, RC1, RD1, RTMP, RX, RKRF, RKM);
14144 outunpack_blocks(RA2, RB2, RC2, RD2, RTMP, RX, RKRF, RKM);
14145
14146+ pax_force_retaddr
14147 ret;
14148 ENDPROC(__cast6_dec_blk8)
14149
14150@@ -358,6 +361,7 @@ ENTRY(cast6_ecb_enc_8way)
14151
14152 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14153
14154+ pax_force_retaddr
14155 ret;
14156 ENDPROC(cast6_ecb_enc_8way)
14157
14158@@ -376,6 +380,7 @@ ENTRY(cast6_ecb_dec_8way)
14159
14160 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14161
14162+ pax_force_retaddr
14163 ret;
14164 ENDPROC(cast6_ecb_dec_8way)
14165
14166@@ -386,19 +391,20 @@ ENTRY(cast6_cbc_dec_8way)
14167 * %rdx: src
14168 */
14169
14170- pushq %r12;
14171+ pushq %r14;
14172
14173 movq %rsi, %r11;
14174- movq %rdx, %r12;
14175+ movq %rdx, %r14;
14176
14177 load_8way(%rdx, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14178
14179 call __cast6_dec_blk8;
14180
14181- store_cbc_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14182+ store_cbc_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14183
14184- popq %r12;
14185+ popq %r14;
14186
14187+ pax_force_retaddr
14188 ret;
14189 ENDPROC(cast6_cbc_dec_8way)
14190
14191@@ -410,20 +416,21 @@ ENTRY(cast6_ctr_8way)
14192 * %rcx: iv (little endian, 128bit)
14193 */
14194
14195- pushq %r12;
14196+ pushq %r14;
14197
14198 movq %rsi, %r11;
14199- movq %rdx, %r12;
14200+ movq %rdx, %r14;
14201
14202 load_ctr_8way(%rcx, .Lbswap128_mask, RA1, RB1, RC1, RD1, RA2, RB2, RC2,
14203 RD2, RX, RKR, RKM);
14204
14205 call __cast6_enc_blk8;
14206
14207- store_ctr_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14208+ store_ctr_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14209
14210- popq %r12;
14211+ popq %r14;
14212
14213+ pax_force_retaddr
14214 ret;
14215 ENDPROC(cast6_ctr_8way)
14216
14217@@ -446,6 +453,7 @@ ENTRY(cast6_xts_enc_8way)
14218 /* dst <= regs xor IVs(in dst) */
14219 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14220
14221+ pax_force_retaddr
14222 ret;
14223 ENDPROC(cast6_xts_enc_8way)
14224
14225@@ -468,5 +476,6 @@ ENTRY(cast6_xts_dec_8way)
14226 /* dst <= regs xor IVs(in dst) */
14227 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14228
14229+ pax_force_retaddr
14230 ret;
14231 ENDPROC(cast6_xts_dec_8way)
14232diff --git a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
14233index 225be06..2885e731 100644
14234--- a/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
14235+++ b/arch/x86/crypto/crc32c-pcl-intel-asm_64.S
14236@@ -45,6 +45,7 @@
14237
14238 #include <asm/inst.h>
14239 #include <linux/linkage.h>
14240+#include <asm/alternative-asm.h>
14241
14242 ## ISCSI CRC 32 Implementation with crc32 and pclmulqdq Instruction
14243
14244@@ -309,6 +310,7 @@ do_return:
14245 popq %rsi
14246 popq %rdi
14247 popq %rbx
14248+ pax_force_retaddr
14249 ret
14250
14251 ################################################################
14252@@ -330,7 +332,7 @@ ENDPROC(crc_pcl)
14253 ## PCLMULQDQ tables
14254 ## Table is 128 entries x 2 words (8 bytes) each
14255 ################################################################
14256-.section .rotata, "a", %progbits
14257+.section .rodata, "a", %progbits
14258 .align 8
14259 K_table:
14260 .long 0x493c7d27, 0x00000001
14261diff --git a/arch/x86/crypto/ghash-clmulni-intel_asm.S b/arch/x86/crypto/ghash-clmulni-intel_asm.S
14262index 5d1e007..098cb4f 100644
14263--- a/arch/x86/crypto/ghash-clmulni-intel_asm.S
14264+++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S
14265@@ -18,6 +18,7 @@
14266
14267 #include <linux/linkage.h>
14268 #include <asm/inst.h>
14269+#include <asm/alternative-asm.h>
14270
14271 .data
14272
14273@@ -89,6 +90,7 @@ __clmul_gf128mul_ble:
14274 psrlq $1, T2
14275 pxor T2, T1
14276 pxor T1, DATA
14277+ pax_force_retaddr
14278 ret
14279 ENDPROC(__clmul_gf128mul_ble)
14280
14281@@ -101,6 +103,7 @@ ENTRY(clmul_ghash_mul)
14282 call __clmul_gf128mul_ble
14283 PSHUFB_XMM BSWAP DATA
14284 movups DATA, (%rdi)
14285+ pax_force_retaddr
14286 ret
14287 ENDPROC(clmul_ghash_mul)
14288
14289@@ -128,5 +131,6 @@ ENTRY(clmul_ghash_update)
14290 PSHUFB_XMM BSWAP DATA
14291 movups DATA, (%rdi)
14292 .Lupdate_just_ret:
14293+ pax_force_retaddr
14294 ret
14295 ENDPROC(clmul_ghash_update)
14296diff --git a/arch/x86/crypto/salsa20-x86_64-asm_64.S b/arch/x86/crypto/salsa20-x86_64-asm_64.S
14297index 9279e0b..c4b3d2c 100644
14298--- a/arch/x86/crypto/salsa20-x86_64-asm_64.S
14299+++ b/arch/x86/crypto/salsa20-x86_64-asm_64.S
14300@@ -1,4 +1,5 @@
14301 #include <linux/linkage.h>
14302+#include <asm/alternative-asm.h>
14303
14304 # enter salsa20_encrypt_bytes
14305 ENTRY(salsa20_encrypt_bytes)
14306@@ -789,6 +790,7 @@ ENTRY(salsa20_encrypt_bytes)
14307 add %r11,%rsp
14308 mov %rdi,%rax
14309 mov %rsi,%rdx
14310+ pax_force_retaddr
14311 ret
14312 # bytesatleast65:
14313 ._bytesatleast65:
14314@@ -889,6 +891,7 @@ ENTRY(salsa20_keysetup)
14315 add %r11,%rsp
14316 mov %rdi,%rax
14317 mov %rsi,%rdx
14318+ pax_force_retaddr
14319 ret
14320 ENDPROC(salsa20_keysetup)
14321
14322@@ -914,5 +917,6 @@ ENTRY(salsa20_ivsetup)
14323 add %r11,%rsp
14324 mov %rdi,%rax
14325 mov %rsi,%rdx
14326+ pax_force_retaddr
14327 ret
14328 ENDPROC(salsa20_ivsetup)
14329diff --git a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
14330index 2f202f4..d9164d6 100644
14331--- a/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
14332+++ b/arch/x86/crypto/serpent-avx-x86_64-asm_64.S
14333@@ -24,6 +24,7 @@
14334 */
14335
14336 #include <linux/linkage.h>
14337+#include <asm/alternative-asm.h>
14338 #include "glue_helper-asm-avx.S"
14339
14340 .file "serpent-avx-x86_64-asm_64.S"
14341@@ -618,6 +619,7 @@ __serpent_enc_blk8_avx:
14342 write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2);
14343 write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2);
14344
14345+ pax_force_retaddr
14346 ret;
14347 ENDPROC(__serpent_enc_blk8_avx)
14348
14349@@ -672,6 +674,7 @@ __serpent_dec_blk8_avx:
14350 write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2);
14351 write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2);
14352
14353+ pax_force_retaddr
14354 ret;
14355 ENDPROC(__serpent_dec_blk8_avx)
14356
14357@@ -688,6 +691,7 @@ ENTRY(serpent_ecb_enc_8way_avx)
14358
14359 store_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14360
14361+ pax_force_retaddr
14362 ret;
14363 ENDPROC(serpent_ecb_enc_8way_avx)
14364
14365@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_8way_avx)
14366
14367 store_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
14368
14369+ pax_force_retaddr
14370 ret;
14371 ENDPROC(serpent_ecb_dec_8way_avx)
14372
14373@@ -720,6 +725,7 @@ ENTRY(serpent_cbc_dec_8way_avx)
14374
14375 store_cbc_8way(%rdx, %rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
14376
14377+ pax_force_retaddr
14378 ret;
14379 ENDPROC(serpent_cbc_dec_8way_avx)
14380
14381@@ -738,6 +744,7 @@ ENTRY(serpent_ctr_8way_avx)
14382
14383 store_ctr_8way(%rdx, %rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14384
14385+ pax_force_retaddr
14386 ret;
14387 ENDPROC(serpent_ctr_8way_avx)
14388
14389@@ -758,6 +765,7 @@ ENTRY(serpent_xts_enc_8way_avx)
14390 /* dst <= regs xor IVs(in dst) */
14391 store_xts_8way(%rsi, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14392
14393+ pax_force_retaddr
14394 ret;
14395 ENDPROC(serpent_xts_enc_8way_avx)
14396
14397@@ -778,5 +786,6 @@ ENTRY(serpent_xts_dec_8way_avx)
14398 /* dst <= regs xor IVs(in dst) */
14399 store_xts_8way(%rsi, RC1, RD1, RB1, RE1, RC2, RD2, RB2, RE2);
14400
14401+ pax_force_retaddr
14402 ret;
14403 ENDPROC(serpent_xts_dec_8way_avx)
14404diff --git a/arch/x86/crypto/serpent-avx2-asm_64.S b/arch/x86/crypto/serpent-avx2-asm_64.S
14405index b222085..abd483c 100644
14406--- a/arch/x86/crypto/serpent-avx2-asm_64.S
14407+++ b/arch/x86/crypto/serpent-avx2-asm_64.S
14408@@ -15,6 +15,7 @@
14409 */
14410
14411 #include <linux/linkage.h>
14412+#include <asm/alternative-asm.h>
14413 #include "glue_helper-asm-avx2.S"
14414
14415 .file "serpent-avx2-asm_64.S"
14416@@ -610,6 +611,7 @@ __serpent_enc_blk16:
14417 write_blocks(RA1, RB1, RC1, RD1, RK0, RK1, RK2);
14418 write_blocks(RA2, RB2, RC2, RD2, RK0, RK1, RK2);
14419
14420+ pax_force_retaddr
14421 ret;
14422 ENDPROC(__serpent_enc_blk16)
14423
14424@@ -664,6 +666,7 @@ __serpent_dec_blk16:
14425 write_blocks(RC1, RD1, RB1, RE1, RK0, RK1, RK2);
14426 write_blocks(RC2, RD2, RB2, RE2, RK0, RK1, RK2);
14427
14428+ pax_force_retaddr
14429 ret;
14430 ENDPROC(__serpent_dec_blk16)
14431
14432@@ -684,6 +687,7 @@ ENTRY(serpent_ecb_enc_16way)
14433
14434 vzeroupper;
14435
14436+ pax_force_retaddr
14437 ret;
14438 ENDPROC(serpent_ecb_enc_16way)
14439
14440@@ -704,6 +708,7 @@ ENTRY(serpent_ecb_dec_16way)
14441
14442 vzeroupper;
14443
14444+ pax_force_retaddr
14445 ret;
14446 ENDPROC(serpent_ecb_dec_16way)
14447
14448@@ -725,6 +730,7 @@ ENTRY(serpent_cbc_dec_16way)
14449
14450 vzeroupper;
14451
14452+ pax_force_retaddr
14453 ret;
14454 ENDPROC(serpent_cbc_dec_16way)
14455
14456@@ -748,6 +754,7 @@ ENTRY(serpent_ctr_16way)
14457
14458 vzeroupper;
14459
14460+ pax_force_retaddr
14461 ret;
14462 ENDPROC(serpent_ctr_16way)
14463
14464@@ -772,6 +779,7 @@ ENTRY(serpent_xts_enc_16way)
14465
14466 vzeroupper;
14467
14468+ pax_force_retaddr
14469 ret;
14470 ENDPROC(serpent_xts_enc_16way)
14471
14472@@ -796,5 +804,6 @@ ENTRY(serpent_xts_dec_16way)
14473
14474 vzeroupper;
14475
14476+ pax_force_retaddr
14477 ret;
14478 ENDPROC(serpent_xts_dec_16way)
14479diff --git a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
14480index acc066c..1559cc4 100644
14481--- a/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
14482+++ b/arch/x86/crypto/serpent-sse2-x86_64-asm_64.S
14483@@ -25,6 +25,7 @@
14484 */
14485
14486 #include <linux/linkage.h>
14487+#include <asm/alternative-asm.h>
14488
14489 .file "serpent-sse2-x86_64-asm_64.S"
14490 .text
14491@@ -690,12 +691,14 @@ ENTRY(__serpent_enc_blk_8way)
14492 write_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2);
14493 write_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2);
14494
14495+ pax_force_retaddr
14496 ret;
14497
14498 .L__enc_xor8:
14499 xor_blocks(%rsi, RA1, RB1, RC1, RD1, RK0, RK1, RK2);
14500 xor_blocks(%rax, RA2, RB2, RC2, RD2, RK0, RK1, RK2);
14501
14502+ pax_force_retaddr
14503 ret;
14504 ENDPROC(__serpent_enc_blk_8way)
14505
14506@@ -750,5 +753,6 @@ ENTRY(serpent_dec_blk_8way)
14507 write_blocks(%rsi, RC1, RD1, RB1, RE1, RK0, RK1, RK2);
14508 write_blocks(%rax, RC2, RD2, RB2, RE2, RK0, RK1, RK2);
14509
14510+ pax_force_retaddr
14511 ret;
14512 ENDPROC(serpent_dec_blk_8way)
14513diff --git a/arch/x86/crypto/sha1_ssse3_asm.S b/arch/x86/crypto/sha1_ssse3_asm.S
14514index a410950..9dfe7ad 100644
14515--- a/arch/x86/crypto/sha1_ssse3_asm.S
14516+++ b/arch/x86/crypto/sha1_ssse3_asm.S
14517@@ -29,6 +29,7 @@
14518 */
14519
14520 #include <linux/linkage.h>
14521+#include <asm/alternative-asm.h>
14522
14523 #define CTX %rdi // arg1
14524 #define BUF %rsi // arg2
14525@@ -75,9 +76,9 @@
14526
14527 push %rbx
14528 push %rbp
14529- push %r12
14530+ push %r14
14531
14532- mov %rsp, %r12
14533+ mov %rsp, %r14
14534 sub $64, %rsp # allocate workspace
14535 and $~15, %rsp # align stack
14536
14537@@ -99,11 +100,12 @@
14538 xor %rax, %rax
14539 rep stosq
14540
14541- mov %r12, %rsp # deallocate workspace
14542+ mov %r14, %rsp # deallocate workspace
14543
14544- pop %r12
14545+ pop %r14
14546 pop %rbp
14547 pop %rbx
14548+ pax_force_retaddr
14549 ret
14550
14551 ENDPROC(\name)
14552diff --git a/arch/x86/crypto/sha256-avx-asm.S b/arch/x86/crypto/sha256-avx-asm.S
14553index 92b3b5d..0dc1dcb 100644
14554--- a/arch/x86/crypto/sha256-avx-asm.S
14555+++ b/arch/x86/crypto/sha256-avx-asm.S
14556@@ -49,6 +49,7 @@
14557
14558 #ifdef CONFIG_AS_AVX
14559 #include <linux/linkage.h>
14560+#include <asm/alternative-asm.h>
14561
14562 ## assume buffers not aligned
14563 #define VMOVDQ vmovdqu
14564@@ -460,6 +461,7 @@ done_hash:
14565 popq %r13
14566 popq %rbp
14567 popq %rbx
14568+ pax_force_retaddr
14569 ret
14570 ENDPROC(sha256_transform_avx)
14571
14572diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S
14573index 570ec5e..cf2b625 100644
14574--- a/arch/x86/crypto/sha256-avx2-asm.S
14575+++ b/arch/x86/crypto/sha256-avx2-asm.S
14576@@ -50,6 +50,7 @@
14577
14578 #ifdef CONFIG_AS_AVX2
14579 #include <linux/linkage.h>
14580+#include <asm/alternative-asm.h>
14581
14582 ## assume buffers not aligned
14583 #define VMOVDQ vmovdqu
14584@@ -720,6 +721,7 @@ done_hash:
14585 popq %r12
14586 popq %rbp
14587 popq %rbx
14588+ pax_force_retaddr
14589 ret
14590 ENDPROC(sha256_transform_rorx)
14591
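Review bot: The context line `popq %r12` shows `sha256_transform_rorx` still saving and restoring `%r12`, while other routines in this patch were moved from `%r12` to `%r14`. The added `pax_force_retaddr` sits after the pop, so `%r12` holds the caller's value again by then. The routine body lies outside this hunk, so whether `%r12` is live across anything that depends on it cannot be checked here. A short comment at the epilogue, e.g. `# %r12 is restored above, before pax_force_retaddr`, would record that the ordering is deliberate.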
14592diff --git a/arch/x86/crypto/sha256-ssse3-asm.S b/arch/x86/crypto/sha256-ssse3-asm.S
14593index 2cedc44..5144899 100644
14594--- a/arch/x86/crypto/sha256-ssse3-asm.S
14595+++ b/arch/x86/crypto/sha256-ssse3-asm.S
14596@@ -47,6 +47,7 @@
14597 ########################################################################
14598
14599 #include <linux/linkage.h>
14600+#include <asm/alternative-asm.h>
14601
14602 ## assume buffers not aligned
14603 #define MOVDQ movdqu
14604@@ -471,6 +472,7 @@ done_hash:
14605 popq %rbp
14606 popq %rbx
14607
14608+ pax_force_retaddr
14609 ret
14610 ENDPROC(sha256_transform_ssse3)
14611
14612diff --git a/arch/x86/crypto/sha512-avx-asm.S b/arch/x86/crypto/sha512-avx-asm.S
14613index 565274d..af6bc08 100644
14614--- a/arch/x86/crypto/sha512-avx-asm.S
14615+++ b/arch/x86/crypto/sha512-avx-asm.S
14616@@ -49,6 +49,7 @@
14617
14618 #ifdef CONFIG_AS_AVX
14619 #include <linux/linkage.h>
14620+#include <asm/alternative-asm.h>
14621
14622 .text
14623
14624@@ -364,6 +365,7 @@ updateblock:
14625 mov frame_RSPSAVE(%rsp), %rsp
14626
14627 nowork:
14628+ pax_force_retaddr
14629 ret
14630 ENDPROC(sha512_transform_avx)
14631
14632diff --git a/arch/x86/crypto/sha512-avx2-asm.S b/arch/x86/crypto/sha512-avx2-asm.S
14633index 1f20b35..f25c8c1 100644
14634--- a/arch/x86/crypto/sha512-avx2-asm.S
14635+++ b/arch/x86/crypto/sha512-avx2-asm.S
14636@@ -51,6 +51,7 @@
14637
14638 #ifdef CONFIG_AS_AVX2
14639 #include <linux/linkage.h>
14640+#include <asm/alternative-asm.h>
14641
14642 .text
14643
14644@@ -678,6 +679,7 @@ done_hash:
14645
14646 # Restore Stack Pointer
14647 mov frame_RSPSAVE(%rsp), %rsp
14648+ pax_force_retaddr
14649 ret
14650 ENDPROC(sha512_transform_rorx)
14651
14652diff --git a/arch/x86/crypto/sha512-ssse3-asm.S b/arch/x86/crypto/sha512-ssse3-asm.S
14653index e610e29..ffcb5ed 100644
14654--- a/arch/x86/crypto/sha512-ssse3-asm.S
14655+++ b/arch/x86/crypto/sha512-ssse3-asm.S
14656@@ -48,6 +48,7 @@
14657 ########################################################################
14658
14659 #include <linux/linkage.h>
14660+#include <asm/alternative-asm.h>
14661
14662 .text
14663
14664@@ -363,6 +364,7 @@ updateblock:
14665 mov frame_RSPSAVE(%rsp), %rsp
14666
14667 nowork:
14668+ pax_force_retaddr
14669 ret
14670 ENDPROC(sha512_transform_ssse3)
14671
14672diff --git a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
14673index 0505813..b067311 100644
14674--- a/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
14675+++ b/arch/x86/crypto/twofish-avx-x86_64-asm_64.S
14676@@ -24,6 +24,7 @@
14677 */
14678
14679 #include <linux/linkage.h>
14680+#include <asm/alternative-asm.h>
14681 #include "glue_helper-asm-avx.S"
14682
14683 .file "twofish-avx-x86_64-asm_64.S"
14684@@ -284,6 +285,7 @@ __twofish_enc_blk8:
14685 outunpack_blocks(RC1, RD1, RA1, RB1, RK1, RX0, RY0, RK2);
14686 outunpack_blocks(RC2, RD2, RA2, RB2, RK1, RX0, RY0, RK2);
14687
14688+ pax_force_retaddr
14689 ret;
14690 ENDPROC(__twofish_enc_blk8)
14691
14692@@ -324,6 +326,7 @@ __twofish_dec_blk8:
14693 outunpack_blocks(RA1, RB1, RC1, RD1, RK1, RX0, RY0, RK2);
14694 outunpack_blocks(RA2, RB2, RC2, RD2, RK1, RX0, RY0, RK2);
14695
14696+ pax_force_retaddr
14697 ret;
14698 ENDPROC(__twofish_dec_blk8)
14699
14700@@ -342,6 +345,7 @@ ENTRY(twofish_ecb_enc_8way)
14701
14702 store_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14703
14704+ pax_force_retaddr
14705 ret;
14706 ENDPROC(twofish_ecb_enc_8way)
14707
14708@@ -360,6 +364,7 @@ ENTRY(twofish_ecb_dec_8way)
14709
14710 store_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14711
14712+ pax_force_retaddr
14713 ret;
14714 ENDPROC(twofish_ecb_dec_8way)
14715
14716@@ -370,19 +375,20 @@ ENTRY(twofish_cbc_dec_8way)
14717 * %rdx: src
14718 */
14719
14720- pushq %r12;
14721+ pushq %r14;
14722
14723 movq %rsi, %r11;
14724- movq %rdx, %r12;
14725+ movq %rdx, %r14;
14726
14727 load_8way(%rdx, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14728
14729 call __twofish_dec_blk8;
14730
14731- store_cbc_8way(%r12, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14732+ store_cbc_8way(%r14, %r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14733
14734- popq %r12;
14735+ popq %r14;
14736
14737+ pax_force_retaddr
14738 ret;
14739 ENDPROC(twofish_cbc_dec_8way)
14740
14741@@ -394,20 +400,21 @@ ENTRY(twofish_ctr_8way)
14742 * %rcx: iv (little endian, 128bit)
14743 */
14744
14745- pushq %r12;
14746+ pushq %r14;
14747
14748 movq %rsi, %r11;
14749- movq %rdx, %r12;
14750+ movq %rdx, %r14;
14751
14752 load_ctr_8way(%rcx, .Lbswap128_mask, RA1, RB1, RC1, RD1, RA2, RB2, RC2,
14753 RD2, RX0, RX1, RY0);
14754
14755 call __twofish_enc_blk8;
14756
14757- store_ctr_8way(%r12, %r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14758+ store_ctr_8way(%r14, %r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14759
14760- popq %r12;
14761+ popq %r14;
14762
14763+ pax_force_retaddr
14764 ret;
14765 ENDPROC(twofish_ctr_8way)
14766
14767@@ -430,6 +437,7 @@ ENTRY(twofish_xts_enc_8way)
14768 /* dst <= regs xor IVs(in dst) */
14769 store_xts_8way(%r11, RC1, RD1, RA1, RB1, RC2, RD2, RA2, RB2);
14770
14771+ pax_force_retaddr
14772 ret;
14773 ENDPROC(twofish_xts_enc_8way)
14774
14775@@ -452,5 +460,6 @@ ENTRY(twofish_xts_dec_8way)
14776 /* dst <= regs xor IVs(in dst) */
14777 store_xts_8way(%r11, RA1, RB1, RC1, RD1, RA2, RB2, RC2, RD2);
14778
14779+ pax_force_retaddr
14780 ret;
14781 ENDPROC(twofish_xts_dec_8way)
14782diff --git a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
14783index 1c3b7ce..02f578d 100644
14784--- a/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
14785+++ b/arch/x86/crypto/twofish-x86_64-asm_64-3way.S
14786@@ -21,6 +21,7 @@
14787 */
14788
14789 #include <linux/linkage.h>
14790+#include <asm/alternative-asm.h>
14791
14792 .file "twofish-x86_64-asm-3way.S"
14793 .text
14794@@ -258,6 +259,7 @@ ENTRY(__twofish_enc_blk_3way)
14795 popq %r13;
14796 popq %r14;
14797 popq %r15;
14798+ pax_force_retaddr
14799 ret;
14800
14801 .L__enc_xor3:
14802@@ -269,6 +271,7 @@ ENTRY(__twofish_enc_blk_3way)
14803 popq %r13;
14804 popq %r14;
14805 popq %r15;
14806+ pax_force_retaddr
14807 ret;
14808 ENDPROC(__twofish_enc_blk_3way)
14809
14810@@ -308,5 +311,6 @@ ENTRY(twofish_dec_blk_3way)
14811 popq %r13;
14812 popq %r14;
14813 popq %r15;
14814+ pax_force_retaddr
14815 ret;
14816 ENDPROC(twofish_dec_blk_3way)
14817diff --git a/arch/x86/crypto/twofish-x86_64-asm_64.S b/arch/x86/crypto/twofish-x86_64-asm_64.S
14818index a350c99..c1bac24 100644
14819--- a/arch/x86/crypto/twofish-x86_64-asm_64.S
14820+++ b/arch/x86/crypto/twofish-x86_64-asm_64.S
14821@@ -22,6 +22,7 @@
14822
14823 #include <linux/linkage.h>
14824 #include <asm/asm-offsets.h>
14825+#include <asm/alternative-asm.h>
14826
14827 #define a_offset 0
14828 #define b_offset 4
14829@@ -265,6 +266,7 @@ ENTRY(twofish_enc_blk)
14830
14831 popq R1
14832 movl $1,%eax
14833+ pax_force_retaddr
14834 ret
14835 ENDPROC(twofish_enc_blk)
14836
14837@@ -317,5 +319,6 @@ ENTRY(twofish_dec_blk)
14838
14839 popq R1
14840 movl $1,%eax
14841+ pax_force_retaddr
14842 ret
14843 ENDPROC(twofish_dec_blk)
14844diff --git a/arch/x86/entry/calling.h b/arch/x86/entry/calling.h
14845index f4e6308..7ba29a1 100644
14846--- a/arch/x86/entry/calling.h
14847+++ b/arch/x86/entry/calling.h
14848@@ -93,23 +93,26 @@ For 32-bit we have the following conventions - kernel is built with
14849 .endm
14850
14851 .macro SAVE_C_REGS_HELPER offset=0 rax=1 rcx=1 r8910=1 r11=1
14852+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14853+ movq %r12, R12+\offset(%rsp)
14854+#endif
14855 .if \r11
14856- movq %r11, 6*8+\offset(%rsp)
14857+ movq %r11, R11+\offset(%rsp)
14858 .endif
14859 .if \r8910
14860- movq %r10, 7*8+\offset(%rsp)
14861- movq %r9, 8*8+\offset(%rsp)
14862- movq %r8, 9*8+\offset(%rsp)
14863+ movq %r10, R10+\offset(%rsp)
14864+ movq %r9, R9+\offset(%rsp)
14865+ movq %r8, R8+\offset(%rsp)
14866 .endif
14867 .if \rax
14868- movq %rax, 10*8+\offset(%rsp)
14869+ movq %rax, RAX+\offset(%rsp)
14870 .endif
14871 .if \rcx
14872- movq %rcx, 11*8+\offset(%rsp)
14873+ movq %rcx, RCX+\offset(%rsp)
14874 .endif
14875- movq %rdx, 12*8+\offset(%rsp)
14876- movq %rsi, 13*8+\offset(%rsp)
14877- movq %rdi, 14*8+\offset(%rsp)
14878+ movq %rdx, RDX+\offset(%rsp)
14879+ movq %rsi, RSI+\offset(%rsp)
14880+ movq %rdi, RDI+\offset(%rsp)
14881 .endm
14882 .macro SAVE_C_REGS offset=0
14883 SAVE_C_REGS_HELPER \offset, 1, 1, 1, 1
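Review bot: `SAVE_C_REGS_HELPER` now stores `%r12` whenever `CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR` is set, but unlike `rax`, `rcx`, `r8910` and `r11` it has no macro parameter and no comment. In the next hunk `RESTORE_C_REGS_HELPER` gains an `rstor_r12` switch and `SAVE_EXTRA_REGS` drops `%r12` under the same option, so the save and restore sides are no longer symmetric. A reader of this macro alone cannot tell that `%r12` has moved from the extra-register group to the C-register group. I would add above the `#ifdef` a comment such as `/* KERNEXEC "or" method: %r12 is saved with the C registers here and skipped in SAVE_EXTRA_REGS */`.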
14884@@ -128,76 +131,87 @@ For 32-bit we have the following conventions - kernel is built with
14885 .endm
14886
14887 .macro SAVE_EXTRA_REGS offset=0
14888- movq %r15, 0*8+\offset(%rsp)
14889- movq %r14, 1*8+\offset(%rsp)
14890- movq %r13, 2*8+\offset(%rsp)
14891- movq %r12, 3*8+\offset(%rsp)
14892- movq %rbp, 4*8+\offset(%rsp)
14893- movq %rbx, 5*8+\offset(%rsp)
14894+ movq %r15, R15+\offset(%rsp)
14895+ movq %r14, R14+\offset(%rsp)
14896+ movq %r13, R13+\offset(%rsp)
14897+#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14898+ movq %r12, R12+\offset(%rsp)
14899+#endif
14900+ movq %rbp, RBP+\offset(%rsp)
14901+ movq %rbx, RBX+\offset(%rsp)
14902 .endm
14903 .macro SAVE_EXTRA_REGS_RBP offset=0
14904- movq %rbp, 4*8+\offset(%rsp)
14905+ movq %rbp, RBP+\offset(%rsp)
14906 .endm
14907
14908 .macro RESTORE_EXTRA_REGS offset=0
14909- movq 0*8+\offset(%rsp), %r15
14910- movq 1*8+\offset(%rsp), %r14
14911- movq 2*8+\offset(%rsp), %r13
14912- movq 3*8+\offset(%rsp), %r12
14913- movq 4*8+\offset(%rsp), %rbp
14914- movq 5*8+\offset(%rsp), %rbx
14915+ movq R15+\offset(%rsp), %r15
14916+ movq R14+\offset(%rsp), %r14
14917+ movq R13+\offset(%rsp), %r13
14918+#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14919+ movq R12+\offset(%rsp), %r12
14920+#endif
14921+ movq RBP+\offset(%rsp), %rbp
14922+ movq RBX+\offset(%rsp), %rbx
14923 .endm
14924
14925 .macro ZERO_EXTRA_REGS
14926 xorl %r15d, %r15d
14927 xorl %r14d, %r14d
14928 xorl %r13d, %r13d
14929+#ifndef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14930 xorl %r12d, %r12d
14931+#endif
14932 xorl %ebp, %ebp
14933 xorl %ebx, %ebx
14934 .endm
14935
14936- .macro RESTORE_C_REGS_HELPER rstor_rax=1, rstor_rcx=1, rstor_r11=1, rstor_r8910=1, rstor_rdx=1
14937+ .macro RESTORE_C_REGS_HELPER rstor_rax=1, rstor_rcx=1, rstor_r11=1, rstor_r8910=1, rstor_rdx=1, rstor_r12=1
14938+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
14939+ .if \rstor_r12
14940+ movq R12(%rsp), %r12
14941+ .endif
14942+#endif
14943 .if \rstor_r11
14944- movq 6*8(%rsp), %r11
14945+ movq R11(%rsp), %r11
14946 .endif
14947 .if \rstor_r8910
14948- movq 7*8(%rsp), %r10
14949- movq 8*8(%rsp), %r9
14950- movq 9*8(%rsp), %r8
14951+ movq R10(%rsp), %r10
14952+ movq R9(%rsp), %r9
14953+ movq R8(%rsp), %r8
14954 .endif
14955 .if \rstor_rax
14956- movq 10*8(%rsp), %rax
14957+ movq RAX(%rsp), %rax
14958 .endif
14959 .if \rstor_rcx
14960- movq 11*8(%rsp), %rcx
14961+ movq RCX(%rsp), %rcx
14962 .endif
14963 .if \rstor_rdx
14964- movq 12*8(%rsp), %rdx
14965+ movq RDX(%rsp), %rdx
14966 .endif
14967- movq 13*8(%rsp), %rsi
14968- movq 14*8(%rsp), %rdi
14969+ movq RSI(%rsp), %rsi
14970+ movq RDI(%rsp), %rdi
14971 .endm
14972 .macro RESTORE_C_REGS
14973- RESTORE_C_REGS_HELPER 1,1,1,1,1
14974+ RESTORE_C_REGS_HELPER 1,1,1,1,1,1
14975 .endm
14976 .macro RESTORE_C_REGS_EXCEPT_RAX
14977- RESTORE_C_REGS_HELPER 0,1,1,1,1
14978+ RESTORE_C_REGS_HELPER 0,1,1,1,1,0
14979 .endm
14980 .macro RESTORE_C_REGS_EXCEPT_RCX
14981- RESTORE_C_REGS_HELPER 1,0,1,1,1
14982+ RESTORE_C_REGS_HELPER 1,0,1,1,1,0
14983 .endm
14984 .macro RESTORE_C_REGS_EXCEPT_R11
14985- RESTORE_C_REGS_HELPER 1,1,0,1,1
14986+ RESTORE_C_REGS_HELPER 1,1,0,1,1,1
14987 .endm
14988 .macro RESTORE_C_REGS_EXCEPT_RCX_R11
14989- RESTORE_C_REGS_HELPER 1,0,0,1,1
14990+ RESTORE_C_REGS_HELPER 1,0,0,1,1,1
14991 .endm
14992 .macro RESTORE_RSI_RDI
14993- RESTORE_C_REGS_HELPER 0,0,0,0,0
14994+ RESTORE_C_REGS_HELPER 0,0,0,0,0,1
14995 .endm
14996 .macro RESTORE_RSI_RDI_RDX
14997- RESTORE_C_REGS_HELPER 0,0,0,0,1
14998+ RESTORE_C_REGS_HELPER 0,0,0,0,1,1
14999 .endm
15000
15001 .macro REMOVE_PT_GPREGS_FROM_STACK addskip=0
15002diff --git a/arch/x86/entry/entry_32.S b/arch/x86/entry/entry_32.S
15003index 21dc60a..844def1 100644
15004--- a/arch/x86/entry/entry_32.S
15005+++ b/arch/x86/entry/entry_32.S
15006@@ -157,13 +157,154 @@
15007 movl \reg, PT_GS(%esp)
15008 .endm
15009 .macro SET_KERNEL_GS reg
15010+
15011+#ifdef CONFIG_CC_STACKPROTECTOR
15012 movl $(__KERNEL_STACK_CANARY), \reg
15013+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
15014+ movl $(__USER_DS), \reg
15015+#else
15016+ xorl \reg, \reg
15017+#endif
15018+
15019 movl \reg, %gs
15020 .endm
15021
15022 #endif /* CONFIG_X86_32_LAZY_GS */
15023
15024-.macro SAVE_ALL
15025+.macro pax_enter_kernel
15026+#ifdef CONFIG_PAX_KERNEXEC
15027+ call pax_enter_kernel
15028+#endif
15029+.endm
15030+
15031+.macro pax_exit_kernel
15032+#ifdef CONFIG_PAX_KERNEXEC
15033+ call pax_exit_kernel
15034+#endif
15035+.endm
15036+
15037+#ifdef CONFIG_PAX_KERNEXEC
15038+ENTRY(pax_enter_kernel)
15039+#ifdef CONFIG_PARAVIRT
15040+ pushl %eax
15041+ pushl %ecx
15042+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
15043+ mov %eax, %esi
15044+#else
15045+ mov %cr0, %esi
15046+#endif
15047+ bts $X86_CR0_WP_BIT, %esi
15048+ jnc 1f
15049+ mov %cs, %esi
15050+ cmp $__KERNEL_CS, %esi
15051+ jz 3f
15052+ ljmp $__KERNEL_CS, $3f
15053+1: ljmp $__KERNEXEC_KERNEL_CS, $2f
15054+2:
15055+#ifdef CONFIG_PARAVIRT
15056+ mov %esi, %eax
15057+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
15058+#else
15059+ mov %esi, %cr0
15060+#endif
15061+3:
15062+#ifdef CONFIG_PARAVIRT
15063+ popl %ecx
15064+ popl %eax
15065+#endif
15066+ ret
15067+ENDPROC(pax_enter_kernel)
15068+
15069+ENTRY(pax_exit_kernel)
15070+#ifdef CONFIG_PARAVIRT
15071+ pushl %eax
15072+ pushl %ecx
15073+#endif
15074+ mov %cs, %esi
15075+ cmp $__KERNEXEC_KERNEL_CS, %esi
15076+ jnz 2f
15077+#ifdef CONFIG_PARAVIRT
15078+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
15079+ mov %eax, %esi
15080+#else
15081+ mov %cr0, %esi
15082+#endif
15083+ btr $X86_CR0_WP_BIT, %esi
15084+ ljmp $__KERNEL_CS, $1f
15085+1:
15086+#ifdef CONFIG_PARAVIRT
15087+ mov %esi, %eax
15088+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
15089+#else
15090+ mov %esi, %cr0
15091+#endif
15092+2:
15093+#ifdef CONFIG_PARAVIRT
15094+ popl %ecx
15095+ popl %eax
15096+#endif
15097+ ret
15098+ENDPROC(pax_exit_kernel)
15099+#endif
15100+
15101+ .macro pax_erase_kstack
15102+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
15103+ call pax_erase_kstack
15104+#endif
15105+ .endm
15106+
15107+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
15108+/*
15109+ * ebp: thread_info
15110+ */
15111+ENTRY(pax_erase_kstack)
15112+ pushl %edi
15113+ pushl %ecx
15114+ pushl %eax
15115+
15116+ mov TI_lowest_stack(%ebp), %edi
15117+ mov $-0xBEEF, %eax
15118+ std
15119+
15120+1: mov %edi, %ecx
15121+ and $THREAD_SIZE_asm - 1, %ecx
15122+ shr $2, %ecx
15123+ repne scasl
15124+ jecxz 2f
15125+
15126+ cmp $2*16, %ecx
15127+ jc 2f
15128+
15129+ mov $2*16, %ecx
15130+ repe scasl
15131+ jecxz 2f
15132+ jne 1b
15133+
15134+2: cld
15135+ or $2*4, %edi
15136+ mov %esp, %ecx
15137+ sub %edi, %ecx
15138+
15139+ cmp $THREAD_SIZE_asm, %ecx
15140+ jb 3f
15141+ ud2
15142+3:
15143+
15144+ shr $2, %ecx
15145+ rep stosl
15146+
15147+ mov TI_task_thread_sp0(%ebp), %edi
15148+ sub $128, %edi
15149+ mov %edi, TI_lowest_stack(%ebp)
15150+
15151+ popl %eax
15152+ popl %ecx
15153+ popl %edi
15154+ ret
15155+ENDPROC(pax_erase_kstack)
15156+#endif
15157+
15158+.macro __SAVE_ALL _DS
15159 cld
15160 PUSH_GS
15161 pushl %fs
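Review bot: pax_enter_kernel and pax_exit_kernel use %esi as scratch without saving it (`mov %cr0, %esi`, `mov %cs, %esi`), and nothing in the hunk says so. pax_erase_kstack just below saves every register it touches and documents its one input (`ebp: thread_info`), and the 64-bit counterparts in entry_64.S push %rdi, so the 32-bit pair is the odd one out. The call sites visible on this page sit after the register frame is built or before it is restored, which is presumably why this is safe, but a later caller can break that contract silently while CR0.WP is being switched. I would add above each ENTRY: `/* clobbers %esi; call only while pt_regs holds the live register values */`. The hunk ends inside `__SAVE_ALL`, whose body continues outside it.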
15162@@ -176,7 +317,7 @@
15163 pushl %edx
15164 pushl %ecx
15165 pushl %ebx
15166- movl $(__USER_DS), %edx
15167+ movl $\_DS, %edx
15168 movl %edx, %ds
15169 movl %edx, %es
15170 movl $(__KERNEL_PERCPU), %edx
15171@@ -184,6 +325,15 @@
15172 SET_KERNEL_GS %edx
15173 .endm
15174
15175+.macro SAVE_ALL
15176+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
15177+ __SAVE_ALL __KERNEL_DS
15178+ pax_enter_kernel
15179+#else
15180+ __SAVE_ALL __USER_DS
15181+#endif
15182+.endm
15183+
15184 .macro RESTORE_INT_REGS
15185 popl %ebx
15186 popl %ecx
15187@@ -222,7 +372,7 @@ ENTRY(ret_from_fork)
15188 pushl $0x0202 # Reset kernel eflags
15189 popfl
15190 jmp syscall_exit
15191-END(ret_from_fork)
15192+ENDPROC(ret_from_fork)
15193
15194 ENTRY(ret_from_kernel_thread)
15195 pushl %eax
15196@@ -262,7 +412,15 @@ ret_from_intr:
15197 andl $SEGMENT_RPL_MASK, %eax
15198 #endif
15199 cmpl $USER_RPL, %eax
15200+
15201+#ifdef CONFIG_PAX_KERNEXEC
15202+ jae resume_userspace
15203+
15204+ pax_exit_kernel
15205+ jmp resume_kernel
15206+#else
15207 jb resume_kernel # not returning to v8086 or userspace
15208+#endif
15209
15210 ENTRY(resume_userspace)
15211 LOCKDEP_SYS_EXIT
15212@@ -274,8 +432,8 @@ ENTRY(resume_userspace)
15213 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
15214 # int/exception return?
15215 jne work_pending
15216- jmp restore_all
15217-END(ret_from_exception)
15218+ jmp restore_all_pax
15219+ENDPROC(ret_from_exception)
15220
15221 #ifdef CONFIG_PREEMPT
15222 ENTRY(resume_kernel)
15223@@ -287,7 +445,7 @@ need_resched:
15224 jz restore_all
15225 call preempt_schedule_irq
15226 jmp need_resched
15227-END(resume_kernel)
15228+ENDPROC(resume_kernel)
15229 #endif
15230
15231 /*
15232@@ -312,32 +470,44 @@ sysenter_past_esp:
15233 pushl $__USER_CS
15234 /*
15235 * Push current_thread_info()->sysenter_return to the stack.
15236- * A tiny bit of offset fixup is necessary: TI_sysenter_return
15237- * is relative to thread_info, which is at the bottom of the
15238- * kernel stack page. 4*4 means the 4 words pushed above;
15239- * TOP_OF_KERNEL_STACK_PADDING takes us to the top of the stack;
15240- * and THREAD_SIZE takes us to the bottom.
15241 */
15242- pushl ((TI_sysenter_return) - THREAD_SIZE + TOP_OF_KERNEL_STACK_PADDING + 4*4)(%esp)
15243+ pushl $0
15244
15245 pushl %eax
15246 SAVE_ALL
15247+ GET_THREAD_INFO(%ebp)
15248+ movl TI_sysenter_return(%ebp), %ebp
15249+ movl %ebp, PT_EIP(%esp)
15250 ENABLE_INTERRUPTS(CLBR_NONE)
15251
15252 /*
15253 * Load the potential sixth argument from user stack.
15254 * Careful about security.
15255 */
15256+ movl PT_OLDESP(%esp),%ebp
15257+
15258+#ifdef CONFIG_PAX_MEMORY_UDEREF
15259+ mov PT_OLDSS(%esp), %ds
15260+1: movl %ds:(%ebp), %ebp
15261+ push %ss
15262+ pop %ds
15263+#else
15264 cmpl $__PAGE_OFFSET-3, %ebp
15265 jae syscall_fault
15266 ASM_STAC
15267 1: movl (%ebp), %ebp
15268 ASM_CLAC
15269+#endif
15270+
15271 movl %ebp, PT_EBP(%esp)
15272 _ASM_EXTABLE(1b, syscall_fault)
15273
15274 GET_THREAD_INFO(%ebp)
15275
15276+#ifdef CONFIG_PAX_RANDKSTACK
15277+ pax_erase_kstack
15278+#endif
15279+
15280 testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%ebp)
15281 jnz sysenter_audit
15282 sysenter_do_call:
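Review bot: The `pax_erase_kstack` added before the `_TIF_WORK_SYSCALL_ENTRY` test is wrapped in `#ifdef CONFIG_PAX_RANDKSTACK`, yet the macro itself expands to nothing unless `CONFIG_PAX_MEMORY_STACKLEAK` is set, so this entry-time erase happens only with both options and no comment records that. The exit-side calls (sysenter_exit, sysenter_audit, restore_all_pax) carry no such guard, which makes the difference look accidental to a reader. The same guarded form appears in the entry_INT80_32 hunk and in the entry_SYSCALL_64 hunk of entry_64.S. I would add at each of the three: `/* entry-time erase is wanted only with RANDKSTACK; expands to nothing without PAX_MEMORY_STACKLEAK */`.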
15283@@ -353,12 +523,24 @@ sysenter_after_call:
15284 testl $_TIF_ALLWORK_MASK, %ecx
15285 jnz sysexit_audit
15286 sysenter_exit:
15287+
15288+#ifdef CONFIG_PAX_RANDKSTACK
15289+ pushl %eax
15290+ movl %esp, %eax
15291+ call pax_randomize_kstack
15292+ popl %eax
15293+#endif
15294+
15295+ pax_erase_kstack
15296+
15297 /* if something modifies registers it must also disable sysexit */
15298 movl PT_EIP(%esp), %edx
15299 movl PT_OLDESP(%esp), %ecx
15300 xorl %ebp, %ebp
15301 TRACE_IRQS_ON
15302 1: mov PT_FS(%esp), %fs
15303+2: mov PT_DS(%esp), %ds
15304+3: mov PT_ES(%esp), %es
15305 PTGS_TO_GS
15306 ENABLE_INTERRUPTS_SYSEXIT
15307
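Review bot: In the RANDKSTACK block at sysenter_exit, `movl %esp, %eax` runs after `pushl %eax`, so %eax points one word below the register frame, whereas restore_all_pax later in this file passes the unadjusted `%esp` to the same `pax_randomize_kstack`. If the callee treats %eax as the pt_regs pointer (its definition is not part of this file), every field it reads on this path is shifted by 4 bytes. Replacing the move with `leal 4(%esp), %eax` after the push keeps both call sites consistent. If the argument is deliberately ignored on the sysenter path, a comment should say so.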
15308@@ -372,6 +554,9 @@ sysenter_audit:
15309 pushl PT_ESI(%esp) /* a3: 5th arg */
15310 pushl PT_EDX+4(%esp) /* a2: 4th arg */
15311 call __audit_syscall_entry
15312+
15313+ pax_erase_kstack
15314+
15315 popl %ecx /* get that remapped edx off the stack */
15316 popl %ecx /* get that remapped esi off the stack */
15317 movl PT_EAX(%esp), %eax /* reload syscall number */
15318@@ -397,10 +582,16 @@ sysexit_audit:
15319 #endif
15320
15321 .pushsection .fixup, "ax"
15322-2: movl $0, PT_FS(%esp)
15323+4: movl $0, PT_FS(%esp)
15324+ jmp 1b
15325+5: movl $0, PT_DS(%esp)
15326+ jmp 1b
15327+6: movl $0, PT_ES(%esp)
15328 jmp 1b
15329 .popsection
15330- _ASM_EXTABLE(1b, 2b)
15331+ _ASM_EXTABLE(1b, 4b)
15332+ _ASM_EXTABLE(2b, 5b)
15333+ _ASM_EXTABLE(3b, 6b)
15334 PTGS_TO_GS_EX
15335 ENDPROC(entry_SYSENTER_32)
15336
15337@@ -410,6 +601,11 @@ ENTRY(entry_INT80_32)
15338 pushl %eax # save orig_eax
15339 SAVE_ALL
15340 GET_THREAD_INFO(%ebp)
15341+
15342+#ifdef CONFIG_PAX_RANDKSTACK
15343+ pax_erase_kstack
15344+#endif
15345+
15346 # system call tracing in operation / emulation
15347 testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%ebp)
15348 jnz syscall_trace_entry
15349@@ -429,6 +625,15 @@ syscall_exit:
15350 testl $_TIF_ALLWORK_MASK, %ecx # current->work
15351 jnz syscall_exit_work
15352
15353+restore_all_pax:
15354+
15355+#ifdef CONFIG_PAX_RANDKSTACK
15356+ movl %esp, %eax
15357+ call pax_randomize_kstack
15358+#endif
15359+
15360+ pax_erase_kstack
15361+
15362 restore_all:
15363 TRACE_IRQS_IRET
15364 restore_all_notrace:
15365@@ -483,14 +688,34 @@ ldt_ss:
15366 * compensating for the offset by changing to the ESPFIX segment with
15367 * a base address that matches for the difference.
15368 */
15369-#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
15370+#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
15371 mov %esp, %edx /* load kernel esp */
15372 mov PT_OLDESP(%esp), %eax /* load userspace esp */
15373 mov %dx, %ax /* eax: new kernel esp */
15374 sub %eax, %edx /* offset (low word is 0) */
15375+#ifdef CONFIG_SMP
15376+ movl PER_CPU_VAR(cpu_number), %ebx
15377+ shll $PAGE_SHIFT_asm, %ebx
15378+ addl $cpu_gdt_table, %ebx
15379+#else
15380+ movl $cpu_gdt_table, %ebx
15381+#endif
15382 shr $16, %edx
15383- mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
15384- mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
15385+
15386+#ifdef CONFIG_PAX_KERNEXEC
15387+ mov %cr0, %esi
15388+ btr $X86_CR0_WP_BIT, %esi
15389+ mov %esi, %cr0
15390+#endif
15391+
15392+ mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
15393+ mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
15394+
15395+#ifdef CONFIG_PAX_KERNEXEC
15396+ bts $X86_CR0_WP_BIT, %esi
15397+ mov %esi, %cr0
15398+#endif
15399+
15400 pushl $__ESPFIX_SS
15401 pushl %eax /* new kernel esp */
15402 /*
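Review bot: The KERNEXEC block around the two GDT byte stores toggles CR0.WP with raw `mov %cr0, %esi` / `mov %esi, %cr0`, while pax_enter_kernel and pax_exit_kernel earlier in this file go through `PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)` and `PV_CPU_write_cr0` under CONFIG_PARAVIRT. If this path can run on a paravirtualised kernel the two should agree; if it cannot, a comment should state that. The block also leaves %esi and %ebx modified, and whether they are dead here depends on code after the hunk, so that should be confirmed and noted. I would at least add `/* WP is cleared only for the two descriptor-byte stores below */` above the first `#ifdef CONFIG_PAX_KERNEXEC`.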
15403@@ -519,20 +744,18 @@ work_resched:
15404 movl TI_flags(%ebp), %ecx
15405 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
15406 # than syscall tracing?
15407- jz restore_all
15408+ jz restore_all_pax
15409 testb $_TIF_NEED_RESCHED, %cl
15410 jnz work_resched
15411
15412 work_notifysig: # deal with pending signals and
15413 # notify-resume requests
15414+ movl %esp, %eax
15415 #ifdef CONFIG_VM86
15416 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
15417- movl %esp, %eax
15418 jnz work_notifysig_v86 # returning to kernel-space or
15419 # vm86-space
15420 1:
15421-#else
15422- movl %esp, %eax
15423 #endif
15424 TRACE_IRQS_ON
15425 ENABLE_INTERRUPTS(CLBR_NONE)
15426@@ -553,7 +776,7 @@ work_notifysig_v86:
15427 movl %eax, %esp
15428 jmp 1b
15429 #endif
15430-END(work_pending)
15431+ENDPROC(work_pending)
15432
15433 # perform syscall exit tracing
15434 ALIGN
15435@@ -561,11 +784,14 @@ syscall_trace_entry:
15436 movl $-ENOSYS, PT_EAX(%esp)
15437 movl %esp, %eax
15438 call syscall_trace_enter
15439+
15440+ pax_erase_kstack
15441+
15442 /* What it returned is what we'll actually use. */
15443 cmpl $(NR_syscalls), %eax
15444 jnae syscall_call
15445 jmp syscall_exit
15446-END(syscall_trace_entry)
15447+ENDPROC(syscall_trace_entry)
15448
15449 # perform syscall exit tracing
15450 ALIGN
15451@@ -578,24 +804,28 @@ syscall_exit_work:
15452 movl %esp, %eax
15453 call syscall_trace_leave
15454 jmp resume_userspace
15455-END(syscall_exit_work)
15456+ENDPROC(syscall_exit_work)
15457
15458 syscall_fault:
15459+#ifdef CONFIG_PAX_MEMORY_UDEREF
15460+ push %ss
15461+ pop %ds
15462+#endif
15463 ASM_CLAC
15464 GET_THREAD_INFO(%ebp)
15465 movl $-EFAULT, PT_EAX(%esp)
15466 jmp resume_userspace
15467-END(syscall_fault)
15468+ENDPROC(syscall_fault)
15469
15470 syscall_badsys:
15471 movl $-ENOSYS, %eax
15472 jmp syscall_after_call
15473-END(syscall_badsys)
15474+ENDPROC(syscall_badsys)
15475
15476 sysenter_badsys:
15477 movl $-ENOSYS, %eax
15478 jmp sysenter_after_call
15479-END(sysenter_badsys)
15480+ENDPROC(sysenter_badsys)
15481
15482 .macro FIXUP_ESPFIX_STACK
15483 /*
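Review bot: The `push %ss` / `pop %ds` added at syscall_fault has no comment tying it to the UDEREF load in sysenter_past_esp, which is the only place visible on this page that leaves a user selector in %ds (`mov PT_OLDSS(%esp), %ds` before the `1:` load whose exception-table entry points here). That UDEREF branch also drops the `cmpl $__PAGE_OFFSET-3, %ebp` range check, so the bound on the sixth-argument read presumably comes from the segment limit of the user selector, with this fixup as the rejection path. I would add `/* reached via extable with %ds = user SS (UDEREF sixth-arg load); restore kernel %ds */` so that anyone editing either side sees the dependency.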
15484@@ -607,8 +837,15 @@ END(sysenter_badsys)
15485 */
15486 #ifdef CONFIG_X86_ESPFIX32
15487 /* fixup the stack */
15488- mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
15489- mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
15490+#ifdef CONFIG_SMP
15491+ movl PER_CPU_VAR(cpu_number), %ebx
15492+ shll $PAGE_SHIFT_asm, %ebx
15493+ addl $cpu_gdt_table, %ebx
15494+#else
15495+ movl $cpu_gdt_table, %ebx
15496+#endif
15497+ mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
15498+ mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
15499 shl $16, %eax
15500 addl %esp, %eax /* the adjusted stack pointer */
15501 pushl $__KERNEL_DS
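Review bot: FIXUP_ESPFIX_STACK now overwrites %ebx, because `GDT_ESPFIX_SS` was redefined in the ldt_ss hunk as an `(%ebx)`-relative operand, and the visible part of the macro's header comment (which starts outside this hunk) does not mention the new clobber. The SMP sequence that computes the GDT address is repeated verbatim from ldt_ss and encodes the assumption that each CPU's GDT occupies exactly one page of `cpu_gdt_table`. Factoring it into one helper macro, defined above ldt_ss, puts that assumption and the clobber in a single documented place, so the two sites cannot drift apart.

```asm
/* %ebx = this CPU's GDT (one page per CPU in cpu_gdt_table); clobbers %ebx */
.macro LOAD_CPU_GDT_EBX
#ifdef CONFIG_SMP
	movl PER_CPU_VAR(cpu_number), %ebx
	shll $PAGE_SHIFT_asm, %ebx
	addl $cpu_gdt_table, %ebx
#else
	movl $cpu_gdt_table, %ebx
#endif
.endm

	/* fixup the stack */
	LOAD_CPU_GDT_EBX
	mov 4 + GDT_ESPFIX_SS, %al	/* bits 16..23 */
	/* … unchanged: remaining ESPFIX fixup … */
```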
15502@@ -644,7 +881,7 @@ ENTRY(irq_entries_start)
15503 jmp common_interrupt
15504 .align 8
15505 .endr
15506-END(irq_entries_start)
15507+ENDPROC(irq_entries_start)
15508
15509 /*
15510 * the CPU automatically disables interrupts when executing an IRQ vector,
15511@@ -691,7 +928,7 @@ ENTRY(coprocessor_error)
15512 pushl $0
15513 pushl $do_coprocessor_error
15514 jmp error_code
15515-END(coprocessor_error)
15516+ENDPROC(coprocessor_error)
15517
15518 ENTRY(simd_coprocessor_error)
15519 ASM_CLAC
15520@@ -705,25 +942,25 @@ ENTRY(simd_coprocessor_error)
15521 pushl $do_simd_coprocessor_error
15522 #endif
15523 jmp error_code
15524-END(simd_coprocessor_error)
15525+ENDPROC(simd_coprocessor_error)
15526
15527 ENTRY(device_not_available)
15528 ASM_CLAC
15529 pushl $-1 # mark this as an int
15530 pushl $do_device_not_available
15531 jmp error_code
15532-END(device_not_available)
15533+ENDPROC(device_not_available)
15534
15535 #ifdef CONFIG_PARAVIRT
15536 ENTRY(native_iret)
15537 iret
15538 _ASM_EXTABLE(native_iret, iret_exc)
15539-END(native_iret)
15540+ENDPROC(native_iret)
15541
15542 ENTRY(native_irq_enable_sysexit)
15543 sti
15544 sysexit
15545-END(native_irq_enable_sysexit)
15546+ENDPROC(native_irq_enable_sysexit)
15547 #endif
15548
15549 ENTRY(overflow)
15550@@ -731,59 +968,59 @@ ENTRY(overflow)
15551 pushl $0
15552 pushl $do_overflow
15553 jmp error_code
15554-END(overflow)
15555+ENDPROC(overflow)
15556
15557 ENTRY(bounds)
15558 ASM_CLAC
15559 pushl $0
15560 pushl $do_bounds
15561 jmp error_code
15562-END(bounds)
15563+ENDPROC(bounds)
15564
15565 ENTRY(invalid_op)
15566 ASM_CLAC
15567 pushl $0
15568 pushl $do_invalid_op
15569 jmp error_code
15570-END(invalid_op)
15571+ENDPROC(invalid_op)
15572
15573 ENTRY(coprocessor_segment_overrun)
15574 ASM_CLAC
15575 pushl $0
15576 pushl $do_coprocessor_segment_overrun
15577 jmp error_code
15578-END(coprocessor_segment_overrun)
15579+ENDPROC(coprocessor_segment_overrun)
15580
15581 ENTRY(invalid_TSS)
15582 ASM_CLAC
15583 pushl $do_invalid_TSS
15584 jmp error_code
15585-END(invalid_TSS)
15586+ENDPROC(invalid_TSS)
15587
15588 ENTRY(segment_not_present)
15589 ASM_CLAC
15590 pushl $do_segment_not_present
15591 jmp error_code
15592-END(segment_not_present)
15593+ENDPROC(segment_not_present)
15594
15595 ENTRY(stack_segment)
15596 ASM_CLAC
15597 pushl $do_stack_segment
15598 jmp error_code
15599-END(stack_segment)
15600+ENDPROC(stack_segment)
15601
15602 ENTRY(alignment_check)
15603 ASM_CLAC
15604 pushl $do_alignment_check
15605 jmp error_code
15606-END(alignment_check)
15607+ENDPROC(alignment_check)
15608
15609 ENTRY(divide_error)
15610 ASM_CLAC
15611 pushl $0 # no error code
15612 pushl $do_divide_error
15613 jmp error_code
15614-END(divide_error)
15615+ENDPROC(divide_error)
15616
15617 #ifdef CONFIG_X86_MCE
15618 ENTRY(machine_check)
15619@@ -791,7 +1028,7 @@ ENTRY(machine_check)
15620 pushl $0
15621 pushl machine_check_vector
15622 jmp error_code
15623-END(machine_check)
15624+ENDPROC(machine_check)
15625 #endif
15626
15627 ENTRY(spurious_interrupt_bug)
15628@@ -799,7 +1036,7 @@ ENTRY(spurious_interrupt_bug)
15629 pushl $0
15630 pushl $do_spurious_interrupt_bug
15631 jmp error_code
15632-END(spurious_interrupt_bug)
15633+ENDPROC(spurious_interrupt_bug)
15634
15635 #ifdef CONFIG_XEN
15636 /*
15637@@ -906,7 +1143,7 @@ BUILD_INTERRUPT3(hyperv_callback_vector, HYPERVISOR_CALLBACK_VECTOR,
15638
15639 ENTRY(mcount)
15640 ret
15641-END(mcount)
15642+ENDPROC(mcount)
15643
15644 ENTRY(ftrace_caller)
15645 pushl %eax
15646@@ -936,7 +1173,7 @@ ftrace_graph_call:
15647 .globl ftrace_stub
15648 ftrace_stub:
15649 ret
15650-END(ftrace_caller)
15651+ENDPROC(ftrace_caller)
15652
15653 ENTRY(ftrace_regs_caller)
15654 pushf /* push flags before compare (in cs location) */
15655@@ -1034,7 +1271,7 @@ trace:
15656 popl %ecx
15657 popl %eax
15658 jmp ftrace_stub
15659-END(mcount)
15660+ENDPROC(mcount)
15661 #endif /* CONFIG_DYNAMIC_FTRACE */
15662 #endif /* CONFIG_FUNCTION_TRACER */
15663
15664@@ -1052,7 +1289,7 @@ ENTRY(ftrace_graph_caller)
15665 popl %ecx
15666 popl %eax
15667 ret
15668-END(ftrace_graph_caller)
15669+ENDPROC(ftrace_graph_caller)
15670
15671 .globl return_to_handler
15672 return_to_handler:
15673@@ -1100,14 +1337,17 @@ error_code:
15674 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
15675 REG_TO_PTGS %ecx
15676 SET_KERNEL_GS %ecx
15677- movl $(__USER_DS), %ecx
15678+ movl $(__KERNEL_DS), %ecx
15679 movl %ecx, %ds
15680 movl %ecx, %es
15681+
15682+ pax_enter_kernel
15683+
15684 TRACE_IRQS_OFF
15685 movl %esp, %eax # pt_regs pointer
15686 call *%edi
15687 jmp ret_from_exception
15688-END(page_fault)
15689+ENDPROC(page_fault)
15690
15691 /*
15692 * Debug traps and NMI can happen at the one SYSENTER instruction
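Review bot: error_code now loads `__KERNEL_DS` into %ds/%es unconditionally, while the SAVE_ALL macro added earlier in this file selects `__KERNEL_DS` only when KERNEXEC, PAGEEXEC, SEGMEXEC or UDEREF is configured and keeps `__USER_DS` otherwise. With all four options off, the two entry paths therefore run handlers with different data segments, and only this path changes behaviour relative to the unpatched file. Either wrap the load in the same `#if defined(CONFIG_PAX_KERNEXEC) || ...` condition with `movl $(__USER_DS), %ecx` in the `#else` arm, or add a comment stating that the exception path uses the kernel segment on purpose. error_code starts before this hunk, so the register state at the `pax_enter_kernel` call is not fully visible here.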
15693@@ -1145,7 +1385,7 @@ debug_stack_correct:
15694 movl %esp, %eax # pt_regs pointer
15695 call do_debug
15696 jmp ret_from_exception
15697-END(debug)
15698+ENDPROC(debug)
15699
15700 /*
15701 * NMI is doubly nasty. It can happen _while_ we're handling
15702@@ -1184,6 +1424,9 @@ nmi_stack_correct:
15703 xorl %edx, %edx # zero error code
15704 movl %esp, %eax # pt_regs pointer
15705 call do_nmi
15706+
15707+ pax_exit_kernel
15708+
15709 jmp restore_all_notrace
15710
15711 nmi_stack_fixup:
15712@@ -1217,11 +1460,14 @@ nmi_espfix_stack:
15713 FIXUP_ESPFIX_STACK # %eax == %esp
15714 xorl %edx, %edx # zero error code
15715 call do_nmi
15716+
15717+ pax_exit_kernel
15718+
15719 RESTORE_REGS
15720 lss 12+4(%esp), %esp # back to espfix stack
15721 jmp irq_return
15722 #endif
15723-END(nmi)
15724+ENDPROC(nmi)
15725
15726 ENTRY(int3)
15727 ASM_CLAC
15728@@ -1232,17 +1478,17 @@ ENTRY(int3)
15729 movl %esp, %eax # pt_regs pointer
15730 call do_int3
15731 jmp ret_from_exception
15732-END(int3)
15733+ENDPROC(int3)
15734
15735 ENTRY(general_protection)
15736 pushl $do_general_protection
15737 jmp error_code
15738-END(general_protection)
15739+ENDPROC(general_protection)
15740
15741 #ifdef CONFIG_KVM_GUEST
15742 ENTRY(async_page_fault)
15743 ASM_CLAC
15744 pushl $do_async_page_fault
15745 jmp error_code
15746-END(async_page_fault)
15747+ENDPROC(async_page_fault)
15748 #endif
15749diff --git a/arch/x86/entry/entry_64.S b/arch/x86/entry/entry_64.S
15750index d330840..4f1925e 100644
15751--- a/arch/x86/entry/entry_64.S
15752+++ b/arch/x86/entry/entry_64.S
15753@@ -37,6 +37,8 @@
15754 #include <asm/smap.h>
15755 #include <asm/pgtable_types.h>
15756 #include <linux/err.h>
15757+#include <asm/pgtable.h>
15758+#include <asm/alternative-asm.h>
15759
15760 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
15761 #include <linux/elf-em.h>
15762@@ -54,6 +56,402 @@ ENTRY(native_usergs_sysret64)
15763 ENDPROC(native_usergs_sysret64)
15764 #endif /* CONFIG_PARAVIRT */
15765
15766+ .macro ljmpq sel, off
15767+#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
15768+ .byte 0x48; ljmp *1234f(%rip)
15769+ .pushsection .rodata
15770+ .align 16
15771+ 1234: .quad \off; .word \sel
15772+ .popsection
15773+#else
15774+ pushq $\sel
15775+ pushq $\off
15776+ lretq
15777+#endif
15778+ .endm
15779+
15780+ .macro pax_enter_kernel
15781+ pax_set_fptr_mask
15782+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
15783+ call pax_enter_kernel
15784+#endif
15785+ .endm
15786+
15787+ .macro pax_exit_kernel
15788+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
15789+ call pax_exit_kernel
15790+#endif
15791+ .endm
15792+
15793+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
15794+ENTRY(pax_enter_kernel)
15795+ pushq %rdi
15796+
15797+#ifdef CONFIG_PARAVIRT
15798+ PV_SAVE_REGS(CLBR_RDI)
15799+#endif
15800+
15801+#ifdef CONFIG_PAX_KERNEXEC
15802+ GET_CR0_INTO_RDI
15803+ bts $X86_CR0_WP_BIT,%rdi
15804+ jnc 3f
15805+ mov %cs,%edi
15806+ cmp $__KERNEL_CS,%edi
15807+ jnz 2f
15808+1:
15809+#endif
15810+
15811+#ifdef CONFIG_PAX_MEMORY_UDEREF
15812+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
15813+ GET_CR3_INTO_RDI
15814+ cmp $0,%dil
15815+ jnz 112f
15816+ mov $__KERNEL_DS,%edi
15817+ mov %edi,%ss
15818+ jmp 111f
15819+112: cmp $1,%dil
15820+ jz 113f
15821+ ud2
15822+113: sub $4097,%rdi
15823+ bts $63,%rdi
15824+ SET_RDI_INTO_CR3
15825+ mov $__UDEREF_KERNEL_DS,%edi
15826+ mov %edi,%ss
15827+111:
15828+#endif
15829+
15830+#ifdef CONFIG_PARAVIRT
15831+ PV_RESTORE_REGS(CLBR_RDI)
15832+#endif
15833+
15834+ popq %rdi
15835+ pax_force_retaddr
15836+ retq
15837+
15838+#ifdef CONFIG_PAX_KERNEXEC
15839+2: ljmpq __KERNEL_CS,1b
15840+3: ljmpq __KERNEXEC_KERNEL_CS,4f
15841+4: SET_RDI_INTO_CR0
15842+ jmp 1b
15843+#endif
15844+ENDPROC(pax_enter_kernel)
15845+
15846+ENTRY(pax_exit_kernel)
15847+ pushq %rdi
15848+
15849+#ifdef CONFIG_PARAVIRT
15850+ PV_SAVE_REGS(CLBR_RDI)
15851+#endif
15852+
15853+#ifdef CONFIG_PAX_KERNEXEC
15854+ mov %cs,%rdi
15855+ cmp $__KERNEXEC_KERNEL_CS,%edi
15856+ jz 2f
15857+ GET_CR0_INTO_RDI
15858+ bts $X86_CR0_WP_BIT,%rdi
15859+ jnc 4f
15860+1:
15861+#endif
15862+
15863+#ifdef CONFIG_PAX_MEMORY_UDEREF
15864+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
15865+ mov %ss,%edi
15866+ cmp $__UDEREF_KERNEL_DS,%edi
15867+ jnz 111f
15868+ GET_CR3_INTO_RDI
15869+ cmp $0,%dil
15870+ jz 112f
15871+ ud2
15872+112: add $4097,%rdi
15873+ bts $63,%rdi
15874+ SET_RDI_INTO_CR3
15875+ mov $__KERNEL_DS,%edi
15876+ mov %edi,%ss
15877+111:
15878+#endif
15879+
15880+#ifdef CONFIG_PARAVIRT
15881+ PV_RESTORE_REGS(CLBR_RDI);
15882+#endif
15883+
15884+ popq %rdi
15885+ pax_force_retaddr
15886+ retq
15887+
15888+#ifdef CONFIG_PAX_KERNEXEC
15889+2: GET_CR0_INTO_RDI
15890+ btr $X86_CR0_WP_BIT,%rdi
15891+ jnc 4f
15892+ ljmpq __KERNEL_CS,3f
15893+3: SET_RDI_INTO_CR0
15894+ jmp 1b
15895+4: ud2
15896+ jmp 4b
15897+#endif
15898+ENDPROC(pax_exit_kernel)
15899+#endif
15900+
15901+ .macro pax_enter_kernel_user
15902+ pax_set_fptr_mask
15903+#ifdef CONFIG_PAX_MEMORY_UDEREF
15904+ call pax_enter_kernel_user
15905+#endif
15906+ .endm
15907+
15908+ .macro pax_exit_kernel_user
15909+#ifdef CONFIG_PAX_MEMORY_UDEREF
15910+ call pax_exit_kernel_user
15911+#endif
15912+#ifdef CONFIG_PAX_RANDKSTACK
15913+ pushq %rax
15914+ pushq %r11
15915+ call pax_randomize_kstack
15916+ popq %r11
15917+ popq %rax
15918+#endif
15919+ .endm
15920+
15921+#ifdef CONFIG_PAX_MEMORY_UDEREF
15922+ENTRY(pax_enter_kernel_user)
15923+ pushq %rdi
15924+ pushq %rbx
15925+
15926+#ifdef CONFIG_PARAVIRT
15927+ PV_SAVE_REGS(CLBR_RDI)
15928+#endif
15929+
15930+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
15931+ GET_CR3_INTO_RDI
15932+ cmp $1,%dil
15933+ jnz 4f
15934+ sub $4097,%rdi
15935+ bts $63,%rdi
15936+ SET_RDI_INTO_CR3
15937+ jmp 3f
15938+111:
15939+
15940+ GET_CR3_INTO_RDI
15941+ mov %rdi,%rbx
15942+ add $__START_KERNEL_map,%rbx
15943+ sub phys_base(%rip),%rbx
15944+
15945+#ifdef CONFIG_PARAVIRT
15946+ cmpl $0, pv_info+PARAVIRT_enabled
15947+ jz 1f
15948+ pushq %rdi
15949+ i = 0
15950+ .rept USER_PGD_PTRS
15951+ mov i*8(%rbx),%rsi
15952+ mov $0,%sil
15953+ lea i*8(%rbx),%rdi
15954+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
15955+ i = i + 1
15956+ .endr
15957+ popq %rdi
15958+ jmp 2f
15959+1:
15960+#endif
15961+
15962+ i = 0
15963+ .rept USER_PGD_PTRS
15964+ movb $0,i*8(%rbx)
15965+ i = i + 1
15966+ .endr
15967+
15968+2: SET_RDI_INTO_CR3
15969+
15970+#ifdef CONFIG_PAX_KERNEXEC
15971+ GET_CR0_INTO_RDI
15972+ bts $X86_CR0_WP_BIT,%rdi
15973+ SET_RDI_INTO_CR0
15974+#endif
15975+
15976+3:
15977+
15978+#ifdef CONFIG_PARAVIRT
15979+ PV_RESTORE_REGS(CLBR_RDI)
15980+#endif
15981+
15982+ popq %rbx
15983+ popq %rdi
15984+ pax_force_retaddr
15985+ retq
15986+4: ud2
15987+ENDPROC(pax_enter_kernel_user)
15988+
15989+ENTRY(pax_exit_kernel_user)
15990+ pushq %rdi
15991+ pushq %rbx
15992+
15993+#ifdef CONFIG_PARAVIRT
15994+ PV_SAVE_REGS(CLBR_RDI)
15995+#endif
15996+
15997+ GET_CR3_INTO_RDI
15998+ ALTERNATIVE "jmp 1f", "", X86_FEATURE_PCID
15999+ cmp $0,%dil
16000+ jnz 3f
16001+ add $4097,%rdi
16002+ bts $63,%rdi
16003+ SET_RDI_INTO_CR3
16004+ jmp 2f
16005+1:
16006+
16007+ mov %rdi,%rbx
16008+
16009+#ifdef CONFIG_PAX_KERNEXEC
16010+ GET_CR0_INTO_RDI
16011+ btr $X86_CR0_WP_BIT,%rdi
16012+ jnc 3f
16013+ SET_RDI_INTO_CR0
16014+#endif
16015+
16016+ add $__START_KERNEL_map,%rbx
16017+ sub phys_base(%rip),%rbx
16018+
16019+#ifdef CONFIG_PARAVIRT
16020+ cmpl $0, pv_info+PARAVIRT_enabled
16021+ jz 1f
16022+ i = 0
16023+ .rept USER_PGD_PTRS
16024+ mov i*8(%rbx),%rsi
16025+ mov $0x67,%sil
16026+ lea i*8(%rbx),%rdi
16027+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd_batched)
16028+ i = i + 1
16029+ .endr
16030+ jmp 2f
16031+1:
16032+#endif
16033+
16034+ i = 0
16035+ .rept USER_PGD_PTRS
16036+ movb $0x67,i*8(%rbx)
16037+ i = i + 1
16038+ .endr
16039+2:
16040+
16041+#ifdef CONFIG_PARAVIRT
16042+ PV_RESTORE_REGS(CLBR_RDI)
16043+#endif
16044+
16045+ popq %rbx
16046+ popq %rdi
16047+ pax_force_retaddr
16048+ retq
16049+3: ud2
16050+ENDPROC(pax_exit_kernel_user)
16051+#endif
16052+
16053+ .macro pax_enter_kernel_nmi
16054+ pax_set_fptr_mask
16055+
16056+#ifdef CONFIG_PAX_KERNEXEC
16057+ GET_CR0_INTO_RDI
16058+ bts $X86_CR0_WP_BIT,%rdi
16059+ jc 110f
16060+ SET_RDI_INTO_CR0
16061+ or $2,%ebx
16062+110:
16063+#endif
16064+
16065+#ifdef CONFIG_PAX_MEMORY_UDEREF
16066+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
16067+ GET_CR3_INTO_RDI
16068+ cmp $0,%dil
16069+ jz 111f
16070+ sub $4097,%rdi
16071+ or $4,%ebx
16072+ bts $63,%rdi
16073+ SET_RDI_INTO_CR3
16074+ mov $__UDEREF_KERNEL_DS,%edi
16075+ mov %edi,%ss
16076+111:
16077+#endif
16078+ .endm
16079+
16080+ .macro pax_exit_kernel_nmi
16081+#ifdef CONFIG_PAX_KERNEXEC
16082+ btr $1,%ebx
16083+ jnc 110f
16084+ GET_CR0_INTO_RDI
16085+ btr $X86_CR0_WP_BIT,%rdi
16086+ SET_RDI_INTO_CR0
16087+110:
16088+#endif
16089+
16090+#ifdef CONFIG_PAX_MEMORY_UDEREF
16091+ ALTERNATIVE "jmp 111f", "", X86_FEATURE_PCID
16092+ btr $2,%ebx
16093+ jnc 111f
16094+ GET_CR3_INTO_RDI
16095+ add $4097,%rdi
16096+ bts $63,%rdi
16097+ SET_RDI_INTO_CR3
16098+ mov $__KERNEL_DS,%edi
16099+ mov %edi,%ss
16100+111:
16101+#endif
16102+ .endm
16103+
16104+ .macro pax_erase_kstack
16105+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
16106+ call pax_erase_kstack
16107+#endif
16108+ .endm
16109+
16110+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
16111+ENTRY(pax_erase_kstack)
16112+ pushq %rdi
16113+ pushq %rcx
16114+ pushq %rax
16115+ pushq %r11
16116+
16117+ GET_THREAD_INFO(%r11)
16118+ mov TI_lowest_stack(%r11), %rdi
16119+ mov $-0xBEEF, %rax
16120+ std
16121+
16122+1: mov %edi, %ecx
16123+ and $THREAD_SIZE_asm - 1, %ecx
16124+ shr $3, %ecx
16125+ repne scasq
16126+ jecxz 2f
16127+
16128+ cmp $2*8, %ecx
16129+ jc 2f
16130+
16131+ mov $2*8, %ecx
16132+ repe scasq
16133+ jecxz 2f
16134+ jne 1b
16135+
16136+2: cld
16137+ or $2*8, %rdi
16138+ mov %esp, %ecx
16139+ sub %edi, %ecx
16140+
16141+ cmp $THREAD_SIZE_asm, %rcx
16142+ jb 3f
16143+ ud2
16144+3:
16145+
16146+ shr $3, %ecx
16147+ rep stosq
16148+
16149+ mov TI_task_thread_sp0(%r11), %rdi
16150+ sub $256, %rdi
16151+ mov %rdi, TI_lowest_stack(%r11)
16152+
16153+ popq %r11
16154+ popq %rax
16155+ popq %rcx
16156+ popq %rdi
16157+ pax_force_retaddr
16158+ ret
16159+ENDPROC(pax_erase_kstack)
16160+#endif
16161+
16162 .macro TRACE_IRQS_IRETQ
16163 #ifdef CONFIG_TRACE_IRQFLAGS
16164 bt $9, EFLAGS(%rsp) /* interrupts off? */
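Review bot: pax_enter_kernel_nmi and pax_exit_kernel_nmi pass state to each other through bits 1 and 2 of %ebx (`or $2,%ebx` / `btr $1,%ebx`, `or $4,%ebx` / `btr $2,%ebx`) and overwrite %rdi, but neither macro documents that contract. If the NMI path loses those bits between the two macros, the exit macro silently skips the CR0.WP or CR3 restore. I would add above the first macro: `/* %ebx bit 1: WP was set here; bit 2: CR3 was switched here; both consumed by pax_exit_kernel_nmi. Clobbers %rdi. */`. The literals `$4097`, `bts $63`, `$0x67` and `$-0xBEEF` also recur throughout the hunk without names. Symbolic constants with one line each on what they encode would make the CR3 and PGD manipulation reviewable.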
16165@@ -89,7 +487,7 @@ ENDPROC(native_usergs_sysret64)
16166 .endm
16167
16168 .macro TRACE_IRQS_IRETQ_DEBUG
16169- bt $9, EFLAGS(%rsp) /* interrupts off? */
16170+ bt $X86_EFLAGS_IF_BIT, EFLAGS(%rsp) /* interrupts off? */
16171 jnc 1f
16172 TRACE_IRQS_ON_DEBUG
16173 1:
16174@@ -149,14 +547,6 @@ GLOBAL(entry_SYSCALL_64_after_swapgs)
16175 /* Construct struct pt_regs on stack */
16176 pushq $__USER_DS /* pt_regs->ss */
16177 pushq PER_CPU_VAR(rsp_scratch) /* pt_regs->sp */
16178- /*
16179- * Re-enable interrupts.
16180- * We use 'rsp_scratch' as a scratch space, hence irq-off block above
16181- * must execute atomically in the face of possible interrupt-driven
16182- * task preemption. We must enable interrupts only after we're done
16183- * with using rsp_scratch:
16184- */
16185- ENABLE_INTERRUPTS(CLBR_NONE)
16186 pushq %r11 /* pt_regs->flags */
16187 pushq $__USER_CS /* pt_regs->cs */
16188 pushq %rcx /* pt_regs->ip */
16189@@ -172,7 +562,27 @@ GLOBAL(entry_SYSCALL_64_after_swapgs)
16190 pushq %r11 /* pt_regs->r11 */
16191 sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */
16192
16193- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16194+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
16195+ movq %r12, R12(%rsp)
16196+#endif
16197+
16198+ pax_enter_kernel_user
16199+
16200+#ifdef CONFIG_PAX_RANDKSTACK
16201+ pax_erase_kstack
16202+#endif
16203+
16204+ /*
16205+ * Re-enable interrupts.
16206+ * We use 'rsp_scratch' as a scratch space, hence irq-off block above
16207+ * must execute atomically in the face of possible interrupt-driven
16208+ * task preemption. We must enable interrupts only after we're done
16209+ * with using rsp_scratch:
16210+ */
16211+ ENABLE_INTERRUPTS(CLBR_NONE)
16212+
16213+ GET_THREAD_INFO(%rcx)
16214+ testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%rcx)
16215 jnz tracesys
16216 entry_SYSCALL_64_fastpath:
16217 #if __SYSCALL_MASK == ~0
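Review bot: The relocated "Re-enable interrupts" comment still gives `rsp_scratch` as the only reason for the irq-off window, but `ENABLE_INTERRUPTS` now also waits for `pax_enter_kernel_user` and the optional `pax_erase_kstack`. pax_enter_kernel_user rewrites CR3 and, without PCID, the user PGD entries, so interrupts are presumably kept off across it on purpose, and the comment should say so. I would extend it with `* Interrupts also stay off across pax_enter_kernel_user, which switches CR3/PGD state.` The new `GET_THREAD_INFO(%rcx)` overwrites %rcx; that looks safe because pt_regs->ip was pushed earlier, but the push lies outside this hunk.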
16218@@ -205,9 +615,13 @@ entry_SYSCALL_64_fastpath:
16219 * flags (TIF_NOTIFY_RESUME, TIF_USER_RETURN_NOTIFY, etc) set is
16220 * very bad.
16221 */
16222- testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16223+ GET_THREAD_INFO(%rcx)
16224+ testl $_TIF_ALLWORK_MASK, TI_flags(%rcx)
16225 jnz int_ret_from_sys_call_irqs_off /* Go to the slow path */
16226
16227+ pax_exit_kernel_user
16228+ pax_erase_kstack
16229+
16230 RESTORE_C_REGS_EXCEPT_RCX_R11
16231 movq RIP(%rsp), %rcx
16232 movq EFLAGS(%rsp), %r11
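Review bot: The order `pax_exit_kernel_user` then `pax_erase_kstack` is not explained, and it is not the obvious one, since kernel code still runs after the "exit" macro. The exit macro contains the `pax_randomize_kstack` call, and pax_erase_kstack finishes by recording `TI_task_thread_sp0 - 256` in `TI_lowest_stack`, so the erase presumably has to see the value the randomizer leaves behind. If so, that should be stated, for example `/* erase after exit: pax_erase_kstack records lowest_stack from the sp0 set by pax_randomize_kstack */`. On the non-PCID KERNEXEC path pax_exit_kernel_user also returns with CR0.WP cleared, so anything placed after it runs without write protection. The same pair appears in the int_with_check hunk.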
16233@@ -236,6 +650,9 @@ tracesys:
16234 call syscall_trace_enter_phase1
16235 test %rax, %rax
16236 jnz tracesys_phase2 /* if needed, run the slow path */
16237+
16238+ pax_erase_kstack
16239+
16240 RESTORE_C_REGS_EXCEPT_RAX /* else restore clobbered regs */
16241 movq ORIG_RAX(%rsp), %rax
16242 jmp entry_SYSCALL_64_fastpath /* and return to the fast path */
16243@@ -247,6 +664,8 @@ tracesys_phase2:
16244 movq %rax, %rdx
16245 call syscall_trace_enter_phase2
16246
16247+ pax_erase_kstack
16248+
16249 /*
16250 * Reload registers from stack in case ptrace changed them.
16251 * We don't reload %rax because syscall_trace_entry_phase2() returned
16252@@ -284,6 +703,8 @@ GLOBAL(int_with_check)
16253 andl %edi, %edx
16254 jnz int_careful
16255 andl $~TS_COMPAT, TI_status(%rcx)
16256+ pax_exit_kernel_user
16257+ pax_erase_kstack
16258 jmp syscall_return
16259
16260 /*
16261@@ -407,14 +828,14 @@ syscall_return_via_sysret:
16262 opportunistic_sysret_failed:
16263 SWAPGS
16264 jmp restore_c_regs_and_iret
16265-END(entry_SYSCALL_64)
16266+ENDPROC(entry_SYSCALL_64)
16267
16268
16269 .macro FORK_LIKE func
16270 ENTRY(stub_\func)
16271 SAVE_EXTRA_REGS 8
16272 jmp sys_\func
16273-END(stub_\func)
16274+ENDPROC(stub_\func)
16275 .endm
16276
16277 FORK_LIKE clone
16278@@ -434,7 +855,7 @@ return_from_execve:
16279 ZERO_EXTRA_REGS
16280 movq %rax, RAX(%rsp)
16281 jmp int_ret_from_sys_call
16282-END(stub_execve)
16283+ENDPROC(stub_execve)
16284 /*
16285 * Remaining execve stubs are only 7 bytes long.
16286 * ENTRY() often aligns to 16 bytes, which in this case has no benefits.
16287@@ -443,7 +864,7 @@ END(stub_execve)
16288 GLOBAL(stub_execveat)
16289 call sys_execveat
16290 jmp return_from_execve
16291-END(stub_execveat)
16292+ENDPROC(stub_execveat)
16293
16294 #if defined(CONFIG_X86_X32_ABI) || defined(CONFIG_IA32_EMULATION)
16295 .align 8
16296@@ -451,15 +872,15 @@ GLOBAL(stub_x32_execve)
16297 GLOBAL(stub32_execve)
16298 call compat_sys_execve
16299 jmp return_from_execve
16300-END(stub32_execve)
16301-END(stub_x32_execve)
16302+ENDPROC(stub32_execve)
16303+ENDPROC(stub_x32_execve)
16304 .align 8
16305 GLOBAL(stub_x32_execveat)
16306 GLOBAL(stub32_execveat)
16307 call compat_sys_execveat
16308 jmp return_from_execve
16309-END(stub32_execveat)
16310-END(stub_x32_execveat)
16311+ENDPROC(stub32_execveat)
16312+ENDPROC(stub_x32_execveat)
16313 #endif
16314
16315 /*
16316@@ -488,7 +909,7 @@ ENTRY(stub_x32_rt_sigreturn)
16317 SAVE_EXTRA_REGS 8
16318 call sys32_x32_rt_sigreturn
16319 jmp return_from_stub
16320-END(stub_x32_rt_sigreturn)
16321+ENDPROC(stub_x32_rt_sigreturn)
16322 #endif
16323
16324 /*
16325@@ -527,7 +948,7 @@ ENTRY(ret_from_fork)
16326 movl $0, RAX(%rsp)
16327 RESTORE_EXTRA_REGS
16328 jmp int_ret_from_sys_call
16329-END(ret_from_fork)
16330+ENDPROC(ret_from_fork)
16331
16332 /*
16333 * Build the entry stubs with some assembler magic.
16334@@ -542,7 +963,7 @@ ENTRY(irq_entries_start)
16335 jmp common_interrupt
16336 .align 8
16337 .endr
16338-END(irq_entries_start)
16339+ENDPROC(irq_entries_start)
16340
16341 /*
16342 * Interrupt entry/exit.
16343@@ -555,21 +976,13 @@ END(irq_entries_start)
16344 /* 0(%rsp): ~(interrupt number) */
16345 .macro interrupt func
16346 cld
16347- /*
16348- * Since nothing in interrupt handling code touches r12...r15 members
16349- * of "struct pt_regs", and since interrupts can nest, we can save
16350- * four stack slots and simultaneously provide
16351- * an unwind-friendly stack layout by saving "truncated" pt_regs
16352- * exactly up to rbp slot, without these members.
16353- */
16354- ALLOC_PT_GPREGS_ON_STACK -RBP
16355- SAVE_C_REGS -RBP
16356- /* this goes to 0(%rsp) for unwinder, not for saving the value: */
16357- SAVE_EXTRA_REGS_RBP -RBP
16358+ ALLOC_PT_GPREGS_ON_STACK
16359+ SAVE_C_REGS
16360+ SAVE_EXTRA_REGS
16361
16362- leaq -RBP(%rsp), %rdi /* arg1 for \func (pointer to pt_regs) */
16363+ movq %rsp, %rdi /* arg1 for \func (pointer to pt_regs) */
16364
16365- testb $3, CS-RBP(%rsp)
16366+ testb $3, CS(%rsp)
16367 jz 1f
16368 SWAPGS
16369 1:
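Review bot: The deleted comment explained why only a truncated pt_regs was saved, and nothing replaces it to say why the `interrupt` macro now saves the full frame with `ALLOC_PT_GPREGS_ON_STACK`, `SAVE_C_REGS` and `SAVE_EXTRA_REGS`. Interrupts can nest, so every level now pays for the slots the old comment said were being saved, and that trade-off deserves a line. Something like `/* full pt_regs: the PaX entry code below and ret_from_intr both expect an untruncated frame */` would do, if that is indeed the reason. The macro body continues outside the hunk.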
16370@@ -584,6 +997,18 @@ END(irq_entries_start)
16371 incl PER_CPU_VAR(irq_count)
16372 cmovzq PER_CPU_VAR(irq_stack_ptr), %rsp
16373 pushq %rsi
16374+
16375+#ifdef CONFIG_PAX_MEMORY_UDEREF
16376+ testb $3, CS(%rdi)
16377+ jnz 1f
16378+ pax_enter_kernel
16379+ jmp 2f
16380+1: pax_enter_kernel_user
16381+2:
16382+#else
16383+ pax_enter_kernel
16384+#endif
16385+
16386 /* We entered an interrupt context - irqs are off: */
16387 TRACE_IRQS_OFF
16388
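Review bot: The UDEREF dispatch on the saved CS (`testb $3, ...` / `jnz 1f` / `pax_enter_kernel` / `jmp 2f` / `1: pax_enter_kernel_user` / `2:`) is open-coded here and again, with only the CS operand changed, in the paranoid_entry and error_entry hunks. Three copies of a privilege-level test are easy to let drift apart, and a wrong operand in one of them would select the wrong entry hardening for that path. A single macro taking the CS operand would keep them identical; the name below is only a suggestion. The callers would then read `pax_enter_kernel_by_cs CS(%rdi)` here and `pax_enter_kernel_by_cs CS+8(%rsp)` in the other two places.

```asm
	.macro pax_enter_kernel_by_cs cs_operand
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb	$3, \cs_operand		/* did we come from user mode? */
	jnz	1f
	pax_enter_kernel
	jmp	2f
1:	pax_enter_kernel_user
2:
#else
	pax_enter_kernel
#endif
	.endm
```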
16389@@ -608,7 +1033,7 @@ ret_from_intr:
16390 /* Restore saved previous stack */
16391 popq %rsi
16392 /* return code expects complete pt_regs - adjust rsp accordingly: */
16393- leaq -RBP(%rsi), %rsp
16394+ movq %rsi, %rsp
16395
16396 testb $3, CS(%rsp)
16397 jz retint_kernel
16398@@ -630,6 +1055,8 @@ retint_swapgs: /* return to user-space */
16399 * The iretq could re-enable interrupts:
16400 */
16401 DISABLE_INTERRUPTS(CLBR_ANY)
16402+ pax_exit_kernel_user
16403+# pax_erase_kstack
16404 TRACE_IRQS_IRETQ
16405
16406 SWAPGS
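Review bot: `# pax_erase_kstack` disables the call with a `#` at the start of a line in a file that is run through the C preprocessor, which only works as long as the preprocessor passes unknown `#` lines through in assembler mode. A `/* ... */` comment is the safer form and leaves room for the reason, for example `/* pax_erase_kstack: not run on the interrupt return path because <reason> */`. The same applies to `# pax_force_retaddr_bts` in the nested_nmi_out hunk. As written, a reader cannot tell whether the hardening step is skipped on purpose or was left disabled by accident.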
16407@@ -648,6 +1075,21 @@ retint_kernel:
16408 jmp 0b
16409 1:
16410 #endif
16411+
16412+ pax_exit_kernel
16413+
16414+#if defined(CONFIG_EFI) && defined(CONFIG_PAX_KERNEXEC)
16415+ /* This is a quirk to allow IRQs/NMIs/MCEs during early EFI setup,
16416+ * namely calling EFI runtime services with a phys mapping. We're
16417+ * starting off with NOPs and patch in the real instrumentation
16418+ * (BTS/OR) before starting any userland process; even before starting
16419+ * up the APs.
16420+ */
16421+ ALTERNATIVE "", "pax_force_retaddr 16*8", X86_FEATURE_ALWAYS
16422+#else
16423+ pax_force_retaddr RIP
16424+#endif
16425+
16426 /*
16427 * The iretq could re-enable interrupts:
16428 */
16429@@ -689,15 +1131,15 @@ native_irq_return_ldt:
16430 SWAPGS
16431 movq PER_CPU_VAR(espfix_waddr), %rdi
16432 movq %rax, (0*8)(%rdi) /* RAX */
16433- movq (2*8)(%rsp), %rax /* RIP */
16434+ movq (2*8 + RIP-RIP)(%rsp), %rax /* RIP */
16435 movq %rax, (1*8)(%rdi)
16436- movq (3*8)(%rsp), %rax /* CS */
16437+ movq (2*8 + CS-RIP)(%rsp), %rax /* CS */
16438 movq %rax, (2*8)(%rdi)
16439- movq (4*8)(%rsp), %rax /* RFLAGS */
16440+ movq (2*8 + EFLAGS-RIP)(%rsp), %rax /* RFLAGS */
16441 movq %rax, (3*8)(%rdi)
16442- movq (6*8)(%rsp), %rax /* SS */
16443+ movq (2*8 + SS-RIP)(%rsp), %rax /* SS */
16444 movq %rax, (5*8)(%rdi)
16445- movq (5*8)(%rsp), %rax /* RSP */
16446+ movq (2*8 + RSP-RIP)(%rsp), %rax /* RSP */
16447 movq %rax, (4*8)(%rdi)
16448 andl $0xffff0000, %eax
16449 popq %rdi
16450@@ -738,7 +1180,7 @@ retint_signal:
16451 GET_THREAD_INFO(%rcx)
16452 jmp retint_with_reschedule
16453
16454-END(common_interrupt)
16455+ENDPROC(common_interrupt)
16456
16457 /*
16458 * APIC interrupts.
16459@@ -750,7 +1192,7 @@ ENTRY(\sym)
16460 .Lcommon_\sym:
16461 interrupt \do_sym
16462 jmp ret_from_intr
16463-END(\sym)
16464+ENDPROC(\sym)
16465 .endm
16466
16467 #ifdef CONFIG_TRACING
16468@@ -815,7 +1257,7 @@ apicinterrupt IRQ_WORK_VECTOR irq_work_interrupt smp_irq_work_interrupt
16469 /*
16470 * Exception entry points.
16471 */
16472-#define CPU_TSS_IST(x) PER_CPU_VAR(cpu_tss) + (TSS_ist + ((x) - 1) * 8)
16473+#define CPU_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r13)
16474
16475 .macro idtentry sym do_sym has_error_code:req paranoid=0 shift_ist=-1
16476 ENTRY(\sym)
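Review bot: `CPU_TSS_IST(x)` now expands to an operand based on `%r13`, so every use silently depends on `%r13` holding this CPU's `cpu_tss` address, and the define gives no hint of that. The next hunk loads `%r13` just before the `subq`. Any matching use after the call to `\do_sym` lies outside the visible lines and would rely on `%r13` being callee-saved across that call. I would put the contract on the define: `/* needs %r13 = address of this CPU's cpu_tss, loaded in idtentry before first use */`. The `imul $TSS_size, PER_CPU_VAR(cpu_number), %r13d` form also assumes `cpu_tss` is a plain array indexed by CPU number, which is presumably changed elsewhere in the patch and is worth stating in the same comment.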
16477@@ -862,6 +1304,12 @@ ENTRY(\sym)
16478 .endif
16479
16480 .if \shift_ist != -1
16481+#ifdef CONFIG_SMP
16482+ imul $TSS_size, PER_CPU_VAR(cpu_number), %r13d
16483+ lea cpu_tss(%r13), %r13
16484+#else
16485+ lea cpu_tss(%rip), %r13
16486+#endif
16487 subq $EXCEPTION_STKSZ, CPU_TSS_IST(\shift_ist)
16488 .endif
16489
16490@@ -905,7 +1353,7 @@ ENTRY(\sym)
16491
16492 jmp error_exit /* %ebx: no swapgs flag */
16493 .endif
16494-END(\sym)
16495+ENDPROC(\sym)
16496 .endm
16497
16498 #ifdef CONFIG_TRACING
16499@@ -947,8 +1395,9 @@ gs_change:
16500 2: mfence /* workaround */
16501 SWAPGS
16502 popfq
16503+ pax_force_retaddr
16504 ret
16505-END(native_load_gs_index)
16506+ENDPROC(native_load_gs_index)
16507
16508 _ASM_EXTABLE(gs_change, bad_gs)
16509 .section .fixup, "ax"
16510@@ -970,8 +1419,9 @@ ENTRY(do_softirq_own_stack)
16511 call __do_softirq
16512 leaveq
16513 decl PER_CPU_VAR(irq_count)
16514+ pax_force_retaddr
16515 ret
16516-END(do_softirq_own_stack)
16517+ENDPROC(do_softirq_own_stack)
16518
16519 #ifdef CONFIG_XEN
16520 idtentry xen_hypervisor_callback xen_do_hypervisor_callback has_error_code=0
16521@@ -1007,7 +1457,7 @@ ENTRY(xen_do_hypervisor_callback) /* do_hypervisor_callback(struct *pt_regs) */
16522 call xen_maybe_preempt_hcall
16523 #endif
16524 jmp error_exit
16525-END(xen_do_hypervisor_callback)
16526+ENDPROC(xen_do_hypervisor_callback)
16527
16528 /*
16529 * Hypervisor uses this for application faults while it executes.
16530@@ -1052,7 +1502,7 @@ ENTRY(xen_failsafe_callback)
16531 SAVE_C_REGS
16532 SAVE_EXTRA_REGS
16533 jmp error_exit
16534-END(xen_failsafe_callback)
16535+ENDPROC(xen_failsafe_callback)
16536
16537 apicinterrupt3 HYPERVISOR_CALLBACK_VECTOR \
16538 xen_hvm_callback_vector xen_evtchn_do_upcall
16539@@ -1101,8 +1551,36 @@ ENTRY(paranoid_entry)
16540 js 1f /* negative -> in kernel */
16541 SWAPGS
16542 xorl %ebx, %ebx
16543-1: ret
16544-END(paranoid_entry)
16545+1:
16546+#ifdef CONFIG_PAX_MEMORY_UDEREF
16547+ testb $3, CS+8(%rsp)
16548+ jnz 1f
16549+ pax_enter_kernel
16550+ jmp 2f
16551+1: pax_enter_kernel_user
16552+2:
16553+#else
16554+ pax_enter_kernel
16555+#endif
16556+ pax_force_retaddr
16557+ ret
16558+ENDPROC(paranoid_entry)
16559+
16560+ENTRY(paranoid_entry_nmi)
16561+ cld
16562+ SAVE_C_REGS 8
16563+ SAVE_EXTRA_REGS 8
16564+ movl $1, %ebx
16565+ movl $MSR_GS_BASE, %ecx
16566+ rdmsr
16567+ testl %edx, %edx
16568+ js 1f /* negative -> in kernel */
16569+ SWAPGS
16570+ xorl %ebx, %ebx
16571+1: pax_enter_kernel_nmi
16572+ pax_force_retaddr
16573+ ret
16574+ENDPROC(paranoid_entry_nmi)
16575
16576 /*
16577 * "Paranoid" exit path from exception stack. This is invoked
16578@@ -1119,19 +1597,26 @@ END(paranoid_entry)
16579 ENTRY(paranoid_exit)
16580 DISABLE_INTERRUPTS(CLBR_NONE)
16581 TRACE_IRQS_OFF_DEBUG
16582- testl %ebx, %ebx /* swapgs needed? */
16583+ testl $1, %ebx /* swapgs needed? */
16584 jnz paranoid_exit_no_swapgs
16585+#ifdef CONFIG_PAX_MEMORY_UDEREF
16586+ pax_exit_kernel_user
16587+#else
16588+ pax_exit_kernel
16589+#endif
16590 TRACE_IRQS_IRETQ
16591 SWAPGS_UNSAFE_STACK
16592 jmp paranoid_exit_restore
16593 paranoid_exit_no_swapgs:
16594+ pax_exit_kernel
16595 TRACE_IRQS_IRETQ_DEBUG
16596 paranoid_exit_restore:
16597 RESTORE_EXTRA_REGS
16598 RESTORE_C_REGS
16599 REMOVE_PT_GPREGS_FROM_STACK 8
16600+ pax_force_retaddr_bts
16601 INTERRUPT_RETURN
16602-END(paranoid_exit)
16603+ENDPROC(paranoid_exit)
16604
16605 /*
16606 * Save all registers in pt_regs, and switch gs if needed.
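Review bot: The test changed from `testl %ebx, %ebx` to `testl $1, %ebx`, but the comment still reads `/* swapgs needed? */` and nothing documents that only bit 0 of `%ebx` is now the swapgs flag. The NMI hunks zero `%ebx` before `pax_enter_kernel_nmi` and reload `RBX(%rsp)` afterwards, which suggests the PaX entry code keeps its own state in the upper bits. I would spell that out at the test, e.g. `testl $1, %ebx /* bit 0 set: no swapgs; other bits may hold PaX entry state */`. The same comment is needed at the matching tests in error_exit (`testl $1, %eax`) and before nmi_restore.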
16607@@ -1149,7 +1634,18 @@ ENTRY(error_entry)
16608 SWAPGS
16609
16610 error_entry_done:
16611+#ifdef CONFIG_PAX_MEMORY_UDEREF
16612+ testb $3, CS+8(%rsp)
16613+ jnz 1f
16614+ pax_enter_kernel
16615+ jmp 2f
16616+1: pax_enter_kernel_user
16617+2:
16618+#else
16619+ pax_enter_kernel
16620+#endif
16621 TRACE_IRQS_OFF
16622+ pax_force_retaddr
16623 ret
16624
16625 /*
16626@@ -1199,7 +1695,7 @@ error_bad_iret:
16627 mov %rax, %rsp
16628 decl %ebx
16629 jmp error_entry_done
16630-END(error_entry)
16631+ENDPROC(error_entry)
16632
16633
16634 /*
16635@@ -1212,10 +1708,10 @@ ENTRY(error_exit)
16636 RESTORE_EXTRA_REGS
16637 DISABLE_INTERRUPTS(CLBR_NONE)
16638 TRACE_IRQS_OFF
16639- testl %eax, %eax
16640+ testl $1, %eax
16641 jnz retint_kernel
16642 jmp retint_user
16643-END(error_exit)
16644+ENDPROC(error_exit)
16645
16646 /* Runs on exception stack */
16647 ENTRY(nmi)
16648@@ -1269,6 +1765,8 @@ ENTRY(nmi)
16649 * other IST entries.
16650 */
16651
16652+ ASM_CLAC
16653+
16654 /* Use %rdx as our temp variable throughout */
16655 pushq %rdx
16656
16657@@ -1312,6 +1810,12 @@ ENTRY(nmi)
16658 pushq %r14 /* pt_regs->r14 */
16659 pushq %r15 /* pt_regs->r15 */
16660
16661+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
16662+ xorl %ebx, %ebx
16663+#endif
16664+
16665+ pax_enter_kernel_nmi
16666+
16667 /*
16668 * At this point we no longer need to worry about stack damage
16669 * due to nesting -- we're on the normal thread stack and we're
16670@@ -1322,12 +1826,19 @@ ENTRY(nmi)
16671 movq $-1, %rsi
16672 call do_nmi
16673
16674+ pax_exit_kernel_nmi
16675+
16676 /*
16677 * Return back to user mode. We must *not* do the normal exit
16678 * work, because we don't want to enable interrupts. Fortunately,
16679 * do_nmi doesn't modify pt_regs.
16680 */
16681 SWAPGS
16682+
16683+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
16684+ movq RBX(%rsp), %rbx
16685+#endif
16686+
16687 jmp restore_c_regs_and_iret
16688
16689 .Lnmi_from_kernel:
16690@@ -1449,6 +1960,7 @@ nested_nmi_out:
16691 popq %rdx
16692
16693 /* We are returning to kernel mode, so this cannot result in a fault. */
16694+# pax_force_retaddr_bts
16695 INTERRUPT_RETURN
16696
16697 first_nmi:
16698@@ -1522,20 +2034,22 @@ end_repeat_nmi:
16699 ALLOC_PT_GPREGS_ON_STACK
16700
16701 /*
16702- * Use paranoid_entry to handle SWAPGS, but no need to use paranoid_exit
16703+ * Use paranoid_entry_nmi to handle SWAPGS, but no need to use paranoid_exit
16704 * as we should not be calling schedule in NMI context.
16705 * Even with normal interrupts enabled. An NMI should not be
16706 * setting NEED_RESCHED or anything that normal interrupts and
16707 * exceptions might do.
16708 */
16709- call paranoid_entry
16710+ call paranoid_entry_nmi
16711
16712 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
16713 movq %rsp, %rdi
16714 movq $-1, %rsi
16715 call do_nmi
16716
16717- testl %ebx, %ebx /* swapgs needed? */
16718+ pax_exit_kernel_nmi
16719+
16720+ testl $1, %ebx /* swapgs needed? */
16721 jnz nmi_restore
16722 nmi_swapgs:
16723 SWAPGS_UNSAFE_STACK
16724@@ -1546,6 +2060,8 @@ nmi_restore:
16725 /* Point RSP at the "iret" frame. */
16726 REMOVE_PT_GPREGS_FROM_STACK 6*8
16727
16728+ pax_force_retaddr_bts
16729+
16730 /*
16731 * Clear "NMI executing". Set DF first so that we can easily
16732 * distinguish the remaining code between here and IRET from
16733@@ -1563,9 +2079,9 @@ nmi_restore:
16734 * mode, so this cannot result in a fault.
16735 */
16736 INTERRUPT_RETURN
16737-END(nmi)
16738+ENDPROC(nmi)
16739
16740 ENTRY(ignore_sysret)
16741 mov $-ENOSYS, %eax
16742 sysret
16743-END(ignore_sysret)
16744+ENDPROC(ignore_sysret)
16745diff --git a/arch/x86/entry/entry_64_compat.S b/arch/x86/entry/entry_64_compat.S
16746index a7e257d..3a6ad23 100644
16747--- a/arch/x86/entry/entry_64_compat.S
16748+++ b/arch/x86/entry/entry_64_compat.S
16749@@ -13,8 +13,10 @@
16750 #include <asm/irqflags.h>
16751 #include <asm/asm.h>
16752 #include <asm/smap.h>
16753+#include <asm/pgtable.h>
16754 #include <linux/linkage.h>
16755 #include <linux/err.h>
16756+#include <asm/alternative-asm.h>
16757
16758 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
16759 #include <linux/elf-em.h>
16760@@ -35,6 +37,32 @@ ENTRY(native_usergs_sysret32)
16761 ENDPROC(native_usergs_sysret32)
16762 #endif
16763
16764+ .macro pax_enter_kernel_user
16765+ pax_set_fptr_mask
16766+#ifdef CONFIG_PAX_MEMORY_UDEREF
16767+ call pax_enter_kernel_user
16768+#endif
16769+ .endm
16770+
16771+ .macro pax_exit_kernel_user
16772+#ifdef CONFIG_PAX_MEMORY_UDEREF
16773+ call pax_exit_kernel_user
16774+#endif
16775+#ifdef CONFIG_PAX_RANDKSTACK
16776+ pushq %rax
16777+ pushq %r11
16778+ call pax_randomize_kstack
16779+ popq %r11
16780+ popq %rax
16781+#endif
16782+ .endm
16783+
16784+ .macro pax_erase_kstack
16785+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
16786+ call pax_erase_kstack
16787+#endif
16788+ .endm
16789+
16790 /*
16791 * 32-bit SYSENTER instruction entry.
16792 *
16793@@ -65,20 +93,21 @@ ENTRY(entry_SYSENTER_compat)
16794 */
16795 SWAPGS_UNSAFE_STACK
16796 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
16797- ENABLE_INTERRUPTS(CLBR_NONE)
16798
16799 /* Zero-extending 32-bit regs, do not remove */
16800 movl %ebp, %ebp
16801 movl %eax, %eax
16802
16803- movl ASM_THREAD_INFO(TI_sysenter_return, %rsp, 0), %r10d
16804+ GET_THREAD_INFO(%r11)
16805+ movl TI_sysenter_return(%r11), %r11d
16806
16807 /* Construct struct pt_regs on stack */
16808 pushq $__USER32_DS /* pt_regs->ss */
16809 pushq %rbp /* pt_regs->sp */
16810 pushfq /* pt_regs->flags */
16811+ orl $X86_EFLAGS_IF,(%rsp)
16812 pushq $__USER32_CS /* pt_regs->cs */
16813- pushq %r10 /* pt_regs->ip = thread_info->sysenter_return */
16814+ pushq %r11 /* pt_regs->ip = thread_info->sysenter_return */
16815 pushq %rax /* pt_regs->orig_ax */
16816 pushq %rdi /* pt_regs->di */
16817 pushq %rsi /* pt_regs->si */
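Review bot: The added `orl $X86_EFLAGS_IF,(%rsp)` right after `pushfq` has no comment, and its purpose only becomes clear once you notice that `ENABLE_INTERRUPTS` was moved below the pt_regs construction. With interrupts still off when the flags are pushed, the saved `pt_regs->flags` would otherwise record IF clear for a task that entered with interrupts enabled. A short comment would stop someone from removing it as redundant: `orl $X86_EFLAGS_IF,(%rsp) /* IRQs are still off here; user mode had IF set */`.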
16818@@ -88,15 +117,37 @@ ENTRY(entry_SYSENTER_compat)
16819 cld
16820 sub $(10*8), %rsp /* pt_regs->r8-11, bp, bx, r12-15 not saved */
16821
16822+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
16823+ movq %r12, R12(%rsp)
16824+#endif
16825+
16826+ pax_enter_kernel_user
16827+
16828+#ifdef CONFIG_PAX_RANDKSTACK
16829+ pax_erase_kstack
16830+#endif
16831+
16832+ ENABLE_INTERRUPTS(CLBR_NONE)
16833+
16834 /*
16835 * no need to do an access_ok check here because rbp has been
16836 * 32-bit zero extended
16837 */
16838+
16839+#ifdef CONFIG_PAX_MEMORY_UDEREF
16840+ addq pax_user_shadow_base, %rbp
16841+ ASM_PAX_OPEN_USERLAND
16842+#endif
16843+
16844 ASM_STAC
16845 1: movl (%rbp), %ebp
16846 _ASM_EXTABLE(1b, ia32_badarg)
16847 ASM_CLAC
16848
16849+#ifdef CONFIG_PAX_MEMORY_UDEREF
16850+ ASM_PAX_CLOSE_USERLAND
16851+#endif
16852+
16853 /*
16854 * Sysenter doesn't filter flags, so we need to clear NT
16855 * ourselves. To save a few cycles, we can check whether
16856@@ -106,8 +157,9 @@ ENTRY(entry_SYSENTER_compat)
16857 jnz sysenter_fix_flags
16858 sysenter_flags_fixed:
16859
16860- orl $TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
16861- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16862+ GET_THREAD_INFO(%r11)
16863+ orl $TS_COMPAT, TI_status(%r11)
16864+ testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%r11)
16865 jnz sysenter_tracesys
16866
16867 sysenter_do_call:
16868@@ -123,9 +175,10 @@ sysenter_dispatch:
16869 call *ia32_sys_call_table(, %rax, 8)
16870 movq %rax, RAX(%rsp)
16871 1:
16872+ GET_THREAD_INFO(%r11)
16873 DISABLE_INTERRUPTS(CLBR_NONE)
16874 TRACE_IRQS_OFF
16875- testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16876+ testl $_TIF_ALLWORK_MASK, TI_flags(%r11)
16877 jnz sysexit_audit
16878 sysexit_from_sys_call:
16879 /*
16880@@ -138,7 +191,9 @@ sysexit_from_sys_call:
16881 * This code path is still called 'sysexit' because it pairs
16882 * with 'sysenter' and it uses the SYSENTER calling convention.
16883 */
16884- andl $~TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
16885+ pax_exit_kernel_user
16886+ pax_erase_kstack
16887+ andl $~TS_COMPAT, TI_status(%r11)
16888 movl RIP(%rsp), %ecx /* User %eip */
16889 movq RAX(%rsp), %rax
16890 RESTORE_RSI_RDI
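Review bot: `andl $~TS_COMPAT, TI_status(%r11)` now runs after `pax_exit_kernel_user` and `pax_erase_kstack`, so it depends on `%r11` still holding the thread_info pointer after up to three calls. The macro definition earlier in this file brackets only the `pax_randomize_kstack` call with push/pop of `%r11`; the UDEREF and STACKLEAK calls are not bracketed, so correctness rests on those routines preserving `%r11`, which is not visible here. Either clear the flag first, with `andl $~TS_COMPAT, TI_status(%r11)` placed before `pax_exit_kernel_user`, or add a comment stating that the called routines preserve all registers. The sysretl_from_sys_call hunk has the same ordering.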
16891@@ -194,6 +249,8 @@ sysexit_from_sys_call:
16892 movl %eax, %edi /* arg1 (RDI) <= syscall number (EAX) */
16893 call __audit_syscall_entry
16894
16895+ pax_erase_kstack
16896+
16897 /*
16898 * We are going to jump back to the syscall dispatch code.
16899 * Prepare syscall args as required by the 64-bit C ABI.
16900@@ -209,7 +266,7 @@ sysexit_from_sys_call:
16901 .endm
16902
16903 .macro auditsys_exit exit
16904- testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16905+ testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), TI_flags(%r11)
16906 jnz ia32_ret_from_sys_call
16907 TRACE_IRQS_ON
16908 ENABLE_INTERRUPTS(CLBR_NONE)
16909@@ -220,10 +277,11 @@ sysexit_from_sys_call:
16910 1: setbe %al /* 1 if error, 0 if not */
16911 movzbl %al, %edi /* zero-extend that into %edi */
16912 call __audit_syscall_exit
16913+ GET_THREAD_INFO(%r11)
16914 movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT), %edi
16915 DISABLE_INTERRUPTS(CLBR_NONE)
16916 TRACE_IRQS_OFF
16917- testl %edi, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16918+ testl %edi, TI_flags(%r11)
16919 jz \exit
16920 xorl %eax, %eax /* Do not leak kernel information */
16921 movq %rax, R11(%rsp)
16922@@ -249,7 +307,7 @@ sysenter_fix_flags:
16923
16924 sysenter_tracesys:
16925 #ifdef CONFIG_AUDITSYSCALL
16926- testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16927+ testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), TI_flags(%r11)
16928 jz sysenter_auditsys
16929 #endif
16930 SAVE_EXTRA_REGS
16931@@ -269,6 +327,9 @@ sysenter_tracesys:
16932 movl %eax, %eax /* zero extension */
16933
16934 RESTORE_EXTRA_REGS
16935+
16936+ pax_erase_kstack
16937+
16938 jmp sysenter_do_call
16939 ENDPROC(entry_SYSENTER_compat)
16940
16941@@ -311,7 +372,6 @@ ENTRY(entry_SYSCALL_compat)
16942 SWAPGS_UNSAFE_STACK
16943 movl %esp, %r8d
16944 movq PER_CPU_VAR(cpu_current_top_of_stack), %rsp
16945- ENABLE_INTERRUPTS(CLBR_NONE)
16946
16947 /* Zero-extending 32-bit regs, do not remove */
16948 movl %eax, %eax
16949@@ -331,16 +391,41 @@ ENTRY(entry_SYSCALL_compat)
16950 pushq $-ENOSYS /* pt_regs->ax */
16951 sub $(10*8), %rsp /* pt_regs->r8-11, bp, bx, r12-15 not saved */
16952
16953+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
16954+ movq %r12, R12(%rsp)
16955+#endif
16956+
16957+ pax_enter_kernel_user
16958+
16959+#ifdef CONFIG_PAX_RANDKSTACK
16960+ pax_erase_kstack
16961+#endif
16962+
16963+ ENABLE_INTERRUPTS(CLBR_NONE)
16964+
16965 /*
16966 * No need to do an access_ok check here because r8 has been
16967 * 32-bit zero extended:
16968 */
16969+
16970+#ifdef CONFIG_PAX_MEMORY_UDEREF
16971+ ASM_PAX_OPEN_USERLAND
16972+ movq pax_user_shadow_base, %r8
16973+ addq RSP(%rsp), %r8
16974+#endif
16975+
16976 ASM_STAC
16977 1: movl (%r8), %r9d
16978 _ASM_EXTABLE(1b, ia32_badarg)
16979 ASM_CLAC
16980- orl $TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
16981- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
16982+
16983+#ifdef CONFIG_PAX_MEMORY_UDEREF
16984+ ASM_PAX_CLOSE_USERLAND
16985+#endif
16986+
16987+ GET_THREAD_INFO(%r11)
16988+ orl $TS_COMPAT,TI_status(%r11)
16989+ testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r11)
16990 jnz cstar_tracesys
16991
16992 cstar_do_call:
16993@@ -358,13 +443,16 @@ cstar_dispatch:
16994 call *ia32_sys_call_table(, %rax, 8)
16995 movq %rax, RAX(%rsp)
16996 1:
16997+ GET_THREAD_INFO(%r11)
16998 DISABLE_INTERRUPTS(CLBR_NONE)
16999 TRACE_IRQS_OFF
17000- testl $_TIF_ALLWORK_MASK, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
17001+ testl $_TIF_ALLWORK_MASK, TI_flags(%r11)
17002 jnz sysretl_audit
17003
17004 sysretl_from_sys_call:
17005- andl $~TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
17006+ pax_exit_kernel_user
17007+ pax_erase_kstack
17008+ andl $~TS_COMPAT, TI_status(%r11)
17009 RESTORE_RSI_RDI_RDX
17010 movl RIP(%rsp), %ecx
17011 movl EFLAGS(%rsp), %r11d
17012@@ -403,7 +491,7 @@ sysretl_audit:
17013
17014 cstar_tracesys:
17015 #ifdef CONFIG_AUDITSYSCALL
17016- testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
17017+ testl $(_TIF_WORK_SYSCALL_ENTRY & ~_TIF_SYSCALL_AUDIT), TI_flags(%r11)
17018 jz cstar_auditsys
17019 #endif
17020 xchgl %r9d, %ebp
17021@@ -426,11 +514,19 @@ cstar_tracesys:
17022
17023 RESTORE_EXTRA_REGS
17024 xchgl %ebp, %r9d
17025+
17026+ pax_erase_kstack
17027+
17028 jmp cstar_do_call
17029 END(entry_SYSCALL_compat)
17030
17031 ia32_badarg:
17032 ASM_CLAC
17033+
17034+#ifdef CONFIG_PAX_MEMORY_UDEREF
17035+ ASM_PAX_CLOSE_USERLAND
17036+#endif
17037+
17038 movq $-EFAULT, RAX(%rsp)
17039 ia32_ret_from_sys_call:
17040 xorl %eax, %eax /* Do not leak kernel information */
17041@@ -462,14 +558,8 @@ ia32_ret_from_sys_call:
17042 */
17043
17044 ENTRY(entry_INT80_compat)
17045- /*
17046- * Interrupts are off on entry.
17047- * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
17048- * it is too small to ever cause noticeable irq latency.
17049- */
17050 PARAVIRT_ADJUST_EXCEPTION_FRAME
17051 SWAPGS
17052- ENABLE_INTERRUPTS(CLBR_NONE)
17053
17054 /* Zero-extending 32-bit regs, do not remove */
17055 movl %eax, %eax
17056@@ -488,8 +578,26 @@ ENTRY(entry_INT80_compat)
17057 cld
17058 sub $(6*8), %rsp /* pt_regs->bp, bx, r12-15 not saved */
17059
17060- orl $TS_COMPAT, ASM_THREAD_INFO(TI_status, %rsp, SIZEOF_PTREGS)
17061- testl $_TIF_WORK_SYSCALL_ENTRY, ASM_THREAD_INFO(TI_flags, %rsp, SIZEOF_PTREGS)
17062+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
17063+ movq %r12, R12(%rsp)
17064+#endif
17065+
17066+ pax_enter_kernel_user
17067+
17068+#ifdef CONFIG_PAX_RANDKSTACK
17069+ pax_erase_kstack
17070+#endif
17071+
17072+ /*
17073+ * Interrupts are off on entry.
17074+ * We do not frame this tiny irq-off block with TRACE_IRQS_OFF/ON,
17075+ * it is too small to ever cause noticeable irq latency.
17076+ */
17077+ ENABLE_INTERRUPTS(CLBR_NONE)
17078+
17079+ GET_THREAD_INFO(%r11)
17080+ orl $TS_COMPAT, TI_status(%r11)
17081+ testl $_TIF_WORK_SYSCALL_ENTRY, TI_flags(%r11)
17082 jnz ia32_tracesys
17083
17084 ia32_do_call:
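Review bot: The comment moved down with `ENABLE_INTERRUPTS` still says the irq-off block is tiny and "too small to ever cause noticeable irq latency", but that block now also contains `pax_enter_kernel_user` and, under RANDKSTACK, `pax_erase_kstack`. Whether those are cheap is not visible from this hunk, so the claim should be re-checked rather than carried over unchanged. I would reword it to what still holds: `/* Interrupts are off on entry and stay off until the PaX entry work above is done; the block is not framed with TRACE_IRQS_OFF/ON. */`.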
17085@@ -524,6 +632,9 @@ ia32_tracesys:
17086 movl RDI(%rsp), %edi
17087 movl %eax, %eax /* zero extension */
17088 RESTORE_EXTRA_REGS
17089+
17090+ pax_erase_kstack
17091+
17092 jmp ia32_do_call
17093 END(entry_INT80_compat)
17094
17095diff --git a/arch/x86/entry/thunk_64.S b/arch/x86/entry/thunk_64.S
17096index efb2b93..8a9cb8e 100644
17097--- a/arch/x86/entry/thunk_64.S
17098+++ b/arch/x86/entry/thunk_64.S
17099@@ -8,6 +8,7 @@
17100 #include <linux/linkage.h>
17101 #include "calling.h"
17102 #include <asm/asm.h>
17103+#include <asm/alternative-asm.h>
17104
17105 /* rdi: arg1 ... normal C conventions. rax is saved/restored. */
17106 .macro THUNK name, func, put_ret_addr_in_rdi=0
17107@@ -62,6 +63,7 @@ restore:
17108 popq %rdx
17109 popq %rsi
17110 popq %rdi
17111+ pax_force_retaddr
17112 ret
17113 _ASM_NOKPROBE(restore)
17114 #endif
17115diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile
17116index e970320..c006fea 100644
17117--- a/arch/x86/entry/vdso/Makefile
17118+++ b/arch/x86/entry/vdso/Makefile
17119@@ -175,7 +175,7 @@ quiet_cmd_vdso = VDSO $@
17120 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
17121 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
17122
17123-VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) \
17124+VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv) \
17125 $(call cc-ldoption, -Wl$(comma)--build-id) -Wl,-Bsymbolic $(LTO_CFLAGS)
17126 GCOV_PROFILE := n
17127
17128diff --git a/arch/x86/entry/vdso/vdso2c.h b/arch/x86/entry/vdso/vdso2c.h
17129index 0224987..8deb742 100644
17130--- a/arch/x86/entry/vdso/vdso2c.h
17131+++ b/arch/x86/entry/vdso/vdso2c.h
17132@@ -12,7 +12,7 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
17133 unsigned long load_size = -1; /* Work around bogus warning */
17134 unsigned long mapping_size;
17135 ELF(Ehdr) *hdr = (ELF(Ehdr) *)raw_addr;
17136- int i;
17137+ unsigned int i;
17138 unsigned long j;
17139 ELF(Shdr) *symtab_hdr = NULL, *strtab_hdr, *secstrings_hdr,
17140 *alt_sec = NULL;
17141@@ -83,7 +83,7 @@ static void BITSFUNC(go)(void *raw_addr, size_t raw_len,
17142 for (i = 0;
17143 i < GET_LE(&symtab_hdr->sh_size) / GET_LE(&symtab_hdr->sh_entsize);
17144 i++) {
17145- int k;
17146+ unsigned int k;
17147 ELF(Sym) *sym = raw_addr + GET_LE(&symtab_hdr->sh_offset) +
17148 GET_LE(&symtab_hdr->sh_entsize) * i;
17149 const char *name = raw_addr + GET_LE(&strtab_hdr->sh_offset) +
17150diff --git a/arch/x86/entry/vdso/vma.c b/arch/x86/entry/vdso/vma.c
17151index 1c9f750..cfddb1a 100644
17152--- a/arch/x86/entry/vdso/vma.c
17153+++ b/arch/x86/entry/vdso/vma.c
17154@@ -19,10 +19,7 @@
17155 #include <asm/page.h>
17156 #include <asm/hpet.h>
17157 #include <asm/desc.h>
17158-
17159-#if defined(CONFIG_X86_64)
17160-unsigned int __read_mostly vdso64_enabled = 1;
17161-#endif
17162+#include <asm/mman.h>
17163
17164 void __init init_vdso_image(const struct vdso_image *image)
17165 {
17166@@ -101,6 +98,11 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
17167 .pages = no_pages,
17168 };
17169
17170+#ifdef CONFIG_PAX_RANDMMAP
17171+ if (mm->pax_flags & MF_PAX_RANDMMAP)
17172+ calculate_addr = false;
17173+#endif
17174+
17175 if (calculate_addr) {
17176 addr = vdso_addr(current->mm->start_stack,
17177 image->size - image->sym_vvar_start);
17178@@ -111,14 +113,14 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
17179 down_write(&mm->mmap_sem);
17180
17181 addr = get_unmapped_area(NULL, addr,
17182- image->size - image->sym_vvar_start, 0, 0);
17183+ image->size - image->sym_vvar_start, 0, MAP_EXECUTABLE);
17184 if (IS_ERR_VALUE(addr)) {
17185 ret = addr;
17186 goto up_fail;
17187 }
17188
17189 text_start = addr - image->sym_vvar_start;
17190- current->mm->context.vdso = (void __user *)text_start;
17191+ mm->context.vdso = text_start;
17192
17193 /*
17194 * MAYWRITE to allow gdb to COW and set breakpoints
17195@@ -163,15 +165,12 @@ static int map_vdso(const struct vdso_image *image, bool calculate_addr)
17196 hpet_address >> PAGE_SHIFT,
17197 PAGE_SIZE,
17198 pgprot_noncached(PAGE_READONLY));
17199-
17200- if (ret)
17201- goto up_fail;
17202 }
17203 #endif
17204
17205 up_fail:
17206 if (ret)
17207- current->mm->context.vdso = NULL;
17208+ current->mm->context.vdso = 0;
17209
17210 up_write(&mm->mmap_sem);
17211 return ret;
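Review bot: The failure path clears the field with `current->mm->context.vdso = 0;` while the earlier hunk in `map_vdso()` was changed to assign through the local, `mm->context.vdso = text_start;`. Both name the same object as long as `mm` was taken from `current->mm`, but the mixed spelling invites a reader to wonder whether they can differ. I would use `mm->context.vdso = 0;` here as well. Dropping the `if (ret) goto up_fail;` after the HPET mapping is fine, since control falls through to `up_fail` anyway.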
17212@@ -191,8 +190,8 @@ static int load_vdso32(void)
17213
17214 if (selected_vdso32->sym_VDSO32_SYSENTER_RETURN)
17215 current_thread_info()->sysenter_return =
17216- current->mm->context.vdso +
17217- selected_vdso32->sym_VDSO32_SYSENTER_RETURN;
17218+ (void __force_user *)(current->mm->context.vdso +
17219+ selected_vdso32->sym_VDSO32_SYSENTER_RETURN);
17220
17221 return 0;
17222 }
17223@@ -201,9 +200,6 @@ static int load_vdso32(void)
17224 #ifdef CONFIG_X86_64
17225 int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
17226 {
17227- if (!vdso64_enabled)
17228- return 0;
17229-
17230 return map_vdso(&vdso_image_64, true);
17231 }
17232
17233@@ -212,12 +208,8 @@ int compat_arch_setup_additional_pages(struct linux_binprm *bprm,
17234 int uses_interp)
17235 {
17236 #ifdef CONFIG_X86_X32_ABI
17237- if (test_thread_flag(TIF_X32)) {
17238- if (!vdso64_enabled)
17239- return 0;
17240-
17241+ if (test_thread_flag(TIF_X32))
17242 return map_vdso(&vdso_image_x32, true);
17243- }
17244 #endif
17245
17246 return load_vdso32();
17247@@ -231,15 +223,6 @@ int arch_setup_additional_pages(struct linux_binprm *bprm, int uses_interp)
17248 #endif
17249
17250 #ifdef CONFIG_X86_64
17251-static __init int vdso_setup(char *s)
17252-{
17253- vdso64_enabled = simple_strtoul(s, NULL, 0);
17254- return 0;
17255-}
17256-__setup("vdso=", vdso_setup);
17257-#endif
17258-
17259-#ifdef CONFIG_X86_64
17260 static void vgetcpu_cpu_init(void *arg)
17261 {
17262 int cpu = smp_processor_id();
17263diff --git a/arch/x86/entry/vsyscall/vsyscall_64.c b/arch/x86/entry/vsyscall/vsyscall_64.c
17264index 2dcc6ff..082dc7a 100644
17265--- a/arch/x86/entry/vsyscall/vsyscall_64.c
17266+++ b/arch/x86/entry/vsyscall/vsyscall_64.c
17267@@ -38,15 +38,13 @@
17268 #define CREATE_TRACE_POINTS
17269 #include "vsyscall_trace.h"
17270
17271-static enum { EMULATE, NATIVE, NONE } vsyscall_mode = EMULATE;
17272+static enum { EMULATE, NONE } vsyscall_mode = EMULATE;
17273
17274 static int __init vsyscall_setup(char *str)
17275 {
17276 if (str) {
17277 if (!strcmp("emulate", str))
17278 vsyscall_mode = EMULATE;
17279- else if (!strcmp("native", str))
17280- vsyscall_mode = NATIVE;
17281 else if (!strcmp("none", str))
17282 vsyscall_mode = NONE;
17283 else
17284@@ -264,8 +262,7 @@ do_ret:
17285 return true;
17286
17287 sigsegv:
17288- force_sig(SIGSEGV, current);
17289- return true;
17290+ do_group_exit(SIGKILL);
17291 }
17292
17293 /*
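Review bot: After this change the `sigsegv:` label no longer raises SIGSEGV: `do_group_exit(SIGKILL)` ends the whole thread group with a signal the process cannot catch, so the label name and any caller expecting a `true` return are now misleading. The function also falls off its end with no `return`, which is only clean if `do_group_exit` is declared noreturn somewhere outside this hunk. I would add a comment at the call, `/* a malformed vsyscall is treated as an attack: kill the thread group, no catchable SIGSEGV */`, and consider renaming the label. The start of the function is outside the hunk.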
17294@@ -283,8 +280,8 @@ static struct vm_operations_struct gate_vma_ops = {
17295 static struct vm_area_struct gate_vma = {
17296 .vm_start = VSYSCALL_ADDR,
17297 .vm_end = VSYSCALL_ADDR + PAGE_SIZE,
17298- .vm_page_prot = PAGE_READONLY_EXEC,
17299- .vm_flags = VM_READ | VM_EXEC,
17300+ .vm_page_prot = PAGE_READONLY,
17301+ .vm_flags = VM_READ,
17302 .vm_ops = &gate_vma_ops,
17303 };
17304
17305@@ -325,10 +322,7 @@ void __init map_vsyscall(void)
17306 unsigned long physaddr_vsyscall = __pa_symbol(&__vsyscall_page);
17307
17308 if (vsyscall_mode != NONE)
17309- __set_fixmap(VSYSCALL_PAGE, physaddr_vsyscall,
17310- vsyscall_mode == NATIVE
17311- ? PAGE_KERNEL_VSYSCALL
17312- : PAGE_KERNEL_VVAR);
17313+ __set_fixmap(VSYSCALL_PAGE, physaddr_vsyscall, PAGE_KERNEL_VVAR);
17314
17315 BUILD_BUG_ON((unsigned long)__fix_to_virt(VSYSCALL_PAGE) !=
17316 (unsigned long)VSYSCALL_ADDR);
17317diff --git a/arch/x86/ia32/ia32_aout.c b/arch/x86/ia32/ia32_aout.c
17318index ae6aad1..719d6d9 100644
17319--- a/arch/x86/ia32/ia32_aout.c
17320+++ b/arch/x86/ia32/ia32_aout.c
17321@@ -153,6 +153,8 @@ static int aout_core_dump(struct coredump_params *cprm)
17322 unsigned long dump_start, dump_size;
17323 struct user32 dump;
17324
17325+ memset(&dump, 0, sizeof(dump));
17326+
17327 fs = get_fs();
17328 set_fs(KERNEL_DS);
17329 has_dumped = 1;
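Review bot: The added `memset(&dump, 0, sizeof(dump));` has no comment saying what it protects, so it could later be removed as a redundant initialisation. `dump` is a `struct user32` on the kernel stack, and any padding or field the later fill code skips would otherwise carry stale stack bytes into the core file. I would add `/* zero everything, padding included: no stale kernel stack bytes may reach the core file */` above it. The code that fills and writes `dump` is outside the hunk, so which fields stay unset cannot be confirmed from here.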
17330diff --git a/arch/x86/ia32/ia32_signal.c b/arch/x86/ia32/ia32_signal.c
17331index ae3a29a..cea65e9 100644
17332--- a/arch/x86/ia32/ia32_signal.c
17333+++ b/arch/x86/ia32/ia32_signal.c
17334@@ -216,7 +216,7 @@ asmlinkage long sys32_sigreturn(void)
17335 if (__get_user(set.sig[0], &frame->sc.oldmask)
17336 || (_COMPAT_NSIG_WORDS > 1
17337 && __copy_from_user((((char *) &set.sig) + 4),
17338- &frame->extramask,
17339+ frame->extramask,
17340 sizeof(frame->extramask))))
17341 goto badframe;
17342
17343@@ -336,7 +336,7 @@ static void __user *get_sigframe(struct ksignal *ksig, struct pt_regs *regs,
17344 sp -= frame_size;
17345 /* Align the stack pointer according to the i386 ABI,
17346 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
17347- sp = ((sp + 4) & -16ul) - 4;
17348+ sp = ((sp - 12) & -16ul) - 4;
17349 return (void __user *) sp;
17350 }
17351
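Review bot: The comment above the changed line explains only the alignment, but `((sp - 12) & -16ul) - 4` does more than restate it. `sp - 12` equals `(sp + 4) - 16`, so the frame now lands exactly 16 bytes lower than before while `((sp + 4) & 15) == 0` still holds. Nothing in the hunk says why the extra 16 bytes are wanted. A line such as `/* place the frame one 16-byte slot lower than the plain ABI alignment: REASON-FROM-AUTHOR */` would keep the constant from being "corrected" back later. get_sigframe starts outside the hunk.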
17352@@ -381,10 +381,10 @@ int ia32_setup_frame(int sig, struct ksignal *ksig,
17353 } else {
17354 /* Return stub is in 32bit vsyscall page */
17355 if (current->mm->context.vdso)
17356- restorer = current->mm->context.vdso +
17357- selected_vdso32->sym___kernel_sigreturn;
17358+ restorer = (void __force_user *)(current->mm->context.vdso +
17359+ selected_vdso32->sym___kernel_sigreturn);
17360 else
17361- restorer = &frame->retcode;
17362+ restorer = frame->retcode;
17363 }
17364
17365 put_user_try {
17366@@ -394,7 +394,7 @@ int ia32_setup_frame(int sig, struct ksignal *ksig,
17367 * These are actually not used anymore, but left because some
17368 * gdb versions depend on them as a marker.
17369 */
17370- put_user_ex(*((u64 *)&code), (u64 __user *)frame->retcode);
17371+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
17372 } put_user_catch(err);
17373
17374 if (err)
17375@@ -436,7 +436,7 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
17376 0xb8,
17377 __NR_ia32_rt_sigreturn,
17378 0x80cd,
17379- 0,
17380+ 0
17381 };
17382
17383 frame = get_sigframe(ksig, regs, sizeof(*frame), &fpstate);
17384@@ -459,16 +459,19 @@ int ia32_setup_rt_frame(int sig, struct ksignal *ksig,
17385
17386 if (ksig->ka.sa.sa_flags & SA_RESTORER)
17387 restorer = ksig->ka.sa.sa_restorer;
17388+ else if (current->mm->context.vdso)
17389+ /* Return stub is in 32bit vsyscall page */
17390+ restorer = (void __force_user *)(current->mm->context.vdso +
17391+ selected_vdso32->sym___kernel_rt_sigreturn);
17392 else
17393- restorer = current->mm->context.vdso +
17394- selected_vdso32->sym___kernel_rt_sigreturn;
17395+ restorer = frame->retcode;
17396 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
17397
17398 /*
17399 * Not actually used anymore, but left because some gdb
17400 * versions need it.
17401 */
17402- put_user_ex(*((u64 *)&code), (u64 __user *)frame->retcode);
17403+ put_user_ex(*((const u64 *)&code), (u64 __user *)frame->retcode);
17404 } put_user_catch(err);
17405
17406 err |= copy_siginfo_to_user32(&frame->info, &ksig->info);
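Review bot: The comment kept below the new branch, "Not actually used anymore, but left because some gdb versions need it", is no longer accurate for this function. The added `else restorer = frame->retcode;` makes the on-stack stub the real return path whenever `SA_RESTORER` is unset and `current->mm->context.vdso` is null. Reword it to say that `retcode` is the fallback restorer when no vDSO is mapped and a gdb marker otherwise; the matching comment in ia32_setup_frame, two hunks up, needs the same change. That fallback returns through code on the user stack, so the comment should also say what it depends on; presumably this is intended, but confirm with the author. The function continues outside the hunk.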
17407diff --git a/arch/x86/ia32/sys_ia32.c b/arch/x86/ia32/sys_ia32.c
17408index 719cd70..72af944 100644
17409--- a/arch/x86/ia32/sys_ia32.c
17410+++ b/arch/x86/ia32/sys_ia32.c
17411@@ -49,18 +49,26 @@
17412
17413 #define AA(__x) ((unsigned long)(__x))
17414
17415+static inline loff_t compose_loff(unsigned int high, unsigned int low)
17416+{
17417+ loff_t retval = low;
17418+
17419+ BUILD_BUG_ON(sizeof retval != sizeof low + sizeof high);
17420+ __builtin_memcpy((unsigned char *)&retval + sizeof low, &high, sizeof high);
17421+ return retval;
17422+}
17423
17424 asmlinkage long sys32_truncate64(const char __user *filename,
17425- unsigned long offset_low,
17426- unsigned long offset_high)
17427+ unsigned int offset_low,
17428+ unsigned int offset_high)
17429 {
17430- return sys_truncate(filename, ((loff_t) offset_high << 32) | offset_low);
17431+ return sys_truncate(filename, compose_loff(offset_high, offset_low));
17432 }
17433
17434-asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned long offset_low,
17435- unsigned long offset_high)
17436+asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned int offset_low,
17437+ unsigned int offset_high)
17438 {
17439- return sys_ftruncate(fd, ((loff_t) offset_high << 32) | offset_low);
17440+ return sys_ftruncate(fd, ((unsigned long) offset_high << 32) | offset_low);
17441 }
17442
17443 /*
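Review bot: `sys32_ftruncate64` is the only converted wrapper in this file's diff that does not use the new `compose_loff()`. It builds the offset with `((unsigned long) offset_high << 32) | offset_low`, while `sys32_truncate64` just above it calls the helper. If that is deliberate (the callee's parameter type is not visible here) it needs a comment; otherwise use `return sys_ftruncate(fd, compose_loff(offset_high, offset_low));`. `compose_loff()` itself should carry a short comment saying that it copies `high` into the bytes at offset `sizeof low`, which is only correct for a little-endian layout, and why a plain shift is avoided.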
17444@@ -69,8 +77,8 @@ asmlinkage long sys32_ftruncate64(unsigned int fd, unsigned long offset_low,
17445 */
17446 static int cp_stat64(struct stat64 __user *ubuf, struct kstat *stat)
17447 {
17448- typeof(ubuf->st_uid) uid = 0;
17449- typeof(ubuf->st_gid) gid = 0;
17450+ typeof(((struct stat64 *)0)->st_uid) uid = 0;
17451+ typeof(((struct stat64 *)0)->st_gid) gid = 0;
17452 SET_UID(uid, from_kuid_munged(current_user_ns(), stat->uid));
17453 SET_GID(gid, from_kgid_munged(current_user_ns(), stat->gid));
17454 if (!access_ok(VERIFY_WRITE, ubuf, sizeof(struct stat64)) ||
17455@@ -196,29 +204,29 @@ long sys32_fadvise64_64(int fd, __u32 offset_low, __u32 offset_high,
17456 __u32 len_low, __u32 len_high, int advice)
17457 {
17458 return sys_fadvise64_64(fd,
17459- (((u64)offset_high)<<32) | offset_low,
17460- (((u64)len_high)<<32) | len_low,
17461+ compose_loff(offset_high, offset_low),
17462+ compose_loff(len_high, len_low),
17463 advice);
17464 }
17465
17466 asmlinkage ssize_t sys32_readahead(int fd, unsigned off_lo, unsigned off_hi,
17467 size_t count)
17468 {
17469- return sys_readahead(fd, ((u64)off_hi << 32) | off_lo, count);
17470+ return sys_readahead(fd, compose_loff(off_hi, off_lo), count);
17471 }
17472
17473 asmlinkage long sys32_sync_file_range(int fd, unsigned off_low, unsigned off_hi,
17474 unsigned n_low, unsigned n_hi, int flags)
17475 {
17476 return sys_sync_file_range(fd,
17477- ((u64)off_hi << 32) | off_low,
17478- ((u64)n_hi << 32) | n_low, flags);
17479+ compose_loff(off_hi, off_low),
17480+ compose_loff(n_hi, n_low), flags);
17481 }
17482
17483 asmlinkage long sys32_fadvise64(int fd, unsigned offset_lo, unsigned offset_hi,
17484- size_t len, int advice)
17485+ int len, int advice)
17486 {
17487- return sys_fadvise64_64(fd, ((u64)offset_hi << 32) | offset_lo,
17488+ return sys_fadvise64_64(fd, compose_loff(offset_hi, offset_lo),
17489 len, advice);
17490 }
17491
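Review bot: In `sys32_fadvise64` the `len` parameter changes from `size_t` to `int`, so a 32-bit caller's length of 0x80000000 or more is now negative and is sign-extended when passed to `sys_fadvise64_64`. Before this change it stayed positive. If reinterpreting such lengths is intended, say so above the wrapper, for example `/* len is deliberately signed: lengths >= 2 GiB become negative */`; if not, keep an unsigned type such as `unsigned int len`. The other wrappers in this hunk also move from `u64` to the signed `loff_t` returned by `compose_loff()`, which is defined in an earlier hunk. The bit pattern is unchanged, but the signedness change should be recorded in the commit description.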
17492@@ -226,6 +234,6 @@ asmlinkage long sys32_fallocate(int fd, int mode, unsigned offset_lo,
17493 unsigned offset_hi, unsigned len_lo,
17494 unsigned len_hi)
17495 {
17496- return sys_fallocate(fd, mode, ((u64)offset_hi << 32) | offset_lo,
17497- ((u64)len_hi << 32) | len_lo);
17498+ return sys_fallocate(fd, mode, compose_loff(offset_hi, offset_lo),
17499+ compose_loff(len_hi, len_lo));
17500 }
17501diff --git a/arch/x86/include/asm/alternative-asm.h b/arch/x86/include/asm/alternative-asm.h
17502index e7636ba..e1fb78a 100644
17503--- a/arch/x86/include/asm/alternative-asm.h
17504+++ b/arch/x86/include/asm/alternative-asm.h
17505@@ -18,6 +18,45 @@
17506 .endm
17507 #endif
17508
17509+#ifdef KERNEXEC_PLUGIN
17510+ .macro pax_force_retaddr_bts rip=0
17511+ btsq $63,\rip(%rsp)
17512+ .endm
17513+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS
17514+ .macro pax_force_retaddr rip=0, reload=0
17515+ btsq $63,\rip(%rsp)
17516+ .endm
17517+ .macro pax_force_fptr ptr
17518+ btsq $63,\ptr
17519+ .endm
17520+ .macro pax_set_fptr_mask
17521+ .endm
17522+#endif
17523+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
17524+ .macro pax_force_retaddr rip=0, reload=0
17525+ .if \reload
17526+ pax_set_fptr_mask
17527+ .endif
17528+ orq %r12,\rip(%rsp)
17529+ .endm
17530+ .macro pax_force_fptr ptr
17531+ orq %r12,\ptr
17532+ .endm
17533+ .macro pax_set_fptr_mask
17534+ movabs $0x8000000000000000,%r12
17535+ .endm
17536+#endif
17537+#else
17538+ .macro pax_force_retaddr rip=0, reload=0
17539+ .endm
17540+ .macro pax_force_fptr ptr
17541+ .endm
17542+ .macro pax_force_retaddr_bts rip=0
17543+ .endm
17544+ .macro pax_set_fptr_mask
17545+ .endm
17546+#endif
17547+
17548 /*
17549 * Issue one struct alt_instr descriptor entry (need to put it into
17550 * the section .altinstructions, see below). This entry contains
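Review bot: When `KERNEXEC_PLUGIN` is defined but neither `CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS` nor `CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR` is, only `pax_force_retaddr_bts` gets defined. Any later use of `pax_force_retaddr`, `pax_force_fptr` or `pax_set_fptr_mask` then fails with an unhelpful assembler error. A guard after the two method blocks makes the misconfiguration explicit: `#if !defined(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS) && !defined(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR)`, `#error "KERNEXEC_PLUGIN requires a method to be selected"`, `#endif`. The OR variant also depends on `%r12` holding the mask loaded by `pax_set_fptr_mask`, so a one-line comment stating that `%r12` is reserved for this would help anyone writing assembly against these macros.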
17551@@ -50,7 +89,7 @@
17552 altinstruction_entry 140b,143f,\feature,142b-140b,144f-143f,142b-141b
17553 .popsection
17554
17555- .pushsection .altinstr_replacement,"ax"
17556+ .pushsection .altinstr_replacement,"a"
17557 143:
17558 \newinstr
17559 144:
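Review bot: The flags for `.altinstr_replacement` lose the `x` with no comment explaining why code is placed in a non-executable section. This happens here, in the second `.pushsection` hunk of this file, and in both `.pushsection` hunks of arch/x86/include/asm/alternative.h. As far as I know the replacement bytes are only copied over the original site when alternatives are applied and are never run in place, which is what makes the change safe. State that next to the macro, e.g. `/* replacement code is copied into place, never executed from this section */`. Any linker script or tooling that selects this section by its flags is outside this view and should be checked.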
17560@@ -86,7 +125,7 @@
17561 altinstruction_entry 140b,144f,\feature2,142b-140b,145f-144f,142b-141b
17562 .popsection
17563
17564- .pushsection .altinstr_replacement,"ax"
17565+ .pushsection .altinstr_replacement,"a"
17566 143:
17567 \newinstr1
17568 144:
17569diff --git a/arch/x86/include/asm/alternative.h b/arch/x86/include/asm/alternative.h
17570index 7bfc85b..65d1ec4 100644
17571--- a/arch/x86/include/asm/alternative.h
17572+++ b/arch/x86/include/asm/alternative.h
17573@@ -136,7 +136,7 @@ static inline int alternatives_text_reserved(void *start, void *end)
17574 ".pushsection .altinstructions,\"a\"\n" \
17575 ALTINSTR_ENTRY(feature, 1) \
17576 ".popsection\n" \
17577- ".pushsection .altinstr_replacement, \"ax\"\n" \
17578+ ".pushsection .altinstr_replacement, \"a\"\n" \
17579 ALTINSTR_REPLACEMENT(newinstr, feature, 1) \
17580 ".popsection"
17581
17582@@ -146,7 +146,7 @@ static inline int alternatives_text_reserved(void *start, void *end)
17583 ALTINSTR_ENTRY(feature1, 1) \
17584 ALTINSTR_ENTRY(feature2, 2) \
17585 ".popsection\n" \
17586- ".pushsection .altinstr_replacement, \"ax\"\n" \
17587+ ".pushsection .altinstr_replacement, \"a\"\n" \
17588 ALTINSTR_REPLACEMENT(newinstr1, feature1, 1) \
17589 ALTINSTR_REPLACEMENT(newinstr2, feature2, 2) \
17590 ".popsection"
17591diff --git a/arch/x86/include/asm/apic.h b/arch/x86/include/asm/apic.h
17592index c839363..b9a8c43 100644
17593--- a/arch/x86/include/asm/apic.h
17594+++ b/arch/x86/include/asm/apic.h
17595@@ -45,7 +45,7 @@ static inline void generic_apic_probe(void)
17596
17597 #ifdef CONFIG_X86_LOCAL_APIC
17598
17599-extern unsigned int apic_verbosity;
17600+extern int apic_verbosity;
17601 extern int local_apic_timer_c2_ok;
17602
17603 extern int disable_apic;
17604diff --git a/arch/x86/include/asm/apm.h b/arch/x86/include/asm/apm.h
17605index 20370c6..a2eb9b0 100644
17606--- a/arch/x86/include/asm/apm.h
17607+++ b/arch/x86/include/asm/apm.h
17608@@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32 func, u32 ebx_in, u32 ecx_in,
17609 __asm__ __volatile__(APM_DO_ZERO_SEGS
17610 "pushl %%edi\n\t"
17611 "pushl %%ebp\n\t"
17612- "lcall *%%cs:apm_bios_entry\n\t"
17613+ "lcall *%%ss:apm_bios_entry\n\t"
17614 "setc %%al\n\t"
17615 "popl %%ebp\n\t"
17616 "popl %%edi\n\t"
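Review bot: The far-call operand changes from `%%cs:apm_bios_entry` to `%%ss:apm_bios_entry` with nothing recording why, both here and in `apm_bios_call_simple_asm` in the next hunk. `apm_bios_entry` is the memory operand holding the far pointer, so the override only selects the segment used to read it. Presumably the patched kernel's code segment can no longer be relied on to cover that data; confirm with the author. A comment above the asm statement such as `/* read the far pointer through %ss, not %cs: REASON-FROM-AUTHOR */` would keep the override from being reverted as a typo.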
17617@@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_asm(u32 func, u32 ebx_in,
17618 __asm__ __volatile__(APM_DO_ZERO_SEGS
17619 "pushl %%edi\n\t"
17620 "pushl %%ebp\n\t"
17621- "lcall *%%cs:apm_bios_entry\n\t"
17622+ "lcall *%%ss:apm_bios_entry\n\t"
17623 "setc %%bl\n\t"
17624 "popl %%ebp\n\t"
17625 "popl %%edi\n\t"
17626diff --git a/arch/x86/include/asm/atomic.h b/arch/x86/include/asm/atomic.h
17627index e916895..42d729d 100644
17628--- a/arch/x86/include/asm/atomic.h
17629+++ b/arch/x86/include/asm/atomic.h
17630@@ -28,6 +28,17 @@ static __always_inline int atomic_read(const atomic_t *v)
17631 }
17632
17633 /**
17634+ * atomic_read_unchecked - read atomic variable
17635+ * @v: pointer of type atomic_unchecked_t
17636+ *
17637+ * Atomically reads the value of @v.
17638+ */
17639+static __always_inline int __intentional_overflow(-1) atomic_read_unchecked(const atomic_unchecked_t *v)
17640+{
17641+ return ACCESS_ONCE((v)->counter);
17642+}
17643+
17644+/**
17645 * atomic_set - set atomic variable
17646 * @v: pointer of type atomic_t
17647 * @i: required value
17648@@ -40,6 +51,18 @@ static __always_inline void atomic_set(atomic_t *v, int i)
17649 }
17650
17651 /**
17652+ * atomic_set_unchecked - set atomic variable
17653+ * @v: pointer of type atomic_unchecked_t
17654+ * @i: required value
17655+ *
17656+ * Atomically sets the value of @v to @i.
17657+ */
17658+static __always_inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
17659+{
17660+ v->counter = i;
17661+}
17662+
17663+/**
17664 * atomic_add - add integer to atomic variable
17665 * @i: integer value to add
17666 * @v: pointer of type atomic_t
17667@@ -48,7 +71,29 @@ static __always_inline void atomic_set(atomic_t *v, int i)
17668 */
17669 static __always_inline void atomic_add(int i, atomic_t *v)
17670 {
17671- asm volatile(LOCK_PREFIX "addl %1,%0"
17672+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
17673+
17674+#ifdef CONFIG_PAX_REFCOUNT
17675+ "jno 0f\n"
17676+ LOCK_PREFIX "subl %1,%0\n"
17677+ "int $4\n0:\n"
17678+ _ASM_EXTABLE(0b, 0b)
17679+#endif
17680+
17681+ : "+m" (v->counter)
17682+ : "ir" (i));
17683+}
17684+
17685+/**
17686+ * atomic_add_unchecked - add integer to atomic variable
17687+ * @i: integer value to add
17688+ * @v: pointer of type atomic_unchecked_t
17689+ *
17690+ * Atomically adds @i to @v.
17691+ */
17692+static __always_inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
17693+{
17694+ asm volatile(LOCK_PREFIX "addl %1,%0\n"
17695 : "+m" (v->counter)
17696 : "ir" (i));
17697 }
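Review bot: The kernel-doc for `atomic_add` still describes a plain add, but under `CONFIG_PAX_REFCOUNT` the new sequence detects signed overflow with `jno`, undoes the add with a second `LOCK_PREFIX "subl %1,%0"` and raises `int $4`. The add and the undo are two separate locked instructions, so another CPU can observe the wrapped value in between. That window should be stated in the comment so callers do not assume the counter can never appear wrapped. The same applies to `atomic_sub`, `atomic_inc` and `atomic_dec` in the following hunks and to the `atomic64_*` counterparts in arch/x86/include/asm/atomic64_64.h. The `_unchecked` variants should also say in their kernel-doc that they are only for counters where wraparound is harmless, never for reference counts.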
17698@@ -62,7 +107,29 @@ static __always_inline void atomic_add(int i, atomic_t *v)
17699 */
17700 static __always_inline void atomic_sub(int i, atomic_t *v)
17701 {
17702- asm volatile(LOCK_PREFIX "subl %1,%0"
17703+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
17704+
17705+#ifdef CONFIG_PAX_REFCOUNT
17706+ "jno 0f\n"
17707+ LOCK_PREFIX "addl %1,%0\n"
17708+ "int $4\n0:\n"
17709+ _ASM_EXTABLE(0b, 0b)
17710+#endif
17711+
17712+ : "+m" (v->counter)
17713+ : "ir" (i));
17714+}
17715+
17716+/**
17717+ * atomic_sub_unchecked - subtract integer from atomic variable
17718+ * @i: integer value to subtract
17719+ * @v: pointer of type atomic_unchecked_t
17720+ *
17721+ * Atomically subtracts @i from @v.
17722+ */
17723+static __always_inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
17724+{
17725+ asm volatile(LOCK_PREFIX "subl %1,%0\n"
17726 : "+m" (v->counter)
17727 : "ir" (i));
17728 }
17729@@ -78,7 +145,7 @@ static __always_inline void atomic_sub(int i, atomic_t *v)
17730 */
17731 static __always_inline int atomic_sub_and_test(int i, atomic_t *v)
17732 {
17733- GEN_BINARY_RMWcc(LOCK_PREFIX "subl", v->counter, "er", i, "%0", "e");
17734+ GEN_BINARY_RMWcc(LOCK_PREFIX "subl", LOCK_PREFIX "addl", v->counter, "er", i, "%0", "e");
17735 }
17736
17737 /**
17738@@ -89,7 +156,27 @@ static __always_inline int atomic_sub_and_test(int i, atomic_t *v)
17739 */
17740 static __always_inline void atomic_inc(atomic_t *v)
17741 {
17742- asm volatile(LOCK_PREFIX "incl %0"
17743+ asm volatile(LOCK_PREFIX "incl %0\n"
17744+
17745+#ifdef CONFIG_PAX_REFCOUNT
17746+ "jno 0f\n"
17747+ LOCK_PREFIX "decl %0\n"
17748+ "int $4\n0:\n"
17749+ _ASM_EXTABLE(0b, 0b)
17750+#endif
17751+
17752+ : "+m" (v->counter));
17753+}
17754+
17755+/**
17756+ * atomic_inc_unchecked - increment atomic variable
17757+ * @v: pointer of type atomic_unchecked_t
17758+ *
17759+ * Atomically increments @v by 1.
17760+ */
17761+static __always_inline void atomic_inc_unchecked(atomic_unchecked_t *v)
17762+{
17763+ asm volatile(LOCK_PREFIX "incl %0\n"
17764 : "+m" (v->counter));
17765 }
17766
17767@@ -101,7 +188,27 @@ static __always_inline void atomic_inc(atomic_t *v)
17768 */
17769 static __always_inline void atomic_dec(atomic_t *v)
17770 {
17771- asm volatile(LOCK_PREFIX "decl %0"
17772+ asm volatile(LOCK_PREFIX "decl %0\n"
17773+
17774+#ifdef CONFIG_PAX_REFCOUNT
17775+ "jno 0f\n"
17776+ LOCK_PREFIX "incl %0\n"
17777+ "int $4\n0:\n"
17778+ _ASM_EXTABLE(0b, 0b)
17779+#endif
17780+
17781+ : "+m" (v->counter));
17782+}
17783+
17784+/**
17785+ * atomic_dec_unchecked - decrement atomic variable
17786+ * @v: pointer of type atomic_unchecked_t
17787+ *
17788+ * Atomically decrements @v by 1.
17789+ */
17790+static __always_inline void atomic_dec_unchecked(atomic_unchecked_t *v)
17791+{
17792+ asm volatile(LOCK_PREFIX "decl %0\n"
17793 : "+m" (v->counter));
17794 }
17795
17796@@ -115,7 +222,7 @@ static __always_inline void atomic_dec(atomic_t *v)
17797 */
17798 static __always_inline int atomic_dec_and_test(atomic_t *v)
17799 {
17800- GEN_UNARY_RMWcc(LOCK_PREFIX "decl", v->counter, "%0", "e");
17801+ GEN_UNARY_RMWcc(LOCK_PREFIX "decl", LOCK_PREFIX "incl", v->counter, "%0", "e");
17802 }
17803
17804 /**
17805@@ -128,7 +235,20 @@ static __always_inline int atomic_dec_and_test(atomic_t *v)
17806 */
17807 static __always_inline int atomic_inc_and_test(atomic_t *v)
17808 {
17809- GEN_UNARY_RMWcc(LOCK_PREFIX "incl", v->counter, "%0", "e");
17810+ GEN_UNARY_RMWcc(LOCK_PREFIX "incl", LOCK_PREFIX "decl", v->counter, "%0", "e");
17811+}
17812+
17813+/**
17814+ * atomic_inc_and_test_unchecked - increment and test
17815+ * @v: pointer of type atomic_unchecked_t
17816+ *
17817+ * Atomically increments @v by 1
17818+ * and returns true if the result is zero, or false for all
17819+ * other cases.
17820+ */
17821+static __always_inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
17822+{
17823+ GEN_UNARY_RMWcc_unchecked(LOCK_PREFIX "incl", v->counter, "%0", "e");
17824 }
17825
17826 /**
17827@@ -142,7 +262,7 @@ static __always_inline int atomic_inc_and_test(atomic_t *v)
17828 */
17829 static __always_inline int atomic_add_negative(int i, atomic_t *v)
17830 {
17831- GEN_BINARY_RMWcc(LOCK_PREFIX "addl", v->counter, "er", i, "%0", "s");
17832+ GEN_BINARY_RMWcc(LOCK_PREFIX "addl", LOCK_PREFIX "subl", v->counter, "er", i, "%0", "s");
17833 }
17834
17835 /**
17836@@ -152,7 +272,19 @@ static __always_inline int atomic_add_negative(int i, atomic_t *v)
17837 *
17838 * Atomically adds @i to @v and returns @i + @v
17839 */
17840-static __always_inline int atomic_add_return(int i, atomic_t *v)
17841+static __always_inline int __intentional_overflow(-1) atomic_add_return(int i, atomic_t *v)
17842+{
17843+ return i + xadd_check_overflow(&v->counter, i);
17844+}
17845+
17846+/**
17847+ * atomic_add_return_unchecked - add integer and return
17848+ * @i: integer value to add
17849+ * @v: pointer of type atomi_uncheckedc_t
17850+ *
17851+ * Atomically adds @i to @v and returns @i + @v
17852+ */
17853+static __always_inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
17854 {
17855 return i + xadd(&v->counter, i);
17856 }
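Review bot: The kernel-doc added for `atomic_add_return_unchecked` misspells the type as `atomi_uncheckedc_t`; the line should read `@v: pointer of type atomic_unchecked_t`. The checked `atomic_add_return` now goes through `xadd_check_overflow()`, which is defined outside this hunk, yet its kernel-doc is unchanged. If that helper behaves like the inline overflow checks elsewhere in this file, add a sentence such as `Does not wrap on signed overflow when CONFIG_PAX_REFCOUNT is enabled.` to the comment above it.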
17857@@ -164,15 +296,24 @@ static __always_inline int atomic_add_return(int i, atomic_t *v)
17858 *
17859 * Atomically subtracts @i from @v and returns @v - @i
17860 */
17861-static __always_inline int atomic_sub_return(int i, atomic_t *v)
17862+static __always_inline int __intentional_overflow(-1) atomic_sub_return(int i, atomic_t *v)
17863 {
17864 return atomic_add_return(-i, v);
17865 }
17866
17867 #define atomic_inc_return(v) (atomic_add_return(1, v))
17868+static __always_inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
17869+{
17870+ return atomic_add_return_unchecked(1, v);
17871+}
17872 #define atomic_dec_return(v) (atomic_sub_return(1, v))
17873
17874-static __always_inline int atomic_cmpxchg(atomic_t *v, int old, int new)
17875+static __always_inline int __intentional_overflow(-1) atomic_cmpxchg(atomic_t *v, int old, int new)
17876+{
17877+ return cmpxchg(&v->counter, old, new);
17878+}
17879+
17880+static __always_inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
17881 {
17882 return cmpxchg(&v->counter, old, new);
17883 }
17884@@ -182,6 +323,11 @@ static inline int atomic_xchg(atomic_t *v, int new)
17885 return xchg(&v->counter, new);
17886 }
17887
17888+static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
17889+{
17890+ return xchg(&v->counter, new);
17891+}
17892+
17893 /**
17894 * __atomic_add_unless - add unless the number is already a given value
17895 * @v: pointer of type atomic_t
17896@@ -193,12 +339,25 @@ static inline int atomic_xchg(atomic_t *v, int new)
17897 */
17898 static __always_inline int __atomic_add_unless(atomic_t *v, int a, int u)
17899 {
17900- int c, old;
17901+ int c, old, new;
17902 c = atomic_read(v);
17903 for (;;) {
17904- if (unlikely(c == (u)))
17905+ if (unlikely(c == u))
17906 break;
17907- old = atomic_cmpxchg((v), c, c + (a));
17908+
17909+ asm volatile("addl %2,%0\n"
17910+
17911+#ifdef CONFIG_PAX_REFCOUNT
17912+ "jno 0f\n"
17913+ "subl %2,%0\n"
17914+ "int $4\n0:\n"
17915+ _ASM_EXTABLE(0b, 0b)
17916+#endif
17917+
17918+ : "=r" (new)
17919+ : "0" (c), "ir" (a));
17920+
17921+ old = atomic_cmpxchg(v, c, new);
17922 if (likely(old == c))
17923 break;
17924 c = old;
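Review bot: The overflow branch of the new asm leaves `new` equal to `c`, because `subl %2,%0` undoes the `addl` on the same register. After `int $4` the following `atomic_cmpxchg(v, c, new)` therefore stores the unchanged value and the loop exits as if the add had happened. The function then reports success while the counter stays where it was. That is presumably the intended saturate-instead-of-wrap behaviour, but it is not obvious; add `/* on overflow new == c: the cmpxchg is a no-op and the counter saturates */` before the `atomic_cmpxchg` line. This reading assumes the `int $4` handler resumes at label `0:` through the `_ASM_EXTABLE(0b, 0b)` entry, and the handler is outside this view. `atomic_inc_not_zero_hint` in the next hunk follows the same pattern, and the end of `__atomic_add_unless` is outside the hunk.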
17925@@ -207,6 +366,49 @@ static __always_inline int __atomic_add_unless(atomic_t *v, int a, int u)
17926 }
17927
17928 /**
17929+ * atomic_inc_not_zero_hint - increment if not null
17930+ * @v: pointer of type atomic_t
17931+ * @hint: probable value of the atomic before the increment
17932+ *
17933+ * This version of atomic_inc_not_zero() gives a hint of probable
17934+ * value of the atomic. This helps processor to not read the memory
17935+ * before doing the atomic read/modify/write cycle, lowering
17936+ * number of bus transactions on some arches.
17937+ *
17938+ * Returns: 0 if increment was not done, 1 otherwise.
17939+ */
17940+#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
17941+static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
17942+{
17943+ int val, c = hint, new;
17944+
17945+ /* sanity test, should be removed by compiler if hint is a constant */
17946+ if (!hint)
17947+ return __atomic_add_unless(v, 1, 0);
17948+
17949+ do {
17950+ asm volatile("incl %0\n"
17951+
17952+#ifdef CONFIG_PAX_REFCOUNT
17953+ "jno 0f\n"
17954+ "decl %0\n"
17955+ "int $4\n0:\n"
17956+ _ASM_EXTABLE(0b, 0b)
17957+#endif
17958+
17959+ : "=r" (new)
17960+ : "0" (c));
17961+
17962+ val = atomic_cmpxchg(v, c, new);
17963+ if (val == c)
17964+ return 1;
17965+ c = val;
17966+ } while (c);
17967+
17968+ return 0;
17969+}
17970+
17971+/**
17972 * atomic_inc_short - increment of a short integer
17973 * @v: pointer to type int
17974 *
17975@@ -220,14 +422,37 @@ static __always_inline short int atomic_inc_short(short int *v)
17976 }
17977
17978 /* These are x86-specific, used by some header files */
17979-#define atomic_clear_mask(mask, addr) \
17980- asm volatile(LOCK_PREFIX "andl %0,%1" \
17981- : : "r" (~(mask)), "m" (*(addr)) : "memory")
17982+static inline void atomic_clear_mask(unsigned int mask, atomic_t *v)
17983+{
17984+ asm volatile(LOCK_PREFIX "andl %1,%0"
17985+ : "+m" (v->counter)
17986+ : "r" (~(mask))
17987+ : "memory");
17988+}
17989
17990-#define atomic_set_mask(mask, addr) \
17991- asm volatile(LOCK_PREFIX "orl %0,%1" \
17992- : : "r" ((unsigned)(mask)), "m" (*(addr)) \
17993- : "memory")
17994+static inline void atomic_clear_mask_unchecked(unsigned int mask, atomic_unchecked_t *v)
17995+{
17996+ asm volatile(LOCK_PREFIX "andl %1,%0"
17997+ : "+m" (v->counter)
17998+ : "r" (~(mask))
17999+ : "memory");
18000+}
18001+
18002+static inline void atomic_set_mask(unsigned int mask, atomic_t *v)
18003+{
18004+ asm volatile(LOCK_PREFIX "orl %1,%0"
18005+ : "+m" (v->counter)
18006+ : "r" (mask)
18007+ : "memory");
18008+}
18009+
18010+static inline void atomic_set_mask_unchecked(unsigned int mask, atomic_unchecked_t *v)
18011+{
18012+ asm volatile(LOCK_PREFIX "orl %1,%0"
18013+ : "+m" (v->counter)
18014+ : "r" (mask)
18015+ : "memory");
18016+}
18017
18018 #ifdef CONFIG_X86_32
18019 # include <asm/atomic64_32.h>
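Review bot: Turning `atomic_clear_mask` and `atomic_set_mask` from macros into inline functions narrows what callers may pass. The macros accepted any `addr` that could be dereferenced, while the functions require an `atomic_t *` or `atomic_unchecked_t *`. Callers are outside this view, so any that pass a plain integer pointer must be converted in the same patch. The four new functions are also the only ones in this part of the file without kernel-doc; a short block per function, e.g. `atomic_clear_mask - atomically clear the bits of @mask in @v`, would match the rest.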
18020diff --git a/arch/x86/include/asm/atomic64_32.h b/arch/x86/include/asm/atomic64_32.h
18021index b154de7..3dc335d 100644
18022--- a/arch/x86/include/asm/atomic64_32.h
18023+++ b/arch/x86/include/asm/atomic64_32.h
18024@@ -12,6 +12,14 @@ typedef struct {
18025 u64 __aligned(8) counter;
18026 } atomic64_t;
18027
18028+#ifdef CONFIG_PAX_REFCOUNT
18029+typedef struct {
18030+ u64 __aligned(8) counter;
18031+} atomic64_unchecked_t;
18032+#else
18033+typedef atomic64_t atomic64_unchecked_t;
18034+#endif
18035+
18036 #define ATOMIC64_INIT(val) { (val) }
18037
18038 #define __ATOMIC64_DECL(sym) void atomic64_##sym(atomic64_t *, ...)
18039@@ -37,21 +45,31 @@ typedef struct {
18040 ATOMIC64_DECL_ONE(sym##_386)
18041
18042 ATOMIC64_DECL_ONE(add_386);
18043+ATOMIC64_DECL_ONE(add_unchecked_386);
18044 ATOMIC64_DECL_ONE(sub_386);
18045+ATOMIC64_DECL_ONE(sub_unchecked_386);
18046 ATOMIC64_DECL_ONE(inc_386);
18047+ATOMIC64_DECL_ONE(inc_unchecked_386);
18048 ATOMIC64_DECL_ONE(dec_386);
18049+ATOMIC64_DECL_ONE(dec_unchecked_386);
18050 #endif
18051
18052 #define alternative_atomic64(f, out, in...) \
18053 __alternative_atomic64(f, f, ASM_OUTPUT2(out), ## in)
18054
18055 ATOMIC64_DECL(read);
18056+ATOMIC64_DECL(read_unchecked);
18057 ATOMIC64_DECL(set);
18058+ATOMIC64_DECL(set_unchecked);
18059 ATOMIC64_DECL(xchg);
18060 ATOMIC64_DECL(add_return);
18061+ATOMIC64_DECL(add_return_unchecked);
18062 ATOMIC64_DECL(sub_return);
18063+ATOMIC64_DECL(sub_return_unchecked);
18064 ATOMIC64_DECL(inc_return);
18065+ATOMIC64_DECL(inc_return_unchecked);
18066 ATOMIC64_DECL(dec_return);
18067+ATOMIC64_DECL(dec_return_unchecked);
18068 ATOMIC64_DECL(dec_if_positive);
18069 ATOMIC64_DECL(inc_not_zero);
18070 ATOMIC64_DECL(add_unless);
18071@@ -77,6 +95,21 @@ static inline long long atomic64_cmpxchg(atomic64_t *v, long long o, long long n
18072 }
18073
18074 /**
18075+ * atomic64_cmpxchg_unchecked - cmpxchg atomic64 variable
18076+ * @p: pointer to type atomic64_unchecked_t
18077+ * @o: expected value
18078+ * @n: new value
18079+ *
18080+ * Atomically sets @v to @n if it was equal to @o and returns
18081+ * the old value.
18082+ */
18083+
18084+static inline long long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long long o, long long n)
18085+{
18086+ return cmpxchg64(&v->counter, o, n);
18087+}
18088+
18089+/**
18090 * atomic64_xchg - xchg atomic64 variable
18091 * @v: pointer to type atomic64_t
18092 * @n: value to assign
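Review bot: The kernel-doc for `atomic64_cmpxchg_unchecked` documents `@p`, but the parameter is named `v` and the description itself refers to `@v`. Change the line to `@v: pointer to type atomic64_unchecked_t`. There is also a blank line between the closing `*/` and the function definition; drop it so the comment sits directly on the function like the others in this file.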
18093@@ -112,6 +145,22 @@ static inline void atomic64_set(atomic64_t *v, long long i)
18094 }
18095
18096 /**
18097+ * atomic64_set_unchecked - set atomic64 variable
18098+ * @v: pointer to type atomic64_unchecked_t
18099+ * @n: value to assign
18100+ *
18101+ * Atomically sets the value of @v to @n.
18102+ */
18103+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long long i)
18104+{
18105+ unsigned high = (unsigned)(i >> 32);
18106+ unsigned low = (unsigned)i;
18107+ alternative_atomic64(set, /* no output */,
18108+ "S" (v), "b" (low), "c" (high)
18109+ : "eax", "edx", "memory");
18110+}
18111+
18112+/**
18113 * atomic64_read - read atomic64 variable
18114 * @v: pointer to type atomic64_t
18115 *
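Review bot: `atomic64_set_unchecked` calls `alternative_atomic64(set, ...)` rather than the `set_unchecked` routine that an earlier hunk declares with `ATOMIC64_DECL(set_unchecked)`. `atomic64_read_unchecked` in the next hunk does the same with `read`. If the plain routines are intended because set and read cannot overflow, say so in a comment, e.g. `/* set has no overflow check, so the checked routine is reused */`, and consider dropping the unused declarations. Otherwise pass `set_unchecked` and `read_unchecked`. The kernel-doc also names the value `@n` while the parameter is `i`, and the closing brace of `atomic64_read_unchecked` appears to be indented by one extra space.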
18116@@ -125,6 +174,19 @@ static inline long long atomic64_read(const atomic64_t *v)
18117 }
18118
18119 /**
18120+ * atomic64_read_unchecked - read atomic64 variable
18121+ * @v: pointer to type atomic64_unchecked_t
18122+ *
18123+ * Atomically reads the value of @v and returns it.
18124+ */
18125+static inline long long __intentional_overflow(-1) atomic64_read_unchecked(const atomic64_unchecked_t *v)
18126+{
18127+ long long r;
18128+ alternative_atomic64(read, "=&A" (r), "c" (v) : "memory");
18129+ return r;
18130+ }
18131+
18132+/**
18133 * atomic64_add_return - add and return
18134 * @i: integer value to add
18135 * @v: pointer to type atomic64_t
18136@@ -139,6 +201,21 @@ static inline long long atomic64_add_return(long long i, atomic64_t *v)
18137 return i;
18138 }
18139
18140+/**
18141+ * atomic64_add_return_unchecked - add and return
18142+ * @i: integer value to add
18143+ * @v: pointer to type atomic64_unchecked_t
18144+ *
18145+ * Atomically adds @i to @v and returns @i + *@v
18146+ */
18147+static inline long long atomic64_add_return_unchecked(long long i, atomic64_unchecked_t *v)
18148+{
18149+ alternative_atomic64(add_return_unchecked,
18150+ ASM_OUTPUT2("+A" (i), "+c" (v)),
18151+ ASM_NO_INPUT_CLOBBER("memory"));
18152+ return i;
18153+}
18154+
18155 /*
18156 * Other variants with different arithmetic operators:
18157 */
18158@@ -158,6 +235,14 @@ static inline long long atomic64_inc_return(atomic64_t *v)
18159 return a;
18160 }
18161
18162+static inline long long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
18163+{
18164+ long long a;
18165+ alternative_atomic64(inc_return_unchecked, "=&A" (a),
18166+ "S" (v) : "memory", "ecx");
18167+ return a;
18168+}
18169+
18170 static inline long long atomic64_dec_return(atomic64_t *v)
18171 {
18172 long long a;
18173@@ -182,6 +267,21 @@ static inline long long atomic64_add(long long i, atomic64_t *v)
18174 }
18175
18176 /**
18177+ * atomic64_add_unchecked - add integer to atomic64 variable
18178+ * @i: integer value to add
18179+ * @v: pointer to type atomic64_unchecked_t
18180+ *
18181+ * Atomically adds @i to @v.
18182+ */
18183+static inline long long atomic64_add_unchecked(long long i, atomic64_unchecked_t *v)
18184+{
18185+ __alternative_atomic64(add_unchecked, add_return_unchecked,
18186+ ASM_OUTPUT2("+A" (i), "+c" (v)),
18187+ ASM_NO_INPUT_CLOBBER("memory"));
18188+ return i;
18189+}
18190+
18191+/**
18192 * atomic64_sub - subtract the atomic64 variable
18193 * @i: integer value to subtract
18194 * @v: pointer to type atomic64_t
18195diff --git a/arch/x86/include/asm/atomic64_64.h b/arch/x86/include/asm/atomic64_64.h
18196index b965f9e..8e22dd3 100644
18197--- a/arch/x86/include/asm/atomic64_64.h
18198+++ b/arch/x86/include/asm/atomic64_64.h
18199@@ -22,6 +22,18 @@ static inline long atomic64_read(const atomic64_t *v)
18200 }
18201
18202 /**
18203+ * atomic64_read_unchecked - read atomic64 variable
18204+ * @v: pointer of type atomic64_unchecked_t
18205+ *
18206+ * Atomically reads the value of @v.
18207+ * Doesn't imply a read memory barrier.
18208+ */
18209+static inline long __intentional_overflow(-1) atomic64_read_unchecked(const atomic64_unchecked_t *v)
18210+{
18211+ return ACCESS_ONCE((v)->counter);
18212+}
18213+
18214+/**
18215 * atomic64_set - set atomic64 variable
18216 * @v: pointer to type atomic64_t
18217 * @i: required value
18218@@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64_t *v, long i)
18219 }
18220
18221 /**
18222+ * atomic64_set_unchecked - set atomic64 variable
18223+ * @v: pointer to type atomic64_unchecked_t
18224+ * @i: required value
18225+ *
18226+ * Atomically sets the value of @v to @i.
18227+ */
18228+static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
18229+{
18230+ v->counter = i;
18231+}
18232+
18233+/**
18234 * atomic64_add - add integer to atomic64 variable
18235 * @i: integer value to add
18236 * @v: pointer to type atomic64_t
18237@@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64_t *v, long i)
18238 */
18239 static __always_inline void atomic64_add(long i, atomic64_t *v)
18240 {
18241+ asm volatile(LOCK_PREFIX "addq %1,%0\n"
18242+
18243+#ifdef CONFIG_PAX_REFCOUNT
18244+ "jno 0f\n"
18245+ LOCK_PREFIX "subq %1,%0\n"
18246+ "int $4\n0:\n"
18247+ _ASM_EXTABLE(0b, 0b)
18248+#endif
18249+
18250+ : "=m" (v->counter)
18251+ : "er" (i), "m" (v->counter));
18252+}
18253+
18254+/**
18255+ * atomic64_add_unchecked - add integer to atomic64 variable
18256+ * @i: integer value to add
18257+ * @v: pointer to type atomic64_unchecked_t
18258+ *
18259+ * Atomically adds @i to @v.
18260+ */
18261+static __always_inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
18262+{
18263 asm volatile(LOCK_PREFIX "addq %1,%0"
18264 : "=m" (v->counter)
18265 : "er" (i), "m" (v->counter));
18266@@ -56,7 +102,29 @@ static __always_inline void atomic64_add(long i, atomic64_t *v)
18267 */
18268 static inline void atomic64_sub(long i, atomic64_t *v)
18269 {
18270- asm volatile(LOCK_PREFIX "subq %1,%0"
18271+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
18272+
18273+#ifdef CONFIG_PAX_REFCOUNT
18274+ "jno 0f\n"
18275+ LOCK_PREFIX "addq %1,%0\n"
18276+ "int $4\n0:\n"
18277+ _ASM_EXTABLE(0b, 0b)
18278+#endif
18279+
18280+ : "=m" (v->counter)
18281+ : "er" (i), "m" (v->counter));
18282+}
18283+
18284+/**
18285+ * atomic64_sub_unchecked - subtract the atomic64 variable
18286+ * @i: integer value to subtract
18287+ * @v: pointer to type atomic64_unchecked_t
18288+ *
18289+ * Atomically subtracts @i from @v.
18290+ */
18291+static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
18292+{
18293+ asm volatile(LOCK_PREFIX "subq %1,%0\n"
18294 : "=m" (v->counter)
18295 : "er" (i), "m" (v->counter));
18296 }
18297@@ -72,7 +140,7 @@ static inline void atomic64_sub(long i, atomic64_t *v)
18298 */
18299 static inline int atomic64_sub_and_test(long i, atomic64_t *v)
18300 {
18301- GEN_BINARY_RMWcc(LOCK_PREFIX "subq", v->counter, "er", i, "%0", "e");
18302+ GEN_BINARY_RMWcc(LOCK_PREFIX "subq", LOCK_PREFIX "addq", v->counter, "er", i, "%0", "e");
18303 }
18304
18305 /**
18306@@ -83,6 +151,27 @@ static inline int atomic64_sub_and_test(long i, atomic64_t *v)
18307 */
18308 static __always_inline void atomic64_inc(atomic64_t *v)
18309 {
18310+ asm volatile(LOCK_PREFIX "incq %0\n"
18311+
18312+#ifdef CONFIG_PAX_REFCOUNT
18313+ "jno 0f\n"
18314+ LOCK_PREFIX "decq %0\n"
18315+ "int $4\n0:\n"
18316+ _ASM_EXTABLE(0b, 0b)
18317+#endif
18318+
18319+ : "=m" (v->counter)
18320+ : "m" (v->counter));
18321+}
18322+
18323+/**
18324+ * atomic64_inc_unchecked - increment atomic64 variable
18325+ * @v: pointer to type atomic64_unchecked_t
18326+ *
18327+ * Atomically increments @v by 1.
18328+ */
18329+static __always_inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
18330+{
18331 asm volatile(LOCK_PREFIX "incq %0"
18332 : "=m" (v->counter)
18333 : "m" (v->counter));
18334@@ -96,7 +185,28 @@ static __always_inline void atomic64_inc(atomic64_t *v)
18335 */
18336 static __always_inline void atomic64_dec(atomic64_t *v)
18337 {
18338- asm volatile(LOCK_PREFIX "decq %0"
18339+ asm volatile(LOCK_PREFIX "decq %0\n"
18340+
18341+#ifdef CONFIG_PAX_REFCOUNT
18342+ "jno 0f\n"
18343+ LOCK_PREFIX "incq %0\n"
18344+ "int $4\n0:\n"
18345+ _ASM_EXTABLE(0b, 0b)
18346+#endif
18347+
18348+ : "=m" (v->counter)
18349+ : "m" (v->counter));
18350+}
18351+
18352+/**
18353+ * atomic64_dec_unchecked - decrement atomic64 variable
18354+ * @v: pointer to type atomic64_t
18355+ *
18356+ * Atomically decrements @v by 1.
18357+ */
18358+static __always_inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
18359+{
18360+ asm volatile(LOCK_PREFIX "decq %0\n"
18361 : "=m" (v->counter)
18362 : "m" (v->counter));
18363 }
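Review bot: The kernel-doc for the new atomic64_dec_unchecked names the wrong type. It says `@v: pointer to type atomic64_t` while the function takes `atomic64_unchecked_t *v`. It should read ` * @v: pointer to type atomic64_unchecked_t`, matching the other _unchecked helpers in this file. The asm string here also gained a trailing `\n` (`"decq %0\n"`), as did atomic64_sub_unchecked, whereas atomic64_add_unchecked and atomic64_inc_unchecked keep the original form without it; dropping it would keep the unchecked variants uniform.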
18364@@ -111,7 +221,7 @@ static __always_inline void atomic64_dec(atomic64_t *v)
18365 */
18366 static inline int atomic64_dec_and_test(atomic64_t *v)
18367 {
18368- GEN_UNARY_RMWcc(LOCK_PREFIX "decq", v->counter, "%0", "e");
18369+ GEN_UNARY_RMWcc(LOCK_PREFIX "decq", LOCK_PREFIX "incq", v->counter, "%0", "e");
18370 }
18371
18372 /**
18373@@ -124,7 +234,7 @@ static inline int atomic64_dec_and_test(atomic64_t *v)
18374 */
18375 static inline int atomic64_inc_and_test(atomic64_t *v)
18376 {
18377- GEN_UNARY_RMWcc(LOCK_PREFIX "incq", v->counter, "%0", "e");
18378+ GEN_UNARY_RMWcc(LOCK_PREFIX "incq", LOCK_PREFIX "decq", v->counter, "%0", "e");
18379 }
18380
18381 /**
18382@@ -138,7 +248,7 @@ static inline int atomic64_inc_and_test(atomic64_t *v)
18383 */
18384 static inline int atomic64_add_negative(long i, atomic64_t *v)
18385 {
18386- GEN_BINARY_RMWcc(LOCK_PREFIX "addq", v->counter, "er", i, "%0", "s");
18387+ GEN_BINARY_RMWcc(LOCK_PREFIX "addq", LOCK_PREFIX "subq", v->counter, "er", i, "%0", "s");
18388 }
18389
18390 /**
18391@@ -150,6 +260,18 @@ static inline int atomic64_add_negative(long i, atomic64_t *v)
18392 */
18393 static __always_inline long atomic64_add_return(long i, atomic64_t *v)
18394 {
18395+ return i + xadd_check_overflow(&v->counter, i);
18396+}
18397+
18398+/**
18399+ * atomic64_add_return_unchecked - add and return
18400+ * @i: integer value to add
18401+ * @v: pointer to type atomic64_unchecked_t
18402+ *
18403+ * Atomically adds @i to @v and returns @i + @v
18404+ */
18405+static __always_inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
18406+{
18407 return i + xadd(&v->counter, i);
18408 }
18409
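Review bot: The return value of atomic64_add_return on the overflow path is not documented, and it is not obvious from `return i + xadd_check_overflow(&v->counter, i);`. Per the __xchg_op_check_overflow macro added to cmpxchg.h in this patch, the macro stores the pre-xadd value back to memory on overflow and returns that old value. The expression therefore still evaluates to the wrapped sum while the counter itself is unchanged. Whether any caller acts on that value depends on what the `int $4` handler does, which is outside this hunk. A comment such as `/* on overflow the counter is rolled back; the returned sum is the wrapped value */` would make the contract explicit. The function's kernel-doc starts above the hunk.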
18410@@ -159,6 +281,10 @@ static inline long atomic64_sub_return(long i, atomic64_t *v)
18411 }
18412
18413 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
18414+static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
18415+{
18416+ return atomic64_add_return_unchecked(1, v);
18417+}
18418 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
18419
18420 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
18421@@ -166,6 +292,11 @@ static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
18422 return cmpxchg(&v->counter, old, new);
18423 }
18424
18425+static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
18426+{
18427+ return cmpxchg(&v->counter, old, new);
18428+}
18429+
18430 static inline long atomic64_xchg(atomic64_t *v, long new)
18431 {
18432 return xchg(&v->counter, new);
18433@@ -182,17 +313,30 @@ static inline long atomic64_xchg(atomic64_t *v, long new)
18434 */
18435 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
18436 {
18437- long c, old;
18438+ long c, old, new;
18439 c = atomic64_read(v);
18440 for (;;) {
18441- if (unlikely(c == (u)))
18442+ if (unlikely(c == u))
18443 break;
18444- old = atomic64_cmpxchg((v), c, c + (a));
18445+
18446+ asm volatile("add %2,%0\n"
18447+
18448+#ifdef CONFIG_PAX_REFCOUNT
18449+ "jno 0f\n"
18450+ "sub %2,%0\n"
18451+ "int $4\n0:\n"
18452+ _ASM_EXTABLE(0b, 0b)
18453+#endif
18454+
18455+ : "=r" (new)
18456+ : "0" (c), "ir" (a));
18457+
18458+ old = atomic64_cmpxchg(v, c, new);
18459 if (likely(old == c))
18460 break;
18461 c = old;
18462 }
18463- return c != (u);
18464+ return c != u;
18465 }
18466
18467 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
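Review bot: In the rewritten atomic64_add_unless loop the overflow path leaves `new` equal to `c` (the `sub %2,%0` undoes the `add`), so if execution continues after `int $4` the following `atomic64_cmpxchg(v, c, new)` writes back the unchanged value and the function still returns `c != u`, i.e. non-zero. A caller of atomic64_inc_not_zero would then see success although nothing was added. Whether that can be observed depends on the trap handler, which is not visible here, so this may be intended saturation behaviour. Either way it deserves a comment next to the asm, e.g. `/* on overflow new == c: the cmpxchg becomes a no-op and the caller still sees success */`.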
18468diff --git a/arch/x86/include/asm/barrier.h b/arch/x86/include/asm/barrier.h
18469index e51a8f8..ee075df 100644
18470--- a/arch/x86/include/asm/barrier.h
18471+++ b/arch/x86/include/asm/barrier.h
18472@@ -57,7 +57,7 @@
18473 do { \
18474 compiletime_assert_atomic_type(*p); \
18475 smp_mb(); \
18476- ACCESS_ONCE(*p) = (v); \
18477+ ACCESS_ONCE_RW(*p) = (v); \
18478 } while (0)
18479
18480 #define smp_load_acquire(p) \
18481@@ -74,7 +74,7 @@ do { \
18482 do { \
18483 compiletime_assert_atomic_type(*p); \
18484 barrier(); \
18485- ACCESS_ONCE(*p) = (v); \
18486+ ACCESS_ONCE_RW(*p) = (v); \
18487 } while (0)
18488
18489 #define smp_load_acquire(p) \
18490diff --git a/arch/x86/include/asm/bitops.h b/arch/x86/include/asm/bitops.h
18491index cfe3b95..d01b118 100644
18492--- a/arch/x86/include/asm/bitops.h
18493+++ b/arch/x86/include/asm/bitops.h
18494@@ -50,7 +50,7 @@
18495 * a mask operation on a byte.
18496 */
18497 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
18498-#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
18499+#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
18500 #define CONST_MASK(nr) (1 << ((nr) & 7))
18501
18502 /**
18503@@ -203,7 +203,7 @@ static inline void change_bit(long nr, volatile unsigned long *addr)
18504 */
18505 static inline int test_and_set_bit(long nr, volatile unsigned long *addr)
18506 {
18507- GEN_BINARY_RMWcc(LOCK_PREFIX "bts", *addr, "Ir", nr, "%0", "c");
18508+ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "bts", *addr, "Ir", nr, "%0", "c");
18509 }
18510
18511 /**
18512@@ -249,7 +249,7 @@ static inline int __test_and_set_bit(long nr, volatile unsigned long *addr)
18513 */
18514 static inline int test_and_clear_bit(long nr, volatile unsigned long *addr)
18515 {
18516- GEN_BINARY_RMWcc(LOCK_PREFIX "btr", *addr, "Ir", nr, "%0", "c");
18517+ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "btr", *addr, "Ir", nr, "%0", "c");
18518 }
18519
18520 /**
18521@@ -302,7 +302,7 @@ static inline int __test_and_change_bit(long nr, volatile unsigned long *addr)
18522 */
18523 static inline int test_and_change_bit(long nr, volatile unsigned long *addr)
18524 {
18525- GEN_BINARY_RMWcc(LOCK_PREFIX "btc", *addr, "Ir", nr, "%0", "c");
18526+ GEN_BINARY_RMWcc_unchecked(LOCK_PREFIX "btc", *addr, "Ir", nr, "%0", "c");
18527 }
18528
18529 static __always_inline int constant_test_bit(long nr, const volatile unsigned long *addr)
18530@@ -343,7 +343,7 @@ static int test_bit(int nr, const volatile unsigned long *addr);
18531 *
18532 * Undefined if no bit exists, so code should check against 0 first.
18533 */
18534-static inline unsigned long __ffs(unsigned long word)
18535+static inline unsigned long __intentional_overflow(-1) __ffs(unsigned long word)
18536 {
18537 asm("rep; bsf %1,%0"
18538 : "=r" (word)
18539@@ -357,7 +357,7 @@ static inline unsigned long __ffs(unsigned long word)
18540 *
18541 * Undefined if no zero exists, so code should check against ~0UL first.
18542 */
18543-static inline unsigned long ffz(unsigned long word)
18544+static inline unsigned long __intentional_overflow(-1) ffz(unsigned long word)
18545 {
18546 asm("rep; bsf %1,%0"
18547 : "=r" (word)
18548@@ -371,7 +371,7 @@ static inline unsigned long ffz(unsigned long word)
18549 *
18550 * Undefined if no set bit exists, so code should check against 0 first.
18551 */
18552-static inline unsigned long __fls(unsigned long word)
18553+static inline unsigned long __intentional_overflow(-1) __fls(unsigned long word)
18554 {
18555 asm("bsr %1,%0"
18556 : "=r" (word)
18557@@ -434,7 +434,7 @@ static inline int ffs(int x)
18558 * set bit if value is nonzero. The last (most significant) bit is
18559 * at position 32.
18560 */
18561-static inline int fls(int x)
18562+static inline int __intentional_overflow(-1) fls(int x)
18563 {
18564 int r;
18565
18566@@ -476,7 +476,7 @@ static inline int fls(int x)
18567 * at position 64.
18568 */
18569 #ifdef CONFIG_X86_64
18570-static __always_inline int fls64(__u64 x)
18571+static __always_inline __intentional_overflow(-1) int fls64(__u64 x)
18572 {
18573 int bitpos = -1;
18574 /*
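Review bot: The attribute placement on fls64 differs from every other function annotated in this file. Here it is `static __always_inline __intentional_overflow(-1) int fls64(__u64 x)`, while __ffs, ffz, __fls and fls put the attribute after the return type. For consistency, and so a grep for the pattern finds all of them, I would write `static __always_inline int __intentional_overflow(-1) fls64(__u64 x)`. The function body continues outside the hunk.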
18575diff --git a/arch/x86/include/asm/boot.h b/arch/x86/include/asm/boot.h
18576index 4fa687a..4ca636f 100644
18577--- a/arch/x86/include/asm/boot.h
18578+++ b/arch/x86/include/asm/boot.h
18579@@ -6,7 +6,7 @@
18580 #include <uapi/asm/boot.h>
18581
18582 /* Physical address where kernel should be loaded. */
18583-#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
18584+#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
18585 + (CONFIG_PHYSICAL_ALIGN - 1)) \
18586 & ~(CONFIG_PHYSICAL_ALIGN - 1))
18587
18588diff --git a/arch/x86/include/asm/cache.h b/arch/x86/include/asm/cache.h
18589index 48f99f1..d78ebf9 100644
18590--- a/arch/x86/include/asm/cache.h
18591+++ b/arch/x86/include/asm/cache.h
18592@@ -5,12 +5,13 @@
18593
18594 /* L1 cache line size */
18595 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
18596-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
18597+#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)
18598
18599 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
18600+#define __read_only __attribute__((__section__(".data..read_only")))
18601
18602 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
18603-#define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
18604+#define INTERNODE_CACHE_BYTES (_AC(1,UL) << INTERNODE_CACHE_SHIFT)
18605
18606 #ifdef CONFIG_X86_VSMP
18607 #ifdef CONFIG_SMP
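Review bot: The new `__read_only` attribute is added without any comment, next to `__read_mostly`, even though it places data in a separate `.data..read_only` section. That section only has an effect if the linker script and the page-protection setup handle it, neither of which is visible in this hunk. A one-line comment stating who write-protects the section and when would help, e.g. `/* data that is write-protected after init; see the linker script */`. Separately, `L1_CACHE_BYTES` and `INTERNODE_CACHE_BYTES` change type from int to unsigned long via `_AC(1,UL)`, which can surface as format-string or mixed-type comparison warnings in users of these macros; worth a build check across configs.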
18608diff --git a/arch/x86/include/asm/checksum_32.h b/arch/x86/include/asm/checksum_32.h
18609index f50de69..2b0a458 100644
18610--- a/arch/x86/include/asm/checksum_32.h
18611+++ b/arch/x86/include/asm/checksum_32.h
18612@@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_generic(const void *src, void *dst,
18613 int len, __wsum sum,
18614 int *src_err_ptr, int *dst_err_ptr);
18615
18616+asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
18617+ int len, __wsum sum,
18618+ int *src_err_ptr, int *dst_err_ptr);
18619+
18620+asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
18621+ int len, __wsum sum,
18622+ int *src_err_ptr, int *dst_err_ptr);
18623+
18624 /*
18625 * Note: when you get a NULL pointer exception here this means someone
18626 * passed in an incorrect kernel address to one of these functions.
18627@@ -53,7 +61,7 @@ static inline __wsum csum_partial_copy_from_user(const void __user *src,
18628
18629 might_sleep();
18630 stac();
18631- ret = csum_partial_copy_generic((__force void *)src, dst,
18632+ ret = csum_partial_copy_generic_from_user((__force void *)src, dst,
18633 len, sum, err_ptr, NULL);
18634 clac();
18635
18636@@ -187,7 +195,7 @@ static inline __wsum csum_and_copy_to_user(const void *src,
18637 might_sleep();
18638 if (access_ok(VERIFY_WRITE, dst, len)) {
18639 stac();
18640- ret = csum_partial_copy_generic(src, (__force void *)dst,
18641+ ret = csum_partial_copy_generic_to_user(src, (__force void *)dst,
18642 len, sum, NULL, err_ptr);
18643 clac();
18644 return ret;
18645diff --git a/arch/x86/include/asm/cmpxchg.h b/arch/x86/include/asm/cmpxchg.h
18646index ad19841..0784041 100644
18647--- a/arch/x86/include/asm/cmpxchg.h
18648+++ b/arch/x86/include/asm/cmpxchg.h
18649@@ -14,8 +14,12 @@ extern void __cmpxchg_wrong_size(void)
18650 __compiletime_error("Bad argument size for cmpxchg");
18651 extern void __xadd_wrong_size(void)
18652 __compiletime_error("Bad argument size for xadd");
18653+extern void __xadd_check_overflow_wrong_size(void)
18654+ __compiletime_error("Bad argument size for xadd_check_overflow");
18655 extern void __add_wrong_size(void)
18656 __compiletime_error("Bad argument size for add");
18657+extern void __add_check_overflow_wrong_size(void)
18658+ __compiletime_error("Bad argument size for add_check_overflow");
18659
18660 /*
18661 * Constants for operation sizes. On 32-bit, the 64-bit size it set to
18662@@ -67,6 +71,38 @@ extern void __add_wrong_size(void)
18663 __ret; \
18664 })
18665
18666+#ifdef CONFIG_PAX_REFCOUNT
18667+#define __xchg_op_check_overflow(ptr, arg, op, lock) \
18668+ ({ \
18669+ __typeof__ (*(ptr)) __ret = (arg); \
18670+ switch (sizeof(*(ptr))) { \
18671+ case __X86_CASE_L: \
18672+ asm volatile (lock #op "l %0, %1\n" \
18673+ "jno 0f\n" \
18674+ "mov %0,%1\n" \
18675+ "int $4\n0:\n" \
18676+ _ASM_EXTABLE(0b, 0b) \
18677+ : "+r" (__ret), "+m" (*(ptr)) \
18678+ : : "memory", "cc"); \
18679+ break; \
18680+ case __X86_CASE_Q: \
18681+ asm volatile (lock #op "q %q0, %1\n" \
18682+ "jno 0f\n" \
18683+ "mov %0,%1\n" \
18684+ "int $4\n0:\n" \
18685+ _ASM_EXTABLE(0b, 0b) \
18686+ : "+r" (__ret), "+m" (*(ptr)) \
18687+ : : "memory", "cc"); \
18688+ break; \
18689+ default: \
18690+ __ ## op ## _check_overflow_wrong_size(); \
18691+ } \
18692+ __ret; \
18693+ })
18694+#else
18695+#define __xchg_op_check_overflow(ptr, arg, op, lock) __xchg_op(ptr, arg, op, lock)
18696+#endif
18697+
18698 /*
18699 * Note: no "lock" prefix even on SMP: xchg always implies lock anyway.
18700 * Since this is generally used to protect other memory information, we
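Review bot: The rollback in __xchg_op_check_overflow is a plain store (`"mov %0,%1\n"`) of the value the xadd returned, not an atomic inverse operation. Any update another CPU makes to `*(ptr)` between the locked xadd and that mov is overwritten, unlike the checked atomic64_add/atomic64_sub in this patch, which undo with a `LOCK_PREFIX` sub/add. That may be acceptable if the overflow path is treated as fatal, but the macro does not say so. I would add a comment above the first asm, e.g. `/* overflow: restore the pre-xadd value; not atomic against concurrent updaters */`. Also note that only the 4- and 8-byte cases exist, so 1- and 2-byte operands hit the compile-time error by design; that could be mentioned in the same comment.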
18701@@ -165,6 +201,9 @@ extern void __add_wrong_size(void)
18702 #define xadd_sync(ptr, inc) __xadd((ptr), (inc), "lock; ")
18703 #define xadd_local(ptr, inc) __xadd((ptr), (inc), "")
18704
18705+#define __xadd_check_overflow(ptr, inc, lock) __xchg_op_check_overflow((ptr), (inc), xadd, lock)
18706+#define xadd_check_overflow(ptr, inc) __xadd_check_overflow((ptr), (inc), LOCK_PREFIX)
18707+
18708 #define __add(ptr, inc, lock) \
18709 ({ \
18710 __typeof__ (*(ptr)) __ret = (inc); \
18711diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h
18712index acdee09..a553db3 100644
18713--- a/arch/x86/include/asm/compat.h
18714+++ b/arch/x86/include/asm/compat.h
18715@@ -41,7 +41,7 @@ typedef s64 __attribute__((aligned(4))) compat_s64;
18716 typedef u32 compat_uint_t;
18717 typedef u32 compat_ulong_t;
18718 typedef u64 __attribute__((aligned(4))) compat_u64;
18719-typedef u32 compat_uptr_t;
18720+typedef u32 __user compat_uptr_t;
18721
18722 struct compat_timespec {
18723 compat_time_t tv_sec;
18724diff --git a/arch/x86/include/asm/cpufeature.h b/arch/x86/include/asm/cpufeature.h
18725index 3d6606f..300641d 100644
18726--- a/arch/x86/include/asm/cpufeature.h
18727+++ b/arch/x86/include/asm/cpufeature.h
18728@@ -214,7 +214,8 @@
18729 #define X86_FEATURE_PAUSEFILTER ( 8*32+13) /* AMD filtered pause intercept */
18730 #define X86_FEATURE_PFTHRESHOLD ( 8*32+14) /* AMD pause filter threshold */
18731 #define X86_FEATURE_VMMCALL ( 8*32+15) /* Prefer vmmcall to vmcall */
18732-
18733+#define X86_FEATURE_PCIDUDEREF ( 8*32+30) /* PaX PCID based UDEREF */
18734+#define X86_FEATURE_STRONGUDEREF (8*32+31) /* PaX PCID based strong UDEREF */
18735
18736 /* Intel-defined CPU features, CPUID level 0x00000007:0 (ebx), word 9 */
18737 #define X86_FEATURE_FSGSBASE ( 9*32+ 0) /* {RD/WR}{FS/GS}BASE instructions*/
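Review bot: X86_FEATURE_PCIDUDEREF and X86_FEATURE_STRONGUDEREF are added at bits 30 and 31 of word 8 with nothing saying that they are software-defined flags rather than CPUID-reported ones, or why those two positions were chosen. If the word is later extended, a silent collision would change the meaning of the flag. I would put a short comment above them, e.g. `/* PaX: synthetic flags, set by the kernel, kept at the top of word 8 */`. The second define also writes `(8*32+31)` where the rest of the file uses `( 8*32+31)`; matching the spacing keeps the column aligned.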
18738@@ -222,7 +223,7 @@
18739 #define X86_FEATURE_BMI1 ( 9*32+ 3) /* 1st group bit manipulation extensions */
18740 #define X86_FEATURE_HLE ( 9*32+ 4) /* Hardware Lock Elision */
18741 #define X86_FEATURE_AVX2 ( 9*32+ 5) /* AVX2 instructions */
18742-#define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Protection */
18743+#define X86_FEATURE_SMEP ( 9*32+ 7) /* Supervisor Mode Execution Prevention */
18744 #define X86_FEATURE_BMI2 ( 9*32+ 8) /* 2nd group bit manipulation extensions */
18745 #define X86_FEATURE_ERMS ( 9*32+ 9) /* Enhanced REP MOVSB/STOSB */
18746 #define X86_FEATURE_INVPCID ( 9*32+10) /* Invalidate Processor Context ID */
18747@@ -401,6 +402,7 @@ extern const char * const x86_bug_flags[NBUGINTS*32];
18748 #define cpu_has_eager_fpu boot_cpu_has(X86_FEATURE_EAGER_FPU)
18749 #define cpu_has_topoext boot_cpu_has(X86_FEATURE_TOPOEXT)
18750 #define cpu_has_bpext boot_cpu_has(X86_FEATURE_BPEXT)
18751+#define cpu_has_pcid boot_cpu_has(X86_FEATURE_PCID)
18752
18753 #if __GNUC__ >= 4
18754 extern void warn_pre_alternatives(void);
18755@@ -454,7 +456,8 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
18756
18757 #ifdef CONFIG_X86_DEBUG_STATIC_CPU_HAS
18758 t_warn:
18759- warn_pre_alternatives();
18760+ if (bit != X86_FEATURE_PCID && bit != X86_FEATURE_INVPCID && bit != X86_FEATURE_PCIDUDEREF)
18761+ warn_pre_alternatives();
18762 return false;
18763 #endif
18764
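Review bot: The new condition in __static_cpu_has suppresses warn_pre_alternatives() for X86_FEATURE_PCID, X86_FEATURE_INVPCID and X86_FEATURE_PCIDUDEREF without saying why. The branch still falls through to `return false`, so a query made before alternatives are applied reports these features as absent. If that early query is expected, presumably from the UDEREF code, the reason should be stated. Otherwise the exemption hides exactly the misuse this debug option exists to catch. Suggested comment: `/* queried before alternatives are applied on purpose; the early answer is "not present" */`. The function starts and ends outside the hunk.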
18765@@ -475,7 +478,7 @@ static __always_inline __pure bool __static_cpu_has(u16 bit)
18766 ".section .discard,\"aw\",@progbits\n"
18767 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
18768 ".previous\n"
18769- ".section .altinstr_replacement,\"ax\"\n"
18770+ ".section .altinstr_replacement,\"a\"\n"
18771 "3: movb $1,%0\n"
18772 "4:\n"
18773 ".previous\n"
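Review bot: Changing `.section .altinstr_replacement,\"ax\"` to `\"a\"` here drops the executable flag for this contribution to the section. The same edit is repeated in the three following hunks of this file. Section flags have to agree across every `.section .altinstr_replacement` directive in the tree, so any remaining user with `"ax"` (the assembler-side alternative macros, for instance) would produce changed-attribute warnings or a mixed section. Those sites are not visible here, so this needs checking. The reason for the change is also not recorded; a brief comment at one site, such as `/* replacement code is only copied from here, never run in place, so the section need not be executable */`, would help if that is the intent.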
18774@@ -510,7 +513,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
18775 " .byte 5f - 4f\n" /* repl len */
18776 " .byte 3b - 2b\n" /* pad len */
18777 ".previous\n"
18778- ".section .altinstr_replacement,\"ax\"\n"
18779+ ".section .altinstr_replacement,\"a\"\n"
18780 "4: jmp %l[t_no]\n"
18781 "5:\n"
18782 ".previous\n"
18783@@ -545,7 +548,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
18784 ".section .discard,\"aw\",@progbits\n"
18785 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
18786 ".previous\n"
18787- ".section .altinstr_replacement,\"ax\"\n"
18788+ ".section .altinstr_replacement,\"a\"\n"
18789 "3: movb $0,%0\n"
18790 "4:\n"
18791 ".previous\n"
18792@@ -560,7 +563,7 @@ static __always_inline __pure bool _static_cpu_has_safe(u16 bit)
18793 ".section .discard,\"aw\",@progbits\n"
18794 " .byte 0xff + (6f-5f) - (4b-3b)\n" /* size check */
18795 ".previous\n"
18796- ".section .altinstr_replacement,\"ax\"\n"
18797+ ".section .altinstr_replacement,\"a\"\n"
18798 "5: movb $1,%0\n"
18799 "6:\n"
18800 ".previous\n"
18801diff --git a/arch/x86/include/asm/desc.h b/arch/x86/include/asm/desc.h
18802index 4e10d73..7319a47 100644
18803--- a/arch/x86/include/asm/desc.h
18804+++ b/arch/x86/include/asm/desc.h
18805@@ -4,6 +4,7 @@
18806 #include <asm/desc_defs.h>
18807 #include <asm/ldt.h>
18808 #include <asm/mmu.h>
18809+#include <asm/pgtable.h>
18810
18811 #include <linux/smp.h>
18812 #include <linux/percpu.h>
18813@@ -17,6 +18,7 @@ static inline void fill_ldt(struct desc_struct *desc, const struct user_desc *in
18814
18815 desc->type = (info->read_exec_only ^ 1) << 1;
18816 desc->type |= info->contents << 2;
18817+ desc->type |= info->seg_not_present ^ 1;
18818
18819 desc->s = 1;
18820 desc->dpl = 0x3;
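Review bot: The added line `desc->type |= info->seg_not_present ^ 1;` in fill_ldt sets bit 0 of the descriptor type, which is the Accessed bit for code and data segments, whenever the segment is present. Nothing says why. Presumably the aim is that the CPU never has to write the Accessed bit into a descriptor table that may be read-only, but that is an inference from the rest of the patch. A comment such as `/* pre-set Accessed for present segments so loading them does not write the descriptor */` would record the intent. The function body continues outside the hunk.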
18821@@ -35,19 +37,14 @@ static inline void fill_ldt(struct desc_struct *desc, const struct user_desc *in
18822 }
18823
18824 extern struct desc_ptr idt_descr;
18825-extern gate_desc idt_table[];
18826-extern struct desc_ptr debug_idt_descr;
18827-extern gate_desc debug_idt_table[];
18828-
18829-struct gdt_page {
18830- struct desc_struct gdt[GDT_ENTRIES];
18831-} __attribute__((aligned(PAGE_SIZE)));
18832-
18833-DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
18834+extern gate_desc idt_table[IDT_ENTRIES];
18835+extern const struct desc_ptr debug_idt_descr;
18836+extern gate_desc debug_idt_table[IDT_ENTRIES];
18837
18838+extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
18839 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
18840 {
18841- return per_cpu(gdt_page, cpu).gdt;
18842+ return cpu_gdt_table[cpu];
18843 }
18844
18845 #ifdef CONFIG_X86_64
18846@@ -72,8 +69,14 @@ static inline void pack_gate(gate_desc *gate, unsigned char type,
18847 unsigned long base, unsigned dpl, unsigned flags,
18848 unsigned short seg)
18849 {
18850- gate->a = (seg << 16) | (base & 0xffff);
18851- gate->b = (base & 0xffff0000) | (((0x80 | type | (dpl << 5)) & 0xff) << 8);
18852+ gate->gate.offset_low = base;
18853+ gate->gate.seg = seg;
18854+ gate->gate.reserved = 0;
18855+ gate->gate.type = type;
18856+ gate->gate.s = 0;
18857+ gate->gate.dpl = dpl;
18858+ gate->gate.p = 1;
18859+ gate->gate.offset_high = base >> 16;
18860 }
18861
18862 #endif
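Review bot: The bitfield version of pack_gate relies on silent truncation where the old code masked explicitly. `gate->gate.offset_low = base;` keeps only the low 16 bits, and `gate->gate.type = type;` keeps only 4 bits with `s` forced to 0. The old expression would have let bit 4 of `type` through into the descriptor. For valid gate types the result is the same, but the narrowing should be visible, e.g. `gate->gate.offset_low = base & 0xffff;` and a comment `/* type is a 4-bit gate type; s must be 0 for system descriptors */`. The code also depends on the `gate` view added to struct desc_struct in desc_defs.h by this patch, so a compile-time size check next to that struct would guard the hardware layout.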
18863@@ -118,12 +121,16 @@ static inline void paravirt_free_ldt(struct desc_struct *ldt, unsigned entries)
18864
18865 static inline void native_write_idt_entry(gate_desc *idt, int entry, const gate_desc *gate)
18866 {
18867+ pax_open_kernel();
18868 memcpy(&idt[entry], gate, sizeof(*gate));
18869+ pax_close_kernel();
18870 }
18871
18872 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry, const void *desc)
18873 {
18874+ pax_open_kernel();
18875 memcpy(&ldt[entry], desc, 8);
18876+ pax_close_kernel();
18877 }
18878
18879 static inline void
18880@@ -137,7 +144,9 @@ native_write_gdt_entry(struct desc_struct *gdt, int entry, const void *desc, int
18881 default: size = sizeof(*gdt); break;
18882 }
18883
18884+ pax_open_kernel();
18885 memcpy(&gdt[entry], desc, size);
18886+ pax_close_kernel();
18887 }
18888
18889 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
18890@@ -210,7 +219,9 @@ static inline void native_set_ldt(const void *addr, unsigned int entries)
18891
18892 static inline void native_load_tr_desc(void)
18893 {
18894+ pax_open_kernel();
18895 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
18896+ pax_close_kernel();
18897 }
18898
18899 static inline void native_load_gdt(const struct desc_ptr *dtr)
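Review bot: The pax_open_kernel()/pax_close_kernel() pair added around `ltr` in native_load_tr_desc needs a comment, because unlike the memcpy-based writers in the neighbouring hunks there is no visible store here. The write is done by the CPU: loading the task register marks the TSS descriptor busy in the GDT, which fails if that table is write-protected. Suggested comment above the asm: `/* ltr sets the busy bit in the GDT's TSS descriptor, so the table must be writable */`. The other pairs in this file (native_write_idt_entry, native_write_ldt_entry, native_write_gdt_entry, native_load_tls) are self-explanatory and keep the window limited to the copy itself.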
18900@@ -247,8 +258,10 @@ static inline void native_load_tls(struct thread_struct *t, unsigned int cpu)
18901 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
18902 unsigned int i;
18903
18904+ pax_open_kernel();
18905 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
18906 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
18907+ pax_close_kernel();
18908 }
18909
18910 /* This intentionally ignores lm, since 32-bit apps don't have that field. */
18911@@ -280,7 +293,7 @@ static inline void clear_LDT(void)
18912 set_ldt(NULL, 0);
18913 }
18914
18915-static inline unsigned long get_desc_base(const struct desc_struct *desc)
18916+static inline unsigned long __intentional_overflow(-1) get_desc_base(const struct desc_struct *desc)
18917 {
18918 return (unsigned)(desc->base0 | ((desc->base1) << 16) | ((desc->base2) << 24));
18919 }
18920@@ -304,7 +317,7 @@ static inline void set_desc_limit(struct desc_struct *desc, unsigned long limit)
18921 }
18922
18923 #ifdef CONFIG_X86_64
18924-static inline void set_nmi_gate(int gate, void *addr)
18925+static inline void set_nmi_gate(int gate, const void *addr)
18926 {
18927 gate_desc s;
18928
18929@@ -314,14 +327,14 @@ static inline void set_nmi_gate(int gate, void *addr)
18930 #endif
18931
18932 #ifdef CONFIG_TRACING
18933-extern struct desc_ptr trace_idt_descr;
18934-extern gate_desc trace_idt_table[];
18935+extern const struct desc_ptr trace_idt_descr;
18936+extern gate_desc trace_idt_table[IDT_ENTRIES];
18937 static inline void write_trace_idt_entry(int entry, const gate_desc *gate)
18938 {
18939 write_idt_entry(trace_idt_table, entry, gate);
18940 }
18941
18942-static inline void _trace_set_gate(int gate, unsigned type, void *addr,
18943+static inline void _trace_set_gate(int gate, unsigned type, const void *addr,
18944 unsigned dpl, unsigned ist, unsigned seg)
18945 {
18946 gate_desc s;
18947@@ -341,7 +354,7 @@ static inline void write_trace_idt_entry(int entry, const gate_desc *gate)
18948 #define _trace_set_gate(gate, type, addr, dpl, ist, seg)
18949 #endif
18950
18951-static inline void _set_gate(int gate, unsigned type, void *addr,
18952+static inline void _set_gate(int gate, unsigned type, const void *addr,
18953 unsigned dpl, unsigned ist, unsigned seg)
18954 {
18955 gate_desc s;
18956@@ -364,14 +377,14 @@ static inline void _set_gate(int gate, unsigned type, void *addr,
18957 #define set_intr_gate_notrace(n, addr) \
18958 do { \
18959 BUG_ON((unsigned)n > 0xFF); \
18960- _set_gate(n, GATE_INTERRUPT, (void *)addr, 0, 0, \
18961+ _set_gate(n, GATE_INTERRUPT, (const void *)addr, 0, 0, \
18962 __KERNEL_CS); \
18963 } while (0)
18964
18965 #define set_intr_gate(n, addr) \
18966 do { \
18967 set_intr_gate_notrace(n, addr); \
18968- _trace_set_gate(n, GATE_INTERRUPT, (void *)trace_##addr,\
18969+ _trace_set_gate(n, GATE_INTERRUPT, (const void *)trace_##addr,\
18970 0, 0, __KERNEL_CS); \
18971 } while (0)
18972
18973@@ -399,19 +412,19 @@ static inline void alloc_system_vector(int vector)
18974 /*
18975 * This routine sets up an interrupt gate at directory privilege level 3.
18976 */
18977-static inline void set_system_intr_gate(unsigned int n, void *addr)
18978+static inline void set_system_intr_gate(unsigned int n, const void *addr)
18979 {
18980 BUG_ON((unsigned)n > 0xFF);
18981 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
18982 }
18983
18984-static inline void set_system_trap_gate(unsigned int n, void *addr)
18985+static inline void set_system_trap_gate(unsigned int n, const void *addr)
18986 {
18987 BUG_ON((unsigned)n > 0xFF);
18988 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
18989 }
18990
18991-static inline void set_trap_gate(unsigned int n, void *addr)
18992+static inline void set_trap_gate(unsigned int n, const void *addr)
18993 {
18994 BUG_ON((unsigned)n > 0xFF);
18995 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
18996@@ -420,16 +433,16 @@ static inline void set_trap_gate(unsigned int n, void *addr)
18997 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
18998 {
18999 BUG_ON((unsigned)n > 0xFF);
19000- _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
19001+ _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
19002 }
19003
19004-static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
19005+static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
19006 {
19007 BUG_ON((unsigned)n > 0xFF);
19008 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
19009 }
19010
19011-static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
19012+static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
19013 {
19014 BUG_ON((unsigned)n > 0xFF);
19015 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
19016@@ -501,4 +514,17 @@ static inline void load_current_idt(void)
19017 else
19018 load_idt((const struct desc_ptr *)&idt_descr);
19019 }
19020+
19021+#ifdef CONFIG_X86_32
19022+static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
19023+{
19024+ struct desc_struct d;
19025+
19026+ if (likely(limit))
19027+ limit = (limit - 1UL) >> PAGE_SHIFT;
19028+ pack_descriptor(&d, base, limit, 0xFB, 0xC);
19029+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
19030+}
19031+#endif
19032+
19033 #endif /* _ASM_X86_DESC_H */
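Review bot: set_user_cs is added with no documentation and two magic constants, and the zero-limit case is easy to misread. When `limit` is 0 the descriptor is packed with a limit field of 0. If `0xC` sets the granularity and default-size flags, as it appears to in pack_descriptor's layout (its body is outside this hunk), that describes a one-page segment rather than an empty one. A header comment would settle it, e.g. `/* Rewrite this CPU's user code segment to cover [base, base+limit); limit is in bytes, 0xFB = present DPL3 code r/x accessed, 0xC = 4K granular 32-bit */`, together with a statement of what callers should expect for `limit == 0`. `cpu` is also a signed int passed to get_cpu_gdt_table(unsigned int), which indexes cpu_gdt_table directly, so callers must guarantee a valid CPU number.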
19034diff --git a/arch/x86/include/asm/desc_defs.h b/arch/x86/include/asm/desc_defs.h
19035index 278441f..b95a174 100644
19036--- a/arch/x86/include/asm/desc_defs.h
19037+++ b/arch/x86/include/asm/desc_defs.h
19038@@ -31,6 +31,12 @@ struct desc_struct {
19039 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
19040 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
19041 };
19042+ struct {
19043+ u16 offset_low;
19044+ u16 seg;
19045+ unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
19046+ unsigned offset_high: 16;
19047+ } gate;
19048 };
19049 } __attribute__((packed));
19050
19051diff --git a/arch/x86/include/asm/div64.h b/arch/x86/include/asm/div64.h
19052index ced283a..ffe04cc 100644
19053--- a/arch/x86/include/asm/div64.h
19054+++ b/arch/x86/include/asm/div64.h
19055@@ -39,7 +39,7 @@
19056 __mod; \
19057 })
19058
19059-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
19060+static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
19061 {
19062 union {
19063 u64 v64;
19064diff --git a/arch/x86/include/asm/elf.h b/arch/x86/include/asm/elf.h
19065index f161c18..97d43e8 100644
19066--- a/arch/x86/include/asm/elf.h
19067+++ b/arch/x86/include/asm/elf.h
19068@@ -75,9 +75,6 @@ typedef struct user_fxsr_struct elf_fpxregset_t;
19069
19070 #include <asm/vdso.h>
19071
19072-#ifdef CONFIG_X86_64
19073-extern unsigned int vdso64_enabled;
19074-#endif
19075 #if defined(CONFIG_X86_32) || defined(CONFIG_COMPAT)
19076 extern unsigned int vdso32_enabled;
19077 #endif
19078@@ -250,7 +247,25 @@ extern int force_personality32;
19079 the loader. We need to make sure that it is out of the way of the program
19080 that it will "exec", and that there is sufficient room for the brk. */
19081
19082+#ifdef CONFIG_PAX_SEGMEXEC
19083+#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
19084+#else
19085 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
19086+#endif
19087+
19088+#ifdef CONFIG_PAX_ASLR
19089+#ifdef CONFIG_X86_32
19090+#define PAX_ELF_ET_DYN_BASE 0x10000000UL
19091+
19092+#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
19093+#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
19094+#else
19095+#define PAX_ELF_ET_DYN_BASE 0x400000UL
19096+
19097+#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_ADDR32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
19098+#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_ADDR32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
19099+#endif
19100+#endif
19101
19102 /* This yields a mask that user programs can use to figure out what
19103 instruction set this CPU supports. This could be done in user space,
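Review bot: The 32-bit PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN macros leave the flag test unparenthesised (`current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16`), while ELF_ET_DYN_BASE a few lines above wraps the same test. Precedence makes it work, but the inconsistent form invites a wrong edit later. I would write `#define PAX_DELTA_MMAP_LEN ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? 15 : 16)` and the same for the stack variant. The block also has no comment saying what the values mean; they look like a number of randomised bits, so one line stating the unit would help. All of these macros dereference `current->mm`, so they are only safe in contexts where the task has an mm.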
19104@@ -299,17 +314,13 @@ do { \
19105
19106 #define ARCH_DLINFO \
19107 do { \
19108- if (vdso64_enabled) \
19109- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
19110- (unsigned long __force)current->mm->context.vdso); \
19111+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
19112 } while (0)
19113
19114 /* As a historical oddity, the x32 and x86_64 vDSOs are controlled together. */
19115 #define ARCH_DLINFO_X32 \
19116 do { \
19117- if (vdso64_enabled) \
19118- NEW_AUX_ENT(AT_SYSINFO_EHDR, \
19119- (unsigned long __force)current->mm->context.vdso); \
19120+ NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso); \
19121 } while (0)
19122
19123 #define AT_SYSINFO 32
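Review bot: With the `if (vdso64_enabled)` guard gone, `ARCH_DLINFO` and `ARCH_DLINFO_X32` always emit `AT_SYSINFO_EHDR`, whatever `current->mm->context.vdso` holds. If a process can still end up without a vDSO mapping (not visible from this hunk), the entry would carry 0. A guard on the value itself, `if (current->mm->context.vdso) NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);`, would keep the old "no entry when absent" behaviour. Dropping the `(unsigned long __force)` cast also relies on the `vdso` field becoming `unsigned long` in asm/mmu.h, and that dependency deserves a short comment here.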
19124@@ -324,10 +335,10 @@ else \
19125
19126 #endif /* !CONFIG_X86_32 */
19127
19128-#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
19129+#define VDSO_CURRENT_BASE (current->mm->context.vdso)
19130
19131 #define VDSO_ENTRY \
19132- ((unsigned long)current->mm->context.vdso + \
19133+ (current->mm->context.vdso + \
19134 selected_vdso32->sym___kernel_vsyscall)
19135
19136 struct linux_binprm;
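--- a/arch/x86/include/asm/emergency-restart.h
+++ b/arch/x86/include/asm/emergency-restart.h
@@ -1,6 +1,6 @@
 #ifndef _ASM_X86_EMERGENCY_RESTART_H
 #define _ASM_X86_EMERGENCY_RESTART_H
 
-extern void machine_emergency_restart(void);
+extern void machine_emergency_restart(void) __noreturn;
 
 #endif /* _ASM_X86_EMERGENCY_RESTART_H */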
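--- a/arch/x86/include/asm/floppy.h
+++ b/arch/x86/include/asm/floppy.h
@@ -229,18 +229,18 @@ static struct fd_routine_l {
 int (*_dma_setup)(char *addr, unsigned long size, int mode, int io);
 } fd_routine[] = {
 {
- request_dma,
- free_dma,
- get_dma_residue,
- dma_mem_alloc,
- hard_dma_setup
+ ._request_dma = request_dma,
+ ._free_dma = free_dma,
+ ._get_dma_residue = get_dma_residue,
+ ._dma_mem_alloc = dma_mem_alloc,
+ ._dma_setup = hard_dma_setup
 },
 {
- vdma_request_dma,
- vdma_nop,
- vdma_get_dma_residue,
- vdma_mem_alloc,
- vdma_dma_setup
+ ._request_dma = vdma_request_dma,
+ ._free_dma = vdma_nop,
+ ._get_dma_residue = vdma_get_dma_residue,
+ ._dma_mem_alloc = vdma_mem_alloc,
+ ._dma_setup = vdma_dma_setup
 }
 };
 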
19182diff --git a/arch/x86/include/asm/fpu/internal.h b/arch/x86/include/asm/fpu/internal.h
19183index 3c3550c..ca9e4c3 100644
19184--- a/arch/x86/include/asm/fpu/internal.h
19185+++ b/arch/x86/include/asm/fpu/internal.h
19186@@ -97,8 +97,11 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu);
19187 #define user_insn(insn, output, input...) \
19188 ({ \
19189 int err; \
19190+ pax_open_userland(); \
19191 asm volatile(ASM_STAC "\n" \
19192- "1:" #insn "\n\t" \
19193+ "1:" \
19194+ __copyuser_seg \
19195+ #insn "\n\t" \
19196 "2: " ASM_CLAC "\n" \
19197 ".section .fixup,\"ax\"\n" \
19198 "3: movl $-1,%[err]\n" \
19199@@ -107,6 +110,7 @@ extern void fpstate_sanitize_xstate(struct fpu *fpu);
19200 _ASM_EXTABLE(1b, 3b) \
19201 : [err] "=r" (err), output \
19202 : "0"(0), input); \
19203+ pax_close_userland(); \
19204 err; \
19205 })
19206
19207@@ -186,9 +190,9 @@ static inline int copy_user_to_fregs(struct fregs_state __user *fx)
19208 static inline void copy_fxregs_to_kernel(struct fpu *fpu)
19209 {
19210 if (config_enabled(CONFIG_X86_32))
19211- asm volatile( "fxsave %[fx]" : [fx] "=m" (fpu->state.fxsave));
19212+ asm volatile( "fxsave %[fx]" : [fx] "=m" (fpu->state->fxsave));
19213 else if (config_enabled(CONFIG_AS_FXSAVEQ))
19214- asm volatile("fxsaveq %[fx]" : [fx] "=m" (fpu->state.fxsave));
19215+ asm volatile("fxsaveq %[fx]" : [fx] "=m" (fpu->state->fxsave));
19216 else {
19217 /* Using "rex64; fxsave %0" is broken because, if the memory
19218 * operand uses any extended registers for addressing, a second
19219@@ -205,15 +209,15 @@ static inline void copy_fxregs_to_kernel(struct fpu *fpu)
19220 * an extended register is needed for addressing (fix submitted
19221 * to mainline 2005-11-21).
19222 *
19223- * asm volatile("rex64/fxsave %0" : "=m" (fpu->state.fxsave));
19224+ * asm volatile("rex64/fxsave %0" : "=m" (fpu->state->fxsave));
19225 *
19226 * This, however, we can work around by forcing the compiler to
19227 * select an addressing mode that doesn't require extended
19228 * registers.
19229 */
19230 asm volatile( "rex64/fxsave (%[fx])"
19231- : "=m" (fpu->state.fxsave)
19232- : [fx] "R" (&fpu->state.fxsave));
19233+ : "=m" (fpu->state->fxsave)
19234+ : [fx] "R" (&fpu->state->fxsave));
19235 }
19236 }
19237
19238@@ -388,12 +392,16 @@ static inline int copy_xregs_to_user(struct xregs_state __user *buf)
19239 if (unlikely(err))
19240 return -EFAULT;
19241
19242+ pax_open_userland();
19243 __asm__ __volatile__(ASM_STAC "\n"
19244- "1:"XSAVE"\n"
19245+ "1:"
19246+ __copyuser_seg
19247+ XSAVE"\n"
19248 "2: " ASM_CLAC "\n"
19249 xstate_fault(err)
19250 : "D" (buf), "a" (-1), "d" (-1), "0" (err)
19251 : "memory");
19252+ pax_close_userland();
19253 return err;
19254 }
19255
19256@@ -402,17 +410,21 @@ static inline int copy_xregs_to_user(struct xregs_state __user *buf)
19257 */
19258 static inline int copy_user_to_xregs(struct xregs_state __user *buf, u64 mask)
19259 {
19260- struct xregs_state *xstate = ((__force struct xregs_state *)buf);
19261+ struct xregs_state *xstate = ((__force_kernel struct xregs_state *)buf);
19262 u32 lmask = mask;
19263 u32 hmask = mask >> 32;
19264 int err = 0;
19265
19266+ pax_open_userland();
19267 __asm__ __volatile__(ASM_STAC "\n"
19268- "1:"XRSTOR"\n"
19269+ "1:"
19270+ __copyuser_seg
19271+ XRSTOR"\n"
19272 "2: " ASM_CLAC "\n"
19273 xstate_fault(err)
19274 : "D" (xstate), "a" (lmask), "d" (hmask), "0" (err)
19275 : "memory"); /* memory required? */
19276+ pax_close_userland();
19277 return err;
19278 }
19279
19280@@ -429,7 +441,7 @@ static inline int copy_user_to_xregs(struct xregs_state __user *buf, u64 mask)
19281 static inline int copy_fpregs_to_fpstate(struct fpu *fpu)
19282 {
19283 if (likely(use_xsave())) {
19284- copy_xregs_to_kernel(&fpu->state.xsave);
19285+ copy_xregs_to_kernel(&fpu->state->xsave);
19286 return 1;
19287 }
19288
19289@@ -442,7 +454,7 @@ static inline int copy_fpregs_to_fpstate(struct fpu *fpu)
19290 * Legacy FPU register saving, FNSAVE always clears FPU registers,
19291 * so we have to mark them inactive:
19292 */
19293- asm volatile("fnsave %[fp]; fwait" : [fp] "=m" (fpu->state.fsave));
19294+ asm volatile("fnsave %[fp]; fwait" : [fp] "=m" (fpu->state->fsave));
19295
19296 return 0;
19297 }
19298@@ -471,7 +483,7 @@ static inline void copy_kernel_to_fpregs(union fpregs_state *fpstate)
19299 "fnclex\n\t"
19300 "emms\n\t"
19301 "fildl %P[addr]" /* set F?P to defined value */
19302- : : [addr] "m" (fpstate));
19303+ : : [addr] "m" (cpu_tss[raw_smp_processor_id()].x86_tss.sp0));
19304 }
19305
19306 __copy_kernel_to_fpregs(fpstate);
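Review bot: The `fildl` operand changes from `fpstate` to `cpu_tss[raw_smp_processor_id()].x86_tss.sp0`, and the only comment on the line, `/* set F?P to defined value */`, does not say why that location was picked. A short comment should state what the operand has to satisfy (a readable kernel word whose value does not matter, if that is the intent), so the next reader does not take it for a meaningful load of the stack pointer. `raw_smp_processor_id()` also skips the preemption debug check, so if callers are expected to run with preemption disabled, that belongs in the comment too. The function starts outside this hunk.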
19307@@ -611,7 +623,7 @@ switch_fpu_prepare(struct fpu *old_fpu, struct fpu *new_fpu, int cpu)
19308 if (fpu.preload) {
19309 new_fpu->counter++;
19310 __fpregs_activate(new_fpu);
19311- prefetch(&new_fpu->state);
19312+ prefetch(new_fpu->state);
19313 } else {
19314 __fpregs_deactivate_hw();
19315 }
19316@@ -623,7 +635,7 @@ switch_fpu_prepare(struct fpu *old_fpu, struct fpu *new_fpu, int cpu)
19317 if (fpu_want_lazy_restore(new_fpu, cpu))
19318 fpu.preload = 0;
19319 else
19320- prefetch(&new_fpu->state);
19321+ prefetch(new_fpu->state);
19322 fpregs_activate(new_fpu);
19323 }
19324 }
19325@@ -643,7 +655,7 @@ switch_fpu_prepare(struct fpu *old_fpu, struct fpu *new_fpu, int cpu)
19326 static inline void switch_fpu_finish(struct fpu *new_fpu, fpu_switch_t fpu_switch)
19327 {
19328 if (fpu_switch.preload)
19329- copy_kernel_to_fpregs(&new_fpu->state);
19330+ copy_kernel_to_fpregs(new_fpu->state);
19331 }
19332
19333 /*
19334diff --git a/arch/x86/include/asm/fpu/types.h b/arch/x86/include/asm/fpu/types.h
19335index c49c517..0a6e089 100644
19336--- a/arch/x86/include/asm/fpu/types.h
19337+++ b/arch/x86/include/asm/fpu/types.h
19338@@ -189,7 +189,6 @@ union fpregs_state {
19339 struct fxregs_state fxsave;
19340 struct swregs_state soft;
19341 struct xregs_state xsave;
19342- u8 __padding[PAGE_SIZE];
19343 };
19344
19345 /*
19346@@ -199,6 +198,39 @@ union fpregs_state {
19347 */
19348 struct fpu {
19349 /*
19350+ * @state:
19351+ *
19352+ * In-memory copy of all FPU registers that we save/restore
19353+ * over context switches. If the task is using the FPU then
19354+ * the registers in the FPU are more recent than this state
19355+ * copy. If the task context-switches away then they get
19356+ * saved here and represent the FPU state.
19357+ *
19358+ * After context switches there may be a (short) time period
19359+ * during which the in-FPU hardware registers are unchanged
19360+ * and still perfectly match this state, if the tasks
19361+ * scheduled afterwards are not using the FPU.
19362+ *
19363+ * This is the 'lazy restore' window of optimization, which
19364+ * we track though 'fpu_fpregs_owner_ctx' and 'fpu->last_cpu'.
19365+ *
19366+ * We detect whether a subsequent task uses the FPU via setting
19367+ * CR0::TS to 1, which causes any FPU use to raise a #NM fault.
19368+ *
19369+ * During this window, if the task gets scheduled again, we
19370+ * might be able to skip having to do a restore from this
19371+ * memory buffer to the hardware registers - at the cost of
19372+ * incurring the overhead of #NM fault traps.
19373+ *
19374+ * Note that on modern CPUs that support the XSAVEOPT (or other
19375+ * optimized XSAVE instructions), we don't use #NM traps anymore,
19376+ * as the hardware can track whether FPU registers need saving
19377+ * or not. On such CPUs we activate the non-lazy ('eagerfpu')
19378+ * logic, which unconditionally saves/restores all FPU state
19379+ * across context switches. (if FPU state exists.)
19380+ */
19381+ union fpregs_state *state;
19382+ /*
19383 * @last_cpu:
19384 *
19385 * Records the last CPU on which this context was loaded into
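Review bot: `state` is now `union fpregs_state *state`, but the comment moved along with it still describes an in-memory copy. It says nothing about who allocates the buffer, when the pointer becomes valid, or who frees it. The accessors changed in asm/fpu/internal.h dereference `fpu->state` with no NULL check, so the invariant that it is set before any save or restore should be written down here, for example by ending the comment with `* Points to a separately allocated buffer; must be valid before any save/restore.` The allocation site is not part of this view, and `struct fpu` continues past the end of this hunk.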
19386@@ -255,43 +287,6 @@ struct fpu {
19387 * deal with bursty apps that only use the FPU for a short time:
19388 */
19389 unsigned char counter;
19390- /*
19391- * @state:
19392- *
19393- * In-memory copy of all FPU registers that we save/restore
19394- * over context switches. If the task is using the FPU then
19395- * the registers in the FPU are more recent than this state
19396- * copy. If the task context-switches away then they get
19397- * saved here and represent the FPU state.
19398- *
19399- * After context switches there may be a (short) time period
19400- * during which the in-FPU hardware registers are unchanged
19401- * and still perfectly match this state, if the tasks
19402- * scheduled afterwards are not using the FPU.
19403- *
19404- * This is the 'lazy restore' window of optimization, which
19405- * we track though 'fpu_fpregs_owner_ctx' and 'fpu->last_cpu'.
19406- *
19407- * We detect whether a subsequent task uses the FPU via setting
19408- * CR0::TS to 1, which causes any FPU use to raise a #NM fault.
19409- *
19410- * During this window, if the task gets scheduled again, we
19411- * might be able to skip having to do a restore from this
19412- * memory buffer to the hardware registers - at the cost of
19413- * incurring the overhead of #NM fault traps.
19414- *
19415- * Note that on modern CPUs that support the XSAVEOPT (or other
19416- * optimized XSAVE instructions), we don't use #NM traps anymore,
19417- * as the hardware can track whether FPU registers need saving
19418- * or not. On such CPUs we activate the non-lazy ('eagerfpu')
19419- * logic, which unconditionally saves/restores all FPU state
19420- * across context switches. (if FPU state exists.)
19421- */
19422- union fpregs_state state;
19423- /*
19424- * WARNING: 'state' is dynamically-sized. Do not put
19425- * anything after it here.
19426- */
19427 };
19428
19429 #endif /* _ASM_X86_FPU_H */
19430diff --git a/arch/x86/include/asm/futex.h b/arch/x86/include/asm/futex.h
19431index b4c1f54..e290c08 100644
19432--- a/arch/x86/include/asm/futex.h
19433+++ b/arch/x86/include/asm/futex.h
19434@@ -12,6 +12,7 @@
19435 #include <asm/smap.h>
19436
19437 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
19438+ typecheck(u32 __user *, uaddr); \
19439 asm volatile("\t" ASM_STAC "\n" \
19440 "1:\t" insn "\n" \
19441 "2:\t" ASM_CLAC "\n" \
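Review bot: Adding `typecheck(u32 __user *, uaddr);` ahead of the `asm volatile` turns `__futex_atomic_op1` into a two-statement macro, so using it as the body of an unbraced `if` or `else` would guard only the type check. The visible call sites in `futex_atomic_op_inuser` sit under `case` labels and are unaffected. Wrapping the expansion as `do { typecheck(u32 __user *, uaddr); asm volatile(...); } while (0)` would remove the hazard for future callers. `__futex_atomic_op2` in the next hunk has the same shape, and both macro bodies continue past the end of their hunks.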
19442@@ -20,15 +21,16 @@
19443 "\tjmp\t2b\n" \
19444 "\t.previous\n" \
19445 _ASM_EXTABLE(1b, 3b) \
19446- : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
19447+ : "=r" (oldval), "=r" (ret), "+m" (*(u32 __user *)____m(uaddr)) \
19448 : "i" (-EFAULT), "0" (oparg), "1" (0))
19449
19450 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
19451+ typecheck(u32 __user *, uaddr); \
19452 asm volatile("\t" ASM_STAC "\n" \
19453 "1:\tmovl %2, %0\n" \
19454 "\tmovl\t%0, %3\n" \
19455 "\t" insn "\n" \
19456- "2:\t" LOCK_PREFIX "cmpxchgl %3, %2\n" \
19457+ "2:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %2\n" \
19458 "\tjnz\t1b\n" \
19459 "3:\t" ASM_CLAC "\n" \
19460 "\t.section .fixup,\"ax\"\n" \
19461@@ -38,7 +40,7 @@
19462 _ASM_EXTABLE(1b, 4b) \
19463 _ASM_EXTABLE(2b, 4b) \
19464 : "=&a" (oldval), "=&r" (ret), \
19465- "+m" (*uaddr), "=&r" (tem) \
19466+ "+m" (*(u32 __user *)____m(uaddr)), "=&r" (tem) \
19467 : "r" (oparg), "i" (-EFAULT), "1" (0))
19468
19469 static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
19470@@ -57,12 +59,13 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
19471
19472 pagefault_disable();
19473
19474+ pax_open_userland();
19475 switch (op) {
19476 case FUTEX_OP_SET:
19477- __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
19478+ __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
19479 break;
19480 case FUTEX_OP_ADD:
19481- __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
19482+ __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
19483 uaddr, oparg);
19484 break;
19485 case FUTEX_OP_OR:
19486@@ -77,6 +80,7 @@ static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
19487 default:
19488 ret = -ENOSYS;
19489 }
19490+ pax_close_userland();
19491
19492 pagefault_enable();
19493
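--- a/arch/x86/include/asm/hw_irq.h
+++ b/arch/x86/include/asm/hw_irq.h
@@ -158,8 +158,8 @@ static inline void unlock_vector_lock(void) {}
 #endif /* CONFIG_X86_LOCAL_APIC */
 
 /* Statistics */
-extern atomic_t irq_err_count;
-extern atomic_t irq_mis_count;
+extern atomic_unchecked_t irq_err_count;
+extern atomic_unchecked_t irq_mis_count;
 
 extern void elcr_set_level_irq(unsigned int irq);
 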
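--- a/arch/x86/include/asm/i8259.h
+++ b/arch/x86/include/asm/i8259.h
@@ -62,7 +62,7 @@ struct legacy_pic {
 void (*init)(int auto_eoi);
 int (*irq_pending)(unsigned int irq);
 void (*make_irq)(unsigned int irq);
-};
+} __do_const;
 
 extern struct legacy_pic *legacy_pic;
 extern struct legacy_pic null_legacy_pic;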
19522diff --git a/arch/x86/include/asm/io.h b/arch/x86/include/asm/io.h
19523index cc9c61b..7b17f40 100644
19524--- a/arch/x86/include/asm/io.h
19525+++ b/arch/x86/include/asm/io.h
19526@@ -42,6 +42,7 @@
19527 #include <asm/page.h>
19528 #include <asm/early_ioremap.h>
19529 #include <asm/pgtable_types.h>
19530+#include <asm/processor.h>
19531
19532 #define build_mmio_read(name, size, type, reg, barrier) \
19533 static inline type name(const volatile void __iomem *addr) \
19534@@ -54,12 +55,12 @@ static inline void name(type val, volatile void __iomem *addr) \
19535 "m" (*(volatile type __force *)addr) barrier); }
19536
19537 build_mmio_read(readb, "b", unsigned char, "=q", :"memory")
19538-build_mmio_read(readw, "w", unsigned short, "=r", :"memory")
19539-build_mmio_read(readl, "l", unsigned int, "=r", :"memory")
19540+build_mmio_read(__intentional_overflow(-1) readw, "w", unsigned short, "=r", :"memory")
19541+build_mmio_read(__intentional_overflow(-1) readl, "l", unsigned int, "=r", :"memory")
19542
19543 build_mmio_read(__readb, "b", unsigned char, "=q", )
19544-build_mmio_read(__readw, "w", unsigned short, "=r", )
19545-build_mmio_read(__readl, "l", unsigned int, "=r", )
19546+build_mmio_read(__intentional_overflow(-1) __readw, "w", unsigned short, "=r", )
19547+build_mmio_read(__intentional_overflow(-1) __readl, "l", unsigned int, "=r", )
19548
19549 build_mmio_write(writeb, "b", unsigned char, "q", :"memory")
19550 build_mmio_write(writew, "w", unsigned short, "r", :"memory")
19551@@ -115,7 +116,7 @@ build_mmio_write(writeq, "q", unsigned long, "r", :"memory")
19552 * this function
19553 */
19554
19555-static inline phys_addr_t virt_to_phys(volatile void *address)
19556+static inline phys_addr_t __intentional_overflow(-1) virt_to_phys(volatile void *address)
19557 {
19558 return __pa(address);
19559 }
19560@@ -192,7 +193,7 @@ static inline void __iomem *ioremap(resource_size_t offset, unsigned long size)
19561 return ioremap_nocache(offset, size);
19562 }
19563
19564-extern void iounmap(volatile void __iomem *addr);
19565+extern void iounmap(const volatile void __iomem *addr);
19566
19567 extern void set_iounmap_nonlazy(void);
19568
19569@@ -200,6 +201,17 @@ extern void set_iounmap_nonlazy(void);
19570
19571 #include <asm-generic/iomap.h>
19572
19573+#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
19574+static inline int valid_phys_addr_range(unsigned long addr, size_t count)
19575+{
19576+ return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
19577+}
19578+
19579+static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
19580+{
19581+ return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
19582+}
19583+
19584 /*
19585 * Convert a virtual cached pointer to an uncached pointer
19586 */
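Review bot: `addr + count + PAGE_SIZE - 1` in `valid_phys_addr_range` and `pfn + (count >> PAGE_SHIFT)` in `valid_mmap_phys_addr_range` are evaluated in `unsigned long`, so a large enough `addr`, `pfn` or `count` wraps to a small number and the range passes the limit check. Unless every caller already bounds both arguments (the callers are outside this hunk), the helpers should reject a wrapped end before comparing, and round up in page units so the rounding cannot wrap either. The `? 1 : 0` on a comparison is redundant and is dropped in the sketch below.
```c
static inline int valid_phys_addr_range(unsigned long addr, size_t count)
{
	unsigned long end = addr + count;

	/* reject ranges whose end wraps past the top of unsigned long */
	if (end < addr)
		return 0;
	/* round up in page units so the rounding itself cannot wrap */
	return ((end >> PAGE_SHIFT) + !!(end & ~PAGE_MASK)) <
	       (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT));
}

static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
{
	unsigned long npages = count >> PAGE_SHIFT;

	if (pfn + npages < pfn)
		return 0;
	return (pfn + npages) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT));
}
```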
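--- a/arch/x86/include/asm/irqflags.h
+++ b/arch/x86/include/asm/irqflags.h
@@ -137,6 +137,11 @@ static inline notrace unsigned long arch_local_irq_save(void)
 swapgs; \
 sysretl
 
+#define GET_CR0_INTO_RDI mov %cr0, %rdi
+#define SET_RDI_INTO_CR0 mov %rdi, %cr0
+#define GET_CR3_INTO_RDI mov %cr3, %rdi
+#define SET_RDI_INTO_CR3 mov %rdi, %cr3
+
 #else
 #define INTERRUPT_RETURN iret
 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit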
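--- a/arch/x86/include/asm/kprobes.h
+++ b/arch/x86/include/asm/kprobes.h
@@ -37,13 +37,8 @@ typedef u8 kprobe_opcode_t;
 #define RELATIVEJUMP_SIZE 5
 #define RELATIVECALL_OPCODE 0xe8
 #define RELATIVE_ADDR_SIZE 4
-#define MAX_STACK_SIZE 64
-#define MIN_STACK_SIZE(ADDR) \
- (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
- THREAD_SIZE - (unsigned long)(ADDR))) \
- ? (MAX_STACK_SIZE) \
- : (((unsigned long)current_thread_info()) + \
- THREAD_SIZE - (unsigned long)(ADDR)))
+#define MAX_STACK_SIZE 64UL
+#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
 
 #define flush_insn_slot(p) do { } while (0)
 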
19623diff --git a/arch/x86/include/asm/local.h b/arch/x86/include/asm/local.h
19624index 4ad6560..75c7bdd 100644
19625--- a/arch/x86/include/asm/local.h
19626+++ b/arch/x86/include/asm/local.h
19627@@ -10,33 +10,97 @@ typedef struct {
19628 atomic_long_t a;
19629 } local_t;
19630
19631+typedef struct {
19632+ atomic_long_unchecked_t a;
19633+} local_unchecked_t;
19634+
19635 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
19636
19637 #define local_read(l) atomic_long_read(&(l)->a)
19638+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
19639 #define local_set(l, i) atomic_long_set(&(l)->a, (i))
19640+#define local_set_unchecked(l, i) atomic_long_set_unchecked(&(l)->a, (i))
19641
19642 static inline void local_inc(local_t *l)
19643 {
19644- asm volatile(_ASM_INC "%0"
19645+ asm volatile(_ASM_INC "%0\n"
19646+
19647+#ifdef CONFIG_PAX_REFCOUNT
19648+ "jno 0f\n"
19649+ _ASM_DEC "%0\n"
19650+ "int $4\n0:\n"
19651+ _ASM_EXTABLE(0b, 0b)
19652+#endif
19653+
19654+ : "+m" (l->a.counter));
19655+}
19656+
19657+static inline void local_inc_unchecked(local_unchecked_t *l)
19658+{
19659+ asm volatile(_ASM_INC "%0\n"
19660 : "+m" (l->a.counter));
19661 }
19662
19663 static inline void local_dec(local_t *l)
19664 {
19665- asm volatile(_ASM_DEC "%0"
19666+ asm volatile(_ASM_DEC "%0\n"
19667+
19668+#ifdef CONFIG_PAX_REFCOUNT
19669+ "jno 0f\n"
19670+ _ASM_INC "%0\n"
19671+ "int $4\n0:\n"
19672+ _ASM_EXTABLE(0b, 0b)
19673+#endif
19674+
19675+ : "+m" (l->a.counter));
19676+}
19677+
19678+static inline void local_dec_unchecked(local_unchecked_t *l)
19679+{
19680+ asm volatile(_ASM_DEC "%0\n"
19681 : "+m" (l->a.counter));
19682 }
19683
19684 static inline void local_add(long i, local_t *l)
19685 {
19686- asm volatile(_ASM_ADD "%1,%0"
19687+ asm volatile(_ASM_ADD "%1,%0\n"
19688+
19689+#ifdef CONFIG_PAX_REFCOUNT
19690+ "jno 0f\n"
19691+ _ASM_SUB "%1,%0\n"
19692+ "int $4\n0:\n"
19693+ _ASM_EXTABLE(0b, 0b)
19694+#endif
19695+
19696+ : "+m" (l->a.counter)
19697+ : "ir" (i));
19698+}
19699+
19700+static inline void local_add_unchecked(long i, local_unchecked_t *l)
19701+{
19702+ asm volatile(_ASM_ADD "%1,%0\n"
19703 : "+m" (l->a.counter)
19704 : "ir" (i));
19705 }
19706
19707 static inline void local_sub(long i, local_t *l)
19708 {
19709- asm volatile(_ASM_SUB "%1,%0"
19710+ asm volatile(_ASM_SUB "%1,%0\n"
19711+
19712+#ifdef CONFIG_PAX_REFCOUNT
19713+ "jno 0f\n"
19714+ _ASM_ADD "%1,%0\n"
19715+ "int $4\n0:\n"
19716+ _ASM_EXTABLE(0b, 0b)
19717+#endif
19718+
19719+ : "+m" (l->a.counter)
19720+ : "ir" (i));
19721+}
19722+
19723+static inline void local_sub_unchecked(long i, local_unchecked_t *l)
19724+{
19725+ asm volatile(_ASM_SUB "%1,%0\n"
19726 : "+m" (l->a.counter)
19727 : "ir" (i));
19728 }
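Review bot: The `jno 0f` / inverse-operation / `int $4` sequence under `CONFIG_PAX_REFCOUNT` is pasted into `local_inc`, `local_dec`, `local_add` and `local_sub` with no comment saying what it does. A line such as `/* on signed overflow: undo the operation, then raise the overflow trap */` above the first copy would make the intent readable; the handler reached through `_ASM_EXTABLE(0b, 0b)` is outside this hunk. Since the four copies differ only in the undo instruction, one helper macro taking that instruction as its argument would keep them from drifting apart. The `_unchecked` variants also have no kernel-doc, unlike `local_add_return_unchecked` later in the file.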
19729@@ -52,7 +116,7 @@ static inline void local_sub(long i, local_t *l)
19730 */
19731 static inline int local_sub_and_test(long i, local_t *l)
19732 {
19733- GEN_BINARY_RMWcc(_ASM_SUB, l->a.counter, "er", i, "%0", "e");
19734+ GEN_BINARY_RMWcc(_ASM_SUB, _ASM_ADD, l->a.counter, "er", i, "%0", "e");
19735 }
19736
19737 /**
19738@@ -65,7 +129,7 @@ static inline int local_sub_and_test(long i, local_t *l)
19739 */
19740 static inline int local_dec_and_test(local_t *l)
19741 {
19742- GEN_UNARY_RMWcc(_ASM_DEC, l->a.counter, "%0", "e");
19743+ GEN_UNARY_RMWcc(_ASM_DEC, _ASM_INC, l->a.counter, "%0", "e");
19744 }
19745
19746 /**
19747@@ -78,7 +142,7 @@ static inline int local_dec_and_test(local_t *l)
19748 */
19749 static inline int local_inc_and_test(local_t *l)
19750 {
19751- GEN_UNARY_RMWcc(_ASM_INC, l->a.counter, "%0", "e");
19752+ GEN_UNARY_RMWcc(_ASM_INC, _ASM_DEC, l->a.counter, "%0", "e");
19753 }
19754
19755 /**
19756@@ -92,7 +156,7 @@ static inline int local_inc_and_test(local_t *l)
19757 */
19758 static inline int local_add_negative(long i, local_t *l)
19759 {
19760- GEN_BINARY_RMWcc(_ASM_ADD, l->a.counter, "er", i, "%0", "s");
19761+ GEN_BINARY_RMWcc(_ASM_ADD, _ASM_SUB, l->a.counter, "er", i, "%0", "s");
19762 }
19763
19764 /**
19765@@ -105,6 +169,30 @@ static inline int local_add_negative(long i, local_t *l)
19766 static inline long local_add_return(long i, local_t *l)
19767 {
19768 long __i = i;
19769+ asm volatile(_ASM_XADD "%0, %1\n"
19770+
19771+#ifdef CONFIG_PAX_REFCOUNT
19772+ "jno 0f\n"
19773+ _ASM_MOV "%0,%1\n"
19774+ "int $4\n0:\n"
19775+ _ASM_EXTABLE(0b, 0b)
19776+#endif
19777+
19778+ : "+r" (i), "+m" (l->a.counter)
19779+ : : "memory");
19780+ return i + __i;
19781+}
19782+
19783+/**
19784+ * local_add_return_unchecked - add and return
19785+ * @i: integer value to add
19786+ * @l: pointer to type local_unchecked_t
19787+ *
19788+ * Atomically adds @i to @l and returns @i + @l
19789+ */
19790+static inline long local_add_return_unchecked(long i, local_unchecked_t *l)
19791+{
19792+ long __i = i;
19793 asm volatile(_ASM_XADD "%0, %1;"
19794 : "+r" (i), "+m" (l->a.counter)
19795 : : "memory");
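Review bot: On the overflow path of `local_add_return`, `_ASM_MOV "%0,%1\n"` stores the pre-add value back, yet the function still ends with `return i + __i;`, so the caller gets the wrapped sum while the counter holds the old value. The roll-back is also a separate store after the `xadd`, so an update made to the counter between the two instructions would be overwritten. What happens after `int $4` is decided by a handler outside this hunk, so this may be harmless in practice. Either way, a comment such as `/* after an overflow trap the counter is rolled back and the return value must not be trusted */` would document it. The body of `local_add_return_unchecked` continues past the end of the hunk.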
19796@@ -121,6 +209,8 @@ static inline long local_sub_return(long i, local_t *l)
19797
19798 #define local_cmpxchg(l, o, n) \
19799 (cmpxchg_local(&((l)->a.counter), (o), (n)))
19800+#define local_cmpxchg_unchecked(l, o, n) \
19801+ (cmpxchg_local(&((l)->a.counter), (o), (n)))
19802 /* Always has a lock prefix */
19803 #define local_xchg(l, n) (xchg(&((l)->a.counter), (n)))
19804
19805diff --git a/arch/x86/include/asm/mman.h b/arch/x86/include/asm/mman.h
19806new file mode 100644
19807index 0000000..2bfd3ba
19808--- /dev/null
19809+++ b/arch/x86/include/asm/mman.h
19810@@ -0,0 +1,15 @@
19811+#ifndef _X86_MMAN_H
19812+#define _X86_MMAN_H
19813+
19814+#include <uapi/asm/mman.h>
19815+
19816+#ifdef __KERNEL__
19817+#ifndef __ASSEMBLY__
19818+#ifdef CONFIG_X86_32
19819+#define arch_mmap_check i386_mmap_check
19820+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags);
19821+#endif
19822+#endif
19823+#endif
19824+
19825+#endif /* X86_MMAN_H */
19826diff --git a/arch/x86/include/asm/mmu.h b/arch/x86/include/asm/mmu.h
19827index 364d274..e51b4bc 100644
19828--- a/arch/x86/include/asm/mmu.h
19829+++ b/arch/x86/include/asm/mmu.h
19830@@ -17,7 +17,19 @@ typedef struct {
19831 #endif
19832
19833 struct mutex lock;
19834- void __user *vdso;
19835+ unsigned long vdso;
19836+
19837+#ifdef CONFIG_X86_32
19838+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
19839+ unsigned long user_cs_base;
19840+ unsigned long user_cs_limit;
19841+
19842+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
19843+ cpumask_t cpu_user_cs_mask;
19844+#endif
19845+
19846+#endif
19847+#endif
19848
19849 atomic_t perf_rdpmc_allowed; /* nonzero if rdpmc is allowed */
19850 } mm_context_t;
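Review bot: Changing `vdso` from `void __user *` to `unsigned long` drops the address-space annotation that lets sparse flag a kernel-side dereference of this value. Nothing in the struct now says that it is a user-space address, so a comment such as `/* user-space address of the vDSO mapping; never dereference directly */` would keep that information. The new `user_cs_base`, `user_cs_limit` and `cpu_user_cs_mask` fields are also undocumented. From their use with `set_user_cs()` in asm/mmu_context.h they look like the base and limit of the user code segment and the set of CPUs that have it loaded, but that should be stated by the author rather than inferred.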
19851diff --git a/arch/x86/include/asm/mmu_context.h b/arch/x86/include/asm/mmu_context.h
19852index 984abfe..9996c62 100644
19853--- a/arch/x86/include/asm/mmu_context.h
19854+++ b/arch/x86/include/asm/mmu_context.h
19855@@ -45,7 +45,7 @@ struct ldt_struct {
19856 * allocations, but it's not worth trying to optimize.
19857 */
19858 struct desc_struct *entries;
19859- int size;
19860+ unsigned int size;
19861 };
19862
19863 static inline void load_mm_ldt(struct mm_struct *mm)
19864@@ -86,26 +86,95 @@ void destroy_context(struct mm_struct *mm);
19865
19866 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
19867 {
19868+
19869+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19870+ if (!(static_cpu_has(X86_FEATURE_PCIDUDEREF))) {
19871+ unsigned int i;
19872+ pgd_t *pgd;
19873+
19874+ pax_open_kernel();
19875+ pgd = get_cpu_pgd(smp_processor_id(), kernel);
19876+ for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
19877+ set_pgd_batched(pgd+i, native_make_pgd(0));
19878+ pax_close_kernel();
19879+ }
19880+#endif
19881+
19882 #ifdef CONFIG_SMP
19883 if (this_cpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
19884 this_cpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
19885 #endif
19886 }
19887
19888+static inline void pax_switch_mm(struct mm_struct *next, unsigned int cpu)
19889+{
19890+
19891+#ifdef CONFIG_PAX_PER_CPU_PGD
19892+ pax_open_kernel();
19893+
19894+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19895+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF))
19896+ __clone_user_pgds(get_cpu_pgd(cpu, user), next->pgd);
19897+ else
19898+#endif
19899+
19900+ __clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd);
19901+
19902+ __shadow_user_pgds(get_cpu_pgd(cpu, kernel) + USER_PGD_PTRS, next->pgd);
19903+
19904+ pax_close_kernel();
19905+
19906+ BUG_ON((__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL) != (read_cr3() & __PHYSICAL_MASK) && (__pa(get_cpu_pgd(cpu, user)) | PCID_USER) != (read_cr3() & __PHYSICAL_MASK));
19907+
19908+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19909+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
19910+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
19911+ u64 descriptor[2];
19912+ descriptor[0] = PCID_USER;
19913+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
19914+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF)) {
19915+ descriptor[0] = PCID_KERNEL;
19916+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_CONTEXT) : "memory");
19917+ }
19918+ } else {
19919+ write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
19920+ if (static_cpu_has(X86_FEATURE_STRONGUDEREF))
19921+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
19922+ else
19923+ write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
19924+ }
19925+ } else
19926+#endif
19927+
19928+ load_cr3(get_cpu_pgd(cpu, kernel));
19929+#endif
19930+
19931+}
19932+
19933 static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
19934 struct task_struct *tsk)
19935 {
19936 unsigned cpu = smp_processor_id();
19937+#if defined(CONFIG_X86_32) && defined(CONFIG_SMP) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
19938+ int tlbstate = TLBSTATE_OK;
19939+#endif
19940
19941 if (likely(prev != next)) {
19942 #ifdef CONFIG_SMP
19943+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
19944+ tlbstate = this_cpu_read(cpu_tlbstate.state);
19945+#endif
19946 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
19947 this_cpu_write(cpu_tlbstate.active_mm, next);
19948 #endif
19949 cpumask_set_cpu(cpu, mm_cpumask(next));
19950
19951 /* Re-load page tables */
19952+#ifdef CONFIG_PAX_PER_CPU_PGD
19953+ pax_switch_mm(next, cpu);
19954+#else
19955 load_cr3(next->pgd);
19956+#endif
19957 trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
19958
19959 /* Stop flush ipis for the previous mm */
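Review bot: In `pax_switch_mm`, `u64 descriptor[2]` has only `descriptor[0]` assigned before its address is passed to `__ASM_INVPCID`, so the second quadword is whatever was on the stack. The single-context invalidation type should not consult that field, but initialising the whole descriptor, `u64 descriptor[2] = { PCID_USER, 0 };`, costs nothing and removes the question. Separately, the `else` placed just before an `#endif` (ahead of `__clone_user_pgds(get_cpu_pgd(cpu, kernel), next->pgd);` and ahead of `load_cr3(get_cpu_pgd(cpu, kernel));`) binds to a statement outside the conditional block. Bracing those statements would make the pairing visible in every configuration.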
19960@@ -128,9 +197,31 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
19961 */
19962 if (unlikely(prev->context.ldt != next->context.ldt))
19963 load_mm_ldt(next);
19964+
19965+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
19966+ if (!(__supported_pte_mask & _PAGE_NX)) {
19967+ smp_mb__before_atomic();
19968+ cpumask_clear_cpu(cpu, &prev->context.cpu_user_cs_mask);
19969+ smp_mb__after_atomic();
19970+ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
19971+ }
19972+#endif
19973+
19974+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
19975+ if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
19976+ prev->context.user_cs_limit != next->context.user_cs_limit))
19977+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
19978+#ifdef CONFIG_SMP
19979+ else if (unlikely(tlbstate != TLBSTATE_OK))
19980+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
19981+#endif
19982+#endif
19983+
19984 }
19985+ else {
19986+ pax_switch_mm(next, cpu);
19987+
19988 #ifdef CONFIG_SMP
19989- else {
19990 this_cpu_write(cpu_tlbstate.state, TLBSTATE_OK);
19991 BUG_ON(this_cpu_read(cpu_tlbstate.active_mm) != next);
19992
19993@@ -147,13 +238,30 @@ static inline void switch_mm(struct mm_struct *prev, struct mm_struct *next,
19994 * tlb flush IPI delivery. We must reload CR3
19995 * to make sure to use no freed page tables.
19996 */
19997+
19998+#ifndef CONFIG_PAX_PER_CPU_PGD
19999 load_cr3(next->pgd);
20000 trace_tlb_flush(TLB_FLUSH_ON_TASK_SWITCH, TLB_FLUSH_ALL);
20001+#endif
20002+
20003 load_mm_cr4(next);
20004 load_mm_ldt(next);
20005+
20006+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
20007+ if (!(__supported_pte_mask & _PAGE_NX))
20008+ cpumask_set_cpu(cpu, &next->context.cpu_user_cs_mask);
20009+#endif
20010+
20011+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
20012+#ifdef CONFIG_PAX_PAGEEXEC
20013+ if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
20014+#endif
20015+ set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
20016+#endif
20017+
20018 }
20019+#endif
20020 }
20021-#endif
20022 }
20023
20024 #define activate_mm(prev, next) \
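Review bot: The context comment still says "We must reload CR3 to make sure to use no freed page tables", yet with CONFIG_PAX_PER_CPU_PGD the new `#ifndef` compiles `load_cr3(next->pgd)` out of this path. Presumably the `pax_switch_mm(next, cpu)` call added at the top of this `else` branch in the previous hunk performs the reload, but its body is not visible here, so the comment should say so explicitly, e.g. `/* with PER_CPU_PGD the reload is done by pax_switch_mm() above */`. Without that, the lazy-TLB safety argument in the comment no longer matches the code a reader sees. The `#ifdef CONFIG_PAX_PAGEEXEC` that wraps only the `if` line before `set_user_cs()` is also easy to misread; a small helper or a braced block would be clearer.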
20025diff --git a/arch/x86/include/asm/module.h b/arch/x86/include/asm/module.h
20026index e3b7819..b257c64 100644
20027--- a/arch/x86/include/asm/module.h
20028+++ b/arch/x86/include/asm/module.h
20029@@ -5,6 +5,7 @@
20030
20031 #ifdef CONFIG_X86_64
20032 /* X86_64 does not define MODULE_PROC_FAMILY */
20033+#define MODULE_PROC_FAMILY ""
20034 #elif defined CONFIG_M486
20035 #define MODULE_PROC_FAMILY "486 "
20036 #elif defined CONFIG_M586
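Review bot: The comment `/* X86_64 does not define MODULE_PROC_FAMILY */` is left in place directly above the added `#define MODULE_PROC_FAMILY ""`, so it now contradicts the code. It should be reworded to say why the empty definition exists, for example `/* X86_64 has no processor family string; defined empty so MODULE_ARCH_VERMAGIC can concatenate it */`. The concatenation that needs it is the unconditional `MODULE_ARCH_VERMAGIC` definition added in the next hunk.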
20037@@ -57,8 +58,20 @@
20038 #error unknown processor family
20039 #endif
20040
20041-#ifdef CONFIG_X86_32
20042-# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
20043+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_BTS
20044+#define MODULE_PAX_KERNEXEC "KERNEXEC_BTS "
20045+#elif defined(CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR)
20046+#define MODULE_PAX_KERNEXEC "KERNEXEC_OR "
20047+#else
20048+#define MODULE_PAX_KERNEXEC ""
20049 #endif
20050
20051+#ifdef CONFIG_PAX_MEMORY_UDEREF
20052+#define MODULE_PAX_UDEREF "UDEREF "
20053+#else
20054+#define MODULE_PAX_UDEREF ""
20055+#endif
20056+
20057+#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
20058+
20059 #endif /* _ASM_X86_MODULE_H */
20060diff --git a/arch/x86/include/asm/nmi.h b/arch/x86/include/asm/nmi.h
20061index 5f2fc44..106caa6 100644
20062--- a/arch/x86/include/asm/nmi.h
20063+++ b/arch/x86/include/asm/nmi.h
20064@@ -36,26 +36,35 @@ enum {
20065
20066 typedef int (*nmi_handler_t)(unsigned int, struct pt_regs *);
20067
20068+struct nmiaction;
20069+
20070+struct nmiwork {
20071+ const struct nmiaction *action;
20072+ u64 max_duration;
20073+ struct irq_work irq_work;
20074+};
20075+
20076 struct nmiaction {
20077 struct list_head list;
20078 nmi_handler_t handler;
20079- u64 max_duration;
20080- struct irq_work irq_work;
20081 unsigned long flags;
20082 const char *name;
20083-};
20084+ struct nmiwork *work;
20085+} __do_const;
20086
20087 #define register_nmi_handler(t, fn, fg, n, init...) \
20088 ({ \
20089- static struct nmiaction init fn##_na = { \
20090+ static struct nmiwork fn##_nw; \
20091+ static const struct nmiaction init fn##_na = { \
20092 .handler = (fn), \
20093 .name = (n), \
20094 .flags = (fg), \
20095+ .work = &fn##_nw, \
20096 }; \
20097 __register_nmi_handler((t), &fn##_na); \
20098 })
20099
20100-int __register_nmi_handler(unsigned int, struct nmiaction *);
20101+int __register_nmi_handler(unsigned int, const struct nmiaction *);
20102
20103 void unregister_nmi_handler(unsigned int, const char *);
20104
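Review bot: `struct nmiwork` is introduced without a comment, and nothing states that it holds the writable per-handler state (`max_duration`, `irq_work`) so that `struct nmiaction` can become `const` and `__do_const`. A one-line comment such as `/* mutable per-handler state, kept out of the read-only nmiaction */` above the struct would record that intent. In `register_nmi_handler()` the `init` argument is applied only to `fn##_na`, so `fn##_nw` stays resident even for handlers registered with an init section attribute. A caller passing a writable-section attribute such as `__initdata` would now be placing a `const` object in that section; the callers are not visible here, so this needs checking against them.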
20105diff --git a/arch/x86/include/asm/page.h b/arch/x86/include/asm/page.h
20106index 802dde3..9183e68 100644
20107--- a/arch/x86/include/asm/page.h
20108+++ b/arch/x86/include/asm/page.h
20109@@ -52,6 +52,7 @@ static inline void copy_user_page(void *to, void *from, unsigned long vaddr,
20110 __phys_addr_symbol(__phys_reloc_hide((unsigned long)(x)))
20111
20112 #define __va(x) ((void *)((unsigned long)(x)+PAGE_OFFSET))
20113+#define __early_va(x) ((void *)((unsigned long)(x)+__START_KERNEL_map - phys_base))
20114
20115 #define __boot_va(x) __va(x)
20116 #define __boot_pa(x) __pa(x)
20117@@ -60,11 +61,21 @@ static inline void copy_user_page(void *to, void *from, unsigned long vaddr,
20118 * virt_to_page(kaddr) returns a valid pointer if and only if
20119 * virt_addr_valid(kaddr) returns true.
20120 */
20121-#define virt_to_page(kaddr) pfn_to_page(__pa(kaddr) >> PAGE_SHIFT)
20122 #define pfn_to_kaddr(pfn) __va((pfn) << PAGE_SHIFT)
20123 extern bool __virt_addr_valid(unsigned long kaddr);
20124 #define virt_addr_valid(kaddr) __virt_addr_valid((unsigned long) (kaddr))
20125
20126+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
20127+#define virt_to_page(kaddr) \
20128+ ({ \
20129+ const void *__kaddr = (const void *)(kaddr); \
20130+ BUG_ON(!virt_addr_valid(__kaddr)); \
20131+ pfn_to_page(__pa(__kaddr) >> PAGE_SHIFT); \
20132+ })
20133+#else
20134+#define virt_to_page(kaddr) pfn_to_page(__pa(kaddr) >> PAGE_SHIFT)
20135+#endif
20136+
20137 #endif /* __ASSEMBLY__ */
20138
20139 #include <asm-generic/memory_model.h>
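Review bot: The CONFIG_GRKERNSEC_KSTACKOVERFLOW variant of `virt_to_page()` adds `BUG_ON(!virt_addr_valid(__kaddr))` with no comment explaining why address validation is tied to that option. Every caller that passes an address outside the direct mapping now halts the kernel instead of getting a bogus page pointer, which is a behaviour change worth stating where the macro is defined. A short comment along the lines of `/* with KSTACKOVERFLOW some kernel addresses (presumably the stacks) are not in the direct map; catch misuse early */` would help, with the reason confirmed against the option's implementation. The existing comment about `virt_addr_valid()` now sits several lines above the macro it describes and could be moved down next to it.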
20140diff --git a/arch/x86/include/asm/page_32.h b/arch/x86/include/asm/page_32.h
20141index 904f528..b4d0d24 100644
20142--- a/arch/x86/include/asm/page_32.h
20143+++ b/arch/x86/include/asm/page_32.h
20144@@ -7,11 +7,17 @@
20145
20146 #define __phys_addr_nodebug(x) ((x) - PAGE_OFFSET)
20147 #ifdef CONFIG_DEBUG_VIRTUAL
20148-extern unsigned long __phys_addr(unsigned long);
20149+extern unsigned long __intentional_overflow(-1) __phys_addr(unsigned long);
20150 #else
20151-#define __phys_addr(x) __phys_addr_nodebug(x)
20152+static inline unsigned long __intentional_overflow(-1) __phys_addr(unsigned long x)
20153+{
20154+ return __phys_addr_nodebug(x);
20155+}
20156 #endif
20157-#define __phys_addr_symbol(x) __phys_addr(x)
20158+static inline unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long x)
20159+{
20160+ return __phys_addr(x);
20161+}
20162 #define __phys_reloc_hide(x) RELOC_HIDE((x), 0)
20163
20164 #ifdef CONFIG_FLATMEM
20165diff --git a/arch/x86/include/asm/page_64.h b/arch/x86/include/asm/page_64.h
20166index b3bebf9..cb419e7 100644
20167--- a/arch/x86/include/asm/page_64.h
20168+++ b/arch/x86/include/asm/page_64.h
20169@@ -7,9 +7,9 @@
20170
20171 /* duplicated to the one in bootmem.h */
20172 extern unsigned long max_pfn;
20173-extern unsigned long phys_base;
20174+extern const unsigned long phys_base;
20175
20176-static inline unsigned long __phys_addr_nodebug(unsigned long x)
20177+static inline unsigned long __intentional_overflow(-1) __phys_addr_nodebug(unsigned long x)
20178 {
20179 unsigned long y = x - __START_KERNEL_map;
20180
20181@@ -20,12 +20,14 @@ static inline unsigned long __phys_addr_nodebug(unsigned long x)
20182 }
20183
20184 #ifdef CONFIG_DEBUG_VIRTUAL
20185-extern unsigned long __phys_addr(unsigned long);
20186-extern unsigned long __phys_addr_symbol(unsigned long);
20187+extern unsigned long __intentional_overflow(-1) __phys_addr(unsigned long);
20188+extern unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long);
20189 #else
20190 #define __phys_addr(x) __phys_addr_nodebug(x)
20191-#define __phys_addr_symbol(x) \
20192- ((unsigned long)(x) - __START_KERNEL_map + phys_base)
20193+static inline unsigned long __intentional_overflow(-1) __phys_addr_symbol(unsigned long x)
20194+{
20195+ return x - __START_KERNEL_map + phys_base;
20196+}
20197 #endif
20198
20199 #define __phys_reloc_hide(x) (x)
20200diff --git a/arch/x86/include/asm/paravirt.h b/arch/x86/include/asm/paravirt.h
20201index d143bfa..30d1f41 100644
20202--- a/arch/x86/include/asm/paravirt.h
20203+++ b/arch/x86/include/asm/paravirt.h
20204@@ -560,7 +560,7 @@ static inline pmd_t __pmd(pmdval_t val)
20205 return (pmd_t) { ret };
20206 }
20207
20208-static inline pmdval_t pmd_val(pmd_t pmd)
20209+static inline __intentional_overflow(-1) pmdval_t pmd_val(pmd_t pmd)
20210 {
20211 pmdval_t ret;
20212
20213@@ -626,6 +626,18 @@ static inline void set_pgd(pgd_t *pgdp, pgd_t pgd)
20214 val);
20215 }
20216
20217+static inline void set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
20218+{
20219+ pgdval_t val = native_pgd_val(pgd);
20220+
20221+ if (sizeof(pgdval_t) > sizeof(long))
20222+ PVOP_VCALL3(pv_mmu_ops.set_pgd_batched, pgdp,
20223+ val, (u64)val >> 32);
20224+ else
20225+ PVOP_VCALL2(pv_mmu_ops.set_pgd_batched, pgdp,
20226+ val);
20227+}
20228+
20229 static inline void pgd_clear(pgd_t *pgdp)
20230 {
20231 set_pgd(pgdp, __pgd(0));
20232@@ -710,6 +722,21 @@ static inline void __set_fixmap(unsigned /* enum fixed_addresses */ idx,
20233 pv_mmu_ops.set_fixmap(idx, phys, flags);
20234 }
20235
20236+#ifdef CONFIG_PAX_KERNEXEC
20237+static inline unsigned long pax_open_kernel(void)
20238+{
20239+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
20240+}
20241+
20242+static inline unsigned long pax_close_kernel(void)
20243+{
20244+ return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
20245+}
20246+#else
20247+static inline unsigned long pax_open_kernel(void) { return 0; }
20248+static inline unsigned long pax_close_kernel(void) { return 0; }
20249+#endif
20250+
20251 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
20252
20253 #ifdef CONFIG_QUEUED_SPINLOCKS
20254@@ -933,7 +960,7 @@ extern void default_banner(void);
20255
20256 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
20257 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
20258-#define PARA_INDIRECT(addr) *%cs:addr
20259+#define PARA_INDIRECT(addr) *%ss:addr
20260 #endif
20261
20262 #define INTERRUPT_RETURN \
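Review bot: `PARA_INDIRECT` switches its segment override from `%cs` to `%ss` with no comment, and this is the kind of change a later cleanup would revert as a typo. Judging by the surrounding `#endif`, this is the 32-bit definition, and presumably the override changes because KERNEXEC gives the kernel code segment a base that no longer matches the data mapping of the pv ops tables. That reasoning should be confirmed and written down, e.g. `/* %ss, not %cs: under KERNEXEC the kernel CS base differs from the flat data segments */`. If the change is only needed with CONFIG_PAX_KERNEXEC, making it conditional would keep the non-hardened build identical to upstream.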
20263@@ -1003,6 +1030,21 @@ extern void default_banner(void);
20264 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_usergs_sysret64), \
20265 CLBR_NONE, \
20266 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_usergs_sysret64))
20267+
20268+#define GET_CR0_INTO_RDI \
20269+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
20270+ mov %rax,%rdi
20271+
20272+#define SET_RDI_INTO_CR0 \
20273+ call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
20274+
20275+#define GET_CR3_INTO_RDI \
20276+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
20277+ mov %rax,%rdi
20278+
20279+#define SET_RDI_INTO_CR3 \
20280+ call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
20281+
20282 #endif /* CONFIG_X86_32 */
20283
20284 #endif /* __ASSEMBLY__ */
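Review bot: The four new macros (`GET_CR0_INTO_RDI`, `SET_RDI_INTO_CR0`, `GET_CR3_INTO_RDI`, `SET_RDI_INTO_CR3`) use a bare `call PARA_INDIRECT(...)`, unlike the neighbouring macros which wrap the instruction in `PARA_SITE(...)` with an explicit clobber mask. As written the sites are not recorded for paravirt patching and nothing documents which registers a user must treat as lost. The GET variants overwrite `%rax` and `%rdi`, and because the target is an ordinary function pointer the other caller-saved registers may be clobbered as well. A comment above the group such as `/* not patched; clobbers all caller-saved registers, result/argument in %rdi */` would make the contract explicit, or the macros could follow the `PARA_SITE` pattern if patching is wanted.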
20285diff --git a/arch/x86/include/asm/paravirt_types.h b/arch/x86/include/asm/paravirt_types.h
20286index a6b8f9f..fd61ef7 100644
20287--- a/arch/x86/include/asm/paravirt_types.h
20288+++ b/arch/x86/include/asm/paravirt_types.h
20289@@ -84,7 +84,7 @@ struct pv_init_ops {
20290 */
20291 unsigned (*patch)(u8 type, u16 clobber, void *insnbuf,
20292 unsigned long addr, unsigned len);
20293-};
20294+} __no_const __no_randomize_layout;
20295
20296
20297 struct pv_lazy_ops {
20298@@ -92,13 +92,13 @@ struct pv_lazy_ops {
20299 void (*enter)(void);
20300 void (*leave)(void);
20301 void (*flush)(void);
20302-};
20303+} __no_randomize_layout;
20304
20305 struct pv_time_ops {
20306 unsigned long long (*sched_clock)(void);
20307 unsigned long long (*steal_clock)(int cpu);
20308 unsigned long (*get_tsc_khz)(void);
20309-};
20310+} __no_const __no_randomize_layout;
20311
20312 struct pv_cpu_ops {
20313 /* hooks for various privileged instructions */
20314@@ -193,7 +193,7 @@ struct pv_cpu_ops {
20315
20316 void (*start_context_switch)(struct task_struct *prev);
20317 void (*end_context_switch)(struct task_struct *next);
20318-};
20319+} __no_const __no_randomize_layout;
20320
20321 struct pv_irq_ops {
20322 /*
20323@@ -216,7 +216,7 @@ struct pv_irq_ops {
20324 #ifdef CONFIG_X86_64
20325 void (*adjust_exception_frame)(void);
20326 #endif
20327-};
20328+} __no_randomize_layout;
20329
20330 struct pv_apic_ops {
20331 #ifdef CONFIG_X86_LOCAL_APIC
20332@@ -224,7 +224,7 @@ struct pv_apic_ops {
20333 unsigned long start_eip,
20334 unsigned long start_esp);
20335 #endif
20336-};
20337+} __no_const __no_randomize_layout;
20338
20339 struct pv_mmu_ops {
20340 unsigned long (*read_cr2)(void);
20341@@ -314,6 +314,7 @@ struct pv_mmu_ops {
20342 struct paravirt_callee_save make_pud;
20343
20344 void (*set_pgd)(pgd_t *pudp, pgd_t pgdval);
20345+ void (*set_pgd_batched)(pgd_t *pudp, pgd_t pgdval);
20346 #endif /* CONFIG_PGTABLE_LEVELS == 4 */
20347 #endif /* CONFIG_PGTABLE_LEVELS >= 3 */
20348
20349@@ -325,7 +326,13 @@ struct pv_mmu_ops {
20350 an mfn. We can tell which is which from the index. */
20351 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
20352 phys_addr_t phys, pgprot_t flags);
20353-};
20354+
20355+#ifdef CONFIG_PAX_KERNEXEC
20356+ unsigned long (*pax_open_kernel)(void);
20357+ unsigned long (*pax_close_kernel)(void);
20358+#endif
20359+
20360+} __no_randomize_layout;
20361
20362 struct arch_spinlock;
20363 #ifdef CONFIG_SMP
20364@@ -347,11 +354,14 @@ struct pv_lock_ops {
20365 struct paravirt_callee_save lock_spinning;
20366 void (*unlock_kick)(struct arch_spinlock *lock, __ticket_t ticket);
20367 #endif /* !CONFIG_QUEUED_SPINLOCKS */
20368-};
20369+} __no_randomize_layout;
20370
20371 /* This contains all the paravirt structures: we get a convenient
20372 * number for each function using the offset which we use to indicate
20373- * what to patch. */
20374+ * what to patch.
20375+ * shouldn't be randomized due to the "NEAT TRICK" in paravirt.c
20376+ */
20377+
20378 struct paravirt_patch_template {
20379 struct pv_init_ops pv_init_ops;
20380 struct pv_time_ops pv_time_ops;
20381@@ -360,7 +370,7 @@ struct paravirt_patch_template {
20382 struct pv_apic_ops pv_apic_ops;
20383 struct pv_mmu_ops pv_mmu_ops;
20384 struct pv_lock_ops pv_lock_ops;
20385-};
20386+} __no_randomize_layout;
20387
20388 extern struct pv_info pv_info;
20389 extern struct pv_init_ops pv_init_ops;
20390diff --git a/arch/x86/include/asm/pgalloc.h b/arch/x86/include/asm/pgalloc.h
20391index bf7f8b5..ca5799d 100644
20392--- a/arch/x86/include/asm/pgalloc.h
20393+++ b/arch/x86/include/asm/pgalloc.h
20394@@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(struct mm_struct *mm,
20395 pmd_t *pmd, pte_t *pte)
20396 {
20397 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
20398+ set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
20399+}
20400+
20401+static inline void pmd_populate_user(struct mm_struct *mm,
20402+ pmd_t *pmd, pte_t *pte)
20403+{
20404+ paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
20405 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
20406 }
20407
20408@@ -108,12 +115,22 @@ static inline void __pmd_free_tlb(struct mmu_gather *tlb, pmd_t *pmd,
20409
20410 #ifdef CONFIG_X86_PAE
20411 extern void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd);
20412+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
20413+{
20414+ pud_populate(mm, pudp, pmd);
20415+}
20416 #else /* !CONFIG_X86_PAE */
20417 static inline void pud_populate(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
20418 {
20419 paravirt_alloc_pmd(mm, __pa(pmd) >> PAGE_SHIFT);
20420 set_pud(pud, __pud(_PAGE_TABLE | __pa(pmd)));
20421 }
20422+
20423+static inline void pud_populate_kernel(struct mm_struct *mm, pud_t *pud, pmd_t *pmd)
20424+{
20425+ paravirt_alloc_pmd(mm, __pa(pmd) >> PAGE_SHIFT);
20426+ set_pud(pud, __pud(_KERNPG_TABLE | __pa(pmd)));
20427+}
20428 #endif /* CONFIG_X86_PAE */
20429
20430 #if CONFIG_PGTABLE_LEVELS > 3
20431@@ -123,6 +140,12 @@ static inline void pgd_populate(struct mm_struct *mm, pgd_t *pgd, pud_t *pud)
20432 set_pgd(pgd, __pgd(_PAGE_TABLE | __pa(pud)));
20433 }
20434
20435+static inline void pgd_populate_kernel(struct mm_struct *mm, pgd_t *pgd, pud_t *pud)
20436+{
20437+ paravirt_alloc_pud(mm, __pa(pud) >> PAGE_SHIFT);
20438+ set_pgd(pgd, __pgd(_KERNPG_TABLE | __pa(pud)));
20439+}
20440+
20441 static inline pud_t *pud_alloc_one(struct mm_struct *mm, unsigned long addr)
20442 {
20443 return (pud_t *)get_zeroed_page(GFP_KERNEL|__GFP_REPEAT);
20444diff --git a/arch/x86/include/asm/pgtable-2level.h b/arch/x86/include/asm/pgtable-2level.h
20445index fd74a11..35fd5af 100644
20446--- a/arch/x86/include/asm/pgtable-2level.h
20447+++ b/arch/x86/include/asm/pgtable-2level.h
20448@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t *ptep , pte_t pte)
20449
20450 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
20451 {
20452+ pax_open_kernel();
20453 *pmdp = pmd;
20454+ pax_close_kernel();
20455 }
20456
20457 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
20458diff --git a/arch/x86/include/asm/pgtable-3level.h b/arch/x86/include/asm/pgtable-3level.h
20459index cdaa58c..ae30f0d 100644
20460--- a/arch/x86/include/asm/pgtable-3level.h
20461+++ b/arch/x86/include/asm/pgtable-3level.h
20462@@ -92,12 +92,16 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
20463
20464 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
20465 {
20466+ pax_open_kernel();
20467 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
20468+ pax_close_kernel();
20469 }
20470
20471 static inline void native_set_pud(pud_t *pudp, pud_t pud)
20472 {
20473+ pax_open_kernel();
20474 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
20475+ pax_close_kernel();
20476 }
20477
20478 /*
20479@@ -116,9 +120,12 @@ static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr,
20480 static inline void native_pmd_clear(pmd_t *pmd)
20481 {
20482 u32 *tmp = (u32 *)pmd;
20483+
20484+ pax_open_kernel();
20485 *tmp = 0;
20486 smp_wmb();
20487 *(tmp + 1) = 0;
20488+ pax_close_kernel();
20489 }
20490
20491 static inline void pud_clear(pud_t *pudp)
20492diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
20493index 867da5b..7ec083d 100644
20494--- a/arch/x86/include/asm/pgtable.h
20495+++ b/arch/x86/include/asm/pgtable.h
20496@@ -47,6 +47,7 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
20497
20498 #ifndef __PAGETABLE_PUD_FOLDED
20499 #define set_pgd(pgdp, pgd) native_set_pgd(pgdp, pgd)
20500+#define set_pgd_batched(pgdp, pgd) native_set_pgd_batched(pgdp, pgd)
20501 #define pgd_clear(pgd) native_pgd_clear(pgd)
20502 #endif
20503
20504@@ -84,12 +85,53 @@ extern struct mm_struct *pgd_page_get_mm(struct page *page);
20505
20506 #define arch_end_context_switch(prev) do {} while(0)
20507
20508+#define pax_open_kernel() native_pax_open_kernel()
20509+#define pax_close_kernel() native_pax_close_kernel()
20510 #endif /* CONFIG_PARAVIRT */
20511
20512+#define __HAVE_ARCH_PAX_OPEN_KERNEL
20513+#define __HAVE_ARCH_PAX_CLOSE_KERNEL
20514+
20515+#ifdef CONFIG_PAX_KERNEXEC
20516+static inline unsigned long native_pax_open_kernel(void)
20517+{
20518+ unsigned long cr0;
20519+
20520+ preempt_disable();
20521+ barrier();
20522+ cr0 = read_cr0() ^ X86_CR0_WP;
20523+ BUG_ON(cr0 & X86_CR0_WP);
20524+ write_cr0(cr0);
20525+ barrier();
20526+ return cr0 ^ X86_CR0_WP;
20527+}
20528+
20529+static inline unsigned long native_pax_close_kernel(void)
20530+{
20531+ unsigned long cr0;
20532+
20533+ barrier();
20534+ cr0 = read_cr0() ^ X86_CR0_WP;
20535+ BUG_ON(!(cr0 & X86_CR0_WP));
20536+ write_cr0(cr0);
20537+ barrier();
20538+ preempt_enable_no_resched();
20539+ return cr0 ^ X86_CR0_WP;
20540+}
20541+#else
20542+static inline unsigned long native_pax_open_kernel(void) { return 0; }
20543+static inline unsigned long native_pax_close_kernel(void) { return 0; }
20544+#endif
20545+
20546 /*
20547 * The following only work if pte_present() is true.
20548 * Undefined behaviour if not..
20549 */
20550+static inline int pte_user(pte_t pte)
20551+{
20552+ return pte_val(pte) & _PAGE_USER;
20553+}
20554+
20555 static inline int pte_dirty(pte_t pte)
20556 {
20557 return pte_flags(pte) & _PAGE_DIRTY;
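Review bot: `native_pax_open_kernel()` and `native_pax_close_kernel()` have no comment describing their contract, and the code implies a strict one. Each toggles `X86_CR0_WP` with an XOR and then asserts the result, so a nested open, or a close without a matching open, hits `BUG_ON` rather than being tolerated. Preemption stays disabled between the two calls, while interrupts are not masked here, so an interrupt handler arriving inside the window runs with write protection off and must not call `pax_open_kernel()` itself. Both return the CR0 value read before the write, yet the callers visible in this patch ignore it. A kernel-doc block stating those four facts, plus a note to keep the bracketed region to a few stores, would make misuse much harder. Separately, `pte_user()` tests `pte_val(pte)` where the neighbouring `pte_dirty()` uses `pte_flags(pte)`; using `pte_flags()` would be consistent.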
20558@@ -150,6 +192,11 @@ static inline unsigned long pud_pfn(pud_t pud)
20559 return (pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT;
20560 }
20561
20562+static inline unsigned long pgd_pfn(pgd_t pgd)
20563+{
20564+ return (pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT;
20565+}
20566+
20567 #define pte_page(pte) pfn_to_page(pte_pfn(pte))
20568
20569 static inline int pmd_large(pmd_t pte)
20570@@ -203,9 +250,29 @@ static inline pte_t pte_wrprotect(pte_t pte)
20571 return pte_clear_flags(pte, _PAGE_RW);
20572 }
20573
20574+static inline pte_t pte_mkread(pte_t pte)
20575+{
20576+ return __pte(pte_val(pte) | _PAGE_USER);
20577+}
20578+
20579 static inline pte_t pte_mkexec(pte_t pte)
20580 {
20581- return pte_clear_flags(pte, _PAGE_NX);
20582+#ifdef CONFIG_X86_PAE
20583+ if (__supported_pte_mask & _PAGE_NX)
20584+ return pte_clear_flags(pte, _PAGE_NX);
20585+ else
20586+#endif
20587+ return pte_set_flags(pte, _PAGE_USER);
20588+}
20589+
20590+static inline pte_t pte_exprotect(pte_t pte)
20591+{
20592+#ifdef CONFIG_X86_PAE
20593+ if (__supported_pte_mask & _PAGE_NX)
20594+ return pte_set_flags(pte, _PAGE_NX);
20595+ else
20596+#endif
20597+ return pte_clear_flags(pte, _PAGE_USER);
20598 }
20599
20600 static inline pte_t pte_mkdirty(pte_t pte)
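Review bot: In `pte_mkexec()` and `pte_exprotect()` the NX branch is guarded by `#ifdef CONFIG_X86_PAE` alone, so on any build without that symbol, which includes x86_64, only the `_PAGE_USER` line is compiled. There `pte_mkexec()` no longer clears `_PAGE_NX` but sets `_PAGE_USER`, and `pte_exprotect()` clears `_PAGE_USER`, which is not what a 64-bit caller would expect. The helpers may only be called from 32-bit PAGEEXEC code, but that is not visible from this header. Using the same condition this patch uses for the `_PAGE_NX` definition, `#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)`, in both functions would keep the upstream behaviour wherever hardware NX exists. The `else` that dangles across the `#endif` is also fragile; braces around both arms would make the two configurations read the same.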
20601@@ -426,6 +493,16 @@ pte_t *populate_extra_pte(unsigned long vaddr);
20602 #endif
20603
20604 #ifndef __ASSEMBLY__
20605+
20606+#ifdef CONFIG_PAX_PER_CPU_PGD
20607+extern pgd_t cpu_pgd[NR_CPUS][2][PTRS_PER_PGD];
20608+enum cpu_pgd_type {kernel = 0, user = 1};
20609+static inline pgd_t *get_cpu_pgd(unsigned int cpu, enum cpu_pgd_type type)
20610+{
20611+ return cpu_pgd[cpu][type];
20612+}
20613+#endif
20614+
20615 #include <linux/mm_types.h>
20616 #include <linux/mmdebug.h>
20617 #include <linux/log2.h>
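Review bot: `enum cpu_pgd_type {kernel = 0, user = 1};` puts the very generic identifiers `kernel` and `user` into the global namespace of every file that includes `asm/pgtable.h`. Any file-scope object or function with either name then fails to compile, and local variables silently shadow the enumerators. Prefixed names such as `enum cpu_pgd_type { CPU_PGD_KERNEL = 0, CPU_PGD_USER = 1 };` avoid that, at the cost of updating the callers, which are outside this hunk. `get_cpu_pgd()` also indexes `cpu_pgd[cpu][type]` without a comment saying that `cpu` must be below `NR_CPUS`; stating that precondition would be enough.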
20618@@ -577,7 +654,7 @@ static inline unsigned long pud_page_vaddr(pud_t pud)
20619 * Currently stuck as a macro due to indirect forward reference to
20620 * linux/mmzone.h's __section_mem_map_addr() definition:
20621 */
20622-#define pud_page(pud) pfn_to_page(pud_val(pud) >> PAGE_SHIFT)
20623+#define pud_page(pud) pfn_to_page((pud_val(pud) & PTE_PFN_MASK) >> PAGE_SHIFT)
20624
20625 /* Find an entry in the second-level page table.. */
20626 static inline pmd_t *pmd_offset(pud_t *pud, unsigned long address)
20627@@ -617,7 +694,7 @@ static inline unsigned long pgd_page_vaddr(pgd_t pgd)
20628 * Currently stuck as a macro due to indirect forward reference to
20629 * linux/mmzone.h's __section_mem_map_addr() definition:
20630 */
20631-#define pgd_page(pgd) pfn_to_page(pgd_val(pgd) >> PAGE_SHIFT)
20632+#define pgd_page(pgd) pfn_to_page((pgd_val(pgd) & PTE_PFN_MASK) >> PAGE_SHIFT)
20633
20634 /* to find an entry in a page-table-directory. */
20635 static inline unsigned long pud_index(unsigned long address)
20636@@ -632,7 +709,7 @@ static inline pud_t *pud_offset(pgd_t *pgd, unsigned long address)
20637
20638 static inline int pgd_bad(pgd_t pgd)
20639 {
20640- return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
20641+ return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
20642 }
20643
20644 static inline int pgd_none(pgd_t pgd)
20645@@ -655,7 +732,12 @@ static inline int pgd_none(pgd_t pgd)
20646 * pgd_offset() returns a (pgd_t *)
20647 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
20648 */
20649-#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
20650+#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
20651+
20652+#ifdef CONFIG_PAX_PER_CPU_PGD
20653+#define pgd_offset_cpu(cpu, type, address) (get_cpu_pgd(cpu, type) + pgd_index(address))
20654+#endif
20655+
20656 /*
20657 * a shortcut which implies the use of the kernel's pgd, instead
20658 * of a process's
20659@@ -666,6 +748,25 @@ static inline int pgd_none(pgd_t pgd)
20660 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
20661 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
20662
20663+#ifdef CONFIG_X86_32
20664+#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
20665+#else
20666+#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
20667+#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
20668+
20669+#ifdef CONFIG_PAX_MEMORY_UDEREF
20670+#ifdef __ASSEMBLY__
20671+#define pax_user_shadow_base pax_user_shadow_base(%rip)
20672+#else
20673+extern unsigned long pax_user_shadow_base;
20674+extern pgdval_t clone_pgd_mask;
20675+#endif
20676+#else
20677+#define pax_user_shadow_base (0UL)
20678+#endif
20679+
20680+#endif
20681+
20682 #ifndef __ASSEMBLY__
20683
20684 extern int direct_gbpages;
20685@@ -832,11 +933,24 @@ static inline void pmdp_set_wrprotect(struct mm_struct *mm,
20686 * dst and src can be on the same page, but the range must not overlap,
20687 * and must not cross a page boundary.
20688 */
20689-static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
20690+static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
20691 {
20692- memcpy(dst, src, count * sizeof(pgd_t));
20693+ pax_open_kernel();
20694+ while (count--)
20695+ *dst++ = *src++;
20696+ pax_close_kernel();
20697 }
20698
20699+#ifdef CONFIG_PAX_PER_CPU_PGD
20700+extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src);
20701+#endif
20702+
20703+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20704+extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src);
20705+#else
20706+static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src) {}
20707+#endif
20708+
20709 #define PTE_SHIFT ilog2(PTRS_PER_PTE)
20710 static inline int page_level_shift(enum pg_level level)
20711 {
20712diff --git a/arch/x86/include/asm/pgtable_32.h b/arch/x86/include/asm/pgtable_32.h
20713index b6c0b40..3535d47 100644
20714--- a/arch/x86/include/asm/pgtable_32.h
20715+++ b/arch/x86/include/asm/pgtable_32.h
20716@@ -25,9 +25,6 @@
20717 struct mm_struct;
20718 struct vm_area_struct;
20719
20720-extern pgd_t swapper_pg_dir[1024];
20721-extern pgd_t initial_page_table[1024];
20722-
20723 static inline void pgtable_cache_init(void) { }
20724 static inline void check_pgt_cache(void) { }
20725 void paging_init(void);
20726@@ -45,6 +42,12 @@ void paging_init(void);
20727 # include <asm/pgtable-2level.h>
20728 #endif
20729
20730+extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
20731+extern pgd_t initial_page_table[PTRS_PER_PGD];
20732+#ifdef CONFIG_X86_PAE
20733+extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
20734+#endif
20735+
20736 #if defined(CONFIG_HIGHPTE)
20737 #define pte_offset_map(dir, address) \
20738 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
20739@@ -59,12 +62,17 @@ void paging_init(void);
20740 /* Clear a kernel PTE and flush it from the TLB */
20741 #define kpte_clear_flush(ptep, vaddr) \
20742 do { \
20743+ pax_open_kernel(); \
20744 pte_clear(&init_mm, (vaddr), (ptep)); \
20745+ pax_close_kernel(); \
20746 __flush_tlb_one((vaddr)); \
20747 } while (0)
20748
20749 #endif /* !__ASSEMBLY__ */
20750
20751+#define HAVE_ARCH_UNMAPPED_AREA
20752+#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
20753+
20754 /*
20755 * kern_addr_valid() is (1) for FLATMEM and (0) for
20756 * SPARSEMEM and DISCONTIGMEM
20757diff --git a/arch/x86/include/asm/pgtable_32_types.h b/arch/x86/include/asm/pgtable_32_types.h
20758index 9fb2f2b..8e18c70 100644
20759--- a/arch/x86/include/asm/pgtable_32_types.h
20760+++ b/arch/x86/include/asm/pgtable_32_types.h
20761@@ -8,7 +8,7 @@
20762 */
20763 #ifdef CONFIG_X86_PAE
20764 # include <asm/pgtable-3level_types.h>
20765-# define PMD_SIZE (1UL << PMD_SHIFT)
20766+# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
20767 # define PMD_MASK (~(PMD_SIZE - 1))
20768 #else
20769 # include <asm/pgtable-2level_types.h>
20770@@ -46,6 +46,28 @@ extern bool __vmalloc_start_set; /* set once high_memory is set */
20771 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
20772 #endif
20773
20774+#ifdef CONFIG_PAX_KERNEXEC
20775+#ifndef __ASSEMBLY__
20776+extern unsigned char MODULES_EXEC_VADDR[];
20777+extern unsigned char MODULES_EXEC_END[];
20778+
20779+extern unsigned char __LOAD_PHYSICAL_ADDR[];
20780+#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
20781+static inline unsigned long __intentional_overflow(-1) ktla_ktva(unsigned long addr)
20782+{
20783+ return addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET;
20784+
20785+}
20786+static inline unsigned long __intentional_overflow(-1) ktva_ktla(unsigned long addr)
20787+{
20788+ return addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET;
20789+}
20790+#endif
20791+#else
20792+#define ktla_ktva(addr) (addr)
20793+#define ktva_ktla(addr) (addr)
20794+#endif
20795+
20796 #define MODULES_VADDR VMALLOC_START
20797 #define MODULES_END VMALLOC_END
20798 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
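Review bot: `ktla_ktva()` and `ktva_ktla()` are added without any comment, and the abbreviations are opaque to anyone not already familiar with PaX. A short header comment should expand them (presumably kernel-text linear address and kernel-text virtual address) and say that under KERNEXEC on 32-bit the two differ by `LOAD_PHYSICAL_ADDR + PAGE_OFFSET`, as the bodies show. With CONFIG_PAX_KERNEXEC set and `__ASSEMBLY__` defined, neither the inline functions nor the identity macros are provided, so an assembly file using these names would need its own definition; whether any does cannot be seen from this hunk. The stray blank line before the closing brace of `ktla_ktva()` can be dropped.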
20799diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
20800index 2ee7811..afd76c0 100644
20801--- a/arch/x86/include/asm/pgtable_64.h
20802+++ b/arch/x86/include/asm/pgtable_64.h
20803@@ -16,11 +16,17 @@
20804
20805 extern pud_t level3_kernel_pgt[512];
20806 extern pud_t level3_ident_pgt[512];
20807+extern pud_t level3_vmalloc_start_pgt[512];
20808+extern pud_t level3_vmalloc_end_pgt[512];
20809+extern pud_t level3_vmemmap_pgt[512];
20810+extern pud_t level2_vmemmap_pgt[512];
20811 extern pmd_t level2_kernel_pgt[512];
20812 extern pmd_t level2_fixmap_pgt[512];
20813-extern pmd_t level2_ident_pgt[512];
20814-extern pte_t level1_fixmap_pgt[512];
20815-extern pgd_t init_level4_pgt[];
20816+extern pmd_t level2_ident_pgt[2][512];
20817+extern pte_t level1_modules_pgt[4][512];
20818+extern pte_t level1_fixmap_pgt[3][512];
20819+extern pte_t level1_vsyscall_pgt[512];
20820+extern pgd_t init_level4_pgt[512];
20821
20822 #define swapper_pg_dir init_level4_pgt
20823
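Review bot: `extern pud_t level2_vmemmap_pgt[512];` declares a table named level2 with the level-3 entry type, while every other level2 table in this list (`level2_kernel_pgt`, `level2_fixmap_pgt`, `level2_ident_pgt`) is `pmd_t`. If it really is a PMD-level table, the declaration should read `extern pmd_t level2_vmemmap_pgt[512];`. The mismatch would go undiagnosed if the table is defined in assembly, as the neighbouring tables presumably are, but it defeats the type checking that the `pud_t`/`pmd_t` wrappers exist to provide. The definition is outside this hunk, so the intended level should be confirmed there.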
20824@@ -62,7 +68,9 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
20825
20826 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
20827 {
20828+ pax_open_kernel();
20829 *pmdp = pmd;
20830+ pax_close_kernel();
20831 }
20832
20833 static inline void native_pmd_clear(pmd_t *pmd)
20834@@ -98,7 +106,9 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp)
20835
20836 static inline void native_set_pud(pud_t *pudp, pud_t pud)
20837 {
20838+ pax_open_kernel();
20839 *pudp = pud;
20840+ pax_close_kernel();
20841 }
20842
20843 static inline void native_pud_clear(pud_t *pud)
20844@@ -108,6 +118,13 @@ static inline void native_pud_clear(pud_t *pud)
20845
20846 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
20847 {
20848+ pax_open_kernel();
20849+ *pgdp = pgd;
20850+ pax_close_kernel();
20851+}
20852+
20853+static inline void native_set_pgd_batched(pgd_t *pgdp, pgd_t pgd)
20854+{
20855 *pgdp = pgd;
20856 }
20857
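Review bot: `native_set_pgd_batched()` performs the same store as `native_set_pgd()` but without the `pax_open_kernel()`/`pax_close_kernel()` pair, and nothing documents that difference. Presumably it is meant for callers that already hold the kernel open around a series of PGD writes; if called outside such a window on a KERNEXEC kernel, the store would target a write-protected page table. A comment such as `/* caller must already be between pax_open_kernel() and pax_close_kernel() */` above the function would record the requirement.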
20858diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h
20859index e6844df..432b56e 100644
20860--- a/arch/x86/include/asm/pgtable_64_types.h
20861+++ b/arch/x86/include/asm/pgtable_64_types.h
20862@@ -60,11 +60,16 @@ typedef struct { pteval_t pte; } pte_t;
20863 #define MODULES_VADDR (__START_KERNEL_map + KERNEL_IMAGE_SIZE)
20864 #define MODULES_END _AC(0xffffffffff000000, UL)
20865 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
20866+#define MODULES_EXEC_VADDR MODULES_VADDR
20867+#define MODULES_EXEC_END MODULES_END
20868 #define ESPFIX_PGD_ENTRY _AC(-2, UL)
20869 #define ESPFIX_BASE_ADDR (ESPFIX_PGD_ENTRY << PGDIR_SHIFT)
20870 #define EFI_VA_START ( -4 * (_AC(1, UL) << 30))
20871 #define EFI_VA_END (-68 * (_AC(1, UL) << 30))
20872
20873+#define ktla_ktva(addr) (addr)
20874+#define ktva_ktla(addr) (addr)
20875+
20876 #define EARLY_DYNAMIC_PAGE_TABLES 64
20877
20878 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
20879diff --git a/arch/x86/include/asm/pgtable_types.h b/arch/x86/include/asm/pgtable_types.h
20880index 13f310b..f0ef42e 100644
20881--- a/arch/x86/include/asm/pgtable_types.h
20882+++ b/arch/x86/include/asm/pgtable_types.h
20883@@ -85,8 +85,10 @@
20884
20885 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20886 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
20887-#else
20888+#elif defined(CONFIG_KMEMCHECK) || defined(CONFIG_MEM_SOFT_DIRTY)
20889 #define _PAGE_NX (_AT(pteval_t, 0))
20890+#else
20891+#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
20892 #endif
20893
20894 #define _PAGE_PROTNONE (_AT(pteval_t, 1) << _PAGE_BIT_PROTNONE)
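Review bot: The new final `#else` gives `_PAGE_NX` a non-zero value, `1 << _PAGE_BIT_HIDDEN`, on 32-bit non-PAE builds, where the hardware has no NX bit, and it does so without a comment. The bit is therefore a software marker there, and code that treats a non-zero `_PAGE_NX` as proof of hardware support would be wrong; the patch's own helpers test `__supported_pte_mask & _PAGE_NX` instead, which should be stated as the required idiom. The exclusion of CONFIG_KMEMCHECK and CONFIG_MEM_SOFT_DIRTY presumably exists because those features use the same software bit, and that should be confirmed and noted. A comment like `/* no hardware NX without PAE: reuse the HIDDEN software bit to track non-executable pages */` would cover it.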
20895@@ -141,6 +143,9 @@ enum page_cache_mode {
20896 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
20897 _PAGE_ACCESSED)
20898
20899+#define PAGE_READONLY_NOEXEC PAGE_READONLY
20900+#define PAGE_SHARED_NOEXEC PAGE_SHARED
20901+
20902 #define __PAGE_KERNEL_EXEC \
20903 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
20904 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
20905@@ -148,7 +153,7 @@ enum page_cache_mode {
20906 #define __PAGE_KERNEL_RO (__PAGE_KERNEL & ~_PAGE_RW)
20907 #define __PAGE_KERNEL_RX (__PAGE_KERNEL_EXEC & ~_PAGE_RW)
20908 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_NOCACHE)
20909-#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
20910+#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
20911 #define __PAGE_KERNEL_VVAR (__PAGE_KERNEL_RO | _PAGE_USER)
20912 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
20913 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
20914@@ -194,7 +199,7 @@ enum page_cache_mode {
20915 #ifdef CONFIG_X86_64
20916 #define __PAGE_KERNEL_IDENT_LARGE_EXEC __PAGE_KERNEL_LARGE_EXEC
20917 #else
20918-#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
20919+#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
20920 #define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
20921 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
20922 #endif
20923@@ -233,7 +238,17 @@ static inline pgdval_t pgd_flags(pgd_t pgd)
20924 {
20925 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
20926 }
20927+#endif
20928
20929+#if CONFIG_PGTABLE_LEVELS == 3
20930+#include <asm-generic/pgtable-nopud.h>
20931+#endif
20932+
20933+#if CONFIG_PGTABLE_LEVELS == 2
20934+#include <asm-generic/pgtable-nopmd.h>
20935+#endif
20936+
20937+#ifndef __ASSEMBLY__
20938 #if CONFIG_PGTABLE_LEVELS > 3
20939 typedef struct { pudval_t pud; } pud_t;
20940
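Review bot: The bare `#endif` added at the top of this hunk and the `#ifndef __ASSEMBLY__` re-opened a few lines below are unlabelled, so it is hard to see that the two `asm-generic` includes now sit outside the C-only region on purpose. Labelling the pair would make the intent explicit, e.g. `#endif /* !__ASSEMBLY__ */` on the closing line. It would also help to say in a comment that `pgtable-nopud.h` and `pgtable-nopmd.h` are now reached by assembly includers, assuming those headers guard their C declarations themselves.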
20941@@ -247,8 +262,6 @@ static inline pudval_t native_pud_val(pud_t pud)
20942 return pud.pud;
20943 }
20944 #else
20945-#include <asm-generic/pgtable-nopud.h>
20946-
20947 static inline pudval_t native_pud_val(pud_t pud)
20948 {
20949 return native_pgd_val(pud.pgd);
20950@@ -268,8 +281,6 @@ static inline pmdval_t native_pmd_val(pmd_t pmd)
20951 return pmd.pmd;
20952 }
20953 #else
20954-#include <asm-generic/pgtable-nopmd.h>
20955-
20956 static inline pmdval_t native_pmd_val(pmd_t pmd)
20957 {
20958 return native_pgd_val(pmd.pud.pgd);
20959@@ -362,7 +373,6 @@ typedef struct page *pgtable_t;
20960
20961 extern pteval_t __supported_pte_mask;
20962 extern void set_nx(void);
20963-extern int nx_enabled;
20964
20965 #define pgprot_writecombine pgprot_writecombine
20966 extern pgprot_t pgprot_writecombine(pgprot_t prot);
20967diff --git a/arch/x86/include/asm/preempt.h b/arch/x86/include/asm/preempt.h
20968index b12f810..aedcc13 100644
20969--- a/arch/x86/include/asm/preempt.h
20970+++ b/arch/x86/include/asm/preempt.h
20971@@ -84,7 +84,7 @@ static __always_inline void __preempt_count_sub(int val)
20972 */
20973 static __always_inline bool __preempt_count_dec_and_test(void)
20974 {
20975- GEN_UNARY_RMWcc("decl", __preempt_count, __percpu_arg(0), "e");
20976+ GEN_UNARY_RMWcc("decl", "incl", __preempt_count, __percpu_arg(0), "e");
20977 }
20978
20979 /*
20980diff --git a/arch/x86/include/asm/processor.h b/arch/x86/include/asm/processor.h
20981index 944f178..f2269de 100644
20982--- a/arch/x86/include/asm/processor.h
20983+++ b/arch/x86/include/asm/processor.h
20984@@ -136,7 +136,7 @@ struct cpuinfo_x86 {
20985 /* Index into per_cpu list: */
20986 u16 cpu_index;
20987 u32 microcode;
20988-};
20989+} __randomize_layout;
20990
20991 #define X86_VENDOR_INTEL 0
20992 #define X86_VENDOR_CYRIX 1
20993@@ -206,9 +206,21 @@ static inline void native_cpuid(unsigned int *eax, unsigned int *ebx,
20994 : "memory");
20995 }
20996
20997+/* invpcid (%rdx),%rax */
20998+#define __ASM_INVPCID ".byte 0x66,0x0f,0x38,0x82,0x02"
20999+
21000+#define INVPCID_SINGLE_ADDRESS 0UL
21001+#define INVPCID_SINGLE_CONTEXT 1UL
21002+#define INVPCID_ALL_GLOBAL 2UL
21003+#define INVPCID_ALL_NONGLOBAL 3UL
21004+
21005+#define PCID_KERNEL 0UL
21006+#define PCID_USER 1UL
21007+#define PCID_NOFLUSH (1UL << 63)
21008+
21009 static inline void load_cr3(pgd_t *pgdir)
21010 {
21011- write_cr3(__pa(pgdir));
21012+ write_cr3(__pa(pgdir) | PCID_KERNEL);
21013 }
21014
21015 #ifdef CONFIG_X86_32
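Review bot: `PCID_NOFLUSH` is defined as `(1UL << 63)` above the `#ifdef CONFIG_X86_32` line that ends this hunk, so the definition is visible to 32-bit builds as well. There `unsigned long` is 32 bits wide and the shift count exceeds the width of the type, which is undefined behaviour as soon as anything expands the macro. Either guard the INVPCID/PCID block with `#ifdef CONFIG_X86_64` or write the constant as `(_AC(1, ULL) << 63)`. Separately, `| PCID_KERNEL` in `load_cr3()` ORs in zero, so a short comment saying it is there to name the PCID would help.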
21016@@ -305,11 +317,9 @@ struct tss_struct {
21017
21018 } ____cacheline_aligned;
21019
21020-DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss);
21021+extern struct tss_struct cpu_tss[NR_CPUS];
21022
21023-#ifdef CONFIG_X86_32
21024 DECLARE_PER_CPU(unsigned long, cpu_current_top_of_stack);
21025-#endif
21026
21027 /*
21028 * Save the original ist values for checking stack pointers during debugging
21029@@ -381,6 +391,7 @@ struct thread_struct {
21030 unsigned short ds;
21031 unsigned short fsindex;
21032 unsigned short gsindex;
21033+ unsigned short ss;
21034 #endif
21035 #ifdef CONFIG_X86_32
21036 unsigned long ip;
21037@@ -390,6 +401,9 @@ struct thread_struct {
21038 #endif
21039 unsigned long gs;
21040
21041+ /* Floating point and extended processor state */
21042+ struct fpu fpu;
21043+
21044 /* Save middle states of ptrace breakpoints */
21045 struct perf_event *ptrace_bps[HBP_NUM];
21046 /* Debug status used for traps, single steps, etc... */
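Review bot: Moving `struct fpu fpu` into the middle of `thread_struct` contradicts the warning this patch deletes further down, which said the member is dynamically sized and must be last. The placement is only safe if `struct fpu` has a fixed size in this tree. The `.fpu.state = &init_fpregs_state` initialisers added to `INIT_THREAD` suggest the register state has become a pointer, but that change is not visible here. The new comment should state the assumption, e.g. `/* Floating point and extended processor state; fixed size here because fpu.state is a pointer */`.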
21047@@ -415,13 +429,6 @@ struct thread_struct {
21048 unsigned long iopl;
21049 /* Max allowed port in the bitmap, in bytes: */
21050 unsigned io_bitmap_max;
21051-
21052- /* Floating point and extended processor state */
21053- struct fpu fpu;
21054- /*
21055- * WARNING: 'fpu' is dynamically-sized. It *MUST* be at
21056- * the end.
21057- */
21058 };
21059
21060 /*
21061@@ -463,10 +470,10 @@ static inline void native_swapgs(void)
21062 #endif
21063 }
21064
21065-static inline unsigned long current_top_of_stack(void)
21066+static inline unsigned long current_top_of_stack(unsigned int cpu)
21067 {
21068 #ifdef CONFIG_X86_64
21069- return this_cpu_read_stable(cpu_tss.x86_tss.sp0);
21070+ return cpu_tss[cpu].x86_tss.sp0;
21071 #else
21072 /* sp0 on x86_32 is special in and around vm86 mode. */
21073 return this_cpu_read_stable(cpu_current_top_of_stack);
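Review bot: The new `cpu` parameter of `current_top_of_stack()` is used as an unchecked index into `cpu_tss[]` on 64-bit and is ignored on 32-bit, where the function still reads the current CPU's per-cpu value. The same call therefore means different things on the two architectures, and an out-of-range or stale `cpu` on 64-bit reads past or beside the intended TSS entry. Document the contract above the function, e.g. `/* cpu must be the CPU the caller is running on */`. If callers can pass anything else, add a range check against `NR_CPUS`. The end of the function body is outside this hunk.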
21074@@ -709,20 +716,30 @@ static inline void spin_lock_prefetch(const void *x)
21075 #define TOP_OF_INIT_STACK ((unsigned long)&init_stack + sizeof(init_stack) - \
21076 TOP_OF_KERNEL_STACK_PADDING)
21077
21078+extern union fpregs_state init_fpregs_state;
21079+
21080 #ifdef CONFIG_X86_32
21081 /*
21082 * User space process size: 3GB (default).
21083 */
21084 #define TASK_SIZE PAGE_OFFSET
21085 #define TASK_SIZE_MAX TASK_SIZE
21086+
21087+#ifdef CONFIG_PAX_SEGMEXEC
21088+#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
21089+#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
21090+#else
21091 #define STACK_TOP TASK_SIZE
21092-#define STACK_TOP_MAX STACK_TOP
21093+#endif
21094+
21095+#define STACK_TOP_MAX TASK_SIZE
21096
21097 #define INIT_THREAD { \
21098 .sp0 = TOP_OF_INIT_STACK, \
21099 .vm86_info = NULL, \
21100 .sysenter_cs = __KERNEL_CS, \
21101 .io_bitmap_ptr = NULL, \
21102+ .fpu.state = &init_fpregs_state, \
21103 }
21104
21105 extern unsigned long thread_saved_pc(struct task_struct *tsk);
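Review bot: Under `CONFIG_PAX_SEGMEXEC`, the new `STACK_TOP` dereferences `current->mm` with no check. If the macro can be expanded in a context where `current->mm` is NULL, for example a kernel thread, that is a NULL dereference. The users of `STACK_TOP` are not visible here, so this may already be guaranteed, but the precondition should then be stated. I would add `/* only valid in process context with a non-NULL current->mm */` above the definition.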
21106@@ -737,12 +754,7 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
21107 * "struct pt_regs" is possible, but they may contain the
21108 * completely wrong values.
21109 */
21110-#define task_pt_regs(task) \
21111-({ \
21112- unsigned long __ptr = (unsigned long)task_stack_page(task); \
21113- __ptr += THREAD_SIZE - TOP_OF_KERNEL_STACK_PADDING; \
21114- ((struct pt_regs *)__ptr) - 1; \
21115-})
21116+#define task_pt_regs(tsk) ((struct pt_regs *)(tsk)->thread.sp0 - 1)
21117
21118 #define KSTK_ESP(task) (task_pt_regs(task)->sp)
21119
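Review bot: `task_pt_regs()` now trusts `thread.sp0` instead of deriving the address from the task's stack page, and the hunk does not state the invariant this depends on. A comment inside `current_top_of_stack()` in this same file says sp0 on x86_32 is special in and around vm86 mode. This definition appears to sit in the 32-bit branch, though the enclosing `#ifdef` is outside the hunk. If sp0 can be moved for vm86, the macro would no longer point at the task's saved register frame. At minimum add `/* relies on thread.sp0 always being the top of the task's kernel stack (minus padding) */`, and confirm the vm86 path keeps that true.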
21120@@ -756,13 +768,13 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
21121 * particular problem by preventing anything from being mapped
21122 * at the maximum canonical address.
21123 */
21124-#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
21125+#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
21126
21127 /* This decides where the kernel will search for a free chunk of vm
21128 * space during mmap's.
21129 */
21130 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
21131- 0xc0000000 : 0xFFFFe000)
21132+ 0xc0000000 : 0xFFFFf000)
21133
21134 #define TASK_SIZE (test_thread_flag(TIF_ADDR32) ? \
21135 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
21136@@ -773,7 +785,8 @@ extern unsigned long thread_saved_pc(struct task_struct *tsk);
21137 #define STACK_TOP_MAX TASK_SIZE_MAX
21138
21139 #define INIT_THREAD { \
21140- .sp0 = TOP_OF_INIT_STACK \
21141+ .sp0 = TOP_OF_INIT_STACK, \
21142+ .fpu.state = &init_fpregs_state, \
21143 }
21144
21145 /*
21146@@ -796,6 +809,10 @@ extern void start_thread(struct pt_regs *regs, unsigned long new_ip,
21147 */
21148 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
21149
21150+#ifdef CONFIG_PAX_SEGMEXEC
21151+#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
21152+#endif
21153+
21154 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
21155
21156 /* Get/set a process' ability to use the timestamp counter instruction */
21157@@ -841,7 +858,7 @@ static inline uint32_t hypervisor_cpuid_base(const char *sig, uint32_t leaves)
21158 return 0;
21159 }
21160
21161-extern unsigned long arch_align_stack(unsigned long sp);
21162+#define arch_align_stack(x) ((x) & ~0xfUL)
21163 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
21164
21165 void default_idle(void);
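Review bot: Replacing the `arch_align_stack()` prototype with a function-like macro drops the type checking the declaration provided, so a pointer or a narrower integer argument is now accepted silently. An inline function keeps the original signature at the same cost: `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }`. The hunk also gives no reason why the out-of-line implementation is no longer wanted, and a one-line comment should say so.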
21166@@ -851,6 +868,6 @@ bool xen_set_default_idle(void);
21167 #define xen_set_default_idle 0
21168 #endif
21169
21170-void stop_this_cpu(void *dummy);
21171+void stop_this_cpu(void *dummy) __noreturn;
21172 void df_debug(struct pt_regs *regs, long error_code);
21173 #endif /* _ASM_X86_PROCESSOR_H */
21174diff --git a/arch/x86/include/asm/ptrace.h b/arch/x86/include/asm/ptrace.h
21175index 5fabf13..7388158 100644
21176--- a/arch/x86/include/asm/ptrace.h
21177+++ b/arch/x86/include/asm/ptrace.h
21178@@ -125,15 +125,16 @@ static inline int v8086_mode(struct pt_regs *regs)
21179 #ifdef CONFIG_X86_64
21180 static inline bool user_64bit_mode(struct pt_regs *regs)
21181 {
21182+ unsigned long cs = regs->cs & 0xffff;
21183 #ifndef CONFIG_PARAVIRT
21184 /*
21185 * On non-paravirt systems, this is the only long mode CPL 3
21186 * selector. We do not allow long mode selectors in the LDT.
21187 */
21188- return regs->cs == __USER_CS;
21189+ return cs == __USER_CS;
21190 #else
21191 /* Headers are too twisted for this to go in paravirt.h. */
21192- return regs->cs == __USER_CS || regs->cs == pv_info.extra_user_64bit_cs;
21193+ return cs == __USER_CS || cs == pv_info.extra_user_64bit_cs;
21194 #endif
21195 }
21196
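Review bot: The mask in `regs->cs & 0xffff` is a bare literal with no explanation, here in `user_64bit_mode()` and again in the `regs_get_register()` hunk that follows. Presumably the upper bits of the saved cs slot can hold something other than the selector in this tree, but neither hunk says so. Without that, a later comparison against `regs->cs` written without the mask will look just as correct. A comment such as `/* only the low 16 bits of the saved cs slot are the selector */`, or a small shared helper used by both functions, would make the rule visible.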
21197@@ -180,9 +181,11 @@ static inline unsigned long regs_get_register(struct pt_regs *regs,
21198 * Traps from the kernel do not save sp and ss.
21199 * Use the helper function to retrieve sp.
21200 */
21201- if (offset == offsetof(struct pt_regs, sp) &&
21202- regs->cs == __KERNEL_CS)
21203- return kernel_stack_pointer(regs);
21204+ if (offset == offsetof(struct pt_regs, sp)) {
21205+ unsigned long cs = regs->cs & 0xffff;
21206+ if (cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS)
21207+ return kernel_stack_pointer(regs);
21208+ }
21209 #endif
21210 return *(unsigned long *)((unsigned long)regs + offset);
21211 }
21212diff --git a/arch/x86/include/asm/qrwlock.h b/arch/x86/include/asm/qrwlock.h
21213index ae0e241..e80b10b 100644
21214--- a/arch/x86/include/asm/qrwlock.h
21215+++ b/arch/x86/include/asm/qrwlock.h
21216@@ -7,8 +7,8 @@
21217 #define queue_write_unlock queue_write_unlock
21218 static inline void queue_write_unlock(struct qrwlock *lock)
21219 {
21220- barrier();
21221- ACCESS_ONCE(*(u8 *)&lock->cnts) = 0;
21222+ barrier();
21223+ ACCESS_ONCE_RW(*(u8 *)&lock->cnts) = 0;
21224 }
21225 #endif
21226
21227diff --git a/arch/x86/include/asm/realmode.h b/arch/x86/include/asm/realmode.h
21228index 9c6b890..5305f53 100644
21229--- a/arch/x86/include/asm/realmode.h
21230+++ b/arch/x86/include/asm/realmode.h
21231@@ -22,16 +22,14 @@ struct real_mode_header {
21232 #endif
21233 /* APM/BIOS reboot */
21234 u32 machine_real_restart_asm;
21235-#ifdef CONFIG_X86_64
21236 u32 machine_real_restart_seg;
21237-#endif
21238 };
21239
21240 /* This must match data at trampoline_32/64.S */
21241 struct trampoline_header {
21242 #ifdef CONFIG_X86_32
21243 u32 start;
21244- u16 gdt_pad;
21245+ u16 boot_cs;
21246 u16 gdt_limit;
21247 u32 gdt_base;
21248 #else
21249diff --git a/arch/x86/include/asm/reboot.h b/arch/x86/include/asm/reboot.h
21250index a82c4f1..ac45053 100644
21251--- a/arch/x86/include/asm/reboot.h
21252+++ b/arch/x86/include/asm/reboot.h
21253@@ -6,13 +6,13 @@
21254 struct pt_regs;
21255
21256 struct machine_ops {
21257- void (*restart)(char *cmd);
21258- void (*halt)(void);
21259- void (*power_off)(void);
21260+ void (* __noreturn restart)(char *cmd);
21261+ void (* __noreturn halt)(void);
21262+ void (* __noreturn power_off)(void);
21263 void (*shutdown)(void);
21264 void (*crash_shutdown)(struct pt_regs *);
21265- void (*emergency_restart)(void);
21266-};
21267+ void (* __noreturn emergency_restart)(void);
21268+} __no_const;
21269
21270 extern struct machine_ops machine_ops;
21271
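Review bot: Marking the `restart`, `halt`, `power_off` and `emergency_restart` pointers `__noreturn` lets the compiler assume control never comes back from a call through them, yet the struct carries no comment saying so. Any implementation assigned to one of these slots that can return, for instance a platform hook that fails, would then run into whatever follows the call site. Add a comment above the struct, e.g. `/* restart, halt, power_off and emergency_restart must never return */`, and note why `shutdown` and `crash_shutdown` are deliberately left unmarked.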
21272diff --git a/arch/x86/include/asm/rmwcc.h b/arch/x86/include/asm/rmwcc.h
21273index 8f7866a..e442f20 100644
21274--- a/arch/x86/include/asm/rmwcc.h
21275+++ b/arch/x86/include/asm/rmwcc.h
21276@@ -3,7 +3,34 @@
21277
21278 #ifdef CC_HAVE_ASM_GOTO
21279
21280-#define __GEN_RMWcc(fullop, var, cc, ...) \
21281+#ifdef CONFIG_PAX_REFCOUNT
21282+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21283+do { \
21284+ asm_volatile_goto (fullop \
21285+ ";jno 0f\n" \
21286+ fullantiop \
21287+ ";int $4\n0:\n" \
21288+ _ASM_EXTABLE(0b, 0b) \
21289+ ";j" cc " %l[cc_label]" \
21290+ : : "m" (var), ## __VA_ARGS__ \
21291+ : "memory" : cc_label); \
21292+ return 0; \
21293+cc_label: \
21294+ return 1; \
21295+} while (0)
21296+#else
21297+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21298+do { \
21299+ asm_volatile_goto (fullop ";j" cc " %l[cc_label]" \
21300+ : : "m" (var), ## __VA_ARGS__ \
21301+ : "memory" : cc_label); \
21302+ return 0; \
21303+cc_label: \
21304+ return 1; \
21305+} while (0)
21306+#endif
21307+
21308+#define __GEN_RMWcc_unchecked(fullop, var, cc, ...) \
21309 do { \
21310 asm_volatile_goto (fullop "; j" cc " %l[cc_label]" \
21311 : : "m" (var), ## __VA_ARGS__ \
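Review bot: In the `CONFIG_PAX_REFCOUNT` variant of `__GEN_RMWcc`, the final `j cc` executes after `fullantiop` on the overflow path, so the condition it tests comes from the rolled-back value rather than from `fullop`. This assumes the `int $4` handler resumes at label `0` with the flags intact, as the `_ASM_EXTABLE(0b, 0b)` entry suggests. That is probably the intended result, but it is not written down and callers get a boolean either way. The same applies to the `set cc` variant in the next hunk. A comment above the macro would settle it: `/* on overflow the operation is undone by fullantiop before the trap; cc is then evaluated on the restored value */`.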
21312@@ -13,15 +40,46 @@ cc_label: \
21313 return 1; \
21314 } while (0)
21315
21316-#define GEN_UNARY_RMWcc(op, var, arg0, cc) \
21317- __GEN_RMWcc(op " " arg0, var, cc)
21318+#define GEN_UNARY_RMWcc(op, antiop, var, arg0, cc) \
21319+ __GEN_RMWcc(op " " arg0, antiop " " arg0, var, cc)
21320
21321-#define GEN_BINARY_RMWcc(op, var, vcon, val, arg0, cc) \
21322- __GEN_RMWcc(op " %1, " arg0, var, cc, vcon (val))
21323+#define GEN_UNARY_RMWcc_unchecked(op, var, arg0, cc) \
21324+ __GEN_RMWcc_unchecked(op " " arg0, var, cc)
21325+
21326+#define GEN_BINARY_RMWcc(op, antiop, var, vcon, val, arg0, cc) \
21327+ __GEN_RMWcc(op " %1, " arg0, antiop " %1, " arg0, var, cc, vcon (val))
21328+
21329+#define GEN_BINARY_RMWcc_unchecked(op, var, vcon, val, arg0, cc) \
21330+ __GEN_RMWcc_unchecked(op " %1, " arg0, var, cc, vcon (val))
21331
21332 #else /* !CC_HAVE_ASM_GOTO */
21333
21334-#define __GEN_RMWcc(fullop, var, cc, ...) \
21335+#ifdef CONFIG_PAX_REFCOUNT
21336+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21337+do { \
21338+ char c; \
21339+ asm volatile (fullop \
21340+ ";jno 0f\n" \
21341+ fullantiop \
21342+ ";int $4\n0:\n" \
21343+ _ASM_EXTABLE(0b, 0b) \
21344+ "; set" cc " %1" \
21345+ : "+m" (var), "=qm" (c) \
21346+ : __VA_ARGS__ : "memory"); \
21347+ return c != 0; \
21348+} while (0)
21349+#else
21350+#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) \
21351+do { \
21352+ char c; \
21353+ asm volatile (fullop "; set" cc " %1" \
21354+ : "+m" (var), "=qm" (c) \
21355+ : __VA_ARGS__ : "memory"); \
21356+ return c != 0; \
21357+} while (0)
21358+#endif
21359+
21360+#define __GEN_RMWcc_unchecked(fullop, var, cc, ...) \
21361 do { \
21362 char c; \
21363 asm volatile (fullop "; set" cc " %1" \
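Review bot: The non-`CONFIG_PAX_REFCOUNT` definition of `__GEN_RMWcc` in this hunk has the same body as `__GEN_RMWcc_unchecked` and only ignores `fullantiop`, as does its asm-goto counterpart in the previous hunk. Two copies of the same inline assembly can drift apart; the asm-goto pair already differs in spacing (`";j"` versus `"; j"`). The unhardened case could forward instead: `#define __GEN_RMWcc(fullop, fullantiop, var, cc, ...) __GEN_RMWcc_unchecked(fullop, var, cc, __VA_ARGS__)`, with `## __VA_ARGS__` in the asm-goto branch. The `__GEN_RMWcc_unchecked` body continues past the end of this hunk.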
21364@@ -30,11 +88,17 @@ do { \
21365 return c != 0; \
21366 } while (0)
21367
21368-#define GEN_UNARY_RMWcc(op, var, arg0, cc) \
21369- __GEN_RMWcc(op " " arg0, var, cc)
21370+#define GEN_UNARY_RMWcc(op, antiop, var, arg0, cc) \
21371+ __GEN_RMWcc(op " " arg0, antiop " " arg0, var, cc)
21372+
21373+#define GEN_UNARY_RMWcc_unchecked(op, var, arg0, cc) \
21374+ __GEN_RMWcc_unchecked(op " " arg0, var, cc)
21375+
21376+#define GEN_BINARY_RMWcc(op, antiop, var, vcon, val, arg0, cc) \
21377+ __GEN_RMWcc(op " %2, " arg0, antiop " %2, " arg0, var, cc, vcon (val))
21378
21379-#define GEN_BINARY_RMWcc(op, var, vcon, val, arg0, cc) \
21380- __GEN_RMWcc(op " %2, " arg0, var, cc, vcon (val))
21381+#define GEN_BINARY_RMWcc_unchecked(op, var, vcon, val, arg0, cc) \
21382+ __GEN_RMWcc_unchecked(op " %2, " arg0, var, cc, vcon (val))
21383
21384 #endif /* CC_HAVE_ASM_GOTO */
21385
21386diff --git a/arch/x86/include/asm/rwsem.h b/arch/x86/include/asm/rwsem.h
21387index cad82c9..2e5c5c1 100644
21388--- a/arch/x86/include/asm/rwsem.h
21389+++ b/arch/x86/include/asm/rwsem.h
21390@@ -64,6 +64,14 @@ static inline void __down_read(struct rw_semaphore *sem)
21391 {
21392 asm volatile("# beginning down_read\n\t"
21393 LOCK_PREFIX _ASM_INC "(%1)\n\t"
21394+
21395+#ifdef CONFIG_PAX_REFCOUNT
21396+ "jno 0f\n"
21397+ LOCK_PREFIX _ASM_DEC "(%1)\n"
21398+ "int $4\n0:\n"
21399+ _ASM_EXTABLE(0b, 0b)
21400+#endif
21401+
21402 /* adds 0x00000001 */
21403 " jns 1f\n"
21404 " call call_rwsem_down_read_failed\n"
21405@@ -85,6 +93,14 @@ static inline int __down_read_trylock(struct rw_semaphore *sem)
21406 "1:\n\t"
21407 " mov %1,%2\n\t"
21408 " add %3,%2\n\t"
21409+
21410+#ifdef CONFIG_PAX_REFCOUNT
21411+ "jno 0f\n"
21412+ "sub %3,%2\n"
21413+ "int $4\n0:\n"
21414+ _ASM_EXTABLE(0b, 0b)
21415+#endif
21416+
21417 " jle 2f\n\t"
21418 LOCK_PREFIX " cmpxchg %2,%0\n\t"
21419 " jnz 1b\n\t"
21420@@ -104,6 +120,14 @@ static inline void __down_write_nested(struct rw_semaphore *sem, int subclass)
21421 long tmp;
21422 asm volatile("# beginning down_write\n\t"
21423 LOCK_PREFIX " xadd %1,(%2)\n\t"
21424+
21425+#ifdef CONFIG_PAX_REFCOUNT
21426+ "jno 0f\n"
21427+ "mov %1,(%2)\n"
21428+ "int $4\n0:\n"
21429+ _ASM_EXTABLE(0b, 0b)
21430+#endif
21431+
21432 /* adds 0xffff0001, returns the old value */
21433 " test " __ASM_SEL(%w1,%k1) "," __ASM_SEL(%w1,%k1) "\n\t"
21434 /* was the active mask 0 before? */
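Review bot: The overflow rollback added after `LOCK_PREFIX " xadd %1,(%2)"` is a plain `mov %1,(%2)`, which stores the pre-xadd value back without a lock prefix. If another CPU changes the count between the xadd and this store, that update is overwritten. The same sequence appears in the `__up_read` and `__up_write` hunks below. By contrast, `__down_read`, `__downgrade_write` and `rwsem_atomic_add` undo with a `LOCK_PREFIX`-ed inverse operation. If the overwrite is acceptable because the task is about to be killed on the trap, say so in a comment. Otherwise keep the delta in a second register and roll back with a locked subtract of it.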
21435@@ -155,6 +179,14 @@ static inline void __up_read(struct rw_semaphore *sem)
21436 long tmp;
21437 asm volatile("# beginning __up_read\n\t"
21438 LOCK_PREFIX " xadd %1,(%2)\n\t"
21439+
21440+#ifdef CONFIG_PAX_REFCOUNT
21441+ "jno 0f\n"
21442+ "mov %1,(%2)\n"
21443+ "int $4\n0:\n"
21444+ _ASM_EXTABLE(0b, 0b)
21445+#endif
21446+
21447 /* subtracts 1, returns the old value */
21448 " jns 1f\n\t"
21449 " call call_rwsem_wake\n" /* expects old value in %edx */
21450@@ -173,6 +205,14 @@ static inline void __up_write(struct rw_semaphore *sem)
21451 long tmp;
21452 asm volatile("# beginning __up_write\n\t"
21453 LOCK_PREFIX " xadd %1,(%2)\n\t"
21454+
21455+#ifdef CONFIG_PAX_REFCOUNT
21456+ "jno 0f\n"
21457+ "mov %1,(%2)\n"
21458+ "int $4\n0:\n"
21459+ _ASM_EXTABLE(0b, 0b)
21460+#endif
21461+
21462 /* subtracts 0xffff0001, returns the old value */
21463 " jns 1f\n\t"
21464 " call call_rwsem_wake\n" /* expects old value in %edx */
21465@@ -190,6 +230,14 @@ static inline void __downgrade_write(struct rw_semaphore *sem)
21466 {
21467 asm volatile("# beginning __downgrade_write\n\t"
21468 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
21469+
21470+#ifdef CONFIG_PAX_REFCOUNT
21471+ "jno 0f\n"
21472+ LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
21473+ "int $4\n0:\n"
21474+ _ASM_EXTABLE(0b, 0b)
21475+#endif
21476+
21477 /*
21478 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
21479 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
21480@@ -208,7 +256,15 @@ static inline void __downgrade_write(struct rw_semaphore *sem)
21481 */
21482 static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
21483 {
21484- asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
21485+ asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
21486+
21487+#ifdef CONFIG_PAX_REFCOUNT
21488+ "jno 0f\n"
21489+ LOCK_PREFIX _ASM_SUB "%1,%0\n"
21490+ "int $4\n0:\n"
21491+ _ASM_EXTABLE(0b, 0b)
21492+#endif
21493+
21494 : "+m" (sem->count)
21495 : "er" (delta));
21496 }
21497@@ -218,7 +274,7 @@ static inline void rwsem_atomic_add(long delta, struct rw_semaphore *sem)
21498 */
21499 static inline long rwsem_atomic_update(long delta, struct rw_semaphore *sem)
21500 {
21501- return delta + xadd(&sem->count, delta);
21502+ return delta + xadd_check_overflow(&sem->count, delta);
21503 }
21504
21505 #endif /* __KERNEL__ */
21506diff --git a/arch/x86/include/asm/segment.h b/arch/x86/include/asm/segment.h
21507index 7d5a192..23ef1aa 100644
21508--- a/arch/x86/include/asm/segment.h
21509+++ b/arch/x86/include/asm/segment.h
21510@@ -82,14 +82,20 @@
21511 * 26 - ESPFIX small SS
21512 * 27 - per-cpu [ offset to per-cpu data area ]
21513 * 28 - stack_canary-20 [ for stack protector ] <=== cacheline #8
21514- * 29 - unused
21515- * 30 - unused
21516+ * 29 - PCI BIOS CS
21517+ * 30 - PCI BIOS DS
21518 * 31 - TSS for double fault handler
21519 */
21520+#define GDT_ENTRY_KERNEXEC_EFI_CS (1)
21521+#define GDT_ENTRY_KERNEXEC_EFI_DS (2)
21522+#define __KERNEXEC_EFI_CS (GDT_ENTRY_KERNEXEC_EFI_CS*8)
21523+#define __KERNEXEC_EFI_DS (GDT_ENTRY_KERNEXEC_EFI_DS*8)
21524+
21525 #define GDT_ENTRY_TLS_MIN 6
21526 #define GDT_ENTRY_TLS_MAX (GDT_ENTRY_TLS_MIN + GDT_ENTRY_TLS_ENTRIES - 1)
21527
21528 #define GDT_ENTRY_KERNEL_CS 12
21529+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 4
21530 #define GDT_ENTRY_KERNEL_DS 13
21531 #define GDT_ENTRY_DEFAULT_USER_CS 14
21532 #define GDT_ENTRY_DEFAULT_USER_DS 15
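Review bot: The GDT layout comment is updated only for entries 29 and 30, while this hunk also claims entries 1, 2 (`GDT_ENTRY_KERNEXEC_EFI_CS`/`_DS`) and 4 (`GDT_ENTRY_KERNEXEC_KERNEL_CS`). The table rows for those indices lie above the hunk, and since this is the first hunk of the file section the patch does not touch them. Whatever they currently say will therefore no longer match the definitions. Update the three rows alongside the new `#define`s so the table stays authoritative.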
21533@@ -106,6 +112,12 @@
21534 #define GDT_ENTRY_PERCPU 27
21535 #define GDT_ENTRY_STACK_CANARY 28
21536
21537+#define GDT_ENTRY_PCIBIOS_CS 29
21538+#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
21539+
21540+#define GDT_ENTRY_PCIBIOS_DS 30
21541+#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
21542+
21543 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
21544
21545 /*
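Review bot: The two selector macros are paired with the wrong entry definitions: `__PCIBIOS_DS` sits directly under `GDT_ENTRY_PCIBIOS_CS`, and `__PCIBIOS_CS` under `GDT_ENTRY_PCIBIOS_DS`. The values still come out right because the macros are expanded lazily, but the layout reads as if the selectors were swapped and invites a wrong "fix" later. Reorder so each selector follows its own entry: `#define GDT_ENTRY_PCIBIOS_CS 29` then `#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)`, and likewise for DS.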
21546@@ -118,6 +130,7 @@
21547 */
21548
21549 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
21550+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
21551 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
21552 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8 + 3)
21553 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8 + 3)
21554@@ -129,7 +142,7 @@
21555 #define PNP_CS16 (GDT_ENTRY_PNPBIOS_CS16*8)
21556
21557 /* "Is this PNP code selector (PNP_CS32 or PNP_CS16)?" */
21558-#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == PNP_CS32)
21559+#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
21560
21561 /* data segment for BIOS: */
21562 #define PNP_DS (GDT_ENTRY_PNPBIOS_DS*8)
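Review bot: The rewritten `SEGMENT_IS_PNP_CODE(x)` expands its argument twice, which the previous single-comparison form did not. An argument with side effects, or one that reads a volatile location, would now be evaluated twice with possibly different results. Either document the restriction next to the macro, e.g. `/* evaluates x twice: pass a side-effect-free expression */`, or turn it into a small inline function for C callers. The literal `0xFFFCU` would also read better as a named RPL mask defined once.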
21563@@ -176,6 +189,8 @@
21564 #define GDT_ENTRY_DEFAULT_USER_DS 5
21565 #define GDT_ENTRY_DEFAULT_USER_CS 6
21566
21567+#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
21568+
21569 /* Needs two entries */
21570 #define GDT_ENTRY_TSS 8
21571 /* Needs two entries */
21572@@ -187,10 +202,12 @@
21573 /* Abused to load per CPU data from limit */
21574 #define GDT_ENTRY_PER_CPU 15
21575
21576+#define GDT_ENTRY_UDEREF_KERNEL_DS 16
21577+
21578 /*
21579 * Number of entries in the GDT table:
21580 */
21581-#define GDT_ENTRIES 16
21582+#define GDT_ENTRIES 17
21583
21584 /*
21585 * Segment selector values corresponding to the above entries:
21586@@ -200,7 +217,9 @@
21587 */
21588 #define __KERNEL32_CS (GDT_ENTRY_KERNEL32_CS*8)
21589 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
21590+#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
21591 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
21592+#define __UDEREF_KERNEL_DS (GDT_ENTRY_UDEREF_KERNEL_DS*8)
21593 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS*8 + 3)
21594 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8 + 3)
21595 #define __USER32_DS __USER_DS
21596diff --git a/arch/x86/include/asm/smap.h b/arch/x86/include/asm/smap.h
21597index ba665eb..0f72938 100644
21598--- a/arch/x86/include/asm/smap.h
21599+++ b/arch/x86/include/asm/smap.h
21600@@ -25,6 +25,18 @@
21601
21602 #include <asm/alternative-asm.h>
21603
21604+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21605+#define ASM_PAX_OPEN_USERLAND \
21606+ ALTERNATIVE "", "call __pax_open_userland", X86_FEATURE_STRONGUDEREF
21607+
21608+#define ASM_PAX_CLOSE_USERLAND \
21609+ ALTERNATIVE "", "call __pax_close_userland", X86_FEATURE_STRONGUDEREF
21610+
21611+#else
21612+#define ASM_PAX_OPEN_USERLAND
21613+#define ASM_PAX_CLOSE_USERLAND
21614+#endif
21615+
21616 #ifdef CONFIG_X86_SMAP
21617
21618 #define ASM_CLAC \
21619@@ -44,6 +56,37 @@
21620
21621 #include <asm/alternative.h>
21622
21623+#define __HAVE_ARCH_PAX_OPEN_USERLAND
21624+#define __HAVE_ARCH_PAX_CLOSE_USERLAND
21625+
21626+extern void __pax_open_userland(void);
21627+static __always_inline unsigned long pax_open_userland(void)
21628+{
21629+
21630+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21631+ asm volatile(ALTERNATIVE("", "call %P[open]", X86_FEATURE_STRONGUDEREF)
21632+ :
21633+ : [open] "i" (__pax_open_userland)
21634+ : "memory", "rax");
21635+#endif
21636+
21637+ return 0;
21638+}
21639+
21640+extern void __pax_close_userland(void);
21641+static __always_inline unsigned long pax_close_userland(void)
21642+{
21643+
21644+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21645+ asm volatile(ALTERNATIVE("", "call %P[close]", X86_FEATURE_STRONGUDEREF)
21646+ :
21647+ : [close] "i" (__pax_close_userland)
21648+ : "memory", "rax");
21649+#endif
21650+
21651+ return 0;
21652+}
21653+
21654 #ifdef CONFIG_X86_SMAP
21655
21656 static __always_inline void clac(void)
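Review bot: `pax_open_userland()` and `pax_close_userland()` are declared to return `unsigned long` but always return 0, and there is no comment explaining what the return value is for. The clobber list names only `"memory"` and `"rax"`, so the called `__pax_open_userland`/`__pax_close_userland` must preserve every other register, which is not a normal C calling convention. Neither point is written down, and both need to be for the next person who edits the out-of-line routines. Add a header comment to each function, e.g. `/* always returns 0; callee may clobber only %rax */`.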
21657diff --git a/arch/x86/include/asm/smp.h b/arch/x86/include/asm/smp.h
21658index 222a6a3..839da8d 100644
21659--- a/arch/x86/include/asm/smp.h
21660+++ b/arch/x86/include/asm/smp.h
21661@@ -35,7 +35,7 @@ DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_core_map);
21662 /* cpus sharing the last level cache: */
21663 DECLARE_PER_CPU_READ_MOSTLY(cpumask_var_t, cpu_llc_shared_map);
21664 DECLARE_PER_CPU_READ_MOSTLY(u16, cpu_llc_id);
21665-DECLARE_PER_CPU_READ_MOSTLY(int, cpu_number);
21666+DECLARE_PER_CPU_READ_MOSTLY(unsigned int, cpu_number);
21667
21668 static inline struct cpumask *cpu_llc_shared_mask(int cpu)
21669 {
21670@@ -68,7 +68,7 @@ struct smp_ops {
21671
21672 void (*send_call_func_ipi)(const struct cpumask *mask);
21673 void (*send_call_func_single_ipi)(int cpu);
21674-};
21675+} __no_const;
21676
21677 /* Globals due to paravirt */
21678 extern void set_cpu_sibling_map(int cpu);
21679@@ -182,14 +182,8 @@ extern unsigned disabled_cpus;
21680 extern int safe_smp_processor_id(void);
21681
21682 #elif defined(CONFIG_X86_64_SMP)
21683-#define raw_smp_processor_id() (this_cpu_read(cpu_number))
21684-
21685-#define stack_smp_processor_id() \
21686-({ \
21687- struct thread_info *ti; \
21688- __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
21689- ti->cpu; \
21690-})
21691+#define raw_smp_processor_id() (this_cpu_read(cpu_number))
21692+#define stack_smp_processor_id() raw_smp_processor_id()
21693 #define safe_smp_processor_id() smp_processor_id()
21694
21695 #endif
21696diff --git a/arch/x86/include/asm/stackprotector.h b/arch/x86/include/asm/stackprotector.h
21697index c2e00bb..a10266e 100644
21698--- a/arch/x86/include/asm/stackprotector.h
21699+++ b/arch/x86/include/asm/stackprotector.h
21700@@ -49,7 +49,7 @@
21701 * head_32 for boot CPU and setup_per_cpu_areas() for others.
21702 */
21703 #define GDT_STACK_CANARY_INIT \
21704- [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x18),
21705+ [GDT_ENTRY_STACK_CANARY] = GDT_ENTRY_INIT(0x4090, 0, 0x17),
21706
21707 /*
21708 * Initialize the stackprotector canary value.
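Review bot: The third argument of `GDT_ENTRY_INIT` changes from `0x18` to `0x17` with no comment, so the tightening looks like an arbitrary constant tweak. The layout comment in segment.h describes this entry as `stack_canary-20`. Assuming the argument is the inclusive segment limit and the canary is 4 bytes at offset 20, `0x17` is exactly the offset of its last byte, and the old value allowed one byte more. A comment should say so: `/* limit 0x17: last byte of the canary at %gs:20..23 */`.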
21709@@ -114,7 +114,7 @@ static inline void setup_stack_canary_segment(int cpu)
21710
21711 static inline void load_stack_canary_segment(void)
21712 {
21713-#ifdef CONFIG_X86_32
21714+#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
21715 asm volatile ("mov %0, %%gs" : : "r" (0));
21716 #endif
21717 }
21718diff --git a/arch/x86/include/asm/stacktrace.h b/arch/x86/include/asm/stacktrace.h
21719index 70bbe39..4ae2bd4 100644
21720--- a/arch/x86/include/asm/stacktrace.h
21721+++ b/arch/x86/include/asm/stacktrace.h
21722@@ -11,28 +11,20 @@
21723
21724 extern int kstack_depth_to_print;
21725
21726-struct thread_info;
21727+struct task_struct;
21728 struct stacktrace_ops;
21729
21730-typedef unsigned long (*walk_stack_t)(struct thread_info *tinfo,
21731- unsigned long *stack,
21732- unsigned long bp,
21733- const struct stacktrace_ops *ops,
21734- void *data,
21735- unsigned long *end,
21736- int *graph);
21737+typedef unsigned long walk_stack_t(struct task_struct *task,
21738+ void *stack_start,
21739+ unsigned long *stack,
21740+ unsigned long bp,
21741+ const struct stacktrace_ops *ops,
21742+ void *data,
21743+ unsigned long *end,
21744+ int *graph);
21745
21746-extern unsigned long
21747-print_context_stack(struct thread_info *tinfo,
21748- unsigned long *stack, unsigned long bp,
21749- const struct stacktrace_ops *ops, void *data,
21750- unsigned long *end, int *graph);
21751-
21752-extern unsigned long
21753-print_context_stack_bp(struct thread_info *tinfo,
21754- unsigned long *stack, unsigned long bp,
21755- const struct stacktrace_ops *ops, void *data,
21756- unsigned long *end, int *graph);
21757+extern walk_stack_t print_context_stack;
21758+extern walk_stack_t print_context_stack_bp;
21759
21760 /* Generic stack tracer with callbacks */
21761
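Review bot: The new `void *stack_start` parameter of `walk_stack_t` is undocumented, and its relation to the existing `stack` and `end` arguments cannot be read from the prototype. The typedef also changes from a pointer-to-function type to a function type, which is why the `walk_stack` member of `stacktrace_ops` becomes `walk_stack_t *` in the next hunk. That is easy to miss when adding another walker. A short comment above the typedef should cover both points, e.g. `/* function type, not pointer; stack_start is the base of the stack being walked */`. The second half of that wording is my reading of the name and should be confirmed.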
21762@@ -40,7 +32,7 @@ struct stacktrace_ops {
21763 void (*address)(void *data, unsigned long address, int reliable);
21764 /* On negative return stop dumping */
21765 int (*stack)(void *data, char *name);
21766- walk_stack_t walk_stack;
21767+ walk_stack_t *walk_stack;
21768 };
21769
21770 void dump_trace(struct task_struct *tsk, struct pt_regs *regs,
21771diff --git a/arch/x86/include/asm/switch_to.h b/arch/x86/include/asm/switch_to.h
21772index d7f3b3b..3cc39f1 100644
21773--- a/arch/x86/include/asm/switch_to.h
21774+++ b/arch/x86/include/asm/switch_to.h
21775@@ -108,7 +108,7 @@ do { \
21776 "call __switch_to\n\t" \
21777 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
21778 __switch_canary \
21779- "movq %P[thread_info](%%rsi),%%r8\n\t" \
21780+ "movq "__percpu_arg([thread_info])",%%r8\n\t" \
21781 "movq %%rax,%%rdi\n\t" \
21782 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
21783 "jnz ret_from_fork\n\t" \
21784@@ -119,7 +119,7 @@ do { \
21785 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
21786 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
21787 [_tif_fork] "i" (_TIF_FORK), \
21788- [thread_info] "i" (offsetof(struct task_struct, stack)), \
21789+ [thread_info] "m" (current_tinfo), \
21790 [current_task] "m" (current_task) \
21791 __switch_canary_iparam \
21792 : "memory", "cc" __EXTRA_CLOBBER)
21793diff --git a/arch/x86/include/asm/sys_ia32.h b/arch/x86/include/asm/sys_ia32.h
21794index 82c34ee..940fa40 100644
21795--- a/arch/x86/include/asm/sys_ia32.h
21796+++ b/arch/x86/include/asm/sys_ia32.h
21797@@ -20,8 +20,8 @@
21798 #include <asm/ia32.h>
21799
21800 /* ia32/sys_ia32.c */
21801-asmlinkage long sys32_truncate64(const char __user *, unsigned long, unsigned long);
21802-asmlinkage long sys32_ftruncate64(unsigned int, unsigned long, unsigned long);
21803+asmlinkage long sys32_truncate64(const char __user *, unsigned int, unsigned int);
21804+asmlinkage long sys32_ftruncate64(unsigned int, unsigned int, unsigned int);
21805
21806 asmlinkage long sys32_stat64(const char __user *, struct stat64 __user *);
21807 asmlinkage long sys32_lstat64(const char __user *, struct stat64 __user *);
21808@@ -42,7 +42,7 @@ long sys32_vm86_warning(void);
21809 asmlinkage ssize_t sys32_readahead(int, unsigned, unsigned, size_t);
21810 asmlinkage long sys32_sync_file_range(int, unsigned, unsigned,
21811 unsigned, unsigned, int);
21812-asmlinkage long sys32_fadvise64(int, unsigned, unsigned, size_t, int);
21813+asmlinkage long sys32_fadvise64(int, unsigned, unsigned, int, int);
21814 asmlinkage long sys32_fallocate(int, int, unsigned,
21815 unsigned, unsigned, unsigned);
21816
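Review bot: The fourth parameter of `sys32_fadvise64()` changes from `size_t` to `int`, a signed type, and the prototype has no parameter names to say what it carries. If it is a length, as the old type suggests, a value with the top bit set now becomes negative and sign-extends when widened to a 64-bit length in the implementation, which is not visible here. Name the parameters in these prototypes and, if the narrowing is intentional, keep the value unsigned: `asmlinkage long sys32_fadvise64(int fd, unsigned off_lo, unsigned off_hi, unsigned int len, int advice);`. The same naming point applies to the `sys32_truncate64`/`sys32_ftruncate64` prototypes in the previous hunk.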
21817diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
21818index 225ee54..fae4566 100644
21819--- a/arch/x86/include/asm/thread_info.h
21820+++ b/arch/x86/include/asm/thread_info.h
21821@@ -36,7 +36,7 @@
21822 #ifdef CONFIG_X86_32
21823 # define TOP_OF_KERNEL_STACK_PADDING 8
21824 #else
21825-# define TOP_OF_KERNEL_STACK_PADDING 0
21826+# define TOP_OF_KERNEL_STACK_PADDING 16
21827 #endif
21828
21829 /*
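Review bot: The 64-bit `TOP_OF_KERNEL_STACK_PADDING` goes from 0 to 16 with nothing in the hunk saying why. The constant presumably enters the top-of-stack calculations, so the reason for reserving 16 bytes, and what is kept in them if anything, should be recorded next to it, e.g. `# define TOP_OF_KERNEL_STACK_PADDING 16 /* <what the reserved 16 bytes are for> */`. The explanatory comment for this macro sits above the hunk and is not visible here; it should be updated to cover the 64-bit value.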
21830@@ -50,27 +50,26 @@ struct task_struct;
21831 #include <linux/atomic.h>
21832
21833 struct thread_info {
21834- struct task_struct *task; /* main task structure */
21835 __u32 flags; /* low level flags */
21836 __u32 status; /* thread synchronous flags */
21837 __u32 cpu; /* current CPU */
21838 int saved_preempt_count;
21839 mm_segment_t addr_limit;
21840 void __user *sysenter_return;
21841+ unsigned long lowest_stack;
21842 unsigned int sig_on_uaccess_error:1;
21843 unsigned int uaccess_err:1; /* uaccess failed */
21844 };
21845
21846-#define INIT_THREAD_INFO(tsk) \
21847+#define INIT_THREAD_INFO \
21848 { \
21849- .task = &tsk, \
21850 .flags = 0, \
21851 .cpu = 0, \
21852 .saved_preempt_count = INIT_PREEMPT_COUNT, \
21853 .addr_limit = KERNEL_DS, \
21854 }
21855
21856-#define init_thread_info (init_thread_union.thread_info)
21857+#define init_thread_info (init_thread_union.stack)
21858 #define init_stack (init_thread_union.stack)
21859
21860 #else /* !__ASSEMBLY__ */
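Review bot: `init_thread_info` now expands to `init_thread_union.stack`, the same expression as `init_stack` on the following line, so it no longer denotes a `struct thread_info`. Any remaining user that takes a member of it, or passes it where a `struct thread_info` is expected, would break or silently change meaning. If no such users remain, dropping the macro is cleaner than keeping an alias with a misleading name. The new `lowest_stack` member is also the only field in the struct without a trailing comment; a short one saying what it tracks and which code updates it would match the neighbouring fields.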
21861@@ -110,6 +109,7 @@ struct thread_info {
21862 #define TIF_SYSCALL_TRACEPOINT 28 /* syscall tracepoint instrumentation */
21863 #define TIF_ADDR32 29 /* 32-bit address space on 64 bits */
21864 #define TIF_X32 30 /* 32-bit native x86-64 binary */
21865+#define TIF_GRSEC_SETXID 31 /* update credentials on syscall entry/exit */
21866
21867 #define _TIF_SYSCALL_TRACE (1 << TIF_SYSCALL_TRACE)
21868 #define _TIF_NOTIFY_RESUME (1 << TIF_NOTIFY_RESUME)
21869@@ -133,17 +133,18 @@ struct thread_info {
21870 #define _TIF_SYSCALL_TRACEPOINT (1 << TIF_SYSCALL_TRACEPOINT)
21871 #define _TIF_ADDR32 (1 << TIF_ADDR32)
21872 #define _TIF_X32 (1 << TIF_X32)
21873+#define _TIF_GRSEC_SETXID (1 << TIF_GRSEC_SETXID)
21874
21875 /* work to do in syscall_trace_enter() */
21876 #define _TIF_WORK_SYSCALL_ENTRY \
21877 (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_EMU | _TIF_SYSCALL_AUDIT | \
21878 _TIF_SECCOMP | _TIF_SINGLESTEP | _TIF_SYSCALL_TRACEPOINT | \
21879- _TIF_NOHZ)
21880+ _TIF_NOHZ | _TIF_GRSEC_SETXID)
21881
21882 /* work to do in syscall_trace_leave() */
21883 #define _TIF_WORK_SYSCALL_EXIT \
21884 (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SINGLESTEP | \
21885- _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ)
21886+ _TIF_SYSCALL_TRACEPOINT | _TIF_NOHZ | _TIF_GRSEC_SETXID)
21887
21888 /* work to do on interrupt/exception return */
21889 #define _TIF_WORK_MASK \
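Review bot: `_TIF_GRSEC_SETXID` is defined as `(1 << TIF_GRSEC_SETXID)` with the bit number 31 from the previous hunk, so the shift lands in the sign bit of a signed `int`. The resulting constant is negative and would sign-extend if any mask it is OR-ed into (`_TIF_WORK_SYSCALL_ENTRY` and `_TIF_WORK_SYSCALL_EXIT` here, `_TIF_ALLWORK_MASK` in the next hunk) is ever widened to 64 bits. Whether any current user does that is not visible from these hunks. Since this header is also read by assembly, a form valid in both is preferable, for instance `#define _TIF_GRSEC_SETXID (_AC(1, U) << TIF_GRSEC_SETXID)` if `_AC` is in scope here.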
21890@@ -154,7 +155,7 @@ struct thread_info {
21891 /* work to do on any return to user space */
21892 #define _TIF_ALLWORK_MASK \
21893 ((0x0000FFFF & ~_TIF_SECCOMP) | _TIF_SYSCALL_TRACEPOINT | \
21894- _TIF_NOHZ)
21895+ _TIF_NOHZ | _TIF_GRSEC_SETXID)
21896
21897 /* Only used for 64 bit */
21898 #define _TIF_DO_NOTIFY_MASK \
21899@@ -177,9 +178,11 @@ struct thread_info {
21900 */
21901 #ifndef __ASSEMBLY__
21902
21903+DECLARE_PER_CPU(struct thread_info *, current_tinfo);
21904+
21905 static inline struct thread_info *current_thread_info(void)
21906 {
21907- return (struct thread_info *)(current_top_of_stack() - THREAD_SIZE);
21908+ return this_cpu_read_stable(current_tinfo);
21909 }
21910
21911 static inline unsigned long current_stack_pointer(void)
21912@@ -195,14 +198,9 @@ static inline unsigned long current_stack_pointer(void)
21913
21914 #else /* !__ASSEMBLY__ */
21915
21916-#ifdef CONFIG_X86_64
21917-# define cpu_current_top_of_stack (cpu_tss + TSS_sp0)
21918-#endif
21919-
21920 /* Load thread_info address into "reg" */
21921 #define GET_THREAD_INFO(reg) \
21922- _ASM_MOV PER_CPU_VAR(cpu_current_top_of_stack),reg ; \
21923- _ASM_SUB $(THREAD_SIZE),reg ;
21924+ _ASM_MOV PER_CPU_VAR(current_tinfo),reg ;
21925
21926 /*
21927 * ASM operand which evaluates to a 'thread_info' address of
21928@@ -295,5 +293,12 @@ static inline bool is_ia32_task(void)
21929 extern void arch_task_cache_init(void);
21930 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
21931 extern void arch_release_task_struct(struct task_struct *tsk);
21932+
21933+#define __HAVE_THREAD_FUNCTIONS
21934+#define task_thread_info(task) (&(task)->tinfo)
21935+#define task_stack_page(task) ((task)->stack)
21936+#define setup_thread_stack(p, org) do {} while (0)
21937+#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
21938+
21939 #endif
21940 #endif /* _ASM_X86_THREAD_INFO_H */
21941diff --git a/arch/x86/include/asm/tlbflush.h b/arch/x86/include/asm/tlbflush.h
21942index cd79194..6a9956f 100644
21943--- a/arch/x86/include/asm/tlbflush.h
21944+++ b/arch/x86/include/asm/tlbflush.h
21945@@ -86,18 +86,44 @@ static inline void cr4_set_bits_and_update_boot(unsigned long mask)
21946
21947 static inline void __native_flush_tlb(void)
21948 {
21949+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
21950+ u64 descriptor[2];
21951+
21952+ descriptor[0] = PCID_KERNEL;
21953+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_NONGLOBAL) : "memory");
21954+ return;
21955+ }
21956+
21957+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21958+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
21959+ unsigned int cpu = raw_get_cpu();
21960+
21961+ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER);
21962+ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL);
21963+ raw_put_cpu_no_resched();
21964+ return;
21965+ }
21966+#endif
21967+
21968 native_write_cr3(native_read_cr3());
21969 }
21970
21971 static inline void __native_flush_tlb_global_irq_disabled(void)
21972 {
21973- unsigned long cr4;
21974+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
21975+ u64 descriptor[2];
21976
21977- cr4 = this_cpu_read(cpu_tlbstate.cr4);
21978- /* clear PGE */
21979- native_write_cr4(cr4 & ~X86_CR4_PGE);
21980- /* write old PGE again and flush TLBs */
21981- native_write_cr4(cr4);
21982+ descriptor[0] = PCID_KERNEL;
21983+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_ALL_GLOBAL) : "memory");
21984+ } else {
21985+ unsigned long cr4;
21986+
21987+ cr4 = this_cpu_read(cpu_tlbstate.cr4);
21988+ /* clear PGE */
21989+ native_write_cr4(cr4 & ~X86_CR4_PGE);
21990+ /* write old PGE again and flush TLBs */
21991+ native_write_cr4(cr4);
21992+ }
21993 }
21994
21995 static inline void __native_flush_tlb_global(void)
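Review bot: In `__native_flush_tlb()` and `__native_flush_tlb_global_irq_disabled()` only `descriptor[0]` is assigned before `&descriptor` is handed to the INVPCID asm, so the second quadword is whatever was on the stack. The all-context invalidation types may well ignore that field, but initialising the whole descriptor keeps the operand well-defined for readers and static analysers: `u64 descriptor[2] = { PCID_KERNEL, 0 };`. The same declare/fill/`asm volatile(__ASM_INVPCID ...)` sequence is repeated in this hunk and the next, so a small `static inline` helper taking the PCID, address and type would remove the duplication.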
21996@@ -118,6 +144,43 @@ static inline void __native_flush_tlb_global(void)
21997
21998 static inline void __native_flush_tlb_single(unsigned long addr)
21999 {
22000+ if (static_cpu_has(X86_FEATURE_INVPCID)) {
22001+ u64 descriptor[2];
22002+
22003+ descriptor[0] = PCID_KERNEL;
22004+ descriptor[1] = addr;
22005+
22006+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22007+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
22008+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) || addr >= TASK_SIZE_MAX) {
22009+ if (addr < TASK_SIZE_MAX)
22010+ descriptor[1] += pax_user_shadow_base;
22011+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
22012+ }
22013+
22014+ descriptor[0] = PCID_USER;
22015+ descriptor[1] = addr;
22016+ }
22017+#endif
22018+
22019+ asm volatile(__ASM_INVPCID : : "d"(&descriptor), "a"(INVPCID_SINGLE_ADDRESS) : "memory");
22020+ return;
22021+ }
22022+
22023+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22024+ if (static_cpu_has(X86_FEATURE_PCIDUDEREF)) {
22025+ unsigned int cpu = raw_get_cpu();
22026+
22027+ native_write_cr3(__pa(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
22028+ asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
22029+ native_write_cr3(__pa(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
22030+ raw_put_cpu_no_resched();
22031+
22032+ if (!static_cpu_has(X86_FEATURE_STRONGUDEREF) && addr < TASK_SIZE_MAX)
22033+ addr += pax_user_shadow_base;
22034+ }
22035+#endif
22036+
22037 asm volatile("invlpg (%0)" ::"r" (addr) : "memory");
22038 }
22039
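Review bot: `__native_flush_tlb_single()` grows from a single `invlpg` into several interacting cases with no comment, and the address arithmetic is easy to misread. As far as the code shows, the PCID-UDEREF paths flush the address under `PCID_USER` and also under `PCID_KERNEL`, where a userland address is shifted by `pax_user_shadow_base`. The INVPCID path skips the kernel-PCID flush for a userland address when `X86_FEATURE_STRONGUDEREF` is set, while the CR3-switching path still falls through to the final `invlpg` with the unshifted address. A block comment before the first `if` should state the intended behaviour per case, so a reader can tell whether that difference is deliberate.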
22040diff --git a/arch/x86/include/asm/uaccess.h b/arch/x86/include/asm/uaccess.h
22041index a8df874..ef0e34f 100644
22042--- a/arch/x86/include/asm/uaccess.h
22043+++ b/arch/x86/include/asm/uaccess.h
22044@@ -7,6 +7,7 @@
22045 #include <linux/compiler.h>
22046 #include <linux/thread_info.h>
22047 #include <linux/string.h>
22048+#include <linux/spinlock.h>
22049 #include <asm/asm.h>
22050 #include <asm/page.h>
22051 #include <asm/smap.h>
22052@@ -29,7 +30,12 @@
22053
22054 #define get_ds() (KERNEL_DS)
22055 #define get_fs() (current_thread_info()->addr_limit)
22056+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
22057+void __set_fs(mm_segment_t x);
22058+void set_fs(mm_segment_t x);
22059+#else
22060 #define set_fs(x) (current_thread_info()->addr_limit = (x))
22061+#endif
22062
22063 #define segment_eq(a, b) ((a).seg == (b).seg)
22064
22065@@ -86,8 +92,36 @@ static inline bool __chk_range_not_ok(unsigned long addr, unsigned long size, un
22066 * checks that the pointer is in the user space range - after calling
22067 * this function, memory access functions may still return -EFAULT.
22068 */
22069-#define access_ok(type, addr, size) \
22070- likely(!__range_not_ok(addr, size, user_addr_max()))
22071+extern int _cond_resched(void);
22072+#define access_ok_noprefault(type, addr, size) (likely(!__range_not_ok(addr, size, user_addr_max())))
22073+#define access_ok(type, addr, size) \
22074+({ \
22075+ unsigned long __size = size; \
22076+ unsigned long __addr = (unsigned long)addr; \
22077+ bool __ret_ao = __range_not_ok(__addr, __size, user_addr_max()) == 0;\
22078+ if (__ret_ao && __size) { \
22079+ unsigned long __addr_ao = __addr & PAGE_MASK; \
22080+ unsigned long __end_ao = __addr + __size - 1; \
22081+ if (unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
22082+ while (__addr_ao <= __end_ao) { \
22083+ char __c_ao; \
22084+ __addr_ao += PAGE_SIZE; \
22085+ if (__size > PAGE_SIZE) \
22086+ _cond_resched(); \
22087+ if (__get_user(__c_ao, (char __user *)__addr)) \
22088+ break; \
22089+ if (type != VERIFY_WRITE) { \
22090+ __addr = __addr_ao; \
22091+ continue; \
22092+ } \
22093+ if (__put_user(__c_ao, (char __user *)__addr)) \
22094+ break; \
22095+ __addr = __addr_ao; \
22096+ } \
22097+ } \
22098+ } \
22099+ __ret_ao; \
22100+})
22101
22102 /*
22103 * The exception table consists of pairs of addresses relative to the
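Review bot: The rewritten `access_ok()` substitutes its arguments unparenthesised, so `(unsigned long)addr` casts only the first operand of an expression argument such as `p + off`. For a non-`char` pointer that range-checks a different address than the caller meant; `size` and `type` are used bare as well. I would write `unsigned long __size = (size);`, `unsigned long __addr = (unsigned long)(addr);` and `if ((type) != VERIFY_WRITE)`. The comment above the macro begins outside this hunk and needs updating: for a range that crosses a page boundary the check now reads one byte per page, writes it back for `VERIFY_WRITE`, and may call `_cond_resched()`. It should also say that a failed prefault only ends the loop and leaves `__ret_ao` unchanged.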
22104@@ -135,11 +169,13 @@ extern int __get_user_8(void);
22105 extern int __get_user_bad(void);
22106
22107 /*
22108- * This is a type: either unsigned long, if the argument fits into
22109- * that type, or otherwise unsigned long long.
22110+ * This is a type: either (un)signed int, if the argument fits into
22111+ * that type, or otherwise (un)signed long long.
22112 */
22113 #define __inttype(x) \
22114-__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
22115+__typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0U), \
22116+ __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0ULL, 0LL),\
22117+ __builtin_choose_expr(__type_is_unsigned(__typeof__(x)), 0U, 0)))
22118
22119 /**
22120 * get_user: - Get a simple variable from user space.
22121@@ -178,10 +214,12 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
22122 register __inttype(*(ptr)) __val_gu asm("%"_ASM_DX); \
22123 __chk_user_ptr(ptr); \
22124 might_fault(); \
22125+ pax_open_userland(); \
22126 asm volatile("call __get_user_%P3" \
22127 : "=a" (__ret_gu), "=r" (__val_gu) \
22128 : "0" (ptr), "i" (sizeof(*(ptr)))); \
22129 (x) = (__force __typeof__(*(ptr))) __val_gu; \
22130+ pax_close_userland(); \
22131 __ret_gu; \
22132 })
22133
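Review bot: In `get_user()` the added `pax_close_userland();` comes after `(x) = (__force __typeof__(*(ptr))) __val_gu;`, so the caller-supplied lvalue is evaluated and stored while the userland window is still open. `__get_user_asm()` and `__put_user_asm()` later in this patch close the window immediately after the asm statement, which keeps it as narrow as possible. Moving `pax_close_userland();` directly after the `asm volatile(...)` here would match them. The pax_*_userland helpers are not defined in view, so this assumes they have no ordering requirement with the assignment. The macro starts above this hunk.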
22134@@ -189,13 +227,21 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
22135 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
22136 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
22137
22138-
22139+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
22140+#define __copyuser_seg "gs;"
22141+#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
22142+#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
22143+#else
22144+#define __copyuser_seg
22145+#define __COPYUSER_SET_ES
22146+#define __COPYUSER_RESTORE_ES
22147+#endif
22148
22149 #ifdef CONFIG_X86_32
22150 #define __put_user_asm_u64(x, addr, err, errret) \
22151 asm volatile(ASM_STAC "\n" \
22152- "1: movl %%eax,0(%2)\n" \
22153- "2: movl %%edx,4(%2)\n" \
22154+ "1: "__copyuser_seg"movl %%eax,0(%2)\n" \
22155+ "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
22156 "3: " ASM_CLAC "\n" \
22157 ".section .fixup,\"ax\"\n" \
22158 "4: movl %3,%0\n" \
22159@@ -208,8 +254,8 @@ __typeof__(__builtin_choose_expr(sizeof(x) > sizeof(0UL), 0ULL, 0UL))
22160
22161 #define __put_user_asm_ex_u64(x, addr) \
22162 asm volatile(ASM_STAC "\n" \
22163- "1: movl %%eax,0(%1)\n" \
22164- "2: movl %%edx,4(%1)\n" \
22165+ "1: "__copyuser_seg"movl %%eax,0(%1)\n" \
22166+ "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
22167 "3: " ASM_CLAC "\n" \
22168 _ASM_EXTABLE_EX(1b, 2b) \
22169 _ASM_EXTABLE_EX(2b, 3b) \
22170@@ -260,7 +306,8 @@ extern void __put_user_8(void);
22171 __typeof__(*(ptr)) __pu_val; \
22172 __chk_user_ptr(ptr); \
22173 might_fault(); \
22174- __pu_val = x; \
22175+ __pu_val = (x); \
22176+ pax_open_userland(); \
22177 switch (sizeof(*(ptr))) { \
22178 case 1: \
22179 __put_user_x(1, __pu_val, ptr, __ret_pu); \
22180@@ -278,6 +325,7 @@ extern void __put_user_8(void);
22181 __put_user_x(X, __pu_val, ptr, __ret_pu); \
22182 break; \
22183 } \
22184+ pax_close_userland(); \
22185 __ret_pu; \
22186 })
22187
22188@@ -358,8 +406,10 @@ do { \
22189 } while (0)
22190
22191 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
22192+do { \
22193+ pax_open_userland(); \
22194 asm volatile(ASM_STAC "\n" \
22195- "1: mov"itype" %2,%"rtype"1\n" \
22196+ "1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
22197 "2: " ASM_CLAC "\n" \
22198 ".section .fixup,\"ax\"\n" \
22199 "3: mov %3,%0\n" \
22200@@ -367,8 +417,10 @@ do { \
22201 " jmp 2b\n" \
22202 ".previous\n" \
22203 _ASM_EXTABLE(1b, 3b) \
22204- : "=r" (err), ltype(x) \
22205- : "m" (__m(addr)), "i" (errret), "0" (err))
22206+ : "=r" (err), ltype (x) \
22207+ : "m" (__m(addr)), "i" (errret), "0" (err)); \
22208+ pax_close_userland(); \
22209+} while (0)
22210
22211 #define __get_user_size_ex(x, ptr, size) \
22212 do { \
22213@@ -392,7 +444,7 @@ do { \
22214 } while (0)
22215
22216 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
22217- asm volatile("1: mov"itype" %1,%"rtype"0\n" \
22218+ asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
22219 "2:\n" \
22220 _ASM_EXTABLE_EX(1b, 2b) \
22221 : ltype(x) : "m" (__m(addr)))
22222@@ -409,13 +461,24 @@ do { \
22223 int __gu_err; \
22224 unsigned long __gu_val; \
22225 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
22226- (x) = (__force __typeof__(*(ptr)))__gu_val; \
22227+ (x) = (__typeof__(*(ptr)))__gu_val; \
22228 __gu_err; \
22229 })
22230
22231 /* FIXME: this hack is definitely wrong -AK */
22232 struct __large_struct { unsigned long buf[100]; };
22233-#define __m(x) (*(struct __large_struct __user *)(x))
22234+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22235+#define ____m(x) \
22236+({ \
22237+ unsigned long ____x = (unsigned long)(x); \
22238+ if (____x < pax_user_shadow_base) \
22239+ ____x += pax_user_shadow_base; \
22240+ (typeof(x))____x; \
22241+})
22242+#else
22243+#define ____m(x) (x)
22244+#endif
22245+#define __m(x) (*(struct __large_struct __user *)____m(x))
22246
22247 /*
22248 * Tell gcc we read from memory instead of writing: this is because
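Review bot: `__get_user_nocheck()` drops `__force` from the result cast, leaving `(x) = (__typeof__(*(ptr)))__gu_val;`, and the `get_user_ex()` hunk further down does the same, while `get_user()` earlier in this file keeps `(__force __typeof__(*(ptr)))`. Without `__force`, sparse is likely to warn again whenever `*(ptr)` has a `__bitwise` or address-space-qualified type, and nothing in the hunk says why the annotation was removed. Either keep it in both places or record the reason in a comment. The new `____m()` helper should also get a one-line comment saying that it redirects addresses below `pax_user_shadow_base` into the shadow range, and that it relies on the caller having range-checked the pointer, if that is the intent.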
22249@@ -423,8 +486,10 @@ struct __large_struct { unsigned long buf[100]; };
22250 * aliasing issues.
22251 */
22252 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
22253+do { \
22254+ pax_open_userland(); \
22255 asm volatile(ASM_STAC "\n" \
22256- "1: mov"itype" %"rtype"1,%2\n" \
22257+ "1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
22258 "2: " ASM_CLAC "\n" \
22259 ".section .fixup,\"ax\"\n" \
22260 "3: mov %3,%0\n" \
22261@@ -432,10 +497,12 @@ struct __large_struct { unsigned long buf[100]; };
22262 ".previous\n" \
22263 _ASM_EXTABLE(1b, 3b) \
22264 : "=r"(err) \
22265- : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
22266+ : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err));\
22267+ pax_close_userland(); \
22268+} while (0)
22269
22270 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
22271- asm volatile("1: mov"itype" %"rtype"0,%1\n" \
22272+ asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
22273 "2:\n" \
22274 _ASM_EXTABLE_EX(1b, 2b) \
22275 : : ltype(x), "m" (__m(addr)))
22276@@ -445,11 +512,13 @@ struct __large_struct { unsigned long buf[100]; };
22277 */
22278 #define uaccess_try do { \
22279 current_thread_info()->uaccess_err = 0; \
22280+ pax_open_userland(); \
22281 stac(); \
22282 barrier();
22283
22284 #define uaccess_catch(err) \
22285 clac(); \
22286+ pax_close_userland(); \
22287 (err) |= (current_thread_info()->uaccess_err ? -EFAULT : 0); \
22288 } while (0)
22289
22290@@ -475,8 +544,12 @@ struct __large_struct { unsigned long buf[100]; };
22291 * On error, the variable @x is set to zero.
22292 */
22293
22294+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22295+#define __get_user(x, ptr) get_user((x), (ptr))
22296+#else
22297 #define __get_user(x, ptr) \
22298 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
22299+#endif
22300
22301 /**
22302 * __put_user: - Write a simple value into user space, with less checking.
22303@@ -499,8 +572,12 @@ struct __large_struct { unsigned long buf[100]; };
22304 * Returns zero on success, or -EFAULT on error.
22305 */
22306
22307+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
22308+#define __put_user(x, ptr) put_user((x), (ptr))
22309+#else
22310 #define __put_user(x, ptr) \
22311 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
22312+#endif
22313
22314 #define __get_user_unaligned __get_user
22315 #define __put_user_unaligned __put_user
22316@@ -518,7 +595,7 @@ struct __large_struct { unsigned long buf[100]; };
22317 #define get_user_ex(x, ptr) do { \
22318 unsigned long __gue_val; \
22319 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
22320- (x) = (__force __typeof__(*(ptr)))__gue_val; \
22321+ (x) = (__typeof__(*(ptr)))__gue_val; \
22322 } while (0)
22323
22324 #define put_user_try uaccess_try
22325@@ -536,7 +613,7 @@ extern __must_check long strlen_user(const char __user *str);
22326 extern __must_check long strnlen_user(const char __user *str, long n);
22327
22328 unsigned long __must_check clear_user(void __user *mem, unsigned long len);
22329-unsigned long __must_check __clear_user(void __user *mem, unsigned long len);
22330+unsigned long __must_check __clear_user(void __user *mem, unsigned long len) __size_overflow(2);
22331
22332 extern void __cmpxchg_wrong_size(void)
22333 __compiletime_error("Bad argument size for cmpxchg");
22334@@ -547,18 +624,19 @@ extern void __cmpxchg_wrong_size(void)
22335 __typeof__(ptr) __uval = (uval); \
22336 __typeof__(*(ptr)) __old = (old); \
22337 __typeof__(*(ptr)) __new = (new); \
22338+ pax_open_userland(); \
22339 switch (size) { \
22340 case 1: \
22341 { \
22342 asm volatile("\t" ASM_STAC "\n" \
22343- "1:\t" LOCK_PREFIX "cmpxchgb %4, %2\n" \
22344+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgb %4, %2\n"\
22345 "2:\t" ASM_CLAC "\n" \
22346 "\t.section .fixup, \"ax\"\n" \
22347 "3:\tmov %3, %0\n" \
22348 "\tjmp 2b\n" \
22349 "\t.previous\n" \
22350 _ASM_EXTABLE(1b, 3b) \
22351- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
22352+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
22353 : "i" (-EFAULT), "q" (__new), "1" (__old) \
22354 : "memory" \
22355 ); \
22356@@ -567,14 +645,14 @@ extern void __cmpxchg_wrong_size(void)
22357 case 2: \
22358 { \
22359 asm volatile("\t" ASM_STAC "\n" \
22360- "1:\t" LOCK_PREFIX "cmpxchgw %4, %2\n" \
22361+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgw %4, %2\n"\
22362 "2:\t" ASM_CLAC "\n" \
22363 "\t.section .fixup, \"ax\"\n" \
22364 "3:\tmov %3, %0\n" \
22365 "\tjmp 2b\n" \
22366 "\t.previous\n" \
22367 _ASM_EXTABLE(1b, 3b) \
22368- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
22369+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
22370 : "i" (-EFAULT), "r" (__new), "1" (__old) \
22371 : "memory" \
22372 ); \
22373@@ -583,14 +661,14 @@ extern void __cmpxchg_wrong_size(void)
22374 case 4: \
22375 { \
22376 asm volatile("\t" ASM_STAC "\n" \
22377- "1:\t" LOCK_PREFIX "cmpxchgl %4, %2\n" \
22378+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %4, %2\n"\
22379 "2:\t" ASM_CLAC "\n" \
22380 "\t.section .fixup, \"ax\"\n" \
22381 "3:\tmov %3, %0\n" \
22382 "\tjmp 2b\n" \
22383 "\t.previous\n" \
22384 _ASM_EXTABLE(1b, 3b) \
22385- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
22386+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
22387 : "i" (-EFAULT), "r" (__new), "1" (__old) \
22388 : "memory" \
22389 ); \
22390@@ -602,14 +680,14 @@ extern void __cmpxchg_wrong_size(void)
22391 __cmpxchg_wrong_size(); \
22392 \
22393 asm volatile("\t" ASM_STAC "\n" \
22394- "1:\t" LOCK_PREFIX "cmpxchgq %4, %2\n" \
22395+ "1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgq %4, %2\n"\
22396 "2:\t" ASM_CLAC "\n" \
22397 "\t.section .fixup, \"ax\"\n" \
22398 "3:\tmov %3, %0\n" \
22399 "\tjmp 2b\n" \
22400 "\t.previous\n" \
22401 _ASM_EXTABLE(1b, 3b) \
22402- : "+r" (__ret), "=a" (__old), "+m" (*(ptr)) \
22403+ : "+r" (__ret), "=a" (__old), "+m" (*____m(ptr))\
22404 : "i" (-EFAULT), "r" (__new), "1" (__old) \
22405 : "memory" \
22406 ); \
22407@@ -618,6 +696,7 @@ extern void __cmpxchg_wrong_size(void)
22408 default: \
22409 __cmpxchg_wrong_size(); \
22410 } \
22411+ pax_close_userland(); \
22412 *__uval = __old; \
22413 __ret; \
22414 })
22415@@ -641,17 +720,6 @@ extern struct movsl_mask {
22416
22417 #define ARCH_HAS_NOCACHE_UACCESS 1
22418
22419-#ifdef CONFIG_X86_32
22420-# include <asm/uaccess_32.h>
22421-#else
22422-# include <asm/uaccess_64.h>
22423-#endif
22424-
22425-unsigned long __must_check _copy_from_user(void *to, const void __user *from,
22426- unsigned n);
22427-unsigned long __must_check _copy_to_user(void __user *to, const void *from,
22428- unsigned n);
22429-
22430 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
22431 # define copy_user_diag __compiletime_error
22432 #else
22433@@ -661,7 +729,7 @@ unsigned long __must_check _copy_to_user(void __user *to, const void *from,
22434 extern void copy_user_diag("copy_from_user() buffer size is too small")
22435 copy_from_user_overflow(void);
22436 extern void copy_user_diag("copy_to_user() buffer size is too small")
22437-copy_to_user_overflow(void) __asm__("copy_from_user_overflow");
22438+copy_to_user_overflow(void);
22439
22440 #undef copy_user_diag
22441
22442@@ -674,7 +742,7 @@ __copy_from_user_overflow(void) __asm__("copy_from_user_overflow");
22443
22444 extern void
22445 __compiletime_warning("copy_to_user() buffer size is not provably correct")
22446-__copy_to_user_overflow(void) __asm__("copy_from_user_overflow");
22447+__copy_to_user_overflow(void) __asm__("copy_to_user_overflow");
22448 #define __copy_to_user_overflow(size, count) __copy_to_user_overflow()
22449
22450 #else
22451@@ -689,10 +757,16 @@ __copy_from_user_overflow(int size, unsigned long count)
22452
22453 #endif
22454
22455+#ifdef CONFIG_X86_32
22456+# include <asm/uaccess_32.h>
22457+#else
22458+# include <asm/uaccess_64.h>
22459+#endif
22460+
22461 static inline unsigned long __must_check
22462 copy_from_user(void *to, const void __user *from, unsigned long n)
22463 {
22464- int sz = __compiletime_object_size(to);
22465+ size_t sz = __compiletime_object_size(to);
22466
22467 might_fault();
22468
22469@@ -714,12 +788,15 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
22470 * case, and do only runtime checking for non-constant sizes.
22471 */
22472
22473- if (likely(sz < 0 || sz >= n))
22474- n = _copy_from_user(to, from, n);
22475- else if(__builtin_constant_p(n))
22476- copy_from_user_overflow();
22477- else
22478- __copy_from_user_overflow(sz, n);
22479+ if (likely(sz != (size_t)-1 && sz < n)) {
22480+ if(__builtin_constant_p(n))
22481+ copy_from_user_overflow();
22482+ else
22483+ __copy_from_user_overflow(sz, n);
22484+ } else if (access_ok(VERIFY_READ, from, n))
22485+ n = __copy_from_user(to, from, n);
22486+ else if ((long)n > 0)
22487+ memset(to, 0, n);
22488
22489 return n;
22490 }
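Review bot: The branch hint in `copy_from_user()` is now inverted: `likely(sz != (size_t)-1 && sz < n)` marks the overflow-report path as the expected one, whereas the removed code applied `likely()` to the normal copy path. The 64-bit `__copy_from_user_nocheck()` added later in this patch uses `unlikely()` for the same test, so this line should read `if (unlikely(sz != (size_t)-1 && sz < n)) {`. The `copy_to_user()` hunk that follows contains the same line and needs the same change. The function begins in the previous hunk.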
22491@@ -727,17 +804,18 @@ copy_from_user(void *to, const void __user *from, unsigned long n)
22492 static inline unsigned long __must_check
22493 copy_to_user(void __user *to, const void *from, unsigned long n)
22494 {
22495- int sz = __compiletime_object_size(from);
22496+ size_t sz = __compiletime_object_size(from);
22497
22498 might_fault();
22499
22500 /* See the comment in copy_from_user() above. */
22501- if (likely(sz < 0 || sz >= n))
22502- n = _copy_to_user(to, from, n);
22503- else if(__builtin_constant_p(n))
22504- copy_to_user_overflow();
22505- else
22506- __copy_to_user_overflow(sz, n);
22507+ if (likely(sz != (size_t)-1 && sz < n)) {
22508+ if(__builtin_constant_p(n))
22509+ copy_to_user_overflow();
22510+ else
22511+ __copy_to_user_overflow(sz, n);
22512+ } else if (access_ok(VERIFY_WRITE, to, n))
22513+ n = __copy_to_user(to, from, n);
22514
22515 return n;
22516 }
22517diff --git a/arch/x86/include/asm/uaccess_32.h b/arch/x86/include/asm/uaccess_32.h
22518index f5dcb52..da2c15b 100644
22519--- a/arch/x86/include/asm/uaccess_32.h
22520+++ b/arch/x86/include/asm/uaccess_32.h
22521@@ -40,9 +40,14 @@ unsigned long __must_check __copy_from_user_ll_nocache_nozero
22522 * anything, so this is accurate.
22523 */
22524
22525-static __always_inline unsigned long __must_check
22526+static __always_inline __size_overflow(3) unsigned long __must_check
22527 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
22528 {
22529+ if ((long)n < 0)
22530+ return n;
22531+
22532+ check_object_size(from, n, true);
22533+
22534 if (__builtin_constant_p(n)) {
22535 unsigned long ret;
22536
22537@@ -87,12 +92,16 @@ static __always_inline unsigned long __must_check
22538 __copy_to_user(void __user *to, const void *from, unsigned long n)
22539 {
22540 might_fault();
22541+
22542 return __copy_to_user_inatomic(to, from, n);
22543 }
22544
22545-static __always_inline unsigned long
22546+static __always_inline __size_overflow(3) unsigned long
22547 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
22548 {
22549+ if ((long)n < 0)
22550+ return n;
22551+
22552 /* Avoid zeroing the tail if the copy fails..
22553 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
22554 * but as the zeroing behaviour is only significant when n is not
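Review bot: `__copy_from_user_inatomic()` gains the `(long)n < 0` guard here but no `check_object_size(to, n, false)`. `__copy_from_user()`, two hunks later, gets both, and `__copy_to_user_inatomic()` in the first hunk checks its kernel-side buffer. `__copy_from_user_nocache()` and `__copy_from_user_inatomic_nocache()` are in the same position, so three helpers that write a caller-sized amount into a kernel buffer skip the destination-object check. If that is deliberate, for example because of cost in atomic paths, a one-line comment in each function would make it clear; otherwise `check_object_size(to, n, false);` belongs right after the guard. All of these function bodies continue outside their hunks.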
22555@@ -143,6 +152,12 @@ static __always_inline unsigned long
22556 __copy_from_user(void *to, const void __user *from, unsigned long n)
22557 {
22558 might_fault();
22559+
22560+ if ((long)n < 0)
22561+ return n;
22562+
22563+ check_object_size(to, n, false);
22564+
22565 if (__builtin_constant_p(n)) {
22566 unsigned long ret;
22567
22568@@ -165,6 +180,10 @@ static __always_inline unsigned long __copy_from_user_nocache(void *to,
22569 const void __user *from, unsigned long n)
22570 {
22571 might_fault();
22572+
22573+ if ((long)n < 0)
22574+ return n;
22575+
22576 if (__builtin_constant_p(n)) {
22577 unsigned long ret;
22578
22579@@ -187,7 +206,10 @@ static __always_inline unsigned long
22580 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
22581 unsigned long n)
22582 {
22583- return __copy_from_user_ll_nocache_nozero(to, from, n);
22584+ if ((long)n < 0)
22585+ return n;
22586+
22587+ return __copy_from_user_ll_nocache_nozero(to, from, n);
22588 }
22589
22590 #endif /* _ASM_X86_UACCESS_32_H */
22591diff --git a/arch/x86/include/asm/uaccess_64.h b/arch/x86/include/asm/uaccess_64.h
22592index f2f9b39..2ae1bf8 100644
22593--- a/arch/x86/include/asm/uaccess_64.h
22594+++ b/arch/x86/include/asm/uaccess_64.h
22595@@ -10,6 +10,9 @@
22596 #include <asm/alternative.h>
22597 #include <asm/cpufeature.h>
22598 #include <asm/page.h>
22599+#include <asm/pgtable.h>
22600+
22601+#define set_fs(x) (current_thread_info()->addr_limit = (x))
22602
22603 /*
22604 * Copy To/From Userspace
22605@@ -23,8 +26,8 @@ copy_user_generic_string(void *to, const void *from, unsigned len);
22606 __must_check unsigned long
22607 copy_user_generic_unrolled(void *to, const void *from, unsigned len);
22608
22609-static __always_inline __must_check unsigned long
22610-copy_user_generic(void *to, const void *from, unsigned len)
22611+static __always_inline __must_check __size_overflow(3) unsigned long
22612+copy_user_generic(void *to, const void *from, unsigned long len)
22613 {
22614 unsigned ret;
22615
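Review bot: `copy_user_generic()` now takes `unsigned long len`, but the context lines still show `unsigned ret;` and the `copy_user_generic_string()` / `copy_user_generic_unrolled()` prototypes above keep `unsigned len`. Depending on how the body passes `len` on, a length above 32 bits can be truncated on the way in and the residual count on the way out. The `size > INT_MAX` guards added to the `__copy_*_nocheck()` callers later in this file cover those paths, but other callers are not visible here. Either widen `ret` and the helper prototypes to `unsigned long` as well, or state the bound at the top of the function, e.g. `/* callers guarantee len <= INT_MAX */`. The function body continues outside this hunk.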
22616@@ -46,121 +49,170 @@ copy_user_generic(void *to, const void *from, unsigned len)
22617 }
22618
22619 __must_check unsigned long
22620-copy_in_user(void __user *to, const void __user *from, unsigned len);
22621+copy_in_user(void __user *to, const void __user *from, unsigned long len);
22622
22623 static __always_inline __must_check
22624-int __copy_from_user_nocheck(void *dst, const void __user *src, unsigned size)
22625+unsigned long __copy_from_user_nocheck(void *dst, const void __user *src, unsigned long size)
22626 {
22627- int ret = 0;
22628+ size_t sz = __compiletime_object_size(dst);
22629+ unsigned ret = 0;
22630+
22631+ if (size > INT_MAX)
22632+ return size;
22633+
22634+ check_object_size(dst, size, false);
22635+
22636+#ifdef CONFIG_PAX_MEMORY_UDEREF
22637+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22638+ return size;
22639+#endif
22640+
22641+ if (unlikely(sz != (size_t)-1 && sz < size)) {
22642+ if(__builtin_constant_p(size))
22643+ copy_from_user_overflow();
22644+ else
22645+ __copy_from_user_overflow(sz, size);
22646+ return size;
22647+ }
22648
22649 if (!__builtin_constant_p(size))
22650- return copy_user_generic(dst, (__force void *)src, size);
22651+ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
22652 switch (size) {
22653- case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
22654+ case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
22655 ret, "b", "b", "=q", 1);
22656 return ret;
22657- case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
22658+ case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
22659 ret, "w", "w", "=r", 2);
22660 return ret;
22661- case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
22662+ case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
22663 ret, "l", "k", "=r", 4);
22664 return ret;
22665- case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
22666+ case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
22667 ret, "q", "", "=r", 8);
22668 return ret;
22669 case 10:
22670- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
22671+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
22672 ret, "q", "", "=r", 10);
22673 if (unlikely(ret))
22674 return ret;
22675 __get_user_asm(*(u16 *)(8 + (char *)dst),
22676- (u16 __user *)(8 + (char __user *)src),
22677+ (const u16 __user *)(8 + (const char __user *)src),
22678 ret, "w", "w", "=r", 2);
22679 return ret;
22680 case 16:
22681- __get_user_asm(*(u64 *)dst, (u64 __user *)src,
22682+ __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
22683 ret, "q", "", "=r", 16);
22684 if (unlikely(ret))
22685 return ret;
22686 __get_user_asm(*(u64 *)(8 + (char *)dst),
22687- (u64 __user *)(8 + (char __user *)src),
22688+ (const u64 __user *)(8 + (const char __user *)src),
22689 ret, "q", "", "=r", 8);
22690 return ret;
22691 default:
22692- return copy_user_generic(dst, (__force void *)src, size);
22693+ return copy_user_generic(dst, (__force_kernel const void *)____m(src), size);
22694 }
22695 }
22696
22697 static __always_inline __must_check
22698-int __copy_from_user(void *dst, const void __user *src, unsigned size)
22699+unsigned long __copy_from_user(void *dst, const void __user *src, unsigned long size)
22700 {
22701 might_fault();
22702 return __copy_from_user_nocheck(dst, src, size);
22703 }
22704
22705 static __always_inline __must_check
22706-int __copy_to_user_nocheck(void __user *dst, const void *src, unsigned size)
22707+unsigned long __copy_to_user_nocheck(void __user *dst, const void *src, unsigned long size)
22708 {
22709- int ret = 0;
22710+ size_t sz = __compiletime_object_size(src);
22711+ unsigned ret = 0;
22712+
22713+ if (size > INT_MAX)
22714+ return size;
22715+
22716+ check_object_size(src, size, true);
22717+
22718+#ifdef CONFIG_PAX_MEMORY_UDEREF
22719+ if (!access_ok_noprefault(VERIFY_WRITE, dst, size))
22720+ return size;
22721+#endif
22722+
22723+ if (unlikely(sz != (size_t)-1 && sz < size)) {
22724+ if(__builtin_constant_p(size))
22725+ copy_to_user_overflow();
22726+ else
22727+ __copy_to_user_overflow(sz, size);
22728+ return size;
22729+ }
22730
22731 if (!__builtin_constant_p(size))
22732- return copy_user_generic((__force void *)dst, src, size);
22733+ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
22734 switch (size) {
22735- case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
22736+ case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
22737 ret, "b", "b", "iq", 1);
22738 return ret;
22739- case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
22740+ case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
22741 ret, "w", "w", "ir", 2);
22742 return ret;
22743- case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
22744+ case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
22745 ret, "l", "k", "ir", 4);
22746 return ret;
22747- case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
22748+ case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
22749 ret, "q", "", "er", 8);
22750 return ret;
22751 case 10:
22752- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
22753+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
22754 ret, "q", "", "er", 10);
22755 if (unlikely(ret))
22756 return ret;
22757 asm("":::"memory");
22758- __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
22759+ __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
22760 ret, "w", "w", "ir", 2);
22761 return ret;
22762 case 16:
22763- __put_user_asm(*(u64 *)src, (u64 __user *)dst,
22764+ __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
22765 ret, "q", "", "er", 16);
22766 if (unlikely(ret))
22767 return ret;
22768 asm("":::"memory");
22769- __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
22770+ __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
22771 ret, "q", "", "er", 8);
22772 return ret;
22773 default:
22774- return copy_user_generic((__force void *)dst, src, size);
22775+ return copy_user_generic((__force_kernel void *)____m(dst), src, size);
22776 }
22777 }
22778
22779 static __always_inline __must_check
22780-int __copy_to_user(void __user *dst, const void *src, unsigned size)
22781+unsigned long __copy_to_user(void __user *dst, const void *src, unsigned long size)
22782 {
22783 might_fault();
22784 return __copy_to_user_nocheck(dst, src, size);
22785 }
22786
22787 static __always_inline __must_check
22788-int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22789+unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22790 {
22791- int ret = 0;
22792+ unsigned ret = 0;
22793
22794 might_fault();
22795+
22796+ if (size > INT_MAX)
22797+ return size;
22798+
22799+#ifdef CONFIG_PAX_MEMORY_UDEREF
22800+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22801+ return size;
22802+ if (!access_ok_noprefault(VERIFY_WRITE, dst, size))
22803+ return size;
22804+#endif
22805+
22806 if (!__builtin_constant_p(size))
22807- return copy_user_generic((__force void *)dst,
22808- (__force void *)src, size);
22809+ return copy_user_generic((__force_kernel void *)____m(dst),
22810+ (__force_kernel const void *)____m(src), size);
22811 switch (size) {
22812 case 1: {
22813 u8 tmp;
22814- __get_user_asm(tmp, (u8 __user *)src,
22815+ __get_user_asm(tmp, (const u8 __user *)src,
22816 ret, "b", "b", "=q", 1);
22817 if (likely(!ret))
22818 __put_user_asm(tmp, (u8 __user *)dst,
22819@@ -169,7 +221,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22820 }
22821 case 2: {
22822 u16 tmp;
22823- __get_user_asm(tmp, (u16 __user *)src,
22824+ __get_user_asm(tmp, (const u16 __user *)src,
22825 ret, "w", "w", "=r", 2);
22826 if (likely(!ret))
22827 __put_user_asm(tmp, (u16 __user *)dst,
22828@@ -179,7 +231,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22829
22830 case 4: {
22831 u32 tmp;
22832- __get_user_asm(tmp, (u32 __user *)src,
22833+ __get_user_asm(tmp, (const u32 __user *)src,
22834 ret, "l", "k", "=r", 4);
22835 if (likely(!ret))
22836 __put_user_asm(tmp, (u32 __user *)dst,
22837@@ -188,7 +240,7 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22838 }
22839 case 8: {
22840 u64 tmp;
22841- __get_user_asm(tmp, (u64 __user *)src,
22842+ __get_user_asm(tmp, (const u64 __user *)src,
22843 ret, "q", "", "=r", 8);
22844 if (likely(!ret))
22845 __put_user_asm(tmp, (u64 __user *)dst,
22846@@ -196,41 +248,58 @@ int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
22847 return ret;
22848 }
22849 default:
22850- return copy_user_generic((__force void *)dst,
22851- (__force void *)src, size);
22852+ return copy_user_generic((__force_kernel void *)____m(dst),
22853+ (__force_kernel const void *)____m(src), size);
22854 }
22855 }
22856
22857-static __must_check __always_inline int
22858-__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
22859+static __must_check __always_inline unsigned long
22860+__copy_from_user_inatomic(void *dst, const void __user *src, unsigned long size)
22861 {
22862 return __copy_from_user_nocheck(dst, src, size);
22863 }
22864
22865-static __must_check __always_inline int
22866-__copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
22867+static __must_check __always_inline unsigned long
22868+__copy_to_user_inatomic(void __user *dst, const void *src, unsigned long size)
22869 {
22870 return __copy_to_user_nocheck(dst, src, size);
22871 }
22872
22873-extern long __copy_user_nocache(void *dst, const void __user *src,
22874- unsigned size, int zerorest);
22875+extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
22876+ unsigned long size, int zerorest);
22877
22878-static inline int
22879-__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
22880+static inline unsigned long
22881+__copy_from_user_nocache(void *dst, const void __user *src, unsigned long size)
22882 {
22883 might_fault();
22884+
22885+ if (size > INT_MAX)
22886+ return size;
22887+
22888+#ifdef CONFIG_PAX_MEMORY_UDEREF
22889+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22890+ return size;
22891+#endif
22892+
22893 return __copy_user_nocache(dst, src, size, 1);
22894 }
22895
22896-static inline int
22897+static inline unsigned long
22898 __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
22899- unsigned size)
22900+ unsigned long size)
22901 {
22902+ if (size > INT_MAX)
22903+ return size;
22904+
22905+#ifdef CONFIG_PAX_MEMORY_UDEREF
22906+ if (!access_ok_noprefault(VERIFY_READ, src, size))
22907+ return size;
22908+#endif
22909+
22910 return __copy_user_nocache(dst, src, size, 0);
22911 }
22912
22913 unsigned long
22914-copy_user_handle_tail(char *to, char *from, unsigned len);
22915+copy_user_handle_tail(char __user *to, char __user *from, unsigned long len) __size_overflow(3);
22916
22917 #endif /* _ASM_X86_UACCESS_64_H */
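Review bot: The new early exits in `__copy_from_user_nocache` and `__copy_from_user_inatomic_nocache` (the `size > INT_MAX` test and the `CONFIG_PAX_MEMORY_UDEREF` range check) return `size` with `dst` untouched, yet these two helpers, unlike the `__copy_*_inatomic` pair just above them, are not `__must_check`. A caller that drops the result would go on to consume whatever `dst` held before the call. The normal path of the first helper passes `zerorest` as 1, which presumably clears the uncopied tail, so the early exits behave differently. Either declare both as `static __must_check inline unsigned long`, or state the contract above them: `/* returns size and leaves dst unmodified when size > INT_MAX or the range check fails */`.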
22918diff --git a/arch/x86/include/asm/word-at-a-time.h b/arch/x86/include/asm/word-at-a-time.h
22919index 5b238981..77fdd78 100644
22920--- a/arch/x86/include/asm/word-at-a-time.h
22921+++ b/arch/x86/include/asm/word-at-a-time.h
22922@@ -11,7 +11,7 @@
22923 * and shift, for example.
22924 */
22925 struct word_at_a_time {
22926- const unsigned long one_bits, high_bits;
22927+ unsigned long one_bits, high_bits;
22928 };
22929
22930 #define WORD_AT_A_TIME_CONSTANTS { REPEAT_BYTE(0x01), REPEAT_BYTE(0x80) }
22931diff --git a/arch/x86/include/asm/x86_init.h b/arch/x86/include/asm/x86_init.h
22932index 48d34d2..90671c7 100644
22933--- a/arch/x86/include/asm/x86_init.h
22934+++ b/arch/x86/include/asm/x86_init.h
22935@@ -129,7 +129,7 @@ struct x86_init_ops {
22936 struct x86_init_timers timers;
22937 struct x86_init_iommu iommu;
22938 struct x86_init_pci pci;
22939-};
22940+} __no_const;
22941
22942 /**
22943 * struct x86_cpuinit_ops - platform specific cpu hotplug setups
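Review bot: `__no_const` is added to `struct x86_init_ops` with no explanation, and the same bare annotation lands on `x86_cpuinit_ops`, `x86_platform_ops`, `x86_msi_ops` and `x86_io_apic_ops` in the following hunks of this file. The latter four visibly hold function pointers, so if the annotation does what its name suggests (opting the type out of constification), these indirect-call tables stay writable at runtime. Each deserves a one-line reason, for example `/* fields are assigned by platform setup code at boot, so the type cannot be constified */`, adjusted to whatever the real writer is. The structure bodies start outside these hunks.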
22944@@ -140,7 +140,7 @@ struct x86_cpuinit_ops {
22945 void (*setup_percpu_clockev)(void);
22946 void (*early_percpu_clock_init)(void);
22947 void (*fixup_cpu_id)(struct cpuinfo_x86 *c, int node);
22948-};
22949+} __no_const;
22950
22951 struct timespec;
22952
22953@@ -168,7 +168,7 @@ struct x86_platform_ops {
22954 void (*save_sched_clock_state)(void);
22955 void (*restore_sched_clock_state)(void);
22956 void (*apic_post_init)(void);
22957-};
22958+} __no_const;
22959
22960 struct pci_dev;
22961
22962@@ -177,12 +177,12 @@ struct x86_msi_ops {
22963 void (*teardown_msi_irq)(unsigned int irq);
22964 void (*teardown_msi_irqs)(struct pci_dev *dev);
22965 void (*restore_msi_irqs)(struct pci_dev *dev);
22966-};
22967+} __no_const;
22968
22969 struct x86_io_apic_ops {
22970 unsigned int (*read) (unsigned int apic, unsigned int reg);
22971 void (*disable)(void);
22972-};
22973+} __no_const;
22974
22975 extern struct x86_init_ops x86_init;
22976 extern struct x86_cpuinit_ops x86_cpuinit;
22977diff --git a/arch/x86/include/asm/xen/page.h b/arch/x86/include/asm/xen/page.h
22978index c44a5d5..7f83cfc 100644
22979--- a/arch/x86/include/asm/xen/page.h
22980+++ b/arch/x86/include/asm/xen/page.h
22981@@ -82,7 +82,7 @@ static inline int xen_safe_read_ulong(unsigned long *addr, unsigned long *val)
22982 * - get_phys_to_machine() is to be called by __pfn_to_mfn() only in special
22983 * cases needing an extended handling.
22984 */
22985-static inline unsigned long __pfn_to_mfn(unsigned long pfn)
22986+static inline unsigned long __intentional_overflow(-1) __pfn_to_mfn(unsigned long pfn)
22987 {
22988 unsigned long mfn;
22989
22990diff --git a/arch/x86/include/uapi/asm/e820.h b/arch/x86/include/uapi/asm/e820.h
22991index 0f457e6..5970c0a 100644
22992--- a/arch/x86/include/uapi/asm/e820.h
22993+++ b/arch/x86/include/uapi/asm/e820.h
22994@@ -69,7 +69,7 @@ struct e820map {
22995 #define ISA_START_ADDRESS 0xa0000
22996 #define ISA_END_ADDRESS 0x100000
22997
22998-#define BIOS_BEGIN 0x000a0000
22999+#define BIOS_BEGIN 0x000c0000
23000 #define BIOS_END 0x00100000
23001
23002 #define BIOS_ROM_BASE 0xffe00000
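Review bot: `BIOS_BEGIN` moves from 0x000a0000 to 0x000c0000 without a comment, and this is a uapi header, so the new value is visible to anything built against it. `ISA_START_ADDRESS` directly above stays at 0xa0000, so the two constants no longer name the same start and 0xa0000-0xbffff silently drops out of the BIOS range. Add the reason next to the define, e.g. `/* 0xa0000-0xbffff is deliberately excluded from the BIOS range: <reason> */`. The in-kernel users of `BIOS_BEGIN`, which are not visible here, should be checked against the narrower range.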
23003diff --git a/arch/x86/kernel/Makefile b/arch/x86/kernel/Makefile
23004index 0f15af4..501a76a 100644
23005--- a/arch/x86/kernel/Makefile
23006+++ b/arch/x86/kernel/Makefile
23007@@ -28,7 +28,7 @@ obj-y += time.o ioport.o ldt.o dumpstack.o nmi.o
23008 obj-y += setup.o x86_init.o i8259.o irqinit.o jump_label.o
23009 obj-$(CONFIG_IRQ_WORK) += irq_work.o
23010 obj-y += probe_roms.o
23011-obj-$(CONFIG_X86_32) += i386_ksyms_32.o
23012+obj-$(CONFIG_X86_32) += sys_i386_32.o i386_ksyms_32.o
23013 obj-$(CONFIG_X86_64) += sys_x86_64.o x8664_ksyms_64.o
23014 obj-$(CONFIG_X86_64) += mcount_64.o
23015 obj-$(CONFIG_X86_ESPFIX64) += espfix_64.o
23016diff --git a/arch/x86/kernel/acpi/boot.c b/arch/x86/kernel/acpi/boot.c
23017index 9393896..adbaa90 100644
23018--- a/arch/x86/kernel/acpi/boot.c
23019+++ b/arch/x86/kernel/acpi/boot.c
23020@@ -1333,7 +1333,7 @@ static void __init acpi_reduced_hw_init(void)
23021 * If your system is blacklisted here, but you find that acpi=force
23022 * works for you, please contact linux-acpi@vger.kernel.org
23023 */
23024-static struct dmi_system_id __initdata acpi_dmi_table[] = {
23025+static const struct dmi_system_id __initconst acpi_dmi_table[] = {
23026 /*
23027 * Boxes that need ACPI disabled
23028 */
23029@@ -1408,7 +1408,7 @@ static struct dmi_system_id __initdata acpi_dmi_table[] = {
23030 };
23031
23032 /* second table for DMI checks that should run after early-quirks */
23033-static struct dmi_system_id __initdata acpi_dmi_table_late[] = {
23034+static const struct dmi_system_id __initconst acpi_dmi_table_late[] = {
23035 /*
23036 * HP laptops which use a DSDT reporting as HP/SB400/10000,
23037 * which includes some code which overrides all temperature
23038diff --git a/arch/x86/kernel/acpi/sleep.c b/arch/x86/kernel/acpi/sleep.c
23039index d1daead..acd77e2 100644
23040--- a/arch/x86/kernel/acpi/sleep.c
23041+++ b/arch/x86/kernel/acpi/sleep.c
23042@@ -99,8 +99,12 @@ int x86_acpi_suspend_lowlevel(void)
23043 #else /* CONFIG_64BIT */
23044 #ifdef CONFIG_SMP
23045 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
23046+
23047+ pax_open_kernel();
23048 early_gdt_descr.address =
23049 (unsigned long)get_cpu_gdt_table(smp_processor_id());
23050+ pax_close_kernel();
23051+
23052 initial_gs = per_cpu_offset(smp_processor_id());
23053 #endif
23054 initial_code = (unsigned long)wakeup_long64;
23055diff --git a/arch/x86/kernel/acpi/wakeup_32.S b/arch/x86/kernel/acpi/wakeup_32.S
23056index 0c26b1b..a766e85 100644
23057--- a/arch/x86/kernel/acpi/wakeup_32.S
23058+++ b/arch/x86/kernel/acpi/wakeup_32.S
23059@@ -31,13 +31,11 @@ wakeup_pmode_return:
23060 # and restore the stack ... but you need gdt for this to work
23061 movl saved_context_esp, %esp
23062
23063- movl %cs:saved_magic, %eax
23064- cmpl $0x12345678, %eax
23065+ cmpl $0x12345678, saved_magic
23066 jne bogus_magic
23067
23068 # jump to place where we left off
23069- movl saved_eip, %eax
23070- jmp *%eax
23071+ jmp *(saved_eip)
23072
23073 bogus_magic:
23074 jmp bogus_magic
23075diff --git a/arch/x86/kernel/alternative.c b/arch/x86/kernel/alternative.c
23076index 25f9093..21d2827 100644
23077--- a/arch/x86/kernel/alternative.c
23078+++ b/arch/x86/kernel/alternative.c
23079@@ -20,6 +20,7 @@
23080 #include <asm/tlbflush.h>
23081 #include <asm/io.h>
23082 #include <asm/fixmap.h>
23083+#include <asm/boot.h>
23084
23085 int __read_mostly alternatives_patched;
23086
23087@@ -261,7 +262,9 @@ static void __init_or_module add_nops(void *insns, unsigned int len)
23088 unsigned int noplen = len;
23089 if (noplen > ASM_NOP_MAX)
23090 noplen = ASM_NOP_MAX;
23091+ pax_open_kernel();
23092 memcpy(insns, ideal_nops[noplen], noplen);
23093+ pax_close_kernel();
23094 insns += noplen;
23095 len -= noplen;
23096 }
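Review bot: The `pax_open_kernel()` / `pax_close_kernel()` pair is placed inside `add_nops` itself, so the write-protection window opens on every loop iteration and for every caller. That includes `apply_alternatives`, which later in this file passes the on-stack `insnbuf` (`add_nops(insnbuf + a->replacementlen, ...)`) and needs no window at all. Presumably the pair exists for a caller that pads kernel text in place. If so, moving it to that caller keeps the window limited to the writes that need it. The loop header and the other callers are outside this hunk, so this should be confirmed against the full function.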
23097@@ -289,6 +292,13 @@ recompute_jump(struct alt_instr *a, u8 *orig_insn, u8 *repl_insn, u8 *insnbuf)
23098 if (a->replacementlen != 5)
23099 return;
23100
23101+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23102+ if (orig_insn < (u8 *)_text || (u8 *)_einittext <= orig_insn)
23103+ orig_insn = (u8 *)ktva_ktla((unsigned long)orig_insn);
23104+ else
23105+ orig_insn -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23106+#endif
23107+
23108 o_dspl = *(s32 *)(insnbuf + 1);
23109
23110 /* next_rip of the replacement JMP */
23111@@ -364,6 +374,7 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
23112 {
23113 struct alt_instr *a;
23114 u8 *instr, *replacement;
23115+ u8 *vinstr, *vreplacement;
23116 u8 insnbuf[MAX_PATCH_LEN];
23117
23118 DPRINTK("alt table %p -> %p", start, end);
23119@@ -379,46 +390,71 @@ void __init_or_module apply_alternatives(struct alt_instr *start,
23120 for (a = start; a < end; a++) {
23121 int insnbuf_sz = 0;
23122
23123- instr = (u8 *)&a->instr_offset + a->instr_offset;
23124- replacement = (u8 *)&a->repl_offset + a->repl_offset;
23125+ vinstr = instr = (u8 *)&a->instr_offset + a->instr_offset;
23126+
23127+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23128+ if ((u8 *)_text - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR) <= instr &&
23129+ instr < (u8 *)_einittext - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR)) {
23130+ instr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23131+ vinstr = (u8 *)ktla_ktva((unsigned long)instr);
23132+ } else if ((u8 *)_text <= instr && instr < (u8 *)_einittext) {
23133+ vinstr = (u8 *)ktla_ktva((unsigned long)instr);
23134+ } else {
23135+ instr = (u8 *)ktva_ktla((unsigned long)instr);
23136+ }
23137+#endif
23138+
23139+ vreplacement = replacement = (u8 *)&a->repl_offset + a->repl_offset;
23140+
23141+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23142+ if ((u8 *)_text - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR) <= replacement &&
23143+ replacement < (u8 *)_einittext - (____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR)) {
23144+ replacement += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23145+ vreplacement = (u8 *)ktla_ktva((unsigned long)replacement);
23146+ } else if ((u8 *)_text <= replacement && replacement < (u8 *)_einittext) {
23147+ vreplacement = (u8 *)ktla_ktva((unsigned long)replacement);
23148+ } else
23149+ replacement = (u8 *)ktva_ktla((unsigned long)replacement);
23150+#endif
23151+
23152 BUG_ON(a->instrlen > sizeof(insnbuf));
23153 BUG_ON(a->cpuid >= (NCAPINTS + NBUGINTS) * 32);
23154 if (!boot_cpu_has(a->cpuid)) {
23155 if (a->padlen > 1)
23156- optimize_nops(a, instr);
23157+ optimize_nops(a, vinstr);
23158
23159 continue;
23160 }
23161
23162- DPRINTK("feat: %d*32+%d, old: (%p, len: %d), repl: (%p, len: %d), pad: %d",
23163+ DPRINTK("feat: %d*32+%d, old: (%p/%p, len: %d), repl: (%p, len: %d), pad: %d",
23164 a->cpuid >> 5,
23165 a->cpuid & 0x1f,
23166- instr, a->instrlen,
23167- replacement, a->replacementlen, a->padlen);
23168+ instr, vinstr, a->instrlen,
23169+ vreplacement, a->replacementlen, a->padlen);
23170
23171- DUMP_BYTES(instr, a->instrlen, "%p: old_insn: ", instr);
23172- DUMP_BYTES(replacement, a->replacementlen, "%p: rpl_insn: ", replacement);
23173+ DUMP_BYTES(vinstr, a->instrlen, "%p: old_insn: ", vinstr);
23174+ DUMP_BYTES(vreplacement, a->replacementlen, "%p: rpl_insn: ", vreplacement);
23175
23176- memcpy(insnbuf, replacement, a->replacementlen);
23177+ memcpy(insnbuf, vreplacement, a->replacementlen);
23178 insnbuf_sz = a->replacementlen;
23179
23180 /* 0xe8 is a relative jump; fix the offset. */
23181 if (*insnbuf == 0xe8 && a->replacementlen == 5) {
23182- *(s32 *)(insnbuf + 1) += replacement - instr;
23183+ *(s32 *)(insnbuf + 1) += vreplacement - vinstr;
23184 DPRINTK("Fix CALL offset: 0x%x, CALL 0x%lx",
23185 *(s32 *)(insnbuf + 1),
23186- (unsigned long)instr + *(s32 *)(insnbuf + 1) + 5);
23187+ (unsigned long)vinstr + *(s32 *)(insnbuf + 1) + 5);
23188 }
23189
23190- if (a->replacementlen && is_jmp(replacement[0]))
23191- recompute_jump(a, instr, replacement, insnbuf);
23192+ if (a->replacementlen && is_jmp(vreplacement[0]))
23193+ recompute_jump(a, instr, vreplacement, insnbuf);
23194
23195 if (a->instrlen > a->replacementlen) {
23196 add_nops(insnbuf + a->replacementlen,
23197 a->instrlen - a->replacementlen);
23198 insnbuf_sz += a->instrlen - a->replacementlen;
23199 }
23200- DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", instr);
23201+ DUMP_BYTES(insnbuf, insnbuf_sz, "%p: final_insn: ", vinstr);
23202
23203 text_poke_early(instr, insnbuf, insnbuf_sz);
23204 }
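Review bot: Nothing in `apply_alternatives` says what distinguishes `instr` from `vinstr` (and `replacement` from `vreplacement`), although passing the wrong one to a helper is the obvious way to break this code. From the visible uses, `instr` is what goes to `text_poke_early()` and `recompute_jump()`, while the `v` aliases are read (`memcpy`, `DUMP_BYTES`, `is_jmp`) and used for the CALL displacement. A comment at the declaration would pin that down, e.g. `/* instr/replacement: addresses passed to the patching helpers; vinstr/vreplacement: aliases used to read the bytes and compute displacements */`. Separately, the last branch of the second `#if` block is an unbraced `} else` while the identical block for `instr` uses `} else { ... }`; brace both the same way. The function starts and ends outside this hunk.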
23205@@ -434,10 +470,16 @@ static void alternatives_smp_lock(const s32 *start, const s32 *end,
23206 for (poff = start; poff < end; poff++) {
23207 u8 *ptr = (u8 *)poff + *poff;
23208
23209+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23210+ ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23211+ if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
23212+ ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23213+#endif
23214+
23215 if (!*poff || ptr < text || ptr >= text_end)
23216 continue;
23217 /* turn DS segment override prefix into lock prefix */
23218- if (*ptr == 0x3e)
23219+ if (*(u8 *)ktla_ktva((unsigned long)ptr) == 0x3e)
23220 text_poke(ptr, ((unsigned char []){0xf0}), 1);
23221 }
23222 mutex_unlock(&text_mutex);
23223@@ -452,10 +494,16 @@ static void alternatives_smp_unlock(const s32 *start, const s32 *end,
23224 for (poff = start; poff < end; poff++) {
23225 u8 *ptr = (u8 *)poff + *poff;
23226
23227+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
23228+ ptr += ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23229+ if (ptr < (u8 *)_text || (u8 *)_einittext <= ptr)
23230+ ptr -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
23231+#endif
23232+
23233 if (!*poff || ptr < text || ptr >= text_end)
23234 continue;
23235 /* turn lock prefix into DS segment override prefix */
23236- if (*ptr == 0xf0)
23237+ if (*(u8 *)ktla_ktva((unsigned long)ptr) == 0xf0)
23238 text_poke(ptr, ((unsigned char []){0x3E}), 1);
23239 }
23240 mutex_unlock(&text_mutex);
23241@@ -592,7 +640,7 @@ void __init_or_module apply_paravirt(struct paravirt_patch_site *start,
23242
23243 BUG_ON(p->len > MAX_PATCH_LEN);
23244 /* prep the buffer with the original instructions */
23245- memcpy(insnbuf, p->instr, p->len);
23246+ memcpy(insnbuf, (const void *)ktla_ktva((unsigned long)p->instr), p->len);
23247 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
23248 (unsigned long)p->instr, p->len);
23249
23250@@ -639,7 +687,7 @@ void __init alternative_instructions(void)
23251 if (!uniproc_patched || num_possible_cpus() == 1)
23252 free_init_pages("SMP alternatives",
23253 (unsigned long)__smp_locks,
23254- (unsigned long)__smp_locks_end);
23255+ PAGE_ALIGN((unsigned long)__smp_locks_end));
23256 #endif
23257
23258 apply_paravirt(__parainstructions, __parainstructions_end);
23259@@ -660,13 +708,17 @@ void __init alternative_instructions(void)
23260 * instructions. And on the local CPU you need to be protected again NMI or MCE
23261 * handlers seeing an inconsistent instruction while you patch.
23262 */
23263-void *__init_or_module text_poke_early(void *addr, const void *opcode,
23264+void *__kprobes text_poke_early(void *addr, const void *opcode,
23265 size_t len)
23266 {
23267 unsigned long flags;
23268 local_irq_save(flags);
23269- memcpy(addr, opcode, len);
23270+
23271+ pax_open_kernel();
23272+ memcpy((void *)ktla_ktva((unsigned long)addr), opcode, len);
23273 sync_core();
23274+ pax_close_kernel();
23275+
23276 local_irq_restore(flags);
23277 /* Could also do a CLFLUSH here to speed up CPU recovery; but
23278 that causes hangs on some VIA CPUs. */
23279@@ -688,36 +740,22 @@ void *__init_or_module text_poke_early(void *addr, const void *opcode,
23280 */
23281 void *text_poke(void *addr, const void *opcode, size_t len)
23282 {
23283- unsigned long flags;
23284- char *vaddr;
23285+ unsigned char *vaddr = (void *)ktla_ktva((unsigned long)addr);
23286 struct page *pages[2];
23287- int i;
23288+ size_t i;
23289
23290 if (!core_kernel_text((unsigned long)addr)) {
23291- pages[0] = vmalloc_to_page(addr);
23292- pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
23293+ pages[0] = vmalloc_to_page(vaddr);
23294+ pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
23295 } else {
23296- pages[0] = virt_to_page(addr);
23297+ pages[0] = virt_to_page(vaddr);
23298 WARN_ON(!PageReserved(pages[0]));
23299- pages[1] = virt_to_page(addr + PAGE_SIZE);
23300+ pages[1] = virt_to_page(vaddr + PAGE_SIZE);
23301 }
23302 BUG_ON(!pages[0]);
23303- local_irq_save(flags);
23304- set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
23305- if (pages[1])
23306- set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
23307- vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
23308- memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
23309- clear_fixmap(FIX_TEXT_POKE0);
23310- if (pages[1])
23311- clear_fixmap(FIX_TEXT_POKE1);
23312- local_flush_tlb();
23313- sync_core();
23314- /* Could also do a CLFLUSH here to speed up CPU recovery; but
23315- that causes hangs on some VIA CPUs. */
23316+ text_poke_early(addr, opcode, len);
23317 for (i = 0; i < len; i++)
23318- BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
23319- local_irq_restore(flags);
23320+ BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
23321 return addr;
23322 }
23323
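Review bot: After this rewrite `pages[1]` is dead: `text_poke` still computes `vmalloc_to_page(vaddr + PAGE_SIZE)` / `virt_to_page(vaddr + PAGE_SIZE)` but nothing reads the result now that the fixmap mapping is gone. Only `pages[0]` survives, as a sanity check (`WARN_ON(!PageReserved(pages[0]))`, `BUG_ON(!pages[0])`). Drop the two `pages[1] = ...` assignments and declare `struct page *page;`, so the lookup no longer suggests that the second page is handled. Also note that the verification loop now runs after `text_poke_early()` has restored interrupts, whereas the removed code compared the bytes before `local_irq_restore(flags)`. If that reordering is intentional, a short comment should say so.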
23324@@ -771,7 +809,7 @@ int poke_int3_handler(struct pt_regs *regs)
23325 */
23326 void *text_poke_bp(void *addr, const void *opcode, size_t len, void *handler)
23327 {
23328- unsigned char int3 = 0xcc;
23329+ const unsigned char int3 = 0xcc;
23330
23331 bp_int3_handler = handler;
23332 bp_int3_addr = (u8 *)addr + sizeof(int3);
23333diff --git a/arch/x86/kernel/apic/apic.c b/arch/x86/kernel/apic/apic.c
23334index 307a498..783e96a 100644
23335--- a/arch/x86/kernel/apic/apic.c
23336+++ b/arch/x86/kernel/apic/apic.c
23337@@ -171,7 +171,7 @@ int first_system_vector = FIRST_SYSTEM_VECTOR;
23338 /*
23339 * Debug level, exported for io_apic.c
23340 */
23341-unsigned int apic_verbosity;
23342+int apic_verbosity;
23343
23344 int pic_mode;
23345
23346@@ -1864,7 +1864,7 @@ static inline void __smp_error_interrupt(struct pt_regs *regs)
23347 apic_write(APIC_ESR, 0);
23348 v = apic_read(APIC_ESR);
23349 ack_APIC_irq();
23350- atomic_inc(&irq_err_count);
23351+ atomic_inc_unchecked(&irq_err_count);
23352
23353 apic_printk(APIC_DEBUG, KERN_DEBUG "APIC error on CPU%d: %02x",
23354 smp_processor_id(), v);
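Review bot: The switch to `atomic_inc_unchecked(&irq_err_count)` is not explained, and the same conversion is applied to `irq_mis_count` in the io_apic.c hunks further down. If the `_unchecked` variants opt out of overflow detection, as the name suggests, the justification is presumably that these are statistics counters whose wrap-around is harmless. That reasoning belongs next to the declarations, e.g. `/* statistics only, never used as a reference count: wrapping is harmless */`, so later changes do not reuse the unchecked type for something that guards an object lifetime. The declaration of `irq_err_count` is outside this hunk and has to change type in step with this call.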
23355diff --git a/arch/x86/kernel/apic/apic_flat_64.c b/arch/x86/kernel/apic/apic_flat_64.c
23356index de918c4..32eed23 100644
23357--- a/arch/x86/kernel/apic/apic_flat_64.c
23358+++ b/arch/x86/kernel/apic/apic_flat_64.c
23359@@ -154,7 +154,7 @@ static int flat_probe(void)
23360 return 1;
23361 }
23362
23363-static struct apic apic_flat = {
23364+static struct apic apic_flat __read_only = {
23365 .name = "flat",
23366 .probe = flat_probe,
23367 .acpi_madt_oem_check = flat_acpi_madt_oem_check,
23368@@ -260,7 +260,7 @@ static int physflat_probe(void)
23369 return 0;
23370 }
23371
23372-static struct apic apic_physflat = {
23373+static struct apic apic_physflat __read_only = {
23374
23375 .name = "physical flat",
23376 .probe = physflat_probe,
23377diff --git a/arch/x86/kernel/apic/apic_noop.c b/arch/x86/kernel/apic/apic_noop.c
23378index b205cdb..d8503ff 100644
23379--- a/arch/x86/kernel/apic/apic_noop.c
23380+++ b/arch/x86/kernel/apic/apic_noop.c
23381@@ -108,7 +108,7 @@ static void noop_apic_write(u32 reg, u32 v)
23382 WARN_ON_ONCE(cpu_has_apic && !disable_apic);
23383 }
23384
23385-struct apic apic_noop = {
23386+struct apic apic_noop __read_only = {
23387 .name = "noop",
23388 .probe = noop_probe,
23389 .acpi_madt_oem_check = NULL,
23390diff --git a/arch/x86/kernel/apic/bigsmp_32.c b/arch/x86/kernel/apic/bigsmp_32.c
23391index c4a8d63..fe893ac 100644
23392--- a/arch/x86/kernel/apic/bigsmp_32.c
23393+++ b/arch/x86/kernel/apic/bigsmp_32.c
23394@@ -147,7 +147,7 @@ static int probe_bigsmp(void)
23395 return dmi_bigsmp;
23396 }
23397
23398-static struct apic apic_bigsmp = {
23399+static struct apic apic_bigsmp __read_only = {
23400
23401 .name = "bigsmp",
23402 .probe = probe_bigsmp,
23403diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
23404index 5880b48..5085f3e 100644
23405--- a/arch/x86/kernel/apic/io_apic.c
23406+++ b/arch/x86/kernel/apic/io_apic.c
23407@@ -1682,7 +1682,7 @@ static unsigned int startup_ioapic_irq(struct irq_data *data)
23408 return was_pending;
23409 }
23410
23411-atomic_t irq_mis_count;
23412+atomic_unchecked_t irq_mis_count;
23413
23414 #ifdef CONFIG_GENERIC_PENDING_IRQ
23415 static bool io_apic_level_ack_pending(struct mp_chip_data *data)
23416@@ -1821,7 +1821,7 @@ static void ioapic_ack_level(struct irq_data *irq_data)
23417 * at the cpu.
23418 */
23419 if (!(v & (1 << (i & 0x1f)))) {
23420- atomic_inc(&irq_mis_count);
23421+ atomic_inc_unchecked(&irq_mis_count);
23422 eoi_ioapic_pin(cfg->vector, irq_data->chip_data);
23423 }
23424
23425@@ -1867,7 +1867,7 @@ static int ioapic_set_affinity(struct irq_data *irq_data,
23426 return ret;
23427 }
23428
23429-static struct irq_chip ioapic_chip __read_mostly = {
23430+static struct irq_chip ioapic_chip = {
23431 .name = "IO-APIC",
23432 .irq_startup = startup_ioapic_irq,
23433 .irq_mask = mask_ioapic_irq,
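Review bot: `ioapic_chip` loses `__read_mostly` here, and `lapic_chip` does in the next hunk, with nothing put in its place. Elsewhere in this patch the `struct apic` instances gain `__read_only`, and `hpet_msi_controller` becomes `irq_chip_no_const ... __read_only`. Presumably these two are meant to be made read-only by automatic constification of `struct irq_chip`, but that cannot be seen from this hunk. If it is the intent, say so at the definition (`/* constified automatically; must not carry a data-section attribute */`). Otherwise give them the same explicit `__read_only` as the other callback tables, so they do not end up as ordinary writable data.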
23434@@ -1936,7 +1936,7 @@ static void ack_lapic_irq(struct irq_data *data)
23435 ack_APIC_irq();
23436 }
23437
23438-static struct irq_chip lapic_chip __read_mostly = {
23439+static struct irq_chip lapic_chip = {
23440 .name = "local-APIC",
23441 .irq_mask = mask_lapic_irq,
23442 .irq_unmask = unmask_lapic_irq,
23443diff --git a/arch/x86/kernel/apic/msi.c b/arch/x86/kernel/apic/msi.c
23444index 1a9d735..c58b5c5 100644
23445--- a/arch/x86/kernel/apic/msi.c
23446+++ b/arch/x86/kernel/apic/msi.c
23447@@ -267,7 +267,7 @@ static void hpet_msi_write_msg(struct irq_data *data, struct msi_msg *msg)
23448 hpet_msi_write(data->handler_data, msg);
23449 }
23450
23451-static struct irq_chip hpet_msi_controller = {
23452+static irq_chip_no_const hpet_msi_controller __read_only = {
23453 .name = "HPET-MSI",
23454 .irq_unmask = hpet_msi_unmask,
23455 .irq_mask = hpet_msi_mask,
23456diff --git a/arch/x86/kernel/apic/probe_32.c b/arch/x86/kernel/apic/probe_32.c
23457index bda4886..f9c7195 100644
23458--- a/arch/x86/kernel/apic/probe_32.c
23459+++ b/arch/x86/kernel/apic/probe_32.c
23460@@ -72,7 +72,7 @@ static int probe_default(void)
23461 return 1;
23462 }
23463
23464-static struct apic apic_default = {
23465+static struct apic apic_default __read_only = {
23466
23467 .name = "default",
23468 .probe = probe_default,
23469diff --git a/arch/x86/kernel/apic/vector.c b/arch/x86/kernel/apic/vector.c
23470index 2683f36..0bdc74c 100644
23471--- a/arch/x86/kernel/apic/vector.c
23472+++ b/arch/x86/kernel/apic/vector.c
23473@@ -36,7 +36,7 @@ static struct irq_chip lapic_controller;
23474 static struct apic_chip_data *legacy_irq_data[NR_IRQS_LEGACY];
23475 #endif
23476
23477-void lock_vector_lock(void)
23478+void lock_vector_lock(void) __acquires(vector_lock)
23479 {
23480 /* Used to the online set of cpus does not change
23481 * during assign_irq_vector.
23482@@ -44,7 +44,7 @@ void lock_vector_lock(void)
23483 raw_spin_lock(&vector_lock);
23484 }
23485
23486-void unlock_vector_lock(void)
23487+void unlock_vector_lock(void) __releases(vector_lock)
23488 {
23489 raw_spin_unlock(&vector_lock);
23490 }
23491diff --git a/arch/x86/kernel/apic/x2apic_cluster.c b/arch/x86/kernel/apic/x2apic_cluster.c
23492index ab3219b..e8033eb 100644
23493--- a/arch/x86/kernel/apic/x2apic_cluster.c
23494+++ b/arch/x86/kernel/apic/x2apic_cluster.c
23495@@ -182,7 +182,7 @@ update_clusterinfo(struct notifier_block *nfb, unsigned long action, void *hcpu)
23496 return notifier_from_errno(err);
23497 }
23498
23499-static struct notifier_block __refdata x2apic_cpu_notifier = {
23500+static struct notifier_block x2apic_cpu_notifier = {
23501 .notifier_call = update_clusterinfo,
23502 };
23503
23504@@ -234,7 +234,7 @@ static void cluster_vector_allocation_domain(int cpu, struct cpumask *retmask,
23505 cpumask_and(retmask, mask, per_cpu(cpus_in_cluster, cpu));
23506 }
23507
23508-static struct apic apic_x2apic_cluster = {
23509+static struct apic apic_x2apic_cluster __read_only = {
23510
23511 .name = "cluster x2apic",
23512 .probe = x2apic_cluster_probe,
23513diff --git a/arch/x86/kernel/apic/x2apic_phys.c b/arch/x86/kernel/apic/x2apic_phys.c
23514index 3ffd925..8c0f5a8 100644
23515--- a/arch/x86/kernel/apic/x2apic_phys.c
23516+++ b/arch/x86/kernel/apic/x2apic_phys.c
23517@@ -90,7 +90,7 @@ static int x2apic_phys_probe(void)
23518 return apic == &apic_x2apic_phys;
23519 }
23520
23521-static struct apic apic_x2apic_phys = {
23522+static struct apic apic_x2apic_phys __read_only = {
23523
23524 .name = "physical x2apic",
23525 .probe = x2apic_phys_probe,
23526diff --git a/arch/x86/kernel/apic/x2apic_uv_x.c b/arch/x86/kernel/apic/x2apic_uv_x.c
23527index c8d9295..9af2d03 100644
23528--- a/arch/x86/kernel/apic/x2apic_uv_x.c
23529+++ b/arch/x86/kernel/apic/x2apic_uv_x.c
23530@@ -375,7 +375,7 @@ static int uv_probe(void)
23531 return apic == &apic_x2apic_uv_x;
23532 }
23533
23534-static struct apic __refdata apic_x2apic_uv_x = {
23535+static struct apic apic_x2apic_uv_x __read_only = {
23536
23537 .name = "UV large system",
23538 .probe = uv_probe,
23539diff --git a/arch/x86/kernel/apm_32.c b/arch/x86/kernel/apm_32.c
23540index 927ec92..de68f32 100644
23541--- a/arch/x86/kernel/apm_32.c
23542+++ b/arch/x86/kernel/apm_32.c
23543@@ -432,7 +432,7 @@ static DEFINE_MUTEX(apm_mutex);
23544 * This is for buggy BIOS's that refer to (real mode) segment 0x40
23545 * even though they are called in protected mode.
23546 */
23547-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
23548+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
23549 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
23550
23551 static const char driver_version[] = "1.16ac"; /* no spaces */
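Review bot: The flags argument of `bad_bios_desc` changes from `0x4092` to `0x4093` without a comment, and the only difference between the two values is the descriptor's accessed bit. Presumably it is pre-set so the CPU never has to write that bit back into a GDT that the later hunks treat as read-only outside `pax_open_kernel()`/`pax_close_kernel()`, but this should be confirmed and stated. I would add something like `/* type 3: accessed bit pre-set so loading the segment does not write to the GDT */` above the definition.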
23552@@ -610,7 +610,10 @@ static long __apm_bios_call(void *_call)
23553 BUG_ON(cpu != 0);
23554 gdt = get_cpu_gdt_table(cpu);
23555 save_desc_40 = gdt[0x40 / 8];
23556+
23557+ pax_open_kernel();
23558 gdt[0x40 / 8] = bad_bios_desc;
23559+ pax_close_kernel();
23560
23561 apm_irq_save(flags);
23562 APM_DO_SAVE_SEGS;
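Review bot: The `pax_open_kernel(); gdt[0x40 / 8] = ...; pax_close_kernel();` sequence added here is repeated verbatim in the next hunk of `__apm_bios_call` and twice more in `__apm_bios_call_simple`. Each copy is a place where a later edit could leave the write window unbalanced or let extra statements drift inside it. A small static helper taking the GDT pointer and the descriptor to install would keep the writable window to exactly one store in one place. Both functions start outside their hunks, so the surrounding `get_cpu()` pairing is only partly visible here.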
23563@@ -619,7 +622,11 @@ static long __apm_bios_call(void *_call)
23564 &call->esi);
23565 APM_DO_RESTORE_SEGS;
23566 apm_irq_restore(flags);
23567+
23568+ pax_open_kernel();
23569 gdt[0x40 / 8] = save_desc_40;
23570+ pax_close_kernel();
23571+
23572 put_cpu();
23573
23574 return call->eax & 0xff;
23575@@ -686,7 +693,10 @@ static long __apm_bios_call_simple(void *_call)
23576 BUG_ON(cpu != 0);
23577 gdt = get_cpu_gdt_table(cpu);
23578 save_desc_40 = gdt[0x40 / 8];
23579+
23580+ pax_open_kernel();
23581 gdt[0x40 / 8] = bad_bios_desc;
23582+ pax_close_kernel();
23583
23584 apm_irq_save(flags);
23585 APM_DO_SAVE_SEGS;
23586@@ -694,7 +704,11 @@ static long __apm_bios_call_simple(void *_call)
23587 &call->eax);
23588 APM_DO_RESTORE_SEGS;
23589 apm_irq_restore(flags);
23590+
23591+ pax_open_kernel();
23592 gdt[0x40 / 8] = save_desc_40;
23593+ pax_close_kernel();
23594+
23595 put_cpu();
23596 return error;
23597 }
23598@@ -2039,7 +2053,7 @@ static int __init swab_apm_power_in_minutes(const struct dmi_system_id *d)
23599 return 0;
23600 }
23601
23602-static struct dmi_system_id __initdata apm_dmi_table[] = {
23603+static const struct dmi_system_id __initconst apm_dmi_table[] = {
23604 {
23605 print_if_true,
23606 KERN_WARNING "IBM T23 - BIOS 1.03b+ and controller firmware 1.02+ may be needed for Linux APM.",
23607@@ -2349,12 +2363,15 @@ static int __init apm_init(void)
23608 * code to that CPU.
23609 */
23610 gdt = get_cpu_gdt_table(0);
23611+
23612+ pax_open_kernel();
23613 set_desc_base(&gdt[APM_CS >> 3],
23614 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
23615 set_desc_base(&gdt[APM_CS_16 >> 3],
23616 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
23617 set_desc_base(&gdt[APM_DS >> 3],
23618 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
23619+ pax_close_kernel();
23620
23621 proc_create("apm", 0, NULL, &apm_file_ops);
23622
23623diff --git a/arch/x86/kernel/asm-offsets.c b/arch/x86/kernel/asm-offsets.c
23624index 8e3d22a1..37118b6 100644
23625--- a/arch/x86/kernel/asm-offsets.c
23626+++ b/arch/x86/kernel/asm-offsets.c
23627@@ -32,6 +32,8 @@ void common(void) {
23628 OFFSET(TI_flags, thread_info, flags);
23629 OFFSET(TI_status, thread_info, status);
23630 OFFSET(TI_addr_limit, thread_info, addr_limit);
23631+ OFFSET(TI_lowest_stack, thread_info, lowest_stack);
23632+ DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
23633
23634 BLANK();
23635 OFFSET(crypto_tfm_ctx_offset, crypto_tfm, __crt_ctx);
23636@@ -73,8 +75,26 @@ void common(void) {
23637 #endif
23638 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
23639 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
23640+
23641+#ifdef CONFIG_PAX_KERNEXEC
23642+ OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
23643 #endif
23644
23645+#ifdef CONFIG_PAX_MEMORY_UDEREF
23646+ OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
23647+ OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
23648+#ifdef CONFIG_X86_64
23649+ OFFSET(PV_MMU_set_pgd_batched, pv_mmu_ops, set_pgd_batched);
23650+#endif
23651+#endif
23652+
23653+#endif
23654+
23655+ BLANK();
23656+ DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
23657+ DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
23658+ DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
23659+
23660 #ifdef CONFIG_XEN
23661 BLANK();
23662 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
23663diff --git a/arch/x86/kernel/asm-offsets_64.c b/arch/x86/kernel/asm-offsets_64.c
23664index d8f42f9..a46f1fc 100644
23665--- a/arch/x86/kernel/asm-offsets_64.c
23666+++ b/arch/x86/kernel/asm-offsets_64.c
23667@@ -59,6 +59,7 @@ int main(void)
23668 BLANK();
23669 #undef ENTRY
23670
23671+ DEFINE(TSS_size, sizeof(struct tss_struct));
23672 OFFSET(TSS_ist, tss_struct, x86_tss.ist);
23673 OFFSET(TSS_sp0, tss_struct, x86_tss.sp0);
23674 BLANK();
23675diff --git a/arch/x86/kernel/cpu/Makefile b/arch/x86/kernel/cpu/Makefile
23676index 9bff687..5b899fb 100644
23677--- a/arch/x86/kernel/cpu/Makefile
23678+++ b/arch/x86/kernel/cpu/Makefile
23679@@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
23680 CFLAGS_REMOVE_perf_event.o = -pg
23681 endif
23682
23683-# Make sure load_percpu_segment has no stackprotector
23684-nostackp := $(call cc-option, -fno-stack-protector)
23685-CFLAGS_common.o := $(nostackp)
23686-
23687 obj-y := intel_cacheinfo.o scattered.o topology.o
23688 obj-y += common.o
23689 obj-y += rdrand.o
23690diff --git a/arch/x86/kernel/cpu/amd.c b/arch/x86/kernel/cpu/amd.c
23691index dd3a4ba..06672af 100644
23692--- a/arch/x86/kernel/cpu/amd.c
23693+++ b/arch/x86/kernel/cpu/amd.c
23694@@ -750,7 +750,7 @@ static void init_amd(struct cpuinfo_x86 *c)
23695 static unsigned int amd_size_cache(struct cpuinfo_x86 *c, unsigned int size)
23696 {
23697 /* AMD errata T13 (order #21922) */
23698- if ((c->x86 == 6)) {
23699+ if (c->x86 == 6) {
23700 /* Duron Rev A0 */
23701 if (c->x86_model == 3 && c->x86_mask == 0)
23702 size = 64;
23703diff --git a/arch/x86/kernel/cpu/bugs_64.c b/arch/x86/kernel/cpu/bugs_64.c
23704index 04f0fe5..3c0598c 100644
23705--- a/arch/x86/kernel/cpu/bugs_64.c
23706+++ b/arch/x86/kernel/cpu/bugs_64.c
23707@@ -10,6 +10,7 @@
23708 #include <asm/processor.h>
23709 #include <asm/mtrr.h>
23710 #include <asm/cacheflush.h>
23711+#include <asm/sections.h>
23712
23713 void __init check_bugs(void)
23714 {
23715@@ -18,6 +19,7 @@ void __init check_bugs(void)
23716 printk(KERN_INFO "CPU: ");
23717 print_cpu_info(&boot_cpu_data);
23718 #endif
23719+ set_memory_nx((unsigned long)_sinitdata, (__START_KERNEL_map + KERNEL_IMAGE_SIZE - (unsigned long)_sinitdata) >> PAGE_SHIFT);
23720 alternative_instructions();
23721
23722 /*
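Review bot: The return value of the added `set_memory_nx()` call in `check_bugs()` is discarded, so a failure to remove execute permission from the range starting at `_sinitdata` would go unnoticed at boot. Wrapping the call as `WARN_ON(set_memory_nx(...));` with the same arguments would surface it. The page count is a byte difference shifted right by `PAGE_SHIFT`, which rounds down silently if `_sinitdata` is not page-aligned. A one-line comment stating the intended range and the alignment assumption would help. `check_bugs()` continues outside the hunk.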
23723diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
23724index cb9e5df..0d25636 100644
23725--- a/arch/x86/kernel/cpu/common.c
23726+++ b/arch/x86/kernel/cpu/common.c
23727@@ -91,60 +91,6 @@ static const struct cpu_dev default_cpu = {
23728
23729 static const struct cpu_dev *this_cpu = &default_cpu;
23730
23731-DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
23732-#ifdef CONFIG_X86_64
23733- /*
23734- * We need valid kernel segments for data and code in long mode too
23735- * IRET will check the segment types kkeil 2000/10/28
23736- * Also sysret mandates a special GDT layout
23737- *
23738- * TLS descriptors are currently at a different place compared to i386.
23739- * Hopefully nobody expects them at a fixed place (Wine?)
23740- */
23741- [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
23742- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
23743- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
23744- [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
23745- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
23746- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
23747-#else
23748- [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
23749- [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
23750- [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
23751- [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
23752- /*
23753- * Segments used for calling PnP BIOS have byte granularity.
23754- * They code segments and data segments have fixed 64k limits,
23755- * the transfer segment sizes are set at run time.
23756- */
23757- /* 32-bit code */
23758- [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
23759- /* 16-bit code */
23760- [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
23761- /* 16-bit data */
23762- [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
23763- /* 16-bit data */
23764- [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
23765- /* 16-bit data */
23766- [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
23767- /*
23768- * The APM segments have byte granularity and their bases
23769- * are set at run time. All have 64k limits.
23770- */
23771- /* 32-bit code */
23772- [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
23773- /* 16-bit code */
23774- [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
23775- /* data */
23776- [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
23777-
23778- [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
23779- [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
23780- GDT_STACK_CANARY_INIT
23781-#endif
23782-} };
23783-EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
23784-
23785 static int __init x86_mpx_setup(char *s)
23786 {
23787 /* require an exact match without trailing characters */
23788@@ -287,6 +233,109 @@ static __always_inline void setup_smap(struct cpuinfo_x86 *c)
23789 }
23790 }
23791
23792+#ifdef CONFIG_PAX_MEMORY_UDEREF
23793+#ifdef CONFIG_X86_64
23794+static bool uderef_enabled __read_only = true;
23795+unsigned long pax_user_shadow_base __read_only;
23796+EXPORT_SYMBOL(pax_user_shadow_base);
23797+extern char pax_enter_kernel_user[];
23798+extern char pax_exit_kernel_user[];
23799+
23800+static int __init setup_pax_weakuderef(char *str)
23801+{
23802+ if (uderef_enabled)
23803+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
23804+ return 1;
23805+}
23806+__setup("pax_weakuderef", setup_pax_weakuderef);
23807+#endif
23808+
23809+static int __init setup_pax_nouderef(char *str)
23810+{
23811+#ifdef CONFIG_X86_32
23812+ unsigned int cpu;
23813+ struct desc_struct *gdt;
23814+
23815+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
23816+ gdt = get_cpu_gdt_table(cpu);
23817+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
23818+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
23819+ gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
23820+ gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
23821+ }
23822+ loadsegment(ds, __KERNEL_DS);
23823+ loadsegment(es, __KERNEL_DS);
23824+ loadsegment(ss, __KERNEL_DS);
23825+#else
23826+ memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
23827+ memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
23828+ clone_pgd_mask = ~(pgdval_t)0UL;
23829+ pax_user_shadow_base = 0UL;
23830+ setup_clear_cpu_cap(X86_FEATURE_PCIDUDEREF);
23831+ uderef_enabled = false;
23832+#endif
23833+
23834+ return 0;
23835+}
23836+early_param("pax_nouderef", setup_pax_nouderef);
23837+#endif
23838+
23839+#ifdef CONFIG_X86_64
23840+static __init int setup_disable_pcid(char *arg)
23841+{
23842+ setup_clear_cpu_cap(X86_FEATURE_PCID);
23843+ setup_clear_cpu_cap(X86_FEATURE_INVPCID);
23844+
23845+#ifdef CONFIG_PAX_MEMORY_UDEREF
23846+ if (uderef_enabled)
23847+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
23848+#endif
23849+
23850+ return 1;
23851+}
23852+__setup("nopcid", setup_disable_pcid);
23853+
23854+static void setup_pcid(struct cpuinfo_x86 *c)
23855+{
23856+ if (cpu_has(c, X86_FEATURE_PCID)) {
23857+ printk("PAX: PCID detected\n");
23858+ cr4_set_bits(X86_CR4_PCIDE);
23859+ } else
23860+ clear_cpu_cap(c, X86_FEATURE_INVPCID);
23861+
23862+ if (cpu_has(c, X86_FEATURE_INVPCID))
23863+ printk("PAX: INVPCID detected\n");
23864+
23865+#ifdef CONFIG_PAX_MEMORY_UDEREF
23866+ if (!uderef_enabled) {
23867+ printk("PAX: UDEREF disabled\n");
23868+ return;
23869+ }
23870+
23871+ if (!cpu_has(c, X86_FEATURE_PCID)) {
23872+ pax_open_kernel();
23873+ pax_user_shadow_base = 1UL << TASK_SIZE_MAX_SHIFT;
23874+ pax_close_kernel();
23875+ printk("PAX: slow and weak UDEREF enabled\n");
23876+ return;
23877+ }
23878+
23879+ set_cpu_cap(c, X86_FEATURE_PCIDUDEREF);
23880+
23881+ pax_open_kernel();
23882+ clone_pgd_mask = ~(pgdval_t)0UL;
23883+ pax_close_kernel();
23884+ if (pax_user_shadow_base)
23885+ printk("PAX: weak UDEREF enabled\n");
23886+ else {
23887+ set_cpu_cap(c, X86_FEATURE_STRONGUDEREF);
23888+ printk("PAX: strong UDEREF enabled\n");
23889+ }
23890+#endif
23891+
23892+}
23893+#endif
23894+
23895 /*
23896 * Some CPU features depend on higher CPUID levels, which may not always
23897 * be available due to CPUID level capping or broken virtualization
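Review bot: In `setup_pax_nouderef()` the two `memcpy()` calls overwrite the first byte of `pax_enter_kernel_user` and `pax_exit_kernel_user` with a bare `0xc3` and no explanation. A comment such as `/* 0xc3 is RET: turn the UDEREF entry/exit stubs into immediate returns */` would make the intent reviewable. `pax_user_shadow_base` and `uderef_enabled` are both `__read_only`, yet the `__init` handlers store to them directly while `setup_pcid()` wraps the same stores in `pax_open_kernel()`/`pax_close_kernel()`. Presumably the boot-parameter handlers run before read-only enforcement is active, which is worth stating in a comment. The added `printk()` calls also carry no log level, for example `printk(KERN_INFO "PAX: PCID detected\n");`.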
23898@@ -387,7 +436,7 @@ void switch_to_new_gdt(int cpu)
23899 {
23900 struct desc_ptr gdt_descr;
23901
23902- gdt_descr.address = (long)get_cpu_gdt_table(cpu);
23903+ gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
23904 gdt_descr.size = GDT_SIZE - 1;
23905 load_gdt(&gdt_descr);
23906 /* Reload the per-cpu base */
23907@@ -918,6 +967,20 @@ static void identify_cpu(struct cpuinfo_x86 *c)
23908 setup_smep(c);
23909 setup_smap(c);
23910
23911+#ifdef CONFIG_X86_32
23912+#ifdef CONFIG_PAX_PAGEEXEC
23913+ if (!(__supported_pte_mask & _PAGE_NX))
23914+ clear_cpu_cap(c, X86_FEATURE_PSE);
23915+#endif
23916+#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
23917+ clear_cpu_cap(c, X86_FEATURE_SEP);
23918+#endif
23919+#endif
23920+
23921+#ifdef CONFIG_X86_64
23922+ setup_pcid(c);
23923+#endif
23924+
23925 /*
23926 * The vendor-specific functions might have changed features.
23927 * Now we do "generic changes."
23928@@ -992,7 +1055,7 @@ void enable_sep_cpu(void)
23929 int cpu;
23930
23931 cpu = get_cpu();
23932- tss = &per_cpu(cpu_tss, cpu);
23933+ tss = cpu_tss + cpu;
23934
23935 if (!boot_cpu_has(X86_FEATURE_SEP))
23936 goto out;
23937@@ -1138,10 +1201,12 @@ static __init int setup_disablecpuid(char *arg)
23938 }
23939 __setup("clearcpuid=", setup_disablecpuid);
23940
23941+DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
23942+EXPORT_PER_CPU_SYMBOL(current_tinfo);
23943+
23944 #ifdef CONFIG_X86_64
23945-struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
23946-struct desc_ptr debug_idt_descr = { NR_VECTORS * 16 - 1,
23947- (unsigned long) debug_idt_table };
23948+struct desc_ptr idt_descr __read_only = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
23949+const struct desc_ptr debug_idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) debug_idt_table };
23950
23951 DEFINE_PER_CPU_FIRST(union irq_stack_union,
23952 irq_stack_union) __aligned(PAGE_SIZE) __visible;
23953@@ -1253,21 +1318,21 @@ EXPORT_PER_CPU_SYMBOL(current_task);
23954 DEFINE_PER_CPU(int, __preempt_count) = INIT_PREEMPT_COUNT;
23955 EXPORT_PER_CPU_SYMBOL(__preempt_count);
23956
23957+#ifdef CONFIG_CC_STACKPROTECTOR
23958+DEFINE_PER_CPU_ALIGNED(struct stack_canary, stack_canary);
23959+#endif
23960+
23961+#endif /* CONFIG_X86_64 */
23962+
23963 /*
23964 * On x86_32, vm86 modifies tss.sp0, so sp0 isn't a reliable way to find
23965 * the top of the kernel stack. Use an extra percpu variable to track the
23966 * top of the kernel stack directly.
23967 */
23968 DEFINE_PER_CPU(unsigned long, cpu_current_top_of_stack) =
23969- (unsigned long)&init_thread_union + THREAD_SIZE;
23970+ (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
23971 EXPORT_PER_CPU_SYMBOL(cpu_current_top_of_stack);
23972
23973-#ifdef CONFIG_CC_STACKPROTECTOR
23974-DEFINE_PER_CPU_ALIGNED(struct stack_canary, stack_canary);
23975-#endif
23976-
23977-#endif /* CONFIG_X86_64 */
23978-
23979 /*
23980 * Clear all 6 debug registers:
23981 */
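Review bot: The initializer of `cpu_current_top_of_stack` now subtracts an unexplained `16` from `&init_thread_union + THREAD_SIZE`, and the comment above it still describes the value as the top of the kernel stack. The gap should be named and explained, either with a constant or with a comment such as `/* leave 16 bytes unused at the top of the stack: <reason> */`. The definition also now sits after the moved `#endif /* CONFIG_X86_64 */`, so it appears to be compiled for both architectures while the comment speaks only of x86_32. That comment should be updated to match.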
23982@@ -1343,7 +1408,7 @@ void cpu_init(void)
23983 */
23984 load_ucode_ap();
23985
23986- t = &per_cpu(cpu_tss, cpu);
23987+ t = cpu_tss + cpu;
23988 oist = &per_cpu(orig_ist, cpu);
23989
23990 #ifdef CONFIG_NUMA
23991@@ -1375,7 +1440,6 @@ void cpu_init(void)
23992 wrmsrl(MSR_KERNEL_GS_BASE, 0);
23993 barrier();
23994
23995- x86_configure_nx();
23996 x2apic_setup();
23997
23998 /*
23999@@ -1427,7 +1491,7 @@ void cpu_init(void)
24000 {
24001 int cpu = smp_processor_id();
24002 struct task_struct *curr = current;
24003- struct tss_struct *t = &per_cpu(cpu_tss, cpu);
24004+ struct tss_struct *t = cpu_tss + cpu;
24005 struct thread_struct *thread = &curr->thread;
24006
24007 wait_for_master_cpu(cpu);
24008diff --git a/arch/x86/kernel/cpu/intel_cacheinfo.c b/arch/x86/kernel/cpu/intel_cacheinfo.c
24009index be4febc..f7af533 100644
24010--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
24011+++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
24012@@ -519,25 +519,23 @@ cache_private_attrs_is_visible(struct kobject *kobj,
24013 return 0;
24014 }
24015
24016+static struct attribute *amd_l3_attrs[4];
24017+
24018 static struct attribute_group cache_private_group = {
24019 .is_visible = cache_private_attrs_is_visible,
24020+ .attrs = amd_l3_attrs,
24021 };
24022
24023 static void init_amd_l3_attrs(void)
24024 {
24025 int n = 1;
24026- static struct attribute **amd_l3_attrs;
24027-
24028- if (amd_l3_attrs) /* already initialized */
24029- return;
24030
24031 if (amd_nb_has_feature(AMD_NB_L3_INDEX_DISABLE))
24032 n += 2;
24033 if (amd_nb_has_feature(AMD_NB_L3_PARTITIONING))
24034 n += 1;
24035
24036- amd_l3_attrs = kcalloc(n, sizeof(*amd_l3_attrs), GFP_KERNEL);
24037- if (!amd_l3_attrs)
24038+ if (n > 1 && amd_l3_attrs[0]) /* already initialized */
24039 return;
24040
24041 n = 0;
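Review bot: `amd_l3_attrs[4]` is sized by hand to match the largest `n` that `init_amd_l3_attrs()` can compute (one terminator slot plus 2 plus 1), and nothing ties the two together. With the `kcalloc()` gone, adding another attribute later would write past the static array or consume the NULL terminator without any diagnostic. I would add `if (WARN_ON(n > ARRAY_SIZE(amd_l3_attrs))) return;` before `n = 0;`, or at least a comment on the array stating how the 4 is derived. The middle of the function, where the first entries are stored, lies outside the hunks shown.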
24042@@ -547,8 +545,6 @@ static void init_amd_l3_attrs(void)
24043 }
24044 if (amd_nb_has_feature(AMD_NB_L3_PARTITIONING))
24045 amd_l3_attrs[n++] = &dev_attr_subcaches.attr;
24046-
24047- cache_private_group.attrs = amd_l3_attrs;
24048 }
24049
24050 const struct attribute_group *
24051@@ -559,7 +555,7 @@ cache_get_priv_group(struct cacheinfo *this_leaf)
24052 if (this_leaf->level < 3 || !nb)
24053 return NULL;
24054
24055- if (nb && nb->l3_cache.indices)
24056+ if (nb->l3_cache.indices)
24057 init_amd_l3_attrs();
24058
24059 return &cache_private_group;
24060diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c
24061index df919ff..3332bf7 100644
24062--- a/arch/x86/kernel/cpu/mcheck/mce.c
24063+++ b/arch/x86/kernel/cpu/mcheck/mce.c
24064@@ -47,6 +47,7 @@
24065 #include <asm/tlbflush.h>
24066 #include <asm/mce.h>
24067 #include <asm/msr.h>
24068+#include <asm/local.h>
24069
24070 #include "mce-internal.h"
24071
24072@@ -259,7 +260,7 @@ static void print_mce(struct mce *m)
24073 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
24074 m->cs, m->ip);
24075
24076- if (m->cs == __KERNEL_CS)
24077+ if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
24078 print_symbol("{%s}", m->ip);
24079 pr_cont("\n");
24080 }
24081@@ -292,10 +293,10 @@ static void print_mce(struct mce *m)
24082
24083 #define PANIC_TIMEOUT 5 /* 5 seconds */
24084
24085-static atomic_t mce_panicked;
24086+static atomic_unchecked_t mce_panicked;
24087
24088 static int fake_panic;
24089-static atomic_t mce_fake_panicked;
24090+static atomic_unchecked_t mce_fake_panicked;
24091
24092 /* Panic in progress. Enable interrupts and wait for final IPI */
24093 static void wait_for_panic(void)
24094@@ -319,7 +320,7 @@ static void mce_panic(const char *msg, struct mce *final, char *exp)
24095 /*
24096 * Make sure only one CPU runs in machine check panic
24097 */
24098- if (atomic_inc_return(&mce_panicked) > 1)
24099+ if (atomic_inc_return_unchecked(&mce_panicked) > 1)
24100 wait_for_panic();
24101 barrier();
24102
24103@@ -327,7 +328,7 @@ static void mce_panic(const char *msg, struct mce *final, char *exp)
24104 console_verbose();
24105 } else {
24106 /* Don't log too much for fake panic */
24107- if (atomic_inc_return(&mce_fake_panicked) > 1)
24108+ if (atomic_inc_return_unchecked(&mce_fake_panicked) > 1)
24109 return;
24110 }
24111 /* First print corrected ones that are still unlogged */
24112@@ -366,7 +367,7 @@ static void mce_panic(const char *msg, struct mce *final, char *exp)
24113 if (!fake_panic) {
24114 if (panic_timeout == 0)
24115 panic_timeout = mca_cfg.panic_timeout;
24116- panic(msg);
24117+ panic("%s", msg);
24118 } else
24119 pr_emerg(HW_ERR "Fake kernel panic: %s\n", msg);
24120 }
24121@@ -752,7 +753,7 @@ static int mce_timed_out(u64 *t, const char *msg)
24122 * might have been modified by someone else.
24123 */
24124 rmb();
24125- if (atomic_read(&mce_panicked))
24126+ if (atomic_read_unchecked(&mce_panicked))
24127 wait_for_panic();
24128 if (!mca_cfg.monarch_timeout)
24129 goto out;
24130@@ -1708,7 +1709,7 @@ static void unexpected_machine_check(struct pt_regs *regs, long error_code)
24131 }
24132
24133 /* Call the installed machine check handler for this CPU setup. */
24134-void (*machine_check_vector)(struct pt_regs *, long error_code) =
24135+void (*machine_check_vector)(struct pt_regs *, long error_code) __read_only =
24136 unexpected_machine_check;
24137
24138 /*
24139@@ -1731,7 +1732,9 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c)
24140 return;
24141 }
24142
24143+ pax_open_kernel();
24144 machine_check_vector = do_machine_check;
24145+ pax_close_kernel();
24146
24147 __mcheck_cpu_init_generic();
24148 __mcheck_cpu_init_vendor(c);
24149@@ -1745,7 +1748,7 @@ void mcheck_cpu_init(struct cpuinfo_x86 *c)
24150 */
24151
24152 static DEFINE_SPINLOCK(mce_chrdev_state_lock);
24153-static int mce_chrdev_open_count; /* #times opened */
24154+static local_t mce_chrdev_open_count; /* #times opened */
24155 static int mce_chrdev_open_exclu; /* already open exclusive? */
24156
24157 static int mce_chrdev_open(struct inode *inode, struct file *file)
24158@@ -1753,7 +1756,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
24159 spin_lock(&mce_chrdev_state_lock);
24160
24161 if (mce_chrdev_open_exclu ||
24162- (mce_chrdev_open_count && (file->f_flags & O_EXCL))) {
24163+ (local_read(&mce_chrdev_open_count) && (file->f_flags & O_EXCL))) {
24164 spin_unlock(&mce_chrdev_state_lock);
24165
24166 return -EBUSY;
24167@@ -1761,7 +1764,7 @@ static int mce_chrdev_open(struct inode *inode, struct file *file)
24168
24169 if (file->f_flags & O_EXCL)
24170 mce_chrdev_open_exclu = 1;
24171- mce_chrdev_open_count++;
24172+ local_inc(&mce_chrdev_open_count);
24173
24174 spin_unlock(&mce_chrdev_state_lock);
24175
24176@@ -1772,7 +1775,7 @@ static int mce_chrdev_release(struct inode *inode, struct file *file)
24177 {
24178 spin_lock(&mce_chrdev_state_lock);
24179
24180- mce_chrdev_open_count--;
24181+ local_dec(&mce_chrdev_open_count);
24182 mce_chrdev_open_exclu = 0;
24183
24184 spin_unlock(&mce_chrdev_state_lock);
24185@@ -2448,7 +2451,7 @@ static __init void mce_init_banks(void)
24186
24187 for (i = 0; i < mca_cfg.banks; i++) {
24188 struct mce_bank *b = &mce_banks[i];
24189- struct device_attribute *a = &b->attr;
24190+ device_attribute_no_const *a = &b->attr;
24191
24192 sysfs_attr_init(&a->attr);
24193 a->attr.name = b->attrname;
24194@@ -2555,7 +2558,7 @@ struct dentry *mce_get_debugfs_dir(void)
24195 static void mce_reset(void)
24196 {
24197 cpu_missing = 0;
24198- atomic_set(&mce_fake_panicked, 0);
24199+ atomic_set_unchecked(&mce_fake_panicked, 0);
24200 atomic_set(&mce_executing, 0);
24201 atomic_set(&mce_callin, 0);
24202 atomic_set(&global_nwo, 0);
24203diff --git a/arch/x86/kernel/cpu/mcheck/p5.c b/arch/x86/kernel/cpu/mcheck/p5.c
24204index 737b0ad..09ec66e 100644
24205--- a/arch/x86/kernel/cpu/mcheck/p5.c
24206+++ b/arch/x86/kernel/cpu/mcheck/p5.c
24207@@ -12,6 +12,7 @@
24208 #include <asm/tlbflush.h>
24209 #include <asm/mce.h>
24210 #include <asm/msr.h>
24211+#include <asm/pgtable.h>
24212
24213 /* By default disabled */
24214 int mce_p5_enabled __read_mostly;
24215@@ -55,7 +56,9 @@ void intel_p5_mcheck_init(struct cpuinfo_x86 *c)
24216 if (!cpu_has(c, X86_FEATURE_MCE))
24217 return;
24218
24219+ pax_open_kernel();
24220 machine_check_vector = pentium_machine_check;
24221+ pax_close_kernel();
24222 /* Make sure the vector pointer is visible before we enable MCEs: */
24223 wmb();
24224
24225diff --git a/arch/x86/kernel/cpu/mcheck/winchip.c b/arch/x86/kernel/cpu/mcheck/winchip.c
24226index 44f1382..315b292 100644
24227--- a/arch/x86/kernel/cpu/mcheck/winchip.c
24228+++ b/arch/x86/kernel/cpu/mcheck/winchip.c
24229@@ -11,6 +11,7 @@
24230 #include <asm/tlbflush.h>
24231 #include <asm/mce.h>
24232 #include <asm/msr.h>
24233+#include <asm/pgtable.h>
24234
24235 /* Machine check handler for WinChip C6: */
24236 static void winchip_machine_check(struct pt_regs *regs, long error_code)
24237@@ -28,7 +29,9 @@ void winchip_mcheck_init(struct cpuinfo_x86 *c)
24238 {
24239 u32 lo, hi;
24240
24241+ pax_open_kernel();
24242 machine_check_vector = winchip_machine_check;
24243+ pax_close_kernel();
24244 /* Make sure the vector pointer is visible before we enable MCEs: */
24245 wmb();
24246
24247diff --git a/arch/x86/kernel/cpu/microcode/core.c b/arch/x86/kernel/cpu/microcode/core.c
24248index 6236a54..532026d 100644
24249--- a/arch/x86/kernel/cpu/microcode/core.c
24250+++ b/arch/x86/kernel/cpu/microcode/core.c
24251@@ -460,7 +460,7 @@ mc_cpu_callback(struct notifier_block *nb, unsigned long action, void *hcpu)
24252 return NOTIFY_OK;
24253 }
24254
24255-static struct notifier_block __refdata mc_cpu_notifier = {
24256+static struct notifier_block mc_cpu_notifier = {
24257 .notifier_call = mc_cpu_callback,
24258 };
24259
24260diff --git a/arch/x86/kernel/cpu/microcode/intel.c b/arch/x86/kernel/cpu/microcode/intel.c
24261index 969dc17..a9c3fdd 100644
24262--- a/arch/x86/kernel/cpu/microcode/intel.c
24263+++ b/arch/x86/kernel/cpu/microcode/intel.c
24264@@ -237,13 +237,13 @@ static enum ucode_state request_microcode_fw(int cpu, struct device *device,
24265
24266 static int get_ucode_user(void *to, const void *from, size_t n)
24267 {
24268- return copy_from_user(to, from, n);
24269+ return copy_from_user(to, (const void __force_user *)from, n);
24270 }
24271
24272 static enum ucode_state
24273 request_microcode_user(int cpu, const void __user *buf, size_t size)
24274 {
24275- return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
24276+ return generic_load_microcode(cpu, (__force_kernel void *)buf, size, &get_ucode_user);
24277 }
24278
24279 static void microcode_fini_cpu(int cpu)
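Review bot: The added `__force_user` cast in `get_ucode_user()` and `__force_kernel` cast in `request_microcode_user()` silence address-space checking for a pointer that stays a user pointer for the whole round trip through `generic_load_microcode()`. The casts are only sound if `generic_load_microcode()` never dereferences that argument itself and touches it solely through the callback, which this hunk does not show. A comment on `get_ucode_user()` should record that invariant, for example `/* 'from' is a __user pointer carried through generic_load_microcode()'s untyped argument; it must only be read via copy_from_user() */`.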
24280diff --git a/arch/x86/kernel/cpu/mtrr/main.c b/arch/x86/kernel/cpu/mtrr/main.c
24281index e7ed0d8..57a2ab9 100644
24282--- a/arch/x86/kernel/cpu/mtrr/main.c
24283+++ b/arch/x86/kernel/cpu/mtrr/main.c
24284@@ -72,7 +72,7 @@ static DEFINE_MUTEX(mtrr_mutex);
24285 u64 size_or_mask, size_and_mask;
24286 static bool mtrr_aps_delayed_init;
24287
24288-static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
24289+static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
24290
24291 const struct mtrr_ops *mtrr_if;
24292
24293diff --git a/arch/x86/kernel/cpu/mtrr/mtrr.h b/arch/x86/kernel/cpu/mtrr/mtrr.h
24294index 951884d..4796b75 100644
24295--- a/arch/x86/kernel/cpu/mtrr/mtrr.h
24296+++ b/arch/x86/kernel/cpu/mtrr/mtrr.h
24297@@ -25,7 +25,7 @@ struct mtrr_ops {
24298 int (*validate_add_page)(unsigned long base, unsigned long size,
24299 unsigned int type);
24300 int (*have_wrcomb)(void);
24301-};
24302+} __do_const;
24303
24304 extern int generic_get_free_region(unsigned long base, unsigned long size,
24305 int replace_reg);
24306diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c
24307index 9469dfa..2b026bc 100644
24308--- a/arch/x86/kernel/cpu/perf_event.c
24309+++ b/arch/x86/kernel/cpu/perf_event.c
24310@@ -1518,7 +1518,7 @@ static void __init pmu_check_apic(void)
24311
24312 }
24313
24314-static struct attribute_group x86_pmu_format_group = {
24315+static attribute_group_no_const x86_pmu_format_group = {
24316 .name = "format",
24317 .attrs = NULL,
24318 };
24319@@ -1617,7 +1617,7 @@ static struct attribute *events_attr[] = {
24320 NULL,
24321 };
24322
24323-static struct attribute_group x86_pmu_events_group = {
24324+static attribute_group_no_const x86_pmu_events_group = {
24325 .name = "events",
24326 .attrs = events_attr,
24327 };
24328@@ -2176,7 +2176,7 @@ valid_user_frame(const void __user *fp, unsigned long size)
24329 static unsigned long get_segment_base(unsigned int segment)
24330 {
24331 struct desc_struct *desc;
24332- int idx = segment >> 3;
24333+ unsigned int idx = segment >> 3;
24334
24335 if ((segment & SEGMENT_TI_MASK) == SEGMENT_LDT) {
24336 struct ldt_struct *ldt;
24337@@ -2194,7 +2194,7 @@ static unsigned long get_segment_base(unsigned int segment)
24338 if (idx > GDT_ENTRIES)
24339 return 0;
24340
24341- desc = raw_cpu_ptr(gdt_page.gdt) + idx;
24342+ desc = get_cpu_gdt_table(smp_processor_id()) + idx;
24343 }
24344
24345 return get_desc_base(desc);
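Review bot: The GDT lookup on the new line is still guarded only by the context check `if (idx > GDT_ENTRIES)`, which lets `idx == GDT_ENTRIES` through. If `GDT_ENTRIES` is the number of descriptors, as the name suggests, that index is one past the end of the table, so the bound should read `if (idx >= GDT_ENTRIES)`. The replacement also swaps `raw_cpu_ptr()` for `smp_processor_id()`, which is checked under preemption debugging, so it is worth confirming that every caller runs with preemption disabled. `get_segment_base()` starts outside this hunk.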
24346@@ -2284,7 +2284,7 @@ perf_callchain_user(struct perf_callchain_entry *entry, struct pt_regs *regs)
24347 break;
24348
24349 perf_callchain_store(entry, frame.return_address);
24350- fp = frame.next_frame;
24351+ fp = (const void __force_user *)frame.next_frame;
24352 }
24353 }
24354
24355diff --git a/arch/x86/kernel/cpu/perf_event_amd_iommu.c b/arch/x86/kernel/cpu/perf_event_amd_iommu.c
24356index 97242a9..cf9c30e 100644
24357--- a/arch/x86/kernel/cpu/perf_event_amd_iommu.c
24358+++ b/arch/x86/kernel/cpu/perf_event_amd_iommu.c
24359@@ -402,7 +402,7 @@ static void perf_iommu_del(struct perf_event *event, int flags)
24360 static __init int _init_events_attrs(struct perf_amd_iommu *perf_iommu)
24361 {
24362 struct attribute **attrs;
24363- struct attribute_group *attr_group;
24364+ attribute_group_no_const *attr_group;
24365 int i = 0, j;
24366
24367 while (amd_iommu_v2_event_descs[i].attr.attr.name)
24368diff --git a/arch/x86/kernel/cpu/perf_event_intel.c b/arch/x86/kernel/cpu/perf_event_intel.c
24369index 1b09c42..521004d 100644
24370--- a/arch/x86/kernel/cpu/perf_event_intel.c
24371+++ b/arch/x86/kernel/cpu/perf_event_intel.c
24372@@ -3019,10 +3019,10 @@ __init int intel_pmu_init(void)
24373 x86_pmu.num_counters_fixed = max((int)edx.split.num_counters_fixed, 3);
24374
24375 if (boot_cpu_has(X86_FEATURE_PDCM)) {
24376- u64 capabilities;
24377+ u64 capabilities = x86_pmu.intel_cap.capabilities;
24378
24379- rdmsrl(MSR_IA32_PERF_CAPABILITIES, capabilities);
24380- x86_pmu.intel_cap.capabilities = capabilities;
24381+ if (rdmsrl_safe(MSR_IA32_PERF_CAPABILITIES, &x86_pmu.intel_cap.capabilities))
24382+ x86_pmu.intel_cap.capabilities = capabilities;
24383 }
24384
24385 intel_ds_init();
24386diff --git a/arch/x86/kernel/cpu/perf_event_intel_bts.c b/arch/x86/kernel/cpu/perf_event_intel_bts.c
24387index 43dd672..78c0562 100644
24388--- a/arch/x86/kernel/cpu/perf_event_intel_bts.c
24389+++ b/arch/x86/kernel/cpu/perf_event_intel_bts.c
24390@@ -252,7 +252,7 @@ static void bts_event_start(struct perf_event *event, int flags)
24391 __bts_event_start(event);
24392
24393 /* PMI handler: this counter is running and likely generating PMIs */
24394- ACCESS_ONCE(bts->started) = 1;
24395+ ACCESS_ONCE_RW(bts->started) = 1;
24396 }
24397
24398 static void __bts_event_stop(struct perf_event *event)
24399@@ -266,7 +266,7 @@ static void __bts_event_stop(struct perf_event *event)
24400 if (event->hw.state & PERF_HES_STOPPED)
24401 return;
24402
24403- ACCESS_ONCE(event->hw.state) |= PERF_HES_STOPPED;
24404+ ACCESS_ONCE_RW(event->hw.state) |= PERF_HES_STOPPED;
24405 }
24406
24407 static void bts_event_stop(struct perf_event *event, int flags)
24408@@ -274,7 +274,7 @@ static void bts_event_stop(struct perf_event *event, int flags)
24409 struct bts_ctx *bts = this_cpu_ptr(&bts_ctx);
24410
24411 /* PMI handler: don't restart this counter */
24412- ACCESS_ONCE(bts->started) = 0;
24413+ ACCESS_ONCE_RW(bts->started) = 0;
24414
24415 __bts_event_stop(event);
24416
24417diff --git a/arch/x86/kernel/cpu/perf_event_intel_cqm.c b/arch/x86/kernel/cpu/perf_event_intel_cqm.c
24418index 377e8f8..2982f48 100644
24419--- a/arch/x86/kernel/cpu/perf_event_intel_cqm.c
24420+++ b/arch/x86/kernel/cpu/perf_event_intel_cqm.c
24421@@ -1364,7 +1364,9 @@ static int __init intel_cqm_init(void)
24422 goto out;
24423 }
24424
24425- event_attr_intel_cqm_llc_scale.event_str = str;
24426+ pax_open_kernel();
24427+ *(const char **)&event_attr_intel_cqm_llc_scale.event_str = str;
24428+ pax_close_kernel();
24429
24430 ret = intel_cqm_setup_rmid_cache();
24431 if (ret)
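Review bot: The store `*(const char **)&event_attr_intel_cqm_llc_scale.event_str = str;` writes through a cast that discards the field's declared type, so the compiler no longer checks the assignment, and nothing here says why a plain assignment stopped working. A one-line comment above `pax_open_kernel()` would help, for example `/* event_str lives in read-only data; the write needs the open-kernel window */`, assuming that is the reason. The same pattern appears in the pt_pmu_hw_init() hunk of perf_event_intel_pt.c, where `*(void **)&de_attr->attr.show = pt_cap_show;` also drops the function-prototype check.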
24432diff --git a/arch/x86/kernel/cpu/perf_event_intel_pt.c b/arch/x86/kernel/cpu/perf_event_intel_pt.c
24433index 183de71..bd34d52 100644
24434--- a/arch/x86/kernel/cpu/perf_event_intel_pt.c
24435+++ b/arch/x86/kernel/cpu/perf_event_intel_pt.c
24436@@ -116,16 +116,12 @@ static const struct attribute_group *pt_attr_groups[] = {
24437
24438 static int __init pt_pmu_hw_init(void)
24439 {
24440- struct dev_ext_attribute *de_attrs;
24441- struct attribute **attrs;
24442- size_t size;
24443- int ret;
24444+ static struct dev_ext_attribute de_attrs[ARRAY_SIZE(pt_caps)];
24445+ static struct attribute *attrs[ARRAY_SIZE(pt_caps)];
24446 long i;
24447
24448- attrs = NULL;
24449- ret = -ENODEV;
24450 if (!test_cpu_cap(&boot_cpu_data, X86_FEATURE_INTEL_PT))
24451- goto fail;
24452+ return -ENODEV;
24453
24454 for (i = 0; i < PT_CPUID_LEAVES; i++) {
24455 cpuid_count(20, i,
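Review bot: The static `attrs` array is declared with `ARRAY_SIZE(pt_caps)` entries, while the removed kzalloc() code sized it for `ARRAY_SIZE(pt_caps)+1` pointers so that a zeroed slot terminated the list. The loop in the next hunk fills every entry and then publishes the array through `pt_cap_group.attrs`, and sysfs attribute arrays are walked until a NULL entry. Declaring it as `static struct attribute *attrs[ARRAY_SIZE(pt_caps) + 1];` keeps the terminator, since static storage is zero-initialised. `de_attrs` is indexed only by `i` and does not need the extra slot.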
24456@@ -135,39 +131,25 @@ static int __init pt_pmu_hw_init(void)
24457 &pt_pmu.caps[CR_EDX + i*4]);
24458 }
24459
24460- ret = -ENOMEM;
24461- size = sizeof(struct attribute *) * (ARRAY_SIZE(pt_caps)+1);
24462- attrs = kzalloc(size, GFP_KERNEL);
24463- if (!attrs)
24464- goto fail;
24465-
24466- size = sizeof(struct dev_ext_attribute) * (ARRAY_SIZE(pt_caps)+1);
24467- de_attrs = kzalloc(size, GFP_KERNEL);
24468- if (!de_attrs)
24469- goto fail;
24470-
24471+ pax_open_kernel();
24472 for (i = 0; i < ARRAY_SIZE(pt_caps); i++) {
24473- struct dev_ext_attribute *de_attr = de_attrs + i;
24474+ struct dev_ext_attribute *de_attr = &de_attrs[i];
24475
24476- de_attr->attr.attr.name = pt_caps[i].name;
24477+ *(const char **)&de_attr->attr.attr.name = pt_caps[i].name;
24478
24479 sysfs_attr_init(&de_attr->attr.attr);
24480
24481- de_attr->attr.attr.mode = S_IRUGO;
24482- de_attr->attr.show = pt_cap_show;
24483- de_attr->var = (void *)i;
24484+ *(umode_t *)&de_attr->attr.attr.mode = S_IRUGO;
24485+ *(void **)&de_attr->attr.show = pt_cap_show;
24486+ *(void **)&de_attr->var = (void *)i;
24487
24488 attrs[i] = &de_attr->attr.attr;
24489 }
24490
24491- pt_cap_group.attrs = attrs;
24492+ *(struct attribute ***)&pt_cap_group.attrs = attrs;
24493+ pax_close_kernel();
24494
24495 return 0;
24496-
24497-fail:
24498- kfree(attrs);
24499-
24500- return ret;
24501 }
24502
24503 #define PT_CONFIG_MASK (RTIT_CTL_TSC_EN | RTIT_CTL_DISRETC)
24504@@ -929,7 +911,7 @@ static void pt_event_start(struct perf_event *event, int mode)
24505 return;
24506 }
24507
24508- ACCESS_ONCE(pt->handle_nmi) = 1;
24509+ ACCESS_ONCE_RW(pt->handle_nmi) = 1;
24510 event->hw.state = 0;
24511
24512 pt_config_buffer(buf->cur->table, buf->cur_idx,
24513@@ -946,7 +928,7 @@ static void pt_event_stop(struct perf_event *event, int mode)
24514 * Protect against the PMI racing with disabling wrmsr,
24515 * see comment in intel_pt_interrupt().
24516 */
24517- ACCESS_ONCE(pt->handle_nmi) = 0;
24518+ ACCESS_ONCE_RW(pt->handle_nmi) = 0;
24519 pt_config_start(false);
24520
24521 if (event->hw.state == PERF_HES_STOPPED)
24522diff --git a/arch/x86/kernel/cpu/perf_event_intel_rapl.c b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
24523index 5cbd4e6..ee9388a 100644
24524--- a/arch/x86/kernel/cpu/perf_event_intel_rapl.c
24525+++ b/arch/x86/kernel/cpu/perf_event_intel_rapl.c
24526@@ -486,7 +486,7 @@ static struct attribute *rapl_events_hsw_attr[] = {
24527 NULL,
24528 };
24529
24530-static struct attribute_group rapl_pmu_events_group = {
24531+static attribute_group_no_const rapl_pmu_events_group __read_only = {
24532 .name = "events",
24533 .attrs = NULL, /* patched at runtime */
24534 };
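Review bot: `rapl_pmu_events_group` is now `__read_only`, yet the initializer still carries the comment `/* patched at runtime */`. The assignment to `.attrs` is outside this hunk, so it cannot be confirmed here that it runs between `pax_open_kernel()` and `pax_close_kernel()`. The comment should state the new constraint, e.g. `.attrs = NULL, /* set once at init, inside pax_open_kernel() */`.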
24535diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.c b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
24536index 21b5e38..84f1f82 100644
24537--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.c
24538+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.c
24539@@ -731,7 +731,7 @@ static void __init uncore_types_exit(struct intel_uncore_type **types)
24540 static int __init uncore_type_init(struct intel_uncore_type *type)
24541 {
24542 struct intel_uncore_pmu *pmus;
24543- struct attribute_group *attr_group;
24544+ attribute_group_no_const *attr_group;
24545 struct attribute **attrs;
24546 int i, j;
24547
24548diff --git a/arch/x86/kernel/cpu/perf_event_intel_uncore.h b/arch/x86/kernel/cpu/perf_event_intel_uncore.h
24549index 0f77f0a..d3c6b7d 100644
24550--- a/arch/x86/kernel/cpu/perf_event_intel_uncore.h
24551+++ b/arch/x86/kernel/cpu/perf_event_intel_uncore.h
24552@@ -115,7 +115,7 @@ struct intel_uncore_box {
24553 struct uncore_event_desc {
24554 struct kobj_attribute attr;
24555 const char *config;
24556-};
24557+} __do_const;
24558
24559 ssize_t uncore_event_show(struct kobject *kobj,
24560 struct kobj_attribute *attr, char *buf);
24561diff --git a/arch/x86/kernel/cpuid.c b/arch/x86/kernel/cpuid.c
24562index 83741a7..bd3507d 100644
24563--- a/arch/x86/kernel/cpuid.c
24564+++ b/arch/x86/kernel/cpuid.c
24565@@ -170,7 +170,7 @@ static int cpuid_class_cpu_callback(struct notifier_block *nfb,
24566 return notifier_from_errno(err);
24567 }
24568
24569-static struct notifier_block __refdata cpuid_class_cpu_notifier =
24570+static struct notifier_block cpuid_class_cpu_notifier =
24571 {
24572 .notifier_call = cpuid_class_cpu_callback,
24573 };
24574diff --git a/arch/x86/kernel/crash_dump_64.c b/arch/x86/kernel/crash_dump_64.c
24575index afa64ad..dce67dd 100644
24576--- a/arch/x86/kernel/crash_dump_64.c
24577+++ b/arch/x86/kernel/crash_dump_64.c
24578@@ -36,7 +36,7 @@ ssize_t copy_oldmem_page(unsigned long pfn, char *buf,
24579 return -ENOMEM;
24580
24581 if (userbuf) {
24582- if (copy_to_user(buf, vaddr + offset, csize)) {
24583+ if (copy_to_user((char __force_user *)buf, vaddr + offset, csize)) {
24584 iounmap(vaddr);
24585 return -EFAULT;
24586 }
24587diff --git a/arch/x86/kernel/doublefault.c b/arch/x86/kernel/doublefault.c
24588index f6dfd93..892ade4 100644
24589--- a/arch/x86/kernel/doublefault.c
24590+++ b/arch/x86/kernel/doublefault.c
24591@@ -12,7 +12,7 @@
24592
24593 #define DOUBLEFAULT_STACKSIZE (1024)
24594 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
24595-#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
24596+#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
24597
24598 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
24599
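Review bot: The `-2` added to `STACK_START` is an unexplained magic number. It moves the initial stack pointer two `unsigned long` slots below the end of `doublefault_stack`, but the reason is not stated anywhere in the hunk. A comment on the define should say what the reserved slots are for, along the lines of `/* keep two words free above the initial sp */` with the actual reason filled in by the author.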
24600@@ -22,7 +22,7 @@ static void doublefault_fn(void)
24601 unsigned long gdt, tss;
24602
24603 native_store_gdt(&gdt_desc);
24604- gdt = gdt_desc.address;
24605+ gdt = (unsigned long)gdt_desc.address;
24606
24607 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
24608
24609@@ -59,10 +59,10 @@ struct tss_struct doublefault_tss __cacheline_aligned = {
24610 /* 0x2 bit is always set */
24611 .flags = X86_EFLAGS_SF | 0x2,
24612 .sp = STACK_START,
24613- .es = __USER_DS,
24614+ .es = __KERNEL_DS,
24615 .cs = __KERNEL_CS,
24616 .ss = __KERNEL_DS,
24617- .ds = __USER_DS,
24618+ .ds = __KERNEL_DS,
24619 .fs = __KERNEL_PERCPU,
24620
24621 .__cr3 = __pa_nodebug(swapper_pg_dir),
24622diff --git a/arch/x86/kernel/dumpstack.c b/arch/x86/kernel/dumpstack.c
24623index 9c30acf..8cf2411 100644
24624--- a/arch/x86/kernel/dumpstack.c
24625+++ b/arch/x86/kernel/dumpstack.c
24626@@ -2,6 +2,9 @@
24627 * Copyright (C) 1991, 1992 Linus Torvalds
24628 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
24629 */
24630+#ifdef CONFIG_GRKERNSEC_HIDESYM
24631+#define __INCLUDED_BY_HIDESYM 1
24632+#endif
24633 #include <linux/kallsyms.h>
24634 #include <linux/kprobes.h>
24635 #include <linux/uaccess.h>
24636@@ -35,23 +38,21 @@ static void printk_stack_address(unsigned long address, int reliable,
24637
24638 void printk_address(unsigned long address)
24639 {
24640- pr_cont(" [<%p>] %pS\n", (void *)address, (void *)address);
24641+ pr_cont(" [<%p>] %pA\n", (void *)address, (void *)address);
24642 }
24643
24644 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
24645 static void
24646 print_ftrace_graph_addr(unsigned long addr, void *data,
24647 const struct stacktrace_ops *ops,
24648- struct thread_info *tinfo, int *graph)
24649+ struct task_struct *task, int *graph)
24650 {
24651- struct task_struct *task;
24652 unsigned long ret_addr;
24653 int index;
24654
24655 if (addr != (unsigned long)return_to_handler)
24656 return;
24657
24658- task = tinfo->task;
24659 index = task->curr_ret_stack;
24660
24661 if (!task->ret_stack || index < *graph)
24662@@ -68,7 +69,7 @@ print_ftrace_graph_addr(unsigned long addr, void *data,
24663 static inline void
24664 print_ftrace_graph_addr(unsigned long addr, void *data,
24665 const struct stacktrace_ops *ops,
24666- struct thread_info *tinfo, int *graph)
24667+ struct task_struct *task, int *graph)
24668 { }
24669 #endif
24670
24671@@ -79,10 +80,8 @@ print_ftrace_graph_addr(unsigned long addr, void *data,
24672 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
24673 */
24674
24675-static inline int valid_stack_ptr(struct thread_info *tinfo,
24676- void *p, unsigned int size, void *end)
24677+static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
24678 {
24679- void *t = tinfo;
24680 if (end) {
24681 if (p < end && p >= (end-THREAD_SIZE))
24682 return 1;
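Review bot: The new first parameter of valid_stack_ptr() is named `t`, which was acceptable as a local alias for `tinfo` but says nothing as a parameter of type `void *`. Both callers in this file pass a value called `stack_start`, so the signature would read better as `static inline int valid_stack_ptr(void *stack_start, void *p, unsigned int size, void *end)`. The rest of the body lies outside this hunk and would need the same rename wherever it uses `t`.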
24683@@ -93,14 +92,14 @@ static inline int valid_stack_ptr(struct thread_info *tinfo,
24684 }
24685
24686 unsigned long
24687-print_context_stack(struct thread_info *tinfo,
24688+print_context_stack(struct task_struct *task, void *stack_start,
24689 unsigned long *stack, unsigned long bp,
24690 const struct stacktrace_ops *ops, void *data,
24691 unsigned long *end, int *graph)
24692 {
24693 struct stack_frame *frame = (struct stack_frame *)bp;
24694
24695- while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
24696+ while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
24697 unsigned long addr;
24698
24699 addr = *stack;
24700@@ -112,7 +111,7 @@ print_context_stack(struct thread_info *tinfo,
24701 } else {
24702 ops->address(data, addr, 0);
24703 }
24704- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
24705+ print_ftrace_graph_addr(addr, data, ops, task, graph);
24706 }
24707 stack++;
24708 }
24709@@ -121,7 +120,7 @@ print_context_stack(struct thread_info *tinfo,
24710 EXPORT_SYMBOL_GPL(print_context_stack);
24711
24712 unsigned long
24713-print_context_stack_bp(struct thread_info *tinfo,
24714+print_context_stack_bp(struct task_struct *task, void *stack_start,
24715 unsigned long *stack, unsigned long bp,
24716 const struct stacktrace_ops *ops, void *data,
24717 unsigned long *end, int *graph)
24718@@ -129,7 +128,7 @@ print_context_stack_bp(struct thread_info *tinfo,
24719 struct stack_frame *frame = (struct stack_frame *)bp;
24720 unsigned long *ret_addr = &frame->return_address;
24721
24722- while (valid_stack_ptr(tinfo, ret_addr, sizeof(*ret_addr), end)) {
24723+ while (valid_stack_ptr(stack_start, ret_addr, sizeof(*ret_addr), end)) {
24724 unsigned long addr = *ret_addr;
24725
24726 if (!__kernel_text_address(addr))
24727@@ -138,7 +137,7 @@ print_context_stack_bp(struct thread_info *tinfo,
24728 ops->address(data, addr, 1);
24729 frame = frame->next_frame;
24730 ret_addr = &frame->return_address;
24731- print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
24732+ print_ftrace_graph_addr(addr, data, ops, task, graph);
24733 }
24734
24735 return (unsigned long)frame;
24736@@ -226,6 +225,8 @@ unsigned long oops_begin(void)
24737 EXPORT_SYMBOL_GPL(oops_begin);
24738 NOKPROBE_SYMBOL(oops_begin);
24739
24740+extern void gr_handle_kernel_exploit(void);
24741+
24742 void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
24743 {
24744 if (regs && kexec_should_crash(current))
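Review bot: `extern void gr_handle_kernel_exploit(void);` is declared directly in dumpstack.c, so the compiler cannot check the prototype against the definition and any other caller has to repeat it. Kernel style puts such declarations in a header that both the definition and the users include. The header that would own it is not visible on this page.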
24745@@ -247,7 +248,10 @@ void oops_end(unsigned long flags, struct pt_regs *regs, int signr)
24746 panic("Fatal exception in interrupt");
24747 if (panic_on_oops)
24748 panic("Fatal exception");
24749- do_exit(signr);
24750+
24751+ gr_handle_kernel_exploit();
24752+
24753+ do_group_exit(signr);
24754 }
24755 NOKPROBE_SYMBOL(oops_end);
24756
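Review bot: The tail of oops_end() changes from `do_exit(signr)` to `gr_handle_kernel_exploit(); do_group_exit(signr);` without a comment, although both lines change what an oops does to the faulting process. `do_group_exit()` ends every thread in the group rather than only the faulting one, and whether `gr_handle_kernel_exploit()` can return at all is not visible here. A short comment would record the intent, e.g. `/* policy hook first, then take down the whole thread group */`.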
24757diff --git a/arch/x86/kernel/dumpstack_32.c b/arch/x86/kernel/dumpstack_32.c
24758index 464ffd6..01f2cda 100644
24759--- a/arch/x86/kernel/dumpstack_32.c
24760+++ b/arch/x86/kernel/dumpstack_32.c
24761@@ -61,15 +61,14 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24762 bp = stack_frame(task, regs);
24763
24764 for (;;) {
24765- struct thread_info *context;
24766+ void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
24767 void *end_stack;
24768
24769 end_stack = is_hardirq_stack(stack, cpu);
24770 if (!end_stack)
24771 end_stack = is_softirq_stack(stack, cpu);
24772
24773- context = task_thread_info(task);
24774- bp = ops->walk_stack(context, stack, bp, ops, data,
24775+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data,
24776 end_stack, &graph);
24777
24778 /* Stop if not on irq stack */
24779@@ -137,16 +136,17 @@ void show_regs(struct pt_regs *regs)
24780 unsigned int code_len = code_bytes;
24781 unsigned char c;
24782 u8 *ip;
24783+ unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(0)[(0xffff & regs->cs) >> 3]);
24784
24785 pr_emerg("Stack:\n");
24786 show_stack_log_lvl(NULL, regs, &regs->sp, 0, KERN_EMERG);
24787
24788 pr_emerg("Code:");
24789
24790- ip = (u8 *)regs->ip - code_prologue;
24791+ ip = (u8 *)regs->ip - code_prologue + cs_base;
24792 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
24793 /* try starting at IP */
24794- ip = (u8 *)regs->ip;
24795+ ip = (u8 *)regs->ip + cs_base;
24796 code_len = code_len - code_prologue + 1;
24797 }
24798 for (i = 0; i < code_len; i++, ip++) {
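Review bot: `cs_base` is read from `get_cpu_gdt_table(0)`, i.e. always from CPU 0's GDT, although show_regs() can run on any CPU. If the descriptor can differ between CPUs, `get_cpu_gdt_table(smp_processor_id())` is the safer lookup; otherwise a comment should say why CPU 0 is always right. The index `(0xffff & regs->cs) >> 3` is also used without checking the selector's table-indicator bit or the GDT bounds, which matters if `regs->cs` can hold anything other than a kernel GDT selector on this path. The start of show_regs() is outside the hunk, so any guard there is not visible.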
24799@@ -155,7 +155,7 @@ void show_regs(struct pt_regs *regs)
24800 pr_cont(" Bad EIP value.");
24801 break;
24802 }
24803- if (ip == (u8 *)regs->ip)
24804+ if (ip == (u8 *)regs->ip + cs_base)
24805 pr_cont(" <%02x>", c);
24806 else
24807 pr_cont(" %02x", c);
24808@@ -168,6 +168,7 @@ int is_valid_bugaddr(unsigned long ip)
24809 {
24810 unsigned short ud2;
24811
24812+ ip = ktla_ktva(ip);
24813 if (ip < PAGE_OFFSET)
24814 return 0;
24815 if (probe_kernel_address((unsigned short *)ip, ud2))
24816@@ -175,3 +176,15 @@ int is_valid_bugaddr(unsigned long ip)
24817
24818 return ud2 == 0x0b0f;
24819 }
24820+
24821+#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
24822+void __used pax_check_alloca(unsigned long size)
24823+{
24824+ unsigned long sp = (unsigned long)&sp, stack_left;
24825+
24826+ /* all kernel stacks are of the same size */
24827+ stack_left = sp & (THREAD_SIZE - 1);
24828+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
24829+}
24830+EXPORT_SYMBOL(pax_check_alloca);
24831+#endif
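Review bot: pax_check_alloca() has no function comment, and its `256` is a bare constant used as both a minimum headroom and a margin subtracted from `stack_left`. A named constant such as `#define PAX_ALLOCA_MIN_STACK 256` (the name is only a suggestion) with a kernel-doc line would make the contract readable: `size` is the requested alloca size, and the function BUGs when fewer than 256 bytes would remain. The 64-bit variant in dumpstack_64.c repeats the same literal six times and would benefit from the same constant.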
24832diff --git a/arch/x86/kernel/dumpstack_64.c b/arch/x86/kernel/dumpstack_64.c
24833index 5f1c626..1cba97e 100644
24834--- a/arch/x86/kernel/dumpstack_64.c
24835+++ b/arch/x86/kernel/dumpstack_64.c
24836@@ -153,12 +153,12 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24837 const struct stacktrace_ops *ops, void *data)
24838 {
24839 const unsigned cpu = get_cpu();
24840- struct thread_info *tinfo;
24841 unsigned long *irq_stack = (unsigned long *)per_cpu(irq_stack_ptr, cpu);
24842 unsigned long dummy;
24843 unsigned used = 0;
24844 int graph = 0;
24845 int done = 0;
24846+ void *stack_start;
24847
24848 if (!task)
24849 task = current;
24850@@ -179,7 +179,6 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24851 * current stack address. If the stacks consist of nested
24852 * exceptions
24853 */
24854- tinfo = task_thread_info(task);
24855 while (!done) {
24856 unsigned long *stack_end;
24857 enum stack_type stype;
24858@@ -202,7 +201,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24859 if (ops->stack(data, id) < 0)
24860 break;
24861
24862- bp = ops->walk_stack(tinfo, stack, bp, ops,
24863+ bp = ops->walk_stack(task, stack_end - EXCEPTION_STKSZ, stack, bp, ops,
24864 data, stack_end, &graph);
24865 ops->stack(data, "<EOE>");
24866 /*
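Review bot: `stack_end - EXCEPTION_STKSZ` is pointer arithmetic on `unsigned long *stack_end` (declared in the previous hunk's context), so the byte size is scaled by `sizeof(unsigned long)` and the resulting `stack_start` is far below the real base of the exception stack. pax_check_alloca() later in this file does the same subtraction on an integer `stack_end`, which is the intended byte arithmetic. Writing `(void *)stack_end - EXCEPTION_STKSZ` gives the correct address. The visible part of valid_stack_ptr() returns early when `end` is set, so the wrong value may be unused today, but that depends on code outside this hunk.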
24867@@ -210,6 +209,8 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24868 * second-to-last pointer (index -2 to end) in the
24869 * exception stack:
24870 */
24871+ if ((u16)stack_end[-1] != __KERNEL_DS)
24872+ goto out;
24873 stack = (unsigned long *) stack_end[-2];
24874 done = 0;
24875 break;
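Review bot: The added test `if ((u16)stack_end[-1] != __KERNEL_DS) goto out;` has no comment, and the existing comment above it only describes the slot at index -2. A reader cannot tell what the last slot of the exception stack is expected to hold or why a mismatch ends the walk. Extending the comment would cover it, e.g. `/* stack_end[-1] is the saved SS; only follow the link if it is the kernel data segment */`, provided that matches the frame layout.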
24876@@ -218,7 +219,7 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24877
24878 if (ops->stack(data, "IRQ") < 0)
24879 break;
24880- bp = ops->walk_stack(tinfo, stack, bp,
24881+ bp = ops->walk_stack(task, irq_stack, stack, bp,
24882 ops, data, stack_end, &graph);
24883 /*
24884 * We link to the next stack (which would be
24885@@ -240,7 +241,9 @@ void dump_trace(struct task_struct *task, struct pt_regs *regs,
24886 /*
24887 * This handles the process stack:
24888 */
24889- bp = ops->walk_stack(tinfo, stack, bp, ops, data, NULL, &graph);
24890+ stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
24891+ bp = ops->walk_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
24892+out:
24893 put_cpu();
24894 }
24895 EXPORT_SYMBOL(dump_trace);
24896@@ -347,8 +350,55 @@ int is_valid_bugaddr(unsigned long ip)
24897 {
24898 unsigned short ud2;
24899
24900- if (__copy_from_user(&ud2, (const void __user *) ip, sizeof(ud2)))
24901+ if (probe_kernel_address((unsigned short *)ip, ud2))
24902 return 0;
24903
24904 return ud2 == 0x0b0f;
24905 }
24906+
24907+#if defined(CONFIG_PAX_MEMORY_STACKLEAK) || defined(CONFIG_PAX_USERCOPY)
24908+void __used pax_check_alloca(unsigned long size)
24909+{
24910+ unsigned long sp = (unsigned long)&sp, stack_start, stack_end;
24911+ unsigned cpu, used;
24912+ char *id;
24913+
24914+ /* check the process stack first */
24915+ stack_start = (unsigned long)task_stack_page(current);
24916+ stack_end = stack_start + THREAD_SIZE;
24917+ if (likely(stack_start <= sp && sp < stack_end)) {
24918+ unsigned long stack_left = sp & (THREAD_SIZE - 1);
24919+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
24920+ return;
24921+ }
24922+
24923+ cpu = get_cpu();
24924+
24925+ /* check the irq stacks */
24926+ stack_end = (unsigned long)per_cpu(irq_stack_ptr, cpu);
24927+ stack_start = stack_end - IRQ_STACK_SIZE;
24928+ if (stack_start <= sp && sp < stack_end) {
24929+ unsigned long stack_left = sp & (IRQ_STACK_SIZE - 1);
24930+ put_cpu();
24931+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
24932+ return;
24933+ }
24934+
24935+ /* check the exception stacks */
24936+ used = 0;
24937+ stack_end = (unsigned long)in_exception_stack(cpu, sp, &used, &id);
24938+ stack_start = stack_end - EXCEPTION_STKSZ;
24939+ if (stack_end && stack_start <= sp && sp < stack_end) {
24940+ unsigned long stack_left = sp & (EXCEPTION_STKSZ - 1);
24941+ put_cpu();
24942+ BUG_ON(stack_left < 256 || size >= stack_left - 256);
24943+ return;
24944+ }
24945+
24946+ put_cpu();
24947+
24948+ /* unknown stack */
24949+ BUG();
24950+}
24951+EXPORT_SYMBOL(pax_check_alloca);
24952+#endif
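Review bot: Each branch of the 64-bit pax_check_alloca() computes the remaining space by masking, e.g. `sp & (IRQ_STACK_SIZE - 1)` and `sp & (EXCEPTION_STKSZ - 1)`, which is only correct if every stack is aligned to its own size. That alignment is not established anywhere in this hunk. `stack_start` has already been computed in all three branches, so `unsigned long stack_left = sp - stack_start;` gives the same result without the alignment assumption. The process-stack branch can use the same form for consistency.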
24953diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c
24954index a102564..d1f0b73 100644
24955--- a/arch/x86/kernel/e820.c
24956+++ b/arch/x86/kernel/e820.c
24957@@ -803,8 +803,8 @@ unsigned long __init e820_end_of_low_ram_pfn(void)
24958
24959 static void early_panic(char *msg)
24960 {
24961- early_printk(msg);
24962- panic(msg);
24963+ early_printk("%s", msg);
24964+ panic("%s", msg);
24965 }
24966
24967 static int userdef __initdata;
24968diff --git a/arch/x86/kernel/early_printk.c b/arch/x86/kernel/early_printk.c
24969index eec40f5..4fee808 100644
24970--- a/arch/x86/kernel/early_printk.c
24971+++ b/arch/x86/kernel/early_printk.c
24972@@ -7,6 +7,7 @@
24973 #include <linux/pci_regs.h>
24974 #include <linux/pci_ids.h>
24975 #include <linux/errno.h>
24976+#include <linux/sched.h>
24977 #include <asm/io.h>
24978 #include <asm/processor.h>
24979 #include <asm/fcntl.h>
24980diff --git a/arch/x86/kernel/espfix_64.c b/arch/x86/kernel/espfix_64.c
24981index ce95676..af5c012 100644
24982--- a/arch/x86/kernel/espfix_64.c
24983+++ b/arch/x86/kernel/espfix_64.c
24984@@ -41,6 +41,7 @@
24985 #include <asm/pgalloc.h>
24986 #include <asm/setup.h>
24987 #include <asm/espfix.h>
24988+#include <asm/bug.h>
24989
24990 /*
24991 * Note: we only need 6*8 = 48 bytes for the espfix stack, but round
24992@@ -70,8 +71,10 @@ static DEFINE_MUTEX(espfix_init_mutex);
24993 #define ESPFIX_MAX_PAGES DIV_ROUND_UP(CONFIG_NR_CPUS, ESPFIX_STACKS_PER_PAGE)
24994 static void *espfix_pages[ESPFIX_MAX_PAGES];
24995
24996-static __page_aligned_bss pud_t espfix_pud_page[PTRS_PER_PUD]
24997- __aligned(PAGE_SIZE);
24998+static __page_aligned_rodata pud_t espfix_pud_page[PTRS_PER_PUD];
24999+static __page_aligned_rodata pmd_t espfix_pmd_page[PTRS_PER_PMD];
25000+static __page_aligned_rodata pte_t espfix_pte_page[PTRS_PER_PTE];
25001+static __page_aligned_rodata char espfix_stack_page[ESPFIX_MAX_PAGES][PAGE_SIZE];
25002
25003 static unsigned int page_random, slot_random;
25004
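Review bot: The four espfix tables are now `__page_aligned_rodata` with no comment, while init_espfix_ap() in a later hunk still fills them through `set_pud()`, `set_pmd()` and `set_pte()`. A block comment should say when these pages are writable and that `espfix_stack_page` statically reserves `ESPFIX_MAX_PAGES` pages, replacing the per-node allocation removed later in this patch. The old declaration also spelled out `__aligned(PAGE_SIZE)`; the new ones rely on the section macro for alignment, and that is not visible here.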
25005@@ -122,10 +125,19 @@ static void init_espfix_random(void)
25006 void __init init_espfix_bsp(void)
25007 {
25008 pgd_t *pgd_p;
25009+ pud_t *pud_p;
25010+ unsigned long index = pgd_index(ESPFIX_BASE_ADDR);
25011
25012 /* Install the espfix pud into the kernel page directory */
25013- pgd_p = &init_level4_pgt[pgd_index(ESPFIX_BASE_ADDR)];
25014- pgd_populate(&init_mm, pgd_p, (pud_t *)espfix_pud_page);
25015+ pgd_p = &init_level4_pgt[index];
25016+ pud_p = espfix_pud_page;
25017+ paravirt_alloc_pud(&init_mm, __pa(pud_p) >> PAGE_SHIFT);
25018+ set_pgd(pgd_p, __pgd(PGTABLE_PROT | __pa(pud_p)));
25019+
25020+#ifdef CONFIG_PAX_PER_CPU_PGD
25021+ clone_pgd_range(get_cpu_pgd(0, kernel) + index, swapper_pg_dir + index, 1);
25022+ clone_pgd_range(get_cpu_pgd(0, user) + index, swapper_pg_dir + index, 1);
25023+#endif
25024
25025 /* Randomize the locations */
25026 init_espfix_random();
25027@@ -170,35 +182,39 @@ void init_espfix_ap(int cpu)
25028 pud_p = &espfix_pud_page[pud_index(addr)];
25029 pud = *pud_p;
25030 if (!pud_present(pud)) {
25031- struct page *page = alloc_pages_node(node, PGALLOC_GFP, 0);
25032-
25033- pmd_p = (pmd_t *)page_address(page);
25034+ if (cpu)
25035+ pmd_p = page_address(alloc_pages_node(node, PGALLOC_GFP, 0));
25036+ else
25037+ pmd_p = espfix_pmd_page;
25038 pud = __pud(__pa(pmd_p) | (PGTABLE_PROT & ptemask));
25039 paravirt_alloc_pmd(&init_mm, __pa(pmd_p) >> PAGE_SHIFT);
25040 for (n = 0; n < ESPFIX_PUD_CLONES; n++)
25041 set_pud(&pud_p[n], pud);
25042- }
25043+ } else
25044+ BUG_ON(!cpu);
25045
25046 pmd_p = pmd_offset(&pud, addr);
25047 pmd = *pmd_p;
25048 if (!pmd_present(pmd)) {
25049- struct page *page = alloc_pages_node(node, PGALLOC_GFP, 0);
25050-
25051- pte_p = (pte_t *)page_address(page);
25052+ if (cpu)
25053+ pte_p = page_address(alloc_pages_node(node, PGALLOC_GFP, 0));
25054+ else
25055+ pte_p = espfix_pte_page;
25056 pmd = __pmd(__pa(pte_p) | (PGTABLE_PROT & ptemask));
25057 paravirt_alloc_pte(&init_mm, __pa(pte_p) >> PAGE_SHIFT);
25058 for (n = 0; n < ESPFIX_PMD_CLONES; n++)
25059 set_pmd(&pmd_p[n], pmd);
25060- }
25061+ } else
25062+ BUG_ON(!cpu);
25063
25064 pte_p = pte_offset_kernel(&pmd, addr);
25065- stack_page = page_address(alloc_pages_node(node, GFP_KERNEL, 0));
25066+ stack_page = espfix_stack_page[page];
25067 pte = __pte(__pa(stack_page) | (__PAGE_KERNEL_RO & ptemask));
25068 for (n = 0; n < ESPFIX_PTE_CLONES; n++)
25069 set_pte(&pte_p[n*PTE_STRIDE], pte);
25070
25071 /* Job is done for this CPU and any CPU which shares this page */
25072- ACCESS_ONCE(espfix_pages[page]) = stack_page;
25073+ ACCESS_ONCE_RW(espfix_pages[page]) = stack_page;
25074
25075 unlock_done:
25076 mutex_unlock(&espfix_init_mutex);
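Review bot: The rewritten allocation lines pass the result of `alloc_pages_node()` directly to `page_address()`, so a failed allocation on a non-boot CPU goes unnoticed before `__pa(pmd_p)` is installed into the page tables; the `pte_p` branch has the same gap. The removed code did not check either, but the new one-liner drops the `page` variable that a check would use. The `} else BUG_ON(!cpu);` tails also mix a braced branch with an unbraced one, which kernel style avoids. The sketch below shows the pud branch with both points addressed; the pmd branch would follow the same shape.

```c
	if (!pud_present(pud)) {
		if (cpu) {
			struct page *page = alloc_pages_node(node, PGALLOC_GFP, 0);

			BUG_ON(!page);
			pmd_p = page_address(page);
		} else {
			pmd_p = espfix_pmd_page;
		}
		/* … unchanged: pud construction, paravirt_alloc_pmd() and set_pud() loop … */
	} else {
		BUG_ON(!cpu);
	}
```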
25077diff --git a/arch/x86/kernel/fpu/core.c b/arch/x86/kernel/fpu/core.c
25078index d25097c..e2df353 100644
25079--- a/arch/x86/kernel/fpu/core.c
25080+++ b/arch/x86/kernel/fpu/core.c
25081@@ -127,7 +127,7 @@ void __kernel_fpu_end(void)
25082 struct fpu *fpu = &current->thread.fpu;
25083
25084 if (fpu->fpregs_active)
25085- copy_kernel_to_fpregs(&fpu->state);
25086+ copy_kernel_to_fpregs(fpu->state);
25087 else
25088 __fpregs_deactivate_hw();
25089
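Review bot: `fpu->state` is now a pointer and is dereferenced unconditionally here and in the other fpu/core.c, fpu/regset.c and fpu/signal.c hunks, but none of the visible hunks shows where it is allocated, freed or guaranteed to be non-NULL. The invariant should be documented at the field or at the first use, e.g. `/* fpu->state is allocated with the task and is never NULL while the task exists */`, if that is indeed the rule. The `memset()` and `memcpy()` calls in fpu_copy() also rely on the buffer being at least `xstate_size` bytes, which is worth stating in the same place.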
25090@@ -238,7 +238,7 @@ static void fpu_copy(struct fpu *dst_fpu, struct fpu *src_fpu)
25091 * leak into the child task:
25092 */
25093 if (use_eager_fpu())
25094- memset(&dst_fpu->state.xsave, 0, xstate_size);
25095+ memset(&dst_fpu->state->xsave, 0, xstate_size);
25096
25097 /*
25098 * Save current FPU registers directly into the child
25099@@ -258,7 +258,7 @@ static void fpu_copy(struct fpu *dst_fpu, struct fpu *src_fpu)
25100 */
25101 preempt_disable();
25102 if (!copy_fpregs_to_fpstate(dst_fpu)) {
25103- memcpy(&src_fpu->state, &dst_fpu->state, xstate_size);
25104+ memcpy(src_fpu->state, dst_fpu->state, xstate_size);
25105 fpregs_deactivate(src_fpu);
25106 }
25107 preempt_enable();
25108@@ -285,7 +285,7 @@ void fpu__activate_curr(struct fpu *fpu)
25109 WARN_ON_FPU(fpu != &current->thread.fpu);
25110
25111 if (!fpu->fpstate_active) {
25112- fpstate_init(&fpu->state);
25113+ fpstate_init(fpu->state);
25114
25115 /* Safe to do for the current task: */
25116 fpu->fpstate_active = 1;
25117@@ -311,7 +311,7 @@ void fpu__activate_fpstate_read(struct fpu *fpu)
25118 fpu__save(fpu);
25119 } else {
25120 if (!fpu->fpstate_active) {
25121- fpstate_init(&fpu->state);
25122+ fpstate_init(fpu->state);
25123
25124 /* Safe to do for current and for stopped child tasks: */
25125 fpu->fpstate_active = 1;
25126@@ -344,7 +344,7 @@ void fpu__activate_fpstate_write(struct fpu *fpu)
25127 /* Invalidate any lazy state: */
25128 fpu->last_cpu = -1;
25129 } else {
25130- fpstate_init(&fpu->state);
25131+ fpstate_init(fpu->state);
25132
25133 /* Safe to do for stopped child tasks: */
25134 fpu->fpstate_active = 1;
25135@@ -368,7 +368,7 @@ void fpu__restore(struct fpu *fpu)
25136 /* Avoid __kernel_fpu_begin() right after fpregs_activate() */
25137 kernel_fpu_disable();
25138 fpregs_activate(fpu);
25139- copy_kernel_to_fpregs(&fpu->state);
25140+ copy_kernel_to_fpregs(fpu->state);
25141 fpu->counter++;
25142 kernel_fpu_enable();
25143 }
25144@@ -442,25 +442,25 @@ void fpu__clear(struct fpu *fpu)
25145 static inline unsigned short get_fpu_cwd(struct fpu *fpu)
25146 {
25147 if (cpu_has_fxsr) {
25148- return fpu->state.fxsave.cwd;
25149+ return fpu->state->fxsave.cwd;
25150 } else {
25151- return (unsigned short)fpu->state.fsave.cwd;
25152+ return (unsigned short)fpu->state->fsave.cwd;
25153 }
25154 }
25155
25156 static inline unsigned short get_fpu_swd(struct fpu *fpu)
25157 {
25158 if (cpu_has_fxsr) {
25159- return fpu->state.fxsave.swd;
25160+ return fpu->state->fxsave.swd;
25161 } else {
25162- return (unsigned short)fpu->state.fsave.swd;
25163+ return (unsigned short)fpu->state->fsave.swd;
25164 }
25165 }
25166
25167 static inline unsigned short get_fpu_mxcsr(struct fpu *fpu)
25168 {
25169 if (cpu_has_xmm) {
25170- return fpu->state.fxsave.mxcsr;
25171+ return fpu->state->fxsave.mxcsr;
25172 } else {
25173 return MXCSR_DEFAULT;
25174 }
25175diff --git a/arch/x86/kernel/fpu/init.c b/arch/x86/kernel/fpu/init.c
25176index d14e9ac..13442f0 100644
25177--- a/arch/x86/kernel/fpu/init.c
25178+++ b/arch/x86/kernel/fpu/init.c
25179@@ -42,7 +42,7 @@ static void fpu__init_cpu_generic(void)
25180 /* Flush out any pending x87 state: */
25181 #ifdef CONFIG_MATH_EMULATION
25182 if (!cpu_has_fpu)
25183- fpstate_init_soft(&current->thread.fpu.state.soft);
25184+ fpstate_init_soft(&current->thread.fpu.state->soft);
25185 else
25186 #endif
25187 asm volatile ("fninit");
25188@@ -143,42 +143,7 @@ static void __init fpu__init_system_generic(void)
25189 unsigned int xstate_size;
25190 EXPORT_SYMBOL_GPL(xstate_size);
25191
25192-/* Enforce that 'MEMBER' is the last field of 'TYPE': */
25193-#define CHECK_MEMBER_AT_END_OF(TYPE, MEMBER) \
25194- BUILD_BUG_ON(sizeof(TYPE) != offsetofend(TYPE, MEMBER))
25195-
25196-/*
25197- * We append the 'struct fpu' to the task_struct:
25198- */
25199-static void __init fpu__init_task_struct_size(void)
25200-{
25201- int task_size = sizeof(struct task_struct);
25202-
25203- /*
25204- * Subtract off the static size of the register state.
25205- * It potentially has a bunch of padding.
25206- */
25207- task_size -= sizeof(((struct task_struct *)0)->thread.fpu.state);
25208-
25209- /*
25210- * Add back the dynamically-calculated register state
25211- * size.
25212- */
25213- task_size += xstate_size;
25214-
25215- /*
25216- * We dynamically size 'struct fpu', so we require that
25217- * it be at the end of 'thread_struct' and that
25218- * 'thread_struct' be at the end of 'task_struct'. If
25219- * you hit a compile error here, check the structure to
25220- * see if something got added to the end.
25221- */
25222- CHECK_MEMBER_AT_END_OF(struct fpu, state);
25223- CHECK_MEMBER_AT_END_OF(struct thread_struct, fpu);
25224- CHECK_MEMBER_AT_END_OF(struct task_struct, thread);
25225-
25226- arch_task_struct_size = task_size;
25227-}
25228+union fpregs_state init_fpregs_state;
25229
25230 /*
25231 * Set up the xstate_size based on the legacy FPU context size.
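Review bot: The new global `union fpregs_state init_fpregs_state;` has external linkage and no comment. It arrives in the same hunk that deletes fpu__init_task_struct_size() and its `BUILD_BUG_ON` layout checks, leaving no check in view that relates the buffer's size to the runtime `xstate_size`. If this object backs an `fpu->state` pointer, fpu__init_system() could assert the size once `xstate_size` is final, e.g. `BUG_ON(xstate_size > sizeof(init_fpregs_state));`. A one-line comment naming the user of this buffer would also help, since its declaration is outside this hunk.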
25232@@ -331,7 +296,6 @@ void __init fpu__init_system(struct cpuinfo_x86 *c)
25233 fpu__init_system_generic();
25234 fpu__init_system_xstate_size_legacy();
25235 fpu__init_system_xstate();
25236- fpu__init_task_struct_size();
25237
25238 fpu__init_system_ctx_switch();
25239 }
25240diff --git a/arch/x86/kernel/fpu/regset.c b/arch/x86/kernel/fpu/regset.c
25241index dc60810..6c8a1fa 100644
25242--- a/arch/x86/kernel/fpu/regset.c
25243+++ b/arch/x86/kernel/fpu/regset.c
25244@@ -37,7 +37,7 @@ int xfpregs_get(struct task_struct *target, const struct user_regset *regset,
25245 fpstate_sanitize_xstate(fpu);
25246
25247 return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
25248- &fpu->state.fxsave, 0, -1);
25249+ &fpu->state->fxsave, 0, -1);
25250 }
25251
25252 int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
25253@@ -54,19 +54,19 @@ int xfpregs_set(struct task_struct *target, const struct user_regset *regset,
25254 fpstate_sanitize_xstate(fpu);
25255
25256 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
25257- &fpu->state.fxsave, 0, -1);
25258+ &fpu->state->fxsave, 0, -1);
25259
25260 /*
25261 * mxcsr reserved bits must be masked to zero for security reasons.
25262 */
25263- fpu->state.fxsave.mxcsr &= mxcsr_feature_mask;
25264+ fpu->state->fxsave.mxcsr &= mxcsr_feature_mask;
25265
25266 /*
25267 * update the header bits in the xsave header, indicating the
25268 * presence of FP and SSE state.
25269 */
25270 if (cpu_has_xsave)
25271- fpu->state.xsave.header.xfeatures |= XSTATE_FPSSE;
25272+ fpu->state->xsave.header.xfeatures |= XSTATE_FPSSE;
25273
25274 return ret;
25275 }
25276@@ -84,7 +84,7 @@ int xstateregs_get(struct task_struct *target, const struct user_regset *regset,
25277
25278 fpu__activate_fpstate_read(fpu);
25279
25280- xsave = &fpu->state.xsave;
25281+ xsave = &fpu->state->xsave;
25282
25283 /*
25284 * Copy the 48bytes defined by the software first into the xstate
25285@@ -113,7 +113,7 @@ int xstateregs_set(struct task_struct *target, const struct user_regset *regset,
25286
25287 fpu__activate_fpstate_write(fpu);
25288
25289- xsave = &fpu->state.xsave;
25290+ xsave = &fpu->state->xsave;
25291
25292 ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, xsave, 0, -1);
25293 /*
25294@@ -204,7 +204,7 @@ static inline u32 twd_fxsr_to_i387(struct fxregs_state *fxsave)
25295 void
25296 convert_from_fxsr(struct user_i387_ia32_struct *env, struct task_struct *tsk)
25297 {
25298- struct fxregs_state *fxsave = &tsk->thread.fpu.state.fxsave;
25299+ struct fxregs_state *fxsave = &tsk->thread.fpu.state->fxsave;
25300 struct _fpreg *to = (struct _fpreg *) &env->st_space[0];
25301 struct _fpxreg *from = (struct _fpxreg *) &fxsave->st_space[0];
25302 int i;
25303@@ -242,7 +242,7 @@ void convert_to_fxsr(struct task_struct *tsk,
25304 const struct user_i387_ia32_struct *env)
25305
25306 {
25307- struct fxregs_state *fxsave = &tsk->thread.fpu.state.fxsave;
25308+ struct fxregs_state *fxsave = &tsk->thread.fpu.state->fxsave;
25309 struct _fpreg *from = (struct _fpreg *) &env->st_space[0];
25310 struct _fpxreg *to = (struct _fpxreg *) &fxsave->st_space[0];
25311 int i;
25312@@ -280,7 +280,7 @@ int fpregs_get(struct task_struct *target, const struct user_regset *regset,
25313
25314 if (!cpu_has_fxsr)
25315 return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
25316- &fpu->state.fsave, 0,
25317+ &fpu->state->fsave, 0,
25318 -1);
25319
25320 fpstate_sanitize_xstate(fpu);
25321@@ -311,7 +311,7 @@ int fpregs_set(struct task_struct *target, const struct user_regset *regset,
25322
25323 if (!cpu_has_fxsr)
25324 return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
25325- &fpu->state.fsave, 0,
25326+ &fpu->state->fsave, 0,
25327 -1);
25328
25329 if (pos > 0 || count < sizeof(env))
25330@@ -326,7 +326,7 @@ int fpregs_set(struct task_struct *target, const struct user_regset *regset,
25331 * presence of FP.
25332 */
25333 if (cpu_has_xsave)
25334- fpu->state.xsave.header.xfeatures |= XSTATE_FP;
25335+ fpu->state->xsave.header.xfeatures |= XSTATE_FP;
25336 return ret;
25337 }
25338
25339diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
25340index 50ec9af..bb871ca 100644
25341--- a/arch/x86/kernel/fpu/signal.c
25342+++ b/arch/x86/kernel/fpu/signal.c
25343@@ -54,7 +54,7 @@ static inline int check_for_xstate(struct fxregs_state __user *buf,
25344 static inline int save_fsave_header(struct task_struct *tsk, void __user *buf)
25345 {
25346 if (use_fxsr()) {
25347- struct xregs_state *xsave = &tsk->thread.fpu.state.xsave;
25348+ struct xregs_state *xsave = &tsk->thread.fpu.state->xsave;
25349 struct user_i387_ia32_struct env;
25350 struct _fpstate_ia32 __user *fp = buf;
25351
25352@@ -83,18 +83,18 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame)
25353
25354 /* Setup the bytes not touched by the [f]xsave and reserved for SW. */
25355 sw_bytes = ia32_frame ? &fx_sw_reserved_ia32 : &fx_sw_reserved;
25356- err = __copy_to_user(&x->i387.sw_reserved, sw_bytes, sizeof(*sw_bytes));
25357+ err = __copy_to_user(x->i387.sw_reserved, sw_bytes, sizeof(*sw_bytes));
25358
25359 if (!use_xsave())
25360 return err;
25361
25362- err |= __put_user(FP_XSTATE_MAGIC2, (__u32 *)(buf + xstate_size));
25363+ err |= __put_user(FP_XSTATE_MAGIC2, (__u32 __user *)(buf + xstate_size));
25364
25365 /*
25366 * Read the xfeatures which we copied (directly from the cpu or
25367 * from the state in task struct) to the user buffers.
25368 */
25369- err |= __get_user(xfeatures, (__u32 *)&x->header.xfeatures);
25370+ err |= __get_user(xfeatures, (__u32 __user *)&x->header.xfeatures);
25371
25372 /*
25373 * For legacy compatible, we always set FP/SSE bits in the bit
25374@@ -109,7 +109,7 @@ static inline int save_xstate_epilog(void __user *buf, int ia32_frame)
25375 */
25376 xfeatures |= XSTATE_FPSSE;
25377
25378- err |= __put_user(xfeatures, (__u32 *)&x->header.xfeatures);
25379+ err |= __put_user(xfeatures, (__u32 __user *)&x->header.xfeatures);
25380
25381 return err;
25382 }
25383@@ -118,6 +118,7 @@ static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf)
25384 {
25385 int err;
25386
25387+ buf = (struct xregs_state __user *)____m(buf);
25388 if (use_xsave())
25389 err = copy_xregs_to_user(buf);
25390 else if (use_fxsr())
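Review bot: The reassignment `buf = (struct xregs_state __user *)____m(buf);` at the top of copy_fpregs_to_sigframe has no comment, and `____m` is not defined in any hunk of this file, so a reader cannot tell which address transformation the copy helpers below now depend on. The same line is added to copy_user_to_fpregs_zeroing in the `@@ -228,6 +229,7 @@` hunk. A one-line comment above each, for example `/* translate the user pointer for direct access by the FPU save/restore instructions; callers must have validated buf already */`, would state the precondition; that wording is a guess at the intent and should be confirmed against the macro's definition. The function body continues past this hunk.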
25391@@ -152,7 +153,7 @@ static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf)
25392 */
25393 int copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size)
25394 {
25395- struct xregs_state *xsave = &current->thread.fpu.state.xsave;
25396+ struct xregs_state *xsave = &current->thread.fpu.state->xsave;
25397 struct task_struct *tsk = current;
25398 int ia32_fxstate = (buf != buf_fx);
25399
25400@@ -195,7 +196,7 @@ sanitize_restored_xstate(struct task_struct *tsk,
25401 struct user_i387_ia32_struct *ia32_env,
25402 u64 xfeatures, int fx_only)
25403 {
25404- struct xregs_state *xsave = &tsk->thread.fpu.state.xsave;
25405+ struct xregs_state *xsave = &tsk->thread.fpu.state->xsave;
25406 struct xstate_header *header = &xsave->header;
25407
25408 if (use_xsave()) {
25409@@ -228,6 +229,7 @@ sanitize_restored_xstate(struct task_struct *tsk,
25410 */
25411 static inline int copy_user_to_fpregs_zeroing(void __user *buf, u64 xbv, int fx_only)
25412 {
25413+ buf = (void __user *)____m(buf);
25414 if (use_xsave()) {
25415 if ((unsigned long)buf % 64 || fx_only) {
25416 u64 init_bv = xfeatures_mask & ~XSTATE_FPSSE;
25417@@ -308,9 +310,9 @@ static int __fpu__restore_sig(void __user *buf, void __user *buf_fx, int size)
25418 */
25419 fpu__drop(fpu);
25420
25421- if (__copy_from_user(&fpu->state.xsave, buf_fx, state_size) ||
25422+ if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) ||
25423 __copy_from_user(&env, buf, sizeof(env))) {
25424- fpstate_init(&fpu->state);
25425+ fpstate_init(fpu->state);
25426 err = -1;
25427 } else {
25428 sanitize_restored_xstate(tsk, &env, xfeatures, fx_only);
25429diff --git a/arch/x86/kernel/fpu/xstate.c b/arch/x86/kernel/fpu/xstate.c
25430index 62fc001..5ce38be 100644
25431--- a/arch/x86/kernel/fpu/xstate.c
25432+++ b/arch/x86/kernel/fpu/xstate.c
25433@@ -93,14 +93,14 @@ EXPORT_SYMBOL_GPL(cpu_has_xfeatures);
25434 */
25435 void fpstate_sanitize_xstate(struct fpu *fpu)
25436 {
25437- struct fxregs_state *fx = &fpu->state.fxsave;
25438+ struct fxregs_state *fx = &fpu->state->fxsave;
25439 int feature_bit;
25440 u64 xfeatures;
25441
25442 if (!use_xsaveopt())
25443 return;
25444
25445- xfeatures = fpu->state.xsave.header.xfeatures;
25446+ xfeatures = fpu->state->xsave.header.xfeatures;
25447
25448 /*
25449 * None of the feature bits are in init state. So nothing else
25450@@ -402,7 +402,7 @@ void *get_xsave_addr(struct xregs_state *xsave, int xstate_feature)
25451 if (!boot_cpu_has(X86_FEATURE_XSAVE))
25452 return NULL;
25453
25454- xsave = &current->thread.fpu.state.xsave;
25455+ xsave = &current->thread.fpu.state->xsave;
25456 /*
25457 * We should not ever be requesting features that we
25458 * have not enabled. Remember that pcntxt_mask is
25459@@ -457,5 +457,5 @@ const void *get_xsave_field_ptr(int xsave_state)
25460 */
25461 fpu__save(fpu);
25462
25463- return get_xsave_addr(&fpu->state.xsave, xsave_state);
25464+ return get_xsave_addr(&fpu->state->xsave, xsave_state);
25465 }
25466diff --git a/arch/x86/kernel/ftrace.c b/arch/x86/kernel/ftrace.c
25467index 8b7b0a5..02219db 100644
25468--- a/arch/x86/kernel/ftrace.c
25469+++ b/arch/x86/kernel/ftrace.c
25470@@ -89,7 +89,7 @@ static unsigned long text_ip_addr(unsigned long ip)
25471 * kernel identity mapping to modify code.
25472 */
25473 if (within(ip, (unsigned long)_text, (unsigned long)_etext))
25474- ip = (unsigned long)__va(__pa_symbol(ip));
25475+ ip = (unsigned long)__va(__pa_symbol(ktla_ktva(ip)));
25476
25477 return ip;
25478 }
25479@@ -105,6 +105,8 @@ ftrace_modify_code_direct(unsigned long ip, unsigned const char *old_code,
25480 {
25481 unsigned char replaced[MCOUNT_INSN_SIZE];
25482
25483+ ip = ktla_ktva(ip);
25484+
25485 /*
25486 * Note: Due to modules and __init, code can
25487 * disappear and change, we need to protect against faulting
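Review bot: `ip = ktla_ktva(ip);` rewrites the parameter for the rest of ftrace_modify_code_direct, while the other hunks in this file wrap a single use instead (`(void *)ktla_ktva(ip)` in update_ftrace_func and add_break, and inside `__pa_symbol()` in text_ip_addr). With two conventions it is hard to check that every access to kernel text goes through the translation exactly once, and update_ftrace_func still stores the untranslated value in `ftrace_update_func`. A short comment here, such as `/* ip now holds the ktla_ktva()-translated address for all accesses below */`, and a matching note at the wrapped call sites would make the intended address form explicit. The rest of the function is outside this hunk.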
25488@@ -230,7 +232,7 @@ static int update_ftrace_func(unsigned long ip, void *new)
25489 unsigned char old[MCOUNT_INSN_SIZE];
25490 int ret;
25491
25492- memcpy(old, (void *)ip, MCOUNT_INSN_SIZE);
25493+ memcpy(old, (void *)ktla_ktva(ip), MCOUNT_INSN_SIZE);
25494
25495 ftrace_update_func = ip;
25496 /* Make sure the breakpoints see the ftrace_update_func update */
25497@@ -311,7 +313,7 @@ static int add_break(unsigned long ip, const char *old)
25498 unsigned char replaced[MCOUNT_INSN_SIZE];
25499 unsigned char brk = BREAKPOINT_INSTRUCTION;
25500
25501- if (probe_kernel_read(replaced, (void *)ip, MCOUNT_INSN_SIZE))
25502+ if (probe_kernel_read(replaced, (void *)ktla_ktva(ip), MCOUNT_INSN_SIZE))
25503 return -EFAULT;
25504
25505 /* Make sure it is what we expect it to be */
25506@@ -670,11 +672,11 @@ static unsigned char *ftrace_jmp_replace(unsigned long ip, unsigned long addr)
25507 /* Module allocation simplifies allocating memory for code */
25508 static inline void *alloc_tramp(unsigned long size)
25509 {
25510- return module_alloc(size);
25511+ return module_alloc_exec(size);
25512 }
25513 static inline void tramp_free(void *tramp)
25514 {
25515- module_memfree(tramp);
25516+ module_memfree_exec(tramp);
25517 }
25518 #else
25519 /* Trampolines can only be created if modules are supported */
25520@@ -753,7 +755,9 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
25521 *tramp_size = size + MCOUNT_INSN_SIZE + sizeof(void *);
25522
25523 /* Copy ftrace_caller onto the trampoline memory */
25524+ pax_open_kernel();
25525 ret = probe_kernel_read(trampoline, (void *)start_offset, size);
25526+ pax_close_kernel();
25527 if (WARN_ON(ret < 0)) {
25528 tramp_free(trampoline);
25529 return 0;
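Review bot: The `pax_open_kernel()` / `pax_close_kernel()` bracket around `probe_kernel_read(trampoline, ...)` is uncommented, and the second bracket in create_trampoline opens in the `@@ -763,6 +767,7 @@` hunk but closes in the `@@ -775,6 +780,7 @@` hunk, so its extent cannot be checked from either hunk alone. Each bracket should say what is being written and why it needs the window, e.g. `/* trampoline memory comes from alloc_tramp(); open the write window only for this copy */` (presumably the `module_alloc_exec()` memory is not writable by default). An early return added later between the second pair would leave the window open, so keeping that pair tight around the two stores is worth a comment too. The function starts before and continues after this hunk.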
25530@@ -763,6 +767,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
25531
25532 /* The trampoline ends with a jmp to ftrace_return */
25533 jmp = ftrace_jmp_replace(ip, (unsigned long)ftrace_return);
25534+ pax_open_kernel();
25535 memcpy(trampoline + size, jmp, MCOUNT_INSN_SIZE);
25536
25537 /*
25538@@ -775,6 +780,7 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
25539
25540 ptr = (unsigned long *)(trampoline + size + MCOUNT_INSN_SIZE);
25541 *ptr = (unsigned long)ops;
25542+ pax_close_kernel();
25543
25544 op_offset -= start_offset;
25545 memcpy(&op_ptr, trampoline + op_offset, OP_REF_SIZE);
25546@@ -792,7 +798,9 @@ create_trampoline(struct ftrace_ops *ops, unsigned int *tramp_size)
25547 op_ptr.offset = offset;
25548
25549 /* put in the new offset to the ftrace_ops */
25550+ pax_open_kernel();
25551 memcpy(trampoline + op_offset, &op_ptr, OP_REF_SIZE);
25552+ pax_close_kernel();
25553
25554 /* ALLOC_TRAMP flags lets us know we created it */
25555 ops->flags |= FTRACE_OPS_FL_ALLOC_TRAMP;
25556diff --git a/arch/x86/kernel/head64.c b/arch/x86/kernel/head64.c
25557index f129a9a..af8f6da 100644
25558--- a/arch/x86/kernel/head64.c
25559+++ b/arch/x86/kernel/head64.c
25560@@ -68,12 +68,12 @@ again:
25561 pgd = *pgd_p;
25562
25563 /*
25564- * The use of __START_KERNEL_map rather than __PAGE_OFFSET here is
25565- * critical -- __PAGE_OFFSET would point us back into the dynamic
25566+ * The use of __early_va rather than __va here is critical:
25567+ * __va would point us back into the dynamic
25568 * range and we might end up looping forever...
25569 */
25570 if (pgd)
25571- pud_p = (pudval_t *)((pgd & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
25572+ pud_p = (pudval_t *)(__early_va(pgd & PTE_PFN_MASK));
25573 else {
25574 if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) {
25575 reset_early_page_tables();
25576@@ -83,13 +83,13 @@ again:
25577 pud_p = (pudval_t *)early_dynamic_pgts[next_early_pgt++];
25578 for (i = 0; i < PTRS_PER_PUD; i++)
25579 pud_p[i] = 0;
25580- *pgd_p = (pgdval_t)pud_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE;
25581+ *pgd_p = (pgdval_t)__pa(pud_p) + _KERNPG_TABLE;
25582 }
25583 pud_p += pud_index(address);
25584 pud = *pud_p;
25585
25586 if (pud)
25587- pmd_p = (pmdval_t *)((pud & PTE_PFN_MASK) + __START_KERNEL_map - phys_base);
25588+ pmd_p = (pmdval_t *)(__early_va(pud & PTE_PFN_MASK));
25589 else {
25590 if (next_early_pgt >= EARLY_DYNAMIC_PAGE_TABLES) {
25591 reset_early_page_tables();
25592@@ -99,7 +99,7 @@ again:
25593 pmd_p = (pmdval_t *)early_dynamic_pgts[next_early_pgt++];
25594 for (i = 0; i < PTRS_PER_PMD; i++)
25595 pmd_p[i] = 0;
25596- *pud_p = (pudval_t)pmd_p - __START_KERNEL_map + phys_base + _KERNPG_TABLE;
25597+ *pud_p = (pudval_t)__pa(pmd_p) + _KERNPG_TABLE;
25598 }
25599 pmd = (physaddr & PMD_MASK) + early_pmd_flags;
25600 pmd_p[pmd_index(address)] = pmd;
25601@@ -163,8 +163,6 @@ asmlinkage __visible void __init x86_64_start_kernel(char * real_mode_data)
25602
25603 clear_bss();
25604
25605- clear_page(init_level4_pgt);
25606-
25607 kasan_early_init();
25608
25609 for (i = 0; i < NUM_EXCEPTION_VECTORS; i++)
25610diff --git a/arch/x86/kernel/head_32.S b/arch/x86/kernel/head_32.S
25611index 0e2d96f..5889003 100644
25612--- a/arch/x86/kernel/head_32.S
25613+++ b/arch/x86/kernel/head_32.S
25614@@ -27,6 +27,12 @@
25615 /* Physical address */
25616 #define pa(X) ((X) - __PAGE_OFFSET)
25617
25618+#ifdef CONFIG_PAX_KERNEXEC
25619+#define ta(X) (X)
25620+#else
25621+#define ta(X) ((X) - __PAGE_OFFSET)
25622+#endif
25623+
25624 /*
25625 * References to members of the new_cpu_data structure.
25626 */
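Review bot: The new `ta(X)` macro has no comment, unlike `pa(X)` directly above it, which is labelled `/* Physical address */`. Its two definitions differ by `__PAGE_OFFSET` depending on `CONFIG_PAX_KERNEXEC`, and the `subarch_entries` table in the `@@ -269,10 +348,10 @@` hunk now stores `ta(...)` values that are jumped to directly, so the reader needs to know which address form the macro yields. Something like `/* Text address as used by the early indirect jmp: link address under KERNEXEC, physical otherwise */` would do, with the wording checked against the segment setup later in the file.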
25627@@ -56,11 +62,7 @@
25628 * and small than max_low_pfn, otherwise will waste some page table entries
25629 */
25630
25631-#if PTRS_PER_PMD > 1
25632-#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
25633-#else
25634-#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
25635-#endif
25636+#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
25637
25638 /*
25639 * Number of possible pages in the lowmem region.
25640@@ -86,6 +88,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_PAGES) * PAGE_SIZE
25641 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
25642
25643 /*
25644+ * Real beginning of normal "text" segment
25645+ */
25646+ENTRY(stext)
25647+ENTRY(_stext)
25648+
25649+/*
25650 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
25651 * %esi points to the real-mode code as a 32-bit pointer.
25652 * CS and DS must be 4 GB flat segments, but we don't depend on
25653@@ -93,6 +101,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
25654 * can.
25655 */
25656 __HEAD
25657+
25658+#ifdef CONFIG_PAX_KERNEXEC
25659+ jmp startup_32
25660+/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
25661+.fill PAGE_SIZE-5,1,0xcc
25662+#endif
25663+
25664 ENTRY(startup_32)
25665 movl pa(stack_start),%ecx
25666
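Review bot: `.fill PAGE_SIZE-5,1,0xcc` depends on the preceding `jmp startup_32` assembling to exactly five bytes, which nothing here states or enforces. If the assembler ever picks a different encoding, `startup_32` silently stops being page-aligned. Padding to the boundary from a label avoids the constant, e.g. a label before the `jmp` and `.org label + PAGE_SIZE, 0xcc` after it, or at least add `/* 5 = size of the near jmp above */`. The hunk ends inside startup_32, whose body continues beyond it.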
25667@@ -114,6 +129,66 @@ ENTRY(startup_32)
25668 2:
25669 leal -__PAGE_OFFSET(%ecx),%esp
25670
25671+#ifdef CONFIG_SMP
25672+ movl $pa(cpu_gdt_table),%edi
25673+ movl $__per_cpu_load,%eax
25674+ movw %ax,GDT_ENTRY_PERCPU * 8 + 2(%edi)
25675+ rorl $16,%eax
25676+ movb %al,GDT_ENTRY_PERCPU * 8 + 4(%edi)
25677+ movb %ah,GDT_ENTRY_PERCPU * 8 + 7(%edi)
25678+ movl $__per_cpu_end - 1,%eax
25679+ subl $__per_cpu_start,%eax
25680+ cmpl $0x100000,%eax
25681+ jb 1f
25682+ shrl $PAGE_SHIFT,%eax
25683+ orb $0x80,GDT_ENTRY_PERCPU * 8 + 6(%edi)
25684+1:
25685+ movw %ax,GDT_ENTRY_PERCPU * 8 + 0(%edi)
25686+ shrl $16,%eax
25687+ orb %al,GDT_ENTRY_PERCPU * 8 + 6(%edi)
25688+#endif
25689+
25690+#ifdef CONFIG_PAX_MEMORY_UDEREF
25691+ movl $NR_CPUS,%ecx
25692+ movl $pa(cpu_gdt_table),%edi
25693+1:
25694+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
25695+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
25696+ movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
25697+ addl $PAGE_SIZE_asm,%edi
25698+ loop 1b
25699+#endif
25700+
25701+#ifdef CONFIG_PAX_KERNEXEC
25702+ movl $pa(boot_gdt),%edi
25703+ movl $__LOAD_PHYSICAL_ADDR,%eax
25704+ movw %ax,GDT_ENTRY_BOOT_CS * 8 + 2(%edi)
25705+ rorl $16,%eax
25706+ movb %al,GDT_ENTRY_BOOT_CS * 8 + 4(%edi)
25707+ movb %ah,GDT_ENTRY_BOOT_CS * 8 + 7(%edi)
25708+ rorl $16,%eax
25709+
25710+ ljmp $(__BOOT_CS),$1f
25711+1:
25712+
25713+ movl $NR_CPUS,%ecx
25714+ movl $pa(cpu_gdt_table),%edi
25715+ addl $__PAGE_OFFSET,%eax
25716+1:
25717+ movb $0xc0,GDT_ENTRY_KERNEL_CS * 8 + 6(%edi)
25718+ movb $0xc0,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 6(%edi)
25719+ movw %ax,GDT_ENTRY_KERNEL_CS * 8 + 2(%edi)
25720+ movw %ax,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 2(%edi)
25721+ rorl $16,%eax
25722+ movb %al,GDT_ENTRY_KERNEL_CS * 8 + 4(%edi)
25723+ movb %al,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 4(%edi)
25724+ movb %ah,GDT_ENTRY_KERNEL_CS * 8 + 7(%edi)
25725+ movb %ah,GDT_ENTRY_KERNEXEC_KERNEL_CS * 8 + 7(%edi)
25726+ rorl $16,%eax
25727+ addl $PAGE_SIZE_asm,%edi
25728+ loop 1b
25729+#endif
25730+
25731 /*
25732 * Clear BSS first so that there are no surprises...
25733 */
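Review bot: The three added blocks patch GDT descriptors with bare constants and no comments: `0x00c09700`, `0x00c0fb00` and `0x00c0f300` in the UDEREF loop, `$0x100000` and `$0x80` in the per-cpu limit code, and `$0xc0` in the KERNEXEC loop. The KERNEXEC block also relies on `%eax` still holding `__LOAD_PHYSICAL_ADDR` across the `ljmp` (the second `rorl $16` restores it), and the numeric label `1:` is reused four times in this hunk. A comment per block naming the descriptor field being written (base 15:0 at offset 2, base 23:16 at offset 4, base 31:24 at offset 7, limit and granularity at offsets 0 and 6) and a note such as `/* %eax = __LOAD_PHYSICAL_ADDR again after the second rorl */` would make these descriptor edits reviewable. The surrounding startup_32 code lies outside the hunk.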
25734@@ -209,8 +284,11 @@ ENTRY(startup_32)
25735 movl %eax, pa(max_pfn_mapped)
25736
25737 /* Do early initialization of the fixmap area */
25738- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
25739- movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
25740+#ifdef CONFIG_COMPAT_VDSO
25741+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
25742+#else
25743+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
25744+#endif
25745 #else /* Not PAE */
25746
25747 page_pde_offset = (__PAGE_OFFSET >> 20);
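Review bot: Under `CONFIG_COMPAT_VDSO` the fixmap page-directory entry now carries `_PAGE_USER`, and nothing in the hunk says why. With the user bit set at directory level, the page-table entries below it are the only thing keeping the rest of the fixmap supervisor-only, which is worth stating next to the store; the non-PAE variant in the `@@ -240,8 +318,11 @@` hunk has the same gap. A comment such as `/* COMPAT_VDSO needs user access through this PDE; the PTEs below must keep everything else supervisor-only */` would record the intent, assuming that is the reason.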
25748@@ -240,8 +318,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
25749 movl %eax, pa(max_pfn_mapped)
25750
25751 /* Do early initialization of the fixmap area */
25752- movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
25753- movl %eax,pa(initial_page_table+0xffc)
25754+#ifdef CONFIG_COMPAT_VDSO
25755+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
25756+#else
25757+ movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
25758+#endif
25759 #endif
25760
25761 #ifdef CONFIG_PARAVIRT
25762@@ -255,9 +336,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
25763 cmpl $num_subarch_entries, %eax
25764 jae bad_subarch
25765
25766- movl pa(subarch_entries)(,%eax,4), %eax
25767- subl $__PAGE_OFFSET, %eax
25768- jmp *%eax
25769+ jmp *pa(subarch_entries)(,%eax,4)
25770
25771 bad_subarch:
25772 WEAK(lguest_entry)
25773@@ -269,10 +348,10 @@ WEAK(xen_entry)
25774 __INITDATA
25775
25776 subarch_entries:
25777- .long default_entry /* normal x86/PC */
25778- .long lguest_entry /* lguest hypervisor */
25779- .long xen_entry /* Xen hypervisor */
25780- .long default_entry /* Moorestown MID */
25781+ .long ta(default_entry) /* normal x86/PC */
25782+ .long ta(lguest_entry) /* lguest hypervisor */
25783+ .long ta(xen_entry) /* Xen hypervisor */
25784+ .long ta(default_entry) /* Moorestown MID */
25785 num_subarch_entries = (. - subarch_entries) / 4
25786 .previous
25787 #else
25788@@ -362,6 +441,7 @@ default_entry:
25789 movl pa(mmu_cr4_features),%eax
25790 movl %eax,%cr4
25791
25792+#ifdef CONFIG_X86_PAE
25793 testb $X86_CR4_PAE, %al # check if PAE is enabled
25794 jz enable_paging
25795
25796@@ -390,6 +470,9 @@ default_entry:
25797 /* Make changes effective */
25798 wrmsr
25799
25800+ btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
25801+#endif
25802+
25803 enable_paging:
25804
25805 /*
25806@@ -457,14 +540,20 @@ is486:
25807 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
25808 movl %eax,%ss # after changing gdt.
25809
25810- movl $(__USER_DS),%eax # DS/ES contains default USER segment
25811+# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
25812 movl %eax,%ds
25813 movl %eax,%es
25814
25815 movl $(__KERNEL_PERCPU), %eax
25816 movl %eax,%fs # set this cpu's percpu
25817
25818+#ifdef CONFIG_CC_STACKPROTECTOR
25819 movl $(__KERNEL_STACK_CANARY),%eax
25820+#elif defined(CONFIG_PAX_MEMORY_UDEREF)
25821+ movl $(__USER_DS),%eax
25822+#else
25823+ xorl %eax,%eax
25824+#endif
25825 movl %eax,%gs
25826
25827 xorl %eax,%eax # Clear LDT
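Review bot: The replacement for the `__USER_DS` load is a commented-out instruction, `# movl $(__KERNEL_DS),%eax`, so `%ds` and `%es` are now loaded from whatever `%eax` held for the `%ss` load two lines earlier. That works only while the `movl $(__KERNEL_DS),%eax` above stays adjacent; say so in words instead of dead code, e.g. `# %eax still holds __KERNEL_DS from the %ss load: DS/ES use the kernel segment`. In the `%gs` block, the `CONFIG_PAX_MEMORY_UDEREF` branch loading `__USER_DS` and the fallback `xorl %eax,%eax` also deserve a line each on why that selector is chosen.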
25828@@ -521,8 +610,11 @@ setup_once:
25829 * relocation. Manually set base address in stack canary
25830 * segment descriptor.
25831 */
25832- movl $gdt_page,%eax
25833+ movl $cpu_gdt_table,%eax
25834 movl $stack_canary,%ecx
25835+#ifdef CONFIG_SMP
25836+ addl $__per_cpu_load,%ecx
25837+#endif
25838 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
25839 shrl $16, %ecx
25840 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
25841@@ -559,7 +651,7 @@ early_idt_handler_common:
25842 cmpl $2,(%esp) # X86_TRAP_NMI
25843 je .Lis_nmi # Ignore NMI
25844
25845- cmpl $2,%ss:early_recursion_flag
25846+ cmpl $1,%ss:early_recursion_flag
25847 je hlt_loop
25848 incl %ss:early_recursion_flag
25849
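Review bot: early_idt_handler_common now halts when `early_recursion_flag` reaches 1 (`cmpl $1,%ss:early_recursion_flag`), while ignore_int in the `@@ -618,8 +710,11 @@` hunk tests the same flag against 2. Both handlers increment the one counter, so the two limits interact, and no comment explains the difference. If the intent is that a nested early exception halts immediately while ignore_int tolerates one more entry, state that beside each compare, for example `# halt on the first nested early exception`; otherwise use a single named constant for both.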
25850@@ -597,8 +689,8 @@ early_idt_handler_common:
25851 pushl (20+6*4)(%esp) /* trapno */
25852 pushl $fault_msg
25853 call printk
25854-#endif
25855 call dump_stack
25856+#endif
25857 hlt_loop:
25858 hlt
25859 jmp hlt_loop
25860@@ -618,8 +710,11 @@ ENDPROC(early_idt_handler_common)
25861 /* This is the default interrupt "handler" :-) */
25862 ALIGN
25863 ignore_int:
25864- cld
25865 #ifdef CONFIG_PRINTK
25866+ cmpl $2,%ss:early_recursion_flag
25867+ je hlt_loop
25868+ incl %ss:early_recursion_flag
25869+ cld
25870 pushl %eax
25871 pushl %ecx
25872 pushl %edx
25873@@ -628,9 +723,6 @@ ignore_int:
25874 movl $(__KERNEL_DS),%eax
25875 movl %eax,%ds
25876 movl %eax,%es
25877- cmpl $2,early_recursion_flag
25878- je hlt_loop
25879- incl early_recursion_flag
25880 pushl 16(%esp)
25881 pushl 24(%esp)
25882 pushl 32(%esp)
25883@@ -664,29 +756,34 @@ ENTRY(setup_once_ref)
25884 /*
25885 * BSS section
25886 */
25887-__PAGE_ALIGNED_BSS
25888- .align PAGE_SIZE
25889 #ifdef CONFIG_X86_PAE
25890+.section .initial_pg_pmd,"a",@progbits
25891 initial_pg_pmd:
25892 .fill 1024*KPMDS,4,0
25893 #else
25894+.section .initial_page_table,"a",@progbits
25895 ENTRY(initial_page_table)
25896 .fill 1024,4,0
25897 #endif
25898+.section .initial_pg_fixmap,"a",@progbits
25899 initial_pg_fixmap:
25900 .fill 1024,4,0
25901+.section .empty_zero_page,"a",@progbits
25902 ENTRY(empty_zero_page)
25903 .fill 4096,1,0
25904+.section .swapper_pg_dir,"a",@progbits
25905 ENTRY(swapper_pg_dir)
25906+#ifdef CONFIG_X86_PAE
25907+ .fill 4,8,0
25908+#else
25909 .fill 1024,4,0
25910+#endif
25911
25912 /*
25913 * This starts the data section.
25914 */
25915 #ifdef CONFIG_X86_PAE
25916-__PAGE_ALIGNED_DATA
25917- /* Page-aligned for the benefit of paravirt? */
25918- .align PAGE_SIZE
25919+.section .initial_page_table,"a",@progbits
25920 ENTRY(initial_page_table)
25921 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
25922 # if KPMDS == 3
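Review bot: The hunk drops `__PAGE_ALIGNED_BSS` / `.align PAGE_SIZE` and `__PAGE_ALIGNED_DATA` / `.align PAGE_SIZE` and puts each table in its own section, so the page alignment of `initial_pg_pmd`, `initial_page_table`, `initial_pg_fixmap`, `empty_zero_page` and `swapper_pg_dir` now depends entirely on the linker script, which is not part of this hunk. The new sections are also `"a",@progbits`, so the zero-filled tables presumably take space in the image instead of BSS. Keeping an explicit `.align PAGE_SIZE` after each `.section` line costs nothing and keeps page-table alignment from depending on a separate file. A comment naming the linker-script entries that place these sections would help as well.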
25923@@ -705,12 +802,20 @@ ENTRY(initial_page_table)
25924 # error "Kernel PMDs should be 1, 2 or 3"
25925 # endif
25926 .align PAGE_SIZE /* needs to be page-sized too */
25927+
25928+#ifdef CONFIG_PAX_PER_CPU_PGD
25929+ENTRY(cpu_pgd)
25930+ .rept 2*NR_CPUS
25931+ .fill 4,8,0
25932+ .endr
25933+#endif
25934+
25935 #endif
25936
25937 .data
25938 .balign 4
25939 ENTRY(stack_start)
25940- .long init_thread_union+THREAD_SIZE
25941+ .long init_thread_union+THREAD_SIZE-8
25942
25943 __INITRODATA
25944 int_msg:
25945@@ -738,7 +843,7 @@ fault_msg:
25946 * segment size, and 32-bit linear address value:
25947 */
25948
25949- .data
25950+.section .rodata,"a",@progbits
25951 .globl boot_gdt_descr
25952 .globl idt_descr
25953
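Review bot: Switching from `.data` to `.section .rodata,"a",@progbits` here moves the descriptors that follow into read-only data, and, unless a section directive outside these hunks intervenes, that includes `early_gdt_descr`, whose comment in the `@@ -758,7 +863,7 @@` hunk still reads `/* Overwritten for secondary CPUs */`. Whatever code performs that overwrite is not visible here and would have to run inside a kernel write window or before write protection is applied. The comment should be updated to say how the write is permitted, e.g. `/* Overwritten for secondary CPUs (now in .rodata: the writer must open a kernel write window) */`.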
25954@@ -747,7 +852,7 @@ fault_msg:
25955 .word 0 # 32 bit align gdt_desc.address
25956 boot_gdt_descr:
25957 .word __BOOT_DS+7
25958- .long boot_gdt - __PAGE_OFFSET
25959+ .long pa(boot_gdt)
25960
25961 .word 0 # 32-bit align idt_desc.address
25962 idt_descr:
25963@@ -758,7 +863,7 @@ idt_descr:
25964 .word 0 # 32 bit align gdt_desc.address
25965 ENTRY(early_gdt_descr)
25966 .word GDT_ENTRIES*8-1
25967- .long gdt_page /* Overwritten for secondary CPUs */
25968+ .long cpu_gdt_table /* Overwritten for secondary CPUs */
25969
25970 /*
25971 * The boot_gdt must mirror the equivalent in setup.S and is
25972@@ -767,5 +872,65 @@ ENTRY(early_gdt_descr)
25973 .align L1_CACHE_BYTES
25974 ENTRY(boot_gdt)
25975 .fill GDT_ENTRY_BOOT_CS,8,0
25976- .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
25977- .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
25978+ .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
25979+ .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
25980+
25981+ .align PAGE_SIZE_asm
25982+ENTRY(cpu_gdt_table)
25983+ .rept NR_CPUS
25984+ .quad 0x0000000000000000 /* NULL descriptor */
25985+ .quad 0x0000000000000000 /* 0x0b reserved */
25986+ .quad 0x0000000000000000 /* 0x13 reserved */
25987+ .quad 0x0000000000000000 /* 0x1b reserved */
25988+
25989+#ifdef CONFIG_PAX_KERNEXEC
25990+ .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
25991+#else
25992+ .quad 0x0000000000000000 /* 0x20 unused */
25993+#endif
25994+
25995+ .quad 0x0000000000000000 /* 0x28 unused */
25996+ .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
25997+ .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
25998+ .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
25999+ .quad 0x0000000000000000 /* 0x4b reserved */
26000+ .quad 0x0000000000000000 /* 0x53 reserved */
26001+ .quad 0x0000000000000000 /* 0x5b reserved */
26002+
26003+ .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
26004+ .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
26005+ .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
26006+ .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
26007+
26008+ .quad 0x0000000000000000 /* 0x80 TSS descriptor */
26009+ .quad 0x0000000000000000 /* 0x88 LDT descriptor */
26010+
26011+ /*
26012+ * Segments used for calling PnP BIOS have byte granularity.
26013+ * The code segments and data segments have fixed 64k limits,
26014+ * the transfer segment sizes are set at run time.
26015+ */
26016+ .quad 0x00409b000000ffff /* 0x90 32-bit code */
26017+ .quad 0x00009b000000ffff /* 0x98 16-bit code */
26018+ .quad 0x000093000000ffff /* 0xa0 16-bit data */
26019+ .quad 0x0000930000000000 /* 0xa8 16-bit data */
26020+ .quad 0x0000930000000000 /* 0xb0 16-bit data */
26021+
26022+ /*
26023+ * The APM segments have byte granularity and their bases
26024+ * are set at run time. All have 64k limits.
26025+ */
26026+ .quad 0x00409b000000ffff /* 0xb8 APM CS code */
26027+ .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
26028+ .quad 0x004093000000ffff /* 0xc8 APM DS data */
26029+
26030+ .quad 0x00c093000000ffff /* 0xd0 - ESPFIX SS */
26031+ .quad 0x0040930000000000 /* 0xd8 - PERCPU */
26032+ .quad 0x0040910000000017 /* 0xe0 - STACK_CANARY */
26033+ .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
26034+ .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
26035+ .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
26036+
26037+ /* Be sure this is zeroed to avoid false validations in Xen */
26038+ .fill PAGE_SIZE_asm - GDT_SIZE,1,0
26039+ .endr
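Review bot: The descriptor type bytes change from `9a`/`92` to `9b`/`93` in `boot_gdt`, and every present segment in the new `cpu_gdt_table` likewise has the accessed bit preset, but no comment says so. Presumably this is so the CPU never has to write the accessed bit into a GDT that now sits in read-only data; a line such as `/* accessed bit preset: the GDT is read-only, the CPU must not need to update it */` above `ENTRY(cpu_gdt_table)` would record that, if confirmed. The trailing `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` also assumes the 32 quads above add up to `GDT_SIZE`; an assembler-time size check on the per-CPU block would catch drift when an entry is added.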
26040diff --git a/arch/x86/kernel/head_64.S b/arch/x86/kernel/head_64.S
26041index 1d40ca8..4d38dbd 100644
26042--- a/arch/x86/kernel/head_64.S
26043+++ b/arch/x86/kernel/head_64.S
26044@@ -20,6 +20,8 @@
26045 #include <asm/processor-flags.h>
26046 #include <asm/percpu.h>
26047 #include <asm/nops.h>
26048+#include <asm/cpufeature.h>
26049+#include <asm/alternative-asm.h>
26050
26051 #ifdef CONFIG_PARAVIRT
26052 #include <asm/asm-offsets.h>
26053@@ -41,6 +43,12 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET)
26054 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
26055 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
26056 L3_START_KERNEL = pud_index(__START_KERNEL_map)
26057+L4_VMALLOC_START = pgd_index(VMALLOC_START)
26058+L3_VMALLOC_START = pud_index(VMALLOC_START)
26059+L4_VMALLOC_END = pgd_index(VMALLOC_END)
26060+L3_VMALLOC_END = pud_index(VMALLOC_END)
26061+L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
26062+L3_VMEMMAP_START = pud_index(VMEMMAP_START)
26063
26064 .text
26065 __HEAD
26066@@ -89,11 +97,33 @@ startup_64:
26067 * Fixup the physical addresses in the page table
26068 */
26069 addq %rbp, early_level4_pgt + (L4_START_KERNEL*8)(%rip)
26070+ addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
26071+ addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
26072+ addq %rbp, init_level4_pgt + (L4_VMALLOC_END*8)(%rip)
26073+ addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
26074+ addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
26075
26076- addq %rbp, level3_kernel_pgt + (510*8)(%rip)
26077- addq %rbp, level3_kernel_pgt + (511*8)(%rip)
26078+ addq %rbp, level3_ident_pgt + (0*8)(%rip)
26079+#ifndef CONFIG_XEN
26080+ addq %rbp, level3_ident_pgt + (1*8)(%rip)
26081+#endif
26082
26083+ addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
26084+
26085+ addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
26086+ addq %rbp, level3_kernel_pgt + ((L3_START_KERNEL+1)*8)(%rip)
26087+
26088+ addq %rbp, level2_ident_pgt + (0*8)(%rip)
26089+
26090+ addq %rbp, level2_fixmap_pgt + (0*8)(%rip)
26091+ addq %rbp, level2_fixmap_pgt + (1*8)(%rip)
26092+ addq %rbp, level2_fixmap_pgt + (2*8)(%rip)
26093+ addq %rbp, level2_fixmap_pgt + (3*8)(%rip)
26094+
26095+ addq %rbp, level2_fixmap_pgt + (504*8)(%rip)
26096+ addq %rbp, level2_fixmap_pgt + (505*8)(%rip)
26097 addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
26098+ addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
26099
26100 /*
26101 * Set up the identity mapping for the switchover. These
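Review bot: The fixups for `level2_fixmap_pgt` use literal slot numbers (`0*8` to `3*8` and `504*8` to `507*8`), and the same four high slots are repeated by hand in the `btsq $_PAGE_BIT_NX` list of the `@@ -199,10 +230,21 @@` hunk. The table definition itself is outside the visible hunks, so nothing here ties these numbers to its layout; a slot added or moved there would leave a page-table entry unrelocated or without NX, and nothing would flag it. Naming the slots with assembler symbols next to the existing `L4_*`/`L3_*` definitions, and using them in both places, would keep the sites in step.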
26102@@ -174,11 +204,12 @@ ENTRY(secondary_startup_64)
26103 * after the boot processor executes this code.
26104 */
26105
26106+ orq $-1, %rbp
26107 movq $(init_level4_pgt - __START_KERNEL_map), %rax
26108 1:
26109
26110- /* Enable PAE mode and PGE */
26111- movl $(X86_CR4_PAE | X86_CR4_PGE), %ecx
26112+ /* Enable PAE mode and PSE/PGE */
26113+ movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %ecx
26114 movq %rcx, %cr4
26115
26116 /* Setup early boot stage 4 level pagetables. */
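Review bot: `orq $-1, %rbp` turns `%rbp` into a marker for entry via secondary_startup_64, which the `cmpq $-1, %rbp` / `je 1f` pair in the `@@ -199,10 +230,21 @@` hunk uses to skip the NX page-table updates, but neither site is commented. On the startup_64 path `%rbp` holds the value added to the page-table entries in the fixup hunk above, so the register carries two meanings. Add `/* %rbp == -1 marks entry via secondary_startup_64: skip the one-time page-table NX updates */` here and a matching line at the compare; the wording assumes that is the reason for the skip. `X86_CR4_PSE` is also added to the CR4 value with only the comment text changed, and a word on why PSE is needed would help.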
26117@@ -199,10 +230,21 @@ ENTRY(secondary_startup_64)
26118 movl $MSR_EFER, %ecx
26119 rdmsr
26120 btsl $_EFER_SCE, %eax /* Enable System Call */
26121- btl $20,%edi /* No Execute supported? */
26122+ btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
26123 jnc 1f
26124 btsl $_EFER_NX, %eax
26125+ cmpq $-1, %rbp
26126+ je 1f
26127 btsq $_PAGE_BIT_NX,early_pmd_flags(%rip)
26128+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_PAGE_OFFSET(%rip)
26129+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_START(%rip)
26130+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMALLOC_END(%rip)
26131+ btsq $_PAGE_BIT_NX, init_level4_pgt + 8*L4_VMEMMAP_START(%rip)
26132+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*504(%rip)
26133+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*505(%rip)
26134+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*506(%rip)
26135+ btsq $_PAGE_BIT_NX, level2_fixmap_pgt + 8*507(%rip)
26136+ btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
26137 1: wrmsr /* Make changes effective */
26138
26139 /* Setup cr0 */
26140@@ -282,6 +324,7 @@ ENTRY(secondary_startup_64)
26141 * REX.W + FF /5 JMP m16:64 Jump far, absolute indirect,
26142 * address given in m16:64.
26143 */
26144+ pax_set_fptr_mask
26145 movq initial_code(%rip),%rax
26146 pushq $0 # fake return address to stop unwinder
26147 pushq $__KERNEL_CS # set correct cs
26148@@ -313,7 +356,7 @@ ENDPROC(start_cpu0)
26149 .quad INIT_PER_CPU_VAR(irq_stack_union)
26150
26151 GLOBAL(stack_start)
26152- .quad init_thread_union+THREAD_SIZE-8
26153+ .quad init_thread_union+THREAD_SIZE-16
26154 .word 0
26155 __FINITDATA
26156
26157@@ -393,7 +436,7 @@ early_idt_handler_common:
26158 call dump_stack
26159 #ifdef CONFIG_KALLSYMS
26160 leaq early_idt_ripmsg(%rip),%rdi
26161- movq 40(%rsp),%rsi # %rip again
26162+ movq 88(%rsp),%rsi # %rip again
26163 call __print_symbol
26164 #endif
26165 #endif /* EARLY_PRINTK */
26166@@ -422,6 +465,7 @@ ENDPROC(early_idt_handler_common)
26167 early_recursion_flag:
26168 .long 0
26169
26170+ .section .rodata,"a",@progbits
26171 #ifdef CONFIG_EARLY_PRINTK
26172 early_idt_msg:
26173 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
26174@@ -444,40 +488,67 @@ GLOBAL(name)
26175 __INITDATA
26176 NEXT_PAGE(early_level4_pgt)
26177 .fill 511,8,0
26178- .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
26179+ .quad level3_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
26180
26181 NEXT_PAGE(early_dynamic_pgts)
26182 .fill 512*EARLY_DYNAMIC_PAGE_TABLES,8,0
26183
26184- .data
26185+ .section .rodata,"a",@progbits
26186
26187-#ifndef CONFIG_XEN
26188 NEXT_PAGE(init_level4_pgt)
26189- .fill 512,8,0
26190-#else
26191-NEXT_PAGE(init_level4_pgt)
26192- .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26193 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
26194 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26195+ .org init_level4_pgt + L4_VMALLOC_START*8, 0
26196+ .quad level3_vmalloc_start_pgt - __START_KERNEL_map + _KERNPG_TABLE
26197+ .org init_level4_pgt + L4_VMALLOC_END*8, 0
26198+ .quad level3_vmalloc_end_pgt - __START_KERNEL_map + _KERNPG_TABLE
26199+ .org init_level4_pgt + L4_VMEMMAP_START*8, 0
26200+ .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
26201 .org init_level4_pgt + L4_START_KERNEL*8, 0
26202 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
26203- .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
26204+ .quad level3_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
26205+
26206+#ifdef CONFIG_PAX_PER_CPU_PGD
26207+NEXT_PAGE(cpu_pgd)
26208+ .rept 2*NR_CPUS
26209+ .fill 512,8,0
26210+ .endr
26211+#endif
26212
26213 NEXT_PAGE(level3_ident_pgt)
26214 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26215+#ifdef CONFIG_XEN
26216 .fill 511, 8, 0
26217+#else
26218+ .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
26219+ .fill 510,8,0
26220+#endif
26221+
26222+NEXT_PAGE(level3_vmalloc_start_pgt)
26223+ .fill 512,8,0
26224+
26225+NEXT_PAGE(level3_vmalloc_end_pgt)
26226+ .fill 512,8,0
26227+
26228+NEXT_PAGE(level3_vmemmap_pgt)
26229+ .fill L3_VMEMMAP_START,8,0
26230+ .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
26231+
26232 NEXT_PAGE(level2_ident_pgt)
26233- /* Since I easily can, map the first 1G.
26234+ .quad level1_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
26235+ /* Since I easily can, map the first 2G.
26236 * Don't set NX because code runs from these pages.
26237 */
26238- PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
26239-#endif
26240+ PMDS(PMD_SIZE, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD - 1)
26241
26242 NEXT_PAGE(level3_kernel_pgt)
26243 .fill L3_START_KERNEL,8,0
26244 /* (2^48-(2*1024*1024*1024)-((2^39)*511))/(2^30) = 510 */
26245 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
26246- .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
26247+ .quad level2_fixmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
26248+
26249+NEXT_PAGE(level2_vmemmap_pgt)
26250+ .fill 512,8,0
26251
26252 NEXT_PAGE(level2_kernel_pgt)
26253 /*
26254@@ -494,31 +565,79 @@ NEXT_PAGE(level2_kernel_pgt)
26255 KERNEL_IMAGE_SIZE/PMD_SIZE)
26256
26257 NEXT_PAGE(level2_fixmap_pgt)
26258- .fill 506,8,0
26259- .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
26260- /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
26261- .fill 5,8,0
26262+ .quad level1_modules_pgt - __START_KERNEL_map + 0 * PAGE_SIZE + _KERNPG_TABLE
26263+ .quad level1_modules_pgt - __START_KERNEL_map + 1 * PAGE_SIZE + _KERNPG_TABLE
26264+ .quad level1_modules_pgt - __START_KERNEL_map + 2 * PAGE_SIZE + _KERNPG_TABLE
26265+ .quad level1_modules_pgt - __START_KERNEL_map + 3 * PAGE_SIZE + _KERNPG_TABLE
26266+ .fill 500,8,0
26267+ .quad level1_fixmap_pgt - __START_KERNEL_map + 0 * PAGE_SIZE + _KERNPG_TABLE
26268+ .quad level1_fixmap_pgt - __START_KERNEL_map + 1 * PAGE_SIZE + _KERNPG_TABLE
26269+ .quad level1_fixmap_pgt - __START_KERNEL_map + 2 * PAGE_SIZE + _KERNPG_TABLE
26270+ .quad level1_vsyscall_pgt - __START_KERNEL_map + _KERNPG_TABLE
26271+ /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
26272+ .fill 4,8,0
26273+
26274+NEXT_PAGE(level1_ident_pgt)
26275+ .fill 512,8,0
26276+
26277+NEXT_PAGE(level1_modules_pgt)
26278+ .fill 4*512,8,0
26279
26280 NEXT_PAGE(level1_fixmap_pgt)
26281+ .fill 3*512,8,0
26282+
26283+NEXT_PAGE(level1_vsyscall_pgt)
26284 .fill 512,8,0
26285
26286 #undef PMDS
26287
26288- .data
26289+ .align PAGE_SIZE
26290+ENTRY(cpu_gdt_table)
26291+ .rept NR_CPUS
26292+ .quad 0x0000000000000000 /* NULL descriptor */
26293+ .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
26294+ .quad 0x00af9b000000ffff /* __KERNEL_CS */
26295+ .quad 0x00cf93000000ffff /* __KERNEL_DS */
26296+ .quad 0x00cffb000000ffff /* __USER32_CS */
26297+ .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
26298+ .quad 0x00affb000000ffff /* __USER_CS */
26299+
26300+#ifdef CONFIG_PAX_KERNEXEC
26301+ .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
26302+#else
26303+ .quad 0x0 /* unused */
26304+#endif
26305+
26306+ .quad 0,0 /* TSS */
26307+ .quad 0,0 /* LDT */
26308+ .quad 0,0,0 /* three TLS descriptors */
26309+ .quad 0x0000f40000000000 /* node/CPU stored in limit */
26310+ /* asm/segment.h:GDT_ENTRIES must match this */
26311+
26312+#ifdef CONFIG_PAX_MEMORY_UDEREF
26313+ .quad 0x00cf93000000ffff /* __UDEREF_KERNEL_DS */
26314+#else
26315+ .quad 0x0 /* unused */
26316+#endif
26317+
26318+ /* zero the remaining page */
26319+ .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
26320+ .endr
26321+
26322 .align 16
26323 .globl early_gdt_descr
26324 early_gdt_descr:
26325 .word GDT_ENTRIES*8-1
26326 early_gdt_descr_base:
26327- .quad INIT_PER_CPU_VAR(gdt_page)
26328+ .quad cpu_gdt_table
26329
26330 ENTRY(phys_base)
26331 /* This must match the first entry in level2_kernel_pgt */
26332 .quad 0x0000000000000000
26333
26334 #include "../../x86/xen/xen-head.S"
26335-
26336- __PAGE_ALIGNED_BSS
26337+
26338+ .section .rodata,"a",@progbits
26339 NEXT_PAGE(empty_zero_page)
26340 .skip PAGE_SIZE
26341
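Review bot: In cpu_gdt_table the comment `/* asm/segment.h:GDT_ENTRIES must match this */` sits before the `__UDEREF_KERNEL_DS` / unused slot, so it reads as if the list ended one descriptor earlier than it does. By my count the `.rept` body emits 17 quadwords before the padding, and `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` pads each copy to exactly one page only if GDT_ENTRIES equals that number; its value is not on this page. I would move the comment below the `#endif` that closes the CONFIG_PAX_MEMORY_UDEREF block and word it as `/* GDT_ENTRIES in asm/segment.h must equal the number of descriptors above, or the per-CPU copies stop being page-sized */`.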
26342diff --git a/arch/x86/kernel/i386_ksyms_32.c b/arch/x86/kernel/i386_ksyms_32.c
26343index 64341aa..b1e6632 100644
26344--- a/arch/x86/kernel/i386_ksyms_32.c
26345+++ b/arch/x86/kernel/i386_ksyms_32.c
26346@@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
26347 EXPORT_SYMBOL(cmpxchg8b_emu);
26348 #endif
26349
26350+EXPORT_SYMBOL_GPL(cpu_gdt_table);
26351+
26352 /* Networking helper routines. */
26353 EXPORT_SYMBOL(csum_partial_copy_generic);
26354+EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
26355+EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
26356
26357 EXPORT_SYMBOL(__get_user_1);
26358 EXPORT_SYMBOL(__get_user_2);
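Review bot: The new exports give loadable modules direct access to `cpu_gdt_table` here, and to `cpu_pgd` and `__LOAD_PHYSICAL_ADDR` in the next hunk, with no comment naming the in-tree user that needs them. They are also inconsistent: `cpu_gdt_table` is `EXPORT_SYMBOL_GPL` while the other two are plain `EXPORT_SYMBOL`. A line such as `/* exported for <consumer>; descriptor and page tables should not be reachable by modules otherwise */` above each, with the real consumer filled in, would let a later reader judge whether the export can be dropped.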
26359@@ -42,3 +46,11 @@ EXPORT_SYMBOL(empty_zero_page);
26360 EXPORT_SYMBOL(___preempt_schedule);
26361 EXPORT_SYMBOL(___preempt_schedule_notrace);
26362 #endif
26363+
26364+#ifdef CONFIG_PAX_KERNEXEC
26365+EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
26366+#endif
26367+
26368+#ifdef CONFIG_PAX_PER_CPU_PGD
26369+EXPORT_SYMBOL(cpu_pgd);
26370+#endif
26371diff --git a/arch/x86/kernel/i8259.c b/arch/x86/kernel/i8259.c
26372index 16cb827..372334f 100644
26373--- a/arch/x86/kernel/i8259.c
26374+++ b/arch/x86/kernel/i8259.c
26375@@ -110,7 +110,7 @@ static int i8259A_irq_pending(unsigned int irq)
26376 static void make_8259A_irq(unsigned int irq)
26377 {
26378 disable_irq_nosync(irq);
26379- io_apic_irqs &= ~(1<<irq);
26380+ io_apic_irqs &= ~(1UL<<irq);
26381 irq_set_chip_and_handler(irq, &i8259A_chip, handle_level_irq);
26382 enable_irq(irq);
26383 }
26384@@ -208,7 +208,7 @@ spurious_8259A_irq:
26385 "spurious 8259A interrupt: IRQ%d.\n", irq);
26386 spurious_irq_mask |= irqmask;
26387 }
26388- atomic_inc(&irq_err_count);
26389+ atomic_inc_unchecked(&irq_err_count);
26390 /*
26391 * Theoretically we do not have to handle this IRQ,
26392 * but in Linux this does not cause problems and is
26393@@ -349,14 +349,16 @@ static void init_8259A(int auto_eoi)
26394 /* (slave's support for AEOI in flat mode is to be investigated) */
26395 outb_pic(SLAVE_ICW4_DEFAULT, PIC_SLAVE_IMR);
26396
26397+ pax_open_kernel();
26398 if (auto_eoi)
26399 /*
26400 * In AEOI mode we just have to mask the interrupt
26401 * when acking.
26402 */
26403- i8259A_chip.irq_mask_ack = disable_8259A_irq;
26404+ *(void **)&i8259A_chip.irq_mask_ack = disable_8259A_irq;
26405 else
26406- i8259A_chip.irq_mask_ack = mask_and_ack_8259A;
26407+ *(void **)&i8259A_chip.irq_mask_ack = mask_and_ack_8259A;
26408+ pax_close_kernel();
26409
26410 udelay(100); /* wait for 8259A to initialize */
26411
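Review bot: The two assignments `*(void **)&i8259A_chip.irq_mask_ack = ...` erase the member's function-pointer type, so a handler with the wrong signature would now be stored without a diagnostic. The hunk gives no reason for the cast or for the `pax_open_kernel()` / `pax_close_kernel()` pair around the `if`/`else`. If the reason is that `i8259A_chip` is kept in write-protected memory (not shown on this page), say so, for example `/* i8259A_chip is read-only after init; open a write window and cast away the qualifier for this one store */`. init_8259A begins and ends outside the hunk.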
26412diff --git a/arch/x86/kernel/io_delay.c b/arch/x86/kernel/io_delay.c
26413index a979b5b..1d6db75 100644
26414--- a/arch/x86/kernel/io_delay.c
26415+++ b/arch/x86/kernel/io_delay.c
26416@@ -58,7 +58,7 @@ static int __init dmi_io_delay_0xed_port(const struct dmi_system_id *id)
26417 * Quirk table for systems that misbehave (lock up, etc.) if port
26418 * 0x80 is used:
26419 */
26420-static struct dmi_system_id __initdata io_delay_0xed_port_dmi_table[] = {
26421+static const struct dmi_system_id __initconst io_delay_0xed_port_dmi_table[] = {
26422 {
26423 .callback = dmi_io_delay_0xed_port,
26424 .ident = "Compaq Presario V6000",
26425diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c
26426index 37dae79..620dd84 100644
26427--- a/arch/x86/kernel/ioport.c
26428+++ b/arch/x86/kernel/ioport.c
26429@@ -6,6 +6,7 @@
26430 #include <linux/sched.h>
26431 #include <linux/kernel.h>
26432 #include <linux/capability.h>
26433+#include <linux/security.h>
26434 #include <linux/errno.h>
26435 #include <linux/types.h>
26436 #include <linux/ioport.h>
26437@@ -30,6 +31,12 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
26438 return -EINVAL;
26439 if (turn_on && !capable(CAP_SYS_RAWIO))
26440 return -EPERM;
26441+#ifdef CONFIG_GRKERNSEC_IO
26442+ if (turn_on && grsec_disable_privio) {
26443+ gr_handle_ioperm();
26444+ return -ENODEV;
26445+ }
26446+#endif
26447
26448 /*
26449 * If it's the first ioperm() call in this thread's lifetime, set the
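Review bot: The added CONFIG_GRKERNSEC_IO block in sys_ioperm refuses the request with `-ENODEV`, directly after the capability check that refuses with `-EPERM`, and nothing explains why a policy denial uses a different errno. A short comment above the block would do, for example `/* port access disabled by policy: refuse even CAP_SYS_RAWIO callers; -ENODEV distinguishes this from a missing capability */`. The matching block in the iopl hunk further down needs the same comment. What gr_handle_ioperm() does before the return is not visible on this page.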
26450@@ -54,7 +61,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on)
26451 * because the ->io_bitmap_max value must match the bitmap
26452 * contents:
26453 */
26454- tss = &per_cpu(cpu_tss, get_cpu());
26455+ tss = cpu_tss + get_cpu();
26456
26457 if (turn_on)
26458 bitmap_clear(t->io_bitmap_ptr, from, num);
26459@@ -105,6 +112,12 @@ SYSCALL_DEFINE1(iopl, unsigned int, level)
26460 if (level > old) {
26461 if (!capable(CAP_SYS_RAWIO))
26462 return -EPERM;
26463+#ifdef CONFIG_GRKERNSEC_IO
26464+ if (grsec_disable_privio) {
26465+ gr_handle_iopl();
26466+ return -ENODEV;
26467+ }
26468+#endif
26469 }
26470 regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12);
26471 t->iopl = level << 12;
26472diff --git a/arch/x86/kernel/irq.c b/arch/x86/kernel/irq.c
26473index c7dfe1b..146f63c 100644
26474--- a/arch/x86/kernel/irq.c
26475+++ b/arch/x86/kernel/irq.c
26476@@ -28,7 +28,7 @@ EXPORT_PER_CPU_SYMBOL(irq_stat);
26477 DEFINE_PER_CPU(struct pt_regs *, irq_regs);
26478 EXPORT_PER_CPU_SYMBOL(irq_regs);
26479
26480-atomic_t irq_err_count;
26481+atomic_unchecked_t irq_err_count;
26482
26483 /* Function pointer for generic interrupt vector handling */
26484 void (*x86_platform_ipi_callback)(void) = NULL;
26485@@ -144,9 +144,9 @@ int arch_show_interrupts(struct seq_file *p, int prec)
26486 seq_printf(p, "%10u ", irq_stats(j)->irq_hv_callback_count);
26487 seq_puts(p, " Hypervisor callback interrupts\n");
26488 #endif
26489- seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
26490+ seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
26491 #if defined(CONFIG_X86_IO_APIC)
26492- seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
26493+ seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
26494 #endif
26495 #ifdef CONFIG_HAVE_KVM
26496 seq_printf(p, "%*s: ", prec, "PIN");
26497@@ -198,7 +198,7 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
26498
26499 u64 arch_irq_stat(void)
26500 {
26501- u64 sum = atomic_read(&irq_err_count);
26502+ u64 sum = atomic_read_unchecked(&irq_err_count);
26503 return sum;
26504 }
26505
26506diff --git a/arch/x86/kernel/irq_32.c b/arch/x86/kernel/irq_32.c
26507index cd74f59..588af0b 100644
26508--- a/arch/x86/kernel/irq_32.c
26509+++ b/arch/x86/kernel/irq_32.c
26510@@ -23,6 +23,8 @@
26511
26512 #ifdef CONFIG_DEBUG_STACKOVERFLOW
26513
26514+extern void gr_handle_kernel_exploit(void);
26515+
26516 int sysctl_panic_on_stackoverflow __read_mostly;
26517
26518 /* Debugging check for stack overflow: is there less than 1KB free? */
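Review bot: `extern void gr_handle_kernel_exploit(void);` is declared locally in this .c file, and the irq_64.c hunk later on this page repeats the same line. A file-local extern is never checked against the definition, so a later signature change would compile cleanly and fail at run time. I would put the prototype in one shared header and include it from both files in place of the two extern lines.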
26519@@ -33,13 +35,14 @@ static int check_stack_overflow(void)
26520 __asm__ __volatile__("andl %%esp,%0" :
26521 "=r" (sp) : "0" (THREAD_SIZE - 1));
26522
26523- return sp < (sizeof(struct thread_info) + STACK_WARN);
26524+ return sp < STACK_WARN;
26525 }
26526
26527 static void print_stack_overflow(void)
26528 {
26529 printk(KERN_WARNING "low stack detected by irq handler\n");
26530 dump_stack();
26531+ gr_handle_kernel_exploit();
26532 if (sysctl_panic_on_stackoverflow)
26533 panic("low stack detected by irq handler - check messages\n");
26534 }
26535@@ -71,10 +74,9 @@ static inline void *current_stack(void)
26536 static inline int
26537 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26538 {
26539- struct irq_stack *curstk, *irqstk;
26540+ struct irq_stack *irqstk;
26541 u32 *isp, *prev_esp, arg1, arg2;
26542
26543- curstk = (struct irq_stack *) current_stack();
26544 irqstk = __this_cpu_read(hardirq_stack);
26545
26546 /*
26547@@ -83,15 +85,19 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26548 * handler) we can't do that and just have to keep using the
26549 * current stack (which is the irq stack already after all)
26550 */
26551- if (unlikely(curstk == irqstk))
26552+ if (unlikely((void *)current_stack_pointer - (void *)irqstk < THREAD_SIZE))
26553 return 0;
26554
26555- isp = (u32 *) ((char *)irqstk + sizeof(*irqstk));
26556+ isp = (u32 *) ((char *)irqstk + sizeof(*irqstk) - 8);
26557
26558 /* Save the next esp at the bottom of the stack */
26559 prev_esp = (u32 *)irqstk;
26560 *prev_esp = current_stack_pointer();
26561
26562+#ifdef CONFIG_PAX_MEMORY_UDEREF
26563+ __set_fs(MAKE_MM_SEG(0));
26564+#endif
26565+
26566 if (unlikely(overflow))
26567 call_on_stack(print_stack_overflow, isp);
26568
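Review bot: The new nesting test `(void *)current_stack_pointer - (void *)irqstk < THREAD_SIZE` names `current_stack_pointer` without a call, while the unchanged line a few lines below uses `current_stack_pointer()`. If it is still a function in this tree (its definition is not on this page), the cast takes the function's address and the test no longer detects that the CPU is already on the irq stack. I would write `if (unlikely(current_stack_pointer() - (unsigned long)irqstk < THREAD_SIZE))`, which also makes the unsigned range check explicit. The `- 8` added to `isp` needs a comment stating what the reserved bytes at the top of the stack are for. execute_on_irq_stack starts and ends outside this hunk.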
26569@@ -102,6 +108,11 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26570 : "0" (irq), "1" (desc), "2" (isp),
26571 "D" (desc->handle_irq)
26572 : "memory", "cc", "ecx");
26573+
26574+#ifdef CONFIG_PAX_MEMORY_UDEREF
26575+ __set_fs(current_thread_info()->addr_limit);
26576+#endif
26577+
26578 return 1;
26579 }
26580
26581@@ -110,32 +121,18 @@ execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
26582 */
26583 void irq_ctx_init(int cpu)
26584 {
26585- struct irq_stack *irqstk;
26586-
26587 if (per_cpu(hardirq_stack, cpu))
26588 return;
26589
26590- irqstk = page_address(alloc_pages_node(cpu_to_node(cpu),
26591- THREADINFO_GFP,
26592- THREAD_SIZE_ORDER));
26593- per_cpu(hardirq_stack, cpu) = irqstk;
26594-
26595- irqstk = page_address(alloc_pages_node(cpu_to_node(cpu),
26596- THREADINFO_GFP,
26597- THREAD_SIZE_ORDER));
26598- per_cpu(softirq_stack, cpu) = irqstk;
26599-
26600- printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
26601- cpu, per_cpu(hardirq_stack, cpu), per_cpu(softirq_stack, cpu));
26602+ per_cpu(hardirq_stack, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
26603+ per_cpu(softirq_stack, cpu) = page_address(alloc_pages_node(cpu_to_node(cpu), THREADINFO_GFP, THREAD_SIZE_ORDER));
26604 }
26605
26606 void do_softirq_own_stack(void)
26607 {
26608- struct thread_info *curstk;
26609 struct irq_stack *irqstk;
26610 u32 *isp, *prev_esp;
26611
26612- curstk = current_stack();
26613 irqstk = __this_cpu_read(softirq_stack);
26614
26615 /* build the stack frame on the softirq stack */
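Review bot: In irq_ctx_init both `alloc_pages_node()` results are passed straight to `page_address()` and stored, so a failed allocation is not detected. The old code had the same gap, but this hunk also removes the printk that was the only place the resulting addresses could be seen. Because the early return tests only `hardirq_stack`, a failed softirq allocation is never retried either. I would keep each result in a local `struct page *pg` and test it before the conversion, for example `if (!pg) panic("CPU %u: cannot allocate irq stack\n", cpu);`.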
26616@@ -145,7 +142,16 @@ void do_softirq_own_stack(void)
26617 prev_esp = (u32 *)irqstk;
26618 *prev_esp = current_stack_pointer();
26619
26620+#ifdef CONFIG_PAX_MEMORY_UDEREF
26621+ __set_fs(MAKE_MM_SEG(0));
26622+#endif
26623+
26624 call_on_stack(__do_softirq, isp);
26625+
26626+#ifdef CONFIG_PAX_MEMORY_UDEREF
26627+ __set_fs(current_thread_info()->addr_limit);
26628+#endif
26629+
26630 }
26631
26632 bool handle_irq(unsigned irq, struct pt_regs *regs)
26633diff --git a/arch/x86/kernel/irq_64.c b/arch/x86/kernel/irq_64.c
26634index bc4604e..0be227d 100644
26635--- a/arch/x86/kernel/irq_64.c
26636+++ b/arch/x86/kernel/irq_64.c
26637@@ -20,6 +20,8 @@
26638 #include <asm/idle.h>
26639 #include <asm/apic.h>
26640
26641+extern void gr_handle_kernel_exploit(void);
26642+
26643 int sysctl_panic_on_stackoverflow;
26644
26645 /*
26646@@ -63,6 +65,8 @@ static inline void stack_overflow_check(struct pt_regs *regs)
26647 irq_stack_top, irq_stack_bottom,
26648 estack_top, estack_bottom);
26649
26650+ gr_handle_kernel_exploit();
26651+
26652 if (sysctl_panic_on_stackoverflow)
26653 panic("low stack detected by irq handler - check messages\n");
26654 #endif
26655diff --git a/arch/x86/kernel/jump_label.c b/arch/x86/kernel/jump_label.c
26656index 26d5a55..063fef8 100644
26657--- a/arch/x86/kernel/jump_label.c
26658+++ b/arch/x86/kernel/jump_label.c
26659@@ -31,6 +31,8 @@ static void bug_at(unsigned char *ip, int line)
26660 * Something went wrong. Crash the box, as something could be
26661 * corrupting the kernel.
26662 */
26663+ ip = (unsigned char *)ktla_ktva((unsigned long)ip);
26664+ pr_warning("Unexpected op at %pS [%p] %s:%d\n", ip, ip, __FILE__, line);
26665 pr_warning("Unexpected op at %pS [%p] (%02x %02x %02x %02x %02x) %s:%d\n",
26666 ip, ip, ip[0], ip[1], ip[2], ip[3], ip[4], __FILE__, line);
26667 BUG();
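Review bot: bug_at() now issues two consecutive `pr_warning` calls that print the same address and file/line, the second adding only the five opcode bytes. If the first is there so the location is logged before `ip[0]`..`ip[4]` are read (a read that could itself fault), that needs a comment such as `/* log the address first: dumping the bytes below may fault */`; otherwise the added line is redundant and should go. Note also that `ip` is reassigned to the `ktla_ktva()` result before being passed to `%pS`, so the symbol is resolved for the translated address; whether it still resolves depends on a helper that is not shown here.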
26668@@ -51,7 +53,7 @@ static void __jump_label_transform(struct jump_entry *entry,
26669 * Jump label is enabled for the first time.
26670 * So we expect a default_nop...
26671 */
26672- if (unlikely(memcmp((void *)entry->code, default_nop, 5)
26673+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), default_nop, 5)
26674 != 0))
26675 bug_at((void *)entry->code, __LINE__);
26676 } else {
26677@@ -59,7 +61,7 @@ static void __jump_label_transform(struct jump_entry *entry,
26678 * ...otherwise expect an ideal_nop. Otherwise
26679 * something went horribly wrong.
26680 */
26681- if (unlikely(memcmp((void *)entry->code, ideal_nop, 5)
26682+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), ideal_nop, 5)
26683 != 0))
26684 bug_at((void *)entry->code, __LINE__);
26685 }
26686@@ -75,13 +77,13 @@ static void __jump_label_transform(struct jump_entry *entry,
26687 * are converting the default nop to the ideal nop.
26688 */
26689 if (init) {
26690- if (unlikely(memcmp((void *)entry->code, default_nop, 5) != 0))
26691+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), default_nop, 5) != 0))
26692 bug_at((void *)entry->code, __LINE__);
26693 } else {
26694 code.jump = 0xe9;
26695 code.offset = entry->target -
26696 (entry->code + JUMP_LABEL_NOP_SIZE);
26697- if (unlikely(memcmp((void *)entry->code, &code, 5) != 0))
26698+ if (unlikely(memcmp((void *)ktla_ktva(entry->code), &code, 5) != 0))
26699 bug_at((void *)entry->code, __LINE__);
26700 }
26701 memcpy(&code, ideal_nops[NOP_ATOMIC5], JUMP_LABEL_NOP_SIZE);
26702diff --git a/arch/x86/kernel/kgdb.c b/arch/x86/kernel/kgdb.c
26703index d6178d9..598681f 100644
26704--- a/arch/x86/kernel/kgdb.c
26705+++ b/arch/x86/kernel/kgdb.c
26706@@ -228,7 +228,10 @@ static void kgdb_correct_hw_break(void)
26707 bp->attr.bp_addr = breakinfo[breakno].addr;
26708 bp->attr.bp_len = breakinfo[breakno].len;
26709 bp->attr.bp_type = breakinfo[breakno].type;
26710- info->address = breakinfo[breakno].addr;
26711+ if (breakinfo[breakno].type == X86_BREAKPOINT_EXECUTE)
26712+ info->address = ktla_ktva(breakinfo[breakno].addr);
26713+ else
26714+ info->address = breakinfo[breakno].addr;
26715 info->len = breakinfo[breakno].len;
26716 info->type = breakinfo[breakno].type;
26717 val = arch_install_hw_breakpoint(bp);
26718@@ -475,12 +478,12 @@ int kgdb_arch_handle_exception(int e_vector, int signo, int err_code,
26719 case 'k':
26720 /* clear the trace bit */
26721 linux_regs->flags &= ~X86_EFLAGS_TF;
26722- atomic_set(&kgdb_cpu_doing_single_step, -1);
26723+ atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
26724
26725 /* set the trace bit if we're stepping */
26726 if (remcomInBuffer[0] == 's') {
26727 linux_regs->flags |= X86_EFLAGS_TF;
26728- atomic_set(&kgdb_cpu_doing_single_step,
26729+ atomic_set_unchecked(&kgdb_cpu_doing_single_step,
26730 raw_smp_processor_id());
26731 }
26732
26733@@ -545,7 +548,7 @@ static int __kgdb_notify(struct die_args *args, unsigned long cmd)
26734
26735 switch (cmd) {
26736 case DIE_DEBUG:
26737- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
26738+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
26739 if (user_mode(regs))
26740 return single_step_cont(regs, args);
26741 break;
26742@@ -750,11 +753,11 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt)
26743 #endif /* CONFIG_DEBUG_RODATA */
26744
26745 bpt->type = BP_BREAKPOINT;
26746- err = probe_kernel_read(bpt->saved_instr, (char *)bpt->bpt_addr,
26747+ err = probe_kernel_read(bpt->saved_instr, (const void *)ktla_ktva(bpt->bpt_addr),
26748 BREAK_INSTR_SIZE);
26749 if (err)
26750 return err;
26751- err = probe_kernel_write((char *)bpt->bpt_addr,
26752+ err = probe_kernel_write((void *)ktla_ktva(bpt->bpt_addr),
26753 arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE);
26754 #ifdef CONFIG_DEBUG_RODATA
26755 if (!err)
26756@@ -767,7 +770,7 @@ int kgdb_arch_set_breakpoint(struct kgdb_bkpt *bpt)
26757 return -EBUSY;
26758 text_poke((void *)bpt->bpt_addr, arch_kgdb_ops.gdb_bpt_instr,
26759 BREAK_INSTR_SIZE);
26760- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
26761+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
26762 if (err)
26763 return err;
26764 if (memcmp(opc, arch_kgdb_ops.gdb_bpt_instr, BREAK_INSTR_SIZE))
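Review bot: `ktla_ktva((char *)bpt->bpt_addr)` passes a pointer to the helper, whereas the previous hunk in the same function passes the integer and casts the result, `(const void *)ktla_ktva(bpt->bpt_addr)`. Both forms type-check only if the helper is a macro or otherwise untyped, and its definition is not on this page. For consistency I would use the earlier form here: `err = probe_kernel_read(opc, (const void *)ktla_ktva(bpt->bpt_addr), BREAK_INSTR_SIZE);`. The same pointer-argument call appears in kgdb_arch_remove_breakpoint in the next hunk, and in the kprobes/opt.c hunks (`ktla_ktva(&optprobe_template_entry)`, `ktla_ktva(op->kp.addr)`).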
26765@@ -792,13 +795,13 @@ int kgdb_arch_remove_breakpoint(struct kgdb_bkpt *bpt)
26766 if (mutex_is_locked(&text_mutex))
26767 goto knl_write;
26768 text_poke((void *)bpt->bpt_addr, bpt->saved_instr, BREAK_INSTR_SIZE);
26769- err = probe_kernel_read(opc, (char *)bpt->bpt_addr, BREAK_INSTR_SIZE);
26770+ err = probe_kernel_read(opc, ktla_ktva((char *)bpt->bpt_addr), BREAK_INSTR_SIZE);
26771 if (err || memcmp(opc, bpt->saved_instr, BREAK_INSTR_SIZE))
26772 goto knl_write;
26773 return err;
26774 knl_write:
26775 #endif /* CONFIG_DEBUG_RODATA */
26776- return probe_kernel_write((char *)bpt->bpt_addr,
26777+ return probe_kernel_write((void *)ktla_ktva(bpt->bpt_addr),
26778 (char *)bpt->saved_instr, BREAK_INSTR_SIZE);
26779 }
26780
26781diff --git a/arch/x86/kernel/kprobes/core.c b/arch/x86/kernel/kprobes/core.c
26782index 1deffe6..3be342a 100644
26783--- a/arch/x86/kernel/kprobes/core.c
26784+++ b/arch/x86/kernel/kprobes/core.c
26785@@ -120,9 +120,12 @@ __synthesize_relative_insn(void *from, void *to, u8 op)
26786 s32 raddr;
26787 } __packed *insn;
26788
26789- insn = (struct __arch_relative_insn *)from;
26790+ insn = (struct __arch_relative_insn *)ktla_ktva((unsigned long)from);
26791+
26792+ pax_open_kernel();
26793 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
26794 insn->op = op;
26795+ pax_close_kernel();
26796 }
26797
26798 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
26799@@ -168,7 +171,7 @@ int can_boost(kprobe_opcode_t *opcodes)
26800 kprobe_opcode_t opcode;
26801 kprobe_opcode_t *orig_opcodes = opcodes;
26802
26803- if (search_exception_tables((unsigned long)opcodes))
26804+ if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
26805 return 0; /* Page fault may occur on this address. */
26806
26807 retry:
26808@@ -260,12 +263,12 @@ __recover_probed_insn(kprobe_opcode_t *buf, unsigned long addr)
26809 * Fortunately, we know that the original code is the ideal 5-byte
26810 * long NOP.
26811 */
26812- memcpy(buf, (void *)addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
26813+ memcpy(buf, (void *)ktla_ktva(addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
26814 if (faddr)
26815 memcpy(buf, ideal_nops[NOP_ATOMIC5], 5);
26816 else
26817 buf[0] = kp->opcode;
26818- return (unsigned long)buf;
26819+ return ktva_ktla((unsigned long)buf);
26820 }
26821
26822 /*
26823@@ -367,7 +370,9 @@ int __copy_instruction(u8 *dest, u8 *src)
26824 /* Another subsystem puts a breakpoint, failed to recover */
26825 if (insn.opcode.bytes[0] == BREAKPOINT_INSTRUCTION)
26826 return 0;
26827+ pax_open_kernel();
26828 memcpy(dest, insn.kaddr, length);
26829+ pax_close_kernel();
26830
26831 #ifdef CONFIG_X86_64
26832 if (insn_rip_relative(&insn)) {
26833@@ -394,7 +399,9 @@ int __copy_instruction(u8 *dest, u8 *src)
26834 return 0;
26835 }
26836 disp = (u8 *) dest + insn_offset_displacement(&insn);
26837+ pax_open_kernel();
26838 *(s32 *) disp = (s32) newdisp;
26839+ pax_close_kernel();
26840 }
26841 #endif
26842 return length;
26843@@ -536,7 +543,7 @@ static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
26844 * nor set current_kprobe, because it doesn't use single
26845 * stepping.
26846 */
26847- regs->ip = (unsigned long)p->ainsn.insn;
26848+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
26849 preempt_enable_no_resched();
26850 return;
26851 }
26852@@ -553,9 +560,9 @@ static void setup_singlestep(struct kprobe *p, struct pt_regs *regs,
26853 regs->flags &= ~X86_EFLAGS_IF;
26854 /* single step inline if the instruction is an int3 */
26855 if (p->opcode == BREAKPOINT_INSTRUCTION)
26856- regs->ip = (unsigned long)p->addr;
26857+ regs->ip = ktla_ktva((unsigned long)p->addr);
26858 else
26859- regs->ip = (unsigned long)p->ainsn.insn;
26860+ regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
26861 }
26862 NOKPROBE_SYMBOL(setup_singlestep);
26863
26864@@ -640,7 +647,7 @@ int kprobe_int3_handler(struct pt_regs *regs)
26865 setup_singlestep(p, regs, kcb, 0);
26866 return 1;
26867 }
26868- } else if (*addr != BREAKPOINT_INSTRUCTION) {
26869+ } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
26870 /*
26871 * The breakpoint instruction was removed right
26872 * after we hit it. Another cpu has removed
26873@@ -687,6 +694,9 @@ static void __used kretprobe_trampoline_holder(void)
26874 " movq %rax, 152(%rsp)\n"
26875 RESTORE_REGS_STRING
26876 " popfq\n"
26877+#ifdef KERNEXEC_PLUGIN
26878+ " btsq $63,(%rsp)\n"
26879+#endif
26880 #else
26881 " pushf\n"
26882 SAVE_REGS_STRING
26883@@ -827,7 +837,7 @@ static void resume_execution(struct kprobe *p, struct pt_regs *regs,
26884 struct kprobe_ctlblk *kcb)
26885 {
26886 unsigned long *tos = stack_addr(regs);
26887- unsigned long copy_ip = (unsigned long)p->ainsn.insn;
26888+ unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
26889 unsigned long orig_ip = (unsigned long)p->addr;
26890 kprobe_opcode_t *insn = p->ainsn.insn;
26891
26892diff --git a/arch/x86/kernel/kprobes/opt.c b/arch/x86/kernel/kprobes/opt.c
26893index 7b3b9d1..e2478b91 100644
26894--- a/arch/x86/kernel/kprobes/opt.c
26895+++ b/arch/x86/kernel/kprobes/opt.c
26896@@ -79,6 +79,7 @@ found:
26897 /* Insert a move instruction which sets a pointer to eax/rdi (1st arg). */
26898 static void synthesize_set_arg1(kprobe_opcode_t *addr, unsigned long val)
26899 {
26900+ pax_open_kernel();
26901 #ifdef CONFIG_X86_64
26902 *addr++ = 0x48;
26903 *addr++ = 0xbf;
26904@@ -86,6 +87,7 @@ static void synthesize_set_arg1(kprobe_opcode_t *addr, unsigned long val)
26905 *addr++ = 0xb8;
26906 #endif
26907 *(unsigned long *)addr = val;
26908+ pax_close_kernel();
26909 }
26910
26911 asm (
26912@@ -342,7 +344,7 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op,
26913 * Verify if the address gap is in 2GB range, because this uses
26914 * a relative jump.
26915 */
26916- rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
26917+ rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
26918 if (abs(rel) > 0x7fffffff) {
26919 __arch_remove_optimized_kprobe(op, 0);
26920 return -ERANGE;
26921@@ -359,16 +361,18 @@ int arch_prepare_optimized_kprobe(struct optimized_kprobe *op,
26922 op->optinsn.size = ret;
26923
26924 /* Copy arch-dep-instance from template */
26925- memcpy(buf, &optprobe_template_entry, TMPL_END_IDX);
26926+ pax_open_kernel();
26927+ memcpy(buf, ktla_ktva(&optprobe_template_entry), TMPL_END_IDX);
26928+ pax_close_kernel();
26929
26930 /* Set probe information */
26931 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
26932
26933 /* Set probe function call */
26934- synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
26935+ synthesize_relcall(ktva_ktla(buf) + TMPL_CALL_IDX, optimized_callback);
26936
26937 /* Set returning jmp instruction at the tail of out-of-line buffer */
26938- synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
26939+ synthesize_reljump(ktva_ktla(buf) + TMPL_END_IDX + op->optinsn.size,
26940 (u8 *)op->kp.addr + op->optinsn.size);
26941
26942 flush_icache_range((unsigned long) buf,
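Review bot: In arch_prepare_optimized_kprobe the buffer is used in two address views with no explanation: `memcpy` and `synthesize_set_arg1` take `buf` as is, while `synthesize_relcall` and `synthesize_reljump` take `ktva_ktla(buf)`. Judging from the __synthesize_relative_insn hunk in kprobes/core.c, the callee computes the displacement from the address it is given and translates back with `ktla_ktva()` for the store, but that these two helpers reach it is an assumption. A comment above the two calls would spare the next reader the trace, for example `/* pass the execution-view address: the displacement is derived from it and the helper maps it back for the write */`. The function starts and ends outside this hunk.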
26943@@ -393,7 +397,7 @@ void arch_optimize_kprobes(struct list_head *oplist)
26944 WARN_ON(kprobe_disabled(&op->kp));
26945
26946 /* Backup instructions which will be replaced by jump address */
26947- memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
26948+ memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
26949 RELATIVE_ADDR_SIZE);
26950
26951 insn_buf[0] = RELATIVEJUMP_OPCODE;
26952@@ -441,7 +445,7 @@ int setup_detour_execution(struct kprobe *p, struct pt_regs *regs, int reenter)
26953 /* This kprobe is really able to run optimized path. */
26954 op = container_of(p, struct optimized_kprobe, kp);
26955 /* Detour through copied instructions */
26956- regs->ip = (unsigned long)op->optinsn.insn + TMPL_END_IDX;
26957+ regs->ip = ktva_ktla((unsigned long)op->optinsn.insn) + TMPL_END_IDX;
26958 if (!reenter)
26959 reset_current_kprobe();
26960 preempt_enable_no_resched();
26961diff --git a/arch/x86/kernel/ksysfs.c b/arch/x86/kernel/ksysfs.c
26962index c2bedae..25e7ab60 100644
26963--- a/arch/x86/kernel/ksysfs.c
26964+++ b/arch/x86/kernel/ksysfs.c
26965@@ -184,7 +184,7 @@ out:
26966
26967 static struct kobj_attribute type_attr = __ATTR_RO(type);
26968
26969-static struct bin_attribute data_attr = {
26970+static bin_attribute_no_const data_attr __read_only = {
26971 .attr = {
26972 .name = "data",
26973 .mode = S_IRUGO,
26974diff --git a/arch/x86/kernel/kvmclock.c b/arch/x86/kernel/kvmclock.c
26975index 49487b4..a94a0d3 100644
26976--- a/arch/x86/kernel/kvmclock.c
26977+++ b/arch/x86/kernel/kvmclock.c
26978@@ -29,7 +29,7 @@
26979 #include <asm/x86_init.h>
26980 #include <asm/reboot.h>
26981
26982-static int kvmclock = 1;
26983+static int kvmclock __read_only = 1;
26984 static int msr_kvm_system_time = MSR_KVM_SYSTEM_TIME;
26985 static int msr_kvm_wall_clock = MSR_KVM_WALL_CLOCK;
26986
26987@@ -41,7 +41,7 @@ static int parse_no_kvmclock(char *arg)
26988 early_param("no-kvmclock", parse_no_kvmclock);
26989
26990 /* The hypervisor will put information about time periodically here */
26991-static struct pvclock_vsyscall_time_info *hv_clock;
26992+static struct pvclock_vsyscall_time_info hv_clock[NR_CPUS] __page_aligned_bss;
26993 static struct pvclock_wall_clock wall_clock;
26994
26995 /*
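Review bot: `hv_clock[NR_CPUS] __page_aligned_bss` fixes the start of the array on a page boundary but not its size, whereas the removed `memblock_alloc(size, PAGE_SIZE)` reserved the region by itself. kvm_setup_vsyscall_timeinfo, in a later hunk, still rounds the length up with `PAGE_ALIGN(...)`. If those whole pages are registered or mapped outside the kernel (not visible here), the tail of the last page must not hold unrelated data. Either pad the object to a page multiple or document the assumption, for example `/* must own whole pages: the rounded-up range is handed out as a unit */`. The array is also now reserved when kvmclock is not in use.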
26996@@ -132,7 +132,7 @@ bool kvm_check_and_clear_guest_paused(void)
26997 struct pvclock_vcpu_time_info *src;
26998 int cpu = smp_processor_id();
26999
27000- if (!hv_clock)
27001+ if (!kvmclock)
27002 return ret;
27003
27004 src = &hv_clock[cpu].pvti;
27005@@ -159,7 +159,7 @@ int kvm_register_clock(char *txt)
27006 int low, high, ret;
27007 struct pvclock_vcpu_time_info *src;
27008
27009- if (!hv_clock)
27010+ if (!kvmclock)
27011 return 0;
27012
27013 src = &hv_clock[cpu].pvti;
27014@@ -219,7 +219,6 @@ static void kvm_shutdown(void)
27015 void __init kvmclock_init(void)
27016 {
27017 struct pvclock_vcpu_time_info *vcpu_time;
27018- unsigned long mem;
27019 int size, cpu;
27020 u8 flags;
27021
27022@@ -237,15 +236,8 @@ void __init kvmclock_init(void)
27023 printk(KERN_INFO "kvm-clock: Using msrs %x and %x",
27024 msr_kvm_system_time, msr_kvm_wall_clock);
27025
27026- mem = memblock_alloc(size, PAGE_SIZE);
27027- if (!mem)
27028- return;
27029- hv_clock = __va(mem);
27030- memset(hv_clock, 0, size);
27031-
27032 if (kvm_register_clock("primary cpu clock")) {
27033- hv_clock = NULL;
27034- memblock_free(mem, size);
27035+ kvmclock = 0;
27036 return;
27037 }
27038 pv_time_ops.sched_clock = kvm_clock_read;
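Review bot: `kvmclock = 0;` stores to a variable that the first hunk of this file marks `__read_only`, without the `pax_open_kernel()` / `pax_close_kernel()` window the patch uses for such writes elsewhere (the i8259.c hunk, for instance). This is presumably safe because kvmclock_init is `__init` and runs before the protection is applied, but the page does not show when that happens. I would add `/* __init: runs before read-only data is write-protected */` next to the store, or wrap it in the open/close pair. The function continues outside this hunk.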
27039@@ -286,7 +278,7 @@ int __init kvm_setup_vsyscall_timeinfo(void)
27040 struct pvclock_vcpu_time_info *vcpu_time;
27041 unsigned int size;
27042
27043- if (!hv_clock)
27044+ if (!kvmclock)
27045 return 0;
27046
27047 size = PAGE_ALIGN(sizeof(struct pvclock_vsyscall_time_info)*NR_CPUS);
27048diff --git a/arch/x86/kernel/ldt.c b/arch/x86/kernel/ldt.c
27049index 2bcc052..864eb84 100644
27050--- a/arch/x86/kernel/ldt.c
27051+++ b/arch/x86/kernel/ldt.c
27052@@ -11,6 +11,7 @@
27053 #include <linux/sched.h>
27054 #include <linux/string.h>
27055 #include <linux/mm.h>
27056+#include <linux/ratelimit.h>
27057 #include <linux/smp.h>
27058 #include <linux/slab.h>
27059 #include <linux/vmalloc.h>
27060@@ -21,6 +22,14 @@
27061 #include <asm/mmu_context.h>
27062 #include <asm/syscalls.h>
27063
27064+#ifdef CONFIG_GRKERNSEC
27065+int sysctl_modify_ldt __read_only = 0;
27066+#elif defined(CONFIG_DEFAULT_MODIFY_LDT_SYSCALL)
27067+int sysctl_modify_ldt __read_only = 1;
27068+#else
27069+int sysctl_modify_ldt __read_only = 0;
27070+#endif
27071+
27072 /* context.lock is held for us, so we don't need any locking. */
27073 static void flush_ldt(void *current_mm)
27074 {
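Review bot: Two of the three preprocessor branches initialise `sysctl_modify_ldt` to 0, and nothing says that the `CONFIG_GRKERNSEC` branch exists to override `CONFIG_DEFAULT_MODIFY_LDT_SYSCALL`. A comment above the block, e.g. `/* modify_ldt() defaults to off under grsecurity, whatever CONFIG_DEFAULT_MODIFY_LDT_SYSCALL says */`, would make that explicit (presumably that is the intent; confirm). Because the variable is `__read_only`, the comment should also say which code is allowed to change it, since the sysctl handler is not among this file's hunks.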
27075@@ -109,6 +118,23 @@ int init_new_context(struct task_struct *tsk, struct mm_struct *mm)
27076 struct mm_struct *old_mm;
27077 int retval = 0;
27078
27079+ if (tsk == current) {
27080+ mm->context.vdso = 0;
27081+
27082+#ifdef CONFIG_X86_32
27083+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
27084+ mm->context.user_cs_base = 0UL;
27085+ mm->context.user_cs_limit = ~0UL;
27086+
27087+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
27088+ cpumask_clear(&mm->context.cpu_user_cs_mask);
27089+#endif
27090+
27091+#endif
27092+#endif
27093+
27094+ }
27095+
27096 mutex_init(&mm->context.lock);
27097 old_mm = current->mm;
27098 if (!old_mm) {
27099@@ -235,6 +261,14 @@ static int write_ldt(void __user *ptr, unsigned long bytecount, int oldmode)
27100 /* The user wants to clear the entry. */
27101 memset(&ldt, 0, sizeof(ldt));
27102 } else {
27103+
27104+#ifdef CONFIG_PAX_SEGMEXEC
27105+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
27106+ error = -EINVAL;
27107+ goto out;
27108+ }
27109+#endif
27110+
27111 if (!IS_ENABLED(CONFIG_X86_16BIT) && !ldt_info.seg_32bit) {
27112 error = -EINVAL;
27113 goto out;
27114@@ -276,6 +310,15 @@ asmlinkage int sys_modify_ldt(int func, void __user *ptr,
27115 {
27116 int ret = -ENOSYS;
27117
27118+ if (!sysctl_modify_ldt) {
27119+ printk_ratelimited(KERN_INFO
27120+ "Denied a call to modify_ldt() from %s[%d] (uid: %d)."
27121+ " Adjust sysctl if this was not an exploit attempt.\n",
27122+ current->comm, task_pid_nr(current),
27123+ from_kuid_munged(current_user_ns(), current_uid()));
27124+ return ret;
27125+ }
27126+
27127 switch (func) {
27128 case 0:
27129 ret = read_ldt(ptr, bytecount);
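Review bot: The denial message reports the uid through `from_kuid_munged(current_user_ns(), current_uid())`, i.e. as seen from the caller's own user namespace, so a task in a namespace that maps itself to 0 is logged as uid 0. For a line an administrator uses to attribute the call, the global id is the useful one: `from_kuid(&init_user_ns, current_uid())`, printed with `%u` because `uid_t` is unsigned. `current->comm` is caller-controlled text as well, so anything parsing this line should treat that field as untrusted. sys_modify_ldt's body continues outside the hunk.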
27130diff --git a/arch/x86/kernel/livepatch.c b/arch/x86/kernel/livepatch.c
27131index ff3c3101d..d7c0cd8 100644
27132--- a/arch/x86/kernel/livepatch.c
27133+++ b/arch/x86/kernel/livepatch.c
27134@@ -41,9 +41,10 @@ int klp_write_module_reloc(struct module *mod, unsigned long type,
27135 int ret, numpages, size = 4;
27136 bool readonly;
27137 unsigned long val;
27138- unsigned long core = (unsigned long)mod->module_core;
27139- unsigned long core_ro_size = mod->core_ro_size;
27140- unsigned long core_size = mod->core_size;
27141+ unsigned long core_rx = (unsigned long)mod->module_core_rx;
27142+ unsigned long core_rw = (unsigned long)mod->module_core_rw;
27143+ unsigned long core_size_rx = mod->core_size_rx;
27144+ unsigned long core_size_rw = mod->core_size_rw;
27145
27146 switch (type) {
27147 case R_X86_64_NONE:
27148@@ -66,11 +67,12 @@ int klp_write_module_reloc(struct module *mod, unsigned long type,
27149 return -EINVAL;
27150 }
27151
27152- if (loc < core || loc >= core + core_size)
27153+ if ((loc < core_rx || loc >= core_rx + core_size_rx) &&
27154+ (loc < core_rw || loc >= core_rw + core_size_rw))
27155 /* loc does not point to any symbol inside the module */
27156 return -EINVAL;
27157
27158- if (loc < core + core_ro_size)
27159+ if (loc < core_rx + core_size_rx)
27160 readonly = true;
27161 else
27162 readonly = false;
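Review bot: `readonly` is decided by `loc < core_rx + core_size_rx` alone, which was enough when a single core region began with its read-only part, but with separate `core_rx` and `core_rw` regions it also matches any `loc` in the rw region whenever that region lies below the rx one. The test should bound both sides, `if (loc >= core_rx && loc < core_rx + core_size_rx)`, otherwise such a location would go through the permission-toggling path that follows outside the hunk. The range check above it also validates only the first byte of the write, not `loc + size`.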
27163diff --git a/arch/x86/kernel/machine_kexec_32.c b/arch/x86/kernel/machine_kexec_32.c
27164index 469b23d..5449cfe 100644
27165--- a/arch/x86/kernel/machine_kexec_32.c
27166+++ b/arch/x86/kernel/machine_kexec_32.c
27167@@ -26,7 +26,7 @@
27168 #include <asm/cacheflush.h>
27169 #include <asm/debugreg.h>
27170
27171-static void set_idt(void *newidt, __u16 limit)
27172+static void set_idt(struct desc_struct *newidt, __u16 limit)
27173 {
27174 struct desc_ptr curidt;
27175
27176@@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16 limit)
27177 }
27178
27179
27180-static void set_gdt(void *newgdt, __u16 limit)
27181+static void set_gdt(struct desc_struct *newgdt, __u16 limit)
27182 {
27183 struct desc_ptr curgdt;
27184
27185@@ -216,7 +216,7 @@ void machine_kexec(struct kimage *image)
27186 }
27187
27188 control_page = page_address(image->control_code_page);
27189- memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
27190+ memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
27191
27192 relocate_kernel_ptr = control_page;
27193 page_list[PA_CONTROL_PAGE] = __pa(control_page);
27194diff --git a/arch/x86/kernel/mcount_64.S b/arch/x86/kernel/mcount_64.S
27195index 94ea120..4154cea 100644
27196--- a/arch/x86/kernel/mcount_64.S
27197+++ b/arch/x86/kernel/mcount_64.S
27198@@ -7,7 +7,7 @@
27199 #include <linux/linkage.h>
27200 #include <asm/ptrace.h>
27201 #include <asm/ftrace.h>
27202-
27203+#include <asm/alternative-asm.h>
27204
27205 .code64
27206 .section .entry.text, "ax"
27207@@ -148,8 +148,9 @@
27208 #ifdef CONFIG_DYNAMIC_FTRACE
27209
27210 ENTRY(function_hook)
27211+ pax_force_retaddr
27212 retq
27213-END(function_hook)
27214+ENDPROC(function_hook)
27215
27216 ENTRY(ftrace_caller)
27217 /* save_mcount_regs fills in first two parameters */
27218@@ -181,8 +182,9 @@ GLOBAL(ftrace_graph_call)
27219 #endif
27220
27221 GLOBAL(ftrace_stub)
27222+ pax_force_retaddr
27223 retq
27224-END(ftrace_caller)
27225+ENDPROC(ftrace_caller)
27226
27227 ENTRY(ftrace_regs_caller)
27228 /* Save the current flags before any operations that can change them */
27229@@ -253,7 +255,7 @@ GLOBAL(ftrace_regs_caller_end)
27230
27231 jmp ftrace_return
27232
27233-END(ftrace_regs_caller)
27234+ENDPROC(ftrace_regs_caller)
27235
27236
27237 #else /* ! CONFIG_DYNAMIC_FTRACE */
27238@@ -272,18 +274,20 @@ fgraph_trace:
27239 #endif
27240
27241 GLOBAL(ftrace_stub)
27242+ pax_force_retaddr
27243 retq
27244
27245 trace:
27246 /* save_mcount_regs fills in first two parameters */
27247 save_mcount_regs
27248
27249+ pax_force_fptr ftrace_trace_function
27250 call *ftrace_trace_function
27251
27252 restore_mcount_regs
27253
27254 jmp fgraph_trace
27255-END(function_hook)
27256+ENDPROC(function_hook)
27257 #endif /* CONFIG_DYNAMIC_FTRACE */
27258 #endif /* CONFIG_FUNCTION_TRACER */
27259
27260@@ -305,8 +309,9 @@ ENTRY(ftrace_graph_caller)
27261
27262 restore_mcount_regs
27263
27264+ pax_force_retaddr
27265 retq
27266-END(ftrace_graph_caller)
27267+ENDPROC(ftrace_graph_caller)
27268
27269 GLOBAL(return_to_handler)
27270 subq $24, %rsp
27271@@ -322,5 +327,7 @@ GLOBAL(return_to_handler)
27272 movq 8(%rsp), %rdx
27273 movq (%rsp), %rax
27274 addq $24, %rsp
27275+ pax_force_fptr %rdi
27276 jmp *%rdi
27277+ENDPROC(return_to_handler)
27278 #endif
27279diff --git a/arch/x86/kernel/module.c b/arch/x86/kernel/module.c
27280index 005c03e..7000fe4 100644
27281--- a/arch/x86/kernel/module.c
27282+++ b/arch/x86/kernel/module.c
27283@@ -75,17 +75,17 @@ static unsigned long int get_module_load_offset(void)
27284 }
27285 #endif
27286
27287-void *module_alloc(unsigned long size)
27288+static inline void *__module_alloc(unsigned long size, pgprot_t prot)
27289 {
27290 void *p;
27291
27292- if (PAGE_ALIGN(size) > MODULES_LEN)
27293+ if (!size || PAGE_ALIGN(size) > MODULES_LEN)
27294 return NULL;
27295
27296 p = __vmalloc_node_range(size, MODULE_ALIGN,
27297 MODULES_VADDR + get_module_load_offset(),
27298- MODULES_END, GFP_KERNEL | __GFP_HIGHMEM,
27299- PAGE_KERNEL_EXEC, 0, NUMA_NO_NODE,
27300+ MODULES_END, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO,
27301+ prot, 0, NUMA_NO_NODE,
27302 __builtin_return_address(0));
27303 if (p && (kasan_module_alloc(p, size) < 0)) {
27304 vfree(p);
27305@@ -95,6 +95,51 @@ void *module_alloc(unsigned long size)
27306 return p;
27307 }
27308
27309+void *module_alloc(unsigned long size)
27310+{
27311+
27312+#ifdef CONFIG_PAX_KERNEXEC
27313+ return __module_alloc(size, PAGE_KERNEL);
27314+#else
27315+ return __module_alloc(size, PAGE_KERNEL_EXEC);
27316+#endif
27317+
27318+}
27319+
27320+#ifdef CONFIG_PAX_KERNEXEC
27321+#ifdef CONFIG_X86_32
27322+void *module_alloc_exec(unsigned long size)
27323+{
27324+ struct vm_struct *area;
27325+
27326+ if (size == 0)
27327+ return NULL;
27328+
27329+ area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
27330+return area ? area->addr : NULL;
27331+}
27332+EXPORT_SYMBOL(module_alloc_exec);
27333+
27334+void module_memfree_exec(void *module_region)
27335+{
27336+ vunmap(module_region);
27337+}
27338+EXPORT_SYMBOL(module_memfree_exec);
27339+#else
27340+void module_memfree_exec(void *module_region)
27341+{
27342+ module_memfree(module_region);
27343+}
27344+EXPORT_SYMBOL(module_memfree_exec);
27345+
27346+void *module_alloc_exec(unsigned long size)
27347+{
27348+ return __module_alloc(size, PAGE_KERNEL_RX);
27349+}
27350+EXPORT_SYMBOL(module_alloc_exec);
27351+#endif
27352+#endif
27353+
27354 #ifdef CONFIG_X86_32
27355 int apply_relocate(Elf32_Shdr *sechdrs,
27356 const char *strtab,
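Review bot: The two `module_alloc_exec()` variants added here do not validate `size` the same way: the X86_32 one rejects only `size == 0` and calls `__get_vm_area()`, while the other goes through `__module_alloc()` with its `PAGE_ALIGN(size) > MODULES_LEN` bound and `__GFP_ZERO`. A short comment above each pair should state what the caller receives in that configuration and that the result must be released with `module_memfree_exec()`, since that is `vunmap()` in one case and `module_memfree()` in the other. The line `return area ? area->addr : NULL;` has also lost its indentation.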
27357@@ -105,14 +150,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
27358 unsigned int i;
27359 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
27360 Elf32_Sym *sym;
27361- uint32_t *location;
27362+ uint32_t *plocation, location;
27363
27364 DEBUGP("Applying relocate section %u to %u\n",
27365 relsec, sechdrs[relsec].sh_info);
27366 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
27367 /* This is where to make the change */
27368- location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
27369- + rel[i].r_offset;
27370+ plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
27371+ location = (uint32_t)plocation;
27372+ if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
27373+ plocation = (uint32_t *)ktla_ktva((unsigned long)plocation);
27374 /* This is the symbol it is referring to. Note that all
27375 undefined symbols have been resolved. */
27376 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
27377@@ -121,11 +168,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
27378 switch (ELF32_R_TYPE(rel[i].r_info)) {
27379 case R_386_32:
27380 /* We add the value into the location given */
27381- *location += sym->st_value;
27382+ pax_open_kernel();
27383+ *plocation += sym->st_value;
27384+ pax_close_kernel();
27385 break;
27386 case R_386_PC32:
27387 /* Add the value, subtract its position */
27388- *location += sym->st_value - (uint32_t)location;
27389+ pax_open_kernel();
27390+ *plocation += sym->st_value - location;
27391+ pax_close_kernel();
27392 break;
27393 default:
27394 pr_err("%s: Unknown relocation: %u\n",
27395@@ -170,21 +221,30 @@ int apply_relocate_add(Elf64_Shdr *sechdrs,
27396 case R_X86_64_NONE:
27397 break;
27398 case R_X86_64_64:
27399+ pax_open_kernel();
27400 *(u64 *)loc = val;
27401+ pax_close_kernel();
27402 break;
27403 case R_X86_64_32:
27404+ pax_open_kernel();
27405 *(u32 *)loc = val;
27406+ pax_close_kernel();
27407 if (val != *(u32 *)loc)
27408 goto overflow;
27409 break;
27410 case R_X86_64_32S:
27411+ pax_open_kernel();
27412 *(s32 *)loc = val;
27413+ pax_close_kernel();
27414 if ((s64)val != *(s32 *)loc)
27415 goto overflow;
27416 break;
27417 case R_X86_64_PC32:
27418 val -= (u64)loc;
27419+ pax_open_kernel();
27420 *(u32 *)loc = val;
27421+ pax_close_kernel();
27422+
27423 #if 0
27424 if ((s64)val != *(s32 *)loc)
27425 goto overflow;
27426diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c
27427index 113e707..0a690e1 100644
27428--- a/arch/x86/kernel/msr.c
27429+++ b/arch/x86/kernel/msr.c
27430@@ -39,6 +39,7 @@
27431 #include <linux/notifier.h>
27432 #include <linux/uaccess.h>
27433 #include <linux/gfp.h>
27434+#include <linux/grsecurity.h>
27435
27436 #include <asm/processor.h>
27437 #include <asm/msr.h>
27438@@ -105,6 +106,11 @@ static ssize_t msr_write(struct file *file, const char __user *buf,
27439 int err = 0;
27440 ssize_t bytes = 0;
27441
27442+#ifdef CONFIG_GRKERNSEC_KMEM
27443+ gr_handle_msr_write();
27444+ return -EPERM;
27445+#endif
27446+
27447 if (count % 8)
27448 return -EINVAL; /* Invalid chunk size */
27449
27450@@ -152,6 +158,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg)
27451 err = -EBADF;
27452 break;
27453 }
27454+#ifdef CONFIG_GRKERNSEC_KMEM
27455+ gr_handle_msr_write();
27456+ return -EPERM;
27457+#endif
27458 if (copy_from_user(&regs, uregs, sizeof regs)) {
27459 err = -EFAULT;
27460 break;
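Review bot: The `CONFIG_GRKERNSEC_KMEM` block leaves this switch case with `return -EPERM;` while the neighbouring error paths in the same case set `err` and `break`. Writing `err = -EPERM; break;` keeps the function's single exit, which matters if cleanup is ever added after the switch (the tail of msr_ioctl is outside the hunk). In the matching hunk in `msr_write()` the unconditional return makes the rest of the function unreachable when the option is set; putting the remaining body under `#else` would avoid unused-variable and unreachable-code warnings.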
27461@@ -235,7 +245,7 @@ static int msr_class_cpu_callback(struct notifier_block *nfb,
27462 return notifier_from_errno(err);
27463 }
27464
27465-static struct notifier_block __refdata msr_class_cpu_notifier = {
27466+static struct notifier_block msr_class_cpu_notifier = {
27467 .notifier_call = msr_class_cpu_callback,
27468 };
27469
27470diff --git a/arch/x86/kernel/nmi.c b/arch/x86/kernel/nmi.c
27471index d05bd2e..f690edd 100644
27472--- a/arch/x86/kernel/nmi.c
27473+++ b/arch/x86/kernel/nmi.c
27474@@ -98,16 +98,16 @@ fs_initcall(nmi_warning_debugfs);
27475
27476 static void nmi_max_handler(struct irq_work *w)
27477 {
27478- struct nmiaction *a = container_of(w, struct nmiaction, irq_work);
27479+ struct nmiwork *n = container_of(w, struct nmiwork, irq_work);
27480 int remainder_ns, decimal_msecs;
27481- u64 whole_msecs = ACCESS_ONCE(a->max_duration);
27482+ u64 whole_msecs = ACCESS_ONCE(n->max_duration);
27483
27484 remainder_ns = do_div(whole_msecs, (1000 * 1000));
27485 decimal_msecs = remainder_ns / 1000;
27486
27487 printk_ratelimited(KERN_INFO
27488 "INFO: NMI handler (%ps) took too long to run: %lld.%03d msecs\n",
27489- a->handler, whole_msecs, decimal_msecs);
27490+ n->action->handler, whole_msecs, decimal_msecs);
27491 }
27492
27493 static int nmi_handle(unsigned int type, struct pt_regs *regs, bool b2b)
27494@@ -134,11 +134,11 @@ static int nmi_handle(unsigned int type, struct pt_regs *regs, bool b2b)
27495 delta = sched_clock() - delta;
27496 trace_nmi_handler(a->handler, (int)delta, thishandled);
27497
27498- if (delta < nmi_longest_ns || delta < a->max_duration)
27499+ if (delta < nmi_longest_ns || delta < a->work->max_duration)
27500 continue;
27501
27502- a->max_duration = delta;
27503- irq_work_queue(&a->irq_work);
27504+ a->work->max_duration = delta;
27505+ irq_work_queue(&a->work->irq_work);
27506 }
27507
27508 rcu_read_unlock();
27509@@ -148,7 +148,7 @@ static int nmi_handle(unsigned int type, struct pt_regs *regs, bool b2b)
27510 }
27511 NOKPROBE_SYMBOL(nmi_handle);
27512
27513-int __register_nmi_handler(unsigned int type, struct nmiaction *action)
27514+int __register_nmi_handler(unsigned int type, const struct nmiaction *action)
27515 {
27516 struct nmi_desc *desc = nmi_to_desc(type);
27517 unsigned long flags;
27518@@ -156,7 +156,8 @@ int __register_nmi_handler(unsigned int type, struct nmiaction *action)
27519 if (!action->handler)
27520 return -EINVAL;
27521
27522- init_irq_work(&action->irq_work, nmi_max_handler);
27523+ action->work->action = action;
27524+ init_irq_work(&action->work->irq_work, nmi_max_handler);
27525
27526 spin_lock_irqsave(&desc->lock, flags);
27527
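Review bot: `action->work` is dereferenced in `action->work->action = action;` without a check, although the function already rejects a missing handler with `-EINVAL`. Extending the guard to `if (!action->handler || !action->work)` keeps a hand-built `struct nmiaction` from faulting here; the `register_nmi_handler()` macro presumably always fills `work` in, but it is not part of this file. The casts `(struct list_head *)&action->list` in the next hunk drop the new `const`, which deserves a one-line comment saying the write is meant to go through the `pax_list_*` helpers.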
27528@@ -174,9 +175,9 @@ int __register_nmi_handler(unsigned int type, struct nmiaction *action)
27529 * event confuses some handlers (kdump uses this flag)
27530 */
27531 if (action->flags & NMI_FLAG_FIRST)
27532- list_add_rcu(&action->list, &desc->head);
27533+ pax_list_add_rcu((struct list_head *)&action->list, &desc->head);
27534 else
27535- list_add_tail_rcu(&action->list, &desc->head);
27536+ pax_list_add_tail_rcu((struct list_head *)&action->list, &desc->head);
27537
27538 spin_unlock_irqrestore(&desc->lock, flags);
27539 return 0;
27540@@ -199,7 +200,7 @@ void unregister_nmi_handler(unsigned int type, const char *name)
27541 if (!strcmp(n->name, name)) {
27542 WARN(in_nmi(),
27543 "Trying to free NMI (%s) from NMI context!\n", n->name);
27544- list_del_rcu(&n->list);
27545+ pax_list_del_rcu((struct list_head *)&n->list);
27546 break;
27547 }
27548 }
27549@@ -481,6 +482,17 @@ static DEFINE_PER_CPU(int, update_debug_stack);
27550 dotraplinkage notrace void
27551 do_nmi(struct pt_regs *regs, long error_code)
27552 {
27553+
27554+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
27555+ if (!user_mode(regs)) {
27556+ unsigned long cs = regs->cs & 0xFFFF;
27557+ unsigned long ip = ktva_ktla(regs->ip);
27558+
27559+ if ((cs == __KERNEL_CS || cs == __KERNEXEC_KERNEL_CS) && ip <= (unsigned long)_etext)
27560+ regs->ip = ip;
27561+ }
27562+#endif
27563+
27564 if (this_cpu_read(nmi_state) != NMI_NOT_RUNNING) {
27565 this_cpu_write(nmi_state, NMI_LATCHED);
27566 return;
27567diff --git a/arch/x86/kernel/nmi_selftest.c b/arch/x86/kernel/nmi_selftest.c
27568index 6d9582e..f746287 100644
27569--- a/arch/x86/kernel/nmi_selftest.c
27570+++ b/arch/x86/kernel/nmi_selftest.c
27571@@ -43,7 +43,7 @@ static void __init init_nmi_testsuite(void)
27572 {
27573 /* trap all the unknown NMIs we may generate */
27574 register_nmi_handler(NMI_UNKNOWN, nmi_unk_cb, 0, "nmi_selftest_unk",
27575- __initdata);
27576+ __initconst);
27577 }
27578
27579 static void __init cleanup_nmi_testsuite(void)
27580@@ -66,7 +66,7 @@ static void __init test_nmi_ipi(struct cpumask *mask)
27581 unsigned long timeout;
27582
27583 if (register_nmi_handler(NMI_LOCAL, test_nmi_ipi_callback,
27584- NMI_FLAG_FIRST, "nmi_selftest", __initdata)) {
27585+ NMI_FLAG_FIRST, "nmi_selftest", __initconst)) {
27586 nmi_fail = FAILURE;
27587 return;
27588 }
27589diff --git a/arch/x86/kernel/paravirt-spinlocks.c b/arch/x86/kernel/paravirt-spinlocks.c
27590index 33ee3e0..da3519a 100644
27591--- a/arch/x86/kernel/paravirt-spinlocks.c
27592+++ b/arch/x86/kernel/paravirt-spinlocks.c
27593@@ -23,7 +23,7 @@ bool pv_is_native_spin_unlock(void)
27594 }
27595 #endif
27596
27597-struct pv_lock_ops pv_lock_ops = {
27598+struct pv_lock_ops pv_lock_ops __read_only = {
27599 #ifdef CONFIG_SMP
27600 #ifdef CONFIG_QUEUED_SPINLOCKS
27601 .queued_spin_lock_slowpath = native_queued_spin_lock_slowpath,
27602diff --git a/arch/x86/kernel/paravirt.c b/arch/x86/kernel/paravirt.c
27603index ebb5657..dde2f45 100644
27604--- a/arch/x86/kernel/paravirt.c
27605+++ b/arch/x86/kernel/paravirt.c
27606@@ -64,6 +64,9 @@ u64 _paravirt_ident_64(u64 x)
27607 {
27608 return x;
27609 }
27610+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
27611+PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64);
27612+#endif
27613
27614 void __init default_banner(void)
27615 {
27616@@ -150,16 +153,20 @@ unsigned paravirt_patch_default(u8 type, u16 clobbers, void *insnbuf,
27617
27618 if (opfunc == NULL)
27619 /* If there's no function, patch it with a ud2a (BUG) */
27620- ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
27621- else if (opfunc == _paravirt_nop)
27622+ ret = paravirt_patch_insns(insnbuf, len, (const char *)ktva_ktla((unsigned long)ud2a), ud2a+sizeof(ud2a));
27623+ else if (opfunc == (void *)_paravirt_nop)
27624 /* If the operation is a nop, then nop the callsite */
27625 ret = paravirt_patch_nop();
27626
27627 /* identity functions just return their single argument */
27628- else if (opfunc == _paravirt_ident_32)
27629+ else if (opfunc == (void *)_paravirt_ident_32)
27630 ret = paravirt_patch_ident_32(insnbuf, len);
27631- else if (opfunc == _paravirt_ident_64)
27632+ else if (opfunc == (void *)_paravirt_ident_64)
27633 ret = paravirt_patch_ident_64(insnbuf, len);
27634+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
27635+ else if (opfunc == (void *)__raw_callee_save__paravirt_ident_64)
27636+ ret = paravirt_patch_ident_64(insnbuf, len);
27637+#endif
27638
27639 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
27640 #ifdef CONFIG_X86_32
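Review bot: In the `opfunc == NULL` branch only the start pointer is passed through `ktva_ktla()`, while the end pointer is still `ud2a+sizeof(ud2a)`. Wherever `ktva_ktla()` is not the identity the two no longer describe the same two-byte range, and `paravirt_patch_insns()`, which appears to derive `insn_len` from `end - start` outside the visible hunks, would take its `insn_len > len` path and skip the copy. Translating both ends keeps the length intact: pass `(const char *)ktva_ktla((unsigned long)ud2a) + sizeof(ud2a)` as the last argument. paravirt_patch_default's body starts and ends outside the hunk.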
27641@@ -186,7 +193,7 @@ unsigned paravirt_patch_insns(void *insnbuf, unsigned len,
27642 if (insn_len > len || start == NULL)
27643 insn_len = len;
27644 else
27645- memcpy(insnbuf, start, insn_len);
27646+ memcpy(insnbuf, (const char *)ktla_ktva((unsigned long)start), insn_len);
27647
27648 return insn_len;
27649 }
27650@@ -310,7 +317,7 @@ enum paravirt_lazy_mode paravirt_get_lazy_mode(void)
27651 return this_cpu_read(paravirt_lazy_mode);
27652 }
27653
27654-struct pv_info pv_info = {
27655+struct pv_info pv_info __read_only = {
27656 .name = "bare hardware",
27657 .paravirt_enabled = 0,
27658 .kernel_rpl = 0,
27659@@ -321,16 +328,16 @@ struct pv_info pv_info = {
27660 #endif
27661 };
27662
27663-struct pv_init_ops pv_init_ops = {
27664+struct pv_init_ops pv_init_ops __read_only = {
27665 .patch = native_patch,
27666 };
27667
27668-struct pv_time_ops pv_time_ops = {
27669+struct pv_time_ops pv_time_ops __read_only = {
27670 .sched_clock = native_sched_clock,
27671 .steal_clock = native_steal_clock,
27672 };
27673
27674-__visible struct pv_irq_ops pv_irq_ops = {
27675+__visible struct pv_irq_ops pv_irq_ops __read_only = {
27676 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
27677 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
27678 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
27679@@ -342,7 +349,7 @@ __visible struct pv_irq_ops pv_irq_ops = {
27680 #endif
27681 };
27682
27683-__visible struct pv_cpu_ops pv_cpu_ops = {
27684+__visible struct pv_cpu_ops pv_cpu_ops __read_only = {
27685 .cpuid = native_cpuid,
27686 .get_debugreg = native_get_debugreg,
27687 .set_debugreg = native_set_debugreg,
27688@@ -405,21 +412,26 @@ NOKPROBE_SYMBOL(native_get_debugreg);
27689 NOKPROBE_SYMBOL(native_set_debugreg);
27690 NOKPROBE_SYMBOL(native_load_idt);
27691
27692-struct pv_apic_ops pv_apic_ops = {
27693+struct pv_apic_ops pv_apic_ops __read_only= {
27694 #ifdef CONFIG_X86_LOCAL_APIC
27695 .startup_ipi_hook = paravirt_nop,
27696 #endif
27697 };
27698
27699-#if defined(CONFIG_X86_32) && !defined(CONFIG_X86_PAE)
27700+#ifdef CONFIG_X86_32
27701+#ifdef CONFIG_X86_PAE
27702+/* 64-bit pagetable entries */
27703+#define PTE_IDENT PV_CALLEE_SAVE(_paravirt_ident_64)
27704+#else
27705 /* 32-bit pagetable entries */
27706 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_32)
27707+#endif
27708 #else
27709 /* 64-bit pagetable entries */
27710 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
27711 #endif
27712
27713-struct pv_mmu_ops pv_mmu_ops = {
27714+struct pv_mmu_ops pv_mmu_ops __read_only = {
27715
27716 .read_cr2 = native_read_cr2,
27717 .write_cr2 = native_write_cr2,
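Review bot: The PAE case of `PTE_IDENT` uses `PV_CALLEE_SAVE(_paravirt_ident_64)` while the other two cases use `__PV_IS_CALLEE_SAVE(...)`, and the reason for the difference is not stated. A comment next to the define, such as `/* 32-bit PAE: the 64-bit identity goes through the register-saving thunk */`, would tie it to the `PV_CALLEE_SAVE_REGS_THUNK(_paravirt_ident_64)` added earlier in this file (presumably that is the reason; confirm). `pv_apic_ops __read_only= {` is also missing the space before `=` that the other definitions have.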
27718@@ -469,6 +481,7 @@ struct pv_mmu_ops pv_mmu_ops = {
27719 .make_pud = PTE_IDENT,
27720
27721 .set_pgd = native_set_pgd,
27722+ .set_pgd_batched = native_set_pgd_batched,
27723 #endif
27724 #endif /* CONFIG_PGTABLE_LEVELS >= 3 */
27725
27726@@ -489,6 +502,12 @@ struct pv_mmu_ops pv_mmu_ops = {
27727 },
27728
27729 .set_fixmap = native_set_fixmap,
27730+
27731+#ifdef CONFIG_PAX_KERNEXEC
27732+ .pax_open_kernel = native_pax_open_kernel,
27733+ .pax_close_kernel = native_pax_close_kernel,
27734+#endif
27735+
27736 };
27737
27738 EXPORT_SYMBOL_GPL(pv_time_ops);
27739diff --git a/arch/x86/kernel/paravirt_patch_64.c b/arch/x86/kernel/paravirt_patch_64.c
27740index 8aa0558..465512e 100644
27741--- a/arch/x86/kernel/paravirt_patch_64.c
27742+++ b/arch/x86/kernel/paravirt_patch_64.c
27743@@ -9,7 +9,11 @@ DEF_NATIVE(pv_irq_ops, save_fl, "pushfq; popq %rax");
27744 DEF_NATIVE(pv_mmu_ops, read_cr2, "movq %cr2, %rax");
27745 DEF_NATIVE(pv_mmu_ops, read_cr3, "movq %cr3, %rax");
27746 DEF_NATIVE(pv_mmu_ops, write_cr3, "movq %rdi, %cr3");
27747+
27748+#ifndef CONFIG_PAX_MEMORY_UDEREF
27749 DEF_NATIVE(pv_mmu_ops, flush_tlb_single, "invlpg (%rdi)");
27750+#endif
27751+
27752 DEF_NATIVE(pv_cpu_ops, clts, "clts");
27753 DEF_NATIVE(pv_cpu_ops, wbinvd, "wbinvd");
27754
27755@@ -62,7 +66,11 @@ unsigned native_patch(u8 type, u16 clobbers, void *ibuf,
27756 PATCH_SITE(pv_mmu_ops, read_cr3);
27757 PATCH_SITE(pv_mmu_ops, write_cr3);
27758 PATCH_SITE(pv_cpu_ops, clts);
27759+
27760+#ifndef CONFIG_PAX_MEMORY_UDEREF
27761 PATCH_SITE(pv_mmu_ops, flush_tlb_single);
27762+#endif
27763+
27764 PATCH_SITE(pv_cpu_ops, wbinvd);
27765 #if defined(CONFIG_PARAVIRT_SPINLOCKS) && defined(CONFIG_QUEUED_SPINLOCKS)
27766 case PARAVIRT_PATCH(pv_lock_ops.queued_spin_unlock):
27767diff --git a/arch/x86/kernel/pci-calgary_64.c b/arch/x86/kernel/pci-calgary_64.c
27768index 0497f71..7186c0d 100644
27769--- a/arch/x86/kernel/pci-calgary_64.c
27770+++ b/arch/x86/kernel/pci-calgary_64.c
27771@@ -1347,7 +1347,7 @@ static void __init get_tce_space_from_tar(void)
27772 tce_space = be64_to_cpu(readq(target));
27773 tce_space = tce_space & TAR_SW_BITS;
27774
27775- tce_space = tce_space & (~specified_table_size);
27776+ tce_space = tce_space & (~(unsigned long)specified_table_size);
27777 info->tce_space = (u64 *)__va(tce_space);
27778 }
27779 }
27780diff --git a/arch/x86/kernel/pci-iommu_table.c b/arch/x86/kernel/pci-iommu_table.c
27781index 35ccf75..7a15747 100644
27782--- a/arch/x86/kernel/pci-iommu_table.c
27783+++ b/arch/x86/kernel/pci-iommu_table.c
27784@@ -2,7 +2,7 @@
27785 #include <asm/iommu_table.h>
27786 #include <linux/string.h>
27787 #include <linux/kallsyms.h>
27788-
27789+#include <linux/sched.h>
27790
27791 #define DEBUG 1
27792
27793diff --git a/arch/x86/kernel/pci-swiotlb.c b/arch/x86/kernel/pci-swiotlb.c
27794index adf0392..88a7576 100644
27795--- a/arch/x86/kernel/pci-swiotlb.c
27796+++ b/arch/x86/kernel/pci-swiotlb.c
27797@@ -40,7 +40,7 @@ void x86_swiotlb_free_coherent(struct device *dev, size_t size,
27798 struct dma_attrs *attrs)
27799 {
27800 if (is_swiotlb_buffer(dma_to_phys(dev, dma_addr)))
27801- swiotlb_free_coherent(dev, size, vaddr, dma_addr);
27802+ swiotlb_free_coherent(dev, size, vaddr, dma_addr, attrs);
27803 else
27804 dma_generic_free_coherent(dev, size, vaddr, dma_addr, attrs);
27805 }
27806diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
27807index c27cad7..cc494be 100644
27808--- a/arch/x86/kernel/process.c
27809+++ b/arch/x86/kernel/process.c
27810@@ -15,6 +15,7 @@
27811 #include <linux/dmi.h>
27812 #include <linux/utsname.h>
27813 #include <linux/stackprotector.h>
27814+#include <linux/kthread.h>
27815 #include <linux/tick.h>
27816 #include <linux/cpuidle.h>
27817 #include <trace/events/power.h>
27818@@ -37,7 +38,8 @@
27819 * section. Since TSS's are completely CPU-local, we want them
27820 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
27821 */
27822-__visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
27823+struct tss_struct cpu_tss[NR_CPUS] __visible ____cacheline_internodealigned_in_smp = {
27824+ [0 ... NR_CPUS-1] = {
27825 .x86_tss = {
27826 .sp0 = TOP_OF_INIT_STACK,
27827 #ifdef CONFIG_X86_32
27828@@ -55,6 +57,7 @@ __visible DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, cpu_tss) = {
27829 */
27830 .io_bitmap = { [0 ... IO_BITMAP_LONGS] = ~0 },
27831 #endif
27832+}
27833 };
27834 EXPORT_PER_CPU_SYMBOL(cpu_tss);
27835
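Review bot: `cpu_tss` becomes a plain `NR_CPUS` array in the previous hunk, but it is still exported with `EXPORT_PER_CPU_SYMBOL(cpu_tss);`. That macro is meant for `DEFINE_PER_CPU*` variables and only works here as long as it expands to a plain symbol export; `EXPORT_SYMBOL(cpu_tss);` states what is actually exported and does not depend on the per-cpu configuration. Readers of the export would otherwise expect `per_cpu()` access, which the later hunks replace with `cpu_tss + cpu`.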
27836@@ -75,17 +78,37 @@ void idle_notifier_unregister(struct notifier_block *n)
27837 EXPORT_SYMBOL_GPL(idle_notifier_unregister);
27838 #endif
27839
27840+struct kmem_cache *fpregs_state_cachep;
27841+EXPORT_SYMBOL(fpregs_state_cachep);
27842+
27843+void __init arch_task_cache_init(void)
27844+{
27845+ /* create a slab on which task_structs can be allocated */
27846+ fpregs_state_cachep =
27847+ kmem_cache_create("fpregs_state", xstate_size,
27848+ ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
27849+}
27850+
27851 /*
27852 * this gets called so that we can store lazy state into memory and copy the
27853 * current task into the new thread.
27854 */
27855 int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src)
27856 {
27857- memcpy(dst, src, arch_task_struct_size);
27858+ *dst = *src;
27859+
27860+ dst->thread.fpu.state = kmem_cache_alloc_node(fpregs_state_cachep, GFP_KERNEL, tsk_fork_get_node(src));
27861+ memcpy(dst->thread.fpu.state, src->thread.fpu.state, xstate_size);
27862
27863 return fpu__copy(&dst->thread.fpu, &src->thread.fpu);
27864 }
27865
27866+void arch_release_task_struct(struct task_struct *tsk)
27867+{
27868+ kmem_cache_free(fpregs_state_cachep, tsk->thread.fpu.state);
27869+ tsk->thread.fpu.state = NULL;
27870+}
27871+
27872 /*
27873 * Free current thread data structures etc..
27874 */
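Review bot: The result of `kmem_cache_alloc_node()` is passed straight to `memcpy()` as the destination, so an allocation failure under `GFP_KERNEL` becomes a NULL write in `arch_dup_task_struct()`. Add `if (!dst->thread.fpu.state) return -ENOMEM;` before the copy. Because `*dst = *src;` first copies the parent's pointer and the assignment then overwrites it, the failure path leaves `dst->thread.fpu.state` NULL, so confirm that `arch_release_task_struct()`, or whatever the caller runs on error outside this hunk, tolerates that. The comment in `arch_task_cache_init()` still says the slab is for task_structs, although the cache holds FPU register state.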
27875@@ -97,7 +120,7 @@ void exit_thread(void)
27876 struct fpu *fpu = &t->fpu;
27877
27878 if (bp) {
27879- struct tss_struct *tss = &per_cpu(cpu_tss, get_cpu());
27880+ struct tss_struct *tss = cpu_tss + get_cpu();
27881
27882 t->io_bitmap_ptr = NULL;
27883 clear_thread_flag(TIF_IO_BITMAP);
27884@@ -117,6 +140,9 @@ void flush_thread(void)
27885 {
27886 struct task_struct *tsk = current;
27887
27888+#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
27889+ loadsegment(gs, 0);
27890+#endif
27891 flush_ptrace_hw_breakpoint(tsk);
27892 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
27893
27894@@ -258,7 +284,7 @@ static void __exit_idle(void)
27895 void exit_idle(void)
27896 {
27897 /* idle loop has pid 0 */
27898- if (current->pid)
27899+ if (task_pid_nr(current))
27900 return;
27901 __exit_idle();
27902 }
27903@@ -311,7 +337,7 @@ bool xen_set_default_idle(void)
27904 return ret;
27905 }
27906 #endif
27907-void stop_this_cpu(void *dummy)
27908+__noreturn void stop_this_cpu(void *dummy)
27909 {
27910 local_irq_disable();
27911 /*
27912@@ -488,16 +514,40 @@ static int __init idle_setup(char *str)
27913 }
27914 early_param("idle", idle_setup);
27915
27916-unsigned long arch_align_stack(unsigned long sp)
27917-{
27918- if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
27919- sp -= get_random_int() % 8192;
27920- return sp & ~0xf;
27921-}
27922-
27923 unsigned long arch_randomize_brk(struct mm_struct *mm)
27924 {
27925 unsigned long range_end = mm->brk + 0x02000000;
27926 return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
27927 }
27928
27929+#ifdef CONFIG_PAX_RANDKSTACK
27930+void pax_randomize_kstack(struct pt_regs *regs)
27931+{
27932+ struct thread_struct *thread = &current->thread;
27933+ unsigned long time;
27934+
27935+ if (!randomize_va_space)
27936+ return;
27937+
27938+ if (v8086_mode(regs))
27939+ return;
27940+
27941+ rdtscl(time);
27942+
27943+ /* P4 seems to return a 0 LSB, ignore it */
27944+#ifdef CONFIG_MPENTIUM4
27945+ time &= 0x3EUL;
27946+ time <<= 2;
27947+#elif defined(CONFIG_X86_64)
27948+ time &= 0xFUL;
27949+ time <<= 4;
27950+#else
27951+ time &= 0x1FUL;
27952+ time <<= 3;
27953+#endif
27954+
27955+ thread->sp0 ^= time;
27956+ load_sp0(cpu_tss + smp_processor_id(), thread);
27957+ this_cpu_write(cpu_current_top_of_stack, thread->sp0);
27958+}
27959+#endif
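Review bot: `pax_randomize_kstack()` takes its offset from the low bits of the TSC via `rdtscl(time)`, which is a timestamp rather than a random source and is normally readable from userspace too, and the three mask/shift pairs do not say how many bits each contributes. Either document why a timestamp is acceptable here (presumably its cost on the syscall path) or draw the bits from the kernel's random pool, e.g. `time = get_random_int();` before the masking. A comment per branch, such as `/* 4 bits, 16-byte granularity */` for the `0xFUL` / `<<= 4` case, would make the resulting offset range reviewable. `thread->sp0 ^= time` also toggles bits in the previous value instead of setting a fresh offset, which the function comment should state.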
27960diff --git a/arch/x86/kernel/process_32.c b/arch/x86/kernel/process_32.c
27961index f73c962..6589332 100644
27962--- a/arch/x86/kernel/process_32.c
27963+++ b/arch/x86/kernel/process_32.c
27964@@ -63,6 +63,7 @@ asmlinkage void ret_from_kernel_thread(void) __asm__("ret_from_kernel_thread");
27965 unsigned long thread_saved_pc(struct task_struct *tsk)
27966 {
27967 return ((unsigned long *)tsk->thread.sp)[3];
27968+//XXX return tsk->thread.eip;
27969 }
27970
27971 void __show_regs(struct pt_regs *regs, int all)
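Review bot: The added line `//XXX return tsk->thread.eip;` sits after the function's `return` and is commented-out code with no explanation. Remove it, or replace it with a sentence that says what is still undecided about reading the saved pc from stack slot `[3]`, so the marker does not outlive its context.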
27972@@ -75,16 +76,15 @@ void __show_regs(struct pt_regs *regs, int all)
27973 if (user_mode(regs)) {
27974 sp = regs->sp;
27975 ss = regs->ss & 0xffff;
27976- gs = get_user_gs(regs);
27977 } else {
27978 sp = kernel_stack_pointer(regs);
27979 savesegment(ss, ss);
27980- savesegment(gs, gs);
27981 }
27982+ gs = get_user_gs(regs);
27983
27984 printk(KERN_DEFAULT "EIP: %04x:[<%08lx>] EFLAGS: %08lx CPU: %d\n",
27985 (u16)regs->cs, regs->ip, regs->flags,
27986- smp_processor_id());
27987+ raw_smp_processor_id());
27988 print_symbol("EIP is at %s\n", regs->ip);
27989
27990 printk(KERN_DEFAULT "EAX: %08lx EBX: %08lx ECX: %08lx EDX: %08lx\n",
27991@@ -131,21 +131,22 @@ void release_thread(struct task_struct *dead_task)
27992 int copy_thread_tls(unsigned long clone_flags, unsigned long sp,
27993 unsigned long arg, struct task_struct *p, unsigned long tls)
27994 {
27995- struct pt_regs *childregs = task_pt_regs(p);
27996+ struct pt_regs *childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
27997 struct task_struct *tsk;
27998 int err;
27999
28000 p->thread.sp = (unsigned long) childregs;
28001 p->thread.sp0 = (unsigned long) (childregs+1);
28002+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long);
28003 memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
28004
28005 if (unlikely(p->flags & PF_KTHREAD)) {
28006 /* kernel thread */
28007 memset(childregs, 0, sizeof(struct pt_regs));
28008 p->thread.ip = (unsigned long) ret_from_kernel_thread;
28009- task_user_gs(p) = __KERNEL_STACK_CANARY;
28010- childregs->ds = __USER_DS;
28011- childregs->es = __USER_DS;
28012+ savesegment(gs, childregs->gs);
28013+ childregs->ds = __KERNEL_DS;
28014+ childregs->es = __KERNEL_DS;
28015 childregs->fs = __KERNEL_PERCPU;
28016 childregs->bx = sp; /* function */
28017 childregs->bp = arg;
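Review bot: The `- 8` in the new `childregs` expression is an unnamed stack-top padding, and the same kind of literal recurs in other hunks of this patch: `THREAD_SIZE - 16` for `sp0` in process_64.c, `(sp + 8)` in kernel_stack_pointer() in ptrace.c, and `- 16` in common_cpu_up() and do_boot_cpu() in smpboot.c. Nothing ties these values together, so a later edit to one of them would leave the others disagreeing about where the usable top of the kernel stack is. I would define one named per-arch constant next to THREAD_SIZE and use it at every site, with a comment such as `/* bytes reserved above pt_regs at the top of each kernel stack */`. It is also worth confirming that common_cpu_up() is meant to use 16 on 32-bit as well, given that this hunk uses 8. copy_thread_tls() continues past the end of the hunk.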
28018@@ -245,7 +246,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28019 struct fpu *prev_fpu = &prev->fpu;
28020 struct fpu *next_fpu = &next->fpu;
28021 int cpu = smp_processor_id();
28022- struct tss_struct *tss = &per_cpu(cpu_tss, cpu);
28023+ struct tss_struct *tss = cpu_tss + cpu;
28024 fpu_switch_t fpu_switch;
28025
28026 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
28027@@ -264,6 +265,10 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28028 */
28029 lazy_save_gs(prev->gs);
28030
28031+#ifdef CONFIG_PAX_MEMORY_UDEREF
28032+ __set_fs(task_thread_info(next_p)->addr_limit);
28033+#endif
28034+
28035 /*
28036 * Load the per-thread Thread-Local Storage descriptor.
28037 */
28038@@ -307,9 +312,9 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28039 * current_thread_info().
28040 */
28041 load_sp0(tss, next);
28042- this_cpu_write(cpu_current_top_of_stack,
28043- (unsigned long)task_stack_page(next_p) +
28044- THREAD_SIZE);
28045+ this_cpu_write(current_task, next_p);
28046+ this_cpu_write(current_tinfo, &next_p->tinfo);
28047+ this_cpu_write(cpu_current_top_of_stack, next->sp0);
28048
28049 /*
28050 * Restore %gs if needed (which is common)
28051@@ -319,8 +324,6 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28052
28053 switch_fpu_finish(next_fpu, fpu_switch);
28054
28055- this_cpu_write(current_task, next_p);
28056-
28057 return prev_p;
28058 }
28059
28060@@ -350,4 +353,3 @@ unsigned long get_wchan(struct task_struct *p)
28061 } while (count++ < 16);
28062 return 0;
28063 }
28064-
28065diff --git a/arch/x86/kernel/process_64.c b/arch/x86/kernel/process_64.c
28066index a90ac95..ebac33e 100644
28067--- a/arch/x86/kernel/process_64.c
28068+++ b/arch/x86/kernel/process_64.c
28069@@ -157,9 +157,10 @@ int copy_thread_tls(unsigned long clone_flags, unsigned long sp,
28070 struct pt_regs *childregs;
28071 struct task_struct *me = current;
28072
28073- p->thread.sp0 = (unsigned long)task_stack_page(p) + THREAD_SIZE;
28074+ p->thread.sp0 = (unsigned long)task_stack_page(p) + THREAD_SIZE - 16;
28075 childregs = task_pt_regs(p);
28076 p->thread.sp = (unsigned long) childregs;
28077+ p->tinfo.lowest_stack = (unsigned long)task_stack_page(p) + 2 * sizeof(unsigned long);
28078 set_tsk_thread_flag(p, TIF_FORK);
28079 p->thread.io_bitmap_ptr = NULL;
28080
28081@@ -169,6 +170,8 @@ int copy_thread_tls(unsigned long clone_flags, unsigned long sp,
28082 p->thread.fs = p->thread.fsindex ? 0 : me->thread.fs;
28083 savesegment(es, p->thread.es);
28084 savesegment(ds, p->thread.ds);
28085+ savesegment(ss, p->thread.ss);
28086+ BUG_ON(p->thread.ss == __UDEREF_KERNEL_DS);
28087 memset(p->thread.ptrace_bps, 0, sizeof(p->thread.ptrace_bps));
28088
28089 if (unlikely(p->flags & PF_KTHREAD)) {
28090@@ -276,7 +279,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28091 struct fpu *prev_fpu = &prev->fpu;
28092 struct fpu *next_fpu = &next->fpu;
28093 int cpu = smp_processor_id();
28094- struct tss_struct *tss = &per_cpu(cpu_tss, cpu);
28095+ struct tss_struct *tss = cpu_tss + cpu;
28096 unsigned fsindex, gsindex;
28097 fpu_switch_t fpu_switch;
28098
28099@@ -327,6 +330,10 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28100 if (unlikely(next->ds | prev->ds))
28101 loadsegment(ds, next->ds);
28102
28103+ savesegment(ss, prev->ss);
28104+ if (unlikely(next->ss != prev->ss))
28105+ loadsegment(ss, next->ss);
28106+
28107 /*
28108 * Switch FS and GS.
28109 *
28110@@ -398,6 +405,7 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28111 * Switch the PDA and FPU contexts.
28112 */
28113 this_cpu_write(current_task, next_p);
28114+ this_cpu_write(current_tinfo, &next_p->tinfo);
28115
28116 /*
28117 * If it were not for PREEMPT_ACTIVE we could guarantee that the
28118@@ -410,6 +418,8 @@ __switch_to(struct task_struct *prev_p, struct task_struct *next_p)
28119 /* Reload esp0 and ss1. This changes current_thread_info(). */
28120 load_sp0(tss, next);
28121
28122+ this_cpu_write(cpu_current_top_of_stack, next->sp0);
28123+
28124 /*
28125 * Now maybe reload the debug registers and handle I/O bitmaps
28126 */
28127@@ -510,7 +520,6 @@ unsigned long get_wchan(struct task_struct *p)
28128
28129 if (!p || p == current || p->state == TASK_RUNNING)
28130 return 0;
28131-
28132 start = (unsigned long)task_stack_page(p);
28133 if (!start)
28134 return 0;
28135@@ -535,7 +544,10 @@ unsigned long get_wchan(struct task_struct *p)
28136 */
28137 top = start + THREAD_SIZE - TOP_OF_KERNEL_STACK_PADDING;
28138 top -= 2 * sizeof(unsigned long);
28139- bottom = start + sizeof(struct thread_info);
28140+ /* not adding sizeof(thread_info) since it's not located on the stack
28141+ with PaX patched in
28142+ */
28143+ bottom = start;
28144
28145 sp = READ_ONCE(p->thread.sp);
28146 if (sp < bottom || sp > top)
28147diff --git a/arch/x86/kernel/ptrace.c b/arch/x86/kernel/ptrace.c
28148index 9be72bc..f4329c5 100644
28149--- a/arch/x86/kernel/ptrace.c
28150+++ b/arch/x86/kernel/ptrace.c
28151@@ -186,10 +186,10 @@ unsigned long kernel_stack_pointer(struct pt_regs *regs)
28152 unsigned long sp = (unsigned long)&regs->sp;
28153 u32 *prev_esp;
28154
28155- if (context == (sp & ~(THREAD_SIZE - 1)))
28156+ if (context == ((sp + 8) & ~(THREAD_SIZE - 1)))
28157 return sp;
28158
28159- prev_esp = (u32 *)(context);
28160+ prev_esp = *(u32 **)(context);
28161 if (prev_esp)
28162 return (unsigned long)prev_esp;
28163
28164@@ -446,6 +446,20 @@ static int putreg(struct task_struct *child,
28165 if (child->thread.gs != value)
28166 return do_arch_prctl(child, ARCH_SET_GS, value);
28167 return 0;
28168+
28169+ case offsetof(struct user_regs_struct,ip):
28170+ /*
28171+ * Protect against any attempt to set ip to an
28172+ * impossible address. There are dragons lurking if the
28173+ * address is noncanonical. (This explicitly allows
28174+ * setting ip to TASK_SIZE_MAX, because user code can do
28175+ * that all by itself by running off the end of its
28176+ * address space.
28177+ */
28178+ if (value > TASK_SIZE_MAX)
28179+ return -EIO;
28180+ break;
28181+
28182 #endif
28183 }
28184
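Review bot: The comment on the new `ip` case opens a parenthesis at `(This explicitly allows` and never closes it; it should end `address space.)`. The case sits just before an `#endif` whose opening `#if` is outside the hunk, so the comment should also name the configuration the check applies to, since a reader cannot tell from here which builds get it. The blank line left between `break;` and `#endif` can go.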
28185@@ -582,7 +596,7 @@ static void ptrace_triggered(struct perf_event *bp,
28186 static unsigned long ptrace_get_dr7(struct perf_event *bp[])
28187 {
28188 int i;
28189- int dr7 = 0;
28190+ unsigned long dr7 = 0;
28191 struct arch_hw_breakpoint *info;
28192
28193 for (i = 0; i < HBP_NUM; i++) {
28194@@ -816,7 +830,7 @@ long arch_ptrace(struct task_struct *child, long request,
28195 unsigned long addr, unsigned long data)
28196 {
28197 int ret;
28198- unsigned long __user *datap = (unsigned long __user *)data;
28199+ unsigned long __user *datap = (__force unsigned long __user *)data;
28200
28201 switch (request) {
28202 /* read the word at location addr in the USER area. */
28203@@ -901,14 +915,14 @@ long arch_ptrace(struct task_struct *child, long request,
28204 if ((int) addr < 0)
28205 return -EIO;
28206 ret = do_get_thread_area(child, addr,
28207- (struct user_desc __user *)data);
28208+ (__force struct user_desc __user *) data);
28209 break;
28210
28211 case PTRACE_SET_THREAD_AREA:
28212 if ((int) addr < 0)
28213 return -EIO;
28214 ret = do_set_thread_area(child, addr,
28215- (struct user_desc __user *)data, 0);
28216+ (__force struct user_desc __user *) data, 0);
28217 break;
28218 #endif
28219
28220@@ -1286,7 +1300,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
28221
28222 #ifdef CONFIG_X86_64
28223
28224-static struct user_regset x86_64_regsets[] __read_mostly = {
28225+static user_regset_no_const x86_64_regsets[] __read_only = {
28226 [REGSET_GENERAL] = {
28227 .core_note_type = NT_PRSTATUS,
28228 .n = sizeof(struct user_regs_struct) / sizeof(long),
28229@@ -1327,7 +1341,7 @@ static const struct user_regset_view user_x86_64_view = {
28230 #endif /* CONFIG_X86_64 */
28231
28232 #if defined CONFIG_X86_32 || defined CONFIG_IA32_EMULATION
28233-static struct user_regset x86_32_regsets[] __read_mostly = {
28234+static user_regset_no_const x86_32_regsets[] __read_only = {
28235 [REGSET_GENERAL] = {
28236 .core_note_type = NT_PRSTATUS,
28237 .n = sizeof(struct user_regs_struct32) / sizeof(u32),
28238@@ -1380,7 +1394,7 @@ static const struct user_regset_view user_x86_32_view = {
28239 */
28240 u64 xstate_fx_sw_bytes[USER_XSTATE_FX_SW_WORDS];
28241
28242-void update_regset_xstate_info(unsigned int size, u64 xstate_mask)
28243+void __init update_regset_xstate_info(unsigned int size, u64 xstate_mask)
28244 {
28245 #ifdef CONFIG_X86_64
28246 x86_64_regsets[REGSET_XSTATE].n = size / sizeof(u64);
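Review bot: update_regset_xstate_info() still stores into `x86_64_regsets[REGSET_XSTATE].n`, and an earlier hunk in this file moves that array to `__read_only`. The smpboot.c part of this patch brackets a comparable store to `early_gdt_descr.address` with `pax_open_kernel()`/`pax_close_kernel()`, while this store has no such bracket; presumably the new `__init` marking means it runs before the read-only mapping is enforced, but nothing here says so. I would add a comment on the function, e.g. `/* __init only: stores to the __read_only regset tables must happen before they are write-protected */`, or use the open/close pair if the call can happen later. The function body continues outside the hunk.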
28247@@ -1415,7 +1429,7 @@ static void fill_sigtrap_info(struct task_struct *tsk,
28248 memset(info, 0, sizeof(*info));
28249 info->si_signo = SIGTRAP;
28250 info->si_code = si_code;
28251- info->si_addr = user_mode(regs) ? (void __user *)regs->ip : NULL;
28252+ info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
28253 }
28254
28255 void user_single_step_siginfo(struct task_struct *tsk,
28256@@ -1449,6 +1463,10 @@ static void do_audit_syscall_entry(struct pt_regs *regs, u32 arch)
28257 }
28258 }
28259
28260+#ifdef CONFIG_GRKERNSEC_SETXID
28261+extern void gr_delayed_cred_worker(void);
28262+#endif
28263+
28264 /*
28265 * We can return 0 to resume the syscall or anything else to go to phase
28266 * 2. If we resume the syscall, we need to put something appropriate in
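Review bot: The `extern void gr_delayed_cred_worker(void);` prototype is declared inside ptrace.c under `#ifdef CONFIG_GRKERNSEC_SETXID`, so the compiler cannot check it against the definition. It belongs in a shared header, with an empty `static inline` stub for the disabled case; the two identical `#ifdef` blocks added in syscall_trace_enter_phase2() and syscall_trace_leave() could then call it without preprocessor guards. Those call sites also carry no comment on why what appears from its name to be a deferred credential update is run at syscall trace entry and exit, which is worth one line at each.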
28267@@ -1556,6 +1574,11 @@ long syscall_trace_enter_phase2(struct pt_regs *regs, u32 arch,
28268
28269 BUG_ON(regs != task_pt_regs(current));
28270
28271+#ifdef CONFIG_GRKERNSEC_SETXID
28272+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
28273+ gr_delayed_cred_worker();
28274+#endif
28275+
28276 /*
28277 * If we stepped into a sysenter/syscall insn, it trapped in
28278 * kernel mode; do_debug() cleared TF and set TIF_SINGLESTEP.
28279@@ -1614,6 +1637,11 @@ void syscall_trace_leave(struct pt_regs *regs)
28280 */
28281 user_exit();
28282
28283+#ifdef CONFIG_GRKERNSEC_SETXID
28284+ if (unlikely(test_and_clear_thread_flag(TIF_GRSEC_SETXID)))
28285+ gr_delayed_cred_worker();
28286+#endif
28287+
28288 audit_syscall_exit(regs);
28289
28290 if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
28291diff --git a/arch/x86/kernel/pvclock.c b/arch/x86/kernel/pvclock.c
28292index 2f355d2..e75ed0a 100644
28293--- a/arch/x86/kernel/pvclock.c
28294+++ b/arch/x86/kernel/pvclock.c
28295@@ -51,11 +51,11 @@ void pvclock_touch_watchdogs(void)
28296 reset_hung_task_detector();
28297 }
28298
28299-static atomic64_t last_value = ATOMIC64_INIT(0);
28300+static atomic64_unchecked_t last_value = ATOMIC64_INIT(0);
28301
28302 void pvclock_resume(void)
28303 {
28304- atomic64_set(&last_value, 0);
28305+ atomic64_set_unchecked(&last_value, 0);
28306 }
28307
28308 u8 pvclock_read_flags(struct pvclock_vcpu_time_info *src)
28309@@ -105,11 +105,11 @@ cycle_t pvclock_clocksource_read(struct pvclock_vcpu_time_info *src)
28310 * updating at the same time, and one of them could be slightly behind,
28311 * making the assumption that last_value always go forward fail to hold.
28312 */
28313- last = atomic64_read(&last_value);
28314+ last = atomic64_read_unchecked(&last_value);
28315 do {
28316 if (ret < last)
28317 return last;
28318- last = atomic64_cmpxchg(&last_value, last, ret);
28319+ last = atomic64_cmpxchg_unchecked(&last_value, last, ret);
28320 } while (unlikely(last != ret));
28321
28322 return ret;
28323diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c
28324index 86db4bc..a50a54a 100644
28325--- a/arch/x86/kernel/reboot.c
28326+++ b/arch/x86/kernel/reboot.c
28327@@ -70,6 +70,11 @@ static int __init set_bios_reboot(const struct dmi_system_id *d)
28328
28329 void __noreturn machine_real_restart(unsigned int type)
28330 {
28331+
28332+#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF))
28333+ struct desc_struct *gdt;
28334+#endif
28335+
28336 local_irq_disable();
28337
28338 /*
28339@@ -97,7 +102,29 @@ void __noreturn machine_real_restart(unsigned int type)
28340
28341 /* Jump to the identity-mapped low memory code */
28342 #ifdef CONFIG_X86_32
28343- asm volatile("jmpl *%0" : :
28344+
28345+#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
28346+ gdt = get_cpu_gdt_table(smp_processor_id());
28347+ pax_open_kernel();
28348+#ifdef CONFIG_PAX_MEMORY_UDEREF
28349+ gdt[GDT_ENTRY_KERNEL_DS].type = 3;
28350+ gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
28351+ loadsegment(ds, __KERNEL_DS);
28352+ loadsegment(es, __KERNEL_DS);
28353+ loadsegment(ss, __KERNEL_DS);
28354+#endif
28355+#ifdef CONFIG_PAX_KERNEXEC
28356+ gdt[GDT_ENTRY_KERNEL_CS].base0 = 0;
28357+ gdt[GDT_ENTRY_KERNEL_CS].base1 = 0;
28358+ gdt[GDT_ENTRY_KERNEL_CS].base2 = 0;
28359+ gdt[GDT_ENTRY_KERNEL_CS].limit0 = 0xffff;
28360+ gdt[GDT_ENTRY_KERNEL_CS].limit = 0xf;
28361+ gdt[GDT_ENTRY_KERNEL_CS].g = 1;
28362+#endif
28363+ pax_close_kernel();
28364+#endif
28365+
28366+ asm volatile("ljmpl *%0" : :
28367 "rm" (real_mode_header->machine_real_restart_asm),
28368 "a" (type));
28369 #else
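Review bot: The descriptor rewrite added before the `ljmpl` has no comment, and the values `type = 3`, `limit = 0xf`, `limit0 = 0xffff` and `g = 1` are bare literals. A reader has to decode them to see that the kernel code segment gets base 0 with a page-granular maximum limit and that the data segment's high limit nibble is set to its maximum. A short comment above the `#if`, such as `/* give the kernel CS/DS descriptors a flat layout again before jumping to the identity-mapped real-mode code */`, would state the intent; please confirm that wording against the KERNEXEC/UDEREF segment setup, which is not visible here. The change from `jmpl` to `ljmpl` deserves a word in the same comment, and the blank line the previous hunk adds right after the opening brace of machine_real_restart() can go.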
28370@@ -137,7 +164,7 @@ static int __init set_kbd_reboot(const struct dmi_system_id *d)
28371 /*
28372 * This is a single dmi_table handling all reboot quirks.
28373 */
28374-static struct dmi_system_id __initdata reboot_dmi_table[] = {
28375+static const struct dmi_system_id __initconst reboot_dmi_table[] = {
28376
28377 /* Acer */
28378 { /* Handle reboot issue on Acer Aspire one */
28379@@ -511,7 +538,7 @@ void __attribute__((weak)) mach_reboot_fixups(void)
28380 * This means that this function can never return, it can misbehave
28381 * by not rebooting properly and hanging.
28382 */
28383-static void native_machine_emergency_restart(void)
28384+static void __noreturn native_machine_emergency_restart(void)
28385 {
28386 int i;
28387 int attempt = 0;
28388@@ -631,13 +658,13 @@ void native_machine_shutdown(void)
28389 #endif
28390 }
28391
28392-static void __machine_emergency_restart(int emergency)
28393+static void __noreturn __machine_emergency_restart(int emergency)
28394 {
28395 reboot_emergency = emergency;
28396 machine_ops.emergency_restart();
28397 }
28398
28399-static void native_machine_restart(char *__unused)
28400+static void __noreturn native_machine_restart(char *__unused)
28401 {
28402 pr_notice("machine restart\n");
28403
28404@@ -646,7 +673,7 @@ static void native_machine_restart(char *__unused)
28405 __machine_emergency_restart(0);
28406 }
28407
28408-static void native_machine_halt(void)
28409+static void __noreturn native_machine_halt(void)
28410 {
28411 /* Stop other cpus and apics */
28412 machine_shutdown();
28413@@ -656,7 +683,7 @@ static void native_machine_halt(void)
28414 stop_this_cpu(NULL);
28415 }
28416
28417-static void native_machine_power_off(void)
28418+static void __noreturn native_machine_power_off(void)
28419 {
28420 if (pm_power_off) {
28421 if (!reboot_force)
28422@@ -665,9 +692,10 @@ static void native_machine_power_off(void)
28423 }
28424 /* A fallback in case there is no PM info available */
28425 tboot_shutdown(TB_SHUTDOWN_HALT);
28426+ unreachable();
28427 }
28428
28429-struct machine_ops machine_ops = {
28430+struct machine_ops machine_ops __read_only = {
28431 .power_off = native_machine_power_off,
28432 .shutdown = native_machine_shutdown,
28433 .emergency_restart = native_machine_emergency_restart,
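Review bot: `unreachable();` after `tboot_shutdown(TB_SHUTDOWN_HALT);` turns a return from that call into undefined behaviour in a function now marked `__noreturn`. tboot_shutdown() is not shown on this page, and the comment above it calls this path a fallback for when no PM information is available, so it should be confirmed that the call can never return (for instance when tboot is not in use) before asserting that. If it can, stop the CPU explicitly instead, for example with `stop_this_cpu(NULL);` as native_machine_halt() does in this file, provided that helper is itself declared noreturn in this tree. The start of native_machine_power_off() is in the previous hunk.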
28434diff --git a/arch/x86/kernel/reboot_fixups_32.c b/arch/x86/kernel/reboot_fixups_32.c
28435index c8e41e9..64049ef 100644
28436--- a/arch/x86/kernel/reboot_fixups_32.c
28437+++ b/arch/x86/kernel/reboot_fixups_32.c
28438@@ -57,7 +57,7 @@ struct device_fixup {
28439 unsigned int vendor;
28440 unsigned int device;
28441 void (*reboot_fixup)(struct pci_dev *);
28442-};
28443+} __do_const;
28444
28445 /*
28446 * PCI ids solely used for fixups_table go here
28447diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S
28448index 98111b3..73ca125 100644
28449--- a/arch/x86/kernel/relocate_kernel_64.S
28450+++ b/arch/x86/kernel/relocate_kernel_64.S
28451@@ -96,8 +96,7 @@ relocate_kernel:
28452
28453 /* jump to identity mapped page */
28454 addq $(identity_mapped - relocate_kernel), %r8
28455- pushq %r8
28456- ret
28457+ jmp *%r8
28458
28459 identity_mapped:
28460 /* set return address to 0 if not preserving context */
28461diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c
28462index 80f874b..b3eff67 100644
28463--- a/arch/x86/kernel/setup.c
28464+++ b/arch/x86/kernel/setup.c
28465@@ -111,6 +111,7 @@
28466 #include <asm/mce.h>
28467 #include <asm/alternative.h>
28468 #include <asm/prom.h>
28469+#include <asm/boot.h>
28470
28471 /*
28472 * max_low_pfn_mapped: highest direct mapped pfn under 4GB
28473@@ -206,10 +207,12 @@ EXPORT_SYMBOL(boot_cpu_data);
28474 #endif
28475
28476
28477-#if !defined(CONFIG_X86_PAE) || defined(CONFIG_X86_64)
28478-__visible unsigned long mmu_cr4_features;
28479+#ifdef CONFIG_X86_64
28480+__visible unsigned long mmu_cr4_features __read_only = X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE;
28481+#elif defined(CONFIG_X86_PAE)
28482+__visible unsigned long mmu_cr4_features __read_only = X86_CR4_PAE;
28483 #else
28484-__visible unsigned long mmu_cr4_features = X86_CR4_PAE;
28485+__visible unsigned long mmu_cr4_features __read_only;
28486 #endif
28487
28488 /* Boot loader ID and version as integers, for the benefit of proc_dointvec */
28489@@ -772,7 +775,7 @@ static void __init trim_bios_range(void)
28490 * area (640->1Mb) as ram even though it is not.
28491 * take them out.
28492 */
28493- e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
28494+ e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
28495
28496 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
28497 }
28498@@ -780,7 +783,7 @@ static void __init trim_bios_range(void)
28499 /* called before trim_bios_range() to spare extra sanitize */
28500 static void __init e820_add_kernel_range(void)
28501 {
28502- u64 start = __pa_symbol(_text);
28503+ u64 start = __pa_symbol(ktla_ktva((unsigned long)_text));
28504 u64 size = __pa_symbol(_end) - start;
28505
28506 /*
28507@@ -861,8 +864,8 @@ dump_kernel_offset(struct notifier_block *self, unsigned long v, void *p)
28508
28509 void __init setup_arch(char **cmdline_p)
28510 {
28511- memblock_reserve(__pa_symbol(_text),
28512- (unsigned long)__bss_stop - (unsigned long)_text);
28513+ memblock_reserve(__pa_symbol(ktla_ktva((unsigned long)_text)),
28514+ (unsigned long)__bss_stop - ktla_ktva((unsigned long)_text));
28515
28516 early_reserve_initrd();
28517
28518@@ -960,16 +963,16 @@ void __init setup_arch(char **cmdline_p)
28519
28520 if (!boot_params.hdr.root_flags)
28521 root_mountflags &= ~MS_RDONLY;
28522- init_mm.start_code = (unsigned long) _text;
28523- init_mm.end_code = (unsigned long) _etext;
28524- init_mm.end_data = (unsigned long) _edata;
28525+ init_mm.start_code = ktla_ktva((unsigned long)_text);
28526+ init_mm.end_code = ktla_ktva((unsigned long)_etext);
28527+ init_mm.end_data = (unsigned long)_edata;
28528 init_mm.brk = _brk_end;
28529
28530 mpx_mm_init(&init_mm);
28531
28532- code_resource.start = __pa_symbol(_text);
28533- code_resource.end = __pa_symbol(_etext)-1;
28534- data_resource.start = __pa_symbol(_etext);
28535+ code_resource.start = __pa_symbol(ktla_ktva((unsigned long)_text));
28536+ code_resource.end = __pa_symbol(ktla_ktva((unsigned long)_etext))-1;
28537+ data_resource.start = __pa_symbol(_sdata);
28538 data_resource.end = __pa_symbol(_edata)-1;
28539 bss_resource.start = __pa_symbol(__bss_start);
28540 bss_resource.end = __pa_symbol(__bss_stop)-1;
28541diff --git a/arch/x86/kernel/setup_percpu.c b/arch/x86/kernel/setup_percpu.c
28542index e4fcb87..9c06c55 100644
28543--- a/arch/x86/kernel/setup_percpu.c
28544+++ b/arch/x86/kernel/setup_percpu.c
28545@@ -21,19 +21,17 @@
28546 #include <asm/cpu.h>
28547 #include <asm/stackprotector.h>
28548
28549-DEFINE_PER_CPU_READ_MOSTLY(int, cpu_number);
28550+#ifdef CONFIG_SMP
28551+DEFINE_PER_CPU_READ_MOSTLY(unsigned int, cpu_number);
28552 EXPORT_PER_CPU_SYMBOL(cpu_number);
28553+#endif
28554
28555-#ifdef CONFIG_X86_64
28556 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
28557-#else
28558-#define BOOT_PERCPU_OFFSET 0
28559-#endif
28560
28561 DEFINE_PER_CPU_READ_MOSTLY(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
28562 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
28563
28564-unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
28565+unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
28566 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
28567 };
28568 EXPORT_SYMBOL(__per_cpu_offset);
28569@@ -66,7 +64,7 @@ static bool __init pcpu_need_numa(void)
28570 {
28571 #ifdef CONFIG_NEED_MULTIPLE_NODES
28572 pg_data_t *last = NULL;
28573- unsigned int cpu;
28574+ int cpu;
28575
28576 for_each_possible_cpu(cpu) {
28577 int node = early_cpu_to_node(cpu);
28578@@ -155,10 +153,10 @@ static inline void setup_percpu_segment(int cpu)
28579 {
28580 #ifdef CONFIG_X86_32
28581 struct desc_struct gdt;
28582+ unsigned long base = per_cpu_offset(cpu);
28583
28584- pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
28585- 0x2 | DESCTYPE_S, 0x8);
28586- gdt.s = 1;
28587+ pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
28588+ 0x83 | DESCTYPE_S, 0xC);
28589 write_gdt_entry(get_cpu_gdt_table(cpu),
28590 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
28591 #endif
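Review bot: The new `pack_descriptor()` arguments `0x83 | DESCTYPE_S` and `0xC` are bare literals, and the limit changes from `0xFFFFF` to `(VMALLOC_END - base - 1) >> PAGE_SHIFT` with no comment on either. The intent appears to be bounding the per-cpu segment instead of leaving it flat, which is worth stating, e.g. `/* limit the per-cpu segment to [base, VMALLOC_END); limit is in pages */`, together with a note naming the type and flag bits. `VMALLOC_END - base - 1` wraps if `base` is not below `VMALLOC_END`; whether `per_cpu_offset(cpu)` guarantees that cannot be seen from this hunk, so a comment or a check on that assumption would help.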
28592@@ -219,6 +217,11 @@ void __init setup_per_cpu_areas(void)
28593 /* alrighty, percpu areas up and running */
28594 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
28595 for_each_possible_cpu(cpu) {
28596+#ifdef CONFIG_CC_STACKPROTECTOR
28597+#ifdef CONFIG_X86_32
28598+ unsigned long canary = per_cpu(stack_canary.canary, cpu);
28599+#endif
28600+#endif
28601 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
28602 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
28603 per_cpu(cpu_number, cpu) = cpu;
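Review bot: The nested `#ifdef CONFIG_CC_STACKPROTECTOR` / `#ifdef CONFIG_X86_32` pair is written out twice, here and in the next hunk of setup_per_cpu_areas(); `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)` reads better and matches the combined form used in reboot.c in this patch. `canary` is read for every CPU but written back only when `!cpu`, and neither hunk says why the boot CPU's value must survive the `per_cpu_offset()` update. A comment at the declaration, e.g. `/* the boot CPU's canary is already in use; carry it over to the new per-cpu area */`, would cover it, assuming that is the reason. The loop body continues outside both hunks.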
28604@@ -259,6 +262,12 @@ void __init setup_per_cpu_areas(void)
28605 */
28606 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
28607 #endif
28608+#ifdef CONFIG_CC_STACKPROTECTOR
28609+#ifdef CONFIG_X86_32
28610+ if (!cpu)
28611+ per_cpu(stack_canary.canary, cpu) = canary;
28612+#endif
28613+#endif
28614 /*
28615 * Up to this point, the boot CPU has been using .init.data
28616 * area. Reload any changed state for the boot CPU.
28617diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
28618index 71820c4..ad16f6b 100644
28619--- a/arch/x86/kernel/signal.c
28620+++ b/arch/x86/kernel/signal.c
28621@@ -189,7 +189,7 @@ static unsigned long align_sigframe(unsigned long sp)
28622 * Align the stack pointer according to the i386 ABI,
28623 * i.e. so that on function entry ((sp + 4) & 15) == 0.
28624 */
28625- sp = ((sp + 4) & -16ul) - 4;
28626+ sp = ((sp - 12) & -16ul) - 4;
28627 #else /* !CONFIG_X86_32 */
28628 sp = round_down(sp, 16) - 8;
28629 #endif
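Review bot: The replacement `sp = ((sp - 12) & -16ul) - 4;` still satisfies the invariant in the comment above it, `((sp + 4) & 15) == 0`, but it always yields a value 16 bytes lower than the old `((sp + 4) & -16ul) - 4`, and the comment does not mention that. Because the result is otherwise indistinguishable from the old one, a later reader is likely to simplify it back. Extend the existing comment with the reason for the extra 16 bytes, e.g. `* The result is deliberately one 16-byte slot below the highest aligned address: <reason>.` align_sigframe() starts and ends outside the hunk.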
28630@@ -298,10 +298,9 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set,
28631 }
28632
28633 if (current->mm->context.vdso)
28634- restorer = current->mm->context.vdso +
28635- selected_vdso32->sym___kernel_sigreturn;
28636+ restorer = (void __force_user *)(current->mm->context.vdso + selected_vdso32->sym___kernel_sigreturn);
28637 else
28638- restorer = &frame->retcode;
28639+ restorer = (void __user *)&frame->retcode;
28640 if (ksig->ka.sa.sa_flags & SA_RESTORER)
28641 restorer = ksig->ka.sa.sa_restorer;
28642
28643@@ -315,7 +314,7 @@ __setup_frame(int sig, struct ksignal *ksig, sigset_t *set,
28644 * reasons and because gdb uses it as a signature to notice
28645 * signal handler stack frames.
28646 */
28647- err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
28648+ err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
28649
28650 if (err)
28651 return -EFAULT;
28652@@ -362,8 +361,10 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
28653 save_altstack_ex(&frame->uc.uc_stack, regs->sp);
28654
28655 /* Set up to return from userspace. */
28656- restorer = current->mm->context.vdso +
28657- selected_vdso32->sym___kernel_rt_sigreturn;
28658+ if (current->mm->context.vdso)
28659+ restorer = (void __force_user *)(current->mm->context.vdso + selected_vdso32->sym___kernel_rt_sigreturn);
28660+ else
28661+ restorer = (void __user *)&frame->retcode;
28662 if (ksig->ka.sa.sa_flags & SA_RESTORER)
28663 restorer = ksig->ka.sa.sa_restorer;
28664 put_user_ex(restorer, &frame->pretcode);
28665@@ -375,7 +376,7 @@ static int __setup_rt_frame(int sig, struct ksignal *ksig,
28666 * reasons and because gdb uses it as a signature to notice
28667 * signal handler stack frames.
28668 */
28669- put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
28670+ put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
28671 } put_user_catch(err);
28672
28673 err |= copy_siginfo_to_user(&frame->info, &ksig->info);
28674@@ -611,7 +612,12 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
28675 {
28676 int usig = ksig->sig;
28677 sigset_t *set = sigmask_to_save();
28678- compat_sigset_t *cset = (compat_sigset_t *) set;
28679+ sigset_t sigcopy;
28680+ compat_sigset_t *cset;
28681+
28682+ sigcopy = *set;
28683+
28684+ cset = (compat_sigset_t *) &sigcopy;
28685
28686 /* Set up the stack frame */
28687 if (is_ia32_frame()) {
28688@@ -622,7 +628,7 @@ setup_rt_frame(struct ksignal *ksig, struct pt_regs *regs)
28689 } else if (is_x32_frame()) {
28690 return x32_setup_rt_frame(ksig, cset, regs);
28691 } else {
28692- return __setup_rt_frame(ksig->sig, ksig, set, regs);
28693+ return __setup_rt_frame(ksig->sig, ksig, &sigcopy, regs);
28694 }
28695 }
28696
28697diff --git a/arch/x86/kernel/smp.c b/arch/x86/kernel/smp.c
28698index 15aaa69..66103af 100644
28699--- a/arch/x86/kernel/smp.c
28700+++ b/arch/x86/kernel/smp.c
28701@@ -334,7 +334,7 @@ static int __init nonmi_ipi_setup(char *str)
28702
28703 __setup("nonmi_ipi", nonmi_ipi_setup);
28704
28705-struct smp_ops smp_ops = {
28706+struct smp_ops smp_ops __read_only = {
28707 .smp_prepare_boot_cpu = native_smp_prepare_boot_cpu,
28708 .smp_prepare_cpus = native_smp_prepare_cpus,
28709 .smp_cpus_done = native_smp_cpus_done,
28710diff --git a/arch/x86/kernel/smpboot.c b/arch/x86/kernel/smpboot.c
28711index b1f3ed9c..b76221b 100644
28712--- a/arch/x86/kernel/smpboot.c
28713+++ b/arch/x86/kernel/smpboot.c
28714@@ -220,14 +220,17 @@ static void notrace start_secondary(void *unused)
28715
28716 enable_start_cpu0 = 0;
28717
28718-#ifdef CONFIG_X86_32
28719+ /* otherwise gcc will move up smp_processor_id before the cpu_init */
28720+ barrier();
28721+
28722 /* switch away from the initial page table */
28723+#ifdef CONFIG_PAX_PER_CPU_PGD
28724+ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
28725+#else
28726 load_cr3(swapper_pg_dir);
28727+#endif
28728 __flush_tlb_all();
28729-#endif
28730
28731- /* otherwise gcc will move up smp_processor_id before the cpu_init */
28732- barrier();
28733 /*
28734 * Check TSC synchronization with the BP:
28735 */
28736@@ -808,16 +811,15 @@ void common_cpu_up(unsigned int cpu, struct task_struct *idle)
28737 alternatives_enable_smp();
28738
28739 per_cpu(current_task, cpu) = idle;
28740+ per_cpu(current_tinfo, cpu) = &idle->tinfo;
28741
28742 #ifdef CONFIG_X86_32
28743- /* Stack for startup_32 can be just as for start_secondary onwards */
28744 irq_ctx_init(cpu);
28745- per_cpu(cpu_current_top_of_stack, cpu) =
28746- (unsigned long)task_stack_page(idle) + THREAD_SIZE;
28747 #else
28748 clear_tsk_thread_flag(idle, TIF_FORK);
28749 initial_gs = per_cpu_offset(cpu);
28750 #endif
28751+ per_cpu(cpu_current_top_of_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
28752 }
28753
28754 /*
28755@@ -838,9 +840,11 @@ static int do_boot_cpu(int apicid, int cpu, struct task_struct *idle)
28756 unsigned long timeout;
28757
28758 idle->thread.sp = (unsigned long) (((struct pt_regs *)
28759- (THREAD_SIZE + task_stack_page(idle))) - 1);
28760+ (THREAD_SIZE - 16 + task_stack_page(idle))) - 1);
28761
28762+ pax_open_kernel();
28763 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
28764+ pax_close_kernel();
28765 initial_code = (unsigned long)start_secondary;
28766 stack_start = idle->thread.sp;
28767
28768@@ -992,6 +996,15 @@ int native_cpu_up(unsigned int cpu, struct task_struct *tidle)
28769
28770 common_cpu_up(cpu, tidle);
28771
28772+#ifdef CONFIG_PAX_PER_CPU_PGD
28773+ clone_pgd_range(get_cpu_pgd(cpu, kernel) + KERNEL_PGD_BOUNDARY,
28774+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
28775+ KERNEL_PGD_PTRS);
28776+ clone_pgd_range(get_cpu_pgd(cpu, user) + KERNEL_PGD_BOUNDARY,
28777+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
28778+ KERNEL_PGD_PTRS);
28779+#endif
28780+
28781 /*
28782 * We have to walk the irq descriptors to setup the vector
28783 * space for the cpu which comes online. Prevent irq
28784diff --git a/arch/x86/kernel/step.c b/arch/x86/kernel/step.c
28785index 0ccb53a..fbc4759 100644
28786--- a/arch/x86/kernel/step.c
28787+++ b/arch/x86/kernel/step.c
28788@@ -44,7 +44,8 @@ unsigned long convert_ip_to_linear(struct task_struct *child, struct pt_regs *re
28789 addr += base;
28790 }
28791 mutex_unlock(&child->mm->context.lock);
28792- }
28793+ } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
28794+ addr = ktla_ktva(addr);
28795
28796 return addr;
28797 }
28798@@ -55,6 +56,9 @@ static int is_setting_trap_flag(struct task_struct *child, struct pt_regs *regs)
28799 unsigned char opcode[15];
28800 unsigned long addr = convert_ip_to_linear(child, regs);
28801
28802+ if (addr == -EINVAL)
28803+ return 0;
28804+
28805 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
28806 for (i = 0; i < copied; i++) {
28807 switch (opcode[i]) {
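Review bot: `if (addr == -EINVAL)` compares an `unsigned long` with a negative errno constant, which only works through implicit conversion, and the place where convert_ip_to_linear() produces that value is not in either hunk of this file. An in-band sentinel of this kind is also indistinguishable from a genuine linear address of the same value. At minimum make the conversion explicit and document it, e.g. `if (addr == (unsigned long)-EINVAL) /* bogus selector, nothing to read */`; the wording of that comment needs checking against the part of convert_ip_to_linear() that sets the value. is_setting_trap_flag() continues past the end of the hunk.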
28808diff --git a/arch/x86/kernel/sys_i386_32.c b/arch/x86/kernel/sys_i386_32.c
28809new file mode 100644
28810index 0000000..5877189
28811--- /dev/null
28812+++ b/arch/x86/kernel/sys_i386_32.c
28813@@ -0,0 +1,189 @@
28814+/*
28815+ * This file contains various random system calls that
28816+ * have a non-standard calling sequence on the Linux/i386
28817+ * platform.
28818+ */
28819+
28820+#include <linux/errno.h>
28821+#include <linux/sched.h>
28822+#include <linux/mm.h>
28823+#include <linux/fs.h>
28824+#include <linux/smp.h>
28825+#include <linux/sem.h>
28826+#include <linux/msg.h>
28827+#include <linux/shm.h>
28828+#include <linux/stat.h>
28829+#include <linux/syscalls.h>
28830+#include <linux/mman.h>
28831+#include <linux/file.h>
28832+#include <linux/utsname.h>
28833+#include <linux/ipc.h>
28834+#include <linux/elf.h>
28835+
28836+#include <linux/uaccess.h>
28837+#include <linux/unistd.h>
28838+
28839+#include <asm/syscalls.h>
28840+
28841+int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
28842+{
28843+ unsigned long pax_task_size = TASK_SIZE;
28844+
28845+#ifdef CONFIG_PAX_SEGMEXEC
28846+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
28847+ pax_task_size = SEGMEXEC_TASK_SIZE;
28848+#endif
28849+
28850+ if (flags & MAP_FIXED)
28851+ if (len > pax_task_size || addr > pax_task_size - len)
28852+ return -EINVAL;
28853+
28854+ return 0;
28855+}
28856+
28857+/*
28858+ * Align a virtual address to avoid aliasing in the I$ on AMD F15h.
28859+ */
28860+static unsigned long get_align_mask(void)
28861+{
28862+ if (va_align.flags < 0 || !(va_align.flags & ALIGN_VA_32))
28863+ return 0;
28864+
28865+ if (!(current->flags & PF_RANDOMIZE))
28866+ return 0;
28867+
28868+ return va_align.mask;
28869+}
28870+
28871+unsigned long
28872+arch_get_unmapped_area(struct file *filp, unsigned long addr,
28873+ unsigned long len, unsigned long pgoff, unsigned long flags)
28874+{
28875+ struct mm_struct *mm = current->mm;
28876+ struct vm_area_struct *vma;
28877+ unsigned long pax_task_size = TASK_SIZE;
28878+ struct vm_unmapped_area_info info;
28879+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
28880+
28881+#ifdef CONFIG_PAX_SEGMEXEC
28882+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
28883+ pax_task_size = SEGMEXEC_TASK_SIZE;
28884+#endif
28885+
28886+ pax_task_size -= PAGE_SIZE;
28887+
28888+ if (len > pax_task_size)
28889+ return -ENOMEM;
28890+
28891+ if (flags & MAP_FIXED)
28892+ return addr;
28893+
28894+#ifdef CONFIG_PAX_RANDMMAP
28895+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
28896+#endif
28897+
28898+ if (addr) {
28899+ addr = PAGE_ALIGN(addr);
28900+ if (pax_task_size - len >= addr) {
28901+ vma = find_vma(mm, addr);
28902+ if (check_heap_stack_gap(vma, addr, len, offset))
28903+ return addr;
28904+ }
28905+ }
28906+
28907+ info.flags = 0;
28908+ info.length = len;
28909+ info.align_mask = filp ? get_align_mask() : 0;
28910+ info.align_offset = pgoff << PAGE_SHIFT;
28911+ info.threadstack_offset = offset;
28912+
28913+#ifdef CONFIG_PAX_PAGEEXEC
28914+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE)) {
28915+ info.low_limit = 0x00110000UL;
28916+ info.high_limit = mm->start_code;
28917+
28918+#ifdef CONFIG_PAX_RANDMMAP
28919+ if (mm->pax_flags & MF_PAX_RANDMMAP)
28920+ info.low_limit += mm->delta_mmap & 0x03FFF000UL;
28921+#endif
28922+
28923+ if (info.low_limit < info.high_limit) {
28924+ addr = vm_unmapped_area(&info);
28925+ if (!IS_ERR_VALUE(addr))
28926+ return addr;
28927+ }
28928+ } else
28929+#endif
28930+
28931+ info.low_limit = mm->mmap_base;
28932+ info.high_limit = pax_task_size;
28933+
28934+ return vm_unmapped_area(&info);
28935+}
28936+
28937+unsigned long
28938+arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
28939+ const unsigned long len, const unsigned long pgoff,
28940+ const unsigned long flags)
28941+{
28942+ struct vm_area_struct *vma;
28943+ struct mm_struct *mm = current->mm;
28944+ unsigned long addr = addr0, pax_task_size = TASK_SIZE;
28945+ struct vm_unmapped_area_info info;
28946+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
28947+
28948+#ifdef CONFIG_PAX_SEGMEXEC
28949+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
28950+ pax_task_size = SEGMEXEC_TASK_SIZE;
28951+#endif
28952+
28953+ pax_task_size -= PAGE_SIZE;
28954+
28955+ /* requested length too big for entire address space */
28956+ if (len > pax_task_size)
28957+ return -ENOMEM;
28958+
28959+ if (flags & MAP_FIXED)
28960+ return addr;
28961+
28962+#ifdef CONFIG_PAX_PAGEEXEC
28963+ if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
28964+ goto bottomup;
28965+#endif
28966+
28967+#ifdef CONFIG_PAX_RANDMMAP
28968+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
28969+#endif
28970+
28971+ /* requesting a specific address */
28972+ if (addr) {
28973+ addr = PAGE_ALIGN(addr);
28974+ if (pax_task_size - len >= addr) {
28975+ vma = find_vma(mm, addr);
28976+ if (check_heap_stack_gap(vma, addr, len, offset))
28977+ return addr;
28978+ }
28979+ }
28980+
28981+ info.flags = VM_UNMAPPED_AREA_TOPDOWN;
28982+ info.length = len;
28983+ info.low_limit = PAGE_SIZE;
28984+ info.high_limit = mm->mmap_base;
28985+ info.align_mask = filp ? get_align_mask() : 0;
28986+ info.align_offset = pgoff << PAGE_SHIFT;
28987+ info.threadstack_offset = offset;
28988+
28989+ addr = vm_unmapped_area(&info);
28990+ if (!(addr & ~PAGE_MASK))
28991+ return addr;
28992+ VM_BUG_ON(addr != -ENOMEM);
28993+
28994+bottomup:
28995+ /*
28996+ * A failed mmap() very likely causes application failure,
28997+ * so fall back to the bottom-up function here. This scenario
28998+ * can happen with large stack limits and large mmap()
28999+ * allocations.
29000+ */
29001+ return arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
29002+}
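Review bot: Two control-flow statements in arch_get_unmapped_area() take their body from the line after an `#endif`, which is easy to misread. The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` under `CONFIG_PAX_RANDMMAP` governs the following `if (addr) { … }` block, and the `} else` closing the `CONFIG_PAX_PAGEEXEC` block binds only `info.low_limit = mm->mmap_base;`. So `info.high_limit = pax_task_size;` runs on both paths, and a failed low-range search is retried with the PAGEEXEC `low_limit` still in place. If that is intended, say so with a comment such as `/* else covers low_limit only; high_limit is reset for the fallback search */` and drop the blank line after each `#endif`. The same `#ifdef`/`if`/`#endif` shape recurs in arch_get_unmapped_area_topdown() here and in the two sys_x86_64.c hunks that add the RANDMMAP test.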
29003diff --git a/arch/x86/kernel/sys_x86_64.c b/arch/x86/kernel/sys_x86_64.c
29004index 10e0272..b4bb9a7 100644
29005--- a/arch/x86/kernel/sys_x86_64.c
29006+++ b/arch/x86/kernel/sys_x86_64.c
29007@@ -97,8 +97,8 @@ out:
29008 return error;
29009 }
29010
29011-static void find_start_end(unsigned long flags, unsigned long *begin,
29012- unsigned long *end)
29013+static void find_start_end(struct mm_struct *mm, unsigned long flags,
29014+ unsigned long *begin, unsigned long *end)
29015 {
29016 if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT)) {
29017 unsigned long new_begin;
29018@@ -117,7 +117,7 @@ static void find_start_end(unsigned long flags, unsigned long *begin,
29019 *begin = new_begin;
29020 }
29021 } else {
29022- *begin = current->mm->mmap_legacy_base;
29023+ *begin = mm->mmap_legacy_base;
29024 *end = TASK_SIZE;
29025 }
29026 }
29027@@ -130,20 +130,24 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
29028 struct vm_area_struct *vma;
29029 struct vm_unmapped_area_info info;
29030 unsigned long begin, end;
29031+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
29032
29033 if (flags & MAP_FIXED)
29034 return addr;
29035
29036- find_start_end(flags, &begin, &end);
29037+ find_start_end(mm, flags, &begin, &end);
29038
29039 if (len > end)
29040 return -ENOMEM;
29041
29042+#ifdef CONFIG_PAX_RANDMMAP
29043+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
29044+#endif
29045+
29046 if (addr) {
29047 addr = PAGE_ALIGN(addr);
29048 vma = find_vma(mm, addr);
29049- if (end - len >= addr &&
29050- (!vma || addr + len <= vma->vm_start))
29051+ if (end - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
29052 return addr;
29053 }
29054
29055@@ -157,6 +161,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
29056 info.align_mask = get_align_mask();
29057 info.align_offset += get_align_bits();
29058 }
29059+ info.threadstack_offset = offset;
29060 return vm_unmapped_area(&info);
29061 }
29062
29063@@ -169,6 +174,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
29064 struct mm_struct *mm = current->mm;
29065 unsigned long addr = addr0;
29066 struct vm_unmapped_area_info info;
29067+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
29068
29069 /* requested length too big for entire address space */
29070 if (len > TASK_SIZE)
29071@@ -181,12 +187,15 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
29072 if (!test_thread_flag(TIF_ADDR32) && (flags & MAP_32BIT))
29073 goto bottomup;
29074
29075+#ifdef CONFIG_PAX_RANDMMAP
29076+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
29077+#endif
29078+
29079 /* requesting a specific address */
29080 if (addr) {
29081 addr = PAGE_ALIGN(addr);
29082 vma = find_vma(mm, addr);
29083- if (TASK_SIZE - len >= addr &&
29084- (!vma || addr + len <= vma->vm_start))
29085+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
29086 return addr;
29087 }
29088
29089@@ -200,6 +209,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
29090 info.align_mask = get_align_mask();
29091 info.align_offset += get_align_bits();
29092 }
29093+ info.threadstack_offset = offset;
29094 addr = vm_unmapped_area(&info);
29095 if (!(addr & ~PAGE_MASK))
29096 return addr;
29097diff --git a/arch/x86/kernel/tboot.c b/arch/x86/kernel/tboot.c
29098index 91a4496..42fc304 100644
29099--- a/arch/x86/kernel/tboot.c
29100+++ b/arch/x86/kernel/tboot.c
29101@@ -44,6 +44,7 @@
29102 #include <asm/setup.h>
29103 #include <asm/e820.h>
29104 #include <asm/io.h>
29105+#include <asm/tlbflush.h>
29106
29107 #include "../realmode/rm/wakeup.h"
29108
29109@@ -221,7 +222,7 @@ static int tboot_setup_sleep(void)
29110
29111 void tboot_shutdown(u32 shutdown_type)
29112 {
29113- void (*shutdown)(void);
29114+ void (* __noreturn shutdown)(void);
29115
29116 if (!tboot_enabled())
29117 return;
29118@@ -242,8 +243,9 @@ void tboot_shutdown(u32 shutdown_type)
29119 tboot->shutdown_type = shutdown_type;
29120
29121 switch_to_tboot_pt();
29122+ cr4_clear_bits(X86_CR4_PCIDE);
29123
29124- shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
29125+ shutdown = (void *)(unsigned long)tboot->shutdown_entry;
29126 shutdown();
29127
29128 /* should not reach here */
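Review bot: The added `cr4_clear_bits(X86_CR4_PCIDE);` has no comment, and nothing in the hunk says why PCID must be off after switch_to_tboot_pt() and before the jump to `tboot->shutdown_entry`. A one-line comment stating the requirement would keep a later cleanup from dropping or reordering the call. Presumably the tboot entry point expects CR4.PCIDE to be clear, but the author should confirm that. tboot_shutdown() starts and ends outside the hunk.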
29129@@ -310,7 +312,7 @@ static int tboot_extended_sleep(u8 sleep_state, u32 val_a, u32 val_b)
29130 return -ENODEV;
29131 }
29132
29133-static atomic_t ap_wfs_count;
29134+static atomic_unchecked_t ap_wfs_count;
29135
29136 static int tboot_wait_for_aps(int num_aps)
29137 {
29138@@ -334,9 +336,9 @@ static int tboot_cpu_callback(struct notifier_block *nfb, unsigned long action,
29139 {
29140 switch (action) {
29141 case CPU_DYING:
29142- atomic_inc(&ap_wfs_count);
29143+ atomic_inc_unchecked(&ap_wfs_count);
29144 if (num_online_cpus() == 1)
29145- if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
29146+ if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
29147 return NOTIFY_BAD;
29148 break;
29149 }
29150@@ -422,7 +424,7 @@ static __init int tboot_late_init(void)
29151
29152 tboot_create_trampoline();
29153
29154- atomic_set(&ap_wfs_count, 0);
29155+ atomic_set_unchecked(&ap_wfs_count, 0);
29156 register_hotcpu_notifier(&tboot_cpu_notifier);
29157
29158 #ifdef CONFIG_DEBUG_FS
29159diff --git a/arch/x86/kernel/time.c b/arch/x86/kernel/time.c
29160index d39c091..1df4349 100644
29161--- a/arch/x86/kernel/time.c
29162+++ b/arch/x86/kernel/time.c
29163@@ -32,7 +32,7 @@ unsigned long profile_pc(struct pt_regs *regs)
29164
29165 if (!user_mode(regs) && in_lock_functions(pc)) {
29166 #ifdef CONFIG_FRAME_POINTER
29167- return *(unsigned long *)(regs->bp + sizeof(long));
29168+ return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
29169 #else
29170 unsigned long *sp =
29171 (unsigned long *)kernel_stack_pointer(regs);
29172@@ -41,11 +41,17 @@ unsigned long profile_pc(struct pt_regs *regs)
29173 * or above a saved flags. Eflags has bits 22-31 zero,
29174 * kernel addresses don't.
29175 */
29176+
29177+#ifdef CONFIG_PAX_KERNEXEC
29178+ return ktla_ktva(sp[0]);
29179+#else
29180 if (sp[0] >> 22)
29181 return sp[0];
29182 if (sp[1] >> 22)
29183 return sp[1];
29184 #endif
29185+
29186+#endif
29187 }
29188 return pc;
29189 }
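Review bot: Under `CONFIG_PAX_KERNEXEC` the function now returns `ktla_ktva(sp[0])` unconditionally, so it no longer handles the case the comment above describes: a saved flags word at `sp[0]` with the return address at `sp[1]`. In that case the flags value would be reported as a pc. If the `>> 22` test cannot work with KERNEXEC address translation, a comment saying so belongs next to the new `#ifdef`; otherwise the check should be kept on the translated path. The two `#endif` lines would also read better with trailing `/* CONFIG_PAX_KERNEXEC */` and `/* CONFIG_FRAME_POINTER */` markers.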
29190diff --git a/arch/x86/kernel/tls.c b/arch/x86/kernel/tls.c
29191index 7fc5e84..c6e445a 100644
29192--- a/arch/x86/kernel/tls.c
29193+++ b/arch/x86/kernel/tls.c
29194@@ -139,6 +139,11 @@ int do_set_thread_area(struct task_struct *p, int idx,
29195 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
29196 return -EINVAL;
29197
29198+#ifdef CONFIG_PAX_SEGMEXEC
29199+ if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
29200+ return -EINVAL;
29201+#endif
29202+
29203 set_tls_desc(p, idx, &info, 1);
29204
29205 return 0;
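Review bot: The SEGMEXEC rejection of code descriptors is added only in do_set_thread_area(), and no matching `MODIFY_LDT_CONTENTS_CODE` test is added to regset_tls_set(), which the next hunk touches and which also handles user-supplied TLS descriptors. If that path reaches set_tls_desc() without going through this function (its remaining lines are not shown), the restriction would not cover the regset interface. The test would be better placed in a helper both callers share. The block also dereferences `p->mm` without a NULL test, so it is worth confirming every caller passes a task that still has an mm.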
29206@@ -256,7 +261,7 @@ int regset_tls_set(struct task_struct *target, const struct user_regset *regset,
29207
29208 if (kbuf)
29209 info = kbuf;
29210- else if (__copy_from_user(infobuf, ubuf, count))
29211+ else if (count > sizeof infobuf || __copy_from_user(infobuf, ubuf, count))
29212 return -EFAULT;
29213 else
29214 info = infobuf;
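Review bot: An oversized `count` now falls into the same `return -EFAULT` as a faulting user pointer, so the caller cannot tell a bad length from a bad address. Splitting the condition keeps the bound check and reports it accurately: `else if (count > sizeof(infobuf)) return -EINVAL;` followed by `else if (__copy_from_user(infobuf, ubuf, count)) return -EFAULT;`. Kernel style also writes `sizeof(infobuf)` with parentheses. regset_tls_set() starts and ends outside the hunk.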
29215diff --git a/arch/x86/kernel/tracepoint.c b/arch/x86/kernel/tracepoint.c
29216index 1c113db..287b42e 100644
29217--- a/arch/x86/kernel/tracepoint.c
29218+++ b/arch/x86/kernel/tracepoint.c
29219@@ -9,11 +9,11 @@
29220 #include <linux/atomic.h>
29221
29222 atomic_t trace_idt_ctr = ATOMIC_INIT(0);
29223-struct desc_ptr trace_idt_descr = { NR_VECTORS * 16 - 1,
29224+const struct desc_ptr trace_idt_descr = { NR_VECTORS * 16 - 1,
29225 (unsigned long) trace_idt_table };
29226
29227 /* No need to be aligned, but done to keep all IDTs defined the same way. */
29228-gate_desc trace_idt_table[NR_VECTORS] __page_aligned_bss;
29229+gate_desc trace_idt_table[NR_VECTORS] __page_aligned_rodata;
29230
29231 static int trace_irq_vector_refcount;
29232 static DEFINE_MUTEX(irq_vector_mutex);
29233diff --git a/arch/x86/kernel/traps.c b/arch/x86/kernel/traps.c
29234index f579192..aed90b8 100644
29235--- a/arch/x86/kernel/traps.c
29236+++ b/arch/x86/kernel/traps.c
29237@@ -69,7 +69,7 @@
29238 #include <asm/proto.h>
29239
29240 /* No need to be aligned, but done to keep all IDTs defined the same way. */
29241-gate_desc debug_idt_table[NR_VECTORS] __page_aligned_bss;
29242+gate_desc debug_idt_table[NR_VECTORS] __page_aligned_rodata;
29243 #else
29244 #include <asm/processor-flags.h>
29245 #include <asm/setup.h>
29246@@ -77,7 +77,7 @@ gate_desc debug_idt_table[NR_VECTORS] __page_aligned_bss;
29247 #endif
29248
29249 /* Must be page-aligned because the real IDT is used in a fixmap. */
29250-gate_desc idt_table[NR_VECTORS] __page_aligned_bss;
29251+gate_desc idt_table[NR_VECTORS] __page_aligned_rodata;
29252
29253 DECLARE_BITMAP(used_vectors, NR_VECTORS);
29254 EXPORT_SYMBOL_GPL(used_vectors);
29255@@ -174,7 +174,7 @@ void ist_begin_non_atomic(struct pt_regs *regs)
29256 * will catch asm bugs and any attempt to use ist_preempt_enable
29257 * from double_fault.
29258 */
29259- BUG_ON((unsigned long)(current_top_of_stack() -
29260+ BUG_ON((unsigned long)(current_top_of_stack(smp_processor_id()) -
29261 current_stack_pointer()) >= THREAD_SIZE);
29262
29263 preempt_count_sub(HARDIRQ_OFFSET);
29264@@ -191,7 +191,7 @@ void ist_end_non_atomic(void)
29265 }
29266
29267 static nokprobe_inline int
29268-do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
29269+do_trap_no_signal(struct task_struct *tsk, int trapnr, const char *str,
29270 struct pt_regs *regs, long error_code)
29271 {
29272 if (v8086_mode(regs)) {
29273@@ -211,8 +211,20 @@ do_trap_no_signal(struct task_struct *tsk, int trapnr, char *str,
29274 if (!fixup_exception(regs)) {
29275 tsk->thread.error_code = error_code;
29276 tsk->thread.trap_nr = trapnr;
29277+
29278+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29279+ if (trapnr == X86_TRAP_SS && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
29280+ str = "PAX: suspicious stack segment fault";
29281+#endif
29282+
29283 die(str, regs, error_code);
29284 }
29285+
29286+#ifdef CONFIG_PAX_REFCOUNT
29287+ if (trapnr == X86_TRAP_OF)
29288+ pax_report_refcount_overflow(regs);
29289+#endif
29290+
29291 return 0;
29292 }
29293
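Review bot: The selector test `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` is written out in full here and again in the do_general_protection() hunk further down, and step.c adds a third copy on `seg`. A small `static inline bool` helper taking the selector (for example `pax_is_kernel_cs(sel)`, a name suggested here and not one the patch defines) would keep the three sites in step and bring the line back under the length limit. do_trap_no_signal() starts outside the hunk, so the condition enclosing the new `X86_TRAP_OF` report is not visible. A comment there saying which context it runs in would help.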
29294@@ -251,7 +263,7 @@ static siginfo_t *fill_trap_info(struct pt_regs *regs, int signr, int trapnr,
29295 }
29296
29297 static void
29298-do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
29299+do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
29300 long error_code, siginfo_t *info)
29301 {
29302 struct task_struct *tsk = current;
29303@@ -275,7 +287,7 @@ do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
29304 if (show_unhandled_signals && unhandled_signal(tsk, signr) &&
29305 printk_ratelimit()) {
29306 pr_info("%s[%d] trap %s ip:%lx sp:%lx error:%lx",
29307- tsk->comm, tsk->pid, str,
29308+ tsk->comm, task_pid_nr(tsk), str,
29309 regs->ip, regs->sp, error_code);
29310 print_vma_addr(" in ", regs->ip);
29311 pr_cont("\n");
29312@@ -357,6 +369,11 @@ dotraplinkage void do_double_fault(struct pt_regs *regs, long error_code)
29313 tsk->thread.error_code = error_code;
29314 tsk->thread.trap_nr = X86_TRAP_DF;
29315
29316+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
29317+ if ((unsigned long)tsk->stack - regs->sp <= PAGE_SIZE)
29318+ die("grsec: kernel stack overflow detected", regs, error_code);
29319+#endif
29320+
29321 #ifdef CONFIG_DOUBLEFAULT
29322 df_debug(regs, error_code);
29323 #endif
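Review bot: The overflow test `(unsigned long)tsk->stack - regs->sp <= PAGE_SIZE` depends on unsigned wrap-around, which is easy to misread as a signed distance. When `regs->sp` is above the stack base the difference wraps to a very large value and the test is false; it is true only when `sp` sits at the base or up to one page below it. A comment such as `/* true when sp is at, or within one page below, the stack base; wraps (false) when sp is above it */` would make that explicit. do_double_fault() starts and ends outside the hunk.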
29324@@ -473,11 +490,35 @@ do_general_protection(struct pt_regs *regs, long error_code)
29325 tsk->thread.error_code = error_code;
29326 tsk->thread.trap_nr = X86_TRAP_GP;
29327 if (notify_die(DIE_GPF, "general protection fault", regs, error_code,
29328- X86_TRAP_GP, SIGSEGV) != NOTIFY_STOP)
29329+ X86_TRAP_GP, SIGSEGV) != NOTIFY_STOP) {
29330+
29331+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29332+ if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
29333+ die("PAX: suspicious general protection fault", regs, error_code);
29334+ else
29335+#endif
29336+
29337 die("general protection fault", regs, error_code);
29338+ }
29339 goto exit;
29340 }
29341
29342+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
29343+ if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
29344+ struct mm_struct *mm = tsk->mm;
29345+ unsigned long limit;
29346+
29347+ down_write(&mm->mmap_sem);
29348+ limit = mm->context.user_cs_limit;
29349+ if (limit < TASK_SIZE) {
29350+ track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
29351+ up_write(&mm->mmap_sem);
29352+ return;
29353+ }
29354+ up_write(&mm->mmap_sem);
29355+ }
29356+#endif
29357+
29358 tsk->thread.error_code = error_code;
29359 tsk->thread.trap_nr = X86_TRAP_GP;
29360
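Review bot: The added PAGEEXEC block leaves the handler with a bare `return;` after `up_write(&mm->mmap_sem);`, while the kernel-mode path a few lines above leaves through `goto exit;`. Whatever the `exit` label undoes is outside the hunk, but skipping it on this one path looks unintended. Using `goto exit;` in place of `return;` would keep the exits consistent. Taking `mmap_sem` for writing inside a fault handler also deserves a comment on why blocking is acceptable here.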
29361@@ -576,6 +617,9 @@ struct bad_iret_stack *fixup_bad_iret(struct bad_iret_stack *s)
29362 container_of(task_pt_regs(current),
29363 struct bad_iret_stack, regs);
29364
29365+ if ((current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE)
29366+ new_stack = s;
29367+
29368 /* Copy the IRET target to the new stack. */
29369 memmove(&new_stack->regs.ip, (void *)s->regs.sp, 5*8);
29370
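Review bot: The new test `(current->thread.sp0 ^ (unsigned long)s) < THREAD_SIZE` has no comment, and the XOR idiom is not self-explanatory. It appears to ask whether `s` already lies in the same THREAD_SIZE-aligned region as `sp0`, in which case the frame is fixed up in place (`new_stack = s`) instead of being moved. That reading assumes a THREAD_SIZE-aligned stack and an `sp0` that is not exactly on the upper boundary, neither of which is visible here. A comment such as `/* already on the task stack: same THREAD_SIZE-aligned block as sp0, fix up in place */` plus a note on the boundary assumption would make it reviewable. fixup_bad_iret() starts and ends outside the hunk.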
29371diff --git a/arch/x86/kernel/tsc.c b/arch/x86/kernel/tsc.c
29372index dc9af7a..1bc625e 100644
29373--- a/arch/x86/kernel/tsc.c
29374+++ b/arch/x86/kernel/tsc.c
29375@@ -151,7 +151,7 @@ static void cyc2ns_write_end(int cpu, struct cyc2ns_data *data)
29376 */
29377 smp_wmb();
29378
29379- ACCESS_ONCE(c2n->head) = data;
29380+ ACCESS_ONCE_RW(c2n->head) = data;
29381 }
29382
29383 /*
29384diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c
29385index 6647624..2056791 100644
29386--- a/arch/x86/kernel/uprobes.c
29387+++ b/arch/x86/kernel/uprobes.c
29388@@ -978,7 +978,7 @@ arch_uretprobe_hijack_return_addr(unsigned long trampoline_vaddr, struct pt_regs
29389
29390 if (nleft != rasize) {
29391 pr_err("uprobe: return address clobbered: pid=%d, %%sp=%#lx, "
29392- "%%ip=%#lx\n", current->pid, regs->sp, regs->ip);
29393+ "%%ip=%#lx\n", task_pid_nr(current), regs->sp, regs->ip);
29394
29395 force_sig_info(SIGSEGV, SEND_SIG_FORCED, current);
29396 }
29397diff --git a/arch/x86/kernel/verify_cpu.S b/arch/x86/kernel/verify_cpu.S
29398index b9242ba..50c5edd 100644
29399--- a/arch/x86/kernel/verify_cpu.S
29400+++ b/arch/x86/kernel/verify_cpu.S
29401@@ -20,6 +20,7 @@
29402 * arch/x86/boot/compressed/head_64.S: Boot cpu verification
29403 * arch/x86/kernel/trampoline_64.S: secondary processor verification
29404 * arch/x86/kernel/head_32.S: processor startup
29405+ * arch/x86/kernel/acpi/realmode/wakeup.S: 32bit processor resume
29406 *
29407 * verify_cpu, returns the status of longmode and SSE in register %eax.
29408 * 0: Success 1: Failure
29409diff --git a/arch/x86/kernel/vm86_32.c b/arch/x86/kernel/vm86_32.c
29410index fc9db6e..2c5865d 100644
29411--- a/arch/x86/kernel/vm86_32.c
29412+++ b/arch/x86/kernel/vm86_32.c
29413@@ -44,6 +44,7 @@
29414 #include <linux/ptrace.h>
29415 #include <linux/audit.h>
29416 #include <linux/stddef.h>
29417+#include <linux/grsecurity.h>
29418
29419 #include <asm/uaccess.h>
29420 #include <asm/io.h>
29421@@ -150,7 +151,7 @@ struct pt_regs *save_v86_state(struct kernel_vm86_regs *regs)
29422 do_exit(SIGSEGV);
29423 }
29424
29425- tss = &per_cpu(cpu_tss, get_cpu());
29426+ tss = cpu_tss + get_cpu();
29427 current->thread.sp0 = current->thread.saved_sp0;
29428 current->thread.sysenter_cs = __KERNEL_CS;
29429 load_sp0(tss, &current->thread);
29430@@ -214,6 +215,14 @@ SYSCALL_DEFINE1(vm86old, struct vm86_struct __user *, v86)
29431
29432 if (tsk->thread.saved_sp0)
29433 return -EPERM;
29434+
29435+#ifdef CONFIG_GRKERNSEC_VM86
29436+ if (!capable(CAP_SYS_RAWIO)) {
29437+ gr_handle_vm86();
29438+ return -EPERM;
29439+ }
29440+#endif
29441+
29442 tmp = copy_vm86_regs_from_user(&info.regs, &v86->regs,
29443 offsetof(struct kernel_vm86_struct, vm86plus) -
29444 sizeof(info.regs));
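Review bot: The five-line `CONFIG_GRKERNSEC_VM86` capability block is placed after the `saved_sp0` test in vm86old, but the next hunk pastes the same block at the very top of vm86. The two syscalls therefore differ in whether gr_handle_vm86() runs when the earlier `-EPERM` return fires. Folding the test into one static helper, called as the first statement of both syscalls, would make the policy identical and remove the duplication. If the different ordering is deliberate, a comment should say why.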
29445@@ -238,6 +247,13 @@ SYSCALL_DEFINE2(vm86, unsigned long, cmd, unsigned long, arg)
29446 int tmp;
29447 struct vm86plus_struct __user *v86;
29448
29449+#ifdef CONFIG_GRKERNSEC_VM86
29450+ if (!capable(CAP_SYS_RAWIO)) {
29451+ gr_handle_vm86();
29452+ return -EPERM;
29453+ }
29454+#endif
29455+
29456 tsk = current;
29457 switch (cmd) {
29458 case VM86_REQUEST_IRQ:
29459@@ -318,7 +334,7 @@ static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk
29460 tsk->thread.saved_fs = info->regs32->fs;
29461 tsk->thread.saved_gs = get_user_gs(info->regs32);
29462
29463- tss = &per_cpu(cpu_tss, get_cpu());
29464+ tss = cpu_tss + get_cpu();
29465 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
29466 if (cpu_has_sep)
29467 tsk->thread.sysenter_cs = 0;
29468@@ -525,7 +541,7 @@ static void do_int(struct kernel_vm86_regs *regs, int i,
29469 goto cannot_handle;
29470 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
29471 goto cannot_handle;
29472- intr_ptr = (unsigned long __user *) (i << 2);
29473+ intr_ptr = (__force unsigned long __user *) (i << 2);
29474 if (get_user(segoffs, intr_ptr))
29475 goto cannot_handle;
29476 if ((segoffs >> 16) == BIOSSEG)
29477diff --git a/arch/x86/kernel/vmlinux.lds.S b/arch/x86/kernel/vmlinux.lds.S
29478index 00bf300..03e1c3b 100644
29479--- a/arch/x86/kernel/vmlinux.lds.S
29480+++ b/arch/x86/kernel/vmlinux.lds.S
29481@@ -26,6 +26,13 @@
29482 #include <asm/page_types.h>
29483 #include <asm/cache.h>
29484 #include <asm/boot.h>
29485+#include <asm/segment.h>
29486+
29487+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
29488+#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
29489+#else
29490+#define __KERNEL_TEXT_OFFSET 0
29491+#endif
29492
29493 #undef i386 /* in case the preprocessor is a 32bit one */
29494
29495@@ -69,30 +76,43 @@ jiffies_64 = jiffies;
29496
29497 PHDRS {
29498 text PT_LOAD FLAGS(5); /* R_E */
29499+#ifdef CONFIG_X86_32
29500+ module PT_LOAD FLAGS(5); /* R_E */
29501+#endif
29502+#ifdef CONFIG_XEN
29503+ rodata PT_LOAD FLAGS(5); /* R_E */
29504+#else
29505+ rodata PT_LOAD FLAGS(4); /* R__ */
29506+#endif
29507 data PT_LOAD FLAGS(6); /* RW_ */
29508-#ifdef CONFIG_X86_64
29509+ init.begin PT_LOAD FLAGS(6); /* RW_ */
29510 #ifdef CONFIG_SMP
29511 percpu PT_LOAD FLAGS(6); /* RW_ */
29512 #endif
29513- init PT_LOAD FLAGS(7); /* RWE */
29514-#endif
29515+ text.init PT_LOAD FLAGS(5); /* R_E */
29516+ text.exit PT_LOAD FLAGS(5); /* R_E */
29517+ init PT_LOAD FLAGS(6); /* RW_ */
29518 note PT_NOTE FLAGS(0); /* ___ */
29519 }
29520
29521 SECTIONS
29522 {
29523 #ifdef CONFIG_X86_32
29524- . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
29525- phys_startup_32 = startup_32 - LOAD_OFFSET;
29526+ . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
29527 #else
29528- . = __START_KERNEL;
29529- phys_startup_64 = startup_64 - LOAD_OFFSET;
29530+ . = __START_KERNEL;
29531 #endif
29532
29533 /* Text and read-only data */
29534- .text : AT(ADDR(.text) - LOAD_OFFSET) {
29535- _text = .;
29536+ .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
29537 /* bootstrapping code */
29538+#ifdef CONFIG_X86_32
29539+ phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
29540+#else
29541+ phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
29542+#endif
29543+ __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
29544+ _text = .;
29545 HEAD_TEXT
29546 . = ALIGN(8);
29547 _stext = .;
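Review bot: The new `rodata` program header is declared `FLAGS(5)` (read and execute) when `CONFIG_XEN` is set and `FLAGS(4)` otherwise, with no comment on why a Xen build needs its read-only data segment to be executable. Splitting `rodata` out of `text` appears to be meant to drop execute permission from it, so the exception should carry a comment naming what in the segment has to stay executable under Xen. That would let it be narrowed later. The `.text` output section opened at the end of this hunk continues in the next one.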
29548@@ -104,13 +124,47 @@ SECTIONS
29549 IRQENTRY_TEXT
29550 *(.fixup)
29551 *(.gnu.warning)
29552- /* End of text section */
29553- _etext = .;
29554 } :text = 0x9090
29555
29556- NOTES :text :note
29557+ . += __KERNEL_TEXT_OFFSET;
29558
29559- EXCEPTION_TABLE(16) :text = 0x9090
29560+#ifdef CONFIG_X86_32
29561+ . = ALIGN(PAGE_SIZE);
29562+ .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
29563+
29564+#ifdef CONFIG_PAX_KERNEXEC
29565+ MODULES_EXEC_VADDR = .;
29566+ BYTE(0)
29567+ . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
29568+ . = ALIGN(HPAGE_SIZE) - 1;
29569+ MODULES_EXEC_END = .;
29570+#endif
29571+
29572+ } :module
29573+#endif
29574+
29575+ .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
29576+ /* End of text section */
29577+ BYTE(0)
29578+ _etext = . - __KERNEL_TEXT_OFFSET;
29579+ }
29580+
29581+#ifdef CONFIG_X86_32
29582+ . = ALIGN(PAGE_SIZE);
29583+ .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
29584+ . = ALIGN(PAGE_SIZE);
29585+ *(.empty_zero_page)
29586+ *(.initial_pg_fixmap)
29587+ *(.initial_pg_pmd)
29588+ *(.initial_page_table)
29589+ *(.swapper_pg_dir)
29590+ } :rodata
29591+#endif
29592+
29593+ . = ALIGN(PAGE_SIZE);
29594+ NOTES :rodata :note
29595+
29596+ EXCEPTION_TABLE(16) :rodata
29597
29598 #if defined(CONFIG_DEBUG_RODATA)
29599 /* .text should occupy whole number of pages */
29600@@ -122,16 +176,20 @@ SECTIONS
29601
29602 /* Data */
29603 .data : AT(ADDR(.data) - LOAD_OFFSET) {
29604+
29605+#ifdef CONFIG_PAX_KERNEXEC
29606+ . = ALIGN(HPAGE_SIZE);
29607+#else
29608+ . = ALIGN(PAGE_SIZE);
29609+#endif
29610+
29611 /* Start of data section */
29612 _sdata = .;
29613
29614 /* init_task */
29615 INIT_TASK_DATA(THREAD_SIZE)
29616
29617-#ifdef CONFIG_X86_32
29618- /* 32 bit has nosave before _edata */
29619 NOSAVE_DATA
29620-#endif
29621
29622 PAGE_ALIGNED_DATA(PAGE_SIZE)
29623
29624@@ -174,12 +232,19 @@ SECTIONS
29625 . = ALIGN(__vvar_page + PAGE_SIZE, PAGE_SIZE);
29626
29627 /* Init code and data - will be freed after init */
29628- . = ALIGN(PAGE_SIZE);
29629 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
29630+ BYTE(0)
29631+
29632+#ifdef CONFIG_PAX_KERNEXEC
29633+ . = ALIGN(HPAGE_SIZE);
29634+#else
29635+ . = ALIGN(PAGE_SIZE);
29636+#endif
29637+
29638 __init_begin = .; /* paired with __init_end */
29639- }
29640+ } :init.begin
29641
29642-#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
29643+#ifdef CONFIG_SMP
29644 /*
29645 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
29646 * output PHDR, so the next output section - .init.text - should
29647@@ -190,12 +255,33 @@ SECTIONS
29648 "per-CPU data too large - increase CONFIG_PHYSICAL_START")
29649 #endif
29650
29651- INIT_TEXT_SECTION(PAGE_SIZE)
29652-#ifdef CONFIG_X86_64
29653- :init
29654+ . = ALIGN(PAGE_SIZE);
29655+ init_begin = .;
29656+ .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
29657+ VMLINUX_SYMBOL(_sinittext) = .;
29658+ INIT_TEXT
29659+ . = ALIGN(PAGE_SIZE);
29660+ } :text.init
29661+
29662+ /*
29663+ * .exit.text is discard at runtime, not link time, to deal with
29664+ * references from .altinstructions and .eh_frame
29665+ */
29666+ .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
29667+ EXIT_TEXT
29668+ VMLINUX_SYMBOL(_einittext) = .;
29669+
29670+#ifdef CONFIG_PAX_KERNEXEC
29671+ . = ALIGN(HPAGE_SIZE);
29672+#else
29673+ . = ALIGN(16);
29674 #endif
29675
29676- INIT_DATA_SECTION(16)
29677+ } :text.exit
29678+ . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
29679+
29680+ . = ALIGN(PAGE_SIZE);
29681+ INIT_DATA_SECTION(16) :init
29682
29683 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
29684 __x86_cpu_dev_start = .;
29685@@ -266,19 +352,12 @@ SECTIONS
29686 }
29687
29688 . = ALIGN(8);
29689- /*
29690- * .exit.text is discard at runtime, not link time, to deal with
29691- * references from .altinstructions and .eh_frame
29692- */
29693- .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
29694- EXIT_TEXT
29695- }
29696
29697 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
29698 EXIT_DATA
29699 }
29700
29701-#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
29702+#ifndef CONFIG_SMP
29703 PERCPU_SECTION(INTERNODE_CACHE_BYTES)
29704 #endif
29705
29706@@ -297,16 +376,10 @@ SECTIONS
29707 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
29708 __smp_locks = .;
29709 *(.smp_locks)
29710- . = ALIGN(PAGE_SIZE);
29711 __smp_locks_end = .;
29712+ . = ALIGN(PAGE_SIZE);
29713 }
29714
29715-#ifdef CONFIG_X86_64
29716- .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
29717- NOSAVE_DATA
29718- }
29719-#endif
29720-
29721 /* BSS */
29722 . = ALIGN(PAGE_SIZE);
29723 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
29724@@ -322,6 +395,7 @@ SECTIONS
29725 __brk_base = .;
29726 . += 64 * 1024; /* 64k alignment slop space */
29727 *(.brk_reservation) /* areas brk users have reserved */
29728+ . = ALIGN(HPAGE_SIZE);
29729 __brk_limit = .;
29730 }
29731
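Review bot: `. = ALIGN(HPAGE_SIZE);` before `__brk_limit` is added unconditionally, whereas the other large-page alignments in this file (`.data`, `.init.begin`, `.exit.text`) use it only under `#ifdef CONFIG_PAX_KERNEXEC` and fall back to a smaller alignment otherwise. As written, every configuration pads the brk area up to a huge-page boundary. If the padding is only needed for KERNEXEC, the line should be wrapped in the same `#ifdef CONFIG_PAX_KERNEXEC` / `#endif` pair; if it is needed always, a comment should say why.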
29732@@ -348,13 +422,12 @@ SECTIONS
29733 * for the boot processor.
29734 */
29735 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
29736-INIT_PER_CPU(gdt_page);
29737 INIT_PER_CPU(irq_stack_union);
29738
29739 /*
29740 * Build-time check on the image size:
29741 */
29742-. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
29743+. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
29744 "kernel image bigger than KERNEL_IMAGE_SIZE");
29745
29746 #ifdef CONFIG_SMP
29747diff --git a/arch/x86/kernel/x8664_ksyms_64.c b/arch/x86/kernel/x8664_ksyms_64.c
29748index a0695be..33e180c 100644
29749--- a/arch/x86/kernel/x8664_ksyms_64.c
29750+++ b/arch/x86/kernel/x8664_ksyms_64.c
29751@@ -34,8 +34,6 @@ EXPORT_SYMBOL(copy_user_generic_string);
29752 EXPORT_SYMBOL(copy_user_generic_unrolled);
29753 EXPORT_SYMBOL(copy_user_enhanced_fast_string);
29754 EXPORT_SYMBOL(__copy_user_nocache);
29755-EXPORT_SYMBOL(_copy_from_user);
29756-EXPORT_SYMBOL(_copy_to_user);
29757
29758 EXPORT_SYMBOL(copy_page);
29759 EXPORT_SYMBOL(clear_page);
29760@@ -77,3 +75,7 @@ EXPORT_SYMBOL(native_load_gs_index);
29761 EXPORT_SYMBOL(___preempt_schedule);
29762 EXPORT_SYMBOL(___preempt_schedule_notrace);
29763 #endif
29764+
29765+#ifdef CONFIG_PAX_PER_CPU_PGD
29766+EXPORT_SYMBOL(cpu_pgd);
29767+#endif
29768diff --git a/arch/x86/kernel/x86_init.c b/arch/x86/kernel/x86_init.c
29769index 3839628..2e5b5b35 100644
29770--- a/arch/x86/kernel/x86_init.c
29771+++ b/arch/x86/kernel/x86_init.c
29772@@ -92,7 +92,7 @@ struct x86_cpuinit_ops x86_cpuinit = {
29773 static void default_nmi_init(void) { };
29774 static int default_i8042_detect(void) { return 1; };
29775
29776-struct x86_platform_ops x86_platform = {
29777+struct x86_platform_ops x86_platform __read_only = {
29778 .calibrate_tsc = native_calibrate_tsc,
29779 .get_wallclock = mach_get_cmos_time,
29780 .set_wallclock = mach_set_rtc_mmss,
29781@@ -108,7 +108,7 @@ struct x86_platform_ops x86_platform = {
29782 EXPORT_SYMBOL_GPL(x86_platform);
29783
29784 #if defined(CONFIG_PCI_MSI)
29785-struct x86_msi_ops x86_msi = {
29786+struct x86_msi_ops x86_msi __read_only = {
29787 .setup_msi_irqs = native_setup_msi_irqs,
29788 .teardown_msi_irq = native_teardown_msi_irq,
29789 .teardown_msi_irqs = default_teardown_msi_irqs,
29790@@ -137,7 +137,7 @@ void arch_restore_msi_irqs(struct pci_dev *dev)
29791 }
29792 #endif
29793
29794-struct x86_io_apic_ops x86_io_apic_ops = {
29795+struct x86_io_apic_ops x86_io_apic_ops __read_only = {
29796 .read = native_io_apic_read,
29797 .disable = native_disable_io_apic,
29798 };
29799diff --git a/arch/x86/kvm/cpuid.c b/arch/x86/kvm/cpuid.c
29800index 2fbea25..9e0f8c7 100644
29801--- a/arch/x86/kvm/cpuid.c
29802+++ b/arch/x86/kvm/cpuid.c
29803@@ -206,15 +206,20 @@ int kvm_vcpu_ioctl_set_cpuid2(struct kvm_vcpu *vcpu,
29804 struct kvm_cpuid2 *cpuid,
29805 struct kvm_cpuid_entry2 __user *entries)
29806 {
29807- int r;
29808+ int r, i;
29809
29810 r = -E2BIG;
29811 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
29812 goto out;
29813 r = -EFAULT;
29814- if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
29815- cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
29816+ if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
29817 goto out;
29818+ for (i = 0; i < cpuid->nent; ++i) {
29819+ struct kvm_cpuid_entry2 cpuid_entry;
29820+ if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
29821+ goto out;
29822+ vcpu->arch.cpuid_entries[i] = cpuid_entry;
29823+ }
29824 vcpu->arch.cpuid_nent = cpuid->nent;
29825 kvm_apic_set_version(vcpu);
29826 kvm_x86_ops->cpuid_update(vcpu);
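Review bot: The loop that replaces the bulk `copy_from_user()` in `kvm_vcpu_ioctl_set_cpuid2` carries no comment saying why each entry is bounced through a stack `cpuid_entry`, and the same applies to the `__copy_to_user()` loop in the `kvm_vcpu_ioctl_get_cpuid2` hunk below. Presumably this keeps every user copy at a compile-time constant size into or out of a stack object; if so, a line such as `/* copy entry by entry so each user copy has a constant, checkable size */` would stop a later cleanup from folding it back into one variable-length copy. Separately, `i` is a signed `int` compared against the unsigned `cpuid->nent`; the `KVM_MAX_CPUID_ENTRIES` check keeps that safe here, but `unsigned int i` would match the counter's type.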
29827@@ -227,15 +232,19 @@ int kvm_vcpu_ioctl_get_cpuid2(struct kvm_vcpu *vcpu,
29828 struct kvm_cpuid2 *cpuid,
29829 struct kvm_cpuid_entry2 __user *entries)
29830 {
29831- int r;
29832+ int r, i;
29833
29834 r = -E2BIG;
29835 if (cpuid->nent < vcpu->arch.cpuid_nent)
29836 goto out;
29837 r = -EFAULT;
29838- if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
29839- vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
29840+ if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
29841 goto out;
29842+ for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
29843+ struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
29844+ if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
29845+ goto out;
29846+ }
29847 return 0;
29848
29849 out:
29850diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c
29851index 2392541a..2aefc2a 100644
29852--- a/arch/x86/kvm/emulate.c
29853+++ b/arch/x86/kvm/emulate.c
29854@@ -3851,7 +3851,7 @@ static int check_cr_write(struct x86_emulate_ctxt *ctxt)
29855 int cr = ctxt->modrm_reg;
29856 u64 efer = 0;
29857
29858- static u64 cr_reserved_bits[] = {
29859+ static const u64 cr_reserved_bits[] = {
29860 0xffffffff00000000ULL,
29861 0, 0, 0, /* CR3 checked later */
29862 CR4_RESERVED_BITS,
29863diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c
29864index 2a5ca97..ce8577a 100644
29865--- a/arch/x86/kvm/lapic.c
29866+++ b/arch/x86/kvm/lapic.c
29867@@ -56,7 +56,7 @@
29868 #define APIC_BUS_CYCLE_NS 1
29869
29870 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
29871-#define apic_debug(fmt, arg...)
29872+#define apic_debug(fmt, arg...) do {} while (0)
29873
29874 #define APIC_LVT_NUM 6
29875 /* 14 is the version for Xeon and Pentium 8.4.8*/
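Review bot: The new stub `do {} while (0)` makes `apic_debug()` statement-safe but still discards the format string and arguments unchecked, so a mismatched specifier at a call site goes unnoticed until someone enables the commented-out `printk` variant. A stub of the form `#define apic_debug(fmt, arg...) do { if (0) printk(KERN_WARNING fmt, ##arg); } while (0)` compiles to nothing while letting the compiler type-check every call. This assumes all existing call sites already compile with their arguments visible to the compiler, which the hunk does not show.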
29876diff --git a/arch/x86/kvm/paging_tmpl.h b/arch/x86/kvm/paging_tmpl.h
29877index 0f67d7e..4b9fa11 100644
29878--- a/arch/x86/kvm/paging_tmpl.h
29879+++ b/arch/x86/kvm/paging_tmpl.h
29880@@ -343,7 +343,7 @@ retry_walk:
29881 if (unlikely(kvm_is_error_hva(host_addr)))
29882 goto error;
29883
29884- ptep_user = (pt_element_t __user *)((void *)host_addr + offset);
29885+ ptep_user = (pt_element_t __force_user *)((void *)host_addr + offset);
29886 if (unlikely(__copy_from_user(&pte, ptep_user, sizeof(pte))))
29887 goto error;
29888 walker->ptep_user[walker->level - 1] = ptep_user;
29889diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c
29890index 2d32b67..2cd298b 100644
29891--- a/arch/x86/kvm/svm.c
29892+++ b/arch/x86/kvm/svm.c
29893@@ -3586,7 +3586,11 @@ static void reload_tss(struct kvm_vcpu *vcpu)
29894 int cpu = raw_smp_processor_id();
29895
29896 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
29897+
29898+ pax_open_kernel();
29899 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
29900+ pax_close_kernel();
29901+
29902 load_TR_desc();
29903 }
29904
29905@@ -3982,6 +3986,10 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
29906 #endif
29907 #endif
29908
29909+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
29910+ __set_fs(current_thread_info()->addr_limit);
29911+#endif
29912+
29913 reload_tss(vcpu);
29914
29915 local_irq_disable();
29916diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
29917index aa9e8229..ab09cc4 100644
29918--- a/arch/x86/kvm/vmx.c
29919+++ b/arch/x86/kvm/vmx.c
29920@@ -1440,12 +1440,12 @@ static void vmcs_write64(unsigned long field, u64 value)
29921 #endif
29922 }
29923
29924-static void vmcs_clear_bits(unsigned long field, u32 mask)
29925+static void vmcs_clear_bits(unsigned long field, unsigned long mask)
29926 {
29927 vmcs_writel(field, vmcs_readl(field) & ~mask);
29928 }
29929
29930-static void vmcs_set_bits(unsigned long field, u32 mask)
29931+static void vmcs_set_bits(unsigned long field, unsigned long mask)
29932 {
29933 vmcs_writel(field, vmcs_readl(field) | mask);
29934 }
29935@@ -1705,7 +1705,11 @@ static void reload_tss(void)
29936 struct desc_struct *descs;
29937
29938 descs = (void *)gdt->address;
29939+
29940+ pax_open_kernel();
29941 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
29942+ pax_close_kernel();
29943+
29944 load_TR_desc();
29945 }
29946
29947@@ -1941,6 +1945,10 @@ static void vmx_vcpu_load(struct kvm_vcpu *vcpu, int cpu)
29948 vmcs_writel(HOST_TR_BASE, kvm_read_tr_base()); /* 22.2.4 */
29949 vmcs_writel(HOST_GDTR_BASE, gdt->address); /* 22.2.4 */
29950
29951+#ifdef CONFIG_PAX_PER_CPU_PGD
29952+ vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
29953+#endif
29954+
29955 rdmsrl(MSR_IA32_SYSENTER_ESP, sysenter_esp);
29956 vmcs_writel(HOST_IA32_SYSENTER_ESP, sysenter_esp); /* 22.2.3 */
29957 vmx->loaded_vmcs->cpu = cpu;
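Review bot: The `HOST_CR3` write added to `vmx_vcpu_load()` reuses the comment from `vmx_set_constant_host_state()` and does not say why CR3 stops being a constant host field under `CONFIG_PAX_PER_CPU_PGD`. A comment such as `/* per-CPU PGD: host CR3 depends on the CPU, so refresh it when the VMCS is loaded on a new one */` would explain the move and the matching `#ifndef` in the later hunk. The condition guarding this block starts outside the hunk, so it is not visible here whether the write runs on every load or only on a CPU change; the comment should state whichever is intended.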
29958@@ -2232,7 +2240,7 @@ static void setup_msrs(struct vcpu_vmx *vmx)
29959 * reads and returns guest's timestamp counter "register"
29960 * guest_tsc = host_tsc + tsc_offset -- 21.3
29961 */
29962-static u64 guest_read_tsc(void)
29963+static u64 __intentional_overflow(-1) guest_read_tsc(void)
29964 {
29965 u64 host_tsc, tsc_offset;
29966
29967@@ -4459,7 +4467,10 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
29968 unsigned long cr4;
29969
29970 vmcs_writel(HOST_CR0, read_cr0() & ~X86_CR0_TS); /* 22.2.3 */
29971+
29972+#ifndef CONFIG_PAX_PER_CPU_PGD
29973 vmcs_writel(HOST_CR3, read_cr3()); /* 22.2.3 FIXME: shadow tables */
29974+#endif
29975
29976 /* Save the most likely value for this task's CR4 in the VMCS. */
29977 cr4 = cr4_read_shadow();
29978@@ -4486,7 +4497,7 @@ static void vmx_set_constant_host_state(struct vcpu_vmx *vmx)
29979 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
29980 vmx->host_idt_base = dt.address;
29981
29982- vmcs_writel(HOST_RIP, vmx_return); /* 22.2.5 */
29983+ vmcs_writel(HOST_RIP, ktla_ktva(vmx_return)); /* 22.2.5 */
29984
29985 rdmsr(MSR_IA32_SYSENTER_CS, low32, high32);
29986 vmcs_write32(HOST_IA32_SYSENTER_CS, low32);
29987@@ -6097,11 +6108,17 @@ static __init int hardware_setup(void)
29988 * page upon invalidation. No need to do anything if not
29989 * using the APIC_ACCESS_ADDR VMCS field.
29990 */
29991- if (!flexpriority_enabled)
29992- kvm_x86_ops->set_apic_access_page_addr = NULL;
29993+ if (!flexpriority_enabled) {
29994+ pax_open_kernel();
29995+ *(void **)&kvm_x86_ops->set_apic_access_page_addr = NULL;
29996+ pax_close_kernel();
29997+ }
29998
29999- if (!cpu_has_vmx_tpr_shadow())
30000- kvm_x86_ops->update_cr8_intercept = NULL;
30001+ if (!cpu_has_vmx_tpr_shadow()) {
30002+ pax_open_kernel();
30003+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
30004+ pax_close_kernel();
30005+ }
30006
30007 if (enable_ept && !cpu_has_vmx_ept_2m_page())
30008 kvm_disable_largepages();
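Review bot: Every store of the form `*(void **)&kvm_x86_ops->member = ...` in this hunk and the two `hardware_setup()` hunks that follow writes through a `void *` lvalue, so the compiler no longer checks the assigned value against the member's function-pointer type. For example, `vmx_sync_pir_to_irr_dummy` in the next hunk would be accepted even with the wrong signature. Wrapping the cast and the `pax_open_kernel()`/`pax_close_kernel()` pair in one local helper macro would keep the eleven stores uniform. It would also give a single place for a type check and a comment on why the bracket is needed. The function body continues outside all three hunks.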
30009@@ -6112,14 +6129,16 @@ static __init int hardware_setup(void)
30010 if (!cpu_has_vmx_apicv())
30011 enable_apicv = 0;
30012
30013+ pax_open_kernel();
30014 if (enable_apicv)
30015- kvm_x86_ops->update_cr8_intercept = NULL;
30016+ *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
30017 else {
30018- kvm_x86_ops->hwapic_irr_update = NULL;
30019- kvm_x86_ops->hwapic_isr_update = NULL;
30020- kvm_x86_ops->deliver_posted_interrupt = NULL;
30021- kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
30022+ *(void **)&kvm_x86_ops->hwapic_irr_update = NULL;
30023+ *(void **)&kvm_x86_ops->hwapic_isr_update = NULL;
30024+ *(void **)&kvm_x86_ops->deliver_posted_interrupt = NULL;
30025+ *(void **)&kvm_x86_ops->sync_pir_to_irr = vmx_sync_pir_to_irr_dummy;
30026 }
30027+ pax_close_kernel();
30028
30029 vmx_disable_intercept_for_msr(MSR_FS_BASE, false);
30030 vmx_disable_intercept_for_msr(MSR_GS_BASE, false);
30031@@ -6174,10 +6193,12 @@ static __init int hardware_setup(void)
30032 enable_pml = 0;
30033
30034 if (!enable_pml) {
30035- kvm_x86_ops->slot_enable_log_dirty = NULL;
30036- kvm_x86_ops->slot_disable_log_dirty = NULL;
30037- kvm_x86_ops->flush_log_dirty = NULL;
30038- kvm_x86_ops->enable_log_dirty_pt_masked = NULL;
30039+ pax_open_kernel();
30040+ *(void **)&kvm_x86_ops->slot_enable_log_dirty = NULL;
30041+ *(void **)&kvm_x86_ops->slot_disable_log_dirty = NULL;
30042+ *(void **)&kvm_x86_ops->flush_log_dirty = NULL;
30043+ *(void **)&kvm_x86_ops->enable_log_dirty_pt_masked = NULL;
30044+ pax_close_kernel();
30045 }
30046
30047 return alloc_kvm_area();
30048@@ -8380,6 +8401,12 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
30049 "jmp 2f \n\t"
30050 "1: " __ex(ASM_VMX_VMRESUME) "\n\t"
30051 "2: "
30052+
30053+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
30054+ "ljmp %[cs],$3f\n\t"
30055+ "3: "
30056+#endif
30057+
30058 /* Save guest registers, load host registers, keep flags */
30059 "mov %0, %c[wordsize](%%" _ASM_SP ") \n\t"
30060 "pop %0 \n\t"
30061@@ -8432,6 +8459,11 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
30062 #endif
30063 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2)),
30064 [wordsize]"i"(sizeof(ulong))
30065+
30066+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
30067+ ,[cs]"i"(__KERNEL_CS)
30068+#endif
30069+
30070 : "cc", "memory"
30071 #ifdef CONFIG_X86_64
30072 , "rax", "rbx", "rdi", "rsi"
30073@@ -8445,7 +8477,7 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
30074 if (debugctlmsr)
30075 update_debugctlmsr(debugctlmsr);
30076
30077-#ifndef CONFIG_X86_64
30078+#ifdef CONFIG_X86_32
30079 /*
30080 * The sysexit path does not restore ds/es, so we must set them to
30081 * a reasonable value ourselves.
30082@@ -8454,8 +8486,18 @@ static void __noclone vmx_vcpu_run(struct kvm_vcpu *vcpu)
30083 * may be executed in interrupt context, which saves and restore segments
30084 * around it, nullifying its effect.
30085 */
30086- loadsegment(ds, __USER_DS);
30087- loadsegment(es, __USER_DS);
30088+ loadsegment(ds, __KERNEL_DS);
30089+ loadsegment(es, __KERNEL_DS);
30090+ loadsegment(ss, __KERNEL_DS);
30091+
30092+#ifdef CONFIG_PAX_KERNEXEC
30093+ loadsegment(fs, __KERNEL_PERCPU);
30094+#endif
30095+
30096+#ifdef CONFIG_PAX_MEMORY_UDEREF
30097+ __set_fs(current_thread_info()->addr_limit);
30098+#endif
30099+
30100 #endif
30101
30102 vcpu->arch.regs_avail = ~((1 << VCPU_REGS_RIP) | (1 << VCPU_REGS_RSP)
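Review bot: The comment that precedes these `loadsegment()` calls still describes only `ds`/`es` and the sysexit path, while the new code loads kernel selectors instead of `__USER_DS`. It also reloads `ss`, `fs` (under `CONFIG_PAX_KERNEXEC`) and the address limit (under `CONFIG_PAX_MEMORY_UDEREF`). Extending the comment with a sentence on why kernel selectors are the right value here, and why `ss` and `fs` need reloading after VM exit, would keep it truthful. The comment begins in the previous hunk, so only its last lines are visible here.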
30103diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
30104index 373328b7..ebd267f 100644
30105--- a/arch/x86/kvm/x86.c
30106+++ b/arch/x86/kvm/x86.c
30107@@ -1842,8 +1842,8 @@ static int xen_hvm_config(struct kvm_vcpu *vcpu, u64 data)
30108 {
30109 struct kvm *kvm = vcpu->kvm;
30110 int lm = is_long_mode(vcpu);
30111- u8 *blob_addr = lm ? (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_64
30112- : (u8 *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
30113+ u8 __user *blob_addr = lm ? (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_64
30114+ : (u8 __user *)(long)kvm->arch.xen_hvm_config.blob_addr_32;
30115 u8 blob_size = lm ? kvm->arch.xen_hvm_config.blob_size_64
30116 : kvm->arch.xen_hvm_config.blob_size_32;
30117 u32 page_num = data & ~PAGE_MASK;
30118@@ -2733,6 +2733,8 @@ long kvm_arch_dev_ioctl(struct file *filp,
30119 if (n < msr_list.nmsrs)
30120 goto out;
30121 r = -EFAULT;
30122+ if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
30123+ goto out;
30124 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
30125 num_msrs_to_save * sizeof(u32)))
30126 goto out;
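Review bot: The new bound check on `num_msrs_to_save` leaves `r` at `-EFAULT`, which tells userspace its buffer was bad when the actual condition is an internal count exceeding `ARRAY_SIZE(msrs_to_save)`. Making the failure distinct and visible, e.g. `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save))) { r = -EINVAL; goto out; }`, would surface the inconsistency instead of hiding it behind a generic fault. If the code after this hunk copies a second table sized by another runtime count, it would want the same guard; that part of the function is outside the hunk.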
30127@@ -3093,7 +3095,7 @@ static int kvm_vcpu_ioctl_x86_set_debugregs(struct kvm_vcpu *vcpu,
30128
30129 static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
30130 {
30131- struct xregs_state *xsave = &vcpu->arch.guest_fpu.state.xsave;
30132+ struct xregs_state *xsave = &vcpu->arch.guest_fpu.state->xsave;
30133 u64 xstate_bv = xsave->header.xfeatures;
30134 u64 valid;
30135
30136@@ -3129,7 +3131,7 @@ static void fill_xsave(u8 *dest, struct kvm_vcpu *vcpu)
30137
30138 static void load_xsave(struct kvm_vcpu *vcpu, u8 *src)
30139 {
30140- struct xregs_state *xsave = &vcpu->arch.guest_fpu.state.xsave;
30141+ struct xregs_state *xsave = &vcpu->arch.guest_fpu.state->xsave;
30142 u64 xstate_bv = *(u64 *)(src + XSAVE_HDR_OFFSET);
30143 u64 valid;
30144
30145@@ -3173,7 +3175,7 @@ static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
30146 fill_xsave((u8 *) guest_xsave->region, vcpu);
30147 } else {
30148 memcpy(guest_xsave->region,
30149- &vcpu->arch.guest_fpu.state.fxsave,
30150+ &vcpu->arch.guest_fpu.state->fxsave,
30151 sizeof(struct fxregs_state));
30152 *(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)] =
30153 XSTATE_FPSSE;
30154@@ -3198,7 +3200,7 @@ static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
30155 } else {
30156 if (xstate_bv & ~XSTATE_FPSSE)
30157 return -EINVAL;
30158- memcpy(&vcpu->arch.guest_fpu.state.fxsave,
30159+ memcpy(&vcpu->arch.guest_fpu.state->fxsave,
30160 guest_xsave->region, sizeof(struct fxregs_state));
30161 }
30162 return 0;
30163@@ -5788,7 +5790,7 @@ static struct notifier_block pvclock_gtod_notifier = {
30164 };
30165 #endif
30166
30167-int kvm_arch_init(void *opaque)
30168+int kvm_arch_init(const void *opaque)
30169 {
30170 int r;
30171 struct kvm_x86_ops *ops = opaque;
30172@@ -7217,7 +7219,7 @@ int kvm_arch_vcpu_ioctl_translate(struct kvm_vcpu *vcpu,
30173 int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30174 {
30175 struct fxregs_state *fxsave =
30176- &vcpu->arch.guest_fpu.state.fxsave;
30177+ &vcpu->arch.guest_fpu.state->fxsave;
30178
30179 memcpy(fpu->fpr, fxsave->st_space, 128);
30180 fpu->fcw = fxsave->cwd;
30181@@ -7234,7 +7236,7 @@ int kvm_arch_vcpu_ioctl_get_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30182 int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30183 {
30184 struct fxregs_state *fxsave =
30185- &vcpu->arch.guest_fpu.state.fxsave;
30186+ &vcpu->arch.guest_fpu.state->fxsave;
30187
30188 memcpy(fxsave->st_space, fpu->fpr, 128);
30189 fxsave->cwd = fpu->fcw;
30190@@ -7250,9 +7252,9 @@ int kvm_arch_vcpu_ioctl_set_fpu(struct kvm_vcpu *vcpu, struct kvm_fpu *fpu)
30191
30192 static void fx_init(struct kvm_vcpu *vcpu)
30193 {
30194- fpstate_init(&vcpu->arch.guest_fpu.state);
30195+ fpstate_init(vcpu->arch.guest_fpu.state);
30196 if (cpu_has_xsaves)
30197- vcpu->arch.guest_fpu.state.xsave.header.xcomp_bv =
30198+ vcpu->arch.guest_fpu.state->xsave.header.xcomp_bv =
30199 host_xcr0 | XSTATE_COMPACTION_ENABLED;
30200
30201 /*
30202@@ -7276,7 +7278,7 @@ void kvm_load_guest_fpu(struct kvm_vcpu *vcpu)
30203 kvm_put_guest_xcr0(vcpu);
30204 vcpu->guest_fpu_loaded = 1;
30205 __kernel_fpu_begin();
30206- __copy_kernel_to_fpregs(&vcpu->arch.guest_fpu.state);
30207+ __copy_kernel_to_fpregs(vcpu->arch.guest_fpu.state);
30208 trace_kvm_fpu(1);
30209 }
30210
30211@@ -7554,6 +7556,8 @@ bool kvm_vcpu_compatible(struct kvm_vcpu *vcpu)
30212
30213 struct static_key kvm_no_apic_vcpu __read_mostly;
30214
30215+extern struct kmem_cache *fpregs_state_cachep;
30216+
30217 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
30218 {
30219 struct page *page;
30220@@ -7570,11 +7574,14 @@ int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu)
30221 else
30222 vcpu->arch.mp_state = KVM_MP_STATE_UNINITIALIZED;
30223
30224- page = alloc_page(GFP_KERNEL | __GFP_ZERO);
30225- if (!page) {
30226- r = -ENOMEM;
30227+ r = -ENOMEM;
30228+ vcpu->arch.guest_fpu.state = kmem_cache_alloc(fpregs_state_cachep, GFP_KERNEL);
30229+ if (!vcpu->arch.guest_fpu.state)
30230 goto fail;
30231- }
30232+
30233+ page = alloc_page(GFP_KERNEL | __GFP_ZERO);
30234+ if (!page)
30235+ goto fail_free_fpregs;
30236 vcpu->arch.pio_data = page_address(page);
30237
30238 kvm_set_tsc_khz(vcpu, max_tsc_khz);
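Review bot: `kmem_cache_alloc(fpregs_state_cachep, GFP_KERNEL)` returns uninitialised memory, whereas the page allocation right below it asks for `__GFP_ZERO`. The guest FPU state feeds the xsave/fpu ioctl paths touched in earlier hunks, so stale slab contents could be disclosed if any path reads the buffer before it is fully initialised. Whether `fx_init()` covers the whole object is not visible here. `kmem_cache_zalloc(fpregs_state_cachep, GFP_KERNEL)` removes the dependency on initialisation order. The `extern struct kmem_cache *fpregs_state_cachep;` added in the previous hunk would also be better placed in a shared header, so the declaration is checked against the definition.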
30239@@ -7628,6 +7635,9 @@ fail_mmu_destroy:
30240 kvm_mmu_destroy(vcpu);
30241 fail_free_pio_data:
30242 free_page((unsigned long)vcpu->arch.pio_data);
30243+fail_free_fpregs:
30244+ kmem_cache_free(fpregs_state_cachep, vcpu->arch.guest_fpu.state);
30245+ vcpu->arch.guest_fpu.state = NULL;
30246 fail:
30247 return r;
30248 }
30249@@ -7645,6 +7655,8 @@ void kvm_arch_vcpu_uninit(struct kvm_vcpu *vcpu)
30250 free_page((unsigned long)vcpu->arch.pio_data);
30251 if (!irqchip_in_kernel(vcpu->kvm))
30252 static_key_slow_dec(&kvm_no_apic_vcpu);
30253+ kmem_cache_free(fpregs_state_cachep, vcpu->arch.guest_fpu.state);
30254+ vcpu->arch.guest_fpu.state = NULL;
30255 }
30256
30257 void kvm_arch_sched_in(struct kvm_vcpu *vcpu, int cpu)
30258diff --git a/arch/x86/lguest/boot.c b/arch/x86/lguest/boot.c
30259index f2dc08c..d85d906 100644
30260--- a/arch/x86/lguest/boot.c
30261+++ b/arch/x86/lguest/boot.c
30262@@ -1341,9 +1341,10 @@ static __init int early_put_chars(u32 vtermno, const char *buf, int count)
30263 * Rebooting also tells the Host we're finished, but the RESTART flag tells the
30264 * Launcher to reboot us.
30265 */
30266-static void lguest_restart(char *reason)
30267+static __noreturn void lguest_restart(char *reason)
30268 {
30269 hcall(LHCALL_SHUTDOWN, __pa(reason), LGUEST_SHUTDOWN_RESTART, 0, 0);
30270+ BUG();
30271 }
30272
30273 /*G:050
30274diff --git a/arch/x86/lib/atomic64_386_32.S b/arch/x86/lib/atomic64_386_32.S
30275index 9b0ca8f..bb4af41 100644
30276--- a/arch/x86/lib/atomic64_386_32.S
30277+++ b/arch/x86/lib/atomic64_386_32.S
30278@@ -45,6 +45,10 @@ BEGIN(read)
30279 movl (v), %eax
30280 movl 4(v), %edx
30281 RET_ENDP
30282+BEGIN(read_unchecked)
30283+ movl (v), %eax
30284+ movl 4(v), %edx
30285+RET_ENDP
30286 #undef v
30287
30288 #define v %esi
30289@@ -52,6 +56,10 @@ BEGIN(set)
30290 movl %ebx, (v)
30291 movl %ecx, 4(v)
30292 RET_ENDP
30293+BEGIN(set_unchecked)
30294+ movl %ebx, (v)
30295+ movl %ecx, 4(v)
30296+RET_ENDP
30297 #undef v
30298
30299 #define v %esi
30300@@ -67,6 +75,20 @@ RET_ENDP
30301 BEGIN(add)
30302 addl %eax, (v)
30303 adcl %edx, 4(v)
30304+
30305+#ifdef CONFIG_PAX_REFCOUNT
30306+ jno 0f
30307+ subl %eax, (v)
30308+ sbbl %edx, 4(v)
30309+ int $4
30310+0:
30311+ _ASM_EXTABLE(0b, 0b)
30312+#endif
30313+
30314+RET_ENDP
30315+BEGIN(add_unchecked)
30316+ addl %eax, (v)
30317+ adcl %edx, 4(v)
30318 RET_ENDP
30319 #undef v
30320
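Review bot: The `CONFIG_PAX_REFCOUNT` sequences added here and in the other hunks of this file come in two shapes with no comment on either. In `add`, `sub`, `inc` and `dec` the memory operand is updated first, so the overflow path undoes the operation before `int $4`. In the `*_return`, `add_unless`, `inc_not_zero` and `dec_if_positive` variants the result is still in registers, so `into` traps and the exception-table entry skips the store. One comment at the first use, for example `/* OF set: undo the update, then raise the overflow trap; the extable entry resumes at 0: */`, plus a matching line on the `into` form, would make the difference reviewable. It would also help to state what the `_unchecked` copies are for, since their bodies are identical to the originals.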
30321@@ -74,6 +96,24 @@ RET_ENDP
30322 BEGIN(add_return)
30323 addl (v), %eax
30324 adcl 4(v), %edx
30325+
30326+#ifdef CONFIG_PAX_REFCOUNT
30327+ into
30328+1234:
30329+ _ASM_EXTABLE(1234b, 2f)
30330+#endif
30331+
30332+ movl %eax, (v)
30333+ movl %edx, 4(v)
30334+
30335+#ifdef CONFIG_PAX_REFCOUNT
30336+2:
30337+#endif
30338+
30339+RET_ENDP
30340+BEGIN(add_return_unchecked)
30341+ addl (v), %eax
30342+ adcl 4(v), %edx
30343 movl %eax, (v)
30344 movl %edx, 4(v)
30345 RET_ENDP
30346@@ -83,6 +123,20 @@ RET_ENDP
30347 BEGIN(sub)
30348 subl %eax, (v)
30349 sbbl %edx, 4(v)
30350+
30351+#ifdef CONFIG_PAX_REFCOUNT
30352+ jno 0f
30353+ addl %eax, (v)
30354+ adcl %edx, 4(v)
30355+ int $4
30356+0:
30357+ _ASM_EXTABLE(0b, 0b)
30358+#endif
30359+
30360+RET_ENDP
30361+BEGIN(sub_unchecked)
30362+ subl %eax, (v)
30363+ sbbl %edx, 4(v)
30364 RET_ENDP
30365 #undef v
30366
30367@@ -93,6 +147,27 @@ BEGIN(sub_return)
30368 sbbl $0, %edx
30369 addl (v), %eax
30370 adcl 4(v), %edx
30371+
30372+#ifdef CONFIG_PAX_REFCOUNT
30373+ into
30374+1234:
30375+ _ASM_EXTABLE(1234b, 2f)
30376+#endif
30377+
30378+ movl %eax, (v)
30379+ movl %edx, 4(v)
30380+
30381+#ifdef CONFIG_PAX_REFCOUNT
30382+2:
30383+#endif
30384+
30385+RET_ENDP
30386+BEGIN(sub_return_unchecked)
30387+ negl %edx
30388+ negl %eax
30389+ sbbl $0, %edx
30390+ addl (v), %eax
30391+ adcl 4(v), %edx
30392 movl %eax, (v)
30393 movl %edx, 4(v)
30394 RET_ENDP
30395@@ -102,6 +177,20 @@ RET_ENDP
30396 BEGIN(inc)
30397 addl $1, (v)
30398 adcl $0, 4(v)
30399+
30400+#ifdef CONFIG_PAX_REFCOUNT
30401+ jno 0f
30402+ subl $1, (v)
30403+ sbbl $0, 4(v)
30404+ int $4
30405+0:
30406+ _ASM_EXTABLE(0b, 0b)
30407+#endif
30408+
30409+RET_ENDP
30410+BEGIN(inc_unchecked)
30411+ addl $1, (v)
30412+ adcl $0, 4(v)
30413 RET_ENDP
30414 #undef v
30415
30416@@ -111,6 +200,26 @@ BEGIN(inc_return)
30417 movl 4(v), %edx
30418 addl $1, %eax
30419 adcl $0, %edx
30420+
30421+#ifdef CONFIG_PAX_REFCOUNT
30422+ into
30423+1234:
30424+ _ASM_EXTABLE(1234b, 2f)
30425+#endif
30426+
30427+ movl %eax, (v)
30428+ movl %edx, 4(v)
30429+
30430+#ifdef CONFIG_PAX_REFCOUNT
30431+2:
30432+#endif
30433+
30434+RET_ENDP
30435+BEGIN(inc_return_unchecked)
30436+ movl (v), %eax
30437+ movl 4(v), %edx
30438+ addl $1, %eax
30439+ adcl $0, %edx
30440 movl %eax, (v)
30441 movl %edx, 4(v)
30442 RET_ENDP
30443@@ -120,6 +229,20 @@ RET_ENDP
30444 BEGIN(dec)
30445 subl $1, (v)
30446 sbbl $0, 4(v)
30447+
30448+#ifdef CONFIG_PAX_REFCOUNT
30449+ jno 0f
30450+ addl $1, (v)
30451+ adcl $0, 4(v)
30452+ int $4
30453+0:
30454+ _ASM_EXTABLE(0b, 0b)
30455+#endif
30456+
30457+RET_ENDP
30458+BEGIN(dec_unchecked)
30459+ subl $1, (v)
30460+ sbbl $0, 4(v)
30461 RET_ENDP
30462 #undef v
30463
30464@@ -129,6 +252,26 @@ BEGIN(dec_return)
30465 movl 4(v), %edx
30466 subl $1, %eax
30467 sbbl $0, %edx
30468+
30469+#ifdef CONFIG_PAX_REFCOUNT
30470+ into
30471+1234:
30472+ _ASM_EXTABLE(1234b, 2f)
30473+#endif
30474+
30475+ movl %eax, (v)
30476+ movl %edx, 4(v)
30477+
30478+#ifdef CONFIG_PAX_REFCOUNT
30479+2:
30480+#endif
30481+
30482+RET_ENDP
30483+BEGIN(dec_return_unchecked)
30484+ movl (v), %eax
30485+ movl 4(v), %edx
30486+ subl $1, %eax
30487+ sbbl $0, %edx
30488 movl %eax, (v)
30489 movl %edx, 4(v)
30490 RET_ENDP
30491@@ -140,6 +283,13 @@ BEGIN(add_unless)
30492 adcl %edx, %edi
30493 addl (v), %eax
30494 adcl 4(v), %edx
30495+
30496+#ifdef CONFIG_PAX_REFCOUNT
30497+ into
30498+1234:
30499+ _ASM_EXTABLE(1234b, 2f)
30500+#endif
30501+
30502 cmpl %eax, %ecx
30503 je 3f
30504 1:
30505@@ -165,6 +315,13 @@ BEGIN(inc_not_zero)
30506 1:
30507 addl $1, %eax
30508 adcl $0, %edx
30509+
30510+#ifdef CONFIG_PAX_REFCOUNT
30511+ into
30512+1234:
30513+ _ASM_EXTABLE(1234b, 2f)
30514+#endif
30515+
30516 movl %eax, (v)
30517 movl %edx, 4(v)
30518 movl $1, %eax
30519@@ -183,6 +340,13 @@ BEGIN(dec_if_positive)
30520 movl 4(v), %edx
30521 subl $1, %eax
30522 sbbl $0, %edx
30523+
30524+#ifdef CONFIG_PAX_REFCOUNT
30525+ into
30526+1234:
30527+ _ASM_EXTABLE(1234b, 1f)
30528+#endif
30529+
30530 js 1f
30531 movl %eax, (v)
30532 movl %edx, 4(v)
30533diff --git a/arch/x86/lib/atomic64_cx8_32.S b/arch/x86/lib/atomic64_cx8_32.S
30534index db3ae854..b8ad0de 100644
30535--- a/arch/x86/lib/atomic64_cx8_32.S
30536+++ b/arch/x86/lib/atomic64_cx8_32.S
30537@@ -22,9 +22,16 @@
30538
30539 ENTRY(atomic64_read_cx8)
30540 read64 %ecx
30541+ pax_force_retaddr
30542 ret
30543 ENDPROC(atomic64_read_cx8)
30544
30545+ENTRY(atomic64_read_unchecked_cx8)
30546+ read64 %ecx
30547+ pax_force_retaddr
30548+ ret
30549+ENDPROC(atomic64_read_unchecked_cx8)
30550+
30551 ENTRY(atomic64_set_cx8)
30552 1:
30553 /* we don't need LOCK_PREFIX since aligned 64-bit writes
30554@@ -32,20 +39,33 @@ ENTRY(atomic64_set_cx8)
30555 cmpxchg8b (%esi)
30556 jne 1b
30557
30558+ pax_force_retaddr
30559 ret
30560 ENDPROC(atomic64_set_cx8)
30561
30562+ENTRY(atomic64_set_unchecked_cx8)
30563+1:
30564+/* we don't need LOCK_PREFIX since aligned 64-bit writes
30565+ * are atomic on 586 and newer */
30566+ cmpxchg8b (%esi)
30567+ jne 1b
30568+
30569+ pax_force_retaddr
30570+ ret
30571+ENDPROC(atomic64_set_unchecked_cx8)
30572+
30573 ENTRY(atomic64_xchg_cx8)
30574 1:
30575 LOCK_PREFIX
30576 cmpxchg8b (%esi)
30577 jne 1b
30578
30579+ pax_force_retaddr
30580 ret
30581 ENDPROC(atomic64_xchg_cx8)
30582
30583-.macro addsub_return func ins insc
30584-ENTRY(atomic64_\func\()_return_cx8)
30585+.macro addsub_return func ins insc unchecked=""
30586+ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
30587 pushl %ebp
30588 pushl %ebx
30589 pushl %esi
30590@@ -61,26 +81,43 @@ ENTRY(atomic64_\func\()_return_cx8)
30591 movl %edx, %ecx
30592 \ins\()l %esi, %ebx
30593 \insc\()l %edi, %ecx
30594+
30595+.ifb \unchecked
30596+#ifdef CONFIG_PAX_REFCOUNT
30597+ into
30598+2:
30599+ _ASM_EXTABLE(2b, 3f)
30600+#endif
30601+.endif
30602+
30603 LOCK_PREFIX
30604 cmpxchg8b (%ebp)
30605 jne 1b
30606-
30607-10:
30608 movl %ebx, %eax
30609 movl %ecx, %edx
30610+
30611+.ifb \unchecked
30612+#ifdef CONFIG_PAX_REFCOUNT
30613+3:
30614+#endif
30615+.endif
30616+
30617 popl %edi
30618 popl %esi
30619 popl %ebx
30620 popl %ebp
30621+ pax_force_retaddr
30622 ret
30623-ENDPROC(atomic64_\func\()_return_cx8)
30624+ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
30625 .endm
30626
30627 addsub_return add add adc
30628 addsub_return sub sub sbb
30629+addsub_return add add adc _unchecked
30630+addsub_return sub sub sbb _unchecked
30631
30632-.macro incdec_return func ins insc
30633-ENTRY(atomic64_\func\()_return_cx8)
30634+.macro incdec_return func ins insc unchecked=""
30635+ENTRY(atomic64_\func\()_return\unchecked\()_cx8)
30636 pushl %ebx
30637
30638 read64 %esi
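Review bot: On the overflow path of `addsub_return`, the exception-table entry resumes at label `3:`, which sits after `movl %ebx, %eax` / `movl %ecx, %edx`. The function therefore returns whatever `%edx:%eax` held before the arithmetic rather than the computed result, and `incdec_return` in the next hunk has the same layout. The 386 variants in `atomic64_386_32.S` skip only the store and return the computed (overflowed) value, so the two implementations appear to disagree on the return value after a detected overflow. If that difference is intended, a comment at `3:` should say which value callers get; otherwise placing `3:` before the two `movl` instructions would align them. The start of the retry loop is outside the hunk, so the register contents at `3:` are inferred.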
30639@@ -89,20 +126,37 @@ ENTRY(atomic64_\func\()_return_cx8)
30640 movl %edx, %ecx
30641 \ins\()l $1, %ebx
30642 \insc\()l $0, %ecx
30643+
30644+.ifb \unchecked
30645+#ifdef CONFIG_PAX_REFCOUNT
30646+ into
30647+2:
30648+ _ASM_EXTABLE(2b, 3f)
30649+#endif
30650+.endif
30651+
30652 LOCK_PREFIX
30653 cmpxchg8b (%esi)
30654 jne 1b
30655-
30656-10:
30657 movl %ebx, %eax
30658 movl %ecx, %edx
30659+
30660+.ifb \unchecked
30661+#ifdef CONFIG_PAX_REFCOUNT
30662+3:
30663+#endif
30664+.endif
30665+
30666 popl %ebx
30667+ pax_force_retaddr
30668 ret
30669-ENDPROC(atomic64_\func\()_return_cx8)
30670+ENDPROC(atomic64_\func\()_return\unchecked\()_cx8)
30671 .endm
30672
30673 incdec_return inc add adc
30674 incdec_return dec sub sbb
30675+incdec_return inc add adc _unchecked
30676+incdec_return dec sub sbb _unchecked
30677
30678 ENTRY(atomic64_dec_if_positive_cx8)
30679 pushl %ebx
30680@@ -113,6 +167,13 @@ ENTRY(atomic64_dec_if_positive_cx8)
30681 movl %edx, %ecx
30682 subl $1, %ebx
30683 sbb $0, %ecx
30684+
30685+#ifdef CONFIG_PAX_REFCOUNT
30686+ into
30687+1234:
30688+ _ASM_EXTABLE(1234b, 2f)
30689+#endif
30690+
30691 js 2f
30692 LOCK_PREFIX
30693 cmpxchg8b (%esi)
30694@@ -122,6 +183,7 @@ ENTRY(atomic64_dec_if_positive_cx8)
30695 movl %ebx, %eax
30696 movl %ecx, %edx
30697 popl %ebx
30698+ pax_force_retaddr
30699 ret
30700 ENDPROC(atomic64_dec_if_positive_cx8)
30701
30702@@ -144,6 +206,13 @@ ENTRY(atomic64_add_unless_cx8)
30703 movl %edx, %ecx
30704 addl %ebp, %ebx
30705 adcl %edi, %ecx
30706+
30707+#ifdef CONFIG_PAX_REFCOUNT
30708+ into
30709+1234:
30710+ _ASM_EXTABLE(1234b, 3f)
30711+#endif
30712+
30713 LOCK_PREFIX
30714 cmpxchg8b (%esi)
30715 jne 1b
30716@@ -153,6 +222,7 @@ ENTRY(atomic64_add_unless_cx8)
30717 addl $8, %esp
30718 popl %ebx
30719 popl %ebp
30720+ pax_force_retaddr
30721 ret
30722 4:
30723 cmpl %edx, 4(%esp)
30724@@ -173,6 +243,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
30725 xorl %ecx, %ecx
30726 addl $1, %ebx
30727 adcl %edx, %ecx
30728+
30729+#ifdef CONFIG_PAX_REFCOUNT
30730+ into
30731+1234:
30732+ _ASM_EXTABLE(1234b, 3f)
30733+#endif
30734+
30735 LOCK_PREFIX
30736 cmpxchg8b (%esi)
30737 jne 1b
30738@@ -180,5 +257,6 @@ ENTRY(atomic64_inc_not_zero_cx8)
30739 movl $1, %eax
30740 3:
30741 popl %ebx
30742+ pax_force_retaddr
30743 ret
30744 ENDPROC(atomic64_inc_not_zero_cx8)
30745diff --git a/arch/x86/lib/checksum_32.S b/arch/x86/lib/checksum_32.S
30746index c1e6232..ebbeba7 100644
30747--- a/arch/x86/lib/checksum_32.S
30748+++ b/arch/x86/lib/checksum_32.S
30749@@ -28,7 +28,8 @@
30750 #include <linux/linkage.h>
30751 #include <asm/errno.h>
30752 #include <asm/asm.h>
30753-
30754+#include <asm/segment.h>
30755+
30756 /*
30757 * computes a partial checksum, e.g. for TCP/UDP fragments
30758 */
30759@@ -280,7 +281,22 @@ unsigned int csum_partial_copy_generic (const char *src, char *dst,
30760
30761 #define ARGBASE 16
30762 #define FP 12
30763-
30764+
30765+ENTRY(csum_partial_copy_generic_to_user)
30766+
30767+#ifdef CONFIG_PAX_MEMORY_UDEREF
30768+ pushl %gs
30769+ popl %es
30770+ jmp csum_partial_copy_generic
30771+#endif
30772+
30773+ENTRY(csum_partial_copy_generic_from_user)
30774+
30775+#ifdef CONFIG_PAX_MEMORY_UDEREF
30776+ pushl %gs
30777+ popl %ds
30778+#endif
30779+
30780 ENTRY(csum_partial_copy_generic)
30781 subl $4,%esp
30782 pushl %edi
30783@@ -299,7 +315,7 @@ ENTRY(csum_partial_copy_generic)
30784 jmp 4f
30785 SRC(1: movw (%esi), %bx )
30786 addl $2, %esi
30787-DST( movw %bx, (%edi) )
30788+DST( movw %bx, %es:(%edi) )
30789 addl $2, %edi
30790 addw %bx, %ax
30791 adcl $0, %eax
30792@@ -311,30 +327,30 @@ DST( movw %bx, (%edi) )
30793 SRC(1: movl (%esi), %ebx )
30794 SRC( movl 4(%esi), %edx )
30795 adcl %ebx, %eax
30796-DST( movl %ebx, (%edi) )
30797+DST( movl %ebx, %es:(%edi) )
30798 adcl %edx, %eax
30799-DST( movl %edx, 4(%edi) )
30800+DST( movl %edx, %es:4(%edi) )
30801
30802 SRC( movl 8(%esi), %ebx )
30803 SRC( movl 12(%esi), %edx )
30804 adcl %ebx, %eax
30805-DST( movl %ebx, 8(%edi) )
30806+DST( movl %ebx, %es:8(%edi) )
30807 adcl %edx, %eax
30808-DST( movl %edx, 12(%edi) )
30809+DST( movl %edx, %es:12(%edi) )
30810
30811 SRC( movl 16(%esi), %ebx )
30812 SRC( movl 20(%esi), %edx )
30813 adcl %ebx, %eax
30814-DST( movl %ebx, 16(%edi) )
30815+DST( movl %ebx, %es:16(%edi) )
30816 adcl %edx, %eax
30817-DST( movl %edx, 20(%edi) )
30818+DST( movl %edx, %es:20(%edi) )
30819
30820 SRC( movl 24(%esi), %ebx )
30821 SRC( movl 28(%esi), %edx )
30822 adcl %ebx, %eax
30823-DST( movl %ebx, 24(%edi) )
30824+DST( movl %ebx, %es:24(%edi) )
30825 adcl %edx, %eax
30826-DST( movl %edx, 28(%edi) )
30827+DST( movl %edx, %es:28(%edi) )
30828
30829 lea 32(%esi), %esi
30830 lea 32(%edi), %edi
30831@@ -348,7 +364,7 @@ DST( movl %edx, 28(%edi) )
30832 shrl $2, %edx # This clears CF
30833 SRC(3: movl (%esi), %ebx )
30834 adcl %ebx, %eax
30835-DST( movl %ebx, (%edi) )
30836+DST( movl %ebx, %es:(%edi) )
30837 lea 4(%esi), %esi
30838 lea 4(%edi), %edi
30839 dec %edx
30840@@ -360,12 +376,12 @@ DST( movl %ebx, (%edi) )
30841 jb 5f
30842 SRC( movw (%esi), %cx )
30843 leal 2(%esi), %esi
30844-DST( movw %cx, (%edi) )
30845+DST( movw %cx, %es:(%edi) )
30846 leal 2(%edi), %edi
30847 je 6f
30848 shll $16,%ecx
30849 SRC(5: movb (%esi), %cl )
30850-DST( movb %cl, (%edi) )
30851+DST( movb %cl, %es:(%edi) )
30852 6: addl %ecx, %eax
30853 adcl $0, %eax
30854 7:
30855@@ -376,7 +392,7 @@ DST( movb %cl, (%edi) )
30856
30857 6001:
30858 movl ARGBASE+20(%esp), %ebx # src_err_ptr
30859- movl $-EFAULT, (%ebx)
30860+ movl $-EFAULT, %ss:(%ebx)
30861
30862 # zero the complete destination - computing the rest
30863 # is too much work
30864@@ -389,34 +405,58 @@ DST( movb %cl, (%edi) )
30865
30866 6002:
30867 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
30868- movl $-EFAULT,(%ebx)
30869+ movl $-EFAULT,%ss:(%ebx)
30870 jmp 5000b
30871
30872 .previous
30873
30874+#ifdef CONFIG_PAX_MEMORY_UDEREF
30875+ pushl %ss
30876+ popl %ds
30877+ pushl %ss
30878+ popl %es
30879+#endif
30880+
30881 popl %ebx
30882 popl %esi
30883 popl %edi
30884 popl %ecx # equivalent to addl $4,%esp
30885 ret
30886-ENDPROC(csum_partial_copy_generic)
30887+ENDPROC(csum_partial_copy_generic_to_user)
30888
30889 #else
30890
30891 /* Version for PentiumII/PPro */
30892
30893 #define ROUND1(x) \
30894+ nop; nop; nop; \
30895 SRC(movl x(%esi), %ebx ) ; \
30896 addl %ebx, %eax ; \
30897- DST(movl %ebx, x(%edi) ) ;
30898+ DST(movl %ebx, %es:x(%edi)) ;
30899
30900 #define ROUND(x) \
30901+ nop; nop; nop; \
30902 SRC(movl x(%esi), %ebx ) ; \
30903 adcl %ebx, %eax ; \
30904- DST(movl %ebx, x(%edi) ) ;
30905+ DST(movl %ebx, %es:x(%edi)) ;
30906
30907 #define ARGBASE 12
30908-
30909+
30910+ENTRY(csum_partial_copy_generic_to_user)
30911+
30912+#ifdef CONFIG_PAX_MEMORY_UDEREF
30913+ pushl %gs
30914+ popl %es
30915+ jmp csum_partial_copy_generic
30916+#endif
30917+
30918+ENTRY(csum_partial_copy_generic_from_user)
30919+
30920+#ifdef CONFIG_PAX_MEMORY_UDEREF
30921+ pushl %gs
30922+ popl %ds
30923+#endif
30924+
30925 ENTRY(csum_partial_copy_generic)
30926 pushl %ebx
30927 pushl %edi
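Review bot: `csum_partial_copy_generic` and the new `csum_partial_copy_generic_from_user` are left without a closing annotation: the `ENDPROC(csum_partial_copy_generic)` removed in this hunk is replaced by `ENDPROC(csum_partial_copy_generic_to_user)` only, and the hunk at `@@ -476,15 +516,22 @@` does the same for the PentiumII/PPro variant. If ENDPROC is what gives these symbols their function type and size, the two inner entry points lose that metadata, so consider adding `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` beside the new one. The stubs would also benefit from a comment such as `/* without CONFIG_PAX_MEMORY_UDEREF all three entry points alias: _to_user falls through */`, since the fall-through is easy to mistake for a missing `ret`. The function body continues outside this hunk.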
30928@@ -435,7 +475,7 @@ ENTRY(csum_partial_copy_generic)
30929 subl %ebx, %edi
30930 lea -1(%esi),%edx
30931 andl $-32,%edx
30932- lea 3f(%ebx,%ebx), %ebx
30933+ lea 3f(%ebx,%ebx,2), %ebx
30934 testl %esi, %esi
30935 jmp *%ebx
30936 1: addl $64,%esi
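Review bot: The new scale in `lea 3f(%ebx,%ebx,2), %ebx` is only correct while each ROUND expansion has exactly the encoded length the computed jump assumes, and nothing in the file records that. The factor moves from 2 to 3 in step with the three `nop`s and the `%es:` prefix added to ROUND1/ROUND in the previous hunk, which suggests the nops are pure padding. A comment on the macros, e.g. `/* nops pad each round so its length matches the stride used by lea 3f(%ebx,%ebx,2) */`, would keep a later edit to ROUND from sending `jmp *%ebx` into the middle of an instruction. The enclosing function extends beyond this hunk.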
30937@@ -456,19 +496,19 @@ ENTRY(csum_partial_copy_generic)
30938 jb 5f
30939 SRC( movw (%esi), %dx )
30940 leal 2(%esi), %esi
30941-DST( movw %dx, (%edi) )
30942+DST( movw %dx, %es:(%edi) )
30943 leal 2(%edi), %edi
30944 je 6f
30945 shll $16,%edx
30946 5:
30947 SRC( movb (%esi), %dl )
30948-DST( movb %dl, (%edi) )
30949+DST( movb %dl, %es:(%edi) )
30950 6: addl %edx, %eax
30951 adcl $0, %eax
30952 7:
30953 .section .fixup, "ax"
30954 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
30955- movl $-EFAULT, (%ebx)
30956+ movl $-EFAULT, %ss:(%ebx)
30957 # zero the complete destination (computing the rest is too much work)
30958 movl ARGBASE+8(%esp),%edi # dst
30959 movl ARGBASE+12(%esp),%ecx # len
30960@@ -476,15 +516,22 @@ DST( movb %dl, (%edi) )
30961 rep; stosb
30962 jmp 7b
30963 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
30964- movl $-EFAULT, (%ebx)
30965+ movl $-EFAULT, %ss:(%ebx)
30966 jmp 7b
30967 .previous
30968
30969+#ifdef CONFIG_PAX_MEMORY_UDEREF
30970+ pushl %ss
30971+ popl %ds
30972+ pushl %ss
30973+ popl %es
30974+#endif
30975+
30976 popl %esi
30977 popl %edi
30978 popl %ebx
30979 ret
30980-ENDPROC(csum_partial_copy_generic)
30981+ENDPROC(csum_partial_copy_generic_to_user)
30982
30983 #undef ROUND
30984 #undef ROUND1
30985diff --git a/arch/x86/lib/clear_page_64.S b/arch/x86/lib/clear_page_64.S
30986index a2fe51b..507dab0 100644
30987--- a/arch/x86/lib/clear_page_64.S
30988+++ b/arch/x86/lib/clear_page_64.S
30989@@ -21,6 +21,7 @@ ENTRY(clear_page)
30990 movl $4096/8,%ecx
30991 xorl %eax,%eax
30992 rep stosq
30993+ pax_force_retaddr
30994 ret
30995 ENDPROC(clear_page)
30996
30997@@ -43,6 +44,7 @@ ENTRY(clear_page_orig)
30998 leaq 64(%rdi),%rdi
30999 jnz .Lloop
31000 nop
31001+ pax_force_retaddr
31002 ret
31003 ENDPROC(clear_page_orig)
31004
31005@@ -50,5 +52,6 @@ ENTRY(clear_page_c_e)
31006 movl $4096,%ecx
31007 xorl %eax,%eax
31008 rep stosb
31009+ pax_force_retaddr
31010 ret
31011 ENDPROC(clear_page_c_e)
31012diff --git a/arch/x86/lib/cmpxchg16b_emu.S b/arch/x86/lib/cmpxchg16b_emu.S
31013index 9b33024..e52ee44 100644
31014--- a/arch/x86/lib/cmpxchg16b_emu.S
31015+++ b/arch/x86/lib/cmpxchg16b_emu.S
31016@@ -7,6 +7,7 @@
31017 */
31018 #include <linux/linkage.h>
31019 #include <asm/percpu.h>
31020+#include <asm/alternative-asm.h>
31021
31022 .text
31023
31024@@ -43,11 +44,13 @@ ENTRY(this_cpu_cmpxchg16b_emu)
31025
31026 popfq
31027 mov $1, %al
31028+ pax_force_retaddr
31029 ret
31030
31031 .Lnot_same:
31032 popfq
31033 xor %al,%al
31034+ pax_force_retaddr
31035 ret
31036
31037 ENDPROC(this_cpu_cmpxchg16b_emu)
31038diff --git a/arch/x86/lib/copy_page_64.S b/arch/x86/lib/copy_page_64.S
31039index 009f982..9b3db5e 100644
31040--- a/arch/x86/lib/copy_page_64.S
31041+++ b/arch/x86/lib/copy_page_64.S
31042@@ -15,13 +15,14 @@ ENTRY(copy_page)
31043 ALTERNATIVE "jmp copy_page_regs", "", X86_FEATURE_REP_GOOD
31044 movl $4096/8, %ecx
31045 rep movsq
31046+ pax_force_retaddr
31047 ret
31048 ENDPROC(copy_page)
31049
31050 ENTRY(copy_page_regs)
31051 subq $2*8, %rsp
31052 movq %rbx, (%rsp)
31053- movq %r12, 1*8(%rsp)
31054+ movq %r13, 1*8(%rsp)
31055
31056 movl $(4096/64)-5, %ecx
31057 .p2align 4
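Review bot: The move from %r12 to %r13 as the scratch register in `copy_page_regs` comes with no explanation, here or in the four later hunks of this file that repeat it (csum-copy_64.S makes a similar move to %r15). Presumably %r12 is reserved by another part of the patch, but that is not visible from these hunks. A comment at the save slot, e.g. `/* %r12 is deliberately not used here: <reason> */`, would stop a later cleanup from switching back.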
31058@@ -34,7 +35,7 @@ ENTRY(copy_page_regs)
31059 movq 0x8*4(%rsi), %r9
31060 movq 0x8*5(%rsi), %r10
31061 movq 0x8*6(%rsi), %r11
31062- movq 0x8*7(%rsi), %r12
31063+ movq 0x8*7(%rsi), %r13
31064
31065 prefetcht0 5*64(%rsi)
31066
31067@@ -45,7 +46,7 @@ ENTRY(copy_page_regs)
31068 movq %r9, 0x8*4(%rdi)
31069 movq %r10, 0x8*5(%rdi)
31070 movq %r11, 0x8*6(%rdi)
31071- movq %r12, 0x8*7(%rdi)
31072+ movq %r13, 0x8*7(%rdi)
31073
31074 leaq 64 (%rsi), %rsi
31075 leaq 64 (%rdi), %rdi
31076@@ -64,7 +65,7 @@ ENTRY(copy_page_regs)
31077 movq 0x8*4(%rsi), %r9
31078 movq 0x8*5(%rsi), %r10
31079 movq 0x8*6(%rsi), %r11
31080- movq 0x8*7(%rsi), %r12
31081+ movq 0x8*7(%rsi), %r13
31082
31083 movq %rax, 0x8*0(%rdi)
31084 movq %rbx, 0x8*1(%rdi)
31085@@ -73,14 +74,15 @@ ENTRY(copy_page_regs)
31086 movq %r9, 0x8*4(%rdi)
31087 movq %r10, 0x8*5(%rdi)
31088 movq %r11, 0x8*6(%rdi)
31089- movq %r12, 0x8*7(%rdi)
31090+ movq %r13, 0x8*7(%rdi)
31091
31092 leaq 64(%rdi), %rdi
31093 leaq 64(%rsi), %rsi
31094 jnz .Loop2
31095
31096 movq (%rsp), %rbx
31097- movq 1*8(%rsp), %r12
31098+ movq 1*8(%rsp), %r13
31099 addq $2*8, %rsp
31100+ pax_force_retaddr
31101 ret
31102 ENDPROC(copy_page_regs)
31103diff --git a/arch/x86/lib/copy_user_64.S b/arch/x86/lib/copy_user_64.S
31104index 982ce34..8e14731 100644
31105--- a/arch/x86/lib/copy_user_64.S
31106+++ b/arch/x86/lib/copy_user_64.S
31107@@ -14,50 +14,7 @@
31108 #include <asm/alternative-asm.h>
31109 #include <asm/asm.h>
31110 #include <asm/smap.h>
31111-
31112-/* Standard copy_to_user with segment limit checking */
31113-ENTRY(_copy_to_user)
31114- GET_THREAD_INFO(%rax)
31115- movq %rdi,%rcx
31116- addq %rdx,%rcx
31117- jc bad_to_user
31118- cmpq TI_addr_limit(%rax),%rcx
31119- ja bad_to_user
31120- ALTERNATIVE_2 "jmp copy_user_generic_unrolled", \
31121- "jmp copy_user_generic_string", \
31122- X86_FEATURE_REP_GOOD, \
31123- "jmp copy_user_enhanced_fast_string", \
31124- X86_FEATURE_ERMS
31125-ENDPROC(_copy_to_user)
31126-
31127-/* Standard copy_from_user with segment limit checking */
31128-ENTRY(_copy_from_user)
31129- GET_THREAD_INFO(%rax)
31130- movq %rsi,%rcx
31131- addq %rdx,%rcx
31132- jc bad_from_user
31133- cmpq TI_addr_limit(%rax),%rcx
31134- ja bad_from_user
31135- ALTERNATIVE_2 "jmp copy_user_generic_unrolled", \
31136- "jmp copy_user_generic_string", \
31137- X86_FEATURE_REP_GOOD, \
31138- "jmp copy_user_enhanced_fast_string", \
31139- X86_FEATURE_ERMS
31140-ENDPROC(_copy_from_user)
31141-
31142- .section .fixup,"ax"
31143- /* must zero dest */
31144-ENTRY(bad_from_user)
31145-bad_from_user:
31146- movl %edx,%ecx
31147- xorl %eax,%eax
31148- rep
31149- stosb
31150-bad_to_user:
31151- movl %edx,%eax
31152- ret
31153-ENDPROC(bad_from_user)
31154- .previous
31155+#include <asm/pgtable.h>
31156
31157 /*
31158 * copy_user_generic_unrolled - memory copy with exception handling.
31159@@ -73,6 +30,7 @@ ENDPROC(bad_from_user)
31160 * eax uncopied bytes or 0 if successful.
31161 */
31162 ENTRY(copy_user_generic_unrolled)
31163+ ASM_PAX_OPEN_USERLAND
31164 ASM_STAC
31165 cmpl $8,%edx
31166 jb 20f /* less then 8 bytes, go to byte copy loop */
31167@@ -122,6 +80,8 @@ ENTRY(copy_user_generic_unrolled)
31168 jnz 21b
31169 23: xor %eax,%eax
31170 ASM_CLAC
31171+ ASM_PAX_CLOSE_USERLAND
31172+ pax_force_retaddr
31173 ret
31174
31175 .section .fixup,"ax"
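Review bot: `ASM_PAX_CLOSE_USERLAND` is added only on the success return at label 23, while a faulting copy leaves through the `.fixup` section whose body is outside this hunk. If that path reaches the caller without a matching close, userland access would stay open after a failed copy, so it is worth confirming that the tail handler closes it and saying so in a comment next to `ASM_PAX_OPEN_USERLAND`. The same question applies to copy_user_generic_string, copy_user_enhanced_fast_string and __copy_user_nocache in the following hunks.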
31176@@ -175,6 +135,7 @@ ENDPROC(copy_user_generic_unrolled)
31177 * eax uncopied bytes or 0 if successful.
31178 */
31179 ENTRY(copy_user_generic_string)
31180+ ASM_PAX_OPEN_USERLAND
31181 ASM_STAC
31182 cmpl $8,%edx
31183 jb 2f /* less than 8 bytes, go to byte copy loop */
31184@@ -189,6 +150,8 @@ ENTRY(copy_user_generic_string)
31185 movsb
31186 xorl %eax,%eax
31187 ASM_CLAC
31188+ ASM_PAX_CLOSE_USERLAND
31189+ pax_force_retaddr
31190 ret
31191
31192 .section .fixup,"ax"
31193@@ -214,12 +177,15 @@ ENDPROC(copy_user_generic_string)
31194 * eax uncopied bytes or 0 if successful.
31195 */
31196 ENTRY(copy_user_enhanced_fast_string)
31197+ ASM_PAX_OPEN_USERLAND
31198 ASM_STAC
31199 movl %edx,%ecx
31200 1: rep
31201 movsb
31202 xorl %eax,%eax
31203 ASM_CLAC
31204+ ASM_PAX_CLOSE_USERLAND
31205+ pax_force_retaddr
31206 ret
31207
31208 .section .fixup,"ax"
31209@@ -235,6 +201,16 @@ ENDPROC(copy_user_enhanced_fast_string)
31210 * This will force destination/source out of cache for more performance.
31211 */
31212 ENTRY(__copy_user_nocache)
31213+
31214+#ifdef CONFIG_PAX_MEMORY_UDEREF
31215+ mov pax_user_shadow_base,%rcx
31216+ cmp %rcx,%rsi
31217+ jae 1f
31218+ add %rcx,%rsi
31219+1:
31220+#endif
31221+
31222+ ASM_PAX_OPEN_USERLAND
31223 ASM_STAC
31224 cmpl $8,%edx
31225 jb 20f /* less then 8 bytes, go to byte copy loop */
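Review bot: The shadow-base adjustment here uses the local label `1:` (`jae 1f`), whereas the identical sequence in getuser.S and putuser.S uses `1234:`. Small numeric labels in copy routines are usually tied to faulting instructions and exception-table entries, so reusing `1` at the entry invites a wrong `1b`/`1f` resolution if code is later moved; `jae 1234f` with `1234:` would match the other files. A comment stating that %rsi is assumed to be the user-side pointer would also help, since only the source is rebased and an address at or above `pax_user_shadow_base` passes through unchanged. The function body continues outside the hunk.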
31226@@ -284,7 +260,9 @@ ENTRY(__copy_user_nocache)
31227 jnz 21b
31228 23: xorl %eax,%eax
31229 ASM_CLAC
31230+ ASM_PAX_CLOSE_USERLAND
31231 sfence
31232+ pax_force_retaddr
31233 ret
31234
31235 .section .fixup,"ax"
31236diff --git a/arch/x86/lib/csum-copy_64.S b/arch/x86/lib/csum-copy_64.S
31237index 7e48807..cc966ff 100644
31238--- a/arch/x86/lib/csum-copy_64.S
31239+++ b/arch/x86/lib/csum-copy_64.S
31240@@ -8,6 +8,7 @@
31241 #include <linux/linkage.h>
31242 #include <asm/errno.h>
31243 #include <asm/asm.h>
31244+#include <asm/alternative-asm.h>
31245
31246 /*
31247 * Checksum copy with exception handling.
31248@@ -52,7 +53,7 @@ ENTRY(csum_partial_copy_generic)
31249 .Lignore:
31250 subq $7*8, %rsp
31251 movq %rbx, 2*8(%rsp)
31252- movq %r12, 3*8(%rsp)
31253+ movq %r15, 3*8(%rsp)
31254 movq %r14, 4*8(%rsp)
31255 movq %r13, 5*8(%rsp)
31256 movq %rbp, 6*8(%rsp)
31257@@ -64,16 +65,16 @@ ENTRY(csum_partial_copy_generic)
31258 movl %edx, %ecx
31259
31260 xorl %r9d, %r9d
31261- movq %rcx, %r12
31262+ movq %rcx, %r15
31263
31264- shrq $6, %r12
31265+ shrq $6, %r15
31266 jz .Lhandle_tail /* < 64 */
31267
31268 clc
31269
31270 /* main loop. clear in 64 byte blocks */
31271 /* r9: zero, r8: temp2, rbx: temp1, rax: sum, rcx: saved length */
31272- /* r11: temp3, rdx: temp4, r12 loopcnt */
31273+ /* r11: temp3, rdx: temp4, r15 loopcnt */
31274 /* r10: temp5, rbp: temp6, r14 temp7, r13 temp8 */
31275 .p2align 4
31276 .Lloop:
31277@@ -107,7 +108,7 @@ ENTRY(csum_partial_copy_generic)
31278 adcq %r14, %rax
31279 adcq %r13, %rax
31280
31281- decl %r12d
31282+ decl %r15d
31283
31284 dest
31285 movq %rbx, (%rsi)
31286@@ -200,11 +201,12 @@ ENTRY(csum_partial_copy_generic)
31287
31288 .Lende:
31289 movq 2*8(%rsp), %rbx
31290- movq 3*8(%rsp), %r12
31291+ movq 3*8(%rsp), %r15
31292 movq 4*8(%rsp), %r14
31293 movq 5*8(%rsp), %r13
31294 movq 6*8(%rsp), %rbp
31295 addq $7*8, %rsp
31296+ pax_force_retaddr
31297 ret
31298
31299 /* Exception handlers. Very simple, zeroing is done in the wrappers */
31300diff --git a/arch/x86/lib/csum-wrappers_64.c b/arch/x86/lib/csum-wrappers_64.c
31301index 1318f75..44c30fd 100644
31302--- a/arch/x86/lib/csum-wrappers_64.c
31303+++ b/arch/x86/lib/csum-wrappers_64.c
31304@@ -52,10 +52,12 @@ csum_partial_copy_from_user(const void __user *src, void *dst,
31305 len -= 2;
31306 }
31307 }
31308+ pax_open_userland();
31309 stac();
31310- isum = csum_partial_copy_generic((__force const void *)src,
31311+ isum = csum_partial_copy_generic((const void __force_kernel *)____m(src),
31312 dst, len, isum, errp, NULL);
31313 clac();
31314+ pax_close_userland();
31315 if (unlikely(*errp))
31316 goto out_err;
31317
31318@@ -109,10 +111,12 @@ csum_partial_copy_to_user(const void *src, void __user *dst,
31319 }
31320
31321 *errp = 0;
31322+ pax_open_userland();
31323 stac();
31324- ret = csum_partial_copy_generic(src, (void __force *)dst,
31325+ ret = csum_partial_copy_generic(src, (void __force_kernel *)____m(dst),
31326 len, isum, NULL, errp);
31327 clac();
31328+ pax_close_userland();
31329 return ret;
31330 }
31331 EXPORT_SYMBOL(csum_partial_copy_to_user);
31332diff --git a/arch/x86/lib/getuser.S b/arch/x86/lib/getuser.S
31333index 46668cd..a3bdfb9 100644
31334--- a/arch/x86/lib/getuser.S
31335+++ b/arch/x86/lib/getuser.S
31336@@ -32,42 +32,93 @@
31337 #include <asm/thread_info.h>
31338 #include <asm/asm.h>
31339 #include <asm/smap.h>
31340+#include <asm/segment.h>
31341+#include <asm/pgtable.h>
31342+#include <asm/alternative-asm.h>
31343+
31344+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
31345+#define __copyuser_seg gs;
31346+#else
31347+#define __copyuser_seg
31348+#endif
31349
31350 .text
31351 ENTRY(__get_user_1)
31352+
31353+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31354 GET_THREAD_INFO(%_ASM_DX)
31355 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31356 jae bad_get_user
31357+
31358+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31359+ mov pax_user_shadow_base,%_ASM_DX
31360+ cmp %_ASM_DX,%_ASM_AX
31361+ jae 1234f
31362+ add %_ASM_DX,%_ASM_AX
31363+1234:
31364+#endif
31365+
31366+#endif
31367+
31368 ASM_STAC
31369-1: movzbl (%_ASM_AX),%edx
31370+1: __copyuser_seg movzbl (%_ASM_AX),%edx
31371 xor %eax,%eax
31372 ASM_CLAC
31373+ pax_force_retaddr
31374 ret
31375 ENDPROC(__get_user_1)
31376
31377 ENTRY(__get_user_2)
31378 add $1,%_ASM_AX
31379+
31380+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31381 jc bad_get_user
31382 GET_THREAD_INFO(%_ASM_DX)
31383 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31384 jae bad_get_user
31385+
31386+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31387+ mov pax_user_shadow_base,%_ASM_DX
31388+ cmp %_ASM_DX,%_ASM_AX
31389+ jae 1234f
31390+ add %_ASM_DX,%_ASM_AX
31391+1234:
31392+#endif
31393+
31394+#endif
31395+
31396 ASM_STAC
31397-2: movzwl -1(%_ASM_AX),%edx
31398+2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
31399 xor %eax,%eax
31400 ASM_CLAC
31401+ pax_force_retaddr
31402 ret
31403 ENDPROC(__get_user_2)
31404
31405 ENTRY(__get_user_4)
31406 add $3,%_ASM_AX
31407+
31408+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
31409 jc bad_get_user
31410 GET_THREAD_INFO(%_ASM_DX)
31411 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31412 jae bad_get_user
31413+
31414+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31415+ mov pax_user_shadow_base,%_ASM_DX
31416+ cmp %_ASM_DX,%_ASM_AX
31417+ jae 1234f
31418+ add %_ASM_DX,%_ASM_AX
31419+1234:
31420+#endif
31421+
31422+#endif
31423+
31424 ASM_STAC
31425-3: movl -3(%_ASM_AX),%edx
31426+3: __copyuser_seg movl -3(%_ASM_AX),%edx
31427 xor %eax,%eax
31428 ASM_CLAC
31429+ pax_force_retaddr
31430 ret
31431 ENDPROC(__get_user_4)
31432
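Review bot: On 32-bit with CONFIG_PAX_MEMORY_UDEREF the new `#if` compiles out the `TI_addr_limit` comparison in __get_user_1/2/4, and for the 2- and 4-byte variants also the `jc bad_get_user` after the `add`, with no comment saying what bounds the access instead. The only guard left in view is the `gs` prefix from `__copyuser_seg`, so the code presumably relies on that segment's limit plus the exception-table entry for the load. If that is right, a comment above the `#if` such as `/* 32-bit UDEREF: the range is enforced by the %gs segment limit, no addr_limit check needed */` would make the dependency explicit. The five-line `pax_user_shadow_base` block is repeated in each function and could be a single assembler macro.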
31433@@ -78,10 +129,20 @@ ENTRY(__get_user_8)
31434 GET_THREAD_INFO(%_ASM_DX)
31435 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31436 jae bad_get_user
31437+
31438+#ifdef CONFIG_PAX_MEMORY_UDEREF
31439+ mov pax_user_shadow_base,%_ASM_DX
31440+ cmp %_ASM_DX,%_ASM_AX
31441+ jae 1234f
31442+ add %_ASM_DX,%_ASM_AX
31443+1234:
31444+#endif
31445+
31446 ASM_STAC
31447 4: movq -7(%_ASM_AX),%rdx
31448 xor %eax,%eax
31449 ASM_CLAC
31450+ pax_force_retaddr
31451 ret
31452 #else
31453 add $7,%_ASM_AX
31454@@ -90,10 +151,11 @@ ENTRY(__get_user_8)
31455 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
31456 jae bad_get_user_8
31457 ASM_STAC
31458-4: movl -7(%_ASM_AX),%edx
31459-5: movl -3(%_ASM_AX),%ecx
31460+4: __copyuser_seg movl -7(%_ASM_AX),%edx
31461+5: __copyuser_seg movl -3(%_ASM_AX),%ecx
31462 xor %eax,%eax
31463 ASM_CLAC
31464+ pax_force_retaddr
31465 ret
31466 #endif
31467 ENDPROC(__get_user_8)
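Review bot: The 32-bit __get_user_8 path gains the `__copyuser_seg` prefix on both loads but keeps its `cmp TI_addr_limit(%_ASM_DX),%_ASM_AX` / `jae bad_get_user_8` check unconditionally, unlike __get_user_1/2/4 earlier in the file, which compile that check out for 32-bit UDEREF. Keeping the check looks harmless, but the difference reads like an oversight. Either wrap it in the same `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)` or add a comment that it is retained on purpose.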
31468@@ -103,6 +165,7 @@ bad_get_user:
31469 xor %edx,%edx
31470 mov $(-EFAULT),%_ASM_AX
31471 ASM_CLAC
31472+ pax_force_retaddr
31473 ret
31474 END(bad_get_user)
31475
31476@@ -112,6 +175,7 @@ bad_get_user_8:
31477 xor %ecx,%ecx
31478 mov $(-EFAULT),%_ASM_AX
31479 ASM_CLAC
31480+ pax_force_retaddr
31481 ret
31482 END(bad_get_user_8)
31483 #endif
31484diff --git a/arch/x86/lib/insn.c b/arch/x86/lib/insn.c
31485index 8f72b33..4667a46 100644
31486--- a/arch/x86/lib/insn.c
31487+++ b/arch/x86/lib/insn.c
31488@@ -20,8 +20,10 @@
31489
31490 #ifdef __KERNEL__
31491 #include <linux/string.h>
31492+#include <asm/pgtable_types.h>
31493 #else
31494 #include <string.h>
31495+#define ktla_ktva(addr) addr
31496 #endif
31497 #include <asm/inat.h>
31498 #include <asm/insn.h>
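Review bot: The userspace fallback `#define ktla_ktva(addr) addr` leaves its argument unparenthesised, so it expands safely only for the simple cast expression used in insn_init. `#define ktla_ktva(addr) (addr)` costs nothing and protects any later use with an operator next to the call.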
31499@@ -60,9 +62,9 @@ void insn_init(struct insn *insn, const void *kaddr, int buf_len, int x86_64)
31500 buf_len = MAX_INSN_SIZE;
31501
31502 memset(insn, 0, sizeof(*insn));
31503- insn->kaddr = kaddr;
31504- insn->end_kaddr = kaddr + buf_len;
31505- insn->next_byte = kaddr;
31506+ insn->kaddr = (void *)ktla_ktva((unsigned long)kaddr);
31507+ insn->end_kaddr = insn->kaddr + buf_len;
31508+ insn->next_byte = insn->kaddr;
31509 insn->x86_64 = x86_64 ? 1 : 0;
31510 insn->opnd_bytes = 4;
31511 if (x86_64)
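Review bot: `insn->kaddr = (void *)ktla_ktva((unsigned long)kaddr);` now translates every address handed to insn_init, and the cast drops the `const` that the `kaddr` parameter carries. Callers are not visible here; if any of them pass a copied instruction buffer rather than a kernel-text address, the translation has to be an identity for that pointer or the decoder will read the wrong memory, so the assumption deserves a comment or a check. Using `(const void *)` in the cast would keep the qualifier. insn_init's body continues outside the hunk.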
31512diff --git a/arch/x86/lib/iomap_copy_64.S b/arch/x86/lib/iomap_copy_64.S
31513index 33147fe..12a8815 100644
31514--- a/arch/x86/lib/iomap_copy_64.S
31515+++ b/arch/x86/lib/iomap_copy_64.S
31516@@ -16,6 +16,7 @@
31517 */
31518
31519 #include <linux/linkage.h>
31520+#include <asm/alternative-asm.h>
31521
31522 /*
31523 * override generic version in lib/iomap_copy.c
31524@@ -23,5 +24,6 @@
31525 ENTRY(__iowrite32_copy)
31526 movl %edx,%ecx
31527 rep movsd
31528+ pax_force_retaddr
31529 ret
31530 ENDPROC(__iowrite32_copy)
31531diff --git a/arch/x86/lib/memcpy_64.S b/arch/x86/lib/memcpy_64.S
31532index 16698bb..971d300 100644
31533--- a/arch/x86/lib/memcpy_64.S
31534+++ b/arch/x86/lib/memcpy_64.S
31535@@ -36,6 +36,7 @@ ENTRY(memcpy)
31536 rep movsq
31537 movl %edx, %ecx
31538 rep movsb
31539+ pax_force_retaddr
31540 ret
31541 ENDPROC(memcpy)
31542 ENDPROC(__memcpy)
31543@@ -48,6 +49,7 @@ ENTRY(memcpy_erms)
31544 movq %rdi, %rax
31545 movq %rdx, %rcx
31546 rep movsb
31547+ pax_force_retaddr
31548 ret
31549 ENDPROC(memcpy_erms)
31550
31551@@ -132,6 +134,7 @@ ENTRY(memcpy_orig)
31552 movq %r9, 1*8(%rdi)
31553 movq %r10, -2*8(%rdi, %rdx)
31554 movq %r11, -1*8(%rdi, %rdx)
31555+ pax_force_retaddr
31556 retq
31557 .p2align 4
31558 .Lless_16bytes:
31559@@ -144,6 +147,7 @@ ENTRY(memcpy_orig)
31560 movq -1*8(%rsi, %rdx), %r9
31561 movq %r8, 0*8(%rdi)
31562 movq %r9, -1*8(%rdi, %rdx)
31563+ pax_force_retaddr
31564 retq
31565 .p2align 4
31566 .Lless_8bytes:
31567@@ -157,6 +161,7 @@ ENTRY(memcpy_orig)
31568 movl -4(%rsi, %rdx), %r8d
31569 movl %ecx, (%rdi)
31570 movl %r8d, -4(%rdi, %rdx)
31571+ pax_force_retaddr
31572 retq
31573 .p2align 4
31574 .Lless_3bytes:
31575@@ -175,5 +180,6 @@ ENTRY(memcpy_orig)
31576 movb %cl, (%rdi)
31577
31578 .Lend:
31579+ pax_force_retaddr
31580 retq
31581 ENDPROC(memcpy_orig)
31582diff --git a/arch/x86/lib/memmove_64.S b/arch/x86/lib/memmove_64.S
31583index ca2afdd..2e474fa 100644
31584--- a/arch/x86/lib/memmove_64.S
31585+++ b/arch/x86/lib/memmove_64.S
31586@@ -41,7 +41,7 @@ ENTRY(__memmove)
31587 jg 2f
31588
31589 .Lmemmove_begin_forward:
31590- ALTERNATIVE "", "movq %rdx, %rcx; rep movsb; retq", X86_FEATURE_ERMS
31591+ ALTERNATIVE "", "movq %rdx, %rcx; rep movsb; pax_force_retaddr; retq", X86_FEATURE_ERMS
31592
31593 /*
31594 * movsq instruction have many startup latency
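Review bot: `pax_force_retaddr` now sits inside the replacement string of `ALTERNATIVE "", "movq %rdx, %rcx; rep movsb; pax_force_retaddr; retq", X86_FEATURE_ERMS`, so whatever it expands to is assembled as replacement code and copied over the patch site when alternatives are applied. That is safe only if the expansion is position-independent, with no RIP-relative operand or relative branch. Its definition is not in this hunk, so a comment recording that requirement next to the ALTERNATIVE line would be useful.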
31595@@ -204,6 +204,7 @@ ENTRY(__memmove)
31596 movb (%rsi), %r11b
31597 movb %r11b, (%rdi)
31598 13:
31599+ pax_force_retaddr
31600 retq
31601 ENDPROC(__memmove)
31602 ENDPROC(memmove)
31603diff --git a/arch/x86/lib/memset_64.S b/arch/x86/lib/memset_64.S
31604index 2661fad..b584d5c 100644
31605--- a/arch/x86/lib/memset_64.S
31606+++ b/arch/x86/lib/memset_64.S
31607@@ -40,6 +40,7 @@ ENTRY(__memset)
31608 movl %edx,%ecx
31609 rep stosb
31610 movq %r9,%rax
31611+ pax_force_retaddr
31612 ret
31613 ENDPROC(memset)
31614 ENDPROC(__memset)
31615@@ -61,6 +62,7 @@ ENTRY(memset_erms)
31616 movq %rdx,%rcx
31617 rep stosb
31618 movq %r9,%rax
31619+ pax_force_retaddr
31620 ret
31621 ENDPROC(memset_erms)
31622
31623@@ -123,6 +125,7 @@ ENTRY(memset_orig)
31624
31625 .Lende:
31626 movq %r10,%rax
31627+ pax_force_retaddr
31628 ret
31629
31630 .Lbad_alignment:
31631diff --git a/arch/x86/lib/mmx_32.c b/arch/x86/lib/mmx_32.c
31632index e5e3ed8..d7c08c2 100644
31633--- a/arch/x86/lib/mmx_32.c
31634+++ b/arch/x86/lib/mmx_32.c
31635@@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *from, size_t len)
31636 {
31637 void *p;
31638 int i;
31639+ unsigned long cr0;
31640
31641 if (unlikely(in_interrupt()))
31642 return __memcpy(to, from, len);
31643@@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *from, size_t len)
31644 kernel_fpu_begin();
31645
31646 __asm__ __volatile__ (
31647- "1: prefetch (%0)\n" /* This set is 28 bytes */
31648- " prefetch 64(%0)\n"
31649- " prefetch 128(%0)\n"
31650- " prefetch 192(%0)\n"
31651- " prefetch 256(%0)\n"
31652+ "1: prefetch (%1)\n" /* This set is 28 bytes */
31653+ " prefetch 64(%1)\n"
31654+ " prefetch 128(%1)\n"
31655+ " prefetch 192(%1)\n"
31656+ " prefetch 256(%1)\n"
31657 "2: \n"
31658 ".section .fixup, \"ax\"\n"
31659- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31660+ "3: \n"
31661+
31662+#ifdef CONFIG_PAX_KERNEXEC
31663+ " movl %%cr0, %0\n"
31664+ " movl %0, %%eax\n"
31665+ " andl $0xFFFEFFFF, %%eax\n"
31666+ " movl %%eax, %%cr0\n"
31667+#endif
31668+
31669+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31670+
31671+#ifdef CONFIG_PAX_KERNEXEC
31672+ " movl %0, %%cr0\n"
31673+#endif
31674+
31675 " jmp 2b\n"
31676 ".previous\n"
31677 _ASM_EXTABLE(1b, 3b)
31678- : : "r" (from));
31679+ : "=&r" (cr0) : "r" (from) : "ax");
31680
31681 for ( ; i > 5; i--) {
31682 __asm__ __volatile__ (
31683- "1: prefetch 320(%0)\n"
31684- "2: movq (%0), %%mm0\n"
31685- " movq 8(%0), %%mm1\n"
31686- " movq 16(%0), %%mm2\n"
31687- " movq 24(%0), %%mm3\n"
31688- " movq %%mm0, (%1)\n"
31689- " movq %%mm1, 8(%1)\n"
31690- " movq %%mm2, 16(%1)\n"
31691- " movq %%mm3, 24(%1)\n"
31692- " movq 32(%0), %%mm0\n"
31693- " movq 40(%0), %%mm1\n"
31694- " movq 48(%0), %%mm2\n"
31695- " movq 56(%0), %%mm3\n"
31696- " movq %%mm0, 32(%1)\n"
31697- " movq %%mm1, 40(%1)\n"
31698- " movq %%mm2, 48(%1)\n"
31699- " movq %%mm3, 56(%1)\n"
31700+ "1: prefetch 320(%1)\n"
31701+ "2: movq (%1), %%mm0\n"
31702+ " movq 8(%1), %%mm1\n"
31703+ " movq 16(%1), %%mm2\n"
31704+ " movq 24(%1), %%mm3\n"
31705+ " movq %%mm0, (%2)\n"
31706+ " movq %%mm1, 8(%2)\n"
31707+ " movq %%mm2, 16(%2)\n"
31708+ " movq %%mm3, 24(%2)\n"
31709+ " movq 32(%1), %%mm0\n"
31710+ " movq 40(%1), %%mm1\n"
31711+ " movq 48(%1), %%mm2\n"
31712+ " movq 56(%1), %%mm3\n"
31713+ " movq %%mm0, 32(%2)\n"
31714+ " movq %%mm1, 40(%2)\n"
31715+ " movq %%mm2, 48(%2)\n"
31716+ " movq %%mm3, 56(%2)\n"
31717 ".section .fixup, \"ax\"\n"
31718- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31719+ "3:\n"
31720+
31721+#ifdef CONFIG_PAX_KERNEXEC
31722+ " movl %%cr0, %0\n"
31723+ " movl %0, %%eax\n"
31724+ " andl $0xFFFEFFFF, %%eax\n"
31725+ " movl %%eax, %%cr0\n"
31726+#endif
31727+
31728+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31729+
31730+#ifdef CONFIG_PAX_KERNEXEC
31731+ " movl %0, %%cr0\n"
31732+#endif
31733+
31734 " jmp 2b\n"
31735 ".previous\n"
31736 _ASM_EXTABLE(1b, 3b)
31737- : : "r" (from), "r" (to) : "memory");
31738+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
31739
31740 from += 64;
31741 to += 64;
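Review bot: The fixup path now clears CR0.WP with `andl $0xFFFEFFFF, %%eax` / `movl %%eax, %%cr0` around the self-patching `movw`, and nothing visible in this hunk keeps interrupts off during that window. kernel_fpu_begin() is called just above, but whether it or the fault context guarantees that no other code runs with write protection disabled is not shown, so that should be confirmed and stated in a comment. The mask is a bare constant; a comment such as `/* ~X86_CR0_WP: permit the write to read-only kernel text */` would help. The same sequence is pasted into both asm blocks here and into the two fast_copy_page hunks that follow, where one string macro would keep the copies from drifting. Without CONFIG_PAX_KERNEXEC the asm never writes the `"=&r" (cr0)` output it declares.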
31742@@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
31743 static void fast_copy_page(void *to, void *from)
31744 {
31745 int i;
31746+ unsigned long cr0;
31747
31748 kernel_fpu_begin();
31749
31750@@ -166,42 +196,70 @@ static void fast_copy_page(void *to, void *from)
31751 * but that is for later. -AV
31752 */
31753 __asm__ __volatile__(
31754- "1: prefetch (%0)\n"
31755- " prefetch 64(%0)\n"
31756- " prefetch 128(%0)\n"
31757- " prefetch 192(%0)\n"
31758- " prefetch 256(%0)\n"
31759+ "1: prefetch (%1)\n"
31760+ " prefetch 64(%1)\n"
31761+ " prefetch 128(%1)\n"
31762+ " prefetch 192(%1)\n"
31763+ " prefetch 256(%1)\n"
31764 "2: \n"
31765 ".section .fixup, \"ax\"\n"
31766- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31767+ "3: \n"
31768+
31769+#ifdef CONFIG_PAX_KERNEXEC
31770+ " movl %%cr0, %0\n"
31771+ " movl %0, %%eax\n"
31772+ " andl $0xFFFEFFFF, %%eax\n"
31773+ " movl %%eax, %%cr0\n"
31774+#endif
31775+
31776+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31777+
31778+#ifdef CONFIG_PAX_KERNEXEC
31779+ " movl %0, %%cr0\n"
31780+#endif
31781+
31782 " jmp 2b\n"
31783 ".previous\n"
31784- _ASM_EXTABLE(1b, 3b) : : "r" (from));
31785+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
31786
31787 for (i = 0; i < (4096-320)/64; i++) {
31788 __asm__ __volatile__ (
31789- "1: prefetch 320(%0)\n"
31790- "2: movq (%0), %%mm0\n"
31791- " movntq %%mm0, (%1)\n"
31792- " movq 8(%0), %%mm1\n"
31793- " movntq %%mm1, 8(%1)\n"
31794- " movq 16(%0), %%mm2\n"
31795- " movntq %%mm2, 16(%1)\n"
31796- " movq 24(%0), %%mm3\n"
31797- " movntq %%mm3, 24(%1)\n"
31798- " movq 32(%0), %%mm4\n"
31799- " movntq %%mm4, 32(%1)\n"
31800- " movq 40(%0), %%mm5\n"
31801- " movntq %%mm5, 40(%1)\n"
31802- " movq 48(%0), %%mm6\n"
31803- " movntq %%mm6, 48(%1)\n"
31804- " movq 56(%0), %%mm7\n"
31805- " movntq %%mm7, 56(%1)\n"
31806+ "1: prefetch 320(%1)\n"
31807+ "2: movq (%1), %%mm0\n"
31808+ " movntq %%mm0, (%2)\n"
31809+ " movq 8(%1), %%mm1\n"
31810+ " movntq %%mm1, 8(%2)\n"
31811+ " movq 16(%1), %%mm2\n"
31812+ " movntq %%mm2, 16(%2)\n"
31813+ " movq 24(%1), %%mm3\n"
31814+ " movntq %%mm3, 24(%2)\n"
31815+ " movq 32(%1), %%mm4\n"
31816+ " movntq %%mm4, 32(%2)\n"
31817+ " movq 40(%1), %%mm5\n"
31818+ " movntq %%mm5, 40(%2)\n"
31819+ " movq 48(%1), %%mm6\n"
31820+ " movntq %%mm6, 48(%2)\n"
31821+ " movq 56(%1), %%mm7\n"
31822+ " movntq %%mm7, 56(%2)\n"
31823 ".section .fixup, \"ax\"\n"
31824- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31825+ "3:\n"
31826+
31827+#ifdef CONFIG_PAX_KERNEXEC
31828+ " movl %%cr0, %0\n"
31829+ " movl %0, %%eax\n"
31830+ " andl $0xFFFEFFFF, %%eax\n"
31831+ " movl %%eax, %%cr0\n"
31832+#endif
31833+
31834+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31835+
31836+#ifdef CONFIG_PAX_KERNEXEC
31837+ " movl %0, %%cr0\n"
31838+#endif
31839+
31840 " jmp 2b\n"
31841 ".previous\n"
31842- _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
31843+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
31844
31845 from += 64;
31846 to += 64;
31847@@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
31848 static void fast_copy_page(void *to, void *from)
31849 {
31850 int i;
31851+ unsigned long cr0;
31852
31853 kernel_fpu_begin();
31854
31855 __asm__ __volatile__ (
31856- "1: prefetch (%0)\n"
31857- " prefetch 64(%0)\n"
31858- " prefetch 128(%0)\n"
31859- " prefetch 192(%0)\n"
31860- " prefetch 256(%0)\n"
31861+ "1: prefetch (%1)\n"
31862+ " prefetch 64(%1)\n"
31863+ " prefetch 128(%1)\n"
31864+ " prefetch 192(%1)\n"
31865+ " prefetch 256(%1)\n"
31866 "2: \n"
31867 ".section .fixup, \"ax\"\n"
31868- "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31869+ "3: \n"
31870+
31871+#ifdef CONFIG_PAX_KERNEXEC
31872+ " movl %%cr0, %0\n"
31873+ " movl %0, %%eax\n"
31874+ " andl $0xFFFEFFFF, %%eax\n"
31875+ " movl %%eax, %%cr0\n"
31876+#endif
31877+
31878+ " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
31879+
31880+#ifdef CONFIG_PAX_KERNEXEC
31881+ " movl %0, %%cr0\n"
31882+#endif
31883+
31884 " jmp 2b\n"
31885 ".previous\n"
31886- _ASM_EXTABLE(1b, 3b) : : "r" (from));
31887+ _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
31888
31889 for (i = 0; i < 4096/64; i++) {
31890 __asm__ __volatile__ (
31891- "1: prefetch 320(%0)\n"
31892- "2: movq (%0), %%mm0\n"
31893- " movq 8(%0), %%mm1\n"
31894- " movq 16(%0), %%mm2\n"
31895- " movq 24(%0), %%mm3\n"
31896- " movq %%mm0, (%1)\n"
31897- " movq %%mm1, 8(%1)\n"
31898- " movq %%mm2, 16(%1)\n"
31899- " movq %%mm3, 24(%1)\n"
31900- " movq 32(%0), %%mm0\n"
31901- " movq 40(%0), %%mm1\n"
31902- " movq 48(%0), %%mm2\n"
31903- " movq 56(%0), %%mm3\n"
31904- " movq %%mm0, 32(%1)\n"
31905- " movq %%mm1, 40(%1)\n"
31906- " movq %%mm2, 48(%1)\n"
31907- " movq %%mm3, 56(%1)\n"
31908+ "1: prefetch 320(%1)\n"
31909+ "2: movq (%1), %%mm0\n"
31910+ " movq 8(%1), %%mm1\n"
31911+ " movq 16(%1), %%mm2\n"
31912+ " movq 24(%1), %%mm3\n"
31913+ " movq %%mm0, (%2)\n"
31914+ " movq %%mm1, 8(%2)\n"
31915+ " movq %%mm2, 16(%2)\n"
31916+ " movq %%mm3, 24(%2)\n"
31917+ " movq 32(%1), %%mm0\n"
31918+ " movq 40(%1), %%mm1\n"
31919+ " movq 48(%1), %%mm2\n"
31920+ " movq 56(%1), %%mm3\n"
31921+ " movq %%mm0, 32(%2)\n"
31922+ " movq %%mm1, 40(%2)\n"
31923+ " movq %%mm2, 48(%2)\n"
31924+ " movq %%mm3, 56(%2)\n"
31925 ".section .fixup, \"ax\"\n"
31926- "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31927+ "3:\n"
31928+
31929+#ifdef CONFIG_PAX_KERNEXEC
31930+ " movl %%cr0, %0\n"
31931+ " movl %0, %%eax\n"
31932+ " andl $0xFFFEFFFF, %%eax\n"
31933+ " movl %%eax, %%cr0\n"
31934+#endif
31935+
31936+ " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
31937+
31938+#ifdef CONFIG_PAX_KERNEXEC
31939+ " movl %0, %%cr0\n"
31940+#endif
31941+
31942 " jmp 2b\n"
31943 ".previous\n"
31944 _ASM_EXTABLE(1b, 3b)
31945- : : "r" (from), "r" (to) : "memory");
31946+ : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
31947
31948 from += 64;
31949 to += 64;
31950diff --git a/arch/x86/lib/msr-reg.S b/arch/x86/lib/msr-reg.S
31951index c815564..303dcfa 100644
31952--- a/arch/x86/lib/msr-reg.S
31953+++ b/arch/x86/lib/msr-reg.S
31954@@ -2,6 +2,7 @@
31955 #include <linux/errno.h>
31956 #include <asm/asm.h>
31957 #include <asm/msr.h>
31958+#include <asm/alternative-asm.h>
31959
31960 #ifdef CONFIG_X86_64
31961 /*
31962@@ -34,6 +35,7 @@ ENTRY(\op\()_safe_regs)
31963 movl %edi, 28(%r10)
31964 popq %rbp
31965 popq %rbx
31966+ pax_force_retaddr
31967 ret
31968 3:
31969 movl $-EIO, %r11d
31970diff --git a/arch/x86/lib/putuser.S b/arch/x86/lib/putuser.S
31971index e0817a1..bc9cf66 100644
31972--- a/arch/x86/lib/putuser.S
31973+++ b/arch/x86/lib/putuser.S
31974@@ -15,7 +15,9 @@
31975 #include <asm/errno.h>
31976 #include <asm/asm.h>
31977 #include <asm/smap.h>
31978-
31979+#include <asm/segment.h>
31980+#include <asm/pgtable.h>
31981+#include <asm/alternative-asm.h>
31982
31983 /*
31984 * __put_user_X
31985@@ -29,55 +31,124 @@
31986 * as they get called from within inline assembly.
31987 */
31988
31989-#define ENTER GET_THREAD_INFO(%_ASM_BX)
31990-#define EXIT ASM_CLAC ; \
31991+#define ENTER
31992+#define EXIT ASM_CLAC ; \
31993+ pax_force_retaddr ; \
31994 ret
31995
31996+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
31997+#define _DEST %_ASM_CX,%_ASM_BX
31998+#else
31999+#define _DEST %_ASM_CX
32000+#endif
32001+
32002+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
32003+#define __copyuser_seg gs;
32004+#else
32005+#define __copyuser_seg
32006+#endif
32007+
32008 .text
32009 ENTRY(__put_user_1)
32010 ENTER
32011+
32012+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
32013+ GET_THREAD_INFO(%_ASM_BX)
32014 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
32015 jae bad_put_user
32016+
32017+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
32018+ mov pax_user_shadow_base,%_ASM_BX
32019+ cmp %_ASM_BX,%_ASM_CX
32020+ jb 1234f
32021+ xor %ebx,%ebx
32022+1234:
32023+#endif
32024+
32025+#endif
32026+
32027 ASM_STAC
32028-1: movb %al,(%_ASM_CX)
32029+1: __copyuser_seg movb %al,(_DEST)
32030 xor %eax,%eax
32031 EXIT
32032 ENDPROC(__put_user_1)
32033
32034 ENTRY(__put_user_2)
32035 ENTER
32036+
32037+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
32038+ GET_THREAD_INFO(%_ASM_BX)
32039 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
32040 sub $1,%_ASM_BX
32041 cmp %_ASM_BX,%_ASM_CX
32042 jae bad_put_user
32043+
32044+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
32045+ mov pax_user_shadow_base,%_ASM_BX
32046+ cmp %_ASM_BX,%_ASM_CX
32047+ jb 1234f
32048+ xor %ebx,%ebx
32049+1234:
32050+#endif
32051+
32052+#endif
32053+
32054 ASM_STAC
32055-2: movw %ax,(%_ASM_CX)
32056+2: __copyuser_seg movw %ax,(_DEST)
32057 xor %eax,%eax
32058 EXIT
32059 ENDPROC(__put_user_2)
32060
32061 ENTRY(__put_user_4)
32062 ENTER
32063+
32064+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
32065+ GET_THREAD_INFO(%_ASM_BX)
32066 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
32067 sub $3,%_ASM_BX
32068 cmp %_ASM_BX,%_ASM_CX
32069 jae bad_put_user
32070+
32071+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
32072+ mov pax_user_shadow_base,%_ASM_BX
32073+ cmp %_ASM_BX,%_ASM_CX
32074+ jb 1234f
32075+ xor %ebx,%ebx
32076+1234:
32077+#endif
32078+
32079+#endif
32080+
32081 ASM_STAC
32082-3: movl %eax,(%_ASM_CX)
32083+3: __copyuser_seg movl %eax,(_DEST)
32084 xor %eax,%eax
32085 EXIT
32086 ENDPROC(__put_user_4)
32087
32088 ENTRY(__put_user_8)
32089 ENTER
32090+
32091+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
32092+ GET_THREAD_INFO(%_ASM_BX)
32093 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
32094 sub $7,%_ASM_BX
32095 cmp %_ASM_BX,%_ASM_CX
32096 jae bad_put_user
32097+
32098+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
32099+ mov pax_user_shadow_base,%_ASM_BX
32100+ cmp %_ASM_BX,%_ASM_CX
32101+ jb 1234f
32102+ xor %ebx,%ebx
32103+1234:
32104+#endif
32105+
32106+#endif
32107+
32108 ASM_STAC
32109-4: mov %_ASM_AX,(%_ASM_CX)
32110+4: __copyuser_seg mov %_ASM_AX,(_DEST)
32111 #ifdef CONFIG_X86_32
32112-5: movl %edx,4(%_ASM_CX)
32113+5: __copyuser_seg movl %edx,4(_DEST)
32114 #endif
32115 xor %eax,%eax
32116 EXIT
32117diff --git a/arch/x86/lib/rwsem.S b/arch/x86/lib/rwsem.S
32118index 40027db..37bb69d 100644
32119--- a/arch/x86/lib/rwsem.S
32120+++ b/arch/x86/lib/rwsem.S
32121@@ -90,6 +90,7 @@ ENTRY(call_rwsem_down_read_failed)
32122 call rwsem_down_read_failed
32123 __ASM_SIZE(pop,) %__ASM_REG(dx)
32124 restore_common_regs
32125+ pax_force_retaddr
32126 ret
32127 ENDPROC(call_rwsem_down_read_failed)
32128
32129@@ -98,6 +99,7 @@ ENTRY(call_rwsem_down_write_failed)
32130 movq %rax,%rdi
32131 call rwsem_down_write_failed
32132 restore_common_regs
32133+ pax_force_retaddr
32134 ret
32135 ENDPROC(call_rwsem_down_write_failed)
32136
32137@@ -109,7 +111,8 @@ ENTRY(call_rwsem_wake)
32138 movq %rax,%rdi
32139 call rwsem_wake
32140 restore_common_regs
32141-1: ret
32142+1: pax_force_retaddr
32143+ ret
32144 ENDPROC(call_rwsem_wake)
32145
32146 ENTRY(call_rwsem_downgrade_wake)
32147@@ -119,5 +122,6 @@ ENTRY(call_rwsem_downgrade_wake)
32148 call rwsem_downgrade_wake
32149 __ASM_SIZE(pop,) %__ASM_REG(dx)
32150 restore_common_regs
32151+ pax_force_retaddr
32152 ret
32153 ENDPROC(call_rwsem_downgrade_wake)
32154diff --git a/arch/x86/lib/usercopy_32.c b/arch/x86/lib/usercopy_32.c
32155index 91d93b9..4b22130 100644
32156--- a/arch/x86/lib/usercopy_32.c
32157+++ b/arch/x86/lib/usercopy_32.c
32158@@ -42,11 +42,13 @@ do { \
32159 int __d0; \
32160 might_fault(); \
32161 __asm__ __volatile__( \
32162+ __COPYUSER_SET_ES \
32163 ASM_STAC "\n" \
32164 "0: rep; stosl\n" \
32165 " movl %2,%0\n" \
32166 "1: rep; stosb\n" \
32167 "2: " ASM_CLAC "\n" \
32168+ __COPYUSER_RESTORE_ES \
32169 ".section .fixup,\"ax\"\n" \
32170 "3: lea 0(%2,%0,4),%0\n" \
32171 " jmp 2b\n" \
32172@@ -98,7 +100,7 @@ EXPORT_SYMBOL(__clear_user);
32173
32174 #ifdef CONFIG_X86_INTEL_USERCOPY
32175 static unsigned long
32176-__copy_user_intel(void __user *to, const void *from, unsigned long size)
32177+__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
32178 {
32179 int d0, d1;
32180 __asm__ __volatile__(
32181@@ -110,36 +112,36 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
32182 " .align 2,0x90\n"
32183 "3: movl 0(%4), %%eax\n"
32184 "4: movl 4(%4), %%edx\n"
32185- "5: movl %%eax, 0(%3)\n"
32186- "6: movl %%edx, 4(%3)\n"
32187+ "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
32188+ "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
32189 "7: movl 8(%4), %%eax\n"
32190 "8: movl 12(%4),%%edx\n"
32191- "9: movl %%eax, 8(%3)\n"
32192- "10: movl %%edx, 12(%3)\n"
32193+ "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
32194+ "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
32195 "11: movl 16(%4), %%eax\n"
32196 "12: movl 20(%4), %%edx\n"
32197- "13: movl %%eax, 16(%3)\n"
32198- "14: movl %%edx, 20(%3)\n"
32199+ "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
32200+ "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
32201 "15: movl 24(%4), %%eax\n"
32202 "16: movl 28(%4), %%edx\n"
32203- "17: movl %%eax, 24(%3)\n"
32204- "18: movl %%edx, 28(%3)\n"
32205+ "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
32206+ "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
32207 "19: movl 32(%4), %%eax\n"
32208 "20: movl 36(%4), %%edx\n"
32209- "21: movl %%eax, 32(%3)\n"
32210- "22: movl %%edx, 36(%3)\n"
32211+ "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
32212+ "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
32213 "23: movl 40(%4), %%eax\n"
32214 "24: movl 44(%4), %%edx\n"
32215- "25: movl %%eax, 40(%3)\n"
32216- "26: movl %%edx, 44(%3)\n"
32217+ "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
32218+ "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
32219 "27: movl 48(%4), %%eax\n"
32220 "28: movl 52(%4), %%edx\n"
32221- "29: movl %%eax, 48(%3)\n"
32222- "30: movl %%edx, 52(%3)\n"
32223+ "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
32224+ "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
32225 "31: movl 56(%4), %%eax\n"
32226 "32: movl 60(%4), %%edx\n"
32227- "33: movl %%eax, 56(%3)\n"
32228- "34: movl %%edx, 60(%3)\n"
32229+ "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
32230+ "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
32231 " addl $-64, %0\n"
32232 " addl $64, %4\n"
32233 " addl $64, %3\n"
32234@@ -149,10 +151,116 @@ __copy_user_intel(void __user *to, const void *from, unsigned long size)
32235 " shrl $2, %0\n"
32236 " andl $3, %%eax\n"
32237 " cld\n"
32238+ __COPYUSER_SET_ES
32239 "99: rep; movsl\n"
32240 "36: movl %%eax, %0\n"
32241 "37: rep; movsb\n"
32242 "100:\n"
32243+ __COPYUSER_RESTORE_ES
32244+ ".section .fixup,\"ax\"\n"
32245+ "101: lea 0(%%eax,%0,4),%0\n"
32246+ " jmp 100b\n"
32247+ ".previous\n"
32248+ _ASM_EXTABLE(1b,100b)
32249+ _ASM_EXTABLE(2b,100b)
32250+ _ASM_EXTABLE(3b,100b)
32251+ _ASM_EXTABLE(4b,100b)
32252+ _ASM_EXTABLE(5b,100b)
32253+ _ASM_EXTABLE(6b,100b)
32254+ _ASM_EXTABLE(7b,100b)
32255+ _ASM_EXTABLE(8b,100b)
32256+ _ASM_EXTABLE(9b,100b)
32257+ _ASM_EXTABLE(10b,100b)
32258+ _ASM_EXTABLE(11b,100b)
32259+ _ASM_EXTABLE(12b,100b)
32260+ _ASM_EXTABLE(13b,100b)
32261+ _ASM_EXTABLE(14b,100b)
32262+ _ASM_EXTABLE(15b,100b)
32263+ _ASM_EXTABLE(16b,100b)
32264+ _ASM_EXTABLE(17b,100b)
32265+ _ASM_EXTABLE(18b,100b)
32266+ _ASM_EXTABLE(19b,100b)
32267+ _ASM_EXTABLE(20b,100b)
32268+ _ASM_EXTABLE(21b,100b)
32269+ _ASM_EXTABLE(22b,100b)
32270+ _ASM_EXTABLE(23b,100b)
32271+ _ASM_EXTABLE(24b,100b)
32272+ _ASM_EXTABLE(25b,100b)
32273+ _ASM_EXTABLE(26b,100b)
32274+ _ASM_EXTABLE(27b,100b)
32275+ _ASM_EXTABLE(28b,100b)
32276+ _ASM_EXTABLE(29b,100b)
32277+ _ASM_EXTABLE(30b,100b)
32278+ _ASM_EXTABLE(31b,100b)
32279+ _ASM_EXTABLE(32b,100b)
32280+ _ASM_EXTABLE(33b,100b)
32281+ _ASM_EXTABLE(34b,100b)
32282+ _ASM_EXTABLE(35b,100b)
32283+ _ASM_EXTABLE(36b,100b)
32284+ _ASM_EXTABLE(37b,100b)
32285+ _ASM_EXTABLE(99b,101b)
32286+ : "=&c"(size), "=&D" (d0), "=&S" (d1)
32287+ : "1"(to), "2"(from), "0"(size)
32288+ : "eax", "edx", "memory");
32289+ return size;
32290+}
32291+
32292+static unsigned long
32293+__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
32294+{
32295+ int d0, d1;
32296+ __asm__ __volatile__(
32297+ " .align 2,0x90\n"
32298+ "1: "__copyuser_seg" movl 32(%4), %%eax\n"
32299+ " cmpl $67, %0\n"
32300+ " jbe 3f\n"
32301+ "2: "__copyuser_seg" movl 64(%4), %%eax\n"
32302+ " .align 2,0x90\n"
32303+ "3: "__copyuser_seg" movl 0(%4), %%eax\n"
32304+ "4: "__copyuser_seg" movl 4(%4), %%edx\n"
32305+ "5: movl %%eax, 0(%3)\n"
32306+ "6: movl %%edx, 4(%3)\n"
32307+ "7: "__copyuser_seg" movl 8(%4), %%eax\n"
32308+ "8: "__copyuser_seg" movl 12(%4),%%edx\n"
32309+ "9: movl %%eax, 8(%3)\n"
32310+ "10: movl %%edx, 12(%3)\n"
32311+ "11: "__copyuser_seg" movl 16(%4), %%eax\n"
32312+ "12: "__copyuser_seg" movl 20(%4), %%edx\n"
32313+ "13: movl %%eax, 16(%3)\n"
32314+ "14: movl %%edx, 20(%3)\n"
32315+ "15: "__copyuser_seg" movl 24(%4), %%eax\n"
32316+ "16: "__copyuser_seg" movl 28(%4), %%edx\n"
32317+ "17: movl %%eax, 24(%3)\n"
32318+ "18: movl %%edx, 28(%3)\n"
32319+ "19: "__copyuser_seg" movl 32(%4), %%eax\n"
32320+ "20: "__copyuser_seg" movl 36(%4), %%edx\n"
32321+ "21: movl %%eax, 32(%3)\n"
32322+ "22: movl %%edx, 36(%3)\n"
32323+ "23: "__copyuser_seg" movl 40(%4), %%eax\n"
32324+ "24: "__copyuser_seg" movl 44(%4), %%edx\n"
32325+ "25: movl %%eax, 40(%3)\n"
32326+ "26: movl %%edx, 44(%3)\n"
32327+ "27: "__copyuser_seg" movl 48(%4), %%eax\n"
32328+ "28: "__copyuser_seg" movl 52(%4), %%edx\n"
32329+ "29: movl %%eax, 48(%3)\n"
32330+ "30: movl %%edx, 52(%3)\n"
32331+ "31: "__copyuser_seg" movl 56(%4), %%eax\n"
32332+ "32: "__copyuser_seg" movl 60(%4), %%edx\n"
32333+ "33: movl %%eax, 56(%3)\n"
32334+ "34: movl %%edx, 60(%3)\n"
32335+ " addl $-64, %0\n"
32336+ " addl $64, %4\n"
32337+ " addl $64, %3\n"
32338+ " cmpl $63, %0\n"
32339+ " ja 1b\n"
32340+ "35: movl %0, %%eax\n"
32341+ " shrl $2, %0\n"
32342+ " andl $3, %%eax\n"
32343+ " cld\n"
32344+ "99: rep; "__copyuser_seg" movsl\n"
32345+ "36: movl %%eax, %0\n"
32346+ "37: rep; "__copyuser_seg" movsb\n"
32347+ "100:\n"
32348 ".section .fixup,\"ax\"\n"
32349 "101: lea 0(%%eax,%0,4),%0\n"
32350 " jmp 100b\n"
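Review bot: In `__generic_copy_to_user_intel` the extable entries for labels 1b–37b all resume at `100:`, and `100:` is now followed by `__COPYUSER_RESTORE_ES`, so the restore also runs after faults in the unrolled loop, where `__COPYUSER_SET_ES` has not yet executed. That is only correct if the restore is stack-neutral and reloads a fixed selector rather than undoing a save; the macro bodies are not part of this hunk, so this cannot be confirmed here. A comment next to the label would pin the requirement, for example `/* faults before 99: also land on 100:, so __COPYUSER_RESTORE_ES must not depend on __COPYUSER_SET_ES having run */`. The body of `__generic_copy_from_user_intel`, added in the same hunk, continues past the hunk's end.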
32351@@ -207,41 +315,41 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
32352 int d0, d1;
32353 __asm__ __volatile__(
32354 " .align 2,0x90\n"
32355- "0: movl 32(%4), %%eax\n"
32356+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
32357 " cmpl $67, %0\n"
32358 " jbe 2f\n"
32359- "1: movl 64(%4), %%eax\n"
32360+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
32361 " .align 2,0x90\n"
32362- "2: movl 0(%4), %%eax\n"
32363- "21: movl 4(%4), %%edx\n"
32364+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
32365+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
32366 " movl %%eax, 0(%3)\n"
32367 " movl %%edx, 4(%3)\n"
32368- "3: movl 8(%4), %%eax\n"
32369- "31: movl 12(%4),%%edx\n"
32370+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
32371+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
32372 " movl %%eax, 8(%3)\n"
32373 " movl %%edx, 12(%3)\n"
32374- "4: movl 16(%4), %%eax\n"
32375- "41: movl 20(%4), %%edx\n"
32376+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
32377+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
32378 " movl %%eax, 16(%3)\n"
32379 " movl %%edx, 20(%3)\n"
32380- "10: movl 24(%4), %%eax\n"
32381- "51: movl 28(%4), %%edx\n"
32382+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
32383+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
32384 " movl %%eax, 24(%3)\n"
32385 " movl %%edx, 28(%3)\n"
32386- "11: movl 32(%4), %%eax\n"
32387- "61: movl 36(%4), %%edx\n"
32388+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
32389+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
32390 " movl %%eax, 32(%3)\n"
32391 " movl %%edx, 36(%3)\n"
32392- "12: movl 40(%4), %%eax\n"
32393- "71: movl 44(%4), %%edx\n"
32394+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
32395+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
32396 " movl %%eax, 40(%3)\n"
32397 " movl %%edx, 44(%3)\n"
32398- "13: movl 48(%4), %%eax\n"
32399- "81: movl 52(%4), %%edx\n"
32400+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
32401+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
32402 " movl %%eax, 48(%3)\n"
32403 " movl %%edx, 52(%3)\n"
32404- "14: movl 56(%4), %%eax\n"
32405- "91: movl 60(%4), %%edx\n"
32406+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
32407+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
32408 " movl %%eax, 56(%3)\n"
32409 " movl %%edx, 60(%3)\n"
32410 " addl $-64, %0\n"
32411@@ -253,9 +361,9 @@ __copy_user_zeroing_intel(void *to, const void __user *from, unsigned long size)
32412 " shrl $2, %0\n"
32413 " andl $3, %%eax\n"
32414 " cld\n"
32415- "6: rep; movsl\n"
32416+ "6: rep; "__copyuser_seg" movsl\n"
32417 " movl %%eax,%0\n"
32418- "7: rep; movsb\n"
32419+ "7: rep; "__copyuser_seg" movsb\n"
32420 "8:\n"
32421 ".section .fixup,\"ax\"\n"
32422 "9: lea 0(%%eax,%0,4),%0\n"
32423@@ -305,41 +413,41 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
32424
32425 __asm__ __volatile__(
32426 " .align 2,0x90\n"
32427- "0: movl 32(%4), %%eax\n"
32428+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
32429 " cmpl $67, %0\n"
32430 " jbe 2f\n"
32431- "1: movl 64(%4), %%eax\n"
32432+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
32433 " .align 2,0x90\n"
32434- "2: movl 0(%4), %%eax\n"
32435- "21: movl 4(%4), %%edx\n"
32436+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
32437+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
32438 " movnti %%eax, 0(%3)\n"
32439 " movnti %%edx, 4(%3)\n"
32440- "3: movl 8(%4), %%eax\n"
32441- "31: movl 12(%4),%%edx\n"
32442+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
32443+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
32444 " movnti %%eax, 8(%3)\n"
32445 " movnti %%edx, 12(%3)\n"
32446- "4: movl 16(%4), %%eax\n"
32447- "41: movl 20(%4), %%edx\n"
32448+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
32449+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
32450 " movnti %%eax, 16(%3)\n"
32451 " movnti %%edx, 20(%3)\n"
32452- "10: movl 24(%4), %%eax\n"
32453- "51: movl 28(%4), %%edx\n"
32454+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
32455+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
32456 " movnti %%eax, 24(%3)\n"
32457 " movnti %%edx, 28(%3)\n"
32458- "11: movl 32(%4), %%eax\n"
32459- "61: movl 36(%4), %%edx\n"
32460+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
32461+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
32462 " movnti %%eax, 32(%3)\n"
32463 " movnti %%edx, 36(%3)\n"
32464- "12: movl 40(%4), %%eax\n"
32465- "71: movl 44(%4), %%edx\n"
32466+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
32467+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
32468 " movnti %%eax, 40(%3)\n"
32469 " movnti %%edx, 44(%3)\n"
32470- "13: movl 48(%4), %%eax\n"
32471- "81: movl 52(%4), %%edx\n"
32472+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
32473+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
32474 " movnti %%eax, 48(%3)\n"
32475 " movnti %%edx, 52(%3)\n"
32476- "14: movl 56(%4), %%eax\n"
32477- "91: movl 60(%4), %%edx\n"
32478+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
32479+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
32480 " movnti %%eax, 56(%3)\n"
32481 " movnti %%edx, 60(%3)\n"
32482 " addl $-64, %0\n"
32483@@ -352,9 +460,9 @@ static unsigned long __copy_user_zeroing_intel_nocache(void *to,
32484 " shrl $2, %0\n"
32485 " andl $3, %%eax\n"
32486 " cld\n"
32487- "6: rep; movsl\n"
32488+ "6: rep; "__copyuser_seg" movsl\n"
32489 " movl %%eax,%0\n"
32490- "7: rep; movsb\n"
32491+ "7: rep; "__copyuser_seg" movsb\n"
32492 "8:\n"
32493 ".section .fixup,\"ax\"\n"
32494 "9: lea 0(%%eax,%0,4),%0\n"
32495@@ -399,41 +507,41 @@ static unsigned long __copy_user_intel_nocache(void *to,
32496
32497 __asm__ __volatile__(
32498 " .align 2,0x90\n"
32499- "0: movl 32(%4), %%eax\n"
32500+ "0: "__copyuser_seg" movl 32(%4), %%eax\n"
32501 " cmpl $67, %0\n"
32502 " jbe 2f\n"
32503- "1: movl 64(%4), %%eax\n"
32504+ "1: "__copyuser_seg" movl 64(%4), %%eax\n"
32505 " .align 2,0x90\n"
32506- "2: movl 0(%4), %%eax\n"
32507- "21: movl 4(%4), %%edx\n"
32508+ "2: "__copyuser_seg" movl 0(%4), %%eax\n"
32509+ "21: "__copyuser_seg" movl 4(%4), %%edx\n"
32510 " movnti %%eax, 0(%3)\n"
32511 " movnti %%edx, 4(%3)\n"
32512- "3: movl 8(%4), %%eax\n"
32513- "31: movl 12(%4),%%edx\n"
32514+ "3: "__copyuser_seg" movl 8(%4), %%eax\n"
32515+ "31: "__copyuser_seg" movl 12(%4),%%edx\n"
32516 " movnti %%eax, 8(%3)\n"
32517 " movnti %%edx, 12(%3)\n"
32518- "4: movl 16(%4), %%eax\n"
32519- "41: movl 20(%4), %%edx\n"
32520+ "4: "__copyuser_seg" movl 16(%4), %%eax\n"
32521+ "41: "__copyuser_seg" movl 20(%4), %%edx\n"
32522 " movnti %%eax, 16(%3)\n"
32523 " movnti %%edx, 20(%3)\n"
32524- "10: movl 24(%4), %%eax\n"
32525- "51: movl 28(%4), %%edx\n"
32526+ "10: "__copyuser_seg" movl 24(%4), %%eax\n"
32527+ "51: "__copyuser_seg" movl 28(%4), %%edx\n"
32528 " movnti %%eax, 24(%3)\n"
32529 " movnti %%edx, 28(%3)\n"
32530- "11: movl 32(%4), %%eax\n"
32531- "61: movl 36(%4), %%edx\n"
32532+ "11: "__copyuser_seg" movl 32(%4), %%eax\n"
32533+ "61: "__copyuser_seg" movl 36(%4), %%edx\n"
32534 " movnti %%eax, 32(%3)\n"
32535 " movnti %%edx, 36(%3)\n"
32536- "12: movl 40(%4), %%eax\n"
32537- "71: movl 44(%4), %%edx\n"
32538+ "12: "__copyuser_seg" movl 40(%4), %%eax\n"
32539+ "71: "__copyuser_seg" movl 44(%4), %%edx\n"
32540 " movnti %%eax, 40(%3)\n"
32541 " movnti %%edx, 44(%3)\n"
32542- "13: movl 48(%4), %%eax\n"
32543- "81: movl 52(%4), %%edx\n"
32544+ "13: "__copyuser_seg" movl 48(%4), %%eax\n"
32545+ "81: "__copyuser_seg" movl 52(%4), %%edx\n"
32546 " movnti %%eax, 48(%3)\n"
32547 " movnti %%edx, 52(%3)\n"
32548- "14: movl 56(%4), %%eax\n"
32549- "91: movl 60(%4), %%edx\n"
32550+ "14: "__copyuser_seg" movl 56(%4), %%eax\n"
32551+ "91: "__copyuser_seg" movl 60(%4), %%edx\n"
32552 " movnti %%eax, 56(%3)\n"
32553 " movnti %%edx, 60(%3)\n"
32554 " addl $-64, %0\n"
32555@@ -446,9 +554,9 @@ static unsigned long __copy_user_intel_nocache(void *to,
32556 " shrl $2, %0\n"
32557 " andl $3, %%eax\n"
32558 " cld\n"
32559- "6: rep; movsl\n"
32560+ "6: rep; "__copyuser_seg" movsl\n"
32561 " movl %%eax,%0\n"
32562- "7: rep; movsb\n"
32563+ "7: rep; "__copyuser_seg" movsb\n"
32564 "8:\n"
32565 ".section .fixup,\"ax\"\n"
32566 "9: lea 0(%%eax,%0,4),%0\n"
32567@@ -488,32 +596,36 @@ static unsigned long __copy_user_intel_nocache(void *to,
32568 */
32569 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
32570 unsigned long size);
32571-unsigned long __copy_user_intel(void __user *to, const void *from,
32572+unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
32573+ unsigned long size);
32574+unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
32575 unsigned long size);
32576 unsigned long __copy_user_zeroing_intel_nocache(void *to,
32577 const void __user *from, unsigned long size);
32578 #endif /* CONFIG_X86_INTEL_USERCOPY */
32579
32580 /* Generic arbitrary sized copy. */
32581-#define __copy_user(to, from, size) \
32582+#define __copy_user(to, from, size, prefix, set, restore) \
32583 do { \
32584 int __d0, __d1, __d2; \
32585 __asm__ __volatile__( \
32586+ set \
32587 " cmp $7,%0\n" \
32588 " jbe 1f\n" \
32589 " movl %1,%0\n" \
32590 " negl %0\n" \
32591 " andl $7,%0\n" \
32592 " subl %0,%3\n" \
32593- "4: rep; movsb\n" \
32594+ "4: rep; "prefix"movsb\n" \
32595 " movl %3,%0\n" \
32596 " shrl $2,%0\n" \
32597 " andl $3,%3\n" \
32598 " .align 2,0x90\n" \
32599- "0: rep; movsl\n" \
32600+ "0: rep; "prefix"movsl\n" \
32601 " movl %3,%0\n" \
32602- "1: rep; movsb\n" \
32603+ "1: rep; "prefix"movsb\n" \
32604 "2:\n" \
32605+ restore \
32606 ".section .fixup,\"ax\"\n" \
32607 "5: addl %3,%0\n" \
32608 " jmp 2b\n" \
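Review bot: The three new `__copy_user` parameters are undocumented, and `prefix` is pasted with no whitespace (`"4: rep; "prefix"movsb\n"`), whereas the `*_intel` functions in this file write `"__copyuser_seg" movl` with a space. Any non-empty prefix therefore has to carry its own trailing separator, which a reader cannot tell from the macro. I would add a comment above the macro such as `/* prefix: segment-override string placed directly before each movs (may be ""); set/restore: asm strings emitted before the copy and after label 2, so the fixup path at 5: also runs restore */`. The macro body continues outside this hunk.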
32609@@ -538,14 +650,14 @@ do { \
32610 " negl %0\n" \
32611 " andl $7,%0\n" \
32612 " subl %0,%3\n" \
32613- "4: rep; movsb\n" \
32614+ "4: rep; "__copyuser_seg"movsb\n" \
32615 " movl %3,%0\n" \
32616 " shrl $2,%0\n" \
32617 " andl $3,%3\n" \
32618 " .align 2,0x90\n" \
32619- "0: rep; movsl\n" \
32620+ "0: rep; "__copyuser_seg"movsl\n" \
32621 " movl %3,%0\n" \
32622- "1: rep; movsb\n" \
32623+ "1: rep; "__copyuser_seg"movsb\n" \
32624 "2:\n" \
32625 ".section .fixup,\"ax\"\n" \
32626 "5: addl %3,%0\n" \
32627@@ -572,9 +684,9 @@ unsigned long __copy_to_user_ll(void __user *to, const void *from,
32628 {
32629 stac();
32630 if (movsl_is_ok(to, from, n))
32631- __copy_user(to, from, n);
32632+ __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
32633 else
32634- n = __copy_user_intel(to, from, n);
32635+ n = __generic_copy_to_user_intel(to, from, n);
32636 clac();
32637 return n;
32638 }
32639@@ -598,10 +710,9 @@ unsigned long __copy_from_user_ll_nozero(void *to, const void __user *from,
32640 {
32641 stac();
32642 if (movsl_is_ok(to, from, n))
32643- __copy_user(to, from, n);
32644+ __copy_user(to, from, n, __copyuser_seg, "", "");
32645 else
32646- n = __copy_user_intel((void __user *)to,
32647- (const void *)from, n);
32648+ n = __generic_copy_from_user_intel(to, from, n);
32649 clac();
32650 return n;
32651 }
32652@@ -632,60 +743,38 @@ unsigned long __copy_from_user_ll_nocache_nozero(void *to, const void __user *fr
32653 if (n > 64 && cpu_has_xmm2)
32654 n = __copy_user_intel_nocache(to, from, n);
32655 else
32656- __copy_user(to, from, n);
32657+ __copy_user(to, from, n, __copyuser_seg, "", "");
32658 #else
32659- __copy_user(to, from, n);
32660+ __copy_user(to, from, n, __copyuser_seg, "", "");
32661 #endif
32662 clac();
32663 return n;
32664 }
32665 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
32666
32667-/**
32668- * copy_to_user: - Copy a block of data into user space.
32669- * @to: Destination address, in user space.
32670- * @from: Source address, in kernel space.
32671- * @n: Number of bytes to copy.
32672- *
32673- * Context: User context only. This function may sleep if pagefaults are
32674- * enabled.
32675- *
32676- * Copy data from kernel space to user space.
32677- *
32678- * Returns number of bytes that could not be copied.
32679- * On success, this will be zero.
32680- */
32681-unsigned long _copy_to_user(void __user *to, const void *from, unsigned n)
32682+#ifdef CONFIG_PAX_MEMORY_UDEREF
32683+void __set_fs(mm_segment_t x)
32684 {
32685- if (access_ok(VERIFY_WRITE, to, n))
32686- n = __copy_to_user(to, from, n);
32687- return n;
32688+ switch (x.seg) {
32689+ case 0:
32690+ loadsegment(gs, 0);
32691+ break;
32692+ case TASK_SIZE_MAX:
32693+ loadsegment(gs, __USER_DS);
32694+ break;
32695+ case -1UL:
32696+ loadsegment(gs, __KERNEL_DS);
32697+ break;
32698+ default:
32699+ BUG();
32700+ }
32701 }
32702-EXPORT_SYMBOL(_copy_to_user);
32703+EXPORT_SYMBOL(__set_fs);
32704
32705-/**
32706- * copy_from_user: - Copy a block of data from user space.
32707- * @to: Destination address, in kernel space.
32708- * @from: Source address, in user space.
32709- * @n: Number of bytes to copy.
32710- *
32711- * Context: User context only. This function may sleep if pagefaults are
32712- * enabled.
32713- *
32714- * Copy data from user space to kernel space.
32715- *
32716- * Returns number of bytes that could not be copied.
32717- * On success, this will be zero.
32718- *
32719- * If some data could not be copied, this function will pad the copied
32720- * data to the requested size using zero bytes.
32721- */
32722-unsigned long _copy_from_user(void *to, const void __user *from, unsigned n)
32723+void set_fs(mm_segment_t x)
32724 {
32725- if (access_ok(VERIFY_READ, from, n))
32726- n = __copy_from_user(to, from, n);
32727- else
32728- memset(to, 0, n);
32729- return n;
32730+ current_thread_info()->addr_limit = x;
32731+ __set_fs(x);
32732 }
32733-EXPORT_SYMBOL(_copy_from_user);
32734+EXPORT_SYMBOL(set_fs);
32735+#endif
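Review bot: `__set_fs()` and `set_fs()` are exported here with no comment, in the place where two kerneldoc-documented functions are removed. The switch encodes a non-obvious contract: only three `x.seg` values are accepted and everything else is fatal. Note also that `set_fs()` writes `addr_limit` before `__set_fs()` has checked the value, so an unexpected limit is already stored when `BUG()` fires. I would add a comment above `__set_fs` such as `/* %gs mirrors addr_limit: 0 -> null selector, TASK_SIZE_MAX -> __USER_DS, -1UL -> __KERNEL_DS; any other limit is a bug */`. Calling `__set_fs(x);` before the `addr_limit` store would also make the check come first.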
32736diff --git a/arch/x86/lib/usercopy_64.c b/arch/x86/lib/usercopy_64.c
32737index 0a42327..7a82465 100644
32738--- a/arch/x86/lib/usercopy_64.c
32739+++ b/arch/x86/lib/usercopy_64.c
32740@@ -18,6 +18,7 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
32741 might_fault();
32742 /* no memory constraint because it doesn't change any memory gcc knows
32743 about */
32744+ pax_open_userland();
32745 stac();
32746 asm volatile(
32747 " testq %[size8],%[size8]\n"
32748@@ -39,9 +40,10 @@ unsigned long __clear_user(void __user *addr, unsigned long size)
32749 _ASM_EXTABLE(0b,3b)
32750 _ASM_EXTABLE(1b,2b)
32751 : [size8] "=&c"(size), [dst] "=&D" (__d0)
32752- : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr),
32753+ : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(____m(addr)),
32754 [zero] "r" (0UL), [eight] "r" (8UL));
32755 clac();
32756+ pax_close_userland();
32757 return size;
32758 }
32759 EXPORT_SYMBOL(__clear_user);
32760@@ -54,12 +56,11 @@ unsigned long clear_user(void __user *to, unsigned long n)
32761 }
32762 EXPORT_SYMBOL(clear_user);
32763
32764-unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
32765+unsigned long copy_in_user(void __user *to, const void __user *from, unsigned long len)
32766 {
32767- if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
32768- return copy_user_generic((__force void *)to, (__force void *)from, len);
32769- }
32770- return len;
32771+ if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len))
32772+ return copy_user_generic((void __force_kernel *)____m(to), (void __force_kernel *)____m(from), len);
32773+ return len;
32774 }
32775 EXPORT_SYMBOL(copy_in_user);
32776
32777@@ -69,8 +70,10 @@ EXPORT_SYMBOL(copy_in_user);
32778 * it is not necessary to optimize tail handling.
32779 */
32780 __visible unsigned long
32781-copy_user_handle_tail(char *to, char *from, unsigned len)
32782+copy_user_handle_tail(char __user *to, char __user *from, unsigned long len)
32783 {
32784+ clac();
32785+ pax_close_userland();
32786 for (; len; --len, to++) {
32787 char c;
32788
32789@@ -79,10 +82,9 @@ copy_user_handle_tail(char *to, char *from, unsigned len)
32790 if (__put_user_nocheck(c, to, sizeof(char)))
32791 break;
32792 }
32793- clac();
32794
32795 /* If the destination is a kernel buffer, we always clear the end */
32796- if (!__addr_ok(to))
32797+ if (!__addr_ok(to) && (unsigned long)to >= TASK_SIZE_MAX + pax_user_shadow_base)
32798 memset(to, 0, len);
32799 return len;
32800 }
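Review bot: The comment "If the destination is a kernel buffer, we always clear the end" no longer matches the condition, which now also requires `(unsigned long)to >= TASK_SIZE_MAX + pax_user_shadow_base`. The comment should say what the extra bound excludes. In addition, `to` was retyped to `char __user *` in the previous hunk but is still passed straight to `memset()`, which mixes address spaces for sparse. A cast using the annotation already used in this file would make the intent explicit: `memset((void __force_kernel *)to, 0, len);`. `copy_user_handle_tail` starts in the previous hunk, where `clac()` and `pax_close_userland()` were moved ahead of the byte loop. That move relies on `__get_user_nocheck`/`__put_user_nocheck` opening user access themselves, which is not visible here.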
32801diff --git a/arch/x86/math-emu/fpu_aux.c b/arch/x86/math-emu/fpu_aux.c
32802index dd76a05..df65688 100644
32803--- a/arch/x86/math-emu/fpu_aux.c
32804+++ b/arch/x86/math-emu/fpu_aux.c
32805@@ -52,7 +52,7 @@ void fpstate_init_soft(struct swregs_state *soft)
32806
32807 void finit(void)
32808 {
32809- fpstate_init_soft(&current->thread.fpu.state.soft);
32810+ fpstate_init_soft(&current->thread.fpu.state->soft);
32811 }
32812
32813 /*
32814diff --git a/arch/x86/math-emu/fpu_entry.c b/arch/x86/math-emu/fpu_entry.c
32815index 3d8f2e4..ef7cf4e 100644
32816--- a/arch/x86/math-emu/fpu_entry.c
32817+++ b/arch/x86/math-emu/fpu_entry.c
32818@@ -677,7 +677,7 @@ int fpregs_soft_set(struct task_struct *target,
32819 unsigned int pos, unsigned int count,
32820 const void *kbuf, const void __user *ubuf)
32821 {
32822- struct swregs_state *s387 = &target->thread.fpu.state.soft;
32823+ struct swregs_state *s387 = &target->thread.fpu.state->soft;
32824 void *space = s387->st_space;
32825 int ret;
32826 int offset, other, i, tags, regnr, tag, newtop;
32827@@ -729,7 +729,7 @@ int fpregs_soft_get(struct task_struct *target,
32828 unsigned int pos, unsigned int count,
32829 void *kbuf, void __user *ubuf)
32830 {
32831- struct swregs_state *s387 = &target->thread.fpu.state.soft;
32832+ struct swregs_state *s387 = &target->thread.fpu.state->soft;
32833 const void *space = s387->st_space;
32834 int ret;
32835 int offset = (S387->ftop & 7) * 10, other = 80 - offset;
32836diff --git a/arch/x86/math-emu/fpu_system.h b/arch/x86/math-emu/fpu_system.h
32837index 5e044d5..d342fce 100644
32838--- a/arch/x86/math-emu/fpu_system.h
32839+++ b/arch/x86/math-emu/fpu_system.h
32840@@ -46,7 +46,7 @@ static inline struct desc_struct FPU_get_ldt_descriptor(unsigned seg)
32841 #define SEG_EXPAND_DOWN(s) (((s).b & ((1 << 11) | (1 << 10))) \
32842 == (1 << 10))
32843
32844-#define I387 (&current->thread.fpu.state)
32845+#define I387 (current->thread.fpu.state)
32846 #define FPU_info (I387->soft.info)
32847
32848 #define FPU_CS (*(unsigned short *) &(FPU_info->regs->cs))
32849diff --git a/arch/x86/mm/Makefile b/arch/x86/mm/Makefile
32850index a482d10..1a6edb5 100644
32851--- a/arch/x86/mm/Makefile
32852+++ b/arch/x86/mm/Makefile
32853@@ -33,3 +33,7 @@ obj-$(CONFIG_ACPI_NUMA) += srat.o
32854 obj-$(CONFIG_NUMA_EMU) += numa_emulation.o
32855
32856 obj-$(CONFIG_X86_INTEL_MPX) += mpx.o
32857+
32858+quote:="
32859+obj-$(CONFIG_X86_64) += uderef_64.o
32860+CFLAGS_uderef_64.o := $(subst $(quote),,$(CONFIG_ARCH_HWEIGHT_CFLAGS)) -fcall-saved-rax
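Review bot: `-fcall-saved-rax` changes the register convention for every function in `uderef_64.o`, but nothing here says which callers depend on rax being preserved. The object is also built for every `CONFIG_X86_64` kernel rather than only when the feature is enabled; whether `uderef_64.c` guards its own contents is not visible in this hunk. I would add a comment such as `# uderef_64.o is called from asm that expects %rax preserved, hence -fcall-saved-rax` (wording to be confirmed against the callers). It would also be worth checking whether `quote` needs to be redefined locally, since a file-level `quote:="` can shadow a definition the build system already provides.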
32861diff --git a/arch/x86/mm/extable.c b/arch/x86/mm/extable.c
32862index 903ec1e..41b4708 100644
32863--- a/arch/x86/mm/extable.c
32864+++ b/arch/x86/mm/extable.c
32865@@ -2,16 +2,29 @@
32866 #include <linux/spinlock.h>
32867 #include <linux/sort.h>
32868 #include <asm/uaccess.h>
32869+#include <asm/boot.h>
32870
32871 static inline unsigned long
32872 ex_insn_addr(const struct exception_table_entry *x)
32873 {
32874- return (unsigned long)&x->insn + x->insn;
32875+ unsigned long reloc = 0;
32876+
32877+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
32878+ reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32879+#endif
32880+
32881+ return (unsigned long)&x->insn + x->insn + reloc;
32882 }
32883 static inline unsigned long
32884 ex_fixup_addr(const struct exception_table_entry *x)
32885 {
32886- return (unsigned long)&x->fixup + x->fixup;
32887+ unsigned long reloc = 0;
32888+
32889+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
32890+ reloc = ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32891+#endif
32892+
32893+ return (unsigned long)&x->fixup + x->fixup + reloc;
32894 }
32895
32896 int fixup_exception(struct pt_regs *regs)
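Review bot: The expression `____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR` and its `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` guard are written out in `ex_insn_addr`, in `ex_fixup_addr`, and again twice in the `sort_extable` hunk below. A later change to the relocation would have to be made in four places that must stay in sync. A single helper keeps the readers and the sorter consistent. In the `sort_extable` hunk, the `BUILD_BUG_ON` also sits inside the loop body and would read better at the top of the function.

```c
/* Adjustment added to every extable-relative address (non-zero only for KERNEXEC on i386). */
static inline unsigned long ex_reloc(void)
{
#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	return ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
#else
	return 0;
#endif
}

static inline unsigned long
ex_insn_addr(const struct exception_table_entry *x)
{
	return (unsigned long)&x->insn + x->insn + ex_reloc();
}
/* … ex_fixup_addr: same change, using x->fixup … */
```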
32897@@ -20,7 +33,7 @@ int fixup_exception(struct pt_regs *regs)
32898 unsigned long new_ip;
32899
32900 #ifdef CONFIG_PNPBIOS
32901- if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
32902+ if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
32903 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
32904 extern u32 pnp_bios_is_utter_crap;
32905 pnp_bios_is_utter_crap = 1;
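Review bot: The added `!v8086_mode(regs)` guard has no comment, so the reason `regs->cs` cannot be trusted in that mode is left for the reader to reconstruct. Presumably a vm86 task's `cs` is a real-mode segment value that can numerically match the PnP BIOS code selector, but that should be confirmed and then stated. A one-line comment above the test would do, for example `/* in vm86 mode regs->cs is not a selector, so it must not be matched against the PnP BIOS segments */`. The `fixup_exception` body continues outside this hunk.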
32906@@ -145,6 +158,13 @@ void sort_extable(struct exception_table_entry *start,
32907 i += 4;
32908 p->fixup -= i;
32909 i += 4;
32910+
32911+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
32912+ BUILD_BUG_ON(!IS_ENABLED(CONFIG_BUILDTIME_EXTABLE_SORT));
32913+ p->insn -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32914+ p->fixup -= ____LOAD_PHYSICAL_ADDR - LOAD_PHYSICAL_ADDR;
32915+#endif
32916+
32917 }
32918 }
32919
32920diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c
32921index 9dc9098..938251a 100644
32922--- a/arch/x86/mm/fault.c
32923+++ b/arch/x86/mm/fault.c
32924@@ -14,12 +14,19 @@
32925 #include <linux/prefetch.h> /* prefetchw */
32926 #include <linux/context_tracking.h> /* exception_enter(), ... */
32927 #include <linux/uaccess.h> /* faulthandler_disabled() */
32928+#include <linux/unistd.h>
32929+#include <linux/compiler.h>
32930
32931 #include <asm/traps.h> /* dotraplinkage, ... */
32932 #include <asm/pgalloc.h> /* pgd_*(), ... */
32933 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
32934 #include <asm/fixmap.h> /* VSYSCALL_ADDR */
32935 #include <asm/vsyscall.h> /* emulate_vsyscall */
32936+#include <asm/tlbflush.h>
32937+
32938+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
32939+#include <asm/stacktrace.h>
32940+#endif
32941
32942 #define CREATE_TRACE_POINTS
32943 #include <asm/trace/exceptions.h>
32944@@ -121,7 +128,10 @@ check_prefetch_opcode(struct pt_regs *regs, unsigned char *instr,
32945 return !instr_lo || (instr_lo>>1) == 1;
32946 case 0x00:
32947 /* Prefetch instruction is 0x0F0D or 0x0F18 */
32948- if (probe_kernel_address(instr, opcode))
32949+ if (user_mode(regs)) {
32950+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
32951+ return 0;
32952+ } else if (probe_kernel_address(instr, opcode))
32953 return 0;
32954
32955 *prefetch = (instr_lo == 0xF) &&
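Review bot: The user-mode branch reads the opcode with `__copy_from_user_inatomic`, which performs no range check of its own, on a pointer derived from the faulting instruction pointer. The read is therefore only as safe as whatever bound on `instr` the caller applies, and that check is outside this hunk. A comment should name it. The same four-line if/else-if is repeated in the `is_prefetch` hunk that follows, differing only in `return 0` versus `break`. A helper would hold the cast and the accessor choice in one place, with the call sites becoming `if (fetch_opcode(regs, instr, &opcode)) return 0;` and `... break;`.

```c
/*
 * Read one opcode byte at instr with the accessor matching the faulting mode.
 * The user-mode read is unchecked: callers must have bounded instr already.
 * Returns non-zero on failure.
 */
static int fetch_opcode(struct pt_regs *regs, unsigned char *instr,
			unsigned char *opcode)
{
	if (user_mode(regs))
		return __copy_from_user_inatomic(opcode,
				(unsigned char __force_user *)instr, 1) != 0;
	return probe_kernel_address(instr, *opcode) != 0;
}
```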
32956@@ -155,7 +165,10 @@ is_prefetch(struct pt_regs *regs, unsigned long error_code, unsigned long addr)
32957 while (instr < max_instr) {
32958 unsigned char opcode;
32959
32960- if (probe_kernel_address(instr, opcode))
32961+ if (user_mode(regs)) {
32962+ if (__copy_from_user_inatomic(&opcode, (unsigned char __force_user *)(instr), 1))
32963+ break;
32964+ } else if (probe_kernel_address(instr, opcode))
32965 break;
32966
32967 instr++;
32968@@ -186,6 +199,34 @@ force_sig_info_fault(int si_signo, int si_code, unsigned long address,
32969 force_sig_info(si_signo, &info, tsk);
32970 }
32971
32972+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
32973+static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address);
32974+#endif
32975+
32976+#ifdef CONFIG_PAX_EMUTRAMP
32977+static int pax_handle_fetch_fault(struct pt_regs *regs);
32978+#endif
32979+
32980+#ifdef CONFIG_PAX_PAGEEXEC
32981+static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
32982+{
32983+ pgd_t *pgd;
32984+ pud_t *pud;
32985+ pmd_t *pmd;
32986+
32987+ pgd = pgd_offset(mm, address);
32988+ if (!pgd_present(*pgd))
32989+ return NULL;
32990+ pud = pud_offset(pgd, address);
32991+ if (!pud_present(*pud))
32992+ return NULL;
32993+ pmd = pmd_offset(pud, address);
32994+ if (!pmd_present(*pmd))
32995+ return NULL;
32996+ return pmd;
32997+}
32998+#endif
32999+
33000 DEFINE_SPINLOCK(pgd_lock);
33001 LIST_HEAD(pgd_list);
33002
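Review bot: `pax_get_pmd()` returns any present PMD, but `pmd_present()` is also true for a PMD that maps a large page, and the caller added later in this patch (`pax_handle_pageexec_fault()`) passes the result straight to `pte_offset_map_lock()`. If a huge mapping can reach that path, the walk would treat page data as a page table; the last test could read `if (!pmd_present(*pmd) || pmd_large(*pmd))`. The helper also has no comment on locking; a one-line header stating that the caller must hold `mm->mmap_sem` would document how long the returned pointer stays valid.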
33003@@ -236,10 +277,27 @@ void vmalloc_sync_all(void)
33004 for (address = VMALLOC_START & PMD_MASK;
33005 address >= TASK_SIZE && address < FIXADDR_TOP;
33006 address += PMD_SIZE) {
33007+
33008+#ifdef CONFIG_PAX_PER_CPU_PGD
33009+ unsigned long cpu;
33010+#else
33011 struct page *page;
33012+#endif
33013
33014 spin_lock(&pgd_lock);
33015+
33016+#ifdef CONFIG_PAX_PER_CPU_PGD
33017+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
33018+ pgd_t *pgd = get_cpu_pgd(cpu, user);
33019+ pmd_t *ret;
33020+
33021+ ret = vmalloc_sync_one(pgd, address);
33022+ if (!ret)
33023+ break;
33024+ pgd = get_cpu_pgd(cpu, kernel);
33025+#else
33026 list_for_each_entry(page, &pgd_list, lru) {
33027+ pgd_t *pgd;
33028 spinlock_t *pgt_lock;
33029 pmd_t *ret;
33030
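Review bot: The `CONFIG_PAX_PER_CPU_PGD` arm opens a `for` loop whose closing brace is the one that belongs to the `list_for_each_entry` arm, and the shared `ret = vmalloc_sync_one(pgd, address)` call sits in the following hunk, so the loop can only be read by expanding both configurations at once. A short comment at the `#endif` in the next hunk, such as `/* both arms leave pgd set and share the loop body below */`, would make the structure explicit. The function body starts and ends outside this hunk.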
33031@@ -247,8 +305,14 @@ void vmalloc_sync_all(void)
33032 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
33033
33034 spin_lock(pgt_lock);
33035- ret = vmalloc_sync_one(page_address(page), address);
33036+ pgd = page_address(page);
33037+#endif
33038+
33039+ ret = vmalloc_sync_one(pgd, address);
33040+
33041+#ifndef CONFIG_PAX_PER_CPU_PGD
33042 spin_unlock(pgt_lock);
33043+#endif
33044
33045 if (!ret)
33046 break;
33047@@ -282,6 +346,12 @@ static noinline int vmalloc_fault(unsigned long address)
33048 * an interrupt in the middle of a task switch..
33049 */
33050 pgd_paddr = read_cr3();
33051+
33052+#ifdef CONFIG_PAX_PER_CPU_PGD
33053+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (pgd_paddr & __PHYSICAL_MASK));
33054+ vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address);
33055+#endif
33056+
33057 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
33058 if (!pmd_k)
33059 return -1;
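Review bot: `vmalloc_sync_one(__va(pgd_paddr + PAGE_SIZE), address)` depends on a second PGD (presumably this CPU's user PGD) sitting exactly one page after the one loaded in CR3, and its return value is dropped, unlike the call on the next line. The 64-bit variant in the following hunk names the table explicitly through `pgd_offset_cpu(smp_processor_id(), user, address)`. Doing the same here, `vmalloc_sync_one(get_cpu_pgd(smp_processor_id(), user), address);`, removes the layout assumption; otherwise a comment should state it. The function body continues outside the hunk.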
33060@@ -378,11 +448,25 @@ static noinline int vmalloc_fault(unsigned long address)
33061 * happen within a race in page table update. In the later
33062 * case just flush:
33063 */
33064- pgd = pgd_offset(current->active_mm, address);
33065+
33066 pgd_ref = pgd_offset_k(address);
33067 if (pgd_none(*pgd_ref))
33068 return -1;
33069
33070+#ifdef CONFIG_PAX_PER_CPU_PGD
33071+ BUG_ON(__pa(get_cpu_pgd(smp_processor_id(), kernel)) != (read_cr3() & __PHYSICAL_MASK));
33072+ pgd = pgd_offset_cpu(smp_processor_id(), user, address);
33073+ if (pgd_none(*pgd)) {
33074+ set_pgd(pgd, *pgd_ref);
33075+ arch_flush_lazy_mmu_mode();
33076+ } else {
33077+ BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));
33078+ }
33079+ pgd = pgd_offset_cpu(smp_processor_id(), kernel, address);
33080+#else
33081+ pgd = pgd_offset(current->active_mm, address);
33082+#endif
33083+
33084 if (pgd_none(*pgd)) {
33085 set_pgd(pgd, *pgd_ref);
33086 arch_flush_lazy_mmu_mode();
33087@@ -549,7 +633,7 @@ static int is_errata93(struct pt_regs *regs, unsigned long address)
33088 static int is_errata100(struct pt_regs *regs, unsigned long address)
33089 {
33090 #ifdef CONFIG_X86_64
33091- if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
33092+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
33093 return 1;
33094 #endif
33095 return 0;
33096@@ -576,9 +660,9 @@ static int is_f00f_bug(struct pt_regs *regs, unsigned long address)
33097 }
33098
33099 static const char nx_warning[] = KERN_CRIT
33100-"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
33101+"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
33102 static const char smep_warning[] = KERN_CRIT
33103-"unable to execute userspace code (SMEP?) (uid: %d)\n";
33104+"unable to execute userspace code (SMEP?) (uid: %d, task: %s, pid: %d)\n";
33105
33106 static void
33107 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
33108@@ -587,7 +671,7 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code,
33109 if (!oops_may_print())
33110 return;
33111
33112- if (error_code & PF_INSTR) {
33113+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
33114 unsigned int level;
33115 pgd_t *pgd;
33116 pte_t *pte;
33117@@ -598,13 +682,25 @@ show_fault_oops(struct pt_regs *regs, unsigned long error_code,
33118 pte = lookup_address_in_pgd(pgd, address, &level);
33119
33120 if (pte && pte_present(*pte) && !pte_exec(*pte))
33121- printk(nx_warning, from_kuid(&init_user_ns, current_uid()));
33122+ printk(nx_warning, from_kuid_munged(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));
33123 if (pte && pte_present(*pte) && pte_exec(*pte) &&
33124 (pgd_flags(*pgd) & _PAGE_USER) &&
33125 (__read_cr4() & X86_CR4_SMEP))
33126- printk(smep_warning, from_kuid(&init_user_ns, current_uid()));
33127+ printk(smep_warning, from_kuid(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));
33128 }
33129
33130+#ifdef CONFIG_PAX_KERNEXEC
33131+ if (init_mm.start_code <= address && address < init_mm.end_code) {
33132+ if (current->signal->curr_ip)
33133+ printk(KERN_EMERG "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
33134+ &current->signal->curr_ip, current->comm, task_pid_nr(current),
33135+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
33136+ else
33137+ printk(KERN_EMERG "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n", current->comm, task_pid_nr(current),
33138+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
33139+ }
33140+#endif
33141+
33142 printk(KERN_ALERT "BUG: unable to handle kernel ");
33143 if (address < PAGE_SIZE)
33144 printk(KERN_CONT "NULL pointer dereference");
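Review bot: The two warnings convert the uid differently: `nx_warning` now uses `from_kuid_munged()` while `smep_warning` still uses `from_kuid()`; the SMEP line should read `printk(smep_warning, from_kuid_munged(&init_user_ns, current_uid()), current->comm, task_pid_nr(current));`. In the `CONFIG_PAX_KERNEXEC` block the message says "attempted to modify kernel code", but the condition tests only that `address` lies in `init_mm`'s code range, not `error_code & PF_WRITE`. A read or fetch fault there would therefore be logged as a write attempt, which matters to whoever triages these KERN_EMERG lines. `current->comm` is set by the task itself, so log consumers should not treat the task name in these lines as trusted. The function body starts outside the hunk.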
33145@@ -783,6 +879,22 @@ __bad_area_nosemaphore(struct pt_regs *regs, unsigned long error_code,
33146 return;
33147 }
33148 #endif
33149+
33150+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33151+ if (pax_is_fetch_fault(regs, error_code, address)) {
33152+
33153+#ifdef CONFIG_PAX_EMUTRAMP
33154+ switch (pax_handle_fetch_fault(regs)) {
33155+ case 2:
33156+ return;
33157+ }
33158+#endif
33159+
33160+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
33161+ do_group_exit(SIGKILL);
33162+ }
33163+#endif
33164+
33165 /* Kernel addresses are always protection faults: */
33166 if (address >= TASK_SIZE)
33167 error_code |= PF_PROT;
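Review bot: `switch (pax_handle_fetch_fault(regs)) { case 2: return; }` is a one-case switch on a bare return code; the same construct appears in `pax_handle_pageexec_fault()` later in the patch. An `if (pax_handle_fetch_fault(regs) == 2) return;` with named constants for 1 and 2 would read more directly. It would also help to add `/* do_group_exit() does not return */` after the kill, since otherwise the code below looks reachable for a fetch fault. The function body starts and ends outside the hunk.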
33168@@ -865,7 +977,7 @@ do_sigbus(struct pt_regs *regs, unsigned long error_code, unsigned long address,
33169 if (fault & (VM_FAULT_HWPOISON|VM_FAULT_HWPOISON_LARGE)) {
33170 printk(KERN_ERR
33171 "MCE: Killing %s:%d due to hardware memory corruption fault at %lx\n",
33172- tsk->comm, tsk->pid, address);
33173+ tsk->comm, task_pid_nr(tsk), address);
33174 code = BUS_MCEERR_AR;
33175 }
33176 #endif
33177@@ -917,6 +1029,107 @@ static int spurious_fault_check(unsigned long error_code, pte_t *pte)
33178 return 1;
33179 }
33180
33181+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
33182+static inline unsigned long get_limit(unsigned long segment)
33183+{
33184+ unsigned long __limit;
33185+
33186+ asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
33187+ return __limit + 1;
33188+}
33189+
33190+static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
33191+{
33192+ pte_t *pte;
33193+ pmd_t *pmd;
33194+ spinlock_t *ptl;
33195+ unsigned char pte_mask;
33196+
33197+ if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
33198+ !(mm->pax_flags & MF_PAX_PAGEEXEC))
33199+ return 0;
33200+
33201+ /* PaX: it's our fault, let's handle it if we can */
33202+
33203+ /* PaX: take a look at read faults before acquiring any locks */
33204+ if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
33205+ /* instruction fetch attempt from a protected page in user mode */
33206+ up_read(&mm->mmap_sem);
33207+
33208+#ifdef CONFIG_PAX_EMUTRAMP
33209+ switch (pax_handle_fetch_fault(regs)) {
33210+ case 2:
33211+ return 1;
33212+ }
33213+#endif
33214+
33215+ pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
33216+ do_group_exit(SIGKILL);
33217+ }
33218+
33219+ pmd = pax_get_pmd(mm, address);
33220+ if (unlikely(!pmd))
33221+ return 0;
33222+
33223+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
33224+ if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
33225+ pte_unmap_unlock(pte, ptl);
33226+ return 0;
33227+ }
33228+
33229+ if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
33230+ /* write attempt to a protected page in user mode */
33231+ pte_unmap_unlock(pte, ptl);
33232+ return 0;
33233+ }
33234+
33235+#ifdef CONFIG_SMP
33236+ if (likely(address > get_limit(regs->cs) && cpumask_test_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask)))
33237+#else
33238+ if (likely(address > get_limit(regs->cs)))
33239+#endif
33240+ {
33241+ set_pte(pte, pte_mkread(*pte));
33242+ __flush_tlb_one(address);
33243+ pte_unmap_unlock(pte, ptl);
33244+ up_read(&mm->mmap_sem);
33245+ return 1;
33246+ }
33247+
33248+ pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
33249+
33250+ /*
33251+ * PaX: fill DTLB with user rights and retry
33252+ */
33253+ __asm__ __volatile__ (
33254+ "orb %2,(%1)\n"
33255+#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
33256+/*
33257+ * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
33258+ * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
33259+ * page fault when examined during a TLB load attempt. this is true not only
33260+ * for PTEs holding a non-present entry but also present entries that will
33261+ * raise a page fault (such as those set up by PaX, or the copy-on-write
33262+ * mechanism). in effect it means that we do *not* need to flush the TLBs
33263+ * for our target pages since their PTEs are simply not in the TLBs at all.
33264+
33265+ * the best thing in omitting it is that we gain around 15-20% speed in the
33266+ * fast path of the page fault handler and can get rid of tracing since we
33267+ * can no longer flush unintended entries.
33268+ */
33269+ "invlpg (%0)\n"
33270+#endif
33271+ __copyuser_seg"testb $0,(%0)\n"
33272+ "xorb %3,(%1)\n"
33273+ :
33274+ : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
33275+ : "memory", "cc");
33276+ pte_unmap_unlock(pte, ptl);
33277+ up_read(&mm->mmap_sem);
33278+ return 1;
33279+}
33280+#endif
33281+
33282 /*
33283 * Handle a spurious fault caused by a stale TLB entry.
33284 *
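Review bot: `pax_handle_pageexec_fault()` has an undocumented locking contract: every `return 1` path has already done `up_read(&mm->mmap_sem)`, while every `return 0` path leaves it held for the caller. A header comment should state that, because the call site added in `__do_page_fault()` simply returns on a non-zero result. The `pte_mask` line also deserves a comment: it shifts the `PF_WRITE` bit of `error_code` by `_PAGE_BIT_DIRTY-1`, apparently to land on the dirty bit, which only works while `PF_WRITE` stays at bit 1. A suitable comment is `/* PF_WRITE (bit 1) << (_PAGE_BIT_DIRTY-1) == _PAGE_DIRTY */`.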
33285@@ -1002,6 +1215,9 @@ int show_unhandled_signals = 1;
33286 static inline int
33287 access_error(unsigned long error_code, struct vm_area_struct *vma)
33288 {
33289+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
33290+ return 1;
33291+
33292 if (error_code & PF_WRITE) {
33293 /* write, present and write, not present: */
33294 if (unlikely(!(vma->vm_flags & VM_WRITE)))
33295@@ -1064,6 +1280,22 @@ __do_page_fault(struct pt_regs *regs, unsigned long error_code,
33296 tsk = current;
33297 mm = tsk->mm;
33298
33299+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
33300+ if (!user_mode(regs) && address < 2 * pax_user_shadow_base) {
33301+ if (!search_exception_tables(regs->ip)) {
33302+ printk(KERN_EMERG "PAX: please report this to pageexec@freemail.hu\n");
33303+ bad_area_nosemaphore(regs, error_code, address);
33304+ return;
33305+ }
33306+ if (address < pax_user_shadow_base) {
33307+ printk(KERN_EMERG "PAX: please report this to pageexec@freemail.hu\n");
33308+ printk(KERN_EMERG "PAX: faulting IP: %pS\n", (void *)regs->ip);
33309+ show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_EMERG);
33310+ } else
33311+ address -= pax_user_shadow_base;
33312+ }
33313+#endif
33314+
33315 /*
33316 * Detect and handle instructions that would cause a page fault for
33317 * both a tracked kernel page and a userspace page.
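Review bot: The `address < pax_user_shadow_base` branch prints two KERN_EMERG lines and a full stack trace and then carries on handling the fault, with no rate limit visible in the hunk; if that branch can be reached repeatedly, the log fills with identical reports. Consider `printk_ratelimited()` for the two messages, or a comment explaining why the path cannot recur. The bound `2 * pax_user_shadow_base` is also unexplained; a one-line comment on what the two halves of that range represent would help readers. The function body starts and ends outside the hunk.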
33318@@ -1188,6 +1420,11 @@ retry:
33319 might_sleep();
33320 }
33321
33322+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
33323+ if (pax_handle_pageexec_fault(regs, mm, address, error_code))
33324+ return;
33325+#endif
33326+
33327 vma = find_vma(mm, address);
33328 if (unlikely(!vma)) {
33329 bad_area(regs, error_code, address);
33330@@ -1199,18 +1436,24 @@ retry:
33331 bad_area(regs, error_code, address);
33332 return;
33333 }
33334- if (error_code & PF_USER) {
33335- /*
33336- * Accessing the stack below %sp is always a bug.
33337- * The large cushion allows instructions like enter
33338- * and pusha to work. ("enter $65535, $31" pushes
33339- * 32 pointers and then decrements %sp by 65535.)
33340- */
33341- if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
33342- bad_area(regs, error_code, address);
33343- return;
33344- }
33345+ /*
33346+ * Accessing the stack below %sp is always a bug.
33347+ * The large cushion allows instructions like enter
33348+ * and pusha to work. ("enter $65535, $31" pushes
33349+ * 32 pointers and then decrements %sp by 65535.)
33350+ */
33351+ if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
33352+ bad_area(regs, error_code, address);
33353+ return;
33354 }
33355+
33356+#ifdef CONFIG_PAX_SEGMEXEC
33357+ if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
33358+ bad_area(regs, error_code, address);
33359+ return;
33360+ }
33361+#endif
33362+
33363 if (unlikely(expand_stack(vma, address))) {
33364 bad_area(regs, error_code, address);
33365 return;
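Review bot: The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` only makes sense through unsigned wraparound, and nothing says so. It appears to reject growing a stack VMA that ends above `SEGMEXEC_TASK_SIZE` down to an address at or below it; a comment such as `/* unsigned wrap: true when vm_end is above SEGMEXEC_TASK_SIZE and address is not */` would keep a later cleanup from "simplifying" it. The stack-cushion check above now runs for kernel-mode faults too and compares against `task_pt_regs(tsk)->sp`, but the retained comment still describes only the old behaviour. The function body starts and ends outside the hunk.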
33366@@ -1330,3 +1573,292 @@ trace_do_page_fault(struct pt_regs *regs, unsigned long error_code)
33367 }
33368 NOKPROBE_SYMBOL(trace_do_page_fault);
33369 #endif /* CONFIG_TRACING */
33370+
33371+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33372+static bool pax_is_fetch_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address)
33373+{
33374+ struct mm_struct *mm = current->mm;
33375+ unsigned long ip = regs->ip;
33376+
33377+ if (v8086_mode(regs))
33378+ ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
33379+
33380+#ifdef CONFIG_PAX_PAGEEXEC
33381+ if (mm->pax_flags & MF_PAX_PAGEEXEC) {
33382+ if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR))
33383+ return true;
33384+ if (!(error_code & (PF_PROT | PF_WRITE)) && ip == address)
33385+ return true;
33386+ return false;
33387+ }
33388+#endif
33389+
33390+#ifdef CONFIG_PAX_SEGMEXEC
33391+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
33392+ if (!(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address))
33393+ return true;
33394+ return false;
33395+ }
33396+#endif
33397+
33398+ return false;
33399+}
33400+#endif
33401+
33402+#ifdef CONFIG_PAX_EMUTRAMP
33403+static int pax_handle_fetch_fault_32(struct pt_regs *regs)
33404+{
33405+ int err;
33406+
33407+ do { /* PaX: libffi trampoline emulation */
33408+ unsigned char mov, jmp;
33409+ unsigned int addr1, addr2;
33410+
33411+#ifdef CONFIG_X86_64
33412+ if ((regs->ip + 9) >> 32)
33413+ break;
33414+#endif
33415+
33416+ err = get_user(mov, (unsigned char __user *)regs->ip);
33417+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
33418+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
33419+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
33420+
33421+ if (err)
33422+ break;
33423+
33424+ if (mov == 0xB8 && jmp == 0xE9) {
33425+ regs->ax = addr1;
33426+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
33427+ return 2;
33428+ }
33429+ } while (0);
33430+
33431+ do { /* PaX: gcc trampoline emulation #1 */
33432+ unsigned char mov1, mov2;
33433+ unsigned short jmp;
33434+ unsigned int addr1, addr2;
33435+
33436+#ifdef CONFIG_X86_64
33437+ if ((regs->ip + 11) >> 32)
33438+ break;
33439+#endif
33440+
33441+ err = get_user(mov1, (unsigned char __user *)regs->ip);
33442+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
33443+ err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
33444+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
33445+ err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
33446+
33447+ if (err)
33448+ break;
33449+
33450+ if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
33451+ regs->cx = addr1;
33452+ regs->ax = addr2;
33453+ regs->ip = addr2;
33454+ return 2;
33455+ }
33456+ } while (0);
33457+
33458+ do { /* PaX: gcc trampoline emulation #2 */
33459+ unsigned char mov, jmp;
33460+ unsigned int addr1, addr2;
33461+
33462+#ifdef CONFIG_X86_64
33463+ if ((regs->ip + 9) >> 32)
33464+ break;
33465+#endif
33466+
33467+ err = get_user(mov, (unsigned char __user *)regs->ip);
33468+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
33469+ err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
33470+ err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
33471+
33472+ if (err)
33473+ break;
33474+
33475+ if (mov == 0xB9 && jmp == 0xE9) {
33476+ regs->cx = addr1;
33477+ regs->ip = (unsigned int)(regs->ip + addr2 + 10);
33478+ return 2;
33479+ }
33480+ } while (0);
33481+
33482+ return 1; /* PaX in action */
33483+}
33484+
33485+#ifdef CONFIG_X86_64
33486+static int pax_handle_fetch_fault_64(struct pt_regs *regs)
33487+{
33488+ int err;
33489+
33490+ do { /* PaX: libffi trampoline emulation */
33491+ unsigned short mov1, mov2, jmp1;
33492+ unsigned char stcclc, jmp2;
33493+ unsigned long addr1, addr2;
33494+
33495+ err = get_user(mov1, (unsigned short __user *)regs->ip);
33496+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
33497+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
33498+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
33499+ err |= get_user(stcclc, (unsigned char __user *)(regs->ip + 20));
33500+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 21));
33501+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 23));
33502+
33503+ if (err)
33504+ break;
33505+
33506+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && (stcclc == 0xF8 || stcclc == 0xF9) && jmp1 == 0xFF49 && jmp2 == 0xE3) {
33507+ regs->r11 = addr1;
33508+ regs->r10 = addr2;
33509+ if (stcclc == 0xF8)
33510+ regs->flags &= ~X86_EFLAGS_CF;
33511+ else
33512+ regs->flags |= X86_EFLAGS_CF;
33513+ regs->ip = addr1;
33514+ return 2;
33515+ }
33516+ } while (0);
33517+
33518+ do { /* PaX: gcc trampoline emulation #1 */
33519+ unsigned short mov1, mov2, jmp1;
33520+ unsigned char jmp2;
33521+ unsigned int addr1;
33522+ unsigned long addr2;
33523+
33524+ err = get_user(mov1, (unsigned short __user *)regs->ip);
33525+ err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
33526+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
33527+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
33528+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
33529+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
33530+
33531+ if (err)
33532+ break;
33533+
33534+ if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
33535+ regs->r11 = addr1;
33536+ regs->r10 = addr2;
33537+ regs->ip = addr1;
33538+ return 2;
33539+ }
33540+ } while (0);
33541+
33542+ do { /* PaX: gcc trampoline emulation #2 */
33543+ unsigned short mov1, mov2, jmp1;
33544+ unsigned char jmp2;
33545+ unsigned long addr1, addr2;
33546+
33547+ err = get_user(mov1, (unsigned short __user *)regs->ip);
33548+ err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
33549+ err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
33550+ err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
33551+ err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
33552+ err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
33553+
33554+ if (err)
33555+ break;
33556+
33557+ if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
33558+ regs->r11 = addr1;
33559+ regs->r10 = addr2;
33560+ regs->ip = addr1;
33561+ return 2;
33562+ }
33563+ } while (0);
33564+
33565+ return 1; /* PaX in action */
33566+}
33567+#endif
33568+
33569+/*
33570+ * PaX: decide what to do with offenders (regs->ip = fault address)
33571+ *
33572+ * returns 1 when task should be killed
33573+ * 2 when gcc trampoline was detected
33574+ */
33575+static int pax_handle_fetch_fault(struct pt_regs *regs)
33576+{
33577+ if (v8086_mode(regs))
33578+ return 1;
33579+
33580+ if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
33581+ return 1;
33582+
33583+#ifdef CONFIG_X86_32
33584+ return pax_handle_fetch_fault_32(regs);
33585+#else
33586+ if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
33587+ return pax_handle_fetch_fault_32(regs);
33588+ else
33589+ return pax_handle_fetch_fault_64(regs);
33590+#endif
33591+}
33592+#endif
33593+
33594+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
33595+void pax_report_insns(struct pt_regs *regs, void *pc, void *sp)
33596+{
33597+ long i;
33598+
33599+ printk(KERN_ERR "PAX: bytes at PC: ");
33600+ for (i = 0; i < 20; i++) {
33601+ unsigned char c;
33602+ if (get_user(c, (unsigned char __force_user *)pc+i))
33603+ printk(KERN_CONT "?? ");
33604+ else
33605+ printk(KERN_CONT "%02x ", c);
33606+ }
33607+ printk("\n");
33608+
33609+ printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
33610+ for (i = -1; i < 80 / (long)sizeof(long); i++) {
33611+ unsigned long c;
33612+ if (get_user(c, (unsigned long __force_user *)sp+i)) {
33613+#ifdef CONFIG_X86_32
33614+ printk(KERN_CONT "???????? ");
33615+#else
33616+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)))
33617+ printk(KERN_CONT "???????? ???????? ");
33618+ else
33619+ printk(KERN_CONT "???????????????? ");
33620+#endif
33621+ } else {
33622+#ifdef CONFIG_X86_64
33623+ if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))) {
33624+ printk(KERN_CONT "%08x ", (unsigned int)c);
33625+ printk(KERN_CONT "%08x ", (unsigned int)(c >> 32));
33626+ } else
33627+#endif
33628+ printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
33629+ }
33630+ }
33631+ printk("\n");
33632+}
33633+#endif
33634+
33635+/**
33636+ * probe_kernel_write(): safely attempt to write to a location
33637+ * @dst: address to write to
33638+ * @src: pointer to the data that shall be written
33639+ * @size: size of the data chunk
33640+ *
33641+ * Safely write to address @dst from the buffer at @src. If a kernel fault
33642+ * happens, handle that and return -EFAULT.
33643+ */
33644+long notrace probe_kernel_write(void *dst, const void *src, size_t size)
33645+{
33646+ long ret;
33647+ mm_segment_t old_fs = get_fs();
33648+
33649+ set_fs(KERNEL_DS);
33650+ pagefault_disable();
33651+ pax_open_kernel();
33652+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
33653+ pax_close_kernel();
33654+ pagefault_enable();
33655+ set_fs(old_fs);
33656+
33657+ return ret ? -EFAULT : 0;
33658+}
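Review bot: The kernel-doc for this `probe_kernel_write()` does not mention that the copy runs between `pax_open_kernel()` and `pax_close_kernel()`, which is the security-relevant difference from a plain guarded write. Assuming that pair lifts kernel write protection for its duration, any caller of this helper can modify otherwise read-only kernel memory. The comment should therefore say so, e.g. ` * The write is done inside pax_open_kernel()/pax_close_kernel(); @dst must be a trusted kernel address, never derived from user input.` Elsewhere in the same hunk, `pax_handle_fetch_fault()` documents its return values 1 and 2 only in a comment; named constants would make the `case 2:` checks at its call sites self-explanatory.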
33659diff --git a/arch/x86/mm/gup.c b/arch/x86/mm/gup.c
33660index 81bf3d2..7ef25c2 100644
33661--- a/arch/x86/mm/gup.c
33662+++ b/arch/x86/mm/gup.c
33663@@ -268,7 +268,7 @@ int __get_user_pages_fast(unsigned long start, int nr_pages, int write,
33664 addr = start;
33665 len = (unsigned long) nr_pages << PAGE_SHIFT;
33666 end = start + len;
33667- if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
33668+ if (unlikely(!access_ok_noprefault(write ? VERIFY_WRITE : VERIFY_READ,
33669 (void __user *)start, len)))
33670 return 0;
33671
33672@@ -344,6 +344,10 @@ int get_user_pages_fast(unsigned long start, int nr_pages, int write,
33673 goto slow_irqon;
33674 #endif
33675
33676+ if (unlikely(!access_ok_noprefault(write ? VERIFY_WRITE : VERIFY_READ,
33677+ (void __user *)start, len)))
33678+ return 0;
33679+
33680 /*
33681 * XXX: batch / limit 'nr', to avoid large irq off latency
33682 * needs some instrumenting to determine the common sizes used by
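Review bot: The added range check returns 0 where the neighbouring checks in this function `goto slow_irqon`, so an invalid user range is reported as "no pages pinned" instead of an error. Returning 0 matches what `__get_user_pages_fast()` does in the previous hunk, but callers of `get_user_pages_fast()` generally expect a negative errno on failure; `return -EFAULT;` would be the clearer result here. `len` and `write` are set outside the hunk, and the function body continues past it.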
33683diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c
33684index eecb207a..e76b7f4 100644
33685--- a/arch/x86/mm/highmem_32.c
33686+++ b/arch/x86/mm/highmem_32.c
33687@@ -35,6 +35,8 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
33688 unsigned long vaddr;
33689 int idx, type;
33690
33691+ BUG_ON(pgprot_val(prot) & _PAGE_USER);
33692+
33693 preempt_disable();
33694 pagefault_disable();
33695
33696@@ -45,7 +47,11 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
33697 idx = type + KM_TYPE_NR*smp_processor_id();
33698 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
33699 BUG_ON(!pte_none(*(kmap_pte-idx)));
33700+
33701+ pax_open_kernel();
33702 set_pte(kmap_pte-idx, mk_pte(page, prot));
33703+ pax_close_kernel();
33704+
33705 arch_flush_lazy_mmu_mode();
33706
33707 return (void *)vaddr;
33708diff --git a/arch/x86/mm/hugetlbpage.c b/arch/x86/mm/hugetlbpage.c
33709index 42982b2..7168fc3 100644
33710--- a/arch/x86/mm/hugetlbpage.c
33711+++ b/arch/x86/mm/hugetlbpage.c
33712@@ -74,23 +74,24 @@ int pud_huge(pud_t pud)
33713 #ifdef CONFIG_HUGETLB_PAGE
33714 static unsigned long hugetlb_get_unmapped_area_bottomup(struct file *file,
33715 unsigned long addr, unsigned long len,
33716- unsigned long pgoff, unsigned long flags)
33717+ unsigned long pgoff, unsigned long flags, unsigned long offset)
33718 {
33719 struct hstate *h = hstate_file(file);
33720 struct vm_unmapped_area_info info;
33721-
33722+
33723 info.flags = 0;
33724 info.length = len;
33725 info.low_limit = current->mm->mmap_legacy_base;
33726 info.high_limit = TASK_SIZE;
33727 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
33728 info.align_offset = 0;
33729+ info.threadstack_offset = offset;
33730 return vm_unmapped_area(&info);
33731 }
33732
33733 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
33734 unsigned long addr0, unsigned long len,
33735- unsigned long pgoff, unsigned long flags)
33736+ unsigned long pgoff, unsigned long flags, unsigned long offset)
33737 {
33738 struct hstate *h = hstate_file(file);
33739 struct vm_unmapped_area_info info;
33740@@ -102,6 +103,7 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
33741 info.high_limit = current->mm->mmap_base;
33742 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
33743 info.align_offset = 0;
33744+ info.threadstack_offset = offset;
33745 addr = vm_unmapped_area(&info);
33746
33747 /*
33748@@ -114,6 +116,12 @@ static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
33749 VM_BUG_ON(addr != -ENOMEM);
33750 info.flags = 0;
33751 info.low_limit = TASK_UNMAPPED_BASE;
33752+
33753+#ifdef CONFIG_PAX_RANDMMAP
33754+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
33755+ info.low_limit += current->mm->delta_mmap;
33756+#endif
33757+
33758 info.high_limit = TASK_SIZE;
33759 addr = vm_unmapped_area(&info);
33760 }
33761@@ -128,10 +136,20 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
33762 struct hstate *h = hstate_file(file);
33763 struct mm_struct *mm = current->mm;
33764 struct vm_area_struct *vma;
33765+ unsigned long pax_task_size = TASK_SIZE;
33766+ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
33767
33768 if (len & ~huge_page_mask(h))
33769 return -EINVAL;
33770- if (len > TASK_SIZE)
33771+
33772+#ifdef CONFIG_PAX_SEGMEXEC
33773+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
33774+ pax_task_size = SEGMEXEC_TASK_SIZE;
33775+#endif
33776+
33777+ pax_task_size -= PAGE_SIZE;
33778+
33779+ if (len > pax_task_size)
33780 return -ENOMEM;
33781
33782 if (flags & MAP_FIXED) {
33783@@ -140,19 +158,22 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
33784 return addr;
33785 }
33786
33787+#ifdef CONFIG_PAX_RANDMMAP
33788+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
33789+#endif
33790+
33791 if (addr) {
33792 addr = ALIGN(addr, huge_page_size(h));
33793 vma = find_vma(mm, addr);
33794- if (TASK_SIZE - len >= addr &&
33795- (!vma || addr + len <= vma->vm_start))
33796+ if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
33797 return addr;
33798 }
33799 if (mm->get_unmapped_area == arch_get_unmapped_area)
33800 return hugetlb_get_unmapped_area_bottomup(file, addr, len,
33801- pgoff, flags);
33802+ pgoff, flags, offset);
33803 else
33804 return hugetlb_get_unmapped_area_topdown(file, addr, len,
33805- pgoff, flags);
33806+ pgoff, flags, offset);
33807 }
33808 #endif /* CONFIG_HUGETLB_PAGE */
33809
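Review bot: The `#ifdef CONFIG_PAX_RANDMMAP` block leaves a brace-less `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` whose body is the `if (addr) { … }` that follows the `#endif` and a blank line, so whether the hint path is conditional depends on reading across the preprocessor boundary. Folding the flag into a local keeps it one statement: `bool use_hint = true;` set to `!(mm->pax_flags & MF_PAX_RANDMMAP)` under the `#ifdef`, then `if (use_hint && addr) {`. In the previous hunk `pax_task_size -= PAGE_SIZE;` shrinks the limit in every configuration, not only under SEGMEXEC, and would benefit from a comment giving the reason. The function body starts outside the hunk.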
33810diff --git a/arch/x86/mm/init.c b/arch/x86/mm/init.c
33811index 8533b46..8c83176 100644
33812--- a/arch/x86/mm/init.c
33813+++ b/arch/x86/mm/init.c
33814@@ -4,6 +4,7 @@
33815 #include <linux/swap.h>
33816 #include <linux/memblock.h>
33817 #include <linux/bootmem.h> /* for max_low_pfn */
33818+#include <linux/tboot.h>
33819
33820 #include <asm/cacheflush.h>
33821 #include <asm/e820.h>
33822@@ -17,6 +18,8 @@
33823 #include <asm/proto.h>
33824 #include <asm/dma.h> /* for MAX_DMA_PFN */
33825 #include <asm/microcode.h>
33826+#include <asm/desc.h>
33827+#include <asm/bios_ebda.h>
33828
33829 /*
33830 * We need to define the tracepoints somewhere, and tlb.c
33831@@ -615,7 +618,18 @@ void __init init_mem_mapping(void)
33832 early_ioremap_page_table_range_init();
33833 #endif
33834
33835+#ifdef CONFIG_PAX_PER_CPU_PGD
33836+ clone_pgd_range(get_cpu_pgd(0, kernel) + KERNEL_PGD_BOUNDARY,
33837+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
33838+ KERNEL_PGD_PTRS);
33839+ clone_pgd_range(get_cpu_pgd(0, user) + KERNEL_PGD_BOUNDARY,
33840+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
33841+ KERNEL_PGD_PTRS);
33842+ load_cr3(get_cpu_pgd(0, kernel));
33843+#else
33844 load_cr3(swapper_pg_dir);
33845+#endif
33846+
33847 __flush_tlb_all();
33848
33849 early_memtest(0, max_pfn_mapped << PAGE_SHIFT);
33850@@ -631,10 +645,40 @@ void __init init_mem_mapping(void)
33851 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
33852 * mmio resources as well as potential bios/acpi data regions.
33853 */
33854+
33855+#ifdef CONFIG_GRKERNSEC_KMEM
33856+static unsigned int ebda_start __read_only;
33857+static unsigned int ebda_end __read_only;
33858+#endif
33859+
33860 int devmem_is_allowed(unsigned long pagenr)
33861 {
33862- if (pagenr < 256)
33863+#ifdef CONFIG_GRKERNSEC_KMEM
33864+ /* allow BDA */
33865+ if (!pagenr)
33866 return 1;
33867+ /* allow EBDA */
33868+ if (pagenr >= ebda_start && pagenr < ebda_end)
33869+ return 1;
33870+ /* if tboot is in use, allow access to its hardcoded serial log range */
33871+ if (tboot_enabled() && ((0x60000 >> PAGE_SHIFT) <= pagenr) && (pagenr < (0x68000 >> PAGE_SHIFT)))
33872+ return 1;
33873+#else
33874+ if (!pagenr)
33875+ return 1;
33876+#ifdef CONFIG_VM86
33877+ if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
33878+ return 1;
33879+#endif
33880+#endif
33881+
33882+ if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
33883+ return 1;
33884+#ifdef CONFIG_GRKERNSEC_KMEM
33885+ /* throw out everything else below 1MB */
33886+ if (pagenr <= 256)
33887+ return 0;
33888+#endif
33889 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
33890 return 0;
33891 if (!page_is_ram(pagenr))
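Review bot: Under `CONFIG_GRKERNSEC_KMEM` the comment says "throw out everything else below 1MB", but `if (pagenr <= 256)` also rejects page 256, which with 4 KiB pages is the page starting at exactly 1 MiB; the code it replaces tested `pagenr < 256`. Either the test should be `if (pagenr < 256)` or the comment should say the first page at 1 MiB is denied on purpose. The tboot window `0x60000`–`0x68000` is a bare constant pair; naming it would make this allow-list easier to audit. `ebda_start` and `ebda_end` are statics that stay zero until `gr_init_ebda()` runs (called from `free_initmem()` in the next hunk), so the EBDA exception is inactive before then. The function body continues outside the hunk.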
33892@@ -680,8 +724,127 @@ void free_init_pages(char *what, unsigned long begin, unsigned long end)
33893 #endif
33894 }
33895
33896+#ifdef CONFIG_GRKERNSEC_KMEM
33897+static inline void gr_init_ebda(void)
33898+{
33899+ unsigned int ebda_addr;
33900+ unsigned int ebda_size = 0;
33901+
33902+ ebda_addr = get_bios_ebda();
33903+ if (ebda_addr) {
33904+ ebda_size = *(unsigned char *)phys_to_virt(ebda_addr);
33905+ ebda_size <<= 10;
33906+ }
33907+ if (ebda_addr && ebda_size) {
33908+ ebda_start = ebda_addr >> PAGE_SHIFT;
33909+ ebda_end = min((unsigned int)PAGE_ALIGN(ebda_addr + ebda_size), (unsigned int)0xa0000) >> PAGE_SHIFT;
33910+ } else {
33911+ ebda_start = 0x9f000 >> PAGE_SHIFT;
33912+ ebda_end = 0xa0000 >> PAGE_SHIFT;
33913+ }
33914+}
33915+#else
33916+static inline void gr_init_ebda(void) { }
33917+#endif
33918+
33919 void free_initmem(void)
33920 {
33921+#ifdef CONFIG_PAX_KERNEXEC
33922+#ifdef CONFIG_X86_32
33923+ /* PaX: limit KERNEL_CS to actual size */
33924+ unsigned long addr, limit;
33925+ struct desc_struct d;
33926+ int cpu;
33927+#else
33928+ pgd_t *pgd;
33929+ pud_t *pud;
33930+ pmd_t *pmd;
33931+ unsigned long addr, end;
33932+#endif
33933+#endif
33934+
33935+ gr_init_ebda();
33936+
33937+#ifdef CONFIG_PAX_KERNEXEC
33938+#ifdef CONFIG_X86_32
33939+ limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
33940+ limit = (limit - 1UL) >> PAGE_SHIFT;
33941+
33942+ memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
33943+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
33944+ pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
33945+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
33946+ write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEXEC_KERNEL_CS, &d, DESCTYPE_S);
33947+ }
33948+
33949+ /* PaX: make KERNEL_CS read-only */
33950+ addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
33951+ if (!paravirt_enabled())
33952+ set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
33953+/*
33954+ for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
33955+ pgd = pgd_offset_k(addr);
33956+ pud = pud_offset(pgd, addr);
33957+ pmd = pmd_offset(pud, addr);
33958+ set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
33959+ }
33960+*/
33961+#ifdef CONFIG_X86_PAE
33962+ set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
33963+/*
33964+ for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
33965+ pgd = pgd_offset_k(addr);
33966+ pud = pud_offset(pgd, addr);
33967+ pmd = pmd_offset(pud, addr);
33968+ set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
33969+ }
33970+*/
33971+#endif
33972+
33973+#ifdef CONFIG_MODULES
33974+ set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
33975+#endif
33976+
33977+#else
33978+ /* PaX: make kernel code/rodata read-only, rest non-executable */
33979+ set_memory_ro((unsigned long)_text, ((unsigned long)(_sdata - _text) >> PAGE_SHIFT));
33980+ set_memory_nx((unsigned long)_sdata, (__START_KERNEL_map + KERNEL_IMAGE_SIZE - (unsigned long)_sdata) >> PAGE_SHIFT);
33981+
33982+ for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
33983+ pgd = pgd_offset_k(addr);
33984+ pud = pud_offset(pgd, addr);
33985+ pmd = pmd_offset(pud, addr);
33986+ if (!pmd_present(*pmd))
33987+ continue;
33988+ if (addr >= (unsigned long)_text)
33989+ BUG_ON(!pmd_large(*pmd));
33990+ if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
33991+ BUG_ON(pmd_write(*pmd));
33992+// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
33993+ else
33994+ BUG_ON(!(pmd_flags(*pmd) & _PAGE_NX));
33995+// set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
33996+ }
33997+
33998+ addr = (unsigned long)__va(__pa(__START_KERNEL_map));
33999+ end = addr + KERNEL_IMAGE_SIZE;
34000+ for (; addr < end; addr += PMD_SIZE) {
34001+ pgd = pgd_offset_k(addr);
34002+ pud = pud_offset(pgd, addr);
34003+ pmd = pmd_offset(pud, addr);
34004+ if (!pmd_present(*pmd))
34005+ continue;
34006+ if (addr >= (unsigned long)_text)
34007+ BUG_ON(!pmd_large(*pmd));
34008+ if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
34009+ BUG_ON(pmd_write(*pmd));
34010+// set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
34011+ }
34012+#endif
34013+
34014+ flush_tlb_all();
34015+#endif
34016+
34017 free_init_pages("unused kernel",
34018 (unsigned long)(&__init_begin),
34019 (unsigned long)(&__init_end));
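Review bot: gr_init_ebda() takes the BIOS-reported EBDA address and the size byte read through `phys_to_virt(ebda_addr)` at face value and clamps only the upper end to 0xa0000. Nothing rejects an implausibly low `ebda_addr`, so a bogus BIOS value would widen the window that devmem_is_allowed() opens under CONFIG_GRKERNSEC_KMEM. A lower bound before accepting the values would leave the fallback 0x9f000-0xa0000 window as the fail-safe, e.g. `if (ebda_addr >= EBDA_MIN_ADDR && ebda_size) {`, where `EBDA_MIN_ADDR` is a placeholder for whatever floor the project considers sane. The two `/* ... */` blocks of disabled page-table code added to free_initmem() would also be better dropped than carried in the patch.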
34020diff --git a/arch/x86/mm/init_32.c b/arch/x86/mm/init_32.c
34021index 68aec42..95ad5d3 100644
34022--- a/arch/x86/mm/init_32.c
34023+++ b/arch/x86/mm/init_32.c
34024@@ -62,33 +62,6 @@ static noinline int do_test_wp_bit(void);
34025 bool __read_mostly __vmalloc_start_set = false;
34026
34027 /*
34028- * Creates a middle page table and puts a pointer to it in the
34029- * given global directory entry. This only returns the gd entry
34030- * in non-PAE compilation mode, since the middle layer is folded.
34031- */
34032-static pmd_t * __init one_md_table_init(pgd_t *pgd)
34033-{
34034- pud_t *pud;
34035- pmd_t *pmd_table;
34036-
34037-#ifdef CONFIG_X86_PAE
34038- if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
34039- pmd_table = (pmd_t *)alloc_low_page();
34040- paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
34041- set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
34042- pud = pud_offset(pgd, 0);
34043- BUG_ON(pmd_table != pmd_offset(pud, 0));
34044-
34045- return pmd_table;
34046- }
34047-#endif
34048- pud = pud_offset(pgd, 0);
34049- pmd_table = pmd_offset(pud, 0);
34050-
34051- return pmd_table;
34052-}
34053-
34054-/*
34055 * Create a page table and place a pointer to it in a middle page
34056 * directory entry:
34057 */
34058@@ -98,13 +71,28 @@ static pte_t * __init one_page_table_init(pmd_t *pmd)
34059 pte_t *page_table = (pte_t *)alloc_low_page();
34060
34061 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
34062+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
34063+ set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
34064+#else
34065 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
34066+#endif
34067 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
34068 }
34069
34070 return pte_offset_kernel(pmd, 0);
34071 }
34072
34073+static pmd_t * __init one_md_table_init(pgd_t *pgd)
34074+{
34075+ pud_t *pud;
34076+ pmd_t *pmd_table;
34077+
34078+ pud = pud_offset(pgd, 0);
34079+ pmd_table = pmd_offset(pud, 0);
34080+
34081+ return pmd_table;
34082+}
34083+
34084 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
34085 {
34086 int pgd_idx = pgd_index(vaddr);
34087@@ -209,6 +197,7 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
34088 int pgd_idx, pmd_idx;
34089 unsigned long vaddr;
34090 pgd_t *pgd;
34091+ pud_t *pud;
34092 pmd_t *pmd;
34093 pte_t *pte = NULL;
34094 unsigned long count = page_table_range_init_count(start, end);
34095@@ -223,8 +212,13 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
34096 pgd = pgd_base + pgd_idx;
34097
34098 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
34099- pmd = one_md_table_init(pgd);
34100- pmd = pmd + pmd_index(vaddr);
34101+ pud = pud_offset(pgd, vaddr);
34102+ pmd = pmd_offset(pud, vaddr);
34103+
34104+#ifdef CONFIG_X86_PAE
34105+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
34106+#endif
34107+
34108 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
34109 pmd++, pmd_idx++) {
34110 pte = page_table_kmap_check(one_page_table_init(pmd),
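Review bot: `paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT)` now runs on every iteration of the pgd loop under CONFIG_X86_PAE, whereas the removed one_md_table_init() called it only right after allocating a pmd table for a non-present pgd entry. The same unconditional call is added in the kernel_physical_mapping_init() hunk, inside a loop that sits below a `repeat:` label and may therefore visit each entry more than once. If the pmd tables are expected to exist already at this point, a comment saying so and stating why repeating the hook is harmless would help, for example `/* pmd pages already exist here; the hook only notifies the hypervisor */` (wording to be confirmed by the author). page_table_range_init() starts and ends outside this hunk.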
34111@@ -236,11 +230,20 @@ page_table_range_init(unsigned long start, unsigned long end, pgd_t *pgd_base)
34112 }
34113 }
34114
34115-static inline int is_kernel_text(unsigned long addr)
34116+static inline int is_kernel_text(unsigned long start, unsigned long end)
34117 {
34118- if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
34119- return 1;
34120- return 0;
34121+ if ((start >= ktla_ktva((unsigned long)_etext) ||
34122+ end <= ktla_ktva((unsigned long)_stext)) &&
34123+ (start >= ktla_ktva((unsigned long)_einittext) ||
34124+ end <= ktla_ktva((unsigned long)_sinittext)) &&
34125+
34126+#ifdef CONFIG_ACPI_SLEEP
34127+ (start >= (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
34128+#endif
34129+
34130+ (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
34131+ return 0;
34132+ return 1;
34133 }
34134
34135 /*
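Review bot: is_kernel_text() no longer matches its name and carries no comment. In the two-argument form it returns 1 whenever `[start, end)` overlaps kernel text, init text, the 0x4000 bytes at `acpi_wakeup_address` (CONFIG_ACPI_SLEEP) or the 0xc0000-0xfffff range, and the callers use that result to pick an executable protection. The condition is a negated conjunction with bare constants, which is easy to misread. A header comment such as `/* Return 1 if [start, end) overlaps a range that must stay executable: kernel text, init text, ACPI wakeup code, BIOS area 0xc0000-0xfffff. */` plus named constants for `0x4000`, `0xc0000` and `0xfffff` would make the intent reviewable.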
34136@@ -257,9 +260,10 @@ kernel_physical_mapping_init(unsigned long start,
34137 unsigned long last_map_addr = end;
34138 unsigned long start_pfn, end_pfn;
34139 pgd_t *pgd_base = swapper_pg_dir;
34140- int pgd_idx, pmd_idx, pte_ofs;
34141+ unsigned int pgd_idx, pmd_idx, pte_ofs;
34142 unsigned long pfn;
34143 pgd_t *pgd;
34144+ pud_t *pud;
34145 pmd_t *pmd;
34146 pte_t *pte;
34147 unsigned pages_2m, pages_4k;
34148@@ -292,8 +296,13 @@ repeat:
34149 pfn = start_pfn;
34150 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
34151 pgd = pgd_base + pgd_idx;
34152- for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
34153- pmd = one_md_table_init(pgd);
34154+ for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
34155+ pud = pud_offset(pgd, 0);
34156+ pmd = pmd_offset(pud, 0);
34157+
34158+#ifdef CONFIG_X86_PAE
34159+ paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
34160+#endif
34161
34162 if (pfn >= end_pfn)
34163 continue;
34164@@ -305,14 +314,13 @@ repeat:
34165 #endif
34166 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
34167 pmd++, pmd_idx++) {
34168- unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
34169+ unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
34170
34171 /*
34172 * Map with big pages if possible, otherwise
34173 * create normal page tables:
34174 */
34175 if (use_pse) {
34176- unsigned int addr2;
34177 pgprot_t prot = PAGE_KERNEL_LARGE;
34178 /*
34179 * first pass will use the same initial
34180@@ -323,11 +331,7 @@ repeat:
34181 _PAGE_PSE);
34182
34183 pfn &= PMD_MASK >> PAGE_SHIFT;
34184- addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
34185- PAGE_OFFSET + PAGE_SIZE-1;
34186-
34187- if (is_kernel_text(addr) ||
34188- is_kernel_text(addr2))
34189+ if (is_kernel_text(address, address + PMD_SIZE))
34190 prot = PAGE_KERNEL_LARGE_EXEC;
34191
34192 pages_2m++;
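Review bot: `address` is computed from `pfn` before `pfn &= PMD_MASK >> PAGE_SHIFT` rounds it down, so `is_kernel_text(address, address + PMD_SIZE)` tests a range that can start above the large page actually being mapped whenever `pfn` is not PMD-aligned. The removed code had the same mix for `addr` but derived `addr2` from the masked `pfn`; with a single range check, the range and the mapping should agree. Recomputing after the mask, `address = pfn * PAGE_SIZE + PAGE_OFFSET;`, would remove the doubt. The declaration of `address` is in the preceding hunk, and kernel_physical_mapping_init() continues outside both.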
34193@@ -344,7 +348,7 @@ repeat:
34194 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
34195 pte += pte_ofs;
34196 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
34197- pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
34198+ pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
34199 pgprot_t prot = PAGE_KERNEL;
34200 /*
34201 * first pass will use the same initial
34202@@ -352,7 +356,7 @@ repeat:
34203 */
34204 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
34205
34206- if (is_kernel_text(addr))
34207+ if (is_kernel_text(address, address + PAGE_SIZE))
34208 prot = PAGE_KERNEL_EXEC;
34209
34210 pages_4k++;
34211@@ -475,7 +479,7 @@ void __init native_pagetable_init(void)
34212
34213 pud = pud_offset(pgd, va);
34214 pmd = pmd_offset(pud, va);
34215- if (!pmd_present(*pmd))
34216+ if (!pmd_present(*pmd)) // PAX TODO || pmd_large(*pmd))
34217 break;
34218
34219 /* should not be large page here */
34220@@ -533,12 +537,10 @@ void __init early_ioremap_page_table_range_init(void)
34221
34222 static void __init pagetable_init(void)
34223 {
34224- pgd_t *pgd_base = swapper_pg_dir;
34225-
34226- permanent_kmaps_init(pgd_base);
34227+ permanent_kmaps_init(swapper_pg_dir);
34228 }
34229
34230-pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL);
34231+pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL);
34232 EXPORT_SYMBOL_GPL(__supported_pte_mask);
34233
34234 /* user-defined highmem size */
34235@@ -788,10 +790,10 @@ void __init mem_init(void)
34236 ((unsigned long)&__init_end -
34237 (unsigned long)&__init_begin) >> 10,
34238
34239- (unsigned long)&_etext, (unsigned long)&_edata,
34240- ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
34241+ (unsigned long)&_sdata, (unsigned long)&_edata,
34242+ ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
34243
34244- (unsigned long)&_text, (unsigned long)&_etext,
34245+ ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
34246 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
34247
34248 /*
34249@@ -885,6 +887,7 @@ void set_kernel_text_rw(void)
34250 if (!kernel_set_to_readonly)
34251 return;
34252
34253+ start = ktla_ktva(start);
34254 pr_debug("Set kernel text: %lx - %lx for read write\n",
34255 start, start+size);
34256
34257@@ -899,6 +902,7 @@ void set_kernel_text_ro(void)
34258 if (!kernel_set_to_readonly)
34259 return;
34260
34261+ start = ktla_ktva(start);
34262 pr_debug("Set kernel text: %lx - %lx for read only\n",
34263 start, start+size);
34264
34265@@ -927,6 +931,7 @@ void mark_rodata_ro(void)
34266 unsigned long start = PFN_ALIGN(_text);
34267 unsigned long size = PFN_ALIGN(_etext) - start;
34268
34269+ start = ktla_ktva(start);
34270 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
34271 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
34272 size >> 10);
34273diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
34274index f9977a7..21a5082 100644
34275--- a/arch/x86/mm/init_64.c
34276+++ b/arch/x86/mm/init_64.c
34277@@ -136,7 +136,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page,
34278 * around without checking the pgd every time.
34279 */
34280
34281-pteval_t __supported_pte_mask __read_mostly = ~0;
34282+pteval_t __supported_pte_mask __read_only = ~_PAGE_NX;
34283 EXPORT_SYMBOL_GPL(__supported_pte_mask);
34284
34285 int force_personality32;
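Review bot: The initial value of `__supported_pte_mask` changes from `~0` to `~_PAGE_NX` without a comment, so NX is masked out of every PTE built through this mask until some code outside this hunk sets the bit. Other hunks in the patch already rely on that, masking `_PAGE_NX` with `__supported_pte_mask` in static_protections(). A one-line comment on the definition would record the contract, for instance `/* _PAGE_NX is added once the CPU is known to support it */`. Whether that write happens before `__read_only` data is protected should be confirmed; the same qualifier change is made in init_32.c.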
34286@@ -169,7 +169,12 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
34287
34288 for (address = start; address <= end; address += PGDIR_SIZE) {
34289 const pgd_t *pgd_ref = pgd_offset_k(address);
34290+
34291+#ifdef CONFIG_PAX_PER_CPU_PGD
34292+ unsigned long cpu;
34293+#else
34294 struct page *page;
34295+#endif
34296
34297 /*
34298 * When it is called after memory hot remove, pgd_none()
34299@@ -180,6 +185,25 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
34300 continue;
34301
34302 spin_lock(&pgd_lock);
34303+
34304+#ifdef CONFIG_PAX_PER_CPU_PGD
34305+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
34306+ pgd_t *pgd = pgd_offset_cpu(cpu, user, address);
34307+
34308+ if (!pgd_none(*pgd_ref) && !pgd_none(*pgd))
34309+ BUG_ON(pgd_page_vaddr(*pgd)
34310+ != pgd_page_vaddr(*pgd_ref));
34311+
34312+ if (removed) {
34313+ if (pgd_none(*pgd_ref) && !pgd_none(*pgd))
34314+ pgd_clear(pgd);
34315+ } else {
34316+ if (pgd_none(*pgd))
34317+ set_pgd(pgd, *pgd_ref);
34318+ }
34319+
34320+ pgd = pgd_offset_cpu(cpu, kernel, address);
34321+#else
34322 list_for_each_entry(page, &pgd_list, lru) {
34323 pgd_t *pgd;
34324 spinlock_t *pgt_lock;
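Review bot: The CONFIG_PAX_PER_CPU_PGD branch repeats the BUG_ON/clear/set sequence for the user pgd and then falls through `#endif` into the shared copy for the kernel pgd. The same logic therefore exists twice, and the loop's opening brace lives in one preprocessor branch while its closing brace is shared. A small helper called for both per-CPU pgds would remove the duplication and keep each branch brace-balanced. sync_global_pgds() starts and ends outside this hunk, so the shared tail is only partly visible here.

```c
static void sync_one_pgd(pgd_t *pgd, const pgd_t *pgd_ref, int removed)
{
	if (!pgd_none(*pgd_ref) && !pgd_none(*pgd))
		BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref));

	if (removed) {
		if (pgd_none(*pgd_ref) && !pgd_none(*pgd))
			pgd_clear(pgd);
	} else {
		if (pgd_none(*pgd))
			set_pgd(pgd, *pgd_ref);
	}
}

/* … unchanged: address loop, pgd_none(*pgd_ref) check, spin_lock(&pgd_lock) … */
#ifdef CONFIG_PAX_PER_CPU_PGD
		for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
			sync_one_pgd(pgd_offset_cpu(cpu, user, address), pgd_ref, removed);
			sync_one_pgd(pgd_offset_cpu(cpu, kernel, address), pgd_ref, removed);
		}
#else
/* … unchanged: list_for_each_entry walk, which can call sync_one_pgd() under pgt_lock … */
#endif
```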
34325@@ -188,6 +212,7 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
34326 /* the pgt_lock only for Xen */
34327 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
34328 spin_lock(pgt_lock);
34329+#endif
34330
34331 if (!pgd_none(*pgd_ref) && !pgd_none(*pgd))
34332 BUG_ON(pgd_page_vaddr(*pgd)
34333@@ -201,7 +226,10 @@ void sync_global_pgds(unsigned long start, unsigned long end, int removed)
34334 set_pgd(pgd, *pgd_ref);
34335 }
34336
34337+#ifndef CONFIG_PAX_PER_CPU_PGD
34338 spin_unlock(pgt_lock);
34339+#endif
34340+
34341 }
34342 spin_unlock(&pgd_lock);
34343 }
34344@@ -234,7 +262,7 @@ static pud_t *fill_pud(pgd_t *pgd, unsigned long vaddr)
34345 {
34346 if (pgd_none(*pgd)) {
34347 pud_t *pud = (pud_t *)spp_getpage();
34348- pgd_populate(&init_mm, pgd, pud);
34349+ pgd_populate_kernel(&init_mm, pgd, pud);
34350 if (pud != pud_offset(pgd, 0))
34351 printk(KERN_ERR "PAGETABLE BUG #00! %p <-> %p\n",
34352 pud, pud_offset(pgd, 0));
34353@@ -246,7 +274,7 @@ static pmd_t *fill_pmd(pud_t *pud, unsigned long vaddr)
34354 {
34355 if (pud_none(*pud)) {
34356 pmd_t *pmd = (pmd_t *) spp_getpage();
34357- pud_populate(&init_mm, pud, pmd);
34358+ pud_populate_kernel(&init_mm, pud, pmd);
34359 if (pmd != pmd_offset(pud, 0))
34360 printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n",
34361 pmd, pmd_offset(pud, 0));
34362@@ -275,7 +303,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte)
34363 pmd = fill_pmd(pud, vaddr);
34364 pte = fill_pte(pmd, vaddr);
34365
34366+ pax_open_kernel();
34367 set_pte(pte, new_pte);
34368+ pax_close_kernel();
34369
34370 /*
34371 * It's enough to flush this one mapping.
34372@@ -337,14 +367,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size,
34373 pgd = pgd_offset_k((unsigned long)__va(phys));
34374 if (pgd_none(*pgd)) {
34375 pud = (pud_t *) spp_getpage();
34376- set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
34377- _PAGE_USER));
34378+ set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
34379 }
34380 pud = pud_offset(pgd, (unsigned long)__va(phys));
34381 if (pud_none(*pud)) {
34382 pmd = (pmd_t *) spp_getpage();
34383- set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
34384- _PAGE_USER));
34385+ set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
34386 }
34387 pmd = pmd_offset(pud, phys);
34388 BUG_ON(!pmd_none(*pmd));
34389@@ -585,7 +613,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
34390 prot);
34391
34392 spin_lock(&init_mm.page_table_lock);
34393- pud_populate(&init_mm, pud, pmd);
34394+ pud_populate_kernel(&init_mm, pud, pmd);
34395 spin_unlock(&init_mm.page_table_lock);
34396 }
34397 __flush_tlb_all();
34398@@ -626,7 +654,7 @@ kernel_physical_mapping_init(unsigned long start,
34399 page_size_mask);
34400
34401 spin_lock(&init_mm.page_table_lock);
34402- pgd_populate(&init_mm, pgd, pud);
34403+ pgd_populate_kernel(&init_mm, pgd, pud);
34404 spin_unlock(&init_mm.page_table_lock);
34405 pgd_changed = true;
34406 }
34407diff --git a/arch/x86/mm/iomap_32.c b/arch/x86/mm/iomap_32.c
34408index 9c0ff04..9020d5f 100644
34409--- a/arch/x86/mm/iomap_32.c
34410+++ b/arch/x86/mm/iomap_32.c
34411@@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long pfn, pgprot_t prot)
34412 type = kmap_atomic_idx_push();
34413 idx = type + KM_TYPE_NR * smp_processor_id();
34414 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
34415+
34416+ pax_open_kernel();
34417 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
34418+ pax_close_kernel();
34419+
34420 arch_flush_lazy_mmu_mode();
34421
34422 return (void *)vaddr;
34423diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
34424index b9c78f3..9ca7e24 100644
34425--- a/arch/x86/mm/ioremap.c
34426+++ b/arch/x86/mm/ioremap.c
34427@@ -59,8 +59,8 @@ static int __ioremap_check_ram(unsigned long start_pfn, unsigned long nr_pages,
34428 unsigned long i;
34429
34430 for (i = 0; i < nr_pages; ++i)
34431- if (pfn_valid(start_pfn + i) &&
34432- !PageReserved(pfn_to_page(start_pfn + i)))
34433+ if (pfn_valid(start_pfn + i) && (start_pfn + i >= 0x100 ||
34434+ !PageReserved(pfn_to_page(start_pfn + i))))
34435 return 1;
34436
34437 return 0;
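Review bot: The bare `0x100` added to __ioremap_check_ram() is a page frame number for the 1 MiB boundary. The new condition makes every valid pfn at or above it count as RAM regardless of PageReserved, which is a behaviour change worth stating in the code. A comment and a named bound would make it explicit, e.g. `/* at or above 1MB any valid pfn counts as RAM; below it only non-reserved pages do */` with `(ISA_END_ADDRESS >> PAGE_SHIFT)` in place of `0x100`. That assumes the macro is visible in this file and has the value the devmem_is_allowed() hunk implies. The function's start is outside the hunk.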
34438@@ -332,7 +332,7 @@ EXPORT_SYMBOL(ioremap_prot);
34439 *
34440 * Caller must ensure there is only one unmapping for the same pointer.
34441 */
34442-void iounmap(volatile void __iomem *addr)
34443+void iounmap(const volatile void __iomem *addr)
34444 {
34445 struct vm_struct *p, *o;
34446
34447@@ -395,31 +395,37 @@ int __init arch_ioremap_pmd_supported(void)
34448 */
34449 void *xlate_dev_mem_ptr(phys_addr_t phys)
34450 {
34451- unsigned long start = phys & PAGE_MASK;
34452- unsigned long offset = phys & ~PAGE_MASK;
34453- void *vaddr;
34454+ phys_addr_t pfn = phys >> PAGE_SHIFT;
34455
34456- /* If page is RAM, we can use __va. Otherwise ioremap and unmap. */
34457- if (page_is_ram(start >> PAGE_SHIFT))
34458- return __va(phys);
34459+ if (page_is_ram(pfn)) {
34460+#ifdef CONFIG_HIGHMEM
34461+ if (pfn >= max_low_pfn)
34462+ return kmap_high(pfn_to_page(pfn));
34463+ else
34464+#endif
34465+ return __va(phys);
34466+ }
34467
34468- vaddr = ioremap_cache(start, PAGE_SIZE);
34469- /* Only add the offset on success and return NULL if the ioremap() failed: */
34470- if (vaddr)
34471- vaddr += offset;
34472-
34473- return vaddr;
34474+ return (void __force *)ioremap_cache(phys, 1);
34475 }
34476
34477 void unxlate_dev_mem_ptr(phys_addr_t phys, void *addr)
34478 {
34479- if (page_is_ram(phys >> PAGE_SHIFT))
34480+ phys_addr_t pfn = phys >> PAGE_SHIFT;
34481+
34482+ if (page_is_ram(pfn)) {
34483+#ifdef CONFIG_HIGHMEM
34484+ if (pfn >= max_low_pfn)
34485+ kunmap_high(pfn_to_page(pfn));
34486+#endif
34487 return;
34488+ }
34489
34490- iounmap((void __iomem *)((unsigned long)addr & PAGE_MASK));
34491+ iounmap((void __iomem __force *)addr);
34492 }
34493
34494-static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
34495+static pte_t __bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
34496+static pte_t *bm_pte __read_only = __bm_pte;
34497
34498 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
34499 {
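Review bot: In the CONFIG_HIGHMEM branch of xlate_dev_mem_ptr(), `kmap_high(pfn_to_page(pfn))` yields the mapping of the page, while the `__va(phys)` path keeps the offset of `phys` within the page. A caller passing an unaligned `phys` would then be handed the start of the page in the highmem case. Unless every caller adds the offset itself, the branch should return `kmap_high(pfn_to_page(pfn)) + (phys & ~PAGE_MASK);`. The removed comment about returning NULL when the ioremap fails is also worth keeping next to the `ioremap_cache(phys, 1)` return.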
34500@@ -455,8 +461,14 @@ void __init early_ioremap_init(void)
34501 early_ioremap_setup();
34502
34503 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
34504- memset(bm_pte, 0, sizeof(bm_pte));
34505- pmd_populate_kernel(&init_mm, pmd, bm_pte);
34506+ if (pmd_none(*pmd))
34507+#ifdef CONFIG_COMPAT_VDSO
34508+ pmd_populate_user(&init_mm, pmd, __bm_pte);
34509+#else
34510+ pmd_populate_kernel(&init_mm, pmd, __bm_pte);
34511+#endif
34512+ else
34513+ bm_pte = (pte_t *)pmd_page_vaddr(*pmd);
34514
34515 /*
34516 * The boot-ioremap range spans multiple pmds, for which
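Review bot: The `if (pmd_none(*pmd))` ... `else` added to early_ioremap_init() has no braces and its body is selected by `#ifdef CONFIG_COMPAT_VDSO`, so the pairing of the `else` can only be checked by reading through the preprocessor lines. Braces on both arms would make it robust: `if (pmd_none(*pmd)) {`, `} else {`, `}`. The same unbraced conditional wrapped around `#ifdef` appears in xlate_dev_mem_ptr(), mmap_legacy_base() and at the top of arch_pick_mmap_layout() in this patch. The function starts and ends outside the hunk.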
34517diff --git a/arch/x86/mm/kmemcheck/kmemcheck.c b/arch/x86/mm/kmemcheck/kmemcheck.c
34518index b4f2e7e..96c9c3e 100644
34519--- a/arch/x86/mm/kmemcheck/kmemcheck.c
34520+++ b/arch/x86/mm/kmemcheck/kmemcheck.c
34521@@ -628,9 +628,9 @@ bool kmemcheck_fault(struct pt_regs *regs, unsigned long address,
34522 * memory (e.g. tracked pages)? For now, we need this to avoid
34523 * invoking kmemcheck for PnP BIOS calls.
34524 */
34525- if (regs->flags & X86_VM_MASK)
34526+ if (v8086_mode(regs))
34527 return false;
34528- if (regs->cs != __KERNEL_CS)
34529+ if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
34530 return false;
34531
34532 pte = kmemcheck_pte_lookup(address);
34533diff --git a/arch/x86/mm/mmap.c b/arch/x86/mm/mmap.c
34534index 844b06d..f363c86 100644
34535--- a/arch/x86/mm/mmap.c
34536+++ b/arch/x86/mm/mmap.c
34537@@ -52,7 +52,7 @@ static unsigned long stack_maxrandom_size(void)
34538 * Leave an at least ~128 MB hole with possible stack randomization.
34539 */
34540 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
34541-#define MAX_GAP (TASK_SIZE/6*5)
34542+#define MAX_GAP (pax_task_size/6*5)
34543
34544 static int mmap_is_legacy(void)
34545 {
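Review bot: `MAX_GAP` now expands to `pax_task_size/6*5`, which names a local variable of mmap_base() declared in the next hunk, so the macro compiles only where a variable of exactly that name is in scope. Passing the size in makes the dependency explicit: `#define MAX_GAP(size) ((size)/6*5)` and, at the use site, `else if (gap > MAX_GAP(pax_task_size))`.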
34546@@ -81,27 +81,40 @@ unsigned long arch_mmap_rnd(void)
34547 return rnd << PAGE_SHIFT;
34548 }
34549
34550-static unsigned long mmap_base(unsigned long rnd)
34551+static unsigned long mmap_base(struct mm_struct *mm, unsigned long rnd)
34552 {
34553 unsigned long gap = rlimit(RLIMIT_STACK);
34554+ unsigned long pax_task_size = TASK_SIZE;
34555+
34556+#ifdef CONFIG_PAX_SEGMEXEC
34557+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
34558+ pax_task_size = SEGMEXEC_TASK_SIZE;
34559+#endif
34560
34561 if (gap < MIN_GAP)
34562 gap = MIN_GAP;
34563 else if (gap > MAX_GAP)
34564 gap = MAX_GAP;
34565
34566- return PAGE_ALIGN(TASK_SIZE - gap - rnd);
34567+ return PAGE_ALIGN(pax_task_size - gap - rnd);
34568 }
34569
34570 /*
34571 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
34572 * does, but not when emulating X86_32
34573 */
34574-static unsigned long mmap_legacy_base(unsigned long rnd)
34575+static unsigned long mmap_legacy_base(struct mm_struct *mm, unsigned long rnd)
34576 {
34577- if (mmap_is_ia32())
34578+ if (mmap_is_ia32()) {
34579+
34580+#ifdef CONFIG_PAX_SEGMEXEC
34581+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
34582+ return SEGMEXEC_TASK_UNMAPPED_BASE;
34583+ else
34584+#endif
34585+
34586 return TASK_UNMAPPED_BASE;
34587- else
34588+ } else
34589 return TASK_UNMAPPED_BASE + rnd;
34590 }
34591
34592@@ -113,18 +126,29 @@ void arch_pick_mmap_layout(struct mm_struct *mm)
34593 {
34594 unsigned long random_factor = 0UL;
34595
34596+#ifdef CONFIG_PAX_RANDMMAP
34597+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
34598+#endif
34599 if (current->flags & PF_RANDOMIZE)
34600 random_factor = arch_mmap_rnd();
34601
34602- mm->mmap_legacy_base = mmap_legacy_base(random_factor);
34603+ mm->mmap_legacy_base = mmap_legacy_base(mm, random_factor);
34604
34605 if (mmap_is_legacy()) {
34606 mm->mmap_base = mm->mmap_legacy_base;
34607 mm->get_unmapped_area = arch_get_unmapped_area;
34608 } else {
34609- mm->mmap_base = mmap_base(random_factor);
34610+ mm->mmap_base = mmap_base(mm, random_factor);
34611 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
34612 }
34613+
34614+#ifdef CONFIG_PAX_RANDMMAP
34615+ if (mm->pax_flags & MF_PAX_RANDMMAP) {
34616+ mm->mmap_legacy_base += mm->delta_mmap;
34617+ mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
34618+ }
34619+#endif
34620+
34621 }
34622
34623 const char *arch_vma_name(struct vm_area_struct *vma)
34624diff --git a/arch/x86/mm/mmio-mod.c b/arch/x86/mm/mmio-mod.c
34625index 0057a7a..95c7edd 100644
34626--- a/arch/x86/mm/mmio-mod.c
34627+++ b/arch/x86/mm/mmio-mod.c
34628@@ -194,7 +194,7 @@ static void pre(struct kmmio_probe *p, struct pt_regs *regs,
34629 break;
34630 default:
34631 {
34632- unsigned char *ip = (unsigned char *)instptr;
34633+ unsigned char *ip = (unsigned char *)ktla_ktva(instptr);
34634 my_trace->opcode = MMIO_UNKNOWN_OP;
34635 my_trace->width = 0;
34636 my_trace->value = (*ip) << 16 | *(ip + 1) << 8 |
34637@@ -234,7 +234,7 @@ static void post(struct kmmio_probe *p, unsigned long condition,
34638 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
34639 void __iomem *addr)
34640 {
34641- static atomic_t next_id;
34642+ static atomic_unchecked_t next_id;
34643 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
34644 /* These are page-unaligned. */
34645 struct mmiotrace_map map = {
34646@@ -258,7 +258,7 @@ static void ioremap_trace_core(resource_size_t offset, unsigned long size,
34647 .private = trace
34648 },
34649 .phys = offset,
34650- .id = atomic_inc_return(&next_id)
34651+ .id = atomic_inc_return_unchecked(&next_id)
34652 };
34653 map.map_id = trace->id;
34654
34655@@ -290,7 +290,7 @@ void mmiotrace_ioremap(resource_size_t offset, unsigned long size,
34656 ioremap_trace_core(offset, size, addr);
34657 }
34658
34659-static void iounmap_trace_core(volatile void __iomem *addr)
34660+static void iounmap_trace_core(const volatile void __iomem *addr)
34661 {
34662 struct mmiotrace_map map = {
34663 .phys = 0,
34664@@ -328,7 +328,7 @@ not_enabled:
34665 }
34666 }
34667
34668-void mmiotrace_iounmap(volatile void __iomem *addr)
34669+void mmiotrace_iounmap(const volatile void __iomem *addr)
34670 {
34671 might_sleep();
34672 if (is_enabled()) /* recheck and proper locking in *_core() */
34673diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c
34674index 4053bb5..b1ad3dc 100644
34675--- a/arch/x86/mm/numa.c
34676+++ b/arch/x86/mm/numa.c
34677@@ -506,7 +506,7 @@ static void __init numa_clear_kernel_node_hotplug(void)
34678 }
34679 }
34680
34681-static int __init numa_register_memblks(struct numa_meminfo *mi)
34682+static int __init __intentional_overflow(-1) numa_register_memblks(struct numa_meminfo *mi)
34683 {
34684 unsigned long uninitialized_var(pfn_align);
34685 int i, nid;
34686diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
34687index 727158c..54dd3ff 100644
34688--- a/arch/x86/mm/pageattr.c
34689+++ b/arch/x86/mm/pageattr.c
34690@@ -260,7 +260,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
34691 */
34692 #ifdef CONFIG_PCI_BIOS
34693 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
34694- pgprot_val(forbidden) |= _PAGE_NX;
34695+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
34696 #endif
34697
34698 /*
34699@@ -268,9 +268,10 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
34700 * Does not cover __inittext since that is gone later on. On
34701 * 64bit we do not enforce !NX on the low mapping
34702 */
34703- if (within(address, (unsigned long)_text, (unsigned long)_etext))
34704- pgprot_val(forbidden) |= _PAGE_NX;
34705+ if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
34706+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
34707
34708+#ifdef CONFIG_DEBUG_RODATA
34709 /*
34710 * The .rodata section needs to be read-only. Using the pfn
34711 * catches all aliases.
34712@@ -278,6 +279,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
34713 if (within(pfn, __pa_symbol(__start_rodata) >> PAGE_SHIFT,
34714 __pa_symbol(__end_rodata) >> PAGE_SHIFT))
34715 pgprot_val(forbidden) |= _PAGE_RW;
34716+#endif
34717
34718 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
34719 /*
34720@@ -316,6 +318,13 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
34721 }
34722 #endif
34723
34724+#ifdef CONFIG_PAX_KERNEXEC
34725+ if (within(pfn, __pa(ktla_ktva((unsigned long)&_text)), __pa((unsigned long)&_sdata))) {
34726+ pgprot_val(forbidden) |= _PAGE_RW;
34727+ pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
34728+ }
34729+#endif
34730+
34731 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
34732
34733 return prot;
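Review bot: The added CONFIG_PAX_KERNEXEC check compares `pfn` with `__pa(...)` values, which are physical addresses, while the `.rodata` check in the preceding hunk shifts its bounds with `>> PAGE_SHIFT` before passing them to `within()`. As written, the test appears to cover a frame range far above the kernel image, so it would not forbid `_PAGE_RW` on the text it is meant to protect. If `pfn` is a page frame number here, as its use in the `.rodata` check suggests, the bounds need the same shift: `if (within(pfn, __pa(ktla_ktva((unsigned long)&_text)) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`. static_protections() starts outside this hunk.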
34734@@ -436,23 +445,37 @@ EXPORT_SYMBOL_GPL(slow_virt_to_phys);
34735 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
34736 {
34737 /* change init_mm */
34738+ pax_open_kernel();
34739 set_pte_atomic(kpte, pte);
34740+
34741 #ifdef CONFIG_X86_32
34742 if (!SHARED_KERNEL_PMD) {
34743+
34744+#ifdef CONFIG_PAX_PER_CPU_PGD
34745+ unsigned long cpu;
34746+#else
34747 struct page *page;
34748+#endif
34749
34750+#ifdef CONFIG_PAX_PER_CPU_PGD
34751+ for (cpu = 0; cpu < nr_cpu_ids; ++cpu) {
34752+ pgd_t *pgd = get_cpu_pgd(cpu, kernel);
34753+#else
34754 list_for_each_entry(page, &pgd_list, lru) {
34755- pgd_t *pgd;
34756+ pgd_t *pgd = (pgd_t *)page_address(page);
34757+#endif
34758+
34759 pud_t *pud;
34760 pmd_t *pmd;
34761
34762- pgd = (pgd_t *)page_address(page) + pgd_index(address);
34763+ pgd += pgd_index(address);
34764 pud = pud_offset(pgd, address);
34765 pmd = pmd_offset(pud, address);
34766 set_pte_atomic((pte_t *)pmd, pte);
34767 }
34768 }
34769 #endif
34770+ pax_close_kernel();
34771 }
34772
34773 static int
34774@@ -505,7 +528,8 @@ try_preserve_large_page(pte_t *kpte, unsigned long address,
34775 * up accordingly.
34776 */
34777 old_pte = *kpte;
34778- old_prot = req_prot = pgprot_large_2_4k(pte_pgprot(old_pte));
34779+ old_prot = pte_pgprot(old_pte);
34780+ req_prot = pgprot_large_2_4k(old_prot);
34781
34782 pgprot_val(req_prot) &= ~pgprot_val(cpa->mask_clr);
34783 pgprot_val(req_prot) |= pgprot_val(cpa->mask_set);
34784@@ -1176,7 +1200,9 @@ repeat:
34785 * Do we really change anything ?
34786 */
34787 if (pte_val(old_pte) != pte_val(new_pte)) {
34788+ pax_open_kernel();
34789 set_pte_atomic(kpte, new_pte);
34790+ pax_close_kernel();
34791 cpa->flags |= CPA_FLUSHTLB;
34792 }
34793 cpa->numpages = 1;
34794diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
34795index 188e3e0..5c75446 100644
34796--- a/arch/x86/mm/pat.c
34797+++ b/arch/x86/mm/pat.c
34798@@ -588,7 +588,7 @@ int free_memtype(u64 start, u64 end)
34799
34800 if (!entry) {
34801 pr_info("x86/PAT: %s:%d freeing invalid memtype [mem %#010Lx-%#010Lx]\n",
34802- current->comm, current->pid, start, end - 1);
34803+ current->comm, task_pid_nr(current), start, end - 1);
34804 return -EINVAL;
34805 }
34806
34807@@ -711,8 +711,8 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
34808
34809 while (cursor < to) {
34810 if (!devmem_is_allowed(pfn)) {
34811- pr_info("x86/PAT: Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx], PAT prevents it\n",
34812- current->comm, from, to - 1);
34813+ pr_info("x86/PAT: Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx] (%#010Lx), PAT prevents it\n",
34814+ current->comm, from, to - 1, cursor);
34815 return 0;
34816 }
34817 cursor += PAGE_SIZE;
34818@@ -782,7 +782,7 @@ int kernel_map_sync_memtype(u64 base, unsigned long size,
34819
34820 if (ioremap_change_attr((unsigned long)__va(base), id_sz, pcm) < 0) {
34821 pr_info("x86/PAT: %s:%d ioremap_change_attr failed %s for [mem %#010Lx-%#010Lx]\n",
34822- current->comm, current->pid,
34823+ current->comm, task_pid_nr(current),
34824 cattr_name(pcm),
34825 base, (unsigned long long)(base + size-1));
34826 return -EINVAL;
34827@@ -817,7 +817,7 @@ static int reserve_pfn_range(u64 paddr, unsigned long size, pgprot_t *vma_prot,
34828 pcm = lookup_memtype(paddr);
34829 if (want_pcm != pcm) {
34830 pr_warn("x86/PAT: %s:%d map pfn RAM range req %s for [mem %#010Lx-%#010Lx], got %s\n",
34831- current->comm, current->pid,
34832+ current->comm, task_pid_nr(current),
34833 cattr_name(want_pcm),
34834 (unsigned long long)paddr,
34835 (unsigned long long)(paddr + size - 1),
34836@@ -838,7 +838,7 @@ static int reserve_pfn_range(u64 paddr, unsigned long size, pgprot_t *vma_prot,
34837 !is_new_memtype_allowed(paddr, size, want_pcm, pcm)) {
34838 free_memtype(paddr, paddr + size);
34839 pr_err("x86/PAT: %s:%d map pfn expected mapping type %s for [mem %#010Lx-%#010Lx], got %s\n",
34840- current->comm, current->pid,
34841+ current->comm, task_pid_nr(current),
34842 cattr_name(want_pcm),
34843 (unsigned long long)paddr,
34844 (unsigned long long)(paddr + size - 1),
34845diff --git a/arch/x86/mm/pat_rbtree.c b/arch/x86/mm/pat_rbtree.c
34846index 6393108..890adda 100644
34847--- a/arch/x86/mm/pat_rbtree.c
34848+++ b/arch/x86/mm/pat_rbtree.c
34849@@ -161,7 +161,7 @@ success:
34850
34851 failure:
34852 pr_info("x86/PAT: %s:%d conflicting memory types %Lx-%Lx %s<->%s\n",
34853- current->comm, current->pid, start, end,
34854+ current->comm, task_pid_nr(current), start, end,
34855 cattr_name(found_type), cattr_name(match->type));
34856 return -EBUSY;
34857 }
34858diff --git a/arch/x86/mm/pf_in.c b/arch/x86/mm/pf_in.c
34859index 9f0614d..92ae64a 100644
34860--- a/arch/x86/mm/pf_in.c
34861+++ b/arch/x86/mm/pf_in.c
34862@@ -148,7 +148,7 @@ enum reason_type get_ins_type(unsigned long ins_addr)
34863 int i;
34864 enum reason_type rv = OTHERS;
34865
34866- p = (unsigned char *)ins_addr;
34867+ p = (unsigned char *)ktla_ktva(ins_addr);
34868 p += skip_prefix(p, &prf);
34869 p += get_opcode(p, &opcode);
34870
34871@@ -168,7 +168,7 @@ static unsigned int get_ins_reg_width(unsigned long ins_addr)
34872 struct prefix_bits prf;
34873 int i;
34874
34875- p = (unsigned char *)ins_addr;
34876+ p = (unsigned char *)ktla_ktva(ins_addr);
34877 p += skip_prefix(p, &prf);
34878 p += get_opcode(p, &opcode);
34879
34880@@ -191,7 +191,7 @@ unsigned int get_ins_mem_width(unsigned long ins_addr)
34881 struct prefix_bits prf;
34882 int i;
34883
34884- p = (unsigned char *)ins_addr;
34885+ p = (unsigned char *)ktla_ktva(ins_addr);
34886 p += skip_prefix(p, &prf);
34887 p += get_opcode(p, &opcode);
34888
34889@@ -415,7 +415,7 @@ unsigned long get_ins_reg_val(unsigned long ins_addr, struct pt_regs *regs)
34890 struct prefix_bits prf;
34891 int i;
34892
34893- p = (unsigned char *)ins_addr;
34894+ p = (unsigned char *)ktla_ktva(ins_addr);
34895 p += skip_prefix(p, &prf);
34896 p += get_opcode(p, &opcode);
34897 for (i = 0; i < ARRAY_SIZE(reg_rop); i++)
34898@@ -470,7 +470,7 @@ unsigned long get_ins_imm_val(unsigned long ins_addr)
34899 struct prefix_bits prf;
34900 int i;
34901
34902- p = (unsigned char *)ins_addr;
34903+ p = (unsigned char *)ktla_ktva(ins_addr);
34904 p += skip_prefix(p, &prf);
34905 p += get_opcode(p, &opcode);
34906 for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
34907diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
34908index fb0a9dd..5ab49c4 100644
34909--- a/arch/x86/mm/pgtable.c
34910+++ b/arch/x86/mm/pgtable.c
34911@@ -98,10 +98,75 @@ static inline void pgd_list_del(pgd_t *pgd)
34912 list_del(&page->lru);
34913 }
34914
34915-#define UNSHARED_PTRS_PER_PGD \
34916- (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
34917+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
34918+pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
34919
34920+void __shadow_user_pgds(pgd_t *dst, const pgd_t *src)
34921+{
34922+ unsigned int count = USER_PGD_PTRS;
34923
34924+ if (!pax_user_shadow_base)
34925+ return;
34926+
34927+ while (count--)
34928+ *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
34929+}
34930+#endif
34931+
34932+#ifdef CONFIG_PAX_PER_CPU_PGD
34933+void __clone_user_pgds(pgd_t *dst, const pgd_t *src)
34934+{
34935+ unsigned int count = USER_PGD_PTRS;
34936+
34937+ while (count--) {
34938+ pgd_t pgd;
34939+
34940+#ifdef CONFIG_X86_64
34941+ pgd = __pgd(pgd_val(*src++) | _PAGE_USER);
34942+#else
34943+ pgd = *src++;
34944+#endif
34945+
34946+#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
34947+ pgd = __pgd(pgd_val(pgd) & clone_pgd_mask);
34948+#endif
34949+
34950+ *dst++ = pgd;
34951+ }
34952+
34953+}
34954+#endif
34955+
34956+#ifdef CONFIG_X86_64
34957+#define pxd_t pud_t
34958+#define pyd_t pgd_t
34959+#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
34960+#define pgtable_pxd_page_ctor(page) true
34961+#define pgtable_pxd_page_dtor(page) do {} while (0)
34962+#define pxd_free(mm, pud) pud_free((mm), (pud))
34963+#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
34964+#define pyd_offset(mm, address) pgd_offset((mm), (address))
34965+#define PYD_SIZE PGDIR_SIZE
34966+#define mm_inc_nr_pxds(mm) do {} while (0)
34967+#define mm_dec_nr_pxds(mm) do {} while (0)
34968+#else
34969+#define pxd_t pmd_t
34970+#define pyd_t pud_t
34971+#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
34972+#define pgtable_pxd_page_ctor(page) pgtable_pmd_page_ctor(page)
34973+#define pgtable_pxd_page_dtor(page) pgtable_pmd_page_dtor(page)
34974+#define pxd_free(mm, pud) pmd_free((mm), (pud))
34975+#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
34976+#define pyd_offset(mm, address) pud_offset((mm), (address))
34977+#define PYD_SIZE PUD_SIZE
34978+#define mm_inc_nr_pxds(mm) mm_inc_nr_pmds(mm)
34979+#define mm_dec_nr_pxds(mm) mm_dec_nr_pmds(mm)
34980+#endif
34981+
34982+#ifdef CONFIG_PAX_PER_CPU_PGD
34983+static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
34984+static inline void pgd_dtor(pgd_t *pgd) {}
34985+#else
34986 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
34987 {
34988 BUILD_BUG_ON(sizeof(virt_to_page(pgd)->index) < sizeof(mm));
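Review bot: `__shadow_user_pgds()` and `__clone_user_pgds()` are added without any comment, although the bit manipulation is their whole purpose. The shadow copy ORs in `_PAGE_NX & __supported_pte_mask` and clears `_PAGE_USER`, while the clone sets `_PAGE_USER` on 64-bit and then ANDs with `clone_pgd_mask`. A header on each, e.g. `/* copy USER_PGD_PTRS entries, forcing NX where supported and clearing _PAGE_USER */`, would let a reader check the intended invariant against the code. `clone_pgd_mask` is initialised to `~_PAGE_PRESENT`, so with UDEREF on 64-bit the cloned entries lose the present bit unless the mask is changed elsewhere; where that happens is not visible here and deserves a pointer in a comment. The hunk ends inside `pgd_set_mm()`.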
34989@@ -142,6 +207,7 @@ static void pgd_dtor(pgd_t *pgd)
34990 pgd_list_del(pgd);
34991 spin_unlock(&pgd_lock);
34992 }
34993+#endif
34994
34995 /*
34996 * List of all pgd's needed for non-PAE so it can invalidate entries
34997@@ -154,7 +220,7 @@ static void pgd_dtor(pgd_t *pgd)
34998 * -- nyc
34999 */
35000
35001-#ifdef CONFIG_X86_PAE
35002+#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
35003 /*
35004 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
35005 * updating the top-level pagetable entries to guarantee the
35006@@ -166,7 +232,7 @@ static void pgd_dtor(pgd_t *pgd)
35007 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
35008 * and initialize the kernel pmds here.
35009 */
35010-#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
35011+#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
35012
35013 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
35014 {
35015@@ -184,46 +250,48 @@ void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
35016 */
35017 flush_tlb_mm(mm);
35018 }
35019+#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
35020+#define PREALLOCATED_PXDS USER_PGD_PTRS
35021 #else /* !CONFIG_X86_PAE */
35022
35023 /* No need to prepopulate any pagetable entries in non-PAE modes. */
35024-#define PREALLOCATED_PMDS 0
35025+#define PREALLOCATED_PXDS 0
35026
35027 #endif /* CONFIG_X86_PAE */
35028
35029-static void free_pmds(struct mm_struct *mm, pmd_t *pmds[])
35030+static void free_pxds(struct mm_struct *mm, pxd_t *pxds[])
35031 {
35032 int i;
35033
35034- for(i = 0; i < PREALLOCATED_PMDS; i++)
35035- if (pmds[i]) {
35036- pgtable_pmd_page_dtor(virt_to_page(pmds[i]));
35037- free_page((unsigned long)pmds[i]);
35038- mm_dec_nr_pmds(mm);
35039+ for(i = 0; i < PREALLOCATED_PXDS; i++)
35040+ if (pxds[i]) {
35041+ pgtable_pxd_page_dtor(virt_to_page(pxds[i]));
35042+ free_page((unsigned long)pxds[i]);
35043+ mm_dec_nr_pxds(mm);
35044 }
35045 }
35046
35047-static int preallocate_pmds(struct mm_struct *mm, pmd_t *pmds[])
35048+static int preallocate_pxds(struct mm_struct *mm, pxd_t *pxds[])
35049 {
35050 int i;
35051 bool failed = false;
35052
35053- for(i = 0; i < PREALLOCATED_PMDS; i++) {
35054- pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
35055- if (!pmd)
35056+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
35057+ pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
35058+ if (!pxd)
35059 failed = true;
35060- if (pmd && !pgtable_pmd_page_ctor(virt_to_page(pmd))) {
35061- free_page((unsigned long)pmd);
35062- pmd = NULL;
35063+ if (pxd && !pgtable_pxd_page_ctor(virt_to_page(pxd))) {
35064+ free_page((unsigned long)pxd);
35065+ pxd = NULL;
35066 failed = true;
35067 }
35068- if (pmd)
35069- mm_inc_nr_pmds(mm);
35070- pmds[i] = pmd;
35071+ if (pxd)
35072+ mm_inc_nr_pxds(mm);
35073+ pxds[i] = pxd;
35074 }
35075
35076 if (failed) {
35077- free_pmds(mm, pmds);
35078+ free_pxds(mm, pxds);
35079 return -ENOMEM;
35080 }
35081
35082@@ -236,43 +304,47 @@ static int preallocate_pmds(struct mm_struct *mm, pmd_t *pmds[])
35083 * preallocate which never got a corresponding vma will need to be
35084 * freed manually.
35085 */
35086-static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
35087+static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
35088 {
35089 int i;
35090
35091- for(i = 0; i < PREALLOCATED_PMDS; i++) {
35092+ for(i = 0; i < PREALLOCATED_PXDS; i++) {
35093 pgd_t pgd = pgdp[i];
35094
35095 if (pgd_val(pgd) != 0) {
35096- pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
35097+ pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
35098
35099- pgdp[i] = native_make_pgd(0);
35100+ set_pgd(pgdp + i, native_make_pgd(0));
35101
35102- paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
35103- pmd_free(mm, pmd);
35104- mm_dec_nr_pmds(mm);
35105+ paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
35106+ pxd_free(mm, pxd);
35107+ mm_dec_nr_pxds(mm);
35108 }
35109 }
35110 }
35111
35112-static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
35113+static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
35114 {
35115- pud_t *pud;
35116+ pyd_t *pyd;
35117 int i;
35118
35119- if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
35120+ if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
35121 return;
35122
35123- pud = pud_offset(pgd, 0);
35124+#ifdef CONFIG_X86_64
35125+ pyd = pyd_offset(mm, 0L);
35126+#else
35127+ pyd = pyd_offset(pgd, 0L);
35128+#endif
35129
35130- for (i = 0; i < PREALLOCATED_PMDS; i++, pud++) {
35131- pmd_t *pmd = pmds[i];
35132+ for (i = 0; i < PREALLOCATED_PXDS; i++, pyd++) {
35133+ pxd_t *pxd = pxds[i];
35134
35135 if (i >= KERNEL_PGD_BOUNDARY)
35136- memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
35137- sizeof(pmd_t) * PTRS_PER_PMD);
35138+ memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
35139+ sizeof(pxd_t) * PTRS_PER_PMD);
35140
35141- pud_populate(mm, pud, pmd);
35142+ pyd_populate(mm, pyd, pxd);
35143 }
35144 }
35145
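Review bot: In `pgd_prepopulate_pxd()` the copy size is still `sizeof(pxd_t) * PTRS_PER_PMD`, although `pxd_t` is now `pud_t` on 64-bit, so the entry count does not follow the abstracted level. Adding a `PTRS_PER_PXD` define to the two macro blocks introduced earlier in this file (`PTRS_PER_PUD` for 64-bit, `PTRS_PER_PMD` otherwise) and using `sizeof(pxd_t) * PTRS_PER_PXD` would complete the rename. The `#ifdef CONFIG_X86_64` choosing between `pyd_offset(mm, 0L)` and `pyd_offset(pgd, 0L)` shows that the macro does not abstract its first argument. On 64-bit the lookup goes through `mm`, so it relies on `mm->pgd` already pointing at `pgd`; a comment such as `/* pgd_alloc() has set mm->pgd = pgd before calling us */` would record that.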
35146@@ -354,7 +426,7 @@ static inline void _pgd_free(pgd_t *pgd)
35147 pgd_t *pgd_alloc(struct mm_struct *mm)
35148 {
35149 pgd_t *pgd;
35150- pmd_t *pmds[PREALLOCATED_PMDS];
35151+ pxd_t *pxds[PREALLOCATED_PXDS];
35152
35153 pgd = _pgd_alloc();
35154
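Review bot: `pxd_t *pxds[PREALLOCATED_PXDS]` is an on-stack array whose size now depends on the new `#elif` branch, which sets `PREALLOCATED_PXDS` to `USER_PGD_PTRS` on 64-bit with `CONFIG_PAX_PER_CPU_PGD`. Before this change the 64-bit value was 0. The value of `USER_PGD_PTRS` is not visible in this diff; if it is in the hundreds, `pgd_alloc()` puts a few kilobytes of pointers on the kernel stack. A comment with the actual size, or a compile-time bound next to the declaration such as `BUILD_BUG_ON(sizeof(pxds) > 1024);` (threshold given only as an example), would make that explicit. `pgd_alloc()` continues outside the hunk.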
35155@@ -363,11 +435,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
35156
35157 mm->pgd = pgd;
35158
35159- if (preallocate_pmds(mm, pmds) != 0)
35160+ if (preallocate_pxds(mm, pxds) != 0)
35161 goto out_free_pgd;
35162
35163 if (paravirt_pgd_alloc(mm) != 0)
35164- goto out_free_pmds;
35165+ goto out_free_pxds;
35166
35167 /*
35168 * Make sure that pre-populating the pmds is atomic with
35169@@ -377,14 +449,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
35170 spin_lock(&pgd_lock);
35171
35172 pgd_ctor(mm, pgd);
35173- pgd_prepopulate_pmd(mm, pgd, pmds);
35174+ pgd_prepopulate_pxd(mm, pgd, pxds);
35175
35176 spin_unlock(&pgd_lock);
35177
35178 return pgd;
35179
35180-out_free_pmds:
35181- free_pmds(mm, pmds);
35182+out_free_pxds:
35183+ free_pxds(mm, pxds);
35184 out_free_pgd:
35185 _pgd_free(pgd);
35186 out:
35187@@ -393,7 +465,7 @@ out:
35188
35189 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
35190 {
35191- pgd_mop_up_pmds(mm, pgd);
35192+ pgd_mop_up_pxds(mm, pgd);
35193 pgd_dtor(pgd);
35194 paravirt_pgd_free(mm, pgd);
35195 _pgd_free(pgd);
35196@@ -544,6 +616,55 @@ void __init reserve_top_address(unsigned long reserve)
35197
35198 int fixmaps_set;
35199
35200+static void fix_user_fixmap(enum fixed_addresses idx, unsigned long address)
35201+{
35202+#ifdef CONFIG_X86_64
35203+ pgd_t *pgd;
35204+ pud_t *pud;
35205+ pmd_t *pmd;
35206+
35207+ switch (idx) {
35208+ default:
35209+ return;
35210+
35211+#ifdef CONFIG_X86_VSYSCALL_EMULATION
35212+ case VSYSCALL_PAGE:
35213+ break;
35214+#endif
35215+
35216+#ifdef CONFIG_PARAVIRT_CLOCK
35217+ case PVCLOCK_FIXMAP_BEGIN ... PVCLOCK_FIXMAP_END:
35218+ break;
35219+#endif
35220+ }
35221+
35222+ pgd = pgd_offset_k(address);
35223+ if (!(pgd_val(*pgd) & _PAGE_USER)) {
35224+#ifdef CONFIG_PAX_PER_CPU_PGD
35225+ unsigned int cpu;
35226+ pgd_t *pgd_cpu;
35227+
35228+ for_each_possible_cpu(cpu) {
35229+ pgd_cpu = pgd_offset_cpu(cpu, kernel, address);
35230+ set_pgd(pgd_cpu, __pgd(pgd_val(*pgd_cpu) | _PAGE_USER));
35231+
35232+ pgd_cpu = pgd_offset_cpu(cpu, user, address);
35233+ set_pgd(pgd_cpu, __pgd(pgd_val(*pgd_cpu) | _PAGE_USER));
35234+ }
35235+#endif
35236+ set_pgd(pgd, __pgd(pgd_val(*pgd) | _PAGE_USER));
35237+ }
35238+
35239+ pud = pud_offset(pgd, address);
35240+ if (!(pud_val(*pud) & _PAGE_USER))
35241+ set_pud(pud, __pud(pud_val(*pud) | _PAGE_USER));
35242+
35243+ pmd = pmd_offset(pud, address);
35244+ if (!(pmd_val(*pmd) & _PAGE_USER))
35245+ set_pmd(pmd, __pmd(pmd_val(*pmd) | _PAGE_USER));
35246+#endif
35247+}
35248+
35249 void __native_set_fixmap(enum fixed_addresses idx, pte_t pte)
35250 {
35251 unsigned long address = __fix_to_virt(idx);
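Review bot: `fix_user_fixmap()` sets `_PAGE_USER` on the PGD, PUD and PMD entries covering a fixmap slot, and has no comment explaining why or what keeps that safe. Those upper-level entries cover much more than the single page being mapped, so once they are opened, user accessibility in the whole range is decided by the individual PTEs alone. I would add a header along the lines of `/* vsyscall and pvclock fixmap pages are read from userland: open the upper paging levels for them; all other PTEs under these entries must stay without _PAGE_USER */`. Placing `default: return;` first in the switch reads oddly. The PUD and PMD entries are also modified without checking that they are not large mappings; whether that can occur for the fixmap range is not visible in this hunk.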
35252@@ -554,6 +675,7 @@ void __native_set_fixmap(enum fixed_addresses idx, pte_t pte)
35253 }
35254 set_pte_vaddr(address, pte);
35255 fixmaps_set++;
35256+ fix_user_fixmap(idx, address);
35257 }
35258
35259 void native_set_fixmap(enum fixed_addresses idx, phys_addr_t phys,
35260@@ -620,9 +742,11 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot)
35261
35262 prot = pgprot_4k_2_large(prot);
35263
35264+ pax_open_kernel();
35265 set_pte((pte_t *)pmd, pfn_pte(
35266 (u64)addr >> PAGE_SHIFT,
35267 __pgprot(pgprot_val(prot) | _PAGE_PSE)));
35268+ pax_close_kernel();
35269
35270 return 1;
35271 }
35272diff --git a/arch/x86/mm/pgtable_32.c b/arch/x86/mm/pgtable_32.c
35273index 75cc097..79a097f 100644
35274--- a/arch/x86/mm/pgtable_32.c
35275+++ b/arch/x86/mm/pgtable_32.c
35276@@ -47,10 +47,13 @@ void set_pte_vaddr(unsigned long vaddr, pte_t pteval)
35277 return;
35278 }
35279 pte = pte_offset_kernel(pmd, vaddr);
35280+
35281+ pax_open_kernel();
35282 if (pte_val(pteval))
35283 set_pte_at(&init_mm, vaddr, pte, pteval);
35284 else
35285 pte_clear(&init_mm, vaddr, pte);
35286+ pax_close_kernel();
35287
35288 /*
35289 * It's enough to flush this one mapping.
35290diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
35291index 90555bf..f5f1828 100644
35292--- a/arch/x86/mm/setup_nx.c
35293+++ b/arch/x86/mm/setup_nx.c
35294@@ -5,8 +5,10 @@
35295 #include <asm/pgtable.h>
35296 #include <asm/proto.h>
35297
35298+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
35299 static int disable_nx;
35300
35301+#ifndef CONFIG_PAX_PAGEEXEC
35302 /*
35303 * noexec = on|off
35304 *
35305@@ -28,12 +30,17 @@ static int __init noexec_setup(char *str)
35306 return 0;
35307 }
35308 early_param("noexec", noexec_setup);
35309+#endif
35310+
35311+#endif
35312
35313 void x86_configure_nx(void)
35314 {
35315+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
35316 if (cpu_has_nx && !disable_nx)
35317 __supported_pte_mask |= _PAGE_NX;
35318 else
35319+#endif
35320 __supported_pte_mask &= ~_PAGE_NX;
35321 }
35322
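Review bot: In `x86_configure_nx()` the `if`/`else` now straddles the `#if`, so an unbraced `else` has its body after the `#endif`, and on a 32-bit non-PAE build only that former `else` body remains. This compiles as intended but is easy to break with a later edit. Keeping the whole conditional inside the `#if` would be clearer, e.g. `if (cpu_has_nx && !disable_nx) { __supported_pte_mask |= _PAGE_NX; return; }` before the `#endif`, followed by the unconditional clear. With `CONFIG_PAX_PAGEEXEC` the `noexec=` handler is compiled out, so as far as this file shows `disable_nx` can never become non-zero in that configuration; a comment stating that this is deliberate would help.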
35323diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
35324index 90b924a..4197ac2 100644
35325--- a/arch/x86/mm/tlb.c
35326+++ b/arch/x86/mm/tlb.c
35327@@ -45,7 +45,11 @@ void leave_mm(int cpu)
35328 BUG();
35329 if (cpumask_test_cpu(cpu, mm_cpumask(active_mm))) {
35330 cpumask_clear_cpu(cpu, mm_cpumask(active_mm));
35331+
35332+#ifndef CONFIG_PAX_PER_CPU_PGD
35333 load_cr3(swapper_pg_dir);
35334+#endif
35335+
35336 /*
35337 * This gets called in the idle path where RCU
35338 * functions differently. Tracing normally
35339diff --git a/arch/x86/mm/uderef_64.c b/arch/x86/mm/uderef_64.c
35340new file mode 100644
35341index 0000000..3fda3f3
35342--- /dev/null
35343+++ b/arch/x86/mm/uderef_64.c
35344@@ -0,0 +1,37 @@
35345+#include <linux/mm.h>
35346+#include <asm/pgtable.h>
35347+#include <asm/uaccess.h>
35348+
35349+#ifdef CONFIG_PAX_MEMORY_UDEREF
35350+/* PaX: due to the special call convention these functions must
35351+ * - remain leaf functions under all configurations,
35352+ * - never be called directly, only dereferenced from the wrappers.
35353+ */
35354+void __used __pax_open_userland(void)
35355+{
35356+ unsigned int cpu;
35357+
35358+ if (unlikely(!segment_eq(get_fs(), USER_DS)))
35359+ return;
35360+
35361+ cpu = raw_get_cpu();
35362+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_KERNEL);
35363+ write_cr3(__pa_nodebug(get_cpu_pgd(cpu, user)) | PCID_USER | PCID_NOFLUSH);
35364+ raw_put_cpu_no_resched();
35365+}
35366+EXPORT_SYMBOL(__pax_open_userland);
35367+
35368+void __used __pax_close_userland(void)
35369+{
35370+ unsigned int cpu;
35371+
35372+ if (unlikely(!segment_eq(get_fs(), USER_DS)))
35373+ return;
35374+
35375+ cpu = raw_get_cpu();
35376+ BUG_ON((read_cr3() & ~PAGE_MASK) != PCID_USER);
35377+ write_cr3(__pa_nodebug(get_cpu_pgd(cpu, kernel)) | PCID_KERNEL | PCID_NOFLUSH);
35378+ raw_put_cpu_no_resched();
35379+}
35380+EXPORT_SYMBOL(__pax_close_userland);
35381+#endif
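Review bot: Both functions OR a PCID and `PCID_NOFLUSH` into the value written to CR3, with no check in this file that PCID is enabled on the running CPU. On x86 the meaning of those CR3 bits depends on CR4.PCIDE, so the safety of `write_cr3()` here rests entirely on the wrappers named in the comment, which are not part of this hunk and should be referenced by name. The header comment documents the calling convention but not what the functions do. One line on each would help, e.g. `/* switch CR3 to this CPU's user PGD (PCID_USER); no-op unless the address limit is USER_DS */`, and the mirror image for the close function. The two bodies differ only in the expected PCID and the target PGD, so a shared static inline helper would remove the duplication, provided it keeps them leaf functions as the comment requires.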
35382diff --git a/arch/x86/net/bpf_jit.S b/arch/x86/net/bpf_jit.S
35383index 4093216..44b6b83 100644
35384--- a/arch/x86/net/bpf_jit.S
35385+++ b/arch/x86/net/bpf_jit.S
35386@@ -8,6 +8,7 @@
35387 * of the License.
35388 */
35389 #include <linux/linkage.h>
35390+#include <asm/alternative-asm.h>
35391
35392 /*
35393 * Calling convention :
35394@@ -37,6 +38,7 @@ sk_load_word_positive_offset:
35395 jle bpf_slow_path_word
35396 mov (SKBDATA,%rsi),%eax
35397 bswap %eax /* ntohl() */
35398+ pax_force_retaddr
35399 ret
35400
35401 sk_load_half:
35402@@ -54,6 +56,7 @@ sk_load_half_positive_offset:
35403 jle bpf_slow_path_half
35404 movzwl (SKBDATA,%rsi),%eax
35405 rol $8,%ax # ntohs()
35406+ pax_force_retaddr
35407 ret
35408
35409 sk_load_byte:
35410@@ -68,6 +71,7 @@ sk_load_byte_positive_offset:
35411 cmp %esi,%r9d /* if (offset >= hlen) goto bpf_slow_path_byte */
35412 jle bpf_slow_path_byte
35413 movzbl (SKBDATA,%rsi),%eax
35414+ pax_force_retaddr
35415 ret
35416
35417 /* rsi contains offset and can be scratched */
35418@@ -89,6 +93,7 @@ bpf_slow_path_word:
35419 js bpf_error
35420 mov - MAX_BPF_STACK + 32(%rbp),%eax
35421 bswap %eax
35422+ pax_force_retaddr
35423 ret
35424
35425 bpf_slow_path_half:
35426@@ -97,12 +102,14 @@ bpf_slow_path_half:
35427 mov - MAX_BPF_STACK + 32(%rbp),%ax
35428 rol $8,%ax
35429 movzwl %ax,%eax
35430+ pax_force_retaddr
35431 ret
35432
35433 bpf_slow_path_byte:
35434 bpf_slow_path_common(1)
35435 js bpf_error
35436 movzbl - MAX_BPF_STACK + 32(%rbp),%eax
35437+ pax_force_retaddr
35438 ret
35439
35440 #define sk_negative_common(SIZE) \
35441@@ -125,6 +132,7 @@ sk_load_word_negative_offset:
35442 sk_negative_common(4)
35443 mov (%rax), %eax
35444 bswap %eax
35445+ pax_force_retaddr
35446 ret
35447
35448 bpf_slow_path_half_neg:
35449@@ -136,6 +144,7 @@ sk_load_half_negative_offset:
35450 mov (%rax),%ax
35451 rol $8,%ax
35452 movzwl %ax,%eax
35453+ pax_force_retaddr
35454 ret
35455
35456 bpf_slow_path_byte_neg:
35457@@ -145,6 +154,7 @@ sk_load_byte_negative_offset:
35458 .globl sk_load_byte_negative_offset
35459 sk_negative_common(1)
35460 movzbl (%rax), %eax
35461+ pax_force_retaddr
35462 ret
35463
35464 bpf_error:
35465@@ -155,4 +165,5 @@ bpf_error:
35466 mov - MAX_BPF_STACK + 16(%rbp),%r14
35467 mov - MAX_BPF_STACK + 24(%rbp),%r15
35468 leaveq
35469+ pax_force_retaddr
35470 ret
35471diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
35472index be2e7a2..e6960dd 100644
35473--- a/arch/x86/net/bpf_jit_comp.c
35474+++ b/arch/x86/net/bpf_jit_comp.c
35475@@ -14,7 +14,11 @@
35476 #include <asm/cacheflush.h>
35477 #include <linux/bpf.h>
35478
35479+#ifdef CONFIG_GRKERNSEC_BPF_HARDEN
35480+int bpf_jit_enable __read_only;
35481+#else
35482 int bpf_jit_enable __read_mostly;
35483+#endif
35484
35485 /*
35486 * assembly code in arch/x86/net/bpf_jit.S
35487@@ -176,7 +180,9 @@ static u8 add_2reg(u8 byte, u32 dst_reg, u32 src_reg)
35488 static void jit_fill_hole(void *area, unsigned int size)
35489 {
35490 /* fill whole space with int3 instructions */
35491+ pax_open_kernel();
35492 memset(area, 0xcc, size);
35493+ pax_close_kernel();
35494 }
35495
35496 struct jit_context {
35497@@ -1026,7 +1032,9 @@ common_load:
35498 pr_err("bpf_jit_compile fatal error\n");
35499 return -EFAULT;
35500 }
35501+ pax_open_kernel();
35502 memcpy(image + proglen, temp, ilen);
35503+ pax_close_kernel();
35504 }
35505 proglen += ilen;
35506 addrs[i] = proglen;
35507@@ -1103,7 +1111,6 @@ void bpf_int_jit_compile(struct bpf_prog *prog)
35508
35509 if (image) {
35510 bpf_flush_icache(header, image + proglen);
35511- set_memory_ro((unsigned long)header, header->pages);
35512 prog->bpf_func = (void *)image;
35513 prog->jited = true;
35514 }
35515@@ -1116,12 +1123,8 @@ void bpf_jit_free(struct bpf_prog *fp)
35516 unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
35517 struct bpf_binary_header *header = (void *)addr;
35518
35519- if (!fp->jited)
35520- goto free_filter;
35521+ if (fp->jited)
35522+ bpf_jit_binary_free(header);
35523
35524- set_memory_rw(addr, header->pages);
35525- bpf_jit_binary_free(header);
35526-
35527-free_filter:
35528 bpf_prog_unlock_free(fp);
35529 }
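Review bot: With `set_memory_rw()` dropped here and `set_memory_ro()` dropped in the preceding `bpf_int_jit_compile()` hunk, nothing in this file sets the page protection of the JIT image any more. The writes in `jit_fill_hole()` and the `memcpy()` into `image` are now bracketed by `pax_open_kernel()`/`pax_close_kernel()`, which suggests the image is expected to be allocated read-only; the allocator is not visible in this diff. The removals are unconditional, so confirm that a build without the PaX kernel write protection (presumably `CONFIG_PAX_KERNEXEC`) does not end up with a JIT image that stays both writable and executable. If it can, keep the two `set_memory_*()` calls under an `#ifndef` for that option. A comment at `bpf_jit_free()` stating who owns the protection state would document the assumption.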
35530diff --git a/arch/x86/oprofile/backtrace.c b/arch/x86/oprofile/backtrace.c
35531index 4e664bd..2beeaa2 100644
35532--- a/arch/x86/oprofile/backtrace.c
35533+++ b/arch/x86/oprofile/backtrace.c
35534@@ -46,11 +46,11 @@ dump_user_backtrace_32(struct stack_frame_ia32 *head)
35535 struct stack_frame_ia32 *fp;
35536 unsigned long bytes;
35537
35538- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
35539+ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
35540 if (bytes != 0)
35541 return NULL;
35542
35543- fp = (struct stack_frame_ia32 *) compat_ptr(bufhead[0].next_frame);
35544+ fp = (struct stack_frame_ia32 __force_kernel *) compat_ptr(bufhead[0].next_frame);
35545
35546 oprofile_add_trace(bufhead[0].return_address);
35547
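Review bot: The `__force_kernel` cast on the result of `compat_ptr()` labels a user-space frame address as a kernel pointer, which silences the address-space checker exactly where it is useful: `fp` comes from `bufhead[0].next_frame`, data that was just copied from user memory. The line above already needs a `__force_user` cast on `head` for `copy_from_user_nmi()`, which indicates that the parameter and return type should be `struct stack_frame_ia32 __user *` instead of being patched with casts at each use. The same `__force_user` cast is repeated in `dump_user_backtrace()` in the next hunk. The function body continues outside this hunk, so the callers that would be affected by the type change are not visible.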
35548@@ -92,7 +92,7 @@ static struct stack_frame *dump_user_backtrace(struct stack_frame *head)
35549 struct stack_frame bufhead[2];
35550 unsigned long bytes;
35551
35552- bytes = copy_from_user_nmi(bufhead, head, sizeof(bufhead));
35553+ bytes = copy_from_user_nmi(bufhead, (const char __force_user *)head, sizeof(bufhead));
35554 if (bytes != 0)
35555 return NULL;
35556
35557diff --git a/arch/x86/oprofile/nmi_int.c b/arch/x86/oprofile/nmi_int.c
35558index 1d2e639..f6ef82a 100644
35559--- a/arch/x86/oprofile/nmi_int.c
35560+++ b/arch/x86/oprofile/nmi_int.c
35561@@ -23,6 +23,7 @@
35562 #include <asm/nmi.h>
35563 #include <asm/msr.h>
35564 #include <asm/apic.h>
35565+#include <asm/pgtable.h>
35566
35567 #include "op_counter.h"
35568 #include "op_x86_model.h"
35569@@ -785,8 +786,11 @@ int __init op_nmi_init(struct oprofile_operations *ops)
35570 if (ret)
35571 return ret;
35572
35573- if (!model->num_virt_counters)
35574- model->num_virt_counters = model->num_counters;
35575+ if (!model->num_virt_counters) {
35576+ pax_open_kernel();
35577+ *(unsigned int *)&model->num_virt_counters = model->num_counters;
35578+ pax_close_kernel();
35579+ }
35580
35581 mux_init(ops);
35582
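Review bot: The store `*(unsigned int *)&model->num_virt_counters = model->num_counters;` casts away the constness that `__do_const` presumably places on `struct op_x86_model_spec`, and hard-codes the field width as `unsigned int`. The field declarations are not part of this diff, so if the field has a different type this becomes a wrong-width store with no compiler warning. Adding `BUILD_BUG_ON(sizeof(model->num_virt_counters) != sizeof(unsigned int));` next to the store would pin the assumption. The same pattern is used in `op_amd_init()` and `arch_perfmon_setup_counters()` in the following two files. A one-line comment such as `/* spec is constified; writable only inside the pax_open_kernel() window */` would explain the cast to the next reader.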
35583diff --git a/arch/x86/oprofile/op_model_amd.c b/arch/x86/oprofile/op_model_amd.c
35584index 50d86c0..7985318 100644
35585--- a/arch/x86/oprofile/op_model_amd.c
35586+++ b/arch/x86/oprofile/op_model_amd.c
35587@@ -519,9 +519,11 @@ static int op_amd_init(struct oprofile_operations *ops)
35588 num_counters = AMD64_NUM_COUNTERS;
35589 }
35590
35591- op_amd_spec.num_counters = num_counters;
35592- op_amd_spec.num_controls = num_counters;
35593- op_amd_spec.num_virt_counters = max(num_counters, NUM_VIRT_COUNTERS);
35594+ pax_open_kernel();
35595+ *(unsigned int *)&op_amd_spec.num_counters = num_counters;
35596+ *(unsigned int *)&op_amd_spec.num_controls = num_counters;
35597+ *(unsigned int *)&op_amd_spec.num_virt_counters = max(num_counters, NUM_VIRT_COUNTERS);
35598+ pax_close_kernel();
35599
35600 return 0;
35601 }
35602diff --git a/arch/x86/oprofile/op_model_ppro.c b/arch/x86/oprofile/op_model_ppro.c
35603index d90528e..0127e2b 100644
35604--- a/arch/x86/oprofile/op_model_ppro.c
35605+++ b/arch/x86/oprofile/op_model_ppro.c
35606@@ -19,6 +19,7 @@
35607 #include <asm/msr.h>
35608 #include <asm/apic.h>
35609 #include <asm/nmi.h>
35610+#include <asm/pgtable.h>
35611
35612 #include "op_x86_model.h"
35613 #include "op_counter.h"
35614@@ -221,8 +222,10 @@ static void arch_perfmon_setup_counters(void)
35615
35616 num_counters = min((int)eax.split.num_counters, OP_MAX_COUNTER);
35617
35618- op_arch_perfmon_spec.num_counters = num_counters;
35619- op_arch_perfmon_spec.num_controls = num_counters;
35620+ pax_open_kernel();
35621+ *(unsigned int *)&op_arch_perfmon_spec.num_counters = num_counters;
35622+ *(unsigned int *)&op_arch_perfmon_spec.num_controls = num_counters;
35623+ pax_close_kernel();
35624 }
35625
35626 static int arch_perfmon_init(struct oprofile_operations *ignore)
35627diff --git a/arch/x86/oprofile/op_x86_model.h b/arch/x86/oprofile/op_x86_model.h
35628index 71e8a67..6a313bb 100644
35629--- a/arch/x86/oprofile/op_x86_model.h
35630+++ b/arch/x86/oprofile/op_x86_model.h
35631@@ -52,7 +52,7 @@ struct op_x86_model_spec {
35632 void (*switch_ctrl)(struct op_x86_model_spec const *model,
35633 struct op_msrs const * const msrs);
35634 #endif
35635-};
35636+} __do_const;
35637
35638 struct op_counter_config;
35639
35640diff --git a/arch/x86/pci/intel_mid_pci.c b/arch/x86/pci/intel_mid_pci.c
35641index 7553921..d631bd4 100644
35642--- a/arch/x86/pci/intel_mid_pci.c
35643+++ b/arch/x86/pci/intel_mid_pci.c
35644@@ -278,7 +278,7 @@ int __init intel_mid_pci_init(void)
35645 pci_mmcfg_late_init();
35646 pcibios_enable_irq = intel_mid_pci_irq_enable;
35647 pcibios_disable_irq = intel_mid_pci_irq_disable;
35648- pci_root_ops = intel_mid_pci_ops;
35649+ memcpy((void *)&pci_root_ops, &intel_mid_pci_ops, sizeof pci_root_ops);
35650 pci_soc_mode = 1;
35651 /* Continue with standard init */
35652 return 1;
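Review bot: This `memcpy()` casts away the qualifier on `pci_root_ops` and writes it without the `pax_open_kernel()`/`pax_close_kernel()` pair that brackets the other writes to constified objects in this patch, for example the oprofile model specs. `intel_mid_pci_init()` is `__init`, so the write may be safe because it runs before read-only data is protected, but nothing on the line says so and the declaration of `pci_root_ops` is not in this diff. Add a comment such as `/* pci_root_ops is const after init; still writable here because we run from __init */`, or wrap the copy in the open/close pair if that assumption does not hold.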
35653diff --git a/arch/x86/pci/irq.c b/arch/x86/pci/irq.c
35654index 9bd1154..e9d4656 100644
35655--- a/arch/x86/pci/irq.c
35656+++ b/arch/x86/pci/irq.c
35657@@ -51,7 +51,7 @@ struct irq_router {
35658 struct irq_router_handler {
35659 u16 vendor;
35660 int (*probe)(struct irq_router *r, struct pci_dev *router, u16 device);
35661-};
35662+} __do_const;
35663
35664 int (*pcibios_enable_irq)(struct pci_dev *dev) = pirq_enable_irq;
35665 void (*pcibios_disable_irq)(struct pci_dev *dev) = pirq_disable_irq;
35666@@ -792,7 +792,7 @@ static __init int pico_router_probe(struct irq_router *r, struct pci_dev *router
35667 return 0;
35668 }
35669
35670-static __initdata struct irq_router_handler pirq_routers[] = {
35671+static __initconst const struct irq_router_handler pirq_routers[] = {
35672 { PCI_VENDOR_ID_INTEL, intel_router_probe },
35673 { PCI_VENDOR_ID_AL, ali_router_probe },
35674 { PCI_VENDOR_ID_ITE, ite_router_probe },
35675@@ -819,7 +819,7 @@ static struct pci_dev *pirq_router_dev;
35676 static void __init pirq_find_router(struct irq_router *r)
35677 {
35678 struct irq_routing_table *rt = pirq_table;
35679- struct irq_router_handler *h;
35680+ const struct irq_router_handler *h;
35681
35682 #ifdef CONFIG_PCI_BIOS
35683 if (!rt->signature) {
35684@@ -1092,7 +1092,7 @@ static int __init fix_acer_tm360_irqrouting(const struct dmi_system_id *d)
35685 return 0;
35686 }
35687
35688-static struct dmi_system_id __initdata pciirq_dmi_table[] = {
35689+static const struct dmi_system_id __initconst pciirq_dmi_table[] = {
35690 {
35691 .callback = fix_broken_hp_bios_irq9,
35692 .ident = "HP Pavilion N5400 Series Laptop",
35693diff --git a/arch/x86/pci/pcbios.c b/arch/x86/pci/pcbios.c
35694index 9b83b90..2c256c5 100644
35695--- a/arch/x86/pci/pcbios.c
35696+++ b/arch/x86/pci/pcbios.c
35697@@ -79,7 +79,7 @@ union bios32 {
35698 static struct {
35699 unsigned long address;
35700 unsigned short segment;
35701-} bios32_indirect __initdata = { 0, __KERNEL_CS };
35702+} bios32_indirect __initdata = { 0, __PCIBIOS_CS };
35703
35704 /*
35705 * Returns the entry point for the given service, NULL on error
35706@@ -92,37 +92,80 @@ static unsigned long __init bios32_service(unsigned long service)
35707 unsigned long length; /* %ecx */
35708 unsigned long entry; /* %edx */
35709 unsigned long flags;
35710+ struct desc_struct d, *gdt;
35711
35712 local_irq_save(flags);
35713- __asm__("lcall *(%%edi); cld"
35714+
35715+ gdt = get_cpu_gdt_table(smp_processor_id());
35716+
35717+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
35718+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
35719+ pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
35720+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
35721+
35722+ __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
35723 : "=a" (return_code),
35724 "=b" (address),
35725 "=c" (length),
35726 "=d" (entry)
35727 : "0" (service),
35728 "1" (0),
35729- "D" (&bios32_indirect));
35730+ "D" (&bios32_indirect),
35731+ "r"(__PCIBIOS_DS)
35732+ : "memory");
35733+
35734+ pax_open_kernel();
35735+ gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
35736+ gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
35737+ gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
35738+ gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
35739+ pax_close_kernel();
35740+
35741 local_irq_restore(flags);
35742
35743 switch (return_code) {
35744- case 0:
35745- return address + entry;
35746- case 0x80: /* Not present */
35747- printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
35748- return 0;
35749- default: /* Shouldn't happen */
35750- printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
35751- service, return_code);
35752+ case 0: {
35753+ int cpu;
35754+ unsigned char flags;
35755+
35756+ printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
35757+ if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
35758+ printk(KERN_WARNING "bios32_service: not valid\n");
35759 return 0;
35760+ }
35761+ address = address + PAGE_OFFSET;
35762+ length += 16UL; /* some BIOSs underreport this... */
35763+ flags = 4;
35764+ if (length >= 64*1024*1024) {
35765+ length >>= PAGE_SHIFT;
35766+ flags |= 8;
35767+ }
35768+
35769+ for (cpu = 0; cpu < nr_cpu_ids; cpu++) {
35770+ gdt = get_cpu_gdt_table(cpu);
35771+ pack_descriptor(&d, address, length, 0x9b, flags);
35772+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
35773+ pack_descriptor(&d, address, length, 0x93, flags);
35774+ write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
35775+ }
35776+ return entry;
35777+ }
35778+ case 0x80: /* Not present */
35779+ printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
35780+ return 0;
35781+ default: /* Shouldn't happen */
35782+ printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
35783+ service, return_code);
35784+ return 0;
35785 }
35786 }
35787
35788 static struct {
35789 unsigned long address;
35790 unsigned short segment;
35791-} pci_indirect = { 0, __KERNEL_CS };
35792+} pci_indirect __read_only = { 0, __PCIBIOS_CS };
35793
35794-static int pci_bios_present;
35795+static int pci_bios_present __read_only;
35796
35797 static int __init check_pcibios(void)
35798 {
35799@@ -131,11 +174,13 @@ static int __init check_pcibios(void)
35800 unsigned long flags, pcibios_entry;
35801
35802 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
35803- pci_indirect.address = pcibios_entry + PAGE_OFFSET;
35804+ pci_indirect.address = pcibios_entry;
35805
35806 local_irq_save(flags);
35807- __asm__(
35808- "lcall *(%%edi); cld\n\t"
35809+ __asm__("movw %w6, %%ds\n\t"
35810+ "lcall *%%ss:(%%edi); cld\n\t"
35811+ "push %%ss\n\t"
35812+ "pop %%ds\n\t"
35813 "jc 1f\n\t"
35814 "xor %%ah, %%ah\n"
35815 "1:"
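Review bot: The data-segment operand is addressed by position (`%w6` here and in the pci_bios_read and pci_bios_write hunks, `%w8` in pcibios_get_irq_routing_table, `%w5` in pcibios_set_irq_routing), so the index has to be recounted by hand whenever an operand is added to one of these asm statements. A named operand keeps the template and the constraint list tied together: `"movw %w[ds], %%ds\n\t"` with `[ds] "r" (__PCIBIOS_DS)`. A one-line comment that `push %%ss; pop %%ds` restores DS on the assumption that SS holds the kernel data selector would also help. The operand list of this asm statement is in the next hunk, outside this one.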
35816@@ -144,7 +189,8 @@ static int __init check_pcibios(void)
35817 "=b" (ebx),
35818 "=c" (ecx)
35819 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
35820- "D" (&pci_indirect)
35821+ "D" (&pci_indirect),
35822+ "r" (__PCIBIOS_DS)
35823 : "memory");
35824 local_irq_restore(flags);
35825
35826@@ -189,7 +235,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35827
35828 switch (len) {
35829 case 1:
35830- __asm__("lcall *(%%esi); cld\n\t"
35831+ __asm__("movw %w6, %%ds\n\t"
35832+ "lcall *%%ss:(%%esi); cld\n\t"
35833+ "push %%ss\n\t"
35834+ "pop %%ds\n\t"
35835 "jc 1f\n\t"
35836 "xor %%ah, %%ah\n"
35837 "1:"
35838@@ -198,7 +247,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35839 : "1" (PCIBIOS_READ_CONFIG_BYTE),
35840 "b" (bx),
35841 "D" ((long)reg),
35842- "S" (&pci_indirect));
35843+ "S" (&pci_indirect),
35844+ "r" (__PCIBIOS_DS));
35845 /*
35846 * Zero-extend the result beyond 8 bits, do not trust the
35847 * BIOS having done it:
35848@@ -206,7 +256,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35849 *value &= 0xff;
35850 break;
35851 case 2:
35852- __asm__("lcall *(%%esi); cld\n\t"
35853+ __asm__("movw %w6, %%ds\n\t"
35854+ "lcall *%%ss:(%%esi); cld\n\t"
35855+ "push %%ss\n\t"
35856+ "pop %%ds\n\t"
35857 "jc 1f\n\t"
35858 "xor %%ah, %%ah\n"
35859 "1:"
35860@@ -215,7 +268,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35861 : "1" (PCIBIOS_READ_CONFIG_WORD),
35862 "b" (bx),
35863 "D" ((long)reg),
35864- "S" (&pci_indirect));
35865+ "S" (&pci_indirect),
35866+ "r" (__PCIBIOS_DS));
35867 /*
35868 * Zero-extend the result beyond 16 bits, do not trust the
35869 * BIOS having done it:
35870@@ -223,7 +277,10 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35871 *value &= 0xffff;
35872 break;
35873 case 4:
35874- __asm__("lcall *(%%esi); cld\n\t"
35875+ __asm__("movw %w6, %%ds\n\t"
35876+ "lcall *%%ss:(%%esi); cld\n\t"
35877+ "push %%ss\n\t"
35878+ "pop %%ds\n\t"
35879 "jc 1f\n\t"
35880 "xor %%ah, %%ah\n"
35881 "1:"
35882@@ -232,7 +289,8 @@ static int pci_bios_read(unsigned int seg, unsigned int bus,
35883 : "1" (PCIBIOS_READ_CONFIG_DWORD),
35884 "b" (bx),
35885 "D" ((long)reg),
35886- "S" (&pci_indirect));
35887+ "S" (&pci_indirect),
35888+ "r" (__PCIBIOS_DS));
35889 break;
35890 }
35891
35892@@ -256,7 +314,10 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35893
35894 switch (len) {
35895 case 1:
35896- __asm__("lcall *(%%esi); cld\n\t"
35897+ __asm__("movw %w6, %%ds\n\t"
35898+ "lcall *%%ss:(%%esi); cld\n\t"
35899+ "push %%ss\n\t"
35900+ "pop %%ds\n\t"
35901 "jc 1f\n\t"
35902 "xor %%ah, %%ah\n"
35903 "1:"
35904@@ -265,10 +326,14 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35905 "c" (value),
35906 "b" (bx),
35907 "D" ((long)reg),
35908- "S" (&pci_indirect));
35909+ "S" (&pci_indirect),
35910+ "r" (__PCIBIOS_DS));
35911 break;
35912 case 2:
35913- __asm__("lcall *(%%esi); cld\n\t"
35914+ __asm__("movw %w6, %%ds\n\t"
35915+ "lcall *%%ss:(%%esi); cld\n\t"
35916+ "push %%ss\n\t"
35917+ "pop %%ds\n\t"
35918 "jc 1f\n\t"
35919 "xor %%ah, %%ah\n"
35920 "1:"
35921@@ -277,10 +342,14 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35922 "c" (value),
35923 "b" (bx),
35924 "D" ((long)reg),
35925- "S" (&pci_indirect));
35926+ "S" (&pci_indirect),
35927+ "r" (__PCIBIOS_DS));
35928 break;
35929 case 4:
35930- __asm__("lcall *(%%esi); cld\n\t"
35931+ __asm__("movw %w6, %%ds\n\t"
35932+ "lcall *%%ss:(%%esi); cld\n\t"
35933+ "push %%ss\n\t"
35934+ "pop %%ds\n\t"
35935 "jc 1f\n\t"
35936 "xor %%ah, %%ah\n"
35937 "1:"
35938@@ -289,7 +358,8 @@ static int pci_bios_write(unsigned int seg, unsigned int bus,
35939 "c" (value),
35940 "b" (bx),
35941 "D" ((long)reg),
35942- "S" (&pci_indirect));
35943+ "S" (&pci_indirect),
35944+ "r" (__PCIBIOS_DS));
35945 break;
35946 }
35947
35948@@ -394,10 +464,13 @@ struct irq_routing_table * pcibios_get_irq_routing_table(void)
35949
35950 DBG("PCI: Fetching IRQ routing table... ");
35951 __asm__("push %%es\n\t"
35952+ "movw %w8, %%ds\n\t"
35953 "push %%ds\n\t"
35954 "pop %%es\n\t"
35955- "lcall *(%%esi); cld\n\t"
35956+ "lcall *%%ss:(%%esi); cld\n\t"
35957 "pop %%es\n\t"
35958+ "push %%ss\n\t"
35959+ "pop %%ds\n"
35960 "jc 1f\n\t"
35961 "xor %%ah, %%ah\n"
35962 "1:"
35963@@ -408,7 +481,8 @@ struct irq_routing_table * pcibios_get_irq_routing_table(void)
35964 "1" (0),
35965 "D" ((long) &opt),
35966 "S" (&pci_indirect),
35967- "m" (opt)
35968+ "m" (opt),
35969+ "r" (__PCIBIOS_DS)
35970 : "memory");
35971 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
35972 if (ret & 0xff00)
35973@@ -432,7 +506,10 @@ int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq)
35974 {
35975 int ret;
35976
35977- __asm__("lcall *(%%esi); cld\n\t"
35978+ __asm__("movw %w5, %%ds\n\t"
35979+ "lcall *%%ss:(%%esi); cld\n\t"
35980+ "push %%ss\n\t"
35981+ "pop %%ds\n"
35982 "jc 1f\n\t"
35983 "xor %%ah, %%ah\n"
35984 "1:"
35985@@ -440,7 +517,8 @@ int pcibios_set_irq_routing(struct pci_dev *dev, int pin, int irq)
35986 : "0" (PCIBIOS_SET_PCI_HW_INT),
35987 "b" ((dev->bus->number << 8) | dev->devfn),
35988 "c" ((irq << 8) | (pin + 10)),
35989- "S" (&pci_indirect));
35990+ "S" (&pci_indirect),
35991+ "r" (__PCIBIOS_DS));
35992 return !(ret & 0xff00);
35993 }
35994 EXPORT_SYMBOL(pcibios_set_irq_routing);
35995diff --git a/arch/x86/platform/efi/efi_32.c b/arch/x86/platform/efi/efi_32.c
35996index ed5b673..24d2d53 100644
35997--- a/arch/x86/platform/efi/efi_32.c
35998+++ b/arch/x86/platform/efi/efi_32.c
35999@@ -61,11 +61,27 @@ pgd_t * __init efi_call_phys_prolog(void)
36000 struct desc_ptr gdt_descr;
36001 pgd_t *save_pgd;
36002
36003+#ifdef CONFIG_PAX_KERNEXEC
36004+ struct desc_struct d;
36005+#endif
36006+
36007 /* Current pgd is swapper_pg_dir, we'll restore it later: */
36008+#ifdef CONFIG_PAX_PER_CPU_PGD
36009+ save_pgd = get_cpu_pgd(smp_processor_id(), kernel);
36010+#else
36011 save_pgd = swapper_pg_dir;
36012+#endif
36013+
36014 load_cr3(initial_page_table);
36015 __flush_tlb_all();
36016
36017+#ifdef CONFIG_PAX_KERNEXEC
36018+ pack_descriptor(&d, 0, 0xFFFFF, 0x9B, 0xC);
36019+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
36020+ pack_descriptor(&d, 0, 0xFFFFF, 0x93, 0xC);
36021+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
36022+#endif
36023+
36024 gdt_descr.address = __pa(get_cpu_gdt_table(0));
36025 gdt_descr.size = GDT_SIZE - 1;
36026 load_gdt(&gdt_descr);
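Review bot: The `pack_descriptor()` arguments are bare constants with no comment, and in a GDT write a wrong bit changes the privilege or size of the segment. As written, 0x9B and 0x93 are present ring-0 code and data types, and flags 0xC with limit 0xFFFFF give a flat 32-bit 4 GiB segment. A comment such as `/* flat 4 GiB ring-0 code/data segments, cleared again in efi_call_phys_epilog() */` above the block would make that reviewable. The entries go into CPU 0's GDT while the `CONFIG_PAX_PER_CPU_PGD` branch just above uses `smp_processor_id()`; presumably this path only runs on the boot CPU, which the comment could state. The function body continues outside the hunk.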
36027@@ -77,6 +93,14 @@ void __init efi_call_phys_epilog(pgd_t *save_pgd)
36028 {
36029 struct desc_ptr gdt_descr;
36030
36031+#ifdef CONFIG_PAX_KERNEXEC
36032+ struct desc_struct d;
36033+
36034+ memset(&d, 0, sizeof d);
36035+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_CS, &d, DESCTYPE_S);
36036+ write_gdt_entry(get_cpu_gdt_table(0), GDT_ENTRY_KERNEXEC_EFI_DS, &d, DESCTYPE_S);
36037+#endif
36038+
36039 gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
36040 gdt_descr.size = GDT_SIZE - 1;
36041 load_gdt(&gdt_descr);
36042diff --git a/arch/x86/platform/efi/efi_64.c b/arch/x86/platform/efi/efi_64.c
36043index a0ac0f9..f41d324 100644
36044--- a/arch/x86/platform/efi/efi_64.c
36045+++ b/arch/x86/platform/efi/efi_64.c
36046@@ -96,6 +96,11 @@ pgd_t * __init efi_call_phys_prolog(void)
36047 vaddress = (unsigned long)__va(pgd * PGDIR_SIZE);
36048 set_pgd(pgd_offset_k(pgd * PGDIR_SIZE), *pgd_offset_k(vaddress));
36049 }
36050+
36051+#ifdef CONFIG_PAX_PER_CPU_PGD
36052+ load_cr3(swapper_pg_dir);
36053+#endif
36054+
36055 __flush_tlb_all();
36056
36057 return save_pgd;
36058@@ -119,6 +124,10 @@ void __init efi_call_phys_epilog(pgd_t *save_pgd)
36059
36060 kfree(save_pgd);
36061
36062+#ifdef CONFIG_PAX_PER_CPU_PGD
36063+ load_cr3(get_cpu_pgd(smp_processor_id(), kernel));
36064+#endif
36065+
36066 __flush_tlb_all();
36067 early_code_mapping_set_exec(0);
36068 }
36069@@ -148,8 +157,23 @@ int __init efi_setup_page_tables(unsigned long pa_memmap, unsigned num_pages)
36070 unsigned npages;
36071 pgd_t *pgd;
36072
36073- if (efi_enabled(EFI_OLD_MEMMAP))
36074+ if (efi_enabled(EFI_OLD_MEMMAP)) {
36075+ /* PaX: We need to disable the NX bit in the PGD, otherwise we won't be
36076+ * able to execute the EFI services.
36077+ */
36078+ if (__supported_pte_mask & _PAGE_NX) {
36079+ unsigned long addr = (unsigned long) __va(0);
36080+ pgd_t pe = __pgd(pgd_val(*pgd_offset_k(addr)) & ~_PAGE_NX);
36081+
36082+ pr_alert("PAX: Disabling NX protection for low memory map. Try booting without \"efi=old_map\"\n");
36083+#ifdef CONFIG_PAX_PER_CPU_PGD
36084+ set_pgd(pgd_offset_cpu(0, kernel, addr), pe);
36085+#endif
36086+ set_pgd(pgd_offset_k(addr), pe);
36087+ }
36088+
36089 return 0;
36090+ }
36091
36092 efi_scratch.efi_pgt = (pgd_t *)(unsigned long)real_mode_header->trampoline_pgd;
36093 pgd = __va(efi_scratch.efi_pgt);
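Review bot: The NX bit is cleared on the top-level entry covering `__va(0)` and nothing in this hunk sets it back, so the relaxation appears to last for the lifetime of the kernel rather than only for the EFI calls. The comment should say so, for example by adding `The bit is not restored afterwards; only lower-level entries can still mark pages NX.` Under `CONFIG_PAX_PER_CPU_PGD` only CPU 0's PGD is updated through `pgd_offset_cpu(0, kernel, addr)`; presumably the other per-CPU PGDs are populated later from this state, which is worth stating in the same comment. efi_setup_page_tables continues outside the hunk.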
36094diff --git a/arch/x86/platform/efi/efi_stub_32.S b/arch/x86/platform/efi/efi_stub_32.S
36095index 040192b..7d3300f 100644
36096--- a/arch/x86/platform/efi/efi_stub_32.S
36097+++ b/arch/x86/platform/efi/efi_stub_32.S
36098@@ -6,7 +6,9 @@
36099 */
36100
36101 #include <linux/linkage.h>
36102+#include <linux/init.h>
36103 #include <asm/page_types.h>
36104+#include <asm/segment.h>
36105
36106 /*
36107 * efi_call_phys(void *, ...) is a function with variable parameters.
36108@@ -20,7 +22,7 @@
36109 * service functions will comply with gcc calling convention, too.
36110 */
36111
36112-.text
36113+__INIT
36114 ENTRY(efi_call_phys)
36115 /*
36116 * 0. The function can only be called in Linux kernel. So CS has been
36117@@ -36,10 +38,24 @@ ENTRY(efi_call_phys)
36118 * The mapping of lower virtual memory has been created in prolog and
36119 * epilog.
36120 */
36121- movl $1f, %edx
36122- subl $__PAGE_OFFSET, %edx
36123- jmp *%edx
36124+#ifdef CONFIG_PAX_KERNEXEC
36125+ movl $(__KERNEXEC_EFI_DS), %edx
36126+ mov %edx, %ds
36127+ mov %edx, %es
36128+ mov %edx, %ss
36129+ addl $2f,(1f)
36130+ ljmp *(1f)
36131+
36132+__INITDATA
36133+1: .long __LOAD_PHYSICAL_ADDR, __KERNEXEC_EFI_CS
36134+.previous
36135+
36136+2:
36137+ subl $2b,(1b)
36138+#else
36139+ jmp 1f-__PAGE_OFFSET
36140 1:
36141+#endif
36142
36143 /*
36144 * 2. Now on the top of stack is the return
36145@@ -47,14 +63,8 @@ ENTRY(efi_call_phys)
36146 * parameter 2, ..., param n. To make things easy, we save the return
36147 * address of efi_call_phys in a global variable.
36148 */
36149- popl %edx
36150- movl %edx, saved_return_addr
36151- /* get the function pointer into ECX*/
36152- popl %ecx
36153- movl %ecx, efi_rt_function_ptr
36154- movl $2f, %edx
36155- subl $__PAGE_OFFSET, %edx
36156- pushl %edx
36157+ popl (saved_return_addr)
36158+ popl (efi_rt_function_ptr)
36159
36160 /*
36161 * 3. Clear PG bit in %CR0.
36162@@ -73,9 +83,8 @@ ENTRY(efi_call_phys)
36163 /*
36164 * 5. Call the physical function.
36165 */
36166- jmp *%ecx
36167+ call *(efi_rt_function_ptr-__PAGE_OFFSET)
36168
36169-2:
36170 /*
36171 * 6. After EFI runtime service returns, control will return to
36172 * following instruction. We'd better readjust stack pointer first.
36173@@ -88,35 +97,36 @@ ENTRY(efi_call_phys)
36174 movl %cr0, %edx
36175 orl $0x80000000, %edx
36176 movl %edx, %cr0
36177- jmp 1f
36178-1:
36179+
36180 /*
36181 * 8. Now restore the virtual mode from flat mode by
36182 * adding EIP with PAGE_OFFSET.
36183 */
36184- movl $1f, %edx
36185- jmp *%edx
36186+#ifdef CONFIG_PAX_KERNEXEC
36187+ movl $(__KERNEL_DS), %edx
36188+ mov %edx, %ds
36189+ mov %edx, %es
36190+ mov %edx, %ss
36191+ ljmp $(__KERNEL_CS),$1f
36192+#else
36193+ jmp 1f+__PAGE_OFFSET
36194+#endif
36195 1:
36196
36197 /*
36198 * 9. Balance the stack. And because EAX contain the return value,
36199 * we'd better not clobber it.
36200 */
36201- leal efi_rt_function_ptr, %edx
36202- movl (%edx), %ecx
36203- pushl %ecx
36204+ pushl (efi_rt_function_ptr)
36205
36206 /*
36207- * 10. Push the saved return address onto the stack and return.
36208+ * 10. Return to the saved return address.
36209 */
36210- leal saved_return_addr, %edx
36211- movl (%edx), %ecx
36212- pushl %ecx
36213- ret
36214+ jmpl *(saved_return_addr)
36215 ENDPROC(efi_call_phys)
36216 .previous
36217
36218-.data
36219+__INITDATA
36220 saved_return_addr:
36221 .long 0
36222 efi_rt_function_ptr:
36223diff --git a/arch/x86/platform/efi/efi_stub_64.S b/arch/x86/platform/efi/efi_stub_64.S
36224index 86d0f9e..6d499f4 100644
36225--- a/arch/x86/platform/efi/efi_stub_64.S
36226+++ b/arch/x86/platform/efi/efi_stub_64.S
36227@@ -11,6 +11,7 @@
36228 #include <asm/msr.h>
36229 #include <asm/processor-flags.h>
36230 #include <asm/page_types.h>
36231+#include <asm/alternative-asm.h>
36232
36233 #define SAVE_XMM \
36234 mov %rsp, %rax; \
36235@@ -88,6 +89,7 @@ ENTRY(efi_call)
36236 RESTORE_PGT
36237 addq $48, %rsp
36238 RESTORE_XMM
36239+ pax_force_retaddr 0, 1
36240 ret
36241 ENDPROC(efi_call)
36242
36243diff --git a/arch/x86/platform/intel-mid/intel-mid.c b/arch/x86/platform/intel-mid/intel-mid.c
36244index 01d54ea..ba1d71c 100644
36245--- a/arch/x86/platform/intel-mid/intel-mid.c
36246+++ b/arch/x86/platform/intel-mid/intel-mid.c
36247@@ -63,7 +63,7 @@ enum intel_mid_timer_options intel_mid_timer_options;
36248 /* intel_mid_ops to store sub arch ops */
36249 struct intel_mid_ops *intel_mid_ops;
36250 /* getter function for sub arch ops*/
36251-static void *(*get_intel_mid_ops[])(void) = INTEL_MID_OPS_INIT;
36252+static const void *(*get_intel_mid_ops[])(void) = INTEL_MID_OPS_INIT;
36253 enum intel_mid_cpu_type __intel_mid_cpu_chip;
36254 EXPORT_SYMBOL_GPL(__intel_mid_cpu_chip);
36255
36256@@ -71,9 +71,10 @@ static void intel_mid_power_off(void)
36257 {
36258 };
36259
36260-static void intel_mid_reboot(void)
36261+static void __noreturn intel_mid_reboot(void)
36262 {
36263 intel_scu_ipc_simple_command(IPCMSG_COLD_BOOT, 0);
36264+ BUG();
36265 }
36266
36267 static unsigned long __init intel_mid_calibrate_tsc(void)
36268diff --git a/arch/x86/platform/intel-mid/intel_mid_weak_decls.h b/arch/x86/platform/intel-mid/intel_mid_weak_decls.h
36269index 3c1c386..59a68ed 100644
36270--- a/arch/x86/platform/intel-mid/intel_mid_weak_decls.h
36271+++ b/arch/x86/platform/intel-mid/intel_mid_weak_decls.h
36272@@ -13,6 +13,6 @@
36273 /* For every CPU addition a new get_<cpuname>_ops interface needs
36274 * to be added.
36275 */
36276-extern void *get_penwell_ops(void);
36277-extern void *get_cloverview_ops(void);
36278-extern void *get_tangier_ops(void);
36279+extern const void *get_penwell_ops(void);
36280+extern const void *get_cloverview_ops(void);
36281+extern const void *get_tangier_ops(void);
36282diff --git a/arch/x86/platform/intel-mid/mfld.c b/arch/x86/platform/intel-mid/mfld.c
36283index 23381d2..8ddc10e 100644
36284--- a/arch/x86/platform/intel-mid/mfld.c
36285+++ b/arch/x86/platform/intel-mid/mfld.c
36286@@ -64,12 +64,12 @@ static void __init penwell_arch_setup(void)
36287 pm_power_off = mfld_power_off;
36288 }
36289
36290-void *get_penwell_ops(void)
36291+const void *get_penwell_ops(void)
36292 {
36293 return &penwell_ops;
36294 }
36295
36296-void *get_cloverview_ops(void)
36297+const void *get_cloverview_ops(void)
36298 {
36299 return &penwell_ops;
36300 }
36301diff --git a/arch/x86/platform/intel-mid/mrfl.c b/arch/x86/platform/intel-mid/mrfl.c
36302index aaca917..66eadbc 100644
36303--- a/arch/x86/platform/intel-mid/mrfl.c
36304+++ b/arch/x86/platform/intel-mid/mrfl.c
36305@@ -97,7 +97,7 @@ static struct intel_mid_ops tangier_ops = {
36306 .arch_setup = tangier_arch_setup,
36307 };
36308
36309-void *get_tangier_ops(void)
36310+const void *get_tangier_ops(void)
36311 {
36312 return &tangier_ops;
36313 }
36314diff --git a/arch/x86/platform/intel-quark/imr_selftest.c b/arch/x86/platform/intel-quark/imr_selftest.c
36315index 278e4da..35db1a9 100644
36316--- a/arch/x86/platform/intel-quark/imr_selftest.c
36317+++ b/arch/x86/platform/intel-quark/imr_selftest.c
36318@@ -55,7 +55,7 @@ static void __init imr_self_test_result(int res, const char *fmt, ...)
36319 */
36320 static void __init imr_self_test(void)
36321 {
36322- phys_addr_t base = virt_to_phys(&_text);
36323+ phys_addr_t base = virt_to_phys((void *)ktla_ktva((unsigned long)_text));
36324 size_t size = virt_to_phys(&__end_rodata) - base;
36325 const char *fmt_over = "overlapped IMR @ (0x%08lx - 0x%08lx)\n";
36326 int ret;
36327diff --git a/arch/x86/platform/olpc/olpc_dt.c b/arch/x86/platform/olpc/olpc_dt.c
36328index d6ee929..3637cb5 100644
36329--- a/arch/x86/platform/olpc/olpc_dt.c
36330+++ b/arch/x86/platform/olpc/olpc_dt.c
36331@@ -156,7 +156,7 @@ void * __init prom_early_alloc(unsigned long size)
36332 return res;
36333 }
36334
36335-static struct of_pdt_ops prom_olpc_ops __initdata = {
36336+static struct of_pdt_ops prom_olpc_ops __initconst = {
36337 .nextprop = olpc_dt_nextprop,
36338 .getproplen = olpc_dt_getproplen,
36339 .getproperty = olpc_dt_getproperty,
36340diff --git a/arch/x86/power/cpu.c b/arch/x86/power/cpu.c
36341index 9ab5279..8ba4611 100644
36342--- a/arch/x86/power/cpu.c
36343+++ b/arch/x86/power/cpu.c
36344@@ -134,11 +134,8 @@ static void do_fpu_end(void)
36345 static void fix_processor_context(void)
36346 {
36347 int cpu = smp_processor_id();
36348- struct tss_struct *t = &per_cpu(cpu_tss, cpu);
36349-#ifdef CONFIG_X86_64
36350- struct desc_struct *desc = get_cpu_gdt_table(cpu);
36351- tss_desc tss;
36352-#endif
36353+ struct tss_struct *t = cpu_tss + cpu;
36354+
36355 set_tss_desc(cpu, t); /*
36356 * This just modifies memory; should not be
36357 * necessary. But... This is necessary, because
36358@@ -147,10 +144,6 @@ static void fix_processor_context(void)
36359 */
36360
36361 #ifdef CONFIG_X86_64
36362- memcpy(&tss, &desc[GDT_ENTRY_TSS], sizeof(tss_desc));
36363- tss.type = 0x9; /* The available 64-bit TSS (see AMD vol 2, pg 91 */
36364- write_gdt_entry(desc, GDT_ENTRY_TSS, &tss, DESC_TSS);
36365-
36366 syscall_init(); /* This sets MSR_*STAR and related */
36367 #endif
36368 load_TR_desc(); /* This does ltr */
36369diff --git a/arch/x86/realmode/init.c b/arch/x86/realmode/init.c
36370index 0b7a63d..dff2199 100644
36371--- a/arch/x86/realmode/init.c
36372+++ b/arch/x86/realmode/init.c
36373@@ -68,7 +68,13 @@ void __init setup_real_mode(void)
36374 __va(real_mode_header->trampoline_header);
36375
36376 #ifdef CONFIG_X86_32
36377- trampoline_header->start = __pa_symbol(startup_32_smp);
36378+ trampoline_header->start = __pa_symbol(ktla_ktva((unsigned long)startup_32_smp));
36379+
36380+#ifdef CONFIG_PAX_KERNEXEC
36381+ trampoline_header->start -= LOAD_PHYSICAL_ADDR;
36382+#endif
36383+
36384+ trampoline_header->boot_cs = __BOOT_CS;
36385 trampoline_header->gdt_limit = __BOOT_DS + 7;
36386 trampoline_header->gdt_base = __pa_symbol(boot_gdt);
36387 #else
36388@@ -84,7 +90,7 @@ void __init setup_real_mode(void)
36389 *trampoline_cr4_features = __read_cr4();
36390
36391 trampoline_pgd = (u64 *) __va(real_mode_header->trampoline_pgd);
36392- trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd;
36393+ trampoline_pgd[0] = init_level4_pgt[pgd_index(__PAGE_OFFSET)].pgd & ~_PAGE_NX;
36394 trampoline_pgd[511] = init_level4_pgt[511].pgd;
36395 #endif
36396 }
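Review bot: Masking `_PAGE_NX` out of `trampoline_pgd[0]` removes the top-level no-execute restriction for everything reachable through that entry, and the line carries no explanation. A comment such as `/* the trampoline executes through entry 0, so it must not carry NX (presumably set on the source PGD entry under PaX) */` would record why entry 0 is treated differently from entry 511, which is copied unmasked. setup_real_mode starts outside the hunk.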
36397diff --git a/arch/x86/realmode/rm/Makefile b/arch/x86/realmode/rm/Makefile
36398index 2730d77..2e4cd19 100644
36399--- a/arch/x86/realmode/rm/Makefile
36400+++ b/arch/x86/realmode/rm/Makefile
36401@@ -68,5 +68,8 @@ $(obj)/realmode.relocs: $(obj)/realmode.elf FORCE
36402
36403 KBUILD_CFLAGS := $(LINUXINCLUDE) $(REALMODE_CFLAGS) -D_SETUP -D_WAKEUP \
36404 -I$(srctree)/arch/x86/boot
36405+ifdef CONSTIFY_PLUGIN
36406+KBUILD_CFLAGS += -fplugin-arg-constify_plugin-no-constify
36407+endif
36408 KBUILD_AFLAGS := $(KBUILD_CFLAGS) -D__ASSEMBLY__
36409 GCOV_PROFILE := n
36410diff --git a/arch/x86/realmode/rm/header.S b/arch/x86/realmode/rm/header.S
36411index a28221d..93c40f1 100644
36412--- a/arch/x86/realmode/rm/header.S
36413+++ b/arch/x86/realmode/rm/header.S
36414@@ -30,7 +30,9 @@ GLOBAL(real_mode_header)
36415 #endif
36416 /* APM/BIOS reboot */
36417 .long pa_machine_real_restart_asm
36418-#ifdef CONFIG_X86_64
36419+#ifdef CONFIG_X86_32
36420+ .long __KERNEL_CS
36421+#else
36422 .long __KERNEL32_CS
36423 #endif
36424 END(real_mode_header)
36425diff --git a/arch/x86/realmode/rm/reboot.S b/arch/x86/realmode/rm/reboot.S
36426index d66c607..3def845 100644
36427--- a/arch/x86/realmode/rm/reboot.S
36428+++ b/arch/x86/realmode/rm/reboot.S
36429@@ -27,6 +27,10 @@ ENTRY(machine_real_restart_asm)
36430 lgdtl pa_tr_gdt
36431
36432 /* Disable paging to drop us out of long mode */
36433+ movl %cr4, %eax
36434+ andl $~X86_CR4_PCIDE, %eax
36435+ movl %eax, %cr4
36436+
36437 movl %cr0, %eax
36438 andl $~X86_CR0_PG, %eax
36439 movl %eax, %cr0
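Review bot: The existing comment `/* Disable paging to drop us out of long mode */` now sits directly above the new CR4 sequence rather than the CR0 write it describes. The ordering matters, because on x86 clearing CR0.PG while CR4.PCIDE is set faults, so the new lines deserve their own comment, e.g. `/* CR4.PCIDE must be clear before CR0.PG can be cleared */` above `movl %cr4, %eax`. The original comment should then move down to the CR0 block. machine_real_restart_asm continues outside the hunk.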
36440diff --git a/arch/x86/realmode/rm/trampoline_32.S b/arch/x86/realmode/rm/trampoline_32.S
36441index 48ddd76..c26749f 100644
36442--- a/arch/x86/realmode/rm/trampoline_32.S
36443+++ b/arch/x86/realmode/rm/trampoline_32.S
36444@@ -24,6 +24,12 @@
36445 #include <asm/page_types.h>
36446 #include "realmode.h"
36447
36448+#ifdef CONFIG_PAX_KERNEXEC
36449+#define ta(X) (X)
36450+#else
36451+#define ta(X) (pa_ ## X)
36452+#endif
36453+
36454 .text
36455 .code16
36456
36457@@ -38,8 +44,6 @@ ENTRY(trampoline_start)
36458
36459 cli # We should be safe anyway
36460
36461- movl tr_start, %eax # where we need to go
36462-
36463 movl $0xA5A5A5A5, trampoline_status
36464 # write marker for master knows we're running
36465
36466@@ -55,7 +59,7 @@ ENTRY(trampoline_start)
36467 movw $1, %dx # protected mode (PE) bit
36468 lmsw %dx # into protected mode
36469
36470- ljmpl $__BOOT_CS, $pa_startup_32
36471+ ljmpl *(trampoline_header)
36472
36473 .section ".text32","ax"
36474 .code32
36475@@ -66,7 +70,7 @@ ENTRY(startup_32) # note: also used from wakeup_asm.S
36476 .balign 8
36477 GLOBAL(trampoline_header)
36478 tr_start: .space 4
36479- tr_gdt_pad: .space 2
36480+ tr_boot_cs: .space 2
36481 tr_gdt: .space 6
36482 END(trampoline_header)
36483
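Review bot: `tr_start` and `tr_boot_cs` are now read together as a 32-bit offset plus 16-bit selector by `ljmpl *(trampoline_header)` in the earlier hunk, so their order and sizes are load-bearing, yet nothing at the definition says so. A comment on the two lines, for example `# tr_start + tr_boot_cs form the far pointer used by ljmpl in trampoline_start; keep adjacent`, would protect against a later reorder. The C side fills both fields in `setup_real_mode` (`trampoline_header->start`, `->boot_cs`), so the struct declaration, which is not visible here, has to match this layout too.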
36484diff --git a/arch/x86/realmode/rm/trampoline_64.S b/arch/x86/realmode/rm/trampoline_64.S
36485index dac7b20..72dbaca 100644
36486--- a/arch/x86/realmode/rm/trampoline_64.S
36487+++ b/arch/x86/realmode/rm/trampoline_64.S
36488@@ -93,6 +93,7 @@ ENTRY(startup_32)
36489 movl %edx, %gs
36490
36491 movl pa_tr_cr4, %eax
36492+ andl $~X86_CR4_PCIDE, %eax
36493 movl %eax, %cr4 # Enable PAE mode
36494
36495 # Setup trampoline 4 level pagetables
36496@@ -106,7 +107,7 @@ ENTRY(startup_32)
36497 wrmsr
36498
36499 # Enable paging and in turn activate Long Mode
36500- movl $(X86_CR0_PG | X86_CR0_WP | X86_CR0_PE), %eax
36501+ movl $(X86_CR0_PG | X86_CR0_PE), %eax
36502 movl %eax, %cr0
36503
36504 /*
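Review bot: `X86_CR0_WP` is dropped from the CR0 value without a comment, so from this instruction on supervisor writes to read-only pages are not blocked until something sets WP again. Nothing in the hunk shows where that happens; presumably a later stage of startup enables it. A short comment on the `movl` line, giving the reason for leaving WP clear and the place where it is turned on, would let a reader confirm that the window is closed. startup_32 continues outside the hunk.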
36505diff --git a/arch/x86/realmode/rm/wakeup_asm.S b/arch/x86/realmode/rm/wakeup_asm.S
36506index 9e7e147..25a4158 100644
36507--- a/arch/x86/realmode/rm/wakeup_asm.S
36508+++ b/arch/x86/realmode/rm/wakeup_asm.S
36509@@ -126,11 +126,10 @@ ENTRY(wakeup_start)
36510 lgdtl pmode_gdt
36511
36512 /* This really couldn't... */
36513- movl pmode_entry, %eax
36514 movl pmode_cr0, %ecx
36515 movl %ecx, %cr0
36516- ljmpl $__KERNEL_CS, $pa_startup_32
36517- /* -> jmp *%eax in trampoline_32.S */
36518+
36519+ ljmpl *pmode_entry
36520 #else
36521 jmp trampoline_start
36522 #endif
36523diff --git a/arch/x86/tools/Makefile b/arch/x86/tools/Makefile
36524index 604a37e..e49702a 100644
36525--- a/arch/x86/tools/Makefile
36526+++ b/arch/x86/tools/Makefile
36527@@ -37,7 +37,7 @@ $(obj)/test_get_len.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/in
36528
36529 $(obj)/insn_sanity.o: $(srctree)/arch/x86/lib/insn.c $(srctree)/arch/x86/lib/inat.c $(srctree)/arch/x86/include/asm/inat_types.h $(srctree)/arch/x86/include/asm/inat.h $(srctree)/arch/x86/include/asm/insn.h $(objtree)/arch/x86/lib/inat-tables.c
36530
36531-HOST_EXTRACFLAGS += -I$(srctree)/tools/include
36532+HOST_EXTRACFLAGS += -I$(srctree)/tools/include -ggdb
36533 hostprogs-y += relocs
36534 relocs-objs := relocs_32.o relocs_64.o relocs_common.o
36535 PHONY += relocs
36536diff --git a/arch/x86/tools/relocs.c b/arch/x86/tools/relocs.c
36537index 0c2fae8..88d7719 100644
36538--- a/arch/x86/tools/relocs.c
36539+++ b/arch/x86/tools/relocs.c
36540@@ -1,5 +1,7 @@
36541 /* This is included from relocs_32/64.c */
36542
36543+#include "../../../include/generated/autoconf.h"
36544+
36545 #define ElfW(type) _ElfW(ELF_BITS, type)
36546 #define _ElfW(bits, type) __ElfW(bits, type)
36547 #define __ElfW(bits, type) Elf##bits##_##type
36548@@ -11,6 +13,7 @@
36549 #define Elf_Sym ElfW(Sym)
36550
36551 static Elf_Ehdr ehdr;
36552+static Elf_Phdr *phdr;
36553
36554 struct relocs {
36555 uint32_t *offset;
36556@@ -386,9 +389,39 @@ static void read_ehdr(FILE *fp)
36557 }
36558 }
36559
36560+static void read_phdrs(FILE *fp)
36561+{
36562+ unsigned int i;
36563+
36564+ phdr = calloc(ehdr.e_phnum, sizeof(Elf_Phdr));
36565+ if (!phdr) {
36566+ die("Unable to allocate %d program headers\n",
36567+ ehdr.e_phnum);
36568+ }
36569+ if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
36570+ die("Seek to %d failed: %s\n",
36571+ ehdr.e_phoff, strerror(errno));
36572+ }
36573+ if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
36574+ die("Cannot read ELF program headers: %s\n",
36575+ strerror(errno));
36576+ }
36577+ for(i = 0; i < ehdr.e_phnum; i++) {
36578+ phdr[i].p_type = elf_word_to_cpu(phdr[i].p_type);
36579+ phdr[i].p_offset = elf_off_to_cpu(phdr[i].p_offset);
36580+ phdr[i].p_vaddr = elf_addr_to_cpu(phdr[i].p_vaddr);
36581+ phdr[i].p_paddr = elf_addr_to_cpu(phdr[i].p_paddr);
36582+ phdr[i].p_filesz = elf_word_to_cpu(phdr[i].p_filesz);
36583+ phdr[i].p_memsz = elf_word_to_cpu(phdr[i].p_memsz);
36584+ phdr[i].p_flags = elf_word_to_cpu(phdr[i].p_flags);
36585+ phdr[i].p_align = elf_word_to_cpu(phdr[i].p_align);
36586+ }
36587+
36588+}
36589+
36590 static void read_shdrs(FILE *fp)
36591 {
36592- int i;
36593+ unsigned int i;
36594 Elf_Shdr shdr;
36595
36596 secs = calloc(ehdr.e_shnum, sizeof(struct section));
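Review bot: `p_filesz`, `p_memsz` and `p_align` are converted with `elf_word_to_cpu`, but this file is also built for `ELF_BITS == 64`, where those three fields are Xword-sized; if `elf_word_to_cpu` is a 32-bit conversion, as its name suggests, the values are truncated. `elf_xword_to_cpu`, which the file already uses for `r_info`, fits both widths: `phdr[i].p_filesz = elf_xword_to_cpu(phdr[i].p_filesz);` and likewise for `p_memsz` and `p_align`. The `die()` call also prints `ehdr.e_phoff` with `%d`, which does not match a 64-bit offset. The only visible consumer of `phdr` is under `CONFIG_X86_32`, so the effect today is probably limited to the 64-bit build carrying wrong values.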
36597@@ -423,7 +456,7 @@ static void read_shdrs(FILE *fp)
36598
36599 static void read_strtabs(FILE *fp)
36600 {
36601- int i;
36602+ unsigned int i;
36603 for (i = 0; i < ehdr.e_shnum; i++) {
36604 struct section *sec = &secs[i];
36605 if (sec->shdr.sh_type != SHT_STRTAB) {
36606@@ -448,7 +481,7 @@ static void read_strtabs(FILE *fp)
36607
36608 static void read_symtabs(FILE *fp)
36609 {
36610- int i,j;
36611+ unsigned int i,j;
36612 for (i = 0; i < ehdr.e_shnum; i++) {
36613 struct section *sec = &secs[i];
36614 if (sec->shdr.sh_type != SHT_SYMTAB) {
36615@@ -479,9 +512,11 @@ static void read_symtabs(FILE *fp)
36616 }
36617
36618
36619-static void read_relocs(FILE *fp)
36620+static void read_relocs(FILE *fp, int use_real_mode)
36621 {
36622- int i,j;
36623+ unsigned int i,j;
36624+ uint32_t base;
36625+
36626 for (i = 0; i < ehdr.e_shnum; i++) {
36627 struct section *sec = &secs[i];
36628 if (sec->shdr.sh_type != SHT_REL_TYPE) {
36629@@ -501,9 +536,22 @@ static void read_relocs(FILE *fp)
36630 die("Cannot read symbol table: %s\n",
36631 strerror(errno));
36632 }
36633+ base = 0;
36634+
36635+#ifdef CONFIG_X86_32
36636+ for (j = 0; !use_real_mode && j < ehdr.e_phnum; j++) {
36637+ if (phdr[j].p_type != PT_LOAD )
36638+ continue;
36639+ if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
36640+ continue;
36641+ base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
36642+ break;
36643+ }
36644+#endif
36645+
36646 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf_Rel); j++) {
36647 Elf_Rel *rel = &sec->reltab[j];
36648- rel->r_offset = elf_addr_to_cpu(rel->r_offset);
36649+ rel->r_offset = elf_addr_to_cpu(rel->r_offset) + base;
36650 rel->r_info = elf_xword_to_cpu(rel->r_info);
36651 #if (SHT_REL_TYPE == SHT_RELA)
36652 rel->r_addend = elf_xword_to_cpu(rel->r_addend);
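Review bot: `sec->shdr.sh_info` is used as an index into `secs` without a visible range check, so a relocation section with an out-of-range `sh_info` makes the new loop read past the array. A guard before the loop, `if (sec->shdr.sh_info >= ehdr.e_shnum) die("Invalid sh_info in relocation section\n");`, keeps the tool failing cleanly on a malformed object. The comparison would also read better with the target header held in a local, since `secs[sec->shdr.sh_info].shdr.sh_offset` is spelled out twice. read_relocs starts and ends outside the hunk, so a check may already exist there.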
36653@@ -515,7 +563,7 @@ static void read_relocs(FILE *fp)
36654
36655 static void print_absolute_symbols(void)
36656 {
36657- int i;
36658+ unsigned int i;
36659 const char *format;
36660
36661 if (ELF_BITS == 64)
36662@@ -528,7 +576,7 @@ static void print_absolute_symbols(void)
36663 for (i = 0; i < ehdr.e_shnum; i++) {
36664 struct section *sec = &secs[i];
36665 char *sym_strtab;
36666- int j;
36667+ unsigned int j;
36668
36669 if (sec->shdr.sh_type != SHT_SYMTAB) {
36670 continue;
36671@@ -555,7 +603,7 @@ static void print_absolute_symbols(void)
36672
36673 static void print_absolute_relocs(void)
36674 {
36675- int i, printed = 0;
36676+ unsigned int i, printed = 0;
36677 const char *format;
36678
36679 if (ELF_BITS == 64)
36680@@ -568,7 +616,7 @@ static void print_absolute_relocs(void)
36681 struct section *sec_applies, *sec_symtab;
36682 char *sym_strtab;
36683 Elf_Sym *sh_symtab;
36684- int j;
36685+ unsigned int j;
36686 if (sec->shdr.sh_type != SHT_REL_TYPE) {
36687 continue;
36688 }
36689@@ -645,13 +693,13 @@ static void add_reloc(struct relocs *r, uint32_t offset)
36690 static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel,
36691 Elf_Sym *sym, const char *symname))
36692 {
36693- int i;
36694+ unsigned int i;
36695 /* Walk through the relocations */
36696 for (i = 0; i < ehdr.e_shnum; i++) {
36697 char *sym_strtab;
36698 Elf_Sym *sh_symtab;
36699 struct section *sec_applies, *sec_symtab;
36700- int j;
36701+ unsigned int j;
36702 struct section *sec = &secs[i];
36703
36704 if (sec->shdr.sh_type != SHT_REL_TYPE) {
36705@@ -697,7 +745,7 @@ static void walk_relocs(int (*process)(struct section *sec, Elf_Rel *rel,
36706 * kernel data and does not require special treatment.
36707 *
36708 */
36709-static int per_cpu_shndx = -1;
36710+static unsigned int per_cpu_shndx = ~0;
36711 static Elf_Addr per_cpu_load_addr;
36712
36713 static void percpu_init(void)
36714@@ -830,6 +878,23 @@ static int do_reloc32(struct section *sec, Elf_Rel *rel, Elf_Sym *sym,
36715 {
36716 unsigned r_type = ELF32_R_TYPE(rel->r_info);
36717 int shn_abs = (sym->st_shndx == SHN_ABS) && !is_reloc(S_REL, symname);
36718+ char *sym_strtab = sec->link->link->strtab;
36719+
36720+ /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
36721+ if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
36722+ return 0;
36723+
36724+#ifdef CONFIG_PAX_KERNEXEC
36725+ /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
36726+ if (!strcmp(sec_name(sym->st_shndx), ".text.end") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
36727+ return 0;
36728+ if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
36729+ return 0;
36730+ if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
36731+ return 0;
36732+ if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
36733+ return 0;
36734+#endif
36735
36736 switch (r_type) {
36737 case R_386_NONE:
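Review bot: The added checks call `sym_name(sym_strtab, sym)` although the function already receives `symname`, which the context line passes to `is_reloc()`. If that parameter is the same string, the new `sym_strtab` local and the `sec->link->link` dereference are unnecessary. `sec_name(sym->st_shndx)` is likewise evaluated up to five times. Hoisting it once, `const char *secname = sec_name(sym->st_shndx);`, and comparing against `symname` would shorten every condition, e.g. `if (!strcmp(secname, ".init.text")) return 0;`. do_reloc32 continues outside the hunk.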
36738@@ -968,7 +1033,7 @@ static int write32_as_text(uint32_t v, FILE *f)
36739
36740 static void emit_relocs(int as_text, int use_real_mode)
36741 {
36742- int i;
36743+ unsigned int i;
36744 int (*write_reloc)(uint32_t, FILE *) = write32;
36745 int (*do_reloc)(struct section *sec, Elf_Rel *rel, Elf_Sym *sym,
36746 const char *symname);
36747@@ -1078,10 +1143,11 @@ void process(FILE *fp, int use_real_mode, int as_text,
36748 {
36749 regex_init(use_real_mode);
36750 read_ehdr(fp);
36751+ read_phdrs(fp);
36752 read_shdrs(fp);
36753 read_strtabs(fp);
36754 read_symtabs(fp);
36755- read_relocs(fp);
36756+ read_relocs(fp, use_real_mode);
36757 if (ELF_BITS == 64)
36758 percpu_init();
36759 if (show_absolute_syms) {
36760diff --git a/arch/x86/um/mem_32.c b/arch/x86/um/mem_32.c
36761index 744afdc..a0b8a0d 100644
36762--- a/arch/x86/um/mem_32.c
36763+++ b/arch/x86/um/mem_32.c
36764@@ -20,7 +20,7 @@ static int __init gate_vma_init(void)
36765 gate_vma.vm_start = FIXADDR_USER_START;
36766 gate_vma.vm_end = FIXADDR_USER_END;
36767 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
36768- gate_vma.vm_page_prot = __P101;
36769+ gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
36770
36771 return 0;
36772 }
36773diff --git a/arch/x86/um/tls_32.c b/arch/x86/um/tls_32.c
36774index 48e3858..ab4458c 100644
36775--- a/arch/x86/um/tls_32.c
36776+++ b/arch/x86/um/tls_32.c
36777@@ -261,7 +261,7 @@ out:
36778 if (unlikely(task == current &&
36779 !t->arch.tls_array[idx - GDT_ENTRY_TLS_MIN].flushed)) {
36780 printk(KERN_ERR "get_tls_entry: task with pid %d got here "
36781- "without flushed TLS.", current->pid);
36782+ "without flushed TLS.", task_pid_nr(current));
36783 }
36784
36785 return 0;
36786diff --git a/arch/x86/xen/Kconfig b/arch/x86/xen/Kconfig
36787index 4841453..d59a203 100644
36788--- a/arch/x86/xen/Kconfig
36789+++ b/arch/x86/xen/Kconfig
36790@@ -9,6 +9,7 @@ config XEN
36791 select XEN_HAVE_PVMMU
36792 depends on X86_64 || (X86_32 && X86_PAE)
36793 depends on X86_LOCAL_APIC && X86_TSC
36794+ depends on !GRKERNSEC_CONFIG_AUTO || GRKERNSEC_CONFIG_VIRT_XEN
36795 help
36796 This is the Linux Xen port. Enabling this will allow the
36797 kernel to boot in a paravirtualized environment under the
36798diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c
36799index 777ad2f..fa43e03 100644
36800--- a/arch/x86/xen/enlighten.c
36801+++ b/arch/x86/xen/enlighten.c
36802@@ -129,8 +129,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
36803
36804 struct shared_info xen_dummy_shared_info;
36805
36806-void *xen_initial_gdt;
36807-
36808 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
36809 __read_mostly int xen_have_vector_callback;
36810 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
36811@@ -588,8 +586,7 @@ static void xen_load_gdt(const struct desc_ptr *dtr)
36812 {
36813 unsigned long va = dtr->address;
36814 unsigned int size = dtr->size + 1;
36815- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
36816- unsigned long frames[pages];
36817+ unsigned long frames[65536 / PAGE_SIZE];
36818 int f;
36819
36820 /*
36821@@ -637,8 +634,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
36822 {
36823 unsigned long va = dtr->address;
36824 unsigned int size = dtr->size + 1;
36825- unsigned pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
36826- unsigned long frames[pages];
36827+ unsigned long frames[(GDT_SIZE + PAGE_SIZE - 1) / PAGE_SIZE];
36828 int f;
36829
36830 /*
36831@@ -646,7 +642,7 @@ static void __init xen_load_gdt_boot(const struct desc_ptr *dtr)
36832 * 8-byte entries, or 16 4k pages..
36833 */
36834
36835- BUG_ON(size > 65536);
36836+ BUG_ON(size > GDT_SIZE);
36837 BUG_ON(va & ~PAGE_MASK);
36838
36839 for (f = 0; va < dtr->address + size; va += PAGE_SIZE, f++) {
36840@@ -1268,30 +1264,30 @@ static const struct pv_apic_ops xen_apic_ops __initconst = {
36841 #endif
36842 };
36843
36844-static void xen_reboot(int reason)
36845+static __noreturn void xen_reboot(int reason)
36846 {
36847 struct sched_shutdown r = { .reason = reason };
36848
36849- if (HYPERVISOR_sched_op(SCHEDOP_shutdown, &r))
36850- BUG();
36851+ HYPERVISOR_sched_op(SCHEDOP_shutdown, &r);
36852+ BUG();
36853 }
36854
36855-static void xen_restart(char *msg)
36856+static __noreturn void xen_restart(char *msg)
36857 {
36858 xen_reboot(SHUTDOWN_reboot);
36859 }
36860
36861-static void xen_emergency_restart(void)
36862+static __noreturn void xen_emergency_restart(void)
36863 {
36864 xen_reboot(SHUTDOWN_reboot);
36865 }
36866
36867-static void xen_machine_halt(void)
36868+static __noreturn void xen_machine_halt(void)
36869 {
36870 xen_reboot(SHUTDOWN_poweroff);
36871 }
36872
36873-static void xen_machine_power_off(void)
36874+static __noreturn void xen_machine_power_off(void)
36875 {
36876 if (pm_power_off)
36877 pm_power_off();
36878@@ -1444,8 +1440,11 @@ static void __ref xen_setup_gdt(int cpu)
36879 pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry_boot;
36880 pv_cpu_ops.load_gdt = xen_load_gdt_boot;
36881
36882- setup_stack_canary_segment(0);
36883- switch_to_new_gdt(0);
36884+ setup_stack_canary_segment(cpu);
36885+#ifdef CONFIG_X86_64
36886+ load_percpu_segment(cpu);
36887+#endif
36888+ switch_to_new_gdt(cpu);
36889
36890 pv_cpu_ops.write_gdt_entry = xen_write_gdt_entry;
36891 pv_cpu_ops.load_gdt = xen_load_gdt;
36892@@ -1561,7 +1560,17 @@ asmlinkage __visible void __init xen_start_kernel(void)
36893 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
36894
36895 /* Work out if we support NX */
36896- x86_configure_nx();
36897+#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
36898+ if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
36899+ (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
36900+ unsigned l, h;
36901+
36902+ __supported_pte_mask |= _PAGE_NX;
36903+ rdmsr(MSR_EFER, l, h);
36904+ l |= EFER_NX;
36905+ wrmsr(MSR_EFER, l, h);
36906+ }
36907+#endif
36908
36909 /* Get mfn list */
36910 xen_build_dynamic_phys_to_machine();
36911@@ -1589,13 +1598,6 @@ asmlinkage __visible void __init xen_start_kernel(void)
36912
36913 machine_ops = xen_machine_ops;
36914
36915- /*
36916- * The only reliable way to retain the initial address of the
36917- * percpu gdt_page is to remember it here, so we can go and
36918- * mark it RW later, when the initial percpu area is freed.
36919- */
36920- xen_initial_gdt = &per_cpu(gdt_page, 0);
36921-
36922 xen_smp_init();
36923
36924 #ifdef CONFIG_ACPI_NUMA
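Review bot: In the xen_load_gdt() hunk the new `unsigned long frames[65536 / PAGE_SIZE];` sizes the array with a bare literal, while the xen_load_gdt_boot() hunk uses `GDT_SIZE` for both the array and its `BUG_ON(size > GDT_SIZE)`. The boot variant fills `frames[f]` in a loop bounded only by `size`; if xen_load_gdt() does the same, the fixed array is in bounds only while its own size check, which is outside the hunk, uses the same limit. I would name the limit once and use it for both the declaration and the check, or at least add `/* must match the BUG_ON(size > ...) limit below */` beside the declaration. Both function bodies continue outside their hunks.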
36925diff --git a/arch/x86/xen/mmu.c b/arch/x86/xen/mmu.c
36926index dd151b2..3291e38 100644
36927--- a/arch/x86/xen/mmu.c
36928+++ b/arch/x86/xen/mmu.c
36929@@ -1835,7 +1835,11 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
36930 * L3_k[511] -> level2_fixmap_pgt */
36931 convert_pfn_mfn(level3_kernel_pgt);
36932
36933+ convert_pfn_mfn(level3_vmalloc_start_pgt);
36934+ convert_pfn_mfn(level3_vmalloc_end_pgt);
36935+ convert_pfn_mfn(level3_vmemmap_pgt);
36936 /* L3_k[511][506] -> level1_fixmap_pgt */
36937+ /* L3_k[511][507] -> level1_vsyscall_pgt */
36938 convert_pfn_mfn(level2_fixmap_pgt);
36939 }
36940 /* We get [511][511] and have Xen's version of level2_kernel_pgt */
36941@@ -1860,11 +1864,22 @@ void __init xen_setup_kernel_pagetable(pgd_t *pgd, unsigned long max_pfn)
36942 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
36943 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
36944 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
36945+ set_page_prot(level3_vmalloc_start_pgt, PAGE_KERNEL_RO);
36946+ set_page_prot(level3_vmalloc_end_pgt, PAGE_KERNEL_RO);
36947+ set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
36948 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
36949 set_page_prot(level2_ident_pgt, PAGE_KERNEL_RO);
36950+ set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
36951 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
36952 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
36953- set_page_prot(level1_fixmap_pgt, PAGE_KERNEL_RO);
36954+ set_page_prot(level1_modules_pgt[0], PAGE_KERNEL_RO);
36955+ set_page_prot(level1_modules_pgt[1], PAGE_KERNEL_RO);
36956+ set_page_prot(level1_modules_pgt[2], PAGE_KERNEL_RO);
36957+ set_page_prot(level1_modules_pgt[3], PAGE_KERNEL_RO);
36958+ set_page_prot(level1_fixmap_pgt[0], PAGE_KERNEL_RO);
36959+ set_page_prot(level1_fixmap_pgt[1], PAGE_KERNEL_RO);
36960+ set_page_prot(level1_fixmap_pgt[2], PAGE_KERNEL_RO);
36961+ set_page_prot(level1_vsyscall_pgt, PAGE_KERNEL_RO);
36962
36963 /* Pin down new L4 */
36964 pin_pagetable_pfn(MMUEXT_PIN_L4_TABLE,
36965@@ -2048,6 +2063,7 @@ static void __init xen_post_allocator_init(void)
36966 pv_mmu_ops.set_pud = xen_set_pud;
36967 #if CONFIG_PGTABLE_LEVELS == 4
36968 pv_mmu_ops.set_pgd = xen_set_pgd;
36969+ pv_mmu_ops.set_pgd_batched = xen_set_pgd;
36970 #endif
36971
36972 /* This will work as long as patching hasn't happened yet
36973@@ -2126,6 +2142,7 @@ static const struct pv_mmu_ops xen_mmu_ops __initconst = {
36974 .pud_val = PV_CALLEE_SAVE(xen_pud_val),
36975 .make_pud = PV_CALLEE_SAVE(xen_make_pud),
36976 .set_pgd = xen_set_pgd_hyper,
36977+ .set_pgd_batched = xen_set_pgd_hyper,
36978
36979 .alloc_pud = xen_alloc_pmd_init,
36980 .release_pud = xen_release_pmd_init,
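Review bot: The added `set_page_prot(level1_modules_pgt[0], ...)` through `[3]` and `set_page_prot(level1_fixmap_pgt[0], ...)` through `[2]` calls hard-code how many tables each array holds. If either array later changes size, a table could stay writable when the new L4 is pinned a few lines below, with no compile-time signal. Assuming both are arrays of page tables (their declarations are not in this hunk), a loop such as `for (i = 0; i < ARRAY_SIZE(level1_modules_pgt); i++) set_page_prot(level1_modules_pgt[i], PAGE_KERNEL_RO);` keeps the count in one place. It needs a loop index, which I cannot see declared here. xen_setup_kernel_pagetable() starts and ends outside the hunk.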
36981diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c
36982index 8648438..18bac20 100644
36983--- a/arch/x86/xen/smp.c
36984+++ b/arch/x86/xen/smp.c
36985@@ -284,17 +284,13 @@ static void __init xen_smp_prepare_boot_cpu(void)
36986
36987 if (xen_pv_domain()) {
36988 if (!xen_feature(XENFEAT_writable_page_tables))
36989- /* We've switched to the "real" per-cpu gdt, so make
36990- * sure the old memory can be recycled. */
36991- make_lowmem_page_readwrite(xen_initial_gdt);
36992-
36993 #ifdef CONFIG_X86_32
36994 /*
36995 * Xen starts us with XEN_FLAT_RING1_DS, but linux code
36996 * expects __USER_DS
36997 */
36998- loadsegment(ds, __USER_DS);
36999- loadsegment(es, __USER_DS);
37000+ loadsegment(ds, __KERNEL_DS);
37001+ loadsegment(es, __KERNEL_DS);
37002 #endif
37003
37004 xen_filter_cpu_maps();
37005@@ -375,7 +371,7 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
37006 #ifdef CONFIG_X86_32
37007 /* Note: PVH is not yet supported on x86_32. */
37008 ctxt->user_regs.fs = __KERNEL_PERCPU;
37009- ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
37010+ savesegment(gs, ctxt->user_regs.gs);
37011 #endif
37012 memset(&ctxt->fpu_ctxt, 0, sizeof(ctxt->fpu_ctxt));
37013
37014@@ -383,8 +379,8 @@ cpu_initialize_context(unsigned int cpu, struct task_struct *idle)
37015 ctxt->user_regs.eip = (unsigned long)cpu_bringup_and_idle;
37016 ctxt->flags = VGCF_IN_KERNEL;
37017 ctxt->user_regs.eflags = 0x1000; /* IOPL_RING1 */
37018- ctxt->user_regs.ds = __USER_DS;
37019- ctxt->user_regs.es = __USER_DS;
37020+ ctxt->user_regs.ds = __KERNEL_DS;
37021+ ctxt->user_regs.es = __KERNEL_DS;
37022 ctxt->user_regs.ss = __KERNEL_DS;
37023
37024 xen_copy_trap_info(ctxt->trap_ctxt);
37025@@ -720,7 +716,7 @@ static const struct smp_ops xen_smp_ops __initconst = {
37026
37027 void __init xen_smp_init(void)
37028 {
37029- smp_ops = xen_smp_ops;
37030+ memcpy((void *)&smp_ops, &xen_smp_ops, sizeof smp_ops);
37031 xen_fill_possible_map();
37032 }
37033
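Review bot: In xen_smp_prepare_boot_cpu() the hunk removes `make_lowmem_page_readwrite(xen_initial_gdt);` but keeps the `if (!xen_feature(XENFEAT_writable_page_tables))` line above it, so the `if` now governs whatever statement follows. On CONFIG_X86_32 that is the first `loadsegment(ds, __KERNEL_DS);`, and otherwise it is `xen_filter_cpu_maps();`, both apparently unrelated to that feature flag. The `if` line should be removed together with its old body. The retained comment "linux code expects __USER_DS" also no longer matches the `__KERNEL_DS` loads and should be updated. The function continues outside the hunk.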
37034diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S
37035index fd92a64..1f72641 100644
37036--- a/arch/x86/xen/xen-asm_32.S
37037+++ b/arch/x86/xen/xen-asm_32.S
37038@@ -99,7 +99,7 @@ ENTRY(xen_iret)
37039 pushw %fs
37040 movl $(__KERNEL_PERCPU), %eax
37041 movl %eax, %fs
37042- movl %fs:xen_vcpu, %eax
37043+ mov PER_CPU_VAR(xen_vcpu), %eax
37044 POP_FS
37045 #else
37046 movl %ss:xen_vcpu, %eax
37047diff --git a/arch/x86/xen/xen-head.S b/arch/x86/xen/xen-head.S
37048index 8afdfcc..79239db 100644
37049--- a/arch/x86/xen/xen-head.S
37050+++ b/arch/x86/xen/xen-head.S
37051@@ -41,6 +41,17 @@ ENTRY(startup_xen)
37052 #ifdef CONFIG_X86_32
37053 mov %esi,xen_start_info
37054 mov $init_thread_union+THREAD_SIZE,%esp
37055+#ifdef CONFIG_SMP
37056+ movl $cpu_gdt_table,%edi
37057+ movl $__per_cpu_load,%eax
37058+ movw %ax,__KERNEL_PERCPU + 2(%edi)
37059+ rorl $16,%eax
37060+ movb %al,__KERNEL_PERCPU + 4(%edi)
37061+ movb %ah,__KERNEL_PERCPU + 7(%edi)
37062+ movl $__per_cpu_end - 1,%eax
37063+ subl $__per_cpu_start,%eax
37064+ movw %ax,__KERNEL_PERCPU + 0(%edi)
37065+#endif
37066 #else
37067 mov %rsi,xen_start_info
37068 mov $init_thread_union+THREAD_SIZE,%rsp
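Review bot: The added CONFIG_SMP block has no comment, and the offsets `+ 0`, `+ 2`, `+ 4` and `+ 7` into the `__KERNEL_PERCPU` entry of `cpu_gdt_table` are hard to follow without one. From the stores it looks like the block writes the address of `__per_cpu_load` into the descriptor's base bytes and `__per_cpu_end - 1 - __per_cpu_start` into its low limit word. A comment saying so would help, e.g. `/* point the __KERNEL_PERCPU descriptor at the boot per-cpu area: base = __per_cpu_load, limit = size - 1 */`. Only the low 16 bits of the limit are stored (`movw %ax`), so the comment should also state what is assumed about the area's size or the descriptor's granularity, which this hunk does not show.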
37069diff --git a/arch/x86/xen/xen-ops.h b/arch/x86/xen/xen-ops.h
37070index 2292721..a9bb18e 100644
37071--- a/arch/x86/xen/xen-ops.h
37072+++ b/arch/x86/xen/xen-ops.h
37073@@ -16,8 +16,6 @@ void xen_syscall_target(void);
37074 void xen_syscall32_target(void);
37075 #endif
37076
37077-extern void *xen_initial_gdt;
37078-
37079 struct trap_info;
37080 void xen_copy_trap_info(struct trap_info *traps);
37081
37082diff --git a/arch/xtensa/variants/dc232b/include/variant/core.h b/arch/xtensa/variants/dc232b/include/variant/core.h
37083index 525bd3d..ef888b1 100644
37084--- a/arch/xtensa/variants/dc232b/include/variant/core.h
37085+++ b/arch/xtensa/variants/dc232b/include/variant/core.h
37086@@ -119,9 +119,9 @@
37087 ----------------------------------------------------------------------*/
37088
37089 #define XCHAL_ICACHE_LINESIZE 32 /* I-cache line size in bytes */
37090-#define XCHAL_DCACHE_LINESIZE 32 /* D-cache line size in bytes */
37091 #define XCHAL_ICACHE_LINEWIDTH 5 /* log2(I line size in bytes) */
37092 #define XCHAL_DCACHE_LINEWIDTH 5 /* log2(D line size in bytes) */
37093+#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */
37094
37095 #define XCHAL_ICACHE_SIZE 16384 /* I-cache size in bytes or 0 */
37096 #define XCHAL_DCACHE_SIZE 16384 /* D-cache size in bytes or 0 */
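Review bot: This hunk makes `XCHAL_DCACHE_LINESIZE` expand to `_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH` but adds no `#include <linux/const.h>`, whereas the matching change to arch/xtensa/variants/fsf/include/variant/core.h adds that include. Unless the dc232b header already pulls it in outside the hunk, every user of the macro depends on include order, so I would add `#include <linux/const.h>` here as well. A short comment that the line size is now derived from the line width, and why it needs to be an unsigned long, would also help, since the I-cache define next to it stays a plain literal.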
37097diff --git a/arch/xtensa/variants/fsf/include/variant/core.h b/arch/xtensa/variants/fsf/include/variant/core.h
37098index 2f33760..835e50a 100644
37099--- a/arch/xtensa/variants/fsf/include/variant/core.h
37100+++ b/arch/xtensa/variants/fsf/include/variant/core.h
37101@@ -11,6 +11,7 @@
37102 #ifndef _XTENSA_CORE_H
37103 #define _XTENSA_CORE_H
37104
37105+#include <linux/const.h>
37106
37107 /****************************************************************************
37108 Parameters Useful for Any Code, USER or PRIVILEGED
37109@@ -112,9 +113,9 @@
37110 ----------------------------------------------------------------------*/
37111
37112 #define XCHAL_ICACHE_LINESIZE 16 /* I-cache line size in bytes */
37113-#define XCHAL_DCACHE_LINESIZE 16 /* D-cache line size in bytes */
37114 #define XCHAL_ICACHE_LINEWIDTH 4 /* log2(I line size in bytes) */
37115 #define XCHAL_DCACHE_LINEWIDTH 4 /* log2(D line size in bytes) */
37116+#define XCHAL_DCACHE_LINESIZE (_AC(1,UL) << XCHAL_DCACHE_LINEWIDTH) /* D-cache line size in bytes */
37117
37118 #define XCHAL_ICACHE_SIZE 8192 /* I-cache size in bytes or 0 */
37119 #define XCHAL_DCACHE_SIZE 8192 /* D-cache size in bytes or 0 */
37120diff --git a/block/bio.c b/block/bio.c
37121index d6e5ba3..2bb142c 100644
37122--- a/block/bio.c
37123+++ b/block/bio.c
37124@@ -1187,7 +1187,7 @@ struct bio *bio_copy_user_iov(struct request_queue *q,
37125 /*
37126 * Overflow, abort
37127 */
37128- if (end < start)
37129+ if (end < start || end - start > INT_MAX - nr_pages)
37130 return ERR_PTR(-EINVAL);
37131
37132 nr_pages += end - start;
37133@@ -1312,7 +1312,7 @@ struct bio *bio_map_user_iov(struct request_queue *q,
37134 /*
37135 * Overflow, abort
37136 */
37137- if (end < start)
37138+ if (end < start || end - start > INT_MAX - nr_pages)
37139 return ERR_PTR(-EINVAL);
37140
37141 nr_pages += end - start;
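Review bot: The new clause `end - start > INT_MAX - nr_pages` guards the running `nr_pages` total rather than the per-segment range, but the comment above it still reads only "Overflow, abort". I would extend it, e.g. `/* Overflow of the range, or of the accumulated nr_pages total, abort */`. The same condition is added verbatim in bio_map_user_iov(). The declarations of `end`, `start` and `nr_pages` are outside both hunks, so the signedness of the comparison cannot be checked from here.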
37142diff --git a/block/blk-iopoll.c b/block/blk-iopoll.c
37143index 0736729..2ec3b48 100644
37144--- a/block/blk-iopoll.c
37145+++ b/block/blk-iopoll.c
37146@@ -74,7 +74,7 @@ void blk_iopoll_complete(struct blk_iopoll *iop)
37147 }
37148 EXPORT_SYMBOL(blk_iopoll_complete);
37149
37150-static void blk_iopoll_softirq(struct softirq_action *h)
37151+static __latent_entropy void blk_iopoll_softirq(void)
37152 {
37153 struct list_head *list = this_cpu_ptr(&blk_cpu_iopoll);
37154 int rearm = 0, budget = blk_iopoll_budget;
37155diff --git a/block/blk-map.c b/block/blk-map.c
37156index da310a1..213b5c9 100644
37157--- a/block/blk-map.c
37158+++ b/block/blk-map.c
37159@@ -192,7 +192,7 @@ int blk_rq_map_kern(struct request_queue *q, struct request *rq, void *kbuf,
37160 if (!len || !kbuf)
37161 return -EINVAL;
37162
37163- do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
37164+ do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
37165 if (do_copy)
37166 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
37167 else
37168diff --git a/block/blk-softirq.c b/block/blk-softirq.c
37169index 53b1737..08177d2e 100644
37170--- a/block/blk-softirq.c
37171+++ b/block/blk-softirq.c
37172@@ -18,7 +18,7 @@ static DEFINE_PER_CPU(struct list_head, blk_cpu_done);
37173 * Softirq action handler - move entries to local list and loop over them
37174 * while passing them to the queue registered handler.
37175 */
37176-static void blk_done_softirq(struct softirq_action *h)
37177+static __latent_entropy void blk_done_softirq(void)
37178 {
37179 struct list_head *cpu_list, local_list;
37180
37181diff --git a/block/bsg.c b/block/bsg.c
37182index d214e92..9649863 100644
37183--- a/block/bsg.c
37184+++ b/block/bsg.c
37185@@ -140,16 +140,24 @@ static int blk_fill_sgv4_hdr_rq(struct request_queue *q, struct request *rq,
37186 struct sg_io_v4 *hdr, struct bsg_device *bd,
37187 fmode_t has_write_perm)
37188 {
37189+ unsigned char tmpcmd[sizeof(rq->__cmd)];
37190+ unsigned char *cmdptr;
37191+
37192 if (hdr->request_len > BLK_MAX_CDB) {
37193 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
37194 if (!rq->cmd)
37195 return -ENOMEM;
37196- }
37197+ cmdptr = rq->cmd;
37198+ } else
37199+ cmdptr = tmpcmd;
37200
37201- if (copy_from_user(rq->cmd, (void __user *)(unsigned long)hdr->request,
37202+ if (copy_from_user(cmdptr, (void __user *)(unsigned long)hdr->request,
37203 hdr->request_len))
37204 return -EFAULT;
37205
37206+ if (cmdptr != rq->cmd)
37207+ memcpy(rq->cmd, cmdptr, hdr->request_len);
37208+
37209 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
37210 if (blk_verify_command(rq->cmd, has_write_perm))
37211 return -EPERM;
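Review bot: `tmpcmd` is sized with `sizeof(rq->__cmd)`, but the branch that selects it is `hdr->request_len <= BLK_MAX_CDB`, so the `copy_from_user()` into it is in bounds only if `__cmd` is at least `BLK_MAX_CDB` bytes, which this hunk does not show. A `BUILD_BUG_ON(sizeof(tmpcmd) < BLK_MAX_CDB);` at the top of the function would pin that. The later `memcpy(rq->cmd, cmdptr, hdr->request_len)` likewise relies on `rq->cmd` pointing at a buffer of that size on the short path. The same bounce-buffer pattern is added to blk_fill_sghdr_rq() and sg_scsi_ioctl() in block/scsi_ioctl.c, where the length checks sit outside the hunks. A shared helper with one comment explaining why the copy goes through the stack would be easier to audit than three copies.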
37212diff --git a/block/compat_ioctl.c b/block/compat_ioctl.c
37213index f678c73..f35aa18 100644
37214--- a/block/compat_ioctl.c
37215+++ b/block/compat_ioctl.c
37216@@ -156,7 +156,7 @@ static int compat_cdrom_generic_command(struct block_device *bdev, fmode_t mode,
37217 cgc = compat_alloc_user_space(sizeof(*cgc));
37218 cgc32 = compat_ptr(arg);
37219
37220- if (copy_in_user(&cgc->cmd, &cgc32->cmd, sizeof(cgc->cmd)) ||
37221+ if (copy_in_user(cgc->cmd, cgc32->cmd, sizeof(cgc->cmd)) ||
37222 get_user(data, &cgc32->buffer) ||
37223 put_user(compat_ptr(data), &cgc->buffer) ||
37224 copy_in_user(&cgc->buflen, &cgc32->buflen,
37225@@ -341,7 +341,7 @@ static int compat_fd_ioctl(struct block_device *bdev, fmode_t mode,
37226 err |= __get_user(f->spec1, &uf->spec1);
37227 err |= __get_user(f->fmt_gap, &uf->fmt_gap);
37228 err |= __get_user(name, &uf->name);
37229- f->name = compat_ptr(name);
37230+ f->name = (void __force_kernel *)compat_ptr(name);
37231 if (err) {
37232 err = -EFAULT;
37233 goto out;
37234diff --git a/block/genhd.c b/block/genhd.c
37235index 59a1395..54ff187 100644
37236--- a/block/genhd.c
37237+++ b/block/genhd.c
37238@@ -470,21 +470,24 @@ static char *bdevt_str(dev_t devt, char *buf)
37239
37240 /*
37241 * Register device numbers dev..(dev+range-1)
37242- * range must be nonzero
37243+ * Noop if @range is zero.
37244 * The hash chain is sorted on range, so that subranges can override.
37245 */
37246 void blk_register_region(dev_t devt, unsigned long range, struct module *module,
37247 struct kobject *(*probe)(dev_t, int *, void *),
37248 int (*lock)(dev_t, void *), void *data)
37249 {
37250- kobj_map(bdev_map, devt, range, module, probe, lock, data);
37251+ if (range)
37252+ kobj_map(bdev_map, devt, range, module, probe, lock, data);
37253 }
37254
37255 EXPORT_SYMBOL(blk_register_region);
37256
37257+/* undo blk_register_region(), noop if @range is zero */
37258 void blk_unregister_region(dev_t devt, unsigned long range)
37259 {
37260- kobj_unmap(bdev_map, devt, range);
37261+ if (range)
37262+ kobj_unmap(bdev_map, devt, range);
37263 }
37264
37265 EXPORT_SYMBOL(blk_unregister_region);
37266diff --git a/block/partitions/efi.c b/block/partitions/efi.c
37267index 26cb624..a49c3a5 100644
37268--- a/block/partitions/efi.c
37269+++ b/block/partitions/efi.c
37270@@ -293,14 +293,14 @@ static gpt_entry *alloc_read_gpt_entries(struct parsed_partitions *state,
37271 if (!gpt)
37272 return NULL;
37273
37274+ if (!le32_to_cpu(gpt->num_partition_entries))
37275+ return NULL;
37276+ pte = kcalloc(le32_to_cpu(gpt->num_partition_entries), le32_to_cpu(gpt->sizeof_partition_entry), GFP_KERNEL);
37277+ if (!pte)
37278+ return NULL;
37279+
37280 count = le32_to_cpu(gpt->num_partition_entries) *
37281 le32_to_cpu(gpt->sizeof_partition_entry);
37282- if (!count)
37283- return NULL;
37284- pte = kmalloc(count, GFP_KERNEL);
37285- if (!pte)
37286- return NULL;
37287-
37288 if (read_lba(state, le64_to_cpu(gpt->partition_entry_lba),
37289 (u8 *) pte, count) < count) {
37290 kfree(pte);
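Review bot: The zero check that replaces `if (!count)` tests only `num_partition_entries`, so a header with a non-zero entry count and a zero `sizeof_partition_entry` is no longer rejected here. In that case `kcalloc()` is called with a zero element size and `count` is 0, so, assuming an unsigned byte count, the `read_lba(...) < count` test cannot fail. The function would then return a pointer to a zero-length allocation, unless the caller has already validated the entry size, which is not visible in this hunk. I would keep both cases: `if (!le32_to_cpu(gpt->num_partition_entries) || !le32_to_cpu(gpt->sizeof_partition_entry)) return NULL;`. alloc_read_gpt_entries() starts and ends outside the hunk.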
37291diff --git a/block/scsi_ioctl.c b/block/scsi_ioctl.c
37292index dda653c..028a13ee 100644
37293--- a/block/scsi_ioctl.c
37294+++ b/block/scsi_ioctl.c
37295@@ -67,7 +67,7 @@ static int scsi_get_bus(struct request_queue *q, int __user *p)
37296 return put_user(0, p);
37297 }
37298
37299-static int sg_get_timeout(struct request_queue *q)
37300+static int __intentional_overflow(-1) sg_get_timeout(struct request_queue *q)
37301 {
37302 return jiffies_to_clock_t(q->sg_timeout);
37303 }
37304@@ -227,8 +227,20 @@ EXPORT_SYMBOL(blk_verify_command);
37305 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
37306 struct sg_io_hdr *hdr, fmode_t mode)
37307 {
37308- if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
37309+ unsigned char tmpcmd[sizeof(rq->__cmd)];
37310+ unsigned char *cmdptr;
37311+
37312+ if (rq->cmd != rq->__cmd)
37313+ cmdptr = rq->cmd;
37314+ else
37315+ cmdptr = tmpcmd;
37316+
37317+ if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
37318 return -EFAULT;
37319+
37320+ if (cmdptr != rq->cmd)
37321+ memcpy(rq->cmd, cmdptr, hdr->cmd_len);
37322+
37323 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
37324 return -EPERM;
37325
37326@@ -420,6 +432,8 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
37327 int err;
37328 unsigned int in_len, out_len, bytes, opcode, cmdlen;
37329 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
37330+ unsigned char tmpcmd[sizeof(rq->__cmd)];
37331+ unsigned char *cmdptr;
37332
37333 if (!sic)
37334 return -EINVAL;
37335@@ -458,9 +472,18 @@ int sg_scsi_ioctl(struct request_queue *q, struct gendisk *disk, fmode_t mode,
37336 */
37337 err = -EFAULT;
37338 rq->cmd_len = cmdlen;
37339- if (copy_from_user(rq->cmd, sic->data, cmdlen))
37340+
37341+ if (rq->cmd != rq->__cmd)
37342+ cmdptr = rq->cmd;
37343+ else
37344+ cmdptr = tmpcmd;
37345+
37346+ if (copy_from_user(cmdptr, sic->data, cmdlen))
37347 goto error;
37348
37349+ if (rq->cmd != cmdptr)
37350+ memcpy(rq->cmd, cmdptr, cmdlen);
37351+
37352 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
37353 goto error;
37354
37355diff --git a/crypto/ablkcipher.c b/crypto/ablkcipher.c
37356index b788f16..b4ffc5b 100644
37357--- a/crypto/ablkcipher.c
37358+++ b/crypto/ablkcipher.c
37359@@ -706,7 +706,7 @@ struct crypto_ablkcipher *crypto_alloc_ablkcipher(const char *alg_name,
37360 err:
37361 if (err != -EAGAIN)
37362 break;
37363- if (signal_pending(current)) {
37364+ if (fatal_signal_pending(current)) {
37365 err = -EINTR;
37366 break;
37367 }
37368diff --git a/crypto/algapi.c b/crypto/algapi.c
37369index 3c079b7..b603b34 100644
37370--- a/crypto/algapi.c
37371+++ b/crypto/algapi.c
37372@@ -335,7 +335,7 @@ static void crypto_wait_for_test(struct crypto_larval *larval)
37373 crypto_alg_tested(larval->alg.cra_driver_name, 0);
37374 }
37375
37376- err = wait_for_completion_interruptible(&larval->completion);
37377+ err = wait_for_completion_killable(&larval->completion);
37378 WARN_ON(err);
37379
37380 out:
37381diff --git a/crypto/api.c b/crypto/api.c
37382index afe4610..bbc147c 100644
37383--- a/crypto/api.c
37384+++ b/crypto/api.c
37385@@ -172,7 +172,7 @@ static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg)
37386 struct crypto_larval *larval = (void *)alg;
37387 long timeout;
37388
37389- timeout = wait_for_completion_interruptible_timeout(
37390+ timeout = wait_for_completion_killable_timeout(
37391 &larval->completion, 60 * HZ);
37392
37393 alg = larval->adult;
37394@@ -445,7 +445,7 @@ struct crypto_tfm *crypto_alloc_base(const char *alg_name, u32 type, u32 mask)
37395 err:
37396 if (err != -EAGAIN)
37397 break;
37398- if (signal_pending(current)) {
37399+ if (fatal_signal_pending(current)) {
37400 err = -EINTR;
37401 break;
37402 }
37403@@ -562,7 +562,7 @@ void *crypto_alloc_tfm(const char *alg_name,
37404 err:
37405 if (err != -EAGAIN)
37406 break;
37407- if (signal_pending(current)) {
37408+ if (fatal_signal_pending(current)) {
37409 err = -EINTR;
37410 break;
37411 }
37412diff --git a/crypto/cryptd.c b/crypto/cryptd.c
37413index 22ba81f..1acac67 100644
37414--- a/crypto/cryptd.c
37415+++ b/crypto/cryptd.c
37416@@ -63,7 +63,7 @@ struct cryptd_blkcipher_ctx {
37417
37418 struct cryptd_blkcipher_request_ctx {
37419 crypto_completion_t complete;
37420-};
37421+} __no_const;
37422
37423 struct cryptd_hash_ctx {
37424 struct crypto_shash *child;
37425@@ -80,7 +80,7 @@ struct cryptd_aead_ctx {
37426
37427 struct cryptd_aead_request_ctx {
37428 crypto_completion_t complete;
37429-};
37430+} __no_const;
37431
37432 static void cryptd_queue_worker(struct work_struct *work);
37433
37434diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
37435index 08ea286..d59fb4e 100644
37436--- a/crypto/crypto_user.c
37437+++ b/crypto/crypto_user.c
37438@@ -376,7 +376,7 @@ static struct crypto_alg *crypto_user_skcipher_alg(const char *name, u32 type,
37439 err = PTR_ERR(alg);
37440 if (err != -EAGAIN)
37441 break;
37442- if (signal_pending(current)) {
37443+ if (fatal_signal_pending(current)) {
37444 err = -EINTR;
37445 break;
37446 }
37447diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c
37448index 45e7d51..2967121 100644
37449--- a/crypto/pcrypt.c
37450+++ b/crypto/pcrypt.c
37451@@ -385,7 +385,7 @@ static int pcrypt_sysfs_add(struct padata_instance *pinst, const char *name)
37452 int ret;
37453
37454 pinst->kobj.kset = pcrypt_kset;
37455- ret = kobject_add(&pinst->kobj, NULL, name);
37456+ ret = kobject_add(&pinst->kobj, NULL, "%s", name);
37457 if (!ret)
37458 kobject_uevent(&pinst->kobj, KOBJ_ADD);
37459
37460diff --git a/crypto/scatterwalk.c b/crypto/scatterwalk.c
37461index ea5815c..5880da6 100644
37462--- a/crypto/scatterwalk.c
37463+++ b/crypto/scatterwalk.c
37464@@ -109,14 +109,20 @@ void scatterwalk_map_and_copy(void *buf, struct scatterlist *sg,
37465 {
37466 struct scatter_walk walk;
37467 struct scatterlist tmp[2];
37468+ void *realbuf = buf;
37469
37470 if (!nbytes)
37471 return;
37472
37473 sg = scatterwalk_ffwd(tmp, sg, start);
37474
37475- if (sg_page(sg) == virt_to_page(buf) &&
37476- sg->offset == offset_in_page(buf))
37477+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
37478+ if (object_starts_on_stack(buf))
37479+ realbuf = buf - current->stack + current->lowmem_stack;
37480+#endif
37481+
37482+ if (sg_page(sg) == virt_to_page(realbuf) &&
37483+ sg->offset == offset_in_page(realbuf))
37484 return;
37485
37486 scatterwalk_start(&walk, sg);
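Review bot: The new `realbuf = buf - current->stack + current->lowmem_stack;` line has no comment saying why a stack buffer needs a second address before `virt_to_page()`. Presumably under CONFIG_GRKERNSEC_KSTACKOVERFLOW the task stack is reached through a mapping that `virt_to_page()` cannot translate, but the hunk does not say. A comment such as `/* translate a stack address to its lowmem alias so virt_to_page() is valid */` (wording to be confirmed by the author) would make the invariant reviewable. The line also relies on arithmetic on `void *` and on `buf` lying wholly inside the stack, although only its start is tested.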
37487diff --git a/crypto/zlib.c b/crypto/zlib.c
37488index d51a30a..fb1f8af 100644
37489--- a/crypto/zlib.c
37490+++ b/crypto/zlib.c
37491@@ -95,10 +95,10 @@ static int zlib_compress_setup(struct crypto_pcomp *tfm, const void *params,
37492 zlib_comp_exit(ctx);
37493
37494 window_bits = tb[ZLIB_COMP_WINDOWBITS]
37495- ? nla_get_u32(tb[ZLIB_COMP_WINDOWBITS])
37496+ ? nla_get_s32(tb[ZLIB_COMP_WINDOWBITS])
37497 : MAX_WBITS;
37498 mem_level = tb[ZLIB_COMP_MEMLEVEL]
37499- ? nla_get_u32(tb[ZLIB_COMP_MEMLEVEL])
37500+ ? nla_get_s32(tb[ZLIB_COMP_MEMLEVEL])
37501 : DEF_MEM_LEVEL;
37502
37503 workspacesize = zlib_deflate_workspacesize(window_bits, mem_level);
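Review bot: Reading `ZLIB_COMP_WINDOWBITS` and `ZLIB_COMP_MEMLEVEL` with `nla_get_s32()` lets negative values through from the netlink attributes, and no range check is visible between these reads and `zlib_deflate_workspacesize(window_bits, mem_level)`. If negative window bits are intended, `mem_level` at least should be bounded before it is used to size the workspace, e.g. `if (mem_level < 1 || mem_level > MAX_MEM_LEVEL) return -EINVAL;`, unless the callee already enforces this. The declarations of both variables and the rest of zlib_compress_setup() are outside the hunk.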
37504diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
37505index 8c2fe2f..fc47c12 100644
37506--- a/drivers/acpi/acpi_video.c
37507+++ b/drivers/acpi/acpi_video.c
37508@@ -398,7 +398,7 @@ static int video_disable_backlight_sysfs_if(
37509 return 0;
37510 }
37511
37512-static struct dmi_system_id video_dmi_table[] = {
37513+static const struct dmi_system_id video_dmi_table[] = {
37514 /*
37515 * Broken _BQC workaround http://bugzilla.kernel.org/show_bug.cgi?id=13121
37516 */
37517diff --git a/drivers/acpi/acpica/hwxfsleep.c b/drivers/acpi/acpica/hwxfsleep.c
37518index 52dfd0d..8386baf 100644
37519--- a/drivers/acpi/acpica/hwxfsleep.c
37520+++ b/drivers/acpi/acpica/hwxfsleep.c
37521@@ -70,11 +70,12 @@ static acpi_status acpi_hw_sleep_dispatch(u8 sleep_state, u32 function_id);
37522 /* Legacy functions are optional, based upon ACPI_REDUCED_HARDWARE */
37523
37524 static struct acpi_sleep_functions acpi_sleep_dispatch[] = {
37525- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_sleep),
37526- acpi_hw_extended_sleep},
37527- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake_prep),
37528- acpi_hw_extended_wake_prep},
37529- {ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake), acpi_hw_extended_wake}
37530+ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_sleep),
37531+ .extended_function = acpi_hw_extended_sleep},
37532+ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake_prep),
37533+ .extended_function = acpi_hw_extended_wake_prep},
37534+ {.legacy_function = ACPI_HW_OPTIONAL_FUNCTION(acpi_hw_legacy_wake),
37535+ .extended_function = acpi_hw_extended_wake}
37536 };
37537
37538 /*
37539diff --git a/drivers/acpi/apei/apei-internal.h b/drivers/acpi/apei/apei-internal.h
37540index 16129c7..8b675cd 100644
37541--- a/drivers/acpi/apei/apei-internal.h
37542+++ b/drivers/acpi/apei/apei-internal.h
37543@@ -19,7 +19,7 @@ typedef int (*apei_exec_ins_func_t)(struct apei_exec_context *ctx,
37544 struct apei_exec_ins_type {
37545 u32 flags;
37546 apei_exec_ins_func_t run;
37547-};
37548+} __do_const;
37549
37550 struct apei_exec_context {
37551 u32 ip;
37552diff --git a/drivers/acpi/apei/ghes.c b/drivers/acpi/apei/ghes.c
37553index 2bfd53c..391e9a4 100644
37554--- a/drivers/acpi/apei/ghes.c
37555+++ b/drivers/acpi/apei/ghes.c
37556@@ -478,7 +478,7 @@ static void __ghes_print_estatus(const char *pfx,
37557 const struct acpi_hest_generic *generic,
37558 const struct acpi_hest_generic_status *estatus)
37559 {
37560- static atomic_t seqno;
37561+ static atomic_unchecked_t seqno;
37562 unsigned int curr_seqno;
37563 char pfx_seq[64];
37564
37565@@ -489,7 +489,7 @@ static void __ghes_print_estatus(const char *pfx,
37566 else
37567 pfx = KERN_ERR;
37568 }
37569- curr_seqno = atomic_inc_return(&seqno);
37570+ curr_seqno = atomic_inc_return_unchecked(&seqno);
37571 snprintf(pfx_seq, sizeof(pfx_seq), "%s{%u}" HW_ERR, pfx, curr_seqno);
37572 printk("%s""Hardware error from APEI Generic Hardware Error Source: %d\n",
37573 pfx_seq, generic->header.source_id);
37574diff --git a/drivers/acpi/bgrt.c b/drivers/acpi/bgrt.c
37575index a83e3c6..c3d617f 100644
37576--- a/drivers/acpi/bgrt.c
37577+++ b/drivers/acpi/bgrt.c
37578@@ -86,8 +86,10 @@ static int __init bgrt_init(void)
37579 if (!bgrt_image)
37580 return -ENODEV;
37581
37582- bin_attr_image.private = bgrt_image;
37583- bin_attr_image.size = bgrt_image_size;
37584+ pax_open_kernel();
37585+ *(void **)&bin_attr_image.private = bgrt_image;
37586+ *(size_t *)&bin_attr_image.size = bgrt_image_size;
37587+ pax_close_kernel();
37588
37589 bgrt_kobj = kobject_create_and_add("bgrt", acpi_kobj);
37590 if (!bgrt_kobj)
37591diff --git a/drivers/acpi/blacklist.c b/drivers/acpi/blacklist.c
37592index 278dc4b..976433d 100644
37593--- a/drivers/acpi/blacklist.c
37594+++ b/drivers/acpi/blacklist.c
37595@@ -51,7 +51,7 @@ struct acpi_blacklist_item {
37596 u32 is_critical_error;
37597 };
37598
37599-static struct dmi_system_id acpi_osi_dmi_table[] __initdata;
37600+static const struct dmi_system_id acpi_osi_dmi_table[] __initconst;
37601
37602 /*
37603 * POLICY: If *anything* doesn't work, put it on the blacklist.
37604@@ -172,7 +172,7 @@ static int __init dmi_enable_rev_override(const struct dmi_system_id *d)
37605 }
37606 #endif
37607
37608-static struct dmi_system_id acpi_osi_dmi_table[] __initdata = {
37609+static const struct dmi_system_id acpi_osi_dmi_table[] __initconst = {
37610 {
37611 .callback = dmi_disable_osi_vista,
37612 .ident = "Fujitsu Siemens",
37613diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c
37614index 513e7230e..802015a 100644
37615--- a/drivers/acpi/bus.c
37616+++ b/drivers/acpi/bus.c
37617@@ -67,7 +67,7 @@ static int set_copy_dsdt(const struct dmi_system_id *id)
37618 }
37619 #endif
37620
37621-static struct dmi_system_id dsdt_dmi_table[] __initdata = {
37622+static const struct dmi_system_id dsdt_dmi_table[] __initconst = {
37623 /*
37624 * Invoke DSDT corruption work-around on all Toshiba Satellite.
37625 * https://bugzilla.kernel.org/show_bug.cgi?id=14679
37626@@ -83,7 +83,7 @@ static struct dmi_system_id dsdt_dmi_table[] __initdata = {
37627 {}
37628 };
37629 #else
37630-static struct dmi_system_id dsdt_dmi_table[] __initdata = {
37631+static const struct dmi_system_id dsdt_dmi_table[] __initconst = {
37632 {}
37633 };
37634 #endif
37635diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c
37636index c68e724..e863008 100644
37637--- a/drivers/acpi/custom_method.c
37638+++ b/drivers/acpi/custom_method.c
37639@@ -29,6 +29,10 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf,
37640 struct acpi_table_header table;
37641 acpi_status status;
37642
37643+#ifdef CONFIG_GRKERNSEC_KMEM
37644+ return -EPERM;
37645+#endif
37646+
37647 if (!(*ppos)) {
37648 /* parse the table header to get the table length */
37649 if (count <= sizeof(struct acpi_table_header))
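Review bot: The unconditional `return -EPERM;` under `CONFIG_GRKERNSEC_KMEM` has no comment, and under that option it turns the rest of `cm_write` into dead code while the file itself is presumably still created. I would state the reason at the return, e.g. `/* custom ACPI methods execute with kernel privilege; refuse all writes under GRKERNSEC_KMEM */`. Not registering the file at all under that option would make the restriction visible up front instead of at write time, but the registration code is outside this hunk, as is the remainder of `cm_write`.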
37650diff --git a/drivers/acpi/device_pm.c b/drivers/acpi/device_pm.c
37651index 88dbbb1..90714c0 100644
37652--- a/drivers/acpi/device_pm.c
37653+++ b/drivers/acpi/device_pm.c
37654@@ -1045,6 +1045,8 @@ EXPORT_SYMBOL_GPL(acpi_subsys_freeze);
37655
37656 #endif /* CONFIG_PM_SLEEP */
37657
37658+static void acpi_dev_pm_detach(struct device *dev, bool power_off);
37659+
37660 static struct dev_pm_domain acpi_general_pm_domain = {
37661 .ops = {
37662 .runtime_suspend = acpi_subsys_runtime_suspend,
37663@@ -1061,6 +1063,7 @@ static struct dev_pm_domain acpi_general_pm_domain = {
37664 .restore_early = acpi_subsys_resume_early,
37665 #endif
37666 },
37667+ .detach = acpi_dev_pm_detach
37668 };
37669
37670 /**
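Review bot: The new initializer line `.detach = acpi_dev_pm_detach` has no trailing comma, unlike the `.ops = { ... },` member before it, so the next member added will have to touch this line too; write `.detach = acpi_dev_pm_detach,`. With the runtime assignment `dev->pm_domain->detach = acpi_dev_pm_detach;` removed in the following hunk, no write to the struct remains visible in this diff, so `acpi_general_pm_domain` may be a candidate for `const`; writers outside these hunks would have to be ruled out first. The struct definition begins in the previous hunk.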
37671@@ -1130,7 +1133,6 @@ int acpi_dev_pm_attach(struct device *dev, bool power_on)
37672 acpi_device_wakeup(adev, ACPI_STATE_S0, false);
37673 }
37674
37675- dev->pm_domain->detach = acpi_dev_pm_detach;
37676 return 0;
37677 }
37678 EXPORT_SYMBOL_GPL(acpi_dev_pm_attach);
37679diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
37680index 9d4761d..ece2163 100644
37681--- a/drivers/acpi/ec.c
37682+++ b/drivers/acpi/ec.c
37683@@ -1434,7 +1434,7 @@ static int ec_clear_on_resume(const struct dmi_system_id *id)
37684 return 0;
37685 }
37686
37687-static struct dmi_system_id ec_dmi_table[] __initdata = {
37688+static const struct dmi_system_id ec_dmi_table[] __initconst = {
37689 {
37690 ec_skip_dsdt_scan, "Compal JFL92", {
37691 DMI_MATCH(DMI_BIOS_VENDOR, "COMPAL"),
37692diff --git a/drivers/acpi/pci_slot.c b/drivers/acpi/pci_slot.c
37693index 139d9e4..9a9d799 100644
37694--- a/drivers/acpi/pci_slot.c
37695+++ b/drivers/acpi/pci_slot.c
37696@@ -195,7 +195,7 @@ static int do_sta_before_sun(const struct dmi_system_id *d)
37697 return 0;
37698 }
37699
37700-static struct dmi_system_id acpi_pci_slot_dmi_table[] __initdata = {
37701+static const struct dmi_system_id acpi_pci_slot_dmi_table[] __initconst = {
37702 /*
37703 * Fujitsu Primequest machines will return 1023 to indicate an
37704 * error if the _SUN method is evaluated on SxFy objects that
37705diff --git a/drivers/acpi/processor_driver.c b/drivers/acpi/processor_driver.c
37706index d9f7158..168e742 100644
37707--- a/drivers/acpi/processor_driver.c
37708+++ b/drivers/acpi/processor_driver.c
37709@@ -159,7 +159,7 @@ static int acpi_cpu_soft_notify(struct notifier_block *nfb,
37710 return NOTIFY_OK;
37711 }
37712
37713-static struct notifier_block __refdata acpi_cpu_notifier = {
37714+static struct notifier_block __refconst acpi_cpu_notifier = {
37715 .notifier_call = acpi_cpu_soft_notify,
37716 };
37717
37718diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
37719index d540f42..d5b32ac 100644
37720--- a/drivers/acpi/processor_idle.c
37721+++ b/drivers/acpi/processor_idle.c
37722@@ -910,7 +910,7 @@ static int acpi_processor_setup_cpuidle_states(struct acpi_processor *pr)
37723 {
37724 int i, count = CPUIDLE_DRIVER_STATE_START;
37725 struct acpi_processor_cx *cx;
37726- struct cpuidle_state *state;
37727+ cpuidle_state_no_const *state;
37728 struct cpuidle_driver *drv = &acpi_idle_driver;
37729
37730 if (!pr->flags.power_setup_done)
37731diff --git a/drivers/acpi/processor_pdc.c b/drivers/acpi/processor_pdc.c
37732index 7cfbda4..74f738c 100644
37733--- a/drivers/acpi/processor_pdc.c
37734+++ b/drivers/acpi/processor_pdc.c
37735@@ -173,7 +173,7 @@ static int __init set_no_mwait(const struct dmi_system_id *id)
37736 return 0;
37737 }
37738
37739-static struct dmi_system_id processor_idle_dmi_table[] __initdata = {
37740+static const struct dmi_system_id processor_idle_dmi_table[] __initconst = {
37741 {
37742 set_no_mwait, "Extensa 5220", {
37743 DMI_MATCH(DMI_BIOS_VENDOR, "Phoenix Technologies LTD"),
37744diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c
37745index 2f0d4db..b9e9b15 100644
37746--- a/drivers/acpi/sleep.c
37747+++ b/drivers/acpi/sleep.c
37748@@ -148,7 +148,7 @@ static int __init init_nvs_nosave(const struct dmi_system_id *d)
37749 return 0;
37750 }
37751
37752-static struct dmi_system_id acpisleep_dmi_table[] __initdata = {
37753+static const struct dmi_system_id acpisleep_dmi_table[] __initconst = {
37754 {
37755 .callback = init_old_suspend_ordering,
37756 .ident = "Abit KN9 (nForce4 variant)",
37757diff --git a/drivers/acpi/sysfs.c b/drivers/acpi/sysfs.c
37758index 0876d77b..3ba0127 100644
37759--- a/drivers/acpi/sysfs.c
37760+++ b/drivers/acpi/sysfs.c
37761@@ -423,11 +423,11 @@ static u32 num_counters;
37762 static struct attribute **all_attrs;
37763 static u32 acpi_gpe_count;
37764
37765-static struct attribute_group interrupt_stats_attr_group = {
37766+static attribute_group_no_const interrupt_stats_attr_group = {
37767 .name = "interrupts",
37768 };
37769
37770-static struct kobj_attribute *counter_attrs;
37771+static kobj_attribute_no_const *counter_attrs;
37772
37773 static void delete_gpe_attr_array(void)
37774 {
37775diff --git a/drivers/acpi/thermal.c b/drivers/acpi/thermal.c
37776index 6d4e44e..44fb839 100644
37777--- a/drivers/acpi/thermal.c
37778+++ b/drivers/acpi/thermal.c
37779@@ -1212,7 +1212,7 @@ static int thermal_psv(const struct dmi_system_id *d) {
37780 return 0;
37781 }
37782
37783-static struct dmi_system_id thermal_dmi_table[] __initdata = {
37784+static const struct dmi_system_id thermal_dmi_table[] __initconst = {
37785 /*
37786 * Award BIOS on this AOpen makes thermal control almost worthless.
37787 * http://bugzilla.kernel.org/show_bug.cgi?id=8842
37788diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
37789index 2922f1f..26b0c03 100644
37790--- a/drivers/acpi/video_detect.c
37791+++ b/drivers/acpi/video_detect.c
37792@@ -41,7 +41,6 @@ ACPI_MODULE_NAME("video");
37793 void acpi_video_unregister_backlight(void);
37794
37795 static bool backlight_notifier_registered;
37796-static struct notifier_block backlight_nb;
37797 static struct work_struct backlight_notify_work;
37798
37799 static enum acpi_backlight_type acpi_backlight_cmdline = acpi_backlight_undef;
37800@@ -284,6 +283,10 @@ static int acpi_video_backlight_notify(struct notifier_block *nb,
37801 return NOTIFY_OK;
37802 }
37803
37804+static const struct notifier_block backlight_nb = {
37805+ .notifier_call = acpi_video_backlight_notify,
37806+};
37807+
37808 /*
37809 * Determine which type of backlight interface to use on this system,
37810 * First check cmdline, then dmi quirks, then do autodetect.
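Review bot: Declaring `backlight_nb` as `static const struct notifier_block` looks risky, because the object is still passed to `backlight_register_notifier(&backlight_nb)` in the following hunk. If that function links the block into a notifier chain by writing its `next` pointer, as the mainline notifier API does, the write would hit read-only data and the call would also discard the `const` qualifier. The callee is not visible here, so this needs confirming against the patched notifier code. If registration does write to the block, the declaration should drop the qualifier: `static struct notifier_block backlight_nb = {`. Leaving out the old explicit `priority = 0` is fine, since a static initializer zeroes the field.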
37811@@ -314,8 +317,6 @@ enum acpi_backlight_type acpi_video_get_backlight_type(void)
37812 &video_caps, NULL);
37813 INIT_WORK(&backlight_notify_work,
37814 acpi_video_backlight_notify_work);
37815- backlight_nb.notifier_call = acpi_video_backlight_notify;
37816- backlight_nb.priority = 0;
37817 if (backlight_register_notifier(&backlight_nb) == 0)
37818 backlight_notifier_registered = true;
37819 init_done = true;
37820diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
37821index 790e0de..6bae378 100644
37822--- a/drivers/ata/libata-core.c
37823+++ b/drivers/ata/libata-core.c
37824@@ -102,7 +102,7 @@ static unsigned int ata_dev_set_xfermode(struct ata_device *dev);
37825 static void ata_dev_xfermask(struct ata_device *dev);
37826 static unsigned long ata_dev_blacklisted(const struct ata_device *dev);
37827
37828-atomic_t ata_print_id = ATOMIC_INIT(0);
37829+atomic_unchecked_t ata_print_id = ATOMIC_INIT(0);
37830
37831 struct ata_force_param {
37832 const char *name;
37833@@ -4800,7 +4800,7 @@ void ata_qc_free(struct ata_queued_cmd *qc)
37834 struct ata_port *ap;
37835 unsigned int tag;
37836
37837- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37838+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37839 ap = qc->ap;
37840
37841 qc->flags = 0;
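Review bot: `BUG_ON(qc == NULL)` in `ata_qc_free` stops the kernel on a condition that the retained comment still describes as something `ata_qc_from_tag` _might_ return, so a rare but anticipated input becomes fatal. Since the function returns void, a guard that warns and bails out would avoid both the NULL dereference at `ap = qc->ap` and the halt: `if (WARN_ON_ONCE(qc == NULL)) return;`. Whether an early return leaves the port in a consistent state has to be checked against the callers, which are not visible here. If fail-stop is the intent, the comment should say so instead. The same change and concern apply to `__ata_qc_complete` in the next hunk; both function bodies continue outside their hunks.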
37842@@ -4817,7 +4817,7 @@ void __ata_qc_complete(struct ata_queued_cmd *qc)
37843 struct ata_port *ap;
37844 struct ata_link *link;
37845
37846- WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37847+ BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
37848 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
37849 ap = qc->ap;
37850 link = qc->dev->link;
37851@@ -5924,6 +5924,7 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
37852 return;
37853
37854 spin_lock(&lock);
37855+ pax_open_kernel();
37856
37857 for (cur = ops->inherits; cur; cur = cur->inherits) {
37858 void **inherit = (void **)cur;
37859@@ -5937,8 +5938,9 @@ static void ata_finalize_port_ops(struct ata_port_operations *ops)
37860 if (IS_ERR(*pp))
37861 *pp = NULL;
37862
37863- ops->inherits = NULL;
37864+ *(struct ata_port_operations **)&ops->inherits = NULL;
37865
37866+ pax_close_kernel();
37867 spin_unlock(&lock);
37868 }
37869
37870@@ -6134,7 +6136,7 @@ int ata_host_register(struct ata_host *host, struct scsi_host_template *sht)
37871
37872 /* give ports names and add SCSI hosts */
37873 for (i = 0; i < host->n_ports; i++) {
37874- host->ports[i]->print_id = atomic_inc_return(&ata_print_id);
37875+ host->ports[i]->print_id = atomic_inc_return_unchecked(&ata_print_id);
37876 host->ports[i]->local_port_no = i + 1;
37877 }
37878
37879diff --git a/drivers/ata/libata-scsi.c b/drivers/ata/libata-scsi.c
37880index 0d7f0da..bc20aa6 100644
37881--- a/drivers/ata/libata-scsi.c
37882+++ b/drivers/ata/libata-scsi.c
37883@@ -4193,7 +4193,7 @@ int ata_sas_port_init(struct ata_port *ap)
37884
37885 if (rc)
37886 return rc;
37887- ap->print_id = atomic_inc_return(&ata_print_id);
37888+ ap->print_id = atomic_inc_return_unchecked(&ata_print_id);
37889 return 0;
37890 }
37891 EXPORT_SYMBOL_GPL(ata_sas_port_init);
37892diff --git a/drivers/ata/libata.h b/drivers/ata/libata.h
37893index f840ca1..edd6ef3 100644
37894--- a/drivers/ata/libata.h
37895+++ b/drivers/ata/libata.h
37896@@ -53,7 +53,7 @@ enum {
37897 ATA_DNXFER_QUIET = (1 << 31),
37898 };
37899
37900-extern atomic_t ata_print_id;
37901+extern atomic_unchecked_t ata_print_id;
37902 extern int atapi_passthru16;
37903 extern int libata_fua;
37904 extern int libata_noacpi;
37905diff --git a/drivers/ata/pata_arasan_cf.c b/drivers/ata/pata_arasan_cf.c
37906index 5d9ee99..8fa2585 100644
37907--- a/drivers/ata/pata_arasan_cf.c
37908+++ b/drivers/ata/pata_arasan_cf.c
37909@@ -865,7 +865,9 @@ static int arasan_cf_probe(struct platform_device *pdev)
37910 /* Handle platform specific quirks */
37911 if (quirk) {
37912 if (quirk & CF_BROKEN_PIO) {
37913- ap->ops->set_piomode = NULL;
37914+ pax_open_kernel();
37915+ *(void **)&ap->ops->set_piomode = NULL;
37916+ pax_close_kernel();
37917 ap->pio_mask = 0;
37918 }
37919 if (quirk & CF_BROKEN_MWDMA)
37920diff --git a/drivers/atm/adummy.c b/drivers/atm/adummy.c
37921index f9b983a..887b9d8 100644
37922--- a/drivers/atm/adummy.c
37923+++ b/drivers/atm/adummy.c
37924@@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct sk_buff *skb)
37925 vcc->pop(vcc, skb);
37926 else
37927 dev_kfree_skb_any(skb);
37928- atomic_inc(&vcc->stats->tx);
37929+ atomic_inc_unchecked(&vcc->stats->tx);
37930
37931 return 0;
37932 }
37933diff --git a/drivers/atm/ambassador.c b/drivers/atm/ambassador.c
37934index f1a9198..f466a4a 100644
37935--- a/drivers/atm/ambassador.c
37936+++ b/drivers/atm/ambassador.c
37937@@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, tx_out * tx) {
37938 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
37939
37940 // VC layer stats
37941- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
37942+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
37943
37944 // free the descriptor
37945 kfree (tx_descr);
37946@@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev, rx_out * rx) {
37947 dump_skb ("<<<", vc, skb);
37948
37949 // VC layer stats
37950- atomic_inc(&atm_vcc->stats->rx);
37951+ atomic_inc_unchecked(&atm_vcc->stats->rx);
37952 __net_timestamp(skb);
37953 // end of our responsibility
37954 atm_vcc->push (atm_vcc, skb);
37955@@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev, rx_out * rx) {
37956 } else {
37957 PRINTK (KERN_INFO, "dropped over-size frame");
37958 // should we count this?
37959- atomic_inc(&atm_vcc->stats->rx_drop);
37960+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
37961 }
37962
37963 } else {
37964@@ -1338,7 +1338,7 @@ static int amb_send (struct atm_vcc * atm_vcc, struct sk_buff * skb) {
37965 }
37966
37967 if (check_area (skb->data, skb->len)) {
37968- atomic_inc(&atm_vcc->stats->tx_err);
37969+ atomic_inc_unchecked(&atm_vcc->stats->tx_err);
37970 return -ENOMEM; // ?
37971 }
37972
37973diff --git a/drivers/atm/atmtcp.c b/drivers/atm/atmtcp.c
37974index 480fa6f..947067c 100644
37975--- a/drivers/atm/atmtcp.c
37976+++ b/drivers/atm/atmtcp.c
37977@@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
37978 if (vcc->pop) vcc->pop(vcc,skb);
37979 else dev_kfree_skb(skb);
37980 if (dev_data) return 0;
37981- atomic_inc(&vcc->stats->tx_err);
37982+ atomic_inc_unchecked(&vcc->stats->tx_err);
37983 return -ENOLINK;
37984 }
37985 size = skb->len+sizeof(struct atmtcp_hdr);
37986@@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
37987 if (!new_skb) {
37988 if (vcc->pop) vcc->pop(vcc,skb);
37989 else dev_kfree_skb(skb);
37990- atomic_inc(&vcc->stats->tx_err);
37991+ atomic_inc_unchecked(&vcc->stats->tx_err);
37992 return -ENOBUFS;
37993 }
37994 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
37995@@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc *vcc,struct sk_buff *skb)
37996 if (vcc->pop) vcc->pop(vcc,skb);
37997 else dev_kfree_skb(skb);
37998 out_vcc->push(out_vcc,new_skb);
37999- atomic_inc(&vcc->stats->tx);
38000- atomic_inc(&out_vcc->stats->rx);
38001+ atomic_inc_unchecked(&vcc->stats->tx);
38002+ atomic_inc_unchecked(&out_vcc->stats->rx);
38003 return 0;
38004 }
38005
38006@@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc *vcc,struct sk_buff *skb)
38007 read_unlock(&vcc_sklist_lock);
38008 if (!out_vcc) {
38009 result = -EUNATCH;
38010- atomic_inc(&vcc->stats->tx_err);
38011+ atomic_inc_unchecked(&vcc->stats->tx_err);
38012 goto done;
38013 }
38014 skb_pull(skb,sizeof(struct atmtcp_hdr));
38015@@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc *vcc,struct sk_buff *skb)
38016 __net_timestamp(new_skb);
38017 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
38018 out_vcc->push(out_vcc,new_skb);
38019- atomic_inc(&vcc->stats->tx);
38020- atomic_inc(&out_vcc->stats->rx);
38021+ atomic_inc_unchecked(&vcc->stats->tx);
38022+ atomic_inc_unchecked(&out_vcc->stats->rx);
38023 done:
38024 if (vcc->pop) vcc->pop(vcc,skb);
38025 else dev_kfree_skb(skb);
38026diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
38027index 6339efd..2b441d5 100644
38028--- a/drivers/atm/eni.c
38029+++ b/drivers/atm/eni.c
38030@@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
38031 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
38032 vcc->dev->number);
38033 length = 0;
38034- atomic_inc(&vcc->stats->rx_err);
38035+ atomic_inc_unchecked(&vcc->stats->rx_err);
38036 }
38037 else {
38038 length = ATM_CELL_SIZE-1; /* no HEC */
38039@@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
38040 size);
38041 }
38042 eff = length = 0;
38043- atomic_inc(&vcc->stats->rx_err);
38044+ atomic_inc_unchecked(&vcc->stats->rx_err);
38045 }
38046 else {
38047 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
38048@@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
38049 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
38050 vcc->dev->number,vcc->vci,length,size << 2,descr);
38051 length = eff = 0;
38052- atomic_inc(&vcc->stats->rx_err);
38053+ atomic_inc_unchecked(&vcc->stats->rx_err);
38054 }
38055 }
38056 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
38057@@ -770,7 +770,7 @@ rx_dequeued++;
38058 vcc->push(vcc,skb);
38059 pushed++;
38060 }
38061- atomic_inc(&vcc->stats->rx);
38062+ atomic_inc_unchecked(&vcc->stats->rx);
38063 }
38064 wake_up(&eni_dev->rx_wait);
38065 }
38066@@ -1230,7 +1230,7 @@ static void dequeue_tx(struct atm_dev *dev)
38067 DMA_TO_DEVICE);
38068 if (vcc->pop) vcc->pop(vcc,skb);
38069 else dev_kfree_skb_irq(skb);
38070- atomic_inc(&vcc->stats->tx);
38071+ atomic_inc_unchecked(&vcc->stats->tx);
38072 wake_up(&eni_dev->tx_wait);
38073 dma_complete++;
38074 }
38075diff --git a/drivers/atm/firestream.c b/drivers/atm/firestream.c
38076index 82f2ae0..f205c02 100644
38077--- a/drivers/atm/firestream.c
38078+++ b/drivers/atm/firestream.c
38079@@ -749,7 +749,7 @@ static void process_txdone_queue (struct fs_dev *dev, struct queue *q)
38080 }
38081 }
38082
38083- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
38084+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
38085
38086 fs_dprintk (FS_DEBUG_TXMEM, "i");
38087 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
38088@@ -816,7 +816,7 @@ static void process_incoming (struct fs_dev *dev, struct queue *q)
38089 #endif
38090 skb_put (skb, qe->p1 & 0xffff);
38091 ATM_SKB(skb)->vcc = atm_vcc;
38092- atomic_inc(&atm_vcc->stats->rx);
38093+ atomic_inc_unchecked(&atm_vcc->stats->rx);
38094 __net_timestamp(skb);
38095 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
38096 atm_vcc->push (atm_vcc, skb);
38097@@ -837,12 +837,12 @@ static void process_incoming (struct fs_dev *dev, struct queue *q)
38098 kfree (pe);
38099 }
38100 if (atm_vcc)
38101- atomic_inc(&atm_vcc->stats->rx_drop);
38102+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
38103 break;
38104 case 0x1f: /* Reassembly abort: no buffers. */
38105 /* Silently increment error counter. */
38106 if (atm_vcc)
38107- atomic_inc(&atm_vcc->stats->rx_drop);
38108+ atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
38109 break;
38110 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
38111 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
38112diff --git a/drivers/atm/fore200e.c b/drivers/atm/fore200e.c
38113index 75dde90..4309ead 100644
38114--- a/drivers/atm/fore200e.c
38115+++ b/drivers/atm/fore200e.c
38116@@ -932,9 +932,9 @@ fore200e_tx_irq(struct fore200e* fore200e)
38117 #endif
38118 /* check error condition */
38119 if (*entry->status & STATUS_ERROR)
38120- atomic_inc(&vcc->stats->tx_err);
38121+ atomic_inc_unchecked(&vcc->stats->tx_err);
38122 else
38123- atomic_inc(&vcc->stats->tx);
38124+ atomic_inc_unchecked(&vcc->stats->tx);
38125 }
38126 }
38127
38128@@ -1083,7 +1083,7 @@ fore200e_push_rpd(struct fore200e* fore200e, struct atm_vcc* vcc, struct rpd* rp
38129 if (skb == NULL) {
38130 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
38131
38132- atomic_inc(&vcc->stats->rx_drop);
38133+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38134 return -ENOMEM;
38135 }
38136
38137@@ -1126,14 +1126,14 @@ fore200e_push_rpd(struct fore200e* fore200e, struct atm_vcc* vcc, struct rpd* rp
38138
38139 dev_kfree_skb_any(skb);
38140
38141- atomic_inc(&vcc->stats->rx_drop);
38142+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38143 return -ENOMEM;
38144 }
38145
38146 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
38147
38148 vcc->push(vcc, skb);
38149- atomic_inc(&vcc->stats->rx);
38150+ atomic_inc_unchecked(&vcc->stats->rx);
38151
38152 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
38153
38154@@ -1211,7 +1211,7 @@ fore200e_rx_irq(struct fore200e* fore200e)
38155 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
38156 fore200e->atm_dev->number,
38157 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
38158- atomic_inc(&vcc->stats->rx_err);
38159+ atomic_inc_unchecked(&vcc->stats->rx_err);
38160 }
38161 }
38162
38163@@ -1656,7 +1656,7 @@ fore200e_send(struct atm_vcc *vcc, struct sk_buff *skb)
38164 goto retry_here;
38165 }
38166
38167- atomic_inc(&vcc->stats->tx_err);
38168+ atomic_inc_unchecked(&vcc->stats->tx_err);
38169
38170 fore200e->tx_sat++;
38171 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
38172diff --git a/drivers/atm/he.c b/drivers/atm/he.c
38173index a8da3a5..67cf6c2 100644
38174--- a/drivers/atm/he.c
38175+++ b/drivers/atm/he.c
38176@@ -1692,7 +1692,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
38177
38178 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
38179 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
38180- atomic_inc(&vcc->stats->rx_drop);
38181+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38182 goto return_host_buffers;
38183 }
38184
38185@@ -1719,7 +1719,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
38186 RBRQ_LEN_ERR(he_dev->rbrq_head)
38187 ? "LEN_ERR" : "",
38188 vcc->vpi, vcc->vci);
38189- atomic_inc(&vcc->stats->rx_err);
38190+ atomic_inc_unchecked(&vcc->stats->rx_err);
38191 goto return_host_buffers;
38192 }
38193
38194@@ -1771,7 +1771,7 @@ he_service_rbrq(struct he_dev *he_dev, int group)
38195 vcc->push(vcc, skb);
38196 spin_lock(&he_dev->global_lock);
38197
38198- atomic_inc(&vcc->stats->rx);
38199+ atomic_inc_unchecked(&vcc->stats->rx);
38200
38201 return_host_buffers:
38202 ++pdus_assembled;
38203@@ -2097,7 +2097,7 @@ __enqueue_tpd(struct he_dev *he_dev, struct he_tpd *tpd, unsigned cid)
38204 tpd->vcc->pop(tpd->vcc, tpd->skb);
38205 else
38206 dev_kfree_skb_any(tpd->skb);
38207- atomic_inc(&tpd->vcc->stats->tx_err);
38208+ atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
38209 }
38210 dma_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
38211 return;
38212@@ -2509,7 +2509,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
38213 vcc->pop(vcc, skb);
38214 else
38215 dev_kfree_skb_any(skb);
38216- atomic_inc(&vcc->stats->tx_err);
38217+ atomic_inc_unchecked(&vcc->stats->tx_err);
38218 return -EINVAL;
38219 }
38220
38221@@ -2520,7 +2520,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
38222 vcc->pop(vcc, skb);
38223 else
38224 dev_kfree_skb_any(skb);
38225- atomic_inc(&vcc->stats->tx_err);
38226+ atomic_inc_unchecked(&vcc->stats->tx_err);
38227 return -EINVAL;
38228 }
38229 #endif
38230@@ -2532,7 +2532,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
38231 vcc->pop(vcc, skb);
38232 else
38233 dev_kfree_skb_any(skb);
38234- atomic_inc(&vcc->stats->tx_err);
38235+ atomic_inc_unchecked(&vcc->stats->tx_err);
38236 spin_unlock_irqrestore(&he_dev->global_lock, flags);
38237 return -ENOMEM;
38238 }
38239@@ -2574,7 +2574,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
38240 vcc->pop(vcc, skb);
38241 else
38242 dev_kfree_skb_any(skb);
38243- atomic_inc(&vcc->stats->tx_err);
38244+ atomic_inc_unchecked(&vcc->stats->tx_err);
38245 spin_unlock_irqrestore(&he_dev->global_lock, flags);
38246 return -ENOMEM;
38247 }
38248@@ -2605,7 +2605,7 @@ he_send(struct atm_vcc *vcc, struct sk_buff *skb)
38249 __enqueue_tpd(he_dev, tpd, cid);
38250 spin_unlock_irqrestore(&he_dev->global_lock, flags);
38251
38252- atomic_inc(&vcc->stats->tx);
38253+ atomic_inc_unchecked(&vcc->stats->tx);
38254
38255 return 0;
38256 }
38257diff --git a/drivers/atm/horizon.c b/drivers/atm/horizon.c
38258index 527bbd5..96570c8 100644
38259--- a/drivers/atm/horizon.c
38260+++ b/drivers/atm/horizon.c
38261@@ -1018,7 +1018,7 @@ static void rx_schedule (hrz_dev * dev, int irq) {
38262 {
38263 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
38264 // VC layer stats
38265- atomic_inc(&vcc->stats->rx);
38266+ atomic_inc_unchecked(&vcc->stats->rx);
38267 __net_timestamp(skb);
38268 // end of our responsibility
38269 vcc->push (vcc, skb);
38270@@ -1170,7 +1170,7 @@ static void tx_schedule (hrz_dev * const dev, int irq) {
38271 dev->tx_iovec = NULL;
38272
38273 // VC layer stats
38274- atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
38275+ atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
38276
38277 // free the skb
38278 hrz_kfree_skb (skb);
38279diff --git a/drivers/atm/idt77252.c b/drivers/atm/idt77252.c
38280index 074616b..d6b3d5f 100644
38281--- a/drivers/atm/idt77252.c
38282+++ b/drivers/atm/idt77252.c
38283@@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, struct vc_map *vc)
38284 else
38285 dev_kfree_skb(skb);
38286
38287- atomic_inc(&vcc->stats->tx);
38288+ atomic_inc_unchecked(&vcc->stats->tx);
38289 }
38290
38291 atomic_dec(&scq->used);
38292@@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38293 if ((sb = dev_alloc_skb(64)) == NULL) {
38294 printk("%s: Can't allocate buffers for aal0.\n",
38295 card->name);
38296- atomic_add(i, &vcc->stats->rx_drop);
38297+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
38298 break;
38299 }
38300 if (!atm_charge(vcc, sb->truesize)) {
38301 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
38302 card->name);
38303- atomic_add(i - 1, &vcc->stats->rx_drop);
38304+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
38305 dev_kfree_skb(sb);
38306 break;
38307 }
38308@@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38309 ATM_SKB(sb)->vcc = vcc;
38310 __net_timestamp(sb);
38311 vcc->push(vcc, sb);
38312- atomic_inc(&vcc->stats->rx);
38313+ atomic_inc_unchecked(&vcc->stats->rx);
38314
38315 cell += ATM_CELL_PAYLOAD;
38316 }
38317@@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38318 "(CDC: %08x)\n",
38319 card->name, len, rpp->len, readl(SAR_REG_CDC));
38320 recycle_rx_pool_skb(card, rpp);
38321- atomic_inc(&vcc->stats->rx_err);
38322+ atomic_inc_unchecked(&vcc->stats->rx_err);
38323 return;
38324 }
38325 if (stat & SAR_RSQE_CRC) {
38326 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
38327 recycle_rx_pool_skb(card, rpp);
38328- atomic_inc(&vcc->stats->rx_err);
38329+ atomic_inc_unchecked(&vcc->stats->rx_err);
38330 return;
38331 }
38332 if (skb_queue_len(&rpp->queue) > 1) {
38333@@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38334 RXPRINTK("%s: Can't alloc RX skb.\n",
38335 card->name);
38336 recycle_rx_pool_skb(card, rpp);
38337- atomic_inc(&vcc->stats->rx_err);
38338+ atomic_inc_unchecked(&vcc->stats->rx_err);
38339 return;
38340 }
38341 if (!atm_charge(vcc, skb->truesize)) {
38342@@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38343 __net_timestamp(skb);
38344
38345 vcc->push(vcc, skb);
38346- atomic_inc(&vcc->stats->rx);
38347+ atomic_inc_unchecked(&vcc->stats->rx);
38348
38349 return;
38350 }
38351@@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, struct rsq_entry *rsqe)
38352 __net_timestamp(skb);
38353
38354 vcc->push(vcc, skb);
38355- atomic_inc(&vcc->stats->rx);
38356+ atomic_inc_unchecked(&vcc->stats->rx);
38357
38358 if (skb->truesize > SAR_FB_SIZE_3)
38359 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
38360@@ -1302,14 +1302,14 @@ idt77252_rx_raw(struct idt77252_dev *card)
38361 if (vcc->qos.aal != ATM_AAL0) {
38362 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
38363 card->name, vpi, vci);
38364- atomic_inc(&vcc->stats->rx_drop);
38365+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38366 goto drop;
38367 }
38368
38369 if ((sb = dev_alloc_skb(64)) == NULL) {
38370 printk("%s: Can't allocate buffers for AAL0.\n",
38371 card->name);
38372- atomic_inc(&vcc->stats->rx_err);
38373+ atomic_inc_unchecked(&vcc->stats->rx_err);
38374 goto drop;
38375 }
38376
38377@@ -1328,7 +1328,7 @@ idt77252_rx_raw(struct idt77252_dev *card)
38378 ATM_SKB(sb)->vcc = vcc;
38379 __net_timestamp(sb);
38380 vcc->push(vcc, sb);
38381- atomic_inc(&vcc->stats->rx);
38382+ atomic_inc_unchecked(&vcc->stats->rx);
38383
38384 drop:
38385 skb_pull(queue, 64);
38386@@ -1953,13 +1953,13 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
38387
38388 if (vc == NULL) {
38389 printk("%s: NULL connection in send().\n", card->name);
38390- atomic_inc(&vcc->stats->tx_err);
38391+ atomic_inc_unchecked(&vcc->stats->tx_err);
38392 dev_kfree_skb(skb);
38393 return -EINVAL;
38394 }
38395 if (!test_bit(VCF_TX, &vc->flags)) {
38396 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
38397- atomic_inc(&vcc->stats->tx_err);
38398+ atomic_inc_unchecked(&vcc->stats->tx_err);
38399 dev_kfree_skb(skb);
38400 return -EINVAL;
38401 }
38402@@ -1971,14 +1971,14 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
38403 break;
38404 default:
38405 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
38406- atomic_inc(&vcc->stats->tx_err);
38407+ atomic_inc_unchecked(&vcc->stats->tx_err);
38408 dev_kfree_skb(skb);
38409 return -EINVAL;
38410 }
38411
38412 if (skb_shinfo(skb)->nr_frags != 0) {
38413 printk("%s: No scatter-gather yet.\n", card->name);
38414- atomic_inc(&vcc->stats->tx_err);
38415+ atomic_inc_unchecked(&vcc->stats->tx_err);
38416 dev_kfree_skb(skb);
38417 return -EINVAL;
38418 }
38419@@ -1986,7 +1986,7 @@ idt77252_send_skb(struct atm_vcc *vcc, struct sk_buff *skb, int oam)
38420
38421 err = queue_skb(card, vc, skb, oam);
38422 if (err) {
38423- atomic_inc(&vcc->stats->tx_err);
38424+ atomic_inc_unchecked(&vcc->stats->tx_err);
38425 dev_kfree_skb(skb);
38426 return err;
38427 }
38428@@ -2009,7 +2009,7 @@ idt77252_send_oam(struct atm_vcc *vcc, void *cell, int flags)
38429 skb = dev_alloc_skb(64);
38430 if (!skb) {
38431 printk("%s: Out of memory in send_oam().\n", card->name);
38432- atomic_inc(&vcc->stats->tx_err);
38433+ atomic_inc_unchecked(&vcc->stats->tx_err);
38434 return -ENOMEM;
38435 }
38436 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
38437diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
38438index 65e6590..df77d04 100644
38439--- a/drivers/atm/iphase.c
38440+++ b/drivers/atm/iphase.c
38441@@ -1145,7 +1145,7 @@ static int rx_pkt(struct atm_dev *dev)
38442 status = (u_short) (buf_desc_ptr->desc_mode);
38443 if (status & (RX_CER | RX_PTE | RX_OFL))
38444 {
38445- atomic_inc(&vcc->stats->rx_err);
38446+ atomic_inc_unchecked(&vcc->stats->rx_err);
38447 IF_ERR(printk("IA: bad packet, dropping it");)
38448 if (status & RX_CER) {
38449 IF_ERR(printk(" cause: packet CRC error\n");)
38450@@ -1168,7 +1168,7 @@ static int rx_pkt(struct atm_dev *dev)
38451 len = dma_addr - buf_addr;
38452 if (len > iadev->rx_buf_sz) {
38453 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
38454- atomic_inc(&vcc->stats->rx_err);
38455+ atomic_inc_unchecked(&vcc->stats->rx_err);
38456 goto out_free_desc;
38457 }
38458
38459@@ -1318,7 +1318,7 @@ static void rx_dle_intr(struct atm_dev *dev)
38460 ia_vcc = INPH_IA_VCC(vcc);
38461 if (ia_vcc == NULL)
38462 {
38463- atomic_inc(&vcc->stats->rx_err);
38464+ atomic_inc_unchecked(&vcc->stats->rx_err);
38465 atm_return(vcc, skb->truesize);
38466 dev_kfree_skb_any(skb);
38467 goto INCR_DLE;
38468@@ -1330,7 +1330,7 @@ static void rx_dle_intr(struct atm_dev *dev)
38469 if ((length > iadev->rx_buf_sz) || (length >
38470 (skb->len - sizeof(struct cpcs_trailer))))
38471 {
38472- atomic_inc(&vcc->stats->rx_err);
38473+ atomic_inc_unchecked(&vcc->stats->rx_err);
38474 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
38475 length, skb->len);)
38476 atm_return(vcc, skb->truesize);
38477@@ -1346,7 +1346,7 @@ static void rx_dle_intr(struct atm_dev *dev)
38478
38479 IF_RX(printk("rx_dle_intr: skb push");)
38480 vcc->push(vcc,skb);
38481- atomic_inc(&vcc->stats->rx);
38482+ atomic_inc_unchecked(&vcc->stats->rx);
38483 iadev->rx_pkt_cnt++;
38484 }
38485 INCR_DLE:
38486@@ -2828,15 +2828,15 @@ static int ia_ioctl(struct atm_dev *dev, unsigned int cmd, void __user *arg)
38487 {
38488 struct k_sonet_stats *stats;
38489 stats = &PRIV(_ia_dev[board])->sonet_stats;
38490- printk("section_bip: %d\n", atomic_read(&stats->section_bip));
38491- printk("line_bip : %d\n", atomic_read(&stats->line_bip));
38492- printk("path_bip : %d\n", atomic_read(&stats->path_bip));
38493- printk("line_febe : %d\n", atomic_read(&stats->line_febe));
38494- printk("path_febe : %d\n", atomic_read(&stats->path_febe));
38495- printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
38496- printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
38497- printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
38498- printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
38499+ printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
38500+ printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
38501+ printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
38502+ printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
38503+ printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
38504+ printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
38505+ printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
38506+ printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
38507+ printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
38508 }
38509 ia_cmds.status = 0;
38510 break;
38511@@ -2941,7 +2941,7 @@ static int ia_pkt_tx (struct atm_vcc *vcc, struct sk_buff *skb) {
38512 if ((desc == 0) || (desc > iadev->num_tx_desc))
38513 {
38514 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
38515- atomic_inc(&vcc->stats->tx);
38516+ atomic_inc_unchecked(&vcc->stats->tx);
38517 if (vcc->pop)
38518 vcc->pop(vcc, skb);
38519 else
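Review bot: The invalid-descriptor branch in ia_pkt_tx bumps `vcc->stats->tx`, the same counter the success path increments further down in this file section, so a rejected send looks like it is counted as a transmitted packet. If that is not intentional, the line should read `atomic_inc_unchecked(&vcc->stats->tx_err);`, which matches how the other ATM drivers in this patch account for failed sends. The conversion to the unchecked variant is otherwise mechanical; the body of ia_pkt_tx continues outside the hunk, so the surrounding accounting cannot be confirmed from here.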
38520@@ -3046,14 +3046,14 @@ static int ia_pkt_tx (struct atm_vcc *vcc, struct sk_buff *skb) {
38521 ATM_DESC(skb) = vcc->vci;
38522 skb_queue_tail(&iadev->tx_dma_q, skb);
38523
38524- atomic_inc(&vcc->stats->tx);
38525+ atomic_inc_unchecked(&vcc->stats->tx);
38526 iadev->tx_pkt_cnt++;
38527 /* Increment transaction counter */
38528 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
38529
38530 #if 0
38531 /* add flow control logic */
38532- if (atomic_read(&vcc->stats->tx) % 20 == 0) {
38533+ if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
38534 if (iavcc->vc_desc_cnt > 10) {
38535 vcc->tx_quota = vcc->tx_quota * 3 / 4;
38536 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
38537diff --git a/drivers/atm/lanai.c b/drivers/atm/lanai.c
38538index ce43ae3..969de38 100644
38539--- a/drivers/atm/lanai.c
38540+++ b/drivers/atm/lanai.c
38541@@ -1295,7 +1295,7 @@ static void lanai_send_one_aal5(struct lanai_dev *lanai,
38542 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
38543 lanai_endtx(lanai, lvcc);
38544 lanai_free_skb(lvcc->tx.atmvcc, skb);
38545- atomic_inc(&lvcc->tx.atmvcc->stats->tx);
38546+ atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
38547 }
38548
38549 /* Try to fill the buffer - don't call unless there is backlog */
38550@@ -1418,7 +1418,7 @@ static void vcc_rx_aal5(struct lanai_vcc *lvcc, int endptr)
38551 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
38552 __net_timestamp(skb);
38553 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
38554- atomic_inc(&lvcc->rx.atmvcc->stats->rx);
38555+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
38556 out:
38557 lvcc->rx.buf.ptr = end;
38558 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
38559@@ -1659,7 +1659,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
38560 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
38561 "vcc %d\n", lanai->number, (unsigned int) s, vci);
38562 lanai->stats.service_rxnotaal5++;
38563- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
38564+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
38565 return 0;
38566 }
38567 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
38568@@ -1671,7 +1671,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
38569 int bytes;
38570 read_unlock(&vcc_sklist_lock);
38571 DPRINTK("got trashed rx pdu on vci %d\n", vci);
38572- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
38573+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
38574 lvcc->stats.x.aal5.service_trash++;
38575 bytes = (SERVICE_GET_END(s) * 16) -
38576 (((unsigned long) lvcc->rx.buf.ptr) -
38577@@ -1683,7 +1683,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
38578 }
38579 if (s & SERVICE_STREAM) {
38580 read_unlock(&vcc_sklist_lock);
38581- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
38582+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
38583 lvcc->stats.x.aal5.service_stream++;
38584 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
38585 "PDU on VCI %d!\n", lanai->number, vci);
38586@@ -1691,7 +1691,7 @@ static int handle_service(struct lanai_dev *lanai, u32 s)
38587 return 0;
38588 }
38589 DPRINTK("got rx crc error on vci %d\n", vci);
38590- atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
38591+ atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
38592 lvcc->stats.x.aal5.service_rxcrc++;
38593 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
38594 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
38595diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
38596index ddc4ceb..36e29aa 100644
38597--- a/drivers/atm/nicstar.c
38598+++ b/drivers/atm/nicstar.c
38599@@ -1632,7 +1632,7 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38600 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
38601 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
38602 card->index);
38603- atomic_inc(&vcc->stats->tx_err);
38604+ atomic_inc_unchecked(&vcc->stats->tx_err);
38605 dev_kfree_skb_any(skb);
38606 return -EINVAL;
38607 }
38608@@ -1640,7 +1640,7 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38609 if (!vc->tx) {
38610 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
38611 card->index);
38612- atomic_inc(&vcc->stats->tx_err);
38613+ atomic_inc_unchecked(&vcc->stats->tx_err);
38614 dev_kfree_skb_any(skb);
38615 return -EINVAL;
38616 }
38617@@ -1648,14 +1648,14 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38618 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
38619 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
38620 card->index);
38621- atomic_inc(&vcc->stats->tx_err);
38622+ atomic_inc_unchecked(&vcc->stats->tx_err);
38623 dev_kfree_skb_any(skb);
38624 return -EINVAL;
38625 }
38626
38627 if (skb_shinfo(skb)->nr_frags != 0) {
38628 printk("nicstar%d: No scatter-gather yet.\n", card->index);
38629- atomic_inc(&vcc->stats->tx_err);
38630+ atomic_inc_unchecked(&vcc->stats->tx_err);
38631 dev_kfree_skb_any(skb);
38632 return -EINVAL;
38633 }
38634@@ -1703,11 +1703,11 @@ static int ns_send(struct atm_vcc *vcc, struct sk_buff *skb)
38635 }
38636
38637 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
38638- atomic_inc(&vcc->stats->tx_err);
38639+ atomic_inc_unchecked(&vcc->stats->tx_err);
38640 dev_kfree_skb_any(skb);
38641 return -EIO;
38642 }
38643- atomic_inc(&vcc->stats->tx);
38644+ atomic_inc_unchecked(&vcc->stats->tx);
38645
38646 return 0;
38647 }
38648@@ -2024,14 +2024,14 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38649 printk
38650 ("nicstar%d: Can't allocate buffers for aal0.\n",
38651 card->index);
38652- atomic_add(i, &vcc->stats->rx_drop);
38653+ atomic_add_unchecked(i, &vcc->stats->rx_drop);
38654 break;
38655 }
38656 if (!atm_charge(vcc, sb->truesize)) {
38657 RXPRINTK
38658 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
38659 card->index);
38660- atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
38661+ atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
38662 dev_kfree_skb_any(sb);
38663 break;
38664 }
38665@@ -2046,7 +2046,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38666 ATM_SKB(sb)->vcc = vcc;
38667 __net_timestamp(sb);
38668 vcc->push(vcc, sb);
38669- atomic_inc(&vcc->stats->rx);
38670+ atomic_inc_unchecked(&vcc->stats->rx);
38671 cell += ATM_CELL_PAYLOAD;
38672 }
38673
38674@@ -2063,7 +2063,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38675 if (iovb == NULL) {
38676 printk("nicstar%d: Out of iovec buffers.\n",
38677 card->index);
38678- atomic_inc(&vcc->stats->rx_drop);
38679+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38680 recycle_rx_buf(card, skb);
38681 return;
38682 }
38683@@ -2087,7 +2087,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38684 small or large buffer itself. */
38685 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
38686 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
38687- atomic_inc(&vcc->stats->rx_err);
38688+ atomic_inc_unchecked(&vcc->stats->rx_err);
38689 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
38690 NS_MAX_IOVECS);
38691 NS_PRV_IOVCNT(iovb) = 0;
38692@@ -2107,7 +2107,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38693 ("nicstar%d: Expected a small buffer, and this is not one.\n",
38694 card->index);
38695 which_list(card, skb);
38696- atomic_inc(&vcc->stats->rx_err);
38697+ atomic_inc_unchecked(&vcc->stats->rx_err);
38698 recycle_rx_buf(card, skb);
38699 vc->rx_iov = NULL;
38700 recycle_iov_buf(card, iovb);
38701@@ -2120,7 +2120,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38702 ("nicstar%d: Expected a large buffer, and this is not one.\n",
38703 card->index);
38704 which_list(card, skb);
38705- atomic_inc(&vcc->stats->rx_err);
38706+ atomic_inc_unchecked(&vcc->stats->rx_err);
38707 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
38708 NS_PRV_IOVCNT(iovb));
38709 vc->rx_iov = NULL;
38710@@ -2143,7 +2143,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38711 printk(" - PDU size mismatch.\n");
38712 else
38713 printk(".\n");
38714- atomic_inc(&vcc->stats->rx_err);
38715+ atomic_inc_unchecked(&vcc->stats->rx_err);
38716 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
38717 NS_PRV_IOVCNT(iovb));
38718 vc->rx_iov = NULL;
38719@@ -2157,14 +2157,14 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38720 /* skb points to a small buffer */
38721 if (!atm_charge(vcc, skb->truesize)) {
38722 push_rxbufs(card, skb);
38723- atomic_inc(&vcc->stats->rx_drop);
38724+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38725 } else {
38726 skb_put(skb, len);
38727 dequeue_sm_buf(card, skb);
38728 ATM_SKB(skb)->vcc = vcc;
38729 __net_timestamp(skb);
38730 vcc->push(vcc, skb);
38731- atomic_inc(&vcc->stats->rx);
38732+ atomic_inc_unchecked(&vcc->stats->rx);
38733 }
38734 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
38735 struct sk_buff *sb;
38736@@ -2175,14 +2175,14 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38737 if (len <= NS_SMBUFSIZE) {
38738 if (!atm_charge(vcc, sb->truesize)) {
38739 push_rxbufs(card, sb);
38740- atomic_inc(&vcc->stats->rx_drop);
38741+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38742 } else {
38743 skb_put(sb, len);
38744 dequeue_sm_buf(card, sb);
38745 ATM_SKB(sb)->vcc = vcc;
38746 __net_timestamp(sb);
38747 vcc->push(vcc, sb);
38748- atomic_inc(&vcc->stats->rx);
38749+ atomic_inc_unchecked(&vcc->stats->rx);
38750 }
38751
38752 push_rxbufs(card, skb);
38753@@ -2191,7 +2191,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38754
38755 if (!atm_charge(vcc, skb->truesize)) {
38756 push_rxbufs(card, skb);
38757- atomic_inc(&vcc->stats->rx_drop);
38758+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38759 } else {
38760 dequeue_lg_buf(card, skb);
38761 skb_push(skb, NS_SMBUFSIZE);
38762@@ -2201,7 +2201,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38763 ATM_SKB(skb)->vcc = vcc;
38764 __net_timestamp(skb);
38765 vcc->push(vcc, skb);
38766- atomic_inc(&vcc->stats->rx);
38767+ atomic_inc_unchecked(&vcc->stats->rx);
38768 }
38769
38770 push_rxbufs(card, sb);
38771@@ -2222,7 +2222,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38772 printk
38773 ("nicstar%d: Out of huge buffers.\n",
38774 card->index);
38775- atomic_inc(&vcc->stats->rx_drop);
38776+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38777 recycle_iovec_rx_bufs(card,
38778 (struct iovec *)
38779 iovb->data,
38780@@ -2273,7 +2273,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38781 card->hbpool.count++;
38782 } else
38783 dev_kfree_skb_any(hb);
38784- atomic_inc(&vcc->stats->rx_drop);
38785+ atomic_inc_unchecked(&vcc->stats->rx_drop);
38786 } else {
38787 /* Copy the small buffer to the huge buffer */
38788 sb = (struct sk_buff *)iov->iov_base;
38789@@ -2307,7 +2307,7 @@ static void dequeue_rx(ns_dev * card, ns_rsqe * rsqe)
38790 ATM_SKB(hb)->vcc = vcc;
38791 __net_timestamp(hb);
38792 vcc->push(vcc, hb);
38793- atomic_inc(&vcc->stats->rx);
38794+ atomic_inc_unchecked(&vcc->stats->rx);
38795 }
38796 }
38797
38798diff --git a/drivers/atm/solos-pci.c b/drivers/atm/solos-pci.c
38799index 74e18b0..f16afa0 100644
38800--- a/drivers/atm/solos-pci.c
38801+++ b/drivers/atm/solos-pci.c
38802@@ -838,7 +838,7 @@ static void solos_bh(unsigned long card_arg)
38803 }
38804 atm_charge(vcc, skb->truesize);
38805 vcc->push(vcc, skb);
38806- atomic_inc(&vcc->stats->rx);
38807+ atomic_inc_unchecked(&vcc->stats->rx);
38808 break;
38809
38810 case PKT_STATUS:
38811@@ -1116,7 +1116,7 @@ static uint32_t fpga_tx(struct solos_card *card)
38812 vcc = SKB_CB(oldskb)->vcc;
38813
38814 if (vcc) {
38815- atomic_inc(&vcc->stats->tx);
38816+ atomic_inc_unchecked(&vcc->stats->tx);
38817 solos_pop(vcc, oldskb);
38818 } else {
38819 dev_kfree_skb_irq(oldskb);
38820diff --git a/drivers/atm/suni.c b/drivers/atm/suni.c
38821index 0215934..ce9f5b1 100644
38822--- a/drivers/atm/suni.c
38823+++ b/drivers/atm/suni.c
38824@@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
38825
38826
38827 #define ADD_LIMITED(s,v) \
38828- atomic_add((v),&stats->s); \
38829- if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
38830+ atomic_add_unchecked((v),&stats->s); \
38831+ if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
38832
38833
38834 static void suni_hz(unsigned long from_timer)
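Review bot: ADD_LIMITED in suni.c still expands to two bare statements, so under an unbraced `if` only the `atomic_add_unchecked()` would be conditional; wrapping the body in `do { ... } while (0)` removes that hazard. The uPD98402.c variant later in this patch uses plain `{ ... }`, which breaks in an `if (...) ADD_LIMITED(...); else` construct, and would benefit from the same wrapper. The clamp works by letting the counter wrap negative and then storing INT_MAX, which is presumably why the unchecked operations are required here; a one-line comment such as `/* saturating statistics counter: wrap is detected and clamped below */` would record that. The add, read and set are three separate atomic operations, so the clamp itself is not atomic against a concurrent updater.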
38835diff --git a/drivers/atm/uPD98402.c b/drivers/atm/uPD98402.c
38836index 5120a96..e2572bd 100644
38837--- a/drivers/atm/uPD98402.c
38838+++ b/drivers/atm/uPD98402.c
38839@@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *dev,struct sonet_stats __user *arg,int ze
38840 struct sonet_stats tmp;
38841 int error = 0;
38842
38843- atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
38844+ atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
38845 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
38846 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
38847 if (zero && !error) {
38848@@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev *dev,unsigned int cmd,void __user *arg)
38849
38850
38851 #define ADD_LIMITED(s,v) \
38852- { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
38853- if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
38854- atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
38855+ { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
38856+ if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
38857+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
38858
38859
38860 static void stat_event(struct atm_dev *dev)
38861@@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev *dev)
38862 if (reason & uPD98402_INT_PFM) stat_event(dev);
38863 if (reason & uPD98402_INT_PCO) {
38864 (void) GET(PCOCR); /* clear interrupt cause */
38865- atomic_add(GET(HECCT),
38866+ atomic_add_unchecked(GET(HECCT),
38867 &PRIV(dev)->sonet_stats.uncorr_hcs);
38868 }
38869 if ((reason & uPD98402_INT_RFO) &&
38870@@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev *dev)
38871 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
38872 uPD98402_INT_LOS),PIMR); /* enable them */
38873 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
38874- atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
38875- atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
38876- atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
38877+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
38878+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
38879+ atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
38880 return 0;
38881 }
38882
38883diff --git a/drivers/atm/zatm.c b/drivers/atm/zatm.c
38884index cecfb94..87009ec 100644
38885--- a/drivers/atm/zatm.c
38886+++ b/drivers/atm/zatm.c
38887@@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy[0],dummy[1]);
38888 }
38889 if (!size) {
38890 dev_kfree_skb_irq(skb);
38891- if (vcc) atomic_inc(&vcc->stats->rx_err);
38892+ if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
38893 continue;
38894 }
38895 if (!atm_charge(vcc,skb->truesize)) {
38896@@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy[0],dummy[1]);
38897 skb->len = size;
38898 ATM_SKB(skb)->vcc = vcc;
38899 vcc->push(vcc,skb);
38900- atomic_inc(&vcc->stats->rx);
38901+ atomic_inc_unchecked(&vcc->stats->rx);
38902 }
38903 zout(pos & 0xffff,MTA(mbx));
38904 #if 0 /* probably a stupid idea */
38905@@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD_V | uPD98401_TXPD_DP |
38906 skb_queue_head(&zatm_vcc->backlog,skb);
38907 break;
38908 }
38909- atomic_inc(&vcc->stats->tx);
38910+ atomic_inc_unchecked(&vcc->stats->tx);
38911 wake_up(&zatm_vcc->tx_wait);
38912 }
38913
38914diff --git a/drivers/base/bus.c b/drivers/base/bus.c
38915index 5005924..9fc06c4 100644
38916--- a/drivers/base/bus.c
38917+++ b/drivers/base/bus.c
38918@@ -1141,7 +1141,7 @@ int subsys_interface_register(struct subsys_interface *sif)
38919 return -EINVAL;
38920
38921 mutex_lock(&subsys->p->mutex);
38922- list_add_tail(&sif->node, &subsys->p->interfaces);
38923+ pax_list_add_tail((struct list_head *)&sif->node, &subsys->p->interfaces);
38924 if (sif->add_dev) {
38925 subsys_dev_iter_init(&iter, subsys, NULL, NULL);
38926 while ((dev = subsys_dev_iter_next(&iter)))
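Review bot: The `(struct list_head *)&sif->node` cast passed to `pax_list_add_tail()` has no comment explaining why it is needed, and an explicit cast disables the compiler's check on the argument type. If it exists to drop a `const` qualifier that constification adds to `struct subsys_interface` (not visible in this hunk), that should be stated next to the call, for example `/* sif may live in read-only memory; pax_list_* performs the write */`. The same applies to `pax_list_del_init()` in the next hunk and to the `pax_list_add_tail()`/`pax_list_del()` calls in drivers/base/syscore.c.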
38927@@ -1166,7 +1166,7 @@ void subsys_interface_unregister(struct subsys_interface *sif)
38928 subsys = sif->subsys;
38929
38930 mutex_lock(&subsys->p->mutex);
38931- list_del_init(&sif->node);
38932+ pax_list_del_init((struct list_head *)&sif->node);
38933 if (sif->remove_dev) {
38934 subsys_dev_iter_init(&iter, subsys, NULL, NULL);
38935 while ((dev = subsys_dev_iter_next(&iter)))
38936diff --git a/drivers/base/devtmpfs.c b/drivers/base/devtmpfs.c
38937index 68f0314..ca2a609 100644
38938--- a/drivers/base/devtmpfs.c
38939+++ b/drivers/base/devtmpfs.c
38940@@ -354,7 +354,7 @@ int devtmpfs_mount(const char *mntdir)
38941 if (!thread)
38942 return 0;
38943
38944- err = sys_mount("devtmpfs", (char *)mntdir, "devtmpfs", MS_SILENT, NULL);
38945+ err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)mntdir, (char __force_user *)"devtmpfs", MS_SILENT, NULL);
38946 if (err)
38947 printk(KERN_INFO "devtmpfs: error mounting %i\n", err);
38948 else
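Review bot: The `(char __force_user *)` casts in devtmpfs_mount hand kernel-resident strings (`"devtmpfs"`, `mntdir`) to `sys_mount()` as if they were user pointers, and nothing visible in the hunk says why that is safe. These calls presumably rely on the calling thread running with a kernel address limit; a comment such as `/* kernel pointers: only valid while the caller's address limit covers kernel space */` would keep the forced annotation from being copied into a context where it is not true. The next hunk (devtmpfsd) adds the same casts to `sys_mount()`, `sys_chdir()` and `sys_chroot()` and needs the same remark. Both functions start outside their hunks.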
38949@@ -380,11 +380,11 @@ static int devtmpfsd(void *p)
38950 *err = sys_unshare(CLONE_NEWNS);
38951 if (*err)
38952 goto out;
38953- *err = sys_mount("devtmpfs", "/", "devtmpfs", MS_SILENT, options);
38954+ *err = sys_mount((char __force_user *)"devtmpfs", (char __force_user *)"/", (char __force_user *)"devtmpfs", MS_SILENT, (char __force_user *)options);
38955 if (*err)
38956 goto out;
38957- sys_chdir("/.."); /* will traverse into overmounted root */
38958- sys_chroot(".");
38959+ sys_chdir((char __force_user *)"/.."); /* will traverse into overmounted root */
38960+ sys_chroot((char __force_user *)".");
38961 complete(&setup_done);
38962 while (1) {
38963 spin_lock(&req_lock);
38964diff --git a/drivers/base/node.c b/drivers/base/node.c
38965index 560751b..3a4847a 100644
38966--- a/drivers/base/node.c
38967+++ b/drivers/base/node.c
38968@@ -627,7 +627,7 @@ static ssize_t print_nodes_state(enum node_states state, char *buf)
38969 struct node_attr {
38970 struct device_attribute attr;
38971 enum node_states state;
38972-};
38973+} __do_const;
38974
38975 static ssize_t show_node_state(struct device *dev,
38976 struct device_attribute *attr, char *buf)
38977diff --git a/drivers/base/power/domain.c b/drivers/base/power/domain.c
38978index 0ee43c1..369dd62 100644
38979--- a/drivers/base/power/domain.c
38980+++ b/drivers/base/power/domain.c
38981@@ -1738,7 +1738,7 @@ int pm_genpd_attach_cpuidle(struct generic_pm_domain *genpd, int state)
38982 {
38983 struct cpuidle_driver *cpuidle_drv;
38984 struct gpd_cpuidle_data *cpuidle_data;
38985- struct cpuidle_state *idle_state;
38986+ cpuidle_state_no_const *idle_state;
38987 int ret = 0;
38988
38989 if (IS_ERR_OR_NULL(genpd) || state < 0)
38990@@ -1806,7 +1806,7 @@ int pm_genpd_name_attach_cpuidle(const char *name, int state)
38991 int pm_genpd_detach_cpuidle(struct generic_pm_domain *genpd)
38992 {
38993 struct gpd_cpuidle_data *cpuidle_data;
38994- struct cpuidle_state *idle_state;
38995+ cpuidle_state_no_const *idle_state;
38996 int ret = 0;
38997
38998 if (IS_ERR_OR_NULL(genpd))
38999@@ -2241,8 +2241,11 @@ int genpd_dev_pm_attach(struct device *dev)
39000 return ret;
39001 }
39002
39003- dev->pm_domain->detach = genpd_dev_pm_detach;
39004- dev->pm_domain->sync = genpd_dev_pm_sync;
39005+ pax_open_kernel();
39006+ *(void **)&dev->pm_domain->detach = genpd_dev_pm_detach;
39007+ *(void **)&dev->pm_domain->sync = genpd_dev_pm_sync;
39008+ pax_close_kernel();
39009+
39010 pm_genpd_poweron(pd);
39011
39012 return 0;
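Review bot: The two stores through `*(void **)&dev->pm_domain->detach` and `->sync` bypass the compiler's function-pointer type check, so a later signature change to `genpd_dev_pm_detach` or `genpd_dev_pm_sync` would no longer be caught at build time. The `pax_open_kernel()`/`pax_close_kernel()` window is correctly limited to the two assignments with no early exit in between, but the reason for it is undocumented; a comment such as `/* pm_domain ops are presumably write-protected; open the kernel only for these two stores */` would help. Keeping `pm_genpd_poweron(pd)` outside the window, as done here, should stay a requirement for future edits. genpd_dev_pm_attach starts outside the hunk.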
39013diff --git a/drivers/base/power/sysfs.c b/drivers/base/power/sysfs.c
39014index d2be3f9..0a3167a 100644
39015--- a/drivers/base/power/sysfs.c
39016+++ b/drivers/base/power/sysfs.c
39017@@ -181,7 +181,7 @@ static ssize_t rtpm_status_show(struct device *dev,
39018 return -EIO;
39019 }
39020 }
39021- return sprintf(buf, p);
39022+ return sprintf(buf, "%s", p);
39023 }
39024
39025 static DEVICE_ATTR(runtime_status, 0444, rtpm_status_show, NULL);
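Review bot: The format-string fix in rtpm_status_show still uses an unbounded `sprintf()` into the sysfs buffer. Because this is a `DEVICE_ATTR` show callback, the size-aware form `return scnprintf(buf, PAGE_SIZE, "%s", p);` would also bound the write, assuming `buf` is the usual page-sized sysfs buffer. The values `p` can take are assigned outside the hunk, so their length cannot be confirmed from here.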
39026diff --git a/drivers/base/power/wakeup.c b/drivers/base/power/wakeup.c
39027index 51f15bc..892a668 100644
39028--- a/drivers/base/power/wakeup.c
39029+++ b/drivers/base/power/wakeup.c
39030@@ -33,14 +33,14 @@ static bool pm_abort_suspend __read_mostly;
39031 * They need to be modified together atomically, so it's better to use one
39032 * atomic variable to hold them both.
39033 */
39034-static atomic_t combined_event_count = ATOMIC_INIT(0);
39035+static atomic_unchecked_t combined_event_count = ATOMIC_INIT(0);
39036
39037 #define IN_PROGRESS_BITS (sizeof(int) * 4)
39038 #define MAX_IN_PROGRESS ((1 << IN_PROGRESS_BITS) - 1)
39039
39040 static void split_counters(unsigned int *cnt, unsigned int *inpr)
39041 {
39042- unsigned int comb = atomic_read(&combined_event_count);
39043+ unsigned int comb = atomic_read_unchecked(&combined_event_count);
39044
39045 *cnt = (comb >> IN_PROGRESS_BITS);
39046 *inpr = comb & MAX_IN_PROGRESS;
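Review bot: The switch of `combined_event_count` to `atomic_unchecked_t` has no comment saying why overflow detection is turned off for this variable. From `split_counters()` the value packs two counters, and the later hunk in wakeup_source_deactivate adds `MAX_IN_PROGRESS` to bump one half while decrementing the other, so wrap-around looks like an expected part of the arithmetic rather than a reference-count bug. A line such as `/* unchecked: two packed event counters, not a refcount; carry between the halves is intended */` above the declaration would record that. The hunks in wakeup_source_activate and wakeup_source_deactivate depend on the same reasoning.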
39047@@ -537,7 +537,7 @@ static void wakeup_source_activate(struct wakeup_source *ws)
39048 ws->start_prevent_time = ws->last_time;
39049
39050 /* Increment the counter of events in progress. */
39051- cec = atomic_inc_return(&combined_event_count);
39052+ cec = atomic_inc_return_unchecked(&combined_event_count);
39053
39054 trace_wakeup_source_activate(ws->name, cec);
39055 }
39056@@ -663,7 +663,7 @@ static void wakeup_source_deactivate(struct wakeup_source *ws)
39057 * Increment the counter of registered wakeup events and decrement the
39058 * couter of wakeup events in progress simultaneously.
39059 */
39060- cec = atomic_add_return(MAX_IN_PROGRESS, &combined_event_count);
39061+ cec = atomic_add_return_unchecked(MAX_IN_PROGRESS, &combined_event_count);
39062 trace_wakeup_source_deactivate(ws->name, cec);
39063
39064 split_counters(&cnt, &inpr);
39065diff --git a/drivers/base/regmap/regmap-debugfs.c b/drivers/base/regmap/regmap-debugfs.c
39066index c8941f3..f7c7a7e 100644
39067--- a/drivers/base/regmap/regmap-debugfs.c
39068+++ b/drivers/base/regmap/regmap-debugfs.c
39069@@ -30,7 +30,7 @@ static LIST_HEAD(regmap_debugfs_early_list);
39070 static DEFINE_MUTEX(regmap_debugfs_early_lock);
39071
39072 /* Calculate the length of a fixed format */
39073-static size_t regmap_calc_reg_len(int max_val, char *buf, size_t buf_size)
39074+static size_t regmap_calc_reg_len(int max_val)
39075 {
39076 return snprintf(NULL, 0, "%x", max_val);
39077 }
39078@@ -173,8 +173,7 @@ static inline void regmap_calc_tot_len(struct regmap *map,
39079 {
39080 /* Calculate the length of a fixed format */
39081 if (!map->debugfs_tot_len) {
39082- map->debugfs_reg_len = regmap_calc_reg_len(map->max_register,
39083- buf, count);
39084+ map->debugfs_reg_len = regmap_calc_reg_len(map->max_register);
39085 map->debugfs_val_len = 2 * map->format.val_bytes;
39086 map->debugfs_tot_len = map->debugfs_reg_len +
39087 map->debugfs_val_len + 3; /* : \n */
39088@@ -404,7 +403,7 @@ static ssize_t regmap_access_read_file(struct file *file,
39089 char __user *user_buf, size_t count,
39090 loff_t *ppos)
39091 {
39092- int reg_len, tot_len;
39093+ size_t reg_len, tot_len;
39094 size_t buf_pos = 0;
39095 loff_t p = 0;
39096 ssize_t ret;
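Review bot: Changing `reg_len` and `tot_len` to `size_t` in regmap_access_read_file needs a check of every later use as a printf argument. If `reg_len` is passed as a `*` width or precision to `snprintf()` further down (not visible in this hunk), it needs an `(int)` cast, because `*` consumes an `int` and a `size_t` there is a type mismatch on 64-bit builds. `regmap_calc_reg_len()` also returns the `int` result of `snprintf()` as `size_t`, so a negative return would become a very large length, although with a fixed `"%x"` format that should not occur in practice.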
39097@@ -420,7 +419,7 @@ static ssize_t regmap_access_read_file(struct file *file,
39098 return -ENOMEM;
39099
39100 /* Calculate the length of a fixed format */
39101- reg_len = regmap_calc_reg_len(map->max_register, buf, count);
39102+ reg_len = regmap_calc_reg_len(map->max_register);
39103 tot_len = reg_len + 10; /* ': R W V P\n' */
39104
39105 for (i = 0; i <= map->max_register; i += map->reg_stride) {
39106diff --git a/drivers/base/syscore.c b/drivers/base/syscore.c
39107index 8d98a32..61d3165 100644
39108--- a/drivers/base/syscore.c
39109+++ b/drivers/base/syscore.c
39110@@ -22,7 +22,7 @@ static DEFINE_MUTEX(syscore_ops_lock);
39111 void register_syscore_ops(struct syscore_ops *ops)
39112 {
39113 mutex_lock(&syscore_ops_lock);
39114- list_add_tail(&ops->node, &syscore_ops_list);
39115+ pax_list_add_tail((struct list_head *)&ops->node, &syscore_ops_list);
39116 mutex_unlock(&syscore_ops_lock);
39117 }
39118 EXPORT_SYMBOL_GPL(register_syscore_ops);
39119@@ -34,7 +34,7 @@ EXPORT_SYMBOL_GPL(register_syscore_ops);
39120 void unregister_syscore_ops(struct syscore_ops *ops)
39121 {
39122 mutex_lock(&syscore_ops_lock);
39123- list_del(&ops->node);
39124+ pax_list_del((struct list_head *)&ops->node);
39125 mutex_unlock(&syscore_ops_lock);
39126 }
39127 EXPORT_SYMBOL_GPL(unregister_syscore_ops);
39128diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c
39129index 0422c47..b222c7a 100644
39130--- a/drivers/block/cciss.c
39131+++ b/drivers/block/cciss.c
39132@@ -3024,7 +3024,7 @@ static void start_io(ctlr_info_t *h)
39133 while (!list_empty(&h->reqQ)) {
39134 c = list_entry(h->reqQ.next, CommandList_struct, list);
39135 /* can't do anything if fifo is full */
39136- if ((h->access.fifo_full(h))) {
39137+ if ((h->access->fifo_full(h))) {
39138 dev_warn(&h->pdev->dev, "fifo full\n");
39139 break;
39140 }
39141@@ -3034,7 +3034,7 @@ static void start_io(ctlr_info_t *h)
39142 h->Qdepth--;
39143
39144 /* Tell the controller execute command */
39145- h->access.submit_command(h, c);
39146+ h->access->submit_command(h, c);
39147
39148 /* Put job onto the completed Q */
39149 addQ(&h->cmpQ, c);
39150@@ -3460,17 +3460,17 @@ startio:
39151
39152 static inline unsigned long get_next_completion(ctlr_info_t *h)
39153 {
39154- return h->access.command_completed(h);
39155+ return h->access->command_completed(h);
39156 }
39157
39158 static inline int interrupt_pending(ctlr_info_t *h)
39159 {
39160- return h->access.intr_pending(h);
39161+ return h->access->intr_pending(h);
39162 }
39163
39164 static inline long interrupt_not_for_us(ctlr_info_t *h)
39165 {
39166- return ((h->access.intr_pending(h) == 0) ||
39167+ return ((h->access->intr_pending(h) == 0) ||
39168 (h->interrupts_enabled == 0));
39169 }
39170
39171@@ -3503,7 +3503,7 @@ static inline u32 next_command(ctlr_info_t *h)
39172 u32 a;
39173
39174 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
39175- return h->access.command_completed(h);
39176+ return h->access->command_completed(h);
39177
39178 if ((*(h->reply_pool_head) & 1) == (h->reply_pool_wraparound)) {
39179 a = *(h->reply_pool_head); /* Next cmd in ring buffer */
39180@@ -4060,7 +4060,7 @@ static void cciss_put_controller_into_performant_mode(ctlr_info_t *h)
39181 trans_support & CFGTBL_Trans_use_short_tags);
39182
39183 /* Change the access methods to the performant access methods */
39184- h->access = SA5_performant_access;
39185+ h->access = &SA5_performant_access;
39186 h->transMethod = CFGTBL_Trans_Performant;
39187
39188 return;
39189@@ -4334,7 +4334,7 @@ static int cciss_pci_init(ctlr_info_t *h)
39190 if (prod_index < 0)
39191 return -ENODEV;
39192 h->product_name = products[prod_index].product_name;
39193- h->access = *(products[prod_index].access);
39194+ h->access = products[prod_index].access;
39195
39196 if (cciss_board_disabled(h)) {
39197 dev_warn(&h->pdev->dev, "controller appears to be disabled\n");
39198@@ -5065,7 +5065,7 @@ reinit_after_soft_reset:
39199 }
39200
39201 /* make sure the board interrupts are off */
39202- h->access.set_intr_mask(h, CCISS_INTR_OFF);
39203+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
39204 rc = cciss_request_irq(h, do_cciss_msix_intr, do_cciss_intx);
39205 if (rc)
39206 goto clean2;
39207@@ -5115,7 +5115,7 @@ reinit_after_soft_reset:
39208 * fake ones to scoop up any residual completions.
39209 */
39210 spin_lock_irqsave(&h->lock, flags);
39211- h->access.set_intr_mask(h, CCISS_INTR_OFF);
39212+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
39213 spin_unlock_irqrestore(&h->lock, flags);
39214 free_irq(h->intr[h->intr_mode], h);
39215 rc = cciss_request_irq(h, cciss_msix_discard_completions,
39216@@ -5135,9 +5135,9 @@ reinit_after_soft_reset:
39217 dev_info(&h->pdev->dev, "Board READY.\n");
39218 dev_info(&h->pdev->dev,
39219 "Waiting for stale completions to drain.\n");
39220- h->access.set_intr_mask(h, CCISS_INTR_ON);
39221+ h->access->set_intr_mask(h, CCISS_INTR_ON);
39222 msleep(10000);
39223- h->access.set_intr_mask(h, CCISS_INTR_OFF);
39224+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
39225
39226 rc = controller_reset_failed(h->cfgtable);
39227 if (rc)
39228@@ -5160,7 +5160,7 @@ reinit_after_soft_reset:
39229 cciss_scsi_setup(h);
39230
39231 /* Turn the interrupts on so we can service requests */
39232- h->access.set_intr_mask(h, CCISS_INTR_ON);
39233+ h->access->set_intr_mask(h, CCISS_INTR_ON);
39234
39235 /* Get the firmware version */
39236 inq_buff = kzalloc(sizeof(InquiryData_struct), GFP_KERNEL);
39237@@ -5232,7 +5232,7 @@ static void cciss_shutdown(struct pci_dev *pdev)
39238 kfree(flush_buf);
39239 if (return_code != IO_OK)
39240 dev_warn(&h->pdev->dev, "Error flushing cache\n");
39241- h->access.set_intr_mask(h, CCISS_INTR_OFF);
39242+ h->access->set_intr_mask(h, CCISS_INTR_OFF);
39243 free_irq(h->intr[h->intr_mode], h);
39244 }
39245
39246diff --git a/drivers/block/cciss.h b/drivers/block/cciss.h
39247index 7fda30e..2f27946 100644
39248--- a/drivers/block/cciss.h
39249+++ b/drivers/block/cciss.h
39250@@ -101,7 +101,7 @@ struct ctlr_info
39251 /* information about each logical volume */
39252 drive_info_struct *drv[CISS_MAX_LUN];
39253
39254- struct access_method access;
39255+ struct access_method *access;
39256
39257 /* queue and queue Info */
39258 struct list_head reqQ;
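Review bot: The new `access` member of struct ctlr_info is a plain `struct access_method *`, so nothing in the type prevents a later store through it into what is now presumably a method table shared by every controller of that board type. I would declare it `const struct access_method *access;` and make SA5_access, SA5B_access and SA5_performant_access in the next hunk `static const struct access_method`, so the tables are placed in read-only data by the language itself rather than by build-time tooling. The same applies to the identical member in drivers/block/cpqarray.h and to the smart*_access tables in smart1,2.h. The board tables that hand out these pointers are outside the visible hunks and would need the matching qualifier; struct ctlr_info itself continues outside this hunk.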
39259@@ -402,27 +402,27 @@ static bool SA5_performant_intr_pending(ctlr_info_t *h)
39260 }
39261
39262 static struct access_method SA5_access = {
39263- SA5_submit_command,
39264- SA5_intr_mask,
39265- SA5_fifo_full,
39266- SA5_intr_pending,
39267- SA5_completed,
39268+ .submit_command = SA5_submit_command,
39269+ .set_intr_mask = SA5_intr_mask,
39270+ .fifo_full = SA5_fifo_full,
39271+ .intr_pending = SA5_intr_pending,
39272+ .command_completed = SA5_completed,
39273 };
39274
39275 static struct access_method SA5B_access = {
39276- SA5_submit_command,
39277- SA5B_intr_mask,
39278- SA5_fifo_full,
39279- SA5B_intr_pending,
39280- SA5_completed,
39281+ .submit_command = SA5_submit_command,
39282+ .set_intr_mask = SA5B_intr_mask,
39283+ .fifo_full = SA5_fifo_full,
39284+ .intr_pending = SA5B_intr_pending,
39285+ .command_completed = SA5_completed,
39286 };
39287
39288 static struct access_method SA5_performant_access = {
39289- SA5_submit_command,
39290- SA5_performant_intr_mask,
39291- SA5_fifo_full,
39292- SA5_performant_intr_pending,
39293- SA5_performant_completed,
39294+ .submit_command = SA5_submit_command,
39295+ .set_intr_mask = SA5_performant_intr_mask,
39296+ .fifo_full = SA5_fifo_full,
39297+ .intr_pending = SA5_performant_intr_pending,
39298+ .command_completed = SA5_performant_completed,
39299 };
39300
39301 struct board_type {
39302diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c
39303index f749df9..5f8b9c4 100644
39304--- a/drivers/block/cpqarray.c
39305+++ b/drivers/block/cpqarray.c
39306@@ -404,7 +404,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev)
39307 if (register_blkdev(COMPAQ_SMART2_MAJOR+i, hba[i]->devname)) {
39308 goto Enomem4;
39309 }
39310- hba[i]->access.set_intr_mask(hba[i], 0);
39311+ hba[i]->access->set_intr_mask(hba[i], 0);
39312 if (request_irq(hba[i]->intr, do_ida_intr, IRQF_SHARED,
39313 hba[i]->devname, hba[i]))
39314 {
39315@@ -459,7 +459,7 @@ static int cpqarray_register_ctlr(int i, struct pci_dev *pdev)
39316 add_timer(&hba[i]->timer);
39317
39318 /* Enable IRQ now that spinlock and rate limit timer are set up */
39319- hba[i]->access.set_intr_mask(hba[i], FIFO_NOT_EMPTY);
39320+ hba[i]->access->set_intr_mask(hba[i], FIFO_NOT_EMPTY);
39321
39322 for(j=0; j<NWD; j++) {
39323 struct gendisk *disk = ida_gendisk[i][j];
39324@@ -694,7 +694,7 @@ DBGINFO(
39325 for(i=0; i<NR_PRODUCTS; i++) {
39326 if (board_id == products[i].board_id) {
39327 c->product_name = products[i].product_name;
39328- c->access = *(products[i].access);
39329+ c->access = products[i].access;
39330 break;
39331 }
39332 }
39333@@ -792,7 +792,7 @@ static int cpqarray_eisa_detect(void)
39334 hba[ctlr]->intr = intr;
39335 sprintf(hba[ctlr]->devname, "ida%d", nr_ctlr);
39336 hba[ctlr]->product_name = products[j].product_name;
39337- hba[ctlr]->access = *(products[j].access);
39338+ hba[ctlr]->access = products[j].access;
39339 hba[ctlr]->ctlr = ctlr;
39340 hba[ctlr]->board_id = board_id;
39341 hba[ctlr]->pci_dev = NULL; /* not PCI */
39342@@ -978,7 +978,7 @@ static void start_io(ctlr_info_t *h)
39343
39344 while((c = h->reqQ) != NULL) {
39345 /* Can't do anything if we're busy */
39346- if (h->access.fifo_full(h) == 0)
39347+ if (h->access->fifo_full(h) == 0)
39348 return;
39349
39350 /* Get the first entry from the request Q */
39351@@ -986,7 +986,7 @@ static void start_io(ctlr_info_t *h)
39352 h->Qdepth--;
39353
39354 /* Tell the controller to do our bidding */
39355- h->access.submit_command(h, c);
39356+ h->access->submit_command(h, c);
39357
39358 /* Get onto the completion Q */
39359 addQ(&h->cmpQ, c);
39360@@ -1048,7 +1048,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id)
39361 unsigned long flags;
39362 __u32 a,a1;
39363
39364- istat = h->access.intr_pending(h);
39365+ istat = h->access->intr_pending(h);
39366 /* Is this interrupt for us? */
39367 if (istat == 0)
39368 return IRQ_NONE;
39369@@ -1059,7 +1059,7 @@ static irqreturn_t do_ida_intr(int irq, void *dev_id)
39370 */
39371 spin_lock_irqsave(IDA_LOCK(h->ctlr), flags);
39372 if (istat & FIFO_NOT_EMPTY) {
39373- while((a = h->access.command_completed(h))) {
39374+ while((a = h->access->command_completed(h))) {
39375 a1 = a; a &= ~3;
39376 if ((c = h->cmpQ) == NULL)
39377 {
39378@@ -1448,11 +1448,11 @@ static int sendcmd(
39379 /*
39380 * Disable interrupt
39381 */
39382- info_p->access.set_intr_mask(info_p, 0);
39383+ info_p->access->set_intr_mask(info_p, 0);
39384 /* Make sure there is room in the command FIFO */
39385 /* Actually it should be completely empty at this time. */
39386 for (i = 200000; i > 0; i--) {
39387- temp = info_p->access.fifo_full(info_p);
39388+ temp = info_p->access->fifo_full(info_p);
39389 if (temp != 0) {
39390 break;
39391 }
39392@@ -1465,7 +1465,7 @@ DBG(
39393 /*
39394 * Send the cmd
39395 */
39396- info_p->access.submit_command(info_p, c);
39397+ info_p->access->submit_command(info_p, c);
39398 complete = pollcomplete(ctlr);
39399
39400 pci_unmap_single(info_p->pci_dev, (dma_addr_t) c->req.sg[0].addr,
39401@@ -1548,9 +1548,9 @@ static int revalidate_allvol(ctlr_info_t *host)
39402 * we check the new geometry. Then turn interrupts back on when
39403 * we're done.
39404 */
39405- host->access.set_intr_mask(host, 0);
39406+ host->access->set_intr_mask(host, 0);
39407 getgeometry(ctlr);
39408- host->access.set_intr_mask(host, FIFO_NOT_EMPTY);
39409+ host->access->set_intr_mask(host, FIFO_NOT_EMPTY);
39410
39411 for(i=0; i<NWD; i++) {
39412 struct gendisk *disk = ida_gendisk[ctlr][i];
39413@@ -1590,7 +1590,7 @@ static int pollcomplete(int ctlr)
39414 /* Wait (up to 2 seconds) for a command to complete */
39415
39416 for (i = 200000; i > 0; i--) {
39417- done = hba[ctlr]->access.command_completed(hba[ctlr]);
39418+ done = hba[ctlr]->access->command_completed(hba[ctlr]);
39419 if (done == 0) {
39420 udelay(10); /* a short fixed delay */
39421 } else
39422diff --git a/drivers/block/cpqarray.h b/drivers/block/cpqarray.h
39423index be73e9d..7fbf140 100644
39424--- a/drivers/block/cpqarray.h
39425+++ b/drivers/block/cpqarray.h
39426@@ -99,7 +99,7 @@ struct ctlr_info {
39427 drv_info_t drv[NWD];
39428 struct proc_dir_entry *proc;
39429
39430- struct access_method access;
39431+ struct access_method *access;
39432
39433 cmdlist_t *reqQ;
39434 cmdlist_t *cmpQ;
39435diff --git a/drivers/block/drbd/drbd_bitmap.c b/drivers/block/drbd/drbd_bitmap.c
39436index 434c77d..6d3219a 100644
39437--- a/drivers/block/drbd/drbd_bitmap.c
39438+++ b/drivers/block/drbd/drbd_bitmap.c
39439@@ -1036,7 +1036,7 @@ static void bm_page_io_async(struct drbd_bm_aio_ctx *ctx, int page_nr) __must_ho
39440 submit_bio(rw, bio);
39441 /* this should not count as user activity and cause the
39442 * resync to throttle -- see drbd_rs_should_slow_down(). */
39443- atomic_add(len >> 9, &device->rs_sect_ev);
39444+ atomic_add_unchecked(len >> 9, &device->rs_sect_ev);
39445 }
39446 }
39447
39448diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h
39449index efd19c2..6ccfa94 100644
39450--- a/drivers/block/drbd/drbd_int.h
39451+++ b/drivers/block/drbd/drbd_int.h
39452@@ -386,7 +386,7 @@ struct drbd_epoch {
39453 struct drbd_connection *connection;
39454 struct list_head list;
39455 unsigned int barrier_nr;
39456- atomic_t epoch_size; /* increased on every request added. */
39457+ atomic_unchecked_t epoch_size; /* increased on every request added. */
39458 atomic_t active; /* increased on every req. added, and dec on every finished. */
39459 unsigned long flags;
39460 };
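Review bot: `epoch_size` is exempted from overflow checking here, but its comment still only says "increased on every request added", so a reader cannot tell why wrapping is acceptable for it while `active` on the next line stays a checked `atomic_t`. I would extend the comment, for example `/* request count for this epoch; read as a count and tested against zero, not an object reference count */`, after confirming that against drbd_may_finish_epoch(), whose use of the value lies outside the visible hunks. The same justification is missing for `packet_seq`, `rs_sect_in` and `rs_sect_ev` in the two struct drbd_device hunks that follow; a short note that they are a wire sequence number and resync-rate statistics would do. struct drbd_epoch starts outside this hunk.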
39461@@ -947,7 +947,7 @@ struct drbd_device {
39462 unsigned int al_tr_number;
39463 int al_tr_cycle;
39464 wait_queue_head_t seq_wait;
39465- atomic_t packet_seq;
39466+ atomic_unchecked_t packet_seq;
39467 unsigned int peer_seq;
39468 spinlock_t peer_seq_lock;
39469 unsigned long comm_bm_set; /* communicated number of set bits. */
39470@@ -956,8 +956,8 @@ struct drbd_device {
39471 struct mutex own_state_mutex;
39472 struct mutex *state_mutex; /* either own_state_mutex or first_peer_device(device)->connection->cstate_mutex */
39473 char congestion_reason; /* Why we where congested... */
39474- atomic_t rs_sect_in; /* for incoming resync data rate, SyncTarget */
39475- atomic_t rs_sect_ev; /* for submitted resync data rate, both */
39476+ atomic_unchecked_t rs_sect_in; /* for incoming resync data rate, SyncTarget */
39477+ atomic_unchecked_t rs_sect_ev; /* for submitted resync data rate, both */
39478 int rs_last_sect_ev; /* counter to compare with */
39479 int rs_last_events; /* counter of read or write "events" (unit sectors)
39480 * on the lower level device when we last looked. */
39481diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
39482index a151853..b9b5baa 100644
39483--- a/drivers/block/drbd/drbd_main.c
39484+++ b/drivers/block/drbd/drbd_main.c
39485@@ -1328,7 +1328,7 @@ static int _drbd_send_ack(struct drbd_peer_device *peer_device, enum drbd_packet
39486 p->sector = sector;
39487 p->block_id = block_id;
39488 p->blksize = blksize;
39489- p->seq_num = cpu_to_be32(atomic_inc_return(&peer_device->device->packet_seq));
39490+ p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&peer_device->device->packet_seq));
39491 return drbd_send_command(peer_device, sock, cmd, sizeof(*p), NULL, 0);
39492 }
39493
39494@@ -1634,7 +1634,7 @@ int drbd_send_dblock(struct drbd_peer_device *peer_device, struct drbd_request *
39495 return -EIO;
39496 p->sector = cpu_to_be64(req->i.sector);
39497 p->block_id = (unsigned long)req;
39498- p->seq_num = cpu_to_be32(atomic_inc_return(&device->packet_seq));
39499+ p->seq_num = cpu_to_be32(atomic_inc_return_unchecked(&device->packet_seq));
39500 dp_flags = bio_flags_to_wire(peer_device->connection, req->master_bio->bi_rw);
39501 if (device->state.conn >= C_SYNC_SOURCE &&
39502 device->state.conn <= C_PAUSED_SYNC_T)
39503@@ -1915,8 +1915,8 @@ void drbd_init_set_defaults(struct drbd_device *device)
39504 atomic_set(&device->unacked_cnt, 0);
39505 atomic_set(&device->local_cnt, 0);
39506 atomic_set(&device->pp_in_use_by_net, 0);
39507- atomic_set(&device->rs_sect_in, 0);
39508- atomic_set(&device->rs_sect_ev, 0);
39509+ atomic_set_unchecked(&device->rs_sect_in, 0);
39510+ atomic_set_unchecked(&device->rs_sect_ev, 0);
39511 atomic_set(&device->ap_in_flight, 0);
39512 atomic_set(&device->md_io.in_use, 0);
39513
39514@@ -2683,8 +2683,8 @@ void drbd_destroy_connection(struct kref *kref)
39515 struct drbd_connection *connection = container_of(kref, struct drbd_connection, kref);
39516 struct drbd_resource *resource = connection->resource;
39517
39518- if (atomic_read(&connection->current_epoch->epoch_size) != 0)
39519- drbd_err(connection, "epoch_size:%d\n", atomic_read(&connection->current_epoch->epoch_size));
39520+ if (atomic_read_unchecked(&connection->current_epoch->epoch_size) != 0)
39521+ drbd_err(connection, "epoch_size:%d\n", atomic_read_unchecked(&connection->current_epoch->epoch_size));
39522 kfree(connection->current_epoch);
39523
39524 idr_destroy(&connection->peer_devices);
39525diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
39526index 74df8cf..e41fc24 100644
39527--- a/drivers/block/drbd/drbd_nl.c
39528+++ b/drivers/block/drbd/drbd_nl.c
39529@@ -3637,13 +3637,13 @@ finish:
39530
39531 void drbd_bcast_event(struct drbd_device *device, const struct sib_info *sib)
39532 {
39533- static atomic_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */
39534+ static atomic_unchecked_t drbd_genl_seq = ATOMIC_INIT(2); /* two. */
39535 struct sk_buff *msg;
39536 struct drbd_genlmsghdr *d_out;
39537 unsigned seq;
39538 int err = -ENOMEM;
39539
39540- seq = atomic_inc_return(&drbd_genl_seq);
39541+ seq = atomic_inc_return_unchecked(&drbd_genl_seq);
39542 msg = genlmsg_new(NLMSG_GOODSIZE, GFP_NOIO);
39543 if (!msg)
39544 goto failed;
39545diff --git a/drivers/block/drbd/drbd_receiver.c b/drivers/block/drbd/drbd_receiver.c
39546index c097909..13688e1 100644
39547--- a/drivers/block/drbd/drbd_receiver.c
39548+++ b/drivers/block/drbd/drbd_receiver.c
39549@@ -870,7 +870,7 @@ int drbd_connected(struct drbd_peer_device *peer_device)
39550 struct drbd_device *device = peer_device->device;
39551 int err;
39552
39553- atomic_set(&device->packet_seq, 0);
39554+ atomic_set_unchecked(&device->packet_seq, 0);
39555 device->peer_seq = 0;
39556
39557 device->state_mutex = peer_device->connection->agreed_pro_version < 100 ?
39558@@ -1233,7 +1233,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_connection *connectio
39559 do {
39560 next_epoch = NULL;
39561
39562- epoch_size = atomic_read(&epoch->epoch_size);
39563+ epoch_size = atomic_read_unchecked(&epoch->epoch_size);
39564
39565 switch (ev & ~EV_CLEANUP) {
39566 case EV_PUT:
39567@@ -1273,7 +1273,7 @@ static enum finish_epoch drbd_may_finish_epoch(struct drbd_connection *connectio
39568 rv = FE_DESTROYED;
39569 } else {
39570 epoch->flags = 0;
39571- atomic_set(&epoch->epoch_size, 0);
39572+ atomic_set_unchecked(&epoch->epoch_size, 0);
39573 /* atomic_set(&epoch->active, 0); is already zero */
39574 if (rv == FE_STILL_LIVE)
39575 rv = FE_RECYCLED;
39576@@ -1550,7 +1550,7 @@ static int receive_Barrier(struct drbd_connection *connection, struct packet_inf
39577 conn_wait_active_ee_empty(connection);
39578 drbd_flush(connection);
39579
39580- if (atomic_read(&connection->current_epoch->epoch_size)) {
39581+ if (atomic_read_unchecked(&connection->current_epoch->epoch_size)) {
39582 epoch = kmalloc(sizeof(struct drbd_epoch), GFP_NOIO);
39583 if (epoch)
39584 break;
39585@@ -1564,11 +1564,11 @@ static int receive_Barrier(struct drbd_connection *connection, struct packet_inf
39586 }
39587
39588 epoch->flags = 0;
39589- atomic_set(&epoch->epoch_size, 0);
39590+ atomic_set_unchecked(&epoch->epoch_size, 0);
39591 atomic_set(&epoch->active, 0);
39592
39593 spin_lock(&connection->epoch_lock);
39594- if (atomic_read(&connection->current_epoch->epoch_size)) {
39595+ if (atomic_read_unchecked(&connection->current_epoch->epoch_size)) {
39596 list_add(&epoch->list, &connection->current_epoch->list);
39597 connection->current_epoch = epoch;
39598 connection->epochs++;
39599@@ -1802,7 +1802,7 @@ static int recv_resync_read(struct drbd_peer_device *peer_device, sector_t secto
39600 list_add_tail(&peer_req->w.list, &device->sync_ee);
39601 spin_unlock_irq(&device->resource->req_lock);
39602
39603- atomic_add(pi->size >> 9, &device->rs_sect_ev);
39604+ atomic_add_unchecked(pi->size >> 9, &device->rs_sect_ev);
39605 if (drbd_submit_peer_request(device, peer_req, WRITE, DRBD_FAULT_RS_WR) == 0)
39606 return 0;
39607
39608@@ -1900,7 +1900,7 @@ static int receive_RSDataReply(struct drbd_connection *connection, struct packet
39609 drbd_send_ack_dp(peer_device, P_NEG_ACK, p, pi->size);
39610 }
39611
39612- atomic_add(pi->size >> 9, &device->rs_sect_in);
39613+ atomic_add_unchecked(pi->size >> 9, &device->rs_sect_in);
39614
39615 return err;
39616 }
39617@@ -2290,7 +2290,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info *
39618
39619 err = wait_for_and_update_peer_seq(peer_device, peer_seq);
39620 drbd_send_ack_dp(peer_device, P_NEG_ACK, p, pi->size);
39621- atomic_inc(&connection->current_epoch->epoch_size);
39622+ atomic_inc_unchecked(&connection->current_epoch->epoch_size);
39623 err2 = drbd_drain_block(peer_device, pi->size);
39624 if (!err)
39625 err = err2;
39626@@ -2334,7 +2334,7 @@ static int receive_Data(struct drbd_connection *connection, struct packet_info *
39627
39628 spin_lock(&connection->epoch_lock);
39629 peer_req->epoch = connection->current_epoch;
39630- atomic_inc(&peer_req->epoch->epoch_size);
39631+ atomic_inc_unchecked(&peer_req->epoch->epoch_size);
39632 atomic_inc(&peer_req->epoch->active);
39633 spin_unlock(&connection->epoch_lock);
39634
39635@@ -2479,7 +2479,7 @@ bool drbd_rs_c_min_rate_throttle(struct drbd_device *device)
39636
39637 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
39638 (int)part_stat_read(&disk->part0, sectors[1]) -
39639- atomic_read(&device->rs_sect_ev);
39640+ atomic_read_unchecked(&device->rs_sect_ev);
39641
39642 if (atomic_read(&device->ap_actlog_cnt)
39643 || curr_events - device->rs_last_events > 64) {
39644@@ -2618,7 +2618,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet
39645 device->use_csums = true;
39646 } else if (pi->cmd == P_OV_REPLY) {
39647 /* track progress, we may need to throttle */
39648- atomic_add(size >> 9, &device->rs_sect_in);
39649+ atomic_add_unchecked(size >> 9, &device->rs_sect_in);
39650 peer_req->w.cb = w_e_end_ov_reply;
39651 dec_rs_pending(device);
39652 /* drbd_rs_begin_io done when we sent this request,
39653@@ -2691,7 +2691,7 @@ static int receive_DataRequest(struct drbd_connection *connection, struct packet
39654 goto out_free_e;
39655
39656 submit_for_resync:
39657- atomic_add(size >> 9, &device->rs_sect_ev);
39658+ atomic_add_unchecked(size >> 9, &device->rs_sect_ev);
39659
39660 submit:
39661 update_receiver_timing_details(connection, drbd_submit_peer_request);
39662@@ -4564,7 +4564,7 @@ struct data_cmd {
39663 int expect_payload;
39664 size_t pkt_size;
39665 int (*fn)(struct drbd_connection *, struct packet_info *);
39666-};
39667+} __do_const;
39668
39669 static struct data_cmd drbd_cmd_handler[] = {
39670 [P_DATA] = { 1, sizeof(struct p_data), receive_Data },
39671@@ -4678,7 +4678,7 @@ static void conn_disconnect(struct drbd_connection *connection)
39672 if (!list_empty(&connection->current_epoch->list))
39673 drbd_err(connection, "ASSERTION FAILED: connection->current_epoch->list not empty\n");
39674 /* ok, no more ee's on the fly, it is safe to reset the epoch_size */
39675- atomic_set(&connection->current_epoch->epoch_size, 0);
39676+ atomic_set_unchecked(&connection->current_epoch->epoch_size, 0);
39677 connection->send.seen_any_write_yet = false;
39678
39679 drbd_info(connection, "Connection closed\n");
39680@@ -5182,7 +5182,7 @@ static int got_IsInSync(struct drbd_connection *connection, struct packet_info *
39681 put_ldev(device);
39682 }
39683 dec_rs_pending(device);
39684- atomic_add(blksize >> 9, &device->rs_sect_in);
39685+ atomic_add_unchecked(blksize >> 9, &device->rs_sect_in);
39686
39687 return 0;
39688 }
39689@@ -5470,7 +5470,7 @@ static int connection_finish_peer_reqs(struct drbd_connection *connection)
39690 struct asender_cmd {
39691 size_t pkt_size;
39692 int (*fn)(struct drbd_connection *connection, struct packet_info *);
39693-};
39694+} __do_const;
39695
39696 static struct asender_cmd asender_tbl[] = {
39697 [P_PING] = { 0, got_Ping },
39698diff --git a/drivers/block/drbd/drbd_worker.c b/drivers/block/drbd/drbd_worker.c
39699index d0fae55..4469096 100644
39700--- a/drivers/block/drbd/drbd_worker.c
39701+++ b/drivers/block/drbd/drbd_worker.c
39702@@ -408,7 +408,7 @@ static int read_for_csum(struct drbd_peer_device *peer_device, sector_t sector,
39703 list_add_tail(&peer_req->w.list, &device->read_ee);
39704 spin_unlock_irq(&device->resource->req_lock);
39705
39706- atomic_add(size >> 9, &device->rs_sect_ev);
39707+ atomic_add_unchecked(size >> 9, &device->rs_sect_ev);
39708 if (drbd_submit_peer_request(device, peer_req, READ, DRBD_FAULT_RS_RD) == 0)
39709 return 0;
39710
39711@@ -553,7 +553,7 @@ static int drbd_rs_number_requests(struct drbd_device *device)
39712 unsigned int sect_in; /* Number of sectors that came in since the last turn */
39713 int number, mxb;
39714
39715- sect_in = atomic_xchg(&device->rs_sect_in, 0);
39716+ sect_in = atomic_xchg_unchecked(&device->rs_sect_in, 0);
39717 device->rs_in_flight -= sect_in;
39718
39719 rcu_read_lock();
39720@@ -1595,8 +1595,8 @@ void drbd_rs_controller_reset(struct drbd_device *device)
39721 struct gendisk *disk = device->ldev->backing_bdev->bd_contains->bd_disk;
39722 struct fifo_buffer *plan;
39723
39724- atomic_set(&device->rs_sect_in, 0);
39725- atomic_set(&device->rs_sect_ev, 0);
39726+ atomic_set_unchecked(&device->rs_sect_in, 0);
39727+ atomic_set_unchecked(&device->rs_sect_ev, 0);
39728 device->rs_in_flight = 0;
39729 device->rs_last_events =
39730 (int)part_stat_read(&disk->part0, sectors[0]) +
39731diff --git a/drivers/block/pktcdvd.c b/drivers/block/pktcdvd.c
39732index 4c20c22..caef1eb 100644
39733--- a/drivers/block/pktcdvd.c
39734+++ b/drivers/block/pktcdvd.c
39735@@ -109,7 +109,7 @@ static int pkt_seq_show(struct seq_file *m, void *p);
39736
39737 static sector_t get_zone(sector_t sector, struct pktcdvd_device *pd)
39738 {
39739- return (sector + pd->offset) & ~(sector_t)(pd->settings.size - 1);
39740+ return (sector + pd->offset) & ~(sector_t)(pd->settings.size - 1UL);
39741 }
39742
39743 /*
39744@@ -1891,7 +1891,7 @@ static noinline_for_stack int pkt_probe_settings(struct pktcdvd_device *pd)
39745 return -EROFS;
39746 }
39747 pd->settings.fp = ti.fp;
39748- pd->offset = (be32_to_cpu(ti.track_start) << 2) & (pd->settings.size - 1);
39749+ pd->offset = (be32_to_cpu(ti.track_start) << 2) & (pd->settings.size - 1UL);
39750
39751 if (ti.nwa_v) {
39752 pd->nwa = be32_to_cpu(ti.next_writable);
39753diff --git a/drivers/block/rbd.c b/drivers/block/rbd.c
39754index 324bf35..02b54e6 100644
39755--- a/drivers/block/rbd.c
39756+++ b/drivers/block/rbd.c
39757@@ -64,7 +64,7 @@
39758 * If the counter is already at its maximum value returns
39759 * -EINVAL without updating it.
39760 */
39761-static int atomic_inc_return_safe(atomic_t *v)
39762+static int __intentional_overflow(-1) atomic_inc_return_safe(atomic_t *v)
39763 {
39764 unsigned int counter;
39765
39766diff --git a/drivers/block/smart1,2.h b/drivers/block/smart1,2.h
39767index e5565fb..71be10b4 100644
39768--- a/drivers/block/smart1,2.h
39769+++ b/drivers/block/smart1,2.h
39770@@ -108,11 +108,11 @@ static unsigned long smart4_intr_pending(ctlr_info_t *h)
39771 }
39772
39773 static struct access_method smart4_access = {
39774- smart4_submit_command,
39775- smart4_intr_mask,
39776- smart4_fifo_full,
39777- smart4_intr_pending,
39778- smart4_completed,
39779+ .submit_command = smart4_submit_command,
39780+ .set_intr_mask = smart4_intr_mask,
39781+ .fifo_full = smart4_fifo_full,
39782+ .intr_pending = smart4_intr_pending,
39783+ .command_completed = smart4_completed,
39784 };
39785
39786 /*
39787@@ -144,11 +144,11 @@ static unsigned long smart2_intr_pending(ctlr_info_t *h)
39788 }
39789
39790 static struct access_method smart2_access = {
39791- smart2_submit_command,
39792- smart2_intr_mask,
39793- smart2_fifo_full,
39794- smart2_intr_pending,
39795- smart2_completed,
39796+ .submit_command = smart2_submit_command,
39797+ .set_intr_mask = smart2_intr_mask,
39798+ .fifo_full = smart2_fifo_full,
39799+ .intr_pending = smart2_intr_pending,
39800+ .command_completed = smart2_completed,
39801 };
39802
39803 /*
39804@@ -180,11 +180,11 @@ static unsigned long smart2e_intr_pending(ctlr_info_t *h)
39805 }
39806
39807 static struct access_method smart2e_access = {
39808- smart2e_submit_command,
39809- smart2e_intr_mask,
39810- smart2e_fifo_full,
39811- smart2e_intr_pending,
39812- smart2e_completed,
39813+ .submit_command = smart2e_submit_command,
39814+ .set_intr_mask = smart2e_intr_mask,
39815+ .fifo_full = smart2e_fifo_full,
39816+ .intr_pending = smart2e_intr_pending,
39817+ .command_completed = smart2e_completed,
39818 };
39819
39820 /*
39821@@ -270,9 +270,9 @@ static unsigned long smart1_intr_pending(ctlr_info_t *h)
39822 }
39823
39824 static struct access_method smart1_access = {
39825- smart1_submit_command,
39826- smart1_intr_mask,
39827- smart1_fifo_full,
39828- smart1_intr_pending,
39829- smart1_completed,
39830+ .submit_command = smart1_submit_command,
39831+ .set_intr_mask = smart1_intr_mask,
39832+ .fifo_full = smart1_fifo_full,
39833+ .intr_pending = smart1_intr_pending,
39834+ .command_completed = smart1_completed,
39835 };
39836diff --git a/drivers/bluetooth/btwilink.c b/drivers/bluetooth/btwilink.c
39837index 7a722df..54b76ab 100644
39838--- a/drivers/bluetooth/btwilink.c
39839+++ b/drivers/bluetooth/btwilink.c
39840@@ -288,7 +288,7 @@ static int ti_st_send_frame(struct hci_dev *hdev, struct sk_buff *skb)
39841
39842 static int bt_ti_probe(struct platform_device *pdev)
39843 {
39844- static struct ti_st *hst;
39845+ struct ti_st *hst;
39846 struct hci_dev *hdev;
39847 int err;
39848
39849diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c
39850index 5d28a45..a538f90 100644
39851--- a/drivers/cdrom/cdrom.c
39852+++ b/drivers/cdrom/cdrom.c
39853@@ -610,7 +610,6 @@ int register_cdrom(struct cdrom_device_info *cdi)
39854 ENSURE(reset, CDC_RESET);
39855 ENSURE(generic_packet, CDC_GENERIC_PACKET);
39856 cdi->mc_flags = 0;
39857- cdo->n_minors = 0;
39858 cdi->options = CDO_USE_FFLAGS;
39859
39860 if (autoclose == 1 && CDROM_CAN(CDC_CLOSE_TRAY))
39861@@ -630,8 +629,11 @@ int register_cdrom(struct cdrom_device_info *cdi)
39862 else
39863 cdi->cdda_method = CDDA_OLD;
39864
39865- if (!cdo->generic_packet)
39866- cdo->generic_packet = cdrom_dummy_generic_packet;
39867+ if (!cdo->generic_packet) {
39868+ pax_open_kernel();
39869+ *(void **)&cdo->generic_packet = cdrom_dummy_generic_packet;
39870+ pax_close_kernel();
39871+ }
39872
39873 cd_dbg(CD_REG_UNREG, "drive \"/dev/%s\" registered\n", cdi->name);
39874 mutex_lock(&cdrom_mutex);
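Review bot: The store between pax_open_kernel() and pax_close_kernel() writes into `cdo` (presumably the driver's ops table reached through `cdi->ops`) before `mutex_lock(&cdrom_mutex)` is taken a few lines later. Its `*(void **)&` cast also discards the function-pointer type, so a handler with the wrong signature would no longer be rejected by the compiler. I would add a comment above the block such as `/* cdo is write-protected; protection is lifted only for this one store */` and state why no lock is needed, or move the store under cdrom_mutex if two drives sharing one ops table can register concurrently, which is not visible here. register_cdrom() starts and ends outside this hunk.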
39875@@ -652,7 +654,6 @@ void unregister_cdrom(struct cdrom_device_info *cdi)
39876 if (cdi->exit)
39877 cdi->exit(cdi);
39878
39879- cdi->ops->n_minors--;
39880 cd_dbg(CD_REG_UNREG, "drive \"/dev/%s\" unregistered\n", cdi->name);
39881 }
39882
39883@@ -2126,7 +2127,7 @@ static int cdrom_read_cdda_old(struct cdrom_device_info *cdi, __u8 __user *ubuf,
39884 */
39885 nr = nframes;
39886 do {
39887- cgc.buffer = kmalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
39888+ cgc.buffer = kzalloc(CD_FRAMESIZE_RAW * nr, GFP_KERNEL);
39889 if (cgc.buffer)
39890 break;
39891
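Review bot: The size passed to the new kzalloc() call is still the open-coded product `CD_FRAMESIZE_RAW * nr`, and `nr` starts from `nframes`, whose upper bound is not visible in this hunk. `cgc.buffer = kcalloc(nr, CD_FRAMESIZE_RAW, GFP_KERNEL);` keeps the zeroing this change introduces and also fails cleanly if the product would overflow. cdrom_read_cdda_old() starts and ends outside this hunk, so whether the caller already limits the frame count should be confirmed there.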
39892@@ -3434,7 +3435,7 @@ static int cdrom_print_info(const char *header, int val, char *info,
39893 struct cdrom_device_info *cdi;
39894 int ret;
39895
39896- ret = scnprintf(info + *pos, max_size - *pos, header);
39897+ ret = scnprintf(info + *pos, max_size - *pos, "%s", header);
39898 if (!ret)
39899 return 1;
39900
39901diff --git a/drivers/cdrom/gdrom.c b/drivers/cdrom/gdrom.c
39902index 584bc31..e64a12c 100644
39903--- a/drivers/cdrom/gdrom.c
39904+++ b/drivers/cdrom/gdrom.c
39905@@ -491,7 +491,6 @@ static struct cdrom_device_ops gdrom_ops = {
39906 .audio_ioctl = gdrom_audio_ioctl,
39907 .capability = CDC_MULTI_SESSION | CDC_MEDIA_CHANGED |
39908 CDC_RESET | CDC_DRIVE_STATUS | CDC_CD_R,
39909- .n_minors = 1,
39910 };
39911
39912 static int gdrom_bdops_open(struct block_device *bdev, fmode_t mode)
39913diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig
39914index a043107..1263e4a 100644
39915--- a/drivers/char/Kconfig
39916+++ b/drivers/char/Kconfig
39917@@ -17,7 +17,8 @@ config DEVMEM
39918
39919 config DEVKMEM
39920 bool "/dev/kmem virtual device support"
39921- default y
39922+ default n
39923+ depends on !GRKERNSEC_KMEM
39924 help
39925 Say Y here if you want to support the /dev/kmem device. The
39926 /dev/kmem device is rarely used, but can be used for certain
39927@@ -586,6 +587,7 @@ config DEVPORT
39928 bool
39929 depends on !M68K
39930 depends on ISA || PCI
39931+ depends on !GRKERNSEC_KMEM
39932 default y
39933
39934 source "drivers/s390/char/Kconfig"
39935diff --git a/drivers/char/agp/compat_ioctl.c b/drivers/char/agp/compat_ioctl.c
39936index a48e05b..6bac831 100644
39937--- a/drivers/char/agp/compat_ioctl.c
39938+++ b/drivers/char/agp/compat_ioctl.c
39939@@ -108,7 +108,7 @@ static int compat_agpioc_reserve_wrap(struct agp_file_private *priv, void __user
39940 return -ENOMEM;
39941 }
39942
39943- if (copy_from_user(usegment, (void __user *) ureserve.seg_list,
39944+ if (copy_from_user(usegment, (void __force_user *) ureserve.seg_list,
39945 sizeof(*usegment) * ureserve.seg_count)) {
39946 kfree(usegment);
39947 kfree(ksegment);
39948diff --git a/drivers/char/agp/frontend.c b/drivers/char/agp/frontend.c
39949index 09f17eb..8531d2f 100644
39950--- a/drivers/char/agp/frontend.c
39951+++ b/drivers/char/agp/frontend.c
39952@@ -806,7 +806,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
39953 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
39954 return -EFAULT;
39955
39956- if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
39957+ if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
39958 return -EFAULT;
39959
39960 client = agp_find_client_by_pid(reserve.pid);
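Review bot: The bound on `reserve.seg_count` now divides by `sizeof(struct agp_segment_priv)` while the copy_from_user() in the next hunk still multiplies by `sizeof(struct agp_segment)`, and nothing at the check says why the two differ. A comment such as `/* bound by the larger per-segment struct so neither later size computation can wrap */` would make the intent explicit. That agp_segment_priv is the larger of the two is an assumption, as neither definition is visible. The allocations that consume the count lie between the two hunks of agpioc_reserve_wrap() and are outside the visible lines.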
39961@@ -836,7 +836,7 @@ static int agpioc_reserve_wrap(struct agp_file_private *priv, void __user *arg)
39962 if (segment == NULL)
39963 return -ENOMEM;
39964
39965- if (copy_from_user(segment, (void __user *) reserve.seg_list,
39966+ if (copy_from_user(segment, (void __force_user *) reserve.seg_list,
39967 sizeof(struct agp_segment) * reserve.seg_count)) {
39968 kfree(segment);
39969 return -EFAULT;
39970diff --git a/drivers/char/agp/intel-gtt.c b/drivers/char/agp/intel-gtt.c
39971index c6dea3f..72ae4b0 100644
39972--- a/drivers/char/agp/intel-gtt.c
39973+++ b/drivers/char/agp/intel-gtt.c
39974@@ -1408,8 +1408,8 @@ int intel_gmch_probe(struct pci_dev *bridge_pdev, struct pci_dev *gpu_pdev,
39975 }
39976 EXPORT_SYMBOL(intel_gmch_probe);
39977
39978-void intel_gtt_get(size_t *gtt_total, size_t *stolen_size,
39979- phys_addr_t *mappable_base, unsigned long *mappable_end)
39980+void intel_gtt_get(uint64_t *gtt_total, uint64_t *stolen_size,
39981+ uint64_t *mappable_base, uint64_t *mappable_end)
39982 {
39983 *gtt_total = intel_private.gtt_total_entries << PAGE_SHIFT;
39984 *stolen_size = intel_private.stolen_size;
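Review bot: `*gtt_total` is now a `uint64_t`, but the value stored into it is still computed as `intel_private.gtt_total_entries << PAGE_SHIFT` in the type of `gtt_total_entries`. If that field is a 32-bit integer (its declaration is not visible), the shift truncates before the result is widened. Casting first, `*gtt_total = (uint64_t)intel_private.gtt_total_entries << PAGE_SHIFT;`, makes the wider out-parameter effective. intel_gtt_get() continues outside this hunk, and its prototype and callers have to agree with the new parameter types.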
39985diff --git a/drivers/char/genrtc.c b/drivers/char/genrtc.c
39986index 4f94375..413694e 100644
39987--- a/drivers/char/genrtc.c
39988+++ b/drivers/char/genrtc.c
39989@@ -273,6 +273,7 @@ static int gen_rtc_ioctl(struct file *file,
39990 switch (cmd) {
39991
39992 case RTC_PLL_GET:
39993+ memset(&pll, 0, sizeof(pll));
39994 if (get_rtc_pll(&pll))
39995 return -EINVAL;
39996 else
39997diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c
39998index 5c0baa9..44011b1 100644
39999--- a/drivers/char/hpet.c
40000+++ b/drivers/char/hpet.c
40001@@ -575,7 +575,7 @@ static inline unsigned long hpet_time_div(struct hpets *hpets,
40002 }
40003
40004 static int
40005-hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
40006+hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
40007 struct hpet_info *info)
40008 {
40009 struct hpet_timer __iomem *timer;
40010diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c
40011index bf75f63..359fa10 100644
40012--- a/drivers/char/ipmi/ipmi_msghandler.c
40013+++ b/drivers/char/ipmi/ipmi_msghandler.c
40014@@ -436,7 +436,7 @@ struct ipmi_smi {
40015 struct proc_dir_entry *proc_dir;
40016 char proc_dir_name[10];
40017
40018- atomic_t stats[IPMI_NUM_STATS];
40019+ atomic_unchecked_t stats[IPMI_NUM_STATS];
40020
40021 /*
40022 * run_to_completion duplicate of smb_info, smi_info
40023@@ -468,9 +468,9 @@ static LIST_HEAD(smi_watchers);
40024 static DEFINE_MUTEX(smi_watchers_mutex);
40025
40026 #define ipmi_inc_stat(intf, stat) \
40027- atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
40028+ atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
40029 #define ipmi_get_stat(intf, stat) \
40030- ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
40031+ ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
40032
40033 static char *addr_src_to_str[] = { "invalid", "hotmod", "hardcoded", "SPMI",
40034 "ACPI", "SMBIOS", "PCI",
40035@@ -2828,7 +2828,7 @@ int ipmi_register_smi(struct ipmi_smi_handlers *handlers,
40036 INIT_LIST_HEAD(&intf->cmd_rcvrs);
40037 init_waitqueue_head(&intf->waitq);
40038 for (i = 0; i < IPMI_NUM_STATS; i++)
40039- atomic_set(&intf->stats[i], 0);
40040+ atomic_set_unchecked(&intf->stats[i], 0);
40041
40042 intf->proc_dir = NULL;
40043
40044diff --git a/drivers/char/ipmi/ipmi_si_intf.c b/drivers/char/ipmi/ipmi_si_intf.c
40045index 8a45e92..e41b1c7 100644
40046--- a/drivers/char/ipmi/ipmi_si_intf.c
40047+++ b/drivers/char/ipmi/ipmi_si_intf.c
40048@@ -289,7 +289,7 @@ struct smi_info {
40049 unsigned char slave_addr;
40050
40051 /* Counters and things for the proc filesystem. */
40052- atomic_t stats[SI_NUM_STATS];
40053+ atomic_unchecked_t stats[SI_NUM_STATS];
40054
40055 struct task_struct *thread;
40056
40057@@ -298,9 +298,9 @@ struct smi_info {
40058 };
40059
40060 #define smi_inc_stat(smi, stat) \
40061- atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
40062+ atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
40063 #define smi_get_stat(smi, stat) \
40064- ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
40065+ ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
40066
40067 #define SI_MAX_PARMS 4
40068
40069@@ -3500,7 +3500,7 @@ static int try_smi_init(struct smi_info *new_smi)
40070 atomic_set(&new_smi->req_events, 0);
40071 new_smi->run_to_completion = false;
40072 for (i = 0; i < SI_NUM_STATS; i++)
40073- atomic_set(&new_smi->stats[i], 0);
40074+ atomic_set_unchecked(&new_smi->stats[i], 0);
40075
40076 new_smi->interrupt_disabled = true;
40077 atomic_set(&new_smi->need_watch, 0);
40078diff --git a/drivers/char/mem.c b/drivers/char/mem.c
40079index 6b1721f..fda9398 100644
40080--- a/drivers/char/mem.c
40081+++ b/drivers/char/mem.c
40082@@ -18,6 +18,7 @@
40083 #include <linux/raw.h>
40084 #include <linux/tty.h>
40085 #include <linux/capability.h>
40086+#include <linux/security.h>
40087 #include <linux/ptrace.h>
40088 #include <linux/device.h>
40089 #include <linux/highmem.h>
40090@@ -36,6 +37,10 @@
40091
40092 #define DEVPORT_MINOR 4
40093
40094+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
40095+extern const struct file_operations grsec_fops;
40096+#endif
40097+
40098 static inline unsigned long size_inside_page(unsigned long start,
40099 unsigned long size)
40100 {
40101@@ -67,9 +72,13 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
40102
40103 while (cursor < to) {
40104 if (!devmem_is_allowed(pfn)) {
40105+#ifdef CONFIG_GRKERNSEC_KMEM
40106+ gr_handle_mem_readwrite(from, to);
40107+#else
40108 printk(KERN_INFO
40109 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
40110 current->comm, from, to);
40111+#endif
40112 return 0;
40113 }
40114 cursor += PAGE_SIZE;
40115@@ -77,6 +86,11 @@ static inline int range_is_allowed(unsigned long pfn, unsigned long size)
40116 }
40117 return 1;
40118 }
40119+#elif defined(CONFIG_GRKERNSEC_KMEM)
40120+static inline int range_is_allowed(unsigned long pfn, unsigned long size)
40121+{
40122+ return 0;
40123+}
40124 #else
40125 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
40126 {
40127@@ -124,7 +138,8 @@ static ssize_t read_mem(struct file *file, char __user *buf,
40128 #endif
40129
40130 while (count > 0) {
40131- unsigned long remaining;
40132+ unsigned long remaining = 0;
40133+ char *temp;
40134
40135 sz = size_inside_page(p, count);
40136
40137@@ -140,7 +155,24 @@ static ssize_t read_mem(struct file *file, char __user *buf,
40138 if (!ptr)
40139 return -EFAULT;
40140
40141- remaining = copy_to_user(buf, ptr, sz);
40142+#ifdef CONFIG_PAX_USERCOPY
40143+ temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
40144+ if (!temp) {
40145+ unxlate_dev_mem_ptr(p, ptr);
40146+ return -ENOMEM;
40147+ }
40148+ remaining = probe_kernel_read(temp, ptr, sz);
40149+#else
40150+ temp = ptr;
40151+#endif
40152+
40153+ if (!remaining)
40154+ remaining = copy_to_user(buf, temp, sz);
40155+
40156+#ifdef CONFIG_PAX_USERCOPY
40157+ kfree(temp);
40158+#endif
40159+
40160 unxlate_dev_mem_ptr(p, ptr);
40161 if (remaining)
40162 return -EFAULT;
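Review bot: With CONFIG_PAX_USERCOPY the bounce buffer is allocated and freed on every pass of the `while (count > 0)` loop, so a large read pays one `kmalloc`/`kfree` pair per page and can fail with -ENOMEM partway through, after earlier pages were already copied out. Since `sz` comes from `size_inside_page()` and is presumably never more than a page, a single `temp = kmalloc(PAGE_SIZE, GFP_KERNEL|GFP_USERCOPY);` before the loop and one `kfree(temp);` on the exit paths would do. `remaining` also now holds the negative return of `probe_kernel_read()` in an `unsigned long`, which works only because it is tested for non-zero; that deserves a short comment. The same per-iteration allocation is added to read_kmem further down, and both function bodies extend outside their hunks.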
40163@@ -380,9 +412,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
40164 size_t count, loff_t *ppos)
40165 {
40166 unsigned long p = *ppos;
40167- ssize_t low_count, read, sz;
40168+ ssize_t low_count, read, sz, err = 0;
40169 char *kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
40170- int err = 0;
40171
40172 read = 0;
40173 if (p < (unsigned long) high_memory) {
40174@@ -404,6 +435,8 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
40175 }
40176 #endif
40177 while (low_count > 0) {
40178+ char *temp;
40179+
40180 sz = size_inside_page(p, low_count);
40181
40182 /*
40183@@ -413,7 +446,23 @@ static ssize_t read_kmem(struct file *file, char __user *buf,
40184 */
40185 kbuf = xlate_dev_kmem_ptr((void *)p);
40186
40187- if (copy_to_user(buf, kbuf, sz))
40188+#ifdef CONFIG_PAX_USERCOPY
40189+ temp = kmalloc(sz, GFP_KERNEL|GFP_USERCOPY);
40190+ if (!temp)
40191+ return -ENOMEM;
40192+ err = probe_kernel_read(temp, kbuf, sz);
40193+#else
40194+ temp = kbuf;
40195+#endif
40196+
40197+ if (!err)
40198+ err = copy_to_user(buf, temp, sz);
40199+
40200+#ifdef CONFIG_PAX_USERCOPY
40201+ kfree(temp);
40202+#endif
40203+
40204+ if (err)
40205 return -EFAULT;
40206 buf += sz;
40207 p += sz;
40208@@ -802,6 +851,9 @@ static const struct memdev {
40209 #ifdef CONFIG_PRINTK
40210 [11] = { "kmsg", 0644, &kmsg_fops, 0 },
40211 #endif
40212+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
40213+ [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, 0 },
40214+#endif
40215 };
40216
40217 static int memory_open(struct inode *inode, struct file *filp)
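Review bot: The new `[13]` entry registers the `grsec` node with `S_IRUSR | S_IWUGO`, i.e. writable by every user, while the neighbouring `kmsg` entry uses a plain octal `0644`. If that is intentional (unprivileged processes presumably need to write requests to it), it needs a comment saying so and stating that `grsec_fops`, which is only declared extern here and defined elsewhere, must treat every write as untrusted input. Something like `/* world-writable by design: all access control happens in grsec_fops */` above the entry would do. `"grsec",S_IRUSR` is also missing the space after the comma.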
40218@@ -863,7 +915,7 @@ static int __init chr_dev_init(void)
40219 continue;
40220
40221 device_create(mem_class, NULL, MKDEV(MEM_MAJOR, minor),
40222- NULL, devlist[minor].name);
40223+ NULL, "%s", devlist[minor].name);
40224 }
40225
40226 return tty_init();
40227diff --git a/drivers/char/nvram.c b/drivers/char/nvram.c
40228index 9df78e2..01ba9ae 100644
40229--- a/drivers/char/nvram.c
40230+++ b/drivers/char/nvram.c
40231@@ -247,7 +247,7 @@ static ssize_t nvram_read(struct file *file, char __user *buf,
40232
40233 spin_unlock_irq(&rtc_lock);
40234
40235- if (copy_to_user(buf, contents, tmp - contents))
40236+ if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
40237 return -EFAULT;
40238
40239 *ppos = i;
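Review bot: The added bound `tmp - contents > sizeof(contents)` compares a signed pointer difference with an unsigned `sizeof`, so a negative difference is rejected only because of the implicit conversion to `size_t`. Making that explicit, `if ((size_t)(tmp - contents) > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))`, or adding a one-line comment, would keep a later cleanup from weakening the check; the line is also well past 80 columns. The check runs after `contents` has been filled (the fill loop is outside this hunk), so it bounds the copy to user space but not the writes into the buffer. The same pattern, `i > sizeof(tmp)`, is added to extract_entropy_user in drivers/char/random.c.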
40240diff --git a/drivers/char/pcmcia/synclink_cs.c b/drivers/char/pcmcia/synclink_cs.c
40241index 7680d52..073f799e 100644
40242--- a/drivers/char/pcmcia/synclink_cs.c
40243+++ b/drivers/char/pcmcia/synclink_cs.c
40244@@ -2345,7 +2345,7 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp)
40245
40246 if (debug_level >= DEBUG_LEVEL_INFO)
40247 printk("%s(%d):mgslpc_close(%s) entry, count=%d\n",
40248- __FILE__, __LINE__, info->device_name, port->count);
40249+ __FILE__, __LINE__, info->device_name, atomic_read(&port->count));
40250
40251 if (tty_port_close_start(port, tty, filp) == 0)
40252 goto cleanup;
40253@@ -2363,7 +2363,7 @@ static void mgslpc_close(struct tty_struct *tty, struct file * filp)
40254 cleanup:
40255 if (debug_level >= DEBUG_LEVEL_INFO)
40256 printk("%s(%d):mgslpc_close(%s) exit, count=%d\n", __FILE__, __LINE__,
40257- tty->driver->name, port->count);
40258+ tty->driver->name, atomic_read(&port->count));
40259 }
40260
40261 /* Wait until the transmitter is empty.
40262@@ -2505,7 +2505,7 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp)
40263
40264 if (debug_level >= DEBUG_LEVEL_INFO)
40265 printk("%s(%d):mgslpc_open(%s), old ref count = %d\n",
40266- __FILE__, __LINE__, tty->driver->name, port->count);
40267+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
40268
40269 /* If port is closing, signal caller to try again */
40270 if (port->flags & ASYNC_CLOSING){
40271@@ -2525,11 +2525,11 @@ static int mgslpc_open(struct tty_struct *tty, struct file * filp)
40272 goto cleanup;
40273 }
40274 spin_lock(&port->lock);
40275- port->count++;
40276+ atomic_inc(&port->count);
40277 spin_unlock(&port->lock);
40278 spin_unlock_irqrestore(&info->netlock, flags);
40279
40280- if (port->count == 1) {
40281+ if (atomic_read(&port->count) == 1) {
40282 /* 1st open on this device, init hardware */
40283 retval = startup(info, tty);
40284 if (retval < 0)
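Review bot: After the conversion the first-open test `atomic_read(&port->count) == 1` is still a second read made after `port->lock` and `info->netlock` have been dropped, so it can observe another opener's increment rather than this one's. Now that the counter is atomic, the increment and the test can be a single operation: keep the result of `atomic_inc_return(&port->count)` in a local and test that instead. Whether two opens can actually overlap here depends on locking outside the hunk, and mgslpc_open continues past it.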
40285@@ -3918,7 +3918,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
40286 unsigned short new_crctype;
40287
40288 /* return error if TTY interface open */
40289- if (info->port.count)
40290+ if (atomic_read(&info->port.count))
40291 return -EBUSY;
40292
40293 switch (encoding)
40294@@ -4022,7 +4022,7 @@ static int hdlcdev_open(struct net_device *dev)
40295
40296 /* arbitrate between network and tty opens */
40297 spin_lock_irqsave(&info->netlock, flags);
40298- if (info->port.count != 0 || info->netcount != 0) {
40299+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
40300 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
40301 spin_unlock_irqrestore(&info->netlock, flags);
40302 return -EBUSY;
40303@@ -4112,7 +4112,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
40304 printk("%s:hdlcdev_ioctl(%s)\n", __FILE__, dev->name);
40305
40306 /* return error if TTY interface open */
40307- if (info->port.count)
40308+ if (atomic_read(&info->port.count))
40309 return -EBUSY;
40310
40311 if (cmd != SIOCWANDEV)
40312diff --git a/drivers/char/random.c b/drivers/char/random.c
40313index d0da5d8..739fd3a 100644
40314--- a/drivers/char/random.c
40315+++ b/drivers/char/random.c
40316@@ -289,9 +289,6 @@
40317 /*
40318 * To allow fractional bits to be tracked, the entropy_count field is
40319 * denominated in units of 1/8th bits.
40320- *
40321- * 2*(ENTROPY_SHIFT + log2(poolbits)) must <= 31, or the multiply in
40322- * credit_entropy_bits() needs to be 64 bits wide.
40323 */
40324 #define ENTROPY_SHIFT 3
40325 #define ENTROPY_BITS(r) ((r)->entropy_count >> ENTROPY_SHIFT)
40326@@ -442,9 +439,9 @@ struct entropy_store {
40327 };
40328
40329 static void push_to_pool(struct work_struct *work);
40330-static __u32 input_pool_data[INPUT_POOL_WORDS];
40331-static __u32 blocking_pool_data[OUTPUT_POOL_WORDS];
40332-static __u32 nonblocking_pool_data[OUTPUT_POOL_WORDS];
40333+static __u32 input_pool_data[INPUT_POOL_WORDS] __latent_entropy;
40334+static __u32 blocking_pool_data[OUTPUT_POOL_WORDS] __latent_entropy;
40335+static __u32 nonblocking_pool_data[OUTPUT_POOL_WORDS] __latent_entropy;
40336
40337 static struct entropy_store input_pool = {
40338 .poolinfo = &poolinfo_table[0],
40339@@ -654,7 +651,7 @@ retry:
40340 /* The +2 corresponds to the /4 in the denominator */
40341
40342 do {
40343- unsigned int anfrac = min(pnfrac, pool_size/2);
40344+ u64 anfrac = min(pnfrac, pool_size/2);
40345 unsigned int add =
40346 ((pool_size - entropy_count)*anfrac*3) >> s;
40347
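Review bot: Widening `anfrac` to `u64` is what keeps `(pool_size - entropy_count)*anfrac*3` from overflowing 32 bits, but nothing in the code says so now that the earlier hunk deletes the comment that stated the `<= 31` constraint. A comment on the declaration, e.g. `/* u64: forces the product below to 64 bits */`, would stop someone narrowing it back. The result is still truncated into `unsigned int add` after the shift. If `pool_size` and `entropy_count` are signed ints, a negative difference would be converted to a very large unsigned value by the multiplication; whether that can occur depends on checks outside this hunk.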
40348@@ -1227,7 +1224,7 @@ static ssize_t extract_entropy_user(struct entropy_store *r, void __user *buf,
40349
40350 extract_buf(r, tmp);
40351 i = min_t(int, nbytes, EXTRACT_SIZE);
40352- if (copy_to_user(buf, tmp, i)) {
40353+ if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
40354 ret = -EFAULT;
40355 break;
40356 }
40357@@ -1668,7 +1665,7 @@ static char sysctl_bootid[16];
40358 static int proc_do_uuid(struct ctl_table *table, int write,
40359 void __user *buffer, size_t *lenp, loff_t *ppos)
40360 {
40361- struct ctl_table fake_table;
40362+ ctl_table_no_const fake_table;
40363 unsigned char buf[64], tmp_uuid[16], *uuid;
40364
40365 uuid = table->data;
40366@@ -1698,7 +1695,7 @@ static int proc_do_uuid(struct ctl_table *table, int write,
40367 static int proc_do_entropy(struct ctl_table *table, int write,
40368 void __user *buffer, size_t *lenp, loff_t *ppos)
40369 {
40370- struct ctl_table fake_table;
40371+ ctl_table_no_const fake_table;
40372 int entropy_count;
40373
40374 entropy_count = *(int *)table->data >> ENTROPY_SHIFT;
40375diff --git a/drivers/char/sonypi.c b/drivers/char/sonypi.c
40376index e496dae..3db53b6 100644
40377--- a/drivers/char/sonypi.c
40378+++ b/drivers/char/sonypi.c
40379@@ -54,6 +54,7 @@
40380
40381 #include <asm/uaccess.h>
40382 #include <asm/io.h>
40383+#include <asm/local.h>
40384
40385 #include <linux/sonypi.h>
40386
40387@@ -490,7 +491,7 @@ static struct sonypi_device {
40388 spinlock_t fifo_lock;
40389 wait_queue_head_t fifo_proc_list;
40390 struct fasync_struct *fifo_async;
40391- int open_count;
40392+ local_t open_count;
40393 int model;
40394 struct input_dev *input_jog_dev;
40395 struct input_dev *input_key_dev;
40396@@ -892,7 +893,7 @@ static int sonypi_misc_fasync(int fd, struct file *filp, int on)
40397 static int sonypi_misc_release(struct inode *inode, struct file *file)
40398 {
40399 mutex_lock(&sonypi_device.lock);
40400- sonypi_device.open_count--;
40401+ local_dec(&sonypi_device.open_count);
40402 mutex_unlock(&sonypi_device.lock);
40403 return 0;
40404 }
40405@@ -901,9 +902,9 @@ static int sonypi_misc_open(struct inode *inode, struct file *file)
40406 {
40407 mutex_lock(&sonypi_device.lock);
40408 /* Flush input queue on first open */
40409- if (!sonypi_device.open_count)
40410+ if (!local_read(&sonypi_device.open_count))
40411 kfifo_reset(&sonypi_device.fifo);
40412- sonypi_device.open_count++;
40413+ local_inc(&sonypi_device.open_count);
40414 mutex_unlock(&sonypi_device.lock);
40415
40416 return 0;
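Review bot: `open_count` is a single device-wide counter that is only touched under `sonypi_device.lock` in this hunk and in sonypi_misc_release, yet it is converted to `local_t`, whose operations are meant for CPU-local data. If the goal is a checked counter type, `atomic_t` with `atomic_read`/`atomic_inc`/`atomic_dec` states the intent more clearly and does not lean on the per-CPU contract. Otherwise add a comment on the field in struct sonypi_device explaining why `local_t` was chosen.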
40417@@ -1491,7 +1492,7 @@ static struct platform_driver sonypi_driver = {
40418
40419 static struct platform_device *sonypi_platform_device;
40420
40421-static struct dmi_system_id __initdata sonypi_dmi_table[] = {
40422+static const struct dmi_system_id __initconst sonypi_dmi_table[] = {
40423 {
40424 .ident = "Sony Vaio",
40425 .matches = {
40426diff --git a/drivers/char/tpm/tpm_acpi.c b/drivers/char/tpm/tpm_acpi.c
40427index 565a947..dcdc06e 100644
40428--- a/drivers/char/tpm/tpm_acpi.c
40429+++ b/drivers/char/tpm/tpm_acpi.c
40430@@ -98,11 +98,12 @@ int read_log(struct tpm_bios_log *log)
40431 virt = acpi_os_map_iomem(start, len);
40432 if (!virt) {
40433 kfree(log->bios_event_log);
40434+ log->bios_event_log = NULL;
40435 printk("%s: ERROR - Unable to map memory\n", __func__);
40436 return -EIO;
40437 }
40438
40439- memcpy_fromio(log->bios_event_log, virt, len);
40440+ memcpy_fromio(log->bios_event_log, (const char __force_kernel *)virt, len);
40441
40442 acpi_os_unmap_iomem(virt, len);
40443 return 0;
40444diff --git a/drivers/char/tpm/tpm_eventlog.c b/drivers/char/tpm/tpm_eventlog.c
40445index 3a56a13..f8cbd25 100644
40446--- a/drivers/char/tpm/tpm_eventlog.c
40447+++ b/drivers/char/tpm/tpm_eventlog.c
40448@@ -95,7 +95,7 @@ static void *tpm_bios_measurements_start(struct seq_file *m, loff_t *pos)
40449 event = addr;
40450
40451 if ((event->event_type == 0 && event->event_size == 0) ||
40452- ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
40453+ (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
40454 return NULL;
40455
40456 return addr;
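Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids overflowing the pointer addition, but the right-hand side is now an unsigned subtraction. Assuming `addr` and `limit` are pointers into the log, it wraps to a huge value whenever fewer than `sizeof(struct tcpa_event)` bytes remain before `limit`. In that case the comparison is false and the entry is accepted, and `event->event_size` has been read from a header that does not fit. Unless a check above the hunk already guarantees the header fits, put `limit - addr < sizeof(struct tcpa_event) ||` in front of this comparison, or state the precondition in a comment. The same applies to the `limit - v` form in tpm_bios_measurements_next; both functions start outside their hunks.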
40457@@ -120,7 +120,7 @@ static void *tpm_bios_measurements_next(struct seq_file *m, void *v,
40458 return NULL;
40459
40460 if ((event->event_type == 0 && event->event_size == 0) ||
40461- ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
40462+ (event->event_size >= limit - v - sizeof(struct tcpa_event)))
40463 return NULL;
40464
40465 (*pos)++;
40466@@ -213,7 +213,8 @@ static int tpm_binary_bios_measurements_show(struct seq_file *m, void *v)
40467 int i;
40468
40469 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
40470- seq_putc(m, data[i]);
40471+ if (!seq_putc(m, data[i]))
40472+ return -EFAULT;
40473
40474 return 0;
40475 }
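Review bot: The new test `if (!seq_putc(m, data[i]))` looks inverted: if `seq_putc()` follows the usual 0-on-success convention (its definition is not part of this hunk), the function now returns -EFAULT as soon as the first byte has been written successfully. The check should then read `if (seq_putc(m, data[i]))`. It is also worth confirming that returning an error from a seq_file show callback on a full buffer is wanted, since that may keep the seq_file core from retrying with a larger buffer. The `for` body now spans two lines and should get braces.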
40476diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
40477index d2406fe..243951a 100644
40478--- a/drivers/char/virtio_console.c
40479+++ b/drivers/char/virtio_console.c
40480@@ -685,7 +685,7 @@ static ssize_t fill_readbuf(struct port *port, char __user *out_buf,
40481 if (to_user) {
40482 ssize_t ret;
40483
40484- ret = copy_to_user(out_buf, buf->buf + buf->offset, out_count);
40485+ ret = copy_to_user((char __force_user *)out_buf, buf->buf + buf->offset, out_count);
40486 if (ret)
40487 return -EFAULT;
40488 } else {
40489@@ -789,7 +789,7 @@ static ssize_t port_fops_read(struct file *filp, char __user *ubuf,
40490 if (!port_has_data(port) && !port->host_connected)
40491 return 0;
40492
40493- return fill_readbuf(port, ubuf, count, true);
40494+ return fill_readbuf(port, (char __force_kernel *)ubuf, count, true);
40495 }
40496
40497 static int wait_port_writable(struct port *port, bool nonblock)
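Review bot: `port_fops_read` casts `ubuf`, declared `char __user *`, to `char __force_kernel *` and passes it to `fill_readbuf()`, whose parameter in the hunk header above is `char __user *out_buf`. The first hunk then casts that parameter to `__force_user` again before `copy_to_user()`. The two `__force` casts cancel each other out and silence address-space checking exactly where a user pointer crosses into the copy routine. If `fill_readbuf()` has to take one pointer for both address spaces, say so in a comment at its definition and keep the pointer annotated `__user` on the `to_user` path, so that only the kernel-buffer branch needs a cast.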
40498diff --git a/drivers/clk/clk-composite.c b/drivers/clk/clk-composite.c
40499index 616f5ae..747bdd0 100644
40500--- a/drivers/clk/clk-composite.c
40501+++ b/drivers/clk/clk-composite.c
40502@@ -197,7 +197,7 @@ struct clk *clk_register_composite(struct device *dev, const char *name,
40503 struct clk *clk;
40504 struct clk_init_data init;
40505 struct clk_composite *composite;
40506- struct clk_ops *clk_composite_ops;
40507+ clk_ops_no_const *clk_composite_ops;
40508
40509 composite = kzalloc(sizeof(*composite), GFP_KERNEL);
40510 if (!composite)
40511diff --git a/drivers/clk/samsung/clk.h b/drivers/clk/samsung/clk.h
40512index b775fc2..2d45b64 100644
40513--- a/drivers/clk/samsung/clk.h
40514+++ b/drivers/clk/samsung/clk.h
40515@@ -260,7 +260,7 @@ struct samsung_gate_clock {
40516 #define GATE_DA(_id, dname, cname, pname, o, b, f, gf, a) \
40517 __GATE(_id, dname, cname, pname, o, b, f, gf, a)
40518
40519-#define PNAME(x) static const char *x[] __initdata
40520+#define PNAME(x) static const char * const x[] __initconst
40521
40522 /**
40523 * struct samsung_clk_reg_dump: register dump of clock controller registers.
40524diff --git a/drivers/clk/socfpga/clk-gate.c b/drivers/clk/socfpga/clk-gate.c
40525index 82449cd..dcfec30 100644
40526--- a/drivers/clk/socfpga/clk-gate.c
40527+++ b/drivers/clk/socfpga/clk-gate.c
40528@@ -22,6 +22,7 @@
40529 #include <linux/mfd/syscon.h>
40530 #include <linux/of.h>
40531 #include <linux/regmap.h>
40532+#include <asm/pgtable.h>
40533
40534 #include "clk.h"
40535
40536@@ -170,7 +171,7 @@ static int socfpga_clk_prepare(struct clk_hw *hwclk)
40537 return 0;
40538 }
40539
40540-static struct clk_ops gateclk_ops = {
40541+static clk_ops_no_const gateclk_ops __read_only = {
40542 .prepare = socfpga_clk_prepare,
40543 .recalc_rate = socfpga_clk_recalc_rate,
40544 .get_parent = socfpga_clk_get_parent,
40545@@ -203,8 +204,10 @@ static void __init __socfpga_gate_init(struct device_node *node,
40546 socfpga_clk->hw.reg = clk_mgr_base_addr + clk_gate[0];
40547 socfpga_clk->hw.bit_idx = clk_gate[1];
40548
40549- gateclk_ops.enable = clk_gate_ops.enable;
40550- gateclk_ops.disable = clk_gate_ops.disable;
40551+ pax_open_kernel();
40552+ *(void **)&gateclk_ops.enable = clk_gate_ops.enable;
40553+ *(void **)&gateclk_ops.disable = clk_gate_ops.disable;
40554+ pax_close_kernel();
40555 }
40556
40557 rc = of_property_read_u32(node, "fixed-divider", &fixed_div);
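Review bot: The stores `*(void **)&gateclk_ops.enable = clk_gate_ops.enable;` and the matching `.disable` line go through a `void **` cast, which discards the compiler's check that the assigned function matches the member's prototype, in the one place where a read-only ops table is opened for writing. Wrapping the open/store/close sequence in a single helper whose cast strips only the const qualifier, not the member type, would keep that check and make every write window easy to find. The same pattern is repeated in clk-pll.c, acpi-cpufreq.c, cpufreq-dt.c, cpufreq.c and cpufreq_ondemand.c in this patch. __socfpga_gate_init starts and ends outside this hunk.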
40558diff --git a/drivers/clk/socfpga/clk-pll.c b/drivers/clk/socfpga/clk-pll.c
40559index 8f26b52..29f2a3a 100644
40560--- a/drivers/clk/socfpga/clk-pll.c
40561+++ b/drivers/clk/socfpga/clk-pll.c
40562@@ -21,6 +21,7 @@
40563 #include <linux/io.h>
40564 #include <linux/of.h>
40565 #include <linux/of_address.h>
40566+#include <asm/pgtable.h>
40567
40568 #include "clk.h"
40569
40570@@ -76,7 +77,7 @@ static u8 clk_pll_get_parent(struct clk_hw *hwclk)
40571 CLK_MGR_PLL_CLK_SRC_MASK;
40572 }
40573
40574-static struct clk_ops clk_pll_ops = {
40575+static clk_ops_no_const clk_pll_ops __read_only = {
40576 .recalc_rate = clk_pll_recalc_rate,
40577 .get_parent = clk_pll_get_parent,
40578 };
40579@@ -115,8 +116,10 @@ static __init struct clk *__socfpga_pll_init(struct device_node *node,
40580 pll_clk->hw.hw.init = &init;
40581
40582 pll_clk->hw.bit_idx = SOCFPGA_PLL_EXT_ENA;
40583- clk_pll_ops.enable = clk_gate_ops.enable;
40584- clk_pll_ops.disable = clk_gate_ops.disable;
40585+ pax_open_kernel();
40586+ *(void **)&clk_pll_ops.enable = clk_gate_ops.enable;
40587+ *(void **)&clk_pll_ops.disable = clk_gate_ops.disable;
40588+ pax_close_kernel();
40589
40590 clk = clk_register(NULL, &pll_clk->hw.hw);
40591 if (WARN_ON(IS_ERR(clk))) {
40592diff --git a/drivers/cpufreq/acpi-cpufreq.c b/drivers/cpufreq/acpi-cpufreq.c
40593index 7c2a738..0b84bd6 100644
40594--- a/drivers/cpufreq/acpi-cpufreq.c
40595+++ b/drivers/cpufreq/acpi-cpufreq.c
40596@@ -678,8 +678,11 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
40597 data->acpi_data = per_cpu_ptr(acpi_perf_data, cpu);
40598 per_cpu(acfreq_data, cpu) = data;
40599
40600- if (cpu_has(c, X86_FEATURE_CONSTANT_TSC))
40601- acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS;
40602+ if (cpu_has(c, X86_FEATURE_CONSTANT_TSC)) {
40603+ pax_open_kernel();
40604+ *(u8 *)&acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS;
40605+ pax_close_kernel();
40606+ }
40607
40608 result = acpi_processor_register_performance(data->acpi_data, cpu);
40609 if (result)
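Review bot: `*(u8 *)&acpi_cpufreq_driver.flags |= CPUFREQ_CONST_LOOPS;` hard-codes the width of `flags` in the cast, so if the field is ever declared wider than `u8` the read-modify-write silently touches only one byte, and on a big-endian machine not the byte that holds the flag. The declaration of `flags` is not in this hunk, so please confirm it is `u8` and add `BUILD_BUG_ON(sizeof(acpi_cpufreq_driver.flags) != sizeof(u8));` next to the store. The same cast is applied to `driver_data->flags` in cpufreq_register_driver and to `p4clockmod_driver.flags` in p4-clockmod.c. acpi_cpufreq_cpu_init extends beyond this hunk.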
40610@@ -813,7 +816,9 @@ static int acpi_cpufreq_cpu_init(struct cpufreq_policy *policy)
40611 policy->cur = acpi_cpufreq_guess_freq(data, policy->cpu);
40612 break;
40613 case ACPI_ADR_SPACE_FIXED_HARDWARE:
40614- acpi_cpufreq_driver.get = get_cur_freq_on_cpu;
40615+ pax_open_kernel();
40616+ *(void **)&acpi_cpufreq_driver.get = get_cur_freq_on_cpu;
40617+ pax_close_kernel();
40618 break;
40619 default:
40620 break;
40621@@ -907,8 +912,10 @@ static void __init acpi_cpufreq_boost_init(void)
40622 if (!msrs)
40623 return;
40624
40625- acpi_cpufreq_driver.boost_supported = true;
40626- acpi_cpufreq_driver.boost_enabled = boost_state(0);
40627+ pax_open_kernel();
40628+ *(bool *)&acpi_cpufreq_driver.boost_supported = true;
40629+ *(bool *)&acpi_cpufreq_driver.boost_enabled = boost_state(0);
40630+ pax_close_kernel();
40631
40632 cpu_notifier_register_begin();
40633
40634diff --git a/drivers/cpufreq/cpufreq-dt.c b/drivers/cpufreq/cpufreq-dt.c
40635index 99a4065..f97236c 100644
40636--- a/drivers/cpufreq/cpufreq-dt.c
40637+++ b/drivers/cpufreq/cpufreq-dt.c
40638@@ -393,7 +393,9 @@ static int dt_cpufreq_probe(struct platform_device *pdev)
40639 if (!IS_ERR(cpu_reg))
40640 regulator_put(cpu_reg);
40641
40642- dt_cpufreq_driver.driver_data = dev_get_platdata(&pdev->dev);
40643+ pax_open_kernel();
40644+ *(void **)&dt_cpufreq_driver.driver_data = dev_get_platdata(&pdev->dev);
40645+ pax_close_kernel();
40646
40647 ret = cpufreq_register_driver(&dt_cpufreq_driver);
40648 if (ret)
40649diff --git a/drivers/cpufreq/cpufreq.c b/drivers/cpufreq/cpufreq.c
40650index 7a3c30c..bac142e 100644
40651--- a/drivers/cpufreq/cpufreq.c
40652+++ b/drivers/cpufreq/cpufreq.c
40653@@ -2197,7 +2197,7 @@ void cpufreq_unregister_governor(struct cpufreq_governor *governor)
40654 read_unlock_irqrestore(&cpufreq_driver_lock, flags);
40655
40656 mutex_lock(&cpufreq_governor_mutex);
40657- list_del(&governor->governor_list);
40658+ pax_list_del(&governor->governor_list);
40659 mutex_unlock(&cpufreq_governor_mutex);
40660 return;
40661 }
40662@@ -2412,7 +2412,7 @@ static int cpufreq_cpu_callback(struct notifier_block *nfb,
40663 return NOTIFY_OK;
40664 }
40665
40666-static struct notifier_block __refdata cpufreq_cpu_notifier = {
40667+static struct notifier_block cpufreq_cpu_notifier = {
40668 .notifier_call = cpufreq_cpu_callback,
40669 };
40670
40671@@ -2452,13 +2452,17 @@ int cpufreq_boost_trigger_state(int state)
40672 return 0;
40673
40674 write_lock_irqsave(&cpufreq_driver_lock, flags);
40675- cpufreq_driver->boost_enabled = state;
40676+ pax_open_kernel();
40677+ *(bool *)&cpufreq_driver->boost_enabled = state;
40678+ pax_close_kernel();
40679 write_unlock_irqrestore(&cpufreq_driver_lock, flags);
40680
40681 ret = cpufreq_driver->set_boost(state);
40682 if (ret) {
40683 write_lock_irqsave(&cpufreq_driver_lock, flags);
40684- cpufreq_driver->boost_enabled = !state;
40685+ pax_open_kernel();
40686+ *(bool *)&cpufreq_driver->boost_enabled = !state;
40687+ pax_close_kernel();
40688 write_unlock_irqrestore(&cpufreq_driver_lock, flags);
40689
40690 pr_err("%s: Cannot %s BOOST\n",
40691@@ -2523,16 +2527,22 @@ int cpufreq_register_driver(struct cpufreq_driver *driver_data)
40692 cpufreq_driver = driver_data;
40693 write_unlock_irqrestore(&cpufreq_driver_lock, flags);
40694
40695- if (driver_data->setpolicy)
40696- driver_data->flags |= CPUFREQ_CONST_LOOPS;
40697+ if (driver_data->setpolicy) {
40698+ pax_open_kernel();
40699+ *(u8 *)&driver_data->flags |= CPUFREQ_CONST_LOOPS;
40700+ pax_close_kernel();
40701+ }
40702
40703 if (cpufreq_boost_supported()) {
40704 /*
40705 * Check if driver provides function to enable boost -
40706 * if not, use cpufreq_boost_set_sw as default
40707 */
40708- if (!cpufreq_driver->set_boost)
40709- cpufreq_driver->set_boost = cpufreq_boost_set_sw;
40710+ if (!cpufreq_driver->set_boost) {
40711+ pax_open_kernel();
40712+ *(void **)&cpufreq_driver->set_boost = cpufreq_boost_set_sw;
40713+ pax_close_kernel();
40714+ }
40715
40716 ret = cpufreq_sysfs_create_file(&boost.attr);
40717 if (ret) {
40718diff --git a/drivers/cpufreq/cpufreq_governor.c b/drivers/cpufreq/cpufreq_governor.c
40719index 57a39f8..feb9c73 100644
40720--- a/drivers/cpufreq/cpufreq_governor.c
40721+++ b/drivers/cpufreq/cpufreq_governor.c
40722@@ -378,7 +378,7 @@ static int cpufreq_governor_start(struct cpufreq_policy *policy,
40723 cs_dbs_info->enable = 1;
40724 cs_dbs_info->requested_freq = policy->cur;
40725 } else {
40726- struct od_ops *od_ops = cdata->gov_ops;
40727+ const struct od_ops *od_ops = cdata->gov_ops;
40728 struct od_cpu_dbs_info_s *od_dbs_info = cdata->get_cpu_dbs_info_s(cpu);
40729
40730 od_dbs_info->rate_mult = 1;
40731diff --git a/drivers/cpufreq/cpufreq_governor.h b/drivers/cpufreq/cpufreq_governor.h
40732index 34736f5..da8cf4a 100644
40733--- a/drivers/cpufreq/cpufreq_governor.h
40734+++ b/drivers/cpufreq/cpufreq_governor.h
40735@@ -212,7 +212,7 @@ struct common_dbs_data {
40736 void (*exit)(struct dbs_data *dbs_data, bool notify);
40737
40738 /* Governor specific ops, see below */
40739- void *gov_ops;
40740+ const void *gov_ops;
40741
40742 /*
40743 * Protects governor's data (struct dbs_data and struct common_dbs_data)
40744@@ -234,7 +234,7 @@ struct od_ops {
40745 unsigned int (*powersave_bias_target)(struct cpufreq_policy *policy,
40746 unsigned int freq_next, unsigned int relation);
40747 void (*freq_increase)(struct cpufreq_policy *policy, unsigned int freq);
40748-};
40749+} __no_const;
40750
40751 static inline int delay_for_sampling_rate(unsigned int sampling_rate)
40752 {
40753diff --git a/drivers/cpufreq/cpufreq_ondemand.c b/drivers/cpufreq/cpufreq_ondemand.c
40754index 3c1e10f..02f17af 100644
40755--- a/drivers/cpufreq/cpufreq_ondemand.c
40756+++ b/drivers/cpufreq/cpufreq_ondemand.c
40757@@ -523,7 +523,7 @@ static void od_exit(struct dbs_data *dbs_data, bool notify)
40758
40759 define_get_cpu_dbs_routines(od_cpu_dbs_info);
40760
40761-static struct od_ops od_ops = {
40762+static struct od_ops od_ops __read_only = {
40763 .powersave_bias_init_cpu = ondemand_powersave_bias_init_cpu,
40764 .powersave_bias_target = generic_powersave_bias_target,
40765 .freq_increase = dbs_freq_increase,
40766@@ -579,14 +579,18 @@ void od_register_powersave_bias_handler(unsigned int (*f)
40767 (struct cpufreq_policy *, unsigned int, unsigned int),
40768 unsigned int powersave_bias)
40769 {
40770- od_ops.powersave_bias_target = f;
40771+ pax_open_kernel();
40772+ *(void **)&od_ops.powersave_bias_target = f;
40773+ pax_close_kernel();
40774 od_set_powersave_bias(powersave_bias);
40775 }
40776 EXPORT_SYMBOL_GPL(od_register_powersave_bias_handler);
40777
40778 void od_unregister_powersave_bias_handler(void)
40779 {
40780- od_ops.powersave_bias_target = generic_powersave_bias_target;
40781+ pax_open_kernel();
40782+ *(void **)&od_ops.powersave_bias_target = generic_powersave_bias_target;
40783+ pax_close_kernel();
40784 od_set_powersave_bias(0);
40785 }
40786 EXPORT_SYMBOL_GPL(od_unregister_powersave_bias_handler);
40787diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
40788index fcb929e..e628818 100644
40789--- a/drivers/cpufreq/intel_pstate.c
40790+++ b/drivers/cpufreq/intel_pstate.c
40791@@ -137,10 +137,10 @@ struct pstate_funcs {
40792 struct cpu_defaults {
40793 struct pstate_adjust_policy pid_policy;
40794 struct pstate_funcs funcs;
40795-};
40796+} __do_const;
40797
40798 static struct pstate_adjust_policy pid_params;
40799-static struct pstate_funcs pstate_funcs;
40800+static struct pstate_funcs *pstate_funcs;
40801 static int hwp_active;
40802
40803 struct perf_limits {
40804@@ -726,18 +726,18 @@ static void intel_pstate_set_pstate(struct cpudata *cpu, int pstate, bool force)
40805
40806 cpu->pstate.current_pstate = pstate;
40807
40808- pstate_funcs.set(cpu, pstate);
40809+ pstate_funcs->set(cpu, pstate);
40810 }
40811
40812 static void intel_pstate_get_cpu_pstates(struct cpudata *cpu)
40813 {
40814- cpu->pstate.min_pstate = pstate_funcs.get_min();
40815- cpu->pstate.max_pstate = pstate_funcs.get_max();
40816- cpu->pstate.turbo_pstate = pstate_funcs.get_turbo();
40817- cpu->pstate.scaling = pstate_funcs.get_scaling();
40818+ cpu->pstate.min_pstate = pstate_funcs->get_min();
40819+ cpu->pstate.max_pstate = pstate_funcs->get_max();
40820+ cpu->pstate.turbo_pstate = pstate_funcs->get_turbo();
40821+ cpu->pstate.scaling = pstate_funcs->get_scaling();
40822
40823- if (pstate_funcs.get_vid)
40824- pstate_funcs.get_vid(cpu);
40825+ if (pstate_funcs->get_vid)
40826+ pstate_funcs->get_vid(cpu);
40827 intel_pstate_set_pstate(cpu, cpu->pstate.min_pstate, false);
40828 }
40829
40830@@ -1070,15 +1070,15 @@ static unsigned int force_load;
40831
40832 static int intel_pstate_msrs_not_valid(void)
40833 {
40834- if (!pstate_funcs.get_max() ||
40835- !pstate_funcs.get_min() ||
40836- !pstate_funcs.get_turbo())
40837+ if (!pstate_funcs->get_max() ||
40838+ !pstate_funcs->get_min() ||
40839+ !pstate_funcs->get_turbo())
40840 return -ENODEV;
40841
40842 return 0;
40843 }
40844
40845-static void copy_pid_params(struct pstate_adjust_policy *policy)
40846+static void copy_pid_params(const struct pstate_adjust_policy *policy)
40847 {
40848 pid_params.sample_rate_ms = policy->sample_rate_ms;
40849 pid_params.p_gain_pct = policy->p_gain_pct;
40850@@ -1090,12 +1090,7 @@ static void copy_pid_params(struct pstate_adjust_policy *policy)
40851
40852 static void copy_cpu_funcs(struct pstate_funcs *funcs)
40853 {
40854- pstate_funcs.get_max = funcs->get_max;
40855- pstate_funcs.get_min = funcs->get_min;
40856- pstate_funcs.get_turbo = funcs->get_turbo;
40857- pstate_funcs.get_scaling = funcs->get_scaling;
40858- pstate_funcs.set = funcs->set;
40859- pstate_funcs.get_vid = funcs->get_vid;
40860+ pstate_funcs = funcs;
40861 }
40862
40863 #if IS_ENABLED(CONFIG_ACPI)
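Review bot: `copy_cpu_funcs()` no longer copies: `pstate_funcs = funcs;` keeps the caller's pointer, so the table it points to must stay valid and unmodified for the lifetime of the driver, which nothing here documents or enforces. Taking `const struct pstate_funcs *funcs` and declaring the global as `static const struct pstate_funcs *pstate_funcs;` would match the `const` just added to copy_pid_params and let the compiler reject writes through the pointer. The global pointer itself stays writable and is dereferenced at every call site without a NULL check, so a comment should state that it is set once before any of those callers can run. The function name is now misleading as well.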
40864diff --git a/drivers/cpufreq/p4-clockmod.c b/drivers/cpufreq/p4-clockmod.c
40865index 5dd95da..abc3837 100644
40866--- a/drivers/cpufreq/p4-clockmod.c
40867+++ b/drivers/cpufreq/p4-clockmod.c
40868@@ -134,10 +134,14 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c)
40869 case 0x0F: /* Core Duo */
40870 case 0x16: /* Celeron Core */
40871 case 0x1C: /* Atom */
40872- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40873+ pax_open_kernel();
40874+ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40875+ pax_close_kernel();
40876 return speedstep_get_frequency(SPEEDSTEP_CPU_PCORE);
40877 case 0x0D: /* Pentium M (Dothan) */
40878- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40879+ pax_open_kernel();
40880+ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40881+ pax_close_kernel();
40882 /* fall through */
40883 case 0x09: /* Pentium M (Banias) */
40884 return speedstep_get_frequency(SPEEDSTEP_CPU_PM);
40885@@ -149,7 +153,9 @@ static unsigned int cpufreq_p4_get_frequency(struct cpuinfo_x86 *c)
40886
40887 /* on P-4s, the TSC runs with constant frequency independent whether
40888 * throttling is active or not. */
40889- p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40890+ pax_open_kernel();
40891+ *(u8 *)&p4clockmod_driver.flags |= CPUFREQ_CONST_LOOPS;
40892+ pax_close_kernel();
40893
40894 if (speedstep_detect_processor() == SPEEDSTEP_CPU_P4M) {
40895 printk(KERN_WARNING PFX "Warning: Pentium 4-M detected. "
40896diff --git a/drivers/cpufreq/sparc-us3-cpufreq.c b/drivers/cpufreq/sparc-us3-cpufreq.c
40897index 9bb42ba..b01b4a2 100644
40898--- a/drivers/cpufreq/sparc-us3-cpufreq.c
40899+++ b/drivers/cpufreq/sparc-us3-cpufreq.c
40900@@ -18,14 +18,12 @@
40901 #include <asm/head.h>
40902 #include <asm/timer.h>
40903
40904-static struct cpufreq_driver *cpufreq_us3_driver;
40905-
40906 struct us3_freq_percpu_info {
40907 struct cpufreq_frequency_table table[4];
40908 };
40909
40910 /* Indexed by cpu number. */
40911-static struct us3_freq_percpu_info *us3_freq_table;
40912+static struct us3_freq_percpu_info us3_freq_table[NR_CPUS];
40913
40914 /* UltraSPARC-III has three dividers: 1, 2, and 32. These are controlled
40915 * in the Safari config register.
40916@@ -156,16 +154,27 @@ static int __init us3_freq_cpu_init(struct cpufreq_policy *policy)
40917
40918 static int us3_freq_cpu_exit(struct cpufreq_policy *policy)
40919 {
40920- if (cpufreq_us3_driver)
40921- us3_freq_target(policy, 0);
40922+ us3_freq_target(policy, 0);
40923
40924 return 0;
40925 }
40926
40927+static int __init us3_freq_init(void);
40928+static void __exit us3_freq_exit(void);
40929+
40930+static struct cpufreq_driver cpufreq_us3_driver = {
40931+ .init = us3_freq_cpu_init,
40932+ .verify = cpufreq_generic_frequency_table_verify,
40933+ .target_index = us3_freq_target,
40934+ .get = us3_freq_get,
40935+ .exit = us3_freq_cpu_exit,
40936+ .name = "UltraSPARC-III",
40937+
40938+};
40939+
40940 static int __init us3_freq_init(void)
40941 {
40942 unsigned long manuf, impl, ver;
40943- int ret;
40944
40945 if (tlb_type != cheetah && tlb_type != cheetah_plus)
40946 return -ENODEV;
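Review bot: The two forward declarations `static int __init us3_freq_init(void);` and `static void __exit us3_freq_exit(void);` look unnecessary. The `cpufreq_us3_driver` initializer references neither function, and both are defined further down before anything in the visible code uses them. Dropping the prototypes, and the stray blank line before the closing `};`, leaves the static driver table as the only addition. A short comment on `cpufreq_us3_driver` saying it is statically initialized so it can live in read-only data would explain why the kzalloc()-based setup was removed. The body of us3_freq_init() continues in the next hunk.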
40947@@ -178,55 +187,15 @@ static int __init us3_freq_init(void)
40948 (impl == CHEETAH_IMPL ||
40949 impl == CHEETAH_PLUS_IMPL ||
40950 impl == JAGUAR_IMPL ||
40951- impl == PANTHER_IMPL)) {
40952- struct cpufreq_driver *driver;
40953-
40954- ret = -ENOMEM;
40955- driver = kzalloc(sizeof(*driver), GFP_KERNEL);
40956- if (!driver)
40957- goto err_out;
40958-
40959- us3_freq_table = kzalloc((NR_CPUS * sizeof(*us3_freq_table)),
40960- GFP_KERNEL);
40961- if (!us3_freq_table)
40962- goto err_out;
40963-
40964- driver->init = us3_freq_cpu_init;
40965- driver->verify = cpufreq_generic_frequency_table_verify;
40966- driver->target_index = us3_freq_target;
40967- driver->get = us3_freq_get;
40968- driver->exit = us3_freq_cpu_exit;
40969- strcpy(driver->name, "UltraSPARC-III");
40970-
40971- cpufreq_us3_driver = driver;
40972- ret = cpufreq_register_driver(driver);
40973- if (ret)
40974- goto err_out;
40975-
40976- return 0;
40977-
40978-err_out:
40979- if (driver) {
40980- kfree(driver);
40981- cpufreq_us3_driver = NULL;
40982- }
40983- kfree(us3_freq_table);
40984- us3_freq_table = NULL;
40985- return ret;
40986- }
40987+ impl == PANTHER_IMPL))
40988+ return cpufreq_register_driver(&cpufreq_us3_driver);
40989
40990 return -ENODEV;
40991 }
40992
40993 static void __exit us3_freq_exit(void)
40994 {
40995- if (cpufreq_us3_driver) {
40996- cpufreq_unregister_driver(cpufreq_us3_driver);
40997- kfree(cpufreq_us3_driver);
40998- cpufreq_us3_driver = NULL;
40999- kfree(us3_freq_table);
41000- us3_freq_table = NULL;
41001- }
41002+ cpufreq_unregister_driver(&cpufreq_us3_driver);
41003 }
41004
41005 MODULE_AUTHOR("David S. Miller <davem@redhat.com>");
41006diff --git a/drivers/cpufreq/speedstep-centrino.c b/drivers/cpufreq/speedstep-centrino.c
41007index 7d4a315..21bb886 100644
41008--- a/drivers/cpufreq/speedstep-centrino.c
41009+++ b/drivers/cpufreq/speedstep-centrino.c
41010@@ -351,8 +351,11 @@ static int centrino_cpu_init(struct cpufreq_policy *policy)
41011 !cpu_has(cpu, X86_FEATURE_EST))
41012 return -ENODEV;
41013
41014- if (cpu_has(cpu, X86_FEATURE_CONSTANT_TSC))
41015- centrino_driver.flags |= CPUFREQ_CONST_LOOPS;
41016+ if (cpu_has(cpu, X86_FEATURE_CONSTANT_TSC)) {
41017+ pax_open_kernel();
41018+ *(u8 *)&centrino_driver.flags |= CPUFREQ_CONST_LOOPS;
41019+ pax_close_kernel();
41020+ }
41021
41022 if (policy->cpu != 0)
41023 return -ENODEV;
41024diff --git a/drivers/cpuidle/driver.c b/drivers/cpuidle/driver.c
41025index 5db1478..e90e25e 100644
41026--- a/drivers/cpuidle/driver.c
41027+++ b/drivers/cpuidle/driver.c
41028@@ -193,7 +193,7 @@ static int poll_idle(struct cpuidle_device *dev,
41029
41030 static void poll_idle_init(struct cpuidle_driver *drv)
41031 {
41032- struct cpuidle_state *state = &drv->states[0];
41033+ cpuidle_state_no_const *state = &drv->states[0];
41034
41035 snprintf(state->name, CPUIDLE_NAME_LEN, "POLL");
41036 snprintf(state->desc, CPUIDLE_DESC_LEN, "CPUIDLE CORE POLL IDLE");
41037diff --git a/drivers/cpuidle/dt_idle_states.c b/drivers/cpuidle/dt_idle_states.c
41038index a5c111b..1113002 100644
41039--- a/drivers/cpuidle/dt_idle_states.c
41040+++ b/drivers/cpuidle/dt_idle_states.c
41041@@ -21,7 +21,7 @@
41042
41043 #include "dt_idle_states.h"
41044
41045-static int init_state_node(struct cpuidle_state *idle_state,
41046+static int init_state_node(cpuidle_state_no_const *idle_state,
41047 const struct of_device_id *matches,
41048 struct device_node *state_node)
41049 {
41050diff --git a/drivers/cpuidle/governor.c b/drivers/cpuidle/governor.c
41051index fb9f511..213e6cc 100644
41052--- a/drivers/cpuidle/governor.c
41053+++ b/drivers/cpuidle/governor.c
41054@@ -87,7 +87,7 @@ int cpuidle_register_governor(struct cpuidle_governor *gov)
41055 mutex_lock(&cpuidle_lock);
41056 if (__cpuidle_find_governor(gov->name) == NULL) {
41057 ret = 0;
41058- list_add_tail(&gov->governor_list, &cpuidle_governors);
41059+ pax_list_add_tail((struct list_head *)&gov->governor_list, &cpuidle_governors);
41060 if (!cpuidle_curr_governor ||
41061 cpuidle_curr_governor->rating < gov->rating)
41062 cpuidle_switch_governor(gov);
41063diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c
41064index 832a2c3..1794080 100644
41065--- a/drivers/cpuidle/sysfs.c
41066+++ b/drivers/cpuidle/sysfs.c
41067@@ -135,7 +135,7 @@ static struct attribute *cpuidle_switch_attrs[] = {
41068 NULL
41069 };
41070
41071-static struct attribute_group cpuidle_attr_group = {
41072+static attribute_group_no_const cpuidle_attr_group = {
41073 .attrs = cpuidle_default_attrs,
41074 .name = "cpuidle",
41075 };
41076diff --git a/drivers/crypto/hifn_795x.c b/drivers/crypto/hifn_795x.c
41077index 8d2a772..33826c9 100644
41078--- a/drivers/crypto/hifn_795x.c
41079+++ b/drivers/crypto/hifn_795x.c
41080@@ -51,7 +51,7 @@ module_param_string(hifn_pll_ref, hifn_pll_ref, sizeof(hifn_pll_ref), 0444);
41081 MODULE_PARM_DESC(hifn_pll_ref,
41082 "PLL reference clock (pci[freq] or ext[freq], default ext)");
41083
41084-static atomic_t hifn_dev_number;
41085+static atomic_unchecked_t hifn_dev_number;
41086
41087 #define ACRYPTO_OP_DECRYPT 0
41088 #define ACRYPTO_OP_ENCRYPT 1
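Review bot: Nothing at the declaration of `hifn_dev_number` says why it moves to `atomic_unchecked_t`, so a later reader cannot tell a deliberate opt-out of overflow detection from an oversight. In the visible code the counter only feeds the `hifn%d` name in hifn_probe(), which suggests an ID allocator rather than a reference count. A one-line comment would record that: `/* ID counter, not a refcount: overflow checking intentionally off */`. The same undocumented conversion appears in the hifn_probe() hunk, edac_device.c, edac_pci.c, edac_pci_sysfs.c, firewire/core-card.c, efi/cper.c and gpio-vr41xx.c. Each of those should be checked to confirm the value never gates an object's lifetime.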
41089@@ -2577,7 +2577,7 @@ static int hifn_probe(struct pci_dev *pdev, const struct pci_device_id *id)
41090 goto err_out_disable_pci_device;
41091
41092 snprintf(name, sizeof(name), "hifn%d",
41093- atomic_inc_return(&hifn_dev_number)-1);
41094+ atomic_inc_return_unchecked(&hifn_dev_number)-1);
41095
41096 err = pci_request_regions(pdev, name);
41097 if (err)
41098diff --git a/drivers/devfreq/devfreq.c b/drivers/devfreq/devfreq.c
41099index ca1b362..01cae6a 100644
41100--- a/drivers/devfreq/devfreq.c
41101+++ b/drivers/devfreq/devfreq.c
41102@@ -672,7 +672,7 @@ int devfreq_add_governor(struct devfreq_governor *governor)
41103 goto err_out;
41104 }
41105
41106- list_add(&governor->node, &devfreq_governor_list);
41107+ pax_list_add((struct list_head *)&governor->node, &devfreq_governor_list);
41108
41109 list_for_each_entry(devfreq, &devfreq_list, node) {
41110 int ret = 0;
41111@@ -760,7 +760,7 @@ int devfreq_remove_governor(struct devfreq_governor *governor)
41112 }
41113 }
41114
41115- list_del(&governor->node);
41116+ pax_list_del((struct list_head *)&governor->node);
41117 err_out:
41118 mutex_unlock(&devfreq_list_lock);
41119
41120diff --git a/drivers/dma/sh/shdma-base.c b/drivers/dma/sh/shdma-base.c
41121index 10fcaba..326f709 100644
41122--- a/drivers/dma/sh/shdma-base.c
41123+++ b/drivers/dma/sh/shdma-base.c
41124@@ -227,8 +227,8 @@ static int shdma_alloc_chan_resources(struct dma_chan *chan)
41125 schan->slave_id = -EINVAL;
41126 }
41127
41128- schan->desc = kcalloc(NR_DESCS_PER_CHANNEL,
41129- sdev->desc_size, GFP_KERNEL);
41130+ schan->desc = kcalloc(sdev->desc_size,
41131+ NR_DESCS_PER_CHANNEL, GFP_KERNEL);
41132 if (!schan->desc) {
41133 ret = -ENOMEM;
41134 goto edescalloc;
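Review bot: The new call `kcalloc(sdev->desc_size, NR_DESCS_PER_CHANNEL, GFP_KERNEL)` passes the element size first and the count second, the reverse of kcalloc's (n, size, flags) parameter order, and carries no explanation. The product is the same, so the allocation should be unchanged. The swap is presumably there for overflow-checking instrumentation, but that is inferred. Without a comment, the next cleanup pass or a static checker is likely to flag it and swap it back. A comment on the call would prevent that: `/* size/count order is deliberate (overflow instrumentation); do not swap */`. shdma_alloc_chan_resources() starts and ends outside the hunk.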
41135diff --git a/drivers/dma/sh/shdmac.c b/drivers/dma/sh/shdmac.c
41136index 11707df..2ea96f7 100644
41137--- a/drivers/dma/sh/shdmac.c
41138+++ b/drivers/dma/sh/shdmac.c
41139@@ -513,7 +513,7 @@ static int sh_dmae_nmi_handler(struct notifier_block *self,
41140 return ret;
41141 }
41142
41143-static struct notifier_block sh_dmae_nmi_notifier __read_mostly = {
41144+static struct notifier_block sh_dmae_nmi_notifier = {
41145 .notifier_call = sh_dmae_nmi_handler,
41146
41147 /* Run before NMI debug handler and KGDB */
41148diff --git a/drivers/edac/edac_device.c b/drivers/edac/edac_device.c
41149index 592af5f..bb1d583 100644
41150--- a/drivers/edac/edac_device.c
41151+++ b/drivers/edac/edac_device.c
41152@@ -477,9 +477,9 @@ void edac_device_reset_delay_period(struct edac_device_ctl_info *edac_dev,
41153 */
41154 int edac_device_alloc_index(void)
41155 {
41156- static atomic_t device_indexes = ATOMIC_INIT(0);
41157+ static atomic_unchecked_t device_indexes = ATOMIC_INIT(0);
41158
41159- return atomic_inc_return(&device_indexes) - 1;
41160+ return atomic_inc_return_unchecked(&device_indexes) - 1;
41161 }
41162 EXPORT_SYMBOL_GPL(edac_device_alloc_index);
41163
41164diff --git a/drivers/edac/edac_mc_sysfs.c b/drivers/edac/edac_mc_sysfs.c
41165index 33df7d9..0794989 100644
41166--- a/drivers/edac/edac_mc_sysfs.c
41167+++ b/drivers/edac/edac_mc_sysfs.c
41168@@ -154,7 +154,7 @@ static const char * const edac_caps[] = {
41169 struct dev_ch_attribute {
41170 struct device_attribute attr;
41171 int channel;
41172-};
41173+} __do_const;
41174
41175 #define DEVICE_CHANNEL(_name, _mode, _show, _store, _var) \
41176 static struct dev_ch_attribute dev_attr_legacy_##_name = \
41177diff --git a/drivers/edac/edac_pci.c b/drivers/edac/edac_pci.c
41178index 2cf44b4d..6dd2dc7 100644
41179--- a/drivers/edac/edac_pci.c
41180+++ b/drivers/edac/edac_pci.c
41181@@ -29,7 +29,7 @@
41182
41183 static DEFINE_MUTEX(edac_pci_ctls_mutex);
41184 static LIST_HEAD(edac_pci_list);
41185-static atomic_t pci_indexes = ATOMIC_INIT(0);
41186+static atomic_unchecked_t pci_indexes = ATOMIC_INIT(0);
41187
41188 /*
41189 * edac_pci_alloc_ctl_info
41190@@ -315,7 +315,7 @@ EXPORT_SYMBOL_GPL(edac_pci_reset_delay_period);
41191 */
41192 int edac_pci_alloc_index(void)
41193 {
41194- return atomic_inc_return(&pci_indexes) - 1;
41195+ return atomic_inc_return_unchecked(&pci_indexes) - 1;
41196 }
41197 EXPORT_SYMBOL_GPL(edac_pci_alloc_index);
41198
41199diff --git a/drivers/edac/edac_pci_sysfs.c b/drivers/edac/edac_pci_sysfs.c
41200index 24d877f..4e30133 100644
41201--- a/drivers/edac/edac_pci_sysfs.c
41202+++ b/drivers/edac/edac_pci_sysfs.c
41203@@ -23,8 +23,8 @@ static int edac_pci_log_pe = 1; /* log PCI parity errors */
41204 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
41205 static int edac_pci_poll_msec = 1000; /* one second workq period */
41206
41207-static atomic_t pci_parity_count = ATOMIC_INIT(0);
41208-static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
41209+static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
41210+static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
41211
41212 static struct kobject *edac_pci_top_main_kobj;
41213 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
41214@@ -232,7 +232,7 @@ struct edac_pci_dev_attribute {
41215 void *value;
41216 ssize_t(*show) (void *, char *);
41217 ssize_t(*store) (void *, const char *, size_t);
41218-};
41219+} __do_const;
41220
41221 /* Set of show/store abstract level functions for PCI Parity object */
41222 static ssize_t edac_pci_dev_show(struct kobject *kobj, struct attribute *attr,
41223@@ -576,7 +576,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41224 edac_printk(KERN_CRIT, EDAC_PCI,
41225 "Signaled System Error on %s\n",
41226 pci_name(dev));
41227- atomic_inc(&pci_nonparity_count);
41228+ atomic_inc_unchecked(&pci_nonparity_count);
41229 }
41230
41231 if (status & (PCI_STATUS_PARITY)) {
41232@@ -584,7 +584,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41233 "Master Data Parity Error on %s\n",
41234 pci_name(dev));
41235
41236- atomic_inc(&pci_parity_count);
41237+ atomic_inc_unchecked(&pci_parity_count);
41238 }
41239
41240 if (status & (PCI_STATUS_DETECTED_PARITY)) {
41241@@ -592,7 +592,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41242 "Detected Parity Error on %s\n",
41243 pci_name(dev));
41244
41245- atomic_inc(&pci_parity_count);
41246+ atomic_inc_unchecked(&pci_parity_count);
41247 }
41248 }
41249
41250@@ -615,7 +615,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41251 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
41252 "Signaled System Error on %s\n",
41253 pci_name(dev));
41254- atomic_inc(&pci_nonparity_count);
41255+ atomic_inc_unchecked(&pci_nonparity_count);
41256 }
41257
41258 if (status & (PCI_STATUS_PARITY)) {
41259@@ -623,7 +623,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41260 "Master Data Parity Error on "
41261 "%s\n", pci_name(dev));
41262
41263- atomic_inc(&pci_parity_count);
41264+ atomic_inc_unchecked(&pci_parity_count);
41265 }
41266
41267 if (status & (PCI_STATUS_DETECTED_PARITY)) {
41268@@ -631,7 +631,7 @@ static void edac_pci_dev_parity_test(struct pci_dev *dev)
41269 "Detected Parity Error on %s\n",
41270 pci_name(dev));
41271
41272- atomic_inc(&pci_parity_count);
41273+ atomic_inc_unchecked(&pci_parity_count);
41274 }
41275 }
41276 }
41277@@ -669,7 +669,7 @@ void edac_pci_do_parity_check(void)
41278 if (!check_pci_errors)
41279 return;
41280
41281- before_count = atomic_read(&pci_parity_count);
41282+ before_count = atomic_read_unchecked(&pci_parity_count);
41283
41284 /* scan all PCI devices looking for a Parity Error on devices and
41285 * bridges.
41286@@ -681,7 +681,7 @@ void edac_pci_do_parity_check(void)
41287 /* Only if operator has selected panic on PCI Error */
41288 if (edac_pci_get_panic_on_pe()) {
41289 /* If the count is different 'after' from 'before' */
41290- if (before_count != atomic_read(&pci_parity_count))
41291+ if (before_count != atomic_read_unchecked(&pci_parity_count))
41292 panic("EDAC: PCI Parity Error");
41293 }
41294 }
41295diff --git a/drivers/edac/mce_amd.h b/drivers/edac/mce_amd.h
41296index c2359a1..8bd119d 100644
41297--- a/drivers/edac/mce_amd.h
41298+++ b/drivers/edac/mce_amd.h
41299@@ -74,7 +74,7 @@ struct amd_decoder_ops {
41300 bool (*mc0_mce)(u16, u8);
41301 bool (*mc1_mce)(u16, u8);
41302 bool (*mc2_mce)(u16, u8);
41303-};
41304+} __no_const;
41305
41306 void amd_report_gart_errors(bool);
41307 void amd_register_ecc_decoder(void (*f)(int, struct mce *));
41308diff --git a/drivers/firewire/core-card.c b/drivers/firewire/core-card.c
41309index 57ea7f4..af06b76 100644
41310--- a/drivers/firewire/core-card.c
41311+++ b/drivers/firewire/core-card.c
41312@@ -528,9 +528,9 @@ void fw_card_initialize(struct fw_card *card,
41313 const struct fw_card_driver *driver,
41314 struct device *device)
41315 {
41316- static atomic_t index = ATOMIC_INIT(-1);
41317+ static atomic_unchecked_t index = ATOMIC_INIT(-1);
41318
41319- card->index = atomic_inc_return(&index);
41320+ card->index = atomic_inc_return_unchecked(&index);
41321 card->driver = driver;
41322 card->device = device;
41323 card->current_tlabel = 0;
41324@@ -680,7 +680,7 @@ EXPORT_SYMBOL_GPL(fw_card_release);
41325
41326 void fw_core_remove_card(struct fw_card *card)
41327 {
41328- struct fw_card_driver dummy_driver = dummy_driver_template;
41329+ fw_card_driver_no_const dummy_driver = dummy_driver_template;
41330
41331 card->driver->update_phy_reg(card, 4,
41332 PHY_LINK_ACTIVE | PHY_CONTENDER, 0);
41333diff --git a/drivers/firewire/core-device.c b/drivers/firewire/core-device.c
41334index f9e3aee..269dbdb 100644
41335--- a/drivers/firewire/core-device.c
41336+++ b/drivers/firewire/core-device.c
41337@@ -256,7 +256,7 @@ EXPORT_SYMBOL(fw_device_enable_phys_dma);
41338 struct config_rom_attribute {
41339 struct device_attribute attr;
41340 u32 key;
41341-};
41342+} __do_const;
41343
41344 static ssize_t show_immediate(struct device *dev,
41345 struct device_attribute *dattr, char *buf)
41346diff --git a/drivers/firewire/core-transaction.c b/drivers/firewire/core-transaction.c
41347index d6a09b9..18e90dd 100644
41348--- a/drivers/firewire/core-transaction.c
41349+++ b/drivers/firewire/core-transaction.c
41350@@ -38,6 +38,7 @@
41351 #include <linux/timer.h>
41352 #include <linux/types.h>
41353 #include <linux/workqueue.h>
41354+#include <linux/sched.h>
41355
41356 #include <asm/byteorder.h>
41357
41358diff --git a/drivers/firewire/core.h b/drivers/firewire/core.h
41359index e1480ff6..1a429bd 100644
41360--- a/drivers/firewire/core.h
41361+++ b/drivers/firewire/core.h
41362@@ -111,6 +111,7 @@ struct fw_card_driver {
41363
41364 int (*stop_iso)(struct fw_iso_context *ctx);
41365 };
41366+typedef struct fw_card_driver __no_const fw_card_driver_no_const;
41367
41368 void fw_card_initialize(struct fw_card *card,
41369 const struct fw_card_driver *driver, struct device *device);
41370diff --git a/drivers/firewire/ohci.c b/drivers/firewire/ohci.c
41371index f51d376..b118e40 100644
41372--- a/drivers/firewire/ohci.c
41373+++ b/drivers/firewire/ohci.c
41374@@ -2049,10 +2049,12 @@ static void bus_reset_work(struct work_struct *work)
41375 be32_to_cpu(ohci->next_header));
41376 }
41377
41378+#ifndef CONFIG_GRKERNSEC
41379 if (param_remote_dma) {
41380 reg_write(ohci, OHCI1394_PhyReqFilterHiSet, ~0);
41381 reg_write(ohci, OHCI1394_PhyReqFilterLoSet, ~0);
41382 }
41383+#endif
41384
41385 spin_unlock_irq(&ohci->lock);
41386
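Review bot: With CONFIG_GRKERNSEC set, `param_remote_dma` is ignored here and in the ohci_enable_phys_dma() hunk below without any message, so an administrator who sets it gets no sign that the request was dropped. Compiling out the block that sets both PhyReqFilter registers to `~0` is the safer default, since that setting accepts physical requests from every node on the bus. The override should still be visible, for example a single `pr_notice_once("firewire_ohci: remote DMA request ignored (CONFIG_GRKERNSEC)\n");` at probe time rather than under `ohci->lock` on every bus reset. A comment at each `#ifndef` saying why the parameter is disabled would also help anyone diffing against mainline. Both functions continue outside their hunks.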
41387@@ -2584,8 +2586,10 @@ static int ohci_enable_phys_dma(struct fw_card *card,
41388 unsigned long flags;
41389 int n, ret = 0;
41390
41391+#ifndef CONFIG_GRKERNSEC
41392 if (param_remote_dma)
41393 return 0;
41394+#endif
41395
41396 /*
41397 * FIXME: Make sure this bitmask is cleared when we clear the busReset
41398diff --git a/drivers/firmware/dmi-id.c b/drivers/firmware/dmi-id.c
41399index 94a58a0..f5eba42 100644
41400--- a/drivers/firmware/dmi-id.c
41401+++ b/drivers/firmware/dmi-id.c
41402@@ -16,7 +16,7 @@
41403 struct dmi_device_attribute{
41404 struct device_attribute dev_attr;
41405 int field;
41406-};
41407+} __do_const;
41408 #define to_dmi_dev_attr(_dev_attr) \
41409 container_of(_dev_attr, struct dmi_device_attribute, dev_attr)
41410
41411diff --git a/drivers/firmware/dmi_scan.c b/drivers/firmware/dmi_scan.c
41412index ac1ce4a..321745e 100644
41413--- a/drivers/firmware/dmi_scan.c
41414+++ b/drivers/firmware/dmi_scan.c
41415@@ -690,14 +690,18 @@ static int __init dmi_init(void)
41416 if (!dmi_table)
41417 goto err_tables;
41418
41419- bin_attr_smbios_entry_point.size = smbios_entry_point_size;
41420- bin_attr_smbios_entry_point.private = smbios_entry_point;
41421+ pax_open_kernel();
41422+ *(size_t *)&bin_attr_smbios_entry_point.size = smbios_entry_point_size;
41423+ *(void **)&bin_attr_smbios_entry_point.private = smbios_entry_point;
41424+ pax_close_kernel();
41425 ret = sysfs_create_bin_file(tables_kobj, &bin_attr_smbios_entry_point);
41426 if (ret)
41427 goto err_unmap;
41428
41429- bin_attr_DMI.size = dmi_len;
41430- bin_attr_DMI.private = dmi_table;
41431+ pax_open_kernel();
41432+ *(size_t *)&bin_attr_DMI.size = dmi_len;
41433+ *(void **)&bin_attr_DMI.private = dmi_table;
41434+ pax_close_kernel();
41435 ret = sysfs_create_bin_file(tables_kobj, &bin_attr_DMI);
41436 if (!ret)
41437 return 0;
41438diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
41439index d425374..1da1716 100644
41440--- a/drivers/firmware/efi/cper.c
41441+++ b/drivers/firmware/efi/cper.c
41442@@ -44,12 +44,12 @@ static char rcd_decode_str[CPER_REC_LEN];
41443 */
41444 u64 cper_next_record_id(void)
41445 {
41446- static atomic64_t seq;
41447+ static atomic64_unchecked_t seq;
41448
41449- if (!atomic64_read(&seq))
41450- atomic64_set(&seq, ((u64)get_seconds()) << 32);
41451+ if (!atomic64_read_unchecked(&seq))
41452+ atomic64_set_unchecked(&seq, ((u64)get_seconds()) << 32);
41453
41454- return atomic64_inc_return(&seq);
41455+ return atomic64_inc_return_unchecked(&seq);
41456 }
41457 EXPORT_SYMBOL_GPL(cper_next_record_id);
41458
41459diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
41460index d6144e3..23f9686 100644
41461--- a/drivers/firmware/efi/efi.c
41462+++ b/drivers/firmware/efi/efi.c
41463@@ -170,14 +170,16 @@ static struct attribute_group efi_subsys_attr_group = {
41464 };
41465
41466 static struct efivars generic_efivars;
41467-static struct efivar_operations generic_ops;
41468+static efivar_operations_no_const generic_ops __read_only;
41469
41470 static int generic_ops_register(void)
41471 {
41472- generic_ops.get_variable = efi.get_variable;
41473- generic_ops.set_variable = efi.set_variable;
41474- generic_ops.get_next_variable = efi.get_next_variable;
41475- generic_ops.query_variable_store = efi_query_variable_store;
41476+ pax_open_kernel();
41477+ *(void **)&generic_ops.get_variable = efi.get_variable;
41478+ *(void **)&generic_ops.set_variable = efi.set_variable;
41479+ *(void **)&generic_ops.get_next_variable = efi.get_next_variable;
41480+ *(void **)&generic_ops.query_variable_store = efi_query_variable_store;
41481+ pax_close_kernel();
41482
41483 return efivars_register(&generic_efivars, &generic_ops, efi_kobj);
41484 }
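Review bot: The four `*(void **)&generic_ops.<member> = ...;` stores drop the compiler's check that each assigned function matches the member's prototype. A later signature change in `efi.get_variable` or `efi_query_variable_store` would then compile cleanly and fail only at call time. If `efivar_operations_no_const` leaves the members non-const, as its name suggests, plain assignments such as `generic_ops.get_variable = efi.get_variable;` should still compile between pax_open_kernel() and pax_close_kernel() and keep the type checking. Where a cast is needed to remove const, as it may be in the two gpiolib.c hunks that use the same `void **` pattern, casting to the member's own function-pointer type keeps the check. A comment noting that `generic_ops` is `__read_only` and written only in this window would make the protection explicit.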
41485diff --git a/drivers/firmware/efi/efivars.c b/drivers/firmware/efi/efivars.c
41486index 756eca8..2336d08 100644
41487--- a/drivers/firmware/efi/efivars.c
41488+++ b/drivers/firmware/efi/efivars.c
41489@@ -590,7 +590,7 @@ efivar_create_sysfs_entry(struct efivar_entry *new_var)
41490 static int
41491 create_efivars_bin_attributes(void)
41492 {
41493- struct bin_attribute *attr;
41494+ bin_attribute_no_const *attr;
41495 int error;
41496
41497 /* new_var */
41498diff --git a/drivers/firmware/efi/runtime-map.c b/drivers/firmware/efi/runtime-map.c
41499index 5c55227..97f4978 100644
41500--- a/drivers/firmware/efi/runtime-map.c
41501+++ b/drivers/firmware/efi/runtime-map.c
41502@@ -97,7 +97,7 @@ static void map_release(struct kobject *kobj)
41503 kfree(entry);
41504 }
41505
41506-static struct kobj_type __refdata map_ktype = {
41507+static const struct kobj_type __refconst map_ktype = {
41508 .sysfs_ops = &map_attr_ops,
41509 .default_attrs = def_attrs,
41510 .release = map_release,
41511diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c
41512index f1ab05e..ab51228 100644
41513--- a/drivers/firmware/google/gsmi.c
41514+++ b/drivers/firmware/google/gsmi.c
41515@@ -709,7 +709,7 @@ static u32 __init hash_oem_table_id(char s[8])
41516 return local_hash_64(input, 32);
41517 }
41518
41519-static struct dmi_system_id gsmi_dmi_table[] __initdata = {
41520+static const struct dmi_system_id gsmi_dmi_table[] __initconst = {
41521 {
41522 .ident = "Google Board",
41523 .matches = {
41524diff --git a/drivers/firmware/google/memconsole.c b/drivers/firmware/google/memconsole.c
41525index 2f569aa..26e4f39 100644
41526--- a/drivers/firmware/google/memconsole.c
41527+++ b/drivers/firmware/google/memconsole.c
41528@@ -136,7 +136,7 @@ static bool __init found_memconsole(void)
41529 return false;
41530 }
41531
41532-static struct dmi_system_id memconsole_dmi_table[] __initdata = {
41533+static const struct dmi_system_id memconsole_dmi_table[] __initconst = {
41534 {
41535 .ident = "Google Board",
41536 .matches = {
41537@@ -155,7 +155,10 @@ static int __init memconsole_init(void)
41538 if (!found_memconsole())
41539 return -ENODEV;
41540
41541- memconsole_bin_attr.size = memconsole_length;
41542+ pax_open_kernel();
41543+ *(size_t *)&memconsole_bin_attr.size = memconsole_length;
41544+ pax_close_kernel();
41545+
41546 return sysfs_create_bin_file(firmware_kobj, &memconsole_bin_attr);
41547 }
41548
41549diff --git a/drivers/firmware/memmap.c b/drivers/firmware/memmap.c
41550index 5de3ed2..d839c56 100644
41551--- a/drivers/firmware/memmap.c
41552+++ b/drivers/firmware/memmap.c
41553@@ -124,7 +124,7 @@ static void __meminit release_firmware_map_entry(struct kobject *kobj)
41554 kfree(entry);
41555 }
41556
41557-static struct kobj_type __refdata memmap_ktype = {
41558+static const struct kobj_type __refconst memmap_ktype = {
41559 .release = release_firmware_map_entry,
41560 .sysfs_ops = &memmap_attr_ops,
41561 .default_attrs = def_attrs,
41562diff --git a/drivers/gpio/gpio-davinci.c b/drivers/gpio/gpio-davinci.c
41563index c246ac3..6867ca6 100644
41564--- a/drivers/gpio/gpio-davinci.c
41565+++ b/drivers/gpio/gpio-davinci.c
41566@@ -442,9 +442,9 @@ static struct irq_chip *davinci_gpio_get_irq_chip(unsigned int irq)
41567 return &gpio_unbanked.chip;
41568 };
41569
41570-static struct irq_chip *keystone_gpio_get_irq_chip(unsigned int irq)
41571+static irq_chip_no_const *keystone_gpio_get_irq_chip(unsigned int irq)
41572 {
41573- static struct irq_chip gpio_unbanked;
41574+ static irq_chip_no_const gpio_unbanked;
41575
41576 gpio_unbanked = *irq_get_chip(irq);
41577 return &gpio_unbanked;
41578@@ -474,7 +474,7 @@ static int davinci_gpio_irq_setup(struct platform_device *pdev)
41579 struct davinci_gpio_regs __iomem *g;
41580 struct irq_domain *irq_domain = NULL;
41581 const struct of_device_id *match;
41582- struct irq_chip *irq_chip;
41583+ irq_chip_no_const *irq_chip;
41584 gpio_get_irq_chip_cb_t gpio_get_irq_chip;
41585
41586 /*
41587diff --git a/drivers/gpio/gpio-em.c b/drivers/gpio/gpio-em.c
41588index fbf2873..0a37114 100644
41589--- a/drivers/gpio/gpio-em.c
41590+++ b/drivers/gpio/gpio-em.c
41591@@ -278,7 +278,7 @@ static int em_gio_probe(struct platform_device *pdev)
41592 struct em_gio_priv *p;
41593 struct resource *io[2], *irq[2];
41594 struct gpio_chip *gpio_chip;
41595- struct irq_chip *irq_chip;
41596+ irq_chip_no_const *irq_chip;
41597 const char *name = dev_name(&pdev->dev);
41598 int ret;
41599
41600diff --git a/drivers/gpio/gpio-ich.c b/drivers/gpio/gpio-ich.c
41601index 4ba7ed5..1536b5d 100644
41602--- a/drivers/gpio/gpio-ich.c
41603+++ b/drivers/gpio/gpio-ich.c
41604@@ -94,7 +94,7 @@ struct ichx_desc {
41605 * this option allows driver caching written output values
41606 */
41607 bool use_outlvl_cache;
41608-};
41609+} __do_const;
41610
41611 static struct {
41612 spinlock_t lock;
41613diff --git a/drivers/gpio/gpio-omap.c b/drivers/gpio/gpio-omap.c
41614index 61a731f..d5ca6cb 100644
41615--- a/drivers/gpio/gpio-omap.c
41616+++ b/drivers/gpio/gpio-omap.c
41617@@ -1067,7 +1067,7 @@ static void omap_gpio_mod_init(struct gpio_bank *bank)
41618 dev_err(bank->dev, "Could not get gpio dbck\n");
41619 }
41620
41621-static int omap_gpio_chip_init(struct gpio_bank *bank, struct irq_chip *irqc)
41622+static int omap_gpio_chip_init(struct gpio_bank *bank, irq_chip_no_const *irqc)
41623 {
41624 static int gpio;
41625 int irq_base = 0;
41626@@ -1150,7 +1150,7 @@ static int omap_gpio_probe(struct platform_device *pdev)
41627 const struct omap_gpio_platform_data *pdata;
41628 struct resource *res;
41629 struct gpio_bank *bank;
41630- struct irq_chip *irqc;
41631+ irq_chip_no_const *irqc;
41632 int ret;
41633
41634 match = of_match_device(of_match_ptr(omap_gpio_match), dev);
41635diff --git a/drivers/gpio/gpio-rcar.c b/drivers/gpio/gpio-rcar.c
41636index 1e14a6c..0442450 100644
41637--- a/drivers/gpio/gpio-rcar.c
41638+++ b/drivers/gpio/gpio-rcar.c
41639@@ -379,7 +379,7 @@ static int gpio_rcar_probe(struct platform_device *pdev)
41640 struct gpio_rcar_priv *p;
41641 struct resource *io, *irq;
41642 struct gpio_chip *gpio_chip;
41643- struct irq_chip *irq_chip;
41644+ irq_chip_no_const *irq_chip;
41645 struct device *dev = &pdev->dev;
41646 const char *name = dev_name(dev);
41647 int ret;
41648diff --git a/drivers/gpio/gpio-vr41xx.c b/drivers/gpio/gpio-vr41xx.c
41649index c1caa45..f0f97d2 100644
41650--- a/drivers/gpio/gpio-vr41xx.c
41651+++ b/drivers/gpio/gpio-vr41xx.c
41652@@ -224,7 +224,7 @@ static int giu_get_irq(unsigned int irq)
41653 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
41654 maskl, pendl, maskh, pendh);
41655
41656- atomic_inc(&irq_err_count);
41657+ atomic_inc_unchecked(&irq_err_count);
41658
41659 return -EINVAL;
41660 }
41661diff --git a/drivers/gpio/gpiolib.c b/drivers/gpio/gpiolib.c
41662index bf4bd1d..51154a3 100644
41663--- a/drivers/gpio/gpiolib.c
41664+++ b/drivers/gpio/gpiolib.c
41665@@ -569,8 +569,10 @@ static void gpiochip_irqchip_remove(struct gpio_chip *gpiochip)
41666 }
41667
41668 if (gpiochip->irqchip) {
41669- gpiochip->irqchip->irq_request_resources = NULL;
41670- gpiochip->irqchip->irq_release_resources = NULL;
41671+ pax_open_kernel();
41672+ *(void **)&gpiochip->irqchip->irq_request_resources = NULL;
41673+ *(void **)&gpiochip->irqchip->irq_release_resources = NULL;
41674+ pax_close_kernel();
41675 gpiochip->irqchip = NULL;
41676 }
41677 }
41678@@ -636,8 +638,11 @@ int gpiochip_irqchip_add(struct gpio_chip *gpiochip,
41679 gpiochip->irqchip = NULL;
41680 return -EINVAL;
41681 }
41682- irqchip->irq_request_resources = gpiochip_irq_reqres;
41683- irqchip->irq_release_resources = gpiochip_irq_relres;
41684+
41685+ pax_open_kernel();
41686+ *(void **)&irqchip->irq_request_resources = gpiochip_irq_reqres;
41687+ *(void **)&irqchip->irq_release_resources = gpiochip_irq_relres;
41688+ pax_close_kernel();
41689
41690 /*
41691 * Prepare the mapping since the irqchip shall be orthogonal to
41692diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
41693index 99f158e..20b6c4c 100644
41694--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
41695+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_device.c
41696@@ -1071,7 +1071,7 @@ static bool amdgpu_switcheroo_can_switch(struct pci_dev *pdev)
41697 * locking inversion with the driver load path. And the access here is
41698 * completely racy anyway. So don't bother with locking for now.
41699 */
41700- return dev->open_count == 0;
41701+ return local_read(&dev->open_count) == 0;
41702 }
41703
41704 static const struct vga_switcheroo_client_ops amdgpu_switcheroo_ops = {
41705diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
41706index c991973..8eb176b 100644
41707--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
41708+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
41709@@ -419,7 +419,7 @@ static int kfd_ioctl_set_memory_policy(struct file *filep,
41710 (args->alternate_policy == KFD_IOC_CACHE_POLICY_COHERENT)
41711 ? cache_policy_coherent : cache_policy_noncoherent;
41712
41713- if (!dev->dqm->ops.set_cache_memory_policy(dev->dqm,
41714+ if (!dev->dqm->ops->set_cache_memory_policy(dev->dqm,
41715 &pdd->qpd,
41716 default_policy,
41717 alternate_policy,
41718diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
41719index 75312c8..e3684e6 100644
41720--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
41721+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
41722@@ -293,7 +293,7 @@ bool kgd2kfd_device_init(struct kfd_dev *kfd,
41723 goto device_queue_manager_error;
41724 }
41725
41726- if (kfd->dqm->ops.start(kfd->dqm) != 0) {
41727+ if (kfd->dqm->ops->start(kfd->dqm) != 0) {
41728 dev_err(kfd_device,
41729 "Error starting queuen manager for device (%x:%x)\n",
41730 kfd->pdev->vendor, kfd->pdev->device);
41731@@ -349,7 +349,7 @@ void kgd2kfd_suspend(struct kfd_dev *kfd)
41732 BUG_ON(kfd == NULL);
41733
41734 if (kfd->init_complete) {
41735- kfd->dqm->ops.stop(kfd->dqm);
41736+ kfd->dqm->ops->stop(kfd->dqm);
41737 amd_iommu_set_invalidate_ctx_cb(kfd->pdev, NULL);
41738 amd_iommu_set_invalid_ppr_cb(kfd->pdev, NULL);
41739 amd_iommu_free_device(kfd->pdev);
41740@@ -372,7 +372,7 @@ int kgd2kfd_resume(struct kfd_dev *kfd)
41741 amd_iommu_set_invalidate_ctx_cb(kfd->pdev,
41742 iommu_pasid_shutdown_callback);
41743 amd_iommu_set_invalid_ppr_cb(kfd->pdev, iommu_invalid_ppr_cb);
41744- kfd->dqm->ops.start(kfd->dqm);
41745+ kfd->dqm->ops->start(kfd->dqm);
41746 }
41747
41748 return 0;
41749diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
41750index 4bb7f42..320fcac 100644
41751--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
41752+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
41753@@ -242,7 +242,7 @@ static int create_compute_queue_nocpsch(struct device_queue_manager *dqm,
41754
41755 BUG_ON(!dqm || !q || !qpd);
41756
41757- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41758+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41759 if (mqd == NULL)
41760 return -ENOMEM;
41761
41762@@ -288,14 +288,14 @@ static int destroy_queue_nocpsch(struct device_queue_manager *dqm,
41763 mutex_lock(&dqm->lock);
41764
41765 if (q->properties.type == KFD_QUEUE_TYPE_COMPUTE) {
41766- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41767+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41768 if (mqd == NULL) {
41769 retval = -ENOMEM;
41770 goto out;
41771 }
41772 deallocate_hqd(dqm, q);
41773 } else if (q->properties.type == KFD_QUEUE_TYPE_SDMA) {
41774- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41775+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41776 if (mqd == NULL) {
41777 retval = -ENOMEM;
41778 goto out;
41779@@ -347,7 +347,7 @@ static int update_queue(struct device_queue_manager *dqm, struct queue *q)
41780 BUG_ON(!dqm || !q || !q->mqd);
41781
41782 mutex_lock(&dqm->lock);
41783- mqd = dqm->ops.get_mqd_manager(dqm,
41784+ mqd = dqm->ops->get_mqd_manager(dqm,
41785 get_mqd_type_from_queue_type(q->properties.type));
41786 if (mqd == NULL) {
41787 mutex_unlock(&dqm->lock);
41788@@ -414,7 +414,7 @@ static int register_process_nocpsch(struct device_queue_manager *dqm,
41789 mutex_lock(&dqm->lock);
41790 list_add(&n->list, &dqm->queues);
41791
41792- retval = dqm->ops_asic_specific.register_process(dqm, qpd);
41793+ retval = dqm->ops_asic_specific->register_process(dqm, qpd);
41794
41795 dqm->processes_count++;
41796
41797@@ -502,7 +502,7 @@ int init_pipelines(struct device_queue_manager *dqm,
41798
41799 memset(hpdptr, 0, CIK_HPD_EOP_BYTES * pipes_num);
41800
41801- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41802+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_COMPUTE);
41803 if (mqd == NULL) {
41804 kfd_gtt_sa_free(dqm->dev, dqm->pipeline_mem);
41805 return -ENOMEM;
41806@@ -635,7 +635,7 @@ static int create_sdma_queue_nocpsch(struct device_queue_manager *dqm,
41807 struct mqd_manager *mqd;
41808 int retval;
41809
41810- mqd = dqm->ops.get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41811+ mqd = dqm->ops->get_mqd_manager(dqm, KFD_MQD_TYPE_SDMA);
41812 if (!mqd)
41813 return -ENOMEM;
41814
41815@@ -650,7 +650,7 @@ static int create_sdma_queue_nocpsch(struct device_queue_manager *dqm,
41816 pr_debug(" sdma queue id: %d\n", q->properties.sdma_queue_id);
41817 pr_debug(" sdma engine id: %d\n", q->properties.sdma_engine_id);
41818
41819- dqm->ops_asic_specific.init_sdma_vm(dqm, q, qpd);
41820+ dqm->ops_asic_specific->init_sdma_vm(dqm, q, qpd);
41821 retval = mqd->init_mqd(mqd, &q->mqd, &q->mqd_mem_obj,
41822 &q->gart_mqd_addr, &q->properties);
41823 if (retval != 0) {
41824@@ -712,7 +712,7 @@ static int initialize_cpsch(struct device_queue_manager *dqm)
41825 dqm->queue_count = dqm->processes_count = 0;
41826 dqm->sdma_queue_count = 0;
41827 dqm->active_runlist = false;
41828- retval = dqm->ops_asic_specific.initialize(dqm);
41829+ retval = dqm->ops_asic_specific->initialize(dqm);
41830 if (retval != 0)
41831 goto fail_init_pipelines;
41832
41833@@ -879,7 +879,7 @@ static int create_queue_cpsch(struct device_queue_manager *dqm, struct queue *q,
41834 if (q->properties.type == KFD_QUEUE_TYPE_SDMA)
41835 select_sdma_engine_id(q);
41836
41837- mqd = dqm->ops.get_mqd_manager(dqm,
41838+ mqd = dqm->ops->get_mqd_manager(dqm,
41839 get_mqd_type_from_queue_type(q->properties.type));
41840
41841 if (mqd == NULL) {
41842@@ -887,7 +887,7 @@ static int create_queue_cpsch(struct device_queue_manager *dqm, struct queue *q,
41843 return -ENOMEM;
41844 }
41845
41846- dqm->ops_asic_specific.init_sdma_vm(dqm, q, qpd);
41847+ dqm->ops_asic_specific->init_sdma_vm(dqm, q, qpd);
41848 retval = mqd->init_mqd(mqd, &q->mqd, &q->mqd_mem_obj,
41849 &q->gart_mqd_addr, &q->properties);
41850 if (retval != 0)
41851@@ -1060,7 +1060,7 @@ static int destroy_queue_cpsch(struct device_queue_manager *dqm,
41852
41853 }
41854
41855- mqd = dqm->ops.get_mqd_manager(dqm,
41856+ mqd = dqm->ops->get_mqd_manager(dqm,
41857 get_mqd_type_from_queue_type(q->properties.type));
41858 if (!mqd) {
41859 retval = -ENOMEM;
41860@@ -1149,7 +1149,7 @@ static bool set_cache_memory_policy(struct device_queue_manager *dqm,
41861 qpd->sh_mem_ape1_limit = limit >> 16;
41862 }
41863
41864- retval = dqm->ops_asic_specific.set_cache_memory_policy(
41865+ retval = dqm->ops_asic_specific->set_cache_memory_policy(
41866 dqm,
41867 qpd,
41868 default_policy,
41869@@ -1172,6 +1172,36 @@ out:
41870 return false;
41871 }
41872
41873+static const struct device_queue_manager_ops cp_dqm_ops = {
41874+ .create_queue = create_queue_cpsch,
41875+ .initialize = initialize_cpsch,
41876+ .start = start_cpsch,
41877+ .stop = stop_cpsch,
41878+ .destroy_queue = destroy_queue_cpsch,
41879+ .update_queue = update_queue,
41880+ .get_mqd_manager = get_mqd_manager_nocpsch,
41881+ .register_process = register_process_nocpsch,
41882+ .unregister_process = unregister_process_nocpsch,
41883+ .uninitialize = uninitialize_nocpsch,
41884+ .create_kernel_queue = create_kernel_queue_cpsch,
41885+ .destroy_kernel_queue = destroy_kernel_queue_cpsch,
41886+ .set_cache_memory_policy = set_cache_memory_policy,
41887+};
41888+
41889+static const struct device_queue_manager_ops no_cp_dqm_ops = {
41890+ .start = start_nocpsch,
41891+ .stop = stop_nocpsch,
41892+ .create_queue = create_queue_nocpsch,
41893+ .destroy_queue = destroy_queue_nocpsch,
41894+ .update_queue = update_queue,
41895+ .get_mqd_manager = get_mqd_manager_nocpsch,
41896+ .register_process = register_process_nocpsch,
41897+ .unregister_process = unregister_process_nocpsch,
41898+ .initialize = initialize_nocpsch,
41899+ .uninitialize = uninitialize_nocpsch,
41900+ .set_cache_memory_policy = set_cache_memory_policy,
41901+};
41902+
41903 struct device_queue_manager *device_queue_manager_init(struct kfd_dev *dev)
41904 {
41905 struct device_queue_manager *dqm;
41906@@ -1189,33 +1219,11 @@ struct device_queue_manager *device_queue_manager_init(struct kfd_dev *dev)
41907 case KFD_SCHED_POLICY_HWS:
41908 case KFD_SCHED_POLICY_HWS_NO_OVERSUBSCRIPTION:
41909 /* initialize dqm for cp scheduling */
41910- dqm->ops.create_queue = create_queue_cpsch;
41911- dqm->ops.initialize = initialize_cpsch;
41912- dqm->ops.start = start_cpsch;
41913- dqm->ops.stop = stop_cpsch;
41914- dqm->ops.destroy_queue = destroy_queue_cpsch;
41915- dqm->ops.update_queue = update_queue;
41916- dqm->ops.get_mqd_manager = get_mqd_manager_nocpsch;
41917- dqm->ops.register_process = register_process_nocpsch;
41918- dqm->ops.unregister_process = unregister_process_nocpsch;
41919- dqm->ops.uninitialize = uninitialize_nocpsch;
41920- dqm->ops.create_kernel_queue = create_kernel_queue_cpsch;
41921- dqm->ops.destroy_kernel_queue = destroy_kernel_queue_cpsch;
41922- dqm->ops.set_cache_memory_policy = set_cache_memory_policy;
41923+ dqm->ops = &cp_dqm_ops;
41924 break;
41925 case KFD_SCHED_POLICY_NO_HWS:
41926 /* initialize dqm for no cp scheduling */
41927- dqm->ops.start = start_nocpsch;
41928- dqm->ops.stop = stop_nocpsch;
41929- dqm->ops.create_queue = create_queue_nocpsch;
41930- dqm->ops.destroy_queue = destroy_queue_nocpsch;
41931- dqm->ops.update_queue = update_queue;
41932- dqm->ops.get_mqd_manager = get_mqd_manager_nocpsch;
41933- dqm->ops.register_process = register_process_nocpsch;
41934- dqm->ops.unregister_process = unregister_process_nocpsch;
41935- dqm->ops.initialize = initialize_nocpsch;
41936- dqm->ops.uninitialize = uninitialize_nocpsch;
41937- dqm->ops.set_cache_memory_policy = set_cache_memory_policy;
41938+ dqm->ops = &no_cp_dqm_ops;
41939 break;
41940 default:
41941 BUG();
41942@@ -1224,15 +1232,15 @@ struct device_queue_manager *device_queue_manager_init(struct kfd_dev *dev)
41943
41944 switch (dev->device_info->asic_family) {
41945 case CHIP_CARRIZO:
41946- device_queue_manager_init_vi(&dqm->ops_asic_specific);
41947+ device_queue_manager_init_vi(dqm);
41948 break;
41949
41950 case CHIP_KAVERI:
41951- device_queue_manager_init_cik(&dqm->ops_asic_specific);
41952+ device_queue_manager_init_cik(dqm);
41953 break;
41954 }
41955
41956- if (dqm->ops.initialize(dqm) != 0) {
41957+ if (dqm->ops->initialize(dqm) != 0) {
41958 kfree(dqm);
41959 return NULL;
41960 }
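Review bot: The `switch (dev->device_info->asic_family)` in this hunk has no `default`, so for any family other than CHIP_CARRIZO or CHIP_KAVERI `dqm->ops_asic_specific` is never assigned now that it is a pointer. Paths changed elsewhere in this patch call through it (`dqm->ops_asic_specific->initialize(dqm)` in initialize_cpsch), which would then dereference whatever the allocation left in the field. The allocation of `dqm` is outside the hunk, so whether that value is NULL is not visible here. A failing arm such as `default: kfree(dqm); return NULL;` mirrors the error path just below and keeps an unsupported ASIC from reaching an indirect call through an unset table pointer.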
41961@@ -1244,6 +1252,6 @@ void device_queue_manager_uninit(struct device_queue_manager *dqm)
41962 {
41963 BUG_ON(!dqm);
41964
41965- dqm->ops.uninitialize(dqm);
41966+ dqm->ops->uninitialize(dqm);
41967 kfree(dqm);
41968 }
41969diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h
41970index ec4036a..3ef0646 100644
41971--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h
41972+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.h
41973@@ -154,8 +154,8 @@ struct device_queue_manager_asic_ops {
41974 */
41975
41976 struct device_queue_manager {
41977- struct device_queue_manager_ops ops;
41978- struct device_queue_manager_asic_ops ops_asic_specific;
41979+ struct device_queue_manager_ops *ops;
41980+ struct device_queue_manager_asic_ops *ops_asic_specific;
41981
41982 struct mqd_manager *mqds[KFD_MQD_TYPE_MAX];
41983 struct packet_manager packets;
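Review bot: The two new members are declared as pointers to non-const structs, `struct device_queue_manager_ops *ops;`, while every table they are pointed at in this patch is `static const` (`cp_dqm_ops`, `no_cp_dqm_ops`, `cik_dqm_asic_ops`, `vi_dqm_asic_ops`). Unless the build treats these struct types as implicitly const, which is not visible here, the assignments in device_queue_manager_init, device_queue_manager_init_cik and device_queue_manager_init_vi drop the qualifier. Nothing in the type would then stop a later `dqm->ops->start = ...` from compiling. Declaring them `const struct device_queue_manager_ops *ops;` and `const struct device_queue_manager_asic_ops *ops_asic_specific;` states the read-only intent in the header itself.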
41984@@ -178,8 +178,8 @@ struct device_queue_manager {
41985 bool active_runlist;
41986 };
41987
41988-void device_queue_manager_init_cik(struct device_queue_manager_asic_ops *ops);
41989-void device_queue_manager_init_vi(struct device_queue_manager_asic_ops *ops);
41990+void device_queue_manager_init_cik(struct device_queue_manager *dqm);
41991+void device_queue_manager_init_vi(struct device_queue_manager *dqm);
41992 void program_sh_mem_settings(struct device_queue_manager *dqm,
41993 struct qcm_process_device *qpd);
41994 int init_pipelines(struct device_queue_manager *dqm,
41995diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c
41996index 9ce8a20..1ca4e22 100644
41997--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c
41998+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_cik.c
41999@@ -36,12 +36,16 @@ static int initialize_cpsch_cik(struct device_queue_manager *dqm);
42000 static void init_sdma_vm(struct device_queue_manager *dqm, struct queue *q,
42001 struct qcm_process_device *qpd);
42002
42003-void device_queue_manager_init_cik(struct device_queue_manager_asic_ops *ops)
42004+static const struct device_queue_manager_asic_ops cik_dqm_asic_ops = {
42005+ .set_cache_memory_policy = set_cache_memory_policy_cik,
42006+ .register_process = register_process_cik,
42007+ .initialize = initialize_cpsch_cik,
42008+ .init_sdma_vm = init_sdma_vm,
42009+};
42010+
42011+void device_queue_manager_init_cik(struct device_queue_manager *dqm)
42012 {
42013- ops->set_cache_memory_policy = set_cache_memory_policy_cik;
42014- ops->register_process = register_process_cik;
42015- ops->initialize = initialize_cpsch_cik;
42016- ops->init_sdma_vm = init_sdma_vm;
42017+ dqm->ops_asic_specific = &cik_dqm_asic_ops;
42018 }
42019
42020 static uint32_t compute_sh_mem_bases_64bit(unsigned int top_address_nybble)
42021diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c
42022index 4c15212..61bfab8 100644
42023--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c
42024+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager_vi.c
42025@@ -35,14 +35,18 @@ static int initialize_cpsch_vi(struct device_queue_manager *dqm);
42026 static void init_sdma_vm(struct device_queue_manager *dqm, struct queue *q,
42027 struct qcm_process_device *qpd);
42028
42029-void device_queue_manager_init_vi(struct device_queue_manager_asic_ops *ops)
42030+static const struct device_queue_manager_asic_ops vi_dqm_asic_ops = {
42031+ .set_cache_memory_policy = set_cache_memory_policy_vi,
42032+ .register_process = register_process_vi,
42033+ .initialize = initialize_cpsch_vi,
42034+ .init_sdma_vm = init_sdma_vm,
42035+};
42036+
42037+void device_queue_manager_init_vi(struct device_queue_manager *dqm)
42038 {
42039 pr_warn("amdkfd: VI DQM is not currently supported\n");
42040
42041- ops->set_cache_memory_policy = set_cache_memory_policy_vi;
42042- ops->register_process = register_process_vi;
42043- ops->initialize = initialize_cpsch_vi;
42044- ops->init_sdma_vm = init_sdma_vm;
42045+ dqm->ops_asic_specific = &vi_dqm_asic_ops;
42046 }
42047
42048 static bool set_cache_memory_policy_vi(struct device_queue_manager *dqm,
42049diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c b/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c
42050index 7f134aa..cd34d4a 100644
42051--- a/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c
42052+++ b/drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c
42053@@ -50,8 +50,8 @@ static void interrupt_wq(struct work_struct *);
42054
42055 int kfd_interrupt_init(struct kfd_dev *kfd)
42056 {
42057- void *interrupt_ring = kmalloc_array(KFD_INTERRUPT_RING_SIZE,
42058- kfd->device_info->ih_ring_entry_size,
42059+ void *interrupt_ring = kmalloc_array(kfd->device_info->ih_ring_entry_size,
42060+ KFD_INTERRUPT_RING_SIZE,
42061 GFP_KERNEL);
42062 if (!interrupt_ring)
42063 return -ENOMEM;
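Review bot: The arguments to `kmalloc_array` are now in (element size, count) order, the reverse of the function's `(n, size, flags)` parameters. The product and the overflow check are the same either way, so the allocation is unchanged, but the call now reads like a mistake and is likely to be swapped back by a later cleanup. A one-line comment above it, e.g. `/* argument order is intentional: <reason> */`, would record why the swap was made; the reason is not visible in this hunk.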
42064diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c
42065index 8fa8941..5ae07df 100644
42066--- a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c
42067+++ b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.c
42068@@ -56,7 +56,7 @@ static bool initialize(struct kernel_queue *kq, struct kfd_dev *dev,
42069 switch (type) {
42070 case KFD_QUEUE_TYPE_DIQ:
42071 case KFD_QUEUE_TYPE_HIQ:
42072- kq->mqd = dev->dqm->ops.get_mqd_manager(dev->dqm,
42073+ kq->mqd = dev->dqm->ops->get_mqd_manager(dev->dqm,
42074 KFD_MQD_TYPE_HIQ);
42075 break;
42076 default:
42077diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h
42078index 5940531..a75b0e5 100644
42079--- a/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h
42080+++ b/drivers/gpu/drm/amd/amdkfd/kfd_kernel_queue.h
42081@@ -62,7 +62,7 @@ struct kernel_queue_ops {
42082
42083 void (*submit_packet)(struct kernel_queue *kq);
42084 void (*rollback_packet)(struct kernel_queue *kq);
42085-};
42086+} __no_const;
42087
42088 struct kernel_queue {
42089 struct kernel_queue_ops ops;
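Review bot: `__no_const` on `struct kernel_queue_ops` keeps this function-pointer table writable, and the context line below shows it embedded by value as `struct kernel_queue_ops ops;`, so each kernel_queue object carries its own mutable copy of the dispatch pointers. The device_queue_manager ops in the same patch were instead moved to `static const` tables reached through a pointer. The same treatment here would need the code that fills `kq->ops`, which is not visible in this hunk, to select a const table rather than assign members one by one. If that is not feasible, a comment next to the annotation, e.g. `/* members are assigned at run time in <init function>, so the table cannot be const */`, would record why the exemption is needed.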
42090diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
42091index 7b69070..d7bd78b 100644
42092--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
42093+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
42094@@ -194,7 +194,7 @@ int pqm_create_queue(struct process_queue_manager *pqm,
42095
42096 if (list_empty(&pqm->queues)) {
42097 pdd->qpd.pqm = pqm;
42098- dev->dqm->ops.register_process(dev->dqm, &pdd->qpd);
42099+ dev->dqm->ops->register_process(dev->dqm, &pdd->qpd);
42100 }
42101
42102 pqn = kzalloc(sizeof(struct process_queue_node), GFP_KERNEL);
42103@@ -220,7 +220,7 @@ int pqm_create_queue(struct process_queue_manager *pqm,
42104 goto err_create_queue;
42105 pqn->q = q;
42106 pqn->kq = NULL;
42107- retval = dev->dqm->ops.create_queue(dev->dqm, q, &pdd->qpd,
42108+ retval = dev->dqm->ops->create_queue(dev->dqm, q, &pdd->qpd,
42109 &q->properties.vmid);
42110 pr_debug("DQM returned %d for create_queue\n", retval);
42111 print_queue(q);
42112@@ -234,7 +234,7 @@ int pqm_create_queue(struct process_queue_manager *pqm,
42113 kq->queue->properties.queue_id = *qid;
42114 pqn->kq = kq;
42115 pqn->q = NULL;
42116- retval = dev->dqm->ops.create_kernel_queue(dev->dqm,
42117+ retval = dev->dqm->ops->create_kernel_queue(dev->dqm,
42118 kq, &pdd->qpd);
42119 break;
42120 default:
42121@@ -265,7 +265,7 @@ err_allocate_pqn:
42122 /* check if queues list is empty unregister process from device */
42123 clear_bit(*qid, pqm->queue_slot_bitmap);
42124 if (list_empty(&pqm->queues))
42125- dev->dqm->ops.unregister_process(dev->dqm, &pdd->qpd);
42126+ dev->dqm->ops->unregister_process(dev->dqm, &pdd->qpd);
42127 return retval;
42128 }
42129
42130@@ -306,13 +306,13 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid)
42131 if (pqn->kq) {
42132 /* destroy kernel queue (DIQ) */
42133 dqm = pqn->kq->dev->dqm;
42134- dqm->ops.destroy_kernel_queue(dqm, pqn->kq, &pdd->qpd);
42135+ dqm->ops->destroy_kernel_queue(dqm, pqn->kq, &pdd->qpd);
42136 kernel_queue_uninit(pqn->kq);
42137 }
42138
42139 if (pqn->q) {
42140 dqm = pqn->q->device->dqm;
42141- retval = dqm->ops.destroy_queue(dqm, &pdd->qpd, pqn->q);
42142+ retval = dqm->ops->destroy_queue(dqm, &pdd->qpd, pqn->q);
42143 if (retval != 0)
42144 return retval;
42145
42146@@ -324,7 +324,7 @@ int pqm_destroy_queue(struct process_queue_manager *pqm, unsigned int qid)
42147 clear_bit(qid, pqm->queue_slot_bitmap);
42148
42149 if (list_empty(&pqm->queues))
42150- dqm->ops.unregister_process(dqm, &pdd->qpd);
42151+ dqm->ops->unregister_process(dqm, &pdd->qpd);
42152
42153 return retval;
42154 }
42155@@ -349,7 +349,7 @@ int pqm_update_queue(struct process_queue_manager *pqm, unsigned int qid,
42156 pqn->q->properties.queue_percent = p->queue_percent;
42157 pqn->q->properties.priority = p->priority;
42158
42159- retval = pqn->q->device->dqm->ops.update_queue(pqn->q->device->dqm,
42160+ retval = pqn->q->device->dqm->ops->update_queue(pqn->q->device->dqm,
42161 pqn->q);
42162 if (retval != 0)
42163 return retval;
42164diff --git a/drivers/gpu/drm/drm_context.c b/drivers/gpu/drm/drm_context.c
42165index 9b23525..65f4110 100644
42166--- a/drivers/gpu/drm/drm_context.c
42167+++ b/drivers/gpu/drm/drm_context.c
42168@@ -53,6 +53,9 @@ struct drm_ctx_list {
42169 */
42170 void drm_legacy_ctxbitmap_free(struct drm_device * dev, int ctx_handle)
42171 {
42172+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42173+ return;
42174+
42175 mutex_lock(&dev->struct_mutex);
42176 idr_remove(&dev->ctx_idr, ctx_handle);
42177 mutex_unlock(&dev->struct_mutex);
42178@@ -87,6 +90,9 @@ static int drm_legacy_ctxbitmap_next(struct drm_device * dev)
42179 */
42180 int drm_legacy_ctxbitmap_init(struct drm_device * dev)
42181 {
42182+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42183+ return -EINVAL;
42184+
42185 idr_init(&dev->ctx_idr);
42186 return 0;
42187 }
42188@@ -101,6 +107,9 @@ int drm_legacy_ctxbitmap_init(struct drm_device * dev)
42189 */
42190 void drm_legacy_ctxbitmap_cleanup(struct drm_device * dev)
42191 {
42192+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42193+ return;
42194+
42195 mutex_lock(&dev->struct_mutex);
42196 idr_destroy(&dev->ctx_idr);
42197 mutex_unlock(&dev->struct_mutex);
42198@@ -119,11 +128,14 @@ void drm_legacy_ctxbitmap_flush(struct drm_device *dev, struct drm_file *file)
42199 {
42200 struct drm_ctx_list *pos, *tmp;
42201
42202+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42203+ return;
42204+
42205 mutex_lock(&dev->ctxlist_mutex);
42206
42207 list_for_each_entry_safe(pos, tmp, &dev->ctxlist, head) {
42208 if (pos->tag == file &&
42209- pos->handle != DRM_KERNEL_CONTEXT) {
42210+ _DRM_LOCKING_CONTEXT(pos->handle) != DRM_KERNEL_CONTEXT) {
42211 if (dev->driver->context_dtor)
42212 dev->driver->context_dtor(dev, pos->handle);
42213
42214@@ -161,6 +173,9 @@ int drm_legacy_getsareactx(struct drm_device *dev, void *data,
42215 struct drm_local_map *map;
42216 struct drm_map_list *_entry;
42217
42218+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42219+ return -EINVAL;
42220+
42221 mutex_lock(&dev->struct_mutex);
42222
42223 map = idr_find(&dev->ctx_idr, request->ctx_id);
42224@@ -205,6 +220,9 @@ int drm_legacy_setsareactx(struct drm_device *dev, void *data,
42225 struct drm_local_map *map = NULL;
42226 struct drm_map_list *r_list = NULL;
42227
42228+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42229+ return -EINVAL;
42230+
42231 mutex_lock(&dev->struct_mutex);
42232 list_for_each_entry(r_list, &dev->maplist, head) {
42233 if (r_list->map
42234@@ -277,7 +295,13 @@ static int drm_context_switch_complete(struct drm_device *dev,
42235 {
42236 dev->last_context = new; /* PRE/POST: This is the _only_ writer. */
42237
42238- if (!_DRM_LOCK_IS_HELD(file_priv->master->lock.hw_lock->lock)) {
42239+ if (file_priv->master->lock.hw_lock == NULL) {
42240+ DRM_ERROR(
42241+ "Device has been unregistered. Hard exit. Process %d\n",
42242+ task_pid_nr(current));
42243+ send_sig(SIGTERM, current, 0);
42244+ return -EPERM;
42245+ } else if (!_DRM_LOCK_IS_HELD(file_priv->master->lock.hw_lock->lock)) {
42246 DRM_ERROR("Lock isn't held after context switch\n");
42247 }
42248
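Review bot: The new `return -EPERM;` for a NULL `hw_lock` is not seen by the caller shown in this patch: the drm_legacy_newctx hunk calls `drm_context_switch_complete(dev, file_priv, ctx->handle);` as a bare statement, so the ioctl's result does not reflect the failure. Propagating it, e.g. `ret = drm_context_switch_complete(dev, file_priv, ctx->handle); if (ret) return ret;`, would make the error visible to user space; the rest of drm_legacy_newctx is outside the hunks. The added check also reads `file_priv->master->lock` without testing `file_priv->master`, and whether `master` can be NULL at this point is not visible here.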
42249@@ -305,6 +329,9 @@ int drm_legacy_resctx(struct drm_device *dev, void *data,
42250 struct drm_ctx ctx;
42251 int i;
42252
42253+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42254+ return -EINVAL;
42255+
42256 if (res->count >= DRM_RESERVED_CONTEXTS) {
42257 memset(&ctx, 0, sizeof(ctx));
42258 for (i = 0; i < DRM_RESERVED_CONTEXTS; i++) {
42259@@ -335,8 +362,11 @@ int drm_legacy_addctx(struct drm_device *dev, void *data,
42260 struct drm_ctx_list *ctx_entry;
42261 struct drm_ctx *ctx = data;
42262
42263+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42264+ return -EINVAL;
42265+
42266 ctx->handle = drm_legacy_ctxbitmap_next(dev);
42267- if (ctx->handle == DRM_KERNEL_CONTEXT) {
42268+ if (_DRM_LOCKING_CONTEXT(ctx->handle) == DRM_KERNEL_CONTEXT) {
42269 /* Skip kernel's context and get a new one. */
42270 ctx->handle = drm_legacy_ctxbitmap_next(dev);
42271 }
42272@@ -378,6 +408,9 @@ int drm_legacy_getctx(struct drm_device *dev, void *data,
42273 {
42274 struct drm_ctx *ctx = data;
42275
42276+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42277+ return -EINVAL;
42278+
42279 /* This is 0, because we don't handle any context flags */
42280 ctx->flags = 0;
42281
42282@@ -400,6 +433,9 @@ int drm_legacy_switchctx(struct drm_device *dev, void *data,
42283 {
42284 struct drm_ctx *ctx = data;
42285
42286+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42287+ return -EINVAL;
42288+
42289 DRM_DEBUG("%d\n", ctx->handle);
42290 return drm_context_switch(dev, dev->last_context, ctx->handle);
42291 }
42292@@ -420,6 +456,9 @@ int drm_legacy_newctx(struct drm_device *dev, void *data,
42293 {
42294 struct drm_ctx *ctx = data;
42295
42296+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42297+ return -EINVAL;
42298+
42299 DRM_DEBUG("%d\n", ctx->handle);
42300 drm_context_switch_complete(dev, file_priv, ctx->handle);
42301
42302@@ -442,8 +481,11 @@ int drm_legacy_rmctx(struct drm_device *dev, void *data,
42303 {
42304 struct drm_ctx *ctx = data;
42305
42306+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42307+ return -EINVAL;
42308+
42309 DRM_DEBUG("%d\n", ctx->handle);
42310- if (ctx->handle != DRM_KERNEL_CONTEXT) {
42311+ if (_DRM_LOCKING_CONTEXT(ctx->handle) != DRM_KERNEL_CONTEXT) {
42312 if (dev->driver->context_dtor)
42313 dev->driver->context_dtor(dev, ctx->handle);
42314 drm_legacy_ctxbitmap_free(dev, ctx->handle);
42315diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c
42316index fed7483..5bc0335 100644
42317--- a/drivers/gpu/drm/drm_crtc.c
42318+++ b/drivers/gpu/drm/drm_crtc.c
42319@@ -4174,7 +4174,7 @@ int drm_mode_getproperty_ioctl(struct drm_device *dev,
42320 goto done;
42321 }
42322
42323- if (copy_to_user(&enum_ptr[copied].name,
42324+ if (copy_to_user(enum_ptr[copied].name,
42325 &prop_enum->name, DRM_PROP_NAME_LEN)) {
42326 ret = -EFAULT;
42327 goto done;
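Review bot: Only the destination of this `copy_to_user` was changed to the array form; the source is still `&prop_enum->name`, a pointer to the whole array rather than to its first element (assuming `name` is an array member, as the destination change implies). Both forms yield the same address, so behaviour is unchanged. Writing both the same way, `copy_to_user(enum_ptr[copied].name, prop_enum->name, DRM_PROP_NAME_LEN)`, keeps the call consistent for readers and static checkers. drm_mode_getproperty_ioctl extends beyond the hunk in both directions.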
42328diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c
42329index b7bf4ce..585cf3b 100644
42330--- a/drivers/gpu/drm/drm_drv.c
42331+++ b/drivers/gpu/drm/drm_drv.c
42332@@ -434,7 +434,7 @@ void drm_unplug_dev(struct drm_device *dev)
42333
42334 drm_device_set_unplugged(dev);
42335
42336- if (dev->open_count == 0) {
42337+ if (local_read(&dev->open_count) == 0) {
42338 drm_put_dev(dev);
42339 }
42340 mutex_unlock(&drm_global_mutex);
42341@@ -582,10 +582,13 @@ struct drm_device *drm_dev_alloc(struct drm_driver *driver,
42342 if (drm_ht_create(&dev->map_hash, 12))
42343 goto err_minors;
42344
42345- ret = drm_legacy_ctxbitmap_init(dev);
42346- if (ret) {
42347- DRM_ERROR("Cannot allocate memory for context bitmap.\n");
42348- goto err_ht;
42349+ if (drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT)) {
42350+ ret = drm_legacy_ctxbitmap_init(dev);
42351+ if (ret) {
42352+ DRM_ERROR(
42353+ "Cannot allocate memory for context bitmap.\n");
42354+ goto err_ht;
42355+ }
42356 }
42357
42358 if (drm_core_check_feature(dev, DRIVER_GEM)) {
42359diff --git a/drivers/gpu/drm/drm_fops.c b/drivers/gpu/drm/drm_fops.c
42360index c59ce4d..056d413 100644
42361--- a/drivers/gpu/drm/drm_fops.c
42362+++ b/drivers/gpu/drm/drm_fops.c
42363@@ -89,7 +89,7 @@ int drm_open(struct inode *inode, struct file *filp)
42364 return PTR_ERR(minor);
42365
42366 dev = minor->dev;
42367- if (!dev->open_count++)
42368+ if (local_inc_return(&dev->open_count) == 1)
42369 need_setup = 1;
42370
42371 /* share address_space across all char-devs of a single device */
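Review bot: `local_inc_return(&dev->open_count)` is atomic only with respect to the CPU it runs on, so converting `open_count` to a local_t does not by itself make the open/release accounting safe across CPUs. drm_release takes `drm_global_mutex` in its first hunk before the later `local_dec_and_test`, but the locking around this increment and the `local_dec` under `err_undo` is outside the hunk, and the amdgpu_switcheroo_can_switch reader is documented as lockless. If cross-CPU atomicity is wanted, atomic_t is the matching type. If the mutex is what serialises the writers, a comment on the field such as `/* writers hold drm_global_mutex; local_t is not SMP-atomic */` would say so.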
42372@@ -106,7 +106,7 @@ int drm_open(struct inode *inode, struct file *filp)
42373 return 0;
42374
42375 err_undo:
42376- dev->open_count--;
42377+ local_dec(&dev->open_count);
42378 drm_minor_release(minor);
42379 return retcode;
42380 }
42381@@ -377,7 +377,7 @@ int drm_release(struct inode *inode, struct file *filp)
42382
42383 mutex_lock(&drm_global_mutex);
42384
42385- DRM_DEBUG("open_count = %d\n", dev->open_count);
42386+ DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));
42387
42388 mutex_lock(&dev->struct_mutex);
42389 list_del(&file_priv->lhead);
42390@@ -392,10 +392,10 @@ int drm_release(struct inode *inode, struct file *filp)
42391 * Begin inline drm_release
42392 */
42393
42394- DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
42395+ DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %ld\n",
42396 task_pid_nr(current),
42397 (long)old_encode_dev(file_priv->minor->kdev->devt),
42398- dev->open_count);
42399+ local_read(&dev->open_count));
42400
42401 /* if the master has gone away we can't do anything with the lock */
42402 if (file_priv->minor->master)
42403@@ -465,7 +465,7 @@ int drm_release(struct inode *inode, struct file *filp)
42404 * End inline drm_release
42405 */
42406
42407- if (!--dev->open_count) {
42408+ if (local_dec_and_test(&dev->open_count)) {
42409 retcode = drm_lastclose(dev);
42410 if (drm_device_is_unplugged(dev))
42411 drm_put_dev(dev);
42412diff --git a/drivers/gpu/drm/drm_global.c b/drivers/gpu/drm/drm_global.c
42413index 3d2e91c..d31c4c9 100644
42414--- a/drivers/gpu/drm/drm_global.c
42415+++ b/drivers/gpu/drm/drm_global.c
42416@@ -36,7 +36,7 @@
42417 struct drm_global_item {
42418 struct mutex mutex;
42419 void *object;
42420- int refcount;
42421+ atomic_t refcount;
42422 };
42423
42424 static struct drm_global_item glob[DRM_GLOBAL_NUM];
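Review bot: The new `atomic_t refcount` is read and modified only with `item->mutex` held in the drm_global_item_ref and drm_global_item_unref hunks below, so the conversion does not change the locking. The `atomic_read(&item->refcount) == 0` test followed by `atomic_inc` in drm_global_item_ref still relies on that mutex to be race-free, and the reason for the type change is not evident from the code. A comment on the field, e.g. `/* protected by mutex; atomic_t only for overflow checking */` if that is the intent, would keep a later reader from dropping the lock on the assumption that the counter is self-synchronising.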
42425@@ -49,7 +49,7 @@ void drm_global_init(void)
42426 struct drm_global_item *item = &glob[i];
42427 mutex_init(&item->mutex);
42428 item->object = NULL;
42429- item->refcount = 0;
42430+ atomic_set(&item->refcount, 0);
42431 }
42432 }
42433
42434@@ -59,7 +59,7 @@ void drm_global_release(void)
42435 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
42436 struct drm_global_item *item = &glob[i];
42437 BUG_ON(item->object != NULL);
42438- BUG_ON(item->refcount != 0);
42439+ BUG_ON(atomic_read(&item->refcount) != 0);
42440 }
42441 }
42442
42443@@ -69,7 +69,7 @@ int drm_global_item_ref(struct drm_global_reference *ref)
42444 struct drm_global_item *item = &glob[ref->global_type];
42445
42446 mutex_lock(&item->mutex);
42447- if (item->refcount == 0) {
42448+ if (atomic_read(&item->refcount) == 0) {
42449 item->object = kzalloc(ref->size, GFP_KERNEL);
42450 if (unlikely(item->object == NULL)) {
42451 ret = -ENOMEM;
42452@@ -82,7 +82,7 @@ int drm_global_item_ref(struct drm_global_reference *ref)
42453 goto out_err;
42454
42455 }
42456- ++item->refcount;
42457+ atomic_inc(&item->refcount);
42458 ref->object = item->object;
42459 mutex_unlock(&item->mutex);
42460 return 0;
42461@@ -98,9 +98,9 @@ void drm_global_item_unref(struct drm_global_reference *ref)
42462 struct drm_global_item *item = &glob[ref->global_type];
42463
42464 mutex_lock(&item->mutex);
42465- BUG_ON(item->refcount == 0);
42466+ BUG_ON(atomic_read(&item->refcount) == 0);
42467 BUG_ON(ref->object != item->object);
42468- if (--item->refcount == 0) {
42469+ if (atomic_dec_and_test(&item->refcount)) {
42470 ref->release(ref);
42471 item->object = NULL;
42472 }
42473diff --git a/drivers/gpu/drm/drm_info.c b/drivers/gpu/drm/drm_info.c
42474index cbb4fc0..5c756cb9 100644
42475--- a/drivers/gpu/drm/drm_info.c
42476+++ b/drivers/gpu/drm/drm_info.c
42477@@ -77,10 +77,13 @@ int drm_vm_info(struct seq_file *m, void *data)
42478 struct drm_local_map *map;
42479 struct drm_map_list *r_list;
42480
42481- /* Hardcoded from _DRM_FRAME_BUFFER,
42482- _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
42483- _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
42484- const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
42485+ static const char * const types[] = {
42486+ [_DRM_FRAME_BUFFER] = "FB",
42487+ [_DRM_REGISTERS] = "REG",
42488+ [_DRM_SHM] = "SHM",
42489+ [_DRM_AGP] = "AGP",
42490+ [_DRM_SCATTER_GATHER] = "SG",
42491+ [_DRM_CONSISTENT] = "PCI"};
42492 const char *type;
42493 int i;
42494
42495@@ -91,7 +94,7 @@ int drm_vm_info(struct seq_file *m, void *data)
42496 map = r_list->map;
42497 if (!map)
42498 continue;
42499- if (map->type < 0 || map->type > 5)
42500+ if (map->type >= ARRAY_SIZE(types))
42501 type = "??";
42502 else
42503 type = types[map->type];
42504diff --git a/drivers/gpu/drm/drm_ioc32.c b/drivers/gpu/drm/drm_ioc32.c
42505index 9cfcd0a..7142a7f 100644
42506--- a/drivers/gpu/drm/drm_ioc32.c
42507+++ b/drivers/gpu/drm/drm_ioc32.c
42508@@ -459,7 +459,7 @@ static int compat_drm_infobufs(struct file *file, unsigned int cmd,
42509 request = compat_alloc_user_space(nbytes);
42510 if (!access_ok(VERIFY_WRITE, request, nbytes))
42511 return -EFAULT;
42512- list = (struct drm_buf_desc *) (request + 1);
42513+ list = (struct drm_buf_desc __user *) (request + 1);
42514
42515 if (__put_user(count, &request->count)
42516 || __put_user(list, &request->list))
42517@@ -520,7 +520,7 @@ static int compat_drm_mapbufs(struct file *file, unsigned int cmd,
42518 request = compat_alloc_user_space(nbytes);
42519 if (!access_ok(VERIFY_WRITE, request, nbytes))
42520 return -EFAULT;
42521- list = (struct drm_buf_pub *) (request + 1);
42522+ list = (struct drm_buf_pub __user *) (request + 1);
42523
42524 if (__put_user(count, &request->count)
42525 || __put_user(list, &request->list))
42526@@ -1075,7 +1075,7 @@ static int compat_drm_mode_addfb2(struct file *file, unsigned int cmd,
42527 return 0;
42528 }
42529
42530-static drm_ioctl_compat_t *drm_compat_ioctls[] = {
42531+static drm_ioctl_compat_t drm_compat_ioctls[] = {
42532 [DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version,
42533 [DRM_IOCTL_NR(DRM_IOCTL_GET_UNIQUE32)] = compat_drm_getunique,
42534 [DRM_IOCTL_NR(DRM_IOCTL_GET_MAP32)] = compat_drm_getmap,
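Review bot: `drm_compat_ioctls[]` is still a writable object: it is declared `static drm_ioctl_compat_t drm_compat_ioctls[]`, and drm_compat_ioctl now calls straight through `drm_compat_ioctls[nr]`, with `nr` derived from the caller-supplied `cmd`. Assuming `drm_ioctl_compat_t` is now a function-pointer typedef (its definition is outside this view), declaring the table `static drm_ioctl_compat_t const drm_compat_ioctls[]` would place the handlers in read-only data. Nothing visible writes to the table after initialisation. The initializer continues past the end of the hunk.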
42535@@ -1122,7 +1122,6 @@ static drm_ioctl_compat_t *drm_compat_ioctls[] = {
42536 long drm_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
42537 {
42538 unsigned int nr = DRM_IOCTL_NR(cmd);
42539- drm_ioctl_compat_t *fn;
42540 int ret;
42541
42542 /* Assume that ioctls without an explicit compat routine will just
42543@@ -1132,10 +1131,8 @@ long drm_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
42544 if (nr >= ARRAY_SIZE(drm_compat_ioctls))
42545 return drm_ioctl(filp, cmd, arg);
42546
42547- fn = drm_compat_ioctls[nr];
42548-
42549- if (fn != NULL)
42550- ret = (*fn) (filp, cmd, arg);
42551+ if (drm_compat_ioctls[nr] != NULL)
42552+ ret = (*drm_compat_ioctls[nr]) (filp, cmd, arg);
42553 else
42554 ret = drm_ioctl(filp, cmd, arg);
42555
42556diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c
42557index b1d303f..c59012c 100644
42558--- a/drivers/gpu/drm/drm_ioctl.c
42559+++ b/drivers/gpu/drm/drm_ioctl.c
42560@@ -650,7 +650,7 @@ long drm_ioctl(struct file *filp,
42561 struct drm_file *file_priv = filp->private_data;
42562 struct drm_device *dev;
42563 const struct drm_ioctl_desc *ioctl = NULL;
42564- drm_ioctl_t *func;
42565+ drm_ioctl_no_const_t func;
42566 unsigned int nr = DRM_IOCTL_NR(cmd);
42567 int retcode = -EINVAL;
42568 char stack_kdata[128];
42569diff --git a/drivers/gpu/drm/drm_lock.c b/drivers/gpu/drm/drm_lock.c
42570index 4924d381..fd3b5ee 100644
42571--- a/drivers/gpu/drm/drm_lock.c
42572+++ b/drivers/gpu/drm/drm_lock.c
42573@@ -61,12 +61,15 @@ int drm_legacy_lock(struct drm_device *dev, void *data,
42574 struct drm_master *master = file_priv->master;
42575 int ret = 0;
42576
42577+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42578+ return -EINVAL;
42579+
42580 if (drm_core_check_feature(dev, DRIVER_MODESET))
42581 return -EINVAL;
42582
42583 ++file_priv->lock_count;
42584
42585- if (lock->context == DRM_KERNEL_CONTEXT) {
42586+ if (_DRM_LOCKING_CONTEXT(lock->context) == DRM_KERNEL_CONTEXT) {
42587 DRM_ERROR("Process %d using kernel context %d\n",
42588 task_pid_nr(current), lock->context);
42589 return -EINVAL;
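Review bot: The new DRIVER_KMS_LEGACY_CONTEXT guard at the top of drm_legacy_lock() sits in front of the existing DRIVER_MODESET guard instead of being combined with it, so the ioctl now succeeds only for a driver that sets the legacy-context flag and does not set DRIVER_MODESET. In the part of the patch shown here the only driver that gains the flag is nouveau, which also sets DRIVER_MODESET and is therefore still rejected by the second check, while a non-KMS driver without the flag loses legacy locking. If that is the intent, say so above the two checks, e.g. `/* legacy locking: only non-KMS drivers that opt in via DRIVER_KMS_LEGACY_CONTEXT */`. The same pair of guards is added to drm_legacy_unlock() in the next hunk, and both function bodies continue outside the hunks.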
42590@@ -156,6 +159,9 @@ int drm_legacy_unlock(struct drm_device *dev, void *data, struct drm_file *file_
42591 struct drm_lock *lock = data;
42592 struct drm_master *master = file_priv->master;
42593
42594+ if (!drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT))
42595+ return -EINVAL;
42596+
42597 if (drm_core_check_feature(dev, DRIVER_MODESET))
42598 return -EINVAL;
42599
42600@@ -165,6 +171,14 @@ int drm_legacy_unlock(struct drm_device *dev, void *data, struct drm_file *file_
42601 return -EINVAL;
42602 }
42603
42604+ if (!master->lock.hw_lock) {
42605+ DRM_ERROR(
42606+ "Device has been unregistered. Hard exit. Process %d\n",
42607+ task_pid_nr(current));
42608+ send_sig(SIGTERM, current, 0);
42609+ return -EPERM;
42610+ }
42611+
42612 if (drm_legacy_lock_free(&master->lock, lock->context)) {
42613 /* FIXME: Should really bail out here. */
42614 }
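Review bot: The kernel-context check in drm_legacy_unlock(), whose tail is the `return -EINVAL;` context at the top of this hunk, is not touched by the patch, while drm_legacy_lock() now compares `_DRM_LOCKING_CONTEXT(lock->context)` against DRM_KERNEL_CONTEXT. The comparison line itself falls between the visible hunks, so this is inferred, but if it still reads `lock->context == DRM_KERNEL_CONTEXT` the lock and unlock paths disagree on whether flag bits in the user-supplied context value are ignored. The unlock side should then use `if (_DRM_LOCKING_CONTEXT(lock->context) == DRM_KERNEL_CONTEXT) {` as well.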
42615diff --git a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
42616index d4813e0..6c1ab4d 100644
42617--- a/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
42618+++ b/drivers/gpu/drm/gma500/mdfld_dsi_dpi.c
42619@@ -825,10 +825,16 @@ void mdfld_dsi_dpi_mode_set(struct drm_encoder *encoder,
42620 u32 pipeconf_reg = PIPEACONF;
42621 u32 dspcntr_reg = DSPACNTR;
42622
42623- u32 pipeconf = dev_priv->pipeconf[pipe];
42624- u32 dspcntr = dev_priv->dspcntr[pipe];
42625+ u32 pipeconf;
42626+ u32 dspcntr;
42627 u32 mipi = MIPI_PORT_EN | PASS_FROM_SPHY_TO_AFE | SEL_FLOPPED_HSTX;
42628
42629+ if (pipe == -1)
42630+ return;
42631+
42632+ pipeconf = dev_priv->pipeconf[pipe];
42633+ dspcntr = dev_priv->dspcntr[pipe];
42634+
42635 if (pipe) {
42636 pipeconf_reg = PIPECCONF;
42637 dspcntr_reg = DSPCCNTR;
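Review bot: The new guard rejects only `pipe == -1`, so any other negative value would still index `dev_priv->pipeconf[]` and `dev_priv->dspcntr[]` out of bounds on the two assignments right after it. The declaration and source of `pipe` are outside the hunk, so -1 may be the only error value it can hold, but `if (pipe < 0) return;` does not depend on that assumption. The function body starts and continues outside the hunk.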
42638diff --git a/drivers/gpu/drm/i810/i810_drv.h b/drivers/gpu/drm/i810/i810_drv.h
42639index 93ec5dc..82acbaf 100644
42640--- a/drivers/gpu/drm/i810/i810_drv.h
42641+++ b/drivers/gpu/drm/i810/i810_drv.h
42642@@ -110,8 +110,8 @@ typedef struct drm_i810_private {
42643 int page_flipping;
42644
42645 wait_queue_head_t irq_queue;
42646- atomic_t irq_received;
42647- atomic_t irq_emitted;
42648+ atomic_unchecked_t irq_received;
42649+ atomic_unchecked_t irq_emitted;
42650
42651 int front_offset;
42652 } drm_i810_private_t;
42653diff --git a/drivers/gpu/drm/i915/i915_debugfs.c b/drivers/gpu/drm/i915/i915_debugfs.c
42654index 82bbe3f..ce004bf 100644
42655--- a/drivers/gpu/drm/i915/i915_debugfs.c
42656+++ b/drivers/gpu/drm/i915/i915_debugfs.c
42657@@ -480,7 +480,7 @@ static int i915_gem_object_info(struct seq_file *m, void* data)
42658 seq_printf(m, "%u fault mappable objects, %zu bytes\n",
42659 count, size);
42660
42661- seq_printf(m, "%zu [%lu] gtt total\n",
42662+ seq_printf(m, "%llu [%llu] gtt total\n",
42663 dev_priv->gtt.base.total,
42664 dev_priv->gtt.mappable_end - dev_priv->gtt.base.start);
42665
42666diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c
42667index d2df321..f746478 100644
42668--- a/drivers/gpu/drm/i915/i915_dma.c
42669+++ b/drivers/gpu/drm/i915/i915_dma.c
42670@@ -162,6 +162,8 @@ static int i915_getparam(struct drm_device *dev, void *data,
42671 value = INTEL_INFO(dev)->eu_total;
42672 if (!value)
42673 return -ENODEV;
42674+ case I915_PARAM_HAS_LEGACY_CONTEXT:
42675+ value = drm_core_check_feature(dev, DRIVER_KMS_LEGACY_CONTEXT);
42676 break;
42677 default:
42678 DRM_DEBUG("Unknown parameter %d\n", param->param);
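Review bot: The new `case I915_PARAM_HAS_LEGACY_CONTEXT:` label is inserted between the preceding case's `return -ENODEV;` and its `break;`, so that preceding case (the one assigning `INTEL_INFO(dev)->eu_total`) now falls through and has `value` overwritten by the result of `drm_core_check_feature()`. A caller querying that parameter would receive the feature flag instead of the EU count. Add a `break;` on its own line before the new case label. The switch statement and the rest of i915_getparam() lie outside the hunk.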
42679@@ -376,7 +378,7 @@ static bool i915_switcheroo_can_switch(struct pci_dev *pdev)
42680 * locking inversion with the driver load path. And the access here is
42681 * completely racy anyway. So don't bother with locking for now.
42682 */
42683- return dev->open_count == 0;
42684+ return local_read(&dev->open_count) == 0;
42685 }
42686
42687 static const struct vga_switcheroo_client_ops i915_switcheroo_ops = {
42688diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
42689index 5e6b4a2..6ba2c85 100644
42690--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
42691+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
42692@@ -935,12 +935,12 @@ i915_gem_check_execbuffer(struct drm_i915_gem_execbuffer2 *exec)
42693 static int
42694 validate_exec_list(struct drm_device *dev,
42695 struct drm_i915_gem_exec_object2 *exec,
42696- int count)
42697+ unsigned int count)
42698 {
42699 unsigned relocs_total = 0;
42700 unsigned relocs_max = UINT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
42701 unsigned invalid_flags;
42702- int i;
42703+ unsigned int i;
42704
42705 invalid_flags = __EXEC_OBJECT_UNKNOWN_FLAGS;
42706 if (USES_FULL_PPGTT(dev))
42707diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.c b/drivers/gpu/drm/i915/i915_gem_gtt.c
42708index 31e8269..7055934 100644
42709--- a/drivers/gpu/drm/i915/i915_gem_gtt.c
42710+++ b/drivers/gpu/drm/i915/i915_gem_gtt.c
42711@@ -2360,10 +2360,10 @@ static void chv_setup_private_ppat(struct drm_i915_private *dev_priv)
42712 }
42713
42714 static int gen8_gmch_probe(struct drm_device *dev,
42715- size_t *gtt_total,
42716- size_t *stolen,
42717- phys_addr_t *mappable_base,
42718- unsigned long *mappable_end)
42719+ uint64_t *gtt_total,
42720+ uint64_t *stolen,
42721+ uint64_t *mappable_base,
42722+ uint64_t *mappable_end)
42723 {
42724 struct drm_i915_private *dev_priv = dev->dev_private;
42725 unsigned int gtt_size;
42726@@ -2408,10 +2408,10 @@ static int gen8_gmch_probe(struct drm_device *dev,
42727 }
42728
42729 static int gen6_gmch_probe(struct drm_device *dev,
42730- size_t *gtt_total,
42731- size_t *stolen,
42732- phys_addr_t *mappable_base,
42733- unsigned long *mappable_end)
42734+ uint64_t *gtt_total,
42735+ uint64_t *stolen,
42736+ uint64_t *mappable_base,
42737+ uint64_t *mappable_end)
42738 {
42739 struct drm_i915_private *dev_priv = dev->dev_private;
42740 unsigned int gtt_size;
42741@@ -2425,7 +2425,7 @@ static int gen6_gmch_probe(struct drm_device *dev,
42742 * a coarse sanity check.
42743 */
42744 if ((*mappable_end < (64<<20) || (*mappable_end > (512<<20)))) {
42745- DRM_ERROR("Unknown GMADR size (%lx)\n",
42746+ DRM_ERROR("Unknown GMADR size (%llx)\n",
42747 dev_priv->gtt.mappable_end);
42748 return -ENXIO;
42749 }
42750@@ -2459,10 +2459,10 @@ static void gen6_gmch_remove(struct i915_address_space *vm)
42751 }
42752
42753 static int i915_gmch_probe(struct drm_device *dev,
42754- size_t *gtt_total,
42755- size_t *stolen,
42756- phys_addr_t *mappable_base,
42757- unsigned long *mappable_end)
42758+ uint64_t *gtt_total,
42759+ uint64_t *stolen,
42760+ uint64_t *mappable_base,
42761+ uint64_t *mappable_end)
42762 {
42763 struct drm_i915_private *dev_priv = dev->dev_private;
42764 int ret;
42765@@ -2527,10 +2527,10 @@ int i915_gem_gtt_init(struct drm_device *dev)
42766 gtt->base.dev = dev;
42767
42768 /* GMADR is the PCI mmio aperture into the global GTT. */
42769- DRM_INFO("Memory usable by graphics device = %zdM\n",
42770+ DRM_INFO("Memory usable by graphics device = %lldM\n",
42771 gtt->base.total >> 20);
42772- DRM_DEBUG_DRIVER("GMADR size = %ldM\n", gtt->mappable_end >> 20);
42773- DRM_DEBUG_DRIVER("GTT stolen size = %zdM\n", gtt->stolen_size >> 20);
42774+ DRM_DEBUG_DRIVER("GMADR size = %lldM\n", gtt->mappable_end >> 20);
42775+ DRM_DEBUG_DRIVER("GTT stolen size = %lldM\n", gtt->stolen_size >> 20);
42776 #ifdef CONFIG_INTEL_IOMMU
42777 if (intel_iommu_gfx_mapped)
42778 DRM_INFO("VT-d active for gfx access\n");
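Review bot: The three messages in this hunk now print `uint64_t` fields with the signed conversion `%lld`, although the patch makes `total`, `mappable_end` and `stolen_size` unsigned in i915_gem_gtt.h. `%llu` matches the new type, e.g. `DRM_INFO("Memory usable by graphics device = %lluM\n",` and likewise for the GMADR and stolen-size lines. The `%lld` used for `dev_priv->gtt.stolen_size` in the i915_gem_stolen.c hunk has the same mismatch, whereas the debugfs hunk already uses `%llu`.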
42779diff --git a/drivers/gpu/drm/i915/i915_gem_gtt.h b/drivers/gpu/drm/i915/i915_gem_gtt.h
42780index 0d46dd2..1171c00 100644
42781--- a/drivers/gpu/drm/i915/i915_gem_gtt.h
42782+++ b/drivers/gpu/drm/i915/i915_gem_gtt.h
42783@@ -233,8 +233,8 @@ struct i915_address_space {
42784 struct drm_mm mm;
42785 struct drm_device *dev;
42786 struct list_head global_link;
42787- unsigned long start; /* Start offset always 0 for dri2 */
42788- size_t total; /* size addr space maps (ex. 2GB for ggtt) */
42789+ uint64_t start; /* Start offset always 0 for dri2 */
42790+ uint64_t total; /* size addr space maps (ex. 2GB for ggtt) */
42791
42792 struct {
42793 dma_addr_t addr;
42794@@ -300,11 +300,11 @@ struct i915_address_space {
42795 */
42796 struct i915_gtt {
42797 struct i915_address_space base;
42798- size_t stolen_size; /* Total size of stolen memory */
42799+ uint64_t stolen_size; /* Total size of stolen memory */
42800
42801- unsigned long mappable_end; /* End offset that we can CPU map */
42802+ uint64_t mappable_end; /* End offset that we can CPU map */
42803 struct io_mapping *mappable; /* Mapping to our CPU mappable region */
42804- phys_addr_t mappable_base; /* PA of our GMADR */
42805+ uint64_t mappable_base; /* PA of our GMADR */
42806
42807 /** "Graphics Stolen Memory" holds the global PTEs */
42808 void __iomem *gsm;
42809@@ -314,9 +314,9 @@ struct i915_gtt {
42810 int mtrr;
42811
42812 /* global gtt ops */
42813- int (*gtt_probe)(struct drm_device *dev, size_t *gtt_total,
42814- size_t *stolen, phys_addr_t *mappable_base,
42815- unsigned long *mappable_end);
42816+ int (*gtt_probe)(struct drm_device *dev, uint64_t *gtt_total,
42817+ uint64_t *stolen, uint64_t *mappable_base,
42818+ uint64_t *mappable_end);
42819 };
42820
42821 struct i915_hw_ppgtt {
42822diff --git a/drivers/gpu/drm/i915/i915_gem_stolen.c b/drivers/gpu/drm/i915/i915_gem_stolen.c
42823index 8b5b784..78711f6 100644
42824--- a/drivers/gpu/drm/i915/i915_gem_stolen.c
42825+++ b/drivers/gpu/drm/i915/i915_gem_stolen.c
42826@@ -310,7 +310,7 @@ int i915_gem_init_stolen(struct drm_device *dev)
42827 if (dev_priv->mm.stolen_base == 0)
42828 return 0;
42829
42830- DRM_DEBUG_KMS("found %zd bytes of stolen memory at %08lx\n",
42831+ DRM_DEBUG_KMS("found %lld bytes of stolen memory at %08lx\n",
42832 dev_priv->gtt.stolen_size, dev_priv->mm.stolen_base);
42833
42834 if (INTEL_INFO(dev)->gen >= 8) {
42835diff --git a/drivers/gpu/drm/i915/i915_ioc32.c b/drivers/gpu/drm/i915/i915_ioc32.c
42836index 23aa04c..1d25960 100644
42837--- a/drivers/gpu/drm/i915/i915_ioc32.c
42838+++ b/drivers/gpu/drm/i915/i915_ioc32.c
42839@@ -62,7 +62,7 @@ static int compat_i915_batchbuffer(struct file *file, unsigned int cmd,
42840 || __put_user(batchbuffer32.DR4, &batchbuffer->DR4)
42841 || __put_user(batchbuffer32.num_cliprects,
42842 &batchbuffer->num_cliprects)
42843- || __put_user((int __user *)(unsigned long)batchbuffer32.cliprects,
42844+ || __put_user((struct drm_clip_rect __user *)(unsigned long)batchbuffer32.cliprects,
42845 &batchbuffer->cliprects))
42846 return -EFAULT;
42847
42848@@ -91,13 +91,13 @@ static int compat_i915_cmdbuffer(struct file *file, unsigned int cmd,
42849
42850 cmdbuffer = compat_alloc_user_space(sizeof(*cmdbuffer));
42851 if (!access_ok(VERIFY_WRITE, cmdbuffer, sizeof(*cmdbuffer))
42852- || __put_user((int __user *)(unsigned long)cmdbuffer32.buf,
42853+ || __put_user((char __user *)(unsigned long)cmdbuffer32.buf,
42854 &cmdbuffer->buf)
42855 || __put_user(cmdbuffer32.sz, &cmdbuffer->sz)
42856 || __put_user(cmdbuffer32.DR1, &cmdbuffer->DR1)
42857 || __put_user(cmdbuffer32.DR4, &cmdbuffer->DR4)
42858 || __put_user(cmdbuffer32.num_cliprects, &cmdbuffer->num_cliprects)
42859- || __put_user((int __user *)(unsigned long)cmdbuffer32.cliprects,
42860+ || __put_user((struct drm_clip_rect __user *)(unsigned long)cmdbuffer32.cliprects,
42861 &cmdbuffer->cliprects))
42862 return -EFAULT;
42863
42864@@ -181,7 +181,7 @@ static int compat_i915_alloc(struct file *file, unsigned int cmd,
42865 (unsigned long)request);
42866 }
42867
42868-static drm_ioctl_compat_t *i915_compat_ioctls[] = {
42869+static drm_ioctl_compat_t i915_compat_ioctls[] = {
42870 [DRM_I915_BATCHBUFFER] = compat_i915_batchbuffer,
42871 [DRM_I915_CMDBUFFER] = compat_i915_cmdbuffer,
42872 [DRM_I915_GETPARAM] = compat_i915_getparam,
42873@@ -201,17 +201,13 @@ static drm_ioctl_compat_t *i915_compat_ioctls[] = {
42874 long i915_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
42875 {
42876 unsigned int nr = DRM_IOCTL_NR(cmd);
42877- drm_ioctl_compat_t *fn = NULL;
42878 int ret;
42879
42880 if (nr < DRM_COMMAND_BASE || nr >= DRM_COMMAND_END)
42881 return drm_compat_ioctl(filp, cmd, arg);
42882
42883- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(i915_compat_ioctls))
42884- fn = i915_compat_ioctls[nr - DRM_COMMAND_BASE];
42885-
42886- if (fn != NULL)
42887- ret = (*fn) (filp, cmd, arg);
42888+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(i915_compat_ioctls) && i915_compat_ioctls[nr - DRM_COMMAND_BASE])
42889+ ret = (*i915_compat_ioctls[nr - DRM_COMMAND_BASE])(filp, cmd, arg);
42890 else
42891 ret = drm_ioctl(filp, cmd, arg);
42892
42893diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c
42894index 107c6c0..e1926b0 100644
42895--- a/drivers/gpu/drm/i915/intel_display.c
42896+++ b/drivers/gpu/drm/i915/intel_display.c
42897@@ -14501,13 +14501,13 @@ struct intel_quirk {
42898 int subsystem_vendor;
42899 int subsystem_device;
42900 void (*hook)(struct drm_device *dev);
42901-};
42902+} __do_const;
42903
42904 /* For systems that don't have a meaningful PCI subdevice/subvendor ID */
42905 struct intel_dmi_quirk {
42906 void (*hook)(struct drm_device *dev);
42907 const struct dmi_system_id (*dmi_id_list)[];
42908-};
42909+} __do_const;
42910
42911 static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
42912 {
42913@@ -14515,18 +14515,20 @@ static int intel_dmi_reverse_brightness(const struct dmi_system_id *id)
42914 return 1;
42915 }
42916
42917-static const struct intel_dmi_quirk intel_dmi_quirks[] = {
42918+static const struct dmi_system_id intel_dmi_quirks_table[] = {
42919 {
42920- .dmi_id_list = &(const struct dmi_system_id[]) {
42921- {
42922- .callback = intel_dmi_reverse_brightness,
42923- .ident = "NCR Corporation",
42924- .matches = {DMI_MATCH(DMI_SYS_VENDOR, "NCR Corporation"),
42925- DMI_MATCH(DMI_PRODUCT_NAME, ""),
42926- },
42927- },
42928- { } /* terminating entry */
42929+ .callback = intel_dmi_reverse_brightness,
42930+ .ident = "NCR Corporation",
42931+ .matches = {DMI_MATCH(DMI_SYS_VENDOR, "NCR Corporation"),
42932+ DMI_MATCH(DMI_PRODUCT_NAME, ""),
42933 },
42934+ },
42935+ { } /* terminating entry */
42936+};
42937+
42938+static const struct intel_dmi_quirk intel_dmi_quirks[] = {
42939+ {
42940+ .dmi_id_list = &intel_dmi_quirks_table,
42941 .hook = quirk_invert_brightness,
42942 },
42943 };
42944diff --git a/drivers/gpu/drm/imx/imx-drm-core.c b/drivers/gpu/drm/imx/imx-drm-core.c
42945index 74f505b..21f6914 100644
42946--- a/drivers/gpu/drm/imx/imx-drm-core.c
42947+++ b/drivers/gpu/drm/imx/imx-drm-core.c
42948@@ -355,7 +355,7 @@ int imx_drm_add_crtc(struct drm_device *drm, struct drm_crtc *crtc,
42949 if (imxdrm->pipes >= MAX_CRTC)
42950 return -EINVAL;
42951
42952- if (imxdrm->drm->open_count)
42953+ if (local_read(&imxdrm->drm->open_count))
42954 return -EBUSY;
42955
42956 imx_drm_crtc = kzalloc(sizeof(*imx_drm_crtc), GFP_KERNEL);
42957diff --git a/drivers/gpu/drm/mga/mga_drv.h b/drivers/gpu/drm/mga/mga_drv.h
42958index b4a20149..219ab78 100644
42959--- a/drivers/gpu/drm/mga/mga_drv.h
42960+++ b/drivers/gpu/drm/mga/mga_drv.h
42961@@ -122,9 +122,9 @@ typedef struct drm_mga_private {
42962 u32 clear_cmd;
42963 u32 maccess;
42964
42965- atomic_t vbl_received; /**< Number of vblanks received. */
42966+ atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
42967 wait_queue_head_t fence_queue;
42968- atomic_t last_fence_retired;
42969+ atomic_unchecked_t last_fence_retired;
42970 u32 next_fence_to_post;
42971
42972 unsigned int fb_cpp;
42973diff --git a/drivers/gpu/drm/mga/mga_ioc32.c b/drivers/gpu/drm/mga/mga_ioc32.c
42974index 729bfd5..14bae78 100644
42975--- a/drivers/gpu/drm/mga/mga_ioc32.c
42976+++ b/drivers/gpu/drm/mga/mga_ioc32.c
42977@@ -190,7 +190,7 @@ static int compat_mga_dma_bootstrap(struct file *file, unsigned int cmd,
42978 return 0;
42979 }
42980
42981-drm_ioctl_compat_t *mga_compat_ioctls[] = {
42982+drm_ioctl_compat_t mga_compat_ioctls[] = {
42983 [DRM_MGA_INIT] = compat_mga_init,
42984 [DRM_MGA_GETPARAM] = compat_mga_getparam,
42985 [DRM_MGA_DMA_BOOTSTRAP] = compat_mga_dma_bootstrap,
42986@@ -208,17 +208,13 @@ drm_ioctl_compat_t *mga_compat_ioctls[] = {
42987 long mga_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
42988 {
42989 unsigned int nr = DRM_IOCTL_NR(cmd);
42990- drm_ioctl_compat_t *fn = NULL;
42991 int ret;
42992
42993 if (nr < DRM_COMMAND_BASE)
42994 return drm_compat_ioctl(filp, cmd, arg);
42995
42996- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(mga_compat_ioctls))
42997- fn = mga_compat_ioctls[nr - DRM_COMMAND_BASE];
42998-
42999- if (fn != NULL)
43000- ret = (*fn) (filp, cmd, arg);
43001+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(mga_compat_ioctls) && mga_compat_ioctls[nr - DRM_COMMAND_BASE])
43002+ ret = (*mga_compat_ioctls[nr - DRM_COMMAND_BASE]) (filp, cmd, arg);
43003 else
43004 ret = drm_ioctl(filp, cmd, arg);
43005
43006diff --git a/drivers/gpu/drm/mga/mga_irq.c b/drivers/gpu/drm/mga/mga_irq.c
43007index 1b071b8..de8601a 100644
43008--- a/drivers/gpu/drm/mga/mga_irq.c
43009+++ b/drivers/gpu/drm/mga/mga_irq.c
43010@@ -43,7 +43,7 @@ u32 mga_get_vblank_counter(struct drm_device *dev, int crtc)
43011 if (crtc != 0)
43012 return 0;
43013
43014- return atomic_read(&dev_priv->vbl_received);
43015+ return atomic_read_unchecked(&dev_priv->vbl_received);
43016 }
43017
43018
43019@@ -59,7 +59,7 @@ irqreturn_t mga_driver_irq_handler(int irq, void *arg)
43020 /* VBLANK interrupt */
43021 if (status & MGA_VLINEPEN) {
43022 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
43023- atomic_inc(&dev_priv->vbl_received);
43024+ atomic_inc_unchecked(&dev_priv->vbl_received);
43025 drm_handle_vblank(dev, 0);
43026 handled = 1;
43027 }
43028@@ -78,7 +78,7 @@ irqreturn_t mga_driver_irq_handler(int irq, void *arg)
43029 if ((prim_start & ~0x03) != (prim_end & ~0x03))
43030 MGA_WRITE(MGA_PRIMEND, prim_end);
43031
43032- atomic_inc(&dev_priv->last_fence_retired);
43033+ atomic_inc_unchecked(&dev_priv->last_fence_retired);
43034 wake_up(&dev_priv->fence_queue);
43035 handled = 1;
43036 }
43037@@ -129,7 +129,7 @@ int mga_driver_fence_wait(struct drm_device *dev, unsigned int *sequence)
43038 * using fences.
43039 */
43040 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * HZ,
43041- (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
43042+ (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
43043 - *sequence) <= (1 << 23)));
43044
43045 *sequence = cur_fence;
43046diff --git a/drivers/gpu/drm/nouveau/nouveau_bios.c b/drivers/gpu/drm/nouveau/nouveau_bios.c
43047index 0190b69..60c3eaf 100644
43048--- a/drivers/gpu/drm/nouveau/nouveau_bios.c
43049+++ b/drivers/gpu/drm/nouveau/nouveau_bios.c
43050@@ -963,7 +963,7 @@ static int parse_bit_tmds_tbl_entry(struct drm_device *dev, struct nvbios *bios,
43051 struct bit_table {
43052 const char id;
43053 int (* const parse_fn)(struct drm_device *, struct nvbios *, struct bit_entry *);
43054-};
43055+} __no_const;
43056
43057 #define BIT_TABLE(id, funcid) ((struct bit_table){ id, parse_bit_##funcid##_tbl_entry })
43058
43059diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.c b/drivers/gpu/drm/nouveau/nouveau_drm.c
43060index 477cbb1..109b826 100644
43061--- a/drivers/gpu/drm/nouveau/nouveau_drm.c
43062+++ b/drivers/gpu/drm/nouveau/nouveau_drm.c
43063@@ -946,7 +946,8 @@ static struct drm_driver
43064 driver_stub = {
43065 .driver_features =
43066 DRIVER_USE_AGP |
43067- DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER,
43068+ DRIVER_GEM | DRIVER_MODESET | DRIVER_PRIME | DRIVER_RENDER |
43069+ DRIVER_KMS_LEGACY_CONTEXT,
43070
43071 .load = nouveau_drm_load,
43072 .unload = nouveau_drm_unload,
43073diff --git a/drivers/gpu/drm/nouveau/nouveau_drm.h b/drivers/gpu/drm/nouveau/nouveau_drm.h
43074index dd72652..1fd2368 100644
43075--- a/drivers/gpu/drm/nouveau/nouveau_drm.h
43076+++ b/drivers/gpu/drm/nouveau/nouveau_drm.h
43077@@ -123,7 +123,6 @@ struct nouveau_drm {
43078 struct drm_global_reference mem_global_ref;
43079 struct ttm_bo_global_ref bo_global_ref;
43080 struct ttm_bo_device bdev;
43081- atomic_t validate_sequence;
43082 int (*move)(struct nouveau_channel *,
43083 struct ttm_buffer_object *,
43084 struct ttm_mem_reg *, struct ttm_mem_reg *);
43085diff --git a/drivers/gpu/drm/nouveau/nouveau_ioc32.c b/drivers/gpu/drm/nouveau/nouveau_ioc32.c
43086index 462679a..88e32a7 100644
43087--- a/drivers/gpu/drm/nouveau/nouveau_ioc32.c
43088+++ b/drivers/gpu/drm/nouveau/nouveau_ioc32.c
43089@@ -50,7 +50,7 @@ long nouveau_compat_ioctl(struct file *filp, unsigned int cmd,
43090 unsigned long arg)
43091 {
43092 unsigned int nr = DRM_IOCTL_NR(cmd);
43093- drm_ioctl_compat_t *fn = NULL;
43094+ drm_ioctl_compat_t fn = NULL;
43095 int ret;
43096
43097 if (nr < DRM_COMMAND_BASE)
43098diff --git a/drivers/gpu/drm/nouveau/nouveau_ttm.c b/drivers/gpu/drm/nouveau/nouveau_ttm.c
43099index 7464aef3..c63ae4f 100644
43100--- a/drivers/gpu/drm/nouveau/nouveau_ttm.c
43101+++ b/drivers/gpu/drm/nouveau/nouveau_ttm.c
43102@@ -130,11 +130,11 @@ nouveau_vram_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
43103 }
43104
43105 const struct ttm_mem_type_manager_func nouveau_vram_manager = {
43106- nouveau_vram_manager_init,
43107- nouveau_vram_manager_fini,
43108- nouveau_vram_manager_new,
43109- nouveau_vram_manager_del,
43110- nouveau_vram_manager_debug
43111+ .init = nouveau_vram_manager_init,
43112+ .takedown = nouveau_vram_manager_fini,
43113+ .get_node = nouveau_vram_manager_new,
43114+ .put_node = nouveau_vram_manager_del,
43115+ .debug = nouveau_vram_manager_debug
43116 };
43117
43118 static int
43119@@ -207,11 +207,11 @@ nouveau_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
43120 }
43121
43122 const struct ttm_mem_type_manager_func nouveau_gart_manager = {
43123- nouveau_gart_manager_init,
43124- nouveau_gart_manager_fini,
43125- nouveau_gart_manager_new,
43126- nouveau_gart_manager_del,
43127- nouveau_gart_manager_debug
43128+ .init = nouveau_gart_manager_init,
43129+ .takedown = nouveau_gart_manager_fini,
43130+ .get_node = nouveau_gart_manager_new,
43131+ .put_node = nouveau_gart_manager_del,
43132+ .debug = nouveau_gart_manager_debug
43133 };
43134
43135 /*XXX*/
43136@@ -280,11 +280,11 @@ nv04_gart_manager_debug(struct ttm_mem_type_manager *man, const char *prefix)
43137 }
43138
43139 const struct ttm_mem_type_manager_func nv04_gart_manager = {
43140- nv04_gart_manager_init,
43141- nv04_gart_manager_fini,
43142- nv04_gart_manager_new,
43143- nv04_gart_manager_del,
43144- nv04_gart_manager_debug
43145+ .init = nv04_gart_manager_init,
43146+ .takedown = nv04_gart_manager_fini,
43147+ .get_node = nv04_gart_manager_new,
43148+ .put_node = nv04_gart_manager_del,
43149+ .debug = nv04_gart_manager_debug
43150 };
43151
43152 int
43153diff --git a/drivers/gpu/drm/nouveau/nouveau_vga.c b/drivers/gpu/drm/nouveau/nouveau_vga.c
43154index c7592ec..dd45ebc 100644
43155--- a/drivers/gpu/drm/nouveau/nouveau_vga.c
43156+++ b/drivers/gpu/drm/nouveau/nouveau_vga.c
43157@@ -72,7 +72,7 @@ nouveau_switcheroo_can_switch(struct pci_dev *pdev)
43158 * locking inversion with the driver load path. And the access here is
43159 * completely racy anyway. So don't bother with locking for now.
43160 */
43161- return dev->open_count == 0;
43162+ return local_read(&dev->open_count) == 0;
43163 }
43164
43165 static const struct vga_switcheroo_client_ops
43166diff --git a/drivers/gpu/drm/omapdrm/Makefile b/drivers/gpu/drm/omapdrm/Makefile
43167index 778372b..4b81cb4 100644
43168--- a/drivers/gpu/drm/omapdrm/Makefile
43169+++ b/drivers/gpu/drm/omapdrm/Makefile
43170@@ -3,7 +3,7 @@
43171 # Direct Rendering Infrastructure (DRI)
43172 #
43173
43174-ccflags-y := -Iinclude/drm -Werror
43175+ccflags-y := -Iinclude/drm
43176 omapdrm-y := omap_drv.o \
43177 omap_irq.o \
43178 omap_debugfs.o \
43179diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c
43180index fdc1833..f307630 100644
43181--- a/drivers/gpu/drm/qxl/qxl_cmd.c
43182+++ b/drivers/gpu/drm/qxl/qxl_cmd.c
43183@@ -285,27 +285,27 @@ static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port,
43184 int ret;
43185
43186 mutex_lock(&qdev->async_io_mutex);
43187- irq_num = atomic_read(&qdev->irq_received_io_cmd);
43188+ irq_num = atomic_read_unchecked(&qdev->irq_received_io_cmd);
43189 if (qdev->last_sent_io_cmd > irq_num) {
43190 if (intr)
43191 ret = wait_event_interruptible_timeout(qdev->io_cmd_event,
43192- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43193+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43194 else
43195 ret = wait_event_timeout(qdev->io_cmd_event,
43196- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43197+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43198 /* 0 is timeout, just bail the "hw" has gone away */
43199 if (ret <= 0)
43200 goto out;
43201- irq_num = atomic_read(&qdev->irq_received_io_cmd);
43202+ irq_num = atomic_read_unchecked(&qdev->irq_received_io_cmd);
43203 }
43204 outb(val, addr);
43205 qdev->last_sent_io_cmd = irq_num + 1;
43206 if (intr)
43207 ret = wait_event_interruptible_timeout(qdev->io_cmd_event,
43208- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43209+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43210 else
43211 ret = wait_event_timeout(qdev->io_cmd_event,
43212- atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43213+ atomic_read_unchecked(&qdev->irq_received_io_cmd) > irq_num, 5*HZ);
43214 out:
43215 if (ret > 0)
43216 ret = 0;
43217diff --git a/drivers/gpu/drm/qxl/qxl_debugfs.c b/drivers/gpu/drm/qxl/qxl_debugfs.c
43218index 6911b8c..89d6867 100644
43219--- a/drivers/gpu/drm/qxl/qxl_debugfs.c
43220+++ b/drivers/gpu/drm/qxl/qxl_debugfs.c
43221@@ -42,10 +42,10 @@ qxl_debugfs_irq_received(struct seq_file *m, void *data)
43222 struct drm_info_node *node = (struct drm_info_node *) m->private;
43223 struct qxl_device *qdev = node->minor->dev->dev_private;
43224
43225- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received));
43226- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_display));
43227- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_cursor));
43228- seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_io_cmd));
43229+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received));
43230+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_display));
43231+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_cursor));
43232+ seq_printf(m, "%d\n", atomic_read_unchecked(&qdev->irq_received_io_cmd));
43233 seq_printf(m, "%d\n", qdev->irq_received_error);
43234 return 0;
43235 }
43236diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h
43237index 01a8694..584fb48 100644
43238--- a/drivers/gpu/drm/qxl/qxl_drv.h
43239+++ b/drivers/gpu/drm/qxl/qxl_drv.h
43240@@ -290,10 +290,10 @@ struct qxl_device {
43241 unsigned int last_sent_io_cmd;
43242
43243 /* interrupt handling */
43244- atomic_t irq_received;
43245- atomic_t irq_received_display;
43246- atomic_t irq_received_cursor;
43247- atomic_t irq_received_io_cmd;
43248+ atomic_unchecked_t irq_received;
43249+ atomic_unchecked_t irq_received_display;
43250+ atomic_unchecked_t irq_received_cursor;
43251+ atomic_unchecked_t irq_received_io_cmd;
43252 unsigned irq_received_error;
43253 wait_queue_head_t display_event;
43254 wait_queue_head_t cursor_event;
43255diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c
43256index bda5c5f..140ac46 100644
43257--- a/drivers/gpu/drm/qxl/qxl_ioctl.c
43258+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c
43259@@ -183,7 +183,7 @@ static int qxl_process_single_command(struct qxl_device *qdev,
43260
43261 /* TODO copy slow path code from i915 */
43262 fb_cmd = qxl_bo_kmap_atomic_page(qdev, cmd_bo, (release->release_offset & PAGE_SIZE));
43263- unwritten = __copy_from_user_inatomic_nocache(fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), (void *)(unsigned long)cmd->command, cmd->command_size);
43264+ unwritten = __copy_from_user_inatomic_nocache(fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), (void __force_user *)(unsigned long)cmd->command, cmd->command_size);
43265
43266 {
43267 struct qxl_drawable *draw = fb_cmd;
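Review bot: The rewritten copy line still masks with `PAGE_SIZE` rather than `PAGE_MASK`: `release->release_offset & ~PAGE_SIZE` clears a single bit instead of yielding the offset within the page, and the kmap line above it uses `& PAGE_SIZE` the same way. If the intent is page base plus in-page offset, which is how the two expressions are used here, they would read `release->release_offset & PAGE_MASK` and `release->release_offset & ~PAGE_MASK`. This arithmetic picks the destination of a copy from a user-supplied pointer, so it is worth correcting while the line is being touched. Any bound on `cmd->command_size` lies outside the hunk and should be confirmed against the corrected offset.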
43268@@ -203,7 +203,7 @@ static int qxl_process_single_command(struct qxl_device *qdev,
43269 struct drm_qxl_reloc reloc;
43270
43271 if (copy_from_user(&reloc,
43272- &((struct drm_qxl_reloc *)(uintptr_t)cmd->relocs)[i],
43273+ &((struct drm_qxl_reloc __force_user *)(uintptr_t)cmd->relocs)[i],
43274 sizeof(reloc))) {
43275 ret = -EFAULT;
43276 goto out_free_bos;
43277@@ -282,10 +282,10 @@ static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data,
43278
43279 for (cmd_num = 0; cmd_num < execbuffer->commands_num; ++cmd_num) {
43280
43281- struct drm_qxl_command *commands =
43282- (struct drm_qxl_command *)(uintptr_t)execbuffer->commands;
43283+ struct drm_qxl_command __user *commands =
43284+ (struct drm_qxl_command __user *)(uintptr_t)execbuffer->commands;
43285
43286- if (copy_from_user(&user_cmd, &commands[cmd_num],
43287+ if (copy_from_user(&user_cmd, (struct drm_qxl_command __force_user *)&commands[cmd_num],
43288 sizeof(user_cmd)))
43289 return -EFAULT;
43290
43291diff --git a/drivers/gpu/drm/qxl/qxl_irq.c b/drivers/gpu/drm/qxl/qxl_irq.c
43292index 0bf1e20..42a7310 100644
43293--- a/drivers/gpu/drm/qxl/qxl_irq.c
43294+++ b/drivers/gpu/drm/qxl/qxl_irq.c
43295@@ -36,19 +36,19 @@ irqreturn_t qxl_irq_handler(int irq, void *arg)
43296 if (!pending)
43297 return IRQ_NONE;
43298
43299- atomic_inc(&qdev->irq_received);
43300+ atomic_inc_unchecked(&qdev->irq_received);
43301
43302 if (pending & QXL_INTERRUPT_DISPLAY) {
43303- atomic_inc(&qdev->irq_received_display);
43304+ atomic_inc_unchecked(&qdev->irq_received_display);
43305 wake_up_all(&qdev->display_event);
43306 qxl_queue_garbage_collect(qdev, false);
43307 }
43308 if (pending & QXL_INTERRUPT_CURSOR) {
43309- atomic_inc(&qdev->irq_received_cursor);
43310+ atomic_inc_unchecked(&qdev->irq_received_cursor);
43311 wake_up_all(&qdev->cursor_event);
43312 }
43313 if (pending & QXL_INTERRUPT_IO_CMD) {
43314- atomic_inc(&qdev->irq_received_io_cmd);
43315+ atomic_inc_unchecked(&qdev->irq_received_io_cmd);
43316 wake_up_all(&qdev->io_cmd_event);
43317 }
43318 if (pending & QXL_INTERRUPT_ERROR) {
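Review bot: Nothing in this hunk records why the four interrupt counters move to `atomic_inc_unchecked()`, and the choice is security-relevant. The `_unchecked` variants opt a counter out of the overflow protection PaX applies to `atomic_t` (PAX_REFCOUNT), which is appropriate only for statistics that may wrap and never for anything that governs an object's lifetime. A comment at the field declarations (in a header outside this chunk) such as `/* event counter, wraps by design; not a reference count */` would let a later reader confirm that. The same applies to the `atomic_unchecked_t` fields in r128_drv.h, radeon_drv.h, via_drv.h and vmwgfx_drv.h further down this patch.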
43319@@ -85,10 +85,10 @@ int qxl_irq_init(struct qxl_device *qdev)
43320 init_waitqueue_head(&qdev->io_cmd_event);
43321 INIT_WORK(&qdev->client_monitors_config_work,
43322 qxl_client_monitors_config_work_func);
43323- atomic_set(&qdev->irq_received, 0);
43324- atomic_set(&qdev->irq_received_display, 0);
43325- atomic_set(&qdev->irq_received_cursor, 0);
43326- atomic_set(&qdev->irq_received_io_cmd, 0);
43327+ atomic_set_unchecked(&qdev->irq_received, 0);
43328+ atomic_set_unchecked(&qdev->irq_received_display, 0);
43329+ atomic_set_unchecked(&qdev->irq_received_cursor, 0);
43330+ atomic_set_unchecked(&qdev->irq_received_io_cmd, 0);
43331 qdev->irq_received_error = 0;
43332 ret = drm_irq_install(qdev->ddev, qdev->ddev->pdev->irq);
43333 qdev->ram_header->int_mask = QXL_INTERRUPT_MASK;
43334diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c
43335index 0cbc4c9..0e46686 100644
43336--- a/drivers/gpu/drm/qxl/qxl_ttm.c
43337+++ b/drivers/gpu/drm/qxl/qxl_ttm.c
43338@@ -103,7 +103,7 @@ static void qxl_ttm_global_fini(struct qxl_device *qdev)
43339 }
43340 }
43341
43342-static struct vm_operations_struct qxl_ttm_vm_ops;
43343+static vm_operations_struct_no_const qxl_ttm_vm_ops __read_only;
43344 static const struct vm_operations_struct *ttm_vm_ops;
43345
43346 static int qxl_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
43347@@ -145,8 +145,10 @@ int qxl_mmap(struct file *filp, struct vm_area_struct *vma)
43348 return r;
43349 if (unlikely(ttm_vm_ops == NULL)) {
43350 ttm_vm_ops = vma->vm_ops;
43351+ pax_open_kernel();
43352 qxl_ttm_vm_ops = *ttm_vm_ops;
43353 qxl_ttm_vm_ops.fault = &qxl_ttm_fault;
43354+ pax_close_kernel();
43355 }
43356 vma->vm_ops = &qxl_ttm_vm_ops;
43357 return 0;
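Review bot: The one-time setup in `qxl_mmap` assigns `ttm_vm_ops` before `qxl_ttm_vm_ops` has been filled in, so a second caller that sees `ttm_vm_ops != NULL` can skip the block and install `&qxl_ttm_vm_ops` while the struct copy and the `.fault` assignment are still in progress. The hunk shows no lock around this sequence, although a caller outside it may hold one. Since the patch now treats the table as read-only data that needs a `pax_open_kernel()` window, guarding the block with a mutex would serialize both the initialization and the write window in one place. `radeon_mmap` in radeon_ttm.c has the same sequence.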
43358@@ -464,25 +466,23 @@ static int qxl_mm_dump_table(struct seq_file *m, void *data)
43359 static int qxl_ttm_debugfs_init(struct qxl_device *qdev)
43360 {
43361 #if defined(CONFIG_DEBUG_FS)
43362- static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES];
43363- static char qxl_mem_types_names[QXL_DEBUGFS_MEM_TYPES][32];
43364- unsigned i;
43365+ static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES] = {
43366+ {
43367+ .name = "qxl_mem_mm",
43368+ .show = &qxl_mm_dump_table,
43369+ },
43370+ {
43371+ .name = "qxl_surf_mm",
43372+ .show = &qxl_mm_dump_table,
43373+ }
43374+ };
43375
43376- for (i = 0; i < QXL_DEBUGFS_MEM_TYPES; i++) {
43377- if (i == 0)
43378- sprintf(qxl_mem_types_names[i], "qxl_mem_mm");
43379- else
43380- sprintf(qxl_mem_types_names[i], "qxl_surf_mm");
43381- qxl_mem_types_list[i].name = qxl_mem_types_names[i];
43382- qxl_mem_types_list[i].show = &qxl_mm_dump_table;
43383- qxl_mem_types_list[i].driver_features = 0;
43384- if (i == 0)
43385- qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv;
43386- else
43387- qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv;
43388+ pax_open_kernel();
43389+ *(void **)&qxl_mem_types_list[0].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv;
43390+ *(void **)&qxl_mem_types_list[1].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv;
43391+ pax_close_kernel();
43392
43393- }
43394- return qxl_debugfs_add_files(qdev, qxl_mem_types_list, i);
43395+ return qxl_debugfs_add_files(qdev, qxl_mem_types_list, QXL_DEBUGFS_MEM_TYPES);
43396 #else
43397 return 0;
43398 #endif
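Review bot: The initializer hard-codes two entries and the stores use indices `[0]` and `[1]`, while the array is sized and registered with `QXL_DEBUGFS_MEM_TYPES`; the two agree only if that macro is 2, and its definition is outside this hunk. If it were larger, zero-filled entries with a NULL `.name` and `.show` would be handed to `qxl_debugfs_add_files()`. Adding `BUILD_BUG_ON(QXL_DEBUGFS_MEM_TYPES != 2);` after the declaration would pin the assumption at compile time. A one-line comment that the `*(void **)&` cast is there to store into a field this patch presumably makes const elsewhere would also help, since that type change is not visible here.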
43399diff --git a/drivers/gpu/drm/r128/r128_cce.c b/drivers/gpu/drm/r128/r128_cce.c
43400index 2c45ac9..5d740f8 100644
43401--- a/drivers/gpu/drm/r128/r128_cce.c
43402+++ b/drivers/gpu/drm/r128/r128_cce.c
43403@@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_device *dev, drm_r128_init_t *init)
43404
43405 /* GH: Simple idle check.
43406 */
43407- atomic_set(&dev_priv->idle_count, 0);
43408+ atomic_set_unchecked(&dev_priv->idle_count, 0);
43409
43410 /* We don't support anything other than bus-mastering ring mode,
43411 * but the ring can be in either AGP or PCI space for the ring
43412diff --git a/drivers/gpu/drm/r128/r128_drv.h b/drivers/gpu/drm/r128/r128_drv.h
43413index 723e5d6..102dbaf 100644
43414--- a/drivers/gpu/drm/r128/r128_drv.h
43415+++ b/drivers/gpu/drm/r128/r128_drv.h
43416@@ -93,14 +93,14 @@ typedef struct drm_r128_private {
43417 int is_pci;
43418 unsigned long cce_buffers_offset;
43419
43420- atomic_t idle_count;
43421+ atomic_unchecked_t idle_count;
43422
43423 int page_flipping;
43424 int current_page;
43425 u32 crtc_offset;
43426 u32 crtc_offset_cntl;
43427
43428- atomic_t vbl_received;
43429+ atomic_unchecked_t vbl_received;
43430
43431 u32 color_fmt;
43432 unsigned int front_offset;
43433diff --git a/drivers/gpu/drm/r128/r128_ioc32.c b/drivers/gpu/drm/r128/r128_ioc32.c
43434index 663f38c..ec159a1 100644
43435--- a/drivers/gpu/drm/r128/r128_ioc32.c
43436+++ b/drivers/gpu/drm/r128/r128_ioc32.c
43437@@ -178,7 +178,7 @@ static int compat_r128_getparam(struct file *file, unsigned int cmd,
43438 return drm_ioctl(file, DRM_IOCTL_R128_GETPARAM, (unsigned long)getparam);
43439 }
43440
43441-drm_ioctl_compat_t *r128_compat_ioctls[] = {
43442+drm_ioctl_compat_t r128_compat_ioctls[] = {
43443 [DRM_R128_INIT] = compat_r128_init,
43444 [DRM_R128_DEPTH] = compat_r128_depth,
43445 [DRM_R128_STIPPLE] = compat_r128_stipple,
43446@@ -197,17 +197,13 @@ drm_ioctl_compat_t *r128_compat_ioctls[] = {
43447 long r128_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
43448 {
43449 unsigned int nr = DRM_IOCTL_NR(cmd);
43450- drm_ioctl_compat_t *fn = NULL;
43451 int ret;
43452
43453 if (nr < DRM_COMMAND_BASE)
43454 return drm_compat_ioctl(filp, cmd, arg);
43455
43456- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(r128_compat_ioctls))
43457- fn = r128_compat_ioctls[nr - DRM_COMMAND_BASE];
43458-
43459- if (fn != NULL)
43460- ret = (*fn) (filp, cmd, arg);
43461+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(r128_compat_ioctls) && r128_compat_ioctls[nr - DRM_COMMAND_BASE])
43462+ ret = (*r128_compat_ioctls[nr - DRM_COMMAND_BASE]) (filp, cmd, arg);
43463 else
43464 ret = drm_ioctl(filp, cmd, arg);
43465
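Review bot: The new condition in `r128_compat_ioctl` spells out `r128_compat_ioctls[nr - DRM_COMMAND_BASE]` twice on one long line, which is harder to audit than the two-step lookup it replaces. A named index keeps the bounds test and the table access visibly tied together: `unsigned int idx = nr - DRM_COMMAND_BASE;`, then `if (idx < ARRAY_SIZE(r128_compat_ioctls) && r128_compat_ioctls[idx])` and `ret = (*r128_compat_ioctls[idx])(filp, cmd, arg);`. The subtraction cannot wrap there because the `nr < DRM_COMMAND_BASE` case has already returned. The `radeon_compat_ioctl` hunk in radeon_ioc32.c has the same shape, and the tail of this function lies outside the hunk.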
43466diff --git a/drivers/gpu/drm/r128/r128_irq.c b/drivers/gpu/drm/r128/r128_irq.c
43467index c2ae496..30b5993 100644
43468--- a/drivers/gpu/drm/r128/r128_irq.c
43469+++ b/drivers/gpu/drm/r128/r128_irq.c
43470@@ -41,7 +41,7 @@ u32 r128_get_vblank_counter(struct drm_device *dev, int crtc)
43471 if (crtc != 0)
43472 return 0;
43473
43474- return atomic_read(&dev_priv->vbl_received);
43475+ return atomic_read_unchecked(&dev_priv->vbl_received);
43476 }
43477
43478 irqreturn_t r128_driver_irq_handler(int irq, void *arg)
43479@@ -55,7 +55,7 @@ irqreturn_t r128_driver_irq_handler(int irq, void *arg)
43480 /* VBLANK interrupt */
43481 if (status & R128_CRTC_VBLANK_INT) {
43482 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
43483- atomic_inc(&dev_priv->vbl_received);
43484+ atomic_inc_unchecked(&dev_priv->vbl_received);
43485 drm_handle_vblank(dev, 0);
43486 return IRQ_HANDLED;
43487 }
43488diff --git a/drivers/gpu/drm/r128/r128_state.c b/drivers/gpu/drm/r128/r128_state.c
43489index 8fd2d9f..18c9660 100644
43490--- a/drivers/gpu/drm/r128/r128_state.c
43491+++ b/drivers/gpu/drm/r128/r128_state.c
43492@@ -320,10 +320,10 @@ static void r128_clear_box(drm_r128_private_t *dev_priv,
43493
43494 static void r128_cce_performance_boxes(drm_r128_private_t *dev_priv)
43495 {
43496- if (atomic_read(&dev_priv->idle_count) == 0)
43497+ if (atomic_read_unchecked(&dev_priv->idle_count) == 0)
43498 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
43499 else
43500- atomic_set(&dev_priv->idle_count, 0);
43501+ atomic_set_unchecked(&dev_priv->idle_count, 0);
43502 }
43503
43504 #endif
43505diff --git a/drivers/gpu/drm/radeon/mkregtable.c b/drivers/gpu/drm/radeon/mkregtable.c
43506index b928c17..e5d9400 100644
43507--- a/drivers/gpu/drm/radeon/mkregtable.c
43508+++ b/drivers/gpu/drm/radeon/mkregtable.c
43509@@ -624,14 +624,14 @@ static int parser_auth(struct table *t, const char *filename)
43510 regex_t mask_rex;
43511 regmatch_t match[4];
43512 char buf[1024];
43513- size_t end;
43514+ long end;
43515 int len;
43516 int done = 0;
43517 int r;
43518 unsigned o;
43519 struct offset *offset;
43520 char last_reg_s[10];
43521- int last_reg;
43522+ unsigned long last_reg;
43523
43524 if (regcomp
43525 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
43526diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
43527index d8319da..d6e066f 100644
43528--- a/drivers/gpu/drm/radeon/radeon_device.c
43529+++ b/drivers/gpu/drm/radeon/radeon_device.c
43530@@ -1253,7 +1253,7 @@ static bool radeon_switcheroo_can_switch(struct pci_dev *pdev)
43531 * locking inversion with the driver load path. And the access here is
43532 * completely racy anyway. So don't bother with locking for now.
43533 */
43534- return dev->open_count == 0;
43535+ return local_read(&dev->open_count) == 0;
43536 }
43537
43538 static const struct vga_switcheroo_client_ops radeon_switcheroo_ops = {
43539diff --git a/drivers/gpu/drm/radeon/radeon_drv.h b/drivers/gpu/drm/radeon/radeon_drv.h
43540index 46bd393..6ae4719 100644
43541--- a/drivers/gpu/drm/radeon/radeon_drv.h
43542+++ b/drivers/gpu/drm/radeon/radeon_drv.h
43543@@ -264,7 +264,7 @@ typedef struct drm_radeon_private {
43544
43545 /* SW interrupt */
43546 wait_queue_head_t swi_queue;
43547- atomic_t swi_emitted;
43548+ atomic_unchecked_t swi_emitted;
43549 int vblank_crtc;
43550 uint32_t irq_enable_reg;
43551 uint32_t r500_disp_irq_reg;
43552diff --git a/drivers/gpu/drm/radeon/radeon_ioc32.c b/drivers/gpu/drm/radeon/radeon_ioc32.c
43553index 0b98ea1..a3c770f 100644
43554--- a/drivers/gpu/drm/radeon/radeon_ioc32.c
43555+++ b/drivers/gpu/drm/radeon/radeon_ioc32.c
43556@@ -358,7 +358,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd,
43557 request = compat_alloc_user_space(sizeof(*request));
43558 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
43559 || __put_user(req32.param, &request->param)
43560- || __put_user((void __user *)(unsigned long)req32.value,
43561+ || __put_user((unsigned long)req32.value,
43562 &request->value))
43563 return -EFAULT;
43564
43565@@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(struct file *file, unsigned int cmd,
43566 #define compat_radeon_cp_setparam NULL
43567 #endif /* X86_64 || IA64 */
43568
43569-static drm_ioctl_compat_t *radeon_compat_ioctls[] = {
43570+static drm_ioctl_compat_t radeon_compat_ioctls[] = {
43571 [DRM_RADEON_CP_INIT] = compat_radeon_cp_init,
43572 [DRM_RADEON_CLEAR] = compat_radeon_cp_clear,
43573 [DRM_RADEON_STIPPLE] = compat_radeon_cp_stipple,
43574@@ -393,17 +393,13 @@ static drm_ioctl_compat_t *radeon_compat_ioctls[] = {
43575 long radeon_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
43576 {
43577 unsigned int nr = DRM_IOCTL_NR(cmd);
43578- drm_ioctl_compat_t *fn = NULL;
43579 int ret;
43580
43581 if (nr < DRM_COMMAND_BASE)
43582 return drm_compat_ioctl(filp, cmd, arg);
43583
43584- if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(radeon_compat_ioctls))
43585- fn = radeon_compat_ioctls[nr - DRM_COMMAND_BASE];
43586-
43587- if (fn != NULL)
43588- ret = (*fn) (filp, cmd, arg);
43589+ if (nr < DRM_COMMAND_BASE + ARRAY_SIZE(radeon_compat_ioctls) && radeon_compat_ioctls[nr - DRM_COMMAND_BASE])
43590+ ret = (*radeon_compat_ioctls[nr - DRM_COMMAND_BASE]) (filp, cmd, arg);
43591 else
43592 ret = drm_ioctl(filp, cmd, arg);
43593
43594diff --git a/drivers/gpu/drm/radeon/radeon_irq.c b/drivers/gpu/drm/radeon/radeon_irq.c
43595index 244b19b..c19226d 100644
43596--- a/drivers/gpu/drm/radeon/radeon_irq.c
43597+++ b/drivers/gpu/drm/radeon/radeon_irq.c
43598@@ -226,8 +226,8 @@ static int radeon_emit_irq(struct drm_device * dev)
43599 unsigned int ret;
43600 RING_LOCALS;
43601
43602- atomic_inc(&dev_priv->swi_emitted);
43603- ret = atomic_read(&dev_priv->swi_emitted);
43604+ atomic_inc_unchecked(&dev_priv->swi_emitted);
43605+ ret = atomic_read_unchecked(&dev_priv->swi_emitted);
43606
43607 BEGIN_RING(4);
43608 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
43609@@ -353,7 +353,7 @@ int radeon_driver_irq_postinstall(struct drm_device *dev)
43610 drm_radeon_private_t *dev_priv =
43611 (drm_radeon_private_t *) dev->dev_private;
43612
43613- atomic_set(&dev_priv->swi_emitted, 0);
43614+ atomic_set_unchecked(&dev_priv->swi_emitted, 0);
43615 init_waitqueue_head(&dev_priv->swi_queue);
43616
43617 dev->max_vblank_count = 0x001fffff;
43618diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c
43619index 15aee72..cda326e 100644
43620--- a/drivers/gpu/drm/radeon/radeon_state.c
43621+++ b/drivers/gpu/drm/radeon/radeon_state.c
43622@@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_device *dev, void *data, struct drm_file *
43623 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
43624 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
43625
43626- if (copy_from_user(&depth_boxes, clear->depth_boxes,
43627+ if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || copy_from_user(&depth_boxes, clear->depth_boxes,
43628 sarea_priv->nbox * sizeof(depth_boxes[0])))
43629 return -EFAULT;
43630
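Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test reads the field again, and the size expression `sarea_priv->nbox * sizeof(depth_boxes[0])` reads it once more, so the value that is checked is still not guaranteed to be the value that sizes the copy into `depth_boxes`. That matters if `sarea_priv` points into memory that user space can write concurrently, which the re-check suggests but the hunk does not show. Reading the count once, for example `nbox = READ_ONCE(sarea_priv->nbox);`, then clamping and using only that local in `copy_from_user()` closes the gap instead of narrowing it. Later uses of `sarea_priv->nbox` in `radeon_cp_clear` are outside this hunk and would need the same local.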
43631@@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm_device *dev, void *data, struct drm_fil
43632 {
43633 drm_radeon_private_t *dev_priv = dev->dev_private;
43634 drm_radeon_getparam_t *param = data;
43635- int value;
43636+ int value = 0;
43637
43638 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
43639
43640diff --git a/drivers/gpu/drm/radeon/radeon_ttm.c b/drivers/gpu/drm/radeon/radeon_ttm.c
43641index 06ac59fe..57e0681 100644
43642--- a/drivers/gpu/drm/radeon/radeon_ttm.c
43643+++ b/drivers/gpu/drm/radeon/radeon_ttm.c
43644@@ -961,7 +961,7 @@ void radeon_ttm_set_active_vram_size(struct radeon_device *rdev, u64 size)
43645 man->size = size >> PAGE_SHIFT;
43646 }
43647
43648-static struct vm_operations_struct radeon_ttm_vm_ops;
43649+static vm_operations_struct_no_const radeon_ttm_vm_ops __read_only;
43650 static const struct vm_operations_struct *ttm_vm_ops = NULL;
43651
43652 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
43653@@ -1002,8 +1002,10 @@ int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
43654 }
43655 if (unlikely(ttm_vm_ops == NULL)) {
43656 ttm_vm_ops = vma->vm_ops;
43657+ pax_open_kernel();
43658 radeon_ttm_vm_ops = *ttm_vm_ops;
43659 radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
43660+ pax_close_kernel();
43661 }
43662 vma->vm_ops = &radeon_ttm_vm_ops;
43663 return 0;
43664diff --git a/drivers/gpu/drm/tegra/dc.c b/drivers/gpu/drm/tegra/dc.c
43665index a287e4f..df1d5dd 100644
43666--- a/drivers/gpu/drm/tegra/dc.c
43667+++ b/drivers/gpu/drm/tegra/dc.c
43668@@ -1594,7 +1594,7 @@ static int tegra_dc_debugfs_init(struct tegra_dc *dc, struct drm_minor *minor)
43669 }
43670
43671 for (i = 0; i < ARRAY_SIZE(debugfs_files); i++)
43672- dc->debugfs_files[i].data = dc;
43673+ *(void **)&dc->debugfs_files[i].data = dc;
43674
43675 err = drm_debugfs_create_files(dc->debugfs_files,
43676 ARRAY_SIZE(debugfs_files),
43677diff --git a/drivers/gpu/drm/tegra/dsi.c b/drivers/gpu/drm/tegra/dsi.c
43678index ed970f6..4eeea42 100644
43679--- a/drivers/gpu/drm/tegra/dsi.c
43680+++ b/drivers/gpu/drm/tegra/dsi.c
43681@@ -62,7 +62,7 @@ struct tegra_dsi {
43682 struct clk *clk_lp;
43683 struct clk *clk;
43684
43685- struct drm_info_list *debugfs_files;
43686+ drm_info_list_no_const *debugfs_files;
43687 struct drm_minor *minor;
43688 struct dentry *debugfs;
43689
43690diff --git a/drivers/gpu/drm/tegra/hdmi.c b/drivers/gpu/drm/tegra/hdmi.c
43691index 06ab178..b5324e4 100644
43692--- a/drivers/gpu/drm/tegra/hdmi.c
43693+++ b/drivers/gpu/drm/tegra/hdmi.c
43694@@ -64,7 +64,7 @@ struct tegra_hdmi {
43695 bool stereo;
43696 bool dvi;
43697
43698- struct drm_info_list *debugfs_files;
43699+ drm_info_list_no_const *debugfs_files;
43700 struct drm_minor *minor;
43701 struct dentry *debugfs;
43702 };
43703diff --git a/drivers/gpu/drm/tegra/sor.c b/drivers/gpu/drm/tegra/sor.c
43704index 7591d89..463e2b6 100644
43705--- a/drivers/gpu/drm/tegra/sor.c
43706+++ b/drivers/gpu/drm/tegra/sor.c
43707@@ -826,8 +826,11 @@ static int tegra_sor_debugfs_init(struct tegra_sor *sor,
43708 goto remove;
43709 }
43710
43711- for (i = 0; i < ARRAY_SIZE(debugfs_files); i++)
43712- sor->debugfs_files[i].data = sor;
43713+ for (i = 0; i < ARRAY_SIZE(debugfs_files); i++) {
43714+ pax_open_kernel();
43715+ *(void **)&sor->debugfs_files[i].data = sor;
43716+ pax_close_kernel();
43717+ }
43718
43719 err = drm_debugfs_create_files(sor->debugfs_files,
43720 ARRAY_SIZE(debugfs_files),
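Review bot: `pax_open_kernel()` and `pax_close_kernel()` are called once per loop iteration here, while the equivalent store in tegra/dc.c (`*(void **)&dc->debugfs_files[i].data = dc;`) is done with no window at all, so the two hunks disagree about whether this memory is write-protected. If `sor->debugfs_files` is a writable per-device copy (its allocation is outside the hunk), the pair can be dropped to match dc.c; if it is protected, dc.c needs the pair too. Where the window is needed, opening it once around the whole loop keeps it to a single region that is easy to audit. dsi.c and hdmi.c take a third route by retyping the field as `drm_info_list_no_const *`, and one approach across the driver would be simpler to review.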
43721diff --git a/drivers/gpu/drm/tilcdc/Makefile b/drivers/gpu/drm/tilcdc/Makefile
43722index deeca48..54e1b6c 100644
43723--- a/drivers/gpu/drm/tilcdc/Makefile
43724+++ b/drivers/gpu/drm/tilcdc/Makefile
43725@@ -1,7 +1,7 @@
43726 ccflags-y := -Iinclude/drm
43727-ifeq (, $(findstring -W,$(EXTRA_CFLAGS)))
43728- ccflags-y += -Werror
43729-endif
43730+#ifeq (, $(findstring -W,$(EXTRA_CFLAGS)))
43731+# ccflags-y += -Werror
43732+#endif
43733
43734 obj-$(CONFIG_DRM_TILCDC_SLAVE_COMPAT) += tilcdc_slave_compat.o \
43735 tilcdc_slave_compat.dtb.o
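Review bot: Commenting the `-Werror` block out leaves dead lines in the Makefile with no record of why warnings stopped being fatal for this driver. Either delete the three lines or put the reason above them, e.g. `# -Werror disabled: <reason>`, so the flag can be restored once the cause is gone.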
43736diff --git a/drivers/gpu/drm/ttm/ttm_bo_manager.c b/drivers/gpu/drm/ttm/ttm_bo_manager.c
43737index aa0bd054..aea6a01 100644
43738--- a/drivers/gpu/drm/ttm/ttm_bo_manager.c
43739+++ b/drivers/gpu/drm/ttm/ttm_bo_manager.c
43740@@ -148,10 +148,10 @@ static void ttm_bo_man_debug(struct ttm_mem_type_manager *man,
43741 }
43742
43743 const struct ttm_mem_type_manager_func ttm_bo_manager_func = {
43744- ttm_bo_man_init,
43745- ttm_bo_man_takedown,
43746- ttm_bo_man_get_node,
43747- ttm_bo_man_put_node,
43748- ttm_bo_man_debug
43749+ .init = ttm_bo_man_init,
43750+ .takedown = ttm_bo_man_takedown,
43751+ .get_node = ttm_bo_man_get_node,
43752+ .put_node = ttm_bo_man_put_node,
43753+ .debug = ttm_bo_man_debug
43754 };
43755 EXPORT_SYMBOL(ttm_bo_manager_func);
43756diff --git a/drivers/gpu/drm/ttm/ttm_memory.c b/drivers/gpu/drm/ttm/ttm_memory.c
43757index a1803fb..c53f6b0 100644
43758--- a/drivers/gpu/drm/ttm/ttm_memory.c
43759+++ b/drivers/gpu/drm/ttm/ttm_memory.c
43760@@ -264,7 +264,7 @@ static int ttm_mem_init_kernel_zone(struct ttm_mem_global *glob,
43761 zone->glob = glob;
43762 glob->zone_kernel = zone;
43763 ret = kobject_init_and_add(
43764- &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, zone->name);
43765+ &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, "%s", zone->name);
43766 if (unlikely(ret != 0)) {
43767 kobject_put(&zone->kobj);
43768 return ret;
43769@@ -348,7 +348,7 @@ static int ttm_mem_init_dma32_zone(struct ttm_mem_global *glob,
43770 zone->glob = glob;
43771 glob->zone_dma32 = zone;
43772 ret = kobject_init_and_add(
43773- &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, zone->name);
43774+ &zone->kobj, &ttm_mem_zone_kobj_type, &glob->kobj, "%s", zone->name);
43775 if (unlikely(ret != 0)) {
43776 kobject_put(&zone->kobj);
43777 return ret;
43778diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc.c b/drivers/gpu/drm/ttm/ttm_page_alloc.c
43779index 025c429..314062f 100644
43780--- a/drivers/gpu/drm/ttm/ttm_page_alloc.c
43781+++ b/drivers/gpu/drm/ttm/ttm_page_alloc.c
43782@@ -54,7 +54,7 @@
43783
43784 #define NUM_PAGES_TO_ALLOC (PAGE_SIZE/sizeof(struct page *))
43785 #define SMALL_ALLOCATION 16
43786-#define FREE_ALL_PAGES (~0U)
43787+#define FREE_ALL_PAGES (~0UL)
43788 /* times are in msecs */
43789 #define PAGE_FREE_INTERVAL 1000
43790
43791@@ -299,15 +299,14 @@ static void ttm_pool_update_free_locked(struct ttm_page_pool *pool,
43792 * @free_all: If set to true will free all pages in pool
43793 * @use_static: Safe to use static buffer
43794 **/
43795-static int ttm_page_pool_free(struct ttm_page_pool *pool, unsigned nr_free,
43796+static unsigned long ttm_page_pool_free(struct ttm_page_pool *pool, unsigned long nr_free,
43797 bool use_static)
43798 {
43799 static struct page *static_buf[NUM_PAGES_TO_ALLOC];
43800 unsigned long irq_flags;
43801 struct page *p;
43802 struct page **pages_to_free;
43803- unsigned freed_pages = 0,
43804- npages_to_free = nr_free;
43805+ unsigned long freed_pages = 0, npages_to_free = nr_free;
43806
43807 if (NUM_PAGES_TO_ALLOC < nr_free)
43808 npages_to_free = NUM_PAGES_TO_ALLOC;
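Review bot: The kernel-doc above `ttm_page_pool_free` still documents `@free_all: If set to true will free all pages in pool`, but the parameter is `nr_free`, now an `unsigned long` count with `FREE_ALL_PAGES` (`~0UL`) as the free-everything sentinel. Suggested replacement: `@nr_free: number of pages to free, or FREE_ALL_PAGES to empty the pool`, plus a line describing the return value (in the DMA variant the caller treats it as the number still left to free). The matching comment in ttm_page_alloc_dma.c reads `@nr_free: If set to true will free all pages in pool` and needs the same correction. Separately, the `ttm_get_pages` hunk widens `count` while its header line still shows `unsigned npages`; the full signature is outside that hunk.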
43809@@ -371,7 +370,8 @@ restart:
43810 __list_del(&p->lru, &pool->list);
43811
43812 ttm_pool_update_free_locked(pool, freed_pages);
43813- nr_free -= freed_pages;
43814+ if (likely(nr_free != FREE_ALL_PAGES))
43815+ nr_free -= freed_pages;
43816 }
43817
43818 spin_unlock_irqrestore(&pool->lock, irq_flags);
43819@@ -399,7 +399,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43820 unsigned i;
43821 unsigned pool_offset;
43822 struct ttm_page_pool *pool;
43823- int shrink_pages = sc->nr_to_scan;
43824+ unsigned long shrink_pages = sc->nr_to_scan;
43825 unsigned long freed = 0;
43826
43827 if (!mutex_trylock(&lock))
43828@@ -407,7 +407,7 @@ ttm_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43829 pool_offset = ++start_pool % NUM_POOLS;
43830 /* select start pool in round robin fashion */
43831 for (i = 0; i < NUM_POOLS; ++i) {
43832- unsigned nr_free = shrink_pages;
43833+ unsigned long nr_free = shrink_pages;
43834 if (shrink_pages == 0)
43835 break;
43836 pool = &_manager->pools[(i + pool_offset)%NUM_POOLS];
43837@@ -673,7 +673,7 @@ out:
43838 }
43839
43840 /* Put all pages in pages list to correct pool to wait for reuse */
43841-static void ttm_put_pages(struct page **pages, unsigned npages, int flags,
43842+static void ttm_put_pages(struct page **pages, unsigned long npages, int flags,
43843 enum ttm_caching_state cstate)
43844 {
43845 unsigned long irq_flags;
43846@@ -728,7 +728,7 @@ static int ttm_get_pages(struct page **pages, unsigned npages, int flags,
43847 struct list_head plist;
43848 struct page *p = NULL;
43849 gfp_t gfp_flags = GFP_USER;
43850- unsigned count;
43851+ unsigned long count;
43852 int r;
43853
43854 /* set zero flag for page allocation if required */
43855diff --git a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
43856index 624d941..106fa1f 100644
43857--- a/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
43858+++ b/drivers/gpu/drm/ttm/ttm_page_alloc_dma.c
43859@@ -56,7 +56,7 @@
43860
43861 #define NUM_PAGES_TO_ALLOC (PAGE_SIZE/sizeof(struct page *))
43862 #define SMALL_ALLOCATION 4
43863-#define FREE_ALL_PAGES (~0U)
43864+#define FREE_ALL_PAGES (~0UL)
43865 /* times are in msecs */
43866 #define IS_UNDEFINED (0)
43867 #define IS_WC (1<<1)
43868@@ -416,7 +416,7 @@ static void ttm_dma_page_put(struct dma_pool *pool, struct dma_page *d_page)
43869 * @nr_free: If set to true will free all pages in pool
43870 * @use_static: Safe to use static buffer
43871 **/
43872-static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
43873+static unsigned long ttm_dma_page_pool_free(struct dma_pool *pool, unsigned long nr_free,
43874 bool use_static)
43875 {
43876 static struct page *static_buf[NUM_PAGES_TO_ALLOC];
43877@@ -424,8 +424,7 @@ static unsigned ttm_dma_page_pool_free(struct dma_pool *pool, unsigned nr_free,
43878 struct dma_page *dma_p, *tmp;
43879 struct page **pages_to_free;
43880 struct list_head d_pages;
43881- unsigned freed_pages = 0,
43882- npages_to_free = nr_free;
43883+ unsigned long freed_pages = 0, npages_to_free = nr_free;
43884
43885 if (NUM_PAGES_TO_ALLOC < nr_free)
43886 npages_to_free = NUM_PAGES_TO_ALLOC;
43887@@ -502,7 +501,8 @@ restart:
43888 /* remove range of pages from the pool */
43889 if (freed_pages) {
43890 ttm_pool_update_free_locked(pool, freed_pages);
43891- nr_free -= freed_pages;
43892+ if (likely(nr_free != FREE_ALL_PAGES))
43893+ nr_free -= freed_pages;
43894 }
43895
43896 spin_unlock_irqrestore(&pool->lock, irq_flags);
43897@@ -939,7 +939,7 @@ void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev)
43898 struct dma_page *d_page, *next;
43899 enum pool_type type;
43900 bool is_cached = false;
43901- unsigned count = 0, i, npages = 0;
43902+ unsigned long count = 0, i, npages = 0;
43903 unsigned long irq_flags;
43904
43905 type = ttm_to_type(ttm->page_flags, ttm->caching_state);
43906@@ -1014,7 +1014,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43907 static unsigned start_pool;
43908 unsigned idx = 0;
43909 unsigned pool_offset;
43910- unsigned shrink_pages = sc->nr_to_scan;
43911+ unsigned long shrink_pages = sc->nr_to_scan;
43912 struct device_pools *p;
43913 unsigned long freed = 0;
43914
43915@@ -1027,7 +1027,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43916 goto out;
43917 pool_offset = ++start_pool % _manager->npools;
43918 list_for_each_entry(p, &_manager->pools, pools) {
43919- unsigned nr_free;
43920+ unsigned long nr_free;
43921
43922 if (!p->dev)
43923 continue;
43924@@ -1041,7 +1041,7 @@ ttm_dma_pool_shrink_scan(struct shrinker *shrink, struct shrink_control *sc)
43925 shrink_pages = ttm_dma_page_pool_free(p->pool, nr_free, true);
43926 freed += nr_free - shrink_pages;
43927
43928- pr_debug("%s: (%s:%d) Asked to shrink %d, have %d more to go\n",
43929+ pr_debug("%s: (%s:%d) Asked to shrink %lu, have %lu more to go\n",
43930 p->pool->dev_name, p->pool->name, current->pid,
43931 nr_free, shrink_pages);
43932 }
43933diff --git a/drivers/gpu/drm/udl/udl_fb.c b/drivers/gpu/drm/udl/udl_fb.c
43934index 5fc16ce..1bd84ec 100644
43935--- a/drivers/gpu/drm/udl/udl_fb.c
43936+++ b/drivers/gpu/drm/udl/udl_fb.c
43937@@ -367,7 +367,6 @@ static int udl_fb_release(struct fb_info *info, int user)
43938 fb_deferred_io_cleanup(info);
43939 kfree(info->fbdefio);
43940 info->fbdefio = NULL;
43941- info->fbops->fb_mmap = udl_fb_mmap;
43942 }
43943
43944 pr_warn("released /dev/fb%d user=%d count=%d\n",
43945diff --git a/drivers/gpu/drm/via/via_drv.h b/drivers/gpu/drm/via/via_drv.h
43946index ef8c500..01030c8 100644
43947--- a/drivers/gpu/drm/via/via_drv.h
43948+++ b/drivers/gpu/drm/via/via_drv.h
43949@@ -53,7 +53,7 @@ typedef struct drm_via_ring_buffer {
43950 typedef uint32_t maskarray_t[5];
43951
43952 typedef struct drm_via_irq {
43953- atomic_t irq_received;
43954+ atomic_unchecked_t irq_received;
43955 uint32_t pending_mask;
43956 uint32_t enable_mask;
43957 wait_queue_head_t irq_queue;
43958@@ -77,7 +77,7 @@ typedef struct drm_via_private {
43959 struct timeval last_vblank;
43960 int last_vblank_valid;
43961 unsigned usec_per_vblank;
43962- atomic_t vbl_received;
43963+ atomic_unchecked_t vbl_received;
43964 drm_via_state_t hc_state;
43965 char pci_buf[VIA_PCI_BUF_SIZE];
43966 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
43967diff --git a/drivers/gpu/drm/via/via_irq.c b/drivers/gpu/drm/via/via_irq.c
43968index 1319433..a993b0c 100644
43969--- a/drivers/gpu/drm/via/via_irq.c
43970+++ b/drivers/gpu/drm/via/via_irq.c
43971@@ -101,7 +101,7 @@ u32 via_get_vblank_counter(struct drm_device *dev, int crtc)
43972 if (crtc != 0)
43973 return 0;
43974
43975- return atomic_read(&dev_priv->vbl_received);
43976+ return atomic_read_unchecked(&dev_priv->vbl_received);
43977 }
43978
43979 irqreturn_t via_driver_irq_handler(int irq, void *arg)
43980@@ -116,8 +116,8 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg)
43981
43982 status = VIA_READ(VIA_REG_INTERRUPT);
43983 if (status & VIA_IRQ_VBLANK_PENDING) {
43984- atomic_inc(&dev_priv->vbl_received);
43985- if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
43986+ atomic_inc_unchecked(&dev_priv->vbl_received);
43987+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
43988 do_gettimeofday(&cur_vblank);
43989 if (dev_priv->last_vblank_valid) {
43990 dev_priv->usec_per_vblank =
43991@@ -127,7 +127,7 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg)
43992 dev_priv->last_vblank = cur_vblank;
43993 dev_priv->last_vblank_valid = 1;
43994 }
43995- if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
43996+ if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
43997 DRM_DEBUG("US per vblank is: %u\n",
43998 dev_priv->usec_per_vblank);
43999 }
44000@@ -137,7 +137,7 @@ irqreturn_t via_driver_irq_handler(int irq, void *arg)
44001
44002 for (i = 0; i < dev_priv->num_irqs; ++i) {
44003 if (status & cur_irq->pending_mask) {
44004- atomic_inc(&cur_irq->irq_received);
44005+ atomic_inc_unchecked(&cur_irq->irq_received);
44006 wake_up(&cur_irq->irq_queue);
44007 handled = 1;
44008 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i)
44009@@ -242,11 +242,11 @@ via_driver_irq_wait(struct drm_device *dev, unsigned int irq, int force_sequence
44010 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * HZ,
44011 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
44012 masks[irq][4]));
44013- cur_irq_sequence = atomic_read(&cur_irq->irq_received);
44014+ cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
44015 } else {
44016 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * HZ,
44017 (((cur_irq_sequence =
44018- atomic_read(&cur_irq->irq_received)) -
44019+ atomic_read_unchecked(&cur_irq->irq_received)) -
44020 *sequence) <= (1 << 23)));
44021 }
44022 *sequence = cur_irq_sequence;
44023@@ -284,7 +284,7 @@ void via_driver_irq_preinstall(struct drm_device *dev)
44024 }
44025
44026 for (i = 0; i < dev_priv->num_irqs; ++i) {
44027- atomic_set(&cur_irq->irq_received, 0);
44028+ atomic_set_unchecked(&cur_irq->irq_received, 0);
44029 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
44030 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
44031 init_waitqueue_head(&cur_irq->irq_queue);
44032@@ -366,7 +366,7 @@ int via_wait_irq(struct drm_device *dev, void *data, struct drm_file *file_priv)
44033 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
44034 case VIA_IRQ_RELATIVE:
44035 irqwait->request.sequence +=
44036- atomic_read(&cur_irq->irq_received);
44037+ atomic_read_unchecked(&cur_irq->irq_received);
44038 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
44039 case VIA_IRQ_ABSOLUTE:
44040 break;
44041diff --git a/drivers/gpu/drm/virtio/virtgpu_debugfs.c b/drivers/gpu/drm/virtio/virtgpu_debugfs.c
44042index db8b491..d87b27c 100644
44043--- a/drivers/gpu/drm/virtio/virtgpu_debugfs.c
44044+++ b/drivers/gpu/drm/virtio/virtgpu_debugfs.c
44045@@ -34,7 +34,7 @@ virtio_gpu_debugfs_irq_info(struct seq_file *m, void *data)
44046 struct drm_info_node *node = (struct drm_info_node *) m->private;
44047 struct virtio_gpu_device *vgdev = node->minor->dev->dev_private;
44048
44049- seq_printf(m, "fence %ld %lld\n",
44050+ seq_printf(m, "fence %lld %lld\n",
44051 atomic64_read(&vgdev->fence_drv.last_seq),
44052 vgdev->fence_drv.sync_seq);
44053 return 0;
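Review bot: Switching the first conversion to `%lld` matches `atomic64_read()` only where it returns `long long`; on a configuration where it returns `long`, the mismatch just moves. Unless this patch unifies the return type elsewhere (not visible in this chunk), an explicit cast makes the format independent of it: `(long long)atomic64_read(&vgdev->fence_drv.last_seq)`. The `%llu` change in virtgpu_fence.c has the same dependency and would take `(unsigned long long)`.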
44054diff --git a/drivers/gpu/drm/virtio/virtgpu_fence.c b/drivers/gpu/drm/virtio/virtgpu_fence.c
44055index 1da6326..98dd385 100644
44056--- a/drivers/gpu/drm/virtio/virtgpu_fence.c
44057+++ b/drivers/gpu/drm/virtio/virtgpu_fence.c
44058@@ -61,7 +61,7 @@ static void virtio_timeline_value_str(struct fence *f, char *str, int size)
44059 {
44060 struct virtio_gpu_fence *fence = to_virtio_fence(f);
44061
44062- snprintf(str, size, "%lu", atomic64_read(&fence->drv->last_seq));
44063+ snprintf(str, size, "%llu", atomic64_read(&fence->drv->last_seq));
44064 }
44065
44066 static const struct fence_ops virtio_fence_ops = {
44067diff --git a/drivers/gpu/drm/virtio/virtgpu_ttm.c b/drivers/gpu/drm/virtio/virtgpu_ttm.c
44068index b092d7b..3bbecd9 100644
44069--- a/drivers/gpu/drm/virtio/virtgpu_ttm.c
44070+++ b/drivers/gpu/drm/virtio/virtgpu_ttm.c
44071@@ -197,11 +197,11 @@ static void ttm_bo_man_debug(struct ttm_mem_type_manager *man,
44072 }
44073
44074 static const struct ttm_mem_type_manager_func virtio_gpu_bo_manager_func = {
44075- ttm_bo_man_init,
44076- ttm_bo_man_takedown,
44077- ttm_bo_man_get_node,
44078- ttm_bo_man_put_node,
44079- ttm_bo_man_debug
44080+ .init = &ttm_bo_man_init,
44081+ .takedown = &ttm_bo_man_takedown,
44082+ .get_node = &ttm_bo_man_get_node,
44083+ .put_node = &ttm_bo_man_put_node,
44084+ .debug = &ttm_bo_man_debug
44085 };
44086
44087 static int virtio_gpu_init_mem_type(struct ttm_bo_device *bdev, uint32_t type,
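Review bot: The designated initializers in `virtio_gpu_bo_manager_func` take the address of each function (`.init = &ttm_bo_man_init`), while the identical conversion of `vmw_gmrid_manager_func` in vmwgfx_gmrid_manager.c uses the bare function names. Both forms yield the same pointer, so this is purely a consistency point; the bare form `.init = ttm_bo_man_init,` matches the sibling table. A trailing comma after the last member (`.debug = ttm_bo_man_debug,`) would also keep a later addition to the ops table a one-line diff.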
44088diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
44089index d26a6da..5fa41ed 100644
44090--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
44091+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
44092@@ -447,7 +447,7 @@ struct vmw_private {
44093 * Fencing and IRQs.
44094 */
44095
44096- atomic_t marker_seq;
44097+ atomic_unchecked_t marker_seq;
44098 wait_queue_head_t fence_queue;
44099 wait_queue_head_t fifo_queue;
44100 spinlock_t waiter_lock;
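Review bot: The switch of `marker_seq` to `atomic_unchecked_t` is not explained at the declaration, so a reader cannot tell from the struct why this counter is exempt from overflow checking. The uses elsewhere in the patch suggest it is a wrapping sequence number: vmw_fifo_send_fence() loops `while (*seqno == 0)` and vmw_seqno_passed() compares against `VMW_FENCE_WRAP`. A comment above the field such as `/* Fence sequence number; wraps by design and is not a reference count. */` would record that reasoning. The same one-line justification would help at the other counters converted in this patch (`trans_id` in hv_balloon.c, `next_gpadl_handle` in hyperv_vmbus.h). `struct vmw_private` starts and ends outside the hunk.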
44101diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
44102index 39f2b03..d1b0a64 100644
44103--- a/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
44104+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_fifo.c
44105@@ -152,7 +152,7 @@ int vmw_fifo_init(struct vmw_private *dev_priv, struct vmw_fifo_state *fifo)
44106 (unsigned int) min,
44107 (unsigned int) fifo->capabilities);
44108
44109- atomic_set(&dev_priv->marker_seq, dev_priv->last_read_seqno);
44110+ atomic_set_unchecked(&dev_priv->marker_seq, dev_priv->last_read_seqno);
44111 iowrite32(dev_priv->last_read_seqno, fifo_mem + SVGA_FIFO_FENCE);
44112 vmw_marker_queue_init(&fifo->marker_queue);
44113 return vmw_fifo_send_fence(dev_priv, &dummy);
44114@@ -372,7 +372,7 @@ void *vmw_fifo_reserve(struct vmw_private *dev_priv, uint32_t bytes)
44115 if (reserveable)
44116 iowrite32(bytes, fifo_mem +
44117 SVGA_FIFO_RESERVED);
44118- return fifo_mem + (next_cmd >> 2);
44119+ return (__le32 __force_kernel *)fifo_mem + (next_cmd >> 2);
44120 } else {
44121 need_bounce = true;
44122 }
44123@@ -492,7 +492,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
44124
44125 fm = vmw_fifo_reserve(dev_priv, bytes);
44126 if (unlikely(fm == NULL)) {
44127- *seqno = atomic_read(&dev_priv->marker_seq);
44128+ *seqno = atomic_read_unchecked(&dev_priv->marker_seq);
44129 ret = -ENOMEM;
44130 (void)vmw_fallback_wait(dev_priv, false, true, *seqno,
44131 false, 3*HZ);
44132@@ -500,7 +500,7 @@ int vmw_fifo_send_fence(struct vmw_private *dev_priv, uint32_t *seqno)
44133 }
44134
44135 do {
44136- *seqno = atomic_add_return(1, &dev_priv->marker_seq);
44137+ *seqno = atomic_add_return_unchecked(1, &dev_priv->marker_seq);
44138 } while (*seqno == 0);
44139
44140 if (!(fifo_state->capabilities & SVGA_FIFO_CAP_FENCE)) {
44141diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c b/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c
44142index 170b61b..fec7348 100644
44143--- a/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c
44144+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gmrid_manager.c
44145@@ -164,9 +164,9 @@ static void vmw_gmrid_man_debug(struct ttm_mem_type_manager *man,
44146 }
44147
44148 const struct ttm_mem_type_manager_func vmw_gmrid_manager_func = {
44149- vmw_gmrid_man_init,
44150- vmw_gmrid_man_takedown,
44151- vmw_gmrid_man_get_node,
44152- vmw_gmrid_man_put_node,
44153- vmw_gmrid_man_debug
44154+ .init = vmw_gmrid_man_init,
44155+ .takedown = vmw_gmrid_man_takedown,
44156+ .get_node = vmw_gmrid_man_get_node,
44157+ .put_node = vmw_gmrid_man_put_node,
44158+ .debug = vmw_gmrid_man_debug
44159 };
44160diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
44161index 69c8ce2..cacb0ab 100644
44162--- a/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
44163+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_ioctl.c
44164@@ -235,7 +235,7 @@ int vmw_present_ioctl(struct drm_device *dev, void *data,
44165 int ret;
44166
44167 num_clips = arg->num_clips;
44168- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
44169+ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
44170
44171 if (unlikely(num_clips == 0))
44172 return 0;
44173@@ -318,7 +318,7 @@ int vmw_present_readback_ioctl(struct drm_device *dev, void *data,
44174 int ret;
44175
44176 num_clips = arg->num_clips;
44177- clips_ptr = (struct drm_vmw_rect *)(unsigned long)arg->clips_ptr;
44178+ clips_ptr = (struct drm_vmw_rect __user *)(unsigned long)arg->clips_ptr;
44179
44180 if (unlikely(num_clips == 0))
44181 return 0;
44182diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
44183index 9fe9827..0aa2fc0 100644
44184--- a/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
44185+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_irq.c
44186@@ -102,7 +102,7 @@ bool vmw_seqno_passed(struct vmw_private *dev_priv,
44187 * emitted. Then the fence is stale and signaled.
44188 */
44189
44190- ret = ((atomic_read(&dev_priv->marker_seq) - seqno)
44191+ ret = ((atomic_read_unchecked(&dev_priv->marker_seq) - seqno)
44192 > VMW_FENCE_WRAP);
44193
44194 return ret;
44195@@ -133,7 +133,7 @@ int vmw_fallback_wait(struct vmw_private *dev_priv,
44196
44197 if (fifo_idle)
44198 down_read(&fifo_state->rwsem);
44199- signal_seq = atomic_read(&dev_priv->marker_seq);
44200+ signal_seq = atomic_read_unchecked(&dev_priv->marker_seq);
44201 ret = 0;
44202
44203 for (;;) {
44204diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
44205index efd1ffd..0ae13ca 100644
44206--- a/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
44207+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_marker.c
44208@@ -135,7 +135,7 @@ int vmw_wait_lag(struct vmw_private *dev_priv,
44209 while (!vmw_lag_lt(queue, us)) {
44210 spin_lock(&queue->lock);
44211 if (list_empty(&queue->head))
44212- seqno = atomic_read(&dev_priv->marker_seq);
44213+ seqno = atomic_read_unchecked(&dev_priv->marker_seq);
44214 else {
44215 marker = list_first_entry(&queue->head,
44216 struct vmw_marker, head);
44217diff --git a/drivers/gpu/vga/vga_switcheroo.c b/drivers/gpu/vga/vga_switcheroo.c
44218index 37ac7b5..d52a5c9 100644
44219--- a/drivers/gpu/vga/vga_switcheroo.c
44220+++ b/drivers/gpu/vga/vga_switcheroo.c
44221@@ -644,7 +644,7 @@ static int vga_switcheroo_runtime_resume(struct device *dev)
44222
44223 /* this version is for the case where the power switch is separate
44224 to the device being powered down. */
44225-int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain)
44226+int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain)
44227 {
44228 /* copy over all the bus versions */
44229 if (dev->bus && dev->bus->pm) {
44230@@ -695,7 +695,7 @@ static int vga_switcheroo_runtime_resume_hdmi_audio(struct device *dev)
44231 return ret;
44232 }
44233
44234-int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain)
44235+int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain)
44236 {
44237 /* copy over all the bus versions */
44238 if (dev->bus && dev->bus->pm) {
44239diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
44240index e6fce23..85949a0 100644
44241--- a/drivers/hid/hid-core.c
44242+++ b/drivers/hid/hid-core.c
44243@@ -2550,7 +2550,7 @@ EXPORT_SYMBOL_GPL(hid_ignore);
44244
44245 int hid_add_device(struct hid_device *hdev)
44246 {
44247- static atomic_t id = ATOMIC_INIT(0);
44248+ static atomic_unchecked_t id = ATOMIC_INIT(0);
44249 int ret;
44250
44251 if (WARN_ON(hdev->status & HID_STAT_ADDED))
44252@@ -2593,7 +2593,7 @@ int hid_add_device(struct hid_device *hdev)
44253 /* XXX hack, any other cleaner solution after the driver core
44254 * is converted to allow more than 20 bytes as the device name? */
44255 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
44256- hdev->vendor, hdev->product, atomic_inc_return(&id));
44257+ hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
44258
44259 hid_debug_register(hdev, dev_name(&hdev->dev));
44260 ret = device_add(&hdev->dev);
44261diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c
44262index 5614fee..8a6f5f6 100644
44263--- a/drivers/hid/hid-sensor-custom.c
44264+++ b/drivers/hid/hid-sensor-custom.c
44265@@ -590,7 +590,7 @@ static int hid_sensor_custom_add_attributes(struct hid_sensor_custom
44266 j = 0;
44267 while (j < HID_CUSTOM_TOTAL_ATTRS &&
44268 hid_custom_attrs[j].name) {
44269- struct device_attribute *device_attr;
44270+ device_attribute_no_const *device_attr;
44271
44272 device_attr = &sensor_inst->fields[i].sd_attrs[j];
44273
44274diff --git a/drivers/hid/hid-wiimote-debug.c b/drivers/hid/hid-wiimote-debug.c
44275index c13fb5b..55a3802 100644
44276--- a/drivers/hid/hid-wiimote-debug.c
44277+++ b/drivers/hid/hid-wiimote-debug.c
44278@@ -66,7 +66,7 @@ static ssize_t wiidebug_eeprom_read(struct file *f, char __user *u, size_t s,
44279 else if (size == 0)
44280 return -EIO;
44281
44282- if (copy_to_user(u, buf, size))
44283+ if (size > sizeof(buf) || copy_to_user(u, buf, size))
44284 return -EFAULT;
44285
44286 *off += size;
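Review bot: The added `size > sizeof(buf)` test shares its return with `copy_to_user()`, so a length larger than the local buffer is reported as -EFAULT, which tells the caller its pointer was bad when the real problem is the length. A separate guard next to the existing `size == 0` check keeps the two failures distinguishable: `else if (size > sizeof(buf)) return -EIO;`. Where `size` is assigned is outside this hunk, so whether it can actually exceed the buffer is not visible here; a short comment naming the source of the length would record why the bound is needed. wiidebug_eeprom_read() starts and ends outside the hunk.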
44287diff --git a/drivers/hv/channel.c b/drivers/hv/channel.c
44288index 603ce97..7f27468 100644
44289--- a/drivers/hv/channel.c
44290+++ b/drivers/hv/channel.c
44291@@ -382,7 +382,7 @@ int vmbus_establish_gpadl(struct vmbus_channel *channel, void *kbuffer,
44292 int ret = 0;
44293
44294 next_gpadl_handle =
44295- (atomic_inc_return(&vmbus_connection.next_gpadl_handle) - 1);
44296+ (atomic_inc_return_unchecked(&vmbus_connection.next_gpadl_handle) - 1);
44297
44298 ret = create_gpadl_header(kbuffer, size, &msginfo, &msgcount);
44299 if (ret)
44300diff --git a/drivers/hv/hv.c b/drivers/hv/hv.c
44301index d3943bc..597fd1e 100644
44302--- a/drivers/hv/hv.c
44303+++ b/drivers/hv/hv.c
44304@@ -118,7 +118,7 @@ static u64 do_hypercall(u64 control, void *input, void *output)
44305 u64 output_address = (output) ? virt_to_phys(output) : 0;
44306 u32 output_address_hi = output_address >> 32;
44307 u32 output_address_lo = output_address & 0xFFFFFFFF;
44308- void *hypercall_page = hv_context.hypercall_page;
44309+ void *hypercall_page = (void *)ktva_ktla((unsigned long)hv_context.hypercall_page);
44310
44311 __asm__ __volatile__ ("call *%8" : "=d"(hv_status_hi),
44312 "=a"(hv_status_lo) : "d" (control_hi),
44313@@ -164,7 +164,7 @@ int hv_init(void)
44314 /* See if the hypercall page is already set */
44315 rdmsrl(HV_X64_MSR_HYPERCALL, hypercall_msr.as_uint64);
44316
44317- virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_EXEC);
44318+ virtaddr = __vmalloc(PAGE_SIZE, GFP_KERNEL, PAGE_KERNEL_RX);
44319
44320 if (!virtaddr)
44321 goto cleanup;
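Review bot: The `__vmalloc` call now maps the hypercall page with `PAGE_KERNEL_RX`, and nothing near it says why a mapping without write permission is sufficient. If, as appears to be the case, the hypervisor fills this page and the guest only executes it, a comment would say so: `/* Populated by the hypervisor; the guest only calls into it, so map it read+execute. */`. The `ktva_ktla()` translation added in do_hypercall() in the first hunk of this file would benefit from a similar one-line comment, since it is buried in a double cast. hv_init() starts and ends outside the hunk.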
44322diff --git a/drivers/hv/hv_balloon.c b/drivers/hv/hv_balloon.c
44323index 8a725cd..91abaf0 100644
44324--- a/drivers/hv/hv_balloon.c
44325+++ b/drivers/hv/hv_balloon.c
44326@@ -469,7 +469,7 @@ MODULE_PARM_DESC(hot_add, "If set attempt memory hot_add");
44327
44328 module_param(pressure_report_delay, uint, (S_IRUGO | S_IWUSR));
44329 MODULE_PARM_DESC(pressure_report_delay, "Delay in secs in reporting pressure");
44330-static atomic_t trans_id = ATOMIC_INIT(0);
44331+static atomic_unchecked_t trans_id = ATOMIC_INIT(0);
44332
44333 static int dm_ring_size = (5 * PAGE_SIZE);
44334
44335@@ -943,7 +943,7 @@ static void hot_add_req(struct work_struct *dummy)
44336 pr_info("Memory hot add failed\n");
44337
44338 dm->state = DM_INITIALIZED;
44339- resp.hdr.trans_id = atomic_inc_return(&trans_id);
44340+ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44341 vmbus_sendpacket(dm->dev->channel, &resp,
44342 sizeof(struct dm_hot_add_response),
44343 (unsigned long)NULL,
44344@@ -1024,7 +1024,7 @@ static void post_status(struct hv_dynmem_device *dm)
44345 memset(&status, 0, sizeof(struct dm_status));
44346 status.hdr.type = DM_STATUS_REPORT;
44347 status.hdr.size = sizeof(struct dm_status);
44348- status.hdr.trans_id = atomic_inc_return(&trans_id);
44349+ status.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44350
44351 /*
44352 * The host expects the guest to report free and committed memory.
44353@@ -1048,7 +1048,7 @@ static void post_status(struct hv_dynmem_device *dm)
44354 * send the status. This can happen if we were interrupted
44355 * after we picked our transaction ID.
44356 */
44357- if (status.hdr.trans_id != atomic_read(&trans_id))
44358+ if (status.hdr.trans_id != atomic_read_unchecked(&trans_id))
44359 return;
44360
44361 /*
44362@@ -1193,7 +1193,7 @@ static void balloon_up(struct work_struct *dummy)
44363 */
44364
44365 do {
44366- bl_resp->hdr.trans_id = atomic_inc_return(&trans_id);
44367+ bl_resp->hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44368 ret = vmbus_sendpacket(dm_device.dev->channel,
44369 bl_resp,
44370 bl_resp->hdr.size,
44371@@ -1239,7 +1239,7 @@ static void balloon_down(struct hv_dynmem_device *dm,
44372
44373 memset(&resp, 0, sizeof(struct dm_unballoon_response));
44374 resp.hdr.type = DM_UNBALLOON_RESPONSE;
44375- resp.hdr.trans_id = atomic_inc_return(&trans_id);
44376+ resp.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44377 resp.hdr.size = sizeof(struct dm_unballoon_response);
44378
44379 vmbus_sendpacket(dm_device.dev->channel, &resp,
44380@@ -1300,7 +1300,7 @@ static void version_resp(struct hv_dynmem_device *dm,
44381 memset(&version_req, 0, sizeof(struct dm_version_request));
44382 version_req.hdr.type = DM_VERSION_REQUEST;
44383 version_req.hdr.size = sizeof(struct dm_version_request);
44384- version_req.hdr.trans_id = atomic_inc_return(&trans_id);
44385+ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44386 version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN7;
44387 version_req.is_last_attempt = 1;
44388
44389@@ -1473,7 +1473,7 @@ static int balloon_probe(struct hv_device *dev,
44390 memset(&version_req, 0, sizeof(struct dm_version_request));
44391 version_req.hdr.type = DM_VERSION_REQUEST;
44392 version_req.hdr.size = sizeof(struct dm_version_request);
44393- version_req.hdr.trans_id = atomic_inc_return(&trans_id);
44394+ version_req.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44395 version_req.version.version = DYNMEM_PROTOCOL_VERSION_WIN8;
44396 version_req.is_last_attempt = 0;
44397
44398@@ -1504,7 +1504,7 @@ static int balloon_probe(struct hv_device *dev,
44399 memset(&cap_msg, 0, sizeof(struct dm_capabilities));
44400 cap_msg.hdr.type = DM_CAPABILITIES_REPORT;
44401 cap_msg.hdr.size = sizeof(struct dm_capabilities);
44402- cap_msg.hdr.trans_id = atomic_inc_return(&trans_id);
44403+ cap_msg.hdr.trans_id = atomic_inc_return_unchecked(&trans_id);
44404
44405 cap_msg.caps.cap_bits.balloon = 1;
44406 cap_msg.caps.cap_bits.hot_add = 1;
44407diff --git a/drivers/hv/hyperv_vmbus.h b/drivers/hv/hyperv_vmbus.h
44408index cddc0c9..2eb587d 100644
44409--- a/drivers/hv/hyperv_vmbus.h
44410+++ b/drivers/hv/hyperv_vmbus.h
44411@@ -645,7 +645,7 @@ enum vmbus_connect_state {
44412 struct vmbus_connection {
44413 enum vmbus_connect_state conn_state;
44414
44415- atomic_t next_gpadl_handle;
44416+ atomic_unchecked_t next_gpadl_handle;
44417
44418 struct completion unload_event;
44419 /*
44420diff --git a/drivers/hwmon/acpi_power_meter.c b/drivers/hwmon/acpi_power_meter.c
44421index 579bdf9..0dac21d5 100644
44422--- a/drivers/hwmon/acpi_power_meter.c
44423+++ b/drivers/hwmon/acpi_power_meter.c
44424@@ -116,7 +116,7 @@ struct sensor_template {
44425 struct device_attribute *devattr,
44426 const char *buf, size_t count);
44427 int index;
44428-};
44429+} __do_const;
44430
44431 /* Averaging interval */
44432 static int update_avg_interval(struct acpi_power_meter_resource *resource)
44433@@ -631,7 +631,7 @@ static int register_attrs(struct acpi_power_meter_resource *resource,
44434 struct sensor_template *attrs)
44435 {
44436 struct device *dev = &resource->acpi_dev->dev;
44437- struct sensor_device_attribute *sensors =
44438+ sensor_device_attribute_no_const *sensors =
44439 &resource->sensors[resource->num_sensors];
44440 int res = 0;
44441
44442@@ -973,7 +973,7 @@ static int __init enable_cap_knobs(const struct dmi_system_id *d)
44443 return 0;
44444 }
44445
44446-static struct dmi_system_id __initdata pm_dmi_table[] = {
44447+static const struct dmi_system_id __initconst pm_dmi_table[] = {
44448 {
44449 enable_cap_knobs, "IBM Active Energy Manager",
44450 {
44451diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c
44452index 0af63da..05a183a 100644
44453--- a/drivers/hwmon/applesmc.c
44454+++ b/drivers/hwmon/applesmc.c
44455@@ -1105,7 +1105,7 @@ static int applesmc_create_nodes(struct applesmc_node_group *groups, int num)
44456 {
44457 struct applesmc_node_group *grp;
44458 struct applesmc_dev_attr *node;
44459- struct attribute *attr;
44460+ attribute_no_const *attr;
44461 int ret, i;
44462
44463 for (grp = groups; grp->format; grp++) {
44464diff --git a/drivers/hwmon/asus_atk0110.c b/drivers/hwmon/asus_atk0110.c
44465index cccef87..06ce8ec 100644
44466--- a/drivers/hwmon/asus_atk0110.c
44467+++ b/drivers/hwmon/asus_atk0110.c
44468@@ -147,10 +147,10 @@ MODULE_DEVICE_TABLE(acpi, atk_ids);
44469 struct atk_sensor_data {
44470 struct list_head list;
44471 struct atk_data *data;
44472- struct device_attribute label_attr;
44473- struct device_attribute input_attr;
44474- struct device_attribute limit1_attr;
44475- struct device_attribute limit2_attr;
44476+ device_attribute_no_const label_attr;
44477+ device_attribute_no_const input_attr;
44478+ device_attribute_no_const limit1_attr;
44479+ device_attribute_no_const limit2_attr;
44480 char label_attr_name[ATTR_NAME_SIZE];
44481 char input_attr_name[ATTR_NAME_SIZE];
44482 char limit1_attr_name[ATTR_NAME_SIZE];
44483@@ -270,7 +270,7 @@ static ssize_t atk_name_show(struct device *dev,
44484 static struct device_attribute atk_name_attr =
44485 __ATTR(name, 0444, atk_name_show, NULL);
44486
44487-static void atk_init_attribute(struct device_attribute *attr, char *name,
44488+static void atk_init_attribute(device_attribute_no_const *attr, char *name,
44489 sysfs_show_func show)
44490 {
44491 sysfs_attr_init(&attr->attr);
44492diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c
44493index 3e03379..ec521d3 100644
44494--- a/drivers/hwmon/coretemp.c
44495+++ b/drivers/hwmon/coretemp.c
44496@@ -783,7 +783,7 @@ static int coretemp_cpu_callback(struct notifier_block *nfb,
44497 return NOTIFY_OK;
44498 }
44499
44500-static struct notifier_block coretemp_cpu_notifier __refdata = {
44501+static struct notifier_block coretemp_cpu_notifier = {
44502 .notifier_call = coretemp_cpu_callback,
44503 };
44504
44505diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c
44506index c848789..e9e9217 100644
44507--- a/drivers/hwmon/dell-smm-hwmon.c
44508+++ b/drivers/hwmon/dell-smm-hwmon.c
44509@@ -819,7 +819,7 @@ static const struct i8k_config_data i8k_config_data[] = {
44510 },
44511 };
44512
44513-static struct dmi_system_id i8k_dmi_table[] __initdata = {
44514+static const struct dmi_system_id i8k_dmi_table[] __initconst = {
44515 {
44516 .ident = "Dell Inspiron",
44517 .matches = {
44518diff --git a/drivers/hwmon/ibmaem.c b/drivers/hwmon/ibmaem.c
44519index 7a8a6fb..015c1fd 100644
44520--- a/drivers/hwmon/ibmaem.c
44521+++ b/drivers/hwmon/ibmaem.c
44522@@ -924,7 +924,7 @@ static int aem_register_sensors(struct aem_data *data,
44523 struct aem_rw_sensor_template *rw)
44524 {
44525 struct device *dev = &data->pdev->dev;
44526- struct sensor_device_attribute *sensors = data->sensors;
44527+ sensor_device_attribute_no_const *sensors = data->sensors;
44528 int err;
44529
44530 /* Set up read-only sensors */
44531diff --git a/drivers/hwmon/iio_hwmon.c b/drivers/hwmon/iio_hwmon.c
44532index 17ae2eb..21b71dd 100644
44533--- a/drivers/hwmon/iio_hwmon.c
44534+++ b/drivers/hwmon/iio_hwmon.c
44535@@ -61,7 +61,7 @@ static int iio_hwmon_probe(struct platform_device *pdev)
44536 {
44537 struct device *dev = &pdev->dev;
44538 struct iio_hwmon_state *st;
44539- struct sensor_device_attribute *a;
44540+ sensor_device_attribute_no_const *a;
44541 int ret, i;
44542 int in_i = 1, temp_i = 1, curr_i = 1, humidity_i = 1;
44543 enum iio_chan_type type;
44544diff --git a/drivers/hwmon/nct6683.c b/drivers/hwmon/nct6683.c
44545index 37f0170..414ec2c 100644
44546--- a/drivers/hwmon/nct6683.c
44547+++ b/drivers/hwmon/nct6683.c
44548@@ -397,11 +397,11 @@ static struct attribute_group *
44549 nct6683_create_attr_group(struct device *dev, struct sensor_template_group *tg,
44550 int repeat)
44551 {
44552- struct sensor_device_attribute_2 *a2;
44553- struct sensor_device_attribute *a;
44554+ sensor_device_attribute_2_no_const *a2;
44555+ sensor_device_attribute_no_const *a;
44556 struct sensor_device_template **t;
44557 struct sensor_device_attr_u *su;
44558- struct attribute_group *group;
44559+ attribute_group_no_const *group;
44560 struct attribute **attrs;
44561 int i, j, count;
44562
44563diff --git a/drivers/hwmon/nct6775.c b/drivers/hwmon/nct6775.c
44564index 2aaedbe..e944f14 100644
44565--- a/drivers/hwmon/nct6775.c
44566+++ b/drivers/hwmon/nct6775.c
44567@@ -957,10 +957,10 @@ static struct attribute_group *
44568 nct6775_create_attr_group(struct device *dev, struct sensor_template_group *tg,
44569 int repeat)
44570 {
44571- struct attribute_group *group;
44572+ attribute_group_no_const *group;
44573 struct sensor_device_attr_u *su;
44574- struct sensor_device_attribute *a;
44575- struct sensor_device_attribute_2 *a2;
44576+ sensor_device_attribute_no_const *a;
44577+ sensor_device_attribute_2_no_const *a2;
44578 struct attribute **attrs;
44579 struct sensor_device_template **t;
44580 int i, count;
44581diff --git a/drivers/hwmon/pmbus/pmbus_core.c b/drivers/hwmon/pmbus/pmbus_core.c
44582index f2e47c7..45d7941 100644
44583--- a/drivers/hwmon/pmbus/pmbus_core.c
44584+++ b/drivers/hwmon/pmbus/pmbus_core.c
44585@@ -816,7 +816,7 @@ static int pmbus_add_attribute(struct pmbus_data *data, struct attribute *attr)
44586 return 0;
44587 }
44588
44589-static void pmbus_dev_attr_init(struct device_attribute *dev_attr,
44590+static void pmbus_dev_attr_init(device_attribute_no_const *dev_attr,
44591 const char *name,
44592 umode_t mode,
44593 ssize_t (*show)(struct device *dev,
44594@@ -833,7 +833,7 @@ static void pmbus_dev_attr_init(struct device_attribute *dev_attr,
44595 dev_attr->store = store;
44596 }
44597
44598-static void pmbus_attr_init(struct sensor_device_attribute *a,
44599+static void pmbus_attr_init(sensor_device_attribute_no_const *a,
44600 const char *name,
44601 umode_t mode,
44602 ssize_t (*show)(struct device *dev,
44603@@ -855,7 +855,7 @@ static int pmbus_add_boolean(struct pmbus_data *data,
44604 u16 reg, u8 mask)
44605 {
44606 struct pmbus_boolean *boolean;
44607- struct sensor_device_attribute *a;
44608+ sensor_device_attribute_no_const *a;
44609
44610 boolean = devm_kzalloc(data->dev, sizeof(*boolean), GFP_KERNEL);
44611 if (!boolean)
44612@@ -880,7 +880,7 @@ static struct pmbus_sensor *pmbus_add_sensor(struct pmbus_data *data,
44613 bool update, bool readonly)
44614 {
44615 struct pmbus_sensor *sensor;
44616- struct device_attribute *a;
44617+ device_attribute_no_const *a;
44618
44619 sensor = devm_kzalloc(data->dev, sizeof(*sensor), GFP_KERNEL);
44620 if (!sensor)
44621@@ -911,7 +911,7 @@ static int pmbus_add_label(struct pmbus_data *data,
44622 const char *lstring, int index)
44623 {
44624 struct pmbus_label *label;
44625- struct device_attribute *a;
44626+ device_attribute_no_const *a;
44627
44628 label = devm_kzalloc(data->dev, sizeof(*label), GFP_KERNEL);
44629 if (!label)
44630diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c
44631index 497a7f8..3fffedf 100644
44632--- a/drivers/hwmon/sht15.c
44633+++ b/drivers/hwmon/sht15.c
44634@@ -169,7 +169,7 @@ struct sht15_data {
44635 int supply_uv;
44636 bool supply_uv_valid;
44637 struct work_struct update_supply_work;
44638- atomic_t interrupt_handled;
44639+ atomic_unchecked_t interrupt_handled;
44640 };
44641
44642 /**
44643@@ -542,13 +542,13 @@ static int sht15_measurement(struct sht15_data *data,
44644 ret = gpio_direction_input(data->pdata->gpio_data);
44645 if (ret)
44646 return ret;
44647- atomic_set(&data->interrupt_handled, 0);
44648+ atomic_set_unchecked(&data->interrupt_handled, 0);
44649
44650 enable_irq(gpio_to_irq(data->pdata->gpio_data));
44651 if (gpio_get_value(data->pdata->gpio_data) == 0) {
44652 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
44653 /* Only relevant if the interrupt hasn't occurred. */
44654- if (!atomic_read(&data->interrupt_handled))
44655+ if (!atomic_read_unchecked(&data->interrupt_handled))
44656 schedule_work(&data->read_work);
44657 }
44658 ret = wait_event_timeout(data->wait_queue,
44659@@ -820,7 +820,7 @@ static irqreturn_t sht15_interrupt_fired(int irq, void *d)
44660
44661 /* First disable the interrupt */
44662 disable_irq_nosync(irq);
44663- atomic_inc(&data->interrupt_handled);
44664+ atomic_inc_unchecked(&data->interrupt_handled);
44665 /* Then schedule a reading work struct */
44666 if (data->state != SHT15_READING_NOTHING)
44667 schedule_work(&data->read_work);
44668@@ -842,11 +842,11 @@ static void sht15_bh_read_data(struct work_struct *work_s)
44669 * If not, then start the interrupt again - care here as could
44670 * have gone low in meantime so verify it hasn't!
44671 */
44672- atomic_set(&data->interrupt_handled, 0);
44673+ atomic_set_unchecked(&data->interrupt_handled, 0);
44674 enable_irq(gpio_to_irq(data->pdata->gpio_data));
44675 /* If still not occurred or another handler was scheduled */
44676 if (gpio_get_value(data->pdata->gpio_data)
44677- || atomic_read(&data->interrupt_handled))
44678+ || atomic_read_unchecked(&data->interrupt_handled))
44679 return;
44680 }
44681
44682diff --git a/drivers/hwmon/via-cputemp.c b/drivers/hwmon/via-cputemp.c
44683index ac91c07..8e69663 100644
44684--- a/drivers/hwmon/via-cputemp.c
44685+++ b/drivers/hwmon/via-cputemp.c
44686@@ -295,7 +295,7 @@ static int via_cputemp_cpu_callback(struct notifier_block *nfb,
44687 return NOTIFY_OK;
44688 }
44689
44690-static struct notifier_block via_cputemp_cpu_notifier __refdata = {
44691+static struct notifier_block via_cputemp_cpu_notifier = {
44692 .notifier_call = via_cputemp_cpu_callback,
44693 };
44694
44695diff --git a/drivers/i2c/busses/i2c-amd756-s4882.c b/drivers/i2c/busses/i2c-amd756-s4882.c
44696index 65e3240..e6c511d 100644
44697--- a/drivers/i2c/busses/i2c-amd756-s4882.c
44698+++ b/drivers/i2c/busses/i2c-amd756-s4882.c
44699@@ -39,7 +39,7 @@
44700 extern struct i2c_adapter amd756_smbus;
44701
44702 static struct i2c_adapter *s4882_adapter;
44703-static struct i2c_algorithm *s4882_algo;
44704+static i2c_algorithm_no_const *s4882_algo;
44705
44706 /* Wrapper access functions for multiplexed SMBus */
44707 static DEFINE_MUTEX(amd756_lock);
44708diff --git a/drivers/i2c/busses/i2c-nforce2-s4985.c b/drivers/i2c/busses/i2c-nforce2-s4985.c
44709index 88eda09..cf40434 100644
44710--- a/drivers/i2c/busses/i2c-nforce2-s4985.c
44711+++ b/drivers/i2c/busses/i2c-nforce2-s4985.c
44712@@ -37,7 +37,7 @@
44713 extern struct i2c_adapter *nforce2_smbus;
44714
44715 static struct i2c_adapter *s4985_adapter;
44716-static struct i2c_algorithm *s4985_algo;
44717+static i2c_algorithm_no_const *s4985_algo;
44718
44719 /* Wrapper access functions for multiplexed SMBus */
44720 static DEFINE_MUTEX(nforce2_lock);
44721diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
44722index 71c7a39..71dd3e0 100644
44723--- a/drivers/i2c/i2c-dev.c
44724+++ b/drivers/i2c/i2c-dev.c
44725@@ -272,7 +272,7 @@ static noinline int i2cdev_ioctl_rdrw(struct i2c_client *client,
44726 break;
44727 }
44728
44729- data_ptrs[i] = (u8 __user *)rdwr_pa[i].buf;
44730+ data_ptrs[i] = (u8 __force_user *)rdwr_pa[i].buf;
44731 rdwr_pa[i].buf = memdup_user(data_ptrs[i], rdwr_pa[i].len);
44732 if (IS_ERR(rdwr_pa[i].buf)) {
44733 res = PTR_ERR(rdwr_pa[i].buf);
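Review bot: The `__force_user` cast overrides the address-space checker on a field that changes meaning on the very next line, and there is no comment marking that hand-over. `rdwr_pa[i].buf` holds the caller's pointer when it is copied into `data_ptrs[i]`, then is overwritten with the kernel copy returned by `memdup_user()`. A comment above the cast, `/* buf still holds the userspace pointer here; it is replaced by a kernel copy below */`, would show the forced annotation is deliberate. The length check on `rdwr_pa[i].len` is presumably just above, but only its trailing `break;` is visible; i2cdev_ioctl_rdrw() starts and ends outside the hunk.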
44734diff --git a/drivers/ide/ide-cd.c b/drivers/ide/ide-cd.c
44735index 64a6b82..a524354 100644
44736--- a/drivers/ide/ide-cd.c
44737+++ b/drivers/ide/ide-cd.c
44738@@ -768,7 +768,7 @@ static void cdrom_do_block_pc(ide_drive_t *drive, struct request *rq)
44739 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
44740 if ((unsigned long)buf & alignment
44741 || blk_rq_bytes(rq) & q->dma_pad_mask
44742- || object_is_on_stack(buf))
44743+ || object_starts_on_stack(buf))
44744 drive->dma = 0;
44745 }
44746 }
44747diff --git a/drivers/ide/ide-disk.c b/drivers/ide/ide-disk.c
44748index 56b9708..980b63b 100644
44749--- a/drivers/ide/ide-disk.c
44750+++ b/drivers/ide/ide-disk.c
44751@@ -178,7 +178,7 @@ static ide_startstop_t __ide_do_rw_disk(ide_drive_t *drive, struct request *rq,
44752 * 1073741822 == 549756 MB or 48bit addressing fake drive
44753 */
44754
44755-static ide_startstop_t ide_do_rw_disk(ide_drive_t *drive, struct request *rq,
44756+static ide_startstop_t __intentional_overflow(-1) ide_do_rw_disk(ide_drive_t *drive, struct request *rq,
44757 sector_t block)
44758 {
44759 ide_hwif_t *hwif = drive->hwif;
44760diff --git a/drivers/iio/industrialio-core.c b/drivers/iio/industrialio-core.c
44761index 3524b0d..8c14520 100644
44762--- a/drivers/iio/industrialio-core.c
44763+++ b/drivers/iio/industrialio-core.c
44764@@ -576,7 +576,7 @@ static ssize_t iio_write_channel_info(struct device *dev,
44765 }
44766
44767 static
44768-int __iio_device_attr_init(struct device_attribute *dev_attr,
44769+int __iio_device_attr_init(device_attribute_no_const *dev_attr,
44770 const char *postfix,
44771 struct iio_chan_spec const *chan,
44772 ssize_t (*readfunc)(struct device *dev,
44773diff --git a/drivers/iio/magnetometer/ak8975.c b/drivers/iio/magnetometer/ak8975.c
44774index b13936d..65322b2 100644
44775--- a/drivers/iio/magnetometer/ak8975.c
44776+++ b/drivers/iio/magnetometer/ak8975.c
44777@@ -776,7 +776,7 @@ static int ak8975_probe(struct i2c_client *client,
44778 name = id->name;
44779 } else if (ACPI_HANDLE(&client->dev))
44780 name = ak8975_match_acpi_device(&client->dev, &chipset);
44781- else
44782+ if (!name)
44783 return -ENOSYS;
44784
44785 if (chipset >= AK_MAX_TYPE) {
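Review bot: The new `if (!name)` test reads `name` on the path where neither the `id` branch nor the ACPI branch ran, so it is only sound if `name` is initialised to NULL at its declaration, which is outside this hunk. It also sits directly under a brace-less `else if` with no blank line, which makes it read as part of the chain. Bracing the `else if` body to match the first branch, or adding a blank line before `if (!name)`, would make the fall-through check obvious. ak8975_probe() starts and ends outside the hunk.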
44786diff --git a/drivers/infiniband/core/cm.c b/drivers/infiniband/core/cm.c
44787index 3a972eb..4126183 100644
44788--- a/drivers/infiniband/core/cm.c
44789+++ b/drivers/infiniband/core/cm.c
44790@@ -115,7 +115,7 @@ static char const counter_group_names[CM_COUNTER_GROUPS]
44791
44792 struct cm_counter_group {
44793 struct kobject obj;
44794- atomic_long_t counter[CM_ATTR_COUNT];
44795+ atomic_long_unchecked_t counter[CM_ATTR_COUNT];
44796 };
44797
44798 struct cm_counter_attribute {
44799@@ -1411,7 +1411,7 @@ static void cm_dup_req_handler(struct cm_work *work,
44800 struct ib_mad_send_buf *msg = NULL;
44801 int ret;
44802
44803- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44804+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44805 counter[CM_REQ_COUNTER]);
44806
44807 /* Quick state check to discard duplicate REQs. */
44808@@ -1798,7 +1798,7 @@ static void cm_dup_rep_handler(struct cm_work *work)
44809 if (!cm_id_priv)
44810 return;
44811
44812- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44813+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44814 counter[CM_REP_COUNTER]);
44815 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
44816 if (ret)
44817@@ -1965,7 +1965,7 @@ static int cm_rtu_handler(struct cm_work *work)
44818 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
44819 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
44820 spin_unlock_irq(&cm_id_priv->lock);
44821- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44822+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44823 counter[CM_RTU_COUNTER]);
44824 goto out;
44825 }
44826@@ -2148,7 +2148,7 @@ static int cm_dreq_handler(struct cm_work *work)
44827 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
44828 dreq_msg->local_comm_id);
44829 if (!cm_id_priv) {
44830- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44831+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44832 counter[CM_DREQ_COUNTER]);
44833 cm_issue_drep(work->port, work->mad_recv_wc);
44834 return -EINVAL;
44835@@ -2173,7 +2173,7 @@ static int cm_dreq_handler(struct cm_work *work)
44836 case IB_CM_MRA_REP_RCVD:
44837 break;
44838 case IB_CM_TIMEWAIT:
44839- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44840+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44841 counter[CM_DREQ_COUNTER]);
44842 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
44843 goto unlock;
44844@@ -2187,7 +2187,7 @@ static int cm_dreq_handler(struct cm_work *work)
44845 cm_free_msg(msg);
44846 goto deref;
44847 case IB_CM_DREQ_RCVD:
44848- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44849+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44850 counter[CM_DREQ_COUNTER]);
44851 goto unlock;
44852 default:
44853@@ -2554,7 +2554,7 @@ static int cm_mra_handler(struct cm_work *work)
44854 ib_modify_mad(cm_id_priv->av.port->mad_agent,
44855 cm_id_priv->msg, timeout)) {
44856 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
44857- atomic_long_inc(&work->port->
44858+ atomic_long_inc_unchecked(&work->port->
44859 counter_group[CM_RECV_DUPLICATES].
44860 counter[CM_MRA_COUNTER]);
44861 goto out;
44862@@ -2563,7 +2563,7 @@ static int cm_mra_handler(struct cm_work *work)
44863 break;
44864 case IB_CM_MRA_REQ_RCVD:
44865 case IB_CM_MRA_REP_RCVD:
44866- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44867+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44868 counter[CM_MRA_COUNTER]);
44869 /* fall through */
44870 default:
44871@@ -2725,7 +2725,7 @@ static int cm_lap_handler(struct cm_work *work)
44872 case IB_CM_LAP_IDLE:
44873 break;
44874 case IB_CM_MRA_LAP_SENT:
44875- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44876+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44877 counter[CM_LAP_COUNTER]);
44878 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
44879 goto unlock;
44880@@ -2741,7 +2741,7 @@ static int cm_lap_handler(struct cm_work *work)
44881 cm_free_msg(msg);
44882 goto deref;
44883 case IB_CM_LAP_RCVD:
44884- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44885+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44886 counter[CM_LAP_COUNTER]);
44887 goto unlock;
44888 default:
44889@@ -3025,7 +3025,7 @@ static int cm_sidr_req_handler(struct cm_work *work)
44890 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
44891 if (cur_cm_id_priv) {
44892 spin_unlock_irq(&cm.lock);
44893- atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
44894+ atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
44895 counter[CM_SIDR_REQ_COUNTER]);
44896 goto out; /* Duplicate message. */
44897 }
44898@@ -3237,10 +3237,10 @@ static void cm_send_handler(struct ib_mad_agent *mad_agent,
44899 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
44900 msg->retries = 1;
44901
44902- atomic_long_add(1 + msg->retries,
44903+ atomic_long_add_unchecked(1 + msg->retries,
44904 &port->counter_group[CM_XMIT].counter[attr_index]);
44905 if (msg->retries)
44906- atomic_long_add(msg->retries,
44907+ atomic_long_add_unchecked(msg->retries,
44908 &port->counter_group[CM_XMIT_RETRIES].
44909 counter[attr_index]);
44910
44911@@ -3466,7 +3466,7 @@ static void cm_recv_handler(struct ib_mad_agent *mad_agent,
44912 }
44913
44914 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
44915- atomic_long_inc(&port->counter_group[CM_RECV].
44916+ atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
44917 counter[attr_id - CM_ATTR_ID_OFFSET]);
44918
44919 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
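Review bot: The index `attr_id - CM_ATTR_ID_OFFSET` in cm_recv_handler comes from the received MAD header, and nothing in this hunk shows it being bounded against CM_ATTR_COUNT before it selects the counter slot. The closing brace above the assignment presumably ends a validating switch that starts outside the hunk; if so, a comment such as `/* attr_id validated by the switch above, so the index is < CM_ATTR_COUNT */` would make that dependency explicit. Switching to the unchecked increment does not change the indexing, so that bound remains the only protection for this write.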
44920@@ -3709,7 +3709,7 @@ static ssize_t cm_show_counter(struct kobject *obj, struct attribute *attr,
44921 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
44922
44923 return sprintf(buf, "%ld\n",
44924- atomic_long_read(&group->counter[cm_attr->index]));
44925+ atomic_long_read_unchecked(&group->counter[cm_attr->index]));
44926 }
44927
44928 static const struct sysfs_ops cm_counter_ops = {
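Review bot: cm_show_counter still formats the value with `%ld`, so once a counter is allowed to wrap silently the sysfs attribute will report a negative number after it passes LONG_MAX. If these are pure statistics, as the move to `atomic_long_unchecked_t` implies, a comment on `struct cm_counter_group` such as `/* statistics only; may wrap, never used for lifetime decisions */` would record why the overflow check is dropped here and in every handler hunk of this file. Tooling that reads the attribute should treat it as a modular counter.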
44929diff --git a/drivers/infiniband/core/fmr_pool.c b/drivers/infiniband/core/fmr_pool.c
44930index 9f5ad7c..588cd84 100644
44931--- a/drivers/infiniband/core/fmr_pool.c
44932+++ b/drivers/infiniband/core/fmr_pool.c
44933@@ -98,8 +98,8 @@ struct ib_fmr_pool {
44934
44935 struct task_struct *thread;
44936
44937- atomic_t req_ser;
44938- atomic_t flush_ser;
44939+ atomic_unchecked_t req_ser;
44940+ atomic_unchecked_t flush_ser;
44941
44942 wait_queue_head_t force_wait;
44943 };
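Review bot: `req_ser` and `flush_ser` lose overflow checking without a comment saying why, and the reason is not obvious from the struct alone. The hunks in ib_fmr_cleanup_thread and ib_flush_fmr_pool compare them by signed difference (`flush_ser - req_ser < 0`, `flush_ser - serial >= 0`), which is serial-number arithmetic that only works if the values are allowed to wrap. I would add `/* serial numbers compared by signed difference; wraparound is expected */` above the two fields. The difference is plain `int` subtraction, so it also relies on the build treating signed overflow as wrapping, which is worth stating in the same comment.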
44944@@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *pool_ptr)
44945 struct ib_fmr_pool *pool = pool_ptr;
44946
44947 do {
44948- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
44949+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
44950 ib_fmr_batch_release(pool);
44951
44952- atomic_inc(&pool->flush_ser);
44953+ atomic_inc_unchecked(&pool->flush_ser);
44954 wake_up_interruptible(&pool->force_wait);
44955
44956 if (pool->flush_function)
44957@@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *pool_ptr)
44958 }
44959
44960 set_current_state(TASK_INTERRUPTIBLE);
44961- if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
44962+ if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
44963 !kthread_should_stop())
44964 schedule();
44965 __set_current_state(TASK_RUNNING);
44966@@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(struct ib_pd *pd,
44967 pool->dirty_watermark = params->dirty_watermark;
44968 pool->dirty_len = 0;
44969 spin_lock_init(&pool->pool_lock);
44970- atomic_set(&pool->req_ser, 0);
44971- atomic_set(&pool->flush_ser, 0);
44972+ atomic_set_unchecked(&pool->req_ser, 0);
44973+ atomic_set_unchecked(&pool->flush_ser, 0);
44974 init_waitqueue_head(&pool->force_wait);
44975
44976 pool->thread = kthread_run(ib_fmr_cleanup_thread,
44977@@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool *pool)
44978 }
44979 spin_unlock_irq(&pool->pool_lock);
44980
44981- serial = atomic_inc_return(&pool->req_ser);
44982+ serial = atomic_inc_return_unchecked(&pool->req_ser);
44983 wake_up_process(pool->thread);
44984
44985 if (wait_event_interruptible(pool->force_wait,
44986- atomic_read(&pool->flush_ser) - serial >= 0))
44987+ atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
44988 return -EINTR;
44989
44990 return 0;
44991@@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr *fmr)
44992 } else {
44993 list_add_tail(&fmr->list, &pool->dirty_list);
44994 if (++pool->dirty_len >= pool->dirty_watermark) {
44995- atomic_inc(&pool->req_ser);
44996+ atomic_inc_unchecked(&pool->req_ser);
44997 wake_up_process(pool->thread);
44998 }
44999 }
45000diff --git a/drivers/infiniband/core/uverbs_cmd.c b/drivers/infiniband/core/uverbs_cmd.c
45001index a6ca83b..bd3a726 100644
45002--- a/drivers/infiniband/core/uverbs_cmd.c
45003+++ b/drivers/infiniband/core/uverbs_cmd.c
45004@@ -951,6 +951,9 @@ ssize_t ib_uverbs_reg_mr(struct ib_uverbs_file *file,
45005 if (copy_from_user(&cmd, buf, sizeof cmd))
45006 return -EFAULT;
45007
45008+ if (!access_ok_noprefault(VERIFY_READ, cmd.start, cmd.length))
45009+ return -EFAULT;
45010+
45011 INIT_UDATA(&udata, buf + sizeof cmd,
45012 (unsigned long) cmd.response + sizeof resp,
45013 in_len - sizeof cmd, out_len - sizeof resp);
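Review bot: The new range check in ib_uverbs_reg_mr passes `cmd.start` and `cmd.length` straight to `access_ok_noprefault()`, and if those are 64-bit ABI fields they would be narrowed on a 32-bit kernel before the check sees them. Rejecting a wrapping range first, for example `if (cmd.start + cmd.length < cmd.start) return -EINVAL;`, keeps the check meaningful regardless of word size; the field types are declared outside this hunk, so confirm them. The check also uses VERIFY_READ although a registered region may later be written through. Any other command in this file that accepts a user address range (none is visible here) deserves the same check.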
45014diff --git a/drivers/infiniband/hw/cxgb4/mem.c b/drivers/infiniband/hw/cxgb4/mem.c
45015index cff815b..75576dd 100644
45016--- a/drivers/infiniband/hw/cxgb4/mem.c
45017+++ b/drivers/infiniband/hw/cxgb4/mem.c
45018@@ -256,7 +256,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry,
45019 int err;
45020 struct fw_ri_tpte tpt;
45021 u32 stag_idx;
45022- static atomic_t key;
45023+ static atomic_unchecked_t key;
45024
45025 if (c4iw_fatal_error(rdev))
45026 return -EIO;
45027@@ -277,7 +277,7 @@ static int write_tpt_entry(struct c4iw_rdev *rdev, u32 reset_tpt_entry,
45028 if (rdev->stats.stag.cur > rdev->stats.stag.max)
45029 rdev->stats.stag.max = rdev->stats.stag.cur;
45030 mutex_unlock(&rdev->stats.lock);
45031- *stag = (stag_idx << 8) | (atomic_inc_return(&key) & 0xff);
45032+ *stag = (stag_idx << 8) | (atomic_inc_return_unchecked(&key) & 0xff);
45033 }
45034 PDBG("%s stag_state 0x%0x type 0x%0x pdid 0x%0x, stag_idx 0x%x\n",
45035 __func__, stag_state, type, pdid, stag_idx);
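Review bot: The function-local `static atomic_unchecked_t key` in write_tpt_entry has no comment explaining why wraparound is acceptable. Only the low byte is used (`atomic_inc_return_unchecked(&key) & 0xff`), so wrapping is harmless, and a comment like `/* only the low 8 bits feed the stag key; wrap is intended */` next to the declaration in the previous hunk would say so. Being static, the counter is shared by every caller and produces sequential key bytes, so code relying on the stag should not treat it as an unpredictable value.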
45036diff --git a/drivers/infiniband/hw/ipath/ipath_rc.c b/drivers/infiniband/hw/ipath/ipath_rc.c
45037index 79b3dbc..96e5fcc 100644
45038--- a/drivers/infiniband/hw/ipath/ipath_rc.c
45039+++ b/drivers/infiniband/hw/ipath/ipath_rc.c
45040@@ -1868,7 +1868,7 @@ void ipath_rc_rcv(struct ipath_ibdev *dev, struct ipath_ib_header *hdr,
45041 struct ib_atomic_eth *ateth;
45042 struct ipath_ack_entry *e;
45043 u64 vaddr;
45044- atomic64_t *maddr;
45045+ atomic64_unchecked_t *maddr;
45046 u64 sdata;
45047 u32 rkey;
45048 u8 next;
45049@@ -1903,11 +1903,11 @@ void ipath_rc_rcv(struct ipath_ibdev *dev, struct ipath_ib_header *hdr,
45050 IB_ACCESS_REMOTE_ATOMIC)))
45051 goto nack_acc_unlck;
45052 /* Perform atomic OP and save result. */
45053- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
45054+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
45055 sdata = be64_to_cpu(ateth->swap_data);
45056 e = &qp->s_ack_queue[qp->r_head_ack_queue];
45057 e->atomic_data = (opcode == OP(FETCH_ADD)) ?
45058- (u64) atomic64_add_return(sdata, maddr) - sdata :
45059+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
45060 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
45061 be64_to_cpu(ateth->compare_data),
45062 sdata);
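Review bot: The cast to `atomic64_unchecked_t *` in ipath_rc_rcv looks like the right type for this operation, but the code does not say why, and the same applies to the identical change in ipath_ruc_loopback. The FETCH_ADD operand `sdata` is taken from the request (`ateth->swap_data`), so with an overflow-checked atomic64 the sender's choice of operand could presumably trigger the overflow handling; the add has to wrap. I would extend the existing comment to `/* Perform atomic OP and save result; the add wraps modulo 2^64 by design. */`. Any alignment or bounds validation of `qp->r_sge.sge.vaddr` happens before the lines shown and is outside the hunk.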
45063diff --git a/drivers/infiniband/hw/ipath/ipath_ruc.c b/drivers/infiniband/hw/ipath/ipath_ruc.c
45064index 1f95bba..9530f87 100644
45065--- a/drivers/infiniband/hw/ipath/ipath_ruc.c
45066+++ b/drivers/infiniband/hw/ipath/ipath_ruc.c
45067@@ -266,7 +266,7 @@ static void ipath_ruc_loopback(struct ipath_qp *sqp)
45068 unsigned long flags;
45069 struct ib_wc wc;
45070 u64 sdata;
45071- atomic64_t *maddr;
45072+ atomic64_unchecked_t *maddr;
45073 enum ib_wc_status send_status;
45074
45075 /*
45076@@ -382,11 +382,11 @@ again:
45077 IB_ACCESS_REMOTE_ATOMIC)))
45078 goto acc_err;
45079 /* Perform atomic OP and save result. */
45080- maddr = (atomic64_t *) qp->r_sge.sge.vaddr;
45081+ maddr = (atomic64_unchecked_t *) qp->r_sge.sge.vaddr;
45082 sdata = wqe->wr.wr.atomic.compare_add;
45083 *(u64 *) sqp->s_sge.sge.vaddr =
45084 (wqe->wr.opcode == IB_WR_ATOMIC_FETCH_AND_ADD) ?
45085- (u64) atomic64_add_return(sdata, maddr) - sdata :
45086+ (u64) atomic64_add_return_unchecked(sdata, maddr) - sdata :
45087 (u64) cmpxchg((u64 *) qp->r_sge.sge.vaddr,
45088 sdata, wqe->wr.wr.atomic.swap);
45089 goto send_comp;
45090diff --git a/drivers/infiniband/hw/mlx4/mad.c b/drivers/infiniband/hw/mlx4/mad.c
45091index 68b3dfa..3e0c511 100644
45092--- a/drivers/infiniband/hw/mlx4/mad.c
45093+++ b/drivers/infiniband/hw/mlx4/mad.c
45094@@ -98,7 +98,7 @@ __be64 mlx4_ib_gen_node_guid(void)
45095
45096 __be64 mlx4_ib_get_new_demux_tid(struct mlx4_ib_demux_ctx *ctx)
45097 {
45098- return cpu_to_be64(atomic_inc_return(&ctx->tid)) |
45099+ return cpu_to_be64(atomic_inc_return_unchecked(&ctx->tid)) |
45100 cpu_to_be64(0xff00000000000000LL);
45101 }
45102
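Review bot: `atomic_inc_return_unchecked(&ctx->tid)` returns a signed `int` that is widened inside `cpu_to_be64()`, so once the counter is allowed to wrap past INT_MAX the value sign-extends and sets the upper 32 bits of the transaction ID. Casting first keeps the counter confined to the low word: `return cpu_to_be64((u32)atomic_inc_return_unchecked(&ctx->tid)) |`. Whether the upper bits matter to the demux logic is not visible in this hunk, so treat this as something to confirm rather than a proven bug.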
45103diff --git a/drivers/infiniband/hw/mlx4/mcg.c b/drivers/infiniband/hw/mlx4/mcg.c
45104index a0559a8..86a2320 100644
45105--- a/drivers/infiniband/hw/mlx4/mcg.c
45106+++ b/drivers/infiniband/hw/mlx4/mcg.c
45107@@ -1042,7 +1042,7 @@ int mlx4_ib_mcg_port_init(struct mlx4_ib_demux_ctx *ctx)
45108 {
45109 char name[20];
45110
45111- atomic_set(&ctx->tid, 0);
45112+ atomic_set_unchecked(&ctx->tid, 0);
45113 sprintf(name, "mlx4_ib_mcg%d", ctx->port);
45114 ctx->mcg_wq = create_singlethread_workqueue(name);
45115 if (!ctx->mcg_wq)
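Review bot: The unbounded `sprintf(name, "mlx4_ib_mcg%d", ctx->port)` in mlx4_ib_mcg_port_init writes into `char name[20]`, and the 11-character prefix plus a full-width `%d` and the terminator can exceed 20 bytes. Port numbers are presumably small, so an overflow is unlikely in practice, but `snprintf(name, sizeof(name), "mlx4_ib_mcg%d", ctx->port);` removes the dependency on that assumption. The line is unchanged context next to the `atomic_set_unchecked()` edit, and the function continues outside the hunk.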
45116diff --git a/drivers/infiniband/hw/mlx4/mlx4_ib.h b/drivers/infiniband/hw/mlx4/mlx4_ib.h
45117index 334387f..e640d74 100644
45118--- a/drivers/infiniband/hw/mlx4/mlx4_ib.h
45119+++ b/drivers/infiniband/hw/mlx4/mlx4_ib.h
45120@@ -436,7 +436,7 @@ struct mlx4_ib_demux_ctx {
45121 struct list_head mcg_mgid0_list;
45122 struct workqueue_struct *mcg_wq;
45123 struct mlx4_ib_demux_pv_ctx **tun;
45124- atomic_t tid;
45125+ atomic_unchecked_t tid;
45126 int flushing; /* flushing the work queue */
45127 };
45128
45129diff --git a/drivers/infiniband/hw/mthca/mthca_cmd.c b/drivers/infiniband/hw/mthca/mthca_cmd.c
45130index c7f49bb..6a021bb 100644
45131--- a/drivers/infiniband/hw/mthca/mthca_cmd.c
45132+++ b/drivers/infiniband/hw/mthca/mthca_cmd.c
45133@@ -772,7 +772,7 @@ static void mthca_setup_cmd_doorbells(struct mthca_dev *dev, u64 base)
45134 mthca_dbg(dev, "Mapped doorbell page for posting FW commands\n");
45135 }
45136
45137-int mthca_QUERY_FW(struct mthca_dev *dev)
45138+int __intentional_overflow(-1) mthca_QUERY_FW(struct mthca_dev *dev)
45139 {
45140 struct mthca_mailbox *mailbox;
45141 u32 *outbox;
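Review bot: `__intentional_overflow(-1)` is added to mthca_QUERY_FW with no comment naming the expression that needs the exemption. The same bare annotation appears on mthca_WRITE_MTT, mthca_SW2HW_EQ, mthca_MAD_IFC, mthca_setup_hca, mthca_buddy_alloc, mthca_mr_alloc, mthca_mr_alloc_phys and mthca_resize_cq. A suppression marker without a rationale cannot be re-evaluated when the function changes and may mask a genuine overflow later. Each should carry a short comment of the form `/* overflow is intentional: <expression and reason> */`; the bodies are outside these hunks, so the reasons have to come from the author.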
45142@@ -1612,7 +1612,7 @@ int mthca_HW2SW_MPT(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
45143 CMD_TIME_CLASS_B);
45144 }
45145
45146-int mthca_WRITE_MTT(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
45147+int __intentional_overflow(-1) mthca_WRITE_MTT(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
45148 int num_mtt)
45149 {
45150 return mthca_cmd(dev, mailbox->dma, num_mtt, 0, CMD_WRITE_MTT,
45151@@ -1634,7 +1634,7 @@ int mthca_MAP_EQ(struct mthca_dev *dev, u64 event_mask, int unmap,
45152 0, CMD_MAP_EQ, CMD_TIME_CLASS_B);
45153 }
45154
45155-int mthca_SW2HW_EQ(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
45156+int __intentional_overflow(-1) mthca_SW2HW_EQ(struct mthca_dev *dev, struct mthca_mailbox *mailbox,
45157 int eq_num)
45158 {
45159 return mthca_cmd(dev, mailbox->dma, eq_num, 0, CMD_SW2HW_EQ,
45160@@ -1857,7 +1857,7 @@ int mthca_CONF_SPECIAL_QP(struct mthca_dev *dev, int type, u32 qpn)
45161 CMD_TIME_CLASS_B);
45162 }
45163
45164-int mthca_MAD_IFC(struct mthca_dev *dev, int ignore_mkey, int ignore_bkey,
45165+int __intentional_overflow(-1) mthca_MAD_IFC(struct mthca_dev *dev, int ignore_mkey, int ignore_bkey,
45166 int port, const struct ib_wc *in_wc, const struct ib_grh *in_grh,
45167 const void *in_mad, void *response_mad)
45168 {
45169diff --git a/drivers/infiniband/hw/mthca/mthca_main.c b/drivers/infiniband/hw/mthca/mthca_main.c
45170index ded76c1..0cf0a08 100644
45171--- a/drivers/infiniband/hw/mthca/mthca_main.c
45172+++ b/drivers/infiniband/hw/mthca/mthca_main.c
45173@@ -692,7 +692,7 @@ err_close:
45174 return err;
45175 }
45176
45177-static int mthca_setup_hca(struct mthca_dev *dev)
45178+static int __intentional_overflow(-1) mthca_setup_hca(struct mthca_dev *dev)
45179 {
45180 int err;
45181
45182diff --git a/drivers/infiniband/hw/mthca/mthca_mr.c b/drivers/infiniband/hw/mthca/mthca_mr.c
45183index ed9a989..6aa5dc2 100644
45184--- a/drivers/infiniband/hw/mthca/mthca_mr.c
45185+++ b/drivers/infiniband/hw/mthca/mthca_mr.c
45186@@ -81,7 +81,7 @@ struct mthca_mpt_entry {
45187 * through the bitmaps)
45188 */
45189
45190-static u32 mthca_buddy_alloc(struct mthca_buddy *buddy, int order)
45191+static u32 __intentional_overflow(-1) mthca_buddy_alloc(struct mthca_buddy *buddy, int order)
45192 {
45193 int o;
45194 int m;
45195@@ -426,7 +426,7 @@ static inline u32 adjust_key(struct mthca_dev *dev, u32 key)
45196 return key;
45197 }
45198
45199-int mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
45200+int __intentional_overflow(-1) mthca_mr_alloc(struct mthca_dev *dev, u32 pd, int buffer_size_shift,
45201 u64 iova, u64 total_size, u32 access, struct mthca_mr *mr)
45202 {
45203 struct mthca_mailbox *mailbox;
45204@@ -516,7 +516,7 @@ int mthca_mr_alloc_notrans(struct mthca_dev *dev, u32 pd,
45205 return mthca_mr_alloc(dev, pd, 12, 0, ~0ULL, access, mr);
45206 }
45207
45208-int mthca_mr_alloc_phys(struct mthca_dev *dev, u32 pd,
45209+int __intentional_overflow(-1) mthca_mr_alloc_phys(struct mthca_dev *dev, u32 pd,
45210 u64 *buffer_list, int buffer_size_shift,
45211 int list_len, u64 iova, u64 total_size,
45212 u32 access, struct mthca_mr *mr)
45213diff --git a/drivers/infiniband/hw/mthca/mthca_provider.c b/drivers/infiniband/hw/mthca/mthca_provider.c
45214index 93ae51d..84c4a44 100644
45215--- a/drivers/infiniband/hw/mthca/mthca_provider.c
45216+++ b/drivers/infiniband/hw/mthca/mthca_provider.c
45217@@ -771,7 +771,7 @@ unlock:
45218 return 0;
45219 }
45220
45221-static int mthca_resize_cq(struct ib_cq *ibcq, int entries, struct ib_udata *udata)
45222+static int __intentional_overflow(-1) mthca_resize_cq(struct ib_cq *ibcq, int entries, struct ib_udata *udata)
45223 {
45224 struct mthca_dev *dev = to_mdev(ibcq->device);
45225 struct mthca_cq *cq = to_mcq(ibcq);
45226diff --git a/drivers/infiniband/hw/nes/nes.c b/drivers/infiniband/hw/nes/nes.c
45227index 9f9d5c5..3c19aac 100644
45228--- a/drivers/infiniband/hw/nes/nes.c
45229+++ b/drivers/infiniband/hw/nes/nes.c
45230@@ -97,7 +97,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limit max read request size to 256 Bytes");
45231 LIST_HEAD(nes_adapter_list);
45232 static LIST_HEAD(nes_dev_list);
45233
45234-atomic_t qps_destroyed;
45235+atomic_unchecked_t qps_destroyed;
45236
45237 static unsigned int ee_flsh_adapter;
45238 static unsigned int sysfs_nonidx_addr;
45239@@ -279,7 +279,7 @@ static void nes_cqp_rem_ref_callback(struct nes_device *nesdev, struct nes_cqp_r
45240 struct nes_qp *nesqp = cqp_request->cqp_callback_pointer;
45241 struct nes_adapter *nesadapter = nesdev->nesadapter;
45242
45243- atomic_inc(&qps_destroyed);
45244+ atomic_inc_unchecked(&qps_destroyed);
45245
45246 /* Free the control structures */
45247
45248diff --git a/drivers/infiniband/hw/nes/nes.h b/drivers/infiniband/hw/nes/nes.h
45249index bd9d132..70d84f4 100644
45250--- a/drivers/infiniband/hw/nes/nes.h
45251+++ b/drivers/infiniband/hw/nes/nes.h
45252@@ -180,17 +180,17 @@ extern unsigned int nes_debug_level;
45253 extern unsigned int wqm_quanta;
45254 extern struct list_head nes_adapter_list;
45255
45256-extern atomic_t cm_connects;
45257-extern atomic_t cm_accepts;
45258-extern atomic_t cm_disconnects;
45259-extern atomic_t cm_closes;
45260-extern atomic_t cm_connecteds;
45261-extern atomic_t cm_connect_reqs;
45262-extern atomic_t cm_rejects;
45263-extern atomic_t mod_qp_timouts;
45264-extern atomic_t qps_created;
45265-extern atomic_t qps_destroyed;
45266-extern atomic_t sw_qps_destroyed;
45267+extern atomic_unchecked_t cm_connects;
45268+extern atomic_unchecked_t cm_accepts;
45269+extern atomic_unchecked_t cm_disconnects;
45270+extern atomic_unchecked_t cm_closes;
45271+extern atomic_unchecked_t cm_connecteds;
45272+extern atomic_unchecked_t cm_connect_reqs;
45273+extern atomic_unchecked_t cm_rejects;
45274+extern atomic_unchecked_t mod_qp_timouts;
45275+extern atomic_unchecked_t qps_created;
45276+extern atomic_unchecked_t qps_destroyed;
45277+extern atomic_unchecked_t sw_qps_destroyed;
45278 extern u32 mh_detected;
45279 extern u32 mh_pauses_sent;
45280 extern u32 cm_packets_sent;
45281@@ -199,16 +199,16 @@ extern u32 cm_packets_created;
45282 extern u32 cm_packets_received;
45283 extern u32 cm_packets_dropped;
45284 extern u32 cm_packets_retrans;
45285-extern atomic_t cm_listens_created;
45286-extern atomic_t cm_listens_destroyed;
45287+extern atomic_unchecked_t cm_listens_created;
45288+extern atomic_unchecked_t cm_listens_destroyed;
45289 extern u32 cm_backlog_drops;
45290-extern atomic_t cm_loopbacks;
45291-extern atomic_t cm_nodes_created;
45292-extern atomic_t cm_nodes_destroyed;
45293-extern atomic_t cm_accel_dropped_pkts;
45294-extern atomic_t cm_resets_recvd;
45295-extern atomic_t pau_qps_created;
45296-extern atomic_t pau_qps_destroyed;
45297+extern atomic_unchecked_t cm_loopbacks;
45298+extern atomic_unchecked_t cm_nodes_created;
45299+extern atomic_unchecked_t cm_nodes_destroyed;
45300+extern atomic_unchecked_t cm_accel_dropped_pkts;
45301+extern atomic_unchecked_t cm_resets_recvd;
45302+extern atomic_unchecked_t pau_qps_created;
45303+extern atomic_unchecked_t pau_qps_destroyed;
45304
45305 extern u32 int_mod_timer_init;
45306 extern u32 int_mod_cq_depth_256;
45307diff --git a/drivers/infiniband/hw/nes/nes_cm.c b/drivers/infiniband/hw/nes/nes_cm.c
45308index 8a3ad17..e1ed4bc 100644
45309--- a/drivers/infiniband/hw/nes/nes_cm.c
45310+++ b/drivers/infiniband/hw/nes/nes_cm.c
45311@@ -69,14 +69,14 @@ u32 cm_packets_dropped;
45312 u32 cm_packets_retrans;
45313 u32 cm_packets_created;
45314 u32 cm_packets_received;
45315-atomic_t cm_listens_created;
45316-atomic_t cm_listens_destroyed;
45317+atomic_unchecked_t cm_listens_created;
45318+atomic_unchecked_t cm_listens_destroyed;
45319 u32 cm_backlog_drops;
45320-atomic_t cm_loopbacks;
45321-atomic_t cm_nodes_created;
45322-atomic_t cm_nodes_destroyed;
45323-atomic_t cm_accel_dropped_pkts;
45324-atomic_t cm_resets_recvd;
45325+atomic_unchecked_t cm_loopbacks;
45326+atomic_unchecked_t cm_nodes_created;
45327+atomic_unchecked_t cm_nodes_destroyed;
45328+atomic_unchecked_t cm_accel_dropped_pkts;
45329+atomic_unchecked_t cm_resets_recvd;
45330
45331 static inline int mini_cm_accelerated(struct nes_cm_core *, struct nes_cm_node *);
45332 static struct nes_cm_listener *mini_cm_listen(struct nes_cm_core *, struct nes_vnic *, struct nes_cm_info *);
45333@@ -135,28 +135,28 @@ static void record_ird_ord(struct nes_cm_node *, u16, u16);
45334 /* instance of function pointers for client API */
45335 /* set address of this instance to cm_core->cm_ops at cm_core alloc */
45336 static struct nes_cm_ops nes_cm_api = {
45337- mini_cm_accelerated,
45338- mini_cm_listen,
45339- mini_cm_del_listen,
45340- mini_cm_connect,
45341- mini_cm_close,
45342- mini_cm_accept,
45343- mini_cm_reject,
45344- mini_cm_recv_pkt,
45345- mini_cm_dealloc_core,
45346- mini_cm_get,
45347- mini_cm_set
45348+ .accelerated = mini_cm_accelerated,
45349+ .listen = mini_cm_listen,
45350+ .stop_listener = mini_cm_del_listen,
45351+ .connect = mini_cm_connect,
45352+ .close = mini_cm_close,
45353+ .accept = mini_cm_accept,
45354+ .reject = mini_cm_reject,
45355+ .recv_pkt = mini_cm_recv_pkt,
45356+ .destroy_cm_core = mini_cm_dealloc_core,
45357+ .get = mini_cm_get,
45358+ .set = mini_cm_set
45359 };
45360
45361 static struct nes_cm_core *g_cm_core;
45362
45363-atomic_t cm_connects;
45364-atomic_t cm_accepts;
45365-atomic_t cm_disconnects;
45366-atomic_t cm_closes;
45367-atomic_t cm_connecteds;
45368-atomic_t cm_connect_reqs;
45369-atomic_t cm_rejects;
45370+atomic_unchecked_t cm_connects;
45371+atomic_unchecked_t cm_accepts;
45372+atomic_unchecked_t cm_disconnects;
45373+atomic_unchecked_t cm_closes;
45374+atomic_unchecked_t cm_connecteds;
45375+atomic_unchecked_t cm_connect_reqs;
45376+atomic_unchecked_t cm_rejects;
45377
45378 int nes_add_ref_cm_node(struct nes_cm_node *cm_node)
45379 {
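Review bot: The function-pointer table `nes_cm_api` stays writable after this change, even though the switch to designated initializers now ties each handler to its member by name. If `cm_core->api` can be declared as a pointer to const (its declaration is outside this hunk), `static const struct nes_cm_ops nes_cm_api = {` would let the table live in read-only data, which is the safer default for an ops structure.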
45380@@ -1461,7 +1461,7 @@ static int mini_cm_dec_refcnt_listen(struct nes_cm_core *cm_core,
45381 kfree(listener);
45382 listener = NULL;
45383 ret = 0;
45384- atomic_inc(&cm_listens_destroyed);
45385+ atomic_inc_unchecked(&cm_listens_destroyed);
45386 } else {
45387 spin_unlock_irqrestore(&cm_core->listen_list_lock, flags);
45388 }
45389@@ -1670,7 +1670,7 @@ static struct nes_cm_node *make_cm_node(struct nes_cm_core *cm_core,
45390 cm_node->rem_mac);
45391
45392 add_hte_node(cm_core, cm_node);
45393- atomic_inc(&cm_nodes_created);
45394+ atomic_inc_unchecked(&cm_nodes_created);
45395
45396 return cm_node;
45397 }
45398@@ -1731,7 +1731,7 @@ static int rem_ref_cm_node(struct nes_cm_core *cm_core,
45399 }
45400
45401 atomic_dec(&cm_core->node_cnt);
45402- atomic_inc(&cm_nodes_destroyed);
45403+ atomic_inc_unchecked(&cm_nodes_destroyed);
45404 nesqp = cm_node->nesqp;
45405 if (nesqp) {
45406 nesqp->cm_node = NULL;
45407@@ -1795,7 +1795,7 @@ static int process_options(struct nes_cm_node *cm_node, u8 *optionsloc,
45408
45409 static void drop_packet(struct sk_buff *skb)
45410 {
45411- atomic_inc(&cm_accel_dropped_pkts);
45412+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
45413 dev_kfree_skb_any(skb);
45414 }
45415
45416@@ -1858,7 +1858,7 @@ static void handle_rst_pkt(struct nes_cm_node *cm_node, struct sk_buff *skb,
45417 {
45418
45419 int reset = 0; /* whether to send reset in case of err.. */
45420- atomic_inc(&cm_resets_recvd);
45421+ atomic_inc_unchecked(&cm_resets_recvd);
45422 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
45423 " refcnt=%d\n", cm_node, cm_node->state,
45424 atomic_read(&cm_node->ref_count));
45425@@ -2526,7 +2526,7 @@ static struct nes_cm_node *mini_cm_connect(struct nes_cm_core *cm_core,
45426 rem_ref_cm_node(cm_node->cm_core, cm_node);
45427 return NULL;
45428 }
45429- atomic_inc(&cm_loopbacks);
45430+ atomic_inc_unchecked(&cm_loopbacks);
45431 loopbackremotenode->loopbackpartner = cm_node;
45432 loopbackremotenode->tcp_cntxt.rcv_wscale =
45433 NES_CM_DEFAULT_RCV_WND_SCALE;
45434@@ -2807,7 +2807,7 @@ static int mini_cm_recv_pkt(struct nes_cm_core *cm_core,
45435 nes_queue_mgt_skbs(skb, nesvnic, cm_node->nesqp);
45436 else {
45437 rem_ref_cm_node(cm_core, cm_node);
45438- atomic_inc(&cm_accel_dropped_pkts);
45439+ atomic_inc_unchecked(&cm_accel_dropped_pkts);
45440 dev_kfree_skb_any(skb);
45441 }
45442 break;
45443@@ -3118,7 +3118,7 @@ static int nes_cm_disconn_true(struct nes_qp *nesqp)
45444
45445 if ((cm_id) && (cm_id->event_handler)) {
45446 if (issue_disconn) {
45447- atomic_inc(&cm_disconnects);
45448+ atomic_inc_unchecked(&cm_disconnects);
45449 cm_event.event = IW_CM_EVENT_DISCONNECT;
45450 cm_event.status = disconn_status;
45451 cm_event.local_addr = cm_id->local_addr;
45452@@ -3140,7 +3140,7 @@ static int nes_cm_disconn_true(struct nes_qp *nesqp)
45453 }
45454
45455 if (issue_close) {
45456- atomic_inc(&cm_closes);
45457+ atomic_inc_unchecked(&cm_closes);
45458 nes_disconnect(nesqp, 1);
45459
45460 cm_id->provider_data = nesqp;
45461@@ -3278,7 +3278,7 @@ int nes_accept(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
45462
45463 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
45464 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
45465- atomic_inc(&cm_accepts);
45466+ atomic_inc_unchecked(&cm_accepts);
45467
45468 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
45469 netdev_refcnt_read(nesvnic->netdev));
45470@@ -3476,7 +3476,7 @@ int nes_reject(struct iw_cm_id *cm_id, const void *pdata, u8 pdata_len)
45471 struct nes_cm_core *cm_core;
45472 u8 *start_buff;
45473
45474- atomic_inc(&cm_rejects);
45475+ atomic_inc_unchecked(&cm_rejects);
45476 cm_node = (struct nes_cm_node *)cm_id->provider_data;
45477 loopback = cm_node->loopbackpartner;
45478 cm_core = cm_node->cm_core;
45479@@ -3541,7 +3541,7 @@ int nes_connect(struct iw_cm_id *cm_id, struct iw_cm_conn_param *conn_param)
45480 ntohs(raddr->sin_port), ntohl(laddr->sin_addr.s_addr),
45481 ntohs(laddr->sin_port));
45482
45483- atomic_inc(&cm_connects);
45484+ atomic_inc_unchecked(&cm_connects);
45485 nesqp->active_conn = 1;
45486
45487 /* cache the cm_id in the qp */
45488@@ -3688,7 +3688,7 @@ int nes_create_listen(struct iw_cm_id *cm_id, int backlog)
45489 g_cm_core->api->stop_listener(g_cm_core, (void *)cm_node);
45490 return err;
45491 }
45492- atomic_inc(&cm_listens_created);
45493+ atomic_inc_unchecked(&cm_listens_created);
45494 }
45495
45496 cm_id->add_ref(cm_id);
45497@@ -3795,7 +3795,7 @@ static void cm_event_connected(struct nes_cm_event *event)
45498
45499 if (nesqp->destroyed)
45500 return;
45501- atomic_inc(&cm_connecteds);
45502+ atomic_inc_unchecked(&cm_connecteds);
45503 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
45504 " local port 0x%04X. jiffies = %lu.\n",
45505 nesqp->hwqp.qp_id, ntohl(raddr->sin_addr.s_addr),
45506@@ -3980,7 +3980,7 @@ static void cm_event_reset(struct nes_cm_event *event)
45507
45508 cm_id->add_ref(cm_id);
45509 ret = cm_id->event_handler(cm_id, &cm_event);
45510- atomic_inc(&cm_closes);
45511+ atomic_inc_unchecked(&cm_closes);
45512 cm_event.event = IW_CM_EVENT_CLOSE;
45513 cm_event.status = 0;
45514 cm_event.provider_data = cm_id->provider_data;
45515@@ -4020,7 +4020,7 @@ static void cm_event_mpa_req(struct nes_cm_event *event)
45516 return;
45517 cm_id = cm_node->cm_id;
45518
45519- atomic_inc(&cm_connect_reqs);
45520+ atomic_inc_unchecked(&cm_connect_reqs);
45521 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
45522 cm_node, cm_id, jiffies);
45523
45524@@ -4069,7 +4069,7 @@ static void cm_event_mpa_reject(struct nes_cm_event *event)
45525 return;
45526 cm_id = cm_node->cm_id;
45527
45528- atomic_inc(&cm_connect_reqs);
45529+ atomic_inc_unchecked(&cm_connect_reqs);
45530 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
45531 cm_node, cm_id, jiffies);
45532
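Review bot: cm_event_mpa_reject increments `cm_connect_reqs`, the same counter the cm_event_mpa_req hunk above uses, so a rejected MPA exchange is counted as a connect request. If that is not intended the line would read `atomic_inc_unchecked(&cm_rejects);`, though nes_reject already bumps that counter, so the author should state which statistic this event belongs to. The commit only renames the call, and the function body continues outside the hunk.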
45533diff --git a/drivers/infiniband/hw/nes/nes_mgt.c b/drivers/infiniband/hw/nes/nes_mgt.c
45534index 4166452..fc952c3 100644
45535--- a/drivers/infiniband/hw/nes/nes_mgt.c
45536+++ b/drivers/infiniband/hw/nes/nes_mgt.c
45537@@ -40,8 +40,8 @@
45538 #include "nes.h"
45539 #include "nes_mgt.h"
45540
45541-atomic_t pau_qps_created;
45542-atomic_t pau_qps_destroyed;
45543+atomic_unchecked_t pau_qps_created;
45544+atomic_unchecked_t pau_qps_destroyed;
45545
45546 static void nes_replenish_mgt_rq(struct nes_vnic_mgt *mgtvnic)
45547 {
45548@@ -621,7 +621,7 @@ void nes_destroy_pau_qp(struct nes_device *nesdev, struct nes_qp *nesqp)
45549 {
45550 struct sk_buff *skb;
45551 unsigned long flags;
45552- atomic_inc(&pau_qps_destroyed);
45553+ atomic_inc_unchecked(&pau_qps_destroyed);
45554
45555 /* Free packets that have not yet been forwarded */
45556 /* Lock is acquired by skb_dequeue when removing the skb */
45557@@ -810,7 +810,7 @@ static void nes_mgt_ce_handler(struct nes_device *nesdev, struct nes_hw_nic_cq *
45558 cq->cq_vbase[head].cqe_words[NES_NIC_CQE_HASH_RCVNXT]);
45559 skb_queue_head_init(&nesqp->pau_list);
45560 spin_lock_init(&nesqp->pau_lock);
45561- atomic_inc(&pau_qps_created);
45562+ atomic_inc_unchecked(&pau_qps_created);
45563 nes_change_quad_hash(nesdev, mgtvnic->nesvnic, nesqp);
45564 }
45565
45566diff --git a/drivers/infiniband/hw/nes/nes_nic.c b/drivers/infiniband/hw/nes/nes_nic.c
45567index 70acda9..a96de9d 100644
45568--- a/drivers/infiniband/hw/nes/nes_nic.c
45569+++ b/drivers/infiniband/hw/nes/nes_nic.c
45570@@ -1274,39 +1274,39 @@ static void nes_netdev_get_ethtool_stats(struct net_device *netdev,
45571 target_stat_values[++index] = mh_detected;
45572 target_stat_values[++index] = mh_pauses_sent;
45573 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
45574- target_stat_values[++index] = atomic_read(&cm_connects);
45575- target_stat_values[++index] = atomic_read(&cm_accepts);
45576- target_stat_values[++index] = atomic_read(&cm_disconnects);
45577- target_stat_values[++index] = atomic_read(&cm_connecteds);
45578- target_stat_values[++index] = atomic_read(&cm_connect_reqs);
45579- target_stat_values[++index] = atomic_read(&cm_rejects);
45580- target_stat_values[++index] = atomic_read(&mod_qp_timouts);
45581- target_stat_values[++index] = atomic_read(&qps_created);
45582- target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
45583- target_stat_values[++index] = atomic_read(&qps_destroyed);
45584- target_stat_values[++index] = atomic_read(&cm_closes);
45585+ target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
45586+ target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
45587+ target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
45588+ target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
45589+ target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
45590+ target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
45591+ target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
45592+ target_stat_values[++index] = atomic_read_unchecked(&qps_created);
45593+ target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
45594+ target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
45595+ target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
45596 target_stat_values[++index] = cm_packets_sent;
45597 target_stat_values[++index] = cm_packets_bounced;
45598 target_stat_values[++index] = cm_packets_created;
45599 target_stat_values[++index] = cm_packets_received;
45600 target_stat_values[++index] = cm_packets_dropped;
45601 target_stat_values[++index] = cm_packets_retrans;
45602- target_stat_values[++index] = atomic_read(&cm_listens_created);
45603- target_stat_values[++index] = atomic_read(&cm_listens_destroyed);
45604+ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_created);
45605+ target_stat_values[++index] = atomic_read_unchecked(&cm_listens_destroyed);
45606 target_stat_values[++index] = cm_backlog_drops;
45607- target_stat_values[++index] = atomic_read(&cm_loopbacks);
45608- target_stat_values[++index] = atomic_read(&cm_nodes_created);
45609- target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
45610- target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
45611- target_stat_values[++index] = atomic_read(&cm_resets_recvd);
45612+ target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
45613+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
45614+ target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
45615+ target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
45616+ target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
45617 target_stat_values[++index] = nesadapter->free_4kpbl;
45618 target_stat_values[++index] = nesadapter->free_256pbl;
45619 target_stat_values[++index] = int_mod_timer_init;
45620 target_stat_values[++index] = nesvnic->lro_mgr.stats.aggregated;
45621 target_stat_values[++index] = nesvnic->lro_mgr.stats.flushed;
45622 target_stat_values[++index] = nesvnic->lro_mgr.stats.no_desc;
45623- target_stat_values[++index] = atomic_read(&pau_qps_created);
45624- target_stat_values[++index] = atomic_read(&pau_qps_destroyed);
45625+ target_stat_values[++index] = atomic_read_unchecked(&pau_qps_created);
45626+ target_stat_values[++index] = atomic_read_unchecked(&pau_qps_destroyed);
45627 }
45628
45629 /**
45630diff --git a/drivers/infiniband/hw/nes/nes_verbs.c b/drivers/infiniband/hw/nes/nes_verbs.c
45631index fbc43e5..3672792 100644
45632--- a/drivers/infiniband/hw/nes/nes_verbs.c
45633+++ b/drivers/infiniband/hw/nes/nes_verbs.c
45634@@ -46,9 +46,9 @@
45635
45636 #include <rdma/ib_umem.h>
45637
45638-atomic_t mod_qp_timouts;
45639-atomic_t qps_created;
45640-atomic_t sw_qps_destroyed;
45641+atomic_unchecked_t mod_qp_timouts;
45642+atomic_unchecked_t qps_created;
45643+atomic_unchecked_t sw_qps_destroyed;
45644
45645 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
45646
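Review bot: The three counters redeclared as `atomic_unchecked_t` here carry no comment saying why they are exempt from overflow checking, so a later reader cannot tell a deliberate opt-out from an oversight. From the visible uses they are only incremented in `nes_create_qp`/`nes_destroy_qp` and read for ethtool statistics in nes_nic.c, which suggests they are pure statistics; a line such as `/* statistics only, never a reference count: wraparound is harmless */` above the declarations would record that. The same applies to the device-numbering counters converted further down (`gameport_no`, `input_no`, `led_seq`, `device_no`, `serio_no`, `serio_raw_no`).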
45647@@ -1137,7 +1137,7 @@ static struct ib_qp *nes_create_qp(struct ib_pd *ibpd,
45648 if (init_attr->create_flags)
45649 return ERR_PTR(-EINVAL);
45650
45651- atomic_inc(&qps_created);
45652+ atomic_inc_unchecked(&qps_created);
45653 switch (init_attr->qp_type) {
45654 case IB_QPT_RC:
45655 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
45656@@ -1471,7 +1471,7 @@ static int nes_destroy_qp(struct ib_qp *ibqp)
45657 struct iw_cm_event cm_event;
45658 int ret = 0;
45659
45660- atomic_inc(&sw_qps_destroyed);
45661+ atomic_inc_unchecked(&sw_qps_destroyed);
45662 nesqp->destroyed = 1;
45663
45664 /* Blow away the connection if it exists. */
45665diff --git a/drivers/infiniband/hw/qib/qib.h b/drivers/infiniband/hw/qib/qib.h
45666index 7df16f7..7e1b21e 100644
45667--- a/drivers/infiniband/hw/qib/qib.h
45668+++ b/drivers/infiniband/hw/qib/qib.h
45669@@ -52,6 +52,7 @@
45670 #include <linux/kref.h>
45671 #include <linux/sched.h>
45672 #include <linux/kthread.h>
45673+#include <linux/slab.h>
45674
45675 #include "qib_common.h"
45676 #include "qib_verbs.h"
45677diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
45678index cdc7df4..a2fdfdb 100644
45679--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
45680+++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c
45681@@ -156,7 +156,7 @@ static size_t ipoib_get_size(const struct net_device *dev)
45682 nla_total_size(2); /* IFLA_IPOIB_UMCAST */
45683 }
45684
45685-static struct rtnl_link_ops ipoib_link_ops __read_mostly = {
45686+static struct rtnl_link_ops ipoib_link_ops = {
45687 .kind = "ipoib",
45688 .maxtype = IFLA_IPOIB_MAX,
45689 .policy = ipoib_policy,
45690diff --git a/drivers/input/gameport/gameport.c b/drivers/input/gameport/gameport.c
45691index e853a21..56fc5a8 100644
45692--- a/drivers/input/gameport/gameport.c
45693+++ b/drivers/input/gameport/gameport.c
45694@@ -527,14 +527,14 @@ EXPORT_SYMBOL(gameport_set_phys);
45695 */
45696 static void gameport_init_port(struct gameport *gameport)
45697 {
45698- static atomic_t gameport_no = ATOMIC_INIT(-1);
45699+ static atomic_unchecked_t gameport_no = ATOMIC_INIT(-1);
45700
45701 __module_get(THIS_MODULE);
45702
45703 mutex_init(&gameport->drv_mutex);
45704 device_initialize(&gameport->dev);
45705 dev_set_name(&gameport->dev, "gameport%lu",
45706- (unsigned long)atomic_inc_return(&gameport_no));
45707+ (unsigned long)atomic_inc_return_unchecked(&gameport_no));
45708 gameport->dev.bus = &gameport_bus;
45709 gameport->dev.release = gameport_release_port;
45710 if (gameport->parent)
45711diff --git a/drivers/input/input.c b/drivers/input/input.c
45712index 78d2499..1f0318e 100644
45713--- a/drivers/input/input.c
45714+++ b/drivers/input/input.c
45715@@ -1775,7 +1775,7 @@ EXPORT_SYMBOL_GPL(input_class);
45716 */
45717 struct input_dev *input_allocate_device(void)
45718 {
45719- static atomic_t input_no = ATOMIC_INIT(-1);
45720+ static atomic_unchecked_t input_no = ATOMIC_INIT(-1);
45721 struct input_dev *dev;
45722
45723 dev = kzalloc(sizeof(struct input_dev), GFP_KERNEL);
45724@@ -1790,7 +1790,7 @@ struct input_dev *input_allocate_device(void)
45725 INIT_LIST_HEAD(&dev->node);
45726
45727 dev_set_name(&dev->dev, "input%lu",
45728- (unsigned long)atomic_inc_return(&input_no));
45729+ (unsigned long)atomic_inc_return_unchecked(&input_no));
45730
45731 __module_get(THIS_MODULE);
45732 }
45733diff --git a/drivers/input/joystick/sidewinder.c b/drivers/input/joystick/sidewinder.c
45734index 4a95b22..874c182 100644
45735--- a/drivers/input/joystick/sidewinder.c
45736+++ b/drivers/input/joystick/sidewinder.c
45737@@ -30,6 +30,7 @@
45738 #include <linux/kernel.h>
45739 #include <linux/module.h>
45740 #include <linux/slab.h>
45741+#include <linux/sched.h>
45742 #include <linux/input.h>
45743 #include <linux/gameport.h>
45744 #include <linux/jiffies.h>
45745diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
45746index f8850f9..9708a2d 100644
45747--- a/drivers/input/joystick/xpad.c
45748+++ b/drivers/input/joystick/xpad.c
45749@@ -959,7 +959,7 @@ static void xpad_led_set(struct led_classdev *led_cdev,
45750
45751 static int xpad_led_probe(struct usb_xpad *xpad)
45752 {
45753- static atomic_t led_seq = ATOMIC_INIT(-1);
45754+ static atomic_unchecked_t led_seq = ATOMIC_INIT(-1);
45755 struct xpad_led *led;
45756 struct led_classdev *led_cdev;
45757 int error;
45758@@ -971,7 +971,7 @@ static int xpad_led_probe(struct usb_xpad *xpad)
45759 if (!led)
45760 return -ENOMEM;
45761
45762- xpad->led_no = atomic_inc_return(&led_seq);
45763+ xpad->led_no = atomic_inc_return_unchecked(&led_seq);
45764
45765 snprintf(led->name, sizeof(led->name), "xpad%lu", xpad->led_no);
45766 led->xpad = xpad;
45767diff --git a/drivers/input/misc/ims-pcu.c b/drivers/input/misc/ims-pcu.c
45768index ac1fa5f..5f7502c 100644
45769--- a/drivers/input/misc/ims-pcu.c
45770+++ b/drivers/input/misc/ims-pcu.c
45771@@ -1851,7 +1851,7 @@ static int ims_pcu_identify_type(struct ims_pcu *pcu, u8 *device_id)
45772
45773 static int ims_pcu_init_application_mode(struct ims_pcu *pcu)
45774 {
45775- static atomic_t device_no = ATOMIC_INIT(-1);
45776+ static atomic_unchecked_t device_no = ATOMIC_INIT(-1);
45777
45778 const struct ims_pcu_device_info *info;
45779 int error;
45780@@ -1882,7 +1882,7 @@ static int ims_pcu_init_application_mode(struct ims_pcu *pcu)
45781 }
45782
45783 /* Device appears to be operable, complete initialization */
45784- pcu->device_no = atomic_inc_return(&device_no);
45785+ pcu->device_no = atomic_inc_return_unchecked(&device_no);
45786
45787 /*
45788 * PCU-B devices, both GEN_1 and GEN_2 do not have OFN sensor
45789diff --git a/drivers/input/mouse/psmouse.h b/drivers/input/mouse/psmouse.h
45790index ad5a5a1..5eac214 100644
45791--- a/drivers/input/mouse/psmouse.h
45792+++ b/drivers/input/mouse/psmouse.h
45793@@ -125,7 +125,7 @@ struct psmouse_attribute {
45794 ssize_t (*set)(struct psmouse *psmouse, void *data,
45795 const char *buf, size_t count);
45796 bool protect;
45797-};
45798+} __do_const;
45799 #define to_psmouse_attr(a) container_of((a), struct psmouse_attribute, dattr)
45800
45801 ssize_t psmouse_attr_show_helper(struct device *dev, struct device_attribute *attr,
45802diff --git a/drivers/input/mousedev.c b/drivers/input/mousedev.c
45803index b604564..3f14ae4 100644
45804--- a/drivers/input/mousedev.c
45805+++ b/drivers/input/mousedev.c
45806@@ -744,7 +744,7 @@ static ssize_t mousedev_read(struct file *file, char __user *buffer,
45807
45808 spin_unlock_irq(&client->packet_lock);
45809
45810- if (copy_to_user(buffer, data, count))
45811+ if (count > sizeof(data) || copy_to_user(buffer, data, count))
45812 return -EFAULT;
45813
45814 return count;
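Review bot: The added `count > sizeof(data)` test sits immediately before `copy_to_user()`, so it only stops an over-read of the stack buffer toward user space. If `data` is filled using the same `count` above the hunk (not visible here), an oversized count would already have written past the buffer by this point. Doing the bound check before the buffer is filled, e.g. `if (count > sizeof(data)) return -EINVAL;`, would cover both directions and avoid reporting a length error as `-EFAULT`. mousedev_read's body starts outside the hunk.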
45815diff --git a/drivers/input/serio/serio.c b/drivers/input/serio/serio.c
45816index a05a517..323a2fd 100644
45817--- a/drivers/input/serio/serio.c
45818+++ b/drivers/input/serio/serio.c
45819@@ -514,7 +514,7 @@ static void serio_release_port(struct device *dev)
45820 */
45821 static void serio_init_port(struct serio *serio)
45822 {
45823- static atomic_t serio_no = ATOMIC_INIT(-1);
45824+ static atomic_unchecked_t serio_no = ATOMIC_INIT(-1);
45825
45826 __module_get(THIS_MODULE);
45827
45828@@ -525,7 +525,7 @@ static void serio_init_port(struct serio *serio)
45829 mutex_init(&serio->drv_mutex);
45830 device_initialize(&serio->dev);
45831 dev_set_name(&serio->dev, "serio%lu",
45832- (unsigned long)atomic_inc_return(&serio_no));
45833+ (unsigned long)atomic_inc_return_unchecked(&serio_no));
45834 serio->dev.bus = &serio_bus;
45835 serio->dev.release = serio_release_port;
45836 serio->dev.groups = serio_device_attr_groups;
45837diff --git a/drivers/input/serio/serio_raw.c b/drivers/input/serio/serio_raw.c
45838index 71ef5d6..93380a9 100644
45839--- a/drivers/input/serio/serio_raw.c
45840+++ b/drivers/input/serio/serio_raw.c
45841@@ -292,7 +292,7 @@ static irqreturn_t serio_raw_interrupt(struct serio *serio, unsigned char data,
45842
45843 static int serio_raw_connect(struct serio *serio, struct serio_driver *drv)
45844 {
45845- static atomic_t serio_raw_no = ATOMIC_INIT(-1);
45846+ static atomic_unchecked_t serio_raw_no = ATOMIC_INIT(-1);
45847 struct serio_raw *serio_raw;
45848 int err;
45849
45850@@ -303,7 +303,7 @@ static int serio_raw_connect(struct serio *serio, struct serio_driver *drv)
45851 }
45852
45853 snprintf(serio_raw->name, sizeof(serio_raw->name),
45854- "serio_raw%ld", (long)atomic_inc_return(&serio_raw_no));
45855+ "serio_raw%ld", (long)atomic_inc_return_unchecked(&serio_raw_no));
45856 kref_init(&serio_raw->kref);
45857 INIT_LIST_HEAD(&serio_raw->client_list);
45858 init_waitqueue_head(&serio_raw->wait);
45859diff --git a/drivers/input/touchscreen/htcpen.c b/drivers/input/touchscreen/htcpen.c
45860index 92e2243..8fd9092 100644
45861--- a/drivers/input/touchscreen/htcpen.c
45862+++ b/drivers/input/touchscreen/htcpen.c
45863@@ -219,7 +219,7 @@ static struct isa_driver htcpen_isa_driver = {
45864 }
45865 };
45866
45867-static struct dmi_system_id htcshift_dmi_table[] __initdata = {
45868+static const struct dmi_system_id htcshift_dmi_table[] __initconst = {
45869 {
45870 .ident = "Shift",
45871 .matches = {
45872diff --git a/drivers/iommu/Kconfig b/drivers/iommu/Kconfig
45873index f1fb1d3..82257cc 100644
45874--- a/drivers/iommu/Kconfig
45875+++ b/drivers/iommu/Kconfig
45876@@ -102,6 +102,7 @@ config AMD_IOMMU_STATS
45877 bool "Export AMD IOMMU statistics to debugfs"
45878 depends on AMD_IOMMU
45879 select DEBUG_FS
45880+ depends on !GRKERNSEC_KMEM
45881 ---help---
45882 This option enables code in the AMD IOMMU driver to collect various
45883 statistics about whats happening in the driver and exports that
45884diff --git a/drivers/iommu/amd_iommu.c b/drivers/iommu/amd_iommu.c
45885index 658ee39..6fde5be 100644
45886--- a/drivers/iommu/amd_iommu.c
45887+++ b/drivers/iommu/amd_iommu.c
45888@@ -794,11 +794,21 @@ static void copy_cmd_to_buffer(struct amd_iommu *iommu,
45889
45890 static void build_completion_wait(struct iommu_cmd *cmd, u64 address)
45891 {
45892+ phys_addr_t physaddr;
45893 WARN_ON(address & 0x7ULL);
45894
45895 memset(cmd, 0, sizeof(*cmd));
45896- cmd->data[0] = lower_32_bits(__pa(address)) | CMD_COMPL_WAIT_STORE_MASK;
45897- cmd->data[1] = upper_32_bits(__pa(address));
45898+
45899+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
45900+ if (object_starts_on_stack((void *)address)) {
45901+ void *adjbuf = (void *)address - current->stack + current->lowmem_stack;
45902+ physaddr = __pa((u64)adjbuf);
45903+ } else
45904+#endif
45905+ physaddr = __pa(address);
45906+
45907+ cmd->data[0] = lower_32_bits(physaddr) | CMD_COMPL_WAIT_STORE_MASK;
45908+ cmd->data[1] = upper_32_bits(physaddr);
45909 cmd->data[2] = 1;
45910 CMD_SET_TYPE(cmd, CMD_COMPL_WAIT);
45911 }
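Review bot: The `} else` left dangling across `#endif` in build_completion_wait makes the plain `physaddr = __pa(address);` either an else-arm or a standalone statement depending on CONFIG_GRKERNSEC_KSTACKOVERFLOW, which is easy to break when a line is later added in between. Giving both arms braces and an explicit `#else` keeps the two configurations visibly separate. A short comment should also say why an on-stack address has to be rebased onto `current->lowmem_stack` before `__pa()` (presumably because the stack is not in the linear mapping under that option). The sketch below shows only the rewritten selection of `physaddr`.

```c
static void build_completion_wait(struct iommu_cmd *cmd, u64 address)
{
	phys_addr_t physaddr;
	/* … unchanged: alignment WARN_ON and memset … */

#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
	if (object_starts_on_stack((void *)address)) {
		/* stack address: rebase onto current->lowmem_stack before __pa() */
		void *adjbuf = (void *)address - current->stack + current->lowmem_stack;

		physaddr = __pa((u64)adjbuf);
	} else {
		physaddr = __pa(address);
	}
#else
	physaddr = __pa(address);
#endif
	/* … unchanged: cmd->data[] stores and CMD_SET_TYPE … */
```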
45912diff --git a/drivers/iommu/arm-smmu.c b/drivers/iommu/arm-smmu.c
45913index 4cd0c29..afd3cbe 100644
45914--- a/drivers/iommu/arm-smmu.c
45915+++ b/drivers/iommu/arm-smmu.c
45916@@ -330,7 +330,7 @@ enum arm_smmu_domain_stage {
45917
45918 struct arm_smmu_domain {
45919 struct arm_smmu_device *smmu;
45920- struct io_pgtable_ops *pgtbl_ops;
45921+ struct io_pgtable *pgtbl;
45922 spinlock_t pgtbl_lock;
45923 struct arm_smmu_cfg cfg;
45924 enum arm_smmu_domain_stage stage;
45925@@ -816,7 +816,7 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
45926 {
45927 int irq, start, ret = 0;
45928 unsigned long ias, oas;
45929- struct io_pgtable_ops *pgtbl_ops;
45930+ struct io_pgtable *pgtbl;
45931 struct io_pgtable_cfg pgtbl_cfg;
45932 enum io_pgtable_fmt fmt;
45933 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
45934@@ -901,14 +901,16 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
45935 };
45936
45937 smmu_domain->smmu = smmu;
45938- pgtbl_ops = alloc_io_pgtable_ops(fmt, &pgtbl_cfg, smmu_domain);
45939- if (!pgtbl_ops) {
45940+ pgtbl = alloc_io_pgtable(fmt, &pgtbl_cfg, smmu_domain);
45941+ if (!pgtbl) {
45942 ret = -ENOMEM;
45943 goto out_clear_smmu;
45944 }
45945
45946 /* Update our support page sizes to reflect the page table format */
45947- arm_smmu_ops.pgsize_bitmap = pgtbl_cfg.pgsize_bitmap;
45948+ pax_open_kernel();
45949+ *(unsigned long *)&arm_smmu_ops.pgsize_bitmap = pgtbl_cfg.pgsize_bitmap;
45950+ pax_close_kernel();
45951
45952 /* Initialise the context bank with our page table cfg */
45953 arm_smmu_init_context_bank(smmu_domain, &pgtbl_cfg);
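Review bot: The store through `*(unsigned long *)&arm_smmu_ops.pgsize_bitmap` between `pax_open_kernel()` and `pax_close_kernel()` casts away the qualifier on a global ops structure without a comment explaining why a write to otherwise read-only data is needed at this point. A line such as `/* arm_smmu_ops is write-protected; open a window for this one store */` would document the intent, assuming that is the reason for the cast. The store also updates a structure shared by every domain while, as far as the following hunk shows, only the per-domain `init_mutex` appears to be held, so it is worth confirming that concurrent domain initialisation cannot interleave here. The same pattern recurs in arm_smmu_device_cfg_probe (`&= size`). arm_smmu_init_domain_context starts and ends outside this hunk.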
45954@@ -929,7 +931,7 @@ static int arm_smmu_init_domain_context(struct iommu_domain *domain,
45955 mutex_unlock(&smmu_domain->init_mutex);
45956
45957 /* Publish page table ops for map/unmap */
45958- smmu_domain->pgtbl_ops = pgtbl_ops;
45959+ smmu_domain->pgtbl = pgtbl;
45960 return 0;
45961
45962 out_clear_smmu:
45963@@ -962,8 +964,7 @@ static void arm_smmu_destroy_domain_context(struct iommu_domain *domain)
45964 free_irq(irq, domain);
45965 }
45966
45967- if (smmu_domain->pgtbl_ops)
45968- free_io_pgtable_ops(smmu_domain->pgtbl_ops);
45969+ free_io_pgtable(smmu_domain->pgtbl);
45970
45971 __arm_smmu_free_bitmap(smmu->context_map, cfg->cbndx);
45972 }
45973@@ -1189,13 +1190,13 @@ static int arm_smmu_map(struct iommu_domain *domain, unsigned long iova,
45974 int ret;
45975 unsigned long flags;
45976 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
45977- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
45978+ struct io_pgtable *iop = smmu_domain->pgtbl;
45979
45980- if (!ops)
45981+ if (!iop)
45982 return -ENODEV;
45983
45984 spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
45985- ret = ops->map(ops, iova, paddr, size, prot);
45986+ ret = iop->ops->map(iop, iova, paddr, size, prot);
45987 spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
45988 return ret;
45989 }
45990@@ -1206,13 +1207,13 @@ static size_t arm_smmu_unmap(struct iommu_domain *domain, unsigned long iova,
45991 size_t ret;
45992 unsigned long flags;
45993 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
45994- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
45995+ struct io_pgtable *iop = smmu_domain->pgtbl;
45996
45997- if (!ops)
45998+ if (!iop)
45999 return 0;
46000
46001 spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
46002- ret = ops->unmap(ops, iova, size);
46003+ ret = iop->ops->unmap(iop, iova, size);
46004 spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
46005 return ret;
46006 }
46007@@ -1223,7 +1224,7 @@ static phys_addr_t arm_smmu_iova_to_phys_hard(struct iommu_domain *domain,
46008 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
46009 struct arm_smmu_device *smmu = smmu_domain->smmu;
46010 struct arm_smmu_cfg *cfg = &smmu_domain->cfg;
46011- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
46012+ struct io_pgtable *iop = smmu_domain->pgtbl;
46013 struct device *dev = smmu->dev;
46014 void __iomem *cb_base;
46015 u32 tmp;
46016@@ -1246,7 +1247,7 @@ static phys_addr_t arm_smmu_iova_to_phys_hard(struct iommu_domain *domain,
46017 dev_err(dev,
46018 "iova to phys timed out on 0x%pad. Falling back to software table walk.\n",
46019 &iova);
46020- return ops->iova_to_phys(ops, iova);
46021+ return iop->ops->iova_to_phys(iop, iova);
46022 }
46023
46024 phys = readl_relaxed(cb_base + ARM_SMMU_CB_PAR_LO);
46025@@ -1267,9 +1268,9 @@ static phys_addr_t arm_smmu_iova_to_phys(struct iommu_domain *domain,
46026 phys_addr_t ret;
46027 unsigned long flags;
46028 struct arm_smmu_domain *smmu_domain = to_smmu_domain(domain);
46029- struct io_pgtable_ops *ops= smmu_domain->pgtbl_ops;
46030+ struct io_pgtable *iop = smmu_domain->pgtbl;
46031
46032- if (!ops)
46033+ if (!iop)
46034 return 0;
46035
46036 spin_lock_irqsave(&smmu_domain->pgtbl_lock, flags);
46037@@ -1277,7 +1278,7 @@ static phys_addr_t arm_smmu_iova_to_phys(struct iommu_domain *domain,
46038 smmu_domain->stage == ARM_SMMU_DOMAIN_S1) {
46039 ret = arm_smmu_iova_to_phys_hard(domain, iova);
46040 } else {
46041- ret = ops->iova_to_phys(ops, iova);
46042+ ret = iop->ops->iova_to_phys(iop, iova);
46043 }
46044
46045 spin_unlock_irqrestore(&smmu_domain->pgtbl_lock, flags);
46046@@ -1667,7 +1668,9 @@ static int arm_smmu_device_cfg_probe(struct arm_smmu_device *smmu)
46047 size |= SZ_64K | SZ_512M;
46048 }
46049
46050- arm_smmu_ops.pgsize_bitmap &= size;
46051+ pax_open_kernel();
46052+ *(unsigned long *)&arm_smmu_ops.pgsize_bitmap &= size;
46053+ pax_close_kernel();
46054 dev_notice(smmu->dev, "\tSupported page sizes: 0x%08lx\n", size);
46055
46056 if (smmu->features & ARM_SMMU_FEAT_TRANS_S1)
46057diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
46058index e29d5d7..e5eeb3e 100644
46059--- a/drivers/iommu/io-pgtable-arm.c
46060+++ b/drivers/iommu/io-pgtable-arm.c
46061@@ -36,12 +36,6 @@
46062 #define io_pgtable_to_data(x) \
46063 container_of((x), struct arm_lpae_io_pgtable, iop)
46064
46065-#define io_pgtable_ops_to_pgtable(x) \
46066- container_of((x), struct io_pgtable, ops)
46067-
46068-#define io_pgtable_ops_to_data(x) \
46069- io_pgtable_to_data(io_pgtable_ops_to_pgtable(x))
46070-
46071 /*
46072 * For consistency with the architecture, we always consider
46073 * ARM_LPAE_MAX_LEVELS levels, with the walk starting at level n >=0
46074@@ -319,10 +313,10 @@ static arm_lpae_iopte arm_lpae_prot_to_pte(struct arm_lpae_io_pgtable *data,
46075 return pte;
46076 }
46077
46078-static int arm_lpae_map(struct io_pgtable_ops *ops, unsigned long iova,
46079+static int arm_lpae_map(struct io_pgtable *iop, unsigned long iova,
46080 phys_addr_t paddr, size_t size, int iommu_prot)
46081 {
46082- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
46083+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
46084 arm_lpae_iopte *ptep = data->pgd;
46085 int lvl = ARM_LPAE_START_LVL(data);
46086 arm_lpae_iopte prot;
46087@@ -462,12 +456,11 @@ static int __arm_lpae_unmap(struct arm_lpae_io_pgtable *data,
46088 return __arm_lpae_unmap(data, iova, size, lvl + 1, ptep);
46089 }
46090
46091-static int arm_lpae_unmap(struct io_pgtable_ops *ops, unsigned long iova,
46092+static int arm_lpae_unmap(struct io_pgtable *iop, unsigned long iova,
46093 size_t size)
46094 {
46095 size_t unmapped;
46096- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
46097- struct io_pgtable *iop = &data->iop;
46098+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
46099 arm_lpae_iopte *ptep = data->pgd;
46100 int lvl = ARM_LPAE_START_LVL(data);
46101
46102@@ -478,10 +471,10 @@ static int arm_lpae_unmap(struct io_pgtable_ops *ops, unsigned long iova,
46103 return unmapped;
46104 }
46105
46106-static phys_addr_t arm_lpae_iova_to_phys(struct io_pgtable_ops *ops,
46107+static phys_addr_t arm_lpae_iova_to_phys(struct io_pgtable *iop,
46108 unsigned long iova)
46109 {
46110- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
46111+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
46112 arm_lpae_iopte pte, *ptep = data->pgd;
46113 int lvl = ARM_LPAE_START_LVL(data);
46114
46115@@ -548,6 +541,12 @@ static void arm_lpae_restrict_pgsizes(struct io_pgtable_cfg *cfg)
46116 }
46117 }
46118
46119+static struct io_pgtable_ops arm_lpae_io_pgtable_ops = {
46120+ .map = arm_lpae_map,
46121+ .unmap = arm_lpae_unmap,
46122+ .iova_to_phys = arm_lpae_iova_to_phys,
46123+};
46124+
46125 static struct arm_lpae_io_pgtable *
46126 arm_lpae_alloc_pgtable(struct io_pgtable_cfg *cfg)
46127 {
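Review bot: `arm_lpae_io_pgtable_ops` is declared without `const` even though `struct io_pgtable` now stores it as `const struct io_pgtable_ops *ops`, so the table of function pointers stays in writable data unless something else (for example a constification plugin) moves it. Declaring it `static const struct io_pgtable_ops arm_lpae_io_pgtable_ops = {` states the intent in the source and lets the compiler reject accidental writes.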
46128@@ -579,11 +578,7 @@ arm_lpae_alloc_pgtable(struct io_pgtable_cfg *cfg)
46129 pgd_bits = va_bits - (data->bits_per_level * (data->levels - 1));
46130 data->pgd_size = 1UL << (pgd_bits + ilog2(sizeof(arm_lpae_iopte)));
46131
46132- data->iop.ops = (struct io_pgtable_ops) {
46133- .map = arm_lpae_map,
46134- .unmap = arm_lpae_unmap,
46135- .iova_to_phys = arm_lpae_iova_to_phys,
46136- };
46137+ data->iop.ops = &arm_lpae_io_pgtable_ops;
46138
46139 return data;
46140 }
46141@@ -845,9 +840,9 @@ static struct iommu_gather_ops dummy_tlb_ops __initdata = {
46142 .flush_pgtable = dummy_flush_pgtable,
46143 };
46144
46145-static void __init arm_lpae_dump_ops(struct io_pgtable_ops *ops)
46146+static void __init arm_lpae_dump_ops(struct io_pgtable *iop)
46147 {
46148- struct arm_lpae_io_pgtable *data = io_pgtable_ops_to_data(ops);
46149+ struct arm_lpae_io_pgtable *data = io_pgtable_to_data(iop);
46150 struct io_pgtable_cfg *cfg = &data->iop.cfg;
46151
46152 pr_err("cfg: pgsize_bitmap 0x%lx, ias %u-bit\n",
46153@@ -857,9 +852,9 @@ static void __init arm_lpae_dump_ops(struct io_pgtable_ops *ops)
46154 data->bits_per_level, data->pgd);
46155 }
46156
46157-#define __FAIL(ops, i) ({ \
46158+#define __FAIL(iop, i) ({ \
46159 WARN(1, "selftest: test failed for fmt idx %d\n", (i)); \
46160- arm_lpae_dump_ops(ops); \
46161+ arm_lpae_dump_ops(iop); \
46162 selftest_running = false; \
46163 -EFAULT; \
46164 })
46165@@ -874,30 +869,32 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
46166 int i, j;
46167 unsigned long iova;
46168 size_t size;
46169- struct io_pgtable_ops *ops;
46170+ struct io_pgtable *iop;
46171+ const struct io_pgtable_ops *ops;
46172
46173 selftest_running = true;
46174
46175 for (i = 0; i < ARRAY_SIZE(fmts); ++i) {
46176 cfg_cookie = cfg;
46177- ops = alloc_io_pgtable_ops(fmts[i], cfg, cfg);
46178- if (!ops) {
46179+ iop = alloc_io_pgtable(fmts[i], cfg, cfg);
46180+ if (!iop) {
46181 pr_err("selftest: failed to allocate io pgtable ops\n");
46182 return -ENOMEM;
46183 }
46184+ ops = iop->ops;
46185
46186 /*
46187 * Initial sanity checks.
46188 * Empty page tables shouldn't provide any translations.
46189 */
46190- if (ops->iova_to_phys(ops, 42))
46191- return __FAIL(ops, i);
46192+ if (ops->iova_to_phys(iop, 42))
46193+ return __FAIL(iop, i);
46194
46195- if (ops->iova_to_phys(ops, SZ_1G + 42))
46196- return __FAIL(ops, i);
46197+ if (ops->iova_to_phys(iop, SZ_1G + 42))
46198+ return __FAIL(iop, i);
46199
46200- if (ops->iova_to_phys(ops, SZ_2G + 42))
46201- return __FAIL(ops, i);
46202+ if (ops->iova_to_phys(iop, SZ_2G + 42))
46203+ return __FAIL(iop, i);
46204
46205 /*
46206 * Distinct mappings of different granule sizes.
46207@@ -907,19 +904,19 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
46208 while (j != BITS_PER_LONG) {
46209 size = 1UL << j;
46210
46211- if (ops->map(ops, iova, iova, size, IOMMU_READ |
46212+ if (ops->map(iop, iova, iova, size, IOMMU_READ |
46213 IOMMU_WRITE |
46214 IOMMU_NOEXEC |
46215 IOMMU_CACHE))
46216- return __FAIL(ops, i);
46217+ return __FAIL(iop, i);
46218
46219 /* Overlapping mappings */
46220- if (!ops->map(ops, iova, iova + size, size,
46221+ if (!ops->map(iop, iova, iova + size, size,
46222 IOMMU_READ | IOMMU_NOEXEC))
46223- return __FAIL(ops, i);
46224+ return __FAIL(iop, i);
46225
46226- if (ops->iova_to_phys(ops, iova + 42) != (iova + 42))
46227- return __FAIL(ops, i);
46228+ if (ops->iova_to_phys(iop, iova + 42) != (iova + 42))
46229+ return __FAIL(iop, i);
46230
46231 iova += SZ_1G;
46232 j++;
46233@@ -928,15 +925,15 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
46234
46235 /* Partial unmap */
46236 size = 1UL << __ffs(cfg->pgsize_bitmap);
46237- if (ops->unmap(ops, SZ_1G + size, size) != size)
46238- return __FAIL(ops, i);
46239+ if (ops->unmap(iop, SZ_1G + size, size) != size)
46240+ return __FAIL(iop, i);
46241
46242 /* Remap of partial unmap */
46243- if (ops->map(ops, SZ_1G + size, size, size, IOMMU_READ))
46244- return __FAIL(ops, i);
46245+ if (ops->map(iop, SZ_1G + size, size, size, IOMMU_READ))
46246+ return __FAIL(iop, i);
46247
46248- if (ops->iova_to_phys(ops, SZ_1G + size + 42) != (size + 42))
46249- return __FAIL(ops, i);
46250+ if (ops->iova_to_phys(iop, SZ_1G + size + 42) != (size + 42))
46251+ return __FAIL(iop, i);
46252
46253 /* Full unmap */
46254 iova = 0;
46255@@ -944,25 +941,25 @@ static int __init arm_lpae_run_tests(struct io_pgtable_cfg *cfg)
46256 while (j != BITS_PER_LONG) {
46257 size = 1UL << j;
46258
46259- if (ops->unmap(ops, iova, size) != size)
46260- return __FAIL(ops, i);
46261+ if (ops->unmap(iop, iova, size) != size)
46262+ return __FAIL(iop, i);
46263
46264- if (ops->iova_to_phys(ops, iova + 42))
46265- return __FAIL(ops, i);
46266+ if (ops->iova_to_phys(iop, iova + 42))
46267+ return __FAIL(iop, i);
46268
46269 /* Remap full block */
46270- if (ops->map(ops, iova, iova, size, IOMMU_WRITE))
46271- return __FAIL(ops, i);
46272+ if (ops->map(iop, iova, iova, size, IOMMU_WRITE))
46273+ return __FAIL(iop, i);
46274
46275- if (ops->iova_to_phys(ops, iova + 42) != (iova + 42))
46276- return __FAIL(ops, i);
46277+ if (ops->iova_to_phys(iop, iova + 42) != (iova + 42))
46278+ return __FAIL(iop, i);
46279
46280 iova += SZ_1G;
46281 j++;
46282 j = find_next_bit(&cfg->pgsize_bitmap, BITS_PER_LONG, j);
46283 }
46284
46285- free_io_pgtable_ops(ops);
46286+ free_io_pgtable(iop);
46287 }
46288
46289 selftest_running = false;
46290diff --git a/drivers/iommu/io-pgtable.c b/drivers/iommu/io-pgtable.c
46291index 6436fe2..088c965 100644
46292--- a/drivers/iommu/io-pgtable.c
46293+++ b/drivers/iommu/io-pgtable.c
46294@@ -40,7 +40,7 @@ io_pgtable_init_table[IO_PGTABLE_NUM_FMTS] =
46295 #endif
46296 };
46297
46298-struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
46299+struct io_pgtable *alloc_io_pgtable(enum io_pgtable_fmt fmt,
46300 struct io_pgtable_cfg *cfg,
46301 void *cookie)
46302 {
46303@@ -62,21 +62,18 @@ struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
46304 iop->cookie = cookie;
46305 iop->cfg = *cfg;
46306
46307- return &iop->ops;
46308+ return iop;
46309 }
46310
46311 /*
46312 * It is the IOMMU driver's responsibility to ensure that the page table
46313 * is no longer accessible to the walker by this point.
46314 */
46315-void free_io_pgtable_ops(struct io_pgtable_ops *ops)
46316+void free_io_pgtable(struct io_pgtable *iop)
46317 {
46318- struct io_pgtable *iop;
46319-
46320- if (!ops)
46321+ if (!iop)
46322 return;
46323
46324- iop = container_of(ops, struct io_pgtable, ops);
46325 iop->cfg.tlb->tlb_flush_all(iop->cookie);
46326 io_pgtable_init_table[iop->fmt]->free(iop);
46327 }
46328diff --git a/drivers/iommu/io-pgtable.h b/drivers/iommu/io-pgtable.h
46329index 10e32f6..0b276c8 100644
46330--- a/drivers/iommu/io-pgtable.h
46331+++ b/drivers/iommu/io-pgtable.h
46332@@ -75,17 +75,18 @@ struct io_pgtable_cfg {
46333 * These functions map directly onto the iommu_ops member functions with
46334 * the same names.
46335 */
46336+struct io_pgtable;
46337 struct io_pgtable_ops {
46338- int (*map)(struct io_pgtable_ops *ops, unsigned long iova,
46339+ int (*map)(struct io_pgtable *iop, unsigned long iova,
46340 phys_addr_t paddr, size_t size, int prot);
46341- int (*unmap)(struct io_pgtable_ops *ops, unsigned long iova,
46342+ int (*unmap)(struct io_pgtable *iop, unsigned long iova,
46343 size_t size);
46344- phys_addr_t (*iova_to_phys)(struct io_pgtable_ops *ops,
46345+ phys_addr_t (*iova_to_phys)(struct io_pgtable *iop,
46346 unsigned long iova);
46347 };
46348
46349 /**
46350- * alloc_io_pgtable_ops() - Allocate a page table allocator for use by an IOMMU.
46351+ * alloc_io_pgtable() - Allocate a page table allocator for use by an IOMMU.
46352 *
46353 * @fmt: The page table format.
46354 * @cfg: The page table configuration. This will be modified to represent
46355@@ -94,9 +95,9 @@ struct io_pgtable_ops {
46356 * @cookie: An opaque token provided by the IOMMU driver and passed back to
46357 * the callback routines in cfg->tlb.
46358 */
46359-struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
46360- struct io_pgtable_cfg *cfg,
46361- void *cookie);
46362+struct io_pgtable *alloc_io_pgtable(enum io_pgtable_fmt fmt,
46363+ struct io_pgtable_cfg *cfg,
46364+ void *cookie);
46365
46366 /**
46367 * free_io_pgtable_ops() - Free an io_pgtable_ops structure. The caller
46368@@ -105,7 +106,7 @@ struct io_pgtable_ops *alloc_io_pgtable_ops(enum io_pgtable_fmt fmt,
46369 *
46370 * @ops: The ops returned from alloc_io_pgtable_ops.
46371 */
46372-void free_io_pgtable_ops(struct io_pgtable_ops *ops);
46373+void free_io_pgtable(struct io_pgtable *iop);
46374
46375
46376 /*
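Review bot: The kernel-doc above the renamed prototype still describes `free_io_pgtable_ops()` and an `@ops` parameter "returned from alloc_io_pgtable_ops", neither of which exists after this change. It should read `* free_io_pgtable() - Free an io_pgtable structure.` with `* @iop: The io_pgtable returned from alloc_io_pgtable.`; the comment's opening lines are in the trailing context of the previous hunk.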
46377@@ -125,7 +126,7 @@ struct io_pgtable {
46378 enum io_pgtable_fmt fmt;
46379 void *cookie;
46380 struct io_pgtable_cfg cfg;
46381- struct io_pgtable_ops ops;
46382+ const struct io_pgtable_ops *ops;
46383 };
46384
46385 /**
46386diff --git a/drivers/iommu/iommu.c b/drivers/iommu/iommu.c
46387index f286090..bac3e7e 100644
46388--- a/drivers/iommu/iommu.c
46389+++ b/drivers/iommu/iommu.c
46390@@ -934,7 +934,7 @@ static int iommu_bus_notifier(struct notifier_block *nb,
46391 static int iommu_bus_init(struct bus_type *bus, const struct iommu_ops *ops)
46392 {
46393 int err;
46394- struct notifier_block *nb;
46395+ notifier_block_no_const *nb;
46396 struct iommu_callback_data cb = {
46397 .ops = ops,
46398 };
46399diff --git a/drivers/iommu/ipmmu-vmsa.c b/drivers/iommu/ipmmu-vmsa.c
46400index 1a67c53..23181d8 100644
46401--- a/drivers/iommu/ipmmu-vmsa.c
46402+++ b/drivers/iommu/ipmmu-vmsa.c
46403@@ -41,7 +41,7 @@ struct ipmmu_vmsa_domain {
46404 struct iommu_domain io_domain;
46405
46406 struct io_pgtable_cfg cfg;
46407- struct io_pgtable_ops *iop;
46408+ struct io_pgtable *iop;
46409
46410 unsigned int context_id;
46411 spinlock_t lock; /* Protects mappings */
46412@@ -328,8 +328,7 @@ static int ipmmu_domain_init_context(struct ipmmu_vmsa_domain *domain)
46413 domain->cfg.oas = 40;
46414 domain->cfg.tlb = &ipmmu_gather_ops;
46415
46416- domain->iop = alloc_io_pgtable_ops(ARM_32_LPAE_S1, &domain->cfg,
46417- domain);
46418+ domain->iop = alloc_io_pgtable(ARM_32_LPAE_S1, &domain->cfg, domain);
46419 if (!domain->iop)
46420 return -EINVAL;
46421
46422@@ -487,7 +486,7 @@ static void ipmmu_domain_free(struct iommu_domain *io_domain)
46423 * been detached.
46424 */
46425 ipmmu_domain_destroy_context(domain);
46426- free_io_pgtable_ops(domain->iop);
46427+ free_io_pgtable(domain->iop);
46428 kfree(domain);
46429 }
46430
46431@@ -556,7 +555,7 @@ static int ipmmu_map(struct iommu_domain *io_domain, unsigned long iova,
46432 if (!domain)
46433 return -ENODEV;
46434
46435- return domain->iop->map(domain->iop, iova, paddr, size, prot);
46436+ return domain->iop->ops->map(domain->iop, iova, paddr, size, prot);
46437 }
46438
46439 static size_t ipmmu_unmap(struct iommu_domain *io_domain, unsigned long iova,
46440@@ -564,7 +563,7 @@ static size_t ipmmu_unmap(struct iommu_domain *io_domain, unsigned long iova,
46441 {
46442 struct ipmmu_vmsa_domain *domain = to_vmsa_domain(io_domain);
46443
46444- return domain->iop->unmap(domain->iop, iova, size);
46445+ return domain->iop->ops->unmap(domain->iop, iova, size);
46446 }
46447
46448 static phys_addr_t ipmmu_iova_to_phys(struct iommu_domain *io_domain,
46449@@ -574,7 +573,7 @@ static phys_addr_t ipmmu_iova_to_phys(struct iommu_domain *io_domain,
46450
46451 /* TODO: Is locking needed ? */
46452
46453- return domain->iop->iova_to_phys(domain->iop, iova);
46454+ return domain->iop->ops->iova_to_phys(domain->iop, iova);
46455 }
46456
46457 static int ipmmu_find_utlbs(struct ipmmu_vmsa_device *mmu, struct device *dev,
46458diff --git a/drivers/iommu/irq_remapping.c b/drivers/iommu/irq_remapping.c
46459index 2d99930..b8b358c 100644
46460--- a/drivers/iommu/irq_remapping.c
46461+++ b/drivers/iommu/irq_remapping.c
46462@@ -149,7 +149,7 @@ int __init irq_remap_enable_fault_handling(void)
46463 void panic_if_irq_remap(const char *msg)
46464 {
46465 if (irq_remapping_enabled)
46466- panic(msg);
46467+ panic("%s", msg);
46468 }
46469
46470 void ir_ack_apic_edge(struct irq_data *data)
46471diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c
46472index f3d20a2..5dcb85e 100644
46473--- a/drivers/iommu/omap-iommu-debug.c
46474+++ b/drivers/iommu/omap-iommu-debug.c
46475@@ -55,34 +55,22 @@ static ssize_t debug_read_regs(struct file *file, char __user *userbuf,
46476 return bytes;
46477 }
46478
46479-static ssize_t debug_read_tlb(struct file *file, char __user *userbuf,
46480- size_t count, loff_t *ppos)
46481+static int debug_read_tlb(struct seq_file *s, void *data)
46482 {
46483- struct omap_iommu *obj = file->private_data;
46484- char *p, *buf;
46485- ssize_t bytes, rest;
46486+ struct omap_iommu *obj = s->private;
46487
46488 if (is_omap_iommu_detached(obj))
46489 return -EPERM;
46490
46491- buf = kmalloc(count, GFP_KERNEL);
46492- if (!buf)
46493- return -ENOMEM;
46494- p = buf;
46495-
46496 mutex_lock(&iommu_debug_lock);
46497
46498- p += sprintf(p, "%8s %8s\n", "cam:", "ram:");
46499- p += sprintf(p, "-----------------------------------------\n");
46500- rest = count - (p - buf);
46501- p += omap_dump_tlb_entries(obj, p, rest);
46502-
46503- bytes = simple_read_from_buffer(userbuf, count, ppos, buf, p - buf);
46504+ seq_printf(s, "%8s %8s\n", "cam:", "ram:");
46505+ seq_puts(s, "-----------------------------------------\n");
46506+ omap_dump_tlb_entries(obj, s);
46507
46508 mutex_unlock(&iommu_debug_lock);
46509- kfree(buf);
46510
46511- return bytes;
46512+ return 0;
46513 }
46514
46515 static void dump_ioptable(struct seq_file *s)
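Review bot: The new `debug_read_tlb()` drops the result of `omap_dump_tlb_entries(obj, s);`, so a failure inside it cannot reach the reader of the debugfs file. That function allocates with `kcalloc` and has an `if (!cr)` branch in omap-iommu.c; its return statement lies outside the visible hunks, so the exact error value is an assumption. Since it now ends in `return 0;`, I would declare it `int` instead of `size_t`, capture it with `ret = omap_dump_tlb_entries(obj, s);` before `mutex_unlock()`, and finish with `return ret;`.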
46516@@ -157,7 +145,7 @@ static int debug_read_pagetable(struct seq_file *s, void *data)
46517 };
46518
46519 DEBUG_FOPS_RO(regs);
46520-DEBUG_FOPS_RO(tlb);
46521+DEBUG_SEQ_FOPS_RO(tlb);
46522 DEBUG_SEQ_FOPS_RO(pagetable);
46523
46524 #define __DEBUG_ADD_FILE(attr, mode) \
46525diff --git a/drivers/iommu/omap-iommu.c b/drivers/iommu/omap-iommu.c
46526index a22c33d..2247075e2 100644
46527--- a/drivers/iommu/omap-iommu.c
46528+++ b/drivers/iommu/omap-iommu.c
46529@@ -546,36 +546,30 @@ __dump_tlb_entries(struct omap_iommu *obj, struct cr_regs *crs, int num)
46530 }
46531
46532 /**
46533- * iotlb_dump_cr - Dump an iommu tlb entry into buf
46534+ * iotlb_dump_cr - Dump an iommu tlb entry into seq_file
46535 * @obj: target iommu
46536 * @cr: contents of cam and ram register
46537- * @buf: output buffer
46538+ * @s: output seq_file
46539 **/
46540 static ssize_t iotlb_dump_cr(struct omap_iommu *obj, struct cr_regs *cr,
46541- char *buf)
46542+ struct seq_file *s)
46543 {
46544- char *p = buf;
46545-
46546 /* FIXME: Need more detail analysis of cam/ram */
46547- p += sprintf(p, "%08x %08x %01x\n", cr->cam, cr->ram,
46548- (cr->cam & MMU_CAM_P) ? 1 : 0);
46549-
46550- return p - buf;
46551+ return seq_printf(s, "%08x %08x %01x\n", cr->cam, cr->ram,
46552+ (cr->cam & MMU_CAM_P) ? 1 : 0);
46553 }
46554
46555 /**
46556- * omap_dump_tlb_entries - dump cr arrays to given buffer
46557+ * omap_dump_tlb_entries - dump cr arrays to given seq_file
46558 * @obj: target iommu
46559- * @buf: output buffer
46560+ * @s: output seq_file
46561 **/
46562-size_t omap_dump_tlb_entries(struct omap_iommu *obj, char *buf, ssize_t bytes)
46563+size_t omap_dump_tlb_entries(struct omap_iommu *obj, struct seq_file *s)
46564 {
46565 int i, num;
46566 struct cr_regs *cr;
46567- char *p = buf;
46568
46569- num = bytes / sizeof(*cr);
46570- num = min(obj->nr_tlb_entries, num);
46571+ num = obj->nr_tlb_entries;
46572
46573 cr = kcalloc(num, sizeof(*cr), GFP_KERNEL);
46574 if (!cr)
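Review bot: `iotlb_dump_cr()` keeps its `ssize_t` return type and forwards the `seq_printf()` result, yet the only caller visible in this file section, `iotlb_dump_cr(obj, cr + i, s);` in the next hunk, ignores it. Making it `static void iotlb_dump_cr(struct omap_iommu *obj, struct cr_regs *cr, struct seq_file *s)` with a plain `seq_printf(...)` statement would state the contract honestly now that no byte count is accumulated. The body of `omap_dump_tlb_entries()` continues past the end of this hunk.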
46575@@ -583,10 +577,10 @@ size_t omap_dump_tlb_entries(struct omap_iommu *obj, char *buf, ssize_t bytes)
46576
46577 num = __dump_tlb_entries(obj, cr, num);
46578 for (i = 0; i < num; i++)
46579- p += iotlb_dump_cr(obj, cr + i, p);
46580+ iotlb_dump_cr(obj, cr + i, s);
46581 kfree(cr);
46582
46583- return p - buf;
46584+ return 0;
46585 }
46586
46587 #endif /* CONFIG_OMAP_IOMMU_DEBUG */
46588diff --git a/drivers/iommu/omap-iommu.h b/drivers/iommu/omap-iommu.h
46589index d736630..5df9755 100644
46590--- a/drivers/iommu/omap-iommu.h
46591+++ b/drivers/iommu/omap-iommu.h
46592@@ -193,8 +193,7 @@ static inline struct omap_iommu *dev_to_omap_iommu(struct device *dev)
46593 #ifdef CONFIG_OMAP_IOMMU_DEBUG
46594 extern ssize_t
46595 omap_iommu_dump_ctx(struct omap_iommu *obj, char *buf, ssize_t len);
46596-extern size_t
46597-omap_dump_tlb_entries(struct omap_iommu *obj, char *buf, ssize_t len);
46598+extern size_t omap_dump_tlb_entries(struct omap_iommu *obj, struct seq_file *s);
46599
46600 void omap_iommu_debugfs_init(void);
46601 void omap_iommu_debugfs_exit(void);
46602diff --git a/drivers/irqchip/irq-gic.c b/drivers/irqchip/irq-gic.c
46603index 4dd8826..1f33400 100644
46604--- a/drivers/irqchip/irq-gic.c
46605+++ b/drivers/irqchip/irq-gic.c
46606@@ -313,7 +313,7 @@ static void gic_handle_cascade_irq(unsigned int irq, struct irq_desc *desc)
46607 chained_irq_exit(chip, desc);
46608 }
46609
46610-static struct irq_chip gic_chip = {
46611+static irq_chip_no_const gic_chip __read_only = {
46612 .name = "GIC",
46613 .irq_mask = gic_mask_irq,
46614 .irq_unmask = gic_unmask_irq,
46615diff --git a/drivers/irqchip/irq-renesas-intc-irqpin.c b/drivers/irqchip/irq-renesas-intc-irqpin.c
46616index 0670ab4..1094651 100644
46617--- a/drivers/irqchip/irq-renesas-intc-irqpin.c
46618+++ b/drivers/irqchip/irq-renesas-intc-irqpin.c
46619@@ -373,7 +373,7 @@ static int intc_irqpin_probe(struct platform_device *pdev)
46620 struct intc_irqpin_iomem *i;
46621 struct resource *io[INTC_IRQPIN_REG_NR];
46622 struct resource *irq;
46623- struct irq_chip *irq_chip;
46624+ irq_chip_no_const *irq_chip;
46625 void (*enable_fn)(struct irq_data *d);
46626 void (*disable_fn)(struct irq_data *d);
46627 const char *name = dev_name(dev);
46628diff --git a/drivers/irqchip/irq-renesas-irqc.c b/drivers/irqchip/irq-renesas-irqc.c
46629index 778bd07..0397152 100644
46630--- a/drivers/irqchip/irq-renesas-irqc.c
46631+++ b/drivers/irqchip/irq-renesas-irqc.c
46632@@ -176,7 +176,7 @@ static int irqc_probe(struct platform_device *pdev)
46633 struct irqc_priv *p;
46634 struct resource *io;
46635 struct resource *irq;
46636- struct irq_chip *irq_chip;
46637+ irq_chip_no_const *irq_chip;
46638 const char *name = dev_name(&pdev->dev);
46639 int ret;
46640 int k;
46641diff --git a/drivers/isdn/capi/capi.c b/drivers/isdn/capi/capi.c
46642index 6a2df32..dc962f1 100644
46643--- a/drivers/isdn/capi/capi.c
46644+++ b/drivers/isdn/capi/capi.c
46645@@ -81,8 +81,8 @@ struct capiminor {
46646
46647 struct capi20_appl *ap;
46648 u32 ncci;
46649- atomic_t datahandle;
46650- atomic_t msgid;
46651+ atomic_unchecked_t datahandle;
46652+ atomic_unchecked_t msgid;
46653
46654 struct tty_port port;
46655 int ttyinstop;
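Review bot: The switch of `datahandle` and `msgid` to `atomic_unchecked_t` carries no comment saying why these counters are exempt from overflow checking. The later hunks feed `msgid` to `capimsg_setu16()`, so wrapping looks intended, but a reader has to infer that. A one-line comment above the fields would record it, e.g. `/* wrapping sequence counters, not reference counts */`. The same applies to `error_count` in `struct mirror` in drivers/md/dm-raid1.c, where a comment such as `/* error tally, not a reference count */` would help.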
46656@@ -391,7 +391,7 @@ gen_data_b3_resp_for(struct capiminor *mp, struct sk_buff *skb)
46657 capimsg_setu16(s, 2, mp->ap->applid);
46658 capimsg_setu8 (s, 4, CAPI_DATA_B3);
46659 capimsg_setu8 (s, 5, CAPI_RESP);
46660- capimsg_setu16(s, 6, atomic_inc_return(&mp->msgid));
46661+ capimsg_setu16(s, 6, atomic_inc_return_unchecked(&mp->msgid));
46662 capimsg_setu32(s, 8, mp->ncci);
46663 capimsg_setu16(s, 12, datahandle);
46664 }
46665@@ -512,14 +512,14 @@ static void handle_minor_send(struct capiminor *mp)
46666 mp->outbytes -= len;
46667 spin_unlock_bh(&mp->outlock);
46668
46669- datahandle = atomic_inc_return(&mp->datahandle);
46670+ datahandle = atomic_inc_return_unchecked(&mp->datahandle);
46671 skb_push(skb, CAPI_DATA_B3_REQ_LEN);
46672 memset(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
46673 capimsg_setu16(skb->data, 0, CAPI_DATA_B3_REQ_LEN);
46674 capimsg_setu16(skb->data, 2, mp->ap->applid);
46675 capimsg_setu8 (skb->data, 4, CAPI_DATA_B3);
46676 capimsg_setu8 (skb->data, 5, CAPI_REQ);
46677- capimsg_setu16(skb->data, 6, atomic_inc_return(&mp->msgid));
46678+ capimsg_setu16(skb->data, 6, atomic_inc_return_unchecked(&mp->msgid));
46679 capimsg_setu32(skb->data, 8, mp->ncci); /* NCCI */
46680 capimsg_setu32(skb->data, 12, (u32)(long)skb->data);/* Data32 */
46681 capimsg_setu16(skb->data, 16, len); /* Data length */
46682diff --git a/drivers/isdn/gigaset/bas-gigaset.c b/drivers/isdn/gigaset/bas-gigaset.c
46683index aecec6d..11e13c5 100644
46684--- a/drivers/isdn/gigaset/bas-gigaset.c
46685+++ b/drivers/isdn/gigaset/bas-gigaset.c
46686@@ -2565,22 +2565,22 @@ static int gigaset_post_reset(struct usb_interface *intf)
46687
46688
46689 static const struct gigaset_ops gigops = {
46690- gigaset_write_cmd,
46691- gigaset_write_room,
46692- gigaset_chars_in_buffer,
46693- gigaset_brkchars,
46694- gigaset_init_bchannel,
46695- gigaset_close_bchannel,
46696- gigaset_initbcshw,
46697- gigaset_freebcshw,
46698- gigaset_reinitbcshw,
46699- gigaset_initcshw,
46700- gigaset_freecshw,
46701- gigaset_set_modem_ctrl,
46702- gigaset_baud_rate,
46703- gigaset_set_line_ctrl,
46704- gigaset_isoc_send_skb,
46705- gigaset_isoc_input,
46706+ .write_cmd = gigaset_write_cmd,
46707+ .write_room = gigaset_write_room,
46708+ .chars_in_buffer = gigaset_chars_in_buffer,
46709+ .brkchars = gigaset_brkchars,
46710+ .init_bchannel = gigaset_init_bchannel,
46711+ .close_bchannel = gigaset_close_bchannel,
46712+ .initbcshw = gigaset_initbcshw,
46713+ .freebcshw = gigaset_freebcshw,
46714+ .reinitbcshw = gigaset_reinitbcshw,
46715+ .initcshw = gigaset_initcshw,
46716+ .freecshw = gigaset_freecshw,
46717+ .set_modem_ctrl = gigaset_set_modem_ctrl,
46718+ .baud_rate = gigaset_baud_rate,
46719+ .set_line_ctrl = gigaset_set_line_ctrl,
46720+ .send_skb = gigaset_isoc_send_skb,
46721+ .handle_input = gigaset_isoc_input,
46722 };
46723
46724 /* bas_gigaset_init
46725diff --git a/drivers/isdn/gigaset/interface.c b/drivers/isdn/gigaset/interface.c
46726index 600c79b..3752bab 100644
46727--- a/drivers/isdn/gigaset/interface.c
46728+++ b/drivers/isdn/gigaset/interface.c
46729@@ -130,9 +130,9 @@ static int if_open(struct tty_struct *tty, struct file *filp)
46730 }
46731 tty->driver_data = cs;
46732
46733- ++cs->port.count;
46734+ atomic_inc(&cs->port.count);
46735
46736- if (cs->port.count == 1) {
46737+ if (atomic_read(&cs->port.count) == 1) {
46738 tty_port_tty_set(&cs->port, tty);
46739 cs->port.low_latency = 1;
46740 }
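Review bot: In `if_open()` the increment and the test are now two separate atomic operations, `atomic_inc(&cs->port.count);` followed by `if (atomic_read(&cs->port.count) == 1) {`. A single `if (atomic_inc_return(&cs->port.count) == 1) {` expresses "first opener" without a window between the two. It would also mirror the `atomic_dec_return()` used in the `if_close()` hunk below. Whether a lock is held at this point is not visible in the hunk, so the two-step form may be safe today but it reads as racy.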
46741@@ -156,9 +156,9 @@ static void if_close(struct tty_struct *tty, struct file *filp)
46742
46743 if (!cs->connected)
46744 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
46745- else if (!cs->port.count)
46746+ else if (!atomic_read(&cs->port.count))
46747 dev_warn(cs->dev, "%s: device not opened\n", __func__);
46748- else if (!--cs->port.count)
46749+ else if (!atomic_dec_return(&cs->port.count))
46750 tty_port_tty_set(&cs->port, NULL);
46751
46752 mutex_unlock(&cs->mutex);
46753diff --git a/drivers/isdn/gigaset/ser-gigaset.c b/drivers/isdn/gigaset/ser-gigaset.c
46754index 375be50..675293c 100644
46755--- a/drivers/isdn/gigaset/ser-gigaset.c
46756+++ b/drivers/isdn/gigaset/ser-gigaset.c
46757@@ -453,22 +453,22 @@ static int gigaset_set_line_ctrl(struct cardstate *cs, unsigned cflag)
46758 }
46759
46760 static const struct gigaset_ops ops = {
46761- gigaset_write_cmd,
46762- gigaset_write_room,
46763- gigaset_chars_in_buffer,
46764- gigaset_brkchars,
46765- gigaset_init_bchannel,
46766- gigaset_close_bchannel,
46767- gigaset_initbcshw,
46768- gigaset_freebcshw,
46769- gigaset_reinitbcshw,
46770- gigaset_initcshw,
46771- gigaset_freecshw,
46772- gigaset_set_modem_ctrl,
46773- gigaset_baud_rate,
46774- gigaset_set_line_ctrl,
46775- gigaset_m10x_send_skb, /* asyncdata.c */
46776- gigaset_m10x_input, /* asyncdata.c */
46777+ .write_cmd = gigaset_write_cmd,
46778+ .write_room = gigaset_write_room,
46779+ .chars_in_buffer = gigaset_chars_in_buffer,
46780+ .brkchars = gigaset_brkchars,
46781+ .init_bchannel = gigaset_init_bchannel,
46782+ .close_bchannel = gigaset_close_bchannel,
46783+ .initbcshw = gigaset_initbcshw,
46784+ .freebcshw = gigaset_freebcshw,
46785+ .reinitbcshw = gigaset_reinitbcshw,
46786+ .initcshw = gigaset_initcshw,
46787+ .freecshw = gigaset_freecshw,
46788+ .set_modem_ctrl = gigaset_set_modem_ctrl,
46789+ .baud_rate = gigaset_baud_rate,
46790+ .set_line_ctrl = gigaset_set_line_ctrl,
46791+ .send_skb = gigaset_m10x_send_skb, /* asyncdata.c */
46792+ .handle_input = gigaset_m10x_input, /* asyncdata.c */
46793 };
46794
46795
46796diff --git a/drivers/isdn/gigaset/usb-gigaset.c b/drivers/isdn/gigaset/usb-gigaset.c
46797index 5f306e2..5342f88 100644
46798--- a/drivers/isdn/gigaset/usb-gigaset.c
46799+++ b/drivers/isdn/gigaset/usb-gigaset.c
46800@@ -543,7 +543,7 @@ static int gigaset_brkchars(struct cardstate *cs, const unsigned char buf[6])
46801 gigaset_dbg_buffer(DEBUG_USBREQ, "brkchars", 6, buf);
46802 memcpy(cs->hw.usb->bchars, buf, 6);
46803 return usb_control_msg(udev, usb_sndctrlpipe(udev, 0), 0x19, 0x41,
46804- 0, 0, &buf, 6, 2000);
46805+ 0, 0, buf, 6, 2000);
46806 }
46807
46808 static void gigaset_freebcshw(struct bc_state *bcs)
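Review bot: Passing `buf` instead of `&buf` fixes the wrong address, but the transfer buffer is still the caller's `const unsigned char buf[6]`. That drops the `const` qualifier at the `usb_control_msg()` call and sends from memory whose origin this function does not control. The preceding line already copies the six bytes with `memcpy(cs->hw.usb->bchars, buf, 6);`, so passing `cs->hw.usb->bchars` as the data argument would avoid both. This assumes that structure is heap-allocated and suitable for USB transfers, which should be confirmed against the allocation site, outside this hunk.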
46809@@ -862,22 +862,22 @@ static int gigaset_pre_reset(struct usb_interface *intf)
46810 }
46811
46812 static const struct gigaset_ops ops = {
46813- gigaset_write_cmd,
46814- gigaset_write_room,
46815- gigaset_chars_in_buffer,
46816- gigaset_brkchars,
46817- gigaset_init_bchannel,
46818- gigaset_close_bchannel,
46819- gigaset_initbcshw,
46820- gigaset_freebcshw,
46821- gigaset_reinitbcshw,
46822- gigaset_initcshw,
46823- gigaset_freecshw,
46824- gigaset_set_modem_ctrl,
46825- gigaset_baud_rate,
46826- gigaset_set_line_ctrl,
46827- gigaset_m10x_send_skb,
46828- gigaset_m10x_input,
46829+ .write_cmd = gigaset_write_cmd,
46830+ .write_room = gigaset_write_room,
46831+ .chars_in_buffer = gigaset_chars_in_buffer,
46832+ .brkchars = gigaset_brkchars,
46833+ .init_bchannel = gigaset_init_bchannel,
46834+ .close_bchannel = gigaset_close_bchannel,
46835+ .initbcshw = gigaset_initbcshw,
46836+ .freebcshw = gigaset_freebcshw,
46837+ .reinitbcshw = gigaset_reinitbcshw,
46838+ .initcshw = gigaset_initcshw,
46839+ .freecshw = gigaset_freecshw,
46840+ .set_modem_ctrl = gigaset_set_modem_ctrl,
46841+ .baud_rate = gigaset_baud_rate,
46842+ .set_line_ctrl = gigaset_set_line_ctrl,
46843+ .send_skb = gigaset_m10x_send_skb,
46844+ .handle_input = gigaset_m10x_input,
46845 };
46846
46847 /*
46848diff --git a/drivers/isdn/hardware/avm/b1.c b/drivers/isdn/hardware/avm/b1.c
46849index 4d9b195..455075c 100644
46850--- a/drivers/isdn/hardware/avm/b1.c
46851+++ b/drivers/isdn/hardware/avm/b1.c
46852@@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capiloaddatapart *t4file)
46853 }
46854 if (left) {
46855 if (t4file->user) {
46856- if (copy_from_user(buf, dp, left))
46857+ if (left > sizeof buf || copy_from_user(buf, dp, left))
46858 return -EFAULT;
46859 } else {
46860 memcpy(buf, dp, left);
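Review bot: The added `left > sizeof buf` bound only guards the `t4file->user` path; the `else` branch still runs `memcpy(buf, dp, left);` with the same length unchecked. How `left` and `buf` are declared lies outside the hunk, so the value may already be bounded, but if the check is worth having it belongs before the user/kernel split, e.g. `if (left > sizeof buf) return -EFAULT;` ahead of `if (t4file->user) {`. The same pattern appears in the `b1_load_config()` hunk below and in `icn_writecmd()` in drivers/isdn/icn/icn.c, where `memcpy(msg, buf, count);` is likewise unguarded.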
46861@@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capiloaddatapart *config)
46862 }
46863 if (left) {
46864 if (config->user) {
46865- if (copy_from_user(buf, dp, left))
46866+ if (left > sizeof buf || copy_from_user(buf, dp, left))
46867 return -EFAULT;
46868 } else {
46869 memcpy(buf, dp, left);
46870diff --git a/drivers/isdn/i4l/isdn_common.c b/drivers/isdn/i4l/isdn_common.c
46871index 9b856e1..fa03c92 100644
46872--- a/drivers/isdn/i4l/isdn_common.c
46873+++ b/drivers/isdn/i4l/isdn_common.c
46874@@ -1654,6 +1654,8 @@ isdn_ioctl(struct file *file, uint cmd, ulong arg)
46875 } else
46876 return -EINVAL;
46877 case IIOCDBGVAR:
46878+ if (!capable(CAP_SYS_RAWIO))
46879+ return -EPERM;
46880 if (arg) {
46881 if (copy_to_user(argp, &dev, sizeof(ulong)))
46882 return -EFAULT;
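Review bot: The new `capable(CAP_SYS_RAWIO)` gate on `IIOCDBGVAR` has no comment explaining what it protects. The following `copy_to_user(argp, &dev, sizeof(ulong))` appears to hand the value of the `dev` pointer, a kernel address, to user space. I would add a comment above the check such as `/* returns the kernel address stored in dev; privileged callers only */`, so the restriction is not removed later as an unexplained `-EPERM`. The enclosing `isdn_ioctl()` switch extends beyond both ends of this hunk.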
46883diff --git a/drivers/isdn/i4l/isdn_concap.c b/drivers/isdn/i4l/isdn_concap.c
46884index 91d5730..336523e 100644
46885--- a/drivers/isdn/i4l/isdn_concap.c
46886+++ b/drivers/isdn/i4l/isdn_concap.c
46887@@ -80,9 +80,9 @@ static int isdn_concap_dl_disconn_req(struct concap_proto *concap)
46888 }
46889
46890 struct concap_device_ops isdn_concap_reliable_dl_dops = {
46891- &isdn_concap_dl_data_req,
46892- &isdn_concap_dl_connect_req,
46893- &isdn_concap_dl_disconn_req
46894+ .data_req = &isdn_concap_dl_data_req,
46895+ .connect_req = &isdn_concap_dl_connect_req,
46896+ .disconn_req = &isdn_concap_dl_disconn_req
46897 };
46898
46899 /* The following should better go into a dedicated source file such that
46900diff --git a/drivers/isdn/i4l/isdn_tty.c b/drivers/isdn/i4l/isdn_tty.c
46901index bc91261..2ef7e36 100644
46902--- a/drivers/isdn/i4l/isdn_tty.c
46903+++ b/drivers/isdn/i4l/isdn_tty.c
46904@@ -1503,9 +1503,9 @@ isdn_tty_open(struct tty_struct *tty, struct file *filp)
46905
46906 #ifdef ISDN_DEBUG_MODEM_OPEN
46907 printk(KERN_DEBUG "isdn_tty_open %s, count = %d\n", tty->name,
46908- port->count);
46909+ atomic_read(&port->count));
46910 #endif
46911- port->count++;
46912+ atomic_inc(&port->count);
46913 port->tty = tty;
46914 /*
46915 * Start up serial port
46916@@ -1549,7 +1549,7 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp)
46917 #endif
46918 return;
46919 }
46920- if ((tty->count == 1) && (port->count != 1)) {
46921+ if ((tty->count == 1) && (atomic_read(&port->count) != 1)) {
46922 /*
46923 * Uh, oh. tty->count is 1, which means that the tty
46924 * structure will be freed. Info->count should always
46925@@ -1558,15 +1558,15 @@ isdn_tty_close(struct tty_struct *tty, struct file *filp)
46926 * serial port won't be shutdown.
46927 */
46928 printk(KERN_ERR "isdn_tty_close: bad port count; tty->count is 1, "
46929- "info->count is %d\n", port->count);
46930- port->count = 1;
46931+ "info->count is %d\n", atomic_read(&port->count));
46932+ atomic_set(&port->count, 1);
46933 }
46934- if (--port->count < 0) {
46935+ if (atomic_dec_return(&port->count) < 0) {
46936 printk(KERN_ERR "isdn_tty_close: bad port count for ttyi%d: %d\n",
46937- info->line, port->count);
46938- port->count = 0;
46939+ info->line, atomic_read(&port->count));
46940+ atomic_set(&port->count, 0);
46941 }
46942- if (port->count) {
46943+ if (atomic_read(&port->count)) {
46944 #ifdef ISDN_DEBUG_MODEM_OPEN
46945 printk(KERN_DEBUG "isdn_tty_close after info->count != 0\n");
46946 #endif
46947@@ -1620,7 +1620,7 @@ isdn_tty_hangup(struct tty_struct *tty)
46948 if (isdn_tty_paranoia_check(info, tty->name, "isdn_tty_hangup"))
46949 return;
46950 isdn_tty_shutdown(info);
46951- port->count = 0;
46952+ atomic_set(&port->count, 0);
46953 port->flags &= ~ASYNC_NORMAL_ACTIVE;
46954 port->tty = NULL;
46955 wake_up_interruptible(&port->open_wait);
46956@@ -1965,7 +1965,7 @@ isdn_tty_find_icall(int di, int ch, setup_parm *setup)
46957 for (i = 0; i < ISDN_MAX_CHANNELS; i++) {
46958 modem_info *info = &dev->mdm.info[i];
46959
46960- if (info->port.count == 0)
46961+ if (atomic_read(&info->port.count) == 0)
46962 continue;
46963 if ((info->emu.mdmreg[REG_SI1] & si2bit[si1]) && /* SI1 is matching */
46964 (info->emu.mdmreg[REG_SI2] == si2)) { /* SI2 is matching */
46965diff --git a/drivers/isdn/i4l/isdn_x25iface.c b/drivers/isdn/i4l/isdn_x25iface.c
46966index e2d4e58..40cd045 100644
46967--- a/drivers/isdn/i4l/isdn_x25iface.c
46968+++ b/drivers/isdn/i4l/isdn_x25iface.c
46969@@ -53,14 +53,14 @@ static int isdn_x25iface_disconn_ind(struct concap_proto *);
46970
46971
46972 static struct concap_proto_ops ix25_pops = {
46973- &isdn_x25iface_proto_new,
46974- &isdn_x25iface_proto_del,
46975- &isdn_x25iface_proto_restart,
46976- &isdn_x25iface_proto_close,
46977- &isdn_x25iface_xmit,
46978- &isdn_x25iface_receive,
46979- &isdn_x25iface_connect_ind,
46980- &isdn_x25iface_disconn_ind
46981+ .proto_new = &isdn_x25iface_proto_new,
46982+ .proto_del = &isdn_x25iface_proto_del,
46983+ .restart = &isdn_x25iface_proto_restart,
46984+ .close = &isdn_x25iface_proto_close,
46985+ .encap_and_xmit = &isdn_x25iface_xmit,
46986+ .data_ind = &isdn_x25iface_receive,
46987+ .connect_ind = &isdn_x25iface_connect_ind,
46988+ .disconn_ind = &isdn_x25iface_disconn_ind
46989 };
46990
46991 /* error message helper function */
46992diff --git a/drivers/isdn/icn/icn.c b/drivers/isdn/icn/icn.c
46993index 358a574..b4987ea 100644
46994--- a/drivers/isdn/icn/icn.c
46995+++ b/drivers/isdn/icn/icn.c
46996@@ -1045,7 +1045,7 @@ icn_writecmd(const u_char *buf, int len, int user, icn_card *card)
46997 if (count > len)
46998 count = len;
46999 if (user) {
47000- if (copy_from_user(msg, buf, count))
47001+ if (count > sizeof msg || copy_from_user(msg, buf, count))
47002 return -EFAULT;
47003 } else
47004 memcpy(msg, buf, count);
47005diff --git a/drivers/isdn/mISDN/dsp_cmx.c b/drivers/isdn/mISDN/dsp_cmx.c
47006index 52c4382..09e0c7c 100644
47007--- a/drivers/isdn/mISDN/dsp_cmx.c
47008+++ b/drivers/isdn/mISDN/dsp_cmx.c
47009@@ -1625,7 +1625,7 @@ unsigned long dsp_spl_jiffies; /* calculate the next time to fire */
47010 static u16 dsp_count; /* last sample count */
47011 static int dsp_count_valid; /* if we have last sample count */
47012
47013-void
47014+void __intentional_overflow(-1)
47015 dsp_cmx_send(void *arg)
47016 {
47017 struct dsp_conf *conf;
47018diff --git a/drivers/lguest/core.c b/drivers/lguest/core.c
47019index 312ffd3..9263d05 100644
47020--- a/drivers/lguest/core.c
47021+++ b/drivers/lguest/core.c
47022@@ -96,9 +96,17 @@ static __init int map_switcher(void)
47023 * The end address needs +1 because __get_vm_area allocates an
47024 * extra guard page, so we need space for that.
47025 */
47026+
47027+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
47028+ switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
47029+ VM_ALLOC | VM_KERNEXEC, switcher_addr, switcher_addr
47030+ + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
47031+#else
47032 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
47033 VM_ALLOC, switcher_addr, switcher_addr
47034 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
47035+#endif
47036+
47037 if (!switcher_vma) {
47038 err = -ENOMEM;
47039 printk("lguest: could not map switcher pages high\n");
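Review bot: The `#if`/`#else` duplicates the whole `__get_vm_area()` call although only the flags argument differs, so a later change to the size or address range has to be made twice. Computing the flags once and keeping a single call avoids that. The declaration would sit with `map_switcher()`'s other locals, which are outside this hunk.

```c
/* … unchanged: map_switcher() locals; declare this one alongside them … */
	unsigned long vm_flags = VM_ALLOC;

#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	vm_flags |= VM_KERNEXEC;
#endif
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     vm_flags, switcher_addr, switcher_addr
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
```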
47040@@ -121,7 +129,7 @@ static __init int map_switcher(void)
47041 * Now the Switcher is mapped at the right address, we can't fail!
47042 * Copy in the compiled-in Switcher code (from x86/switcher_32.S).
47043 */
47044- memcpy(switcher_vma->addr, start_switcher_text,
47045+ memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
47046 end_switcher_text - start_switcher_text);
47047
47048 printk(KERN_INFO "lguest: mapped switcher at %p\n",
47049diff --git a/drivers/lguest/page_tables.c b/drivers/lguest/page_tables.c
47050index e3abebc9..6a35328 100644
47051--- a/drivers/lguest/page_tables.c
47052+++ b/drivers/lguest/page_tables.c
47053@@ -585,7 +585,7 @@ void pin_page(struct lg_cpu *cpu, unsigned long vaddr)
47054 /*:*/
47055
47056 #ifdef CONFIG_X86_PAE
47057-static void release_pmd(pmd_t *spmd)
47058+static void __intentional_overflow(-1) release_pmd(pmd_t *spmd)
47059 {
47060 /* If the entry's not present, there's nothing to release. */
47061 if (pmd_flags(*spmd) & _PAGE_PRESENT) {
47062diff --git a/drivers/lguest/x86/core.c b/drivers/lguest/x86/core.c
47063index 6a4cd77..c9e2d9f 100644
47064--- a/drivers/lguest/x86/core.c
47065+++ b/drivers/lguest/x86/core.c
47066@@ -60,7 +60,7 @@ static struct {
47067 /* Offset from where switcher.S was compiled to where we've copied it */
47068 static unsigned long switcher_offset(void)
47069 {
47070- return switcher_addr - (unsigned long)start_switcher_text;
47071+ return switcher_addr - ktla_ktva((unsigned long)start_switcher_text);
47072 }
47073
47074 /* This cpu's struct lguest_pages (after the Switcher text page) */
47075@@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg_cpu *cpu, struct lguest_pages *pages)
47076 * These copies are pretty cheap, so we do them unconditionally: */
47077 /* Save the current Host top-level page directory.
47078 */
47079+
47080+#ifdef CONFIG_PAX_PER_CPU_PGD
47081+ pages->state.host_cr3 = read_cr3();
47082+#else
47083 pages->state.host_cr3 = __pa(current->mm->pgd);
47084+#endif
47085+
47086 /*
47087 * Set up the Guest's page tables to see this CPU's pages (and no
47088 * other CPU's pages).
47089@@ -494,7 +500,7 @@ void __init lguest_arch_host_init(void)
47090 * compiled-in switcher code and the high-mapped copy we just made.
47091 */
47092 for (i = 0; i < IDT_ENTRIES; i++)
47093- default_idt_entries[i] += switcher_offset();
47094+ default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
47095
47096 /*
47097 * Set up the Switcher's per-cpu areas.
47098@@ -577,7 +583,7 @@ void __init lguest_arch_host_init(void)
47099 * it will be undisturbed when we switch. To change %cs and jump we
47100 * need this structure to feed to Intel's "lcall" instruction.
47101 */
47102- lguest_entry.offset = (long)switch_to_guest + switcher_offset();
47103+ lguest_entry.offset = ktla_ktva((unsigned long)switch_to_guest) + switcher_offset();
47104 lguest_entry.segment = LGUEST_CS;
47105
47106 /*
47107diff --git a/drivers/lguest/x86/switcher_32.S b/drivers/lguest/x86/switcher_32.S
47108index 40634b0..4f5855e 100644
47109--- a/drivers/lguest/x86/switcher_32.S
47110+++ b/drivers/lguest/x86/switcher_32.S
47111@@ -87,6 +87,7 @@
47112 #include <asm/page.h>
47113 #include <asm/segment.h>
47114 #include <asm/lguest.h>
47115+#include <asm/processor-flags.h>
47116
47117 // We mark the start of the code to copy
47118 // It's placed in .text tho it's never run here
47119@@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
47120 // Changes type when we load it: damn Intel!
47121 // For after we switch over our page tables
47122 // That entry will be read-only: we'd crash.
47123+
47124+#ifdef CONFIG_PAX_KERNEXEC
47125+ mov %cr0, %edx
47126+ xor $X86_CR0_WP, %edx
47127+ mov %edx, %cr0
47128+#endif
47129+
47130 movl $(GDT_ENTRY_TSS*8), %edx
47131 ltr %dx
47132
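Review bot: Both added `CONFIG_PAX_KERNEXEC` blocks flip write protection with `xor $X86_CR0_WP, ...`, which toggles the bit instead of setting a known state. If WP were ever already clear on entry, the first block would turn it on just before the write to the TSS descriptor, and the second block (in the next hunk) would leave it off afterwards. Writing the intent explicitly is safer: `and $~X86_CR0_WP, %edx` here to open the window and `or $X86_CR0_WP, %eax` in the next hunk to close it. A short comment on each block saying which write the window is for would also help.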
47133@@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
47134 // Let's clear it again for our return.
47135 // The GDT descriptor of the Host
47136 // Points to the table after two "size" bytes
47137- movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
47138+ movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
47139 // Clear "used" from type field (byte 5, bit 2)
47140- andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
47141+ andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
47142+
47143+#ifdef CONFIG_PAX_KERNEXEC
47144+ mov %cr0, %eax
47145+ xor $X86_CR0_WP, %eax
47146+ mov %eax, %cr0
47147+#endif
47148
47149 // Once our page table's switched, the Guest is live!
47150 // The Host fades as we run this final step.
47151@@ -295,13 +309,12 @@ deliver_to_host:
47152 // I consulted gcc, and it gave
47153 // These instructions, which I gladly credit:
47154 leal (%edx,%ebx,8), %eax
47155- movzwl (%eax),%edx
47156- movl 4(%eax), %eax
47157- xorw %ax, %ax
47158- orl %eax, %edx
47159+ movl 4(%eax), %edx
47160+ movw (%eax), %dx
47161 // Now the address of the handler's in %edx
47162 // We call it now: its "iret" drops us home.
47163- jmp *%edx
47164+ ljmp $__KERNEL_CS, $1f
47165+1: jmp *%edx
47166
47167 // Every interrupt can come to us here
47168 // But we must truly tell each apart.
47169diff --git a/drivers/md/bcache/Kconfig b/drivers/md/bcache/Kconfig
47170index 4d20088..de60cb2 100644
47171--- a/drivers/md/bcache/Kconfig
47172+++ b/drivers/md/bcache/Kconfig
47173@@ -20,6 +20,7 @@ config BCACHE_CLOSURES_DEBUG
47174 bool "Debug closures"
47175 depends on BCACHE
47176 select DEBUG_FS
47177+ depends on !GRKERNSEC_KMEM
47178 ---help---
47179 Keeps all active closures in a linked list and provides a debugfs
47180 interface to list them, which makes it possible to see asynchronous
47181diff --git a/drivers/md/bcache/closure.h b/drivers/md/bcache/closure.h
47182index 79a6d63..47acff6 100644
47183--- a/drivers/md/bcache/closure.h
47184+++ b/drivers/md/bcache/closure.h
47185@@ -238,7 +238,7 @@ static inline void closure_set_stopped(struct closure *cl)
47186 static inline void set_closure_fn(struct closure *cl, closure_fn *fn,
47187 struct workqueue_struct *wq)
47188 {
47189- BUG_ON(object_is_on_stack(cl));
47190+ BUG_ON(object_starts_on_stack(cl));
47191 closure_set_ip(cl);
47192 cl->fn = fn;
47193 cl->wq = wq;
47194diff --git a/drivers/md/bitmap.c b/drivers/md/bitmap.c
47195index 48b5890..b0af0ca 100644
47196--- a/drivers/md/bitmap.c
47197+++ b/drivers/md/bitmap.c
47198@@ -1933,7 +1933,7 @@ void bitmap_status(struct seq_file *seq, struct bitmap *bitmap)
47199 chunk_kb ? "KB" : "B");
47200 if (bitmap->storage.file) {
47201 seq_printf(seq, ", file: ");
47202- seq_file_path(seq, bitmap->storage.file, " \t\n");
47203+ seq_file_path(seq, bitmap->storage.file, " \t\n\\");
47204 }
47205
47206 seq_printf(seq, "\n");
47207diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c
47208index 720ceeb..030f1d4 100644
47209--- a/drivers/md/dm-ioctl.c
47210+++ b/drivers/md/dm-ioctl.c
47211@@ -1773,7 +1773,7 @@ static int validate_params(uint cmd, struct dm_ioctl *param)
47212 cmd == DM_LIST_VERSIONS_CMD)
47213 return 0;
47214
47215- if ((cmd == DM_DEV_CREATE_CMD)) {
47216+ if (cmd == DM_DEV_CREATE_CMD) {
47217 if (!*param->name) {
47218 DMWARN("name not supplied when creating device");
47219 return -EINVAL;
47220diff --git a/drivers/md/dm-raid1.c b/drivers/md/dm-raid1.c
47221index d83696b..44f22f7 100644
47222--- a/drivers/md/dm-raid1.c
47223+++ b/drivers/md/dm-raid1.c
47224@@ -42,7 +42,7 @@ enum dm_raid1_error {
47225
47226 struct mirror {
47227 struct mirror_set *ms;
47228- atomic_t error_count;
47229+ atomic_unchecked_t error_count;
47230 unsigned long error_type;
47231 struct dm_dev *dev;
47232 sector_t offset;
47233@@ -188,7 +188,7 @@ static struct mirror *get_valid_mirror(struct mirror_set *ms)
47234 struct mirror *m;
47235
47236 for (m = ms->mirror; m < ms->mirror + ms->nr_mirrors; m++)
47237- if (!atomic_read(&m->error_count))
47238+ if (!atomic_read_unchecked(&m->error_count))
47239 return m;
47240
47241 return NULL;
47242@@ -220,7 +220,7 @@ static void fail_mirror(struct mirror *m, enum dm_raid1_error error_type)
47243 * simple way to tell if a device has encountered
47244 * errors.
47245 */
47246- atomic_inc(&m->error_count);
47247+ atomic_inc_unchecked(&m->error_count);
47248
47249 if (test_and_set_bit(error_type, &m->error_type))
47250 return;
47251@@ -378,7 +378,7 @@ static void reset_ms_flags(struct mirror_set *ms)
47252
47253 ms->leg_failure = 0;
47254 for (m = 0; m < ms->nr_mirrors; m++) {
47255- atomic_set(&(ms->mirror[m].error_count), 0);
47256+ atomic_set_unchecked(&(ms->mirror[m].error_count), 0);
47257 ms->mirror[m].error_type = 0;
47258 }
47259 }
47260@@ -423,7 +423,7 @@ static struct mirror *choose_mirror(struct mirror_set *ms, sector_t sector)
47261 struct mirror *m = get_default_mirror(ms);
47262
47263 do {
47264- if (likely(!atomic_read(&m->error_count)))
47265+ if (likely(!atomic_read_unchecked(&m->error_count)))
47266 return m;
47267
47268 if (m-- == ms->mirror)
47269@@ -437,7 +437,7 @@ static int default_ok(struct mirror *m)
47270 {
47271 struct mirror *default_mirror = get_default_mirror(m->ms);
47272
47273- return !atomic_read(&default_mirror->error_count);
47274+ return !atomic_read_unchecked(&default_mirror->error_count);
47275 }
47276
47277 static int mirror_available(struct mirror_set *ms, struct bio *bio)
47278@@ -574,7 +574,7 @@ static void do_reads(struct mirror_set *ms, struct bio_list *reads)
47279 */
47280 if (likely(region_in_sync(ms, region, 1)))
47281 m = choose_mirror(ms, bio->bi_iter.bi_sector);
47282- else if (m && atomic_read(&m->error_count))
47283+ else if (m && atomic_read_unchecked(&m->error_count))
47284 m = NULL;
47285
47286 if (likely(m))
47287@@ -956,7 +956,7 @@ static int get_mirror(struct mirror_set *ms, struct dm_target *ti,
47288 }
47289
47290 ms->mirror[mirror].ms = ms;
47291- atomic_set(&(ms->mirror[mirror].error_count), 0);
47292+ atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
47293 ms->mirror[mirror].error_type = 0;
47294 ms->mirror[mirror].offset = offset;
47295
47296@@ -1380,7 +1380,7 @@ static void mirror_resume(struct dm_target *ti)
47297 */
47298 static char device_status_char(struct mirror *m)
47299 {
47300- if (!atomic_read(&(m->error_count)))
47301+ if (!atomic_read_unchecked(&(m->error_count)))
47302 return 'A';
47303
47304 return (test_bit(DM_RAID1_FLUSH_ERROR, &(m->error_type))) ? 'F' :
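Review bot: `error_count` is converted to `atomic_unchecked_t` throughout this file, but every reader treats it as a boolean health flag (`!atomic_read_unchecked(&m->error_count)` in get_valid_mirror, choose_mirror, default_ok and device_status_char), so a wrap back to 0 would report a failed mirror as usable. Opting out of overflow checking is reasonable for a statistic, but the field should say so: `atomic_unchecked_t error_count; /* error tally, not a refcount; nonzero means the leg has failed */`. If wrap is a concern, fail_mirror could stop incrementing once the value is nonzero, since its own comment says the count is only a way to tell whether errors occurred. The same undocumented conversion recurs for the stripe `error_count` in dm-stripe.c and the event counters in dm.c and md.c.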
47305diff --git a/drivers/md/dm-stats.c b/drivers/md/dm-stats.c
47306index 8289804..12db118 100644
47307--- a/drivers/md/dm-stats.c
47308+++ b/drivers/md/dm-stats.c
47309@@ -435,7 +435,7 @@ do_sync_free:
47310 synchronize_rcu_expedited();
47311 dm_stat_free(&s->rcu_head);
47312 } else {
47313- ACCESS_ONCE(dm_stat_need_rcu_barrier) = 1;
47314+ ACCESS_ONCE_RW(dm_stat_need_rcu_barrier) = 1;
47315 call_rcu(&s->rcu_head, dm_stat_free);
47316 }
47317 return 0;
47318@@ -648,8 +648,8 @@ void dm_stats_account_io(struct dm_stats *stats, unsigned long bi_rw,
47319 ((bi_rw & (REQ_WRITE | REQ_DISCARD)) ==
47320 (ACCESS_ONCE(last->last_rw) & (REQ_WRITE | REQ_DISCARD)))
47321 ));
47322- ACCESS_ONCE(last->last_sector) = end_sector;
47323- ACCESS_ONCE(last->last_rw) = bi_rw;
47324+ ACCESS_ONCE_RW(last->last_sector) = end_sector;
47325+ ACCESS_ONCE_RW(last->last_rw) = bi_rw;
47326 }
47327
47328 rcu_read_lock();
47329diff --git a/drivers/md/dm-stripe.c b/drivers/md/dm-stripe.c
47330index a672a15..dc85e99 100644
47331--- a/drivers/md/dm-stripe.c
47332+++ b/drivers/md/dm-stripe.c
47333@@ -21,7 +21,7 @@ struct stripe {
47334 struct dm_dev *dev;
47335 sector_t physical_start;
47336
47337- atomic_t error_count;
47338+ atomic_unchecked_t error_count;
47339 };
47340
47341 struct stripe_c {
47342@@ -188,7 +188,7 @@ static int stripe_ctr(struct dm_target *ti, unsigned int argc, char **argv)
47343 kfree(sc);
47344 return r;
47345 }
47346- atomic_set(&(sc->stripe[i].error_count), 0);
47347+ atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
47348 }
47349
47350 ti->private = sc;
47351@@ -332,7 +332,7 @@ static void stripe_status(struct dm_target *ti, status_type_t type,
47352 DMEMIT("%d ", sc->stripes);
47353 for (i = 0; i < sc->stripes; i++) {
47354 DMEMIT("%s ", sc->stripe[i].dev->name);
47355- buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
47356+ buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
47357 'D' : 'A';
47358 }
47359 buffer[i] = '\0';
47360@@ -377,8 +377,8 @@ static int stripe_end_io(struct dm_target *ti, struct bio *bio, int error)
47361 */
47362 for (i = 0; i < sc->stripes; i++)
47363 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
47364- atomic_inc(&(sc->stripe[i].error_count));
47365- if (atomic_read(&(sc->stripe[i].error_count)) <
47366+ atomic_inc_unchecked(&(sc->stripe[i].error_count));
47367+ if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
47368 DM_IO_ERROR_THRESHOLD)
47369 schedule_work(&sc->trigger_event);
47370 }
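Review bot: In stripe_end_io the counter is bumped with `atomic_inc_unchecked()` and then re-read with `atomic_read_unchecked()`, so two completions racing on the same stripe can both compare against a value neither of them produced. The patch already uses the combined helper elsewhere; here it would read `if (atomic_inc_return_unchecked(&(sc->stripe[i].error_count)) < DM_IO_ERROR_THRESHOLD)`. fix_read_error in raid10.c has the same increment-then-read pair around `max_read_errors`. stripe_end_io begins outside this hunk.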
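--- a/drivers/md/dm-table.c
+++ b/drivers/md/dm-table.c
@@ -305,7 +305,7 @@ static int device_area_is_invalid(struct dm_target *ti, struct dm_dev *dev,
 if (!dev_size)
 return 0;
 
- if ((start >= dev_size) || (start + len > dev_size)) {
+ if ((start >= dev_size) || (len > dev_size - start)) {
 DMWARN("%s: %s too small for target: "
 "start=%llu, len=%llu, dev_size=%llu",
 dm_device_name(ti->table->md), bdevname(bdev, b),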
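Review bot: The rewritten bound `len > dev_size - start` is only safe because `start >= dev_size` is tested first in the same `||`, and nothing in the hunk records that dependency. A comment such as `/* start < dev_size is established by the first test, so the subtraction cannot underflow; start + len could wrap */` above the `if` would stop a later edit from reordering or splitting the condition. The types of `start`, `len` and `dev_size` are declared outside the hunk, so I am assuming they share the same unsigned width.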
47384diff --git a/drivers/md/dm-thin-metadata.c b/drivers/md/dm-thin-metadata.c
47385index 6ba47cf..a870ba2 100644
47386--- a/drivers/md/dm-thin-metadata.c
47387+++ b/drivers/md/dm-thin-metadata.c
47388@@ -403,7 +403,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd)
47389 {
47390 pmd->info.tm = pmd->tm;
47391 pmd->info.levels = 2;
47392- pmd->info.value_type.context = pmd->data_sm;
47393+ pmd->info.value_type.context = (dm_space_map_no_const *)pmd->data_sm;
47394 pmd->info.value_type.size = sizeof(__le64);
47395 pmd->info.value_type.inc = data_block_inc;
47396 pmd->info.value_type.dec = data_block_dec;
47397@@ -422,7 +422,7 @@ static void __setup_btree_details(struct dm_pool_metadata *pmd)
47398
47399 pmd->bl_info.tm = pmd->tm;
47400 pmd->bl_info.levels = 1;
47401- pmd->bl_info.value_type.context = pmd->data_sm;
47402+ pmd->bl_info.value_type.context = (dm_space_map_no_const *)pmd->data_sm;
47403 pmd->bl_info.value_type.size = sizeof(__le64);
47404 pmd->bl_info.value_type.inc = data_block_inc;
47405 pmd->bl_info.value_type.dec = data_block_dec;
47406diff --git a/drivers/md/dm.c b/drivers/md/dm.c
47407index 3e32f4e..01e0a7f 100644
47408--- a/drivers/md/dm.c
47409+++ b/drivers/md/dm.c
47410@@ -194,9 +194,9 @@ struct mapped_device {
47411 /*
47412 * Event handling.
47413 */
47414- atomic_t event_nr;
47415+ atomic_unchecked_t event_nr;
47416 wait_queue_head_t eventq;
47417- atomic_t uevent_seq;
47418+ atomic_unchecked_t uevent_seq;
47419 struct list_head uevent_list;
47420 spinlock_t uevent_lock; /* Protect access to uevent_list */
47421
47422@@ -2339,8 +2339,8 @@ static struct mapped_device *alloc_dev(int minor)
47423 spin_lock_init(&md->deferred_lock);
47424 atomic_set(&md->holders, 1);
47425 atomic_set(&md->open_count, 0);
47426- atomic_set(&md->event_nr, 0);
47427- atomic_set(&md->uevent_seq, 0);
47428+ atomic_set_unchecked(&md->event_nr, 0);
47429+ atomic_set_unchecked(&md->uevent_seq, 0);
47430 INIT_LIST_HEAD(&md->uevent_list);
47431 INIT_LIST_HEAD(&md->table_devices);
47432 spin_lock_init(&md->uevent_lock);
47433@@ -2481,7 +2481,7 @@ static void event_callback(void *context)
47434
47435 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
47436
47437- atomic_inc(&md->event_nr);
47438+ atomic_inc_unchecked(&md->event_nr);
47439 wake_up(&md->eventq);
47440 }
47441
47442@@ -3479,18 +3479,18 @@ int dm_kobject_uevent(struct mapped_device *md, enum kobject_action action,
47443
47444 uint32_t dm_next_uevent_seq(struct mapped_device *md)
47445 {
47446- return atomic_add_return(1, &md->uevent_seq);
47447+ return atomic_add_return_unchecked(1, &md->uevent_seq);
47448 }
47449
47450 uint32_t dm_get_event_nr(struct mapped_device *md)
47451 {
47452- return atomic_read(&md->event_nr);
47453+ return atomic_read_unchecked(&md->event_nr);
47454 }
47455
47456 int dm_wait_event(struct mapped_device *md, int event_nr)
47457 {
47458 return wait_event_interruptible(md->eventq,
47459- (event_nr != atomic_read(&md->event_nr)));
47460+ (event_nr != atomic_read_unchecked(&md->event_nr)));
47461 }
47462
47463 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
47464diff --git a/drivers/md/md.c b/drivers/md/md.c
47465index e25f00f..12caa60 100644
47466--- a/drivers/md/md.c
47467+++ b/drivers/md/md.c
47468@@ -197,10 +197,10 @@ EXPORT_SYMBOL_GPL(bio_clone_mddev);
47469 * start build, activate spare
47470 */
47471 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
47472-static atomic_t md_event_count;
47473+static atomic_unchecked_t md_event_count;
47474 void md_new_event(struct mddev *mddev)
47475 {
47476- atomic_inc(&md_event_count);
47477+ atomic_inc_unchecked(&md_event_count);
47478 wake_up(&md_event_waiters);
47479 }
47480 EXPORT_SYMBOL_GPL(md_new_event);
47481@@ -210,7 +210,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
47482 */
47483 static void md_new_event_inintr(struct mddev *mddev)
47484 {
47485- atomic_inc(&md_event_count);
47486+ atomic_inc_unchecked(&md_event_count);
47487 wake_up(&md_event_waiters);
47488 }
47489
47490@@ -1449,7 +1449,7 @@ static int super_1_load(struct md_rdev *rdev, struct md_rdev *refdev, int minor_
47491 if ((le32_to_cpu(sb->feature_map) & MD_FEATURE_RESHAPE_ACTIVE) &&
47492 (le32_to_cpu(sb->feature_map) & MD_FEATURE_NEW_OFFSET))
47493 rdev->new_data_offset += (s32)le32_to_cpu(sb->new_offset);
47494- atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
47495+ atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
47496
47497 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
47498 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
47499@@ -1700,7 +1700,7 @@ static void super_1_sync(struct mddev *mddev, struct md_rdev *rdev)
47500 else
47501 sb->resync_offset = cpu_to_le64(0);
47502
47503- sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
47504+ sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
47505
47506 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
47507 sb->size = cpu_to_le64(mddev->dev_sectors);
47508@@ -2622,7 +2622,7 @@ __ATTR_PREALLOC(state, S_IRUGO|S_IWUSR, state_show, state_store);
47509 static ssize_t
47510 errors_show(struct md_rdev *rdev, char *page)
47511 {
47512- return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
47513+ return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
47514 }
47515
47516 static ssize_t
47517@@ -2634,7 +2634,7 @@ errors_store(struct md_rdev *rdev, const char *buf, size_t len)
47518 rv = kstrtouint(buf, 10, &n);
47519 if (rv < 0)
47520 return rv;
47521- atomic_set(&rdev->corrected_errors, n);
47522+ atomic_set_unchecked(&rdev->corrected_errors, n);
47523 return len;
47524 }
47525 static struct rdev_sysfs_entry rdev_errors =
47526@@ -3071,8 +3071,8 @@ int md_rdev_init(struct md_rdev *rdev)
47527 rdev->sb_loaded = 0;
47528 rdev->bb_page = NULL;
47529 atomic_set(&rdev->nr_pending, 0);
47530- atomic_set(&rdev->read_errors, 0);
47531- atomic_set(&rdev->corrected_errors, 0);
47532+ atomic_set_unchecked(&rdev->read_errors, 0);
47533+ atomic_set_unchecked(&rdev->corrected_errors, 0);
47534
47535 INIT_LIST_HEAD(&rdev->same_set);
47536 init_waitqueue_head(&rdev->blocked_wait);
47537@@ -7256,7 +7256,7 @@ static int md_seq_show(struct seq_file *seq, void *v)
47538
47539 spin_unlock(&pers_lock);
47540 seq_printf(seq, "\n");
47541- seq->poll_event = atomic_read(&md_event_count);
47542+ seq->poll_event = atomic_read_unchecked(&md_event_count);
47543 return 0;
47544 }
47545 if (v == (void*)2) {
47546@@ -7359,7 +7359,7 @@ static int md_seq_open(struct inode *inode, struct file *file)
47547 return error;
47548
47549 seq = file->private_data;
47550- seq->poll_event = atomic_read(&md_event_count);
47551+ seq->poll_event = atomic_read_unchecked(&md_event_count);
47552 return error;
47553 }
47554
47555@@ -7376,7 +7376,7 @@ static unsigned int mdstat_poll(struct file *filp, poll_table *wait)
47556 /* always allow read */
47557 mask = POLLIN | POLLRDNORM;
47558
47559- if (seq->poll_event != atomic_read(&md_event_count))
47560+ if (seq->poll_event != atomic_read_unchecked(&md_event_count))
47561 mask |= POLLERR | POLLPRI;
47562 return mask;
47563 }
47564@@ -7472,7 +7472,7 @@ static int is_mddev_idle(struct mddev *mddev, int init)
47565 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
47566 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
47567 (int)part_stat_read(&disk->part0, sectors[1]) -
47568- atomic_read(&disk->sync_io);
47569+ atomic_read_unchecked(&disk->sync_io);
47570 /* sync IO will cause sync_io to increase before the disk_stats
47571 * as sync_io is counted when a request starts, and
47572 * disk_stats is counted when it completes.
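Review bot: errors_store parses the value with `kstrtouint()` and stores it with `atomic_set_unchecked()`, while errors_show still prints the counter with `%d`, so anything above INT_MAX written through sysfs or accumulated by the now-unchecked additions reads back negative. Printing it unsigned, `return sprintf(page, "%u\n", (unsigned int)atomic_read_unchecked(&rdev->corrected_errors));`, keeps the output identical for values up to INT_MAX. super_1_load feeds the same counter from the on-disk `cnt_corrected_read` field, which is another source of large values. Both functions are only partly visible in their hunks.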
47573diff --git a/drivers/md/md.h b/drivers/md/md.h
47574index 7da6e9c..f0c1f10 100644
47575--- a/drivers/md/md.h
47576+++ b/drivers/md/md.h
47577@@ -96,13 +96,13 @@ struct md_rdev {
47578 * only maintained for arrays that
47579 * support hot removal
47580 */
47581- atomic_t read_errors; /* number of consecutive read errors that
47582+ atomic_unchecked_t read_errors; /* number of consecutive read errors that
47583 * we have tried to ignore.
47584 */
47585 struct timespec last_read_error; /* monotonic time since our
47586 * last read error
47587 */
47588- atomic_t corrected_errors; /* number of corrected read errors,
47589+ atomic_unchecked_t corrected_errors; /* number of corrected read errors,
47590 * for reporting to userspace and storing
47591 * in superblock.
47592 */
47593@@ -487,7 +487,7 @@ extern void mddev_unlock(struct mddev *mddev);
47594
47595 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
47596 {
47597- atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
47598+ atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
47599 }
47600
47601 struct md_personality
47602diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
47603index 5309129..7fb096e 100644
47604--- a/drivers/md/persistent-data/dm-space-map-metadata.c
47605+++ b/drivers/md/persistent-data/dm-space-map-metadata.c
47606@@ -691,7 +691,7 @@ static int sm_metadata_extend(struct dm_space_map *sm, dm_block_t extra_blocks)
47607 * Flick into a mode where all blocks get allocated in the new area.
47608 */
47609 smm->begin = old_len;
47610- memcpy(sm, &bootstrap_ops, sizeof(*sm));
47611+ memcpy((void *)sm, &bootstrap_ops, sizeof(*sm));
47612
47613 /*
47614 * Extend.
47615@@ -728,7 +728,7 @@ out:
47616 /*
47617 * Switch back to normal behaviour.
47618 */
47619- memcpy(sm, &ops, sizeof(*sm));
47620+ memcpy((void *)sm, &ops, sizeof(*sm));
47621 return r;
47622 }
47623
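Review bot: Both `memcpy()` calls in sm_metadata_extend now cast the destination to `(void *)`, which hides the fact that a table of function pointers is overwritten at run time. dm-thin-metadata.c in this same patch uses the `dm_space_map_no_const` typedef for the equivalent cast, and `memcpy((dm_space_map_no_const *)sm, &bootstrap_ops, sizeof(*sm));` would keep the intent visible and greppable, assuming the typedef from dm-space-map.h is in scope here. A short comment that `sm` must live in writable memory because its ops are swapped during extend would also help. The function starts outside both hunks.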
47624diff --git a/drivers/md/persistent-data/dm-space-map.h b/drivers/md/persistent-data/dm-space-map.h
47625index 3e6d115..ffecdeb 100644
47626--- a/drivers/md/persistent-data/dm-space-map.h
47627+++ b/drivers/md/persistent-data/dm-space-map.h
47628@@ -71,6 +71,7 @@ struct dm_space_map {
47629 dm_sm_threshold_fn fn,
47630 void *context);
47631 };
47632+typedef struct dm_space_map __no_const dm_space_map_no_const;
47633
47634 /*----------------------------------------------------------------*/
47635
47636diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c
47637index 967a4ed..002d339 100644
47638--- a/drivers/md/raid1.c
47639+++ b/drivers/md/raid1.c
47640@@ -1937,7 +1937,7 @@ static int fix_sync_read_error(struct r1bio *r1_bio)
47641 if (r1_sync_page_io(rdev, sect, s,
47642 bio->bi_io_vec[idx].bv_page,
47643 READ) != 0)
47644- atomic_add(s, &rdev->corrected_errors);
47645+ atomic_add_unchecked(s, &rdev->corrected_errors);
47646 }
47647 sectors -= s;
47648 sect += s;
47649@@ -2170,7 +2170,7 @@ static void fix_read_error(struct r1conf *conf, int read_disk,
47650 !test_bit(Faulty, &rdev->flags)) {
47651 if (r1_sync_page_io(rdev, sect, s,
47652 conf->tmppage, READ)) {
47653- atomic_add(s, &rdev->corrected_errors);
47654+ atomic_add_unchecked(s, &rdev->corrected_errors);
47655 printk(KERN_INFO
47656 "md/raid1:%s: read error corrected "
47657 "(%d sectors at %llu on %s)\n",
47658diff --git a/drivers/md/raid10.c b/drivers/md/raid10.c
47659index 38c58e1..89c3e0f 100644
47660--- a/drivers/md/raid10.c
47661+++ b/drivers/md/raid10.c
47662@@ -1934,7 +1934,7 @@ static void end_sync_read(struct bio *bio, int error)
47663 /* The write handler will notice the lack of
47664 * R10BIO_Uptodate and record any errors etc
47665 */
47666- atomic_add(r10_bio->sectors,
47667+ atomic_add_unchecked(r10_bio->sectors,
47668 &conf->mirrors[d].rdev->corrected_errors);
47669
47670 /* for reconstruct, we always reschedule after a read.
47671@@ -2281,7 +2281,7 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
47672 {
47673 struct timespec cur_time_mon;
47674 unsigned long hours_since_last;
47675- unsigned int read_errors = atomic_read(&rdev->read_errors);
47676+ unsigned int read_errors = atomic_read_unchecked(&rdev->read_errors);
47677
47678 ktime_get_ts(&cur_time_mon);
47679
47680@@ -2303,9 +2303,9 @@ static void check_decay_read_errors(struct mddev *mddev, struct md_rdev *rdev)
47681 * overflowing the shift of read_errors by hours_since_last.
47682 */
47683 if (hours_since_last >= 8 * sizeof(read_errors))
47684- atomic_set(&rdev->read_errors, 0);
47685+ atomic_set_unchecked(&rdev->read_errors, 0);
47686 else
47687- atomic_set(&rdev->read_errors, read_errors >> hours_since_last);
47688+ atomic_set_unchecked(&rdev->read_errors, read_errors >> hours_since_last);
47689 }
47690
47691 static int r10_sync_page_io(struct md_rdev *rdev, sector_t sector,
47692@@ -2359,8 +2359,8 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
47693 return;
47694
47695 check_decay_read_errors(mddev, rdev);
47696- atomic_inc(&rdev->read_errors);
47697- if (atomic_read(&rdev->read_errors) > max_read_errors) {
47698+ atomic_inc_unchecked(&rdev->read_errors);
47699+ if (atomic_read_unchecked(&rdev->read_errors) > max_read_errors) {
47700 char b[BDEVNAME_SIZE];
47701 bdevname(rdev->bdev, b);
47702
47703@@ -2368,7 +2368,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
47704 "md/raid10:%s: %s: Raid device exceeded "
47705 "read_error threshold [cur %d:max %d]\n",
47706 mdname(mddev), b,
47707- atomic_read(&rdev->read_errors), max_read_errors);
47708+ atomic_read_unchecked(&rdev->read_errors), max_read_errors);
47709 printk(KERN_NOTICE
47710 "md/raid10:%s: %s: Failing raid device\n",
47711 mdname(mddev), b);
47712@@ -2523,7 +2523,7 @@ static void fix_read_error(struct r10conf *conf, struct mddev *mddev, struct r10
47713 sect +
47714 choose_data_offset(r10_bio, rdev)),
47715 bdevname(rdev->bdev, b));
47716- atomic_add(s, &rdev->corrected_errors);
47717+ atomic_add_unchecked(s, &rdev->corrected_errors);
47718 }
47719
47720 rdev_dec_pending(rdev, mddev);
47721diff --git a/drivers/md/raid5.c b/drivers/md/raid5.c
47722index f757023..f958632 100644
47723--- a/drivers/md/raid5.c
47724+++ b/drivers/md/raid5.c
47725@@ -1119,23 +1119,23 @@ async_copy_data(int frombio, struct bio *bio, struct page **page,
47726 struct bio_vec bvl;
47727 struct bvec_iter iter;
47728 struct page *bio_page;
47729- int page_offset;
47730+ s64 page_offset;
47731 struct async_submit_ctl submit;
47732 enum async_tx_flags flags = 0;
47733
47734 if (bio->bi_iter.bi_sector >= sector)
47735- page_offset = (signed)(bio->bi_iter.bi_sector - sector) * 512;
47736+ page_offset = (s64)(bio->bi_iter.bi_sector - sector) * 512;
47737 else
47738- page_offset = (signed)(sector - bio->bi_iter.bi_sector) * -512;
47739+ page_offset = (s64)(sector - bio->bi_iter.bi_sector) * -512;
47740
47741 if (frombio)
47742 flags |= ASYNC_TX_FENCE;
47743 init_async_submit(&submit, flags, tx, NULL, NULL, NULL);
47744
47745 bio_for_each_segment(bvl, bio, iter) {
47746- int len = bvl.bv_len;
47747- int clen;
47748- int b_offset = 0;
47749+ s64 len = bvl.bv_len;
47750+ s64 clen;
47751+ s64 b_offset = 0;
47752
47753 if (page_offset < 0) {
47754 b_offset = -page_offset;
47755@@ -2028,6 +2028,10 @@ static int grow_one_stripe(struct r5conf *conf, gfp_t gfp)
47756 return 1;
47757 }
47758
47759+#ifdef CONFIG_GRKERNSEC_HIDESYM
47760+static atomic_unchecked_t raid5_cache_id = ATOMIC_INIT(0);
47761+#endif
47762+
47763 static int grow_stripes(struct r5conf *conf, int num)
47764 {
47765 struct kmem_cache *sc;
47766@@ -2038,7 +2042,11 @@ static int grow_stripes(struct r5conf *conf, int num)
47767 "raid%d-%s", conf->level, mdname(conf->mddev));
47768 else
47769 sprintf(conf->cache_name[0],
47770+#ifdef CONFIG_GRKERNSEC_HIDESYM
47771+ "raid%d-%08lx", conf->level, atomic_inc_return_unchecked(&raid5_cache_id));
47772+#else
47773 "raid%d-%p", conf->level, conf->mddev);
47774+#endif
47775 sprintf(conf->cache_name[1], "%s-alt", conf->cache_name[0]);
47776
47777 conf->active_name = 0;
47778@@ -2331,21 +2339,21 @@ static void raid5_end_read_request(struct bio * bi, int error)
47779 mdname(conf->mddev), STRIPE_SECTORS,
47780 (unsigned long long)s,
47781 bdevname(rdev->bdev, b));
47782- atomic_add(STRIPE_SECTORS, &rdev->corrected_errors);
47783+ atomic_add_unchecked(STRIPE_SECTORS, &rdev->corrected_errors);
47784 clear_bit(R5_ReadError, &sh->dev[i].flags);
47785 clear_bit(R5_ReWrite, &sh->dev[i].flags);
47786 } else if (test_bit(R5_ReadNoMerge, &sh->dev[i].flags))
47787 clear_bit(R5_ReadNoMerge, &sh->dev[i].flags);
47788
47789- if (atomic_read(&rdev->read_errors))
47790- atomic_set(&rdev->read_errors, 0);
47791+ if (atomic_read_unchecked(&rdev->read_errors))
47792+ atomic_set_unchecked(&rdev->read_errors, 0);
47793 } else {
47794 const char *bdn = bdevname(rdev->bdev, b);
47795 int retry = 0;
47796 int set_bad = 0;
47797
47798 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
47799- atomic_inc(&rdev->read_errors);
47800+ atomic_inc_unchecked(&rdev->read_errors);
47801 if (test_bit(R5_ReadRepl, &sh->dev[i].flags))
47802 printk_ratelimited(
47803 KERN_WARNING
47804@@ -2373,7 +2381,7 @@ static void raid5_end_read_request(struct bio * bi, int error)
47805 mdname(conf->mddev),
47806 (unsigned long long)s,
47807 bdn);
47808- } else if (atomic_read(&rdev->read_errors)
47809+ } else if (atomic_read_unchecked(&rdev->read_errors)
47810 > conf->max_nr_stripes)
47811 printk(KERN_WARNING
47812 "md/raid:%s: Too many read errors, failing device %s.\n",
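Review bot: In the CONFIG_GRKERNSEC_HIDESYM branch of grow_stripes the format is `%08lx` but the argument is the result of `atomic_inc_return_unchecked()`, which, if it returns int like `atomic_inc_return()`, does not match the `long` conversion. Either use `"raid%d-%08x"` or cast the argument: `"raid%d-%08lx", conf->level, (unsigned long)atomic_inc_return_unchecked(&raid5_cache_id));`. A one-line comment on `raid5_cache_id` saying it replaces the `%p` of `conf->mddev` so the cache name does not expose a kernel address would document why the counter exists. grow_stripes continues outside the hunk.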
47813diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c
47814index 13bb57f..0ca21b2 100644
47815--- a/drivers/media/dvb-core/dvbdev.c
47816+++ b/drivers/media/dvb-core/dvbdev.c
47817@@ -272,7 +272,7 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev,
47818 const struct dvb_device *template, void *priv, int type)
47819 {
47820 struct dvb_device *dvbdev;
47821- struct file_operations *dvbdevfops;
47822+ file_operations_no_const *dvbdevfops;
47823 struct device *clsdev;
47824 int minor;
47825 int id;
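--- a/drivers/media/dvb-frontends/af9033.h
+++ b/drivers/media/dvb-frontends/af9033.h
@@ -96,6 +96,6 @@ struct af9033_ops {
 int (*pid_filter_ctrl)(struct dvb_frontend *fe, int onoff);
 int (*pid_filter)(struct dvb_frontend *fe, int index, u16 pid,
 int onoff);
-};
+} __no_const;
 
 #endif /* AF9033_H */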
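Review bot: `__no_const` is added to `struct af9033_ops` with no comment on why the table has to stay writable, and the same bare annotation is applied to `dib_fe_xfer_ops`, `dib7000p_ops` and `dib8000_ops` in the following sections. For the dib7000p and dib8000 cases the visible prototypes (`dib7000p_attach(struct dib7000p_ops *ops)`, `dib8000_attach(struct dib8000_ops *ops)`) suggest the caller's structure is filled in at attach time; I would say so next to the annotation, e.g. `} __no_const; /* populated at attach time */`. Each exemption leaves a function-pointer table in writable memory, so it is worth being able to audit the reason later.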
47838diff --git a/drivers/media/dvb-frontends/dib3000.h b/drivers/media/dvb-frontends/dib3000.h
47839index 6ae9899..07d8543 100644
47840--- a/drivers/media/dvb-frontends/dib3000.h
47841+++ b/drivers/media/dvb-frontends/dib3000.h
47842@@ -39,7 +39,7 @@ struct dib_fe_xfer_ops
47843 int (*fifo_ctrl)(struct dvb_frontend *fe, int onoff);
47844 int (*pid_ctrl)(struct dvb_frontend *fe, int index, int pid, int onoff);
47845 int (*tuner_pass_ctrl)(struct dvb_frontend *fe, int onoff, u8 pll_ctrl);
47846-};
47847+} __no_const;
47848
47849 #if IS_REACHABLE(CONFIG_DVB_DIB3000MB)
47850 extern struct dvb_frontend* dib3000mb_attach(const struct dib3000_config* config,
47851diff --git a/drivers/media/dvb-frontends/dib7000p.h b/drivers/media/dvb-frontends/dib7000p.h
47852index baa2789..c8de7fe 100644
47853--- a/drivers/media/dvb-frontends/dib7000p.h
47854+++ b/drivers/media/dvb-frontends/dib7000p.h
47855@@ -64,7 +64,7 @@ struct dib7000p_ops {
47856 int (*get_adc_power)(struct dvb_frontend *fe);
47857 int (*slave_reset)(struct dvb_frontend *fe);
47858 struct dvb_frontend *(*init)(struct i2c_adapter *i2c_adap, u8 i2c_addr, struct dib7000p_config *cfg);
47859-};
47860+} __no_const;
47861
47862 #if IS_REACHABLE(CONFIG_DVB_DIB7000P)
47863 void *dib7000p_attach(struct dib7000p_ops *ops);
47864diff --git a/drivers/media/dvb-frontends/dib8000.h b/drivers/media/dvb-frontends/dib8000.h
47865index 2b8b4b1..8cef451 100644
47866--- a/drivers/media/dvb-frontends/dib8000.h
47867+++ b/drivers/media/dvb-frontends/dib8000.h
47868@@ -61,7 +61,7 @@ struct dib8000_ops {
47869 int (*pid_filter_ctrl)(struct dvb_frontend *fe, u8 onoff);
47870 int (*pid_filter)(struct dvb_frontend *fe, u8 id, u16 pid, u8 onoff);
47871 struct dvb_frontend *(*init)(struct i2c_adapter *i2c_adap, u8 i2c_addr, struct dib8000_config *cfg);
47872-};
47873+} __no_const;
47874
47875 #if IS_REACHABLE(CONFIG_DVB_DIB8000)
47876 void *dib8000_attach(struct dib8000_ops *ops);
47877diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c
47878index 400e5ca..f69f748 100644
47879--- a/drivers/media/pci/cx88/cx88-video.c
47880+++ b/drivers/media/pci/cx88/cx88-video.c
47881@@ -50,9 +50,9 @@ MODULE_VERSION(CX88_VERSION);
47882
47883 /* ------------------------------------------------------------------ */
47884
47885-static unsigned int video_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47886-static unsigned int vbi_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47887-static unsigned int radio_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47888+static int video_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47889+static int vbi_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47890+static int radio_nr[] = {[0 ... (CX88_MAXBOARDS - 1)] = UNSET };
47891
47892 module_param_array(video_nr, int, NULL, 0444);
47893 module_param_array(vbi_nr, int, NULL, 0444);
47894diff --git a/drivers/media/pci/ivtv/ivtv-driver.c b/drivers/media/pci/ivtv/ivtv-driver.c
47895index 8616fa8..e16eeaf 100644
47896--- a/drivers/media/pci/ivtv/ivtv-driver.c
47897+++ b/drivers/media/pci/ivtv/ivtv-driver.c
47898@@ -83,7 +83,7 @@ static struct pci_device_id ivtv_pci_tbl[] = {
47899 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
47900
47901 /* ivtv instance counter */
47902-static atomic_t ivtv_instance = ATOMIC_INIT(0);
47903+static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
47904
47905 /* Parameter declarations */
47906 static int cardtype[IVTV_MAX_CARDS];
47907diff --git a/drivers/media/pci/solo6x10/solo6x10-core.c b/drivers/media/pci/solo6x10/solo6x10-core.c
47908index 570d119..ed25830 100644
47909--- a/drivers/media/pci/solo6x10/solo6x10-core.c
47910+++ b/drivers/media/pci/solo6x10/solo6x10-core.c
47911@@ -424,7 +424,7 @@ static void solo_device_release(struct device *dev)
47912
47913 static int solo_sysfs_init(struct solo_dev *solo_dev)
47914 {
47915- struct bin_attribute *sdram_attr = &solo_dev->sdram_attr;
47916+ bin_attribute_no_const *sdram_attr = &solo_dev->sdram_attr;
47917 struct device *dev = &solo_dev->dev;
47918 const char *driver;
47919 int i;
47920diff --git a/drivers/media/pci/solo6x10/solo6x10-g723.c b/drivers/media/pci/solo6x10/solo6x10-g723.c
47921index 7ddc767..1c24361 100644
47922--- a/drivers/media/pci/solo6x10/solo6x10-g723.c
47923+++ b/drivers/media/pci/solo6x10/solo6x10-g723.c
47924@@ -351,7 +351,7 @@ static int solo_snd_pcm_init(struct solo_dev *solo_dev)
47925
47926 int solo_g723_init(struct solo_dev *solo_dev)
47927 {
47928- static struct snd_device_ops ops = { NULL };
47929+ static struct snd_device_ops ops = { };
47930 struct snd_card *card;
47931 struct snd_kcontrol_new kctl;
47932 char name[32];
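--- a/drivers/media/pci/solo6x10/solo6x10-p2m.c
+++ b/drivers/media/pci/solo6x10/solo6x10-p2m.c
@@ -73,7 +73,7 @@ int solo_p2m_dma_desc(struct solo_dev *solo_dev,
 
 /* Get next ID. According to Softlogic, 6110 has problems on !=0 P2M */
 if (solo_dev->type != SOLO_DEV_6110 && multi_p2m) {
- p2m_id = atomic_inc_return(&solo_dev->p2m_count) % SOLO_NR_P2M;
+ p2m_id = atomic_inc_return_unchecked(&solo_dev->p2m_count) % SOLO_NR_P2M;
 if (p2m_id < 0)
 p2m_id = -p2m_id;
 }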
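Review bot: With `p2m_count` now unchecked, the counter is allowed to wrap negative, which makes the `if (p2m_id < 0)` fix-up after the modulo part of normal operation rather than a corner case. Taking the remainder on an unsigned value, `p2m_id = (unsigned int)atomic_inc_return_unchecked(&solo_dev->p2m_count) % SOLO_NR_P2M;`, yields a non-negative index directly. The declaration of `p2m_id` is outside the hunk, so I am assuming it is a plain int.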
47946diff --git a/drivers/media/pci/solo6x10/solo6x10.h b/drivers/media/pci/solo6x10/solo6x10.h
47947index 1ca54b0..7d7cb9a 100644
47948--- a/drivers/media/pci/solo6x10/solo6x10.h
47949+++ b/drivers/media/pci/solo6x10/solo6x10.h
47950@@ -218,7 +218,7 @@ struct solo_dev {
47951
47952 /* P2M DMA Engine */
47953 struct solo_p2m_dev p2m_dev[SOLO_NR_P2M];
47954- atomic_t p2m_count;
47955+ atomic_unchecked_t p2m_count;
47956 int p2m_jiffies;
47957 unsigned int p2m_timeouts;
47958
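--- a/drivers/media/pci/tw68/tw68-core.c
+++ b/drivers/media/pci/tw68/tw68-core.c
@@ -60,7 +60,7 @@ static unsigned int card[] = {[0 ... (TW68_MAXBOARDS - 1)] = UNSET };
 module_param_array(card, int, NULL, 0444);
 MODULE_PARM_DESC(card, "card type");
 
-static atomic_t tw68_instance = ATOMIC_INIT(0);
+static atomic_unchecked_t tw68_instance = ATOMIC_INIT(0);
 
 /* ------------------------------------------------------------------ */
 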
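Review bot: The `card` array in this hunk's header is still declared `static unsigned int card[]` while the context line registers it with `module_param_array(card, int, NULL, 0444)`. cx88-video.c in this same patch changes `video_nr`, `vbi_nr` and `radio_nr` from `unsigned int` to `int` for exactly that pairing, so tw68 is left inconsistent. I would make it `static int card[] = {[0 ... (TW68_MAXBOARDS - 1)] = UNSET };`, provided the code that reads `card[]` outside this hunk does not rely on unsigned comparison.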
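--- a/drivers/media/platform/omap/omap_vout.c
+++ b/drivers/media/platform/omap/omap_vout.c
@@ -63,7 +63,6 @@ enum omap_vout_channels {
 OMAP_VIDEO2,
 };
 
-static struct videobuf_queue_ops video_vbq_ops;
 /* Variables configurable through module params*/
 static u32 video1_numbuffers = 3;
 static u32 video2_numbuffers = 3;
@@ -1008,6 +1007,12 @@ static int omap_vout_open(struct file *file)
 {
 struct videobuf_queue *q;
 struct omap_vout_device *vout = NULL;
+ static struct videobuf_queue_ops video_vbq_ops = {
+ .buf_setup = omap_vout_buffer_setup,
+ .buf_prepare = omap_vout_buffer_prepare,
+ .buf_release = omap_vout_buffer_release,
+ .buf_queue = omap_vout_buffer_queue,
+ };
 
 vout = video_drvdata(file);
 v4l2_dbg(1, debug, &vout->vid_dev->v4l2_dev, "Entering %s\n", __func__);
@@ -1025,10 +1030,6 @@ static int omap_vout_open(struct file *file)
 vout->type = V4L2_BUF_TYPE_VIDEO_OUTPUT;
 
 q = &vout->vbq;
- video_vbq_ops.buf_setup = omap_vout_buffer_setup;
- video_vbq_ops.buf_prepare = omap_vout_buffer_prepare;
- video_vbq_ops.buf_release = omap_vout_buffer_release;
- video_vbq_ops.buf_queue = omap_vout_buffer_queue;
 spin_lock_init(&vout->vbq_lock);
 
 videobuf_queue_dma_contig_init(q, &video_vbq_ops, q->dev,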
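Review bot: `video_vbq_ops` becomes a function-local `static` in omap_vout_open, initialised once instead of being written on every open, but it is not declared `const`. If `videobuf_queue_dma_contig_init()` takes a const ops pointer (its prototype is outside this patch section), `static const struct videobuf_queue_ops video_vbq_ops = {` would keep the callback table read-only without depending on the constify plugin. Placing it at file scope after the four `omap_vout_buffer_*` definitions would also be easier to find than a static buried in the open handler.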
48008diff --git a/drivers/media/platform/s5p-tv/mixer.h b/drivers/media/platform/s5p-tv/mixer.h
48009index fb2acc5..a2fcbdc4 100644
48010--- a/drivers/media/platform/s5p-tv/mixer.h
48011+++ b/drivers/media/platform/s5p-tv/mixer.h
48012@@ -156,7 +156,7 @@ struct mxr_layer {
48013 /** layer index (unique identifier) */
48014 int idx;
48015 /** callbacks for layer methods */
48016- struct mxr_layer_ops ops;
48017+ struct mxr_layer_ops *ops;
48018 /** format array */
48019 const struct mxr_format **fmt_array;
48020 /** size of format array */
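--- a/drivers/media/platform/s5p-tv/mixer_grp_layer.c
+++ b/drivers/media/platform/s5p-tv/mixer_grp_layer.c
@@ -235,7 +235,7 @@ struct mxr_layer *mxr_graph_layer_create(struct mxr_device *mdev, int idx)
 {
 struct mxr_layer *layer;
 int ret;
- struct mxr_layer_ops ops = {
+ static struct mxr_layer_ops ops = {
 .release = mxr_graph_layer_release,
 .buffer_set = mxr_graph_buffer_set,
 .stream_set = mxr_graph_stream_set,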
48034diff --git a/drivers/media/platform/s5p-tv/mixer_reg.c b/drivers/media/platform/s5p-tv/mixer_reg.c
48035index b713403..53cb5ad 100644
48036--- a/drivers/media/platform/s5p-tv/mixer_reg.c
48037+++ b/drivers/media/platform/s5p-tv/mixer_reg.c
48038@@ -276,7 +276,7 @@ static void mxr_irq_layer_handle(struct mxr_layer *layer)
48039 layer->update_buf = next;
48040 }
48041
48042- layer->ops.buffer_set(layer, layer->update_buf);
48043+ layer->ops->buffer_set(layer, layer->update_buf);
48044
48045 if (done && done != layer->shadow_buf)
48046 vb2_buffer_done(&done->vb, VB2_BUF_STATE_DONE);
48047diff --git a/drivers/media/platform/s5p-tv/mixer_video.c b/drivers/media/platform/s5p-tv/mixer_video.c
48048index 751f3b6..d829203 100644
48049--- a/drivers/media/platform/s5p-tv/mixer_video.c
48050+++ b/drivers/media/platform/s5p-tv/mixer_video.c
48051@@ -210,7 +210,7 @@ static void mxr_layer_default_geo(struct mxr_layer *layer)
48052 layer->geo.src.height = layer->geo.src.full_height;
48053
48054 mxr_geometry_dump(mdev, &layer->geo);
48055- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
48056+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
48057 mxr_geometry_dump(mdev, &layer->geo);
48058 }
48059
48060@@ -228,7 +228,7 @@ static void mxr_layer_update_output(struct mxr_layer *layer)
48061 layer->geo.dst.full_width = mbus_fmt.width;
48062 layer->geo.dst.full_height = mbus_fmt.height;
48063 layer->geo.dst.field = mbus_fmt.field;
48064- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
48065+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SINK, 0);
48066
48067 mxr_geometry_dump(mdev, &layer->geo);
48068 }
48069@@ -334,7 +334,7 @@ static int mxr_s_fmt(struct file *file, void *priv,
48070 /* set source size to highest accepted value */
48071 geo->src.full_width = max(geo->dst.full_width, pix->width);
48072 geo->src.full_height = max(geo->dst.full_height, pix->height);
48073- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
48074+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
48075 mxr_geometry_dump(mdev, &layer->geo);
48076 /* set cropping to total visible screen */
48077 geo->src.width = pix->width;
48078@@ -342,12 +342,12 @@ static int mxr_s_fmt(struct file *file, void *priv,
48079 geo->src.x_offset = 0;
48080 geo->src.y_offset = 0;
48081 /* assure consistency of geometry */
48082- layer->ops.fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET);
48083+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_CROP, MXR_NO_OFFSET);
48084 mxr_geometry_dump(mdev, &layer->geo);
48085 /* set full size to lowest possible value */
48086 geo->src.full_width = 0;
48087 geo->src.full_height = 0;
48088- layer->ops.fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
48089+ layer->ops->fix_geometry(layer, MXR_GEOMETRY_SOURCE, 0);
48090 mxr_geometry_dump(mdev, &layer->geo);
48091
48092 /* returning results */
48093@@ -474,7 +474,7 @@ static int mxr_s_selection(struct file *file, void *fh,
48094 target->width = s->r.width;
48095 target->height = s->r.height;
48096
48097- layer->ops.fix_geometry(layer, stage, s->flags);
48098+ layer->ops->fix_geometry(layer, stage, s->flags);
48099
48100 /* retrieve update selection rectangle */
48101 res.left = target->x_offset;
48102@@ -938,13 +938,13 @@ static int start_streaming(struct vb2_queue *vq, unsigned int count)
48103 mxr_output_get(mdev);
48104
48105 mxr_layer_update_output(layer);
48106- layer->ops.format_set(layer);
48107+ layer->ops->format_set(layer);
48108 /* enabling layer in hardware */
48109 spin_lock_irqsave(&layer->enq_slock, flags);
48110 layer->state = MXR_LAYER_STREAMING;
48111 spin_unlock_irqrestore(&layer->enq_slock, flags);
48112
48113- layer->ops.stream_set(layer, MXR_ENABLE);
48114+ layer->ops->stream_set(layer, MXR_ENABLE);
48115 mxr_streamer_get(mdev);
48116
48117 return 0;
48118@@ -1014,7 +1014,7 @@ static void stop_streaming(struct vb2_queue *vq)
48119 spin_unlock_irqrestore(&layer->enq_slock, flags);
48120
48121 /* disabling layer in hardware */
48122- layer->ops.stream_set(layer, MXR_DISABLE);
48123+ layer->ops->stream_set(layer, MXR_DISABLE);
48124 /* remove one streamer */
48125 mxr_streamer_put(mdev);
48126 /* allow changes in output configuration */
48127@@ -1052,8 +1052,8 @@ void mxr_base_layer_unregister(struct mxr_layer *layer)
48128
48129 void mxr_layer_release(struct mxr_layer *layer)
48130 {
48131- if (layer->ops.release)
48132- layer->ops.release(layer);
48133+ if (layer->ops->release)
48134+ layer->ops->release(layer);
48135 }
48136
48137 void mxr_base_layer_release(struct mxr_layer *layer)
48138@@ -1079,7 +1079,7 @@ struct mxr_layer *mxr_base_layer_create(struct mxr_device *mdev,
48139
48140 layer->mdev = mdev;
48141 layer->idx = idx;
48142- layer->ops = *ops;
48143+ layer->ops = ops;
48144
48145 spin_lock_init(&layer->enq_slock);
48146 INIT_LIST_HEAD(&layer->enq_list);
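Review bot: `layer->ops = ops;` in mxr_base_layer_create now keeps the caller's pointer instead of copying the structure, so the table must outlive the layer; passing a stack-allocated table would leave the layer with dangling function pointers. The two callers touched by this patch are made `static`, but nothing at this site states the requirement. I would add a comment above the assignment such as `/* ops is stored by reference: it must have static storage duration */`. The function starts and ends outside the hunk, so other callers cannot be checked from here.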
48147diff --git a/drivers/media/platform/s5p-tv/mixer_vp_layer.c b/drivers/media/platform/s5p-tv/mixer_vp_layer.c
48148index c9388c4..ce71ece 100644
48149--- a/drivers/media/platform/s5p-tv/mixer_vp_layer.c
48150+++ b/drivers/media/platform/s5p-tv/mixer_vp_layer.c
48151@@ -206,7 +206,7 @@ struct mxr_layer *mxr_vp_layer_create(struct mxr_device *mdev, int idx)
48152 {
48153 struct mxr_layer *layer;
48154 int ret;
48155- struct mxr_layer_ops ops = {
48156+ static struct mxr_layer_ops ops = {
48157 .release = mxr_vp_layer_release,
48158 .buffer_set = mxr_vp_buffer_set,
48159 .stream_set = mxr_vp_stream_set,
48160diff --git a/drivers/media/platform/vivid/vivid-osd.c b/drivers/media/platform/vivid/vivid-osd.c
48161index 084d346..e15eef6 100644
48162--- a/drivers/media/platform/vivid/vivid-osd.c
48163+++ b/drivers/media/platform/vivid/vivid-osd.c
48164@@ -85,6 +85,7 @@ static int vivid_fb_ioctl(struct fb_info *info, unsigned cmd, unsigned long arg)
48165 case FBIOGET_VBLANK: {
48166 struct fb_vblank vblank;
48167
48168+ memset(&vblank, 0, sizeof(vblank));
48169 vblank.flags = FB_VBLANK_HAVE_COUNT | FB_VBLANK_HAVE_VCOUNT |
48170 FB_VBLANK_HAVE_VSYNC;
48171 vblank.count = 0;
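Review bot: The added `memset(&vblank, 0, sizeof(vblank));` in the FBIOGET_VBLANK case has no comment saying why it is needed, and it looks redundant next to the field assignments that follow. Presumably the structure is copied to user space below the hunk, in which case the memset is what keeps unassigned fields and padding from carrying stale stack bytes. A one-line comment would protect it from being removed later: `/* clear padding and reserved fields before the struct is copied to user space */`.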
48172diff --git a/drivers/media/radio/radio-cadet.c b/drivers/media/radio/radio-cadet.c
48173index 82affae..42833ec 100644
48174--- a/drivers/media/radio/radio-cadet.c
48175+++ b/drivers/media/radio/radio-cadet.c
48176@@ -333,6 +333,8 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo
48177 unsigned char readbuf[RDS_BUFFER];
48178 int i = 0;
48179
48180+ if (count > RDS_BUFFER)
48181+ return -EFAULT;
48182 mutex_lock(&dev->lock);
48183 if (dev->rdsstat == 0)
48184 cadet_start_rds(dev);
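Review bot: The new guard in cadet_read, `if (count > RDS_BUFFER) return -EFAULT;`, turns any read with a buffer larger than RDS_BUFFER into a hard error, and -EFAULT reports a bad address although the user pointer has not been touched yet. Clamping keeps the bounds protection for `readbuf` and still gives the caller a short read: `count = min_t(size_t, count, RDS_BUFFER);`. With either form of the guard, the extra `i > sizeof(readbuf)` test added in the next hunk should be unreachable, so it is worth a comment marking it as defence in depth.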
48185@@ -349,8 +351,9 @@ static ssize_t cadet_read(struct file *file, char __user *data, size_t count, lo
48186 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
48187 mutex_unlock(&dev->lock);
48188
48189- if (i && copy_to_user(data, readbuf, i))
48190- return -EFAULT;
48191+ if (i > sizeof(readbuf) || (i && copy_to_user(data, readbuf, i)))
48192+ i = -EFAULT;
48193+
48194 return i;
48195 }
48196
48197diff --git a/drivers/media/radio/radio-maxiradio.c b/drivers/media/radio/radio-maxiradio.c
48198index 5236035..c622c74 100644
48199--- a/drivers/media/radio/radio-maxiradio.c
48200+++ b/drivers/media/radio/radio-maxiradio.c
48201@@ -61,7 +61,7 @@ MODULE_PARM_DESC(radio_nr, "Radio device number");
48202 /* TEA5757 pin mappings */
48203 static const int clk = 1, data = 2, wren = 4, mo_st = 8, power = 16;
48204
48205-static atomic_t maxiradio_instance = ATOMIC_INIT(0);
48206+static atomic_unchecked_t maxiradio_instance = ATOMIC_INIT(0);
48207
48208 #define PCI_VENDOR_ID_GUILLEMOT 0x5046
48209 #define PCI_DEVICE_ID_GUILLEMOT_MAXIRADIO 0x1001
48210diff --git a/drivers/media/radio/radio-shark.c b/drivers/media/radio/radio-shark.c
48211index 050b3bb..79f62b9 100644
48212--- a/drivers/media/radio/radio-shark.c
48213+++ b/drivers/media/radio/radio-shark.c
48214@@ -79,7 +79,7 @@ struct shark_device {
48215 u32 last_val;
48216 };
48217
48218-static atomic_t shark_instance = ATOMIC_INIT(0);
48219+static atomic_unchecked_t shark_instance = ATOMIC_INIT(0);
48220
48221 static void shark_write_val(struct snd_tea575x *tea, u32 val)
48222 {
48223diff --git a/drivers/media/radio/radio-shark2.c b/drivers/media/radio/radio-shark2.c
48224index 8654e0d..0608a64 100644
48225--- a/drivers/media/radio/radio-shark2.c
48226+++ b/drivers/media/radio/radio-shark2.c
48227@@ -74,7 +74,7 @@ struct shark_device {
48228 u8 *transfer_buffer;
48229 };
48230
48231-static atomic_t shark_instance = ATOMIC_INIT(0);
48232+static atomic_unchecked_t shark_instance = ATOMIC_INIT(0);
48233
48234 static int shark_write_reg(struct radio_tea5777 *tea, u64 reg)
48235 {
48236diff --git a/drivers/media/radio/radio-si476x.c b/drivers/media/radio/radio-si476x.c
48237index 9cbb8cd..2bf2ff3 100644
48238--- a/drivers/media/radio/radio-si476x.c
48239+++ b/drivers/media/radio/radio-si476x.c
48240@@ -1445,7 +1445,7 @@ static int si476x_radio_probe(struct platform_device *pdev)
48241 struct si476x_radio *radio;
48242 struct v4l2_ctrl *ctrl;
48243
48244- static atomic_t instance = ATOMIC_INIT(0);
48245+ static atomic_unchecked_t instance = ATOMIC_INIT(0);
48246
48247 radio = devm_kzalloc(&pdev->dev, sizeof(*radio), GFP_KERNEL);
48248 if (!radio)
48249diff --git a/drivers/media/radio/wl128x/fmdrv_common.c b/drivers/media/radio/wl128x/fmdrv_common.c
48250index 704397f..4d05977 100644
48251--- a/drivers/media/radio/wl128x/fmdrv_common.c
48252+++ b/drivers/media/radio/wl128x/fmdrv_common.c
48253@@ -71,7 +71,7 @@ module_param(default_rds_buf, uint, 0444);
48254 MODULE_PARM_DESC(rds_buf, "RDS buffer entries");
48255
48256 /* Radio Nr */
48257-static u32 radio_nr = -1;
48258+static int radio_nr = -1;
48259 module_param(radio_nr, int, 0444);
48260 MODULE_PARM_DESC(radio_nr, "Radio Nr");
48261
48262diff --git a/drivers/media/usb/dvb-usb/cinergyT2-core.c b/drivers/media/usb/dvb-usb/cinergyT2-core.c
48263index 9fd1527..8927230 100644
48264--- a/drivers/media/usb/dvb-usb/cinergyT2-core.c
48265+++ b/drivers/media/usb/dvb-usb/cinergyT2-core.c
48266@@ -50,29 +50,73 @@ static struct dvb_usb_device_properties cinergyt2_properties;
48267
48268 static int cinergyt2_streaming_ctrl(struct dvb_usb_adapter *adap, int enable)
48269 {
48270- char buf[] = { CINERGYT2_EP1_CONTROL_STREAM_TRANSFER, enable ? 1 : 0 };
48271- char result[64];
48272- return dvb_usb_generic_rw(adap->dev, buf, sizeof(buf), result,
48273- sizeof(result), 0);
48274+ char *buf;
48275+ char *result;
48276+ int retval;
48277+
48278+ buf = kmalloc(2, GFP_KERNEL);
48279+ if (buf == NULL)
48280+ return -ENOMEM;
48281+ result = kmalloc(64, GFP_KERNEL);
48282+ if (result == NULL) {
48283+ kfree(buf);
48284+ return -ENOMEM;
48285+ }
48286+
48287+ buf[0] = CINERGYT2_EP1_CONTROL_STREAM_TRANSFER;
48288+ buf[1] = enable ? 1 : 0;
48289+
48290+ retval = dvb_usb_generic_rw(adap->dev, buf, 2, result, 64, 0);
48291+
48292+ kfree(buf);
48293+ kfree(result);
48294+ return retval;
48295 }
48296
48297 static int cinergyt2_power_ctrl(struct dvb_usb_device *d, int enable)
48298 {
48299- char buf[] = { CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 };
48300- char state[3];
48301- return dvb_usb_generic_rw(d, buf, sizeof(buf), state, sizeof(state), 0);
48302+ char *buf;
48303+ char *state;
48304+ int retval;
48305+
48306+ buf = kmalloc(2, GFP_KERNEL);
48307+ if (buf == NULL)
48308+ return -ENOMEM;
48309+ state = kmalloc(3, GFP_KERNEL);
48310+ if (state == NULL) {
48311+ kfree(buf);
48312+ return -ENOMEM;
48313+ }
48314+
48315+ buf[0] = CINERGYT2_EP1_SLEEP_MODE;
48316+ buf[1] = enable ? 1 : 0;
48317+
48318+ retval = dvb_usb_generic_rw(d, buf, 2, state, 3, 0);
48319+
48320+ kfree(buf);
48321+ kfree(state);
48322+ return retval;
48323 }
48324
48325 static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
48326 {
48327- char query[] = { CINERGYT2_EP1_GET_FIRMWARE_VERSION };
48328- char state[3];
48329+ char *query;
48330+ char *state;
48331 int ret;
48332+ query = kmalloc(1, GFP_KERNEL);
48333+ if (query == NULL)
48334+ return -ENOMEM;
48335+ state = kmalloc(3, GFP_KERNEL);
48336+ if (state == NULL) {
48337+ kfree(query);
48338+ return -ENOMEM;
48339+ }
48340+
48341+ query[0] = CINERGYT2_EP1_GET_FIRMWARE_VERSION;
48342
48343 adap->fe_adap[0].fe = cinergyt2_fe_attach(adap->dev);
48344
48345- ret = dvb_usb_generic_rw(adap->dev, query, sizeof(query), state,
48346- sizeof(state), 0);
48347+ ret = dvb_usb_generic_rw(adap->dev, query, 1, state, 3, 0);
48348 if (ret < 0) {
48349 deb_rc("cinergyt2_power_ctrl() Failed to retrieve sleep "
48350 "state info\n");
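Review bot: In cinergyt2_power_ctrl the converted assignment `buf[1] = enable ? 1 : 0;` has the opposite sense of the removed initialiser `{ CINERGYT2_EP1_SLEEP_MODE, enable ? 0 : 1 }`, so the sleep-mode byte sent to the device is inverted by what is meant to be a pure stack-to-heap conversion. It should read `buf[1] = enable ? 0 : 1;`. The neighbouring cinergyt2_streaming_ctrl keeps its original `enable ? 1 : 0`, which suggests a copy-and-paste slip. cinergyt2_frontend_attach continues past the end of this hunk.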
48351@@ -80,7 +124,8 @@ static int cinergyt2_frontend_attach(struct dvb_usb_adapter *adap)
48352
48353 /* Copy this pointer as we are gonna need it in the release phase */
48354 cinergyt2_usb_device = adap->dev;
48355-
48356+ kfree(query);
48357+ kfree(state);
48358 return 0;
48359 }
48360
48361@@ -141,12 +186,23 @@ static int repeatable_keys[] = {
48362 static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
48363 {
48364 struct cinergyt2_state *st = d->priv;
48365- u8 key[5] = {0, 0, 0, 0, 0}, cmd = CINERGYT2_EP1_GET_RC_EVENTS;
48366+ u8 *key, *cmd;
48367 int i;
48368
48369+ cmd = kmalloc(1, GFP_KERNEL);
48370+ if (cmd == NULL)
48371+ return -EINVAL;
48372+ key = kzalloc(5, GFP_KERNEL);
48373+ if (key == NULL) {
48374+ kfree(cmd);
48375+ return -EINVAL;
48376+ }
48377+
48378+ cmd[0] = CINERGYT2_EP1_GET_RC_EVENTS;
48379+
48380 *state = REMOTE_NO_KEY_PRESSED;
48381
48382- dvb_usb_generic_rw(d, &cmd, 1, key, sizeof(key), 0);
48383+ dvb_usb_generic_rw(d, cmd, 1, key, 5, 0);
48384 if (key[4] == 0xff) {
48385 /* key repeat */
48386 st->rc_counter++;
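Review bot: Both allocation-failure paths added to cinergyt2_rc_query return -EINVAL, while every other conversion in this file and in cinergyT2-fe.c returns -ENOMEM for the same condition. I would use `return -ENOMEM;` after the failed `kmalloc(1, GFP_KERNEL)` and after the failed `kzalloc(5, GFP_KERNEL)`, so callers and logs can tell memory pressure from a bad argument. The return value of dvb_usb_generic_rw is still ignored here, as before the change; the function body continues outside the hunk.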
48387@@ -157,12 +213,12 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
48388 *event = d->last_event;
48389 deb_rc("repeat key, event %x\n",
48390 *event);
48391- return 0;
48392+ goto out;
48393 }
48394 }
48395 deb_rc("repeated key (non repeatable)\n");
48396 }
48397- return 0;
48398+ goto out;
48399 }
48400
48401 /* hack to pass checksum on the custom field */
48402@@ -174,6 +230,9 @@ static int cinergyt2_rc_query(struct dvb_usb_device *d, u32 *event, int *state)
48403
48404 deb_rc("key: %*ph\n", 5, key);
48405 }
48406+out:
48407+ kfree(cmd);
48408+ kfree(key);
48409 return 0;
48410 }
48411
48412diff --git a/drivers/media/usb/dvb-usb/cinergyT2-fe.c b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
48413index b3ec743..9c0e418 100644
48414--- a/drivers/media/usb/dvb-usb/cinergyT2-fe.c
48415+++ b/drivers/media/usb/dvb-usb/cinergyT2-fe.c
48416@@ -145,103 +145,176 @@ static int cinergyt2_fe_read_status(struct dvb_frontend *fe,
48417 enum fe_status *status)
48418 {
48419 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48420- struct dvbt_get_status_msg result;
48421- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48422+ struct dvbt_get_status_msg *result;
48423+ u8 *cmd;
48424 int ret;
48425
48426- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&result,
48427- sizeof(result), 0);
48428+ cmd = kmalloc(1, GFP_KERNEL);
48429+ if (cmd == NULL)
48430+ return -ENOMEM;
48431+ result = kmalloc(sizeof(*result), GFP_KERNEL);
48432+ if (result == NULL) {
48433+ kfree(cmd);
48434+ return -ENOMEM;
48435+ }
48436+
48437+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48438+
48439+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)result,
48440+ sizeof(*result), 0);
48441 if (ret < 0)
48442- return ret;
48443+ goto out;
48444
48445 *status = 0;
48446
48447- if (0xffff - le16_to_cpu(result.gain) > 30)
48448+ if (0xffff - le16_to_cpu(result->gain) > 30)
48449 *status |= FE_HAS_SIGNAL;
48450- if (result.lock_bits & (1 << 6))
48451+ if (result->lock_bits & (1 << 6))
48452 *status |= FE_HAS_LOCK;
48453- if (result.lock_bits & (1 << 5))
48454+ if (result->lock_bits & (1 << 5))
48455 *status |= FE_HAS_SYNC;
48456- if (result.lock_bits & (1 << 4))
48457+ if (result->lock_bits & (1 << 4))
48458 *status |= FE_HAS_CARRIER;
48459- if (result.lock_bits & (1 << 1))
48460+ if (result->lock_bits & (1 << 1))
48461 *status |= FE_HAS_VITERBI;
48462
48463 if ((*status & (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC)) !=
48464 (FE_HAS_CARRIER | FE_HAS_VITERBI | FE_HAS_SYNC))
48465 *status &= ~FE_HAS_LOCK;
48466
48467- return 0;
48468+out:
48469+ kfree(cmd);
48470+ kfree(result);
48471+ return ret;
48472 }
48473
48474 static int cinergyt2_fe_read_ber(struct dvb_frontend *fe, u32 *ber)
48475 {
48476 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48477- struct dvbt_get_status_msg status;
48478- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48479+ struct dvbt_get_status_msg *status;
48480+ char *cmd;
48481 int ret;
48482
48483- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
48484- sizeof(status), 0);
48485+ cmd = kmalloc(1, GFP_KERNEL);
48486+ if (cmd == NULL)
48487+ return -ENOMEM;
48488+ status = kmalloc(sizeof(*status), GFP_KERNEL);
48489+ if (status == NULL) {
48490+ kfree(cmd);
48491+ return -ENOMEM;
48492+ }
48493+
48494+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48495+
48496+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
48497+ sizeof(*status), 0);
48498 if (ret < 0)
48499- return ret;
48500+ goto out;
48501
48502- *ber = le32_to_cpu(status.viterbi_error_rate);
48503+ *ber = le32_to_cpu(status->viterbi_error_rate);
48504+out:
48505+ kfree(cmd);
48506+ kfree(status);
48507 return 0;
48508 }
48509
48510 static int cinergyt2_fe_read_unc_blocks(struct dvb_frontend *fe, u32 *unc)
48511 {
48512 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48513- struct dvbt_get_status_msg status;
48514- u8 cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48515+ struct dvbt_get_status_msg *status;
48516+ u8 *cmd;
48517 int ret;
48518
48519- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (u8 *)&status,
48520- sizeof(status), 0);
48521+ cmd = kmalloc(1, GFP_KERNEL);
48522+ if (cmd == NULL)
48523+ return -ENOMEM;
48524+ status = kmalloc(sizeof(*status), GFP_KERNEL);
48525+ if (status == NULL) {
48526+ kfree(cmd);
48527+ return -ENOMEM;
48528+ }
48529+
48530+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48531+
48532+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (u8 *)status,
48533+ sizeof(*status), 0);
48534 if (ret < 0) {
48535 err("cinergyt2_fe_read_unc_blocks() Failed! (Error=%d)\n",
48536 ret);
48537- return ret;
48538+ goto out;
48539 }
48540- *unc = le32_to_cpu(status.uncorrected_block_count);
48541- return 0;
48542+ *unc = le32_to_cpu(status->uncorrected_block_count);
48543+
48544+out:
48545+ kfree(cmd);
48546+ kfree(status);
48547+ return ret;
48548 }
48549
48550 static int cinergyt2_fe_read_signal_strength(struct dvb_frontend *fe,
48551 u16 *strength)
48552 {
48553 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48554- struct dvbt_get_status_msg status;
48555- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48556+ struct dvbt_get_status_msg *status;
48557+ char *cmd;
48558 int ret;
48559
48560- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
48561- sizeof(status), 0);
48562+ cmd = kmalloc(1, GFP_KERNEL);
48563+ if (cmd == NULL)
48564+ return -ENOMEM;
48565+ status = kmalloc(sizeof(*status), GFP_KERNEL);
48566+ if (status == NULL) {
48567+ kfree(cmd);
48568+ return -ENOMEM;
48569+ }
48570+
48571+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48572+
48573+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
48574+ sizeof(*status), 0);
48575 if (ret < 0) {
48576 err("cinergyt2_fe_read_signal_strength() Failed!"
48577 " (Error=%d)\n", ret);
48578- return ret;
48579+ goto out;
48580 }
48581- *strength = (0xffff - le16_to_cpu(status.gain));
48582+ *strength = (0xffff - le16_to_cpu(status->gain));
48583+
48584+out:
48585+ kfree(cmd);
48586+ kfree(status);
48587 return 0;
48588 }
48589
48590 static int cinergyt2_fe_read_snr(struct dvb_frontend *fe, u16 *snr)
48591 {
48592 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48593- struct dvbt_get_status_msg status;
48594- char cmd[] = { CINERGYT2_EP1_GET_TUNER_STATUS };
48595+ struct dvbt_get_status_msg *status;
48596+ char *cmd;
48597 int ret;
48598
48599- ret = dvb_usb_generic_rw(state->d, cmd, sizeof(cmd), (char *)&status,
48600- sizeof(status), 0);
48601+ cmd = kmalloc(1, GFP_KERNEL);
48602+ if (cmd == NULL)
48603+ return -ENOMEM;
48604+ status = kmalloc(sizeof(*status), GFP_KERNEL);
48605+ if (status == NULL) {
48606+ kfree(cmd);
48607+ return -ENOMEM;
48608+ }
48609+
48610+ cmd[0] = CINERGYT2_EP1_GET_TUNER_STATUS;
48611+
48612+ ret = dvb_usb_generic_rw(state->d, cmd, 1, (char *)status,
48613+ sizeof(*status), 0);
48614 if (ret < 0) {
48615 err("cinergyt2_fe_read_snr() Failed! (Error=%d)\n", ret);
48616- return ret;
48617+ goto out;
48618 }
48619- *snr = (status.snr << 8) | status.snr;
48620- return 0;
48621+ *snr = (status->snr << 8) | status->snr;
48622+
48623+out:
48624+ kfree(cmd);
48625+ kfree(status);
48626+ return ret;
48627 }
48628
48629 static int cinergyt2_fe_init(struct dvb_frontend *fe)
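Review bot: cinergyt2_fe_read_ber and cinergyt2_fe_read_signal_strength now reach `out:` through `goto out` on failure but still end in `return 0;`, so an error from dvb_usb_generic_rw is reported as success and `*ber` / `*strength` are left unwritten. The removed code returned `ret` on that path. Both functions should end in `return ret;` after the two kfree calls, as cinergyt2_fe_read_status, cinergyt2_fe_read_unc_blocks and cinergyt2_fe_read_snr in the same hunk already do.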
48630@@ -266,35 +339,46 @@ static int cinergyt2_fe_set_frontend(struct dvb_frontend *fe)
48631 {
48632 struct dtv_frontend_properties *fep = &fe->dtv_property_cache;
48633 struct cinergyt2_fe_state *state = fe->demodulator_priv;
48634- struct dvbt_set_parameters_msg param;
48635- char result[2];
48636+ struct dvbt_set_parameters_msg *param;
48637+ char *result;
48638 int err;
48639
48640- param.cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
48641- param.tps = cpu_to_le16(compute_tps(fep));
48642- param.freq = cpu_to_le32(fep->frequency / 1000);
48643- param.flags = 0;
48644+ result = kmalloc(2, GFP_KERNEL);
48645+ if (result == NULL)
48646+ return -ENOMEM;
48647+ param = kmalloc(sizeof(*param), GFP_KERNEL);
48648+ if (param == NULL) {
48649+ kfree(result);
48650+ return -ENOMEM;
48651+ }
48652+
48653+ param->cmd = CINERGYT2_EP1_SET_TUNER_PARAMETERS;
48654+ param->tps = cpu_to_le16(compute_tps(fep));
48655+ param->freq = cpu_to_le32(fep->frequency / 1000);
48656+ param->flags = 0;
48657
48658 switch (fep->bandwidth_hz) {
48659 default:
48660 case 8000000:
48661- param.bandwidth = 8;
48662+ param->bandwidth = 8;
48663 break;
48664 case 7000000:
48665- param.bandwidth = 7;
48666+ param->bandwidth = 7;
48667 break;
48668 case 6000000:
48669- param.bandwidth = 6;
48670+ param->bandwidth = 6;
48671 break;
48672 }
48673
48674 err = dvb_usb_generic_rw(state->d,
48675- (char *)&param, sizeof(param),
48676- result, sizeof(result), 0);
48677+ (char *)param, sizeof(*param),
48678+ result, 2, 0);
48679 if (err < 0)
48680 err("cinergyt2_fe_set_frontend() Failed! err=%d\n", err);
48681
48682- return (err < 0) ? err : 0;
48683+ kfree(result);
48684+ kfree(param);
48685+ return err;
48686 }
48687
48688 static void cinergyt2_fe_release(struct dvb_frontend *fe)
48689diff --git a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
48690index 733a7ff..f8b52e3 100644
48691--- a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
48692+++ b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
48693@@ -35,42 +35,57 @@ static int usb_cypress_writemem(struct usb_device *udev,u16 addr,u8 *data, u8 le
48694
48695 int usb_cypress_load_firmware(struct usb_device *udev, const struct firmware *fw, int type)
48696 {
48697- struct hexline hx;
48698- u8 reset;
48699+ struct hexline *hx;
48700+ u8 *reset;
48701 int ret,pos=0;
48702
48703+ reset = kmalloc(1, GFP_KERNEL);
48704+ if (reset == NULL)
48705+ return -ENOMEM;
48706+
48707+ hx = kmalloc(sizeof(struct hexline), GFP_KERNEL);
48708+ if (hx == NULL) {
48709+ kfree(reset);
48710+ return -ENOMEM;
48711+ }
48712+
48713 /* stop the CPU */
48714- reset = 1;
48715- if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1)) != 1)
48716+ reset[0] = 1;
48717+ if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,reset,1)) != 1)
48718 err("could not stop the USB controller CPU.");
48719
48720- while ((ret = dvb_usb_get_hexline(fw,&hx,&pos)) > 0) {
48721- deb_fw("writing to address 0x%04x (buffer: 0x%02x %02x)\n",hx.addr,hx.len,hx.chk);
48722- ret = usb_cypress_writemem(udev,hx.addr,hx.data,hx.len);
48723+ while ((ret = dvb_usb_get_hexline(fw,hx,&pos)) > 0) {
48724+ deb_fw("writing to address 0x%04x (buffer: 0x%02x %02x)\n",hx->addr,hx->len,hx->chk);
48725+ ret = usb_cypress_writemem(udev,hx->addr,hx->data,hx->len);
48726
48727- if (ret != hx.len) {
48728+ if (ret != hx->len) {
48729 err("error while transferring firmware "
48730 "(transferred size: %d, block size: %d)",
48731- ret,hx.len);
48732+ ret,hx->len);
48733 ret = -EINVAL;
48734 break;
48735 }
48736 }
48737 if (ret < 0) {
48738 err("firmware download failed at %d with %d",pos,ret);
48739+ kfree(reset);
48740+ kfree(hx);
48741 return ret;
48742 }
48743
48744 if (ret == 0) {
48745 /* restart the CPU */
48746- reset = 0;
48747- if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1) != 1) {
48748+ reset[0] = 0;
48749+ if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,reset,1) != 1) {
48750 err("could not restart the USB controller CPU.");
48751 ret = -EINVAL;
48752 }
48753 } else
48754 ret = -EIO;
48755
48756+ kfree(reset);
48757+ kfree(hx);
48758+
48759 return ret;
48760 }
48761 EXPORT_SYMBOL(usb_cypress_load_firmware);
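Review bot: In usb_cypress_load_firmware the buffer is sized with `kmalloc(sizeof(struct hexline), GFP_KERNEL)`, whereas the cinergyT2-fe.c conversions in the same patch use the `sizeof(*ptr)` form; `hx = kmalloc(sizeof(*hx), GFP_KERNEL);` keeps the size tied to the variable. The `kfree(reset); kfree(hx);` pair is also repeated on the download-failure return and at the end. A single `out:` label before the final pair, reached with `goto out;` from the failure branch, would leave one place to maintain.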
48762diff --git a/drivers/media/usb/dvb-usb/technisat-usb2.c b/drivers/media/usb/dvb-usb/technisat-usb2.c
48763index 03f334d..0986492 100644
48764--- a/drivers/media/usb/dvb-usb/technisat-usb2.c
48765+++ b/drivers/media/usb/dvb-usb/technisat-usb2.c
48766@@ -87,8 +87,11 @@ struct technisat_usb2_state {
48767 static int technisat_usb2_i2c_access(struct usb_device *udev,
48768 u8 device_addr, u8 *tx, u8 txlen, u8 *rx, u8 rxlen)
48769 {
48770- u8 b[64];
48771- int ret, actual_length;
48772+ u8 *b = kmalloc(64, GFP_KERNEL);
48773+ int ret, actual_length, error = 0;
48774+
48775+ if (b == NULL)
48776+ return -ENOMEM;
48777
48778 deb_i2c("i2c-access: %02x, tx: ", device_addr);
48779 debug_dump(tx, txlen, deb_i2c);
48780@@ -121,7 +124,8 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48781
48782 if (ret < 0) {
48783 err("i2c-error: out failed %02x = %d", device_addr, ret);
48784- return -ENODEV;
48785+ error = -ENODEV;
48786+ goto out;
48787 }
48788
48789 ret = usb_bulk_msg(udev,
48790@@ -129,7 +133,8 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48791 b, 64, &actual_length, 1000);
48792 if (ret < 0) {
48793 err("i2c-error: in failed %02x = %d", device_addr, ret);
48794- return -ENODEV;
48795+ error = -ENODEV;
48796+ goto out;
48797 }
48798
48799 if (b[0] != I2C_STATUS_OK) {
48800@@ -137,8 +142,10 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48801 /* handle tuner-i2c-nak */
48802 if (!(b[0] == I2C_STATUS_NAK &&
48803 device_addr == 0x60
48804- /* && device_is_technisat_usb2 */))
48805- return -ENODEV;
48806+ /* && device_is_technisat_usb2 */)) {
48807+ error = -ENODEV;
48808+ goto out;
48809+ }
48810 }
48811
48812 deb_i2c("status: %d, ", b[0]);
48813@@ -152,7 +159,9 @@ static int technisat_usb2_i2c_access(struct usb_device *udev,
48814
48815 deb_i2c("\n");
48816
48817- return 0;
48818+out:
48819+ kfree(b);
48820+ return error;
48821 }
48822
48823 static int technisat_usb2_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg *msg,
48824@@ -224,14 +233,16 @@ static int technisat_usb2_set_led(struct dvb_usb_device *d, int red, enum techni
48825 {
48826 int ret;
48827
48828- u8 led[8] = {
48829- red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST,
48830- 0
48831- };
48832+ u8 *led = kzalloc(8, GFP_KERNEL);
48833+
48834+ if (led == NULL)
48835+ return -ENOMEM;
48836
48837 if (disable_led_control && state != TECH_LED_OFF)
48838 return 0;
48839
48840+ led[0] = red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST;
48841+
48842 switch (state) {
48843 case TECH_LED_ON:
48844 led[1] = 0x82;
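Review bot: technisat_usb2_set_led now allocates `led` with kzalloc before the check `if (disable_led_control && state != TECH_LED_OFF) return 0;`, so those 8 bytes leak on every call that takes the early return. Allocating after the check avoids it: declare `u8 *led;` and move `led = kzalloc(8, GFP_KERNEL);` together with its NULL test below the early return. The lines between this hunk and the next are not shown; any return there, for example on a failed lock, needs a `kfree(led);` as well.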
48845@@ -263,16 +274,22 @@ static int technisat_usb2_set_led(struct dvb_usb_device *d, int red, enum techni
48846 red ? SET_RED_LED_VENDOR_REQUEST : SET_GREEN_LED_VENDOR_REQUEST,
48847 USB_TYPE_VENDOR | USB_DIR_OUT,
48848 0, 0,
48849- led, sizeof(led), 500);
48850+ led, 8, 500);
48851
48852 mutex_unlock(&d->i2c_mutex);
48853+
48854+ kfree(led);
48855+
48856 return ret;
48857 }
48858
48859 static int technisat_usb2_set_led_timer(struct dvb_usb_device *d, u8 red, u8 green)
48860 {
48861 int ret;
48862- u8 b = 0;
48863+ u8 *b = kzalloc(1, GFP_KERNEL);
48864+
48865+ if (b == NULL)
48866+ return -ENOMEM;
48867
48868 if (mutex_lock_interruptible(&d->i2c_mutex) < 0)
48869 return -EAGAIN;
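Review bot: In technisat_usb2_set_led_timer the buffer `b` is allocated before `if (mutex_lock_interruptible(&d->i2c_mutex) < 0) return -EAGAIN;`, and that return does not free it, so each interrupted lock attempt leaks one allocation. The branch should become `{ kfree(b); return -EAGAIN; }`, or the allocation should move after the lock is taken. The body of the function continues in the next hunk, where the normal path does call `kfree(b);`.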
48870@@ -281,10 +298,12 @@ static int technisat_usb2_set_led_timer(struct dvb_usb_device *d, u8 red, u8 gre
48871 SET_LED_TIMER_DIVIDER_VENDOR_REQUEST,
48872 USB_TYPE_VENDOR | USB_DIR_OUT,
48873 (red << 8) | green, 0,
48874- &b, 1, 500);
48875+ b, 1, 500);
48876
48877 mutex_unlock(&d->i2c_mutex);
48878
48879+ kfree(b);
48880+
48881 return ret;
48882 }
48883
48884@@ -328,7 +347,7 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
48885 struct dvb_usb_device_description **desc, int *cold)
48886 {
48887 int ret;
48888- u8 version[3];
48889+ u8 *version = kmalloc(3, GFP_KERNEL);
48890
48891 /* first select the interface */
48892 if (usb_set_interface(udev, 0, 1) != 0)
48893@@ -338,11 +357,14 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
48894
48895 *cold = 0; /* by default do not download a firmware - just in case something is wrong */
48896
48897+ if (version == NULL)
48898+ return 0;
48899+
48900 ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
48901 GET_VERSION_INFO_VENDOR_REQUEST,
48902 USB_TYPE_VENDOR | USB_DIR_IN,
48903 0, 0,
48904- version, sizeof(version), 500);
48905+ version, 3, 500);
48906
48907 if (ret < 0)
48908 *cold = 1;
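Review bot: When `kmalloc(3, GFP_KERNEL)` fails, technisat_usb2_identify_state executes `if (version == NULL) return 0;` after setting `*cold = 0`, so the caller is told the device was identified as warm although the version query was never sent. I would report the failure with `return -ENOMEM;`. That assumes the dvb-usb core propagates a negative return from identify_state, which is not visible in this patch. The function starts in the previous hunk and ends in the next one.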
48909@@ -351,6 +373,8 @@ static int technisat_usb2_identify_state(struct usb_device *udev,
48910 *cold = 0;
48911 }
48912
48913+ kfree(version);
48914+
48915 return 0;
48916 }
48917
48918@@ -594,10 +618,15 @@ static int technisat_usb2_frontend_attach(struct dvb_usb_adapter *a)
48919
48920 static int technisat_usb2_get_ir(struct dvb_usb_device *d)
48921 {
48922- u8 buf[62], *b;
48923+ u8 *buf, *b;
48924 int ret;
48925 struct ir_raw_event ev;
48926
48927+ buf = kmalloc(62, GFP_KERNEL);
48928+
48929+ if (buf == NULL)
48930+ return -ENOMEM;
48931+
48932 buf[0] = GET_IR_DATA_VENDOR_REQUEST;
48933 buf[1] = 0x08;
48934 buf[2] = 0x8f;
48935@@ -620,16 +649,20 @@ static int technisat_usb2_get_ir(struct dvb_usb_device *d)
48936 GET_IR_DATA_VENDOR_REQUEST,
48937 USB_TYPE_VENDOR | USB_DIR_IN,
48938 0x8080, 0,
48939- buf, sizeof(buf), 500);
48940+ buf, 62, 500);
48941
48942 unlock:
48943 mutex_unlock(&d->i2c_mutex);
48944
48945- if (ret < 0)
48946+ if (ret < 0) {
48947+ kfree(buf);
48948 return ret;
48949+ }
48950
48951- if (ret == 1)
48952+ if (ret == 1) {
48953+ kfree(buf);
48954 return 0; /* no key pressed */
48955+ }
48956
48957 /* decoding */
48958 b = buf+1;
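Review bot: technisat_usb2_get_ir now frees `buf` at three separate exits, the two added here and the one in the final hunk, which makes a missed path easy to introduce. The lines between the allocation hunk and the existing `unlock:` label are not shown; any return there that does not go through the label would leak the 62-byte buffer. A single exit is easier to audit: set `ret` on each path and finish with `out: kfree(buf); return ret;`. The decoding loop and the end of the function lie outside this hunk.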
48959@@ -656,6 +689,8 @@ unlock:
48960
48961 ir_raw_event_handle(d->rc_dev);
48962
48963+ kfree(buf);
48964+
48965 return 1;
48966 }
48967
48968diff --git a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
48969index af63543..0436f20 100644
48970--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
48971+++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c
48972@@ -429,7 +429,7 @@ static int get_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
48973 * by passing a very big num_planes value */
48974 uplane = compat_alloc_user_space(num_planes *
48975 sizeof(struct v4l2_plane));
48976- kp->m.planes = (__force struct v4l2_plane *)uplane;
48977+ kp->m.planes = (__force_kernel struct v4l2_plane *)uplane;
48978
48979 while (--num_planes >= 0) {
48980 ret = get_v4l2_plane32(uplane, uplane32, kp->memory);
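Review bot: The casts in this file are written two different ways, `(__force_kernel struct v4l2_plane *)uplane` here versus `(struct v4l2_plane __force_user *)kp->m.planes` in the put_v4l2_buffer32 hunk, and nothing explains why a user-space address is stored in a kernel-typed field. `uplane` comes from `compat_alloc_user_space()`, so after this line `kp->m.planes` holds a user pointer. A short comment such as `/* holds a user-space address despite the kernel pointer type */` would make that explicit. The same applies to the `kp->base`, `kp->controls` and `kp->edid` hunks below; each function body extends beyond its hunk.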
48981@@ -500,7 +500,7 @@ static int put_v4l2_buffer32(struct v4l2_buffer *kp, struct v4l2_buffer32 __user
48982 if (num_planes == 0)
48983 return 0;
48984
48985- uplane = (__force struct v4l2_plane __user *)kp->m.planes;
48986+ uplane = (struct v4l2_plane __force_user *)kp->m.planes;
48987 if (get_user(p, &up->m.planes))
48988 return -EFAULT;
48989 uplane32 = compat_ptr(p);
48990@@ -564,7 +564,7 @@ static int get_v4l2_framebuffer32(struct v4l2_framebuffer *kp, struct v4l2_frame
48991 get_user(kp->flags, &up->flags) ||
48992 copy_from_user(&kp->fmt, &up->fmt, sizeof(up->fmt)))
48993 return -EFAULT;
48994- kp->base = (__force void *)compat_ptr(tmp);
48995+ kp->base = (__force_kernel void *)compat_ptr(tmp);
48996 return 0;
48997 }
48998
48999@@ -669,7 +669,7 @@ static int get_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext
49000 n * sizeof(struct v4l2_ext_control32)))
49001 return -EFAULT;
49002 kcontrols = compat_alloc_user_space(n * sizeof(struct v4l2_ext_control));
49003- kp->controls = (__force struct v4l2_ext_control *)kcontrols;
49004+ kp->controls = (__force_kernel struct v4l2_ext_control *)kcontrols;
49005 while (--n >= 0) {
49006 u32 id;
49007
49008@@ -696,7 +696,7 @@ static int put_v4l2_ext_controls32(struct v4l2_ext_controls *kp, struct v4l2_ext
49009 {
49010 struct v4l2_ext_control32 __user *ucontrols;
49011 struct v4l2_ext_control __user *kcontrols =
49012- (__force struct v4l2_ext_control __user *)kp->controls;
49013+ (struct v4l2_ext_control __force_user *)kp->controls;
49014 int n = kp->count;
49015 compat_caddr_t p;
49016
49017@@ -780,7 +780,7 @@ static int get_v4l2_edid32(struct v4l2_edid *kp, struct v4l2_edid32 __user *up)
49018 get_user(tmp, &up->edid) ||
49019 copy_from_user(kp->reserved, up->reserved, sizeof(kp->reserved)))
49020 return -EFAULT;
49021- kp->edid = (__force u8 *)compat_ptr(tmp);
49022+ kp->edid = (__force_kernel u8 *)compat_ptr(tmp);
49023 return 0;
49024 }
49025
49026diff --git a/drivers/media/v4l2-core/v4l2-device.c b/drivers/media/v4l2-core/v4l2-device.c
49027index 5b0a30b..1974b38 100644
49028--- a/drivers/media/v4l2-core/v4l2-device.c
49029+++ b/drivers/media/v4l2-core/v4l2-device.c
49030@@ -74,9 +74,9 @@ int v4l2_device_put(struct v4l2_device *v4l2_dev)
49031 EXPORT_SYMBOL_GPL(v4l2_device_put);
49032
49033 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
49034- atomic_t *instance)
49035+ atomic_unchecked_t *instance)
49036 {
49037- int num = atomic_inc_return(instance) - 1;
49038+ int num = atomic_inc_return_unchecked(instance) - 1;
49039 int len = strlen(basename);
49040
49041 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
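Review bot: `basename[len - 1]` is read right after `int len = strlen(basename)`, so an empty `basename` indexes one byte before the string; the signature change leaves that untouched. A guard such as `if (len && basename[len - 1] >= '0' && basename[len - 1] <= '9')` avoids the out-of-bounds read. Separately, the new `atomic_unchecked_t *instance` parameter means the prototype and every caller have to be converted in step, and those are not visible in this hunk. The function body continues past the hunk.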
49042diff --git a/drivers/media/v4l2-core/v4l2-ioctl.c b/drivers/media/v4l2-core/v4l2-ioctl.c
49043index 85de455..4987854 100644
49044--- a/drivers/media/v4l2-core/v4l2-ioctl.c
49045+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
49046@@ -2341,7 +2341,8 @@ struct v4l2_ioctl_info {
49047 struct file *file, void *fh, void *p);
49048 } u;
49049 void (*debug)(const void *arg, bool write_only);
49050-};
49051+} __do_const;
49052+typedef struct v4l2_ioctl_info __no_const v4l2_ioctl_info_no_const;
49053
49054 /* This control needs a priority check */
49055 #define INFO_FL_PRIO (1 << 0)
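Review bot: The `__do_const` attribute and the `v4l2_ioctl_info_no_const` typedef are added without a comment explaining the split. Judging by the next hunk, the typedef appears to exist so that the on-stack `default_info` in `__video_do_ioctl` can still be filled in at run time while the struct itself is treated as constant. A line such as `/* writable variant for the on-stack default_info in __video_do_ioctl() */` above the typedef would record that. The struct definition starts outside this hunk.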
49056@@ -2525,7 +2526,7 @@ static long __video_do_ioctl(struct file *file,
49057 struct video_device *vfd = video_devdata(file);
49058 const struct v4l2_ioctl_ops *ops = vfd->ioctl_ops;
49059 bool write_only = false;
49060- struct v4l2_ioctl_info default_info;
49061+ v4l2_ioctl_info_no_const default_info;
49062 const struct v4l2_ioctl_info *info;
49063 void *fh = file->private_data;
49064 struct v4l2_fh *vfh = NULL;
49065@@ -2616,7 +2617,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
49066 ret = -EINVAL;
49067 break;
49068 }
49069- *user_ptr = (void __user *)buf->m.planes;
49070+ *user_ptr = (void __force_user *)buf->m.planes;
49071 *kernel_ptr = (void **)&buf->m.planes;
49072 *array_size = sizeof(struct v4l2_plane) * buf->length;
49073 ret = 1;
49074@@ -2633,7 +2634,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
49075 ret = -EINVAL;
49076 break;
49077 }
49078- *user_ptr = (void __user *)edid->edid;
49079+ *user_ptr = (void __force_user *)edid->edid;
49080 *kernel_ptr = (void **)&edid->edid;
49081 *array_size = edid->blocks * 128;
49082 ret = 1;
49083@@ -2651,7 +2652,7 @@ static int check_array_args(unsigned int cmd, void *parg, size_t *array_size,
49084 ret = -EINVAL;
49085 break;
49086 }
49087- *user_ptr = (void __user *)ctrls->controls;
49088+ *user_ptr = (void __force_user *)ctrls->controls;
49089 *kernel_ptr = (void **)&ctrls->controls;
49090 *array_size = sizeof(struct v4l2_ext_control)
49091 * ctrls->count;
49092@@ -2752,7 +2753,7 @@ video_usercopy(struct file *file, unsigned int cmd, unsigned long arg,
49093 }
49094
49095 if (has_array_args) {
49096- *kernel_ptr = (void __force *)user_ptr;
49097+ *kernel_ptr = (void __force_kernel *)user_ptr;
49098 if (copy_to_user(user_ptr, mbuf, array_size))
49099 err = -EFAULT;
49100 goto out_array_args;
49101diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c
49102index 9426276..9abd11e 100644
49103--- a/drivers/memory/omap-gpmc.c
49104+++ b/drivers/memory/omap-gpmc.c
49105@@ -232,7 +232,6 @@ struct omap3_gpmc_regs {
49106 };
49107
49108 static struct gpmc_client_irq gpmc_client_irq[GPMC_NR_IRQ];
49109-static struct irq_chip gpmc_irq_chip;
49110 static int gpmc_irq_start;
49111
49112 static struct resource gpmc_mem_root;
49113@@ -1146,6 +1145,17 @@ static void gpmc_irq_noop(struct irq_data *data) { }
49114
49115 static unsigned int gpmc_irq_noop_ret(struct irq_data *data) { return 0; }
49116
49117+static struct irq_chip gpmc_irq_chip = {
49118+ .name = "gpmc",
49119+ .irq_startup = gpmc_irq_noop_ret,
49120+ .irq_enable = gpmc_irq_enable,
49121+ .irq_disable = gpmc_irq_disable,
49122+ .irq_shutdown = gpmc_irq_noop,
49123+ .irq_ack = gpmc_irq_noop,
49124+ .irq_mask = gpmc_irq_noop,
49125+ .irq_unmask = gpmc_irq_noop,
49126+};
49127+
49128 static int gpmc_setup_irq(void)
49129 {
49130 int i;
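Review bot: The new static initializer has no comment on why the run-time assignments were replaced, and it depends on `gpmc_irq_enable` and `gpmc_irq_disable` being declared above this point, which the hunk does not show (only the two no-op helpers are visible). A one-line comment such as `/* initialised at build time so the table never needs a run-time write */` would document the intent. It is also worth confirming that both callbacks are defined earlier in the file.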
49131@@ -1160,15 +1170,6 @@ static int gpmc_setup_irq(void)
49132 return gpmc_irq_start;
49133 }
49134
49135- gpmc_irq_chip.name = "gpmc";
49136- gpmc_irq_chip.irq_startup = gpmc_irq_noop_ret;
49137- gpmc_irq_chip.irq_enable = gpmc_irq_enable;
49138- gpmc_irq_chip.irq_disable = gpmc_irq_disable;
49139- gpmc_irq_chip.irq_shutdown = gpmc_irq_noop;
49140- gpmc_irq_chip.irq_ack = gpmc_irq_noop;
49141- gpmc_irq_chip.irq_mask = gpmc_irq_noop;
49142- gpmc_irq_chip.irq_unmask = gpmc_irq_noop;
49143-
49144 gpmc_client_irq[0].bitmask = GPMC_IRQ_FIFOEVENTENABLE;
49145 gpmc_client_irq[1].bitmask = GPMC_IRQ_COUNT_EVENT;
49146
49147diff --git a/drivers/message/fusion/mptbase.c b/drivers/message/fusion/mptbase.c
49148index 5dcc031..e08ecd2 100644
49149--- a/drivers/message/fusion/mptbase.c
49150+++ b/drivers/message/fusion/mptbase.c
49151@@ -6722,8 +6722,13 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
49152 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
49153 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
49154
49155+#ifdef CONFIG_GRKERNSEC_HIDESYM
49156+ seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
49157+#else
49158 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
49159 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
49160+#endif
49161+
49162 /*
49163 * Rounding UP to nearest 4-kB boundary here...
49164 */
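Review bot: The two HIDESYM guards are written differently: this hunk duplicates the whole `seq_printf` call with `NULL, NULL`, while the next hunk puts the `#ifdef` inside the argument list. Duplicating the format string means a later change to the `RequestFrames` line has to be made twice. Using one form in both places, or local variables such as `void *req = NULL, *req_dma = NULL;` that are filled in only when `CONFIG_GRKERNSEC_HIDESYM` is off, keeps one format string per output line. mpt_iocinfo_proc_show starts and ends outside these hunks.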
49165@@ -6736,7 +6741,11 @@ static int mpt_iocinfo_proc_show(struct seq_file *m, void *v)
49166 ioc->facts.GlobalCredits);
49167
49168 seq_printf(m, " Frames @ 0x%p (Dma @ 0x%p)\n",
49169+#ifdef CONFIG_GRKERNSEC_HIDESYM
49170+ NULL, NULL);
49171+#else
49172 (void *)ioc->alloc, (void *)(ulong)ioc->alloc_dma);
49173+#endif
49174 sz = (ioc->reply_sz * ioc->reply_depth) + 128;
49175 seq_printf(m, " {CurRepSz=%d} x {CurRepDepth=%d} = %d bytes ^= 0x%x\n",
49176 ioc->reply_sz, ioc->reply_depth, ioc->reply_sz*ioc->reply_depth, sz);
49177diff --git a/drivers/message/fusion/mptsas.c b/drivers/message/fusion/mptsas.c
49178index 005a88b..5a90fbb 100644
49179--- a/drivers/message/fusion/mptsas.c
49180+++ b/drivers/message/fusion/mptsas.c
49181@@ -446,6 +446,23 @@ mptsas_is_end_device(struct mptsas_devinfo * attached)
49182 return 0;
49183 }
49184
49185+static inline void
49186+mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
49187+{
49188+ if (phy_info->port_details) {
49189+ phy_info->port_details->rphy = rphy;
49190+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
49191+ ioc->name, rphy));
49192+ }
49193+
49194+ if (rphy) {
49195+ dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
49196+ &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
49197+ dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
49198+ ioc->name, rphy, rphy->dev.release));
49199+ }
49200+}
49201+
49202 /* no mutex */
49203 static void
49204 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
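Review bot: The relocated `mptsas_set_rphy` still prints raw kernel addresses with `%p` (`rphy` twice and `rphy->dev.release`), while the mptbase.c change in this same patch hides the equivalent values when `CONFIG_GRKERNSEC_HIDESYM` is set. These go through `dsaswideprintk`, so they presumably reach the log only when that debug level is enabled, but the `release` function pointer in particular exposes a kernel text address. Since the function is being moved anyway, the `release=%p` argument could be dropped or guarded the same way as in mptbase.c.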
49205@@ -484,23 +501,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *phy_info)
49206 return NULL;
49207 }
49208
49209-static inline void
49210-mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
49211-{
49212- if (phy_info->port_details) {
49213- phy_info->port_details->rphy = rphy;
49214- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
49215- ioc->name, rphy));
49216- }
49217-
49218- if (rphy) {
49219- dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
49220- &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
49221- dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
49222- ioc->name, rphy, rphy->dev.release));
49223- }
49224-}
49225-
49226 static inline struct sas_port *
49227 mptsas_get_port(struct mptsas_phyinfo *phy_info)
49228 {
49229diff --git a/drivers/mfd/ab8500-debugfs.c b/drivers/mfd/ab8500-debugfs.c
49230index 0236cd7..53b10d7 100644
49231--- a/drivers/mfd/ab8500-debugfs.c
49232+++ b/drivers/mfd/ab8500-debugfs.c
49233@@ -100,7 +100,7 @@ static int irq_last;
49234 static u32 *irq_count;
49235 static int num_irqs;
49236
49237-static struct device_attribute **dev_attr;
49238+static device_attribute_no_const **dev_attr;
49239 static char **event_name;
49240
49241 static u8 avg_sample = SAMPLE_16;
49242diff --git a/drivers/mfd/kempld-core.c b/drivers/mfd/kempld-core.c
49243index 8057849..0550fdf 100644
49244--- a/drivers/mfd/kempld-core.c
49245+++ b/drivers/mfd/kempld-core.c
49246@@ -499,7 +499,7 @@ static struct platform_driver kempld_driver = {
49247 .remove = kempld_remove,
49248 };
49249
49250-static struct dmi_system_id kempld_dmi_table[] __initdata = {
49251+static const struct dmi_system_id kempld_dmi_table[] __initconst = {
49252 {
49253 .ident = "BHL6",
49254 .matches = {
49255diff --git a/drivers/mfd/max8925-i2c.c b/drivers/mfd/max8925-i2c.c
49256index c880c89..45a7c68 100644
49257--- a/drivers/mfd/max8925-i2c.c
49258+++ b/drivers/mfd/max8925-i2c.c
49259@@ -152,7 +152,7 @@ static int max8925_probe(struct i2c_client *client,
49260 const struct i2c_device_id *id)
49261 {
49262 struct max8925_platform_data *pdata = dev_get_platdata(&client->dev);
49263- static struct max8925_chip *chip;
49264+ struct max8925_chip *chip;
49265 struct device_node *node = client->dev.of_node;
49266
49267 if (node && !pdata) {
49268diff --git a/drivers/mfd/tps65910.c b/drivers/mfd/tps65910.c
49269index 7612d89..70549c2 100644
49270--- a/drivers/mfd/tps65910.c
49271+++ b/drivers/mfd/tps65910.c
49272@@ -230,7 +230,7 @@ static int tps65910_irq_init(struct tps65910 *tps65910, int irq,
49273 struct tps65910_platform_data *pdata)
49274 {
49275 int ret = 0;
49276- static struct regmap_irq_chip *tps6591x_irqs_chip;
49277+ struct regmap_irq_chip *tps6591x_irqs_chip;
49278
49279 if (!irq) {
49280 dev_warn(tps65910->dev, "No interrupt support, no core IRQ\n");
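Review bot: Dropping `static` leaves `tps6591x_irqs_chip` an uninitialised automatic variable, where the static version started out as NULL. The code that assigns it lies outside this hunk; if any path through it (for example an unmatched chip id) skips the assignment, the pointer is now indeterminate when it is used. Declaring it as `struct regmap_irq_chip *tps6591x_irqs_chip = NULL;` keeps the previous starting value.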
49281diff --git a/drivers/mfd/twl4030-irq.c b/drivers/mfd/twl4030-irq.c
49282index a3fa7f4..eac02ef 100644
49283--- a/drivers/mfd/twl4030-irq.c
49284+++ b/drivers/mfd/twl4030-irq.c
49285@@ -34,6 +34,7 @@
49286 #include <linux/of.h>
49287 #include <linux/irqdomain.h>
49288 #include <linux/i2c/twl.h>
49289+#include <asm/pgtable.h>
49290
49291 #include "twl-core.h"
49292
49293@@ -729,10 +730,12 @@ int twl4030_init_irq(struct device *dev, int irq_num)
49294 * Install an irq handler for each of the SIH modules;
49295 * clone dummy irq_chip since PIH can't *do* anything
49296 */
49297- twl4030_irq_chip = dummy_irq_chip;
49298- twl4030_irq_chip.name = "twl4030";
49299+ pax_open_kernel();
49300+ memcpy((void *)&twl4030_irq_chip, &dummy_irq_chip, sizeof twl4030_irq_chip);
49301+ *(const char **)&twl4030_irq_chip.name = "twl4030";
49302
49303- twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack;
49304+ *(void **)&twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack;
49305+ pax_close_kernel();
49306
49307 for (i = irq_base; i < irq_end; i++) {
49308 irq_set_chip_and_handler(i, &twl4030_irq_chip,
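Review bot: `*(void **)&twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack;` writes a function pointer through a `void **`, which discards the callback's type, so a signature mismatch would no longer be diagnosed. Casting to the member's own pointer type keeps the check: `*(void (**)(struct irq_data *))&twl4030_sih_irq_chip.irq_ack = dummy_irq_chip.irq_ack;`, assuming `irq_ack` has the signature the gpmc no-op helpers suggest. The same `*(void **)&` form is used for `mmci_ops.card_busy` in the mmci.c hunk. A short comment above `pax_open_kernel()` saying that these objects are read-only after constification, and that the open/close window should cover only these stores, would help the next reader. twl4030_init_irq continues outside the hunk.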
49309diff --git a/drivers/misc/c2port/core.c b/drivers/misc/c2port/core.c
49310index 464419b..64bae8d 100644
49311--- a/drivers/misc/c2port/core.c
49312+++ b/drivers/misc/c2port/core.c
49313@@ -922,7 +922,9 @@ struct c2port_device *c2port_device_register(char *name,
49314 goto error_idr_alloc;
49315 c2dev->id = ret;
49316
49317- bin_attr_flash_data.size = ops->blocks_num * ops->block_size;
49318+ pax_open_kernel();
49319+ *(size_t *)&bin_attr_flash_data.size = ops->blocks_num * ops->block_size;
49320+ pax_close_kernel();
49321
49322 c2dev->dev = device_create(c2port_class, NULL, 0, c2dev,
49323 "c2port%d", c2dev->id);
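Review bot: `bin_attr_flash_data` looks like a single file-scope attribute, yet its `size` is rewritten on every call to `c2port_device_register`, so with two devices of different flash geometry the last registration decides the size both see. Wrapping the store in `pax_open_kernel()`/`pax_close_kernel()` keeps that behaviour and adds a write to otherwise read-only data on each registration. A per-device copy of the attribute would avoid both; the sunxi_sid.c hunk below has the same pattern with `sid_bin_attr.size`. The attribute's declaration is not in this hunk, so the shared-global reading should be confirmed.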
49324diff --git a/drivers/misc/eeprom/sunxi_sid.c b/drivers/misc/eeprom/sunxi_sid.c
49325index 8385177..2f54635 100644
49326--- a/drivers/misc/eeprom/sunxi_sid.c
49327+++ b/drivers/misc/eeprom/sunxi_sid.c
49328@@ -126,7 +126,9 @@ static int sunxi_sid_probe(struct platform_device *pdev)
49329
49330 platform_set_drvdata(pdev, sid_data);
49331
49332- sid_bin_attr.size = sid_data->keysize;
49333+ pax_open_kernel();
49334+ *(size_t *)&sid_bin_attr.size = sid_data->keysize;
49335+ pax_close_kernel();
49336 if (device_create_bin_file(&pdev->dev, &sid_bin_attr))
49337 return -ENODEV;
49338
49339diff --git a/drivers/misc/kgdbts.c b/drivers/misc/kgdbts.c
49340index 9a60bd4..cee2069 100644
49341--- a/drivers/misc/kgdbts.c
49342+++ b/drivers/misc/kgdbts.c
49343@@ -834,7 +834,7 @@ static void run_plant_and_detach_test(int is_early)
49344 char before[BREAK_INSTR_SIZE];
49345 char after[BREAK_INSTR_SIZE];
49346
49347- probe_kernel_read(before, (char *)kgdbts_break_test,
49348+ probe_kernel_read(before, (void *)ktla_ktva((unsigned long)kgdbts_break_test),
49349 BREAK_INSTR_SIZE);
49350 init_simple_test();
49351 ts.tst = plant_and_detach_test;
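Review bot: Both `probe_kernel_read()` calls (here and in the next hunk) ignore the return value, so if either read fails, `before` or `after` stays uninitialised and the `memcmp` that follows compares stack garbage. Checking the result, e.g. `if (probe_kernel_read(before, ..., BREAK_INSTR_SIZE)) { /* report and return */ }`, makes a failed read distinguishable from real corruption. A one-line comment on what `ktla_ktva()` translates would also help, since that helper is not defined in this file section. run_plant_and_detach_test starts outside the hunk.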
49352@@ -842,7 +842,7 @@ static void run_plant_and_detach_test(int is_early)
49353 /* Activate test with initial breakpoint */
49354 if (!is_early)
49355 kgdb_breakpoint();
49356- probe_kernel_read(after, (char *)kgdbts_break_test,
49357+ probe_kernel_read(after, (void *)ktla_ktva((unsigned long)kgdbts_break_test),
49358 BREAK_INSTR_SIZE);
49359 if (memcmp(before, after, BREAK_INSTR_SIZE)) {
49360 printk(KERN_CRIT "kgdbts: ERROR kgdb corrupted memory\n");
49361diff --git a/drivers/misc/lis3lv02d/lis3lv02d.c b/drivers/misc/lis3lv02d/lis3lv02d.c
49362index fb8705f..dc2f679 100644
49363--- a/drivers/misc/lis3lv02d/lis3lv02d.c
49364+++ b/drivers/misc/lis3lv02d/lis3lv02d.c
49365@@ -497,7 +497,7 @@ static irqreturn_t lis302dl_interrupt(int irq, void *data)
49366 * the lid is closed. This leads to interrupts as soon as a little move
49367 * is done.
49368 */
49369- atomic_inc(&lis3->count);
49370+ atomic_inc_unchecked(&lis3->count);
49371
49372 wake_up_interruptible(&lis3->misc_wait);
49373 kill_fasync(&lis3->async_queue, SIGIO, POLL_IN);
49374@@ -583,7 +583,7 @@ static int lis3lv02d_misc_open(struct inode *inode, struct file *file)
49375 if (lis3->pm_dev)
49376 pm_runtime_get_sync(lis3->pm_dev);
49377
49378- atomic_set(&lis3->count, 0);
49379+ atomic_set_unchecked(&lis3->count, 0);
49380 return 0;
49381 }
49382
49383@@ -615,7 +615,7 @@ static ssize_t lis3lv02d_misc_read(struct file *file, char __user *buf,
49384 add_wait_queue(&lis3->misc_wait, &wait);
49385 while (true) {
49386 set_current_state(TASK_INTERRUPTIBLE);
49387- data = atomic_xchg(&lis3->count, 0);
49388+ data = atomic_xchg_unchecked(&lis3->count, 0);
49389 if (data)
49390 break;
49391
49392@@ -656,7 +656,7 @@ static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
49393 struct lis3lv02d, miscdev);
49394
49395 poll_wait(file, &lis3->misc_wait, wait);
49396- if (atomic_read(&lis3->count))
49397+ if (atomic_read_unchecked(&lis3->count))
49398 return POLLIN | POLLRDNORM;
49399 return 0;
49400 }
49401diff --git a/drivers/misc/lis3lv02d/lis3lv02d.h b/drivers/misc/lis3lv02d/lis3lv02d.h
49402index c439c82..1f20f57 100644
49403--- a/drivers/misc/lis3lv02d/lis3lv02d.h
49404+++ b/drivers/misc/lis3lv02d/lis3lv02d.h
49405@@ -297,7 +297,7 @@ struct lis3lv02d {
49406 struct input_polled_dev *idev; /* input device */
49407 struct platform_device *pdev; /* platform device */
49408 struct regulator_bulk_data regulators[2];
49409- atomic_t count; /* interrupt count after last read */
49410+ atomic_unchecked_t count; /* interrupt count after last read */
49411 union axis_conversion ac; /* hw -> logical axis */
49412 int mapped_btns[3];
49413
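Review bot: The comment on `count` does not say why the field may use the unchecked atomic type. In the .c hunks it is an event counter that the interrupt handler increments and `lis3lv02d_misc_read` resets with `atomic_xchg_unchecked(&lis3->count, 0)`, not a reference count. Extending the comment to `/* interrupt count after last read; plain event counter, wrap-around is harmless */` would record that reasoning. The struct definition extends beyond the hunk.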
49414diff --git a/drivers/misc/mic/scif/scif_rb.c b/drivers/misc/mic/scif/scif_rb.c
49415index 637cc46..4fb1267 100644
49416--- a/drivers/misc/mic/scif/scif_rb.c
49417+++ b/drivers/misc/mic/scif/scif_rb.c
49418@@ -138,7 +138,7 @@ void scif_rb_commit(struct scif_rb *rb)
49419 * the read barrier in scif_rb_count(..)
49420 */
49421 wmb();
49422- ACCESS_ONCE(*rb->write_ptr) = rb->current_write_offset;
49423+ ACCESS_ONCE_RW(*rb->write_ptr) = rb->current_write_offset;
49424 #ifdef CONFIG_INTEL_MIC_CARD
49425 /*
49426 * X100 Si bug: For the case where a Core is performing an EXT_WR
49427@@ -147,7 +147,7 @@ void scif_rb_commit(struct scif_rb *rb)
49428 * This way, if ordering is violated for the Interrupt Message, it will
49429 * fall just behind the first Posted associated with the first EXT_WR.
49430 */
49431- ACCESS_ONCE(*rb->write_ptr) = rb->current_write_offset;
49432+ ACCESS_ONCE_RW(*rb->write_ptr) = rb->current_write_offset;
49433 #endif
49434 }
49435
49436@@ -210,7 +210,7 @@ void scif_rb_update_read_ptr(struct scif_rb *rb)
49437 * scif_rb_space(..)
49438 */
49439 mb();
49440- ACCESS_ONCE(*rb->read_ptr) = new_offset;
49441+ ACCESS_ONCE_RW(*rb->read_ptr) = new_offset;
49442 #ifdef CONFIG_INTEL_MIC_CARD
49443 /*
49444 * X100 Si Bug: For the case where a Core is performing an EXT_WR
49445@@ -219,7 +219,7 @@ void scif_rb_update_read_ptr(struct scif_rb *rb)
49446 * This way, if ordering is violated for the Interrupt Message, it will
49447 * fall just behind the first Posted associated with the first EXT_WR.
49448 */
49449- ACCESS_ONCE(*rb->read_ptr) = new_offset;
49450+ ACCESS_ONCE_RW(*rb->read_ptr) = new_offset;
49451 #endif
49452 }
49453
49454diff --git a/drivers/misc/sgi-gru/gruhandles.c b/drivers/misc/sgi-gru/gruhandles.c
49455index 2f30bad..c4c13d0 100644
49456--- a/drivers/misc/sgi-gru/gruhandles.c
49457+++ b/drivers/misc/sgi-gru/gruhandles.c
49458@@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op op, unsigned long clks)
49459 unsigned long nsec;
49460
49461 nsec = CLKS2NSEC(clks);
49462- atomic_long_inc(&mcs_op_statistics[op].count);
49463- atomic_long_add(nsec, &mcs_op_statistics[op].total);
49464+ atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
49465+ atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
49466 if (mcs_op_statistics[op].max < nsec)
49467 mcs_op_statistics[op].max = nsec;
49468 }
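Review bot: `mcs_op_statistics[op].max` is updated with a plain compare-and-store while `count` and `total` next to it use atomic operations, so if update_mcs_stats can run concurrently, two callers may lose the larger value. For a statistic that may be acceptable, but it deserves either a comment (`/* racy by design: max is best-effort */`) or an atomic compare-and-exchange loop. The start of the function is outside the hunk.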
49469diff --git a/drivers/misc/sgi-gru/gruprocfs.c b/drivers/misc/sgi-gru/gruprocfs.c
49470index 4f76359..cdfcb2e 100644
49471--- a/drivers/misc/sgi-gru/gruprocfs.c
49472+++ b/drivers/misc/sgi-gru/gruprocfs.c
49473@@ -32,9 +32,9 @@
49474
49475 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
49476
49477-static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
49478+static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
49479 {
49480- unsigned long val = atomic_long_read(v);
49481+ unsigned long val = atomic_long_read_unchecked(v);
49482
49483 seq_printf(s, "%16lu %s\n", val, id);
49484 }
49485@@ -134,8 +134,8 @@ static int mcs_statistics_show(struct seq_file *s, void *p)
49486
49487 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
49488 for (op = 0; op < mcsop_last; op++) {
49489- count = atomic_long_read(&mcs_op_statistics[op].count);
49490- total = atomic_long_read(&mcs_op_statistics[op].total);
49491+ count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
49492+ total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
49493 max = mcs_op_statistics[op].max;
49494 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
49495 count ? total / count : 0, max);
49496diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h
49497index 5c3ce24..4915ccb 100644
49498--- a/drivers/misc/sgi-gru/grutables.h
49499+++ b/drivers/misc/sgi-gru/grutables.h
49500@@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
49501 * GRU statistics.
49502 */
49503 struct gru_stats_s {
49504- atomic_long_t vdata_alloc;
49505- atomic_long_t vdata_free;
49506- atomic_long_t gts_alloc;
49507- atomic_long_t gts_free;
49508- atomic_long_t gms_alloc;
49509- atomic_long_t gms_free;
49510- atomic_long_t gts_double_allocate;
49511- atomic_long_t assign_context;
49512- atomic_long_t assign_context_failed;
49513- atomic_long_t free_context;
49514- atomic_long_t load_user_context;
49515- atomic_long_t load_kernel_context;
49516- atomic_long_t lock_kernel_context;
49517- atomic_long_t unlock_kernel_context;
49518- atomic_long_t steal_user_context;
49519- atomic_long_t steal_kernel_context;
49520- atomic_long_t steal_context_failed;
49521- atomic_long_t nopfn;
49522- atomic_long_t asid_new;
49523- atomic_long_t asid_next;
49524- atomic_long_t asid_wrap;
49525- atomic_long_t asid_reuse;
49526- atomic_long_t intr;
49527- atomic_long_t intr_cbr;
49528- atomic_long_t intr_tfh;
49529- atomic_long_t intr_spurious;
49530- atomic_long_t intr_mm_lock_failed;
49531- atomic_long_t call_os;
49532- atomic_long_t call_os_wait_queue;
49533- atomic_long_t user_flush_tlb;
49534- atomic_long_t user_unload_context;
49535- atomic_long_t user_exception;
49536- atomic_long_t set_context_option;
49537- atomic_long_t check_context_retarget_intr;
49538- atomic_long_t check_context_unload;
49539- atomic_long_t tlb_dropin;
49540- atomic_long_t tlb_preload_page;
49541- atomic_long_t tlb_dropin_fail_no_asid;
49542- atomic_long_t tlb_dropin_fail_upm;
49543- atomic_long_t tlb_dropin_fail_invalid;
49544- atomic_long_t tlb_dropin_fail_range_active;
49545- atomic_long_t tlb_dropin_fail_idle;
49546- atomic_long_t tlb_dropin_fail_fmm;
49547- atomic_long_t tlb_dropin_fail_no_exception;
49548- atomic_long_t tfh_stale_on_fault;
49549- atomic_long_t mmu_invalidate_range;
49550- atomic_long_t mmu_invalidate_page;
49551- atomic_long_t flush_tlb;
49552- atomic_long_t flush_tlb_gru;
49553- atomic_long_t flush_tlb_gru_tgh;
49554- atomic_long_t flush_tlb_gru_zero_asid;
49555+ atomic_long_unchecked_t vdata_alloc;
49556+ atomic_long_unchecked_t vdata_free;
49557+ atomic_long_unchecked_t gts_alloc;
49558+ atomic_long_unchecked_t gts_free;
49559+ atomic_long_unchecked_t gms_alloc;
49560+ atomic_long_unchecked_t gms_free;
49561+ atomic_long_unchecked_t gts_double_allocate;
49562+ atomic_long_unchecked_t assign_context;
49563+ atomic_long_unchecked_t assign_context_failed;
49564+ atomic_long_unchecked_t free_context;
49565+ atomic_long_unchecked_t load_user_context;
49566+ atomic_long_unchecked_t load_kernel_context;
49567+ atomic_long_unchecked_t lock_kernel_context;
49568+ atomic_long_unchecked_t unlock_kernel_context;
49569+ atomic_long_unchecked_t steal_user_context;
49570+ atomic_long_unchecked_t steal_kernel_context;
49571+ atomic_long_unchecked_t steal_context_failed;
49572+ atomic_long_unchecked_t nopfn;
49573+ atomic_long_unchecked_t asid_new;
49574+ atomic_long_unchecked_t asid_next;
49575+ atomic_long_unchecked_t asid_wrap;
49576+ atomic_long_unchecked_t asid_reuse;
49577+ atomic_long_unchecked_t intr;
49578+ atomic_long_unchecked_t intr_cbr;
49579+ atomic_long_unchecked_t intr_tfh;
49580+ atomic_long_unchecked_t intr_spurious;
49581+ atomic_long_unchecked_t intr_mm_lock_failed;
49582+ atomic_long_unchecked_t call_os;
49583+ atomic_long_unchecked_t call_os_wait_queue;
49584+ atomic_long_unchecked_t user_flush_tlb;
49585+ atomic_long_unchecked_t user_unload_context;
49586+ atomic_long_unchecked_t user_exception;
49587+ atomic_long_unchecked_t set_context_option;
49588+ atomic_long_unchecked_t check_context_retarget_intr;
49589+ atomic_long_unchecked_t check_context_unload;
49590+ atomic_long_unchecked_t tlb_dropin;
49591+ atomic_long_unchecked_t tlb_preload_page;
49592+ atomic_long_unchecked_t tlb_dropin_fail_no_asid;
49593+ atomic_long_unchecked_t tlb_dropin_fail_upm;
49594+ atomic_long_unchecked_t tlb_dropin_fail_invalid;
49595+ atomic_long_unchecked_t tlb_dropin_fail_range_active;
49596+ atomic_long_unchecked_t tlb_dropin_fail_idle;
49597+ atomic_long_unchecked_t tlb_dropin_fail_fmm;
49598+ atomic_long_unchecked_t tlb_dropin_fail_no_exception;
49599+ atomic_long_unchecked_t tfh_stale_on_fault;
49600+ atomic_long_unchecked_t mmu_invalidate_range;
49601+ atomic_long_unchecked_t mmu_invalidate_page;
49602+ atomic_long_unchecked_t flush_tlb;
49603+ atomic_long_unchecked_t flush_tlb_gru;
49604+ atomic_long_unchecked_t flush_tlb_gru_tgh;
49605+ atomic_long_unchecked_t flush_tlb_gru_zero_asid;
49606
49607- atomic_long_t copy_gpa;
49608- atomic_long_t read_gpa;
49609+ atomic_long_unchecked_t copy_gpa;
49610+ atomic_long_unchecked_t read_gpa;
49611
49612- atomic_long_t mesq_receive;
49613- atomic_long_t mesq_receive_none;
49614- atomic_long_t mesq_send;
49615- atomic_long_t mesq_send_failed;
49616- atomic_long_t mesq_noop;
49617- atomic_long_t mesq_send_unexpected_error;
49618- atomic_long_t mesq_send_lb_overflow;
49619- atomic_long_t mesq_send_qlimit_reached;
49620- atomic_long_t mesq_send_amo_nacked;
49621- atomic_long_t mesq_send_put_nacked;
49622- atomic_long_t mesq_page_overflow;
49623- atomic_long_t mesq_qf_locked;
49624- atomic_long_t mesq_qf_noop_not_full;
49625- atomic_long_t mesq_qf_switch_head_failed;
49626- atomic_long_t mesq_qf_unexpected_error;
49627- atomic_long_t mesq_noop_unexpected_error;
49628- atomic_long_t mesq_noop_lb_overflow;
49629- atomic_long_t mesq_noop_qlimit_reached;
49630- atomic_long_t mesq_noop_amo_nacked;
49631- atomic_long_t mesq_noop_put_nacked;
49632- atomic_long_t mesq_noop_page_overflow;
49633+ atomic_long_unchecked_t mesq_receive;
49634+ atomic_long_unchecked_t mesq_receive_none;
49635+ atomic_long_unchecked_t mesq_send;
49636+ atomic_long_unchecked_t mesq_send_failed;
49637+ atomic_long_unchecked_t mesq_noop;
49638+ atomic_long_unchecked_t mesq_send_unexpected_error;
49639+ atomic_long_unchecked_t mesq_send_lb_overflow;
49640+ atomic_long_unchecked_t mesq_send_qlimit_reached;
49641+ atomic_long_unchecked_t mesq_send_amo_nacked;
49642+ atomic_long_unchecked_t mesq_send_put_nacked;
49643+ atomic_long_unchecked_t mesq_page_overflow;
49644+ atomic_long_unchecked_t mesq_qf_locked;
49645+ atomic_long_unchecked_t mesq_qf_noop_not_full;
49646+ atomic_long_unchecked_t mesq_qf_switch_head_failed;
49647+ atomic_long_unchecked_t mesq_qf_unexpected_error;
49648+ atomic_long_unchecked_t mesq_noop_unexpected_error;
49649+ atomic_long_unchecked_t mesq_noop_lb_overflow;
49650+ atomic_long_unchecked_t mesq_noop_qlimit_reached;
49651+ atomic_long_unchecked_t mesq_noop_amo_nacked;
49652+ atomic_long_unchecked_t mesq_noop_put_nacked;
49653+ atomic_long_unchecked_t mesq_noop_page_overflow;
49654
49655 };
49656
49657@@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start, cchop_interrupt, cchop_interrupt_sync,
49658 tghop_invalidate, mcsop_last};
49659
49660 struct mcs_op_statistic {
49661- atomic_long_t count;
49662- atomic_long_t total;
49663+ atomic_long_unchecked_t count;
49664+ atomic_long_unchecked_t total;
49665 unsigned long max;
49666 };
49667
49668@@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_statistics[mcsop_last];
49669
49670 #define STAT(id) do { \
49671 if (gru_options & OPT_STATS) \
49672- atomic_long_inc(&gru_stats.id); \
49673+ atomic_long_inc_unchecked(&gru_stats.id); \
49674 } while (0)
49675
49676 #ifdef CONFIG_SGI_GRU_DEBUG
49677diff --git a/drivers/misc/sgi-xp/xp.h b/drivers/misc/sgi-xp/xp.h
49678index c862cd4..0d176fe 100644
49679--- a/drivers/misc/sgi-xp/xp.h
49680+++ b/drivers/misc/sgi-xp/xp.h
49681@@ -288,7 +288,7 @@ struct xpc_interface {
49682 xpc_notify_func, void *);
49683 void (*received) (short, int, void *);
49684 enum xp_retval (*partid_to_nasids) (short, void *);
49685-};
49686+} __no_const;
49687
49688 extern struct xpc_interface xpc_interface;
49689
49690diff --git a/drivers/misc/sgi-xp/xp_main.c b/drivers/misc/sgi-xp/xp_main.c
49691index 01be66d..e3a0c7e 100644
49692--- a/drivers/misc/sgi-xp/xp_main.c
49693+++ b/drivers/misc/sgi-xp/xp_main.c
49694@@ -78,13 +78,13 @@ xpc_notloaded(void)
49695 }
49696
49697 struct xpc_interface xpc_interface = {
49698- (void (*)(int))xpc_notloaded,
49699- (void (*)(int))xpc_notloaded,
49700- (enum xp_retval(*)(short, int, u32, void *, u16))xpc_notloaded,
49701- (enum xp_retval(*)(short, int, u32, void *, u16, xpc_notify_func,
49702+ .connect = (void (*)(int))xpc_notloaded,
49703+ .disconnect = (void (*)(int))xpc_notloaded,
49704+ .send = (enum xp_retval(*)(short, int, u32, void *, u16))xpc_notloaded,
49705+ .send_notify = (enum xp_retval(*)(short, int, u32, void *, u16, xpc_notify_func,
49706 void *))xpc_notloaded,
49707- (void (*)(short, int, void *))xpc_notloaded,
49708- (enum xp_retval(*)(short, void *))xpc_notloaded
49709+ .received = (void (*)(short, int, void *))xpc_notloaded,
49710+ .partid_to_nasids = (enum xp_retval(*)(short, void *))xpc_notloaded
49711 };
49712 EXPORT_SYMBOL_GPL(xpc_interface);
49713
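Review bot: Every member is still initialised by casting `xpc_notloaded` to a different function-pointer type. Calling a function through an incompatible pointer type is undefined behaviour in C and is rejected by type-based control-flow-integrity checks. The designated initializers make the mapping readable, but typed stubs would remove the casts altogether: one stub per member signature, such as `static void xpc_notloaded_connect(int ch_number) { xpc_notloaded(); }` for `.connect` (stub name is only a suggestion). The definition of `xpc_notloaded` sits just above the hunk and is not fully visible.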
49714diff --git a/drivers/misc/sgi-xp/xpc.h b/drivers/misc/sgi-xp/xpc.h
49715index b94d5f7..7f494c5 100644
49716--- a/drivers/misc/sgi-xp/xpc.h
49717+++ b/drivers/misc/sgi-xp/xpc.h
49718@@ -835,6 +835,7 @@ struct xpc_arch_operations {
49719 void (*received_payload) (struct xpc_channel *, void *);
49720 void (*notify_senders_of_disconnect) (struct xpc_channel *);
49721 };
49722+typedef struct xpc_arch_operations __no_const xpc_arch_operations_no_const;
49723
49724 /* struct xpc_partition act_state values (for XPC HB) */
49725
49726@@ -876,7 +877,7 @@ extern struct xpc_registration xpc_registrations[];
49727 /* found in xpc_main.c */
49728 extern struct device *xpc_part;
49729 extern struct device *xpc_chan;
49730-extern struct xpc_arch_operations xpc_arch_ops;
49731+extern xpc_arch_operations_no_const xpc_arch_ops;
49732 extern int xpc_disengage_timelimit;
49733 extern int xpc_disengage_timedout;
49734 extern int xpc_activate_IRQ_rcvd;
49735diff --git a/drivers/misc/sgi-xp/xpc_main.c b/drivers/misc/sgi-xp/xpc_main.c
49736index 7f32712..8539ab2 100644
49737--- a/drivers/misc/sgi-xp/xpc_main.c
49738+++ b/drivers/misc/sgi-xp/xpc_main.c
49739@@ -166,7 +166,7 @@ static struct notifier_block xpc_die_notifier = {
49740 .notifier_call = xpc_system_die,
49741 };
49742
49743-struct xpc_arch_operations xpc_arch_ops;
49744+xpc_arch_operations_no_const xpc_arch_ops;
49745
49746 /*
49747 * Timer function to enforce the timelimit on the partition disengage.
49748diff --git a/drivers/mmc/card/block.c b/drivers/mmc/card/block.c
49749index a1b820f..e299c58 100644
49750--- a/drivers/mmc/card/block.c
49751+++ b/drivers/mmc/card/block.c
49752@@ -579,7 +579,7 @@ static int mmc_blk_ioctl_cmd(struct block_device *bdev,
49753 if (idata->ic.postsleep_min_us)
49754 usleep_range(idata->ic.postsleep_min_us, idata->ic.postsleep_max_us);
49755
49756- if (copy_to_user(&(ic_ptr->response), cmd.resp, sizeof(cmd.resp))) {
49757+ if (copy_to_user(ic_ptr->response, cmd.resp, sizeof(cmd.resp))) {
49758 err = -EFAULT;
49759 goto cmd_rel_host;
49760 }
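Review bot: The `copy_to_user()` call takes its length from the source, `sizeof(cmd.resp)`, while the destination is `ic_ptr->response`, and nothing in the hunk ties the two array sizes together. Neither declaration is visible here, so this is a hardening suggestion rather than a confirmed defect. A `BUILD_BUG_ON(sizeof(cmd.resp) != sizeof(ic_ptr->response));` above the copy would turn a future size mismatch into a build failure instead of a write past the field in the user structure. mmc_blk_ioctl_cmd starts and ends outside the hunk.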
49761diff --git a/drivers/mmc/host/dw_mmc.h b/drivers/mmc/host/dw_mmc.h
49762index 8ce4674..a23c858 100644
49763--- a/drivers/mmc/host/dw_mmc.h
49764+++ b/drivers/mmc/host/dw_mmc.h
49765@@ -286,5 +286,5 @@ struct dw_mci_drv_data {
49766 struct mmc_ios *ios);
49767 int (*switch_voltage)(struct mmc_host *mmc,
49768 struct mmc_ios *ios);
49769-};
49770+} __do_const;
49771 #endif /* _DW_MMC_H_ */
49772diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c
49773index fb26674..3172c2b 100644
49774--- a/drivers/mmc/host/mmci.c
49775+++ b/drivers/mmc/host/mmci.c
49776@@ -1633,7 +1633,9 @@ static int mmci_probe(struct amba_device *dev,
49777 mmc->caps |= MMC_CAP_CMD23;
49778
49779 if (variant->busy_detect) {
49780- mmci_ops.card_busy = mmci_card_busy;
49781+ pax_open_kernel();
49782+ *(void **)&mmci_ops.card_busy = mmci_card_busy;
49783+ pax_close_kernel();
49784 mmci_write_datactrlreg(host, MCI_ST_DPSM_BUSYMODE);
49785 mmc->caps |= MMC_CAP_WAIT_WHILE_BUSY;
49786 mmc->max_busy_timeout = 0;
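Review bot: The store `*(void **)&mmci_ops.card_busy = mmci_card_busy;` goes through a `void **` cast, so the compiler no longer checks that the function's signature matches the member, and it patches what appears to be a driver-wide ops table from a per-device probe. The same pattern appears in the omap_hsmmc.c, sdhci-esdhc-imx.c and sdhci-s3c.c hunks below, and in a cast-free form in altera_tse_main.c. A stricter form would keep two fully initialised constant tables and select one per host, which removes the write window between `pax_open_kernel()` and `pax_close_kernel()` altogether. If the in-place write stays, a comment such as `/* one-time probe fixup of the otherwise write-protected ops table; the cast bypasses const */` would explain why the cast is there. mmci_probe continues outside the hunk.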
49787diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c
49788index 4d12032..2b0eb6d 100644
49789--- a/drivers/mmc/host/omap_hsmmc.c
49790+++ b/drivers/mmc/host/omap_hsmmc.c
49791@@ -1984,7 +1984,9 @@ static int omap_hsmmc_probe(struct platform_device *pdev)
49792
49793 if (host->pdata->controller_flags & OMAP_HSMMC_BROKEN_MULTIBLOCK_READ) {
49794 dev_info(&pdev->dev, "multiblock reads disabled due to 35xx erratum 2.1.1.128; MMC read performance may suffer\n");
49795- omap_hsmmc_ops.multi_io_quirk = omap_hsmmc_multi_io_quirk;
49796+ pax_open_kernel();
49797+ *(void **)&omap_hsmmc_ops.multi_io_quirk = omap_hsmmc_multi_io_quirk;
49798+ pax_close_kernel();
49799 }
49800
49801 device_init_wakeup(&pdev->dev, true);
49802diff --git a/drivers/mmc/host/sdhci-esdhc-imx.c b/drivers/mmc/host/sdhci-esdhc-imx.c
49803index c6b9f64..00e656c 100644
49804--- a/drivers/mmc/host/sdhci-esdhc-imx.c
49805+++ b/drivers/mmc/host/sdhci-esdhc-imx.c
49806@@ -1088,9 +1088,12 @@ static int sdhci_esdhc_imx_probe(struct platform_device *pdev)
49807 host->ioaddr + 0x6c);
49808 }
49809
49810- if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING)
49811- sdhci_esdhc_ops.platform_execute_tuning =
49812+ if (imx_data->socdata->flags & ESDHC_FLAG_MAN_TUNING) {
49813+ pax_open_kernel();
49814+ *(void **)&sdhci_esdhc_ops.platform_execute_tuning =
49815 esdhc_executing_tuning;
49816+ pax_close_kernel();
49817+ }
49818
49819 if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING)
49820 writel(readl(host->ioaddr + ESDHC_TUNING_CTRL) |
49821diff --git a/drivers/mmc/host/sdhci-s3c.c b/drivers/mmc/host/sdhci-s3c.c
49822index 70c724b..308aafc 100644
49823--- a/drivers/mmc/host/sdhci-s3c.c
49824+++ b/drivers/mmc/host/sdhci-s3c.c
49825@@ -598,9 +598,11 @@ static int sdhci_s3c_probe(struct platform_device *pdev)
49826 * we can use overriding functions instead of default.
49827 */
49828 if (sc->no_divider) {
49829- sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock;
49830- sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock;
49831- sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock;
49832+ pax_open_kernel();
49833+ *(void **)&sdhci_s3c_ops.set_clock = sdhci_cmu_set_clock;
49834+ *(void **)&sdhci_s3c_ops.get_min_clock = sdhci_cmu_get_min_clock;
49835+ *(void **)&sdhci_s3c_ops.get_max_clock = sdhci_cmu_get_max_clock;
49836+ pax_close_kernel();
49837 }
49838
49839 /* It supports additional host capabilities if needed */
49840diff --git a/drivers/mtd/chips/cfi_cmdset_0020.c b/drivers/mtd/chips/cfi_cmdset_0020.c
49841index 9a1a6ff..b8f1a57 100644
49842--- a/drivers/mtd/chips/cfi_cmdset_0020.c
49843+++ b/drivers/mtd/chips/cfi_cmdset_0020.c
49844@@ -666,7 +666,7 @@ cfi_staa_writev(struct mtd_info *mtd, const struct kvec *vecs,
49845 size_t totlen = 0, thislen;
49846 int ret = 0;
49847 size_t buflen = 0;
49848- static char *buffer;
49849+ char *buffer;
49850
49851 if (!ECCBUF_SIZE) {
49852 /* We should fall back to a general writev implementation.
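Review bot: With `static` dropped, `buffer` becomes an automatic variable with an indeterminate initial value, whereas the static version started out as NULL. The first assignment lies outside the hunk, so it cannot be confirmed from here that every path writes the pointer before it is read or freed. Declaring it as `char *buffer = NULL;` keeps the old starting value at no cost. cfi_staa_writev's body continues past the hunk.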
49853diff --git a/drivers/mtd/nand/denali.c b/drivers/mtd/nand/denali.c
49854index 870c7fc..c7d6440 100644
49855--- a/drivers/mtd/nand/denali.c
49856+++ b/drivers/mtd/nand/denali.c
49857@@ -24,6 +24,7 @@
49858 #include <linux/slab.h>
49859 #include <linux/mtd/mtd.h>
49860 #include <linux/module.h>
49861+#include <linux/slab.h>
49862
49863 #include "denali.h"
49864
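Review bot: The added `#include <linux/slab.h>` repeats the include that is already present three lines above it in the same hunk. The duplicate is harmless at build time but carries no change, so the line should be dropped, which leaves this file's hunk empty.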
49865diff --git a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
49866index 1b8f350..990f2e9 100644
49867--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
49868+++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c
49869@@ -386,7 +386,7 @@ void prepare_data_dma(struct gpmi_nand_data *this, enum dma_data_direction dr)
49870
49871 /* first try to map the upper buffer directly */
49872 if (virt_addr_valid(this->upper_buf) &&
49873- !object_is_on_stack(this->upper_buf)) {
49874+ !object_starts_on_stack(this->upper_buf)) {
49875 sg_init_one(sgl, this->upper_buf, this->upper_len);
49876 ret = dma_map_sg(this->dev, sgl, 1, dr);
49877 if (ret == 0)
49878diff --git a/drivers/mtd/nftlmount.c b/drivers/mtd/nftlmount.c
49879index a5dfbfb..8042ab4 100644
49880--- a/drivers/mtd/nftlmount.c
49881+++ b/drivers/mtd/nftlmount.c
49882@@ -24,6 +24,7 @@
49883 #include <asm/errno.h>
49884 #include <linux/delay.h>
49885 #include <linux/slab.h>
49886+#include <linux/sched.h>
49887 #include <linux/mtd/mtd.h>
49888 #include <linux/mtd/nand.h>
49889 #include <linux/mtd/nftl.h>
49890diff --git a/drivers/mtd/sm_ftl.c b/drivers/mtd/sm_ftl.c
49891index c23184a..4115c41 100644
49892--- a/drivers/mtd/sm_ftl.c
49893+++ b/drivers/mtd/sm_ftl.c
49894@@ -56,7 +56,7 @@ static ssize_t sm_attr_show(struct device *dev, struct device_attribute *attr,
49895 #define SM_CIS_VENDOR_OFFSET 0x59
49896 static struct attribute_group *sm_create_sysfs_attributes(struct sm_ftl *ftl)
49897 {
49898- struct attribute_group *attr_group;
49899+ attribute_group_no_const *attr_group;
49900 struct attribute **attributes;
49901 struct sm_sysfs_attribute *vendor_attribute;
49902 char *vendor;
49903diff --git a/drivers/net/bonding/bond_netlink.c b/drivers/net/bonding/bond_netlink.c
49904index 1bda292..3f4af40 100644
49905--- a/drivers/net/bonding/bond_netlink.c
49906+++ b/drivers/net/bonding/bond_netlink.c
49907@@ -649,7 +649,7 @@ nla_put_failure:
49908 return -EMSGSIZE;
49909 }
49910
49911-struct rtnl_link_ops bond_link_ops __read_mostly = {
49912+struct rtnl_link_ops bond_link_ops = {
49913 .kind = "bond",
49914 .priv_size = sizeof(struct bonding),
49915 .setup = bond_setup,
49916diff --git a/drivers/net/caif/caif_hsi.c b/drivers/net/caif/caif_hsi.c
49917index b3b922a..80bba38 100644
49918--- a/drivers/net/caif/caif_hsi.c
49919+++ b/drivers/net/caif/caif_hsi.c
49920@@ -1444,7 +1444,7 @@ err:
49921 return -ENODEV;
49922 }
49923
49924-static struct rtnl_link_ops caif_hsi_link_ops __read_mostly = {
49925+static struct rtnl_link_ops caif_hsi_link_ops = {
49926 .kind = "cfhsi",
49927 .priv_size = sizeof(struct cfhsi),
49928 .setup = cfhsi_setup,
49929diff --git a/drivers/net/can/Kconfig b/drivers/net/can/Kconfig
49930index e8c96b8..516a96c 100644
49931--- a/drivers/net/can/Kconfig
49932+++ b/drivers/net/can/Kconfig
49933@@ -98,7 +98,7 @@ config CAN_JANZ_ICAN3
49934
49935 config CAN_FLEXCAN
49936 tristate "Support for Freescale FLEXCAN based chips"
49937- depends on ARM || PPC
49938+ depends on (ARM && CPU_LITTLE_ENDIAN) || PPC
49939 ---help---
49940 Say Y here if you want to support for Freescale FlexCAN.
49941
49942diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c
49943index aede704..ca734ed 100644
49944--- a/drivers/net/can/dev.c
49945+++ b/drivers/net/can/dev.c
49946@@ -915,7 +915,7 @@ static int can_fill_info(struct sk_buff *skb, const struct net_device *dev)
49947 nla_put(skb, IFLA_CAN_BITTIMING_CONST,
49948 sizeof(*priv->bittiming_const), priv->bittiming_const)) ||
49949
49950- nla_put(skb, IFLA_CAN_CLOCK, sizeof(cm), &priv->clock) ||
49951+ nla_put(skb, IFLA_CAN_CLOCK, sizeof(priv->clock), &priv->clock) ||
49952 nla_put_u32(skb, IFLA_CAN_STATE, state) ||
49953 nla_put(skb, IFLA_CAN_CTRLMODE, sizeof(cm), &cm) ||
49954 nla_put_u32(skb, IFLA_CAN_RESTART_MS, priv->restart_ms) ||
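Review bot: The length for `IFLA_CAN_CLOCK` now comes from the object being copied, `sizeof(priv->clock)`, but the attribute-size estimate that sizes the skb for this message is not in the hunk and should be checked to use the same expression. The neighbouring `IFLA_CAN_CTRLMODE` line shows how the two were confused: `cm` is a different local, and reusing its size here would have copied bytes beyond `priv->clock` into the netlink reply if `cm` is the larger object. A short comment above the chain, `/* each length must be sizeof the object passed on the same line */`, would help keep future attributes consistent. can_fill_info starts and ends outside the hunk.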
49955@@ -961,7 +961,7 @@ static int can_newlink(struct net *src_net, struct net_device *dev,
49956 return -EOPNOTSUPP;
49957 }
49958
49959-static struct rtnl_link_ops can_link_ops __read_mostly = {
49960+static struct rtnl_link_ops can_link_ops = {
49961 .kind = "can",
49962 .maxtype = IFLA_CAN_MAX,
49963 .policy = can_policy,
49964diff --git a/drivers/net/can/vcan.c b/drivers/net/can/vcan.c
49965index 674f367..ec3a31f 100644
49966--- a/drivers/net/can/vcan.c
49967+++ b/drivers/net/can/vcan.c
49968@@ -163,7 +163,7 @@ static void vcan_setup(struct net_device *dev)
49969 dev->destructor = free_netdev;
49970 }
49971
49972-static struct rtnl_link_ops vcan_link_ops __read_mostly = {
49973+static struct rtnl_link_ops vcan_link_ops = {
49974 .kind = "vcan",
49975 .setup = vcan_setup,
49976 };
49977diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c
49978index 49adbf1..fff7ff8 100644
49979--- a/drivers/net/dummy.c
49980+++ b/drivers/net/dummy.c
49981@@ -164,7 +164,7 @@ static int dummy_validate(struct nlattr *tb[], struct nlattr *data[])
49982 return 0;
49983 }
49984
49985-static struct rtnl_link_ops dummy_link_ops __read_mostly = {
49986+static struct rtnl_link_ops dummy_link_ops = {
49987 .kind = DRV_NAME,
49988 .setup = dummy_setup,
49989 .validate = dummy_validate,
49990diff --git a/drivers/net/ethernet/8390/ax88796.c b/drivers/net/ethernet/8390/ax88796.c
49991index 0443654..4f0aa18 100644
49992--- a/drivers/net/ethernet/8390/ax88796.c
49993+++ b/drivers/net/ethernet/8390/ax88796.c
49994@@ -889,9 +889,11 @@ static int ax_probe(struct platform_device *pdev)
49995 if (ax->plat->reg_offsets)
49996 ei_local->reg_offset = ax->plat->reg_offsets;
49997 else {
49998+ resource_size_t _mem_size = mem_size;
49999+ do_div(_mem_size, 0x18);
50000 ei_local->reg_offset = ax->reg_offsets;
50001 for (ret = 0; ret < 0x18; ret++)
50002- ax->reg_offsets[ret] = (mem_size / 0x18) * ret;
50003+ ax->reg_offsets[ret] = _mem_size * ret;
50004 }
50005
50006 if (!request_mem_region(mem->start, mem_size, pdev->name)) {
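Review bot: `do_div()` expects a 64-bit dividend, but `_mem_size` is declared `resource_size_t`, whose width depends on the platform's physical-address configuration. On a build where it is 32 bits, the macro's type check warns and the result is not reliable. Declaring the temporary as `u64 reg_stride = mem_size;` before `do_div(reg_stride, 0x18);` avoids that and also drops the leading-underscore name. The hunk shows neither `mem_size`'s declaration nor the element type of `ax->reg_offsets[]`, so whether the product `reg_stride * ret` can truncate on assignment should be checked as well. ax_probe continues outside the hunk.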
50007diff --git a/drivers/net/ethernet/altera/altera_tse_main.c b/drivers/net/ethernet/altera/altera_tse_main.c
50008index 8207877..ce13e99 100644
50009--- a/drivers/net/ethernet/altera/altera_tse_main.c
50010+++ b/drivers/net/ethernet/altera/altera_tse_main.c
50011@@ -1255,7 +1255,7 @@ static int tse_shutdown(struct net_device *dev)
50012 return 0;
50013 }
50014
50015-static struct net_device_ops altera_tse_netdev_ops = {
50016+static net_device_ops_no_const altera_tse_netdev_ops __read_only = {
50017 .ndo_open = tse_open,
50018 .ndo_stop = tse_shutdown,
50019 .ndo_start_xmit = tse_start_xmit,
50020@@ -1492,11 +1492,13 @@ static int altera_tse_probe(struct platform_device *pdev)
50021 ndev->netdev_ops = &altera_tse_netdev_ops;
50022 altera_tse_set_ethtool_ops(ndev);
50023
50024+ pax_open_kernel();
50025 altera_tse_netdev_ops.ndo_set_rx_mode = tse_set_rx_mode;
50026
50027 if (priv->hash_filter)
50028 altera_tse_netdev_ops.ndo_set_rx_mode =
50029 tse_set_rx_mode_hashfilter;
50030+ pax_close_kernel();
50031
50032 /* Scatter/gather IO is not supported,
50033 * so it is turned off
50034diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-common.h b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
50035index b6fa891..31ef157 100644
50036--- a/drivers/net/ethernet/amd/xgbe/xgbe-common.h
50037+++ b/drivers/net/ethernet/amd/xgbe/xgbe-common.h
50038@@ -1279,14 +1279,14 @@ do { \
50039 * operations, everything works on mask values.
50040 */
50041 #define XMDIO_READ(_pdata, _mmd, _reg) \
50042- ((_pdata)->hw_if.read_mmd_regs((_pdata), 0, \
50043+ ((_pdata)->hw_if->read_mmd_regs((_pdata), 0, \
50044 MII_ADDR_C45 | (_mmd << 16) | ((_reg) & 0xffff)))
50045
50046 #define XMDIO_READ_BITS(_pdata, _mmd, _reg, _mask) \
50047 (XMDIO_READ((_pdata), _mmd, _reg) & _mask)
50048
50049 #define XMDIO_WRITE(_pdata, _mmd, _reg, _val) \
50050- ((_pdata)->hw_if.write_mmd_regs((_pdata), 0, \
50051+ ((_pdata)->hw_if->write_mmd_regs((_pdata), 0, \
50052 MII_ADDR_C45 | (_mmd << 16) | ((_reg) & 0xffff), (_val)))
50053
50054 #define XMDIO_WRITE_BITS(_pdata, _mmd, _reg, _mask, _val) \
50055diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c b/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c
50056index a6b9899..2e5e972 100644
50057--- a/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c
50058+++ b/drivers/net/ethernet/amd/xgbe/xgbe-dcb.c
50059@@ -190,7 +190,7 @@ static int xgbe_dcb_ieee_setets(struct net_device *netdev,
50060
50061 memcpy(pdata->ets, ets, sizeof(*pdata->ets));
50062
50063- pdata->hw_if.config_dcb_tc(pdata);
50064+ pdata->hw_if->config_dcb_tc(pdata);
50065
50066 return 0;
50067 }
50068@@ -230,7 +230,7 @@ static int xgbe_dcb_ieee_setpfc(struct net_device *netdev,
50069
50070 memcpy(pdata->pfc, pfc, sizeof(*pdata->pfc));
50071
50072- pdata->hw_if.config_dcb_pfc(pdata);
50073+ pdata->hw_if->config_dcb_pfc(pdata);
50074
50075 return 0;
50076 }
50077diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
50078index b3bc87f..5bdfdd3 100644
50079--- a/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
50080+++ b/drivers/net/ethernet/amd/xgbe/xgbe-desc.c
50081@@ -353,7 +353,7 @@ static int xgbe_map_rx_buffer(struct xgbe_prv_data *pdata,
50082
50083 static void xgbe_wrapper_tx_descriptor_init(struct xgbe_prv_data *pdata)
50084 {
50085- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50086+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50087 struct xgbe_channel *channel;
50088 struct xgbe_ring *ring;
50089 struct xgbe_ring_data *rdata;
50090@@ -394,7 +394,7 @@ static void xgbe_wrapper_tx_descriptor_init(struct xgbe_prv_data *pdata)
50091
50092 static void xgbe_wrapper_rx_descriptor_init(struct xgbe_prv_data *pdata)
50093 {
50094- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50095+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50096 struct xgbe_channel *channel;
50097 struct xgbe_ring *ring;
50098 struct xgbe_ring_desc *rdesc;
50099@@ -628,17 +628,12 @@ err_out:
50100 return 0;
50101 }
50102
50103-void xgbe_init_function_ptrs_desc(struct xgbe_desc_if *desc_if)
50104-{
50105- DBGPR("-->xgbe_init_function_ptrs_desc\n");
50106-
50107- desc_if->alloc_ring_resources = xgbe_alloc_ring_resources;
50108- desc_if->free_ring_resources = xgbe_free_ring_resources;
50109- desc_if->map_tx_skb = xgbe_map_tx_skb;
50110- desc_if->map_rx_buffer = xgbe_map_rx_buffer;
50111- desc_if->unmap_rdata = xgbe_unmap_rdata;
50112- desc_if->wrapper_tx_desc_init = xgbe_wrapper_tx_descriptor_init;
50113- desc_if->wrapper_rx_desc_init = xgbe_wrapper_rx_descriptor_init;
50114-
50115- DBGPR("<--xgbe_init_function_ptrs_desc\n");
50116-}
50117+const struct xgbe_desc_if default_xgbe_desc_if = {
50118+ .alloc_ring_resources = xgbe_alloc_ring_resources,
50119+ .free_ring_resources = xgbe_free_ring_resources,
50120+ .map_tx_skb = xgbe_map_tx_skb,
50121+ .map_rx_buffer = xgbe_map_rx_buffer,
50122+ .unmap_rdata = xgbe_unmap_rdata,
50123+ .wrapper_tx_desc_init = xgbe_wrapper_tx_descriptor_init,
50124+ .wrapper_rx_desc_init = xgbe_wrapper_rx_descriptor_init,
50125+};
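Review bot: `default_xgbe_desc_if` is defined `const`, yet the locals earlier in this file are still declared as pointers to non-const, for example `struct xgbe_hw_if *hw_if = pdata->hw_if;`. The member declarations in `struct xgbe_prv_data` are outside this chunk. If they are const-qualified, these initialisations discard the qualifier; if they are not, a write through the pointer to a read-only table compiles and only faults at run time. Declaring the locals as `const struct xgbe_hw_if *hw_if` and `const struct xgbe_desc_if *desc_if`, here and in the xgbe-dev.c and xgbe-drv.c hunks, lets the compiler reject such writes. A one-line comment on the table saying where `pdata->desc_if` is pointed at it would also help, since that assignment is not in this file's hunks.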
50126diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
50127index a4473d8..039a2ab 100644
50128--- a/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
50129+++ b/drivers/net/ethernet/amd/xgbe/xgbe-dev.c
50130@@ -2776,7 +2776,7 @@ static void xgbe_powerdown_rx(struct xgbe_prv_data *pdata)
50131
50132 static int xgbe_init(struct xgbe_prv_data *pdata)
50133 {
50134- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50135+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50136 int ret;
50137
50138 DBGPR("-->xgbe_init\n");
50139@@ -2842,106 +2842,101 @@ static int xgbe_init(struct xgbe_prv_data *pdata)
50140 return 0;
50141 }
50142
50143-void xgbe_init_function_ptrs_dev(struct xgbe_hw_if *hw_if)
50144-{
50145- DBGPR("-->xgbe_init_function_ptrs\n");
50146-
50147- hw_if->tx_complete = xgbe_tx_complete;
50148-
50149- hw_if->set_mac_address = xgbe_set_mac_address;
50150- hw_if->config_rx_mode = xgbe_config_rx_mode;
50151-
50152- hw_if->enable_rx_csum = xgbe_enable_rx_csum;
50153- hw_if->disable_rx_csum = xgbe_disable_rx_csum;
50154-
50155- hw_if->enable_rx_vlan_stripping = xgbe_enable_rx_vlan_stripping;
50156- hw_if->disable_rx_vlan_stripping = xgbe_disable_rx_vlan_stripping;
50157- hw_if->enable_rx_vlan_filtering = xgbe_enable_rx_vlan_filtering;
50158- hw_if->disable_rx_vlan_filtering = xgbe_disable_rx_vlan_filtering;
50159- hw_if->update_vlan_hash_table = xgbe_update_vlan_hash_table;
50160-
50161- hw_if->read_mmd_regs = xgbe_read_mmd_regs;
50162- hw_if->write_mmd_regs = xgbe_write_mmd_regs;
50163-
50164- hw_if->set_gmii_speed = xgbe_set_gmii_speed;
50165- hw_if->set_gmii_2500_speed = xgbe_set_gmii_2500_speed;
50166- hw_if->set_xgmii_speed = xgbe_set_xgmii_speed;
50167-
50168- hw_if->enable_tx = xgbe_enable_tx;
50169- hw_if->disable_tx = xgbe_disable_tx;
50170- hw_if->enable_rx = xgbe_enable_rx;
50171- hw_if->disable_rx = xgbe_disable_rx;
50172-
50173- hw_if->powerup_tx = xgbe_powerup_tx;
50174- hw_if->powerdown_tx = xgbe_powerdown_tx;
50175- hw_if->powerup_rx = xgbe_powerup_rx;
50176- hw_if->powerdown_rx = xgbe_powerdown_rx;
50177-
50178- hw_if->dev_xmit = xgbe_dev_xmit;
50179- hw_if->dev_read = xgbe_dev_read;
50180- hw_if->enable_int = xgbe_enable_int;
50181- hw_if->disable_int = xgbe_disable_int;
50182- hw_if->init = xgbe_init;
50183- hw_if->exit = xgbe_exit;
50184+const struct xgbe_hw_if default_xgbe_hw_if = {
50185+ .tx_complete = xgbe_tx_complete,
50186+
50187+ .set_mac_address = xgbe_set_mac_address,
50188+ .config_rx_mode = xgbe_config_rx_mode,
50189+
50190+ .enable_rx_csum = xgbe_enable_rx_csum,
50191+ .disable_rx_csum = xgbe_disable_rx_csum,
50192+
50193+ .enable_rx_vlan_stripping = xgbe_enable_rx_vlan_stripping,
50194+ .disable_rx_vlan_stripping = xgbe_disable_rx_vlan_stripping,
50195+ .enable_rx_vlan_filtering = xgbe_enable_rx_vlan_filtering,
50196+ .disable_rx_vlan_filtering = xgbe_disable_rx_vlan_filtering,
50197+ .update_vlan_hash_table = xgbe_update_vlan_hash_table,
50198+
50199+ .read_mmd_regs = xgbe_read_mmd_regs,
50200+ .write_mmd_regs = xgbe_write_mmd_regs,
50201+
50202+ .set_gmii_speed = xgbe_set_gmii_speed,
50203+ .set_gmii_2500_speed = xgbe_set_gmii_2500_speed,
50204+ .set_xgmii_speed = xgbe_set_xgmii_speed,
50205+
50206+ .enable_tx = xgbe_enable_tx,
50207+ .disable_tx = xgbe_disable_tx,
50208+ .enable_rx = xgbe_enable_rx,
50209+ .disable_rx = xgbe_disable_rx,
50210+
50211+ .powerup_tx = xgbe_powerup_tx,
50212+ .powerdown_tx = xgbe_powerdown_tx,
50213+ .powerup_rx = xgbe_powerup_rx,
50214+ .powerdown_rx = xgbe_powerdown_rx,
50215+
50216+ .dev_xmit = xgbe_dev_xmit,
50217+ .dev_read = xgbe_dev_read,
50218+ .enable_int = xgbe_enable_int,
50219+ .disable_int = xgbe_disable_int,
50220+ .init = xgbe_init,
50221+ .exit = xgbe_exit,
50222
50223 /* Descriptor related Sequences have to be initialized here */
50224- hw_if->tx_desc_init = xgbe_tx_desc_init;
50225- hw_if->rx_desc_init = xgbe_rx_desc_init;
50226- hw_if->tx_desc_reset = xgbe_tx_desc_reset;
50227- hw_if->rx_desc_reset = xgbe_rx_desc_reset;
50228- hw_if->is_last_desc = xgbe_is_last_desc;
50229- hw_if->is_context_desc = xgbe_is_context_desc;
50230- hw_if->tx_start_xmit = xgbe_tx_start_xmit;
50231+ .tx_desc_init = xgbe_tx_desc_init,
50232+ .rx_desc_init = xgbe_rx_desc_init,
50233+ .tx_desc_reset = xgbe_tx_desc_reset,
50234+ .rx_desc_reset = xgbe_rx_desc_reset,
50235+ .is_last_desc = xgbe_is_last_desc,
50236+ .is_context_desc = xgbe_is_context_desc,
50237+ .tx_start_xmit = xgbe_tx_start_xmit,
50238
50239 /* For FLOW ctrl */
50240- hw_if->config_tx_flow_control = xgbe_config_tx_flow_control;
50241- hw_if->config_rx_flow_control = xgbe_config_rx_flow_control;
50242+ .config_tx_flow_control = xgbe_config_tx_flow_control,
50243+ .config_rx_flow_control = xgbe_config_rx_flow_control,
50244
50245 /* For RX coalescing */
50246- hw_if->config_rx_coalesce = xgbe_config_rx_coalesce;
50247- hw_if->config_tx_coalesce = xgbe_config_tx_coalesce;
50248- hw_if->usec_to_riwt = xgbe_usec_to_riwt;
50249- hw_if->riwt_to_usec = xgbe_riwt_to_usec;
50250+ .config_rx_coalesce = xgbe_config_rx_coalesce,
50251+ .config_tx_coalesce = xgbe_config_tx_coalesce,
50252+ .usec_to_riwt = xgbe_usec_to_riwt,
50253+ .riwt_to_usec = xgbe_riwt_to_usec,
50254
50255 /* For RX and TX threshold config */
50256- hw_if->config_rx_threshold = xgbe_config_rx_threshold;
50257- hw_if->config_tx_threshold = xgbe_config_tx_threshold;
50258+ .config_rx_threshold = xgbe_config_rx_threshold,
50259+ .config_tx_threshold = xgbe_config_tx_threshold,
50260
50261 /* For RX and TX Store and Forward Mode config */
50262- hw_if->config_rsf_mode = xgbe_config_rsf_mode;
50263- hw_if->config_tsf_mode = xgbe_config_tsf_mode;
50264+ .config_rsf_mode = xgbe_config_rsf_mode,
50265+ .config_tsf_mode = xgbe_config_tsf_mode,
50266
50267 /* For TX DMA Operating on Second Frame config */
50268- hw_if->config_osp_mode = xgbe_config_osp_mode;
50269+ .config_osp_mode = xgbe_config_osp_mode,
50270
50271 /* For RX and TX PBL config */
50272- hw_if->config_rx_pbl_val = xgbe_config_rx_pbl_val;
50273- hw_if->get_rx_pbl_val = xgbe_get_rx_pbl_val;
50274- hw_if->config_tx_pbl_val = xgbe_config_tx_pbl_val;
50275- hw_if->get_tx_pbl_val = xgbe_get_tx_pbl_val;
50276- hw_if->config_pblx8 = xgbe_config_pblx8;
50277+ .config_rx_pbl_val = xgbe_config_rx_pbl_val,
50278+ .get_rx_pbl_val = xgbe_get_rx_pbl_val,
50279+ .config_tx_pbl_val = xgbe_config_tx_pbl_val,
50280+ .get_tx_pbl_val = xgbe_get_tx_pbl_val,
50281+ .config_pblx8 = xgbe_config_pblx8,
50282
50283 /* For MMC statistics support */
50284- hw_if->tx_mmc_int = xgbe_tx_mmc_int;
50285- hw_if->rx_mmc_int = xgbe_rx_mmc_int;
50286- hw_if->read_mmc_stats = xgbe_read_mmc_stats;
50287+ .tx_mmc_int = xgbe_tx_mmc_int,
50288+ .rx_mmc_int = xgbe_rx_mmc_int,
50289+ .read_mmc_stats = xgbe_read_mmc_stats,
50290
50291 /* For PTP config */
50292- hw_if->config_tstamp = xgbe_config_tstamp;
50293- hw_if->update_tstamp_addend = xgbe_update_tstamp_addend;
50294- hw_if->set_tstamp_time = xgbe_set_tstamp_time;
50295- hw_if->get_tstamp_time = xgbe_get_tstamp_time;
50296- hw_if->get_tx_tstamp = xgbe_get_tx_tstamp;
50297+ .config_tstamp = xgbe_config_tstamp,
50298+ .update_tstamp_addend = xgbe_update_tstamp_addend,
50299+ .set_tstamp_time = xgbe_set_tstamp_time,
50300+ .get_tstamp_time = xgbe_get_tstamp_time,
50301+ .get_tx_tstamp = xgbe_get_tx_tstamp,
50302
50303 /* For Data Center Bridging config */
50304- hw_if->config_dcb_tc = xgbe_config_dcb_tc;
50305- hw_if->config_dcb_pfc = xgbe_config_dcb_pfc;
50306+ .config_dcb_tc = xgbe_config_dcb_tc,
50307+ .config_dcb_pfc = xgbe_config_dcb_pfc,
50308
50309 /* For Receive Side Scaling */
50310- hw_if->enable_rss = xgbe_enable_rss;
50311- hw_if->disable_rss = xgbe_disable_rss;
50312- hw_if->set_rss_hash_key = xgbe_set_rss_hash_key;
50313- hw_if->set_rss_lookup_table = xgbe_set_rss_lookup_table;
50314-
50315- DBGPR("<--xgbe_init_function_ptrs\n");
50316-}
50317+ .enable_rss = xgbe_enable_rss,
50318+ .disable_rss = xgbe_disable_rss,
50319+ .set_rss_hash_key = xgbe_set_rss_hash_key,
50320+ .set_rss_lookup_table = xgbe_set_rss_lookup_table,
50321+};
50322diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
50323index aae9d5e..29ce58d 100644
50324--- a/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
50325+++ b/drivers/net/ethernet/amd/xgbe/xgbe-drv.c
50326@@ -245,7 +245,7 @@ static int xgbe_maybe_stop_tx_queue(struct xgbe_channel *channel,
50327 * support, tell it now
50328 */
50329 if (ring->tx.xmit_more)
50330- pdata->hw_if.tx_start_xmit(channel, ring);
50331+ pdata->hw_if->tx_start_xmit(channel, ring);
50332
50333 return NETDEV_TX_BUSY;
50334 }
50335@@ -273,7 +273,7 @@ static int xgbe_calc_rx_buf_size(struct net_device *netdev, unsigned int mtu)
50336
50337 static void xgbe_enable_rx_tx_ints(struct xgbe_prv_data *pdata)
50338 {
50339- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50340+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50341 struct xgbe_channel *channel;
50342 enum xgbe_int int_id;
50343 unsigned int i;
50344@@ -295,7 +295,7 @@ static void xgbe_enable_rx_tx_ints(struct xgbe_prv_data *pdata)
50345
50346 static void xgbe_disable_rx_tx_ints(struct xgbe_prv_data *pdata)
50347 {
50348- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50349+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50350 struct xgbe_channel *channel;
50351 enum xgbe_int int_id;
50352 unsigned int i;
50353@@ -318,7 +318,7 @@ static void xgbe_disable_rx_tx_ints(struct xgbe_prv_data *pdata)
50354 static irqreturn_t xgbe_isr(int irq, void *data)
50355 {
50356 struct xgbe_prv_data *pdata = data;
50357- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50358+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50359 struct xgbe_channel *channel;
50360 unsigned int dma_isr, dma_ch_isr;
50361 unsigned int mac_isr, mac_tssr;
50362@@ -443,7 +443,7 @@ static void xgbe_service(struct work_struct *work)
50363 struct xgbe_prv_data,
50364 service_work);
50365
50366- pdata->phy_if.phy_status(pdata);
50367+ pdata->phy_if->phy_status(pdata);
50368 }
50369
50370 static void xgbe_service_timer(unsigned long data)
50371@@ -702,7 +702,7 @@ static void xgbe_free_irqs(struct xgbe_prv_data *pdata)
50372
50373 void xgbe_init_tx_coalesce(struct xgbe_prv_data *pdata)
50374 {
50375- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50376+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50377
50378 DBGPR("-->xgbe_init_tx_coalesce\n");
50379
50380@@ -716,7 +716,7 @@ void xgbe_init_tx_coalesce(struct xgbe_prv_data *pdata)
50381
50382 void xgbe_init_rx_coalesce(struct xgbe_prv_data *pdata)
50383 {
50384- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50385+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50386
50387 DBGPR("-->xgbe_init_rx_coalesce\n");
50388
50389@@ -731,7 +731,7 @@ void xgbe_init_rx_coalesce(struct xgbe_prv_data *pdata)
50390
50391 static void xgbe_free_tx_data(struct xgbe_prv_data *pdata)
50392 {
50393- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50394+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50395 struct xgbe_channel *channel;
50396 struct xgbe_ring *ring;
50397 struct xgbe_ring_data *rdata;
50398@@ -756,7 +756,7 @@ static void xgbe_free_tx_data(struct xgbe_prv_data *pdata)
50399
50400 static void xgbe_free_rx_data(struct xgbe_prv_data *pdata)
50401 {
50402- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50403+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50404 struct xgbe_channel *channel;
50405 struct xgbe_ring *ring;
50406 struct xgbe_ring_data *rdata;
50407@@ -784,13 +784,13 @@ static int xgbe_phy_init(struct xgbe_prv_data *pdata)
50408 pdata->phy_link = -1;
50409 pdata->phy_speed = SPEED_UNKNOWN;
50410
50411- return pdata->phy_if.phy_reset(pdata);
50412+ return pdata->phy_if->phy_reset(pdata);
50413 }
50414
50415 int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
50416 {
50417 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50418- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50419+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50420 unsigned long flags;
50421
50422 DBGPR("-->xgbe_powerdown\n");
50423@@ -829,7 +829,7 @@ int xgbe_powerdown(struct net_device *netdev, unsigned int caller)
50424 int xgbe_powerup(struct net_device *netdev, unsigned int caller)
50425 {
50426 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50427- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50428+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50429 unsigned long flags;
50430
50431 DBGPR("-->xgbe_powerup\n");
50432@@ -866,8 +866,8 @@ int xgbe_powerup(struct net_device *netdev, unsigned int caller)
50433
50434 static int xgbe_start(struct xgbe_prv_data *pdata)
50435 {
50436- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50437- struct xgbe_phy_if *phy_if = &pdata->phy_if;
50438+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50439+ struct xgbe_phy_if *phy_if = pdata->phy_if;
50440 struct net_device *netdev = pdata->netdev;
50441 int ret;
50442
50443@@ -910,8 +910,8 @@ err_phy:
50444
50445 static void xgbe_stop(struct xgbe_prv_data *pdata)
50446 {
50447- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50448- struct xgbe_phy_if *phy_if = &pdata->phy_if;
50449+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50450+ struct xgbe_phy_if *phy_if = pdata->phy_if;
50451 struct xgbe_channel *channel;
50452 struct net_device *netdev = pdata->netdev;
50453 struct netdev_queue *txq;
50454@@ -1139,7 +1139,7 @@ static int xgbe_set_hwtstamp_settings(struct xgbe_prv_data *pdata,
50455 return -ERANGE;
50456 }
50457
50458- pdata->hw_if.config_tstamp(pdata, mac_tscr);
50459+ pdata->hw_if->config_tstamp(pdata, mac_tscr);
50460
50461 memcpy(&pdata->tstamp_config, &config, sizeof(config));
50462
50463@@ -1288,7 +1288,7 @@ static void xgbe_packet_info(struct xgbe_prv_data *pdata,
50464 static int xgbe_open(struct net_device *netdev)
50465 {
50466 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50467- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50468+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50469 int ret;
50470
50471 DBGPR("-->xgbe_open\n");
50472@@ -1360,7 +1360,7 @@ err_sysclk:
50473 static int xgbe_close(struct net_device *netdev)
50474 {
50475 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50476- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50477+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50478
50479 DBGPR("-->xgbe_close\n");
50480
50481@@ -1387,8 +1387,8 @@ static int xgbe_close(struct net_device *netdev)
50482 static int xgbe_xmit(struct sk_buff *skb, struct net_device *netdev)
50483 {
50484 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50485- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50486- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50487+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50488+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50489 struct xgbe_channel *channel;
50490 struct xgbe_ring *ring;
50491 struct xgbe_packet_data *packet;
50492@@ -1457,7 +1457,7 @@ tx_netdev_return:
50493 static void xgbe_set_rx_mode(struct net_device *netdev)
50494 {
50495 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50496- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50497+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50498
50499 DBGPR("-->xgbe_set_rx_mode\n");
50500
50501@@ -1469,7 +1469,7 @@ static void xgbe_set_rx_mode(struct net_device *netdev)
50502 static int xgbe_set_mac_address(struct net_device *netdev, void *addr)
50503 {
50504 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50505- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50506+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50507 struct sockaddr *saddr = addr;
50508
50509 DBGPR("-->xgbe_set_mac_address\n");
50510@@ -1544,7 +1544,7 @@ static struct rtnl_link_stats64 *xgbe_get_stats64(struct net_device *netdev,
50511
50512 DBGPR("-->%s\n", __func__);
50513
50514- pdata->hw_if.read_mmc_stats(pdata);
50515+ pdata->hw_if->read_mmc_stats(pdata);
50516
50517 s->rx_packets = pstats->rxframecount_gb;
50518 s->rx_bytes = pstats->rxoctetcount_gb;
50519@@ -1571,7 +1571,7 @@ static int xgbe_vlan_rx_add_vid(struct net_device *netdev, __be16 proto,
50520 u16 vid)
50521 {
50522 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50523- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50524+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50525
50526 DBGPR("-->%s\n", __func__);
50527
50528@@ -1587,7 +1587,7 @@ static int xgbe_vlan_rx_kill_vid(struct net_device *netdev, __be16 proto,
50529 u16 vid)
50530 {
50531 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50532- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50533+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50534
50535 DBGPR("-->%s\n", __func__);
50536
50537@@ -1654,7 +1654,7 @@ static int xgbe_set_features(struct net_device *netdev,
50538 netdev_features_t features)
50539 {
50540 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50541- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50542+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50543 netdev_features_t rxhash, rxcsum, rxvlan, rxvlan_filter;
50544 int ret = 0;
50545
50546@@ -1720,8 +1720,8 @@ struct net_device_ops *xgbe_get_netdev_ops(void)
50547 static void xgbe_rx_refresh(struct xgbe_channel *channel)
50548 {
50549 struct xgbe_prv_data *pdata = channel->pdata;
50550- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50551- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50552+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50553+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50554 struct xgbe_ring *ring = channel->rx_ring;
50555 struct xgbe_ring_data *rdata;
50556
50557@@ -1798,8 +1798,8 @@ static struct sk_buff *xgbe_create_skb(struct xgbe_prv_data *pdata,
50558 static int xgbe_tx_poll(struct xgbe_channel *channel)
50559 {
50560 struct xgbe_prv_data *pdata = channel->pdata;
50561- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50562- struct xgbe_desc_if *desc_if = &pdata->desc_if;
50563+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50564+ struct xgbe_desc_if *desc_if = pdata->desc_if;
50565 struct xgbe_ring *ring = channel->tx_ring;
50566 struct xgbe_ring_data *rdata;
50567 struct xgbe_ring_desc *rdesc;
50568@@ -1863,7 +1863,7 @@ static int xgbe_tx_poll(struct xgbe_channel *channel)
50569 static int xgbe_rx_poll(struct xgbe_channel *channel, int budget)
50570 {
50571 struct xgbe_prv_data *pdata = channel->pdata;
50572- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50573+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50574 struct xgbe_ring *ring = channel->rx_ring;
50575 struct xgbe_ring_data *rdata;
50576 struct xgbe_packet_data *packet;
50577diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c b/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
50578index 59e090e..90bc0b4 100644
50579--- a/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
50580+++ b/drivers/net/ethernet/amd/xgbe/xgbe-ethtool.c
50581@@ -211,7 +211,7 @@ static void xgbe_get_ethtool_stats(struct net_device *netdev,
50582
50583 DBGPR("-->%s\n", __func__);
50584
50585- pdata->hw_if.read_mmc_stats(pdata);
50586+ pdata->hw_if->read_mmc_stats(pdata);
50587 for (i = 0; i < XGBE_STATS_COUNT; i++) {
50588 stat = (u8 *)pdata + xgbe_gstring_stats[i].stat_offset;
50589 *data++ = *(u64 *)stat;
50590@@ -284,7 +284,7 @@ static int xgbe_set_pauseparam(struct net_device *netdev,
50591 pdata->phy.advertising ^= ADVERTISED_Asym_Pause;
50592
50593 if (netif_running(netdev))
50594- ret = pdata->phy_if.phy_config_aneg(pdata);
50595+ ret = pdata->phy_if->phy_config_aneg(pdata);
50596
50597 DBGPR("<--xgbe_set_pauseparam\n");
50598
50599@@ -364,7 +364,7 @@ static int xgbe_set_settings(struct net_device *netdev,
50600 pdata->phy.advertising &= ~ADVERTISED_Autoneg;
50601
50602 if (netif_running(netdev))
50603- ret = pdata->phy_if.phy_config_aneg(pdata);
50604+ ret = pdata->phy_if->phy_config_aneg(pdata);
50605
50606 DBGPR("<--xgbe_set_settings\n");
50607
50608@@ -411,7 +411,7 @@ static int xgbe_set_coalesce(struct net_device *netdev,
50609 struct ethtool_coalesce *ec)
50610 {
50611 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50612- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50613+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50614 unsigned int rx_frames, rx_riwt, rx_usecs;
50615 unsigned int tx_frames;
50616
50617@@ -536,7 +536,7 @@ static int xgbe_set_rxfh(struct net_device *netdev, const u32 *indir,
50618 const u8 *key, const u8 hfunc)
50619 {
50620 struct xgbe_prv_data *pdata = netdev_priv(netdev);
50621- struct xgbe_hw_if *hw_if = &pdata->hw_if;
50622+ struct xgbe_hw_if *hw_if = pdata->hw_if;
50623 unsigned int ret;
50624
50625 if (hfunc != ETH_RSS_HASH_NO_CHANGE && hfunc != ETH_RSS_HASH_TOP)
50626diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-main.c b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
50627index e83bd76..f2d5d56 100644
50628--- a/drivers/net/ethernet/amd/xgbe/xgbe-main.c
50629+++ b/drivers/net/ethernet/amd/xgbe/xgbe-main.c
50630@@ -202,13 +202,6 @@ static void xgbe_default_config(struct xgbe_prv_data *pdata)
50631 DBGPR("<--xgbe_default_config\n");
50632 }
50633
50634-static void xgbe_init_all_fptrs(struct xgbe_prv_data *pdata)
50635-{
50636- xgbe_init_function_ptrs_dev(&pdata->hw_if);
50637- xgbe_init_function_ptrs_phy(&pdata->phy_if);
50638- xgbe_init_function_ptrs_desc(&pdata->desc_if);
50639-}
50640-
50641 #ifdef CONFIG_ACPI
50642 static int xgbe_acpi_support(struct xgbe_prv_data *pdata)
50643 {
50644@@ -641,10 +634,12 @@ static int xgbe_probe(struct platform_device *pdev)
50645 memcpy(netdev->dev_addr, pdata->mac_addr, netdev->addr_len);
50646
50647 /* Set all the function pointers */
50648- xgbe_init_all_fptrs(pdata);
50649+ pdata->hw_if = &default_xgbe_hw_if;
50650+ pdata->phy_if = &default_xgbe_phy_if;
50651+ pdata->desc_if = &default_xgbe_desc_if;
50652
50653 /* Issue software reset to device */
50654- pdata->hw_if.exit(pdata);
50655+ pdata->hw_if->exit(pdata);
50656
50657 /* Populate the hardware features */
50658 xgbe_get_all_hw_features(pdata);
50659@@ -698,7 +693,7 @@ static int xgbe_probe(struct platform_device *pdev)
50660 XGMAC_SET_BITS(pdata->rss_options, MAC_RSSCR, UDP4TE, 1);
50661
50662 /* Call MDIO/PHY initialization routine */
50663- pdata->phy_if.phy_init(pdata);
50664+ pdata->phy_if->phy_init(pdata);
50665
50666 /* Set device operations */
50667 netdev->netdev_ops = xgbe_get_netdev_ops();
50668diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
50669index 9088c3a..2ffe7c4 100644
50670--- a/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
50671+++ b/drivers/net/ethernet/amd/xgbe/xgbe-mdio.c
50672@@ -202,7 +202,7 @@ static void xgbe_xgmii_mode(struct xgbe_prv_data *pdata)
50673 xgbe_an_enable_kr_training(pdata);
50674
50675 /* Set MAC to 10G speed */
50676- pdata->hw_if.set_xgmii_speed(pdata);
50677+ pdata->hw_if->set_xgmii_speed(pdata);
50678
50679 /* Set PCS to KR/10G speed */
50680 reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_CTRL2);
50681@@ -250,7 +250,7 @@ static void xgbe_gmii_2500_mode(struct xgbe_prv_data *pdata)
50682 xgbe_an_disable_kr_training(pdata);
50683
50684 /* Set MAC to 2.5G speed */
50685- pdata->hw_if.set_gmii_2500_speed(pdata);
50686+ pdata->hw_if->set_gmii_2500_speed(pdata);
50687
50688 /* Set PCS to KX/1G speed */
50689 reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_CTRL2);
50690@@ -298,7 +298,7 @@ static void xgbe_gmii_mode(struct xgbe_prv_data *pdata)
50691 xgbe_an_disable_kr_training(pdata);
50692
50693 /* Set MAC to 1G speed */
50694- pdata->hw_if.set_gmii_speed(pdata);
50695+ pdata->hw_if->set_gmii_speed(pdata);
50696
50697 /* Set PCS to KX/1G speed */
50698 reg = XMDIO_READ(pdata, MDIO_MMD_PCS, MDIO_CTRL2);
50699@@ -872,13 +872,13 @@ static void xgbe_phy_adjust_link(struct xgbe_prv_data *pdata)
50700
50701 if (pdata->tx_pause != pdata->phy.tx_pause) {
50702 new_state = 1;
50703- pdata->hw_if.config_tx_flow_control(pdata);
50704+ pdata->hw_if->config_tx_flow_control(pdata);
50705 pdata->tx_pause = pdata->phy.tx_pause;
50706 }
50707
50708 if (pdata->rx_pause != pdata->phy.rx_pause) {
50709 new_state = 1;
50710- pdata->hw_if.config_rx_flow_control(pdata);
50711+ pdata->hw_if->config_rx_flow_control(pdata);
50712 pdata->rx_pause = pdata->phy.rx_pause;
50713 }
50714
50715@@ -1351,14 +1351,13 @@ static void xgbe_phy_init(struct xgbe_prv_data *pdata)
50716 xgbe_dump_phy_registers(pdata);
50717 }
50718
50719-void xgbe_init_function_ptrs_phy(struct xgbe_phy_if *phy_if)
50720-{
50721- phy_if->phy_init = xgbe_phy_init;
50722+const struct xgbe_phy_if default_xgbe_phy_if = {
50723+ .phy_init = xgbe_phy_init,
50724
50725- phy_if->phy_reset = xgbe_phy_reset;
50726- phy_if->phy_start = xgbe_phy_start;
50727- phy_if->phy_stop = xgbe_phy_stop;
50728+ .phy_reset = xgbe_phy_reset,
50729+ .phy_start = xgbe_phy_start,
50730+ .phy_stop = xgbe_phy_stop,
50731
50732- phy_if->phy_status = xgbe_phy_status;
50733- phy_if->phy_config_aneg = xgbe_phy_config_aneg;
50734-}
50735+ .phy_status = xgbe_phy_status,
50736+ .phy_config_aneg = xgbe_phy_config_aneg,
50737+};
50738diff --git a/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c b/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c
50739index b03e4f5..78e4cc4 100644
50740--- a/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c
50741+++ b/drivers/net/ethernet/amd/xgbe/xgbe-ptp.c
50742@@ -129,7 +129,7 @@ static cycle_t xgbe_cc_read(const struct cyclecounter *cc)
50743 tstamp_cc);
50744 u64 nsec;
50745
50746- nsec = pdata->hw_if.get_tstamp_time(pdata);
50747+ nsec = pdata->hw_if->get_tstamp_time(pdata);
50748
50749 return nsec;
50750 }
50751@@ -158,7 +158,7 @@ static int xgbe_adjfreq(struct ptp_clock_info *info, s32 delta)
50752
50753 spin_lock_irqsave(&pdata->tstamp_lock, flags);
50754
50755- pdata->hw_if.update_tstamp_addend(pdata, addend);
50756+ pdata->hw_if->update_tstamp_addend(pdata, addend);
50757
50758 spin_unlock_irqrestore(&pdata->tstamp_lock, flags);
50759
50760diff --git a/drivers/net/ethernet/amd/xgbe/xgbe.h b/drivers/net/ethernet/amd/xgbe/xgbe.h
50761index 717ce21..aacd1f3 100644
50762--- a/drivers/net/ethernet/amd/xgbe/xgbe.h
50763+++ b/drivers/net/ethernet/amd/xgbe/xgbe.h
50764@@ -801,9 +801,9 @@ struct xgbe_prv_data {
50765 int dev_irq;
50766 unsigned int per_channel_irq;
50767
50768- struct xgbe_hw_if hw_if;
50769- struct xgbe_phy_if phy_if;
50770- struct xgbe_desc_if desc_if;
50771+ struct xgbe_hw_if *hw_if;
50772+ struct xgbe_phy_if *phy_if;
50773+ struct xgbe_desc_if *desc_if;
50774
50775 /* AXI DMA settings */
50776 unsigned int coherent;
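Review bot: The three interface members of struct xgbe_prv_data become plain `struct xgbe_hw_if *`, `struct xgbe_phy_if *` and `struct xgbe_desc_if *`, while the tables they point at are declared `const` in the next hunk. The assignment in xgbe_probe (`pdata->hw_if = &default_xgbe_hw_if;`) therefore discards the qualifier, unless the struct types are made const by some means not visible here. Declaring the members as `const struct xgbe_hw_if *hw_if;` (likewise for phy_if and desc_if) keeps the read-only guarantee in the type system, so an accidental write through the pointer fails at compile time instead of faulting at run time. The local copies in the xgbe-drv.c and xgbe-ethtool.c hunks (`struct xgbe_hw_if *hw_if = pdata->hw_if;`) would need the same qualifier. The struct definition begins and ends outside this hunk.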
50777@@ -964,6 +964,10 @@ struct xgbe_prv_data {
50778 #endif
50779 };
50780
50781+extern const struct xgbe_hw_if default_xgbe_hw_if;
50782+extern const struct xgbe_phy_if default_xgbe_phy_if;
50783+extern const struct xgbe_desc_if default_xgbe_desc_if;
50784+
50785 /* Function prototypes*/
50786
50787 void xgbe_init_function_ptrs_dev(struct xgbe_hw_if *);
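Review bot: The prototype `void xgbe_init_function_ptrs_dev(struct xgbe_hw_if *);` stays in place as context below the new `extern const` declarations. The xgbe-main.c hunk deletes xgbe_init_all_fptrs, its only caller visible in this patch, and the xgbe-mdio.c hunk deletes the definition of xgbe_init_function_ptrs_phy. If the dev and desc initialisers are removed the same way (their files are not in view here), the matching prototypes should be dropped from this header too, so it does not declare functions that no longer exist.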
50788diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
50789index 03b7404..01ff3b3 100644
50790--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
50791+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.h
50792@@ -1082,7 +1082,7 @@ static inline u8 bnx2x_get_path_func_num(struct bnx2x *bp)
50793 static inline void bnx2x_init_bp_objs(struct bnx2x *bp)
50794 {
50795 /* RX_MODE controlling object */
50796- bnx2x_init_rx_mode_obj(bp, &bp->rx_mode_obj);
50797+ bnx2x_init_rx_mode_obj(bp);
50798
50799 /* multicast configuration controlling object */
50800 bnx2x_init_mcast_obj(bp, &bp->mcast_obj, bp->fp->cl_id, bp->fp->cid,
50801diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
50802index 4ad415a..8e0a040 100644
50803--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
50804+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.c
50805@@ -2329,15 +2329,14 @@ int bnx2x_config_rx_mode(struct bnx2x *bp,
50806 return rc;
50807 }
50808
50809-void bnx2x_init_rx_mode_obj(struct bnx2x *bp,
50810- struct bnx2x_rx_mode_obj *o)
50811+void bnx2x_init_rx_mode_obj(struct bnx2x *bp)
50812 {
50813 if (CHIP_IS_E1x(bp)) {
50814- o->wait_comp = bnx2x_empty_rx_mode_wait;
50815- o->config_rx_mode = bnx2x_set_rx_mode_e1x;
50816+ bp->rx_mode_obj.wait_comp = bnx2x_empty_rx_mode_wait;
50817+ bp->rx_mode_obj.config_rx_mode = bnx2x_set_rx_mode_e1x;
50818 } else {
50819- o->wait_comp = bnx2x_wait_rx_mode_comp_e2;
50820- o->config_rx_mode = bnx2x_set_rx_mode_e2;
50821+ bp->rx_mode_obj.wait_comp = bnx2x_wait_rx_mode_comp_e2;
50822+ bp->rx_mode_obj.config_rx_mode = bnx2x_set_rx_mode_e2;
50823 }
50824 }
50825
50826diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
50827index 86baecb..ff3bb46 100644
50828--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
50829+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_sp.h
50830@@ -1411,8 +1411,7 @@ int bnx2x_vlan_mac_move(struct bnx2x *bp,
50831
50832 /********************* RX MODE ****************/
50833
50834-void bnx2x_init_rx_mode_obj(struct bnx2x *bp,
50835- struct bnx2x_rx_mode_obj *o);
50836+void bnx2x_init_rx_mode_obj(struct bnx2x *bp);
50837
50838 /**
50839 * bnx2x_config_rx_mode - Send and RX_MODE ramrod according to the provided parameters.
50840diff --git a/drivers/net/ethernet/broadcom/tg3.h b/drivers/net/ethernet/broadcom/tg3.h
50841index 31c9f82..e65e986 100644
50842--- a/drivers/net/ethernet/broadcom/tg3.h
50843+++ b/drivers/net/ethernet/broadcom/tg3.h
50844@@ -150,6 +150,7 @@
50845 #define CHIPREV_ID_5750_A0 0x4000
50846 #define CHIPREV_ID_5750_A1 0x4001
50847 #define CHIPREV_ID_5750_A3 0x4003
50848+#define CHIPREV_ID_5750_C1 0x4201
50849 #define CHIPREV_ID_5750_C2 0x4202
50850 #define CHIPREV_ID_5752_A0_HW 0x5000
50851 #define CHIPREV_ID_5752_A0 0x6000
50852diff --git a/drivers/net/ethernet/brocade/bna/bna_enet.c b/drivers/net/ethernet/brocade/bna/bna_enet.c
50853index 4e5c387..bba8173 100644
50854--- a/drivers/net/ethernet/brocade/bna/bna_enet.c
50855+++ b/drivers/net/ethernet/brocade/bna/bna_enet.c
50856@@ -1676,10 +1676,10 @@ bna_cb_ioceth_reset(void *arg)
50857 }
50858
50859 static struct bfa_ioc_cbfn bna_ioceth_cbfn = {
50860- bna_cb_ioceth_enable,
50861- bna_cb_ioceth_disable,
50862- bna_cb_ioceth_hbfail,
50863- bna_cb_ioceth_reset
50864+ .enable_cbfn = bna_cb_ioceth_enable,
50865+ .disable_cbfn = bna_cb_ioceth_disable,
50866+ .hbfail_cbfn = bna_cb_ioceth_hbfail,
50867+ .reset_cbfn = bna_cb_ioceth_reset
50868 };
50869
50870 static void bna_attr_init(struct bna_ioceth *ioceth)
50871diff --git a/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c b/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c
50872index 29f3308..b594c38 100644
50873--- a/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c
50874+++ b/drivers/net/ethernet/cavium/liquidio/lio_ethtool.c
50875@@ -265,9 +265,9 @@ static void octnet_mdio_resp_callback(struct octeon_device *oct,
50876 if (status) {
50877 dev_err(&oct->pci_dev->dev, "MIDO instruction failed. Status: %llx\n",
50878 CVM_CAST64(status));
50879- ACCESS_ONCE(mdio_cmd_ctx->cond) = -1;
50880+ ACCESS_ONCE_RW(mdio_cmd_ctx->cond) = -1;
50881 } else {
50882- ACCESS_ONCE(mdio_cmd_ctx->cond) = 1;
50883+ ACCESS_ONCE_RW(mdio_cmd_ctx->cond) = 1;
50884 }
50885 wake_up_interruptible(&mdio_cmd_ctx->wc);
50886 }
50887@@ -298,7 +298,7 @@ octnet_mdio45_access(struct lio *lio, int op, int loc, int *value)
50888 mdio_cmd_rsp = (struct oct_mdio_cmd_resp *)sc->virtrptr;
50889 mdio_cmd = (struct oct_mdio_cmd *)sc->virtdptr;
50890
50891- ACCESS_ONCE(mdio_cmd_ctx->cond) = 0;
50892+ ACCESS_ONCE_RW(mdio_cmd_ctx->cond) = 0;
50893 mdio_cmd_ctx->octeon_id = lio_get_device_id(oct_dev);
50894 mdio_cmd->op = op;
50895 mdio_cmd->mdio_addr = loc;
50896diff --git a/drivers/net/ethernet/cavium/liquidio/lio_main.c b/drivers/net/ethernet/cavium/liquidio/lio_main.c
50897index 0660dee..e07895e 100644
50898--- a/drivers/net/ethernet/cavium/liquidio/lio_main.c
50899+++ b/drivers/net/ethernet/cavium/liquidio/lio_main.c
50900@@ -1727,7 +1727,7 @@ static void if_cfg_callback(struct octeon_device *oct,
50901 if (resp->status)
50902 dev_err(&oct->pci_dev->dev, "nic if cfg instruction failed. Status: %llx\n",
50903 CVM_CAST64(resp->status));
50904- ACCESS_ONCE(ctx->cond) = 1;
50905+ ACCESS_ONCE_RW(ctx->cond) = 1;
50906
50907 /* This barrier is required to be sure that the response has been
50908 * written fully before waking up the handler
50909@@ -3177,7 +3177,7 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
50910 dev_dbg(&octeon_dev->pci_dev->dev,
50911 "requesting config for interface %d, iqs %d, oqs %d\n",
50912 i, num_iqueues, num_oqueues);
50913- ACCESS_ONCE(ctx->cond) = 0;
50914+ ACCESS_ONCE_RW(ctx->cond) = 0;
50915 ctx->octeon_id = lio_get_device_id(octeon_dev);
50916 init_waitqueue_head(&ctx->wc);
50917
50918@@ -3240,8 +3240,11 @@ static int setup_nic_devices(struct octeon_device *octeon_dev)
50919 props = &octeon_dev->props[i];
50920 props->netdev = netdev;
50921
50922- if (num_iqueues > 1)
50923- lionetdevops.ndo_select_queue = select_q;
50924+ if (num_iqueues > 1) {
50925+ pax_open_kernel();
50926+ *(void **)&lionetdevops.ndo_select_queue = select_q;
50927+ pax_close_kernel();
50928+ }
50929
50930 /* Associate the routines that will handle different
50931 * netdev tasks.
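Review bot: The write `*(void **)&lionetdevops.ndo_select_queue = select_q;` goes through a `void **` cast, so the compiler no longer checks that select_q has the signature ndo_select_queue expects. It also changes what appears to be a file-scope ops table on the strength of one device's `num_iqueues`. A second constant table with `.ndo_select_queue = select_q` filled in, chosen where the driver assigns `netdev->netdev_ops`, would avoid opening kernel memory for writing at all. Failing that, casting to the member's own function-pointer type keeps a signature mismatch diagnosable. The same cast pattern appears in the mlx5e_build_netdev, qlcnic_83xx_configure_opmode and qlcnic_83xx_config_vnic_opmode hunks; setup_nic_devices continues outside this hunk.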
50932diff --git a/drivers/net/ethernet/chelsio/cxgb3/l2t.h b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
50933index 8cffcdf..aadf043 100644
50934--- a/drivers/net/ethernet/chelsio/cxgb3/l2t.h
50935+++ b/drivers/net/ethernet/chelsio/cxgb3/l2t.h
50936@@ -87,7 +87,7 @@ typedef void (*arp_failure_handler_func)(struct t3cdev * dev,
50937 */
50938 struct l2t_skb_cb {
50939 arp_failure_handler_func arp_failure_handler;
50940-};
50941+} __no_const;
50942
50943 #define L2T_SKB_CB(skb) ((struct l2t_skb_cb *)(skb)->cb)
50944
50945diff --git a/drivers/net/ethernet/dec/tulip/de4x5.c b/drivers/net/ethernet/dec/tulip/de4x5.c
50946index 8966f31..e15a101 100644
50947--- a/drivers/net/ethernet/dec/tulip/de4x5.c
50948+++ b/drivers/net/ethernet/dec/tulip/de4x5.c
50949@@ -5373,7 +5373,7 @@ de4x5_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
50950 for (i=0; i<ETH_ALEN; i++) {
50951 tmp.addr[i] = dev->dev_addr[i];
50952 }
50953- if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
50954+ if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
50955 break;
50956
50957 case DE4X5_SET_HWADDR: /* Set the hardware address */
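Review bot: An oversized `ioc->len` is reported as -EFAULT by the new test on the copy_to_user line, which tells the caller its buffer address was bad when the real problem is the length. Splitting the test keeps the error meaningful: `if (ioc->len > sizeof tmp.addr) return -EINVAL;` ahead of the existing `if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;`. The DE4X5_GET_STATS hunk below uses the same combined test. The switch case begins outside this hunk, so it cannot be seen here whether `ioc->len` has already been set to a fixed value.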
50958@@ -5413,7 +5413,7 @@ de4x5_ioctl(struct net_device *dev, struct ifreq *rq, int cmd)
50959 spin_lock_irqsave(&lp->lock, flags);
50960 memcpy(&statbuf, &lp->pktStats, ioc->len);
50961 spin_unlock_irqrestore(&lp->lock, flags);
50962- if (copy_to_user(ioc->data, &statbuf, ioc->len))
50963+ if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
50964 return -EFAULT;
50965 break;
50966 }
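Review bot: The added `ioc->len > sizeof statbuf` test runs only after `memcpy(&statbuf, &lp->pktStats, ioc->len);` has already copied `ioc->len` bytes into the on-stack `statbuf`, so the bound comes too late to protect the buffer it names. Unless `ioc->len` is assigned a fixed size earlier in this case (the start of the case is outside the hunk), the check belongs before the spin_lock_irqsave()/memcpy sequence, e.g. `if (ioc->len > sizeof statbuf) return -EFAULT;` placed ahead of the lock. A one-line comment there stating which of the two copies the bound is meant to guard would also help the next reader.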
50967diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c
50968index 6ca693b..fa18c3f 100644
50969--- a/drivers/net/ethernet/emulex/benet/be_main.c
50970+++ b/drivers/net/ethernet/emulex/benet/be_main.c
50971@@ -551,7 +551,7 @@ static void accumulate_16bit_val(u32 *acc, u16 val)
50972
50973 if (wrapped)
50974 newacc += 65536;
50975- ACCESS_ONCE(*acc) = newacc;
50976+ ACCESS_ONCE_RW(*acc) = newacc;
50977 }
50978
50979 static void populate_erx_stats(struct be_adapter *adapter,
50980diff --git a/drivers/net/ethernet/faraday/ftgmac100.c b/drivers/net/ethernet/faraday/ftgmac100.c
50981index 6d0c5d5..55be363 100644
50982--- a/drivers/net/ethernet/faraday/ftgmac100.c
50983+++ b/drivers/net/ethernet/faraday/ftgmac100.c
50984@@ -30,6 +30,8 @@
50985 #include <linux/netdevice.h>
50986 #include <linux/phy.h>
50987 #include <linux/platform_device.h>
50988+#include <linux/interrupt.h>
50989+#include <linux/irqreturn.h>
50990 #include <net/ip.h>
50991
50992 #include "ftgmac100.h"
50993diff --git a/drivers/net/ethernet/faraday/ftmac100.c b/drivers/net/ethernet/faraday/ftmac100.c
50994index dce5f7b..2433466 100644
50995--- a/drivers/net/ethernet/faraday/ftmac100.c
50996+++ b/drivers/net/ethernet/faraday/ftmac100.c
50997@@ -31,6 +31,8 @@
50998 #include <linux/module.h>
50999 #include <linux/netdevice.h>
51000 #include <linux/platform_device.h>
51001+#include <linux/interrupt.h>
51002+#include <linux/irqreturn.h>
51003
51004 #include "ftmac100.h"
51005
51006diff --git a/drivers/net/ethernet/intel/i40e/i40e_ptp.c b/drivers/net/ethernet/intel/i40e/i40e_ptp.c
51007index a92b772..250fe69 100644
51008--- a/drivers/net/ethernet/intel/i40e/i40e_ptp.c
51009+++ b/drivers/net/ethernet/intel/i40e/i40e_ptp.c
51010@@ -419,7 +419,7 @@ void i40e_ptp_set_increment(struct i40e_pf *pf)
51011 wr32(hw, I40E_PRTTSYN_INC_H, incval >> 32);
51012
51013 /* Update the base adjustement value. */
51014- ACCESS_ONCE(pf->ptp_base_adj) = incval;
51015+ ACCESS_ONCE_RW(pf->ptp_base_adj) = incval;
51016 smp_mb(); /* Force the above update. */
51017 }
51018
51019diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
51020index e5ba040..d47531c 100644
51021--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
51022+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ptp.c
51023@@ -782,7 +782,7 @@ void ixgbe_ptp_start_cyclecounter(struct ixgbe_adapter *adapter)
51024 }
51025
51026 /* update the base incval used to calculate frequency adjustment */
51027- ACCESS_ONCE(adapter->base_incval) = incval;
51028+ ACCESS_ONCE_RW(adapter->base_incval) = incval;
51029 smp_mb();
51030
51031 /* need lock to prevent incorrect read while modifying cyclecounter */
51032diff --git a/drivers/net/ethernet/mellanox/mlx4/cmd.c b/drivers/net/ethernet/mellanox/mlx4/cmd.c
51033index 0a32020..2177e56 100644
51034--- a/drivers/net/ethernet/mellanox/mlx4/cmd.c
51035+++ b/drivers/net/ethernet/mellanox/mlx4/cmd.c
51036@@ -2398,7 +2398,7 @@ int mlx4_multi_func_init(struct mlx4_dev *dev)
51037 }
51038 }
51039
51040- memset(&priv->mfunc.master.cmd_eqe, 0, dev->caps.eqe_size);
51041+ memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(struct mlx4_eqe));
51042 priv->mfunc.master.cmd_eqe.type = MLX4_EVENT_TYPE_CMD;
51043 INIT_WORK(&priv->mfunc.master.comm_work,
51044 mlx4_master_comm_channel);
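Review bot: The new length `sizeof(struct mlx4_eqe)` names a type rather than the object being cleared, so the bound and the destination can drift apart if the field's type ever changes. Writing `memset(&priv->mfunc.master.cmd_eqe, 0, sizeof(priv->mfunc.master.cmd_eqe));` ties the size to the destination itself. The slave_event hunk in eq.c has the same shape (`memcpy(s_eqe, eqe, sizeof(struct mlx4_eqe) - 1);`) and could use `sizeof(*s_eqe) - 1`, assuming s_eqe is a `struct mlx4_eqe *`; its declaration is outside that hunk. The `- 1` there would also benefit from a short comment saying which trailing byte is deliberately left out of the copy.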
51045diff --git a/drivers/net/ethernet/mellanox/mlx4/en_tx.c b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
51046index c10d98f..72914c6 100644
51047--- a/drivers/net/ethernet/mellanox/mlx4/en_tx.c
51048+++ b/drivers/net/ethernet/mellanox/mlx4/en_tx.c
51049@@ -475,8 +475,8 @@ static bool mlx4_en_process_tx_cq(struct net_device *dev,
51050 wmb();
51051
51052 /* we want to dirty this cache line once */
51053- ACCESS_ONCE(ring->last_nr_txbb) = last_nr_txbb;
51054- ACCESS_ONCE(ring->cons) = ring_cons + txbbs_skipped;
51055+ ACCESS_ONCE_RW(ring->last_nr_txbb) = last_nr_txbb;
51056+ ACCESS_ONCE_RW(ring->cons) = ring_cons + txbbs_skipped;
51057
51058 netdev_tx_completed_queue(ring->tx_queue, packets, bytes);
51059
51060diff --git a/drivers/net/ethernet/mellanox/mlx4/eq.c b/drivers/net/ethernet/mellanox/mlx4/eq.c
51061index 8e81e53..ad8f95d 100644
51062--- a/drivers/net/ethernet/mellanox/mlx4/eq.c
51063+++ b/drivers/net/ethernet/mellanox/mlx4/eq.c
51064@@ -196,7 +196,7 @@ static void slave_event(struct mlx4_dev *dev, u8 slave, struct mlx4_eqe *eqe)
51065 return;
51066 }
51067
51068- memcpy(s_eqe, eqe, dev->caps.eqe_size - 1);
51069+ memcpy(s_eqe, eqe, sizeof(struct mlx4_eqe) - 1);
51070 s_eqe->slave_id = slave;
51071 /* ensure all information is written before setting the ownersip bit */
51072 dma_wmb();
51073diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
51074index 40206da..9d94643 100644
51075--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
51076+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
51077@@ -1734,7 +1734,9 @@ static void mlx5e_build_netdev(struct net_device *netdev)
51078 SET_NETDEV_DEV(netdev, &mdev->pdev->dev);
51079
51080 if (priv->num_tc > 1) {
51081- mlx5e_netdev_ops.ndo_select_queue = mlx5e_select_queue;
51082+ pax_open_kernel();
51083+ *(void **)&mlx5e_netdev_ops.ndo_select_queue = mlx5e_select_queue;
51084+ pax_close_kernel();
51085 }
51086
51087 netdev->netdev_ops = &mlx5e_netdev_ops;
51088diff --git a/drivers/net/ethernet/neterion/vxge/vxge-config.c b/drivers/net/ethernet/neterion/vxge/vxge-config.c
51089index 6223930..975033d 100644
51090--- a/drivers/net/ethernet/neterion/vxge/vxge-config.c
51091+++ b/drivers/net/ethernet/neterion/vxge/vxge-config.c
51092@@ -3457,7 +3457,10 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp,
51093 struct __vxge_hw_fifo *fifo;
51094 struct vxge_hw_fifo_config *config;
51095 u32 txdl_size, txdl_per_memblock;
51096- struct vxge_hw_mempool_cbs fifo_mp_callback;
51097+ static struct vxge_hw_mempool_cbs fifo_mp_callback = {
51098+ .item_func_alloc = __vxge_hw_fifo_mempool_item_alloc,
51099+ };
51100+
51101 struct __vxge_hw_virtualpath *vpath;
51102
51103 if ((vp == NULL) || (attr == NULL)) {
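Review bot: `fifo_mp_callback` becomes a function-local `static` but is not `const`, so the table holding `__vxge_hw_fifo_mempool_item_alloc` stays in writable data even though the following hunk removes the only assignment to it. If `__vxge_hw_mempool_create` accepts a pointer to const (its prototype is not in view), `static const struct vxge_hw_mempool_cbs fifo_mp_callback = {` would let the table live in read-only memory. The initialiser and its trailing blank line now sit in the middle of the local declarations; moving it below `struct __vxge_hw_virtualpath *vpath;` keeps the declaration block contiguous. __vxge_hw_fifo_create continues outside this hunk.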
51104@@ -3540,8 +3543,6 @@ __vxge_hw_fifo_create(struct __vxge_hw_vpath_handle *vp,
51105 goto exit;
51106 }
51107
51108- fifo_mp_callback.item_func_alloc = __vxge_hw_fifo_mempool_item_alloc;
51109-
51110 fifo->mempool =
51111 __vxge_hw_mempool_create(vpath->hldev,
51112 fifo->config->memblock_size,
51113diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
51114index 753ea8b..674c39a 100644
51115--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
51116+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c
51117@@ -2324,7 +2324,9 @@ int qlcnic_83xx_configure_opmode(struct qlcnic_adapter *adapter)
51118 max_tx_rings = QLCNIC_MAX_VNIC_TX_RINGS;
51119 } else if (ret == QLC_83XX_DEFAULT_OPMODE) {
51120 ahw->nic_mode = QLCNIC_DEFAULT_MODE;
51121- adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver;
51122+ pax_open_kernel();
51123+ *(void **)&adapter->nic_ops->init_driver = qlcnic_83xx_init_default_driver;
51124+ pax_close_kernel();
51125 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
51126 max_sds_rings = QLCNIC_MAX_SDS_RINGS;
51127 max_tx_rings = QLCNIC_MAX_TX_RINGS;
51128diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
51129index be7d7a6..a8983f8 100644
51130--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
51131+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_vnic.c
51132@@ -207,17 +207,23 @@ int qlcnic_83xx_config_vnic_opmode(struct qlcnic_adapter *adapter)
51133 case QLCNIC_NON_PRIV_FUNC:
51134 ahw->op_mode = QLCNIC_NON_PRIV_FUNC;
51135 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
51136- nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic;
51137+ pax_open_kernel();
51138+ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_non_privileged_vnic;
51139+ pax_close_kernel();
51140 break;
51141 case QLCNIC_PRIV_FUNC:
51142 ahw->op_mode = QLCNIC_PRIV_FUNC;
51143 ahw->idc.state_entry = qlcnic_83xx_idc_vnic_pf_entry;
51144- nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic;
51145+ pax_open_kernel();
51146+ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_privileged_vnic;
51147+ pax_close_kernel();
51148 break;
51149 case QLCNIC_MGMT_FUNC:
51150 ahw->op_mode = QLCNIC_MGMT_FUNC;
51151 ahw->idc.state_entry = qlcnic_83xx_idc_ready_state_entry;
51152- nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic;
51153+ pax_open_kernel();
51154+ *(void **)&nic_ops->init_driver = qlcnic_83xx_init_mgmt_vnic;
51155+ pax_close_kernel();
51156 break;
51157 default:
51158 dev_err(&adapter->pdev->dev, "Invalid Virtual NIC opmode\n");
51159diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
51160index 332bb8a..e6adcd1 100644
51161--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
51162+++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_minidump.c
51163@@ -1285,7 +1285,7 @@ flash_temp:
51164 int qlcnic_dump_fw(struct qlcnic_adapter *adapter)
51165 {
51166 struct qlcnic_fw_dump *fw_dump = &adapter->ahw->fw_dump;
51167- static const struct qlcnic_dump_operations *fw_dump_ops;
51168+ const struct qlcnic_dump_operations *fw_dump_ops;
51169 struct qlcnic_83xx_dump_template_hdr *hdr_83xx;
51170 u32 entry_offset, dump, no_entries, buf_offset = 0;
51171 int i, k, ops_cnt, ops_index, dump_size = 0;
51172diff --git a/drivers/net/ethernet/realtek/r8169.c b/drivers/net/ethernet/realtek/r8169.c
51173index f790f61..f1faafe 100644
51174--- a/drivers/net/ethernet/realtek/r8169.c
51175+++ b/drivers/net/ethernet/realtek/r8169.c
51176@@ -788,22 +788,22 @@ struct rtl8169_private {
51177 struct mdio_ops {
51178 void (*write)(struct rtl8169_private *, int, int);
51179 int (*read)(struct rtl8169_private *, int);
51180- } mdio_ops;
51181+ } __no_const mdio_ops;
51182
51183 struct pll_power_ops {
51184 void (*down)(struct rtl8169_private *);
51185 void (*up)(struct rtl8169_private *);
51186- } pll_power_ops;
51187+ } __no_const pll_power_ops;
51188
51189 struct jumbo_ops {
51190 void (*enable)(struct rtl8169_private *);
51191 void (*disable)(struct rtl8169_private *);
51192- } jumbo_ops;
51193+ } __no_const jumbo_ops;
51194
51195 struct csi_ops {
51196 void (*write)(struct rtl8169_private *, int, int);
51197 u32 (*read)(struct rtl8169_private *, int);
51198- } csi_ops;
51199+ } __no_const csi_ops;
51200
51201 int (*set_speed)(struct net_device *, u8 aneg, u16 sp, u8 dpx, u32 adv);
51202 int (*get_settings)(struct net_device *, struct ethtool_cmd *);
51203diff --git a/drivers/net/ethernet/sfc/ptp.c b/drivers/net/ethernet/sfc/ptp.c
51204index ad62615..a4c124d 100644
51205--- a/drivers/net/ethernet/sfc/ptp.c
51206+++ b/drivers/net/ethernet/sfc/ptp.c
51207@@ -832,7 +832,7 @@ static int efx_ptp_synchronize(struct efx_nic *efx, unsigned int num_readings)
51208 ptp->start.dma_addr);
51209
51210 /* Clear flag that signals MC ready */
51211- ACCESS_ONCE(*start) = 0;
51212+ ACCESS_ONCE_RW(*start) = 0;
51213 rc = efx_mcdi_rpc_start(efx, MC_CMD_PTP, synch_buf,
51214 MC_CMD_PTP_IN_SYNCHRONIZE_LEN);
51215 EFX_BUG_ON_PARANOID(rc);
51216diff --git a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
51217index 3f20bb1..59add41 100644
51218--- a/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
51219+++ b/drivers/net/ethernet/stmicro/stmmac/mmc_core.c
51220@@ -140,8 +140,8 @@ void dwmac_mmc_ctrl(void __iomem *ioaddr, unsigned int mode)
51221
51222 writel(value, ioaddr + MMC_CNTRL);
51223
51224- pr_debug("stmmac: MMC ctrl register (offset 0x%x): 0x%08x\n",
51225- MMC_CNTRL, value);
51226+// pr_debug("stmmac: MMC ctrl register (offset 0x%x): 0x%08x\n",
51227+// MMC_CNTRL, value);
51228 }
51229
51230 /* To mask all all interrupts.*/
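Review bot: The pr_debug call at the end of dwmac_mmc_ctrl is switched off by prefixing both of its lines with `//`, which leaves dead code in the function with no indication of why it was disabled. Either delete the two lines outright, or keep them under a one-line comment that states the reason, e.g. `/* debug print disabled: <reason> */`. As written, a later reader cannot tell whether the print was removed for a build problem, for log noise, or by accident.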
51231diff --git a/drivers/net/ethernet/via/via-rhine.c b/drivers/net/ethernet/via/via-rhine.c
51232index a832637..092da0a 100644
51233--- a/drivers/net/ethernet/via/via-rhine.c
51234+++ b/drivers/net/ethernet/via/via-rhine.c
51235@@ -2599,7 +2599,7 @@ static struct platform_driver rhine_driver_platform = {
51236 }
51237 };
51238
51239-static struct dmi_system_id rhine_dmi_table[] __initdata = {
51240+static const struct dmi_system_id rhine_dmi_table[] __initconst = {
51241 {
51242 .ident = "EPIA-M",
51243 .matches = {
51244diff --git a/drivers/net/hyperv/hyperv_net.h b/drivers/net/hyperv/hyperv_net.h
51245index dd45440..c5f3cae 100644
51246--- a/drivers/net/hyperv/hyperv_net.h
51247+++ b/drivers/net/hyperv/hyperv_net.h
51248@@ -177,7 +177,7 @@ struct rndis_device {
51249 enum rndis_device_state state;
51250 bool link_state;
51251 bool link_change;
51252- atomic_t new_req_id;
51253+ atomic_unchecked_t new_req_id;
51254
51255 spinlock_t request_lock;
51256 struct list_head req_list;
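Review bot: `new_req_id` changes to `atomic_unchecked_t` with no comment recording why overflow checking is not wanted for this field. In the two rndis_filter.c hunks it is only used to hand out request ids via `atomic_inc_return_unchecked(&dev->new_req_id)`, so it looks like a sequence counter rather than a reference count. A field comment such as `/* request id generator; wraparound is harmless */` would document that, once confirmed against the uses outside these hunks. struct rndis_device continues outside this hunk.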
51257diff --git a/drivers/net/hyperv/rndis_filter.c b/drivers/net/hyperv/rndis_filter.c
51258index 236aeb7..fd695e2 100644
51259--- a/drivers/net/hyperv/rndis_filter.c
51260+++ b/drivers/net/hyperv/rndis_filter.c
51261@@ -101,7 +101,7 @@ static struct rndis_request *get_rndis_request(struct rndis_device *dev,
51262 * template
51263 */
51264 set = &rndis_msg->msg.set_req;
51265- set->req_id = atomic_inc_return(&dev->new_req_id);
51266+ set->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
51267
51268 /* Add to the request list */
51269 spin_lock_irqsave(&dev->request_lock, flags);
51270@@ -924,7 +924,7 @@ static void rndis_filter_halt_device(struct rndis_device *dev)
51271
51272 /* Setup the rndis set */
51273 halt = &request->request_msg.msg.halt_req;
51274- halt->req_id = atomic_inc_return(&dev->new_req_id);
51275+ halt->req_id = atomic_inc_return_unchecked(&dev->new_req_id);
51276
51277 /* Ignore return since this msg is optional. */
51278 rndis_filter_send_request(dev, request);
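diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c
index 94570aa..1a798e1 100644
--- a/drivers/net/ifb.c
+++ b/drivers/net/ifb.c
@@ -253,7 +253,7 @@ static int ifb_validate(struct nlattr *tb[], struct nlattr *data[])
 return 0;
 }
 
-static struct rtnl_link_ops ifb_link_ops __read_mostly = {
+static struct rtnl_link_ops ifb_link_ops = {
 .kind = "ifb",
 .priv_size = sizeof(struct ifb_private),
 .setup = ifb_setup,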
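Review bot: `__read_mostly` is dropped from `ifb_link_ops` with no comment, and the same silent removal recurs on the `rtnl_link_ops` and `notifier_block` objects in macvlan.c, macvtap.c, nlmon.c, team.c, tun.c and vxlan.c. The macvlan_link_register() hunk writes a `rtnl_link_ops` only between `pax_open_kernel()` and `pax_close_kernel()`, which suggests these objects are meant to land in read-only memory where an explicit section attribute would conflict, but that is an inference from the neighbouring hunk. A line above each declaration, `/* no __read_mostly: object is placed read-only by the build */`, or one sentence in the patch description, would stop a later cleanup from restoring the attribute. The initializer continues outside the hunk.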
51292diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
51293index 207f62e..af3f5e5 100644
51294--- a/drivers/net/ipvlan/ipvlan_core.c
51295+++ b/drivers/net/ipvlan/ipvlan_core.c
51296@@ -466,7 +466,7 @@ static void ipvlan_multicast_enqueue(struct ipvl_port *port,
51297 schedule_work(&port->wq);
51298 } else {
51299 spin_unlock(&port->backlog.lock);
51300- atomic_long_inc(&skb->dev->rx_dropped);
51301+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
51302 kfree_skb(skb);
51303 }
51304 }
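diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index 9f59f17..52cb38f 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -335,7 +335,7 @@ static void macvlan_broadcast_enqueue(struct macvlan_port *port,
 free_nskb:
 kfree_skb(nskb);
 err:
- atomic_long_inc(&skb->dev->rx_dropped);
+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
 }
 
 static void macvlan_flush_sources(struct macvlan_port *port,
@@ -1480,13 +1480,15 @@ static const struct nla_policy macvlan_policy[IFLA_MACVLAN_MAX + 1] = {
 int macvlan_link_register(struct rtnl_link_ops *ops)
 {
 /* common fields */
- ops->priv_size = sizeof(struct macvlan_dev);
- ops->validate = macvlan_validate;
- ops->maxtype = IFLA_MACVLAN_MAX;
- ops->policy = macvlan_policy;
- ops->changelink = macvlan_changelink;
- ops->get_size = macvlan_get_size;
- ops->fill_info = macvlan_fill_info;
+ pax_open_kernel();
+ *(size_t *)&ops->priv_size = sizeof(struct macvlan_dev);
+ *(void **)&ops->validate = macvlan_validate;
+ *(int *)&ops->maxtype = IFLA_MACVLAN_MAX;
+ *(const void **)&ops->policy = macvlan_policy;
+ *(void **)&ops->changelink = macvlan_changelink;
+ *(void **)&ops->get_size = macvlan_get_size;
+ *(void **)&ops->fill_info = macvlan_fill_info;
+ pax_close_kernel();
 
 return rtnl_link_register(ops);
 };
@@ -1572,7 +1574,7 @@ static int macvlan_device_event(struct notifier_block *unused,
 return NOTIFY_DONE;
 }
 
-static struct notifier_block macvlan_notifier_block __read_mostly = {
+static struct notifier_block macvlan_notifier_block = {
 .notifier_call = macvlan_device_event,
 };
 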
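Review bot: The casts in macvlan_link_register() discard the compiler's type checking on every assignment: `*(void **)&ops->validate = macvlan_validate;` would still compile if the handler's signature stopped matching the field, and `*(size_t *)&ops->priv_size` and `*(int *)&ops->maxtype` assume field types that are declared outside this hunk. A width mismatch there would be a partial or oversized store made while kernel write protection is lifted. A comment above `pax_open_kernel();` saying that `ops` is read-only at run time and why the casts are needed, plus a checked line such as `BUILD_BUG_ON(sizeof(ops->priv_size) != sizeof(size_t));`, would keep the assumption from going stale.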
51350diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c
51351index 248478c..05e8467 100644
51352--- a/drivers/net/macvtap.c
51353+++ b/drivers/net/macvtap.c
51354@@ -485,7 +485,7 @@ static void macvtap_setup(struct net_device *dev)
51355 dev->tx_queue_len = TUN_READQ_SIZE;
51356 }
51357
51358-static struct rtnl_link_ops macvtap_link_ops __read_mostly = {
51359+static struct rtnl_link_ops macvtap_link_ops = {
51360 .kind = "macvtap",
51361 .setup = macvtap_setup,
51362 .newlink = macvtap_newlink,
51363@@ -1090,7 +1090,7 @@ static long macvtap_ioctl(struct file *file, unsigned int cmd,
51364
51365 ret = 0;
51366 u = q->flags;
51367- if (copy_to_user(&ifr->ifr_name, vlan->dev->name, IFNAMSIZ) ||
51368+ if (copy_to_user(ifr->ifr_name, vlan->dev->name, IFNAMSIZ) ||
51369 put_user(u, &ifr->ifr_flags))
51370 ret = -EFAULT;
51371 macvtap_put_vlan(vlan);
51372@@ -1308,7 +1308,7 @@ static int macvtap_device_event(struct notifier_block *unused,
51373 return NOTIFY_DONE;
51374 }
51375
51376-static struct notifier_block macvtap_notifier_block __read_mostly = {
51377+static struct notifier_block macvtap_notifier_block = {
51378 .notifier_call = macvtap_device_event,
51379 };
51380
51381diff --git a/drivers/net/nlmon.c b/drivers/net/nlmon.c
51382index 34924df..a747360 100644
51383--- a/drivers/net/nlmon.c
51384+++ b/drivers/net/nlmon.c
51385@@ -154,7 +154,7 @@ static int nlmon_validate(struct nlattr *tb[], struct nlattr *data[])
51386 return 0;
51387 }
51388
51389-static struct rtnl_link_ops nlmon_link_ops __read_mostly = {
51390+static struct rtnl_link_ops nlmon_link_ops = {
51391 .kind = "nlmon",
51392 .priv_size = sizeof(struct nlmon),
51393 .setup = nlmon_setup,
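diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c
index 55f0178..6220e93 100644
--- a/drivers/net/phy/phy_device.c
+++ b/drivers/net/phy/phy_device.c
@@ -218,7 +218,7 @@ EXPORT_SYMBOL(phy_device_create);
 * zero on success.
 *
 */
-static int get_phy_c45_ids(struct mii_bus *bus, int addr, u32 *phy_id,
+static int get_phy_c45_ids(struct mii_bus *bus, int addr, int *phy_id,
 struct phy_c45_device_ids *c45_ids) {
 int phy_reg;
 int i, reg_addr;
@@ -296,7 +296,7 @@ retry: reg_addr = MII_ADDR_C45 | i << 16 | MDIO_DEVS2;
 * its return value is in turn returned.
 *
 */
-static int get_phy_id(struct mii_bus *bus, int addr, u32 *phy_id,
+static int get_phy_id(struct mii_bus *bus, int addr, int *phy_id,
 bool is_c45, struct phy_c45_device_ids *c45_ids)
 {
 int phy_reg;
@@ -334,7 +334,7 @@ static int get_phy_id(struct mii_bus *bus, int addr, u32 *phy_id,
 struct phy_device *get_phy_device(struct mii_bus *bus, int addr, bool is_c45)
 {
 struct phy_c45_device_ids c45_ids = {0};
- u32 phy_id = 0;
+ int phy_id = 0;
 int r;
 
 r = get_phy_id(bus, addr, &phy_id, is_c45, &c45_ids);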
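Review bot: Changing `phy_id` from `u32` to `int` in get_phy_c45_ids(), get_phy_id() and get_phy_device() turns a 32-bit hardware identifier into a signed value. The code that assembles and compares the identifier is outside these hunks, but if it shifts a register value into the upper 16 bits or compares against masks with the top bit set, the signed type makes that a shift into the sign bit and a sign-extending comparison. If the signed type is needed to satisfy a checker, a comment at `int phy_id = 0;` should say so; otherwise keeping `u32 phy_id = 0;` and the `u32 *phy_id` parameters avoids the question.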
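diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 487be20..f4c87bc 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -1035,7 +1035,6 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
 struct ppp_stats stats;
 struct ppp_comp_stats cstats;
- char *vers;
 
 switch (cmd) {
 case SIOCGPPPSTATS:
@@ -1057,8 +1056,7 @@ ppp_net_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
 break;
 
 case SIOCGPPPVER:
- vers = PPP_VERSION;
- if (copy_to_user(addr, vers, strlen(vers) + 1))
+ if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
 break;
 err = 0;
 break;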
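Review bot: `sizeof(PPP_VERSION)` in the SIOCGPPPVER case equals the old `strlen(vers) + 1` only while PPP_VERSION expands to a string literal or an array, and its definition is outside this hunk. If it ever becomes a `const char *`, the call would copy a pointer-sized number of bytes to user space with no diagnostic. A comment on the line, `/* PPP_VERSION must be a string literal: sizeof counts the NUL */`, would pin that down. ppp_net_ioctl() continues outside the hunk.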
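diff --git a/drivers/net/slip/slhc.c b/drivers/net/slip/slhc.c
index 079f7ad..7e59810 100644
--- a/drivers/net/slip/slhc.c
+++ b/drivers/net/slip/slhc.c
@@ -94,6 +94,9 @@ slhc_init(int rslots, int tslots)
 register struct cstate *ts;
 struct slcompress *comp;
 
+ if (rslots <= 0 || tslots <= 0 || rslots >= 256 || tslots >= 256)
+ goto out_fail;
+
 comp = kzalloc(sizeof(struct slcompress), GFP_KERNEL);
 if (! comp)
 goto out_fail;
@@ -487,7 +490,7 @@ slhc_uncompress(struct slcompress *comp, unsigned char *icp, int isize)
 register struct tcphdr *thp;
 register struct iphdr *ip;
 register struct cstate *cs;
- int len, hdrlen;
+ long len, hdrlen;
 unsigned char *cp = icp;
 
 /* We've got a compressed packet; read the change byte */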
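Review bot: The new range check in slhc_init() jumps to `out_fail` before `comp` is allocated, so a caller gets the same result for out-of-range slot counts as for an allocation failure; the `out_fail` label and its return value are outside this hunk. The check also rejects a count of zero (`rslots <= 0 || tslots <= 0`), which changes behaviour if the rest of the function previously tolerated zero slots, and that code is not visible here. A comment above the check, `/* slot numbers are carried in one byte: accept 1..255 only */` if that is the reason, would document the bound. The `int` to `long` change for `len, hdrlen` in slhc_uncompress() has no explanation either.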
51470diff --git a/drivers/net/team/team.c b/drivers/net/team/team.c
51471index daa054b..07d6b98 100644
51472--- a/drivers/net/team/team.c
51473+++ b/drivers/net/team/team.c
51474@@ -2107,7 +2107,7 @@ static unsigned int team_get_num_rx_queues(void)
51475 return TEAM_DEFAULT_NUM_RX_QUEUES;
51476 }
51477
51478-static struct rtnl_link_ops team_link_ops __read_mostly = {
51479+static struct rtnl_link_ops team_link_ops = {
51480 .kind = DRV_NAME,
51481 .priv_size = sizeof(struct team),
51482 .setup = team_setup,
51483@@ -2897,7 +2897,7 @@ static int team_device_event(struct notifier_block *unused,
51484 return NOTIFY_DONE;
51485 }
51486
51487-static struct notifier_block team_notifier_block __read_mostly = {
51488+static struct notifier_block team_notifier_block = {
51489 .notifier_call = team_device_event,
51490 };
51491
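diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 06a0394..1756d18 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -1472,7 +1472,7 @@ static int tun_validate(struct nlattr *tb[], struct nlattr *data[])
 return -EINVAL;
 }
 
-static struct rtnl_link_ops tun_link_ops __read_mostly = {
+static struct rtnl_link_ops tun_link_ops = {
 .kind = DRV_NAME,
 .priv_size = sizeof(struct tun_struct),
 .setup = tun_setup,
@@ -1871,7 +1871,7 @@ unlock:
 }
 
 static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
- unsigned long arg, int ifreq_len)
+ unsigned long arg, size_t ifreq_len)
 {
 struct tun_file *tfile = file->private_data;
 struct tun_struct *tun;
@@ -1885,6 +1885,9 @@ static long __tun_chr_ioctl(struct file *file, unsigned int cmd,
 int le;
 int ret;
 
+ if (ifreq_len > sizeof ifr)
+ return -EFAULT;
+
 if (cmd == TUNSETIFF || cmd == TUNSETQUEUE || _IOC_TYPE(cmd) == 0x89) {
 if (copy_from_user(&ifr, argp, ifreq_len))
 return -EFAULT;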
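Review bot: The new guard in __tun_chr_ioctl() returns `-EFAULT` when `ifreq_len` exceeds `sizeof ifr`, but that condition is a bad length supplied by the in-kernel caller, not a bad user pointer, so `return -EINVAL;` would describe it more accurately; the callers are outside this hunk. The guard itself does its job: with the parameter now `size_t`, a negative length from a caller becomes a very large value and is rejected before `copy_from_user(&ifr, argp, ifreq_len)`. A comment on the check, `/* ifr is the only buffer ifreq_len bytes are copied into */`, would explain why it sits ahead of the command dispatch. The function body continues past the hunk.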
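diff --git a/drivers/net/usb/hso.c b/drivers/net/usb/hso.c
index 111d907..1ee643e 100644
--- a/drivers/net/usb/hso.c
+++ b/drivers/net/usb/hso.c
@@ -70,7 +70,7 @@
 #include <asm/byteorder.h>
 #include <linux/serial_core.h>
 #include <linux/serial.h>
-
+#include <asm/local.h>
 
 #define MOD_AUTHOR "Option Wireless"
 #define MOD_DESCRIPTION "USB High Speed Option driver"
@@ -1183,7 +1183,7 @@ static void put_rxbuf_data_and_resubmit_ctrl_urb(struct hso_serial *serial)
 struct urb *urb;
 
 urb = serial->rx_urb[0];
- if (serial->port.count > 0) {
+ if (atomic_read(&serial->port.count) > 0) {
 count = put_rxbuf_data(urb, serial);
 if (count == -1)
 return;
@@ -1221,7 +1221,7 @@ static void hso_std_serial_read_bulk_callback(struct urb *urb)
 DUMP1(urb->transfer_buffer, urb->actual_length);
 
 /* Anyone listening? */
- if (serial->port.count == 0)
+ if (atomic_read(&serial->port.count) == 0)
 return;
 
 if (serial->parent->port_spec & HSO_INFO_CRC_BUG)
@@ -1282,8 +1282,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
 tty_port_tty_set(&serial->port, tty);
 
 /* check for port already opened, if not set the termios */
- serial->port.count++;
- if (serial->port.count == 1) {
+ if (atomic_inc_return(&serial->port.count) == 1) {
 serial->rx_state = RX_IDLE;
 /* Force default termio settings */
 _hso_serial_set_termios(tty, NULL);
@@ -1293,7 +1292,7 @@ static int hso_serial_open(struct tty_struct *tty, struct file *filp)
 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
 if (result) {
 hso_stop_serial_device(serial->parent);
- serial->port.count--;
+ atomic_dec(&serial->port.count);
 } else {
 kref_get(&serial->parent->ref);
 }
@@ -1331,10 +1330,10 @@ static void hso_serial_close(struct tty_struct *tty, struct file *filp)
 
 /* reset the rts and dtr */
 /* do the actual close */
- serial->port.count--;
+ atomic_dec(&serial->port.count);
 
- if (serial->port.count <= 0) {
- serial->port.count = 0;
+ if (atomic_read(&serial->port.count) <= 0) {
+ atomic_set(&serial->port.count, 0);
 tty_port_tty_set(&serial->port, NULL);
 if (!usb_gone)
 hso_stop_serial_device(serial->parent);
@@ -1417,7 +1416,7 @@ static void hso_serial_set_termios(struct tty_struct *tty, struct ktermios *old)
 
 /* the actual setup */
 spin_lock_irqsave(&serial->serial_lock, flags);
- if (serial->port.count)
+ if (atomic_read(&serial->port.count))
 _hso_serial_set_termios(tty, old);
 else
 tty->termios = *old;
@@ -1891,7 +1890,7 @@ static void intr_callback(struct urb *urb)
 D1("Pending read interrupt on port %d\n", i);
 spin_lock(&serial->serial_lock);
 if (serial->rx_state == RX_IDLE &&
- serial->port.count > 0) {
+ atomic_read(&serial->port.count) > 0) {
 /* Setup and send a ctrl req read on
 * port i */
 if (!serial->rx_urb_filled[0]) {
@@ -3058,7 +3057,7 @@ static int hso_resume(struct usb_interface *iface)
 /* Start all serial ports */
 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
 if (serial_table[i] && (serial_table[i]->interface == iface)) {
- if (dev2ser(serial_table[i])->port.count) {
+ if (atomic_read(&dev2ser(serial_table[i])->port.count)) {
 result =
 hso_start_serial_device(serial_table[i], GFP_NOIO);
 hso_kick_transmit(dev2ser(serial_table[i]));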
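Review bot: In hso_serial_close() the sequence `atomic_dec(&serial->port.count);`, then `atomic_read(&serial->port.count) <= 0`, then `atomic_set(&serial->port.count, 0)` is three separate operations, so moving to the atomic API does not by itself make the decrement-and-test atomic. Whether a lock already serialises open and close is outside this hunk; if none does, two concurrent closes can both, or neither, see the count reach zero. Using the returned value, `if (atomic_dec_return(&serial->port.count) <= 0) {`, would match the `atomic_inc_return(&serial->port.count) == 1` form the patch already uses in hso_serial_open(). The clamp back to zero also hides an unbalanced close and deserves a comment or a `WARN_ON`.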
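diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
index ad8cbc6..de80b09 100644
--- a/drivers/net/usb/r8152.c
+++ b/drivers/net/usb/r8152.c
@@ -603,7 +603,7 @@ struct r8152 {
 void (*unload)(struct r8152 *);
 int (*eee_get)(struct r8152 *, struct ethtool_eee *);
 int (*eee_set)(struct r8152 *, struct ethtool_eee *);
- } __no_const rtl_ops;
+ } __no_const rtl_ops;
 
 int intr_interval;
 u32 saved_wolopts;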
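Review bot: `__no_const` on `rtl_ops` comes with no comment saying why this table of function pointers has to stay writable, and the same is true of `struct ath10k_htc_ops` and `struct ath10k_htc_ep_ops` in ath10k/htc.h. Each exemption leaves a function-pointer table writable at run time, which is the state the surrounding constification is meant to remove, so each one should carry its justification. A one-line comment such as `/* assigned at probe time per chip version */` would do, if that is indeed the reason; the assignments are outside this hunk.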
51628diff --git a/drivers/net/usb/sierra_net.c b/drivers/net/usb/sierra_net.c
51629index a2515887..6d13233 100644
51630--- a/drivers/net/usb/sierra_net.c
51631+++ b/drivers/net/usb/sierra_net.c
51632@@ -51,7 +51,7 @@ static const char driver_name[] = "sierra_net";
51633 /* atomic counter partially included in MAC address to make sure 2 devices
51634 * do not end up with the same MAC - concept breaks in case of > 255 ifaces
51635 */
51636-static atomic_t iface_counter = ATOMIC_INIT(0);
51637+static atomic_unchecked_t iface_counter = ATOMIC_INIT(0);
51638
51639 /*
51640 * SYNC Timer Delay definition used to set the expiry time
51641@@ -697,7 +697,7 @@ static int sierra_net_bind(struct usbnet *dev, struct usb_interface *intf)
51642 dev->net->netdev_ops = &sierra_net_device_ops;
51643
51644 /* change MAC addr to include, ifacenum, and to be unique */
51645- dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return(&iface_counter);
51646+ dev->net->dev_addr[ETH_ALEN-2] = atomic_inc_return_unchecked(&iface_counter);
51647 dev->net->dev_addr[ETH_ALEN-1] = ifacenum;
51648
51649 /* we will have to manufacture ethernet headers, prepare template */
51650diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c
51651index 237f8e5..8dccb91 100644
51652--- a/drivers/net/virtio_net.c
51653+++ b/drivers/net/virtio_net.c
51654@@ -48,7 +48,7 @@ module_param(gso, bool, 0444);
51655 #define RECEIVE_AVG_WEIGHT 64
51656
51657 /* Minimum alignment for mergeable packet buffers. */
51658-#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256)
51659+#define MERGEABLE_BUFFER_ALIGN max(L1_CACHE_BYTES, 256UL)
51660
51661 #define VIRTNET_DRIVER_VERSION "1.0.0"
51662
51663diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
51664index 5bc4b1e..d5769f5 100644
51665--- a/drivers/net/vxlan.c
51666+++ b/drivers/net/vxlan.c
51667@@ -2884,7 +2884,7 @@ static struct net *vxlan_get_link_net(const struct net_device *dev)
51668 return vxlan->net;
51669 }
51670
51671-static struct rtnl_link_ops vxlan_link_ops __read_mostly = {
51672+static struct rtnl_link_ops vxlan_link_ops = {
51673 .kind = "vxlan",
51674 .maxtype = IFLA_VXLAN_MAX,
51675 .policy = vxlan_policy,
51676@@ -2932,7 +2932,7 @@ static int vxlan_lowerdev_event(struct notifier_block *unused,
51677 return NOTIFY_DONE;
51678 }
51679
51680-static struct notifier_block vxlan_notifier_block __read_mostly = {
51681+static struct notifier_block vxlan_notifier_block = {
51682 .notifier_call = vxlan_lowerdev_event,
51683 };
51684
51685diff --git a/drivers/net/wan/lmc/lmc_media.c b/drivers/net/wan/lmc/lmc_media.c
51686index 5920c99..ff2e4a5 100644
51687--- a/drivers/net/wan/lmc/lmc_media.c
51688+++ b/drivers/net/wan/lmc/lmc_media.c
51689@@ -95,62 +95,63 @@ static inline void write_av9110_bit (lmc_softc_t *, int);
51690 static void write_av9110(lmc_softc_t *, u32, u32, u32, u32, u32);
51691
51692 lmc_media_t lmc_ds3_media = {
51693- lmc_ds3_init, /* special media init stuff */
51694- lmc_ds3_default, /* reset to default state */
51695- lmc_ds3_set_status, /* reset status to state provided */
51696- lmc_dummy_set_1, /* set clock source */
51697- lmc_dummy_set2_1, /* set line speed */
51698- lmc_ds3_set_100ft, /* set cable length */
51699- lmc_ds3_set_scram, /* set scrambler */
51700- lmc_ds3_get_link_status, /* get link status */
51701- lmc_dummy_set_1, /* set link status */
51702- lmc_ds3_set_crc_length, /* set CRC length */
51703- lmc_dummy_set_1, /* set T1 or E1 circuit type */
51704- lmc_ds3_watchdog
51705+ .init = lmc_ds3_init, /* special media init stuff */
51706+ .defaults = lmc_ds3_default, /* reset to default state */
51707+ .set_status = lmc_ds3_set_status, /* reset status to state provided */
51708+ .set_clock_source = lmc_dummy_set_1, /* set clock source */
51709+ .set_speed = lmc_dummy_set2_1, /* set line speed */
51710+ .set_cable_length = lmc_ds3_set_100ft, /* set cable length */
51711+ .set_scrambler = lmc_ds3_set_scram, /* set scrambler */
51712+ .get_link_status = lmc_ds3_get_link_status, /* get link status */
51713+ .set_link_status = lmc_dummy_set_1, /* set link status */
51714+ .set_crc_length = lmc_ds3_set_crc_length, /* set CRC length */
51715+ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */
51716+ .watchdog = lmc_ds3_watchdog
51717 };
51718
51719 lmc_media_t lmc_hssi_media = {
51720- lmc_hssi_init, /* special media init stuff */
51721- lmc_hssi_default, /* reset to default state */
51722- lmc_hssi_set_status, /* reset status to state provided */
51723- lmc_hssi_set_clock, /* set clock source */
51724- lmc_dummy_set2_1, /* set line speed */
51725- lmc_dummy_set_1, /* set cable length */
51726- lmc_dummy_set_1, /* set scrambler */
51727- lmc_hssi_get_link_status, /* get link status */
51728- lmc_hssi_set_link_status, /* set link status */
51729- lmc_hssi_set_crc_length, /* set CRC length */
51730- lmc_dummy_set_1, /* set T1 or E1 circuit type */
51731- lmc_hssi_watchdog
51732+ .init = lmc_hssi_init, /* special media init stuff */
51733+ .defaults = lmc_hssi_default, /* reset to default state */
51734+ .set_status = lmc_hssi_set_status, /* reset status to state provided */
51735+ .set_clock_source = lmc_hssi_set_clock, /* set clock source */
51736+ .set_speed = lmc_dummy_set2_1, /* set line speed */
51737+ .set_cable_length = lmc_dummy_set_1, /* set cable length */
51738+ .set_scrambler = lmc_dummy_set_1, /* set scrambler */
51739+ .get_link_status = lmc_hssi_get_link_status, /* get link status */
51740+ .set_link_status = lmc_hssi_set_link_status, /* set link status */
51741+ .set_crc_length = lmc_hssi_set_crc_length, /* set CRC length */
51742+ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */
51743+ .watchdog = lmc_hssi_watchdog
51744 };
51745
51746-lmc_media_t lmc_ssi_media = { lmc_ssi_init, /* special media init stuff */
51747- lmc_ssi_default, /* reset to default state */
51748- lmc_ssi_set_status, /* reset status to state provided */
51749- lmc_ssi_set_clock, /* set clock source */
51750- lmc_ssi_set_speed, /* set line speed */
51751- lmc_dummy_set_1, /* set cable length */
51752- lmc_dummy_set_1, /* set scrambler */
51753- lmc_ssi_get_link_status, /* get link status */
51754- lmc_ssi_set_link_status, /* set link status */
51755- lmc_ssi_set_crc_length, /* set CRC length */
51756- lmc_dummy_set_1, /* set T1 or E1 circuit type */
51757- lmc_ssi_watchdog
51758+lmc_media_t lmc_ssi_media = {
51759+ .init = lmc_ssi_init, /* special media init stuff */
51760+ .defaults = lmc_ssi_default, /* reset to default state */
51761+ .set_status = lmc_ssi_set_status, /* reset status to state provided */
51762+ .set_clock_source = lmc_ssi_set_clock, /* set clock source */
51763+ .set_speed = lmc_ssi_set_speed, /* set line speed */
51764+ .set_cable_length = lmc_dummy_set_1, /* set cable length */
51765+ .set_scrambler = lmc_dummy_set_1, /* set scrambler */
51766+ .get_link_status = lmc_ssi_get_link_status, /* get link status */
51767+ .set_link_status = lmc_ssi_set_link_status, /* set link status */
51768+ .set_crc_length = lmc_ssi_set_crc_length, /* set CRC length */
51769+ .set_circuit_type = lmc_dummy_set_1, /* set T1 or E1 circuit type */
51770+ .watchdog = lmc_ssi_watchdog
51771 };
51772
51773 lmc_media_t lmc_t1_media = {
51774- lmc_t1_init, /* special media init stuff */
51775- lmc_t1_default, /* reset to default state */
51776- lmc_t1_set_status, /* reset status to state provided */
51777- lmc_t1_set_clock, /* set clock source */
51778- lmc_dummy_set2_1, /* set line speed */
51779- lmc_dummy_set_1, /* set cable length */
51780- lmc_dummy_set_1, /* set scrambler */
51781- lmc_t1_get_link_status, /* get link status */
51782- lmc_dummy_set_1, /* set link status */
51783- lmc_t1_set_crc_length, /* set CRC length */
51784- lmc_t1_set_circuit_type, /* set T1 or E1 circuit type */
51785- lmc_t1_watchdog
51786+ .init = lmc_t1_init, /* special media init stuff */
51787+ .defaults = lmc_t1_default, /* reset to default state */
51788+ .set_status = lmc_t1_set_status, /* reset status to state provided */
51789+ .set_clock_source = lmc_t1_set_clock, /* set clock source */
51790+ .set_speed = lmc_dummy_set2_1, /* set line speed */
51791+ .set_cable_length = lmc_dummy_set_1, /* set cable length */
51792+ .set_scrambler = lmc_dummy_set_1, /* set scrambler */
51793+ .get_link_status = lmc_t1_get_link_status, /* get link status */
51794+ .set_link_status = lmc_dummy_set_1, /* set link status */
51795+ .set_crc_length = lmc_t1_set_crc_length, /* set CRC length */
51796+ .set_circuit_type = lmc_t1_set_circuit_type, /* set T1 or E1 circuit type */
51797+ .watchdog = lmc_t1_watchdog
51798 };
51799
51800 static void
51801diff --git a/drivers/net/wan/z85230.c b/drivers/net/wan/z85230.c
51802index 2f0bd69..e46ed7b 100644
51803--- a/drivers/net/wan/z85230.c
51804+++ b/drivers/net/wan/z85230.c
51805@@ -485,9 +485,9 @@ static void z8530_status(struct z8530_channel *chan)
51806
51807 struct z8530_irqhandler z8530_sync =
51808 {
51809- z8530_rx,
51810- z8530_tx,
51811- z8530_status
51812+ .rx = z8530_rx,
51813+ .tx = z8530_tx,
51814+ .status = z8530_status
51815 };
51816
51817 EXPORT_SYMBOL(z8530_sync);
51818@@ -605,15 +605,15 @@ static void z8530_dma_status(struct z8530_channel *chan)
51819 }
51820
51821 static struct z8530_irqhandler z8530_dma_sync = {
51822- z8530_dma_rx,
51823- z8530_dma_tx,
51824- z8530_dma_status
51825+ .rx = z8530_dma_rx,
51826+ .tx = z8530_dma_tx,
51827+ .status = z8530_dma_status
51828 };
51829
51830 static struct z8530_irqhandler z8530_txdma_sync = {
51831- z8530_rx,
51832- z8530_dma_tx,
51833- z8530_dma_status
51834+ .rx = z8530_rx,
51835+ .tx = z8530_dma_tx,
51836+ .status = z8530_dma_status
51837 };
51838
51839 /**
51840@@ -680,9 +680,9 @@ static void z8530_status_clear(struct z8530_channel *chan)
51841
51842 struct z8530_irqhandler z8530_nop=
51843 {
51844- z8530_rx_clear,
51845- z8530_tx_clear,
51846- z8530_status_clear
51847+ .rx = z8530_rx_clear,
51848+ .tx = z8530_tx_clear,
51849+ .status = z8530_status_clear
51850 };
51851
51852
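diff --git a/drivers/net/wimax/i2400m/rx.c b/drivers/net/wimax/i2400m/rx.c
index 0b60295..b8bfa5b 100644
--- a/drivers/net/wimax/i2400m/rx.c
+++ b/drivers/net/wimax/i2400m/rx.c
@@ -1359,7 +1359,7 @@ int i2400m_rx_setup(struct i2400m *i2400m)
 if (i2400m->rx_roq == NULL)
 goto error_roq_alloc;
 
- rd = kcalloc(I2400M_RO_CIN + 1, sizeof(*i2400m->rx_roq[0].log),
+ rd = kcalloc(sizeof(*i2400m->rx_roq[0].log), I2400M_RO_CIN + 1,
 GFP_KERNEL);
 if (rd == NULL) {
 result = -ENOMEM;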
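Review bot: The swapped arguments in `kcalloc(sizeof(*i2400m->rx_roq[0].log), I2400M_RO_CIN + 1, GFP_KERNEL)` put the element size in the count position, against the `kcalloc(n, size, flags)` convention. The product, and therefore the allocation size, is unchanged, so this looks like an accommodation for a static checker rather than a fix, but a later reader is likely to take it for a mistake and swap it back. A comment on the line stating why the size comes first would record the intent. i2400m_rx_setup() continues outside the hunk.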
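diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c
index d0c97c2..108f59b 100644
--- a/drivers/net/wireless/airo.c
+++ b/drivers/net/wireless/airo.c
@@ -7846,7 +7846,7 @@ static int writerids(struct net_device *dev, aironet_ioctl *comp) {
 struct airo_info *ai = dev->ml_priv;
 int ridcode;
 int enabled;
- static int (* writer)(struct airo_info *, u16 rid, const void *, int, int);
+ int (* writer)(struct airo_info *, u16 rid, const void *, int, int);
 unsigned char *iobuf;
 
 /* Only super-user can write RIDs */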
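Review bot: Dropping `static` from `writer` in writerids() removes a function pointer that was shared by every caller, but it also removes the implicit zero initialisation. Whether every path assigns `writer` before it is called is outside this hunk; if any command reaches the call without an assignment, the call now goes through an indeterminate pointer rather than a NULL one. Initialising at the declaration, `int (* writer)(struct airo_info *, u16 rid, const void *, int, int) = NULL;`, keeps that failure deterministic.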
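diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c
index dab2513..4c4b65d 100644
--- a/drivers/net/wireless/at76c50x-usb.c
+++ b/drivers/net/wireless/at76c50x-usb.c
@@ -353,7 +353,7 @@ static int at76_dfu_get_state(struct usb_device *udev, u8 *state)
 }
 
 /* Convert timeout from the DFU status to jiffies */
-static inline unsigned long at76_get_timeout(struct dfu_status *s)
+static inline unsigned long __intentional_overflow(-1) at76_get_timeout(struct dfu_status *s)
 {
 return msecs_to_jiffies((s->poll_timeout[2] << 16)
 | (s->poll_timeout[1] << 8)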
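Review bot: `__intentional_overflow(-1)` on at76_get_timeout() does not say which overflow is intended, and the same bare annotation is added to ath10k_ce_alloc_src_ring() in ath10k/ce.c, whose return value is a pointer. In at76_get_timeout() the visible expression only combines `poll_timeout` elements shifted by 16 and 8, so it is not obvious from the hunk what the checker flagged. A comment beside each annotation stating what wraps and why that is harmless would keep the suppression from outliving its reason. at76_get_timeout()'s body continues past the hunk.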
51892diff --git a/drivers/net/wireless/ath/ath10k/ce.c b/drivers/net/wireless/ath/ath10k/ce.c
51893index e508c65..fb0dbae 100644
51894--- a/drivers/net/wireless/ath/ath10k/ce.c
51895+++ b/drivers/net/wireless/ath/ath10k/ce.c
51896@@ -896,7 +896,7 @@ static int ath10k_ce_init_dest_ring(struct ath10k *ar,
51897 return 0;
51898 }
51899
51900-static struct ath10k_ce_ring *
51901+static struct ath10k_ce_ring * __intentional_overflow(-1)
51902 ath10k_ce_alloc_src_ring(struct ath10k *ar, unsigned int ce_id,
51903 const struct ce_attr *attr)
51904 {
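diff --git a/drivers/net/wireless/ath/ath10k/htc.c b/drivers/net/wireless/ath/ath10k/htc.c
index 32d9ff1..0952b33 100644
--- a/drivers/net/wireless/ath/ath10k/htc.c
+++ b/drivers/net/wireless/ath/ath10k/htc.c
@@ -841,7 +841,10 @@ int ath10k_htc_start(struct ath10k_htc *htc)
 /* registered target arrival callback from the HIF layer */
 int ath10k_htc_init(struct ath10k *ar)
 {
- struct ath10k_hif_cb htc_callbacks;
+ static struct ath10k_hif_cb htc_callbacks = {
+ .rx_completion = ath10k_htc_rx_completion_handler,
+ .tx_completion = ath10k_htc_tx_completion_handler,
+ };
 struct ath10k_htc_ep *ep = NULL;
 struct ath10k_htc *htc = &ar->htc;
 
@@ -850,8 +853,6 @@ int ath10k_htc_init(struct ath10k *ar)
 ath10k_htc_reset_endpoint_states(htc);
 
 /* setup HIF layer callbacks */
- htc_callbacks.rx_completion = ath10k_htc_rx_completion_handler;
- htc_callbacks.tx_completion = ath10k_htc_tx_completion_handler;
 htc->ar = ar;
 
 /* Get HIF default pipe for HTC message exchange */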
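Review bot: With `htc_callbacks` moved to a static initialiser, the comment `/* setup HIF layer callbacks */` in the second hunk is left directly above `htc->ar = ar;`, which it no longer describes. It belongs at the declaration instead, for example `/* HIF layer callbacks, fixed at build time */` above `static struct ath10k_hif_cb htc_callbacks = {`. The structure is no longer written anywhere in the visible code, so `static const` would be the stronger form if the function that receives it accepts a const pointer; that call is outside the hunk.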
51930diff --git a/drivers/net/wireless/ath/ath10k/htc.h b/drivers/net/wireless/ath/ath10k/htc.h
51931index 527179c..a890150 100644
51932--- a/drivers/net/wireless/ath/ath10k/htc.h
51933+++ b/drivers/net/wireless/ath/ath10k/htc.h
51934@@ -270,13 +270,13 @@ enum ath10k_htc_ep_id {
51935
51936 struct ath10k_htc_ops {
51937 void (*target_send_suspend_complete)(struct ath10k *ar);
51938-};
51939+} __no_const;
51940
51941 struct ath10k_htc_ep_ops {
51942 void (*ep_tx_complete)(struct ath10k *, struct sk_buff *);
51943 void (*ep_rx_complete)(struct ath10k *, struct sk_buff *);
51944 void (*ep_tx_credits)(struct ath10k *);
51945-};
51946+} __no_const;
51947
51948 /* service connection information */
51949 struct ath10k_htc_svc_conn_req {
51950diff --git a/drivers/net/wireless/ath/ath9k/Kconfig b/drivers/net/wireless/ath/ath9k/Kconfig
51951index fee0cad..a7a3b63 100644
51952--- a/drivers/net/wireless/ath/ath9k/Kconfig
51953+++ b/drivers/net/wireless/ath/ath9k/Kconfig
51954@@ -3,7 +3,6 @@ config ATH9K_HW
51955 config ATH9K_COMMON
51956 tristate
51957 select ATH_COMMON
51958- select DEBUG_FS
51959 select RELAY
51960 config ATH9K_DFS_DEBUGFS
51961 def_bool y
51962diff --git a/drivers/net/wireless/ath/ath9k/ar9002_mac.c b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
51963index f816909..e56cd8b 100644
51964--- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c
51965+++ b/drivers/net/wireless/ath/ath9k/ar9002_mac.c
51966@@ -220,8 +220,8 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
51967 ads->ds_txstatus6 = ads->ds_txstatus7 = 0;
51968 ads->ds_txstatus8 = ads->ds_txstatus9 = 0;
51969
51970- ACCESS_ONCE(ads->ds_link) = i->link;
51971- ACCESS_ONCE(ads->ds_data) = i->buf_addr[0];
51972+ ACCESS_ONCE_RW(ads->ds_link) = i->link;
51973+ ACCESS_ONCE_RW(ads->ds_data) = i->buf_addr[0];
51974
51975 ctl1 = i->buf_len[0] | (i->is_last ? 0 : AR_TxMore);
51976 ctl6 = SM(i->keytype, AR_EncrType);
51977@@ -235,26 +235,26 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
51978
51979 if ((i->is_first || i->is_last) &&
51980 i->aggr != AGGR_BUF_MIDDLE && i->aggr != AGGR_BUF_LAST) {
51981- ACCESS_ONCE(ads->ds_ctl2) = set11nTries(i->rates, 0)
51982+ ACCESS_ONCE_RW(ads->ds_ctl2) = set11nTries(i->rates, 0)
51983 | set11nTries(i->rates, 1)
51984 | set11nTries(i->rates, 2)
51985 | set11nTries(i->rates, 3)
51986 | (i->dur_update ? AR_DurUpdateEna : 0)
51987 | SM(0, AR_BurstDur);
51988
51989- ACCESS_ONCE(ads->ds_ctl3) = set11nRate(i->rates, 0)
51990+ ACCESS_ONCE_RW(ads->ds_ctl3) = set11nRate(i->rates, 0)
51991 | set11nRate(i->rates, 1)
51992 | set11nRate(i->rates, 2)
51993 | set11nRate(i->rates, 3);
51994 } else {
51995- ACCESS_ONCE(ads->ds_ctl2) = 0;
51996- ACCESS_ONCE(ads->ds_ctl3) = 0;
51997+ ACCESS_ONCE_RW(ads->ds_ctl2) = 0;
51998+ ACCESS_ONCE_RW(ads->ds_ctl3) = 0;
51999 }
52000
52001 if (!i->is_first) {
52002- ACCESS_ONCE(ads->ds_ctl0) = 0;
52003- ACCESS_ONCE(ads->ds_ctl1) = ctl1;
52004- ACCESS_ONCE(ads->ds_ctl6) = ctl6;
52005+ ACCESS_ONCE_RW(ads->ds_ctl0) = 0;
52006+ ACCESS_ONCE_RW(ads->ds_ctl1) = ctl1;
52007+ ACCESS_ONCE_RW(ads->ds_ctl6) = ctl6;
52008 return;
52009 }
52010
52011@@ -279,7 +279,7 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
52012 break;
52013 }
52014
52015- ACCESS_ONCE(ads->ds_ctl0) = (i->pkt_len & AR_FrameLen)
52016+ ACCESS_ONCE_RW(ads->ds_ctl0) = (i->pkt_len & AR_FrameLen)
52017 | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0)
52018 | SM(i->txpower[0], AR_XmitPower0)
52019 | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0)
52020@@ -289,27 +289,27 @@ ar9002_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
52021 | (i->flags & ATH9K_TXDESC_RTSENA ? AR_RTSEnable :
52022 (i->flags & ATH9K_TXDESC_CTSENA ? AR_CTSEnable : 0));
52023
52024- ACCESS_ONCE(ads->ds_ctl1) = ctl1;
52025- ACCESS_ONCE(ads->ds_ctl6) = ctl6;
52026+ ACCESS_ONCE_RW(ads->ds_ctl1) = ctl1;
52027+ ACCESS_ONCE_RW(ads->ds_ctl6) = ctl6;
52028
52029 if (i->aggr == AGGR_BUF_MIDDLE || i->aggr == AGGR_BUF_LAST)
52030 return;
52031
52032- ACCESS_ONCE(ads->ds_ctl4) = set11nPktDurRTSCTS(i->rates, 0)
52033+ ACCESS_ONCE_RW(ads->ds_ctl4) = set11nPktDurRTSCTS(i->rates, 0)
52034 | set11nPktDurRTSCTS(i->rates, 1);
52035
52036- ACCESS_ONCE(ads->ds_ctl5) = set11nPktDurRTSCTS(i->rates, 2)
52037+ ACCESS_ONCE_RW(ads->ds_ctl5) = set11nPktDurRTSCTS(i->rates, 2)
52038 | set11nPktDurRTSCTS(i->rates, 3);
52039
52040- ACCESS_ONCE(ads->ds_ctl7) = set11nRateFlags(i->rates, 0)
52041+ ACCESS_ONCE_RW(ads->ds_ctl7) = set11nRateFlags(i->rates, 0)
52042 | set11nRateFlags(i->rates, 1)
52043 | set11nRateFlags(i->rates, 2)
52044 | set11nRateFlags(i->rates, 3)
52045 | SM(i->rtscts_rate, AR_RTSCTSRate);
52046
52047- ACCESS_ONCE(ads->ds_ctl9) = SM(i->txpower[1], AR_XmitPower1);
52048- ACCESS_ONCE(ads->ds_ctl10) = SM(i->txpower[2], AR_XmitPower2);
52049- ACCESS_ONCE(ads->ds_ctl11) = SM(i->txpower[3], AR_XmitPower3);
52050+ ACCESS_ONCE_RW(ads->ds_ctl9) = SM(i->txpower[1], AR_XmitPower1);
52051+ ACCESS_ONCE_RW(ads->ds_ctl10) = SM(i->txpower[2], AR_XmitPower2);
52052+ ACCESS_ONCE_RW(ads->ds_ctl11) = SM(i->txpower[3], AR_XmitPower3);
52053 }
52054
52055 static int ar9002_hw_proc_txdesc(struct ath_hw *ah, void *ds,
52056diff --git a/drivers/net/wireless/ath/ath9k/ar9003_mac.c b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
52057index da84b70..83e4978 100644
52058--- a/drivers/net/wireless/ath/ath9k/ar9003_mac.c
52059+++ b/drivers/net/wireless/ath/ath9k/ar9003_mac.c
52060@@ -39,47 +39,47 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
52061 (i->qcu << AR_TxQcuNum_S) | desc_len;
52062
52063 checksum += val;
52064- ACCESS_ONCE(ads->info) = val;
52065+ ACCESS_ONCE_RW(ads->info) = val;
52066
52067 checksum += i->link;
52068- ACCESS_ONCE(ads->link) = i->link;
52069+ ACCESS_ONCE_RW(ads->link) = i->link;
52070
52071 checksum += i->buf_addr[0];
52072- ACCESS_ONCE(ads->data0) = i->buf_addr[0];
52073+ ACCESS_ONCE_RW(ads->data0) = i->buf_addr[0];
52074 checksum += i->buf_addr[1];
52075- ACCESS_ONCE(ads->data1) = i->buf_addr[1];
52076+ ACCESS_ONCE_RW(ads->data1) = i->buf_addr[1];
52077 checksum += i->buf_addr[2];
52078- ACCESS_ONCE(ads->data2) = i->buf_addr[2];
52079+ ACCESS_ONCE_RW(ads->data2) = i->buf_addr[2];
52080 checksum += i->buf_addr[3];
52081- ACCESS_ONCE(ads->data3) = i->buf_addr[3];
52082+ ACCESS_ONCE_RW(ads->data3) = i->buf_addr[3];
52083
52084 checksum += (val = (i->buf_len[0] << AR_BufLen_S) & AR_BufLen);
52085- ACCESS_ONCE(ads->ctl3) = val;
52086+ ACCESS_ONCE_RW(ads->ctl3) = val;
52087 checksum += (val = (i->buf_len[1] << AR_BufLen_S) & AR_BufLen);
52088- ACCESS_ONCE(ads->ctl5) = val;
52089+ ACCESS_ONCE_RW(ads->ctl5) = val;
52090 checksum += (val = (i->buf_len[2] << AR_BufLen_S) & AR_BufLen);
52091- ACCESS_ONCE(ads->ctl7) = val;
52092+ ACCESS_ONCE_RW(ads->ctl7) = val;
52093 checksum += (val = (i->buf_len[3] << AR_BufLen_S) & AR_BufLen);
52094- ACCESS_ONCE(ads->ctl9) = val;
52095+ ACCESS_ONCE_RW(ads->ctl9) = val;
52096
52097 checksum = (u16) (((checksum & 0xffff) + (checksum >> 16)) & 0xffff);
52098- ACCESS_ONCE(ads->ctl10) = checksum;
52099+ ACCESS_ONCE_RW(ads->ctl10) = checksum;
52100
52101 if (i->is_first || i->is_last) {
52102- ACCESS_ONCE(ads->ctl13) = set11nTries(i->rates, 0)
52103+ ACCESS_ONCE_RW(ads->ctl13) = set11nTries(i->rates, 0)
52104 | set11nTries(i->rates, 1)
52105 | set11nTries(i->rates, 2)
52106 | set11nTries(i->rates, 3)
52107 | (i->dur_update ? AR_DurUpdateEna : 0)
52108 | SM(0, AR_BurstDur);
52109
52110- ACCESS_ONCE(ads->ctl14) = set11nRate(i->rates, 0)
52111+ ACCESS_ONCE_RW(ads->ctl14) = set11nRate(i->rates, 0)
52112 | set11nRate(i->rates, 1)
52113 | set11nRate(i->rates, 2)
52114 | set11nRate(i->rates, 3);
52115 } else {
52116- ACCESS_ONCE(ads->ctl13) = 0;
52117- ACCESS_ONCE(ads->ctl14) = 0;
52118+ ACCESS_ONCE_RW(ads->ctl13) = 0;
52119+ ACCESS_ONCE_RW(ads->ctl14) = 0;
52120 }
52121
52122 ads->ctl20 = 0;
52123@@ -89,17 +89,17 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
52124
52125 ctl17 = SM(i->keytype, AR_EncrType);
52126 if (!i->is_first) {
52127- ACCESS_ONCE(ads->ctl11) = 0;
52128- ACCESS_ONCE(ads->ctl12) = i->is_last ? 0 : AR_TxMore;
52129- ACCESS_ONCE(ads->ctl15) = 0;
52130- ACCESS_ONCE(ads->ctl16) = 0;
52131- ACCESS_ONCE(ads->ctl17) = ctl17;
52132- ACCESS_ONCE(ads->ctl18) = 0;
52133- ACCESS_ONCE(ads->ctl19) = 0;
52134+ ACCESS_ONCE_RW(ads->ctl11) = 0;
52135+ ACCESS_ONCE_RW(ads->ctl12) = i->is_last ? 0 : AR_TxMore;
52136+ ACCESS_ONCE_RW(ads->ctl15) = 0;
52137+ ACCESS_ONCE_RW(ads->ctl16) = 0;
52138+ ACCESS_ONCE_RW(ads->ctl17) = ctl17;
52139+ ACCESS_ONCE_RW(ads->ctl18) = 0;
52140+ ACCESS_ONCE_RW(ads->ctl19) = 0;
52141 return;
52142 }
52143
52144- ACCESS_ONCE(ads->ctl11) = (i->pkt_len & AR_FrameLen)
52145+ ACCESS_ONCE_RW(ads->ctl11) = (i->pkt_len & AR_FrameLen)
52146 | (i->flags & ATH9K_TXDESC_VMF ? AR_VirtMoreFrag : 0)
52147 | SM(i->txpower[0], AR_XmitPower0)
52148 | (i->flags & ATH9K_TXDESC_VEOL ? AR_VEOL : 0)
52149@@ -135,26 +135,26 @@ ar9003_set_txdesc(struct ath_hw *ah, void *ds, struct ath_tx_info *i)
52150 val = (i->flags & ATH9K_TXDESC_PAPRD) >> ATH9K_TXDESC_PAPRD_S;
52151 ctl12 |= SM(val, AR_PAPRDChainMask);
52152
52153- ACCESS_ONCE(ads->ctl12) = ctl12;
52154- ACCESS_ONCE(ads->ctl17) = ctl17;
52155+ ACCESS_ONCE_RW(ads->ctl12) = ctl12;
52156+ ACCESS_ONCE_RW(ads->ctl17) = ctl17;
52157
52158- ACCESS_ONCE(ads->ctl15) = set11nPktDurRTSCTS(i->rates, 0)
52159+ ACCESS_ONCE_RW(ads->ctl15) = set11nPktDurRTSCTS(i->rates, 0)
52160 | set11nPktDurRTSCTS(i->rates, 1);
52161
52162- ACCESS_ONCE(ads->ctl16) = set11nPktDurRTSCTS(i->rates, 2)
52163+ ACCESS_ONCE_RW(ads->ctl16) = set11nPktDurRTSCTS(i->rates, 2)
52164 | set11nPktDurRTSCTS(i->rates, 3);
52165
52166- ACCESS_ONCE(ads->ctl18) = set11nRateFlags(i->rates, 0)
52167+ ACCESS_ONCE_RW(ads->ctl18) = set11nRateFlags(i->rates, 0)
52168 | set11nRateFlags(i->rates, 1)
52169 | set11nRateFlags(i->rates, 2)
52170 | set11nRateFlags(i->rates, 3)
52171 | SM(i->rtscts_rate, AR_RTSCTSRate);
52172
52173- ACCESS_ONCE(ads->ctl19) = AR_Not_Sounding;
52174+ ACCESS_ONCE_RW(ads->ctl19) = AR_Not_Sounding;
52175
52176- ACCESS_ONCE(ads->ctl20) = SM(i->txpower[1], AR_XmitPower1);
52177- ACCESS_ONCE(ads->ctl21) = SM(i->txpower[2], AR_XmitPower2);
52178- ACCESS_ONCE(ads->ctl22) = SM(i->txpower[3], AR_XmitPower3);
52179+ ACCESS_ONCE_RW(ads->ctl20) = SM(i->txpower[1], AR_XmitPower1);
52180+ ACCESS_ONCE_RW(ads->ctl21) = SM(i->txpower[2], AR_XmitPower2);
52181+ ACCESS_ONCE_RW(ads->ctl22) = SM(i->txpower[3], AR_XmitPower3);
52182 }
52183
52184 static u16 ar9003_calc_ptr_chksum(struct ar9003_txc *ads)
52185diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
52186index e8454db..c7b26fe 100644
52187--- a/drivers/net/wireless/ath/ath9k/hw.h
52188+++ b/drivers/net/wireless/ath/ath9k/hw.h
52189@@ -671,7 +671,7 @@ struct ath_hw_private_ops {
52190 #ifdef CONFIG_ATH9K_BTCOEX_SUPPORT
52191 bool (*is_aic_enabled)(struct ath_hw *ah);
52192 #endif /* CONFIG_ATH9K_BTCOEX_SUPPORT */
52193-};
52194+} __no_const;
52195
52196 /**
52197 * struct ath_spec_scan - parameters for Atheros spectral scan
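Review bot: The `__no_const` added to `struct ath_hw_private_ops` here, and to `struct ath_hw_ops` in the next hunk, leaves two tables of function pointers writable with no comment saying why. Writable ops tables are what the rest of this patch works to remove, so the exemption should carry its reason beside it, for example `/* filled in per chip at attach time, so it cannot be constified */`, if that is indeed the cause (the code that populates these tables is not in the hunk). Both struct definitions start outside their hunks.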
52198@@ -747,7 +747,7 @@ struct ath_hw_ops {
52199 #ifdef CONFIG_ATH9K_BTCOEX_SUPPORT
52200 void (*set_bt_ant_diversity)(struct ath_hw *hw, bool enable);
52201 #endif
52202-};
52203+} __no_const;
52204
52205 struct ath_nf_limits {
52206 s16 max;
52207diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
52208index cfd45cb..6de2be6 100644
52209--- a/drivers/net/wireless/ath/ath9k/main.c
52210+++ b/drivers/net/wireless/ath/ath9k/main.c
52211@@ -2574,16 +2574,18 @@ void ath9k_fill_chanctx_ops(void)
52212 if (!ath9k_is_chanctx_enabled())
52213 return;
52214
52215- ath9k_ops.hw_scan = ath9k_hw_scan;
52216- ath9k_ops.cancel_hw_scan = ath9k_cancel_hw_scan;
52217- ath9k_ops.remain_on_channel = ath9k_remain_on_channel;
52218- ath9k_ops.cancel_remain_on_channel = ath9k_cancel_remain_on_channel;
52219- ath9k_ops.add_chanctx = ath9k_add_chanctx;
52220- ath9k_ops.remove_chanctx = ath9k_remove_chanctx;
52221- ath9k_ops.change_chanctx = ath9k_change_chanctx;
52222- ath9k_ops.assign_vif_chanctx = ath9k_assign_vif_chanctx;
52223- ath9k_ops.unassign_vif_chanctx = ath9k_unassign_vif_chanctx;
52224- ath9k_ops.mgd_prepare_tx = ath9k_mgd_prepare_tx;
52225+ pax_open_kernel();
52226+ *(void **)&ath9k_ops.hw_scan = ath9k_hw_scan;
52227+ *(void **)&ath9k_ops.cancel_hw_scan = ath9k_cancel_hw_scan;
52228+ *(void **)&ath9k_ops.remain_on_channel = ath9k_remain_on_channel;
52229+ *(void **)&ath9k_ops.cancel_remain_on_channel = ath9k_cancel_remain_on_channel;
52230+ *(void **)&ath9k_ops.add_chanctx = ath9k_add_chanctx;
52231+ *(void **)&ath9k_ops.remove_chanctx = ath9k_remove_chanctx;
52232+ *(void **)&ath9k_ops.change_chanctx = ath9k_change_chanctx;
52233+ *(void **)&ath9k_ops.assign_vif_chanctx = ath9k_assign_vif_chanctx;
52234+ *(void **)&ath9k_ops.unassign_vif_chanctx = ath9k_unassign_vif_chanctx;
52235+ *(void **)&ath9k_ops.mgd_prepare_tx = ath9k_mgd_prepare_tx;
52236+ pax_close_kernel();
52237 }
52238
52239 #endif
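Review bot: Every store in `ath9k_fill_chanctx_ops` now goes through `*(void **)&ath9k_ops.<field>`, which discards the handler's prototype, so a handler whose signature drifts from the field's type would compile silently and only fail when called. The same cast is used in the il3945 `hw_scan`, mac80211_hwsim, wl1251, wl12xx and wl18xx hunks below. A compile-time check next to each store would restore the lost type checking, e.g. `BUILD_BUG_ON(!__same_type(ath9k_ops.hw_scan, &ath9k_hw_scan));`. A short comment above `pax_open_kernel()` stating that the table is read-only and is patched once would also help the next reader.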
52240diff --git a/drivers/net/wireless/b43/phy_lp.c b/drivers/net/wireless/b43/phy_lp.c
52241index 058a9f2..d5cb1ba 100644
52242--- a/drivers/net/wireless/b43/phy_lp.c
52243+++ b/drivers/net/wireless/b43/phy_lp.c
52244@@ -2502,7 +2502,7 @@ static int lpphy_b2063_tune(struct b43_wldev *dev,
52245 {
52246 struct ssb_bus *bus = dev->dev->sdev->bus;
52247
52248- static const struct b206x_channel *chandata = NULL;
52249+ const struct b206x_channel *chandata = NULL;
52250 u32 crystal_freq = bus->chipco.pmu.crystalfreq * 1000;
52251 u32 freqref, vco_freq, val1, val2, val3, timeout, timeoutref, count;
52252 u16 old_comm15, scale;
52253diff --git a/drivers/net/wireless/iwlegacy/3945-mac.c b/drivers/net/wireless/iwlegacy/3945-mac.c
52254index 7f4cb69..16c0825 100644
52255--- a/drivers/net/wireless/iwlegacy/3945-mac.c
52256+++ b/drivers/net/wireless/iwlegacy/3945-mac.c
52257@@ -3633,7 +3633,9 @@ il3945_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
52258 */
52259 if (il3945_mod_params.disable_hw_scan) {
52260 D_INFO("Disabling hw_scan\n");
52261- il3945_mac_ops.hw_scan = NULL;
52262+ pax_open_kernel();
52263+ *(void **)&il3945_mac_ops.hw_scan = NULL;
52264+ pax_close_kernel();
52265 }
52266
52267 D_INFO("*** LOAD DRIVER ***\n");
52268diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
52269index 0ffb6ff..c0b7f0e 100644
52270--- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c
52271+++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c
52272@@ -188,7 +188,7 @@ static ssize_t iwl_dbgfs_sram_write(struct file *file,
52273 {
52274 struct iwl_priv *priv = file->private_data;
52275 char buf[64];
52276- int buf_size;
52277+ size_t buf_size;
52278 u32 offset, len;
52279
52280 memset(buf, 0, sizeof(buf));
52281@@ -458,7 +458,7 @@ static ssize_t iwl_dbgfs_rx_handlers_write(struct file *file,
52282 struct iwl_priv *priv = file->private_data;
52283
52284 char buf[8];
52285- int buf_size;
52286+ size_t buf_size;
52287 u32 reset_flag;
52288
52289 memset(buf, 0, sizeof(buf));
52290@@ -539,7 +539,7 @@ static ssize_t iwl_dbgfs_disable_ht40_write(struct file *file,
52291 {
52292 struct iwl_priv *priv = file->private_data;
52293 char buf[8];
52294- int buf_size;
52295+ size_t buf_size;
52296 int ht40;
52297
52298 memset(buf, 0, sizeof(buf));
52299@@ -591,7 +591,7 @@ static ssize_t iwl_dbgfs_sleep_level_override_write(struct file *file,
52300 {
52301 struct iwl_priv *priv = file->private_data;
52302 char buf[8];
52303- int buf_size;
52304+ size_t buf_size;
52305 int value;
52306
52307 memset(buf, 0, sizeof(buf));
52308@@ -683,10 +683,10 @@ DEBUGFS_READ_FILE_OPS(temperature);
52309 DEBUGFS_READ_WRITE_FILE_OPS(sleep_level_override);
52310 DEBUGFS_READ_FILE_OPS(current_sleep_command);
52311
52312-static const char *fmt_value = " %-30s %10u\n";
52313-static const char *fmt_hex = " %-30s 0x%02X\n";
52314-static const char *fmt_table = " %-30s %10u %10u %10u %10u\n";
52315-static const char *fmt_header =
52316+static const char fmt_value[] = " %-30s %10u\n";
52317+static const char fmt_hex[] = " %-30s 0x%02X\n";
52318+static const char fmt_table[] = " %-30s %10u %10u %10u %10u\n";
52319+static const char fmt_header[] =
52320 "%-32s current cumulative delta max\n";
52321
52322 static int iwl_statistics_flag(struct iwl_priv *priv, char *buf, int bufsz)
52323@@ -1856,7 +1856,7 @@ static ssize_t iwl_dbgfs_clear_ucode_statistics_write(struct file *file,
52324 {
52325 struct iwl_priv *priv = file->private_data;
52326 char buf[8];
52327- int buf_size;
52328+ size_t buf_size;
52329 int clear;
52330
52331 memset(buf, 0, sizeof(buf));
52332@@ -1901,7 +1901,7 @@ static ssize_t iwl_dbgfs_ucode_tracing_write(struct file *file,
52333 {
52334 struct iwl_priv *priv = file->private_data;
52335 char buf[8];
52336- int buf_size;
52337+ size_t buf_size;
52338 int trace;
52339
52340 memset(buf, 0, sizeof(buf));
52341@@ -1972,7 +1972,7 @@ static ssize_t iwl_dbgfs_missed_beacon_write(struct file *file,
52342 {
52343 struct iwl_priv *priv = file->private_data;
52344 char buf[8];
52345- int buf_size;
52346+ size_t buf_size;
52347 int missed;
52348
52349 memset(buf, 0, sizeof(buf));
52350@@ -2013,7 +2013,7 @@ static ssize_t iwl_dbgfs_plcp_delta_write(struct file *file,
52351
52352 struct iwl_priv *priv = file->private_data;
52353 char buf[8];
52354- int buf_size;
52355+ size_t buf_size;
52356 int plcp;
52357
52358 memset(buf, 0, sizeof(buf));
52359@@ -2073,7 +2073,7 @@ static ssize_t iwl_dbgfs_txfifo_flush_write(struct file *file,
52360
52361 struct iwl_priv *priv = file->private_data;
52362 char buf[8];
52363- int buf_size;
52364+ size_t buf_size;
52365 int flush;
52366
52367 memset(buf, 0, sizeof(buf));
52368@@ -2163,7 +2163,7 @@ static ssize_t iwl_dbgfs_protection_mode_write(struct file *file,
52369
52370 struct iwl_priv *priv = file->private_data;
52371 char buf[8];
52372- int buf_size;
52373+ size_t buf_size;
52374 int rts;
52375
52376 if (!priv->cfg->ht_params)
52377@@ -2204,7 +2204,7 @@ static ssize_t iwl_dbgfs_echo_test_write(struct file *file,
52378 {
52379 struct iwl_priv *priv = file->private_data;
52380 char buf[8];
52381- int buf_size;
52382+ size_t buf_size;
52383
52384 memset(buf, 0, sizeof(buf));
52385 buf_size = min(count, sizeof(buf) - 1);
52386@@ -2238,7 +2238,7 @@ static ssize_t iwl_dbgfs_log_event_write(struct file *file,
52387 struct iwl_priv *priv = file->private_data;
52388 u32 event_log_flag;
52389 char buf[8];
52390- int buf_size;
52391+ size_t buf_size;
52392
52393 /* check that the interface is up */
52394 if (!iwl_is_ready(priv))
52395@@ -2292,7 +2292,7 @@ static ssize_t iwl_dbgfs_calib_disabled_write(struct file *file,
52396 struct iwl_priv *priv = file->private_data;
52397 char buf[8];
52398 u32 calib_disabled;
52399- int buf_size;
52400+ size_t buf_size;
52401
52402 memset(buf, 0, sizeof(buf));
52403 buf_size = min(count, sizeof(buf) - 1);
52404diff --git a/drivers/net/wireless/iwlwifi/pcie/trans.c b/drivers/net/wireless/iwlwifi/pcie/trans.c
52405index 9e144e7..2f5511a 100644
52406--- a/drivers/net/wireless/iwlwifi/pcie/trans.c
52407+++ b/drivers/net/wireless/iwlwifi/pcie/trans.c
52408@@ -1950,7 +1950,7 @@ static ssize_t iwl_dbgfs_interrupt_write(struct file *file,
52409 struct isr_statistics *isr_stats = &trans_pcie->isr_stats;
52410
52411 char buf[8];
52412- int buf_size;
52413+ size_t buf_size;
52414 u32 reset_flag;
52415
52416 memset(buf, 0, sizeof(buf));
52417@@ -1971,7 +1971,7 @@ static ssize_t iwl_dbgfs_csr_write(struct file *file,
52418 {
52419 struct iwl_trans *trans = file->private_data;
52420 char buf[8];
52421- int buf_size;
52422+ size_t buf_size;
52423 int csr;
52424
52425 memset(buf, 0, sizeof(buf));
52426diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
52427index 99e873d..0d9aab2 100644
52428--- a/drivers/net/wireless/mac80211_hwsim.c
52429+++ b/drivers/net/wireless/mac80211_hwsim.c
52430@@ -3148,20 +3148,20 @@ static int __init init_mac80211_hwsim(void)
52431 if (channels < 1)
52432 return -EINVAL;
52433
52434- mac80211_hwsim_mchan_ops = mac80211_hwsim_ops;
52435- mac80211_hwsim_mchan_ops.hw_scan = mac80211_hwsim_hw_scan;
52436- mac80211_hwsim_mchan_ops.cancel_hw_scan = mac80211_hwsim_cancel_hw_scan;
52437- mac80211_hwsim_mchan_ops.sw_scan_start = NULL;
52438- mac80211_hwsim_mchan_ops.sw_scan_complete = NULL;
52439- mac80211_hwsim_mchan_ops.remain_on_channel = mac80211_hwsim_roc;
52440- mac80211_hwsim_mchan_ops.cancel_remain_on_channel = mac80211_hwsim_croc;
52441- mac80211_hwsim_mchan_ops.add_chanctx = mac80211_hwsim_add_chanctx;
52442- mac80211_hwsim_mchan_ops.remove_chanctx = mac80211_hwsim_remove_chanctx;
52443- mac80211_hwsim_mchan_ops.change_chanctx = mac80211_hwsim_change_chanctx;
52444- mac80211_hwsim_mchan_ops.assign_vif_chanctx =
52445- mac80211_hwsim_assign_vif_chanctx;
52446- mac80211_hwsim_mchan_ops.unassign_vif_chanctx =
52447- mac80211_hwsim_unassign_vif_chanctx;
52448+ pax_open_kernel();
52449+ memcpy((void *)&mac80211_hwsim_mchan_ops, &mac80211_hwsim_ops, sizeof mac80211_hwsim_mchan_ops);
52450+ *(void **)&mac80211_hwsim_mchan_ops.hw_scan = mac80211_hwsim_hw_scan;
52451+ *(void **)&mac80211_hwsim_mchan_ops.cancel_hw_scan = mac80211_hwsim_cancel_hw_scan;
52452+ *(void **)&mac80211_hwsim_mchan_ops.sw_scan_start = NULL;
52453+ *(void **)&mac80211_hwsim_mchan_ops.sw_scan_complete = NULL;
52454+ *(void **)&mac80211_hwsim_mchan_ops.remain_on_channel = mac80211_hwsim_roc;
52455+ *(void **)&mac80211_hwsim_mchan_ops.cancel_remain_on_channel = mac80211_hwsim_croc;
52456+ *(void **)&mac80211_hwsim_mchan_ops.add_chanctx = mac80211_hwsim_add_chanctx;
52457+ *(void **)&mac80211_hwsim_mchan_ops.remove_chanctx = mac80211_hwsim_remove_chanctx;
52458+ *(void **)&mac80211_hwsim_mchan_ops.change_chanctx = mac80211_hwsim_change_chanctx;
52459+ *(void **)&mac80211_hwsim_mchan_ops.assign_vif_chanctx = mac80211_hwsim_assign_vif_chanctx;
52460+ *(void **)&mac80211_hwsim_mchan_ops.unassign_vif_chanctx = mac80211_hwsim_unassign_vif_chanctx;
52461+ pax_close_kernel();
52462
52463 spin_lock_init(&hwsim_radio_lock);
52464 INIT_LIST_HEAD(&hwsim_radios);
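Review bot: `init_mac80211_hwsim` builds `mac80211_hwsim_mchan_ops` at load time with a `memcpy` and eleven pointer stores, all inside one `pax_open_kernel()` window, although every value written is known at compile time as far as the hunk shows. A second statically initialised table that shares the common initialisers (for instance through a macro listing the shared fields) would need no write window and would keep the compiler's type checks on each handler. If the runtime copy stays, `sizeof mac80211_hwsim_mchan_ops` is only correct while both objects have the same type; `BUILD_BUG_ON(sizeof(mac80211_hwsim_mchan_ops) != sizeof(mac80211_hwsim_ops));` would pin that. The function starts and ends outside the hunk.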
52465diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c
52466index 71a825c..ce7d6c3 100644
52467--- a/drivers/net/wireless/rndis_wlan.c
52468+++ b/drivers/net/wireless/rndis_wlan.c
52469@@ -1236,7 +1236,7 @@ static int set_rts_threshold(struct usbnet *usbdev, u32 rts_threshold)
52470
52471 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
52472
52473- if (rts_threshold < 0 || rts_threshold > 2347)
52474+ if (rts_threshold > 2347)
52475 rts_threshold = 2347;
52476
52477 tmp = cpu_to_le32(rts_threshold);
52478diff --git a/drivers/net/wireless/rt2x00/rt2x00.h b/drivers/net/wireless/rt2x00/rt2x00.h
52479index 9bb398b..b0cc047 100644
52480--- a/drivers/net/wireless/rt2x00/rt2x00.h
52481+++ b/drivers/net/wireless/rt2x00/rt2x00.h
52482@@ -375,7 +375,7 @@ struct rt2x00_intf {
52483 * for hardware which doesn't support hardware
52484 * sequence counting.
52485 */
52486- atomic_t seqno;
52487+ atomic_unchecked_t seqno;
52488 };
52489
52490 static inline struct rt2x00_intf* vif_to_intf(struct ieee80211_vif *vif)
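Review bot: `seqno` becomes `atomic_unchecked_t`, but the comment above the field does not say that wrap-around is intended. The unchecked type opts the counter out of the overflow detection PaX applies to plain `atomic_t`, which suits a frame sequence number but should be recorded so the pattern is not copied onto a reference count. Appending a line such as `* Wraps by design, hence atomic_unchecked_t.` to the existing comment would do. The same remark applies to the `atomic_add_return_unchecked`/`atomic_read_unchecked` calls in rt2x00queue.c and to the `oprofile_stats` counters converted further down, which look like pure statistics.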
52491diff --git a/drivers/net/wireless/rt2x00/rt2x00queue.c b/drivers/net/wireless/rt2x00/rt2x00queue.c
52492index 68b620b..92ecd9e 100644
52493--- a/drivers/net/wireless/rt2x00/rt2x00queue.c
52494+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c
52495@@ -224,9 +224,9 @@ static void rt2x00queue_create_tx_descriptor_seq(struct rt2x00_dev *rt2x00dev,
52496 * sequence counter given by mac80211.
52497 */
52498 if (test_bit(ENTRY_TXD_FIRST_FRAGMENT, &txdesc->flags))
52499- seqno = atomic_add_return(0x10, &intf->seqno);
52500+ seqno = atomic_add_return_unchecked(0x10, &intf->seqno);
52501 else
52502- seqno = atomic_read(&intf->seqno);
52503+ seqno = atomic_read_unchecked(&intf->seqno);
52504
52505 hdr->seq_ctrl &= cpu_to_le16(IEEE80211_SCTL_FRAG);
52506 hdr->seq_ctrl |= cpu_to_le16(seqno);
52507diff --git a/drivers/net/wireless/ti/wl1251/sdio.c b/drivers/net/wireless/ti/wl1251/sdio.c
52508index b661f896..ddf7d2b 100644
52509--- a/drivers/net/wireless/ti/wl1251/sdio.c
52510+++ b/drivers/net/wireless/ti/wl1251/sdio.c
52511@@ -282,13 +282,17 @@ static int wl1251_sdio_probe(struct sdio_func *func,
52512
52513 irq_set_irq_type(wl->irq, IRQ_TYPE_EDGE_RISING);
52514
52515- wl1251_sdio_ops.enable_irq = wl1251_enable_line_irq;
52516- wl1251_sdio_ops.disable_irq = wl1251_disable_line_irq;
52517+ pax_open_kernel();
52518+ *(void **)&wl1251_sdio_ops.enable_irq = wl1251_enable_line_irq;
52519+ *(void **)&wl1251_sdio_ops.disable_irq = wl1251_disable_line_irq;
52520+ pax_close_kernel();
52521
52522 wl1251_info("using dedicated interrupt line");
52523 } else {
52524- wl1251_sdio_ops.enable_irq = wl1251_sdio_enable_irq;
52525- wl1251_sdio_ops.disable_irq = wl1251_sdio_disable_irq;
52526+ pax_open_kernel();
52527+ *(void **)&wl1251_sdio_ops.enable_irq = wl1251_sdio_enable_irq;
52528+ *(void **)&wl1251_sdio_ops.disable_irq = wl1251_sdio_disable_irq;
52529+ pax_close_kernel();
52530
52531 wl1251_info("using SDIO interrupt");
52532 }
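Review bot: `wl1251_sdio_probe` lifts kernel write protection on every probe only to choose between two fixed pairs of IRQ handlers, and the `pax_open_kernel()`/`pax_close_kernel()` bracket is duplicated in both branches. Since both pairs are known at compile time, two statically initialised ops tables, with the probe selecting a pointer, would avoid the runtime write. Whether that fits depends on how `wl1251_sdio_ops` is consumed, which is outside the hunk. As written, the single shared table is rewritten per device, so with more than one device the last probe appears to decide the handlers for all of them.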
52533diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c
52534index af0fe2e..d04986b 100644
52535--- a/drivers/net/wireless/ti/wl12xx/main.c
52536+++ b/drivers/net/wireless/ti/wl12xx/main.c
52537@@ -655,7 +655,9 @@ static int wl12xx_identify_chip(struct wl1271 *wl)
52538 sizeof(wl->conf.mem));
52539
52540 /* read data preparation is only needed by wl127x */
52541- wl->ops->prepare_read = wl127x_prepare_read;
52542+ pax_open_kernel();
52543+ *(void **)&wl->ops->prepare_read = wl127x_prepare_read;
52544+ pax_close_kernel();
52545
52546 wlcore_set_min_fw_ver(wl, WL127X_CHIP_VER,
52547 WL127X_IFTYPE_SR_VER, WL127X_MAJOR_SR_VER,
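Review bot: The store `*(void **)&wl->ops->prepare_read = wl127x_prepare_read;` runs with write protection lifted, but its destination is resolved at runtime through `wl->ops`, so it writes to whatever object that pointer refers to at that moment. The identical store in the next hunk has the same property. Naming the driver's static ops table directly in the assignment, or checking before `pax_open_kernel()` that `wl->ops` points at it, would tie the write window to one known object. Where `wl->ops` is assigned is not visible here, and `wl12xx_identify_chip` starts and ends outside both hunks.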
52548@@ -680,7 +682,9 @@ static int wl12xx_identify_chip(struct wl1271 *wl)
52549 sizeof(wl->conf.mem));
52550
52551 /* read data preparation is only needed by wl127x */
52552- wl->ops->prepare_read = wl127x_prepare_read;
52553+ pax_open_kernel();
52554+ *(void **)&wl->ops->prepare_read = wl127x_prepare_read;
52555+ pax_close_kernel();
52556
52557 wlcore_set_min_fw_ver(wl, WL127X_CHIP_VER,
52558 WL127X_IFTYPE_SR_VER, WL127X_MAJOR_SR_VER,
52559diff --git a/drivers/net/wireless/ti/wl18xx/main.c b/drivers/net/wireless/ti/wl18xx/main.c
52560index 49aca2c..3b9c10c 100644
52561--- a/drivers/net/wireless/ti/wl18xx/main.c
52562+++ b/drivers/net/wireless/ti/wl18xx/main.c
52563@@ -1952,8 +1952,10 @@ static int wl18xx_setup(struct wl1271 *wl)
52564 }
52565
52566 if (!checksum_param) {
52567- wl18xx_ops.set_rx_csum = NULL;
52568- wl18xx_ops.init_vif = NULL;
52569+ pax_open_kernel();
52570+ *(void **)&wl18xx_ops.set_rx_csum = NULL;
52571+ *(void **)&wl18xx_ops.init_vif = NULL;
52572+ pax_close_kernel();
52573 }
52574
52575 /* Enable 11a Band only if we have 5G antennas */
52576diff --git a/drivers/net/wireless/zd1211rw/zd_usb.c b/drivers/net/wireless/zd1211rw/zd_usb.c
52577index a912dc0..a8225ba 100644
52578--- a/drivers/net/wireless/zd1211rw/zd_usb.c
52579+++ b/drivers/net/wireless/zd1211rw/zd_usb.c
52580@@ -385,7 +385,7 @@ static inline void handle_regs_int(struct urb *urb)
52581 {
52582 struct zd_usb *usb = urb->context;
52583 struct zd_usb_interrupt *intr = &usb->intr;
52584- int len;
52585+ unsigned int len;
52586 u16 int_num;
52587
52588 ZD_ASSERT(in_interrupt());
52589diff --git a/drivers/nfc/nfcwilink.c b/drivers/nfc/nfcwilink.c
52590index ce2e2cf..f81e500 100644
52591--- a/drivers/nfc/nfcwilink.c
52592+++ b/drivers/nfc/nfcwilink.c
52593@@ -497,7 +497,7 @@ static struct nci_ops nfcwilink_ops = {
52594
52595 static int nfcwilink_probe(struct platform_device *pdev)
52596 {
52597- static struct nfcwilink *drv;
52598+ struct nfcwilink *drv;
52599 int rc;
52600 __u32 protocols;
52601
52602diff --git a/drivers/of/fdt.c b/drivers/of/fdt.c
52603index 6e82bc42..ab4145c 100644
52604--- a/drivers/of/fdt.c
52605+++ b/drivers/of/fdt.c
52606@@ -1161,7 +1161,9 @@ static int __init of_fdt_raw_init(void)
52607 pr_warn("fdt: not creating '/sys/firmware/fdt': CRC check failed\n");
52608 return 0;
52609 }
52610- of_fdt_raw_attr.size = fdt_totalsize(initial_boot_params);
52611+ pax_open_kernel();
52612+ *(size_t *)&of_fdt_raw_attr.size = fdt_totalsize(initial_boot_params);
52613+ pax_close_kernel();
52614 return sysfs_create_bin_file(firmware_kobj, &of_fdt_raw_attr);
52615 }
52616 late_initcall(of_fdt_raw_init);
52617diff --git a/drivers/oprofile/buffer_sync.c b/drivers/oprofile/buffer_sync.c
52618index 82f7000..d6d0447 100644
52619--- a/drivers/oprofile/buffer_sync.c
52620+++ b/drivers/oprofile/buffer_sync.c
52621@@ -345,7 +345,7 @@ static void add_data(struct op_entry *entry, struct mm_struct *mm)
52622 if (cookie == NO_COOKIE)
52623 offset = pc;
52624 if (cookie == INVALID_COOKIE) {
52625- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
52626+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
52627 offset = pc;
52628 }
52629 if (cookie != last_cookie) {
52630@@ -389,14 +389,14 @@ add_sample(struct mm_struct *mm, struct op_sample *s, int in_kernel)
52631 /* add userspace sample */
52632
52633 if (!mm) {
52634- atomic_inc(&oprofile_stats.sample_lost_no_mm);
52635+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
52636 return 0;
52637 }
52638
52639 cookie = lookup_dcookie(mm, s->eip, &offset);
52640
52641 if (cookie == INVALID_COOKIE) {
52642- atomic_inc(&oprofile_stats.sample_lost_no_mapping);
52643+ atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
52644 return 0;
52645 }
52646
52647@@ -554,7 +554,7 @@ void sync_buffer(int cpu)
52648 /* ignore backtraces if failed to add a sample */
52649 if (state == sb_bt_start) {
52650 state = sb_bt_ignore;
52651- atomic_inc(&oprofile_stats.bt_lost_no_mapping);
52652+ atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
52653 }
52654 }
52655 release_mm(mm);
52656diff --git a/drivers/oprofile/event_buffer.c b/drivers/oprofile/event_buffer.c
52657index c0cc4e7..44d4e54 100644
52658--- a/drivers/oprofile/event_buffer.c
52659+++ b/drivers/oprofile/event_buffer.c
52660@@ -53,7 +53,7 @@ void add_event_entry(unsigned long value)
52661 }
52662
52663 if (buffer_pos == buffer_size) {
52664- atomic_inc(&oprofile_stats.event_lost_overflow);
52665+ atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
52666 return;
52667 }
52668
52669diff --git a/drivers/oprofile/oprof.c b/drivers/oprofile/oprof.c
52670index ed2c3ec..deda85a 100644
52671--- a/drivers/oprofile/oprof.c
52672+++ b/drivers/oprofile/oprof.c
52673@@ -110,7 +110,7 @@ static void switch_worker(struct work_struct *work)
52674 if (oprofile_ops.switch_events())
52675 return;
52676
52677- atomic_inc(&oprofile_stats.multiplex_counter);
52678+ atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
52679 start_switch_worker();
52680 }
52681
52682diff --git a/drivers/oprofile/oprofile_stats.c b/drivers/oprofile/oprofile_stats.c
52683index 59659ce..6c860a0 100644
52684--- a/drivers/oprofile/oprofile_stats.c
52685+++ b/drivers/oprofile/oprofile_stats.c
52686@@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
52687 cpu_buf->sample_invalid_eip = 0;
52688 }
52689
52690- atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
52691- atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
52692- atomic_set(&oprofile_stats.event_lost_overflow, 0);
52693- atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
52694- atomic_set(&oprofile_stats.multiplex_counter, 0);
52695+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
52696+ atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
52697+ atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
52698+ atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
52699+ atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
52700 }
52701
52702
52703diff --git a/drivers/oprofile/oprofile_stats.h b/drivers/oprofile/oprofile_stats.h
52704index 1fc622b..8c48fc3 100644
52705--- a/drivers/oprofile/oprofile_stats.h
52706+++ b/drivers/oprofile/oprofile_stats.h
52707@@ -13,11 +13,11 @@
52708 #include <linux/atomic.h>
52709
52710 struct oprofile_stat_struct {
52711- atomic_t sample_lost_no_mm;
52712- atomic_t sample_lost_no_mapping;
52713- atomic_t bt_lost_no_mapping;
52714- atomic_t event_lost_overflow;
52715- atomic_t multiplex_counter;
52716+ atomic_unchecked_t sample_lost_no_mm;
52717+ atomic_unchecked_t sample_lost_no_mapping;
52718+ atomic_unchecked_t bt_lost_no_mapping;
52719+ atomic_unchecked_t event_lost_overflow;
52720+ atomic_unchecked_t multiplex_counter;
52721 };
52722
52723 extern struct oprofile_stat_struct oprofile_stats;
52724diff --git a/drivers/oprofile/oprofilefs.c b/drivers/oprofile/oprofilefs.c
52725index dd92c5e..dfc04b5 100644
52726--- a/drivers/oprofile/oprofilefs.c
52727+++ b/drivers/oprofile/oprofilefs.c
52728@@ -176,8 +176,8 @@ int oprofilefs_create_ro_ulong(struct dentry *root,
52729
52730 static ssize_t atomic_read_file(struct file *file, char __user *buf, size_t count, loff_t *offset)
52731 {
52732- atomic_t *val = file->private_data;
52733- return oprofilefs_ulong_to_user(atomic_read(val), buf, count, offset);
52734+ atomic_unchecked_t *val = file->private_data;
52735+ return oprofilefs_ulong_to_user(atomic_read_unchecked(val), buf, count, offset);
52736 }
52737
52738
52739@@ -189,7 +189,7 @@ static const struct file_operations atomic_ro_fops = {
52740
52741
52742 int oprofilefs_create_ro_atomic(struct dentry *root,
52743- char const *name, atomic_t *val)
52744+ char const *name, atomic_unchecked_t *val)
52745 {
52746 return __oprofilefs_create_file(root, name,
52747 &atomic_ro_fops, 0444, val);
52748diff --git a/drivers/oprofile/timer_int.c b/drivers/oprofile/timer_int.c
52749index bdef916..88c7dee 100644
52750--- a/drivers/oprofile/timer_int.c
52751+++ b/drivers/oprofile/timer_int.c
52752@@ -93,7 +93,7 @@ static int oprofile_cpu_notify(struct notifier_block *self,
52753 return NOTIFY_OK;
52754 }
52755
52756-static struct notifier_block __refdata oprofile_cpu_notifier = {
52757+static struct notifier_block oprofile_cpu_notifier = {
52758 .notifier_call = oprofile_cpu_notify,
52759 };
52760
52761diff --git a/drivers/parport/procfs.c b/drivers/parport/procfs.c
52762index c776333..aa6b325 100644
52763--- a/drivers/parport/procfs.c
52764+++ b/drivers/parport/procfs.c
52765@@ -65,7 +65,7 @@ static int do_active_device(struct ctl_table *table, int write,
52766
52767 *ppos += len;
52768
52769- return copy_to_user(result, buffer, len) ? -EFAULT : 0;
52770+ return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
52771 }
52772
52773 #ifdef CONFIG_PARPORT_1284
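Review bot: The new `len > sizeof buffer` test in `do_active_device` runs after `*ppos += len;`, so a rejected call still advances the file position. It also runs after `buffer` has been filled, so it stops only the over-read into `copy_to_user`, not an earlier overflow if `len` can really exceed the buffer. Placing `if (len > sizeof buffer) return -EFAULT;` ahead of the `*ppos` update would keep the failure free of side effects. The test relies on `buffer` being an array rather than a pointer, and its declaration is outside the hunk. `do_autoprobe` in the next hunk has the same ordering.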
52774@@ -107,7 +107,7 @@ static int do_autoprobe(struct ctl_table *table, int write,
52775
52776 *ppos += len;
52777
52778- return copy_to_user (result, buffer, len) ? -EFAULT : 0;
52779+ return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
52780 }
52781 #endif /* IEEE1284.3 support. */
52782
52783diff --git a/drivers/pci/host/pci-host-generic.c b/drivers/pci/host/pci-host-generic.c
52784index ba46e58..90cfc24 100644
52785--- a/drivers/pci/host/pci-host-generic.c
52786+++ b/drivers/pci/host/pci-host-generic.c
52787@@ -26,9 +26,9 @@
52788 #include <linux/platform_device.h>
52789
52790 struct gen_pci_cfg_bus_ops {
52791+ struct pci_ops ops;
52792 u32 bus_shift;
52793- void __iomem *(*map_bus)(struct pci_bus *, unsigned int, int);
52794-};
52795+} __do_const;
52796
52797 struct gen_pci_cfg_windows {
52798 struct resource res;
52799@@ -56,8 +56,12 @@ static void __iomem *gen_pci_map_cfg_bus_cam(struct pci_bus *bus,
52800 }
52801
52802 static struct gen_pci_cfg_bus_ops gen_pci_cfg_cam_bus_ops = {
52803+ .ops = {
52804+ .map_bus = gen_pci_map_cfg_bus_cam,
52805+ .read = pci_generic_config_read,
52806+ .write = pci_generic_config_write,
52807+ },
52808 .bus_shift = 16,
52809- .map_bus = gen_pci_map_cfg_bus_cam,
52810 };
52811
52812 static void __iomem *gen_pci_map_cfg_bus_ecam(struct pci_bus *bus,
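Review bot: `gen_pci_cfg_cam_bus_ops`, and `gen_pci_cfg_ecam_bus_ops` in the next hunk, are still declared `static struct gen_pci_cfg_bus_ops` and depend on the `__do_const` attribute alone to end up read-only. With the probe no longer writing `map_bus` into a shared `pci_ops`, nothing in these hunks modifies the tables. An explicit `static const struct gen_pci_cfg_bus_ops gen_pci_cfg_cam_bus_ops = {` would give the same protection in builds without the constify plugin. That requires the pointer types of `pci->cfg.ops` and `hw.ops` to accept a const target, which cannot be confirmed from the lines shown.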
52813@@ -72,13 +76,12 @@ static void __iomem *gen_pci_map_cfg_bus_ecam(struct pci_bus *bus,
52814 }
52815
52816 static struct gen_pci_cfg_bus_ops gen_pci_cfg_ecam_bus_ops = {
52817+ .ops = {
52818+ .map_bus = gen_pci_map_cfg_bus_ecam,
52819+ .read = pci_generic_config_read,
52820+ .write = pci_generic_config_write,
52821+ },
52822 .bus_shift = 20,
52823- .map_bus = gen_pci_map_cfg_bus_ecam,
52824-};
52825-
52826-static struct pci_ops gen_pci_ops = {
52827- .read = pci_generic_config_read,
52828- .write = pci_generic_config_write,
52829 };
52830
52831 static const struct of_device_id gen_pci_of_match[] = {
52832@@ -219,7 +222,6 @@ static int gen_pci_probe(struct platform_device *pdev)
52833 .private_data = (void **)&pci,
52834 .setup = gen_pci_setup,
52835 .map_irq = of_irq_parse_and_map_pci,
52836- .ops = &gen_pci_ops,
52837 };
52838
52839 if (!pci)
52840@@ -241,7 +243,7 @@ static int gen_pci_probe(struct platform_device *pdev)
52841
52842 of_id = of_match_node(gen_pci_of_match, np);
52843 pci->cfg.ops = of_id->data;
52844- gen_pci_ops.map_bus = pci->cfg.ops->map_bus;
52845+ hw.ops = &pci->cfg.ops->ops;
52846 pci->host.dev.parent = dev;
52847 INIT_LIST_HEAD(&pci->host.windows);
52848 INIT_LIST_HEAD(&pci->resources);
52849diff --git a/drivers/pci/hotplug/acpiphp_ibm.c b/drivers/pci/hotplug/acpiphp_ibm.c
52850index 6ca2399..68d866b 100644
52851--- a/drivers/pci/hotplug/acpiphp_ibm.c
52852+++ b/drivers/pci/hotplug/acpiphp_ibm.c
52853@@ -452,7 +452,9 @@ static int __init ibm_acpiphp_init(void)
52854 goto init_cleanup;
52855 }
52856
52857- ibm_apci_table_attr.size = ibm_get_table_from_acpi(NULL);
52858+ pax_open_kernel();
52859+ *(size_t *)&ibm_apci_table_attr.size = ibm_get_table_from_acpi(NULL);
52860+ pax_close_kernel();
52861 retval = sysfs_create_bin_file(sysdir, &ibm_apci_table_attr);
52862
52863 return retval;
52864diff --git a/drivers/pci/hotplug/cpcihp_generic.c b/drivers/pci/hotplug/cpcihp_generic.c
52865index 66b7bbe..26bee78 100644
52866--- a/drivers/pci/hotplug/cpcihp_generic.c
52867+++ b/drivers/pci/hotplug/cpcihp_generic.c
52868@@ -73,7 +73,6 @@ static u16 port;
52869 static unsigned int enum_bit;
52870 static u8 enum_mask;
52871
52872-static struct cpci_hp_controller_ops generic_hpc_ops;
52873 static struct cpci_hp_controller generic_hpc;
52874
52875 static int __init validate_parameters(void)
52876@@ -139,6 +138,10 @@ static int query_enum(void)
52877 return ((value & enum_mask) == enum_mask);
52878 }
52879
52880+static struct cpci_hp_controller_ops generic_hpc_ops = {
52881+ .query_enum = query_enum,
52882+};
52883+
52884 static int __init cpcihp_generic_init(void)
52885 {
52886 int status;
52887@@ -165,7 +168,6 @@ static int __init cpcihp_generic_init(void)
52888 pci_dev_put(dev);
52889
52890 memset(&generic_hpc, 0, sizeof (struct cpci_hp_controller));
52891- generic_hpc_ops.query_enum = query_enum;
52892 generic_hpc.ops = &generic_hpc_ops;
52893
52894 status = cpci_hp_register_controller(&generic_hpc);
52895diff --git a/drivers/pci/hotplug/cpcihp_zt5550.c b/drivers/pci/hotplug/cpcihp_zt5550.c
52896index 7ecf34e..effed62 100644
52897--- a/drivers/pci/hotplug/cpcihp_zt5550.c
52898+++ b/drivers/pci/hotplug/cpcihp_zt5550.c
52899@@ -59,7 +59,6 @@
52900 /* local variables */
52901 static bool debug;
52902 static bool poll;
52903-static struct cpci_hp_controller_ops zt5550_hpc_ops;
52904 static struct cpci_hp_controller zt5550_hpc;
52905
52906 /* Primary cPCI bus bridge device */
52907@@ -204,6 +203,10 @@ static int zt5550_hc_disable_irq(void)
52908 return 0;
52909 }
52910
52911+static struct cpci_hp_controller_ops zt5550_hpc_ops = {
52912+ .query_enum = zt5550_hc_query_enum,
52913+};
52914+
52915 static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id *ent)
52916 {
52917 int status;
52918@@ -215,16 +218,17 @@ static int zt5550_hc_init_one (struct pci_dev *pdev, const struct pci_device_id
52919 dbg("returned from zt5550_hc_config");
52920
52921 memset(&zt5550_hpc, 0, sizeof (struct cpci_hp_controller));
52922- zt5550_hpc_ops.query_enum = zt5550_hc_query_enum;
52923 zt5550_hpc.ops = &zt5550_hpc_ops;
52924 if (!poll) {
52925 zt5550_hpc.irq = hc_dev->irq;
52926 zt5550_hpc.irq_flags = IRQF_SHARED;
52927 zt5550_hpc.dev_id = hc_dev;
52928
52929- zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq;
52930- zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq;
52931- zt5550_hpc_ops.check_irq = zt5550_hc_check_irq;
52932+ pax_open_kernel();
52933+ *(void **)&zt5550_hpc_ops.enable_irq = zt5550_hc_enable_irq;
52934+ *(void **)&zt5550_hpc_ops.disable_irq = zt5550_hc_disable_irq;
52935+ *(void **)&zt5550_hpc_ops.check_irq = zt5550_hc_check_irq;
52936+ pax_open_kernel();
52937 } else {
52938 info("using ENUM# polling mode");
52939 }
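Review bot: The second `pax_open_kernel();` in the `!poll` branch, right after the `check_irq` assignment, should be `pax_close_kernel();`. As written, the section opened for the `enable_irq`/`disable_irq`/`check_irq` writes is never closed on this path, so whatever protection `pax_open_kernel()` lifts stays lifted when `zt5550_hc_init_one` continues. Every other open/close pair in this patch is balanced, which suggests a copy-paste slip. The function body starts and ends outside the hunk.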
52940diff --git a/drivers/pci/hotplug/cpqphp_nvram.c b/drivers/pci/hotplug/cpqphp_nvram.c
52941index 1e08ff8c..3cd145f 100644
52942--- a/drivers/pci/hotplug/cpqphp_nvram.c
52943+++ b/drivers/pci/hotplug/cpqphp_nvram.c
52944@@ -425,8 +425,10 @@ static u32 store_HRT (void __iomem *rom_start)
52945
52946 void compaq_nvram_init (void __iomem *rom_start)
52947 {
52948+#ifndef CONFIG_PAX_KERNEXEC
52949 if (rom_start)
52950 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
52951+#endif
52952
52953 dbg("int15 entry = %p\n", compaq_int15_entry_point);
52954
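Review bot: With `CONFIG_PAX_KERNEXEC` set, `compaq_int15_entry_point` is never assigned in `compaq_nvram_init`, yet the `dbg("int15 entry = %p\n", ...)` line below still prints it and nothing here records that the value is deliberately left unset. The users of the entry point are outside the hunk, so it is worth confirming that each of them checks for an unset pointer before calling through it. I would add a comment above the `#ifndef`, for example `/* KERNEXEC: the int15 BIOS entry point is deliberately left unset; callers must treat it as unavailable */`.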
52955diff --git a/drivers/pci/hotplug/pci_hotplug_core.c b/drivers/pci/hotplug/pci_hotplug_core.c
52956index 56d8486..f26113f 100644
52957--- a/drivers/pci/hotplug/pci_hotplug_core.c
52958+++ b/drivers/pci/hotplug/pci_hotplug_core.c
52959@@ -436,8 +436,10 @@ int __pci_hp_register(struct hotplug_slot *slot, struct pci_bus *bus,
52960 return -EINVAL;
52961 }
52962
52963- slot->ops->owner = owner;
52964- slot->ops->mod_name = mod_name;
52965+ pax_open_kernel();
52966+ *(struct module **)&slot->ops->owner = owner;
52967+ *(const char **)&slot->ops->mod_name = mod_name;
52968+ pax_close_kernel();
52969
52970 mutex_lock(&pci_hp_mutex);
52971 /*
52972diff --git a/drivers/pci/hotplug/pciehp_core.c b/drivers/pci/hotplug/pciehp_core.c
52973index 612b21a..9494a5e 100644
52974--- a/drivers/pci/hotplug/pciehp_core.c
52975+++ b/drivers/pci/hotplug/pciehp_core.c
52976@@ -87,7 +87,7 @@ static int init_slot(struct controller *ctrl)
52977 struct slot *slot = ctrl->slot;
52978 struct hotplug_slot *hotplug = NULL;
52979 struct hotplug_slot_info *info = NULL;
52980- struct hotplug_slot_ops *ops = NULL;
52981+ hotplug_slot_ops_no_const *ops = NULL;
52982 char name[SLOT_NAME_SIZE];
52983 int retval = -ENOMEM;
52984
52985diff --git a/drivers/pci/msi.c b/drivers/pci/msi.c
52986index f66be86..6cbcabb 100644
52987--- a/drivers/pci/msi.c
52988+++ b/drivers/pci/msi.c
52989@@ -492,8 +492,8 @@ static int populate_msi_sysfs(struct pci_dev *pdev)
52990 {
52991 struct attribute **msi_attrs;
52992 struct attribute *msi_attr;
52993- struct device_attribute *msi_dev_attr;
52994- struct attribute_group *msi_irq_group;
52995+ device_attribute_no_const *msi_dev_attr;
52996+ attribute_group_no_const *msi_irq_group;
52997 const struct attribute_group **msi_irq_groups;
52998 struct msi_desc *entry;
52999 int ret = -ENOMEM;
53000@@ -552,7 +552,7 @@ error_attrs:
53001 count = 0;
53002 msi_attr = msi_attrs[count];
53003 while (msi_attr) {
53004- msi_dev_attr = container_of(msi_attr, struct device_attribute, attr);
53005+ msi_dev_attr = container_of(msi_attr, device_attribute_no_const, attr);
53006 kfree(msi_attr->name);
53007 kfree(msi_dev_attr);
53008 ++count;
53009@@ -1236,12 +1236,14 @@ static void pci_msi_domain_update_dom_ops(struct msi_domain_info *info)
53010 if (ops == NULL) {
53011 info->ops = &pci_msi_domain_ops_default;
53012 } else {
53013+ pax_open_kernel();
53014 if (ops->set_desc == NULL)
53015- ops->set_desc = pci_msi_domain_set_desc;
53016+ *(void **)&ops->set_desc = pci_msi_domain_set_desc;
53017 if (ops->msi_check == NULL)
53018- ops->msi_check = pci_msi_domain_check_cap;
53019+ *(void **)&ops->msi_check = pci_msi_domain_check_cap;
53020 if (ops->handle_error == NULL)
53021- ops->handle_error = pci_msi_domain_handle_error;
53022+ *(void **)&ops->handle_error = pci_msi_domain_handle_error;
53023+ pax_close_kernel();
53024 }
53025 }
53026
53027@@ -1250,8 +1252,11 @@ static void pci_msi_domain_update_chip_ops(struct msi_domain_info *info)
53028 struct irq_chip *chip = info->chip;
53029
53030 BUG_ON(!chip);
53031- if (!chip->irq_write_msi_msg)
53032- chip->irq_write_msi_msg = pci_msi_domain_write_msg;
53033+ if (!chip->irq_write_msi_msg) {
53034+ pax_open_kernel();
53035+ *(void **)&chip->irq_write_msi_msg = pci_msi_domain_write_msg;
53036+ pax_close_kernel();
53037+ }
53038 }
53039
53040 /**
53041diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c
53042index 312f23a..8c8b922 100644
53043--- a/drivers/pci/pci-sysfs.c
53044+++ b/drivers/pci/pci-sysfs.c
53045@@ -216,7 +216,7 @@ static ssize_t numa_node_store(struct device *dev,
53046 if (ret)
53047 return ret;
53048
53049- if (!node_online(node))
53050+ if (node >= MAX_NUMNODES || !node_online(node))
53051 return -EINVAL;
53052
53053 add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK);
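Review bot: The added upper bound in `numa_node_store` still lets a negative `node` reach `node_online()`. The declaration of `node` is outside the hunk; if it is a signed int parsed from the sysfs write, a negative value passes `node >= MAX_NUMNODES` and is then used as an index by the online check. The guard would be complete as `if (node < 0 || node >= MAX_NUMNODES || !node_online(node))`.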
53054@@ -1140,7 +1140,7 @@ static int pci_create_attr(struct pci_dev *pdev, int num, int write_combine)
53055 {
53056 /* allocate attribute structure, piggyback attribute name */
53057 int name_len = write_combine ? 13 : 10;
53058- struct bin_attribute *res_attr;
53059+ bin_attribute_no_const *res_attr;
53060 int retval;
53061
53062 res_attr = kzalloc(sizeof(*res_attr) + name_len, GFP_ATOMIC);
53063@@ -1317,7 +1317,7 @@ static struct device_attribute reset_attr = __ATTR(reset, 0200, NULL, reset_stor
53064 static int pci_create_capabilities_sysfs(struct pci_dev *dev)
53065 {
53066 int retval;
53067- struct bin_attribute *attr;
53068+ bin_attribute_no_const *attr;
53069
53070 /* If the device has VPD, try to expose it in sysfs. */
53071 if (dev->vpd) {
53072@@ -1364,7 +1364,7 @@ int __must_check pci_create_sysfs_dev_files(struct pci_dev *pdev)
53073 {
53074 int retval;
53075 int rom_size = 0;
53076- struct bin_attribute *attr;
53077+ bin_attribute_no_const *attr;
53078
53079 if (!sysfs_initialized)
53080 return -EACCES;
53081diff --git a/drivers/pci/pci.h b/drivers/pci/pci.h
53082index 4ff0ff1..e309fb0 100644
53083--- a/drivers/pci/pci.h
53084+++ b/drivers/pci/pci.h
53085@@ -99,7 +99,7 @@ struct pci_vpd_ops {
53086 struct pci_vpd {
53087 unsigned int len;
53088 const struct pci_vpd_ops *ops;
53089- struct bin_attribute *attr; /* descriptor for sysfs VPD entry */
53090+ bin_attribute_no_const *attr; /* descriptor for sysfs VPD entry */
53091 };
53092
53093 int pci_vpd_pci22_init(struct pci_dev *dev);
53094diff --git a/drivers/pci/pcie/aspm.c b/drivers/pci/pcie/aspm.c
53095index 317e355..21f7b91 100644
53096--- a/drivers/pci/pcie/aspm.c
53097+++ b/drivers/pci/pcie/aspm.c
53098@@ -27,9 +27,9 @@
53099 #define MODULE_PARAM_PREFIX "pcie_aspm."
53100
53101 /* Note: those are not register definitions */
53102-#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
53103-#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
53104-#define ASPM_STATE_L1 (4) /* L1 state */
53105+#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
53106+#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
53107+#define ASPM_STATE_L1 (4U) /* L1 state */
53108 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
53109 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
53110
53111diff --git a/drivers/pci/pcie/portdrv_pci.c b/drivers/pci/pcie/portdrv_pci.c
53112index be35da2..ec16cdb 100644
53113--- a/drivers/pci/pcie/portdrv_pci.c
53114+++ b/drivers/pci/pcie/portdrv_pci.c
53115@@ -324,7 +324,7 @@ static int __init dmi_pcie_pme_disable_msi(const struct dmi_system_id *d)
53116 return 0;
53117 }
53118
53119-static struct dmi_system_id __initdata pcie_portdrv_dmi_table[] = {
53120+static const struct dmi_system_id __initconst pcie_portdrv_dmi_table[] = {
53121 /*
53122 * Boxes that should not use MSI for PCIe PME signaling.
53123 */
53124diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
53125index f6ae0d0..af897bc 100644
53126--- a/drivers/pci/probe.c
53127+++ b/drivers/pci/probe.c
53128@@ -176,7 +176,7 @@ int __pci_read_base(struct pci_dev *dev, enum pci_bar_type type,
53129 u16 orig_cmd;
53130 struct pci_bus_region region, inverted_region;
53131
53132- mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
53133+ mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
53134
53135 /* No printks while decoding is disabled! */
53136 if (!dev->mmio_always_on) {
53137diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c
53138index 3f155e7..0f4b1f0 100644
53139--- a/drivers/pci/proc.c
53140+++ b/drivers/pci/proc.c
53141@@ -434,7 +434,16 @@ static const struct file_operations proc_bus_pci_dev_operations = {
53142 static int __init pci_proc_init(void)
53143 {
53144 struct pci_dev *dev = NULL;
53145+
53146+#ifdef CONFIG_GRKERNSEC_PROC_ADD
53147+#ifdef CONFIG_GRKERNSEC_PROC_USER
53148+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
53149+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
53150+ proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
53151+#endif
53152+#else
53153 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
53154+#endif
53155 proc_create("devices", 0, proc_bus_pci_dir,
53156 &proc_bus_pci_dev_operations);
53157 proc_initialized = 1;
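Review bot: When `CONFIG_GRKERNSEC_PROC_ADD` is defined but neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP` is, no branch assigns `proc_bus_pci_dir`, and the following `proc_create("devices", 0, proc_bus_pci_dir, ...)` runs with it unset. Kconfig may make that combination impossible, but the preprocessor block does not show it. Ending the inner conditional with `#else` / `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);` / `#endif` makes the fallback explicit. Separately, none of the branches checks the return value of the mkdir call before using it as the parent.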
53158diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c
53159index 2deb130..8194e13 100644
53160--- a/drivers/pinctrl/pinctrl-at91.c
53161+++ b/drivers/pinctrl/pinctrl-at91.c
53162@@ -24,6 +24,7 @@
53163 #include <linux/pinctrl/pinmux.h>
53164 /* Since we request GPIOs from ourself */
53165 #include <linux/pinctrl/consumer.h>
53166+#include <asm/pgtable.h>
53167
53168 #include "pinctrl-at91.h"
53169 #include "core.h"
53170@@ -1656,7 +1657,9 @@ static int at91_gpio_of_irq_setup(struct platform_device *pdev,
53171 at91_gpio->pioc_hwirq = irqd_to_hwirq(d);
53172
53173 /* Setup proper .irq_set_type function */
53174- gpio_irqchip.irq_set_type = at91_gpio->ops->irq_type;
53175+ pax_open_kernel();
53176+ *(void **)&gpio_irqchip.irq_set_type = at91_gpio->ops->irq_type;
53177+ pax_close_kernel();
53178
53179 /* Disable irqs of this PIO controller */
53180 writel_relaxed(~0, at91_gpio->regbase + PIO_IDR);
53181diff --git a/drivers/platform/chrome/chromeos_pstore.c b/drivers/platform/chrome/chromeos_pstore.c
53182index 3474920..acc9581 100644
53183--- a/drivers/platform/chrome/chromeos_pstore.c
53184+++ b/drivers/platform/chrome/chromeos_pstore.c
53185@@ -13,7 +13,7 @@
53186 #include <linux/platform_device.h>
53187 #include <linux/pstore_ram.h>
53188
53189-static struct dmi_system_id chromeos_pstore_dmi_table[] __initdata = {
53190+static const struct dmi_system_id chromeos_pstore_dmi_table[] __initconst = {
53191 {
53192 /*
53193 * Today all Chromebooks/boxes ship with Google_* as version and
53194diff --git a/drivers/platform/x86/alienware-wmi.c b/drivers/platform/x86/alienware-wmi.c
53195index 1e1e594..8fe59c5 100644
53196--- a/drivers/platform/x86/alienware-wmi.c
53197+++ b/drivers/platform/x86/alienware-wmi.c
53198@@ -150,7 +150,7 @@ struct wmax_led_args {
53199 } __packed;
53200
53201 static struct platform_device *platform_device;
53202-static struct device_attribute *zone_dev_attrs;
53203+static device_attribute_no_const *zone_dev_attrs;
53204 static struct attribute **zone_attrs;
53205 static struct platform_zone *zone_data;
53206
53207@@ -160,7 +160,7 @@ static struct platform_driver platform_driver = {
53208 }
53209 };
53210
53211-static struct attribute_group zone_attribute_group = {
53212+static attribute_group_no_const zone_attribute_group = {
53213 .name = "rgb_zones",
53214 };
53215
53216diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c
53217index efbc3f0..18ae682 100644
53218--- a/drivers/platform/x86/asus-wmi.c
53219+++ b/drivers/platform/x86/asus-wmi.c
53220@@ -1868,6 +1868,10 @@ static int show_dsts(struct seq_file *m, void *data)
53221 int err;
53222 u32 retval = -1;
53223
53224+#ifdef CONFIG_GRKERNSEC_KMEM
53225+ return -EPERM;
53226+#endif
53227+
53228 err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval);
53229
53230 if (err < 0)
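Review bot: The unconditional `return -EPERM;` under `CONFIG_GRKERNSEC_KMEM` in `show_dsts` has no comment saying why the handler is refused, and it leaves the rest of the body as dead code in that configuration. The same applies to `show_devs` and `show_call` in the next two hunks. These handlers pass `asus->debug.dev_id`, `ctrl_param` and `method_id` straight into WMI calls, which is presumably the reason. I would state it once, e.g. `/* debug handlers issue WMI calls with caller-chosen ids; refused under GRKERNSEC_KMEM */`, and consider putting the remaining body under `#else` so the disabled path is obvious to readers and to static analysis.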
53231@@ -1884,6 +1888,10 @@ static int show_devs(struct seq_file *m, void *data)
53232 int err;
53233 u32 retval = -1;
53234
53235+#ifdef CONFIG_GRKERNSEC_KMEM
53236+ return -EPERM;
53237+#endif
53238+
53239 err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param,
53240 &retval);
53241
53242@@ -1908,6 +1916,10 @@ static int show_call(struct seq_file *m, void *data)
53243 union acpi_object *obj;
53244 acpi_status status;
53245
53246+#ifdef CONFIG_GRKERNSEC_KMEM
53247+ return -EPERM;
53248+#endif
53249+
53250 status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID,
53251 1, asus->debug.method_id,
53252 &input, &output);
53253diff --git a/drivers/platform/x86/compal-laptop.c b/drivers/platform/x86/compal-laptop.c
53254index f2706d2..850edfa4 100644
53255--- a/drivers/platform/x86/compal-laptop.c
53256+++ b/drivers/platform/x86/compal-laptop.c
53257@@ -765,7 +765,7 @@ static int dmi_check_cb_extra(const struct dmi_system_id *id)
53258 return 1;
53259 }
53260
53261-static struct dmi_system_id __initdata compal_dmi_table[] = {
53262+static const struct dmi_system_id __initconst compal_dmi_table[] = {
53263 {
53264 .ident = "FL90/IFL90",
53265 .matches = {
53266diff --git a/drivers/platform/x86/hdaps.c b/drivers/platform/x86/hdaps.c
53267index 458e6c9..089aee7 100644
53268--- a/drivers/platform/x86/hdaps.c
53269+++ b/drivers/platform/x86/hdaps.c
53270@@ -514,7 +514,7 @@ static int __init hdaps_dmi_match_invert(const struct dmi_system_id *id)
53271 "ThinkPad T42p", so the order of the entries matters.
53272 If your ThinkPad is not recognized, please update to latest
53273 BIOS. This is especially the case for some R52 ThinkPads. */
53274-static struct dmi_system_id __initdata hdaps_whitelist[] = {
53275+static const struct dmi_system_id __initconst hdaps_whitelist[] = {
53276 HDAPS_DMI_MATCH_INVERT("IBM", "ThinkPad R50p", HDAPS_BOTH_AXES),
53277 HDAPS_DMI_MATCH_NORMAL("IBM", "ThinkPad R50"),
53278 HDAPS_DMI_MATCH_NORMAL("IBM", "ThinkPad R51"),
53279diff --git a/drivers/platform/x86/ibm_rtl.c b/drivers/platform/x86/ibm_rtl.c
53280index 97c2be1..2ee50ce 100644
53281--- a/drivers/platform/x86/ibm_rtl.c
53282+++ b/drivers/platform/x86/ibm_rtl.c
53283@@ -227,7 +227,7 @@ static void rtl_teardown_sysfs(void) {
53284 }
53285
53286
53287-static struct dmi_system_id __initdata ibm_rtl_dmi_table[] = {
53288+static const struct dmi_system_id __initconst ibm_rtl_dmi_table[] = {
53289 { \
53290 .matches = { \
53291 DMI_MATCH(DMI_SYS_VENDOR, "IBM"), \
53292diff --git a/drivers/platform/x86/intel_oaktrail.c b/drivers/platform/x86/intel_oaktrail.c
53293index 6aa33c4..cfb5425 100644
53294--- a/drivers/platform/x86/intel_oaktrail.c
53295+++ b/drivers/platform/x86/intel_oaktrail.c
53296@@ -299,7 +299,7 @@ static int dmi_check_cb(const struct dmi_system_id *id)
53297 return 0;
53298 }
53299
53300-static struct dmi_system_id __initdata oaktrail_dmi_table[] = {
53301+static const struct dmi_system_id __initconst oaktrail_dmi_table[] = {
53302 {
53303 .ident = "OakTrail platform",
53304 .matches = {
53305diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
53306index 4231770..10a6caf 100644
53307--- a/drivers/platform/x86/msi-laptop.c
53308+++ b/drivers/platform/x86/msi-laptop.c
53309@@ -605,7 +605,7 @@ static int dmi_check_cb(const struct dmi_system_id *dmi)
53310 return 1;
53311 }
53312
53313-static struct dmi_system_id __initdata msi_dmi_table[] = {
53314+static const struct dmi_system_id __initconst msi_dmi_table[] = {
53315 {
53316 .ident = "MSI S270",
53317 .matches = {
53318@@ -1000,12 +1000,14 @@ static int __init load_scm_model_init(struct platform_device *sdev)
53319
53320 if (!quirks->ec_read_only) {
53321 /* allow userland write sysfs file */
53322- dev_attr_bluetooth.store = store_bluetooth;
53323- dev_attr_wlan.store = store_wlan;
53324- dev_attr_threeg.store = store_threeg;
53325- dev_attr_bluetooth.attr.mode |= S_IWUSR;
53326- dev_attr_wlan.attr.mode |= S_IWUSR;
53327- dev_attr_threeg.attr.mode |= S_IWUSR;
53328+ pax_open_kernel();
53329+ *(void **)&dev_attr_bluetooth.store = store_bluetooth;
53330+ *(void **)&dev_attr_wlan.store = store_wlan;
53331+ *(void **)&dev_attr_threeg.store = store_threeg;
53332+ *(umode_t *)&dev_attr_bluetooth.attr.mode |= S_IWUSR;
53333+ *(umode_t *)&dev_attr_wlan.attr.mode |= S_IWUSR;
53334+ *(umode_t *)&dev_attr_threeg.attr.mode |= S_IWUSR;
53335+ pax_close_kernel();
53336 }
53337
53338 /* disable hardware control by fn key */
53339diff --git a/drivers/platform/x86/msi-wmi.c b/drivers/platform/x86/msi-wmi.c
53340index 978e6d6..1f0b37d 100644
53341--- a/drivers/platform/x86/msi-wmi.c
53342+++ b/drivers/platform/x86/msi-wmi.c
53343@@ -184,7 +184,7 @@ static const struct backlight_ops msi_backlight_ops = {
53344 static void msi_wmi_notify(u32 value, void *context)
53345 {
53346 struct acpi_buffer response = { ACPI_ALLOCATE_BUFFER, NULL };
53347- static struct key_entry *key;
53348+ struct key_entry *key;
53349 union acpi_object *obj;
53350 acpi_status status;
53351
53352diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
53353index 8c146e2..356c62e 100644
53354--- a/drivers/platform/x86/samsung-laptop.c
53355+++ b/drivers/platform/x86/samsung-laptop.c
53356@@ -1567,7 +1567,7 @@ static int __init samsung_dmi_matched(const struct dmi_system_id *d)
53357 return 0;
53358 }
53359
53360-static struct dmi_system_id __initdata samsung_dmi_table[] = {
53361+static const struct dmi_system_id __initconst samsung_dmi_table[] = {
53362 {
53363 .matches = {
53364 DMI_MATCH(DMI_SYS_VENDOR,
53365diff --git a/drivers/platform/x86/samsung-q10.c b/drivers/platform/x86/samsung-q10.c
53366index e6aac72..e11ff24 100644
53367--- a/drivers/platform/x86/samsung-q10.c
53368+++ b/drivers/platform/x86/samsung-q10.c
53369@@ -95,7 +95,7 @@ static int __init dmi_check_callback(const struct dmi_system_id *id)
53370 return 1;
53371 }
53372
53373-static struct dmi_system_id __initdata samsungq10_dmi_table[] = {
53374+static const struct dmi_system_id __initconst samsungq10_dmi_table[] = {
53375 {
53376 .ident = "Samsung Q10",
53377 .matches = {
53378diff --git a/drivers/platform/x86/sony-laptop.c b/drivers/platform/x86/sony-laptop.c
53379index aeb80d1..3eb376b 100644
53380--- a/drivers/platform/x86/sony-laptop.c
53381+++ b/drivers/platform/x86/sony-laptop.c
53382@@ -2527,7 +2527,7 @@ static void sony_nc_gfx_switch_cleanup(struct platform_device *pd)
53383 }
53384
53385 /* High speed charging function */
53386-static struct device_attribute *hsc_handle;
53387+static device_attribute_no_const *hsc_handle;
53388
53389 static ssize_t sony_nc_highspeed_charging_store(struct device *dev,
53390 struct device_attribute *attr,
53391@@ -2601,7 +2601,7 @@ static void sony_nc_highspeed_charging_cleanup(struct platform_device *pd)
53392 }
53393
53394 /* low battery function */
53395-static struct device_attribute *lowbatt_handle;
53396+static device_attribute_no_const *lowbatt_handle;
53397
53398 static ssize_t sony_nc_lowbatt_store(struct device *dev,
53399 struct device_attribute *attr,
53400@@ -2667,7 +2667,7 @@ static void sony_nc_lowbatt_cleanup(struct platform_device *pd)
53401 }
53402
53403 /* fan speed function */
53404-static struct device_attribute *fan_handle, *hsf_handle;
53405+static device_attribute_no_const *fan_handle, *hsf_handle;
53406
53407 static ssize_t sony_nc_hsfan_store(struct device *dev,
53408 struct device_attribute *attr,
53409@@ -2774,7 +2774,7 @@ static void sony_nc_fanspeed_cleanup(struct platform_device *pd)
53410 }
53411
53412 /* USB charge function */
53413-static struct device_attribute *uc_handle;
53414+static device_attribute_no_const *uc_handle;
53415
53416 static ssize_t sony_nc_usb_charge_store(struct device *dev,
53417 struct device_attribute *attr,
53418@@ -2848,7 +2848,7 @@ static void sony_nc_usb_charge_cleanup(struct platform_device *pd)
53419 }
53420
53421 /* Panel ID function */
53422-static struct device_attribute *panel_handle;
53423+static device_attribute_no_const *panel_handle;
53424
53425 static ssize_t sony_nc_panelid_show(struct device *dev,
53426 struct device_attribute *attr, char *buffer)
53427@@ -2895,7 +2895,7 @@ static void sony_nc_panelid_cleanup(struct platform_device *pd)
53428 }
53429
53430 /* smart connect function */
53431-static struct device_attribute *sc_handle;
53432+static device_attribute_no_const *sc_handle;
53433
53434 static ssize_t sony_nc_smart_conn_store(struct device *dev,
53435 struct device_attribute *attr,
53436@@ -4851,7 +4851,7 @@ static struct acpi_driver sony_pic_driver = {
53437 .drv.pm = &sony_pic_pm,
53438 };
53439
53440-static struct dmi_system_id __initdata sonypi_dmi_table[] = {
53441+static const struct dmi_system_id __initconst sonypi_dmi_table[] = {
53442 {
53443 .ident = "Sony Vaio",
53444 .matches = {
53445diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c
53446index 33e488c..417aaea 100644
53447--- a/drivers/platform/x86/thinkpad_acpi.c
53448+++ b/drivers/platform/x86/thinkpad_acpi.c
53449@@ -2460,10 +2460,10 @@ static void hotkey_compare_and_issue_event(struct tp_nvram_state *oldn,
53450 && !tp_features.bright_unkfw)
53451 TPACPI_MAY_SEND_KEY(TP_ACPI_HOTKEYSCAN_FNHOME);
53452 }
53453+}
53454
53455 #undef TPACPI_COMPARE_KEY
53456 #undef TPACPI_MAY_SEND_KEY
53457-}
53458
53459 /*
53460 * Polling driver
53461diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c
53462index 438d4c7..ca8a2fb 100644
53463--- a/drivers/pnp/pnpbios/bioscalls.c
53464+++ b/drivers/pnp/pnpbios/bioscalls.c
53465@@ -59,7 +59,7 @@ do { \
53466 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
53467 } while(0)
53468
53469-static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
53470+static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
53471 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
53472
53473 /*
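Review bot: The descriptor flags for `bad_bios_desc` change from `0x4092` to `0x4093` without a comment, and the reason cannot be recovered from the hunk. The low bit of the access byte is the accessed bit; presetting it presumably stops the CPU from writing that bit back into a GDT that this patch otherwise only modifies inside `pax_open_kernel()` sections. I would document that above the definition, e.g. `/* accessed bit preset so loading the selector does not write to the GDT */`.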
53474@@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func, u16 arg1, u16 arg2, u16 arg3,
53475
53476 cpu = get_cpu();
53477 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
53478+
53479+ pax_open_kernel();
53480 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
53481+ pax_close_kernel();
53482
53483 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
53484 spin_lock_irqsave(&pnp_bios_lock, flags);
53485@@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func, u16 arg1, u16 arg2, u16 arg3,
53486 :"memory");
53487 spin_unlock_irqrestore(&pnp_bios_lock, flags);
53488
53489+ pax_open_kernel();
53490 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
53491+ pax_close_kernel();
53492+
53493 put_cpu();
53494
53495 /* If we get here and this is set then the PnP BIOS faulted on us. */
53496@@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 nvram_base)
53497 return status;
53498 }
53499
53500-void pnpbios_calls_init(union pnp_bios_install_struct *header)
53501+void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
53502 {
53503 int i;
53504
53505@@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_install_struct *header)
53506 pnp_bios_callpoint.offset = header->fields.pm16offset;
53507 pnp_bios_callpoint.segment = PNP_CS16;
53508
53509+ pax_open_kernel();
53510+
53511 for_each_possible_cpu(i) {
53512 struct desc_struct *gdt = get_cpu_gdt_table(i);
53513 if (!gdt)
53514@@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_install_struct *header)
53515 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
53516 (unsigned long)__va(header->fields.pm16dseg));
53517 }
53518+
53519+ pax_close_kernel();
53520 }
53521diff --git a/drivers/pnp/pnpbios/core.c b/drivers/pnp/pnpbios/core.c
53522index facd43b..b291260 100644
53523--- a/drivers/pnp/pnpbios/core.c
53524+++ b/drivers/pnp/pnpbios/core.c
53525@@ -494,7 +494,7 @@ static int __init exploding_pnp_bios(const struct dmi_system_id *d)
53526 return 0;
53527 }
53528
53529-static struct dmi_system_id pnpbios_dmi_table[] __initdata = {
53530+static const struct dmi_system_id pnpbios_dmi_table[] __initconst = {
53531 { /* PnPBIOS GPF on boot */
53532 .callback = exploding_pnp_bios,
53533 .ident = "Higraded P14H",
53534diff --git a/drivers/power/pda_power.c b/drivers/power/pda_power.c
53535index dfe1ee8..67e820c 100644
53536--- a/drivers/power/pda_power.c
53537+++ b/drivers/power/pda_power.c
53538@@ -38,7 +38,11 @@ static struct power_supply *pda_psy_ac, *pda_psy_usb;
53539
53540 #if IS_ENABLED(CONFIG_USB_PHY)
53541 static struct usb_phy *transceiver;
53542-static struct notifier_block otg_nb;
53543+static int otg_handle_notification(struct notifier_block *nb,
53544+ unsigned long event, void *unused);
53545+static struct notifier_block otg_nb = {
53546+ .notifier_call = otg_handle_notification
53547+};
53548 #endif
53549
53550 static struct regulator *ac_draw;
53551@@ -373,7 +377,6 @@ static int pda_power_probe(struct platform_device *pdev)
53552
53553 #if IS_ENABLED(CONFIG_USB_PHY)
53554 if (!IS_ERR_OR_NULL(transceiver) && pdata->use_otg_notifier) {
53555- otg_nb.notifier_call = otg_handle_notification;
53556 ret = usb_register_notifier(transceiver, &otg_nb);
53557 if (ret) {
53558 dev_err(dev, "failure to register otg notifier\n");
53559diff --git a/drivers/power/power_supply.h b/drivers/power/power_supply.h
53560index cc439fd..8fa30df 100644
53561--- a/drivers/power/power_supply.h
53562+++ b/drivers/power/power_supply.h
53563@@ -16,12 +16,12 @@ struct power_supply;
53564
53565 #ifdef CONFIG_SYSFS
53566
53567-extern void power_supply_init_attrs(struct device_type *dev_type);
53568+extern void power_supply_init_attrs(void);
53569 extern int power_supply_uevent(struct device *dev, struct kobj_uevent_env *env);
53570
53571 #else
53572
53573-static inline void power_supply_init_attrs(struct device_type *dev_type) {}
53574+static inline void power_supply_init_attrs(void) {}
53575 #define power_supply_uevent NULL
53576
53577 #endif /* CONFIG_SYSFS */
53578diff --git a/drivers/power/power_supply_core.c b/drivers/power/power_supply_core.c
53579index 869284c..38a812b 100644
53580--- a/drivers/power/power_supply_core.c
53581+++ b/drivers/power/power_supply_core.c
53582@@ -28,7 +28,10 @@ EXPORT_SYMBOL_GPL(power_supply_class);
53583 ATOMIC_NOTIFIER_HEAD(power_supply_notifier);
53584 EXPORT_SYMBOL_GPL(power_supply_notifier);
53585
53586-static struct device_type power_supply_dev_type;
53587+extern const struct attribute_group *power_supply_attr_groups[];
53588+static struct device_type power_supply_dev_type = {
53589+ .groups = power_supply_attr_groups,
53590+};
53591
53592 #define POWER_SUPPLY_DEFERRED_REGISTER_TIME msecs_to_jiffies(10)
53593
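Review bot: The `extern const struct attribute_group *power_supply_attr_groups[];` declaration belongs in `power_supply.h`, not in `power_supply_core.c`, so that the definition in `power_supply_sysfs.c` is type-checked against it. There is also a configuration concern: `power_supply.h` keeps an inline stub of `power_supply_init_attrs` for the `!CONFIG_SYSFS` case, which suggests `power_supply_sysfs.c` is not built then. If so, the new static initializer `.groups = power_supply_attr_groups` would reference an undefined symbol in that configuration. Guarding the initializer with `#ifdef CONFIG_SYSFS`, or declaring the array in the header under the same conditional, would keep both builds working.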
53594@@ -960,7 +963,7 @@ static int __init power_supply_class_init(void)
53595 return PTR_ERR(power_supply_class);
53596
53597 power_supply_class->dev_uevent = power_supply_uevent;
53598- power_supply_init_attrs(&power_supply_dev_type);
53599+ power_supply_init_attrs();
53600
53601 return 0;
53602 }
53603diff --git a/drivers/power/power_supply_sysfs.c b/drivers/power/power_supply_sysfs.c
53604index ed2d7fd..266b28f 100644
53605--- a/drivers/power/power_supply_sysfs.c
53606+++ b/drivers/power/power_supply_sysfs.c
53607@@ -238,17 +238,15 @@ static struct attribute_group power_supply_attr_group = {
53608 .is_visible = power_supply_attr_is_visible,
53609 };
53610
53611-static const struct attribute_group *power_supply_attr_groups[] = {
53612+const struct attribute_group *power_supply_attr_groups[] = {
53613 &power_supply_attr_group,
53614 NULL,
53615 };
53616
53617-void power_supply_init_attrs(struct device_type *dev_type)
53618+void power_supply_init_attrs(void)
53619 {
53620 int i;
53621
53622- dev_type->groups = power_supply_attr_groups;
53623-
53624 for (i = 0; i < ARRAY_SIZE(power_supply_attrs); i++)
53625 __power_supply_attrs[i] = &power_supply_attrs[i].attr;
53626 }
53627diff --git a/drivers/power/reset/at91-reset.c b/drivers/power/reset/at91-reset.c
53628index 36dc52f..e2e8a4b 100644
53629--- a/drivers/power/reset/at91-reset.c
53630+++ b/drivers/power/reset/at91-reset.c
53631@@ -16,6 +16,7 @@
53632 #include <linux/of_address.h>
53633 #include <linux/platform_device.h>
53634 #include <linux/reboot.h>
53635+#include <asm/pgtable.h>
53636
53637 #include <soc/at91/at91sam9_ddrsdr.h>
53638 #include <soc/at91/at91sam9_sdramc.h>
53639@@ -191,7 +192,9 @@ static int at91_reset_of_probe(struct platform_device *pdev)
53640 }
53641
53642 match = of_match_node(at91_reset_of_match, pdev->dev.of_node);
53643- at91_restart_nb.notifier_call = match->data;
53644+ pax_open_kernel();
53645+ *(void **)&at91_restart_nb.notifier_call = match->data;
53646+ pax_close_kernel();
53647 return register_restart_handler(&at91_restart_nb);
53648 }
53649
53650@@ -219,9 +222,11 @@ static int at91_reset_platform_probe(struct platform_device *pdev)
53651 }
53652
53653 match = platform_get_device_id(pdev);
53654- at91_restart_nb.notifier_call =
53655+ pax_open_kernel();
53656+ *(void **)&at91_restart_nb.notifier_call =
53657 (int (*)(struct notifier_block *,
53658 unsigned long, void *)) match->driver_data;
53659+ pax_close_kernel();
53660
53661 return register_restart_handler(&at91_restart_nb);
53662 }
53663diff --git a/drivers/powercap/powercap_sys.c b/drivers/powercap/powercap_sys.c
53664index 84419af..268ede8 100644
53665--- a/drivers/powercap/powercap_sys.c
53666+++ b/drivers/powercap/powercap_sys.c
53667@@ -154,8 +154,77 @@ struct powercap_constraint_attr {
53668 struct device_attribute name_attr;
53669 };
53670
53671+static ssize_t show_constraint_name(struct device *dev,
53672+ struct device_attribute *dev_attr,
53673+ char *buf);
53674+
53675 static struct powercap_constraint_attr
53676- constraint_attrs[MAX_CONSTRAINTS_PER_ZONE];
53677+ constraint_attrs[MAX_CONSTRAINTS_PER_ZONE] = {
53678+ [0 ... MAX_CONSTRAINTS_PER_ZONE - 1] = {
53679+ .power_limit_attr = {
53680+ .attr = {
53681+ .name = NULL,
53682+ .mode = S_IWUSR | S_IRUGO
53683+ },
53684+ .show = show_constraint_power_limit_uw,
53685+ .store = store_constraint_power_limit_uw
53686+ },
53687+
53688+ .time_window_attr = {
53689+ .attr = {
53690+ .name = NULL,
53691+ .mode = S_IWUSR | S_IRUGO
53692+ },
53693+ .show = show_constraint_time_window_us,
53694+ .store = store_constraint_time_window_us
53695+ },
53696+
53697+ .max_power_attr = {
53698+ .attr = {
53699+ .name = NULL,
53700+ .mode = S_IRUGO
53701+ },
53702+ .show = show_constraint_max_power_uw,
53703+ .store = NULL
53704+ },
53705+
53706+ .min_power_attr = {
53707+ .attr = {
53708+ .name = NULL,
53709+ .mode = S_IRUGO
53710+ },
53711+ .show = show_constraint_min_power_uw,
53712+ .store = NULL
53713+ },
53714+
53715+ .max_time_window_attr = {
53716+ .attr = {
53717+ .name = NULL,
53718+ .mode = S_IRUGO
53719+ },
53720+ .show = show_constraint_max_time_window_us,
53721+ .store = NULL
53722+ },
53723+
53724+ .min_time_window_attr = {
53725+ .attr = {
53726+ .name = NULL,
53727+ .mode = S_IRUGO
53728+ },
53729+ .show = show_constraint_min_time_window_us,
53730+ .store = NULL
53731+ },
53732+
53733+ .name_attr = {
53734+ .attr = {
53735+ .name = NULL,
53736+ .mode = S_IRUGO
53737+ },
53738+ .show = show_constraint_name,
53739+ .store = NULL
53740+ }
53741+ }
53742+};
53743
53744 /* A list of powercap control_types */
53745 static LIST_HEAD(powercap_cntrl_list);
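Review bot: The new static initializer for `constraint_attrs` has no comment explaining why the callbacks and modes moved from runtime setup to build time, and that is the one thing a reader needs to know before touching this table. A header comment such as `/* show/store and mode are fixed at build time; only .attr.name is filled in later by create_constraint_attribute() */` would record it. The explicit `.name = NULL` and `.store = NULL` entries are redundant in a designated initializer and could be dropped to shorten the table.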
53746@@ -193,23 +262,16 @@ static ssize_t show_constraint_name(struct device *dev,
53747 }
53748
53749 static int create_constraint_attribute(int id, const char *name,
53750- int mode,
53751- struct device_attribute *dev_attr,
53752- ssize_t (*show)(struct device *,
53753- struct device_attribute *, char *),
53754- ssize_t (*store)(struct device *,
53755- struct device_attribute *,
53756- const char *, size_t)
53757- )
53758+ struct device_attribute *dev_attr)
53759 {
53760+ name = kasprintf(GFP_KERNEL, "constraint_%d_%s", id, name);
53761
53762- dev_attr->attr.name = kasprintf(GFP_KERNEL, "constraint_%d_%s",
53763- id, name);
53764- if (!dev_attr->attr.name)
53765+ if (!name)
53766 return -ENOMEM;
53767- dev_attr->attr.mode = mode;
53768- dev_attr->show = show;
53769- dev_attr->store = store;
53770+
53771+ pax_open_kernel();
53772+ *(const char **)&dev_attr->attr.name = name;
53773+ pax_close_kernel();
53774
53775 return 0;
53776 }
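Review bot: Reusing the `name` parameter to hold the `kasprintf()` result makes the same identifier both the borrowed suffix and the owned heap string, which obscures who has to free what. A separate local keeps the two apart: `char *attr_name = kasprintf(GFP_KERNEL, "constraint_%d_%s", id, name);`, followed by the NULL check and the store `*(const char **)&dev_attr->attr.name = attr_name;` inside the open/close pair. A one-line comment that the allocated string is released by the caller's error and cleanup path would also help, since that path is not visible in this hunk.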
53777@@ -236,49 +298,31 @@ static int seed_constraint_attributes(void)
53778
53779 for (i = 0; i < MAX_CONSTRAINTS_PER_ZONE; ++i) {
53780 ret = create_constraint_attribute(i, "power_limit_uw",
53781- S_IWUSR | S_IRUGO,
53782- &constraint_attrs[i].power_limit_attr,
53783- show_constraint_power_limit_uw,
53784- store_constraint_power_limit_uw);
53785+ &constraint_attrs[i].power_limit_attr);
53786 if (ret)
53787 goto err_alloc;
53788 ret = create_constraint_attribute(i, "time_window_us",
53789- S_IWUSR | S_IRUGO,
53790- &constraint_attrs[i].time_window_attr,
53791- show_constraint_time_window_us,
53792- store_constraint_time_window_us);
53793+ &constraint_attrs[i].time_window_attr);
53794 if (ret)
53795 goto err_alloc;
53796- ret = create_constraint_attribute(i, "name", S_IRUGO,
53797- &constraint_attrs[i].name_attr,
53798- show_constraint_name,
53799- NULL);
53800+ ret = create_constraint_attribute(i, "name",
53801+ &constraint_attrs[i].name_attr);
53802 if (ret)
53803 goto err_alloc;
53804- ret = create_constraint_attribute(i, "max_power_uw", S_IRUGO,
53805- &constraint_attrs[i].max_power_attr,
53806- show_constraint_max_power_uw,
53807- NULL);
53808+ ret = create_constraint_attribute(i, "max_power_uw",
53809+ &constraint_attrs[i].max_power_attr);
53810 if (ret)
53811 goto err_alloc;
53812- ret = create_constraint_attribute(i, "min_power_uw", S_IRUGO,
53813- &constraint_attrs[i].min_power_attr,
53814- show_constraint_min_power_uw,
53815- NULL);
53816+ ret = create_constraint_attribute(i, "min_power_uw",
53817+ &constraint_attrs[i].min_power_attr);
53818 if (ret)
53819 goto err_alloc;
53820 ret = create_constraint_attribute(i, "max_time_window_us",
53821- S_IRUGO,
53822- &constraint_attrs[i].max_time_window_attr,
53823- show_constraint_max_time_window_us,
53824- NULL);
53825+ &constraint_attrs[i].max_time_window_attr);
53826 if (ret)
53827 goto err_alloc;
53828 ret = create_constraint_attribute(i, "min_time_window_us",
53829- S_IRUGO,
53830- &constraint_attrs[i].min_time_window_attr,
53831- show_constraint_min_time_window_us,
53832- NULL);
53833+ &constraint_attrs[i].min_time_window_attr);
53834 if (ret)
53835 goto err_alloc;
53836
53837@@ -378,10 +422,12 @@ static void create_power_zone_common_attributes(
53838 power_zone->zone_dev_attrs[count++] =
53839 &dev_attr_max_energy_range_uj.attr;
53840 if (power_zone->ops->get_energy_uj) {
53841+ pax_open_kernel();
53842 if (power_zone->ops->reset_energy_uj)
53843- dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUGO;
53844+ *(umode_t *)&dev_attr_energy_uj.attr.mode = S_IWUSR | S_IRUGO;
53845 else
53846- dev_attr_energy_uj.attr.mode = S_IRUGO;
53847+ *(umode_t *)&dev_attr_energy_uj.attr.mode = S_IRUGO;
53848+ pax_close_kernel();
53849 power_zone->zone_dev_attrs[count++] =
53850 &dev_attr_energy_uj.attr;
53851 }
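Review bot: The `pax_open_kernel()` window here wraps a whole `if`/`else`, including the load of `power_zone->ops->reset_energy_uj`, although only one store needs it. Pick the value first with `umode_t mode = power_zone->ops->reset_energy_uj ? (S_IWUSR | S_IRUGO) : S_IRUGO;` and then keep just `*(umode_t *)&dev_attr_energy_uj.attr.mode = mode;` between the open and close calls. That keeps the window to a single statement and removes the duplicated cast. The enclosing function starts and ends outside this hunk.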
53852diff --git a/drivers/ptp/ptp_private.h b/drivers/ptp/ptp_private.h
53853index 9c5d414..c7900ce 100644
53854--- a/drivers/ptp/ptp_private.h
53855+++ b/drivers/ptp/ptp_private.h
53856@@ -51,7 +51,7 @@ struct ptp_clock {
53857 struct mutex pincfg_mux; /* protect concurrent info->pin_config access */
53858 wait_queue_head_t tsev_wq;
53859 int defunct; /* tells readers to go away when clock is being removed */
53860- struct device_attribute *pin_dev_attr;
53861+ device_attribute_no_const *pin_dev_attr;
53862 struct attribute **pin_attr;
53863 struct attribute_group pin_attr_group;
53864 };
53865diff --git a/drivers/ptp/ptp_sysfs.c b/drivers/ptp/ptp_sysfs.c
53866index 302e626..12579af 100644
53867--- a/drivers/ptp/ptp_sysfs.c
53868+++ b/drivers/ptp/ptp_sysfs.c
53869@@ -280,7 +280,7 @@ static int ptp_populate_pins(struct ptp_clock *ptp)
53870 goto no_pin_attr;
53871
53872 for (i = 0; i < n_pins; i++) {
53873- struct device_attribute *da = &ptp->pin_dev_attr[i];
53874+ device_attribute_no_const *da = &ptp->pin_dev_attr[i];
53875 sysfs_attr_init(&da->attr);
53876 da->attr.name = info->pin_config[i].name;
53877 da->attr.mode = 0644;
53878diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
53879index 5081533..794deb2 100644
53880--- a/drivers/regulator/core.c
53881+++ b/drivers/regulator/core.c
53882@@ -3650,7 +3650,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
53883 const struct regulation_constraints *constraints = NULL;
53884 const struct regulator_init_data *init_data;
53885 struct regulator_config *config = NULL;
53886- static atomic_t regulator_no = ATOMIC_INIT(-1);
53887+ static atomic_unchecked_t regulator_no = ATOMIC_INIT(-1);
53888 struct regulator_dev *rdev;
53889 struct device *dev;
53890 int ret, i;
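Review bot: `regulator_no` becomes `atomic_unchecked_t` with no comment saying why this counter is exempt from overflow checking, so a later reader cannot tell a deliberate exemption from an oversight. A short note on the declaration, such as `/* instance number for the device name, not a reference count */`, would document the intent. The same applies to the matching `atomic_inc_return_unchecked()` hunk in this file, and to the ID counters converted in drivers/scsi/fcoe/fcoe_sysfs.c (`ctlr_num`, `fcf_num`) and drivers/scsi/hosts.c (`scsi_host_next_hn`).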
53891@@ -3733,7 +3733,7 @@ regulator_register(const struct regulator_desc *regulator_desc,
53892 rdev->dev.class = &regulator_class;
53893 rdev->dev.parent = dev;
53894 dev_set_name(&rdev->dev, "regulator.%lu",
53895- (unsigned long) atomic_inc_return(&regulator_no));
53896+ (unsigned long) atomic_inc_return_unchecked(&regulator_no));
53897 ret = device_register(&rdev->dev);
53898 if (ret != 0) {
53899 put_device(&rdev->dev);
53900diff --git a/drivers/regulator/max8660.c b/drivers/regulator/max8660.c
53901index 4071d74..260b15a 100644
53902--- a/drivers/regulator/max8660.c
53903+++ b/drivers/regulator/max8660.c
53904@@ -423,8 +423,10 @@ static int max8660_probe(struct i2c_client *client,
53905 max8660->shadow_regs[MAX8660_OVER1] = 5;
53906 } else {
53907 /* Otherwise devices can be toggled via software */
53908- max8660_dcdc_ops.enable = max8660_dcdc_enable;
53909- max8660_dcdc_ops.disable = max8660_dcdc_disable;
53910+ pax_open_kernel();
53911+ *(void **)&max8660_dcdc_ops.enable = max8660_dcdc_enable;
53912+ *(void **)&max8660_dcdc_ops.disable = max8660_dcdc_disable;
53913+ pax_close_kernel();
53914 }
53915
53916 /*
53917diff --git a/drivers/regulator/max8973-regulator.c b/drivers/regulator/max8973-regulator.c
53918index e94ddcf..bad33ad 100644
53919--- a/drivers/regulator/max8973-regulator.c
53920+++ b/drivers/regulator/max8973-regulator.c
53921@@ -580,9 +580,11 @@ static int max8973_probe(struct i2c_client *client,
53922 if (!pdata->enable_ext_control) {
53923 max->desc.enable_reg = MAX8973_VOUT;
53924 max->desc.enable_mask = MAX8973_VOUT_ENABLE;
53925- max->ops.enable = regulator_enable_regmap;
53926- max->ops.disable = regulator_disable_regmap;
53927- max->ops.is_enabled = regulator_is_enabled_regmap;
53928+ pax_open_kernel();
53929+ *(void **)&max->ops.enable = regulator_enable_regmap;
53930+ *(void **)&max->ops.disable = regulator_disable_regmap;
53931+ *(void **)&max->ops.is_enabled = regulator_is_enabled_regmap;
53932+ pax_close_kernel();
53933 break;
53934 }
53935
53936@@ -610,9 +612,11 @@ static int max8973_probe(struct i2c_client *client,
53937
53938 max->desc.enable_reg = MAX8973_VOUT;
53939 max->desc.enable_mask = MAX8973_VOUT_ENABLE;
53940- max->ops.enable = regulator_enable_regmap;
53941- max->ops.disable = regulator_disable_regmap;
53942- max->ops.is_enabled = regulator_is_enabled_regmap;
53943+ pax_open_kernel();
53944+ *(void **)&max->ops.enable = regulator_enable_regmap;
53945+ *(void **)&max->ops.disable = regulator_disable_regmap;
53946+ *(void **)&max->ops.is_enabled = regulator_is_enabled_regmap;
53947+ pax_close_kernel();
53948 break;
53949 default:
53950 break;
53951diff --git a/drivers/regulator/mc13892-regulator.c b/drivers/regulator/mc13892-regulator.c
53952index 0d17c92..a29f627 100644
53953--- a/drivers/regulator/mc13892-regulator.c
53954+++ b/drivers/regulator/mc13892-regulator.c
53955@@ -584,10 +584,12 @@ static int mc13892_regulator_probe(struct platform_device *pdev)
53956 mc13xxx_unlock(mc13892);
53957
53958 /* update mc13892_vcam ops */
53959- memcpy(&mc13892_vcam_ops, mc13892_regulators[MC13892_VCAM].desc.ops,
53960+ pax_open_kernel();
53961+ memcpy((void *)&mc13892_vcam_ops, mc13892_regulators[MC13892_VCAM].desc.ops,
53962 sizeof(struct regulator_ops));
53963- mc13892_vcam_ops.set_mode = mc13892_vcam_set_mode,
53964- mc13892_vcam_ops.get_mode = mc13892_vcam_get_mode,
53965+ *(void **)&mc13892_vcam_ops.set_mode = mc13892_vcam_set_mode,
53966+ *(void **)&mc13892_vcam_ops.get_mode = mc13892_vcam_get_mode,
53967+ pax_close_kernel();
53968 mc13892_regulators[MC13892_VCAM].desc.ops = &mc13892_vcam_ops;
53969
53970 mc13xxx_data = mc13xxx_parse_regulators_dt(pdev, mc13892_regulators,
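Review bot: The two rewritten assignments keep their trailing commas, so together with the added `pax_close_kernel();` they now form one comma expression that ends in the close call. That only compiles and runs in the intended order as long as `pax_close_kernel()` stays an expression; if it ever expands to a statement, the build breaks at this point. End each store with a semicolon: `*(void **)&mc13892_vcam_ops.set_mode = mc13892_vcam_set_mode;` and `*(void **)&mc13892_vcam_ops.get_mode = mc13892_vcam_get_mode;`.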
53971diff --git a/drivers/rtc/rtc-armada38x.c b/drivers/rtc/rtc-armada38x.c
53972index 2b08cac..8942201 100644
53973--- a/drivers/rtc/rtc-armada38x.c
53974+++ b/drivers/rtc/rtc-armada38x.c
53975@@ -18,6 +18,7 @@
53976 #include <linux/of.h>
53977 #include <linux/platform_device.h>
53978 #include <linux/rtc.h>
53979+#include <asm/pgtable.h>
53980
53981 #define RTC_STATUS 0x0
53982 #define RTC_STATUS_ALARM1 BIT(0)
53983@@ -254,8 +255,10 @@ static __init int armada38x_rtc_probe(struct platform_device *pdev)
53984 * If there is no interrupt available then we can't
53985 * use the alarm
53986 */
53987- armada38x_rtc_ops.set_alarm = NULL;
53988- armada38x_rtc_ops.alarm_irq_enable = NULL;
53989+ pax_open_kernel();
53990+ *(void **)&armada38x_rtc_ops.set_alarm = NULL;
53991+ *(void **)&armada38x_rtc_ops.alarm_irq_enable = NULL;
53992+ pax_close_kernel();
53993 }
53994 platform_set_drvdata(pdev, rtc);
53995 if (rtc->irq != -1)
53996diff --git a/drivers/rtc/rtc-cmos.c b/drivers/rtc/rtc-cmos.c
53997index a82556a0..e842923 100644
53998--- a/drivers/rtc/rtc-cmos.c
53999+++ b/drivers/rtc/rtc-cmos.c
54000@@ -793,7 +793,9 @@ cmos_do_probe(struct device *dev, struct resource *ports, int rtc_irq)
54001 hpet_rtc_timer_init();
54002
54003 /* export at least the first block of NVRAM */
54004- nvram.size = address_space - NVRAM_OFFSET;
54005+ pax_open_kernel();
54006+ *(size_t *)&nvram.size = address_space - NVRAM_OFFSET;
54007+ pax_close_kernel();
54008 retval = sysfs_create_bin_file(&dev->kobj, &nvram);
54009 if (retval < 0) {
54010 dev_dbg(dev, "can't create nvram file? %d\n", retval);
54011diff --git a/drivers/rtc/rtc-dev.c b/drivers/rtc/rtc-dev.c
54012index 799c34b..8e9786a 100644
54013--- a/drivers/rtc/rtc-dev.c
54014+++ b/drivers/rtc/rtc-dev.c
54015@@ -16,6 +16,7 @@
54016 #include <linux/module.h>
54017 #include <linux/rtc.h>
54018 #include <linux/sched.h>
54019+#include <linux/grsecurity.h>
54020 #include "rtc-core.h"
54021
54022 static dev_t rtc_devt;
54023@@ -347,6 +348,8 @@ static long rtc_dev_ioctl(struct file *file,
54024 if (copy_from_user(&tm, uarg, sizeof(tm)))
54025 return -EFAULT;
54026
54027+ gr_log_timechange();
54028+
54029 return rtc_set_time(rtc, &tm);
54030
54031 case RTC_PIE_ON:
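Review bot: `gr_log_timechange()` runs before `rtc_set_time()` and regardless of its result, so a request the driver rejects is still recorded as a time change. If the record is meant to reflect changes that took effect, take the return value first and log only on success, e.g. `ret = rtc_set_time(rtc, &tm); if (!ret) gr_log_timechange(); return ret;`, where `ret` stands for whatever result variable rtc_dev_ioctl already has. If logging every attempt is the intent, a one-line comment saying so would prevent a later "fix". The case body begins outside this hunk.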
54032diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
54033index 6e76de1..d38a1e0 100644
54034--- a/drivers/rtc/rtc-ds1307.c
54035+++ b/drivers/rtc/rtc-ds1307.c
54036@@ -107,7 +107,7 @@ struct ds1307 {
54037 u8 offset; /* register's offset */
54038 u8 regs[11];
54039 u16 nvram_offset;
54040- struct bin_attribute *nvram;
54041+ bin_attribute_no_const *nvram;
54042 enum ds_type type;
54043 unsigned long flags;
54044 #define HAS_NVRAM 0 /* bit 0 == sysfs file active */
54045diff --git a/drivers/rtc/rtc-m48t59.c b/drivers/rtc/rtc-m48t59.c
54046index 90abb5b..e0bf6dd 100644
54047--- a/drivers/rtc/rtc-m48t59.c
54048+++ b/drivers/rtc/rtc-m48t59.c
54049@@ -483,7 +483,9 @@ static int m48t59_rtc_probe(struct platform_device *pdev)
54050 if (IS_ERR(m48t59->rtc))
54051 return PTR_ERR(m48t59->rtc);
54052
54053- m48t59_nvram_attr.size = pdata->offset;
54054+ pax_open_kernel();
54055+ *(size_t *)&m48t59_nvram_attr.size = pdata->offset;
54056+ pax_close_kernel();
54057
54058 ret = sysfs_create_bin_file(&pdev->dev.kobj, &m48t59_nvram_attr);
54059 if (ret)
54060diff --git a/drivers/rtc/rtc-test.c b/drivers/rtc/rtc-test.c
54061index 3a2da4c..e88493c 100644
54062--- a/drivers/rtc/rtc-test.c
54063+++ b/drivers/rtc/rtc-test.c
54064@@ -112,8 +112,10 @@ static int test_probe(struct platform_device *plat_dev)
54065 struct rtc_device *rtc;
54066
54067 if (test_mmss64) {
54068- test_rtc_ops.set_mmss64 = test_rtc_set_mmss64;
54069- test_rtc_ops.set_mmss = NULL;
54070+ pax_open_kernel();
54071+ *(void **)&test_rtc_ops.set_mmss64 = test_rtc_set_mmss64;
54072+ *(void **)&test_rtc_ops.set_mmss = NULL;
54073+ pax_close_kernel();
54074 }
54075
54076 rtc = devm_rtc_device_register(&plat_dev->dev, "test",
54077diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
54078index 7a6dbfb..5cdcd29 100644
54079--- a/drivers/scsi/be2iscsi/be_main.c
54080+++ b/drivers/scsi/be2iscsi/be_main.c
54081@@ -3184,7 +3184,7 @@ be_sgl_create_contiguous(void *virtual_address,
54082 {
54083 WARN_ON(!virtual_address);
54084 WARN_ON(!physical_address);
54085- WARN_ON(!length > 0);
54086+ WARN_ON(!length);
54087 WARN_ON(!sgl);
54088
54089 sgl->va = virtual_address;
54090diff --git a/drivers/scsi/bfa/bfa_fcpim.h b/drivers/scsi/bfa/bfa_fcpim.h
54091index e693af6..2e525b6 100644
54092--- a/drivers/scsi/bfa/bfa_fcpim.h
54093+++ b/drivers/scsi/bfa/bfa_fcpim.h
54094@@ -36,7 +36,7 @@ struct bfa_iotag_s {
54095
54096 struct bfa_itn_s {
54097 bfa_isr_func_t isr;
54098-};
54099+} __no_const;
54100
54101 void bfa_itn_create(struct bfa_s *bfa, struct bfa_rport_s *rport,
54102 void (*isr)(struct bfa_s *bfa, struct bfi_msg_s *m));
54103diff --git a/drivers/scsi/bfa/bfa_fcs.c b/drivers/scsi/bfa/bfa_fcs.c
54104index 0f19455..ef7adb5 100644
54105--- a/drivers/scsi/bfa/bfa_fcs.c
54106+++ b/drivers/scsi/bfa/bfa_fcs.c
54107@@ -38,10 +38,21 @@ struct bfa_fcs_mod_s {
54108 #define BFA_FCS_MODULE(_mod) { _mod ## _modinit, _mod ## _modexit }
54109
54110 static struct bfa_fcs_mod_s fcs_modules[] = {
54111- { bfa_fcs_port_attach, NULL, NULL },
54112- { bfa_fcs_uf_attach, NULL, NULL },
54113- { bfa_fcs_fabric_attach, bfa_fcs_fabric_modinit,
54114- bfa_fcs_fabric_modexit },
54115+ {
54116+ .attach = bfa_fcs_port_attach,
54117+ .modinit = NULL,
54118+ .modexit = NULL
54119+ },
54120+ {
54121+ .attach = bfa_fcs_uf_attach,
54122+ .modinit = NULL,
54123+ .modexit = NULL
54124+ },
54125+ {
54126+ .attach = bfa_fcs_fabric_attach,
54127+ .modinit = bfa_fcs_fabric_modinit,
54128+ .modexit = bfa_fcs_fabric_modexit
54129+ },
54130 };
54131
54132 /*
54133diff --git a/drivers/scsi/bfa/bfa_fcs_lport.c b/drivers/scsi/bfa/bfa_fcs_lport.c
54134index ff75ef8..2dfe00a 100644
54135--- a/drivers/scsi/bfa/bfa_fcs_lport.c
54136+++ b/drivers/scsi/bfa/bfa_fcs_lport.c
54137@@ -89,15 +89,26 @@ static struct {
54138 void (*offline) (struct bfa_fcs_lport_s *port);
54139 } __port_action[] = {
54140 {
54141- bfa_fcs_lport_unknown_init, bfa_fcs_lport_unknown_online,
54142- bfa_fcs_lport_unknown_offline}, {
54143- bfa_fcs_lport_fab_init, bfa_fcs_lport_fab_online,
54144- bfa_fcs_lport_fab_offline}, {
54145- bfa_fcs_lport_n2n_init, bfa_fcs_lport_n2n_online,
54146- bfa_fcs_lport_n2n_offline}, {
54147- bfa_fcs_lport_loop_init, bfa_fcs_lport_loop_online,
54148- bfa_fcs_lport_loop_offline},
54149- };
54150+ .init = bfa_fcs_lport_unknown_init,
54151+ .online = bfa_fcs_lport_unknown_online,
54152+ .offline = bfa_fcs_lport_unknown_offline
54153+ },
54154+ {
54155+ .init = bfa_fcs_lport_fab_init,
54156+ .online = bfa_fcs_lport_fab_online,
54157+ .offline = bfa_fcs_lport_fab_offline
54158+ },
54159+ {
54160+ .init = bfa_fcs_lport_n2n_init,
54161+ .online = bfa_fcs_lport_n2n_online,
54162+ .offline = bfa_fcs_lport_n2n_offline
54163+ },
54164+ {
54165+ .init = bfa_fcs_lport_loop_init,
54166+ .online = bfa_fcs_lport_loop_online,
54167+ .offline = bfa_fcs_lport_loop_offline
54168+ },
54169+};
54170
54171 /*
54172 * fcs_port_sm FCS logical port state machine
54173diff --git a/drivers/scsi/bfa/bfa_ioc.h b/drivers/scsi/bfa/bfa_ioc.h
54174index a38aafa0..fe8f03b 100644
54175--- a/drivers/scsi/bfa/bfa_ioc.h
54176+++ b/drivers/scsi/bfa/bfa_ioc.h
54177@@ -258,7 +258,7 @@ struct bfa_ioc_cbfn_s {
54178 bfa_ioc_disable_cbfn_t disable_cbfn;
54179 bfa_ioc_hbfail_cbfn_t hbfail_cbfn;
54180 bfa_ioc_reset_cbfn_t reset_cbfn;
54181-};
54182+} __no_const;
54183
54184 /*
54185 * IOC event notification mechanism.
54186@@ -352,7 +352,7 @@ struct bfa_ioc_hwif_s {
54187 void (*ioc_set_alt_fwstate) (struct bfa_ioc_s *ioc,
54188 enum bfi_ioc_state fwstate);
54189 enum bfi_ioc_state (*ioc_get_alt_fwstate) (struct bfa_ioc_s *ioc);
54190-};
54191+} __no_const;
54192
54193 /*
54194 * Queue element to wait for room in request queue. FIFO order is
54195diff --git a/drivers/scsi/bfa/bfa_modules.h b/drivers/scsi/bfa/bfa_modules.h
54196index a14c784..6de6790 100644
54197--- a/drivers/scsi/bfa/bfa_modules.h
54198+++ b/drivers/scsi/bfa/bfa_modules.h
54199@@ -78,12 +78,12 @@ enum {
54200 \
54201 extern struct bfa_module_s hal_mod_ ## __mod; \
54202 struct bfa_module_s hal_mod_ ## __mod = { \
54203- bfa_ ## __mod ## _meminfo, \
54204- bfa_ ## __mod ## _attach, \
54205- bfa_ ## __mod ## _detach, \
54206- bfa_ ## __mod ## _start, \
54207- bfa_ ## __mod ## _stop, \
54208- bfa_ ## __mod ## _iocdisable, \
54209+ .meminfo = bfa_ ## __mod ## _meminfo, \
54210+ .attach = bfa_ ## __mod ## _attach, \
54211+ .detach = bfa_ ## __mod ## _detach, \
54212+ .start = bfa_ ## __mod ## _start, \
54213+ .stop = bfa_ ## __mod ## _stop, \
54214+ .iocdisable = bfa_ ## __mod ## _iocdisable, \
54215 }
54216
54217 #define BFA_CACHELINE_SZ (256)
54218diff --git a/drivers/scsi/fcoe/fcoe_sysfs.c b/drivers/scsi/fcoe/fcoe_sysfs.c
54219index 045c4e1..13de803 100644
54220--- a/drivers/scsi/fcoe/fcoe_sysfs.c
54221+++ b/drivers/scsi/fcoe/fcoe_sysfs.c
54222@@ -33,8 +33,8 @@
54223 */
54224 #include "libfcoe.h"
54225
54226-static atomic_t ctlr_num;
54227-static atomic_t fcf_num;
54228+static atomic_unchecked_t ctlr_num;
54229+static atomic_unchecked_t fcf_num;
54230
54231 /*
54232 * fcoe_fcf_dev_loss_tmo: the default number of seconds that fcoe sysfs
54233@@ -685,7 +685,7 @@ struct fcoe_ctlr_device *fcoe_ctlr_device_add(struct device *parent,
54234 if (!ctlr)
54235 goto out;
54236
54237- ctlr->id = atomic_inc_return(&ctlr_num) - 1;
54238+ ctlr->id = atomic_inc_return_unchecked(&ctlr_num) - 1;
54239 ctlr->f = f;
54240 ctlr->mode = FIP_CONN_TYPE_FABRIC;
54241 INIT_LIST_HEAD(&ctlr->fcfs);
54242@@ -902,7 +902,7 @@ struct fcoe_fcf_device *fcoe_fcf_device_add(struct fcoe_ctlr_device *ctlr,
54243 fcf->dev.parent = &ctlr->dev;
54244 fcf->dev.bus = &fcoe_bus_type;
54245 fcf->dev.type = &fcoe_fcf_device_type;
54246- fcf->id = atomic_inc_return(&fcf_num) - 1;
54247+ fcf->id = atomic_inc_return_unchecked(&fcf_num) - 1;
54248 fcf->state = FCOE_FCF_STATE_UNKNOWN;
54249
54250 fcf->dev_loss_tmo = ctlr->fcf_dev_loss_tmo;
54251@@ -938,8 +938,8 @@ int __init fcoe_sysfs_setup(void)
54252 {
54253 int error;
54254
54255- atomic_set(&ctlr_num, 0);
54256- atomic_set(&fcf_num, 0);
54257+ atomic_set_unchecked(&ctlr_num, 0);
54258+ atomic_set_unchecked(&fcf_num, 0);
54259
54260 error = bus_register(&fcoe_bus_type);
54261 if (error)
54262diff --git a/drivers/scsi/hosts.c b/drivers/scsi/hosts.c
54263index 8bb173e..20236b4 100644
54264--- a/drivers/scsi/hosts.c
54265+++ b/drivers/scsi/hosts.c
54266@@ -42,7 +42,7 @@
54267 #include "scsi_logging.h"
54268
54269
54270-static atomic_t scsi_host_next_hn = ATOMIC_INIT(0); /* host_no for next new host */
54271+static atomic_unchecked_t scsi_host_next_hn = ATOMIC_INIT(0); /* host_no for next new host */
54272
54273
54274 static void scsi_host_cls_release(struct device *dev)
54275@@ -392,7 +392,7 @@ struct Scsi_Host *scsi_host_alloc(struct scsi_host_template *sht, int privsize)
54276 * subtract one because we increment first then return, but we need to
54277 * know what the next host number was before increment
54278 */
54279- shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
54280+ shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
54281 shost->dma_channel = 0xff;
54282
54283 /* These three are default values which can be overridden */
54284diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c
54285index cab4e98..31323f6 100644
54286--- a/drivers/scsi/hpsa.c
54287+++ b/drivers/scsi/hpsa.c
54288@@ -793,10 +793,10 @@ static inline u32 next_command(struct ctlr_info *h, u8 q)
54289 struct reply_queue_buffer *rq = &h->reply_queue[q];
54290
54291 if (h->transMethod & CFGTBL_Trans_io_accel1)
54292- return h->access.command_completed(h, q);
54293+ return h->access->command_completed(h, q);
54294
54295 if (unlikely(!(h->transMethod & CFGTBL_Trans_Performant)))
54296- return h->access.command_completed(h, q);
54297+ return h->access->command_completed(h, q);
54298
54299 if ((rq->head[rq->current_entry] & 1) == rq->wraparound) {
54300 a = rq->head[rq->current_entry];
54301@@ -978,7 +978,7 @@ static void __enqueue_cmd_and_start_io(struct ctlr_info *h,
54302 break;
54303 default:
54304 set_performant_mode(h, c, reply_queue);
54305- h->access.submit_command(h, c);
54306+ h->access->submit_command(h, c);
54307 }
54308 }
54309
54310@@ -6343,17 +6343,17 @@ static void __iomem *remap_pci_mem(ulong base, ulong size)
54311
54312 static inline unsigned long get_next_completion(struct ctlr_info *h, u8 q)
54313 {
54314- return h->access.command_completed(h, q);
54315+ return h->access->command_completed(h, q);
54316 }
54317
54318 static inline bool interrupt_pending(struct ctlr_info *h)
54319 {
54320- return h->access.intr_pending(h);
54321+ return h->access->intr_pending(h);
54322 }
54323
54324 static inline long interrupt_not_for_us(struct ctlr_info *h)
54325 {
54326- return (h->access.intr_pending(h) == 0) ||
54327+ return (h->access->intr_pending(h) == 0) ||
54328 (h->interrupts_enabled == 0);
54329 }
54330
54331@@ -7291,7 +7291,7 @@ static int hpsa_pci_init(struct ctlr_info *h)
54332 if (prod_index < 0)
54333 return prod_index;
54334 h->product_name = products[prod_index].product_name;
54335- h->access = *(products[prod_index].access);
54336+ h->access = products[prod_index].access;
54337
54338 h->needs_abort_tags_swizzled =
54339 ctlr_needs_abort_tags_swizzled(h->board_id);
54340@@ -7690,7 +7690,7 @@ static void controller_lockup_detected(struct ctlr_info *h)
54341 unsigned long flags;
54342 u32 lockup_detected;
54343
54344- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54345+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54346 spin_lock_irqsave(&h->lock, flags);
54347 lockup_detected = readl(h->vaddr + SA5_SCRATCHPAD_OFFSET);
54348 if (!lockup_detected) {
54349@@ -7973,7 +7973,7 @@ reinit_after_soft_reset:
54350 }
54351
54352 /* make sure the board interrupts are off */
54353- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54354+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54355
54356 rc = hpsa_request_irqs(h, do_hpsa_intr_msi, do_hpsa_intr_intx);
54357 if (rc)
54358@@ -8032,7 +8032,7 @@ reinit_after_soft_reset:
54359 * fake ones to scoop up any residual completions.
54360 */
54361 spin_lock_irqsave(&h->lock, flags);
54362- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54363+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54364 spin_unlock_irqrestore(&h->lock, flags);
54365 hpsa_free_irqs(h);
54366 rc = hpsa_request_irqs(h, hpsa_msix_discard_completions,
54367@@ -8062,9 +8062,9 @@ reinit_after_soft_reset:
54368 dev_info(&h->pdev->dev, "Board READY.\n");
54369 dev_info(&h->pdev->dev,
54370 "Waiting for stale completions to drain.\n");
54371- h->access.set_intr_mask(h, HPSA_INTR_ON);
54372+ h->access->set_intr_mask(h, HPSA_INTR_ON);
54373 msleep(10000);
54374- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54375+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54376
54377 rc = controller_reset_failed(h->cfgtable);
54378 if (rc)
54379@@ -8089,7 +8089,7 @@ reinit_after_soft_reset:
54380
54381
54382 /* Turn the interrupts on so we can service requests */
54383- h->access.set_intr_mask(h, HPSA_INTR_ON);
54384+ h->access->set_intr_mask(h, HPSA_INTR_ON);
54385
54386 hpsa_hba_inquiry(h);
54387
54388@@ -8107,7 +8107,7 @@ clean9: /* wq, sh, perf, sg, cmd, irq, shost, pci, lu, aer/h */
54389 kfree(h->hba_inquiry_data);
54390 clean7: /* perf, sg, cmd, irq, shost, pci, lu, aer/h */
54391 hpsa_free_performant_mode(h);
54392- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54393+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54394 clean6: /* sg, cmd, irq, pci, lockup, wq/aer/h */
54395 hpsa_free_sg_chain_blocks(h);
54396 clean5: /* cmd, irq, shost, pci, lu, aer/h */
54397@@ -8177,7 +8177,7 @@ static void hpsa_shutdown(struct pci_dev *pdev)
54398 * To write all data in the battery backed cache to disks
54399 */
54400 hpsa_flush_cache(h);
54401- h->access.set_intr_mask(h, HPSA_INTR_OFF);
54402+ h->access->set_intr_mask(h, HPSA_INTR_OFF);
54403 hpsa_free_irqs(h); /* init_one 4 */
54404 hpsa_disable_interrupt_mode(h); /* pci_init 2 */
54405 }
54406@@ -8309,7 +8309,7 @@ static int hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support)
54407 CFGTBL_Trans_enable_directed_msix |
54408 (trans_support & (CFGTBL_Trans_io_accel1 |
54409 CFGTBL_Trans_io_accel2));
54410- struct access_method access = SA5_performant_access;
54411+ struct access_method *access = &SA5_performant_access;
54412
54413 /* This is a bit complicated. There are 8 registers on
54414 * the controller which we write to to tell it 8 different
54415@@ -8351,7 +8351,7 @@ static int hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support)
54416 * perform the superfluous readl() after each command submission.
54417 */
54418 if (trans_support & (CFGTBL_Trans_io_accel1 | CFGTBL_Trans_io_accel2))
54419- access = SA5_performant_access_no_read;
54420+ access = &SA5_performant_access_no_read;
54421
54422 /* Controller spec: zero out this buffer. */
54423 for (i = 0; i < h->nreply_queues; i++)
54424@@ -8381,12 +8381,12 @@ static int hpsa_enter_performant_mode(struct ctlr_info *h, u32 trans_support)
54425 * enable outbound interrupt coalescing in accelerator mode;
54426 */
54427 if (trans_support & CFGTBL_Trans_io_accel1) {
54428- access = SA5_ioaccel_mode1_access;
54429+ access = &SA5_ioaccel_mode1_access;
54430 writel(10, &h->cfgtable->HostWrite.CoalIntDelay);
54431 writel(4, &h->cfgtable->HostWrite.CoalIntCount);
54432 } else {
54433 if (trans_support & CFGTBL_Trans_io_accel2) {
54434- access = SA5_ioaccel_mode2_access;
54435+ access = &SA5_ioaccel_mode2_access;
54436 writel(10, &h->cfgtable->HostWrite.CoalIntDelay);
54437 writel(4, &h->cfgtable->HostWrite.CoalIntCount);
54438 }
54439diff --git a/drivers/scsi/hpsa.h b/drivers/scsi/hpsa.h
54440index 6ee4da6..dfafb48 100644
54441--- a/drivers/scsi/hpsa.h
54442+++ b/drivers/scsi/hpsa.h
54443@@ -152,7 +152,7 @@ struct ctlr_info {
54444 unsigned int msix_vector;
54445 unsigned int msi_vector;
54446 int intr_mode; /* either PERF_MODE_INT or SIMPLE_MODE_INT */
54447- struct access_method access;
54448+ struct access_method *access;
54449 char hba_mode_enabled;
54450
54451 /* queue and queue Info */
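Review bot: `access` now points at the shared `SA5_*` tables instead of holding a per-controller copy, but the member is declared as a plain `struct access_method *`, so nothing in the type stops a later write through `h->access` from altering the table for every controller. Declaring it `const struct access_method *access;` would state the read-only intent in the source rather than leaving it to the build configuration. The tables in the next hunk would then become `static const struct access_method`. The `access` field of `struct board_type` and the local in hpsa_enter_performant_mode would need the same qualifier; the former is not visible here.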
54452@@ -542,38 +542,38 @@ static unsigned long SA5_ioaccel_mode1_completed(struct ctlr_info *h, u8 q)
54453 }
54454
54455 static struct access_method SA5_access = {
54456- SA5_submit_command,
54457- SA5_intr_mask,
54458- SA5_intr_pending,
54459- SA5_completed,
54460+ .submit_command = SA5_submit_command,
54461+ .set_intr_mask = SA5_intr_mask,
54462+ .intr_pending = SA5_intr_pending,
54463+ .command_completed = SA5_completed,
54464 };
54465
54466 static struct access_method SA5_ioaccel_mode1_access = {
54467- SA5_submit_command,
54468- SA5_performant_intr_mask,
54469- SA5_ioaccel_mode1_intr_pending,
54470- SA5_ioaccel_mode1_completed,
54471+ .submit_command = SA5_submit_command,
54472+ .set_intr_mask = SA5_performant_intr_mask,
54473+ .intr_pending = SA5_ioaccel_mode1_intr_pending,
54474+ .command_completed = SA5_ioaccel_mode1_completed,
54475 };
54476
54477 static struct access_method SA5_ioaccel_mode2_access = {
54478- SA5_submit_command_ioaccel2,
54479- SA5_performant_intr_mask,
54480- SA5_performant_intr_pending,
54481- SA5_performant_completed,
54482+ .submit_command = SA5_submit_command_ioaccel2,
54483+ .set_intr_mask = SA5_performant_intr_mask,
54484+ .intr_pending = SA5_performant_intr_pending,
54485+ .command_completed = SA5_performant_completed,
54486 };
54487
54488 static struct access_method SA5_performant_access = {
54489- SA5_submit_command,
54490- SA5_performant_intr_mask,
54491- SA5_performant_intr_pending,
54492- SA5_performant_completed,
54493+ .submit_command = SA5_submit_command,
54494+ .set_intr_mask = SA5_performant_intr_mask,
54495+ .intr_pending = SA5_performant_intr_pending,
54496+ .command_completed = SA5_performant_completed,
54497 };
54498
54499 static struct access_method SA5_performant_access_no_read = {
54500- SA5_submit_command_no_read,
54501- SA5_performant_intr_mask,
54502- SA5_performant_intr_pending,
54503- SA5_performant_completed,
54504+ .submit_command = SA5_submit_command_no_read,
54505+ .set_intr_mask = SA5_performant_intr_mask,
54506+ .intr_pending = SA5_performant_intr_pending,
54507+ .command_completed = SA5_performant_completed,
54508 };
54509
54510 struct board_type {
54511diff --git a/drivers/scsi/libfc/fc_exch.c b/drivers/scsi/libfc/fc_exch.c
54512index 30f9ef0..a1e29ac 100644
54513--- a/drivers/scsi/libfc/fc_exch.c
54514+++ b/drivers/scsi/libfc/fc_exch.c
54515@@ -101,12 +101,12 @@ struct fc_exch_mgr {
54516 u16 pool_max_index;
54517
54518 struct {
54519- atomic_t no_free_exch;
54520- atomic_t no_free_exch_xid;
54521- atomic_t xid_not_found;
54522- atomic_t xid_busy;
54523- atomic_t seq_not_found;
54524- atomic_t non_bls_resp;
54525+ atomic_unchecked_t no_free_exch;
54526+ atomic_unchecked_t no_free_exch_xid;
54527+ atomic_unchecked_t xid_not_found;
54528+ atomic_unchecked_t xid_busy;
54529+ atomic_unchecked_t seq_not_found;
54530+ atomic_unchecked_t non_bls_resp;
54531 } stats;
54532 };
54533
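Review bot: The six `stats` members of `struct fc_exch_mgr` become `atomic_unchecked_t` with no comment recording why they may be exempt from the overflow-checked atomics. The other hunks in this file only increment them on lookup and allocation failures and sum them in `fc_exch_update_stats`, so they look like pure statistics. The struct should say so, for example `/* statistics only, never a reference count; wrap-around is harmless */` above the anonymous `struct {`. A counter added here later that guards an object's lifetime would need to stay `atomic_t`.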
54534@@ -809,7 +809,7 @@ static struct fc_exch *fc_exch_em_alloc(struct fc_lport *lport,
54535 /* allocate memory for exchange */
54536 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
54537 if (!ep) {
54538- atomic_inc(&mp->stats.no_free_exch);
54539+ atomic_inc_unchecked(&mp->stats.no_free_exch);
54540 goto out;
54541 }
54542 memset(ep, 0, sizeof(*ep));
54543@@ -872,7 +872,7 @@ out:
54544 return ep;
54545 err:
54546 spin_unlock_bh(&pool->lock);
54547- atomic_inc(&mp->stats.no_free_exch_xid);
54548+ atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
54549 mempool_free(ep, mp->ep_pool);
54550 return NULL;
54551 }
54552@@ -1021,7 +1021,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
54553 xid = ntohs(fh->fh_ox_id); /* we originated exch */
54554 ep = fc_exch_find(mp, xid);
54555 if (!ep) {
54556- atomic_inc(&mp->stats.xid_not_found);
54557+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54558 reject = FC_RJT_OX_ID;
54559 goto out;
54560 }
54561@@ -1051,7 +1051,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
54562 ep = fc_exch_find(mp, xid);
54563 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
54564 if (ep) {
54565- atomic_inc(&mp->stats.xid_busy);
54566+ atomic_inc_unchecked(&mp->stats.xid_busy);
54567 reject = FC_RJT_RX_ID;
54568 goto rel;
54569 }
54570@@ -1062,7 +1062,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
54571 }
54572 xid = ep->xid; /* get our XID */
54573 } else if (!ep) {
54574- atomic_inc(&mp->stats.xid_not_found);
54575+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54576 reject = FC_RJT_RX_ID; /* XID not found */
54577 goto out;
54578 }
54579@@ -1080,7 +1080,7 @@ static enum fc_pf_rjt_reason fc_seq_lookup_recip(struct fc_lport *lport,
54580 } else {
54581 sp = &ep->seq;
54582 if (sp->id != fh->fh_seq_id) {
54583- atomic_inc(&mp->stats.seq_not_found);
54584+ atomic_inc_unchecked(&mp->stats.seq_not_found);
54585 if (f_ctl & FC_FC_END_SEQ) {
54586 /*
54587 * Update sequence_id based on incoming last
54588@@ -1531,22 +1531,22 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
54589
54590 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
54591 if (!ep) {
54592- atomic_inc(&mp->stats.xid_not_found);
54593+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54594 goto out;
54595 }
54596 if (ep->esb_stat & ESB_ST_COMPLETE) {
54597- atomic_inc(&mp->stats.xid_not_found);
54598+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54599 goto rel;
54600 }
54601 if (ep->rxid == FC_XID_UNKNOWN)
54602 ep->rxid = ntohs(fh->fh_rx_id);
54603 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
54604- atomic_inc(&mp->stats.xid_not_found);
54605+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54606 goto rel;
54607 }
54608 if (ep->did != ntoh24(fh->fh_s_id) &&
54609 ep->did != FC_FID_FLOGI) {
54610- atomic_inc(&mp->stats.xid_not_found);
54611+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54612 goto rel;
54613 }
54614 sof = fr_sof(fp);
54615@@ -1555,7 +1555,7 @@ static void fc_exch_recv_seq_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
54616 sp->ssb_stat |= SSB_ST_RESP;
54617 sp->id = fh->fh_seq_id;
54618 } else if (sp->id != fh->fh_seq_id) {
54619- atomic_inc(&mp->stats.seq_not_found);
54620+ atomic_inc_unchecked(&mp->stats.seq_not_found);
54621 goto rel;
54622 }
54623
54624@@ -1618,9 +1618,9 @@ static void fc_exch_recv_resp(struct fc_exch_mgr *mp, struct fc_frame *fp)
54625 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
54626
54627 if (!sp)
54628- atomic_inc(&mp->stats.xid_not_found);
54629+ atomic_inc_unchecked(&mp->stats.xid_not_found);
54630 else
54631- atomic_inc(&mp->stats.non_bls_resp);
54632+ atomic_inc_unchecked(&mp->stats.non_bls_resp);
54633
54634 fc_frame_free(fp);
54635 }
54636@@ -2261,13 +2261,13 @@ void fc_exch_update_stats(struct fc_lport *lport)
54637
54638 list_for_each_entry(ema, &lport->ema_list, ema_list) {
54639 mp = ema->mp;
54640- st->fc_no_free_exch += atomic_read(&mp->stats.no_free_exch);
54641+ st->fc_no_free_exch += atomic_read_unchecked(&mp->stats.no_free_exch);
54642 st->fc_no_free_exch_xid +=
54643- atomic_read(&mp->stats.no_free_exch_xid);
54644- st->fc_xid_not_found += atomic_read(&mp->stats.xid_not_found);
54645- st->fc_xid_busy += atomic_read(&mp->stats.xid_busy);
54646- st->fc_seq_not_found += atomic_read(&mp->stats.seq_not_found);
54647- st->fc_non_bls_resp += atomic_read(&mp->stats.non_bls_resp);
54648+ atomic_read_unchecked(&mp->stats.no_free_exch_xid);
54649+ st->fc_xid_not_found += atomic_read_unchecked(&mp->stats.xid_not_found);
54650+ st->fc_xid_busy += atomic_read_unchecked(&mp->stats.xid_busy);
54651+ st->fc_seq_not_found += atomic_read_unchecked(&mp->stats.seq_not_found);
54652+ st->fc_non_bls_resp += atomic_read_unchecked(&mp->stats.non_bls_resp);
54653 }
54654 }
54655 EXPORT_SYMBOL(fc_exch_update_stats);
54656diff --git a/drivers/scsi/libsas/sas_ata.c b/drivers/scsi/libsas/sas_ata.c
54657index 9c706d8..d3e3ed2 100644
54658--- a/drivers/scsi/libsas/sas_ata.c
54659+++ b/drivers/scsi/libsas/sas_ata.c
54660@@ -535,7 +535,7 @@ static struct ata_port_operations sas_sata_ops = {
54661 .postreset = ata_std_postreset,
54662 .error_handler = ata_std_error_handler,
54663 .post_internal_cmd = sas_ata_post_internal,
54664- .qc_defer = ata_std_qc_defer,
54665+ .qc_defer = ata_std_qc_defer,
54666 .qc_prep = ata_noop_qc_prep,
54667 .qc_issue = sas_ata_qc_issue,
54668 .qc_fill_rtf = sas_ata_qc_fill_rtf,
54669diff --git a/drivers/scsi/lpfc/lpfc.h b/drivers/scsi/lpfc/lpfc.h
54670index a5a56fa..43499fd 100644
54671--- a/drivers/scsi/lpfc/lpfc.h
54672+++ b/drivers/scsi/lpfc/lpfc.h
54673@@ -435,7 +435,7 @@ struct lpfc_vport {
54674 struct dentry *debug_nodelist;
54675 struct dentry *vport_debugfs_root;
54676 struct lpfc_debugfs_trc *disc_trc;
54677- atomic_t disc_trc_cnt;
54678+ atomic_unchecked_t disc_trc_cnt;
54679 #endif
54680 uint8_t stat_data_enabled;
54681 uint8_t stat_data_blocked;
54682@@ -885,8 +885,8 @@ struct lpfc_hba {
54683 struct timer_list fabric_block_timer;
54684 unsigned long bit_flags;
54685 #define FABRIC_COMANDS_BLOCKED 0
54686- atomic_t num_rsrc_err;
54687- atomic_t num_cmd_success;
54688+ atomic_unchecked_t num_rsrc_err;
54689+ atomic_unchecked_t num_cmd_success;
54690 unsigned long last_rsrc_error_time;
54691 unsigned long last_ramp_down_time;
54692 #ifdef CONFIG_SCSI_LPFC_DEBUG_FS
54693@@ -921,7 +921,7 @@ struct lpfc_hba {
54694
54695 struct dentry *debug_slow_ring_trc;
54696 struct lpfc_debugfs_trc *slow_ring_trc;
54697- atomic_t slow_ring_trc_cnt;
54698+ atomic_unchecked_t slow_ring_trc_cnt;
54699 /* iDiag debugfs sub-directory */
54700 struct dentry *idiag_root;
54701 struct dentry *idiag_pci_cfg;
54702diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
54703index 25aa9b9..d700a65 100644
54704--- a/drivers/scsi/lpfc/lpfc_debugfs.c
54705+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
54706@@ -106,7 +106,7 @@ MODULE_PARM_DESC(lpfc_debugfs_mask_disc_trc,
54707
54708 #include <linux/debugfs.h>
54709
54710-static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
54711+static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
54712 static unsigned long lpfc_debugfs_start_time = 0L;
54713
54714 /* iDiag */
54715@@ -147,7 +147,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_vport *vport, char *buf, int size)
54716 lpfc_debugfs_enable = 0;
54717
54718 len = 0;
54719- index = (atomic_read(&vport->disc_trc_cnt) + 1) &
54720+ index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
54721 (lpfc_debugfs_max_disc_trc - 1);
54722 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
54723 dtp = vport->disc_trc + i;
54724@@ -213,7 +213,7 @@ lpfc_debugfs_slow_ring_trc_data(struct lpfc_hba *phba, char *buf, int size)
54725 lpfc_debugfs_enable = 0;
54726
54727 len = 0;
54728- index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
54729+ index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
54730 (lpfc_debugfs_max_slow_ring_trc - 1);
54731 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
54732 dtp = phba->slow_ring_trc + i;
54733@@ -646,14 +646,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport *vport, int mask, char *fmt,
54734 !vport || !vport->disc_trc)
54735 return;
54736
54737- index = atomic_inc_return(&vport->disc_trc_cnt) &
54738+ index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
54739 (lpfc_debugfs_max_disc_trc - 1);
54740 dtp = vport->disc_trc + index;
54741 dtp->fmt = fmt;
54742 dtp->data1 = data1;
54743 dtp->data2 = data2;
54744 dtp->data3 = data3;
54745- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
54746+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
54747 dtp->jif = jiffies;
54748 #endif
54749 return;
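Review bot: With `disc_trc_cnt` now an unchecked counter that may wrap, the `& (lpfc_debugfs_max_disc_trc - 1)` mask is the only thing keeping `vport->disc_trc + index` inside the trace buffer, and it does that only when the maximum is a power of two. Where that is enforced is not visible in this hunk, so a comment on the `index =` line would help, e.g. `/* counter may wrap; the mask bounds index because max_disc_trc is a power of two */`. The same applies to the `slow_ring_trc_cnt` hunk in `lpfc_debugfs_slow_ring_trc` below. Both functions start and end outside their hunks.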
54750@@ -684,14 +684,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_hba *phba, char *fmt,
54751 !phba || !phba->slow_ring_trc)
54752 return;
54753
54754- index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
54755+ index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
54756 (lpfc_debugfs_max_slow_ring_trc - 1);
54757 dtp = phba->slow_ring_trc + index;
54758 dtp->fmt = fmt;
54759 dtp->data1 = data1;
54760 dtp->data2 = data2;
54761 dtp->data3 = data3;
54762- dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
54763+ dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
54764 dtp->jif = jiffies;
54765 #endif
54766 return;
54767@@ -4268,7 +4268,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
54768 "slow_ring buffer\n");
54769 goto debug_failed;
54770 }
54771- atomic_set(&phba->slow_ring_trc_cnt, 0);
54772+ atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
54773 memset(phba->slow_ring_trc, 0,
54774 (sizeof(struct lpfc_debugfs_trc) *
54775 lpfc_debugfs_max_slow_ring_trc));
54776@@ -4314,7 +4314,7 @@ lpfc_debugfs_initialize(struct lpfc_vport *vport)
54777 "buffer\n");
54778 goto debug_failed;
54779 }
54780- atomic_set(&vport->disc_trc_cnt, 0);
54781+ atomic_set_unchecked(&vport->disc_trc_cnt, 0);
54782
54783 snprintf(name, sizeof(name), "discovery_trace");
54784 vport->debug_disc_trc =
54785diff --git a/drivers/scsi/lpfc/lpfc_init.c b/drivers/scsi/lpfc/lpfc_init.c
54786index f962118..6706983 100644
54787--- a/drivers/scsi/lpfc/lpfc_init.c
54788+++ b/drivers/scsi/lpfc/lpfc_init.c
54789@@ -11416,8 +11416,10 @@ lpfc_init(void)
54790 "misc_register returned with status %d", error);
54791
54792 if (lpfc_enable_npiv) {
54793- lpfc_transport_functions.vport_create = lpfc_vport_create;
54794- lpfc_transport_functions.vport_delete = lpfc_vport_delete;
54795+ pax_open_kernel();
54796+ *(void **)&lpfc_transport_functions.vport_create = lpfc_vport_create;
54797+ *(void **)&lpfc_transport_functions.vport_delete = lpfc_vport_delete;
54798+ pax_close_kernel();
54799 }
54800 lpfc_transport_template =
54801 fc_attach_transport(&lpfc_transport_functions);
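Review bot: The two stores through `*(void **)&lpfc_transport_functions.vport_create` and `.vport_delete` bypass the compiler's function-pointer type check, so a later signature change to `lpfc_vport_create` or `lpfc_vport_delete` would no longer be diagnosed at this assignment. A compile-time assertion before `pax_open_kernel()` restores the check without changing the store, e.g. `BUILD_BUG_ON(!__same_type(lpfc_transport_functions.vport_create, &lpfc_vport_create));` and the equivalent line for `vport_delete`. The same `*(void **)&` pattern is used for `calc_req_entries` and `build_iocbs` in the `qla2x00_config_dma_addressing` hunk of `qla_os.c`. `lpfc_init` begins and ends outside this hunk.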
54802diff --git a/drivers/scsi/lpfc/lpfc_scsi.c b/drivers/scsi/lpfc/lpfc_scsi.c
54803index e5eb40d..056dcd4 100644
54804--- a/drivers/scsi/lpfc/lpfc_scsi.c
54805+++ b/drivers/scsi/lpfc/lpfc_scsi.c
54806@@ -261,7 +261,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hba *phba)
54807 unsigned long expires;
54808
54809 spin_lock_irqsave(&phba->hbalock, flags);
54810- atomic_inc(&phba->num_rsrc_err);
54811+ atomic_inc_unchecked(&phba->num_rsrc_err);
54812 phba->last_rsrc_error_time = jiffies;
54813
54814 expires = phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL;
54815@@ -303,8 +303,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba)
54816 unsigned long num_rsrc_err, num_cmd_success;
54817 int i;
54818
54819- num_rsrc_err = atomic_read(&phba->num_rsrc_err);
54820- num_cmd_success = atomic_read(&phba->num_cmd_success);
54821+ num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
54822+ num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
54823
54824 /*
54825 * The error and success command counters are global per
54826@@ -331,8 +331,8 @@ lpfc_ramp_down_queue_handler(struct lpfc_hba *phba)
54827 }
54828 }
54829 lpfc_destroy_vport_work_array(phba, vports);
54830- atomic_set(&phba->num_rsrc_err, 0);
54831- atomic_set(&phba->num_cmd_success, 0);
54832+ atomic_set_unchecked(&phba->num_rsrc_err, 0);
54833+ atomic_set_unchecked(&phba->num_cmd_success, 0);
54834 }
54835
54836 /**
54837diff --git a/drivers/scsi/megaraid/megaraid_sas.h b/drivers/scsi/megaraid/megaraid_sas.h
54838index 20c3754..1b05e727 100644
54839--- a/drivers/scsi/megaraid/megaraid_sas.h
54840+++ b/drivers/scsi/megaraid/megaraid_sas.h
54841@@ -1700,7 +1700,7 @@ struct megasas_instance {
54842 s8 init_id;
54843
54844 u16 max_num_sge;
54845- u16 max_fw_cmds;
54846+ u16 max_fw_cmds __intentional_overflow(-1);
54847 u16 max_mfi_cmds;
54848 u16 max_scsi_cmds;
54849 u32 max_sectors_per_req;
54850diff --git a/drivers/scsi/mpt2sas/mpt2sas_scsih.c b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
54851index 3f26147..ee8efd1 100644
54852--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
54853+++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
54854@@ -1509,7 +1509,7 @@ _scsih_get_resync(struct device *dev)
54855 {
54856 struct scsi_device *sdev = to_scsi_device(dev);
54857 struct MPT2SAS_ADAPTER *ioc = shost_priv(sdev->host);
54858- static struct _raid_device *raid_device;
54859+ struct _raid_device *raid_device;
54860 unsigned long flags;
54861 Mpi2RaidVolPage0_t vol_pg0;
54862 Mpi2ConfigReply_t mpi_reply;
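Review bot: Dropping `static` from `raid_device` also drops its implicit NULL initialisation, so any path that tests or dereferences the pointer before its first assignment would now read an indeterminate value. The assignment sites are outside this hunk, so that cannot be confirmed from here. Declaring it as `struct _raid_device *raid_device = NULL;` keeps the old starting value. The same declaration is changed in `_scsih_get_state`, `_scsih_sas_ir_operation_status_event` and `_scsih_scan_for_devices_after_reset`.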
54863@@ -1561,7 +1561,7 @@ _scsih_get_state(struct device *dev)
54864 {
54865 struct scsi_device *sdev = to_scsi_device(dev);
54866 struct MPT2SAS_ADAPTER *ioc = shost_priv(sdev->host);
54867- static struct _raid_device *raid_device;
54868+ struct _raid_device *raid_device;
54869 unsigned long flags;
54870 Mpi2RaidVolPage0_t vol_pg0;
54871 Mpi2ConfigReply_t mpi_reply;
54872@@ -6641,7 +6641,7 @@ _scsih_sas_ir_operation_status_event(struct MPT2SAS_ADAPTER *ioc,
54873 Mpi2EventDataIrOperationStatus_t *event_data =
54874 (Mpi2EventDataIrOperationStatus_t *)
54875 fw_event->event_data;
54876- static struct _raid_device *raid_device;
54877+ struct _raid_device *raid_device;
54878 unsigned long flags;
54879 u16 handle;
54880
54881@@ -7112,7 +7112,7 @@ _scsih_scan_for_devices_after_reset(struct MPT2SAS_ADAPTER *ioc)
54882 u64 sas_address;
54883 struct _sas_device *sas_device;
54884 struct _sas_node *expander_device;
54885- static struct _raid_device *raid_device;
54886+ struct _raid_device *raid_device;
54887 u8 retry_count;
54888 unsigned long flags;
54889
54890diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c
54891index ed31d8c..ab856b3 100644
54892--- a/drivers/scsi/pmcraid.c
54893+++ b/drivers/scsi/pmcraid.c
54894@@ -200,8 +200,8 @@ static int pmcraid_slave_alloc(struct scsi_device *scsi_dev)
54895 res->scsi_dev = scsi_dev;
54896 scsi_dev->hostdata = res;
54897 res->change_detected = 0;
54898- atomic_set(&res->read_failures, 0);
54899- atomic_set(&res->write_failures, 0);
54900+ atomic_set_unchecked(&res->read_failures, 0);
54901+ atomic_set_unchecked(&res->write_failures, 0);
54902 rc = 0;
54903 }
54904 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
54905@@ -2640,9 +2640,9 @@ static int pmcraid_error_handler(struct pmcraid_cmd *cmd)
54906
54907 /* If this was a SCSI read/write command keep count of errors */
54908 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
54909- atomic_inc(&res->read_failures);
54910+ atomic_inc_unchecked(&res->read_failures);
54911 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
54912- atomic_inc(&res->write_failures);
54913+ atomic_inc_unchecked(&res->write_failures);
54914
54915 if (!RES_IS_GSCSI(res->cfg_entry) &&
54916 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
54917@@ -3468,7 +3468,7 @@ static int pmcraid_queuecommand_lck(
54918 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
54919 * hrrq_id assigned here in queuecommand
54920 */
54921- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
54922+ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
54923 pinstance->num_hrrq;
54924 cmd->cmd_done = pmcraid_io_done;
54925
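Review bot: `atomic_add_return_unchecked()` lets `last_message_id` wrap, and if its signed result is not converted to an unsigned type by `pinstance->num_hrrq` (declared outside this hunk), the `%` yields a negative remainder once the counter passes INT_MAX. That remainder would then be stored in `ioarcb->hrrq_id`. Making the left operand unsigned removes the dependency on the divisor's type: `ioarcb->hrrq_id = (u32)atomic_add_return_unchecked(1, &(pinstance->last_message_id)) % pinstance->num_hrrq;`. The identical expression in the `pmcraid_ioctl_passthrough` hunk needs the same treatment.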
54926@@ -3782,7 +3782,7 @@ static long pmcraid_ioctl_passthrough(
54927 * block of scsi_cmd which is re-used (e.g. cancel/abort), which uses
54928 * hrrq_id assigned here in queuecommand
54929 */
54930- ioarcb->hrrq_id = atomic_add_return(1, &(pinstance->last_message_id)) %
54931+ ioarcb->hrrq_id = atomic_add_return_unchecked(1, &(pinstance->last_message_id)) %
54932 pinstance->num_hrrq;
54933
54934 if (request_size) {
54935@@ -4420,7 +4420,7 @@ static void pmcraid_worker_function(struct work_struct *workp)
54936
54937 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
54938 /* add resources only after host is added into system */
54939- if (!atomic_read(&pinstance->expose_resources))
54940+ if (!atomic_read_unchecked(&pinstance->expose_resources))
54941 return;
54942
54943 fw_version = be16_to_cpu(pinstance->inq_data->fw_version);
54944@@ -5237,8 +5237,8 @@ static int pmcraid_init_instance(struct pci_dev *pdev, struct Scsi_Host *host,
54945 init_waitqueue_head(&pinstance->reset_wait_q);
54946
54947 atomic_set(&pinstance->outstanding_cmds, 0);
54948- atomic_set(&pinstance->last_message_id, 0);
54949- atomic_set(&pinstance->expose_resources, 0);
54950+ atomic_set_unchecked(&pinstance->last_message_id, 0);
54951+ atomic_set_unchecked(&pinstance->expose_resources, 0);
54952
54953 INIT_LIST_HEAD(&pinstance->free_res_q);
54954 INIT_LIST_HEAD(&pinstance->used_res_q);
54955@@ -5951,7 +5951,7 @@ static int pmcraid_probe(struct pci_dev *pdev,
54956 /* Schedule worker thread to handle CCN and take care of adding and
54957 * removing devices to OS
54958 */
54959- atomic_set(&pinstance->expose_resources, 1);
54960+ atomic_set_unchecked(&pinstance->expose_resources, 1);
54961 schedule_work(&pinstance->worker_q);
54962 return rc;
54963
54964diff --git a/drivers/scsi/pmcraid.h b/drivers/scsi/pmcraid.h
54965index e1d150f..6c6df44 100644
54966--- a/drivers/scsi/pmcraid.h
54967+++ b/drivers/scsi/pmcraid.h
54968@@ -748,7 +748,7 @@ struct pmcraid_instance {
54969 struct pmcraid_isr_param hrrq_vector[PMCRAID_NUM_MSIX_VECTORS];
54970
54971 /* Message id as filled in last fired IOARCB, used to identify HRRQ */
54972- atomic_t last_message_id;
54973+ atomic_unchecked_t last_message_id;
54974
54975 /* configuration table */
54976 struct pmcraid_config_table *cfg_table;
54977@@ -777,7 +777,7 @@ struct pmcraid_instance {
54978 atomic_t outstanding_cmds;
54979
54980 /* should add/delete resources to mid-layer now ?*/
54981- atomic_t expose_resources;
54982+ atomic_unchecked_t expose_resources;
54983
54984
54985
54986@@ -813,8 +813,8 @@ struct pmcraid_resource_entry {
54987 struct pmcraid_config_table_entry_ext cfg_entry_ext;
54988 };
54989 struct scsi_device *scsi_dev; /* Link scsi_device structure */
54990- atomic_t read_failures; /* count of failed READ commands */
54991- atomic_t write_failures; /* count of failed WRITE commands */
54992+ atomic_unchecked_t read_failures; /* count of failed READ commands */
54993+ atomic_unchecked_t write_failures; /* count of failed WRITE commands */
54994
54995 /* To indicate add/delete/modify during CCN */
54996 u8 change_detected;
54997diff --git a/drivers/scsi/qla2xxx/qla_attr.c b/drivers/scsi/qla2xxx/qla_attr.c
54998index 437254e..a66eb82 100644
54999--- a/drivers/scsi/qla2xxx/qla_attr.c
55000+++ b/drivers/scsi/qla2xxx/qla_attr.c
55001@@ -2192,7 +2192,7 @@ qla24xx_vport_disable(struct fc_vport *fc_vport, bool disable)
55002 return 0;
55003 }
55004
55005-struct fc_function_template qla2xxx_transport_functions = {
55006+fc_function_template_no_const qla2xxx_transport_functions = {
55007
55008 .show_host_node_name = 1,
55009 .show_host_port_name = 1,
55010@@ -2240,7 +2240,7 @@ struct fc_function_template qla2xxx_transport_functions = {
55011 .bsg_timeout = qla24xx_bsg_timeout,
55012 };
55013
55014-struct fc_function_template qla2xxx_transport_vport_functions = {
55015+fc_function_template_no_const qla2xxx_transport_vport_functions = {
55016
55017 .show_host_node_name = 1,
55018 .show_host_port_name = 1,
55019diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h
55020index 7686bfe..4710893 100644
55021--- a/drivers/scsi/qla2xxx/qla_gbl.h
55022+++ b/drivers/scsi/qla2xxx/qla_gbl.h
55023@@ -571,8 +571,8 @@ extern void qla2x00_get_sym_node_name(scsi_qla_host_t *, uint8_t *, size_t);
55024 struct device_attribute;
55025 extern struct device_attribute *qla2x00_host_attrs[];
55026 struct fc_function_template;
55027-extern struct fc_function_template qla2xxx_transport_functions;
55028-extern struct fc_function_template qla2xxx_transport_vport_functions;
55029+extern fc_function_template_no_const qla2xxx_transport_functions;
55030+extern fc_function_template_no_const qla2xxx_transport_vport_functions;
55031 extern void qla2x00_alloc_sysfs_attr(scsi_qla_host_t *);
55032 extern void qla2x00_free_sysfs_attr(scsi_qla_host_t *, bool);
55033 extern void qla2x00_init_host_attr(scsi_qla_host_t *);
55034diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c
55035index 8a5cac8..4eba6ab 100644
55036--- a/drivers/scsi/qla2xxx/qla_os.c
55037+++ b/drivers/scsi/qla2xxx/qla_os.c
55038@@ -1435,8 +1435,10 @@ qla2x00_config_dma_addressing(struct qla_hw_data *ha)
55039 !pci_set_consistent_dma_mask(ha->pdev, DMA_BIT_MASK(64))) {
55040 /* Ok, a 64bit DMA mask is applicable. */
55041 ha->flags.enable_64bit_addressing = 1;
55042- ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64;
55043- ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64;
55044+ pax_open_kernel();
55045+ *(void **)&ha->isp_ops->calc_req_entries = qla2x00_calc_iocbs_64;
55046+ *(void **)&ha->isp_ops->build_iocbs = qla2x00_build_scsi_iocbs_64;
55047+ pax_close_kernel();
55048 return;
55049 }
55050 }
55051diff --git a/drivers/scsi/qla4xxx/ql4_def.h b/drivers/scsi/qla4xxx/ql4_def.h
55052index a7cfc27..151f483 100644
55053--- a/drivers/scsi/qla4xxx/ql4_def.h
55054+++ b/drivers/scsi/qla4xxx/ql4_def.h
55055@@ -306,7 +306,7 @@ struct ddb_entry {
55056 * (4000 only) */
55057 atomic_t relogin_timer; /* Max Time to wait for
55058 * relogin to complete */
55059- atomic_t relogin_retry_count; /* Num of times relogin has been
55060+ atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
55061 * retried */
55062 uint32_t default_time2wait; /* Default Min time between
55063 * relogins (+aens) */
55064diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c
55065index 6d25879..3031a9f 100644
55066--- a/drivers/scsi/qla4xxx/ql4_os.c
55067+++ b/drivers/scsi/qla4xxx/ql4_os.c
55068@@ -4491,12 +4491,12 @@ static void qla4xxx_check_relogin_flash_ddb(struct iscsi_cls_session *cls_sess)
55069 */
55070 if (!iscsi_is_session_online(cls_sess)) {
55071 /* Reset retry relogin timer */
55072- atomic_inc(&ddb_entry->relogin_retry_count);
55073+ atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
55074 DEBUG2(ql4_printk(KERN_INFO, ha,
55075 "%s: index[%d] relogin timed out-retrying"
55076 " relogin (%d), retry (%d)\n", __func__,
55077 ddb_entry->fw_ddb_index,
55078- atomic_read(&ddb_entry->relogin_retry_count),
55079+ atomic_read_unchecked(&ddb_entry->relogin_retry_count),
55080 ddb_entry->default_time2wait + 4));
55081 set_bit(DPC_RELOGIN_DEVICE, &ha->dpc_flags);
55082 atomic_set(&ddb_entry->retry_relogin_timer,
55083@@ -6604,7 +6604,7 @@ static void qla4xxx_setup_flash_ddb_entry(struct scsi_qla_host *ha,
55084
55085 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
55086 atomic_set(&ddb_entry->relogin_timer, 0);
55087- atomic_set(&ddb_entry->relogin_retry_count, 0);
55088+ atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
55089 def_timeout = le16_to_cpu(ddb_entry->fw_ddb_entry.def_timeout);
55090 ddb_entry->default_relogin_timeout =
55091 (def_timeout > LOGIN_TOV) && (def_timeout < LOGIN_TOV * 10) ?
55092diff --git a/drivers/scsi/scsi.c b/drivers/scsi/scsi.c
55093index 207d6a7..bf155b5 100644
55094--- a/drivers/scsi/scsi.c
55095+++ b/drivers/scsi/scsi.c
55096@@ -591,7 +591,7 @@ void scsi_finish_command(struct scsi_cmnd *cmd)
55097
55098 good_bytes = scsi_bufflen(cmd);
55099 if (cmd->request->cmd_type != REQ_TYPE_BLOCK_PC) {
55100- int old_good_bytes = good_bytes;
55101+ unsigned int old_good_bytes = good_bytes;
55102 drv = scsi_cmd_to_driver(cmd);
55103 if (drv->done)
55104 good_bytes = drv->done(cmd);
55105diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
55106index 448ebda..9bd345f 100644
55107--- a/drivers/scsi/scsi_lib.c
55108+++ b/drivers/scsi/scsi_lib.c
55109@@ -1597,7 +1597,7 @@ static void scsi_kill_request(struct request *req, struct request_queue *q)
55110 shost = sdev->host;
55111 scsi_init_cmd_errh(cmd);
55112 cmd->result = DID_NO_CONNECT << 16;
55113- atomic_inc(&cmd->device->iorequest_cnt);
55114+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
55115
55116 /*
55117 * SCSI request completion path will do scsi_device_unbusy(),
55118@@ -1620,9 +1620,9 @@ static void scsi_softirq_done(struct request *rq)
55119
55120 INIT_LIST_HEAD(&cmd->eh_entry);
55121
55122- atomic_inc(&cmd->device->iodone_cnt);
55123+ atomic_inc_unchecked(&cmd->device->iodone_cnt);
55124 if (cmd->result)
55125- atomic_inc(&cmd->device->ioerr_cnt);
55126+ atomic_inc_unchecked(&cmd->device->ioerr_cnt);
55127
55128 disposition = scsi_decide_disposition(cmd);
55129 if (disposition != SUCCESS &&
55130@@ -1663,7 +1663,7 @@ static int scsi_dispatch_cmd(struct scsi_cmnd *cmd)
55131 struct Scsi_Host *host = cmd->device->host;
55132 int rtn = 0;
55133
55134- atomic_inc(&cmd->device->iorequest_cnt);
55135+ atomic_inc_unchecked(&cmd->device->iorequest_cnt);
55136
55137 /* check if the device is still usable */
55138 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
55139diff --git a/drivers/scsi/scsi_sysfs.c b/drivers/scsi/scsi_sysfs.c
55140index 9ad4116..4e736fc 100644
55141--- a/drivers/scsi/scsi_sysfs.c
55142+++ b/drivers/scsi/scsi_sysfs.c
55143@@ -788,7 +788,7 @@ show_iostat_##field(struct device *dev, struct device_attribute *attr, \
55144 char *buf) \
55145 { \
55146 struct scsi_device *sdev = to_scsi_device(dev); \
55147- unsigned long long count = atomic_read(&sdev->field); \
55148+ unsigned long long count = atomic_read_unchecked(&sdev->field); \
55149 return snprintf(buf, 20, "0x%llx\n", count); \
55150 } \
55151 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
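Review bot: Assigning `atomic_read_unchecked(&sdev->field)` straight to `unsigned long long` sign-extends the value if the helper returns `int` as `atomic_read()` does. Once one of these now wrap-permitted counters passes INT_MAX, the sysfs attribute would then print with the upper 32 bits set. Converting through the counter's own width first avoids that: `unsigned long long count = (unsigned int)atomic_read_unchecked(&sdev->field); \`. The macro this line belongs to begins outside the hunk.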
55152diff --git a/drivers/scsi/scsi_transport_fc.c b/drivers/scsi/scsi_transport_fc.c
55153index 24eaaf6..de30ec9 100644
55154--- a/drivers/scsi/scsi_transport_fc.c
55155+++ b/drivers/scsi/scsi_transport_fc.c
55156@@ -502,7 +502,7 @@ static DECLARE_TRANSPORT_CLASS(fc_vport_class,
55157 * Netlink Infrastructure
55158 */
55159
55160-static atomic_t fc_event_seq;
55161+static atomic_unchecked_t fc_event_seq;
55162
55163 /**
55164 * fc_get_event_number - Obtain the next sequential FC event number
55165@@ -515,7 +515,7 @@ static atomic_t fc_event_seq;
55166 u32
55167 fc_get_event_number(void)
55168 {
55169- return atomic_add_return(1, &fc_event_seq);
55170+ return atomic_add_return_unchecked(1, &fc_event_seq);
55171 }
55172 EXPORT_SYMBOL(fc_get_event_number);
55173
55174@@ -659,7 +659,7 @@ static __init int fc_transport_init(void)
55175 {
55176 int error;
55177
55178- atomic_set(&fc_event_seq, 0);
55179+ atomic_set_unchecked(&fc_event_seq, 0);
55180
55181 error = transport_class_register(&fc_host_class);
55182 if (error)
55183@@ -849,7 +849,7 @@ static int fc_str_to_dev_loss(const char *buf, unsigned long *val)
55184 char *cp;
55185
55186 *val = simple_strtoul(buf, &cp, 0);
55187- if ((*cp && (*cp != '\n')) || (*val < 0))
55188+ if (*cp && (*cp != '\n'))
55189 return -EINVAL;
55190 /*
55191 * Check for overflow; dev_loss_tmo is u32
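Review bot: With the dead `*val < 0` test removed, the remaining check still accepts input that has no digits at all. `simple_strtoul()` then leaves `cp` at `buf`, where `*cp` is either NUL or a newline, so an empty write is taken as 0. `kstrtoul()` rejects that case, reports range errors and tolerates a single trailing newline, so the call and the `*cp` test could become `if (kstrtoul(buf, 0, val)) return -EINVAL;`. The function's overflow check continues outside the hunk.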
55192diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
55193index 55647aa..b647d05 100644
55194--- a/drivers/scsi/scsi_transport_iscsi.c
55195+++ b/drivers/scsi/scsi_transport_iscsi.c
55196@@ -79,7 +79,7 @@ struct iscsi_internal {
55197 struct transport_container session_cont;
55198 };
55199
55200-static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
55201+static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
55202 static struct workqueue_struct *iscsi_eh_timer_workq;
55203
55204 static DEFINE_IDA(iscsi_sess_ida);
55205@@ -2073,7 +2073,7 @@ int iscsi_add_session(struct iscsi_cls_session *session, unsigned int target_id)
55206 int err;
55207
55208 ihost = shost->shost_data;
55209- session->sid = atomic_add_return(1, &iscsi_session_nr);
55210+ session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
55211
55212 if (target_id == ISCSI_MAX_TARGET) {
55213 id = ida_simple_get(&iscsi_sess_ida, 0, 0, GFP_KERNEL);
55214@@ -4517,7 +4517,7 @@ static __init int iscsi_transport_init(void)
55215 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
55216 ISCSI_TRANSPORT_VERSION);
55217
55218- atomic_set(&iscsi_session_nr, 0);
55219+ atomic_set_unchecked(&iscsi_session_nr, 0);
55220
55221 err = class_register(&iscsi_transport_class);
55222 if (err)
55223diff --git a/drivers/scsi/scsi_transport_srp.c b/drivers/scsi/scsi_transport_srp.c
55224index e3cd3ec..00560ec 100644
55225--- a/drivers/scsi/scsi_transport_srp.c
55226+++ b/drivers/scsi/scsi_transport_srp.c
55227@@ -35,7 +35,7 @@
55228 #include "scsi_priv.h"
55229
55230 struct srp_host_attrs {
55231- atomic_t next_port_id;
55232+ atomic_unchecked_t next_port_id;
55233 };
55234 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
55235
55236@@ -105,7 +105,7 @@ static int srp_host_setup(struct transport_container *tc, struct device *dev,
55237 struct Scsi_Host *shost = dev_to_shost(dev);
55238 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
55239
55240- atomic_set(&srp_host->next_port_id, 0);
55241+ atomic_set_unchecked(&srp_host->next_port_id, 0);
55242 return 0;
55243 }
55244
55245@@ -752,7 +752,7 @@ struct srp_rport *srp_rport_add(struct Scsi_Host *shost,
55246 rport_fast_io_fail_timedout);
55247 INIT_DELAYED_WORK(&rport->dev_loss_work, rport_dev_loss_timedout);
55248
55249- id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
55250+ id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
55251 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
55252
55253 transport_setup_device(&rport->dev);
55254diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
55255index a20da8c..7f47bac 100644
55256--- a/drivers/scsi/sd.c
55257+++ b/drivers/scsi/sd.c
55258@@ -111,7 +111,7 @@ static int sd_resume(struct device *);
55259 static void sd_rescan(struct device *);
55260 static int sd_init_command(struct scsi_cmnd *SCpnt);
55261 static void sd_uninit_command(struct scsi_cmnd *SCpnt);
55262-static int sd_done(struct scsi_cmnd *);
55263+static unsigned int sd_done(struct scsi_cmnd *);
55264 static int sd_eh_action(struct scsi_cmnd *, int);
55265 static void sd_read_capacity(struct scsi_disk *sdkp, unsigned char *buffer);
55266 static void scsi_disk_release(struct device *cdev);
55267@@ -1646,7 +1646,7 @@ static unsigned int sd_completed_bytes(struct scsi_cmnd *scmd)
55268 *
55269 * Note: potentially run from within an ISR. Must not block.
55270 **/
55271-static int sd_done(struct scsi_cmnd *SCpnt)
55272+static unsigned int sd_done(struct scsi_cmnd *SCpnt)
55273 {
55274 int result = SCpnt->result;
55275 unsigned int good_bytes = result ? 0 : scsi_bufflen(SCpnt);
55276@@ -2973,7 +2973,7 @@ static int sd_probe(struct device *dev)
55277 sdkp->disk = gd;
55278 sdkp->index = index;
55279 atomic_set(&sdkp->openers, 0);
55280- atomic_set(&sdkp->device->ioerr_cnt, 0);
55281+ atomic_set_unchecked(&sdkp->device->ioerr_cnt, 0);
55282
55283 if (!sdp->request_queue->rq_timeout) {
55284 if (sdp->type != TYPE_MOD)
55285diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
55286index 9d7b7db..33ecc51 100644
55287--- a/drivers/scsi/sg.c
55288+++ b/drivers/scsi/sg.c
55289@@ -1083,7 +1083,7 @@ sg_ioctl(struct file *filp, unsigned int cmd_in, unsigned long arg)
55290 sdp->disk->disk_name,
55291 MKDEV(SCSI_GENERIC_MAJOR, sdp->index),
55292 NULL,
55293- (char *)arg);
55294+ (char __user *)arg);
55295 case BLKTRACESTART:
55296 return blk_trace_startstop(sdp->device->request_queue, 1);
55297 case BLKTRACESTOP:
55298diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
55299index 8bd54a6..58fa0d6 100644
55300--- a/drivers/scsi/sr.c
55301+++ b/drivers/scsi/sr.c
55302@@ -80,7 +80,7 @@ static DEFINE_MUTEX(sr_mutex);
55303 static int sr_probe(struct device *);
55304 static int sr_remove(struct device *);
55305 static int sr_init_command(struct scsi_cmnd *SCpnt);
55306-static int sr_done(struct scsi_cmnd *);
55307+static unsigned int sr_done(struct scsi_cmnd *);
55308 static int sr_runtime_suspend(struct device *dev);
55309
55310 static struct dev_pm_ops sr_pm_ops = {
55311@@ -312,13 +312,13 @@ do_tur:
55312 * It will be notified on the end of a SCSI read / write, and will take one
55313 * of several actions based on success or failure.
55314 */
55315-static int sr_done(struct scsi_cmnd *SCpnt)
55316+static unsigned int sr_done(struct scsi_cmnd *SCpnt)
55317 {
55318 int result = SCpnt->result;
55319- int this_count = scsi_bufflen(SCpnt);
55320- int good_bytes = (result == 0 ? this_count : 0);
55321- int block_sectors = 0;
55322- long error_sector;
55323+ unsigned int this_count = scsi_bufflen(SCpnt);
55324+ unsigned int good_bytes = (result == 0 ? this_count : 0);
55325+ unsigned int block_sectors = 0;
55326+ sector_t error_sector;
55327 struct scsi_cd *cd = scsi_cd(SCpnt->request->rq_disk);
55328
55329 #ifdef DEBUG
55330@@ -351,9 +351,12 @@ static int sr_done(struct scsi_cmnd *SCpnt)
55331 if (cd->device->sector_size == 2048)
55332 error_sector <<= 2;
55333 error_sector &= ~(block_sectors - 1);
55334- good_bytes = (error_sector -
55335- blk_rq_pos(SCpnt->request)) << 9;
55336- if (good_bytes < 0 || good_bytes >= this_count)
55337+ if (error_sector >= blk_rq_pos(SCpnt->request)) {
55338+ good_bytes = (error_sector -
55339+ blk_rq_pos(SCpnt->request)) << 9;
55340+ if (good_bytes >= this_count)
55341+ good_bytes = 0;
55342+ } else
55343 good_bytes = 0;
55344 /*
55345 * The SCSI specification allows for the value
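Review bot: `error_sector &= ~(block_sectors - 1);` now builds its mask from an `unsigned int` (see the declaration change in the previous hunk), so where `sector_t` is 64 bits wide the mask zero-extends and clears bits 32 and up of `error_sector`. The `<<= 2` just above may set those bits, depending on how `error_sector` is filled in above the hunk; with the old `int`/`long` pair the mask sign-extended instead. Writing the mask as `~(sector_t)(block_sectors - 1)` keeps the high bits. The new `good_bytes = (...) << 9` also narrows a `sector_t` value to `unsigned int` before the `>= this_count` test, so a large difference can wrap into range; comparing in `sector_t` first avoids that: `sector_t off = (error_sector - blk_rq_pos(SCpnt->request)) << 9; good_bytes = off < this_count ? off : 0;`. sr_done starts and continues outside this hunk.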
55346diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c
55347index c0d660f..24a5854 100644
55348--- a/drivers/soc/tegra/fuse/fuse-tegra.c
55349+++ b/drivers/soc/tegra/fuse/fuse-tegra.c
55350@@ -71,7 +71,7 @@ static ssize_t fuse_read(struct file *fd, struct kobject *kobj,
55351 return i;
55352 }
55353
55354-static struct bin_attribute fuse_bin_attr = {
55355+static bin_attribute_no_const fuse_bin_attr = {
55356 .attr = { .name = "fuse", .mode = S_IRUGO, },
55357 .read = fuse_read,
55358 };
55359diff --git a/drivers/spi/spi.c b/drivers/spi/spi.c
55360index 9ce2f15..1ff9b36 100644
55361--- a/drivers/spi/spi.c
55362+++ b/drivers/spi/spi.c
55363@@ -2215,7 +2215,7 @@ int spi_bus_unlock(struct spi_master *master)
55364 EXPORT_SYMBOL_GPL(spi_bus_unlock);
55365
55366 /* portable code must never pass more than 32 bytes */
55367-#define SPI_BUFSIZ max(32, SMP_CACHE_BYTES)
55368+#define SPI_BUFSIZ max(32UL, SMP_CACHE_BYTES)
55369
55370 static u8 *buf;
55371
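Review bot: `max(32UL, SMP_CACHE_BYTES)` ties the macro to whatever type `SMP_CACHE_BYTES` has on a given architecture. The kernel's `max()` checks that both operands have the same type, so this form only builds cleanly where that constant is `unsigned long`. `#define SPI_BUFSIZ max_t(size_t, 32, SMP_CACHE_BYTES)` states the intended type once and does not depend on the constant's definition, which is not visible in this hunk.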
55372diff --git a/drivers/staging/android/timed_output.c b/drivers/staging/android/timed_output.c
55373index b41429f..2de5373 100644
55374--- a/drivers/staging/android/timed_output.c
55375+++ b/drivers/staging/android/timed_output.c
55376@@ -25,7 +25,7 @@
55377 #include "timed_output.h"
55378
55379 static struct class *timed_output_class;
55380-static atomic_t device_count;
55381+static atomic_unchecked_t device_count;
55382
55383 static ssize_t enable_show(struct device *dev, struct device_attribute *attr,
55384 char *buf)
55385@@ -65,7 +65,7 @@ static int create_timed_output_class(void)
55386 timed_output_class = class_create(THIS_MODULE, "timed_output");
55387 if (IS_ERR(timed_output_class))
55388 return PTR_ERR(timed_output_class);
55389- atomic_set(&device_count, 0);
55390+ atomic_set_unchecked(&device_count, 0);
55391 timed_output_class->dev_groups = timed_output_groups;
55392 }
55393
55394@@ -83,7 +83,7 @@ int timed_output_dev_register(struct timed_output_dev *tdev)
55395 if (ret < 0)
55396 return ret;
55397
55398- tdev->index = atomic_inc_return(&device_count);
55399+ tdev->index = atomic_inc_return_unchecked(&device_count);
55400 tdev->dev = device_create(timed_output_class, NULL,
55401 MKDEV(0, tdev->index), NULL, "%s", tdev->name);
55402 if (IS_ERR(tdev->dev))
55403diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c
55404index 985d94b..49c59fb 100644
55405--- a/drivers/staging/comedi/comedi_fops.c
55406+++ b/drivers/staging/comedi/comedi_fops.c
55407@@ -314,8 +314,8 @@ static void comedi_file_reset(struct file *file)
55408 }
55409 cfp->last_attached = dev->attached;
55410 cfp->last_detach_count = dev->detach_count;
55411- ACCESS_ONCE(cfp->read_subdev) = read_s;
55412- ACCESS_ONCE(cfp->write_subdev) = write_s;
55413+ ACCESS_ONCE_RW(cfp->read_subdev) = read_s;
55414+ ACCESS_ONCE_RW(cfp->write_subdev) = write_s;
55415 }
55416
55417 static void comedi_file_check(struct file *file)
55418@@ -1983,7 +1983,7 @@ static int do_setrsubd_ioctl(struct comedi_device *dev, unsigned long arg,
55419 !(s_old->async->cmd.flags & CMDF_WRITE))
55420 return -EBUSY;
55421
55422- ACCESS_ONCE(cfp->read_subdev) = s_new;
55423+ ACCESS_ONCE_RW(cfp->read_subdev) = s_new;
55424 return 0;
55425 }
55426
55427@@ -2025,7 +2025,7 @@ static int do_setwsubd_ioctl(struct comedi_device *dev, unsigned long arg,
55428 (s_old->async->cmd.flags & CMDF_WRITE))
55429 return -EBUSY;
55430
55431- ACCESS_ONCE(cfp->write_subdev) = s_new;
55432+ ACCESS_ONCE_RW(cfp->write_subdev) = s_new;
55433 return 0;
55434 }
55435
55436diff --git a/drivers/staging/dgnc/dgnc_mgmt.c b/drivers/staging/dgnc/dgnc_mgmt.c
55437index b13318a..883e2a8 100644
55438--- a/drivers/staging/dgnc/dgnc_mgmt.c
55439+++ b/drivers/staging/dgnc/dgnc_mgmt.c
55440@@ -115,6 +115,7 @@ long dgnc_mgmt_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
55441
55442 spin_lock_irqsave(&dgnc_global_lock, flags);
55443
55444+ memset(&ddi, 0, sizeof(ddi));
55445 ddi.dinfo_nboards = dgnc_NumBoards;
55446 sprintf(ddi.dinfo_version, "%s", DG_PART);
55447
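Review bot: The added `memset(&ddi, 0, sizeof(ddi));` has no comment saying why it is needed, and the reason is security-relevant. Presumably `ddi` is copied out to the caller further down (outside this hunk), so the zeroing keeps padding and unset fields from carrying stale kernel stack data. A one-line comment such as `/* clear padding and unset fields before ddi is copied out */` would keep a later cleanup from removing it. If `ddi` is a local, the memset can also move above `spin_lock_irqsave()` so it does not run with interrupts disabled. The `sprintf()` that follows is unbounded; `snprintf(ddi.dinfo_version, sizeof(ddi.dinfo_version), "%s", DG_PART);` bounds the write to the field.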
55448diff --git a/drivers/staging/fbtft/fbtft-core.c b/drivers/staging/fbtft/fbtft-core.c
55449index 9cc8141..ffd5039 100644
55450--- a/drivers/staging/fbtft/fbtft-core.c
55451+++ b/drivers/staging/fbtft/fbtft-core.c
55452@@ -681,7 +681,7 @@ struct fb_info *fbtft_framebuffer_alloc(struct fbtft_display *display,
55453 {
55454 struct fb_info *info;
55455 struct fbtft_par *par;
55456- struct fb_ops *fbops = NULL;
55457+ fb_ops_no_const *fbops = NULL;
55458 struct fb_deferred_io *fbdefio = NULL;
55459 struct fbtft_platform_data *pdata = dev->platform_data;
55460 u8 *vmem = NULL;
55461diff --git a/drivers/staging/fbtft/fbtft.h b/drivers/staging/fbtft/fbtft.h
55462index 7d817eb..d22e49e 100644
55463--- a/drivers/staging/fbtft/fbtft.h
55464+++ b/drivers/staging/fbtft/fbtft.h
55465@@ -106,7 +106,7 @@ struct fbtft_ops {
55466
55467 int (*set_var)(struct fbtft_par *par);
55468 int (*set_gamma)(struct fbtft_par *par, unsigned long *curves);
55469-};
55470+} __no_const;
55471
55472 /**
55473 * struct fbtft_display - Describes the display properties
55474diff --git a/drivers/staging/gdm724x/gdm_tty.c b/drivers/staging/gdm724x/gdm_tty.c
55475index 001348c..cfaac8a 100644
55476--- a/drivers/staging/gdm724x/gdm_tty.c
55477+++ b/drivers/staging/gdm724x/gdm_tty.c
55478@@ -44,7 +44,7 @@
55479 #define gdm_tty_send_control(n, r, v, d, l) (\
55480 n->tty_dev->send_control(n->tty_dev->priv_dev, r, v, d, l))
55481
55482-#define GDM_TTY_READY(gdm) (gdm && gdm->tty_dev && gdm->port.count)
55483+#define GDM_TTY_READY(gdm) (gdm && gdm->tty_dev && atomic_read(&gdm->port.count))
55484
55485 static struct tty_driver *gdm_driver[TTY_MAX_COUNT];
55486 static struct gdm *gdm_table[TTY_MAX_COUNT][GDM_TTY_MINOR];
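Review bot: The rewritten `GDM_TTY_READY` still uses its argument unparenthesised and three times, so an argument with side effects or a lower-precedence operator expands wrongly. Since the line is being touched anyway, `#define GDM_TTY_READY(gdm) ((gdm) && (gdm)->tty_dev && atomic_read(&(gdm)->port.count))` is the safer spelling. A `static inline` helper would also evaluate the argument only once.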
55487diff --git a/drivers/staging/iio/accel/lis3l02dq_ring.c b/drivers/staging/iio/accel/lis3l02dq_ring.c
55488index b892f2c..9b4898a 100644
55489--- a/drivers/staging/iio/accel/lis3l02dq_ring.c
55490+++ b/drivers/staging/iio/accel/lis3l02dq_ring.c
55491@@ -118,7 +118,7 @@ static int lis3l02dq_get_buffer_element(struct iio_dev *indio_dev,
55492 int scan_count = bitmap_weight(indio_dev->active_scan_mask,
55493 indio_dev->masklength);
55494
55495- rx_array = kcalloc(4, scan_count, GFP_KERNEL);
55496+ rx_array = kcalloc(scan_count, 4, GFP_KERNEL);
55497 if (!rx_array)
55498 return -ENOMEM;
55499 ret = lis3l02dq_read_all(indio_dev, rx_array);
55500diff --git a/drivers/staging/iio/adc/ad7280a.c b/drivers/staging/iio/adc/ad7280a.c
55501index d98e229..9c59bc2 100644
55502--- a/drivers/staging/iio/adc/ad7280a.c
55503+++ b/drivers/staging/iio/adc/ad7280a.c
55504@@ -547,8 +547,8 @@ static int ad7280_attr_init(struct ad7280_state *st)
55505 {
55506 int dev, ch, cnt;
55507
55508- st->iio_attr = kcalloc(2, sizeof(*st->iio_attr) *
55509- (st->slave_num + 1) * AD7280A_CELLS_PER_DEV,
55510+ st->iio_attr = kcalloc(sizeof(*st->iio_attr) *
55511+ (st->slave_num + 1) * AD7280A_CELLS_PER_DEV, 2,
55512 GFP_KERNEL);
55513 if (st->iio_attr == NULL)
55514 return -ENOMEM;
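Review bot: Swapping the arguments leaves the product `sizeof(*st->iio_attr) * (st->slave_num + 1) * AD7280A_CELLS_PER_DEV` open-coded inside one argument, so kcalloc's own overflow check only covers the final multiplication by 2. Passing the element size on its own lets the helper check more of the arithmetic: `st->iio_attr = kcalloc(2 * (st->slave_num + 1) * AD7280A_CELLS_PER_DEV, sizeof(*st->iio_attr), GFP_KERNEL);`. Whether `slave_num` is bounded before this point is not visible here; ad7280_attr_init continues outside the hunk.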
55515diff --git a/drivers/staging/lustre/lnet/selftest/brw_test.c b/drivers/staging/lustre/lnet/selftest/brw_test.c
55516index de11f1b..f7181cf 100644
55517--- a/drivers/staging/lustre/lnet/selftest/brw_test.c
55518+++ b/drivers/staging/lustre/lnet/selftest/brw_test.c
55519@@ -487,13 +487,11 @@ brw_server_handle(struct srpc_server_rpc *rpc)
55520 return 0;
55521 }
55522
55523-sfw_test_client_ops_t brw_test_client;
55524-void brw_init_test_client(void)
55525-{
55526- brw_test_client.tso_init = brw_client_init;
55527- brw_test_client.tso_fini = brw_client_fini;
55528- brw_test_client.tso_prep_rpc = brw_client_prep_rpc;
55529- brw_test_client.tso_done_rpc = brw_client_done_rpc;
55530+sfw_test_client_ops_t brw_test_client = {
55531+ .tso_init = brw_client_init,
55532+ .tso_fini = brw_client_fini,
55533+ .tso_prep_rpc = brw_client_prep_rpc,
55534+ .tso_done_rpc = brw_client_done_rpc,
55535 };
55536
55537 srpc_service_t brw_test_service;
55538diff --git a/drivers/staging/lustre/lnet/selftest/framework.c b/drivers/staging/lustre/lnet/selftest/framework.c
55539index 7c5185a..51c2ae7 100644
55540--- a/drivers/staging/lustre/lnet/selftest/framework.c
55541+++ b/drivers/staging/lustre/lnet/selftest/framework.c
55542@@ -1628,12 +1628,10 @@ static srpc_service_t sfw_services[] = {
55543
55544 extern sfw_test_client_ops_t ping_test_client;
55545 extern srpc_service_t ping_test_service;
55546-extern void ping_init_test_client(void);
55547 extern void ping_init_test_service(void);
55548
55549 extern sfw_test_client_ops_t brw_test_client;
55550 extern srpc_service_t brw_test_service;
55551-extern void brw_init_test_client(void);
55552 extern void brw_init_test_service(void);
55553
55554
55555@@ -1675,12 +1673,10 @@ sfw_startup(void)
55556 INIT_LIST_HEAD(&sfw_data.fw_zombie_rpcs);
55557 INIT_LIST_HEAD(&sfw_data.fw_zombie_sessions);
55558
55559- brw_init_test_client();
55560 brw_init_test_service();
55561 rc = sfw_register_test(&brw_test_service, &brw_test_client);
55562 LASSERT(rc == 0);
55563
55564- ping_init_test_client();
55565 ping_init_test_service();
55566 rc = sfw_register_test(&ping_test_service, &ping_test_client);
55567 LASSERT(rc == 0);
55568diff --git a/drivers/staging/lustre/lnet/selftest/ping_test.c b/drivers/staging/lustre/lnet/selftest/ping_test.c
55569index 1dab998..edfe0ac 100644
55570--- a/drivers/staging/lustre/lnet/selftest/ping_test.c
55571+++ b/drivers/staging/lustre/lnet/selftest/ping_test.c
55572@@ -211,14 +211,12 @@ ping_server_handle(struct srpc_server_rpc *rpc)
55573 return 0;
55574 }
55575
55576-sfw_test_client_ops_t ping_test_client;
55577-void ping_init_test_client(void)
55578-{
55579- ping_test_client.tso_init = ping_client_init;
55580- ping_test_client.tso_fini = ping_client_fini;
55581- ping_test_client.tso_prep_rpc = ping_client_prep_rpc;
55582- ping_test_client.tso_done_rpc = ping_client_done_rpc;
55583-}
55584+sfw_test_client_ops_t ping_test_client = {
55585+ .tso_init = ping_client_init,
55586+ .tso_fini = ping_client_fini,
55587+ .tso_prep_rpc = ping_client_prep_rpc,
55588+ .tso_done_rpc = ping_client_done_rpc,
55589+};
55590
55591 srpc_service_t ping_test_service;
55592 void ping_init_test_service(void)
55593diff --git a/drivers/staging/lustre/lustre/include/lustre_dlm.h b/drivers/staging/lustre/lustre/include/lustre_dlm.h
55594index f6f4c03..cdc3556 100644
55595--- a/drivers/staging/lustre/lustre/include/lustre_dlm.h
55596+++ b/drivers/staging/lustre/lustre/include/lustre_dlm.h
55597@@ -1107,7 +1107,7 @@ struct ldlm_callback_suite {
55598 ldlm_completion_callback lcs_completion;
55599 ldlm_blocking_callback lcs_blocking;
55600 ldlm_glimpse_callback lcs_glimpse;
55601-};
55602+} __no_const;
55603
55604 /* ldlm_lockd.c */
55605 int ldlm_del_waiting_lock(struct ldlm_lock *lock);
55606diff --git a/drivers/staging/lustre/lustre/include/obd.h b/drivers/staging/lustre/lustre/include/obd.h
55607index 55452e5..43b0f2f 100644
55608--- a/drivers/staging/lustre/lustre/include/obd.h
55609+++ b/drivers/staging/lustre/lustre/include/obd.h
55610@@ -1364,7 +1364,7 @@ struct md_ops {
55611 * lprocfs_alloc_md_stats() in obdclass/lprocfs_status.c. Also, add a
55612 * wrapper function in include/linux/obd_class.h.
55613 */
55614-};
55615+} __no_const;
55616
55617 struct lsm_operations {
55618 void (*lsm_free)(struct lov_stripe_md *);
55619diff --git a/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c b/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
55620index a4c252f..b21acac 100644
55621--- a/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
55622+++ b/drivers/staging/lustre/lustre/ldlm/ldlm_flock.c
55623@@ -258,7 +258,7 @@ ldlm_process_flock_lock(struct ldlm_lock *req, __u64 *flags, int first_enq,
55624 int added = (mode == LCK_NL);
55625 int overlaps = 0;
55626 int splitted = 0;
55627- const struct ldlm_callback_suite null_cbs = { NULL };
55628+ const struct ldlm_callback_suite null_cbs = { };
55629
55630 CDEBUG(D_DLMTRACE,
55631 "flags %#llx owner %llu pid %u mode %u start %llu end %llu\n",
55632diff --git a/drivers/staging/lustre/lustre/libcfs/module.c b/drivers/staging/lustre/lustre/libcfs/module.c
55633index e60b2e9..ad9ceb3 100644
55634--- a/drivers/staging/lustre/lustre/libcfs/module.c
55635+++ b/drivers/staging/lustre/lustre/libcfs/module.c
55636@@ -377,11 +377,11 @@ out:
55637
55638
55639 struct cfs_psdev_ops libcfs_psdev_ops = {
55640- libcfs_psdev_open,
55641- libcfs_psdev_release,
55642- NULL,
55643- NULL,
55644- libcfs_ioctl
55645+ .p_open = libcfs_psdev_open,
55646+ .p_close = libcfs_psdev_release,
55647+ .p_read = NULL,
55648+ .p_write = NULL,
55649+ .p_ioctl = libcfs_ioctl
55650 };
55651
55652 static int init_libcfs_module(void)
55653@@ -623,7 +623,7 @@ static int proc_console_max_delay_cs(struct ctl_table *table, int write,
55654 loff_t *ppos)
55655 {
55656 int rc, max_delay_cs;
55657- struct ctl_table dummy = *table;
55658+ ctl_table_no_const dummy = *table;
55659 long d;
55660
55661 dummy.data = &max_delay_cs;
55662@@ -656,7 +656,7 @@ static int proc_console_min_delay_cs(struct ctl_table *table, int write,
55663 loff_t *ppos)
55664 {
55665 int rc, min_delay_cs;
55666- struct ctl_table dummy = *table;
55667+ ctl_table_no_const dummy = *table;
55668 long d;
55669
55670 dummy.data = &min_delay_cs;
55671@@ -688,7 +688,7 @@ static int proc_console_backoff(struct ctl_table *table, int write,
55672 void __user *buffer, size_t *lenp, loff_t *ppos)
55673 {
55674 int rc, backoff;
55675- struct ctl_table dummy = *table;
55676+ ctl_table_no_const dummy = *table;
55677
55678 dummy.data = &backoff;
55679 dummy.proc_handler = &proc_dointvec;
55680diff --git a/drivers/staging/octeon/ethernet-rx.c b/drivers/staging/octeon/ethernet-rx.c
55681index 22853d3..cfa3c49 100644
55682--- a/drivers/staging/octeon/ethernet-rx.c
55683+++ b/drivers/staging/octeon/ethernet-rx.c
55684@@ -335,14 +335,14 @@ static int cvm_oct_napi_poll(struct napi_struct *napi, int budget)
55685 /* Increment RX stats for virtual ports */
55686 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
55687 #ifdef CONFIG_64BIT
55688- atomic64_add(1,
55689+ atomic64_add_unchecked(1,
55690 (atomic64_t *)&priv->stats.rx_packets);
55691- atomic64_add(skb->len,
55692+ atomic64_add_unchecked(skb->len,
55693 (atomic64_t *)&priv->stats.rx_bytes);
55694 #else
55695- atomic_add(1,
55696+ atomic_add_unchecked(1,
55697 (atomic_t *)&priv->stats.rx_packets);
55698- atomic_add(skb->len,
55699+ atomic_add_unchecked(skb->len,
55700 (atomic_t *)&priv->stats.rx_bytes);
55701 #endif
55702 }
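Review bot: The pointer casts in this hunk still read `(atomic64_t *)` and `(atomic_t *)` although the calls are now the `_unchecked` variants. The ethernet.c hunk further down casts the same `priv->stats` fields to `(atomic64_unchecked_t *)` and `(atomic_unchecked_t *)`. If the unchecked types are distinct from the plain ones, as that hunk suggests, these calls pass an incompatible pointer type. The casts here and in the next hunk (the `rx_dropped` updates) should match, e.g. `(atomic64_unchecked_t *)&priv->stats.rx_packets` and `(atomic_unchecked_t *)&priv->stats.rx_packets`.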
55703@@ -354,10 +354,10 @@ static int cvm_oct_napi_poll(struct napi_struct *napi, int budget)
55704 dev->name);
55705 */
55706 #ifdef CONFIG_64BIT
55707- atomic64_add(1,
55708+ atomic64_add_unchecked(1,
55709 (atomic64_t *)&priv->stats.rx_dropped);
55710 #else
55711- atomic_add(1,
55712+ atomic_add_unchecked(1,
55713 (atomic_t *)&priv->stats.rx_dropped);
55714 #endif
55715 dev_kfree_skb_irq(skb);
55716diff --git a/drivers/staging/octeon/ethernet.c b/drivers/staging/octeon/ethernet.c
55717index f9dba23..7bc0ef3 100644
55718--- a/drivers/staging/octeon/ethernet.c
55719+++ b/drivers/staging/octeon/ethernet.c
55720@@ -231,11 +231,11 @@ static struct net_device_stats *cvm_oct_common_get_stats(struct net_device *dev)
55721 * since the RX tasklet also increments it.
55722 */
55723 #ifdef CONFIG_64BIT
55724- atomic64_add(rx_status.dropped_packets,
55725- (atomic64_t *)&priv->stats.rx_dropped);
55726+ atomic64_add_unchecked(rx_status.dropped_packets,
55727+ (atomic64_unchecked_t *)&priv->stats.rx_dropped);
55728 #else
55729- atomic_add(rx_status.dropped_packets,
55730- (atomic_t *)&priv->stats.rx_dropped);
55731+ atomic_add_unchecked(rx_status.dropped_packets,
55732+ (atomic_unchecked_t *)&priv->stats.rx_dropped);
55733 #endif
55734 }
55735
55736diff --git a/drivers/staging/rtl8188eu/include/hal_intf.h b/drivers/staging/rtl8188eu/include/hal_intf.h
55737index 3b476d8..f522d68 100644
55738--- a/drivers/staging/rtl8188eu/include/hal_intf.h
55739+++ b/drivers/staging/rtl8188eu/include/hal_intf.h
55740@@ -225,7 +225,7 @@ struct hal_ops {
55741
55742 void (*hal_notch_filter)(struct adapter *adapter, bool enable);
55743 void (*hal_reset_security_engine)(struct adapter *adapter);
55744-};
55745+} __no_const;
55746
55747 enum rt_eeprom_type {
55748 EEPROM_93C46,
55749diff --git a/drivers/staging/rtl8712/rtl871x_io.h b/drivers/staging/rtl8712/rtl871x_io.h
55750index 070cc03..6806e37 100644
55751--- a/drivers/staging/rtl8712/rtl871x_io.h
55752+++ b/drivers/staging/rtl8712/rtl871x_io.h
55753@@ -108,7 +108,7 @@ struct _io_ops {
55754 u8 *pmem);
55755 u32 (*_write_port)(struct intf_hdl *pintfhdl, u32 addr, u32 cnt,
55756 u8 *pmem);
55757-};
55758+} __no_const;
55759
55760 struct io_req {
55761 struct list_head list;
55762diff --git a/drivers/staging/sm750fb/sm750.c b/drivers/staging/sm750fb/sm750.c
55763index 8e201f1..bf2a28d 100644
55764--- a/drivers/staging/sm750fb/sm750.c
55765+++ b/drivers/staging/sm750fb/sm750.c
55766@@ -775,6 +775,7 @@ static struct fb_ops lynxfb_ops = {
55767 .fb_set_par = lynxfb_ops_set_par,
55768 .fb_setcolreg = lynxfb_ops_setcolreg,
55769 .fb_blank = lynxfb_ops_blank,
55770+ .fb_pan_display = lynxfb_ops_pan_display,
55771 .fb_fillrect = cfb_fillrect,
55772 .fb_imageblit = cfb_imageblit,
55773 .fb_copyarea = cfb_copyarea,
55774@@ -822,8 +823,10 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index)
55775 par->index = index;
55776 output->channel = &crtc->channel;
55777 sm750fb_set_drv(par);
55778- lynxfb_ops.fb_pan_display = lynxfb_ops_pan_display;
55779
55780+ pax_open_kernel();
55781+ *(void **)&lynxfb_ops.fb_pan_display = lynxfb_ops_pan_display;
55782+ pax_close_kernel();
55783
55784 /* set current cursor variable and proc pointer,
55785 * must be set after crtc member initialized */
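Review bot: The runtime store `*(void **)&lynxfb_ops.fb_pan_display = lynxfb_ops_pan_display;` is redundant, because the previous hunk already puts `.fb_pan_display = lynxfb_ops_pan_display` into the static initializer of `lynxfb_ops`. Dropping the three added lines (the `pax_open_kernel()`/`pax_close_kernel()` pair and the store) removes one window in which the ops table is writable. As far as these hunks show, behaviour stays the same. lynxfb_set_fbinfo starts and continues outside this hunk.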
55786@@ -845,7 +848,9 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index)
55787 crtc->cursor.share = share;
55788 memset_io(crtc->cursor.vstart, 0, crtc->cursor.size);
55789 if (!g_hwcursor) {
55790- lynxfb_ops.fb_cursor = NULL;
55791+ pax_open_kernel();
55792+ *(void **)&lynxfb_ops.fb_cursor = NULL;
55793+ pax_close_kernel();
55794 crtc->cursor.disable(&crtc->cursor);
55795 }
55796
55797@@ -853,9 +858,11 @@ static int lynxfb_set_fbinfo(struct fb_info *info, int index)
55798 /* set info->fbops, must be set before fb_find_mode */
55799 if (!share->accel_off) {
55800 /* use 2d acceleration */
55801- lynxfb_ops.fb_fillrect = lynxfb_ops_fillrect;
55802- lynxfb_ops.fb_copyarea = lynxfb_ops_copyarea;
55803- lynxfb_ops.fb_imageblit = lynxfb_ops_imageblit;
55804+ pax_open_kernel();
55805+ *(void **)&lynxfb_ops.fb_fillrect = lynxfb_ops_fillrect;
55806+ *(void **)&lynxfb_ops.fb_copyarea = lynxfb_ops_copyarea;
55807+ *(void **)&lynxfb_ops.fb_imageblit = lynxfb_ops_imageblit;
55808+ pax_close_kernel();
55809 }
55810 info->fbops = &lynxfb_ops;
55811
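Review bot: The `*(void **)&lynxfb_ops.fb_fillrect = ...` stores go through `void *`, so the compiler no longer checks that each handler matches the prototype of the `struct fb_ops` member it is stored in; a later signature change would build silently. The same pattern is used in the two sm750.c hunks above and in the cpu_cooling.c, int3400_thermal.c and of-thermal.c hunks below. A short comment at each site would record the trade-off, for example `/* ops table is written via pax_open_kernel(); the cast bypasses prototype checking, keep handler signatures in sync by hand */`.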
55812diff --git a/drivers/staging/unisys/visorbus/visorbus_private.h b/drivers/staging/unisys/visorbus/visorbus_private.h
55813index 2f12483..6e1b50a 100644
55814--- a/drivers/staging/unisys/visorbus/visorbus_private.h
55815+++ b/drivers/staging/unisys/visorbus/visorbus_private.h
55816@@ -35,7 +35,7 @@ struct visorchipset_busdev_notifiers {
55817 void (*device_destroy)(struct visor_device *bus_info);
55818 void (*device_pause)(struct visor_device *bus_info);
55819 void (*device_resume)(struct visor_device *bus_info);
55820-};
55821+} __no_const;
55822
55823 /* These functions live inside visorchipset, and will be called to indicate
55824 * responses to specific events (by code outside of visorchipset).
55825@@ -50,7 +50,7 @@ struct visorchipset_busdev_responders {
55826 void (*device_destroy)(struct visor_device *p, int response);
55827 void (*device_pause)(struct visor_device *p, int response);
55828 void (*device_resume)(struct visor_device *p, int response);
55829-};
55830+} __no_const;
55831
55832 /** Register functions (in the bus driver) to get called by visorchipset
55833 * whenever a bus or device appears for which this guest is to be the
55834diff --git a/drivers/target/sbp/sbp_target.c b/drivers/target/sbp/sbp_target.c
55835index 0edf320..49afe95 100644
55836--- a/drivers/target/sbp/sbp_target.c
55837+++ b/drivers/target/sbp/sbp_target.c
55838@@ -60,7 +60,7 @@ static const u32 sbp_unit_directory_template[] = {
55839
55840 #define SESSION_MAINTENANCE_INTERVAL HZ
55841
55842-static atomic_t login_id = ATOMIC_INIT(0);
55843+static atomic_unchecked_t login_id = ATOMIC_INIT(0);
55844
55845 static void session_maintenance_work(struct work_struct *);
55846 static int sbp_run_transaction(struct fw_card *, int, int, int, int,
55847@@ -441,7 +441,7 @@ static void sbp_management_request_login(
55848 login->login_lun = unpacked_lun;
55849 login->status_fifo_addr = sbp2_pointer_to_addr(&req->orb.status_fifo);
55850 login->exclusive = LOGIN_ORB_EXCLUSIVE(be32_to_cpu(req->orb.misc));
55851- login->login_id = atomic_inc_return(&login_id);
55852+ login->login_id = atomic_inc_return_unchecked(&login_id);
55853
55854 login->tgt_agt = sbp_target_agent_register(login);
55855 if (IS_ERR(login->tgt_agt)) {
55856diff --git a/drivers/target/target_core_device.c b/drivers/target/target_core_device.c
55857index 8f1cd19..ba7a8f1 100644
55858--- a/drivers/target/target_core_device.c
55859+++ b/drivers/target/target_core_device.c
55860@@ -772,7 +772,7 @@ struct se_device *target_alloc_device(struct se_hba *hba, const char *name)
55861 spin_lock_init(&dev->se_tmr_lock);
55862 spin_lock_init(&dev->qf_cmd_lock);
55863 sema_init(&dev->caw_sem, 1);
55864- atomic_set(&dev->dev_ordered_id, 0);
55865+ atomic_set_unchecked(&dev->dev_ordered_id, 0);
55866 INIT_LIST_HEAD(&dev->t10_wwn.t10_vpd_list);
55867 spin_lock_init(&dev->t10_wwn.t10_vpd_lock);
55868 INIT_LIST_HEAD(&dev->t10_pr.registration_list);
55869diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
55870index ce8574b..98d6199 100644
55871--- a/drivers/target/target_core_transport.c
55872+++ b/drivers/target/target_core_transport.c
55873@@ -1181,7 +1181,7 @@ transport_check_alloc_task_attr(struct se_cmd *cmd)
55874 * Used to determine when ORDERED commands should go from
55875 * Dormant to Active status.
55876 */
55877- cmd->se_ordered_id = atomic_inc_return(&dev->dev_ordered_id);
55878+ cmd->se_ordered_id = atomic_inc_return_unchecked(&dev->dev_ordered_id);
55879 pr_debug("Allocated se_ordered_id: %u for Task Attr: 0x%02x on %s\n",
55880 cmd->se_ordered_id, cmd->sam_task_attr,
55881 dev->transport->name);
55882diff --git a/drivers/thermal/cpu_cooling.c b/drivers/thermal/cpu_cooling.c
55883index 42c6f71..1c64309 100644
55884--- a/drivers/thermal/cpu_cooling.c
55885+++ b/drivers/thermal/cpu_cooling.c
55886@@ -838,10 +838,11 @@ __cpufreq_cooling_register(struct device_node *np,
55887 cpumask_copy(&cpufreq_dev->allowed_cpus, clip_cpus);
55888
55889 if (capacitance) {
55890- cpufreq_cooling_ops.get_requested_power =
55891- cpufreq_get_requested_power;
55892- cpufreq_cooling_ops.state2power = cpufreq_state2power;
55893- cpufreq_cooling_ops.power2state = cpufreq_power2state;
55894+ pax_open_kernel();
55895+ *(void **)&cpufreq_cooling_ops.get_requested_power = cpufreq_get_requested_power;
55896+ *(void **)&cpufreq_cooling_ops.state2power = cpufreq_state2power;
55897+ *(void **)&cpufreq_cooling_ops.power2state = cpufreq_power2state;
55898+ pax_close_kernel();
55899 cpufreq_dev->plat_get_static_power = plat_static_func;
55900
55901 ret = build_dyn_power_table(cpufreq_dev, capacitance);
55902diff --git a/drivers/thermal/int340x_thermal/int3400_thermal.c b/drivers/thermal/int340x_thermal/int3400_thermal.c
55903index 031018e..90981a1 100644
55904--- a/drivers/thermal/int340x_thermal/int3400_thermal.c
55905+++ b/drivers/thermal/int340x_thermal/int3400_thermal.c
55906@@ -272,8 +272,10 @@ static int int3400_thermal_probe(struct platform_device *pdev)
55907 platform_set_drvdata(pdev, priv);
55908
55909 if (priv->uuid_bitmap & 1 << INT3400_THERMAL_PASSIVE_1) {
55910- int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
55911- int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
55912+ pax_open_kernel();
55913+ *(void **)&int3400_thermal_ops.get_mode = int3400_thermal_get_mode;
55914+ *(void **)&int3400_thermal_ops.set_mode = int3400_thermal_set_mode;
55915+ pax_close_kernel();
55916 }
55917 priv->thermal = thermal_zone_device_register("INT3400 Thermal", 0, 0,
55918 priv, &int3400_thermal_ops,
55919diff --git a/drivers/thermal/of-thermal.c b/drivers/thermal/of-thermal.c
55920index b295b2b..f7e2a30 100644
55921--- a/drivers/thermal/of-thermal.c
55922+++ b/drivers/thermal/of-thermal.c
55923@@ -31,6 +31,7 @@
55924 #include <linux/export.h>
55925 #include <linux/string.h>
55926 #include <linux/thermal.h>
55927+#include <linux/mm.h>
55928
55929 #include "thermal_core.h"
55930
55931@@ -417,9 +418,11 @@ thermal_zone_of_add_sensor(struct device_node *zone,
55932 tz->ops = ops;
55933 tz->sensor_data = data;
55934
55935- tzd->ops->get_temp = of_thermal_get_temp;
55936- tzd->ops->get_trend = of_thermal_get_trend;
55937- tzd->ops->set_emul_temp = of_thermal_set_emul_temp;
55938+ pax_open_kernel();
55939+ *(void **)&tzd->ops->get_temp = of_thermal_get_temp;
55940+ *(void **)&tzd->ops->get_trend = of_thermal_get_trend;
55941+ *(void **)&tzd->ops->set_emul_temp = of_thermal_set_emul_temp;
55942+ pax_close_kernel();
55943 mutex_unlock(&tzd->lock);
55944
55945 return tzd;
55946@@ -549,9 +552,11 @@ void thermal_zone_of_sensor_unregister(struct device *dev,
55947 return;
55948
55949 mutex_lock(&tzd->lock);
55950- tzd->ops->get_temp = NULL;
55951- tzd->ops->get_trend = NULL;
55952- tzd->ops->set_emul_temp = NULL;
55953+ pax_open_kernel();
55954+ *(void **)&tzd->ops->get_temp = NULL;
55955+ *(void **)&tzd->ops->get_trend = NULL;
55956+ *(void **)&tzd->ops->set_emul_temp = NULL;
55957+ pax_close_kernel();
55958
55959 tz->ops = NULL;
55960 tz->sensor_data = NULL;
55961diff --git a/drivers/thermal/x86_pkg_temp_thermal.c b/drivers/thermal/x86_pkg_temp_thermal.c
55962index 50d1d2c..39c5ce0 100644
55963--- a/drivers/thermal/x86_pkg_temp_thermal.c
55964+++ b/drivers/thermal/x86_pkg_temp_thermal.c
55965@@ -567,7 +567,7 @@ static int pkg_temp_thermal_cpu_callback(struct notifier_block *nfb,
55966 return NOTIFY_OK;
55967 }
55968
55969-static struct notifier_block pkg_temp_thermal_notifier __refdata = {
55970+static struct notifier_block pkg_temp_thermal_notifier __refconst = {
55971 .notifier_call = pkg_temp_thermal_cpu_callback,
55972 };
55973
55974diff --git a/drivers/tty/cyclades.c b/drivers/tty/cyclades.c
55975index 87f6578..905c8f8 100644
55976--- a/drivers/tty/cyclades.c
55977+++ b/drivers/tty/cyclades.c
55978@@ -1570,10 +1570,10 @@ static int cy_open(struct tty_struct *tty, struct file *filp)
55979 printk(KERN_DEBUG "cyc:cy_open ttyC%d, count = %d\n", info->line,
55980 info->port.count);
55981 #endif
55982- info->port.count++;
55983+ atomic_inc(&info->port.count);
55984 #ifdef CY_DEBUG_COUNT
55985 printk(KERN_DEBUG "cyc:cy_open (%d): incrementing count to %d\n",
55986- current->pid, info->port.count);
55987+ current->pid, atomic_read(&info->port.count));
55988 #endif
55989
55990 /*
55991@@ -3970,7 +3970,7 @@ static int cyclades_proc_show(struct seq_file *m, void *v)
55992 for (j = 0; j < cy_card[i].nports; j++) {
55993 info = &cy_card[i].ports[j];
55994
55995- if (info->port.count) {
55996+ if (atomic_read(&info->port.count)) {
55997 /* XXX is the ldisc num worth this? */
55998 struct tty_struct *tty;
55999 struct tty_ldisc *ld;
56000diff --git a/drivers/tty/hvc/hvc_console.c b/drivers/tty/hvc/hvc_console.c
56001index 4e9c4cc..2199d8f 100644
56002--- a/drivers/tty/hvc/hvc_console.c
56003+++ b/drivers/tty/hvc/hvc_console.c
56004@@ -343,7 +343,7 @@ static int hvc_open(struct tty_struct *tty, struct file * filp)
56005
56006 spin_lock_irqsave(&hp->port.lock, flags);
56007 /* Check and then increment for fast path open. */
56008- if (hp->port.count++ > 0) {
56009+ if (atomic_inc_return(&hp->port.count) > 1) {
56010 spin_unlock_irqrestore(&hp->port.lock, flags);
56011 hvc_kick();
56012 return 0;
56013@@ -398,7 +398,7 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
56014
56015 spin_lock_irqsave(&hp->port.lock, flags);
56016
56017- if (--hp->port.count == 0) {
56018+ if (atomic_dec_return(&hp->port.count) == 0) {
56019 spin_unlock_irqrestore(&hp->port.lock, flags);
56020 /* We are done with the tty pointer now. */
56021 tty_port_tty_set(&hp->port, NULL);
56022@@ -420,9 +420,9 @@ static void hvc_close(struct tty_struct *tty, struct file * filp)
56023 */
56024 tty_wait_until_sent_from_close(tty, HVC_CLOSE_WAIT);
56025 } else {
56026- if (hp->port.count < 0)
56027+ if (atomic_read(&hp->port.count) < 0)
56028 printk(KERN_ERR "hvc_close %X: oops, count is %d\n",
56029- hp->vtermno, hp->port.count);
56030+ hp->vtermno, atomic_read(&hp->port.count));
56031 spin_unlock_irqrestore(&hp->port.lock, flags);
56032 }
56033 }
56034@@ -452,12 +452,12 @@ static void hvc_hangup(struct tty_struct *tty)
56035 * open->hangup case this can be called after the final close so prevent
56036 * that from happening for now.
56037 */
56038- if (hp->port.count <= 0) {
56039+ if (atomic_read(&hp->port.count) <= 0) {
56040 spin_unlock_irqrestore(&hp->port.lock, flags);
56041 return;
56042 }
56043
56044- hp->port.count = 0;
56045+ atomic_set(&hp->port.count, 0);
56046 spin_unlock_irqrestore(&hp->port.lock, flags);
56047 tty_port_tty_set(&hp->port, NULL);
56048
56049@@ -505,7 +505,7 @@ static int hvc_write(struct tty_struct *tty, const unsigned char *buf, int count
56050 return -EPIPE;
56051
56052 /* FIXME what's this (unprotected) check for? */
56053- if (hp->port.count <= 0)
56054+ if (atomic_read(&hp->port.count) <= 0)
56055 return -EIO;
56056
56057 spin_lock_irqsave(&hp->lock, flags);
56058diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c
56059index f7ff97c..0c0ebbf 100644
56060--- a/drivers/tty/hvc/hvcs.c
56061+++ b/drivers/tty/hvc/hvcs.c
56062@@ -83,6 +83,7 @@
56063 #include <asm/hvcserver.h>
56064 #include <asm/uaccess.h>
56065 #include <asm/vio.h>
56066+#include <asm/local.h>
56067
56068 /*
56069 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
56070@@ -416,7 +417,7 @@ static ssize_t hvcs_vterm_state_store(struct device *dev, struct device_attribut
56071
56072 spin_lock_irqsave(&hvcsd->lock, flags);
56073
56074- if (hvcsd->port.count > 0) {
56075+ if (atomic_read(&hvcsd->port.count) > 0) {
56076 spin_unlock_irqrestore(&hvcsd->lock, flags);
56077 printk(KERN_INFO "HVCS: vterm state unchanged. "
56078 "The hvcs device node is still in use.\n");
56079@@ -1127,7 +1128,7 @@ static int hvcs_install(struct tty_driver *driver, struct tty_struct *tty)
56080 }
56081 }
56082
56083- hvcsd->port.count = 0;
56084+ atomic_set(&hvcsd->port.count, 0);
56085 hvcsd->port.tty = tty;
56086 tty->driver_data = hvcsd;
56087
56088@@ -1180,7 +1181,7 @@ static int hvcs_open(struct tty_struct *tty, struct file *filp)
56089 unsigned long flags;
56090
56091 spin_lock_irqsave(&hvcsd->lock, flags);
56092- hvcsd->port.count++;
56093+ atomic_inc(&hvcsd->port.count);
56094 hvcsd->todo_mask |= HVCS_SCHED_READ;
56095 spin_unlock_irqrestore(&hvcsd->lock, flags);
56096
56097@@ -1216,7 +1217,7 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
56098 hvcsd = tty->driver_data;
56099
56100 spin_lock_irqsave(&hvcsd->lock, flags);
56101- if (--hvcsd->port.count == 0) {
56102+ if (atomic_dec_and_test(&hvcsd->port.count)) {
56103
56104 vio_disable_interrupts(hvcsd->vdev);
56105
56106@@ -1241,10 +1242,10 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp)
56107
56108 free_irq(irq, hvcsd);
56109 return;
56110- } else if (hvcsd->port.count < 0) {
56111+ } else if (atomic_read(&hvcsd->port.count) < 0) {
56112 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
56113 " is missmanaged.\n",
56114- hvcsd->vdev->unit_address, hvcsd->port.count);
56115+ hvcsd->vdev->unit_address, atomic_read(&hvcsd->port.count));
56116 }
56117
56118 spin_unlock_irqrestore(&hvcsd->lock, flags);
56119@@ -1266,7 +1267,7 @@ static void hvcs_hangup(struct tty_struct * tty)
56120
56121 spin_lock_irqsave(&hvcsd->lock, flags);
56122 /* Preserve this so that we know how many kref refs to put */
56123- temp_open_count = hvcsd->port.count;
56124+ temp_open_count = atomic_read(&hvcsd->port.count);
56125
56126 /*
56127 * Don't kref put inside the spinlock because the destruction
56128@@ -1281,7 +1282,7 @@ static void hvcs_hangup(struct tty_struct * tty)
56129 tty->driver_data = NULL;
56130 hvcsd->port.tty = NULL;
56131
56132- hvcsd->port.count = 0;
56133+ atomic_set(&hvcsd->port.count, 0);
56134
56135 /* This will drop any buffered data on the floor which is OK in a hangup
56136 * scenario. */
56137@@ -1352,7 +1353,7 @@ static int hvcs_write(struct tty_struct *tty,
56138 * the middle of a write operation? This is a crummy place to do this
56139 * but we want to keep it all in the spinlock.
56140 */
56141- if (hvcsd->port.count <= 0) {
56142+ if (atomic_read(&hvcsd->port.count) <= 0) {
56143 spin_unlock_irqrestore(&hvcsd->lock, flags);
56144 return -ENODEV;
56145 }
56146@@ -1426,7 +1427,7 @@ static int hvcs_write_room(struct tty_struct *tty)
56147 {
56148 struct hvcs_struct *hvcsd = tty->driver_data;
56149
56150- if (!hvcsd || hvcsd->port.count <= 0)
56151+ if (!hvcsd || atomic_read(&hvcsd->port.count) <= 0)
56152 return 0;
56153
56154 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
56155diff --git a/drivers/tty/hvc/hvsi.c b/drivers/tty/hvc/hvsi.c
56156index 4190199..06d5bfa 100644
56157--- a/drivers/tty/hvc/hvsi.c
56158+++ b/drivers/tty/hvc/hvsi.c
56159@@ -85,7 +85,7 @@ struct hvsi_struct {
56160 int n_outbuf;
56161 uint32_t vtermno;
56162 uint32_t virq;
56163- atomic_t seqno; /* HVSI packet sequence number */
56164+ atomic_unchecked_t seqno; /* HVSI packet sequence number */
56165 uint16_t mctrl;
56166 uint8_t state; /* HVSI protocol state */
56167 uint8_t flags;
56168@@ -295,7 +295,7 @@ static int hvsi_version_respond(struct hvsi_struct *hp, uint16_t query_seqno)
56169
56170 packet.hdr.type = VS_QUERY_RESPONSE_PACKET_HEADER;
56171 packet.hdr.len = sizeof(struct hvsi_query_response);
56172- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
56173+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
56174 packet.verb = VSV_SEND_VERSION_NUMBER;
56175 packet.u.version = HVSI_VERSION;
56176 packet.query_seqno = query_seqno+1;
56177@@ -555,7 +555,7 @@ static int hvsi_query(struct hvsi_struct *hp, uint16_t verb)
56178
56179 packet.hdr.type = VS_QUERY_PACKET_HEADER;
56180 packet.hdr.len = sizeof(struct hvsi_query);
56181- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
56182+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
56183 packet.verb = verb;
56184
56185 pr_debug("%s: sending %i bytes\n", __func__, packet.hdr.len);
56186@@ -597,7 +597,7 @@ static int hvsi_set_mctrl(struct hvsi_struct *hp, uint16_t mctrl)
56187 int wrote;
56188
56189 packet.hdr.type = VS_CONTROL_PACKET_HEADER,
56190- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
56191+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
56192 packet.hdr.len = sizeof(struct hvsi_control);
56193 packet.verb = VSV_SET_MODEM_CTL;
56194 packet.mask = HVSI_TSDTR;
56195@@ -680,7 +680,7 @@ static int hvsi_put_chars(struct hvsi_struct *hp, const char *buf, int count)
56196 BUG_ON(count > HVSI_MAX_OUTGOING_DATA);
56197
56198 packet.hdr.type = VS_DATA_PACKET_HEADER;
56199- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
56200+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
56201 packet.hdr.len = count + sizeof(struct hvsi_header);
56202 memcpy(&packet.data, buf, count);
56203
56204@@ -697,7 +697,7 @@ static void hvsi_close_protocol(struct hvsi_struct *hp)
56205 struct hvsi_control packet __ALIGNED__;
56206
56207 packet.hdr.type = VS_CONTROL_PACKET_HEADER;
56208- packet.hdr.seqno = atomic_inc_return(&hp->seqno);
56209+ packet.hdr.seqno = atomic_inc_return_unchecked(&hp->seqno);
56210 packet.hdr.len = 6;
56211 packet.verb = VSV_CLOSE_PROTOCOL;
56212
56213@@ -725,7 +725,7 @@ static int hvsi_open(struct tty_struct *tty, struct file *filp)
56214
56215 tty_port_tty_set(&hp->port, tty);
56216 spin_lock_irqsave(&hp->lock, flags);
56217- hp->port.count++;
56218+ atomic_inc(&hp->port.count);
56219 atomic_set(&hp->seqno, 0);
56220 h_vio_signal(hp->vtermno, VIO_IRQ_ENABLE);
56221 spin_unlock_irqrestore(&hp->lock, flags);
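Review bot: The context line `atomic_set(&hp->seqno, 0);` in hvsi_open still uses the checked accessor, although this patch retypes `seqno` to `atomic_unchecked_t` in struct hvsi_struct and converts every `atomic_inc_return` on it. If `atomic_unchecked_t` is a distinct type in the hardened configuration, this is a type mismatch and the line should read `atomic_set_unchecked(&hp->seqno, 0);`, as the hvsi_lib.c hunk already does for `pv->seqno`. hvsi_open's body continues outside the hunk.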
56222@@ -782,7 +782,7 @@ static void hvsi_close(struct tty_struct *tty, struct file *filp)
56223
56224 spin_lock_irqsave(&hp->lock, flags);
56225
56226- if (--hp->port.count == 0) {
56227+ if (atomic_dec_return(&hp->port.count) == 0) {
56228 tty_port_tty_set(&hp->port, NULL);
56229 hp->inbuf_end = hp->inbuf; /* discard remaining partial packets */
56230
56231@@ -815,9 +815,9 @@ static void hvsi_close(struct tty_struct *tty, struct file *filp)
56232
56233 spin_lock_irqsave(&hp->lock, flags);
56234 }
56235- } else if (hp->port.count < 0)
56236+ } else if (atomic_read(&hp->port.count) < 0)
56237 printk(KERN_ERR "hvsi_close %lu: oops, count is %d\n",
56238- hp - hvsi_ports, hp->port.count);
56239+ hp - hvsi_ports, atomic_read(&hp->port.count));
56240
56241 spin_unlock_irqrestore(&hp->lock, flags);
56242 }
56243@@ -832,7 +832,7 @@ static void hvsi_hangup(struct tty_struct *tty)
56244 tty_port_tty_set(&hp->port, NULL);
56245
56246 spin_lock_irqsave(&hp->lock, flags);
56247- hp->port.count = 0;
56248+ atomic_set(&hp->port.count, 0);
56249 hp->n_outbuf = 0;
56250 spin_unlock_irqrestore(&hp->lock, flags);
56251 }
56252diff --git a/drivers/tty/hvc/hvsi_lib.c b/drivers/tty/hvc/hvsi_lib.c
56253index a270f04..7c77b5d 100644
56254--- a/drivers/tty/hvc/hvsi_lib.c
56255+++ b/drivers/tty/hvc/hvsi_lib.c
56256@@ -8,7 +8,7 @@
56257
56258 static int hvsi_send_packet(struct hvsi_priv *pv, struct hvsi_header *packet)
56259 {
56260- packet->seqno = cpu_to_be16(atomic_inc_return(&pv->seqno));
56261+ packet->seqno = cpu_to_be16(atomic_inc_return_unchecked(&pv->seqno));
56262
56263 /* Assumes that always succeeds, works in practice */
56264 return pv->put_chars(pv->termno, (char *)packet, packet->len);
56265@@ -20,7 +20,7 @@ static void hvsi_start_handshake(struct hvsi_priv *pv)
56266
56267 /* Reset state */
56268 pv->established = 0;
56269- atomic_set(&pv->seqno, 0);
56270+ atomic_set_unchecked(&pv->seqno, 0);
56271
56272 pr_devel("HVSI@%x: Handshaking started\n", pv->termno);
56273
56274diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c
56275index 345cebb..d5a1e9e 100644
56276--- a/drivers/tty/ipwireless/tty.c
56277+++ b/drivers/tty/ipwireless/tty.c
56278@@ -28,6 +28,7 @@
56279 #include <linux/tty_driver.h>
56280 #include <linux/tty_flip.h>
56281 #include <linux/uaccess.h>
56282+#include <asm/local.h>
56283
56284 #include "tty.h"
56285 #include "network.h"
56286@@ -93,10 +94,10 @@ static int ipw_open(struct tty_struct *linux_tty, struct file *filp)
56287 return -ENODEV;
56288
56289 mutex_lock(&tty->ipw_tty_mutex);
56290- if (tty->port.count == 0)
56291+ if (atomic_read(&tty->port.count) == 0)
56292 tty->tx_bytes_queued = 0;
56293
56294- tty->port.count++;
56295+ atomic_inc(&tty->port.count);
56296
56297 tty->port.tty = linux_tty;
56298 linux_tty->driver_data = tty;
56299@@ -112,9 +113,7 @@ static int ipw_open(struct tty_struct *linux_tty, struct file *filp)
56300
56301 static void do_ipw_close(struct ipw_tty *tty)
56302 {
56303- tty->port.count--;
56304-
56305- if (tty->port.count == 0) {
56306+ if (atomic_dec_return(&tty->port.count) == 0) {
56307 struct tty_struct *linux_tty = tty->port.tty;
56308
56309 if (linux_tty != NULL) {
56310@@ -135,7 +134,7 @@ static void ipw_hangup(struct tty_struct *linux_tty)
56311 return;
56312
56313 mutex_lock(&tty->ipw_tty_mutex);
56314- if (tty->port.count == 0) {
56315+ if (atomic_read(&tty->port.count) == 0) {
56316 mutex_unlock(&tty->ipw_tty_mutex);
56317 return;
56318 }
56319@@ -158,7 +157,7 @@ void ipwireless_tty_received(struct ipw_tty *tty, unsigned char *data,
56320
56321 mutex_lock(&tty->ipw_tty_mutex);
56322
56323- if (!tty->port.count) {
56324+ if (!atomic_read(&tty->port.count)) {
56325 mutex_unlock(&tty->ipw_tty_mutex);
56326 return;
56327 }
56328@@ -197,7 +196,7 @@ static int ipw_write(struct tty_struct *linux_tty,
56329 return -ENODEV;
56330
56331 mutex_lock(&tty->ipw_tty_mutex);
56332- if (!tty->port.count) {
56333+ if (!atomic_read(&tty->port.count)) {
56334 mutex_unlock(&tty->ipw_tty_mutex);
56335 return -EINVAL;
56336 }
56337@@ -237,7 +236,7 @@ static int ipw_write_room(struct tty_struct *linux_tty)
56338 if (!tty)
56339 return -ENODEV;
56340
56341- if (!tty->port.count)
56342+ if (!atomic_read(&tty->port.count))
56343 return -EINVAL;
56344
56345 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
56346@@ -279,7 +278,7 @@ static int ipw_chars_in_buffer(struct tty_struct *linux_tty)
56347 if (!tty)
56348 return 0;
56349
56350- if (!tty->port.count)
56351+ if (!atomic_read(&tty->port.count))
56352 return 0;
56353
56354 return tty->tx_bytes_queued;
56355@@ -360,7 +359,7 @@ static int ipw_tiocmget(struct tty_struct *linux_tty)
56356 if (!tty)
56357 return -ENODEV;
56358
56359- if (!tty->port.count)
56360+ if (!atomic_read(&tty->port.count))
56361 return -EINVAL;
56362
56363 return get_control_lines(tty);
56364@@ -376,7 +375,7 @@ ipw_tiocmset(struct tty_struct *linux_tty,
56365 if (!tty)
56366 return -ENODEV;
56367
56368- if (!tty->port.count)
56369+ if (!atomic_read(&tty->port.count))
56370 return -EINVAL;
56371
56372 return set_control_lines(tty, set, clear);
56373@@ -390,7 +389,7 @@ static int ipw_ioctl(struct tty_struct *linux_tty,
56374 if (!tty)
56375 return -ENODEV;
56376
56377- if (!tty->port.count)
56378+ if (!atomic_read(&tty->port.count))
56379 return -EINVAL;
56380
56381 /* FIXME: Exactly how is the tty object locked here .. */
56382@@ -546,7 +545,7 @@ void ipwireless_tty_free(struct ipw_tty *tty)
56383 * are gone */
56384 mutex_lock(&ttyj->ipw_tty_mutex);
56385 }
56386- while (ttyj->port.count)
56387+ while (atomic_read(&ttyj->port.count))
56388 do_ipw_close(ttyj);
56389 ipwireless_disassociate_network_ttys(network,
56390 ttyj->channel_idx);
56391diff --git a/drivers/tty/moxa.c b/drivers/tty/moxa.c
56392index 14c54e0..1efd4f2 100644
56393--- a/drivers/tty/moxa.c
56394+++ b/drivers/tty/moxa.c
56395@@ -1189,7 +1189,7 @@ static int moxa_open(struct tty_struct *tty, struct file *filp)
56396 }
56397
56398 ch = &brd->ports[port % MAX_PORTS_PER_BOARD];
56399- ch->port.count++;
56400+ atomic_inc(&ch->port.count);
56401 tty->driver_data = ch;
56402 tty_port_tty_set(&ch->port, tty);
56403 mutex_lock(&ch->port.mutex);
56404diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
56405index 382d3fc..b16d625 100644
56406--- a/drivers/tty/n_gsm.c
56407+++ b/drivers/tty/n_gsm.c
56408@@ -1644,7 +1644,7 @@ static struct gsm_dlci *gsm_dlci_alloc(struct gsm_mux *gsm, int addr)
56409 spin_lock_init(&dlci->lock);
56410 mutex_init(&dlci->mutex);
56411 dlci->fifo = &dlci->_fifo;
56412- if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
56413+ if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
56414 kfree(dlci);
56415 return NULL;
56416 }
56417@@ -2957,7 +2957,7 @@ static int gsmtty_open(struct tty_struct *tty, struct file *filp)
56418 struct gsm_dlci *dlci = tty->driver_data;
56419 struct tty_port *port = &dlci->port;
56420
56421- port->count++;
56422+ atomic_inc(&port->count);
56423 tty_port_tty_set(port, tty);
56424
56425 dlci->modem_rx = 0;
56426diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c
56427index afc1879..b605d4b 100644
56428--- a/drivers/tty/n_tty.c
56429+++ b/drivers/tty/n_tty.c
56430@@ -2574,6 +2574,7 @@ void n_tty_inherit_ops(struct tty_ldisc_ops *ops)
56431 {
56432 *ops = tty_ldisc_N_TTY;
56433 ops->owner = NULL;
56434- ops->refcount = ops->flags = 0;
56435+ atomic_set(&ops->refcount, 0);
56436+ ops->flags = 0;
56437 }
56438 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
56439diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
56440index 4d5e840..a2340a6 100644
56441--- a/drivers/tty/pty.c
56442+++ b/drivers/tty/pty.c
56443@@ -849,8 +849,10 @@ static void __init unix98_pty_init(void)
56444 panic("Couldn't register Unix98 pts driver");
56445
56446 /* Now create the /dev/ptmx special device */
56447+ pax_open_kernel();
56448 tty_default_fops(&ptmx_fops);
56449- ptmx_fops.open = ptmx_open;
56450+ *(void **)&ptmx_fops.open = ptmx_open;
56451+ pax_close_kernel();
56452
56453 cdev_init(&ptmx_cdev, &ptmx_fops);
56454 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
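Review bot: The write window opened around `tty_default_fops(&ptmx_fops)` and the `.open` override has no comment explaining it, and the `*(void **)&ptmx_fops.open` cast hides the reason from a reader. Presumably `ptmx_fops` ends up in write-protected memory under this patch set, so both the struct copy and the pointer store have to sit between pax_open_kernel() and pax_close_kernel(). I would add `/* ptmx_fops is read-only here: fill it and override .open inside the pax_open_kernel() window */` above the pax_open_kernel() call. unix98_pty_init starts and ends outside the hunk.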
56455diff --git a/drivers/tty/rocket.c b/drivers/tty/rocket.c
56456index c8dd8dc..dca6cfd 100644
56457--- a/drivers/tty/rocket.c
56458+++ b/drivers/tty/rocket.c
56459@@ -914,7 +914,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp)
56460 tty->driver_data = info;
56461 tty_port_tty_set(port, tty);
56462
56463- if (port->count++ == 0) {
56464+ if (atomic_inc_return(&port->count) == 1) {
56465 atomic_inc(&rp_num_ports_open);
56466
56467 #ifdef ROCKET_DEBUG_OPEN
56468@@ -923,7 +923,7 @@ static int rp_open(struct tty_struct *tty, struct file *filp)
56469 #endif
56470 }
56471 #ifdef ROCKET_DEBUG_OPEN
56472- printk(KERN_INFO "rp_open ttyR%d, count=%d\n", info->line, info->port.count);
56473+ printk(KERN_INFO "rp_open ttyR%d, count=%d\n", info->line, atomic-read(&info->port.count));
56474 #endif
56475
56476 /*
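Review bot: `atomic-read(&info->port.count)` in the debug printk is a typo for `atomic_read`; as written it is a subtraction of two identifiers and will not compile once ROCKET_DEBUG_OPEN is defined. The line should be `printk(KERN_INFO "rp_open ttyR%d, count=%d\n", info->line, atomic_read(&info->port.count));`. Because it sits under `#ifdef ROCKET_DEBUG_OPEN`, a default build will not catch it. rp_open continues outside the hunk.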
56477@@ -1515,7 +1515,7 @@ static void rp_hangup(struct tty_struct *tty)
56478 spin_unlock_irqrestore(&info->port.lock, flags);
56479 return;
56480 }
56481- if (info->port.count)
56482+ if (atomic_read(&info->port.count))
56483 atomic_dec(&rp_num_ports_open);
56484 clear_bit((info->aiop * 8) + info->chan, (void *) &xmit_flags[info->board]);
56485 spin_unlock_irqrestore(&info->port.lock, flags);
56486diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
56487index c35d96e..f05d689 100644
56488--- a/drivers/tty/serial/8250/8250_core.c
56489+++ b/drivers/tty/serial/8250/8250_core.c
56490@@ -3237,9 +3237,9 @@ static void univ8250_release_port(struct uart_port *port)
56491
56492 static void univ8250_rsa_support(struct uart_ops *ops)
56493 {
56494- ops->config_port = univ8250_config_port;
56495- ops->request_port = univ8250_request_port;
56496- ops->release_port = univ8250_release_port;
56497+ *(void **)&ops->config_port = univ8250_config_port;
56498+ *(void **)&ops->request_port = univ8250_request_port;
56499+ *(void **)&ops->release_port = univ8250_release_port;
56500 }
56501
56502 #else
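Review bot: univ8250_rsa_support() now stores through `*(void **)&ops->...` casts but opens no write window itself. It relies on the caller in serial8250_isa_init_ports (next hunk) wrapping it in pax_open_kernel()/pax_close_kernel(). That precondition should be stated above the function, for example `/* Caller must be inside pax_open_kernel(): ops appears to point at write-protected data. */`. The casts also drop type checking on the three handler signatures, so the comment should say why they are needed.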
56503@@ -3282,8 +3282,10 @@ static void __init serial8250_isa_init_ports(void)
56504 }
56505
56506 /* chain base port ops to support Remote Supervisor Adapter */
56507- univ8250_port_ops = *base_ops;
56508+ pax_open_kernel();
56509+ memcpy((void *)&univ8250_port_ops, base_ops, sizeof univ8250_port_ops);
56510 univ8250_rsa_support(&univ8250_port_ops);
56511+ pax_close_kernel();
56512
56513 if (share_irqs)
56514 irqflag = IRQF_SHARED;
56515diff --git a/drivers/tty/serial/ifx6x60.c b/drivers/tty/serial/ifx6x60.c
56516index 536a33b..1b98f43 100644
56517--- a/drivers/tty/serial/ifx6x60.c
56518+++ b/drivers/tty/serial/ifx6x60.c
56519@@ -649,7 +649,7 @@ static void ifx_spi_complete(void *ctx)
56520 struct ifx_spi_device *ifx_dev = ctx;
56521 int length;
56522 int actual_length;
56523- unsigned char more;
56524+ unsigned char more = 0;
56525 unsigned char cts;
56526 int local_write_pending = 0;
56527 int queue_length;
56528diff --git a/drivers/tty/serial/ioc4_serial.c b/drivers/tty/serial/ioc4_serial.c
56529index e5c42fe..f091b02 100644
56530--- a/drivers/tty/serial/ioc4_serial.c
56531+++ b/drivers/tty/serial/ioc4_serial.c
56532@@ -437,7 +437,7 @@ struct ioc4_soft {
56533 } is_intr_info[MAX_IOC4_INTR_ENTS];
56534
56535 /* Number of entries active in the above array */
56536- atomic_t is_num_intrs;
56537+ atomic_unchecked_t is_num_intrs;
56538 } is_intr_type[IOC4_NUM_INTR_TYPES];
56539
56540 /* is_ir_lock must be held while
56541@@ -974,7 +974,7 @@ intr_connect(struct ioc4_soft *soft, int type,
56542 BUG_ON(!((type == IOC4_SIO_INTR_TYPE)
56543 || (type == IOC4_OTHER_INTR_TYPE)));
56544
56545- i = atomic_inc_return(&soft-> is_intr_type[type].is_num_intrs) - 1;
56546+ i = atomic_inc_return_unchecked(&soft-> is_intr_type[type].is_num_intrs) - 1;
56547 BUG_ON(!(i < MAX_IOC4_INTR_ENTS || (printk("i %d\n", i), 0)));
56548
56549 /* Save off the lower level interrupt handler */
56550@@ -1001,7 +1001,7 @@ static irqreturn_t ioc4_intr(int irq, void *arg)
56551
56552 soft = arg;
56553 for (intr_type = 0; intr_type < IOC4_NUM_INTR_TYPES; intr_type++) {
56554- num_intrs = (int)atomic_read(
56555+ num_intrs = (int)atomic_read_unchecked(
56556 &soft->is_intr_type[intr_type].is_num_intrs);
56557
56558 this_mir = this_ir = pending_intrs(soft, intr_type);
56559diff --git a/drivers/tty/serial/kgdb_nmi.c b/drivers/tty/serial/kgdb_nmi.c
56560index 117df15..2f7dfcf 100644
56561--- a/drivers/tty/serial/kgdb_nmi.c
56562+++ b/drivers/tty/serial/kgdb_nmi.c
56563@@ -53,7 +53,9 @@ static int kgdb_nmi_console_setup(struct console *co, char *options)
56564 * I/O utilities that messages sent to the console will automatically
56565 * be displayed on the dbg_io.
56566 */
56567- dbg_io_ops->is_console = true;
56568+ pax_open_kernel();
56569+ *(int *)&dbg_io_ops->is_console = true;
56570+ pax_close_kernel();
56571
56572 return 0;
56573 }
56574diff --git a/drivers/tty/serial/kgdboc.c b/drivers/tty/serial/kgdboc.c
56575index a260cde..6b2b5ce 100644
56576--- a/drivers/tty/serial/kgdboc.c
56577+++ b/drivers/tty/serial/kgdboc.c
56578@@ -24,8 +24,9 @@
56579 #define MAX_CONFIG_LEN 40
56580
56581 static struct kgdb_io kgdboc_io_ops;
56582+static struct kgdb_io kgdboc_io_ops_console;
56583
56584-/* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
56585+/* -1 = init not run yet, 0 = unconfigured, 1/2 = configured. */
56586 static int configured = -1;
56587
56588 static char config[MAX_CONFIG_LEN];
56589@@ -151,6 +152,8 @@ static void cleanup_kgdboc(void)
56590 kgdboc_unregister_kbd();
56591 if (configured == 1)
56592 kgdb_unregister_io_module(&kgdboc_io_ops);
56593+ else if (configured == 2)
56594+ kgdb_unregister_io_module(&kgdboc_io_ops_console);
56595 }
56596
56597 static int configure_kgdboc(void)
56598@@ -160,13 +163,13 @@ static int configure_kgdboc(void)
56599 int err;
56600 char *cptr = config;
56601 struct console *cons;
56602+ int is_console = 0;
56603
56604 err = kgdboc_option_setup(config);
56605 if (err || !strlen(config) || isspace(config[0]))
56606 goto noconfig;
56607
56608 err = -ENODEV;
56609- kgdboc_io_ops.is_console = 0;
56610 kgdb_tty_driver = NULL;
56611
56612 kgdboc_use_kms = 0;
56613@@ -187,7 +190,7 @@ static int configure_kgdboc(void)
56614 int idx;
56615 if (cons->device && cons->device(cons, &idx) == p &&
56616 idx == tty_line) {
56617- kgdboc_io_ops.is_console = 1;
56618+ is_console = 1;
56619 break;
56620 }
56621 cons = cons->next;
56622@@ -197,7 +200,13 @@ static int configure_kgdboc(void)
56623 kgdb_tty_line = tty_line;
56624
56625 do_register:
56626- err = kgdb_register_io_module(&kgdboc_io_ops);
56627+ if (is_console) {
56628+ err = kgdb_register_io_module(&kgdboc_io_ops_console);
56629+ configured = 2;
56630+ } else {
56631+ err = kgdb_register_io_module(&kgdboc_io_ops);
56632+ configured = 1;
56633+ }
56634 if (err)
56635 goto noconfig;
56636
56637@@ -205,8 +214,6 @@ do_register:
56638 if (err)
56639 goto nmi_con_failed;
56640
56641- configured = 1;
56642-
56643 return 0;
56644
56645 nmi_con_failed:
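Review bot: The `nmi_con_failed:` path is not touched by this patch, so if it still unregisters `&kgdboc_io_ops` (its body is outside the hunk) it unwinds the wrong structure whenever `kgdboc_io_ops_console` was the one registered in the `do_register:` hunk above. The unwind should select by state, e.g. `kgdb_unregister_io_module(configured == 2 ? &kgdboc_io_ops_console : &kgdboc_io_ops);`. `configured` is now also assigned before `err` is checked, so it briefly reports a configured state after a failed registration. The failure labels need to reset it before anything reads it.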
56646@@ -223,7 +230,7 @@ noconfig:
56647 static int __init init_kgdboc(void)
56648 {
56649 /* Already configured? */
56650- if (configured == 1)
56651+ if (configured >= 1)
56652 return 0;
56653
56654 return configure_kgdboc();
56655@@ -272,7 +279,7 @@ static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp)
56656 if (config[len - 1] == '\n')
56657 config[len - 1] = '\0';
56658
56659- if (configured == 1)
56660+ if (configured >= 1)
56661 cleanup_kgdboc();
56662
56663 /* Go and configure with the new params. */
56664@@ -312,6 +319,15 @@ static struct kgdb_io kgdboc_io_ops = {
56665 .post_exception = kgdboc_post_exp_handler,
56666 };
56667
56668+static struct kgdb_io kgdboc_io_ops_console = {
56669+ .name = "kgdboc",
56670+ .read_char = kgdboc_get_char,
56671+ .write_char = kgdboc_put_char,
56672+ .pre_exception = kgdboc_pre_exp_handler,
56673+ .post_exception = kgdboc_post_exp_handler,
56674+ .is_console = 1
56675+};
56676+
56677 #ifdef CONFIG_KGDB_SERIAL_CONSOLE
56678 /* This is only available if kgdboc is a built in for early debugging */
56679 static int __init kgdboc_early_init(char *opt)
56680diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
56681index b73889c..9f74f0a 100644
56682--- a/drivers/tty/serial/msm_serial.c
56683+++ b/drivers/tty/serial/msm_serial.c
56684@@ -1012,7 +1012,7 @@ static struct uart_driver msm_uart_driver = {
56685 .cons = MSM_CONSOLE,
56686 };
56687
56688-static atomic_t msm_uart_next_id = ATOMIC_INIT(0);
56689+static atomic_unchecked_t msm_uart_next_id = ATOMIC_INIT(0);
56690
56691 static const struct of_device_id msm_uartdm_table[] = {
56692 { .compatible = "qcom,msm-uartdm-v1.1", .data = (void *)UARTDM_1P1 },
56693@@ -1036,7 +1036,7 @@ static int msm_serial_probe(struct platform_device *pdev)
56694 line = pdev->id;
56695
56696 if (line < 0)
56697- line = atomic_inc_return(&msm_uart_next_id) - 1;
56698+ line = atomic_inc_return_unchecked(&msm_uart_next_id) - 1;
56699
56700 if (unlikely(line < 0 || line >= UART_NR))
56701 return -ENXIO;
56702diff --git a/drivers/tty/serial/samsung.c b/drivers/tty/serial/samsung.c
56703index 5916311..1e32415 100644
56704--- a/drivers/tty/serial/samsung.c
56705+++ b/drivers/tty/serial/samsung.c
56706@@ -995,11 +995,16 @@ static void s3c24xx_serial_shutdown(struct uart_port *port)
56707 ourport->tx_in_progress = 0;
56708 }
56709
56710+static int s3c64xx_serial_startup(struct uart_port *port);
56711 static int s3c24xx_serial_startup(struct uart_port *port)
56712 {
56713 struct s3c24xx_uart_port *ourport = to_ourport(port);
56714 int ret;
56715
56716+ /* Startup sequence is different for s3c64xx and higher SoC's */
56717+ if (s3c24xx_serial_has_interrupt_mask(port))
56718+ return s3c64xx_serial_startup(port);
56719+
56720 dbg("s3c24xx_serial_startup: port=%p (%08llx,%p)\n",
56721 port, (unsigned long long)port->mapbase, port->membase);
56722
56723@@ -1706,10 +1711,6 @@ static int s3c24xx_serial_init_port(struct s3c24xx_uart_port *ourport,
56724 /* setup info for port */
56725 port->dev = &platdev->dev;
56726
56727- /* Startup sequence is different for s3c64xx and higher SoC's */
56728- if (s3c24xx_serial_has_interrupt_mask(port))
56729- s3c24xx_serial_ops.startup = s3c64xx_serial_startup;
56730-
56731 port->uartclk = 1;
56732
56733 if (cfg->uart_flags & UPF_CONS_FLOW) {
56734diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c
56735index f368520..c7a703a 100644
56736--- a/drivers/tty/serial/serial_core.c
56737+++ b/drivers/tty/serial/serial_core.c
56738@@ -1385,7 +1385,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
56739 state = drv->state + tty->index;
56740 port = &state->port;
56741 spin_lock_irq(&port->lock);
56742- --port->count;
56743+ atomic_dec(&port->count);
56744 spin_unlock_irq(&port->lock);
56745 return;
56746 }
56747@@ -1395,7 +1395,7 @@ static void uart_close(struct tty_struct *tty, struct file *filp)
56748
56749 pr_debug("uart_close(%d) called\n", uport ? uport->line : -1);
56750
56751- if (!port->count || tty_port_close_start(port, tty, filp) == 0)
56752+ if (!atomic_read(&port->count) || tty_port_close_start(port, tty, filp) == 0)
56753 return;
56754
56755 /*
56756@@ -1520,7 +1520,7 @@ static void uart_hangup(struct tty_struct *tty)
56757 uart_flush_buffer(tty);
56758 uart_shutdown(tty, state);
56759 spin_lock_irqsave(&port->lock, flags);
56760- port->count = 0;
56761+ atomic_set(&port->count, 0);
56762 clear_bit(ASYNCB_NORMAL_ACTIVE, &port->flags);
56763 spin_unlock_irqrestore(&port->lock, flags);
56764 tty_port_tty_set(port, NULL);
56765@@ -1607,7 +1607,7 @@ static int uart_open(struct tty_struct *tty, struct file *filp)
56766 pr_debug("uart_open(%d) called\n", line);
56767
56768 spin_lock_irq(&port->lock);
56769- ++port->count;
56770+ atomic_inc(&port->count);
56771 spin_unlock_irq(&port->lock);
56772
56773 /*
56774diff --git a/drivers/tty/serial/uartlite.c b/drivers/tty/serial/uartlite.c
56775index b1c6bd3..5f038e2 100644
56776--- a/drivers/tty/serial/uartlite.c
56777+++ b/drivers/tty/serial/uartlite.c
56778@@ -341,13 +341,13 @@ static int ulite_request_port(struct uart_port *port)
56779 return -EBUSY;
56780 }
56781
56782- port->private_data = &uartlite_be;
56783+ port->private_data = (void *)&uartlite_be;
56784 ret = uart_in32(ULITE_CONTROL, port);
56785 uart_out32(ULITE_CONTROL_RST_TX, ULITE_CONTROL, port);
56786 ret = uart_in32(ULITE_STATUS, port);
56787 /* Endianess detection */
56788 if ((ret & ULITE_STATUS_TXEMPTY) != ULITE_STATUS_TXEMPTY)
56789- port->private_data = &uartlite_le;
56790+ port->private_data = (void *)&uartlite_le;
56791
56792 return 0;
56793 }
56794diff --git a/drivers/tty/synclink.c b/drivers/tty/synclink.c
56795index 2fac712..fcd5268 100644
56796--- a/drivers/tty/synclink.c
56797+++ b/drivers/tty/synclink.c
56798@@ -3090,7 +3090,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp)
56799
56800 if (debug_level >= DEBUG_LEVEL_INFO)
56801 printk("%s(%d):mgsl_close(%s) entry, count=%d\n",
56802- __FILE__,__LINE__, info->device_name, info->port.count);
56803+ __FILE__,__LINE__, info->device_name, atomic_read(&info->port.count));
56804
56805 if (tty_port_close_start(&info->port, tty, filp) == 0)
56806 goto cleanup;
56807@@ -3108,7 +3108,7 @@ static void mgsl_close(struct tty_struct *tty, struct file * filp)
56808 cleanup:
56809 if (debug_level >= DEBUG_LEVEL_INFO)
56810 printk("%s(%d):mgsl_close(%s) exit, count=%d\n", __FILE__,__LINE__,
56811- tty->driver->name, info->port.count);
56812+ tty->driver->name, atomic_read(&info->port.count));
56813
56814 } /* end of mgsl_close() */
56815
56816@@ -3207,8 +3207,8 @@ static void mgsl_hangup(struct tty_struct *tty)
56817
56818 mgsl_flush_buffer(tty);
56819 shutdown(info);
56820-
56821- info->port.count = 0;
56822+
56823+ atomic_set(&info->port.count, 0);
56824 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
56825 info->port.tty = NULL;
56826
56827@@ -3296,10 +3296,10 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
56828
56829 if (debug_level >= DEBUG_LEVEL_INFO)
56830 printk("%s(%d):block_til_ready before block on %s count=%d\n",
56831- __FILE__,__LINE__, tty->driver->name, port->count );
56832+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56833
56834 spin_lock_irqsave(&info->irq_spinlock, flags);
56835- port->count--;
56836+ atomic_dec(&port->count);
56837 spin_unlock_irqrestore(&info->irq_spinlock, flags);
56838 port->blocked_open++;
56839
56840@@ -3327,7 +3327,7 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
56841
56842 if (debug_level >= DEBUG_LEVEL_INFO)
56843 printk("%s(%d):block_til_ready blocking on %s count=%d\n",
56844- __FILE__,__LINE__, tty->driver->name, port->count );
56845+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56846
56847 tty_unlock(tty);
56848 schedule();
56849@@ -3339,12 +3339,12 @@ static int block_til_ready(struct tty_struct *tty, struct file * filp,
56850
56851 /* FIXME: Racy on hangup during close wait */
56852 if (!tty_hung_up_p(filp))
56853- port->count++;
56854+ atomic_inc(&port->count);
56855 port->blocked_open--;
56856
56857 if (debug_level >= DEBUG_LEVEL_INFO)
56858 printk("%s(%d):block_til_ready after blocking on %s count=%d\n",
56859- __FILE__,__LINE__, tty->driver->name, port->count );
56860+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
56861
56862 if (!retval)
56863 port->flags |= ASYNC_NORMAL_ACTIVE;
56864@@ -3396,7 +3396,7 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp)
56865
56866 if (debug_level >= DEBUG_LEVEL_INFO)
56867 printk("%s(%d):mgsl_open(%s), old ref count = %d\n",
56868- __FILE__,__LINE__,tty->driver->name, info->port.count);
56869+ __FILE__,__LINE__,tty->driver->name, atomic_read(&info->port.count));
56870
56871 /* If port is closing, signal caller to try again */
56872 if (info->port.flags & ASYNC_CLOSING){
56873@@ -3415,10 +3415,10 @@ static int mgsl_open(struct tty_struct *tty, struct file * filp)
56874 spin_unlock_irqrestore(&info->netlock, flags);
56875 goto cleanup;
56876 }
56877- info->port.count++;
56878+ atomic_inc(&info->port.count);
56879 spin_unlock_irqrestore(&info->netlock, flags);
56880
56881- if (info->port.count == 1) {
56882+ if (atomic_read(&info->port.count) == 1) {
56883 /* 1st open on this device, init hardware */
56884 retval = startup(info);
56885 if (retval < 0)
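Review bot: The first-open test `atomic_read(&info->port.count) == 1` re-reads the counter after `netlock` has been released, so the increment and the test remain two separate operations. The pre-patch code had the same shape, and whether another open can interleave depends on locking outside this hunk. Now that the field is atomic, the result can be taken from the increment itself: `first = atomic_inc_return(&info->port.count) == 1;` under the lock, then `if (first) {`. The open() hunk in synclink_gt.c has the same pattern. mgsl_open continues outside the hunk.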
56886@@ -3442,8 +3442,8 @@ cleanup:
56887 if (retval) {
56888 if (tty->count == 1)
56889 info->port.tty = NULL; /* tty layer will release tty struct */
56890- if(info->port.count)
56891- info->port.count--;
56892+ if (atomic_read(&info->port.count))
56893+ atomic_dec(&info->port.count);
56894 }
56895
56896 return retval;
56897@@ -7662,7 +7662,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
56898 unsigned short new_crctype;
56899
56900 /* return error if TTY interface open */
56901- if (info->port.count)
56902+ if (atomic_read(&info->port.count))
56903 return -EBUSY;
56904
56905 switch (encoding)
56906@@ -7758,7 +7758,7 @@ static int hdlcdev_open(struct net_device *dev)
56907
56908 /* arbitrate between network and tty opens */
56909 spin_lock_irqsave(&info->netlock, flags);
56910- if (info->port.count != 0 || info->netcount != 0) {
56911+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
56912 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
56913 spin_unlock_irqrestore(&info->netlock, flags);
56914 return -EBUSY;
56915@@ -7844,7 +7844,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
56916 printk("%s:hdlcdev_ioctl(%s)\n",__FILE__,dev->name);
56917
56918 /* return error if TTY interface open */
56919- if (info->port.count)
56920+ if (atomic_read(&info->port.count))
56921 return -EBUSY;
56922
56923 if (cmd != SIOCWANDEV)
56924diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
56925index 0ea8eee..b3f1b8f 100644
56926--- a/drivers/tty/synclink_gt.c
56927+++ b/drivers/tty/synclink_gt.c
56928@@ -670,7 +670,7 @@ static int open(struct tty_struct *tty, struct file *filp)
56929 tty->driver_data = info;
56930 info->port.tty = tty;
56931
56932- DBGINFO(("%s open, old ref count = %d\n", info->device_name, info->port.count));
56933+ DBGINFO(("%s open, old ref count = %d\n", info->device_name, atomic_read(&info->port.count)));
56934
56935 /* If port is closing, signal caller to try again */
56936 if (info->port.flags & ASYNC_CLOSING){
56937@@ -691,10 +691,10 @@ static int open(struct tty_struct *tty, struct file *filp)
56938 mutex_unlock(&info->port.mutex);
56939 goto cleanup;
56940 }
56941- info->port.count++;
56942+ atomic_inc(&info->port.count);
56943 spin_unlock_irqrestore(&info->netlock, flags);
56944
56945- if (info->port.count == 1) {
56946+ if (atomic_read(&info->port.count) == 1) {
56947 /* 1st open on this device, init hardware */
56948 retval = startup(info);
56949 if (retval < 0) {
56950@@ -715,8 +715,8 @@ cleanup:
56951 if (retval) {
56952 if (tty->count == 1)
56953 info->port.tty = NULL; /* tty layer will release tty struct */
56954- if(info->port.count)
56955- info->port.count--;
56956+ if(atomic_read(&info->port.count))
56957+ atomic_dec(&info->port.count);
56958 }
56959
56960 DBGINFO(("%s open rc=%d\n", info->device_name, retval));
56961@@ -729,7 +729,7 @@ static void close(struct tty_struct *tty, struct file *filp)
56962
56963 if (sanity_check(info, tty->name, "close"))
56964 return;
56965- DBGINFO(("%s close entry, count=%d\n", info->device_name, info->port.count));
56966+ DBGINFO(("%s close entry, count=%d\n", info->device_name, atomic_read(&info->port.count)));
56967
56968 if (tty_port_close_start(&info->port, tty, filp) == 0)
56969 goto cleanup;
56970@@ -746,7 +746,7 @@ static void close(struct tty_struct *tty, struct file *filp)
56971 tty_port_close_end(&info->port, tty);
56972 info->port.tty = NULL;
56973 cleanup:
56974- DBGINFO(("%s close exit, count=%d\n", tty->driver->name, info->port.count));
56975+ DBGINFO(("%s close exit, count=%d\n", tty->driver->name, atomic_read(&info->port.count)));
56976 }
56977
56978 static void hangup(struct tty_struct *tty)
56979@@ -764,7 +764,7 @@ static void hangup(struct tty_struct *tty)
56980 shutdown(info);
56981
56982 spin_lock_irqsave(&info->port.lock, flags);
56983- info->port.count = 0;
56984+ atomic_set(&info->port.count, 0);
56985 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
56986 info->port.tty = NULL;
56987 spin_unlock_irqrestore(&info->port.lock, flags);
56988@@ -1449,7 +1449,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
56989 unsigned short new_crctype;
56990
56991 /* return error if TTY interface open */
56992- if (info->port.count)
56993+ if (atomic_read(&info->port.count))
56994 return -EBUSY;
56995
56996 DBGINFO(("%s hdlcdev_attach\n", info->device_name));
56997@@ -1545,7 +1545,7 @@ static int hdlcdev_open(struct net_device *dev)
56998
56999 /* arbitrate between network and tty opens */
57000 spin_lock_irqsave(&info->netlock, flags);
57001- if (info->port.count != 0 || info->netcount != 0) {
57002+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
57003 DBGINFO(("%s hdlc_open busy\n", dev->name));
57004 spin_unlock_irqrestore(&info->netlock, flags);
57005 return -EBUSY;
57006@@ -1630,7 +1630,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
57007 DBGINFO(("%s hdlcdev_ioctl\n", dev->name));
57008
57009 /* return error if TTY interface open */
57010- if (info->port.count)
57011+ if (atomic_read(&info->port.count))
57012 return -EBUSY;
57013
57014 if (cmd != SIOCWANDEV)
57015@@ -2417,7 +2417,7 @@ static irqreturn_t slgt_interrupt(int dummy, void *dev_id)
57016 if (port == NULL)
57017 continue;
57018 spin_lock(&port->lock);
57019- if ((port->port.count || port->netcount) &&
57020+ if ((atomic_read(&port->port.count) || port->netcount) &&
57021 port->pending_bh && !port->bh_running &&
57022 !port->bh_requested) {
57023 DBGISR(("%s bh queued\n", port->device_name));
57024@@ -3303,7 +3303,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
57025 add_wait_queue(&port->open_wait, &wait);
57026
57027 spin_lock_irqsave(&info->lock, flags);
57028- port->count--;
57029+ atomic_dec(&port->count);
57030 spin_unlock_irqrestore(&info->lock, flags);
57031 port->blocked_open++;
57032
57033@@ -3339,7 +3339,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
57034 remove_wait_queue(&port->open_wait, &wait);
57035
57036 if (!tty_hung_up_p(filp))
57037- port->count++;
57038+ atomic_inc(&port->count);
57039 port->blocked_open--;
57040
57041 if (!retval)
57042diff --git a/drivers/tty/synclinkmp.c b/drivers/tty/synclinkmp.c
57043index 08633a8..3d56e14 100644
57044--- a/drivers/tty/synclinkmp.c
57045+++ b/drivers/tty/synclinkmp.c
57046@@ -750,7 +750,7 @@ static int open(struct tty_struct *tty, struct file *filp)
57047
57048 if (debug_level >= DEBUG_LEVEL_INFO)
57049 printk("%s(%d):%s open(), old ref count = %d\n",
57050- __FILE__,__LINE__,tty->driver->name, info->port.count);
57051+ __FILE__,__LINE__,tty->driver->name, atomic_read(&info->port.count));
57052
57053 /* If port is closing, signal caller to try again */
57054 if (info->port.flags & ASYNC_CLOSING){
57055@@ -769,10 +769,10 @@ static int open(struct tty_struct *tty, struct file *filp)
57056 spin_unlock_irqrestore(&info->netlock, flags);
57057 goto cleanup;
57058 }
57059- info->port.count++;
57060+ atomic_inc(&info->port.count);
57061 spin_unlock_irqrestore(&info->netlock, flags);
57062
57063- if (info->port.count == 1) {
57064+ if (atomic_read(&info->port.count) == 1) {
57065 /* 1st open on this device, init hardware */
57066 retval = startup(info);
57067 if (retval < 0)
57068@@ -796,8 +796,8 @@ cleanup:
57069 if (retval) {
57070 if (tty->count == 1)
57071 info->port.tty = NULL; /* tty layer will release tty struct */
57072- if(info->port.count)
57073- info->port.count--;
57074+ if(atomic_read(&info->port.count))
57075+ atomic_dec(&info->port.count);
57076 }
57077
57078 return retval;
57079@@ -815,7 +815,7 @@ static void close(struct tty_struct *tty, struct file *filp)
57080
57081 if (debug_level >= DEBUG_LEVEL_INFO)
57082 printk("%s(%d):%s close() entry, count=%d\n",
57083- __FILE__,__LINE__, info->device_name, info->port.count);
57084+ __FILE__,__LINE__, info->device_name, atomic_read(&info->port.count));
57085
57086 if (tty_port_close_start(&info->port, tty, filp) == 0)
57087 goto cleanup;
57088@@ -834,7 +834,7 @@ static void close(struct tty_struct *tty, struct file *filp)
57089 cleanup:
57090 if (debug_level >= DEBUG_LEVEL_INFO)
57091 printk("%s(%d):%s close() exit, count=%d\n", __FILE__,__LINE__,
57092- tty->driver->name, info->port.count);
57093+ tty->driver->name, atomic_read(&info->port.count));
57094 }
57095
57096 /* Called by tty_hangup() when a hangup is signaled.
57097@@ -857,7 +857,7 @@ static void hangup(struct tty_struct *tty)
57098 shutdown(info);
57099
57100 spin_lock_irqsave(&info->port.lock, flags);
57101- info->port.count = 0;
57102+ atomic_set(&info->port.count, 0);
57103 info->port.flags &= ~ASYNC_NORMAL_ACTIVE;
57104 info->port.tty = NULL;
57105 spin_unlock_irqrestore(&info->port.lock, flags);
57106@@ -1565,7 +1565,7 @@ static int hdlcdev_attach(struct net_device *dev, unsigned short encoding,
57107 unsigned short new_crctype;
57108
57109 /* return error if TTY interface open */
57110- if (info->port.count)
57111+ if (atomic_read(&info->port.count))
57112 return -EBUSY;
57113
57114 switch (encoding)
57115@@ -1661,7 +1661,7 @@ static int hdlcdev_open(struct net_device *dev)
57116
57117 /* arbitrate between network and tty opens */
57118 spin_lock_irqsave(&info->netlock, flags);
57119- if (info->port.count != 0 || info->netcount != 0) {
57120+ if (atomic_read(&info->port.count) != 0 || info->netcount != 0) {
57121 printk(KERN_WARNING "%s: hdlc_open returning busy\n", dev->name);
57122 spin_unlock_irqrestore(&info->netlock, flags);
57123 return -EBUSY;
57124@@ -1747,7 +1747,7 @@ static int hdlcdev_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
57125 printk("%s:hdlcdev_ioctl(%s)\n",__FILE__,dev->name);
57126
57127 /* return error if TTY interface open */
57128- if (info->port.count)
57129+ if (atomic_read(&info->port.count))
57130 return -EBUSY;
57131
57132 if (cmd != SIOCWANDEV)
57133@@ -2624,7 +2624,7 @@ static irqreturn_t synclinkmp_interrupt(int dummy, void *dev_id)
57134 * do not request bottom half processing if the
57135 * device is not open in a normal mode.
57136 */
57137- if ( port && (port->port.count || port->netcount) &&
57138+ if ( port && (atomic_read(&port->port.count) || port->netcount) &&
57139 port->pending_bh && !port->bh_running &&
57140 !port->bh_requested ) {
57141 if ( debug_level >= DEBUG_LEVEL_ISR )
57142@@ -3321,10 +3321,10 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
57143
57144 if (debug_level >= DEBUG_LEVEL_INFO)
57145 printk("%s(%d):%s block_til_ready() before block, count=%d\n",
57146- __FILE__,__LINE__, tty->driver->name, port->count );
57147+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
57148
57149 spin_lock_irqsave(&info->lock, flags);
57150- port->count--;
57151+ atomic_dec(&port->count);
57152 spin_unlock_irqrestore(&info->lock, flags);
57153 port->blocked_open++;
57154
57155@@ -3352,7 +3352,7 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
57156
57157 if (debug_level >= DEBUG_LEVEL_INFO)
57158 printk("%s(%d):%s block_til_ready() count=%d\n",
57159- __FILE__,__LINE__, tty->driver->name, port->count );
57160+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
57161
57162 tty_unlock(tty);
57163 schedule();
57164@@ -3362,12 +3362,12 @@ static int block_til_ready(struct tty_struct *tty, struct file *filp,
57165 set_current_state(TASK_RUNNING);
57166 remove_wait_queue(&port->open_wait, &wait);
57167 if (!tty_hung_up_p(filp))
57168- port->count++;
57169+ atomic_inc(&port->count);
57170 port->blocked_open--;
57171
57172 if (debug_level >= DEBUG_LEVEL_INFO)
57173 printk("%s(%d):%s block_til_ready() after, count=%d\n",
57174- __FILE__,__LINE__, tty->driver->name, port->count );
57175+ __FILE__,__LINE__, tty->driver->name, atomic_read(&port->count));
57176
57177 if (!retval)
57178 port->flags |= ASYNC_NORMAL_ACTIVE;
57179diff --git a/drivers/tty/sysrq.c b/drivers/tty/sysrq.c
57180index b5b4278..bb9c7b0 100644
57181--- a/drivers/tty/sysrq.c
57182+++ b/drivers/tty/sysrq.c
57183@@ -1072,7 +1072,7 @@ EXPORT_SYMBOL(unregister_sysrq_key);
57184 static ssize_t write_sysrq_trigger(struct file *file, const char __user *buf,
57185 size_t count, loff_t *ppos)
57186 {
57187- if (count) {
57188+ if (count && capable(CAP_SYS_ADMIN)) {
57189 char c;
57190
57191 if (get_user(c, buf))
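Review bot: The added `capable(CAP_SYS_ADMIN)` test is evaluated against the task calling write(), and a caller that fails it simply falls past the `if` with no error. The rest of write_sysrq_trigger() is outside the hunk; if it still returns `count` as for a successful write, a denied request is indistinguishable from an accepted one, which also hides denials from anyone auditing use of this file. Consider an explicit `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` ahead of the `if (count)` block, with a one-line comment that the trigger is restricted beyond the file mode.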
57192diff --git a/drivers/tty/tty_buffer.c b/drivers/tty/tty_buffer.c
57193index 4cf263d..fd011fa 100644
57194--- a/drivers/tty/tty_buffer.c
57195+++ b/drivers/tty/tty_buffer.c
57196@@ -242,7 +242,10 @@ void tty_buffer_flush(struct tty_struct *tty, struct tty_ldisc *ld)
57197 atomic_inc(&buf->priority);
57198
57199 mutex_lock(&buf->lock);
57200- while ((next = buf->head->next) != NULL) {
57201+ /* paired w/ release in __tty_buffer_request_room; ensures there are
57202+ * no pending memory accesses to the freed buffer
57203+ */
57204+ while ((next = smp_load_acquire(&buf->head->next)) != NULL) {
57205 tty_buffer_free(port, buf->head);
57206 buf->head = next;
57207 }
57208@@ -290,13 +293,15 @@ static int __tty_buffer_request_room(struct tty_port *port, size_t size,
57209 if (n != NULL) {
57210 n->flags = flags;
57211 buf->tail = n;
57212- b->commit = b->used;
57213- /* paired w/ barrier in flush_to_ldisc(); ensures the
57214+ /* paired w/ acquire in flush_to_ldisc(); ensures
57215+ * flush_to_ldisc() sees buffer data.
57216+ */
57217+ smp_store_release(&b->commit, b->used);
57218+ /* paired w/ acquire in flush_to_ldisc(); ensures the
57219 * latest commit value can be read before the head is
57220 * advanced to the next buffer
57221 */
57222- smp_wmb();
57223- b->next = n;
57224+ smp_store_release(&b->next, n);
57225 } else if (change)
57226 size = 0;
57227 else
57228@@ -394,7 +399,10 @@ void tty_schedule_flip(struct tty_port *port)
57229 {
57230 struct tty_bufhead *buf = &port->buf;
57231
57232- buf->tail->commit = buf->tail->used;
57233+ /* paired w/ acquire in flush_to_ldisc(); ensures
57234+ * flush_to_ldisc() sees buffer data.
57235+ */
57236+ smp_store_release(&buf->tail->commit, buf->tail->used);
57237 schedule_work(&buf->work);
57238 }
57239 EXPORT_SYMBOL(tty_schedule_flip);
57240@@ -469,7 +477,7 @@ static void flush_to_ldisc(struct work_struct *work)
57241 struct tty_struct *tty;
57242 struct tty_ldisc *disc;
57243
57244- tty = port->itty;
57245+ tty = READ_ONCE(port->itty);
57246 if (tty == NULL)
57247 return;
57248
57249@@ -488,13 +496,15 @@ static void flush_to_ldisc(struct work_struct *work)
57250 if (atomic_read(&buf->priority))
57251 break;
57252
57253- next = head->next;
57254- /* paired w/ barrier in __tty_buffer_request_room();
57255+ /* paired w/ release in __tty_buffer_request_room();
57256 * ensures commit value read is not stale if the head
57257 * is advancing to the next buffer
57258 */
57259- smp_rmb();
57260- count = head->commit - head->read;
57261+ next = smp_load_acquire(&head->next);
57262+ /* paired w/ release in __tty_buffer_request_room() or in
57263+ * tty_buffer_flush(); ensures we see the committed buffer data
57264+ */
57265+ count = smp_load_acquire(&head->commit) - head->read;
57266 if (!count) {
57267 if (next == NULL) {
57268 check_other_closed(tty);
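Review bot: The new comment above the `head->commit` load names tty_buffer_flush() as a release-side partner, but the tty_buffer_flush() hunk in this same file only adds an `smp_load_acquire()` on `head->next`; the other visible `smp_store_release()` on `commit` is in tty_schedule_flip(). If that is the intended pairing, the comment should read `paired w/ release in __tty_buffer_request_room() or in tty_schedule_flip()`. Barrier comments are the only record of which store a load synchronizes with, so a wrong function name here will mislead the next change to this lock-free path. Both functions extend beyond their hunks, so confirm against the full file.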
57269diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
57270index 774df35..62fa290 100644
57271--- a/drivers/tty/tty_io.c
57272+++ b/drivers/tty/tty_io.c
57273@@ -3524,7 +3524,7 @@ EXPORT_SYMBOL(tty_devnum);
57274
57275 void tty_default_fops(struct file_operations *fops)
57276 {
57277- *fops = tty_fops;
57278+ memcpy((void *)fops, &tty_fops, sizeof(tty_fops));
57279 }
57280
57281 /*
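Review bot: Replacing the struct assignment with `memcpy((void *)fops, &tty_fops, sizeof(tty_fops))` drops the compiler's type check on the destination and leaves no trace of why the assignment form was abandoned. If the cast is there to get past a const-qualified `struct file_operations` (an inference; nothing in this hunk says so), a short comment should state that. The size is also better tied to the destination object: `memcpy((void *)fops, &tty_fops, sizeof(*fops));`.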
57282diff --git a/drivers/tty/tty_ldisc.c b/drivers/tty/tty_ldisc.c
57283index c07fb5d..942acf7 100644
57284--- a/drivers/tty/tty_ldisc.c
57285+++ b/drivers/tty/tty_ldisc.c
57286@@ -70,7 +70,7 @@ int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc)
57287 raw_spin_lock_irqsave(&tty_ldiscs_lock, flags);
57288 tty_ldiscs[disc] = new_ldisc;
57289 new_ldisc->num = disc;
57290- new_ldisc->refcount = 0;
57291+ atomic_set(&new_ldisc->refcount, 0);
57292 raw_spin_unlock_irqrestore(&tty_ldiscs_lock, flags);
57293
57294 return ret;
57295@@ -98,7 +98,7 @@ int tty_unregister_ldisc(int disc)
57296 return -EINVAL;
57297
57298 raw_spin_lock_irqsave(&tty_ldiscs_lock, flags);
57299- if (tty_ldiscs[disc]->refcount)
57300+ if (atomic_read(&tty_ldiscs[disc]->refcount))
57301 ret = -EBUSY;
57302 else
57303 tty_ldiscs[disc] = NULL;
57304@@ -119,7 +119,7 @@ static struct tty_ldisc_ops *get_ldops(int disc)
57305 if (ldops) {
57306 ret = ERR_PTR(-EAGAIN);
57307 if (try_module_get(ldops->owner)) {
57308- ldops->refcount++;
57309+ atomic_inc(&ldops->refcount);
57310 ret = ldops;
57311 }
57312 }
57313@@ -132,7 +132,7 @@ static void put_ldops(struct tty_ldisc_ops *ldops)
57314 unsigned long flags;
57315
57316 raw_spin_lock_irqsave(&tty_ldiscs_lock, flags);
57317- ldops->refcount--;
57318+ atomic_dec(&ldops->refcount);
57319 module_put(ldops->owner);
57320 raw_spin_unlock_irqrestore(&tty_ldiscs_lock, flags);
57321 }
57322diff --git a/drivers/tty/tty_port.c b/drivers/tty/tty_port.c
57323index 40b31835..94d92ae 100644
57324--- a/drivers/tty/tty_port.c
57325+++ b/drivers/tty/tty_port.c
57326@@ -236,7 +236,7 @@ void tty_port_hangup(struct tty_port *port)
57327 unsigned long flags;
57328
57329 spin_lock_irqsave(&port->lock, flags);
57330- port->count = 0;
57331+ atomic_set(&port->count, 0);
57332 port->flags &= ~ASYNC_NORMAL_ACTIVE;
57333 tty = port->tty;
57334 if (tty)
57335@@ -398,7 +398,7 @@ int tty_port_block_til_ready(struct tty_port *port,
57336
57337 /* The port lock protects the port counts */
57338 spin_lock_irqsave(&port->lock, flags);
57339- port->count--;
57340+ atomic_dec(&port->count);
57341 port->blocked_open++;
57342 spin_unlock_irqrestore(&port->lock, flags);
57343
57344@@ -440,7 +440,7 @@ int tty_port_block_til_ready(struct tty_port *port,
57345 we must not mess that up further */
57346 spin_lock_irqsave(&port->lock, flags);
57347 if (!tty_hung_up_p(filp))
57348- port->count++;
57349+ atomic_inc(&port->count);
57350 port->blocked_open--;
57351 if (retval == 0)
57352 port->flags |= ASYNC_NORMAL_ACTIVE;
57353@@ -476,19 +476,19 @@ int tty_port_close_start(struct tty_port *port,
57354 return 0;
57355
57356 spin_lock_irqsave(&port->lock, flags);
57357- if (tty->count == 1 && port->count != 1) {
57358+ if (tty->count == 1 && atomic_read(&port->count) != 1) {
57359 printk(KERN_WARNING
57360 "tty_port_close_start: tty->count = 1 port count = %d.\n",
57361- port->count);
57362- port->count = 1;
57363+ atomic_read(&port->count));
57364+ atomic_set(&port->count, 1);
57365 }
57366- if (--port->count < 0) {
57367+ if (atomic_dec_return(&port->count) < 0) {
57368 printk(KERN_WARNING "tty_port_close_start: count = %d\n",
57369- port->count);
57370- port->count = 0;
57371+ atomic_read(&port->count));
57372+ atomic_set(&port->count, 0);
57373 }
57374
57375- if (port->count) {
57376+ if (atomic_read(&port->count)) {
57377 spin_unlock_irqrestore(&port->lock, flags);
57378 return 0;
57379 }
57380@@ -590,7 +590,7 @@ int tty_port_open(struct tty_port *port, struct tty_struct *tty,
57381 struct file *filp)
57382 {
57383 spin_lock_irq(&port->lock);
57384- ++port->count;
57385+ atomic_inc(&port->count);
57386 spin_unlock_irq(&port->lock);
57387 tty_port_tty_set(port, tty);
57388
57389diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c
57390index 6f0336f..5818bc1 100644
57391--- a/drivers/tty/vt/keyboard.c
57392+++ b/drivers/tty/vt/keyboard.c
57393@@ -642,6 +642,16 @@ static void k_spec(struct vc_data *vc, unsigned char value, char up_flag)
57394 kbd->kbdmode == VC_OFF) &&
57395 value != KVAL(K_SAK))
57396 return; /* SAK is allowed even in raw mode */
57397+
57398+#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
57399+ {
57400+ void *func = fn_handler[value];
57401+ if (func == fn_show_state || func == fn_show_ptregs ||
57402+ func == fn_show_mem)
57403+ return;
57404+ }
57405+#endif
57406+
57407 fn_handler[value](vc);
57408 }
57409
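Review bot: The handler comparison stores a function pointer in `void *func`, a conversion standard C does not define and one that discards the handler's type; the block also has no comment saying why these three handlers are skipped. Declare `func` with the table's element type, or compare `fn_handler[value]` against the three handlers directly. A comment such as `/* these keys dump task, register and memory state to the console; suppress them when /proc is restricted */` would record the intent, assuming that is the reason for tying this to CONFIG_GRKERNSEC_PROC. The bounds check on `value` is not part of this hunk.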
57410@@ -1880,9 +1890,6 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm,
57411 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
57412 return -EFAULT;
57413
57414- if (!capable(CAP_SYS_TTY_CONFIG))
57415- perm = 0;
57416-
57417 switch (cmd) {
57418 case KDGKBENT:
57419 /* Ensure another thread doesn't free it under us */
57420@@ -1897,6 +1904,9 @@ int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, int perm,
57421 spin_unlock_irqrestore(&kbd_event_lock, flags);
57422 return put_user(val, &user_kbe->kb_value);
57423 case KDSKBENT:
57424+ if (!capable(CAP_SYS_TTY_CONFIG))
57425+ perm = 0;
57426+
57427 if (!perm)
57428 return -EPERM;
57429 if (!i && v == K_NOSUCHMAP) {
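Review bot: Moving the `capable(CAP_SYS_TTY_CONFIG)` test into the `KDSKBENT` case means the get path no longer evaluates the capability at all, and nothing in the code says this is deliberate. A one-line comment at the new site, e.g. `/* only the set operation needs CAP_SYS_TTY_CONFIG; do not probe the capability on reads */`, would keep a later cleanup from hoisting the check back to the top of the function. The same move is made for `KDSKBSENT` in vt_do_kdgkb_ioctl() in the following hunks. The function body extends beyond this hunk.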
57430@@ -1987,9 +1997,6 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
57431 int i, j, k;
57432 int ret;
57433
57434- if (!capable(CAP_SYS_TTY_CONFIG))
57435- perm = 0;
57436-
57437 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
57438 if (!kbs) {
57439 ret = -ENOMEM;
57440@@ -2023,6 +2030,9 @@ int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, int perm)
57441 kfree(kbs);
57442 return ((p && *p) ? -EOVERFLOW : 0);
57443 case KDSKBSENT:
57444+ if (!capable(CAP_SYS_TTY_CONFIG))
57445+ perm = 0;
57446+
57447 if (!perm) {
57448 ret = -EPERM;
57449 goto reterr;
57450diff --git a/drivers/uio/uio.c b/drivers/uio/uio.c
57451index 3257d42..b430b06 100644
57452--- a/drivers/uio/uio.c
57453+++ b/drivers/uio/uio.c
57454@@ -25,6 +25,7 @@
57455 #include <linux/kobject.h>
57456 #include <linux/cdev.h>
57457 #include <linux/uio_driver.h>
57458+#include <asm/local.h>
57459
57460 #define UIO_MAX_DEVICES (1U << MINORBITS)
57461
57462@@ -231,7 +232,7 @@ static ssize_t event_show(struct device *dev,
57463 struct device_attribute *attr, char *buf)
57464 {
57465 struct uio_device *idev = dev_get_drvdata(dev);
57466- return sprintf(buf, "%u\n", (unsigned int)atomic_read(&idev->event));
57467+ return sprintf(buf, "%u\n", (unsigned int)atomic_read_unchecked(&idev->event));
57468 }
57469 static DEVICE_ATTR_RO(event);
57470
57471@@ -393,7 +394,7 @@ void uio_event_notify(struct uio_info *info)
57472 {
57473 struct uio_device *idev = info->uio_dev;
57474
57475- atomic_inc(&idev->event);
57476+ atomic_inc_unchecked(&idev->event);
57477 wake_up_interruptible(&idev->wait);
57478 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
57479 }
57480@@ -446,7 +447,7 @@ static int uio_open(struct inode *inode, struct file *filep)
57481 }
57482
57483 listener->dev = idev;
57484- listener->event_count = atomic_read(&idev->event);
57485+ listener->event_count = atomic_read_unchecked(&idev->event);
57486 filep->private_data = listener;
57487
57488 if (idev->info->open) {
57489@@ -497,7 +498,7 @@ static unsigned int uio_poll(struct file *filep, poll_table *wait)
57490 return -EIO;
57491
57492 poll_wait(filep, &idev->wait, wait);
57493- if (listener->event_count != atomic_read(&idev->event))
57494+ if (listener->event_count != atomic_read_unchecked(&idev->event))
57495 return POLLIN | POLLRDNORM;
57496 return 0;
57497 }
57498@@ -522,7 +523,7 @@ static ssize_t uio_read(struct file *filep, char __user *buf,
57499 do {
57500 set_current_state(TASK_INTERRUPTIBLE);
57501
57502- event_count = atomic_read(&idev->event);
57503+ event_count = atomic_read_unchecked(&idev->event);
57504 if (event_count != listener->event_count) {
57505 if (copy_to_user(buf, &event_count, count))
57506 retval = -EFAULT;
57507@@ -579,9 +580,13 @@ static ssize_t uio_write(struct file *filep, const char __user *buf,
57508 static int uio_find_mem_index(struct vm_area_struct *vma)
57509 {
57510 struct uio_device *idev = vma->vm_private_data;
57511+ unsigned long size;
57512
57513 if (vma->vm_pgoff < MAX_UIO_MAPS) {
57514- if (idev->info->mem[vma->vm_pgoff].size == 0)
57515+ size = idev->info->mem[vma->vm_pgoff].size;
57516+ if (size == 0)
57517+ return -1;
57518+ if (vma->vm_end - vma->vm_start > size)
57519 return -1;
57520 return (int)vma->vm_pgoff;
57521 }
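Review bot: The new length check compares the VMA span, which is always a whole number of pages, against the raw `size` of the region, so a region whose size is not a page multiple can no longer be mapped at all. That is the conservative choice, but it should be stated, e.g. `/* refuse mappings larger than the region; regions that are not a whole number of pages cannot be mapped */`. Also confirm that `unsigned long size` is as wide as the `mem[].size` field, whose declaration is not on this page, so a large region is not truncated before the comparison.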
57522@@ -813,7 +818,7 @@ int __uio_register_device(struct module *owner,
57523 idev->owner = owner;
57524 idev->info = info;
57525 init_waitqueue_head(&idev->wait);
57526- atomic_set(&idev->event, 0);
57527+ atomic_set_unchecked(&idev->event, 0);
57528
57529 ret = uio_get_minor(idev);
57530 if (ret)
57531diff --git a/drivers/usb/atm/cxacru.c b/drivers/usb/atm/cxacru.c
57532index 813d4d3..a71934f 100644
57533--- a/drivers/usb/atm/cxacru.c
57534+++ b/drivers/usb/atm/cxacru.c
57535@@ -472,7 +472,7 @@ static ssize_t cxacru_sysfs_store_adsl_config(struct device *dev,
57536 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
57537 if (ret < 2)
57538 return -EINVAL;
57539- if (index < 0 || index > 0x7f)
57540+ if (index > 0x7f)
57541 return -EINVAL;
57542 pos += tmp;
57543
57544diff --git a/drivers/usb/atm/usbatm.c b/drivers/usb/atm/usbatm.c
57545index db322d9..f0f4bc1 100644
57546--- a/drivers/usb/atm/usbatm.c
57547+++ b/drivers/usb/atm/usbatm.c
57548@@ -331,7 +331,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
57549 if (printk_ratelimit())
57550 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
57551 __func__, vpi, vci);
57552- atomic_inc(&vcc->stats->rx_err);
57553+ atomic_inc_unchecked(&vcc->stats->rx_err);
57554 return;
57555 }
57556
57557@@ -358,7 +358,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
57558 if (length > ATM_MAX_AAL5_PDU) {
57559 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
57560 __func__, length, vcc);
57561- atomic_inc(&vcc->stats->rx_err);
57562+ atomic_inc_unchecked(&vcc->stats->rx_err);
57563 goto out;
57564 }
57565
57566@@ -367,14 +367,14 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
57567 if (sarb->len < pdu_length) {
57568 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
57569 __func__, pdu_length, sarb->len, vcc);
57570- atomic_inc(&vcc->stats->rx_err);
57571+ atomic_inc_unchecked(&vcc->stats->rx_err);
57572 goto out;
57573 }
57574
57575 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
57576 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
57577 __func__, vcc);
57578- atomic_inc(&vcc->stats->rx_err);
57579+ atomic_inc_unchecked(&vcc->stats->rx_err);
57580 goto out;
57581 }
57582
57583@@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
57584 if (printk_ratelimit())
57585 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
57586 __func__, length);
57587- atomic_inc(&vcc->stats->rx_drop);
57588+ atomic_inc_unchecked(&vcc->stats->rx_drop);
57589 goto out;
57590 }
57591
57592@@ -415,7 +415,7 @@ static void usbatm_extract_one_cell(struct usbatm_data *instance, unsigned char
57593
57594 vcc->push(vcc, skb);
57595
57596- atomic_inc(&vcc->stats->rx);
57597+ atomic_inc_unchecked(&vcc->stats->rx);
57598 out:
57599 skb_trim(sarb, 0);
57600 }
57601@@ -613,7 +613,7 @@ static void usbatm_tx_process(unsigned long data)
57602 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
57603
57604 usbatm_pop(vcc, skb);
57605- atomic_inc(&vcc->stats->tx);
57606+ atomic_inc_unchecked(&vcc->stats->tx);
57607
57608 skb = skb_dequeue(&instance->sndqueue);
57609 }
57610@@ -757,11 +757,11 @@ static int usbatm_atm_proc_read(struct atm_dev *atm_dev, loff_t *pos, char *page
57611 if (!left--)
57612 return sprintf(page,
57613 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
57614- atomic_read(&atm_dev->stats.aal5.tx),
57615- atomic_read(&atm_dev->stats.aal5.tx_err),
57616- atomic_read(&atm_dev->stats.aal5.rx),
57617- atomic_read(&atm_dev->stats.aal5.rx_err),
57618- atomic_read(&atm_dev->stats.aal5.rx_drop));
57619+ atomic_read_unchecked(&atm_dev->stats.aal5.tx),
57620+ atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
57621+ atomic_read_unchecked(&atm_dev->stats.aal5.rx),
57622+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
57623+ atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
57624
57625 if (!left--) {
57626 if (instance->disconnected)
57627diff --git a/drivers/usb/class/cdc-acm.h b/drivers/usb/class/cdc-acm.h
57628index dd9af38..75b53e3 100644
57629--- a/drivers/usb/class/cdc-acm.h
57630+++ b/drivers/usb/class/cdc-acm.h
57631@@ -95,7 +95,7 @@ struct acm {
57632 struct urb *read_urbs[ACM_NR];
57633 struct acm_rb read_buffers[ACM_NR];
57634 int rx_buflimit;
57635- int rx_endpoint;
57636+ unsigned int rx_endpoint;
57637 spinlock_t read_lock;
57638 int write_used; /* number of non-empty write buffers */
57639 int transmitting;
57640diff --git a/drivers/usb/core/devices.c b/drivers/usb/core/devices.c
57641index 2a3bbdf..91d72cf 100644
57642--- a/drivers/usb/core/devices.c
57643+++ b/drivers/usb/core/devices.c
57644@@ -126,7 +126,7 @@ static const char format_endpt[] =
57645 * time it gets called.
57646 */
57647 static struct device_connect_event {
57648- atomic_t count;
57649+ atomic_unchecked_t count;
57650 wait_queue_head_t wait;
57651 } device_event = {
57652 .count = ATOMIC_INIT(1),
57653@@ -164,7 +164,7 @@ static const struct class_info clas_info[] = {
57654
57655 void usbfs_conn_disc_event(void)
57656 {
57657- atomic_add(2, &device_event.count);
57658+ atomic_add_unchecked(2, &device_event.count);
57659 wake_up(&device_event.wait);
57660 }
57661
57662@@ -652,7 +652,7 @@ static unsigned int usb_device_poll(struct file *file,
57663
57664 poll_wait(file, &device_event.wait, wait);
57665
57666- event_count = atomic_read(&device_event.count);
57667+ event_count = atomic_read_unchecked(&device_event.count);
57668 if (file->f_version != event_count) {
57669 file->f_version = event_count;
57670 return POLLIN | POLLRDNORM;
57671diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
57672index 986abde..2af59b11 100644
57673--- a/drivers/usb/core/devio.c
57674+++ b/drivers/usb/core/devio.c
57675@@ -187,7 +187,7 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
57676 struct usb_dev_state *ps = file->private_data;
57677 struct usb_device *dev = ps->dev;
57678 ssize_t ret = 0;
57679- unsigned len;
57680+ size_t len;
57681 loff_t pos;
57682 int i;
57683
57684@@ -229,22 +229,22 @@ static ssize_t usbdev_read(struct file *file, char __user *buf, size_t nbytes,
57685 for (i = 0; nbytes && i < dev->descriptor.bNumConfigurations; i++) {
57686 struct usb_config_descriptor *config =
57687 (struct usb_config_descriptor *)dev->rawdescriptors[i];
57688- unsigned int length = le16_to_cpu(config->wTotalLength);
57689+ size_t length = le16_to_cpu(config->wTotalLength);
57690
57691 if (*ppos < pos + length) {
57692
57693 /* The descriptor may claim to be longer than it
57694 * really is. Here is the actual allocated length. */
57695- unsigned alloclen =
57696+ size_t alloclen =
57697 le16_to_cpu(dev->config[i].desc.wTotalLength);
57698
57699- len = length - (*ppos - pos);
57700+ len = length + pos - *ppos;
57701 if (len > nbytes)
57702 len = nbytes;
57703
57704 /* Simply don't write (skip over) unallocated parts */
57705 if (alloclen > (*ppos - pos)) {
57706- alloclen -= (*ppos - pos);
57707+ alloclen = alloclen + pos - *ppos;
57708 if (copy_to_user(buf,
57709 dev->rawdescriptors[i] + (*ppos - pos),
57710 min(len, alloclen))) {
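Review bot: The rewritten expressions `length + pos - *ppos` and `alloclen + pos - *ppos` mix `size_t` with `loff_t` and are non-negative only because `*ppos >= pos` and the two guards above them hold, none of which is stated next to the arithmetic. A comment on the first rewritten line, e.g. `/* *ppos is in [pos, pos + length) here, so the result fits in size_t */`, would record the invariant and explain why the operands were reordered from `length - (*ppos - pos)`. That `*ppos >= pos` holds on entry to the loop body is established outside this hunk, so confirm it against the full function.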
57711@@ -1499,7 +1499,7 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
57712 }
57713 }
57714 as->urb->dev = ps->dev;
57715- as->urb->pipe = (uurb->type << 30) |
57716+ as->urb->pipe = ((unsigned int)uurb->type << 30) |
57717 __create_pipe(ps->dev, uurb->endpoint & 0xf) |
57718 (uurb->endpoint & USB_DIR_IN);
57719
57720diff --git a/drivers/usb/core/hcd.c b/drivers/usb/core/hcd.c
57721index cbcd092..e783f87 100644
57722--- a/drivers/usb/core/hcd.c
57723+++ b/drivers/usb/core/hcd.c
57724@@ -1554,7 +1554,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
57725 */
57726 usb_get_urb(urb);
57727 atomic_inc(&urb->use_count);
57728- atomic_inc(&urb->dev->urbnum);
57729+ atomic_inc_unchecked(&urb->dev->urbnum);
57730 usbmon_urb_submit(&hcd->self, urb);
57731
57732 /* NOTE requirements on root-hub callers (usbfs and the hub
57733@@ -1581,7 +1581,7 @@ int usb_hcd_submit_urb (struct urb *urb, gfp_t mem_flags)
57734 urb->hcpriv = NULL;
57735 INIT_LIST_HEAD(&urb->urb_list);
57736 atomic_dec(&urb->use_count);
57737- atomic_dec(&urb->dev->urbnum);
57738+ atomic_dec_unchecked(&urb->dev->urbnum);
57739 if (atomic_read(&urb->reject))
57740 wake_up(&usb_kill_urb_queue);
57741 usb_put_urb(urb);
57742diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
57743index 73dfa19..c22f1e43 100644
57744--- a/drivers/usb/core/hub.c
57745+++ b/drivers/usb/core/hub.c
57746@@ -26,6 +26,7 @@
57747 #include <linux/mutex.h>
57748 #include <linux/random.h>
57749 #include <linux/pm_qos.h>
57750+#include <linux/grsecurity.h>
57751
57752 #include <asm/uaccess.h>
57753 #include <asm/byteorder.h>
57754@@ -4655,6 +4656,10 @@ static void hub_port_connect(struct usb_hub *hub, int port1, u16 portstatus,
57755 goto done;
57756 return;
57757 }
57758+
57759+ if (gr_handle_new_usb())
57760+ goto done;
57761+
57762 if (hub_is_superspeed(hub->hdev))
57763 unit_load = 150;
57764 else
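Review bot: The added `gr_handle_new_usb()` check in hub_port_connect() carries no comment and, as far as the hunk shows, records nothing when it refuses a device. Control goes straight to `done`, so a policy denial is indistinguishable from an enumeration failure unless the helper logs internally (its body is not on this page). I would add `/* grsecurity: refuse devices attached while new-USB denial is in effect */` above the check and, if the helper is silent, one rate-limited log line naming the hub and port before the `goto`. The `done` label and the rest of the function lie outside the hunk, so what cleanup the jump performs cannot be checked from here.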
57765diff --git a/drivers/usb/core/sysfs.c b/drivers/usb/core/sysfs.c
57766index d269738..7340cd7 100644
57767--- a/drivers/usb/core/sysfs.c
57768+++ b/drivers/usb/core/sysfs.c
57769@@ -244,7 +244,7 @@ static ssize_t urbnum_show(struct device *dev, struct device_attribute *attr,
57770 struct usb_device *udev;
57771
57772 udev = to_usb_device(dev);
57773- return sprintf(buf, "%d\n", atomic_read(&udev->urbnum));
57774+ return sprintf(buf, "%d\n", atomic_read_unchecked(&udev->urbnum));
57775 }
57776 static DEVICE_ATTR_RO(urbnum);
57777
57778diff --git a/drivers/usb/core/usb.c b/drivers/usb/core/usb.c
57779index 8d5b2f4..3896940 100644
57780--- a/drivers/usb/core/usb.c
57781+++ b/drivers/usb/core/usb.c
57782@@ -447,7 +447,7 @@ struct usb_device *usb_alloc_dev(struct usb_device *parent,
57783 set_dev_node(&dev->dev, dev_to_node(bus->controller));
57784 dev->state = USB_STATE_ATTACHED;
57785 dev->lpm_disable_count = 1;
57786- atomic_set(&dev->urbnum, 0);
57787+ atomic_set_unchecked(&dev->urbnum, 0);
57788
57789 INIT_LIST_HEAD(&dev->ep0.urb_list);
57790 dev->ep0.desc.bLength = USB_DT_ENDPOINT_SIZE;
57791diff --git a/drivers/usb/early/ehci-dbgp.c b/drivers/usb/early/ehci-dbgp.c
57792index 8cfc319..4868255 100644
57793--- a/drivers/usb/early/ehci-dbgp.c
57794+++ b/drivers/usb/early/ehci-dbgp.c
57795@@ -98,7 +98,8 @@ static inline u32 dbgp_len_update(u32 x, u32 len)
57796
57797 #ifdef CONFIG_KGDB
57798 static struct kgdb_io kgdbdbgp_io_ops;
57799-#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
57800+static struct kgdb_io kgdbdbgp_io_ops_console;
57801+#define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops || dbg_io_ops == &kgdbdbgp_io_ops_console)
57802 #else
57803 #define dbgp_kgdb_mode (0)
57804 #endif
57805@@ -1043,6 +1044,13 @@ static struct kgdb_io kgdbdbgp_io_ops = {
57806 .write_char = kgdbdbgp_write_char,
57807 };
57808
57809+static struct kgdb_io kgdbdbgp_io_ops_console = {
57810+ .name = "kgdbdbgp",
57811+ .read_char = kgdbdbgp_read_char,
57812+ .write_char = kgdbdbgp_write_char,
57813+ .is_console = 1
57814+};
57815+
57816 static int kgdbdbgp_wait_time;
57817
57818 static int __init kgdbdbgp_parse_config(char *str)
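Review bot: `kgdbdbgp_io_ops_console` repeats `kgdbdbgp_io_ops` field for field, differing only in `.is_console = 1`, and nothing explains why two copies exist or that they must be kept in step. The next hunk suggests the reason: the old code wrote `is_console` after `kgdb_register_io_module()`, and the new code picks one of two preset structs instead. A comment above the new initializer would record that: `/* Same ops with is_console preset; registered when the early dbgp console is active so the struct is never written after registration. */`.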
57819@@ -1058,8 +1066,10 @@ static int __init kgdbdbgp_parse_config(char *str)
57820 ptr++;
57821 kgdbdbgp_wait_time = simple_strtoul(ptr, &ptr, 10);
57822 }
57823- kgdb_register_io_module(&kgdbdbgp_io_ops);
57824- kgdbdbgp_io_ops.is_console = early_dbgp_console.index != -1;
57825+ if (early_dbgp_console.index != -1)
57826+ kgdb_register_io_module(&kgdbdbgp_io_ops_console);
57827+ else
57828+ kgdb_register_io_module(&kgdbdbgp_io_ops);
57829
57830 return 0;
57831 }
57832diff --git a/drivers/usb/gadget/function/f_uac1.c b/drivers/usb/gadget/function/f_uac1.c
57833index 7856b33..8b7fe09 100644
57834--- a/drivers/usb/gadget/function/f_uac1.c
57835+++ b/drivers/usb/gadget/function/f_uac1.c
57836@@ -14,6 +14,7 @@
57837 #include <linux/module.h>
57838 #include <linux/device.h>
57839 #include <linux/atomic.h>
57840+#include <linux/module.h>
57841
57842 #include "u_uac1.h"
57843
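Review bot: The added `#include <linux/module.h>` repeats the include already present three lines above it in the same hunk, so this change has no effect. It can be dropped; keeping it leaves the include list misleading about what the patch actually needed in this file.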
57844diff --git a/drivers/usb/gadget/function/u_serial.c b/drivers/usb/gadget/function/u_serial.c
57845index 7ee05793..2e31e99 100644
57846--- a/drivers/usb/gadget/function/u_serial.c
57847+++ b/drivers/usb/gadget/function/u_serial.c
57848@@ -732,9 +732,9 @@ static int gs_open(struct tty_struct *tty, struct file *file)
57849 spin_lock_irq(&port->port_lock);
57850
57851 /* already open? Great. */
57852- if (port->port.count) {
57853+ if (atomic_read(&port->port.count)) {
57854 status = 0;
57855- port->port.count++;
57856+ atomic_inc(&port->port.count);
57857
57858 /* currently opening/closing? wait ... */
57859 } else if (port->openclose) {
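Review bot: Switching `port->port.count` to `atomic_read()`/`atomic_inc()` in gs_open() does not make the test-then-increment a single atomic step. The pair stays correct only because `port_lock` is taken by the `spin_lock_irq()` at the top of the hunk. The same applies to the read, read, decrement sequence in the gs_close() hunk below. A comment such as `/* port_lock held: the read and the update below are not atomic as a pair */` would stop a later reader from assuming the atomic type permits lockless use. gs_open() starts and ends outside this hunk.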
57860@@ -793,7 +793,7 @@ static int gs_open(struct tty_struct *tty, struct file *file)
57861 tty->driver_data = port;
57862 port->port.tty = tty;
57863
57864- port->port.count = 1;
57865+ atomic_set(&port->port.count, 1);
57866 port->openclose = false;
57867
57868 /* if connected, start the I/O stream */
57869@@ -835,11 +835,11 @@ static void gs_close(struct tty_struct *tty, struct file *file)
57870
57871 spin_lock_irq(&port->port_lock);
57872
57873- if (port->port.count != 1) {
57874- if (port->port.count == 0)
57875+ if (atomic_read(&port->port.count) != 1) {
57876+ if (atomic_read(&port->port.count) == 0)
57877 WARN_ON(1);
57878 else
57879- --port->port.count;
57880+ atomic_dec(&port->port.count);
57881 goto exit;
57882 }
57883
57884@@ -849,7 +849,7 @@ static void gs_close(struct tty_struct *tty, struct file *file)
57885 * and sleep if necessary
57886 */
57887 port->openclose = true;
57888- port->port.count = 0;
57889+ atomic_set(&port->port.count, 0);
57890
57891 gser = port->port_usb;
57892 if (gser && gser->disconnect)
57893@@ -1065,7 +1065,7 @@ static int gs_closed(struct gs_port *port)
57894 int cond;
57895
57896 spin_lock_irq(&port->port_lock);
57897- cond = (port->port.count == 0) && !port->openclose;
57898+ cond = (atomic_read(&port->port.count) == 0) && !port->openclose;
57899 spin_unlock_irq(&port->port_lock);
57900 return cond;
57901 }
57902@@ -1208,7 +1208,7 @@ int gserial_connect(struct gserial *gser, u8 port_num)
57903 /* if it's already open, start I/O ... and notify the serial
57904 * protocol about open/close status (connect/disconnect).
57905 */
57906- if (port->port.count) {
57907+ if (atomic_read(&port->port.count)) {
57908 pr_debug("gserial_connect: start ttyGS%d\n", port->port_num);
57909 gs_start_io(port);
57910 if (gser->connect)
57911@@ -1255,7 +1255,7 @@ void gserial_disconnect(struct gserial *gser)
57912
57913 port->port_usb = NULL;
57914 gser->ioport = NULL;
57915- if (port->port.count > 0 || port->openclose) {
57916+ if (atomic_read(&port->port.count) > 0 || port->openclose) {
57917 wake_up_interruptible(&port->drain_wait);
57918 if (port->port.tty)
57919 tty_hangup(port->port.tty);
57920@@ -1271,7 +1271,7 @@ void gserial_disconnect(struct gserial *gser)
57921
57922 /* finally, free any unused/unusable I/O buffers */
57923 spin_lock_irqsave(&port->port_lock, flags);
57924- if (port->port.count == 0 && !port->openclose)
57925+ if (atomic_read(&port->port.count) == 0 && !port->openclose)
57926 gs_buf_free(&port->port_write_buf);
57927 gs_free_requests(gser->out, &port->read_pool, NULL);
57928 gs_free_requests(gser->out, &port->read_queue, NULL);
57929diff --git a/drivers/usb/gadget/function/u_uac1.c b/drivers/usb/gadget/function/u_uac1.c
57930index c78c841..48fd281 100644
57931--- a/drivers/usb/gadget/function/u_uac1.c
57932+++ b/drivers/usb/gadget/function/u_uac1.c
57933@@ -17,6 +17,7 @@
57934 #include <linux/ctype.h>
57935 #include <linux/random.h>
57936 #include <linux/syscalls.h>
57937+#include <linux/module.h>
57938
57939 #include "u_uac1.h"
57940
57941diff --git a/drivers/usb/gadget/udc/dummy_hcd.c b/drivers/usb/gadget/udc/dummy_hcd.c
57942index 181112c..036bcab 100644
57943--- a/drivers/usb/gadget/udc/dummy_hcd.c
57944+++ b/drivers/usb/gadget/udc/dummy_hcd.c
57945@@ -2384,7 +2384,7 @@ static int dummy_setup(struct usb_hcd *hcd)
57946 struct dummy *dum;
57947
57948 dum = *((void **)dev_get_platdata(hcd->self.controller));
57949- hcd->self.sg_tablesize = ~0;
57950+ hcd->self.sg_tablesize = SG_ALL;
57951 if (usb_hcd_is_primary_hcd(hcd)) {
57952 dum->hs_hcd = hcd_to_dummy_hcd(hcd);
57953 dum->hs_hcd->dum = dum;
57954diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c
57955index c63d82c..a7e8665 100644
57956--- a/drivers/usb/host/ehci-hcd.c
57957+++ b/drivers/usb/host/ehci-hcd.c
57958@@ -564,7 +564,7 @@ static int ehci_init(struct usb_hcd *hcd)
57959
57960 /* Accept arbitrarily long scatter-gather lists */
57961 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
57962- hcd->self.sg_tablesize = ~0;
57963+ hcd->self.sg_tablesize = SG_ALL;
57964 return 0;
57965 }
57966
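Review bot: After this change the context comment `/* Accept arbitrarily long scatter-gather lists */` no longer describes the assignment, since `SG_ALL` is a fixed cap rather than the all-ones value that `~0` stood for. I would reword it to `/* Accept scatter-gather lists up to SG_ALL entries */` here and in the fotg210-hcd.c, fusbh200-hcd.c, ohci-hcd.c, uhci-hcd.c and xhci.c hunks that carry the same comment. None of these hunks adds an include, so the definition of `SG_ALL` has to reach each file by some path not shown on this page; that is worth confirming per file.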
57967diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c
57968index 22abb68..50b7b84 100644
57969--- a/drivers/usb/host/ehci-hub.c
57970+++ b/drivers/usb/host/ehci-hub.c
57971@@ -773,7 +773,7 @@ static struct urb *request_single_step_set_feature_urb(
57972 urb->transfer_flags = URB_DIR_IN;
57973 usb_get_urb(urb);
57974 atomic_inc(&urb->use_count);
57975- atomic_inc(&urb->dev->urbnum);
57976+ atomic_inc_unchecked(&urb->dev->urbnum);
57977 urb->setup_dma = dma_map_single(
57978 hcd->self.controller,
57979 urb->setup_packet,
57980@@ -840,7 +840,7 @@ static int ehset_single_step_set_feature(struct usb_hcd *hcd, int port)
57981 urb->status = -EINPROGRESS;
57982 usb_get_urb(urb);
57983 atomic_inc(&urb->use_count);
57984- atomic_inc(&urb->dev->urbnum);
57985+ atomic_inc_unchecked(&urb->dev->urbnum);
57986 retval = submit_single_step_set_feature(hcd, urb, 0);
57987 if (!retval && !wait_for_completion_timeout(&done,
57988 msecs_to_jiffies(2000))) {
57989diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c
57990index 54f5332..8b8335c 100644
57991--- a/drivers/usb/host/ehci-q.c
57992+++ b/drivers/usb/host/ehci-q.c
57993@@ -44,9 +44,9 @@
57994
57995 static int
57996 qtd_fill(struct ehci_hcd *ehci, struct ehci_qtd *qtd, dma_addr_t buf,
57997- size_t len, int token, int maxpacket)
57998+ size_t len, u32 token, int maxpacket)
57999 {
58000- int i, count;
58001+ u32 i, count;
58002 u64 addr = buf;
58003
58004 /* one buffer entry per 4K ... first might be short or unaligned */
58005diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
58006index 000ed80..2701154 100644
58007--- a/drivers/usb/host/fotg210-hcd.c
58008+++ b/drivers/usb/host/fotg210-hcd.c
58009@@ -5231,7 +5231,7 @@ static int hcd_fotg210_init(struct usb_hcd *hcd)
58010
58011 /* Accept arbitrarily long scatter-gather lists */
58012 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
58013- hcd->self.sg_tablesize = ~0;
58014+ hcd->self.sg_tablesize = SG_ALL;
58015 return 0;
58016 }
58017
58018diff --git a/drivers/usb/host/fusbh200-hcd.c b/drivers/usb/host/fusbh200-hcd.c
58019index 1fd8718..c7ff47c 100644
58020--- a/drivers/usb/host/fusbh200-hcd.c
58021+++ b/drivers/usb/host/fusbh200-hcd.c
58022@@ -5156,7 +5156,7 @@ static int hcd_fusbh200_init(struct usb_hcd *hcd)
58023
58024 /* Accept arbitrarily long scatter-gather lists */
58025 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
58026- hcd->self.sg_tablesize = ~0;
58027+ hcd->self.sg_tablesize = SG_ALL;
58028 return 0;
58029 }
58030
58031diff --git a/drivers/usb/host/hwa-hc.c b/drivers/usb/host/hwa-hc.c
58032index 1db0626..2e9f5ea 100644
58033--- a/drivers/usb/host/hwa-hc.c
58034+++ b/drivers/usb/host/hwa-hc.c
58035@@ -337,7 +337,10 @@ static int __hwahc_op_bwa_set(struct wusbhc *wusbhc, s8 stream_index,
58036 struct hwahc *hwahc = container_of(wusbhc, struct hwahc, wusbhc);
58037 struct wahc *wa = &hwahc->wa;
58038 struct device *dev = &wa->usb_iface->dev;
58039- u8 mas_le[UWB_NUM_MAS/8];
58040+ u8 *mas_le = kmalloc(UWB_NUM_MAS/8, GFP_KERNEL);
58041+
58042+ if (mas_le == NULL)
58043+ return -ENOMEM;
58044
58045 /* Set the stream index */
58046 result = usb_control_msg(wa->usb_dev, usb_sndctrlpipe(wa->usb_dev, 0),
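Review bot: `kmalloc()` hands back uninitialised memory, and the code that fills `mas_le` sits between this hunk and the next, outside the page's view. If it ever writes fewer than `UWB_NUM_MAS/8` bytes, the `usb_control_msg()` in the next hunk sends stale heap contents to the device. `u8 *mas_le = kzalloc(UWB_NUM_MAS/8, GFP_KERNEL);` removes that question at negligible cost. The length now appears twice as `UWB_NUM_MAS/8`; a local such as `const size_t mas_len = UWB_NUM_MAS / 8;` would keep the allocation and the transfer length from drifting apart. Also confirm that every exit after the allocation goes through `out:`, since the `kfree()` was added only there.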
58047@@ -356,10 +359,12 @@ static int __hwahc_op_bwa_set(struct wusbhc *wusbhc, s8 stream_index,
58048 WUSB_REQ_SET_WUSB_MAS,
58049 USB_DIR_OUT | USB_TYPE_CLASS | USB_RECIP_INTERFACE,
58050 0, wa->usb_iface->cur_altsetting->desc.bInterfaceNumber,
58051- mas_le, 32, USB_CTRL_SET_TIMEOUT);
58052+ mas_le, UWB_NUM_MAS/8, USB_CTRL_SET_TIMEOUT);
58053 if (result < 0)
58054 dev_err(dev, "Cannot set WUSB MAS allocation: %d\n", result);
58055 out:
58056+ kfree(mas_le);
58057+
58058 return result;
58059 }
58060
58061@@ -812,7 +817,7 @@ static int hwahc_probe(struct usb_interface *usb_iface,
58062 goto error_alloc;
58063 }
58064 usb_hcd->wireless = 1;
58065- usb_hcd->self.sg_tablesize = ~0;
58066+ usb_hcd->self.sg_tablesize = SG_ALL;
58067 wusbhc = usb_hcd_to_wusbhc(usb_hcd);
58068 hwahc = container_of(wusbhc, struct hwahc, wusbhc);
58069 hwahc_init(hwahc);
58070diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c
58071index 760cb57..fc7f8ad 100644
58072--- a/drivers/usb/host/ohci-hcd.c
58073+++ b/drivers/usb/host/ohci-hcd.c
58074@@ -444,7 +444,7 @@ static int ohci_init (struct ohci_hcd *ohci)
58075 struct usb_hcd *hcd = ohci_to_hcd(ohci);
58076
58077 /* Accept arbitrarily long scatter-gather lists */
58078- hcd->self.sg_tablesize = ~0;
58079+ hcd->self.sg_tablesize = SG_ALL;
58080
58081 if (distrust_firmware)
58082 ohci->flags |= OHCI_QUIRK_HUB_POWER;
58083diff --git a/drivers/usb/host/r8a66597.h b/drivers/usb/host/r8a66597.h
58084index 672cea3..31a730db 100644
58085--- a/drivers/usb/host/r8a66597.h
58086+++ b/drivers/usb/host/r8a66597.h
58087@@ -125,7 +125,7 @@ struct r8a66597 {
58088 unsigned short interval_map;
58089 unsigned char pipe_cnt[R8A66597_MAX_NUM_PIPE];
58090 unsigned char dma_map;
58091- unsigned int max_root_hub;
58092+ unsigned char max_root_hub;
58093
58094 struct list_head child_device;
58095 unsigned long child_connect_map[4];
58096diff --git a/drivers/usb/host/uhci-hcd.c b/drivers/usb/host/uhci-hcd.c
58097index a7de8e8..e1ef134 100644
58098--- a/drivers/usb/host/uhci-hcd.c
58099+++ b/drivers/usb/host/uhci-hcd.c
58100@@ -570,7 +570,7 @@ static int uhci_start(struct usb_hcd *hcd)
58101 hcd->uses_new_polling = 1;
58102 /* Accept arbitrarily long scatter-gather lists */
58103 if (!(hcd->driver->flags & HCD_LOCAL_MEM))
58104- hcd->self.sg_tablesize = ~0;
58105+ hcd->self.sg_tablesize = SG_ALL;
58106
58107 spin_lock_init(&uhci->lock);
58108 setup_timer(&uhci->fsbr_timer, uhci_fsbr_timeout,
58109diff --git a/drivers/usb/host/xhci-pci.c b/drivers/usb/host/xhci-pci.c
58110index c79d336..8fe41af 100644
58111--- a/drivers/usb/host/xhci-pci.c
58112+++ b/drivers/usb/host/xhci-pci.c
58113@@ -30,7 +30,7 @@
58114
58115 #define PORT2_SSIC_CONFIG_REG2 0x883c
58116 #define PROG_DONE (1 << 30)
58117-#define SSIC_PORT_UNUSED (1 << 31)
58118+#define SSIC_PORT_UNUSED (1U << 31)
58119
58120 /* Device for a quirk */
58121 #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73
58122diff --git a/drivers/usb/host/xhci.c b/drivers/usb/host/xhci.c
58123index d7b9f484..8208965 100644
58124--- a/drivers/usb/host/xhci.c
58125+++ b/drivers/usb/host/xhci.c
58126@@ -4837,7 +4837,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks)
58127 int retval;
58128
58129 /* Accept arbitrarily long scatter-gather lists */
58130- hcd->self.sg_tablesize = ~0;
58131+ hcd->self.sg_tablesize = SG_ALL;
58132
58133 /* support to build packet from discontinuous buffers */
58134 hcd->self.no_sg_constraint = 1;
58135diff --git a/drivers/usb/misc/appledisplay.c b/drivers/usb/misc/appledisplay.c
58136index a0a3827..d7ec10b 100644
58137--- a/drivers/usb/misc/appledisplay.c
58138+++ b/drivers/usb/misc/appledisplay.c
58139@@ -84,7 +84,7 @@ struct appledisplay {
58140 struct mutex sysfslock; /* concurrent read and write */
58141 };
58142
58143-static atomic_t count_displays = ATOMIC_INIT(0);
58144+static atomic_unchecked_t count_displays = ATOMIC_INIT(0);
58145 static struct workqueue_struct *wq;
58146
58147 static void appledisplay_complete(struct urb *urb)
58148@@ -288,7 +288,7 @@ static int appledisplay_probe(struct usb_interface *iface,
58149
58150 /* Register backlight device */
58151 snprintf(bl_name, sizeof(bl_name), "appledisplay%d",
58152- atomic_inc_return(&count_displays) - 1);
58153+ atomic_inc_return_unchecked(&count_displays) - 1);
58154 memset(&props, 0, sizeof(struct backlight_properties));
58155 props.type = BACKLIGHT_RAW;
58156 props.max_brightness = 0xff;
58157diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
58158index 3806e70..55c508b 100644
58159--- a/drivers/usb/serial/console.c
58160+++ b/drivers/usb/serial/console.c
58161@@ -126,7 +126,7 @@ static int usb_console_setup(struct console *co, char *options)
58162
58163 info->port = port;
58164
58165- ++port->port.count;
58166+ atomic_inc(&port->port.count);
58167 if (!test_bit(ASYNCB_INITIALIZED, &port->port.flags)) {
58168 if (serial->type->set_termios) {
58169 /*
58170@@ -175,7 +175,7 @@ static int usb_console_setup(struct console *co, char *options)
58171 }
58172 /* Now that any required fake tty operations are completed restore
58173 * the tty port count */
58174- --port->port.count;
58175+ atomic_dec(&port->port.count);
58176 /* The console is special in terms of closing the device so
58177 * indicate this port is now acting as a system console. */
58178 port->port.console = 1;
58179@@ -188,7 +188,7 @@ static int usb_console_setup(struct console *co, char *options)
58180 put_tty:
58181 tty_kref_put(tty);
58182 reset_open_count:
58183- port->port.count = 0;
58184+ atomic_set(&port->port.count, 0);
58185 usb_autopm_put_interface(serial->interface);
58186 error_get_interface:
58187 usb_serial_put(serial);
58188@@ -199,7 +199,7 @@ static int usb_console_setup(struct console *co, char *options)
58189 static void usb_console_write(struct console *co,
58190 const char *buf, unsigned count)
58191 {
58192- static struct usbcons_info *info = &usbcons_info;
58193+ struct usbcons_info *info = &usbcons_info;
58194 struct usb_serial_port *port = info->port;
58195 struct usb_serial *serial;
58196 int retval = -ENODEV;
58197diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c
58198index 540add2..2a2c7da 100644
58199--- a/drivers/usb/storage/transport.c
58200+++ b/drivers/usb/storage/transport.c
58201@@ -689,7 +689,7 @@ void usb_stor_invoke_transport(struct scsi_cmnd *srb, struct us_data *us)
58202 if (need_auto_sense) {
58203 int temp_result;
58204 struct scsi_eh_save ses;
58205- int sense_size = US_SENSE_SIZE;
58206+ unsigned int sense_size = US_SENSE_SIZE;
58207 struct scsi_sense_hdr sshdr;
58208 const u8 *scdd;
58209 u8 fm_ili;
58210diff --git a/drivers/usb/storage/usb.c b/drivers/usb/storage/usb.c
58211index 43576ed..583589d 100644
58212--- a/drivers/usb/storage/usb.c
58213+++ b/drivers/usb/storage/usb.c
58214@@ -912,7 +912,7 @@ static void usb_stor_scan_dwork(struct work_struct *work)
58215 clear_bit(US_FLIDX_SCAN_PENDING, &us->dflags);
58216 }
58217
58218-static unsigned int usb_stor_sg_tablesize(struct usb_interface *intf)
58219+static unsigned short usb_stor_sg_tablesize(struct usb_interface *intf)
58220 {
58221 struct usb_device *usb_dev = interface_to_usbdev(intf);
58222
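Review bot: Narrowing the return type of usb_stor_sg_tablesize() to `unsigned short` silently truncates whatever the body returns, and the body is outside this hunk. If it passes through a host controller's `sg_tablesize`, any controller that still stores a value wider than 16 bits would be cut down without a diagnostic. The `~0` to `SG_ALL` changes elsewhere in this patch look like the other half of this change. A comment on the function saying that the result is bounded by `SG_ALL`, or an explicit clamp before the return, would make that dependency visible.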
58223diff --git a/drivers/usb/storage/usb.h b/drivers/usb/storage/usb.h
58224index da0ad32..50b5bbe 100644
58225--- a/drivers/usb/storage/usb.h
58226+++ b/drivers/usb/storage/usb.h
58227@@ -63,7 +63,7 @@ struct us_unusual_dev {
58228 __u8 useProtocol;
58229 __u8 useTransport;
58230 int (*initFunction)(struct us_data *);
58231-};
58232+} __do_const;
58233
58234
58235 /* Dynamic bitflag definitions (us->dflags): used in set_bit() etc. */
58236diff --git a/drivers/usb/usbip/vhci.h b/drivers/usb/usbip/vhci.h
58237index a863a98..d272795 100644
58238--- a/drivers/usb/usbip/vhci.h
58239+++ b/drivers/usb/usbip/vhci.h
58240@@ -83,7 +83,7 @@ struct vhci_hcd {
58241 unsigned resuming:1;
58242 unsigned long re_timeout;
58243
58244- atomic_t seqnum;
58245+ atomic_unchecked_t seqnum;
58246
58247 /*
58248 * NOTE:
58249diff --git a/drivers/usb/usbip/vhci_hcd.c b/drivers/usb/usbip/vhci_hcd.c
58250index e9ef1ec..c3a0b04 100644
58251--- a/drivers/usb/usbip/vhci_hcd.c
58252+++ b/drivers/usb/usbip/vhci_hcd.c
58253@@ -440,7 +440,7 @@ static void vhci_tx_urb(struct urb *urb)
58254
58255 spin_lock(&vdev->priv_lock);
58256
58257- priv->seqnum = atomic_inc_return(&the_controller->seqnum);
58258+ priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
58259 if (priv->seqnum == 0xffff)
58260 dev_info(&urb->dev->dev, "seqnum max\n");
58261
58262@@ -685,7 +685,7 @@ static int vhci_urb_dequeue(struct usb_hcd *hcd, struct urb *urb, int status)
58263 return -ENOMEM;
58264 }
58265
58266- unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
58267+ unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
58268 if (unlink->seqnum == 0xffff)
58269 pr_info("seqnum max\n");
58270
58271@@ -889,7 +889,7 @@ static int vhci_start(struct usb_hcd *hcd)
58272 vdev->rhport = rhport;
58273 }
58274
58275- atomic_set(&vhci->seqnum, 0);
58276+ atomic_set_unchecked(&vhci->seqnum, 0);
58277 spin_lock_init(&vhci->lock);
58278
58279 hcd->power_budget = 0; /* no limit */
58280diff --git a/drivers/usb/usbip/vhci_rx.c b/drivers/usb/usbip/vhci_rx.c
58281index 00e4a54..d676f85 100644
58282--- a/drivers/usb/usbip/vhci_rx.c
58283+++ b/drivers/usb/usbip/vhci_rx.c
58284@@ -80,7 +80,7 @@ static void vhci_recv_ret_submit(struct vhci_device *vdev,
58285 if (!urb) {
58286 pr_err("cannot find a urb of seqnum %u\n", pdu->base.seqnum);
58287 pr_info("max seqnum %d\n",
58288- atomic_read(&the_controller->seqnum));
58289+ atomic_read_unchecked(&the_controller->seqnum));
58290 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
58291 return;
58292 }
58293diff --git a/drivers/usb/usbip/vhci_sysfs.c b/drivers/usb/usbip/vhci_sysfs.c
58294index 211f43f..6c22ae1 100644
58295--- a/drivers/usb/usbip/vhci_sysfs.c
58296+++ b/drivers/usb/usbip/vhci_sysfs.c
58297@@ -59,7 +59,7 @@ static ssize_t status_show(struct device *dev, struct device_attribute *attr,
58298 if (vdev->ud.status == VDEV_ST_USED) {
58299 out += sprintf(out, "%03u %08x ",
58300 vdev->speed, vdev->devid);
58301- out += sprintf(out, "%16p ", vdev->ud.tcp_socket);
58302+ out += sprintf(out, "%16pK ", vdev->ud.tcp_socket);
58303 out += sprintf(out, "%s", dev_name(&vdev->udev->dev));
58304
58305 } else {
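Review bot: `%16pK` hides the socket address only when `kptr_restrict` says so for the reader, so the attribute still formats a kernel pointer and its exposure depends on configuration outside this file. If the field exists only to show that a socket is attached, printing a non-address token in its place removes the exposure regardless of policy, provided the userspace tools that parse this line accept it (to be confirmed). The chained `sprintf()` calls in this hunk also write into `out` with no bound; `scnprintf()` against the remaining page space is the usual form for a sysfs show routine. status_show() starts and ends outside the hunk.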
58306diff --git a/drivers/usb/wusbcore/wa-hc.h b/drivers/usb/wusbcore/wa-hc.h
58307index edc7267..9f65ce2 100644
58308--- a/drivers/usb/wusbcore/wa-hc.h
58309+++ b/drivers/usb/wusbcore/wa-hc.h
58310@@ -240,7 +240,7 @@ struct wahc {
58311 spinlock_t xfer_list_lock;
58312 struct work_struct xfer_enqueue_work;
58313 struct work_struct xfer_error_work;
58314- atomic_t xfer_id_count;
58315+ atomic_unchecked_t xfer_id_count;
58316
58317 kernel_ulong_t quirks;
58318 };
58319@@ -305,7 +305,7 @@ static inline void wa_init(struct wahc *wa)
58320 INIT_WORK(&wa->xfer_enqueue_work, wa_urb_enqueue_run);
58321 INIT_WORK(&wa->xfer_error_work, wa_process_errored_transfers_run);
58322 wa->dto_in_use = 0;
58323- atomic_set(&wa->xfer_id_count, 1);
58324+ atomic_set_unchecked(&wa->xfer_id_count, 1);
58325 /* init the buf in URBs */
58326 for (index = 0; index < WA_MAX_BUF_IN_URBS; ++index)
58327 usb_init_urb(&(wa->buf_in_urbs[index]));
58328diff --git a/drivers/usb/wusbcore/wa-xfer.c b/drivers/usb/wusbcore/wa-xfer.c
58329index 69af4fd..da390d7 100644
58330--- a/drivers/usb/wusbcore/wa-xfer.c
58331+++ b/drivers/usb/wusbcore/wa-xfer.c
58332@@ -314,7 +314,7 @@ static void wa_xfer_completion(struct wa_xfer *xfer)
58333 */
58334 static void wa_xfer_id_init(struct wa_xfer *xfer)
58335 {
58336- xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
58337+ xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
58338 }
58339
58340 /* Return the xfer's ID. */
58341diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c
58342index 563c510..1fcc957 100644
58343--- a/drivers/vfio/vfio.c
58344+++ b/drivers/vfio/vfio.c
58345@@ -517,7 +517,7 @@ static int vfio_group_nb_add_dev(struct vfio_group *group, struct device *dev)
58346 return 0;
58347
58348 /* TODO Prevent device auto probing */
58349- WARN("Device %s added to live group %d!\n", dev_name(dev),
58350+ WARN(1, "Device %s added to live group %d!\n", dev_name(dev),
58351 iommu_group_id(group->iommu_group));
58352
58353 return 0;
58354diff --git a/drivers/vhost/vringh.c b/drivers/vhost/vringh.c
58355index 3bb02c6..a01ff38 100644
58356--- a/drivers/vhost/vringh.c
58357+++ b/drivers/vhost/vringh.c
58358@@ -551,7 +551,7 @@ static inline void __vringh_notify_disable(struct vringh *vrh,
58359 static inline int getu16_user(const struct vringh *vrh, u16 *val, const __virtio16 *p)
58360 {
58361 __virtio16 v = 0;
58362- int rc = get_user(v, (__force __virtio16 __user *)p);
58363+ int rc = get_user(v, (__force_user __virtio16 *)p);
58364 *val = vringh16_to_cpu(vrh, v);
58365 return rc;
58366 }
58367@@ -559,12 +559,12 @@ static inline int getu16_user(const struct vringh *vrh, u16 *val, const __virtio
58368 static inline int putu16_user(const struct vringh *vrh, __virtio16 *p, u16 val)
58369 {
58370 __virtio16 v = cpu_to_vringh16(vrh, val);
58371- return put_user(v, (__force __virtio16 __user *)p);
58372+ return put_user(v, (__force_user __virtio16 *)p);
58373 }
58374
58375 static inline int copydesc_user(void *dst, const void *src, size_t len)
58376 {
58377- return copy_from_user(dst, (__force void __user *)src, len) ?
58378+ return copy_from_user(dst, (void __force_user *)src, len) ?
58379 -EFAULT : 0;
58380 }
58381
58382@@ -572,19 +572,19 @@ static inline int putused_user(struct vring_used_elem *dst,
58383 const struct vring_used_elem *src,
58384 unsigned int num)
58385 {
58386- return copy_to_user((__force void __user *)dst, src,
58387+ return copy_to_user((void __force_user *)dst, src,
58388 sizeof(*dst) * num) ? -EFAULT : 0;
58389 }
58390
58391 static inline int xfer_from_user(void *src, void *dst, size_t len)
58392 {
58393- return copy_from_user(dst, (__force void __user *)src, len) ?
58394+ return copy_from_user(dst, (void __force_user *)src, len) ?
58395 -EFAULT : 0;
58396 }
58397
58398 static inline int xfer_to_user(void *dst, void *src, size_t len)
58399 {
58400- return copy_to_user((__force void __user *)dst, src, len) ?
58401+ return copy_to_user((void __force_user *)dst, src, len) ?
58402 -EFAULT : 0;
58403 }
58404
58405@@ -621,9 +621,9 @@ int vringh_init_user(struct vringh *vrh, u64 features,
58406 vrh->last_used_idx = 0;
58407 vrh->vring.num = num;
58408 /* vring expects kernel addresses, but only used via accessors. */
58409- vrh->vring.desc = (__force struct vring_desc *)desc;
58410- vrh->vring.avail = (__force struct vring_avail *)avail;
58411- vrh->vring.used = (__force struct vring_used *)used;
58412+ vrh->vring.desc = (__force_kernel struct vring_desc *)desc;
58413+ vrh->vring.avail = (__force_kernel struct vring_avail *)avail;
58414+ vrh->vring.used = (__force_kernel struct vring_used *)used;
58415 return 0;
58416 }
58417 EXPORT_SYMBOL(vringh_init_user);
58418@@ -826,7 +826,7 @@ static inline int getu16_kern(const struct vringh *vrh,
58419
58420 static inline int putu16_kern(const struct vringh *vrh, __virtio16 *p, u16 val)
58421 {
58422- ACCESS_ONCE(*p) = cpu_to_vringh16(vrh, val);
58423+ ACCESS_ONCE_RW(*p) = cpu_to_vringh16(vrh, val);
58424 return 0;
58425 }
58426
58427diff --git a/drivers/video/backlight/kb3886_bl.c b/drivers/video/backlight/kb3886_bl.c
58428index 84a110a..96312c3 100644
58429--- a/drivers/video/backlight/kb3886_bl.c
58430+++ b/drivers/video/backlight/kb3886_bl.c
58431@@ -78,7 +78,7 @@ static struct kb3886bl_machinfo *bl_machinfo;
58432 static unsigned long kb3886bl_flags;
58433 #define KB3886BL_SUSPENDED 0x01
58434
58435-static struct dmi_system_id kb3886bl_device_table[] __initdata = {
58436+static const struct dmi_system_id kb3886bl_device_table[] __initconst = {
58437 {
58438 .ident = "Sahara Touch-iT",
58439 .matches = {
58440diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
58441index 1aaf893..da2885a 100644
58442--- a/drivers/video/console/fbcon.c
58443+++ b/drivers/video/console/fbcon.c
58444@@ -106,7 +106,7 @@ static int fbcon_softback_size = 32768;
58445 static unsigned long softback_buf, softback_curr;
58446 static unsigned long softback_in;
58447 static unsigned long softback_top, softback_end;
58448-static int softback_lines;
58449+static long softback_lines;
58450 /* console mappings */
58451 static int first_fb_vc;
58452 static int last_fb_vc = MAX_NR_CONSOLES - 1;
58453diff --git a/drivers/video/fbdev/arcfb.c b/drivers/video/fbdev/arcfb.c
58454index 1b0b233..6f34c2c 100644
58455--- a/drivers/video/fbdev/arcfb.c
58456+++ b/drivers/video/fbdev/arcfb.c
58457@@ -458,7 +458,7 @@ static ssize_t arcfb_write(struct fb_info *info, const char __user *buf,
58458 return -ENOSPC;
58459
58460 err = 0;
58461- if ((count + p) > fbmemlength) {
58462+ if (count > (fbmemlength - p)) {
58463 count = fbmemlength - p;
58464 err = -ENOSPC;
58465 }
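Review bot: The rewritten test `count > (fbmemlength - p)` avoids the wrap that `count + p` could hit, but it is only correct while `p <= fbmemlength`; otherwise the subtraction itself wraps if these are unsigned. The `return -ENOSPC;` at the top of the hunk presumably closes a guard on `p`, but its condition is above the hunk and not visible. I would add `/* p <= fbmemlength is guaranteed by the check above, so the subtraction cannot wrap */` before the `if`, after confirming that the guard really is that check.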
58466diff --git a/drivers/video/fbdev/aty/aty128fb.c b/drivers/video/fbdev/aty/aty128fb.c
58467index c42ce2f..4c8bc59 100644
58468--- a/drivers/video/fbdev/aty/aty128fb.c
58469+++ b/drivers/video/fbdev/aty/aty128fb.c
58470@@ -145,7 +145,7 @@ enum {
58471 };
58472
58473 /* Must match above enum */
58474-static char * const r128_family[] = {
58475+static const char * const r128_family[] = {
58476 "AGP",
58477 "PCI",
58478 "PRO AGP",
58479diff --git a/drivers/video/fbdev/aty/atyfb_base.c b/drivers/video/fbdev/aty/atyfb_base.c
58480index 8789e48..698fe4c 100644
58481--- a/drivers/video/fbdev/aty/atyfb_base.c
58482+++ b/drivers/video/fbdev/aty/atyfb_base.c
58483@@ -1326,10 +1326,14 @@ static int atyfb_set_par(struct fb_info *info)
58484 par->accel_flags = var->accel_flags; /* hack */
58485
58486 if (var->accel_flags) {
58487- info->fbops->fb_sync = atyfb_sync;
58488+ pax_open_kernel();
58489+ *(void **)&info->fbops->fb_sync = atyfb_sync;
58490+ pax_close_kernel();
58491 info->flags &= ~FBINFO_HWACCEL_DISABLED;
58492 } else {
58493- info->fbops->fb_sync = NULL;
58494+ pax_open_kernel();
58495+ *(void **)&info->fbops->fb_sync = NULL;
58496+ pax_close_kernel();
58497 info->flags |= FBINFO_HWACCEL_DISABLED;
58498 }
58499
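Review bot: The same `pax_open_kernel()` / write / `pax_close_kernel()` sequence is now written out in both branches, differing only in the value stored. Hoisting it above the `if` keeps a single window in which the ops table is writable: `pax_open_kernel();` `*(void **)&info->fbops->fb_sync = var->accel_flags ? atyfb_sync : NULL;` `pax_close_kernel();`. The `*(void **)&` cast also discards the function-pointer type, so the compiler no longer checks that the stored function matches `fb_sync`. A short comment saying the cast exists only to write through a presumably const-qualified member would help. atyfb_set_par() continues outside the hunk.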
58500diff --git a/drivers/video/fbdev/aty/mach64_cursor.c b/drivers/video/fbdev/aty/mach64_cursor.c
58501index 2fa0317..4983f2a 100644
58502--- a/drivers/video/fbdev/aty/mach64_cursor.c
58503+++ b/drivers/video/fbdev/aty/mach64_cursor.c
58504@@ -8,6 +8,7 @@
58505 #include "../core/fb_draw.h"
58506
58507 #include <asm/io.h>
58508+#include <asm/pgtable.h>
58509
58510 #ifdef __sparc__
58511 #include <asm/fbio.h>
58512@@ -218,7 +219,9 @@ int aty_init_cursor(struct fb_info *info)
58513 info->sprite.buf_align = 16; /* and 64 lines tall. */
58514 info->sprite.flags = FB_PIXMAP_IO;
58515
58516- info->fbops->fb_cursor = atyfb_cursor;
58517+ pax_open_kernel();
58518+ *(void **)&info->fbops->fb_cursor = atyfb_cursor;
58519+ pax_close_kernel();
58520
58521 return 0;
58522 }
58523diff --git a/drivers/video/fbdev/core/fb_defio.c b/drivers/video/fbdev/core/fb_defio.c
58524index 3fc63c2..eec5e49 100644
58525--- a/drivers/video/fbdev/core/fb_defio.c
58526+++ b/drivers/video/fbdev/core/fb_defio.c
58527@@ -207,7 +207,9 @@ void fb_deferred_io_init(struct fb_info *info)
58528
58529 BUG_ON(!fbdefio);
58530 mutex_init(&fbdefio->lock);
58531- info->fbops->fb_mmap = fb_deferred_io_mmap;
58532+ pax_open_kernel();
58533+ *(void **)&info->fbops->fb_mmap = fb_deferred_io_mmap;
58534+ pax_close_kernel();
58535 INIT_DELAYED_WORK(&info->deferred_work, fb_deferred_io_work);
58536 INIT_LIST_HEAD(&fbdefio->pagelist);
58537 if (fbdefio->delay == 0) /* set a default of 1 s */
58538@@ -238,7 +240,7 @@ void fb_deferred_io_cleanup(struct fb_info *info)
58539 page->mapping = NULL;
58540 }
58541
58542- info->fbops->fb_mmap = NULL;
58543+ *(void **)&info->fbops->fb_mmap = NULL;
58544 mutex_destroy(&fbdefio->lock);
58545 }
58546 EXPORT_SYMBOL_GPL(fb_deferred_io_cleanup);
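Review bot: In fb_deferred_io_cleanup() the write `*(void **)&info->fbops->fb_mmap = NULL;` is not bracketed by `pax_open_kernel()` / `pax_close_kernel()`, although the matching write in fb_deferred_io_init() in the previous hunk is. If the ops structure sits in read-only memory, which is what the bracketing in the init path implies, the cleanup write would fault. The cleanup path should use the same form: `pax_open_kernel();` `*(void **)&info->fbops->fb_mmap = NULL;` `pax_close_kernel();`.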
58547diff --git a/drivers/video/fbdev/core/fbmem.c b/drivers/video/fbdev/core/fbmem.c
58548index 0705d88..d9429bf 100644
58549--- a/drivers/video/fbdev/core/fbmem.c
58550+++ b/drivers/video/fbdev/core/fbmem.c
58551@@ -1301,7 +1301,7 @@ static int do_fscreeninfo_to_user(struct fb_fix_screeninfo *fix,
58552 __u32 data;
58553 int err;
58554
58555- err = copy_to_user(&fix32->id, &fix->id, sizeof(fix32->id));
58556+ err = copy_to_user(fix32->id, &fix->id, sizeof(fix32->id));
58557
58558 data = (__u32) (unsigned long) fix->smem_start;
58559 err |= put_user(data, &fix32->smem_start);
58560diff --git a/drivers/video/fbdev/hyperv_fb.c b/drivers/video/fbdev/hyperv_fb.c
58561index 807ee22..7814cd6 100644
58562--- a/drivers/video/fbdev/hyperv_fb.c
58563+++ b/drivers/video/fbdev/hyperv_fb.c
58564@@ -240,7 +240,7 @@ static uint screen_fb_size;
58565 static inline int synthvid_send(struct hv_device *hdev,
58566 struct synthvid_msg *msg)
58567 {
58568- static atomic64_t request_id = ATOMIC64_INIT(0);
58569+ static atomic64_unchecked_t request_id = ATOMIC64_INIT(0);
58570 int ret;
58571
58572 msg->pipe_hdr.type = PIPE_MSG_DATA;
58573@@ -248,7 +248,7 @@ static inline int synthvid_send(struct hv_device *hdev,
58574
58575 ret = vmbus_sendpacket(hdev->channel, msg,
58576 msg->vid_hdr.size + sizeof(struct pipe_msg_hdr),
58577- atomic64_inc_return(&request_id),
58578+ atomic64_inc_return_unchecked(&request_id),
58579 VM_PKT_DATA_INBAND, 0);
58580
58581 if (ret)
58582diff --git a/drivers/video/fbdev/i810/i810_accel.c b/drivers/video/fbdev/i810/i810_accel.c
58583index 7672d2e..b56437f 100644
58584--- a/drivers/video/fbdev/i810/i810_accel.c
58585+++ b/drivers/video/fbdev/i810/i810_accel.c
58586@@ -73,6 +73,7 @@ static inline int wait_for_space(struct fb_info *info, u32 space)
58587 }
58588 }
58589 printk("ringbuffer lockup!!!\n");
58590+ printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
58591 i810_report_error(mmio);
58592 par->dev_flags |= LOCKUP;
58593 info->pixmap.scan_align = 1;
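Review bot: The added `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` carries no log level, so it is emitted at the default level and may be filtered differently from the lockup it explains. Something like `printk(KERN_ERR "i810: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` would keep the diagnostic attached to the error. The declarations of `head` and `tail` are outside the hunk, so it is worth confirming they are unsigned 32-bit values before relying on `%u`.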
58594diff --git a/drivers/video/fbdev/matrox/matroxfb_DAC1064.c b/drivers/video/fbdev/matrox/matroxfb_DAC1064.c
58595index a01147f..5d896f8 100644
58596--- a/drivers/video/fbdev/matrox/matroxfb_DAC1064.c
58597+++ b/drivers/video/fbdev/matrox/matroxfb_DAC1064.c
58598@@ -1088,14 +1088,20 @@ static void MGAG100_restore(struct matrox_fb_info *minfo)
58599
58600 #ifdef CONFIG_FB_MATROX_MYSTIQUE
58601 struct matrox_switch matrox_mystique = {
58602- MGA1064_preinit, MGA1064_reset, MGA1064_init, MGA1064_restore,
58603+ .preinit = MGA1064_preinit,
58604+ .reset = MGA1064_reset,
58605+ .init = MGA1064_init,
58606+ .restore = MGA1064_restore,
58607 };
58608 EXPORT_SYMBOL(matrox_mystique);
58609 #endif
58610
58611 #ifdef CONFIG_FB_MATROX_G
58612 struct matrox_switch matrox_G100 = {
58613- MGAG100_preinit, MGAG100_reset, MGAG100_init, MGAG100_restore,
58614+ .preinit = MGAG100_preinit,
58615+ .reset = MGAG100_reset,
58616+ .init = MGAG100_init,
58617+ .restore = MGAG100_restore,
58618 };
58619 EXPORT_SYMBOL(matrox_G100);
58620 #endif
58621diff --git a/drivers/video/fbdev/matrox/matroxfb_Ti3026.c b/drivers/video/fbdev/matrox/matroxfb_Ti3026.c
58622index 195ad7c..09743fc 100644
58623--- a/drivers/video/fbdev/matrox/matroxfb_Ti3026.c
58624+++ b/drivers/video/fbdev/matrox/matroxfb_Ti3026.c
58625@@ -738,7 +738,10 @@ static int Ti3026_preinit(struct matrox_fb_info *minfo)
58626 }
58627
58628 struct matrox_switch matrox_millennium = {
58629- Ti3026_preinit, Ti3026_reset, Ti3026_init, Ti3026_restore
58630+ .preinit = Ti3026_preinit,
58631+ .reset = Ti3026_reset,
58632+ .init = Ti3026_init,
58633+ .restore = Ti3026_restore
58634 };
58635 EXPORT_SYMBOL(matrox_millennium);
58636 #endif
58637diff --git a/drivers/video/fbdev/matrox/matroxfb_base.c b/drivers/video/fbdev/matrox/matroxfb_base.c
58638index 11eb094..622ee31 100644
58639--- a/drivers/video/fbdev/matrox/matroxfb_base.c
58640+++ b/drivers/video/fbdev/matrox/matroxfb_base.c
58641@@ -2176,7 +2176,7 @@ static struct pci_driver matroxfb_driver = {
58642 #define RS1056x480 14 /* 132 x 60 text */
58643 #define RSNoxNo 15
58644 /* 10-FF */
58645-static struct { int xres, yres, left, right, upper, lower, hslen, vslen, vfreq; } timmings[] __initdata = {
58646+static struct { unsigned int xres, yres, left, right, upper, lower, hslen, vslen, vfreq; } timmings[] __initdata = {
58647 { 640, 400, 48, 16, 39, 8, 96, 2, 70 },
58648 { 640, 480, 48, 16, 33, 10, 96, 2, 60 },
58649 { 800, 600, 144, 24, 28, 8, 112, 6, 60 },
58650diff --git a/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c b/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c
58651index fe92eed..106e085 100644
58652--- a/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c
58653+++ b/drivers/video/fbdev/mb862xx/mb862xxfb_accel.c
58654@@ -312,14 +312,18 @@ void mb862xxfb_init_accel(struct fb_info *info, int xres)
58655 struct mb862xxfb_par *par = info->par;
58656
58657 if (info->var.bits_per_pixel == 32) {
58658- info->fbops->fb_fillrect = cfb_fillrect;
58659- info->fbops->fb_copyarea = cfb_copyarea;
58660- info->fbops->fb_imageblit = cfb_imageblit;
58661+ pax_open_kernel();
58662+ *(void **)&info->fbops->fb_fillrect = cfb_fillrect;
58663+ *(void **)&info->fbops->fb_copyarea = cfb_copyarea;
58664+ *(void **)&info->fbops->fb_imageblit = cfb_imageblit;
58665+ pax_close_kernel();
58666 } else {
58667 outreg(disp, GC_L0EM, 3);
58668- info->fbops->fb_fillrect = mb86290fb_fillrect;
58669- info->fbops->fb_copyarea = mb86290fb_copyarea;
58670- info->fbops->fb_imageblit = mb86290fb_imageblit;
58671+ pax_open_kernel();
58672+ *(void **)&info->fbops->fb_fillrect = mb86290fb_fillrect;
58673+ *(void **)&info->fbops->fb_copyarea = mb86290fb_copyarea;
58674+ *(void **)&info->fbops->fb_imageblit = mb86290fb_imageblit;
58675+ pax_close_kernel();
58676 }
58677 outreg(draw, GDC_REG_DRAW_BASE, 0);
58678 outreg(draw, GDC_REG_MODE_MISC, 0x8000);
58679diff --git a/drivers/video/fbdev/nvidia/nvidia.c b/drivers/video/fbdev/nvidia/nvidia.c
58680index ce7dab7..a87baf8 100644
58681--- a/drivers/video/fbdev/nvidia/nvidia.c
58682+++ b/drivers/video/fbdev/nvidia/nvidia.c
58683@@ -660,19 +660,23 @@ static int nvidiafb_set_par(struct fb_info *info)
58684 info->fix.line_length = (info->var.xres_virtual *
58685 info->var.bits_per_pixel) >> 3;
58686 if (info->var.accel_flags) {
58687- info->fbops->fb_imageblit = nvidiafb_imageblit;
58688- info->fbops->fb_fillrect = nvidiafb_fillrect;
58689- info->fbops->fb_copyarea = nvidiafb_copyarea;
58690- info->fbops->fb_sync = nvidiafb_sync;
58691+ pax_open_kernel();
58692+ *(void **)&info->fbops->fb_imageblit = nvidiafb_imageblit;
58693+ *(void **)&info->fbops->fb_fillrect = nvidiafb_fillrect;
58694+ *(void **)&info->fbops->fb_copyarea = nvidiafb_copyarea;
58695+ *(void **)&info->fbops->fb_sync = nvidiafb_sync;
58696+ pax_close_kernel();
58697 info->pixmap.scan_align = 4;
58698 info->flags &= ~FBINFO_HWACCEL_DISABLED;
58699 info->flags |= FBINFO_READS_FAST;
58700 NVResetGraphics(info);
58701 } else {
58702- info->fbops->fb_imageblit = cfb_imageblit;
58703- info->fbops->fb_fillrect = cfb_fillrect;
58704- info->fbops->fb_copyarea = cfb_copyarea;
58705- info->fbops->fb_sync = NULL;
58706+ pax_open_kernel();
58707+ *(void **)&info->fbops->fb_imageblit = cfb_imageblit;
58708+ *(void **)&info->fbops->fb_fillrect = cfb_fillrect;
58709+ *(void **)&info->fbops->fb_copyarea = cfb_copyarea;
58710+ *(void **)&info->fbops->fb_sync = NULL;
58711+ pax_close_kernel();
58712 info->pixmap.scan_align = 1;
58713 info->flags |= FBINFO_HWACCEL_DISABLED;
58714 info->flags &= ~FBINFO_READS_FAST;
58715@@ -1164,8 +1168,11 @@ static int nvidia_set_fbinfo(struct fb_info *info)
58716 info->pixmap.size = 8 * 1024;
58717 info->pixmap.flags = FB_PIXMAP_SYSTEM;
58718
58719- if (!hwcur)
58720- info->fbops->fb_cursor = NULL;
58721+ if (!hwcur) {
58722+ pax_open_kernel();
58723+ *(void **)&info->fbops->fb_cursor = NULL;
58724+ pax_close_kernel();
58725+ }
58726
58727 info->var.accel_flags = (!noaccel);
58728
58729diff --git a/drivers/video/fbdev/omap2/dss/display.c b/drivers/video/fbdev/omap2/dss/display.c
58730index ef5b902..47cf7f5 100644
58731--- a/drivers/video/fbdev/omap2/dss/display.c
58732+++ b/drivers/video/fbdev/omap2/dss/display.c
58733@@ -161,12 +161,14 @@ int omapdss_register_display(struct omap_dss_device *dssdev)
58734 if (dssdev->name == NULL)
58735 dssdev->name = dssdev->alias;
58736
58737+ pax_open_kernel();
58738 if (drv && drv->get_resolution == NULL)
58739- drv->get_resolution = omapdss_default_get_resolution;
58740+ *(void **)&drv->get_resolution = omapdss_default_get_resolution;
58741 if (drv && drv->get_recommended_bpp == NULL)
58742- drv->get_recommended_bpp = omapdss_default_get_recommended_bpp;
58743+ *(void **)&drv->get_recommended_bpp = omapdss_default_get_recommended_bpp;
58744 if (drv && drv->get_timings == NULL)
58745- drv->get_timings = omapdss_default_get_timings;
58746+ *(void **)&drv->get_timings = omapdss_default_get_timings;
58747+ pax_close_kernel();
58748
58749 mutex_lock(&panel_list_mutex);
58750 list_add_tail(&dssdev->panel_list, &panel_list);
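Review bot: `pax_open_kernel();` is called before any of the `drv && drv->... == NULL` tests, so the write window opens even when `drv` is NULL or all three callbacks are already set. Keeping the window as narrow as the writes is the point of the bracket. I would guard it, for example `if (drv && (!drv->get_resolution || !drv->get_recommended_bpp || !drv->get_timings)) {` around the open/assign/close sequence. The body of omapdss_register_display extends beyond this hunk.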
58751diff --git a/drivers/video/fbdev/s1d13xxxfb.c b/drivers/video/fbdev/s1d13xxxfb.c
58752index 83433cb..71e9b98 100644
58753--- a/drivers/video/fbdev/s1d13xxxfb.c
58754+++ b/drivers/video/fbdev/s1d13xxxfb.c
58755@@ -881,8 +881,10 @@ static int s1d13xxxfb_probe(struct platform_device *pdev)
58756
58757 switch(prod_id) {
58758 case S1D13506_PROD_ID: /* activate acceleration */
58759- s1d13xxxfb_fbops.fb_fillrect = s1d13xxxfb_bitblt_solidfill;
58760- s1d13xxxfb_fbops.fb_copyarea = s1d13xxxfb_bitblt_copyarea;
58761+ pax_open_kernel();
58762+ *(void **)&s1d13xxxfb_fbops.fb_fillrect = s1d13xxxfb_bitblt_solidfill;
58763+ *(void **)&s1d13xxxfb_fbops.fb_copyarea = s1d13xxxfb_bitblt_copyarea;
58764+ pax_close_kernel();
58765 info->flags = FBINFO_DEFAULT | FBINFO_HWACCEL_YPAN |
58766 FBINFO_HWACCEL_FILLRECT | FBINFO_HWACCEL_COPYAREA;
58767 break;
58768diff --git a/drivers/video/fbdev/sh_mobile_lcdcfb.c b/drivers/video/fbdev/sh_mobile_lcdcfb.c
58769index 82c0a8c..42499a1 100644
58770--- a/drivers/video/fbdev/sh_mobile_lcdcfb.c
58771+++ b/drivers/video/fbdev/sh_mobile_lcdcfb.c
58772@@ -439,9 +439,9 @@ static unsigned long lcdc_sys_read_data(void *handle)
58773 }
58774
58775 static struct sh_mobile_lcdc_sys_bus_ops sh_mobile_lcdc_sys_bus_ops = {
58776- lcdc_sys_write_index,
58777- lcdc_sys_write_data,
58778- lcdc_sys_read_data,
58779+ .write_index = lcdc_sys_write_index,
58780+ .write_data = lcdc_sys_write_data,
58781+ .read_data = lcdc_sys_read_data,
58782 };
58783
58784 static int sh_mobile_lcdc_sginit(struct fb_info *info,
58785diff --git a/drivers/video/fbdev/smscufx.c b/drivers/video/fbdev/smscufx.c
58786index 9279e5f..d5f5276 100644
58787--- a/drivers/video/fbdev/smscufx.c
58788+++ b/drivers/video/fbdev/smscufx.c
58789@@ -1174,7 +1174,9 @@ static int ufx_ops_release(struct fb_info *info, int user)
58790 fb_deferred_io_cleanup(info);
58791 kfree(info->fbdefio);
58792 info->fbdefio = NULL;
58793- info->fbops->fb_mmap = ufx_ops_mmap;
58794+ pax_open_kernel();
58795+ *(void **)&info->fbops->fb_mmap = ufx_ops_mmap;
58796+ pax_close_kernel();
58797 }
58798
58799 pr_debug("released /dev/fb%d user=%d count=%d",
58800diff --git a/drivers/video/fbdev/udlfb.c b/drivers/video/fbdev/udlfb.c
58801index ff2b873..626a8d5 100644
58802--- a/drivers/video/fbdev/udlfb.c
58803+++ b/drivers/video/fbdev/udlfb.c
58804@@ -623,11 +623,11 @@ static int dlfb_handle_damage(struct dlfb_data *dev, int x, int y,
58805 dlfb_urb_completion(urb);
58806
58807 error:
58808- atomic_add(bytes_sent, &dev->bytes_sent);
58809- atomic_add(bytes_identical, &dev->bytes_identical);
58810- atomic_add(width*height*2, &dev->bytes_rendered);
58811+ atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
58812+ atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
58813+ atomic_add_unchecked(width*height*2, &dev->bytes_rendered);
58814 end_cycles = get_cycles();
58815- atomic_add(((unsigned int) ((end_cycles - start_cycles)
58816+ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
58817 >> 10)), /* Kcycles */
58818 &dev->cpu_kcycles_used);
58819
58820@@ -748,11 +748,11 @@ static void dlfb_dpy_deferred_io(struct fb_info *info,
58821 dlfb_urb_completion(urb);
58822
58823 error:
58824- atomic_add(bytes_sent, &dev->bytes_sent);
58825- atomic_add(bytes_identical, &dev->bytes_identical);
58826- atomic_add(bytes_rendered, &dev->bytes_rendered);
58827+ atomic_add_unchecked(bytes_sent, &dev->bytes_sent);
58828+ atomic_add_unchecked(bytes_identical, &dev->bytes_identical);
58829+ atomic_add_unchecked(bytes_rendered, &dev->bytes_rendered);
58830 end_cycles = get_cycles();
58831- atomic_add(((unsigned int) ((end_cycles - start_cycles)
58832+ atomic_add_unchecked(((unsigned int) ((end_cycles - start_cycles)
58833 >> 10)), /* Kcycles */
58834 &dev->cpu_kcycles_used);
58835 }
58836@@ -991,7 +991,9 @@ static int dlfb_ops_release(struct fb_info *info, int user)
58837 fb_deferred_io_cleanup(info);
58838 kfree(info->fbdefio);
58839 info->fbdefio = NULL;
58840- info->fbops->fb_mmap = dlfb_ops_mmap;
58841+ pax_open_kernel();
58842+ *(void **)&info->fbops->fb_mmap = dlfb_ops_mmap;
58843+ pax_close_kernel();
58844 }
58845
58846 pr_warn("released /dev/fb%d user=%d count=%d\n",
58847@@ -1373,7 +1375,7 @@ static ssize_t metrics_bytes_rendered_show(struct device *fbdev,
58848 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58849 struct dlfb_data *dev = fb_info->par;
58850 return snprintf(buf, PAGE_SIZE, "%u\n",
58851- atomic_read(&dev->bytes_rendered));
58852+ atomic_read_unchecked(&dev->bytes_rendered));
58853 }
58854
58855 static ssize_t metrics_bytes_identical_show(struct device *fbdev,
58856@@ -1381,7 +1383,7 @@ static ssize_t metrics_bytes_identical_show(struct device *fbdev,
58857 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58858 struct dlfb_data *dev = fb_info->par;
58859 return snprintf(buf, PAGE_SIZE, "%u\n",
58860- atomic_read(&dev->bytes_identical));
58861+ atomic_read_unchecked(&dev->bytes_identical));
58862 }
58863
58864 static ssize_t metrics_bytes_sent_show(struct device *fbdev,
58865@@ -1389,7 +1391,7 @@ static ssize_t metrics_bytes_sent_show(struct device *fbdev,
58866 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58867 struct dlfb_data *dev = fb_info->par;
58868 return snprintf(buf, PAGE_SIZE, "%u\n",
58869- atomic_read(&dev->bytes_sent));
58870+ atomic_read_unchecked(&dev->bytes_sent));
58871 }
58872
58873 static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
58874@@ -1397,7 +1399,7 @@ static ssize_t metrics_cpu_kcycles_used_show(struct device *fbdev,
58875 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58876 struct dlfb_data *dev = fb_info->par;
58877 return snprintf(buf, PAGE_SIZE, "%u\n",
58878- atomic_read(&dev->cpu_kcycles_used));
58879+ atomic_read_unchecked(&dev->cpu_kcycles_used));
58880 }
58881
58882 static ssize_t edid_show(
58883@@ -1457,10 +1459,10 @@ static ssize_t metrics_reset_store(struct device *fbdev,
58884 struct fb_info *fb_info = dev_get_drvdata(fbdev);
58885 struct dlfb_data *dev = fb_info->par;
58886
58887- atomic_set(&dev->bytes_rendered, 0);
58888- atomic_set(&dev->bytes_identical, 0);
58889- atomic_set(&dev->bytes_sent, 0);
58890- atomic_set(&dev->cpu_kcycles_used, 0);
58891+ atomic_set_unchecked(&dev->bytes_rendered, 0);
58892+ atomic_set_unchecked(&dev->bytes_identical, 0);
58893+ atomic_set_unchecked(&dev->bytes_sent, 0);
58894+ atomic_set_unchecked(&dev->cpu_kcycles_used, 0);
58895
58896 return count;
58897 }
58898diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c
58899index 178ae93..624b2eb 100644
58900--- a/drivers/video/fbdev/uvesafb.c
58901+++ b/drivers/video/fbdev/uvesafb.c
58902@@ -19,6 +19,7 @@
58903 #include <linux/io.h>
58904 #include <linux/mutex.h>
58905 #include <linux/slab.h>
58906+#include <linux/moduleloader.h>
58907 #include <video/edid.h>
58908 #include <video/uvesafb.h>
58909 #ifdef CONFIG_X86
58910@@ -565,10 +566,32 @@ static int uvesafb_vbe_getpmi(struct uvesafb_ktask *task,
58911 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
58912 par->pmi_setpal = par->ypan = 0;
58913 } else {
58914+
58915+#ifdef CONFIG_PAX_KERNEXEC
58916+#ifdef CONFIG_MODULES
58917+ par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
58918+#endif
58919+ if (!par->pmi_code) {
58920+ par->pmi_setpal = par->ypan = 0;
58921+ return 0;
58922+ }
58923+#endif
58924+
58925 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
58926 + task->t.regs.edi);
58927+
58928+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
58929+ pax_open_kernel();
58930+ memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
58931+ pax_close_kernel();
58932+
58933+ par->pmi_start = (void *)ktva_ktla((unsigned long)(par->pmi_code + par->pmi_base[1]));
58934+ par->pmi_pal = (void *)ktva_ktla((unsigned long)(par->pmi_code + par->pmi_base[2]));
58935+#else
58936 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
58937 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
58938+#endif
58939+
58940 printk(KERN_INFO "uvesafb: protected mode interface info at "
58941 "%04x:%04x\n",
58942 (u16)task->t.regs.es, (u16)task->t.regs.edi);
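Review bot: The offsets `par->pmi_base[1]` and `par->pmi_base[2]` come from the firmware table and are added to `par->pmi_code` without being compared against the `(u16)task->t.regs.ecx` bytes that were allocated and copied. An offset at or beyond that length leaves `pmi_start` or `pmi_pal` pointing outside the executable buffer. I would check both offsets against the length before the memcpy and fall back to `par->pmi_setpal = par->ypan = 0;` when either is out of range. A zero length also deserves the same fallback. The vesafb.c hunk that copies `screen_info.vesapm_size` bytes and then adds `pmi_base[1]` and `pmi_base[2]` to `pmi_code` has the same gap.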
58943@@ -813,13 +836,14 @@ static int uvesafb_vbe_init(struct fb_info *info)
58944 par->ypan = ypan;
58945
58946 if (par->pmi_setpal || par->ypan) {
58947+#if !defined(CONFIG_MODULES) || !defined(CONFIG_PAX_KERNEXEC)
58948 if (__supported_pte_mask & _PAGE_NX) {
58949 par->pmi_setpal = par->ypan = 0;
58950 printk(KERN_WARNING "uvesafb: NX protection is active, "
58951 "better not use the PMI.\n");
58952- } else {
58953+ } else
58954+#endif
58955 uvesafb_vbe_getpmi(task, par);
58956- }
58957 }
58958 #else
58959 /* The protected mode interface is not available on non-x86. */
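Review bot: After this change `uvesafb_vbe_getpmi(task, par);` is the brace-less body of `} else` in one configuration and an unconditional statement in the other, with `#endif` sitting between the `else` and its body. A statement added above the call later would silently change which branch it belongs to. A comment on the call would make the dual role explicit, for example `/* else-body when the NX check above is compiled in, unconditional otherwise */`. Moving the NX test into a small helper that returns a flag would also avoid splitting the `else` across the preprocessor.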
58960@@ -1452,8 +1476,11 @@ static void uvesafb_init_info(struct fb_info *info, struct vbe_mode_ib *mode)
58961 info->fix.ywrapstep = (par->ypan > 1) ? 1 : 0;
58962
58963 /* Disable blanking if the user requested so. */
58964- if (!blank)
58965- info->fbops->fb_blank = NULL;
58966+ if (!blank) {
58967+ pax_open_kernel();
58968+ *(void **)&info->fbops->fb_blank = NULL;
58969+ pax_close_kernel();
58970+ }
58971
58972 /*
58973 * Find out how much IO memory is required for the mode with
58974@@ -1524,8 +1551,11 @@ static void uvesafb_init_info(struct fb_info *info, struct vbe_mode_ib *mode)
58975 info->flags = FBINFO_FLAG_DEFAULT |
58976 (par->ypan ? FBINFO_HWACCEL_YPAN : 0);
58977
58978- if (!par->ypan)
58979- info->fbops->fb_pan_display = NULL;
58980+ if (!par->ypan) {
58981+ pax_open_kernel();
58982+ *(void **)&info->fbops->fb_pan_display = NULL;
58983+ pax_close_kernel();
58984+ }
58985 }
58986
58987 static void uvesafb_init_mtrr(struct fb_info *info)
58988@@ -1786,6 +1816,11 @@ out_mode:
58989 out:
58990 kfree(par->vbe_modes);
58991
58992+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
58993+ if (par->pmi_code)
58994+ module_memfree_exec(par->pmi_code);
58995+#endif
58996+
58997 framebuffer_release(info);
58998 return err;
58999 }
59000@@ -1810,6 +1845,11 @@ static int uvesafb_remove(struct platform_device *dev)
59001 kfree(par->vbe_state_orig);
59002 kfree(par->vbe_state_saved);
59003
59004+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
59005+ if (par->pmi_code)
59006+ module_memfree_exec(par->pmi_code);
59007+#endif
59008+
59009 framebuffer_release(info);
59010 }
59011 return 0;
59012diff --git a/drivers/video/fbdev/vesafb.c b/drivers/video/fbdev/vesafb.c
59013index 528fe91..6fd29fe 100644
59014--- a/drivers/video/fbdev/vesafb.c
59015+++ b/drivers/video/fbdev/vesafb.c
59016@@ -9,6 +9,7 @@
59017 */
59018
59019 #include <linux/module.h>
59020+#include <linux/moduleloader.h>
59021 #include <linux/kernel.h>
59022 #include <linux/errno.h>
59023 #include <linux/string.h>
59024@@ -56,8 +57,8 @@ static int vram_remap; /* Set amount of memory to be used */
59025 static int vram_total; /* Set total amount of memory */
59026 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
59027 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
59028-static void (*pmi_start)(void) __read_mostly;
59029-static void (*pmi_pal) (void) __read_mostly;
59030+static void (*pmi_start)(void) __read_only;
59031+static void (*pmi_pal) (void) __read_only;
59032 static int depth __read_mostly;
59033 static int vga_compat __read_mostly;
59034 /* --------------------------------------------------------------------- */
59035@@ -241,6 +242,7 @@ static int vesafb_probe(struct platform_device *dev)
59036 unsigned int size_remap;
59037 unsigned int size_total;
59038 char *option = NULL;
59039+ void *pmi_code = NULL;
59040
59041 /* ignore error return of fb_get_options */
59042 fb_get_options("vesafb", &option);
59043@@ -287,10 +289,6 @@ static int vesafb_probe(struct platform_device *dev)
59044 size_remap = size_total;
59045 vesafb_fix.smem_len = size_remap;
59046
59047-#ifndef __i386__
59048- screen_info.vesapm_seg = 0;
59049-#endif
59050-
59051 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
59052 printk(KERN_WARNING
59053 "vesafb: cannot reserve video memory at 0x%lx\n",
59054@@ -320,9 +318,21 @@ static int vesafb_probe(struct platform_device *dev)
59055 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
59056 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
59057
59058+#ifdef __i386__
59059+
59060+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
59061+ pmi_code = module_alloc_exec(screen_info.vesapm_size);
59062+ if (!pmi_code)
59063+#elif !defined(CONFIG_PAX_KERNEXEC)
59064+ if (0)
59065+#endif
59066+
59067+#endif
59068+ screen_info.vesapm_seg = 0;
59069+
59070 if (screen_info.vesapm_seg) {
59071- printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
59072- screen_info.vesapm_seg,screen_info.vesapm_off);
59073+ printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
59074+ screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
59075 }
59076
59077 if (screen_info.vesapm_seg < 0xc000)
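Review bot: `module_alloc_exec(screen_info.vesapm_size)` runs before the code knows whether the PMI will be used at all. When `vesapm_seg` is below 0xc000, or `ypan` and `pmi_setpal` are both off, the executable buffer is allocated but never referenced. No hunk on this page frees it on the successful return, so it looks leaked in that case. I would either move the allocation into the `if (ypan || pmi_setpal)` block of the next hunk or release it when that block is skipped. Separately, the `if (!pmi_code)` / `if (0)` lines whose body, `screen_info.vesapm_seg = 0;`, sits after two `#endif` lines are hard to follow; a comment stating which configurations clear `vesapm_seg` would help.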
59078@@ -330,9 +340,25 @@ static int vesafb_probe(struct platform_device *dev)
59079
59080 if (ypan || pmi_setpal) {
59081 unsigned short *pmi_base;
59082+
59083 pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
59084- pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
59085- pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
59086+
59087+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
59088+ pax_open_kernel();
59089+ memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
59090+#else
59091+ pmi_code = pmi_base;
59092+#endif
59093+
59094+ pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
59095+ pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
59096+
59097+#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
59098+ pmi_start = (void *)ktva_ktla((unsigned long)pmi_start);
59099+ pmi_pal = (void *)ktva_ktla((unsigned long)pmi_pal);
59100+ pax_close_kernel();
59101+#endif
59102+
59103 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
59104 if (pmi_base[3]) {
59105 printk(KERN_INFO "vesafb: pmi: ports = ");
59106@@ -452,8 +478,11 @@ static int vesafb_probe(struct platform_device *dev)
59107 info->flags = FBINFO_FLAG_DEFAULT | FBINFO_MISC_FIRMWARE |
59108 (ypan ? FBINFO_HWACCEL_YPAN : 0);
59109
59110- if (!ypan)
59111- info->fbops->fb_pan_display = NULL;
59112+ if (!ypan) {
59113+ pax_open_kernel();
59114+ *(void **)&info->fbops->fb_pan_display = NULL;
59115+ pax_close_kernel();
59116+ }
59117
59118 if (fb_alloc_cmap(&info->cmap, 256, 0) < 0) {
59119 err = -ENOMEM;
59120@@ -467,6 +496,11 @@ static int vesafb_probe(struct platform_device *dev)
59121 fb_info(info, "%s frame buffer device\n", info->fix.id);
59122 return 0;
59123 err:
59124+
59125+#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
59126+ module_memfree_exec(pmi_code);
59127+#endif
59128+
59129 arch_phys_wc_del(par->wc_cookie);
59130 if (info->screen_base)
59131 iounmap(info->screen_base);
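Review bot: `module_memfree_exec(pmi_code);` is called unconditionally on the error path, while both uvesafb.c hunks guard the same call with `if (par->pmi_code)`. `pmi_code` is NULL here whenever the allocation failed. Whether module_memfree_exec accepts NULL is not visible on this page, so I would match the uvesafb form: `if (pmi_code) module_memfree_exec(pmi_code);`. Note also that the static `pmi_start` and `pmi_pal` pointers still reference the freed buffer after this path; clearing them would need the same write bracket used where they are set.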
59132diff --git a/drivers/video/fbdev/via/via_clock.h b/drivers/video/fbdev/via/via_clock.h
59133index 88714ae..16c2e11 100644
59134--- a/drivers/video/fbdev/via/via_clock.h
59135+++ b/drivers/video/fbdev/via/via_clock.h
59136@@ -56,7 +56,7 @@ struct via_clock {
59137
59138 void (*set_engine_pll_state)(u8 state);
59139 void (*set_engine_pll)(struct via_pll_config config);
59140-};
59141+} __no_const;
59142
59143
59144 static inline u32 get_pll_internal_frequency(u32 ref_freq,
59145diff --git a/drivers/video/logo/logo_linux_clut224.ppm b/drivers/video/logo/logo_linux_clut224.ppm
59146index 3c14e43..2630570 100644
59147--- a/drivers/video/logo/logo_linux_clut224.ppm
59148+++ b/drivers/video/logo/logo_linux_clut224.ppm
59149@@ -2,1603 +2,1123 @@ P3
59150 # Standard 224-color Linux logo
59151 80 80
59152 255
59153- 0 0 0 0 0 0 0 0 0 0 0 0
59154- 0 0 0 0 0 0 0 0 0 0 0 0
59155- 0 0 0 0 0 0 0 0 0 0 0 0
59156- 0 0 0 0 0 0 0 0 0 0 0 0
59157- 0 0 0 0 0 0 0 0 0 0 0 0
59158- 0 0 0 0 0 0 0 0 0 0 0 0
59159- 0 0 0 0 0 0 0 0 0 0 0 0
59160- 0 0 0 0 0 0 0 0 0 0 0 0
59161- 0 0 0 0 0 0 0 0 0 0 0 0
59162- 6 6 6 6 6 6 10 10 10 10 10 10
59163- 10 10 10 6 6 6 6 6 6 6 6 6
59164- 0 0 0 0 0 0 0 0 0 0 0 0
59165- 0 0 0 0 0 0 0 0 0 0 0 0
59166- 0 0 0 0 0 0 0 0 0 0 0 0
59167- 0 0 0 0 0 0 0 0 0 0 0 0
59168- 0 0 0 0 0 0 0 0 0 0 0 0
59169- 0 0 0 0 0 0 0 0 0 0 0 0
59170- 0 0 0 0 0 0 0 0 0 0 0 0
59171- 0 0 0 0 0 0 0 0 0 0 0 0
59172- 0 0 0 0 0 0 0 0 0 0 0 0
59173- 0 0 0 0 0 0 0 0 0 0 0 0
59174- 0 0 0 0 0 0 0 0 0 0 0 0
59175- 0 0 0 0 0 0 0 0 0 0 0 0
59176- 0 0 0 0 0 0 0 0 0 0 0 0
59177- 0 0 0 0 0 0 0 0 0 0 0 0
59178- 0 0 0 0 0 0 0 0 0 0 0 0
59179- 0 0 0 0 0 0 0 0 0 0 0 0
59180- 0 0 0 0 0 0 0 0 0 0 0 0
59181- 0 0 0 6 6 6 10 10 10 14 14 14
59182- 22 22 22 26 26 26 30 30 30 34 34 34
59183- 30 30 30 30 30 30 26 26 26 18 18 18
59184- 14 14 14 10 10 10 6 6 6 0 0 0
59185- 0 0 0 0 0 0 0 0 0 0 0 0
59186- 0 0 0 0 0 0 0 0 0 0 0 0
59187- 0 0 0 0 0 0 0 0 0 0 0 0
59188- 0 0 0 0 0 0 0 0 0 0 0 0
59189- 0 0 0 0 0 0 0 0 0 0 0 0
59190- 0 0 0 0 0 0 0 0 0 0 0 0
59191- 0 0 0 0 0 0 0 0 0 0 0 0
59192- 0 0 0 0 0 0 0 0 0 0 0 0
59193- 0 0 0 0 0 0 0 0 0 0 0 0
59194- 0 0 0 0 0 1 0 0 1 0 0 0
59195- 0 0 0 0 0 0 0 0 0 0 0 0
59196- 0 0 0 0 0 0 0 0 0 0 0 0
59197- 0 0 0 0 0 0 0 0 0 0 0 0
59198- 0 0 0 0 0 0 0 0 0 0 0 0
59199- 0 0 0 0 0 0 0 0 0 0 0 0
59200- 0 0 0 0 0 0 0 0 0 0 0 0
59201- 6 6 6 14 14 14 26 26 26 42 42 42
59202- 54 54 54 66 66 66 78 78 78 78 78 78
59203- 78 78 78 74 74 74 66 66 66 54 54 54
59204- 42 42 42 26 26 26 18 18 18 10 10 10
59205- 6 6 6 0 0 0 0 0 0 0 0 0
59206- 0 0 0 0 0 0 0 0 0 0 0 0
59207- 0 0 0 0 0 0 0 0 0 0 0 0
59208- 0 0 0 0 0 0 0 0 0 0 0 0
59209- 0 0 0 0 0 0 0 0 0 0 0 0
59210- 0 0 0 0 0 0 0 0 0 0 0 0
59211- 0 0 0 0 0 0 0 0 0 0 0 0
59212- 0 0 0 0 0 0 0 0 0 0 0 0
59213- 0 0 0 0 0 0 0 0 0 0 0 0
59214- 0 0 1 0 0 0 0 0 0 0 0 0
59215- 0 0 0 0 0 0 0 0 0 0 0 0
59216- 0 0 0 0 0 0 0 0 0 0 0 0
59217- 0 0 0 0 0 0 0 0 0 0 0 0
59218- 0 0 0 0 0 0 0 0 0 0 0 0
59219- 0 0 0 0 0 0 0 0 0 0 0 0
59220- 0 0 0 0 0 0 0 0 0 10 10 10
59221- 22 22 22 42 42 42 66 66 66 86 86 86
59222- 66 66 66 38 38 38 38 38 38 22 22 22
59223- 26 26 26 34 34 34 54 54 54 66 66 66
59224- 86 86 86 70 70 70 46 46 46 26 26 26
59225- 14 14 14 6 6 6 0 0 0 0 0 0
59226- 0 0 0 0 0 0 0 0 0 0 0 0
59227- 0 0 0 0 0 0 0 0 0 0 0 0
59228- 0 0 0 0 0 0 0 0 0 0 0 0
59229- 0 0 0 0 0 0 0 0 0 0 0 0
59230- 0 0 0 0 0 0 0 0 0 0 0 0
59231- 0 0 0 0 0 0 0 0 0 0 0 0
59232- 0 0 0 0 0 0 0 0 0 0 0 0
59233- 0 0 0 0 0 0 0 0 0 0 0 0
59234- 0 0 1 0 0 1 0 0 1 0 0 0
59235- 0 0 0 0 0 0 0 0 0 0 0 0
59236- 0 0 0 0 0 0 0 0 0 0 0 0
59237- 0 0 0 0 0 0 0 0 0 0 0 0
59238- 0 0 0 0 0 0 0 0 0 0 0 0
59239- 0 0 0 0 0 0 0 0 0 0 0 0
59240- 0 0 0 0 0 0 10 10 10 26 26 26
59241- 50 50 50 82 82 82 58 58 58 6 6 6
59242- 2 2 6 2 2 6 2 2 6 2 2 6
59243- 2 2 6 2 2 6 2 2 6 2 2 6
59244- 6 6 6 54 54 54 86 86 86 66 66 66
59245- 38 38 38 18 18 18 6 6 6 0 0 0
59246- 0 0 0 0 0 0 0 0 0 0 0 0
59247- 0 0 0 0 0 0 0 0 0 0 0 0
59248- 0 0 0 0 0 0 0 0 0 0 0 0
59249- 0 0 0 0 0 0 0 0 0 0 0 0
59250- 0 0 0 0 0 0 0 0 0 0 0 0
59251- 0 0 0 0 0 0 0 0 0 0 0 0
59252- 0 0 0 0 0 0 0 0 0 0 0 0
59253- 0 0 0 0 0 0 0 0 0 0 0 0
59254- 0 0 0 0 0 0 0 0 0 0 0 0
59255- 0 0 0 0 0 0 0 0 0 0 0 0
59256- 0 0 0 0 0 0 0 0 0 0 0 0
59257- 0 0 0 0 0 0 0 0 0 0 0 0
59258- 0 0 0 0 0 0 0 0 0 0 0 0
59259- 0 0 0 0 0 0 0 0 0 0 0 0
59260- 0 0 0 6 6 6 22 22 22 50 50 50
59261- 78 78 78 34 34 34 2 2 6 2 2 6
59262- 2 2 6 2 2 6 2 2 6 2 2 6
59263- 2 2 6 2 2 6 2 2 6 2 2 6
59264- 2 2 6 2 2 6 6 6 6 70 70 70
59265- 78 78 78 46 46 46 22 22 22 6 6 6
59266- 0 0 0 0 0 0 0 0 0 0 0 0
59267- 0 0 0 0 0 0 0 0 0 0 0 0
59268- 0 0 0 0 0 0 0 0 0 0 0 0
59269- 0 0 0 0 0 0 0 0 0 0 0 0
59270- 0 0 0 0 0 0 0 0 0 0 0 0
59271- 0 0 0 0 0 0 0 0 0 0 0 0
59272- 0 0 0 0 0 0 0 0 0 0 0 0
59273- 0 0 0 0 0 0 0 0 0 0 0 0
59274- 0 0 1 0 0 1 0 0 1 0 0 0
59275- 0 0 0 0 0 0 0 0 0 0 0 0
59276- 0 0 0 0 0 0 0 0 0 0 0 0
59277- 0 0 0 0 0 0 0 0 0 0 0 0
59278- 0 0 0 0 0 0 0 0 0 0 0 0
59279- 0 0 0 0 0 0 0 0 0 0 0 0
59280- 6 6 6 18 18 18 42 42 42 82 82 82
59281- 26 26 26 2 2 6 2 2 6 2 2 6
59282- 2 2 6 2 2 6 2 2 6 2 2 6
59283- 2 2 6 2 2 6 2 2 6 14 14 14
59284- 46 46 46 34 34 34 6 6 6 2 2 6
59285- 42 42 42 78 78 78 42 42 42 18 18 18
59286- 6 6 6 0 0 0 0 0 0 0 0 0
59287- 0 0 0 0 0 0 0 0 0 0 0 0
59288- 0 0 0 0 0 0 0 0 0 0 0 0
59289- 0 0 0 0 0 0 0 0 0 0 0 0
59290- 0 0 0 0 0 0 0 0 0 0 0 0
59291- 0 0 0 0 0 0 0 0 0 0 0 0
59292- 0 0 0 0 0 0 0 0 0 0 0 0
59293- 0 0 0 0 0 0 0 0 0 0 0 0
59294- 0 0 1 0 0 0 0 0 1 0 0 0
59295- 0 0 0 0 0 0 0 0 0 0 0 0
59296- 0 0 0 0 0 0 0 0 0 0 0 0
59297- 0 0 0 0 0 0 0 0 0 0 0 0
59298- 0 0 0 0 0 0 0 0 0 0 0 0
59299- 0 0 0 0 0 0 0 0 0 0 0 0
59300- 10 10 10 30 30 30 66 66 66 58 58 58
59301- 2 2 6 2 2 6 2 2 6 2 2 6
59302- 2 2 6 2 2 6 2 2 6 2 2 6
59303- 2 2 6 2 2 6 2 2 6 26 26 26
59304- 86 86 86 101 101 101 46 46 46 10 10 10
59305- 2 2 6 58 58 58 70 70 70 34 34 34
59306- 10 10 10 0 0 0 0 0 0 0 0 0
59307- 0 0 0 0 0 0 0 0 0 0 0 0
59308- 0 0 0 0 0 0 0 0 0 0 0 0
59309- 0 0 0 0 0 0 0 0 0 0 0 0
59310- 0 0 0 0 0 0 0 0 0 0 0 0
59311- 0 0 0 0 0 0 0 0 0 0 0 0
59312- 0 0 0 0 0 0 0 0 0 0 0 0
59313- 0 0 0 0 0 0 0 0 0 0 0 0
59314- 0 0 1 0 0 1 0 0 1 0 0 0
59315- 0 0 0 0 0 0 0 0 0 0 0 0
59316- 0 0 0 0 0 0 0 0 0 0 0 0
59317- 0 0 0 0 0 0 0 0 0 0 0 0
59318- 0 0 0 0 0 0 0 0 0 0 0 0
59319- 0 0 0 0 0 0 0 0 0 0 0 0
59320- 14 14 14 42 42 42 86 86 86 10 10 10
59321- 2 2 6 2 2 6 2 2 6 2 2 6
59322- 2 2 6 2 2 6 2 2 6 2 2 6
59323- 2 2 6 2 2 6 2 2 6 30 30 30
59324- 94 94 94 94 94 94 58 58 58 26 26 26
59325- 2 2 6 6 6 6 78 78 78 54 54 54
59326- 22 22 22 6 6 6 0 0 0 0 0 0
59327- 0 0 0 0 0 0 0 0 0 0 0 0
59328- 0 0 0 0 0 0 0 0 0 0 0 0
59329- 0 0 0 0 0 0 0 0 0 0 0 0
59330- 0 0 0 0 0 0 0 0 0 0 0 0
59331- 0 0 0 0 0 0 0 0 0 0 0 0
59332- 0 0 0 0 0 0 0 0 0 0 0 0
59333- 0 0 0 0 0 0 0 0 0 0 0 0
59334- 0 0 0 0 0 0 0 0 0 0 0 0
59335- 0 0 0 0 0 0 0 0 0 0 0 0
59336- 0 0 0 0 0 0 0 0 0 0 0 0
59337- 0 0 0 0 0 0 0 0 0 0 0 0
59338- 0 0 0 0 0 0 0 0 0 0 0 0
59339- 0 0 0 0 0 0 0 0 0 6 6 6
59340- 22 22 22 62 62 62 62 62 62 2 2 6
59341- 2 2 6 2 2 6 2 2 6 2 2 6
59342- 2 2 6 2 2 6 2 2 6 2 2 6
59343- 2 2 6 2 2 6 2 2 6 26 26 26
59344- 54 54 54 38 38 38 18 18 18 10 10 10
59345- 2 2 6 2 2 6 34 34 34 82 82 82
59346- 38 38 38 14 14 14 0 0 0 0 0 0
59347- 0 0 0 0 0 0 0 0 0 0 0 0
59348- 0 0 0 0 0 0 0 0 0 0 0 0
59349- 0 0 0 0 0 0 0 0 0 0 0 0
59350- 0 0 0 0 0 0 0 0 0 0 0 0
59351- 0 0 0 0 0 0 0 0 0 0 0 0
59352- 0 0 0 0 0 0 0 0 0 0 0 0
59353- 0 0 0 0 0 0 0 0 0 0 0 0
59354- 0 0 0 0 0 1 0 0 1 0 0 0
59355- 0 0 0 0 0 0 0 0 0 0 0 0
59356- 0 0 0 0 0 0 0 0 0 0 0 0
59357- 0 0 0 0 0 0 0 0 0 0 0 0
59358- 0 0 0 0 0 0 0 0 0 0 0 0
59359- 0 0 0 0 0 0 0 0 0 6 6 6
59360- 30 30 30 78 78 78 30 30 30 2 2 6
59361- 2 2 6 2 2 6 2 2 6 2 2 6
59362- 2 2 6 2 2 6 2 2 6 2 2 6
59363- 2 2 6 2 2 6 2 2 6 10 10 10
59364- 10 10 10 2 2 6 2 2 6 2 2 6
59365- 2 2 6 2 2 6 2 2 6 78 78 78
59366- 50 50 50 18 18 18 6 6 6 0 0 0
59367- 0 0 0 0 0 0 0 0 0 0 0 0
59368- 0 0 0 0 0 0 0 0 0 0 0 0
59369- 0 0 0 0 0 0 0 0 0 0 0 0
59370- 0 0 0 0 0 0 0 0 0 0 0 0
59371- 0 0 0 0 0 0 0 0 0 0 0 0
59372- 0 0 0 0 0 0 0 0 0 0 0 0
59373- 0 0 0 0 0 0 0 0 0 0 0 0
59374- 0 0 1 0 0 0 0 0 0 0 0 0
59375- 0 0 0 0 0 0 0 0 0 0 0 0
59376- 0 0 0 0 0 0 0 0 0 0 0 0
59377- 0 0 0 0 0 0 0 0 0 0 0 0
59378- 0 0 0 0 0 0 0 0 0 0 0 0
59379- 0 0 0 0 0 0 0 0 0 10 10 10
59380- 38 38 38 86 86 86 14 14 14 2 2 6
59381- 2 2 6 2 2 6 2 2 6 2 2 6
59382- 2 2 6 2 2 6 2 2 6 2 2 6
59383- 2 2 6 2 2 6 2 2 6 2 2 6
59384- 2 2 6 2 2 6 2 2 6 2 2 6
59385- 2 2 6 2 2 6 2 2 6 54 54 54
59386- 66 66 66 26 26 26 6 6 6 0 0 0
59387- 0 0 0 0 0 0 0 0 0 0 0 0
59388- 0 0 0 0 0 0 0 0 0 0 0 0
59389- 0 0 0 0 0 0 0 0 0 0 0 0
59390- 0 0 0 0 0 0 0 0 0 0 0 0
59391- 0 0 0 0 0 0 0 0 0 0 0 0
59392- 0 0 0 0 0 0 0 0 0 0 0 0
59393- 0 0 0 0 0 0 0 0 0 0 0 0
59394- 0 0 0 0 0 1 0 0 1 0 0 0
59395- 0 0 0 0 0 0 0 0 0 0 0 0
59396- 0 0 0 0 0 0 0 0 0 0 0 0
59397- 0 0 0 0 0 0 0 0 0 0 0 0
59398- 0 0 0 0 0 0 0 0 0 0 0 0
59399- 0 0 0 0 0 0 0 0 0 14 14 14
59400- 42 42 42 82 82 82 2 2 6 2 2 6
59401- 2 2 6 6 6 6 10 10 10 2 2 6
59402- 2 2 6 2 2 6 2 2 6 2 2 6
59403- 2 2 6 2 2 6 2 2 6 6 6 6
59404- 14 14 14 10 10 10 2 2 6 2 2 6
59405- 2 2 6 2 2 6 2 2 6 18 18 18
59406- 82 82 82 34 34 34 10 10 10 0 0 0
59407- 0 0 0 0 0 0 0 0 0 0 0 0
59408- 0 0 0 0 0 0 0 0 0 0 0 0
59409- 0 0 0 0 0 0 0 0 0 0 0 0
59410- 0 0 0 0 0 0 0 0 0 0 0 0
59411- 0 0 0 0 0 0 0 0 0 0 0 0
59412- 0 0 0 0 0 0 0 0 0 0 0 0
59413- 0 0 0 0 0 0 0 0 0 0 0 0
59414- 0 0 1 0 0 0 0 0 0 0 0 0
59415- 0 0 0 0 0 0 0 0 0 0 0 0
59416- 0 0 0 0 0 0 0 0 0 0 0 0
59417- 0 0 0 0 0 0 0 0 0 0 0 0
59418- 0 0 0 0 0 0 0 0 0 0 0 0
59419- 0 0 0 0 0 0 0 0 0 14 14 14
59420- 46 46 46 86 86 86 2 2 6 2 2 6
59421- 6 6 6 6 6 6 22 22 22 34 34 34
59422- 6 6 6 2 2 6 2 2 6 2 2 6
59423- 2 2 6 2 2 6 18 18 18 34 34 34
59424- 10 10 10 50 50 50 22 22 22 2 2 6
59425- 2 2 6 2 2 6 2 2 6 10 10 10
59426- 86 86 86 42 42 42 14 14 14 0 0 0
59427- 0 0 0 0 0 0 0 0 0 0 0 0
59428- 0 0 0 0 0 0 0 0 0 0 0 0
59429- 0 0 0 0 0 0 0 0 0 0 0 0
59430- 0 0 0 0 0 0 0 0 0 0 0 0
59431- 0 0 0 0 0 0 0 0 0 0 0 0
59432- 0 0 0 0 0 0 0 0 0 0 0 0
59433- 0 0 0 0 0 0 0 0 0 0 0 0
59434- 0 0 1 0 0 1 0 0 1 0 0 0
59435- 0 0 0 0 0 0 0 0 0 0 0 0
59436- 0 0 0 0 0 0 0 0 0 0 0 0
59437- 0 0 0 0 0 0 0 0 0 0 0 0
59438- 0 0 0 0 0 0 0 0 0 0 0 0
59439- 0 0 0 0 0 0 0 0 0 14 14 14
59440- 46 46 46 86 86 86 2 2 6 2 2 6
59441- 38 38 38 116 116 116 94 94 94 22 22 22
59442- 22 22 22 2 2 6 2 2 6 2 2 6
59443- 14 14 14 86 86 86 138 138 138 162 162 162
59444-154 154 154 38 38 38 26 26 26 6 6 6
59445- 2 2 6 2 2 6 2 2 6 2 2 6
59446- 86 86 86 46 46 46 14 14 14 0 0 0
59447- 0 0 0 0 0 0 0 0 0 0 0 0
59448- 0 0 0 0 0 0 0 0 0 0 0 0
59449- 0 0 0 0 0 0 0 0 0 0 0 0
59450- 0 0 0 0 0 0 0 0 0 0 0 0
59451- 0 0 0 0 0 0 0 0 0 0 0 0
59452- 0 0 0 0 0 0 0 0 0 0 0 0
59453- 0 0 0 0 0 0 0 0 0 0 0 0
59454- 0 0 0 0 0 0 0 0 0 0 0 0
59455- 0 0 0 0 0 0 0 0 0 0 0 0
59456- 0 0 0 0 0 0 0 0 0 0 0 0
59457- 0 0 0 0 0 0 0 0 0 0 0 0
59458- 0 0 0 0 0 0 0 0 0 0 0 0
59459- 0 0 0 0 0 0 0 0 0 14 14 14
59460- 46 46 46 86 86 86 2 2 6 14 14 14
59461-134 134 134 198 198 198 195 195 195 116 116 116
59462- 10 10 10 2 2 6 2 2 6 6 6 6
59463-101 98 89 187 187 187 210 210 210 218 218 218
59464-214 214 214 134 134 134 14 14 14 6 6 6
59465- 2 2 6 2 2 6 2 2 6 2 2 6
59466- 86 86 86 50 50 50 18 18 18 6 6 6
59467- 0 0 0 0 0 0 0 0 0 0 0 0
59468- 0 0 0 0 0 0 0 0 0 0 0 0
59469- 0 0 0 0 0 0 0 0 0 0 0 0
59470- 0 0 0 0 0 0 0 0 0 0 0 0
59471- 0 0 0 0 0 0 0 0 0 0 0 0
59472- 0 0 0 0 0 0 0 0 0 0 0 0
59473- 0 0 0 0 0 0 0 0 1 0 0 0
59474- 0 0 1 0 0 1 0 0 1 0 0 0
59475- 0 0 0 0 0 0 0 0 0 0 0 0
59476- 0 0 0 0 0 0 0 0 0 0 0 0
59477- 0 0 0 0 0 0 0 0 0 0 0 0
59478- 0 0 0 0 0 0 0 0 0 0 0 0
59479- 0 0 0 0 0 0 0 0 0 14 14 14
59480- 46 46 46 86 86 86 2 2 6 54 54 54
59481-218 218 218 195 195 195 226 226 226 246 246 246
59482- 58 58 58 2 2 6 2 2 6 30 30 30
59483-210 210 210 253 253 253 174 174 174 123 123 123
59484-221 221 221 234 234 234 74 74 74 2 2 6
59485- 2 2 6 2 2 6 2 2 6 2 2 6
59486- 70 70 70 58 58 58 22 22 22 6 6 6
59487- 0 0 0 0 0 0 0 0 0 0 0 0
59488- 0 0 0 0 0 0 0 0 0 0 0 0
59489- 0 0 0 0 0 0 0 0 0 0 0 0
59490- 0 0 0 0 0 0 0 0 0 0 0 0
59491- 0 0 0 0 0 0 0 0 0 0 0 0
59492- 0 0 0 0 0 0 0 0 0 0 0 0
59493- 0 0 0 0 0 0 0 0 0 0 0 0
59494- 0 0 0 0 0 0 0 0 0 0 0 0
59495- 0 0 0 0 0 0 0 0 0 0 0 0
59496- 0 0 0 0 0 0 0 0 0 0 0 0
59497- 0 0 0 0 0 0 0 0 0 0 0 0
59498- 0 0 0 0 0 0 0 0 0 0 0 0
59499- 0 0 0 0 0 0 0 0 0 14 14 14
59500- 46 46 46 82 82 82 2 2 6 106 106 106
59501-170 170 170 26 26 26 86 86 86 226 226 226
59502-123 123 123 10 10 10 14 14 14 46 46 46
59503-231 231 231 190 190 190 6 6 6 70 70 70
59504- 90 90 90 238 238 238 158 158 158 2 2 6
59505- 2 2 6 2 2 6 2 2 6 2 2 6
59506- 70 70 70 58 58 58 22 22 22 6 6 6
59507- 0 0 0 0 0 0 0 0 0 0 0 0
59508- 0 0 0 0 0 0 0 0 0 0 0 0
59509- 0 0 0 0 0 0 0 0 0 0 0 0
59510- 0 0 0 0 0 0 0 0 0 0 0 0
59511- 0 0 0 0 0 0 0 0 0 0 0 0
59512- 0 0 0 0 0 0 0 0 0 0 0 0
59513- 0 0 0 0 0 0 0 0 1 0 0 0
59514- 0 0 1 0 0 1 0 0 1 0 0 0
59515- 0 0 0 0 0 0 0 0 0 0 0 0
59516- 0 0 0 0 0 0 0 0 0 0 0 0
59517- 0 0 0 0 0 0 0 0 0 0 0 0
59518- 0 0 0 0 0 0 0 0 0 0 0 0
59519- 0 0 0 0 0 0 0 0 0 14 14 14
59520- 42 42 42 86 86 86 6 6 6 116 116 116
59521-106 106 106 6 6 6 70 70 70 149 149 149
59522-128 128 128 18 18 18 38 38 38 54 54 54
59523-221 221 221 106 106 106 2 2 6 14 14 14
59524- 46 46 46 190 190 190 198 198 198 2 2 6
59525- 2 2 6 2 2 6 2 2 6 2 2 6
59526- 74 74 74 62 62 62 22 22 22 6 6 6
59527- 0 0 0 0 0 0 0 0 0 0 0 0
59528- 0 0 0 0 0 0 0 0 0 0 0 0
59529- 0 0 0 0 0 0 0 0 0 0 0 0
59530- 0 0 0 0 0 0 0 0 0 0 0 0
59531- 0 0 0 0 0 0 0 0 0 0 0 0
59532- 0 0 0 0 0 0 0 0 0 0 0 0
59533- 0 0 0 0 0 0 0 0 1 0 0 0
59534- 0 0 1 0 0 0 0 0 1 0 0 0
59535- 0 0 0 0 0 0 0 0 0 0 0 0
59536- 0 0 0 0 0 0 0 0 0 0 0 0
59537- 0 0 0 0 0 0 0 0 0 0 0 0
59538- 0 0 0 0 0 0 0 0 0 0 0 0
59539- 0 0 0 0 0 0 0 0 0 14 14 14
59540- 42 42 42 94 94 94 14 14 14 101 101 101
59541-128 128 128 2 2 6 18 18 18 116 116 116
59542-118 98 46 121 92 8 121 92 8 98 78 10
59543-162 162 162 106 106 106 2 2 6 2 2 6
59544- 2 2 6 195 195 195 195 195 195 6 6 6
59545- 2 2 6 2 2 6 2 2 6 2 2 6
59546- 74 74 74 62 62 62 22 22 22 6 6 6
59547- 0 0 0 0 0 0 0 0 0 0 0 0
59548- 0 0 0 0 0 0 0 0 0 0 0 0
59549- 0 0 0 0 0 0 0 0 0 0 0 0
59550- 0 0 0 0 0 0 0 0 0 0 0 0
59551- 0 0 0 0 0 0 0 0 0 0 0 0
59552- 0 0 0 0 0 0 0 0 0 0 0 0
59553- 0 0 0 0 0 0 0 0 1 0 0 1
59554- 0 0 1 0 0 0 0 0 1 0 0 0
59555- 0 0 0 0 0 0 0 0 0 0 0 0
59556- 0 0 0 0 0 0 0 0 0 0 0 0
59557- 0 0 0 0 0 0 0 0 0 0 0 0
59558- 0 0 0 0 0 0 0 0 0 0 0 0
59559- 0 0 0 0 0 0 0 0 0 10 10 10
59560- 38 38 38 90 90 90 14 14 14 58 58 58
59561-210 210 210 26 26 26 54 38 6 154 114 10
59562-226 170 11 236 186 11 225 175 15 184 144 12
59563-215 174 15 175 146 61 37 26 9 2 2 6
59564- 70 70 70 246 246 246 138 138 138 2 2 6
59565- 2 2 6 2 2 6 2 2 6 2 2 6
59566- 70 70 70 66 66 66 26 26 26 6 6 6
59567- 0 0 0 0 0 0 0 0 0 0 0 0
59568- 0 0 0 0 0 0 0 0 0 0 0 0
59569- 0 0 0 0 0 0 0 0 0 0 0 0
59570- 0 0 0 0 0 0 0 0 0 0 0 0
59571- 0 0 0 0 0 0 0 0 0 0 0 0
59572- 0 0 0 0 0 0 0 0 0 0 0 0
59573- 0 0 0 0 0 0 0 0 0 0 0 0
59574- 0 0 0 0 0 0 0 0 0 0 0 0
59575- 0 0 0 0 0 0 0 0 0 0 0 0
59576- 0 0 0 0 0 0 0 0 0 0 0 0
59577- 0 0 0 0 0 0 0 0 0 0 0 0
59578- 0 0 0 0 0 0 0 0 0 0 0 0
59579- 0 0 0 0 0 0 0 0 0 10 10 10
59580- 38 38 38 86 86 86 14 14 14 10 10 10
59581-195 195 195 188 164 115 192 133 9 225 175 15
59582-239 182 13 234 190 10 232 195 16 232 200 30
59583-245 207 45 241 208 19 232 195 16 184 144 12
59584-218 194 134 211 206 186 42 42 42 2 2 6
59585- 2 2 6 2 2 6 2 2 6 2 2 6
59586- 50 50 50 74 74 74 30 30 30 6 6 6
59587- 0 0 0 0 0 0 0 0 0 0 0 0
59588- 0 0 0 0 0 0 0 0 0 0 0 0
59589- 0 0 0 0 0 0 0 0 0 0 0 0
59590- 0 0 0 0 0 0 0 0 0 0 0 0
59591- 0 0 0 0 0 0 0 0 0 0 0 0
59592- 0 0 0 0 0 0 0 0 0 0 0 0
59593- 0 0 0 0 0 0 0 0 0 0 0 0
59594- 0 0 0 0 0 0 0 0 0 0 0 0
59595- 0 0 0 0 0 0 0 0 0 0 0 0
59596- 0 0 0 0 0 0 0 0 0 0 0 0
59597- 0 0 0 0 0 0 0 0 0 0 0 0
59598- 0 0 0 0 0 0 0 0 0 0 0 0
59599- 0 0 0 0 0 0 0 0 0 10 10 10
59600- 34 34 34 86 86 86 14 14 14 2 2 6
59601-121 87 25 192 133 9 219 162 10 239 182 13
59602-236 186 11 232 195 16 241 208 19 244 214 54
59603-246 218 60 246 218 38 246 215 20 241 208 19
59604-241 208 19 226 184 13 121 87 25 2 2 6
59605- 2 2 6 2 2 6 2 2 6 2 2 6
59606- 50 50 50 82 82 82 34 34 34 10 10 10
59607- 0 0 0 0 0 0 0 0 0 0 0 0
59608- 0 0 0 0 0 0 0 0 0 0 0 0
59609- 0 0 0 0 0 0 0 0 0 0 0 0
59610- 0 0 0 0 0 0 0 0 0 0 0 0
59611- 0 0 0 0 0 0 0 0 0 0 0 0
59612- 0 0 0 0 0 0 0 0 0 0 0 0
59613- 0 0 0 0 0 0 0 0 0 0 0 0
59614- 0 0 0 0 0 0 0 0 0 0 0 0
59615- 0 0 0 0 0 0 0 0 0 0 0 0
59616- 0 0 0 0 0 0 0 0 0 0 0 0
59617- 0 0 0 0 0 0 0 0 0 0 0 0
59618- 0 0 0 0 0 0 0 0 0 0 0 0
59619- 0 0 0 0 0 0 0 0 0 10 10 10
59620- 34 34 34 82 82 82 30 30 30 61 42 6
59621-180 123 7 206 145 10 230 174 11 239 182 13
59622-234 190 10 238 202 15 241 208 19 246 218 74
59623-246 218 38 246 215 20 246 215 20 246 215 20
59624-226 184 13 215 174 15 184 144 12 6 6 6
59625- 2 2 6 2 2 6 2 2 6 2 2 6
59626- 26 26 26 94 94 94 42 42 42 14 14 14
59627- 0 0 0 0 0 0 0 0 0 0 0 0
59628- 0 0 0 0 0 0 0 0 0 0 0 0
59629- 0 0 0 0 0 0 0 0 0 0 0 0
59630- 0 0 0 0 0 0 0 0 0 0 0 0
59631- 0 0 0 0 0 0 0 0 0 0 0 0
59632- 0 0 0 0 0 0 0 0 0 0 0 0
59633- 0 0 0 0 0 0 0 0 0 0 0 0
59634- 0 0 0 0 0 0 0 0 0 0 0 0
59635- 0 0 0 0 0 0 0 0 0 0 0 0
59636- 0 0 0 0 0 0 0 0 0 0 0 0
59637- 0 0 0 0 0 0 0 0 0 0 0 0
59638- 0 0 0 0 0 0 0 0 0 0 0 0
59639- 0 0 0 0 0 0 0 0 0 10 10 10
59640- 30 30 30 78 78 78 50 50 50 104 69 6
59641-192 133 9 216 158 10 236 178 12 236 186 11
59642-232 195 16 241 208 19 244 214 54 245 215 43
59643-246 215 20 246 215 20 241 208 19 198 155 10
59644-200 144 11 216 158 10 156 118 10 2 2 6
59645- 2 2 6 2 2 6 2 2 6 2 2 6
59646- 6 6 6 90 90 90 54 54 54 18 18 18
59647- 6 6 6 0 0 0 0 0 0 0 0 0
59648- 0 0 0 0 0 0 0 0 0 0 0 0
59649- 0 0 0 0 0 0 0 0 0 0 0 0
59650- 0 0 0 0 0 0 0 0 0 0 0 0
59651- 0 0 0 0 0 0 0 0 0 0 0 0
59652- 0 0 0 0 0 0 0 0 0 0 0 0
59653- 0 0 0 0 0 0 0 0 0 0 0 0
59654- 0 0 0 0 0 0 0 0 0 0 0 0
59655- 0 0 0 0 0 0 0 0 0 0 0 0
59656- 0 0 0 0 0 0 0 0 0 0 0 0
59657- 0 0 0 0 0 0 0 0 0 0 0 0
59658- 0 0 0 0 0 0 0 0 0 0 0 0
59659- 0 0 0 0 0 0 0 0 0 10 10 10
59660- 30 30 30 78 78 78 46 46 46 22 22 22
59661-137 92 6 210 162 10 239 182 13 238 190 10
59662-238 202 15 241 208 19 246 215 20 246 215 20
59663-241 208 19 203 166 17 185 133 11 210 150 10
59664-216 158 10 210 150 10 102 78 10 2 2 6
59665- 6 6 6 54 54 54 14 14 14 2 2 6
59666- 2 2 6 62 62 62 74 74 74 30 30 30
59667- 10 10 10 0 0 0 0 0 0 0 0 0
59668- 0 0 0 0 0 0 0 0 0 0 0 0
59669- 0 0 0 0 0 0 0 0 0 0 0 0
59670- 0 0 0 0 0 0 0 0 0 0 0 0
59671- 0 0 0 0 0 0 0 0 0 0 0 0
59672- 0 0 0 0 0 0 0 0 0 0 0 0
59673- 0 0 0 0 0 0 0 0 0 0 0 0
59674- 0 0 0 0 0 0 0 0 0 0 0 0
59675- 0 0 0 0 0 0 0 0 0 0 0 0
59676- 0 0 0 0 0 0 0 0 0 0 0 0
59677- 0 0 0 0 0 0 0 0 0 0 0 0
59678- 0 0 0 0 0 0 0 0 0 0 0 0
59679- 0 0 0 0 0 0 0 0 0 10 10 10
59680- 34 34 34 78 78 78 50 50 50 6 6 6
59681- 94 70 30 139 102 15 190 146 13 226 184 13
59682-232 200 30 232 195 16 215 174 15 190 146 13
59683-168 122 10 192 133 9 210 150 10 213 154 11
59684-202 150 34 182 157 106 101 98 89 2 2 6
59685- 2 2 6 78 78 78 116 116 116 58 58 58
59686- 2 2 6 22 22 22 90 90 90 46 46 46
59687- 18 18 18 6 6 6 0 0 0 0 0 0
59688- 0 0 0 0 0 0 0 0 0 0 0 0
59689- 0 0 0 0 0 0 0 0 0 0 0 0
59690- 0 0 0 0 0 0 0 0 0 0 0 0
59691- 0 0 0 0 0 0 0 0 0 0 0 0
59692- 0 0 0 0 0 0 0 0 0 0 0 0
59693- 0 0 0 0 0 0 0 0 0 0 0 0
59694- 0 0 0 0 0 0 0 0 0 0 0 0
59695- 0 0 0 0 0 0 0 0 0 0 0 0
59696- 0 0 0 0 0 0 0 0 0 0 0 0
59697- 0 0 0 0 0 0 0 0 0 0 0 0
59698- 0 0 0 0 0 0 0 0 0 0 0 0
59699- 0 0 0 0 0 0 0 0 0 10 10 10
59700- 38 38 38 86 86 86 50 50 50 6 6 6
59701-128 128 128 174 154 114 156 107 11 168 122 10
59702-198 155 10 184 144 12 197 138 11 200 144 11
59703-206 145 10 206 145 10 197 138 11 188 164 115
59704-195 195 195 198 198 198 174 174 174 14 14 14
59705- 2 2 6 22 22 22 116 116 116 116 116 116
59706- 22 22 22 2 2 6 74 74 74 70 70 70
59707- 30 30 30 10 10 10 0 0 0 0 0 0
59708- 0 0 0 0 0 0 0 0 0 0 0 0
59709- 0 0 0 0 0 0 0 0 0 0 0 0
59710- 0 0 0 0 0 0 0 0 0 0 0 0
59711- 0 0 0 0 0 0 0 0 0 0 0 0
59712- 0 0 0 0 0 0 0 0 0 0 0 0
59713- 0 0 0 0 0 0 0 0 0 0 0 0
59714- 0 0 0 0 0 0 0 0 0 0 0 0
59715- 0 0 0 0 0 0 0 0 0 0 0 0
59716- 0 0 0 0 0 0 0 0 0 0 0 0
59717- 0 0 0 0 0 0 0 0 0 0 0 0
59718- 0 0 0 0 0 0 0 0 0 0 0 0
59719- 0 0 0 0 0 0 6 6 6 18 18 18
59720- 50 50 50 101 101 101 26 26 26 10 10 10
59721-138 138 138 190 190 190 174 154 114 156 107 11
59722-197 138 11 200 144 11 197 138 11 192 133 9
59723-180 123 7 190 142 34 190 178 144 187 187 187
59724-202 202 202 221 221 221 214 214 214 66 66 66
59725- 2 2 6 2 2 6 50 50 50 62 62 62
59726- 6 6 6 2 2 6 10 10 10 90 90 90
59727- 50 50 50 18 18 18 6 6 6 0 0 0
59728- 0 0 0 0 0 0 0 0 0 0 0 0
59729- 0 0 0 0 0 0 0 0 0 0 0 0
59730- 0 0 0 0 0 0 0 0 0 0 0 0
59731- 0 0 0 0 0 0 0 0 0 0 0 0
59732- 0 0 0 0 0 0 0 0 0 0 0 0
59733- 0 0 0 0 0 0 0 0 0 0 0 0
59734- 0 0 0 0 0 0 0 0 0 0 0 0
59735- 0 0 0 0 0 0 0 0 0 0 0 0
59736- 0 0 0 0 0 0 0 0 0 0 0 0
59737- 0 0 0 0 0 0 0 0 0 0 0 0
59738- 0 0 0 0 0 0 0 0 0 0 0 0
59739- 0 0 0 0 0 0 10 10 10 34 34 34
59740- 74 74 74 74 74 74 2 2 6 6 6 6
59741-144 144 144 198 198 198 190 190 190 178 166 146
59742-154 121 60 156 107 11 156 107 11 168 124 44
59743-174 154 114 187 187 187 190 190 190 210 210 210
59744-246 246 246 253 253 253 253 253 253 182 182 182
59745- 6 6 6 2 2 6 2 2 6 2 2 6
59746- 2 2 6 2 2 6 2 2 6 62 62 62
59747- 74 74 74 34 34 34 14 14 14 0 0 0
59748- 0 0 0 0 0 0 0 0 0 0 0 0
59749- 0 0 0 0 0 0 0 0 0 0 0 0
59750- 0 0 0 0 0 0 0 0 0 0 0 0
59751- 0 0 0 0 0 0 0 0 0 0 0 0
59752- 0 0 0 0 0 0 0 0 0 0 0 0
59753- 0 0 0 0 0 0 0 0 0 0 0 0
59754- 0 0 0 0 0 0 0 0 0 0 0 0
59755- 0 0 0 0 0 0 0 0 0 0 0 0
59756- 0 0 0 0 0 0 0 0 0 0 0 0
59757- 0 0 0 0 0 0 0 0 0 0 0 0
59758- 0 0 0 0 0 0 0 0 0 0 0 0
59759- 0 0 0 10 10 10 22 22 22 54 54 54
59760- 94 94 94 18 18 18 2 2 6 46 46 46
59761-234 234 234 221 221 221 190 190 190 190 190 190
59762-190 190 190 187 187 187 187 187 187 190 190 190
59763-190 190 190 195 195 195 214 214 214 242 242 242
59764-253 253 253 253 253 253 253 253 253 253 253 253
59765- 82 82 82 2 2 6 2 2 6 2 2 6
59766- 2 2 6 2 2 6 2 2 6 14 14 14
59767- 86 86 86 54 54 54 22 22 22 6 6 6
59768- 0 0 0 0 0 0 0 0 0 0 0 0
59769- 0 0 0 0 0 0 0 0 0 0 0 0
59770- 0 0 0 0 0 0 0 0 0 0 0 0
59771- 0 0 0 0 0 0 0 0 0 0 0 0
59772- 0 0 0 0 0 0 0 0 0 0 0 0
59773- 0 0 0 0 0 0 0 0 0 0 0 0
59774- 0 0 0 0 0 0 0 0 0 0 0 0
59775- 0 0 0 0 0 0 0 0 0 0 0 0
59776- 0 0 0 0 0 0 0 0 0 0 0 0
59777- 0 0 0 0 0 0 0 0 0 0 0 0
59778- 0 0 0 0 0 0 0 0 0 0 0 0
59779- 6 6 6 18 18 18 46 46 46 90 90 90
59780- 46 46 46 18 18 18 6 6 6 182 182 182
59781-253 253 253 246 246 246 206 206 206 190 190 190
59782-190 190 190 190 190 190 190 190 190 190 190 190
59783-206 206 206 231 231 231 250 250 250 253 253 253
59784-253 253 253 253 253 253 253 253 253 253 253 253
59785-202 202 202 14 14 14 2 2 6 2 2 6
59786- 2 2 6 2 2 6 2 2 6 2 2 6
59787- 42 42 42 86 86 86 42 42 42 18 18 18
59788- 6 6 6 0 0 0 0 0 0 0 0 0
59789- 0 0 0 0 0 0 0 0 0 0 0 0
59790- 0 0 0 0 0 0 0 0 0 0 0 0
59791- 0 0 0 0 0 0 0 0 0 0 0 0
59792- 0 0 0 0 0 0 0 0 0 0 0 0
59793- 0 0 0 0 0 0 0 0 0 0 0 0
59794- 0 0 0 0 0 0 0 0 0 0 0 0
59795- 0 0 0 0 0 0 0 0 0 0 0 0
59796- 0 0 0 0 0 0 0 0 0 0 0 0
59797- 0 0 0 0 0 0 0 0 0 0 0 0
59798- 0 0 0 0 0 0 0 0 0 6 6 6
59799- 14 14 14 38 38 38 74 74 74 66 66 66
59800- 2 2 6 6 6 6 90 90 90 250 250 250
59801-253 253 253 253 253 253 238 238 238 198 198 198
59802-190 190 190 190 190 190 195 195 195 221 221 221
59803-246 246 246 253 253 253 253 253 253 253 253 253
59804-253 253 253 253 253 253 253 253 253 253 253 253
59805-253 253 253 82 82 82 2 2 6 2 2 6
59806- 2 2 6 2 2 6 2 2 6 2 2 6
59807- 2 2 6 78 78 78 70 70 70 34 34 34
59808- 14 14 14 6 6 6 0 0 0 0 0 0
59809- 0 0 0 0 0 0 0 0 0 0 0 0
59810- 0 0 0 0 0 0 0 0 0 0 0 0
59811- 0 0 0 0 0 0 0 0 0 0 0 0
59812- 0 0 0 0 0 0 0 0 0 0 0 0
59813- 0 0 0 0 0 0 0 0 0 0 0 0
59814- 0 0 0 0 0 0 0 0 0 0 0 0
59815- 0 0 0 0 0 0 0 0 0 0 0 0
59816- 0 0 0 0 0 0 0 0 0 0 0 0
59817- 0 0 0 0 0 0 0 0 0 0 0 0
59818- 0 0 0 0 0 0 0 0 0 14 14 14
59819- 34 34 34 66 66 66 78 78 78 6 6 6
59820- 2 2 6 18 18 18 218 218 218 253 253 253
59821-253 253 253 253 253 253 253 253 253 246 246 246
59822-226 226 226 231 231 231 246 246 246 253 253 253
59823-253 253 253 253 253 253 253 253 253 253 253 253
59824-253 253 253 253 253 253 253 253 253 253 253 253
59825-253 253 253 178 178 178 2 2 6 2 2 6
59826- 2 2 6 2 2 6 2 2 6 2 2 6
59827- 2 2 6 18 18 18 90 90 90 62 62 62
59828- 30 30 30 10 10 10 0 0 0 0 0 0
59829- 0 0 0 0 0 0 0 0 0 0 0 0
59830- 0 0 0 0 0 0 0 0 0 0 0 0
59831- 0 0 0 0 0 0 0 0 0 0 0 0
59832- 0 0 0 0 0 0 0 0 0 0 0 0
59833- 0 0 0 0 0 0 0 0 0 0 0 0
59834- 0 0 0 0 0 0 0 0 0 0 0 0
59835- 0 0 0 0 0 0 0 0 0 0 0 0
59836- 0 0 0 0 0 0 0 0 0 0 0 0
59837- 0 0 0 0 0 0 0 0 0 0 0 0
59838- 0 0 0 0 0 0 10 10 10 26 26 26
59839- 58 58 58 90 90 90 18 18 18 2 2 6
59840- 2 2 6 110 110 110 253 253 253 253 253 253
59841-253 253 253 253 253 253 253 253 253 253 253 253
59842-250 250 250 253 253 253 253 253 253 253 253 253
59843-253 253 253 253 253 253 253 253 253 253 253 253
59844-253 253 253 253 253 253 253 253 253 253 253 253
59845-253 253 253 231 231 231 18 18 18 2 2 6
59846- 2 2 6 2 2 6 2 2 6 2 2 6
59847- 2 2 6 2 2 6 18 18 18 94 94 94
59848- 54 54 54 26 26 26 10 10 10 0 0 0
59849- 0 0 0 0 0 0 0 0 0 0 0 0
59850- 0 0 0 0 0 0 0 0 0 0 0 0
59851- 0 0 0 0 0 0 0 0 0 0 0 0
59852- 0 0 0 0 0 0 0 0 0 0 0 0
59853- 0 0 0 0 0 0 0 0 0 0 0 0
59854- 0 0 0 0 0 0 0 0 0 0 0 0
59855- 0 0 0 0 0 0 0 0 0 0 0 0
59856- 0 0 0 0 0 0 0 0 0 0 0 0
59857- 0 0 0 0 0 0 0 0 0 0 0 0
59858- 0 0 0 6 6 6 22 22 22 50 50 50
59859- 90 90 90 26 26 26 2 2 6 2 2 6
59860- 14 14 14 195 195 195 250 250 250 253 253 253
59861-253 253 253 253 253 253 253 253 253 253 253 253
59862-253 253 253 253 253 253 253 253 253 253 253 253
59863-253 253 253 253 253 253 253 253 253 253 253 253
59864-253 253 253 253 253 253 253 253 253 253 253 253
59865-250 250 250 242 242 242 54 54 54 2 2 6
59866- 2 2 6 2 2 6 2 2 6 2 2 6
59867- 2 2 6 2 2 6 2 2 6 38 38 38
59868- 86 86 86 50 50 50 22 22 22 6 6 6
59869- 0 0 0 0 0 0 0 0 0 0 0 0
59870- 0 0 0 0 0 0 0 0 0 0 0 0
59871- 0 0 0 0 0 0 0 0 0 0 0 0
59872- 0 0 0 0 0 0 0 0 0 0 0 0
59873- 0 0 0 0 0 0 0 0 0 0 0 0
59874- 0 0 0 0 0 0 0 0 0 0 0 0
59875- 0 0 0 0 0 0 0 0 0 0 0 0
59876- 0 0 0 0 0 0 0 0 0 0 0 0
59877- 0 0 0 0 0 0 0 0 0 0 0 0
59878- 6 6 6 14 14 14 38 38 38 82 82 82
59879- 34 34 34 2 2 6 2 2 6 2 2 6
59880- 42 42 42 195 195 195 246 246 246 253 253 253
59881-253 253 253 253 253 253 253 253 253 250 250 250
59882-242 242 242 242 242 242 250 250 250 253 253 253
59883-253 253 253 253 253 253 253 253 253 253 253 253
59884-253 253 253 250 250 250 246 246 246 238 238 238
59885-226 226 226 231 231 231 101 101 101 6 6 6
59886- 2 2 6 2 2 6 2 2 6 2 2 6
59887- 2 2 6 2 2 6 2 2 6 2 2 6
59888- 38 38 38 82 82 82 42 42 42 14 14 14
59889- 6 6 6 0 0 0 0 0 0 0 0 0
59890- 0 0 0 0 0 0 0 0 0 0 0 0
59891- 0 0 0 0 0 0 0 0 0 0 0 0
59892- 0 0 0 0 0 0 0 0 0 0 0 0
59893- 0 0 0 0 0 0 0 0 0 0 0 0
59894- 0 0 0 0 0 0 0 0 0 0 0 0
59895- 0 0 0 0 0 0 0 0 0 0 0 0
59896- 0 0 0 0 0 0 0 0 0 0 0 0
59897- 0 0 0 0 0 0 0 0 0 0 0 0
59898- 10 10 10 26 26 26 62 62 62 66 66 66
59899- 2 2 6 2 2 6 2 2 6 6 6 6
59900- 70 70 70 170 170 170 206 206 206 234 234 234
59901-246 246 246 250 250 250 250 250 250 238 238 238
59902-226 226 226 231 231 231 238 238 238 250 250 250
59903-250 250 250 250 250 250 246 246 246 231 231 231
59904-214 214 214 206 206 206 202 202 202 202 202 202
59905-198 198 198 202 202 202 182 182 182 18 18 18
59906- 2 2 6 2 2 6 2 2 6 2 2 6
59907- 2 2 6 2 2 6 2 2 6 2 2 6
59908- 2 2 6 62 62 62 66 66 66 30 30 30
59909- 10 10 10 0 0 0 0 0 0 0 0 0
59910- 0 0 0 0 0 0 0 0 0 0 0 0
59911- 0 0 0 0 0 0 0 0 0 0 0 0
59912- 0 0 0 0 0 0 0 0 0 0 0 0
59913- 0 0 0 0 0 0 0 0 0 0 0 0
59914- 0 0 0 0 0 0 0 0 0 0 0 0
59915- 0 0 0 0 0 0 0 0 0 0 0 0
59916- 0 0 0 0 0 0 0 0 0 0 0 0
59917- 0 0 0 0 0 0 0 0 0 0 0 0
59918- 14 14 14 42 42 42 82 82 82 18 18 18
59919- 2 2 6 2 2 6 2 2 6 10 10 10
59920- 94 94 94 182 182 182 218 218 218 242 242 242
59921-250 250 250 253 253 253 253 253 253 250 250 250
59922-234 234 234 253 253 253 253 253 253 253 253 253
59923-253 253 253 253 253 253 253 253 253 246 246 246
59924-238 238 238 226 226 226 210 210 210 202 202 202
59925-195 195 195 195 195 195 210 210 210 158 158 158
59926- 6 6 6 14 14 14 50 50 50 14 14 14
59927- 2 2 6 2 2 6 2 2 6 2 2 6
59928- 2 2 6 6 6 6 86 86 86 46 46 46
59929- 18 18 18 6 6 6 0 0 0 0 0 0
59930- 0 0 0 0 0 0 0 0 0 0 0 0
59931- 0 0 0 0 0 0 0 0 0 0 0 0
59932- 0 0 0 0 0 0 0 0 0 0 0 0
59933- 0 0 0 0 0 0 0 0 0 0 0 0
59934- 0 0 0 0 0 0 0 0 0 0 0 0
59935- 0 0 0 0 0 0 0 0 0 0 0 0
59936- 0 0 0 0 0 0 0 0 0 0 0 0
59937- 0 0 0 0 0 0 0 0 0 6 6 6
59938- 22 22 22 54 54 54 70 70 70 2 2 6
59939- 2 2 6 10 10 10 2 2 6 22 22 22
59940-166 166 166 231 231 231 250 250 250 253 253 253
59941-253 253 253 253 253 253 253 253 253 250 250 250
59942-242 242 242 253 253 253 253 253 253 253 253 253
59943-253 253 253 253 253 253 253 253 253 253 253 253
59944-253 253 253 253 253 253 253 253 253 246 246 246
59945-231 231 231 206 206 206 198 198 198 226 226 226
59946- 94 94 94 2 2 6 6 6 6 38 38 38
59947- 30 30 30 2 2 6 2 2 6 2 2 6
59948- 2 2 6 2 2 6 62 62 62 66 66 66
59949- 26 26 26 10 10 10 0 0 0 0 0 0
59950- 0 0 0 0 0 0 0 0 0 0 0 0
59951- 0 0 0 0 0 0 0 0 0 0 0 0
59952- 0 0 0 0 0 0 0 0 0 0 0 0
59953- 0 0 0 0 0 0 0 0 0 0 0 0
59954- 0 0 0 0 0 0 0 0 0 0 0 0
59955- 0 0 0 0 0 0 0 0 0 0 0 0
59956- 0 0 0 0 0 0 0 0 0 0 0 0
59957- 0 0 0 0 0 0 0 0 0 10 10 10
59958- 30 30 30 74 74 74 50 50 50 2 2 6
59959- 26 26 26 26 26 26 2 2 6 106 106 106
59960-238 238 238 253 253 253 253 253 253 253 253 253
59961-253 253 253 253 253 253 253 253 253 253 253 253
59962-253 253 253 253 253 253 253 253 253 253 253 253
59963-253 253 253 253 253 253 253 253 253 253 253 253
59964-253 253 253 253 253 253 253 253 253 253 253 253
59965-253 253 253 246 246 246 218 218 218 202 202 202
59966-210 210 210 14 14 14 2 2 6 2 2 6
59967- 30 30 30 22 22 22 2 2 6 2 2 6
59968- 2 2 6 2 2 6 18 18 18 86 86 86
59969- 42 42 42 14 14 14 0 0 0 0 0 0
59970- 0 0 0 0 0 0 0 0 0 0 0 0
59971- 0 0 0 0 0 0 0 0 0 0 0 0
59972- 0 0 0 0 0 0 0 0 0 0 0 0
59973- 0 0 0 0 0 0 0 0 0 0 0 0
59974- 0 0 0 0 0 0 0 0 0 0 0 0
59975- 0 0 0 0 0 0 0 0 0 0 0 0
59976- 0 0 0 0 0 0 0 0 0 0 0 0
59977- 0 0 0 0 0 0 0 0 0 14 14 14
59978- 42 42 42 90 90 90 22 22 22 2 2 6
59979- 42 42 42 2 2 6 18 18 18 218 218 218
59980-253 253 253 253 253 253 253 253 253 253 253 253
59981-253 253 253 253 253 253 253 253 253 253 253 253
59982-253 253 253 253 253 253 253 253 253 253 253 253
59983-253 253 253 253 253 253 253 253 253 253 253 253
59984-253 253 253 253 253 253 253 253 253 253 253 253
59985-253 253 253 253 253 253 250 250 250 221 221 221
59986-218 218 218 101 101 101 2 2 6 14 14 14
59987- 18 18 18 38 38 38 10 10 10 2 2 6
59988- 2 2 6 2 2 6 2 2 6 78 78 78
59989- 58 58 58 22 22 22 6 6 6 0 0 0
59990- 0 0 0 0 0 0 0 0 0 0 0 0
59991- 0 0 0 0 0 0 0 0 0 0 0 0
59992- 0 0 0 0 0 0 0 0 0 0 0 0
59993- 0 0 0 0 0 0 0 0 0 0 0 0
59994- 0 0 0 0 0 0 0 0 0 0 0 0
59995- 0 0 0 0 0 0 0 0 0 0 0 0
59996- 0 0 0 0 0 0 0 0 0 0 0 0
59997- 0 0 0 0 0 0 6 6 6 18 18 18
59998- 54 54 54 82 82 82 2 2 6 26 26 26
59999- 22 22 22 2 2 6 123 123 123 253 253 253
60000-253 253 253 253 253 253 253 253 253 253 253 253
60001-253 253 253 253 253 253 253 253 253 253 253 253
60002-253 253 253 253 253 253 253 253 253 253 253 253
60003-253 253 253 253 253 253 253 253 253 253 253 253
60004-253 253 253 253 253 253 253 253 253 253 253 253
60005-253 253 253 253 253 253 253 253 253 250 250 250
60006-238 238 238 198 198 198 6 6 6 38 38 38
60007- 58 58 58 26 26 26 38 38 38 2 2 6
60008- 2 2 6 2 2 6 2 2 6 46 46 46
60009- 78 78 78 30 30 30 10 10 10 0 0 0
60010- 0 0 0 0 0 0 0 0 0 0 0 0
60011- 0 0 0 0 0 0 0 0 0 0 0 0
60012- 0 0 0 0 0 0 0 0 0 0 0 0
60013- 0 0 0 0 0 0 0 0 0 0 0 0
60014- 0 0 0 0 0 0 0 0 0 0 0 0
60015- 0 0 0 0 0 0 0 0 0 0 0 0
60016- 0 0 0 0 0 0 0 0 0 0 0 0
60017- 0 0 0 0 0 0 10 10 10 30 30 30
60018- 74 74 74 58 58 58 2 2 6 42 42 42
60019- 2 2 6 22 22 22 231 231 231 253 253 253
60020-253 253 253 253 253 253 253 253 253 253 253 253
60021-253 253 253 253 253 253 253 253 253 250 250 250
60022-253 253 253 253 253 253 253 253 253 253 253 253
60023-253 253 253 253 253 253 253 253 253 253 253 253
60024-253 253 253 253 253 253 253 253 253 253 253 253
60025-253 253 253 253 253 253 253 253 253 253 253 253
60026-253 253 253 246 246 246 46 46 46 38 38 38
60027- 42 42 42 14 14 14 38 38 38 14 14 14
60028- 2 2 6 2 2 6 2 2 6 6 6 6
60029- 86 86 86 46 46 46 14 14 14 0 0 0
60030- 0 0 0 0 0 0 0 0 0 0 0 0
60031- 0 0 0 0 0 0 0 0 0 0 0 0
60032- 0 0 0 0 0 0 0 0 0 0 0 0
60033- 0 0 0 0 0 0 0 0 0 0 0 0
60034- 0 0 0 0 0 0 0 0 0 0 0 0
60035- 0 0 0 0 0 0 0 0 0 0 0 0
60036- 0 0 0 0 0 0 0 0 0 0 0 0
60037- 0 0 0 6 6 6 14 14 14 42 42 42
60038- 90 90 90 18 18 18 18 18 18 26 26 26
60039- 2 2 6 116 116 116 253 253 253 253 253 253
60040-253 253 253 253 253 253 253 253 253 253 253 253
60041-253 253 253 253 253 253 250 250 250 238 238 238
60042-253 253 253 253 253 253 253 253 253 253 253 253
60043-253 253 253 253 253 253 253 253 253 253 253 253
60044-253 253 253 253 253 253 253 253 253 253 253 253
60045-253 253 253 253 253 253 253 253 253 253 253 253
60046-253 253 253 253 253 253 94 94 94 6 6 6
60047- 2 2 6 2 2 6 10 10 10 34 34 34
60048- 2 2 6 2 2 6 2 2 6 2 2 6
60049- 74 74 74 58 58 58 22 22 22 6 6 6
60050- 0 0 0 0 0 0 0 0 0 0 0 0
60051- 0 0 0 0 0 0 0 0 0 0 0 0
60052- 0 0 0 0 0 0 0 0 0 0 0 0
60053- 0 0 0 0 0 0 0 0 0 0 0 0
60054- 0 0 0 0 0 0 0 0 0 0 0 0
60055- 0 0 0 0 0 0 0 0 0 0 0 0
60056- 0 0 0 0 0 0 0 0 0 0 0 0
60057- 0 0 0 10 10 10 26 26 26 66 66 66
60058- 82 82 82 2 2 6 38 38 38 6 6 6
60059- 14 14 14 210 210 210 253 253 253 253 253 253
60060-253 253 253 253 253 253 253 253 253 253 253 253
60061-253 253 253 253 253 253 246 246 246 242 242 242
60062-253 253 253 253 253 253 253 253 253 253 253 253
60063-253 253 253 253 253 253 253 253 253 253 253 253
60064-253 253 253 253 253 253 253 253 253 253 253 253
60065-253 253 253 253 253 253 253 253 253 253 253 253
60066-253 253 253 253 253 253 144 144 144 2 2 6
60067- 2 2 6 2 2 6 2 2 6 46 46 46
60068- 2 2 6 2 2 6 2 2 6 2 2 6
60069- 42 42 42 74 74 74 30 30 30 10 10 10
60070- 0 0 0 0 0 0 0 0 0 0 0 0
60071- 0 0 0 0 0 0 0 0 0 0 0 0
60072- 0 0 0 0 0 0 0 0 0 0 0 0
60073- 0 0 0 0 0 0 0 0 0 0 0 0
60074- 0 0 0 0 0 0 0 0 0 0 0 0
60075- 0 0 0 0 0 0 0 0 0 0 0 0
60076- 0 0 0 0 0 0 0 0 0 0 0 0
60077- 6 6 6 14 14 14 42 42 42 90 90 90
60078- 26 26 26 6 6 6 42 42 42 2 2 6
60079- 74 74 74 250 250 250 253 253 253 253 253 253
60080-253 253 253 253 253 253 253 253 253 253 253 253
60081-253 253 253 253 253 253 242 242 242 242 242 242
60082-253 253 253 253 253 253 253 253 253 253 253 253
60083-253 253 253 253 253 253 253 253 253 253 253 253
60084-253 253 253 253 253 253 253 253 253 253 253 253
60085-253 253 253 253 253 253 253 253 253 253 253 253
60086-253 253 253 253 253 253 182 182 182 2 2 6
60087- 2 2 6 2 2 6 2 2 6 46 46 46
60088- 2 2 6 2 2 6 2 2 6 2 2 6
60089- 10 10 10 86 86 86 38 38 38 10 10 10
60090- 0 0 0 0 0 0 0 0 0 0 0 0
60091- 0 0 0 0 0 0 0 0 0 0 0 0
60092- 0 0 0 0 0 0 0 0 0 0 0 0
60093- 0 0 0 0 0 0 0 0 0 0 0 0
60094- 0 0 0 0 0 0 0 0 0 0 0 0
60095- 0 0 0 0 0 0 0 0 0 0 0 0
60096- 0 0 0 0 0 0 0 0 0 0 0 0
60097- 10 10 10 26 26 26 66 66 66 82 82 82
60098- 2 2 6 22 22 22 18 18 18 2 2 6
60099-149 149 149 253 253 253 253 253 253 253 253 253
60100-253 253 253 253 253 253 253 253 253 253 253 253
60101-253 253 253 253 253 253 234 234 234 242 242 242
60102-253 253 253 253 253 253 253 253 253 253 253 253
60103-253 253 253 253 253 253 253 253 253 253 253 253
60104-253 253 253 253 253 253 253 253 253 253 253 253
60105-253 253 253 253 253 253 253 253 253 253 253 253
60106-253 253 253 253 253 253 206 206 206 2 2 6
60107- 2 2 6 2 2 6 2 2 6 38 38 38
60108- 2 2 6 2 2 6 2 2 6 2 2 6
60109- 6 6 6 86 86 86 46 46 46 14 14 14
60110- 0 0 0 0 0 0 0 0 0 0 0 0
60111- 0 0 0 0 0 0 0 0 0 0 0 0
60112- 0 0 0 0 0 0 0 0 0 0 0 0
60113- 0 0 0 0 0 0 0 0 0 0 0 0
60114- 0 0 0 0 0 0 0 0 0 0 0 0
60115- 0 0 0 0 0 0 0 0 0 0 0 0
60116- 0 0 0 0 0 0 0 0 0 6 6 6
60117- 18 18 18 46 46 46 86 86 86 18 18 18
60118- 2 2 6 34 34 34 10 10 10 6 6 6
60119-210 210 210 253 253 253 253 253 253 253 253 253
60120-253 253 253 253 253 253 253 253 253 253 253 253
60121-253 253 253 253 253 253 234 234 234 242 242 242
60122-253 253 253 253 253 253 253 253 253 253 253 253
60123-253 253 253 253 253 253 253 253 253 253 253 253
60124-253 253 253 253 253 253 253 253 253 253 253 253
60125-253 253 253 253 253 253 253 253 253 253 253 253
60126-253 253 253 253 253 253 221 221 221 6 6 6
60127- 2 2 6 2 2 6 6 6 6 30 30 30
60128- 2 2 6 2 2 6 2 2 6 2 2 6
60129- 2 2 6 82 82 82 54 54 54 18 18 18
60130- 6 6 6 0 0 0 0 0 0 0 0 0
60131- 0 0 0 0 0 0 0 0 0 0 0 0
60132- 0 0 0 0 0 0 0 0 0 0 0 0
60133- 0 0 0 0 0 0 0 0 0 0 0 0
60134- 0 0 0 0 0 0 0 0 0 0 0 0
60135- 0 0 0 0 0 0 0 0 0 0 0 0
60136- 0 0 0 0 0 0 0 0 0 10 10 10
60137- 26 26 26 66 66 66 62 62 62 2 2 6
60138- 2 2 6 38 38 38 10 10 10 26 26 26
60139-238 238 238 253 253 253 253 253 253 253 253 253
60140-253 253 253 253 253 253 253 253 253 253 253 253
60141-253 253 253 253 253 253 231 231 231 238 238 238
60142-253 253 253 253 253 253 253 253 253 253 253 253
60143-253 253 253 253 253 253 253 253 253 253 253 253
60144-253 253 253 253 253 253 253 253 253 253 253 253
60145-253 253 253 253 253 253 253 253 253 253 253 253
60146-253 253 253 253 253 253 231 231 231 6 6 6
60147- 2 2 6 2 2 6 10 10 10 30 30 30
60148- 2 2 6 2 2 6 2 2 6 2 2 6
60149- 2 2 6 66 66 66 58 58 58 22 22 22
60150- 6 6 6 0 0 0 0 0 0 0 0 0
60151- 0 0 0 0 0 0 0 0 0 0 0 0
60152- 0 0 0 0 0 0 0 0 0 0 0 0
60153- 0 0 0 0 0 0 0 0 0 0 0 0
60154- 0 0 0 0 0 0 0 0 0 0 0 0
60155- 0 0 0 0 0 0 0 0 0 0 0 0
60156- 0 0 0 0 0 0 0 0 0 10 10 10
60157- 38 38 38 78 78 78 6 6 6 2 2 6
60158- 2 2 6 46 46 46 14 14 14 42 42 42
60159-246 246 246 253 253 253 253 253 253 253 253 253
60160-253 253 253 253 253 253 253 253 253 253 253 253
60161-253 253 253 253 253 253 231 231 231 242 242 242
60162-253 253 253 253 253 253 253 253 253 253 253 253
60163-253 253 253 253 253 253 253 253 253 253 253 253
60164-253 253 253 253 253 253 253 253 253 253 253 253
60165-253 253 253 253 253 253 253 253 253 253 253 253
60166-253 253 253 253 253 253 234 234 234 10 10 10
60167- 2 2 6 2 2 6 22 22 22 14 14 14
60168- 2 2 6 2 2 6 2 2 6 2 2 6
60169- 2 2 6 66 66 66 62 62 62 22 22 22
60170- 6 6 6 0 0 0 0 0 0 0 0 0
60171- 0 0 0 0 0 0 0 0 0 0 0 0
60172- 0 0 0 0 0 0 0 0 0 0 0 0
60173- 0 0 0 0 0 0 0 0 0 0 0 0
60174- 0 0 0 0 0 0 0 0 0 0 0 0
60175- 0 0 0 0 0 0 0 0 0 0 0 0
60176- 0 0 0 0 0 0 6 6 6 18 18 18
60177- 50 50 50 74 74 74 2 2 6 2 2 6
60178- 14 14 14 70 70 70 34 34 34 62 62 62
60179-250 250 250 253 253 253 253 253 253 253 253 253
60180-253 253 253 253 253 253 253 253 253 253 253 253
60181-253 253 253 253 253 253 231 231 231 246 246 246
60182-253 253 253 253 253 253 253 253 253 253 253 253
60183-253 253 253 253 253 253 253 253 253 253 253 253
60184-253 253 253 253 253 253 253 253 253 253 253 253
60185-253 253 253 253 253 253 253 253 253 253 253 253
60186-253 253 253 253 253 253 234 234 234 14 14 14
60187- 2 2 6 2 2 6 30 30 30 2 2 6
60188- 2 2 6 2 2 6 2 2 6 2 2 6
60189- 2 2 6 66 66 66 62 62 62 22 22 22
60190- 6 6 6 0 0 0 0 0 0 0 0 0
60191- 0 0 0 0 0 0 0 0 0 0 0 0
60192- 0 0 0 0 0 0 0 0 0 0 0 0
60193- 0 0 0 0 0 0 0 0 0 0 0 0
60194- 0 0 0 0 0 0 0 0 0 0 0 0
60195- 0 0 0 0 0 0 0 0 0 0 0 0
60196- 0 0 0 0 0 0 6 6 6 18 18 18
60197- 54 54 54 62 62 62 2 2 6 2 2 6
60198- 2 2 6 30 30 30 46 46 46 70 70 70
60199-250 250 250 253 253 253 253 253 253 253 253 253
60200-253 253 253 253 253 253 253 253 253 253 253 253
60201-253 253 253 253 253 253 231 231 231 246 246 246
60202-253 253 253 253 253 253 253 253 253 253 253 253
60203-253 253 253 253 253 253 253 253 253 253 253 253
60204-253 253 253 253 253 253 253 253 253 253 253 253
60205-253 253 253 253 253 253 253 253 253 253 253 253
60206-253 253 253 253 253 253 226 226 226 10 10 10
60207- 2 2 6 6 6 6 30 30 30 2 2 6
60208- 2 2 6 2 2 6 2 2 6 2 2 6
60209- 2 2 6 66 66 66 58 58 58 22 22 22
60210- 6 6 6 0 0 0 0 0 0 0 0 0
60211- 0 0 0 0 0 0 0 0 0 0 0 0
60212- 0 0 0 0 0 0 0 0 0 0 0 0
60213- 0 0 0 0 0 0 0 0 0 0 0 0
60214- 0 0 0 0 0 0 0 0 0 0 0 0
60215- 0 0 0 0 0 0 0 0 0 0 0 0
60216- 0 0 0 0 0 0 6 6 6 22 22 22
60217- 58 58 58 62 62 62 2 2 6 2 2 6
60218- 2 2 6 2 2 6 30 30 30 78 78 78
60219-250 250 250 253 253 253 253 253 253 253 253 253
60220-253 253 253 253 253 253 253 253 253 253 253 253
60221-253 253 253 253 253 253 231 231 231 246 246 246
60222-253 253 253 253 253 253 253 253 253 253 253 253
60223-253 253 253 253 253 253 253 253 253 253 253 253
60224-253 253 253 253 253 253 253 253 253 253 253 253
60225-253 253 253 253 253 253 253 253 253 253 253 253
60226-253 253 253 253 253 253 206 206 206 2 2 6
60227- 22 22 22 34 34 34 18 14 6 22 22 22
60228- 26 26 26 18 18 18 6 6 6 2 2 6
60229- 2 2 6 82 82 82 54 54 54 18 18 18
60230- 6 6 6 0 0 0 0 0 0 0 0 0
60231- 0 0 0 0 0 0 0 0 0 0 0 0
60232- 0 0 0 0 0 0 0 0 0 0 0 0
60233- 0 0 0 0 0 0 0 0 0 0 0 0
60234- 0 0 0 0 0 0 0 0 0 0 0 0
60235- 0 0 0 0 0 0 0 0 0 0 0 0
60236- 0 0 0 0 0 0 6 6 6 26 26 26
60237- 62 62 62 106 106 106 74 54 14 185 133 11
60238-210 162 10 121 92 8 6 6 6 62 62 62
60239-238 238 238 253 253 253 253 253 253 253 253 253
60240-253 253 253 253 253 253 253 253 253 253 253 253
60241-253 253 253 253 253 253 231 231 231 246 246 246
60242-253 253 253 253 253 253 253 253 253 253 253 253
60243-253 253 253 253 253 253 253 253 253 253 253 253
60244-253 253 253 253 253 253 253 253 253 253 253 253
60245-253 253 253 253 253 253 253 253 253 253 253 253
60246-253 253 253 253 253 253 158 158 158 18 18 18
60247- 14 14 14 2 2 6 2 2 6 2 2 6
60248- 6 6 6 18 18 18 66 66 66 38 38 38
60249- 6 6 6 94 94 94 50 50 50 18 18 18
60250- 6 6 6 0 0 0 0 0 0 0 0 0
60251- 0 0 0 0 0 0 0 0 0 0 0 0
60252- 0 0 0 0 0 0 0 0 0 0 0 0
60253- 0 0 0 0 0 0 0 0 0 0 0 0
60254- 0 0 0 0 0 0 0 0 0 0 0 0
60255- 0 0 0 0 0 0 0 0 0 6 6 6
60256- 10 10 10 10 10 10 18 18 18 38 38 38
60257- 78 78 78 142 134 106 216 158 10 242 186 14
60258-246 190 14 246 190 14 156 118 10 10 10 10
60259- 90 90 90 238 238 238 253 253 253 253 253 253
60260-253 253 253 253 253 253 253 253 253 253 253 253
60261-253 253 253 253 253 253 231 231 231 250 250 250
60262-253 253 253 253 253 253 253 253 253 253 253 253
60263-253 253 253 253 253 253 253 253 253 253 253 253
60264-253 253 253 253 253 253 253 253 253 253 253 253
60265-253 253 253 253 253 253 253 253 253 246 230 190
60266-238 204 91 238 204 91 181 142 44 37 26 9
60267- 2 2 6 2 2 6 2 2 6 2 2 6
60268- 2 2 6 2 2 6 38 38 38 46 46 46
60269- 26 26 26 106 106 106 54 54 54 18 18 18
60270- 6 6 6 0 0 0 0 0 0 0 0 0
60271- 0 0 0 0 0 0 0 0 0 0 0 0
60272- 0 0 0 0 0 0 0 0 0 0 0 0
60273- 0 0 0 0 0 0 0 0 0 0 0 0
60274- 0 0 0 0 0 0 0 0 0 0 0 0
60275- 0 0 0 6 6 6 14 14 14 22 22 22
60276- 30 30 30 38 38 38 50 50 50 70 70 70
60277-106 106 106 190 142 34 226 170 11 242 186 14
60278-246 190 14 246 190 14 246 190 14 154 114 10
60279- 6 6 6 74 74 74 226 226 226 253 253 253
60280-253 253 253 253 253 253 253 253 253 253 253 253
60281-253 253 253 253 253 253 231 231 231 250 250 250
60282-253 253 253 253 253 253 253 253 253 253 253 253
60283-253 253 253 253 253 253 253 253 253 253 253 253
60284-253 253 253 253 253 253 253 253 253 253 253 253
60285-253 253 253 253 253 253 253 253 253 228 184 62
60286-241 196 14 241 208 19 232 195 16 38 30 10
60287- 2 2 6 2 2 6 2 2 6 2 2 6
60288- 2 2 6 6 6 6 30 30 30 26 26 26
60289-203 166 17 154 142 90 66 66 66 26 26 26
60290- 6 6 6 0 0 0 0 0 0 0 0 0
60291- 0 0 0 0 0 0 0 0 0 0 0 0
60292- 0 0 0 0 0 0 0 0 0 0 0 0
60293- 0 0 0 0 0 0 0 0 0 0 0 0
60294- 0 0 0 0 0 0 0 0 0 0 0 0
60295- 6 6 6 18 18 18 38 38 38 58 58 58
60296- 78 78 78 86 86 86 101 101 101 123 123 123
60297-175 146 61 210 150 10 234 174 13 246 186 14
60298-246 190 14 246 190 14 246 190 14 238 190 10
60299-102 78 10 2 2 6 46 46 46 198 198 198
60300-253 253 253 253 253 253 253 253 253 253 253 253
60301-253 253 253 253 253 253 234 234 234 242 242 242
60302-253 253 253 253 253 253 253 253 253 253 253 253
60303-253 253 253 253 253 253 253 253 253 253 253 253
60304-253 253 253 253 253 253 253 253 253 253 253 253
60305-253 253 253 253 253 253 253 253 253 224 178 62
60306-242 186 14 241 196 14 210 166 10 22 18 6
60307- 2 2 6 2 2 6 2 2 6 2 2 6
60308- 2 2 6 2 2 6 6 6 6 121 92 8
60309-238 202 15 232 195 16 82 82 82 34 34 34
60310- 10 10 10 0 0 0 0 0 0 0 0 0
60311- 0 0 0 0 0 0 0 0 0 0 0 0
60312- 0 0 0 0 0 0 0 0 0 0 0 0
60313- 0 0 0 0 0 0 0 0 0 0 0 0
60314- 0 0 0 0 0 0 0 0 0 0 0 0
60315- 14 14 14 38 38 38 70 70 70 154 122 46
60316-190 142 34 200 144 11 197 138 11 197 138 11
60317-213 154 11 226 170 11 242 186 14 246 190 14
60318-246 190 14 246 190 14 246 190 14 246 190 14
60319-225 175 15 46 32 6 2 2 6 22 22 22
60320-158 158 158 250 250 250 253 253 253 253 253 253
60321-253 253 253 253 253 253 253 253 253 253 253 253
60322-253 253 253 253 253 253 253 253 253 253 253 253
60323-253 253 253 253 253 253 253 253 253 253 253 253
60324-253 253 253 253 253 253 253 253 253 253 253 253
60325-253 253 253 250 250 250 242 242 242 224 178 62
60326-239 182 13 236 186 11 213 154 11 46 32 6
60327- 2 2 6 2 2 6 2 2 6 2 2 6
60328- 2 2 6 2 2 6 61 42 6 225 175 15
60329-238 190 10 236 186 11 112 100 78 42 42 42
60330- 14 14 14 0 0 0 0 0 0 0 0 0
60331- 0 0 0 0 0 0 0 0 0 0 0 0
60332- 0 0 0 0 0 0 0 0 0 0 0 0
60333- 0 0 0 0 0 0 0 0 0 0 0 0
60334- 0 0 0 0 0 0 0 0 0 6 6 6
60335- 22 22 22 54 54 54 154 122 46 213 154 11
60336-226 170 11 230 174 11 226 170 11 226 170 11
60337-236 178 12 242 186 14 246 190 14 246 190 14
60338-246 190 14 246 190 14 246 190 14 246 190 14
60339-241 196 14 184 144 12 10 10 10 2 2 6
60340- 6 6 6 116 116 116 242 242 242 253 253 253
60341-253 253 253 253 253 253 253 253 253 253 253 253
60342-253 253 253 253 253 253 253 253 253 253 253 253
60343-253 253 253 253 253 253 253 253 253 253 253 253
60344-253 253 253 253 253 253 253 253 253 253 253 253
60345-253 253 253 231 231 231 198 198 198 214 170 54
60346-236 178 12 236 178 12 210 150 10 137 92 6
60347- 18 14 6 2 2 6 2 2 6 2 2 6
60348- 6 6 6 70 47 6 200 144 11 236 178 12
60349-239 182 13 239 182 13 124 112 88 58 58 58
60350- 22 22 22 6 6 6 0 0 0 0 0 0
60351- 0 0 0 0 0 0 0 0 0 0 0 0
60352- 0 0 0 0 0 0 0 0 0 0 0 0
60353- 0 0 0 0 0 0 0 0 0 0 0 0
60354- 0 0 0 0 0 0 0 0 0 10 10 10
60355- 30 30 30 70 70 70 180 133 36 226 170 11
60356-239 182 13 242 186 14 242 186 14 246 186 14
60357-246 190 14 246 190 14 246 190 14 246 190 14
60358-246 190 14 246 190 14 246 190 14 246 190 14
60359-246 190 14 232 195 16 98 70 6 2 2 6
60360- 2 2 6 2 2 6 66 66 66 221 221 221
60361-253 253 253 253 253 253 253 253 253 253 253 253
60362-253 253 253 253 253 253 253 253 253 253 253 253
60363-253 253 253 253 253 253 253 253 253 253 253 253
60364-253 253 253 253 253 253 253 253 253 253 253 253
60365-253 253 253 206 206 206 198 198 198 214 166 58
60366-230 174 11 230 174 11 216 158 10 192 133 9
60367-163 110 8 116 81 8 102 78 10 116 81 8
60368-167 114 7 197 138 11 226 170 11 239 182 13
60369-242 186 14 242 186 14 162 146 94 78 78 78
60370- 34 34 34 14 14 14 6 6 6 0 0 0
60371- 0 0 0 0 0 0 0 0 0 0 0 0
60372- 0 0 0 0 0 0 0 0 0 0 0 0
60373- 0 0 0 0 0 0 0 0 0 0 0 0
60374- 0 0 0 0 0 0 0 0 0 6 6 6
60375- 30 30 30 78 78 78 190 142 34 226 170 11
60376-239 182 13 246 190 14 246 190 14 246 190 14
60377-246 190 14 246 190 14 246 190 14 246 190 14
60378-246 190 14 246 190 14 246 190 14 246 190 14
60379-246 190 14 241 196 14 203 166 17 22 18 6
60380- 2 2 6 2 2 6 2 2 6 38 38 38
60381-218 218 218 253 253 253 253 253 253 253 253 253
60382-253 253 253 253 253 253 253 253 253 253 253 253
60383-253 253 253 253 253 253 253 253 253 253 253 253
60384-253 253 253 253 253 253 253 253 253 253 253 253
60385-250 250 250 206 206 206 198 198 198 202 162 69
60386-226 170 11 236 178 12 224 166 10 210 150 10
60387-200 144 11 197 138 11 192 133 9 197 138 11
60388-210 150 10 226 170 11 242 186 14 246 190 14
60389-246 190 14 246 186 14 225 175 15 124 112 88
60390- 62 62 62 30 30 30 14 14 14 6 6 6
60391- 0 0 0 0 0 0 0 0 0 0 0 0
60392- 0 0 0 0 0 0 0 0 0 0 0 0
60393- 0 0 0 0 0 0 0 0 0 0 0 0
60394- 0 0 0 0 0 0 0 0 0 10 10 10
60395- 30 30 30 78 78 78 174 135 50 224 166 10
60396-239 182 13 246 190 14 246 190 14 246 190 14
60397-246 190 14 246 190 14 246 190 14 246 190 14
60398-246 190 14 246 190 14 246 190 14 246 190 14
60399-246 190 14 246 190 14 241 196 14 139 102 15
60400- 2 2 6 2 2 6 2 2 6 2 2 6
60401- 78 78 78 250 250 250 253 253 253 253 253 253
60402-253 253 253 253 253 253 253 253 253 253 253 253
60403-253 253 253 253 253 253 253 253 253 253 253 253
60404-253 253 253 253 253 253 253 253 253 253 253 253
60405-250 250 250 214 214 214 198 198 198 190 150 46
60406-219 162 10 236 178 12 234 174 13 224 166 10
60407-216 158 10 213 154 11 213 154 11 216 158 10
60408-226 170 11 239 182 13 246 190 14 246 190 14
60409-246 190 14 246 190 14 242 186 14 206 162 42
60410-101 101 101 58 58 58 30 30 30 14 14 14
60411- 6 6 6 0 0 0 0 0 0 0 0 0
60412- 0 0 0 0 0 0 0 0 0 0 0 0
60413- 0 0 0 0 0 0 0 0 0 0 0 0
60414- 0 0 0 0 0 0 0 0 0 10 10 10
60415- 30 30 30 74 74 74 174 135 50 216 158 10
60416-236 178 12 246 190 14 246 190 14 246 190 14
60417-246 190 14 246 190 14 246 190 14 246 190 14
60418-246 190 14 246 190 14 246 190 14 246 190 14
60419-246 190 14 246 190 14 241 196 14 226 184 13
60420- 61 42 6 2 2 6 2 2 6 2 2 6
60421- 22 22 22 238 238 238 253 253 253 253 253 253
60422-253 253 253 253 253 253 253 253 253 253 253 253
60423-253 253 253 253 253 253 253 253 253 253 253 253
60424-253 253 253 253 253 253 253 253 253 253 253 253
60425-253 253 253 226 226 226 187 187 187 180 133 36
60426-216 158 10 236 178 12 239 182 13 236 178 12
60427-230 174 11 226 170 11 226 170 11 230 174 11
60428-236 178 12 242 186 14 246 190 14 246 190 14
60429-246 190 14 246 190 14 246 186 14 239 182 13
60430-206 162 42 106 106 106 66 66 66 34 34 34
60431- 14 14 14 6 6 6 0 0 0 0 0 0
60432- 0 0 0 0 0 0 0 0 0 0 0 0
60433- 0 0 0 0 0 0 0 0 0 0 0 0
60434- 0 0 0 0 0 0 0 0 0 6 6 6
60435- 26 26 26 70 70 70 163 133 67 213 154 11
60436-236 178 12 246 190 14 246 190 14 246 190 14
60437-246 190 14 246 190 14 246 190 14 246 190 14
60438-246 190 14 246 190 14 246 190 14 246 190 14
60439-246 190 14 246 190 14 246 190 14 241 196 14
60440-190 146 13 18 14 6 2 2 6 2 2 6
60441- 46 46 46 246 246 246 253 253 253 253 253 253
60442-253 253 253 253 253 253 253 253 253 253 253 253
60443-253 253 253 253 253 253 253 253 253 253 253 253
60444-253 253 253 253 253 253 253 253 253 253 253 253
60445-253 253 253 221 221 221 86 86 86 156 107 11
60446-216 158 10 236 178 12 242 186 14 246 186 14
60447-242 186 14 239 182 13 239 182 13 242 186 14
60448-242 186 14 246 186 14 246 190 14 246 190 14
60449-246 190 14 246 190 14 246 190 14 246 190 14
60450-242 186 14 225 175 15 142 122 72 66 66 66
60451- 30 30 30 10 10 10 0 0 0 0 0 0
60452- 0 0 0 0 0 0 0 0 0 0 0 0
60453- 0 0 0 0 0 0 0 0 0 0 0 0
60454- 0 0 0 0 0 0 0 0 0 6 6 6
60455- 26 26 26 70 70 70 163 133 67 210 150 10
60456-236 178 12 246 190 14 246 190 14 246 190 14
60457-246 190 14 246 190 14 246 190 14 246 190 14
60458-246 190 14 246 190 14 246 190 14 246 190 14
60459-246 190 14 246 190 14 246 190 14 246 190 14
60460-232 195 16 121 92 8 34 34 34 106 106 106
60461-221 221 221 253 253 253 253 253 253 253 253 253
60462-253 253 253 253 253 253 253 253 253 253 253 253
60463-253 253 253 253 253 253 253 253 253 253 253 253
60464-253 253 253 253 253 253 253 253 253 253 253 253
60465-242 242 242 82 82 82 18 14 6 163 110 8
60466-216 158 10 236 178 12 242 186 14 246 190 14
60467-246 190 14 246 190 14 246 190 14 246 190 14
60468-246 190 14 246 190 14 246 190 14 246 190 14
60469-246 190 14 246 190 14 246 190 14 246 190 14
60470-246 190 14 246 190 14 242 186 14 163 133 67
60471- 46 46 46 18 18 18 6 6 6 0 0 0
60472- 0 0 0 0 0 0 0 0 0 0 0 0
60473- 0 0 0 0 0 0 0 0 0 0 0 0
60474- 0 0 0 0 0 0 0 0 0 10 10 10
60475- 30 30 30 78 78 78 163 133 67 210 150 10
60476-236 178 12 246 186 14 246 190 14 246 190 14
60477-246 190 14 246 190 14 246 190 14 246 190 14
60478-246 190 14 246 190 14 246 190 14 246 190 14
60479-246 190 14 246 190 14 246 190 14 246 190 14
60480-241 196 14 215 174 15 190 178 144 253 253 253
60481-253 253 253 253 253 253 253 253 253 253 253 253
60482-253 253 253 253 253 253 253 253 253 253 253 253
60483-253 253 253 253 253 253 253 253 253 253 253 253
60484-253 253 253 253 253 253 253 253 253 218 218 218
60485- 58 58 58 2 2 6 22 18 6 167 114 7
60486-216 158 10 236 178 12 246 186 14 246 190 14
60487-246 190 14 246 190 14 246 190 14 246 190 14
60488-246 190 14 246 190 14 246 190 14 246 190 14
60489-246 190 14 246 190 14 246 190 14 246 190 14
60490-246 190 14 246 186 14 242 186 14 190 150 46
60491- 54 54 54 22 22 22 6 6 6 0 0 0
60492- 0 0 0 0 0 0 0 0 0 0 0 0
60493- 0 0 0 0 0 0 0 0 0 0 0 0
60494- 0 0 0 0 0 0 0 0 0 14 14 14
60495- 38 38 38 86 86 86 180 133 36 213 154 11
60496-236 178 12 246 186 14 246 190 14 246 190 14
60497-246 190 14 246 190 14 246 190 14 246 190 14
60498-246 190 14 246 190 14 246 190 14 246 190 14
60499-246 190 14 246 190 14 246 190 14 246 190 14
60500-246 190 14 232 195 16 190 146 13 214 214 214
60501-253 253 253 253 253 253 253 253 253 253 253 253
60502-253 253 253 253 253 253 253 253 253 253 253 253
60503-253 253 253 253 253 253 253 253 253 253 253 253
60504-253 253 253 250 250 250 170 170 170 26 26 26
60505- 2 2 6 2 2 6 37 26 9 163 110 8
60506-219 162 10 239 182 13 246 186 14 246 190 14
60507-246 190 14 246 190 14 246 190 14 246 190 14
60508-246 190 14 246 190 14 246 190 14 246 190 14
60509-246 190 14 246 190 14 246 190 14 246 190 14
60510-246 186 14 236 178 12 224 166 10 142 122 72
60511- 46 46 46 18 18 18 6 6 6 0 0 0
60512- 0 0 0 0 0 0 0 0 0 0 0 0
60513- 0 0 0 0 0 0 0 0 0 0 0 0
60514- 0 0 0 0 0 0 6 6 6 18 18 18
60515- 50 50 50 109 106 95 192 133 9 224 166 10
60516-242 186 14 246 190 14 246 190 14 246 190 14
60517-246 190 14 246 190 14 246 190 14 246 190 14
60518-246 190 14 246 190 14 246 190 14 246 190 14
60519-246 190 14 246 190 14 246 190 14 246 190 14
60520-242 186 14 226 184 13 210 162 10 142 110 46
60521-226 226 226 253 253 253 253 253 253 253 253 253
60522-253 253 253 253 253 253 253 253 253 253 253 253
60523-253 253 253 253 253 253 253 253 253 253 253 253
60524-198 198 198 66 66 66 2 2 6 2 2 6
60525- 2 2 6 2 2 6 50 34 6 156 107 11
60526-219 162 10 239 182 13 246 186 14 246 190 14
60527-246 190 14 246 190 14 246 190 14 246 190 14
60528-246 190 14 246 190 14 246 190 14 246 190 14
60529-246 190 14 246 190 14 246 190 14 242 186 14
60530-234 174 13 213 154 11 154 122 46 66 66 66
60531- 30 30 30 10 10 10 0 0 0 0 0 0
60532- 0 0 0 0 0 0 0 0 0 0 0 0
60533- 0 0 0 0 0 0 0 0 0 0 0 0
60534- 0 0 0 0 0 0 6 6 6 22 22 22
60535- 58 58 58 154 121 60 206 145 10 234 174 13
60536-242 186 14 246 186 14 246 190 14 246 190 14
60537-246 190 14 246 190 14 246 190 14 246 190 14
60538-246 190 14 246 190 14 246 190 14 246 190 14
60539-246 190 14 246 190 14 246 190 14 246 190 14
60540-246 186 14 236 178 12 210 162 10 163 110 8
60541- 61 42 6 138 138 138 218 218 218 250 250 250
60542-253 253 253 253 253 253 253 253 253 250 250 250
60543-242 242 242 210 210 210 144 144 144 66 66 66
60544- 6 6 6 2 2 6 2 2 6 2 2 6
60545- 2 2 6 2 2 6 61 42 6 163 110 8
60546-216 158 10 236 178 12 246 190 14 246 190 14
60547-246 190 14 246 190 14 246 190 14 246 190 14
60548-246 190 14 246 190 14 246 190 14 246 190 14
60549-246 190 14 239 182 13 230 174 11 216 158 10
60550-190 142 34 124 112 88 70 70 70 38 38 38
60551- 18 18 18 6 6 6 0 0 0 0 0 0
60552- 0 0 0 0 0 0 0 0 0 0 0 0
60553- 0 0 0 0 0 0 0 0 0 0 0 0
60554- 0 0 0 0 0 0 6 6 6 22 22 22
60555- 62 62 62 168 124 44 206 145 10 224 166 10
60556-236 178 12 239 182 13 242 186 14 242 186 14
60557-246 186 14 246 190 14 246 190 14 246 190 14
60558-246 190 14 246 190 14 246 190 14 246 190 14
60559-246 190 14 246 190 14 246 190 14 246 190 14
60560-246 190 14 236 178 12 216 158 10 175 118 6
60561- 80 54 7 2 2 6 6 6 6 30 30 30
60562- 54 54 54 62 62 62 50 50 50 38 38 38
60563- 14 14 14 2 2 6 2 2 6 2 2 6
60564- 2 2 6 2 2 6 2 2 6 2 2 6
60565- 2 2 6 6 6 6 80 54 7 167 114 7
60566-213 154 11 236 178 12 246 190 14 246 190 14
60567-246 190 14 246 190 14 246 190 14 246 190 14
60568-246 190 14 242 186 14 239 182 13 239 182 13
60569-230 174 11 210 150 10 174 135 50 124 112 88
60570- 82 82 82 54 54 54 34 34 34 18 18 18
60571- 6 6 6 0 0 0 0 0 0 0 0 0
60572- 0 0 0 0 0 0 0 0 0 0 0 0
60573- 0 0 0 0 0 0 0 0 0 0 0 0
60574- 0 0 0 0 0 0 6 6 6 18 18 18
60575- 50 50 50 158 118 36 192 133 9 200 144 11
60576-216 158 10 219 162 10 224 166 10 226 170 11
60577-230 174 11 236 178 12 239 182 13 239 182 13
60578-242 186 14 246 186 14 246 190 14 246 190 14
60579-246 190 14 246 190 14 246 190 14 246 190 14
60580-246 186 14 230 174 11 210 150 10 163 110 8
60581-104 69 6 10 10 10 2 2 6 2 2 6
60582- 2 2 6 2 2 6 2 2 6 2 2 6
60583- 2 2 6 2 2 6 2 2 6 2 2 6
60584- 2 2 6 2 2 6 2 2 6 2 2 6
60585- 2 2 6 6 6 6 91 60 6 167 114 7
60586-206 145 10 230 174 11 242 186 14 246 190 14
60587-246 190 14 246 190 14 246 186 14 242 186 14
60588-239 182 13 230 174 11 224 166 10 213 154 11
60589-180 133 36 124 112 88 86 86 86 58 58 58
60590- 38 38 38 22 22 22 10 10 10 6 6 6
60591- 0 0 0 0 0 0 0 0 0 0 0 0
60592- 0 0 0 0 0 0 0 0 0 0 0 0
60593- 0 0 0 0 0 0 0 0 0 0 0 0
60594- 0 0 0 0 0 0 0 0 0 14 14 14
60595- 34 34 34 70 70 70 138 110 50 158 118 36
60596-167 114 7 180 123 7 192 133 9 197 138 11
60597-200 144 11 206 145 10 213 154 11 219 162 10
60598-224 166 10 230 174 11 239 182 13 242 186 14
60599-246 186 14 246 186 14 246 186 14 246 186 14
60600-239 182 13 216 158 10 185 133 11 152 99 6
60601-104 69 6 18 14 6 2 2 6 2 2 6
60602- 2 2 6 2 2 6 2 2 6 2 2 6
60603- 2 2 6 2 2 6 2 2 6 2 2 6
60604- 2 2 6 2 2 6 2 2 6 2 2 6
60605- 2 2 6 6 6 6 80 54 7 152 99 6
60606-192 133 9 219 162 10 236 178 12 239 182 13
60607-246 186 14 242 186 14 239 182 13 236 178 12
60608-224 166 10 206 145 10 192 133 9 154 121 60
60609- 94 94 94 62 62 62 42 42 42 22 22 22
60610- 14 14 14 6 6 6 0 0 0 0 0 0
60611- 0 0 0 0 0 0 0 0 0 0 0 0
60612- 0 0 0 0 0 0 0 0 0 0 0 0
60613- 0 0 0 0 0 0 0 0 0 0 0 0
60614- 0 0 0 0 0 0 0 0 0 6 6 6
60615- 18 18 18 34 34 34 58 58 58 78 78 78
60616-101 98 89 124 112 88 142 110 46 156 107 11
60617-163 110 8 167 114 7 175 118 6 180 123 7
60618-185 133 11 197 138 11 210 150 10 219 162 10
60619-226 170 11 236 178 12 236 178 12 234 174 13
60620-219 162 10 197 138 11 163 110 8 130 83 6
60621- 91 60 6 10 10 10 2 2 6 2 2 6
60622- 18 18 18 38 38 38 38 38 38 38 38 38
60623- 38 38 38 38 38 38 38 38 38 38 38 38
60624- 38 38 38 38 38 38 26 26 26 2 2 6
60625- 2 2 6 6 6 6 70 47 6 137 92 6
60626-175 118 6 200 144 11 219 162 10 230 174 11
60627-234 174 13 230 174 11 219 162 10 210 150 10
60628-192 133 9 163 110 8 124 112 88 82 82 82
60629- 50 50 50 30 30 30 14 14 14 6 6 6
60630- 0 0 0 0 0 0 0 0 0 0 0 0
60631- 0 0 0 0 0 0 0 0 0 0 0 0
60632- 0 0 0 0 0 0 0 0 0 0 0 0
60633- 0 0 0 0 0 0 0 0 0 0 0 0
60634- 0 0 0 0 0 0 0 0 0 0 0 0
60635- 6 6 6 14 14 14 22 22 22 34 34 34
60636- 42 42 42 58 58 58 74 74 74 86 86 86
60637-101 98 89 122 102 70 130 98 46 121 87 25
60638-137 92 6 152 99 6 163 110 8 180 123 7
60639-185 133 11 197 138 11 206 145 10 200 144 11
60640-180 123 7 156 107 11 130 83 6 104 69 6
60641- 50 34 6 54 54 54 110 110 110 101 98 89
60642- 86 86 86 82 82 82 78 78 78 78 78 78
60643- 78 78 78 78 78 78 78 78 78 78 78 78
60644- 78 78 78 82 82 82 86 86 86 94 94 94
60645-106 106 106 101 101 101 86 66 34 124 80 6
60646-156 107 11 180 123 7 192 133 9 200 144 11
60647-206 145 10 200 144 11 192 133 9 175 118 6
60648-139 102 15 109 106 95 70 70 70 42 42 42
60649- 22 22 22 10 10 10 0 0 0 0 0 0
60650- 0 0 0 0 0 0 0 0 0 0 0 0
60651- 0 0 0 0 0 0 0 0 0 0 0 0
60652- 0 0 0 0 0 0 0 0 0 0 0 0
60653- 0 0 0 0 0 0 0 0 0 0 0 0
60654- 0 0 0 0 0 0 0 0 0 0 0 0
60655- 0 0 0 0 0 0 6 6 6 10 10 10
60656- 14 14 14 22 22 22 30 30 30 38 38 38
60657- 50 50 50 62 62 62 74 74 74 90 90 90
60658-101 98 89 112 100 78 121 87 25 124 80 6
60659-137 92 6 152 99 6 152 99 6 152 99 6
60660-138 86 6 124 80 6 98 70 6 86 66 30
60661-101 98 89 82 82 82 58 58 58 46 46 46
60662- 38 38 38 34 34 34 34 34 34 34 34 34
60663- 34 34 34 34 34 34 34 34 34 34 34 34
60664- 34 34 34 34 34 34 38 38 38 42 42 42
60665- 54 54 54 82 82 82 94 86 76 91 60 6
60666-134 86 6 156 107 11 167 114 7 175 118 6
60667-175 118 6 167 114 7 152 99 6 121 87 25
60668-101 98 89 62 62 62 34 34 34 18 18 18
60669- 6 6 6 0 0 0 0 0 0 0 0 0
60670- 0 0 0 0 0 0 0 0 0 0 0 0
60671- 0 0 0 0 0 0 0 0 0 0 0 0
60672- 0 0 0 0 0 0 0 0 0 0 0 0
60673- 0 0 0 0 0 0 0 0 0 0 0 0
60674- 0 0 0 0 0 0 0 0 0 0 0 0
60675- 0 0 0 0 0 0 0 0 0 0 0 0
60676- 0 0 0 6 6 6 6 6 6 10 10 10
60677- 18 18 18 22 22 22 30 30 30 42 42 42
60678- 50 50 50 66 66 66 86 86 86 101 98 89
60679-106 86 58 98 70 6 104 69 6 104 69 6
60680-104 69 6 91 60 6 82 62 34 90 90 90
60681- 62 62 62 38 38 38 22 22 22 14 14 14
60682- 10 10 10 10 10 10 10 10 10 10 10 10
60683- 10 10 10 10 10 10 6 6 6 10 10 10
60684- 10 10 10 10 10 10 10 10 10 14 14 14
60685- 22 22 22 42 42 42 70 70 70 89 81 66
60686- 80 54 7 104 69 6 124 80 6 137 92 6
60687-134 86 6 116 81 8 100 82 52 86 86 86
60688- 58 58 58 30 30 30 14 14 14 6 6 6
60689- 0 0 0 0 0 0 0 0 0 0 0 0
60690- 0 0 0 0 0 0 0 0 0 0 0 0
60691- 0 0 0 0 0 0 0 0 0 0 0 0
60692- 0 0 0 0 0 0 0 0 0 0 0 0
60693- 0 0 0 0 0 0 0 0 0 0 0 0
60694- 0 0 0 0 0 0 0 0 0 0 0 0
60695- 0 0 0 0 0 0 0 0 0 0 0 0
60696- 0 0 0 0 0 0 0 0 0 0 0 0
60697- 0 0 0 6 6 6 10 10 10 14 14 14
60698- 18 18 18 26 26 26 38 38 38 54 54 54
60699- 70 70 70 86 86 86 94 86 76 89 81 66
60700- 89 81 66 86 86 86 74 74 74 50 50 50
60701- 30 30 30 14 14 14 6 6 6 0 0 0
60702- 0 0 0 0 0 0 0 0 0 0 0 0
60703- 0 0 0 0 0 0 0 0 0 0 0 0
60704- 0 0 0 0 0 0 0 0 0 0 0 0
60705- 6 6 6 18 18 18 34 34 34 58 58 58
60706- 82 82 82 89 81 66 89 81 66 89 81 66
60707- 94 86 66 94 86 76 74 74 74 50 50 50
60708- 26 26 26 14 14 14 6 6 6 0 0 0
60709- 0 0 0 0 0 0 0 0 0 0 0 0
60710- 0 0 0 0 0 0 0 0 0 0 0 0
60711- 0 0 0 0 0 0 0 0 0 0 0 0
60712- 0 0 0 0 0 0 0 0 0 0 0 0
60713- 0 0 0 0 0 0 0 0 0 0 0 0
60714- 0 0 0 0 0 0 0 0 0 0 0 0
60715- 0 0 0 0 0 0 0 0 0 0 0 0
60716- 0 0 0 0 0 0 0 0 0 0 0 0
60717- 0 0 0 0 0 0 0 0 0 0 0 0
60718- 6 6 6 6 6 6 14 14 14 18 18 18
60719- 30 30 30 38 38 38 46 46 46 54 54 54
60720- 50 50 50 42 42 42 30 30 30 18 18 18
60721- 10 10 10 0 0 0 0 0 0 0 0 0
60722- 0 0 0 0 0 0 0 0 0 0 0 0
60723- 0 0 0 0 0 0 0 0 0 0 0 0
60724- 0 0 0 0 0 0 0 0 0 0 0 0
60725- 0 0 0 6 6 6 14 14 14 26 26 26
60726- 38 38 38 50 50 50 58 58 58 58 58 58
60727- 54 54 54 42 42 42 30 30 30 18 18 18
60728- 10 10 10 0 0 0 0 0 0 0 0 0
60729- 0 0 0 0 0 0 0 0 0 0 0 0
60730- 0 0 0 0 0 0 0 0 0 0 0 0
60731- 0 0 0 0 0 0 0 0 0 0 0 0
60732- 0 0 0 0 0 0 0 0 0 0 0 0
60733- 0 0 0 0 0 0 0 0 0 0 0 0
60734- 0 0 0 0 0 0 0 0 0 0 0 0
60735- 0 0 0 0 0 0 0 0 0 0 0 0
60736- 0 0 0 0 0 0 0 0 0 0 0 0
60737- 0 0 0 0 0 0 0 0 0 0 0 0
60738- 0 0 0 0 0 0 0 0 0 6 6 6
60739- 6 6 6 10 10 10 14 14 14 18 18 18
60740- 18 18 18 14 14 14 10 10 10 6 6 6
60741- 0 0 0 0 0 0 0 0 0 0 0 0
60742- 0 0 0 0 0 0 0 0 0 0 0 0
60743- 0 0 0 0 0 0 0 0 0 0 0 0
60744- 0 0 0 0 0 0 0 0 0 0 0 0
60745- 0 0 0 0 0 0 0 0 0 6 6 6
60746- 14 14 14 18 18 18 22 22 22 22 22 22
60747- 18 18 18 14 14 14 10 10 10 6 6 6
60748- 0 0 0 0 0 0 0 0 0 0 0 0
60749- 0 0 0 0 0 0 0 0 0 0 0 0
60750- 0 0 0 0 0 0 0 0 0 0 0 0
60751- 0 0 0 0 0 0 0 0 0 0 0 0
60752- 0 0 0 0 0 0 0 0 0 0 0 0
60753+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60754+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60755+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60756+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60757+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60758+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60759+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60760+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60761+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60762+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60763+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60764+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60765+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60766+4 4 4 4 4 4
60767+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60768+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60769+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60770+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60771+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60772+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60773+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60774+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60775+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60776+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60777+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60778+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60779+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60780+4 4 4 4 4 4
60781+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60782+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60783+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60784+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60785+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60786+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60787+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60788+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60789+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60790+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60791+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60792+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60793+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60794+4 4 4 4 4 4
60795+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60796+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60797+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60798+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60799+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60800+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60801+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60802+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60803+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60804+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60805+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60806+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60807+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60808+4 4 4 4 4 4
60809+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60810+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60811+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60812+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60813+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60814+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60815+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60816+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60817+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60818+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60819+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60820+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60821+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60822+4 4 4 4 4 4
60823+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60824+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60825+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60826+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60827+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60828+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60829+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60830+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60831+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60832+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60833+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60834+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60835+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60836+4 4 4 4 4 4
60837+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60838+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60839+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60840+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60841+4 4 4 4 4 4 4 4 4 3 3 3 0 0 0 0 0 0
60842+0 0 0 0 0 0 0 0 0 0 0 0 3 3 3 4 4 4
60843+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60844+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60845+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60846+4 4 4 4 4 4 4 4 4 4 4 4 1 1 1 0 0 0
60847+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
60848+4 4 4 4 4 4 4 4 4 2 1 0 2 1 0 3 2 2
60849+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60850+4 4 4 4 4 4
60851+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60852+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60853+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60854+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60855+4 4 4 4 4 4 2 2 2 0 0 0 3 4 3 26 28 28
60856+37 38 37 37 38 37 14 17 19 2 2 2 0 0 0 2 2 2
60857+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60858+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60859+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60860+4 4 4 4 4 4 3 3 3 0 0 0 1 1 1 6 6 6
60861+2 2 2 0 0 0 3 3 3 4 4 4 4 4 4 4 4 4
60862+4 4 5 3 3 3 1 0 0 0 0 0 1 0 0 0 0 0
60863+1 1 1 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60864+4 4 4 4 4 4
60865+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60866+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60867+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60868+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60869+2 2 2 0 0 0 0 0 0 14 17 19 60 74 84 137 136 137
60870+153 152 153 137 136 137 125 124 125 60 73 81 6 6 6 3 1 0
60871+0 0 0 3 3 3 4 4 4 4 4 4 4 4 4 4 4 4
60872+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60873+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60874+4 4 4 4 4 4 0 0 0 4 4 4 41 54 63 125 124 125
60875+60 73 81 6 6 6 4 0 0 3 3 3 4 4 4 4 4 4
60876+4 4 4 0 0 0 6 9 11 41 54 63 41 65 82 22 30 35
60877+2 2 2 2 1 0 4 4 4 4 4 4 4 4 4 4 4 4
60878+4 4 4 4 4 4
60879+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60880+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60881+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60882+4 4 4 4 4 4 5 5 5 5 5 5 2 2 2 0 0 0
60883+4 0 0 6 6 6 41 54 63 137 136 137 174 174 174 167 166 167
60884+165 164 165 165 164 165 163 162 163 163 162 163 125 124 125 41 54 63
60885+1 1 1 0 0 0 0 0 0 3 3 3 5 5 5 4 4 4
60886+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60887+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
60888+3 3 3 2 0 0 4 0 0 60 73 81 156 155 156 167 166 167
60889+163 162 163 85 115 134 5 7 8 0 0 0 4 4 4 5 5 5
60890+0 0 0 2 5 5 55 98 126 90 154 193 90 154 193 72 125 159
60891+37 51 59 2 0 0 1 1 1 4 5 5 4 4 4 4 4 4
60892+4 4 4 4 4 4
60893+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60894+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60895+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60896+4 4 4 5 5 5 4 4 4 1 1 1 0 0 0 3 3 3
60897+37 38 37 125 124 125 163 162 163 174 174 174 158 157 158 158 157 158
60898+156 155 156 156 155 156 158 157 158 165 164 165 174 174 174 166 165 166
60899+125 124 125 16 19 21 1 0 0 0 0 0 0 0 0 4 4 4
60900+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
60901+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 1 1 1
60902+0 0 0 0 0 0 37 38 37 153 152 153 174 174 174 158 157 158
60903+174 174 174 163 162 163 37 38 37 4 3 3 4 0 0 1 1 1
60904+0 0 0 22 40 52 101 161 196 101 161 196 90 154 193 101 161 196
60905+64 123 161 14 17 19 0 0 0 4 4 4 4 4 4 4 4 4
60906+4 4 4 4 4 4
60907+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60908+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60909+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
60910+5 5 5 2 2 2 0 0 0 4 0 0 24 26 27 85 115 134
60911+156 155 156 174 174 174 167 166 167 156 155 156 154 153 154 157 156 157
60912+156 155 156 156 155 156 155 154 155 153 152 153 158 157 158 167 166 167
60913+174 174 174 156 155 156 60 74 84 16 19 21 0 0 0 0 0 0
60914+1 1 1 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
60915+4 4 4 5 5 5 6 6 6 3 3 3 0 0 0 4 0 0
60916+13 16 17 60 73 81 137 136 137 165 164 165 156 155 156 153 152 153
60917+174 174 174 177 184 187 60 73 81 3 1 0 0 0 0 1 1 2
60918+22 30 35 64 123 161 136 185 209 90 154 193 90 154 193 90 154 193
60919+90 154 193 21 29 34 0 0 0 3 2 2 4 4 5 4 4 4
60920+4 4 4 4 4 4
60921+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60922+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60923+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 3 3 3
60924+0 0 0 0 0 0 10 13 16 60 74 84 157 156 157 174 174 174
60925+174 174 174 158 157 158 153 152 153 154 153 154 156 155 156 155 154 155
60926+156 155 156 155 154 155 154 153 154 157 156 157 154 153 154 153 152 153
60927+163 162 163 174 174 174 177 184 187 137 136 137 60 73 81 13 16 17
60928+4 0 0 0 0 0 3 3 3 5 5 5 4 4 4 4 4 4
60929+5 5 5 4 4 4 1 1 1 0 0 0 3 3 3 41 54 63
60930+131 129 131 174 174 174 174 174 174 174 174 174 167 166 167 174 174 174
60931+190 197 201 137 136 137 24 26 27 4 0 0 16 21 25 50 82 103
60932+90 154 193 136 185 209 90 154 193 101 161 196 101 161 196 101 161 196
60933+31 91 132 3 6 7 0 0 0 4 4 4 4 4 4 4 4 4
60934+4 4 4 4 4 4
60935+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60936+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60937+4 4 4 4 4 4 4 4 4 2 2 2 0 0 0 4 0 0
60938+4 0 0 43 57 68 137 136 137 177 184 187 174 174 174 163 162 163
60939+155 154 155 155 154 155 156 155 156 155 154 155 158 157 158 165 164 165
60940+167 166 167 166 165 166 163 162 163 157 156 157 155 154 155 155 154 155
60941+153 152 153 156 155 156 167 166 167 174 174 174 174 174 174 131 129 131
60942+41 54 63 5 5 5 0 0 0 0 0 0 3 3 3 4 4 4
60943+1 1 1 0 0 0 1 0 0 26 28 28 125 124 125 174 174 174
60944+177 184 187 174 174 174 174 174 174 156 155 156 131 129 131 137 136 137
60945+125 124 125 24 26 27 4 0 0 41 65 82 90 154 193 136 185 209
60946+136 185 209 101 161 196 53 118 160 37 112 160 90 154 193 34 86 122
60947+7 12 15 0 0 0 4 4 4 4 4 4 4 4 4 4 4 4
60948+4 4 4 4 4 4
60949+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60950+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60951+4 4 4 3 3 3 0 0 0 0 0 0 5 5 5 37 38 37
60952+125 124 125 167 166 167 174 174 174 167 166 167 158 157 158 155 154 155
60953+156 155 156 156 155 156 156 155 156 163 162 163 167 166 167 155 154 155
60954+137 136 137 153 152 153 156 155 156 165 164 165 163 162 163 156 155 156
60955+156 155 156 156 155 156 155 154 155 158 157 158 166 165 166 174 174 174
60956+167 166 167 125 124 125 37 38 37 1 0 0 0 0 0 0 0 0
60957+0 0 0 24 26 27 60 74 84 158 157 158 174 174 174 174 174 174
60958+166 165 166 158 157 158 125 124 125 41 54 63 13 16 17 6 6 6
60959+6 6 6 37 38 37 80 127 157 136 185 209 101 161 196 101 161 196
60960+90 154 193 28 67 93 6 10 14 13 20 25 13 20 25 6 10 14
60961+1 1 2 4 3 3 4 4 4 4 4 4 4 4 4 4 4 4
60962+4 4 4 4 4 4
60963+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60964+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60965+1 1 1 1 0 0 4 3 3 37 38 37 60 74 84 153 152 153
60966+167 166 167 167 166 167 158 157 158 154 153 154 155 154 155 156 155 156
60967+157 156 157 158 157 158 167 166 167 167 166 167 131 129 131 43 57 68
60968+26 28 28 37 38 37 60 73 81 131 129 131 165 164 165 166 165 166
60969+158 157 158 155 154 155 156 155 156 156 155 156 156 155 156 158 157 158
60970+165 164 165 174 174 174 163 162 163 60 74 84 16 19 21 13 16 17
60971+60 73 81 131 129 131 174 174 174 174 174 174 167 166 167 165 164 165
60972+137 136 137 60 73 81 24 26 27 4 0 0 4 0 0 16 19 21
60973+52 104 138 101 161 196 136 185 209 136 185 209 90 154 193 27 99 146
60974+13 20 25 4 5 7 2 5 5 4 5 7 1 1 2 0 0 0
60975+4 4 4 4 4 4 3 3 3 2 2 2 2 2 2 4 4 4
60976+4 4 4 4 4 4
60977+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60978+4 4 4 4 4 4 4 4 4 4 4 4 3 3 3 0 0 0
60979+0 0 0 13 16 17 60 73 81 137 136 137 174 174 174 166 165 166
60980+158 157 158 156 155 156 157 156 157 156 155 156 155 154 155 158 157 158
60981+167 166 167 174 174 174 153 152 153 60 73 81 16 19 21 4 0 0
60982+4 0 0 4 0 0 6 6 6 26 28 28 60 74 84 158 157 158
60983+174 174 174 166 165 166 157 156 157 155 154 155 156 155 156 156 155 156
60984+155 154 155 158 157 158 167 166 167 167 166 167 131 129 131 125 124 125
60985+137 136 137 167 166 167 167 166 167 174 174 174 158 157 158 125 124 125
60986+16 19 21 4 0 0 4 0 0 10 13 16 49 76 92 107 159 188
60987+136 185 209 136 185 209 90 154 193 26 108 161 22 40 52 6 10 14
60988+2 3 3 1 1 2 1 1 2 4 4 5 4 4 5 4 4 5
60989+4 4 5 2 2 1 0 0 0 0 0 0 0 0 0 2 2 2
60990+4 4 4 4 4 4
60991+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
60992+4 4 4 5 5 5 3 3 3 0 0 0 1 0 0 4 0 0
60993+37 51 59 131 129 131 167 166 167 167 166 167 163 162 163 157 156 157
60994+157 156 157 155 154 155 153 152 153 157 156 157 167 166 167 174 174 174
60995+153 152 153 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
60996+4 3 3 4 3 3 4 0 0 6 6 6 4 0 0 37 38 37
60997+125 124 125 174 174 174 174 174 174 165 164 165 156 155 156 154 153 154
60998+156 155 156 156 155 156 155 154 155 163 162 163 158 157 158 163 162 163
60999+174 174 174 174 174 174 174 174 174 125 124 125 37 38 37 0 0 0
61000+4 0 0 6 9 11 41 54 63 90 154 193 136 185 209 146 190 211
61001+136 185 209 37 112 160 22 40 52 6 10 14 3 6 7 1 1 2
61002+1 1 2 3 3 3 1 1 2 3 3 3 4 4 4 4 4 4
61003+2 2 2 2 0 0 16 19 21 37 38 37 24 26 27 0 0 0
61004+0 0 0 4 4 4
61005+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 5 5 5
61006+4 4 4 0 0 0 0 0 0 0 0 0 26 28 28 120 125 127
61007+158 157 158 174 174 174 165 164 165 157 156 157 155 154 155 156 155 156
61008+153 152 153 153 152 153 167 166 167 174 174 174 174 174 174 125 124 125
61009+37 38 37 4 0 0 0 0 0 4 0 0 4 3 3 4 4 4
61010+4 4 4 4 4 4 5 5 5 4 0 0 4 0 0 4 0 0
61011+4 3 3 43 57 68 137 136 137 174 174 174 174 174 174 165 164 165
61012+154 153 154 153 152 153 153 152 153 153 152 153 163 162 163 174 174 174
61013+174 174 174 153 152 153 60 73 81 6 6 6 4 0 0 4 3 3
61014+32 43 50 80 127 157 136 185 209 146 190 211 146 190 211 90 154 193
61015+28 67 93 28 67 93 40 71 93 3 6 7 1 1 2 2 5 5
61016+50 82 103 79 117 143 26 37 45 0 0 0 3 3 3 1 1 1
61017+0 0 0 41 54 63 137 136 137 174 174 174 153 152 153 60 73 81
61018+2 0 0 0 0 0
61019+4 4 4 4 4 4 4 4 4 4 4 4 6 6 6 2 2 2
61020+0 0 0 2 0 0 24 26 27 60 74 84 153 152 153 174 174 174
61021+174 174 174 157 156 157 154 153 154 156 155 156 154 153 154 153 152 153
61022+165 164 165 174 174 174 177 184 187 137 136 137 43 57 68 6 6 6
61023+4 0 0 2 0 0 3 3 3 5 5 5 5 5 5 4 4 4
61024+4 4 4 4 4 4 4 4 4 5 5 5 6 6 6 4 3 3
61025+4 0 0 4 0 0 24 26 27 60 73 81 153 152 153 174 174 174
61026+174 174 174 158 157 158 158 157 158 174 174 174 174 174 174 158 157 158
61027+60 74 84 24 26 27 4 0 0 4 0 0 17 23 27 59 113 148
61028+136 185 209 191 222 234 146 190 211 136 185 209 31 91 132 7 11 13
61029+22 40 52 101 161 196 90 154 193 6 9 11 3 4 4 43 95 132
61030+136 185 209 172 205 220 55 98 126 0 0 0 0 0 0 2 0 0
61031+26 28 28 153 152 153 177 184 187 167 166 167 177 184 187 165 164 165
61032+37 38 37 0 0 0
61033+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
61034+13 16 17 60 73 81 137 136 137 174 174 174 174 174 174 165 164 165
61035+153 152 153 153 152 153 155 154 155 154 153 154 158 157 158 174 174 174
61036+177 184 187 163 162 163 60 73 81 16 19 21 4 0 0 4 0 0
61037+4 3 3 4 4 4 5 5 5 5 5 5 4 4 4 5 5 5
61038+5 5 5 5 5 5 5 5 5 4 4 4 4 4 4 5 5 5
61039+6 6 6 4 0 0 4 0 0 4 0 0 24 26 27 60 74 84
61040+166 165 166 174 174 174 177 184 187 165 164 165 125 124 125 24 26 27
61041+4 0 0 4 0 0 5 5 5 50 82 103 136 185 209 172 205 220
61042+146 190 211 136 185 209 26 108 161 22 40 52 7 12 15 44 81 103
61043+71 116 144 28 67 93 37 51 59 41 65 82 100 139 164 101 161 196
61044+90 154 193 90 154 193 28 67 93 0 0 0 0 0 0 26 28 28
61045+125 124 125 167 166 167 163 162 163 153 152 153 163 162 163 174 174 174
61046+85 115 134 4 0 0
61047+4 4 4 5 5 5 4 4 4 1 0 0 4 0 0 34 47 55
61048+125 124 125 174 174 174 174 174 174 167 166 167 157 156 157 153 152 153
61049+155 154 155 155 154 155 158 157 158 166 165 166 167 166 167 154 153 154
61050+125 124 125 26 28 28 4 0 0 4 0 0 4 0 0 5 5 5
61051+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 1 1 1
61052+0 0 0 0 0 0 1 1 1 4 4 4 4 4 4 4 4 4
61053+5 5 5 5 5 5 4 3 3 4 0 0 4 0 0 6 6 6
61054+37 38 37 131 129 131 137 136 137 37 38 37 0 0 0 4 0 0
61055+4 5 5 43 61 72 90 154 193 172 205 220 146 190 211 136 185 209
61056+90 154 193 28 67 93 13 20 25 43 61 72 71 116 144 44 81 103
61057+2 5 5 7 11 13 59 113 148 101 161 196 90 154 193 28 67 93
61058+13 20 25 6 10 14 0 0 0 13 16 17 60 73 81 137 136 137
61059+166 165 166 158 157 158 156 155 156 154 153 154 167 166 167 174 174 174
61060+60 73 81 4 0 0
61061+4 4 4 4 4 4 0 0 0 3 3 3 60 74 84 174 174 174
61062+174 174 174 167 166 167 163 162 163 155 154 155 157 156 157 155 154 155
61063+156 155 156 163 162 163 167 166 167 158 157 158 125 124 125 37 38 37
61064+4 3 3 4 0 0 4 0 0 6 6 6 6 6 6 5 5 5
61065+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 2 3 3
61066+10 13 16 7 11 13 1 0 0 0 0 0 2 2 1 4 4 4
61067+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 4 0 0
61068+4 0 0 7 11 13 13 16 17 4 0 0 3 3 3 34 47 55
61069+80 127 157 146 190 211 172 205 220 136 185 209 136 185 209 136 185 209
61070+28 67 93 22 40 52 55 98 126 55 98 126 21 29 34 7 11 13
61071+50 82 103 101 161 196 101 161 196 35 83 115 13 20 25 2 2 1
61072+1 1 2 1 1 2 37 51 59 131 129 131 174 174 174 174 174 174
61073+167 166 167 163 162 163 163 162 163 167 166 167 174 174 174 125 124 125
61074+16 19 21 4 0 0
61075+4 4 4 4 0 0 4 0 0 60 74 84 174 174 174 174 174 174
61076+158 157 158 155 154 155 155 154 155 156 155 156 155 154 155 158 157 158
61077+167 166 167 165 164 165 131 129 131 60 73 81 13 16 17 4 0 0
61078+4 0 0 4 3 3 6 6 6 4 3 3 5 5 5 4 4 4
61079+4 4 4 3 2 2 0 0 0 0 0 0 7 11 13 45 69 86
61080+80 127 157 71 116 144 43 61 72 7 11 13 0 0 0 1 1 1
61081+4 3 3 4 4 4 4 4 4 4 4 4 6 6 6 5 5 5
61082+3 2 2 4 0 0 1 0 0 21 29 34 59 113 148 136 185 209
61083+146 190 211 136 185 209 136 185 209 136 185 209 136 185 209 136 185 209
61084+68 124 159 44 81 103 22 40 52 13 16 17 43 61 72 90 154 193
61085+136 185 209 59 113 148 21 29 34 3 4 3 1 1 1 0 0 0
61086+24 26 27 125 124 125 163 162 163 174 174 174 166 165 166 165 164 165
61087+163 162 163 125 124 125 125 124 125 125 124 125 125 124 125 26 28 28
61088+4 0 0 4 3 3
61089+3 3 3 0 0 0 24 26 27 153 152 153 177 184 187 158 157 158
61090+156 155 156 156 155 156 155 154 155 155 154 155 165 164 165 174 174 174
61091+155 154 155 60 74 84 26 28 28 4 0 0 4 0 0 3 1 0
61092+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 3 3
61093+2 0 0 0 0 0 0 0 0 32 43 50 72 125 159 101 161 196
61094+136 185 209 101 161 196 101 161 196 79 117 143 32 43 50 0 0 0
61095+0 0 0 2 2 2 4 4 4 4 4 4 3 3 3 1 0 0
61096+0 0 0 4 5 5 49 76 92 101 161 196 146 190 211 146 190 211
61097+136 185 209 136 185 209 136 185 209 136 185 209 136 185 209 90 154 193
61098+28 67 93 13 16 17 37 51 59 80 127 157 136 185 209 90 154 193
61099+22 40 52 6 9 11 3 4 3 2 2 1 16 19 21 60 73 81
61100+137 136 137 163 162 163 158 157 158 166 165 166 167 166 167 153 152 153
61101+60 74 84 37 38 37 6 6 6 13 16 17 4 0 0 1 0 0
61102+3 2 2 4 4 4
61103+3 2 2 4 0 0 37 38 37 137 136 137 167 166 167 158 157 158
61104+157 156 157 154 153 154 157 156 157 167 166 167 174 174 174 125 124 125
61105+37 38 37 4 0 0 4 0 0 4 0 0 4 3 3 4 4 4
61106+4 4 4 4 4 4 5 5 5 5 5 5 1 1 1 0 0 0
61107+0 0 0 16 21 25 55 98 126 90 154 193 136 185 209 101 161 196
61108+101 161 196 101 161 196 136 185 209 136 185 209 101 161 196 55 98 126
61109+14 17 19 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
61110+22 40 52 90 154 193 146 190 211 146 190 211 136 185 209 136 185 209
61111+136 185 209 136 185 209 136 185 209 101 161 196 35 83 115 7 11 13
61112+17 23 27 59 113 148 136 185 209 101 161 196 34 86 122 7 12 15
61113+2 5 5 3 4 3 6 6 6 60 73 81 131 129 131 163 162 163
61114+166 165 166 174 174 174 174 174 174 163 162 163 125 124 125 41 54 63
61115+13 16 17 4 0 0 4 0 0 4 0 0 1 0 0 2 2 2
61116+4 4 4 4 4 4
61117+1 1 1 2 1 0 43 57 68 137 136 137 153 152 153 153 152 153
61118+163 162 163 156 155 156 165 164 165 167 166 167 60 74 84 6 6 6
61119+4 0 0 4 0 0 5 5 5 4 4 4 4 4 4 4 4 4
61120+4 5 5 6 6 6 4 3 3 0 0 0 0 0 0 11 15 18
61121+40 71 93 100 139 164 101 161 196 101 161 196 101 161 196 101 161 196
61122+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 136 185 209
61123+101 161 196 45 69 86 6 6 6 0 0 0 17 23 27 55 98 126
61124+136 185 209 146 190 211 136 185 209 136 185 209 136 185 209 136 185 209
61125+136 185 209 136 185 209 90 154 193 22 40 52 7 11 13 50 82 103
61126+136 185 209 136 185 209 53 118 160 22 40 52 7 11 13 2 5 5
61127+3 4 3 37 38 37 125 124 125 157 156 157 166 165 166 167 166 167
61128+174 174 174 174 174 174 137 136 137 60 73 81 4 0 0 4 0 0
61129+4 0 0 4 0 0 5 5 5 3 3 3 3 3 3 4 4 4
61130+4 4 4 4 4 4
61131+4 0 0 4 0 0 41 54 63 137 136 137 125 124 125 131 129 131
61132+155 154 155 167 166 167 174 174 174 60 74 84 6 6 6 4 0 0
61133+4 3 3 6 6 6 4 4 4 4 4 4 4 4 4 5 5 5
61134+4 4 4 1 1 1 0 0 0 3 6 7 41 65 82 72 125 159
61135+101 161 196 101 161 196 101 161 196 90 154 193 90 154 193 101 161 196
61136+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
61137+136 185 209 136 185 209 80 127 157 55 98 126 101 161 196 146 190 211
61138+136 185 209 136 185 209 136 185 209 101 161 196 136 185 209 101 161 196
61139+136 185 209 101 161 196 35 83 115 22 30 35 101 161 196 172 205 220
61140+90 154 193 28 67 93 7 11 13 2 5 5 3 4 3 13 16 17
61141+85 115 134 167 166 167 174 174 174 174 174 174 174 174 174 174 174 174
61142+167 166 167 60 74 84 13 16 17 4 0 0 4 0 0 4 3 3
61143+6 6 6 5 5 5 4 4 4 5 5 5 4 4 4 5 5 5
61144+5 5 5 5 5 5
61145+1 1 1 4 0 0 41 54 63 137 136 137 137 136 137 125 124 125
61146+131 129 131 167 166 167 157 156 157 37 38 37 6 6 6 4 0 0
61147+6 6 6 5 5 5 4 4 4 4 4 4 4 5 5 2 2 1
61148+0 0 0 0 0 0 26 37 45 58 111 146 101 161 196 101 161 196
61149+101 161 196 90 154 193 90 154 193 90 154 193 101 161 196 101 161 196
61150+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
61151+101 161 196 136 185 209 136 185 209 136 185 209 146 190 211 136 185 209
61152+136 185 209 101 161 196 136 185 209 136 185 209 101 161 196 136 185 209
61153+101 161 196 136 185 209 136 185 209 136 185 209 136 185 209 16 89 141
61154+7 11 13 2 5 5 2 5 5 13 16 17 60 73 81 154 154 154
61155+174 174 174 174 174 174 174 174 174 174 174 174 163 162 163 125 124 125
61156+24 26 27 4 0 0 4 0 0 4 0 0 5 5 5 5 5 5
61157+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
61158+5 5 5 4 4 4
61159+4 0 0 6 6 6 37 38 37 137 136 137 137 136 137 131 129 131
61160+131 129 131 153 152 153 131 129 131 26 28 28 4 0 0 4 3 3
61161+6 6 6 4 4 4 4 4 4 4 4 4 0 0 0 0 0 0
61162+13 20 25 51 88 114 90 154 193 101 161 196 101 161 196 90 154 193
61163+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
61164+101 161 196 101 161 196 101 161 196 101 161 196 136 185 209 101 161 196
61165+101 161 196 136 185 209 101 161 196 136 185 209 136 185 209 101 161 196
61166+136 185 209 101 161 196 136 185 209 101 161 196 101 161 196 101 161 196
61167+136 185 209 136 185 209 136 185 209 37 112 160 21 29 34 5 7 8
61168+2 5 5 13 16 17 43 57 68 131 129 131 174 174 174 174 174 174
61169+174 174 174 167 166 167 157 156 157 125 124 125 37 38 37 4 0 0
61170+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
61171+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61172+4 4 4 4 4 4
61173+1 1 1 4 0 0 41 54 63 153 152 153 137 136 137 137 136 137
61174+137 136 137 153 152 153 125 124 125 24 26 27 4 0 0 3 2 2
61175+4 4 4 4 4 4 4 3 3 4 0 0 3 6 7 43 61 72
61176+64 123 161 101 161 196 90 154 193 90 154 193 90 154 193 90 154 193
61177+90 154 193 90 154 193 90 154 193 90 154 193 101 161 196 90 154 193
61178+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
61179+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
61180+136 185 209 101 161 196 101 161 196 136 185 209 136 185 209 101 161 196
61181+101 161 196 90 154 193 28 67 93 13 16 17 7 11 13 3 6 7
61182+37 51 59 125 124 125 163 162 163 174 174 174 167 166 167 166 165 166
61183+167 166 167 131 129 131 60 73 81 4 0 0 4 0 0 4 0 0
61184+3 3 3 5 5 5 6 6 6 4 4 4 4 4 4 4 4 4
61185+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61186+4 4 4 4 4 4
61187+4 0 0 4 0 0 41 54 63 137 136 137 153 152 153 137 136 137
61188+153 152 153 157 156 157 125 124 125 24 26 27 0 0 0 2 2 2
61189+4 4 4 4 4 4 2 0 0 0 0 0 28 67 93 90 154 193
61190+90 154 193 90 154 193 90 154 193 90 154 193 64 123 161 90 154 193
61191+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
61192+90 154 193 101 161 196 101 161 196 101 161 196 90 154 193 136 185 209
61193+101 161 196 101 161 196 136 185 209 101 161 196 136 185 209 101 161 196
61194+101 161 196 101 161 196 136 185 209 101 161 196 101 161 196 90 154 193
61195+35 83 115 13 16 17 3 6 7 2 5 5 13 16 17 60 74 84
61196+154 154 154 166 165 166 165 164 165 158 157 158 163 162 163 157 156 157
61197+60 74 84 13 16 17 4 0 0 4 0 0 3 2 2 4 4 4
61198+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61199+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61200+4 4 4 4 4 4
61201+1 1 1 4 0 0 41 54 63 157 156 157 155 154 155 137 136 137
61202+153 152 153 158 157 158 137 136 137 26 28 28 2 0 0 2 2 2
61203+4 4 4 4 4 4 1 0 0 6 10 14 34 86 122 90 154 193
61204+64 123 161 90 154 193 64 123 161 90 154 193 90 154 193 90 154 193
61205+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
61206+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
61207+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 101 161 196
61208+136 185 209 101 161 196 136 185 209 90 154 193 26 108 161 22 40 52
61209+13 16 17 5 7 8 2 5 5 2 5 5 37 38 37 165 164 165
61210+174 174 174 163 162 163 154 154 154 165 164 165 167 166 167 60 73 81
61211+6 6 6 4 0 0 4 0 0 4 4 4 4 4 4 4 4 4
61212+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61213+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61214+4 4 4 4 4 4
61215+4 0 0 6 6 6 41 54 63 156 155 156 158 157 158 153 152 153
61216+156 155 156 165 164 165 137 136 137 26 28 28 0 0 0 2 2 2
61217+4 4 5 4 4 4 2 0 0 7 12 15 31 96 139 64 123 161
61218+90 154 193 64 123 161 90 154 193 90 154 193 64 123 161 90 154 193
61219+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
61220+90 154 193 90 154 193 90 154 193 101 161 196 101 161 196 101 161 196
61221+101 161 196 101 161 196 101 161 196 101 161 196 101 161 196 136 185 209
61222+101 161 196 136 185 209 26 108 161 22 40 52 7 11 13 5 7 8
61223+2 5 5 2 5 5 2 5 5 2 2 1 37 38 37 158 157 158
61224+174 174 174 154 154 154 156 155 156 167 166 167 165 164 165 37 38 37
61225+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61226+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61227+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61228+4 4 4 4 4 4
61229+3 1 0 4 0 0 60 73 81 157 156 157 163 162 163 153 152 153
61230+158 157 158 167 166 167 137 136 137 26 28 28 2 0 0 2 2 2
61231+4 5 5 4 4 4 4 0 0 7 12 15 24 86 132 26 108 161
61232+37 112 160 64 123 161 90 154 193 64 123 161 90 154 193 90 154 193
61233+90 154 193 90 154 193 90 154 193 90 154 193 90 154 193 90 154 193
61234+90 154 193 101 161 196 90 154 193 101 161 196 101 161 196 101 161 196
61235+101 161 196 101 161 196 101 161 196 136 185 209 101 161 196 136 185 209
61236+90 154 193 35 83 115 13 16 17 13 16 17 7 11 13 3 6 7
61237+5 7 8 6 6 6 3 4 3 2 2 1 30 32 34 154 154 154
61238+167 166 167 154 154 154 154 154 154 174 174 174 165 164 165 37 38 37
61239+6 6 6 4 0 0 6 6 6 4 4 4 4 4 4 4 4 4
61240+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61241+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61242+4 4 4 4 4 4
61243+4 0 0 4 0 0 41 54 63 163 162 163 166 165 166 154 154 154
61244+163 162 163 174 174 174 137 136 137 26 28 28 0 0 0 2 2 2
61245+4 5 5 4 4 5 1 1 2 6 10 14 28 67 93 18 97 151
61246+18 97 151 18 97 151 26 108 161 37 112 160 37 112 160 90 154 193
61247+64 123 161 90 154 193 90 154 193 90 154 193 90 154 193 101 161 196
61248+90 154 193 101 161 196 101 161 196 90 154 193 101 161 196 101 161 196
61249+101 161 196 101 161 196 101 161 196 136 185 209 90 154 193 16 89 141
61250+13 20 25 7 11 13 5 7 8 5 7 8 2 5 5 4 5 5
61251+3 4 3 4 5 5 3 4 3 0 0 0 37 38 37 158 157 158
61252+174 174 174 158 157 158 158 157 158 167 166 167 174 174 174 41 54 63
61253+4 0 0 3 2 2 5 5 5 4 4 4 4 4 4 4 4 4
61254+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61255+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61256+4 4 4 4 4 4
61257+1 1 1 4 0 0 60 73 81 165 164 165 174 174 174 158 157 158
61258+167 166 167 174 174 174 153 152 153 26 28 28 2 0 0 2 2 2
61259+4 5 5 4 4 4 4 0 0 7 12 15 10 87 144 10 87 144
61260+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
61261+26 108 161 37 112 160 53 118 160 90 154 193 90 154 193 90 154 193
61262+90 154 193 90 154 193 101 161 196 101 161 196 101 161 196 101 161 196
61263+101 161 196 136 185 209 90 154 193 26 108 161 22 40 52 13 16 17
61264+7 11 13 3 6 7 5 7 8 5 7 8 2 5 5 4 5 5
61265+4 5 5 6 6 6 3 4 3 0 0 0 30 32 34 158 157 158
61266+174 174 174 156 155 156 155 154 155 165 164 165 154 153 154 37 38 37
61267+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61268+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61269+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61270+4 4 4 4 4 4
61271+4 0 0 4 0 0 60 73 81 167 166 167 174 174 174 163 162 163
61272+174 174 174 174 174 174 153 152 153 26 28 28 0 0 0 3 3 3
61273+5 5 5 4 4 4 1 1 2 7 12 15 28 67 93 18 97 151
61274+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
61275+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61276+90 154 193 26 108 161 90 154 193 90 154 193 90 154 193 101 161 196
61277+101 161 196 26 108 161 22 40 52 13 16 17 7 11 13 2 5 5
61278+2 5 5 6 6 6 2 5 5 4 5 5 4 5 5 4 5 5
61279+3 4 3 5 5 5 3 4 3 2 0 0 30 32 34 137 136 137
61280+153 152 153 137 136 137 131 129 131 137 136 137 131 129 131 37 38 37
61281+4 0 0 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61282+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61283+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61284+4 4 4 4 4 4
61285+1 1 1 4 0 0 60 73 81 167 166 167 174 174 174 166 165 166
61286+174 174 174 177 184 187 153 152 153 30 32 34 1 0 0 3 3 3
61287+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
61288+18 97 151 18 97 151 18 97 151 26 108 161 26 108 161 26 108 161
61289+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61290+26 108 161 26 108 161 26 108 161 90 154 193 90 154 193 26 108 161
61291+35 83 115 13 16 17 7 11 13 5 7 8 3 6 7 5 7 8
61292+2 5 5 6 6 6 4 5 5 4 5 5 3 4 3 4 5 5
61293+3 4 3 6 6 6 3 4 3 0 0 0 26 28 28 125 124 125
61294+131 129 131 125 124 125 125 124 125 131 129 131 131 129 131 37 38 37
61295+4 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61296+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61297+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61298+4 4 4 4 4 4
61299+3 1 0 4 0 0 60 73 81 174 174 174 177 184 187 167 166 167
61300+174 174 174 177 184 187 153 152 153 30 32 34 0 0 0 3 3 3
61301+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
61302+18 97 151 18 97 151 18 97 151 18 97 151 18 97 151 26 108 161
61303+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61304+26 108 161 90 154 193 26 108 161 26 108 161 24 86 132 13 20 25
61305+7 11 13 13 20 25 22 40 52 5 7 8 3 4 3 3 4 3
61306+4 5 5 3 4 3 4 5 5 3 4 3 4 5 5 3 4 3
61307+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
61308+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61309+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61310+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61311+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61312+4 4 4 4 4 4
61313+1 1 1 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
61314+174 174 174 190 197 201 157 156 157 30 32 34 1 0 0 3 3 3
61315+5 5 5 4 3 3 4 0 0 7 12 15 10 87 144 10 87 144
61316+18 97 151 19 95 150 19 95 150 18 97 151 18 97 151 26 108 161
61317+18 97 151 26 108 161 26 108 161 26 108 161 26 108 161 90 154 193
61318+26 108 161 26 108 161 26 108 161 22 40 52 2 5 5 3 4 3
61319+28 67 93 37 112 160 34 86 122 2 5 5 3 4 3 3 4 3
61320+3 4 3 3 4 3 3 4 3 2 2 1 3 4 3 4 4 4
61321+4 5 5 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
61322+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61323+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61324+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61325+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61326+4 4 4 4 4 4
61327+4 0 0 4 0 0 60 73 81 174 174 174 177 184 187 174 174 174
61328+174 174 174 190 197 201 158 157 158 30 32 34 0 0 0 2 2 2
61329+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 18 97 151
61330+10 87 144 19 95 150 19 95 150 18 97 151 18 97 151 18 97 151
61331+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61332+18 97 151 22 40 52 2 5 5 2 2 1 22 40 52 26 108 161
61333+90 154 193 37 112 160 22 40 52 3 4 3 13 20 25 22 30 35
61334+3 6 7 1 1 1 2 2 2 6 9 11 5 5 5 4 3 3
61335+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
61336+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61337+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61338+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61339+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61340+4 4 4 4 4 4
61341+1 1 1 4 0 0 60 73 81 177 184 187 193 200 203 174 174 174
61342+177 184 187 193 200 203 163 162 163 30 32 34 4 0 0 2 2 2
61343+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
61344+10 87 144 10 87 144 19 95 150 19 95 150 19 95 150 18 97 151
61345+26 108 161 26 108 161 26 108 161 90 154 193 26 108 161 28 67 93
61346+6 10 14 2 5 5 13 20 25 24 86 132 37 112 160 90 154 193
61347+10 87 144 7 12 15 2 5 5 28 67 93 37 112 160 28 67 93
61348+2 2 1 7 12 15 35 83 115 28 67 93 3 6 7 1 0 0
61349+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
61350+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61351+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61352+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61353+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61354+4 4 4 4 4 4
61355+4 0 0 4 0 0 60 73 81 174 174 174 190 197 201 174 174 174
61356+177 184 187 193 200 203 163 162 163 30 32 34 0 0 0 2 2 2
61357+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
61358+10 87 144 16 89 141 19 95 150 10 87 144 26 108 161 26 108 161
61359+26 108 161 26 108 161 26 108 161 28 67 93 6 10 14 1 1 2
61360+7 12 15 28 67 93 26 108 161 16 89 141 24 86 132 21 29 34
61361+3 4 3 21 29 34 37 112 160 37 112 160 27 99 146 21 29 34
61362+21 29 34 26 108 161 90 154 193 35 83 115 1 1 2 2 0 0
61363+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 125 124 125
61364+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61365+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61366+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61367+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61368+4 4 4 4 4 4
61369+3 1 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
61370+190 197 201 193 200 203 165 164 165 37 38 37 4 0 0 2 2 2
61371+5 5 5 4 3 3 4 0 0 6 10 14 24 86 132 10 87 144
61372+10 87 144 10 87 144 16 89 141 18 97 151 18 97 151 10 87 144
61373+24 86 132 24 86 132 13 20 25 4 5 7 4 5 7 22 40 52
61374+18 97 151 37 112 160 26 108 161 7 12 15 1 1 1 0 0 0
61375+28 67 93 37 112 160 26 108 161 28 67 93 22 40 52 28 67 93
61376+26 108 161 90 154 193 26 108 161 10 87 144 0 0 0 2 0 0
61377+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
61378+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61379+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61380+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61381+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61382+4 4 4 4 4 4
61383+4 0 0 6 6 6 60 73 81 174 174 174 193 200 203 174 174 174
61384+190 197 201 193 200 203 165 164 165 30 32 34 0 0 0 2 2 2
61385+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
61386+10 87 144 10 87 144 10 87 144 18 97 151 28 67 93 6 10 14
61387+0 0 0 1 1 2 4 5 7 13 20 25 16 89 141 26 108 161
61388+26 108 161 26 108 161 24 86 132 6 9 11 2 3 3 22 40 52
61389+37 112 160 16 89 141 22 40 52 28 67 93 26 108 161 26 108 161
61390+90 154 193 26 108 161 26 108 161 28 67 93 1 1 1 4 0 0
61391+4 4 4 5 5 5 3 3 3 4 0 0 26 28 28 124 126 130
61392+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61393+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61394+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61395+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61396+4 4 4 4 4 4
61397+4 0 0 4 0 0 60 73 81 193 200 203 193 200 203 174 174 174
61398+193 200 203 193 200 203 167 166 167 37 38 37 4 0 0 2 2 2
61399+5 5 5 4 4 4 4 0 0 6 10 14 28 67 93 10 87 144
61400+10 87 144 10 87 144 18 97 151 10 87 144 13 20 25 4 5 7
61401+1 1 2 1 1 1 22 40 52 26 108 161 26 108 161 26 108 161
61402+26 108 161 26 108 161 26 108 161 24 86 132 22 40 52 22 40 52
61403+22 40 52 22 40 52 10 87 144 26 108 161 26 108 161 26 108 161
61404+26 108 161 26 108 161 90 154 193 10 87 144 0 0 0 4 0 0
61405+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
61406+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61407+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61408+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61409+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61410+4 4 4 4 4 4
61411+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
61412+190 197 201 205 212 215 167 166 167 30 32 34 0 0 0 2 2 2
61413+5 5 5 4 4 4 1 1 2 6 10 14 28 67 93 10 87 144
61414+10 87 144 10 87 144 10 87 144 10 87 144 22 40 52 1 1 2
61415+2 0 0 1 1 2 24 86 132 26 108 161 26 108 161 26 108 161
61416+26 108 161 19 95 150 16 89 141 10 87 144 22 40 52 22 40 52
61417+10 87 144 26 108 161 37 112 160 26 108 161 26 108 161 26 108 161
61418+26 108 161 26 108 161 26 108 161 28 67 93 2 0 0 3 1 0
61419+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
61420+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61421+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61422+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61423+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61424+4 4 4 4 4 4
61425+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
61426+193 200 203 193 200 203 174 174 174 37 38 37 4 0 0 2 2 2
61427+5 5 5 4 4 4 3 2 2 1 1 2 13 20 25 10 87 144
61428+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 13 20 25
61429+13 20 25 22 40 52 10 87 144 18 97 151 18 97 151 26 108 161
61430+10 87 144 13 20 25 6 10 14 21 29 34 24 86 132 18 97 151
61431+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61432+26 108 161 90 154 193 18 97 151 13 20 25 0 0 0 4 3 3
61433+4 4 4 5 5 5 3 3 3 0 0 0 26 28 28 131 129 131
61434+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61435+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61436+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61437+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61438+4 4 4 4 4 4
61439+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
61440+190 197 201 220 221 221 167 166 167 30 32 34 1 0 0 2 2 2
61441+5 5 5 4 4 4 4 4 5 2 5 5 4 5 7 13 20 25
61442+28 67 93 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
61443+10 87 144 10 87 144 18 97 151 10 87 144 18 97 151 18 97 151
61444+28 67 93 2 3 3 0 0 0 28 67 93 26 108 161 26 108 161
61445+26 108 161 26 108 161 26 108 161 26 108 161 26 108 161 26 108 161
61446+26 108 161 10 87 144 13 20 25 1 1 2 3 2 2 4 4 4
61447+4 4 4 5 5 5 3 3 3 2 0 0 26 28 28 131 129 131
61448+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61449+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61450+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61451+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61452+4 4 4 4 4 4
61453+4 0 0 4 0 0 60 73 81 220 221 221 190 197 201 174 174 174
61454+193 200 203 193 200 203 174 174 174 26 28 28 4 0 0 4 3 3
61455+5 5 5 4 4 4 4 4 4 4 4 5 1 1 2 2 5 5
61456+4 5 7 22 40 52 10 87 144 10 87 144 18 97 151 10 87 144
61457+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 18 97 151
61458+10 87 144 28 67 93 22 40 52 10 87 144 26 108 161 18 97 151
61459+18 97 151 18 97 151 26 108 161 26 108 161 26 108 161 26 108 161
61460+22 40 52 1 1 2 0 0 0 2 3 3 4 4 4 4 4 4
61461+4 4 4 5 5 5 4 4 4 0 0 0 26 28 28 131 129 131
61462+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61463+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61464+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61465+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61466+4 4 4 4 4 4
61467+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
61468+190 197 201 220 221 221 190 197 201 41 54 63 4 0 0 2 2 2
61469+6 6 6 4 4 4 4 4 4 4 4 5 4 4 5 3 3 3
61470+1 1 2 1 1 2 6 10 14 22 40 52 10 87 144 18 97 151
61471+18 97 151 10 87 144 10 87 144 10 87 144 18 97 151 10 87 144
61472+10 87 144 18 97 151 26 108 161 18 97 151 18 97 151 10 87 144
61473+26 108 161 26 108 161 26 108 161 10 87 144 28 67 93 6 10 14
61474+1 1 2 1 1 2 4 3 3 4 4 5 4 4 4 4 4 4
61475+5 5 5 5 5 5 1 1 1 4 0 0 37 51 59 137 136 137
61476+137 136 137 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61477+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61478+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61479+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61480+4 4 4 4 4 4
61481+4 0 0 4 0 0 60 73 81 220 221 221 193 200 203 174 174 174
61482+193 200 203 193 200 203 220 221 221 137 136 137 13 16 17 4 0 0
61483+2 2 2 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5
61484+4 4 5 4 3 3 1 1 2 4 5 7 13 20 25 28 67 93
61485+10 87 144 10 87 144 10 87 144 10 87 144 10 87 144 10 87 144
61486+10 87 144 18 97 151 18 97 151 10 87 144 18 97 151 26 108 161
61487+26 108 161 18 97 151 28 67 93 6 10 14 0 0 0 0 0 0
61488+2 3 3 4 5 5 4 4 5 4 4 4 4 4 4 5 5 5
61489+3 3 3 1 1 1 0 0 0 16 19 21 125 124 125 137 136 137
61490+131 129 131 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61491+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61492+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61493+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61494+4 4 4 4 4 4
61495+4 0 0 6 6 6 60 73 81 174 174 174 220 221 221 174 174 174
61496+193 200 203 190 197 201 220 221 221 220 221 221 153 152 153 30 32 34
61497+0 0 0 0 0 0 2 2 2 4 4 4 4 4 4 4 4 4
61498+4 4 4 4 5 5 4 5 7 1 1 2 1 1 2 4 5 7
61499+13 20 25 28 67 93 10 87 144 18 97 151 10 87 144 10 87 144
61500+10 87 144 10 87 144 10 87 144 18 97 151 26 108 161 18 97 151
61501+28 67 93 7 12 15 0 0 0 0 0 0 2 2 1 4 4 4
61502+4 5 5 4 5 5 4 4 4 4 4 4 3 3 3 0 0 0
61503+0 0 0 0 0 0 37 38 37 125 124 125 158 157 158 131 129 131
61504+125 124 125 125 124 125 125 124 125 137 136 137 131 129 131 37 38 37
61505+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61506+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61507+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61508+4 4 4 4 4 4
61509+4 3 3 4 0 0 41 54 63 193 200 203 220 221 221 174 174 174
61510+193 200 203 193 200 203 193 200 203 220 221 221 244 246 246 193 200 203
61511+120 125 127 5 5 5 1 0 0 0 0 0 1 1 1 4 4 4
61512+4 4 4 4 4 4 4 5 5 4 5 5 4 4 5 1 1 2
61513+4 5 7 4 5 7 22 40 52 10 87 144 10 87 144 10 87 144
61514+10 87 144 10 87 144 18 97 151 10 87 144 10 87 144 13 20 25
61515+4 5 7 2 3 3 1 1 2 4 4 4 4 5 5 4 4 4
61516+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 1 2
61517+24 26 27 60 74 84 153 152 153 163 162 163 137 136 137 125 124 125
61518+125 124 125 125 124 125 125 124 125 137 136 137 125 124 125 26 28 28
61519+0 0 0 3 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61520+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61521+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61522+4 4 4 4 4 4
61523+4 0 0 6 6 6 26 28 28 156 155 156 220 221 221 220 221 221
61524+174 174 174 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
61525+220 221 221 167 166 167 60 73 81 7 11 13 0 0 0 0 0 0
61526+3 3 3 4 4 4 4 4 4 4 4 4 4 4 5 4 4 5
61527+4 4 5 1 1 2 1 1 2 4 5 7 22 40 52 10 87 144
61528+10 87 144 10 87 144 10 87 144 22 40 52 4 5 7 1 1 2
61529+1 1 2 4 4 5 4 4 4 4 4 4 4 4 4 4 4 4
61530+5 5 5 2 2 2 0 0 0 4 0 0 16 19 21 60 73 81
61531+137 136 137 167 166 167 158 157 158 137 136 137 131 129 131 131 129 131
61532+125 124 125 125 124 125 131 129 131 155 154 155 60 74 84 5 7 8
61533+0 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61534+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61535+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61536+4 4 4 4 4 4
61537+5 5 5 4 0 0 4 0 0 60 73 81 193 200 203 220 221 221
61538+193 200 203 193 200 203 193 200 203 193 200 203 205 212 215 220 221 221
61539+220 221 221 220 221 221 220 221 221 137 136 137 43 57 68 6 6 6
61540+4 0 0 1 1 1 4 4 4 4 4 4 4 4 4 4 4 4
61541+4 4 5 4 4 5 3 2 2 1 1 2 2 5 5 13 20 25
61542+22 40 52 22 40 52 13 20 25 2 3 3 1 1 2 3 3 3
61543+4 5 7 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61544+1 1 1 0 0 0 2 3 3 41 54 63 131 129 131 166 165 166
61545+166 165 166 155 154 155 153 152 153 137 136 137 137 136 137 125 124 125
61546+125 124 125 137 136 137 137 136 137 125 124 125 37 38 37 4 3 3
61547+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
61548+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61549+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61550+4 4 4 4 4 4
61551+4 3 3 6 6 6 6 6 6 13 16 17 60 73 81 167 166 167
61552+220 221 221 220 221 221 220 221 221 193 200 203 193 200 203 193 200 203
61553+205 212 215 220 221 221 220 221 221 244 246 246 205 212 215 125 124 125
61554+24 26 27 0 0 0 0 0 0 2 2 2 5 5 5 5 5 5
61555+4 4 4 4 4 4 4 4 4 4 4 5 1 1 2 4 5 7
61556+4 5 7 4 5 7 1 1 2 3 2 2 4 4 5 4 4 4
61557+4 4 4 4 4 4 5 5 5 4 4 4 0 0 0 0 0 0
61558+2 0 0 26 28 28 125 124 125 174 174 174 174 174 174 166 165 166
61559+156 155 156 153 152 153 137 136 137 137 136 137 131 129 131 137 136 137
61560+137 136 137 137 136 137 60 74 84 30 32 34 4 0 0 4 0 0
61561+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61562+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61563+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61564+4 4 4 4 4 4
61565+5 5 5 6 6 6 4 0 0 4 0 0 6 6 6 26 28 28
61566+125 124 125 174 174 174 220 221 221 220 221 221 220 221 221 193 200 203
61567+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
61568+193 200 203 60 74 84 13 16 17 4 0 0 0 0 0 3 3 3
61569+5 5 5 5 5 5 4 4 4 4 4 4 4 4 5 3 3 3
61570+1 1 2 3 3 3 4 4 5 4 4 5 4 4 4 4 4 4
61571+5 5 5 5 5 5 2 2 2 0 0 0 0 0 0 13 16 17
61572+60 74 84 174 174 174 193 200 203 174 174 174 167 166 167 163 162 163
61573+153 152 153 153 152 153 137 136 137 137 136 137 153 152 153 137 136 137
61574+125 124 125 41 54 63 24 26 27 4 0 0 4 0 0 5 5 5
61575+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61576+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61577+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61578+4 4 4 4 4 4
61579+4 3 3 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
61580+6 6 6 37 38 37 131 129 131 220 221 221 220 221 221 220 221 221
61581+193 200 203 193 200 203 220 221 221 205 212 215 220 221 221 244 246 246
61582+244 246 246 244 246 246 174 174 174 41 54 63 0 0 0 0 0 0
61583+0 0 0 4 4 4 5 5 5 5 5 5 4 4 4 4 4 5
61584+4 4 5 4 4 5 4 4 4 4 4 4 6 6 6 6 6 6
61585+3 3 3 0 0 0 2 0 0 13 16 17 60 73 81 156 155 156
61586+220 221 221 193 200 203 174 174 174 165 164 165 163 162 163 154 153 154
61587+153 152 153 153 152 153 158 157 158 163 162 163 137 136 137 60 73 81
61588+13 16 17 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
61589+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61590+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61591+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61592+4 4 4 4 4 4
61593+5 5 5 4 3 3 4 3 3 6 6 6 6 6 6 6 6 6
61594+6 6 6 6 6 6 6 6 6 37 38 37 167 166 167 244 246 246
61595+244 246 246 220 221 221 205 212 215 205 212 215 220 221 221 193 200 203
61596+220 221 221 244 246 246 244 246 246 244 246 246 137 136 137 37 38 37
61597+3 2 2 0 0 0 1 1 1 5 5 5 5 5 5 4 4 4
61598+4 4 4 4 4 4 4 4 4 5 5 5 4 4 4 1 1 1
61599+0 0 0 5 5 5 43 57 68 153 152 153 193 200 203 220 221 221
61600+177 184 187 174 174 174 167 166 167 166 165 166 158 157 158 157 156 157
61601+158 157 158 166 165 166 156 155 156 85 115 134 13 16 17 4 0 0
61602+4 0 0 4 0 0 5 5 5 5 5 5 4 4 4 4 4 4
61603+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61604+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61605+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61606+4 4 4 4 4 4
61607+5 5 5 4 3 3 6 6 6 6 6 6 4 0 0 6 6 6
61608+6 6 6 6 6 6 6 6 6 6 6 6 13 16 17 60 73 81
61609+177 184 187 220 221 221 220 221 221 220 221 221 205 212 215 220 221 221
61610+220 221 221 205 212 215 220 221 221 244 246 246 244 246 246 205 212 215
61611+125 124 125 30 32 34 0 0 0 0 0 0 2 2 2 5 5 5
61612+4 4 4 4 4 4 4 4 4 1 1 1 0 0 0 1 0 0
61613+37 38 37 131 129 131 205 212 215 220 221 221 193 200 203 174 174 174
61614+174 174 174 174 174 174 167 166 167 165 164 165 166 165 166 167 166 167
61615+158 157 158 125 124 125 37 38 37 4 0 0 4 0 0 4 0 0
61616+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
61617+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61618+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61619+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61620+4 4 4 4 4 4
61621+4 4 4 5 5 5 4 3 3 4 3 3 6 6 6 6 6 6
61622+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
61623+26 28 28 125 124 125 205 212 215 220 221 221 220 221 221 220 221 221
61624+205 212 215 220 221 221 205 212 215 220 221 221 220 221 221 244 246 246
61625+244 246 246 190 197 201 60 74 84 16 19 21 4 0 0 0 0 0
61626+0 0 0 0 0 0 0 0 0 0 0 0 16 19 21 120 125 127
61627+177 184 187 220 221 221 205 212 215 177 184 187 174 174 174 177 184 187
61628+174 174 174 174 174 174 167 166 167 174 174 174 166 165 166 137 136 137
61629+60 73 81 13 16 17 4 0 0 4 0 0 4 3 3 6 6 6
61630+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61631+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61632+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61633+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61634+4 4 4 4 4 4
61635+5 5 5 4 3 3 5 5 5 4 3 3 6 6 6 4 0 0
61636+6 6 6 6 6 6 4 0 0 6 6 6 4 0 0 6 6 6
61637+6 6 6 6 6 6 37 38 37 137 136 137 193 200 203 220 221 221
61638+220 221 221 205 212 215 220 221 221 205 212 215 205 212 215 220 221 221
61639+220 221 221 220 221 221 244 246 246 166 165 166 43 57 68 2 2 2
61640+0 0 0 4 0 0 16 19 21 60 73 81 157 156 157 202 210 214
61641+220 221 221 193 200 203 177 184 187 177 184 187 177 184 187 174 174 174
61642+174 174 174 174 174 174 174 174 174 157 156 157 60 74 84 24 26 27
61643+4 0 0 4 0 0 4 0 0 6 6 6 4 4 4 4 4 4
61644+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61645+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61646+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61647+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61648+4 4 4 4 4 4
61649+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
61650+6 6 6 4 0 0 6 6 6 6 6 6 6 6 6 4 0 0
61651+4 0 0 4 0 0 6 6 6 24 26 27 60 73 81 167 166 167
61652+220 221 221 220 221 221 220 221 221 205 212 215 205 212 215 205 212 215
61653+205 212 215 220 221 221 220 221 221 220 221 221 205 212 215 137 136 137
61654+60 74 84 125 124 125 137 136 137 190 197 201 220 221 221 193 200 203
61655+177 184 187 177 184 187 177 184 187 174 174 174 174 174 174 177 184 187
61656+190 197 201 174 174 174 125 124 125 37 38 37 6 6 6 4 0 0
61657+4 0 0 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61658+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61659+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61660+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61661+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61662+4 4 4 4 4 4
61663+4 4 4 4 4 4 5 5 5 5 5 5 4 3 3 6 6 6
61664+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 6 6 6
61665+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
61666+125 124 125 193 200 203 244 246 246 220 221 221 205 212 215 205 212 215
61667+205 212 215 193 200 203 205 212 215 205 212 215 220 221 221 220 221 221
61668+193 200 203 193 200 203 205 212 215 193 200 203 193 200 203 177 184 187
61669+190 197 201 190 197 201 174 174 174 190 197 201 193 200 203 190 197 201
61670+153 152 153 60 73 81 4 0 0 4 0 0 4 0 0 3 2 2
61671+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61672+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61673+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61674+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61675+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61676+4 4 4 4 4 4
61677+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
61678+6 6 6 4 3 3 4 3 3 4 3 3 6 6 6 6 6 6
61679+4 0 0 6 6 6 6 6 6 6 6 6 4 0 0 4 0 0
61680+4 0 0 26 28 28 131 129 131 220 221 221 244 246 246 220 221 221
61681+205 212 215 193 200 203 205 212 215 193 200 203 193 200 203 205 212 215
61682+220 221 221 193 200 203 193 200 203 193 200 203 190 197 201 174 174 174
61683+174 174 174 190 197 201 193 200 203 193 200 203 167 166 167 125 124 125
61684+6 6 6 4 0 0 4 0 0 4 3 3 4 4 4 4 4 4
61685+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61686+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61687+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61688+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61689+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61690+4 4 4 4 4 4
61691+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
61692+5 5 5 4 3 3 5 5 5 6 6 6 4 3 3 5 5 5
61693+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
61694+4 0 0 4 0 0 6 6 6 41 54 63 158 157 158 220 221 221
61695+220 221 221 220 221 221 193 200 203 193 200 203 193 200 203 190 197 201
61696+190 197 201 190 197 201 190 197 201 190 197 201 174 174 174 193 200 203
61697+193 200 203 220 221 221 174 174 174 125 124 125 37 38 37 4 0 0
61698+4 0 0 4 3 3 6 6 6 4 4 4 4 4 4 4 4 4
61699+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61700+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61701+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61702+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61703+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61704+4 4 4 4 4 4
61705+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61706+4 4 4 5 5 5 4 3 3 4 3 3 4 3 3 5 5 5
61707+4 3 3 6 6 6 5 5 5 4 3 3 6 6 6 6 6 6
61708+6 6 6 6 6 6 4 0 0 4 0 0 13 16 17 60 73 81
61709+174 174 174 220 221 221 220 221 221 205 212 215 190 197 201 174 174 174
61710+193 200 203 174 174 174 190 197 201 174 174 174 193 200 203 220 221 221
61711+193 200 203 131 129 131 37 38 37 6 6 6 4 0 0 4 0 0
61712+6 6 6 6 6 6 4 3 3 5 5 5 4 4 4 4 4 4
61713+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61714+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61715+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61716+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61717+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61718+4 4 4 4 4 4
61719+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61720+4 4 4 4 4 4 4 4 4 5 5 5 5 5 5 5 5 5
61721+5 5 5 4 3 3 4 3 3 5 5 5 4 3 3 4 3 3
61722+5 5 5 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
61723+6 6 6 125 124 125 174 174 174 220 221 221 220 221 221 193 200 203
61724+193 200 203 193 200 203 193 200 203 193 200 203 220 221 221 158 157 158
61725+60 73 81 6 6 6 4 0 0 4 0 0 5 5 5 6 6 6
61726+5 5 5 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
61727+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61728+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61729+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61730+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61731+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61732+4 4 4 4 4 4
61733+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61734+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61735+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
61736+5 5 5 5 5 5 6 6 6 6 6 6 4 0 0 4 0 0
61737+4 0 0 4 0 0 26 28 28 125 124 125 174 174 174 193 200 203
61738+193 200 203 174 174 174 193 200 203 167 166 167 125 124 125 6 6 6
61739+6 6 6 6 6 6 4 0 0 6 6 6 6 6 6 5 5 5
61740+4 3 3 5 5 5 4 4 4 4 4 4 4 4 4 4 4 4
61741+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61742+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61743+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61744+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61745+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61746+4 4 4 4 4 4
61747+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61748+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61749+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
61750+4 3 3 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
61751+6 6 6 4 0 0 4 0 0 6 6 6 37 38 37 125 124 125
61752+153 152 153 131 129 131 125 124 125 37 38 37 6 6 6 6 6 6
61753+6 6 6 4 0 0 6 6 6 6 6 6 4 3 3 5 5 5
61754+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61755+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61756+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61757+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61758+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61759+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61760+4 4 4 4 4 4
61761+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61762+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61763+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61764+4 4 4 5 5 5 5 5 5 4 3 3 5 5 5 4 3 3
61765+6 6 6 6 6 6 4 0 0 4 0 0 6 6 6 6 6 6
61766+24 26 27 24 26 27 6 6 6 6 6 6 6 6 6 4 0 0
61767+6 6 6 6 6 6 4 0 0 6 6 6 5 5 5 4 3 3
61768+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61769+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61770+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61771+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61772+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61773+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61774+4 4 4 4 4 4
61775+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61776+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61777+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61778+4 4 4 4 4 4 5 5 5 4 3 3 5 5 5 6 6 6
61779+4 0 0 6 6 6 6 6 6 6 6 6 6 6 6 6 6 6
61780+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 6 6 6
61781+4 0 0 6 6 6 6 6 6 4 3 3 5 5 5 4 4 4
61782+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61783+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61784+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61785+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61786+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61787+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61788+4 4 4 4 4 4
61789+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61790+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61791+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61792+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 5 5 5
61793+5 5 5 5 5 5 4 0 0 6 6 6 4 0 0 6 6 6
61794+6 6 6 6 6 6 6 6 6 4 0 0 6 6 6 4 0 0
61795+6 6 6 4 3 3 5 5 5 4 3 3 5 5 5 4 4 4
61796+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61797+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61798+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61799+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61800+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61801+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61802+4 4 4 4 4 4
61803+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61804+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61805+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61806+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 5 5 5
61807+4 3 3 6 6 6 4 3 3 6 6 6 6 6 6 6 6 6
61808+4 0 0 6 6 6 4 0 0 6 6 6 6 6 6 6 6 6
61809+6 6 6 4 3 3 5 5 5 4 4 4 4 4 4 4 4 4
61810+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61811+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61812+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61813+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61814+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61815+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61816+4 4 4 4 4 4
61817+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61818+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61819+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61820+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61821+4 4 4 5 5 5 4 3 3 5 5 5 4 0 0 6 6 6
61822+6 6 6 4 0 0 6 6 6 6 6 6 4 0 0 6 6 6
61823+4 3 3 5 5 5 5 5 5 4 4 4 4 4 4 4 4 4
61824+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61825+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61826+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61827+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61828+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61829+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61830+4 4 4 4 4 4
61831+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61832+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61833+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61834+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61835+4 4 4 5 5 5 4 3 3 5 5 5 6 6 6 4 3 3
61836+4 3 3 6 6 6 6 6 6 4 3 3 6 6 6 4 3 3
61837+5 5 5 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61838+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61839+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61840+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61841+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61842+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61843+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61844+4 4 4 4 4 4
61845+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61846+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61847+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61848+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61849+4 4 4 4 4 4 4 4 4 5 5 5 4 3 3 6 6 6
61850+5 5 5 4 3 3 4 3 3 4 3 3 5 5 5 5 5 5
61851+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61852+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61853+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61854+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61855+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61856+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61857+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61858+4 4 4 4 4 4
61859+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61860+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61861+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61862+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61863+4 4 4 4 4 4 4 4 4 4 4 4 5 5 5 4 3 3
61864+5 5 5 4 3 3 5 5 5 5 5 5 4 4 4 4 4 4
61865+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61866+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61867+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61868+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61869+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61870+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61871+4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4 4
61872+4 4 4 4 4 4
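--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -1568,7 +1568,7 @@ void xen_irq_resume(void)
 restore_pirqs();
 }
 
-static struct irq_chip xen_dynamic_chip __read_mostly = {
+static struct irq_chip xen_dynamic_chip = {
 .name = "xen-dyn",
 
 .irq_disable = disable_dynirq,
@@ -1582,7 +1582,7 @@ static struct irq_chip xen_dynamic_chip __read_mostly = {
 .irq_retrigger = retrigger_dynirq,
 };
 
-static struct irq_chip xen_pirq_chip __read_mostly = {
+static struct irq_chip xen_pirq_chip = {
 .name = "xen-pirq",
 
 .irq_startup = startup_pirq,
@@ -1602,7 +1602,7 @@ static struct irq_chip xen_pirq_chip __read_mostly = {
 .irq_retrigger = retrigger_dynirq,
 };
 
-static struct irq_chip xen_percpu_chip __read_mostly = {
+static struct irq_chip xen_percpu_chip = {
 .name = "xen-percpu",
 
 .irq_disable = disable_dynirq,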
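Review bot: The three `irq_chip` tables (`xen_dynamic_chip`, `xen_pirq_chip`, `xen_percpu_chip`) lose `__read_mostly` with nothing recording why, so a later cleanup could easily put the annotation back. If the intent is to let these function-pointer tables be placed in read-only memory, where an explicit section attribute would get in the way, that is an inference from the rest of the patch set and not something these hunks state. A one-line comment above the first definition would keep it from regressing, for example `/* no __read_mostly: must not force this ops table into a writable section */`. The initializers of all three structs continue outside the hunks.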
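--- a/drivers/xen/evtchn.c
+++ b/drivers/xen/evtchn.c
@@ -201,8 +201,8 @@ static ssize_t evtchn_read(struct file *file, char __user *buf,
 
 /* Byte lengths of two chunks. Chunk split (if any) is at ring wrap. */
 if (((c ^ p) & EVTCHN_RING_SIZE) != 0) {
- bytes1 = (EVTCHN_RING_SIZE - EVTCHN_RING_MASK(c)) *
- sizeof(evtchn_port_t);
+ bytes1 = EVTCHN_RING_SIZE - EVTCHN_RING_MASK(c);
+ bytes1 *= sizeof(evtchn_port_t);
 bytes2 = EVTCHN_RING_MASK(p) * sizeof(evtchn_port_t);
 } else {
 bytes1 = (p - c) * sizeof(evtchn_port_t);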
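Review bot: The `bytes1` computation in `evtchn_read` is split into an assignment plus `bytes1 *= sizeof(evtchn_port_t);`, while the neighbouring `bytes2 = ...` and `bytes1 = (p - c) * ...` lines keep the single-expression form, and nothing explains the difference. The stored value looks unchanged, so a reader will take the split for noise and fold it back. If the two statements exist so that an integer-overflow checker sees the subtraction and the multiply separately (not visible from this hunk), a comment should say so, e.g. `/* keep as two statements: subtraction and scaling are checked separately */`. These byte counts presumably size the later copy to the user buffer, so it would also help to note which bound guarantees the subtraction cannot wrap. The function starts and ends outside the hunk.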
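--- a/drivers/xen/xenfs/xenstored.c
+++ b/drivers/xen/xenfs/xenstored.c
@@ -24,7 +24,12 @@ static int xsd_release(struct inode *inode, struct file *file)
 static int xsd_kva_open(struct inode *inode, struct file *file)
 {
 file->private_data = (void *)kasprintf(GFP_KERNEL, "0x%p",
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+ NULL);
+#else
 xen_store_interface);
+#endif
+
 if (!file->private_data)
 return -ENOMEM;
 return 0;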
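Review bot: With `CONFIG_GRKERNSEC_HIDESYM` set, `xsd_kva_open` passes NULL through `"0x%p"`, and plain `%p` in kernels of this era renders a NULL pointer as the text `(null)` (worth confirming against this tree's vsprintf). The file would then read `0x(null)` instead of a parseable address. Whatever consumes this file should be checked against that string, or the open should fail outright when the address is hidden. Separately, cutting the `kasprintf` argument list in half with `#ifdef` is fragile; selecting the value first keeps a single call: `void *kva = IS_ENABLED(CONFIG_GRKERNSEC_HIDESYM) ? NULL : xen_store_interface;` followed by `kasprintf(GFP_KERNEL, "0x%p", kva)`. The function's closing brace lies outside the hunk.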
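--- a/firmware/Makefile
+++ b/firmware/Makefile
@@ -35,9 +35,11 @@ fw-shipped-$(CONFIG_BNX2X) += bnx2x/bnx2x-e1-6.2.9.0.fw \
 bnx2x/bnx2x-e1h-6.2.9.0.fw \
 bnx2x/bnx2x-e2-6.2.9.0.fw
 fw-shipped-$(CONFIG_BNX2) += bnx2/bnx2-mips-09-6.2.1a.fw \
+ bnx2/bnx2-mips-09-6.2.1b.fw \
 bnx2/bnx2-rv2p-09-6.0.17.fw \
 bnx2/bnx2-rv2p-09ax-6.0.17.fw \
 bnx2/bnx2-mips-06-6.2.1.fw \
+ bnx2/bnx2-mips-06-6.2.3.fw \
 bnx2/bnx2-rv2p-06-6.0.15.fw
 fw-shipped-$(CONFIG_CASSINI) += sun/cassini.bin
 fw-shipped-$(CONFIG_CHELSIO_T3) += cxgb3/t3b_psram-1.1.0.bin \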
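--- a/firmware/WHENCE
+++ b/firmware/WHENCE
@@ -653,21 +653,23 @@ Found in hex form in kernel source.
 Driver: BNX2 - Broadcom NetXtremeII
 
 File: bnx2/bnx2-mips-06-6.2.1.fw
+File: bnx2/bnx2-mips-06-6.2.3.fw
 File: bnx2/bnx2-rv2p-06-6.0.15.fw
 File: bnx2/bnx2-mips-09-6.2.1a.fw
+File: bnx2/bnx2-mips-09-6.2.1b.fw
 File: bnx2/bnx2-rv2p-09-6.0.17.fw
 File: bnx2/bnx2-rv2p-09ax-6.0.17.fw
 
 Licence:
-
- This file contains firmware data derived from proprietary unpublished
- source code, Copyright (c) 2004 - 2010 Broadcom Corporation.
-
- Permission is hereby granted for the distribution of this firmware data
- in hexadecimal or equivalent format, provided this copyright notice is
- accompanying it.
-
-Found in hex form in kernel source.
+
+ This file contains firmware data derived from proprietary unpublished
+ source code, Copyright (c) 2004 - 2010 Broadcom Corporation.
+
+ Permission is hereby granted for the distribution of this firmware data
+ in hexadecimal or equivalent format, provided this copyright notice is
+ accompanying it.
+
+Found in hex form in kernel source.
 
 --------------------------------------------------------------------------
 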
61989diff --git a/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex b/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex
61990new file mode 100644
61991index 0000000..da72bf1
61992--- /dev/null
61993+++ b/firmware/bnx2/bnx2-mips-06-6.2.3.fw.ihex
61994@@ -0,0 +1,5804 @@
61995+:10000000080001180800000000004A68000000C84D
61996+:1000100000000000000000000000000008004A6826
61997+:100020000000001400004B30080000A00800000091
61998+:100030000000569400004B44080058200000008443
61999+:100040000000A1D808005694000001580000A25CEE
62000+:100050000800321008000000000072F00000A3B495
62001+:10006000000000000000000000000000080072F026
62002+:1000700000000024000116A40800049008000400F9
62003+:10008000000017D4000116C80000000000000000A6
62004+:100090000000000000000000000000000000000060
62005+:1000A000080000A80800000000003BFC00012E9C96
62006+:1000B0000000000000000000000000000000000040
62007+:1000C00000000000000000000A00004600000000E0
62008+:1000D000000000000000000D636F6D362E322E33DD
62009+:1000E0000000000006020302000000000000000300
62010+:1000F000000000C800000032000000030000000003
62011+:1001000000000000000000000000000000000000EF
62012+:1001100000000010000001360000EA600000000549
62013+:1001200000000000000000000000000000000008C7
62014+:1001300000000000000000000000000000000000BF
62015+:1001400000000000000000000000000000000000AF
62016+:10015000000000000000000000000000000000009F
62017+:10016000000000020000000000000000000000008D
62018+:10017000000000000000000000000000000000007F
62019+:10018000000000000000000000000010000000005F
62020+:10019000000000000000000000000000000000005F
62021+:1001A000000000000000000000000000000000004F
62022+:1001B000000000000000000000000000000000003F
62023+:1001C000000000000000000000000000000000002F
62024+:1001D000000000000000000000000000000000001F
62025+:1001E0000000000010000003000000000000000DEF
62026+:1001F0000000000D3C02080024424AA03C03080015
62027+:1002000024634B9CAC4000000043202B1480FFFD76
62028+:10021000244200043C1D080037BD7FFC03A0F021F0
62029+:100220003C100800261001183C1C0800279C4AA01E
62030+:100230000E000168000000000000000D27470100CB
62031+:1002400090E3000B2402001A94E5000814620028D1
62032+:10025000000020218CE200003C0308008C63004475
62033+:1002600094E60014000211C20002104030A4000203
62034+:10027000005A10212463000130A50004A446008028
62035+:100280003C010800AC23004410A000190004202BFE
62036+:100290008F4202B804410008240400013C02080017
62037+:1002A0008C420060244200013C010800AC22006046
62038+:1002B00003E00008008010218CE2002094E3001687
62039+:1002C00000002021AF4202808CE20004A743028498
62040+:1002D000AF4202883C021000AF4202B83C02080064
62041+:1002E0008C42005C244200013C010800AC22005C0E
62042+:1002F00003E00008008010212747010090E3000B75
62043+:100300002402000394E50008146200280000202164
62044+:100310008CE200003C0308008C63004494E6001467
62045+:10032000000211C20002104030A40002005A102145
62046+:100330002463000130A50004A44600803C010800AD
62047+:10034000AC23004410A000190004202B8F4202B8F7
62048+:1003500004410008240400013C0208008C420060B3
62049+:10036000244200013C010800AC22006003E00008C8
62050+:10037000008010218CE2002094E300160000202170
62051+:10038000AF4202808CE20004A7430284AF4202889D
62052+:100390003C021000AF4202B83C0208008C42005CF4
62053+:1003A000244200013C010800AC22005C03E000088C
62054+:1003B000008010218F4301002402010050620003DD
62055+:1003C000000311C20000000D000311C20002104022
62056+:1003D000005A1021A440008003E000080000102112
62057+:1003E0009362000003E00008AF80000003E0000813
62058+:1003F0000000102103E00008000010212402010089
62059+:1004000014820008000000003C0208008C4200FC3E
62060+:10041000244200013C010800AC2200FC0A0000DD7F
62061+:1004200030A200203C0208008C42008424420001DB
62062+:100430003C010800AC22008430A2002010400008DB
62063+:1004400030A300103C0208008C4201082442000145
62064+:100450003C010800AC22010803E000080000000095
62065+:1004600010600008000000003C0208008C420104FB
62066+:10047000244200013C010800AC22010403E0000812
62067+:10048000000000003C0208008C42010024420001F0
62068+:100490003C010800AC22010003E00008000000005D
62069+:1004A00027BDFFE8AFBF0010274401009483000878
62070+:1004B000306200041040001B306600028F4202B818
62071+:1004C00004410008240500013C0208008C42006041
62072+:1004D000244200013C010800AC2200600A0001290E
62073+:1004E0008FBF00108C82002094830016000028210A
62074+:1004F000AF4202808C820004A7430284AF4202888C
62075+:100500003C021000AF4202B83C0208008C42005C82
62076+:10051000244200013C010800AC22005C0A000129D1
62077+:100520008FBF001010C00006006028218F4401001A
62078+:100530000E0000CD000000000A0001282405000183
62079+:100540008F8200088F4301045043000700002821D8
62080+:100550008F4401000E0000CD000000008F42010416
62081+:10056000AF820008000028218FBF001000A01021DA
62082+:1005700003E0000827BD001827BDFFE8AFBF001447
62083+:10058000AFB00010974201083043700024022000F1
62084+:100590001062000B286220011440002F000010217F
62085+:1005A00024024000106200250000000024026000C8
62086+:1005B00010620026000010210A0001658FBF0014A0
62087+:1005C00027500100920200091040001A2403000184
62088+:1005D0003C0208008C420020104000160000182148
62089+:1005E0000E00049300000000960300083C0608007B
62090+:1005F00094C64B5E8E0400188F8200209605000C76
62091+:1006000000031C0000661825AC440000AC45000443
62092+:1006100024040001AC400008AC40000CAC400010C9
62093+:10062000AC400014AC4000180E0004B8AC43001CF1
62094+:10063000000018210A000164006010210E0003254B
62095+:10064000000000000A000164000010210E000EE905
62096+:1006500000000000000010218FBF00148FB00010B8
62097+:1006600003E0000827BD001827BDFFE0AFB2001867
62098+:100670003C036010AFBF001CAFB10014AFB000105E
62099+:100680008C6450002402FF7F3C1A800000822024EA
62100+:100690003484380C24020037AC6450003C1208004B
62101+:1006A00026524AD8AF42000824020C80AF420024F0
62102+:1006B0003C1B80083C06080024C60324024010218D
62103+:1006C0002404001D2484FFFFAC4600000481FFFDCC
62104+:1006D000244200043C020800244204B03C0108000B
62105+:1006E000AC224AE03C020800244202303C010800EF
62106+:1006F000AC224AE43C020800244201743C03080096
62107+:100700002463032C3C040800248403D83C0508001F
62108+:1007100024A538F03C010800AC224B403C02080004
62109+:10072000244202EC3C010800AC264B243C010800AA
62110+:10073000AC254B343C010800AC234B3C3C01080089
62111+:10074000AC244B443C010800AC224B483C0108005F
62112+:10075000AC234ADC3C010800AC204AE83C0108001C
62113+:10076000AC204AEC3C010800AC204AF03C010800F7
62114+:10077000AC204AF43C010800AC204AF83C010800D7
62115+:10078000AC204AFC3C010800AC204B003C010800B6
62116+:10079000AC244B043C010800AC204B083C01080091
62117+:1007A000AC204B0C3C010800AC204B103C01080075
62118+:1007B000AC204B143C010800AC204B183C01080055
62119+:1007C000AC264B1C3C010800AC264B203C01080029
62120+:1007D000AC254B303C010800AC234B380E000623FF
62121+:1007E000000000003C028000344200708C42000097
62122+:1007F000AF8200143C0308008C6300208F82000449
62123+:10080000104300043C0280000E00045BAF83000430
62124+:100810003C028000344600703C0308008C6300A05A
62125+:100820003C0208008C4200A4104300048F84001492
62126+:100830003C010800AC2300A4A743009E8CCA000022
62127+:100840003C0308008C6300BC3C0208008C4200B8EA
62128+:100850000144202300641821000040210064202B63
62129+:1008600000481021004410213C010800AC2300BCCA
62130+:100870003C010800AC2200B88F5100003222000772
62131+:100880001040FFDCAF8A00148CC600003C05080055
62132+:100890008CA500BC3C0408008C8400B800CA30233E
62133+:1008A00000A628210000102100A6302B0082202164
62134+:1008B00000862021322700013C010800AC2500BC45
62135+:1008C0003C010800AC2400B810E0001F32220002F6
62136+:1008D0008F420100AF4200208F420104AF4200A8C6
62137+:1008E0009342010B0E0000C6305000FF2E02001E86
62138+:1008F00054400004001010800E0000C90A000213CA
62139+:1009000000000000005210218C4200000040F80955
62140+:1009100000000000104000053C0240008F4301042D
62141+:100920003C026020AC4300143C024000AF4201385E
62142+:100930003C0208008C420034244200013C010800C3
62143+:10094000AC220034322200021040000E3222000499
62144+:100950008F4201400E0000C6AF4200200E000295FB
62145+:10096000000000003C024000AF4201783C02080059
62146+:100970008C420038244200013C010800AC220038BF
62147+:10098000322200041040FF983C0280008F42018018
62148+:100990000E0000C6AF4200208F43018024020F00EA
62149+:1009A00014620005000000008F420188A742009CED
62150+:1009B0000A0002483C0240009362000024030050F9
62151+:1009C000304200FF144300083C0240000E00027B4E
62152+:1009D00000000000544000043C0240000E000D7571
62153+:1009E000000000003C024000AF4201B83C02080099
62154+:1009F0008C42003C244200013C010800AC22003C37
62155+:100A00000A0001C83C0280003C0290003442000110
62156+:100A100000822025AF4400208F4200200440FFFECA
62157+:100A20000000000003E00008000000003C0280001D
62158+:100A3000344200010082202503E00008AF4400207A
62159+:100A400027BDFFE0AFB10014AFB0001000808821D7
62160+:100A5000AFBF00180E00025030B000FF9362007D5F
62161+:100A60000220202102028025A370007D8F70007477
62162+:100A70003C0280000E000259020280241600000988
62163+:100A80008FBF00188F4201F80440FFFE24020002CD
62164+:100A9000AF5101C0A34201C43C021000AF4201F8B3
62165+:100AA0008FBF00188FB100148FB0001003E0000852
62166+:100AB00027BD002027BDFFE8AFBF0010974201848B
62167+:100AC0008F440188304202001040000500002821B8
62168+:100AD0000E000FAA000000000A00028D240500018C
62169+:100AE0003C02FF0004800005008218243C02040040
62170+:100AF000506200019362003E240500018FBF001088
62171+:100B000000A0102103E0000827BD0018A360002208
62172+:100B10008F4401400A00025E2405000127BDFFE862
62173+:100B2000AFBF0014AFB0001093620000304400FF6C
62174+:100B300038830020388200300003182B0002102B6D
62175+:100B40000062182410600003240200501482008008
62176+:100B50008FBF001493620005304200011040007CFA
62177+:100B60008FBF0014934201482443FFFF2C6200050D
62178+:100B7000104000788FB00010000310803C03080084
62179+:100B800024634A68004310218C42000000400008A2
62180+:100B9000000000000E0002508F4401408F70000CD6
62181+:100BA0008F4201441602000224020001AF62000CD1
62182+:100BB0000E0002598F4401408F420144145000043A
62183+:100BC0008FBF00148FB000100A000F2027BD00183F
62184+:100BD0008F62000C0A0003040000000097620010FE
62185+:100BE0008F4301443042FFFF1462001A00000000EE
62186+:100BF00024020001A76200108F4202380443001053
62187+:100C00008F4201403C02003F3446F0003C0560004A
62188+:100C10003C04FFC08CA22BBC0044182400461024C6
62189+:100C20000002130200031D82106200390000000060
62190+:100C30008F4202380440FFF7000000008F4201405D
62191+:100C4000AF4202003C021000AF4202380A00032209
62192+:100C50008FBF0014976200100A0003040000000018
62193+:100C60000E0002508F440140976200128F430144EE
62194+:100C70003050FFFF1603000224020001A762001299
62195+:100C80000E0002598F4401408F42014416020004B5
62196+:100C90008FBF00148FB000100A00029127BD00180A
62197+:100CA000976200120A00030400000000976200141B
62198+:100CB0008F4301443042FFFF14620006240200010A
62199+:100CC0008FBF00148FB00010A76200140A00124AF0
62200+:100CD00027BD0018976200141440001D8FBF001438
62201+:100CE0000A00031C00000000976200168F430144B5
62202+:100CF0003042FFFF1462000B240200018FBF00147A
62203+:100D00008FB00010A76200160A000B1227BD001852
62204+:100D10009742007824420004A76200100A000322D0
62205+:100D20008FBF001497620016240300013042FFFFBA
62206+:100D3000144300078FBF00143C0208008C4200706F
62207+:100D4000244200013C010800AC2200708FBF001457
62208+:100D50008FB0001003E0000827BD001827BDFFE892
62209+:100D6000AFBF0014AFB000108F50010093620000BD
62210+:100D700093430109304400FF2402001F106200A5C4
62211+:100D80002862002010400018240200382862000A5F
62212+:100D90001040000C2402000B286200081040002CB8
62213+:100DA00000000000046000E52862000214400028F2
62214+:100DB00024020006106200268FBF00140A00041FE0
62215+:100DC0008FB000101062005E2862000B144000DC3F
62216+:100DD0008FBF00142402000E106200738FB0001049
62217+:100DE0000A00041F00000000106200C028620039E1
62218+:100DF0001040000A2402008024020036106200CA5B
62219+:100E000028620037104000B424020035106200C18F
62220+:100E10008FBF00140A00041F8FB000101062002B57
62221+:100E20002862008110400006240200C82402003914
62222+:100E3000106200B48FBF00140A00041F8FB00010AE
62223+:100E4000106200998FBF00140A00041F8FB00010B9
62224+:100E50003C0208008C420020104000B98FBF0014F3
62225+:100E60000E000493000000008F4201008F830020D9
62226+:100E70009745010C97460108AC6200008F420104BF
62227+:100E80003C04080094844B5E00052C00AC62000416
62228+:100E90008F4201180006340000C43025AC620008FF
62229+:100EA0008F42011C24040001AC62000C9342010A31
62230+:100EB00000A22825AC650010AC600014AC600018DE
62231+:100EC000AC66001C0A0003F58FBF00143C0208004A
62232+:100ED0008C4200201040009A8FBF00140E00049333
62233+:100EE00000000000974401083C03080094634B5E37
62234+:100EF0009745010C000422029746010E8F820020C4
62235+:100F0000000426000083202500052C003C030080FF
62236+:100F100000A6282500832025AC400000AC4000043A
62237+:100F2000AC400008AC40000CAC450010AC400014D4
62238+:100F3000AC400018AC44001C0A0003F42404000177
62239+:100F40009742010C14400015000000009362000558
62240+:100F50003042001014400011000000000E0002504A
62241+:100F6000020020219362000502002021344200107B
62242+:100F70000E000259A36200059362000024030020C2
62243+:100F8000304200FF1043006D020020218FBF00148B
62244+:100F90008FB000100A000FC027BD00180000000D20
62245+:100FA0000A00041E8FBF00143C0208008C4200207F
62246+:100FB000104000638FBF00140E0004930000000077
62247+:100FC0008F4201048F8300209744010C3C050800E8
62248+:100FD00094A54B5EAC6200009762002C00042400D4
62249+:100FE0003042FFFF008220253C02400E00A228254F
62250+:100FF000AC640004AC600008AC60000CAC60001095
62251+:10100000AC600014AC600018AC65001C0A0003F46E
62252+:10101000240400010E00025002002021A7600008F5
62253+:101020000E00025902002021020020210E00025E63
62254+:10103000240500013C0208008C42002010400040C2
62255+:101040008FBF00140E000493000000009742010CB3
62256+:101050008F8300203C05080094A54B5E000214001D
62257+:10106000AC700000AC620004AC6000088F64004CFF
62258+:101070003C02401F00A22825AC64000C8F62005087
62259+:1010800024040001AC6200108F620054AC620014B2
62260+:10109000AC600018AC65001C8FBF00148FB000104E
62261+:1010A0000A0004B827BD0018240200205082002541
62262+:1010B0008FB000100E000F0A020020211040002007
62263+:1010C0008FBF0014020020218FB0001000002821E3
62264+:1010D0000A00025E27BD0018020020218FBF001405
62265+:1010E0008FB000100A00058027BD00189745010C3D
62266+:1010F000020020218FBF00148FB000100A0005A04D
62267+:1011000027BD0018020020218FB000100A0005C57D
62268+:1011100027BD00189345010D020020218FB000105B
62269+:101120000A00060F27BD0018020020218FBF0014FF
62270+:101130008FB000100A0005EB27BD00188FBF001408
62271+:101140008FB0001003E0000827BD00188F4202781E
62272+:101150000440FFFE2402000234840080AF440240B9
62273+:10116000A34202443C02100003E00008AF420278B0
62274+:101170003C04080094844B6A3C0208008C424B7487
62275+:101180003083FFFF000318C000431021AF42003C32
62276+:101190003C0208008C424B70AF4200383C020050C9
62277+:1011A00034420008AF4200300000000000000000A0
62278+:1011B000000000008F420000304200201040FFFD80
62279+:1011C000000000008F4204003C010800AC224B608C
62280+:1011D0008F4204043C010800AC224B643C02002016
62281+:1011E000AF420030000000003C02080094424B680F
62282+:1011F0003C03080094634B6C3C05080094A54B6EBF
62283+:1012000024840001004310213083FFFF3C010800CB
62284+:10121000A4224B683C010800A4244B6A1465000317
62285+:10122000000000003C010800A4204B6A03E0000815
62286+:10123000000000003C05000A27BDFFE80345282107
62287+:101240003C04080024844B50AFBF00100E00051D65
62288+:101250002406000A3C02080094424B523C0308005A
62289+:1012600094634B6E3042000F244200030043180485
62290+:1012700024027FFF0043102B10400002AF83001CAC
62291+:101280000000000D0E00042A000000003C020800CF
62292+:1012900094424B5A8FBF001027BD001803E000088E
62293+:1012A000A74200A23C02000A034210219443000618
62294+:1012B0003C02080094424B5A3C010800A4234B56C0
62295+:1012C000004310238F83001C00021400000214034B
62296+:1012D0000043102B03E000083842000127BDFFE85F
62297+:1012E000AFBF00103C02000A0342102194420006E6
62298+:1012F0003C010800A4224B560E00047700000000B9
62299+:101300005440FFF93C02000A8FBF001003E00008C0
62300+:1013100027BD001827BDFFE8AFBF00100E000477FF
62301+:101320000000000010400003000000000E000485D3
62302+:10133000000000003C0208008C424B608FBF001090
62303+:1013400027430400AF4200383C0208008C424B6443
62304+:1013500027BD0018AF830020AF42003C3C020005CF
62305+:10136000AF42003003E00008AF8000188F82001801
62306+:101370003C0300060002114000431025AF4200303C
62307+:101380000000000000000000000000008F4200008C
62308+:10139000304200101040FFFD27420400AF820020C1
62309+:1013A00003E00008AF8000183C0608008CC64B64C0
62310+:1013B0008F8500188F8300203C02080094424B5A0E
62311+:1013C00027BDFFE024A50001246300202442000182
62312+:1013D00024C70020AFB10014AFB00010AFBF001899
62313+:1013E000AF850018AF8300203C010800A4224B5AAF
62314+:1013F000309000FF3C010800AC274B6404C100089A
62315+:101400000000882104E00006000000003C02080003
62316+:101410008C424B60244200013C010800AC224B602E
62317+:101420003C02080094424B5A3C03080094634B680A
62318+:101430000010202B004310262C42000100441025F0
62319+:10144000144000048F830018240200101462000F5F
62320+:10145000000000000E0004A9241100013C03080054
62321+:1014600094634B5A3C02080094424B681462000398
62322+:10147000000000000E00042A000000001600000317
62323+:10148000000000000E000493000000003C03080070
62324+:1014900094634B5E3C02080094424B5C2463000161
62325+:1014A0003064FFFF3C010800A4234B5E148200035C
62326+:1014B000000000003C010800A4204B5E1200000662
62327+:1014C000000000003C02080094424B5AA74200A2D0
62328+:1014D0000A00050B022010210E0004770000000016
62329+:1014E00010400004022010210E00048500000000BE
62330+:1014F000022010218FBF00188FB100148FB0001090
62331+:1015000003E0000827BD00203084FFFF30A5FFFF67
62332+:101510000000182110800007000000003082000148
62333+:101520001040000200042042006518210A00051343
62334+:101530000005284003E000080060102110C00006EC
62335+:1015400024C6FFFF8CA2000024A50004AC8200008A
62336+:101550000A00051D2484000403E0000800000000C8
62337+:1015600010A0000824A3FFFFAC86000000000000CC
62338+:10157000000000002402FFFF2463FFFF1462FFFA53
62339+:101580002484000403E0000800000000240200019D
62340+:10159000AF62000CA7620010A7620012A7620014DD
62341+:1015A00003E00008A76200163082007F034210218A
62342+:1015B0003C08000E004818213C0208008C42002024
62343+:1015C00027BDFFD82407FF80AFB3001CAFB20018BF
62344+:1015D000AFB10014AFB00010AFBF00200080802179
62345+:1015E00030B100FF0087202430D200FF1040002FD0
62346+:1015F00000009821AF44002C9062000024030050AA
62347+:10160000304200FF1443000E000000003C020800BE
62348+:101610008C4200E00202102100471024AF42002C4F
62349+:101620003C0208008C4200E0020210213042007FA0
62350+:101630000342102100481021944200D43053FFFF90
62351+:101640000E000493000000003C02080094424B5E30
62352+:101650008F8300200011340000C2302500122C00BE
62353+:101660003C02400000C2302534A50001AC700000EF
62354+:101670008FBF0020AC6000048FB20018AC7300086C
62355+:101680008FB10014AC60000C8FB3001CAC6500106F
62356+:101690008FB00010AC60001424040001AC6000188E
62357+:1016A00027BD00280A0004B8AC66001C8FBF0020CC
62358+:1016B0008FB3001C8FB200188FB100148FB00010D0
62359+:1016C00003E0000827BD00289343010F2402001007
62360+:1016D0001062000E2865001110A0000724020012FD
62361+:1016E000240200082405003A1062000600003021A0
62362+:1016F00003E0000800000000240500351462FFFC30
62363+:10170000000030210A000538000000008F420074FC
62364+:1017100024420FA003E00008AF62000C27BDFFE8E1
62365+:10172000AFBF00100E00025E240500018FBF001045
62366+:1017300024020001A762001227BD00182402000144
62367+:1017400003E00008A360002227BDFFE0AFB1001452
62368+:10175000AFB00010AFBF001830B1FFFF0E00025055
62369+:10176000008080219362003F24030004304200FF88
62370+:101770001443000C02002021122000082402000A59
62371+:101780000E00053100000000936200052403FFFEF7
62372+:1017900000431024A362000524020012A362003F4C
62373+:1017A000020020210E000259A360008116200003D0
62374+:1017B000020020210E0005950000000002002021FB
62375+:1017C000322600FF8FBF00188FB100148FB00010B9
62376+:1017D000240500380A00053827BD002027BDFFE09A
62377+:1017E000AFBF001CAFB20018AFB10014AFB0001013
62378+:1017F0000E000250008080210E0005310000000024
62379+:101800009362003F24120018305100FF123200038F
62380+:101810000200202124020012A362003F936200050F
62381+:101820002403FFFE004310240E000259A3620005AA
62382+:10183000020020212405002016320007000030217C
62383+:101840008FBF001C8FB200188FB100148FB0001032
62384+:101850000A00025E27BD00208FBF001C8FB2001857
62385+:101860008FB100148FB00010240500390A0005382C
62386+:1018700027BD002027BDFFE8AFB00010AFBF0014A8
62387+:101880009742010C2405003600808021144000108E
62388+:10189000304600FF0E00025000000000240200123B
62389+:1018A000A362003F93620005344200100E00053130
62390+:1018B000A36200050E00025902002021020020212F
62391+:1018C0000E00025E240500200A000604000000004D
62392+:1018D0000E000538000000000E000250020020211A
62393+:1018E000936200232403FF9F020020210043102461
62394+:1018F0008FBF00148FB00010A36200230A000259AA
62395+:1019000027BD001827BDFFE0AFBF0018AFB100141E
62396+:10191000AFB0001030B100FF0E00025000808021F7
62397+:10192000240200120E000531A362003F0E0002598E
62398+:101930000200202102002021022030218FBF001848
62399+:101940008FB100148FB00010240500350A0005384F
62400+:1019500027BD0020A380002C03E00008A380002DF9
62401+:101960008F4202780440FFFE8F820034AF42024073
62402+:1019700024020002A34202443C02100003E00008DB
62403+:10198000AF4202783C0360008C6254003042000891
62404+:101990001440FFFD000000008C625408AF82000C70
62405+:1019A00024020052AC605408AC645430AC6254342D
62406+:1019B0002402000803E00008AC6254003C0260000E
62407+:1019C0008C42540030420008104000053C03600087
62408+:1019D0008C625400304200081440FFFD00000000FB
62409+:1019E0008F83000C3C02600003E00008AC43540805
62410+:1019F00090A3000024020005008040213063003FD6
62411+:101A000000004821146200050000502190A2001C33
62412+:101A100094A3001E304900FF306AFFFFAD00000CA8
62413+:101A2000AD000010AD000024950200148D05001CCF
62414+:101A30008D0400183042FFFF0049102300021100FE
62415+:101A4000000237C3004038210086202300A2102B5B
62416+:101A50000082202300A72823AD05001CAD04001838
62417+:101A6000A5090014A5090020A50A001603E0000836
62418+:101A7000A50A00228F4201F80440FFFE2402000262
62419+:101A8000AF4401C0A34201C43C02100003E00008BF
62420+:101A9000AF4201F83C0208008C4200B427BDFFE8C9
62421+:101AA000AFBF001424420001AFB000103C01080099
62422+:101AB000AC2200B48F4300243C02001F30AA00FF78
62423+:101AC0003442FF8030D800FF006280240080F8217B
62424+:101AD00030EF00FF1158003B01405821240CFF80DB
62425+:101AE0003C19000A3163007F000310C00003194055
62426+:101AF000006218213C0208008C4200DC25680001CD
62427+:101B0000310D007F03E21021004310213043007F9C
62428+:101B100003431821004C102400794821AF420024CF
62429+:101B20008D220024016C1824006C7026AD22000C5C
62430+:101B30008D220024310800FFAD22001095220014F0
62431+:101B4000952300208D27001C3042FFFF3063FFFFEC
62432+:101B50008D2600180043102300021100000227C345
62433+:101B60000040282100C4302300E2102B00C23023A3
62434+:101B700000E53823AD27001CAD2600189522002073
62435+:101B8000A522001495220022154B000AA52200165A
62436+:101B90008D2300248D220008254600013145008058
62437+:101BA0001462000430C4007F108F000238AA008045
62438+:101BB00000C0502151AF000131C800FF1518FFC906
62439+:101BC000010058218F8400343082007F03421821A5
62440+:101BD0003C02000A006218212402FF8000822024B7
62441+:101BE000AF440024A06A0079A06A00838C62005090
62442+:101BF0008F840034AC6200708C6500743C027FFFFF
62443+:101C00003442FFFF00A228240E00066BAC6500746E
62444+:101C1000AF5000248FBF00148FB0001003E0000805
62445+:101C200027BD001827BDFFC0AFBE0038AFB70034D6
62446+:101C3000AFB5002CAFB20020AFB1001CAFB00018A0
62447+:101C4000AFBF003CAFB60030AFB40028AFB3002444
62448+:101C50008F4500248F4600288F43002C3C02001F34
62449+:101C60003442FF800062182400C230240080A82182
62450+:101C7000AFA3001400A2F0240E00062FAFA60010A0
62451+:101C80003C0208008C4200E02410FF8003608821A1
62452+:101C900002A2102100501024AF4200243C02080090
62453+:101CA0008C4200E002A210213042007F0342182142
62454+:101CB0003C02000A00629021924200D293630084A9
62455+:101CC000305700FF306300FF24020001106200342F
62456+:101CD000036020212402000214620036000000008C
62457+:101CE0000E001216024028219223008392220083C4
62458+:101CF0003063007F3042007F000210C000031940B3
62459+:101D0000006218213C0208008C4200DC02A2102173
62460+:101D10000043382100F01024AF42002892250078BB
62461+:101D20009224008330E2007F034218213C02000C21
62462+:101D300014850007006280212402FFFFA24200F107
62463+:101D40002402FFFFA64200F20A0007272402FFFF39
62464+:101D500096020020A24200F196020022A64200F262
62465+:101D60008E020024AE4200F492220083A24200F0D0
62466+:101D70008E4200C8AE4200FC8E4200C4AE4200F863
62467+:101D80008E220050AE4201008E4200CCAE420104D1
62468+:101D9000922200853042003F0A0007823442004010
62469+:101DA0000E00123902402821922200850A00078283
62470+:101DB0003042003F936200852403FFDF3042003F42
62471+:101DC000A36200859362008500431024A36200850E
62472+:101DD0009363008393620078307400FF304200FF09
62473+:101DE00010540036240AFF803C0C000C3283007F24
62474+:101DF000000310C000031940006218213C020800D3
62475+:101E00008C4200DC268800013109007F02A21021EB
62476+:101E10000043382130E2007F0342182100EA1024F9
62477+:101E2000AF420028006C80218E020024028A182410
62478+:101E3000006A5826AE02000C8E020024310800FF12
62479+:101E4000AE02001096020014960300208E07001CBC
62480+:101E50003042FFFF3063FFFF8E060018004310235F
62481+:101E600000021100000227C30040282100C43023D3
62482+:101E700000E2102B00C2302300E53823AE07001C1F
62483+:101E8000AE06001896020020A60200149602002258
62484+:101E9000A602001692220079304200FF105400077B
62485+:101EA0000000000051370001316800FF92220078E5
62486+:101EB000304200FF1448FFCD0100A0219222008390
62487+:101EC000A22200798E2200500A0007E2AE220070A2
62488+:101ED000A22200858E22004C2405FF80AE42010C18
62489+:101EE0009222008534420020A2220085924200D135
62490+:101EF0003C0308008C6300DC305400FF3C02080007
62491+:101F00008C4200E400143140001420C002A31821C8
62492+:101F100000C4202102A210210064382100461021B3
62493+:101F20000045182400E52824AF450028AF43002CC5
62494+:101F30003042007F924400D030E3007F03422821EA
62495+:101F4000034318213C02000C006280213C02000E79
62496+:101F5000309600FF00A298211296002A000000008F
62497+:101F60008E02000C02002021026028211040002572
62498+:101F7000261000280E00064A000000009262000DA4
62499+:101F800026830001307400FF3042007FA262000D02
62500+:101F90002404FF801697FFF0267300203C020800FF
62501+:101FA0008C4200DC0000A02102A210210044102479
62502+:101FB000AF4200283C0208008C4200E43C030800C9
62503+:101FC0008C6300DC02A2102100441024AF42002CDC
62504+:101FD0003C0208008C4200E402A318213063007F19
62505+:101FE00002A210213042007F034220210343182126
62506+:101FF0003C02000C006280213C02000E0A0007A493
62507+:10200000008298218E4200D8AE2200508E4200D825
62508+:10201000AE22007092250083924600D19223008365
62509+:10202000924400D12402FF8000A228243063007F64
62510+:10203000308400FF00A628250064182A10600002E2
62511+:1020400030A500FF38A50080A2250083A2250079D5
62512+:102050000E00063D000000009222007E02A020211A
62513+:10206000A222007A8E2300743C027FFF3442FFFFDD
62514+:10207000006218240E00066BAE2300748FA20010BD
62515+:10208000AF5E00248FBF003CAF4200288FBE0038F7
62516+:102090008FA200148FB700348FB600308FB5002C9C
62517+:1020A0008FB400288FB300248FB200208FB1001CA2
62518+:1020B0008FB0001827BD004003E00008AF42002C9D
62519+:1020C00090A2000024420001A0A200003C030800EE
62520+:1020D0008C6300F4304200FF1443000F0080302175
62521+:1020E000A0A000003C0208008C4200E48F84003471
62522+:1020F000008220213082007F034218213C02000C24
62523+:10210000006218212402FF8000822024ACC300005A
62524+:1021100003E00008AF4400288C8200002442002025
62525+:1021200003E00008AC82000094C200003C080800F4
62526+:10213000950800CA30E7FFFF008048210102102106
62527+:10214000A4C2000094C200003042FFFF00E2102B46
62528+:1021500054400001A4C7000094A200003C03080002
62529+:102160008C6300CC24420001A4A2000094A20000D1
62530+:102170003042FFFF544300078F8600280107102BD1
62531+:10218000A4A000005440000101003821A4C70000B1
62532+:102190008F8600288CC4001CAF44003C94A2000031
62533+:1021A0008F43003C3042FFFF000210C00062182144
62534+:1021B000AF43003C8F42003C008220231880000483
62535+:1021C000000000008CC200180A00084324420001ED
62536+:1021D0008CC20018AF4200383C020050344200105C
62537+:1021E000AF420030000000000000000000000000CE
62538+:1021F0008F420000304200201040FFFD0000000030
62539+:102200008F420404AD2200048F420400AD2200007E
62540+:102210003C020020AF42003003E000080000000054
62541+:1022200027BDFFE0AFB20018AFB10014AFB000108F
62542+:10223000AFBF001C94C2000000C080213C12080007
62543+:10224000965200C624420001A60200009603000038
62544+:1022500094E2000000E03021144300058FB100300B
62545+:102260000E000818024038210A000875000000001E
62546+:102270008C8300048C820004244200400461000727
62547+:10228000AC8200048C8200040440000400000000C2
62548+:102290008C82000024420001AC8200009602000003
62549+:1022A0003042FFFF50520001A600000096220000BD
62550+:1022B00024420001A62200008F82002896230000FD
62551+:1022C00094420016144300048FBF001C2402000136
62552+:1022D000A62200008FBF001C8FB200188FB100141F
62553+:1022E0008FB0001003E0000827BD00208F89002870
62554+:1022F00027BDFFE0AFBF00188D220028274804004B
62555+:1023000030E700FFAF4200388D22002CAF8800304C
62556+:10231000AF42003C3C020005AF420030000000002C
62557+:1023200000000000000000000000000000000000AD
62558+:10233000000000008C82000C8C82000CAD020000BA
62559+:102340008C820010AD0200048C820018AD020008DF
62560+:102350008C82001CAD02000C8CA20014AD02001097
62561+:102360008C820020AD02001490820005304200FFF4
62562+:1023700000021200AD0200188CA20018AD02001C71
62563+:102380008CA2000CAD0200208CA20010AD02002433
62564+:102390008CA2001CAD0200288CA20020AD02002CF3
62565+:1023A000AD060030AD000034978300263402FFFFF5
62566+:1023B00014620002006020213404FFFF10E00011CD
62567+:1023C000AD04003895230036952400362402000120
62568+:1023D0003063FFFF000318C20069182190650040B8
62569+:1023E000308400070082100400451025A0620040E0
62570+:1023F0008F820028944200563042FFFF0A0008DC1A
62571+:10240000AD02003C952300369524003624020001DD
62572+:102410003063FFFF000318C2006918219065004077
62573+:1024200030840007008210040002102700451024A9
62574+:10243000A0620040AD00003C000000000000000071
62575+:10244000000000003C02000634420040AF42003071
62576+:102450000000000000000000000000008F420000AB
62577+:10246000304200101040FFFD8F860028AF880030FA
62578+:1024700024C2005624C7003C24C4002824C50032CE
62579+:1024800024C600360E000856AFA200108FBF0018F9
62580+:1024900003E0000827BD00208F8300243C060800CD
62581+:1024A0008CC600E88F82003430633FFF0003198040
62582+:1024B00000461021004310212403FF803046007F96
62583+:1024C00000431024AF420028034618213C02000CB0
62584+:1024D0000062302190C2000D30A500FF00003821BD
62585+:1024E00034420010A0C2000D8F8900288F8A00247A
62586+:1024F00095230036000A13823048000324020001AD
62587+:10250000A4C3000E1102000B2902000210400005B6
62588+:10251000240200021100000C240300010A0009201B
62589+:102520000000182111020006000000000A00092026
62590+:10253000000018218CC2002C0A000920244300014D
62591+:102540008CC20014244300018CC200180043102BDD
62592+:1025500050400009240700012402002714A20003B0
62593+:10256000000000000A00092C240700019522003E0B
62594+:1025700024420001A522003E000A138230430003DA
62595+:102580002C62000210400009008028211460000421
62596+:102590000000000094C200360A00093C3046FFFFEC
62597+:1025A0008CC600380A00093C008028210000302138
62598+:1025B0003C04080024844B780A00088900000000CD
62599+:1025C000274901008D22000C9523000601202021BF
62600+:1025D000000216023046003F3063FFFF240200274E
62601+:1025E00000C0282128C7002810C2000EAF83002495
62602+:1025F00010E00008240200312402002110C200096A
62603+:102600002402002510C200079382002D0A00095BF6
62604+:102610000000000010C200059382002D0A00095B33
62605+:10262000000000000A0008F4000000000A0006266E
62606+:102630000000000095230006912400058D25000C64
62607+:102640008D2600108D2700188D28001C8D29002054
62608+:10265000244200013C010800A4234B7E3C010800F9
62609+:10266000A0244B7D3C010800AC254B843C010800B4
62610+:10267000AC264B883C010800AC274B903C0108007D
62611+:10268000AC284B943C010800AC294B9803E00008AF
62612+:10269000A382002D8F87002827BDFFC0AFB3003471
62613+:1026A000AFB20030AFB1002CAFB00028AFBF0038E0
62614+:1026B0003C0208008C4200D094E3003030B0FFFFB1
62615+:1026C000005010073045FFFF3063FFFF00C0982126
62616+:1026D000A7A200103C110800963100C614A3000602
62617+:1026E0003092FFFF8CE2002424420030AF42003CD5
62618+:1026F0000A0009948CE2002094E200323042FFFF8D
62619+:1027000054A2000827A400188CE2002C24420030B8
62620+:10271000AF42003C8CE20028AF4200380A0009A218
62621+:102720008F84002827A5001027A60020022038212A
62622+:102730000E000818A7A000208FA200182442003025
62623+:10274000AF4200388FA2001CAF42003C8F840028AB
62624+:102750003C020005AF42003094820034274304005D
62625+:102760003042FFFF0202102B14400007AF830030FD
62626+:1027700094820054948300340202102100431023F9
62627+:102780000A0009B63043FFFF94830054948200345A
62628+:102790000223182100501023006218233063FFFF2A
62629+:1027A000948200163042FFFF144300030000000033
62630+:1027B0000A0009C424030001948200163042FFFF7E
62631+:1027C0000043102B104000058F82003094820016C9
62632+:1027D000006210233043FFFF8F820030AC530000B3
62633+:1027E000AC400004AC520008AC43000C3C020006B4
62634+:1027F00034420010AF420030000000000000000032
62635+:10280000000000008F420000304200101040FFFD29
62636+:10281000001018C2006418219065004032040007BF
62637+:10282000240200018FBF00388FB300348FB2003014
62638+:102830008FB1002C8FB000280082100400451025B5
62639+:1028400027BD004003E00008A062004027BDFFA8AC
62640+:10285000AFB60050AFB5004CAFB40048AFB30044C2
62641+:10286000AFB1003CAFBF0054AFB20040AFB00038D2
62642+:102870008C9000003C0208008C4200E88F860034F7
62643+:10288000960300022413FF8000C2302130633FFF13
62644+:102890000003198000C3382100F3102490B2000017
62645+:1028A000AF42002C9203000230E2007F034230214D
62646+:1028B0003C02000E00C28821306300C024020040A8
62647+:1028C0000080A82100A0B021146200260000A021F1
62648+:1028D0008E3400388E2200181440000224020001B9
62649+:1028E000AE2200189202000D304200201440001564
62650+:1028F0008F8200343C0308008C6300DC001238C077
62651+:10290000001231400043102100C730210046382119
62652+:1029100030E300073C02008030E6007800C230253A
62653+:102920000343182100F31024AF4208002463090078
62654+:10293000AF4608108E2200188C6300080043102157
62655+:10294000AE2200188E22002C8E2300182442000193
62656+:102950000062182B1060003D000000000A000A7899
62657+:1029600000000000920300022402FFC00043102474
62658+:10297000304200FF1440000524020001AE2200187E
62659+:10298000962200360A000A613054FFFF8E2200149E
62660+:1029900024420001AE22001892020000000216003C
62661+:1029A0000002160304410029000000009602000204
62662+:1029B00027A4001000802821A7A20016960200027A
62663+:1029C00024070001000030213042FFFFAF820024C5
62664+:1029D0000E000889AFA0001C960300023C0408000A
62665+:1029E0008C8400E88F82003430633FFF000319803D
62666+:1029F00000441021004310213043007F3C05000CAF
62667+:102A00000053102403431821AF4200280065182109
62668+:102A10009062000D001221403042007FA062000D44
62669+:102A20003C0308008C6300E48F82003400431021D3
62670+:102A30000044382130E2007F03421021004510217C
62671+:102A400000F31824AF430028AEA200009222000D2C
62672+:102A5000304200101040001302A020218F83002874
62673+:102A60008EA40000028030219462003E2442FFFFC9
62674+:102A7000A462003E948400029625000E3084FFFF7D
62675+:102A80000E00097330A5FFFF8F82002894430034A5
62676+:102A90009622000E1443000302A02021240200010C
62677+:102AA000A382002C02C028210E0007FE00000000B7
62678+:102AB0008FBF00548FB600508FB5004C8FB40048C4
62679+:102AC0008FB300448FB200408FB1003C8FB000380C
62680+:102AD00003E0000827BD00588F82002827BDFFD0E3
62681+:102AE000AFB40028AFB20020AFBF002CAFB30024BA
62682+:102AF000AFB1001CAFB00018904400D0904300D19B
62683+:102B00000000A021309200FFA3A30010306300FF5B
62684+:102B10008C5100D88C5300DC1072002B2402000171
62685+:102B20003C0308008C6300E493A400108F820034FF
62686+:102B30002406FF800004214000431021004410219E
62687+:102B40003043007F00461024AF4200280343182181
62688+:102B50003C02000C006218218C62000427A40014BF
62689+:102B600027A50010022280210270102304400015C6
62690+:102B7000AFA300149062000D00C21024304200FF89
62691+:102B800014400007020088219062000D344200408A
62692+:102B90000E0007FEA062000D0A000ABD93A20010FD
62693+:102BA0000E0009E1241400018F830028AC7000D8C6
62694+:102BB00093A20010A06200D193A200101452FFD87B
62695+:102BC0000000000024020001168200048FBF002CC8
62696+:102BD0000E000626000000008FBF002C8FB40028D6
62697+:102BE0008FB300248FB200208FB1001C8FB000186B
62698+:102BF00003E0000827BD003027BDFFD8AFB3001C9D
62699+:102C0000AFB20018AFB10014AFB00010AFBF0020DA
62700+:102C10000080982100E0802130B1FFFF0E00049376
62701+:102C200030D200FF000000000000000000000000A3
62702+:102C30008F820020AC510000AC520004AC5300085D
62703+:102C4000AC40000CAC400010AC400014AC4000188C
62704+:102C50003C03080094634B5E02038025AC50001CCB
62705+:102C6000000000000000000000000000240400013B
62706+:102C70008FBF00208FB3001C8FB200188FB10014DB
62707+:102C80008FB000100A0004B827BD002827BDFFE858
62708+:102C9000AFB00010AFBF001430A5FFFF30C600FF7B
62709+:102CA0000080802124020C80AF420024000000003C
62710+:102CB0000000000000000000000000000000000014
62711+:102CC0000E000ACC000000003C040800248400E050
62712+:102CD0008C8200002403FF808FBF001402021021A9
62713+:102CE00000431024AF4200248C8200003C03000A01
62714+:102CF000020280213210007F035010218FB000109B
62715+:102D00000043102127BD001803E00008AF8200280F
62716+:102D100027BDFFE8AFBF00108F4401403C0308000F
62717+:102D20008C6300E02402FF80AF840034008318210C
62718+:102D300000621024AF4200243C02000803424021FC
62719+:102D4000950500023063007F3C02000A034318210E
62720+:102D50000062182130A5FFFF3402FFFF0000302180
62721+:102D60003C07602010A20006AF8300282402FFFF6A
62722+:102D7000A5020002946500D40E000AF130A5FFFF01
62723+:102D80008FBF001024020C8027BD001803E000084C
62724+:102D9000AF4200243C020008034240219502000299
62725+:102DA0003C0A0800954A00C63046FFFF14C00007E1
62726+:102DB0003402FFFF8F8200288F8400343C0760209C
62727+:102DC000944500D40A000B5A30A5FFFF10C200241E
62728+:102DD0008F87002894E2005494E400163045FFFFEA
62729+:102DE00000A6102300A6182B3089FFFF10600004F6
62730+:102DF0003044FFFF00C51023012210233044FFFFA1
62731+:102E0000008A102B1040000C012A1023240200011C
62732+:102E1000A50200162402FFFFA502000294E500D4DB
62733+:102E20008F8400340000302130A5FFFF3C07602074
62734+:102E30000A000AF1000000000044102A10400008B7
62735+:102E4000000000009502001630420001104000040E
62736+:102E5000000000009742007E24420014A5020016E4
62737+:102E600003E00008000000008F84002827BDFFE079
62738+:102E7000AFBF0018948200349483003E1060001AA3
62739+:102E80003048FFFF9383002C2402000114620027C6
62740+:102E90008FBF00188F820028000818C23108000771
62741+:102EA000006218212447003A244900542444002099
62742+:102EB000244500302446003490620040304200FF38
62743+:102EC0000102100730420001104000168FBF0018A9
62744+:102ED0000E000856AFA900108F82002894420034DB
62745+:102EE0000A000B733048FFFF94830036948200344D
62746+:102EF0001043000E8FBF001894820036A482003465
62747+:102F000094820056A48200548C82002CAC8200244F
62748+:102F100094820032A48200309482003CA482003A61
62749+:102F20008FBF00180A000B3327BD002003E0000804
62750+:102F300027BD002027BDFFE8AFBF00108F4A01006A
62751+:102F40003C0508008CA500E03C02080090424B8440
62752+:102F50003C0C0800958C4B7E01452821304B003FEE
62753+:102F600030A2007F03424021396900323C02000A4E
62754+:102F70003963003F2C630001010240212D2900012B
62755+:102F80002402FF8000A2282401234825AF8A0034B0
62756+:102F900000801821AF450024000030210080282146
62757+:102FA00024070001AF8800283C04080024844B78E3
62758+:102FB000AF8C002415200007A380002D24020020E0
62759+:102FC0005562000F006020213402FFFF5582000C83
62760+:102FD000006020212402002015620005000000008E
62761+:102FE0008C6300142402FFFF106200070000000041
62762+:102FF0000E000889000000000A000BD0000000004D
62763+:103000000E0008F4016028210E000B68000000008B
62764+:103010008FBF001024020C8027BD001803E00008B9
62765+:10302000AF4200243C0208008C4200E027BDFFA014
62766+:10303000AFB1003C008210212411FF80AFBE0058C8
62767+:10304000AFB70054AFB20040AFB00038AFBF005CC4
62768+:10305000AFB60050AFB5004CAFB40048AFB30044BA
62769+:10306000005110248F4800248F4900288F470028E2
62770+:10307000AF4200243C0208008C4200E00080902116
62771+:1030800024060006008210213042007F03421821EE
62772+:103090003C02000A006280213C02001F3442FF8093
62773+:1030A00000E2382427A40010260500F00122F024B5
62774+:1030B0000102B8240E00051DAFA700308FA2001832
62775+:1030C000AE0200C48FA2001CAE0200C88FA2002472
62776+:1030D000AE0200CC93A40010920300D12402FF8022
62777+:1030E0000082102400431025304900FF3083007F08
62778+:1030F0003122007F0062102A10400004000310C03B
62779+:1031000001311026304900FF000310C000031940B0
62780+:10311000006218213C0208008C4200DC920400D2BC
62781+:10312000024210210043102100511024AF42002818
62782+:1031300093A300103063007F000310C00003194008
62783+:10314000006218213C0208008C4200DC024210217F
62784+:10315000004310213042007F034218213C02000C42
62785+:10316000006240218FA300142402FFFF1062003090
62786+:10317000309500FF93A2001195030014304400FF26
62787+:103180003063FFFF0064182B1060000D000000008A
62788+:10319000950400148D07001C8D0600183084FFFF75
62789+:1031A00000442023000421000000102100E4382105
62790+:1031B00000E4202B00C230210A000C4A00C4302158
62791+:1031C000950400148D07001C8D0600183084FFFF45
62792+:1031D000008220230004210000001021008018211B
62793+:1031E00000C2302300E4202B00C4302300E3382346
62794+:1031F000AD07001CAD06001893A20011A502001433
62795+:1032000097A20012A50200168FA20014AD020010B2
62796+:103210008FA20014AD02000C93A20011A5020020A1
62797+:1032200097A20012A50200228FA20014AD02002472
62798+:103230002406FF80024610243256007FAF4200244D
62799+:10324000035618213C02000A006280218E02004CC5
62800+:103250008FA200203124007F000428C0AE0200505D
62801+:103260008FA200200004214000852821AE020070BA
62802+:1032700093A2001001208821A202008393A20010D3
62803+:10328000A2020079920200853042003FA20200852E
62804+:103290003C0208008C4200DC024210210045102153
62805+:1032A00000461024AF42002C3C0208008C4200E48F
62806+:1032B0003C0308008C6300DC024210210044102112
62807+:1032C00000461024AF4200283C0208008C4200E473
62808+:1032D00002431821006518210242102100441021E8
62809+:1032E0003042007F3063007F93A50010034220210D
62810+:1032F000034318213C02000E006240213C02000CF6
62811+:1033000010B1008C008248213233007F1660001912
62812+:103310002404FF803C0208008C4200DC02421021A1
62813+:1033200000441024AF42002C3C0208008C4200E410
62814+:103330003C0308008C6300DC02421021004410248E
62815+:10334000AF4200283C0208008C4200E402431821EE
62816+:103350003063007F024210213042007F034220216F
62817+:10336000034318213C02000E006240213C02000C85
62818+:10337000008248219124000D2414FF8000001021B8
62819+:1033800000942025A124000D950400029505001449
62820+:103390008D07001C3084FFFF30A5FFFF8D0600184D
62821+:1033A000008520230004210000E4382100C23021E0
62822+:1033B00000E4202B00C43021AD07001CAD0600182E
62823+:1033C00095020002A5020014A50000168D02000857
62824+:1033D000AD0200108D020008AD02000C9502000243
62825+:1033E000A5020020A50000228D020008AD020024E5
62826+:1033F0009122000D30420040104000422622000180
62827+:103400003C0208008C4200E0A3B300283C10000AF4
62828+:103410000242102100541024AF4200243C02080054
62829+:103420008C4200E0A380002C27A4002C0242102133
62830+:103430003042007F03421821007018218C6200D8AE
62831+:103440008D26000427A50028AFA9002C00461021D6
62832+:10345000AC6200D80E0009E1AF83002893A30028D6
62833+:103460008F8200280E000626A04300D10E000B68B4
62834+:103470000000000002541024AF4200243C02080067
62835+:103480008C4200DC00132940001320C000A420213E
62836+:10349000024210210044102100541024AF42002C9D
62837+:1034A0003C0208008C4200E43C0308008C6300DC12
62838+:1034B00003563021024210210045102100541024EF
62839+:1034C000AF4200283C0208008C4200E4024318216D
62840+:1034D0000064182102421021004510213042007F73
62841+:1034E0003063007F03422021034318213C02000E79
62842+:1034F000006240213C02000C00D080210082482163
62843+:10350000262200013043007F14750005304400FF7F
62844+:103510002403FF800223102400431026304400FFC0
62845+:1035200093A2001000808821250800281444FF760B
62846+:103530002529002093A400108FA300142402FFFF6C
62847+:103540001062000A308900FF2482000124830001F8
62848+:103550003042007F14550005306900FF2403FF80CE
62849+:103560000083102400431026304900FF92020078A7
62850+:10357000305300FF11330032012088213C02080043
62851+:103580008C4200DC3225007F000520C00005294068
62852+:1035900000A42021024210212406FF8000441021B3
62853+:1035A00000461024AF42002C3C0308008C6300DC72
62854+:1035B0003C0208008C4200E4024318210242102120
62855+:1035C0000045102100641821004610243063007F5C
62856+:1035D000AF420028034318213C02000E0062402144
62857+:1035E0003C0208008C4200E48D06000C0100202102
62858+:1035F00002421021004510213042007F0342182171
62859+:103600003C02000C0062482110C0000D012028215E
62860+:103610000E00064A000000002402FF800222182447
62861+:1036200026240001006228263082007F1455000203
62862+:10363000308300FF30A300FF1473FFD000608821A7
62863+:103640008E0300743C027FFF3442FFFF00621824A7
62864+:10365000AE0300740E00066B02402021AF57002419
62865+:103660008FA20030AF5E00288FBF005C8FBE005875
62866+:103670008FB700548FB600508FB5004C8FB4004800
62867+:103680008FB300448FB200408FB1003C8FB0003840
62868+:1036900027BD006003E00008AF42002C27BDFFD823
62869+:1036A000AFB1001CAFBF0020AFB000182751018898
62870+:1036B000922200032408FF803C03000A3047007F69
62871+:1036C000A3A700108F4601803C0208008C4200E056
62872+:1036D000AF86003400C2282100A81024AF42002485
62873+:1036E0009224000030A2007F0342102100431021E9
62874+:1036F000AF8200283084007F24020002148200255B
62875+:10370000000719403C0208008C4200E400C210216E
62876+:103710000043282130A2007F0342182100A8102472
62877+:10372000AF4200283C02000C006218219062000D9C
62878+:10373000AFA3001400481025A062000D8FA3001451
62879+:103740009062000D304200405040006A8FBF002060
62880+:103750008F860028A380002C27A400148CC200D8D8
62881+:103760008C63000427A50010004310210E0009E11E
62882+:10377000ACC200D893A300108F8200280E0006264A
62883+:10378000A04300D10E000B68000000000A000E0BE1
62884+:103790008FBF00200E00062F00C020210E00063D26
62885+:1037A000000000003C020008034280219223000137
62886+:1037B0009202007B1443004F8FBF00209222000032
62887+:1037C0003044007F24020004108200172882000584
62888+:1037D00010400006240200052402000310820007A6
62889+:1037E0008FB1001C0A000E0C0000000010820012B5
62890+:1037F0008FBF00200A000E0C8FB1001C92050083C1
62891+:10380000920600788E0700748F84003430A500FF84
62892+:1038100000073E0230C600FF0E00067330E7007F4F
62893+:103820000A000E0B8FBF00200E000BD78F840034D0
62894+:103830000A000E0B8FBF002024020C80AF42002430
62895+:103840009202003E30420040104000200000000084
62896+:103850009202003E00021600000216030441000618
62897+:10386000000000008F8400340E0005A024050093A2
62898+:103870000A000E0B8FBF00209202003F24030018A5
62899+:10388000304200FF1443000C8F84003424050039BB
62900+:103890000E000538000030210E0002508F840034E5
62901+:1038A00024020012A202003F0E0002598F8400344D
62902+:1038B0000A000E0B8FBF0020240500360E000538CD
62903+:1038C000000030210A000E0B8FBF00200E000250B6
62904+:1038D0008F8400349202000534420020A2020005C9
62905+:1038E0000E0002598F8400340E000FC08F84003404
62906+:1038F0008FBF00208FB1001C8FB0001824020C80F5
62907+:1039000027BD002803E00008AF42002427BDFFE8E0
62908+:10391000AFB00010AFBF001427430100946200084D
62909+:103920000002140000021403044100020000802180
62910+:103930002410000194620008304200801040001AF8
62911+:10394000020010219462000830422000104000164E
62912+:10395000020010218C6300183C021C2D344219ED2A
62913+:10396000240600061062000F3C0760213C0208009C
62914+:103970008C4200D4104000078F8200288F830028DB
62915+:10398000906200623042000F34420040A062006248
62916+:103990008F8200288F840034944500D40E000AF1F1
62917+:1039A00030A5FFFF020010218FBF00148FB0001060
62918+:1039B00003E0000827BD001827BDFFE0AFB10014E9
62919+:1039C000AFB00010A380002CAFBF00188F450100DE
62920+:1039D0003C0308008C6300E02402FF80AF850034C4
62921+:1039E00000A318213064007F0344202100621824C2
62922+:1039F0003C02000A00822021AF430024275001002E
62923+:103A00008E0200148C8300DCAF8400280043102356
62924+:103A100018400004000088218E0200140E000A8461
62925+:103A2000AC8200DC9202000B24030002304200FF53
62926+:103A30001443002F0000000096020008304300FFEE
62927+:103A40002402008214620005240200840E00093E54
62928+:103A5000000000000A000E97000000001462000938
62929+:103A6000240200818F8200288F8400343C0760216B
62930+:103A7000944500D49206000530A5FFFF0A000E868B
62931+:103A800030C600FF14620027000000009202000A06
62932+:103A9000304300FF306200201040000430620040DC
62933+:103AA0008F8400340A000E82240600401040000477
62934+:103AB000000316008F8400340A000E8224060041A1
62935+:103AC00000021603044100178F84003424060042CC
62936+:103AD0008F8200283C076019944500D430A5FFFF71
62937+:103AE0000E000AF1000000000A000E97000000001E
62938+:103AF0009202000B24030016304200FF1043000620
62939+:103B0000000000009202000B24030017304200FF67
62940+:103B100014430004000000000E000E11000000001D
62941+:103B2000004088210E000B68000000009202000A8D
62942+:103B3000304200081040000624020C808F850028C7
62943+:103B40003C0400080E0011EE0344202124020C80E6
62944+:103B5000AF4200248FBF0018022010218FB0001048
62945+:103B60008FB1001403E0000827BD002027BDFFE847
62946+:103B7000AFBF0014AFB000108F5000243C0308000A
62947+:103B80008C6300E08F4501002402FF8000A3182110
62948+:103B90003064007F03442021006218243C02000AA4
62949+:103BA00000822021AF850034AF4300249082006260
62950+:103BB000AF8400283042000F34420050A0820062DF
62951+:103BC0003C02001F3442FF800E00062602028024C1
62952+:103BD000AF5000248FBF00148FB0001003E0000826
62953+:103BE00027BD00183C0208008C4200201040001D38
62954+:103BF0002745010090A300093C0200080342202150
62955+:103C000024020018546200033C0200080A000ED887
62956+:103C10002402000803422021240200161462000539
62957+:103C20002402001724020012A082003F0A000EE2C4
62958+:103C300094A700085462000694A700089362000548
62959+:103C40002403FFFE00431024A362000594A700088C
62960+:103C500090A6001B8CA4000094A500060A000ACCC4
62961+:103C600000073C0003E000080000000027440100BA
62962+:103C700094820008304500FF38A3008238A20084F7
62963+:103C80002C6300012C420001006218251060000620
62964+:103C9000240200839382002D1040000D00000000DC
62965+:103CA0000A000B9B0000000014A2000524A2FF8064
62966+:103CB0008F4301043C02602003E00008AC43001481
62967+:103CC000304200FF2C420002104000032402002278
62968+:103CD0000A000E3C0000000014A2000300000000D7
62969+:103CE0000A000EA9000000000A000EC70000000034
62970+:103CF0009363007E9362007A144300090000202140
62971+:103D00009362000024030050304200FF144300047B
62972+:103D1000240400019362007E24420001A362007E1D
62973+:103D200003E00008008010218F4201F80440FFFEEC
62974+:103D300024020002AF4401C0A34201C43C021000AF
62975+:103D400003E00008AF4201F827BDFFE8AFBF001055
62976+:103D50009362003F2403000A304200FF14430046F0
62977+:103D6000000000008F6300548F62004C1062007DE1
62978+:103D7000036030219362000024030050304200FFB2
62979+:103D80001443002F000000008F4401403C02080053
62980+:103D90008C4200E02403FF800082102100431024A5
62981+:103DA000AF4200243C0208008C4200E08F650054C2
62982+:103DB0003C03000A008220213084007F034410214C
62983+:103DC00000431021AC4501089762003C8F63004C12
62984+:103DD0003042FFFF0002104000621821AF63005C18
62985+:103DE0008F6300548F64004C9762003C006418237A
62986+:103DF0003042FFFF00031843000210400043102A26
62987+:103E000010400006000000008F6200548F63004CD9
62988+:103E1000004310230A000F58000210439762003C31
62989+:103E20003042FFFF00021040ACC2006424020001D7
62990+:103E3000A0C0007CA0C2008424020C80AF420024F9
62991+:103E40000E000F0A8F440140104000478FBF001042
62992+:103E50008F4301408F4201F80440FFFE240200021C
62993+:103E6000AF4301C0A34201C43C021000AF4201F8BD
62994+:103E70000A000FA88FBF00109362003F24030010B8
62995+:103E8000304200FF14430004000000008F44014052
62996+:103E90000A000F94000028219362003F24030016BB
62997+:103EA000304200FF1443000424020014A362003FC8
62998+:103EB0000A000FA2000000008F62004C8F630050C8
62999+:103EC00000431023044100288FBF0010936200813B
63000+:103ED00024420001A3620081936200812C4200040D
63001+:103EE00014400010000000009362003F240300040F
63002+:103EF000304200FF14430006000000008F440140E0
63003+:103F00008FBF0010240500930A0005A027BD0018EC
63004+:103F10008F440140240500938FBF00100A00060F54
63005+:103F200027BD00188F4401400E0002500000000021
63006+:103F30008F6200542442FFFFAF6200548F62005032
63007+:103F40002442FFFFAF6200500E0002598F4401402F
63008+:103F50008F4401408FBF0010240500040A00025E58
63009+:103F600027BD00188FBF001003E0000827BD001810
63010+:103F70008F4201889363007E00021402304400FFE8
63011+:103F8000306300FF1464000D0000000093620080A5
63012+:103F9000304200FF1044000900000000A3640080CC
63013+:103FA0009362000024030050304200FF14430004D9
63014+:103FB000000000000A0006D78F440180A36400803F
63015+:103FC00003E000080000000027BDFFE8AFB00010CC
63016+:103FD000AFBF00149362000524030030304200306C
63017+:103FE00014430089008080213C0208008C4200209C
63018+:103FF00010400080020020210E0004930000000009
63019+:104000008F850020ACB000009362003E9363003FB8
63020+:10401000304200FF00021200306300FF0043102511
63021+:10402000ACA2000493620082000216000002160394
63022+:1040300004410005000000003C0308008C630048B8
63023+:104040000A000FE6000000009362003E304200408C
63024+:10405000144000030000182193620081304300FFE8
63025+:104060009362008200031E00304200FF0002140031
63026+:1040700000621825ACA300088F620040ACA2000CBF
63027+:104080008F620048ACA200108F62004CACA20014FA
63028+:104090008F6200508F63004C0043102304410003E3
63029+:1040A000000000000A000FFA8F62004C8F6200507F
63030+:1040B000ACA200183C02080094424B5E3C03C00BCB
63031+:1040C00000002021004310250E0004B8ACA2001C03
63032+:1040D0008F6200548F840020AC8200008F620058F1
63033+:1040E000AC8200048F62005CAC8200088F620060CA
63034+:1040F0008F43007400431021AC82000C8F62006477
63035+:10410000AC820010976300689762006A00031C008D
63036+:104110003042FFFF00621825AC83001493620082D6
63037+:1041200024030080304200FF14430003000000001D
63038+:104130000A00102EAC8000188F63000C24020001CE
63039+:104140001062000E2402FFFF9362003E30420040E6
63040+:104150001440000A2402FFFF8F63000C8F4200749A
63041+:10416000006218233C020800006210241440000280
63042+:10417000000028210060282100051043AC820018AF
63043+:104180003C02080094424B5E3C03C00C000020211E
63044+:10419000004310258F8300200E0004B8AC62001C81
63045+:1041A0008F6200188F8300203C05080094A54B5EA9
63046+:1041B00024040001AC620000AC6000048F66006C57
63047+:1041C0003C02400D00A22825AC6600088F6200DC8E
63048+:1041D000AC62000CAC600010936200050002160097
63049+:1041E000AC620014AC6000180E0004B8AC65001C92
63050+:1041F000020020218FBF00148FB00010A3600005C3
63051+:104200000A00042127BD00188FBF00148FB00010D2
63052+:1042100003E0000827BD00189742007C30C600FF6D
63053+:10422000A08600843047FFFF2402000514C2000B63
63054+:1042300024E3465090A201122C42000710400007D0
63055+:1042400024E30A0090A30112240200140062100467
63056+:1042500000E210210A0010663047FFFF3067FFFFC1
63057+:1042600003E00008A4870014AC87004C8CA201086E
63058+:104270000080402100A0482100E2102330C600FF4A
63059+:104280001840000393AA001324E2FFFCACA201082B
63060+:1042900030C2000110400008000000008D020050F4
63061+:1042A00000E2102304410013240600058D0200548F
63062+:1042B00010E20010000000008D02005414E2001A09
63063+:1042C000000000003C0208008C4200D83042002070
63064+:1042D0001040000A2402000191030078910200833B
63065+:1042E000144300062402000101002021012028219E
63066+:1042F000240600040A00105400000000A1000084FD
63067+:1043000011400009A50200148F4301008F4201F8FB
63068+:104310000440FFFE24020002AF4301C0A34201C4D7
63069+:104320003C021000AF4201F803E00008000000006A
63070+:1043300027BDFFE88FA90028AFBF001000804021F3
63071+:1043400000E918231860007330C600FFA080007CCD
63072+:10435000A08000818CA2010800E210230440004DDF
63073+:10436000000000008C8200509483003C8C84006428
63074+:10437000004748233063FFFF012318210083202BCF
63075+:1043800010800004000000008D0200640A0010B7D5
63076+:1043900000E210219502003C3042FFFF0122102173
63077+:1043A00000E21021AD02005C9502003C8D03005C30
63078+:1043B0003042FFFF0002104000E210210043102BAA
63079+:1043C00010400003000000000A0010C68D02005CCF
63080+:1043D0009502003C3042FFFF0002104000E2102135
63081+:1043E000AD02005CA1000084AD07004C8CA2010866
63082+:1043F00000E210231840000224E2FFFCACA20108F6
63083+:1044000030C200011040000A000000008D02005080
63084+:1044100000E2102304410004010020218D02005419
63085+:1044200014E20003000000000A0010E82406000562
63086+:104430008D02005414E200478FBF00103C020800B8
63087+:104440008C4200D8304200201040000A24020001B3
63088+:1044500091030078910200831443000624020001B6
63089+:1044600001002021240600048FBF00100A00105410
63090+:1044700027BD0018A1000084A50200148F4301008D
63091+:104480008F4201F80440FFFE240200020A00110DD1
63092+:10449000000000008C82005C004910230043102BB8
63093+:1044A00054400001AC87005C9502003C3042FFFFA5
63094+:1044B0000062102B14400007240200029502003C09
63095+:1044C0008D03005C3042FFFF00621821AD03005CE9
63096+:1044D00024020002AD07004CA10200840E000F0A66
63097+:1044E0008F4401001040001B8FBF00108F4301005C
63098+:1044F0008F4201F80440FFFE24020002AF4301C0D6
63099+:10450000A34201C43C021000AF4201F80A0011238B
63100+:104510008FBF001030C200101040000E8FBF00107F
63101+:104520008C83005C9482003C006918233042FFFFBA
63102+:10453000006218213C023FFF3444FFFF0083102B30
63103+:10454000544000010080182101231021AD02005CBD
63104+:104550008FBF001003E0000827BD001827BDFFE84B
63105+:104560008FAA0028AFBF00100080402100EA482336
63106+:104570001920002130C600FF8C83005C8C8200640F
63107+:10458000006A18230043102B5040001000691821C6
63108+:1045900094A2011001221021A4A2011094A20110E2
63109+:1045A0003042FFFF0043102B1440000A3C023FFF43
63110+:1045B00094A2011000431023A4A201109482003C95
63111+:1045C0003042FFFF0A00114200621821A4A001102E
63112+:1045D0003C023FFF3444FFFF0083102B5440000196
63113+:1045E0000080182100671021AD02005CA100007C52
63114+:1045F0000A00118AA100008130C200101040003C66
63115+:10460000000000008C820050004A1023184000383F
63116+:10461000000000009082007C24420001A082007C07
63117+:104620009082007C3C0308008C630024304200FF31
63118+:104630000043102B1440005C8FBF00108CA20108B7
63119+:1046400000E2102318400058000000008C83005442
63120+:104650009482003C006A18233042FFFF0003184395
63121+:10466000000210400043102A104000050000000026
63122+:104670008C820054004A10230A001171000210437A
63123+:104680009482003C3042FFFF00021040AD02006403
63124+:104690009502003C8D0400649503003C3042FFFF0E
63125+:1046A00000021040008220213063FFFF00831821A8
63126+:1046B00001431021AD02005C8D020054ACA2010840
63127+:1046C00024020002A10200840E000F0A8F440100A0
63128+:1046D000104000358FBF00108F4301008F4201F85A
63129+:1046E0000440FFFE240200020A0011B30000000093
63130+:1046F000AD07004C8CA2010800E210231840000214
63131+:1047000024E2FFFCACA2010830C200011040000A04
63132+:10471000000000008D02005000E21023044100045C
63133+:10472000010020218D02005414E20003000000006B
63134+:104730000A0011AA240600058D02005414E2001A92
63135+:104740008FBF00103C0208008C4200D8304200208D
63136+:104750001040000A240200019103007891020083B6
63137+:104760001443000624020001010020212406000455
63138+:104770008FBF00100A00105427BD0018A10000844C
63139+:10478000A50200148F4301008F4201F80440FFFE90
63140+:1047900024020002AF4301C0A34201C43C02100046
63141+:1047A000AF4201F88FBF001003E0000827BD0018DA
63142+:1047B0008FAA00108C8200500080402130C600FF7C
63143+:1047C000004A102300A048211840000700E01821EB
63144+:1047D00024020001A0800084A0A00112A482001481
63145+:1047E0000A001125AFAA0010A0800081AD07004C7F
63146+:1047F0008CA2010800E210231840000224E2FFFC12
63147+:10480000ACA2010830C20001104000080000000006
63148+:104810008D0200500062102304410013240600059D
63149+:104820008D02005410620010000000008D02005440
63150+:1048300014620011000000003C0208008C4200D805
63151+:10484000304200201040000A240200019103007849
63152+:10485000910200831443000624020001010020217C
63153+:1048600001202821240600040A0010540000000042
63154+:10487000A1000084A502001403E00008000000006D
63155+:1048800027BDFFE0AFBF0018274201009046000A95
63156+:104890008C4800148C8B004C9082008430C900FF3F
63157+:1048A00001681823304A00FF1C60001A2D460006DC
63158+:1048B000240200010142100410C00016304300031E
63159+:1048C000012030210100382114600007304C000C19
63160+:1048D00015800009304200301440000B8FBF0018D3
63161+:1048E0000A001214000000000E001125AFAB0010EA
63162+:1048F0000A0012148FBF00180E00109AAFAB001000
63163+:104900000A0012148FBF0018AFAB00100E0011BACE
63164+:10491000AFAA00148FBF001803E0000827BD0020D5
63165+:1049200024020003A08200848C82005403E000086B
63166+:10493000ACA201083C0200080342182190620081E9
63167+:10494000240600433C07601924420001A062008154
63168+:10495000906300813C0208008C4200C0306300FF7D
63169+:10496000146200102403FF803C0208008C4200E027
63170+:104970000082102100431024AF4200243C020800B2
63171+:104980008C4200E03C03000A008210213042007F8C
63172+:104990000342102100431021944500D40A000AF17B
63173+:1049A00030A5FFFF03E000080000000027BDFFE086
63174+:1049B000AFBF0018AFB10014AFB000108F4201803C
63175+:1049C0000080802100A088210E00121B00402021C1
63176+:1049D000A20000848E0200548FBF00188FB0001018
63177+:1049E000AE2201088FB1001403E0000827BD0020AB
63178+:1049F00027BDFFE03C020008AFB00010AFBF0018B9
63179+:104A0000AFB10014034280218F5101409203008412
63180+:104A10008E0400508E02004C14820040306600FF6D
63181+:104A20003C0208008C4200E02403FF800222102197
63182+:104A300000431024AF4200243C0208008C4200E0F6
63183+:104A40009744007C92050081022210213042007FB1
63184+:104A5000034218213C02000A0062182114A0000B36
63185+:104A60003084FFFF2402000554C20014248205DCB8
63186+:104A70009062011224420001A062011224020C8003
63187+:104A8000AF4200240A00127324020005A060011244
63188+:104A90002402000514C20009248205DC9202008170
63189+:104AA0002C4200075040000524820A009203008136
63190+:104AB0002402001400621004008210213044FFFF21
63191+:104AC000A60400140E00121B022020219602003CB6
63192+:104AD0008E03004C022020213042FFFF00021040D4
63193+:104AE000006218210E000250AE03005C9202007DAD
63194+:104AF00002202021344200400E000259A202007D13
63195+:104B00008F4201F80440FFFE24020002AF5101C0B1
63196+:104B1000A34201C43C021000AF4201F88FBF00184D
63197+:104B20008FB100148FB0001003E0000827BD0020F3
63198+:104B300008000ACC08000B1408000B9808000BE4CE
63199+:104B400008000C200A0000280000000000000000FF
63200+:104B50000000000D6370362E322E3300000000007E
63201+:104B60000602030400000000000000000000000036
63202+:104B70000000000000000000000000000000000035
63203+:104B80000000000000000000000000000000002005
63204+:104B90000000000000000000000000000000000015
63205+:104BA0000000000000000000000000000000000005
63206+:104BB00000000000000000000000000000000001F4
63207+:104BC0000000002B000000000000000400030D4066
63208+:104BD00000000000000000000000000000000000D5
63209+:104BE00000000000000000001000000300000000B2
63210+:104BF0000000000D0000000D3C020800244258A4F3
63211+:104C00003C03080024635F70AC4000000043202B8D
63212+:104C10001480FFFD244200043C1D080037BD7FFCCA
63213+:104C200003A0F0213C100800261000A03C1C080046
63214+:104C3000279C58A40E0001AC000000000000000DED
63215+:104C400027BDFFE83C096018AFBF00108D2C500055
63216+:104C5000240DFF7F24080031018D5824356A380C5B
63217+:104C600024070C003C1A8000AD2A50003C04800A46
63218+:104C7000AF4800083C1B8008AF4700240E00091510
63219+:104C8000AF8400100E0008D8000000000E000825B8
63220+:104C9000000000000E001252000000003C046016EC
63221+:104CA0008C8500003C06FFFF3C02535300A61824ED
63222+:104CB0001062004734867C0094C201F2A780002C69
63223+:104CC00010400003A78000CC38581E1EA798002C67
63224+:104CD00094C201F810400004978300CC38591E1E7E
63225+:104CE000A79900CC978300CC2C7F006753E000018C
63226+:104CF000240300669784002C2C82040114400002D7
63227+:104D000000602821240404003C0760008CE904387A
63228+:104D10002403103C3128FFFF1103001F30B9FFFFAF
63229+:104D200057200010A38000CE24020050A38200CEA2
63230+:104D3000939F00CE53E0000FA78500CCA78000CC46
63231+:104D4000978500CC8FBF0010A780002CA78000346F
63232+:104D5000A78000E63C010800AC25008003E00008C5
63233+:104D600027BD0018939F00CE57E0FFF5A78000CC29
63234+:104D7000A78500CC978500CC8FBF0010A784002C9E
63235+:104D8000A7800034A78000E63C010800AC25008025
63236+:104D900003E0000827BD0018A38000CE8CCB003CA8
63237+:104DA000316A00011140000E0000000030A7FFFF33
63238+:104DB00010E0FFDE240200508CCC00C831860001D8
63239+:104DC00014C0FFDC939F00CE0A00007A2402005139
63240+:104DD0008C8F00043C0E60000A00005D01EE302163
63241+:104DE0008CEF0808240D5708000F740211CD000441
63242+:104DF00030B8FFFF240500660A00007B240404008D
63243+:104E00001700FFCC939F00CE0A00007A24020050C6
63244+:104E10008F8600103089FFFF000939408CC30010D5
63245+:104E20003C08005000E82025AF4300388CC5001432
63246+:104E300027420400AF82001CAF45003CAF44003065
63247+:104E40000000000000000000000000000000000062
63248+:104E50000000000000000000000000000000000052
63249+:104E60008F4B0000316A00201140FFFD0000000060
63250+:104E700003E00008000000008F840010948A001AEC
63251+:104E80008C8700243149FFFF000940C000E8302131
63252+:104E9000AF46003C8C8500248F43003C00A31023C8
63253+:104EA00018400029000000008C8B002025620001C2
63254+:104EB0003C0D005035AC0008AF420038AF4C00301C
63255+:104EC00000000000000000000000000000000000E2
63256+:104ED00000000000000000000000000000000000D2
63257+:104EE0008F4F000031EE002011C0FFFD00000000D8
63258+:104EF0008F4A04003C080020AC8A00108F4904044B
63259+:104F0000AC890014AF4800300000000094860018FF
63260+:104F10009487001C00C71821A48300189485001AE8
63261+:104F200024A20001A482001A9498001A9499001EE9
63262+:104F3000133800030000000003E000080000000038
63263+:104F400003E00008A480001A8C8200200A0000DC24
63264+:104F50003C0D00500A0000CD000000003C0308009A
63265+:104F60008C6300208F82001827BDFFE810620008C4
63266+:104F7000AFBF00100E000104AF8300183C0308000F
63267+:104F80008C63002024040001106400048F89001049
63268+:104F90008FBF001003E0000827BD00188FBF00106E
63269+:104FA0003C076012A520000A9528000A34E500108D
63270+:104FB00027BD00183106FFFF03E00008ACA60090F3
63271+:104FC0003C0208008C42002027BDFFC8AFBF003460
63272+:104FD000AFBE0030AFB7002CAFB60028AFB500248D
63273+:104FE000AFB40020AFB3001CAFB20018AFB10014D3
63274+:104FF00010400050AFB000108F840010948600065F
63275+:105000009483000A00C3282330B6FFFF12C0004A71
63276+:105010008FBF003494890018948A000A012A402323
63277+:105020003102FFFF02C2382B14E0000202C020212F
63278+:10503000004020212C8C0005158000020080A0215A
63279+:10504000241400040E0000B3028020218F8700107A
63280+:1050500002809821AF80001494ED000A028088211C
63281+:105060001280004E31B2FFFF3C1770003C1540002B
63282+:105070003C1E60008F8F001C8DEE000001D71824AD
63283+:10508000507500500220202102A3802B160000350D
63284+:105090003C182000507800470220202124100001F5
63285+:1050A0008F83001414600039029158230230F823D2
63286+:1050B0000250C82133F1FFFF1620FFEE3332FFFF0D
63287+:1050C0008F8700103C110020AF510030000000001D
63288+:1050D00094E6000A3C1E601237D5001002662821B3
63289+:1050E000A4E5000A94E2000A94F2000A94F400187D
63290+:1050F0003057FFFF1292003BAEB700908CED0014CA
63291+:105100008CE400100013714001AE4021000E5FC31B
63292+:10511000010E502B008B4821012A1821ACE8001405
63293+:10512000ACE3001002D3382330F6FFFF16C0FFB9FE
63294+:105130008F8400108FBF00348FBE00308FB7002CDB
63295+:105140008FB600288FB500248FB400208FB3001CC9
63296+:105150008FB200188FB100148FB0001003E0000868
63297+:1051600027BD0038107E001B000000001477FFCC24
63298+:10517000241000010E00159B000000008F83001416
63299+:105180001060FFCB0230F823029158238F87001064
63300+:10519000017020210A0001973093FFFF8F830014D4
63301+:1051A0001460FFCB3C110020AF5100300A000163B6
63302+:1051B000000000000E00077D024028210A00015770
63303+:1051C000004080210E00033A024028210A000157C6
63304+:1051D000004080210E001463022020210A000157A4
63305+:1051E000004080210E0000CD000000000A0001797F
63306+:1051F00002D3382327BDFFE8AFB00010AFBF0014C3
63307+:105200000E00003F000000003C028000345000709F
63308+:105210000A0001BA8E0600008F4F000039EE00012F
63309+:1052200031C20001104000248F8600A88E070000C4
63310+:105230003C0C08008D8C003C3C0908008D2900388E
63311+:1052400000E66823018D28210000502100AD302B9D
63312+:10525000012A4021010620213C010800AC25003C28
63313+:10526000AF8700A83C010800AC2400380E000106FE
63314+:10527000000000003C0308008C6300701060FFE633
63315+:10528000006020213C0508008CA500683C06080051
63316+:105290008CC6006C0E00152A000000003C010800BE
63317+:1052A000AC2000708F4F000039EE000131C20001C8
63318+:1052B0001440FFDE8F8600A88E0A00008F8B00A8A6
63319+:1052C0003C0508008CA5003C3C0408008C84003898
63320+:1052D000014B482300A938210082182100E9402B06
63321+:1052E000006810213C010800AC27003C3C0108008C
63322+:1052F000AC2200388F5F01002419FF0024180C0035
63323+:1053000003F9202410980012AF840000AF4400205D
63324+:10531000936D0000240C002031A600FF10CC001279
63325+:10532000240E005010CE00043C194000AF59013843
63326+:105330000A0001B3000000000E0011C800000000C8
63327+:105340003C194000AF5901380A0001B300000000C9
63328+:105350000E00011F000000003C194000AF59013849
63329+:105360000A0001B3000000008F58010000802821CE
63330+:10537000330F00FF01E020210E0002F1AF8F000487
63331+:105380003C194000AF5901380A0001B30000000089
63332+:1053900000A4102B2403000110400009000030215C
63333+:1053A0000005284000A4102B04A0000300031840AF
63334+:1053B0005440FFFC000528405060000A0004182BF0
63335+:1053C0000085382B54E000040003184200C3302548
63336+:1053D00000852023000318421460FFF900052842CD
63337+:1053E0000004182B03E0000800C310218F4201B80D
63338+:1053F0000440FFFE00000000AF4401803C031000A9
63339+:1054000024040040AF450184A3440188A3460189D8
63340+:10541000A747018A03E00008AF4301B83084FFFFCB
63341+:105420000080382130A5FFFF000020210A00022A59
63342+:10543000240600803087FFFF8CA40000240600387B
63343+:105440000A00022A000028218F8300388F8600304E
63344+:105450001066000B008040213C07080024E75A1822
63345+:10546000000328C000A710218C4400002463000121
63346+:10547000108800053063000F5466FFFA000328C04F
63347+:1054800003E00008000010213C07080024E75A1C34
63348+:1054900000A7302103E000088CC200003C0390000C
63349+:1054A0003462000100822025AF4400208F45002097
63350+:1054B00004A0FFFE0000000003E000080000000060
63351+:1054C0003C038000346200010082202503E00008D4
63352+:1054D000AF44002027BDFFE0AFB100143091FFFFC3
63353+:1054E000AFB00010AFBF00181220001300A0802141
63354+:1054F0008CA2000024040002240601401040000F8A
63355+:10550000004028210E000C5C00000000000010216B
63356+:10551000AE000000022038218FBF00188FB10014A8
63357+:105520008FB0001000402021000028210000302111
63358+:105530000A00022A27BD00208CA200000220382188
63359+:105540008FBF00188FB100148FB0001000402021D1
63360+:1055500000002821000030210A00022A27BD002077
63361+:1055600000A010213087FFFF8CA500048C440000B0
63362+:105570000A00022A2406000627BDFFE0AFB0001093
63363+:10558000AFBF0018AFB100149363003E00808021CC
63364+:105590000080282130620040000020211040000FD0
63365+:1055A0008E1100000E000851022020219367000098
63366+:1055B0002404005030E500FF50A400128E0F0000BC
63367+:1055C000022020218FBF00188FB100148FB000106F
63368+:1055D000A762013C0A00091127BD00200E000287C6
63369+:1055E000000000000E0008510220202193670000F7
63370+:1055F0002404005030E500FF14A4FFF20220202113
63371+:105600008E0F00003C1008008E1000503C0D000C66
63372+:10561000240BFF8001F05021314E007F01DA602120
63373+:10562000018D4021014B4824AF4900280220202150
63374+:105630008FBF00188FB100148FB00010A50200D6E4
63375+:1056400027BD00200A000911AF8800D027BDFFE068
63376+:10565000AFBF0018AFB10014AFB0001093660001E7
63377+:10566000008080210E00025630D1000493640005B2
63378+:10567000001029C2A765000034830040A363000521
63379+:105680000E00025F020020210E00091302002021FB
63380+:1056900024020001AF62000C02002821A762001062
63381+:1056A00024040002A762001224060140A76200142D
63382+:1056B0000E000C5CA76200161620000F8FBF0018AA
63383+:1056C000978C00343C0B08008D6B00782588FFFF19
63384+:1056D0003109FFFF256A0001012A382B10E000067E
63385+:1056E000A78800343C0F6006240E001635ED00102C
63386+:1056F000ADAE00508FBF00188FB100148FB00010F6
63387+:1057000003E0000827BD002027BDFFE0AFB1001473
63388+:10571000AFBF0018AFB0001000A088211080000AB1
63389+:105720003C03600024020080108200120000000090
63390+:105730000000000D8FBF00188FB100148FB0001053
63391+:1057400003E0000827BD00208C682BF80500FFFE51
63392+:1057500000000000AC712BC08FBF00188FB1001487
63393+:105760008FB000103C09100027BD002003E00008A6
63394+:10577000AC692BF80E00025600A0202193650005AD
63395+:10578000022020210E00025F30B000FF2403003E03
63396+:105790001603FFE7000000008F4401780480FFFE3D
63397+:1057A000240700073C061000AF51014002202021D1
63398+:1057B000A34701448FBF00188FB100148FB00010B1
63399+:1057C000AF4601780A0002C227BD002027BDFFE8CE
63400+:1057D000AFBF0014AFB000108F50002000000000D9
63401+:1057E0000E000913AF440020AF5000208FBF0014FB
63402+:1057F0008FB0001003E0000827BD00183084FFFFC1
63403+:10580000008038212406003500A020210A00022A49
63404+:10581000000028213084FFFF008038212406003654
63405+:1058200000A020210A00022A0000282127BDFFD065
63406+:10583000AFB3001C3093FFFFAFB50024AFB2001828
63407+:10584000AFBF0028AFB40020AFB10014AFB000105C
63408+:1058500030B5FFFF12600027000090218F90001CE0
63409+:105860008E0300003C0680002402004000033E023C
63410+:1058700000032C0230E4007F006688241482001D9F
63411+:1058800030A500FF8F8300282C68000A510000100B
63412+:105890008F910014000358803C0C0800258C56940E
63413+:1058A000016C50218D49000001200008000000001B
63414+:1058B00002B210213045FFFF0E000236240400849E
63415+:1058C000162000028F90001CAF8000288F910014DA
63416+:1058D000260C002026430001018080213072FFFF4A
63417+:1058E00016200004AF8C001C0253502B1540FFDC27
63418+:1058F00000000000024010218FBF00288FB5002457
63419+:105900008FB400208FB3001C8FB200188FB1001429
63420+:105910008FB0001003E0000827BD0030240E0034D3
63421+:1059200014AE00F9000000009203000E241F168040
63422+:105930003C07000CA36300219202000D0347C8211D
63423+:105940003C066000A3620020961100123C0A7FFF13
63424+:10595000354CFFFFA771003C960B00102403000597
63425+:105960003168FFFFAF6800848E05001CAF5F002820
63426+:105970008F3800008CC4444803057826008F3021FE
63427+:10598000AF66004C8F69004C24CE00013C057F00BF
63428+:10599000AF6900508F740050AF740054AF66007050
63429+:1059A000AF6E00588F6D005824140050AF6D005C2E
63430+:1059B000A3600023AF6C0064A36300378E02001461
63431+:1059C000AF6200488F710048AF7100248E0B001841
63432+:1059D000AF6B006C9208000CA3680036937F003E0A
63433+:1059E00037F90020A379003E8F78007403058024E6
63434+:1059F000360F4000AF6F007493640000308900FFE1
63435+:105A0000513402452404FF803C04080024845A9841
63436+:105A10000E00028D000000003C1008008E105A9805
63437+:105A20000E00025602002021240600042407000173
63438+:105A3000A366007D020020210E00025FA36700051F
63439+:105A40008F5F017807E0FFFE240B0002AF5001409A
63440+:105A5000A34B01448F90001C3C081000AF48017814
63441+:105A60000A000362AF8000282CAD003751A0FF98D8
63442+:105A70008F9100140005A0803C180800271856BC20
63443+:105A8000029878218DEE000001C00008000000009F
63444+:105A90002418000614B80011000000003C0808009B
63445+:105AA0008D085A9824040005AF4800208E1F001866
63446+:105AB000AF7F00188F79004CAF79001C8F650050C4
63447+:105AC000122000C0AF6500700A000362AF84002896
63448+:105AD0002406000710A60083240300063C050800E6
63449+:105AE00024A55A980E000264240400818F90001CA3
63450+:105AF0000011102B0A000362AF8200282407000463
63451+:105B000014A7FFF6240500503C1808008F185A9877
63452+:105B1000AF5800208E0F0008AF6F00408E090008BC
63453+:105B2000AF6900448E14000CAF7400488E0E001054
63454+:105B3000AF6E004C8E0D0010AF6D00848E0A001405
63455+:105B4000AF6A00508E0C0018AF6C00548E04001C1D
63456+:105B5000AF64005893630000306B00FF116501D8FB
63457+:105B6000000000008F7400488F6900400289702394
63458+:105B700005C000042404008C1620FFDE240200036C
63459+:105B8000240400823C05080024A55A980E000287D0
63460+:105B9000000000008F90001C000010210A0003622A
63461+:105BA000AF820028240F000514AFFFCC240520008D
63462+:105BB0003C0708008CE75A98AF4700208E06000487
63463+:105BC000AF66005C9208000824100008A36800215A
63464+:105BD0008F9F001C93F90009A37900208F86001C79
63465+:105BE00090D8000A330400FF10900011000000005C
63466+:105BF0002885000914A0006924020002240A00205C
63467+:105C0000108A000B34058000288D002115A00008A3
63468+:105C100024054000240E0040108E00053C050001C4
63469+:105C200024140080109400023C050002240540006A
63470+:105C30008F7800743C19FF00031980240205782531
63471+:105C4000AF6F007490C4000BA36400818F84001CAC
63472+:105C50009489000C11200192000000009490000C27
63473+:105C60002406FFBF24050004A770003C908F000E9F
63474+:105C7000A36F003E8F84001C9089000FA369003F32
63475+:105C80008F8B001C8D6E00108F54007401D468231C
63476+:105C9000AF6D00608D6A0014AF6A0064956C0018E7
63477+:105CA000A76C00689563001AA763006A8D62001CE8
63478+:105CB000AF62006C9167000EA367003E9368003EE0
63479+:105CC0000106F8241220014BA37F003E8F90001C98
63480+:105CD0000A000362AF8500282407002214A7FF7F73
63481+:105CE000240300073C0B08008D6B5A981220000C0F
63482+:105CF000AF4B00200A000362AF830028240C00335E
63483+:105D000010AC0014240A00283C05080024A55A9869
63484+:105D10000E00023C240400810A0003EB8F90001C5B
63485+:105D20003C04080024845A980E00028D00000000F4
63486+:105D30009363000024110050306200FF10510135C0
63487+:105D4000000000008F90001C000018210A00036270
63488+:105D5000AF8300283C0D08008DAD5A9824040081C3
63489+:105D6000AF4D00203C05080024A55A980E00023CC7
63490+:105D7000A36A00348F90001C240200090A00036209
63491+:105D8000AF82002802B288213225FFFF0E000236C2
63492+:105D9000240400840A0003628F90001C1082FFA478
63493+:105DA00024050400288B000311600170240C0004FA
63494+:105DB000240300015483FF9E240540000A00043B95
63495+:105DC000240501003C04080024845A988F62004C8A
63496+:105DD0000E00028D8F6300508F90001C0000202168
63497+:105DE0000A000362AF8400288E1000042404008A95
63498+:105DF000AF50002093790005333800021700015F8F
63499+:105E0000020028219368002302002821311F00206E
63500+:105E100017E0015A2404008D9367003F2406001206
63501+:105E200030E200FF10460155240400810E000256A6
63502+:105E30000200202193630023240500040200202196
63503+:105E4000346B0042A36B00230E00025FA365007D4C
63504+:105E50008F4401780480FFFE240A0002AF50014005
63505+:105E6000A34A01448F90001C3C0C1000AF4C0178F9
63506+:105E70000A0003EC0011102B8E1000042404008A89
63507+:105E8000AF500020936E000531CD000215A0001622
63508+:105E900002002821936F003F2414000402002821EF
63509+:105EA00031E900FF11340010240400810E00025675
63510+:105EB000020020219362002324080012241FFFFE09
63511+:105EC00034460020A3660023A368003F93790005B1
63512+:105ED00002002021033FC0240E00025FA3780005CA
63513+:105EE00002002821000020210E00033400000000E1
63514+:105EF0000A0003EB8F90001C8E1000043C03000886
63515+:105F00000343A021AF500020928B000024050050D5
63516+:105F1000316400FF10850161240700880200202100
63517+:105F2000000028210E00022A2406000E928D000097
63518+:105F3000240EFF800200282101AE8025A2900000DF
63519+:105F4000240400040E000C5C240600300A0003EB5D
63520+:105F50008F90001C8E0800043C14080026945A9868
63521+:105F60003C010800AC285A98AF480020921F00035B
63522+:105F700033F9000413200002240200122402000658
63523+:105F8000A362003F920B001B2404FFC03165003F59
63524+:105F900000A43825A367003E9206000330C200012A
63525+:105FA00014400132000000008E020008AE8200089A
63526+:105FB0003C0208008C425AA010400131000249C244
63527+:105FC000A76900088E14000C240C0001240300149F
63528+:105FD000AF74002C8E0E0010AF6E0030960D0016C0
63529+:105FE000A76D0038960A0014A76A003AAF6C000C3F
63530+:105FF000A76C0010A76C0012A76C0014A76C001609
63531+:1060000012200136A3630034920F000331F0000226
63532+:106010002E1100018F90001C262200080A00036246
63533+:10602000AF8200288E0400043C0E0008034E30218D
63534+:10603000AF4400208E05000890CD0000240C0050D5
63535+:1060400031AA00FF114C00862407008824060009AD
63536+:106050000E00022A000000000A0003EB8F90001CD3
63537+:106060008E04001C0E00024100000000104000F4ED
63538+:10607000004050218F89001C240700890140202105
63539+:106080008D25001C240600010E00022A00000000DD
63540+:106090000A0003EB8F90001C960D00023C140800D0
63541+:1060A00026945A9831AA0004514000B83C10600070
63542+:1060B0008E0E001C3C010800AC2E5A98AF4E0020FA
63543+:1060C000920700102408001430E200FF144800D6A4
63544+:1060D00000000000960B00023163000114600165AE
63545+:1060E000000000008E020004AE8200083C1408008C
63546+:1060F0008E945AA01280015B000000008F7400741F
63547+:106100003C0380002404000102835825AF6B007417
63548+:10611000A3600005AF64000C3C0708008CE75AA0A0
63549+:106120008F86001CA7640010000711C2A76400122C
63550+:10613000A7640014A7640016A76200088CC80008B2
63551+:1061400024040002AF68002C8CC5000CAF65003041
63552+:1061500090DF0010A37F00348F99001C9330001152
63553+:10616000A37000358F98001C930F0012A36F0036A8
63554+:106170008F89001C912E0013A36E00378F90001C96
63555+:10618000960D0014A76D0038960A0016A76A003A0B
63556+:106190008E0C0018AF6C00245620FDCCAF84002874
63557+:1061A0003C05080024A55A980E0002640000202136
63558+:1061B0008F90001C0A0004A7000020218E1000040C
63559+:1061C00024070081AF500020936900233134001070
63560+:1061D000128000170000000002002021000028218A
63561+:1061E0002406001F0E00022A000000000A0003EB34
63562+:1061F0008F90001C3C05080024A55A980E000287C9
63563+:10620000240400828F90001C000028210A000362F1
63564+:10621000AF8500283C0408008C845A980E0014E8CE
63565+:10622000000000008F90001C0A000482000018216A
63566+:106230000E00025602002021937800230200202144
63567+:10624000370F00100E00025FA36F002300003821FB
63568+:1062500002002021000028210A0005A82406001FB2
63569+:10626000920F000C31E90001112000030000000032
63570+:106270009618000EA4D8002C921F000C33F90002CF
63571+:1062800013200005000038218E0200149608001229
63572+:10629000ACC2001CA4C8001A0A0005432406000969
63573+:1062A0003C05080024A55A980E0002872404008BA0
63574+:1062B0008F90001C0011282B0A000362AF85002874
63575+:1062C000AF6000843C0A08008D4A5A983C0D0800D3
63576+:1062D0008DAD0050240CFF803C02000C014D1821B4
63577+:1062E000006C2024AF4400288E070014306B007F20
63578+:1062F000017A282100A2C821AF2700D88E060014F9
63579+:10630000AF9900D0AF2600DC8E080010251FFFFEDD
63580+:106310000A000408AF3F01083C0508008CA55A9804
63581+:106320003C1908008F39005024CCFFFE00B9C02171
63582+:1063300003047824AF4F00283C1408008E945A9828
63583+:106340003C0908008D2900500289702131CD007F61
63584+:1063500001BA502101478021AE0600D8AF9000D08D
63585+:10636000AE0000DC0A0003B1AE0C0108548CFE3014
63586+:10637000240540000A00043B240510000E00032EF3
63587+:10638000000000000A0003EB8F90001C8E0F442CCD
63588+:106390003C186C62370979703C010800AC205A98AF
63589+:1063A00015E9000824050140979F00349786002CCA
63590+:1063B0000280282103E6C82B132000112404009238
63591+:1063C000240501400E000C7A240400023C01080060
63592+:1063D000AC225A98AF4200203C0508008CA55A9880
63593+:1063E00010A00005240400830E00084500000000F2
63594+:1063F00010400009240400833C05080024A55A9895
63595+:106400000E000264000000008F90001C0011202B81
63596+:106410000A000362AF8400280E0008490000000053
63597+:106420000A00055F8F90001C0E00084D0000000060
63598+:106430003C05080024A55A980A00062F2404008B66
63599+:10644000240400040E000C7A240500301440002AB5
63600+:10645000004050218F89001C240700830140202127
63601+:106460008D25001C0A000551240600018E04000839
63602+:106470000E000241000000000A00051BAE82000869
63603+:106480003C05080024A55A980E00023C240400870D
63604+:106490008F90001C0A0005360011102B8F830038E6
63605+:1064A0008F8600301066FE9D000038213C070800F2
63606+:1064B00024E75A1C000320C0008728218CAC000070
63607+:1064C00011900061246A00013143000F5466FFFA05
63608+:1064D000000320C00A0004F6000038213C05080033
63609+:1064E00024A55A980E000287240400828F90001C75
63610+:1064F0000A000536000010213C0B0008034B202148
63611+:106500002403005024070001AF420020A0830000B4
63612+:10651000A08700018F82001C90480004A08800180A
63613+:106520008F85001C90A60005A08600198F9F001C77
63614+:1065300093F90006A099001A8F90001C921800078A
63615+:10654000A098001B8F94001C928F0008A08F001C45
63616+:106550008F89001C912E0009A08E001D8F8D001CBC
63617+:1065600091AC000AA08C001E8F8B001C3C0C080014
63618+:10657000258C5A1C9163000B3C0B0800256B5A18A4
63619+:10658000A083001F8F87001C90E8000CA0880020CB
63620+:106590008F82001C9045000D24024646A0850021F4
63621+:1065A0008F86001C90DF000EA09F00228F99001C98
63622+:1065B0009330000FA09000238F98001C93140010BC
63623+:1065C000A09400248F8F001C91E90011A089002560
63624+:1065D0008F89001C8F8E00308F900038952D00140D
63625+:1065E000000E18C025C80001A48D002895270016AC
63626+:1065F000006C3021006BC821A487002A9525001863
63627+:106600003108000FA485002CA482002E8D3F001CB1
63628+:10661000ACCA0000AF88003011100006AF3F000088
63629+:10662000000038218D25001C014020210A00055161
63630+:1066300024060001250C00013184000F00003821E0
63631+:106640000A0006B8AF8400383C07080024E75A184F
63632+:106650000087302100003821ACA000000A0004F6B9
63633+:10666000ACC000003C05080024A55A980A00062F7B
63634+:10667000240400878E0400040E0002410000000084
63635+:106680000A00056AAE8200083084FFFF30C600FFB2
63636+:106690008F4201B80440FFFE00064400010430258B
63637+:1066A0003C07200000C720253C031000AF400180BC
63638+:1066B000AF450184AF44018803E00008AF4301B84F
63639+:1066C00027BDFFE8AFB00010AFBF00143C0760006B
63640+:1066D000240600021080000600A080210010102B6C
63641+:1066E0008FBF00148FB0001003E0000827BD001812
63642+:1066F0003C09600EAD2000348CE5201C8F82001C0C
63643+:106700002408FFFC00A81824ACE3201C0E0006D1CE
63644+:106710008C45000C0010102B8FBF00148FB00010A0
63645+:1067200003E0000827BD00183C02600E344701005A
63646+:1067300024090018274A040000000000000000009F
63647+:10674000000000003C06005034C30200AF44003893
63648+:10675000AF45003CAF430030014018218F4B000093
63649+:10676000316800201100FFFD2406007F2408FFFF90
63650+:106770008C6C000024C6FFFF24630004ACEC000016
63651+:1067800014C8FFFB24E70004000000000000000024
63652+:10679000000000003C0F0020AF4F00300000000060
63653+:1067A00024AD020001A5702B2529FFFF008E2021BA
63654+:1067B0001520FFE101A0282103E0000800000000EF
63655+:1067C00027BDFFE0AFB10014AFBF0018AFB000109D
63656+:1067D0003C05600E8CA20034008088211440000625
63657+:1067E0003C0460008C87201C2408FFFC00E8302457
63658+:1067F00034C30001AC83201C8F8B001C24090001D2
63659+:10680000ACA90034956900028D6500148D70000CF0
63660+:106810002D2400818D6700048D660008108000071C
63661+:106820008D6A00102D2C00041580000E30CE00075C
63662+:10683000312D000311A0000B000000002404008B88
63663+:10684000020028210E0006D1240600030011102B9F
63664+:106850008FBF00188FB100148FB0001003E0000844
63665+:1068600027BD002015C0FFF62404008B3C03002048
63666+:10687000AF4300300000000024020001AF8200148A
63667+:106880000000000000000000000000003C1F01505C
63668+:10689000013FC825253800033C0F600EAF47003884
63669+:1068A00000181882AF46003C35E8003CAF59003074
63670+:1068B000274704008F4400003086002010C0FFFDF1
63671+:1068C00000000000106000082466FFFF2403FFFFA3
63672+:1068D0008CEB000024C6FFFF24E70004AD0B000092
63673+:1068E00014C3FFFB250800043C08600EAD09003806
63674+:1068F0000000000000000000000000003C07002035
63675+:10690000AF470030000000000E0006F901402021D2
63676+:1069100002002821000020210E0006D124060003D9
63677+:106920000011102B8FBF00188FB100148FB0001012
63678+:1069300003E0000827BD002027BDFFE0AFB200182C
63679+:106940003092FFFFAFB10014AFBF001CAFB000101A
63680+:106950001640000D000088210A0007AA022010211D
63681+:1069600024050001508500278CE5000C0000000D77
63682+:10697000262300013071FFFF24E200200232382B71
63683+:1069800010E00019AF82001C8F8200141440001622
63684+:106990008F87001C3C0670003C0320008CE5000043
63685+:1069A00000A62024148300108F84003C00054402BC
63686+:1069B0003C09800000A980241480FFE9310600FF13
63687+:1069C0002CCA00095140FFEB262300010006688015
63688+:1069D0003C0E080025CE579801AE60218D8B00003B
63689+:1069E0000160000800000000022010218FBF001C81
63690+:1069F0008FB200188FB100148FB0001003E00008B0
63691+:106A000027BD00200E0006D1240400841600FFD804
63692+:106A10008F87001C0A00078BAF80003C90EF0002BC
63693+:106A200000002021240600090E0006D1000F2E00D0
63694+:106A30008F87001C0010102B0A00078BAF82003CD0
63695+:106A4000020028210E0006DF240400018F87001CAD
63696+:106A50000A00078BAF82003C020028210E0006DFEF
63697+:106A6000000020210A0007C38F87001C0E00071FAB
63698+:106A7000020020210A0007C38F87001C30B0FFFFEF
63699+:106A8000001019C08F5801B80700FFFE3C1F2004FA
63700+:106A90003C191000AF430180AF400184AF5F018813
63701+:106AA000AF5901B80A00078C262300013082FFFF8E
63702+:106AB00014400003000018210004240224030010E5
63703+:106AC000308500FF14A000053087000F2466000801
63704+:106AD0000004220230C300FF3087000F14E00005DD
63705+:106AE000308900032468000400042102310300FF00
63706+:106AF0003089000315200005388B0001246A00024C
63707+:106B000000042082314300FF388B00013164000112
63708+:106B100010800002246C0001318300FF03E00008B4
63709+:106B200000601021308BFFFF000B394230E600FF80
63710+:106B30003C09080025295998000640800109602178
63711+:106B40008D8700003164001F240A0001008A1804A8
63712+:106B500030A500FF00E3202514A000020003102749
63713+:106B600000E22024240F000100CF700401096821F5
63714+:106B7000000E282714800005ADA400008F86000CAD
63715+:106B800000A6102403E00008AF82000C8F88000CE0
63716+:106B900001C8102503E00008AF82000C3C06001F6E
63717+:106BA0003C0360003084FFFF34C5FF8024020020D6
63718+:106BB000AC602008AC60200CAC602010AC652014E8
63719+:106BC000AC642018AC62200000000000000000004F
63720+:106BD00003E000080000000027BDFFE82402FFFFDB
63721+:106BE000AFBF0010AF82000C000020213C0608005F
63722+:106BF00024C659982405FFFF248900010004408021
63723+:106C00003124FFFF010618212C87002014E0FFFA31
63724+:106C1000AC6500000E0008160000202124020001CF
63725+:106C20003C04600024050020AC822018AC852000C4
63726+:106C3000000000000000000000000000244A0001E5
63727+:106C40003142FFFF2C46040014C0FFF78FBF001035
63728+:106C500003E0000827BD00188F8300082C620400A1
63729+:106C600003E00008384200018F830008246200011D
63730+:106C700003E00008AF8200088F8300082462FFFF52
63731+:106C800003E00008AF82000827BDFFE0AFB10014A9
63732+:106C9000AFBF0018AFB000108F6B00303C06600033
63733+:106CA00000808821ACCB20088F6A002C3C02800039
63734+:106CB00024030008ACCA200C9769003A9768003892
63735+:106CC00000092C003107FFFF00A72025ACC42010CD
63736+:106CD000ACC22014ACC32000000000000000000083
63737+:106CE000000000003C0360008C6D200031AC000807
63738+:106CF0001580FFF9000000008C6E201405C00020F4
63739+:106D0000000000000E0007DA8F84000C00024080B3
63740+:106D10003C09080025295998010938218CE4000014
63741+:106D20000E0007DA00028140020220213090FFFFAE
63742+:106D3000020020210E0007F8000028213C0C8000F2
63743+:106D4000022C58253210FFFF3C116000240A00205D
63744+:106D5000AE2B2014AE302018AE2A20000000000018
63745+:106D60000000000000000000020010218FBF00188A
63746+:106D70008FB100148FB0001003E0000827BD002081
63747+:106D80008C6620143C02001F3443FF803C1FFFE848
63748+:106D900000C3C02437F9080003198021001079C20C
63749+:106DA0003C0C8000022C582531F0FFFF3C116000A4
63750+:106DB000240A0020AE2B2014AE302018AE2A20006A
63751+:106DC0000000000000000000000000000200102190
63752+:106DD0008FBF00188FB100148FB0001003E00008BF
63753+:106DE00027BD002027BDFFE8AFB000103402FFFF31
63754+:106DF0003090FFFFAFBF00141202000602002021F6
63755+:106E00000E00081600000000020020210E0007F806
63756+:106E1000240500018F8400088FBF00148FB000107C
63757+:106E20002483FFFF27BD001803E00008AF8300089C
63758+:106E3000000439C230E6003F00043B42000718401E
63759+:106E4000240210002CC4002024C8FFE0AF42002C14
63760+:106E5000246300011480000330A900FF00071840DC
63761+:106E6000310600FF0003608024080001019A5821C8
63762+:106E70003C0A000E00C82804016A382111200005D0
63763+:106E8000000530278CE900000125302503E00008CB
63764+:106E9000ACE600008CEE000001C6682403E00008A8
63765+:106EA000ACED000027BDFFE8AFBF0014AFB000108D
63766+:106EB0003C0460008C8508083403F00030A2F00028
63767+:106EC00050430006240200018C8708083404E000C7
63768+:106ED00030E6F00010C4001E24020002AF82004021
63769+:106EE0003C1060003C0A0200AE0A0814240910009D
63770+:106EF0003C08000E8E03440003482021AF49002CBB
63771+:106F0000240501200E000CC0000030218F830040BA
63772+:106F1000106000043C021691240B0001106B000E5F
63773+:106F20003C023D2C344F0090AE0F44088FBF00143C
63774+:106F30008FB000103C0C6000240E10003C0D0200CD
63775+:106F400027BD0018AD8E442003E00008AD8D081069
63776+:106F50000A0008E7AF8000403C0218DA344F009086
63777+:106F6000AE0F44088FBF00148FB000103C0C6000BF
63778+:106F7000240E10003C0D020027BD0018AD8E4420E9
63779+:106F800003E00008AD8D08100A0008BB24050001CD
63780+:106F90000A0008BB000028213C08080025085DA461
63781+:106FA0002404FFFF010018212402001E2442FFFFD9
63782+:106FB000AC6400000441FFFD246300043C070800AA
63783+:106FC00024E75E208CE5FFFC2404001C240600015D
63784+:106FD000308A001F0146480424840001000910275C
63785+:106FE0002C8300201460FFFA00A22824ACE5FFFCEB
63786+:106FF0003C05666634A4616E3C06080024C65EE06B
63787+:10700000AF840058AF88009C2404FFFF00C0182103
63788+:107010002402001F2442FFFFAC6400000441FFFD76
63789+:10702000246300043C0766663C05080024A55EA0B6
63790+:10703000AF86004834E6616EAF8600982404FFFFF7
63791+:1070400000A018212402000F2442FFFFAC640000BE
63792+:107050000441FFFD246300043C0B66663C06080007
63793+:1070600024C65E203568616EAF8500A4AF880070CD
63794+:107070002404FFFF00C018212402001F2442FFFF48
63795+:10708000AC6400000441FFFD246300043C0D66660F
63796+:107090003C0A0800254A5F6035AC616EAF860090FF
63797+:1070A000AF8C005C2404FFFF014018212402000380
63798+:1070B0002442FFFFAC6400000441FFFD2463000490
63799+:1070C0003C09080025295F708D27FFFC2404000679
63800+:1070D000240500013099001F0325C0042484000109
63801+:1070E000001878272C8E002015C0FFFA00EF3824F6
63802+:1070F000AD27FFFC3C09666624030400240403DC7E
63803+:1071000024050200240600663522616E3C08080052
63804+:1071100025085AA4AF820074AF830044AF83006C8B
63805+:10712000AF830050AF830084AF8A008CAF840064CB
63806+:10713000AF85004CAF860054AF840078AF85006007
63807+:10714000AF86008001001821240200022442FFFFC4
63808+:10715000AC6000000441FFFD24630004240400032C
63809+:107160002403000C3C0A0800254A5AB0AF8A006884
63810+:107170000A00098E2405FFFF000418802484000102
63811+:10718000006858212C8700C014E0FFFBAD650000AB
63812+:107190003C0E666635CD616E240C17A024081800DD
63813+:1071A000AF8D0088AF8C009403E00008AF88007CAE
63814+:1071B0002484007F000421C200004021000030210F
63815+:1071C00000003821000028210A0009A5AF8400A092
63816+:1071D0001060000624E7000100C4302124A500014E
63817+:1071E0002CC20BF51440FFFA2CA300663C090800E2
63818+:1071F00025295F6001201821240200032442FFFF9B
63819+:10720000AC6000000441FFFD2463000410E0001A9C
63820+:1072100024E3FFFF0003294210A0000A0000202100
63821+:107220002406FFFF3C03080024635F602484000100
63822+:107230000085502BAC660000250800011540FFFBBF
63823+:107240002463000430E2001F10400008000868803A
63824+:10725000240C0001004C38040008588001692821E2
63825+:1072600024E6FFFF03E00008ACA6000001A94021CE
63826+:107270002409FFFFAD09000003E000080000000042
63827+:10728000AF4400283C04000C034420210005288260
63828+:107290000A000CC000003021000421803C03600083
63829+:1072A000AC6410080000000000052980AC65100CDB
63830+:1072B0000000000003E000088C62100C27BDFFE80E
63831+:1072C0000080282124040038AFBF00140E0009D527
63832+:1072D000AFB0001024040E00AF4400283C10000C96
63833+:1072E00003502021240500100E000CC000003021A6
63834+:1072F00003501021AC400000AC40000424040038CE
63835+:107300008FBF00148FB0001024053FFF27BD001869
63836+:107310000A0009D58C430000000421803C03600072
63837+:10732000AC641008000000008C62100C03E0000840
63838+:107330000002118227BDFFC8AFB400208F940068FF
63839+:10734000AFBE0030AFB7002CAFB600280000B821A8
63840+:107350000080B021241E00C0AFBF0034AFB50024B0
63841+:10736000AFB3001CAFB20018AFB10014AFB0001043
63842+:107370000A000A12AFA5003C504000018F9400683B
63843+:1073800027DEFFFF13C00028269400048E92000021
63844+:107390003C03080024635DA01240FFF70283102B1A
63845+:1073A0003C04080024845AA4028410230002A8C0CC
63846+:1073B000000098210A000A212411000100118840D0
63847+:1073C000122000260000000002B380210251282470
63848+:1073D0000200202110A0FFF9267300010E0009DE33
63849+:1073E000000000000016684032EC000101AC2021D2
63850+:1073F0000E0009D5020028218F89009426F700018C
63851+:107400008FA6003C3AEB0001316A00012528FFFFFE
63852+:107410000011382702CAB021AF88009416E6FFE7B2
63853+:1074200002479024AE92000002E010218FBF00348A
63854+:107430008FBE00308FB7002C8FB600288FB5002488
63855+:107440008FB400208FB3001C8FB200188FB10014CE
63856+:107450008FB0001003E0000827BD00383C0E080084
63857+:1074600025CE5DA0028E102B0A000A0DAE92000000
63858+:1074700027BDFFD8AFB10014AFB00010AFBF0020E0
63859+:10748000AFB3001CAFB2001800A0882110A0001FED
63860+:10749000000480403C13080026735AA40A000A5ACC
63861+:1074A0002412000112200019261000010E0009F517
63862+:1074B00002002021000231422444FFA0000618806F
63863+:1074C0003045001F2C8217A1007318212631FFFFC1
63864+:1074D0001040FFF400B230048C690000020020214B
63865+:1074E00024053FFF012640241500FFEE0126382524
63866+:1074F0000E0009D5AC6700008F8A009426100001A9
63867+:10750000254700011620FFE9AF8700948FBF0020B8
63868+:107510008FB3001C8FB200188FB100148FB0001011
63869+:1075200003E0000827BD00288F85009C00805821BB
63870+:107530000000402100004821240A001F3C0C0800E4
63871+:10754000258C5E1C3C0D080025AD5DA48CA60000BA
63872+:1075500050C000140000402100AD1023000238C0CC
63873+:10756000240300010A000A930000202115000003F3
63874+:1075700000E410212448202400004821252900018E
63875+:10758000512B00132506DFDC106000062484000167
63876+:1075900000C3702415C0FFF5000318400A000A91CB
63877+:1075A0000000402110AC002624A300040060282124
63878+:1075B000254AFFFF1540FFE5AF85009C512B0004D5
63879+:1075C0002506DFDC0000402103E000080100102157
63880+:1075D0000006614230C5001F000C50803C070800C7
63881+:1075E00024E75DA424040001014730211120000F8D
63882+:1075F00000A420043C05080024A55E20148000059A
63883+:107600002529FFFF24C6000410C50011000000005A
63884+:10761000240400018CCF00000004C0270004204097
63885+:1076200001F868241520FFF5ACCD00008F99007893
63886+:1076300001001021032B482303E00008AF890078E4
63887+:107640003C05080024A55DA40A000A9B0000402117
63888+:107650003C06080024C65DA40A000AB42404000104
63889+:10766000308800FF240200021102000A24030003F4
63890+:107670001103005C8F8900A4240400041104005F3E
63891+:1076800024050005110500670000182103E000082B
63892+:10769000006010218F8900483C0C0800258C5EE0BA
63893+:1076A0003C04080024845F60240300201060000F65
63894+:1076B00000005821240D0002240E00033C0F080096
63895+:1076C00025EF5EE08D27000014E0000B30F9FFFF8E
63896+:1076D000252900040124C02B53000001018048210A
63897+:1076E0002463FFFF5460FFF88D270000016018211C
63898+:1076F00003E0000800601021132000323C0500FF69
63899+:1077000030E200FF004030211040004200005021D4
63900+:1077100024050001000020210005C84000A6C02467
63901+:1077200017000003332500FF14A0FFFB2484000191
63902+:10773000012CC023001828C000AA6021008C502111
63903+:107740003144001F240C0001008C18040003102792
63904+:1077500000E23024110D0041AD260000110E004C56
63905+:10776000000A1840110D00368F87006C510E00562C
63906+:107770008F8C0060240D0004110D005A8F8E008440
63907+:10778000240E0005150EFFDA01601821240B1430B9
63908+:1077900011400006000018218F8400A0246300011E
63909+:1077A000006A402B1500FFFD016458218F8A00807C
63910+:1077B000AF89008C016018212549FFFF0A000AEB00
63911+:1077C000AF89008000E52024000736021080FFD03A
63912+:1077D000240A001800075402314600FF0A000AF389
63913+:1077E000240A00103C0C0800258C5EA03C04080014
63914+:1077F00024845EE00A000ADA240300103C0C08002E
63915+:10780000258C5E203C04080024845EA00A000AD96E
63916+:107810008F89009000071A02306600FF0A000AF301
63917+:10782000240A00088F89008C3C0C0800258C5F60BE
63918+:107830003C04080024845F700A000ADA2403000470
63919+:10784000000A4080250B003024E6FFFF016018216C
63920+:10785000AF8900480A000AEBAF86006C000AC982B3
63921+:10786000001978803C07080024E75EA001E720218A
63922+:10787000000A18428C8F00003079001F032C380456
63923+:107880000007C02701F860240A000B08AC8C000038
63924+:10789000000331420006288000AF28213062001F1B
63925+:1078A0008CB8000024630001004CC804000321428E
63926+:1078B000001938270004108003073024004F2021CE
63927+:1078C0000A000B4CACA60000000A68C025AB0032D1
63928+:1078D000258AFFFF01601821AF8900A40A000AEB86
63929+:1078E000AF8A0060254B1030AF89009001601821ED
63930+:1078F00025C9FFFF0A000AEBAF8900843086000724
63931+:107900002CC2000610400014000000000006408059
63932+:107910003C030800246357BC010338218CE40000B9
63933+:1079200000800008000000002409000310A9000ED8
63934+:1079300000000000240A000510AA000B000000004F
63935+:10794000240B000110AB0008000000008F8C00A089
63936+:1079500010AC00050000000003E00008000010214A
63937+:107960000A000A7900A020210A000AC700C02021CD
63938+:1079700027BDFFE8308400FF240300021083000BC2
63939+:10798000AFBF0010240600031086003A240800044C
63940+:1079900010880068240E0005108E007F2CAF143074
63941+:1079A0008FBF001003E0000827BD00182CA2003094
63942+:1079B0001440FFFC8FBF001024A5FFD0000531C28A
63943+:1079C000000668803C07080024E75EE001A730213C
63944+:1079D0008CC900000005288230AC001F240B000178
63945+:1079E000018B50048F840048012A4025ACC8000058
63946+:1079F0008C83000050600001AF8600488F98006CB7
63947+:107A000030AE000124A6FFFF270F000115C00002C1
63948+:107A1000AF8F006C24A600010006414200082080C0
63949+:107A2000008718218C79000030C2001F2406000155
63950+:107A30000046F804033F382410E0FFDA8FBF00103F
63951+:107A40000005C182001870803C0F080025EF5EA081
63952+:107A500001CF48218D2B00000005684231A5001F91
63953+:107A600000A66004016C502527BD001803E0000843
63954+:107A7000AD2A00002CA7003014E0FFCA8FBF001011
63955+:107A800030B900071723FFC724A8FFCE00086A02F9
63956+:107A9000000D60803C0B0800256B5EA0018B30213F
63957+:107AA0008CC40000000828C230AA001F240800016E
63958+:107AB000014848048F8200A400891825ACC3000047
63959+:107AC0008C5F000053E00001AF8600A40005704009
63960+:107AD000000E7942000F28803C04080024845EE0F8
63961+:107AE00000A418218C6B000025DF000131CD001FA0
63962+:107AF000001F514201A86004016C4825000A108053
63963+:107B0000AC690000004428218CA600008F9800601A
63964+:107B100033F9001F8FBF00100328380400C77825F1
63965+:107B2000270E000127BD0018ACAF000003E00008DD
63966+:107B3000AF8E006024A5EFD02CB804001300FF998D
63967+:107B40008FBF001000053142000658803C0A080033
63968+:107B5000254A5E20016A30218CC4000030A3001F3A
63969+:107B600024090001006910048F9900900082F82513
63970+:107B7000ACDF00008F27000050E00001AF860090CE
63971+:107B80008F8D00848FBF001027BD001825AC000129
63972+:107B900003E00008AF8C008415E0FF828FBF001067
63973+:107BA0008F8600A0000610400046F821001F21002B
63974+:107BB00003E4C8210019384024F8143000B8402BE1
63975+:107BC0001100FF788FBF001024A4EBD00E00021329
63976+:107BD00000C0282100027942000F70803C0D08008F
63977+:107BE00025AD5F6001CD20218C8B0000304C001F43
63978+:107BF00024060001018618048F89008C016350253A
63979+:107C0000AC8A00008D25000050A00001AF84008CDC
63980+:107C10008F9800808FBF001027BD00182708000133
63981+:107C200003E00008AF88008030A5000724030003AC
63982+:107C300010A3001028A2000414400008240700022A
63983+:107C40002403000410A300152408000510A8000F49
63984+:107C50008F8500A003E000080000000014A7FFFDCE
63985+:107C60000080282114C3FFFB240400020A000B8BB0
63986+:107C700000000000240900050080282110C9FFFB36
63987+:107C80002404000303E000080000000014C5FFF115
63988+:107C9000008028210A000B8B24040005240A00011F
63989+:107CA0000080282110CAFFF12404000403E000082A
63990+:107CB0000000000027BDFFE0AFB00010000581C24A
63991+:107CC0002603FFD024C5003F2C6223D024C6007FAA
63992+:107CD000AFB20018AFB10014AFBF001C309100FF6D
63993+:107CE000000691C2000529820200202110400008F0
63994+:107CF0002403FFFF0E000A4B0000000002002021B9
63995+:107D0000022028210E000C390240302100001821E9
63996+:107D10008FBF001C8FB200188FB100148FB00010FD
63997+:107D20000060102103E0000827BD002027BDFFD818
63998+:107D300024A2007FAFB3001CAFB20018000299C2AA
63999+:107D4000309200FF24A3003F02402021026028213E
64000+:107D5000AFB10014AFB00010AFBF00200E000B6E2B
64001+:107D60000003898200408021004020210220282138
64002+:107D700014400009000018218FBF00208FB3001CA1
64003+:107D80008FB200188FB100148FB000100060102166
64004+:107D900003E0000827BD00280E0009FC00000000D9
64005+:107DA00000402821020020211051FFF3001019C0CB
64006+:107DB0000E000A4B00000000020020210240282192
64007+:107DC0000E000C39026030218FBF00208FB3001CE1
64008+:107DD0008FB200188FB100148FB00010000018216E
64009+:107DE0000060102103E0000827BD00283084FFFF59
64010+:107DF00030A5FFFF1080000700001821308200012D
64011+:107E00001040000200042042006518211480FFFB8E
64012+:107E10000005284003E000080060102110C00007A2
64013+:107E2000000000008CA2000024C6FFFF24A500046F
64014+:107E3000AC82000014C0FFFB2484000403E00008AF
64015+:107E40000000000010A0000824A3FFFFAC86000083
64016+:107E500000000000000000002402FFFF2463FFFF79
64017+:107E60001462FFFA2484000403E00008000000000C
64018+:107E700030A5FFFF8F4201B80440FFFE3C076015AC
64019+:107E800000A730253C031000AF440180AF400184BF
64020+:107E9000AF46018803E00008AF4301B88F8500D0EA
64021+:107EA0002C864000008018218CA700840087102BAE
64022+:107EB00014400010000000008CA800842D06400033
64023+:107EC00050C0000F240340008CAA0084008A482B75
64024+:107ED000512000018CA3008400035A42000B208033
64025+:107EE0003C05080024A558200085182103E000085F
64026+:107EF0008C62000014C0FFF4000000002403400066
64027+:107F000000035A42000B20803C05080024A558209D
64028+:107F10000085182103E000088C6200008F8300D0E8
64029+:107F2000906600D024C50001A06500D08F8500D0E8
64030+:107F3000906400D090A200D210440017000000000E
64031+:107F4000936C00788F8B00BC318A00FFA16A000C13
64032+:107F500025490001938700C4312200FF3048007F8B
64033+:107F60001107000B00026827A36200788F4E01788A
64034+:107F700005C0FFFE8F9900B0241800023C0F1000CE
64035+:107F8000AF590140A358014403E00008AF4F017806
64036+:107F90000A000D0931A20080A0A000D00A000CFF49
64037+:107FA000000000008F8700D027BDFFC8AFBF0030A2
64038+:107FB000AFB7002CAFB60028AFB50024AFB4002097
64039+:107FC000AFB3001CAFB20018AFB10014AFB00010D7
64040+:107FD00094E300E094E200E2104300D72405FFFFA1
64041+:107FE0003C047FFF3497FFFF2415FF800A000DF04B
64042+:107FF0003C16000E108A00D18FBF00308F9100B068
64043+:108000003C1808008F18005C001230C0001291402C
64044+:108010000311702101D57824AF4F002C94EC00E2BD
64045+:1080200031CD007F01BA5821318A7FFF0176482186
64046+:10803000000A804002091021945300003C08080007
64047+:108040008D0800580246C02132733FFF001319808B
64048+:10805000010320210224282130BF007F03FAC82118
64049+:1080600000B5A024AF54002C0336A0218E87001049
64050+:108070008E8F003003785821256D008800EF702323
64051+:10808000240C0002AE8E0010AF8D00ACA16C0088F5
64052+:10809000976A003C8E8400308F9100AC0E000CD6A5
64053+:1080A0003150FFFF00024B80020940253C02420094
64054+:1080B00001022025AE2400048E8300048F8D00ACC5
64055+:1080C0008E860000240E0008ADA3001CADA600188B
64056+:1080D000ADA0000CADA00010929F000A33F900FF84
64057+:1080E000A5B90014968500083C1F000CA5A5001634
64058+:1080F0009298000A331100FFA5B100209690000865
64059+:1081000024180005A5B00022ADA00024928F000B1A
64060+:108110002410C00031E700FFA5A70002A1AE0001B6
64061+:108120008E8C00308F8B00AC8F8400B0AD6C00085B
64062+:108130003C0A08008D4A005401444821013540247E
64063+:10814000AF4800283C0208008C4200540044302113
64064+:1081500030C3007F007AC821033F282102458821CF
64065+:10816000AF9100BCAF8500C0A23800008F8A00BC70
64066+:108170002403FFBF2418FFDF954F000201F03824CD
64067+:1081800000F37025A54E0002914D000231AC003F76
64068+:10819000358B0040A14B00028F8600BC8F8900D038
64069+:1081A000ACC000048D28007C3C098000ACC80008ED
64070+:1081B00090C4000D3082007FA0C2000D8F8500BCEE
64071+:1081C00090BF000D03E3C824A0B9000D8F9100BC3F
64072+:1081D0009233000D02789024A232000D8E9000346C
64073+:1081E0008F8B00BCAD7000108E87002C8E8F0030FE
64074+:1081F00000EF7023AD6E0014916D001831AC007F5C
64075+:10820000A16C00188F9F00BC8E8A00308FE8001888
64076+:10821000015720240109302400C41025AFE20018C2
64077+:108220009283000AA3E3001C969900088F8500BC86
64078+:108230008F9800D0A4B9001E8E9000308E8400303C
64079+:108240000E0002138F0500848F8500D0000291403C
64080+:108250000002990090AF00BC0253882100403021F9
64081+:1082600031E7000210E0000302118021000290803B
64082+:108270000212802190B900BC3327000410E00002F4
64083+:108280000006F880021F80218E9800308F8B00BC82
64084+:1082900024068000330F0003000F702331CD00034C
64085+:1082A000020D6021AD6C000494A400E294AA00E2E7
64086+:1082B00094B000E231497FFF2522000130537FFF57
64087+:1082C0000206182400734025A4A800E294A400E24A
64088+:1082D0003C1408008E94006030917FFF123400221D
64089+:1082E000000000000E000CF6000000008F8700D098
64090+:1082F0000000282194F300E094F000E21213000F34
64091+:108300008FBF003090E900D090E800D1313200FFFB
64092+:10831000310400FF0244302B14C0FF36264A00010E
64093+:1083200090EE00D2264B000131CD00FF008D602180
64094+:10833000158BFF338F9100B08FBF00308FB7002CAB
64095+:108340008FB600288FB500248FB400208FB3001C97
64096+:108350008FB200188FB100148FB0001000A0102150
64097+:1083600003E0000827BD003894A300E20066402423
64098+:10837000A4A800E290A400E290B900E2309100FFCE
64099+:108380000011A1C20014F827001F39C03332007F4A
64100+:10839000024730250A000DE8A0A600E23084FFFF66
64101+:1083A00030A5FFFFAF440018AF45001C03E00008F4
64102+:1083B0008F42001427BDFFB8AFB000208F9000D0CF
64103+:1083C0003084FFFFAFA40010AFBF0044AFBE004039
64104+:1083D000AFB7003CAFB60038AFB50034AFB4003033
64105+:1083E000AFB3002CAFB20028AFB10024A7A0001893
64106+:1083F000920600D1920500D030C400FF30A300FFE8
64107+:108400000064102B10400122AFA00014920900D08C
64108+:108410008FB50010312800FF0088382324F4FFFFB7
64109+:108420000014882B0015982B02339024524001260B
64110+:108430008FB40014961E0012961F00108FB7001004
64111+:1084400003DFC823001714000019C400000224032E
64112+:108450000018140302E2B02A52C00001004020219B
64113+:108460000284282B10A0000200801821028018210D
64114+:1084700000033C0000071C033064FFFF2C8600094A
64115+:1084800014C000020060B821241700088E0A0008FA
64116+:10849000001769808E09000C31ABFFFF3C0C001007
64117+:1084A000016C402527520400AF4A0038AF9200B853
64118+:1084B000AF49003CAF480030000000000000000061
64119+:1084C00000000000000000000000000000000000AC
64120+:1084D00000000000000000008F4F000031EE00207F
64121+:1084E00011C0FFFD0017982A027110240A000E83A4
64122+:1084F0000000B02155E001019258000131130080C5
64123+:10850000126001CF012020219655001232A5FFFFF5
64124+:108510000E000CCBA7B500188F9000D00291A023BD
64125+:1085200026CD00018F9100B8000DB4000016B403F1
64126+:108530002638004002D7582A0014882B2405000151
64127+:108540000300902101711024AF9800B8AFA500146A
64128+:10855000104001BC8F8900B03C0C08008D8C005489
64129+:10856000240BFF80921E00D001895021014B28244A
64130+:10857000921900D0AF4500288E4700103C08080033
64131+:108580008D0800583C1808008F18005430E33FFF56
64132+:108590000003218001043021012658212402FF809C
64133+:1085A0000162F824920C00D0AF5F002C92480000CA
64134+:1085B00033D100FF333500FF0309982100117140CA
64135+:1085C000001578C0326D007F01CF382101BA282113
64136+:1085D000318300FF3164007F3C0A000C00AA88212F
64137+:1085E0000367F02100033140009A10213108003F59
64138+:1085F0003C1F000E00D1C021005F982127D90088C0
64139+:108600002D150008AF9100C0AF9900ACAF9800BC29
64140+:10861000AF9300B412A0018A00008821240E00014B
64141+:10862000010E4004310D005D11A0FFB2310F0002B8
64142+:108630008E4A00283C0300803C04FFEFAE6A000035
64143+:108640008E450024A260000A3488FFFFAE65000456
64144+:108650009247002C3C1FFF9F37FEFFFFA267000CD4
64145+:108660008E62000C3C180040A267000B00433025CE
64146+:1086700000C8C824033E88240238A825AE75000C23
64147+:108680008E490004AE6000183C0F00FFAE69001474
64148+:108690008E4D002C35EEFFFF8F8B00B001AE6024B5
64149+:1086A000AE6C00108E470008A660000896450012C8
64150+:1086B000AE6700208E42000C30B03FFF00105180AA
64151+:1086C000AE6200248E5E0014014B182130A400011C
64152+:1086D000AE7E00288E590018000331C2000443808A
64153+:1086E000AE79002C8E51001C00C8F821A67F001C1A
64154+:1086F000AE710030965800028E550020A678001EFC
64155+:10870000AE75003492490033313000045600000544
64156+:10871000925000008F8C00D08D8B007CAE6B0030AF
64157+:10872000925000008F8F00BCA1F00000924E0033E9
64158+:1087300031CD000251A00007925E00018F8900BC7C
64159+:108740002418FF80913100000311A825A1350000F5
64160+:10875000925E00018F9900BC2409FFBF240BFFDF4C
64161+:10876000A33E00018F9500BC92B8000D3311007F2D
64162+:10877000A2B1000D8F8E00BC91D0000D02097824AB
64163+:10878000A1CF000D8F8800BC8E6D0014910A000DE2
64164+:108790002DAC0001000C2940014B382400E51825C0
64165+:1087A000A103000D964200128F8800BC8F8700D075
64166+:1087B000A50200028E45000490FF00BC30A4000317
64167+:1087C0000004302330DE000300BE102133F9000224
64168+:1087D00017200002244400342444003090E200BCFE
64169+:1087E00000A2302430DF000417E0000224830004DC
64170+:1087F000008018218F8F00AC24090002AD03000413
64171+:10880000A1E90000924E003F8F8D00ACA1AE0001A7
64172+:108810008F9500AC924C003F8E440004A6AC000241
64173+:10882000976B003C0E000CD63170FFFF00025380A6
64174+:10883000020A38253C05420000E51825AEA30004D5
64175+:108840008F8600AC8E480038ACC800188E440034C7
64176+:10885000ACC4001CACC0000CACC00010A4C0001420
64177+:10886000A4C00016A4C00020A4C00022ACC00024F4
64178+:108870008E6400145080000124040001ACC4000880
64179+:108880000E000CF6241100010A000E768F9000D025
64180+:10889000920F00D2920E00D08FB5001031EB00FF86
64181+:1088A00031CD00FF008D6023016C50212554FFFF66
64182+:1088B0000014882B0015982B023390241640FEDDFF
64183+:1088C000000000008FB400148FBF00448FBE004032
64184+:1088D0003A8200018FB7003C8FB600388FB5003464
64185+:1088E0008FB400308FB3002C8FB200288FB10024DA
64186+:1088F0008FB0002003E0000827BD0048331100209E
64187+:10890000122000EF24150001921E00BC241F00015C
64188+:108910000000A82133D900011320000DAFBF001CB7
64189+:108920008E4400148E0800840088102B144000022E
64190+:10893000008030218E0600848E03006400C3A82BC3
64191+:1089400016A0000200C020218E0400640080A8212F
64192+:108950008E4700148E05006400E5302B14C0000221
64193+:1089600000E020218E0400640095F02313C0000471
64194+:108970008FAC001C240A0002AFAA001C8FAC001CA4
64195+:10898000028C582B156000A8000018218E4F00386B
64196+:108990008E6D000C3C0E0080AE6F00008E4A0034DD
64197+:1089A0003C10FF9F01AE5825AE6A00049246003F7E
64198+:1089B000360CFFFF016C38243C0500203C03FFEF20
64199+:1089C000A266000B00E510253468FFFF8F8700B812
64200+:1089D0000048F8243C04000803E4C825AE79000CE4
64201+:1089E0008CF80014AE60001802BE7821AE78001436
64202+:1089F0008CF10018AE71001C8CE90008AE690024EF
64203+:108A00008CEE000CAE6F002CAE600028AE6E002025
64204+:108A1000A6600038A660003A8CED001401B58023F2
64205+:108A2000021E902312400011AE72001090EA003D29
64206+:108A30008E6500048E640000000A310000A6C82183
64207+:108A4000000010210326402B0082F82103E8C021FA
64208+:108A5000AE790004AE78000090F1003DA271000AEA
64209+:108A60008F8900B895320006A67200088F9800AC76
64210+:108A70002419000202A02021A31900009769003CDC
64211+:108A80008F9200AC0E000CD63131FFFF00027B80CC
64212+:108A90008F8500B8022F68253C0E420001AE80256C
64213+:108AA000AE5000048F8400AC8CAC0038AC8C001845
64214+:108AB0008CAB0034AC8B001CAC80000CAC80001084
64215+:108AC000A4800014A4800016A4800020A4800022AA
64216+:108AD000AC80002490A7003FA487000212A00135BB
64217+:108AE0002403000153C0000290A2003D90A2003E6A
64218+:108AF00024480001A08800018F9F00ACAFF500085A
64219+:108B00008F8300D024070034906600BC30C500027B
64220+:108B100050A00001240700308F9200B88F8A00BC5B
64221+:108B2000906D00BC924B00002412C00032A50003DF
64222+:108B3000A14B00008F8600B88F8800BC240200047F
64223+:108B400090C400010045182330790003A1040001FE
64224+:108B50008F8A00BC8F9F00B800F53821955800021D
64225+:108B600097E9001200F9382103128824312F3FFFC2
64226+:108B7000022F7025A54E00029150000231A800047A
64227+:108B8000320C003F358B0040A14B000212A00002C6
64228+:108B90008F8500BC00E838218F8E00D0ACA7000480
64229+:108BA000240BFFBF8DCD007C2EA400012403FFDF2A
64230+:108BB000ACAD000890B0000D00044140320C007FC5
64231+:108BC000A0AC000D8F8600BC90CA000D014B102494
64232+:108BD000A0C2000D8F8700BC90E5000D00A3F82413
64233+:108BE00003E8C825A0F9000D8F9100B88F8D00BC57
64234+:108BF0008E380020ADB800108E290024ADA90014D5
64235+:108C00008E2F0028ADAF00188E2E002C0E000CF613
64236+:108C1000ADAE001C8FB0001C240C0002120C00EE44
64237+:108C20008F9000D08FA3001C006088211460000288
64238+:108C30000060A8210000A02156A0FE390291A023C7
64239+:108C40000014882B8FA90010960700103C1E0020EE
64240+:108C50000136402302C750213112FFFFA60A00103F
64241+:108C6000AFB20010AF5E0030000000009617001099
64242+:108C7000961300121277008F000000008E05000C82
64243+:108C80008E0B00080016698000AD7021000DC7C36F
64244+:108C900001CDA82B0178782101F56021AE0E000CE2
64245+:108CA000AE0C00088FB300100013B82B02378024DD
64246+:108CB0001200FF048F9000D00A000E3C000000005C
64247+:108CC0008E4D0038A6600008240B0003AE6D000036
64248+:108CD0008E500034A260000A8F9800B8AE70000475
64249+:108CE0003C0500809311003FA26B000C8E6F000CBE
64250+:108CF0003C0EFF9FA271000B01E5102535CCFFFF54
64251+:108D00003C03FFEF8F9200B8004C30243464FFFF27
64252+:108D100000C4F824AE7F000C8E590014964800124F
64253+:108D20008F8A00B0AE7900108E490014AE60001832
64254+:108D3000AE600020AE690014AE6000248E470018BB
64255+:108D400031093FFF0009F180AE6700288E4D000811
64256+:108D500003CA802131180001AE6D00308E4F000C27
64257+:108D60008F8C00AC001089C200185B80022B282178
64258+:108D7000240E0002A665001CA6600036AE6F002C13
64259+:108D8000A18E00009763003C8F8A00AC3C04420037
64260+:108D90003062FFFF00443025AD4600048F9F00B8CD
64261+:108DA000240700012411C0008FF30038240600348A
64262+:108DB000AD5300188FF90034AD59001CAD40000CC4
64263+:108DC000AD400010A5400014A5400016A5400020AD
64264+:108DD000A5400022AD400024A5550002A147000196
64265+:108DE0008F9E00AC8F8800B88F9200BCAFD5000872
64266+:108DF000910D0000A24D00008F9000B88F8B00BC39
64267+:108E000092180001A17800018F8400BC94850002B3
64268+:108E100000B1782401E97025A48E0002908C000234
64269+:108E20003183003FA08300028F8300D08F8400BC79
64270+:108E3000906200BC305300025260000124060030F2
64271+:108E4000AC8600048C6F007C2403FFBF02A0882145
64272+:108E5000AC8F0008908E000D31CC007FA08C000DEF
64273+:108E60008F8600BC90C2000D00432024A0C4000DDA
64274+:108E70008F8900BC913F000D37F90020A139000D0A
64275+:108E80008F8800B88F9300BC8D070020AE6700105C
64276+:108E90008D0A0024AE6A00148D1E0028AE7E0018D4
64277+:108EA0008D12002C0E000CF6AE72001C0A00103D54
64278+:108EB0008F9000D0960E00148E03000431CCFFFF7B
64279+:108EC000000C10C000622021AF44003C8E1F000443
64280+:108ED0008F46003C03E6C8231B20003C0000000036
64281+:108EE0008E0F000025E200013C05001034B500089B
64282+:108EF000AF420038AF550030000000000000000015
64283+:108F00000000000000000000000000000000000061
64284+:108F100000000000000000008F580000330B00200C
64285+:108F20001160FFFD000000008F5304003C0D002085
64286+:108F3000AE1300088F570404AE17000CAF4D00307D
64287+:108F4000000000003C0608008CC600442416000106
64288+:108F500010D600BD00000000961F00123C0508005E
64289+:108F60008CA5004000BFC821A61900129609001464
64290+:108F700025270001A6070014960A00143144FFFFBC
64291+:108F80005486FF498FB30010A60000140E000E1681
64292+:108F900030A5FFFF3C0408008C84002496030012D7
64293+:108FA0000044102300623023A60600120A00105964
64294+:108FB0008FB30010A08300018F8200AC2404000155
64295+:108FC000AC4400080A000FF08F8300D08E0200002E
64296+:108FD0000A0010EA3C0500108F8200C08FA7001C19
64297+:108FE000921800D0920B00D0920E00D0331100FFE7
64298+:108FF000316900FF00117940000928C001E56021B6
64299+:1090000031C300FF036C50210003314000C2C8216E
64300+:10901000255F0088AF9F00ACAF9900BCA1470088D6
64301+:109020009768003C03C020218F9100AC0E000CD645
64302+:109030003110FFFF00026B80020DC0253C0442008E
64303+:109040008F8D00B803045825AE2B00048DA900387D
64304+:109050008F8B00AC0000882100118100AD690018E1
64305+:109060008DAF00343C087FFF3504FFFFAD6F001C5F
64306+:1090700091AC003E8D65001C8D660018000C190037
64307+:10908000000C770200A33821020E102500E3F82B14
64308+:1090900000C2C821033F5021AD67001CAD6A001813
64309+:1090A000AD60000CAD60001091B8003E24050005D5
64310+:1090B00003C45024A578001495A9000403C02021FE
64311+:1090C000A569001691AF003EA56F002095B1000480
64312+:1090D000A5710022AD60002491AE003FA56E000294
64313+:1090E00091B0003E91AC003D01901023244300015B
64314+:1090F000A16300018F8600AC8F9F00BCACDE00082E
64315+:10910000A3E500008F9000BC8F9900B82405FFBF35
64316+:1091100096070002973800120247782433093FFF70
64317+:1091200001E98825A6110002921200022418FFDF2F
64318+:10913000324E003F35CD0040A20D00028F8600BCAC
64319+:109140008F8C00D02412FFFFACC000048D8B007CFC
64320+:109150003C0C8000ACCB000890C2000D3043007F77
64321+:10916000A0C3000D8F8700BC90FF000D03E5C8244D
64322+:10917000A0F9000D8F9100BC9229000D01387824D0
64323+:10918000A22F000D8F9000BCAE120010AE1500147F
64324+:10919000920E00182415FF8002AE6825A20D00185B
64325+:1091A0008F8500BC8F8300B88CAB0018016C102435
64326+:1091B000004A3025ACA600189068003EA0A8001C0C
64327+:1091C0008F9F00B88F8700BC8F9800D097F900045C
64328+:1091D000A4F9001E0E0002138F0500848F8600D0B4
64329+:1091E000000279400002490090D200BC01E98821C8
64330+:1091F000004028213255000212A0000303D1202193
64331+:109200000002A8800095202190CD00BC31B200045E
64332+:109210001240000333DF0003000540800088202156
64333+:10922000240600048F9E00BC00DFC8233327000300
64334+:1092300000875021AFCA00040E000CF6A665003866
64335+:109240000A0010388F9000D0961E00123C080800CB
64336+:109250008D080024011E9021A61200120A00105948
64337+:109260008FB3001027BDFFE03C1808008F18005096
64338+:10927000AFB00010AFBF0018AFB10014AF8400B0A2
64339+:1092800093710074030478212410FF8031EE007F75
64340+:109290003225007F01F0582401DA68213C0C000AD5
64341+:1092A000A38500C401AC2821AF4B002494A9001071
64342+:1092B0009768000690A600620080382124020030E2
64343+:1092C0000109202330C300F0AF8500D010620019DF
64344+:1092D0003090FFFF90AE0062240DFFF0240A005092
64345+:1092E00001AE6024318B00FF116A002F00000000E6
64346+:1092F00016000007241F0C00AF5F00248FB100147C
64347+:109300008FBF00188FB0001003E0000827BD0020B9
64348+:109310000E000E1C02002021241F0C00AF5F002451
64349+:109320008FB100148FBF00188FB0001003E0000849
64350+:1093300027BD002094A200E094A400E290BF011396
64351+:10934000008218263079FFFF33E700C014E00009DF
64352+:109350002F31000116000038000000005620FFE603
64353+:10936000241F0C000E000D18000000000A0011ED73
64354+:10937000241F0C001620FFDE000000000E000D1858
64355+:10938000000000001440FFDC241F0C001600002227
64356+:109390008F8300D0906901133122003FA062011336
64357+:1093A0000A0011ED241F0C0094AF00D48F8600D466
64358+:1093B00000E02821240400050E000C5C31F0FFFFC2
64359+:1093C0001440000524030003979100E600001821D3
64360+:1093D0002625FFFFA78500E68F5801B80700FFFE8E
64361+:1093E0003C196013AF400180241F0C00AF50018472
64362+:1093F000007938253C101000AF4701888FB1001468
64363+:10940000AF5001B8AF5F00248FB000108FBF0018BD
64364+:1094100003E0000827BD00200E000E1C02002021E2
64365+:109420005040FFB5241F0C008F8300D090690113BA
64366+:109430000A0012163122003F0E000E1C02002021ED
64367+:109440001440FFAD241F0C00122000078F8300D0B2
64368+:10945000906801133106003F34C20040A06201133E
64369+:109460000A0011ED241F0C000E000D180000000072
64370+:109470005040FFA1241F0C008F8300D0906801137F
64371+:109480003106003F0A00124634C20040AF9B00C8BC
64372+:1094900003E00008AF8000EC3089FFFF0009404284
64373+:1094A0002D020041000921801440000200095040B3
64374+:1094B00024080040000830C0000811400046582130
64375+:1094C000256701A800E2C821272F007F2418FF800C
64376+:1094D00001F818240064302100CA702125CC00FF57
64377+:1094E000240DFF00018D202425650088240A0088B2
64378+:1094F0003C010800AC2A004C3C010800AC2500509F
64379+:10950000AF8400D43C010800AC2900603C01080095
64380+:10951000AC2800643C010800AC2700543C01080062
64381+:10952000AC2300583C010800AC26005C03E00008B6
64382+:1095300000000000308300FF30C6FFFF30E400FF72
64383+:109540008F4201B80440FFFE00034C00012438257F
64384+:109550003C08600000E820253C031000AF45018076
64385+:10956000AF460184AF44018803E00008AF4301B86F
64386+:109570008F86001C3C096012352700108CCB00043C
64387+:109580003C0C600E35850010316A00062D48000144
64388+:10959000ACE800C48CC40004ACA431808CC20008C8
64389+:1095A00094C30002ACA2318403E00008A78300E466
64390+:1095B0003C0308008C6300508F8400E88F86001CF9
64391+:1095C0002402FF800064C0210302C824AF59002890
64392+:1095D0008CCD00043305007F00BA78213C0E000CCE
64393+:1095E00001EE2821ACAD00588CC80008AF8500D032
64394+:1095F0003C076012ACA8005C8CCC001034E8001072
64395+:10960000ACAC000C8CCB000CACAB000894AA0014E2
64396+:109610003C0208008C42004425490001A4A9001422
64397+:1096200094A400143083FFFF106200178F8400D0D1
64398+:109630003C0A08008D4A0040A4AA00128CCE0018F3
64399+:10964000AC8E00248CCD0014AC8D00208CC700188B
64400+:10965000AC87002C8CCC001424060001AC8C0028B4
64401+:109660008D0B00BC5166001A8D0200B48D0200B84B
64402+:10967000A482003A948F003AA48F003C948800D4CE
64403+:1096800003E000083102FFFF3C0908008D29002497
64404+:10969000A4A000148F8400D0A4A900128CCE0018BE
64405+:1096A000AC8E00248CCD0014AC8D00208CC700182B
64406+:1096B000AC87002C8CCC001424060001AC8C002854
64407+:1096C0008D0B00BC5566FFEA8D0200B88D0200B418
64408+:1096D000A482003A948F003AA48F003C948800D46E
64409+:1096E00003E000083102FFFF8F86001C3C0C0800DD
64410+:1096F0008D8C0050240BFF808CCD00083C03000CA7
64411+:10970000000D51C0018A4021010B4824AF8A00E8B6
64412+:10971000AF49002890C700073105007F00BA10212B
64413+:109720000043282130E4000410800039AF8500D0C8
64414+:1097300090CF000731EE000811C000380000000093
64415+:109740008CD9000C8CC400140324C02B13000030EF
64416+:10975000000000008CC2000CACA200648CCD00188C
64417+:109760002402FFF8ACAD00688CCC0010ACAC0080DB
64418+:109770008CCB000CACAB00848CCA001CACAA007C67
64419+:1097800090A900BC01224024A0A800BC90C30007FF
64420+:109790003067000810E000048F8500D090AF00BC57
64421+:1097A00035EE0001A0AE00BC90D9000733380001AF
64422+:1097B000130000088F8300D08F8700D0240400346A
64423+:1097C00090E800BC35030002A0E300BC8F8300D00A
64424+:1097D000AC6400C090C900073126000210C000052B
64425+:1097E00000000000906A00BC35420004A06200BC8A
64426+:1097F0008F8300D09065011330AD003FA06D011341
64427+:109800008F8C00D0958B00D403E000083162FFFFFD
64428+:109810008CC200140A001305000000000A001306A1
64429+:10982000ACA0006427BDFFD8AFB000108F90001C23
64430+:10983000AFBF0024AFB40020AFB20018AFB1001426
64431+:10984000AFB3001C9613000E3C07600A3C14600680
64432+:109850003264FFFF369300100E00125534F40410EA
64433+:109860008F8400D43C11600E0E00099B363100102D
64434+:10987000920E00153C0708008CE700603C12601255
64435+:1098800031CD000FA38D00F08E0E00048E0D000868
64436+:1098900096080012961F00109619001A9618001EBE
64437+:1098A000960F001C310CFFFF33EBFFFF332AFFFF45
64438+:1098B0003309FFFF31E6FFFF3C010800AC2B0040FD
64439+:1098C0003C010800AC2C00243C010800AC2A0044F8
64440+:1098D000AE293178AE26317C92020015960300162F
64441+:1098E00036520010304400FF3065FFFF3C06080090
64442+:1098F0008CC60064AE243188AE4500B492080014D2
64443+:1099000096190018241F0001011FC004332FFFFF08
64444+:109910003C0508008CA50058AE5800B8AE4F00BCFE
64445+:10992000920C0014AF8E00D8AF8D00DC318B00FF9D
64446+:10993000AE4B00C0920A0015AE670048AE66004C00
64447+:10994000314900FFAE4900C8AE65007C3C03080009
64448+:109950008C6300503C0408008C84004C3C080800D8
64449+:109960008D0800543C0208008C42005C8FBF00242C
64450+:10997000AE6300808FB00010AE8300748FB3001C04
64451+:10998000AE22319CAE4200DCAE2731A0AE2631A41F
64452+:10999000AE24318CAE233190AE283194AE2531986F
64453+:1099A000AE870050AE860054AE8500708FB10014B3
64454+:1099B000AE4700E0AE4600E4AE4400CCAE4300D07B
64455+:1099C000AE4800D4AE4500D88FB400208FB2001846
64456+:1099D00003E0000827BD002827BDFFE0AFB1001459
64457+:1099E000AFBF0018241100010E000845AFB00010F1
64458+:1099F00010510005978400E6978300CC0083102B5C
64459+:109A0000144000088F8500D4240700028FBF00187F
64460+:109A10008FB100148FB0001000E0102103E00008A7
64461+:109A200027BD00200E000C7A24040005AF8200E858
64462+:109A30001040FFF6240700020E0008498F90001C1A
64463+:109A4000979F00E68F9900E88F8D00C827EF0001EF
64464+:109A5000240E0050AF590020A78F00E6A1AE0000F1
64465+:109A60003C0C08008D8C00648F8600C8240A80009E
64466+:109A7000000C5E00ACCB0074A4C0000694C9000AC0
64467+:109A8000241FFF803C0D000C012AC024A4D8000A2A
64468+:109A900090C8000A24182000011F1825A0C3000A3E
64469+:109AA0008F8700C8A0E000788F8500C800003821AB
64470+:109AB000A0A000833C0208008C4200508F8400E884
64471+:109AC0000044782101FFC824AF590028960B0002FA
64472+:109AD00031EE007F01DA6021018D3021A4CB00D46A
64473+:109AE000960A0002AF8600D03C0E000425492401EE
64474+:109AF000A4C900E68E080004ACC800048E03000868
64475+:109B0000ACC30000A4C00010A4C00014A0C000D0CA
64476+:109B10008F8500D02403FFBFA0A000D13C04080023
64477+:109B20008C8400648F8200D0A04400D28E1F000C71
64478+:109B30008F8A00D0978F00E4AD5F001C8E19001053
64479+:109B400024100030AD590018A5400030A551005434
64480+:109B5000A5510056A54F0016AD4E0068AD580080C7
64481+:109B6000AD580084914D006231AC000F358B001070
64482+:109B7000A14B00628F8600D090C900633128007F1E
64483+:109B8000A0C800638F8400D02406FFFF9085006387
64484+:109B900000A31024A08200638F9100D000E0102168
64485+:109BA000923F00BC37F90001A23900BC8F8A00D077
64486+:109BB000938F00F0AD580064AD5000C0914E00D3BB
64487+:109BC000000F690031CC000F018D5825A14B00D347
64488+:109BD0008F8500D08F8900DCACA900E88F8800D881
64489+:109BE0008FBF00188FB100148FB0001027BD002068
64490+:109BF000ACA800ECA4A600D6A4A000E0A4A000E2BB
64491+:109C000003E000080000000027BDFFE0AFB0001037
64492+:109C10008F90001CAFB10014AFBF00188E19000464
64493+:109C20003C1808008F180050240FFF80001989C0CD
64494+:109C30000238702131CD007F01CF602401BA50215C
64495+:109C40003C0B000CAF4C0028014B4021950900D47F
64496+:109C5000950400D68E0700043131FFFFAF8800D095
64497+:109C60000E000913000721C08E0600048F8300C870
64498+:109C7000000629C0AF4500209064003E30820040BD
64499+:109C8000144000068F8400D0341FFFFF948300D659
64500+:109C90003062FFFF145F000400000000948400D6CF
64501+:109CA0000E0008A83084FFFF8E050004022030213A
64502+:109CB0008FBF00188FB100148FB000102404002251
64503+:109CC00000003821000529C00A00127C27BD0020B1
64504+:109CD00027BDFFE0AFB100143091FFFFAFB000101F
64505+:109CE000AFBF00181220001D000080218F86001CCD
64506+:109CF0008CC500002403000600053F020005140285
64507+:109D000030E4000714830015304500FF2CA800063E
64508+:109D10001100004D000558803C0C0800258C57D4DC
64509+:109D2000016C50218D490000012000080000000056
64510+:109D30008F8E00EC240D000111CD005900000000B1
64511+:109D4000260B00013170FFFF24CA00200211202BD6
64512+:109D5000014030211480FFE6AF8A001C0200102170
64513+:109D60008FBF00188FB100148FB0001003E00008FF
64514+:109D700027BD0020938700CE14E00038240400148F
64515+:109D80000E001338000000008F86001C2402000122
64516+:109D90000A00147FAF8200EC8F8900EC24080002D7
64517+:109DA0001128003B2404001300002821000030216A
64518+:109DB000240700010E00127C000000000A00147F3E
64519+:109DC0008F86001C8F8700EC2405000214E5FFF647
64520+:109DD000240400120E0012E9000000008F8500E844
64521+:109DE00000403021240400120E00127C00003821B3
64522+:109DF0000A00147F8F86001C8F8300EC241F000351
64523+:109E0000147FFFD0260B00010E00129B0000000003
64524+:109E10008F8500E800403021240200022404001055
64525+:109E200000003821AF8200EC0E00127C0000000020
64526+:109E30000A00147F8F86001C8F8F00EC240600021E
64527+:109E400011E6000B0000000024040010000028218F
64528+:109E5000000030210A00149C240700010000282182
64529+:109E60000E00127C000030210A00147F8F86001C37
64530+:109E70000E0013A500000000144000128F99001C72
64531+:109E80008F86001C240200030A00147FAF8200ECBE
64532+:109E90000E001431000000000A00147F8F86001CA1
64533+:109EA0000E00128B000000002402000224040014A3
64534+:109EB0000000282100003021000038210A0014B9D8
64535+:109EC000AF8200EC004038212404001097380002D3
64536+:109ED000000028210E00127C3306FFFF0A00147FC9
64537+:109EE0008F86001C8F8400C83C077FFF34E6FFFF8D
64538+:109EF0008C8500742402000100A61824AC83007431
64539+:109F000003E00008A082000510A000362CA200800B
64540+:109F1000274A04003C0B000524090080104000077C
64541+:109F20002408008030A6000F00C540212D030081C9
64542+:109F30001460000200A0482124080080AF4B0030CC
64543+:109F400000000000000000000000000011000009F7
64544+:109F500000003821014030218C8D000024E70004EE
64545+:109F600000E8602BACCD0000248400041580FFFACB
64546+:109F700024C60004000000000000000000000000F3
64547+:109F80003C0E0006010E3825AF47003000000000EF
64548+:109F900000000000000000008F4F000031E80010BA
64549+:109FA0001100FFFD000000008F42003C8F43003C89
64550+:109FB0000049C8210323C02B130000040000000047
64551+:109FC0008F4C003825860001AF4600388F47003C93
64552+:109FD00000A9282300E96821AF4D003C14A0FFCE62
64553+:109FE0002CA2008003E000080000000027BDFFD085
64554+:109FF0003C020002AFB100143C11000CAF45003828
64555+:10A00000AFB3001CAF46003C00809821AF42003047
64556+:10A0100024050088AF44002803512021AFBF002849
64557+:10A02000AFB50024AFB40020AFB200180E0014F199
64558+:10A03000AFB000103C1F08008FFF004C3C18080018
64559+:10A040008F1800642410FF8003F3A82132B9007F29
64560+:10A0500002B078240018A0C0033A70210018914083
64561+:10A0600001D12021AF4F00280E0014F10254282105
64562+:10A070003C0D08008DAD00502405012001B358218E
64563+:10A08000316C007F01705024019A48210131202158
64564+:10A090000E0014F1AF4A00283C0808008D08005457
64565+:10A0A0003C0508008CA500640113382130E6007FD0
64566+:10A0B00000F0182400DA202100912021AF4300286D
64567+:10A0C0000E0014F1000529403C0208008C420058A3
64568+:10A0D0003C1008008E1000601200001C0053882104
64569+:10A0E0002415FF800A0015743C14000C3226007FF2
64570+:10A0F0000235182400DA202102402821AF4300282D
64571+:10A10000009420210E0014F12610FFC01200000F51
64572+:10A11000023288212E05004110A0FFF42412100005
64573+:10A120003226007F001091800235182400DA2021A9
64574+:10A1300002402821AF430028009420210E0014F192
64575+:10A14000000080211600FFF3023288213C0B08003A
64576+:10A150008D6B005C240AFF802405000201734021FE
64577+:10A16000010A4824AF4900283C0408009484006296
64578+:10A170003110007F021A88213C07000C0E000CAA47
64579+:10A180000227982100402821026020218FBF00284B
64580+:10A190008FB500248FB400208FB3001C8FB200183D
64581+:10A1A0008FB100148FB000100A0014F127BD0030E9
64582+:10A1B0008F83001C8C62000410400003000000002C
64583+:10A1C00003E00008000000008C6400108C650008AB
64584+:10A1D0000A00152A8C66000C000000000000001B1D
64585+:10A1E0000000000F0000000A000000080000000648
64586+:10A1F000000000050000000500000004000000044D
64587+:10A200000000000300000003000000030000000342
64588+:10A210000000000300000002000000020000000235
64589+:10A220000000000200000002000000020000000226
64590+:10A230000000000200000002000000020000000216
64591+:10A240000000000200000002000000020000000206
64592+:10A2500000000001000000010000000108000F24C0
64593+:10A2600008000D6C08000FB80800106008000F4CC3
64594+:10A2700008000F8C0800119408000D88080011B820
64595+:10A2800008000DD8080015540800151C08000D889A
64596+:10A2900008000D8808000D880800124008001240D0
64597+:10A2A00008000D8808000D88080014E008000D88DB
64598+:10A2B00008000D8808000D8808000D88080013B4F8
64599+:10A2C00008000D8808000D8808000D8808000D881A
64600+:10A2D00008000D8808000D8808000D8808000D880A
64601+:10A2E00008000D8808000D8808000D8808000D88FA
64602+:10A2F00008000D8808000D8808000FAC08000D88C4
64603+:10A3000008000D880800167808000D8808000D88E0
64604+:10A3100008000D8808000D8808000D8808000D88C9
64605+:10A3200008000D8808000D8808000D8808000D88B9
64606+:10A3300008000D8808000D8808000D8808000D88A9
64607+:10A3400008000D8808000D8808000D88080014100A
64608+:10A3500008000D8808000D8808001334080012A4B6
64609+:10A3600008001E2C08001EFC08001F1408001F28EF
64610+:10A3700008001F3808001E2C08001E2C08001E2C88
64611+:10A3800008001ED808002E1408002E1C08002DE41A
64612+:10A3900008002DF008002DFC08002E08080052F4DB
64613+:10A3A000080052B40800528008005254080052308D
64614+:10A3B000080051EC0A000C840000000000000000BE
64615+:10A3C0000000000D727870362E322E33000000002F
64616+:10A3D000060203030000000000000001000000006E
64617+:10A3E000000000000000000000000000000000006D
64618+:10A3F000000000000000000000000000000000005D
64619+:10A40000000000000000000000000000000000004C
64620+:10A41000000000000000000000000000000000003C
64621+:10A42000000000000000000000000000000000002C
64622+:10A43000000000000000000000000000000000001C
64623+:10A44000000000000000000000000000000000000C
64624+:10A4500000000000000000000000000000000000FC
64625+:10A4600000000000000000000000000000000000EC
64626+:10A4700000000000000000000000000000000000DC
64627+:10A4800000000000000000000000000000000000CC
64628+:10A4900000000000000000000000000000000000BC
64629+:10A4A00000000000000000000000000000000000AC
64630+:10A4B000000000000000000000000000000000009C
64631+:10A4C000000000000000000000000000000000008C
64632+:10A4D000000000000000000000000000000000007C
64633+:10A4E000000000000000000000000000000000006C
64634+:10A4F000000000000000000000000000000000005C
64635+:10A50000000000000000000000000000000000004B
64636+:10A51000000000000000000000000000000000003B
64637+:10A52000000000000000000000000000000000002B
64638+:10A53000000000000000000000000000000000001B
64639+:10A54000000000000000000000000000000000000B
64640+:10A5500000000000000000000000000000000000FB
64641+:10A5600000000000000000000000000000000000EB
64642+:10A5700000000000000000000000000000000000DB
64643+:10A5800000000000000000000000000000000000CB
64644+:10A5900000000000000000000000000000000000BB
64645+:10A5A00000000000000000000000000000000000AB
64646+:10A5B000000000000000000000000000000000009B
64647+:10A5C000000000000000000000000000000000008B
64648+:10A5D000000000000000000000000000000000007B
64649+:10A5E000000000000000000000000000000000006B
64650+:10A5F000000000000000000000000000000000005B
64651+:10A60000000000000000000000000000000000004A
64652+:10A61000000000000000000000000000000000003A
64653+:10A62000000000000000000000000000000000002A
64654+:10A63000000000000000000000000000000000001A
64655+:10A64000000000000000000000000000000000000A
64656+:10A6500000000000000000000000000000000000FA
64657+:10A6600000000000000000000000000000000000EA
64658+:10A6700000000000000000000000000000000000DA
64659+:10A6800000000000000000000000000000000000CA
64660+:10A6900000000000000000000000000000000000BA
64661+:10A6A00000000000000000000000000000000000AA
64662+:10A6B000000000000000000000000000000000009A
64663+:10A6C000000000000000000000000000000000008A
64664+:10A6D000000000000000000000000000000000007A
64665+:10A6E000000000000000000000000000000000006A
64666+:10A6F000000000000000000000000000000000005A
64667+:10A700000000000000000000000000000000000049
64668+:10A710000000000000000000000000000000000039
64669+:10A720000000000000000000000000000000000029
64670+:10A730000000000000000000000000000000000019
64671+:10A740000000000000000000000000000000000009
64672+:10A7500000000000000000000000000000000000F9
64673+:10A7600000000000000000000000000000000000E9
64674+:10A7700000000000000000000000000000000000D9
64675+:10A7800000000000000000000000000000000000C9
64676+:10A7900000000000000000000000000000000000B9
64677+:10A7A00000000000000000000000000000000000A9
64678+:10A7B0000000000000000000000000000000000099
64679+:10A7C0000000000000000000000000000000000089
64680+:10A7D0000000000000000000000000000000000079
64681+:10A7E0000000000000000000000000000000000069
64682+:10A7F0000000000000000000000000000000000059
64683+:10A800000000000000000000000000000000000048
64684+:10A810000000000000000000000000000000000038
64685+:10A820000000000000000000000000000000000028
64686+:10A830000000000000000000000000000000000018
64687+:10A840000000000000000000000000000000000008
64688+:10A8500000000000000000000000000000000000F8
64689+:10A8600000000000000000000000000000000000E8
64690+:10A8700000000000000000000000000000000000D8
64691+:10A8800000000000000000000000000000000000C8
64692+:10A8900000000000000000000000000000000000B8
64693+:10A8A00000000000000000000000000000000000A8
64694+:10A8B0000000000000000000000000000000000098
64695+:10A8C0000000000000000000000000000000000088
64696+:10A8D0000000000000000000000000000000000078
64697+:10A8E0000000000000000000000000000000000068
64698+:10A8F0000000000000000000000000000000000058
64699+:10A900000000000000000000000000000000000047
64700+:10A910000000000000000000000000000000000037
64701+:10A920000000000000000000000000000000000027
64702+:10A930000000000000000000000000000000000017
64703+:10A940000000000000000000000000000000000007
64704+:10A9500000000000000000000000000000000000F7
64705+:10A9600000000000000000000000000000000000E7
64706+:10A9700000000000000000000000000000000000D7
64707+:10A9800000000000000000000000000000000000C7
64708+:10A9900000000000000000000000000000000000B7
64709+:10A9A00000000000000000000000000000000000A7
64710+:10A9B0000000000000000000000000000000000097
64711+:10A9C0000000000000000000000000000000000087
64712+:10A9D0000000000000000000000000000000000077
64713+:10A9E0000000000000000000000000000000000067
64714+:10A9F0000000000000000000000000000000000057
64715+:10AA00000000000000000000000000000000000046
64716+:10AA10000000000000000000000000000000000036
64717+:10AA20000000000000000000000000000000000026
64718+:10AA30000000000000000000000000000000000016
64719+:10AA40000000000000000000000000000000000006
64720+:10AA500000000000000000000000000000000000F6
64721+:10AA600000000000000000000000000000000000E6
64722+:10AA700000000000000000000000000000000000D6
64723+:10AA800000000000000000000000000000000000C6
64724+:10AA900000000000000000000000000000000000B6
64725+:10AAA00000000000000000000000000000000000A6
64726+:10AAB0000000000000000000000000000000000096
64727+:10AAC0000000000000000000000000000000000086
64728+:10AAD0000000000000000000000000000000000076
64729+:10AAE0000000000000000000000000000000000066
64730+:10AAF0000000000000000000000000000000000056
64731+:10AB00000000000000000000000000000000000045
64732+:10AB10000000000000000000000000000000000035
64733+:10AB20000000000000000000000000000000000025
64734+:10AB30000000000000000000000000000000000015
64735+:10AB40000000000000000000000000000000000005
64736+:10AB500000000000000000000000000000000000F5
64737+:10AB600000000000000000000000000000000000E5
64738+:10AB700000000000000000000000000000000000D5
64739+:10AB800000000000000000000000000000000000C5
64740+:10AB900000000000000000000000000000000000B5
64741+:10ABA00000000000000000000000000000000000A5
64742+:10ABB0000000000000000000000000000000000095
64743+:10ABC0000000000000000000000000000000000085
64744+:10ABD0000000000000000000000000000000000075
64745+:10ABE0000000000000000000000000000000000065
64746+:10ABF0000000000000000000000000000000000055
64747+:10AC00000000000000000000000000000000000044
64748+:10AC10000000000000000000000000000000000034
64749+:10AC20000000000000000000000000000000000024
64750+:10AC30000000000000000000000000000000000014
64751+:10AC40000000000000000000000000000000000004
64752+:10AC500000000000000000000000000000000000F4
64753+:10AC600000000000000000000000000000000000E4
64754+:10AC700000000000000000000000000000000000D4
64755+:10AC800000000000000000000000000000000000C4
64756+:10AC900000000000000000000000000000000000B4
64757+:10ACA00000000000000000000000000000000000A4
64758+:10ACB0000000000000000000000000000000000094
64759+:10ACC0000000000000000000000000000000000084
64760+:10ACD0000000000000000000000000000000000074
64761+:10ACE0000000000000000000000000000000000064
64762+:10ACF0000000000000000000000000000000000054
64763+:10AD00000000000000000000000000000000000043
64764+:10AD10000000000000000000000000000000000033
64765+:10AD20000000000000000000000000000000000023
64766+:10AD30000000000000000000000000000000000013
64767+:10AD40000000000000000000000000000000000003
64768+:10AD500000000000000000000000000000000000F3
64769+:10AD600000000000000000000000000000000000E3
64770+:10AD700000000000000000000000000000000000D3
64771+:10AD800000000000000000000000000000000000C3
64772+:10AD900000000000000000000000000000000000B3
64773+:10ADA00000000000000000000000000000000000A3
64774+:10ADB0000000000000000000000000000000000093
64775+:10ADC0000000000000000000000000000000000083
64776+:10ADD0000000000000000000000000000000000073
64777+:10ADE0000000000000000000000000000000000063
64778+:10ADF0000000000000000000000000000000000053
64779+:10AE00000000000000000000000000000000000042
64780+:10AE10000000000000000000000000000000000032
64781+:10AE20000000000000000000000000000000000022
64782+:10AE30000000000000000000000000000000000012
64783+:10AE40000000000000000000000000000000000002
64784+:10AE500000000000000000000000000000000000F2
64785+:10AE600000000000000000000000000000000000E2
64786+:10AE700000000000000000000000000000000000D2
64787+:10AE800000000000000000000000000000000000C2
64788+:10AE900000000000000000000000000000000000B2
64789+:10AEA00000000000000000000000000000000000A2
64790+:10AEB0000000000000000000000000000000000092
64791+:10AEC0000000000000000000000000000000000082
64792+:10AED0000000000000000000000000000000000072
64793+:10AEE0000000000000000000000000000000000062
64794+:10AEF0000000000000000000000000000000000052
64795+:10AF00000000000000000000000000000000000041
64796+:10AF10000000000000000000000000000000000031
64797+:10AF20000000000000000000000000000000000021
64798+:10AF30000000000000000000000000000000000011
64799+:10AF40000000000000000000000000000000000001
64800+:10AF500000000000000000000000000000000000F1
64801+:10AF600000000000000000000000000000000000E1
64802+:10AF700000000000000000000000000000000000D1
64803+:10AF800000000000000000000000000000000000C1
64804+:10AF900000000000000000000000000000000000B1
64805+:10AFA00000000000000000000000000000000000A1
64806+:10AFB0000000000000000000000000000000000091
64807+:10AFC0000000000000000000000000000000000081
64808+:10AFD0000000000000000000000000000000000071
64809+:10AFE0000000000000000000000000000000000061
64810+:10AFF0000000000000000000000000000000000051
64811+:10B000000000000000000000000000000000000040
64812+:10B010000000000000000000000000000000000030
64813+:10B020000000000000000000000000000000000020
64814+:10B030000000000000000000000000000000000010
64815+:10B040000000000000000000000000000000000000
64816+:10B0500000000000000000000000000000000000F0
64817+:10B0600000000000000000000000000000000000E0
64818+:10B0700000000000000000000000000000000000D0
64819+:10B0800000000000000000000000000000000000C0
64820+:10B0900000000000000000000000000000000000B0
64821+:10B0A00000000000000000000000000000000000A0
64822+:10B0B0000000000000000000000000000000000090
64823+:10B0C0000000000000000000000000000000000080
64824+:10B0D0000000000000000000000000000000000070
64825+:10B0E0000000000000000000000000000000000060
64826+:10B0F0000000000000000000000000000000000050
64827+:10B10000000000000000000000000000000000003F
64828+:10B11000000000000000000000000000000000002F
64829+:10B12000000000000000000000000000000000001F
64830+:10B13000000000000000000000000000000000000F
64831+:10B1400000000000000000000000000000000000FF
64832+:10B1500000000000000000000000000000000000EF
64833+:10B1600000000000000000000000000000000000DF
64834+:10B1700000000000000000000000000000000000CF
64835+:10B1800000000000000000000000000000000000BF
64836+:10B1900000000000000000000000000000000000AF
64837+:10B1A000000000000000000000000000000000009F
64838+:10B1B000000000000000000000000000000000008F
64839+:10B1C000000000000000000000000000000000007F
64840+:10B1D000000000000000000000000000000000006F
64841+:10B1E000000000000000000000000000000000005F
64842+:10B1F000000000000000000000000000000000004F
64843+:10B20000000000000000000000000000000000003E
64844+:10B21000000000000000000000000000000000002E
64845+:10B22000000000000000000000000000000000001E
64846+:10B23000000000000000000000000000000000000E
64847+:10B2400000000000000000000000000000000000FE
64848+:10B2500000000000000000000000000000000000EE
64849+:10B2600000000000000000000000000000000000DE
64850+:10B2700000000000000000000000000000000000CE
64851+:10B2800000000000000000000000000000000000BE
64852+:10B2900000000000000000000000000000000000AE
64853+:10B2A000000000000000000000000000000000009E
64854+:10B2B000000000000000000000000000000000008E
64855+:10B2C000000000000000000000000000000000007E
64856+:10B2D000000000000000000000000000000000006E
64857+:10B2E000000000000000000000000000000000005E
64858+:10B2F000000000000000000000000000000000004E
64859+:10B30000000000000000000000000000000000003D
64860+:10B31000000000000000000000000000000000002D
64861+:10B32000000000000000000000000000000000001D
64862+:10B33000000000000000000000000000000000000D
64863+:10B3400000000000000000000000000000000000FD
64864+:10B3500000000000000000000000000000000000ED
64865+:10B3600000000000000000000000000000000000DD
64866+:10B3700000000000000000000000000000000000CD
64867+:10B3800000000000000000000000000000000000BD
64868+:10B3900000000000000000000000000000000000AD
64869+:10B3A000000000000000000000000000000000009D
64870+:10B3B000000000000000000000000000000000008D
64871+:10B3C000000000000000000000000000000000007D
64872+:10B3D000000000000000000000000000000000006D
64873+:10B3E000000000000000000000000000000000005D
64874+:10B3F000000000000000000000000000000000004D
64875+:10B40000000000000000000000000000000000003C
64876+:10B41000000000000000000000000000000000002C
64877+:10B42000000000000000000000000000000000001C
64878+:10B43000000000000000000000000000000000000C
64879+:10B4400000000000000000000000000000000000FC
64880+:10B4500000000000000000000000000000000000EC
64881+:10B4600000000000000000000000000000000000DC
64882+:10B4700000000000000000000000000000000000CC
64883+:10B4800000000000000000000000000000000000BC
64884+:10B4900000000000000000000000000000000000AC
64885+:10B4A000000000000000000000000000000000009C
64886+:10B4B000000000000000000000000000000000008C
64887+:10B4C000000000000000000000000000000000007C
64888+:10B4D000000000000000000000000000000000006C
64889+:10B4E000000000000000000000000000000000005C
64890+:10B4F000000000000000000000000000000000004C
64891+:10B50000000000000000000000000000000000003B
64892+:10B51000000000000000000000000000000000002B
64893+:10B52000000000000000000000000000000000001B
64894+:10B53000000000000000000000000000000000000B
64895+:10B5400000000000000000000000000000000000FB
64896+:10B5500000000000000000000000000000000000EB
64897+:10B5600000000000000000000000000000000000DB
64898+:10B5700000000000000000000000000000000000CB
64899+:10B5800000000000000000000000000000000000BB
64900+:10B5900000000000000000000000000000000000AB
64901+:10B5A000000000000000000000000000000000009B
64902+:10B5B000000000000000000000000000000000008B
64903+:10B5C000000000000000000000000000000000007B
64904+:10B5D000000000000000000000000000000000006B
64905+:10B5E000000000000000000000000000000000005B
64906+:10B5F000000000000000000000000000000000004B
64907+:10B60000000000000000000000000000000000003A
64908+:10B61000000000000000000000000000000000002A
64909+:10B62000000000000000000000000000000000001A
64910+:10B63000000000000000000000000000000000000A
64911+:10B6400000000000000000000000000000000000FA
64912+:10B6500000000000000000000000000000000000EA
64913+:10B6600000000000000000000000000000000000DA
64914+:10B6700000000000000000000000000000000000CA
64915+:10B6800000000000000000000000000000000000BA
64916+:10B6900000000000000000000000000000000000AA
64917+:10B6A000000000000000000000000000000000009A
64918+:10B6B000000000000000000000000000000000008A
64919+:10B6C000000000000000000000000000000000007A
64920+:10B6D000000000000000000000000000000000006A
64921+:10B6E000000000000000000000000000000000005A
64922+:10B6F000000000000000000000000000000000004A
64923+:10B700000000000000000000000000000000000039
64924+:10B710000000000000000000000000000000000029
64925+:10B720000000000000000000000000000000000019
64926+:10B730000000000000000000000000000000000009
64927+:10B7400000000000000000000000000000000000F9
64928+:10B7500000000000000000000000000000000000E9
64929+:10B7600000000000000000000000000000000000D9
64930+:10B7700000000000000000000000000000000000C9
64931+:10B7800000000000000000000000000000000000B9
64932+:10B7900000000000000000000000000000000000A9
64933+:10B7A0000000000000000000000000000000000099
64934+:10B7B0000000000000000000000000000000000089
64935+:10B7C0000000000000000000000000000000000079
64936+:10B7D0000000000000000000000000000000000069
64937+:10B7E0000000000000000000000000000000000059
64938+:10B7F0000000000000000000000000000000000049
64939+:10B800000000000000000000000000000000000038
64940+:10B810000000000000000000000000000000000028
64941+:10B820000000000000000000000000000000000018
64942+:10B830000000000000000000000000000000000008
64943+:10B8400000000000000000000000000000000000F8
64944+:10B8500000000000000000000000000000000000E8
64945+:10B8600000000000000000000000000000000000D8
64946+:10B8700000000000000000000000000000000000C8
64947+:10B8800000000000000000000000000000000000B8
64948+:10B8900000000000000000000000000000000000A8
64949+:10B8A0000000000000000000000000000000000098
64950+:10B8B0000000000000000000000000000000000088
64951+:10B8C0000000000000000000000000000000000078
64952+:10B8D0000000000000000000000000000000000068
64953+:10B8E0000000000000000000000000000000000058
64954+:10B8F0000000000000000000000000000000000048
64955+:10B900000000000000000000000000000000000037
64956+:10B910000000000000000000000000000000000027
64957+:10B920000000000000000000000000000000000017
64958+:10B930000000000000000000000000000000000007
64959+:10B9400000000000000000000000000000000000F7
64960+:10B9500000000000000000000000000000000000E7
64961+:10B9600000000000000000000000000000000000D7
64962+:10B9700000000000000000000000000000000000C7
64963+:10B9800000000000000000000000000000000000B7
64964+:10B9900000000000000000000000000000000000A7
64965+:10B9A0000000000000000000000000000000000097
64966+:10B9B0000000000000000000000000000000000087
64967+:10B9C0000000000000000000000000000000000077
64968+:10B9D0000000000000000000000000000000000067
64969+:10B9E0000000000000000000000000000000000057
64970+:10B9F0000000000000000000000000000000000047
64971+:10BA00000000000000000000000000000000000036
64972+:10BA10000000000000000000000000000000000026
64973+:10BA20000000000000000000000000000000000016
64974+:10BA30000000000000000000000000000000000006
64975+:10BA400000000000000000000000000000000000F6
64976+:10BA500000000000000000000000000000000000E6
64977+:10BA600000000000000000000000000000000000D6
64978+:10BA700000000000000000000000000000000000C6
64979+:10BA800000000000000000000000000000000000B6
64980+:10BA900000000000000000000000000000000000A6
64981+:10BAA0000000000000000000000000000000000096
64982+:10BAB0000000000000000000000000000000000086
64983+:10BAC0000000000000000000000000000000000076
64984+:10BAD0000000000000000000000000000000000066
64985+:10BAE0000000000000000000000000000000000056
64986+:10BAF0000000000000000000000000000000000046
64987+:10BB00000000000000000000000000000000000035
64988+:10BB10000000000000000000000000000000000025
64989+:10BB20000000000000000000000000000000000015
64990+:10BB30000000000000000000000000000000000005
64991+:10BB400000000000000000000000000000000000F5
64992+:10BB500000000000000000000000000000000000E5
64993+:10BB600000000000000000000000000000000000D5
64994+:10BB700000000000000000000000000000000000C5
64995+:10BB800000000000000000000000000000000000B5
64996+:10BB900000000000000000000000000000000000A5
64997+:10BBA0000000000000000000000000000000000095
64998+:10BBB0000000000000000000000000000000000085
64999+:10BBC0000000000000000000000000000000000075
65000+:10BBD0000000000000000000000000000000000065
65001+:10BBE0000000000000000000000000000000000055
65002+:10BBF0000000000000000000000000000000000045
65003+:10BC00000000000000000000000000000000000034
65004+:10BC10000000000000000000000000000000000024
65005+:10BC20000000000000000000000000000000000014
65006+:10BC30000000000000000000000000000000000004
65007+:10BC400000000000000000000000000000000000F4
65008+:10BC500000000000000000000000000000000000E4
65009+:10BC600000000000000000000000000000000000D4
65010+:10BC700000000000000000000000000000000000C4
65011+:10BC800000000000000000000000000000000000B4
65012+:10BC900000000000000000000000000000000000A4
65013+:10BCA0000000000000000000000000000000000094
65014+:10BCB0000000000000000000000000000000000084
65015+:10BCC0000000000000000000000000000000000074
65016+:10BCD0000000000000000000000000000000000064
65017+:10BCE0000000000000000000000000000000000054
65018+:10BCF0000000000000000000000000000000000044
65019+:10BD00000000000000000000000000000000000033
65020+:10BD10000000000000000000000000000000000023
65021+:10BD20000000000000000000000000000000000013
65022+:10BD30000000000000000000000000000000000003
65023+:10BD400000000000000000000000000000000000F3
65024+:10BD500000000000000000000000000000000000E3
65025+:10BD600000000000000000000000000000000000D3
65026+:10BD700000000000000000000000000000000000C3
65027+:10BD800000000000000000000000000000000000B3
65028+:10BD900000000000000000000000000000000000A3
65029+:10BDA0000000000000000000000000000000000093
65030+:10BDB0000000000000000000000000000000000083
65031+:10BDC0000000000000000000000000000000000073
65032+:10BDD0000000000000000000000000000000000063
65033+:10BDE0000000000000000000000000000000000053
65034+:10BDF0000000000000000000000000000000000043
65035+:10BE00000000000000000000000000000000000032
65036+:10BE10000000000000000000000000000000000022
65037+:10BE20000000000000000000000000000000000012
65038+:10BE30000000000000000000000000000000000002
65039+:10BE400000000000000000000000000000000000F2
65040+:10BE500000000000000000000000000000000000E2
65041+:10BE600000000000000000000000000000000000D2
65042+:10BE700000000000000000000000000000000000C2
65043+:10BE800000000000000000000000000000000000B2
65044+:10BE900000000000000000000000000000000000A2
65045+:10BEA0000000000000000000000000000000000092
65046+:10BEB0000000000000000000000000000000000082
65047+:10BEC0000000000000000000000000000000000072
65048+:10BED0000000000000000000000000000000000062
65049+:10BEE0000000000000000000000000000000000052
65050+:10BEF0000000000000000000000000000000000042
65051+:10BF00000000000000000000000000000000000031
65052+:10BF10000000000000000000000000000000000021
65053+:10BF20000000000000000000000000000000000011
65054+:10BF30000000000000000000000000000000000001
65055+:10BF400000000000000000000000000000000000F1
65056+:10BF500000000000000000000000000000000000E1
65057+:10BF600000000000000000000000000000000000D1
65058+:10BF700000000000000000000000000000000000C1
65059+:10BF800000000000000000000000000000000000B1
65060+:10BF900000000000000000000000000000000000A1
65061+:10BFA0000000000000000000000000000000000091
65062+:10BFB0000000000000000000000000000000000081
65063+:10BFC0000000000000000000000000000000000071
65064+:10BFD0000000000000000000000000000000000061
65065+:10BFE0000000000000000000000000000000000051
65066+:10BFF0000000000000000000000000000000000041
65067+:10C000000000000000000000000000000000000030
65068+:10C010000000000000000000000000000000000020
65069+:10C020000000000000000000000000000000000010
65070+:10C030000000000000000000000000000000000000
65071+:10C0400000000000000000000000000000000000F0
65072+:10C0500000000000000000000000000000000000E0
65073+:10C0600000000000000000000000000000000000D0
65074+:10C0700000000000000000000000000000000000C0
65075+:10C0800000000000000000000000000000000000B0
65076+:10C0900000000000000000000000000000000000A0
65077+:10C0A0000000000000000000000000000000000090
65078+:10C0B0000000000000000000000000000000000080
65079+:10C0C0000000000000000000000000000000000070
65080+:10C0D0000000000000000000000000000000000060
65081+:10C0E0000000000000000000000000000000000050
65082+:10C0F0000000000000000000000000000000000040
65083+:10C10000000000000000000000000000000000002F
65084+:10C11000000000000000000000000000000000001F
65085+:10C12000000000000000000000000000000000000F
65086+:10C1300000000000000000000000000000000000FF
65087+:10C1400000000000000000000000000000000000EF
65088+:10C1500000000000000000000000000000000000DF
65089+:10C1600000000000000000000000000000000000CF
65090+:10C1700000000000000000000000000000000000BF
65091+:10C1800000000000000000000000000000000000AF
65092+:10C19000000000000000000000000000000000009F
65093+:10C1A000000000000000000000000000000000008F
65094+:10C1B000000000000000000000000000000000007F
65095+:10C1C000000000000000000000000000000000006F
65096+:10C1D000000000000000000000000000000000005F
65097+:10C1E000000000000000000000000000000000004F
65098+:10C1F000000000000000000000000000000000003F
65099+:10C20000000000000000000000000000000000002E
65100+:10C21000000000000000000000000000000000001E
65101+:10C22000000000000000000000000000000000000E
65102+:10C2300000000000000000000000000000000000FE
65103+:10C2400000000000000000000000000000000000EE
65104+:10C2500000000000000000000000000000000000DE
65105+:10C2600000000000000000000000000000000000CE
65106+:10C2700000000000000000000000000000000000BE
65107+:10C2800000000000000000000000000000000000AE
65108+:10C29000000000000000000000000000000000009E
65109+:10C2A000000000000000000000000000000000008E
65110+:10C2B000000000000000000000000000000000007E
65111+:10C2C000000000000000000000000000000000006E
65112+:10C2D000000000000000000000000000000000005E
65113+:10C2E000000000000000000000000000000000004E
65114+:10C2F000000000000000000000000000000000003E
65115+:10C30000000000000000000000000000000000002D
65116+:10C31000000000000000000000000000000000001D
65117+:10C32000000000000000000000000000000000000D
65118+:10C3300000000000000000000000000000000000FD
65119+:10C3400000000000000000000000000000000000ED
65120+:10C3500000000000000000000000000000000000DD
65121+:10C3600000000000000000000000000000000000CD
65122+:10C3700000000000000000000000000000000000BD
65123+:10C3800000000000000000000000000000000000AD
65124+:10C39000000000000000000000000000000000009D
65125+:10C3A000000000000000000000000000000000008D
65126+:10C3B000000000000000000000000000000000007D
65127+:10C3C000000000000000000000000000000000006D
65128+:10C3D000000000000000000000000000000000005D
65129+:10C3E000000000000000000000000000000000004D
65130+:10C3F000000000000000000000000000000000003D
65131+:10C40000000000000000000000000000000000002C
65132+:10C41000000000000000000000000000000000001C
65133+:10C42000000000000000000000000000000000000C
65134+:10C4300000000000000000000000000000000000FC
65135+:10C4400000000000000000000000000000000000EC
65136+:10C4500000000000000000000000000000000000DC
65137+:10C4600000000000000000000000000000000000CC
65138+:10C4700000000000000000000000000000000000BC
65139+:10C4800000000000000000000000000000000000AC
65140+:10C49000000000000000000000000000000000009C
65141+:10C4A000000000000000000000000000000000008C
65142+:10C4B000000000000000000000000000000000007C
65143+:10C4C000000000000000000000000000000000006C
65144+:10C4D000000000000000000000000000000000005C
65145+:10C4E000000000000000000000000000000000004C
65146+:10C4F000000000000000000000000000000000003C
65147+:10C50000000000000000000000000000000000002B
65148+:10C51000000000000000000000000000000000001B
65149+:10C52000000000000000000000000000000000000B
65150+:10C5300000000000000000000000000000000000FB
65151+:10C5400000000000000000000000000000000000EB
65152+:10C5500000000000000000000000000000000000DB
65153+:10C5600000000000000000000000000000000000CB
65154+:10C5700000000000000000000000000000000000BB
65155+:10C5800000000000000000000000000000000000AB
65156+:10C59000000000000000000000000000000000009B
65157+:10C5A000000000000000000000000000000000008B
65158+:10C5B000000000000000000000000000000000007B
65159+:10C5C000000000000000000000000000000000006B
65160+:10C5D000000000000000000000000000000000005B
65161+:10C5E000000000000000000000000000000000004B
65162+:10C5F000000000000000000000000000000000003B
65163+:10C60000000000000000000000000000000000002A
65164+:10C61000000000000000000000000000000000001A
65165+:10C62000000000000000000000000000000000000A
65166+:10C6300000000000000000000000000000000000FA
65167+:10C6400000000000000000000000000000000000EA
65168+:10C6500000000000000000000000000000000000DA
65169+:10C6600000000000000000000000000000000000CA
65170+:10C6700000000000000000000000000000000000BA
65171+:10C6800000000000000000000000000000000000AA
65172+:10C69000000000000000000000000000000000009A
65173+:10C6A000000000000000000000000000000000008A
65174+:10C6B000000000000000000000000000000000007A
65175+:10C6C000000000000000000000000000000000006A
65176+:10C6D000000000000000000000000000000000005A
65177+:10C6E000000000000000000000000000000000004A
65178+:10C6F000000000000000000000000000000000003A
65179+:10C700000000000000000000000000000000000029
65180+:10C710000000000000000000000000000000000019
65181+:10C720000000000000000000000000000000000009
65182+:10C7300000000000000000000000000000000000F9
65183+:10C7400000000000000000000000000000000000E9
65184+:10C7500000000000000000000000000000000000D9
65185+:10C7600000000000000000000000000000000000C9
65186+:10C7700000000000000000000000000000000000B9
65187+:10C7800000000000000000000000000000000000A9
65188+:10C790000000000000000000000000000000000099
65189+:10C7A0000000000000000000000000000000000089
65190+:10C7B0000000000000000000000000000000000079
65191+:10C7C0000000000000000000000000000000000069
65192+:10C7D0000000000000000000000000000000000059
65193+:10C7E0000000000000000000000000000000000049
65194+:10C7F0000000000000000000000000000000000039
65195+:10C800000000000000000000000000000000000028
65196+:10C810000000000000000000000000000000000018
65197+:10C820000000000000000000000000000000000008
65198+:10C8300000000000000000000000000000000000F8
65199+:10C8400000000000000000000000000000000000E8
65200+:10C8500000000000000000000000000000000000D8
65201+:10C8600000000000000000000000000000000000C8
65202+:10C8700000000000000000000000000000000000B8
65203+:10C8800000000000000000000000000000000000A8
65204+:10C890000000000000000000000000000000000098
65205+:10C8A0000000000000000000000000000000000088
65206+:10C8B0000000000000000000000000000000000078
65207+:10C8C0000000000000000000000000000000000068
65208+:10C8D0000000000000000000000000000000000058
65209+:10C8E0000000000000000000000000000000000048
65210+:10C8F0000000000000000000000000000000000038
65211+:10C900000000000000000000000000000000000027
65212+:10C910000000000000000000000000000000000017
65213+:10C920000000000000000000000000000000000007
65214+:10C9300000000000000000000000000000000000F7
65215+:10C9400000000000000000000000000000000000E7
65216+:10C9500000000000000000000000000000000000D7
65217+:10C9600000000000000000000000000000000000C7
65218+:10C9700000000000000000000000000000000000B7
65219+:10C9800000000000000000000000000000000000A7
65220+:10C990000000000000000000000000000000000097
65221+:10C9A0000000000000000000000000000000000087
65222+:10C9B0000000000000000000000000000000000077
65223+:10C9C0000000000000000000000000000000000067
65224+:10C9D0000000000000000000000000000000000057
65225+:10C9E0000000000000000000000000000000000047
65226+:10C9F0000000000000000000000000000000000037
65227+:10CA00000000000000000000000000000000000026
65228+:10CA10000000000000000000000000000000000016
65229+:10CA20000000000000000000000000000000000006
65230+:10CA300000000000000000000000000000000000F6
65231+:10CA400000000000000000000000000000000000E6
65232+:10CA500000000000000000000000000000000000D6
65233+:10CA600000000000000000000000000000000000C6
65234+:10CA700000000000000000000000000000000000B6
65235+:10CA800000000000000000000000000000000000A6
65236+:10CA90000000000000000000000000000000000096
65237+:10CAA0000000000000000000000000000000000086
65238+:10CAB0000000000000000000000000000000000076
65239+:10CAC0000000000000000000000000000000000066
65240+:10CAD0000000000000000000000000000000000056
65241+:10CAE0000000000000000000000000000000000046
65242+:10CAF0000000000000000000000000000000000036
65243+:10CB00000000000000000000000000000000000025
65244+:10CB10000000000000000000000000000000000015
65245+:10CB20000000000000000000000000000000000005
65246+:10CB300000000000000000000000000000000000F5
65247+:10CB400000000000000000000000000000000000E5
65248+:10CB500000000000000000000000000000000000D5
65249+:10CB600000000000000000000000000000000000C5
65250+:10CB700000000000000000000000000000000000B5
65251+:10CB800000000000000000000000000000000000A5
65252+:10CB90000000000000000000000000000000000095
65253+:10CBA0000000000000000000000000000000000085
65254+:10CBB0000000000000000000000000000000000075
65255+:10CBC0000000000000000000000000000000000065
65256+:10CBD0000000000000000000000000000000000055
65257+:10CBE0000000000000000000000000000000000045
65258+:10CBF0000000000000000000000000000000000035
65259+:10CC00000000000000000000000000000000000024
65260+:10CC10000000000000000000000000000000000014
65261+:10CC20000000000000000000000000000000000004
65262+:10CC300000000000000000000000000000000000F4
65263+:10CC400000000000000000000000000000000000E4
65264+:10CC500000000000000000000000000000000000D4
65265+:10CC600000000000000000000000000000000000C4
65266+:10CC700000000000000000000000000000000000B4
65267+:10CC800000000000000000000000000000000000A4
65268+:10CC90000000000000000000000000000000000094
65269+:10CCA0000000000000000000000000000000000084
65270+:10CCB0000000000000000000000000000000000074
65271+:10CCC0000000000000000000000000000000000064
65272+:10CCD0000000000000000000000000000000000054
65273+:10CCE0000000000000000000000000000000000044
65274+:10CCF0000000000000000000000000000000000034
65275+:10CD00000000000000000000000000000000000023
65276+:10CD10000000000000000000000000000000000013
65277+:10CD20000000000000000000000000000000000003
65278+:10CD300000000000000000000000000000000000F3
65279+:10CD400000000000000000000000000000000000E3
65280+:10CD500000000000000000000000000000000000D3
65281+:10CD600000000000000000000000000000000000C3
65282+:10CD700000000000000000000000000000000000B3
65283+:10CD800000000000000000000000000000000000A3
65284+:10CD90000000000000000000000000000000000093
65285+:10CDA0000000000000000000000000000000000083
65286+:10CDB0000000000000000000000000000000000073
65287+:10CDC0000000000000000000000000000000000063
65288+:10CDD0000000000000000000000000000000000053
65289+:10CDE0000000000000000000000000000000000043
65290+:10CDF0000000000000000000000000000000000033
65291+:10CE00000000000000000000000000000000000022
65292+:10CE10000000000000000000000000000000000012
65293+:10CE20000000000000000000000000000000000002
65294+:10CE300000000000000000000000000000000000F2
65295+:10CE400000000000000000000000000000000000E2
65296+:10CE500000000000000000000000000000000000D2
65297+:10CE600000000000000000000000000000000000C2
65298+:10CE700000000000000000000000000000000000B2
65299+:10CE800000000000000000000000000000000000A2
65300+:10CE90000000000000000000000000000000000092
65301+:10CEA0000000000000000000000000000000000082
65302+:10CEB0000000000000000000000000000000000072
65303+:10CEC0000000000000000000000000000000000062
65304+:10CED0000000000000000000000000000000000052
65305+:10CEE0000000000000000000000000000000000042
65306+:10CEF0000000000000000000000000000000000032
65307+:10CF00000000000000000000000000000000000021
65308+:10CF10000000000000000000000000000000000011
65309+:10CF20000000000000000000000000000000000001
65310+:10CF300000000000000000000000000000000000F1
65311+:10CF400000000000000000000000000000000000E1
65312+:10CF500000000000000000000000000000000000D1
65313+:10CF600000000000000000000000000000000000C1
65314+:10CF700000000000000000000000000000000000B1
65315+:10CF800000000000000000000000000000000000A1
65316+:10CF90000000000000000000000000000000000091
65317+:10CFA0000000000000000000000000000000000081
65318+:10CFB0000000000000000000000000000000000071
65319+:10CFC0000000000000000000000000000000000061
65320+:10CFD0000000000000000000000000000000000051
65321+:10CFE0000000000000000000000000000000000041
65322+:10CFF0000000000000000000000000000000000031
65323+:10D000000000000000000000000000000000000020
65324+:10D010000000000000000000000000000000000010
65325+:10D020000000000000000000000000000000000000
65326+:10D0300000000000000000000000000000000000F0
65327+:10D0400000000000000000000000000000000000E0
65328+:10D0500000000000000000000000000000000000D0
65329+:10D0600000000000000000000000000000000000C0
65330+:10D0700000000000000000000000000000000000B0
65331+:10D0800000000000000000000000000000000000A0
65332+:10D090000000000000000000000000000000000090
65333+:10D0A0000000000000000000000000000000000080
65334+:10D0B0000000000000000000000000000000000070
65335+:10D0C0000000000000000000000000000000000060
65336+:10D0D0000000000000000000000000000000000050
65337+:10D0E0000000000000000000000000000000000040
65338+:10D0F0000000000000000000000000000000000030
65339+:10D10000000000000000000000000000000000001F
65340+:10D11000000000000000000000000000000000000F
65341+:10D1200000000000000000000000000000000000FF
65342+:10D1300000000000000000000000000000000000EF
65343+:10D1400000000000000000000000000000000000DF
65344+:10D1500000000000000000000000000000000000CF
65345+:10D1600000000000000000000000000000000000BF
65346+:10D1700000000000000000000000000000000000AF
65347+:10D18000000000000000000000000000000000009F
65348+:10D19000000000000000000000000000000000008F
65349+:10D1A000000000000000000000000000000000007F
65350+:10D1B000000000000000000000000000000000006F
65351+:10D1C000000000000000000000000000000000005F
65352+:10D1D000000000000000000000000000000000004F
65353+:10D1E000000000000000000000000000000000003F
65354+:10D1F000000000000000000000000000000000002F
65355+:10D20000000000000000000000000000000000001E
65356+:10D21000000000000000000000000000000000000E
65357+:10D2200000000000000000000000000000000000FE
65358+:10D2300000000000000000000000000000000000EE
65359+:10D2400000000000000000000000000000000000DE
65360+:10D2500000000000000000000000000000000000CE
65361+:10D2600000000000000000000000000000000000BE
65362+:10D2700000000000000000000000000000000000AE
65363+:10D28000000000000000000000000000000000009E
65364+:10D29000000000000000000000000000000000008E
65365+:10D2A000000000000000000000000000000000007E
65366+:10D2B000000000000000000000000000000000006E
65367+:10D2C000000000000000000000000000000000005E
65368+:10D2D000000000000000000000000000000000004E
65369+:10D2E000000000000000000000000000000000003E
65370+:10D2F000000000000000000000000000000000002E
65371+:10D30000000000000000000000000000000000001D
65372+:10D31000000000000000000000000000000000000D
65373+:10D3200000000000000000000000000000000000FD
65374+:10D3300000000000000000000000000000000000ED
65375+:10D3400000000000000000000000000000000000DD
65376+:10D3500000000000000000000000000000000000CD
65377+:10D3600000000000000000000000000000000000BD
65378+:10D3700000000000000000000000000000000000AD
65379+:10D38000000000000000000000000000000000009D
65380+:10D39000000000000000000000000000000000008D
65381+:10D3A000000000000000000000000000000000007D
65382+:10D3B000000000000000000000000000000000006D
65383+:10D3C000000000000000000000000000000000005D
65384+:10D3D000000000000000000000000000000000004D
65385+:10D3E000000000000000000000000000000000003D
65386+:10D3F000000000000000000000000000000000002D
65387+:10D40000000000000000000000000000000000001C
65388+:10D41000000000000000000000000000000000000C
65389+:10D4200000000000000000000000000000000000FC
65390+:10D4300000000000000000000000000000000000EC
65391+:10D4400000000000000000000000000000000000DC
65392+:10D4500000000000000000000000000000000000CC
65393+:10D4600000000000000000000000000000000000BC
65394+:10D4700000000000000000000000000000000000AC
65395+:10D48000000000000000000000000000000000009C
65396+:10D49000000000000000000000000000000000008C
65397+:10D4A000000000000000000000000000000000007C
65398+:10D4B000000000000000000000000000000000006C
65399+:10D4C000000000000000000000000000000000005C
65400+:10D4D000000000000000000000000000000000004C
65401+:10D4E000000000000000000000000000000000003C
65402+:10D4F000000000000000000000000000000000002C
65403+:10D50000000000000000000000000000000000001B
65404+:10D51000000000000000000000000000000000000B
65405+:10D5200000000000000000000000000000000000FB
65406+:10D5300000000000000000000000000000000000EB
65407+:10D5400000000000000000000000000000000000DB
65408+:10D5500000000000000000000000000000000000CB
65409+:10D5600000000000000000000000000000000000BB
65410+:10D5700000000000000000000000000000000000AB
65411+:10D58000000000000000000000000000000000009B
65412+:10D59000000000000000008000000000000000000B
65413+:10D5A000000000000000000000000000000000007B
65414+:10D5B00000000000000000000000000A0000000061
65415+:10D5C0000000000000000000100000030000000048
65416+:10D5D0000000000D0000000D3C02080024427340D2
65417+:10D5E0003C030800246377CCAC4000000043202BB0
65418+:10D5F0001480FFFD244200043C1D080037BD7FFC61
65419+:10D6000003A0F0213C100800261032103C1C08003A
65420+:10D61000279C73400E0010FE000000000000000D6B
65421+:10D6200030A5FFFF30C600FF274301808F4201B8BD
65422+:10D630000440FFFE24020002AC640000A465000860
65423+:10D64000A066000AA062000B3C021000AC67001844
65424+:10D6500003E00008AF4201B83C0360008C624FF861
65425+:10D660000440FFFE3C020200AC644FC0AC624FC4F9
65426+:10D670003C02100003E00008AC624FF89482000CFA
65427+:10D680002486001400A0382100021302000210803A
65428+:10D690000082402100C8102B1040005700000000FD
65429+:10D6A00090C300002C6200095040005190C200015C
65430+:10D6B000000310803C030800246372F00043102133
65431+:10D6C0008C420000004000080000000090C30001F0
65432+:10D6D0002402000A1462003A000000000106102330
65433+:10D6E0002C42000A1440003624C600028CE20000DE
65434+:10D6F00034420100ACE2000090C2000090C300017F
65435+:10D7000090C4000290C5000300031C000002160034
65436+:10D710000043102500042200004410250045102578
65437+:10D7200024C60004ACE2000490C2000090C30001D3
65438+:10D7300090C4000290C500030002160000031C0004
65439+:10D740000043102500042200004410250045102548
65440+:10D7500024C600040A000CB8ACE2000890C3000123
65441+:10D76000240200041462001624C6000290C20000C5
65442+:10D7700090C400018CE30000000212000044102558
65443+:10D780003463000424C60002ACE2000C0A000CB8AA
65444+:10D79000ACE3000090C300012402000314620008FF
65445+:10D7A00024C600028CE2000090C3000024C60001E1
65446+:10D7B00034420008A0E300100A000CB8ACE20000FC
65447+:10D7C00003E000082402000190C3000124020002CB
65448+:10D7D0001062000224C40002010020210A000CB8DB
65449+:10D7E000008030210A000CB824C6000190C200015C
65450+:10D7F0000A000CB800C2302103E00008000010212C
65451+:10D8000027BDFFE8AFBF0014AFB000100E00130239
65452+:10D8100000808021936200052403FFFE0200202186
65453+:10D82000004310248FBF00148FB00010A3620005C6
65454+:10D830000A00130B27BD001827BDFFE8AFB000108A
65455+:10D84000AFBF00140E000F3C0080802193620000E7
65456+:10D8500024030050304200FF14430004240201005E
65457+:10D86000AF4201800A000D3002002021AF4001804C
65458+:10D87000020020218FBF00148FB000100A000FE7B4
65459+:10D8800027BD001827BDFF80AFBE0078AFB700747A
65460+:10D89000AFB20060AFBF007CAFB60070AFB5006C38
65461+:10D8A000AFB40068AFB30064AFB1005CAFB0005874
65462+:10D8B0008F5001283C0208008C4231A02403FF80D5
65463+:10D8C0009365003F0202102100431024AF42002460
65464+:10D8D0003C0208008C4231A09364000530B200FF86
65465+:10D8E000020210213042007F034218210004202749
65466+:10D8F0003C02000A0062182130840001AF8300144A
65467+:10D900000000F0210000B82114800053AFA00050A7
65468+:10D9100093430116934401128F450104306300FFC5
65469+:10D920003C020001308400FF00A2282403431021A0
65470+:10D9300003441821245640002467400014A001CD60
65471+:10D940002402000193620000304300FF2402002003
65472+:10D950001062000524020050106200060000000062
65473+:10D960000A000D74000000000000000D0A000D7D8B
65474+:10D97000AFA000303C1E080027DE738C0A000D7D2E
65475+:10D98000AFA000303C0208008C4200DC24420001C1
65476+:10D990003C010800AC2200DC0E00139F00000000D8
65477+:10D9A0000A000F318FBF007C8F4201043C0300202E
65478+:10D9B00092D3000D004310240002202B00042140CC
65479+:10D9C000AFA400308F4301043C02004000621824E1
65480+:10D9D000146000023485004000802821326200205B
65481+:10D9E000AFA500301440000234A6008000A0302112
65482+:10D9F00010C0000BAFA6003093C500088F67004C25
65483+:10DA00000200202100052B0034A5008130A5F08103
65484+:10DA10000E000C9B30C600FF0A000F2E0000000015
65485+:10DA20009362003E304200401040000F2402000488
65486+:10DA300056420007240200120200202100E02821A3
65487+:10DA40000E0013F702C030210A000F318FBF007C97
65488+:10DA500016420005000000000E000D2100002021EC
65489+:10DA60000A000F318FBF007C9743011A96C4000E45
65490+:10DA700093620035326500043075FFFF00442004D6
65491+:10DA8000AFA400548ED1000410A000158ED400085D
65492+:10DA90009362003E3042004010400007000000004A
65493+:10DAA0000E0013E0022020211040000D00000000B5
65494+:10DAB0000A000F2E000000008F6200440222102393
65495+:10DAC0000440016A000000008F6200480222102317
65496+:10DAD00004410166240400160A000E218FC20004CE
65497+:10DAE0008F6200480222102304400008000000005A
65498+:10DAF0003C0208008C423100244200013C01080035
65499+:10DB0000AC2231000A000F23000000008F620040A9
65500+:10DB100002221023184000128F8400143C020800D7
65501+:10DB20008C423100327300FC0000A8212442000125
65502+:10DB30003C010800AC2231008F6300409482011C3C
65503+:10DB4000022318233042FFFF0043102A50400010E8
65504+:10DB50002402000C8F6200400A000DF20222102302
65505+:10DB60009483011C9762003C0043102B1040000678
65506+:10DB7000000000009482011C00551023A482011CA7
65507+:10DB80000A000DF72402000CA480011C2402000CE2
65508+:10DB9000AFA200308F620040005120231880000D9A
65509+:10DBA00002A4102A1440012600000000149500066B
65510+:10DBB00002A410233A620001304200011440012007
65511+:10DBC0000000000002A41023022488210A000E098C
65512+:10DBD0003055FFFF00002021326200021040001A81
65513+:10DBE000326200109362003E30420040504000110B
65514+:10DBF0008FC200040E00130202002021240200182C
65515+:10DC0000A362003F936200052403FFFE020020216F
65516+:10DC1000004310240E00130BA362000524040039F6
65517+:10DC2000000028210E0013C9240600180A000F3036
65518+:10DC300024020001240400170040F809000000003D
65519+:10DC40000A000F302402000110400108000000000B
65520+:10DC50008F63004C8F620054028210231C4001032A
65521+:10DC600002831023044200010060A021AFA4001829
65522+:10DC7000AFB10010AFB50014934201208F65004092
65523+:10DC80009763003C304200FF034210210044102102
65524+:10DC90008FA400543063FFFF244240000083182B00
65525+:10DCA0008FA40030AFA20020AFA50028008320255C
65526+:10DCB000AFA40030AFA50024AFA0002CAFB4003457
65527+:10DCC0009362003E30420008504000118FC20000B5
65528+:10DCD00002C0202127A500380E000CB2AFA00038EA
65529+:10DCE0005440000B8FC200008FA200383042010068
65530+:10DCF000504000078FC200008FA3003C8F6200607D
65531+:10DD00000062102304430001AF6300608FC2000073
65532+:10DD10000040F80927A400108FA200303042000212
65533+:10DD200054400001327300FE9362003E30420040D6
65534+:10DD3000104000378FA200248F6200541682001A10
65535+:10DD40003262000124020014124200102A4200151F
65536+:10DD500010400006240200162402000C12420007A4
65537+:10DD6000326200010A000E7D000000001242000530
65538+:10DD7000326200010A000E7D000000000A000E78E9
65539+:10DD80002417000E0A000E78241700100A000E7CDB
65540+:10DD900024170012936200232403FFBD00431024C4
65541+:10DDA000A362002332620001104000198FA20024F8
65542+:10DDB0002402000C1242000E2A42000D1040000600
65543+:10DDC0002402000E2402000A124200078FA200243F
65544+:10DDD0000A000E9524420001124200088FA200247E
65545+:10DDE0000A000E95244200010A000E932417000831
65546+:10DDF0002402000E16E20002241700162417001059
65547+:10DE00008FA2002424420001AFA200248FA200248C
65548+:10DE10008FA300148F76004000431021AF620040B2
65549+:10DE20008F8200149442011C104000090000000081
65550+:10DE30008F6200488F6400409763003C00441023C9
65551+:10DE40003063FFFF0043102A104000088FA20054E7
65552+:10DE5000936400368F6300403402FFFC008210049C
65553+:10DE600000621821AF6300488FA200548FA60030D3
65554+:10DE70000282902130C200081040000E0000000015
65555+:10DE80008F6200581642000430C600FF9742011A04
65556+:10DE90005040000134C6001093C500088FA700341D
65557+:10DEA0000200202100052B0034A500800E000C9BF1
65558+:10DEB00030A5F0808F620040005610231840001BF0
65559+:10DEC0008FA200183C0208008C42319830420010AA
65560+:10DED0001040000D24020001976200681440000AFF
65561+:10DEE000240200018F8200149442011C1440000699
65562+:10DEF00024020001A76200689742007A244200646D
65563+:10DF00000A000EE9A7620012A76200120E001302B7
65564+:10DF1000020020219362007D2403000102002021E1
65565+:10DF2000344200010A000EE7AFA300501840000A77
65566+:10DF3000000000000E001302020020219362007D09
65567+:10DF40002403000102002021AFA30050344200044A
65568+:10DF50000E00130BA362007D9362003E304200402E
65569+:10DF60001440000C326200011040000A0000000062
65570+:10DF70008F6300408FC20004240400182463000152
65571+:10DF80000040F809AF6300408FA200300A000F3054
65572+:10DF9000304200048F620058105200100000000050
65573+:10DFA0008F620018022210231C4000082404000184
65574+:10DFB0008F62001816220009000000008F62001C0A
65575+:10DFC000028210230440000500000000AF720058D8
65576+:10DFD000AFA40050AF710018AF74001C12E0000B2A
65577+:10DFE0008FA200500E00130202002021A377003FF1
65578+:10DFF0000E00130B0200202102E030212404003720
65579+:10E000000E0013C9000028218FA200501040000309
65580+:10E01000000000000E000CA90200202112A0000543
65581+:10E02000000018218FA2003030420004504000113F
65582+:10E0300000601021240300010A000F30006010214D
65583+:10E040000E001302020020219362007D02002021B5
65584+:10E05000344200040E00130BA362007D0E000CA9D5
65585+:10E06000020020210A000F3024020001AF400044CA
65586+:10E07000240200018FBF007C8FBE00788FB7007430
65587+:10E080008FB600708FB5006C8FB400688FB30064DA
65588+:10E090008FB200608FB1005C8FB0005803E00008C1
65589+:10E0A00027BD00808F4201B80440FFFE2402080013
65590+:10E0B000AF4201B803E00008000000003C02000885
65591+:10E0C00003421021944200483084FFFF2484001250
65592+:10E0D0003045FFFF10A0001700A4102B10400016C1
65593+:10E0E00024020003934201202403001AA343018B5E
65594+:10E0F000304200FF2446FFFE8F82000000A6182B4E
65595+:10E100003863000100021382004310241040000510
65596+:10E110008F84000434820001A746019403E00008C4
65597+:10E12000AF8200042402FFFE0082102403E00008F6
65598+:10E13000AF8200042402000303E00008A342018B25
65599+:10E1400027BDFFE0AFB10014AFB00010AFBF0018A3
65600+:10E1500030B0FFFF30D1FFFF8F4201B80440FFFE17
65601+:10E1600000000000AF440180AF4400200E000F42C9
65602+:10E17000020020218F8300008F840004A750019AA1
65603+:10E18000A750018EA74301908F8300083082800042
65604+:10E19000AF4301A8A75101881040000E8F820004F0
65605+:10E1A00093420116304200FC24420004005A102120
65606+:10E1B0008C4240003042FFFF144000068F82000472
65607+:10E1C0003C02FFFF34427FFF00821024AF82000434
65608+:10E1D0008F8200042403BFFF00431024A74201A63E
65609+:10E1E0009743010C8F42010400031C003042FFFFE3
65610+:10E1F00000621825AF4301AC3C021000AF4201B8E9
65611+:10E200008FBF00188FB100148FB0001003E000081A
65612+:10E2100027BD00208F470070934201128F830000BA
65613+:10E2200027BDFFF0304200FF00022882306201006B
65614+:10E23000000030211040004324A40003306240005D
65615+:10E24000104000103062200000041080005A10219D
65616+:10E250008C43400024A4000400041080AFA30000FD
65617+:10E26000005A10218C424000AFA2000493420116D4
65618+:10E27000304200FC005A10218C4240000A000FC0BE
65619+:10E28000AFA200081040002F0000302100041080D1
65620+:10E29000005A10218C43400024A400040004108084
65621+:10E2A000AFA30000005A10218C424000AFA000082C
65622+:10E2B000AFA200048FA80008000030210000202138
65623+:10E2C000240A00083C0908002529010003A41021A4
65624+:10E2D000148A000300042A001100000A0000000054
65625+:10E2E00090420000248400012C83000C00A2102125
65626+:10E2F00000021080004910218C4200001460FFF3DE
65627+:10E3000000C230263C0408008C8431048F42007027
65628+:10E310002C83002010600009004738233C030800CC
65629+:10E32000246331080004108000431021248300017D
65630+:10E33000AC4700003C010800AC233104AF86000864
65631+:10E340002406000100C0102103E0000827BD0010D2
65632+:10E350003C0208008C42003827BDFFD0AFB5002436
65633+:10E36000AFB40020AFB10014AFBF0028AFB3001CA2
65634+:10E37000AFB20018AFB00010000088213C150800B3
65635+:10E3800026B50038144000022454FFFF0000A021ED
65636+:10E390009742010E8F8400003042FFFF308340001F
65637+:10E3A0001060000A245200043C0200200082102465
65638+:10E3B00050400007308280008F8200042403BFFF9A
65639+:10E3C000008318240A0010103442100030828000AC
65640+:10E3D0001040000A3C020020008210241040000778
65641+:10E3E0008F8200043C03FFFF34637FFF0083182407
65642+:10E3F00034428000AF820004AF8300000E000F980B
65643+:10E400000000000014400007000000009743011EB8
65644+:10E410009742011C3063FFFF0002140000621825C0
65645+:10E42000AF8300089742010C8F4340003045FFFF47
65646+:10E430003402FFFF14620003000000000A001028ED
65647+:10E44000241100208F42400030420100544000015E
65648+:10E45000241100108F8400003082100050400014FE
65649+:10E4600036310001308200201440000B3C021000C5
65650+:10E47000008210245040000E363100013C030E0093
65651+:10E480003C020DFF008318243442FFFF0043102B91
65652+:10E4900050400007363100013C0208008C42002C3D
65653+:10E4A000244200013C010800AC22002C363100055A
65654+:10E4B0003C0608008CC6003454C000238F85000041
65655+:10E4C0008F820004304240005440001F8F850000BE
65656+:10E4D0003C021F01008210243C0310005443001A28
65657+:10E4E0008F85000030A20200144000178F850000C5
65658+:10E4F0003250FFFF363100028F4201B80440FFFE68
65659+:10E5000000000000AF400180020020210E000F42F9
65660+:10E51000AF4000208F8300042402BFFFA750019A60
65661+:10E52000006218248F820000A750018EA751018835
65662+:10E53000A74301A6A74201903C021000AF4201B8D8
65663+:10E540000A0010F5000010213C02100000A2102467
65664+:10E550001040003A0000000010C0000F0000000052
65665+:10E5600030A201001040000C3C0302003C020F00EE
65666+:10E5700000A2102410430008000000008F82000851
65667+:10E58000005410240055102190420004244200043D
65668+:10E590000A00109F000221C00000000000051602C2
65669+:10E5A0003050000F3A0300022E4203EF38420001C0
65670+:10E5B0002C6300010062182414600073240200011F
65671+:10E5C0003C0308008C6300D02E06000C386200016A
65672+:10E5D0002C4200010046102414400015001021C0F8
65673+:10E5E0002602FFFC2C4200045440001100002021B0
65674+:10E5F000386200022C420001004610241040000343
65675+:10E60000000512420A00109F000020210010182B64
65676+:10E610000043102450400006001021C000002021BB
65677+:10E620003245FFFF0E000F633226FFFB001021C0B2
65678+:10E630003245FFFF0A0010F2362600028F424000EA
65679+:10E640003C0308008C630024304201001040004667
65680+:10E6500030620001322200043070000D14400002CC
65681+:10E660002413000424130002000512C238420001E2
65682+:10E670002E4303EF304200013863000100431025B0
65683+:10E68000104000033231FFFB2402FFFB0202802412
65684+:10E6900010C000183202000130A201001040001525
65685+:10E6A000320200013C020F0000A210243C030200D1
65686+:10E6B0001043000F8F8200082403FFFE0203802412
65687+:10E6C00000541024005510219042000402333025DC
65688+:10E6D0002442000412000002000221C03226FFFF83
65689+:10E6E0000E000F633245FFFF1200002700001021CB
65690+:10E6F000320200011040000D320200042402000129
65691+:10E7000012020002023330253226FFFF00002021D2
65692+:10E710000E000F633245FFFF2402FFFE0202802439
65693+:10E7200012000019000010213202000410400016EF
65694+:10E7300024020001240200041202000202333025E8
65695+:10E740003226FFFF3245FFFF0E000F632404010055
65696+:10E750002402FFFB020280241200000B00001021A3
65697+:10E760000A0010F5240200011040000700001021EB
65698+:10E770003245FFFF36260002000020210E000F6305
65699+:10E7800000000000000010218FBF00288FB500247A
65700+:10E790008FB400208FB3001C8FB200188FB100140B
65701+:10E7A0008FB0001003E0000827BD003027BDFFD068
65702+:10E7B000AFB000103C04600CAFBF002CAFB6002817
65703+:10E7C000AFB50024AFB40020AFB3001CAFB2001847
65704+:10E7D000AFB100148C8250002403FF7F3C1A8000EC
65705+:10E7E000004310243442380CAC8250002402000351
65706+:10E7F0003C106000AF4200088E0208083C1B8008F5
65707+:10E800003C010800AC2000203042FFF038420010EC
65708+:10E810002C4200010E001B8DAF8200183C04FFFF4C
65709+:10E820003C020400348308063442000CAE0219484E
65710+:10E83000AE03194C3C0560168E0219808CA30000B3
65711+:10E840003442020000641824AE0219803C02535383
65712+:10E850001462000334A47C008CA200040050202128
65713+:10E860008C82007C8C830078AF820010AF83000C18
65714+:10E870008F55000032A200031040FFFD32A20001BC
65715+:10E880001040013D32A200028F420128AF42002019
65716+:10E890008F4201048F430100AF8200000E000F3C45
65717+:10E8A000AF8300043C0208008C4200C01040000806
65718+:10E8B0008F8400003C0208008C4200C42442000106
65719+:10E8C0003C010800AC2200C40A00126900000000EC
65720+:10E8D0003C020010008210241440010C8F830004BD
65721+:10E8E0003C0208008C4200203C0308008C63003886
65722+:10E8F00000008821244200013C010800AC220020D5
65723+:10E900003C16080026D60038146000022474FFFF6D
65724+:10E910000000A0219742010E308340003042FFFFEB
65725+:10E920001060000A245200043C02002000821024DF
65726+:10E9300050400007308280008F8200042403BFFF14
65727+:10E94000008318240A0011703442100030828000C5
65728+:10E950001040000A3C0200200082102410400007F2
65729+:10E960008F8200043C03FFFF34637FFF0083182481
65730+:10E9700034428000AF820004AF8300000E000F9885
65731+:10E980000000000014400007000000009743011E33
65732+:10E990009742011C3063FFFF00021400006218253B
65733+:10E9A000AF8300089742010C8F4340003045FFFFC2
65734+:10E9B0003402FFFF14620003000000000A00118807
65735+:10E9C000241100208F4240003042010054400001D9
65736+:10E9D000241100108F840000308210005040001479
65737+:10E9E00036310001308200201440000B3C02100040
65738+:10E9F000008210245040000E363100013C030E000E
65739+:10EA00003C020DFF008318243442FFFF0043102B0B
65740+:10EA100050400007363100013C0208008C42002CB7
65741+:10EA2000244200013C010800AC22002C36310005D4
65742+:10EA30003C0608008CC6003454C000238F850000BB
65743+:10EA40008F820004304240005440001F8F85000038
65744+:10EA50003C021F01008210243C0310005443001AA2
65745+:10EA60008F85000030A20200144000178F8500003F
65746+:10EA70003250FFFF363100028F4201B80440FFFEE2
65747+:10EA800000000000AF400180020020210E000F4274
65748+:10EA9000AF4000208F8300042402BFFFA750019ADB
65749+:10EAA000006218248F820000A750018EA7510188B0
65750+:10EAB000A74301A6A74201903C021000AF4201B853
65751+:10EAC0000A001267000010213C02100000A210246E
65752+:10EAD0001040003A0000000010C0000F00000000CD
65753+:10EAE00030A201001040000C3C0302003C020F0069
65754+:10EAF00000A2102410430008000000008F820008CC
65755+:10EB000000541024005610219042000424420004B6
65756+:10EB10000A0011FF000221C00000000000051602DB
65757+:10EB20003050000F3A0300022E4203EF384200013A
65758+:10EB30002C63000100621824146000852402000187
65759+:10EB40003C0308008C6300D02E06000C38620001E4
65760+:10EB50002C4200010046102414400015001021C072
65761+:10EB60002602FFFC2C42000454400011000020212A
65762+:10EB7000386200022C42000100461024504000037D
65763+:10EB8000000512420A0011FF000020210010182B7E
65764+:10EB90000043102450400006001021C00000202136
65765+:10EBA0003245FFFF0E000F633226FFFB001021C02D
65766+:10EBB0003245FFFF0A001252362600028F42400003
65767+:10EBC0003C0308008C6300243042010010400046E2
65768+:10EBD00030620001322200043070000D1440000247
65769+:10EBE0002413000424130002000512C2384200015D
65770+:10EBF0002E4303EF3042000138630001004310252B
65771+:10EC0000104000033231FFFB2402FFFB020280248C
65772+:10EC100010C000183202000130A20100104000159F
65773+:10EC2000320200013C020F0000A210243C0302004B
65774+:10EC30001043000F8F8200082403FFFE020380248C
65775+:10EC40000054102400561021904200040233302555
65776+:10EC50002442000412000002000221C03226FFFFFD
65777+:10EC60000E000F633245FFFF120000390000102133
65778+:10EC7000320200011040000D3202000424020001A3
65779+:10EC800012020002023330253226FFFF000020214D
65780+:10EC90000E000F633245FFFF2402FFFE02028024B4
65781+:10ECA0001200002B00001021320200041040002846
65782+:10ECB0002402000124020004120200020233302563
65783+:10ECC0003226FFFF3245FFFF0E000F6324040100D0
65784+:10ECD0002402FFFB020280241200001D000010210C
65785+:10ECE0000A001267240200015040001900001021A0
65786+:10ECF0003245FFFF36260002000020210E000F6380
65787+:10ED0000000000000A001267000010212402BFFF6B
65788+:10ED1000006210241040000800000000240287FF59
65789+:10ED200000621024144000083C020060008210249D
65790+:10ED300010400005000000000E000D34000000002F
65791+:10ED40000A001267000000000E0012C70000000059
65792+:10ED5000104000063C0240008F4301243C0260202A
65793+:10ED6000AC430014000000003C024000AF420138F8
65794+:10ED70000000000032A200021040FEBD00000000B2
65795+:10ED80008F4201403C044000AF4200208F430148C5
65796+:10ED90003C02700000621824106400420000000071
65797+:10EDA0000083102B144000063C0260003C0220004F
65798+:10EDB000106200073C0240000A0012C3000000007D
65799+:10EDC0001062003C3C0240000A0012C30000000038
65800+:10EDD0008F4501408F4601448F42014800021402D2
65801+:10EDE000304300FF240200041462000A274401801B
65802+:10EDF0008F4201B80440FFFE2402001CAC850000D5
65803+:10EE0000A082000B3C021000AF4201B80A0012C3FE
65804+:10EE10003C0240002402000914620012000616029F
65805+:10EE2000000229C0AF4500208F4201B80440FFFE18
65806+:10EE30002402000124030003AF450180A343018B9A
65807+:10EE4000A740018EA740019AA7400190AF4001A8BA
65808+:10EE5000A7420188A74201A6AF4001AC3C021000C6
65809+:10EE6000AF4201B88F4201B80440FFFE000000002D
65810+:10EE7000AC8500008F42014800021402A482000801
65811+:10EE800024020002A082000B8F420148A4820010DD
65812+:10EE90003C021000AC860024AF4201B80A0012C345
65813+:10EEA0003C0240000E001310000000000A0012C3D4
65814+:10EEB0003C0240000E001BC2000000003C0240006B
65815+:10EEC000AF420178000000000A00112F000000008E
65816+:10EED0008F4201003042003E144000112402000124
65817+:10EEE000AF4000488F420100304207C0104000058B
65818+:10EEF00000000000AF40004CAF40005003E00008AD
65819+:10EF000024020001AF400054AF4000408F42010096
65820+:10EF10003042380054400001AF4000442402000158
65821+:10EF200003E00008000000008F4201B80440FFFE2B
65822+:10EF300024020001AF440180AF400184A74501884D
65823+:10EF4000A342018A24020002A342018B9742014A94
65824+:10EF500014C00004A7420190AF4001A40A0012EFC0
65825+:10EF60003C0210008F420144AF4201A43C02100059
65826+:10EF7000AF4001A803E00008AF4201B88F4201B8DA
65827+:10EF80000440FFFE24020002AF440180AF4401842C
65828+:10EF9000A7450188A342018AA342018B9742014AF7
65829+:10EFA000A7420190AF4001A48F420144AF4201A8A3
65830+:10EFB0003C02100003E00008AF4201B83C029000A0
65831+:10EFC0003442000100822025AF4400208F420020FF
65832+:10EFD0000440FFFE0000000003E000080000000005
65833+:10EFE0003C028000344200010082202503E000083A
65834+:10EFF000AF44002027BDFFE8AFBF0014AFB0001042
65835+:10F000008F50014093430149934201489344014882
65836+:10F01000306300FF304200FF00021200006228252A
65837+:10F020002402001910620076308400802862001AE1
65838+:10F030001040001C24020020240200081062007707
65839+:10F04000286200091040000E2402000B2402000177
65840+:10F0500010620034286200025040000524020006BD
65841+:10F0600050600034020020210A00139A00000000C2
65842+:10F0700010620030020020210A00139A00000000F4
65843+:10F080001062003B2862000C504000022402000E77
65844+:10F090002402000910620056020020210A00139A7F
65845+:10F0A0000000000010620056286200211040000F8E
65846+:10F0B000240200382402001C106200582862001D3F
65847+:10F0C000104000062402001F2402001B1062004CA6
65848+:10F0D000000000000A00139A000000001062004ABD
65849+:10F0E000020020210A00139A00000000106200456F
65850+:10F0F0002862003910400007240200802462FFCB00
65851+:10F100002C42000210400045020020210A00139604
65852+:10F110000000302110620009000000000A00139A6C
65853+:10F12000000000001480003D020020210A0013901E
65854+:10F130008FBF00140A001396240600018F4201B805
65855+:10F140000440FFFE24020002A342018BA745018870
65856+:10F150009742014AA74201908F420144A74201927F
65857+:10F160003C021000AF4201B80A00139C8FBF00148C
65858+:10F170009742014A144000290000000093620005F4
65859+:10F180003042000414400025000000000E0013026D
65860+:10F190000200202193620005020020213442000475
65861+:10F1A0000E00130BA36200059362000530420004B9
65862+:10F1B00014400002000000000000000D93620000F7
65863+:10F1C00024030020304200FF14430014000000001C
65864+:10F1D0008F4201B80440FFFE24020005AF500180B9
65865+:10F1E000A342018B3C0210000A00139AAF4201B8FF
65866+:10F1F0008FBF00148FB000100A0012F227BD001854
65867+:10F200000000000D02002021000030218FBF0014FB
65868+:10F210008FB000100A0012DD27BD00180000000D9D
65869+:10F220008FBF00148FB0001003E0000827BD001846
65870+:10F2300027BDFFE8AFBF00100E000F3C000000002C
65871+:10F24000AF4001808FBF0010000020210A000FE7AF
65872+:10F2500027BD00183084FFFF30A5FFFF00001821F4
65873+:10F260001080000700000000308200011040000202
65874+:10F2700000042042006518210A0013AB0005284055
65875+:10F2800003E000080060102110C0000624C6FFFF44
65876+:10F290008CA2000024A50004AC8200000A0013B573
65877+:10F2A0002484000403E000080000000010A000080F
65878+:10F2B00024A3FFFFAC860000000000000000000057
65879+:10F2C0002402FFFF2463FFFF1462FFFA248400047A
65880+:10F2D00003E0000800000000308300FF30A500FFBD
65881+:10F2E00030C600FF274701808F4201B80440FFFE6F
65882+:10F2F000000000008F42012834634000ACE20000AF
65883+:10F3000024020001ACE00004A4E30008A0E2000A2B
65884+:10F3100024020002A0E2000B3C021000A4E5001051
65885+:10F32000ACE00024ACE00028A4E6001203E00008F2
65886+:10F33000AF4201B827BDFFE8AFBF00109362003FA6
65887+:10F3400024030012304200FF1043000D00803021E2
65888+:10F350008F620044008210230440000A8FBF001017
65889+:10F360008F620048240400390000282100C21023C5
65890+:10F3700004410004240600120E0013C9000000001E
65891+:10F380008FBF00102402000103E0000827BD001811
65892+:10F3900027BDFFC8AFB20030AFB1002CAFBF003403
65893+:10F3A000AFB0002890C5000D0080902130A400105F
65894+:10F3B0001080000B00C088218CC300088F620054AD
65895+:10F3C0001062000730A20005144000B524040001BB
65896+:10F3D0000E000D21000020210A0014BB0040202156
65897+:10F3E00030A200051040000930A30012108000ACCC
65898+:10F3F000240400018E2300088F620054146200A9C7
65899+:10F400008FBF00340A00142C240400382402001298
65900+:10F41000146200A3240400010220202127A500106B
65901+:10F420000E000CB2AFA000101040001102402021CD
65902+:10F430008E220008AF620084AF6000400E0013020D
65903+:10F44000000000009362007D024020213442002031
65904+:10F450000E00130BA362007D0E000CA902402021B8
65905+:10F46000240400382405008D0A0014B82406001274
65906+:10F470009362003E304200081040000F8FA200103F
65907+:10F4800030420100104000078FA300148F6200601B
65908+:10F490000062102304430008AF6300600A001441B7
65909+:10F4A00000000000AF6000609362003E2403FFF79D
65910+:10F4B00000431024A362003E9362003E30420008E5
65911+:10F4C000144000022406000300003021936200343F
65912+:10F4D000936300378F640084304200FF306300FF85
65913+:10F4E00000661821000318800043282100A4202B67
65914+:10F4F0001080000B000000009763003C8F620084C6
65915+:10F500003063FFFF004510230062182B14600004D5
65916+:10F51000000000008F6200840A00145D0045802313
65917+:10F520009762003C3050FFFF8FA300103062000450
65918+:10F5300010400004000628808FA2001C0A001465F9
65919+:10F540000202102B2E02021850400003240202185F
65920+:10F550000A00146E020510233063000410600003DB
65921+:10F56000004510238FA2001C00451023004080217D
65922+:10F570002C42008054400001241000800E00130231
65923+:10F580000240202124020001AF62000C9362003E81
65924+:10F59000001020403042007FA362003E8E22000413
65925+:10F5A00024420001AF620040A770003C8F6200500F
65926+:10F5B0009623000E00431021AF6200588F62005066
65927+:10F5C00000441021AF62005C8E220004AF6200187C
65928+:10F5D0008E220008AF62001C8FA20010304200088B
65929+:10F5E0005440000A93A20020A360003693620036C4
65930+:10F5F0002403FFDFA36200359362003E0043102422
65931+:10F60000A362003E0A0014988E220008A36200350F
65932+:10F610008E220008AF62004C8F6200248F6300408E
65933+:10F6200000431021AF6200489362000024030050A1
65934+:10F63000304200FF144300122403FF803C02080004
65935+:10F640008C4231A00242102100431024AF42002816
65936+:10F650003C0208008C4231A08E2400083C03000CC0
65937+:10F66000024210213042007F03421021004310214A
65938+:10F67000AC4400D88E230008AF820014AC4300DCF9
65939+:10F680000E00130B02402021240400380000282122
65940+:10F690002406000A0E0013C9000000002404000123
65941+:10F6A0008FBF00348FB200308FB1002C8FB0002894
65942+:10F6B0000080102103E0000827BD003827BDFFF8B7
65943+:10F6C00027420180AFA20000308A00FF8F4201B8BC
65944+:10F6D0000440FFFE000000008F4601283C020800A5
65945+:10F6E0008C4231A02403FF80AF86004800C2102165
65946+:10F6F00000431024AF4200243C0208008C4231A099
65947+:10F700008FA900008FA8000000C210213042007FA6
65948+:10F71000034218213C02000A00621821946400D4BC
65949+:10F720008FA700008FA5000024020002AF83001401
65950+:10F73000A0A2000B8FA30000354260003084FFFFC1
65951+:10F74000A4E200083C021000AD260000AD04000455
65952+:10F75000AC60002427BD0008AF4201B803E00008F8
65953+:10F76000240200018F88003C938200288F830014BC
65954+:10F770003C07080024E7779800481023304200FF38
65955+:10F78000304900FC246500888F860040304A000321
65956+:10F790001120000900002021248200048CA3000015
65957+:10F7A000304400FF0089102AACE3000024A50004C7
65958+:10F7B0001440FFF924E70004114000090000202153
65959+:10F7C0002482000190A30000304400FF008A102B27
65960+:10F7D000A0E3000024A500011440FFF924E7000184
65961+:10F7E00030C20003144000048F85003C3102000346
65962+:10F7F0001040000D0000000010A0000900002021B2
65963+:10F800002482000190C30000304400FF0085102BCB
65964+:10F81000A0E3000024C600011440FFF924E7000122
65965+:10F8200003E00008000000001100FFFD000020219F
65966+:10F83000248200048CC30000304400FF0088102B99
65967+:10F84000ACE3000024C600041440FFF924E70004E0
65968+:10F8500003E00008000000008F83003C9382002832
65969+:10F8600030C600FF30A500FF00431023304300FFE7
65970+:10F870008F820014008038210043102114C0000240
65971+:10F88000244800880083382130E20003144000053A
65972+:10F8900030A2000314400003306200031040000D4A
65973+:10F8A0000000000010A000090000202124820001B7
65974+:10F8B00090E30000304400FF0085102BA1030000FE
65975+:10F8C00024E700011440FFF92508000103E00008C7
65976+:10F8D0000000000010A0FFFD000020212482000491
65977+:10F8E0008CE30000304400FF0085102BAD030000C6
65978+:10F8F00024E700041440FFF92508000403E0000891
65979+:10F90000000000000080482130AAFFFF30C600FF41
65980+:10F9100030E7FFFF274801808F4201B80440FFFE17
65981+:10F920008F820048AD0200008F420124AD02000426
65982+:10F930008D220020A5070008A102000A240200165B
65983+:10F94000A102000B934301208D2200088D240004A6
65984+:10F95000306300FF004310219783003A00441021D8
65985+:10F960008D250024004310233C0308008C6331A044
65986+:10F970008F840014A502000C246300E82402FFFF1A
65987+:10F98000A50A000EA5030010A5060012AD0500187B
65988+:10F99000AD020024948201142403FFF73042FFFFDC
65989+:10F9A000AD0200288C820118AD02002C3C02100030
65990+:10F9B000AD000030AF4201B88D220020004310247A
65991+:10F9C00003E00008AD2200208F82001430E7FFFF23
65992+:10F9D00000804821904200D330A5FFFF30C600FFD1
65993+:10F9E0000002110030420F0000E238252748018054
65994+:10F9F0008F4201B80440FFFE8F820048AD02000034
65995+:10FA00008F420124AD0200048D220020A5070008CA
65996+:10FA1000A102000A24020017A102000B9343012057
65997+:10FA20008D2200088D240004306300FF0043102164
65998+:10FA30009783003A004410218F8400140043102360
65999+:10FA40003C0308008C6331A0A502000CA505000E44
66000+:10FA5000246300E8A5030010A5060012AD00001401
66001+:10FA60008D220024AD0200188C82005CAD02001CC7
66002+:10FA70008C820058AD0200202402FFFFAD0200245A
66003+:10FA8000948200E63042FFFFAD02002894820060BD
66004+:10FA9000948300BE30427FFF3063FFFF00021200FC
66005+:10FAA00000431021AD02002C3C021000AD000030DC
66006+:10FAB000AF4201B8948200BE2403FFF700A21021D8
66007+:10FAC000A48200BE8D2200200043102403E0000821
66008+:10FAD000AD220020274301808F4201B80440FFFE81
66009+:10FAE0008F8200249442001C3042FFFF000211C0AC
66010+:10FAF000AC62000024020019A062000B3C0210005E
66011+:10FB0000AC60003003E00008AF4201B88F87002CE2
66012+:10FB100030C300FF8F4201B80440FFFE8F820048CF
66013+:10FB200034636000ACA2000093820044A0A20005F0
66014+:10FB30008CE20010A4A20006A4A300088C8200207E
66015+:10FB40002403FFF7A0A2000A24020002A0A2000BD7
66016+:10FB50008CE20000ACA200108CE20004ACA2001405
66017+:10FB60008CE2001CACA200248CE20020ACA2002895
66018+:10FB70008CE2002CACA2002C8C820024ACA20018D9
66019+:10FB80003C021000AF4201B88C82002000431024D8
66020+:10FB900003E00008AC8200208F86001427BDFFE838
66021+:10FBA000AFBF0014AFB0001090C20063304200201D
66022+:10FBB0001040000830A500FF8CC2007C2403FFDF4A
66023+:10FBC00024420001ACC2007C90C2006300431024B8
66024+:10FBD000A0C2006310A000238F830014275001806F
66025+:10FBE000020028210E0015D6240600828F82001400
66026+:10FBF000904200633042004050400019A38000440E
66027+:10FC00008F83002C8F4201B80440FFFE8F82004892
66028+:10FC1000AE02000024026082A60200082402000254
66029+:10FC2000A202000B8C620008AE0200108C62000C75
66030+:10FC3000AE0200148C620014AE0200188C62001830
66031+:10FC4000AE0200248C620024AE0200288C620028E0
66032+:10FC5000AE02002C3C021000AF4201B8A380004469
66033+:10FC60008F8300148FBF00148FB000109062006368
66034+:10FC700027BD00183042007FA06200639782003ADF
66035+:10FC80008F86003C8F850014938300280046102344
66036+:10FC9000A782003AA4A000E490A400638F820040F1
66037+:10FCA000AF83003C2403FFBF0046102100832024C3
66038+:10FCB000AF820040A0A400638F820014A04000BD6A
66039+:10FCC0008F82001403E00008A44000BE8F8A001455
66040+:10FCD00027BDFFE0AFB10014AFB000108F88003C2B
66041+:10FCE000AFBF00189389001C954200E430D100FF9B
66042+:10FCF0000109182B0080802130AC00FF3047FFFF46
66043+:10FD00000000582114600003310600FF012030215B
66044+:10FD1000010958239783003A0068102B1440003CD7
66045+:10FD20000000000014680007240200018E02002079
66046+:10FD30002403FFFB34E7800000431024AE020020C0
66047+:10FD40002402000134E70880158200053165FFFFB9
66048+:10FD50000E001554020020210A00169102002021F5
66049+:10FD60000E001585020020218F8400482743018062
66050+:10FD70008F4201B80440FFFE24020018AC6400006A
66051+:10FD8000A062000B8F840014948200E6A46200102D
66052+:10FD90003C021000AC600030AF4201B894820060B9
66053+:10FDA00024420001A4820060948200603C030800A9
66054+:10FDB0008C63318830427FFF5443000F02002021C2
66055+:10FDC000948200602403800000431024A482006019
66056+:10FDD0009082006090830060304200FF000211C2F8
66057+:10FDE00000021027000211C03063007F0062182556
66058+:10FDF000A083006002002021022028218FBF00186C
66059+:10FE00008FB100148FB000100A0015F927BD002033
66060+:10FE1000914200632403FF8000431025A142006348
66061+:10FE20009782003A3048FFFF110000209383001CA6
66062+:10FE30008F840014004B1023304600FF948300E4AD
66063+:10FE40002402EFFF0168282B00621824A48300E439
66064+:10FE500014A000038E020020010058210000302170
66065+:10FE60002403FFFB34E7800000431024AE0200208F
66066+:10FE700024020001158200053165FFFF0E001554B4
66067+:10FE8000020020210A0016B99783003A0E0015855A
66068+:10FE9000020020219783003A8F82003CA780003A1D
66069+:10FEA00000431023AF82003C9383001C8F82001418
66070+:10FEB0008FBF00188FB100148FB0001027BD002035
66071+:10FEC00003E00008A04300BD938200442403000126
66072+:10FED00027BDFFE8004330042C420020AFB00010E3
66073+:10FEE000AFBF00142410FFFE10400005274501801D
66074+:10FEF0003C0208008C4231900A0016D600461024BD
66075+:10FF00003C0208008C423194004610241440000743
66076+:10FF1000240600848F8300142410FFFF9062006287
66077+:10FF20003042000F34420040A06200620E0015D63D
66078+:10FF300000000000020010218FBF00148FB00010DD
66079+:10FF400003E0000827BD00188F83002427BDFFE0D1
66080+:10FF5000AFB20018AFB10014AFB00010AFBF001CBB
66081+:10FF60009062000D00A0902130D100FF3042007F50
66082+:10FF7000A062000D8F8500148E4300180080802140
66083+:10FF80008CA2007C146200052402000E90A2006383
66084+:10FF9000344200200A0016FFA0A200630E0016C51E
66085+:10FFA000A38200442403FFFF104300472404FFFF03
66086+:10FFB00052200045000020218E4300003C0200102A
66087+:10FFC00000621024504000043C020008020020217E
66088+:10FFD0000A00170E24020015006210245040000988
66089+:10FFE0008E45000002002021240200140E0016C5D8
66090+:10FFF000A38200442403FFFF104300332404FFFFC7
66091+:020000021000EC
66092+:100000008E4500003C02000200A2102410400016A1
66093+:100010003C0200048F8600248CC200148CC30010A4
66094+:100020008CC40014004310230044102B50400005E2
66095+:10003000020020218E43002C8CC2001010620003AD
66096+:10004000020020210A00173F240200123C02000493
66097+:1000500000A210245040001C00002021020020219A
66098+:100060000A00173F2402001300A2102410400006CB
66099+:100070008F8300248C620010504000130000202168
66100+:100080000A001739020020218C6200105040000441
66101+:100090008E42002C020020210A00173F240200118A
66102+:1000A00050400009000020210200202124020017F6
66103+:1000B0000E0016C5A38200442403FFFF1043000274
66104+:1000C0002404FFFF000020218FBF001C8FB2001806
66105+:1000D0008FB100148FB000100080102103E00008E1
66106+:1000E00027BD00208F83001427BDFFD8AFB40020A8
66107+:1000F000AFB3001CAFB20018AFB10014AFB0001026
66108+:10010000AFBF0024906200638F91002C2412FFFF88
66109+:100110003442004092250000A06200638E2200104D
66110+:100120000080982130B0003F105200060360A021EB
66111+:100130002402000D0E0016C5A38200441052005484
66112+:100140002404FFFF8F8300148E2200188C63007C30
66113+:1001500010430007026020212402000E0E0016C585
66114+:10016000A38200442403FFFF104300492404FFFF3F
66115+:1001700024040020120400048F83001490620063A2
66116+:1001800034420020A06200638F85003410A000205C
66117+:1001900000000000560400048F8200140260202139
66118+:1001A0000A0017902402000A9683000A9442006015
66119+:1001B0003042FFFF144300048F8200202404FFFD1F
66120+:1001C0000A0017B7AF82003C3C0208008C42318C19
66121+:1001D0000045102B14400006026020210000282159
66122+:1001E0000E001646240600010A0017B70000202161
66123+:1001F0002402002D0E0016C5A38200442403FFFF35
66124+:10020000104300232404FFFF0A0017B70000202139
66125+:10021000160400058F8400148E2300142402FFFFAF
66126+:100220005062001802602021948200602442000184
66127+:10023000A4820060948200603C0308008C633188D3
66128+:1002400030427FFF5443000F0260202194820060FF
66129+:100250002403800000431024A48200609082006088
66130+:1002600090830060304200FF000211C2000210279C
66131+:10027000000211C03063007F00621825A083006077
66132+:10028000026020210E0015F9240500010000202144
66133+:100290008FBF00248FB400208FB3001C8FB20018D2
66134+:1002A0008FB100148FB000100080102103E000080F
66135+:1002B00027BD00288F83001427BDFFE8AFB00010D2
66136+:1002C000AFBF0014906200638F87002C00808021F4
66137+:1002D000344200408CE60010A06200633C0308003A
66138+:1002E0008C6331B030C23FFF0043102B1040004EF2
66139+:1002F0008F8500302402FF8090A3000D004310245E
66140+:10030000304200FF504000490200202100061382C5
66141+:10031000304800032402000255020044020020215C
66142+:1003200094A2001C8F85001424030023A4A20114AE
66143+:100330008CE60000000616023042003F1043001019
66144+:100340003C0300838CE300188CA2007C1062000642
66145+:100350002402000E0E0016C5A38200442403FFFFF2
66146+:10036000104300382404FFFF8F8300149062006361
66147+:1003700034420020A06200630A0017FC8F8300242F
66148+:1003800000C31024144300078F83002490A200624E
66149+:100390003042000F34420020A0A20062A38800383F
66150+:1003A0008F8300249062000D3042007FA062000D18
66151+:1003B0008F83003410600018020020218F840030E9
66152+:1003C0008C8200100043102B1040000924020018FA
66153+:1003D000020020210E0016C5A38200442403FFFF63
66154+:1003E000104300182404FFFF0A00182400002021F5
66155+:1003F0008C820010240500010200202100431023FC
66156+:100400008F830024240600010E001646AC62001003
66157+:100410000A001824000020210E0015F9240500010F
66158+:100420000A00182400002021020020212402000DCF
66159+:100430008FBF00148FB0001027BD00180A0016C52A
66160+:10044000A38200448FBF00148FB0001000801021E1
66161+:1004500003E0000827BD001827BDFFC8AFB2002089
66162+:10046000AFBF0034AFB60030AFB5002CAFB400283A
66163+:10047000AFB30024AFB1001CAFB000188F46012805
66164+:100480003C0308008C6331A02402FF80AF86004843
66165+:1004900000C318213065007F03452821006218241D
66166+:1004A0003C02000AAF43002400A2282190A200626F
66167+:1004B00000809021AF850014304200FF000211023D
66168+:1004C000A382003890A200BC304200021440000217
66169+:1004D00024030034240300308F820014A3830028F7
66170+:1004E000938300388C4200C0A3800044AF82003C5C
66171+:1004F000240200041062031C8F84003C8E4400041C
66172+:10050000508003198F84003C8E4200103083FFFF1F
66173+:10051000A784003A106002FFAF8200408F8400146D
66174+:100520002403FF809082006300621024304200FFA9
66175+:10053000144002CF9785003A9383003824020002CA
66176+:1005400030B6FFFF14620005000088219382002866
66177+:100550002403FFFD0A001B19AF82003C8F82003C80
66178+:1005600002C2102B144002A18F8400400E0014EC34
66179+:1005700000000000938300283C040800248477983E
66180+:10058000240200341462002EAF84002C3C0A0800C0
66181+:100590008D4A77C82402FFFFAFA2001000803821E7
66182+:1005A0002405002F3C09080025297398240800FF22
66183+:1005B0002406FFFF90E2000024A3FFFF00062202B2
66184+:1005C00000C21026304200FF0002108000491021B6
66185+:1005D0008C420000306500FF24E7000114A8FFF5FD
66186+:1005E0000082302600061027AFA20014AFA2001030
66187+:1005F0000000282127A7001027A6001400C51023FB
66188+:100600009044000324A2000100A71821304500FFF8
66189+:100610002CA200041440FFF9A06400008FA2001077
66190+:100620001142000724020005024020210E0016C5D9
66191+:10063000A38200442403FFFF104300642404FFFF4F
66192+:100640003C0208009042779C104000098F82001401
66193+:10065000024020212402000C0E0016C5A382004493
66194+:100660002403FFFF104300592404FFFF8F8200146E
66195+:10067000A380001C3C0308008C63779C8C440080A2
66196+:100680003C0200FF3442FFFF006218240083202B4D
66197+:1006900010800008AF83003402402021240200199A
66198+:1006A0000E0016C5A38200442403FFFF1043004739
66199+:1006B0002404FFFF8F87003C9782003A8F85003427
66200+:1006C000AF8700200047202310A0003BA784003AFA
66201+:1006D0008F86001430A200030002102390C300BCD8
66202+:1006E0003050000300B0282100031882307300014D
66203+:1006F0000013108000A228213C0308008C6331A065
66204+:100700008F8200483084FFFF0085202B004310219A
66205+:1007100010800011244200888F84002C1082000E6B
66206+:100720003C033F013C0208008C42779800431024B0
66207+:100730003C0325001443000630E500FF8C820000D6
66208+:10074000ACC200888C8200100A0018E9ACC2009884
66209+:100750000E001529000030219382001C8F850014A3
66210+:100760008F830040020238218F82003CA387001C47
66211+:1007700094A400E4006218218F82003434841000B5
66212+:10078000AF83004000503021A4A400E41260000EAA
66213+:10079000AF86003C24E20004A382001C94A200E483
66214+:1007A00024C30004AF83003C34422000A4A200E430
66215+:1007B0000A001906000020218F820040AF80003C13
66216+:1007C00000471021AF820040000020212414FFFFC9
66217+:1007D000109402112403FFFF3C0808008D0877A83D
66218+:1007E0003C0208008C4231B03C03080090637798CB
66219+:1007F00031043FFF0082102B1040001B3067003F88
66220+:100800003C0208008C4231A88F83004800042180FC
66221+:1008100000621821006418213062007F0342282101
66222+:100820003C02000C00A228213C020080344200015E
66223+:100830003066007800C230252402FF800062102458
66224+:10084000AF42002830640007AF4208048F820014D2
66225+:100850000344202124840940AF460814AF850024B6
66226+:10086000AF840030AC4301189383003824020003A6
66227+:10087000146201CF240200012402002610E201D1FB
66228+:1008800028E2002710400013240200322402002234
66229+:1008900010E201CC28E200231040000824020024CA
66230+:1008A0002402002010E201B82402002110E20147D6
66231+:1008B000024020210A001AFB2402000B10E201C1B1
66232+:1008C0002402002510E20010024020210A001AFB39
66233+:1008D0002402000B10E201AE28E2003310400006B3
66234+:1008E0002402003F2402003110E2009A024020213D
66235+:1008F0000A001AFB2402000B10E201A5024020218D
66236+:100900000A001AFB2402000B8F90002C3C03080005
66237+:100910008C6331B08F8500308E0400100000A82158
66238+:100920008CB3001430823FFF0043102B8CB10020A9
66239+:100930005040018F0240202190A3000D2402FF802F
66240+:1009400000431024304200FF504001890240202122
66241+:10095000000413823042000314400185024020212C
66242+:1009600094A3001C8F8200148E040028A443011459
66243+:100970008CA20010026218231064000302402021A0
66244+:100980000A00197C2402001F8F82003400621021AB
66245+:100990000262102B104000088F83002402402021A7
66246+:1009A000240200180E0016C5A382004410540174DE
66247+:1009B0002404FFFF8F8300248F8400348C62001096
66248+:1009C0000224882100441023AC6200108F8200149E
66249+:1009D000AC7100208C4200680051102B10400009BF
66250+:1009E0008F830030024020212402001D0E0016C516
66251+:1009F000A38200442403FFFF104301612404FFFF8E
66252+:100A00008F8300308E0200248C6300241043000783
66253+:100A1000024020212402001C0E0016C5A3820044BF
66254+:100A20002403FFFF104301562404FFFF8F8400249A
66255+:100A30008C82002424420001AC8200241233000482
66256+:100A40008F8200148C4200685622000E8E02000035
66257+:100A50008E0200003C030080004310241440000D6F
66258+:100A60002402001A024020210E0016C5A382004471
66259+:100A70002403FFFF104301422404FFFF0A0019BAB8
66260+:100A80008E0200143C0300800043102450400003F9
66261+:100A90008E020014AC8000208E0200142411FFFF8F
66262+:100AA0001051000E3C0308003C0208008C423190BB
66263+:100AB000004310242403001B14400007A3830044B8
66264+:100AC0000E0016C5024020211051012D2404FFFF05
66265+:100AD0000A0019CB8E030000A38000448E0300009F
66266+:100AE0003C02000100621024104000123C02008011
66267+:100AF0000062102414400008024020212402001A41
66268+:100B00000E0016C5A38200442403FFFF1043011CFE
66269+:100B10002404FFFF02402021020028210E0016E5D8
66270+:100B2000240600012403FFFF104301152404FFFFE6
66271+:100B3000241500018F83002402A0302102402021CF
66272+:100B40009462003624050001244200010A001ADFE5
66273+:100B5000A46200368F90002C3C0308008C6331B0F7
66274+:100B60008E13001032623FFF0043102B10400089AB
66275+:100B70008F8400302402FF809083000D00431024F6
66276+:100B8000304200FF104000842402000D0013138245
66277+:100B900030420003240300011443007F2402000DAF
66278+:100BA0009082000D30420008544000048F820034CF
66279+:100BB000024020210A001A102402002450400004A0
66280+:100BC0008E03000C024020210A001A102402002784
66281+:100BD0008C82002054620006024020218E0300080F
66282+:100BE0008C820024506200098E02001402402021F1
66283+:100BF000240200200E0016C5A38200441054007188
66284+:100C00002403FFFF0A001A458F8400242411FFFFEC
66285+:100C1000145100048F860014024020210A001A405B
66286+:100C2000240200258E0300188CC2007C1062000391
66287+:100C30002402000E0A001A40024020218E030024E4
66288+:100C40008C82002810620003240200210A001A404E
66289+:100C5000024020218E0500288C82002C10A2000367
66290+:100C60002402001F0A001A40024020218E03002C9B
66291+:100C700014600003240200230A001A4002402021CD
66292+:100C80008CC200680043102B104000032402002691
66293+:100C90000A001A40024020218C82001400651821AD
66294+:100CA0000043102B104000088F84002402402021B4
66295+:100CB000240200220E0016C5A382004410510041F8
66296+:100CC0002403FFFF8F8400242403FFF79082000D8C
66297+:100CD00000431024A082000D8F8600143C030800FE
66298+:100CE0008C6331AC8F82004894C400E08F8500246F
66299+:100CF0000043102130847FFF000420400044102175
66300+:100D00003043007F034320213C03000E0083202159
66301+:100D10002403FF8000431024AF42002CA493000062
66302+:100D20008CA2002824420001ACA200288CA2002C36
66303+:100D30008E03002C00431021ACA2002C8E02002C4C
66304+:100D4000ACA200308E020014ACA2003494A2003A8F
66305+:100D500024420001A4A2003A94C600E03C0208002C
66306+:100D60008C4231B024C4000130837FFF1462000F35
66307+:100D700000803021240280000082302430C2FFFF36
66308+:100D8000000213C2304200FF000210270A001A7E40
66309+:100D9000000233C02402000D024020210E0016C5BF
66310+:100DA000A38200440A001A84004018218F82001494
66311+:100DB00002402021240500010E0015F9A44600E0A0
66312+:100DC000000018210A001B16006088218F90002C5B
66313+:100DD0003C0308008C6331B08E05001030A23FFF49
66314+:100DE0000043102B104000612402FF808F840030EC
66315+:100DF0009083000D00431024304200FF5040005CFF
66316+:100E0000024020218F8200341040000B0005138225
66317+:100E10008F8200149763000A944200603042FFFF03
66318+:100E200014430005000513828F8200202404FFFD77
66319+:100E30000A001AF3AF82003C304200031440000E57
66320+:100E40000000000092020002104000058E03002402
66321+:100E500050600015920300030A001AAF02402021DF
66322+:100E60008C82002450620010920300030240202173
66323+:100E70000A001AB72402000F9082000D30420008C9
66324+:100E80005440000992030003024020212402001074
66325+:100E90000E0016C5A38200442403FFFF1043003850
66326+:100EA0002404FFFF92030003240200025462000C9A
66327+:100EB000920200038F820034544000099202000322
66328+:100EC000024020212402002C0E0016C5A3820044FB
66329+:100ED0002403FFFF1043002A2404FFFF92020003B3
66330+:100EE0000200282102402021384600102CC60001B3
66331+:100EF0002C4200010E0016E5004630252410FFFFAD
66332+:100F00001050001F2404FFFF8F8300341060001373
66333+:100F1000024020213C0208008C42318C0043102BFF
66334+:100F200014400007000000000000282124060001F2
66335+:100F30000E001646000000000A001AF300002021EF
66336+:100F40002402002D0E0016C5A38200441050000C90
66337+:100F50002404FFFF0A001AF3000020210E0015F9F7
66338+:100F6000240500010A001AF300002021024020217C
66339+:100F70002402000D0E0016C5A3820044004020216B
66340+:100F80000A001B16008088211514000E00000000C6
66341+:100F90000E00174C024020210A001B160040882139
66342+:100FA0000E0016C5A38200440A001B1600408821CB
66343+:100FB00014620017022018212402002314E2000505
66344+:100FC0002402000B0E0017C0024020210A001B164D
66345+:100FD0000040882102402021A38200440E0016C553
66346+:100FE0002411FFFF0A001B170220182130A500FF63
66347+:100FF0000E001529240600019783003A8F82003CD9
66348+:10100000A780003A00431023AF82003C0220182141
66349+:101010001220003E9782003A2402FFFD5462003EF7
66350+:101020008E4300208E4200048F830014005610234C
66351+:10103000AE420004906200633042007FA062006311
66352+:101040008E4200208F840014A780003A34420002B0
66353+:10105000AE420020A48000E4908200632403FFBF1E
66354+:1010600000431024A08200630A001B598E43002015
66355+:101070009082006300621024304200FF1040002381
66356+:101080009782003A90820088908300BD2485008872
66357+:101090003042003F2444FFE02C820020A383001C48
66358+:1010A00010400019AF85002C2402000100821804B2
66359+:1010B000306200191440000C3C02800034420002EF
66360+:1010C000006210241440000B306200201040000F1A
66361+:1010D0009782003A90A600010240202124050001D9
66362+:1010E0000A001B5330C60001024020210A001B5297
66363+:1010F00024050001024020210000282124060001CF
66364+:101100000E001646000000009782003A1440FD04CD
66365+:101110008F8400148E4300203062000410400012BF
66366+:101120008F84003C2402FFFB00621024AE420020AA
66367+:10113000274301808F4201B80440FFFE8F820048A0
66368+:10114000AC6200008F420124AC6200042402608380
66369+:10115000A462000824020002A062000B3C021000FE
66370+:10116000AF4201B88F84003C8F8300148FBF0034DE
66371+:101170008FB600308FB5002C8FB400288FB30024B9
66372+:101180008FB200208FB1001C8FB000182402000124
66373+:1011900027BD003803E00008AC6400C030A500FFA4
66374+:1011A0002403000124A900010069102B1040000C49
66375+:1011B00000004021240A000100A31023004A380443
66376+:1011C00024630001308200010069302B10400002CE
66377+:1011D000000420420107402554C0FFF800A310235B
66378+:1011E00003E00008010010213C020800244260A432
66379+:1011F0003C010800AC22738C3C02080024425308D6
66380+:101200003C010800AC2273902402000627BDFFE0D9
66381+:101210003C010800A02273943C021EDCAFB200180F
66382+:10122000AFB10014AFBF001CAFB0001034526F411B
66383+:1012300000008821240500080E001B7A02202021CE
66384+:10124000001180803C07080024E773980002160014
66385+:1012500002071821AC6200000000282124A200012E
66386+:101260003045FFFF8C6200002CA6000804410002FC
66387+:10127000000220400092202614C0FFF8AC64000059
66388+:10128000020780218E0400000E001B7A2405002036
66389+:10129000262300013071FFFF2E2301001460FFE5BB
66390+:1012A000AE0200008FBF001C8FB200188FB1001477
66391+:1012B0008FB0001003E0000827BD002027BDFFD835
66392+:1012C000AFB3001CAFB20018AFBF0020AFB1001425
66393+:1012D000AFB000108F5101408F48014800089402C0
66394+:1012E000324300FF311300FF8F4201B80440FFFE7C
66395+:1012F00027500180AE1100008F420144AE0200046D
66396+:1013000024020002A6120008A202000B240200140C
66397+:10131000AE1300241062002528620015104000085A
66398+:101320002402001524020010106200302402001272
66399+:10133000106200098FBF00200A001CB58FB3001C8B
66400+:101340001062007024020022106200378FBF00205C
66401+:101350000A001CB58FB3001C3C0208008C4231A06F
66402+:101360002403FF800222102100431024AF420024F6
66403+:101370003C0208008C4231A0022210213042007F42
66404+:10138000034218213C02000A00621821166000BCCA
66405+:10139000AF830014906200623042000F344200308C
66406+:1013A000A06200620A001CB48FBF00203C046000F1
66407+:1013B0008C832C083C02F0033442FFFF00621824A7
66408+:1013C000AC832C083C0208008C4231A08C832C0892
66409+:1013D000244200740002108200021480006218256A
66410+:1013E000AC832C080A001CB48FBF00203C0208000C
66411+:1013F0008C4231A02403FF800222102100431024DC
66412+:10140000AF4200243C0208008C4231A03C03000A99
66413+:10141000022210213042007F03421021004310219C
66414+:101420000A001CB3AF8200143C0208008C4231A0B9
66415+:101430002405FF800222102100451024AF42002421
66416+:101440003C0208008C4231A0022210213042007F71
66417+:10145000034218213C02000A0062182190620063D6
66418+:1014600000A21024304200FF10400085AF8300141A
66419+:1014700024620088944300123C0208008C4231A888
66420+:1014800030633FFF00031980022210210043102126
66421+:101490003043007F03432021004510243C03000C0F
66422+:1014A00000832021AF4200289082000D00A210246A
66423+:1014B000304200FF10400072AF8400249082000D83
66424+:1014C000304200101440006F8FBF00200E0015C87E
66425+:1014D000000000008F4201B80440FFFE0000000041
66426+:1014E000AE1100008F420144AE020004240200024B
66427+:1014F000A6120008A202000BAE1300240A001CB4BE
66428+:101500008FBF00202406FF8002261024AF42002057
66429+:101510003C0208008C4231A031043FFF00042180CE
66430+:101520000222102100461024AF4200243C03080090
66431+:101530008C6331A83C0208008C4231A03227007F26
66432+:101540000223182102221021006418213042007F5A
66433+:101550003064007F034228213C02000A0066182400
66434+:1015600000A22821034420213C02000C00822021FB
66435+:10157000AF4300283C020008034718210062902175
66436+:10158000AF850014AF8400240E0015C8010080212F
66437+:101590008F4201B80440FFFE8F8200248F84001424
66438+:1015A000274501809042000DACB10000A4B00006B8
66439+:1015B000000216000002160300021027000237C2C4
66440+:1015C00014C00016248200889442001232033FFFA8
66441+:1015D00030423FFF14430012240260829083006374
66442+:1015E0002402FF8000431024304200FF5040000CD2
66443+:1015F00024026082908200623042000F3442004038
66444+:10160000A082006224026084A4A200082402000DCB
66445+:10161000A0A200050A001C9E3C0227002402608252
66446+:10162000A4A20008A0A000053C02270000061C00A0
66447+:101630000062182524020002A0A2000BACA3001037
66448+:10164000ACA00014ACA00024ACA00028ACA0002CDE
66449+:101650008E42004C8F840024ACA200189083000DB1
66450+:101660002402FF8000431024304200FF1040000598
66451+:101670008FBF00209082000D3042007FA082000DBD
66452+:101680008FBF00208FB3001C8FB200188FB10014E1
66453+:101690008FB000103C02100027BD002803E00008B6
66454+:1016A000AF4201B80800343008003430080033A8D5
66455+:1016B000080033E0080034140800343808003438D7
66456+:1016C00008003438080033180A0001240000000024
66457+:1016D000000000000000000D747061362E322E33C1
66458+:1016E00000000000060203010000000000000000EE
66459+:1016F00000000000000000000000000000000000EA
66460+:1017000000000000000000000000000000000000D9
66461+:1017100000000000000000000000000000000000C9
66462+:1017200000000000000000000000000000000000B9
66463+:1017300000000000000000000000000000000000A9
66464+:101740000000000000000000000000000000000099
66465+:101750000000000000000000000000001000000376
66466+:10176000000000000000000D0000000D3C02080019
66467+:1017700024421C003C03080024632094AC40000079
66468+:101780000043202B1480FFFD244200043C1D080070
66469+:1017900037BD2FFC03A0F0213C1008002610049058
66470+:1017A0003C1C0800279C1C000E00015C000000008F
66471+:1017B0000000000D3084FFFF308200078F85001885
66472+:1017C00010400002248300073064FFF800853021B8
66473+:1017D00030C41FFF03441821247B4000AF85001C48
66474+:1017E000AF84001803E00008AF4400843084FFFF9A
66475+:1017F000308200078F8500208F860028104000026D
66476+:10180000248300073064FFF8008520210086182B10
66477+:1018100014600002AF8500240086202303442821A1
66478+:1018200034068000AF840020AF44008000A6202151
66479+:1018300003E00008AF84003827BDFFD8AFB3001C19
66480+:10184000AFB20018AFB00010AFBF0024AFB400209B
66481+:10185000AFB100143C0860088D1450002418FF7FBD
66482+:101860003C1A8000029898243672380CAD12500051
66483+:101870008F5100083C07601C3C08600036300001B6
66484+:10188000AF500008AF800018AF400080AF40008428
66485+:101890008CE600088D0F08083C0760168CEC0000F1
66486+:1018A00031EEFFF039CA00103C0DFFFF340B800011
66487+:1018B0003C030080034B48212D440001018D282466
66488+:1018C0003C0253533C010800AC230420AF8900388C
66489+:1018D000AF860028AF840010275B400014A20003ED
66490+:1018E00034E37C008CF90004032818218C7F007CF1
66491+:1018F0008C6500783C0280003C0B08008D6B048CEA
66492+:101900003C0A08008D4A048834520070AF85003CC0
66493+:10191000AF9F00403C13080026731C440240A021E6
66494+:101920008E4800008F46000038C30001306400017B
66495+:1019300010800017AF880034028048218D2F0000EE
66496+:101940003C0508008CA5045C3C1808008F1804585E
66497+:1019500001E8102300A280210000C8210202402BD0
66498+:1019600003198821022838213C010800AC30045CAE
66499+:101970003C010800AC2704588F4E000039CD00010F
66500+:1019800031AC00011580FFED01E04021AF8F003444
66501+:101990008E5100003C0708008CE7045C3C0D0800F9
66502+:1019A0008DAD04580228802300F0602100007021D2
66503+:1019B0000190302B01AE1821006620213C01080067
66504+:1019C000AC2C045C3C010800AC2404588F46010890
66505+:1019D0008F47010030C92000AF860000AF87000CA0
66506+:1019E0001120000A00C040213C1808008F18042C68
66507+:1019F000270800013C010800AC28042C3C184000DA
66508+:101A0000AF5801380A000196000000009749010410
66509+:101A100000002821014550213122FFFF0162582199
66510+:101A20000162F82B015F502130D902003C0108000F
66511+:101A3000AC2B048C3C010800AC2A0488172000154C
66512+:101A400024040F0010E400130000000024080D001F
66513+:101A500010E8023B30CD000611A0FFE93C18400021
66514+:101A6000936E00002409001031C400F01089027147
66515+:101A700024020070108202E58F880014250F0001F7
66516+:101A8000AF8F00143C184000AF5801380A0001968F
66517+:101A900000000000974C01041180FFD93C18400061
66518+:101AA00030C34000146000A1000000008F460178A0
66519+:101AB00004C0FFFE8F87003824100800240F0008A0
66520+:101AC0008CE30008AF500178A74F0140A7400142C6
66521+:101AD000974E01048F86000031C9FFFF30CD000111
66522+:101AE00011A002E1012040212531FFFE241800024F
66523+:101AF000A75801463228FFFFA75101483C190800AA
66524+:101B00008F39043C172002D08F8C000C30DF00206E
66525+:101B100017E00002240400092404000130C20C0074
66526+:101B2000240504005045000134840004A744014A00
66527+:101B30003C1108008E3104203C1800483C10000184
66528+:101B40000238182530CF00020070282511E000046B
66529+:101B5000000018213C19010000B9282524030001C8
66530+:101B600030DF000453E00005AF8300083C0600109E
66531+:101B700000A6282524030001AF830008AF4510000C
66532+:101B80000000000000000000000000000000000055
66533+:101B90008F83000810600023000000008F451000B4
66534+:101BA00004A1FFFE000000001060001E0000000005
66535+:101BB0008F4410003C0C0020008C102410400019B1
66536+:101BC0008F8E000031CD000211A000160000000031
66537+:101BD000974F101415E000130000000097591008EB
66538+:101BE0003338FFFF271100060011188200033080F0
66539+:101BF00000C7282132300001322300031200032CD9
66540+:101C00008CA200000000000D00C7F821AFE2000028
66541+:101C10003C0508008CA5043024A600013C01080006
66542+:101C2000AC2604308F6D00003402FFFFAF8D00043E
66543+:101C30008CEC0000118202A6000020218CED000037
66544+:101C400031AC01001180028A000000003C02080053
66545+:101C50008C4204743C0308008C63044C3C1F080055
66546+:101C60008FFF04703C1808008F1804480048382182
66547+:101C70000068802100E8282B03E430210208402B73
66548+:101C80000304882100C57021022878213C01080046
66549+:101C9000AC30044C3C010800AC2F04483C01080067
66550+:101CA000AC2704743C010800AC2E04708F8400182B
66551+:101CB0000120302131290007249F000833F91FFF3C
66552+:101CC00003594021AF84001CAF990018251B400028
66553+:101CD000AF590084112000038F83002024C2000725
66554+:101CE0003046FFF88F84002800C3282100A4302B41
66555+:101CF00014C00002AF83002400A428230345602100
66556+:101D0000340D8000018D10213C0F1000AF850020A4
66557+:101D1000AF820038AF450080AF4F01788F88001444
66558+:101D2000250F00010A0001EFAF8F00148F62000839
66559+:101D30008F670000240500300007760231C300F0F1
66560+:101D4000106500A7240F0040546FFF4C8F880014CB
66561+:101D50008F4B01780560FFFE0000000030CA0200D2
66562+:101D600015400003000612820000000D00061282DA
66563+:101D7000304D0003000D4900012D18210003808023
66564+:101D8000020D402100086080019380218E1F000019
66565+:101D900017E00002000000000000000D8F6E00043C
66566+:101DA00005C202BD92070006920E000592020004D1
66567+:101DB0003C090001000E18800070F8218FED00181A
66568+:101DC000277100082448000501A96021000830821D
66569+:101DD000AFEC0018022020210E00059E26050014FD
66570+:101DE000920A00068F7900043C0B7FFF000A2080D6
66571+:101DF000009178218DF800043566FFFF0326282422
66572+:101E000003053821ADE70004920E0005920D000491
66573+:101E1000960C0008000E10800051C8218F2300008E
66574+:101E2000974901043C07FFFF006758243128FFFF52
66575+:101E3000010DF82103EC50233144FFFF01643025EC
66576+:101E4000AF260000920300072418000110780275E5
66577+:101E5000240F0003106F0285000000008E050010A3
66578+:101E60002419000AA7590140A7450142921800040D
66579+:101E70008F860000240F0001A7580144A7400146A7
66580+:101E80009747010430D100023C050041A7470148B3
66581+:101E900000001821A74F014A1220000330CB000494
66582+:101EA0003C0501412403000151600005AF83000897
66583+:101EB0003C06001000A6282524030001AF8300087B
66584+:101EC000AF4510000000000000000000000000000E
66585+:101ED000000000008F8A000811400004000000008C
66586+:101EE0008F4410000481FFFE000000008F6B000093
66587+:101EF000920800043C1108008E310444AF8B0004AA
66588+:101F000097590104311800FF3C0E08008DCE0440A3
66589+:101F10003325FFFF0305382102276021000010212F
66590+:101F2000250F000A31E8FFFF0187482B01C2682115
66591+:101F300001A9F821311000073C010800AC2C044431
66592+:101F40003C010800AC3F0440120000038F8C0018D5
66593+:101F50002506000730C8FFF8010C682131BF1FFFBC
66594+:101F6000AF8C001CAF9F0018AF5F00849744010442
66595+:101F7000035F80213084FFFF308A00071140000397
66596+:101F8000261B4000248900073124FFF88F8200209F
66597+:101F90008F850028008220210085702B15C000024B
66598+:101FA000AF820024008520233C0B08008D6B048C3D
66599+:101FB0003C0A08008D4A04880344882134038000C9
66600+:101FC000022310213C0F1000AF840020AF820038A4
66601+:101FD000AF440080AF4F01780A0002968F8800144A
66602+:101FE0008F5001780600FFFE30D10200162000035A
66603+:101FF000000612820000000D00061282305F00030E
66604+:10200000001F1900007F302100062080009FC8219A
66605+:1020100000194880013380218E180000130000024F
66606+:10202000000000000000000D8F6C000C058001FB1B
66607+:102030008F870038240E0001AE0E00008CE30008EC
66608+:10204000A20000078F65000400055402314D00FF17
66609+:1020500025A80005000830822CCB00411560000245
66610+:10206000A20A00040000000D8F7800043C03FFFF6B
66611+:1020700000E02821330BFFFF256C000B000C1082C1
66612+:1020800000022080008748218D3F000026040014B4
66613+:10209000A618000803E3C8240E00059EAD39000011
66614+:1020A0008F4F01083C11100001F1382410E001AB02
66615+:1020B00000000000974D01049208000725AAFFECDC
66616+:1020C000350600023144FFFFA2060007960600080D
66617+:1020D0002CC7001354E0000592030007921100077B
66618+:1020E000362F0001A20F00079203000724180001F9
66619+:1020F000107801C224090003106901D58F880038C7
66620+:1021000030CBFFFF257100020011788331E400FF1E
66621+:1021100000042880A20F000500A848218D2D000092
66622+:10212000974A01043C0EFFFF01AEF8243143FFFF44
66623+:10213000006B1023244CFFFE03ECC825AD390000D2
66624+:10214000920600053C03FFF63462FFFF30D800FF23
66625+:102150000018388000F08821922F00143C04FF7F83
66626+:102160003487FFFF31EE000F01C65821316500FFB3
66627+:1021700000055080015068218DAC00200148F821F5
66628+:10218000A20B00060182C824AE0C000CAFF9000CB3
66629+:10219000920900068E11000C032778240009C080E4
66630+:1021A0000310702195C60026030828210227202449
66631+:1021B000AE04000CADCF0020ADC60024ACA60010CC
66632+:1021C0008F8800003C0B08008D6B048C3C0A0800D3
66633+:1021D0008D4A0488241F001024190002A75F0140C3
66634+:1021E000A7400142A7400144A7590146974901046D
66635+:1021F00024070001310600022538FFFEA7580148D8
66636+:102200003C050009A747014A10C00003000018213F
66637+:102210003C05010924030001310C00045180000534
66638+:10222000AF8300083C08001000A828252403000103
66639+:10223000AF830008AF451000000000000000000060
66640+:1022400000000000000000009205000424AE00021F
66641+:1022500031CD0007000D182330620007AE020010D8
66642+:102260008F90000812000004000000008F4F100043
66643+:1022700005E1FFFE000000008F7100008F8E001846
66644+:102280003C0308008C630444AF91000497450104AB
66645+:1022900025CF001031E61FFF30A2FFFFAF8E001CDC
66646+:1022A000AF860018AF4600842449FFFE3C0C0800AE
66647+:1022B0008D8C0440974D010401208021000947C303
66648+:1022C0000070C02131A9FFFF0310F82B0188C8213D
66649+:1022D000033F202103463821313100073C0108002B
66650+:1022E000AC3804443C010800AC2404401220000334
66651+:1022F00024FB40002527000730E9FFF88F860020E7
66652+:102300008F8400280126382100E4C02B170000022A
66653+:10231000AF86002400E438230347202134198000CD
66654+:10232000009910213C0F1000AF870020AF820038C9
66655+:10233000AF470080AF4F01780A0002968F880014E3
66656+:102340009747010410E0FDAE3C1840008F5801781B
66657+:102350000700FFFE30C5400010A000033C1F00082E
66658+:102360000000000D3C1F0008AF5F01402410080072
66659+:102370008F860000AF5001789744010430D90001E6
66660+:10238000132000ED3086FFFF24CCFFFE240D000259
66661+:10239000A74D0146A74C01488F9100182408000D55
66662+:1023A000A748014A8F630000262F000831E21FFF73
66663+:1023B0000342702130C90007AF830004AF91001CB5
66664+:1023C000AF82001800C03821AF4200841120000302
66665+:1023D00025DB400024D800073307FFF88F85002055
66666+:1023E0008F84002800E5302100C4382B14E000025F
66667+:1023F000AF85002400C430238F8400140346F821E5
66668+:10240000340C8000AF86002003EC8021AF460080B2
66669+:10241000249900013C0610003C184000AF460178AA
66670+:10242000AF900038AF990014AF5801380A000196F8
66671+:10243000000000008F630000975101043067FFFF28
66672+:102440003228FFFF8F4F017805E0FFFE30EC0007D8
66673+:10245000000CF82333F0000724F9FFFE2404000ADF
66674+:10246000A7440140A7500142A7590144A740014693
66675+:10247000A74801488F45010830B800201700000226
66676+:10248000240300092403000130CD0002A743014AC0
66677+:102490003C04004111A00003000018213C0401414C
66678+:1024A0002403000130C9000451200005AF83000857
66679+:1024B0003C0600100086202524030001AF8300089D
66680+:1024C000AF44100000000000000000000000000009
66681+:1024D000000000008F8E000811C000040000000002
66682+:1024E0008F4210000441FFFE000000008F7F0000BB
66683+:1024F000276400088F91003CAF9F0004948500087A
66684+:102500009490000A9499000C30AFFFFF0010C400B3
66685+:102510003323FFFF11F100A6030320253C0E080022
66686+:102520008DCE04443C0C08008D8C044000E88821CA
66687+:102530002626FFFE01C628210000682100A6F82BF0
66688+:10254000018D2021009F80213C010800AC2504441E
66689+:102550003C010800AC30044024E200083042FFFF98
66690+:102560003047000710E000038F830018244F000756
66691+:1025700031E2FFF83106FFFF30C800070043802139
66692+:1025800032191FFF0359C021AF83001CAF990018F7
66693+:10259000271B4000AF590084110000038F8C0020DE
66694+:1025A00024C5000730A6FFF88F84002800CC28211E
66695+:1025B00000A4F82B17E00002AF8C002400A428230D
66696+:1025C000AF850020AF4500803C0408008C840434B3
66697+:1025D00003454821340E8000012E6821108000053B
66698+:1025E000AF8D0038939100172406000E12260011BB
66699+:1025F0002407043F3C021000AF4201788F8800148A
66700+:10260000250F00010A0001EFAF8F00140E0005C472
66701+:1026100000E020218F8800143C0B08008D6B048C97
66702+:102620003C0A08008D4A0488250F00010A0001EFCA
66703+:10263000AF8F00143C021000A7470148AF42017859
66704+:102640000A0004CE8F88001424040F001184003D7A
66705+:1026500030CE002015C0000224030009240300012D
66706+:102660000A00021AA743014A0A00020DA7400146C8
66707+:1026700094EF000894F1000A94F0000C8F8C003C59
66708+:10268000001174003207FFFF31EDFFFF11AC00377E
66709+:1026900001C720253C1808008F1804443C0F08008F
66710+:1026A0008DEF0440000080210308682101A8382B29
66711+:1026B00001F0702101C760213C010800AC2D0444E9
66712+:1026C0003C010800AC2C04400A00027A8F840018F8
66713+:1026D0003C0208008C42047C3C0308008C630454D8
66714+:1026E0003C1F08008FFF04783C1808008F18045026
66715+:1026F000004838210068802100E8282B03E43021BD
66716+:102700000208402B0304882100C57021022878218B
66717+:102710003C010800AC3004543C010800AC2F0450CC
66718+:102720003C010800AC27047C3C010800AC2E047876
66719+:102730000A00027A8F840018A74001460A00043577
66720+:102740008F91001830CD002015A0FFC52403000D87
66721+:10275000240300050A00021AA743014A974E010408
66722+:1027600025C5FFF00A00038130A4FFFF8F980040C9
66723+:102770001498FFC8000010213C0508008CA5046CCB
66724+:102780003C1F08008FFF046800A8C8210328302BD5
66725+:1027900003E22021008640213C010800AC39046C92
66726+:1027A0003C010800AC2804680A00027A8F840018F3
66727+:1027B0008F8C0040148CFF5900E8C8213C18080099
66728+:1027C0008F18046C3C1108008E3104682723FFFE2B
66729+:1027D00003034821000010210123302B0222702125
66730+:1027E00001C668213C010800AC29046C3C010800CA
66731+:1027F000AC2D04680A0004A524E200088F88003884
66732+:102800003C03FFFF8D02000C0043F82403E4C825BD
66733+:10281000AD19000C0A00038F30CBFFFF0A0003C381
66734+:10282000AE000000974A0104920400048E26000CBA
66735+:10283000014458212579FFF200C7C0243325FFFF4A
66736+:1028400003053825AE27000C0A0002E68E050010AD
66737+:102850003C0DFFFF8D0A0010014D582401646025D6
66738+:10286000AD0C00100A00038F30CBFFFF974301042B
66739+:10287000920E00048E290010006E1021244DFFEEF0
66740+:102880000127602431A8FFFF0188F825AE3F001022
66741+:102890000A0002E68E0500108E0F000CAE0000004C
66742+:1028A00000078880023028210A0002B8ACAF00205F
66743+:1028B0001460000D3058FFFF3C04FFFF0044682403
66744+:1028C00001A47026000E602B000D102B004CF82484
66745+:1028D00013E00002000000000000000D8CAF0000BB
66746+:1028E0000A00025001E410253B03FFFF0003882B80
66747+:1028F0000018802B0211202410800002000000002C
66748+:102900000000000D8CB900000A0002503722FFFFC2
66749+:102910003084FFFF30A5FFFF108000070000182162
66750+:10292000308200011040000200042042006518219E
66751+:102930001480FFFB0005284003E000080060102120
66752+:1029400010C00007000000008CA2000024C6FFFF9A
66753+:1029500024A50004AC82000014C0FFFB2484000402
66754+:1029600003E000080000000010A0000824A3FFFFFF
66755+:10297000AC86000000000000000000002402FFFF01
66756+:102980002463FFFF1462FFFA2484000403E00008BC
66757+:1029900000000000308EFFFF30D8FFFF00057C00F4
66758+:1029A00001F8602539CDFFFF01AC5021014C582BB7
66759+:1029B000014B4821000944023127FFFF00E8302184
66760+:1029C0000006240230C5FFFF00A418213862FFFF73
66761+:1029D00003E000083042FFFF3C0C08008D8C0484AB
66762+:1029E000240BFF8027BDFFD001845021014B4824D8
66763+:1029F000AF4900203C0808008D080484AFB20020D5
66764+:102A0000AFB00018AFBF0028AFB30024AFB1001CB7
66765+:102A1000936600040104382130E4007F009A1021FD
66766+:102A20003C0300080043902130C500200360802152
66767+:102A30003C080111277B000814A000022646007004
66768+:102A40002646006C9213000497510104920F000473
66769+:102A50003267000F322EFFFF31ED004001C72823FF
66770+:102A600011A0000500004821925900BC3338000431
66771+:102A70001700009000000000924300BC307F00046B
66772+:102A800013E0000F0000000010A0000D0000000087
66773+:102A9000960E0002240AFF8000A7602125CDFFFECC
66774+:102AA000A74D1016920B0004014B2024308200FF2A
66775+:102AB00010400085010C40253C0F0400010F40250B
66776+:102AC0008F5301780660FFFE2404000AA7440140EA
66777+:102AD000960D00022404000931AC0007000C5823B5
66778+:102AE000316A0007A74A0142960200022443FFFE12
66779+:102AF000A7430144A7400146975F0104A75F01482F
66780+:102B00008F590108333800205300000124040001CC
66781+:102B1000920F000431EE001015C000023483001043
66782+:102B200000801821A743014A0000000000000000B7
66783+:102B30000000000000000000AF481000000000008E
66784+:102B40000000000000000000000000008F51100095
66785+:102B50000621FFFE3113FFFF12600003000000009A
66786+:102B60008F481018ACC8000096030006307FFFFFA6
66787+:102B700027F900020019988200138880023B302157
66788+:102B80008CD800001520005700183402920300046E
66789+:102B90002405FF8000A3F82433F100FF1220002C4D
66790+:102BA00000000000924700BC30F2000212400028F2
66791+:102BB00000000000974B100C2562FFFEA742101684
66792+:102BC000000000003C0A040035490030AF49100005
66793+:102BD00000000000000000000000000000000000F5
66794+:102BE0008F4C10000581FFFE000000009749100C7B
66795+:102BF0008F51101C00C020213127FFFF24F200302C
66796+:102C0000001218820003288000BBF8213226FFFF43
66797+:102C1000AFF100000E0005B300112C020013C880B4
66798+:102C2000033B98218E78000000027400AFB80010BA
66799+:102C30008FA80010310FFFFFAFAF00108FA400105E
66800+:102C400001C46825AFAD00108FA60010AE6600006D
66801+:102C500097730008976D000A9766000C8F8A003CF6
66802+:102C6000000D5C0030CCFFFF3262FFFF104A0036DF
66803+:102C7000016C2025960600023C10100024D30008A9
66804+:102C80000E00013B3264FFFF974C01040E00014926
66805+:102C90003184FFFFAF5001788FBF00288FB300242D
66806+:102CA0008FB200208FB1001C8FB0001803E0000825
66807+:102CB00027BD003010A0FF700000000024A5FFFC1D
66808+:102CC0000A0005EC240900048CD10000AF51101853
66809+:102CD0008F5301780660FF7A2404000A0A00060177
66810+:102CE0000000000000A7C8218F8800388F4E101CFC
66811+:102CF0000019C0820018788001E82021AC8E000005
66812+:102D0000000E2C0200C020210E0005B331C6FFFFCB
66813+:102D1000023B28218CAD000000025400004030210D
66814+:102D2000AFAD00108FAC0010318BFFFFAFAB0010C8
66815+:102D30008FA2001001424825AFA900108FA70010F4
66816+:102D40000A000631ACA700008F8F0040148FFFC926
66817+:102D50000000000097420104960B00023C050800A9
66818+:102D60008CA5046C3049FFFF316AFFFF3C1108005D
66819+:102D70008E310468012A382124F2FFFE00B240217E
66820+:102D80000012FFC30112C82B023FC02103192021EA
66821+:102D90003C010800AC28046C3C010800AC24046829
66822+:102DA0000A00066B0000000000A4102B1040000970
66823+:102DB000240300010005284000A4102B04A00003F8
66824+:102DC000000318405440FFFC000528401060000735
66825+:102DD000000000000085302B14C0000200031842E0
66826+:102DE000008520231460FFFB0005284203E0000853
66827+:102DF000008010218F85002C27BDFFE800053027BB
66828+:102E00002CC300012CA400020083102510400003F5
66829+:102E1000AFBF00102405007FAF85002C00052827D8
66830+:102E200030A5FFFF0E000592240426F58F830030A5
66831+:102E3000240402BD004030210083382B10E000093B
66832+:102E400024050001000420400083102B04800003AF
66833+:102E5000000528405440FFFC0004204010A000085A
66834+:102E600000C350210064402B1500000200052842D9
66835+:102E70000064182314A0FFFB0004204200C350216B
66836+:102E80008FBF0010000A4C02312200FF27BD00183E
66837+:102E9000AF8A002C03E00008AF8900300A00002A46
66838+:102EA00000000000000000000000000D7478703683
66839+:102EB0002E322E3300000000060203000000000046
66840+:102EC000000001360000EA60000000000000000081
66841+:102ED00000000000000000000000000000000000F2
66842+:102EE00000000000000000000000000000000000E2
66843+:102EF00000000000000000000000000000000016BC
66844+:102F000000000000000000000000000000000000C1
66845+:102F100000000000000000000000000000000000B1
66846+:102F200000000000000000000000000000000000A1
66847+:102F3000000000000000138800000000000005DC15
66848+:102F4000000000000000000010000003000000006E
66849+:102F50000000000D0000000D3C02080024423C204F
66850+:102F60003C03080024633DD4AC4000000043202B08
66851+:102F70001480FFFD244200043C1D080037BD7FFC87
66852+:102F800003A0F0213C100800261000A83C1C0800FB
66853+:102F9000279C3C200E0002BA000000000000000D3B
66854+:102FA0008F8300383C088000350700708CE50000F6
66855+:102FB000008330253C02900000C22025AF85003000
66856+:102FC000AF4400208F4900200520FFFE3C03800015
66857+:102FD000346200708C4500008F8600303C19080078
66858+:102FE0008F39007C3C0E08008DCE007800A620238F
66859+:102FF00003245821000078210164682B01CF60214F
66860+:10300000018D50213C010800AC2B007C3C010800E4
66861+:10301000AC2A007803E00008000000000A0000412C
66862+:10302000240400018F8400383C05800034A2000194
66863+:103030000082182503E00008AF43002003E00008E9
66864+:10304000000010213084FFFF30A5FFFF1080000733
66865+:1030500000001821308200011040000200042042CC
66866+:10306000006518211480FFFB0005284003E00008DC
66867+:103070000060102110C00007000000008CA20000BA
66868+:1030800024C6FFFF24A50004AC82000014C0FFFB8F
66869+:103090002484000403E000080000000010A00008E1
66870+:1030A00024A3FFFFAC860000000000000000000029
66871+:1030B0002402FFFF2463FFFF1462FFFA248400044C
66872+:1030C00003E0000800000000308AFFFF93A800130F
66873+:1030D000A74A014497490E1630C600FF3C02100073
66874+:1030E000A7490146AF450148A3460152A748015AE6
66875+:1030F000AF4701608FA400188FA30014A7440158A4
66876+:10310000AF43015403E00008AF42017803E0000838
66877+:10311000000000003C038000346200708C49000015
66878+:103120008F8800002484000727BDFFF83084FFF853
66879+:10313000AF890030974D008A31ACFFFFAFAC000083
66880+:103140008FAB0000016850232547FFFF30E61FFFCB
66881+:1031500000C4282B14A0FFF73C0C8000358B0070B6
66882+:103160008D6A00003C0708008CE700843C060800DC
66883+:103170008CC6008000081082014918230002788064
66884+:1031800000E370210000202101C3C82B00C4C0212E
66885+:1031900001FA4021031948212502400027BD0008FB
66886+:1031A0003C010800AC2E00843C010800AC290080E2
66887+:1031B00003E00008000000008F8200002486000762
66888+:1031C00030C5FFF800A2182130641FFF03E000089B
66889+:1031D000AF8400008F8700388F8A004027BDFFB87A
66890+:1031E0008F860044AFB60040AFBF0044AFB5003C8F
66891+:1031F000AFB40038AFB30034AFB20030AFB1002C81
66892+:10320000AFB000288F4501048D4900ACAF47008066
66893+:103210008CC8002000A938230000B021AF480E1050
66894+:103220008F440E1000004821AF440E148CC20024BD
66895+:10323000AF420E188F430E18AF430E1C10E001254D
66896+:103240002D230001936B0008116000D400000000E2
66897+:10325000976E001031CDFFFF00ED602B158000CF81
66898+:103260000000000097700010320FFFFFAF4F0E00FC
66899+:103270008F520000325100081220FFFD00000000B4
66900+:1032800097540E088F460E043285FFFF30B30001BD
66901+:1032900012600132000000000000000D30B8A040B4
66902+:1032A00024150040131500C030A9A0001120012DE5
66903+:1032B00000000000937F000813E0000800000000F9
66904+:1032C00097630010306BFFFF00CB402B1100000311
66905+:1032D00030AC00401180012300000000A785003CB5
66906+:1032E000AF8600349366000800E02821AFA70020D5
66907+:1032F00014C0012427B30020AF60000C9782003C6B
66908+:103300003047400014E00002240300162403000E9E
66909+:1033100024194007A363000AAF790014938A003E82
66910+:103320008F740014315800070018AA4002959025A8
66911+:10333000AF7200149784003C8F700014309100101D
66912+:1033400002117825AF6F0014978E003C31CD000834
66913+:1033500011A00147000028218F6700143C021000D3
66914+:103360003C0C810000E22825AF65001497460E0A48
66915+:103370002408000E3405FFFC30C3FFFF006C582505
66916+:10338000AF6B0004A3680002937F000A27E90004E2
66917+:10339000A369000A9786003C9363000A30CC1F00A3
66918+:1033A000000C598301634021251F0028A37F0009D9
66919+:1033B00097490E0CA769001093790009272A00028B
66920+:1033C000315800070018A82332B10007A371000B81
66921+:1033D00093740009976400108F910034978F003C1C
66922+:1033E000329200FF024480210205702131ED00403D
66923+:1033F00011A0000531C4FFFF0091282B3C12800072
66924+:1034000010A000140000A0210224382B14E0011B9E
66925+:103410008FA500208F4D0E14AF4D0E108F420E1C45
66926+:10342000AF420E18AF440E008F4F000031EE00087F
66927+:1034300011C0FFFD0000000097540E080080882195
66928+:1034400000009021A794003C8F500E04241400012A
66929+:10345000AF900034976400103095FFFF8E68000035
66930+:103460000111F82317E00009AE7F00008F650014FA
66931+:103470008F8B004434A60040AF6600148F4C0E10B2
66932+:10348000AD6C00208F430E18AD63002493670008D5
66933+:1034900014E000D2000000000E00009E2404001082
66934+:1034A0008F8900483C08320000402821312600FF67
66935+:1034B0000006FC0003E8502525390001AF990048BB
66936+:1034C000AC4A0000937800099370000A330400FFAF
66937+:1034D00000047400320F00FF01CF6825AC4D0004DA
66938+:1034E0008F820048064000EAACA20008ACA0000CA5
66939+:1034F0009783003C306B0008156000022628000608
66940+:1035000026280002974E0E148F450E1C8F6700046C
66941+:10351000936D000231C4FFFF31A200FFAFA2001083
66942+:103520008F6C0014AFA800180E00008BAFAC001415
66943+:10353000240400100E0000C7000000008E7200007E
66944+:1035400016400005000000008F6400142405FFBF32
66945+:1035500000859824AF7300148F79000C033538214F
66946+:10356000AF67000C9375000816A00008000000006B
66947+:1035700012800006000000008F7F00143C0BEFFF5C
66948+:103580003568FFFE03E84824AF690014A3740008FF
66949+:103590008FA500200A00024602202021AF470E001E
66950+:1035A0000A0000F5000000008F5901780720FFFE97
66951+:1035B000241F08008F840000AF5F0178974B008ABA
66952+:1035C000316AFFFF014448232528FFFF31021FFF16
66953+:1035D0002C4300081460FFF9000000008F8E0048A3
66954+:1035E0008F8D003800C048210344202125C60001EA
66955+:1035F000240C0F00AF86004800E9382324864000E1
66956+:1036000031CA00FF11AC0005240800019391003E6F
66957+:103610003230000700107A4035E80001000AAC00A3
66958+:103620003C18010002B8A025AC9440008F930048DC
66959+:1036300030B2003630A40008ACD3000410800097EC
66960+:1036400001123025974E0E0A8F8D00003C0281003A
66961+:1036500031CCFFFF25AB0008018240253C03100060
66962+:1036600031651FFF25390006241F000EAF48016099
66963+:1036700000C33025A75F015AAF850000A759015844
66964+:1036800014E0000A8F93003824120F0052720002D7
66965+:103690002416000134C600408F580E108F94004449
66966+:1036A000AE9800208F550E18AE9500248F450E144D
66967+:1036B000AF4501448F590E1CAF590148A34A01522E
66968+:1036C0003C0A1000AF460154AF4A017814E0FEDD19
66969+:1036D0002D2300010076A025128000178FBF004423
66970+:1036E0008F84003824160F0010960084000000001C
66971+:1036F0008F45017804A0FFFE24150F001095006E81
66972+:10370000000000008F470E14240202403C1F1000EE
66973+:10371000AF4701448F440E1CAF440148A3400152FF
66974+:10372000A740015AAF400160A7400158AF42015481
66975+:10373000AF5F01788FBF00448FB600408FB5003C6B
66976+:103740008FB400388FB300348FB200308FB1002CAB
66977+:103750008FB0002803E0000827BD004814C0FED049
66978+:1037600030B8A0408F420E148F84004400004821DE
66979+:10377000AC8200208F510E1CAC9100240A00020E76
66980+:103780002D2300018F910034978A003C3C12800069
66981+:103790000220A821315800401700FF300000A0216E
66982+:1037A000976900108F9200343139FFFF13320035D2
66983+:1037B00000002021008048211480FEA000A03821B4
66984+:1037C0008F420E148F840044AC8200208F510E1C57
66985+:1037D000AC9100240A00020E2D230001936A000917
66986+:1037E0009378000B315000FF330F00FF020F702160
66987+:1037F00025C2000A3050FFFF0E00009E020020216B
66988+:103800008F8600483C1F410024CD0001AF8D004849
66989+:10381000936C000930C600FF00064400318300FFAE
66990+:10382000246B0002010B4825013FC825AC5900005C
66991+:103830008F67000C97440E1400F22825AC45000455
66992+:103840008F450E1C8F670004936A00023084FFFFCF
66993+:10385000315800FFAFB800108F6F0014AFB10018DF
66994+:103860000E00008BAFAF00140A0001A60200202159
66995+:10387000AF6000040A00013EA36000020A00024695
66996+:1038800000002021000090210A0001702414000192
66997+:103890003C1280000A000195ACB2000C8F91000030
66998+:1038A00025240002A744015826300008320F1FFFCC
66999+:1038B0000A0001F9AF8F0000AF40014C1120002C2D
67000+:1038C000000000008F590E10AF5901448F430E18AD
67001+:1038D000240200403C1F1000AF430148A3400152A6
67002+:1038E000A740015AAF400160A7400158AF420154C0
67003+:1038F000AF5F01780A0002278FBF00441120000645
67004+:103900000000000097460E0830CC004015800002F1
67005+:10391000000000000000000D8F4D017805A0FFFEA3
67006+:103920000000000097530E103C120500240E2000EA
67007+:10393000326AFFFF0152C025AF58014C8F4F0E1461
67008+:103940003C021000AF4F01448F500E1CAF50014895
67009+:10395000A34001528F840038A740015AAF40016054
67010+:10396000A7400158AF4E01540A000215AF4201783A
67011+:103970008F490E14AF4901448F430E1C0A00028E7A
67012+:10398000240200403C0E20FF27BDFFE03C1A8000CF
67013+:103990003C0F800835CDFFFDAFBF001CAFB2001853
67014+:1039A000AFB10014AFB00010AF8F0040AF4D0E00AC
67015+:1039B0000000000000000000000000000000000007
67016+:1039C000000000003C0C00FF358BFFFDAF4B0E00EC
67017+:1039D0003C0660048CC95000240AFF7F3C11600043
67018+:1039E000012A40243507380CACC750008E24043817
67019+:1039F00024050009AF4500083083FFFF38622F71AE
67020+:103A00002450C0B3AF8000480E000068AF800000B3
67021+:103A100052000001AE20442C0E0004353C11800001
67022+:103A20000E000ED9363000708F8A00403C1208001C
67023+:103A300026523C88020088218E0800008F5F00001B
67024+:103A40003BF900013338000113000017AF88003044
67025+:103A5000022048218D2700003C0F08008DEF006CEC
67026+:103A60003C0C08008D8C006800E8C02301F8282178
67027+:103A70000000682100B8302B018D582101664021DB
67028+:103A80003C010800AC25006C3C010800AC28006833
67029+:103A90008F44000038830001306200011440FFEDC4
67030+:103AA00000E04021AF8700308E0C00003C0508008C
67031+:103AB0008CA5006C3C0408008C84006801883023CD
67032+:103AC00000A638210000102100E6402B00821821BA
67033+:103AD0000068F8213C010800AC27006C3C0108009C
67034+:103AE000AC3F00688F49010025590088AF99004418
67035+:103AF000AF890038AF4900208E070000AF87003043
67036+:103B00008F4D017805A0FFFE000000008E0600002A
67037+:103B10003C0B08008D6B00743C0408008C84007022
67038+:103B200000C728230165F8210000102103E5402B80
67039+:103B30000082382100E8C821240908003C0108005F
67040+:103B4000AC3F00743C010800AC390070AF4901780B
67041+:103B500093580108A398003E938F003E31EE000178
67042+:103B600015C000158F830038240E0D00106E00194B
67043+:103B7000240F0F00106F001D00000000915900007D
67044+:103B800024180050332900FF113800043C1F400066
67045+:103B9000AF5F01380A0002E7000000000E00090EC6
67046+:103BA000000000008F8A00403C1F4000AF5F0138DA
67047+:103BB0000A0002E700000000938D003E31AC0006D1
67048+:103BC000000C51000E0000CE0152D8210A00034320
67049+:103BD0008F8A00403C1B0800277B3D080E0000CE6A
67050+:103BE000000000000A0003438F8A00403C1B0800CD
67051+:103BF000277B3D280E0000CE000000000A00034392
67052+:103C00008F8A004090AA00018FAB00108CAC00108E
67053+:103C10003C0300FF8D680004AD6C00208CAD0014E7
67054+:103C200000E060213462FFFFAD6D00248CA7001816
67055+:103C30003C09FF000109C024AD6700288CAE001CC0
67056+:103C40000182C82403197825AD6F0004AD6E002CE5
67057+:103C50008CAD0008314A00FFAD6D001C94A9000234
67058+:103C60003128FFFFAD68001090A70000A56000029A
67059+:103C7000A1600004A167000090A30002306200FF71
67060+:103C80000002198210600005240500011065000E75
67061+:103C90000000000003E00008A16A00018CD80028A1
67062+:103CA000354A0080AD7800188CCF0014AD6F001439
67063+:103CB0008CCE0030AD6E00088CC4002CA16A0001CF
67064+:103CC00003E00008AD64000C8CCD001CAD6D001845
67065+:103CD0008CC90014AD6900148CC80024AD680008BC
67066+:103CE0008CC70020AD67000C8CC200148C8300646C
67067+:103CF0000043C82B13200007000000008CC20014F2
67068+:103D0000144CFFE400000000354A008003E0000886
67069+:103D1000A16A00018C8200640A000399000000007F
67070+:103D200090AA000027BDFFF88FA9001CA3AA0000DD
67071+:103D30008FAE00003C0FFF808FA8001835E2FFFF18
67072+:103D40008CCD002C01C26024AFAC0000A120000487
67073+:103D500000E06021A7A000028FB800008D270004BA
67074+:103D60000188182100A0582100C05021006D28268C
67075+:103D70003C06FF7F3C0F00FF2CAD000135EEFFFF3E
67076+:103D800034D9FFFF3C02FF0003193024000D1DC091
67077+:103D9000010EC82400E2C02400C370250319782551
67078+:103DA000AD2E0000AD2F00048D450024AFAE000005
67079+:103DB000AD2500088D4D00202405FFFFAD2D000C22
67080+:103DC000956800023107FFFFAD27001091660018CB
67081+:103DD00030C200FF000219C2506000018D4500345E
67082+:103DE000AD2500148D67000827BD0008AD27001C15
67083+:103DF0008C8B00CCAD2C0028AD20002CAD2B0024EA
67084+:103E0000AD20001803E00008AD20002027BDFFE032
67085+:103E1000AFB20018AFB10014AFB00010AFBF001CBC
67086+:103E20009098000000C088213C0D00FF330F007FF8
67087+:103E3000A0CF0000908E000135ACFFFF3C0AFF00D0
67088+:103E4000A0CE000194A6001EA22000048CAB00149A
67089+:103E50008E29000400A08021016C2824012A40241E
67090+:103E60000080902101052025A6260002AE24000432
67091+:103E700026050020262400080E00007624060002F5
67092+:103E800092470000260500282624001400071E0083
67093+:103E90000003160324060004044000032403FFFF6C
67094+:103EA000965900023323FFFF0E000076AE23001068
67095+:103EB000262400248FBF001C8FB200188FB100147D
67096+:103EC0008FB0001024050003000030210A0000809C
67097+:103ED00027BD002027BDFFD8AFB1001CAFB0001830
67098+:103EE000AFBF002090A80000240200018FB0003C6A
67099+:103EF0003103003F00808821106200148FAA00382F
67100+:103F0000240B0005506B0016AFAA001000A0202162
67101+:103F100000C028210E0003DC02003021922400BCE6
67102+:103F2000308300021060000326060030ACC00000A1
67103+:103F300024C600048FBF00208FB1001C8FB0001872
67104+:103F400000C0102103E0000827BD002801403821EF
67105+:103F50000E00035AAFB000100A0004200000000059
67106+:103F60000E0003A1AFB000140A00042000000000FE
67107+:103F70003C02000A034218213C04080024843D6CE2
67108+:103F80002405001A000030210A000080AF8300548D
67109+:103F90003C038000346200708C48000000A058216F
67110+:103FA00000C04821308A00FFAF8800308F4401787C
67111+:103FB0000480FFFE3C0C8000358600708CC500003C
67112+:103FC0003C0308008C6300743C1808008F180070D4
67113+:103FD00000A82023006468210000C82101A4782BD8
67114+:103FE0000319702101CF60213C010800AC2D007441
67115+:103FF0003C010800AC2C00708F480E14AF480144FF
67116+:10400000AF47014CA34A0152A74B01589346010800
67117+:1040100030C5000854A0000135291000934B090059
67118+:1040200024070050316A00FF11470007000000001C
67119+:104030008F450E1CAF450148AF4901543C091000A3
67120+:1040400003E00008AF490178934D010831A800084A
67121+:104050001100001000000000934F010831EE001025
67122+:1040600051C00001352900083C04080090843DD06F
67123+:10407000A34401508F4309A4AF4301488F4209A0D4
67124+:10408000AF420144AF4901543C09100003E000086D
67125+:10409000AF4901783C1908008F393D8C333800084E
67126+:1040A0005700FFF1352900080A00047300000000E2
67127+:1040B00024070040AF470814AF4008108F4209445E
67128+:1040C0008F4309508F4409548F45095C8F46094C32
67129+:1040D000AF820064AF830050AF84004CAF85005CBA
67130+:1040E00003E00008AF8600609346010930C5007FF9
67131+:1040F000000518C0000521400083102103E00008DE
67132+:10410000244200883C09080091293D9124A800021E
67133+:104110003C05110000093C0000E8302500C51825C9
67134+:1041200024820008AC83000003E00008AC80000497
67135+:104130009347010B8F4A002C974F09083C18000E3B
67136+:104140000358482131EEFFFF000E41C0AF48002C5C
67137+:1041500097430908952C001A008040212403000190
67138+:10416000318BFFFFAC8B00008D2D001C00A058216F
67139+:1041700000C06021AC8D00048D24002030E7004099
67140+:10418000AD04000891220019304400031083004858
67141+:104190002885000214A00062240600021086005642
67142+:1041A00024190003109900660000000010E0003A96
67143+:1041B000000000003C07080094E73D8624E200016F
67144+:1041C000934F0934934709219525002A31EE00FFCA
67145+:1041D000000E488230ED00FF978700580009360036
67146+:1041E000000D1C003044FFFF00C310250044C02513
67147+:1041F00000A778213C19400003197025000F4C00DE
67148+:10420000AD090004AD0E0000934D09203C030006EB
67149+:1042100025090014000D360000C32025AD04000858
67150+:104220008F59092C24E5000130A27FFFAD19000C45
67151+:104230008F580930A782005825020028AD180010B9
67152+:104240008F4F0938AD0F0014AD2B00048F4E09407D
67153+:10425000AD2E0008934D09373C05080090A53D9010
67154+:104260008F4409488F46094031A700FF00EC182110
67155+:10427000008678230003C7000005CC0003196025E1
67156+:1042800031E8FFFC01885825AD2B000CAD20001053
67157+:1042900003E00008AF4A002C3C0D080095AD3D86B8
67158+:1042A0003C0E080095CE3D800A0004C901AE1021E5
67159+:1042B0003C05080094A53D8A3C06080094C63D8054
67160+:1042C0003C18080097183D7C952E002400A6782104
67161+:1042D00001F86823000E240025A2FFF200821825B1
67162+:1042E00024190800AD03000CAD190014AD00001036
67163+:1042F0000A0004C4250800189526002495250028E6
67164+:104300000006C40000057C00370E810035ED080072
67165+:10431000AD0E000CAD0D00100A0004C425080014F9
67166+:104320001480FFA200000000952400240004140063
67167+:1043300034430800AD03000C0A0004C42508001033
67168+:104340003C03080094633D8A3C05080094A53D8029
67169+:104350003C06080094C63D7C953900249538002819
67170+:10436000006520210086782300196C000018740075
67171+:1043700025E2FFEE01C2202535A3810024190800A3
67172+:10438000AD03000CAD040010AD190018AD00001411
67173+:104390000A0004C42508001C03E00008240201F4FC
67174+:1043A00027BDFFE8AFB00010AFBF00140E000060E3
67175+:1043B0000080802124050040AF4508148F83005001
67176+:1043C0008F84004C8F85005C0070182100641023DE
67177+:1043D00018400004AF830050AF6300548F66005450
67178+:1043E000AF86004C1200000C000000008F440074E7
67179+:1043F000936800813409FA002D07000710E00005DA
67180+:1044000000891021936C0081240B01F4018B50046E
67181+:1044100001441021AF62000C8F4E095C01C5682376
67182+:1044200019A000048FBF00148F4F095CAF8F005C90
67183+:104430008FBF00148FB000100A00006227BD001863
67184+:104440008F8400648F8300508F82004CAF640044DF
67185+:10445000AF63005003E00008AF6200543C038000EB
67186+:10446000346200708C43000027BDFFF8308700FFE6
67187+:1044700030A900FF30C800FFAF8300308F440178BF
67188+:104480000480FFFE3C028000345900708F38000029
67189+:10449000A3A700033C0708008CE700748FAC000062
67190+:1044A0003C0608008CC60070030378233C0E7FFF97
67191+:1044B00000EFC82135CDFFFF00005021018D2824D9
67192+:1044C00000CA1821000847C0032F202B00A8102580
67193+:1044D0000064C021AFA200003C010800AC390074A8
67194+:1044E0003C010800AC380070934F010AA3A0000201
67195+:1044F0003C0E80FFA3AF00018FAC0000312B007F8A
67196+:1045000035CDFFFF018D4824000B5600012A4025C0
67197+:10451000240730002406FF803C05100027BD00085A
67198+:10452000AF48014CAF470154A7400158A346015280
67199+:1045300003E00008AF45017827BDFFE8AFBF0014D6
67200+:10454000AFB000108F6500743C068000309000FF13
67201+:1045500000A620250E000060AF6400749363000580
67202+:10456000346200080E000062A362000502002021F0
67203+:104570008FBF00148FB00010240500052406000131
67204+:104580000A00057027BD001827BDFFE03C0380002E
67205+:10459000AFB00010AFBF0018AFB1001434620070AC
67206+:1045A0008C470000309000FF30A800FFAF8700303C
67207+:1045B0008F4401780480FFFE3C18800037110070A2
67208+:1045C0008E2F00003C0D08008DAD00743C0A0800E1
67209+:1045D0008D4A007001E7702301AE282100005821A8
67210+:1045E00000AE302B014B4821012638213C01080048
67211+:1045F000AC250074000088213C010800AC27007045
67212+:104600001100000F000000008F6200742619FFFFE8
67213+:104610003208007F0002FE0233E5007F150000062D
67214+:10462000332200FF2407FF800207202624A3FFFF78
67215+:1046300000838025320200FF0040802124111008F1
67216+:104640000E000060000000008F49081831250004AA
67217+:1046500014A0FFFD3218007F001878C000187140C8
67218+:1046600001CF682125AC0088AF4C0818274A098083
67219+:104670008D4B0020AF4B01448D460024AF460148CE
67220+:10468000A35001500E000062A740015802201021E3
67221+:104690008FBF00188FB100148FB0001003E0000826
67222+:1046A00027BD002027BDFFE8308400FFAFBF00100A
67223+:1046B0000E0005BB30A500FF8F8300508FBF001098
67224+:1046C000344500402404FF903C02100027BD001830
67225+:1046D000AF43014CA3440152AF45015403E000082D
67226+:1046E000AF4201789343093E306200081040000D4C
67227+:1046F0003C0901013528080AAC8800008F47007486
67228+:10470000AC8700043C06080090C63D9030C5001000
67229+:1047100050A00006AC8000088F6A0060AC8A0008D8
67230+:104720002484000C03E00008008010210A00062207
67231+:104730002484000C27BDFFE8AFBF0014AFB0001009
67232+:104740009346093F00A050210005288000853823AA
67233+:1047500030C200FF240300063C09080095293D866D
67234+:1047600024E8FFD824050004104300372406000283
67235+:104770009750093C3C0F020400063400320EFFFF44
67236+:1047800001CF6825AC8D0000934C093E318B002091
67237+:104790001160000800000000934309363C02010349
67238+:1047A000345F0300307900FF033FC0252405000873
67239+:1047B000AC98000493430934935909210005F88209
67240+:1047C000306200FF0002C082332F00FF00186E002D
67241+:1047D000000F740001AE6025018920253C094000CE
67242+:1047E00000898025ACF0FFD8934309378F4F0948E3
67243+:1047F0008F580940306200FF004AC821033F7021F2
67244+:1048000001F86023000E6F0001A650253185FFFCE2
67245+:10481000001F58800145482501683821AD09002056
67246+:104820000E00006024F00028240400040E00006242
67247+:10483000A364003F020010218FBF00148FB000104E
67248+:1048400003E0000827BD00180A0006352406001200
67249+:1048500027BDFFD024090010AFB60028AFB5002453
67250+:10486000AFB40020AFB10014AFB000103C0108009D
67251+:10487000A0293D90AFBF002CAFB3001CAFB2001811
67252+:1048800097480908309400FF3C02000E3107FFFFF3
67253+:10489000000731C0AF46002C974409089344010B30
67254+:1048A00030B500FF03428021308300300000B0218A
67255+:1048B0001060012500008821240C00043C01080040
67256+:1048C000A02C3D90934B093E000B5600000A2E038E
67257+:1048D00004A0016000000000AF400048934F010BAE
67258+:1048E00031EE002011C00006000000009358093E80
67259+:1048F00000189E0000139603064001890000000086
67260+:104900009344010B30830040106000038F930050EC
67261+:104910008F8200502453FFFF9347093E30E6000882
67262+:1049200014C0000224120003000090219619002CEC
67263+:1049300093580934934F0937A7990058330C00FF57
67264+:1049400031EE00FF024E6821000D5880016C5021AD
67265+:10495000015140213C010800A4283D869205001821
67266+:1049600030A900FF010918213C010800A4233D885B
67267+:104970009211001816200002000000000000000D37
67268+:104980003C010800A4233D8A3C010800A4203D808E
67269+:104990003C010800A4203D7C935F010B3063FFFFC6
67270+:1049A00033F00040120000022464000A2464000B6B
67271+:1049B0003091FFFF0E00009E022020219358010B32
67272+:1049C0003C08080095083D8A0040202100185982C3
67273+:1049D000316700010E00049A01072821934C010B56
67274+:1049E0008F4B002C974E09083C0F000E034F4021BF
67275+:1049F00031CDFFFF000D51C0AF4A002C974309088D
67276+:104A00009505001A004038212404000130A9FFFF59
67277+:104A1000AC4900008D06001C00404821318A00404E
67278+:104A2000AC4600048D020020ACE20008910300199E
67279+:104A300030630003106400EC28790002172001188D
67280+:104A4000241000021070010C241F0003107F011EAF
67281+:104A500000000000114000DE000000003C090800DA
67282+:104A600095293D8625220001935F0934934E092143
67283+:104A70009504002A33F900FF0019C08231CF00FFEE
67284+:104A8000978E005800184600000F6C00010D80251D
67285+:104A90003045FFFF02051025008E50213C034000E9
67286+:104AA00000433025000A6400ACEC0004ACE60000D2
67287+:104AB000935F09203C19000624EC0014001FC60077
67288+:104AC00003197825ACEF00088F48092C25CD00018B
67289+:104AD00031A57FFFACE8000C8F500930A785005846
67290+:104AE00024E80028ACF000108F4409380100802130
67291+:104AF000ACE40014AD9300048F530940AD9300085B
67292+:104B0000934A09373C19080093393D908F4309486F
67293+:104B10008F460940314200FF0052F82100667023A1
67294+:104B2000001F7F000019C40001F8282531CDFFFCCB
67295+:104B300000AD2025AD84000CAD800010AF4B002CE3
67296+:104B4000934B093E317300081260000D3C060101D1
67297+:104B500034CC080AACEC00288F530074AD13000469
67298+:104B60003C0B0800916B3D903167001050E0000352
67299+:104B7000AD0000088F6A0060AD0A00082510000C27
67300+:104B800012C0003D000000009343093F24160006B8
67301+:104B900024060004306200FF105600C924070002FA
67302+:104BA0009758093C3C0F0204330DFFFF01AF40252D
67303+:104BB000AE0800009345093E30A400201080000894
67304+:104BC00000000000935309363C0B0103357F0300BE
67305+:104BD000327900FF033F7025AE0E00042406000862
67306+:104BE000934F093493480921312AFFFF31ED00FF2B
67307+:104BF000000D1082310300FF0002B60000032C00FC
67308+:104C000002C56025018A9825001220803C094000D9
67309+:104C10000204502302695825AD4BFFD8935F093732
67310+:104C20008F4F09488F58094033F900FF0332702134
67311+:104C30000006B08201D668210007440001F828234D
67312+:104C4000000D1F000068302530A2FFFC2547FFD86B
67313+:104C500000C260250016808002074821ACEC0020CD
67314+:104C6000253000280E00006024120004A372003FCB
67315+:104C70000E000062000000009347010B30F200407C
67316+:104C8000124000053C1900FF8E180000372EFFFF70
67317+:104C9000030E3024AE0600000E0000C702202021C3
67318+:104CA0003C10080092103D90321100031220000FBA
67319+:104CB00002A028218F89005025330001AF930050B6
67320+:104CC000AF7300508F6B00540173F8231BE0000298
67321+:104CD000026020218F640054AF6400548F4C007434
67322+:104CE000258401F4AF64000C02A028210280202159
67323+:104CF000A76000680E0005BB3C1410008F850050B3
67324+:104D000034550006AF45014C8F8A00488FBF002CF8
67325+:104D10008FB3001C25560001AF9600488FB20018D3
67326+:104D2000A34A01528FB60028AF5501548FB1001429
67327+:104D3000AF5401788FB500248FB400208FB00010DD
67328+:104D400003E0000827BD00309358093E00189E007C
67329+:104D500000139603064200362411000293440923EF
67330+:104D6000308300021060FEDD8F8600608F8200506D
67331+:104D700014C2FEDA000000000E0000600000000017
67332+:104D80009369003F24070016312800FF1107000C2B
67333+:104D9000240500083C0C0800918C3D90358B0001E7
67334+:104DA0003C010800A02B3D90936A003F314300FF77
67335+:104DB00010650065240D000A106D005E2402000CD1
67336+:104DC0000E000062000000000A00069000000000D3
67337+:104DD0003C09080095293D863C0A0800954A3D801B
67338+:104DE0000A0006F3012A10213C09080095293D8A92
67339+:104DF0003C04080094843D803C06080094C63D7C39
67340+:104E000095030024012410210046F8230003CC0060
67341+:104E100027F0FFF20330C025240F0800ACF8000C87
67342+:104E2000ACEF0014ACE000100A0006EE24E7001816
67343+:104E30003C010800A0313D90935F093E241600011B
67344+:104E400033F900201720FEA5241100080A0006905F
67345+:104E5000241100048F6E00848F4D094011A0FE9E26
67346+:104E6000AF8E0050240F00143C010800A02F3D908D
67347+:104E70000A00068F00000000950E0024950D002802
67348+:104E8000000E6400000D2C003589810034A6080056
67349+:104E9000ACE9000CACE600100A0006EE24E70014B2
67350+:104EA0001460FEEC000000009502002400021C00CB
67351+:104EB00034640800ACE4000C0A0006EE24E700109D
67352+:104EC0000A000741240700123C02080094423D8A70
67353+:104ED0003C06080094C63D803C03080094633D7C7A
67354+:104EE00095100024951900280046F82103E3C023FB
67355+:104EF00000106C0000197400270FFFEE01CF282569
67356+:104F000035AC8100ACEC000CACE5001024070800C7
67357+:104F1000AD2700182527001C0A0006EEAD2000145E
67358+:104F20008F7F004CAF7F00548F7900540A000699A0
67359+:104F3000AF790050A362003F0E0000620000000045
67360+:104F40000A00069000000000240200140A0008274E
67361+:104F5000A362003F27BDFFE8308400FFAFBF001011
67362+:104F60000E0005BB30A500FF9378007E9379007F8B
67363+:104F7000936E00809368007A332F00FF001866005C
67364+:104F8000000F6C0031CB00FF018D4825000B520053
67365+:104F90008FBF0010012A3825310600FF344470000D
67366+:104FA00000E628252402FF813C03100027BD0018DD
67367+:104FB000AF45014CAF440154A342015203E0000845
67368+:104FC000AF43017827BDFFD8AFB20018AFB10014CE
67369+:104FD000AFB00010AFBF0020AFB3001C9342010977
67370+:104FE000308600FF30B000FF000618C23204000215
67371+:104FF0003071000114800005305200FF93670005F6
67372+:1050000030E5000810A0000D30C80010024020213B
67373+:105010000E0005A702202821240400018FBF0020D4
67374+:105020008FB3001C8FB200188FB100148FB0001026
67375+:105030000080102103E0000827BD00281500003281
67376+:105040000000000093430109000028213062007F26
67377+:10505000000220C00002F94003E49821267900886C
67378+:10506000033B98218E7800248E6F0008130F0046B2
67379+:10507000000000008F640084241800020004FD82F8
67380+:1050800033F900031338007C0000000093660083AE
67381+:10509000934A0109514600043205007C10A00060CB
67382+:1050A000000000003205007C14A0005302402021C3
67383+:1050B00016200006320400018E7F00248F5901045F
67384+:1050C00017F9FFD600002021320400011080000AE9
67385+:1050D000024020218F4209408F9300641053000644
67386+:1050E000000000000E00066D022028218F430940B9
67387+:1050F000AF630044024020210E0006020220282156
67388+:105100000A000860240400013C0908008D2900649D
67389+:10511000252600013C010800AC26006416000012A0
67390+:10512000000000008F6D00843C0E00C001AE6024C2
67391+:1051300015800005024020210E00082E02202821A3
67392+:105140000A00086024040001240500040E00057014
67393+:1051500024060001024020210E00082E02202821F2
67394+:105160000A000860240400010E000041240400012C
67395+:10517000936B007D020B50250E000062A36A007D38
67396+:105180000A0008A38F6D00848F6600748F480104A5
67397+:105190008E67002400064E021507FFB63126007FF9
67398+:1051A000936B008326440001308A007F1146004340
67399+:1051B000316300FF5464FFB08F6400842645000112
67400+:1051C00030B1007F30A200FF122600042405000148
67401+:1051D000004090210A00087624110001240FFF806E
67402+:1051E000024F702401CF9026324200FF00409021F0
67403+:1051F0000A000876241100010E00066D0220282105
67404+:10520000321800301300FFAA321000820240202121
67405+:105210000E0005A7022028210A00086024040001CE
67406+:105220008F6E00743C0F80002405000301CF902591
67407+:10523000AF72007493710083240600010E000570A4
67408+:10524000322400FF0E00004124040001936D007D14
67409+:10525000020D60250E000062A36C007D3C0B08006F
67410+:105260008D6B0054257000013C010800AC300054E7
67411+:105270000A000860240400018F6800743C09800063
67412+:105280002405000401093825AF6700749363008387
67413+:10529000240600010E000570306400FF0E0000417E
67414+:1052A000240400019362007D020298250E00006232
67415+:1052B000A373007D0A00086024040001324D0080C1
67416+:1052C00039AC0080546CFF6C8F6400840A0008C9FC
67417+:1052D0002645000127BDFFC83C0A0008AFBF0030CB
67418+:1052E000AFB5002CAFB40028AFB30024AFB200209C
67419+:1052F000AFB1001CAFB00018034AD8212409004008
67420+:10530000AF490814AF4008108F4209448F43095039
67421+:105310008F4609548F47095C8F48094C9344010814
67422+:105320009345010BAF820064308400FF30A500FF7D
67423+:10533000AF830050AF86004CAF87005C0E00084A78
67424+:10534000AF8800601440017D8FBF0030A760006807
67425+:10535000934D0900240B00503C15080026B53D482C
67426+:1053600031AC00FF3C12080026523D58118B00035F
67427+:10537000000000000000A8210000902193510109C5
67428+:105380008F9F005024040010322E007F000E68C052
67429+:10539000000E6140018D282124B40088AF54081804
67430+:1053A0008F4901048F4A09A43C0B000E034BC02116
67431+:1053B000012A10233C010800AC223D6C8F430958A0
67432+:1053C0003C010800A0243D9097470908007F302346
67433+:1053D0003C010800AC263D7030E8FFFF0008C9C062
67434+:1053E0003C010800AC3F3D94AF59002C974209089E
67435+:1053F0009710002C8EB10000930F001803749821B1
67436+:10540000A7900058AF9300440220F80931F000FF44
67437+:10541000304E000215C001B2304F000111E0014FC3
67438+:10542000000000009343093E3066000814C00002EB
67439+:10543000241400030000A0218F5809A424130001A4
67440+:105440003C010800AC383D98934F0934935109371B
67441+:1054500031EC00FF322E00FF028E6821000D288003
67442+:1054600000AC5021015058213C010800A42B3D887C
67443+:105470003C010800A42A3D8693490934312200FFEB
67444+:1054800002022021249000103C010800A4303D8439
67445+:10549000240700068F9F00503C010800AC273D8C7C
67446+:1054A0008F88005C8F59095800008021011F282334
67447+:1054B00004A00149033F20230480014700A4302BAE
67448+:1054C00010C00149000000003C010800AC253D70FF
67449+:1054D0008E4200000040F809000000003043000246
67450+:1054E000146000F80040882130440001548000100E
67451+:1054F0008E4200043C0908008D293D743C0AC0001E
67452+:10550000012A8025AF500E008F45000030AB000807
67453+:105510001160FFFD00000000974D0E0824100001EF
67454+:10552000A78D003C8F4C0E04AF8C00348E420004DB
67455+:105530000040F8090000000002228825322E0002F7
67456+:1055400015C00180000000003C09080095293D7C41
67457+:105550003C06080094C63D883C0A0800954A3D7EFA
67458+:105560003C1908008F393D74012660213C18080061
67459+:105570008F183D983C03080094633D92018A2021D6
67460+:105580008F4E09400329F821248F000203E32821CC
67461+:10559000031968213C010800A42C3D8AAF8E0064E9
67462+:1055A0003C010800AC2D3D983C010800A4253D803D
67463+:1055B0000E00009E31E4FFFF8F870048004020214D
67464+:1055C0003C010800A0273D918E42000824E800011C
67465+:1055D000AF8800480040F809000000009344010B28
67466+:1055E0008F4C002C974A09083C0B000E034B4021BE
67467+:1055F0003149FFFF000919C08F8B0050AF43002CC9
67468+:10560000974309089506001A00403821308A004067
67469+:1056100030DFFFFFAC5F00008D19001C0040482107
67470+:10562000AC5900048D180020AC580008910F0019E7
67471+:1056300031E30003107300F0000000002862000254
67472+:105640001440010924050002106500FD240D00032B
67473+:10565000106D010D00000000114000D90000000095
67474+:105660003C0A0800954A3D8625420001934D0934C5
67475+:1056700093580921950E002A31A300FF00032082D0
67476+:10568000331F00FF9798005800047E00001FCC00D5
67477+:1056900001F940253049FFFF0109102501D83021CB
67478+:1056A0003C0540000045502500066C00ACED0004B0
67479+:1056B000ACEA0000934309203C04000624ED0014EA
67480+:1056C0000003FE0003E4C825ACF900088F49092C4B
67481+:1056D000270F000131EE7FFFACE9000C8F48093045
67482+:1056E000A78E005824E90028ACE800108F4509383F
67483+:1056F00001204021ACE50014ADAB00048F4209400D
67484+:10570000ADA20008934B09373C1F080093FF3D9062
67485+:105710008F4309488F4A0940316600FF00D4202199
67486+:10572000006A78230004C700001FCC000319282555
67487+:1057300031EEFFFC00AE1025ADA2000CADA00010B4
67488+:10574000AF4C002C934C093E318B00085160000F88
67489+:105750008E58000C3C06010134CA080AACEA002845
67490+:105760008F4B0074AD2B00043C0C0800918C3D90D5
67491+:105770003187001050E00003AD2000088F62006008
67492+:10578000AD2200082528000C8E58000C0300F809F3
67493+:10579000010020213C19080097393D8A3C1F080070
67494+:1057A00097FF3D7E033F782125E900020E0000C7E8
67495+:1057B0003124FFFF3C0E08008DCE3D6C3C080800F4
67496+:1057C0008D083D7401C828233C010800AC253D6CC0
67497+:1057D00014A00006000000003C0308008C633D8C10
67498+:1057E000346400403C010800AC243D8C1200007081
67499+:1057F0008F8C00448F470E108F900044AE0700201E
67500+:105800008F4D0E18AE0D00243C10080096103D8000
67501+:105810000E0000600000000024020040AF420814A7
67502+:105820008F8600508F8A004C00D01821006A5823C0
67503+:1058300019600004AF830050AF6300548F650054BB
67504+:10584000AF85004C1200000C000000008F44007473
67505+:10585000936800813409FA002D0E000711C000057D
67506+:1058600000891821937F0081241901F403F9780439
67507+:1058700001E41821AF63000C8F44095C8F83005C46
67508+:105880000083C0231B000003000000008F50095C50
67509+:10589000AF90005C0E000062000000008F8C005092
67510+:1058A0008E4700103C010800AC2C3D9400E0F80944
67511+:1058B000000000003C0D08008DAD3D6C55A0FEF5CC
67512+:1058C000240700068F450024975909088F8B006430
67513+:1058D0008F9400503C0F001F978200588F86005411
67514+:1058E0008F93004C3328FFFF35E9FF8000A9502437
67515+:1058F000000871C032320100AF4E0024A4C2002C57
67516+:10590000AF4A0024AF6B0044AF740050AF73005433
67517+:105910001640008032380010570000868EA4000424
67518+:10592000322300405460001B8EB100088EB0000C82
67519+:105930000200F809000000008FBF00308FB5002C76
67520+:105940008FB400288FB300248FB200208FB1001CC9
67521+:105950008FB0001803E0000827BD00389347010905
67522+:105960008F8800380007FE0003E8C825AF59008083
67523+:105970008F5809A08F5309A4AFB80010AF580E1468
67524+:105980008FB40010AF540E10AF530E1C0A00096202
67525+:10599000AF530E180220F809000000008EB0000C72
67526+:1059A0000200F809000000000A000AA88FBF0030BA
67527+:1059B000A5800020A59300220A000A5BAD93002475
67528+:1059C0003C09080095293D863C06080094C63D80A8
67529+:1059D0000A0009F4012610213C010800AC203D70AA
67530+:1059E0000A00098E8E4200003C010800AC243D7084
67531+:1059F0000A00098E8E4200003C03080094633D8A31
67532+:105A00003C04080094843D803C1F080097FF3D7CC7
67533+:105A1000951800240064C821033F782300186C0007
67534+:105A200025EEFFF201AE2825AC45000C240208004B
67535+:105A3000ACE20014ACE000100A0009EF24E7001803
67536+:105A400095060024950900280006240000091C0082
67537+:105A5000349F810034790800ACFF000CACF90010D1
67538+:105A60000A0009EF24E700141460FEFB00000000A8
67539+:105A70009518002400187C0035EE0800ACEE000CF0
67540+:105A80000A0009EF24E700103C07080094E73D8076
67541+:105A90003C04080094843D8A3C03080094633D7CE8
67542+:105AA00095190024951800280087F82103E378232E
67543+:105AB0002407080000192C0000186C0025EEFFEEEA
67544+:105AC00001AE302534A28100AD2700182527001C27
67545+:105AD000AD22000CAD2600100A0009EFAD20001425
67546+:105AE00093520109000028210E000602324400FFF3
67547+:105AF0008FBF00308FB5002C8FB400288FB30024E7
67548+:105B00008FB200208FB1001C8FB0001803E0000896
67549+:105B100027BD0038935F010933E400FF0E00066DD6
67550+:105B200000002821323800105300FF7E322300404D
67551+:105B30008EA400040080F809000000000A000AA2F8
67552+:105B4000322300401200FF5F000000008F540E144B
67553+:105B50008F920044AE5400208F530E1C0A000A8A14
67554+:105B6000AE5300248F82001C008040213C040100C1
67555+:105B70009047008530E3002010600009000000001D
67556+:105B80003C0708008CE73D948F83001800E3202336
67557+:105B9000048000089389000414E30003010020211D
67558+:105BA00003E00008008010213C04010003E000082D
67559+:105BB000008010211120000B006738238F8C0020FB
67560+:105BC00024090034918B00BC316A0002514000016D
67561+:105BD0002409003000E9682B15A0FFF10100202105
67562+:105BE00000E938232419FFFC00B9C02400F9782407
67563+:105BF00000F8702B15C0FFEA01E8202130C2000335
67564+:105C00000002182314C00012306900030000302184
67565+:105C100000A9702101C6682100ED602B1180FFE012
67566+:105C20003C0401002D2F00010006482B01053821FE
67567+:105C300001E9302414C0FFDA24E4FFFC2419FFFC3E
67568+:105C400000B9C0240308202103E0000800801021CF
67569+:105C50008F8B002024060004916A00BC31440004AC
67570+:105C60001480FFEC00A970210A000B5E00003021B7
67571+:105C700027BDFFE8AFBF00108F460100934A01091E
67572+:105C80003C1F08008FFF00902407FF80314F00FF6A
67573+:105C900031E8007F0008614003E6C821032CC021E1
67574+:105CA00027090120012770243C010800A02F3DD0C6
67575+:105CB000AF4E080C3C0D08008DAD00903C040080F8
67576+:105CC0003482000301A65821016C182124650120AB
67577+:105CD00030AA007801424025AF48081C3C1F08004C
67578+:105CE0008FFF00908F88004003E6C0213319000722
67579+:105CF00003074824033A7821AF49002825E909C061
67580+:105D0000952E00023C0D08008DAD008C3C0A080069
67581+:105D10008D4A009031CC3FFF01A61821000C59801C
67582+:105D2000006B282100A72024AF44002C95220002FC
67583+:105D30003C1F08008FFF008C9107008530593FFF02
67584+:105D400003E678210019C1800146702101F868211D
67585+:105D500031CC007F31AB007F019A2821017A50219C
67586+:105D60003C03000C3C04000E00A328210144102138
67587+:105D700030E6002027470980AF82002CAF88001C46
67588+:105D8000AF890024AF85002010C00006AF8700282F
67589+:105D90008D0200508CA4010C0044302318C0007701
67590+:105DA00000000000910C0085240DFFDF018D3824D8
67591+:105DB000A10700858F8B001C8F8900248F87002806
67592+:105DC0008D65004CAF850018912F000D31EE00203D
67593+:105DD00011C000170000000024090001A38900047D
67594+:105DE000AF80000C8CE400248F85000C240A00088E
67595+:105DF000AF800008AF8000103C010800A42A3D7E5F
67596+:105E00003C010800A4203D920E000B32000030211E
67597+:105E10008F8500248FBF0010AF82001490A8000D62
67598+:105E200027BD00180008394203E0000830E20001F5
67599+:105E3000913F00022418000133F900FF001921826C
67600+:105E400010980039240800021088005B8F86002C0F
67601+:105E50008CE5002414A0001B8F9F002091220000DD
67602+:105E6000240A00053046003F10CA00472404000100
67603+:105E70008F860008A3840004AF860010AF86000C54
67604+:105E80008CE400248F85000C240A00083C010800E3
67605+:105E9000A42A3D7E3C010800A4203D920E000B3256
67606+:105EA000000000008F8500248FBF0010AF82001417
67607+:105EB00090A8000D27BD00180008394203E0000833
67608+:105EC00030E200018CF800088CF900248FEE00C449
67609+:105ED000A38000048CE40024AF8E000C8F85000C9E
67610+:105EE0008F86000803197823240A0008AF8F00105A
67611+:105EF0003C010800A42A3D7E3C010800A4203D92FC
67612+:105F00000E000B32000000008F8500248FBF0010B0
67613+:105F1000AF82001490A8000D27BD00180008394278
67614+:105F200003E0000830E20001912300003062003FEE
67615+:105F3000104400278F8500208CE400241480002169
67616+:105F4000000000008D2E00183C187FFF8F85002078
67617+:105F5000370FFFFF01CF1824AF8300088F9F000881
67618+:105F60008CA8008403E8C82B1720000203E020213E
67619+:105F70008CA400840A000BEDAF8400088CA3010CF4
67620+:105F80000A000BCBAF8300188D2C00188F860008F9
67621+:105F90003C0D7FFF8F89002035A3FFFF018358242C
67622+:105FA00024040001AF8B0010AD2000CCA3840004BA
67623+:105FB0000A000BF9AF86000C8CCA00140A000BED26
67624+:105FC000AF8A00088CA300C80A000C30AF83000819
67625+:105FD0008F84002C8CAC00648C8D0014018D582BA8
67626+:105FE00011600004000000008CA200640A000C3064
67627+:105FF000AF8200088C8200140A000C30AF820008C7
67628+:106000008F85000C27BDFFE0AFBF0018AFB10014B3
67629+:1060100014A00007AFB000108F86002424020005F2
67630+:1060200090C400003083003F106200B68F840020CF
67631+:106030008F91000800A080218F8C00283C0508006B
67632+:106040008CA53D708D8B000431663FFF00C5502B41
67633+:106050005540000100C02821938D000411A0007359
67634+:1060600000B0F82B8F98002024040034930F00BC5C
67635+:1060700031EE000251C000012404003000A4C82BFE
67636+:10608000172000D10000000000A4282300B0F82B46
67637+:106090003C010800A4243D7C17E000680200202198
67638+:1060A0003C0308008C633D6C0083102B54400001BE
67639+:1060B000008018218F8800243C010800AC233D7427
67640+:1060C000000048219104000D308300205060000141
67641+:1060D0008F490E188F8300140123382B10E00059CC
67642+:1060E000000000003C0408008C843D7400895821A5
67643+:1060F000006B502B114000560090602B006930233C
67644+:1061000000C020213C010800AC263D7412000003B1
67645+:10611000241FFFFC1090008A32270003009FC82430
67646+:106120003C010800AC393D743C010800A4203D92BC
67647+:106130008F84000C120400078F830020AF910008A9
67648+:10614000020020218C7100CCAF90000C26300001A1
67649+:10615000AC7000CC3C0208008C423D748F8A001069
67650+:10616000240700180082202301422823AF84000C5A
67651+:1061700010800002AF850010240700108F86001CDD
67652+:106180003C010800A0273D902407004090CC0085EA
67653+:10619000318B00C0116700408F8D001414A00015D2
67654+:1061A00000002021934A01098F420974314500FF04
67655+:1061B0000002260224A300013090007F3071007F8E
67656+:1061C0001230007A2407FF80A0C300833C09080036
67657+:1061D0008D293D8C8F880024240D0002352C000869
67658+:1061E0003C010800A02D3DD13C010800AC2C3D8CA9
67659+:1061F00024040010910E000D31C6002010C00005CF
67660+:1062000000801821240800013C010800AC283D74DE
67661+:10621000348300018FBF00188FB100148FB00010BD
67662+:106220000060102103E0000827BD00203C010800A9
67663+:10623000A4203D7C13E0FF9A020020210A000C817B
67664+:1062400000A020213C0408008C843D740090602B49
67665+:106250001180FFAE000000003C0F080095EF3D7C70
67666+:1062600001E4702101C6682B11A000072C820004F4
67667+:106270003C1F60008FF954043338003F1700FFE5DE
67668+:10628000240300422C8200041040FFA0240300429B
67669+:106290000A000CDF8FBF0018152DFFC000000000A2
67670+:1062A0008CDF00743C0380002405FF8003E3C825D5
67671+:1062B000ACD9007490D80085240E0004240400108A
67672+:1062C000330F003F01E54025A0C800858F880024DA
67673+:1062D0003C010800A02E3DD1240300019106000DD1
67674+:1062E00030C9002015200003000000003C03080016
67675+:1062F0008C633D743C010800AC233D6C0A000CD655
67676+:10630000000000008F8700108C88008400E8282B94
67677+:1063100014A0000200E088218C910084240900016F
67678+:10632000A38900048F440E18022028210E000B328E
67679+:1063300002203021022080210A000C67AF82001465
67680+:1063400000071823306600033C010800A4263D9294
67681+:10635000122000058F8C0020918B00BC316A000454
67682+:106360001540001524CD00043C0F080095EF3D9228
67683+:1063700001E4702100AE302B50C0FF6E8F84000C02
67684+:106380002C85000514A0FFA32403004230980003CD
67685+:1063900017000002009818232483FFFC3C0108002A
67686+:1063A000AC233D740A000CA30000000000A7582491
67687+:1063B0000A000CCB016718263C010800A42D3D9271
67688+:1063C0000A000D33000000003C010800AC203D74C1
67689+:1063D0000A000CDE240300428F83001014600007C3
67690+:1063E000000010218F88002424050005910600007C
67691+:1063F00030C400FF108500030000000003E0000827
67692+:1064000000000000910A0018314900FF000939C25C
67693+:1064100014E0FFFA8F85001C3C04080094843D7C46
67694+:106420003C0308008C633D943C1908008F393D748F
67695+:106430003C0F080095EF3D920064C0218CAD0054E4
67696+:106440000319702101CF6021018D58231960001DAF
67697+:1064500000000000910E001C8F8C002C974B0E103A
67698+:1064600031CD00FF8D850004016D30238D88000043
67699+:1064700030CEFFFF000E510000AAC82100003821D5
67700+:1064800001072021032A182B0083C021AD990004A5
67701+:10649000AD980000918F000A01CF6821A18D000AFC
67702+:1064A0008F88002C974B0E12A50B0008950A003818
67703+:1064B00025490001A50900389107000D34E60008C0
67704+:1064C000A106000D03E000080000000027BDFFE06A
67705+:1064D000938700048F8F00248FAD00143C0E7FFF44
67706+:1064E0008F89000C35C8FFFFAFBF001CAFB000188C
67707+:1064F00001A8182491EA000D000717C03C1FBFFF38
67708+:10650000006258252D2E00018F90001837F9FFFFEB
67709+:106510003C1808008F183D943C0F080095EF3D8A09
67710+:1065200001796824000E47803C07EFFF3C05F0FF2F
67711+:1065300001A818253149002034E2FFFF34ACFFFFE9
67712+:106540000310582327A500102406000225EA0002A4
67713+:1065500000621824008080211520000200004021E4
67714+:106560008F480E1CA7AA0012056000372407000000
67715+:1065700030FF00FF001FCF008F8B001C00793825F3
67716+:10658000AFA70014916F00853C08080091083D9169
67717+:106590003C18DFFF31EE00C0370AFFFF000E182B5A
67718+:1065A0003C1F080097FF3D8400EA6824A3A800115F
67719+:1065B0000003174001A248258FB90010AFA90014AD
67720+:1065C0003C0A0800914A3D93A7BF00168FA800140B
67721+:1065D000032CC0243C0B01003C0F0FFF030B1825BC
67722+:1065E0003147000335EEFFFF010C68240007160059
67723+:1065F000006EF8243C09700001A2C82503E9582563
67724+:10660000AFB90014AFAB00100E000076A3A00015C8
67725+:106610008F8C0024260200089186000D30C40020D3
67726+:10662000108000068FBF001C3C05080094A53D802B
67727+:1066300024B0FFFF3C010800A4303D808FB000185B
67728+:1066400003E0000827BD00208F9800140118502B8C
67729+:106650005540FFC7240700010A000DB630FF00FFB8
67730+:106660009382000427BDFFE0AFBF00181040000F69
67731+:10667000008050218F880024240B00058F8900089A
67732+:10668000910700008F8400200100282130E3003FA3
67733+:106690008F86002C106B000800003821AFA9001075
67734+:1066A0000E00040EAFAA0014A38000048FBF0018D0
67735+:1066B00003E0000827BD00208D1900183C0F0800DA
67736+:1066C0008DEF3D748F9800103C027FFF8D08001401
67737+:1066D000345FFFFF033F682401F8702101AE60239F
67738+:1066E00001883821AFA900100E00040EAFAA0014D3
67739+:1066F0000A000E04A38000048F8700243C050800D4
67740+:1067000094A53D923C0208008C423D8C90E6000D21
67741+:106710000005240030C300201060002C00444025F8
67742+:106720008F85001C00006021240B000190A30085D0
67743+:1067300000004821240A00013C0F800035EE007063
67744+:106740008DC70000AF8700308F5801780700FFFE2B
67745+:106750003C038000347900708F3800003C0508004D
67746+:106760008CA500743C0D08008DAD007003077823E4
67747+:1067700000AF38210000102100EF302B01A22021B2
67748+:10678000008618213C010800AC2700743C01080079
67749+:10679000AC230070AF4B01483C1908008F393D9481
67750+:1067A000A7490144A74A0146AF59014C3C0B0800D8
67751+:1067B000916B3D91A34B0152AF4801543C0810002E
67752+:1067C000A74C015803E00008AF4801788F4B0E1C1E
67753+:1067D0003C0A08008D4A3D7497490E16974D0E14D9
67754+:1067E00001456021312AFFFF0A000E2731A9FFFF72
67755+:1067F0008F8300249064000D308200201040002917
67756+:10680000000000000000482100005021000040214D
67757+:106810003C07800034EB00708D670000AF870030CC
67758+:106820008F4C01780580FFFE3C0D800035AC007078
67759+:106830008D8B00003C0508008CA500743C0408000A
67760+:106840008C8400700167302300A67821000010219D
67761+:1068500001E6C82B0082C021031970213C01080009
67762+:10686000AC2F00743C010800AC2E0070AF49014809
67763+:106870003C0D08008DAD3D94A7480144240900401B
67764+:10688000A74A01463C081000240AFF91AF4D014C75
67765+:10689000A34A0152AF490154A740015803E0000840
67766+:1068A000AF4801788F490E1897460E1297450E1083
67767+:1068B00030CAFFFF0A000E5D30A8FFFF8F8300245F
67768+:1068C00027BDFFF89064000D308200201040003A90
67769+:1068D00000000000240B000100004821240A0001F0
67770+:1068E0003C088000350700708CE30000AF83003067
67771+:1068F0008F4C01780580FFFE3C0E80003C040800B0
67772+:1069000090843DD035C700708CEC00003C05080039
67773+:106910008CA50074A3A400033C1908008F390070F3
67774+:106920008FAD00000183302300A638210000102124
67775+:106930000322782100E6C02B01F8602101AE40253A
67776+:10694000AFA800003C010800AC2700743C0108001F
67777+:10695000AC2C00709346010A3C04080090843DD1A1
67778+:10696000A3A00002A3A600018FA300003C0580FFA6
67779+:106970003099007F34A2FFFF006278240019C6001E
67780+:1069800001F87025240D3000AF4E014C27BD0008E2
67781+:10699000AF4D0154A7400158AF4B0148A7490144EE
67782+:1069A000A74A01463C091000240AFF80A34A01526D
67783+:1069B00003E00008AF4901788F4B0E1897460E127E
67784+:1069C00097450E1030CAFFFF0A000E9130A9FFFF55
67785+:1069D0008F85001C2402008090A40085308300C0B5
67786+:1069E000106200058F8600208F8800088F87000CBA
67787+:1069F000ACC800C8ACC700C403E000080000000039
67788+:106A00003C0A0800254A39543C09080025293A2047
67789+:106A10003C08080025082DD43C07080024E73B3437
67790+:106A20003C06080024C637C43C05080024A5353CB4
67791+:106A30003C040800248431643C0308002463385C6F
67792+:106A40003C020800244236303C010800AC2A3D508C
67793+:106A50003C010800AC293D4C3C010800AC283D48F5
67794+:106A60003C010800AC273D543C010800AC263D64C5
67795+:106A70003C010800AC253D5C3C010800AC243D58BD
67796+:106A80003C010800AC233D683C010800AC223D609D
67797+:086A900003E000080000000013
67798+:00000001FF
67799diff --git a/firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex b/firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex
67800new file mode 100644
67801index 0000000..43d7c4f
67802--- /dev/null
67803+++ b/firmware/bnx2/bnx2-mips-09-6.2.1b.fw.ihex
67804@@ -0,0 +1,6496 @@
67805+:10000000080001180800000000005594000000C816
67806+:1000100000000000000000000000000008005594EF
67807+:10002000000000380000565C080000A00800000036
67808+:100030000000574400005694080059200000008436
67809+:100040000000ADD808005744000001C00000AE5CBD
67810+:100050000800321008000000000092580000B01C98
67811+:10006000000000000000000000000000080092589E
67812+:100070000000033C000142740800049008000400E2
67813+:10008000000012FC000145B000000000000000006C
67814+:1000900000000000080016FC00000004000158AC3D
67815+:1000A000080000A80800000000003D00000158B052
67816+:1000B00000000000000000000000000008003D00FB
67817+:1000C00000000030000195B00A000046000000006A
67818+:1000D000000000000000000D636F6D362E322E31DF
67819+:1000E00062000000060201020000000000000003A0
67820+:1000F000000000C800000032000000030000000003
67821+:1001000000000000000000000000000000000000EF
67822+:1001100000000010000001360000EA600000000549
67823+:1001200000000000000000000000000000000008C7
67824+:1001300000000000000000000000000000000000BF
67825+:1001400000000000000000000000000000000000AF
67826+:10015000000000000000000000000000000000009F
67827+:10016000000000020000000000000000000000008D
67828+:10017000000000000000000000000000000000007F
67829+:10018000000000000000000000000010000000005F
67830+:10019000000000000000000000000000000000005F
67831+:1001A000000000000000000000000000000000004F
67832+:1001B000000000000000000000000000000000003F
67833+:1001C000000000000000000000000000000000002F
67834+:1001D000000000000000000000000000000000001F
67835+:1001E0000000000010000003000000000000000DEF
67836+:1001F0000000000D3C020800244256083C030800A1
67837+:1002000024635754AC4000000043202B1480FFFDB2
67838+:10021000244200043C1D080037BD9FFC03A0F021D0
67839+:100220003C100800261001183C1C0800279C5608AA
67840+:100230000E000256000000000000000D27BDFFB4B4
67841+:10024000AFA10000AFA20004AFA30008AFA4000C50
67842+:10025000AFA50010AFA60014AFA70018AFA8001CF0
67843+:10026000AFA90020AFAA0024AFAB0028AFAC002C90
67844+:10027000AFAD0030AFAE0034AFAF0038AFB8003C28
67845+:10028000AFB90040AFBC0044AFBF00480E001544FA
67846+:10029000000000008FBF00488FBC00448FB90040B1
67847+:1002A0008FB8003C8FAF00388FAE00348FAD003078
67848+:1002B0008FAC002C8FAB00288FAA00248FA90020C0
67849+:1002C0008FA8001C8FA700188FA600148FA5001000
67850+:1002D0008FA4000C8FA300088FA200048FA1000040
67851+:1002E00027BD004C3C1B60108F7A5030377B502864
67852+:1002F00003400008AF7A00008F82002427BDFFE092
67853+:10030000AFB00010AFBF0018AFB100148C42000CAA
67854+:100310003C1080008E110100104000348FBF001887
67855+:100320000E000D84000000008F85002024047FFF54
67856+:100330000091202BACB100008E030104960201084D
67857+:1003400000031C003042FFFF00621825ACA300042C
67858+:100350009202010A96030114304200FF3063FFFF4E
67859+:100360000002140000431025ACA200089603010C03
67860+:100370009602010E00031C003042FFFF00621825A8
67861+:10038000ACA3000C960301109602011200031C009E
67862+:100390003042FFFF00621825ACA300108E02011846
67863+:1003A000ACA200148E02011CACA20018148000083C
67864+:1003B0008F820024978200003C0420050044182509
67865+:1003C00024420001ACA3001C0A0000C6A782000062
67866+:1003D0003C0340189442001E00431025ACA2001CB0
67867+:1003E0000E000DB8240400018FBF00188FB1001457
67868+:1003F0008FB000100000102103E0000827BD00208E
67869+:100400003C0780008CE202B834E50100044100089A
67870+:10041000240300013C0208008C42006024420001D9
67871+:100420003C010800AC22006003E0000800601021DD
67872+:100430003C0208008C42005C8CA4002094A30016AF
67873+:100440008CA6000494A5000E24420001ACE40280B6
67874+:100450002463FFFC3C010800AC22005C3C0210005D
67875+:10046000A4E30284A4E5028600001821ACE6028819
67876+:10047000ACE202B803E000080060102127BDFFE0F5
67877+:100480003C028000AFB0001034420100AFBF001C3E
67878+:10049000AFB20018AFB100148C43000094450008BF
67879+:1004A0002462FE002C42038110400003000381C23D
67880+:1004B0000A00010226100004240201001462000553
67881+:1004C0003C1180003C02800890420004305000FF44
67882+:1004D0003C11800036320100964300143202000FB6
67883+:1004E00000021500004310253C0308008C63004403
67884+:1004F00030A40004AE220080246300013C01080007
67885+:10050000AC2300441080000730A200028FBF001C03
67886+:100510008FB200188FB100148FB000100A0000CE07
67887+:1005200027BD00201040002D0000182130A20080BF
67888+:1005300010400005362200708E44001C0E000C672F
67889+:10054000240500A0362200708C4400008F82000C2D
67890+:10055000008210232C43012C10600004AF82001095
67891+:10056000240300010A000145AF84000C8E42000400
67892+:100570003C036020AF84000CAC6200143C02080015
67893+:100580008C42005850400015000018218C62000475
67894+:10059000240301FE304203FF144300100000182121
67895+:1005A0002E020004104000032E0200080A00014041
67896+:1005B0000000802114400003000000000A000140F8
67897+:1005C0002610FFF90000000D2402000202021004B0
67898+:1005D0003C036000AC626914000018218FBF001C4E
67899+:1005E0008FB200188FB100148FB00010006010217E
67900+:1005F00003E0000827BD00203C0480008C8301003C
67901+:1006000024020100506200033C0280080000000D3B
67902+:100610003C02800890430004000010213063000F6A
67903+:1006200000031D0003E00008AC8300800004188074
67904+:100630002782FF9C00621821000410C00044102390
67905+:100640008C640000000210C03C030800246356E4E0
67906+:10065000004310213C038000AC64009003E00008DC
67907+:10066000AF8200243C0208008C42011410400019A3
67908+:100670003084400030A2007F000231C03C02020002
67909+:100680001080001400A218253C026020AC43001426
67910+:100690003C0408008C8456B83C0308008C630110AD
67911+:1006A0003C02800024050900AC4500200086202182
67912+:1006B000246300013C028008AC4400643C01080053
67913+:1006C000AC2301103C010800AC2456B803E000083C
67914+:1006D000000000003C02602003E00008AC4500146C
67915+:1006E00003E000080000102103E0000800001021D2
67916+:1006F00030A2000810400008240201003C0208005B
67917+:100700008C42010C244200013C010800AC22010C87
67918+:1007100003E0000800000000148200080000000050
67919+:100720003C0208008C4200FC244200013C0108000D
67920+:10073000AC2200FC0A0001A330A200203C02080009
67921+:100740008C420084244200013C010800AC22008459
67922+:1007500030A200201040000830A200103C02080027
67923+:100760008C420108244200013C010800AC2201082F
67924+:1007700003E0000800000000104000080000000036
67925+:100780003C0208008C420104244200013C010800A4
67926+:10079000AC22010403E00008000000003C02080055
67927+:1007A0008C420100244200013C010800AC220100FF
67928+:1007B00003E000080000000027BDFFE0AFB1001417
67929+:1007C0003C118000AFB20018AFBF001CAFB00010EA
67930+:1007D0003632010096500008320200041040000733
67931+:1007E000320300028FBF001C8FB200188FB10014BB
67932+:1007F0008FB000100A0000CE27BD00201060000B53
67933+:10080000020028218E2401000E00018A0000000051
67934+:100810003202008010400003240500A10E000C6786
67935+:100820008E44001C0A0001E3240200018E2301040F
67936+:100830008F82000810430006020028218E24010048
67937+:100840000E00018A000000008E220104AF82000821
67938+:10085000000010218FBF001C8FB200188FB1001450
67939+:100860008FB0001003E0000827BD00202C82000498
67940+:1008700014400002000018212483FFFD240200021E
67941+:10088000006210043C03600003E00008AC626914DD
67942+:1008900027BDFFE0AFBF001CAFB20018AFB100141E
67943+:1008A000AFB000103C048000948201083043700017
67944+:1008B000240220001062000A2862200154400052E5
67945+:1008C0008FBF001C24024000106200482402600018
67946+:1008D0001062004A8FBF001C0A0002518FB200183C
67947+:1008E00034820100904300098C5000189451000C90
67948+:1008F000240200091062001C0000902128620009F7
67949+:10090000144000218F8200242402000A5062001249
67950+:10091000323100FF2402000B1062000F00000000C3
67951+:100920002402000C146200188F8200243C0208008C
67952+:100930008C4256B824030900AC83002000501021DB
67953+:100940003C038008AC6200643C010800AC2256B84D
67954+:100950000A0002508FBF001C0E0001E900102602A1
67955+:100960000A0002308F8200240E0001E900102602E6
67956+:100970003C0380089462001A8C72000C3042FFFF26
67957+:10098000020280258F8200248C42000C5040001E01
67958+:100990008FBF001C0E000D84000000003C02800090
67959+:1009A00034420100944300088F82002400031C009D
67960+:1009B0009444001E8F82002000641825AC50000073
67961+:1009C00024040001AC510004AC520008AC40000CFF
67962+:1009D000AC400010AC400014AC4000180E000DB844
67963+:1009E000AC43001C0A0002508FBF001C0E000440E4
67964+:1009F000000000000A0002508FBF001C0E000C9F78
67965+:100A0000000000008FBF001C8FB200188FB10014CF
67966+:100A10008FB000100000102103E0000827BD002067
67967+:100A200027BDFFD8AFB400203C036010AFBF002447
67968+:100A3000AFB3001CAFB20018AFB10014AFB00010DC
67969+:100A40008C6450002402FF7F3C1408002694563822
67970+:100A5000008220243484380CAC6450003C028000B6
67971+:100A6000240300370E0014B0AC4300083C07080014
67972+:100A700024E70618028010212404001D2484FFFFAF
67973+:100A8000AC4700000481FFFD244200043C02080042
67974+:100A9000244207C83C010800AC2256403C02080032
67975+:100AA000244202303C030800246306203C04080072
67976+:100AB000248403B43C05080024A506F03C06080085
67977+:100AC00024C62C9C3C010800AC2256803C02080045
67978+:100AD000244205303C010800AC2756843C01080044
67979+:100AE000AC2656943C010800AC23569C3C010800FF
67980+:100AF000AC2456A03C010800AC2556A43C010800DB
67981+:100B0000AC2256A83C010800AC23563C3C0108002E
67982+:100B1000AC2456443C010800AC2056603C0108005F
67983+:100B2000AC2556643C010800AC2056703C0108001E
67984+:100B3000AC27567C3C010800AC2656903C010800CE
67985+:100B4000AC2356980E00056E00000000AF80000C2C
67986+:100B50003C0280008C5300008F8300043C0208009C
67987+:100B60008C420020106200213262000700008821C0
67988+:100B70002792FF9C3C100800261056E43C02080017
67989+:100B80008C42002024050001022518040043202483
67990+:100B90008F820004004310245044000C26310001D1
67991+:100BA00010800008AF9000248E4300003C028000BB
67992+:100BB000AC4300900E000D4BAE05000C0A0002C1C4
67993+:100BC00026310001AE00000C263100012E22000269
67994+:100BD000261000381440FFE9265200043C020800A9
67995+:100BE0008C420020AF820004326200071040FFD91F
67996+:100BF0003C028000326200011040002D326200028F
67997+:100C00003C0580008CA2010000002021ACA2002045
67998+:100C10008CA301042C42078110400008ACA300A85B
67999+:100C200094A2010824032000304270001443000302
68000+:100C30003C02800890420005304400FF0E0001593C
68001+:100C4000000000003C0280009042010B304300FF96
68002+:100C50002C62001E54400004000310800E00018628
68003+:100C60000A0002EC00000000005410218C42000039
68004+:100C70000040F80900000000104000043C02800021
68005+:100C80008C4301043C026020AC4300143C02080089
68006+:100C90008C4200343C0440003C03800024420001AC
68007+:100CA000AC6401383C010800AC220034326200021E
68008+:100CB00010400010326200043C1080008E0201409F
68009+:100CC000000020210E000159AE0200200E00038317
68010+:100CD000000000003C024000AE0201783C02080027
68011+:100CE0008C420038244200013C010800AC2200384C
68012+:100CF000326200041040FF973C0280003C108000EC
68013+:100D00008E020180000020210E000159AE02002059
68014+:100D10008E03018024020F00546200073C02800809
68015+:100D20008E0201883C0300E03042FFFF00431025A3
68016+:100D30000A000328AE020080344200809042000086
68017+:100D400024030050304200FF14430007000000005D
68018+:100D50000E000362000000001440000300000000C9
68019+:100D60000E000971000000003C0208008C42003CAB
68020+:100D70003C0440003C03800024420001AC6401B804
68021+:100D80003C010800AC22003C0A0002A33C028000A7
68022+:100D90003C02900034420001008220253C02800089
68023+:100DA000AC4400203C0380008C6200200440FFFE25
68024+:100DB0000000000003E00008000000003C0280008A
68025+:100DC000344300010083202503E00008AC440020E8
68026+:100DD00027BDFFE0AFB10014AFB000100080882144
68027+:100DE000AFBF00180E00033230B000FF8F83FF94B6
68028+:100DF000022020219062002502028025A07000259B
68029+:100E00008C7000183C0280000E00033D020280241A
68030+:100E10001600000B8FBF00183C0480008C8201F884
68031+:100E20000440FFFE348201C024030002AC510000E4
68032+:100E3000A04300043C021000AC8201F88FBF0018F0
68033+:100E40008FB100148FB0001003E0000827BD002010
68034+:100E500027BDFFE83C028000AFBF00103442018094
68035+:100E6000944300048C4400083063020010600005C5
68036+:100E7000000028210E00100C000000000A0003787A
68037+:100E8000240500013C02FF000480000700821824B2
68038+:100E90003C02040014620004240500018F82FF94C8
68039+:100EA00090420008240500018FBF001000A010210F
68040+:100EB00003E0000827BD00188F82FF982405000179
68041+:100EC000A040001A3C028000344201400A00034264
68042+:100ED0008C4400008F85FF9427BDFFE0AFBF001C4E
68043+:100EE000AFB20018AFB10014AFB0001090A2000074
68044+:100EF000304400FF38830020388200300003182B74
68045+:100F00000002102B0062182410600003240200501D
68046+:100F1000148200A88FBF001C90A20005304200017F
68047+:100F2000104000A48FBF001C3C02800034420140EE
68048+:100F3000904200082443FFFF2C6200051040009EF1
68049+:100F40008FB20018000310803C030800246355ACE6
68050+:100F5000004310218C420000004000080000000007
68051+:100F60003C028000345101400E0003328E24000008
68052+:100F70008F92FF948E2200048E50000C1602000205
68053+:100F800024020001AE42000C0E00033D8E2400003E
68054+:100F90008E220004145000068FBF001C8FB2001870
68055+:100FA0008FB100148FB000100A000F7827BD002009
68056+:100FB0008E42000C0A000419000000003C0480006E
68057+:100FC0003482014094A300108C4200043063FFFF80
68058+:100FD0001443001C0000000024020001A4A2001021
68059+:100FE0008C8202380441000F3C0380003C02003F29
68060+:100FF0003448F0003C0760003C06FFC08CE22BBC8C
68061+:1010000000461824004810240002130200031D8229
68062+:10101000106200583C0280008C8202380440FFF7C6
68063+:101020003C038000346201408C44000034620200C2
68064+:10103000AC4400003C021000AC6202380A00043BE1
68065+:101040008FBF001C94A200100A00041900000000C9
68066+:10105000240200201482000F3C0280003C03800028
68067+:1010600094A20012346301408C6300043042FFFFFD
68068+:10107000146200050000000024020001A4A2001276
68069+:101080000A0004028FBF001C94A200120A00041977
68070+:1010900000000000345101400E0003328E24000095
68071+:1010A0008F92FF948E230004964200123050FFFF6F
68072+:1010B0001603000224020001A64200120E00033DA6
68073+:1010C0008E2400008E220004160200068FBF001C32
68074+:1010D0008FB200188FB100148FB000100A00037C8B
68075+:1010E00027BD0020964200120A00041900000000EB
68076+:1010F0003C03800094A20014346301408C6300041C
68077+:101100003042FFFF14620008240200018FBF001C60
68078+:101110008FB200188FB100148FB00010A4A2001479
68079+:101120000A00146327BD002094A20014144000217B
68080+:101130008FBF001C0A000435000000003C03800043
68081+:1011400094A20016346301408C6300043042FFFF18
68082+:101150001462000D240200018FBF001C8FB2001822
68083+:101160008FB100148FB00010A4A200160A000B1457
68084+:1011700027BD00209442007824420004A4A200105D
68085+:101180000A00043B8FBF001C94A200162403000138
68086+:101190003042FFFF144300078FBF001C3C020800D1
68087+:1011A0008C420070244200013C010800AC22007017
68088+:1011B0008FBF001C8FB200188FB100148FB00010C9
68089+:1011C00003E0000827BD002027BDFFD8AFB20018FC
68090+:1011D0008F92FF94AFB10014AFBF0020AFB3001CDB
68091+:1011E000AFB000103C028000345101008C5001006F
68092+:1011F0009242000092230009304400FF2402001FA5
68093+:10120000106200AB28620020104000192402003850
68094+:101210002862000A1040000D2402000B286200081A
68095+:101220001040002E8F820024046001042862000216
68096+:101230001440002A8F820024240200061062002637
68097+:101240008FBF00200A00055F8FB3001C1062006092
68098+:101250002862000B144000FA8FBF00202402000E09
68099+:10126000106200788F8200240A00055F8FB3001C93
68100+:10127000106200D2286200391040000A2402008067
68101+:1012800024020036106200E528620037104000C3D7
68102+:1012900024020035106200D98FBF00200A00055FCC
68103+:1012A0008FB3001C1062002D2862008110400006E0
68104+:1012B000240200C824020039106200C98FBF002038
68105+:1012C0000A00055F8FB3001C106200A28FBF0020D0
68106+:1012D0000A00055F8FB3001C8F8200248C42000C33
68107+:1012E000104000D78FBF00200E000D8400000000CA
68108+:1012F0003C038000346301008C6200008F85002075
68109+:10130000946700089466000CACA200008C64000492
68110+:101310008F82002400063400ACA400049448001E10
68111+:101320008C62001800073C0000E83825ACA20008D9
68112+:101330008C62001C24040001ACA2000C9062000A24
68113+:1013400000C23025ACA60010ACA00014ACA0001860
68114+:10135000ACA7001C0A00051D8FBF00208F8200244F
68115+:101360008C42000C104000B68FBF00200E000D8490
68116+:10137000000000008F820024962400089625000CAF
68117+:101380009443001E000422029626000E8F82002045
68118+:10139000000426000083202500052C003C0300806B
68119+:1013A00000A6282500832025AC400000AC400004A6
68120+:1013B000AC400008AC40000CAC450010AC40001440
68121+:1013C000AC400018AC44001C0A00051C24040001B9
68122+:1013D0009622000C14400018000000009242000504
68123+:1013E0003042001014400014000000000E000332D0
68124+:1013F0000200202192420005020020213442001008
68125+:101400000E00033DA242000592420000240300208A
68126+:10141000304200FF10430089020020218FBF0020CE
68127+:101420008FB3001C8FB200188FB100148FB0001062
68128+:101430000A00107527BD00280000000D0A00055E97
68129+:101440008FBF00208C42000C1040007D8FBF002019
68130+:101450000E000D84000000008E2200048F84002006
68131+:101460009623000CAC8200003C0280089445002CBE
68132+:101470008F82002400031C0030A5FFFF9446001E4D
68133+:101480003C02400E0065182500C23025AC830004E4
68134+:10149000AC800008AC80000CAC800010AC80001464
68135+:1014A000AC800018AC86001C0A00051C2404000156
68136+:1014B0000E000332020020218F93FF9802002021AA
68137+:1014C0000E00033DA660000C020020210E00034226
68138+:1014D000240500018F8200248C42000C104000582B
68139+:1014E0008FBF00200E000D84000000009622000C2B
68140+:1014F0008F83002000021400AC700000AC62000476
68141+:10150000AC6000088E4400388F820024AC64000C6C
68142+:101510008E46003C9445001E3C02401FAC66001005
68143+:1015200000A228258E62000424040001AC6200148D
68144+:10153000AC600018AC65001C8FBF00208FB3001C8E
68145+:101540008FB200188FB100148FB000100A000DB8D0
68146+:1015500027BD0028240200201082003A8FB3001C0F
68147+:101560000E000F5E00000000104000358FBF00200D
68148+:101570003C0480008C8201F80440FFFE348201C0EC
68149+:1015800024030002AC500000A04300043C02100001
68150+:10159000AC8201F80A00055E8FBF00200200202106
68151+:1015A0008FBF00208FB3001C8FB200188FB10014C2
68152+:1015B0008FB000100A000EA727BD00289625000C4A
68153+:1015C000020020218FBF00208FB3001C8FB20018B3
68154+:1015D0008FB100148FB000100A000ECC27BD002878
68155+:1015E000020020218FB3001C8FB200188FB10014AD
68156+:1015F0008FB000100A000EF727BD00289225000DBD
68157+:10160000020020218FB3001C8FB200188FB100148C
68158+:101610008FB000100A000F4827BD002802002021CB
68159+:101620008FBF00208FB3001C8FB200188FB1001441
68160+:101630008FB000100A000F1F27BD00288FBF0020A9
68161+:101640008FB3001C8FB200188FB100148FB0001040
68162+:1016500003E0000827BD00283C0580008CA202782A
68163+:101660000440FFFE34A2024024030002AC44000008
68164+:10167000A04300043C02100003E00008ACA2027882
68165+:10168000A380001803E00008A38000193C03800039
68166+:101690008C6202780440FFFE8F82001CAC62024024
68167+:1016A00024020002A06202443C02100003E0000891
68168+:1016B000AC6202783C02600003E000088C425404F3
68169+:1016C0009083003024020005008040213063003FF9
68170+:1016D0000000482114620005000050219082004C57
68171+:1016E0009483004E304900FF306AFFFFAD00000CCC
68172+:1016F000AD000010AD000024950200148D05001C03
68173+:101700008D0400183042FFFF004910230002110031
68174+:10171000000237C3004038210086202300A2102B8E
68175+:101720000082202300A72823AD05001CAD0400186B
68176+:10173000A5090014A5090020A50A001603E0000869
68177+:10174000A50A002203E000080000000027BDFFD822
68178+:10175000AFB200183C128008AFB40020AFB3001C39
68179+:10176000AFB10014AFBF0024AFB00010365101007C
68180+:101770003C0260008C4254049222000C3C1408008D
68181+:10178000929400F7304300FF2402000110620032FF
68182+:101790000080982124020002146200353650008037
68183+:1017A0000E00143D000000009202004C2403FF8054
68184+:1017B0003C0480003042007F000211C024420240FD
68185+:1017C0000262102100431824AC8300949245000863
68186+:1017D0009204004C3042007F3C03800614850007D1
68187+:1017E000004380212402FFFFA22200112402FFFFF8
68188+:1017F000A62200120A0005D22402FFFF9602002052
68189+:10180000A222001196020022A62200128E020024BB
68190+:101810003C048008AE2200143485008090A2004C65
68191+:1018200034830100A06200108CA2003CAC6200185E
68192+:101830008C820068AC6200F48C820064AC6200F0C0
68193+:101840008C82006CAC6200F824020001A0A2006847
68194+:101850000A0005EE3C0480080E001456000000004B
68195+:1018600036420080A04000680A0005EE3C04800873
68196+:10187000A2000068A20000690A0006293C02800854
68197+:10188000348300808C62003834850100AC62006CC7
68198+:1018900024020001A062006990A200D59083000894
68199+:1018A000305100FF3072007F12320019001111C058
68200+:1018B00024420240026210212403FF8000431824C6
68201+:1018C0003C048000AC8300943042007F3C038006DF
68202+:1018D000004380218E02000C1040000D02002021E8
68203+:1018E0000E00057E0000000026220001305100FF9E
68204+:1018F0009203003C023410260002102B0002102339
68205+:101900003063007F022288240A0005F8A203003C0D
68206+:101910003C088008350401008C8200E03507008017
68207+:10192000ACE2003C8C8200E0AD02000090E5004C8F
68208+:10193000908600D590E3004C908400D52402FF806F
68209+:1019400000A228243063007F308400FF00A62825F1
68210+:101950000064182A1060000230A500FF38A500803E
68211+:10196000A0E5004CA10500093C0280089043000E50
68212+:10197000344400803C058000A043000A8C8300189A
68213+:101980003C027FFF3442FFFF00621824AC83001842
68214+:101990008CA201F80440FFFE00000000ACB301C0BF
68215+:1019A0008FBF00248FB400208FB3001C8FB20018AB
68216+:1019B0008FB100148FB0001024020002A0A201C455
68217+:1019C00027BD00283C02100003E00008ACA201F88B
68218+:1019D00090A2000024420001A0A200003C030800E5
68219+:1019E0008C6300F4304200FF144300020080302179
68220+:1019F000A0A0000090A200008F84001C000211C073
68221+:101A00002442024024830040008220212402FF80DF
68222+:101A1000008220243063007F3C02800A006218218B
68223+:101A20003C028000AC44002403E00008ACC300008A
68224+:101A300094820006908300058C85000C8C86001033
68225+:101A40008C8700188C88001C8C8400203C010800C6
68226+:101A5000A42256C63C010800A02356C53C0108003C
68227+:101A6000AC2556CC3C010800AC2656D03C01080001
68228+:101A7000AC2756D83C010800AC2856DC3C010800D5
68229+:101A8000AC2456E003E00008000000003C0280089F
68230+:101A9000344201008C4400343C038000346504006F
68231+:101AA000AC6400388C420038AF850028AC62003C42
68232+:101AB0003C020005AC6200300000000000000000A5
68233+:101AC00003E00008000000003C020006308400FF34
68234+:101AD000008220253C028000AC4400300000000061
68235+:101AE00000000000000000003C0380008C62000049
68236+:101AF000304200101040FFFD3462040003E0000893
68237+:101B0000AF82002894C200003C080800950800CA73
68238+:101B100030E7FFFF0080482101021021A4C200002D
68239+:101B200094C200003042FFFF00E2102B544000013D
68240+:101B3000A4C7000094A200003C0308008C6300CC02
68241+:101B400024420001A4A2000094A200003042FFFF42
68242+:101B5000144300073C0280080107102BA4A00000DA
68243+:101B60005440000101003821A4C700003C02800855
68244+:101B7000344601008CC3002894A200003C0480007D
68245+:101B80003042FFFE000210C000621021AC82003C17
68246+:101B90008C82003C006218231860000400000000E2
68247+:101BA0008CC200240A0006BA244200018CC2002420
68248+:101BB000AC8200383C020050344200103C038000EC
68249+:101BC000AC620030000000000000000000000000D7
68250+:101BD0008C620000304200201040FFFD0000000039
68251+:101BE00094A200003C04800030420001000210C0BA
68252+:101BF000004410218C430400AD2300008C420404F7
68253+:101C0000AD2200043C02002003E00008AC8200305A
68254+:101C100027BDFFE0AFB20018AFB10014AFB00010A5
68255+:101C2000AFBF001C94C2000000C080213C1208001D
68256+:101C3000965200C624420001A6020000960300004E
68257+:101C400094E2000000E03021144300058FB1003021
68258+:101C50000E00068F024038210A0006F10000000045
68259+:101C60008C8300048C82000424420040046100073D
68260+:101C7000AC8200048C8200040440000400000000D8
68261+:101C80008C82000024420001AC8200009602000019
68262+:101C90003042FFFF50520001A600000096220000D3
68263+:101CA00024420001A62200003C02800834420100C8
68264+:101CB000962300009442003C144300048FBF001C94
68265+:101CC00024020001A62200008FBF001C8FB2001862
68266+:101CD0008FB100148FB0001003E0000827BD002072
68267+:101CE00027BDFFE03C028008AFBF0018344201006E
68268+:101CF0008C4800343C03800034690400AC68003830
68269+:101D00008C42003830E700FFAF890028AC62003C0D
68270+:101D10003C020005AC620030000000000000000042
68271+:101D200000000000000000000000000000000000B3
68272+:101D30008C82000C8C82000C97830016AD22000070
68273+:101D40008C82001000604021AD2200048C820018BB
68274+:101D5000AD2200088C82001CAD22000C8CA2001465
68275+:101D6000AD2200108C820020AD220014908200056C
68276+:101D7000304200FF00021200AD2200188CA20018B1
68277+:101D8000AD22001C8CA2000CAD2200208CA2001001
68278+:101D9000AD2200248CA2001CAD2200288CA20020C1
68279+:101DA000AD22002C3402FFFFAD260030AD20003400
68280+:101DB000506200013408FFFFAD28003850E00011E8
68281+:101DC0003C0280083C048008348401009482005066
68282+:101DD0003042FFFFAD22003C9483004494850044D0
68283+:101DE000240200013063FFFF000318C200641821C1
68284+:101DF0009064006430A5000700A210040A00075C8C
68285+:101E00000044102534420100AD20003C94430044BE
68286+:101E1000944400443063FFFF000318C2006218219D
68287+:101E200030840007906500642402000100821004E1
68288+:101E30000002102700451024A0620064000000008A
68289+:101E400000000000000000003C0200063442004098
68290+:101E50003C038000AC620030000000000000000085
68291+:101E6000000000008C620000304200101040FFFDB6
68292+:101E70003C06800834C201503463040034C7014A70
68293+:101E800034C4013434C5014034C60144AFA200104B
68294+:101E90000E0006D2AF8300288FBF001803E00008B1
68295+:101EA00027BD00208F8300143C0608008CC600E884
68296+:101EB0008F82001C30633FFF000319800046102111
68297+:101EC000004310212403FF80004318243C068000B7
68298+:101ED000ACC300283042007F3C03800C004330211B
68299+:101EE00090C2000D30A500FF0000382134420010E0
68300+:101EF000A0C2000D8F8900143C028008344201000A
68301+:101F00009443004400091382304800032402000176
68302+:101F1000A4C3000E1102000B2902000210400005AC
68303+:101F2000240200021100000C240300010A0007A48F
68304+:101F30000000182111020006000000000A0007A49A
68305+:101F4000000018218CC2002C0A0007A424430001C1
68306+:101F50008CC20014244300018CC200180043102BD3
68307+:101F60005040000A240700012402002714A20003A5
68308+:101F70003C0380080A0007B1240700013463010014
68309+:101F80009462004C24420001A462004C00091382B8
68310+:101F9000304300032C620002104000090080282119
68311+:101FA000146000040000000094C200340A0007C15D
68312+:101FB0003046FFFF8CC600380A0007C10080282188
68313+:101FC000000030213C040800248456C00A000706A3
68314+:101FD0000000000027BDFF90AFB60068AFB50064F9
68315+:101FE000AFB40060AFB3005CAFB20058AFB1005403
68316+:101FF000AFBF006CAFB000508C9000000080B021EB
68317+:102000003C0208008C4200E8960400328F83001CDA
68318+:102010002414FF8030843FFF0062182100042180D7
68319+:1020200000641821007410243C13800000A090214B
68320+:1020300090A50000AE620028920400323C02800CA1
68321+:102040003063007F00628821308400C02402004099
68322+:10205000148200320000A8218E3500388E2200182C
68323+:102060001440000224020001AE2200189202003C3B
68324+:10207000304200201440000E8F83001C000511C068
68325+:102080002442024000621821306400783C02008043
68326+:102090000082202500741824AE630800AE64081086
68327+:1020A0008E2200188E03000800431021AE22001873
68328+:1020B0008E22002C8E230018244200010062182B6F
68329+:1020C0001060004300000000924200002442000122
68330+:1020D000A24200003C0308008C6300F4304200FF81
68331+:1020E00050430001A2400000924200008F84001C77
68332+:1020F000000211C024420240248300403063007F6C
68333+:10210000008220213C02800A0094202400621821D1
68334+:10211000AE6400240A0008D2AEC30000920300326D
68335+:102120002402FFC000431024304200FF1440000589
68336+:1021300024020001AE220018962200340A00084250
68337+:102140003055FFFF8E22001424420001AE220018F9
68338+:102150009202003000021600000216030441001C27
68339+:10216000000000009602003227A400100080282101
68340+:10217000A7A20016960200320000302124070001B9
68341+:102180003042FFFFAF8200140E000706AFA0001C14
68342+:10219000960200328F83001C3C0408008C8400E807
68343+:1021A00030423FFF000211800064182100621821B4
68344+:1021B00000741024AE62002C3063007F3C02800E5D
68345+:1021C000006218219062000D3042007FA062000D75
68346+:1021D0009222000D304200105040007892420000E0
68347+:1021E0003C028008344401009482004C8EC30000FD
68348+:1021F0003C130800967300C62442FFFFA482004CE3
68349+:10220000946200329623000E3054FFFF3070FFFFBF
68350+:102210003C0308008C6300D000701807A7A30038A7
68351+:102220009482003E3063FFFF3042FFFF14620007DC
68352+:10223000000000008C8200303C038000244200300B
68353+:10224000AC62003C0A00086A8C82002C9482004038
68354+:102250003042FFFF5462000927A400408C820038FE
68355+:102260003C03800024420030AC62003C8C8200348D
68356+:10227000AC6200380A0008793C03800027A50038CA
68357+:1022800027A60048026038210E00068FA7A000484C
68358+:102290008FA300403C02800024630030AC43003830
68359+:1022A0008FA30044AC43003C3C0380003C0200058B
68360+:1022B000AC6200303C028008344401009482004249
68361+:1022C000346304003042FFFF0202102B1440000769
68362+:1022D000AF8300289482004E9483004202021021B2
68363+:1022E000004310230A00088F3043FFFF9483004E01
68364+:1022F00094820042026318210050102300621823C8
68365+:102300003063FFFF3C028008344401009482003CAB
68366+:102310003042FFFF14430003000000000A00089F42
68367+:10232000240300019482003C3042FFFF0062102B26
68368+:10233000144000058F8200289482003C0062102324
68369+:102340003043FFFF8F820028AC550000AC400004F2
68370+:10235000AC540008AC43000C3C02000634420010B0
68371+:102360003C038000AC620030000000000000000070
68372+:10237000000000008C620000304200101040FFFDA1
68373+:102380003C04800834840100001018C20064182145
68374+:102390009065006432020007240600010046100424
68375+:1023A00000451025A0620064948300429622000E2E
68376+:1023B00050430001A386001892420000244200010D
68377+:1023C000A24200003C0308008C6300F4304200FF8E
68378+:1023D00050430001A2400000924200008F84001C84
68379+:1023E000000211C0244202402483004000822021C8
68380+:1023F0002402FF80008220243063007F3C02800A98
68381+:10240000006218213C028000AC440024AEC30000EE
68382+:102410008FBF006C8FB600688FB500648FB400600A
68383+:102420008FB3005C8FB200588FB100548FB0005052
68384+:1024300003E0000827BD007027BDFFD8AFB3001C24
68385+:10244000AFB20018AFB10014AFB00010AFBF0020A2
68386+:102450000080982100E0802130B1FFFF0E000D8444
68387+:1024600030D200FF0000000000000000000000006B
68388+:102470008F8200208F830024AC510000AC520004F6
68389+:10248000AC530008AC40000CAC400010AC40001451
68390+:10249000AC4000189463001E02038025AC50001C61
68391+:1024A0000000000000000000000000002404000103
68392+:1024B0008FBF00208FB3001C8FB200188FB10014A3
68393+:1024C0008FB000100A000DB827BD002830A5FFFF0F
68394+:1024D0000A0008DC30C600FF3C02800834430100DB
68395+:1024E0009462000E3C080800950800C63046FFFFC5
68396+:1024F00014C000043402FFFF946500EA0A000929B1
68397+:102500008F84001C10C20027000000009462004E5F
68398+:102510009464003C3045FFFF00A6102300A6182B52
68399+:102520003087FFFF106000043044FFFF00C5102318
68400+:1025300000E210233044FFFF0088102B1040000EF3
68401+:1025400000E810233C028008344401002403000109
68402+:1025500034420080A44300162402FFFFA482000E30
68403+:10256000948500EA8F84001C0000302130A5FFFF15
68404+:102570000A0009013C0760200044102A10400009AD
68405+:102580003C0280083443008094620016304200010F
68406+:10259000104000043C0280009442007E244200145B
68407+:1025A000A462001603E000080000000027BDFFE061
68408+:1025B0003C028008AFBF001CAFB0001834420100DD
68409+:1025C000944300429442004C104000193068FFFFD1
68410+:1025D0009383001824020001146200298FBF001C9D
68411+:1025E0003C06800834D00100000810C200501021C1
68412+:1025F000904200643103000734C70148304200FFB5
68413+:10260000006210073042000134C9014E34C4012C6D
68414+:1026100034C5013E1040001634C601420E0006D2F9
68415+:10262000AFA90010960200420A0009463048FFFF99
68416+:102630003C028008344401009483004494820042A8
68417+:102640001043000F8FBF001C94820044A4820042FC
68418+:1026500094820050A482004E8C820038AC820030FC
68419+:1026600094820040A482003E9482004AA4820048E2
68420+:102670008FBF001C8FB000180A00090427BD00207E
68421+:102680008FB0001803E0000827BD002027BDFFA081
68422+:10269000AFB1004C3C118000AFBF0058AFB3005445
68423+:1026A000AFB20050AFB000483626018890C2000398
68424+:1026B0003044007FA3A400108E32018090C200003D
68425+:1026C0003043007F240200031062003BAF92001CE5
68426+:1026D00028620004104000062402000424020002C4
68427+:1026E000106200098FBF00580A000B0F8FB300540F
68428+:1026F0001062004D240200051062014E8FBF005889
68429+:102700000A000B0F8FB30054000411C002421021C5
68430+:102710002404FF8024420240004410242643004049
68431+:10272000AE2200243063007F3C02800A0062182140
68432+:102730009062003CAFA3003C00441025A062003C26
68433+:102740008FA3003C9062003C304200401040016C7E
68434+:102750008FBF00583C108008A3800018361001007D
68435+:102760008E0200E08C63003427A4003C27A50010F3
68436+:10277000004310210E0007C3AE0200E093A2001038
68437+:102780003C038000A20200D58C6202780440FFFE68
68438+:102790008F82001CAC62024024020002A06202444C
68439+:1027A0003C021000AC6202780E0009390000000003
68440+:1027B0000A000B0E8FBF00583C05800890C3000133
68441+:1027C00090A2000B1443014E8FBF005834A4008028
68442+:1027D0008C8200189082004C90A200083C0260009D
68443+:1027E0008C4254048C8300183C027FFF3442FFFF6C
68444+:1027F000006218243C0208008C4200B4AC8300182C
68445+:102800003C038000244200013C010800AC2200B4DB
68446+:102810008C6201F80440FFFE8F82001CAC6201C094
68447+:102820000A000AD6240200023C10800890C300016E
68448+:102830009202000B144301328FBF005827A40018E6
68449+:1028400036050110240600033C0260008C4254044B
68450+:102850000E000E470000000027A40028360501F0F6
68451+:102860000E000E47240600038FA200283603010045
68452+:10287000AE0200648FA2002CAE0200688FA200306E
68453+:10288000AE02006C93A40018906300D52402FF8070
68454+:102890000082102400431025304900FF3084007F5F
68455+:1028A0003122007F0082102A544000013929008023
68456+:1028B000000411C0244202402403FF800242102180
68457+:1028C00000431024AE220094264200403042007F94
68458+:1028D0003C038006004340218FA3001C2402FFFF1D
68459+:1028E000AFA800403C130800927300F71062003359
68460+:1028F00093A2001995030014304400FF3063FFFFDA
68461+:102900000064182B106000100000000095040014F3
68462+:102910008D07001C8D0600183084FFFF0044202323
68463+:102920000004210000E438210000102100E4202BE5
68464+:1029300000C2302100C43021AD07001CAD060018D4
68465+:102940000A000A2F93A20019950400148D07001C99
68466+:102950008D0600183084FFFF008220230004210030
68467+:10296000000010210080182100C2302300E4202B39
68468+:1029700000C4302300E33823AD07001CAD06001867
68469+:1029800093A200198FA30040A462001497A2001A1A
68470+:10299000A46200168FA2001CAC6200108FA2001C63
68471+:1029A000AC62000C93A20019A462002097A2001A46
68472+:1029B000A46200228FA2001CAC6200243C048008A8
68473+:1029C000348300808C6200388FA20020012088218F
68474+:1029D000AC62003C8FA20020AC82000093A20018E1
68475+:1029E000A062004C93A20018A0820009A0600068B9
68476+:1029F00093A20018105100512407FF803229007F54
68477+:102A0000000911C024420240024210213046007FDA
68478+:102A10003C03800000471024AC6200943C02800616
68479+:102A200000C2302190C2003CAFA60040000020212F
68480+:102A300000471025A0C2003C8FA80040950200026C
68481+:102A4000950300148D07001C3042FFFF3063FFFF29
68482+:102A50008D060018004310230002110000E2382107
68483+:102A600000E2102B00C4302100C23021AD07001C51
68484+:102A7000AD06001895020002A5020014A50000167C
68485+:102A80008D020008AD0200108D020008AD02000C9E
68486+:102A900095020002A5020020A50000228D02000878
68487+:102AA000AD0200249102003C304200401040001A68
68488+:102AB000262200013C108008A3A90038A38000183A
68489+:102AC000361001008E0200E08D03003427A4004080
68490+:102AD00027A50038004310210E0007C3AE0200E016
68491+:102AE00093A200383C038000A20200D58C620278D9
68492+:102AF0000440FFFE8F82001CAC62024024020002F0
68493+:102B0000A06202443C021000AC6202780E00093957
68494+:102B100000000000262200013043007F14730004EF
68495+:102B2000004020212403FF8002231024004320269C
68496+:102B300093A200180A000A4B309100FF93A40018DA
68497+:102B40008FA3001C2402FFFF1062000A308900FFDF
68498+:102B500024820001248300013042007F14530005C9
68499+:102B6000306900FF2403FF800083102400431026F7
68500+:102B7000304900FF3C028008904200080120882173
68501+:102B8000305000FF123000193222007F000211C0C5
68502+:102B900002421021244202402403FF8000431824F3
68503+:102BA0003C048000AC8300943042007F3C038006EC
68504+:102BB000004310218C43000C004020211060000BCA
68505+:102BC000AFA200400E00057E000000002623000199
68506+:102BD0002405FF803062007F145300020225202468
68507+:102BE000008518260A000AAF307100FF3C048008F7
68508+:102BF000348400808C8300183C027FFF3442FFFF46
68509+:102C000000621824AC8300183C0380008C6201F839
68510+:102C10000440FFFE00000000AC7201C0240200026C
68511+:102C2000A06201C43C021000AC6201F80A000B0E65
68512+:102C30008FBF00583C04800890C300019082000BB5
68513+:102C40001443002F8FBF0058349000809202000878
68514+:102C500030420040104000200000000092020008B6
68515+:102C60000002160000021603044100050240202164
68516+:102C70000E000ECC240500930A000B0E8FBF0058E7
68517+:102C80009202000924030018304200FF1443000D93
68518+:102C900002402021240500390E000E64000030217E
68519+:102CA0000E0003328F84001C8F82FF9424030012D5
68520+:102CB000A04300090E00033D8F84001C0A000B0E88
68521+:102CC0008FBF0058240500360E000E64000030212E
68522+:102CD0000A000B0E8FBF00580E0003320240202165
68523+:102CE000920200058F84001C344200200E00033D38
68524+:102CF000A20200050E0010758F84001C8FBF0058C3
68525+:102D00008FB300548FB200508FB1004C8FB0004889
68526+:102D100003E0000827BD00603C0280083445010044
68527+:102D20003C0280008C42014094A3000E0000302140
68528+:102D300000402021AF82001C3063FFFF3402FFFF00
68529+:102D4000106200063C0760202402FFFFA4A2000ED0
68530+:102D500094A500EA0A00090130A5FFFF03E000087E
68531+:102D60000000000027BDFFC83C0280003C06800830
68532+:102D7000AFB5002CAFB1001CAFBF0030AFB400281E
68533+:102D8000AFB30024AFB20020AFB00018345101003F
68534+:102D900034C501008C4301008E2200148CA400E491
68535+:102DA0000000A821AF83001C0044102318400052EB
68536+:102DB000A38000188E22001400005021ACA200E471
68537+:102DC00090C3000890A200D53073007FA3A200102A
68538+:102DD0008CB200E08CB400E4304200FF1053003BA2
68539+:102DE00093A200108F83001C2407FF80000211C0F3
68540+:102DF0000062102124420240246300400047102456
68541+:102E00003063007F3C0980003C08800A006818217C
68542+:102E1000AD2200248C62003427A4001427A50010E2
68543+:102E2000024280210290102304400028AFA3001426
68544+:102E30009062003C00E21024304200FF1440001970
68545+:102E4000020090219062003C34420040A062003CAD
68546+:102E50008F86001C93A3001024C200403042007FE4
68547+:102E6000004828213C0208008C4200F42463000141
68548+:102E7000306400FF14820002A3A30010A3A000107E
68549+:102E800093A20010AFA50014000211C0244202401A
68550+:102E900000C2102100471024AD2200240A000B4577
68551+:102EA00093A200100E0007C3000000003C0280083F
68552+:102EB00034420100AC5000E093A30010240A00014A
68553+:102EC000A04300D50A000B4593A200102402000184
68554+:102ED000154200093C0380008C6202780440FFFE2A
68555+:102EE0008F82001CAC62024024020002A0620244F5
68556+:102EF0003C021000AC6202789222000B2403000214
68557+:102F0000304200FF144300720000000096220008C7
68558+:102F1000304300FF24020082146200402402008437
68559+:102F20003C028000344901008D22000C95230006EC
68560+:102F3000000216023063FFFF3045003F24020027E5
68561+:102F400010A2000FAF83001428A200281040000830
68562+:102F5000240200312402002110A2000924020025CD
68563+:102F600010A20007938200190A000BBD00000000A8
68564+:102F700010A20007938200190A000BBD0000000098
68565+:102F80000E000777012020210A000C3D0000000000
68566+:102F90003C0380008C6202780440FFFE8F82001C9C
68567+:102FA000AC62024024020002A06202443C02100013
68568+:102FB000AC6202780A000C3D000000009523000678
68569+:102FC000912400058D25000C8D2600108D270018FA
68570+:102FD0008D28001C8D290020244200013C0108009E
68571+:102FE000A42356C63C010800A02456C53C01080095
68572+:102FF000AC2556CC3C010800AC2656D03C0108005C
68573+:10300000AC2756D83C010800AC2856DC3C0108002F
68574+:10301000AC2956E00A000C3DA38200191462000A94
68575+:10302000240200813C02800834420100944500EAF9
68576+:10303000922600058F84001C30A5FFFF30C600FFDC
68577+:103040000A000BFE3C0760211462005C00000000D7
68578+:103050009222000A304300FF306200201040000737
68579+:10306000306200403C02800834420100944500EA8E
68580+:103070008F84001C0A000BFC24060040104000074F
68581+:10308000000316003C02800834420100944500EA27
68582+:103090008F84001C0A000BFC24060041000216036A
68583+:1030A000044100463C02800834420100944500EA95
68584+:1030B0008F84001C2406004230A5FFFF3C076019E6
68585+:1030C0000E000901000000000A000C3D0000000095
68586+:1030D0009222000B24040016304200FF1044000628
68587+:1030E0003C0680009222000B24030017304200FFB0
68588+:1030F000144300320000000034C5010090A2000B10
68589+:10310000304200FF1444000B000080218CA20020FC
68590+:103110008CA400202403FF800043102400021140EF
68591+:103120003084007F004410253C032000004310251C
68592+:10313000ACC2083094A2000800021400000214037C
68593+:10314000044200012410000194A2000830420080D3
68594+:103150005040001A0200A82194A20008304220002A
68595+:10316000504000160200A8218CA300183C021C2D20
68596+:10317000344219ED106200110200A8213C0208003F
68597+:103180008C4200D4104000053C0280082403000457
68598+:1031900034420100A04300FC3C028008344201009C
68599+:1031A000944500EA8F84001C2406000630A5FFFF2A
68600+:1031B0000E0009013C0760210200A8210E00093918
68601+:1031C000000000009222000A304200081040000473
68602+:1031D00002A010210E0013790000000002A01021AF
68603+:1031E0008FBF00308FB5002C8FB400288FB3002420
68604+:1031F0008FB200208FB1001C8FB0001803E00008D0
68605+:1032000027BD00382402FF80008220243C02900069
68606+:1032100034420007008220253C028000AC4400209C
68607+:103220003C0380008C6200200440FFFE0000000090
68608+:1032300003E00008000000003C0380002402FF803F
68609+:10324000008220243462000700822025AC64002024
68610+:103250008C6200200440FFFE0000000003E0000834
68611+:103260000000000027BDFFD8AFB3001CAFB10014B1
68612+:10327000AFB00010AFBF0020AFB200183C1180000B
68613+:103280003C0280088E32002034530100AE2400201E
68614+:10329000966300EA000514003C074000004738250B
68615+:1032A00000A08021000030210E0009013065FFFFE1
68616+:1032B000240200A1160200022402FFFFA2620009FC
68617+:1032C000AE3200208FBF00208FB3001C8FB20018D9
68618+:1032D0008FB100148FB0001003E0000827BD002854
68619+:1032E0003C0280082403000527BDFFE834420100AA
68620+:1032F000A04300FCAFBF00103C0280008C420100E4
68621+:10330000240500A1004020210E000C67AF82001CA4
68622+:103310003C0380008C6202780440FFFE8F82001C18
68623+:103320008FBF001027BD0018AC62024024020002CB
68624+:10333000A06202443C021000AC62027803E0000884
68625+:103340000000000027BDFFE83C068000AFBF001072
68626+:1033500034C7010094E20008304400FF3883008243
68627+:10336000388200842C6300012C4200010062182581
68628+:103370001060002D24020083938200195040003B0E
68629+:103380008FBF00103C020800904256CC8CC4010054
68630+:103390003C06080094C656C63045003F38A30032AC
68631+:1033A00038A2003F2C6300012C4200010062182566
68632+:1033B000AF84001CAF860014A380001914600007BE
68633+:1033C00000E020212402002014A2001200000000CE
68634+:1033D0003402FFFF14C2000F00000000240200208E
68635+:1033E00014A2000500E028218CE300142402FFFF52
68636+:1033F0005062000B8FBF00103C040800248456C0AC
68637+:10340000000030210E000706240700010A000CD638
68638+:103410008FBF00100E000777000000008FBF001064
68639+:103420000A00093927BD001814820004240200850F
68640+:103430008CC501040A000CE1000020211482000662
68641+:103440002482FF808CC50104240440008FBF00103B
68642+:103450000A00016727BD0018304200FF2C4200021D
68643+:1034600010400004240200228FBF00100A000B2726
68644+:1034700027BD0018148200048F8200248FBF001023
68645+:103480000A000C8627BD00188C42000C1040001E5C
68646+:1034900000E0282190E300092402001814620003D0
68647+:1034A000240200160A000CFC240300081462000722
68648+:1034B00024020017240300123C02800834420080DA
68649+:1034C000A04300090A000D0994A7000854620007F0
68650+:1034D00094A700088F82FF942404FFFE9043000508
68651+:1034E00000641824A043000594A7000890A6001BC0
68652+:1034F0008CA4000094A500068FBF001000073C00BC
68653+:103500000A0008DC27BD00188FBF001003E0000888
68654+:1035100027BD00188F8500243C04800094A2002A57
68655+:103520008CA30034000230C02402FFF000C210243B
68656+:1035300000621821AC83003C8CA200303C03800068
68657+:10354000AC8200383C02005034420010AC620030C3
68658+:103550000000000000000000000000008C6200007D
68659+:10356000304200201040FFFD30C20008104000062D
68660+:103570003C0280008C620408ACA200208C62040C27
68661+:103580000A000D34ACA200248C430400ACA300203C
68662+:103590008C420404ACA200243C0300203C028000C6
68663+:1035A000AC4300303C0480008C8200300043102487
68664+:1035B0001440FFFD8F8600243C020040AC820030A6
68665+:1035C00094C3002A94C2002894C4002C94C5002EF1
68666+:1035D00024630001004410213064FFFFA4C20028CE
68667+:1035E00014850002A4C3002AA4C0002A03E0000836
68668+:1035F000000000008F84002427BDFFE83C05800404
68669+:1036000024840010AFBF00100E000E472406000AED
68670+:103610008F840024948200129483002E3042000F85
68671+:10362000244200030043180424027FFF0043102BB0
68672+:1036300010400002AC8300000000000D0E000D13CE
68673+:10364000000000008F8300248FBF001027BD0018EA
68674+:10365000946200149463001A3042000F00021500B7
68675+:10366000006218253C02800003E00008AC4300A083
68676+:103670008F8300243C028004944400069462001A64
68677+:103680008C650000A4640016004410233042FFFF44
68678+:103690000045102B03E00008384200018F8400240D
68679+:1036A0003C0780049486001A8C85000094E2000692
68680+:1036B000A482001694E3000600C310233042FFFFEB
68681+:1036C0000045102B384200011440FFF8A483001677
68682+:1036D00003E00008000000008F8400243C02800406
68683+:1036E000944200069483001A8C850000A482001680
68684+:1036F000006210233042FFFF0045102B38420001CA
68685+:103700005040000D8F850024006030213C0780046C
68686+:1037100094E20006A482001694E3000600C310237E
68687+:103720003042FFFF0045102B384200011440FFF8E3
68688+:10373000A48300168F8500243C03800034620400BB
68689+:103740008CA40020AF820020AC6400388CA200243E
68690+:10375000AC62003C3C020005AC62003003E00008B3
68691+:10376000ACA000048F8400243C0300068C8200047B
68692+:1037700000021140004310253C038000AC62003081
68693+:103780000000000000000000000000008C6200004B
68694+:10379000304200101040FFFD34620400AC80000491
68695+:1037A00003E00008AF8200208F86002427BDFFE0E1
68696+:1037B000AFB10014AFB00010AFBF00188CC300044D
68697+:1037C0008CC500248F820020309000FF94C4001A22
68698+:1037D00024630001244200202484000124A7002047
68699+:1037E000ACC30004AF820020A4C4001AACC70024FC
68700+:1037F00004A100060000882104E2000594C2001A1A
68701+:103800008CC2002024420001ACC2002094C2001AE5
68702+:1038100094C300282E040001004310262C4200010E
68703+:10382000004410245040000594C2001A24020001F4
68704+:10383000ACC2000894C2001A94C300280010202BC8
68705+:10384000004310262C4200010044102514400007BC
68706+:10385000000000008CC20008144000042402001084
68707+:103860008CC300041462000F8F8500240E000DA786
68708+:10387000241100018F820024944300289442001AEE
68709+:1038800014430003000000000E000D1300000000B0
68710+:10389000160000048F8500240E000D840000000037
68711+:1038A0008F85002494A2001E94A4001C24420001D1
68712+:1038B0003043FFFF14640002A4A2001EA4A0001E57
68713+:1038C0001200000A3C02800494A2001494A3001A7F
68714+:1038D0003042000F00021500006218253C028000F3
68715+:1038E000AC4300A00A000E1EACA0000894420006E3
68716+:1038F00094A3001A8CA40000A4A200160062102356
68717+:103900003042FFFF0044102B384200011040000DF0
68718+:1039100002201021006030213C07800494E2000660
68719+:10392000A4A2001694E3000600C310233042FFFF58
68720+:103930000044102B384200011440FFF8A4A30016E5
68721+:10394000022010218FBF00188FB100148FB000101B
68722+:1039500003E0000827BD002003E00008000000008D
68723+:103960008F82002C3C03000600021140004310250A
68724+:103970003C038000AC62003000000000000000004A
68725+:10398000000000008C620000304200101040FFFD7B
68726+:1039900034620400AF82002803E00008AF80002CEE
68727+:1039A00003E000080000102103E000080000000010
68728+:1039B0003084FFFF30A5FFFF0000182110800007B2
68729+:1039C000000000003082000110400002000420428C
68730+:1039D000006518210A000E3D0005284003E000089C
68731+:1039E0000060102110C0000624C6FFFF8CA200005A
68732+:1039F00024A50004AC8200000A000E4724840004C1
68733+:103A000003E000080000000010A0000824A3FFFF4E
68734+:103A1000AC86000000000000000000002402FFFF50
68735+:103A20002463FFFF1462FFFA2484000403E000080B
68736+:103A3000000000003C0280083442008024030001A2
68737+:103A4000AC43000CA4430010A4430012A443001490
68738+:103A500003E00008A44300168F82002427BDFFD88E
68739+:103A6000AFB3001CAFB20018AFB10014AFB000107C
68740+:103A7000AFBF00208C47000C248200802409FF8007
68741+:103A80003C08800E3043007F008080213C0A80008B
68742+:103A9000004920240068182130B100FF30D200FF17
68743+:103AA00010E000290000982126020100AD44002CFE
68744+:103AB000004928243042007F004820219062000005
68745+:103AC00024030050304200FF1443000400000000B3
68746+:103AD000AD45002C948200EA3053FFFF0E000D84A8
68747+:103AE000000000008F8200248F83002000112C0032
68748+:103AF0009442001E001224003484000100A22825F4
68749+:103B00003C02400000A22825AC7000008FBF0020BE
68750+:103B1000AC6000048FB20018AC7300088FB10014C1
68751+:103B2000AC60000C8FB3001CAC6400108FB00010B0
68752+:103B3000AC60001424040001AC60001827BD00280C
68753+:103B40000A000DB8AC65001C8FBF00208FB3001CAD
68754+:103B50008FB200188FB100148FB0001003E000087E
68755+:103B600027BD00283C06800034C201009043000FAE
68756+:103B7000240200101062000E2865001110A000073A
68757+:103B800024020012240200082405003A10620006F4
68758+:103B90000000302103E0000800000000240500358B
68759+:103BA0001462FFFC000030210A000E6400000000D7
68760+:103BB0008CC200748F83FF9424420FA003E000089E
68761+:103BC000AC62000C27BDFFE8AFBF00100E0003423F
68762+:103BD000240500013C0480088FBF0010240200016E
68763+:103BE00034830080A462001227BD00182402000163
68764+:103BF00003E00008A080001A27BDFFE0AFB2001864
68765+:103C0000AFB10014AFB00010AFBF001C30B2FFFF67
68766+:103C10000E000332008088213C028008345000806E
68767+:103C20009202000924030004304200FF1443000CF8
68768+:103C30003C028008124000082402000A0E000E5BBD
68769+:103C400000000000920200052403FFFE0043102440
68770+:103C5000A202000524020012A20200093C02800810
68771+:103C600034420080022020210E00033DA0400027A6
68772+:103C700016400003022020210E000EBF00000000AD
68773+:103C800002202021324600FF8FBF001C8FB2001897
68774+:103C90008FB100148FB00010240500380A000E64A4
68775+:103CA00027BD002027BDFFE0AFBF001CAFB200184A
68776+:103CB000AFB10014AFB000100E00033200808021BD
68777+:103CC0000E000E5B000000003C02800834450080BE
68778+:103CD00090A2000924120018305100FF1232000394
68779+:103CE0000200202124020012A0A2000990A20005D7
68780+:103CF0002403FFFE004310240E00033DA0A2000594
68781+:103D00000200202124050020163200070000302187
68782+:103D10008FBF001C8FB200188FB100148FB000103D
68783+:103D20000A00034227BD00208FBF001C8FB200187D
68784+:103D30008FB100148FB00010240500390A000E6402
68785+:103D400027BD002027BDFFE83C028000AFB0001077
68786+:103D5000AFBF0014344201009442000C2405003629
68787+:103D60000080802114400012304600FF0E00033214
68788+:103D7000000000003C02800834420080240300124E
68789+:103D8000A043000990430005346300100E000E5B51
68790+:103D9000A04300050E00033D020020210200202167
68791+:103DA0000E000342240500200A000F3C0000000022
68792+:103DB0000E000E64000000000E00033202002021FD
68793+:103DC0003C0280089043001B2405FF9F0200202135
68794+:103DD000006518248FBF00148FB00010A043001B93
68795+:103DE0000A00033D27BD001827BDFFE0AFBF001844
68796+:103DF000AFB10014AFB0001030B100FF0E000332BD
68797+:103E0000008080213C02800824030012344200809C
68798+:103E10000E000E5BA04300090E00033D02002021AE
68799+:103E200002002021022030218FBF00188FB1001422
68800+:103E30008FB00010240500350A000E6427BD002055
68801+:103E40003C0480089083000E9082000A1443000B0B
68802+:103E5000000028218F82FF942403005024050001D4
68803+:103E600090420000304200FF1443000400000000B4
68804+:103E70009082000E24420001A082000E03E00008A0
68805+:103E800000A010213C0380008C6201F80440FFFE7A
68806+:103E900024020002AC6401C0A06201C43C02100014
68807+:103EA00003E00008AC6201F827BDFFE0AFB20018E4
68808+:103EB0003C128008AFB10014AFBF001CAFB00010BF
68809+:103EC00036510080922200092403000A304200FF8C
68810+:103ED0001443003E000000008E4300048E22003890
68811+:103EE000506200808FBF001C92220000240300500B
68812+:103EF000304200FF144300253C0280008C42014008
68813+:103F00008E4300043642010002202821AC43001CED
68814+:103F10009622005C8E2300383042FFFF00021040E2
68815+:103F200000621821AE23001C8E4300048E2400384A
68816+:103F30009622005C006418233042FFFF0003184300
68817+:103F4000000210400043102A10400006000000004C
68818+:103F50008E4200048E230038004310230A000FAA6B
68819+:103F6000000220439622005C3042FFFF0002204006
68820+:103F70003C0280083443010034420080ACA4002C91
68821+:103F8000A040002424020001A062000C0E000F5E7D
68822+:103F900000000000104000538FBF001C3C02800056
68823+:103FA0008C4401403C0380008C6201F80440FFFE19
68824+:103FB00024020002AC6401C0A06201C43C021000F3
68825+:103FC000AC6201F80A0010078FBF001C92220009A2
68826+:103FD00024030010304200FF144300043C02800020
68827+:103FE0008C4401400A000FEE0000282192220009B3
68828+:103FF00024030016304200FF14430006240200147C
68829+:10400000A22200093C0280008C4401400A001001F9
68830+:104010008FBF001C8E2200388E23003C00431023EB
68831+:10402000044100308FBF001C92220027244200016F
68832+:10403000A2220027922200272C42000414400016DE
68833+:104040003C1080009222000924030004304200FF4B
68834+:10405000144300093C0280008C4401408FBF001CC7
68835+:104060008FB200188FB100148FB000102405009398
68836+:104070000A000ECC27BD00208C440140240500938B
68837+:104080008FBF001C8FB200188FB100148FB00010CA
68838+:104090000A000F4827BD00208E0401400E000332A5
68839+:1040A000000000008E4200042442FFFFAE420004E4
68840+:1040B0008E22003C2442FFFFAE22003C0E00033D56
68841+:1040C0008E0401408E0401408FBF001C8FB2001887
68842+:1040D0008FB100148FB00010240500040A000342C1
68843+:1040E00027BD00208FB200188FB100148FB00010D0
68844+:1040F00003E0000827BD00203C0680008CC2018838
68845+:104100003C038008346500809063000E00021402B6
68846+:10411000304400FF306300FF1464000E3C0280084E
68847+:1041200090A20026304200FF104400098F82FF94C5
68848+:10413000A0A400262403005090420000304200FF5B
68849+:1041400014430006000000000A0005A18CC4018091
68850+:104150003C02800834420080A044002603E00008AE
68851+:104160000000000027BDFFE030E700FFAFB20018FD
68852+:10417000AFBF001CAFB10014AFB0001000809021A1
68853+:1041800014E0000630C600FF000000000000000D33
68854+:10419000000000000A001060240001163C038008A3
68855+:1041A0009062000E304200FF14460023346200800B
68856+:1041B00090420026304200FF1446001F000000001D
68857+:1041C0009062000F304200FF1446001B0000000008
68858+:1041D0009062000A304200FF144600038F90FF9463
68859+:1041E0000000000D8F90FF948F82FF983C1180009B
68860+:1041F000AE05003CAC450000A066000A0E0003328C
68861+:104200008E240100A20000240E00033D8E24010034
68862+:104210003C0380008C6201F80440FFFE240200028F
68863+:10422000AC7201C0A06201C43C021000AC6201F893
68864+:104230000A0010618FBF001C000000000000000D8C
68865+:10424000000000002400013F8FBF001C8FB2001847
68866+:104250008FB100148FB0001003E0000827BD0020CC
68867+:104260008F83FF943C0280008C44010034420100A3
68868+:104270008C65003C9046001B0A00102724070001B3
68869+:104280003C0280089043000E9042000A0043102632
68870+:10429000304200FF03E000080002102B27BDFFE0C2
68871+:1042A0003C028008AFB10014AFB00010AFBF0018DF
68872+:1042B0003450008092020005240300303042003068
68873+:1042C00014430085008088218F8200248C42000CDA
68874+:1042D000104000828FBF00180E000D840000000007
68875+:1042E0008F860020ACD100009202000892030009E2
68876+:1042F000304200FF00021200306300FF004310252F
68877+:10430000ACC200049202004D000216000002160327
68878+:1043100004410005000000003C0308008C630048D5
68879+:104320000A00109F3C1080089202000830420040B2
68880+:10433000144000030000182192020027304300FFC0
68881+:104340003C108008361100809222004D00031E00B0
68882+:10435000304200FF0002140000621825ACC30008C0
68883+:104360008E2400308F820024ACC4000C8E250034D3
68884+:104370009443001E3C02C00BACC50010006218251F
68885+:104380008E22003800002021ACC200148E22003C96
68886+:10439000ACC200180E000DB8ACC3001C8E020004A5
68887+:1043A0008F8400203C058000AC8200008E2200201B
68888+:1043B000AC8200048E22001CAC8200088E220058C1
68889+:1043C0008CA3007400431021AC82000C8E22002CC0
68890+:1043D000AC8200108E2200408E23004400021400A4
68891+:1043E00000431025AC8200149222004D240300806B
68892+:1043F000304200FF1443000400000000AC800018AD
68893+:104400000A0010E38F8200248E23000C2402000196
68894+:104410001062000E2402FFFF92220008304200408A
68895+:104420001440000A2402FFFF8E23000C8CA20074AB
68896+:10443000006218233C0208000062102414400002AD
68897+:10444000000028210060282100051043AC820018DC
68898+:104450008F820024000020219443001E3C02C00CE7
68899+:10446000006218258F8200200E000DB8AC43001C9E
68900+:104470003C038008346201008C4200008F850020DC
68901+:10448000346300808FBF0018ACA20000ACA0000411
68902+:104490008C6400488F8200248FB10014ACA4000803
68903+:1044A000ACA0000CACA00010906300059446001E68
68904+:1044B0003C02400D00031E0000C23025ACA30014D6
68905+:1044C0008FB00010ACA0001824040001ACA6001CA2
68906+:1044D0000A000DB827BD00208FBF00188FB100144F
68907+:1044E0008FB0001003E0000827BD00203C028000D0
68908+:1044F0009443007C3C02800834460100308400FF75
68909+:104500003065FFFF2402000524A34650A0C4000C20
68910+:104510005482000C3065FFFF90C2000D2C42000752
68911+:104520001040000724A30A0090C3000D24020014C9
68912+:104530000062100400A210210A00111F3045FFFF85
68913+:104540003065FFFF3C0280083442008003E0000831
68914+:10455000A44500143C03800834680080AD05003891
68915+:10456000346701008CE2001C308400FF00A210239D
68916+:104570001840000330C600FF24A2FFFCACE2001C80
68917+:1045800030820001504000083C0380088D02003C4E
68918+:1045900000A2102304410012240400058C620004D0
68919+:1045A00010A2000F3C0380088C62000414A2001EBD
68920+:1045B000000000003C0208008C4200D8304200207D
68921+:1045C000104000093C0280083462008090630008BB
68922+:1045D0009042004C144300043C0280082404000470
68923+:1045E0000A00110900000000344300803442010039
68924+:1045F000A040000C24020001A462001410C0000AB4
68925+:104600003C0280008C4401003C0380008C6201F875
68926+:104610000440FFFE24020002AC6401C0A06201C499
68927+:104620003C021000AC6201F803E00008000000004A
68928+:1046300027BDFFE800A61823AFBF00101860008058
68929+:10464000308800FF3C02800834470080A0E000244E
68930+:1046500034440100A0E000278C82001C00A210233B
68931+:1046600004400056000000008CE2003C94E3005C33
68932+:104670008CE4002C004530233063FFFF00C3182179
68933+:104680000083202B1080000400E018218CE2002C15
68934+:104690000A00117800A2102194E2005C3042FFFF72
68935+:1046A00000C2102100A21021AC62001C3C02800854
68936+:1046B000344400809482005C8C83001C3042FFFFF5
68937+:1046C0000002104000A210210043102B10400004F3
68938+:1046D000000000008C82001C0A00118B3C06800840
68939+:1046E0009482005C3042FFFF0002104000A21021C3
68940+:1046F0003C06800834C3010034C70080AC82001C33
68941+:10470000A060000CACE500388C62001C00A21023F5
68942+:104710001840000224A2FFFCAC62001C3102000120
68943+:10472000104000083C0380088CE2003C00A21023EB
68944+:1047300004410012240400058CC2000410A20010E1
68945+:104740008FBF00108C62000414A2004F8FBF0010B6
68946+:104750003C0208008C4200D8304200201040000A81
68947+:104760003C02800834620080906300089042004C54
68948+:10477000144300053C028008240400048FBF00108D
68949+:104780000A00110927BD001834430080344201009B
68950+:10479000A040000C24020001A46200143C0280002E
68951+:1047A0008C4401003C0380008C6201F80440FFFE51
68952+:1047B000240200020A0011D8000000008CE2001C54
68953+:1047C000004610230043102B54400001ACE5001CB0
68954+:1047D00094E2005C3042FFFF0062102B144000079F
68955+:1047E0002402000294E2005C8CE3001C3042FFFFD4
68956+:1047F00000621821ACE3001C24020002ACE5003882
68957+:104800000E000F5EA082000C1040001F8FBF001032
68958+:104810003C0280008C4401003C0380008C6201F863
68959+:104820000440FFFE24020002AC6401C0A06201C487
68960+:104830003C021000AC6201F80A0011F08FBF0010BA
68961+:1048400031020010104000108FBF00103C028008A1
68962+:10485000344500808CA3001C94A2005C00661823E1
68963+:104860003042FFFF006218213C023FFF3444FFFF4B
68964+:104870000083102B544000010080182100C3102138
68965+:10488000ACA2001C8FBF001003E0000827BD001879
68966+:1048900027BDFFE800C0402100A63023AFBF0010B5
68967+:1048A00018C00026308A00FF3C028008344900808E
68968+:1048B0008D24001C8D23002C008820230064182BDD
68969+:1048C0001060000F344701008CE2002000461021E8
68970+:1048D000ACE200208CE200200044102B1440000BBE
68971+:1048E0003C023FFF8CE2002000441023ACE2002099
68972+:1048F0009522005C3042FFFF0A0012100082202146
68973+:10490000ACE00020008620213C023FFF3443FFFF43
68974+:104910000064102B54400001006020213C028008FC
68975+:104920003442008000851821AC43001CA0400024C4
68976+:10493000A04000270A0012623C03800831420010A8
68977+:10494000104000433C0380083C06800834C40080CB
68978+:104950008C82003C004810235840003E34660080A2
68979+:104960009082002424420001A0820024908200242E
68980+:104970003C0308008C630024304200FF0043102BEE
68981+:10498000144000688FBF001034C201008C42001C2C
68982+:1049900000A2102318400063000000008CC3000434
68983+:1049A0009482005C006818233042FFFF0003184324
68984+:1049B000000210400043102A1040000500000000D3
68985+:1049C0008CC20004004810230A0012450002104364
68986+:1049D0009482005C3042FFFF000210403C068008D9
68987+:1049E000AC82002C34C5008094A2005C8CA4002C06
68988+:1049F00094A3005C3042FFFF00021040008220219F
68989+:104A00003063FFFF0083202101041021ACA2001CB1
68990+:104A10008CC2000434C60100ACC2001C2402000297
68991+:104A20000E000F5EA0C2000C1040003E8FBF0010B1
68992+:104A30003C0280008C4401003C0380008C6201F841
68993+:104A40000440FFFE240200020A001292000000004F
68994+:104A500034660080ACC50038346401008C82001CD0
68995+:104A600000A210231840000224A2FFFCAC82001C0C
68996+:104A7000314200015040000A3C0380088CC2003CD7
68997+:104A800000A2102304430014240400058C620004D7
68998+:104A900014A200033C0380080A00128424040005C9
68999+:104AA0008C62000414A2001F8FBF00103C0208009B
69000+:104AB0008C4200D8304200201040000A3C0280089E
69001+:104AC00034620080906300089042004C144300055B
69002+:104AD0003C028008240400048FBF00100A00110962
69003+:104AE00027BD00183443008034420100A040000C70
69004+:104AF00024020001A46200143C0280008C440100E6
69005+:104B00003C0380008C6201F80440FFFE2402000296
69006+:104B1000AC6401C0A06201C43C021000AC6201F8A8
69007+:104B20008FBF001003E0000827BD001827BDFFE875
69008+:104B30003C0A8008AFBF0010354900808D22003C40
69009+:104B400000C04021308400FF004610231840009D23
69010+:104B500030E700FF354701002402000100A63023A2
69011+:104B6000A0E0000CA0E0000DA522001418C0002455
69012+:104B7000308200108D23001C8D22002C0068182329
69013+:104B80000043102B1040000F000000008CE20020BA
69014+:104B900000461021ACE200208CE200200043102BE4
69015+:104BA0001440000B3C023FFF8CE200200043102326
69016+:104BB000ACE200209522005C3042FFFF0A0012C1E7
69017+:104BC00000621821ACE00020006618213C023FFF83
69018+:104BD0003446FFFF00C3102B5440000100C01821D1
69019+:104BE0003C0280083442008000651821AC43001C60
69020+:104BF000A0400024A04000270A00130F3C038008B7
69021+:104C0000104000403C0380088D22003C00481023E7
69022+:104C10005840003D34670080912200242442000166
69023+:104C2000A1220024912200243C0308008C6300246C
69024+:104C3000304200FF0043102B1440009A8FBF001039
69025+:104C40008CE2001C00A21023184000960000000017
69026+:104C50008D4300049522005C006818233042FFFF5A
69027+:104C600000031843000210400043102A10400005C2
69028+:104C7000012020218D420004004810230A0012F276
69029+:104C8000000210439522005C3042FFFF00021040FA
69030+:104C90003C068008AC82002C34C5008094A2005CE5
69031+:104CA0008CA4002C94A3005C3042FFFF0002104053
69032+:104CB000008220213063FFFF0083182101031021AF
69033+:104CC000ACA2001C8CC2000434C60100ACC2001CA3
69034+:104CD000240200020E000F5EA0C2000C1040007102
69035+:104CE0008FBF00103C0280008C4401003C03800018
69036+:104CF0008C6201F80440FFFE240200020A0013390E
69037+:104D00000000000034670080ACE500383466010024
69038+:104D10008CC2001C00A210231840000224A2FFFC39
69039+:104D2000ACC2001C30820001504000083C038008E7
69040+:104D30008CE2003C00A2102304430051240400052F
69041+:104D40008C62000410A2003E3C0380088C620004C8
69042+:104D500054A200548FBF00103C0208008C4200D8BF
69043+:104D600030420020104000063C028008346200807F
69044+:104D7000906300089042004C104300403C028008C1
69045+:104D80003443008034420100A040000C24020001A2
69046+:104D9000A46200143C0280008C4401003C038000AB
69047+:104DA0008C6201F80440FFFE24020002AC6401C0E2
69048+:104DB000A06201C43C021000AC6201F80A00137743
69049+:104DC0008FBF001024020005A120002714E2000A72
69050+:104DD0003C038008354301009062000D2C42000620
69051+:104DE000504000053C0380089062000D2442000101
69052+:104DF000A062000D3C03800834670080ACE50038F9
69053+:104E0000346601008CC2001C00A21023184000026E
69054+:104E100024A2FFFCACC2001C308200015040000AFA
69055+:104E20003C0380088CE2003C00A2102304410014E3
69056+:104E3000240400058C62000414A200033C038008D3
69057+:104E40000A00136E240400058C62000414A20015ED
69058+:104E50008FBF00103C0208008C4200D83042002076
69059+:104E60001040000A3C028008346200809063000811
69060+:104E70009042004C144300053C02800824040004C6
69061+:104E80008FBF00100A00110927BD001834430080AD
69062+:104E900034420100A040000C24020001A46200146E
69063+:104EA0008FBF001003E0000827BD00183C0B8008EE
69064+:104EB00027BDFFE83C028000AFBF00103442010074
69065+:104EC000356A00809044000A356901008C45001461
69066+:104ED0008D4800389123000C308400FF0105102319
69067+:104EE0001C4000B3306700FF2CE20006504000B1C8
69068+:104EF0008FBF00102402000100E2300430C2000322
69069+:104F00005440000800A8302330C2000C144000A117
69070+:104F100030C20030144000A38FBF00100A00143BC1
69071+:104F20000000000018C00024308200108D43001CD7
69072+:104F30008D42002C006818230043102B1040000FF6
69073+:104F4000000000008D22002000461021AD2200202C
69074+:104F50008D2200200043102B1440000B3C023FFF29
69075+:104F60008D22002000431023AD2200209542005CDA
69076+:104F70003042FFFF0A0013AF00621821AD2000206D
69077+:104F8000006618213C023FFF3446FFFF00C3102B90
69078+:104F90005440000100C018213C02800834420080C7
69079+:104FA00000651821AC43001CA0400024A04000274D
69080+:104FB0000A0013FD3C038008104000403C038008B9
69081+:104FC0008D42003C004810231840003D34670080AB
69082+:104FD0009142002424420001A14200249142002475
69083+:104FE0003C0308008C630024304200FF0043102B78
69084+:104FF000144000708FBF00108D22001C00A21023EF
69085+:105000001840006C000000008D6300049542005CB5
69086+:10501000006818233042FFFF0003184300021040CD
69087+:105020000043102A10400005014020218D62000439
69088+:10503000004810230A0013E0000210439542005C70
69089+:105040003042FFFF000210403C068008AC82002C7A
69090+:1050500034C5008094A2005C8CA4002C94A3005C56
69091+:105060003042FFFF00021040008220213063FFFF2A
69092+:105070000083182101031021ACA2001C8CC2000483
69093+:1050800034C60100ACC2001C240200020E000F5EF8
69094+:10509000A0C2000C104000478FBF00103C028000EF
69095+:1050A0008C4401003C0380008C6201F80440FFFE48
69096+:1050B000240200020A00142D000000003467008062
69097+:1050C000ACE50038346601008CC2001C00A210233D
69098+:1050D0001840000224A2FFFCACC2001C3082000178
69099+:1050E0005040000A3C0380088CE2003C00A21023E0
69100+:1050F00004430014240400058C62000414A200037D
69101+:105100003C0380080A00141F240400058C6200047C
69102+:1051100014A200288FBF00103C0208008C4200D867
69103+:10512000304200201040000A3C02800834620080B7
69104+:10513000906300089042004C144300053C02800834
69105+:10514000240400048FBF00100A00110927BD0018B5
69106+:105150003443008034420100A040000C24020001CE
69107+:10516000A46200143C0280008C4401003C038000D7
69108+:105170008C6201F80440FFFE24020002AC6401C00E
69109+:10518000A06201C43C021000AC6201F80A00143BAA
69110+:105190008FBF00108FBF0010010030210A00115A8C
69111+:1051A00027BD0018010030210A00129927BD001800
69112+:1051B0008FBF001003E0000827BD00183C038008E3
69113+:1051C0003464010024020003A082000C8C620004FD
69114+:1051D00003E00008AC82001C3C05800834A300807A
69115+:1051E0009062002734A501002406004324420001F8
69116+:1051F000A0620027906300273C0208008C42004810
69117+:10520000306300FF146200043C07602194A500EAAB
69118+:105210000A00090130A5FFFF03E0000800000000BC
69119+:1052200027BDFFE8AFBF00103C0280000E00144411
69120+:105230008C4401803C02800834430100A060000CD3
69121+:105240008C4200048FBF001027BD001803E0000847
69122+:10525000AC62001C27BDFFE03C028008AFBF001815
69123+:10526000AFB10014AFB000103445008034460100E7
69124+:105270003C0880008D09014090C3000C8CA4003CC8
69125+:105280008CA200381482003B306700FF9502007C3E
69126+:1052900090A30027146000093045FFFF2402000599
69127+:1052A00054E200083C04800890C2000D2442000132
69128+:1052B000A0C2000D0A00147F3C048008A0C0000DAD
69129+:1052C0003C048008348201009042000C2403000555
69130+:1052D000304200FF1443000A24A205DC348300801E
69131+:1052E000906200272C4200075040000524A20A00CB
69132+:1052F00090630027240200140062100400A2102111
69133+:105300003C108008361000803045FFFF012020212E
69134+:105310000E001444A60500149602005C8E030038AB
69135+:105320003C1180003042FFFF000210400062182153
69136+:10533000AE03001C0E0003328E24014092020025B1
69137+:1053400034420040A20200250E00033D8E2401409D
69138+:105350008E2401403C0380008C6201F80440FFFE73
69139+:1053600024020002AC6401C0A06201C43C0210002F
69140+:10537000AC6201F88FBF00188FB100148FB000101D
69141+:1053800003E0000827BD00203C0360103C02080039
69142+:1053900024420174AC62502C8C6250003C048000AA
69143+:1053A00034420080AC6250003C0208002442547C2D
69144+:1053B0003C010800AC2256003C020800244254384C
69145+:1053C0003C010800AC2256043C020002AC840008F8
69146+:1053D000AC82000C03E000082402000100A0302190
69147+:1053E0003C1C0800279C56083C0200023C050400B7
69148+:1053F00000852826008220260004102B2CA5000101
69149+:105400002C840001000210803C0308002463560035
69150+:105410000085202500431821108000030000102182
69151+:10542000AC6600002402000103E000080000000058
69152+:105430003C1C0800279C56083C0200023C05040066
69153+:1054400000852826008220260004102B2CA50001B0
69154+:105450002C840001000210803C03080024635600E5
69155+:105460000085202500431821108000050000102130
69156+:105470003C02080024425438AC62000024020001BF
69157+:1054800003E00008000000003C0200023C030400AE
69158+:1054900000821026008318262C4200012C63000194
69159+:1054A000004310251040000B000028213C1C080080
69160+:1054B000279C56083C0380008C62000824050001EC
69161+:1054C00000431025AC6200088C62000C00441025DB
69162+:1054D000AC62000C03E0000800A010213C1C080096
69163+:1054E000279C56083C0580008CA3000C0004202754
69164+:1054F000240200010064182403E00008ACA3000C9F
69165+:105500003C020002148200063C0560008CA208D018
69166+:105510002403FFFE0043102403E00008ACA208D0DF
69167+:105520003C02040014820005000000008CA208D098
69168+:105530002403FFFD00431024ACA208D003E00008C0
69169+:10554000000000003C02601A344200108C430080CE
69170+:1055500027BDFFF88C440084AFA3000093A3000094
69171+:10556000240200041462001AAFA4000493A20001F4
69172+:105570001040000797A300023062FFFC3C0380004C
69173+:10558000004310218C4200000A001536AFA200042F
69174+:105590003062FFFC3C03800000431021AC4400005B
69175+:1055A000A3A000003C0560008CA208D02403FFFEED
69176+:1055B0003C04601A00431024ACA208D08FA300045E
69177+:1055C0008FA2000034840010AC830084AC82008081
69178+:1055D00003E0000827BD000827BDFFE8AFBF0010AB
69179+:1055E0003C1C0800279C56083C0280008C43000CA1
69180+:1055F0008C420004004318243C0200021060001496
69181+:10560000006228243C0204003C04000210A00005B3
69182+:10561000006210243C0208008C4256000A00155B10
69183+:1056200000000000104000073C0404003C02080099
69184+:105630008C4256040040F809000000000A00156082
69185+:10564000000000000000000D3C1C0800279C5608CC
69186+:105650008FBF001003E0000827BD0018800802403B
69187+:1056600080080100800800808008000000000C8095
69188+:105670000000320008000E9808000EF408000F88A1
69189+:1056800008001028080010748008010080080080BD
69190+:10569000800800000A000028000000000000000050
69191+:1056A0000000000D6370362E322E316200000000C3
69192+:1056B00006020104000000000000000000000000DD
69193+:1056C000000000000000000038003C000000000066
69194+:1056D00000000000000000000000000000000020AA
69195+:1056E00000000000000000000000000000000000BA
69196+:1056F00000000000000000000000000000000000AA
69197+:10570000000000000000000021003800000000013F
69198+:105710000000002B000000000000000400030D400A
69199+:105720000000000000000000000000000000000079
69200+:105730000000000000000000100000030000000056
69201+:105740000000000D0000000D3C020800244259AC8E
69202+:105750003C03080024635BF4AC4000000043202BB2
69203+:105760001480FFFD244200043C1D080037BD9FFC4F
69204+:1057700003A0F0213C100800261000A03C1C0800EB
69205+:10578000279C59AC0E0002F6000000000000000D3E
69206+:1057900027BDFFB4AFA10000AFA20004AFA3000873
69207+:1057A000AFA4000CAFA50010AFA60014AFA700185F
69208+:1057B000AFA8001CAFA90020AFAA0024AFAB0028FF
69209+:1057C000AFAC002CAFAD0030AFAE0034AFAF00389F
69210+:1057D000AFB8003CAFB90040AFBC0044AFBF004819
69211+:1057E0000E000820000000008FBF00488FBC00445E
69212+:1057F0008FB900408FB8003C8FAF00388FAE0034B7
69213+:105800008FAD00308FAC002C8FAB00288FAA002406
69214+:105810008FA900208FA8001C8FA700188FA6001446
69215+:105820008FA500108FA4000C8FA300088FA2000486
69216+:105830008FA1000027BD004C3C1B60188F7A5030B0
69217+:10584000377B502803400008AF7A000000A01821E1
69218+:1058500000801021008028213C0460003C0760008B
69219+:105860002406000810600006348420788C42000072
69220+:10587000ACE220088C63000003E00008ACE3200CDD
69221+:105880000A000F8100000000240300403C02600079
69222+:1058900003E00008AC4320003C0760008F86000452
69223+:1058A0008CE520740086102100A2182B14600007DC
69224+:1058B000000028218F8AFDA024050001A1440013C7
69225+:1058C0008F89000401244021AF88000403E0000810
69226+:1058D00000A010218F84FDA08F8500049086001306
69227+:1058E00030C300FF00A31023AF82000403E00008D0
69228+:1058F000A08000138F84FDA027BDFFE8AFB000108B
69229+:10590000AFBF001490890011908700112402002875
69230+:10591000312800FF3906002830E300FF2485002CE1
69231+:105920002CD00001106200162484001C0E00006EB2
69232+:10593000000000008F8FFDA03C05600024020204DF
69233+:1059400095EE003E95ED003C000E5C0031ACFFFF93
69234+:10595000016C5025ACAA2010520000012402000462
69235+:10596000ACA22000000000000000000000000000C9
69236+:105970008FBF00148FB0001003E0000827BD00188F
69237+:105980000A0000A6000028218F85FDA027BDFFD8B2
69238+:10599000AFBF0020AFB3001CAFB20018AFB100140E
69239+:1059A000AFB000100080982190A4001124B0001C1A
69240+:1059B00024B1002C308300FF386200280E000090D4
69241+:1059C0002C5200010E00009800000000020020216F
69242+:1059D0001240000202202821000028210E00006E43
69243+:1059E000000000008F8DFDA03C0880003C05600099
69244+:1059F00095AC003E95AB003C02683025000C4C0095
69245+:105A0000316AFFFF012A3825ACA7201024020202C8
69246+:105A1000ACA6201452400001240200028FBF0020D7
69247+:105A20008FB3001C8FB200188FB100148FB000101C
69248+:105A300027BD002803E00008ACA2200027BDFFE03E
69249+:105A4000AFB20018AFB10014AFB00010AFBF001C70
69250+:105A50003C1160008E2320748F82000430D0FFFF41
69251+:105A600030F2FFFF1062000C2406008F0E00006E63
69252+:105A7000000000003C06801F0010440034C5FF00F9
69253+:105A80000112382524040002AE2720100000302126
69254+:105A9000AE252014AE2420008FBF001C8FB200184A
69255+:105AA0008FB100148FB0001000C0102103E0000877
69256+:105AB00027BD002027BDFFE0AFB0001030D0FFFFB2
69257+:105AC000AFBF0018AFB100140E00006E30F1FFFF41
69258+:105AD00000102400009180253C036000AC70201071
69259+:105AE0008FBF00188FB100148FB000102402000483
69260+:105AF000AC62200027BD002003E000080000102158
69261+:105B000027BDFFE03C046018AFBF0018AFB1001420
69262+:105B1000AFB000108C8850002403FF7F34028071E6
69263+:105B20000103382434E5380C241F00313C1980006F
69264+:105B3000AC8550003C11800AAC8253BCAF3F0008DA
69265+:105B40000E00054CAF9100400E00050A3C116000AC
69266+:105B50000E00007D000000008E3008083C0F570941
69267+:105B60002418FFF00218602435EEE00035EDF00057
69268+:105B7000018E5026018D58262D4600012D69000109
69269+:105B8000AF86004C0E000D09AF8900503C06601630
69270+:105B90008CC700003C0860148D0500A03C03FFFF8B
69271+:105BA00000E320243C02535300052FC2108200550D
69272+:105BB00034D07C00960201F2A780006C10400003F4
69273+:105BC000A780007C384B1E1EA78B006C960201F844
69274+:105BD000104000048F8D0050384C1E1EA78C007C96
69275+:105BE0008F8D005011A000058F83004C240E0020E3
69276+:105BF000A78E007CA78E006C8F83004C1060000580
69277+:105C00009785007C240F0020A78F007CA78F006C55
69278+:105C10009785007C2CB8008153000001240500808A
69279+:105C20009784006C2C91040152200001240404008C
69280+:105C30001060000B3C0260008FBF00188FB1001491
69281+:105C40008FB0001027BD0020A784006CA785007CC2
69282+:105C5000A380007EA780007403E00008A780009264
69283+:105C60008C4704382419103C30FFFFFF13F9000360
69284+:105C700030A8FFFF1100004624030050A380007EDF
69285+:105C80009386007E50C00024A785007CA780007CFE
69286+:105C90009798007CA780006CA7800074A780009272
69287+:105CA0003C010800AC3800800E00078700000000AF
69288+:105CB0003C0F60008DED0808240EFFF03C0B600ED9
69289+:105CC000260C0388356A00100000482100002821B6
69290+:105CD00001AE20243C105709AF8C0010AF8A004859
69291+:105CE000AF89001810900023AF8500148FBF0018F3
69292+:105CF0008FB100148FB0001027BD002003E0000812
69293+:105D0000AF80005400055080014648218D260004D4
69294+:105D10000A00014800D180219798007CA784006C7C
69295+:105D2000A7800074A78000923C010800AC38008076
69296+:105D30000E000787000000003C0F60008DED080892
69297+:105D4000240EFFF03C0B600E260C0388356A001011
69298+:105D5000000048210000282101AE20243C105709F2
69299+:105D6000AF8C0010AF8A0048AF8900181490FFDF95
69300+:105D7000AF85001424110001AF9100548FBF0018AB
69301+:105D80008FB100148FB0001003E0000827BD002081
69302+:105D90000A00017BA383007E3083FFFF8F880040D1
69303+:105DA0008F87003C000321403C0580003C020050EE
69304+:105DB000008248253C0660003C0A010034AC040027
69305+:105DC0008CCD08E001AA58241160000500000000F5
69306+:105DD0008CCF08E024E7000101EA7025ACCE08E092
69307+:105DE0008D19001001805821ACB900388D180014AD
69308+:105DF000ACB8003CACA9003000000000000000007E
69309+:105E00000000000000000000000000000000000092
69310+:105E100000000000000000003C0380008C640000D3
69311+:105E2000308200201040FFFD3C0F60008DED08E047
69312+:105E30003C0E010001AE18241460FFE100000000D8
69313+:105E4000AF87003C03E00008AF8B00588F8500400F
69314+:105E5000240BFFF03C06800094A7001A8CA90024B4
69315+:105E600030ECFFFF000C38C000EB5024012A402129
69316+:105E7000ACC8003C8CA400248CC3003C00831023DD
69317+:105E800018400033000000008CAD002025A2000166
69318+:105E90003C0F0050ACC2003835EE00103C068000CC
69319+:105EA000ACCE003000000000000000000000000048
69320+:105EB00000000000000000000000000000000000E2
69321+:105EC000000000003C0480008C9900003338002062
69322+:105ED0001300FFFD30E20008104000173C0980006D
69323+:105EE0008C880408ACA800108C83040CACA30014AC
69324+:105EF0003C1900203C188000AF19003094AE001807
69325+:105F000094AF001C01CF3021A4A6001894AD001A54
69326+:105F100025A70001A4A7001A94AB001A94AC001E98
69327+:105F2000118B00030000000003E0000800000000E7
69328+:105F300003E00008A4A0001A8D2A0400ACAA0010F7
69329+:105F40008D240404ACA400140A0002183C1900209B
69330+:105F50008CA200200A0002003C0F00500A0001EE53
69331+:105F60000000000027BDFFE8AFBF00100E000232A6
69332+:105F7000000000008F8900408FBF00103C038000AC
69333+:105F8000A520000A9528000A9527000427BD0018BF
69334+:105F90003105FFFF30E6000F0006150000A22025A6
69335+:105FA00003E00008AC6400803C0508008CA50020DC
69336+:105FB0008F83000C27BDFFE8AFB00010AFBF001407
69337+:105FC00010A300100000802124040001020430040A
69338+:105FD00000A6202400C3102450440006261000010F
69339+:105FE000001018802787FDA41480000A006718217C
69340+:105FF000261000012E0900025520FFF38F83000CAC
69341+:10600000AF85000C8FBF00148FB0001003E00008B4
69342+:1060100027BD00188C6800003C058000ACA8002457
69343+:106020000E000234261000013C0508008CA500205B
69344+:106030000A0002592E0900022405000100851804F7
69345+:106040003C0408008C84002027BDFFC8AFBF00348B
69346+:1060500000831024AFBE0030AFB7002CAFB60028CD
69347+:10606000AFB50024AFB40020AFB3001CAFB200182E
69348+:10607000AFB1001410400051AFB000108F84004049
69349+:10608000948700069488000A00E8302330D5FFFF8B
69350+:1060900012A0004B8FBF0034948B0018948C000A20
69351+:1060A000016C50233142FFFF02A2482B1520000251
69352+:1060B00002A02021004020212C8F000515E00002C5
69353+:1060C00000809821241300040E0001C102602021E9
69354+:1060D0008F87004002609021AF80004494F4000A52
69355+:1060E000026080211260004E3291FFFF3C1670006A
69356+:1060F0003C1440003C1E20003C1760008F99005863
69357+:106100008F380000031618241074004F0283F82BF8
69358+:1061100017E0003600000000107E00478F86004424
69359+:1061200014C0003A2403000102031023022320219B
69360+:106130003050FFFF1600FFF13091FFFF8F870040C6
69361+:106140003C1100203C108000AE11003094EB000A9E
69362+:106150003C178000024B5021A4EA000A94E9000A8F
69363+:1061600094E800043123FFFF3106000F00062D00E4
69364+:106170000065F025AEFE008094F3000A94F6001846
69365+:1061800012D30036001221408CFF00148CF4001052
69366+:1061900003E468210000C02101A4782B029870213B
69367+:1061A00001CF6021ACED0014ACEC001002B238233A
69368+:1061B00030F5FFFF16A0FFB88F8400408FBF00347A
69369+:1061C0008FBE00308FB7002C8FB600288FB500240B
69370+:1061D0008FB400208FB3001C8FB200188FB1001451
69371+:1061E0008FB0001003E0000827BD00381477FFCC03
69372+:1061F0008F8600440E000EE202002021004018218C
69373+:106200008F86004410C0FFC9020310230270702360
69374+:106210008F87004001C368210A0002E431B2FFFF0A
69375+:106220008F86004414C0FFC93C1100203C10800040
69376+:106230000A0002AEAE1100300E00046602002021FA
69377+:106240000A0002DB00401821020020210E0009395B
69378+:10625000022028210A0002DB004018210E0001EE76
69379+:10626000000000000A0002C702B2382327BDFFC8A1
69380+:10627000AFB7002CAFB60028AFB50024AFB40020F4
69381+:10628000AFB3001CAFB20018AFB10014AFB0001034
69382+:10629000AFBF00300E00011B241300013C047FFF40
69383+:1062A0003C0380083C0220003C010800AC20007048
69384+:1062B0003496FFFF34770080345200033C1512C03F
69385+:1062C000241400013C1080002411FF800E000245C0
69386+:1062D000000000008F8700488F8B00188F89001402
69387+:1062E0008CEA00EC8CE800E8014B302B01092823F4
69388+:1062F00000A6102314400006014B18231440000E82
69389+:106300003C05800002A3602B1180000B0000000000
69390+:106310003C0560008CEE00EC8CED00E88CA4180CC1
69391+:10632000AF8E001804800053AF8D00148F8F0010C3
69392+:10633000ADF400003C0580008CBF00003BF900017B
69393+:10634000333800011700FFE13C0380008C6201003C
69394+:1063500024060C0010460009000000008C680100B3
69395+:106360002D043080548000103C0480008C690100B2
69396+:106370002D2331811060000C3C0480008CAA0100A8
69397+:1063800011460004000020218CA6010024C5FF81D5
69398+:1063900030A400FF8E0B01000E000269AE0B00243A
69399+:1063A0000A00034F3C0480008C8D01002DAC3300AB
69400+:1063B00011800022000000003C0708008CE70098D4
69401+:1063C00024EE00013C010800AC2E00983C04800043
69402+:1063D0008C8201001440000300000000566000148D
69403+:1063E0003C0440008C9F01008C9801000000982123
69404+:1063F00003F1C82400193940330F007F00EF7025E6
69405+:1064000001D26825AC8D08308C8C01008C85010090
69406+:10641000258B0100017130240006514030A3007F1C
69407+:106420000143482501324025AC8808303C04400037
69408+:10643000AE0401380A00030E000000008C99010030
69409+:10644000240F0020AC99002092F80000330300FFD5
69410+:10645000106F000C241F0050547FFFDD3C048000AF
69411+:106460008C8401000E00154E000000000A00034F4E
69412+:106470003C04800000963824ACA7180C0A000327BF
69413+:106480008F8F00108C8501000E0008F72404008017
69414+:106490000A00034F3C04800000A4102B24030001D9
69415+:1064A00010400009000030210005284000A4102BF6
69416+:1064B00004A00003000318405440FFFC00052840DE
69417+:1064C0005060000A0004182B0085382B54E00004AB
69418+:1064D0000003184200C33025008520230003184222
69419+:1064E0001460FFF9000528420004182B03E000089F
69420+:1064F00000C310213084FFFF30C600FF3C0780003E
69421+:106500008CE201B80440FFFE00064C000124302557
69422+:106510003C08200000C820253C031000ACE00180AE
69423+:10652000ACE50184ACE4018803E00008ACE301B809
69424+:106530003C0660008CC5201C2402FFF03083020062
69425+:10654000308601001060000E00A2282434A500014E
69426+:106550003087300010E0000530830C0034A50004C3
69427+:106560003C04600003E00008AC85201C1060FFFDC7
69428+:106570003C04600034A5000803E00008AC85201C42
69429+:1065800054C0FFF334A500020A0003B03087300086
69430+:1065900027BDFFE8AFB00010AFBF00143C0760009C
69431+:1065A000240600021080001100A080218F83005873
69432+:1065B0000E0003A78C6400188F8200580000202171
69433+:1065C000240600018C45000C0E000398000000001A
69434+:1065D0001600000224020003000010218FBF0014E7
69435+:1065E0008FB0001003E0000827BD00188CE8201CC5
69436+:1065F0002409FFF001092824ACE5201C8F870058EE
69437+:106600000A0003CD8CE5000C3C02600E00804021A6
69438+:1066100034460100240900180000000000000000BA
69439+:10662000000000003C0A00503C0380003547020097
69440+:10663000AC68003834640400AC65003CAC670030E2
69441+:106640008C6C0000318B00201160FFFD2407FFFFE0
69442+:106650002403007F8C8D00002463FFFF248400044A
69443+:10666000ACCD00001467FFFB24C60004000000004E
69444+:10667000000000000000000024A402000085282B78
69445+:106680003C0300203C0E80002529FFFF010540212E
69446+:10669000ADC300301520FFE00080282103E0000892
69447+:1066A000000000008F82005827BDFFD8AFB3001C48
69448+:1066B000AFBF0020AFB20018AFB10014AFB00010F0
69449+:1066C00094460002008098218C5200182CC300814F
69450+:1066D0008C4800048C4700088C51000C8C49001039
69451+:1066E000106000078C4A00142CC4000414800013AE
69452+:1066F00030EB000730C5000310A0001000000000C0
69453+:106700002410008B02002021022028210E00039873
69454+:10671000240600031660000224020003000010217A
69455+:106720008FBF00208FB3001C8FB200188FB10014F0
69456+:106730008FB0001003E0000827BD00281560FFF1AE
69457+:106740002410008B3C0C80003C030020241F00011F
69458+:10675000AD830030AF9F0044000000000000000047
69459+:10676000000000002419FFF024D8000F031978243A
69460+:106770003C1000D0AD88003801F0702524CD000316
69461+:106780003C08600EAD87003C35850400AD8E0030BE
69462+:10679000000D38823504003C3C0380008C6B000007
69463+:1067A000316200201040FFFD0000000010E00008F2
69464+:1067B00024E3FFFF2407FFFF8CA800002463FFFFF2
69465+:1067C00024A50004AC8800001467FFFB24840004A7
69466+:1067D0003C05600EACA60038000000000000000080
69467+:1067E000000000008F8600543C0400203C0780001D
69468+:1067F000ACE4003054C000060120202102402021DA
69469+:106800000E0003A7000080210A00041D02002021C1
69470+:106810000E0003DD01402821024020210E0003A7C5
69471+:10682000000080210A00041D0200202127BDFFE096
69472+:10683000AFB200183092FFFFAFB10014AFBF001C21
69473+:10684000AFB000101640000D000088210A0004932C
69474+:106850000220102124050003508500278CE5000C40
69475+:106860000000000D262800013111FFFF24E2002066
69476+:106870000232802B12000019AF8200588F82004430
69477+:10688000144000168F8700583C0670003C0320001F
69478+:106890008CE5000000A62024148300108F84006083
69479+:1068A000000544023C09800000A980241480FFE90F
69480+:1068B000310600FF2CCA000B5140FFEB26280001D7
69481+:1068C000000668803C0E080025CE575801AE6021B6
69482+:1068D0008D8B0000016000080000000002201021E4
69483+:1068E0008FBF001C8FB200188FB100148FB0001042
69484+:1068F00003E0000827BD00200E0003982404008454
69485+:106900001600FFD88F8700580A000474AF8000601B
69486+:10691000020028210E0003BF240400018F870058C5
69487+:106920000A000474AF820060020028210E0003BF39
69488+:10693000000020210A0004A38F8700580E000404E1
69489+:10694000020020218F8700580A000474AF82006083
69490+:1069500030AFFFFF000F19C03C0480008C9001B8DD
69491+:106960000600FFFE3C1920043C181000AC83018097
69492+:10697000AC800184AC990188AC9801B80A00047518
69493+:106980002628000190E2000390E30002000020218D
69494+:106990000002FE0000033A0000FF2825240600083C
69495+:1069A0000E000398000000001600FFDC2402000324
69496+:1069B0008F870058000010210A000474AF82006025
69497+:1069C00090E8000200002021240600090A0004C308
69498+:1069D00000082E0090E4000C240900FF308500FF21
69499+:1069E00010A900150000302190F9000290F8000372
69500+:1069F000308F00FF94EB000400196E000018740043
69501+:106A0000000F62000186202501AE5025014B28258C
69502+:106A10003084FF8B0A0004C32406000A90E30002BE
69503+:106A200090FF0004000020210003360000DF28252D
69504+:106A30000A0004C32406000B0A0004D52406008BB8
69505+:106A4000000449C23127003F000443423C02800059
69506+:106A500000082040240316802CE60020AC43002CC4
69507+:106A600024EAFFE02482000114C0000330A900FFE3
69508+:106A700000801021314700FF000260803C0D800043
69509+:106A8000240A0001018D20213C0B000E00EA28049D
69510+:106A9000008B302111200005000538278CCE000026
69511+:106AA00001C5382503E00008ACC700008CD8000001
69512+:106AB0000307782403E00008ACCF000027BDFFE007
69513+:106AC000AFB10014AFB00010AFBF00183C076000BA
69514+:106AD0008CE408083402F0003C1160003083F000C0
69515+:106AE000240501C03C04800E000030211062000625
69516+:106AF000241000018CEA08083149F0003928E00030
69517+:106B00000008382B000780403C0D0200AE2D081411
69518+:106B1000240C16803C0B80008E2744000E000F8B47
69519+:106B2000AD6C002C120000043C02169124050001FB
69520+:106B3000120500103C023D2C345800E0AE384408E9
69521+:106B40003C1108008E31007C8FBF00183C066000AD
69522+:106B500000118540360F16808FB100148FB00010E1
69523+:106B60003C0E020027BD0020ACCF442003E000080B
69524+:106B7000ACCE08103C0218DA345800E0AE384408B5
69525+:106B80003C1108008E31007C8FBF00183C0660006D
69526+:106B900000118540360F16808FB100148FB00010A1
69527+:106BA0003C0E020027BD0020ACCF442003E00008CB
69528+:106BB000ACCE08100A0004EB240500010A0004EB27
69529+:106BC0000000282124020400A7820024A780001CC2
69530+:106BD000000020213C06080024C65A582405FFFF67
69531+:106BE00024890001000440803124FFFF01061821A0
69532+:106BF0002C87002014E0FFFAAC6500002404040098
69533+:106C0000A7840026A780001E000020213C06080063
69534+:106C100024C65AD82405FFFF248D0001000460809B
69535+:106C200031A4FFFF018658212C8A00201540FFFA6D
69536+:106C3000AD650000A7800028A7800020A780002263
69537+:106C4000000020213C06080024C65B582405FFFFF5
69538+:106C5000249900010004C0803324FFFF030678213B
69539+:106C60002C8E000415C0FFFAADE500003C05600065
69540+:106C70008CA73D002403E08F00E31024344601403C
69541+:106C800003E00008ACA63D002487007F000731C266
69542+:106C900024C5FFFF000518C2246400013082FFFFF5
69543+:106CA000000238C0A78400303C010800AC27003047
69544+:106CB000AF80002C0000282100002021000030219E
69545+:106CC0002489000100A728213124FFFF2CA81701E7
69546+:106CD000110000032C8300801460FFF924C600011A
69547+:106CE00000C02821AF86002C10C0001DA786002AF6
69548+:106CF00024CAFFFF000A11423C08080025085B581F
69549+:106D00001040000A00002021004030212407FFFF2E
69550+:106D1000248E00010004688031C4FFFF01A86021B7
69551+:106D20000086582B1560FFFAAD87000030A2001FC7
69552+:106D30005040000800043080240300010043C804D0
69553+:106D400000041080004878212738FFFF03E0000886
69554+:106D5000ADF8000000C820212405FFFFAC8500002D
69555+:106D600003E000080000000030A5FFFF30C6FFFF71
69556+:106D700030A8001F0080602130E700FF0005294295
69557+:106D80000000502110C0001D24090001240B000147
69558+:106D900025180001010B2004330800FF0126782686
69559+:106DA000390E00202DED00012DC2000101A2182591
69560+:106DB0001060000D014450250005C880032C4021BF
69561+:106DC0000100182110E0000F000A20278D040000A8
69562+:106DD000008A1825AD03000024AD00010000402109
69563+:106DE0000000502131A5FFFF252E000131C9FFFF12
69564+:106DF00000C9102B1040FFE72518000103E0000830
69565+:106E0000000000008D0A0000014440240A0005D162
69566+:106E1000AC68000027BDFFE830A5FFFF30C6FFFFCC
69567+:106E2000AFB00010AFBF001430E7FFFF00005021EB
69568+:106E30003410FFFF0000602124AF001F00C0482174
69569+:106E4000241800012419002005E0001601E010219B
69570+:106E50000002F943019F682A0009702B01AE40240B
69571+:106E600011000017000C18800064102110E00005CC
69572+:106E70008C4B000000F840040008382301675824B8
69573+:106E800000003821154000410000402155600016E7
69574+:106E90003169FFFF258B0001316CFFFF05E1FFEC3D
69575+:106EA00001E0102124A2003E0002F943019F682A5C
69576+:106EB0000009702B01AE40241500FFEB000C188078
69577+:106EC000154600053402FFFF020028210E0005B51B
69578+:106ED00000003821020010218FBF00148FB0001075
69579+:106EE00003E0000827BD00181520000301601821E9
69580+:106EF000000B1C0224080010306A00FF154000053A
69581+:106F0000306E000F250D000800031A0231A800FFA3
69582+:106F1000306E000F15C00005307F000325100004FF
69583+:106F200000031902320800FF307F000317E000055C
69584+:106F3000386900012502000200031882304800FF72
69585+:106F4000386900013123000110600004310300FFA3
69586+:106F5000250A0001314800FF310300FF000C6940A1
69587+:106F600001A34021240A000110CAFFD53110FFFF00
69588+:106F7000246E000131C800FF1119FFC638C9000195
69589+:106F80002D1F002053E0001C258B0001240D000163
69590+:106F90000A000648240E002051460017258B0001E8
69591+:106FA00025090001312800FF2D0900205120001281
69592+:106FB000258B000125430001010D5004014B1024D5
69593+:106FC000250900011440FFF4306AFFFF3127FFFF5D
69594+:106FD00010EE000C2582FFFF304CFFFF0000502117
69595+:106FE0003410FFFF312800FF2D0900205520FFF24B
69596+:106FF00025430001258B0001014648260A000602B0
69597+:10700000316CFFFF00003821000050210A000654B7
69598+:107010003410FFFF27BDFFD8AFB0001030F0FFFFE6
69599+:10702000AFB10014001039423211FFE000071080A8
69600+:10703000AFB3001C00B1282330D3FFFFAFB200185C
69601+:1070400030A5FFFF00809021026030210044202104
69602+:10705000AFBF00200E0005E03207001F022288218A
69603+:107060003403FFFF0240202102002821026030216A
69604+:1070700000003821104300093231FFFF02201021A7
69605+:107080008FBF00208FB3001C8FB200188FB1001487
69606+:107090008FB0001003E0000827BD00280E0005E0B7
69607+:1070A0000000000000408821022010218FBF002036
69608+:1070B0008FB3001C8FB200188FB100148FB0001076
69609+:1070C00003E0000827BD0028000424003C03600002
69610+:1070D000AC603D0810A00002348210063482101605
69611+:1070E00003E00008AC623D0427BDFFE0AFB0001034
69612+:1070F000309000FF2E020006AFBF001810400008BD
69613+:10710000AFB10014001030803C03080024635784A2
69614+:1071100000C328218CA400000080000800000000AB
69615+:10712000000020218FBF00188FB100148FB0001015
69616+:107130000080102103E0000827BD00209791002A5D
69617+:1071400016200051000020213C020800904200332C
69618+:107150000A0006BB00000000978D002615A0003134
69619+:10716000000020210A0006BB2402000897870024A3
69620+:1071700014E0001A00001821006020212402000100
69621+:107180001080FFE98FBF0018000429C2004530219C
69622+:1071900000A6582B1160FFE43C0880003C0720004B
69623+:1071A000000569C001A76025AD0C00203C038008E4
69624+:1071B0002402001F2442FFFFAC6000000441FFFDD9
69625+:1071C0002463000424A5000100A6702B15C0FFF560
69626+:1071D000000569C00A0006A58FBF00189787001C2C
69627+:1071E0003C04080024845A58240504000E0006605C
69628+:1071F00024060001978B002424440001308AFFFFFD
69629+:107200002569FFFF2D48040000402821150000409B
69630+:10721000A789002424AC3800000C19C00A0006B964
69631+:10722000A780001C9787001E3C04080024845AD8BD
69632+:10723000240504000E00066024060001979900262C
69633+:10724000244400013098FFFF272FFFFF2F0E04007A
69634+:107250000040882115C0002CA78F0026A780001EA3
69635+:107260003A020003262401003084FFFF0E00068D41
69636+:107270002C4500010011F8C027F00100001021C0CA
69637+:107280000A0006BB240200089785002E978700227B
69638+:107290003C04080024845B580E00066024060001AC
69639+:1072A0009787002A8F89002C2445000130A8FFFF12
69640+:1072B00024E3FFFF0109302B0040802114C0001897
69641+:1072C000A783002AA7800022978500300E000F7543
69642+:1072D00002002021244A05003144FFFF0E00068DE4
69643+:1072E000240500013C05080094A500320E000F752E
69644+:1072F00002002021244521003C0208009042003376
69645+:107300000A0006BB000521C00A0006F3A784001E80
69646+:1073100024AC3800000C19C00A0006B9A784001C70
69647+:107320000A00070DA7850022308400FF27BDFFE873
69648+:107330002C820006AFBF0014AFB000101040001543
69649+:1073400000A03821000440803C0308002463579CBF
69650+:10735000010328218CA40000008000080000000028
69651+:1073600024CC007F000751C2000C59C23170FFFFCE
69652+:107370002547C40030E5FFFF2784001C02003021B0
69653+:107380000E0005B52407000197860028020620217B
69654+:10739000A78400288FBF00148FB0001003E00008FE
69655+:1073A00027BD00183C0508008CA50030000779C2F5
69656+:1073B0000E00038125E4DF003045FFFF3C04080098
69657+:1073C00024845B58240600010E0005B52407000143
69658+:1073D000978E002A8FBF00148FB0001025CD0001BA
69659+:1073E00027BD001803E00008A78D002A0007C9C2C6
69660+:1073F0002738FF00001878C231F0FFFF3C04080076
69661+:1074000024845AD802002821240600010E0005B564
69662+:1074100024070001978D0026260E0100000E84002F
69663+:1074200025AC00013C0B6000A78C0026AD603D0838
69664+:1074300036040006000030213C0760008CE23D0469
69665+:10744000305F000617E0FFFD24C9000100061B00A5
69666+:10745000312600FF006440252CC50004ACE83D0443
69667+:1074600014A0FFF68FBF00148FB0001003E00008D7
69668+:1074700027BD0018000751C22549C8002406000195
69669+:10748000240700013C04080024845A580E0005B566
69670+:107490003125FFFF978700248FBF00148FB00010A5
69671+:1074A00024E6000127BD001803E00008A786002499
69672+:1074B0003C0660183C090800252900FCACC9502C8A
69673+:1074C0008CC850003C0580003C020002350700805B
69674+:1074D000ACC750003C04080024841FE03C030800B3
69675+:1074E00024631F98ACA50008ACA2000C3C01080066
69676+:1074F000AC2459A43C010800AC2359A803E00008BF
69677+:107500002402000100A030213C1C0800279C59AC3B
69678+:107510003C0C04003C0B0002008B3826008C4026FB
69679+:107520002CE200010007502B2D050001000A4880C5
69680+:107530003C030800246359A4004520250123182199
69681+:107540001080000300001021AC660000240200013E
69682+:1075500003E00008000000003C1C0800279C59AC18
69683+:107560003C0B04003C0A0002008A3026008B3826BF
69684+:107570002CC200010006482B2CE5000100094080C8
69685+:107580003C030800246359A4004520250103182169
69686+:1075900010800005000010213C0C0800258C1F986D
69687+:1075A000AC6C00002402000103E0000800000000B1
69688+:1075B0003C0900023C080400008830260089382677
69689+:1075C0002CC30001008028212CE400010083102539
69690+:1075D0001040000B000030213C1C0800279C59ACD7
69691+:1075E0003C0A80008D4E00082406000101CA68256F
69692+:1075F000AD4D00088D4C000C01855825AD4B000C9D
69693+:1076000003E0000800C010213C1C0800279C59AC76
69694+:107610003C0580008CA6000C0004202724020001F9
69695+:1076200000C4182403E00008ACA3000C3C020002D4
69696+:107630001082000B3C0560003C070400108700032B
69697+:107640000000000003E00008000000008CA908D042
69698+:10765000240AFFFD012A402403E00008ACA808D05A
69699+:107660008CA408D02406FFFE0086182403E000083E
69700+:10767000ACA308D03C05601A34A600108CC300806F
69701+:1076800027BDFFF88CC50084AFA3000093A40000C1
69702+:107690002402001010820003AFA5000403E00008DC
69703+:1076A00027BD000893A7000114E0001497AC000266
69704+:1076B00097B800023C0F8000330EFFFC01CF682119
69705+:1076C000ADA50000A3A000003C0660008CC708D058
69706+:1076D0002408FFFE3C04601A00E82824ACC508D04A
69707+:1076E0008FA300048FA200003499001027BD00086A
69708+:1076F000AF22008003E00008AF2300843C0B800031
69709+:10770000318AFFFC014B48218D2800000A00080C3B
69710+:10771000AFA8000427BDFFE8AFBF00103C1C080065
69711+:10772000279C59AC3C0580008CA4000C8CA2000462
69712+:107730003C0300020044282410A0000A00A31824DF
69713+:107740003C0604003C0400021460000900A610245A
69714+:107750001440000F3C0404000000000D3C1C080015
69715+:10776000279C59AC8FBF001003E0000827BD00180C
69716+:107770003C0208008C4259A40040F80900000000B7
69717+:107780003C1C0800279C59AC0A0008358FBF00102C
69718+:107790003C0208008C4259A80040F8090000000093
69719+:1077A0000A00083B000000003C0880008D0201B880
69720+:1077B0000440FFFE35090180AD2400003C031000A9
69721+:1077C00024040040AD250004A1240008A1260009DE
69722+:1077D000A527000A03E00008AD0301B83084FFFFCD
69723+:1077E0000080382130A5FFFF000020210A00084555
69724+:1077F000240600803087FFFF8CA400002406003898
69725+:107800000A000845000028218F8300788F860070C9
69726+:107810001066000B008040213C07080024E75B68ED
69727+:10782000000328C000A710218C440000246300013D
69728+:10783000108800053063000F5466FFFA000328C06B
69729+:1078400003E00008000010213C07080024E75B6CFF
69730+:1078500000A7302103E000088CC200003C03900028
69731+:1078600034620001008220253C038000AC640020CB
69732+:107870008C65002004A0FFFE0000000003E000086B
69733+:10788000000000003C0280003443000100832025FA
69734+:1078900003E00008AC44002027BDFFE0AFB10014B6
69735+:1078A0003091FFFFAFB00010AFBF001812200013DF
69736+:1078B00000A080218CA20000240400022406020003
69737+:1078C0001040000F004028210E0007250000000096
69738+:1078D00000001021AE000000022038218FBF0018E8
69739+:1078E0008FB100148FB0001000402021000028212B
69740+:1078F000000030210A00084527BD00208CA20000AE
69741+:10790000022038218FBF00188FB100148FB00010F3
69742+:107910000040202100002821000030210A000845F5
69743+:1079200027BD002000A010213087FFFF8CA5000498
69744+:107930008C4400000A000845240600068F83FD9C45
69745+:1079400027BDFFE8AFBF0014AFB00010906700087C
69746+:10795000008010210080282130E600400000202116
69747+:1079600010C000088C5000000E0000BD0200202155
69748+:10797000020020218FBF00148FB000100A000548BC
69749+:1079800027BD00180E0008A4000000000E0000BD76
69750+:1079900002002021020020218FBF00148FB00010B0
69751+:1079A0000A00054827BD001827BDFFE0AFB0001052
69752+:1079B0008F90FD9CAFBF001CAFB20018AFB1001498
69753+:1079C00092060001008088210E00087230D2000467
69754+:1079D00092040005001129C2A6050000348300406E
69755+:1079E000A20300050E00087C022020210E00054A9B
69756+:1079F0000220202124020001AE02000C02202821D6
69757+:107A0000A602001024040002A602001224060200AE
69758+:107A1000A60200140E000725A60200161640000F4D
69759+:107A20008FBF001C978C00743C0B08008D6B007896
69760+:107A30002588FFFF3109FFFF256A0001012A382B45
69761+:107A400010E00006A78800743C0F6006240E0016A4
69762+:107A500035ED0010ADAE00508FBF001C8FB2001886
69763+:107A60008FB100148FB0001003E0000827BD002084
69764+:107A700027BDFFE0AFB10014AFBF0018AFB00010DA
69765+:107A80001080000400A088212402008010820007DA
69766+:107A9000000000000000000D8FBF00188FB100141F
69767+:107AA0008FB0001003E0000827BD00200E00087210
69768+:107AB00000A020218F86FD9C0220202190C500057A
69769+:107AC0000E00087C30B000FF2403003E1603FFF1D7
69770+:107AD0003C0680008CC401780480FFFE34C801405D
69771+:107AE000240900073C071000AD11000002202021EE
69772+:107AF000A10900048FBF00188FB100148FB00010CF
69773+:107B0000ACC701780A0008C527BD002027BDFFE0EB
69774+:107B1000AFB00010AFBF0018AFB100143C10800030
69775+:107B20008E110020000000000E00054AAE04002067
69776+:107B3000AE1100208FBF00188FB100148FB000105D
69777+:107B400003E0000827BD00203084FFFF00803821BB
69778+:107B50002406003500A020210A0008450000282145
69779+:107B60003084FFFF008038212406003600A0202149
69780+:107B70000A0008450000282127BDFFD0AFB500242A
69781+:107B80003095FFFFAFB60028AFB40020AFBF002C88
69782+:107B9000AFB3001CAFB20018AFB10014AFB000100B
69783+:107BA00030B6FFFF12A000270000A0218F920058DE
69784+:107BB0008E4300003C0680002402004000033E0289
69785+:107BC00000032C0230E4007F006698241482001D1C
69786+:107BD00030A500FF8F8300682C68000A1100001098
69787+:107BE0008F8D0044000358803C0C0800258C57B84A
69788+:107BF000016C50218D4900000120000800000000A8
69789+:107C000002D4302130C5FFFF0E0008522404008446
69790+:107C1000166000028F920058AF8000688F8D00447C
69791+:107C20002659002026980001032090213314FFFFDD
69792+:107C300015A00004AF9900580295202B1480FFDC9A
69793+:107C400000000000028010218FBF002C8FB600289A
69794+:107C50008FB500248FB400208FB3001C8FB20018A2
69795+:107C60008FB100148FB0001003E0000827BD003072
69796+:107C70002407003414A70149000000009247000EB9
69797+:107C80008F9FFDA08F90FD9C24181600A3E700197C
69798+:107C90009242000D3C0880003C07800CA3E20018D3
69799+:107CA000964A00123C0D60003C117FFFA60A005C62
69800+:107CB000964400103623FFFF240200053099FFFF91
69801+:107CC000AE1900548E46001CAD1800288CEF000041
69802+:107CD0008DAE444801E6482601C93021AE06003881
69803+:107CE0008E05003824CB00013C0E7F00AE05003C21
69804+:107CF0008E0C003CAFEC0004AE0B00208E13002075
69805+:107D0000AE13001CA3E0001BAE03002CA3E2001284
69806+:107D10008E4A001424130050AE0A00348E0400343E
69807+:107D2000AFE400148E590018AE1900489258000CA8
69808+:107D3000A218004E920D000835AF0020A20F0008D7
69809+:107D40008E090018012E282434AC4000AE0C001817
69810+:107D5000920B0000317200FF1253027F2403FF8058
69811+:107D60003C04080024845BE80E0008AA0000000020
69812+:107D70003C1108008E315BE80E00087202202021C1
69813+:107D80002405000424080001A2050025022020216A
69814+:107D90000E00087CA20800053C0580008CB001782C
69815+:107DA0000600FFFE8F92005834AE0140240F0002FF
69816+:107DB0003C091000ADD10000A1CF0004ACA90178AE
69817+:107DC0000A000962AF8000682CAD003751A0FF9413
69818+:107DD0008F8D0044000580803C110800263157E05B
69819+:107DE000021178218DEE000001C0000800000000A3
69820+:107DF0002411000414B1008C3C0780003C080800EA
69821+:107E00008D085BE88F86FD9CACE800208E4500085D
69822+:107E10008F99FDA0240D0050ACC500308E4C000899
69823+:107E2000ACCC00508E4B000CACCB00348E43001019
69824+:107E3000ACC300388E4A0010ACCA00548E42001405
69825+:107E4000ACC2003C8E5F0018AF3F00048E50001C97
69826+:107E5000ACD0002090C40000309800FF130D024AFF
69827+:107E6000000000008CC400348CD00030009030231F
69828+:107E700004C000F12404008C126000EE2402000310
69829+:107E80000A000962AF8200682419000514B900666F
69830+:107E90003C0580003C0808008D085BE88F86FD9C4F
69831+:107EA000ACA800208E4C00048F8AFDA0240720007F
69832+:107EB000ACCC001C924B000824120008A14B001906
69833+:107EC0008F82005890430009A14300188F85005805
69834+:107ED00090BF000A33E400FF1092001028890009C7
69835+:107EE000152000BA240E0002240D0020108D000B76
69836+:107EF000340780002898002117000008240740005C
69837+:107F000024100040109000053C0700012419008057
69838+:107F1000109900023C070002240740008CC20018A0
69839+:107F20003C03FF00004350240147F825ACDF001854
69840+:107F300090B2000BA0D200278F8300589464000CED
69841+:107F4000108001FE000000009467000C3C1F8000C0
69842+:107F50002405FFBFA4C7005C9063000E2407000443
69843+:107F6000A0C300088F820058904A000FA0CA0009E1
69844+:107F70008F8900588D3200108FE400740244C823AA
69845+:107F8000ACD900588D300014ACD0002C95380018B6
69846+:107F9000330DFFFFACCD00409531001A322FFFFFAB
69847+:107FA000ACCF00448D2E001CACCE00489128000EB2
69848+:107FB000A0C8000890CC000801855824126001B6C2
69849+:107FC000A0CB00088F9200580A000962AF870068B2
69850+:107FD0002406000614A600143C0E80003C0F080086
69851+:107FE0008DEF5BE88F85FD98ADCF00208E4900189E
69852+:107FF0008F86FD9C8F8BFDA0ACA900008CC800383B
69853+:1080000024040005ACA800048CCC003C1260008164
69854+:10801000AD6C00000A000962AF84006824110007FB
69855+:1080200010B1004B240400063C05080024A55BE8C1
69856+:108030000E000881240400818F9200580013102B39
69857+:108040000A000962AF820068241F002314BFFFF6F4
69858+:108050003C0C80003C0508008CA55BE88F8BFDA0E4
69859+:10806000AD8500208F91FD9C8E4600042564002084
69860+:1080700026450014AE260028240600030E000F81BA
69861+:10808000257000308F87005802002021240600034D
69862+:108090000E000F8124E500083C04080024845BE8FE
69863+:1080A0000E0008AA0000000092230000240A0050DD
69864+:1080B000306200FF544AFFE18F9200580E000F6CAF
69865+:1080C000000000000A000A6A8F920058240800335A
69866+:1080D00014A800323C0380003C1108008E315BE89C
69867+:1080E0008F8FFDA0AC7100208E420008240D002867
69868+:1080F0008F89FD9CADE200308E4A000C24060009F9
69869+:10810000ADEA00348E5F0010ADFF00388E440014DD
69870+:10811000ADE400208E590018ADF900248E58001CE3
69871+:10812000ADF80028A1ED00118E4E00041260003160
69872+:10813000AD2E00288F9200580A000962AF860068B1
69873+:10814000240D002214ADFFB8000000002404000735
69874+:108150003C1008008E105BE83C188000AF10002037
69875+:108160005660FEAEAF8400683C04080024845BE8DF
69876+:108170000E0008AA241300508F84FD9C90920000EA
69877+:10818000325900FF1333014B000000008F9200585A
69878+:10819000000020210A000962AF8400683C05080045
69879+:1081A00024A55BE80E000858240400810A000A6A2E
69880+:1081B0008F92005802D498213265FFFF0E000852BA
69881+:1081C000240400840A0009628F920058108EFF5325
69882+:1081D000240704002887000310E00179241100041B
69883+:1081E000240F0001548FFF4D240740000A000A228B
69884+:1081F000240701003C05080024A55BE80E0008A444
69885+:10820000240400828F920058000030210A00096285
69886+:10821000AF8600683C04080024845BE88CC2003808
69887+:108220000E0008AA8CC3003C8F9200580A000AC0B6
69888+:1082300000002021240400823C05080024A55BE8FE
69889+:108240000E0008A4000000008F92005800001021CA
69890+:108250000A000962AF8200688E5000048F91FD9C75
69891+:108260003C078000ACF00020922C00050200282181
69892+:10827000318B0002156001562404008A8F92FDA004
69893+:108280002404008D9245001B30A6002014C001502C
69894+:1082900002002821922E00092408001231C900FF93
69895+:1082A0001128014B240400810E00087202002021D5
69896+:1082B0009258001B240F000402002021370D0042B9
69897+:1082C000A24D001B0E00087CA22F00253C0580005B
69898+:1082D0008CA401780480FFFE34B90140241F000201
69899+:1082E000AF300000A33F00048F9200583C101000F4
69900+:1082F000ACB001780A000A6B0013102B8E500004FA
69901+:108300008F91FD9C3C038000AC700020922A0005F8
69902+:108310000200282131420002144000172404008A80
69903+:10832000922C00092412000402002821318B00FF46
69904+:1083300011720011240400810E0008720200202135
69905+:108340008F89FDA0240800122405FFFE912F001B39
69906+:108350000200202135EE0020A12E001BA2280009DA
69907+:108360009226000500C538240E00087CA2270005CF
69908+:1083700002002821000020210E0009330000000027
69909+:108380000A000A6A8F9200588E4C00043C07800055
69910+:108390003C10080026105BE8ACEC00203C01080013
69911+:1083A000AC2C5BE8924B0003317100041220013BBE
69912+:1083B0008F84FD9C24020006A0820009924F001BBE
69913+:1083C000240EFFC031E9003F012E4025A08800089F
69914+:1083D0009245000330A6000114C0013200000000E5
69915+:1083E0008E420008AE0200083C0208008C425BF09E
69916+:1083F000104001318F90FDA0000219C28F8DFD9CAD
69917+:10840000A603000C8E4A000C24180001240400145A
69918+:10841000AE0A002C8E420010AE02001C965F0016C1
69919+:10842000A61F003C96590014A619003EADB8000CDA
69920+:10843000A5B80010A5B80012A5B80014A5B800167C
69921+:1084400012600144A2040011925100033232000272
69922+:108450002E5300018F920058266200080A0009621C
69923+:10846000AF8200688E4400043C1980003C068008FE
69924+:10847000AF2400208E45000890D80000240D005045
69925+:10848000331100FF122D009C2407008824060009E8
69926+:108490000E000845000000000A000A6A8F9200588A
69927+:1084A0008E5000043C0980003C118008AD30002053
69928+:1084B0009228000024050050310400FF10850110AF
69929+:1084C0002407008802002021000028210E00084512
69930+:1084D0002406000E922D00002418FF80020028219F
69931+:1084E00001B8802524040004240600300E0007256E
69932+:1084F000A23000000A000A6A8F9200588E500004D1
69933+:108500008F91FDA03C028000AC500020923F001BE8
69934+:1085100033F900101320006C240700810200202191
69935+:10852000000028212406001F0E000845000000005E
69936+:108530000A000A6A8F9200588E44001C0E00085DE3
69937+:1085400000000000104000E3004048218F880058E0
69938+:1085500024070089012020218D05001C240600012C
69939+:108560000E000845000000000A000A6A8F920058B9
69940+:10857000964900023C10080026105BE831280004F0
69941+:10858000110000973C0460008E4E001C3C0F8000E0
69942+:10859000ADEE00203C010800AC2E5BE896470002DF
69943+:1085A00030E40001148000E6000000008E42000468
69944+:1085B000AE0200083C1008008E105BF0120000ECC8
69945+:1085C0003C0F80008F92FD9C241000018E4E0018FD
69946+:1085D0008F8DFDA08F9FFD9801CF4825AE490018D3
69947+:1085E000A2400005AE50000C3C0808008D085BF06E
69948+:1085F0008F840058A6500010000839C2A6500012FF
69949+:10860000A6500014A6500016A5A7000C8C8C0008DC
69950+:108610008F8B00588F8A0058ADAC002C8D63000CF6
69951+:1086200024070002ADA3001C91460010A1A6001172
69952+:108630008F82005890450011A3E500088F990058DB
69953+:1086400093380012A258004E8F910058922F0013B9
69954+:10865000A1AF00128F920058964E0014A5AE003CB8
69955+:1086600096490016A5A9003E8E480018ADA8001432
69956+:108670005660FD6AAF8700683C05080024A55BE8EA
69957+:108680000E000881000020218F9200580000382140
69958+:108690000A000962AF8700683C05080024A55BE872
69959+:1086A0000E0008A4240400828F9200580A000A4D8C
69960+:1086B000000038210E000F6C000000008F9200585F
69961+:1086C0000A000AC0000020210E00087202002021CA
69962+:1086D0009223001B02002021346A00100E00087C47
69963+:1086E000A22A001B000038210200202100002821BE
69964+:1086F0000A000BA52406001F9242000C305F000107
69965+:1087000013E0000300000000964A000EA4CA002CEB
69966+:10871000924B000C316300025060000600003821CB
69967+:108720008E470014964C0012ACC7001CA4CC001A53
69968+:10873000000038210A000B7F240600093C050800D0
69969+:1087400024A55BE80E0008A42404008B8F92005837
69970+:108750000A000A4D0013382B3C0C08008D8C5BE896
69971+:1087600024DFFFFE25930100326B007F016790211B
69972+:1087700002638824AD110028AE4600E0AE4000E45C
69973+:108780000A0009B3AE5F001CACC000543C0D0800E9
69974+:108790008DAD5BE83C18800C37090100ACED00287A
69975+:1087A0008E510014AD3100E08E4F0014AD2F00E467
69976+:1087B0008E4E001025C7FFFE0A0009F4AD27001CED
69977+:1087C0005491FDD6240740000A000A222407100015
69978+:1087D0000E00092D000000000A000A6A8F9200585E
69979+:1087E0008C83442C3C12DEAD3651BEEF3C010800B8
69980+:1087F000AC205BE810710062000000003C196C6264
69981+:1088000037387970147800082404000297850074C2
69982+:108810009782006C2404009200A2F82B13E0001948
69983+:1088200002002821240400020E00069524050200FF
69984+:108830003C068000ACC200203C010800AC225BE892
69985+:108840001040000D8F8C0058240A002824040003D7
69986+:10885000918B0010316300FF546A00012404000171
69987+:108860000E0000810000000010400004240400837A
69988+:108870000A000BC28F920058240400833C050800B4
69989+:1088800024A55BE80E000881000000008F920058CC
69990+:108890000013382B0A000962AF8700680A000B49F1
69991+:1088A000240200128E4400080E00085D0000000043
69992+:1088B0000A000B55AE0200083C05080024A55BE841
69993+:1088C0000E000858240400878F9200580A000B728B
69994+:1088D0000013102B240400040E000695240500301C
69995+:1088E0001440002A004048218F8800582407008344
69996+:1088F000012020218D05001C0A000BB32406000175
69997+:108900008F8300788F8600701066FEEE000038219D
69998+:108910003C07080024E75B6C000320C00087282187
69999+:108920008CAE000011D0005D246F000131E3000F18
70000+:108930005466FFFA000320C00A000B8C00003821A7
70001+:108940008E4400040E00085D000000000A000BC801
70002+:10895000AE0200083C05080024A55BE80E0008A450
70003+:10896000240400828F9200580A000B72000010212C
70004+:108970003C05080024A55BE80A000C7C2404008761
70005+:108980008C83442C0A000C5B3C196C628F88005865
70006+:108990003C0780083C0C8000240B0050240A000196
70007+:1089A000AD820020A0EB0000A0EA000191030004CA
70008+:1089B000A0E3001891040005A0E400199106000648
70009+:1089C0003C04080024845B6CA0E6001A91020007B6
70010+:1089D0003C06080024C65B68A0E2001B9105000865
70011+:1089E000A0E5001C911F0009A0FF001D9119000ABD
70012+:1089F000A0F9001E9118000BA0F8001F9112000CA6
70013+:108A0000A0F200209111000DA0F100219110000EA4
70014+:108A1000A0F00022910F000FA0EF0023910E001094
70015+:108A2000A0EE0024910D0011A0ED0025950C00147E
70016+:108A3000A4EC0028950B00168F8A00708F920078A6
70017+:108A4000A4EB002A95030018000A10C02545000178
70018+:108A5000A4E3002C8D1F001C0044C0210046C82147
70019+:108A600030A5000FAF3F0000AF09000010B20006B4
70020+:108A7000AF850070000038218D05001C01202021E9
70021+:108A80000A000BB32406000124AD000131A7000F3A
70022+:108A9000AF8700780A000CF9000038213C06080076
70023+:108AA00024C65B680086902100003821ACA000003D
70024+:108AB0000A000B8CAE4000003C0482013C036000C5
70025+:108AC00034820E02AC603D68AF80009803E000087D
70026+:108AD000AC623D6C27BDFFE8AFB000103090FFFFE7
70027+:108AE000001018422C620041AFBF00141440000275
70028+:108AF00024040080240300403C010800AC300060E6
70029+:108B00003C010800AC2300640E000F7500602821B2
70030+:108B1000244802BF2409FF8001092824001039805D
70031+:108B2000001030408FBF00148FB0001000A720212C
70032+:108B300000861821AF8300803C010800AC25005856
70033+:108B40003C010800AC24005C03E0000827BD0018CD
70034+:108B5000308300FF30C6FFFF30E400FF3C08800098
70035+:108B60008D0201B80440FFFE000354000144382583
70036+:108B70003C09600000E920253C031000AD050180A0
70037+:108B8000AD060184AD04018803E00008AD0301B81F
70038+:108B90008F8500583C0A6012354800108CAC0004E8
70039+:108BA0003C0D600E35A60010318B00062D690001CA
70040+:108BB000AD0900C48CA70004ACC731808CA20008AA
70041+:108BC00094A40002ACC231848CA3001C0460000396
70042+:108BD000A784009003E00008000000008CAF00189C
70043+:108BE000ACCF31D08CAE001C03E00008ACCE31D449
70044+:108BF0008F8500588F87FF288F86FF308CAE00044A
70045+:108C00003C0F601235E80010ACEE00788CAD000827
70046+:108C1000ACED007C8CAC0010ACCC004C8CAB000CF0
70047+:108C2000ACCB004894CA00543C0208008C4200447B
70048+:108C300025490001A4C9005494C400543083FFFFA7
70049+:108C400010620017000000003C0208008C42004047
70050+:108C5000A4C200528CA30018ACE300308CA2001414
70051+:108C6000ACE2002C8CB90018ACF900388CB80014B8
70052+:108C700024050001ACF800348D0600BC50C5001975
70053+:108C80008D0200B48D0200B8A4E2004894E40048CC
70054+:108C9000A4E4004A94E800EA03E000083102FFFF80
70055+:108CA0003C0208008C420024A4C00054A4C200521C
70056+:108CB0008CA30018ACE300308CA20014ACE2002CB2
70057+:108CC0008CB90018ACF900388CB8001424050001E8
70058+:108CD000ACF800348D0600BC54C5FFEB8D0200B823
70059+:108CE0008D0200B4A4E2004894E40048A4E4004AE1
70060+:108CF00094E800EA03E000083102FFFF8F86005885
70061+:108D00003C0480008CC900088CC80008000929C0F8
70062+:108D1000000839C0AC87002090C30007306200040F
70063+:108D20001040003EAF85009490CB0007316A0008E8
70064+:108D30001140003D8F87FF2C8CCD000C8CCE001491
70065+:108D400001AE602B11800036000000008CC2000CC8
70066+:108D5000ACE200708CCB00188F85FF288F88FF3025
70067+:108D6000ACEB00748CCA00102402FFF8ACAA00D847
70068+:108D70008CC9000CAD0900608CC4001CACA400D0F0
70069+:108D800090E3007C0062C824A0F9007C90D8000722
70070+:108D9000330F000811E000040000000090ED007C9B
70071+:108DA00035AC0001A0EC007C90CF000731EE000153
70072+:108DB00011C000060000000090E3007C241800347D
70073+:108DC00034790002A0F9007CACB800DC90C2000746
70074+:108DD0003046000210C000040000000090E8007C53
70075+:108DE00035040004A0E4007C90ED007D3C0B600E97
70076+:108DF000356A001031AC003FA0EC007D8D4931D4C4
70077+:108E00003127000110E00002240E0001A0AE00098D
70078+:108E100094AF00EA03E0000831E2FFFF8F87FF2CE8
70079+:108E20000A000DAF8CC200140A000DB0ACE0007057
70080+:108E30008F8C005827BDFFD8AFB3001CAFB200180D
70081+:108E4000AFB00010AFBF0020AFB10014918F00157C
70082+:108E50003C13600E3673001031EB000FA38B009CA7
70083+:108E60008D8F00048D8B0008959F0012959900103E
70084+:108E70009584001A9598001E958E001C33EDFFFF17
70085+:108E8000332AFFFF3089FFFF3308FFFF31C7FFFFA1
70086+:108E90003C010800AC2D00243C010800AC29004432
70087+:108EA0003C010800AC2A0040AE683178AE67317CE6
70088+:108EB00091850015959100163C12601236520010F3
70089+:108EC00030A200FF3230FFFFAE623188AE5000B4F6
70090+:108ED00091830014959F0018240600010066C804C1
70091+:108EE00033F8FFFFAE5900B8AE5800BC918E0014A5
70092+:108EF000AF8F00843C08600631CD00FFAE4D00C04E
70093+:108F0000918A00159584000E3C07600A314900FFE4
70094+:108F1000AF8B00883084FFFFAE4900C835110010C8
70095+:108F20000E000D1034F004103C0208008C4200606A
70096+:108F30003C0308008C6300643C0608008CC60058A3
70097+:108F40003C0508008CA5005C8F8400808FBF00204A
70098+:108F5000AE23004CAE65319CAE030054AE4500DC40
70099+:108F6000AE6231A0AE6331A4AE663198AE22004845
70100+:108F70008FB3001CAE0200508FB10014AE4200E06F
70101+:108F8000AE4300E4AE4600D88FB000108FB2001898
70102+:108F90000A00057D27BD0028978500929783007CF5
70103+:108FA00027BDFFE8AFB0001000A3102BAFBF001427
70104+:108FB000240400058F900058104000552409000239
70105+:108FC0000E0006958F850080AF8200942404000374
70106+:108FD0001040004F240900023C0680000E00008172
70107+:108FE000ACC2002024070001240820001040004DDE
70108+:108FF00024040005978E00928F8AFF2C24090050CC
70109+:1090000025C50001A7850092A14900003C0D08007C
70110+:109010008DAD0064240380008F84FF28000D66005E
70111+:10902000AD4C0018A5400006954B000A8F85FF3017
70112+:109030002402FF8001633024A546000A915F000AE4
70113+:109040000000482103E2C825A159000AA0A0000899
70114+:10905000A140004CA08000D5961800029783009094
70115+:109060003C020004A49800EA960F00022418FFBFF7
70116+:1090700025EE2401A48E00BE8E0D0004ACAD00448C
70117+:109080008E0C0008ACAC0040A4A00050A4A000547A
70118+:109090008E0B000C240C0030AC8B00288E060010C8
70119+:1090A000AC860024A480003EA487004EA487005014
70120+:1090B000A483003CAD420074AC8800D8ACA800602A
70121+:1090C000A08700FC909F00D433F9007FA09900D4C2
70122+:1090D000909000D402187824A08F00D4914E007C88
70123+:1090E00035CD0001A14D007C938B009CAD480070F4
70124+:1090F000AC8C00DCA08B00D68F8800888F87008422
70125+:10910000AC8800C4AC8700C8A5400078A540007AB0
70126+:109110008FBF00148FB000100120102103E0000861
70127+:1091200027BD00188F8500940E0007258F860080CC
70128+:109130000A000E9F2409000227BDFFE0AFB0001017
70129+:109140008F900058AFB10014AFBF00188E09000413
70130+:109150000E00054A000921C08E0800048F84FF28F4
70131+:109160008F82FF30000839C03C068000ACC7002069
70132+:10917000948500EA904300131460001C30B1FFFF97
70133+:109180008F8CFF2C918B0008316A00401540000B3A
70134+:10919000000000008E0D0004022030218FBF001857
70135+:1091A0008FB100148FB00010240400220000382179
70136+:1091B000000D29C00A000D2F27BD00200E000098C9
70137+:1091C000000000008E0D0004022030218FBF001827
70138+:1091D0008FB100148FB00010240400220000382149
70139+:1091E000000D29C00A000D2F27BD00200E000090A1
70140+:1091F000000000008E0D0004022030218FBF0018F7
70141+:109200008FB100148FB00010240400220000382118
70142+:10921000000D29C00A000D2F27BD002027BDFFE04B
70143+:10922000AFB200183092FFFFAFB00010AFBF001C0C
70144+:10923000AFB100141240001E000080218F8600583C
70145+:109240008CC500002403000600053F02000514023F
70146+:1092500030E4000714830016304500FF2CA80006F8
70147+:1092600011000040000558803C0C0800258C58BCBB
70148+:10927000016C50218D490000012000080000000011
70149+:109280008F8E0098240D000111CD005024020002A1
70150+:10929000AF820098260900013130FFFF24C800206A
70151+:1092A0000212202B010030211480FFE5AF88005806
70152+:1092B000020010218FBF001C8FB200188FB1001464
70153+:1092C0008FB0001003E0000827BD00209387007EC8
70154+:1092D00054E00034000030210E000DE700000000D3
70155+:1092E0008F8600580A000EFF240200018F87009825
70156+:1092F0002405000210E50031240400130000282199
70157+:1093000000003021240700010E000D2F0000000096
70158+:109310000A000F008F8600588F83009824020002F5
70159+:109320001462FFF6240400120E000D9A00000000E3
70160+:109330008F85009400403021240400120E000D2F70
70161+:10934000000038210A000F008F8600588F83009894
70162+:109350002411000310710029241F0002107FFFCE8A
70163+:1093600026090001240400100000282100003021FB
70164+:109370000A000F1D240700018F91009824060002A7
70165+:109380001626FFF9240400100E000E410000000014
70166+:10939000144000238F9800588F8600580A000EFF53
70167+:1093A00024020003240400140E000D2F00002821C5
70168+:1093B0008F8600580A000EFF240200020E000EA93C
70169+:1093C000000000000A000F008F8600580E000D3FBD
70170+:1093D00000000000241900022404001400002821C9
70171+:1093E0000000302100003821AF9900980E000D2FA9
70172+:1093F000000000000A000F008F8600580E000D5775
70173+:10940000000000008F8500942419000200403021E4
70174+:1094100024040010000038210A000F56AF9900986C
70175+:109420000040382124040010970F0002000028217A
70176+:109430000E000D2F31E6FFFF8F8600580A000F0047
70177+:10944000AF9100988F84FF2C3C077FFF34E6FFFF2D
70178+:109450008C8500182402000100A61824AC83001893
70179+:1094600003E00008A08200053084FFFF30A5FFFF65
70180+:109470001080000700001821308200011040000217
70181+:1094800000042042006518211480FFFB00052840DD
70182+:1094900003E000080060102110C000070000000079
70183+:1094A0008CA2000024C6FFFF24A50004AC820000AB
70184+:1094B00014C0FFFB2484000403E000080000000047
70185+:1094C00010A0000824A3FFFFAC86000000000000ED
70186+:1094D000000000002402FFFF2463FFFF1462FFFA74
70187+:1094E0002484000403E0000800000000000411C010
70188+:1094F00003E000082442024027BDFFE8AFB000109F
70189+:1095000000808021AFBF00140E000F9600A0202124
70190+:1095100000504821240AFF808FBF00148FB0001034
70191+:10952000012A30243127007F3C08800A3C042100B6
70192+:1095300000E8102100C428253C03800027BD001846
70193+:10954000AC650024AF820038AC400000AC6500245C
70194+:1095500003E00008AC4000403C0D08008DAD005811
70195+:1095600000056180240AFF8001A45821016C482174
70196+:10957000012A30243127007F3C08800C3C04210064
70197+:1095800000E8102100C428253C038000AC650028B9
70198+:10959000AF82003403E00008AC40002430A5FFFF98
70199+:1095A0003C0680008CC201B80440FFFE3C086015F8
70200+:1095B00000A838253C031000ACC40180ACC0018475
70201+:1095C000ACC7018803E00008ACC301B83C0D08003B
70202+:1095D0008DAD005800056180240AFF8001A4582148
70203+:1095E000016C4021010A4824000931403107007F05
70204+:1095F00000C728253C04200000A418253C02800058
70205+:10960000AC43083003E00008AF80003427BDFFE81A
70206+:10961000AFB0001000808021AFBF00140E000F9685
70207+:1096200000A0202100504821240BFF80012B502452
70208+:10963000000A39403128007F3C0620008FBF00140B
70209+:109640008FB0001000E8282534C2000100A21825C0
70210+:109650003C04800027BD0018AC83083003E00008FC
70211+:10966000AF8000383C0580088CA700603C0680086D
70212+:109670000087102B144000112C8340008CA8006040
70213+:109680002D0340001060000F240340008CC90060CF
70214+:109690000089282B14A00002008018218CC30060D0
70215+:1096A00000035A42000B30803C0A0800254A59202A
70216+:1096B00000CA202103E000088C8200001460FFF340
70217+:1096C0002403400000035A42000B30803C0A08008B
70218+:1096D000254A592000CA202103E000088C8200009E
70219+:1096E0003C05800890A60008938400AB24C20001CA
70220+:1096F000304200FF3043007F1064000C0002382726
70221+:10970000A0A200083C0480008C85017804A0FFFE24
70222+:109710008F8A00A0240900023C081000AC8A014096
70223+:10972000A089014403E00008AC8801780A00101BFE
70224+:1097300030E2008027BDFFD8AFB200188F9200A49E
70225+:10974000AFBF0020AFB3001CAFB00010AFB100142A
70226+:109750008F9300348E5900283C1000803C0EFFEFA0
70227+:10976000AE7900008E580024A260000A35CDFFFFBC
70228+:10977000AE7800049251002C3C0BFF9F356AFFFF2E
70229+:10978000A271000C8E6F000C3C080040A271000B0F
70230+:1097900001F06025018D4824012A382400E8302595
70231+:1097A000AE66000C8E450004AE6000183C0400FF5D
70232+:1097B000AE6500148E43002C3482FFFFA6600008C3
70233+:1097C0000062F824AE7F00108E5900088F9000A030
70234+:1097D000964E0012AE7900208E51000C31D83FFF1A
70235+:1097E00000187980AE7100248E4D001401F06021C4
70236+:1097F00031CB0001AE6D00288E4A0018000C41C22A
70237+:10980000000B4B80AE6A002C8E46001C01093821EB
70238+:10981000A667001CAE660030964500028E4400200C
70239+:10982000A665001EAE64003492430033306200042B
70240+:1098300054400006924700003C0280083443010077
70241+:109840008C7F00D0AE7F0030924700008F860038BA
70242+:10985000A0C700309245003330A4000250800007BA
70243+:10986000925100018F880038240BFF80910A00304C
70244+:10987000014B4825A1090030925100018F9000381A
70245+:10988000240CFFBF2404FFDFA21100318F8D0038AC
70246+:109890003C1880083711008091AF003C31EE007F0A
70247+:1098A000A1AE003C8F890038912B003C016C502404
70248+:1098B000A12A003C8F9F00388E68001493E6003C7C
70249+:1098C0002D0700010007114000C4282400A218251C
70250+:1098D000A3E3003C8F87003896590012A4F90032A8
70251+:1098E0008E450004922E007C30B0000300107823D7
70252+:1098F00031ED000300AD102131CC000215800002D3
70253+:1099000024460034244600303C0280083443008062
70254+:10991000907F007C00BFC824333800041700000289
70255+:1099200024C2000400C010218F98003824190002BE
70256+:10993000ACE20034A3190000924F003F8F8E003834
70257+:109940003C0C8008358B0080A1CF00018F9100383E
70258+:10995000924D003F8E440004A62D0002956A005CE3
70259+:109960000E000FF43150FFFF00024B800209382532
70260+:109970003C08420000E82825AE2500048E4400384B
70261+:109980008F850038ACA400188E460034ACA6001CAD
70262+:10999000ACA0000CACA00010A4A00014A4A0001661
70263+:1099A000A4A00020A4A00022ACA000248E62001479
70264+:1099B00050400001240200018FBF00208FB3001C23
70265+:1099C0008FB200188FB100148FB00010ACA2000845
70266+:1099D0000A00101327BD002827BDFFC83C058008DA
70267+:1099E00034A40080AFBF0034AFBE0030AFB7002C4E
70268+:1099F000AFB60028AFB50024AFB40020AFB3001C51
70269+:109A0000AFB20018AFB10014AFB00010948300786B
70270+:109A10009482007A104300512405FFFF0080F0215A
70271+:109A20000A0011230080B821108B004D8FBF003435
70272+:109A30008F8600A03C1808008F18005C2411FF805E
70273+:109A40003C1680000306782101F18024AED0002C62
70274+:109A500096EE007A31EC007F3C0D800E31CB7FFF1B
70275+:109A6000018D5021000B4840012AA82196A4000036
70276+:109A70003C0808008D0800582405FF8030953FFF02
70277+:109A800001061821001539800067C8210325F82434
70278+:109A90003C02010003E290253338007F3C11800C2A
70279+:109AA000AED20028031190219250000D320F000415
70280+:109AB00011E0003702E0982196E3007A96E8007AF8
70281+:109AC00096E5007A2404800031077FFF24E300013B
70282+:109AD00030627FFF00A4F82403E2C825A6F9007ACB
70283+:109AE00096E6007A3C1408008E94006030D67FFF22
70284+:109AF00012D400C1000000008E5800188F8400A00E
70285+:109B000002A028212713FFFF0E000FCEAE53002C1A
70286+:109B100097D5007897D4007A12950010000028217C
70287+:109B20003C098008352401003C0A8008914800085F
70288+:109B3000908700D53114007F30E400FF0284302B81
70289+:109B400014C0FFB9268B0001938E00AB268C000158
70290+:109B5000008E682115ACFFB78F8600A08FBF003440
70291+:109B60008FBE00308FB7002C8FB600288FB5002431
70292+:109B70008FB400208FB3001C8FB200188FB1001477
70293+:109B80008FB0001000A0102103E0000827BD0038AE
70294+:109B900000C020210E000F99028028218E4B00105A
70295+:109BA0008E4C00308F84003824090002016C502351
70296+:109BB000AE4A0010A089000096E3005C8E4400309D
70297+:109BC0008F9100380E000FF43070FFFF00024380C9
70298+:109BD000020838253C02420000E22825AE25000498
70299+:109BE0008E5F00048F8A00388E590000240B000815
70300+:109BF000AD5F001CAD590018AD40000CAD40001029
70301+:109C00009246000A240400052408C00030D000FF5A
70302+:109C1000A550001496580008A55800169251000A45
70303+:109C20003C188008322F00FFA54F0020964E0008F8
70304+:109C300037110100A54E0022AD400024924D000BCB
70305+:109C400031AC00FFA54C0002A14B00018E49003051
70306+:109C50008F830038240BFFBFAC690008A06400307C
70307+:109C60008F9000382403FFDF9607003200E8282495
70308+:109C700000B51025A6020032921F003233F9003FD2
70309+:109C800037260040A20600328F8C0038AD800034A9
70310+:109C90008E2F00D0AD8F0038918E003C3C0F7FFF9F
70311+:109CA00031CD007FA18D003C8F84003835EEFFFF61
70312+:109CB000908A003C014B4824A089003C8F850038E5
70313+:109CC00090A8003C01033824A0A7003C8E42003439
70314+:109CD0008F9100383C038008AE2200408E59002C42
70315+:109CE0008E5F0030033F3023AE26004492300048A0
70316+:109CF0003218007FA23800488F8800388E4D00301F
70317+:109D00008D0C004801AE582401965024014B482583
70318+:109D1000AD0900489244000AA104004C964700088F
70319+:109D20008F850038A4A7004E8E5000308E4400303E
70320+:109D30000E0003818C65006092F9007C0002F940FE
70321+:109D4000004028210002110003E2302133360002D6
70322+:109D500012C00003020680210005B0800216802197
70323+:109D6000926D007C31B30004126000020005708027
70324+:109D7000020E80218E4B00308F8800382405800031
70325+:109D8000316A0003000A4823312400030204182129
70326+:109D9000AD03003496E4007A96F0007A96F1007AEA
70327+:109DA00032027FFF2447000130FF7FFF0225C824D5
70328+:109DB000033F3025A6E6007A96F8007A3C120800A8
70329+:109DC0008E520060330F7FFF11F200180000000078
70330+:109DD0008F8400A00E000FCE02A028218F8400A047
70331+:109DE0000E000FDE028028210E001013000000007C
70332+:109DF0000A00111F0000000096F1007A022480245E
70333+:109E0000A6F0007A92EF007A92EB007A31EE00FF32
70334+:109E1000000E69C2000D6027000C51C03169007F3F
70335+:109E2000012A20250A001119A2E4007A96E6007A98
70336+:109E300000C5C024A6F8007A92EF007A92F3007A67
70337+:109E400031F200FF001271C2000E6827000DB1C090
70338+:109E5000326C007F01962825A2E5007A0A0011D015
70339+:109E60008F8400A03C0380003084FFFF30A5FFFFFB
70340+:109E7000AC640018AC65001C03E000088C620014A0
70341+:109E800027BDFFA03C068008AFBF005CAFBE0058F6
70342+:109E9000AFB70054AFB60050AFB5004CAFB40048F8
70343+:109EA000AFB30044AFB20040AFB1003CAFB0003838
70344+:109EB00034C80100910500D590C700083084FFFF29
70345+:109EC00030A500FF30E2007F0045182AAFA4001043
70346+:109ED000A7A00018A7A0002610600055AFA000148E
70347+:109EE00090CA00083149007F00A9302324D3FFFF26
70348+:109EF0000013802B8FB400100014902B02128824C2
70349+:109F0000522000888FB300143C03800894790052DB
70350+:109F1000947E00508FB60010033EC0230018BC0092
70351+:109F2000001714030016FC0002C2A82A16A00002A3
70352+:109F3000001F2C030040282100133C0000072403CD
70353+:109F400000A4102A5440000100A020212885000907
70354+:109F500014A000020080A021241400083C0C8008FA
70355+:109F60008D860048001459808D88004C3C03800089
70356+:109F70003169FFFF3C0A0010012A202534710400DA
70357+:109F8000AC660038AF9100A4AC68003CAC64003013
70358+:109F900000000000000000000000000000000000C1
70359+:109FA00000000000000000000000000000000000B1
70360+:109FB0008C6E000031CD002011A0FFFD0014782A26
70361+:109FC00001F01024104000390000A8213C16800840
70362+:109FD00092D700083C1280008E44010032F6007FC8
70363+:109FE0000E000F9902C028218E3900108E44010006
70364+:109FF0000000902133373FFF0E000FB102E028210F
70365+:10A00000923800003302003F2C500008520000102C
70366+:10A0100000008821000210803C030800246358E4FB
70367+:10A020000043F8218FFE000003C00008000000007C
70368+:10A0300090CF0008938C00AB31EE007F00AE682318
70369+:10A04000018D58210A0012172573FFFF0000882197
70370+:10A050003C1E80008FC401000E000FCE02E02821BC
70371+:10A060008FC401000E000FDE02C028211220000F55
70372+:10A070000013802B8F8B00A426A400010004AC00E9
70373+:10A08000027298230015AC032578004002B4B02A70
70374+:10A090000013802B241700010300882102D0102414
70375+:10A0A000AF9800A41440FFC9AFB700143C07800864
70376+:10A0B00094E200508FAE00103C05800002A288217F
70377+:10A0C0003C060020A4F10050ACA6003094F40050EF
70378+:10A0D00094EF005201D51823306CFFFF11F4001EDD
70379+:10A0E000AFAC00108CEF004C001561808CF500487F
70380+:10A0F00001EC28210000202100AC582B02A4C02133
70381+:10A10000030BB021ACE5004CACF600488FB4001056
70382+:10A110000014902B021288241620FF7C3C03800838
70383+:10A120008FB300148FBF005C8FBE00583A620001ED
70384+:10A130008FB700548FB600508FB5004C8FB40048D5
70385+:10A140008FB300448FB200408FB1003C8FB0003815
70386+:10A1500003E0000827BD006094FE00548CF2004428
70387+:10A1600033C9FFFE0009C8C00259F821ACBF003C4A
70388+:10A170008CE800448CAD003C010D50231940003B9D
70389+:10A18000000000008CF7004026E20001ACA200387D
70390+:10A190003C05005034A700103C038000AC67003041
70391+:10A1A00000000000000000000000000000000000AF
70392+:10A1B000000000000000000000000000000000009F
70393+:10A1C0008C7800003316002012C0FFFD3C1180087F
70394+:10A1D000962200543C1580003C068008304E000159
70395+:10A1E000000E18C0007578218DEC04003C070800B3
70396+:10A1F0008CE700443C040020ACCC00488DF40404FF
70397+:10A20000240B0001ACD4004C10EB0260AEA4003073
70398+:10A21000963900523C0508008CA5004000B99021F9
70399+:10A22000A6320052963F005427ED0001A62D00549F
70400+:10A230009626005430C4FFFF5487FF2F8FB40010C0
70401+:10A2400030A5FFFF0E0011F4A62000543C070800C3
70402+:10A250008CE70024963E00520047B82303D74823DA
70403+:10A26000A62900520A0012198FB400108CE2004097
70404+:10A270000A0012BE00000000922400012407000121
70405+:10A280003085007F14A7001C97AD00268E2B00148C
70406+:10A29000240CC000316A3FFF01AC48243C06080092
70407+:10A2A0008CC60060012A402531043FFF0086882BC0
70408+:10A2B00012200011A7A800263C0508008CA5005814
70409+:10A2C0008F9100A0000439802402FF8000B1182182
70410+:10A2D0000067F82103E2F02433F8007F3C1280008D
70411+:10A2E0003C19800EAE5E002C0319702191D0000D38
70412+:10A2F000360F0004A1CF000D0E001028241200011B
70413+:10A30000241100013C1E80008FC401000E000FCEFE
70414+:10A3100002E028218FC401000E000FDE02C02821B8
70415+:10A320001620FF558F8B00A40A0012860013802B85
70416+:10A330008F8600A490C80001310400201080019194
70417+:10A34000241000013C048008348B0080916A007C5A
70418+:10A350008F9E0034AFA0002C314900011120000F66
70419+:10A36000AFB000288CCD00148C8E006001AE602B45
70420+:10A370001580000201A038218C8700603C188008FD
70421+:10A38000370300808C70007000F0782B15E000021D
70422+:10A3900000E020218C640070AFA4002C3C028008F7
70423+:10A3A000344500808CD200148CBF0070025FC82B33
70424+:10A3B00017200002024020218CA400708FA7002CDF
70425+:10A3C0000087182310600003AFA3003024050002AB
70426+:10A3D000AFA500288FA400280264882B162000BA9D
70427+:10A3E000000018218CD000388FCE000C3C0F00806C
70428+:10A3F000AFD000008CCD00343C0CFF9F01CF58251E
70429+:10A40000AFCD000490CA003F3586FFFF01662024CF
70430+:10A410003C0900203C08FFEFA3CA000B0089382547
70431+:10A420003511FFFF00F118243C0500088F8700A4B8
70432+:10A430000065C825AFD9000C8CE20014AFC000182D
70433+:10A440008FA60030AFC200148CF800188FB0002C1B
70434+:10A450003C1FFFFBAFD8001C8CEF000837F2FFFF5A
70435+:10A4600003326824AFCF00248CEC000C020670216C
70436+:10A47000AFCD000CA7C00038A7C0003AAFCE002C6B
70437+:10A48000AFCC0020AFC000288CEA00148FAB002CAA
70438+:10A49000014B48230126402311000011AFC80010D2
70439+:10A4A00090EB003D8FC900048FC80000000B5100E5
70440+:10A4B000012A28210000102100AA882B010218215E
70441+:10A4C0000071F821AFC50004AFDF000090F2003D3D
70442+:10A4D000A3D2000A8F9900A497380006A7D80008D5
70443+:10A4E0008F910038240800023C038008A228000055
70444+:10A4F0003465008094BF005C8FA4002C33F0FFFF14
70445+:10A500000E000FF48F9200380002CB808F8500A4DC
70446+:10A51000021978253C18420001F87025AE4E00045F
70447+:10A520008F8400388CAD0038AC8D00188CAC0034B2
70448+:10A53000AC8C001CAC80000CAC800010A48000141B
70449+:10A54000A4800016A4800020A4800022AC800024F7
70450+:10A5500090A6003F8FA7002CA486000250E0019235
70451+:10A56000240700018FA200305040000290A2003D5D
70452+:10A5700090A2003E244A0001A08A00018F84003886
70453+:10A580008FA9002CAC8900083C128008364D008051
70454+:10A5900091AC007C3186000214C000022407003414
70455+:10A5A000240700308F8500A43C198008373F0080C5
70456+:10A5B00090B0000093F9007C240E0004A0900030BD
70457+:10A5C0008F8F00A48FB8002C8F8D003891F200017E
70458+:10A5D0003304000301C46023A1B200318F8E003820
70459+:10A5E0008F8600A42402C00095CA003294C90012CC
70460+:10A5F0008FAB002C0142402431233FFF010388250B
70461+:10A60000A5D1003291D000323185000300EBF82152
70462+:10A610003218003F370F0040A1CF00328FA4002C2A
70463+:10A6200003E5382133280004108000028F850038AC
70464+:10A6300000E838213C0A8008ACA700343549010005
70465+:10A640008D2800D08FA3002C2419FFBFACA80038A0
70466+:10A6500090B1003C2C640001240FFFDF3227007F03
70467+:10A66000A0A7003C8F98003800049140931F003C45
70468+:10A6700003F98024A310003C8F8C0038918E003C9D
70469+:10A6800001CF682401B23025A186003C8F8900A447
70470+:10A690008F8800388D2B0020AD0B00408D220024C8
70471+:10A6A000AD0200448D2A0028AD0A00488D23002CFD
70472+:10A6B0000E001013AD03004C8FB1002824070002D8
70473+:10A6C000122700118FA300280003282B00058023E8
70474+:10A6D0000270982400608021006090210A00126FAF
70475+:10A6E0000010882B962900128F8400A00000902172
70476+:10A6F0003125FFFFA7A900180E000FC22411000189
70477+:10A700000A00131D3C1E80003C0B80003C12800898
70478+:10A710008D640100924900088F92FF340E000F995A
70479+:10A720003125007F8F9900388FA700288FA4003033
70480+:10A73000A3270000965F005C33F0FFFF0E000FF4CC
70481+:10A740008F91003800026B80020D80253C0842008A
70482+:10A750008F8D00A402085025AE2A00048DA5003874
70483+:10A760008F8A003800007821000F1100AD450018D5
70484+:10A770008DB800343C047FFF3488FFFFAD58001CC7
70485+:10A7800091A6003E8D4C001C8D4900180006190052
70486+:10A79000000677020183C821004E58250323882B29
70487+:10A7A000012B382100F1F821AD59001CAD5F0018D4
70488+:10A7B000AD40000CAD40001091B0003E8FA40030C1
70489+:10A7C00024090005A550001495A500042419C00013
70490+:10A7D00000884024A545001691B8003EA5580020E9
70491+:10A7E00095AF0004A54F0022AD40002491AE003F7C
70492+:10A7F000A54E000291A6003E91AC003D01861023BB
70493+:10A80000244B0001A14B00018F9100388FA3003031
70494+:10A810003C028008344B0100AE230008A22900301E
70495+:10A820008F8C00388F8700A4959F003294F000121F
70496+:10A830002407FFBF033FC02432053FFF03057825EF
70497+:10A84000A58F0032918E00322418FFDF31CD003FFA
70498+:10A8500035A60040A18600328F910038240DFFFFFD
70499+:10A86000240CFF80AE2000348D6A00D0AE2A003860
70500+:10A870009223003C3069007FA229003C8F90003871
70501+:10A880003C0380009219003C0327F824A21F003CDF
70502+:10A890008F8E003891C5003C00B87824A1CF003CD1
70503+:10A8A0008F8A00383C0E8008AD4D00408FA6002CEA
70504+:10A8B000AD46004491420048004C5825A14B004849
70505+:10A8C0008F9000388F9900A48E09004801238824B6
70506+:10A8D00002283825AE070048933F003EA21F004CD7
70507+:10A8E0008F9800A48F8F003897050004A5E5004ECF
70508+:10A8F0000E0003818DC500609246007C8FAC003055
70509+:10A9000000026940000291000040282130CB000283
70510+:10A9100001B21021156000AA018230213C0E80088E
70511+:10A9200035C20080904C007C31830004106000032D
70512+:10A930008FB900300005788000CF3021241F00043B
70513+:10A940008F910038332D000303ED8023320800037C
70514+:10A9500000C85021AE2A00343C188000A7C500383A
70515+:10A960003C0680088F04010090DE00080E000FDE18
70516+:10A9700033C5007F0E001013000000000A00140D04
70517+:10A980008FA300288F9800348CC90038241F00033F
70518+:10A99000A7000008AF0900008CC50034A300000A1E
70519+:10A9A0008F9900A4AF0500043C080080932D003F60
70520+:10A9B000A31F000C8F0A000C3C02FF9FA30D000B8D
70521+:10A9C0000148F0253451FFFF3C12FFEF8F9900A49E
70522+:10A9D00003D170243646FFFF01C61824AF03000CD4
70523+:10A9E0008F2C0014972900128F8400A0AF0C001048
70524+:10A9F0008F2F0014AF000018AF000020AF0F00141D
70525+:10AA0000AF0000248F270018312F3FFF000F59801F
70526+:10AA1000AF0700288F2500080164F821312D0001BF
70527+:10AA2000AF0500308F31000C8F920038001F51C2EB
70528+:10AA3000000D438001481021241E00023C068008BE
70529+:10AA4000A702001CA7000034AF11002CA25E00007A
70530+:10AA500034D20080964E005C8F9900383C0342004F
70531+:10AA600031CCFFFF01833825AF2700048F8B00A472
70532+:10AA7000240500012402C0008D640038240700343E
70533+:10AA8000AF2400188D690034AF29001CAF20000CE2
70534+:10AA9000AF200010A7200014A7200016A720002038
70535+:10AAA000A7200022AF200024A7300002A325000128
70536+:10AAB0008F8800388F9F00A4AD10000893ED000030
70537+:10AAC000A10D00308F8A00A48F98003891510001A9
70538+:10AAD000A31100318F8B0038957E003203C27024A1
70539+:10AAE00001CF6025A56C0032916300323064003FD5
70540+:10AAF000A16400329249007C3125000214A00002BA
70541+:10AB00008F840038240700303C198008AC8700345B
70542+:10AB1000373201008E5F00D0240AFFBF020090216F
70543+:10AB2000AC9F0038908D003C31A8007FA088003C8D
70544+:10AB30008F9E003893C2003C004A8824A3D1003C79
70545+:10AB40008F8300380010882B9066003C34CE0020A4
70546+:10AB5000A06E003C8F8400A48F9800388C8C00205D
70547+:10AB6000AF0C00408C8F0024AF0F00448C8700286E
70548+:10AB7000AF0700488C8B002CAF0B004C0E0010135D
70549+:10AB80003C1E80000A0012700000000094C80052B1
70550+:10AB90003C0A08008D4A002401488821A4D10052B3
70551+:10ABA0000A0012198FB40010A08700018F840038AA
70552+:10ABB000240B0001AC8B00080A0013BE3C12800875
70553+:10ABC000000520800A0014A200C4302127BDFFE048
70554+:10ABD0003C0D8008AFB20018AFB00010AFBF001C32
70555+:10ABE000AFB1001435B200808E4C001835A80100BA
70556+:10ABF000964B000695A70050910900FC000C5602E8
70557+:10AC0000016728233143007F312600FF240200031F
70558+:10AC1000AF8300A8AF8400A010C2001B30B0FFFFBC
70559+:10AC2000910600FC2412000530C200FF10520033D0
70560+:10AC300000000000160000098FBF001C8FB2001832
70561+:10AC40008FB100148FB00010240D0C003C0C80005C
70562+:10AC500027BD002003E00008AD8D00240E0011FB8D
70563+:10AC6000020020218FBF001C8FB200188FB100148A
70564+:10AC70008FB00010240D0C003C0C800027BD00207C
70565+:10AC800003E00008AD8D0024965800789651007AB4
70566+:10AC9000924E007D0238782631E8FFFF31C400C0B3
70567+:10ACA000148000092D11000116000037000000007B
70568+:10ACB0005620FFE28FBF001C0E0010D100000000E4
70569+:10ACC0000A00156A8FBF001C1620FFDA0000000082
70570+:10ACD0000E0010D1000000001440FFD88FBF001CF0
70571+:10ACE0001600002200000000925F007D33E2003F6A
70572+:10ACF000A242007D0A00156A8FBF001C950900EA78
70573+:10AD00008F86008000802821240400050E0007257E
70574+:10AD10003130FFFF978300923C0480002465FFFFE1
70575+:10AD2000A78500928C8A01B80540FFFE0000000054
70576+:10AD3000AC8001808FBF001CAC9001848FB20018E2
70577+:10AD40008FB100148FB000103C0760133C0B100053
70578+:10AD5000240D0C003C0C800027BD0020AC8701882E
70579+:10AD6000AC8B01B803E00008AD8D00240E0011FB90
70580+:10AD7000020020215040FFB18FBF001C925F007D78
70581+:10AD80000A00159733E2003F0E0011FB020020215C
70582+:10AD90001440FFAA8FBF001C122000070000000013
70583+:10ADA0009259007D3330003F36020040A242007DC0
70584+:10ADB0000A00156A8FBF001C0E0010D100000000B1
70585+:10ADC0005040FF9E8FBF001C9259007D3330003FE2
70586+:10ADD0000A0015C636020040000000000000001BFB
70587+:10ADE0000000000F0000000A00000008000000063C
70588+:10ADF0000000000500000005000000040000000441
70589+:10AE00000000000300000003000000030000000336
70590+:10AE10000000000300000002000000020000000229
70591+:10AE2000000000020000000200000002000000021A
70592+:10AE3000000000020000000200000002000000020A
70593+:10AE400000000002000000020000000200000002FA
70594+:10AE50000000000100000001000000018008010066
70595+:10AE6000800800808008000000000C000000308096
70596+:10AE7000080011D00800127C08001294080012A8E3
70597+:10AE8000080012BC080011D0080011D0080012F010
70598+:10AE90000800132C080013400800138808001A8CBF
70599+:10AEA00008001A8C08001AC408001AC408001AD82E
70600+:10AEB00008001AA808001D0008001CCC08001D5836
70601+:10AEC00008001D5808001DE008001D108008024001
70602+:10AED000080027340800256C0800275C080027F4C8
70603+:10AEE0000800293C0800298808002AAC080029B479
70604+:10AEF00008002A38080025DC08002EDC08002EA4F3
70605+:10AF000008002588080025880800258808002B20CF
70606+:10AF100008002B20080025880800258808002DD06F
70607+:10AF2000080025880800258808002588080025884D
70608+:10AF300008002E0C080025880800258808002588B0
70609+:10AF4000080025880800258808002588080025882D
70610+:10AF5000080025880800258808002588080025881D
70611+:10AF6000080025880800258808002588080029A8E9
70612+:10AF7000080025880800258808002E680800258814
70613+:10AF800008002588080025880800258808002588ED
70614+:10AF900008002588080025880800258808002588DD
70615+:10AFA00008002588080025880800258808002588CD
70616+:10AFB00008002588080025880800258808002588BD
70617+:10AFC00008002CF4080025880800258808002C6853
70618+:10AFD00008002BC408003CE408003CB808003C848E
70619+:10AFE00008003C5808003C3808003BEC8008010091
70620+:10AFF00080080080800800008008008008004C6401
70621+:10B0000008004C9C08004BE408004C6408004C64A9
70622+:10B01000080049B808004C64080050500A000C842D
70623+:10B0200000000000000000000000000D7278703683
70624+:10B030002E322E31620000000602010300000000E3
70625+:10B0400000000001000000000000000000000000FF
70626+:10B0500000000000000000000000000000000000F0
70627+:10B0600000000000000000000000000000000000E0
70628+:10B0700000000000000000000000000000000000D0
70629+:10B0800000000000000000000000000000000000C0
70630+:10B0900000000000000000000000000000000000B0
70631+:10B0A00000000000000000000000000000000000A0
70632+:10B0B0000000000000000000000000000000000090
70633+:10B0C0000000000000000000000000000000000080
70634+:10B0D0000000000000000000000000000000000070
70635+:10B0E0000000000000000000000000000000000060
70636+:10B0F0000000000000000000000000000000000050
70637+:10B10000000000000000000000000000000000003F
70638+:10B11000000000000000000000000000000000002F
70639+:10B12000000000000000000000000000000000001F
70640+:10B13000000000000000000000000000000000000F
70641+:10B1400000000000000000000000000000000000FF
70642+:10B1500000000000000000000000000000000000EF
70643+:10B1600000000000000000000000000000000000DF
70644+:10B1700000000000000000000000000000000000CF
70645+:10B1800000000000000000000000000000000000BF
70646+:10B1900000000000000000000000000000000000AF
70647+:10B1A000000000000000000000000000000000009F
70648+:10B1B000000000000000000000000000000000008F
70649+:10B1C000000000000000000000000000000000007F
70650+:10B1D000000000000000000000000000000000006F
70651+:10B1E000000000000000000000000000000000005F
70652+:10B1F000000000000000000000000000000000004F
70653+:10B20000000000000000000000000000000000003E
70654+:10B21000000000000000000000000000000000002E
70655+:10B22000000000000000000000000000000000001E
70656+:10B23000000000000000000000000000000000000E
70657+:10B2400000000000000000000000000000000000FE
70658+:10B2500000000000000000000000000000000000EE
70659+:10B2600000000000000000000000000000000000DE
70660+:10B2700000000000000000000000000000000000CE
70661+:10B2800000000000000000000000000000000000BE
70662+:10B2900000000000000000000000000000000000AE
70663+:10B2A000000000000000000000000000000000009E
70664+:10B2B000000000000000000000000000000000008E
70665+:10B2C000000000000000000000000000000000007E
70666+:10B2D000000000000000000000000000000000006E
70667+:10B2E000000000000000000000000000000000005E
70668+:10B2F000000000000000000000000000000000004E
70669+:10B30000000000000000000000000000000000003D
70670+:10B31000000000000000000000000000000000002D
70671+:10B32000000000000000000000000000000000001D
70672+:10B33000000000000000000000000000000000000D
70673+:10B3400000000000000000000000000000000000FD
70674+:10B3500000000000000000000000000000000000ED
70675+:10B3600000000000000000000000000000000000DD
70676+:10B3700000000000000000000000000000000000CD
70677+:10B3800000000000000000000000000000000000BD
70678+:10B3900000000000000000000000000000000000AD
70679+:10B3A000000000000000000000000000000000009D
70680+:10B3B000000000000000000000000000000000008D
70681+:10B3C000000000000000000000000000000000007D
70682+:10B3D000000000000000000000000000000000006D
70683+:10B3E000000000000000000000000000000000005D
70684+:10B3F000000000000000000000000000000000004D
70685+:10B40000000000000000000000000000000000003C
70686+:10B41000000000000000000000000000000000002C
70687+:10B42000000000000000000000000000000000001C
70688+:10B43000000000000000000000000000000000000C
70689+:10B4400000000000000000000000000000000000FC
70690+:10B4500000000000000000000000000000000000EC
70691+:10B4600000000000000000000000000000000000DC
70692+:10B4700000000000000000000000000000000000CC
70693+:10B4800000000000000000000000000000000000BC
70694+:10B4900000000000000000000000000000000000AC
70695+:10B4A000000000000000000000000000000000009C
70696+:10B4B000000000000000000000000000000000008C
70697+:10B4C000000000000000000000000000000000007C
70698+:10B4D000000000000000000000000000000000006C
70699+:10B4E000000000000000000000000000000000005C
70700+:10B4F000000000000000000000000000000000004C
70701+:10B50000000000000000000000000000000000003B
70702+:10B51000000000000000000000000000000000002B
70703+:10B52000000000000000000000000000000000001B
70704+:10B53000000000000000000000000000000000000B
70705+:10B5400000000000000000000000000000000000FB
70706+:10B5500000000000000000000000000000000000EB
70707+:10B5600000000000000000000000000000000000DB
70708+:10B5700000000000000000000000000000000000CB
70709+:10B5800000000000000000000000000000000000BB
70710+:10B5900000000000000000000000000000000000AB
70711+:10B5A000000000000000000000000000000000009B
70712+:10B5B000000000000000000000000000000000008B
70713+:10B5C000000000000000000000000000000000007B
70714+:10B5D000000000000000000000000000000000006B
70715+:10B5E000000000000000000000000000000000005B
70716+:10B5F000000000000000000000000000000000004B
70717+:10B60000000000000000000000000000000000003A
70718+:10B61000000000000000000000000000000000002A
70719+:10B62000000000000000000000000000000000001A
70720+:10B63000000000000000000000000000000000000A
70721+:10B6400000000000000000000000000000000000FA
70722+:10B6500000000000000000000000000000000000EA
70723+:10B6600000000000000000000000000000000000DA
70724+:10B6700000000000000000000000000000000000CA
70725+:10B6800000000000000000000000000000000000BA
70726+:10B6900000000000000000000000000000000000AA
70727+:10B6A000000000000000000000000000000000009A
70728+:10B6B000000000000000000000000000000000008A
70729+:10B6C000000000000000000000000000000000007A
70730+:10B6D000000000000000000000000000000000006A
70731+:10B6E000000000000000000000000000000000005A
70732+:10B6F000000000000000000000000000000000004A
70733+:10B700000000000000000000000000000000000039
70734+:10B710000000000000000000000000000000000029
70735+:10B720000000000000000000000000000000000019
70736+:10B730000000000000000000000000000000000009
70737+:10B7400000000000000000000000000000000000F9
70738+:10B7500000000000000000000000000000000000E9
70739+:10B7600000000000000000000000000000000000D9
70740+:10B7700000000000000000000000000000000000C9
70741+:10B7800000000000000000000000000000000000B9
70742+:10B7900000000000000000000000000000000000A9
70743+:10B7A0000000000000000000000000000000000099
70744+:10B7B0000000000000000000000000000000000089
70745+:10B7C0000000000000000000000000000000000079
70746+:10B7D0000000000000000000000000000000000069
70747+:10B7E0000000000000000000000000000000000059
70748+:10B7F0000000000000000000000000000000000049
70749+:10B800000000000000000000000000000000000038
70750+:10B810000000000000000000000000000000000028
70751+:10B820000000000000000000000000000000000018
70752+:10B830000000000000000000000000000000000008
70753+:10B8400000000000000000000000000000000000F8
70754+:10B8500000000000000000000000000000000000E8
70755+:10B8600000000000000000000000000000000000D8
70756+:10B8700000000000000000000000000000000000C8
70757+:10B8800000000000000000000000000000000000B8
70758+:10B8900000000000000000000000000000000000A8
70759+:10B8A0000000000000000000000000000000000098
70760+:10B8B0000000000000000000000000000000000088
70761+:10B8C0000000000000000000000000000000000078
70762+:10B8D0000000000000000000000000000000000068
70763+:10B8E0000000000000000000000000000000000058
70764+:10B8F0000000000000000000000000000000000048
70765+:10B900000000000000000000000000000000000037
70766+:10B910000000000000000000000000000000000027
70767+:10B920000000000000000000000000000000000017
70768+:10B930000000000000000000000000000000000007
70769+:10B9400000000000000000000000000000000000F7
70770+:10B9500000000000000000000000000000000000E7
70771+:10B9600000000000000000000000000000000000D7
70772+:10B9700000000000000000000000000000000000C7
70773+:10B9800000000000000000000000000000000000B7
70774+:10B9900000000000000000000000000000000000A7
70775+:10B9A0000000000000000000000000000000000097
70776+:10B9B0000000000000000000000000000000000087
70777+:10B9C0000000000000000000000000000000000077
70778+:10B9D0000000000000000000000000000000000067
70779+:10B9E0000000000000000000000000000000000057
70780+:10B9F0000000000000000000000000000000000047
70781+:10BA00000000000000000000000000000000000036
70782+:10BA10000000000000000000000000000000000026
70783+:10BA20000000000000000000000000000000000016
70784+:10BA30000000000000000000000000000000000006
70785+:10BA400000000000000000000000000000000000F6
70786+:10BA500000000000000000000000000000000000E6
70787+:10BA600000000000000000000000000000000000D6
70788+:10BA700000000000000000000000000000000000C6
70789+:10BA800000000000000000000000000000000000B6
70790+:10BA900000000000000000000000000000000000A6
70791+:10BAA0000000000000000000000000000000000096
70792+:10BAB0000000000000000000000000000000000086
70793+:10BAC0000000000000000000000000000000000076
70794+:10BAD0000000000000000000000000000000000066
70795+:10BAE0000000000000000000000000000000000056
70796+:10BAF0000000000000000000000000000000000046
70797+:10BB00000000000000000000000000000000000035
70798+:10BB10000000000000000000000000000000000025
70799+:10BB20000000000000000000000000000000000015
70800+:10BB30000000000000000000000000000000000005
70801+:10BB400000000000000000000000000000000000F5
70802+:10BB500000000000000000000000000000000000E5
70803+:10BB600000000000000000000000000000000000D5
70804+:10BB700000000000000000000000000000000000C5
70805+:10BB800000000000000000000000000000000000B5
70806+:10BB900000000000000000000000000000000000A5
70807+:10BBA0000000000000000000000000000000000095
70808+:10BBB0000000000000000000000000000000000085
70809+:10BBC0000000000000000000000000000000000075
70810+:10BBD0000000000000000000000000000000000065
70811+:10BBE0000000000000000000000000000000000055
70812+:10BBF0000000000000000000000000000000000045
70813+:10BC00000000000000000000000000000000000034
70814+:10BC10000000000000000000000000000000000024
70815+:10BC20000000000000000000000000000000000014
70816+:10BC30000000000000000000000000000000000004
70817+:10BC400000000000000000000000000000000000F4
70818+:10BC500000000000000000000000000000000000E4
70819+:10BC600000000000000000000000000000000000D4
70820+:10BC700000000000000000000000000000000000C4
70821+:10BC800000000000000000000000000000000000B4
70822+:10BC900000000000000000000000000000000000A4
70823+:10BCA0000000000000000000000000000000000094
70824+:10BCB0000000000000000000000000000000000084
70825+:10BCC0000000000000000000000000000000000074
70826+:10BCD0000000000000000000000000000000000064
70827+:10BCE0000000000000000000000000000000000054
70828+:10BCF0000000000000000000000000000000000044
70829+:10BD00000000000000000000000000000000000033
70830+:10BD10000000000000000000000000000000000023
70831+:10BD20000000000000000000000000000000000013
70832+:10BD30000000000000000000000000000000000003
70833+:10BD400000000000000000000000000000000000F3
70834+:10BD500000000000000000000000000000000000E3
70835+:10BD600000000000000000000000000000000000D3
70836+:10BD700000000000000000000000000000000000C3
70837+:10BD800000000000000000000000000000000000B3
70838+:10BD900000000000000000000000000000000000A3
70839+:10BDA0000000000000000000000000000000000093
70840+:10BDB0000000000000000000000000000000000083
70841+:10BDC0000000000000000000000000000000000073
70842+:10BDD0000000000000000000000000000000000063
70843+:10BDE0000000000000000000000000000000000053
70844+:10BDF0000000000000000000000000000000000043
70845+:10BE00000000000000000000000000000000000032
70846+:10BE10000000000000000000000000000000000022
70847+:10BE20000000000000000000000000000000000012
70848+:10BE30000000000000000000000000000000000002
70849+:10BE400000000000000000000000000000000000F2
70850+:10BE500000000000000000000000000000000000E2
70851+:10BE600000000000000000000000000000000000D2
70852+:10BE700000000000000000000000000000000000C2
70853+:10BE800000000000000000000000000000000000B2
70854+:10BE900000000000000000000000000000000000A2
70855+:10BEA0000000000000000000000000000000000092
70856+:10BEB0000000000000000000000000000000000082
70857+:10BEC0000000000000000000000000000000000072
70858+:10BED0000000000000000000000000000000000062
70859+:10BEE0000000000000000000000000000000000052
70860+:10BEF0000000000000000000000000000000000042
70861+:10BF00000000000000000000000000000000000031
70862+:10BF10000000000000000000000000000000000021
70863+:10BF20000000000000000000000000000000000011
70864+:10BF30000000000000000000000000000000000001
70865+:10BF400000000000000000000000000000000000F1
70866+:10BF500000000000000000000000000000000000E1
70867+:10BF600000000000000000000000000000000000D1
70868+:10BF700000000000000000000000000000000000C1
70869+:10BF800000000000000000000000000000000000B1
70870+:10BF900000000000000000000000000000000000A1
70871+:10BFA0000000000000000000000000000000000091
70872+:10BFB0000000000000000000000000000000000081
70873+:10BFC0000000000000000000000000000000000071
70874+:10BFD0000000000000000000000000000000000061
70875+:10BFE0000000000000000000000000000000000051
70876+:10BFF0000000000000000000000000000000000041
70877+:10C000000000000000000000000000000000000030
70878+:10C010000000000000000000000000000000000020
70879+:10C020000000000000000000000000000000000010
70880+:10C030000000000000000000000000000000000000
70881+:10C0400000000000000000000000000000000000F0
70882+:10C0500000000000000000000000000000000000E0
70883+:10C0600000000000000000000000000000000000D0
70884+:10C0700000000000000000000000000000000000C0
70885+:10C0800000000000000000000000000000000000B0
70886+:10C0900000000000000000000000000000000000A0
70887+:10C0A0000000000000000000000000000000000090
70888+:10C0B0000000000000000000000000000000000080
70889+:10C0C0000000000000000000000000000000000070
70890+:10C0D0000000000000000000000000000000000060
70891+:10C0E0000000000000000000000000000000000050
70892+:10C0F0000000000000000000000000000000000040
70893+:10C10000000000000000000000000000000000002F
70894+:10C11000000000000000000000000000000000001F
70895+:10C12000000000000000000000000000000000000F
70896+:10C1300000000000000000000000000000000000FF
70897+:10C1400000000000000000000000000000000000EF
70898+:10C1500000000000000000000000000000000000DF
70899+:10C1600000000000000000000000000000000000CF
70900+:10C1700000000000000000000000000000000000BF
70901+:10C1800000000000000000000000000000000000AF
70902+:10C19000000000000000000000000000000000009F
70903+:10C1A000000000000000000000000000000000008F
70904+:10C1B000000000000000000000000000000000007F
70905+:10C1C000000000000000000000000000000000006F
70906+:10C1D000000000000000000000000000000000005F
70907+:10C1E000000000000000000000000000000000004F
70908+:10C1F000000000000000000000000000000000003F
70909+:10C20000000000000000000000000000000000002E
70910+:10C21000000000000000000000000000000000001E
70911+:10C22000000000000000000000000000000000000E
70912+:10C2300000000000000000000000000000000000FE
70913+:10C2400000000000000000000000000000000000EE
70914+:10C2500000000000000000000000000000000000DE
70915+:10C2600000000000000000000000000000000000CE
70916+:10C2700000000000000000000000000000000000BE
70917+:10C2800000000000000000000000000000000000AE
70918+:10C29000000000000000000000000000000000009E
70919+:10C2A000000000000000000000000000000000008E
70920+:10C2B000000000000000000000000000000000007E
70921+:10C2C000000000000000000000000000000000006E
70922+:10C2D000000000000000000000000000000000005E
70923+:10C2E000000000000000000000000000000000004E
70924+:10C2F000000000000000000000000000000000003E
70925+:10C30000000000000000000000000000000000002D
70926+:10C31000000000000000000000000000000000001D
70927+:10C32000000000000000000000000000000000000D
70928+:10C3300000000000000000000000000000000000FD
70929+:10C3400000000000000000000000000000000000ED
70930+:10C3500000000000000000000000000000000000DD
70931+:10C3600000000000000000000000000000000000CD
70932+:10C3700000000000000000000000000000000000BD
70933+:10C3800000000000000000000000000000000000AD
70934+:10C39000000000000000000000000000000000009D
70935+:10C3A000000000000000000000000000000000008D
70936+:10C3B000000000000000000000000000000000007D
70937+:10C3C000000000000000000000000000000000006D
70938+:10C3D000000000000000000000000000000000005D
70939+:10C3E000000000000000000000000000000000004D
70940+:10C3F000000000000000000000000000000000003D
70941+:10C40000000000000000000000000000000000002C
70942+:10C41000000000000000000000000000000000001C
70943+:10C42000000000000000000000000000000000000C
70944+:10C4300000000000000000000000000000000000FC
70945+:10C4400000000000000000000000000000000000EC
70946+:10C4500000000000000000000000000000000000DC
70947+:10C4600000000000000000000000000000000000CC
70948+:10C4700000000000000000000000000000000000BC
70949+:10C4800000000000000000000000000000000000AC
70950+:10C49000000000000000000000000000000000009C
70951+:10C4A000000000000000000000000000000000008C
70952+:10C4B000000000000000000000000000000000007C
70953+:10C4C000000000000000000000000000000000006C
70954+:10C4D000000000000000000000000000000000005C
70955+:10C4E000000000000000000000000000000000004C
70956+:10C4F000000000000000000000000000000000003C
70957+:10C50000000000000000000000000000000000002B
70958+:10C51000000000000000000000000000000000001B
70959+:10C52000000000000000000000000000000000000B
70960+:10C5300000000000000000000000000000000000FB
70961+:10C5400000000000000000000000000000000000EB
70962+:10C5500000000000000000000000000000000000DB
70963+:10C5600000000000000000000000000000000000CB
70964+:10C5700000000000000000000000000000000000BB
70965+:10C5800000000000000000000000000000000000AB
70966+:10C59000000000000000000000000000000000009B
70967+:10C5A000000000000000000000000000000000008B
70968+:10C5B000000000000000000000000000000000007B
70969+:10C5C000000000000000000000000000000000006B
70970+:10C5D000000000000000000000000000000000005B
70971+:10C5E000000000000000000000000000000000004B
70972+:10C5F000000000000000000000000000000000003B
70973+:10C60000000000000000000000000000000000002A
70974+:10C61000000000000000000000000000000000001A
70975+:10C62000000000000000000000000000000000000A
70976+:10C6300000000000000000000000000000000000FA
70977+:10C6400000000000000000000000000000000000EA
70978+:10C6500000000000000000000000000000000000DA
70979+:10C6600000000000000000000000000000000000CA
70980+:10C6700000000000000000000000000000000000BA
70981+:10C6800000000000000000000000000000000000AA
70982+:10C69000000000000000000000000000000000009A
70983+:10C6A000000000000000000000000000000000008A
70984+:10C6B000000000000000000000000000000000007A
70985+:10C6C000000000000000000000000000000000006A
70986+:10C6D000000000000000000000000000000000005A
70987+:10C6E000000000000000000000000000000000004A
70988+:10C6F000000000000000000000000000000000003A
70989+:10C700000000000000000000000000000000000029
70990+:10C710000000000000000000000000000000000019
70991+:10C720000000000000000000000000000000000009
70992+:10C7300000000000000000000000000000000000F9
70993+:10C7400000000000000000000000000000000000E9
70994+:10C7500000000000000000000000000000000000D9
70995+:10C7600000000000000000000000000000000000C9
70996+:10C7700000000000000000000000000000000000B9
70997+:10C7800000000000000000000000000000000000A9
70998+:10C790000000000000000000000000000000000099
70999+:10C7A0000000000000000000000000000000000089
71000+:10C7B0000000000000000000000000000000000079
71001+:10C7C0000000000000000000000000000000000069
71002+:10C7D0000000000000000000000000000000000059
71003+:10C7E0000000000000000000000000000000000049
71004+:10C7F0000000000000000000000000000000000039
71005+:10C800000000000000000000000000000000000028
71006+:10C810000000000000000000000000000000000018
71007+:10C820000000000000000000000000000000000008
71008+:10C8300000000000000000000000000000000000F8
71009+:10C8400000000000000000000000000000000000E8
71010+:10C8500000000000000000000000000000000000D8
71011+:10C8600000000000000000000000000000000000C8
71012+:10C8700000000000000000000000000000000000B8
71013+:10C8800000000000000000000000000000000000A8
71014+:10C890000000000000000000000000000000000098
71015+:10C8A0000000000000000000000000000000000088
71016+:10C8B0000000000000000000000000000000000078
71017+:10C8C0000000000000000000000000000000000068
71018+:10C8D0000000000000000000000000000000000058
71019+:10C8E0000000000000000000000000000000000048
71020+:10C8F0000000000000000000000000000000000038
71021+:10C900000000000000000000000000000000000027
71022+:10C910000000000000000000000000000000000017
71023+:10C920000000000000000000000000000000000007
71024+:10C9300000000000000000000000000000000000F7
71025+:10C9400000000000000000000000000000000000E7
71026+:10C9500000000000000000000000000000000000D7
71027+:10C9600000000000000000000000000000000000C7
71028+:10C9700000000000000000000000000000000000B7
71029+:10C9800000000000000000000000000000000000A7
71030+:10C990000000000000000000000000000000000097
71031+:10C9A0000000000000000000000000000000000087
71032+:10C9B0000000000000000000000000000000000077
71033+:10C9C0000000000000000000000000000000000067
71034+:10C9D0000000000000000000000000000000000057
71035+:10C9E0000000000000000000000000000000000047
71036+:10C9F0000000000000000000000000000000000037
71037+:10CA00000000000000000000000000000000000026
71038+:10CA10000000000000000000000000000000000016
71039+:10CA20000000000000000000000000000000000006
71040+:10CA300000000000000000000000000000000000F6
71041+:10CA400000000000000000000000000000000000E6
71042+:10CA500000000000000000000000000000000000D6
71043+:10CA600000000000000000000000000000000000C6
71044+:10CA700000000000000000000000000000000000B6
71045+:10CA800000000000000000000000000000000000A6
71046+:10CA90000000000000000000000000000000000096
71047+:10CAA0000000000000000000000000000000000086
71048+:10CAB0000000000000000000000000000000000076
71049+:10CAC0000000000000000000000000000000000066
71050+:10CAD0000000000000000000000000000000000056
71051+:10CAE0000000000000000000000000000000000046
71052+:10CAF0000000000000000000000000000000000036
71053+:10CB00000000000000000000000000000000000025
71054+:10CB10000000000000000000000000000000000015
71055+:10CB20000000000000000000000000000000000005
71056+:10CB300000000000000000000000000000000000F5
71057+:10CB400000000000000000000000000000000000E5
71058+:10CB500000000000000000000000000000000000D5
71059+:10CB600000000000000000000000000000000000C5
71060+:10CB700000000000000000000000000000000000B5
71061+:10CB800000000000000000000000000000000000A5
71062+:10CB90000000000000000000000000000000000095
71063+:10CBA0000000000000000000000000000000000085
71064+:10CBB0000000000000000000000000000000000075
71065+:10CBC0000000000000000000000000000000000065
71066+:10CBD0000000000000000000000000000000000055
71067+:10CBE0000000000000000000000000000000000045
71068+:10CBF0000000000000000000000000000000000035
71069+:10CC00000000000000000000000000000000000024
71070+:10CC10000000000000000000000000000000000014
71071+:10CC20000000000000000000000000000000000004
71072+:10CC300000000000000000000000000000000000F4
71073+:10CC400000000000000000000000000000000000E4
71074+:10CC500000000000000000000000000000000000D4
71075+:10CC600000000000000000000000000000000000C4
71076+:10CC700000000000000000000000000000000000B4
71077+:10CC800000000000000000000000000000000000A4
71078+:10CC90000000000000000000000000000000000094
71079+:10CCA0000000000000000000000000000000000084
71080+:10CCB0000000000000000000000000000000000074
71081+:10CCC0000000000000000000000000000000000064
71082+:10CCD0000000000000000000000000000000000054
71083+:10CCE0000000000000000000000000000000000044
71084+:10CCF0000000000000000000000000000000000034
71085+:10CD00000000000000000000000000000000000023
71086+:10CD10000000000000000000000000000000000013
71087+:10CD20000000000000000000000000000000000003
71088+:10CD300000000000000000000000000000000000F3
71089+:10CD400000000000000000000000000000000000E3
71090+:10CD500000000000000000000000000000000000D3
71091+:10CD600000000000000000000000000000000000C3
71092+:10CD700000000000000000000000000000000000B3
71093+:10CD800000000000000000000000000000000000A3
71094+:10CD90000000000000000000000000000000000093
71095+:10CDA0000000000000000000000000000000000083
71096+:10CDB0000000000000000000000000000000000073
71097+:10CDC0000000000000000000000000000000000063
71098+:10CDD0000000000000000000000000000000000053
71099+:10CDE0000000000000000000000000000000000043
71100+:10CDF0000000000000000000000000000000000033
71101+:10CE00000000000000000000000000000000000022
71102+:10CE10000000000000000000000000000000000012
71103+:10CE20000000000000000000000000000000000002
71104+:10CE300000000000000000000000000000000000F2
71105+:10CE400000000000000000000000000000000000E2
71106+:10CE500000000000000000000000000000000000D2
71107+:10CE600000000000000000000000000000000000C2
71108+:10CE700000000000000000000000000000000000B2
71109+:10CE800000000000000000000000000000000000A2
71110+:10CE90000000000000000000000000000000000092
71111+:10CEA0000000000000000000000000000000000082
71112+:10CEB0000000000000000000000000000000000072
71113+:10CEC0000000000000000000000000000000000062
71114+:10CED0000000000000000000000000000000000052
71115+:10CEE0000000000000000000000000000000000042
71116+:10CEF0000000000000000000000000000000000032
71117+:10CF00000000000000000000000000000000000021
71118+:10CF10000000000000000000000000000000000011
71119+:10CF20000000000000000000000000000000000001
71120+:10CF300000000000000000000000000000000000F1
71121+:10CF400000000000000000000000000000000000E1
71122+:10CF500000000000000000000000000000000000D1
71123+:10CF600000000000000000000000000000000000C1
71124+:10CF700000000000000000000000000000000000B1
71125+:10CF800000000000000000000000000000000000A1
71126+:10CF90000000000000000000000000000000000091
71127+:10CFA0000000000000000000000000000000000081
71128+:10CFB0000000000000000000000000000000000071
71129+:10CFC0000000000000000000000000000000000061
71130+:10CFD0000000000000000000000000000000000051
71131+:10CFE0000000000000000000000000000000000041
71132+:10CFF0000000000000000000000000000000000031
71133+:10D000000000000000000000000000000000000020
71134+:10D010000000000000000000000000000000000010
71135+:10D020000000000000000000000000000000000000
71136+:10D0300000000000000000000000000000000000F0
71137+:10D0400000000000000000000000000000000000E0
71138+:10D0500000000000000000000000000000000000D0
71139+:10D0600000000000000000000000000000000000C0
71140+:10D0700000000000000000000000000000000000B0
71141+:10D0800000000000000000000000000000000000A0
71142+:10D090000000000000000000000000000000000090
71143+:10D0A0000000000000000000000000000000000080
71144+:10D0B0000000000000000000000000000000000070
71145+:10D0C0000000000000000000000000000000000060
71146+:10D0D0000000000000000000000000000000000050
71147+:10D0E0000000000000000000000000000000000040
71148+:10D0F0000000000000000000000000000000000030
71149+:10D10000000000000000000000000000000000001F
71150+:10D11000000000000000000000000000000000000F
71151+:10D1200000000000000000000000000000000000FF
71152+:10D1300000000000000000000000000000000000EF
71153+:10D1400000000000000000000000000000000000DF
71154+:10D1500000000000000000000000000000000000CF
71155+:10D1600000000000000000000000000000000000BF
71156+:10D1700000000000000000000000000000000000AF
71157+:10D18000000000000000000000000000000000009F
71158+:10D19000000000000000000000000000000000008F
71159+:10D1A000000000000000000000000000000000007F
71160+:10D1B000000000000000000000000000000000006F
71161+:10D1C000000000000000000000000000000000005F
71162+:10D1D000000000000000000000000000000000004F
71163+:10D1E000000000000000000000000000000000003F
71164+:10D1F000000000000000000000000000000000002F
71165+:10D20000000000000000000000000000000000001E
71166+:10D21000000000000000000000000000000000000E
71167+:10D2200000000000000000000000000000000000FE
71168+:10D2300000000000000000000000000000000000EE
71169+:10D2400000000000000000000000000000000000DE
71170+:10D2500000000000000000000000000000000000CE
71171+:10D2600000000000000000000000000000000000BE
71172+:10D2700000000000000000000000000000000000AE
71173+:10D28000000000000000000000000000000000009E
71174+:10D29000000000000000000000000000000000008E
71175+:10D2A000000000000000000000000000000000007E
71176+:10D2B000000000000000000000000000000000006E
71177+:10D2C000000000000000000000000000000000005E
71178+:10D2D000000000000000000000000000000000004E
71179+:10D2E000000000000000000000000000000000003E
71180+:10D2F000000000000000000000000000000000002E
71181+:10D30000000000000000000000000000000000001D
71182+:10D31000000000000000000000000000000000000D
71183+:10D3200000000000000000000000000000000000FD
71184+:10D3300000000000000000000000000000000000ED
71185+:10D3400000000000000000000000000000000000DD
71186+:10D3500000000000000000000000000000000000CD
71187+:10D3600000000000000000000000000000000000BD
71188+:10D3700000000000000000000000000000000000AD
71189+:10D38000000000000000000000000000000000009D
71190+:10D39000000000000000000000000000000000008D
71191+:10D3A000000000000000000000000000000000007D
71192+:10D3B000000000000000000000000000000000006D
71193+:10D3C000000000000000000000000000000000005D
71194+:10D3D000000000000000000000000000000000004D
71195+:10D3E000000000000000000000000000000000003D
71196+:10D3F000000000000000000000000000000000002D
71197+:10D40000000000000000000000000000000000001C
71198+:10D41000000000000000000000000000000000000C
71199+:10D4200000000000000000000000000000000000FC
71200+:10D4300000000000000000000000000000000000EC
71201+:10D4400000000000000000000000000000000000DC
71202+:10D4500000000000000000000000000000000000CC
71203+:10D4600000000000000000000000000000000000BC
71204+:10D4700000000000000000000000000000000000AC
71205+:10D48000000000000000000000000000000000009C
71206+:10D49000000000000000000000000000000000008C
71207+:10D4A000000000000000000000000000000000007C
71208+:10D4B000000000000000000000000000000000006C
71209+:10D4C000000000000000000000000000000000005C
71210+:10D4D000000000000000000000000000000000004C
71211+:10D4E000000000000000000000000000000000003C
71212+:10D4F000000000000000000000000000000000002C
71213+:10D50000000000000000000000000000000000001B
71214+:10D51000000000000000000000000000000000000B
71215+:10D5200000000000000000000000000000000000FB
71216+:10D5300000000000000000000000000000000000EB
71217+:10D5400000000000000000000000000000000000DB
71218+:10D5500000000000000000000000000000000000CB
71219+:10D5600000000000000000000000000000000000BB
71220+:10D5700000000000000000000000000000000000AB
71221+:10D58000000000000000000000000000000000009B
71222+:10D59000000000000000000000000000000000008B
71223+:10D5A000000000000000000000000000000000007B
71224+:10D5B000000000000000000000000000000000006B
71225+:10D5C000000000000000000000000000000000005B
71226+:10D5D000000000000000000000000000000000004B
71227+:10D5E000000000000000000000000000000000003B
71228+:10D5F000000000000000000000000000000000002B
71229+:10D60000000000000000000000000000000000001A
71230+:10D61000000000000000000000000000000000000A
71231+:10D6200000000000000000000000000000000000FA
71232+:10D6300000000000000000000000000000000000EA
71233+:10D6400000000000000000000000000000000000DA
71234+:10D6500000000000000000000000000000000000CA
71235+:10D6600000000000000000000000000000000000BA
71236+:10D6700000000000000000000000000000000000AA
71237+:10D68000000000000000000000000000000000009A
71238+:10D69000000000000000000000000000000000008A
71239+:10D6A000000000000000000000000000000000007A
71240+:10D6B000000000000000000000000000000000006A
71241+:10D6C000000000000000000000000000000000005A
71242+:10D6D000000000000000000000000000000000004A
71243+:10D6E000000000000000000000000000000000003A
71244+:10D6F000000000000000000000000000000000002A
71245+:10D700000000000000000000000000000000000019
71246+:10D710000000000000000000000000000000000009
71247+:10D7200000000000000000000000000000000000F9
71248+:10D7300000000000000000000000000000000000E9
71249+:10D7400000000000000000000000000000000000D9
71250+:10D7500000000000000000000000000000000000C9
71251+:10D7600000000000000000000000000000000000B9
71252+:10D7700000000000000000000000000000000000A9
71253+:10D780000000000000000000000000000000000099
71254+:10D790000000000000000000000000000000000089
71255+:10D7A0000000000000000000000000000000000079
71256+:10D7B0000000000000000000000000000000000069
71257+:10D7C0000000000000000000000000000000000059
71258+:10D7D0000000000000000000000000000000000049
71259+:10D7E0000000000000000000000000000000000039
71260+:10D7F0000000000000000000000000000000000029
71261+:10D800000000000000000000000000000000000018
71262+:10D810000000000000000000000000000000000008
71263+:10D8200000000000000000000000000000000000F8
71264+:10D8300000000000000000000000000000000000E8
71265+:10D8400000000000000000000000000000000000D8
71266+:10D8500000000000000000000000000000000000C8
71267+:10D8600000000000000000000000000000000000B8
71268+:10D8700000000000000000000000000000000000A8
71269+:10D880000000000000000000000000000000000098
71270+:10D890000000000000000000000000000000000088
71271+:10D8A0000000000000000000000000000000000078
71272+:10D8B0000000000000000000000000000000000068
71273+:10D8C0000000000000000000000000000000000058
71274+:10D8D0000000000000000000000000000000000048
71275+:10D8E0000000000000000000000000000000000038
71276+:10D8F0000000000000000000000000000000000028
71277+:10D900000000000000000000000000000000000017
71278+:10D910000000000000000000000000000000000007
71279+:10D9200000000000000000000000000000000000F7
71280+:10D9300000000000000000000000000000000000E7
71281+:10D9400000000000000000000000000000000000D7
71282+:10D9500000000000000000000000000000000000C7
71283+:10D9600000000000000000000000000000000000B7
71284+:10D9700000000000000000000000000000000000A7
71285+:10D980000000000000000000000000000000000097
71286+:10D990000000000000000000000000000000000087
71287+:10D9A0000000000000000000000000000000000077
71288+:10D9B0000000000000000000000000000000000067
71289+:10D9C0000000000000000000000000000000000057
71290+:10D9D0000000000000000000000000000000000047
71291+:10D9E0000000000000000000000000000000000037
71292+:10D9F0000000000000000000000000000000000027
71293+:10DA00000000000000000000000000000000000016
71294+:10DA10000000000000000000000000000000000006
71295+:10DA200000000000000000000000000000000000F6
71296+:10DA300000000000000000000000000000000000E6
71297+:10DA400000000000000000000000000000000000D6
71298+:10DA500000000000000000000000000000000000C6
71299+:10DA600000000000000000000000000000000000B6
71300+:10DA700000000000000000000000000000000000A6
71301+:10DA80000000000000000000000000000000000096
71302+:10DA90000000000000000000000000000000000086
71303+:10DAA0000000000000000000000000000000000076
71304+:10DAB0000000000000000000000000000000000066
71305+:10DAC0000000000000000000000000000000000056
71306+:10DAD0000000000000000000000000000000000046
71307+:10DAE0000000000000000000000000000000000036
71308+:10DAF0000000000000000000000000000000000026
71309+:10DB00000000000000000000000000000000000015
71310+:10DB10000000000000000000000000000000000005
71311+:10DB200000000000000000000000000000000000F5
71312+:10DB300000000000000000000000000000000000E5
71313+:10DB400000000000000000000000000000000000D5
71314+:10DB500000000000000000000000000000000000C5
71315+:10DB600000000000000000000000000000000000B5
71316+:10DB700000000000000000000000000000000000A5
71317+:10DB80000000000000000000000000000000000095
71318+:10DB90000000000000000000000000000000000085
71319+:10DBA0000000000000000000000000000000000075
71320+:10DBB0000000000000000000000000000000000065
71321+:10DBC0000000000000000000000000000000000055
71322+:10DBD0000000000000000000000000000000000045
71323+:10DBE0000000000000000000000000000000000035
71324+:10DBF0000000000000000000000000000000000025
71325+:10DC00000000000000000000000000000000000014
71326+:10DC10000000000000000000000000000000000004
71327+:10DC200000000000000000000000000000000000F4
71328+:10DC300000000000000000000000000000000000E4
71329+:10DC400000000000000000000000000000000000D4
71330+:10DC500000000000000000000000000000000000C4
71331+:10DC600000000000000000000000000000000000B4
71332+:10DC700000000000000000000000000000000000A4
71333+:10DC80000000000000000000000000000000000094
71334+:10DC90000000000000000000000000000000000084
71335+:10DCA0000000000000000000000000000000000074
71336+:10DCB0000000000000000000000000000000000064
71337+:10DCC0000000000000000000000000000000000054
71338+:10DCD0000000000000000000000000000000000044
71339+:10DCE0000000000000000000000000000000000034
71340+:10DCF0000000000000000000000000000000000024
71341+:10DD00000000000000000000000000000000000013
71342+:10DD10000000000000000000000000000000000003
71343+:10DD200000000000000000000000000000000000F3
71344+:10DD300000000000000000000000000000000000E3
71345+:10DD400000000000000000000000000000000000D3
71346+:10DD500000000000000000000000000000000000C3
71347+:10DD600000000000000000000000000000000000B3
71348+:10DD700000000000000000000000000000000000A3
71349+:10DD80000000000000000000000000000000000093
71350+:10DD90000000000000000000000000000000000083
71351+:10DDA0000000000000000000000000000000000073
71352+:10DDB0000000000000000000000000000000000063
71353+:10DDC0000000000000000000000000000000000053
71354+:10DDD0000000000000000000000000000000000043
71355+:10DDE0000000000000000000000000000000000033
71356+:10DDF0000000000000000000000000000000000023
71357+:10DE00000000000000000000000000000000000012
71358+:10DE10000000000000000000000000000000000002
71359+:10DE200000000000000000000000000000000000F2
71360+:10DE300000000000000000000000000000000000E2
71361+:10DE400000000000000000000000000000000000D2
71362+:10DE500000000000000000000000000000000000C2
71363+:10DE600000000000000000000000000000000000B2
71364+:10DE700000000000000000000000000000000000A2
71365+:10DE80000000000000000000000000000000000092
71366+:10DE90000000000000000000000000000000000082
71367+:10DEA0000000000000000000000000000000000072
71368+:10DEB0000000000000000000000000000000000062
71369+:10DEC0000000000000000000000000000000000052
71370+:10DED0000000000000000000000000000000000042
71371+:10DEE0000000000000000000000000000000000032
71372+:10DEF0000000000000000000000000000000000022
71373+:10DF00000000000000000000000000000000000011
71374+:10DF10000000000000000000000000000000000001
71375+:10DF200000000000000000000000000000000000F1
71376+:10DF300000000000000000000000000000000000E1
71377+:10DF400000000000000000000000000000000000D1
71378+:10DF500000000000000000000000000000000000C1
71379+:10DF600000000000000000000000000000000000B1
71380+:10DF700000000000000000000000000000000000A1
71381+:10DF80000000000000000000000000000000000091
71382+:10DF90000000000000000000000000000000000081
71383+:10DFA0000000000000000000000000000000000071
71384+:10DFB0000000000000000000000000000000000061
71385+:10DFC0000000000000000000000000000000000051
71386+:10DFD0000000000000000000000000000000000041
71387+:10DFE0000000000000000000000000000000000031
71388+:10DFF0000000000000000000000000000000000021
71389+:10E000000000000000000000000000000000000010
71390+:10E010000000000000000000000000000000000000
71391+:10E0200000000000000000000000000000000000F0
71392+:10E0300000000000000000000000000000000000E0
71393+:10E0400000000000000000000000000000000000D0
71394+:10E0500000000000000000000000000000000000C0
71395+:10E0600000000000000000000000000000000000B0
71396+:10E0700000000000000000000000000000000000A0
71397+:10E080000000000000000000000000000000000090
71398+:10E090000000000000000000000000000000000080
71399+:10E0A0000000000000000000000000000000000070
71400+:10E0B0000000000000000000000000000000000060
71401+:10E0C0000000000000000000000000000000000050
71402+:10E0D0000000000000000000000000000000000040
71403+:10E0E0000000000000000000000000000000000030
71404+:10E0F0000000000000000000000000000000000020
71405+:10E10000000000000000000000000000000000000F
71406+:10E1100000000000000000000000000000000000FF
71407+:10E1200000000000000000000000000000000000EF
71408+:10E1300000000000000000000000000000000000DF
71409+:10E1400000000000000000000000000000000000CF
71410+:10E1500000000000000000000000000000000000BF
71411+:10E1600000000000000000000000000000000000AF
71412+:10E17000000000000000000000000000000000009F
71413+:10E18000000000000000000000000000000000008F
71414+:10E19000000000000000000000000000000000007F
71415+:10E1A000000000000000000000000000000000006F
71416+:10E1B000000000000000000000000000000000005F
71417+:10E1C000000000000000000000000000000000004F
71418+:10E1D000000000000000000000000000000000003F
71419+:10E1E000000000000000000000000000000000002F
71420+:10E1F000000000000000000000000000000000809F
71421+:10E20000000000000000000000000000000000000E
71422+:10E2100000000000000000000000000000000000FE
71423+:10E220000000000A000000000000000000000000E4
71424+:10E2300010000003000000000000000D0000000DB1
71425+:10E240003C020801244295C03C030801246397FC6A
71426+:10E25000AC4000000043202B1480FFFD244200044A
71427+:10E260003C1D080037BD9FFC03A0F0213C100800B6
71428+:10E27000261032103C1C0801279C95C00E0012BECF
71429+:10E28000000000000000000D3C02800030A5FFFFF0
71430+:10E2900030C600FF344301803C0880008D0901B87E
71431+:10E2A0000520FFFE00000000AC6400002404000212
71432+:10E2B000A4650008A066000AA064000BAC67001803
71433+:10E2C0003C03100003E00008AD0301B83C0560000A
71434+:10E2D0008CA24FF80440FFFE00000000ACA44FC029
71435+:10E2E0003C0310003C040200ACA44FC403E000084F
71436+:10E2F000ACA34FF89486000C00A050212488001491
71437+:10E3000000062B0200051080004448210109182B4B
71438+:10E310001060001100000000910300002C6400094F
71439+:10E320005080000991190001000360803C0D080134
71440+:10E3300025AD9258018D58218D67000000E000083E
71441+:10E340000000000091190001011940210109302B42
71442+:10E3500054C0FFF29103000003E000080000102108
71443+:10E360000A000CCC25080001910F0001240E000AC0
71444+:10E3700015EE00400128C8232F38000A1700003D81
71445+:10E38000250D00028D580000250F0006370E0100F4
71446+:10E39000AD4E0000910C000291AB000191A400026F
71447+:10E3A00091A60003000C2E00000B3C0000A71025D6
71448+:10E3B00000041A000043C8250326C025AD580004F8
71449+:10E3C000910E000691ED000191E7000291E5000336
71450+:10E3D000000E5E00000D6400016C30250007220075
71451+:10E3E00000C41025004518252508000A0A000CCC99
71452+:10E3F000AD430008910F000125040002240800022B
71453+:10E4000055E80001012020210A000CCC00804021A9
71454+:10E41000910C0001240B0003158B00160000000076
71455+:10E420008D580000910E000225080003370D0008EA
71456+:10E43000A14E00100A000CCCAD4D00009119000156
71457+:10E44000240F0004172F000B0000000091070002AA
71458+:10E45000910400038D43000000072A0000A410254A
71459+:10E460003466000425080004AD42000C0A000CCC00
71460+:10E47000AD46000003E000082402000127BDFFE8CC
71461+:10E48000AFBF0014AFB000100E00164E0080802108
71462+:10E490003C0480083485008090A600052403FFFE1C
71463+:10E4A0000200202100C310248FBF00148FB0001081
71464+:10E4B000A0A200050A00165827BD001827BDFFE8D6
71465+:10E4C000AFB00010AFBF00140E000FD40080802149
71466+:10E4D0003C06800834C5008090A40000240200504F
71467+:10E4E000308300FF106200073C09800002002021F9
71468+:10E4F0008FBF00148FB00010AD2001800A00108F74
71469+:10E5000027BD0018240801003C07800002002021DC
71470+:10E510008FBF00148FB00010ACE801800A00108F8C
71471+:10E5200027BD001827BDFF783C058008AFBE0080DE
71472+:10E53000AFB7007CAFB3006CAFB10064AFBF008475
71473+:10E54000AFB60078AFB50074AFB40070AFB200687A
71474+:10E55000AFB0006034A600803C0580008CB201287A
71475+:10E5600090C400098CA701043C020001309100FF17
71476+:10E5700000E218240000B8210000F021106000071C
71477+:10E58000000098213C0908008D2931F02413000176
71478+:10E59000252800013C010800AC2831F0ACA0008423
71479+:10E5A00090CC0005000C5827316A0001154000721C
71480+:10E5B000AFA0005090CD00002406002031A400FF41
71481+:10E5C00010860018240E0050108E009300000000EA
71482+:10E5D0003C1008008E1000DC260F00013C010800F2
71483+:10E5E000AC2F00DC0E0016C7000000000040182110
71484+:10E5F0008FBF00848FBE00808FB7007C8FB60078FD
71485+:10E600008FB500748FB400708FB3006C8FB2006848
71486+:10E610008FB100648FB000600060102103E000083B
71487+:10E6200027BD00880000000D3C1F8000AFA0003017
71488+:10E6300097E501168FE201043C04002030B9FFFF8A
71489+:10E64000004438240007182B00033140AFA60030E7
71490+:10E650008FF5010437F80C003C1600400338802188
71491+:10E6600002B6A02434C40040128000479215000D69
71492+:10E6700032A800201500000234860080008030217E
71493+:10E6800014C0009FAFA600303C0D800835A6008066
71494+:10E6900090CC0008318B0040516000063C06800899
71495+:10E6A000240E0004122E00A8240F0012122F003294
71496+:10E6B0003C06800834C401003C0280009447011AE3
71497+:10E6C0009619000E909F00088E18000830E3FFFF97
71498+:10E6D00003F9B00432B40004AFB6005CAFA3005835
71499+:10E6E0008E1600041280002EAFB8005434C3008090
71500+:10E6F000906800083105004014A0002500000000CB
71501+:10E700008C70005002D090230640000500000000ED
71502+:10E710008C71003402D1A82306A201678EE20008A2
71503+:10E72000126000063C1280003C1508008EB531F4E2
71504+:10E7300026B600013C010800AC3631F4AE4000447E
71505+:10E74000240300018FBF00848FBE00808FB7007C40
71506+:10E750008FB600788FB500748FB400708FB3006CE3
71507+:10E760008FB200688FB100648FB00060006010212C
71508+:10E7700003E0000827BD00880E000D2800002021BE
71509+:10E780000A000D75004018210A000D9500C02021D7
71510+:10E790000E00171702C020211440FFE10000000006
71511+:10E7A0003C0B8008356400808C8A003402CA482300
71512+:10E7B0000520001D000000003C1E08008FDE310017
71513+:10E7C00027D700013C010800AC3731001260000679
71514+:10E7D000024020213C1408008E9431F42690000160
71515+:10E7E0003C010800AC3031F40E00164E3C1E80088F
71516+:10E7F00037CD008091B700250240202136EE00047D
71517+:10E800000E001658A1AE00250E000CAC02402021CF
71518+:10E810000A000DCA240300013C17080126F796C020
71519+:10E820000A000D843C1F80008C86003002C66023E5
71520+:10E830001980000C2419000C908F004F3C14080024
71521+:10E840008E94310032B500FC35ED0001268E0001BA
71522+:10E850003C010800AC2E3100A08D004FAFA0005845
71523+:10E860002419000CAFB900308C9800300316A02397
71524+:10E870001A80010B8FA300580074F82A17E0FFD309
71525+:10E88000000000001074002A8FA5005802D4B021A7
71526+:10E8900000B410233044FFFFAFA4005832A8000298
71527+:10E8A0001100002E32AB00103C15800836B00080FD
71528+:10E8B0009216000832D30040526000FB8EE200083E
71529+:10E8C0000E00164E02402021240A0018A20A000958
71530+:10E8D000921100052409FFFE024020210229902404
71531+:10E8E0000E001658A2120005240400390000282149
71532+:10E8F0000E0016F2240600180A000DCA24030001B7
71533+:10E9000092FE000C3C0A800835490080001EBB00C6
71534+:10E910008D27003836F10081024020213225F08118
71535+:10E920000E000C9B30C600FF0A000DC10000000065
71536+:10E930003AA7000130E300011460FFA402D4B02123
71537+:10E940000A000E1D00000000024020210E001734B6
71538+:10E95000020028210A000D75004018211160FF7087
71539+:10E960003C0F80083C0D800835EE00808DC40038D7
71540+:10E970008FA300548DA60004006660231D80FF68ED
71541+:10E98000000000000064C02307020001AFA400548F
71542+:10E990003C1F08008FFF31E433F9000113200015FC
71543+:10E9A0008FAC00583C07800094E3011A10600012FD
71544+:10E9B0003C0680080E00216A024020213C03080129
71545+:10E9C000906396F13064000214800145000000005D
71546+:10E9D000306C0004118000078FAC0058306600FBDB
71547+:10E9E0003C010801A02696F132B500FCAFA000580A
71548+:10E9F0008FAC00583C06800834D30080AFB40018B8
71549+:10EA0000AFB60010AFAC00143C088000950B01209D
71550+:10EA10008E6F0030966A005C8FA3005C8FBF003061
71551+:10EA20003169FFFF3144FFFF8FAE005401341021E4
71552+:10EA3000350540000064382B0045C82103E7C02598
71553+:10EA4000AFB90020AFAF0028AFB80030AFAF00249F
71554+:10EA5000AFA0002CAFAE0034926D000831B40008B6
71555+:10EA6000168000BB020020218EE200040040F8095D
71556+:10EA700027A400108FAF003031F300025660000170
71557+:10EA800032B500FE3C048008349F008093F90008F2
71558+:10EA900033380040530000138FA400248C850004F9
71559+:10EAA0008FA7005410A700D52404001432B0000131
71560+:10EAB0001200000C8FA400242414000C1234011A3C
71561+:10EAC0002A2D000D11A001022413000E240E000AAD
71562+:10EAD000522E0001241E00088FAF002425E40001FF
71563+:10EAE000AFA400248FAA00143C0B80083565008079
71564+:10EAF000008A48218CB10030ACA9003090A4004EAF
71565+:10EB00008CA700303408FFFF0088180400E3F821C8
71566+:10EB1000ACBF00348FA600308FB900548FB8005CB2
71567+:10EB200030C200081040000B033898218CAC002044
71568+:10EB3000119300D330C600FF92EE000C8FA7003473
71569+:10EB400002402021000E6B0035B400800E000C9BAB
71570+:10EB50003285F0803C028008345000808E0F0030F7
71571+:10EB600001F1302318C00097264800803C070800B8
71572+:10EB70008CE731E42404FF80010418243118007F5D
71573+:10EB80003C1F80003C19800430F10001AFE300908D
71574+:10EB900012200006031928213C030801906396F116
71575+:10EBA00030690008152000C6306A00F73C10800864
71576+:10EBB00036040080908C004F318B000115600042BC
71577+:10EBC000000000003C0608008CC6319830CE0010D2
71578+:10EBD00051C0004230F9000190AF006B55E0003F9A
71579+:10EBE00030F9000124180001A0B8006B3C1180002E
71580+:10EBF0009622007A24470064A48700123C0D800806
71581+:10EC000035A5008090B40008329000401600000442
71582+:10EC10003C03800832AE000115C0008B00000000EC
71583+:10EC2000346400808C86002010D3000A3463010015
71584+:10EC30008C67000002C7782319E000978FBF00544B
71585+:10EC4000AC93002024130001AC760000AFB3005059
71586+:10EC5000AC7F000417C0004E000000008FA90050D8
71587+:10EC60001520000B000000003C030801906396F1A2
71588+:10EC7000306A00011140002E8FAB0058306400FE56
71589+:10EC80003C010801A02496F10A000D75000018212E
71590+:10EC90000E000CAC024020210A000F1300000000FF
71591+:10ECA0000A000E200000A0210040F80924040017EB
71592+:10ECB0000A000DCA240300010040F80924040016CC
71593+:10ECC0000A000DCA240300019094004F240DFFFE9A
71594+:10ECD000028D2824A085004F30F900011320000682
71595+:10ECE0003C0480083C030801906396F1307F0010DB
71596+:10ECF00017E00051306800EF34900080240A0001D2
71597+:10ED0000024020210E00164EA60A00129203002592
71598+:10ED100024090001AFA90050346200010240202103
71599+:10ED20000E001658A20200250A000EF93C0D8008BC
71600+:10ED30001160FE83000018218FA5003030AC000464
71601+:10ED40001180FE2C8FBF00840A000DCB240300012C
71602+:10ED500027A500380E000CB6AFA000385440FF4382
71603+:10ED60008EE200048FB40038329001005200FF3F61
71604+:10ED70008EE200048FA3003C8E6E0058006E682364
71605+:10ED800005A3FF39AE6300580A000E948EE200041A
71606+:10ED90000E00164E024020213C038008346800809B
71607+:10EDA000024020210E001658A11E000903C0302188
71608+:10EDB000240400370E0016F2000028210A000F116B
71609+:10EDC0008FA900508FAB00185960FF8D3C0D800853
71610+:10EDD0000E00164E02402021920C00252405000151
71611+:10EDE000AFA5005035820004024020210E001658C5
71612+:10EDF000A20200250A000EF93C0D800812240059D9
71613+:10EE00002A2300151060004D240900162408000C68
71614+:10EE10005628FF2732B000013C0A8008914C001BA5
71615+:10EE20002406FFBD241E000E01865824A14B001BA2
71616+:10EE30000A000EA532B000013C010801A02896F19D
71617+:10EE40000A000EF93C0D80088CB500308EFE0008DB
71618+:10EE50002404001826B6000103C0F809ACB600303F
71619+:10EE60003C030801906396F13077000116E0FF81C2
71620+:10EE7000306A00018FB200300A000D753243000481
71621+:10EE80003C1080009605011A50A0FF2B34C60010DC
71622+:10EE90000A000EC892EE000C8C6200001456FF6D42
71623+:10EEA000000000008C7800048FB9005403388823D8
71624+:10EEB0000621FF638FBF00540A000F0E0000000000
71625+:10EEC0003C010801A02A96F10A000F3030F9000138
71626+:10EED0001633FF028FAF00240A000EB0241E00106C
71627+:10EEE0000E00164E024020213C0B80083568008041
71628+:10EEF00091090025240A0001AFAA0050353300040F
71629+:10EF0000024020210E001658A11300253C050801DF
71630+:10EF100090A596F130A200FD3C010801A02296F1D7
71631+:10EF20000A000E6D004018212411000E53D1FEEA94
71632+:10EF3000241E00100A000EAF241E00165629FEDC07
71633+:10EF400032B000013C0A8008914C001B2406FFBD32
71634+:10EF5000241E001001865824A14B001B0A000EA598
71635+:10EF600032B000010A000EA4241E00123C038000EF
71636+:10EF70008C6201B80440FFFE24040800AC6401B8B0
71637+:10EF800003E000080000000030A5FFFF30C6FFFFCF
71638+:10EF90003C0780008CE201B80440FFFE34EA0180A7
71639+:10EFA000AD440000ACE400203C0480089483004899
71640+:10EFB0003068FFFF11000016AF88000824AB001274
71641+:10EFC000010B482B512000133C04800034EF01005A
71642+:10EFD00095EE00208F890000240D001A31CCFFFF30
71643+:10EFE00031274000A14D000B10E000362583FFFEC5
71644+:10EFF0000103C02B170000348F9900048F88000490
71645+:10F00000A5430014350700010A001003AF87000470
71646+:10F010003C04800024030003348201808F890000B7
71647+:10F020008F870004A043000B3C088000350C018052
71648+:10F03000A585000EA585001A8F85000C30EB800099
71649+:10F04000A5890010AD850028A58600081160000F75
71650+:10F050008F85001435190100972A00163158FFFCDE
71651+:10F06000270F000401E870218DCD400031A6FFFF7D
71652+:10F0700014C000072403BFFF3C02FFFF34487FFF9A
71653+:10F0800000E83824AF8700048F8500142403BFFFF5
71654+:10F090003C04800000E3582434830180A46B0026E4
71655+:10F0A000AC69002C10A0000300054C02A465001000
71656+:10F0B000A46900263C071000AC8701B803E00008F3
71657+:10F0C000000000008F990004240AFFFE032A382460
71658+:10F0D0000A001003AF87000427BDFFE88FA20028B5
71659+:10F0E00030A5FFFF30C6FFFFAFBF0010AF87000C99
71660+:10F0F000AF820014AF8000040E000FDBAF80000071
71661+:10F100008FBF001027BD001803E00008AF80001477
71662+:10F110003C06800034C4007034C701008C8A0000B3
71663+:10F1200090E500128F84000027BDFFF030A300FFA0
71664+:10F13000000318823082400010400037246500032D
71665+:10F140000005C8800326C0218F0E4000246F0004F4
71666+:10F15000000F6880AFAE000001A660218D8B4000DB
71667+:10F16000AFAB000494E900163128FFFC01063821FA
71668+:10F170008CE64000AFA600088FA9000800003021EF
71669+:10F18000000028213C07080024E701000A0010675E
71670+:10F19000240800089059000024A500012CAC000CA4
71671+:10F1A0000079C0210018788001E770218DCD000022
71672+:10F1B0001180000600CD302603A5102114A8FFF50C
71673+:10F1C00000051A005520FFF4905900003C0480000F
71674+:10F1D000348700703C0508008CA531048CE30000E6
71675+:10F1E0002CA2002010400009006A38230005488046
71676+:10F1F0003C0B0800256B3108012B402124AA00019B
71677+:10F20000AD0700003C010800AC2A310400C0102109
71678+:10F2100003E0000827BD0010308220001040000BE2
71679+:10F2200000055880016648218D24400024680004B0
71680+:10F2300000083880AFA4000000E618218C6540006B
71681+:10F24000AFA000080A001057AFA500040000000D91
71682+:10F250000A0010588FA9000827BDFFE03C07800076
71683+:10F2600034E60100AFBF001CAFB20018AFB100140C
71684+:10F27000AFB0001094C5000E8F87000030A4FFFFD0
71685+:10F280002483000430E2400010400010AF830028C7
71686+:10F290003C09002000E940241100000D30EC800002
71687+:10F2A0008F8A0004240BBFFF00EB38243543100085
71688+:10F2B000AF87000030F220001640000B3C1900041C
71689+:10F2C000241FFFBF0A0010B7007F102430EC80001D
71690+:10F2D000158000423C0E002030F220001240FFF862
71691+:10F2E0008F8300043C19000400F9C0241300FFF5CB
71692+:10F2F000241FFFBF34620040AF82000430E20100EF
71693+:10F300001040001130F010008F83002C10600006B8
71694+:10F310003C0F80003C05002000E52024148000C044
71695+:10F320003C0800043C0F800035EE010095CD001E26
71696+:10F3300095CC001C31AAFFFF000C5C00014B482556
71697+:10F34000AF89000C30F010001200000824110001F9
71698+:10F3500030F100201620008B3C18100000F890249B
71699+:10F36000164000823C040C002411000130E801002A
71700+:10F370001500000B3C0900018F85000430A94000F6
71701+:10F38000152000073C0900013C0C1F0100EC58242B
71702+:10F390003C0A1000116A01183C1080003C09000171
71703+:10F3A00000E9302410C000173C0B10003C18080086
71704+:10F3B0008F1800243307000214E0014024030001E9
71705+:10F3C0008FBF001C8FB200188FB100148FB00010D7
71706+:10F3D0000060102103E0000827BD002000EE682433
71707+:10F3E00011A0FFBE30F220008F8F00043C11FFFF00
71708+:10F3F00036307FFF00F0382435E380000A0010A685
71709+:10F40000AF87000000EB102450400065AF8000245F
71710+:10F410008F8C002C3C0D0F0000ED18241580008807
71711+:10F42000AF83001030E8010011000086938F0010B8
71712+:10F430003C0A0200106A00833C1280003650010032
71713+:10F44000920500139789002A3626000230AF00FF8C
71714+:10F4500025EE0004000E19C03C0480008C9801B811
71715+:10F460000700FFFE34880180AD0300003C198008CE
71716+:10F47000AC830020973100483225FFFF10A0015CCB
71717+:10F48000AF8500082523001200A3F82B53E0015993
71718+:10F490008F850004348D010095AC00202402001AF1
71719+:10F4A00030E44000318BFFFFA102000B108001927D
71720+:10F4B0002563FFFE00A3502B154001908F8F0004A1
71721+:10F4C000A50300148F88000435050001AF850004F2
71722+:10F4D0003C08800035190180A729000EA729001AD1
71723+:10F4E0008F89000C30B18000A7270010AF290028B9
71724+:10F4F000A72600081220000E3C04800035020100FF
71725+:10F50000944C0016318BFFFC256400040088182100
71726+:10F510008C7F400033E6FFFF14C000053C048000F0
71727+:10F520003C0AFFFF354D7FFF00AD2824AF85000466
71728+:10F53000240EBFFF00AE402434850180A4A800261D
71729+:10F54000ACA7002C3C071000AC8701B800001821C4
71730+:10F550008FBF001C8FB200188FB100148FB0001045
71731+:10F560000060102103E0000827BD00203C020BFFD3
71732+:10F5700000E41824345FFFFF03E3C82B5320FF7B14
71733+:10F58000241100013C0608008CC6002C24C5000193
71734+:10F590003C010800AC25002C0A0010D42411000501
71735+:10F5A0008F85002410A0002FAF80001090A30000D2
71736+:10F5B000146000792419000310A0002A30E601002D
71737+:10F5C00010C000CC8F860010241F000210DF00C97D
71738+:10F5D0008F8B000C3C0708008CE7003824E4FFFF09
71739+:10F5E00014E0000201641824000018213C0D0800FA
71740+:10F5F00025AD0038006D1021904C00048F85002847
71741+:10F6000025830004000321C030A5FFFF3626000239
71742+:10F610000E000FDB000000000A00114D0000182151
71743+:10F6200000E8302414C0FF403C0F80000E00103D65
71744+:10F63000000000008F8700000A0010CAAF82000C93
71745+:10F64000938F00103C18080127189640000F90C0B7
71746+:10F6500002588021AF9000248F85002414A0FFD38E
71747+:10F66000AF8F00103C0480008C86400030C5010044
71748+:10F6700010A000BC322300043C0C08008D8C002438
71749+:10F6800024120004106000C23190000D3C04800080
71750+:10F690008C8D40003402FFFF11A201003231FFFBCC
71751+:10F6A0008C884000310A01005540000124110010EF
71752+:10F6B00030EE080011C000BE2419FFFB8F9800280F
71753+:10F6C0002F0F03EF51E000010219802430E90100FF
71754+:10F6D00011200014320800018F87002C14E000FB79
71755+:10F6E0008F8C000C3C05800034AB0100917F00132F
71756+:10F6F00033E300FF246A00042403FFFE0203802496
71757+:10F70000000A21C012000002023230253226FFFF1B
71758+:10F710000E000FDB9785002A1200FF290000182138
71759+:10F72000320800011100000D32180004240E0001FF
71760+:10F73000120E0002023230253226FFFF9785002A82
71761+:10F740000E000FDB00002021240FFFFE020F80249B
71762+:10F750001200FF1B00001821321800045300FF188C
71763+:10F760002403000102323025241200045612000145
71764+:10F770003226FFFF9785002A0E000FDB24040100CC
71765+:10F780002419FFFB021988241220FF0D0000182104
71766+:10F790000A0010E9240300011079009C00003021C8
71767+:10F7A00090AD00012402000211A200BE30EA004028
71768+:10F7B00090B90001241800011338007F30E900409F
71769+:10F7C0008CA600049785002A00C020210E000FDBC4
71770+:10F7D0003626000200004021010018218FBF001CC6
71771+:10F7E0008FB200188FB100148FB00010006010218C
71772+:10F7F00003E0000827BD0020360F010095EE000C45
71773+:10F8000031CD020015A0FEE63C0900013C1880083D
71774+:10F81000971200489789002A362600023248FFFFD7
71775+:10F82000AF8800083C0380008C7101B80620FFFE01
71776+:10F83000346A0180AD4000001100008E3C0F800052
71777+:10F84000253F0012011FC82B1320008B240E00033C
71778+:10F85000346C0100958B00202402001A30E4400033
71779+:10F860003163FFFFA142000B108000A72463FFFE5D
71780+:10F870000103682B15A000A52408FFFE34A5000194
71781+:10F88000A5430014AF8500043C0480002412BFFF90
71782+:10F8900000B2802434850180A4A9000EA4A9001A16
71783+:10F8A000A4A60008A4B00026A4A700103C071000DE
71784+:10F8B000AC8701B80A00114D000018213C038000FC
71785+:10F8C00034640100949F000E3C1908008F3900D861
71786+:10F8D0002404008033E5FFFF273100013C010800CC
71787+:10F8E000AC3100D80E000FDB240600030A00114DD6
71788+:10F8F00000001821240A000210CA00598F85002830
71789+:10F900003C0308008C6300D0240E0001106E005EE2
71790+:10F910002CCF000C24D2FFFC2E5000041600002136
71791+:10F9200000002021241800021078001B2CD9000CA4
71792+:10F9300024DFFFF82FE900041520FF330000202109
71793+:10F9400030EB020051600004000621C054C00022C8
71794+:10F9500030A5FFFF000621C030A5FFFF0A00117D82
71795+:10F96000362600023C0908008D29002431300001B0
71796+:10F970005200FEF7000018219785002A3626000263
71797+:10F980000E000FDB000020210A00114D000018219D
71798+:10F990000A00119C241200021320FFE624DFFFF866
71799+:10F9A0000000202130A5FFFF0A00117D362600024D
71800+:10F9B0000A0011AC021980245120FF828CA6000499
71801+:10F9C0003C05080190A5964110A0FF7E2408000187
71802+:10F9D0000A0011F0010018210E000FDB3226000191
71803+:10F9E0008F8600108F8500280A00124F000621C064
71804+:10F9F0008F8500043C18800024120003371001801A
71805+:10FA0000A212000B0A00112E3C08800090A30001F6
71806+:10FA1000241100011071FF70240800012409000264
71807+:10FA20005069000430E60040240800010A0011F08B
71808+:10FA30000100182150C0FFFD240800013C0C80008B
71809+:10FA4000358B01009563001094A40002307FFFFF06
71810+:10FA5000509FFF62010018210A001284240800014F
71811+:10FA60002CA803EF1100FE56240300010A001239EE
71812+:10FA700000000000240E000335EA0180A14E000BB7
71813+:10FA80000A00121C3C04800011E0FFA2000621C005
71814+:10FA900030A5FFFF0A00117D362600020A0011A5DD
71815+:10FAA000241100201140FFC63C1280003650010096
71816+:10FAB000960F001094AE000231E80FFF15C8FFC08A
71817+:10FAC000000000000A0011E690B900013C060800A1
71818+:10FAD0008CC6003824C4FFFF14C00002018418241F
71819+:10FAE000000018213C0D080025AD0038006D1021E4
71820+:10FAF0000A0011B6904300048F8F0004240EFFFE0D
71821+:10FB00000A00112C01EE28242408FFFE0A00121A14
71822+:10FB100000A8282427BDFFC8AFB00010AFBF003435
71823+:10FB20003C10600CAFBE0030AFB7002CAFB6002861
71824+:10FB3000AFB50024AFB40020AFB3001CAFB20018C3
71825+:10FB4000AFB100148E0E5000240FFF7F3C068000E2
71826+:10FB500001CF682435AC380C240B0003AE0C5000E8
71827+:10FB6000ACCB00083C010800AC2000200E001819A6
71828+:10FB7000000000003C0A0010354980513C06601628
71829+:10FB8000AE09537C8CC700003C0860148D0500A0B2
71830+:10FB90003C03FFFF00E320243C02535300051FC237
71831+:10FBA0001482000634C57C000003A08002869821E0
71832+:10FBB0008E7200043C116000025128218CBF007C31
71833+:10FBC0008CA200783C1E600037C420203C05080150
71834+:10FBD00024A59288AF820018AF9F001C0E0016DD8E
71835+:10FBE0002406000A3C190001273996403C01080010
71836+:10FBF000AC3931DC0E0020DDAF8000148FD708084F
71837+:10FC00002418FFF03C15570902F8B02412D502F56C
71838+:10FC100024040001AF80002C3C1480003697018042
71839+:10FC20003C1E080127DE9644369301008E900000AA
71840+:10FC30003205000310A0FFFD3207000110E000882C
71841+:10FC4000320600028E7100283C048000AE91002034
71842+:10FC50008E6500048E66000000A0382100C040219F
71843+:10FC60008C8301B80460FFFE3C0B0010240A0800DE
71844+:10FC700000AB4824AC8A01B8552000E0240BBFFF3C
71845+:10FC80009675000E3C1208008E52002030AC4000E9
71846+:10FC900032AFFFFF264E000125ED00043C010800B5
71847+:10FCA000AC2E0020118000E8AF8D00283C18002009
71848+:10FCB00000B8B02412C000E530B980002408BFFFAE
71849+:10FCC00000A8382434C81000AF87000030E62000B8
71850+:10FCD00010C000E92409FFBF3C03000400E328240E
71851+:10FCE00010A00002010910243502004030EA010092
71852+:10FCF00011400010AF8200048F8B002C11600007B0
71853+:10FD00003C0D002000ED6024118000043C0F000435
71854+:10FD100000EF702411C00239000000009668001E38
71855+:10FD20009678001C3115FFFF0018B40002B690252C
71856+:10FD3000AF92000C30F910001320001324150001BD
71857+:10FD400030FF002017E0000A3C04100000E41024FB
71858+:10FD50001040000D3C0A0C003C090BFF00EA18247F
71859+:10FD60003525FFFF00A3302B10C0000830ED010047
71860+:10FD70003C0C08008D8C002C24150005258B0001FF
71861+:10FD80003C010800AC2B002C30ED010015A0000B4D
71862+:10FD90003C0500018F85000430AE400055C00007CF
71863+:10FDA0003C0500013C161F0100F690243C0F10009A
71864+:10FDB000124F01CE000000003C05000100E5302498
71865+:10FDC00010C000AF3C0C10003C1F08008FFF002447
71866+:10FDD00033E90002152000712403000100601021A6
71867+:10FDE000104000083C0680003C08800035180100E7
71868+:10FDF0008F0F00243C056020ACAF00140000000011
71869+:10FE00003C0680003C194000ACD9013800000000DD
71870+:10FE10005220001332060002262B0140262C0080BF
71871+:10FE2000240EFF80016E2024018E6824000D1940ED
71872+:10FE3000318A007F0004A9403172007F3C16200007
71873+:10FE400036C20002006A482502B2382500E2882541
71874+:10FE50000122F825ACDF0830ACD1083032060002B0
71875+:10FE600010C0FF723C188000370501408CA80000CC
71876+:10FE700024100040AF08002090AF000831E300706C
71877+:10FE8000107000D428790041532000082405006038
71878+:10FE9000241100201071000E3C0A40003C09800033
71879+:10FEA000AD2A01780A001304000000001465FFFB6E
71880+:10FEB0003C0A40000E001FFA000000003C0A40000F
71881+:10FEC0003C098000AD2A01780A00130400000000FC
71882+:10FED00090A90009241F00048CA70000312800FF0E
71883+:10FEE000111F01B22503FFFA2C7200061240001404
71884+:10FEF0003C0680008CA9000494A4000A310500FF90
71885+:10FF000000095E022D6A00083086FFFF15400002DE
71886+:10FF10002567000424070003240C000910AC01FA33
71887+:10FF200028AD000A11A001DE2410000A240E0008EA
71888+:10FF300010AE0028000731C000C038213C06800008
71889+:10FF40008CD501B806A0FFFE34D20180AE47000078
71890+:10FF500034CB0140916E0008240300023C0A4000AB
71891+:10FF600031C400FF00046A0001A86025A64C000807
71892+:10FF7000A243000B9562000A3C0810003C09800077
71893+:10FF8000A64200108D670004AE470024ACC801B83B
71894+:10FF9000AD2A01780A001304000000003C0A80002A
71895+:10FFA000354401009483000E3C0208008C4200D8C6
71896+:10FFB000240400803065FFFF245500013C01080047
71897+:10FFC000AC3500D80E000FDB240600030A001370C6
71898+:10FFD000000018210009320230D900FF2418000166
71899+:10FFE0001738FFD5000731C08F910020262200016D
71900+:10FFF000AF8200200A0013C800C0382100CB2024A3
71901+:020000021000EC
71902+:10000000AF85000010800008AF860004240D87FF34
71903+:1000100000CD6024158000083C0E006000AE302446
71904+:1000200010C00005000000000E000D42000000009E
71905+:100030000A001371000000000E0016050000000009
71906+:100040000A0013710000000030B980005320FF1F28
71907+:10005000AF8500003C02002000A2F82453E0FF1B03
71908+:10006000AF8500003C07FFFF34E47FFF00A4382485
71909+:100070000A00132B34C880000A001334010910242D
71910+:1000800000EC58245160005AAF8000248F8D002C62
71911+:100090003C0E0F0000EE182415A00075AF83001071
71912+:1000A00030EF010011E00073939800103C12020041
71913+:1000B000107200703C06800034D9010093280013B0
71914+:1000C0009789002A36A60002311800FF271600047F
71915+:1000D000001619C03C0480008C8501B804A0FFFE06
71916+:1000E00034880180AD0300003C158008AC830020FB
71917+:1000F00096BF004833E5FFFF10A001BCAF850008A4
71918+:100100002523001200A3102B504001B98F85000455
71919+:10011000348D010095AC0020240B001A30E440001F
71920+:10012000318AFFFFA10B000B108001BA2543FFFEAF
71921+:1001300000A3702B15C001B88F9600048F8F0004A8
71922+:10014000A503001435E50001AF8500043C088000DC
71923+:1001500035150180A6A9000EA6A9001A8F89000CEA
71924+:1001600030BF8000A6A70010AEA90028A6A60008F0
71925+:1001700013E0000F3C0F8000350C0100958B00163A
71926+:10018000316AFFFC25440004008818218C6240007D
71927+:100190003046FFFF14C000072416BFFF3C0EFFFFD0
71928+:1001A00035CD7FFF00AD2824AF8500043C0F8000D3
71929+:1001B0002416BFFF00B6902435E50180A4B20026C6
71930+:1001C000ACA7002C3C071000ADE701B80A00137083
71931+:1001D000000018210E00165D000000003C0A4000DF
71932+:1001E0003C098000AD2A01780A00130400000000D9
71933+:1001F0008F85002410A00027AF80001090A300007E
71934+:10020000106000742409000310690101000030210E
71935+:1002100090AE0001240D000211CD014230EF0040EC
71936+:1002200090A90001241F0001113F000930E20040A5
71937+:100230008CA600049785002A00C020210E000FDB49
71938+:1002400036A60002000040210A00137001001821A8
71939+:100250005040FFF88CA600043C07080190E7964147
71940+:1002600010E0FFF4240800010A00137001001821B7
71941+:10027000939800103C1F080127FF96400018C8C043
71942+:10028000033F4021AF8800248F85002414A0FFDBAA
71943+:10029000AF9800103C0480008C86400030C50100FF
71944+:1002A00010A0008732AB00043C0C08008D8C0024A9
71945+:1002B00024160004156000033192000D241600027C
71946+:1002C0003C0480008C8E4000340DFFFF11CD0113E3
71947+:1002D00032B5FFFB8C984000330F010055E0000160
71948+:1002E0002415001030E80800110000382409FFFB35
71949+:1002F0008F9F00282FF903EF53200001024990241B
71950+:1003000030E2010010400014325F00018F87002CA2
71951+:1003100014E0010E8F8C000C3C0480003486010038
71952+:1003200090C5001330AA00FF25430004000321C03C
71953+:100330002419FFFE025990241240000202B6302513
71954+:1003400032A6FFFF0E000FDB9785002A1240FEA3A6
71955+:1003500000001821325F000113E0000D3247000455
71956+:10036000240900011249000202B6302532A6FFFF1F
71957+:100370009785002A0E000FDB000020212402FFFEDB
71958+:10038000024290241240FE950000182132470004DA
71959+:1003900050E0FE922403000102B63025241600042A
71960+:1003A0005656000132A6FFFF9785002A0E000FDB8C
71961+:1003B000240401002403FFFB0243A82412A0FE87AB
71962+:1003C000000018210A001370240300010A0014B968
71963+:1003D0000249902410A0FFAF30E5010010A00017E3
71964+:1003E0008F8600102403000210C300148F84000CB9
71965+:1003F0003C0608008CC6003824CAFFFF14C0000267
71966+:10040000008A1024000010213C0E080025CE003880
71967+:10041000004E682191AC00048F850028258B0004D4
71968+:10042000000B21C030A5FFFF36A600020E000FDB37
71969+:10043000000000000A00137000001821240F0002C1
71970+:1004400010CF0088241600013C0308008C6300D004
71971+:100450001076008D8F85002824D9FFFC2F280004FA
71972+:100460001500006300002021241F0002107F005DA2
71973+:100470002CC9000C24C3FFF82C6200041440FFE9CF
71974+:100480000000202130EA020051400004000621C093
71975+:1004900054C0000530A5FFFF000621C030A5FFFFB6
71976+:1004A0000A00150436A600020E000FDB32A600017A
71977+:1004B0008F8600108F8500280A001520000621C0B5
71978+:1004C0003C0A08008D4A0024315200015240FE438C
71979+:1004D000000018219785002A36A600020E000FDBC7
71980+:1004E000000020210A001370000018219668000CFB
71981+:1004F000311802005700FE313C0500013C1F800806
71982+:1005000097F900489789002A36A600023328FFFF92
71983+:10051000AF8800083C0380008C7501B806A0FFFE80
71984+:100520003C04800034820180AC400000110000B621
71985+:1005300024180003252A0012010A182B106000B2AB
71986+:1005400000000000966F00203C0E8000240D001A71
71987+:1005500031ECFFFF35CA018030EB4000A14D000BAC
71988+:10056000116000B02583FFFE0103902B164000AE02
71989+:100570002416FFFE34A50001A5430014AF85000436
71990+:100580002419BFFF00B94024A6E9000EA6E9001A0D
71991+:10059000A6E60008A6E80026A6E700103C07100023
71992+:1005A000AE8701B80A001370000018213C048000D7
71993+:1005B0008C8201B80440FFFE349601802415001C93
71994+:1005C000AEC70000A2D5000B3C071000AC8701B8F5
71995+:1005D0003C0A40003C098000AD2A01780A0013045F
71996+:1005E000000000005120FFA424C3FFF800002021D8
71997+:1005F00030A5FFFF0A00150436A600020E00103DCC
71998+:10060000000000008F8700000A001346AF82000C34
71999+:1006100090A30001241500011075FF0B24080001B0
72000+:10062000240600021066000430E2004024080001A5
72001+:100630000A001370010018215040FFFD240800013A
72002+:100640003C0C8000358B0100956A001094A40002D8
72003+:100650003143FFFF5083FDE1010018210A00158599
72004+:10066000240800018F8500282CB203EF1240FDDB27
72005+:10067000240300013C0308008C6300D02416000111
72006+:100680001476FF7624D9FFFC2CD8000C1300FF72DF
72007+:10069000000621C030A5FFFF0A00150436A600029F
72008+:1006A00010B00037240F000B14AFFE23000731C039
72009+:1006B000312600FF00065600000A4E0305220047BF
72010+:1006C00030C6007F0006F8C03C16080126D69640CA
72011+:1006D00003F68021A2000001A20000003C0F600090
72012+:1006E0008DF918202405000100C588040011302769
72013+:1006F0000326C024000731C000C03821ADF81820FF
72014+:100700000A0013C8A60000028F850020000731C030
72015+:1007100024A2FFFF0A0013F6AF8200200A0014B2E1
72016+:100720002415002011E0FECC3C1980003728010080
72017+:100730009518001094B6000233120FFF16D2FEC6B1
72018+:10074000000000000A00148290A900013C0B080080
72019+:100750008D6B0038256DFFFF15600002018D1024A0
72020+:10076000000010213C080800250800380048C0217E
72021+:10077000930F000425EE00040A0014C5000E21C0EA
72022+:1007800000065202241F00FF115FFDEB000731C07D
72023+:10079000000A20C03C0E080125CE9640008EA821FC
72024+:1007A000009E602100095C02240D00013C076000EE
72025+:1007B000A2AD0000AD860000A2AB00018CF21820B3
72026+:1007C00024030001014310040242B025ACF61820B6
72027+:1007D00000C038210A0013C8A6A900020A0015AA01
72028+:1007E000AF8000200A0012FFAF84002C8F85000428
72029+:1007F0003C1980002408000337380180A308000B4F
72030+:100800000A00144D3C088000A2F8000B0A00155A9B
72031+:100810002419BFFF8F9600042412FFFE0A00144B18
72032+:1008200002D228242416FFFE0A00155800B62824F8
72033+:100830003C038000346401008C85000030A2003E3F
72034+:100840001440000800000000AC6000488C870000E5
72035+:1008500030E607C010C0000500000000AC60004C8E
72036+:10086000AC60005003E0000824020001AC600054BA
72037+:10087000AC6000408C880000310438001080FFF923
72038+:10088000000000002402000103E00008AC60004406
72039+:100890003C0380008C6201B80440FFFE3467018095
72040+:1008A000ACE4000024080001ACE00004A4E500086A
72041+:1008B00024050002A0E8000A34640140A0E5000B12
72042+:1008C0009483000A14C00008A4E30010ACE00024E4
72043+:1008D0003C07800034E901803C041000AD20002872
72044+:1008E00003E00008ACE401B88C8600043C0410006E
72045+:1008F000ACE600243C07800034E90180AD200028EC
72046+:1009000003E00008ACE401B83C0680008CC201B8EA
72047+:100910000440FFFE34C7018024090002ACE400005B
72048+:10092000ACE40004A4E50008A0E9000A34C50140D5
72049+:10093000A0E9000B94A8000A3C041000A4E80010F1
72050+:10094000ACE000248CA30004ACE3002803E0000822
72051+:10095000ACC401B83C039000346200010082202541
72052+:100960003C038000AC6400208C65002004A0FFFEE6
72053+:100970000000000003E00008000000003C028000CE
72054+:10098000344300010083202503E00008AC4400202C
72055+:1009900027BDFFE03C098000AFBF0018AFB10014D5
72056+:1009A000AFB00010352801408D10000091040009FF
72057+:1009B0009107000891050008308400FF30E600FF31
72058+:1009C00000061A002C820081008330251040002A86
72059+:1009D00030A50080000460803C0D080125AD92B078
72060+:1009E000018D58218D6A00000140000800000000C0
72061+:1009F0003C038000346201409445000A14A0001EAC
72062+:100A00008F91FCC09227000530E6000414C0001A44
72063+:100A1000000000000E00164E02002021922A000560
72064+:100A200002002021354900040E001658A2290005B5
72065+:100A30009228000531040004148000020000000028
72066+:100A40000000000D922D0000240B002031AC00FFAF
72067+:100A5000158B00093C0580008CAE01B805C0FFFE77
72068+:100A600034B10180AE3000003C0F100024100005AE
72069+:100A7000A230000BACAF01B80000000D8FBF001812
72070+:100A80008FB100148FB0001003E0000827BD0020D4
72071+:100A90000200202100C028218FBF00188FB1001450
72072+:100AA0008FB00010240600010A00161D27BD00208B
72073+:100AB0000000000D0200202100C028218FBF001877
72074+:100AC0008FB100148FB00010000030210A00161DF5
72075+:100AD00027BD002014A0FFE8000000000200202134
72076+:100AE0008FBF00188FB100148FB0001000C02821F4
72077+:100AF0000A00163B27BD00203C0780008CEE01B8A1
72078+:100B000005C0FFFE34F00180241F0002A21F000B6D
72079+:100B100034F80140A60600089719000A3C0F10009F
72080+:100B2000A61900108F110004A6110012ACEF01B835
72081+:100B30000A0016998FBF001827BDFFE8AFBF00104D
72082+:100B40000E000FD4000000003C0280008FBF001098
72083+:100B500000002021AC4001800A00108F27BD001842
72084+:100B60003084FFFF30A5FFFF108000070000182130
72085+:100B7000308200011040000200042042006518216C
72086+:100B80001480FFFB0005284003E0000800601021EE
72087+:100B900010C00007000000008CA2000024C6FFFF68
72088+:100BA00024A50004AC82000014C0FFFB24840004D0
72089+:100BB00003E000080000000010A0000824A3FFFFCD
72090+:100BC000AC86000000000000000000002402FFFFCF
72091+:100BD0002463FFFF1462FFFA2484000403E000088A
72092+:100BE000000000003C03800027BDFFF83462018054
72093+:100BF000AFA20000308C00FF30AD00FF30CE00FF10
72094+:100C00003C0B80008D6401B80480FFFE00000000F2
72095+:100C10008FA900008D6801288FAA00008FA700000F
72096+:100C20008FA400002405000124020002A085000A10
72097+:100C30008FA30000359940003C051000A062000B16
72098+:100C40008FB800008FAC00008FA600008FAF0000AF
72099+:100C500027BD0008AD280000AD400004AD80002491
72100+:100C6000ACC00028A4F90008A70D0010A5EE0012E2
72101+:100C700003E00008AD6501B83C06800827BDFFE829
72102+:100C800034C50080AFBF001090A7000924020012F5
72103+:100C900030E300FF1062000B008030218CA8005070
72104+:100CA00000882023048000088FBF00108CAA003425
72105+:100CB000240400390000282100CA4823052000052B
72106+:100CC000240600128FBF00102402000103E0000878
72107+:100CD00027BD00180E0016F2000000008FBF0010A4
72108+:100CE0002402000103E0000827BD001827BDFFC84B
72109+:100CF000AFB20030AFB00028AFBF0034AFB1002CAE
72110+:100D000000A0802190A5000D30A6001010C000109A
72111+:100D1000008090213C0280088C4400048E0300086F
72112+:100D20001064000C30A7000530A6000510C0009329
72113+:100D3000240400018FBF00348FB200308FB1002C2B
72114+:100D40008FB000280080102103E0000827BD003884
72115+:100D500030A7000510E0000F30AB001210C00006F5
72116+:100D6000240400013C0980088E0800088D25000439
72117+:100D70005105009C240400388FBF00348FB200302E
72118+:100D80008FB1002C8FB000280080102103E00008F4
72119+:100D900027BD0038240A0012156AFFE6240400016A
72120+:100DA0000200202127A500100E000CB6AFA00010F5
72121+:100DB0001440007C3C19800837240080909800087B
72122+:100DC000331100081220000A8FA7001030FF010025
72123+:100DD00013E000A48FA300148C8600580066102333
72124+:100DE000044000043C0A8008AC8300588FA7001020
72125+:100DF0003C0A800835480080910900083124000829
72126+:100E00001480000224080003000040213C1F8008D9
72127+:100E100093F1001193F9001237E600808CCC005456
72128+:100E2000333800FF03087821322D00FF000F708057
72129+:100E300001AE282100AC582B1160006F00000000AB
72130+:100E400094CA005C8CC900543144FFFF0125102373
72131+:100E50000082182B14600068000000008CCB005446
72132+:100E60000165182330EC00041180006C000830800C
72133+:100E70008FA8001C0068102B1040006230ED0004A9
72134+:100E8000006610232C46008010C00002004088211C
72135+:100E9000241100800E00164E024020213C0D8008D7
72136+:100EA00035A6008024070001ACC7000C90C80008DC
72137+:100EB0000011484035A70100310C007FA0CC00088C
72138+:100EC0008E05000424AB0001ACCB0030A4D1005C43
72139+:100ED0008CCA003C9602000E01422021ACC40020C6
72140+:100EE0008CC3003C0069F821ACDF001C8E190004A3
72141+:100EF000ACF900008E180008ACF800048FB10010A7
72142+:100F0000322F000855E0004793A60020A0C0004EF5
72143+:100F100090D8004E2411FFDFA0F8000890CF000801
72144+:100F200001F17024A0CE00088E0500083C0B80085B
72145+:100F300035690080AD2500388D6A00148D2200309F
72146+:100F40002419005001422021AD24003491230000D7
72147+:100F5000307F00FF13F90036264F01000E001658AF
72148+:100F60000240202124040038000028210E0016F23F
72149+:100F70002406000A0A001757240400010E000D2859
72150+:100F8000000020218FBF00348FB200308FB1002CC1
72151+:100F90008FB00028004020210080102103E00008CD
72152+:100FA00027BD00388E0E00083C0F800835F0008009
72153+:100FB000AE0E005402402021AE0000300E00164E4E
72154+:100FC00000000000920D00250240202135AC0020D9
72155+:100FD0000E001658A20C00250E000CAC0240202179
72156+:100FE000240400382405008D0E0016F22406001299
72157+:100FF0000A0017572404000194C5005C0A001792E8
72158+:1010000030A3FFFF2407021811A0FF9E00E6102363
72159+:101010008FAE001C0A00179A01C610230A0017970A
72160+:101020002C620218A0E600080A0017C48E0500080A
72161+:101030002406FF8001E6C0243C118000AE38002861
72162+:101040008E0D000831E7007F3C0E800C00EE602121
72163+:10105000AD8D00E08E080008AF8C00380A0017D074
72164+:10106000AD8800E4AC800058908500082403FFF7A9
72165+:1010700000A33824A08700080A0017758FA7001066
72166+:101080003C05080024A560A83C04080024846FF4F3
72167+:101090003C020800244260B0240300063C01080121
72168+:1010A000AC2596C03C010801AC2496C43C01080163
72169+:1010B000AC2296C83C010801A02396CC03E00008AE
72170+:1010C0000000000003E00008240200013C02800050
72171+:1010D000308800FF344701803C0680008CC301B893
72172+:1010E0000460FFFE000000008CC501282418FF806A
72173+:1010F0003C0D800A24AF010001F8702431EC007F20
72174+:10110000ACCE0024018D2021ACE50000948B00EAD8
72175+:101110003509600024080002316AFFFFACEA0004D0
72176+:1011200024020001A4E90008A0E8000BACE00024C0
72177+:101130003C071000ACC701B8AF84003803E00008DA
72178+:10114000AF85006C938800488F8900608F820038DB
72179+:1011500030C600FF0109382330E900FF01221821C1
72180+:1011600030A500FF2468008810C000020124382147
72181+:101170000080382130E400031480000330AA00030B
72182+:101180001140000D312B000310A0000900001021B8
72183+:1011900090ED0000244E000131C200FF0045602B9D
72184+:1011A000A10D000024E700011580FFF925080001CA
72185+:1011B00003E00008000000001560FFF300000000DD
72186+:1011C00010A0FFFB000010218CF80000245900043F
72187+:1011D000332200FF0045782BAD18000024E70004FF
72188+:1011E00015E0FFF92508000403E0000800000000F6
72189+:1011F00093850048938800588F8700600004320070
72190+:101200003103007F00E5102B30C47F001040000F39
72191+:10121000006428258F8400383C0980008C8A00EC0B
72192+:10122000AD2A00A43C03800000A35825AC6B00A0AD
72193+:101230008C6C00A00580FFFE000000008C6D00ACEF
72194+:10124000AC8D00EC03E000088C6200A80A00188254
72195+:101250008F840038938800593C0280000080502120
72196+:10126000310300FEA383005930ABFFFF30CC00FFF9
72197+:1012700030E7FFFF344801803C0980008D2401B82D
72198+:101280000480FFFE8F8D006C24180016AD0D000049
72199+:101290008D2201248F8D0038AD0200048D5900206D
72200+:1012A000A5070008240201C4A119000AA118000B17
72201+:1012B000952F01208D4E00088D4700049783005C18
72202+:1012C0008D59002401CF302100C7282100A32023FD
72203+:1012D0002418FFFFA504000CA50B000EA5020010AA
72204+:1012E000A50C0012AD190018AD18002495AF00E848
72205+:1012F0003C0B10002407FFF731EEFFFFAD0E002876
72206+:101300008DAC0084AD0C002CAD2B01B88D460020B7
72207+:1013100000C7282403E00008AD4500208F8800386E
72208+:101320000080582130E7FFFF910900D63C02800081
72209+:1013300030A5FFFF312400FF00041A00006750258C
72210+:1013400030C600FF344701803C0980008D2C01B875
72211+:101350000580FFFE8F82006C240F0017ACE20000B6
72212+:101360008D390124ACF900048D780020A4EA00082E
72213+:10137000241901C4A0F8000AA0EF000B9523012056
72214+:101380008D6E00088D6D00049784005C01C35021B0
72215+:10139000014D602101841023A4E2000CA4E5000E9D
72216+:1013A000A4F90010A4E60012ACE000148D7800242B
72217+:1013B000240DFFFFACF800188D0F007CACEF001C73
72218+:1013C0008D0E00783C0F1000ACEE0020ACED002438
72219+:1013D000950A00BE240DFFF73146FFFFACE600285A
72220+:1013E000950C00809504008231837FFF0003CA00C2
72221+:1013F0003082FFFF0322C021ACF8002CAD2F01B8D2
72222+:10140000950E00828D6A002000AE3021014D282407
72223+:10141000A506008203E00008AD6500203C028000C4
72224+:10142000344501803C0480008C8301B80460FFFED9
72225+:101430008F8A0044240600199549001C3128FFFFBB
72226+:10144000000839C0ACA70000A0A6000B3C051000A6
72227+:1014500003E00008AC8501B88F87004C0080402174
72228+:1014600030C400FF3C0680008CC201B80440FFFE7F
72229+:101470008F89006C9383006834996000ACA90000E8
72230+:10148000A0A300058CE20010240F00022403FFF744
72231+:10149000A4A20006A4B900088D180020A0B8000A74
72232+:1014A000A0AF000B8CEE0000ACAE00108CED000481
72233+:1014B000ACAD00148CEC001CACAC00248CEB002018
72234+:1014C000ACAB00288CEA002C3C071000ACAA002C26
72235+:1014D0008D090024ACA90018ACC701B88D05002007
72236+:1014E00000A3202403E00008AD0400208F8600380C
72237+:1014F00027BDFFE0AFB10014AFBF0018AFB00010C0
72238+:1015000090C300D430A500FF3062002010400008D6
72239+:10151000008088218CCB00D02409FFDF256A0001E0
72240+:10152000ACCA00D090C800D401093824A0C700D4A8
72241+:1015300014A000403C0C80008F840038908700D4B9
72242+:101540002418FFBF2406FFEF30E3007FA08300D400
72243+:10155000979F005C8F8200608F8D003803E2C82364
72244+:10156000A799005CA5A000BC91AF00D401F870243D
72245+:10157000A1AE00D48F8C0038A18000D78F8A0038AC
72246+:10158000A5400082AD4000EC914500D400A658244F
72247+:10159000A14B00D48F9000348F8400609786005C4C
72248+:1015A0000204282110C0000FAF850034A38000582A
72249+:1015B0003C0780008E2C000894ED01208E2B000447
72250+:1015C000018D5021014B8021020620233086FFFF30
72251+:1015D00030C8000F3909000131310001162000091F
72252+:1015E000A3880058938600488FBF00188FB100145D
72253+:1015F0008FB0001027BD0020AF85006403E0000815
72254+:10160000AF86006000C870238FBF00189386004823
72255+:101610008FB100148FB0001034EF0C00010F28219F
72256+:1016200027BD0020ACEE0084AF85006403E0000815
72257+:10163000AF86006035900180020028210E00190F4E
72258+:10164000240600828F840038908600D430C5004084
72259+:1016500050A0FFBAA38000688F85004C3C06800034
72260+:101660008CCD01B805A0FFFE8F89006C2408608234
72261+:1016700024070002AE090000A6080008A207000B1C
72262+:101680008CA300083C0E1000AE0300108CA2000CCE
72263+:10169000AE0200148CBF0014AE1F00188CB90018E5
72264+:1016A000AE1900248CB80024AE1800288CAF002896
72265+:1016B000AE0F002CACCE01B80A001948A380006818
72266+:1016C0008F8A003827BDFFE0AFB10014AFB0001023
72267+:1016D0008F880060AFBF00189389003C954200BC22
72268+:1016E00030D100FF0109182B0080802130AC00FFB1
72269+:1016F0003047FFFF0000582114600003310600FF4F
72270+:1017000001203021010958239783005C0068202BB9
72271+:101710001480002700000000106800562419000102
72272+:101720001199006334E708803165FFFF0E0018C08F
72273+:10173000020020218F83006C3C07800034E601808A
72274+:101740003C0580008CAB01B80560FFFE240A001840
72275+:101750008F840038ACC30000A0CA000B948900BE7F
72276+:101760003C081000A4C90010ACC00030ACA801B8FF
72277+:101770009482008024430001A4830080949F008011
72278+:101780003C0608008CC6318833EC7FFF1186005E72
72279+:101790000000000002002021022028218FBF001835
72280+:1017A0008FB100148FB000100A00193427BD00203B
72281+:1017B000914400D42403FF8000838825A15100D4E4
72282+:1017C0009784005C3088FFFF51000023938C003C1D
72283+:1017D0008F8500382402EFFF008B782394AE00BC85
72284+:1017E0000168502B31E900FF01C26824A4AD00BCA0
72285+:1017F00051400039010058213C1F800037E60100AC
72286+:101800008CD800043C190001031940245500000144
72287+:1018100034E740008E0A00202403FFFB241100015E
72288+:1018200001432024AE0400201191002D34E78000F4
72289+:1018300002002021012030210E0018C03165FFFF79
72290+:101840009787005C8F890060A780005C0127802358
72291+:10185000AF900060938C003C8F8B00388FBF0018D6
72292+:101860008FB100148FB0001027BD002003E00008E6
72293+:10187000A16C00D73C0D800035AA01008D48000402
72294+:101880003C0900010109282454A0000134E740006C
72295+:101890008E0F00202418FFFB34E7800001F870242D
72296+:1018A00024190001AE0E00201599FF9F34E708802F
72297+:1018B000020020210E00188E3165FFFF020020215A
72298+:1018C000022028218FBF00188FB100148FB00010A4
72299+:1018D0000A00193427BD00200A0019F7000048212A
72300+:1018E00002002021012030210E00188E3165FFFFFB
72301+:1018F0009787005C8F890060A780005C01278023A8
72302+:101900000A001A0EAF900060948C0080241F8000A3
72303+:10191000019F3024A4860080908B0080908F0080EF
72304+:10192000316700FF0007C9C20019C027001871C045
72305+:1019300031ED007F01AE2825A08500800A0019DF67
72306+:1019400002002021938500682403000127BDFFE8E1
72307+:1019500000A330042CA20020AFB00010AFBF0014D1
72308+:1019600000C01821104000132410FFFE3C0708009F
72309+:101970008CE7319000E610243C088000350501809A
72310+:1019800014400005240600848F890038240A0004CE
72311+:101990002410FFFFA12A00FC0E00190F0000000018
72312+:1019A000020010218FBF00148FB0001003E0000868
72313+:1019B00027BD00183C0608008CC631940A001A574F
72314+:1019C00000C310248F87004427BDFFE0AFB200188A
72315+:1019D000AFB10014AFB00010AFBF001C30D000FF9B
72316+:1019E00090E6000D00A088210080902130C5007F86
72317+:1019F000A0E5000D8F8500388E2300188CA200D042
72318+:101A00001062002E240A000E0E001A4AA38A0068F3
72319+:101A10002409FFFF104900222404FFFF5200002088
72320+:101A2000000020218E2600003C0C001000CC582421
72321+:101A3000156000393C0E000800CE682455A0003F18
72322+:101A4000024020213C18000200D880241200001F10
72323+:101A50003C0A00048F8700448CE200148CE30010E1
72324+:101A60008CE500140043F82303E5C82B1320000580
72325+:101A7000024020218E24002C8CF1001010910031A6
72326+:101A80000240202124020012A38200680E001A4A9C
72327+:101A90002412FFFF105200022404FFFF0000202147
72328+:101AA0008FBF001C8FB200188FB100148FB00010D0
72329+:101AB0000080102103E0000827BD002090A800D47A
72330+:101AC000350400200A001A80A0A400D400CA4824CB
72331+:101AD0001520000B8F8B00448F8D00448DAC0010BF
72332+:101AE0001580000B024020218E2E002C51C0FFECEF
72333+:101AF00000002021024020210A001A9B2402001726
72334+:101B00008D66001050C0FFE6000020210240202119
72335+:101B10000A001A9B24020011024020212402001511
72336+:101B20000E001A4AA3820068240FFFFF104FFFDC4B
72337+:101B30002404FFFF0A001A8A8E2600000A001AC138
72338+:101B4000240200143C08000400C8382450E0FFD4EC
72339+:101B500000002021024020210A001A9B24020013C9
72340+:101B60008F85003827BDFFD8AFB3001CAFB2001877
72341+:101B7000AFB10014AFB00010AFBF002090A700D4E9
72342+:101B80008F90004C2412FFFF34E2004092060000C8
72343+:101B9000A0A200D48E0300100080982110720006CD
72344+:101BA00030D1003F2408000D0E001A4AA3880068B7
72345+:101BB000105200252404FFFF8F8A00388E09001878
72346+:101BC0008D4400D01124000702602021240C000E57
72347+:101BD0000E001A4AA38C0068240BFFFF104B001A5A
72348+:101BE0002404FFFF24040020122400048F8D0038F9
72349+:101BF00091AF00D435EE0020A1AE00D48F85005403
72350+:101C000010A00019000000001224004A8F9800382C
72351+:101C10008F92FCC0971000809651000A5230004805
72352+:101C20008F9300403C1F08008FFF318C03E5C82BC9
72353+:101C30001720001E02602021000028210E0019A993
72354+:101C400024060001000020218FBF00208FB3001C5C
72355+:101C50008FB200188FB100148FB0001000801021D7
72356+:101C600003E0000827BD00285224002A8E05001436
72357+:101C70008F840038948A008025490001A48900805F
72358+:101C8000948800803C0208008C42318831077FFF35
72359+:101C900010E2000E00000000026020210E00193446
72360+:101CA000240500010A001B0B000020212402002D46
72361+:101CB0000E001A4AA38200682403FFFF1443FFE1C9
72362+:101CC0002404FFFF0A001B0C8FBF002094990080A2
72363+:101CD000241F800024050001033FC024A498008035
72364+:101CE00090920080908E0080325100FF001181C2DE
72365+:101CF00000107827000F69C031CC007F018D582576
72366+:101D0000A08B00800E001934026020210A001B0BFA
72367+:101D1000000020212406FFFF54A6FFD68F84003840
72368+:101D2000026020210E001934240500010A001B0B5B
72369+:101D300000002021026020210A001B252402000A45
72370+:101D40002404FFFD0A001B0BAF9300608F8800384E
72371+:101D500027BDFFE8AFB00010AFBF0014910A00D458
72372+:101D60008F87004C00808021354900408CE60010B0
72373+:101D7000A10900D43C0208008C4231B030C53FFFBD
72374+:101D800000A2182B106000078F850050240DFF80E3
72375+:101D900090AE000D01AE6024318B00FF156000088D
72376+:101DA0000006C382020020212403000D8FBF00140F
72377+:101DB0008FB0001027BD00180A001A4AA3830068DC
72378+:101DC00033060003240F000254CFFFF70200202146
72379+:101DD00094A2001C8F85003824190023A4A200E8D7
72380+:101DE0008CE8000000081E02307F003F13F9003528
72381+:101DF0003C0A00838CE800188CA600D0110600086D
72382+:101E0000000000002405000E0E001A4AA385006899
72383+:101E10002407FFFF104700182404FFFF8F850038B8
72384+:101E200090A900D435240020A0A400D48F8C0044B5
72385+:101E3000918E000D31CD007FA18D000D8F83005458
72386+:101E40001060001C020020218F8400508C9800102C
72387+:101E50000303782B11E0000D241900180200202143
72388+:101E6000A39900680E001A4A2410FFFF10500002C8
72389+:101E70002404FFFF000020218FBF00148FB000104A
72390+:101E80000080102103E0000827BD00188C86001098
72391+:101E90008F9F00440200202100C31023AFE20010F6
72392+:101EA000240500010E0019A9240600010A001B9751
72393+:101EB000000020210E001934240500010A001B97A0
72394+:101EC00000002021010A5824156AFFD98F8C004494
72395+:101ED000A0A600FC0A001B84A386005A30A500FFC0
72396+:101EE0002406000124A9000100C9102B1040000C99
72397+:101EF00000004021240A000100A61823308B0001B5
72398+:101F000024C60001006A3804000420421160000267
72399+:101F100000C9182B010740251460FFF800A61823FC
72400+:101F200003E000080100102127BDFFD8AFB0001862
72401+:101F30008F90004CAFB1001CAFBF00202403FFFF07
72402+:101F40002411002FAFA30010920600002405000802
72403+:101F500026100001006620260E001BB0308400FF12
72404+:101F600000021E003C021EDC34466F410A001BD8F2
72405+:101F70000000102110A00009008018212445000154
72406+:101F800030A2FFFF2C4500080461FFFA0003204047
72407+:101F90000086202614A0FFF9008018210E001BB037
72408+:101FA000240500208FA300102629FFFF313100FFF8
72409+:101FB00000034202240700FF1627FFE20102182651
72410+:101FC00000035027AFAA0014AFAA00100000302170
72411+:101FD00027A8001027A7001400E6782391ED00033E
72412+:101FE00024CE000100C8602131C600FF2CCB0004C4
72413+:101FF0001560FFF9A18D00008FA200108FBF002097
72414+:102000008FB1001C8FB0001803E0000827BD002826
72415+:1020100027BDFFD0AFB3001CAFB00010AFBF00288A
72416+:10202000AFB50024AFB40020AFB20018AFB10014B8
72417+:102030003C0C80008D880128240FFF803C06800A1C
72418+:1020400025100100250B0080020F68243205007F57
72419+:10205000016F7024AD8E009000A62821AD8D002464
72420+:1020600090A600FC3169007F3C0A8004012A1821F7
72421+:10207000A386005A9067007C00809821AF830030CF
72422+:1020800030E20002AF88006CAF85003800A0182154
72423+:10209000144000022404003424040030A3840048C7
72424+:1020A0008C7200DC30D100FF24040004AF92006089
72425+:1020B00012240004A38000688E7400041680001EA1
72426+:1020C0003C0880009386005930C7000110E0000FE3
72427+:1020D0008F9300608CB000848CA800842404FF805F
72428+:1020E000020410240002F940310A007F03EA482567
72429+:1020F0003C0C2000012C902530CD00FE3C038000DC
72430+:10210000AC720830A38D00598F9300608FBF0028F8
72431+:102110008FB50024ACB300DC8FB400208FB3001C5B
72432+:102120008FB200188FB100148FB00010240200018C
72433+:1021300003E0000827BD00308E7F000895020120D3
72434+:102140008E67001003E2C8213326FFFF30D8000F4E
72435+:1021500033150001AF87003416A00058A39800582B
72436+:1021600035090C000309382100D81823AD03008479
72437+:10217000AF8700648E6A00043148FFFF1100007EC3
72438+:10218000A78A005C90AC00D42407FF8000EC3024C8
72439+:1021900030CB00FF1560004B9786005C938E005A91
72440+:1021A000240D000230D5FFFF11CD02A20000A021B6
72441+:1021B0008F85006002A5802B160000BC9388004824
72442+:1021C0003C11800096240120310400FF1485008812
72443+:1021D0008F8400648F9800343312000356400085CA
72444+:1021E00030A500FF8F900064310C00FF24060034FE
72445+:1021F00011860095AF90004C9204000414800118E1
72446+:102200008F8E0038A380003C8E0D00048DC800D84E
72447+:102210003C0600FF34CCFFFF01AC30240106182B34
72448+:1022200014600120AF8600548F8700609798005C8F
72449+:10223000AF8700400307402310C000C7A788005C99
72450+:102240008F91003030C3000300035823922A007C92
72451+:102250003171000302261021000A20823092000111
72452+:102260000012488000492821311FFFFF03E5C82BD9
72453+:10227000132001208F8800388F8500348F880064F8
72454+:102280001105025A3C0E3F018E0600003C0C250051
72455+:1022900000CE682411AC01638F84004C30E500FF50
72456+:1022A0000E00184A000030218F8800388F870060A8
72457+:1022B0008F8500340A001DB78F8600540A001C5613
72458+:1022C000AF87006490A400D400E48024320200FFB1
72459+:1022D000104000169386005990A6008890AE00D753
72460+:1022E00024A8008830D4003F2686FFE02CD10020AF
72461+:1022F000A38E003C1220000CAF88004C240B000180
72462+:1023000000CB20043095001916A0012B3C0680005C
72463+:1023100034CF0002008FC0241700022E3099002015
72464+:1023200017200234000000009386005930CB0001D2
72465+:102330001160000F9788005C8CBF00848CA900841A
72466+:10234000240AFF8003EA6024000C19403132007F28
72467+:10235000007238253C0D200000EDC82530D800FE65
72468+:102360003C0F8000ADF90830A39800599788005CB5
72469+:102370001500FF84000000008E630020306200041E
72470+:102380001040FF51938600592404FFFB0064802411
72471+:102390003C038000AE700020346601808C7301B86D
72472+:1023A0000660FFFE8F98006C347501003C1400013C
72473+:1023B000ACD800008C6B012424076085ACCB0004F2
72474+:1023C0008EAE000401D488245220000124076083CB
72475+:1023D00024190002A4C700083C0F1000A0D9000B6C
72476+:1023E0003C068000ACCF01B80A001C2B9386005934
72477+:1023F00030A500FF0E00184A240600018F88006CEB
72478+:102400003C05800034A90900250201889388004812
72479+:10241000304A0007304B00783C0340802407FF809F
72480+:102420000163C825014980210047F824310C00FFD1
72481+:1024300024060034ACBF0800AF90004CACB90810C3
72482+:102440005586FF6E920400048F8400388E11003090
72483+:10245000908E00D431CD001015A000108F83006045
72484+:102460002C6F000515E000E400000000909800D4F7
72485+:102470002465FFFC331200101640000830A400FF52
72486+:102480008F9F00648F99003413F90004388700018E
72487+:1024900030E20001144001C8000000000E001BC320
72488+:1024A000000000000A001DF8000000008F84006496
72489+:1024B00030C500FF0E00184A24060001939800481A
72490+:1024C000240B0034130B00A08F8500388F8600602A
72491+:1024D0009783005C306EFFFF00CE8823AF910060D1
72492+:1024E000A780005C1280FF90028018212414FFFD59
72493+:1024F0005474FFA28E6300208E6A00042403FFBF81
72494+:102500002408FFEF0155F823AE7F000490AC00D4FF
72495+:102510003189007FA0A900D48E7200208F8F0038EF
72496+:10252000A780005C364D0002AE6D0020A5E000BC27
72497+:1025300091E500D400A3C824A1F900D48F950038F8
72498+:10254000AEA000EC92B800D403085824A2AB00D48B
72499+:102550000A001CD78F8500388F910034AF8000604F
72500+:1025600002275821AF8B0034000020212403FFFFF5
72501+:10257000108301B48F8500388E0C00103C0D0800CC
72502+:102580008DAD31B09208000031843FFF008D802B6B
72503+:1025900012000023310D003F3C1908008F3931A88B
72504+:1025A0008F9F006C000479802408FF80033F202166
72505+:1025B000008FC821938500590328F8243C06008029
72506+:1025C0003C0F800034D80001001F91403331007F60
72507+:1025D0008F8600380251502535EE0940332B0078A4
72508+:1025E000333000073C0310003C02800C017890253A
72509+:1025F000020E48210143C0250222382134AE0001D9
72510+:10260000ADFF0804AF890050ADF20814AF87004455
72511+:10261000ADFF0028ACD90084ADF80830A38E005976
72512+:102620009383005A24070003106700272407000142
72513+:102630001467FFAC8F8500382411002311B1008589
72514+:1026400000000000240E000B026020210E001A4A38
72515+:10265000A38E00680040A0210A001D328F8500383B
72516+:1026600002602021240B000C0E001A4AA38B006884
72517+:10267000240AFFFF104AFFBD2404FFFF8F8E00389D
72518+:10268000A380003C8E0D00048DC800D83C0600FFDE
72519+:1026900034CCFFFF01AC30240106182B1060FEE2A1
72520+:1026A000AF86005402602021241200190E001A4A3D
72521+:1026B000A3920068240FFFFF104FFFAC2404FFFF1C
72522+:1026C0000A001C838F86005425A3FFE02C74002091
72523+:1026D0001280FFDD240E000B000328803C1108014E
72524+:1026E000263194B400B148218D2D000001A00008CE
72525+:1026F000000000008F85003400A710219385003C66
72526+:10270000AF82003402251821A383003C951F00BC32
72527+:102710000226282137F91000A51900BC5240FF926B
72528+:10272000AF850060246A0004A38A003C950900BCC0
72529+:1027300024A40004AF84006035322000A51200BC40
72530+:102740000A001D54000020218F8600602CC800055F
72531+:102750001500FF609783005C3065FFFF00C5C8234C
72532+:102760002F2F000511E00003306400FF24CDFFFC93
72533+:1027700031A400FF8F8900648F920034113200046D
72534+:10278000389F000133EC0001158001380000000083
72535+:102790008F840038908700D434E60010A08600D4DF
72536+:1027A0008F8500388F8600609783005CACA000ECBA
72537+:1027B0000A001D2F306EFFFF8CB500848CB400849E
72538+:1027C0003C04100002A7302400068940328E007FAE
72539+:1027D000022E8025020410253C08800024050001FB
72540+:1027E00002602021240600010E0019A9AD02083064
72541+:1027F0000A001CC38F8500388C8200EC1222FE7EFA
72542+:102800000260202124090005A38900680E001A4AED
72543+:102810002411FFFF1451FE782404FFFF0A001D5508
72544+:102820002403FFFF8F8F004C8F8800388DF8000045
72545+:10283000AD1800888DE70010AD0700988F87006005
72546+:102840000A001DB78F8600542406FFFF118600057D
72547+:10285000000000000E001B4C026020210A001D8FAA
72548+:102860000040A0210E001AD1026020210A001D8F15
72549+:102870000040A0218F90004C3C0208008C4231B0F7
72550+:102880008E110010322C3FFF0182282B10A0000C6B
72551+:10289000240BFF808F85005090A3000D01637024EE
72552+:1028A00031CA00FF1140000702602021001143825D
72553+:1028B000310600032418000110D8010600000000B2
72554+:1028C000026020212403000D0E001A4AA383006831
72555+:1028D000004020218F8500380A001D320080A02191
72556+:1028E0008F90004C3C0A08008D4A31B08F85005013
72557+:1028F0008E0400100000A0218CB1001430823FFF34
72558+:10290000004A602B8CB200205180FFEE0260202133
72559+:1029100090B8000D240BFF800178702431C300FFB4
72560+:102920005060FFE80260202100044382310600036A
72561+:1029300014C0FFE40260202194BF001C8F9900386E
72562+:102940008E060028A73F00E88CAF0010022F20233E
72563+:1029500014C4013A026020218F83005400C368210F
72564+:10296000022D382B14E00136240200188F8A00440F
72565+:102970008F820030024390218D4B00100163702341
72566+:10298000AD4E0010AD5200208C4C00740192282BEB
72567+:1029900014A0015F026020218F8400508E08002463
72568+:1029A0008C86002411060007026020212419001CD7
72569+:1029B0000E001A4AA3990068240FFFFF104FFFC5AD
72570+:1029C0002404FFFF8F8400448C87002424FF00012F
72571+:1029D000AC9F00241251012F8F8D00308DB10074F7
72572+:1029E0001232012C3C0B00808E0E000001CB5024D3
72573+:1029F00015400075000000008E0300142411FFFF35
72574+:102A0000107100073C0808003C0608008CC6319095
72575+:102A100000C8C0241300015202602021A380006876
72576+:102A20008E0300003C19000100792024108000135F
72577+:102A30003C1F0080007FA02416800009020028218E
72578+:102A4000026020212411001A0E001A4AA391006886
72579+:102A50002407FFFF1047FF9F2404FFFF02002821E7
72580+:102A6000026020210E001A6A240600012410FFFFD4
72581+:102A70001050FF982404FFFF241400018F8D0044A0
72582+:102A8000026020210280302195A900342405000134
72583+:102A9000253200010E0019A9A5B200340000202142
72584+:102AA0008F8500380A001D320080A0218F90004CD5
72585+:102AB0003C1408008E9431B08E07001030E53FFFC3
72586+:102AC00000B4C82B132000618F8600502412FF80B1
72587+:102AD00090C9000D0249682431A400FF5080005CB9
72588+:102AE000026020218F8C00541180000700078B8228
72589+:102AF0008F8500388F82FCC094BF0080944A000A02
72590+:102B0000515F00F78F8600403227000314E0006415
72591+:102B100000000000920E000211C000D8000000006A
72592+:102B20008E0B0024156000D902602021920400035E
72593+:102B300024190002308500FF14B90005308900FF18
72594+:102B40008F940054128000EA240D002C308900FF7D
72595+:102B5000392C00102D8400012D3200010244302553
72596+:102B6000020028210E001A6A026020212410FFFFB3
72597+:102B7000105000BF8F8500388F830054106000D341
72598+:102B8000240500013C0A08008D4A318C0143F82BD2
72599+:102B900017E000B22402002D02602021000028214D
72600+:102BA0000E0019A9240600018F85003800001821A5
72601+:102BB0000A001D320060A0210E0018750000000000
72602+:102BC0000A001DF800000000AC8000200A001E78FA
72603+:102BD0008E03001400002821026020210E0019A994
72604+:102BE000240600010A001CC38F8500380A001DB7A7
72605+:102BF0008F8800388CAA00848CAC00843C031000C1
72606+:102C00000147F824001F91403189007F024968255F
72607+:102C100001A32825ACC50830910700012405000157
72608+:102C2000026020210E0019A930E600010A001CC331
72609+:102C30008F850038938F00482403FFFD0A001D3460
72610+:102C4000AF8F00600A001D342403FFFF02602021C3
72611+:102C50002410000D0E001A4AA390006800401821AD
72612+:102C60008F8500380A001D320060A0210E00187503
72613+:102C7000000000009783005C8F86006000402021E8
72614+:102C80003070FFFF00D010232C4A00051140FE11C8
72615+:102C90008F850038ACA400EC0A001D2F306EFFFFBA
72616+:102CA00090CF000D31E300085460FFA192040003AF
72617+:102CB00002602021240200100E001A4AA38200683C
72618+:102CC0002403FFFF5443FF9A920400030A001F12DB
72619+:102CD0008F85003890A4000D308F000811E000951A
72620+:102CE0008F990054572000A6026020218E1F000CEF
72621+:102CF0008CB4002057F40005026020218E0D0008DE
72622+:102D00008CA7002411A7003A026020212402002091
72623+:102D1000A38200680E001A4A2412FFFF1052FEED33
72624+:102D20002404FFFF8F9F00442402FFF73C14800E11
72625+:102D300093EA000D2419FF803C03800001423824EF
72626+:102D4000A3E7000D8F9F00303C0908008D2931ACAE
72627+:102D50008F8C006C97F200788F870044012C302113
72628+:102D6000324D7FFF000D204000C4782131E5007F07
72629+:102D700000B4C02101F94024AC68002CA711000068
72630+:102D80008CEB0028256E0001ACEE00288CEA002CAC
72631+:102D90008E02002C01426021ACEC002C8E09002C2C
72632+:102DA000ACE900308E120014ACF2003494ED003A1D
72633+:102DB00025A40001A4E4003A97E600783C1108003D
72634+:102DC0008E3131B024C3000130707FFF1211005CDE
72635+:102DD000006030218F8F0030026020212405000127
72636+:102DE0000E001934A5E600780A001EA1000020217B
72637+:102DF0008E0900142412FFFF1132006B8F8A0038F5
72638+:102E00008E0200188D4C00D0144C00650260202109
72639+:102E10008E0B00248CAE0028116E005B2402002172
72640+:102E20000E001A4AA38200681452FFBE2404FFFF5A
72641+:102E30008F8500380A001D320080A0212402001F67
72642+:102E40000E001A4AA38200682409FFFF1049FEA160
72643+:102E50002404FFFF0A001E548F83005402602021C7
72644+:102E60000E001A4AA38200681450FF508F85003864
72645+:102E70002403FFFF0A001D320060A0218CD800242B
72646+:102E80008E0800241118FF29026020210A001F2744
72647+:102E90002402000F8E0900003C05008001259024CB
72648+:102EA0001640FF492402001A026020210E001A4A2F
72649+:102EB000A3820068240CFFFF144CFECF2404FFFF04
72650+:102EC0008F8500380A001D320080A0210E001934C1
72651+:102ED000026020218F8500380A001EE500001821BD
72652+:102EE0002403FFFD0060A0210A001D32AF860060B0
72653+:102EF000026020210E001A4AA38D00682403FFFF00
72654+:102F00001043FF588F8500380A001ECC920400033E
72655+:102F10002418001D0E001A4AA39800682403FFFF1E
72656+:102F20001443FE9D2404FFFF8F8500380A001D32E4
72657+:102F30000080A021026020210A001F3D24020024FD
72658+:102F4000240880000068C024330BFFFF000B73C20D
72659+:102F500031D000FF001088270A001F6E001133C017
72660+:102F6000240F001B0E001A4AA38F00681451FEACF8
72661+:102F70002404FFFF8F8500380A001D320080A02145
72662+:102F80000A001F3D240200278E0600288CA3002C77
72663+:102F900010C30008026020210A001F812402001FC4
72664+:102FA0000A001F812402000E026020210A001F81F6
72665+:102FB000240200258E04002C1080000D8F8F00301D
72666+:102FC0008DE800740104C02B5700000C0260202122
72667+:102FD0008CB900140086A0210334282B10A0FF52C6
72668+:102FE0008F9F0044026020210A001F8124020022DA
72669+:102FF000026020210A001F81240200230A001F8191
72670+:103000002402002627BDFFD8AFB3001CAFB10014C7
72671+:10301000AFBF0020AFB20018AFB000103C0280007C
72672+:103020008C5201408C4B01483C048000000B8C0208
72673+:10303000322300FF317300FF8C8501B804A0FFFE2E
72674+:1030400034900180AE1200008C8701442464FFF0AC
72675+:10305000240600022C830013AE070004A61100080A
72676+:10306000A206000BAE1300241060004F8FBF00209B
72677+:10307000000448803C0A0801254A9534012A402171
72678+:103080008D04000000800008000000003C030800E0
72679+:103090008C6331A831693FFF00099980007280215B
72680+:1030A000021370212405FF80264D0100264C00806C
72681+:1030B0003C02800031B1007F3198007F31CA007F2F
72682+:1030C0003C1F800A3C1980043C0F800C01C5202461
72683+:1030D00001A5302401853824014F1821AC46002475
72684+:1030E000023F402103194821AC470090AC4400281E
72685+:1030F000AF830044AF880038AF8900300E0019005C
72686+:10310000016080213C0380008C6B01B80560FFFEEC
72687+:103110008F8700448F8600383465018090E8000D69
72688+:10312000ACB20000A4B0000600082600000416039C
72689+:1031300000029027001227C21080008124C200885C
72690+:10314000241F6082A4BF0008A0A000052402000282
72691+:10315000A0A2000B8F8B0030000424003C08270045
72692+:1031600000889025ACB20010ACA00014ACA00024E4
72693+:10317000ACA00028ACA0002C8D6900382413FF807F
72694+:10318000ACA9001890E3000D02638024320500FF13
72695+:1031900010A000058FBF002090ED000D31AC007F26
72696+:1031A000A0EC000D8FBF00208FB3001C8FB2001861
72697+:1031B0008FB100148FB000103C0A10003C0E80004C
72698+:1031C00027BD002803E00008ADCA01B8265F010052
72699+:1031D0002405FF8033F8007F3C06800003E5782457
72700+:1031E0003C19800A03192021ACCF0024908E00D412
72701+:1031F00000AE682431AC00FF11800024AF84003899
72702+:10320000248E008895CD00123C0C08008D8C31A8CE
72703+:1032100031AB3FFF01924821000B5180012A402130
72704+:1032200001052024ACC400283107007F3C06800C37
72705+:1032300000E620219083000D00A31024304500FFFC
72706+:1032400010A0FFD8AF8400449098000D330F0010F9
72707+:1032500015E0FFD58FBF00200E0019000000000010
72708+:103260003C0380008C7901B80720FFFE00000000BD
72709+:10327000AE1200008C7F0144AE1F0004A6110008AE
72710+:1032800024110002A211000BAE1300243C1308010C
72711+:10329000927396F0327000015200FFC38FBF00207E
72712+:1032A0000E002146024020210A0020638FBF00202B
72713+:1032B0003C1260008E452C083C03F0033462FFFF93
72714+:1032C00000A2F824AE5F2C088E582C083C1901C0CF
72715+:1032D00003199825AE532C080A0020638FBF0020E5
72716+:1032E000264D010031AF007F3C10800A240EFF8084
72717+:1032F00001F0282101AE60243C0B8000AD6C00245D
72718+:103300001660FFA8AF85003824110003A0B100FCAF
72719+:103310000A0020638FBF002026480100310A007F89
72720+:103320003C0B800A2409FF80014B30210109202435
72721+:103330003C078000ACE400240A002062AF8600381D
72722+:10334000944E0012320C3FFF31CD3FFF15ACFF7D94
72723+:10335000241F608290D900D42418FF800319782498
72724+:1033600031EA00FF1140FF7700000000240700044D
72725+:10337000A0C700FC8F870044241160842406000D40
72726+:10338000A4B10008A0A600050A00204D24020002F6
72727+:103390003C040001248496DC24030014240200FE73
72728+:1033A0003C010800AC2431EC3C010800AC2331E8BE
72729+:1033B0003C010801A42296F83C040801248496F8F4
72730+:1033C0000000182100643021A0C300042463000120
72731+:1033D0002C6500FF54A0FFFC006430213C0708006E
72732+:1033E00024E7010003E00008AF87007800A058211F
72733+:1033F000008048210000102114A00012000050217C
72734+:103400000A002142000000003C010801A42096F8B7
72735+:103410003C05080194A596F88F8200783C0C0801C1
72736+:10342000258C96F800E2182100AC2021014B302BAE
72737+:10343000A089000400001021A460000810C0003919
72738+:10344000010048218F8600780009384000E94021BA
72739+:103450000008388000E6282190A8000B90B9000AE7
72740+:103460000008204000881021000218800066C0215A
72741+:10347000A319000A8F85007800E5782191EE000AF3
72742+:1034800091E6000B000E684001AE6021000C208028
72743+:1034900000851021A046000B3C030801906396F2C2
72744+:1034A000106000222462FFFF8F8300383C01080176
72745+:1034B000A02296F2906C00FF118000040000000032
72746+:1034C000906E00FF25CDFFFFA06D00FF3C190801A5
72747+:1034D000973996F8272300013078FFFF2F0F00FF60
72748+:1034E00011E0FFC9254A00013C010801A42396F818
72749+:1034F0003C05080194A596F88F8200783C0C0801E1
72750+:10350000258C96F800E2182100AC2021014B302BCD
72751+:10351000A089000400001021A460000814C0FFC9A5
72752+:103520000100482103E000080000000003E000085B
72753+:103530002402000227BDFFE0248501002407FF804C
72754+:10354000AFB00010AFBF0018AFB1001400A718242F
72755+:103550003C10800030A4007F3C06800A00862821B1
72756+:103560008E110024AE03002490A200FF1440000836
72757+:10357000AF850038A0A000098FBF0018AE1100244D
72758+:103580008FB100148FB0001003E0000827BD0020A9
72759+:1035900090A900FD90A800FF312400FF0E0020F448
72760+:1035A000310500FF8F8500388FBF0018A0A00009EB
72761+:1035B000AE1100248FB100148FB0001003E000089A
72762+:1035C00027BD002027BDFFD0AFB20020AFB1001C47
72763+:1035D000AFB00018AFBF002CAFB40028AFB30024C9
72764+:1035E0003C0980009533011635320C00952F011AE5
72765+:1035F0003271FFFF023280218E08000431EEFFFF9E
72766+:10360000248B0100010E6821240CFF8025A5FFFFFB
72767+:10361000016C50243166007F3C07800AAD2A0024EB
72768+:1036200000C73021AF850074AF8800703C010801ED
72769+:10363000A02096F190C300090200D02100809821BB
72770+:10364000306300FF2862000510400048AF86003854
72771+:10365000286400021480008E24140001240D00054B
72772+:103660003C010801A02D96D590CC00FD3C0108013D
72773+:10367000A02096D63C010801A02096D790CB000A46
72774+:10368000240AFF80318500FF014B4824312700FFC9
72775+:1036900010E0000C000058213C12800836510080D8
72776+:1036A0008E2F00308CD0005C01F0702305C0018E9D
72777+:1036B0008F87007090D4000A3284007FA0C4000A73
72778+:1036C0008F8600383C118008363000808E0F003025
72779+:1036D0008F87007000EF702319C000EE000000001B
72780+:1036E00090D4000924120002328400FF1092024795
72781+:1036F000000000008CC2005800E2F82327F9FFFF09
72782+:103700001B2001300000000090C5000924080004BF
72783+:1037100030A300FF10680057240A00013C01080193
72784+:10372000A02A96D590C900FF252700013C01080179
72785+:10373000A02796D43C030801906396D52406000583
72786+:103740001066006A2C780005130000C40000902168
72787+:103750000003F8803C0408012484958003E4C82118
72788+:103760008F25000000A0000800000000241800FFC2
72789+:103770001078005C0000000090CC000A90CA00099C
72790+:103780003C080801910896F13187008000EA48253D
72791+:103790003C010801A02996DC90C500FD3C140801FD
72792+:1037A000929496F2311100013C010801A02596DDAA
72793+:1037B00090DF00FE3C010801A03F96DE90D200FFA2
72794+:1037C0003C010801A03296DF8CD900543C0108016D
72795+:1037D000AC3996E08CD000583C010801AC3096E43E
72796+:1037E0008CC3005C3C010801AC3496EC3C01080140
72797+:1037F000AC2396E8162000088FBF002C8FB4002859
72798+:103800008FB300248FB200208FB1001C8FB000183E
72799+:1038100003E0000827BD00303C1180009624010E13
72800+:103820000E000FD43094FFFF3C0B08018D6B96F413
72801+:103830000260382102802821AE2B01803C13080150
72802+:103840008E7396D401602021240600830E00102F71
72803+:10385000AFB300108FBF002C8FB400288FB30024AB
72804+:103860008FB200208FB1001C8FB0001803E0000859
72805+:1038700027BD00303C1808008F1831FC270F0001CD
72806+:103880003C010800AC2F31FC0A0021D700000000E9
72807+:103890001474FFB900000000A0C000FF3C05080040
72808+:1038A0008CA531E43C0308008C6331E03C02080045
72809+:1038B0008C4232048F99003834A80001241F000282
72810+:1038C0003C010801AC2396F43C010801A02896F0C5
72811+:1038D0003C010801A02296F3A33F00090A002190B1
72812+:1038E0008F8600380E002146000000000A0021D714
72813+:1038F0008F8600383C1F080193FF96D424190001DD
72814+:1039000013F902298F8700703C100801921096D895
72815+:103910003C06080190C696D610C000050200A02102
72816+:103920003C040801908496D9109001E48F870078B8
72817+:10393000001088408F9F0078023048210009C8801D
72818+:10394000033F702195D80008270F0001A5CF00087C
72819+:103950003C040801908496D93C05080190A596D6B0
72820+:103960000E0020F4000000008F8700780230202134
72821+:103970000004308000C720218C8500048F820074F1
72822+:1039800000A2402305020006AC8200048C8A0000DD
72823+:103990008F830070014310235C400001AC83000062
72824+:1039A0008F86003890CB00FF2D6C00025580002DD3
72825+:1039B000241400010230F821001F40800107282153
72826+:1039C00090B9000B8CAE00040019C0400319782197
72827+:1039D000000F1880006710218C4D000001AE882375
72828+:1039E0002630FFFF5E00001F241400018C440004F9
72829+:1039F0008CAA0000008A482319200019240E000414
72830+:103A00003C010801A02E96D590AD000B8CAB0004B4
72831+:103A1000000D8840022D80210010108000471021E9
72832+:103A20008C44000401646023058202009443000872
72833+:103A300090DF00FE90B9000B33E500FF54B900049D
72834+:103A40000107A021A0D400FE8F8700780107A021E4
72835+:103A50009284000B0E0020F4240500018F860038AC
72836+:103A600024140001125400962E500001160000424A
72837+:103A70003C08FFFF241900021659FF3F0000000018
72838+:103A8000A0C000FF8F860038A0D200090A0021D70D
72839+:103A90008F86003890C700092404000230E300FF3D
72840+:103AA0001064016F24090004106901528F880074AA
72841+:103AB0008CCE0054010E682325B10001062001754B
72842+:103AC000241800043C010801A03896D53C010801E7
72843+:103AD000A02096D490D400FD90D200FF2E4F00027B
72844+:103AE00015E0FF14328400FF000438408F8900780D
72845+:103AF00090DF00FF00E41021000220800089C8212F
72846+:103B00002FE500029324000B14A0FF0A24070002F3
72847+:103B100000041840006480210010588001692821A9
72848+:103B20008CAC0004010C50230540FF020000000093
72849+:103B30003C030801906396D614600005246F0001D1
72850+:103B40003C010801A02496D93C010801A02796D782
72851+:103B50003C010801A02F96D690CE00FF24E700017B
72852+:103B600031CD00FF01A7882B1220FFE990A4000BA4
72853+:103B70000A0021C6000000003C0508018CA596D46F
72854+:103B80003C12000400A8F82413F2000624020005E9
72855+:103B90003C090801912996D5152000022402000352
72856+:103BA000240200053C010801A02296F190C700FF05
72857+:103BB00014E0012024020002A0C200090A0021D75B
72858+:103BC0008F86003890CC00FF1180FEDA240A0001B5
72859+:103BD0008F8C00748F890078240F00030180682186
72860+:103BE0001160001E240E0002000540400105A021C6
72861+:103BF00000142080008990218E51000401918023BF
72862+:103C00000600FECC000000003C020801904296D65F
72863+:103C100014400005245800013C010801A02A96D751
72864+:103C20003C010801A02596D93C010801A03896D690
72865+:103C300090DF00FF010510210002C88033E500FF7E
72866+:103C4000254A00010329202100AA402B1500FEB9B6
72867+:103C50009085000B1560FFE50005404000054040E1
72868+:103C600001051821000310803C010801A02A96D408
72869+:103C70003C010801A02596D8004918218C64000455
72870+:103C800000E4F82327F9FFFF1F20FFE900000000F0
72871+:103C90008C63000000E358230560013A01A38823E8
72872+:103CA00010E301170184C0231B00FEA200000000E6
72873+:103CB0003C010801A02E96D50A002305240B000123
72874+:103CC000240E0004A0CE00093C0D08008DAD31F893
72875+:103CD0008F86003825A200013C010800AC2231F893
72876+:103CE0000A0021D7000000008CD9005C00F9C02335
72877+:103CF0001F00FE7B000000008CDF005C10FFFF65F2
72878+:103D00008F8400748CC3005C008340232502000173
72879+:103D10001C40FF60000000008CC9005C248700018B
72880+:103D200000E9282B10A0FE943C0D80008DAB01040F
72881+:103D30003C0C0001016C50241140FE8F2402001045
72882+:103D40003C010801A02296F10A0021D700000000E2
72883+:103D50008F9100748F86003826220001ACC2005C6F
72884+:103D60000A002292241400018F8700382404FF8067
72885+:103D70000000882190E9000A241400010124302564
72886+:103D8000A0E6000A3C05080190A596D63C0408016F
72887+:103D9000908496D90E0020F4000000008F86003831
72888+:103DA0008F85007890C800FD310700FF0007404074
72889+:103DB0000107F821001FC0800305C8219323000BD1
72890+:103DC000A0C300FD8F8500788F8600380305602131
72891+:103DD000918F000B000F704001CF6821000D808093
72892+:103DE000020510218C4B0000ACCB00548D840004E4
72893+:103DF0008F83007400645023194000022482000164
72894+:103E00002462000101074821ACC2005C0009308037
72895+:103E100000C5402100E02021240500010E0020F40F
72896+:103E20009110000B8F86003890C500FF10A0FF0C8A
72897+:103E3000001070408F85007801D06821000D10803F
72898+:103E4000004558218D6400008F8C0074018450233C
72899+:103E50002547000104E0FF02263100013C03080170
72900+:103E6000906396D62E2F0002247800013C010801B1
72901+:103E7000A03896D63C010801A03496D711E0FEF890
72902+:103E8000020038210A002365000740408F84003873
72903+:103E90008F8300748C85005800A340230502FE9A8E
72904+:103EA000AC8300580A00223B000000003C070801D8
72905+:103EB00090E796F2240200FF10E200BE8F860038E1
72906+:103EC0003C110801963196FA3C030801246396F8E8
72907+:103ED000262500013230FFFF30ABFFFF02036021D7
72908+:103EE0002D6A00FF1540008D918700043C010801F8
72909+:103EF000A42096FA8F88003800074840012728211F
72910+:103F0000911800FF000530802405000127140001EE
72911+:103F1000A11400FF3C120801925296F28F8800789B
72912+:103F20008F8E0070264F000100C820213C0108013F
72913+:103F3000A02F96F2AC8E00008F8D0074A48500082F
72914+:103F4000AC8D00043C030801906396D414600077A4
72915+:103F5000000090213C010801A02596D4A087000B09
72916+:103F60008F8C007800CC5021A147000A8F82003846
72917+:103F7000A04700FD8F840038A08700FE8F860038A0
72918+:103F80008F9F0070ACDF00548F990074ACD900583B
72919+:103F90008F8D00780127C02100185880016DA02165
72920+:103FA000928F000A000F704001CF18210003888013
72921+:103FB000022D8021A207000B8F8600780166602108
72922+:103FC000918A000B000A1040004A2021000428803A
72923+:103FD00000A64021A107000A3C07800834E90080C0
72924+:103FE0008D2200308F860038ACC2005C0A0022921D
72925+:103FF0002414000190CA00FF1540FEAD8F880074A4
72926+:10400000A0C400090A0021D78F860038A0C000FD97
72927+:104010008F98003824060001A30000FE3C0108012F
72928+:10402000A02696D53C010801A02096D40A0021C6FE
72929+:104030000000000090CB00FF3C040801908496F340
72930+:10404000316C00FF0184502B1540000F2402000347
72931+:1040500024020004A0C200090A0021D78F8600387C
72932+:1040600090C3000A2410FF8002035824316C00FF23
72933+:104070001180FDC1000000003C010801A02096D580
72934+:104080000A0021C600000000A0C200090A0021D7D2
72935+:104090008F86003890D4000A2412FF8002544824EE
72936+:1040A000312800FF1500FFF4240200083C0108013C
72937+:1040B000A02296F10A0021D70000000000108840DD
72938+:1040C0008F8B0070023018210003688001A7202127
72939+:1040D000AC8B00008F8A0074240C0001A48C0008B3
72940+:1040E000AC8A00043C05080190A596D62402000184
72941+:1040F00010A2FE1E24A5FFFF0A0022519084000B8F
72942+:104100000184A0231A80FD8B000000003C010801FF
72943+:10411000A02E96D50A002305240B00013C010801BE
72944+:10412000A42596FA0A0023B78F880038240B0001D3
72945+:10413000106B00228F9800388F85003890BF00FFE9
72946+:1041400033F900FF1079002B000000003C1F08012C
72947+:1041500093FF96D8001FC840033FC0210018A080DD
72948+:104160000288782191EE000AA08E000A8F8D0078D7
72949+:104170003C030801906396D800CD88210A0023DD16
72950+:10418000A223000B263000010600003101A4902379
72951+:104190000640002B240200033C010801A02F96D505
72952+:1041A0000A002305240B00018F8900380A00223BF6
72953+:1041B000AD2700540A00229124120001931400FD3F
72954+:1041C000A094000B8F8800388F8F0078910E00FE2E
72955+:1041D00000CF6821A1AE000A8F910038A22700FD10
72956+:1041E0008F8300708F900038AE0300540A0023DEE6
72957+:1041F0008F8D007890B000FEA090000A8F8B003861
72958+:104200008F8C0078916A00FD00CC1021A04A000B31
72959+:104210008F840038A08700FE8F8600748F85003859
72960+:10422000ACA600580A0023DE8F8D007894B80008F1
72961+:10423000ACA40004030378210A002285A4AF00087F
72962+:104240003C010801A02296D50A0021C6000000000A
72963+:1042500090CF0009240D000431EE00FF11CDFD8543
72964+:10426000240200013C010801A02296D50A0021C6C3
72965+:1042700000000000080033440800334408003420E4
72966+:10428000080033F4080033D8080033280800332826
72967+:10429000080033280800334C8008010080080080A3
72968+:1042A000800800005F865437E4AC62CC50103A4579
72969+:1042B00036621985BF14C0E81BC27A1E84F4B55655
72970+:1042C000094EA6FE7DDA01E7C04D748108005A74DC
72971+:1042D00008005AB808005A5C08005A5C08005A5C8A
72972+:1042E00008005A5C08005A7408005A5C08005A5CBE
72973+:1042F00008005AC008005A5C080059D408005A5CEB
72974+:1043000008005A5C08005AC008005A5C08005A5C51
72975+:1043100008005A5C08005A5C08005A5C08005A5CA5
72976+:1043200008005A5C08005A5C08005A5C08005A5C95
72977+:1043300008005A9408005A5C08005A9408005A5C15
72978+:1043400008005A5C08005A5C08005A9808005A9401
72979+:1043500008005A5C08005A5C08005A5C08005A5C65
72980+:1043600008005A5C08005A5C08005A5C08005A5C55
72981+:1043700008005A5C08005A5C08005A5C08005A5C45
72982+:1043800008005A5C08005A5C08005A5C08005A5C35
72983+:1043900008005A5C08005A5C08005A5C08005A5C25
72984+:1043A00008005A9808005A9808005A5C08005A9861
72985+:1043B00008005A5C08005A5C08005A5C08005A5C05
72986+:1043C00008005A5C08005A5C08005A5C08005A5CF5
72987+:1043D00008005A5C08005A5C08005A5C08005A5CE5
72988+:1043E00008005A5C08005A5C08005A5C08005A5CD5
72989+:1043F00008005A5C08005A5C08005A5C08005A5CC5
72990+:1044000008005A5C08005A5C08005A5C08005A5CB4
72991+:1044100008005A5C08005A5C08005A5C08005A5CA4
72992+:1044200008005A5C08005A5C08005A5C08005A5C94
72993+:1044300008005A5C08005A5C08005A5C08005A5C84
72994+:1044400008005A5C08005A5C08005A5C08005A5C74
72995+:1044500008005A5C08005A5C08005A5C08005A5C64
72996+:1044600008005A5C08005A5C08005A5C08005A5C54
72997+:1044700008005A5C08005A5C08005A5C08005A5C44
72998+:1044800008005A5C08005A5C08005A5C08005A5C34
72999+:1044900008005A5C08005A5C08005A5C08005A5C24
73000+:1044A00008005A5C08005A5C08005A5C08005A5C14
73001+:1044B00008005A5C08005A5C08005A5C08005A5C04
73002+:1044C00008005A5C08005A5C08005A5C08005ADC74
73003+:1044D0000800782C08007A900800783808007628C0
73004+:1044E00008007838080078C4080078380800762872
73005+:1044F0000800762808007628080076280800762824
73006+:104500000800762808007628080076280800762813
73007+:1045100008007628080078580800784808007628AF
73008+:1045200008007628080076280800762808007628F3
73009+:1045300008007628080076280800762808007628E3
73010+:1045400008007628080076280800762808007848B1
73011+:10455000080082FC08008188080082C40800818865
73012+:104560000800829408008070080081880800818813
73013+:1045700008008188080081880800818808008188F7
73014+:1045800008008188080081880800818808008188E7
73015+:104590000800818808008188080081B008008D34F7
73016+:1045A00008008E9008008E70080088D808008D4C96
73017+:1045B0000A00012400000000000000000000000DBF
73018+:1045C000747061362E322E31620000000602010145
73019+:1045D00000000000000000000000000000000000DB
73020+:1045E00000000000000000000000000000000000CB
73021+:1045F00000000000000000000000000000000000BB
73022+:1046000000000000000000000000000000000000AA
73023+:10461000000000000000000000000000000000009A
73024+:10462000000000000000000000000000000000008A
73025+:10463000000000000000000000000000000000007A
73026+:104640000000000010000003000000000000000D4A
73027+:104650000000000D3C020800244217203C03080023
73028+:1046600024632A10AC4000000043202B1480FFFD7F
73029+:10467000244200043C1D080037BD2FFC03A0F0219C
73030+:104680003C100800261004903C1C0800279C1720B2
73031+:104690000E000262000000000000000D2402FF80F6
73032+:1046A00027BDFFE000821024AFB00010AF42002011
73033+:1046B000AFBF0018AFB10014936500043084007FD1
73034+:1046C000034418213C0200080062182130A5002094
73035+:1046D000036080213C080111277B000814A0000220
73036+:1046E0002466005C2466005892020004974301048B
73037+:1046F000920400043047000F3063FFFF3084004015
73038+:10470000006728231080000900004821920200055C
73039+:1047100030420004104000050000000010A000031B
73040+:104720000000000024A5FFFC2409000492020005FB
73041+:1047300030420004104000120000000010A00010E1
73042+:10474000000000009602000200A72021010440257D
73043+:104750002442FFFEA7421016920300042402FF80A9
73044+:1047600000431024304200FF104000033C020400CC
73045+:104770000A000174010240258CC20000AF421018EB
73046+:104780008F4201780440FFFE2402000AA742014044
73047+:1047900096020002240400093042000700021023A0
73048+:1047A00030420007A7420142960200022442FFFE67
73049+:1047B000A7420144A740014697420104A74201488D
73050+:1047C0008F420108304200205040000124040001C3
73051+:1047D00092020004304200101440000234830010A2
73052+:1047E00000801821A743014A0000000000000000DB
73053+:1047F0000000000000000000AF48100000000000B2
73054+:104800000000000000000000000000008F421000C7
73055+:104810000441FFFE3102FFFF1040000700000000CE
73056+:1048200092020004304200401440000300000000E7
73057+:104830008F421018ACC20000960200063042FFFF03
73058+:10484000244200020002104300021040036288214B
73059+:10485000962200001120000D3044FFFF00A7102118
73060+:104860008F8300388F45101C0002108200021080D8
73061+:1048700000431021AC45000030A6FFFF0E00058D5F
73062+:1048800000052C0200402021A62200009203000413
73063+:104890002402FF8000431024304200FF1040001F1C
73064+:1048A0000000000092020005304200021040001B90
73065+:1048B000000000009742100C2442FFFEA742101691
73066+:1048C000000000003C02040034420030AF421000FF
73067+:1048D00000000000000000000000000000000000D8
73068+:1048E0008F4210000441FFFE000000009742100CB0
73069+:1048F0008F45101C3042FFFF24420030000210821E
73070+:1049000000021080005B1021AC45000030A6FFFFC4
73071+:104910000E00058D00052C02A62200009604000260
73072+:10492000248400080E0001E93084FFFF974401044D
73073+:104930000E0001F73084FFFF8FBF00188FB1001405
73074+:104940008FB000103C02100027BD002003E00008DB
73075+:10495000AF4201783084FFFF308200078F8500244A
73076+:1049600010400002248300073064FFF800A41021E7
73077+:1049700030421FFF03421821247B4000AF850028EE
73078+:10498000AF82002403E00008AF4200843084FFFFC0
73079+:104990003082000F8F85002C8F860034104000027B
73080+:1049A0002483000F3064FFF000A410210046182B70
73081+:1049B000AF8500300046202314600002AF82002C37
73082+:1049C000AF84002C8F82002C340480000342182115
73083+:1049D00000641821AF83003803E00008AF42008074
73084+:1049E0008F820014104000088F8200048F82FFDC49
73085+:1049F000144000058F8200043C02FFBF3442FFFFD9
73086+:104A0000008220248F82000430430006240200022A
73087+:104A10001062000F3C0201012C62000350400005AF
73088+:104A2000240200041060000F3C0200010A00023062
73089+:104A30000000000010620005240200061462000C51
73090+:104A40003C0201110A000229008210253C020011DB
73091+:104A500000821025AF421000240200010A0002303B
73092+:104A6000AF82000C00821025AF421000AF80000C16
73093+:104A700000000000000000000000000003E000084B
73094+:104A8000000000008F82000C1040000400000000B5
73095+:104A90008F4210000441FFFE0000000003E0000808
73096+:104AA000000000008F8200102443F800000231C291
73097+:104AB00024C2FFF02C6303011060000300021042C7
73098+:104AC0000A000257AC8200008F85001800C5102B29
73099+:104AD0001440000B0000182100C5102324470001DA
73100+:104AE0008F82001C00A210212442FFFF0046102BE1
73101+:104AF000544000042402FFFF0A000257AC87000064
73102+:104B00002402FFFF0A000260AC8200008C820000D9
73103+:104B10000002194000621821000318800062182169
73104+:104B2000000318803C0208002442175C0062182130
73105+:104B300003E000080060102127BDFFD8AFBF0020B0
73106+:104B4000AFB1001CAFB000183C0460088C8250006C
73107+:104B50002403FF7F3C066000004310243442380CDD
73108+:104B6000AC8250008CC24C1C3C1A80000002160221
73109+:104B70003042000F10400007AF82001C8CC34C1C59
73110+:104B80003C02001F3442FC0000621824000319C2DA
73111+:104B9000AF8300188F420008275B400034420001B9
73112+:104BA000AF420008AF8000243C02601CAF40008090
73113+:104BB000AF4000848C4500088CC308083402800094
73114+:104BC000034220212402FFF0006218243C020080EE
73115+:104BD0003C010800AC2204203C025709AF84003895
73116+:104BE00014620004AF850034240200010A0002921E
73117+:104BF000AF820014AF8000148F42000038420001E1
73118+:104C0000304200011440FFFC8F8200141040001657
73119+:104C10000000000097420104104000058F8300004F
73120+:104C2000146000072462FFFF0A0002A72C62000A3A
73121+:104C30002C620010504000048F83000024620001A9
73122+:104C4000AF8200008F8300002C62000A1440000332
73123+:104C50002C6200070A0002AEAF80FFDC10400002A9
73124+:104C600024020001AF82FFDC8F4301088F44010062
73125+:104C700030622000AF83000410400008AF840010B1
73126+:104C80003C0208008C42042C244200013C01080034
73127+:104C9000AC22042C0A00058A3C0240003065020068
73128+:104CA00014A0000324020F001482026024020D00ED
73129+:104CB00097420104104002C83C02400030624000AC
73130+:104CC000144000AD8F8200388C4400088F42017878
73131+:104CD0000440FFFE24020800AF42017824020008CD
73132+:104CE000A7420140A7400142974201048F8400047B
73133+:104CF0003051FFFF30820001104000070220802168
73134+:104D00002623FFFE240200023070FFFFA742014667
73135+:104D10000A0002DBA7430148A74001463C02080005
73136+:104D20008C42043C1440000D8F8300103082002020
73137+:104D30001440000224030009240300010060202124
73138+:104D40008F830010240209005062000134840004A3
73139+:104D5000A744014A0A0002F60000000024020F00E6
73140+:104D60001462000530820020144000062403000D68
73141+:104D70000A0002F524030005144000022403000980
73142+:104D800024030001A743014A3C0208008C4204208E
73143+:104D90003C0400480E00020C004420250E000235A1
73144+:104DA000000000008F82000C1040003E0000000058
73145+:104DB0008F4210003C0300200043102410400039B3
73146+:104DC0008F820004304200021040003600000000D4
73147+:104DD000974210141440003300000000974210085E
73148+:104DE0008F8800383042FFFF2442000600021882FC
73149+:104DF0000003388000E83021304300018CC40000FB
73150+:104E000010600004304200030000000D0A00033768
73151+:104E100000E81021544000103084FFFF3C05FFFFE4
73152+:104E200000852024008518260003182B0004102B71
73153+:104E300000431024104000050000000000000000A6
73154+:104E40000000000D00000000240002228CC20000BF
73155+:104E50000A000336004520253883FFFF0003182B86
73156+:104E60000004102B00431024104000050000000037
73157+:104E7000000000000000000D000000002400022BD4
73158+:104E80008CC200003444FFFF00E81021AC44000055
73159+:104E90003C0208008C420430244200013C0108001E
73160+:104EA000AC2204308F6200008F840038AF8200088B
73161+:104EB0008C8300003402FFFF1462000F00001021F9
73162+:104EC0003C0508008CA504543C0408008C84045064
73163+:104ED00000B0282100B0302B008220210086202144
73164+:104EE0003C010800AC2504543C010800AC240450EB
73165+:104EF0000A000580240400088C8200003042010072
73166+:104F00001040000F000010213C0508008CA5044C47
73167+:104F10003C0408008C84044800B0282100B0302BE9
73168+:104F200000822021008620213C010800AC25044C91
73169+:104F30003C010800AC2404480A0005802404000851
73170+:104F40003C0508008CA504443C0408008C84044003
73171+:104F500000B0282100B0302B0082202100862021C3
73172+:104F60003C010800AC2504443C010800AC2404408A
73173+:104F70000A000580240400088F6200088F62000088
73174+:104F800000021602304300F02402003010620005D7
73175+:104F900024020040106200E08F8200200A00058891
73176+:104FA0002442000114A000050000000000000000E1
73177+:104FB0000000000D00000000240002568F4201781E
73178+:104FC0000440FFFE000000000E00023D27A4001078
73179+:104FD0001440000500408021000000000000000D8A
73180+:104FE000000000002400025D8E0200001040000559
73181+:104FF00000000000000000000000000D00000000A4
73182+:10500000240002608F62000C0443000324020001AC
73183+:105010000A00042EAE000000AE0200008F820038AD
73184+:105020008C480008A20000078F65000C8F64000404
73185+:1050300030A3FFFF0004240200852023308200FFFC
73186+:105040000043102124420005000230832CC200815D
73187+:10505000A605000A14400005A20400040000000098
73188+:105060000000000D00000000240002788F85003849
73189+:105070000E0005AB260400148F6200048F43010864
73190+:10508000A60200083C02100000621824106000080C
73191+:105090000000000097420104920300072442FFEC45
73192+:1050A000346300023045FFFF0A0003C3A203000778
73193+:1050B000974201042442FFF03045FFFF96060008A6
73194+:1050C0002CC200135440000592030007920200070F
73195+:1050D00034420001A20200079203000724020001EB
73196+:1050E00010620005240200031062000B8F8200385A
73197+:1050F0000A0003E030C6FFFF8F8200383C04FFFF48
73198+:105100008C43000C0064182400651825AC43000C87
73199+:105110000A0003E030C6FFFF3C04FFFF8C43001091
73200+:105120000064182400651825AC43001030C6FFFF4A
73201+:1051300024C2000200021083A20200058F830038FF
73202+:10514000304200FF00021080004328218CA800009C
73203+:105150008CA2000024030004000217021443001272
73204+:1051600000000000974201043C03FFFF01031824E4
73205+:105170003042FFFF004610232442FFFE006240251C
73206+:10518000ACA8000092030005306200FF000210800E
73207+:1051900000501021904200143042000F00431021B3
73208+:1051A0000A000415A20200068CA400049742010420
73209+:1051B0009603000A3088FFFF3042FFFF00461023AD
73210+:1051C0002442FFD60002140001024025ACA80004CE
73211+:1051D000920200079204000524630028000318834C
73212+:1051E0000064182134420004A2030006A202000752
73213+:1051F0008F8200042403FFFB34420002004310248A
73214+:10520000AF820004920300068F87003800031880E5
73215+:10521000007010218C4400203C02FFF63442FFFF56
73216+:105220000082402400671821AE04000CAC68000C1A
73217+:10523000920500063C03FF7F8E02000C00052880CB
73218+:1052400000B020213463FFFF01033024948800263E
73219+:1052500000A7282100431024AE02000CAC860020D9
73220+:10526000AC880024ACA8001024020010A742014022
73221+:1052700024020002A7400142A7400144A742014680
73222+:10528000974201043C0400082442FFFEA742014863
73223+:10529000240200010E00020CA742014A9603000AF4
73224+:1052A0009202000400431021244200023042000711
73225+:1052B00000021023304200070E000235AE0200103B
73226+:1052C0008F6200003C0308008C6304442404001037
73227+:1052D000AF820008974201043042FFFF2442FFFEE4
73228+:1052E00000403821000237C33C0208008C420440D1
73229+:1052F000006718210067282B004610210045102167
73230+:105300003C010800AC2304443C010800AC220440EA
73231+:105310000A0005150000000014A0000500000000B0
73232+:10532000000000000000000D000000002400030A3F
73233+:105330008F4201780440FFFE000000000E00023D95
73234+:1053400027A4001414400005004080210000000044
73235+:105350000000000D00000000240003118E02000078
73236+:105360005440000692020007000000000000000DFB
73237+:10537000000000002400031C9202000730420004D9
73238+:10538000104000058F8200042403FFFB344200021A
73239+:1053900000431024AF8200048F620004044300081D
73240+:1053A00092020007920200068E03000CAE0000007D
73241+:1053B0000002108000501021AC4300209202000730
73242+:1053C00030420004544000099602000A920200058F
73243+:1053D0003C03000100021080005010218C46001890
73244+:1053E00000C33021AC4600189602000A9206000461
73245+:1053F000277100080220202100C2302124C60005A8
73246+:10540000260500140E0005AB00063082920400064B
73247+:105410008F6500043C027FFF000420800091202162
73248+:105420008C8300043442FFFF00A228240065182169
73249+:10543000AC8300049202000792040005920300046A
73250+:10544000304200041040001496070008308400FF2A
73251+:1054500000042080009120218C86000497420104E2
73252+:105460009605000A306300FF3042FFFF0043102121
73253+:105470000045102130E3FFFF004310232442FFD8F2
73254+:1054800030C6FFFF0002140000C23025AC860004C5
73255+:105490000A0004C992030007308500FF0005288038
73256+:1054A00000B128218CA4000097420104306300FF62
73257+:1054B0003042FFFF00431021004710233C03FFFF51
73258+:1054C000008320243042FFFF00822025ACA400008E
73259+:1054D0009203000724020001106200060000000091
73260+:1054E0002402000310620011000000000A0004EC16
73261+:1054F0008E03001097420104920300049605000AEF
73262+:105500008E24000C00431021004510212442FFF29C
73263+:105510003C03FFFF008320243042FFFF0082202550
73264+:10552000AE24000C0A0004EC8E0300109742010424
73265+:10553000920300049605000A8E24001000431021F7
73266+:10554000004510212442FFEE3C03FFFF008320248E
73267+:105550003042FFFF00822025AE2400108E03001091
73268+:105560002402000AA7420140A74301429603000A11
73269+:10557000920200043C04004000431021A742014471
73270+:10558000A740014697420104A742014824020001B6
73271+:105590000E00020CA742014A0E0002350000000076
73272+:1055A0008F6200009203000400002021AF820008F7
73273+:1055B000974201049606000A3042FFFF006218215C
73274+:1055C000006028213C0308008C6304443C0208006E
73275+:1055D0008C42044000651821004410210065382BDE
73276+:1055E000004710213C010800AC2304443C010800A2
73277+:1055F000AC22044092040004008620212484000A86
73278+:105600003084FFFF0E0001E9000000009744010410
73279+:105610003084FFFF0E0001F7000000003C02100084
73280+:10562000AF4201780A0005878F820020148200278C
73281+:105630003062000697420104104000673C024000BF
73282+:105640003062400010400005000000000000000033
73283+:105650000000000D00000000240004208F420178AB
73284+:105660000440FFFE24020800AF4201782402000833
73285+:10567000A7420140A74001428F82000497430104E2
73286+:1056800030420001104000073070FFFF2603FFFE8C
73287+:1056900024020002A7420146A74301480A00053F31
73288+:1056A0002402000DA74001462402000DA742014A32
73289+:1056B0008F62000024040008AF8200080E0001E998
73290+:1056C000000000000A0005190200202110400042DD
73291+:1056D0003C02400093620000304300F024020010BE
73292+:1056E0001062000524020070106200358F820020D5
73293+:1056F0000A000588244200018F62000097430104DC
73294+:105700003050FFFF3071FFFF8F4201780440FFFEF1
73295+:105710003202000700021023304200072403000A6F
73296+:105720002604FFFEA7430140A7420142A7440144CB
73297+:10573000A7400146A75101488F420108304200208E
73298+:10574000144000022403000924030001A743014A76
73299+:105750000E00020C3C0400400E0002350000000068
73300+:105760003C0708008CE70444021110212442FFFE8C
73301+:105770003C0608008CC604400040182100E3382194
73302+:10578000000010218F65000000E3402B00C2302193
73303+:105790002604000800C830213084FFFFAF850008D0
73304+:1057A0003C010800AC2704443C010800AC2604403E
73305+:1057B0000E0001E9000000000A0005190220202166
73306+:1057C0000E00013B000000008F82002024420001F7
73307+:1057D000AF8200203C024000AF4201380A00029232
73308+:1057E000000000003084FFFF30C6FFFF00052C00E2
73309+:1057F00000A628253882FFFF004510210045282BF0
73310+:105800000045102100021C023042FFFF004310211E
73311+:1058100000021C023042FFFF004310213842FFFF0C
73312+:1058200003E000083042FFFF3084FFFF30A5FFFF98
73313+:1058300000001821108000070000000030820001E5
73314+:105840001040000200042042006518210A0005A152
73315+:105850000005284003E000080060102110C0000689
73316+:1058600024C6FFFF8CA2000024A50004AC82000027
73317+:105870000A0005AB2484000403E0000800000000D7
73318+:1058800010A0000824A3FFFFAC8600000000000069
73319+:10589000000000002402FFFF2463FFFF1462FFFAF0
73320+:1058A0002484000403E00008000000000000000160
73321+:1058B0000A00002A00000000000000000000000DA7
73322+:1058C000747870362E322E3162000000060201001C
73323+:1058D00000000000000001360000EA600000000047
73324+:1058E00000000000000000000000000000000000B8
73325+:1058F00000000000000000000000000000000000A8
73326+:105900000000000000000000000000000000000097
73327+:105910000000001600000000000000000000000071
73328+:105920000000000000000000000000000000000077
73329+:105930000000000000000000000000000000000067
73330+:1059400000000000000000000000138800000000BC
73331+:10595000000005DC00000000000000001000000353
73332+:10596000000000000000000D0000000D3C020800D7
73333+:1059700024423D683C0308002463401CAC40000006
73334+:105980000043202B1480FFFD244200043C1D08002E
73335+:1059900037BD7FFC03A0F0213C100800261000A8B2
73336+:1059A0003C1C0800279C3D680E00044E00000000CF
73337+:1059B0000000000D27BDFFB4AFA10000AFA200049E
73338+:1059C000AFA30008AFA4000CAFA50010AFA6001451
73339+:1059D000AFA70018AFA8001CAFA90020AFAA0024F1
73340+:1059E000AFAB0028AFAC002CAFAD0030AFAE003491
73341+:1059F000AFAF0038AFB8003CAFB90040AFBC004417
73342+:105A0000AFBF00480E000591000000008FBF0048A6
73343+:105A10008FBC00448FB900408FB8003C8FAF003876
73344+:105A20008FAE00348FAD00308FAC002C8FAB0028D0
73345+:105A30008FAA00248FA900208FA8001C8FA7001810
73346+:105A40008FA600148FA500108FA4000C8FA3000850
73347+:105A50008FA200048FA1000027BD004C3C1B6004F6
73348+:105A60008F7A5030377B502803400008AF7A00000F
73349+:105A70008F86003C3C0390003C0280000086282575
73350+:105A800000A32025AC4400203C0380008C6700204C
73351+:105A900004E0FFFE0000000003E00008000000003A
73352+:105AA0000A000070240400018F85003C3C04800043
73353+:105AB0003483000100A3102503E00008AC8200201D
73354+:105AC00003E00008000010213084FFFF30A5FFFF35
73355+:105AD00010800007000018213082000110400002F1
73356+:105AE00000042042006518211480FFFB00052840B7
73357+:105AF00003E000080060102110C000070000000053
73358+:105B00008CA2000024C6FFFF24A50004AC82000084
73359+:105B100014C0FFFB2484000403E000080000000020
73360+:105B200010A0000824A3FFFFAC86000000000000C6
73361+:105B3000000000002402FFFF2463FFFF1462FFFA4D
73362+:105B40002484000403E000080000000090AA003153
73363+:105B50008FAB00108CAC00403C0300FF8D6800044C
73364+:105B6000AD6C00208CAD004400E060213462FFFF8A
73365+:105B7000AD6D00248CA700483C09FF000109C0243A
73366+:105B8000AD6700288CAE004C0182C824031978252B
73367+:105B9000AD6F0004AD6E002C8CAD0038314A00FFB3
73368+:105BA000AD6D001C94A900323128FFFFAD680010D4
73369+:105BB00090A70030A5600002A1600004A16700006A
73370+:105BC00090A30032306200FF0002198210600005CD
73371+:105BD000240500011065000E0000000003E000082D
73372+:105BE000A16A00018CD80028354A0080AD780018E1
73373+:105BF0008CCF0014AD6F00148CCE0030AD6E000859
73374+:105C00008CC4002CA16A000103E00008AD64000C04
73375+:105C10008CCD001CAD6D00188CC90014AD6900144A
73376+:105C20008CC80024AD6800088CC70020AD67000C4C
73377+:105C30008CC200148C8300700043C82B1320000713
73378+:105C4000000000008CC20014144CFFE400000000AF
73379+:105C5000354A008003E00008A16A00018C820070D0
73380+:105C60000A0000E6000000009089003027BDFFF820
73381+:105C70008FA8001CA3A900008FA300003C0DFF808B
73382+:105C800035A2FFFF8CAC002C00625824AFAB0000A3
73383+:105C9000A100000400C05821A7A000028D06000446
73384+:105CA00000A048210167C8218FA500000080502175
73385+:105CB0003C18FF7F032C20263C0E00FF2C8C00019B
73386+:105CC000370FFFFF35CDFFFF3C02FF0000AFC824B8
73387+:105CD00000EDC02400C27824000C1DC003236825F9
73388+:105CE00001F87025AD0D0000AD0E00048D240024D8
73389+:105CF000AFAD0000AD0400088D2C00202404FFFF90
73390+:105D0000AD0C000C9547003230E6FFFFAD060010E9
73391+:105D10009145004830A200FF000219C25060000106
73392+:105D20008D240034AD0400148D4700388FAA00186C
73393+:105D300027BD0008AD0B0028AD0A0024AD07001CEC
73394+:105D4000AD00002CAD00001803E00008AD000020FD
73395+:105D500027BDFFE0AFB20018AFB10014AFB0001024
73396+:105D6000AFBF001C9098003000C088213C0D00FFA0
73397+:105D7000330F007FA0CF0000908E003135ACFFFFC5
73398+:105D80003C0AFF00A0CE000194A6001EA220000441
73399+:105D90008CAB00148E29000400A08021016C282403
73400+:105DA000012A40240080902101052025A62600021A
73401+:105DB000AE24000426050020262400080E000092D0
73402+:105DC00024060002924700302605002826240014ED
73403+:105DD00000071E000003160324060004044000030D
73404+:105DE0002403FFFF965900323323FFFF0E00009279
73405+:105DF000AE230010262400248FBF001C8FB2001891
73406+:105E00008FB100148FB00010240500030000302172
73407+:105E10000A00009C27BD002027BDFFD8AFB1001CA1
73408+:105E2000AFB00018AFBF002090A9003024020001DD
73409+:105E300000E050213123003F00A040218FB00040FE
73410+:105E40000080882100C04821106200148FA700380C
73411+:105E5000240B000500A0202100C02821106B001396
73412+:105E6000020030210E000128000000009225007C75
73413+:105E700030A400021080000326030030AE00003082
73414+:105E8000260300348FBF00208FB1001C8FB0001894
73415+:105E90000060102103E0000827BD00280E0000A7C5
73416+:105EA000AFB000100A00016F000000008FA3003C9B
73417+:105EB000010020210120282101403021AFA3001042
73418+:105EC0000E0000EEAFB000140A00016F00000000E9
73419+:105ED0003C06800034C20E008C4400108F850044C4
73420+:105EE000ACA400208C43001803E00008ACA30024FD
73421+:105EF0003C06800034C20E008C4400148F850044A0
73422+:105F0000ACA400208C43001C03E00008ACA30024D8
73423+:105F10009382000C1040001B2483000F2404FFF028
73424+:105F20000064382410E00019978B00109784000E4D
73425+:105F30009389000D3C0A601C0A0001AC01644023F7
73426+:105F400001037021006428231126000231C2FFFFE3
73427+:105F500030A2FFFF0047302B50C0000E00E4482164
73428+:105F60008D4D000C31A3FFFF00036400000C2C03D7
73429+:105F700004A1FFF30000302130637FFF0A0001A479
73430+:105F80002406000103E00008000000009784000ED2
73431+:105F900000E448213123FFFF3168FFFF0068382B00
73432+:105FA00054E0FFF8A783000E938A000D114000050E
73433+:105FB000240F0001006BC023A380000D03E0000844
73434+:105FC000A798000E006BC023A38F000D03E000080C
73435+:105FD000A798000E03E000080000000027BDFFE8BE
73436+:105FE000AFB000103C10800036030140308BFFFF43
73437+:105FF00093AA002BAFBF0014A46B000436040E005C
73438+:106000009488001630C600FF8FA90030A4680006EF
73439+:10601000AC650008A0660012A46A001AAC670020F4
73440+:106020008FA5002CA4690018012020210E000198E2
73441+:10603000AC6500143C021000AE0201788FBF001462
73442+:106040008FB0001003E0000827BD00188F85000006
73443+:106050002484000727BDFFF83084FFF83C06800049
73444+:1060600094CB008A316AFFFFAFAA00008FA900001D
73445+:10607000012540232507FFFF30E31FFF0064102B9D
73446+:106080001440FFF700056882000D288034CC4000E2
73447+:1060900000AC102103E0000827BD00088F8200003B
73448+:1060A0002486000730C5FFF800A2182130641FFFC6
73449+:1060B00003E00008AF8400008F87003C8F84004419
73450+:1060C00027BDFFB0AFB70044AFB40038AFB1002C6C
73451+:1060D000AFBF0048AFB60040AFB5003CAFB300342F
73452+:1060E000AFB20030AFB000283C0B80008C8600249B
73453+:1060F000AD6700808C8A002035670E00356901008D
73454+:10610000ACEA00108C8800248D2500040000B82122
73455+:10611000ACE800188CE3001000A688230000A02142
73456+:10612000ACE300148CE20018ACE2001C122000FE6C
73457+:1061300000E0B021936C0008118000F40000000022
73458+:10614000976F001031EEFFFF022E682B15A000EFB5
73459+:1061500000000000977200103250FFFFAED0000028
73460+:106160003C0380008C740000329300081260FFFD35
73461+:106170000000000096D800088EC700043305FFFF1A
73462+:1061800030B5000112A000E4000000000000000D86
73463+:1061900030BFA0402419004013F9011B30B4A00007
73464+:1061A000128000DF000000009373000812600008F6
73465+:1061B00000000000976D001031ACFFFF00EC202BB9
73466+:1061C0001080000330AE004011C000D50000000078
73467+:1061D000A7850040AF87003893630008022028217C
73468+:1061E000AFB10020146000F527B40020AF60000CB0
73469+:1061F000978F004031F14000162000022403001662
73470+:106200002403000E24054007A363000AAF650014B1
73471+:10621000938A00428F70001431550001001512401E
73472+:1062200002024825AF690014979F00408F78001440
73473+:1062300033F9001003194025AF680014979200400D
73474+:106240003247000810E0016E000000008F67001464
73475+:106250003C1210003C11800000F27825AF6F001452
73476+:1062600036230E00946E000A3C0D81002406000EB9
73477+:1062700031CCFFFF018D2025AF640004A36600022E
73478+:106280009373000A3406FFFC266B0004A36B000A1C
73479+:1062900097980040330820001100015F00000000C3
73480+:1062A0003C05800034A90E00979900409538000CF9
73481+:1062B00097870040001940423312C00031030003A9
73482+:1062C00000127B0330F11000006F6825001172038B
73483+:1062D00001AE6025000C20C0A76400129793004017
73484+:1062E000936A000A001359823175003C02AA1021FA
73485+:1062F0002450003CA3700009953F000C33F93FFF88
73486+:10630000A779001097700012936900090130F821F5
73487+:1063100027E5000230B900070019C0233308000741
73488+:10632000A368000B9371000997720012976F001019
73489+:10633000322700FF8F910038978D004000F218211E
73490+:10634000006F702101C6602131A6004010C0000519
73491+:106350003185FFFF00B1102B3C1280001040001768
73492+:10636000000098210225A82B56A0013E8FA50020F1
73493+:106370003C048000348A0E008D5300143C068000DB
73494+:10638000AD5300108D4B001CAD4B0018AD45000007
73495+:106390008CCD000031AC00081180FFFD34CE0E0022
73496+:1063A00095C3000800A0882100009021A783004029
73497+:1063B0008DC6000424130001AF860038976F0010CB
73498+:1063C00031F5FFFF8E9F000003F1282310A0011F6D
73499+:1063D000AE85000093620008144000DD000000005C
73500+:1063E0000E0001E7240400108F900048004028218F
73501+:1063F0003C023200320600FF000654000142F8253C
73502+:1064000026090001AF890048ACBF0000937900095C
73503+:1064100097780012936F000A332800FF3303FFFFC1
73504+:106420000103382100076C0031EE00FF01AE60254A
73505+:10643000ACAC00048F840048978B0040316A200088
73506+:106440001140010AACA4000897640012308BFFFFD2
73507+:1064500006400108ACAB000C978E004031C5000827
73508+:1064600014A0000226280006262800023C1F8000F7
73509+:1064700037E70E0094F900148CE5001C8F670004C8
73510+:10648000937800023324FFFF330300FFAFA3001013
73511+:106490008F6F0014AFA800180E0001CBAFAF00142F
73512+:1064A000240400100E0001FB000000008E9200008A
73513+:1064B00016400005000000008F7800142403FFBF81
73514+:1064C0000303A024AF7400148F67000C00F5C821EB
73515+:1064D000AF79000C9375000816A0000800000000BA
73516+:1064E00012600006000000008F6800143C0AEFFFF5
73517+:1064F0003549FFFE0109F824AF7F0014A37300089B
73518+:106500008FA500200A00034F02202021AED10000F9
73519+:106510000A00022D3C03800014E0FF1E30BFA040A3
73520+:106520000E0001900000A0212E9100010237B0253D
73521+:1065300012C000188FBF00488F87003C24170F003F
73522+:1065400010F700D43C0680008CD901780720FFFEAC
73523+:10655000241F0F0010FF00F634CA0E008D560014E1
73524+:1065600034C7014024080240ACF600048D49001CE9
73525+:106570003C141000ACE90008A0E00012A4E0001AEE
73526+:10658000ACE00020A4E00018ACE80014ACD4017822
73527+:106590008FBF00488FB700448FB600408FB5003CD6
73528+:1065A0008FB400388FB300348FB200308FB1002C1D
73529+:1065B0008FB0002803E0000827BD00508F910038FD
73530+:1065C000978800403C1280000220A821310700403B
73531+:1065D00014E0FF7C00009821977900108F9200381A
73532+:1065E0003338FFFF131200A8000020210080A021F3
73533+:1065F000108000F300A088211620FECE00000000CD
73534+:106600000A00031F2E9100013C0380008C62017878
73535+:106610000440FFFE240808008F860000AC68017863
73536+:106620003C038000946D008A31ACFFFF0186582343
73537+:10663000256AFFFF31441FFF2C8900081520FFF950
73538+:10664000000000008F8F0048347040008F83003CB2
73539+:1066500000E0A021240E0F0025E70001AF870048CD
73540+:1066600000D03021023488233C08800031F500FF3F
73541+:10667000106E0005240700019398004233130001B7
73542+:106680000013924036470001001524003C0A010027
73543+:10669000008A4825ACC900008F82004830BF003610
73544+:1066A00030B90008ACC200041320009900FF9825FF
73545+:1066B00035120E009650000A8F8700003C0F8100B3
73546+:1066C0003203FFFF24ED000835060140006F60250E
73547+:1066D0003C0E100031AB1FFF269200062405000E71
73548+:1066E000ACCC0020026E9825A4C5001AAF8B000028
73549+:1066F000A4D20018162000083C1080008F89003CAE
73550+:1067000024020F00512200022417000136730040BA
73551+:106710000E0001883C10800036060E008CCB001461
73552+:10672000360A014002402021AD4B00048CC5001CFC
73553+:10673000AD450008A1550012AD5300140E0001989C
73554+:106740003C151000AE1501780A000352000000004D
73555+:10675000936F0009976E0012936D000B31E500FFF7
73556+:1067600000AE202131AC00FF008C80212602000AFF
73557+:106770003050FFFF0E0001E7020020218F86004805
73558+:106780003C0341003C05800024CB0001AF8B004856
73559+:10679000936A00099769001230C600FF315F00FF5D
73560+:1067A0003128FFFF03E8382124F900020006C40065
73561+:1067B0000319782501E37025AC4E00008F6D000CA5
73562+:1067C00034A40E00948B001401B26025AC4C00047C
73563+:1067D0008C85001C8F670004936A00023164FFFF00
73564+:1067E000314900FFAFA900108F680014AFB1001845
73565+:1067F0000E0001CBAFA800140A0002FD0200202108
73566+:10680000AF600004A36000029798004033082000A6
73567+:106810001500FEA300003021A760001297840040FD
73568+:10682000936B000A3C10800030931F0000135183CB
73569+:10683000014BA82126A20028A362000936090E00F8
73570+:10684000953F000C0A000295A77F00108F7000147E
73571+:10685000360900400E000188AF6900140A0002C921
73572+:10686000000000000A00034F000020210641FEFA4C
73573+:10687000ACA0000C8CAC000C3C0D8000018D902570
73574+:106880000A0002EAACB2000C000090210A0002C526
73575+:1068900024130001128000073C028000344B0E00DC
73576+:1068A0009566000830D300401260004900000000E7
73577+:1068B0003C0680008CD001780600FFFE34C50E0037
73578+:1068C00094B500103C03050034CC014032B8FFFF02
73579+:1068D00003039025AD92000C8CAF0014240D200012
73580+:1068E0003C041000AD8F00048CAE001CAD8E00087F
73581+:1068F000A1800012A580001AAD800020A58000189C
73582+:10690000AD8D0014ACC401780A0003263C0680005B
73583+:106910008F9F0000351801402692000227F90008D9
73584+:1069200033281FFFA71200180A000391AF88000048
73585+:106930003C02800034450140ACA0000C1280001BDA
73586+:1069400034530E0034510E008E370010ACB70004E3
73587+:106950008E2400183C0B8000ACA400083570014068
73588+:1069600024040040A20000128FBF0048A600001AB5
73589+:106970008FB70044AE0000208FB60040A60000187C
73590+:106980008FB5003CAE0400148FB400388FB30034D0
73591+:106990008FB200308FB1002C8FB000283C02100065
73592+:1069A00027BD005003E00008AD6201788E66001438
73593+:1069B000ACA600048E64001C0A00042A3C0B800074
73594+:1069C0000E0001902E9100010A0003200237B0252D
73595+:1069D000000000000000000D00000000240003691A
73596+:1069E0000A0004013C06800027BDFFD8AFBF00208D
73597+:1069F0003C0980003C1F20FFAFB200183C0760003C
73598+:106A000035320E002402001037F9FFFDACE23008E9
73599+:106A1000AFB3001CAFB10014AFB00010AE5900000E
73600+:106A20000000000000000000000000000000000066
73601+:106A3000000000003C1800FF3713FFFDAE530000BC
73602+:106A40003C0B60048D7050002411FF7F3C0E00024F
73603+:106A50000211782435EC380C35CD0109ACED4C1819
73604+:106A6000240A0009AD6C50008CE80438AD2A0008F7
73605+:106A7000AD2000148CE54C1C3106FFFF38C42F718B
73606+:106A800000051E023062000F2486C0B310400007CC
73607+:106A9000AF8200088CE54C1C3C09001F3528FC0027
73608+:106AA00000A81824000321C2AF8400048CF1080858
73609+:106AB0003C0F57092412F0000232702435F0001008
73610+:106AC00001D0602601CF68262DAA00012D8B000180
73611+:106AD000014B382550E00009A380000C3C1F601CCE
73612+:106AE0008FF8000824190001A399000C33137C00CF
73613+:106AF000A7930010A780000EA380000DAF80004870
73614+:106B000014C00003AF8000003C066000ACC0442C01
73615+:106B10000E0005B93C1080000E000F1A361101005E
73616+:106B20003C12080026523DD03C13080026733E500C
73617+:106B30008E03000038640001308200011440FFFC25
73618+:106B40003C0B800A8E2600002407FF8024C90240E7
73619+:106B5000312A007F014B402101272824AE06002066
73620+:106B6000AF880044AE0500243C048000AF86003CA2
73621+:106B70008C8C01780580FFFE24180800922F0008F5
73622+:106B8000AC980178A38F0042938E004231CD000172
73623+:106B900011A0000F24050D0024DFF8002FF90301D8
73624+:106BA0001320001C000629C224A4FFF00004104298
73625+:106BB000000231400E00020200D2D8213C02400007
73626+:106BC0003C068000ACC201380A0004A000000000AE
73627+:106BD00010C50023240D0F0010CD00273C1F800896
73628+:106BE00037F9008093380000240E0050330F00FF67
73629+:106BF00015EEFFF33C0240000E000A3600000000D4
73630+:106C00003C0240003C068000ACC201380A0004A0EF
73631+:106C1000000000008F83000400A3402B1500000B30
73632+:106C20008F8B0008006B50212547FFFF00E5482BA4
73633+:106C30001520000600A36023000C19400E0002027C
73634+:106C40000073D8210A0004C43C0240000000000D7B
73635+:106C50000E000202000000000A0004C43C024000D2
73636+:106C60003C1B0800277B3F500E0002020000000082
73637+:106C70000A0004C43C0240003C1B0800277B3F7014
73638+:106C80000E000202000000000A0004C43C024000A2
73639+:106C90003C0660043C09080025290104ACC9502CBD
73640+:106CA0008CC850003C0580003C0200023507008083
73641+:106CB000ACC750003C040800248415A43C03080021
73642+:106CC0002463155CACA50008ACA2000C3C010800D4
73643+:106CD000AC243D603C010800AC233D6403E00008A7
73644+:106CE0002402000100A030213C1C0800279C3D68C4
73645+:106CF0003C0C04003C0B0002008B3826008C402624
73646+:106D00002CE200010007502B2D050001000A4880ED
73647+:106D10003C03080024633D60004520250123182121
73648+:106D20001080000300001021AC6600002402000166
73649+:106D300003E00008000000003C1C0800279C3D68A0
73650+:106D40003C0B04003C0A0002008A3026008B3826E7
73651+:106D50002CC200010006482B2CE5000100094080F0
73652+:106D60003C03080024633D600045202501031821F1
73653+:106D700010800005000010213C0C0800258C155CDB
73654+:106D8000AC6C00002402000103E0000800000000D9
73655+:106D90003C0900023C08040000883026008938269F
73656+:106DA0002CC30001008028212CE400010083102561
73657+:106DB0001040000B000030213C1C0800279C3D685F
73658+:106DC0003C0A80008D4E00082406000101CA682597
73659+:106DD000AD4D00088D4C000C01855825AD4B000CC5
73660+:106DE00003E0000800C010213C1C0800279C3D68FF
73661+:106DF0003C0580008CA6000C000420272402000122
73662+:106E000000C4182403E00008ACA3000C3C020002FC
73663+:106E10001082000B3C0560003C0704001087000353
73664+:106E20000000000003E00008000000008CA908D06A
73665+:106E3000240AFFFD012A402403E00008ACA808D082
73666+:106E40008CA408D02406FFFE0086182403E0000866
73667+:106E5000ACA308D03C05601A34A600108CC3008097
73668+:106E600027BDFFF88CC50084AFA3000093A40000E9
73669+:106E70002402000110820003AFA5000403E0000813
73670+:106E800027BD000893A7000114E0001497AC00028E
73671+:106E900097B800023C0F8000330EFFFC01CF682141
73672+:106EA000ADA50000A3A000003C0660008CC708D080
73673+:106EB0002408FFFE3C04601A00E82824ACC508D072
73674+:106EC0008FA300048FA200003499001027BD000892
73675+:106ED000AF22008003E00008AF2300843C0B800059
73676+:106EE000318AFFFC014B48218D2800000A00057DF6
73677+:106EF000AFA8000427BDFFE8AFBF00103C1C08008E
73678+:106F0000279C3D683C0580008CA4000C8CA20004EA
73679+:106F10003C0300020044282410A0000A00A3182407
73680+:106F20003C0604003C0400021460000900A6102482
73681+:106F30001440000F3C0404000000000D3C1C08003D
73682+:106F4000279C3D688FBF001003E0000827BD001894
73683+:106F50003C0208008C423D600040F809000000003F
73684+:106F60003C1C0800279C3D680A0005A68FBF001046
73685+:106F70003C0208008C423D640040F809000000001B
73686+:106F80000A0005AC00000000000411C003E0000886
73687+:106F9000244202403C04080024843FB42405001A23
73688+:106FA0000A00009C0000302127BDFFE0AFB00010B8
73689+:106FB0003C108000AFBF0018AFB1001436110100C3
73690+:106FC000922200090E0005B63044007F8E3F00007B
73691+:106FD0008F89003C3C0F008003E26021258800403F
73692+:106FE0000049F821240DFF80310E00783198007897
73693+:106FF00035F9000135F100020319382501D1482582
73694+:10700000010D302403ED5824018D2824240A00406A
73695+:1070100024040080240300C0AE0B0024AE0008103E
73696+:10702000AE0A0814AE040818AE03081CAE05080426
73697+:10703000AE070820AE060808AE0908243609090084
73698+:107040009539000C3605098033ED007F3338FFFF9A
73699+:10705000001889C0AE110800AE0F0828952C000C4E
73700+:107060008FBF00188FB10014318BFFFF000B51C090
73701+:10707000AE0A002C8CA400508FB000108CA3003CF2
73702+:107080008D2700048CA8001C8CA600383C0E800ABA
73703+:1070900001AE102127BD0020AF820044AF84005014
73704+:1070A000AF830054AF87004CAF88005C03E000085A
73705+:1070B000AF8600603C09080091293FD924A800024E
73706+:1070C0003C05110000093C0000E8302500C51825EA
73707+:1070D00024820008AC83000003E00008AC800004B8
73708+:1070E0003C098000352309009128010B906A0011AA
73709+:1070F0002402002800804821314700FF00A07021B1
73710+:1071000000C068213108004010E20002340C86DD26
73711+:10711000240C08003C0A800035420A9A944700007B
73712+:10712000354B0A9C35460AA030F9FFFFAD39000007
73713+:107130008D780000354B0A8024040001AD3800042E
73714+:107140008CCF0000AD2F00089165001930A300031B
73715+:107150001064009028640002148000AF240500022F
73716+:107160001065009E240F0003106F00B435450AA47B
73717+:10717000240A0800118A0048000000005100003D68
73718+:107180003C0B80003C0480003483090090670012AF
73719+:1071900030E200FF004D7821000FC8802724000155
73720+:1071A0003C0A8000354F090091E50019354C0980F3
73721+:1071B0008D87002830A300FF0003150000475825E5
73722+:1071C0000004C4003C19600001793025370806FF2F
73723+:1071D000AD260000AD2800048DEA002C25280028EB
73724+:1071E000AD2A00088DEC0030AD2C000C8DE500348C
73725+:1071F000AD2500108DE400383C05800034AC093C1E
73726+:10720000AD2400148DE3001CAD2300188DE7002091
73727+:10721000AD27001C8DE20024AD2200208DF900284E
73728+:1072200034A20100AD3900248D830000AD0E0004AE
73729+:1072300034B90900AD0300008C47000C250200148E
73730+:10724000AD070008932B00123C04080090843FD83F
73731+:10725000AD000010317800FF030D302100064F0013
73732+:1072600000047C00012F702535CDFFFC03E00008F1
73733+:10727000AD0D000C35780900930600123C0508009E
73734+:1072800094A53FC830C800FF010D5021000A60805E
73735+:107290000A00063C018520211500005B000000006B
73736+:1072A0003C08080095083FCE3C06080094C63FC83D
73737+:1072B000010610213C0B800035790900933800113C
73738+:1072C000932A001935660A80330800FF94CF002AFC
73739+:1072D00000086082314500FF978A0058000C1E00AC
73740+:1072E000000524003047FFFF006410250047C0253B
73741+:1072F00001EA30213C0B4000030B402500066400EE
73742+:10730000AD280000AD2C0004932500183C030006B6
73743+:107310002528001400053E0000E31025AD220008DA
73744+:107320008F24002C3C05800034AC093CAD24000CBB
73745+:107330008F38001C34A20100254F0001AD38001029
73746+:107340008D830000AD0E000431EB7FFFAD03000024
73747+:107350008C47000C34B90900A78B0058AD07000812
73748+:10736000932B00123C04080090843FD8250200149F
73749+:10737000317800FF030D302100064F0000047C002F
73750+:10738000012F702535CDFFFCAD00001003E0000893
73751+:10739000AD0D000C3C02080094423FD23C050800B1
73752+:1073A00094A53FC835440AA43C07080094E73FC4AD
73753+:1073B000948B00000045C8210327C023000B1C004C
73754+:1073C0002706FFF200665025AD2A000CAD20001004
73755+:1073D000AD2C00140A00063025290018354F0AA4E8
73756+:1073E00095E50000956400280005140000043C00A9
73757+:1073F0003459810000EC5825AD39000CAD2B00103C
73758+:107400000A000630252900143C0C0800958C3FCE5C
73759+:107410000A000681258200015460FF56240A0800F4
73760+:1074200035580AA49706000000061C00006C502581
73761+:10743000AD2A000C0A000630252900103C03080084
73762+:1074400094633FD23C07080094E73FC83C0F080014
73763+:1074500095EF3FC494A4000095790028006710219F
73764+:10746000004F582300041C00001934002578FFEE5B
73765+:1074700000D87825346A8100AD2A000CAD2F0010A9
73766+:10748000AD200014AD2C00180A0006302529001C80
73767+:1074900003E00008240207D027BDFFE0AFB20018C8
73768+:1074A000AFB10014AFB00010AFBF001C0E00007CE5
73769+:1074B000008088218F8800548F87004C3C0580080D
73770+:1074C00034B20080011128213C1080002402008089
73771+:1074D000240300C000A72023AE0208183C06800841
73772+:1074E000AE03081C18800004AF850054ACC500042E
73773+:1074F0008CC90004AF89004C1220000936040980B1
73774+:107500000E0006F800000000924C00278E0B00745D
73775+:1075100001825004014B3021AE46000C3604098034
73776+:107520008C8E001C8F8F005C01CF682319A0000493
73777+:107530008FBF001C8C90001CAF90005C8FBF001CA4
73778+:107540008FB200188FB100148FB000100A00007EB7
73779+:1075500027BD00208F8600508F8300548F82004CFF
73780+:107560003C05800834A40080AC860050AC83003C0D
73781+:1075700003E00008ACA200043C0308008C63005444
73782+:1075800027BDFFF8308400FF2462000130A500FF12
73783+:107590003C010800AC22005430C600FF3C078000CC
73784+:1075A0008CE801780500FFFE3C0C7FFFA3A40003DC
73785+:1075B0008FAA0000358BFFFF014B4824000627C02F
73786+:1075C00001244025AFA8000034E201009043000AE6
73787+:1075D000A3A000023C1980FFA3A300018FAF00000D
73788+:1075E00030AE007F3738FFFF01F86024000E6E00D8
73789+:1075F0003C0A002034E50140018D58253549200022
73790+:107600002406FF803C04100027BD0008ACAB000C32
73791+:10761000ACA90014A4A00018A0A6001203E0000862
73792+:10762000ACE40178308800FF30A700FF3C03800005
73793+:107630008C6201780440FFFE3C0C8000358A0A0011
73794+:107640008D4B00203584014035850980AC8B0004CA
73795+:107650008D4900240007302B00061540AC89000836
73796+:10766000A088001090A3004CA083002D03E0000828
73797+:10767000A480001827BDFFE8308400FFAFBF0010D2
73798+:107680000E00075D30A500FF8F8300548FBF0010F0
73799+:107690003C06800034C50140344700402404FF907C
73800+:1076A0003C02100027BD0018ACA3000CA0A40012DF
73801+:1076B000ACA7001403E00008ACC2017827BDFFE0CE
73802+:1076C0003C088008AFBF001CAFB20018AFB1001477
73803+:1076D000AFB00010351000808E0600183C07800007
73804+:1076E000309200FF00C72025AE0400180E00007C79
73805+:1076F00030B100FF92030005346200080E00007EE6
73806+:10770000A2020005024020210E000771022028215C
73807+:10771000024020218FBF001C8FB200188FB10014CF
73808+:107720008FB0001024050005240600010A0007326E
73809+:1077300027BD00203C05800034A309809066000826
73810+:1077400030C200081040000F3C0A01013549080A08
73811+:10775000AC8900008CA80074AC8800043C070800C9
73812+:1077600090E73FD830E5001050A00008AC8000083A
73813+:107770003C0D800835AC00808D8B0058AC8B000828
73814+:107780002484000C03E00008008010210A0007B5E3
73815+:107790002484000C27BDFFE83C098000AFB0001036
73816+:1077A000AFBF00143526098090C8000924020006E6
73817+:1077B00000A05821310300FF3527090000808021F7
73818+:1077C000240500041062007B2408000294CF005CB2
73819+:1077D0003C0E020431EDFFFF01AE6025AE0C00004F
73820+:1077E00090CA00083144002010800008000000000A
73821+:1077F00090C2004E3C1F010337F90300305800FFD0
73822+:107800000319302524050008AE06000490F9001184
73823+:1078100090E6001290E40011333800FF00187082E7
73824+:1078200030CF00FF01CF5021014B6821308900FF8C
73825+:1078300031AAFFFF39230028000A60801460002C61
73826+:10784000020C482390E400123C198000372F0100FD
73827+:10785000308C00FF018B1821000310800045F821B7
73828+:10786000001F8400360706FFAD270004373F0900DC
73829+:1078700093EC001193EE0012372609800005C082B8
73830+:107880008DE4000C8CC5003431CD00FF01AB10211C
73831+:107890000058182100A4F8230008840000033F00CA
73832+:1078A00000F0302533F9FFFF318F00FC00D970253F
73833+:1078B0000158202101E9682100045080ADAE000C80
73834+:1078C0000E00007C012A80213C088008240B000463
73835+:1078D000350500800E00007EA0AB000902001021DB
73836+:1078E0008FBF00148FB0001003E0000827BD001800
73837+:1078F00090EC001190E300193C18080097183FCE57
73838+:10790000318200FF0002F882307000FF001FCE00BD
73839+:1079100000103C000327302500D870253C0F4000A4
73840+:1079200001CF68253C198000AD2D0000373F0900CC
73841+:1079300093EC001193EE0012372F010037260980D7
73842+:107940000005C0828DE4000C8CC5003431CD00FFF1
73843+:1079500001AB10210058182100A4F823000884006E
73844+:1079600000033F0000F0302533F9FFFF318F00FCAA
73845+:1079700000D970250158202101E9682100045080B8
73846+:10798000ADAE000C0E00007C012A80213C0880086E
73847+:10799000240B0004350500800E00007EA0AB00091A
73848+:1079A000020010218FBF00148FB0001003E0000808
73849+:1079B00027BD00180A0007C72408001227BDFFD002
73850+:1079C0003C038000AFB60028AFB50024AFB4002060
73851+:1079D000AFB10014AFBF002CAFB3001CAFB20018A2
73852+:1079E000AFB000103467010090E6000B309400FF48
73853+:1079F00030B500FF30C200300000B02110400099C7
73854+:107A000000008821346409809088000800082E0056
73855+:107A100000051E03046000C0240400048F86005487
73856+:107A20003C010800A0243FD83C0C8000AD800048F9
73857+:107A30003C048000348E010091CD000B31A5002064
73858+:107A400010A000073C078000349309809272000860
73859+:107A50000012860000107E0305E000C43C1F800871
73860+:107A600034EC0100918A000B34EB09809169000825
73861+:107A7000314400400004402B3123000800C8982303
73862+:107A80001460000224120003000090213C108000CA
73863+:107A900036180A8036040900970E002C90830011D6
73864+:107AA0009089001293050018307F00FF312800FFF5
73865+:107AB000024810210002C880930D0018033F78216E
73866+:107AC00001F1302130B100FF00D11821A78E0058FC
73867+:107AD0003C010800A4263FCE3C010800A4233FD06F
73868+:107AE00015A00002000000000000000D920B010B29
73869+:107AF0003065FFFF3C010800A4233FD2316A0040FB
73870+:107B00003C010800A4203FC83C010800A4203FC459
73871+:107B10001140000224A4000A24A4000B3091FFFFAE
73872+:107B20000E0001E7022020219206010B3C0C080008
73873+:107B3000958C3FD2004020210006698231A70001C8
73874+:107B40000E00060101872821004020210260282123
73875+:107B50000E00060C024030210E0007A1004020213B
73876+:107B600016C00069004020219212010B32560040DD
73877+:107B700012C000053C0500FF8C93000034AEFFFFEF
73878+:107B8000026E8024AC9000000E0001FB0220202138
73879+:107B90003C0F080091EF3FD831F10003122000168E
73880+:107BA0003C1380088F8200543C09800835280080EF
73881+:107BB000245F0001AD1F003C3C0580088CB9000427
73882+:107BC00003E02021033FC0231B000002AF9F0054AD
73883+:107BD0008CA400040E0006F8ACA400043C0780004E
73884+:107BE0008CEB00743C04800834830080004B5021EF
73885+:107BF000AC6A000C3C1380083670008002802021A3
73886+:107C000002A02821A200006B0E00075D3C1480003A
73887+:107C10008F920054368C0140AD92000C8F86004844
73888+:107C20003C151000344D000624D60001AF960048E4
73889+:107C30008FBF002CA18600128FB60028AD8D0014D6
73890+:107C40008FB3001CAE9501788FB200188FB5002459
73891+:107C50008FB400208FB100148FB0001003E0000833
73892+:107C600027BD003034640980908F0008000F760033
73893+:107C7000000E6E0305A00033347F090093F8001B4B
73894+:107C8000241900103C010800A0393FD8331300022A
73895+:107C90001260FF678F8600548F8200601446FF6574
73896+:107CA0003C0480000E00007C000000003C048008C2
73897+:107CB0003485008090A8000924060016310300FFD7
73898+:107CC0001066000D0000000090AB00093C070800A2
73899+:107CD00090E73FD824090008316400FF34EA00012E
73900+:107CE0003C010800A02A3FD81089002F240C000A6C
73901+:107CF000108C00282402000C0E00007E0000000002
73902+:107D00000A0008608F8600540E0007B9024028213F
73903+:107D10000A0008AE004020213C0B8008356A008034
73904+:107D20008D4600548CE9000C1120FF3DAF860054B5
73905+:107D3000240700143C010800A0273FD80A00085F70
73906+:107D40003C0C800090910008241200023C010800C5
73907+:107D5000A0323FD8323000201200000B2416000160
73908+:107D60008F8600540A0008602411000837F800804C
73909+:107D70008F020038AFE200048FF90004AF19003C15
73910+:107D80000A00086C3C0780008F8600540A000860D7
73911+:107D900024110004A0A200090E00007E00000000D3
73912+:107DA0000A0008608F860054240200140A00093A71
73913+:107DB000A0A2000927BDFFE8AFB000103C10800072
73914+:107DC000AFBF001436020100904400090E00075DA9
73915+:107DD000240500013C0480089099000E3483008043
73916+:107DE000909F000F906F00269089000A33F800FFE3
73917+:107DF00000196E000018740031EC00FF01AE502530
73918+:107E0000000C5A00014B3825312800FF3603014091
73919+:107E10003445600000E830252402FF813C04100056
73920+:107E2000AC66000C8FBF0014AC650014A062001299
73921+:107E3000AE0401788FB0001003E0000827BD0018E1
73922+:107E400027BDFFE8308400FFAFBF00100E00075DC4
73923+:107E500030A500FF3C05800034A4014034470040B9
73924+:107E60002406FF92AC870014A08600128F83005472
73925+:107E70008FBF00103C02100027BD0018AC83000C1F
73926+:107E800003E00008ACA2017827BDFFD8AFB0001016
73927+:107E9000308400FF30B000FF3C058000AFB100141B
73928+:107EA000AFBF0020AFB3001CAFB20018000410C277
73929+:107EB00034A60100320300023051000114600007B3
73930+:107EC00090D200093C098008353300809268000593
73931+:107ED0003107000810E0000C308A00100240202119
73932+:107EE0000E00078302202821240200018FBF0020FA
73933+:107EF0008FB3001C8FB200188FB100148FB0001028
73934+:107F000003E0000827BD00281540003434A50A000E
73935+:107F10008CB800248CAF0008130F004B00003821F0
73936+:107F20003C0D800835B30080926C00682406000286
73937+:107F3000318B00FF116600843C06800034C20100D2
73938+:107F40009263004C90590009307F00FF53F9000400
73939+:107F50003213007C10E00069000000003213007C46
73940+:107F60005660005C0240202116200009320D0001FD
73941+:107F70003C0C800035840100358B0A008D6500249F
73942+:107F80008C86000414A6FFD900001021320D0001D8
73943+:107F900011A0000E024020213C1880003710010083
73944+:107FA0008E0F000C8F8E005011EE000800000000B4
73945+:107FB0000E000843022028218E19000C3C1F800867
73946+:107FC00037F00080AE190050024020210E000771EA
73947+:107FD000022028210A00098F240200013C05080024
73948+:107FE0008CA5006424A400013C010800AC240064BA
73949+:107FF0001600000D00000000022028210E0007716D
73950+:1080000002402021926E0068240C000231CD00FF56
73951+:1080100011AC0022024020210E00094100000000A6
73952+:108020000A00098F240200010E00007024040001E0
73953+:10803000926B0025020B30250E00007EA266002503
73954+:108040000A0009D3022028218E6200188CDF000468
73955+:108050008CB9002400021E0217F9FFB13065007FC1
73956+:108060009268004C264400013093007F1265004066
73957+:10807000310300FF1464FFAB3C0D8008264700016C
73958+:1080800030F1007F30E200FF1225000B24070001D1
73959+:10809000004090210A00099C2411000124050004DD
73960+:1080A0000E000732240600010E0009410000000006
73961+:1080B0000A00098F240200012405FF8002452024C4
73962+:1080C00000859026324200FF004090210A00099C62
73963+:1080D000241100010E00084302202821320700303D
73964+:1080E00010E0FFA132100082024020210E00078321
73965+:1080F000022028210A00098F240200018E6900183D
73966+:108100000240202102202821012640250E0009647A
73967+:10811000AE6800189264004C240500032406000198
73968+:108120000E000732308400FF0E00007024040001AE
73969+:1081300092710025021150250E00007EA26A0025D2
73970+:108140000A00098F240200018E6F00183C1880007D
73971+:108150000240202101F87025022028210E0007711D
73972+:10816000AE6E00189264004C0A000A1B240500043D
73973+:10817000324A0080394900801469FF6A3C0D80084A
73974+:108180000A0009F42647000127BDFFC0AFB0001860
73975+:108190003C108000AFBF0038AFB70034AFB600303E
73976+:1081A000AFB5002CAFB40028AFB30024AFB20020AD
73977+:1081B0000E0005BEAFB1001C360201009045000B59
73978+:1081C0000E00097690440008144000E78FBF003885
73979+:1081D0003C08800835070080A0E0006B3606098067
73980+:1081E00090C50000240300503C17080026F73F907C
73981+:1081F00030A400FF3C13080026733FA01083000347
73982+:108200003C1080000000B82100009821241F0010BD
73983+:108210003611010036120A00361509808E580024E6
73984+:108220008E3400048EAF00208F8C00543C01080077
73985+:10823000A03F3FD836190A80972B002C8EF60000FD
73986+:10824000932A00180298702301EC68233C0108006F
73987+:10825000AC2E3FB43C010800AC2D3FB83C010800F7
73988+:10826000AC2C3FDCA78B005802C0F809315400FF4A
73989+:1082700030490002152000E930420001504000C49E
73990+:108280009227000992A90008312800081500000271
73991+:10829000241500030000A8213C0A80003543090092
73992+:1082A00035440A008C8D00249072001190700012E9
73993+:1082B000907F0011325900FF321100FF02B11021EE
73994+:1082C0000002C08033EF00FF0319B021028F70213C
73995+:1082D00002D4602125CB00103C010800A4363FCE1B
73996+:1082E0003C010800AC2D3FE03C010800A42C3FD02D
73997+:1082F0003C010800A42B3FCC3556010035540980C1
73998+:1083000035510E008F8700548F89005C8E850020C8
73999+:1083100024080006012730233C010800AC283FD484
74000+:1083200000A7282304C000B50000902104A000B3DA
74001+:1083300000C5502B114000B5000000003C010800B2
74002+:10834000AC263FB88E6200000040F8090000000033
74003+:108350003046000214C0007400408021304B000100
74004+:10836000556000118E6200043C0D08008DAD3FBCCD
74005+:108370003C0EC0003C04800001AE6025AE2C000025
74006+:108380008C980000330F000811E0FFFD0000000092
74007+:10839000963F000824120001A79F00408E39000478
74008+:1083A000AF9900388E6200040040F8090000000018
74009+:1083B0000202802532030002146000B300000000B6
74010+:1083C0003C09080095293FC43C06080094C63FD0EC
74011+:1083D0003C0A0800954A3FC63C0708008CE73FBCB2
74012+:1083E000012670213C0308008C633FE03C08080034
74013+:1083F00095083FDA01CA20218ED9000C00E9282116
74014+:10840000249F000200A878210067C02133E4FFFF09
74015+:10841000AF9900503C010800AC383FE03C01080037
74016+:10842000A42F3FC83C010800A42E3FD20E0001E754
74017+:10843000000000008F8D0048004020213C01080012
74018+:10844000A02D3FD98E62000825AC0001AF8C0048FA
74019+:108450000040F809000000008F85005402A0302180
74020+:108460000E00060C004020210E0007A10040202134
74021+:108470008E6B000C0160F809004020213C0A0800C6
74022+:10848000954A3FD23C06080094C63FC601464821A3
74023+:10849000252800020E0001FB3104FFFF3C05080007
74024+:1084A0008CA53FB43C0708008CE73FBC00A7202305
74025+:1084B0003C010800AC243FB414800006000000001A
74026+:1084C0003C0208008C423FD4344B00403C01080081
74027+:1084D000AC2B3FD4124000438F8E00448E2D0010F1
74028+:1084E0008F920044AE4D00208E2C0018AE4C00241C
74029+:1084F0003C04080094843FC80E0006FA0000000007
74030+:108500008F9F00548E6700103C010800AC3F3FDC99
74031+:1085100000E0F809000000003C1908008F393FB462
74032+:108520001720FF798F870054979300583C11800ED5
74033+:10853000321601000E000729A633002C16C0004594
74034+:10854000320300105460004C8EE5000432080040F5
74035+:108550005500001D8EF000088EE4000C0080F80924
74036+:10856000000000008FBF00388FB700348FB6003096
74037+:108570008FB5002C8FB400288FB300248FB2002059
74038+:108580008FB1001C8FB0001803E0000827BD004029
74039+:108590008F86003C36110E0000072E0000A6202515
74040+:1085A000AE0400808E4300208E500024AFA3001044
74041+:1085B000AE2300148FB20010AE320010AE30001C9B
74042+:1085C0000A000A75AE3000180200F8090000000029
74043+:1085D0008EE4000C0080F809000000000A000B2E59
74044+:1085E0008FBF003824180001240F0001A5C000200F
74045+:1085F000A5D800220A000B10ADCF00243C010800D2
74046+:10860000AC203FB80A000AA68E6200003C010800B8
74047+:10861000AC253FB80A000AA68E6200009224000929
74048+:108620000E000771000028218FBF00388FB700347B
74049+:108630008FB600308FB5002C8FB400288FB3002484
74050+:108640008FB200208FB1001C8FB0001803E000082B
74051+:1086500027BD00403C1480009295010900002821AC
74052+:108660000E00084332A400FF320300105060FFB830
74053+:10867000320800408EE5000400A0F8090000000068
74054+:108680000A000B28320800405240FFA89793005878
74055+:108690008E3400148F930044AE7400208E35001C7D
74056+:1086A000AE7500240A000B1F979300588F820014A8
74057+:1086B0000004218003E00008008210213C078008AC
74058+:1086C00034E200809043006900804021106000097E
74059+:1086D0003C0401003C0708008CE73FDC8F8300303E
74060+:1086E00000E32023048000089389001C14E30003A6
74061+:1086F0000100202103E00008008010213C0401005B
74062+:1087000003E00008008010211120000B00673823CF
74063+:108710003C0D800035AC0980918B007C316A0002F1
74064+:10872000114000202409003400E9702B15C0FFF12E
74065+:108730000100202100E938232403FFFC00A3C82402
74066+:1087400000E3C02400F9782B15E0FFEA030820219C
74067+:1087500030C400030004102314C000143049000387
74068+:108760000000302100A9782101E6702100EE682B7D
74069+:1087700011A0FFE03C0401002D3800010006C82BC9
74070+:10878000010548210319382414E0FFDA2524FFFCF1
74071+:108790002402FFFC00A218240068202103E0000846
74072+:1087A000008010210A000B9E240900303C0C800040
74073+:1087B0003586098090CB007C316A00041540FFE9C2
74074+:1087C000240600040A000BAD000030213C03080021
74075+:1087D0008C63005C8F82001827BDFFE0AFBF0018DC
74076+:1087E000AFB1001410620005AFB00010000329C043
74077+:1087F00024A40280AF840014AF8300183C108000D2
74078+:1088000036020A0094450032361101000E000B7F3B
74079+:1088100030A43FFF8E240000241FFF803C11008005
74080+:108820000082C021031F60243309007F000CC9406F
74081+:1088300003294025330E0078362F00033C0D10002D
74082+:10884000010D502501CF5825AE0C002836080980AF
74083+:10885000AE0C080CAE0B082CAE0A08309103006970
74084+:108860003C06800C0126382110600006AF870034DA
74085+:108870008D09003C8D03006C0123382318E0008231
74086+:10888000000000003C0B8008356A00803C1080002E
74087+:10889000A1400069360609808CC200383C06800081
74088+:1088A00034C50A0090A8003C310C00201180001A49
74089+:1088B000AF820030240D00013C0E800035D10A004B
74090+:1088C000A38D001CAF8000248E2400248F850024FB
74091+:1088D000240D0008AF800020AF8000283C01080074
74092+:1088E000A42D3FC63C010800A4203FDA0E000B83F4
74093+:1088F000000030219228003C8FBF00188FB1001477
74094+:108900008FB0001000086142AF82002C27BD00200C
74095+:1089100003E000083182000190B80032240E00010B
74096+:10892000330F00FF000F2182108E00412419000236
74097+:108930001099006434C40AC03C03800034640A0007
74098+:108940008C8F002415E0001E34660900909F0030D3
74099+:108950002418000533F9003F1338004E24030001AA
74100+:108960008F860020A383001CAF860028AF860024DA
74101+:108970003C0E800035D10A008E2400248F8500240F
74102+:10898000240D00083C010800A42D3FC63C0108004E
74103+:10899000A4203FDA0E000B83000000009228003C68
74104+:1089A0008FBF00188FB100148FB000100008614213
74105+:1089B000AF82002C27BD002003E0000831820001B7
74106+:1089C0008C8A00088C8B00248CD000643C0E8000C4
74107+:1089D00035D10A00014B2823AF900024A380001C4E
74108+:1089E000AF8500288E2400248F8600208F850024E8
74109+:1089F000240D00083C010800A42D3FC63C010800DE
74110+:108A0000A4203FDA0E000B83000000009228003CF7
74111+:108A10008FBF00188FB100148FB0001000086142A2
74112+:108A2000AF82002C27BD002003E000083182000146
74113+:108A300090A200303051003F5224002834C50AC0B3
74114+:108A40008CB000241600002234CB09008CA600480C
74115+:108A50003C0A7FFF3545FFFF00C510243C0E800017
74116+:108A6000AF82002035C509008F8800208CAD0060E2
74117+:108A7000010D602B15800002010020218CA40060F4
74118+:108A80000A000C22AF8400208D02006C0A000BFC4F
74119+:108A90003C0680008C8200488F8600203C097FFFC6
74120+:108AA0003527FFFF004788243C0480082403000189
74121+:108AB000AF910028AC80006CA383001C0A000C302E
74122+:108AC000AF8600248C9F00140A000C22AF9F002068
74123+:108AD0008D6200680A000C6C3C0E800034C4098072
74124+:108AE0008C8900708CA300140123382B10E0000443
74125+:108AF000000000008C8200700A000C6C3C0E8000AC
74126+:108B00008CA200140A000C6C3C0E80008F8500249F
74127+:108B100027BDFFE0AFBF0018AFB1001414A00008DC
74128+:108B2000AFB000103C04800034870A0090E60030AB
74129+:108B30002402000530C3003F106200B934840900EC
74130+:108B40008F91002000A080213C048000348E0A0018
74131+:108B50008DCD00043C0608008CC63FB831A73FFF0E
74132+:108B600000E6602B5580000100E03021938F001C4F
74133+:108B700011E0007800D0282B349F098093F9007C05
74134+:108B800033380002130000792403003400C3102B93
74135+:108B9000144000D90000000000C3302300D0282B6F
74136+:108BA0003C010800A4233FC414A0006E0200182159
74137+:108BB0003C0408008C843FB40064402B5500000145
74138+:108BC000006020213C05800034A90A00912A003C65
74139+:108BD0003C010800AC243FBC31430020146000037A
74140+:108BE0000000482134AB0E008D6900188F88002CDE
74141+:108BF0000128202B1080005F000000003C050800C9
74142+:108C00008CA53FBC00A96821010D602B1180005C80
74143+:108C100000B0702B0109382300E028213C01080036
74144+:108C2000AC273FBC12000003240AFFFC10B0008DEB
74145+:108C30003224000300AA18243C010800A4203FDAD3
74146+:108C40003C010800AC233FBC006028218F84002435
74147+:108C5000120400063C0B80088D6C006C0200202181
74148+:108C6000AF91002025900001AD70006C8F8D002821
74149+:108C700000858823AF91002401A52023AF8400281C
74150+:108C80001220000224070018240700103C18800856
74151+:108C90003706008090CF00683C010800A0273FD82D
74152+:108CA0002407000131EE00FF11C70047000000005B
74153+:108CB00014800018000028213C06800034D109806F
74154+:108CC00034CD010091A600098E2C001824C40001A7
74155+:108CD000000C86023205007F308B007F1165007F1B
74156+:108CE0002407FF803C19800837290080A124004C0C
74157+:108CF0003C0808008D083FD4241800023C010800FD
74158+:108D0000A0384019350F00083C010800AC2F3FD4B3
74159+:108D1000240500103C02800034440A009083003C8B
74160+:108D2000307F002013E0000500A02021240A00016C
74161+:108D30003C010800AC2A3FBC34A400018FBF0018DE
74162+:108D40008FB100148FB000100080102103E00008E4
74163+:108D500027BD00203C010800A4203FC410A0FF94C0
74164+:108D6000020018210A000CC000C018210A000CB72C
74165+:108D7000240300303C0508008CA53FBC00B0702BDC
74166+:108D800011C0FFA8000000003C19080097393FC43B
74167+:108D90000325C0210307782B11E000072CAA00044B
74168+:108DA0003C0360008C625404305F003F17E0FFE337
74169+:108DB000240400422CAA00041140FF9A240400421B
74170+:108DC0000A000D248FBF00181528FFB9000000000D
74171+:108DD0008CCA00183C1F800024020002015F182585
74172+:108DE000ACC3001837F90A00A0C200689329003C00
74173+:108DF0002404000400A01021312800203C010800B8
74174+:108E0000A0244019110000022405001024020001D2
74175+:108E10003C010800AC223FB40A000D1A3C0280005D
74176+:108E20008F8800288C8900600109282B14A000027B
74177+:108E3000010088218C9100603C048000348B0E007E
74178+:108E40008D640018240A000102202821022030210C
74179+:108E5000A38A001C0E000B83022080210A000CA6AE
74180+:108E6000AF82002C00045823122000073164000355
74181+:108E70003C0E800035C7098090ED007C31AC0004C9
74182+:108E800015800019248F00043C010800A4243FDA57
74183+:108E90003C1F080097FF3FDA03E5C82100D9C02B2B
74184+:108EA0001300FF6B8F8400242CA6000514C0FFA3C1
74185+:108EB0002404004230A200031440000200A2182340
74186+:108EC00024A3FFFC3C010800AC233FBC3C0108008C
74187+:108ED000A4203FDA0A000CE70060282100C77024B4
74188+:108EE0000A000D0D01C720263C010800A42F3FDA1F
74189+:108EF0000A000D78000000003C010800AC203FBCD7
74190+:108F00000A000D23240400428F8300283C058000C2
74191+:108F100034AA0A00146000060000102191470030B6
74192+:108F20002406000530E400FF108600030000000066
74193+:108F300003E0000800000000914B0048316900FF89
74194+:108F4000000941C21500FFFA3C0680083C040800F5
74195+:108F500094843FC43C0308008C633FDC3C19080048
74196+:108F60008F393FBC3C0F080095EF3FDA0064C02109
74197+:108F70008CCD00040319702101CF602134AB0E00A9
74198+:108F8000018D282318A0001D00000000914F004C07
74199+:108F90008F8C0034956D001031EE00FF8D89000438
74200+:108FA00001AE30238D8A000030CEFFFF000E290075
74201+:108FB0000125C82100003821014720210325182B55
74202+:108FC0000083C021AD990004AD980000918F000A84
74203+:108FD00001CF6821A18D000A956500128F8A0034A7
74204+:108FE000A5450008954B003825690001A5490038C2
74205+:108FF0009148000D35070008A147000D03E0000867
74206+:109000000000000027BDFFD8AFB000189388001CF7
74207+:109010008FB000143C0A80003C197FFF8F8700242A
74208+:109020003738FFFFAFBF0020AFB1001C355F0A002B
74209+:109030000218182493EB003C00087FC03C02BFFFDD
74210+:10904000006F60252CF000013449FFFF3C1F080031
74211+:109050008FFF3FDC8F9900303C18080097183FD2F3
74212+:1090600001897824001047803C07EFFF3C05F0FFA2
74213+:1090700001E818253C1180003169002034E2FFFF2F
74214+:1090800034ADFFFF362E098027A50010240600020C
74215+:1090900003F96023270B0002354A0E0000621824F2
74216+:1090A0000080802115200002000040218D48001C16
74217+:1090B000A7AB0012058000392407000030E800FF4C
74218+:1090C00000083F00006758253C028008AFAB001441
74219+:1090D000344F008091EA00683C08080091083FD9AD
74220+:1090E0003C09DFFF352CFFFF000AF82B3C0208008B
74221+:1090F00094423FCCA3A80011016CC024001FCF40B4
74222+:10910000031918258FA70010AFA300143C0C08000A
74223+:10911000918C3FDBA7A200168FAB001400ED482412
74224+:109120003C0F01003C0A0FFF012FC82531980003B6
74225+:10913000355FFFFF016D40243C027000033F38247F
74226+:1091400000181E0000E2482501037825AFAF001487
74227+:10915000AFA9001091CC007C0E000092A3AC0015CA
74228+:10916000362D0A0091A6003C30C400201080000675
74229+:10917000260200083C11080096313FC8262EFFFF4A
74230+:109180003C010800A42E3FC88FBF00208FB1001CF7
74231+:109190008FB0001803E0000827BD00288F8B002C3B
74232+:1091A000010B502B5540FFC5240700010A000E0497
74233+:1091B00030E800FF9383001C3C02800027BDFFD8ED
74234+:1091C00034480A0000805021AFBF002034460AC056
74235+:1091D000010028211060000E3444098091070030FE
74236+:1091E000240B00058F89002030EC003F118B000B11
74237+:1091F00000003821AFA900103C0B80088D69006C7D
74238+:10920000AFAA00180E00015AAFA90014A380001CD9
74239+:109210008FBF002003E0000827BD00288D1F0048F5
74240+:109220003C1808008F183FBC8F9900283C027FFF34
74241+:109230008D0800443443FFFFAFA900103C0B8008A9
74242+:109240008D69006C03E370240319782101CF682332
74243+:1092500001A83821AFAA00180E00015AAFA90014C6
74244+:109260000A000E58A380001C3C05800034A60A00AA
74245+:1092700090C7003C3C06080094C63FDA3C02080058
74246+:109280008C423FD430E30020000624001060001E12
74247+:10929000004438253C0880083505008090A300680C
74248+:1092A00000004821240800010000282124040001B6
74249+:1092B0003C0680008CCD017805A0FFFE34CF014034
74250+:1092C000ADE800083C0208008C423FDCA5E5000444
74251+:1092D000A5E40006ADE2000C3C04080090843FD9F0
74252+:1092E0003C03800834790080A1E40012ADE700144B
74253+:1092F000A5E900189338004C3C0E1000A1F8002D91
74254+:1093000003E00008ACCE017834A90E008D28001CC3
74255+:109310003C0C08008D8C3FBC952B0016952A001440
74256+:10932000018648213164FFFF0A000E803145FFFFAE
74257+:109330003C04800034830A009065003C30A2002089
74258+:109340001040001934870E00000040210000382131
74259+:10935000000020213C0680008CC901780520FFFE1A
74260+:1093600034CA014034CF010091EB0009AD48000838
74261+:109370003C0E08008DCE3FDC240DFF91240C0040F4
74262+:109380003C081000A5440004A5470006AD4E000CA3
74263+:10939000A14D0012AD4C0014A5400018A14B002DAA
74264+:1093A00003E00008ACC801788CE8001894E60012CD
74265+:1093B00094E4001030C7FFFF0A000EA93084FFFFBD
74266+:1093C0003C04800034830A009065003C30A20020F9
74267+:1093D0001040002727BDFFF82409000100003821B4
74268+:1093E000240800013C0680008CCA01780540FFFE7D
74269+:1093F0003C0280FF34C40100908D00093C0C080041
74270+:10940000918C4019A3AD00038FAB00003185007F24
74271+:109410003459FFFF01665025AFAA00009083000A6F
74272+:10942000A3A0000200057E00A3A300018FB80000E6
74273+:1094300034CB0140240C30000319702401CF68257F
74274+:10944000AD6D000C27BD0008AD6C0014A5600018C0
74275+:10945000AD690008A56700042409FF80A56800061F
74276+:109460003C081000A169001203E00008ACC80178B4
74277+:1094700034870E008CE9001894E6001294E4001082
74278+:1094800030C8FFFF0A000ECD3087FFFF27BDFFE089
74279+:10949000AFB100143C118000AFB00010AFBF001896
74280+:1094A00036380A00970F0032363001000E000B7F6D
74281+:1094B00031E43FFF8E0E0000240DFF803C042000AD
74282+:1094C00001C25821016D6024000C4940316A007FBF
74283+:1094D000012A4025010438253C048008AE270830C5
74284+:1094E0003486008090C500682403000230A200FF8B
74285+:1094F000104300048F9F00208F990024AC9F0068C8
74286+:10950000AC9900648FBF00188FB100148FB00010A9
74287+:1095100003E0000827BD00203C0A0800254A3A80E5
74288+:109520003C09080025293B103C08080025082F1C91
74289+:109530003C07080024E73BDC3C06080024C639044D
74290+:109540003C05080024A536583C0408002484325CFD
74291+:109550003C030800246339B83C0208002442375415
74292+:109560003C010800AC2A3F983C010800AC293F941C
74293+:109570003C010800AC283F903C010800AC273F9C10
74294+:109580003C010800AC263FAC3C010800AC253FA4E0
74295+:109590003C010800AC243FA03C010800AC233FB0D4
74296+:1095A0003C010800AC223FA803E0000800000000D6
74297+:1095B00080000940800009008008010080080080C8
74298+:1095C00080080000800E00008008008080080000F5
74299+:1095D00080000A8080000A00800009808000090065
74300+:00000001FF
74301diff --git a/fs/Kconfig.binfmt b/fs/Kconfig.binfmt
74302index 2d0cbbd..a6d61492 100644
74303--- a/fs/Kconfig.binfmt
74304+++ b/fs/Kconfig.binfmt
74305@@ -103,7 +103,7 @@ config HAVE_AOUT
74306
74307 config BINFMT_AOUT
74308 tristate "Kernel support for a.out and ECOFF binaries"
74309- depends on HAVE_AOUT
74310+ depends on HAVE_AOUT && BROKEN
74311 ---help---
74312 A.out (Assembler.OUTput) is a set of formats for libraries and
74313 executables used in the earliest versions of UNIX. Linux used
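Review bot: The added `&& BROKEN` dependency on `BINFMT_AOUT` carries no explanation, so a later reader cannot tell from the entry whether the a.out loader is being retired as hardening or because it no longer builds. Gating on `BROKEN` makes the option unselectable in normal configurations and so takes a legacy binary loader out of the exec path; that intent is only inferred here. A one-line comment above the `depends on` line, for example `# a.out loader disabled: legacy format, kept out of hardened builds`, or a sentence in the help text would record it. The help text continues past the end of the hunk.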
74314diff --git a/fs/afs/inode.c b/fs/afs/inode.c
74315index e06f5a2..81d07ac 100644
74316--- a/fs/afs/inode.c
74317+++ b/fs/afs/inode.c
74318@@ -141,7 +141,7 @@ struct inode *afs_iget_autocell(struct inode *dir, const char *dev_name,
74319 struct afs_vnode *vnode;
74320 struct super_block *sb;
74321 struct inode *inode;
74322- static atomic_t afs_autocell_ino;
74323+ static atomic_unchecked_t afs_autocell_ino;
74324
74325 _enter("{%x:%u},%*.*s,",
74326 AFS_FS_I(dir)->fid.vid, AFS_FS_I(dir)->fid.vnode,
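Review bot: The switch of `afs_autocell_ino` to `atomic_unchecked_t` has no comment saying why this counter may wrap, and the same applies to the `atomic_inc_return_unchecked()` call in the next hunk of this file. The value is passed to `iget5_locked()` as a lookup key rather than used as a reference count, which is presumably why it is exempted from overflow checking, but a wrapped counter hands out a key that was used before. A comment on the declaration such as `/* id generator, not a refcount: wrap-around is tolerated */` would make the exemption reviewable. Whether a reused key is harmless depends on `afs_iget5_autocell_test`, which is outside the hunk, as are the start and end of `afs_iget_autocell`.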
74327@@ -154,7 +154,7 @@ struct inode *afs_iget_autocell(struct inode *dir, const char *dev_name,
74328 data.fid.unique = 0;
74329 data.fid.vnode = 0;
74330
74331- inode = iget5_locked(sb, atomic_inc_return(&afs_autocell_ino),
74332+ inode = iget5_locked(sb, atomic_inc_return_unchecked(&afs_autocell_ino),
74333 afs_iget5_autocell_test, afs_iget5_set,
74334 &data);
74335 if (!inode) {
74336diff --git a/fs/aio.c b/fs/aio.c
74337index 480440f..623fd88 100644
74338--- a/fs/aio.c
74339+++ b/fs/aio.c
74340@@ -441,7 +441,7 @@ static int aio_setup_ring(struct kioctx *ctx)
74341 size += sizeof(struct io_event) * nr_events;
74342
74343 nr_pages = PFN_UP(size);
74344- if (nr_pages < 0)
74345+ if (nr_pages <= 0)
74346 return -EINVAL;
74347
74348 file = aio_private_file(ctx, nr_pages);
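Review bot: The tightened check `if (nr_pages <= 0)` runs only after `PFN_UP(size)` has been stored in `nr_pages`, so it catches a zero or negative result but not a value that was narrowed to a small positive number. The declarations of `size` and `nr_pages` are outside the hunk; if `nr_pages` is a signed type narrower than `size`, bounding the page count before the assignment is the more robust guard, e.g. `if (PFN_UP(size) > INT_MAX) return -EINVAL;`. The preceding `sizeof(struct io_event) * nr_events` is likewise unchecked in the visible lines, so the upper bound on `nr_events` should be confirmed against the caller. `aio_setup_ring` continues on both sides of the hunk.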
74349diff --git a/fs/attr.c b/fs/attr.c
74350index 6530ced..4a827e2 100644
74351--- a/fs/attr.c
74352+++ b/fs/attr.c
74353@@ -102,6 +102,7 @@ int inode_newsize_ok(const struct inode *inode, loff_t offset)
74354 unsigned long limit;
74355
74356 limit = rlimit(RLIMIT_FSIZE);
74357+ gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
74358 if (limit != RLIM_INFINITY && offset > limit)
74359 goto out_sig;
74360 if (offset > inode->i_sb->s_maxbytes)
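Review bot: The `(unsigned long)offset` cast in the added `gr_learn_resource()` call narrows a `loff_t`, so on targets where `unsigned long` is 32 bits the value handed to the learning code can be smaller than the offset that the limit check on the next line compares. `gr_learn_resource()` is declared outside this hunk; if its parameter is `unsigned long`, clamping the argument, `offset > ULONG_MAX ? ULONG_MAX : (unsigned long)offset`, would keep the learned value from understating the request. The trailing `1` is an unexplained flag, and a named constant or a short comment would make the call readable. The body of `inode_newsize_ok` begins before the hunk.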
74361diff --git a/fs/autofs4/waitq.c b/fs/autofs4/waitq.c
74362index 35b755e..f4b9e0a 100644
74363--- a/fs/autofs4/waitq.c
74364+++ b/fs/autofs4/waitq.c
74365@@ -59,7 +59,7 @@ static int autofs4_write(struct autofs_sb_info *sbi,
74366 {
74367 unsigned long sigpipe, flags;
74368 mm_segment_t fs;
74369- const char *data = (const char *)addr;
74370+ const char __user *data = (const char __force_user *)addr;
74371 ssize_t wr = 0;
74372
74373 sigpipe = sigismember(&current->pending.signal, SIGPIPE);
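Review bot: The `__force_user` cast on `addr` silences the address-space check without a comment stating why a kernel buffer may be treated as a user pointer here. The `mm_segment_t fs` local suggests the write is done under a temporarily widened address limit, but that code is outside the hunk, so this is inferred. A comment on the declaration, e.g. `/* kernel buffer; written under set_fs(KERNEL_DS) below */`, would keep the cast auditable and warn anyone who later changes the segment handling.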
74374@@ -340,6 +340,10 @@ static int validate_request(struct autofs_wait_queue **wait,
74375 return 1;
74376 }
74377
74378+#ifdef CONFIG_GRKERNSEC_HIDESYM
74379+static atomic_unchecked_t autofs_dummy_name_id = ATOMIC_INIT(0);
74380+#endif
74381+
74382 int autofs4_wait(struct autofs_sb_info *sbi, struct dentry *dentry,
74383 enum autofs_notify notify)
74384 {
74385@@ -385,7 +389,12 @@ int autofs4_wait(struct autofs_sb_info *sbi, struct dentry *dentry,
74386
74387 /* If this is a direct mount request create a dummy name */
74388 if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type))
74389+#ifdef CONFIG_GRKERNSEC_HIDESYM
74390+ /* this name does get written to userland via autofs4_write() */
74391+ qstr.len = sprintf(name, "%08x", atomic_inc_return_unchecked(&autofs_dummy_name_id));
74392+#else
74393 qstr.len = sprintf(name, "%p", dentry);
74394+#endif
74395 else {
74396 qstr.len = autofs4_getpath(sbi, dentry, &name);
74397 if (!qstr.len) {
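Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` block sits inside a braceless `if`/`else`, so the `if` body is whichever single `sprintf` statement the preprocessor keeps, and a second statement added to either branch would detach the `else`. Bracing the branch, `if (IS_ROOT(dentry) && autofs_type_trigger(sbi->type)) {` with a matching `} else {`, removes that hazard. Replacing `%p` with a counter keeps a kernel address out of a name that reaches userland, as the added comment says. The counter declared in the previous hunk can wrap, and a comment there on whether a repeated dummy name matters would help. Both `sprintf` calls write into `name` without a bound, and its size is not visible in the hunk.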
74398diff --git a/fs/befs/endian.h b/fs/befs/endian.h
74399index 2722387..56059b5 100644
74400--- a/fs/befs/endian.h
74401+++ b/fs/befs/endian.h
74402@@ -11,7 +11,7 @@
74403
74404 #include <asm/byteorder.h>
74405
74406-static inline u64
74407+static inline u64 __intentional_overflow(-1)
74408 fs64_to_cpu(const struct super_block *sb, fs64 n)
74409 {
74410 if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
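Review bot: The `__intentional_overflow(-1)` annotation is added to `fs64_to_cpu`, and in the two following hunks to `fs32_to_cpu` and `fs16_to_cpu`, without a comment explaining what overflow is intended in a byte-order conversion. The annotation presumably exempts the return value from overflow instrumentation because byte swapping produces arbitrary bit patterns, but that is inferred from the name. The reverse helpers visible in the context (`cpu_to_fs64`, `cpu_to_fs32`) are not annotated. If that asymmetry is deliberate, a short comment above the first helper such as `/* byte-swapped on-disk value: exempt from overflow instrumentation */` would say so.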
74411@@ -29,7 +29,7 @@ cpu_to_fs64(const struct super_block *sb, u64 n)
74412 return (__force fs64)cpu_to_be64(n);
74413 }
74414
74415-static inline u32
74416+static inline u32 __intentional_overflow(-1)
74417 fs32_to_cpu(const struct super_block *sb, fs32 n)
74418 {
74419 if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
74420@@ -47,7 +47,7 @@ cpu_to_fs32(const struct super_block *sb, u32 n)
74421 return (__force fs32)cpu_to_be32(n);
74422 }
74423
74424-static inline u16
74425+static inline u16 __intentional_overflow(-1)
74426 fs16_to_cpu(const struct super_block *sb, fs16 n)
74427 {
74428 if (BEFS_SB(sb)->byte_order == BEFS_BYTESEX_LE)
74429diff --git a/fs/binfmt_aout.c b/fs/binfmt_aout.c
74430index 4c55668..eeae150 100644
74431--- a/fs/binfmt_aout.c
74432+++ b/fs/binfmt_aout.c
74433@@ -16,6 +16,7 @@
74434 #include <linux/string.h>
74435 #include <linux/fs.h>
74436 #include <linux/file.h>
74437+#include <linux/security.h>
74438 #include <linux/stat.h>
74439 #include <linux/fcntl.h>
74440 #include <linux/ptrace.h>
74441@@ -58,6 +59,8 @@ static int aout_core_dump(struct coredump_params *cprm)
74442 #endif
74443 # define START_STACK(u) ((void __user *)u.start_stack)
74444
74445+ memset(&dump, 0, sizeof(dump));
74446+
74447 fs = get_fs();
74448 set_fs(KERNEL_DS);
74449 has_dumped = 1;
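Review bot: The added `memset(&dump, 0, sizeof(dump));` carries no comment, although it is the kind of line a later cleanup removes as redundant. The declaration of `dump` is outside this hunk, but if it is an on-stack structure that is later written to the core file, any field or padding byte the function does not fill would otherwise reach the file with stale kernel stack contents. I would add `/* zero padding and unset fields so no uninitialised kernel stack bytes are written to the core file */` directly above it.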
74450@@ -68,10 +71,12 @@ static int aout_core_dump(struct coredump_params *cprm)
74451
74452 /* If the size of the dump file exceeds the rlimit, then see what would happen
74453 if we wrote the stack, but not the data area. */
74454+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
74455 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
74456 dump.u_dsize = 0;
74457
74458 /* Make sure we have enough room to write the stack and data areas. */
74459+ gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
74460 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
74461 dump.u_ssize = 0;
74462
74463@@ -232,6 +237,8 @@ static int load_aout_binary(struct linux_binprm * bprm)
74464 rlim = rlimit(RLIMIT_DATA);
74465 if (rlim >= RLIM_INFINITY)
74466 rlim = ~0;
74467+
74468+ gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
74469 if (ex.a_data + ex.a_bss > rlim)
74470 return -ENOMEM;
74471
74472@@ -261,6 +268,27 @@ static int load_aout_binary(struct linux_binprm * bprm)
74473
74474 install_exec_creds(bprm);
74475
74476+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
74477+ current->mm->pax_flags = 0UL;
74478+#endif
74479+
74480+#ifdef CONFIG_PAX_PAGEEXEC
74481+ if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
74482+ current->mm->pax_flags |= MF_PAX_PAGEEXEC;
74483+
74484+#ifdef CONFIG_PAX_EMUTRAMP
74485+ if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
74486+ current->mm->pax_flags |= MF_PAX_EMUTRAMP;
74487+#endif
74488+
74489+#ifdef CONFIG_PAX_MPROTECT
74490+ if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
74491+ current->mm->pax_flags |= MF_PAX_MPROTECT;
74492+#endif
74493+
74494+ }
74495+#endif
74496+
74497 if (N_MAGIC(ex) == OMAGIC) {
74498 unsigned long text_addr, map_size;
74499 loff_t pos;
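Review bot: This block resets `current->mm->pax_flags` and then sets only `MF_PAX_PAGEEXEC`, `MF_PAX_EMUTRAMP` and `MF_PAX_MPROTECT`, so an a.out image never receives `MF_PAX_SEGMEXEC` or `MF_PAX_RANDMMAP` here even though the reset is also compiled in for `CONFIG_PAX_ASLR`. Nothing documents that restriction. Unlike `pax_parse_pax_flags()` added to fs/binfmt_elf.c in this same patch, the result is stored without going through `pax_check_flags()`; if that helper enforces global policy, the a.out path should call it too or say why it need not. The opt-out bits come from `N_FLAGS(ex)`, the header of the file being executed, which is worth stating in a comment above the block. load_aout_binary continues outside the hunk.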
74500@@ -312,7 +340,7 @@ static int load_aout_binary(struct linux_binprm * bprm)
74501 return error;
74502
74503 error = vm_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
74504- PROT_READ | PROT_WRITE | PROT_EXEC,
74505+ PROT_READ | PROT_WRITE,
74506 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
74507 fd_offset + ex.a_text);
74508 if (error != N_DATADDR(ex))
74509diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
74510index 6b65996..17bd3c4 100644
74511--- a/fs/binfmt_elf.c
74512+++ b/fs/binfmt_elf.c
74513@@ -35,6 +35,7 @@
74514 #include <linux/utsname.h>
74515 #include <linux/coredump.h>
74516 #include <linux/sched.h>
74517+#include <linux/xattr.h>
74518 #include <asm/uaccess.h>
74519 #include <asm/param.h>
74520 #include <asm/page.h>
74521@@ -66,6 +67,14 @@ static int elf_core_dump(struct coredump_params *cprm);
74522 #define elf_core_dump NULL
74523 #endif
74524
74525+#ifdef CONFIG_PAX_MPROTECT
74526+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
74527+#endif
74528+
74529+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
74530+static void elf_handle_mmap(struct file *file);
74531+#endif
74532+
74533 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
74534 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
74535 #else
74536@@ -85,6 +94,15 @@ static struct linux_binfmt elf_format = {
74537 .load_binary = load_elf_binary,
74538 .load_shlib = load_elf_library,
74539 .core_dump = elf_core_dump,
74540+
74541+#ifdef CONFIG_PAX_MPROTECT
74542+ .handle_mprotect= elf_handle_mprotect,
74543+#endif
74544+
74545+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
74546+ .handle_mmap = elf_handle_mmap,
74547+#endif
74548+
74549 .min_coredump = ELF_EXEC_PAGESIZE,
74550 };
74551
74552@@ -92,6 +110,8 @@ static struct linux_binfmt elf_format = {
74553
74554 static int set_brk(unsigned long start, unsigned long end)
74555 {
74556+ unsigned long e = end;
74557+
74558 start = ELF_PAGEALIGN(start);
74559 end = ELF_PAGEALIGN(end);
74560 if (end > start) {
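Review bot: The new local `e` is a one-letter name for a value that changes what set_brk() stores: the next hunk assigns the caller's unaligned `end` to `start_brk`/`brk` instead of the `ELF_PAGEALIGN`ed one. A name and comment that say so would help, for example `unsigned long unaligned_end = end; /* brk keeps the caller's sub-page offset; only the mapping is page-aligned */`. The RANDMMAP block added to load_elf_binary later in this patch calls `set_brk(start + size, ...)` with a `size` that has 16-byte granularity, and that appears to be the reason for the change.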
74561@@ -100,7 +120,7 @@ static int set_brk(unsigned long start, unsigned long end)
74562 if (BAD_ADDR(addr))
74563 return addr;
74564 }
74565- current->mm->start_brk = current->mm->brk = end;
74566+ current->mm->start_brk = current->mm->brk = e;
74567 return 0;
74568 }
74569
74570@@ -161,12 +181,13 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
74571 elf_addr_t __user *u_rand_bytes;
74572 const char *k_platform = ELF_PLATFORM;
74573 const char *k_base_platform = ELF_BASE_PLATFORM;
74574- unsigned char k_rand_bytes[16];
74575+ u32 k_rand_bytes[4];
74576 int items;
74577 elf_addr_t *elf_info;
74578 int ei_index = 0;
74579 const struct cred *cred = current_cred();
74580 struct vm_area_struct *vma;
74581+ unsigned long saved_auxv[AT_VECTOR_SIZE];
74582
74583 /*
74584 * In some cases (e.g. Hyper-Threading), we want to avoid L1
74585@@ -208,8 +229,12 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
74586 * Generate 16 random bytes for userspace PRNG seeding.
74587 */
74588 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
74589- u_rand_bytes = (elf_addr_t __user *)
74590- STACK_ALLOC(p, sizeof(k_rand_bytes));
74591+ prandom_seed(k_rand_bytes[0] ^ prandom_u32());
74592+ prandom_seed(k_rand_bytes[1] ^ prandom_u32());
74593+ prandom_seed(k_rand_bytes[2] ^ prandom_u32());
74594+ prandom_seed(k_rand_bytes[3] ^ prandom_u32());
74595+ p = STACK_ROUND(p, sizeof(k_rand_bytes));
74596+ u_rand_bytes = (elf_addr_t __user *) p;
74597 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
74598 return -EFAULT;
74599
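Review bot: The four `prandom_seed(k_rand_bytes[i] ^ prandom_u32());` lines sit under a comment that still describes only userspace PRNG seeding, so the kernel-side reseed is undocumented. The same `k_rand_bytes` words are copied to the new process by the `__copy_to_user()` a few lines below, so they are not secret from that process and should not be described as fresh private entropy for the kernel generator. I would add `/* also stir the kernel's non-cryptographic prandom state; note these words are exported to userland below */`. The switch from `STACK_ALLOC` to `p = STACK_ROUND(p, sizeof(k_rand_bytes))` changes the alignment of the buffer as well; both macros are defined outside the hunk, so a word on the intent would help.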
74600@@ -324,9 +349,11 @@ create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
74601 return -EFAULT;
74602 current->mm->env_end = p;
74603
74604+ memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
74605+
74606 /* Put the elf_info on the stack in the right place. */
74607 sp = (elf_addr_t __user *)envp + 1;
74608- if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
74609+ if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
74610 return -EFAULT;
74611 return 0;
74612 }
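Review bot: `memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));` writes a computed length into the fixed-size stack array `saved_auxv[AT_VECTOR_SIZE]` with no bound check in view. `ei_index` is advanced outside this hunk, so the limit may well hold by construction, but an explicit guard such as `BUG_ON(ei_index * sizeof(elf_addr_t) > sizeof(saved_auxv));` before the copy would make the stack write self-evidently safe. The reason for bouncing through a local copy instead of copying `elf_info` directly is also not stated and deserves a one-line comment.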
74613@@ -515,14 +542,14 @@ static inline int arch_check_elf(struct elfhdr *ehdr, bool has_interp,
74614 an ELF header */
74615
74616 static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
74617- struct file *interpreter, unsigned long *interp_map_addr,
74618+ struct file *interpreter,
74619 unsigned long no_base, struct elf_phdr *interp_elf_phdata)
74620 {
74621 struct elf_phdr *eppnt;
74622- unsigned long load_addr = 0;
74623+ unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
74624 int load_addr_set = 0;
74625 unsigned long last_bss = 0, elf_bss = 0;
74626- unsigned long error = ~0UL;
74627+ unsigned long error = -EINVAL;
74628 unsigned long total_size;
74629 int i;
74630
74631@@ -542,6 +569,11 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
74632 goto out;
74633 }
74634
74635+#ifdef CONFIG_PAX_SEGMEXEC
74636+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
74637+ pax_task_size = SEGMEXEC_TASK_SIZE;
74638+#endif
74639+
74640 eppnt = interp_elf_phdata;
74641 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
74642 if (eppnt->p_type == PT_LOAD) {
74643@@ -565,8 +597,6 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
74644 map_addr = elf_map(interpreter, load_addr + vaddr,
74645 eppnt, elf_prot, elf_type, total_size);
74646 total_size = 0;
74647- if (!*interp_map_addr)
74648- *interp_map_addr = map_addr;
74649 error = map_addr;
74650 if (BAD_ADDR(map_addr))
74651 goto out;
74652@@ -585,8 +615,8 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
74653 k = load_addr + eppnt->p_vaddr;
74654 if (BAD_ADDR(k) ||
74655 eppnt->p_filesz > eppnt->p_memsz ||
74656- eppnt->p_memsz > TASK_SIZE ||
74657- TASK_SIZE - eppnt->p_memsz < k) {
74658+ eppnt->p_memsz > pax_task_size ||
74659+ pax_task_size - eppnt->p_memsz < k) {
74660 error = -ENOMEM;
74661 goto out;
74662 }
74663@@ -625,9 +655,11 @@ static unsigned long load_elf_interp(struct elfhdr *interp_elf_ex,
74664 elf_bss = ELF_PAGESTART(elf_bss + ELF_MIN_ALIGN - 1);
74665
74666 /* Map the last of the bss segment */
74667- error = vm_brk(elf_bss, last_bss - elf_bss);
74668- if (BAD_ADDR(error))
74669- goto out;
74670+ if (last_bss > elf_bss) {
74671+ error = vm_brk(elf_bss, last_bss - elf_bss);
74672+ if (BAD_ADDR(error))
74673+ goto out;
74674+ }
74675 }
74676
74677 error = load_addr;
74678@@ -635,6 +667,336 @@ out:
74679 return error;
74680 }
74681
74682+#ifdef CONFIG_PAX_PT_PAX_FLAGS
74683+#ifdef CONFIG_PAX_SOFTMODE
74684+static unsigned long pax_parse_pt_pax_softmode(const struct elf_phdr * const elf_phdata)
74685+{
74686+ unsigned long pax_flags = 0UL;
74687+
74688+#ifdef CONFIG_PAX_PAGEEXEC
74689+ if (elf_phdata->p_flags & PF_PAGEEXEC)
74690+ pax_flags |= MF_PAX_PAGEEXEC;
74691+#endif
74692+
74693+#ifdef CONFIG_PAX_SEGMEXEC
74694+ if (elf_phdata->p_flags & PF_SEGMEXEC)
74695+ pax_flags |= MF_PAX_SEGMEXEC;
74696+#endif
74697+
74698+#ifdef CONFIG_PAX_EMUTRAMP
74699+ if ((elf_phdata->p_flags & PF_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
74700+ pax_flags |= MF_PAX_EMUTRAMP;
74701+#endif
74702+
74703+#ifdef CONFIG_PAX_MPROTECT
74704+ if (elf_phdata->p_flags & PF_MPROTECT)
74705+ pax_flags |= MF_PAX_MPROTECT;
74706+#endif
74707+
74708+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74709+ if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
74710+ pax_flags |= MF_PAX_RANDMMAP;
74711+#endif
74712+
74713+ return pax_flags;
74714+}
74715+#endif
74716+
74717+static unsigned long pax_parse_pt_pax_hardmode(const struct elf_phdr * const elf_phdata)
74718+{
74719+ unsigned long pax_flags = 0UL;
74720+
74721+#ifdef CONFIG_PAX_PAGEEXEC
74722+ if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
74723+ pax_flags |= MF_PAX_PAGEEXEC;
74724+#endif
74725+
74726+#ifdef CONFIG_PAX_SEGMEXEC
74727+ if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
74728+ pax_flags |= MF_PAX_SEGMEXEC;
74729+#endif
74730+
74731+#ifdef CONFIG_PAX_EMUTRAMP
74732+ if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
74733+ pax_flags |= MF_PAX_EMUTRAMP;
74734+#endif
74735+
74736+#ifdef CONFIG_PAX_MPROTECT
74737+ if (!(elf_phdata->p_flags & PF_NOMPROTECT))
74738+ pax_flags |= MF_PAX_MPROTECT;
74739+#endif
74740+
74741+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74742+ if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
74743+ pax_flags |= MF_PAX_RANDMMAP;
74744+#endif
74745+
74746+ return pax_flags;
74747+}
74748+#endif
74749+
74750+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
74751+#ifdef CONFIG_PAX_SOFTMODE
74752+static unsigned long pax_parse_xattr_pax_softmode(unsigned long pax_flags_softmode)
74753+{
74754+ unsigned long pax_flags = 0UL;
74755+
74756+#ifdef CONFIG_PAX_PAGEEXEC
74757+ if (pax_flags_softmode & MF_PAX_PAGEEXEC)
74758+ pax_flags |= MF_PAX_PAGEEXEC;
74759+#endif
74760+
74761+#ifdef CONFIG_PAX_SEGMEXEC
74762+ if (pax_flags_softmode & MF_PAX_SEGMEXEC)
74763+ pax_flags |= MF_PAX_SEGMEXEC;
74764+#endif
74765+
74766+#ifdef CONFIG_PAX_EMUTRAMP
74767+ if ((pax_flags_softmode & MF_PAX_EMUTRAMP) && (pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)))
74768+ pax_flags |= MF_PAX_EMUTRAMP;
74769+#endif
74770+
74771+#ifdef CONFIG_PAX_MPROTECT
74772+ if (pax_flags_softmode & MF_PAX_MPROTECT)
74773+ pax_flags |= MF_PAX_MPROTECT;
74774+#endif
74775+
74776+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74777+ if (randomize_va_space && (pax_flags_softmode & MF_PAX_RANDMMAP))
74778+ pax_flags |= MF_PAX_RANDMMAP;
74779+#endif
74780+
74781+ return pax_flags;
74782+}
74783+#endif
74784+
74785+static unsigned long pax_parse_xattr_pax_hardmode(unsigned long pax_flags_hardmode)
74786+{
74787+ unsigned long pax_flags = 0UL;
74788+
74789+#ifdef CONFIG_PAX_PAGEEXEC
74790+ if (!(pax_flags_hardmode & MF_PAX_PAGEEXEC))
74791+ pax_flags |= MF_PAX_PAGEEXEC;
74792+#endif
74793+
74794+#ifdef CONFIG_PAX_SEGMEXEC
74795+ if (!(pax_flags_hardmode & MF_PAX_SEGMEXEC))
74796+ pax_flags |= MF_PAX_SEGMEXEC;
74797+#endif
74798+
74799+#ifdef CONFIG_PAX_EMUTRAMP
74800+ if (!(pax_flags_hardmode & MF_PAX_EMUTRAMP))
74801+ pax_flags |= MF_PAX_EMUTRAMP;
74802+#endif
74803+
74804+#ifdef CONFIG_PAX_MPROTECT
74805+ if (!(pax_flags_hardmode & MF_PAX_MPROTECT))
74806+ pax_flags |= MF_PAX_MPROTECT;
74807+#endif
74808+
74809+#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
74810+ if (randomize_va_space && !(pax_flags_hardmode & MF_PAX_RANDMMAP))
74811+ pax_flags |= MF_PAX_RANDMMAP;
74812+#endif
74813+
74814+ return pax_flags;
74815+}
74816+#endif
74817+
74818+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
74819+static unsigned long pax_parse_defaults(void)
74820+{
74821+ unsigned long pax_flags = 0UL;
74822+
74823+#ifdef CONFIG_PAX_SOFTMODE
74824+ if (pax_softmode)
74825+ return pax_flags;
74826+#endif
74827+
74828+#ifdef CONFIG_PAX_PAGEEXEC
74829+ pax_flags |= MF_PAX_PAGEEXEC;
74830+#endif
74831+
74832+#ifdef CONFIG_PAX_SEGMEXEC
74833+ pax_flags |= MF_PAX_SEGMEXEC;
74834+#endif
74835+
74836+#ifdef CONFIG_PAX_MPROTECT
74837+ pax_flags |= MF_PAX_MPROTECT;
74838+#endif
74839+
74840+#ifdef CONFIG_PAX_RANDMMAP
74841+ if (randomize_va_space)
74842+ pax_flags |= MF_PAX_RANDMMAP;
74843+#endif
74844+
74845+ return pax_flags;
74846+}
74847+
74848+static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
74849+{
74850+ unsigned long pax_flags = PAX_PARSE_FLAGS_FALLBACK;
74851+
74852+#ifdef CONFIG_PAX_EI_PAX
74853+
74854+#ifdef CONFIG_PAX_SOFTMODE
74855+ if (pax_softmode)
74856+ return pax_flags;
74857+#endif
74858+
74859+ pax_flags = 0UL;
74860+
74861+#ifdef CONFIG_PAX_PAGEEXEC
74862+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
74863+ pax_flags |= MF_PAX_PAGEEXEC;
74864+#endif
74865+
74866+#ifdef CONFIG_PAX_SEGMEXEC
74867+ if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
74868+ pax_flags |= MF_PAX_SEGMEXEC;
74869+#endif
74870+
74871+#ifdef CONFIG_PAX_EMUTRAMP
74872+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
74873+ pax_flags |= MF_PAX_EMUTRAMP;
74874+#endif
74875+
74876+#ifdef CONFIG_PAX_MPROTECT
74877+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
74878+ pax_flags |= MF_PAX_MPROTECT;
74879+#endif
74880+
74881+#ifdef CONFIG_PAX_ASLR
74882+ if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
74883+ pax_flags |= MF_PAX_RANDMMAP;
74884+#endif
74885+
74886+#endif
74887+
74888+ return pax_flags;
74889+
74890+}
74891+
74892+static unsigned long pax_parse_pt_pax(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
74893+{
74894+
74895+#ifdef CONFIG_PAX_PT_PAX_FLAGS
74896+ unsigned long i;
74897+
74898+ for (i = 0UL; i < elf_ex->e_phnum; i++)
74899+ if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
74900+ if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
74901+ ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
74902+ ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
74903+ ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
74904+ ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
74905+ return PAX_PARSE_FLAGS_FALLBACK;
74906+
74907+#ifdef CONFIG_PAX_SOFTMODE
74908+ if (pax_softmode)
74909+ return pax_parse_pt_pax_softmode(&elf_phdata[i]);
74910+ else
74911+#endif
74912+
74913+ return pax_parse_pt_pax_hardmode(&elf_phdata[i]);
74914+ break;
74915+ }
74916+#endif
74917+
74918+ return PAX_PARSE_FLAGS_FALLBACK;
74919+}
74920+
74921+static unsigned long pax_parse_xattr_pax(struct file * const file)
74922+{
74923+
74924+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
74925+ ssize_t xattr_size, i;
74926+ unsigned char xattr_value[sizeof("pemrs") - 1];
74927+ unsigned long pax_flags_hardmode = 0UL, pax_flags_softmode = 0UL;
74928+
74929+ xattr_size = pax_getxattr(file->f_path.dentry, xattr_value, sizeof xattr_value);
74930+ if (xattr_size < 0 || xattr_size > sizeof xattr_value)
74931+ return PAX_PARSE_FLAGS_FALLBACK;
74932+
74933+ for (i = 0; i < xattr_size; i++)
74934+ switch (xattr_value[i]) {
74935+ default:
74936+ return PAX_PARSE_FLAGS_FALLBACK;
74937+
74938+#define parse_flag(option1, option2, flag) \
74939+ case option1: \
74940+ if (pax_flags_hardmode & MF_PAX_##flag) \
74941+ return PAX_PARSE_FLAGS_FALLBACK;\
74942+ pax_flags_hardmode |= MF_PAX_##flag; \
74943+ break; \
74944+ case option2: \
74945+ if (pax_flags_softmode & MF_PAX_##flag) \
74946+ return PAX_PARSE_FLAGS_FALLBACK;\
74947+ pax_flags_softmode |= MF_PAX_##flag; \
74948+ break;
74949+
74950+ parse_flag('p', 'P', PAGEEXEC);
74951+ parse_flag('e', 'E', EMUTRAMP);
74952+ parse_flag('m', 'M', MPROTECT);
74953+ parse_flag('r', 'R', RANDMMAP);
74954+ parse_flag('s', 'S', SEGMEXEC);
74955+
74956+#undef parse_flag
74957+ }
74958+
74959+ if (pax_flags_hardmode & pax_flags_softmode)
74960+ return PAX_PARSE_FLAGS_FALLBACK;
74961+
74962+#ifdef CONFIG_PAX_SOFTMODE
74963+ if (pax_softmode)
74964+ return pax_parse_xattr_pax_softmode(pax_flags_softmode);
74965+ else
74966+#endif
74967+
74968+ return pax_parse_xattr_pax_hardmode(pax_flags_hardmode);
74969+#else
74970+ return PAX_PARSE_FLAGS_FALLBACK;
74971+#endif
74972+
74973+}
74974+
74975+static long pax_parse_pax_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata, struct file * const file)
74976+{
74977+ unsigned long pax_flags, ei_pax_flags, pt_pax_flags, xattr_pax_flags;
74978+
74979+ pax_flags = pax_parse_defaults();
74980+ ei_pax_flags = pax_parse_ei_pax(elf_ex);
74981+ pt_pax_flags = pax_parse_pt_pax(elf_ex, elf_phdata);
74982+ xattr_pax_flags = pax_parse_xattr_pax(file);
74983+
74984+ if (pt_pax_flags != PAX_PARSE_FLAGS_FALLBACK &&
74985+ xattr_pax_flags != PAX_PARSE_FLAGS_FALLBACK &&
74986+ pt_pax_flags != xattr_pax_flags)
74987+ return -EINVAL;
74988+ if (xattr_pax_flags != PAX_PARSE_FLAGS_FALLBACK)
74989+ pax_flags = xattr_pax_flags;
74990+ else if (pt_pax_flags != PAX_PARSE_FLAGS_FALLBACK)
74991+ pax_flags = pt_pax_flags;
74992+ else if (ei_pax_flags != PAX_PARSE_FLAGS_FALLBACK)
74993+ pax_flags = ei_pax_flags;
74994+
74995+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
74996+ if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
74997+ if ((__supported_pte_mask & _PAGE_NX))
74998+ pax_flags &= ~MF_PAX_SEGMEXEC;
74999+ else
75000+ pax_flags &= ~MF_PAX_PAGEEXEC;
75001+ }
75002+#endif
75003+
75004+ if (0 > pax_check_flags(&pax_flags))
75005+ return -EINVAL;
75006+
75007+ current->mm->pax_flags = pax_flags;
75008+ return 0;
75009+}
75010+#endif
75011+
75012 /*
75013 * These are the functions used to load ELF style executables and shared
75014 * libraries. There is no binary dependent code anywhere else.
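Review bot: `pax_parse_pax_flags()` has no comment stating the precedence it implements: an xattr marking overrides PT_PAX_FLAGS, which overrides EI_PAX, which overrides `pax_parse_defaults()`, and a PT_PAX_FLAGS/xattr disagreement fails with `-EINVAL`. All of these markings are read from the file being executed, so a header comment spelling out the order and the fallback on contradictory bits (`PAX_PARSE_FLAGS_FALLBACK`) would help anyone auditing which marking wins. In `pax_parse_pt_pax()` the `break;` after `return pax_parse_pt_pax_hardmode(&elf_phdata[i]);` is unreachable. The `else` left hanging before `#endif` there and in `pax_parse_xattr_pax()` binds to whatever statement follows, so bracing both arms would be safer. The function also returns `long` (an errno or 0) while its siblings return `unsigned long` flag words, which is worth a remark in that comment.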
75015@@ -648,6 +1010,11 @@ static unsigned long randomize_stack_top(unsigned long stack_top)
75016 {
75017 unsigned long random_variable = 0;
75018
75019+#ifdef CONFIG_PAX_RANDUSTACK
75020+ if (current->mm->pax_flags & MF_PAX_RANDMMAP)
75021+ return stack_top - current->mm->delta_stack;
75022+#endif
75023+
75024 if ((current->flags & PF_RANDOMIZE) &&
75025 !(current->personality & ADDR_NO_RANDOMIZE)) {
75026 random_variable = (unsigned long) get_random_int();
75027@@ -667,7 +1034,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
75028 unsigned long load_addr = 0, load_bias = 0;
75029 int load_addr_set = 0;
75030 char * elf_interpreter = NULL;
75031- unsigned long error;
75032+ unsigned long error = 0;
75033 struct elf_phdr *elf_ppnt, *elf_phdata, *interp_elf_phdata = NULL;
75034 unsigned long elf_bss, elf_brk;
75035 int retval, i;
75036@@ -682,6 +1049,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
75037 struct elfhdr interp_elf_ex;
75038 } *loc;
75039 struct arch_elf_state arch_state = INIT_ARCH_ELF_STATE;
75040+ unsigned long pax_task_size;
75041
75042 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
75043 if (!loc) {
75044@@ -840,6 +1208,77 @@ static int load_elf_binary(struct linux_binprm *bprm)
75045 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
75046 may depend on the personality. */
75047 SET_PERSONALITY2(loc->elf_ex, &arch_state);
75048+
75049+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
75050+ current->mm->pax_flags = 0UL;
75051+#endif
75052+
75053+#ifdef CONFIG_PAX_DLRESOLVE
75054+ current->mm->call_dl_resolve = 0UL;
75055+#endif
75056+
75057+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
75058+ current->mm->call_syscall = 0UL;
75059+#endif
75060+
75061+#ifdef CONFIG_PAX_ASLR
75062+ current->mm->delta_mmap = 0UL;
75063+ current->mm->delta_stack = 0UL;
75064+#endif
75065+
75066+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
75067+ if (0 > pax_parse_pax_flags(&loc->elf_ex, elf_phdata, bprm->file)) {
75068+ retval = -EINVAL;
75069+ goto out_free_dentry;
75070+ }
75071+#endif
75072+
75073+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
75074+ pax_set_initial_flags(bprm);
75075+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
75076+ if (pax_set_initial_flags_func)
75077+ (pax_set_initial_flags_func)(bprm);
75078+#endif
75079+
75080+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
75081+ if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
75082+ current->mm->context.user_cs_limit = PAGE_SIZE;
75083+ current->mm->def_flags |= VM_PAGEEXEC | VM_NOHUGEPAGE;
75084+ }
75085+#endif
75086+
75087+#ifdef CONFIG_PAX_SEGMEXEC
75088+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
75089+ current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
75090+ current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
75091+ pax_task_size = SEGMEXEC_TASK_SIZE;
75092+ current->mm->def_flags |= VM_NOHUGEPAGE;
75093+ } else
75094+#endif
75095+
75096+ pax_task_size = TASK_SIZE;
75097+
75098+#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
75099+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
75100+ set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
75101+ put_cpu();
75102+ }
75103+#endif
75104+
75105+#ifdef CONFIG_PAX_ASLR
75106+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
75107+ current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
75108+ current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
75109+ }
75110+#endif
75111+
75112+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
75113+ if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
75114+ executable_stack = EXSTACK_DISABLE_X;
75115+ current->personality &= ~READ_IMPLIES_EXEC;
75116+ } else
75117+#endif
75118+
75119 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
75120 current->personality |= READ_IMPLIES_EXEC;
75121
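Review bot: Two statements in this hunk are guarded by an `else` that ends a preprocessor block: `} else` / `#endif` / `pax_task_size = TASK_SIZE;` and `} else` / `#endif` / `if (elf_read_implies_exec(...))`. Any line inserted between the `#endif` and the statement silently becomes the `else` body, and with `CONFIG_PAX_SEGMEXEC` set `pax_task_size` would then stay unassigned on the non-SEGMEXEC path. Assigning the default first, `pax_task_size = TASK_SIZE;` before `#ifdef CONFIG_PAX_SEGMEXEC`, and dropping the trailing `else` removes the hazard; the second case can brace the `elf_read_implies_exec` test inside an explicit `else { ... }` in both configurations. load_elf_binary starts and ends outside the hunk.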
75122@@ -915,8 +1354,21 @@ static int load_elf_binary(struct linux_binprm *bprm)
75123 if (current->flags & PF_RANDOMIZE)
75124 load_bias += arch_mmap_rnd();
75125 load_bias = ELF_PAGESTART(load_bias);
75126- total_size = total_mapping_size(elf_phdata,
75127- loc->elf_ex.e_phnum);
75128+
75129+#ifdef CONFIG_PAX_RANDMMAP
75130+ /* PaX: randomize base address at the default exe base if requested */
75131+ if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
75132+#ifdef CONFIG_SPARC64
75133+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
75134+#else
75135+ load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
75136+#endif
75137+ load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
75138+ elf_flags |= MAP_FIXED;
75139+ }
75140+#endif
75141+
75142+ total_size = total_mapping_size(elf_phdata, loc->elf_ex.e_phnum);
75143 if (!total_size) {
75144 retval = -EINVAL;
75145 goto out_free_dentry;
75146@@ -952,9 +1404,9 @@ static int load_elf_binary(struct linux_binprm *bprm)
75147 * allowed task size. Note that p_filesz must always be
75148 * <= p_memsz so it is only necessary to check p_memsz.
75149 */
75150- if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
75151- elf_ppnt->p_memsz > TASK_SIZE ||
75152- TASK_SIZE - elf_ppnt->p_memsz < k) {
75153+ if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
75154+ elf_ppnt->p_memsz > pax_task_size ||
75155+ pax_task_size - elf_ppnt->p_memsz < k) {
75156 /* set_brk can never work. Avoid overflows. */
75157 retval = -EINVAL;
75158 goto out_free_dentry;
75159@@ -990,16 +1442,43 @@ static int load_elf_binary(struct linux_binprm *bprm)
75160 if (retval)
75161 goto out_free_dentry;
75162 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
75163- retval = -EFAULT; /* Nobody gets to see this, but.. */
75164- goto out_free_dentry;
75165+ /*
75166+ * This bss-zeroing can fail if the ELF
75167+ * file specifies odd protections. So
75168+ * we don't check the return value
75169+ */
75170 }
75171
75172+#ifdef CONFIG_PAX_RANDMMAP
75173+ if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
75174+ unsigned long start, size, flags;
75175+ vm_flags_t vm_flags;
75176+
75177+ start = ELF_PAGEALIGN(elf_brk);
75178+ size = PAGE_SIZE + ((pax_get_random_long() & ((1UL << 22) - 1UL)) << 4);
75179+ flags = MAP_FIXED | MAP_PRIVATE;
75180+ vm_flags = VM_DONTEXPAND | VM_DONTDUMP;
75181+
75182+ down_write(&current->mm->mmap_sem);
75183+ start = get_unmapped_area(NULL, start, PAGE_ALIGN(size), 0, flags);
75184+ retval = -ENOMEM;
75185+ if (!IS_ERR_VALUE(start) && !find_vma_intersection(current->mm, start, start + size + PAGE_SIZE)) {
75186+// if (current->personality & ADDR_NO_RANDOMIZE)
75187+// vm_flags |= VM_READ | VM_MAYREAD;
75188+ start = mmap_region(NULL, start, PAGE_ALIGN(size), vm_flags, 0);
75189+ retval = IS_ERR_VALUE(start) ? start : 0;
75190+ }
75191+ up_write(&current->mm->mmap_sem);
75192+ if (retval == 0)
75193+ retval = set_brk(start + size, start + size + PAGE_SIZE);
75194+ if (retval < 0)
75195+ goto out_free_dentry;
75196+ }
75197+#endif
75198+
75199 if (elf_interpreter) {
75200- unsigned long interp_map_addr = 0;
75201-
75202 elf_entry = load_elf_interp(&loc->interp_elf_ex,
75203 interpreter,
75204- &interp_map_addr,
75205 load_bias, interp_elf_phdata);
75206 if (!IS_ERR((void *)elf_entry)) {
75207 /*
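Review bot: After this change the `if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss)))` statement has a body that is only a comment, so it reads like a forgotten error path. Making the call unconditional on failure, `if (likely(elf_bss != elf_brk)) padzero(elf_bss); /* may fail on odd segment protections; ignored on purpose */`, states the intent directly. In the RANDMMAP block the two `//`-commented lines about `ADDR_NO_RANDOMIZE` should be removed or explained. The bare constants in `((1UL << 22) - 1UL)) << 4` should be named or commented, since together they define the size range and granularity of the gap placed before the heap. `find_vma_intersection()` is checked against `start + size + PAGE_SIZE` while `mmap_region()` maps `PAGE_ALIGN(size)`; a comment on why the two ranges differ would help.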
75208@@ -1050,6 +1529,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
75209 current->mm->end_data = end_data;
75210 current->mm->start_stack = bprm->p;
75211
75212+#ifndef CONFIG_PAX_RANDMMAP
75213 if ((current->flags & PF_RANDOMIZE) && (randomize_va_space > 1)) {
75214 current->mm->brk = current->mm->start_brk =
75215 arch_randomize_brk(current->mm);
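Review bot: The `#ifndef CONFIG_PAX_RANDMMAP` opened here (its `#endif` is in the next hunk) removes the `arch_randomize_brk()` path at compile time, whereas the replacement gap added earlier in load_elf_binary runs only when `current->mm->pax_flags & MF_PAX_RANDMMAP` is set at run time. On a `CONFIG_PAX_RANDMMAP` kernel a binary whose markings clear that flag therefore appears to get no brk randomisation from either path, even with `PF_RANDOMIZE` set. If that is the intended meaning of the opt-out, a comment should say so, for example `/* with PAX_RANDMMAP the heap gap above replaces arch_randomize_brk(); binaries without MF_PAX_RANDMMAP get a fixed brk */`. Otherwise the exclusion should be a run-time test on the flag.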
75216@@ -1057,6 +1537,7 @@ static int load_elf_binary(struct linux_binprm *bprm)
75217 current->brk_randomized = 1;
75218 #endif
75219 }
75220+#endif
75221
75222 if (current->personality & MMAP_PAGE_ZERO) {
75223 /* Why this, you ask??? Well SVr4 maps page 0 as read-only,
75224@@ -1225,7 +1706,7 @@ static bool always_dump_vma(struct vm_area_struct *vma)
75225 * Decide what to dump of a segment, part, all or none.
75226 */
75227 static unsigned long vma_dump_size(struct vm_area_struct *vma,
75228- unsigned long mm_flags)
75229+ unsigned long mm_flags, long signr)
75230 {
75231 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
75232
75233@@ -1263,7 +1744,7 @@ static unsigned long vma_dump_size(struct vm_area_struct *vma,
75234 if (vma->vm_file == NULL)
75235 return 0;
75236
75237- if (FILTER(MAPPED_PRIVATE))
75238+ if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
75239 goto whole;
75240
75241 /*
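Review bot: The new `signr == SIGKILL ||` test makes vma_dump_size() jump to `whole` for file-backed mappings regardless of the `MAPPED_PRIVATE` bit in `mm_flags`, so the coredump filter setting is bypassed for that signal and nothing in the code says why. That can put file-backed data into a core file that the filter was set to exclude, and it makes such dumps larger. The function's header comment ("Decide what to dump of a segment, part, all or none") should gain a sentence naming the case and its reason. The test itself should carry a comment such as `/* SIGKILL dumps override the MAPPED_PRIVATE filter: <reason> */`, with the reason filled in by the author. The parameter is declared `long signr` in the previous hunk while the caller passes `cprm->siginfo->si_signo`; `int` would match the source type.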
75242@@ -1363,7 +1844,7 @@ static void fill_elf_header(struct elfhdr *elf, int segs,
75243 return;
75244 }
75245
75246-static void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
75247+static void fill_elf_note_phdr(struct elf_phdr *phdr, size_t sz, loff_t offset)
75248 {
75249 phdr->p_type = PT_NOTE;
75250 phdr->p_offset = offset;
75251@@ -1470,9 +1951,9 @@ static void fill_auxv_note(struct memelfnote *note, struct mm_struct *mm)
75252 {
75253 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
75254 int i = 0;
75255- do
75256+ do {
75257 i += 2;
75258- while (auxv[i - 2] != AT_NULL);
75259+ } while (auxv[i - 2] != AT_NULL);
75260 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
75261 }
75262
75263@@ -1481,7 +1962,7 @@ static void fill_siginfo_note(struct memelfnote *note, user_siginfo_t *csigdata,
75264 {
75265 mm_segment_t old_fs = get_fs();
75266 set_fs(KERNEL_DS);
75267- copy_siginfo_to_user((user_siginfo_t __user *) csigdata, siginfo);
75268+ copy_siginfo_to_user((user_siginfo_t __force_user *) csigdata, siginfo);
75269 set_fs(old_fs);
75270 fill_note(note, "CORE", NT_SIGINFO, sizeof(*csigdata), csigdata);
75271 }
75272@@ -2201,7 +2682,7 @@ static int elf_core_dump(struct coredump_params *cprm)
75273 vma = next_vma(vma, gate_vma)) {
75274 unsigned long dump_size;
75275
75276- dump_size = vma_dump_size(vma, cprm->mm_flags);
75277+ dump_size = vma_dump_size(vma, cprm->mm_flags, cprm->siginfo->si_signo);
75278 vma_filesz[i++] = dump_size;
75279 vma_data_size += dump_size;
75280 }
75281@@ -2309,6 +2790,167 @@ out:
75282
75283 #endif /* CONFIG_ELF_CORE */
75284
75285+#ifdef CONFIG_PAX_MPROTECT
75286+/* PaX: non-PIC ELF libraries need relocations on their executable segments
75287+ * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
75288+ * we'll remove VM_MAYWRITE for good on RELRO segments.
75289+ *
75290+ * The checks favour ld-linux.so behaviour which operates on a per ELF segment
75291+ * basis because we want to allow the common case and not the special ones.
75292+ */
75293+static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
75294+{
75295+ struct elfhdr elf_h;
75296+ struct elf_phdr elf_p;
75297+ unsigned long i;
75298+ unsigned long oldflags;
75299+ bool is_textrel_rw, is_textrel_rx, is_relro;
75300+
75301+ if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT) || !vma->vm_file)
75302+ return;
75303+
75304+ oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
75305+ newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
75306+
75307+#ifdef CONFIG_PAX_ELFRELOCS
75308+ /* possible TEXTREL */
75309+ is_textrel_rw = !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
75310+ is_textrel_rx = vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
75311+#else
75312+ is_textrel_rw = false;
75313+ is_textrel_rx = false;
75314+#endif
75315+
75316+ /* possible RELRO */
75317+ is_relro = vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
75318+
75319+ if (!is_textrel_rw && !is_textrel_rx && !is_relro)
75320+ return;
75321+
75322+ if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
75323+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
75324+
75325+#ifdef CONFIG_PAX_ETEXECRELOCS
75326+ ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
75327+#else
75328+ ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
75329+#endif
75330+
75331+ (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
75332+ !elf_check_arch(&elf_h) ||
75333+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
75334+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
75335+ return;
75336+
75337+ for (i = 0UL; i < elf_h.e_phnum; i++) {
75338+ if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
75339+ return;
75340+ switch (elf_p.p_type) {
75341+ case PT_DYNAMIC:
75342+ if (!is_textrel_rw && !is_textrel_rx)
75343+ continue;
75344+ i = 0UL;
75345+ while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
75346+ elf_dyn dyn;
75347+
75348+ if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
75349+ break;
75350+ if (dyn.d_tag == DT_NULL)
75351+ break;
75352+ if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
75353+ gr_log_textrel(vma, is_textrel_rw);
75354+ if (is_textrel_rw)
75355+ vma->vm_flags |= VM_MAYWRITE;
75356+ else
75357+ /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
75358+ vma->vm_flags &= ~VM_MAYWRITE;
75359+ break;
75360+ }
75361+ i++;
75362+ }
75363+ is_textrel_rw = false;
75364+ is_textrel_rx = false;
75365+ continue;
75366+
75367+ case PT_GNU_RELRO:
75368+ if (!is_relro)
75369+ continue;
75370+ if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
75371+ vma->vm_flags &= ~VM_MAYWRITE;
75372+ is_relro = false;
75373+ continue;
75374+
75375+#ifdef CONFIG_PAX_PT_PAX_FLAGS
75376+ case PT_PAX_FLAGS: {
75377+ const char *msg_mprotect = "", *msg_emutramp = "";
75378+ char *buffer_lib, *buffer_exe;
75379+
75380+ if (elf_p.p_flags & PF_NOMPROTECT)
75381+ msg_mprotect = "MPROTECT disabled";
75382+
75383+#ifdef CONFIG_PAX_EMUTRAMP
75384+ if (!(vma->vm_mm->pax_flags & MF_PAX_EMUTRAMP) && !(elf_p.p_flags & PF_NOEMUTRAMP))
75385+ msg_emutramp = "EMUTRAMP enabled";
75386+#endif
75387+
75388+ if (!msg_mprotect[0] && !msg_emutramp[0])
75389+ continue;
75390+
75391+ if (!printk_ratelimit())
75392+ continue;
75393+
75394+ buffer_lib = (char *)__get_free_page(GFP_KERNEL);
75395+ buffer_exe = (char *)__get_free_page(GFP_KERNEL);
75396+ if (buffer_lib && buffer_exe) {
75397+ char *path_lib, *path_exe;
75398+
75399+ path_lib = pax_get_path(&vma->vm_file->f_path, buffer_lib, PAGE_SIZE);
75400+ path_exe = pax_get_path(&vma->vm_mm->exe_file->f_path, buffer_exe, PAGE_SIZE);
75401+
75402+ pr_info("PAX: %s wants %s%s%s on %s\n", path_lib, msg_mprotect,
75403+ (msg_mprotect[0] && msg_emutramp[0] ? " and " : ""), msg_emutramp, path_exe);
75404+
75405+ }
75406+ free_page((unsigned long)buffer_exe);
75407+ free_page((unsigned long)buffer_lib);
75408+ continue;
75409+ }
75410+#endif
75411+
75412+ }
75413+ }
75414+}
75415+#endif
75416+
75417+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
75418+
75419+extern int grsec_enable_log_rwxmaps;
75420+
75421+static void elf_handle_mmap(struct file *file)
75422+{
75423+ struct elfhdr elf_h;
75424+ struct elf_phdr elf_p;
75425+ unsigned long i;
75426+
75427+ if (!grsec_enable_log_rwxmaps)
75428+ return;
75429+
75430+ if (sizeof(elf_h) != kernel_read(file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
75431+ memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
75432+ (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC) || !elf_check_arch(&elf_h) ||
75433+ elf_h.e_phentsize != sizeof(struct elf_phdr) ||
75434+ elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
75435+ return;
75436+
75437+ for (i = 0UL; i < elf_h.e_phnum; i++) {
75438+ if (sizeof(elf_p) != kernel_read(file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
75439+ return;
75440+ if (elf_p.p_type == PT_GNU_STACK && (elf_p.p_flags & PF_X))
75441+ gr_log_ptgnustack(file);
75442+ }
75443+}
75444+#endif
75445+
75446 static int __init init_elf_binfmt(void)
75447 {
75448 register_binfmt(&elf_format);
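Review bot: In `elf_handle_mprotect` the `PT_DYNAMIC` case reuses the outer program-header counter `i` for the dynamic-entry walk (`i = 0UL;` … `i++;`), so after the `continue` the `for` loop resumes from the dynamic-entry index instead of the next program header. The three `is_*` conditions look mutually exclusive, so the visible effect is probably limited to the `PT_PAX_FLAGS` message being repeated or missed, but later headers can be revisited or skipped depending on where the walk stops. A separate index keeps the two walks independent: declare `unsigned long j;` and use it in `while ((j+1) * sizeof(elf_dyn) <= elf_p.p_filesz)` and in the `kernel_read` offset. Separately, the `PT_PAX_FLAGS` block reads `vma->vm_mm->exe_file->f_path` with no NULL check or reference taken in this function; whether the caller guarantees that is not visible here and should be confirmed.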
75449diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
75450index d3634bf..10fc244 100644
75451--- a/fs/binfmt_elf_fdpic.c
75452+++ b/fs/binfmt_elf_fdpic.c
75453@@ -1296,7 +1296,7 @@ static inline void fill_elf_fdpic_header(struct elfhdr *elf, int segs)
75454 return;
75455 }
75456
75457-static inline void fill_elf_note_phdr(struct elf_phdr *phdr, int sz, loff_t offset)
75458+static inline void fill_elf_note_phdr(struct elf_phdr *phdr, size_t sz, loff_t offset)
75459 {
75460 phdr->p_type = PT_NOTE;
75461 phdr->p_offset = offset;
75462@@ -1667,7 +1667,7 @@ static int elf_fdpic_core_dump(struct coredump_params *cprm)
75463
75464 /* Write notes phdr entry */
75465 {
75466- int sz = 0;
75467+ size_t sz = 0;
75468
75469 for (i = 0; i < numnote; i++)
75470 sz += notesize(notes + i);
75471diff --git a/fs/block_dev.c b/fs/block_dev.c
75472index 1170f8c..2a8acc1 100644
75473--- a/fs/block_dev.c
75474+++ b/fs/block_dev.c
75475@@ -738,7 +738,7 @@ static bool bd_may_claim(struct block_device *bdev, struct block_device *whole,
75476 else if (bdev->bd_contains == bdev)
75477 return true; /* is a whole device which isn't held */
75478
75479- else if (whole->bd_holder == bd_may_claim)
75480+ else if (whole->bd_holder == (void *)bd_may_claim)
75481 return true; /* is a partition of a device that is being partitioned */
75482 else if (whole->bd_holder != NULL)
75483 return false; /* is a partition of a held device */
75484diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
75485index 54114b4..580cfc9 100644
75486--- a/fs/btrfs/ctree.c
75487+++ b/fs/btrfs/ctree.c
75488@@ -1180,9 +1180,12 @@ static noinline int __btrfs_cow_block(struct btrfs_trans_handle *trans,
75489 free_extent_buffer(buf);
75490 add_root_to_dirty_list(root);
75491 } else {
75492- if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
75493- parent_start = parent->start;
75494- else
75495+ if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
75496+ if (parent)
75497+ parent_start = parent->start;
75498+ else
75499+ parent_start = 0;
75500+ } else
75501 parent_start = 0;
75502
75503 WARN_ON(trans->transid != btrfs_header_generation(parent));
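Review bot: The new `if (parent)` guard protects only `parent->start`; the `WARN_ON(trans->transid != btrfs_header_generation(parent))` on the last line of the hunk still passes `parent` unconditionally. If `parent` can be NULL on this branch, the dereference has only moved down two lines (assuming `btrfs_header_generation` reads through its argument); if it cannot, the guard is dead code. Making the two agree, e.g. `WARN_ON(parent && trans->transid != btrfs_header_generation(parent));`, or dropping the guard, would settle it. The inner if/else can also be written as `parent_start = parent ? parent->start : 0;`. `__btrfs_cow_block` starts and ends outside the hunk.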
75504diff --git a/fs/btrfs/delayed-inode.c b/fs/btrfs/delayed-inode.c
75505index a2ae427..53c2e98 100644
75506--- a/fs/btrfs/delayed-inode.c
75507+++ b/fs/btrfs/delayed-inode.c
75508@@ -462,7 +462,7 @@ static int __btrfs_add_delayed_deletion_item(struct btrfs_delayed_node *node,
75509
75510 static void finish_one_item(struct btrfs_delayed_root *delayed_root)
75511 {
75512- int seq = atomic_inc_return(&delayed_root->items_seq);
75513+ int seq = atomic_inc_return_unchecked(&delayed_root->items_seq);
75514 if ((atomic_dec_return(&delayed_root->items) <
75515 BTRFS_DELAYED_BACKGROUND || seq % BTRFS_DELAYED_BATCH == 0) &&
75516 waitqueue_active(&delayed_root->wait))
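Review bot: Moving `items_seq` to the `_unchecked` accessors exempts it from atomic overflow detection, and nothing at this call site records why that is safe. From the visible uses (`seq % BTRFS_DELAYED_BATCH` here and the window comparison in `could_end_wait`) it appears to be a free-running sequence number rather than a reference count. A comment above the increment, such as `/* items_seq is a wrapping sequence number, not a refcount */`, would make the exemption reviewable. The same applies to the other hunks that convert this field (`could_end_wait`, `btrfs_balance_delayed_items`, the declaration and initialiser in delayed-inode.h) and to the cachefiles, ceph and cifs counter conversions later in the patch. The body of `finish_one_item` continues outside the hunk.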
75517@@ -1412,7 +1412,7 @@ void btrfs_assert_delayed_root_empty(struct btrfs_root *root)
75518
75519 static int could_end_wait(struct btrfs_delayed_root *delayed_root, int seq)
75520 {
75521- int val = atomic_read(&delayed_root->items_seq);
75522+ int val = atomic_read_unchecked(&delayed_root->items_seq);
75523
75524 if (val < seq || val >= seq + BTRFS_DELAYED_BATCH)
75525 return 1;
75526@@ -1437,7 +1437,7 @@ void btrfs_balance_delayed_items(struct btrfs_root *root)
75527 int seq;
75528 int ret;
75529
75530- seq = atomic_read(&delayed_root->items_seq);
75531+ seq = atomic_read_unchecked(&delayed_root->items_seq);
75532
75533 ret = btrfs_wq_run_delayed_node(delayed_root, fs_info, 0);
75534 if (ret)
75535diff --git a/fs/btrfs/delayed-inode.h b/fs/btrfs/delayed-inode.h
75536index f70119f..ab5894d 100644
75537--- a/fs/btrfs/delayed-inode.h
75538+++ b/fs/btrfs/delayed-inode.h
75539@@ -43,7 +43,7 @@ struct btrfs_delayed_root {
75540 */
75541 struct list_head prepare_list;
75542 atomic_t items; /* for delayed items */
75543- atomic_t items_seq; /* for delayed items */
75544+ atomic_unchecked_t items_seq; /* for delayed items */
75545 int nodes; /* for delayed nodes */
75546 wait_queue_head_t wait;
75547 };
75548@@ -90,7 +90,7 @@ static inline void btrfs_init_delayed_root(
75549 struct btrfs_delayed_root *delayed_root)
75550 {
75551 atomic_set(&delayed_root->items, 0);
75552- atomic_set(&delayed_root->items_seq, 0);
75553+ atomic_set_unchecked(&delayed_root->items_seq, 0);
75554 delayed_root->nodes = 0;
75555 spin_lock_init(&delayed_root->lock);
75556 init_waitqueue_head(&delayed_root->wait);
75557diff --git a/fs/btrfs/super.c b/fs/btrfs/super.c
75558index cd7ef34..1e31ae3 100644
75559--- a/fs/btrfs/super.c
75560+++ b/fs/btrfs/super.c
75561@@ -265,7 +265,7 @@ void __btrfs_abort_transaction(struct btrfs_trans_handle *trans,
75562 function, line, errstr);
75563 return;
75564 }
75565- ACCESS_ONCE(trans->transaction->aborted) = errno;
75566+ ACCESS_ONCE_RW(trans->transaction->aborted) = errno;
75567 /* Wake up anybody who may be waiting on this transaction */
75568 wake_up(&root->fs_info->transaction_wait);
75569 wake_up(&root->fs_info->transaction_blocked_wait);
75570diff --git a/fs/btrfs/sysfs.c b/fs/btrfs/sysfs.c
75571index 603b0cc..8e3f600 100644
75572--- a/fs/btrfs/sysfs.c
75573+++ b/fs/btrfs/sysfs.c
75574@@ -481,7 +481,7 @@ static int addrm_unknown_feature_attrs(struct btrfs_fs_info *fs_info, bool add)
75575 for (set = 0; set < FEAT_MAX; set++) {
75576 int i;
75577 struct attribute *attrs[2];
75578- struct attribute_group agroup = {
75579+ attribute_group_no_const agroup = {
75580 .name = "features",
75581 .attrs = attrs,
75582 };
75583diff --git a/fs/btrfs/tests/free-space-tests.c b/fs/btrfs/tests/free-space-tests.c
75584index 2299bfd..4098e72 100644
75585--- a/fs/btrfs/tests/free-space-tests.c
75586+++ b/fs/btrfs/tests/free-space-tests.c
75587@@ -463,7 +463,9 @@ test_steal_space_from_bitmap_to_extent(struct btrfs_block_group_cache *cache)
75588 * extent entry.
75589 */
75590 use_bitmap_op = cache->free_space_ctl->op->use_bitmap;
75591- cache->free_space_ctl->op->use_bitmap = test_use_bitmap;
75592+ pax_open_kernel();
75593+ *(void **)&cache->free_space_ctl->op->use_bitmap = test_use_bitmap;
75594+ pax_close_kernel();
75595
75596 /*
75597 * Extent entry covering free space range [128Mb - 256Kb, 128Mb - 128Kb[
75598@@ -870,7 +872,9 @@ test_steal_space_from_bitmap_to_extent(struct btrfs_block_group_cache *cache)
75599 if (ret)
75600 return ret;
75601
75602- cache->free_space_ctl->op->use_bitmap = use_bitmap_op;
75603+ pax_open_kernel();
75604+ *(void **)&cache->free_space_ctl->op->use_bitmap = use_bitmap_op;
75605+ pax_close_kernel();
75606 __btrfs_remove_free_space_cache(cache->free_space_ctl);
75607
75608 return 0;
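Review bot: The restore of `use_bitmap` is not reached on the `if (ret) return ret;` path just above it, so a failing run returns with the op table still pointing at `test_use_bitmap`. That early return predates this change, but the write now goes through `pax_open_kernel()` into what is presumably a read-only table, so the restore should happen before the return, for example via a shared exit label. The `*(void **)&` cast, here and at the install site in the previous hunk, also removes the function-pointer type check; a one-line comment stating the expected type of `use_bitmap_op` would help. The function starts outside the hunk, so other early returns may exist.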
75609diff --git a/fs/btrfs/tree-log.h b/fs/btrfs/tree-log.h
75610index 6916a78..4598936 100644
75611--- a/fs/btrfs/tree-log.h
75612+++ b/fs/btrfs/tree-log.h
75613@@ -45,7 +45,7 @@ static inline void btrfs_init_log_ctx(struct btrfs_log_ctx *ctx)
75614 static inline void btrfs_set_log_full_commit(struct btrfs_fs_info *fs_info,
75615 struct btrfs_trans_handle *trans)
75616 {
75617- ACCESS_ONCE(fs_info->last_trans_log_full_commit) = trans->transid;
75618+ ACCESS_ONCE_RW(fs_info->last_trans_log_full_commit) = trans->transid;
75619 }
75620
75621 static inline int btrfs_need_log_full_commit(struct btrfs_fs_info *fs_info,
75622diff --git a/fs/buffer.c b/fs/buffer.c
75623index 1cf7a53..b49f8c0 100644
75624--- a/fs/buffer.c
75625+++ b/fs/buffer.c
75626@@ -3440,7 +3440,7 @@ void __init buffer_init(void)
75627 bh_cachep = kmem_cache_create("buffer_head",
75628 sizeof(struct buffer_head), 0,
75629 (SLAB_RECLAIM_ACCOUNT|SLAB_PANIC|
75630- SLAB_MEM_SPREAD),
75631+ SLAB_MEM_SPREAD|SLAB_NO_SANITIZE),
75632 NULL);
75633
75634 /*
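Review bot: `SLAB_NO_SANITIZE` opts the `buffer_head` cache out of free-time clearing, and the hunk gives no reason for the exemption. A comment at the flag, for example `/* buffer_head carries no user data; skip free-time sanitization */`, would record the trade-off. That rationale is inferred rather than shown on the page, so the wording should be confirmed by whoever maintains the exemption list. `buffer_init` continues outside the hunk.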
75635diff --git a/fs/cachefiles/bind.c b/fs/cachefiles/bind.c
75636index 6af790f..ec4c1e6 100644
75637--- a/fs/cachefiles/bind.c
75638+++ b/fs/cachefiles/bind.c
75639@@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachefiles_cache *cache, char *args)
75640 args);
75641
75642 /* start by checking things over */
75643- ASSERT(cache->fstop_percent >= 0 &&
75644- cache->fstop_percent < cache->fcull_percent &&
75645+ ASSERT(cache->fstop_percent < cache->fcull_percent &&
75646 cache->fcull_percent < cache->frun_percent &&
75647 cache->frun_percent < 100);
75648
75649- ASSERT(cache->bstop_percent >= 0 &&
75650- cache->bstop_percent < cache->bcull_percent &&
75651+ ASSERT(cache->bstop_percent < cache->bcull_percent &&
75652 cache->bcull_percent < cache->brun_percent &&
75653 cache->brun_percent < 100);
75654
75655diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
75656index f601def..b2cf704 100644
75657--- a/fs/cachefiles/daemon.c
75658+++ b/fs/cachefiles/daemon.c
75659@@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(struct file *file, char __user *_buffer,
75660 if (n > buflen)
75661 return -EMSGSIZE;
75662
75663- if (copy_to_user(_buffer, buffer, n) != 0)
75664+ if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
75665 return -EFAULT;
75666
75667 return n;
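Review bot: The added `n > sizeof(buffer)` test is folded into the `copy_to_user` condition, so an oversized length is reported as `-EFAULT`, the same code as a bad user pointer. A separate check next to the existing `n > buflen` test, e.g. `if (n > sizeof(buffer)) return -EMSGSIZE;`, would keep the two failures distinguishable. The declarations of `n` and `buffer` are outside the hunk. If `n` is a signed formatting result, the comparison with `sizeof` rejects negative values only through implicit conversion, which merits a short comment.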
75668@@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(struct file *file,
75669 if (test_bit(CACHEFILES_DEAD, &cache->flags))
75670 return -EIO;
75671
75672- if (datalen < 0 || datalen > PAGE_SIZE - 1)
75673+ if (datalen > PAGE_SIZE - 1)
75674 return -EOPNOTSUPP;
75675
75676 /* drag the command string into the kernel so we can parse it */
75677@@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struct cachefiles_cache *cache, char *args)
75678 if (args[0] != '%' || args[1] != '\0')
75679 return -EINVAL;
75680
75681- if (fstop < 0 || fstop >= cache->fcull_percent)
75682+ if (fstop >= cache->fcull_percent)
75683 return cachefiles_daemon_range_error(cache, args);
75684
75685 cache->fstop_percent = fstop;
75686@@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struct cachefiles_cache *cache, char *args)
75687 if (args[0] != '%' || args[1] != '\0')
75688 return -EINVAL;
75689
75690- if (bstop < 0 || bstop >= cache->bcull_percent)
75691+ if (bstop >= cache->bcull_percent)
75692 return cachefiles_daemon_range_error(cache, args);
75693
75694 cache->bstop_percent = bstop;
75695diff --git a/fs/cachefiles/internal.h b/fs/cachefiles/internal.h
75696index aecd085..3584e2f 100644
75697--- a/fs/cachefiles/internal.h
75698+++ b/fs/cachefiles/internal.h
75699@@ -65,7 +65,7 @@ struct cachefiles_cache {
75700 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
75701 struct rb_root active_nodes; /* active nodes (can't be culled) */
75702 rwlock_t active_lock; /* lock for active_nodes */
75703- atomic_t gravecounter; /* graveyard uniquifier */
75704+ atomic_unchecked_t gravecounter; /* graveyard uniquifier */
75705 unsigned frun_percent; /* when to stop culling (% files) */
75706 unsigned fcull_percent; /* when to start culling (% files) */
75707 unsigned fstop_percent; /* when to stop allocating (% files) */
75708@@ -177,19 +177,19 @@ extern int cachefiles_check_in_use(struct cachefiles_cache *cache,
75709 * proc.c
75710 */
75711 #ifdef CONFIG_CACHEFILES_HISTOGRAM
75712-extern atomic_t cachefiles_lookup_histogram[HZ];
75713-extern atomic_t cachefiles_mkdir_histogram[HZ];
75714-extern atomic_t cachefiles_create_histogram[HZ];
75715+extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
75716+extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
75717+extern atomic_unchecked_t cachefiles_create_histogram[HZ];
75718
75719 extern int __init cachefiles_proc_init(void);
75720 extern void cachefiles_proc_cleanup(void);
75721 static inline
75722-void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
75723+void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
75724 {
75725 unsigned long jif = jiffies - start_jif;
75726 if (jif >= HZ)
75727 jif = HZ - 1;
75728- atomic_inc(&histogram[jif]);
75729+ atomic_inc_unchecked(&histogram[jif]);
75730 }
75731
75732 #else
75733diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
75734index fc1056f..501a546 100644
75735--- a/fs/cachefiles/namei.c
75736+++ b/fs/cachefiles/namei.c
75737@@ -312,7 +312,7 @@ try_again:
75738 /* first step is to make up a grave dentry in the graveyard */
75739 sprintf(nbuffer, "%08x%08x",
75740 (uint32_t) get_seconds(),
75741- (uint32_t) atomic_inc_return(&cache->gravecounter));
75742+ (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
75743
75744 /* do the multiway lock magic */
75745 trap = lock_rename(cache->graveyard, dir);
75746diff --git a/fs/cachefiles/proc.c b/fs/cachefiles/proc.c
75747index eccd339..4c1d995 100644
75748--- a/fs/cachefiles/proc.c
75749+++ b/fs/cachefiles/proc.c
75750@@ -14,9 +14,9 @@
75751 #include <linux/seq_file.h>
75752 #include "internal.h"
75753
75754-atomic_t cachefiles_lookup_histogram[HZ];
75755-atomic_t cachefiles_mkdir_histogram[HZ];
75756-atomic_t cachefiles_create_histogram[HZ];
75757+atomic_unchecked_t cachefiles_lookup_histogram[HZ];
75758+atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
75759+atomic_unchecked_t cachefiles_create_histogram[HZ];
75760
75761 /*
75762 * display the latency histogram
75763@@ -35,9 +35,9 @@ static int cachefiles_histogram_show(struct seq_file *m, void *v)
75764 return 0;
75765 default:
75766 index = (unsigned long) v - 3;
75767- x = atomic_read(&cachefiles_lookup_histogram[index]);
75768- y = atomic_read(&cachefiles_mkdir_histogram[index]);
75769- z = atomic_read(&cachefiles_create_histogram[index]);
75770+ x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
75771+ y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
75772+ z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
75773 if (x == 0 && y == 0 && z == 0)
75774 return 0;
75775
75776diff --git a/fs/ceph/dir.c b/fs/ceph/dir.c
75777index 9314b4e..4a1f602 100644
75778--- a/fs/ceph/dir.c
75779+++ b/fs/ceph/dir.c
75780@@ -214,10 +214,18 @@ static int __dcache_readdir(struct file *file, struct dir_context *ctx,
75781 spin_unlock(&dentry->d_lock);
75782
75783 if (emit_dentry) {
75784+ char d_name[DNAME_INLINE_LEN];
75785+ const unsigned char *name;
75786+
75787 dout(" %llu (%llu) dentry %p %pd %p\n", di->offset, ctx->pos,
75788 dentry, dentry, d_inode(dentry));
75789 ctx->pos = di->offset;
75790- if (!dir_emit(ctx, dentry->d_name.name,
75791+ name = dentry->d_name.name;
75792+ if (name == dentry->d_iname) {
75793+ memcpy(d_name, name, dentry->d_name.len);
75794+ name = d_name;
75795+ }
75796+ if (!dir_emit(ctx, name,
75797 dentry->d_name.len,
75798 ceph_translate_ino(dentry->d_sb,
75799 d_inode(dentry)->i_ino),
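Review bot: The `memcpy(d_name, name, dentry->d_name.len)` into the `DNAME_INLINE_LEN` stack buffer takes its length from the dentry after `spin_unlock(&dentry->d_lock)` (first context line) and has no bound against the buffer size. If the name can change between the `name == dentry->d_iname` test and the copy, the pointer and the length may no longer belong together. Taking the snapshot while `d_lock` is held is the robust fix; at minimum the copy should be clamped, `memcpy(d_name, name, min_t(unsigned int, dentry->d_name.len, sizeof(d_name)));`, with the same length passed to `dir_emit`. A comment saying why the inline name is bounced through the stack would also help, since the reason is not visible here. `__dcache_readdir` starts and ends outside the hunk.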
75800@@ -259,7 +267,7 @@ static int ceph_readdir(struct file *file, struct dir_context *ctx)
75801 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
75802 struct ceph_mds_client *mdsc = fsc->mdsc;
75803 unsigned frag = fpos_frag(ctx->pos);
75804- int off = fpos_off(ctx->pos);
75805+ unsigned int off = fpos_off(ctx->pos);
75806 int err;
75807 u32 ftype;
75808 struct ceph_mds_reply_info_parsed *rinfo;
75809diff --git a/fs/ceph/super.c b/fs/ceph/super.c
75810index 7b6bfcb..f8d5416 100644
75811--- a/fs/ceph/super.c
75812+++ b/fs/ceph/super.c
75813@@ -906,7 +906,7 @@ static int ceph_compare_super(struct super_block *sb, void *data)
75814 /*
75815 * construct our own bdi so we can control readahead, etc.
75816 */
75817-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
75818+static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
75819
75820 static int ceph_register_bdi(struct super_block *sb,
75821 struct ceph_fs_client *fsc)
75822@@ -923,7 +923,7 @@ static int ceph_register_bdi(struct super_block *sb,
75823 VM_MAX_READAHEAD * 1024 / PAGE_CACHE_SIZE;
75824
75825 err = bdi_register(&fsc->backing_dev_info, NULL, "ceph-%ld",
75826- atomic_long_inc_return(&bdi_seq));
75827+ atomic_long_inc_return_unchecked(&bdi_seq));
75828 if (!err)
75829 sb->s_bdi = &fsc->backing_dev_info;
75830 return err;
75831diff --git a/fs/cifs/cifs_debug.c b/fs/cifs/cifs_debug.c
75832index 7febcf2..62a5721 100644
75833--- a/fs/cifs/cifs_debug.c
75834+++ b/fs/cifs/cifs_debug.c
75835@@ -269,8 +269,8 @@ static ssize_t cifs_stats_proc_write(struct file *file,
75836
75837 if (strtobool(&c, &bv) == 0) {
75838 #ifdef CONFIG_CIFS_STATS2
75839- atomic_set(&totBufAllocCount, 0);
75840- atomic_set(&totSmBufAllocCount, 0);
75841+ atomic_set_unchecked(&totBufAllocCount, 0);
75842+ atomic_set_unchecked(&totSmBufAllocCount, 0);
75843 #endif /* CONFIG_CIFS_STATS2 */
75844 spin_lock(&cifs_tcp_ses_lock);
75845 list_for_each(tmp1, &cifs_tcp_ses_list) {
75846@@ -283,7 +283,7 @@ static ssize_t cifs_stats_proc_write(struct file *file,
75847 tcon = list_entry(tmp3,
75848 struct cifs_tcon,
75849 tcon_list);
75850- atomic_set(&tcon->num_smbs_sent, 0);
75851+ atomic_set_unchecked(&tcon->num_smbs_sent, 0);
75852 if (server->ops->clear_stats)
75853 server->ops->clear_stats(tcon);
75854 }
75855@@ -315,8 +315,8 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
75856 smBufAllocCount.counter, cifs_min_small);
75857 #ifdef CONFIG_CIFS_STATS2
75858 seq_printf(m, "Total Large %d Small %d Allocations\n",
75859- atomic_read(&totBufAllocCount),
75860- atomic_read(&totSmBufAllocCount));
75861+ atomic_read_unchecked(&totBufAllocCount),
75862+ atomic_read_unchecked(&totSmBufAllocCount));
75863 #endif /* CONFIG_CIFS_STATS2 */
75864
75865 seq_printf(m, "Operations (MIDs): %d\n", atomic_read(&midCount));
75866@@ -345,7 +345,7 @@ static int cifs_stats_proc_show(struct seq_file *m, void *v)
75867 if (tcon->need_reconnect)
75868 seq_puts(m, "\tDISCONNECTED ");
75869 seq_printf(m, "\nSMBs: %d",
75870- atomic_read(&tcon->num_smbs_sent));
75871+ atomic_read_unchecked(&tcon->num_smbs_sent));
75872 if (server->ops->print_stats)
75873 server->ops->print_stats(m, tcon);
75874 }
75875diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
75876index 6a1119e..b2f2160 100644
75877--- a/fs/cifs/cifsfs.c
75878+++ b/fs/cifs/cifsfs.c
75879@@ -1082,7 +1082,7 @@ cifs_init_request_bufs(void)
75880 */
75881 cifs_req_cachep = kmem_cache_create("cifs_request",
75882 CIFSMaxBufSize + max_hdr_size, 0,
75883- SLAB_HWCACHE_ALIGN, NULL);
75884+ SLAB_HWCACHE_ALIGN | SLAB_USERCOPY, NULL);
75885 if (cifs_req_cachep == NULL)
75886 return -ENOMEM;
75887
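Review bot: `SLAB_USERCOPY` marks every object in `cifs_request` (and `cifs_small_rq` in the next hunk) as a permitted source or destination for user copies, and neither site says which copy needs it. A comment at each flag naming that path, e.g. `/* SLAB_USERCOPY: request buffers are copied to/from user space by <caller> */`, would let a later reader check that the whitelist is still required. `cifs_init_request_bufs` continues outside the hunk.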
75888@@ -1109,7 +1109,7 @@ cifs_init_request_bufs(void)
75889 efficient to alloc 1 per page off the slab compared to 17K (5page)
75890 alloc of large cifs buffers even when page debugging is on */
75891 cifs_sm_req_cachep = kmem_cache_create("cifs_small_rq",
75892- MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN,
75893+ MAX_CIFS_SMALL_BUFFER_SIZE, 0, SLAB_HWCACHE_ALIGN | SLAB_USERCOPY,
75894 NULL);
75895 if (cifs_sm_req_cachep == NULL) {
75896 mempool_destroy(cifs_req_poolp);
75897@@ -1194,8 +1194,8 @@ init_cifs(void)
75898 atomic_set(&bufAllocCount, 0);
75899 atomic_set(&smBufAllocCount, 0);
75900 #ifdef CONFIG_CIFS_STATS2
75901- atomic_set(&totBufAllocCount, 0);
75902- atomic_set(&totSmBufAllocCount, 0);
75903+ atomic_set_unchecked(&totBufAllocCount, 0);
75904+ atomic_set_unchecked(&totSmBufAllocCount, 0);
75905 #endif /* CONFIG_CIFS_STATS2 */
75906
75907 atomic_set(&midCount, 0);
75908diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
75909index b406a32..243eb1c 100644
75910--- a/fs/cifs/cifsglob.h
75911+++ b/fs/cifs/cifsglob.h
75912@@ -832,35 +832,35 @@ struct cifs_tcon {
75913 __u16 Flags; /* optional support bits */
75914 enum statusEnum tidStatus;
75915 #ifdef CONFIG_CIFS_STATS
75916- atomic_t num_smbs_sent;
75917+ atomic_unchecked_t num_smbs_sent;
75918 union {
75919 struct {
75920- atomic_t num_writes;
75921- atomic_t num_reads;
75922- atomic_t num_flushes;
75923- atomic_t num_oplock_brks;
75924- atomic_t num_opens;
75925- atomic_t num_closes;
75926- atomic_t num_deletes;
75927- atomic_t num_mkdirs;
75928- atomic_t num_posixopens;
75929- atomic_t num_posixmkdirs;
75930- atomic_t num_rmdirs;
75931- atomic_t num_renames;
75932- atomic_t num_t2renames;
75933- atomic_t num_ffirst;
75934- atomic_t num_fnext;
75935- atomic_t num_fclose;
75936- atomic_t num_hardlinks;
75937- atomic_t num_symlinks;
75938- atomic_t num_locks;
75939- atomic_t num_acl_get;
75940- atomic_t num_acl_set;
75941+ atomic_unchecked_t num_writes;
75942+ atomic_unchecked_t num_reads;
75943+ atomic_unchecked_t num_flushes;
75944+ atomic_unchecked_t num_oplock_brks;
75945+ atomic_unchecked_t num_opens;
75946+ atomic_unchecked_t num_closes;
75947+ atomic_unchecked_t num_deletes;
75948+ atomic_unchecked_t num_mkdirs;
75949+ atomic_unchecked_t num_posixopens;
75950+ atomic_unchecked_t num_posixmkdirs;
75951+ atomic_unchecked_t num_rmdirs;
75952+ atomic_unchecked_t num_renames;
75953+ atomic_unchecked_t num_t2renames;
75954+ atomic_unchecked_t num_ffirst;
75955+ atomic_unchecked_t num_fnext;
75956+ atomic_unchecked_t num_fclose;
75957+ atomic_unchecked_t num_hardlinks;
75958+ atomic_unchecked_t num_symlinks;
75959+ atomic_unchecked_t num_locks;
75960+ atomic_unchecked_t num_acl_get;
75961+ atomic_unchecked_t num_acl_set;
75962 } cifs_stats;
75963 #ifdef CONFIG_CIFS_SMB2
75964 struct {
75965- atomic_t smb2_com_sent[NUMBER_OF_SMB2_COMMANDS];
75966- atomic_t smb2_com_failed[NUMBER_OF_SMB2_COMMANDS];
75967+ atomic_unchecked_t smb2_com_sent[NUMBER_OF_SMB2_COMMANDS];
75968+ atomic_unchecked_t smb2_com_failed[NUMBER_OF_SMB2_COMMANDS];
75969 } smb2_stats;
75970 #endif /* CONFIG_CIFS_SMB2 */
75971 } stats;
75972@@ -1207,7 +1207,7 @@ convert_delimiter(char *path, char delim)
75973 }
75974
75975 #ifdef CONFIG_CIFS_STATS
75976-#define cifs_stats_inc atomic_inc
75977+#define cifs_stats_inc atomic_inc_unchecked
75978
75979 static inline void cifs_stats_bytes_written(struct cifs_tcon *tcon,
75980 unsigned int bytes)
75981@@ -1574,8 +1574,8 @@ GLOBAL_EXTERN atomic_t tconInfoReconnectCount;
75982 /* Various Debug counters */
75983 GLOBAL_EXTERN atomic_t bufAllocCount; /* current number allocated */
75984 #ifdef CONFIG_CIFS_STATS2
75985-GLOBAL_EXTERN atomic_t totBufAllocCount; /* total allocated over all time */
75986-GLOBAL_EXTERN atomic_t totSmBufAllocCount;
75987+GLOBAL_EXTERN atomic_unchecked_t totBufAllocCount; /* total allocated over all time */
75988+GLOBAL_EXTERN atomic_unchecked_t totSmBufAllocCount;
75989 #endif
75990 GLOBAL_EXTERN atomic_t smBufAllocCount;
75991 GLOBAL_EXTERN atomic_t midCount;
75992diff --git a/fs/cifs/file.c b/fs/cifs/file.c
75993index 3f50cee..7741620 100644
75994--- a/fs/cifs/file.c
75995+++ b/fs/cifs/file.c
75996@@ -2054,10 +2054,14 @@ static int cifs_writepages(struct address_space *mapping,
75997 index = mapping->writeback_index; /* Start from prev offset */
75998 end = -1;
75999 } else {
76000- index = wbc->range_start >> PAGE_CACHE_SHIFT;
76001- end = wbc->range_end >> PAGE_CACHE_SHIFT;
76002- if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX)
76003+ if (wbc->range_start == 0 && wbc->range_end == LLONG_MAX) {
76004 range_whole = true;
76005+ index = 0;
76006+ end = ULONG_MAX;
76007+ } else {
76008+ index = wbc->range_start >> PAGE_CACHE_SHIFT;
76009+ end = wbc->range_end >> PAGE_CACHE_SHIFT;
76010+ }
76011 scanned = true;
76012 }
76013 server = cifs_sb_master_tcon(cifs_sb)->ses->server;
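Review bot: The whole-file case now sets `end = ULONG_MAX` while the cyclic branch just above still uses `end = -1`, so the same sentinel is spelled two ways. The reason for special-casing `range_end == LLONG_MAX` instead of shifting it is also not stated. A comment such as `/* whole file: set the bounds directly rather than shifting LLONG_MAX into end */`, plus one spelling for the sentinel, would make the intent clear. The declarations of `index` and `end` are outside the hunk, so whether `-1` and `ULONG_MAX` are identical for their type should be confirmed.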
76014diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c
76015index 8442b8b..ea6986f 100644
76016--- a/fs/cifs/misc.c
76017+++ b/fs/cifs/misc.c
76018@@ -170,7 +170,7 @@ cifs_buf_get(void)
76019 memset(ret_buf, 0, buf_size + 3);
76020 atomic_inc(&bufAllocCount);
76021 #ifdef CONFIG_CIFS_STATS2
76022- atomic_inc(&totBufAllocCount);
76023+ atomic_inc_unchecked(&totBufAllocCount);
76024 #endif /* CONFIG_CIFS_STATS2 */
76025 }
76026
76027@@ -205,7 +205,7 @@ cifs_small_buf_get(void)
76028 /* memset(ret_buf, 0, sizeof(struct smb_hdr) + 27);*/
76029 atomic_inc(&smBufAllocCount);
76030 #ifdef CONFIG_CIFS_STATS2
76031- atomic_inc(&totSmBufAllocCount);
76032+ atomic_inc_unchecked(&totSmBufAllocCount);
76033 #endif /* CONFIG_CIFS_STATS2 */
76034
76035 }
76036diff --git a/fs/cifs/smb1ops.c b/fs/cifs/smb1ops.c
76037index fc537c2..47d654c 100644
76038--- a/fs/cifs/smb1ops.c
76039+++ b/fs/cifs/smb1ops.c
76040@@ -622,27 +622,27 @@ static void
76041 cifs_clear_stats(struct cifs_tcon *tcon)
76042 {
76043 #ifdef CONFIG_CIFS_STATS
76044- atomic_set(&tcon->stats.cifs_stats.num_writes, 0);
76045- atomic_set(&tcon->stats.cifs_stats.num_reads, 0);
76046- atomic_set(&tcon->stats.cifs_stats.num_flushes, 0);
76047- atomic_set(&tcon->stats.cifs_stats.num_oplock_brks, 0);
76048- atomic_set(&tcon->stats.cifs_stats.num_opens, 0);
76049- atomic_set(&tcon->stats.cifs_stats.num_posixopens, 0);
76050- atomic_set(&tcon->stats.cifs_stats.num_posixmkdirs, 0);
76051- atomic_set(&tcon->stats.cifs_stats.num_closes, 0);
76052- atomic_set(&tcon->stats.cifs_stats.num_deletes, 0);
76053- atomic_set(&tcon->stats.cifs_stats.num_mkdirs, 0);
76054- atomic_set(&tcon->stats.cifs_stats.num_rmdirs, 0);
76055- atomic_set(&tcon->stats.cifs_stats.num_renames, 0);
76056- atomic_set(&tcon->stats.cifs_stats.num_t2renames, 0);
76057- atomic_set(&tcon->stats.cifs_stats.num_ffirst, 0);
76058- atomic_set(&tcon->stats.cifs_stats.num_fnext, 0);
76059- atomic_set(&tcon->stats.cifs_stats.num_fclose, 0);
76060- atomic_set(&tcon->stats.cifs_stats.num_hardlinks, 0);
76061- atomic_set(&tcon->stats.cifs_stats.num_symlinks, 0);
76062- atomic_set(&tcon->stats.cifs_stats.num_locks, 0);
76063- atomic_set(&tcon->stats.cifs_stats.num_acl_get, 0);
76064- atomic_set(&tcon->stats.cifs_stats.num_acl_set, 0);
76065+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_writes, 0);
76066+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_reads, 0);
76067+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_flushes, 0);
76068+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_oplock_brks, 0);
76069+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_opens, 0);
76070+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_posixopens, 0);
76071+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_posixmkdirs, 0);
76072+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_closes, 0);
76073+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_deletes, 0);
76074+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_mkdirs, 0);
76075+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_rmdirs, 0);
76076+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_renames, 0);
76077+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_t2renames, 0);
76078+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_ffirst, 0);
76079+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_fnext, 0);
76080+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_fclose, 0);
76081+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_hardlinks, 0);
76082+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_symlinks, 0);
76083+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_locks, 0);
76084+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_acl_get, 0);
76085+ atomic_set_unchecked(&tcon->stats.cifs_stats.num_acl_set, 0);
76086 #endif
76087 }
76088
76089@@ -651,36 +651,36 @@ cifs_print_stats(struct seq_file *m, struct cifs_tcon *tcon)
76090 {
76091 #ifdef CONFIG_CIFS_STATS
76092 seq_printf(m, " Oplocks breaks: %d",
76093- atomic_read(&tcon->stats.cifs_stats.num_oplock_brks));
76094+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_oplock_brks));
76095 seq_printf(m, "\nReads: %d Bytes: %llu",
76096- atomic_read(&tcon->stats.cifs_stats.num_reads),
76097+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_reads),
76098 (long long)(tcon->bytes_read));
76099 seq_printf(m, "\nWrites: %d Bytes: %llu",
76100- atomic_read(&tcon->stats.cifs_stats.num_writes),
76101+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_writes),
76102 (long long)(tcon->bytes_written));
76103 seq_printf(m, "\nFlushes: %d",
76104- atomic_read(&tcon->stats.cifs_stats.num_flushes));
76105+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_flushes));
76106 seq_printf(m, "\nLocks: %d HardLinks: %d Symlinks: %d",
76107- atomic_read(&tcon->stats.cifs_stats.num_locks),
76108- atomic_read(&tcon->stats.cifs_stats.num_hardlinks),
76109- atomic_read(&tcon->stats.cifs_stats.num_symlinks));
76110+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_locks),
76111+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_hardlinks),
76112+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_symlinks));
76113 seq_printf(m, "\nOpens: %d Closes: %d Deletes: %d",
76114- atomic_read(&tcon->stats.cifs_stats.num_opens),
76115- atomic_read(&tcon->stats.cifs_stats.num_closes),
76116- atomic_read(&tcon->stats.cifs_stats.num_deletes));
76117+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_opens),
76118+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_closes),
76119+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_deletes));
76120 seq_printf(m, "\nPosix Opens: %d Posix Mkdirs: %d",
76121- atomic_read(&tcon->stats.cifs_stats.num_posixopens),
76122- atomic_read(&tcon->stats.cifs_stats.num_posixmkdirs));
76123+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_posixopens),
76124+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_posixmkdirs));
76125 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
76126- atomic_read(&tcon->stats.cifs_stats.num_mkdirs),
76127- atomic_read(&tcon->stats.cifs_stats.num_rmdirs));
76128+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_mkdirs),
76129+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_rmdirs));
76130 seq_printf(m, "\nRenames: %d T2 Renames %d",
76131- atomic_read(&tcon->stats.cifs_stats.num_renames),
76132- atomic_read(&tcon->stats.cifs_stats.num_t2renames));
76133+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_renames),
76134+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_t2renames));
76135 seq_printf(m, "\nFindFirst: %d FNext %d FClose %d",
76136- atomic_read(&tcon->stats.cifs_stats.num_ffirst),
76137- atomic_read(&tcon->stats.cifs_stats.num_fnext),
76138- atomic_read(&tcon->stats.cifs_stats.num_fclose));
76139+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_ffirst),
76140+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_fnext),
76141+ atomic_read_unchecked(&tcon->stats.cifs_stats.num_fclose));
76142 #endif
76143 }
76144
76145diff --git a/fs/cifs/smb2ops.c b/fs/cifs/smb2ops.c
76146index 18da19f..38a3a79 100644
76147--- a/fs/cifs/smb2ops.c
76148+++ b/fs/cifs/smb2ops.c
76149@@ -422,8 +422,8 @@ smb2_clear_stats(struct cifs_tcon *tcon)
76150 #ifdef CONFIG_CIFS_STATS
76151 int i;
76152 for (i = 0; i < NUMBER_OF_SMB2_COMMANDS; i++) {
76153- atomic_set(&tcon->stats.smb2_stats.smb2_com_sent[i], 0);
76154- atomic_set(&tcon->stats.smb2_stats.smb2_com_failed[i], 0);
76155+ atomic_set_unchecked(&tcon->stats.smb2_stats.smb2_com_sent[i], 0);
76156+ atomic_set_unchecked(&tcon->stats.smb2_stats.smb2_com_failed[i], 0);
76157 }
76158 #endif
76159 }
76160@@ -463,65 +463,65 @@ static void
76161 smb2_print_stats(struct seq_file *m, struct cifs_tcon *tcon)
76162 {
76163 #ifdef CONFIG_CIFS_STATS
76164- atomic_t *sent = tcon->stats.smb2_stats.smb2_com_sent;
76165- atomic_t *failed = tcon->stats.smb2_stats.smb2_com_failed;
76166+ atomic_unchecked_t *sent = tcon->stats.smb2_stats.smb2_com_sent;
76167+ atomic_unchecked_t *failed = tcon->stats.smb2_stats.smb2_com_failed;
76168 seq_printf(m, "\nNegotiates: %d sent %d failed",
76169- atomic_read(&sent[SMB2_NEGOTIATE_HE]),
76170- atomic_read(&failed[SMB2_NEGOTIATE_HE]));
76171+ atomic_read_unchecked(&sent[SMB2_NEGOTIATE_HE]),
76172+ atomic_read_unchecked(&failed[SMB2_NEGOTIATE_HE]));
76173 seq_printf(m, "\nSessionSetups: %d sent %d failed",
76174- atomic_read(&sent[SMB2_SESSION_SETUP_HE]),
76175- atomic_read(&failed[SMB2_SESSION_SETUP_HE]));
76176+ atomic_read_unchecked(&sent[SMB2_SESSION_SETUP_HE]),
76177+ atomic_read_unchecked(&failed[SMB2_SESSION_SETUP_HE]));
76178 seq_printf(m, "\nLogoffs: %d sent %d failed",
76179- atomic_read(&sent[SMB2_LOGOFF_HE]),
76180- atomic_read(&failed[SMB2_LOGOFF_HE]));
76181+ atomic_read_unchecked(&sent[SMB2_LOGOFF_HE]),
76182+ atomic_read_unchecked(&failed[SMB2_LOGOFF_HE]));
76183 seq_printf(m, "\nTreeConnects: %d sent %d failed",
76184- atomic_read(&sent[SMB2_TREE_CONNECT_HE]),
76185- atomic_read(&failed[SMB2_TREE_CONNECT_HE]));
76186+ atomic_read_unchecked(&sent[SMB2_TREE_CONNECT_HE]),
76187+ atomic_read_unchecked(&failed[SMB2_TREE_CONNECT_HE]));
76188 seq_printf(m, "\nTreeDisconnects: %d sent %d failed",
76189- atomic_read(&sent[SMB2_TREE_DISCONNECT_HE]),
76190- atomic_read(&failed[SMB2_TREE_DISCONNECT_HE]));
76191+ atomic_read_unchecked(&sent[SMB2_TREE_DISCONNECT_HE]),
76192+ atomic_read_unchecked(&failed[SMB2_TREE_DISCONNECT_HE]));
76193 seq_printf(m, "\nCreates: %d sent %d failed",
76194- atomic_read(&sent[SMB2_CREATE_HE]),
76195- atomic_read(&failed[SMB2_CREATE_HE]));
76196+ atomic_read_unchecked(&sent[SMB2_CREATE_HE]),
76197+ atomic_read_unchecked(&failed[SMB2_CREATE_HE]));
76198 seq_printf(m, "\nCloses: %d sent %d failed",
76199- atomic_read(&sent[SMB2_CLOSE_HE]),
76200- atomic_read(&failed[SMB2_CLOSE_HE]));
76201+ atomic_read_unchecked(&sent[SMB2_CLOSE_HE]),
76202+ atomic_read_unchecked(&failed[SMB2_CLOSE_HE]));
76203 seq_printf(m, "\nFlushes: %d sent %d failed",
76204- atomic_read(&sent[SMB2_FLUSH_HE]),
76205- atomic_read(&failed[SMB2_FLUSH_HE]));
76206+ atomic_read_unchecked(&sent[SMB2_FLUSH_HE]),
76207+ atomic_read_unchecked(&failed[SMB2_FLUSH_HE]));
76208 seq_printf(m, "\nReads: %d sent %d failed",
76209- atomic_read(&sent[SMB2_READ_HE]),
76210- atomic_read(&failed[SMB2_READ_HE]));
76211+ atomic_read_unchecked(&sent[SMB2_READ_HE]),
76212+ atomic_read_unchecked(&failed[SMB2_READ_HE]));
76213 seq_printf(m, "\nWrites: %d sent %d failed",
76214- atomic_read(&sent[SMB2_WRITE_HE]),
76215- atomic_read(&failed[SMB2_WRITE_HE]));
76216+ atomic_read_unchecked(&sent[SMB2_WRITE_HE]),
76217+ atomic_read_unchecked(&failed[SMB2_WRITE_HE]));
76218 seq_printf(m, "\nLocks: %d sent %d failed",
76219- atomic_read(&sent[SMB2_LOCK_HE]),
76220- atomic_read(&failed[SMB2_LOCK_HE]));
76221+ atomic_read_unchecked(&sent[SMB2_LOCK_HE]),
76222+ atomic_read_unchecked(&failed[SMB2_LOCK_HE]));
76223 seq_printf(m, "\nIOCTLs: %d sent %d failed",
76224- atomic_read(&sent[SMB2_IOCTL_HE]),
76225- atomic_read(&failed[SMB2_IOCTL_HE]));
76226+ atomic_read_unchecked(&sent[SMB2_IOCTL_HE]),
76227+ atomic_read_unchecked(&failed[SMB2_IOCTL_HE]));
76228 seq_printf(m, "\nCancels: %d sent %d failed",
76229- atomic_read(&sent[SMB2_CANCEL_HE]),
76230- atomic_read(&failed[SMB2_CANCEL_HE]));
76231+ atomic_read_unchecked(&sent[SMB2_CANCEL_HE]),
76232+ atomic_read_unchecked(&failed[SMB2_CANCEL_HE]));
76233 seq_printf(m, "\nEchos: %d sent %d failed",
76234- atomic_read(&sent[SMB2_ECHO_HE]),
76235- atomic_read(&failed[SMB2_ECHO_HE]));
76236+ atomic_read_unchecked(&sent[SMB2_ECHO_HE]),
76237+ atomic_read_unchecked(&failed[SMB2_ECHO_HE]));
76238 seq_printf(m, "\nQueryDirectories: %d sent %d failed",
76239- atomic_read(&sent[SMB2_QUERY_DIRECTORY_HE]),
76240- atomic_read(&failed[SMB2_QUERY_DIRECTORY_HE]));
76241+ atomic_read_unchecked(&sent[SMB2_QUERY_DIRECTORY_HE]),
76242+ atomic_read_unchecked(&failed[SMB2_QUERY_DIRECTORY_HE]));
76243 seq_printf(m, "\nChangeNotifies: %d sent %d failed",
76244- atomic_read(&sent[SMB2_CHANGE_NOTIFY_HE]),
76245- atomic_read(&failed[SMB2_CHANGE_NOTIFY_HE]));
76246+ atomic_read_unchecked(&sent[SMB2_CHANGE_NOTIFY_HE]),
76247+ atomic_read_unchecked(&failed[SMB2_CHANGE_NOTIFY_HE]));
76248 seq_printf(m, "\nQueryInfos: %d sent %d failed",
76249- atomic_read(&sent[SMB2_QUERY_INFO_HE]),
76250- atomic_read(&failed[SMB2_QUERY_INFO_HE]));
76251+ atomic_read_unchecked(&sent[SMB2_QUERY_INFO_HE]),
76252+ atomic_read_unchecked(&failed[SMB2_QUERY_INFO_HE]));
76253 seq_printf(m, "\nSetInfos: %d sent %d failed",
76254- atomic_read(&sent[SMB2_SET_INFO_HE]),
76255- atomic_read(&failed[SMB2_SET_INFO_HE]));
76256+ atomic_read_unchecked(&sent[SMB2_SET_INFO_HE]),
76257+ atomic_read_unchecked(&failed[SMB2_SET_INFO_HE]));
76258 seq_printf(m, "\nOplockBreaks: %d sent %d failed",
76259- atomic_read(&sent[SMB2_OPLOCK_BREAK_HE]),
76260- atomic_read(&failed[SMB2_OPLOCK_BREAK_HE]));
76261+ atomic_read_unchecked(&sent[SMB2_OPLOCK_BREAK_HE]),
76262+ atomic_read_unchecked(&failed[SMB2_OPLOCK_BREAK_HE]));
76263 #endif
76264 }
76265
76266diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
76267index 60dd831..42f911c 100644
76268--- a/fs/cifs/smb2pdu.c
76269+++ b/fs/cifs/smb2pdu.c
76270@@ -2252,8 +2252,7 @@ SMB2_query_directory(const unsigned int xid, struct cifs_tcon *tcon,
76271 default:
76272 cifs_dbg(VFS, "info level %u isn't supported\n",
76273 srch_inf->info_level);
76274- rc = -EINVAL;
76275- goto qdir_exit;
76276+ return -EINVAL;
76277 }
76278
76279 req->FileIndex = cpu_to_le32(index);
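Review bot: The new `return -EINVAL;` in the `default:` arm skips the `qdir_exit` label entirely, so anything acquired before the switch is no longer released on this path. The line after the switch already dereferences `req`, which suggests the request buffer is set up before this point; if so, the early return would need to release it first. The allocation and the body of `qdir_exit` are both outside the hunk, so please confirm against the full function which cleanup is safe to run here.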
76280diff --git a/fs/coda/cache.c b/fs/coda/cache.c
76281index 5bb630a..043dc70 100644
76282--- a/fs/coda/cache.c
76283+++ b/fs/coda/cache.c
76284@@ -24,7 +24,7 @@
76285 #include "coda_linux.h"
76286 #include "coda_cache.h"
76287
76288-static atomic_t permission_epoch = ATOMIC_INIT(0);
76289+static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
76290
76291 /* replace or extend an acl cache hit */
76292 void coda_cache_enter(struct inode *inode, int mask)
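Review bot: `permission_epoch` is switched to `atomic_unchecked_t` with no comment saying why opting out of overflow checking is acceptable here. The later hunks in this file only ever store the value or compare it for equality, so wraparound looks intentional rather than a reference-count hazard. I would record that at the declaration, e.g. `/* generation counter, not a refcount: wraparound is expected, values are only compared for equality */`, so a later audit of `_unchecked` users does not have to re-derive it.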
76293@@ -32,7 +32,7 @@ void coda_cache_enter(struct inode *inode, int mask)
76294 struct coda_inode_info *cii = ITOC(inode);
76295
76296 spin_lock(&cii->c_lock);
76297- cii->c_cached_epoch = atomic_read(&permission_epoch);
76298+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
76299 if (!uid_eq(cii->c_uid, current_fsuid())) {
76300 cii->c_uid = current_fsuid();
76301 cii->c_cached_perm = mask;
76302@@ -46,14 +46,14 @@ void coda_cache_clear_inode(struct inode *inode)
76303 {
76304 struct coda_inode_info *cii = ITOC(inode);
76305 spin_lock(&cii->c_lock);
76306- cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
76307+ cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
76308 spin_unlock(&cii->c_lock);
76309 }
76310
76311 /* remove all acl caches */
76312 void coda_cache_clear_all(struct super_block *sb)
76313 {
76314- atomic_inc(&permission_epoch);
76315+ atomic_inc_unchecked(&permission_epoch);
76316 }
76317
76318
76319@@ -66,7 +66,7 @@ int coda_cache_check(struct inode *inode, int mask)
76320 spin_lock(&cii->c_lock);
76321 hit = (mask & cii->c_cached_perm) == mask &&
76322 uid_eq(cii->c_uid, current_fsuid()) &&
76323- cii->c_cached_epoch == atomic_read(&permission_epoch);
76324+ cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
76325 spin_unlock(&cii->c_lock);
76326
76327 return hit;
76328diff --git a/fs/compat.c b/fs/compat.c
76329index 6fd272d..dd34ba2 100644
76330--- a/fs/compat.c
76331+++ b/fs/compat.c
76332@@ -54,7 +54,7 @@
76333 #include <asm/ioctls.h>
76334 #include "internal.h"
76335
76336-int compat_log = 1;
76337+int compat_log = 0;
76338
76339 int compat_printk(const char *fmt, ...)
76340 {
76341@@ -512,7 +512,7 @@ COMPAT_SYSCALL_DEFINE2(io_setup, unsigned, nr_reqs, u32 __user *, ctx32p)
76342
76343 set_fs(KERNEL_DS);
76344 /* The __user pointer cast is valid because of the set_fs() */
76345- ret = sys_io_setup(nr_reqs, (aio_context_t __user *) &ctx64);
76346+ ret = sys_io_setup(nr_reqs, (aio_context_t __force_user *) &ctx64);
76347 set_fs(oldfs);
76348 /* truncating is ok because it's a user address */
76349 if (!ret)
76350@@ -562,7 +562,7 @@ ssize_t compat_rw_copy_check_uvector(int type,
76351 goto out;
76352
76353 ret = -EINVAL;
76354- if (nr_segs > UIO_MAXIOV || nr_segs < 0)
76355+ if (nr_segs > UIO_MAXIOV)
76356 goto out;
76357 if (nr_segs > fast_segs) {
76358 ret = -ENOMEM;
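Review bot: Dropping `nr_segs < 0` from the range check is only correct if `nr_segs` is an unsigned type in `compat_rw_copy_check_uvector`, and its signature is outside this hunk. If the parameter is still signed, a negative count would pass `nr_segs > UIO_MAXIOV` and reach the `nr_segs > fast_segs` sizing logic below. Please confirm the prototype is changed to an unsigned type in the same patch, or keep the original `if (nr_segs > UIO_MAXIOV || nr_segs < 0)`.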
76359@@ -844,6 +844,7 @@ struct compat_old_linux_dirent {
76360 struct compat_readdir_callback {
76361 struct dir_context ctx;
76362 struct compat_old_linux_dirent __user *dirent;
76363+ struct file * file;
76364 int result;
76365 };
76366
76367@@ -863,6 +864,10 @@ static int compat_fillonedir(struct dir_context *ctx, const char *name,
76368 buf->result = -EOVERFLOW;
76369 return -EOVERFLOW;
76370 }
76371+
76372+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
76373+ return 0;
76374+
76375 buf->result++;
76376 dirent = buf->dirent;
76377 if (!access_ok(VERIFY_WRITE, dirent,
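Review bot: The `gr_acl_handle_filldir()` check is placed after the `-EOVERFLOW` return just above it, so an entry the policy would hide can still abort the listing with an error before the hide decision is made. The same ordering applies in the `compat_filldir` hunk, and in `compat_filldir64` the check follows the `reclen > buf->count` test. If hidden entries are meant to be indistinguishable from absent ones, the ACL check should be the first thing each callback does. Each callback starts outside its hunk, so the exact insertion point needs checking against the full functions.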
76378@@ -894,6 +899,7 @@ COMPAT_SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
76379 if (!f.file)
76380 return -EBADF;
76381
76382+ buf.file = f.file;
76383 error = iterate_dir(f.file, &buf.ctx);
76384 if (buf.result)
76385 error = buf.result;
76386@@ -913,6 +919,7 @@ struct compat_getdents_callback {
76387 struct dir_context ctx;
76388 struct compat_linux_dirent __user *current_dir;
76389 struct compat_linux_dirent __user *previous;
76390+ struct file * file;
76391 int count;
76392 int error;
76393 };
76394@@ -935,6 +942,10 @@ static int compat_filldir(struct dir_context *ctx, const char *name, int namlen,
76395 buf->error = -EOVERFLOW;
76396 return -EOVERFLOW;
76397 }
76398+
76399+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
76400+ return 0;
76401+
76402 dirent = buf->previous;
76403 if (dirent) {
76404 if (__put_user(offset, &dirent->d_off))
76405@@ -980,6 +991,7 @@ COMPAT_SYSCALL_DEFINE3(getdents, unsigned int, fd,
76406 if (!f.file)
76407 return -EBADF;
76408
76409+ buf.file = f.file;
76410 error = iterate_dir(f.file, &buf.ctx);
76411 if (error >= 0)
76412 error = buf.error;
76413@@ -1000,6 +1012,7 @@ struct compat_getdents_callback64 {
76414 struct dir_context ctx;
76415 struct linux_dirent64 __user *current_dir;
76416 struct linux_dirent64 __user *previous;
76417+ struct file * file;
76418 int count;
76419 int error;
76420 };
76421@@ -1018,6 +1031,10 @@ static int compat_filldir64(struct dir_context *ctx, const char *name,
76422 buf->error = -EINVAL; /* only used if we fail.. */
76423 if (reclen > buf->count)
76424 return -EINVAL;
76425+
76426+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
76427+ return 0;
76428+
76429 dirent = buf->previous;
76430
76431 if (dirent) {
76432@@ -1067,6 +1084,7 @@ COMPAT_SYSCALL_DEFINE3(getdents64, unsigned int, fd,
76433 if (!f.file)
76434 return -EBADF;
76435
76436+ buf.file = f.file;
76437 error = iterate_dir(f.file, &buf.ctx);
76438 if (error >= 0)
76439 error = buf.error;
76440diff --git a/fs/compat_binfmt_elf.c b/fs/compat_binfmt_elf.c
76441index 4d24d17..4f8c09e 100644
76442--- a/fs/compat_binfmt_elf.c
76443+++ b/fs/compat_binfmt_elf.c
76444@@ -30,11 +30,13 @@
76445 #undef elf_phdr
76446 #undef elf_shdr
76447 #undef elf_note
76448+#undef elf_dyn
76449 #undef elf_addr_t
76450 #define elfhdr elf32_hdr
76451 #define elf_phdr elf32_phdr
76452 #define elf_shdr elf32_shdr
76453 #define elf_note elf32_note
76454+#define elf_dyn Elf32_Dyn
76455 #define elf_addr_t Elf32_Addr
76456
76457 /*
76458diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c
76459index 48851f6..6c79d32 100644
76460--- a/fs/compat_ioctl.c
76461+++ b/fs/compat_ioctl.c
76462@@ -622,7 +622,7 @@ static int serial_struct_ioctl(unsigned fd, unsigned cmd,
76463 return -EFAULT;
76464 if (__get_user(udata, &ss32->iomem_base))
76465 return -EFAULT;
76466- ss.iomem_base = compat_ptr(udata);
76467+ ss.iomem_base = (unsigned char __force_kernel *)compat_ptr(udata);
76468 if (__get_user(ss.iomem_reg_shift, &ss32->iomem_reg_shift) ||
76469 __get_user(ss.port_high, &ss32->port_high))
76470 return -EFAULT;
76471@@ -704,8 +704,8 @@ static int do_i2c_rdwr_ioctl(unsigned int fd, unsigned int cmd,
76472 for (i = 0; i < nmsgs; i++) {
76473 if (copy_in_user(&tmsgs[i].addr, &umsgs[i].addr, 3*sizeof(u16)))
76474 return -EFAULT;
76475- if (get_user(datap, &umsgs[i].buf) ||
76476- put_user(compat_ptr(datap), &tmsgs[i].buf))
76477+ if (get_user(datap, (compat_caddr_t __user *)&umsgs[i].buf) ||
76478+ put_user(compat_ptr(datap), (u8 __user * __user *)&tmsgs[i].buf))
76479 return -EFAULT;
76480 }
76481 return sys_ioctl(fd, cmd, (unsigned long)tdata);
76482@@ -798,7 +798,7 @@ static int compat_ioctl_preallocate(struct file *file,
76483 copy_in_user(&p->l_len, &p32->l_len, sizeof(s64)) ||
76484 copy_in_user(&p->l_sysid, &p32->l_sysid, sizeof(s32)) ||
76485 copy_in_user(&p->l_pid, &p32->l_pid, sizeof(u32)) ||
76486- copy_in_user(&p->l_pad, &p32->l_pad, 4*sizeof(u32)))
76487+ copy_in_user(p->l_pad, p32->l_pad, 4*sizeof(u32)))
76488 return -EFAULT;
76489
76490 return ioctl_preallocate(file, p);
76491@@ -1621,8 +1621,8 @@ COMPAT_SYSCALL_DEFINE3(ioctl, unsigned int, fd, unsigned int, cmd,
76492 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
76493 {
76494 unsigned int a, b;
76495- a = *(unsigned int *)p;
76496- b = *(unsigned int *)q;
76497+ a = *(const unsigned int *)p;
76498+ b = *(const unsigned int *)q;
76499 if (a > b)
76500 return 1;
76501 if (a < b)
76502diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
76503index c81ce7f..f3de5fd 100644
76504--- a/fs/configfs/dir.c
76505+++ b/fs/configfs/dir.c
76506@@ -1540,7 +1540,8 @@ static int configfs_readdir(struct file *file, struct dir_context *ctx)
76507 }
76508 for (p = q->next; p != &parent_sd->s_children; p = p->next) {
76509 struct configfs_dirent *next;
76510- const char *name;
76511+ const unsigned char * name;
76512+ char d_name[sizeof(next->s_dentry->d_iname)];
76513 int len;
76514 struct inode *inode = NULL;
76515
76516@@ -1549,7 +1550,12 @@ static int configfs_readdir(struct file *file, struct dir_context *ctx)
76517 continue;
76518
76519 name = configfs_get_name(next);
76520- len = strlen(name);
76521+ if (next->s_dentry && name == next->s_dentry->d_iname) {
76522+ len = next->s_dentry->d_name.len;
76523+ memcpy(d_name, name, len);
76524+ name = d_name;
76525+ } else
76526+ len = strlen(name);
76527
76528 /*
76529 * We'll have a dentry and an inode for
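Review bot: The `memcpy(d_name, name, len)` into the on-stack `d_name` has no bound; it relies on `next->s_dentry->d_name.len` always being smaller than `sizeof(d_iname)`. The snapshot appears to exist because the inline name can change underneath this loop. In that case `name` and `d_name.len` are read separately and may not describe the same string, so `len` should be clamped before the copy, e.g. `len = min_t(int, next->s_dentry->d_name.len, sizeof(d_name));`. The copy is also not NUL-terminated, which is fine only if every later use in the loop (outside the hunk) passes `len` explicitly. Kernel style would also put braces on the `else` branch, since the `if` branch has them.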
76530diff --git a/fs/coredump.c b/fs/coredump.c
76531index a8f7564..3dde349 100644
76532--- a/fs/coredump.c
76533+++ b/fs/coredump.c
76534@@ -457,8 +457,8 @@ static void wait_for_dump_helpers(struct file *file)
76535 struct pipe_inode_info *pipe = file->private_data;
76536
76537 pipe_lock(pipe);
76538- pipe->readers++;
76539- pipe->writers--;
76540+ atomic_inc(&pipe->readers);
76541+ atomic_dec(&pipe->writers);
76542 wake_up_interruptible_sync(&pipe->wait);
76543 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
76544 pipe_unlock(pipe);
76545@@ -467,11 +467,11 @@ static void wait_for_dump_helpers(struct file *file)
76546 * We actually want wait_event_freezable() but then we need
76547 * to clear TIF_SIGPENDING and improve dump_interrupted().
76548 */
76549- wait_event_interruptible(pipe->wait, pipe->readers == 1);
76550+ wait_event_interruptible(pipe->wait, atomic_read(&pipe->readers) == 1);
76551
76552 pipe_lock(pipe);
76553- pipe->readers--;
76554- pipe->writers++;
76555+ atomic_dec(&pipe->readers);
76556+ atomic_inc(&pipe->writers);
76557 pipe_unlock(pipe);
76558 }
76559
76560@@ -518,7 +518,9 @@ void do_coredump(const siginfo_t *siginfo)
76561 /* require nonrelative corefile path and be extra careful */
76562 bool need_suid_safe = false;
76563 bool core_dumped = false;
76564- static atomic_t core_dump_count = ATOMIC_INIT(0);
76565+ static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
76566+ long signr = siginfo->si_signo;
76567+ int dumpable;
76568 struct coredump_params cprm = {
76569 .siginfo = siginfo,
76570 .regs = signal_pt_regs(),
76571@@ -531,12 +533,17 @@ void do_coredump(const siginfo_t *siginfo)
76572 .mm_flags = mm->flags,
76573 };
76574
76575- audit_core_dumps(siginfo->si_signo);
76576+ audit_core_dumps(signr);
76577+
76578+ dumpable = __get_dumpable(cprm.mm_flags);
76579+
76580+ if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
76581+ gr_handle_brute_attach(dumpable);
76582
76583 binfmt = mm->binfmt;
76584 if (!binfmt || !binfmt->core_dump)
76585 goto fail;
76586- if (!__get_dumpable(cprm.mm_flags))
76587+ if (!dumpable)
76588 goto fail;
76589
76590 cred = prepare_creds();
76591@@ -554,7 +561,7 @@ void do_coredump(const siginfo_t *siginfo)
76592 need_suid_safe = true;
76593 }
76594
76595- retval = coredump_wait(siginfo->si_signo, &core_state);
76596+ retval = coredump_wait(signr, &core_state);
76597 if (retval < 0)
76598 goto fail_creds;
76599
76600@@ -597,7 +604,7 @@ void do_coredump(const siginfo_t *siginfo)
76601 }
76602 cprm.limit = RLIM_INFINITY;
76603
76604- dump_count = atomic_inc_return(&core_dump_count);
76605+ dump_count = atomic_inc_return_unchecked(&core_dump_count);
76606 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
76607 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
76608 task_tgid_vnr(current), current->comm);
76609@@ -629,6 +636,8 @@ void do_coredump(const siginfo_t *siginfo)
76610 } else {
76611 struct inode *inode;
76612
76613+ gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
76614+
76615 if (cprm.limit < binfmt->min_coredump)
76616 goto fail_unlock;
76617
76618@@ -718,7 +727,7 @@ close_fail:
76619 filp_close(cprm.file, NULL);
76620 fail_dropcount:
76621 if (ispipe)
76622- atomic_dec(&core_dump_count);
76623+ atomic_dec_unchecked(&core_dump_count);
76624 fail_unlock:
76625 kfree(cn.corename);
76626 coredump_finish(mm, core_dumped);
76627@@ -739,6 +748,8 @@ int dump_emit(struct coredump_params *cprm, const void *addr, int nr)
76628 struct file *file = cprm->file;
76629 loff_t pos = file->f_pos;
76630 ssize_t n;
76631+
76632+ gr_learn_resource(current, RLIMIT_CORE, cprm->written + nr, 1);
76633 if (cprm->written + nr > cprm->limit)
76634 return 0;
76635 while (nr) {
76636diff --git a/fs/dcache.c b/fs/dcache.c
76637index e3b44ca..e0d94f1 100644
76638--- a/fs/dcache.c
76639+++ b/fs/dcache.c
76640@@ -545,7 +545,7 @@ static void __dentry_kill(struct dentry *dentry)
76641 * dentry_iput drops the locks, at which point nobody (except
76642 * transient RCU lookups) can reach this dentry.
76643 */
76644- BUG_ON(dentry->d_lockref.count > 0);
76645+ BUG_ON(__lockref_read(&dentry->d_lockref) > 0);
76646 this_cpu_dec(nr_dentry);
76647 if (dentry->d_op && dentry->d_op->d_release)
76648 dentry->d_op->d_release(dentry);
76649@@ -598,7 +598,7 @@ static inline struct dentry *lock_parent(struct dentry *dentry)
76650 struct dentry *parent = dentry->d_parent;
76651 if (IS_ROOT(dentry))
76652 return NULL;
76653- if (unlikely(dentry->d_lockref.count < 0))
76654+ if (unlikely(__lockref_read(&dentry->d_lockref) < 0))
76655 return NULL;
76656 if (likely(spin_trylock(&parent->d_lock)))
76657 return parent;
76658@@ -660,8 +660,8 @@ static inline bool fast_dput(struct dentry *dentry)
76659 */
76660 if (unlikely(ret < 0)) {
76661 spin_lock(&dentry->d_lock);
76662- if (dentry->d_lockref.count > 1) {
76663- dentry->d_lockref.count--;
76664+ if (__lockref_read(&dentry->d_lockref) > 1) {
76665+ __lockref_dec(&dentry->d_lockref);
76666 spin_unlock(&dentry->d_lock);
76667 return 1;
76668 }
76669@@ -716,7 +716,7 @@ static inline bool fast_dput(struct dentry *dentry)
76670 * else could have killed it and marked it dead. Either way, we
76671 * don't need to do anything else.
76672 */
76673- if (dentry->d_lockref.count) {
76674+ if (__lockref_read(&dentry->d_lockref)) {
76675 spin_unlock(&dentry->d_lock);
76676 return 1;
76677 }
76678@@ -726,7 +726,7 @@ static inline bool fast_dput(struct dentry *dentry)
76679 * lock, and we just tested that it was zero, so we can just
76680 * set it to 1.
76681 */
76682- dentry->d_lockref.count = 1;
76683+ __lockref_set(&dentry->d_lockref, 1);
76684 return 0;
76685 }
76686
76687@@ -788,7 +788,7 @@ repeat:
76688 dentry->d_flags |= DCACHE_REFERENCED;
76689 dentry_lru_add(dentry);
76690
76691- dentry->d_lockref.count--;
76692+ __lockref_dec(&dentry->d_lockref);
76693 spin_unlock(&dentry->d_lock);
76694 return;
76695
76696@@ -803,7 +803,7 @@ EXPORT_SYMBOL(dput);
76697 /* This must be called with d_lock held */
76698 static inline void __dget_dlock(struct dentry *dentry)
76699 {
76700- dentry->d_lockref.count++;
76701+ __lockref_inc(&dentry->d_lockref);
76702 }
76703
76704 static inline void __dget(struct dentry *dentry)
76705@@ -844,8 +844,8 @@ repeat:
76706 goto repeat;
76707 }
76708 rcu_read_unlock();
76709- BUG_ON(!ret->d_lockref.count);
76710- ret->d_lockref.count++;
76711+ BUG_ON(!__lockref_read(&ret->d_lockref));
76712+ __lockref_inc(&ret->d_lockref);
76713 spin_unlock(&ret->d_lock);
76714 return ret;
76715 }
76716@@ -923,9 +923,9 @@ restart:
76717 spin_lock(&inode->i_lock);
76718 hlist_for_each_entry(dentry, &inode->i_dentry, d_u.d_alias) {
76719 spin_lock(&dentry->d_lock);
76720- if (!dentry->d_lockref.count) {
76721+ if (!__lockref_read(&dentry->d_lockref)) {
76722 struct dentry *parent = lock_parent(dentry);
76723- if (likely(!dentry->d_lockref.count)) {
76724+ if (likely(!__lockref_read(&dentry->d_lockref))) {
76725 __dentry_kill(dentry);
76726 dput(parent);
76727 goto restart;
76728@@ -960,7 +960,7 @@ static void shrink_dentry_list(struct list_head *list)
76729 * We found an inuse dentry which was not removed from
76730 * the LRU because of laziness during lookup. Do not free it.
76731 */
76732- if (dentry->d_lockref.count > 0) {
76733+ if (__lockref_read(&dentry->d_lockref) > 0) {
76734 spin_unlock(&dentry->d_lock);
76735 if (parent)
76736 spin_unlock(&parent->d_lock);
76737@@ -998,8 +998,8 @@ static void shrink_dentry_list(struct list_head *list)
76738 dentry = parent;
76739 while (dentry && !lockref_put_or_lock(&dentry->d_lockref)) {
76740 parent = lock_parent(dentry);
76741- if (dentry->d_lockref.count != 1) {
76742- dentry->d_lockref.count--;
76743+ if (__lockref_read(&dentry->d_lockref) != 1) {
76744+ __lockref_inc(&dentry->d_lockref);
76745 spin_unlock(&dentry->d_lock);
76746 if (parent)
76747 spin_unlock(&parent->d_lock);
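Review bot: This conversion turns a decrement into an increment: the removed line is `dentry->d_lockref.count--;` but its replacement is `__lockref_inc(&dentry->d_lockref);`. Every other `count--` in this file is mapped to `__lockref_dec()`. As written, the parent walk in `shrink_dentry_list` would add a reference instead of dropping the one it holds, so these dentries could never reach zero and would stay pinned. The line should read `__lockref_dec(&dentry->d_lockref);`. The enclosing loop continues outside the hunk.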
76748@@ -1039,7 +1039,7 @@ static enum lru_status dentry_lru_isolate(struct list_head *item,
76749 * counts, just remove them from the LRU. Otherwise give them
76750 * another pass through the LRU.
76751 */
76752- if (dentry->d_lockref.count) {
76753+ if (__lockref_read(&dentry->d_lockref)) {
76754 d_lru_isolate(lru, dentry);
76755 spin_unlock(&dentry->d_lock);
76756 return LRU_REMOVED;
76757@@ -1373,7 +1373,7 @@ static enum d_walk_ret select_collect(void *_data, struct dentry *dentry)
76758 } else {
76759 if (dentry->d_flags & DCACHE_LRU_LIST)
76760 d_lru_del(dentry);
76761- if (!dentry->d_lockref.count) {
76762+ if (!__lockref_read(&dentry->d_lockref)) {
76763 d_shrink_add(dentry, &data->dispose);
76764 data->found++;
76765 }
76766@@ -1421,7 +1421,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
76767 return D_WALK_CONTINUE;
76768
76769 /* root with refcount 1 is fine */
76770- if (dentry == _data && dentry->d_lockref.count == 1)
76771+ if (dentry == _data && __lockref_read(&dentry->d_lockref) == 1)
76772 return D_WALK_CONTINUE;
76773
76774 printk(KERN_ERR "BUG: Dentry %p{i=%lx,n=%pd} "
76775@@ -1430,7 +1430,7 @@ static enum d_walk_ret umount_check(void *_data, struct dentry *dentry)
76776 dentry->d_inode ?
76777 dentry->d_inode->i_ino : 0UL,
76778 dentry,
76779- dentry->d_lockref.count,
76780+ __lockref_read(&dentry->d_lockref),
76781 dentry->d_sb->s_type->name,
76782 dentry->d_sb->s_id);
76783 WARN_ON(1);
76784@@ -1571,7 +1571,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
76785 dentry->d_iname[DNAME_INLINE_LEN-1] = 0;
76786 if (name->len > DNAME_INLINE_LEN-1) {
76787 size_t size = offsetof(struct external_name, name[1]);
76788- struct external_name *p = kmalloc(size + name->len, GFP_KERNEL);
76789+ struct external_name *p = kmalloc(round_up(size + name->len, sizeof(unsigned long)), GFP_KERNEL);
76790 if (!p) {
76791 kmem_cache_free(dentry_cache, dentry);
76792 return NULL;
76793@@ -1594,7 +1594,7 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
76794 smp_wmb();
76795 dentry->d_name.name = dname;
76796
76797- dentry->d_lockref.count = 1;
76798+ __lockref_set(&dentry->d_lockref, 1);
76799 dentry->d_flags = 0;
76800 spin_lock_init(&dentry->d_lock);
76801 seqcount_init(&dentry->d_seq);
76802@@ -1603,6 +1603,9 @@ struct dentry *__d_alloc(struct super_block *sb, const struct qstr *name)
76803 dentry->d_sb = sb;
76804 dentry->d_op = NULL;
76805 dentry->d_fsdata = NULL;
76806+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
76807+ atomic_set(&dentry->chroot_refcnt, 0);
76808+#endif
76809 INIT_HLIST_BL_NODE(&dentry->d_hash);
76810 INIT_LIST_HEAD(&dentry->d_lru);
76811 INIT_LIST_HEAD(&dentry->d_subdirs);
76812@@ -2327,7 +2330,7 @@ struct dentry *__d_lookup(const struct dentry *parent, const struct qstr *name)
76813 goto next;
76814 }
76815
76816- dentry->d_lockref.count++;
76817+ __lockref_inc(&dentry->d_lockref);
76818 found = dentry;
76819 spin_unlock(&dentry->d_lock);
76820 break;
76821@@ -2395,7 +2398,7 @@ again:
76822 spin_lock(&dentry->d_lock);
76823 inode = dentry->d_inode;
76824 isdir = S_ISDIR(inode->i_mode);
76825- if (dentry->d_lockref.count == 1) {
76826+ if (__lockref_read(&dentry->d_lockref) == 1) {
76827 if (!spin_trylock(&inode->i_lock)) {
76828 spin_unlock(&dentry->d_lock);
76829 cpu_relax();
76830@@ -3344,7 +3347,7 @@ static enum d_walk_ret d_genocide_kill(void *data, struct dentry *dentry)
76831
76832 if (!(dentry->d_flags & DCACHE_GENOCIDE)) {
76833 dentry->d_flags |= DCACHE_GENOCIDE;
76834- dentry->d_lockref.count--;
76835+ __lockref_dec(&dentry->d_lockref);
76836 }
76837 }
76838 return D_WALK_CONTINUE;
76839@@ -3452,7 +3455,8 @@ void __init vfs_caches_init_early(void)
76840 void __init vfs_caches_init(void)
76841 {
76842 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
76843- SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
76844+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY|
76845+ SLAB_NO_SANITIZE, NULL);
76846
76847 dcache_init();
76848 inode_init();
76849diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
76850index c711be8..23b8df9 100644
76851--- a/fs/debugfs/inode.c
76852+++ b/fs/debugfs/inode.c
76853@@ -402,6 +402,10 @@ EXPORT_SYMBOL_GPL(debugfs_create_file_size);
76854 * If debugfs is not enabled in the kernel, the value -%ENODEV will be
76855 * returned.
76856 */
76857+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
76858+extern int grsec_enable_sysfs_restrict;
76859+#endif
76860+
76861 struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
76862 {
76863 struct dentry *dentry = start_creating(name, parent);
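Review bot: The `extern int grsec_enable_sysfs_restrict;` block is inserted between the closing `*/` of the kernel-doc comment and `debugfs_create_dir()`, which separates the comment from the function it documents. The declaration should move above the start of that comment, or better into a shared header so the `.c` file carries no bare `extern` and the type is checked against the definition.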
76864@@ -414,7 +418,12 @@ struct dentry *debugfs_create_dir(const char *name, struct dentry *parent)
76865 if (unlikely(!inode))
76866 return failed_creating(dentry);
76867
76868- inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
76869+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
76870+ if (grsec_enable_sysfs_restrict)
76871+ inode->i_mode = S_IFDIR | S_IRWXU;
76872+ else
76873+#endif
76874+ inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
76875 inode->i_op = &simple_dir_inode_operations;
76876 inode->i_fop = &simple_dir_operations;
76877
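Review bot: The `if (...) ... else` here straddles the `#endif`, so the unconditional assignment doubles as the `else` body; that shape is easy to break when someone later adds a statement after the `#endif`. Computing the mode into a local first (`umode_t mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;`, then narrowing it inside the `#ifdef`) and assigning `inode->i_mode = mode;` once would read more safely. Also worth a comment: the restriction is sampled only at creation time, so directories created before `grsec_enable_sysfs_restrict` is set keep the world-readable mode.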
76878diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
76879index 754fd6c..ed6acbe 100644
76880--- a/fs/dlm/lowcomms.c
76881+++ b/fs/dlm/lowcomms.c
76882@@ -538,7 +538,7 @@ static void close_connection(struct connection *con, bool and_other)
76883 /* We only send shutdown messages to nodes that are not part of the cluster */
76884 static void sctp_send_shutdown(sctp_assoc_t associd)
76885 {
76886- static char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
76887+ char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))];
76888 struct msghdr outmessage;
76889 struct cmsghdr *cmsg;
76890 struct sctp_sndrcvinfo *sinfo;
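Review bot: Removing `static` from `outcmsg` also removes its implicit zero-initialisation, so the control-message buffer now starts as uninitialised stack memory. Unless the rest of `sctp_send_shutdown` (outside the hunk) clears the whole buffer, any header or padding bytes it does not write explicitly would be handed to the socket layer with stale stack contents. I would initialise it at the declaration: `char outcmsg[CMSG_SPACE(sizeof(struct sctp_sndrcvinfo))] = { 0 };`.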
76891diff --git a/fs/ecryptfs/inode.c b/fs/ecryptfs/inode.c
76892index 3c4db11..a43976f 100644
76893--- a/fs/ecryptfs/inode.c
76894+++ b/fs/ecryptfs/inode.c
76895@@ -662,7 +662,7 @@ static char *ecryptfs_readlink_lower(struct dentry *dentry, size_t *bufsiz)
76896 old_fs = get_fs();
76897 set_fs(get_ds());
76898 rc = d_inode(lower_dentry)->i_op->readlink(lower_dentry,
76899- (char __user *)lower_buf,
76900+ (char __force_user *)lower_buf,
76901 PATH_MAX);
76902 set_fs(old_fs);
76903 if (rc < 0)
76904diff --git a/fs/ecryptfs/miscdev.c b/fs/ecryptfs/miscdev.c
76905index e4141f2..d8263e8 100644
76906--- a/fs/ecryptfs/miscdev.c
76907+++ b/fs/ecryptfs/miscdev.c
76908@@ -304,7 +304,7 @@ check_list:
76909 goto out_unlock_msg_ctx;
76910 i = PKT_TYPE_SIZE + PKT_CTR_SIZE;
76911 if (msg_ctx->msg) {
76912- if (copy_to_user(&buf[i], packet_length, packet_length_size))
76913+ if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
76914 goto out_unlock_msg_ctx;
76915 i += packet_length_size;
76916 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
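Review bot: The new bound on `packet_length_size` shares the `goto out_unlock_msg_ctx` path with a failed copy_to_user(), so a length larger than `packet_length` (presumably a local array, given the `sizeof`) is reported with whatever `rc` was set before this hunk. That makes an internal invariant violation indistinguishable from a bad user pointer. Splitting it out as `if (packet_length_size > sizeof(packet_length)) {` with its own `rc` and a `WARN_ON_ONCE` would make the condition visible in logs and bring the line back under 80 columns. The enclosing function starts and ends outside the hunk.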
76917diff --git a/fs/exec.c b/fs/exec.c
76918index 1977c2a..b6b953a 100644
76919--- a/fs/exec.c
76920+++ b/fs/exec.c
76921@@ -56,8 +56,20 @@
76922 #include <linux/pipe_fs_i.h>
76923 #include <linux/oom.h>
76924 #include <linux/compat.h>
76925+#include <linux/random.h>
76926+#include <linux/seq_file.h>
76927+#include <linux/coredump.h>
76928+#include <linux/mman.h>
76929+
76930+#ifdef CONFIG_PAX_REFCOUNT
76931+#include <linux/kallsyms.h>
76932+#include <linux/kdebug.h>
76933+#endif
76934+
76935+#include <trace/events/fs.h>
76936
76937 #include <asm/uaccess.h>
76938+#include <asm/sections.h>
76939 #include <asm/mmu_context.h>
76940 #include <asm/tlb.h>
76941
76942@@ -66,19 +78,34 @@
76943
76944 #include <trace/events/sched.h>
76945
76946+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
76947+void __weak pax_set_initial_flags(struct linux_binprm *bprm)
76948+{
76949+ pr_warn_once("PAX: PAX_HAVE_ACL_FLAGS was enabled without providing the pax_set_initial_flags callback, this is probably not what you wanted.\n");
76950+}
76951+#endif
76952+
76953+#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
76954+void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
76955+EXPORT_SYMBOL(pax_set_initial_flags_func);
76956+#endif
76957+
76958 int suid_dumpable = 0;
76959
76960 static LIST_HEAD(formats);
76961 static DEFINE_RWLOCK(binfmt_lock);
76962
76963+extern int gr_process_kernel_exec_ban(void);
76964+extern int gr_process_suid_exec_ban(const struct linux_binprm *bprm);
76965+
76966 void __register_binfmt(struct linux_binfmt * fmt, int insert)
76967 {
76968 BUG_ON(!fmt);
76969 if (WARN_ON(!fmt->load_binary))
76970 return;
76971 write_lock(&binfmt_lock);
76972- insert ? list_add(&fmt->lh, &formats) :
76973- list_add_tail(&fmt->lh, &formats);
76974+ insert ? pax_list_add((struct list_head *)&fmt->lh, &formats) :
76975+ pax_list_add_tail((struct list_head *)&fmt->lh, &formats);
76976 write_unlock(&binfmt_lock);
76977 }
76978
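Review bot: The prototypes `extern int gr_process_kernel_exec_ban(void);` and `extern int gr_process_suid_exec_ban(const struct linux_binprm *bprm);` are declared inside fs/exec.c rather than in a shared header, so the compiler cannot check them against the definitions and a later signature change would go unnoticed. Moving them to the header that already declares the other `gr_*` hooks would fix that. The casts in `pax_list_add((struct list_head *)&fmt->lh, &formats)` also need a comment: if they exist to strip a `const` added elsewhere in the patch (not visible here), the comment should say the write is intentional and that `binfmt_lock` serialises it.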
76979@@ -87,7 +114,7 @@ EXPORT_SYMBOL(__register_binfmt);
76980 void unregister_binfmt(struct linux_binfmt * fmt)
76981 {
76982 write_lock(&binfmt_lock);
76983- list_del(&fmt->lh);
76984+ pax_list_del((struct list_head *)&fmt->lh);
76985 write_unlock(&binfmt_lock);
76986 }
76987
76988@@ -183,18 +210,10 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
76989 int write)
76990 {
76991 struct page *page;
76992- int ret;
76993
76994-#ifdef CONFIG_STACK_GROWSUP
76995- if (write) {
76996- ret = expand_downwards(bprm->vma, pos);
76997- if (ret < 0)
76998- return NULL;
76999- }
77000-#endif
77001- ret = get_user_pages(current, bprm->mm, pos,
77002- 1, write, 1, &page, NULL);
77003- if (ret <= 0)
77004+ if (0 > expand_downwards(bprm->vma, pos))
77005+ return NULL;
77006+ if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
77007 return NULL;
77008
77009 if (write) {
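Review bot: The two new conditions use reversed comparisons (`0 > expand_downwards(...)`, `0 >= get_user_pages(...)`), which is not the style of the surrounding code and makes the error checks harder to scan. Prefer `if (expand_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)`. The hunk also makes the expand_downwards() call unconditional, where it used to run only for `write` under CONFIG_STACK_GROWSUP. A short comment explaining why read accesses now expand the vma as well would help the next reader. get_arg_page() continues past the end of the hunk.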
77010@@ -210,6 +229,17 @@ static struct page *get_arg_page(struct linux_binprm *bprm, unsigned long pos,
77011 if (size <= ARG_MAX)
77012 return page;
77013
77014+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
77015+ // only allow 512KB for argv+env on suid/sgid binaries
77016+ // to prevent easy ASLR exhaustion
77017+ if (((!uid_eq(bprm->cred->euid, current_euid())) ||
77018+ (!gid_eq(bprm->cred->egid, current_egid()))) &&
77019+ (size > (512 * 1024))) {
77020+ put_page(page);
77021+ return NULL;
77022+ }
77023+#endif
77024+
77025 /*
77026 * Limit to 1/4-th the stack size for the argv+env strings.
77027 * This ensures that:
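Review bot: The argv+env cap is the bare expression `512 * 1024`, and the euid/egid test for a credential-changing exec is repeated almost verbatim in do_execveat_common() later in this patch, there paired with a bare `8 * 1024 * 1024`. Give both limits names and factor the `!uid_eq(bprm->cred->euid, current_euid()) || !gid_eq(bprm->cred->egid, current_egid())` test into one static helper, so the two sites cannot drift apart. The comment should use the file's `/* */` style and should state that the check is only reached for sizes above `ARG_MAX`, since the `size <= ARG_MAX` return sits just above it.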
77028@@ -269,6 +299,11 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
77029 vma->vm_end = STACK_TOP_MAX;
77030 vma->vm_start = vma->vm_end - PAGE_SIZE;
77031 vma->vm_flags = VM_SOFTDIRTY | VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
77032+
77033+#ifdef CONFIG_PAX_SEGMEXEC
77034+ vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
77035+#endif
77036+
77037 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
77038 INIT_LIST_HEAD(&vma->anon_vma_chain);
77039
77040@@ -280,6 +315,12 @@ static int __bprm_mm_init(struct linux_binprm *bprm)
77041 arch_bprm_mm_init(mm, vma);
77042 up_write(&mm->mmap_sem);
77043 bprm->p = vma->vm_end - sizeof(void *);
77044+
77045+#ifdef CONFIG_PAX_RANDUSTACK
77046+ if (randomize_va_space)
77047+ bprm->p ^= prandom_u32() & ~PAGE_MASK;
77048+#endif
77049+
77050 return 0;
77051 err:
77052 up_write(&mm->mmap_sem);
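Review bot: `prandom_u32()` is the kernel's fast, non-cryptographic generator, yet under CONFIG_PAX_RANDUSTACK it supplies the sub-page offset of the initial stack pointer, a value meant to be unpredictable to an attacker. A generator intended for such use is a better fit, for example `bprm->p ^= get_random_int() & ~PAGE_MASK;`. The line also deserves a comment saying that only the bits below `PAGE_SHIFT` are randomised here and that page-level stack randomisation happens elsewhere. __bprm_mm_init() starts before this hunk.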
77053@@ -396,7 +437,7 @@ struct user_arg_ptr {
77054 } ptr;
77055 };
77056
77057-static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
77058+const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
77059 {
77060 const char __user *native;
77061
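Review bot: Removing `static` gives get_user_arg_ptr() external linkage, but its parameter type `struct user_arg_ptr` is defined in this .c file (the hunk shows the end of the definition just above), and no header declaration appears in this part of the patch. A caller outside fs/exec.c would have to duplicate both the struct layout and the prototype, and the copies could then diverge without a compile error. Either move the struct and the prototype into a shared header, or keep the function `static` and export a narrower wrapper. The function body continues outside the hunk.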
77062@@ -405,14 +446,14 @@ static const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr)
77063 compat_uptr_t compat;
77064
77065 if (get_user(compat, argv.ptr.compat + nr))
77066- return ERR_PTR(-EFAULT);
77067+ return (const char __force_user *)ERR_PTR(-EFAULT);
77068
77069 return compat_ptr(compat);
77070 }
77071 #endif
77072
77073 if (get_user(native, argv.ptr.native + nr))
77074- return ERR_PTR(-EFAULT);
77075+ return (const char __force_user *)ERR_PTR(-EFAULT);
77076
77077 return native;
77078 }
77079@@ -431,7 +472,7 @@ static int count(struct user_arg_ptr argv, int max)
77080 if (!p)
77081 break;
77082
77083- if (IS_ERR(p))
77084+ if (IS_ERR((const char __force_kernel *)p))
77085 return -EFAULT;
77086
77087 if (i >= max)
77088@@ -466,7 +507,7 @@ static int copy_strings(int argc, struct user_arg_ptr argv,
77089
77090 ret = -EFAULT;
77091 str = get_user_arg_ptr(argv, argc);
77092- if (IS_ERR(str))
77093+ if (IS_ERR((const char __force_kernel *)str))
77094 goto out;
77095
77096 len = strnlen_user(str, MAX_ARG_STRLEN);
77097@@ -548,7 +589,7 @@ int copy_strings_kernel(int argc, const char *const *__argv,
77098 int r;
77099 mm_segment_t oldfs = get_fs();
77100 struct user_arg_ptr argv = {
77101- .ptr.native = (const char __user *const __user *)__argv,
77102+ .ptr.native = (const char __user * const __force_user *)__argv,
77103 };
77104
77105 set_fs(KERNEL_DS);
77106@@ -583,7 +624,8 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
77107 unsigned long new_end = old_end - shift;
77108 struct mmu_gather tlb;
77109
77110- BUG_ON(new_start > new_end);
77111+ if (new_start >= new_end || new_start < mmap_min_addr)
77112+ return -ENOMEM;
77113
77114 /*
77115 * ensure there are no vmas between where we want to go
77116@@ -592,6 +634,10 @@ static int shift_arg_pages(struct vm_area_struct *vma, unsigned long shift)
77117 if (vma != find_vma(mm, new_start))
77118 return -EFAULT;
77119
77120+#ifdef CONFIG_PAX_SEGMEXEC
77121+ BUG_ON(pax_find_mirror_vma(vma));
77122+#endif
77123+
77124 /*
77125 * cover the whole range: [new_start, old_end)
77126 */
77127@@ -675,10 +721,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
77128 stack_top = arch_align_stack(stack_top);
77129 stack_top = PAGE_ALIGN(stack_top);
77130
77131- if (unlikely(stack_top < mmap_min_addr) ||
77132- unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
77133- return -ENOMEM;
77134-
77135 stack_shift = vma->vm_end - stack_top;
77136
77137 bprm->p -= stack_shift;
77138@@ -690,8 +732,28 @@ int setup_arg_pages(struct linux_binprm *bprm,
77139 bprm->exec -= stack_shift;
77140
77141 down_write(&mm->mmap_sem);
77142+
77143+ /* Move stack pages down in memory. */
77144+ if (stack_shift) {
77145+ ret = shift_arg_pages(vma, stack_shift);
77146+ if (ret)
77147+ goto out_unlock;
77148+ }
77149+
77150 vm_flags = VM_STACK_FLAGS;
77151
77152+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
77153+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
77154+ vm_flags &= ~VM_EXEC;
77155+
77156+#ifdef CONFIG_PAX_MPROTECT
77157+ if (mm->pax_flags & MF_PAX_MPROTECT)
77158+ vm_flags &= ~VM_MAYEXEC;
77159+#endif
77160+
77161+ }
77162+#endif
77163+
77164 /*
77165 * Adjust stack execute permissions; explicitly enable for
77166 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
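Review bot: The `mmap_min_addr` bound is now enforced only inside shift_arg_pages(), which this hunk calls only under `if (stack_shift)`. The check removed in the preceding hunk (`stack_top < mmap_min_addr` and the size comparison) ran unconditionally, and ran before `bprm->p` was adjusted. If a zero shift can never leave the vma below `mmap_min_addr`, a comment here should say so; otherwise the bound should still be tested on the `stack_shift == 0` path. The shift also now happens before the `VM_EXEC`/`VM_MAYEXEC` adjustments and mprotect_fixup(), so the comment `/* Move stack pages down in memory. */` should explain why the order changed.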
77167@@ -710,13 +772,6 @@ int setup_arg_pages(struct linux_binprm *bprm,
77168 goto out_unlock;
77169 BUG_ON(prev != vma);
77170
77171- /* Move stack pages down in memory. */
77172- if (stack_shift) {
77173- ret = shift_arg_pages(vma, stack_shift);
77174- if (ret)
77175- goto out_unlock;
77176- }
77177-
77178 /* mprotect_fixup is overkill to remove the temporary stack flags */
77179 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
77180
77181@@ -740,6 +795,27 @@ int setup_arg_pages(struct linux_binprm *bprm,
77182 #endif
77183 current->mm->start_stack = bprm->p;
77184 ret = expand_stack(vma, stack_base);
77185+
77186+#if !defined(CONFIG_STACK_GROWSUP) && defined(CONFIG_PAX_RANDMMAP)
77187+ if (!ret && (mm->pax_flags & MF_PAX_RANDMMAP) && STACK_TOP <= 0xFFFFFFFFU && STACK_TOP > vma->vm_end) {
77188+ unsigned long size;
77189+ vm_flags_t vm_flags;
77190+
77191+ size = STACK_TOP - vma->vm_end;
77192+ vm_flags = VM_NONE | VM_DONTEXPAND | VM_DONTDUMP;
77193+
77194+ ret = vma->vm_end != mmap_region(NULL, vma->vm_end, size, vm_flags, 0);
77195+
77196+#ifdef CONFIG_X86
77197+ if (!ret) {
77198+ size = PAGE_SIZE + mmap_min_addr + ((mm->delta_mmap ^ mm->delta_stack) & (0xFFUL << PAGE_SHIFT));
77199+ ret = 0 != mmap_region(NULL, 0, PAGE_ALIGN(size), vm_flags, 0);
77200+ }
77201+#endif
77202+
77203+ }
77204+#endif
77205+
77206 if (ret)
77207 ret = -EFAULT;
77208
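Review bot: The inner `vm_flags_t vm_flags;` shadows the `vm_flags` that setup_arg_pages() already uses (assigned `VM_STACK_FLAGS` in an earlier hunk of the same function), and `ret` is reused to hold the result of a `!=` comparison against mmap_region(). This works only because `if (ret) ret = -EFAULT;` follows, and it discards the error value mmap_region() returned. Rename the local (for instance `gap_flags`) and write the test as an explicit `if (mmap_region(...) != vma->vm_end) ret = -ENOMEM;` so the failure mode is readable. The constants `0xFFFFFFFFU` and `0xFFUL << PAGE_SHIFT` also need a comment saying what address-space limit and what gap size they encode.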
77209@@ -784,8 +860,10 @@ static struct file *do_open_execat(int fd, struct filename *name, int flags)
77210 if (err)
77211 goto exit;
77212
77213- if (name->name[0] != '\0')
77214+ if (name->name[0] != '\0') {
77215 fsnotify_open(file);
77216+ trace_open_exec(name->name);
77217+ }
77218
77219 out:
77220 return file;
77221@@ -818,7 +896,7 @@ int kernel_read(struct file *file, loff_t offset,
77222 old_fs = get_fs();
77223 set_fs(get_ds());
77224 /* The cast to a user pointer is valid due to the set_fs() */
77225- result = vfs_read(file, (void __user *)addr, count, &pos);
77226+ result = vfs_read(file, (void __force_user *)addr, count, &pos);
77227 set_fs(old_fs);
77228 return result;
77229 }
77230@@ -863,6 +941,7 @@ static int exec_mmap(struct mm_struct *mm)
77231 tsk->mm = mm;
77232 tsk->active_mm = mm;
77233 activate_mm(active_mm, mm);
77234+ populate_stack();
77235 tsk->mm->vmacache_seqnum = 0;
77236 vmacache_flush(tsk);
77237 task_unlock(tsk);
77238@@ -1271,7 +1350,7 @@ static void check_unsafe_exec(struct linux_binprm *bprm)
77239 }
77240 rcu_read_unlock();
77241
77242- if (p->fs->users > n_fs)
77243+ if (atomic_read(&p->fs->users) > n_fs)
77244 bprm->unsafe |= LSM_UNSAFE_SHARE;
77245 else
77246 p->fs->in_exec = 1;
77247@@ -1472,6 +1551,31 @@ static int exec_binprm(struct linux_binprm *bprm)
77248 return ret;
77249 }
77250
77251+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
77252+static DEFINE_PER_CPU(u64, exec_counter);
77253+static int __init init_exec_counters(void)
77254+{
77255+ unsigned int cpu;
77256+
77257+ for_each_possible_cpu(cpu) {
77258+ per_cpu(exec_counter, cpu) = (u64)cpu;
77259+ }
77260+
77261+ return 0;
77262+}
77263+early_initcall(init_exec_counters);
77264+static inline void increment_exec_counter(void)
77265+{
77266+ BUILD_BUG_ON(NR_CPUS > (1 << 16));
77267+ current->exec_id = this_cpu_add_return(exec_counter, 1 << 16);
77268+}
77269+#else
77270+static inline void increment_exec_counter(void) {}
77271+#endif
77272+
77273+extern void gr_handle_exec_args(struct linux_binprm *bprm,
77274+ struct user_arg_ptr argv);
77275+
77276 /*
77277 * sys_execve() executes a new program.
77278 */
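Review bot: The exec_counter scheme has no comment, and its correctness rests on a non-obvious invariant: each CPU's counter is seeded with its CPU number and advanced in steps of `1 << 16`, so the low 16 bits carry the CPU id and `BUILD_BUG_ON(NR_CPUS > (1 << 16))` prevents collisions. State that above `DEFINE_PER_CPU`, e.g. `/* exec_id = (per-cpu sequence << 16) | cpu, unique without a shared counter */`. The increment is an `int` expression; `1ULL << 16` would match the `u64` counter type. The `extern void gr_handle_exec_args(...)` prototype belongs in a header rather than in fs/exec.c.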
77279@@ -1480,6 +1584,11 @@ static int do_execveat_common(int fd, struct filename *filename,
77280 struct user_arg_ptr envp,
77281 int flags)
77282 {
77283+#ifdef CONFIG_GRKERNSEC
77284+ struct file *old_exec_file;
77285+ struct acl_subject_label *old_acl;
77286+ struct rlimit old_rlim[RLIM_NLIMITS];
77287+#endif
77288 char *pathbuf = NULL;
77289 struct linux_binprm *bprm;
77290 struct file *file;
77291@@ -1489,6 +1598,8 @@ static int do_execveat_common(int fd, struct filename *filename,
77292 if (IS_ERR(filename))
77293 return PTR_ERR(filename);
77294
77295+ gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current_user()->processes), 1);
77296+
77297 /*
77298 * We move the actual failure in case of RLIMIT_NPROC excess from
77299 * set*uid() to execve() because too many poorly written programs
77300@@ -1526,6 +1637,11 @@ static int do_execveat_common(int fd, struct filename *filename,
77301 if (IS_ERR(file))
77302 goto out_unmark;
77303
77304+ if (gr_ptrace_readexec(file, bprm->unsafe)) {
77305+ retval = -EPERM;
77306+ goto out_unmark;
77307+ }
77308+
77309 sched_exec();
77310
77311 bprm->file = file;
77312@@ -1552,6 +1668,11 @@ static int do_execveat_common(int fd, struct filename *filename,
77313 }
77314 bprm->interp = bprm->filename;
77315
77316+ if (!gr_acl_handle_execve(file->f_path.dentry, file->f_path.mnt)) {
77317+ retval = -EACCES;
77318+ goto out_unmark;
77319+ }
77320+
77321 retval = bprm_mm_init(bprm);
77322 if (retval)
77323 goto out_unmark;
77324@@ -1568,24 +1689,70 @@ static int do_execveat_common(int fd, struct filename *filename,
77325 if (retval < 0)
77326 goto out;
77327
77328+#ifdef CONFIG_GRKERNSEC
77329+ old_acl = current->acl;
77330+ memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
77331+ old_exec_file = current->exec_file;
77332+ get_file(file);
77333+ current->exec_file = file;
77334+#endif
77335+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
77336+ /* limit suid stack to 8MB
77337+ * we saved the old limits above and will restore them if this exec fails
77338+ */
77339+ if (((!uid_eq(bprm->cred->euid, current_euid())) || (!gid_eq(bprm->cred->egid, current_egid()))) &&
77340+ (old_rlim[RLIMIT_STACK].rlim_cur > (8 * 1024 * 1024)))
77341+ current->signal->rlim[RLIMIT_STACK].rlim_cur = 8 * 1024 * 1024;
77342+#endif
77343+
77344+ if (gr_process_kernel_exec_ban() || gr_process_suid_exec_ban(bprm)) {
77345+ retval = -EPERM;
77346+ goto out_fail;
77347+ }
77348+
77349+ if (!gr_tpe_allow(file)) {
77350+ retval = -EACCES;
77351+ goto out_fail;
77352+ }
77353+
77354+ if (gr_check_crash_exec(file)) {
77355+ retval = -EACCES;
77356+ goto out_fail;
77357+ }
77358+
77359+ retval = gr_set_proc_label(file->f_path.dentry, file->f_path.mnt,
77360+ bprm->unsafe);
77361+ if (retval < 0)
77362+ goto out_fail;
77363+
77364 retval = copy_strings_kernel(1, &bprm->filename, bprm);
77365 if (retval < 0)
77366- goto out;
77367+ goto out_fail;
77368
77369 bprm->exec = bprm->p;
77370 retval = copy_strings(bprm->envc, envp, bprm);
77371 if (retval < 0)
77372- goto out;
77373+ goto out_fail;
77374
77375 retval = copy_strings(bprm->argc, argv, bprm);
77376 if (retval < 0)
77377- goto out;
77378+ goto out_fail;
77379+
77380+ gr_log_chroot_exec(file->f_path.dentry, file->f_path.mnt);
77381+
77382+ gr_handle_exec_args(bprm, argv);
77383
77384 retval = exec_binprm(bprm);
77385 if (retval < 0)
77386- goto out;
77387+ goto out_fail;
77388+#ifdef CONFIG_GRKERNSEC
77389+ if (old_exec_file)
77390+ fput(old_exec_file);
77391+#endif
77392
77393 /* execve succeeded */
77394+
77395+ increment_exec_counter();
77396 current->fs->in_exec = 0;
77397 current->in_execve = 0;
77398 acct_update_integrals(current);
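Review bot: The rlimit snapshot is restored on the `out_fail` path (next hunk) with `memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim))`, which rewrites all `RLIM_NLIMITS` entries although only `RLIMIT_STACK.rlim_cur` is changed here. Neither the write nor the restore takes a lock in the visible lines. `signal->rlim` is shared by the thread group, so a limit updated by another thread or a prlimit() caller while this exec is in flight would be silently rolled back on failure. Saving and restoring only the stack `rlim_cur`, under `task_lock(current->group_leader)` as other rlimit writers do, would narrow that window. The repeated `8 * 1024 * 1024` should be a named constant.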
77399@@ -1597,6 +1764,14 @@ static int do_execveat_common(int fd, struct filename *filename,
77400 put_files_struct(displaced);
77401 return retval;
77402
77403+out_fail:
77404+#ifdef CONFIG_GRKERNSEC
77405+ current->acl = old_acl;
77406+ memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
77407+ fput(current->exec_file);
77408+ current->exec_file = old_exec_file;
77409+#endif
77410+
77411 out:
77412 if (bprm->mm) {
77413 acct_arg_size(bprm, 0);
77414@@ -1743,3 +1918,324 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
77415 argv, envp, flags);
77416 }
77417 #endif
77418+
77419+int pax_check_flags(unsigned long *flags)
77420+{
77421+ int retval = 0;
77422+
77423+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
77424+ if (*flags & MF_PAX_SEGMEXEC)
77425+ {
77426+ *flags &= ~MF_PAX_SEGMEXEC;
77427+ retval = -EINVAL;
77428+ }
77429+#endif
77430+
77431+ if ((*flags & MF_PAX_PAGEEXEC)
77432+
77433+#ifdef CONFIG_PAX_PAGEEXEC
77434+ && (*flags & MF_PAX_SEGMEXEC)
77435+#endif
77436+
77437+ )
77438+ {
77439+ *flags &= ~MF_PAX_PAGEEXEC;
77440+ retval = -EINVAL;
77441+ }
77442+
77443+ if ((*flags & MF_PAX_MPROTECT)
77444+
77445+#ifdef CONFIG_PAX_MPROTECT
77446+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
77447+#endif
77448+
77449+ )
77450+ {
77451+ *flags &= ~MF_PAX_MPROTECT;
77452+ retval = -EINVAL;
77453+ }
77454+
77455+ if ((*flags & MF_PAX_EMUTRAMP)
77456+
77457+#ifdef CONFIG_PAX_EMUTRAMP
77458+ && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
77459+#endif
77460+
77461+ )
77462+ {
77463+ *flags &= ~MF_PAX_EMUTRAMP;
77464+ retval = -EINVAL;
77465+ }
77466+
77467+ return retval;
77468+}
77469+
77470+EXPORT_SYMBOL(pax_check_flags);
77471+
77472+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
77473+char *pax_get_path(const struct path *path, char *buf, int buflen)
77474+{
77475+ char *pathname = d_path(path, buf, buflen);
77476+
77477+ if (IS_ERR(pathname))
77478+ goto toolong;
77479+
77480+ pathname = mangle_path(buf, pathname, "\t\n\\");
77481+ if (!pathname)
77482+ goto toolong;
77483+
77484+ *pathname = 0;
77485+ return buf;
77486+
77487+toolong:
77488+ return "<path too long>";
77489+}
77490+EXPORT_SYMBOL(pax_get_path);
77491+
77492+void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
77493+{
77494+ struct task_struct *tsk = current;
77495+ struct mm_struct *mm = current->mm;
77496+ char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
77497+ char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
77498+ char *path_exec = NULL;
77499+ char *path_fault = NULL;
77500+ unsigned long start = 0UL, end = 0UL, offset = 0UL;
77501+ siginfo_t info = { };
77502+
77503+ if (buffer_exec && buffer_fault) {
77504+ struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
77505+
77506+ down_read(&mm->mmap_sem);
77507+ vma = mm->mmap;
77508+ while (vma && (!vma_exec || !vma_fault)) {
77509+ if (vma->vm_file && mm->exe_file == vma->vm_file && (vma->vm_flags & VM_EXEC))
77510+ vma_exec = vma;
77511+ if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
77512+ vma_fault = vma;
77513+ vma = vma->vm_next;
77514+ }
77515+ if (vma_exec)
77516+ path_exec = pax_get_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
77517+ if (vma_fault) {
77518+ start = vma_fault->vm_start;
77519+ end = vma_fault->vm_end;
77520+ offset = vma_fault->vm_pgoff << PAGE_SHIFT;
77521+ if (vma_fault->vm_file)
77522+ path_fault = pax_get_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
77523+ else if ((unsigned long)pc >= mm->start_brk && (unsigned long)pc < mm->brk)
77524+ path_fault = "<heap>";
77525+ else if (vma_fault->vm_flags & (VM_GROWSDOWN | VM_GROWSUP))
77526+ path_fault = "<stack>";
77527+ else
77528+ path_fault = "<anonymous mapping>";
77529+ }
77530+ up_read(&mm->mmap_sem);
77531+ }
77532+ if (tsk->signal->curr_ip)
77533+ printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
77534+ else
77535+ printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
77536+ printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
77537+ from_kuid_munged(&init_user_ns, task_uid(tsk)), from_kuid_munged(&init_user_ns, task_euid(tsk)), pc, sp);
77538+ free_page((unsigned long)buffer_exec);
77539+ free_page((unsigned long)buffer_fault);
77540+ pax_report_insns(regs, pc, sp);
77541+ info.si_signo = SIGKILL;
77542+ info.si_errno = 0;
77543+ info.si_code = SI_KERNEL;
77544+ info.si_pid = 0;
77545+ info.si_uid = 0;
77546+ do_coredump(&info);
77547+}
77548+#endif
77549+
77550+#ifdef CONFIG_PAX_REFCOUNT
77551+void pax_report_refcount_overflow(struct pt_regs *regs)
77552+{
77553+ if (current->signal->curr_ip)
77554+ printk(KERN_EMERG "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
77555+ &current->signal->curr_ip, current->comm, task_pid_nr(current),
77556+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
77557+ else
77558+ printk(KERN_EMERG "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n", current->comm, task_pid_nr(current),
77559+ from_kuid_munged(&init_user_ns, current_uid()), from_kuid_munged(&init_user_ns, current_euid()));
77560+ print_symbol(KERN_EMERG "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
77561+ preempt_disable();
77562+ show_regs(regs);
77563+ preempt_enable();
77564+ force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
77565+}
77566+#endif
77567+
77568+#ifdef CONFIG_PAX_USERCOPY
77569+/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
77570+static noinline int check_stack_object(const void *obj, unsigned long len)
77571+{
77572+ const void * const stack = task_stack_page(current);
77573+ const void * const stackend = stack + THREAD_SIZE;
77574+
77575+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
77576+ const void *frame = NULL;
77577+ const void *oldframe;
77578+#endif
77579+
77580+ if (obj + len < obj)
77581+ return -1;
77582+
77583+ if (obj + len <= stack || stackend <= obj)
77584+ return 0;
77585+
77586+ if (obj < stack || stackend < obj + len)
77587+ return -1;
77588+
77589+#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
77590+ oldframe = __builtin_frame_address(1);
77591+ if (oldframe)
77592+ frame = __builtin_frame_address(2);
77593+ /*
77594+ low ----------------------------------------------> high
77595+ [saved bp][saved ip][args][local vars][saved bp][saved ip]
77596+ ^----------------^
77597+ allow copies only within here
77598+ */
77599+ while (stack <= frame && frame < stackend) {
77600+ /* if obj + len extends past the last frame, this
77601+ check won't pass and the next frame will be 0,
77602+ causing us to bail out and correctly report
77603+ the copy as invalid
77604+ */
77605+ if (obj + len <= frame)
77606+ return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
77607+ oldframe = frame;
77608+ frame = *(const void * const *)frame;
77609+ }
77610+ return -1;
77611+#else
77612+ return 1;
77613+#endif
77614+}
77615+
77616+static __noreturn void pax_report_usercopy(const void *ptr, unsigned long len, bool to_user, const char *type)
77617+{
77618+ if (current->signal->curr_ip)
77619+ printk(KERN_EMERG "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
77620+ &current->signal->curr_ip, to_user ? "leak" : "overwrite", to_user ? "from" : "to", ptr, type ? : "unknown", len);
77621+ else
77622+ printk(KERN_EMERG "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
77623+ to_user ? "leak" : "overwrite", to_user ? "from" : "to", ptr, type ? : "unknown", len);
77624+ dump_stack();
77625+ gr_handle_kernel_exploit();
77626+ do_group_exit(SIGKILL);
77627+}
77628+#endif
77629+
77630+#ifdef CONFIG_PAX_USERCOPY
77631+
77632+static inline bool check_kernel_text_object(unsigned long low, unsigned long high)
77633+{
77634+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
77635+ unsigned long textlow = ktla_ktva((unsigned long)_stext);
77636+#ifdef CONFIG_MODULES
77637+ unsigned long texthigh = (unsigned long)MODULES_EXEC_VADDR;
77638+#else
77639+ unsigned long texthigh = ktla_ktva((unsigned long)_etext);
77640+#endif
77641+
77642+#else
77643+ unsigned long textlow = (unsigned long)_stext;
77644+ unsigned long texthigh = (unsigned long)_etext;
77645+
77646+#ifdef CONFIG_X86_64
77647+ /* check against linear mapping as well */
77648+ if (high > (unsigned long)__va(__pa(textlow)) &&
77649+ low < (unsigned long)__va(__pa(texthigh)))
77650+ return true;
77651+#endif
77652+
77653+#endif
77654+
77655+ if (high <= textlow || low >= texthigh)
77656+ return false;
77657+ else
77658+ return true;
77659+}
77660+#endif
77661+
77662+void __check_object_size(const void *ptr, unsigned long n, bool to_user, bool const_size)
77663+{
77664+#ifdef CONFIG_PAX_USERCOPY
77665+ const char *type;
77666+#endif
77667+
77668+#if !defined(CONFIG_STACK_GROWSUP) && !defined(CONFIG_X86_64)
77669+ unsigned long stackstart = (unsigned long)task_stack_page(current);
77670+ unsigned long currentsp = (unsigned long)&stackstart;
77671+ if (unlikely((currentsp < stackstart + 512 ||
77672+ currentsp >= stackstart + THREAD_SIZE) && !in_interrupt()))
77673+ BUG();
77674+#endif
77675+
77676+#ifndef CONFIG_PAX_USERCOPY_DEBUG
77677+ if (const_size)
77678+ return;
77679+#endif
77680+
77681+#ifdef CONFIG_PAX_USERCOPY
77682+ if (!n)
77683+ return;
77684+
77685+ type = check_heap_object(ptr, n);
77686+ if (!type) {
77687+ int ret = check_stack_object(ptr, n);
77688+ if (ret == 1 || ret == 2)
77689+ return;
77690+ if (ret == 0) {
77691+ if (check_kernel_text_object((unsigned long)ptr, (unsigned long)ptr + n))
77692+ type = "<kernel text>";
77693+ else
77694+ return;
77695+ } else
77696+ type = "<process stack>";
77697+ }
77698+
77699+ pax_report_usercopy(ptr, n, to_user, type);
77700+#endif
77701+
77702+}
77703+EXPORT_SYMBOL(__check_object_size);
77704+
77705+#ifdef CONFIG_PAX_MEMORY_STACKLEAK
77706+void __used pax_track_stack(void)
77707+{
77708+ unsigned long sp = (unsigned long)&sp;
77709+ if (sp < current_thread_info()->lowest_stack &&
77710+ sp >= (unsigned long)task_stack_page(current) + 2 * sizeof(unsigned long))
77711+ current_thread_info()->lowest_stack = sp;
77712+ if (unlikely((sp & ~(THREAD_SIZE - 1)) < (THREAD_SIZE/16)))
77713+ BUG();
77714+}
77715+EXPORT_SYMBOL(pax_track_stack);
77716+#endif
77717+
77718+#ifdef CONFIG_PAX_SIZE_OVERFLOW
77719+
77720+#ifdef CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL
77721+static DEFINE_RATELIMIT_STATE(size_overflow_ratelimit, 15 * HZ, 3);
77722+#endif
77723+
77724+void __nocapture(1, 3, 4) __used report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
77725+{
77726+#ifdef CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL
77727+ if (__ratelimit(&size_overflow_ratelimit)) {
77728+ printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
77729+ dump_stack();
77730+ }
77731+#else
77732+ printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
77733+ dump_stack();
77734+ do_group_exit(SIGKILL);
77735+#endif
77736+}
77737+EXPORT_SYMBOL(report_size_overflow);
77738+#endif
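Review bot: pax_report_fault() runs file paths through `mangle_path(buf, pathname, "\t\n\\")` before logging them, but `tsk->comm` goes into the same printk lines unescaped, as does `current->comm` in pax_report_refcount_overflow(). The task name is set by the process being reported on, so it can carry newlines or other control characters into exactly the log records that defenders rely on. How much reaches the reader depends on the log consumer. Copy the name with get_task_comm() and escape it the same way as the paths before printing. Separately, both `report_size_overflow()` format strings lack a trailing `\n`, and the refcount message spells "occurred" as "occured", which matters to anyone grepping for it.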
77739diff --git a/fs/ext2/balloc.c b/fs/ext2/balloc.c
77740index 9f9992b..8b59411 100644
77741--- a/fs/ext2/balloc.c
77742+++ b/fs/ext2/balloc.c
77743@@ -1184,10 +1184,10 @@ static int ext2_has_free_blocks(struct ext2_sb_info *sbi)
77744
77745 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
77746 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
77747- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
77748+ if (free_blocks < root_blocks + 1 &&
77749 !uid_eq(sbi->s_resuid, current_fsuid()) &&
77750 (gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) ||
77751- !in_group_p (sbi->s_resgid))) {
77752+ !in_group_p (sbi->s_resgid)) && !capable_nolog(CAP_SYS_RESOURCE)) {
77753 return 0;
77754 }
77755 return 1;
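Review bot: Moving the capability test to the end of the condition and switching it to `capable_nolog(CAP_SYS_RESOURCE)` changes when the check is evaluated and presumably whether it is logged, but nothing in the code says so. A later cleanup could easily reorder it back. Add a comment above the `if`, e.g. `/* test the capability last and without logging: most callers are settled by the resuid/resgid tests */`, adjusted to the real rationale. The same reordering appears in ext3_has_free_blocks() and ext4_has_free_clusters() further down and needs the same comment. The enclosing function starts outside the hunk.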
77756diff --git a/fs/ext2/super.c b/fs/ext2/super.c
77757index 900e19c..f7dc2b8 100644
77758--- a/fs/ext2/super.c
77759+++ b/fs/ext2/super.c
77760@@ -267,10 +267,8 @@ static int ext2_show_options(struct seq_file *seq, struct dentry *root)
77761 #ifdef CONFIG_EXT2_FS_XATTR
77762 if (test_opt(sb, XATTR_USER))
77763 seq_puts(seq, ",user_xattr");
77764- if (!test_opt(sb, XATTR_USER) &&
77765- (def_mount_opts & EXT2_DEFM_XATTR_USER)) {
77766+ if (!test_opt(sb, XATTR_USER))
77767 seq_puts(seq, ",nouser_xattr");
77768- }
77769 #endif
77770
77771 #ifdef CONFIG_EXT2_FS_POSIX_ACL
77772@@ -856,8 +854,8 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
77773 if (def_mount_opts & EXT2_DEFM_UID16)
77774 set_opt(sbi->s_mount_opt, NO_UID32);
77775 #ifdef CONFIG_EXT2_FS_XATTR
77776- if (def_mount_opts & EXT2_DEFM_XATTR_USER)
77777- set_opt(sbi->s_mount_opt, XATTR_USER);
77778+ /* always enable user xattrs */
77779+ set_opt(sbi->s_mount_opt, XATTR_USER);
77780 #endif
77781 #ifdef CONFIG_EXT2_FS_POSIX_ACL
77782 if (def_mount_opts & EXT2_DEFM_ACL)
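Review bot: The comment `/* always enable user xattrs */` restates the line but does not say why the superblock's `EXT2_DEFM_XATTR_USER` default is now ignored. This is a policy change: a filesystem whose on-disk defaults deliberately left user xattrs off gets them enabled on mount, and whether an explicit `nouser_xattr` option still overrides depends on option parsing outside this hunk. The comment should name the feature that requires user xattrs and state that the mount option remains the way to opt out, if that is the case. ext3_fill_super() receives the identical change later in the patch, and ext2_show_options()/ext3_show_options() are adjusted to match.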
77783diff --git a/fs/ext2/xattr.c b/fs/ext2/xattr.c
77784index 0b6bfd3..93a2964 100644
77785--- a/fs/ext2/xattr.c
77786+++ b/fs/ext2/xattr.c
77787@@ -247,7 +247,7 @@ ext2_xattr_list(struct dentry *dentry, char *buffer, size_t buffer_size)
77788 struct buffer_head *bh = NULL;
77789 struct ext2_xattr_entry *entry;
77790 char *end;
77791- size_t rest = buffer_size;
77792+ size_t rest = buffer_size, total_size = 0;
77793 int error;
77794
77795 ea_idebug(inode, "buffer=%p, buffer_size=%ld",
77796@@ -305,9 +305,10 @@ bad_block: ext2_error(inode->i_sb, "ext2_xattr_list",
77797 buffer += size;
77798 }
77799 rest -= size;
77800+ total_size += size;
77801 }
77802 }
77803- error = buffer_size - rest; /* total size */
77804+ error = total_size;
77805
77806 cleanup:
77807 brelse(bh);
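Review bot: `error = total_size;` narrows a `size_t` into the `int` result with no range check, and the context line `rest -= size;` still runs on every iteration even though `rest` no longer feeds the return value. If, as the brace structure suggests, the decrement sits outside the `if (buffer)` branch, it still wraps in the size-query case where `buffer_size` is 0. That is the same unsigned wrap the new `total_size` accumulator appears to be avoiding. Moving `rest -= size;` inside the branch that checks `size > rest` would remove it. The same applies to ext3_xattr_list_entries() below. The loop and the buffer test start outside this hunk.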
77808diff --git a/fs/ext3/balloc.c b/fs/ext3/balloc.c
77809index 158b5d4..2432610 100644
77810--- a/fs/ext3/balloc.c
77811+++ b/fs/ext3/balloc.c
77812@@ -1438,10 +1438,10 @@ static int ext3_has_free_blocks(struct ext3_sb_info *sbi, int use_reservation)
77813
77814 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
77815 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
77816- if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
77817+ if (free_blocks < root_blocks + 1 &&
77818 !use_reservation && !uid_eq(sbi->s_resuid, current_fsuid()) &&
77819 (gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) ||
77820- !in_group_p (sbi->s_resgid))) {
77821+ !in_group_p (sbi->s_resgid)) && !capable_nolog(CAP_SYS_RESOURCE)) {
77822 return 0;
77823 }
77824 return 1;
77825diff --git a/fs/ext3/super.c b/fs/ext3/super.c
77826index 5ed0044..656e3d2 100644
77827--- a/fs/ext3/super.c
77828+++ b/fs/ext3/super.c
77829@@ -655,10 +655,8 @@ static int ext3_show_options(struct seq_file *seq, struct dentry *root)
77830 #ifdef CONFIG_EXT3_FS_XATTR
77831 if (test_opt(sb, XATTR_USER))
77832 seq_puts(seq, ",user_xattr");
77833- if (!test_opt(sb, XATTR_USER) &&
77834- (def_mount_opts & EXT3_DEFM_XATTR_USER)) {
77835+ if (!test_opt(sb, XATTR_USER))
77836 seq_puts(seq, ",nouser_xattr");
77837- }
77838 #endif
77839 #ifdef CONFIG_EXT3_FS_POSIX_ACL
77840 if (test_opt(sb, POSIX_ACL))
77841@@ -1760,8 +1758,8 @@ static int ext3_fill_super (struct super_block *sb, void *data, int silent)
77842 if (def_mount_opts & EXT3_DEFM_UID16)
77843 set_opt(sbi->s_mount_opt, NO_UID32);
77844 #ifdef CONFIG_EXT3_FS_XATTR
77845- if (def_mount_opts & EXT3_DEFM_XATTR_USER)
77846- set_opt(sbi->s_mount_opt, XATTR_USER);
77847+ /* always enable user xattrs */
77848+ set_opt(sbi->s_mount_opt, XATTR_USER);
77849 #endif
77850 #ifdef CONFIG_EXT3_FS_POSIX_ACL
77851 if (def_mount_opts & EXT3_DEFM_ACL)
77852diff --git a/fs/ext3/xattr.c b/fs/ext3/xattr.c
77853index 7cf3650..e3f4a51 100644
77854--- a/fs/ext3/xattr.c
77855+++ b/fs/ext3/xattr.c
77856@@ -330,7 +330,7 @@ static int
77857 ext3_xattr_list_entries(struct dentry *dentry, struct ext3_xattr_entry *entry,
77858 char *buffer, size_t buffer_size)
77859 {
77860- size_t rest = buffer_size;
77861+ size_t rest = buffer_size, total_size = 0;
77862
77863 for (; !IS_LAST_ENTRY(entry); entry = EXT3_XATTR_NEXT(entry)) {
77864 const struct xattr_handler *handler =
77865@@ -347,9 +347,10 @@ ext3_xattr_list_entries(struct dentry *dentry, struct ext3_xattr_entry *entry,
77866 buffer += size;
77867 }
77868 rest -= size;
77869+ total_size += size;
77870 }
77871 }
77872- return buffer_size - rest;
77873+ return total_size;
77874 }
77875
77876 static int
77877diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
77878index cd6ea29..1cd2a97 100644
77879--- a/fs/ext4/balloc.c
77880+++ b/fs/ext4/balloc.c
77881@@ -556,8 +556,8 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
77882 /* Hm, nope. Are (enough) root reserved clusters available? */
77883 if (uid_eq(sbi->s_resuid, current_fsuid()) ||
77884 (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) && in_group_p(sbi->s_resgid)) ||
77885- capable(CAP_SYS_RESOURCE) ||
77886- (flags & EXT4_MB_USE_ROOT_BLOCKS)) {
77887+ (flags & EXT4_MB_USE_ROOT_BLOCKS) ||
77888+ capable_nolog(CAP_SYS_RESOURCE)) {
77889
77890 if (free_clusters >= (nclusters + dirty_clusters +
77891 resv_clusters))
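Review bot: Moving the capability test to the end of the `||` chain carries no comment, so a later cleanup could easily move it back. If the intent is, as the name `capable_nolog` suggests, that the capability is consulted only when neither the reserved uid/gid nor `EXT4_MB_USE_ROOT_BLOCKS` already grants access, and without producing a log record, say so above the condition: `/* capability check last and unlogged: only reached when nothing else grants the reserve */`. `capable_nolog` is defined outside this hunk, so its exact semantics should be confirmed before the comment is committed.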
77892diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
77893index f5e9f04..91296b9 100644
77894--- a/fs/ext4/ext4.h
77895+++ b/fs/ext4/ext4.h
77896@@ -1305,19 +1305,19 @@ struct ext4_sb_info {
77897 unsigned long s_mb_last_start;
77898
77899 /* stats for buddy allocator */
77900- atomic_t s_bal_reqs; /* number of reqs with len > 1 */
77901- atomic_t s_bal_success; /* we found long enough chunks */
77902- atomic_t s_bal_allocated; /* in blocks */
77903- atomic_t s_bal_ex_scanned; /* total extents scanned */
77904- atomic_t s_bal_goals; /* goal hits */
77905- atomic_t s_bal_breaks; /* too long searches */
77906- atomic_t s_bal_2orders; /* 2^order hits */
77907+ atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
77908+ atomic_unchecked_t s_bal_success; /* we found long enough chunks */
77909+ atomic_unchecked_t s_bal_allocated; /* in blocks */
77910+ atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
77911+ atomic_unchecked_t s_bal_goals; /* goal hits */
77912+ atomic_unchecked_t s_bal_breaks; /* too long searches */
77913+ atomic_unchecked_t s_bal_2orders; /* 2^order hits */
77914 spinlock_t s_bal_lock;
77915 unsigned long s_mb_buddies_generated;
77916 unsigned long long s_mb_generation_time;
77917- atomic_t s_mb_lost_chunks;
77918- atomic_t s_mb_preallocated;
77919- atomic_t s_mb_discarded;
77920+ atomic_unchecked_t s_mb_lost_chunks;
77921+ atomic_unchecked_t s_mb_preallocated;
77922+ atomic_unchecked_t s_mb_discarded;
77923 atomic_t s_lock_busy;
77924
77925 /* locality groups */
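Review bot: The switch to `atomic_unchecked_t` opts these fields out of the patch's atomic overflow checking, yet only the `s_bal_*` group sits under a comment (`/* stats for buddy allocator */`) that justifies it. `s_mb_lost_chunks`, `s_mb_preallocated` and `s_mb_discarded` are converted without any statement that they are statistics. In the fs/ext4/mballoc.c hunks of this patch they are only incremented, added to and printed, which supports that reading. A comment above them such as `/* statistics only, wrap-around is harmless */` would also explain why `s_lock_busy` right below stays a plain `atomic_t`.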
77926diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
77927index 34b610e..ecc47cb 100644
77928--- a/fs/ext4/mballoc.c
77929+++ b/fs/ext4/mballoc.c
77930@@ -1905,7 +1905,7 @@ void ext4_mb_simple_scan_group(struct ext4_allocation_context *ac,
77931 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
77932
77933 if (EXT4_SB(sb)->s_mb_stats)
77934- atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
77935+ atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
77936
77937 break;
77938 }
77939@@ -2228,7 +2228,7 @@ repeat:
77940 ac->ac_status = AC_STATUS_CONTINUE;
77941 ac->ac_flags |= EXT4_MB_HINT_FIRST;
77942 cr = 3;
77943- atomic_inc(&sbi->s_mb_lost_chunks);
77944+ atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
77945 goto repeat;
77946 }
77947 }
77948@@ -2732,25 +2732,25 @@ int ext4_mb_release(struct super_block *sb)
77949 if (sbi->s_mb_stats) {
77950 ext4_msg(sb, KERN_INFO,
77951 "mballoc: %u blocks %u reqs (%u success)",
77952- atomic_read(&sbi->s_bal_allocated),
77953- atomic_read(&sbi->s_bal_reqs),
77954- atomic_read(&sbi->s_bal_success));
77955+ atomic_read_unchecked(&sbi->s_bal_allocated),
77956+ atomic_read_unchecked(&sbi->s_bal_reqs),
77957+ atomic_read_unchecked(&sbi->s_bal_success));
77958 ext4_msg(sb, KERN_INFO,
77959 "mballoc: %u extents scanned, %u goal hits, "
77960 "%u 2^N hits, %u breaks, %u lost",
77961- atomic_read(&sbi->s_bal_ex_scanned),
77962- atomic_read(&sbi->s_bal_goals),
77963- atomic_read(&sbi->s_bal_2orders),
77964- atomic_read(&sbi->s_bal_breaks),
77965- atomic_read(&sbi->s_mb_lost_chunks));
77966+ atomic_read_unchecked(&sbi->s_bal_ex_scanned),
77967+ atomic_read_unchecked(&sbi->s_bal_goals),
77968+ atomic_read_unchecked(&sbi->s_bal_2orders),
77969+ atomic_read_unchecked(&sbi->s_bal_breaks),
77970+ atomic_read_unchecked(&sbi->s_mb_lost_chunks));
77971 ext4_msg(sb, KERN_INFO,
77972 "mballoc: %lu generated and it took %Lu",
77973 sbi->s_mb_buddies_generated,
77974 sbi->s_mb_generation_time);
77975 ext4_msg(sb, KERN_INFO,
77976 "mballoc: %u preallocated, %u discarded",
77977- atomic_read(&sbi->s_mb_preallocated),
77978- atomic_read(&sbi->s_mb_discarded));
77979+ atomic_read_unchecked(&sbi->s_mb_preallocated),
77980+ atomic_read_unchecked(&sbi->s_mb_discarded));
77981 }
77982
77983 free_percpu(sbi->s_locality_groups);
77984@@ -3206,16 +3206,16 @@ static void ext4_mb_collect_stats(struct ext4_allocation_context *ac)
77985 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
77986
77987 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
77988- atomic_inc(&sbi->s_bal_reqs);
77989- atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
77990+ atomic_inc_unchecked(&sbi->s_bal_reqs);
77991+ atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
77992 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
77993- atomic_inc(&sbi->s_bal_success);
77994- atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
77995+ atomic_inc_unchecked(&sbi->s_bal_success);
77996+ atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
77997 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
77998 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
77999- atomic_inc(&sbi->s_bal_goals);
78000+ atomic_inc_unchecked(&sbi->s_bal_goals);
78001 if (ac->ac_found > sbi->s_mb_max_to_scan)
78002- atomic_inc(&sbi->s_bal_breaks);
78003+ atomic_inc_unchecked(&sbi->s_bal_breaks);
78004 }
78005
78006 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
78007@@ -3642,7 +3642,7 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
78008 trace_ext4_mb_new_inode_pa(ac, pa);
78009
78010 ext4_mb_use_inode_pa(ac, pa);
78011- atomic_add(pa->pa_free, &sbi->s_mb_preallocated);
78012+ atomic_add_unchecked(pa->pa_free, &sbi->s_mb_preallocated);
78013
78014 ei = EXT4_I(ac->ac_inode);
78015 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
78016@@ -3702,7 +3702,7 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
78017 trace_ext4_mb_new_group_pa(ac, pa);
78018
78019 ext4_mb_use_group_pa(ac, pa);
78020- atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
78021+ atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
78022
78023 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
78024 lg = ac->ac_lg;
78025@@ -3791,7 +3791,7 @@ ext4_mb_release_inode_pa(struct ext4_buddy *e4b, struct buffer_head *bitmap_bh,
78026 * from the bitmap and continue.
78027 */
78028 }
78029- atomic_add(free, &sbi->s_mb_discarded);
78030+ atomic_add_unchecked(free, &sbi->s_mb_discarded);
78031
78032 return err;
78033 }
78034@@ -3809,7 +3809,7 @@ ext4_mb_release_group_pa(struct ext4_buddy *e4b,
78035 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
78036 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
78037 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
78038- atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
78039+ atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
78040 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
78041
78042 return 0;
78043diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
78044index 8313ca3..8a37d08 100644
78045--- a/fs/ext4/mmp.c
78046+++ b/fs/ext4/mmp.c
78047@@ -111,7 +111,7 @@ static int read_mmp_block(struct super_block *sb, struct buffer_head **bh,
78048 void __dump_mmp_msg(struct super_block *sb, struct mmp_struct *mmp,
78049 const char *function, unsigned int line, const char *msg)
78050 {
78051- __ext4_warning(sb, function, line, msg);
78052+ __ext4_warning(sb, function, line, "%s", msg);
78053 __ext4_warning(sb, function, line,
78054 "MMP failure info: last update time: %llu, last update "
78055 "node: %s, last update device: %s\n",
78056diff --git a/fs/ext4/resize.c b/fs/ext4/resize.c
78057index cf0c472..ddf284d 100644
78058--- a/fs/ext4/resize.c
78059+++ b/fs/ext4/resize.c
78060@@ -413,7 +413,7 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
78061
78062 ext4_debug("mark blocks [%llu/%u] used\n", block, count);
78063 for (count2 = count; count > 0; count -= count2, block += count2) {
78064- ext4_fsblk_t start;
78065+ ext4_fsblk_t start, diff;
78066 struct buffer_head *bh;
78067 ext4_group_t group;
78068 int err;
78069@@ -422,10 +422,6 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
78070 start = ext4_group_first_block_no(sb, group);
78071 group -= flex_gd->groups[0].group;
78072
78073- count2 = EXT4_BLOCKS_PER_GROUP(sb) - (block - start);
78074- if (count2 > count)
78075- count2 = count;
78076-
78077 if (flex_gd->bg_flags[group] & EXT4_BG_BLOCK_UNINIT) {
78078 BUG_ON(flex_gd->count > 1);
78079 continue;
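Review bot: Moving the `count2` clamp below the `EXT4_BG_BLOCK_UNINIT` test (it is re-added in the next hunk, after `ext4_journal_get_write_access`) changes what the `continue` path does. The loop increment `count -= count2, block += count2` now runs with `count2` left over from the previous iteration, or from the initialiser `count2 = count` on the first one; before the change it had always been recomputed for the current group by that point. Unless that is intended, keep the clamp above the test and introduce only the new local there: `diff = block - start;`, then `count2 = EXT4_BLOCKS_PER_GROUP(sb) - diff;` and the existing `if (count2 > count) count2 = count;`. set_flexbg_block_bitmap starts and ends outside these hunks.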
78080@@ -443,9 +439,15 @@ static int set_flexbg_block_bitmap(struct super_block *sb, handle_t *handle,
78081 err = ext4_journal_get_write_access(handle, bh);
78082 if (err)
78083 return err;
78084+
78085+ diff = block - start;
78086+ count2 = EXT4_BLOCKS_PER_GROUP(sb) - diff;
78087+ if (count2 > count)
78088+ count2 = count;
78089+
78090 ext4_debug("mark block bitmap %#04llx (+%llu/%u)\n", block,
78091- block - start, count2);
78092- ext4_set_bits(bh->b_data, block - start, count2);
78093+ diff, count2);
78094+ ext4_set_bits(bh->b_data, diff, count2);
78095
78096 err = ext4_handle_dirty_metadata(handle, NULL, bh);
78097 if (unlikely(err))
78098diff --git a/fs/ext4/super.c b/fs/ext4/super.c
78099index a5e8c74..a7711a8 100644
78100--- a/fs/ext4/super.c
78101+++ b/fs/ext4/super.c
78102@@ -1274,7 +1274,7 @@ static ext4_fsblk_t get_sb_block(void **data)
78103 }
78104
78105 #define DEFAULT_JOURNAL_IOPRIO (IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, 3))
78106-static char deprecated_msg[] = "Mount option \"%s\" will be removed by %s\n"
78107+static const char deprecated_msg[] = "Mount option \"%s\" will be removed by %s\n"
78108 "Contact linux-ext4@vger.kernel.org if you think we should keep it.\n";
78109
78110 #ifdef CONFIG_QUOTA
78111@@ -2484,7 +2484,7 @@ struct ext4_attr {
78112 int offset;
78113 int deprecated_val;
78114 } u;
78115-};
78116+} __do_const;
78117
78118 static int parse_strtoull(const char *buf,
78119 unsigned long long max, unsigned long long *value)
78120diff --git a/fs/ext4/xattr.c b/fs/ext4/xattr.c
78121index 16e28c0..728c282 100644
78122--- a/fs/ext4/xattr.c
78123+++ b/fs/ext4/xattr.c
78124@@ -398,7 +398,7 @@ static int
78125 ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
78126 char *buffer, size_t buffer_size)
78127 {
78128- size_t rest = buffer_size;
78129+ size_t rest = buffer_size, total_size = 0;
78130
78131 for (; !IS_LAST_ENTRY(entry); entry = EXT4_XATTR_NEXT(entry)) {
78132 const struct xattr_handler *handler =
78133@@ -415,9 +415,10 @@ ext4_xattr_list_entries(struct dentry *dentry, struct ext4_xattr_entry *entry,
78134 buffer += size;
78135 }
78136 rest -= size;
78137+ total_size += size;
78138 }
78139 }
78140- return buffer_size - rest;
78141+ return total_size;
78142 }
78143
78144 static int
78145diff --git a/fs/fcntl.c b/fs/fcntl.c
78146index ee85cd4..9dd0d20 100644
78147--- a/fs/fcntl.c
78148+++ b/fs/fcntl.c
78149@@ -102,6 +102,10 @@ void __f_setown(struct file *filp, struct pid *pid, enum pid_type type,
78150 int force)
78151 {
78152 security_file_set_fowner(filp);
78153+ if (gr_handle_chroot_fowner(pid, type))
78154+ return;
78155+ if (gr_check_protected_task_fowner(pid, type))
78156+ return;
78157 f_modown(filp, pid, type, force);
78158 }
78159 EXPORT_SYMBOL(__f_setown);
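Review bot: `security_file_set_fowner(filp)` still runs before the two new checks. When `gr_handle_chroot_fowner` or `gr_check_protected_task_fowner` rejects the request, the LSM hook may already have recorded an owner change that `f_modown` then never performs. Placing the two `gr_` checks ahead of the hook would keep both views consistent. Because `__f_setown` returns `void`, the rejection is also invisible to callers, which deserves a comment such as `/* denied silently: callers cannot see the refusal, the owner is left unchanged */`.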
78160diff --git a/fs/fhandle.c b/fs/fhandle.c
78161index d59712d..2281df9 100644
78162--- a/fs/fhandle.c
78163+++ b/fs/fhandle.c
78164@@ -8,6 +8,7 @@
78165 #include <linux/fs_struct.h>
78166 #include <linux/fsnotify.h>
78167 #include <linux/personality.h>
78168+#include <linux/grsecurity.h>
78169 #include <asm/uaccess.h>
78170 #include "internal.h"
78171 #include "mount.h"
78172@@ -67,8 +68,7 @@ static long do_sys_name_to_handle(struct path *path,
78173 } else
78174 retval = 0;
78175 /* copy the mount id */
78176- if (copy_to_user(mnt_id, &real_mount(path->mnt)->mnt_id,
78177- sizeof(*mnt_id)) ||
78178+ if (put_user(real_mount(path->mnt)->mnt_id, mnt_id) ||
78179 copy_to_user(ufh, handle,
78180 sizeof(struct file_handle) + handle_bytes))
78181 retval = -EFAULT;
78182@@ -175,7 +175,7 @@ static int handle_to_path(int mountdirfd, struct file_handle __user *ufh,
78183 * the directory. Ideally we would like CAP_DAC_SEARCH.
78184 * But we don't have that
78185 */
78186- if (!capable(CAP_DAC_READ_SEARCH)) {
78187+ if (!capable(CAP_DAC_READ_SEARCH) || !gr_chroot_fhandle()) {
78188 retval = -EPERM;
78189 goto out_err;
78190 }
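Review bot: The added `|| !gr_chroot_fhandle()` is not covered by the comment above it, which still talks only about the capability, and the helper's polarity is not evident from its name. From this use it has to return non-zero when the call is permitted. A sentence in the comment, for example `also refused when gr_chroot_fhandle() denies the caller`, would keep the next reader from inverting it. The helper is declared outside this hunk, so the wording should be checked against its definition; handle_to_path also continues outside the hunk.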
78191diff --git a/fs/file.c b/fs/file.c
78192index 6c672ad..bf787b0 100644
78193--- a/fs/file.c
78194+++ b/fs/file.c
78195@@ -16,6 +16,7 @@
78196 #include <linux/slab.h>
78197 #include <linux/vmalloc.h>
78198 #include <linux/file.h>
78199+#include <linux/security.h>
78200 #include <linux/fdtable.h>
78201 #include <linux/bitops.h>
78202 #include <linux/interrupt.h>
78203@@ -139,7 +140,7 @@ out:
78204 * Return <0 error code on error; 1 on successful completion.
78205 * The files->file_lock should be held on entry, and will be held on exit.
78206 */
78207-static int expand_fdtable(struct files_struct *files, int nr)
78208+static int expand_fdtable(struct files_struct *files, unsigned int nr)
78209 __releases(files->file_lock)
78210 __acquires(files->file_lock)
78211 {
78212@@ -184,7 +185,7 @@ static int expand_fdtable(struct files_struct *files, int nr)
78213 * expanded and execution may have blocked.
78214 * The files->file_lock should be held on entry, and will be held on exit.
78215 */
78216-static int expand_files(struct files_struct *files, int nr)
78217+static int expand_files(struct files_struct *files, unsigned int nr)
78218 __releases(files->file_lock)
78219 __acquires(files->file_lock)
78220 {
78221@@ -834,6 +835,7 @@ int replace_fd(unsigned fd, struct file *file, unsigned flags)
78222 if (!file)
78223 return __close_fd(files, fd);
78224
78225+ gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);
78226 if (fd >= rlimit(RLIMIT_NOFILE))
78227 return -EBADF;
78228
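Review bot: `gr_learn_resource(current, RLIMIT_NOFILE, fd, 0);` is placed before the `fd >= rlimit(RLIMIT_NOFILE)` test with no comment, and neither the ordering nor the trailing `0` explains itself. Presumably the hook has to see the requested descriptor even when the request is about to fail with `-EBADF`, and the last argument selects the `>=` form of the comparison. A short comment such as `/* report the wanted fd before the limit check rejects it */` would make that explicit once confirmed against the helper, which is not part of this hunk. The same line is added without comment in the `dup3` and `f_dupfd` hunks that follow.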
78229@@ -860,6 +862,7 @@ SYSCALL_DEFINE3(dup3, unsigned int, oldfd, unsigned int, newfd, int, flags)
78230 if (unlikely(oldfd == newfd))
78231 return -EINVAL;
78232
78233+ gr_learn_resource(current, RLIMIT_NOFILE, newfd, 0);
78234 if (newfd >= rlimit(RLIMIT_NOFILE))
78235 return -EBADF;
78236
78237@@ -915,6 +918,7 @@ SYSCALL_DEFINE1(dup, unsigned int, fildes)
78238 int f_dupfd(unsigned int from, struct file *file, unsigned flags)
78239 {
78240 int err;
78241+ gr_learn_resource(current, RLIMIT_NOFILE, from, 0);
78242 if (from >= rlimit(RLIMIT_NOFILE))
78243 return -EINVAL;
78244 err = alloc_fd(from, flags);
78245diff --git a/fs/filesystems.c b/fs/filesystems.c
78246index 5797d45..7d7d79a 100644
78247--- a/fs/filesystems.c
78248+++ b/fs/filesystems.c
78249@@ -275,7 +275,11 @@ struct file_system_type *get_fs_type(const char *name)
78250 int len = dot ? dot - name : strlen(name);
78251
78252 fs = __get_fs_type(name, len);
78253+#ifdef CONFIG_GRKERNSEC_MODHARDEN
78254+ if (!fs && (___request_module(true, "grsec_modharden_fs", "fs-%.*s", len, name) == 0))
78255+#else
78256 if (!fs && (request_module("fs-%.*s", len, name) == 0))
78257+#endif
78258 fs = __get_fs_type(name, len);
78259
78260 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
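Review bot: The `#ifdef CONFIG_GRKERNSEC_MODHARDEN` block splits a single `if` statement across two preprocessor branches that share one body line, which is easy to break when either branch is edited. I would hide the choice behind one local macro so that get_fs_type keeps a single, ordinary `if`. The format string and arguments stay exactly as in the hunk, and the macro name below is only a suggestion. get_fs_type starts and ends outside the hunk.

```c
#ifdef CONFIG_GRKERNSEC_MODHARDEN
#define fs_request_module(len, name) \
	___request_module(true, "grsec_modharden_fs", "fs-%.*s", len, name)
#else
#define fs_request_module(len, name) \
	request_module("fs-%.*s", len, name)
#endif

/* … unchanged: first __get_fs_type(name, len) lookup … */
	if (!fs && (fs_request_module(len, name) == 0))
		fs = __get_fs_type(name, len);
```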
78261diff --git a/fs/fs_struct.c b/fs/fs_struct.c
78262index 7dca743..1ff87ae 100644
78263--- a/fs/fs_struct.c
78264+++ b/fs/fs_struct.c
78265@@ -4,6 +4,7 @@
78266 #include <linux/path.h>
78267 #include <linux/slab.h>
78268 #include <linux/fs_struct.h>
78269+#include <linux/grsecurity.h>
78270 #include "internal.h"
78271
78272 /*
78273@@ -15,14 +16,18 @@ void set_fs_root(struct fs_struct *fs, const struct path *path)
78274 struct path old_root;
78275
78276 path_get(path);
78277+ gr_inc_chroot_refcnts(path->dentry, path->mnt);
78278 spin_lock(&fs->lock);
78279 write_seqcount_begin(&fs->seq);
78280 old_root = fs->root;
78281 fs->root = *path;
78282+ gr_set_chroot_entries(current, path);
78283 write_seqcount_end(&fs->seq);
78284 spin_unlock(&fs->lock);
78285- if (old_root.dentry)
78286+ if (old_root.dentry) {
78287+ gr_dec_chroot_refcnts(old_root.dentry, old_root.mnt);
78288 path_put(&old_root);
78289+ }
78290 }
78291
78292 /*
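Review bot: `gr_set_chroot_entries(current, path)` tags the calling task, while the root is being replaced in the `fs` passed as a parameter, and nothing in set_fs_root states that `fs` is always `current->fs`. If another task's `fs_struct` can be passed, or the structure is shared between tasks, the tag and the root could disagree; the callers are outside this hunk, so this needs checking. A comment on the call such as `/* callers pass current->fs; the chroot tag follows the calling task */` would document the assumption. The call also runs inside the `write_seqcount_begin`/`write_seqcount_end` section under `fs->lock`, so the helper must not sleep.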
78293@@ -67,6 +72,10 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
78294 int hits = 0;
78295 spin_lock(&fs->lock);
78296 write_seqcount_begin(&fs->seq);
78297+ /* this root replacement is only done by pivot_root,
78298+ leave grsec's chroot tagging alone for this task
78299+ so that a pivoted root isn't treated as a chroot
78300+ */
78301 hits += replace_path(&fs->root, old_root, new_root);
78302 hits += replace_path(&fs->pwd, old_root, new_root);
78303 write_seqcount_end(&fs->seq);
78304@@ -85,6 +94,7 @@ void chroot_fs_refs(const struct path *old_root, const struct path *new_root)
78305
78306 void free_fs_struct(struct fs_struct *fs)
78307 {
78308+ gr_dec_chroot_refcnts(fs->root.dentry, fs->root.mnt);
78309 path_put(&fs->root);
78310 path_put(&fs->pwd);
78311 kmem_cache_free(fs_cachep, fs);
78312@@ -99,7 +109,8 @@ void exit_fs(struct task_struct *tsk)
78313 task_lock(tsk);
78314 spin_lock(&fs->lock);
78315 tsk->fs = NULL;
78316- kill = !--fs->users;
78317+ gr_clear_chroot_entries(tsk);
78318+ kill = !atomic_dec_return(&fs->users);
78319 spin_unlock(&fs->lock);
78320 task_unlock(tsk);
78321 if (kill)
78322@@ -112,7 +123,7 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
78323 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
78324 /* We don't need to lock fs - think why ;-) */
78325 if (fs) {
78326- fs->users = 1;
78327+ atomic_set(&fs->users, 1);
78328 fs->in_exec = 0;
78329 spin_lock_init(&fs->lock);
78330 seqcount_init(&fs->seq);
78331@@ -121,9 +132,13 @@ struct fs_struct *copy_fs_struct(struct fs_struct *old)
78332 spin_lock(&old->lock);
78333 fs->root = old->root;
78334 path_get(&fs->root);
78335+ /* instead of calling gr_set_chroot_entries here,
78336+ we call it from every caller of this function
78337+ */
78338 fs->pwd = old->pwd;
78339 path_get(&fs->pwd);
78340 spin_unlock(&old->lock);
78341+ gr_inc_chroot_refcnts(fs->root.dentry, fs->root.mnt);
78342 }
78343 return fs;
78344 }
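Review bot: The new comment in copy_fs_struct makes correct chroot tagging depend on every caller invoking `gr_set_chroot_entries` itself, but it sits between the `root` and `pwd` copies, where someone adding a caller is unlikely to look. Move the requirement to a comment above the function, e.g. `/* callers must call gr_set_chroot_entries() on the task that receives the returned fs_struct */`. unshare_fs_struct in the next hunk follows that rule; other callers are not visible in this part of the patch and should be checked. The function's opening lines are in the previous hunk.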
78345@@ -139,8 +154,9 @@ int unshare_fs_struct(void)
78346
78347 task_lock(current);
78348 spin_lock(&fs->lock);
78349- kill = !--fs->users;
78350+ kill = !atomic_dec_return(&fs->users);
78351 current->fs = new_fs;
78352+ gr_set_chroot_entries(current, &new_fs->root);
78353 spin_unlock(&fs->lock);
78354 task_unlock(current);
78355
78356@@ -153,13 +169,13 @@ EXPORT_SYMBOL_GPL(unshare_fs_struct);
78357
78358 int current_umask(void)
78359 {
78360- return current->fs->umask;
78361+ return current->fs->umask | gr_acl_umask();
78362 }
78363 EXPORT_SYMBOL(current_umask);
78364
78365 /* to be mentioned only in INIT_TASK */
78366 struct fs_struct init_fs = {
78367- .users = 1,
78368+ .users = ATOMIC_INIT(1),
78369 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
78370 .seq = SEQCNT_ZERO(init_fs.seq),
78371 .umask = 0022,
78372diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
78373index d403c69..30be0a9 100644
78374--- a/fs/fscache/cookie.c
78375+++ b/fs/fscache/cookie.c
78376@@ -19,7 +19,7 @@
78377
78378 struct kmem_cache *fscache_cookie_jar;
78379
78380-static atomic_t fscache_object_debug_id = ATOMIC_INIT(0);
78381+static atomic_unchecked_t fscache_object_debug_id = ATOMIC_INIT(0);
78382
78383 static int fscache_acquire_non_index_cookie(struct fscache_cookie *cookie);
78384 static int fscache_alloc_object(struct fscache_cache *cache,
78385@@ -69,11 +69,11 @@ struct fscache_cookie *__fscache_acquire_cookie(
78386 parent ? (char *) parent->def->name : "<no-parent>",
78387 def->name, netfs_data, enable);
78388
78389- fscache_stat(&fscache_n_acquires);
78390+ fscache_stat_unchecked(&fscache_n_acquires);
78391
78392 /* if there's no parent cookie, then we don't create one here either */
78393 if (!parent) {
78394- fscache_stat(&fscache_n_acquires_null);
78395+ fscache_stat_unchecked(&fscache_n_acquires_null);
78396 _leave(" [no parent]");
78397 return NULL;
78398 }
78399@@ -88,7 +88,7 @@ struct fscache_cookie *__fscache_acquire_cookie(
78400 /* allocate and initialise a cookie */
78401 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
78402 if (!cookie) {
78403- fscache_stat(&fscache_n_acquires_oom);
78404+ fscache_stat_unchecked(&fscache_n_acquires_oom);
78405 _leave(" [ENOMEM]");
78406 return NULL;
78407 }
78408@@ -115,13 +115,13 @@ struct fscache_cookie *__fscache_acquire_cookie(
78409
78410 switch (cookie->def->type) {
78411 case FSCACHE_COOKIE_TYPE_INDEX:
78412- fscache_stat(&fscache_n_cookie_index);
78413+ fscache_stat_unchecked(&fscache_n_cookie_index);
78414 break;
78415 case FSCACHE_COOKIE_TYPE_DATAFILE:
78416- fscache_stat(&fscache_n_cookie_data);
78417+ fscache_stat_unchecked(&fscache_n_cookie_data);
78418 break;
78419 default:
78420- fscache_stat(&fscache_n_cookie_special);
78421+ fscache_stat_unchecked(&fscache_n_cookie_special);
78422 break;
78423 }
78424
78425@@ -135,7 +135,7 @@ struct fscache_cookie *__fscache_acquire_cookie(
78426 } else {
78427 atomic_dec(&parent->n_children);
78428 __fscache_cookie_put(cookie);
78429- fscache_stat(&fscache_n_acquires_nobufs);
78430+ fscache_stat_unchecked(&fscache_n_acquires_nobufs);
78431 _leave(" = NULL");
78432 return NULL;
78433 }
78434@@ -144,7 +144,7 @@ struct fscache_cookie *__fscache_acquire_cookie(
78435 }
78436 }
78437
78438- fscache_stat(&fscache_n_acquires_ok);
78439+ fscache_stat_unchecked(&fscache_n_acquires_ok);
78440 _leave(" = %p", cookie);
78441 return cookie;
78442 }
78443@@ -213,7 +213,7 @@ static int fscache_acquire_non_index_cookie(struct fscache_cookie *cookie)
78444 cache = fscache_select_cache_for_object(cookie->parent);
78445 if (!cache) {
78446 up_read(&fscache_addremove_sem);
78447- fscache_stat(&fscache_n_acquires_no_cache);
78448+ fscache_stat_unchecked(&fscache_n_acquires_no_cache);
78449 _leave(" = -ENOMEDIUM [no cache]");
78450 return -ENOMEDIUM;
78451 }
78452@@ -297,14 +297,14 @@ static int fscache_alloc_object(struct fscache_cache *cache,
78453 object = cache->ops->alloc_object(cache, cookie);
78454 fscache_stat_d(&fscache_n_cop_alloc_object);
78455 if (IS_ERR(object)) {
78456- fscache_stat(&fscache_n_object_no_alloc);
78457+ fscache_stat_unchecked(&fscache_n_object_no_alloc);
78458 ret = PTR_ERR(object);
78459 goto error;
78460 }
78461
78462- fscache_stat(&fscache_n_object_alloc);
78463+ fscache_stat_unchecked(&fscache_n_object_alloc);
78464
78465- object->debug_id = atomic_inc_return(&fscache_object_debug_id);
78466+ object->debug_id = atomic_inc_return_unchecked(&fscache_object_debug_id);
78467
78468 _debug("ALLOC OBJ%x: %s {%lx}",
78469 object->debug_id, cookie->def->name, object->events);
78470@@ -419,7 +419,7 @@ void __fscache_invalidate(struct fscache_cookie *cookie)
78471
78472 _enter("{%s}", cookie->def->name);
78473
78474- fscache_stat(&fscache_n_invalidates);
78475+ fscache_stat_unchecked(&fscache_n_invalidates);
78476
78477 /* Only permit invalidation of data files. Invalidating an index will
78478 * require the caller to release all its attachments to the tree rooted
78479@@ -477,10 +477,10 @@ void __fscache_update_cookie(struct fscache_cookie *cookie)
78480 {
78481 struct fscache_object *object;
78482
78483- fscache_stat(&fscache_n_updates);
78484+ fscache_stat_unchecked(&fscache_n_updates);
78485
78486 if (!cookie) {
78487- fscache_stat(&fscache_n_updates_null);
78488+ fscache_stat_unchecked(&fscache_n_updates_null);
78489 _leave(" [no cookie]");
78490 return;
78491 }
78492@@ -581,12 +581,12 @@ EXPORT_SYMBOL(__fscache_disable_cookie);
78493 */
78494 void __fscache_relinquish_cookie(struct fscache_cookie *cookie, bool retire)
78495 {
78496- fscache_stat(&fscache_n_relinquishes);
78497+ fscache_stat_unchecked(&fscache_n_relinquishes);
78498 if (retire)
78499- fscache_stat(&fscache_n_relinquishes_retire);
78500+ fscache_stat_unchecked(&fscache_n_relinquishes_retire);
78501
78502 if (!cookie) {
78503- fscache_stat(&fscache_n_relinquishes_null);
78504+ fscache_stat_unchecked(&fscache_n_relinquishes_null);
78505 _leave(" [no cookie]");
78506 return;
78507 }
78508@@ -687,7 +687,7 @@ int __fscache_check_consistency(struct fscache_cookie *cookie)
78509 if (test_bit(FSCACHE_IOERROR, &object->cache->flags))
78510 goto inconsistent;
78511
78512- op->debug_id = atomic_inc_return(&fscache_op_debug_id);
78513+ op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
78514
78515 __fscache_use_cookie(cookie);
78516 if (fscache_submit_op(object, op) < 0)
78517diff --git a/fs/fscache/internal.h b/fs/fscache/internal.h
78518index 97ec451..f722cee 100644
78519--- a/fs/fscache/internal.h
78520+++ b/fs/fscache/internal.h
78521@@ -136,8 +136,8 @@ extern void fscache_operation_gc(struct work_struct *);
78522 extern int fscache_wait_for_deferred_lookup(struct fscache_cookie *);
78523 extern int fscache_wait_for_operation_activation(struct fscache_object *,
78524 struct fscache_operation *,
78525- atomic_t *,
78526- atomic_t *);
78527+ atomic_unchecked_t *,
78528+ atomic_unchecked_t *);
78529 extern void fscache_invalidate_writes(struct fscache_cookie *);
78530
78531 /*
78532@@ -155,102 +155,102 @@ extern void fscache_proc_cleanup(void);
78533 * stats.c
78534 */
78535 #ifdef CONFIG_FSCACHE_STATS
78536-extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
78537-extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
78538+extern atomic_unchecked_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
78539+extern atomic_unchecked_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
78540
78541-extern atomic_t fscache_n_op_pend;
78542-extern atomic_t fscache_n_op_run;
78543-extern atomic_t fscache_n_op_enqueue;
78544-extern atomic_t fscache_n_op_deferred_release;
78545-extern atomic_t fscache_n_op_initialised;
78546-extern atomic_t fscache_n_op_release;
78547-extern atomic_t fscache_n_op_gc;
78548-extern atomic_t fscache_n_op_cancelled;
78549-extern atomic_t fscache_n_op_rejected;
78550+extern atomic_unchecked_t fscache_n_op_pend;
78551+extern atomic_unchecked_t fscache_n_op_run;
78552+extern atomic_unchecked_t fscache_n_op_enqueue;
78553+extern atomic_unchecked_t fscache_n_op_deferred_release;
78554+extern atomic_unchecked_t fscache_n_op_initialised;
78555+extern atomic_unchecked_t fscache_n_op_release;
78556+extern atomic_unchecked_t fscache_n_op_gc;
78557+extern atomic_unchecked_t fscache_n_op_cancelled;
78558+extern atomic_unchecked_t fscache_n_op_rejected;
78559
78560-extern atomic_t fscache_n_attr_changed;
78561-extern atomic_t fscache_n_attr_changed_ok;
78562-extern atomic_t fscache_n_attr_changed_nobufs;
78563-extern atomic_t fscache_n_attr_changed_nomem;
78564-extern atomic_t fscache_n_attr_changed_calls;
78565+extern atomic_unchecked_t fscache_n_attr_changed;
78566+extern atomic_unchecked_t fscache_n_attr_changed_ok;
78567+extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
78568+extern atomic_unchecked_t fscache_n_attr_changed_nomem;
78569+extern atomic_unchecked_t fscache_n_attr_changed_calls;
78570
78571-extern atomic_t fscache_n_allocs;
78572-extern atomic_t fscache_n_allocs_ok;
78573-extern atomic_t fscache_n_allocs_wait;
78574-extern atomic_t fscache_n_allocs_nobufs;
78575-extern atomic_t fscache_n_allocs_intr;
78576-extern atomic_t fscache_n_allocs_object_dead;
78577-extern atomic_t fscache_n_alloc_ops;
78578-extern atomic_t fscache_n_alloc_op_waits;
78579+extern atomic_unchecked_t fscache_n_allocs;
78580+extern atomic_unchecked_t fscache_n_allocs_ok;
78581+extern atomic_unchecked_t fscache_n_allocs_wait;
78582+extern atomic_unchecked_t fscache_n_allocs_nobufs;
78583+extern atomic_unchecked_t fscache_n_allocs_intr;
78584+extern atomic_unchecked_t fscache_n_allocs_object_dead;
78585+extern atomic_unchecked_t fscache_n_alloc_ops;
78586+extern atomic_unchecked_t fscache_n_alloc_op_waits;
78587
78588-extern atomic_t fscache_n_retrievals;
78589-extern atomic_t fscache_n_retrievals_ok;
78590-extern atomic_t fscache_n_retrievals_wait;
78591-extern atomic_t fscache_n_retrievals_nodata;
78592-extern atomic_t fscache_n_retrievals_nobufs;
78593-extern atomic_t fscache_n_retrievals_intr;
78594-extern atomic_t fscache_n_retrievals_nomem;
78595-extern atomic_t fscache_n_retrievals_object_dead;
78596-extern atomic_t fscache_n_retrieval_ops;
78597-extern atomic_t fscache_n_retrieval_op_waits;
78598+extern atomic_unchecked_t fscache_n_retrievals;
78599+extern atomic_unchecked_t fscache_n_retrievals_ok;
78600+extern atomic_unchecked_t fscache_n_retrievals_wait;
78601+extern atomic_unchecked_t fscache_n_retrievals_nodata;
78602+extern atomic_unchecked_t fscache_n_retrievals_nobufs;
78603+extern atomic_unchecked_t fscache_n_retrievals_intr;
78604+extern atomic_unchecked_t fscache_n_retrievals_nomem;
78605+extern atomic_unchecked_t fscache_n_retrievals_object_dead;
78606+extern atomic_unchecked_t fscache_n_retrieval_ops;
78607+extern atomic_unchecked_t fscache_n_retrieval_op_waits;
78608
78609-extern atomic_t fscache_n_stores;
78610-extern atomic_t fscache_n_stores_ok;
78611-extern atomic_t fscache_n_stores_again;
78612-extern atomic_t fscache_n_stores_nobufs;
78613-extern atomic_t fscache_n_stores_oom;
78614-extern atomic_t fscache_n_store_ops;
78615-extern atomic_t fscache_n_store_calls;
78616-extern atomic_t fscache_n_store_pages;
78617-extern atomic_t fscache_n_store_radix_deletes;
78618-extern atomic_t fscache_n_store_pages_over_limit;
78619+extern atomic_unchecked_t fscache_n_stores;
78620+extern atomic_unchecked_t fscache_n_stores_ok;
78621+extern atomic_unchecked_t fscache_n_stores_again;
78622+extern atomic_unchecked_t fscache_n_stores_nobufs;
78623+extern atomic_unchecked_t fscache_n_stores_oom;
78624+extern atomic_unchecked_t fscache_n_store_ops;
78625+extern atomic_unchecked_t fscache_n_store_calls;
78626+extern atomic_unchecked_t fscache_n_store_pages;
78627+extern atomic_unchecked_t fscache_n_store_radix_deletes;
78628+extern atomic_unchecked_t fscache_n_store_pages_over_limit;
78629
78630-extern atomic_t fscache_n_store_vmscan_not_storing;
78631-extern atomic_t fscache_n_store_vmscan_gone;
78632-extern atomic_t fscache_n_store_vmscan_busy;
78633-extern atomic_t fscache_n_store_vmscan_cancelled;
78634-extern atomic_t fscache_n_store_vmscan_wait;
78635+extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
78636+extern atomic_unchecked_t fscache_n_store_vmscan_gone;
78637+extern atomic_unchecked_t fscache_n_store_vmscan_busy;
78638+extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
78639+extern atomic_unchecked_t fscache_n_store_vmscan_wait;
78640
78641-extern atomic_t fscache_n_marks;
78642-extern atomic_t fscache_n_uncaches;
78643+extern atomic_unchecked_t fscache_n_marks;
78644+extern atomic_unchecked_t fscache_n_uncaches;
78645
78646-extern atomic_t fscache_n_acquires;
78647-extern atomic_t fscache_n_acquires_null;
78648-extern atomic_t fscache_n_acquires_no_cache;
78649-extern atomic_t fscache_n_acquires_ok;
78650-extern atomic_t fscache_n_acquires_nobufs;
78651-extern atomic_t fscache_n_acquires_oom;
78652+extern atomic_unchecked_t fscache_n_acquires;
78653+extern atomic_unchecked_t fscache_n_acquires_null;
78654+extern atomic_unchecked_t fscache_n_acquires_no_cache;
78655+extern atomic_unchecked_t fscache_n_acquires_ok;
78656+extern atomic_unchecked_t fscache_n_acquires_nobufs;
78657+extern atomic_unchecked_t fscache_n_acquires_oom;
78658
78659-extern atomic_t fscache_n_invalidates;
78660-extern atomic_t fscache_n_invalidates_run;
78661+extern atomic_unchecked_t fscache_n_invalidates;
78662+extern atomic_unchecked_t fscache_n_invalidates_run;
78663
78664-extern atomic_t fscache_n_updates;
78665-extern atomic_t fscache_n_updates_null;
78666-extern atomic_t fscache_n_updates_run;
78667+extern atomic_unchecked_t fscache_n_updates;
78668+extern atomic_unchecked_t fscache_n_updates_null;
78669+extern atomic_unchecked_t fscache_n_updates_run;
78670
78671-extern atomic_t fscache_n_relinquishes;
78672-extern atomic_t fscache_n_relinquishes_null;
78673-extern atomic_t fscache_n_relinquishes_waitcrt;
78674-extern atomic_t fscache_n_relinquishes_retire;
78675+extern atomic_unchecked_t fscache_n_relinquishes;
78676+extern atomic_unchecked_t fscache_n_relinquishes_null;
78677+extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
78678+extern atomic_unchecked_t fscache_n_relinquishes_retire;
78679
78680-extern atomic_t fscache_n_cookie_index;
78681-extern atomic_t fscache_n_cookie_data;
78682-extern atomic_t fscache_n_cookie_special;
78683+extern atomic_unchecked_t fscache_n_cookie_index;
78684+extern atomic_unchecked_t fscache_n_cookie_data;
78685+extern atomic_unchecked_t fscache_n_cookie_special;
78686
78687-extern atomic_t fscache_n_object_alloc;
78688-extern atomic_t fscache_n_object_no_alloc;
78689-extern atomic_t fscache_n_object_lookups;
78690-extern atomic_t fscache_n_object_lookups_negative;
78691-extern atomic_t fscache_n_object_lookups_positive;
78692-extern atomic_t fscache_n_object_lookups_timed_out;
78693-extern atomic_t fscache_n_object_created;
78694-extern atomic_t fscache_n_object_avail;
78695-extern atomic_t fscache_n_object_dead;
78696+extern atomic_unchecked_t fscache_n_object_alloc;
78697+extern atomic_unchecked_t fscache_n_object_no_alloc;
78698+extern atomic_unchecked_t fscache_n_object_lookups;
78699+extern atomic_unchecked_t fscache_n_object_lookups_negative;
78700+extern atomic_unchecked_t fscache_n_object_lookups_positive;
78701+extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
78702+extern atomic_unchecked_t fscache_n_object_created;
78703+extern atomic_unchecked_t fscache_n_object_avail;
78704+extern atomic_unchecked_t fscache_n_object_dead;
78705
78706-extern atomic_t fscache_n_checkaux_none;
78707-extern atomic_t fscache_n_checkaux_okay;
78708-extern atomic_t fscache_n_checkaux_update;
78709-extern atomic_t fscache_n_checkaux_obsolete;
78710+extern atomic_unchecked_t fscache_n_checkaux_none;
78711+extern atomic_unchecked_t fscache_n_checkaux_okay;
78712+extern atomic_unchecked_t fscache_n_checkaux_update;
78713+extern atomic_unchecked_t fscache_n_checkaux_obsolete;
78714
78715 extern atomic_t fscache_n_cop_alloc_object;
78716 extern atomic_t fscache_n_cop_lookup_object;
78717@@ -280,6 +280,11 @@ static inline void fscache_stat(atomic_t *stat)
78718 atomic_inc(stat);
78719 }
78720
78721+static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
78722+{
78723+ atomic_inc_unchecked(stat);
78724+}
78725+
78726 static inline void fscache_stat_d(atomic_t *stat)
78727 {
78728 atomic_dec(stat);
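Review bot: `fscache_stat_unchecked()` is added without a comment saying which counters may use it, and that is the rule a later contributor needs when adding a counter. In PaX/grsecurity, `atomic_unchecked_t` is the variant exempt from the reference-count overflow check, so it only suits values whose wraparound is harmless. The patch uses it for the event counters and leaves the `fscache_n_cop_*` counters, which are paired with `fscache_stat_d()`, as `atomic_t`. I would put `/* Statistics only: the counter may wrap; never use it for a reference count or a lifetime decision. */` above the new helper. The body of `fscache_stat_d()` continues outside the hunk.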
78729@@ -292,6 +297,7 @@ extern const struct file_operations fscache_stats_fops;
78730
78731 #define __fscache_stat(stat) (NULL)
78732 #define fscache_stat(stat) do {} while (0)
78733+#define fscache_stat_unchecked(stat) do {} while (0)
78734 #define fscache_stat_d(stat) do {} while (0)
78735 #endif
78736
78737diff --git a/fs/fscache/object.c b/fs/fscache/object.c
78738index 9e792e3..6b2affb 100644
78739--- a/fs/fscache/object.c
78740+++ b/fs/fscache/object.c
78741@@ -465,7 +465,7 @@ static const struct fscache_state *fscache_look_up_object(struct fscache_object
78742 _debug("LOOKUP \"%s\" in \"%s\"",
78743 cookie->def->name, object->cache->tag->name);
78744
78745- fscache_stat(&fscache_n_object_lookups);
78746+ fscache_stat_unchecked(&fscache_n_object_lookups);
78747 fscache_stat(&fscache_n_cop_lookup_object);
78748 ret = object->cache->ops->lookup_object(object);
78749 fscache_stat_d(&fscache_n_cop_lookup_object);
78750@@ -475,7 +475,7 @@ static const struct fscache_state *fscache_look_up_object(struct fscache_object
78751 if (ret == -ETIMEDOUT) {
78752 /* probably stuck behind another object, so move this one to
78753 * the back of the queue */
78754- fscache_stat(&fscache_n_object_lookups_timed_out);
78755+ fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
78756 _leave(" [timeout]");
78757 return NO_TRANSIT;
78758 }
78759@@ -503,7 +503,7 @@ void fscache_object_lookup_negative(struct fscache_object *object)
78760 _enter("{OBJ%x,%s}", object->debug_id, object->state->name);
78761
78762 if (!test_and_set_bit(FSCACHE_OBJECT_IS_LOOKED_UP, &object->flags)) {
78763- fscache_stat(&fscache_n_object_lookups_negative);
78764+ fscache_stat_unchecked(&fscache_n_object_lookups_negative);
78765
78766 /* Allow write requests to begin stacking up and read requests to begin
78767 * returning ENODATA.
78768@@ -538,7 +538,7 @@ void fscache_obtained_object(struct fscache_object *object)
78769 /* if we were still looking up, then we must have a positive lookup
78770 * result, in which case there may be data available */
78771 if (!test_and_set_bit(FSCACHE_OBJECT_IS_LOOKED_UP, &object->flags)) {
78772- fscache_stat(&fscache_n_object_lookups_positive);
78773+ fscache_stat_unchecked(&fscache_n_object_lookups_positive);
78774
78775 /* We do (presumably) have data */
78776 clear_bit_unlock(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
78777@@ -550,7 +550,7 @@ void fscache_obtained_object(struct fscache_object *object)
78778 clear_bit_unlock(FSCACHE_COOKIE_LOOKING_UP, &cookie->flags);
78779 wake_up_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP);
78780 } else {
78781- fscache_stat(&fscache_n_object_created);
78782+ fscache_stat_unchecked(&fscache_n_object_created);
78783 }
78784
78785 set_bit(FSCACHE_OBJECT_IS_AVAILABLE, &object->flags);
78786@@ -586,7 +586,7 @@ static const struct fscache_state *fscache_object_available(struct fscache_objec
78787 fscache_stat_d(&fscache_n_cop_lookup_complete);
78788
78789 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
78790- fscache_stat(&fscache_n_object_avail);
78791+ fscache_stat_unchecked(&fscache_n_object_avail);
78792
78793 _leave("");
78794 return transit_to(JUMPSTART_DEPS);
78795@@ -735,7 +735,7 @@ static const struct fscache_state *fscache_drop_object(struct fscache_object *ob
78796
78797 /* this just shifts the object release to the work processor */
78798 fscache_put_object(object);
78799- fscache_stat(&fscache_n_object_dead);
78800+ fscache_stat_unchecked(&fscache_n_object_dead);
78801
78802 _leave("");
78803 return transit_to(OBJECT_DEAD);
78804@@ -900,7 +900,7 @@ enum fscache_checkaux fscache_check_aux(struct fscache_object *object,
78805 enum fscache_checkaux result;
78806
78807 if (!object->cookie->def->check_aux) {
78808- fscache_stat(&fscache_n_checkaux_none);
78809+ fscache_stat_unchecked(&fscache_n_checkaux_none);
78810 return FSCACHE_CHECKAUX_OKAY;
78811 }
78812
78813@@ -909,17 +909,17 @@ enum fscache_checkaux fscache_check_aux(struct fscache_object *object,
78814 switch (result) {
78815 /* entry okay as is */
78816 case FSCACHE_CHECKAUX_OKAY:
78817- fscache_stat(&fscache_n_checkaux_okay);
78818+ fscache_stat_unchecked(&fscache_n_checkaux_okay);
78819 break;
78820
78821 /* entry requires update */
78822 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
78823- fscache_stat(&fscache_n_checkaux_update);
78824+ fscache_stat_unchecked(&fscache_n_checkaux_update);
78825 break;
78826
78827 /* entry requires deletion */
78828 case FSCACHE_CHECKAUX_OBSOLETE:
78829- fscache_stat(&fscache_n_checkaux_obsolete);
78830+ fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
78831 break;
78832
78833 default:
78834@@ -1007,7 +1007,7 @@ static const struct fscache_state *fscache_invalidate_object(struct fscache_obje
78835 {
78836 const struct fscache_state *s;
78837
78838- fscache_stat(&fscache_n_invalidates_run);
78839+ fscache_stat_unchecked(&fscache_n_invalidates_run);
78840 fscache_stat(&fscache_n_cop_invalidate_object);
78841 s = _fscache_invalidate_object(object, event);
78842 fscache_stat_d(&fscache_n_cop_invalidate_object);
78843@@ -1022,7 +1022,7 @@ static const struct fscache_state *fscache_update_object(struct fscache_object *
78844 {
78845 _enter("{OBJ%x},%d", object->debug_id, event);
78846
78847- fscache_stat(&fscache_n_updates_run);
78848+ fscache_stat_unchecked(&fscache_n_updates_run);
78849 fscache_stat(&fscache_n_cop_update_object);
78850 object->cache->ops->update_object(object);
78851 fscache_stat_d(&fscache_n_cop_update_object);
78852diff --git a/fs/fscache/operation.c b/fs/fscache/operation.c
78853index de67745..6a3a9b6 100644
78854--- a/fs/fscache/operation.c
78855+++ b/fs/fscache/operation.c
78856@@ -17,7 +17,7 @@
78857 #include <linux/slab.h>
78858 #include "internal.h"
78859
78860-atomic_t fscache_op_debug_id;
78861+atomic_unchecked_t fscache_op_debug_id;
78862 EXPORT_SYMBOL(fscache_op_debug_id);
78863
78864 static void fscache_operation_dummy_cancel(struct fscache_operation *op)
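Review bot: `fscache_op_debug_id` is exported, so changing it to `atomic_unchecked_t` changes the interface for every user of the symbol, and its `extern` declaration is not in this hunk. The users converted on this page are `fscache_operation_init()` in the next hunk and `__fscache_write_page()` in fs/fscache/page.c. Confirm that the declaration and any cache backend that increments the id are converted in the same patch, since a leftover `atomic_inc_return(&fscache_op_debug_id)` would no longer type-check. As far as this page shows, the id only reaches debug output (`OP%x`), so a comment such as `/* debug id only; wraparound is harmless, hence unchecked */` would record why the overflow check is dropped. The body of `fscache_operation_dummy_cancel()` starts after the hunk.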
78865@@ -40,12 +40,12 @@ void fscache_operation_init(struct fscache_operation *op,
78866 INIT_WORK(&op->work, fscache_op_work_func);
78867 atomic_set(&op->usage, 1);
78868 op->state = FSCACHE_OP_ST_INITIALISED;
78869- op->debug_id = atomic_inc_return(&fscache_op_debug_id);
78870+ op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
78871 op->processor = processor;
78872 op->cancel = cancel ?: fscache_operation_dummy_cancel;
78873 op->release = release;
78874 INIT_LIST_HEAD(&op->pend_link);
78875- fscache_stat(&fscache_n_op_initialised);
78876+ fscache_stat_unchecked(&fscache_n_op_initialised);
78877 }
78878 EXPORT_SYMBOL(fscache_operation_init);
78879
78880@@ -68,7 +68,7 @@ void fscache_enqueue_operation(struct fscache_operation *op)
78881 ASSERTCMP(atomic_read(&op->usage), >, 0);
78882 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_IN_PROGRESS);
78883
78884- fscache_stat(&fscache_n_op_enqueue);
78885+ fscache_stat_unchecked(&fscache_n_op_enqueue);
78886 switch (op->flags & FSCACHE_OP_TYPE) {
78887 case FSCACHE_OP_ASYNC:
78888 _debug("queue async");
78889@@ -101,7 +101,7 @@ static void fscache_run_op(struct fscache_object *object,
78890 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
78891 if (op->processor)
78892 fscache_enqueue_operation(op);
78893- fscache_stat(&fscache_n_op_run);
78894+ fscache_stat_unchecked(&fscache_n_op_run);
78895 }
78896
78897 /*
78898@@ -169,7 +169,7 @@ int fscache_submit_exclusive_op(struct fscache_object *object,
78899 op->state = FSCACHE_OP_ST_PENDING;
78900 flags = READ_ONCE(object->flags);
78901 if (unlikely(!(flags & BIT(FSCACHE_OBJECT_IS_LIVE)))) {
78902- fscache_stat(&fscache_n_op_rejected);
78903+ fscache_stat_unchecked(&fscache_n_op_rejected);
78904 op->cancel(op);
78905 op->state = FSCACHE_OP_ST_CANCELLED;
78906 ret = -ENOBUFS;
78907@@ -185,11 +185,11 @@ int fscache_submit_exclusive_op(struct fscache_object *object,
78908 if (object->n_in_progress > 0) {
78909 atomic_inc(&op->usage);
78910 list_add_tail(&op->pend_link, &object->pending_ops);
78911- fscache_stat(&fscache_n_op_pend);
78912+ fscache_stat_unchecked(&fscache_n_op_pend);
78913 } else if (!list_empty(&object->pending_ops)) {
78914 atomic_inc(&op->usage);
78915 list_add_tail(&op->pend_link, &object->pending_ops);
78916- fscache_stat(&fscache_n_op_pend);
78917+ fscache_stat_unchecked(&fscache_n_op_pend);
78918 fscache_start_operations(object);
78919 } else {
78920 ASSERTCMP(object->n_in_progress, ==, 0);
78921@@ -205,7 +205,7 @@ int fscache_submit_exclusive_op(struct fscache_object *object,
78922 object->n_exclusive++; /* reads and writes must wait */
78923 atomic_inc(&op->usage);
78924 list_add_tail(&op->pend_link, &object->pending_ops);
78925- fscache_stat(&fscache_n_op_pend);
78926+ fscache_stat_unchecked(&fscache_n_op_pend);
78927 ret = 0;
78928 } else if (flags & BIT(FSCACHE_OBJECT_KILLED_BY_CACHE)) {
78929 op->cancel(op);
78930@@ -254,7 +254,7 @@ int fscache_submit_op(struct fscache_object *object,
78931 op->state = FSCACHE_OP_ST_PENDING;
78932 flags = READ_ONCE(object->flags);
78933 if (unlikely(!(flags & BIT(FSCACHE_OBJECT_IS_LIVE)))) {
78934- fscache_stat(&fscache_n_op_rejected);
78935+ fscache_stat_unchecked(&fscache_n_op_rejected);
78936 op->cancel(op);
78937 op->state = FSCACHE_OP_ST_CANCELLED;
78938 ret = -ENOBUFS;
78939@@ -269,11 +269,11 @@ int fscache_submit_op(struct fscache_object *object,
78940 if (object->n_exclusive > 0) {
78941 atomic_inc(&op->usage);
78942 list_add_tail(&op->pend_link, &object->pending_ops);
78943- fscache_stat(&fscache_n_op_pend);
78944+ fscache_stat_unchecked(&fscache_n_op_pend);
78945 } else if (!list_empty(&object->pending_ops)) {
78946 atomic_inc(&op->usage);
78947 list_add_tail(&op->pend_link, &object->pending_ops);
78948- fscache_stat(&fscache_n_op_pend);
78949+ fscache_stat_unchecked(&fscache_n_op_pend);
78950 fscache_start_operations(object);
78951 } else {
78952 ASSERTCMP(object->n_exclusive, ==, 0);
78953@@ -285,7 +285,7 @@ int fscache_submit_op(struct fscache_object *object,
78954 object->n_ops++;
78955 atomic_inc(&op->usage);
78956 list_add_tail(&op->pend_link, &object->pending_ops);
78957- fscache_stat(&fscache_n_op_pend);
78958+ fscache_stat_unchecked(&fscache_n_op_pend);
78959 ret = 0;
78960 } else if (flags & BIT(FSCACHE_OBJECT_KILLED_BY_CACHE)) {
78961 op->cancel(op);
78962@@ -369,7 +369,7 @@ int fscache_cancel_op(struct fscache_operation *op,
78963 list_del_init(&op->pend_link);
78964 put = true;
78965
78966- fscache_stat(&fscache_n_op_cancelled);
78967+ fscache_stat_unchecked(&fscache_n_op_cancelled);
78968 op->cancel(op);
78969 op->state = FSCACHE_OP_ST_CANCELLED;
78970 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
78971@@ -385,7 +385,7 @@ int fscache_cancel_op(struct fscache_operation *op,
78972 if (object->n_in_progress == 0)
78973 fscache_start_operations(object);
78974
78975- fscache_stat(&fscache_n_op_cancelled);
78976+ fscache_stat_unchecked(&fscache_n_op_cancelled);
78977 op->cancel(op);
78978 op->state = FSCACHE_OP_ST_CANCELLED;
78979 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
78980@@ -416,7 +416,7 @@ void fscache_cancel_all_ops(struct fscache_object *object)
78981 while (!list_empty(&object->pending_ops)) {
78982 op = list_entry(object->pending_ops.next,
78983 struct fscache_operation, pend_link);
78984- fscache_stat(&fscache_n_op_cancelled);
78985+ fscache_stat_unchecked(&fscache_n_op_cancelled);
78986 list_del_init(&op->pend_link);
78987
78988 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_PENDING);
78989@@ -493,7 +493,7 @@ void fscache_put_operation(struct fscache_operation *op)
78990 op->state != FSCACHE_OP_ST_COMPLETE,
78991 op->state, ==, FSCACHE_OP_ST_CANCELLED);
78992
78993- fscache_stat(&fscache_n_op_release);
78994+ fscache_stat_unchecked(&fscache_n_op_release);
78995
78996 if (op->release) {
78997 op->release(op);
78998@@ -513,7 +513,7 @@ void fscache_put_operation(struct fscache_operation *op)
78999 * lock, and defer it otherwise */
79000 if (!spin_trylock(&object->lock)) {
79001 _debug("defer put");
79002- fscache_stat(&fscache_n_op_deferred_release);
79003+ fscache_stat_unchecked(&fscache_n_op_deferred_release);
79004
79005 cache = object->cache;
79006 spin_lock(&cache->op_gc_list_lock);
79007@@ -567,7 +567,7 @@ void fscache_operation_gc(struct work_struct *work)
79008
79009 _debug("GC DEFERRED REL OBJ%x OP%x",
79010 object->debug_id, op->debug_id);
79011- fscache_stat(&fscache_n_op_gc);
79012+ fscache_stat_unchecked(&fscache_n_op_gc);
79013
79014 ASSERTCMP(atomic_read(&op->usage), ==, 0);
79015 ASSERTCMP(op->state, ==, FSCACHE_OP_ST_DEAD);
79016diff --git a/fs/fscache/page.c b/fs/fscache/page.c
79017index 483bbc6..ba36737 100644
79018--- a/fs/fscache/page.c
79019+++ b/fs/fscache/page.c
79020@@ -74,7 +74,7 @@ try_again:
79021 val = radix_tree_lookup(&cookie->stores, page->index);
79022 if (!val) {
79023 rcu_read_unlock();
79024- fscache_stat(&fscache_n_store_vmscan_not_storing);
79025+ fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
79026 __fscache_uncache_page(cookie, page);
79027 return true;
79028 }
79029@@ -104,11 +104,11 @@ try_again:
79030 spin_unlock(&cookie->stores_lock);
79031
79032 if (xpage) {
79033- fscache_stat(&fscache_n_store_vmscan_cancelled);
79034- fscache_stat(&fscache_n_store_radix_deletes);
79035+ fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
79036+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
79037 ASSERTCMP(xpage, ==, page);
79038 } else {
79039- fscache_stat(&fscache_n_store_vmscan_gone);
79040+ fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
79041 }
79042
79043 wake_up_bit(&cookie->flags, 0);
79044@@ -123,11 +123,11 @@ page_busy:
79045 * sleeping on memory allocation, so we may need to impose a timeout
79046 * too. */
79047 if (!(gfp & __GFP_WAIT) || !(gfp & __GFP_FS)) {
79048- fscache_stat(&fscache_n_store_vmscan_busy);
79049+ fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
79050 return false;
79051 }
79052
79053- fscache_stat(&fscache_n_store_vmscan_wait);
79054+ fscache_stat_unchecked(&fscache_n_store_vmscan_wait);
79055 if (!release_page_wait_timeout(cookie, page))
79056 _debug("fscache writeout timeout page: %p{%lx}",
79057 page, page->index);
79058@@ -156,7 +156,7 @@ static void fscache_end_page_write(struct fscache_object *object,
79059 FSCACHE_COOKIE_STORING_TAG);
79060 if (!radix_tree_tag_get(&cookie->stores, page->index,
79061 FSCACHE_COOKIE_PENDING_TAG)) {
79062- fscache_stat(&fscache_n_store_radix_deletes);
79063+ fscache_stat_unchecked(&fscache_n_store_radix_deletes);
79064 xpage = radix_tree_delete(&cookie->stores, page->index);
79065 }
79066 spin_unlock(&cookie->stores_lock);
79067@@ -177,7 +177,7 @@ static void fscache_attr_changed_op(struct fscache_operation *op)
79068
79069 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
79070
79071- fscache_stat(&fscache_n_attr_changed_calls);
79072+ fscache_stat_unchecked(&fscache_n_attr_changed_calls);
79073
79074 if (fscache_object_is_active(object)) {
79075 fscache_stat(&fscache_n_cop_attr_changed);
79076@@ -204,11 +204,11 @@ int __fscache_attr_changed(struct fscache_cookie *cookie)
79077
79078 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
79079
79080- fscache_stat(&fscache_n_attr_changed);
79081+ fscache_stat_unchecked(&fscache_n_attr_changed);
79082
79083 op = kzalloc(sizeof(*op), GFP_KERNEL);
79084 if (!op) {
79085- fscache_stat(&fscache_n_attr_changed_nomem);
79086+ fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
79087 _leave(" = -ENOMEM");
79088 return -ENOMEM;
79089 }
79090@@ -230,7 +230,7 @@ int __fscache_attr_changed(struct fscache_cookie *cookie)
79091 if (fscache_submit_exclusive_op(object, op) < 0)
79092 goto nobufs_dec;
79093 spin_unlock(&cookie->lock);
79094- fscache_stat(&fscache_n_attr_changed_ok);
79095+ fscache_stat_unchecked(&fscache_n_attr_changed_ok);
79096 fscache_put_operation(op);
79097 _leave(" = 0");
79098 return 0;
79099@@ -242,7 +242,7 @@ nobufs:
79100 fscache_put_operation(op);
79101 if (wake_cookie)
79102 __fscache_wake_unused_cookie(cookie);
79103- fscache_stat(&fscache_n_attr_changed_nobufs);
79104+ fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
79105 _leave(" = %d", -ENOBUFS);
79106 return -ENOBUFS;
79107 }
79108@@ -293,7 +293,7 @@ static struct fscache_retrieval *fscache_alloc_retrieval(
79109 /* allocate a retrieval operation and attempt to submit it */
79110 op = kzalloc(sizeof(*op), GFP_NOIO);
79111 if (!op) {
79112- fscache_stat(&fscache_n_retrievals_nomem);
79113+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
79114 return NULL;
79115 }
79116
79117@@ -332,12 +332,12 @@ int fscache_wait_for_deferred_lookup(struct fscache_cookie *cookie)
79118 return 0;
79119 }
79120
79121- fscache_stat(&fscache_n_retrievals_wait);
79122+ fscache_stat_unchecked(&fscache_n_retrievals_wait);
79123
79124 jif = jiffies;
79125 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
79126 TASK_INTERRUPTIBLE) != 0) {
79127- fscache_stat(&fscache_n_retrievals_intr);
79128+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
79129 _leave(" = -ERESTARTSYS");
79130 return -ERESTARTSYS;
79131 }
79132@@ -355,8 +355,8 @@ int fscache_wait_for_deferred_lookup(struct fscache_cookie *cookie)
79133 */
79134 int fscache_wait_for_operation_activation(struct fscache_object *object,
79135 struct fscache_operation *op,
79136- atomic_t *stat_op_waits,
79137- atomic_t *stat_object_dead)
79138+ atomic_unchecked_t *stat_op_waits,
79139+ atomic_unchecked_t *stat_object_dead)
79140 {
79141 int ret;
79142
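Review bot: The two counter parameters of `fscache_wait_for_operation_activation()` change type here, but the prototype is outside this hunk and has to change with it, along with every caller's argument. The callers visible on this page are not shown passing their counters, so that is worth checking against the `atomic_unchecked_t` definitions of `fscache_n_retrieval_op_waits`, `fscache_n_alloc_op_waits` and the `*_object_dead` counters in stats.c. The later hunks test `if (stat_op_waits)` and `if (stat_object_dead)` before use, so both pointers are optional. The comment block above the function, of which only the closing `*/` is in the hunk, should say so, for example `@stat_op_waits, @stat_object_dead: optional statistics counters (unchecked, may wrap); NULL to skip`. The function body continues outside the hunk.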
79143@@ -365,7 +365,7 @@ int fscache_wait_for_operation_activation(struct fscache_object *object,
79144
79145 _debug(">>> WT");
79146 if (stat_op_waits)
79147- fscache_stat(stat_op_waits);
79148+ fscache_stat_unchecked(stat_op_waits);
79149 if (wait_on_bit(&op->flags, FSCACHE_OP_WAITING,
79150 TASK_INTERRUPTIBLE) != 0) {
79151 ret = fscache_cancel_op(op, false);
79152@@ -382,7 +382,7 @@ int fscache_wait_for_operation_activation(struct fscache_object *object,
79153 check_if_dead:
79154 if (op->state == FSCACHE_OP_ST_CANCELLED) {
79155 if (stat_object_dead)
79156- fscache_stat(stat_object_dead);
79157+ fscache_stat_unchecked(stat_object_dead);
79158 _leave(" = -ENOBUFS [cancelled]");
79159 return -ENOBUFS;
79160 }
79161@@ -391,7 +391,7 @@ check_if_dead:
79162 enum fscache_operation_state state = op->state;
79163 fscache_cancel_op(op, true);
79164 if (stat_object_dead)
79165- fscache_stat(stat_object_dead);
79166+ fscache_stat_unchecked(stat_object_dead);
79167 _leave(" = -ENOBUFS [obj dead %d]", state);
79168 return -ENOBUFS;
79169 }
79170@@ -420,7 +420,7 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
79171
79172 _enter("%p,%p,,,", cookie, page);
79173
79174- fscache_stat(&fscache_n_retrievals);
79175+ fscache_stat_unchecked(&fscache_n_retrievals);
79176
79177 if (hlist_empty(&cookie->backing_objects))
79178 goto nobufs;
79179@@ -462,7 +462,7 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
79180 goto nobufs_unlock_dec;
79181 spin_unlock(&cookie->lock);
79182
79183- fscache_stat(&fscache_n_retrieval_ops);
79184+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
79185
79186 /* we wait for the operation to become active, and then process it
79187 * *here*, in this thread, and not in the thread pool */
79188@@ -488,15 +488,15 @@ int __fscache_read_or_alloc_page(struct fscache_cookie *cookie,
79189
79190 error:
79191 if (ret == -ENOMEM)
79192- fscache_stat(&fscache_n_retrievals_nomem);
79193+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
79194 else if (ret == -ERESTARTSYS)
79195- fscache_stat(&fscache_n_retrievals_intr);
79196+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
79197 else if (ret == -ENODATA)
79198- fscache_stat(&fscache_n_retrievals_nodata);
79199+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
79200 else if (ret < 0)
79201- fscache_stat(&fscache_n_retrievals_nobufs);
79202+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
79203 else
79204- fscache_stat(&fscache_n_retrievals_ok);
79205+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
79206
79207 fscache_put_retrieval(op);
79208 _leave(" = %d", ret);
79209@@ -511,7 +511,7 @@ nobufs_unlock:
79210 __fscache_wake_unused_cookie(cookie);
79211 fscache_put_retrieval(op);
79212 nobufs:
79213- fscache_stat(&fscache_n_retrievals_nobufs);
79214+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
79215 _leave(" = -ENOBUFS");
79216 return -ENOBUFS;
79217 }
79218@@ -550,7 +550,7 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
79219
79220 _enter("%p,,%d,,,", cookie, *nr_pages);
79221
79222- fscache_stat(&fscache_n_retrievals);
79223+ fscache_stat_unchecked(&fscache_n_retrievals);
79224
79225 if (hlist_empty(&cookie->backing_objects))
79226 goto nobufs;
79227@@ -588,7 +588,7 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
79228 goto nobufs_unlock_dec;
79229 spin_unlock(&cookie->lock);
79230
79231- fscache_stat(&fscache_n_retrieval_ops);
79232+ fscache_stat_unchecked(&fscache_n_retrieval_ops);
79233
79234 /* we wait for the operation to become active, and then process it
79235 * *here*, in this thread, and not in the thread pool */
79236@@ -614,15 +614,15 @@ int __fscache_read_or_alloc_pages(struct fscache_cookie *cookie,
79237
79238 error:
79239 if (ret == -ENOMEM)
79240- fscache_stat(&fscache_n_retrievals_nomem);
79241+ fscache_stat_unchecked(&fscache_n_retrievals_nomem);
79242 else if (ret == -ERESTARTSYS)
79243- fscache_stat(&fscache_n_retrievals_intr);
79244+ fscache_stat_unchecked(&fscache_n_retrievals_intr);
79245 else if (ret == -ENODATA)
79246- fscache_stat(&fscache_n_retrievals_nodata);
79247+ fscache_stat_unchecked(&fscache_n_retrievals_nodata);
79248 else if (ret < 0)
79249- fscache_stat(&fscache_n_retrievals_nobufs);
79250+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
79251 else
79252- fscache_stat(&fscache_n_retrievals_ok);
79253+ fscache_stat_unchecked(&fscache_n_retrievals_ok);
79254
79255 fscache_put_retrieval(op);
79256 _leave(" = %d", ret);
79257@@ -637,7 +637,7 @@ nobufs_unlock:
79258 if (wake_cookie)
79259 __fscache_wake_unused_cookie(cookie);
79260 nobufs:
79261- fscache_stat(&fscache_n_retrievals_nobufs);
79262+ fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
79263 _leave(" = -ENOBUFS");
79264 return -ENOBUFS;
79265 }
79266@@ -662,7 +662,7 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
79267
79268 _enter("%p,%p,,,", cookie, page);
79269
79270- fscache_stat(&fscache_n_allocs);
79271+ fscache_stat_unchecked(&fscache_n_allocs);
79272
79273 if (hlist_empty(&cookie->backing_objects))
79274 goto nobufs;
79275@@ -696,7 +696,7 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
79276 goto nobufs_unlock_dec;
79277 spin_unlock(&cookie->lock);
79278
79279- fscache_stat(&fscache_n_alloc_ops);
79280+ fscache_stat_unchecked(&fscache_n_alloc_ops);
79281
79282 ret = fscache_wait_for_operation_activation(
79283 object, &op->op,
79284@@ -712,11 +712,11 @@ int __fscache_alloc_page(struct fscache_cookie *cookie,
79285
79286 error:
79287 if (ret == -ERESTARTSYS)
79288- fscache_stat(&fscache_n_allocs_intr);
79289+ fscache_stat_unchecked(&fscache_n_allocs_intr);
79290 else if (ret < 0)
79291- fscache_stat(&fscache_n_allocs_nobufs);
79292+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
79293 else
79294- fscache_stat(&fscache_n_allocs_ok);
79295+ fscache_stat_unchecked(&fscache_n_allocs_ok);
79296
79297 fscache_put_retrieval(op);
79298 _leave(" = %d", ret);
79299@@ -730,7 +730,7 @@ nobufs_unlock:
79300 if (wake_cookie)
79301 __fscache_wake_unused_cookie(cookie);
79302 nobufs:
79303- fscache_stat(&fscache_n_allocs_nobufs);
79304+ fscache_stat_unchecked(&fscache_n_allocs_nobufs);
79305 _leave(" = -ENOBUFS");
79306 return -ENOBUFS;
79307 }
79308@@ -806,7 +806,7 @@ static void fscache_write_op(struct fscache_operation *_op)
79309
79310 spin_lock(&cookie->stores_lock);
79311
79312- fscache_stat(&fscache_n_store_calls);
79313+ fscache_stat_unchecked(&fscache_n_store_calls);
79314
79315 /* find a page to store */
79316 page = NULL;
79317@@ -817,7 +817,7 @@ static void fscache_write_op(struct fscache_operation *_op)
79318 page = results[0];
79319 _debug("gang %d [%lx]", n, page->index);
79320 if (page->index > op->store_limit) {
79321- fscache_stat(&fscache_n_store_pages_over_limit);
79322+ fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
79323 goto superseded;
79324 }
79325
79326@@ -829,7 +829,7 @@ static void fscache_write_op(struct fscache_operation *_op)
79327 spin_unlock(&cookie->stores_lock);
79328 spin_unlock(&object->lock);
79329
79330- fscache_stat(&fscache_n_store_pages);
79331+ fscache_stat_unchecked(&fscache_n_store_pages);
79332 fscache_stat(&fscache_n_cop_write_page);
79333 ret = object->cache->ops->write_page(op, page);
79334 fscache_stat_d(&fscache_n_cop_write_page);
79335@@ -933,7 +933,7 @@ int __fscache_write_page(struct fscache_cookie *cookie,
79336 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
79337 ASSERT(PageFsCache(page));
79338
79339- fscache_stat(&fscache_n_stores);
79340+ fscache_stat_unchecked(&fscache_n_stores);
79341
79342 if (test_bit(FSCACHE_COOKIE_INVALIDATING, &cookie->flags)) {
79343 _leave(" = -ENOBUFS [invalidating]");
79344@@ -992,7 +992,7 @@ int __fscache_write_page(struct fscache_cookie *cookie,
79345 spin_unlock(&cookie->stores_lock);
79346 spin_unlock(&object->lock);
79347
79348- op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
79349+ op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
79350 op->store_limit = object->store_limit;
79351
79352 __fscache_use_cookie(cookie);
79353@@ -1001,8 +1001,8 @@ int __fscache_write_page(struct fscache_cookie *cookie,
79354
79355 spin_unlock(&cookie->lock);
79356 radix_tree_preload_end();
79357- fscache_stat(&fscache_n_store_ops);
79358- fscache_stat(&fscache_n_stores_ok);
79359+ fscache_stat_unchecked(&fscache_n_store_ops);
79360+ fscache_stat_unchecked(&fscache_n_stores_ok);
79361
79362 /* the work queue now carries its own ref on the object */
79363 fscache_put_operation(&op->op);
79364@@ -1010,14 +1010,14 @@ int __fscache_write_page(struct fscache_cookie *cookie,
79365 return 0;
79366
79367 already_queued:
79368- fscache_stat(&fscache_n_stores_again);
79369+ fscache_stat_unchecked(&fscache_n_stores_again);
79370 already_pending:
79371 spin_unlock(&cookie->stores_lock);
79372 spin_unlock(&object->lock);
79373 spin_unlock(&cookie->lock);
79374 radix_tree_preload_end();
79375 fscache_put_operation(&op->op);
79376- fscache_stat(&fscache_n_stores_ok);
79377+ fscache_stat_unchecked(&fscache_n_stores_ok);
79378 _leave(" = 0");
79379 return 0;
79380
79381@@ -1039,14 +1039,14 @@ nobufs:
79382 fscache_put_operation(&op->op);
79383 if (wake_cookie)
79384 __fscache_wake_unused_cookie(cookie);
79385- fscache_stat(&fscache_n_stores_nobufs);
79386+ fscache_stat_unchecked(&fscache_n_stores_nobufs);
79387 _leave(" = -ENOBUFS");
79388 return -ENOBUFS;
79389
79390 nomem_free:
79391 fscache_put_operation(&op->op);
79392 nomem:
79393- fscache_stat(&fscache_n_stores_oom);
79394+ fscache_stat_unchecked(&fscache_n_stores_oom);
79395 _leave(" = -ENOMEM");
79396 return -ENOMEM;
79397 }
79398@@ -1064,7 +1064,7 @@ void __fscache_uncache_page(struct fscache_cookie *cookie, struct page *page)
79399 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
79400 ASSERTCMP(page, !=, NULL);
79401
79402- fscache_stat(&fscache_n_uncaches);
79403+ fscache_stat_unchecked(&fscache_n_uncaches);
79404
79405 /* cache withdrawal may beat us to it */
79406 if (!PageFsCache(page))
79407@@ -1115,7 +1115,7 @@ void fscache_mark_page_cached(struct fscache_retrieval *op, struct page *page)
79408 struct fscache_cookie *cookie = op->op.object->cookie;
79409
79410 #ifdef CONFIG_FSCACHE_STATS
79411- atomic_inc(&fscache_n_marks);
79412+ atomic_inc_unchecked(&fscache_n_marks);
79413 #endif
79414
79415 _debug("- mark %p{%lx}", page, page->index);
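Review bot: This is the one converted counter that is still open-coded as `atomic_inc_unchecked()` inside `#ifdef CONFIG_FSCACHE_STATS`, while every other site in the patch goes through the new helper. The internal.h hunk defines `fscache_stat_unchecked(stat)` as `do {} while (0)` in what appears to be the stats-disabled branch, so the three lines could become `fscache_stat_unchecked(&fscache_n_marks);`. That removes the conditional and keeps a single spelling for statistics increments. If the `#ifdef` is kept to minimise the delta against upstream, a short comment saying so would help. The body of `fscache_mark_page_cached()` continues outside the hunk.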
79416diff --git a/fs/fscache/stats.c b/fs/fscache/stats.c
79417index 7cfa0aa..d5ef97b7 100644
79418--- a/fs/fscache/stats.c
79419+++ b/fs/fscache/stats.c
79420@@ -18,100 +18,100 @@
79421 /*
79422 * operation counters
79423 */
79424-atomic_t fscache_n_op_pend;
79425-atomic_t fscache_n_op_run;
79426-atomic_t fscache_n_op_enqueue;
79427-atomic_t fscache_n_op_requeue;
79428-atomic_t fscache_n_op_deferred_release;
79429-atomic_t fscache_n_op_initialised;
79430-atomic_t fscache_n_op_release;
79431-atomic_t fscache_n_op_gc;
79432-atomic_t fscache_n_op_cancelled;
79433-atomic_t fscache_n_op_rejected;
79434+atomic_unchecked_t fscache_n_op_pend;
79435+atomic_unchecked_t fscache_n_op_run;
79436+atomic_unchecked_t fscache_n_op_enqueue;
79437+atomic_unchecked_t fscache_n_op_requeue;
79438+atomic_unchecked_t fscache_n_op_deferred_release;
79439+atomic_unchecked_t fscache_n_op_initialised;
79440+atomic_unchecked_t fscache_n_op_release;
79441+atomic_unchecked_t fscache_n_op_gc;
79442+atomic_unchecked_t fscache_n_op_cancelled;
79443+atomic_unchecked_t fscache_n_op_rejected;
79444
79445-atomic_t fscache_n_attr_changed;
79446-atomic_t fscache_n_attr_changed_ok;
79447-atomic_t fscache_n_attr_changed_nobufs;
79448-atomic_t fscache_n_attr_changed_nomem;
79449-atomic_t fscache_n_attr_changed_calls;
79450+atomic_unchecked_t fscache_n_attr_changed;
79451+atomic_unchecked_t fscache_n_attr_changed_ok;
79452+atomic_unchecked_t fscache_n_attr_changed_nobufs;
79453+atomic_unchecked_t fscache_n_attr_changed_nomem;
79454+atomic_unchecked_t fscache_n_attr_changed_calls;
79455
79456-atomic_t fscache_n_allocs;
79457-atomic_t fscache_n_allocs_ok;
79458-atomic_t fscache_n_allocs_wait;
79459-atomic_t fscache_n_allocs_nobufs;
79460-atomic_t fscache_n_allocs_intr;
79461-atomic_t fscache_n_allocs_object_dead;
79462-atomic_t fscache_n_alloc_ops;
79463-atomic_t fscache_n_alloc_op_waits;
79464+atomic_unchecked_t fscache_n_allocs;
79465+atomic_unchecked_t fscache_n_allocs_ok;
79466+atomic_unchecked_t fscache_n_allocs_wait;
79467+atomic_unchecked_t fscache_n_allocs_nobufs;
79468+atomic_unchecked_t fscache_n_allocs_intr;
79469+atomic_unchecked_t fscache_n_allocs_object_dead;
79470+atomic_unchecked_t fscache_n_alloc_ops;
79471+atomic_unchecked_t fscache_n_alloc_op_waits;
79472
79473-atomic_t fscache_n_retrievals;
79474-atomic_t fscache_n_retrievals_ok;
79475-atomic_t fscache_n_retrievals_wait;
79476-atomic_t fscache_n_retrievals_nodata;
79477-atomic_t fscache_n_retrievals_nobufs;
79478-atomic_t fscache_n_retrievals_intr;
79479-atomic_t fscache_n_retrievals_nomem;
79480-atomic_t fscache_n_retrievals_object_dead;
79481-atomic_t fscache_n_retrieval_ops;
79482-atomic_t fscache_n_retrieval_op_waits;
79483+atomic_unchecked_t fscache_n_retrievals;
79484+atomic_unchecked_t fscache_n_retrievals_ok;
79485+atomic_unchecked_t fscache_n_retrievals_wait;
79486+atomic_unchecked_t fscache_n_retrievals_nodata;
79487+atomic_unchecked_t fscache_n_retrievals_nobufs;
79488+atomic_unchecked_t fscache_n_retrievals_intr;
79489+atomic_unchecked_t fscache_n_retrievals_nomem;
79490+atomic_unchecked_t fscache_n_retrievals_object_dead;
79491+atomic_unchecked_t fscache_n_retrieval_ops;
79492+atomic_unchecked_t fscache_n_retrieval_op_waits;
79493
79494-atomic_t fscache_n_stores;
79495-atomic_t fscache_n_stores_ok;
79496-atomic_t fscache_n_stores_again;
79497-atomic_t fscache_n_stores_nobufs;
79498-atomic_t fscache_n_stores_oom;
79499-atomic_t fscache_n_store_ops;
79500-atomic_t fscache_n_store_calls;
79501-atomic_t fscache_n_store_pages;
79502-atomic_t fscache_n_store_radix_deletes;
79503-atomic_t fscache_n_store_pages_over_limit;
79504+atomic_unchecked_t fscache_n_stores;
79505+atomic_unchecked_t fscache_n_stores_ok;
79506+atomic_unchecked_t fscache_n_stores_again;
79507+atomic_unchecked_t fscache_n_stores_nobufs;
79508+atomic_unchecked_t fscache_n_stores_oom;
79509+atomic_unchecked_t fscache_n_store_ops;
79510+atomic_unchecked_t fscache_n_store_calls;
79511+atomic_unchecked_t fscache_n_store_pages;
79512+atomic_unchecked_t fscache_n_store_radix_deletes;
79513+atomic_unchecked_t fscache_n_store_pages_over_limit;
79514
79515-atomic_t fscache_n_store_vmscan_not_storing;
79516-atomic_t fscache_n_store_vmscan_gone;
79517-atomic_t fscache_n_store_vmscan_busy;
79518-atomic_t fscache_n_store_vmscan_cancelled;
79519-atomic_t fscache_n_store_vmscan_wait;
79520+atomic_unchecked_t fscache_n_store_vmscan_not_storing;
79521+atomic_unchecked_t fscache_n_store_vmscan_gone;
79522+atomic_unchecked_t fscache_n_store_vmscan_busy;
79523+atomic_unchecked_t fscache_n_store_vmscan_cancelled;
79524+atomic_unchecked_t fscache_n_store_vmscan_wait;
79525
79526-atomic_t fscache_n_marks;
79527-atomic_t fscache_n_uncaches;
79528+atomic_unchecked_t fscache_n_marks;
79529+atomic_unchecked_t fscache_n_uncaches;
79530
79531-atomic_t fscache_n_acquires;
79532-atomic_t fscache_n_acquires_null;
79533-atomic_t fscache_n_acquires_no_cache;
79534-atomic_t fscache_n_acquires_ok;
79535-atomic_t fscache_n_acquires_nobufs;
79536-atomic_t fscache_n_acquires_oom;
79537+atomic_unchecked_t fscache_n_acquires;
79538+atomic_unchecked_t fscache_n_acquires_null;
79539+atomic_unchecked_t fscache_n_acquires_no_cache;
79540+atomic_unchecked_t fscache_n_acquires_ok;
79541+atomic_unchecked_t fscache_n_acquires_nobufs;
79542+atomic_unchecked_t fscache_n_acquires_oom;
79543
79544-atomic_t fscache_n_invalidates;
79545-atomic_t fscache_n_invalidates_run;
79546+atomic_unchecked_t fscache_n_invalidates;
79547+atomic_unchecked_t fscache_n_invalidates_run;
79548
79549-atomic_t fscache_n_updates;
79550-atomic_t fscache_n_updates_null;
79551-atomic_t fscache_n_updates_run;
79552+atomic_unchecked_t fscache_n_updates;
79553+atomic_unchecked_t fscache_n_updates_null;
79554+atomic_unchecked_t fscache_n_updates_run;
79555
79556-atomic_t fscache_n_relinquishes;
79557-atomic_t fscache_n_relinquishes_null;
79558-atomic_t fscache_n_relinquishes_waitcrt;
79559-atomic_t fscache_n_relinquishes_retire;
79560+atomic_unchecked_t fscache_n_relinquishes;
79561+atomic_unchecked_t fscache_n_relinquishes_null;
79562+atomic_unchecked_t fscache_n_relinquishes_waitcrt;
79563+atomic_unchecked_t fscache_n_relinquishes_retire;
79564
79565-atomic_t fscache_n_cookie_index;
79566-atomic_t fscache_n_cookie_data;
79567-atomic_t fscache_n_cookie_special;
79568+atomic_unchecked_t fscache_n_cookie_index;
79569+atomic_unchecked_t fscache_n_cookie_data;
79570+atomic_unchecked_t fscache_n_cookie_special;
79571
79572-atomic_t fscache_n_object_alloc;
79573-atomic_t fscache_n_object_no_alloc;
79574-atomic_t fscache_n_object_lookups;
79575-atomic_t fscache_n_object_lookups_negative;
79576-atomic_t fscache_n_object_lookups_positive;
79577-atomic_t fscache_n_object_lookups_timed_out;
79578-atomic_t fscache_n_object_created;
79579-atomic_t fscache_n_object_avail;
79580-atomic_t fscache_n_object_dead;
79581+atomic_unchecked_t fscache_n_object_alloc;
79582+atomic_unchecked_t fscache_n_object_no_alloc;
79583+atomic_unchecked_t fscache_n_object_lookups;
79584+atomic_unchecked_t fscache_n_object_lookups_negative;
79585+atomic_unchecked_t fscache_n_object_lookups_positive;
79586+atomic_unchecked_t fscache_n_object_lookups_timed_out;
79587+atomic_unchecked_t fscache_n_object_created;
79588+atomic_unchecked_t fscache_n_object_avail;
79589+atomic_unchecked_t fscache_n_object_dead;
79590
79591-atomic_t fscache_n_checkaux_none;
79592-atomic_t fscache_n_checkaux_okay;
79593-atomic_t fscache_n_checkaux_update;
79594-atomic_t fscache_n_checkaux_obsolete;
79595+atomic_unchecked_t fscache_n_checkaux_none;
79596+atomic_unchecked_t fscache_n_checkaux_okay;
79597+atomic_unchecked_t fscache_n_checkaux_update;
79598+atomic_unchecked_t fscache_n_checkaux_obsolete;
79599
79600 atomic_t fscache_n_cop_alloc_object;
79601 atomic_t fscache_n_cop_lookup_object;
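Review bot: Nothing in this hunk records why these counters become `atomic_unchecked_t` while `fscache_n_cop_alloc_object` and `fscache_n_cop_lookup_object`, directly below, stay `atomic_t`. The split looks deliberate (statistics that may wrap versus counters that should keep overflow detection), but a reader has to infer that. A comment above the converted group, such as `/* pure statistics: may wrap harmlessly, so exempt from atomic overflow checking */`, would make the rule visible and stop a later counter from landing in the wrong group.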
79602@@ -144,119 +144,119 @@ static int fscache_stats_show(struct seq_file *m, void *v)
79603 seq_puts(m, "FS-Cache statistics\n");
79604
79605 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
79606- atomic_read(&fscache_n_cookie_index),
79607- atomic_read(&fscache_n_cookie_data),
79608- atomic_read(&fscache_n_cookie_special));
79609+ atomic_read_unchecked(&fscache_n_cookie_index),
79610+ atomic_read_unchecked(&fscache_n_cookie_data),
79611+ atomic_read_unchecked(&fscache_n_cookie_special));
79612
79613 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
79614- atomic_read(&fscache_n_object_alloc),
79615- atomic_read(&fscache_n_object_no_alloc),
79616- atomic_read(&fscache_n_object_avail),
79617- atomic_read(&fscache_n_object_dead));
79618+ atomic_read_unchecked(&fscache_n_object_alloc),
79619+ atomic_read_unchecked(&fscache_n_object_no_alloc),
79620+ atomic_read_unchecked(&fscache_n_object_avail),
79621+ atomic_read_unchecked(&fscache_n_object_dead));
79622 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
79623- atomic_read(&fscache_n_checkaux_none),
79624- atomic_read(&fscache_n_checkaux_okay),
79625- atomic_read(&fscache_n_checkaux_update),
79626- atomic_read(&fscache_n_checkaux_obsolete));
79627+ atomic_read_unchecked(&fscache_n_checkaux_none),
79628+ atomic_read_unchecked(&fscache_n_checkaux_okay),
79629+ atomic_read_unchecked(&fscache_n_checkaux_update),
79630+ atomic_read_unchecked(&fscache_n_checkaux_obsolete));
79631
79632 seq_printf(m, "Pages : mrk=%u unc=%u\n",
79633- atomic_read(&fscache_n_marks),
79634- atomic_read(&fscache_n_uncaches));
79635+ atomic_read_unchecked(&fscache_n_marks),
79636+ atomic_read_unchecked(&fscache_n_uncaches));
79637
79638 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
79639 " oom=%u\n",
79640- atomic_read(&fscache_n_acquires),
79641- atomic_read(&fscache_n_acquires_null),
79642- atomic_read(&fscache_n_acquires_no_cache),
79643- atomic_read(&fscache_n_acquires_ok),
79644- atomic_read(&fscache_n_acquires_nobufs),
79645- atomic_read(&fscache_n_acquires_oom));
79646+ atomic_read_unchecked(&fscache_n_acquires),
79647+ atomic_read_unchecked(&fscache_n_acquires_null),
79648+ atomic_read_unchecked(&fscache_n_acquires_no_cache),
79649+ atomic_read_unchecked(&fscache_n_acquires_ok),
79650+ atomic_read_unchecked(&fscache_n_acquires_nobufs),
79651+ atomic_read_unchecked(&fscache_n_acquires_oom));
79652
79653 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
79654- atomic_read(&fscache_n_object_lookups),
79655- atomic_read(&fscache_n_object_lookups_negative),
79656- atomic_read(&fscache_n_object_lookups_positive),
79657- atomic_read(&fscache_n_object_created),
79658- atomic_read(&fscache_n_object_lookups_timed_out));
79659+ atomic_read_unchecked(&fscache_n_object_lookups),
79660+ atomic_read_unchecked(&fscache_n_object_lookups_negative),
79661+ atomic_read_unchecked(&fscache_n_object_lookups_positive),
79662+ atomic_read_unchecked(&fscache_n_object_created),
79663+ atomic_read_unchecked(&fscache_n_object_lookups_timed_out));
79664
79665 seq_printf(m, "Invals : n=%u run=%u\n",
79666- atomic_read(&fscache_n_invalidates),
79667- atomic_read(&fscache_n_invalidates_run));
79668+ atomic_read_unchecked(&fscache_n_invalidates),
79669+ atomic_read_unchecked(&fscache_n_invalidates_run));
79670
79671 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
79672- atomic_read(&fscache_n_updates),
79673- atomic_read(&fscache_n_updates_null),
79674- atomic_read(&fscache_n_updates_run));
79675+ atomic_read_unchecked(&fscache_n_updates),
79676+ atomic_read_unchecked(&fscache_n_updates_null),
79677+ atomic_read_unchecked(&fscache_n_updates_run));
79678
79679 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
79680- atomic_read(&fscache_n_relinquishes),
79681- atomic_read(&fscache_n_relinquishes_null),
79682- atomic_read(&fscache_n_relinquishes_waitcrt),
79683- atomic_read(&fscache_n_relinquishes_retire));
79684+ atomic_read_unchecked(&fscache_n_relinquishes),
79685+ atomic_read_unchecked(&fscache_n_relinquishes_null),
79686+ atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
79687+ atomic_read_unchecked(&fscache_n_relinquishes_retire));
79688
79689 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
79690- atomic_read(&fscache_n_attr_changed),
79691- atomic_read(&fscache_n_attr_changed_ok),
79692- atomic_read(&fscache_n_attr_changed_nobufs),
79693- atomic_read(&fscache_n_attr_changed_nomem),
79694- atomic_read(&fscache_n_attr_changed_calls));
79695+ atomic_read_unchecked(&fscache_n_attr_changed),
79696+ atomic_read_unchecked(&fscache_n_attr_changed_ok),
79697+ atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
79698+ atomic_read_unchecked(&fscache_n_attr_changed_nomem),
79699+ atomic_read_unchecked(&fscache_n_attr_changed_calls));
79700
79701 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
79702- atomic_read(&fscache_n_allocs),
79703- atomic_read(&fscache_n_allocs_ok),
79704- atomic_read(&fscache_n_allocs_wait),
79705- atomic_read(&fscache_n_allocs_nobufs),
79706- atomic_read(&fscache_n_allocs_intr));
79707+ atomic_read_unchecked(&fscache_n_allocs),
79708+ atomic_read_unchecked(&fscache_n_allocs_ok),
79709+ atomic_read_unchecked(&fscache_n_allocs_wait),
79710+ atomic_read_unchecked(&fscache_n_allocs_nobufs),
79711+ atomic_read_unchecked(&fscache_n_allocs_intr));
79712 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
79713- atomic_read(&fscache_n_alloc_ops),
79714- atomic_read(&fscache_n_alloc_op_waits),
79715- atomic_read(&fscache_n_allocs_object_dead));
79716+ atomic_read_unchecked(&fscache_n_alloc_ops),
79717+ atomic_read_unchecked(&fscache_n_alloc_op_waits),
79718+ atomic_read_unchecked(&fscache_n_allocs_object_dead));
79719
79720 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
79721 " int=%u oom=%u\n",
79722- atomic_read(&fscache_n_retrievals),
79723- atomic_read(&fscache_n_retrievals_ok),
79724- atomic_read(&fscache_n_retrievals_wait),
79725- atomic_read(&fscache_n_retrievals_nodata),
79726- atomic_read(&fscache_n_retrievals_nobufs),
79727- atomic_read(&fscache_n_retrievals_intr),
79728- atomic_read(&fscache_n_retrievals_nomem));
79729+ atomic_read_unchecked(&fscache_n_retrievals),
79730+ atomic_read_unchecked(&fscache_n_retrievals_ok),
79731+ atomic_read_unchecked(&fscache_n_retrievals_wait),
79732+ atomic_read_unchecked(&fscache_n_retrievals_nodata),
79733+ atomic_read_unchecked(&fscache_n_retrievals_nobufs),
79734+ atomic_read_unchecked(&fscache_n_retrievals_intr),
79735+ atomic_read_unchecked(&fscache_n_retrievals_nomem));
79736 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
79737- atomic_read(&fscache_n_retrieval_ops),
79738- atomic_read(&fscache_n_retrieval_op_waits),
79739- atomic_read(&fscache_n_retrievals_object_dead));
79740+ atomic_read_unchecked(&fscache_n_retrieval_ops),
79741+ atomic_read_unchecked(&fscache_n_retrieval_op_waits),
79742+ atomic_read_unchecked(&fscache_n_retrievals_object_dead));
79743
79744 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
79745- atomic_read(&fscache_n_stores),
79746- atomic_read(&fscache_n_stores_ok),
79747- atomic_read(&fscache_n_stores_again),
79748- atomic_read(&fscache_n_stores_nobufs),
79749- atomic_read(&fscache_n_stores_oom));
79750+ atomic_read_unchecked(&fscache_n_stores),
79751+ atomic_read_unchecked(&fscache_n_stores_ok),
79752+ atomic_read_unchecked(&fscache_n_stores_again),
79753+ atomic_read_unchecked(&fscache_n_stores_nobufs),
79754+ atomic_read_unchecked(&fscache_n_stores_oom));
79755 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
79756- atomic_read(&fscache_n_store_ops),
79757- atomic_read(&fscache_n_store_calls),
79758- atomic_read(&fscache_n_store_pages),
79759- atomic_read(&fscache_n_store_radix_deletes),
79760- atomic_read(&fscache_n_store_pages_over_limit));
79761+ atomic_read_unchecked(&fscache_n_store_ops),
79762+ atomic_read_unchecked(&fscache_n_store_calls),
79763+ atomic_read_unchecked(&fscache_n_store_pages),
79764+ atomic_read_unchecked(&fscache_n_store_radix_deletes),
79765+ atomic_read_unchecked(&fscache_n_store_pages_over_limit));
79766
79767 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u wt=%u\n",
79768- atomic_read(&fscache_n_store_vmscan_not_storing),
79769- atomic_read(&fscache_n_store_vmscan_gone),
79770- atomic_read(&fscache_n_store_vmscan_busy),
79771- atomic_read(&fscache_n_store_vmscan_cancelled),
79772- atomic_read(&fscache_n_store_vmscan_wait));
79773+ atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
79774+ atomic_read_unchecked(&fscache_n_store_vmscan_gone),
79775+ atomic_read_unchecked(&fscache_n_store_vmscan_busy),
79776+ atomic_read_unchecked(&fscache_n_store_vmscan_cancelled),
79777+ atomic_read_unchecked(&fscache_n_store_vmscan_wait));
79778
79779 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
79780- atomic_read(&fscache_n_op_pend),
79781- atomic_read(&fscache_n_op_run),
79782- atomic_read(&fscache_n_op_enqueue),
79783- atomic_read(&fscache_n_op_cancelled),
79784- atomic_read(&fscache_n_op_rejected));
79785+ atomic_read_unchecked(&fscache_n_op_pend),
79786+ atomic_read_unchecked(&fscache_n_op_run),
79787+ atomic_read_unchecked(&fscache_n_op_enqueue),
79788+ atomic_read_unchecked(&fscache_n_op_cancelled),
79789+ atomic_read_unchecked(&fscache_n_op_rejected));
79790 seq_printf(m, "Ops : ini=%u dfr=%u rel=%u gc=%u\n",
79791- atomic_read(&fscache_n_op_initialised),
79792- atomic_read(&fscache_n_op_deferred_release),
79793- atomic_read(&fscache_n_op_release),
79794- atomic_read(&fscache_n_op_gc));
79795+ atomic_read_unchecked(&fscache_n_op_initialised),
79796+ atomic_read_unchecked(&fscache_n_op_deferred_release),
79797+ atomic_read_unchecked(&fscache_n_op_release),
79798+ atomic_read_unchecked(&fscache_n_op_gc));
79799
79800 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
79801 atomic_read(&fscache_n_cop_alloc_object),
79802diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
79803index eae2c11..b277a45 100644
79804--- a/fs/fuse/cuse.c
79805+++ b/fs/fuse/cuse.c
79806@@ -609,10 +609,12 @@ static int __init cuse_init(void)
79807 INIT_LIST_HEAD(&cuse_conntbl[i]);
79808
79809 /* inherit and extend fuse_dev_operations */
79810- cuse_channel_fops = fuse_dev_operations;
79811- cuse_channel_fops.owner = THIS_MODULE;
79812- cuse_channel_fops.open = cuse_channel_open;
79813- cuse_channel_fops.release = cuse_channel_release;
79814+ pax_open_kernel();
79815+ memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(fuse_dev_operations));
79816+ *(void **)&cuse_channel_fops.owner = THIS_MODULE;
79817+ *(void **)&cuse_channel_fops.open = cuse_channel_open;
79818+ *(void **)&cuse_channel_fops.release = cuse_channel_release;
79819+ pax_close_kernel();
79820
79821 cuse_class = class_create(THIS_MODULE, "cuse");
79822 if (IS_ERR(cuse_class))
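Review bot: The `memcpy` takes its length from the source (`sizeof(fuse_dev_operations)`) while the destination is written through a `(void *)` cast, so nothing ties the length to the object being overwritten. Using `memcpy((void *)&cuse_channel_fops, &fuse_dev_operations, sizeof(cuse_channel_fops));` keeps the bound on the destination. The `*(void **)&cuse_channel_fops.owner = ...` stores also hide why a plain assignment no longer works; a comment such as `/* cuse_channel_fops is presumably read-only outside pax_open_kernel(); it is patched once here at init */` would explain the casts. cuse_init starts and ends outside this hunk.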
79823diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
79824index ebb5e37..beae05b 100644
79825--- a/fs/fuse/dev.c
79826+++ b/fs/fuse/dev.c
79827@@ -1390,7 +1390,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
79828 ret = 0;
79829 pipe_lock(pipe);
79830
79831- if (!pipe->readers) {
79832+ if (!atomic_read(&pipe->readers)) {
79833 send_sig(SIGPIPE, current, 0);
79834 if (!ret)
79835 ret = -EPIPE;
79836@@ -1419,7 +1419,7 @@ static ssize_t fuse_dev_splice_read(struct file *in, loff_t *ppos,
79837 page_nr++;
79838 ret += buf->len;
79839
79840- if (pipe->files)
79841+ if (atomic_read(&pipe->files))
79842 do_wakeup = 1;
79843 }
79844
79845diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
79846index a38e38f..6dbdcf6 100644
79847--- a/fs/gfs2/glock.c
79848+++ b/fs/gfs2/glock.c
79849@@ -385,9 +385,9 @@ static void state_change(struct gfs2_glock *gl, unsigned int new_state)
79850 if (held1 != held2) {
79851 GLOCK_BUG_ON(gl, __lockref_is_dead(&gl->gl_lockref));
79852 if (held2)
79853- gl->gl_lockref.count++;
79854+ __lockref_inc(&gl->gl_lockref);
79855 else
79856- gl->gl_lockref.count--;
79857+ __lockref_dec(&gl->gl_lockref);
79858 }
79859 if (held1 && held2 && list_empty(&gl->gl_holders))
79860 clear_bit(GLF_QUEUED, &gl->gl_flags);
79861@@ -614,9 +614,9 @@ out:
79862 out_sched:
79863 clear_bit(GLF_LOCK, &gl->gl_flags);
79864 smp_mb__after_atomic();
79865- gl->gl_lockref.count++;
79866+ __lockref_inc(&gl->gl_lockref);
79867 if (queue_delayed_work(glock_workqueue, &gl->gl_work, 0) == 0)
79868- gl->gl_lockref.count--;
79869+ __lockref_dec(&gl->gl_lockref);
79870 return;
79871
79872 out_unlock:
79873@@ -742,7 +742,7 @@ int gfs2_glock_get(struct gfs2_sbd *sdp, u64 number,
79874 gl->gl_sbd = sdp;
79875 gl->gl_flags = 0;
79876 gl->gl_name = name;
79877- gl->gl_lockref.count = 1;
79878+ __lockref_set(&gl->gl_lockref, 1);
79879 gl->gl_state = LM_ST_UNLOCKED;
79880 gl->gl_target = LM_ST_UNLOCKED;
79881 gl->gl_demote_state = LM_ST_EXCLUSIVE;
79882@@ -1020,9 +1020,9 @@ int gfs2_glock_nq(struct gfs2_holder *gh)
79883 if (unlikely((LM_FLAG_NOEXP & gh->gh_flags) &&
79884 test_and_clear_bit(GLF_FROZEN, &gl->gl_flags))) {
79885 set_bit(GLF_REPLY_PENDING, &gl->gl_flags);
79886- gl->gl_lockref.count++;
79887+ __lockref_inc(&gl->gl_lockref);
79888 if (queue_delayed_work(glock_workqueue, &gl->gl_work, 0) == 0)
79889- gl->gl_lockref.count--;
79890+ __lockref_dec(&gl->gl_lockref);
79891 }
79892 run_queue(gl, 1);
79893 spin_unlock(&gl->gl_spin);
79894@@ -1326,7 +1326,7 @@ void gfs2_glock_complete(struct gfs2_glock *gl, int ret)
79895 }
79896 }
79897
79898- gl->gl_lockref.count++;
79899+ __lockref_inc(&gl->gl_lockref);
79900 set_bit(GLF_REPLY_PENDING, &gl->gl_flags);
79901 spin_unlock(&gl->gl_spin);
79902
79903@@ -1385,12 +1385,12 @@ add_back_to_lru:
79904 goto add_back_to_lru;
79905 }
79906 clear_bit(GLF_LRU, &gl->gl_flags);
79907- gl->gl_lockref.count++;
79908+ __lockref_inc(&gl->gl_lockref);
79909 if (demote_ok(gl))
79910 handle_callback(gl, LM_ST_UNLOCKED, 0, false);
79911 WARN_ON(!test_and_clear_bit(GLF_LOCK, &gl->gl_flags));
79912 if (queue_delayed_work(glock_workqueue, &gl->gl_work, 0) == 0)
79913- gl->gl_lockref.count--;
79914+ __lockref_dec(&gl->gl_lockref);
79915 spin_unlock(&gl->gl_spin);
79916 cond_resched_lock(&lru_lock);
79917 }
79918@@ -1720,7 +1720,7 @@ void gfs2_dump_glock(struct seq_file *seq, const struct gfs2_glock *gl)
79919 state2str(gl->gl_demote_state), dtime,
79920 atomic_read(&gl->gl_ail_count),
79921 atomic_read(&gl->gl_revokes),
79922- (int)gl->gl_lockref.count, gl->gl_hold_time);
79923+ __lockref_read(&gl->gl_lockref), gl->gl_hold_time);
79924
79925 list_for_each_entry(gh, &gl->gl_holders, gh_list)
79926 dump_holder(seq, gh);
79927diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c
79928index fa3fa5e..9fe2272 100644
79929--- a/fs/gfs2/glops.c
79930+++ b/fs/gfs2/glops.c
79931@@ -552,9 +552,9 @@ static void iopen_go_callback(struct gfs2_glock *gl, bool remote)
79932
79933 if (gl->gl_demote_state == LM_ST_UNLOCKED &&
79934 gl->gl_state == LM_ST_SHARED && ip) {
79935- gl->gl_lockref.count++;
79936+ __lockref_inc(&gl->gl_lockref);
79937 if (queue_work(gfs2_delete_workqueue, &gl->gl_delete) == 0)
79938- gl->gl_lockref.count--;
79939+ __lockref_dec(&gl->gl_lockref);
79940 }
79941 }
79942
79943diff --git a/fs/gfs2/quota.c b/fs/gfs2/quota.c
79944index 9b61f92..ab84778 100644
79945--- a/fs/gfs2/quota.c
79946+++ b/fs/gfs2/quota.c
79947@@ -154,7 +154,7 @@ static enum lru_status gfs2_qd_isolate(struct list_head *item,
79948 if (!spin_trylock(&qd->qd_lockref.lock))
79949 return LRU_SKIP;
79950
79951- if (qd->qd_lockref.count == 0) {
79952+ if (__lockref_read(&qd->qd_lockref) == 0) {
79953 lockref_mark_dead(&qd->qd_lockref);
79954 list_lru_isolate_move(lru, &qd->qd_lru, dispose);
79955 }
79956@@ -221,7 +221,7 @@ static struct gfs2_quota_data *qd_alloc(unsigned hash, struct gfs2_sbd *sdp, str
79957 return NULL;
79958
79959 qd->qd_sbd = sdp;
79960- qd->qd_lockref.count = 1;
79961+ __lockref_set(&qd->qd_lockref, 1);
79962 spin_lock_init(&qd->qd_lockref.lock);
79963 qd->qd_id = qid;
79964 qd->qd_slot = -1;
79965@@ -312,7 +312,7 @@ static void qd_put(struct gfs2_quota_data *qd)
79966 if (lockref_put_or_lock(&qd->qd_lockref))
79967 return;
79968
79969- qd->qd_lockref.count = 0;
79970+ __lockref_set(&qd->qd_lockref, 0);
79971 list_lru_add(&gfs2_qd_lru, &qd->qd_lru);
79972 spin_unlock(&qd->qd_lockref.lock);
79973
79974diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c
79975index 973c24c..a3cbeb3 100644
79976--- a/fs/hugetlbfs/inode.c
79977+++ b/fs/hugetlbfs/inode.c
79978@@ -150,6 +150,7 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
79979 struct mm_struct *mm = current->mm;
79980 struct vm_area_struct *vma;
79981 struct hstate *h = hstate_file(file);
79982+ unsigned long offset = gr_rand_threadstack_offset(mm, file, flags);
79983 struct vm_unmapped_area_info info;
79984
79985 if (len & ~huge_page_mask(h))
79986@@ -163,17 +164,26 @@ hugetlb_get_unmapped_area(struct file *file, unsigned long addr,
79987 return addr;
79988 }
79989
79990+#ifdef CONFIG_PAX_RANDMMAP
79991+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
79992+#endif
79993+
79994 if (addr) {
79995 addr = ALIGN(addr, huge_page_size(h));
79996 vma = find_vma(mm, addr);
79997- if (TASK_SIZE - len >= addr &&
79998- (!vma || addr + len <= vma->vm_start))
79999+ if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len, offset))
80000 return addr;
80001 }
80002
80003 info.flags = 0;
80004 info.length = len;
80005 info.low_limit = TASK_UNMAPPED_BASE;
80006+
80007+#ifdef CONFIG_PAX_RANDMMAP
80008+ if (mm->pax_flags & MF_PAX_RANDMMAP)
80009+ info.low_limit += mm->delta_mmap;
80010+#endif
80011+
80012 info.high_limit = TASK_SIZE;
80013 info.align_mask = PAGE_MASK & ~huge_page_mask(h);
80014 info.align_offset = 0;
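Review bot: The test added under `#ifdef CONFIG_PAX_RANDMMAP` is an `if` with no body of its own: it governs the following `if (addr) {` block only because that is the next statement after `#endif` and a blank line. A statement later inserted between the two would silently become the guarded body and make the address-hint path unconditional again, which is the case this guard is meant to exclude. A less fragile form is a local `bool use_hint = addr != 0;`, cleared inside the `#ifdef` when `mm->pax_flags & MF_PAX_RANDMMAP` is set, followed by `if (use_hint) {`. hugetlb_get_unmapped_area begins and ends outside this hunk.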
80015@@ -938,7 +948,7 @@ static struct file_system_type hugetlbfs_fs_type = {
80016 };
80017 MODULE_ALIAS_FS("hugetlbfs");
80018
80019-static struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
80020+struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
80021
80022 static int can_do_hugetlb_shm(void)
80023 {
80024diff --git a/fs/inode.c b/fs/inode.c
80025index d30640f..9d909a7 100644
80026--- a/fs/inode.c
80027+++ b/fs/inode.c
80028@@ -832,19 +832,19 @@ unsigned int get_next_ino(void)
80029 unsigned int *p = &get_cpu_var(last_ino);
80030 unsigned int res = *p;
80031
80032+start:
80033+
80034 #ifdef CONFIG_SMP
80035 if (unlikely((res & (LAST_INO_BATCH-1)) == 0)) {
80036- static atomic_t shared_last_ino;
80037- int next = atomic_add_return(LAST_INO_BATCH, &shared_last_ino);
80038+ static atomic_unchecked_t shared_last_ino;
80039+ int next = atomic_add_return_unchecked(LAST_INO_BATCH, &shared_last_ino);
80040
80041 res = next - LAST_INO_BATCH;
80042 }
80043 #endif
80044
80045- res++;
80046- /* get_next_ino should not provide a 0 inode number */
80047- if (unlikely(!res))
80048- res++;
80049+ if (unlikely(!++res))
80050+ goto start; /* never zero */
80051 *p = res;
80052 put_cpu_var(last_ino);
80053 return res;
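Review bot: The new `goto start` path depends on a property that `/* never zero */` does not state: when `++res` wraps to 0, that value is also a batch boundary, so on SMP the retry pulls a fresh batch from `shared_last_ino` rather than just stepping to 1. A fuller comment would help, e.g. `/* 0 is not a valid inode number; on wrap, retry (0 is a batch boundary, so SMP fetches a new batch) */`. The increment hidden inside `unlikely(!++res)` is also easy to misread; `res++; if (unlikely(!res)) goto start;` says the same thing more plainly. The closing brace of get_next_ino lies outside the hunk.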
80054diff --git a/fs/jffs2/erase.c b/fs/jffs2/erase.c
80055index 4a6cf28..d3a29d3 100644
80056--- a/fs/jffs2/erase.c
80057+++ b/fs/jffs2/erase.c
80058@@ -452,7 +452,8 @@ static void jffs2_mark_erased_block(struct jffs2_sb_info *c, struct jffs2_eraseb
80059 struct jffs2_unknown_node marker = {
80060 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
80061 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
80062- .totlen = cpu_to_je32(c->cleanmarker_size)
80063+ .totlen = cpu_to_je32(c->cleanmarker_size),
80064+ .hdr_crc = cpu_to_je32(0)
80065 };
80066
80067 jffs2_prealloc_raw_node_refs(c, jeb, 1);
80068diff --git a/fs/jffs2/wbuf.c b/fs/jffs2/wbuf.c
80069index 09ed551..45684f8 100644
80070--- a/fs/jffs2/wbuf.c
80071+++ b/fs/jffs2/wbuf.c
80072@@ -1023,7 +1023,8 @@ static const struct jffs2_unknown_node oob_cleanmarker =
80073 {
80074 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
80075 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
80076- .totlen = constant_cpu_to_je32(8)
80077+ .totlen = constant_cpu_to_je32(8),
80078+ .hdr_crc = constant_cpu_to_je32(0)
80079 };
80080
80081 /*
80082diff --git a/fs/jfs/super.c b/fs/jfs/super.c
80083index 4cd9798..8dfe86a 100644
80084--- a/fs/jfs/super.c
80085+++ b/fs/jfs/super.c
80086@@ -901,7 +901,7 @@ static int __init init_jfs_fs(void)
80087
80088 jfs_inode_cachep =
80089 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
80090- SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
80091+ SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
80092 init_once);
80093 if (jfs_inode_cachep == NULL)
80094 return -ENOMEM;
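Review bot: `SLAB_USERCOPY` is added for the whole `jfs_ip` cache without saying which part of `struct jfs_inode_info` is copied to or from user space. As I understand the flag, it whitelists every object in the cache for usercopy, so the bounds check no longer protects the other fields of the inode. A comment naming the field would help, e.g. `/* SLAB_USERCOPY: needed for <field copied to user space, not shown in this hunk> */`. If only one inline buffer is involved, bouncing that buffer through a temporary copy would let the cache stay unwhitelisted. init_jfs_fs continues outside the hunk.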
80095diff --git a/fs/kernfs/dir.c b/fs/kernfs/dir.c
80096index 2d48d28..82eddad 100644
80097--- a/fs/kernfs/dir.c
80098+++ b/fs/kernfs/dir.c
80099@@ -182,7 +182,7 @@ struct kernfs_node *kernfs_get_parent(struct kernfs_node *kn)
80100 *
80101 * Returns 31 bit hash of ns + name (so it fits in an off_t )
80102 */
80103-static unsigned int kernfs_name_hash(const char *name, const void *ns)
80104+static unsigned int kernfs_name_hash(const unsigned char *name, const void *ns)
80105 {
80106 unsigned long hash = init_name_hash();
80107 unsigned int len = strlen(name);
80108@@ -873,6 +873,12 @@ static int kernfs_iop_mkdir(struct inode *dir, struct dentry *dentry,
80109 ret = scops->mkdir(parent, dentry->d_name.name, mode);
80110
80111 kernfs_put_active(parent);
80112+
80113+ if (!ret) {
80114+ struct dentry *dentry_ret = kernfs_iop_lookup(dir, dentry, 0);
80115+ ret = PTR_ERR_OR_ZERO(dentry_ret);
80116+ }
80117+
80118 return ret;
80119 }
80120
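Review bot: The result of `kernfs_iop_lookup()` is reduced to an error code by `PTR_ERR_OR_ZERO(dentry_ret)` and then dropped. If that lookup can return a valid, referenced dentry other than NULL (its body is not visible here, so this is an assumption to confirm), the reference is leaked on every successful mkdir. Adding `if (!IS_ERR_OR_NULL(dentry_ret)) dput(dentry_ret);` after the `PTR_ERR_OR_ZERO` line would cover that case. A short comment on why mkdir must instantiate the dentry itself would also help, since the lookup now runs after `kernfs_put_active(parent)`.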
80121diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
80122index 7247252..c73808e 100644
80123--- a/fs/kernfs/file.c
80124+++ b/fs/kernfs/file.c
80125@@ -34,7 +34,7 @@ static DEFINE_MUTEX(kernfs_open_file_mutex);
80126
80127 struct kernfs_open_node {
80128 atomic_t refcnt;
80129- atomic_t event;
80130+ atomic_unchecked_t event;
80131 wait_queue_head_t poll;
80132 struct list_head files; /* goes through kernfs_open_file.list */
80133 };
80134@@ -163,7 +163,7 @@ static int kernfs_seq_show(struct seq_file *sf, void *v)
80135 {
80136 struct kernfs_open_file *of = sf->private;
80137
80138- of->event = atomic_read(&of->kn->attr.open->event);
80139+ of->event = atomic_read_unchecked(&of->kn->attr.open->event);
80140
80141 return of->kn->attr.ops->seq_show(sf, v);
80142 }
80143@@ -207,7 +207,7 @@ static ssize_t kernfs_file_direct_read(struct kernfs_open_file *of,
80144 goto out_free;
80145 }
80146
80147- of->event = atomic_read(&of->kn->attr.open->event);
80148+ of->event = atomic_read_unchecked(&of->kn->attr.open->event);
80149 ops = kernfs_ops(of->kn);
80150 if (ops->read)
80151 len = ops->read(of, buf, len, *ppos);
80152@@ -272,7 +272,7 @@ static ssize_t kernfs_fop_write(struct file *file, const char __user *user_buf,
80153 {
80154 struct kernfs_open_file *of = kernfs_of(file);
80155 const struct kernfs_ops *ops;
80156- size_t len;
80157+ ssize_t len;
80158 char *buf;
80159
80160 if (of->atomic_write_len) {
80161@@ -385,12 +385,12 @@ static int kernfs_vma_page_mkwrite(struct vm_area_struct *vma,
80162 return ret;
80163 }
80164
80165-static int kernfs_vma_access(struct vm_area_struct *vma, unsigned long addr,
80166- void *buf, int len, int write)
80167+static ssize_t kernfs_vma_access(struct vm_area_struct *vma, unsigned long addr,
80168+ void *buf, size_t len, int write)
80169 {
80170 struct file *file = vma->vm_file;
80171 struct kernfs_open_file *of = kernfs_of(file);
80172- int ret;
80173+ ssize_t ret;
80174
80175 if (!of->vm_ops)
80176 return -EINVAL;
80177@@ -569,7 +569,7 @@ static int kernfs_get_open_node(struct kernfs_node *kn,
80178 return -ENOMEM;
80179
80180 atomic_set(&new_on->refcnt, 0);
80181- atomic_set(&new_on->event, 1);
80182+ atomic_set_unchecked(&new_on->event, 1);
80183 init_waitqueue_head(&new_on->poll);
80184 INIT_LIST_HEAD(&new_on->files);
80185 goto retry;
80186@@ -792,7 +792,7 @@ static unsigned int kernfs_fop_poll(struct file *filp, poll_table *wait)
80187
80188 kernfs_put_active(kn);
80189
80190- if (of->event != atomic_read(&on->event))
80191+ if (of->event != atomic_read_unchecked(&on->event))
80192 goto trigger;
80193
80194 return DEFAULT_POLLMASK;
80195@@ -823,7 +823,7 @@ repeat:
80196
80197 on = kn->attr.open;
80198 if (on) {
80199- atomic_inc(&on->event);
80200+ atomic_inc_unchecked(&on->event);
80201 wake_up_interruptible(&on->poll);
80202 }
80203
80204diff --git a/fs/libfs.c b/fs/libfs.c
80205index c7cbfb0..fc3636d4 100644
80206--- a/fs/libfs.c
80207+++ b/fs/libfs.c
80208@@ -155,6 +155,9 @@ int dcache_readdir(struct file *file, struct dir_context *ctx)
80209
80210 for (p = q->next; p != &dentry->d_subdirs; p = p->next) {
80211 struct dentry *next = list_entry(p, struct dentry, d_child);
80212+ char d_name[sizeof(next->d_iname)];
80213+ const unsigned char *name;
80214+
80215 spin_lock_nested(&next->d_lock, DENTRY_D_LOCK_NESTED);
80216 if (!simple_positive(next)) {
80217 spin_unlock(&next->d_lock);
80218@@ -163,7 +166,12 @@ int dcache_readdir(struct file *file, struct dir_context *ctx)
80219
80220 spin_unlock(&next->d_lock);
80221 spin_unlock(&dentry->d_lock);
80222- if (!dir_emit(ctx, next->d_name.name, next->d_name.len,
80223+ name = next->d_name.name;
80224+ if (name == next->d_iname) {
80225+ memcpy(d_name, name, next->d_name.len);
80226+ name = d_name;
80227+ }
80228+ if (!dir_emit(ctx, name, next->d_name.len,
80229 d_inode(next)->i_ino, dt_type(d_inode(next))))
80230 return 0;
80231 spin_lock(&dentry->d_lock);
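Review bot: The `memcpy` into `d_name` takes its length from `next->d_name.len` after both `spin_unlock` calls just above, and nothing bounds it by `sizeof(d_name)`. If the name can change concurrently between the `name == next->d_iname` test and the copy (not provable from this hunk), the length and the stack buffer may disagree, and `dir_emit` then reads `next->d_name.len` again. Reading the length once into a local, clamping it with `min_t(size_t, len, sizeof(d_name))`, and passing that local to `dir_emit` would make the snapshot self-consistent; so would taking the copy before `spin_unlock(&next->d_lock)`. A comment such as `/* bounce inline names through the stack; presumably so the copy to user space never reads from the dentry slab */` would also record why the copy exists. The loop body continues outside the hunk.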
80232diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
80233index acd3947..1f896e2 100644
80234--- a/fs/lockd/clntproc.c
80235+++ b/fs/lockd/clntproc.c
80236@@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt_cancel_ops;
80237 /*
80238 * Cookie counter for NLM requests
80239 */
80240-static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
80241+static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
80242
80243 void nlmclnt_next_cookie(struct nlm_cookie *c)
80244 {
80245- u32 cookie = atomic_inc_return(&nlm_cookie);
80246+ u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
80247
80248 memcpy(c->data, &cookie, 4);
80249 c->len=4;
80250diff --git a/fs/mount.h b/fs/mount.h
80251index 14db05d..687f6d8 100644
80252--- a/fs/mount.h
80253+++ b/fs/mount.h
80254@@ -13,7 +13,7 @@ struct mnt_namespace {
80255 u64 seq; /* Sequence number to prevent loops */
80256 wait_queue_head_t poll;
80257 u64 event;
80258-};
80259+} __randomize_layout;
80260
80261 struct mnt_pcp {
80262 int mnt_count;
80263@@ -65,7 +65,7 @@ struct mount {
80264 struct hlist_head mnt_pins;
80265 struct fs_pin mnt_umount;
80266 struct dentry *mnt_ex_mountpoint;
80267-};
80268+} __randomize_layout;
80269
80270 #define MNT_NS_INTERNAL ERR_PTR(-EINVAL) /* distinct from any mnt_namespace */
80271
80272diff --git a/fs/namei.c b/fs/namei.c
80273index 36df481..c3045fd 100644
80274--- a/fs/namei.c
80275+++ b/fs/namei.c
80276@@ -336,17 +336,32 @@ int generic_permission(struct inode *inode, int mask)
80277 if (ret != -EACCES)
80278 return ret;
80279
80280+#ifdef CONFIG_GRKERNSEC
80281+ /* we'll block if we have to log due to a denied capability use */
80282+ if (mask & MAY_NOT_BLOCK)
80283+ return -ECHILD;
80284+#endif
80285+
80286 if (S_ISDIR(inode->i_mode)) {
80287 /* DACs are overridable for directories */
80288- if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
80289- return 0;
80290 if (!(mask & MAY_WRITE))
80291- if (capable_wrt_inode_uidgid(inode,
80292- CAP_DAC_READ_SEARCH))
80293+ if (capable_wrt_inode_uidgid_nolog(inode, CAP_DAC_OVERRIDE) ||
80294+ capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
80295 return 0;
80296+ if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
80297+ return 0;
80298 return -EACCES;
80299 }
80300 /*
80301+ * Searching includes executable on directories, else just read.
80302+ */
80303+ mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
80304+ if (mask == MAY_READ)
80305+ if (capable_wrt_inode_uidgid_nolog(inode, CAP_DAC_OVERRIDE) ||
80306+ capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
80307+ return 0;
80308+
80309+ /*
80310 * Read/write DACs are always overridable.
80311 * Executable DACs are overridable when there is
80312 * at least one exec bit set.
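Review bot: Both new `if (...)` / `if (... || ...) return 0;` chains (the directory branch and the `mask == MAY_READ` case) hang an unbraced multi-line condition under an unbraced `if`, immediately followed by another `if`, which is easy to misread and easy to break in a later edit. Bracing the outer statement, `if (!(mask & MAY_WRITE)) {` ... `}`, keeps the scope obvious. The ordering deserves a comment as well: the `_nolog` variant is tried first, presumably so that a task holding only CAP_DAC_READ_SEARCH does not generate a denied CAP_DAC_OVERRIDE log entry, but that intent is inferred from the names and is not stated in the hunk. Under CONFIG_GRKERNSEC the early `-ECHILD` return sends every DAC-denied RCU-walk lookup to the slow path, so the existing comment could mention that cost.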
80313@@ -355,14 +370,6 @@ int generic_permission(struct inode *inode, int mask)
80314 if (capable_wrt_inode_uidgid(inode, CAP_DAC_OVERRIDE))
80315 return 0;
80316
80317- /*
80318- * Searching includes executable on directories, else just read.
80319- */
80320- mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
80321- if (mask == MAY_READ)
80322- if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
80323- return 0;
80324-
80325 return -EACCES;
80326 }
80327 EXPORT_SYMBOL(generic_permission);
80328@@ -514,12 +521,35 @@ struct nameidata {
80329 struct nameidata *saved;
80330 unsigned root_seq;
80331 int dfd;
80332-};
80333+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80334+ struct path *symlinkown_stack;
80335+ struct path symlinkown_internal[EMBEDDED_LEVELS];
80336+ unsigned symlinkown_depth;
80337+ int symlinkown_enabled;
80338+#endif
80339+} __randomize_layout;
80340+
80341+static int gr_handle_nameidata_symlinkowner(const struct nameidata *nd, const struct inode *target)
80342+{
80343+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80344+ int i;
80345+
80346+ for (i = 0; i < nd->symlinkown_depth; i++) {
80347+ if (gr_handle_symlink_owner(&nd->symlinkown_stack[i], target))
80348+ return -EACCES;
80349+ }
80350+#endif
80351+ return 0;
80352+}
80353
80354 static void set_nameidata(struct nameidata *p, int dfd, struct filename *name)
80355 {
80356 struct nameidata *old = current->nameidata;
80357 p->stack = p->internal;
80358+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80359+ p->symlinkown_stack = p->symlinkown_internal;
80360+ p->symlinkown_enabled = -1;
80361+#endif
80362 p->dfd = dfd;
80363 p->name = name;
80364 p->total_link_count = old ? old->total_link_count : 0;
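Review bot: `gr_handle_nameidata_symlinkowner` compares a signed `int i` against the `unsigned symlinkown_depth` field; declaring the index as `unsigned int i;` removes the mixed-sign comparison. The helper returns `-EACCES`, yet the callers visible in later hunks (path_parentat, lookup_open, do_last) test it as a boolean and assign `-EACCES` again, so either return `bool` or let callers write `err = gr_handle_nameidata_symlinkowner(nd, nd->inode);` directly. A short header comment saying that the function walks the recorded symlink paths and is a no-op without CONFIG_GRKERNSEC_SYMLINKOWN would document the contract. set_nameidata continues outside the hunk.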
80365@@ -538,6 +568,12 @@ static void restore_nameidata(void)
80366 kfree(now->stack);
80367 now->stack = now->internal;
80368 }
80369+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80370+ if (now->symlinkown_stack != now->symlinkown_internal) {
80371+ kfree(now->symlinkown_stack);
80372+ now->symlinkown_stack = now->symlinkown_internal;
80373+ }
80374+#endif
80375 }
80376
80377 static int __nd_alloc_stack(struct nameidata *nd)
80378@@ -557,9 +593,29 @@ static int __nd_alloc_stack(struct nameidata *nd)
80379 }
80380 memcpy(p, nd->internal, sizeof(nd->internal));
80381 nd->stack = p;
80382+
80383 return 0;
80384 }
80385
80386+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80387+static int nd_alloc_symlinkown_stack(struct nameidata *nd)
80388+{
80389+ struct path *p;
80390+
80391+ if (likely(nd->symlinkown_depth != EMBEDDED_LEVELS))
80392+ return 0;
80393+ if (nd->symlinkown_stack != nd->symlinkown_internal)
80394+ return 0;
80395+
80396+ p = kmalloc(MAXSYMLINKS * sizeof(struct path), GFP_KERNEL);
80397+ if (unlikely(!p))
80398+ return -ENOMEM;
80399+ memcpy(p, nd->symlinkown_internal, sizeof(nd->symlinkown_internal));
80400+ nd->symlinkown_stack = p;
80401+ return 0;
80402+}
80403+#endif
80404+
80405 /**
80406 * path_connected - Verify that a path->dentry is below path->mnt.mnt_root
80407 * @path: nameidate to verify
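Review bot: `nd_alloc_symlinkown_stack` depends on two invariants that are not written down: it allocates with `GFP_KERNEL`, so it must never run in RCU-walk mode, and the heap array holds `MAXSYMLINKS` entries while pick_link (later hunk) stores at `nd->symlinkown_stack + nd->symlinkown_depth++` with no bound check of its own. Nothing visible in this patch decrements `symlinkown_depth` during a walk, so the bound has to come from a link-count limit enforced elsewhere, which is outside these hunks and should be confirmed. A comment on the function stating both assumptions would do, or a defensive `if (WARN_ON_ONCE(nd->symlinkown_depth >= MAXSYMLINKS))` before the store in pick_link. `kmalloc_array(MAXSYMLINKS, sizeof(struct path), GFP_KERNEL)` is the usual spelling for this allocation.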
80408@@ -580,6 +636,11 @@ static bool path_connected(const struct path *path)
80409
80410 static inline int nd_alloc_stack(struct nameidata *nd)
80411 {
80412+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80413+ if (nd->flags & LOOKUP_RCU)
80414+ return -ECHILD;
80415+#endif
80416+
80417 if (likely(nd->depth != EMBEDDED_LEVELS))
80418 return 0;
80419 if (likely(nd->stack != nd->internal))
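Review bot: The new `-ECHILD` return drops out of RCU-walk on every call whenever CONFIG_GRKERNSEC_SYMLINKOWN is compiled in, regardless of the runtime switch that pick_link reads through `gr_get_symlinkown_enabled()`. If that switch is cheap to read, testing it here as well would keep the fast path on systems that build the feature but leave it off. Otherwise a comment should explain why the fallback is unconditional, for example `/* symlink-owner tracking takes path references and may allocate: ref-walk only */`. The body of nd_alloc_stack continues outside the hunk.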
80420@@ -608,6 +669,14 @@ static void terminate_walk(struct nameidata *nd)
80421 path_put(&nd->path);
80422 for (i = 0; i < nd->depth; i++)
80423 path_put(&nd->stack[i].link);
80424+
80425+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80426+ /* we'll only ever set our values in ref-walk mode */
80427+ for (i = 0; i < nd->symlinkown_depth; i++)
80428+ path_put(&nd->symlinkown_stack[i]);
80429+ nd->symlinkown_depth = 0;
80430+#endif
80431+
80432 if (nd->root.mnt && !(nd->flags & LOOKUP_ROOT)) {
80433 path_put(&nd->root);
80434 nd->root.mnt = NULL;
80435@@ -1004,6 +1073,9 @@ const char *get_link(struct nameidata *nd)
80436 if (unlikely(error))
80437 return ERR_PTR(error);
80438
80439+ if (gr_handle_follow_link(dentry, last->link.mnt))
80440+ return ERR_PTR(-EACCES);
80441+
80442 nd->last_type = LAST_BIND;
80443 res = inode->i_link;
80444 if (!res) {
80445@@ -1692,6 +1764,23 @@ static int pick_link(struct nameidata *nd, struct path *link,
80446 }
80447 }
80448
80449+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80450+ if (unlikely(nd->symlinkown_enabled == -1))
80451+ nd->symlinkown_enabled = gr_get_symlinkown_enabled();
80452+ if (nd->symlinkown_enabled && gr_is_global_nonroot(inode->i_uid)) {
80453+ struct path *symlinkownlast;
80454+ error = nd_alloc_symlinkown_stack(nd);
80455+ if (unlikely(error)) {
80456+ path_put(link);
80457+ return error;
80458+ }
80459+ symlinkownlast = nd->symlinkown_stack + nd->symlinkown_depth++;
80460+ symlinkownlast->dentry = link->dentry;
80461+ symlinkownlast->mnt = link->mnt;
80462+ path_get(symlinkownlast);
80463+ }
80464+#endif
80465+
80466 last = nd->stack + nd->depth++;
80467 last->link = *link;
80468 last->cookie = NULL;
80469@@ -1831,7 +1920,7 @@ EXPORT_SYMBOL(full_name_hash);
80470 static inline u64 hash_name(const char *name)
80471 {
80472 unsigned long a, b, adata, bdata, mask, hash, len;
80473- const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
80474+ static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
80475
80476 hash = a = 0;
80477 len = -sizeof(unsigned long);
80478@@ -2000,6 +2089,9 @@ static const char *path_init(struct nameidata *nd, unsigned flags)
80479 nd->flags = flags | LOOKUP_JUMPED | LOOKUP_PARENT;
80480 nd->depth = 0;
80481 nd->total_link_count = 0;
80482+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
80483+ nd->symlinkown_depth = 0;
80484+#endif
80485 if (flags & LOOKUP_ROOT) {
80486 struct dentry *root = nd->root.dentry;
80487 struct inode *inode = root->d_inode;
80488@@ -2137,6 +2229,11 @@ static int path_lookupat(struct nameidata *nd, unsigned flags, struct path *path
80489 if (!err)
80490 err = complete_walk(nd);
80491
80492+ if (!err && !(nd->flags & LOOKUP_PARENT)) {
80493+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
80494+ err = -ENOENT;
80495+ }
80496+
80497 if (!err && nd->flags & LOOKUP_DIRECTORY)
80498 if (!d_can_lookup(nd->path.dentry))
80499 err = -ENOTDIR;
80500@@ -2185,6 +2282,10 @@ static int path_parentat(struct nameidata *nd, unsigned flags,
80501 err = link_path_walk(s, nd);
80502 if (!err)
80503 err = complete_walk(nd);
80504+
80505+ if (!err && gr_handle_nameidata_symlinkowner(nd, nd->inode))
80506+ err = -EACCES;
80507+
80508 if (!err) {
80509 *parent = nd->path;
80510 nd->path.mnt = NULL;
80511@@ -2716,6 +2817,13 @@ static int may_open(struct path *path, int acc_mode, int flag)
80512 if (flag & O_NOATIME && !inode_owner_or_capable(inode))
80513 return -EPERM;
80514
80515+ if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode))
80516+ return -EPERM;
80517+ if (gr_handle_rawio(inode))
80518+ return -EPERM;
80519+ if (!gr_acl_handle_open(dentry, path->mnt, acc_mode))
80520+ return -EACCES;
80521+
80522 return 0;
80523 }
80524
80525@@ -2982,6 +3090,18 @@ static int lookup_open(struct nameidata *nd, struct path *path,
80526 /* Negative dentry, just create the file */
80527 if (!dentry->d_inode && (op->open_flag & O_CREAT)) {
80528 umode_t mode = op->mode;
80529+
80530+
80531+ if (gr_handle_nameidata_symlinkowner(nd, dir_inode)) {
80532+ error = -EACCES;
80533+ goto out_dput;
80534+ }
80535+
80536+ if (!gr_acl_handle_creat(dentry, dir, nd->path.mnt, op->open_flag, op->acc_mode, mode)) {
80537+ error = -EACCES;
80538+ goto out_dput;
80539+ }
80540+
80541 if (!IS_POSIXACL(dir->d_inode))
80542 mode &= ~current_umask();
80543 /*
80544@@ -3003,6 +3123,8 @@ static int lookup_open(struct nameidata *nd, struct path *path,
80545 nd->flags & LOOKUP_EXCL);
80546 if (error)
80547 goto out_dput;
80548+ else
80549+ gr_handle_create(dentry, nd->path.mnt);
80550 }
80551 out_no_open:
80552 path->dentry = dentry;
80553@@ -3066,6 +3188,9 @@ static int do_last(struct nameidata *nd,
80554 if (error)
80555 return error;
80556
80557+ if (!gr_acl_handle_hidden_file(dir, nd->path.mnt))
80558+ return -ENOENT;
80559+
80560 audit_inode(nd->name, dir, LOOKUP_PARENT);
80561 /* trailing slashes? */
80562 if (unlikely(nd->last.name[nd->last.len]))
80563@@ -3108,11 +3233,24 @@ retry_lookup:
80564 goto finish_open_created;
80565 }
80566
80567+ if (!gr_acl_handle_hidden_file(path.dentry, nd->path.mnt)) {
80568+ path_to_nameidata(&path, nd);
80569+ return -ENOENT;
80570+ }
80571+
80572 /*
80573 * create/update audit record if it already exists.
80574 */
80575- if (d_is_positive(path.dentry))
80576+ if (d_is_positive(path.dentry)) {
80577+ /* only check if O_CREAT is specified, all other checks need to go
80578+ into may_open */
80579+ if (gr_handle_fifo(path.dentry, path.mnt, dir, open_flag, acc_mode)) {
80580+ path_to_nameidata(&path, nd);
80581+ return -EACCES;
80582+ }
80583+
80584 audit_inode(nd->name, path.dentry, 0);
80585+ }
80586
80587 /*
80588 * If atomic_open() acquired write access it is dropped now due to
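Review bot: Both new early returns in this hunk (the hidden-file `-ENOENT` and the `gr_handle_fifo` `-EACCES`) sit above the context comment saying that write access acquired by atomic_open() "is dropped now", so they leave do_last before that release is reached. If write access can be held at this point, these paths would return without dropping it; the acquisition and the `out:` label are outside the hunk, so this needs confirming against the full function. Routing them through the common exit, `path_to_nameidata(&path, nd); error = -ENOENT; goto out;`, as the finish_open hunk already does with `goto out`, would keep the cleanup in one place. The two-line comment inside the `d_is_positive` block should also use the kernel's multi-line comment layout.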
80589@@ -3148,6 +3286,11 @@ finish_lookup:
80590 if (unlikely(error))
80591 return error;
80592
80593+ if (gr_handle_nameidata_symlinkowner(nd, inode)) {
80594+ path_to_nameidata(&path, nd);
80595+ return -EACCES;
80596+ }
80597+
80598 if (unlikely(d_is_symlink(path.dentry)) && !(open_flag & O_PATH)) {
80599 path_to_nameidata(&path, nd);
80600 return -ELOOP;
80601@@ -3170,6 +3313,12 @@ finish_open:
80602 path_put(&save_parent);
80603 return error;
80604 }
80605+
80606+ if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
80607+ error = -ENOENT;
80608+ goto out;
80609+ }
80610+
80611 audit_inode(nd->name, nd->path.dentry, 0);
80612 error = -EISDIR;
80613 if ((open_flag & O_CREAT) && d_is_dir(nd->path.dentry))
80614@@ -3436,9 +3585,11 @@ static struct dentry *filename_create(int dfd, struct filename *name,
80615 goto unlock;
80616
80617 error = -EEXIST;
80618- if (d_is_positive(dentry))
80619+ if (d_is_positive(dentry)) {
80620+ if (!gr_acl_handle_hidden_file(dentry, path->mnt))
80621+ error = -ENOENT;
80622 goto fail;
80623-
80624+ }
80625 /*
80626 * Special case - lookup gave negative, but... we had foo/bar/
80627 * From the vfs_mknod() POV we just have a negative dentry -
80628@@ -3492,6 +3643,20 @@ inline struct dentry *user_path_create(int dfd, const char __user *pathname,
80629 }
80630 EXPORT_SYMBOL(user_path_create);
80631
80632+static struct dentry *user_path_create_with_name(int dfd, const char __user *pathname, struct path *path, struct filename **to, unsigned int lookup_flags)
80633+{
80634+ struct filename *tmp = getname(pathname);
80635+ struct dentry *res;
80636+ if (IS_ERR(tmp))
80637+ return ERR_CAST(tmp);
80638+ res = kern_path_create(dfd, tmp->name, path, lookup_flags);
80639+ if (IS_ERR(res))
80640+ putname(tmp);
80641+ else
80642+ *to = tmp;
80643+ return res;
80644+}
80645+
80646 int vfs_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
80647 {
80648 int error = may_create(dir, dentry);
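Review bot: `user_path_create_with_name` transfers ownership of the `struct filename` to the caller through `*to` on success and releases it itself on failure, but nothing documents that. A header comment such as `/* On success *to holds the name and the caller must putname() it; on error *to is left untouched. */` would prevent leaks or double releases in future callers. The signature is a single line well past 80 columns and there is no blank line after the declarations; wrapping the parameters the way `user_path_create` just above does would match the file.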
80649@@ -3555,6 +3720,17 @@ retry:
80650
80651 if (!IS_POSIXACL(path.dentry->d_inode))
80652 mode &= ~current_umask();
80653+
80654+ if (gr_handle_chroot_mknod(dentry, path.mnt, mode)) {
80655+ error = -EPERM;
80656+ goto out;
80657+ }
80658+
80659+ if (!gr_acl_handle_mknod(dentry, path.dentry, path.mnt, mode)) {
80660+ error = -EACCES;
80661+ goto out;
80662+ }
80663+
80664 error = security_path_mknod(&path, dentry, mode, dev);
80665 if (error)
80666 goto out;
80667@@ -3570,6 +3746,8 @@ retry:
80668 error = vfs_mknod(path.dentry->d_inode,dentry,mode,0);
80669 break;
80670 }
80671+ if (!error)
80672+ gr_handle_create(dentry, path.mnt);
80673 out:
80674 done_path_create(&path, dentry);
80675 if (retry_estale(error, lookup_flags)) {
80676@@ -3624,9 +3802,16 @@ retry:
80677
80678 if (!IS_POSIXACL(path.dentry->d_inode))
80679 mode &= ~current_umask();
80680+ if (!gr_acl_handle_mkdir(dentry, path.dentry, path.mnt)) {
80681+ error = -EACCES;
80682+ goto out;
80683+ }
80684 error = security_path_mkdir(&path, dentry, mode);
80685 if (!error)
80686 error = vfs_mkdir(path.dentry->d_inode, dentry, mode);
80687+ if (!error)
80688+ gr_handle_create(dentry, path.mnt);
80689+out:
80690 done_path_create(&path, dentry);
80691 if (retry_estale(error, lookup_flags)) {
80692 lookup_flags |= LOOKUP_REVAL;
80693@@ -3659,7 +3844,7 @@ void dentry_unhash(struct dentry *dentry)
80694 {
80695 shrink_dcache_parent(dentry);
80696 spin_lock(&dentry->d_lock);
80697- if (dentry->d_lockref.count == 1)
80698+ if (__lockref_read(&dentry->d_lockref) == 1)
80699 __d_drop(dentry);
80700 spin_unlock(&dentry->d_lock);
80701 }
80702@@ -3712,6 +3897,8 @@ static long do_rmdir(int dfd, const char __user *pathname)
80703 struct path path;
80704 struct qstr last;
80705 int type;
80706+ u64 saved_ino = 0;
80707+ dev_t saved_dev = 0;
80708 unsigned int lookup_flags = 0;
80709 retry:
80710 name = user_path_parent(dfd, pathname,
80711@@ -3744,10 +3931,20 @@ retry:
80712 error = -ENOENT;
80713 goto exit3;
80714 }
80715+ saved_ino = gr_get_ino_from_dentry(dentry);
80716+ saved_dev = gr_get_dev_from_dentry(dentry);
80717+
80718+ if (!gr_acl_handle_rmdir(dentry, path.mnt)) {
80719+ error = -EACCES;
80720+ goto exit3;
80721+ }
80722+
80723 error = security_path_rmdir(&path, dentry);
80724 if (error)
80725 goto exit3;
80726 error = vfs_rmdir(path.dentry->d_inode, dentry);
80727+ if (!error && (saved_dev || saved_ino))
80728+ gr_handle_delete(saved_ino, saved_dev);
80729 exit3:
80730 dput(dentry);
80731 exit2:
80732@@ -3842,6 +4039,8 @@ static long do_unlinkat(int dfd, const char __user *pathname)
80733 int type;
80734 struct inode *inode = NULL;
80735 struct inode *delegated_inode = NULL;
80736+ u64 saved_ino = 0;
80737+ dev_t saved_dev = 0;
80738 unsigned int lookup_flags = 0;
80739 retry:
80740 name = user_path_parent(dfd, pathname,
80741@@ -3868,10 +4067,21 @@ retry_deleg:
80742 if (d_is_negative(dentry))
80743 goto slashes;
80744 ihold(inode);
80745+ if (inode->i_nlink <= 1) {
80746+ saved_ino = gr_get_ino_from_dentry(dentry);
80747+ saved_dev = gr_get_dev_from_dentry(dentry);
80748+ }
80749+ if (!gr_acl_handle_unlink(dentry, path.mnt)) {
80750+ error = -EACCES;
80751+ goto exit2;
80752+ }
80753+
80754 error = security_path_unlink(&path, dentry);
80755 if (error)
80756 goto exit2;
80757 error = vfs_unlink(path.dentry->d_inode, dentry, &delegated_inode);
80758+ if (!error && (saved_ino || saved_dev))
80759+ gr_handle_delete(saved_ino, saved_dev);
80760 exit2:
80761 dput(dentry);
80762 }
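Review bot: `saved_ino` and `saved_dev` are initialised once at their declaration, above the `retry:` label, but here they are assigned only when `inode->i_nlink <= 1`, so a value captured on one pass survives into a later pass through `retry_deleg`/`retry`. If the link count has grown in between, `gr_handle_delete` would be called after a successful unlink for an inode that still exists. Clearing both before the `i_nlink` test, `saved_ino = 0; saved_dev = 0;`, avoids the stale state. The do_rmdir hunk assigns them unconditionally on each pass and is not affected.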
80763@@ -3960,9 +4170,17 @@ retry:
80764 if (IS_ERR(dentry))
80765 goto out_putname;
80766
80767+ if (!gr_acl_handle_symlink(dentry, path.dentry, path.mnt, from)) {
80768+ error = -EACCES;
80769+ goto out;
80770+ }
80771+
80772 error = security_path_symlink(&path, dentry, from->name);
80773 if (!error)
80774 error = vfs_symlink(path.dentry->d_inode, dentry, from->name);
80775+ if (!error)
80776+ gr_handle_create(dentry, path.mnt);
80777+out:
80778 done_path_create(&path, dentry);
80779 if (retry_estale(error, lookup_flags)) {
80780 lookup_flags |= LOOKUP_REVAL;
80781@@ -4066,6 +4284,7 @@ SYSCALL_DEFINE5(linkat, int, olddfd, const char __user *, oldname,
80782 struct dentry *new_dentry;
80783 struct path old_path, new_path;
80784 struct inode *delegated_inode = NULL;
80785+ struct filename *to = NULL;
80786 int how = 0;
80787 int error;
80788
80789@@ -4089,7 +4308,7 @@ retry:
80790 if (error)
80791 return error;
80792
80793- new_dentry = user_path_create(newdfd, newname, &new_path,
80794+ new_dentry = user_path_create_with_name(newdfd, newname, &new_path, &to,
80795 (how & LOOKUP_REVAL));
80796 error = PTR_ERR(new_dentry);
80797 if (IS_ERR(new_dentry))
80798@@ -4101,11 +4320,26 @@ retry:
80799 error = may_linkat(&old_path);
80800 if (unlikely(error))
80801 goto out_dput;
80802+
80803+ if (gr_handle_hardlink(old_path.dentry, old_path.mnt, to)) {
80804+ error = -EACCES;
80805+ goto out_dput;
80806+ }
80807+
80808+ if (!gr_acl_handle_link(new_dentry, new_path.dentry, new_path.mnt,
80809+ old_path.dentry, old_path.mnt, to)) {
80810+ error = -EACCES;
80811+ goto out_dput;
80812+ }
80813+
80814 error = security_path_link(old_path.dentry, &new_path, new_dentry);
80815 if (error)
80816 goto out_dput;
80817 error = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry, &delegated_inode);
80818+ if (!error)
80819+ gr_handle_create(new_dentry, new_path.mnt);
80820 out_dput:
80821+ putname(to);
80822 done_path_create(&new_path, new_dentry);
80823 if (delegated_inode) {
80824 error = break_deleg_wait(&delegated_inode);
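Review bot: `putname(to)` at `out_dput` releases the name but leaves `to` pointing at it, and the function has a `retry:` label (named in the previous hunk header) that is presumably reached from below this hunk. user_path_create_with_name writes `*to` only on success, so after a failed second attempt `to` would still hold the released pointer. Nothing visible dereferences it on that path, but adding `to = NULL;` right after the `putname(to);` makes that safe by construction rather than by control flow. The retry jumps themselves are outside the hunk.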
80825@@ -4420,6 +4654,20 @@ retry_deleg:
80826 if (new_dentry == trap)
80827 goto exit5;
80828
80829+ if (gr_bad_chroot_rename(old_dentry, old_path.mnt, new_dentry, new_path.mnt)) {
80830+ /* use EXDEV error to cause 'mv' to switch to an alternative
80831+ * method for usability
80832+ */
80833+ error = -EXDEV;
80834+ goto exit5;
80835+ }
80836+
80837+ error = gr_acl_handle_rename(new_dentry, new_path.dentry, new_path.mnt,
80838+ old_dentry, d_backing_inode(old_path.dentry), old_path.mnt,
80839+ to, flags);
80840+ if (error)
80841+ goto exit5;
80842+
80843 error = security_path_rename(&old_path, old_dentry,
80844 &new_path, new_dentry, flags);
80845 if (error)
80846@@ -4427,6 +4675,9 @@ retry_deleg:
80847 error = vfs_rename(old_path.dentry->d_inode, old_dentry,
80848 new_path.dentry->d_inode, new_dentry,
80849 &delegated_inode, flags);
80850+ if (!error)
80851+ gr_handle_rename(d_backing_inode(old_path.dentry), d_backing_inode(new_path.dentry), old_dentry,
80852+ new_dentry, old_path.mnt, d_is_positive(new_dentry) ? 1 : 0, flags);
80853 exit5:
80854 dput(new_dentry);
80855 exit4:
80856@@ -4483,14 +4734,24 @@ EXPORT_SYMBOL(vfs_whiteout);
80857
80858 int readlink_copy(char __user *buffer, int buflen, const char *link)
80859 {
80860+ char tmpbuf[64];
80861+ const char *newlink;
80862 int len = PTR_ERR(link);
80863+
80864 if (IS_ERR(link))
80865 goto out;
80866
80867 len = strlen(link);
80868 if (len > (unsigned) buflen)
80869 len = buflen;
80870- if (copy_to_user(buffer, link, len))
80871+
80872+ if (len < sizeof(tmpbuf)) {
80873+ memcpy(tmpbuf, link, len);
80874+ newlink = tmpbuf;
80875+ } else
80876+ newlink = link;
80877+
80878+ if (copy_to_user(buffer, newlink, len))
80879 len = -EFAULT;
80880 out:
80881 return len;
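Review bot: The 64-byte `tmpbuf` bounce copy has no comment, and why short links go through the stack while longer ones are copied from `link` directly cannot be read from the code. A line such as `/* short names may live inside a larger object; copy them out before copy_to_user */` would help if that is the intent, which is an inference here, together with a named constant instead of the bare 64. `len < sizeof(tmpbuf)` compares an `int` with a `size_t`; `len` is non-negative at that point, but `(size_t)len < sizeof(tmpbuf)` says so explicitly. The `else` arm should carry braces because the `if` arm does.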
80882diff --git a/fs/namespace.c b/fs/namespace.c
80883index 2b8aa15..3230081 100644
80884--- a/fs/namespace.c
80885+++ b/fs/namespace.c
80886@@ -1516,6 +1516,9 @@ static int do_umount(struct mount *mnt, int flags)
80887 if (!(sb->s_flags & MS_RDONLY))
80888 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
80889 up_write(&sb->s_umount);
80890+
80891+ gr_log_remount(mnt->mnt_devname, retval);
80892+
80893 return retval;
80894 }
80895
80896@@ -1538,6 +1541,9 @@ static int do_umount(struct mount *mnt, int flags)
80897 }
80898 unlock_mount_hash();
80899 namespace_unlock();
80900+
80901+ gr_log_unmount(mnt->mnt_devname, retval);
80902+
80903 return retval;
80904 }
80905
80906@@ -1592,7 +1598,7 @@ static inline bool may_mount(void)
80907 * unixes. Our API is identical to OSF/1 to avoid making a mess of AMD
80908 */
80909
80910-SYSCALL_DEFINE2(umount, char __user *, name, int, flags)
80911+SYSCALL_DEFINE2(umount, const char __user *, name, int, flags)
80912 {
80913 struct path path;
80914 struct mount *mnt;
80915@@ -1637,7 +1643,7 @@ out:
80916 /*
80917 * The 2.0 compatible umount. No flags.
80918 */
80919-SYSCALL_DEFINE1(oldumount, char __user *, name)
80920+SYSCALL_DEFINE1(oldumount, const char __user *, name)
80921 {
80922 return sys_umount(name, 0);
80923 }
80924@@ -2712,6 +2718,16 @@ long do_mount(const char *dev_name, const char __user *dir_name,
80925 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
80926 MS_STRICTATIME);
80927
80928+ if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
80929+ retval = -EPERM;
80930+ goto dput_out;
80931+ }
80932+
80933+ if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
80934+ retval = -EPERM;
80935+ goto dput_out;
80936+ }
80937+
80938 if (flags & MS_REMOUNT)
80939 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
80940 data_page);
80941@@ -2725,7 +2741,10 @@ long do_mount(const char *dev_name, const char __user *dir_name,
80942 retval = do_new_mount(&path, type_page, flags, mnt_flags,
80943 dev_name, data_page);
80944 dput_out:
80945+ gr_log_mount(dev_name, &path, retval);
80946+
80947 path_put(&path);
80948+
80949 return retval;
80950 }
80951
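Review bot: `gr_log_mount(dev_name, &path, retval)` at `dput_out` runs for every exit through that label, including the two `-EPERM` denials added in the previous hunk, and passes `dev_name` to the logger unchecked. If do_mount can be entered with a NULL device name (its callers are not in this hunk), the helper has to tolerate that. Because the string originates from the mount caller, it should also be bounded and escaped before it reaches the log. Both properties live in code outside this page, so a comment at the call site stating what gr_log_mount guarantees would be useful.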
80952@@ -2743,7 +2762,7 @@ static void free_mnt_ns(struct mnt_namespace *ns)
80953 * number incrementing at 10Ghz will take 12,427 years to wrap which
80954 * is effectively never, so we can ignore the possibility.
80955 */
80956-static atomic64_t mnt_ns_seq = ATOMIC64_INIT(1);
80957+static atomic64_unchecked_t mnt_ns_seq = ATOMIC64_INIT(1);
80958
80959 static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
80960 {
80961@@ -2759,7 +2778,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
80962 return ERR_PTR(ret);
80963 }
80964 new_ns->ns.ops = &mntns_operations;
80965- new_ns->seq = atomic64_add_return(1, &mnt_ns_seq);
80966+ new_ns->seq = atomic64_add_return_unchecked(1, &mnt_ns_seq);
80967 atomic_set(&new_ns->count, 1);
80968 new_ns->root = NULL;
80969 INIT_LIST_HEAD(&new_ns->list);
80970@@ -2769,7 +2788,7 @@ static struct mnt_namespace *alloc_mnt_ns(struct user_namespace *user_ns)
80971 return new_ns;
80972 }
80973
80974-struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns,
80975+__latent_entropy struct mnt_namespace *copy_mnt_ns(unsigned long flags, struct mnt_namespace *ns,
80976 struct user_namespace *user_ns, struct fs_struct *new_fs)
80977 {
80978 struct mnt_namespace *new_ns;
80979@@ -2890,8 +2909,8 @@ struct dentry *mount_subtree(struct vfsmount *mnt, const char *name)
80980 }
80981 EXPORT_SYMBOL(mount_subtree);
80982
80983-SYSCALL_DEFINE5(mount, char __user *, dev_name, char __user *, dir_name,
80984- char __user *, type, unsigned long, flags, void __user *, data)
80985+SYSCALL_DEFINE5(mount, const char __user *, dev_name, const char __user *, dir_name,
80986+ const char __user *, type, unsigned long, flags, void __user *, data)
80987 {
80988 int ret;
80989 char *kernel_type;
80990@@ -2997,6 +3016,11 @@ SYSCALL_DEFINE2(pivot_root, const char __user *, new_root,
80991 if (error)
80992 goto out2;
80993
80994+ if (gr_handle_chroot_pivot()) {
80995+ error = -EPERM;
80996+ goto out2;
80997+ }
80998+
80999 get_fs_root(current->fs, &root);
81000 old_mp = lock_mount(&old);
81001 error = PTR_ERR(old_mp);
81002@@ -3298,7 +3322,7 @@ static int mntns_install(struct nsproxy *nsproxy, struct ns_common *ns)
81003 !ns_capable(current_user_ns(), CAP_SYS_ADMIN))
81004 return -EPERM;
81005
81006- if (fs->users != 1)
81007+ if (atomic_read(&fs->users) != 1)
81008 return -EINVAL;
81009
81010 get_mnt_ns(mnt_ns);
81011diff --git a/fs/nfs/callback_xdr.c b/fs/nfs/callback_xdr.c
81012index 6b1697a..6d5787c 100644
81013--- a/fs/nfs/callback_xdr.c
81014+++ b/fs/nfs/callback_xdr.c
81015@@ -51,7 +51,7 @@ struct callback_op {
81016 callback_decode_arg_t decode_args;
81017 callback_encode_res_t encode_res;
81018 long res_maxsize;
81019-};
81020+} __do_const;
81021
81022 static struct callback_op callback_ops[];
81023
81024diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
81025index 4afbe13..a6a26ce 100644
81026--- a/fs/nfs/inode.c
81027+++ b/fs/nfs/inode.c
81028@@ -1273,16 +1273,16 @@ static int nfs_check_inode_attributes(struct inode *inode, struct nfs_fattr *fat
81029 return 0;
81030 }
81031
81032-static atomic_long_t nfs_attr_generation_counter;
81033+static atomic_long_unchecked_t nfs_attr_generation_counter;
81034
81035 static unsigned long nfs_read_attr_generation_counter(void)
81036 {
81037- return atomic_long_read(&nfs_attr_generation_counter);
81038+ return atomic_long_read_unchecked(&nfs_attr_generation_counter);
81039 }
81040
81041 unsigned long nfs_inc_attr_generation_counter(void)
81042 {
81043- return atomic_long_inc_return(&nfs_attr_generation_counter);
81044+ return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
81045 }
81046 EXPORT_SYMBOL_GPL(nfs_inc_attr_generation_counter);
81047
81048diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c
81049index 90cfda7..e4b50df 100644
81050--- a/fs/nfsd/nfs4proc.c
81051+++ b/fs/nfsd/nfs4proc.c
81052@@ -1487,7 +1487,7 @@ struct nfsd4_operation {
81053 nfsd4op_rsize op_rsize_bop;
81054 stateid_getter op_get_currentstateid;
81055 stateid_setter op_set_currentstateid;
81056-};
81057+} __do_const;
81058
81059 static struct nfsd4_operation nfsd4_ops[];
81060
81061diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c
81062index b81f725..8e36601 100644
81063--- a/fs/nfsd/nfs4xdr.c
81064+++ b/fs/nfsd/nfs4xdr.c
81065@@ -1704,7 +1704,7 @@ nfsd4_decode_notsupp(struct nfsd4_compoundargs *argp, void *p)
81066
81067 typedef __be32(*nfsd4_dec)(struct nfsd4_compoundargs *argp, void *);
81068
81069-static nfsd4_dec nfsd4_dec_ops[] = {
81070+static const nfsd4_dec nfsd4_dec_ops[] = {
81071 [OP_ACCESS] = (nfsd4_dec)nfsd4_decode_access,
81072 [OP_CLOSE] = (nfsd4_dec)nfsd4_decode_close,
81073 [OP_COMMIT] = (nfsd4_dec)nfsd4_decode_commit,
81074diff --git a/fs/nfsd/nfscache.c b/fs/nfsd/nfscache.c
81075index 46ec934..f384e41 100644
81076--- a/fs/nfsd/nfscache.c
81077+++ b/fs/nfsd/nfscache.c
81078@@ -541,7 +541,7 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
81079 struct kvec *resv = &rqstp->rq_res.head[0], *cachv;
81080 u32 hash;
81081 struct nfsd_drc_bucket *b;
81082- int len;
81083+ long len;
81084 size_t bufsize = 0;
81085
81086 if (!rp)
81087@@ -550,11 +550,14 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
81088 hash = nfsd_cache_hash(rp->c_xid);
81089 b = &drc_hashtbl[hash];
81090
81091- len = resv->iov_len - ((char*)statp - (char*)resv->iov_base);
81092- len >>= 2;
81093+ if (statp) {
81094+ len = (char*)statp - (char*)resv->iov_base;
81095+ len = resv->iov_len - len;
81096+ len >>= 2;
81097+ }
81098
81099 /* Don't cache excessive amounts of data and XDR failures */
81100- if (!statp || len > (256 >> 2)) {
81101+ if (!statp || len > (256 >> 2) || len < 0) {
81102 nfsd_reply_cache_free(b, rp);
81103 return;
81104 }
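Review bot: `len` is now assigned only inside `if (statp)` and then read in `!statp || len > (256 >> 2) || len < 0`, which is safe only because `!statp` short-circuits first. Initialising it in the declaration hunk above, `long len = 0;`, removes the dependence on operand order and avoids maybe-uninitialised warnings. The negative test also comes after `len >>= 2`, and right-shifting a negative signed value is implementation-defined in C, so checking `len < 0` before the shift is cleaner. nfsd_cache_update begins and ends outside these hunks.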
81105@@ -562,7 +565,7 @@ nfsd_cache_update(struct svc_rqst *rqstp, int cachetype, __be32 *statp)
81106 switch (cachetype) {
81107 case RC_REPLSTAT:
81108 if (len != 1)
81109- printk("nfsd: RC_REPLSTAT/reply len %d!\n",len);
81110+ printk("nfsd: RC_REPLSTAT/reply len %ld!\n",len);
81111 rp->c_replstat = *statp;
81112 break;
81113 case RC_REPLBUFF:
81114diff --git a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
81115index b5e077a..50cf549 100644
81116--- a/fs/nfsd/vfs.c
81117+++ b/fs/nfsd/vfs.c
81118@@ -855,7 +855,7 @@ __be32 nfsd_readv(struct file *file, loff_t offset, struct kvec *vec, int vlen,
81119
81120 oldfs = get_fs();
81121 set_fs(KERNEL_DS);
81122- host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
81123+ host_err = vfs_readv(file, (struct iovec __force_user *)vec, vlen, &offset);
81124 set_fs(oldfs);
81125 return nfsd_finish_read(file, count, host_err);
81126 }
81127@@ -942,7 +942,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, struct svc_fh *fhp, struct file *file,
81128
81129 /* Write the data. */
81130 oldfs = get_fs(); set_fs(KERNEL_DS);
81131- host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &pos);
81132+ host_err = vfs_writev(file, (struct iovec __force_user *)vec, vlen, &pos);
81133 set_fs(oldfs);
81134 if (host_err < 0)
81135 goto out_nfserr;
81136@@ -1455,7 +1455,7 @@ nfsd_readlink(struct svc_rqst *rqstp, struct svc_fh *fhp, char *buf, int *lenp)
81137 */
81138
81139 oldfs = get_fs(); set_fs(KERNEL_DS);
81140- host_err = inode->i_op->readlink(path.dentry, (char __user *)buf, *lenp);
81141+ host_err = inode->i_op->readlink(path.dentry, (char __force_user *)buf, *lenp);
81142 set_fs(oldfs);
81143
81144 if (host_err < 0)
81145diff --git a/fs/nls/nls_base.c b/fs/nls/nls_base.c
81146index 52ccd34..7a6b202 100644
81147--- a/fs/nls/nls_base.c
81148+++ b/fs/nls/nls_base.c
81149@@ -234,21 +234,25 @@ EXPORT_SYMBOL(utf16s_to_utf8s);
81150
81151 int __register_nls(struct nls_table *nls, struct module *owner)
81152 {
81153- struct nls_table ** tmp = &tables;
81154+ struct nls_table *tmp = tables;
81155
81156 if (nls->next)
81157 return -EBUSY;
81158
81159- nls->owner = owner;
81160+ pax_open_kernel();
81161+ *(void **)&nls->owner = owner;
81162+ pax_close_kernel();
81163 spin_lock(&nls_lock);
81164- while (*tmp) {
81165- if (nls == *tmp) {
81166+ while (tmp) {
81167+ if (nls == tmp) {
81168 spin_unlock(&nls_lock);
81169 return -EBUSY;
81170 }
81171- tmp = &(*tmp)->next;
81172+ tmp = tmp->next;
81173 }
81174- nls->next = tables;
81175+ pax_open_kernel();
81176+ *(struct nls_table **)&nls->next = tables;
81177+ pax_close_kernel();
81178 tables = nls;
81179 spin_unlock(&nls_lock);
81180 return 0;
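Review bot: The writes through `*(void **)&nls->owner` and `*(struct nls_table **)&nls->next` cast around the declared type of fields that are presumably made read-only elsewhere in this patch, and the same open/cast/close pattern recurs in unregister_nls and in the nls_euc-jp.c and nls_koi8-ru.c hunks below without explanation. A comment at the first site, e.g. `/* nls_table is read-only after init; open a write window for registration */`, or a small helper wrapping the three lines, would make the intent and the extent of each window clear. `nls->owner` is written before `nls_lock` is taken and before the duplicate check, so a table rejected with `-EBUSY` inside the loop has already had its owner changed. The removed lines show that ordering predates this change, but it is worth reconsidering now that the store needs a write window.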
81181@@ -257,12 +261,14 @@ EXPORT_SYMBOL(__register_nls);
81182
81183 int unregister_nls(struct nls_table * nls)
81184 {
81185- struct nls_table ** tmp = &tables;
81186+ struct nls_table * const * tmp = &tables;
81187
81188 spin_lock(&nls_lock);
81189 while (*tmp) {
81190 if (nls == *tmp) {
81191- *tmp = nls->next;
81192+ pax_open_kernel();
81193+ *(struct nls_table **)tmp = nls->next;
81194+ pax_close_kernel();
81195 spin_unlock(&nls_lock);
81196 return 0;
81197 }
81198@@ -272,7 +278,7 @@ int unregister_nls(struct nls_table * nls)
81199 return -EINVAL;
81200 }
81201
81202-static struct nls_table *find_nls(char *charset)
81203+static struct nls_table *find_nls(const char *charset)
81204 {
81205 struct nls_table *nls;
81206 spin_lock(&nls_lock);
81207@@ -288,7 +294,7 @@ static struct nls_table *find_nls(char *charset)
81208 return nls;
81209 }
81210
81211-struct nls_table *load_nls(char *charset)
81212+struct nls_table *load_nls(const char *charset)
81213 {
81214 return try_then_request_module(find_nls(charset), "nls_%s", charset);
81215 }
81216diff --git a/fs/nls/nls_euc-jp.c b/fs/nls/nls_euc-jp.c
81217index 162b3f1..6076a7c 100644
81218--- a/fs/nls/nls_euc-jp.c
81219+++ b/fs/nls/nls_euc-jp.c
81220@@ -560,8 +560,10 @@ static int __init init_nls_euc_jp(void)
81221 p_nls = load_nls("cp932");
81222
81223 if (p_nls) {
81224- table.charset2upper = p_nls->charset2upper;
81225- table.charset2lower = p_nls->charset2lower;
81226+ pax_open_kernel();
81227+ *(const unsigned char **)&table.charset2upper = p_nls->charset2upper;
81228+ *(const unsigned char **)&table.charset2lower = p_nls->charset2lower;
81229+ pax_close_kernel();
81230 return register_nls(&table);
81231 }
81232
81233diff --git a/fs/nls/nls_koi8-ru.c b/fs/nls/nls_koi8-ru.c
81234index a80a741..7b96e1b 100644
81235--- a/fs/nls/nls_koi8-ru.c
81236+++ b/fs/nls/nls_koi8-ru.c
81237@@ -62,8 +62,10 @@ static int __init init_nls_koi8_ru(void)
81238 p_nls = load_nls("koi8-u");
81239
81240 if (p_nls) {
81241- table.charset2upper = p_nls->charset2upper;
81242- table.charset2lower = p_nls->charset2lower;
81243+ pax_open_kernel();
81244+ *(const unsigned char **)&table.charset2upper = p_nls->charset2upper;
81245+ *(const unsigned char **)&table.charset2lower = p_nls->charset2lower;
81246+ pax_close_kernel();
81247 return register_nls(&table);
81248 }
81249
81250diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
81251index cf27550..6c70f29d 100644
81252--- a/fs/notify/fanotify/fanotify_user.c
81253+++ b/fs/notify/fanotify/fanotify_user.c
81254@@ -216,8 +216,8 @@ static ssize_t copy_event_to_user(struct fsnotify_group *group,
81255
81256 fd = fanotify_event_metadata.fd;
81257 ret = -EFAULT;
81258- if (copy_to_user(buf, &fanotify_event_metadata,
81259- fanotify_event_metadata.event_len))
81260+ if (fanotify_event_metadata.event_len > sizeof fanotify_event_metadata ||
81261+ copy_to_user(buf, &fanotify_event_metadata, fanotify_event_metadata.event_len))
81262 goto out_close_fd;
81263
81264 #ifdef CONFIG_FANOTIFY_ACCESS_PERMISSIONS
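Review bot: The new length guard in copy_event_to_user shares the -EFAULT path with copy_to_user, so an `event_len` larger than the metadata struct is reported to user space as a bad buffer and leaves nothing in the log. Writing the test as `WARN_ON_ONCE(fanotify_event_metadata.event_len > sizeof(fanotify_event_metadata))` would keep the over-read protection and make the invariant violation visible to whoever triages it. The parenthesised `sizeof(...)` form also matches the style used elsewhere in the kernel. The function starts and ends outside the hunk.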
81265diff --git a/fs/notify/notification.c b/fs/notify/notification.c
81266index a95d8e0..a91a5fd 100644
81267--- a/fs/notify/notification.c
81268+++ b/fs/notify/notification.c
81269@@ -48,7 +48,7 @@
81270 #include <linux/fsnotify_backend.h>
81271 #include "fsnotify.h"
81272
81273-static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
81274+static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
81275
81276 /**
81277 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
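Review bot: The switch of `fsnotify_sync_cookie` to `atomic_unchecked_t` carries no comment explaining why this counter is exempt from overflow checking, and the same applies to the `atomic_inc_return_unchecked()` call in the next hunk. The value is returned as a `u32` cookie, so wrapping looks intentional and harmless here. Recording that above the declaration, for example `/* cookie generator, not a reference count: wrap-around is expected */`, would stop a later reader from converting it back.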
81278@@ -56,7 +56,7 @@ static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
81279 */
81280 u32 fsnotify_get_cookie(void)
81281 {
81282- return atomic_inc_return(&fsnotify_sync_cookie);
81283+ return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
81284 }
81285 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
81286
81287diff --git a/fs/ntfs/dir.c b/fs/ntfs/dir.c
81288index 9e38daf..5727cae 100644
81289--- a/fs/ntfs/dir.c
81290+++ b/fs/ntfs/dir.c
81291@@ -1310,7 +1310,7 @@ find_next_index_buffer:
81292 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
81293 ~(s64)(ndir->itype.index.block_size - 1)));
81294 /* Bounds checks. */
81295- if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
81296+ if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
81297 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
81298 "inode 0x%lx or driver bug.", vdir->i_ino);
81299 goto err_out;
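Review bot: The added `!kaddr` test runs only after `ia` has been derived from `kaddr` in the statement just above, and a NULL mapping is then reported with the "Out of bounds check failed. Corrupt directory inode" text, which blames on-disk data for what would be a mapping failure. Testing `kaddr` at the point where it is assigned (outside this hunk) with its own message would avoid pointer arithmetic on NULL and give an accurate diagnostic. If the combined test is kept, the `/* Bounds checks. */` comment could become `/* NULL mapping and bounds checks. */`. The enclosing function extends well beyond the hunk in both directions.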
81300diff --git a/fs/ntfs/super.c b/fs/ntfs/super.c
81301index 9e1e112..241a52a 100644
81302--- a/fs/ntfs/super.c
81303+++ b/fs/ntfs/super.c
81304@@ -688,7 +688,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
81305 if (!silent)
81306 ntfs_error(sb, "Primary boot sector is invalid.");
81307 } else if (!silent)
81308- ntfs_error(sb, read_err_str, "primary");
81309+ ntfs_error(sb, read_err_str, "%s", "primary");
81310 if (!(NTFS_SB(sb)->on_errors & ON_ERRORS_RECOVER)) {
81311 if (bh_primary)
81312 brelse(bh_primary);
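Review bot: The rewritten call `ntfs_error(sb, read_err_str, "%s", "primary")` still passes `read_err_str` as the format, so the inserted `"%s"` becomes the first variadic argument rather than a format. If `read_err_str` holds one `%s` conversion, as the removed single-argument call implies (its definition is outside the hunk), the log line will contain a literal "%s" and the word "primary" is never consumed. The two later hunks that pass `"backup"` have the same problem. Keeping `ntfs_error(sb, read_err_str, "primary");` and declaring `read_err_str` as a `static const char []` array, or spelling the format as a string literal at each call site, would satisfy a format-security check without changing the message.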
81313@@ -704,7 +704,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
81314 goto hotfix_primary_boot_sector;
81315 brelse(bh_backup);
81316 } else if (!silent)
81317- ntfs_error(sb, read_err_str, "backup");
81318+ ntfs_error(sb, read_err_str, "%s", "backup");
81319 /* Try to read NT3.51- backup boot sector. */
81320 if ((bh_backup = sb_bread(sb, nr_blocks >> 1))) {
81321 if (is_boot_sector_ntfs(sb, (NTFS_BOOT_SECTOR*)
81322@@ -715,7 +715,7 @@ static struct buffer_head *read_ntfs_boot_sector(struct super_block *sb,
81323 "sector.");
81324 brelse(bh_backup);
81325 } else if (!silent)
81326- ntfs_error(sb, read_err_str, "backup");
81327+ ntfs_error(sb, read_err_str, "%s", "backup");
81328 /* We failed. Cleanup and return. */
81329 if (bh_primary)
81330 brelse(bh_primary);
81331diff --git a/fs/ocfs2/localalloc.c b/fs/ocfs2/localalloc.c
81332index 857bbbc..3c47d15 100644
81333--- a/fs/ocfs2/localalloc.c
81334+++ b/fs/ocfs2/localalloc.c
81335@@ -1320,7 +1320,7 @@ static int ocfs2_local_alloc_slide_window(struct ocfs2_super *osb,
81336 goto bail;
81337 }
81338
81339- atomic_inc(&osb->alloc_stats.moves);
81340+ atomic_inc_unchecked(&osb->alloc_stats.moves);
81341
81342 bail:
81343 if (handle)
81344diff --git a/fs/ocfs2/ocfs2.h b/fs/ocfs2/ocfs2.h
81345index 690ddc6..f2d4c4d 100644
81346--- a/fs/ocfs2/ocfs2.h
81347+++ b/fs/ocfs2/ocfs2.h
81348@@ -247,11 +247,11 @@ enum ocfs2_vol_state
81349
81350 struct ocfs2_alloc_stats
81351 {
81352- atomic_t moves;
81353- atomic_t local_data;
81354- atomic_t bitmap_data;
81355- atomic_t bg_allocs;
81356- atomic_t bg_extends;
81357+ atomic_unchecked_t moves;
81358+ atomic_unchecked_t local_data;
81359+ atomic_unchecked_t bitmap_data;
81360+ atomic_unchecked_t bg_allocs;
81361+ atomic_unchecked_t bg_extends;
81362 };
81363
81364 enum ocfs2_local_alloc_state
81365diff --git a/fs/ocfs2/suballoc.c b/fs/ocfs2/suballoc.c
81366index 4479029..5de740b 100644
81367--- a/fs/ocfs2/suballoc.c
81368+++ b/fs/ocfs2/suballoc.c
81369@@ -867,7 +867,7 @@ static int ocfs2_reserve_suballoc_bits(struct ocfs2_super *osb,
81370 mlog_errno(status);
81371 goto bail;
81372 }
81373- atomic_inc(&osb->alloc_stats.bg_extends);
81374+ atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
81375
81376 /* You should never ask for this much metadata */
81377 BUG_ON(bits_wanted >
81378@@ -2014,7 +2014,7 @@ int ocfs2_claim_metadata(handle_t *handle,
81379 mlog_errno(status);
81380 goto bail;
81381 }
81382- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81383+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81384
81385 *suballoc_loc = res.sr_bg_blkno;
81386 *suballoc_bit_start = res.sr_bit_offset;
81387@@ -2180,7 +2180,7 @@ int ocfs2_claim_new_inode_at_loc(handle_t *handle,
81388 trace_ocfs2_claim_new_inode_at_loc((unsigned long long)di_blkno,
81389 res->sr_bits);
81390
81391- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81392+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81393
81394 BUG_ON(res->sr_bits != 1);
81395
81396@@ -2222,7 +2222,7 @@ int ocfs2_claim_new_inode(handle_t *handle,
81397 mlog_errno(status);
81398 goto bail;
81399 }
81400- atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81401+ atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
81402
81403 BUG_ON(res.sr_bits != 1);
81404
81405@@ -2326,7 +2326,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
81406 cluster_start,
81407 num_clusters);
81408 if (!status)
81409- atomic_inc(&osb->alloc_stats.local_data);
81410+ atomic_inc_unchecked(&osb->alloc_stats.local_data);
81411 } else {
81412 if (min_clusters > (osb->bitmap_cpg - 1)) {
81413 /* The only paths asking for contiguousness
81414@@ -2352,7 +2352,7 @@ int __ocfs2_claim_clusters(handle_t *handle,
81415 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
81416 res.sr_bg_blkno,
81417 res.sr_bit_offset);
81418- atomic_inc(&osb->alloc_stats.bitmap_data);
81419+ atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
81420 *num_clusters = res.sr_bits;
81421 }
81422 }
81423diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
81424index a482e31..81b251d 100644
81425--- a/fs/ocfs2/super.c
81426+++ b/fs/ocfs2/super.c
81427@@ -308,11 +308,11 @@ static int ocfs2_osb_dump(struct ocfs2_super *osb, char *buf, int len)
81428 "%10s => GlobalAllocs: %d LocalAllocs: %d "
81429 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
81430 "Stats",
81431- atomic_read(&osb->alloc_stats.bitmap_data),
81432- atomic_read(&osb->alloc_stats.local_data),
81433- atomic_read(&osb->alloc_stats.bg_allocs),
81434- atomic_read(&osb->alloc_stats.moves),
81435- atomic_read(&osb->alloc_stats.bg_extends));
81436+ atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
81437+ atomic_read_unchecked(&osb->alloc_stats.local_data),
81438+ atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
81439+ atomic_read_unchecked(&osb->alloc_stats.moves),
81440+ atomic_read_unchecked(&osb->alloc_stats.bg_extends));
81441
81442 out += snprintf(buf + out, len - out,
81443 "%10s => State: %u Descriptor: %llu Size: %u bits "
81444@@ -2095,11 +2095,11 @@ static int ocfs2_initialize_super(struct super_block *sb,
81445
81446 mutex_init(&osb->system_file_mutex);
81447
81448- atomic_set(&osb->alloc_stats.moves, 0);
81449- atomic_set(&osb->alloc_stats.local_data, 0);
81450- atomic_set(&osb->alloc_stats.bitmap_data, 0);
81451- atomic_set(&osb->alloc_stats.bg_allocs, 0);
81452- atomic_set(&osb->alloc_stats.bg_extends, 0);
81453+ atomic_set_unchecked(&osb->alloc_stats.moves, 0);
81454+ atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
81455+ atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
81456+ atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
81457+ atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
81458
81459 /* Copy the blockcheck stats from the superblock probe */
81460 osb->osb_ecc_stats = *stats;
81461diff --git a/fs/open.c b/fs/open.c
81462index e33dab2..cdbdad9 100644
81463--- a/fs/open.c
81464+++ b/fs/open.c
81465@@ -32,6 +32,8 @@
81466 #include <linux/dnotify.h>
81467 #include <linux/compat.h>
81468
81469+#define CREATE_TRACE_POINTS
81470+#include <trace/events/fs.h>
81471 #include "internal.h"
81472
81473 int do_truncate(struct dentry *dentry, loff_t length, unsigned int time_attrs,
81474@@ -105,6 +107,8 @@ long vfs_truncate(struct path *path, loff_t length)
81475 error = locks_verify_truncate(inode, NULL, length);
81476 if (!error)
81477 error = security_path_truncate(path);
81478+ if (!error && !gr_acl_handle_truncate(path->dentry, path->mnt))
81479+ error = -EACCES;
81480 if (!error)
81481 error = do_truncate(path->dentry, length, 0, NULL);
81482
81483@@ -189,6 +193,8 @@ static long do_sys_ftruncate(unsigned int fd, loff_t length, int small)
81484 error = locks_verify_truncate(inode, f.file, length);
81485 if (!error)
81486 error = security_path_truncate(&f.file->f_path);
81487+ if (!error && !gr_acl_handle_truncate(f.file->f_path.dentry, f.file->f_path.mnt))
81488+ error = -EACCES;
81489 if (!error)
81490 error = do_truncate(dentry, length, ATTR_MTIME|ATTR_CTIME, f.file);
81491 sb_end_write(inode->i_sb);
81492@@ -398,6 +404,9 @@ retry:
81493 if (__mnt_is_readonly(path.mnt))
81494 res = -EROFS;
81495
81496+ if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
81497+ res = -EACCES;
81498+
81499 out_path_release:
81500 path_put(&path);
81501 if (retry_estale(res, lookup_flags)) {
81502@@ -429,6 +438,8 @@ retry:
81503 if (error)
81504 goto dput_and_out;
81505
81506+ gr_log_chdir(path.dentry, path.mnt);
81507+
81508 set_fs_pwd(current->fs, &path);
81509
81510 dput_and_out:
81511@@ -458,6 +469,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd)
81512 goto out_putf;
81513
81514 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
81515+
81516+ if (!error && !gr_chroot_fchdir(f.file->f_path.dentry, f.file->f_path.mnt))
81517+ error = -EPERM;
81518+
81519+ if (!error)
81520+ gr_log_chdir(f.file->f_path.dentry, f.file->f_path.mnt);
81521+
81522 if (!error)
81523 set_fs_pwd(current->fs, &f.file->f_path);
81524 out_putf:
81525@@ -487,7 +505,13 @@ retry:
81526 if (error)
81527 goto dput_and_out;
81528
81529+ if (gr_handle_chroot_chroot(path.dentry, path.mnt))
81530+ goto dput_and_out;
81531+
81532 set_fs_root(current->fs, &path);
81533+
81534+ gr_handle_chroot_chdir(&path);
81535+
81536 error = 0;
81537 dput_and_out:
81538 path_put(&path);
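Review bot: The new `gr_handle_chroot_chroot()` branch jumps to `dput_and_out` without setting `error`, and the context line `if (error) goto dput_and_out;` just above it means `error` is zero at that point. A chroot() refused by this check therefore appears to return success while the root is left unchanged. A caller that drops privileges after a "successful" chroot would then run unconfined without knowing it. Setting the code explicitly closes that gap: `if (gr_handle_chroot_chroot(path.dentry, path.mnt)) { error = -EPERM; goto dput_and_out; }`, assuming the helper returns non-zero to deny. The start of the syscall body is outside the hunk.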
81539@@ -511,6 +535,16 @@ static int chmod_common(struct path *path, umode_t mode)
81540 return error;
81541 retry_deleg:
81542 mutex_lock(&inode->i_mutex);
81543+
81544+ if (!gr_acl_handle_chmod(path->dentry, path->mnt, &mode)) {
81545+ error = -EACCES;
81546+ goto out_unlock;
81547+ }
81548+ if (gr_handle_chroot_chmod(path->dentry, path->mnt, mode)) {
81549+ error = -EACCES;
81550+ goto out_unlock;
81551+ }
81552+
81553 error = security_path_chmod(path, mode);
81554 if (error)
81555 goto out_unlock;
81556@@ -576,6 +610,9 @@ static int chown_common(struct path *path, uid_t user, gid_t group)
81557 uid = make_kuid(current_user_ns(), user);
81558 gid = make_kgid(current_user_ns(), group);
81559
81560+ if (!gr_acl_handle_chown(path->dentry, path->mnt))
81561+ return -EACCES;
81562+
81563 retry_deleg:
81564 newattrs.ia_valid = ATTR_CTIME;
81565 if (user != (uid_t) -1) {
81566@@ -1029,6 +1066,7 @@ long do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode)
81567 } else {
81568 fsnotify_open(f);
81569 fd_install(fd, f);
81570+ trace_do_sys_open(tmp->name, flags, mode);
81571 }
81572 }
81573 putname(tmp);
81574diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
81575index 84d693d..871fcb6 100644
81576--- a/fs/overlayfs/copy_up.c
81577+++ b/fs/overlayfs/copy_up.c
81578@@ -81,11 +81,11 @@ static int ovl_copy_up_data(struct path *old, struct path *new, loff_t len)
81579 if (len == 0)
81580 return 0;
81581
81582- old_file = ovl_path_open(old, O_RDONLY);
81583+ old_file = ovl_path_open(old, O_LARGEFILE | O_RDONLY);
81584 if (IS_ERR(old_file))
81585 return PTR_ERR(old_file);
81586
81587- new_file = ovl_path_open(new, O_WRONLY);
81588+ new_file = ovl_path_open(new, O_LARGEFILE | O_WRONLY);
81589 if (IS_ERR(new_file)) {
81590 error = PTR_ERR(new_file);
81591 goto out_fput;
81592@@ -267,7 +267,7 @@ out:
81593
81594 out_cleanup:
81595 ovl_cleanup(wdir, newdentry);
81596- goto out;
81597+ goto out2;
81598 }
81599
81600 /*
81601diff --git a/fs/overlayfs/inode.c b/fs/overlayfs/inode.c
81602index d9da5a4..f9b5b82 100644
81603--- a/fs/overlayfs/inode.c
81604+++ b/fs/overlayfs/inode.c
81605@@ -346,6 +346,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags)
81606 if (d_is_dir(dentry))
81607 return d_backing_inode(dentry);
81608
81609+ if (d_is_dir(dentry))
81610+ return d_backing_inode(dentry);
81611+
81612 type = ovl_path_real(dentry, &realpath);
81613 if (ovl_open_need_copy_up(file_flags, type, realpath.dentry)) {
81614 err = ovl_want_write(dentry);
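Review bot: The three added lines repeat, word for word, the `if (d_is_dir(dentry)) return d_backing_inode(dentry);` test that already stands as context immediately above them, so the second copy can never be reached with a directory. This looks like a merge or backport artefact, and the added lines can simply be dropped. The rest of ovl_d_select_inode continues outside the hunk.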
81615@@ -363,6 +366,9 @@ struct inode *ovl_d_select_inode(struct dentry *dentry, unsigned file_flags)
81616 ovl_path_upper(dentry, &realpath);
81617 }
81618
81619+ if (realpath.dentry->d_flags & DCACHE_OP_SELECT_INODE)
81620+ return realpath.dentry->d_op->d_select_inode(realpath.dentry, file_flags);
81621+
81622 return d_backing_inode(realpath.dentry);
81623 }
81624
81625diff --git a/fs/overlayfs/super.c b/fs/overlayfs/super.c
81626index 79073d6..6fc10e4 100644
81627--- a/fs/overlayfs/super.c
81628+++ b/fs/overlayfs/super.c
81629@@ -172,7 +172,7 @@ void ovl_path_lower(struct dentry *dentry, struct path *path)
81630 {
81631 struct ovl_entry *oe = dentry->d_fsdata;
81632
81633- *path = oe->numlower ? oe->lowerstack[0] : (struct path) { NULL, NULL };
81634+ *path = oe->numlower ? oe->lowerstack[0] : (struct path) { .dentry = NULL, .mnt = NULL };
81635 }
81636
81637 int ovl_want_write(struct dentry *dentry)
81638@@ -544,6 +544,7 @@ static void ovl_put_super(struct super_block *sb)
81639 mntput(ufs->upper_mnt);
81640 for (i = 0; i < ufs->numlower; i++)
81641 mntput(ufs->lower_mnt[i]);
81642+ kfree(ufs->lower_mnt);
81643
81644 kfree(ufs->config.lowerdir);
81645 kfree(ufs->config.upperdir);
81646@@ -879,8 +880,8 @@ static unsigned int ovl_split_lowerdirs(char *str)
81647
81648 static int ovl_fill_super(struct super_block *sb, void *data, int silent)
81649 {
81650- struct path upperpath = { NULL, NULL };
81651- struct path workpath = { NULL, NULL };
81652+ struct path upperpath = { .dentry = NULL, .mnt = NULL };
81653+ struct path workpath = { .dentry = NULL, .mnt = NULL };
81654 struct dentry *root_dentry;
81655 struct ovl_entry *oe;
81656 struct ovl_fs *ufs;
81657@@ -1048,6 +1049,7 @@ static int ovl_fill_super(struct super_block *sb, void *data, int silent)
81658 oe->lowerstack[i].dentry = stack[i].dentry;
81659 oe->lowerstack[i].mnt = ufs->lower_mnt[i];
81660 }
81661+ kfree(stack);
81662
81663 root_dentry->d_fsdata = oe;
81664
81665diff --git a/fs/pipe.c b/fs/pipe.c
81666index 8865f79..bd2c79b 100644
81667--- a/fs/pipe.c
81668+++ b/fs/pipe.c
81669@@ -36,7 +36,7 @@ unsigned int pipe_max_size = 1048576;
81670 /*
81671 * Minimum pipe size, as required by POSIX
81672 */
81673-unsigned int pipe_min_size = PAGE_SIZE;
81674+unsigned int pipe_min_size __read_only = PAGE_SIZE;
81675
81676 /*
81677 * We use a start+len construction, which provides full use of the
81678@@ -55,7 +55,7 @@ unsigned int pipe_min_size = PAGE_SIZE;
81679
81680 static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass)
81681 {
81682- if (pipe->files)
81683+ if (atomic_read(&pipe->files))
81684 mutex_lock_nested(&pipe->mutex, subclass);
81685 }
81686
81687@@ -70,7 +70,7 @@ EXPORT_SYMBOL(pipe_lock);
81688
81689 void pipe_unlock(struct pipe_inode_info *pipe)
81690 {
81691- if (pipe->files)
81692+ if (atomic_read(&pipe->files))
81693 mutex_unlock(&pipe->mutex);
81694 }
81695 EXPORT_SYMBOL(pipe_unlock);
81696@@ -291,9 +291,9 @@ pipe_read(struct kiocb *iocb, struct iov_iter *to)
81697 }
81698 if (bufs) /* More to do? */
81699 continue;
81700- if (!pipe->writers)
81701+ if (!atomic_read(&pipe->writers))
81702 break;
81703- if (!pipe->waiting_writers) {
81704+ if (!atomic_read(&pipe->waiting_writers)) {
81705 /* syscall merging: Usually we must not sleep
81706 * if O_NONBLOCK is set, or if we got some data.
81707 * But if a writer sleeps in kernel space, then
81708@@ -350,7 +350,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
81709
81710 __pipe_lock(pipe);
81711
81712- if (!pipe->readers) {
81713+ if (!atomic_read(&pipe->readers)) {
81714 send_sig(SIGPIPE, current, 0);
81715 ret = -EPIPE;
81716 goto out;
81717@@ -386,7 +386,7 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
81718 for (;;) {
81719 int bufs;
81720
81721- if (!pipe->readers) {
81722+ if (!atomic_read(&pipe->readers)) {
81723 send_sig(SIGPIPE, current, 0);
81724 if (!ret)
81725 ret = -EPIPE;
81726@@ -454,9 +454,9 @@ pipe_write(struct kiocb *iocb, struct iov_iter *from)
81727 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
81728 do_wakeup = 0;
81729 }
81730- pipe->waiting_writers++;
81731+ atomic_inc(&pipe->waiting_writers);
81732 pipe_wait(pipe);
81733- pipe->waiting_writers--;
81734+ atomic_dec(&pipe->waiting_writers);
81735 }
81736 out:
81737 __pipe_unlock(pipe);
81738@@ -511,7 +511,7 @@ pipe_poll(struct file *filp, poll_table *wait)
81739 mask = 0;
81740 if (filp->f_mode & FMODE_READ) {
81741 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
81742- if (!pipe->writers && filp->f_version != pipe->w_counter)
81743+ if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
81744 mask |= POLLHUP;
81745 }
81746
81747@@ -521,7 +521,7 @@ pipe_poll(struct file *filp, poll_table *wait)
81748 * Most Unices do not set POLLERR for FIFOs but on Linux they
81749 * behave exactly like pipes for poll().
81750 */
81751- if (!pipe->readers)
81752+ if (!atomic_read(&pipe->readers))
81753 mask |= POLLERR;
81754 }
81755
81756@@ -533,7 +533,7 @@ static void put_pipe_info(struct inode *inode, struct pipe_inode_info *pipe)
81757 int kill = 0;
81758
81759 spin_lock(&inode->i_lock);
81760- if (!--pipe->files) {
81761+ if (atomic_dec_and_test(&pipe->files)) {
81762 inode->i_pipe = NULL;
81763 kill = 1;
81764 }
81765@@ -550,11 +550,11 @@ pipe_release(struct inode *inode, struct file *file)
81766
81767 __pipe_lock(pipe);
81768 if (file->f_mode & FMODE_READ)
81769- pipe->readers--;
81770+ atomic_dec(&pipe->readers);
81771 if (file->f_mode & FMODE_WRITE)
81772- pipe->writers--;
81773+ atomic_dec(&pipe->writers);
81774
81775- if (pipe->readers || pipe->writers) {
81776+ if (atomic_read(&pipe->readers) || atomic_read(&pipe->writers)) {
81777 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
81778 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
81779 kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
81780@@ -619,7 +619,7 @@ void free_pipe_info(struct pipe_inode_info *pipe)
81781 kfree(pipe);
81782 }
81783
81784-static struct vfsmount *pipe_mnt __read_mostly;
81785+struct vfsmount *pipe_mnt __read_mostly;
81786
81787 /*
81788 * pipefs_dname() is called from d_path().
81789@@ -649,8 +649,9 @@ static struct inode * get_pipe_inode(void)
81790 goto fail_iput;
81791
81792 inode->i_pipe = pipe;
81793- pipe->files = 2;
81794- pipe->readers = pipe->writers = 1;
81795+ atomic_set(&pipe->files, 2);
81796+ atomic_set(&pipe->readers, 1);
81797+ atomic_set(&pipe->writers, 1);
81798 inode->i_fop = &pipefifo_fops;
81799
81800 /*
81801@@ -829,17 +830,17 @@ static int fifo_open(struct inode *inode, struct file *filp)
81802 spin_lock(&inode->i_lock);
81803 if (inode->i_pipe) {
81804 pipe = inode->i_pipe;
81805- pipe->files++;
81806+ atomic_inc(&pipe->files);
81807 spin_unlock(&inode->i_lock);
81808 } else {
81809 spin_unlock(&inode->i_lock);
81810 pipe = alloc_pipe_info();
81811 if (!pipe)
81812 return -ENOMEM;
81813- pipe->files = 1;
81814+ atomic_set(&pipe->files, 1);
81815 spin_lock(&inode->i_lock);
81816 if (unlikely(inode->i_pipe)) {
81817- inode->i_pipe->files++;
81818+ atomic_inc(&inode->i_pipe->files);
81819 spin_unlock(&inode->i_lock);
81820 free_pipe_info(pipe);
81821 pipe = inode->i_pipe;
81822@@ -864,10 +865,10 @@ static int fifo_open(struct inode *inode, struct file *filp)
81823 * opened, even when there is no process writing the FIFO.
81824 */
81825 pipe->r_counter++;
81826- if (pipe->readers++ == 0)
81827+ if (atomic_inc_return(&pipe->readers) == 1)
81828 wake_up_partner(pipe);
81829
81830- if (!is_pipe && !pipe->writers) {
81831+ if (!is_pipe && !atomic_read(&pipe->writers)) {
81832 if ((filp->f_flags & O_NONBLOCK)) {
81833 /* suppress POLLHUP until we have
81834 * seen a writer */
81835@@ -886,14 +887,14 @@ static int fifo_open(struct inode *inode, struct file *filp)
81836 * errno=ENXIO when there is no process reading the FIFO.
81837 */
81838 ret = -ENXIO;
81839- if (!is_pipe && (filp->f_flags & O_NONBLOCK) && !pipe->readers)
81840+ if (!is_pipe && (filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
81841 goto err;
81842
81843 pipe->w_counter++;
81844- if (!pipe->writers++)
81845+ if (atomic_inc_return(&pipe->writers) == 1)
81846 wake_up_partner(pipe);
81847
81848- if (!is_pipe && !pipe->readers) {
81849+ if (!is_pipe && !atomic_read(&pipe->readers)) {
81850 if (wait_for_partner(pipe, &pipe->r_counter))
81851 goto err_wr;
81852 }
81853@@ -907,11 +908,11 @@ static int fifo_open(struct inode *inode, struct file *filp)
81854 * the process can at least talk to itself.
81855 */
81856
81857- pipe->readers++;
81858- pipe->writers++;
81859+ atomic_inc(&pipe->readers);
81860+ atomic_inc(&pipe->writers);
81861 pipe->r_counter++;
81862 pipe->w_counter++;
81863- if (pipe->readers == 1 || pipe->writers == 1)
81864+ if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
81865 wake_up_partner(pipe);
81866 break;
81867
81868@@ -925,13 +926,13 @@ static int fifo_open(struct inode *inode, struct file *filp)
81869 return 0;
81870
81871 err_rd:
81872- if (!--pipe->readers)
81873+ if (atomic_dec_and_test(&pipe->readers))
81874 wake_up_interruptible(&pipe->wait);
81875 ret = -ERESTARTSYS;
81876 goto err;
81877
81878 err_wr:
81879- if (!--pipe->writers)
81880+ if (atomic_dec_and_test(&pipe->writers))
81881 wake_up_interruptible(&pipe->wait);
81882 ret = -ERESTARTSYS;
81883 goto err;
81884@@ -1007,7 +1008,7 @@ static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long nr_pages)
81885 * Currently we rely on the pipe array holding a power-of-2 number
81886 * of pages.
81887 */
81888-static inline unsigned int round_pipe_size(unsigned int size)
81889+static inline unsigned long round_pipe_size(unsigned long size)
81890 {
81891 unsigned long nr_pages;
81892
81893@@ -1055,13 +1056,16 @@ long pipe_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
81894
81895 switch (cmd) {
81896 case F_SETPIPE_SZ: {
81897- unsigned int size, nr_pages;
81898+ unsigned long size, nr_pages;
81899+
81900+ ret = -EINVAL;
81901+ if (arg < pipe_min_size)
81902+ goto out;
81903
81904 size = round_pipe_size(arg);
81905 nr_pages = size >> PAGE_SHIFT;
81906
81907- ret = -EINVAL;
81908- if (!nr_pages)
81909+ if (size < pipe_min_size)
81910 goto out;
81911
81912 if (!capable(CAP_SYS_RESOURCE) && size > pipe_max_size) {
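Review bot: The new `if (arg < pipe_min_size) goto out;` rejects every F_SETPIPE_SZ request below pipe_min_size before rounding. That is a user-visible change if round_pipe_size() rounds small values up to a whole page, as its `nr_pages` local in the previous hunk suggests (its body is not shown). If the intent is only to keep zero out of the rounding helper, `if (!arg) goto out;` is enough, since the later `if (size < pipe_min_size)` already catches a rounded result that came out too small. A comment on that second test, such as `/* re-check after rounding: the rounded size may have wrapped */`, would document why both checks exist. pipe_fcntl continues outside the hunk.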
81913diff --git a/fs/posix_acl.c b/fs/posix_acl.c
81914index 4fb17de..13d8c0f 100644
81915--- a/fs/posix_acl.c
81916+++ b/fs/posix_acl.c
81917@@ -20,6 +20,7 @@
81918 #include <linux/xattr.h>
81919 #include <linux/export.h>
81920 #include <linux/user_namespace.h>
81921+#include <linux/grsecurity.h>
81922
81923 struct posix_acl **acl_by_type(struct inode *inode, int type)
81924 {
81925@@ -277,7 +278,7 @@ posix_acl_equiv_mode(const struct posix_acl *acl, umode_t *mode_p)
81926 }
81927 }
81928 if (mode_p)
81929- *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
81930+ *mode_p = ((*mode_p & ~S_IRWXUGO) | mode) & ~gr_acl_umask();
81931 return not_equiv;
81932 }
81933 EXPORT_SYMBOL(posix_acl_equiv_mode);
81934@@ -427,7 +428,7 @@ static int posix_acl_create_masq(struct posix_acl *acl, umode_t *mode_p)
81935 mode &= (group_obj->e_perm << 3) | ~S_IRWXG;
81936 }
81937
81938- *mode_p = (*mode_p & ~S_IRWXUGO) | mode;
81939+ *mode_p = ((*mode_p & ~S_IRWXUGO) | mode) & ~gr_acl_umask();
81940 return not_equiv;
81941 }
81942
81943@@ -485,6 +486,8 @@ __posix_acl_create(struct posix_acl **acl, gfp_t gfp, umode_t *mode_p)
81944 struct posix_acl *clone = posix_acl_clone(*acl, gfp);
81945 int err = -ENOMEM;
81946 if (clone) {
81947+ *mode_p &= ~gr_acl_umask();
81948+
81949 err = posix_acl_create_masq(clone, mode_p);
81950 if (err < 0) {
81951 posix_acl_release(clone);
81952@@ -657,11 +660,12 @@ struct posix_acl *
81953 posix_acl_from_xattr(struct user_namespace *user_ns,
81954 const void *value, size_t size)
81955 {
81956- posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
81957- posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
81958+ const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
81959+ const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
81960 int count;
81961 struct posix_acl *acl;
81962 struct posix_acl_entry *acl_e;
81963+ umode_t umask = gr_acl_umask();
81964
81965 if (!value)
81966 return NULL;
81967@@ -687,12 +691,18 @@ posix_acl_from_xattr(struct user_namespace *user_ns,
81968
81969 switch(acl_e->e_tag) {
81970 case ACL_USER_OBJ:
81971+ acl_e->e_perm &= ~((umask & S_IRWXU) >> 6);
81972+ break;
81973 case ACL_GROUP_OBJ:
81974 case ACL_MASK:
81975+ acl_e->e_perm &= ~((umask & S_IRWXG) >> 3);
81976+ break;
81977 case ACL_OTHER:
81978+ acl_e->e_perm &= ~(umask & S_IRWXO);
81979 break;
81980
81981 case ACL_USER:
81982+ acl_e->e_perm &= ~((umask & S_IRWXU) >> 6);
81983 acl_e->e_uid =
81984 make_kuid(user_ns,
81985 le32_to_cpu(entry->e_id));
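Review bot: The restructured switch in posix_acl_from_xattr masks named-user entries (`ACL_USER`) with the owner bits of the umask and `ACL_MASK` with the group bits, but nothing in the code says this mapping is deliberate. A comment above the switch stating which umask class applies to each tag would help, since `ACL_USER_OBJ` no longer falls through to the shared `break`. The same applies to the `ACL_GROUP` line in the next hunk. The three expressions `(umask & S_IRWXU) >> 6`, `(umask & S_IRWXG) >> 3` and `umask & S_IRWXO` are each loop-invariant and could be computed once next to the `umask` declaration. The loop header and the end of the switch are outside this hunk.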
81986@@ -700,6 +710,7 @@ posix_acl_from_xattr(struct user_namespace *user_ns,
81987 goto fail;
81988 break;
81989 case ACL_GROUP:
81990+ acl_e->e_perm &= ~((umask & S_IRWXG) >> 3);
81991 acl_e->e_gid =
81992 make_kgid(user_ns,
81993 le32_to_cpu(entry->e_id));
81994diff --git a/fs/proc/Kconfig b/fs/proc/Kconfig
81995index 1ade120..a86f1a2 100644
81996--- a/fs/proc/Kconfig
81997+++ b/fs/proc/Kconfig
81998@@ -30,7 +30,7 @@ config PROC_FS
81999
82000 config PROC_KCORE
82001 bool "/proc/kcore support" if !ARM
82002- depends on PROC_FS && MMU
82003+ depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
82004 help
82005 Provides a virtual ELF core file of the live kernel. This can
82006 be read with gdb and other ELF tools. No modifications can be
82007@@ -38,8 +38,8 @@ config PROC_KCORE
82008
82009 config PROC_VMCORE
82010 bool "/proc/vmcore support"
82011- depends on PROC_FS && CRASH_DUMP
82012- default y
82013+ depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
82014+ default n
82015 help
82016 Exports the dump image of crashed kernel in ELF format.
82017
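Review bot: `default n` on PROC_VMCORE, and again on PROC_PAGE_MONITOR in the next hunk, is redundant because a bool symbol without a default is already n; deleting the `default y` line gives the same result with less noise. More useful would be a sentence in each help text noting that the option is unavailable when GRKERNSEC (or GRKERNSEC_PROC_ADD for PROC_KCORE in the previous hunk) is enabled. Without it, someone searching for a missing /proc/kcore, /proc/vmcore or pagemap has no pointer to the dependency.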
82018@@ -63,8 +63,8 @@ config PROC_SYSCTL
82019 limited in memory.
82020
82021 config PROC_PAGE_MONITOR
82022- default y
82023- depends on PROC_FS && MMU
82024+ default n
82025+ depends on PROC_FS && MMU && !GRKERNSEC
82026 bool "Enable /proc page monitoring" if EXPERT
82027 help
82028 Various /proc files exist to monitor process memory utilization:
82029diff --git a/fs/proc/array.c b/fs/proc/array.c
82030index ce065cf..8974fed 100644
82031--- a/fs/proc/array.c
82032+++ b/fs/proc/array.c
82033@@ -60,6 +60,7 @@
82034 #include <linux/tty.h>
82035 #include <linux/string.h>
82036 #include <linux/mman.h>
82037+#include <linux/grsecurity.h>
82038 #include <linux/proc_fs.h>
82039 #include <linux/ioport.h>
82040 #include <linux/uaccess.h>
82041@@ -348,6 +349,21 @@ static void task_cpus_allowed(struct seq_file *m, struct task_struct *task)
82042 cpumask_pr_args(&task->cpus_allowed));
82043 }
82044
82045+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
82046+static inline void task_pax(struct seq_file *m, struct task_struct *p)
82047+{
82048+ if (p->mm)
82049+ seq_printf(m, "PaX:\t%c%c%c%c%c\n",
82050+ p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
82051+ p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
82052+ p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
82053+ p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
82054+ p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
82055+ else
82056+ seq_printf(m, "PaX:\t-----\n");
82057+}
82058+#endif
82059+
82060 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
82061 struct pid *pid, struct task_struct *task)
82062 {
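Review bot: task_pax() tests `p->mm` once and then dereferences it five more times without holding task_lock or a reference on the mm. Nothing visible in the hunk stops the target task from exiting and dropping its mm between the test and the reads. Taking a reference for the duration of the print, as below, closes that window; passing in an mm the caller has already pinned would work as well, but that part of proc_pid_status is outside the hunk. Note that get_task_mm() returns NULL for kernel threads, so they would print the `-----` form.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}
	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   /* … unchanged: EMUTRAMP, MPROTECT and RANDMMAP characters, read through mm … */
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```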
82063@@ -366,9 +382,24 @@ int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
82064 task_cpus_allowed(m, task);
82065 cpuset_task_status_allowed(m, task);
82066 task_context_switch_counts(m, task);
82067+
82068+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
82069+ task_pax(m, task);
82070+#endif
82071+
82072+#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
82073+ task_grsec_rbac(m, task);
82074+#endif
82075+
82076 return 0;
82077 }
82078
82079+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82080+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
82081+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
82082+ _mm->pax_flags & MF_PAX_SEGMEXEC))
82083+#endif
82084+
82085 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
82086 struct pid *pid, struct task_struct *task, int whole)
82087 {
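Review bot: `PAX_RAND_FLAGS(_mm)` uses its argument four times without parentheses and exists only under CONFIG_GRKERNSEC_PROC_MEMMAP, which forces the later do_task_stat hunks to wrap each use in `#ifdef`, including one inside an `if` condition. Writing it as `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))` fixes the parenthesisation. Adding `#else` / `#define PAX_RAND_FLAGS(_mm) 0` would let those call sites drop their conditionals and the duplicated `seq_put_decimal_ull` lines. A short comment saying the macro is true when another task's randomised layout must not be disclosed would also help. The bodies of proc_pid_status and do_task_stat extend outside this hunk.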
82088@@ -390,6 +421,13 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
82089 char tcomm[sizeof(task->comm)];
82090 unsigned long flags;
82091
82092+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82093+ if (current->exec_id != m->exec_id) {
82094+ gr_log_badprocpid("stat");
82095+ return 0;
82096+ }
82097+#endif
82098+
82099 state = *get_task_state(task);
82100 vsize = eip = esp = 0;
82101 permitted = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
82102@@ -460,6 +498,19 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
82103 gtime = task_gtime(task);
82104 }
82105
82106+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82107+ if (PAX_RAND_FLAGS(mm)) {
82108+ eip = 0;
82109+ esp = 0;
82110+ wchan = 0;
82111+ }
82112+#endif
82113+#ifdef CONFIG_GRKERNSEC_HIDESYM
82114+ wchan = 0;
82115+ eip =0;
82116+ esp =0;
82117+#endif
82118+
82119 /* scale priority and nice values from timeslices to -20..20 */
82120 /* to make it look like a "normal" Unix priority/nice value */
82121 priority = task_prio(task);
82122@@ -491,9 +542,15 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
82123 seq_put_decimal_ull(m, ' ', vsize);
82124 seq_put_decimal_ull(m, ' ', mm ? get_mm_rss(mm) : 0);
82125 seq_put_decimal_ull(m, ' ', rsslim);
82126+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82127+ seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0));
82128+ seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0));
82129+ seq_put_decimal_ull(m, ' ', PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0));
82130+#else
82131 seq_put_decimal_ull(m, ' ', mm ? (permitted ? mm->start_code : 1) : 0);
82132 seq_put_decimal_ull(m, ' ', mm ? (permitted ? mm->end_code : 1) : 0);
82133 seq_put_decimal_ull(m, ' ', (permitted && mm) ? mm->start_stack : 0);
82134+#endif
82135 seq_put_decimal_ull(m, ' ', esp);
82136 seq_put_decimal_ull(m, ' ', eip);
82137 /* The signal information here is obsolete.
82138@@ -515,7 +572,11 @@ static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
82139 seq_put_decimal_ull(m, ' ', cputime_to_clock_t(gtime));
82140 seq_put_decimal_ll(m, ' ', cputime_to_clock_t(cgtime));
82141
82142- if (mm && permitted) {
82143+ if (mm && permitted
82144+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82145+ && !PAX_RAND_FLAGS(mm)
82146+#endif
82147+ ) {
82148 seq_put_decimal_ull(m, ' ', mm->start_data);
82149 seq_put_decimal_ull(m, ' ', mm->end_data);
82150 seq_put_decimal_ull(m, ' ', mm->start_brk);
82151@@ -553,8 +614,15 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
82152 struct pid *pid, struct task_struct *task)
82153 {
82154 unsigned long size = 0, resident = 0, shared = 0, text = 0, data = 0;
82155- struct mm_struct *mm = get_task_mm(task);
82156+ struct mm_struct *mm;
82157
82158+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82159+ if (current->exec_id != m->exec_id) {
82160+ gr_log_badprocpid("statm");
82161+ return 0;
82162+ }
82163+#endif
82164+ mm = get_task_mm(task);
82165 if (mm) {
82166 size = task_statm(mm, &shared, &text, &data, &resident);
82167 mmput(mm);
82168@@ -577,6 +645,20 @@ int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
82169 return 0;
82170 }
82171
82172+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
82173+int proc_pid_ipaddr(struct seq_file *m, struct pid_namespace *ns, struct pid *pid, struct task_struct *task)
82174+{
82175+ unsigned long flags;
82176+ u32 curr_ip = 0;
82177+
82178+ if (lock_task_sighand(task, &flags)) {
82179+ curr_ip = task->signal->curr_ip;
82180+ unlock_task_sighand(task, &flags);
82181+ }
82182+ return seq_printf(m, "%pI4\n", &curr_ip);
82183+}
82184+#endif
82185+
82186 #ifdef CONFIG_PROC_CHILDREN
82187 static struct pid *
82188 get_children_pid(struct inode *inode, struct pid *pid_prev, loff_t pos)
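Review bot: `proc_pid_ipaddr()` returns the result of `seq_printf()` directly, whereas `proc_pid_status()` and `proc_pid_statm()` in this same file end with `return 0;`. If `seq_printf()` reports a full buffer with a negative value, that value would reach the reader as an error instead of letting seq_file handle the overflow itself. Writing `seq_printf(m, "%pI4\n", &curr_ip);` followed by `return 0;` matches the neighbouring show functions and does not depend on the helper's return type.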
82189diff --git a/fs/proc/base.c b/fs/proc/base.c
82190index aa50d1a..7a62b7a 100644
82191--- a/fs/proc/base.c
82192+++ b/fs/proc/base.c
82193@@ -113,6 +113,14 @@ struct pid_entry {
82194 union proc_op op;
82195 };
82196
82197+struct getdents_callback {
82198+ struct linux_dirent __user * current_dir;
82199+ struct linux_dirent __user * previous;
82200+ struct file * file;
82201+ int count;
82202+ int error;
82203+};
82204+
82205 #define NOD(NAME, MODE, IOP, FOP, OP) { \
82206 .name = (NAME), \
82207 .len = sizeof(NAME) - 1, \
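Review bot: `struct getdents_callback` is added here, but none of the fs/proc/base.c hunks in this part of the patch refer to it. If nothing else in the file uses it, the definition is dead and can be dropped. If code outside these hunks does use it, a one-line comment naming that user would help, since the fields (`current_dir`, `previous`, `file`, `count`, `error`) are otherwise unexplained.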
82208@@ -224,6 +232,11 @@ static ssize_t proc_pid_cmdline_read(struct file *file, char __user *buf,
82209 goto out_mmput;
82210 }
82211
82212+ if (gr_acl_handle_procpidmem(tsk)) {
82213+ rv = 0;
82214+ goto out_mmput;
82215+ }
82216+
82217 page = (char *)__get_free_page(GFP_TEMPORARY);
82218 if (!page) {
82219 rv = -ENOMEM;
82220@@ -400,12 +413,28 @@ static const struct file_operations proc_pid_cmdline_ops = {
82221 .llseek = generic_file_llseek,
82222 };
82223
82224+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82225+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
82226+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
82227+ _mm->pax_flags & MF_PAX_SEGMEXEC))
82228+#endif
82229+
82230 static int proc_pid_auxv(struct seq_file *m, struct pid_namespace *ns,
82231 struct pid *pid, struct task_struct *task)
82232 {
82233 struct mm_struct *mm = mm_access(task, PTRACE_MODE_READ);
82234 if (mm && !IS_ERR(mm)) {
82235 unsigned int nwords = 0;
82236+
82237+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82238+ /* allow if we're currently ptracing this task */
82239+ if (PAX_RAND_FLAGS(mm) &&
82240+ (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
82241+ mmput(mm);
82242+ return 0;
82243+ }
82244+#endif
82245+
82246 do {
82247 nwords += 2;
82248 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
82249@@ -417,7 +446,7 @@ static int proc_pid_auxv(struct seq_file *m, struct pid_namespace *ns,
82250 }
82251
82252
82253-#ifdef CONFIG_KALLSYMS
82254+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82255 /*
82256 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
82257 * Returns the resolved symbol. If that fails, simply return the address.
82258@@ -459,7 +488,7 @@ static void unlock_trace(struct task_struct *task)
82259 mutex_unlock(&task->signal->cred_guard_mutex);
82260 }
82261
82262-#ifdef CONFIG_STACKTRACE
82263+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82264
82265 #define MAX_STACK_TRACE_DEPTH 64
82266
82267@@ -657,7 +686,7 @@ static int proc_pid_limits(struct seq_file *m, struct pid_namespace *ns,
82268 return 0;
82269 }
82270
82271-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
82272+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
82273 static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns,
82274 struct pid *pid, struct task_struct *task)
82275 {
82276@@ -690,7 +719,7 @@ static int proc_pid_syscall(struct seq_file *m, struct pid_namespace *ns,
82277 /************************************************************************/
82278
82279 /* permission checks */
82280-static int proc_fd_access_allowed(struct inode *inode)
82281+static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
82282 {
82283 struct task_struct *task;
82284 int allowed = 0;
82285@@ -700,7 +729,10 @@ static int proc_fd_access_allowed(struct inode *inode)
82286 */
82287 task = get_proc_task(inode);
82288 if (task) {
82289- allowed = ptrace_may_access(task, PTRACE_MODE_READ);
82290+ if (log)
82291+ allowed = ptrace_may_access(task, PTRACE_MODE_READ);
82292+ else
82293+ allowed = ptrace_may_access(task, PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);
82294 put_task_struct(task);
82295 }
82296 return allowed;
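Review bot: The new `log` parameter is an `unsigned int` used purely as a boolean, and the callers in the `proc_pid_follow_link` and `proc_pid_readlink` hunks pass bare `0` and `1`, which says nothing at the call site. Declaring it `bool log` and folding the branch into `allowed = ptrace_may_access(task, log ? PTRACE_MODE_READ : PTRACE_MODE_READ | PTRACE_MODE_NOAUDIT);` keeps a single call and makes the audited versus unaudited choice visible. The function's signature is in the preceding hunk.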
82297@@ -731,10 +763,35 @@ static bool has_pid_permissions(struct pid_namespace *pid,
82298 struct task_struct *task,
82299 int hide_pid_min)
82300 {
82301+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
82302+ return false;
82303+
82304+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82305+ rcu_read_lock();
82306+ {
82307+ const struct cred *tmpcred = current_cred();
82308+ const struct cred *cred = __task_cred(task);
82309+
82310+ if (uid_eq(tmpcred->uid, GLOBAL_ROOT_UID) || uid_eq(tmpcred->uid, cred->uid)
82311+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82312+ || in_group_p(grsec_proc_gid)
82313+#endif
82314+ ) {
82315+ rcu_read_unlock();
82316+ return true;
82317+ }
82318+ }
82319+ rcu_read_unlock();
82320+
82321+ if (!pid->hide_pid)
82322+ return false;
82323+#endif
82324+
82325 if (pid->hide_pid < hide_pid_min)
82326 return true;
82327 if (in_group_p(pid->pid_gid))
82328 return true;
82329+
82330 return ptrace_may_access(task, PTRACE_MODE_READ);
82331 }
82332
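Review bot: With CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP set, a caller who is neither root, the task's owner nor in `grsec_proc_gid` is refused when `pid->hide_pid` is 0, but when `hide_pid` is non-zero the same caller falls through to `if (pid->hide_pid < hide_pid_min) return true;`. For any caller that passes a `hide_pid_min` greater than 1 (the callers are outside the hunk), a mount with hide_pid set to 1 would then be more permissive than one with hide_pid 0. If that is intended, a comment above `if (!pid->hide_pid) return false;` should say so; otherwise the early refusal probably should not depend on `hide_pid`. The two `rcu_read_unlock()` calls could also collapse into one by computing the result into a local `bool` inside the locked region.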
82333@@ -752,7 +809,11 @@ static int proc_pid_permission(struct inode *inode, int mask)
82334 put_task_struct(task);
82335
82336 if (!has_perms) {
82337+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82338+ {
82339+#else
82340 if (pid->hide_pid == 2) {
82341+#endif
82342 /*
82343 * Let's make getdents(), stat(), and open()
82344 * consistent with each other. If a process
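Review bot: The opening brace of this block now appears in both arms of an `#if`/`#else`, so which `{` pairs with the block's closing brace depends on the configuration, and that defeats brace matching in editors and some static checkers. A single condition, `if (IS_ENABLED(CONFIG_GRKERNSEC_PROC_USER) || IS_ENABLED(CONFIG_GRKERNSEC_PROC_USERGROUP) || pid->hide_pid == 2) {`, has the same effect without preprocessor-split syntax. The block continues outside the hunk.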
82345@@ -813,6 +874,10 @@ struct mm_struct *proc_mem_open(struct inode *inode, unsigned int mode)
82346
82347 if (task) {
82348 mm = mm_access(task, mode);
82349+ if (!IS_ERR_OR_NULL(mm) && gr_acl_handle_procpidmem(task)) {
82350+ mmput(mm);
82351+ mm = ERR_PTR(-EPERM);
82352+ }
82353 put_task_struct(task);
82354
82355 if (!IS_ERR_OR_NULL(mm)) {
82356@@ -834,6 +899,11 @@ static int __mem_open(struct inode *inode, struct file *file, unsigned int mode)
82357 return PTR_ERR(mm);
82358
82359 file->private_data = mm;
82360+
82361+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82362+ file->f_version = current->exec_id;
82363+#endif
82364+
82365 return 0;
82366 }
82367
82368@@ -855,6 +925,17 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
82369 ssize_t copied;
82370 char *page;
82371
82372+#ifdef CONFIG_GRKERNSEC
82373+ if (write)
82374+ return -EPERM;
82375+#endif
82376+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82377+ if (file->f_version != current->exec_id) {
82378+ gr_log_badprocpid("mem");
82379+ return 0;
82380+ }
82381+#endif
82382+
82383 if (!mm)
82384 return 0;
82385
82386@@ -867,7 +948,7 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
82387 goto free;
82388
82389 while (count > 0) {
82390- int this_len = min_t(int, count, PAGE_SIZE);
82391+ ssize_t this_len = min_t(ssize_t, count, PAGE_SIZE);
82392
82393 if (write && copy_from_user(page, buf, this_len)) {
82394 copied = -EFAULT;
82395@@ -959,6 +1040,13 @@ static ssize_t environ_read(struct file *file, char __user *buf,
82396 if (!mm)
82397 return 0;
82398
82399+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
82400+ if (file->f_version != current->exec_id) {
82401+ gr_log_badprocpid("environ");
82402+ return 0;
82403+ }
82404+#endif
82405+
82406 page = (char *)__get_free_page(GFP_TEMPORARY);
82407 if (!page)
82408 return -ENOMEM;
82409@@ -968,7 +1056,7 @@ static ssize_t environ_read(struct file *file, char __user *buf,
82410 goto free;
82411 while (count > 0) {
82412 size_t this_len, max_len;
82413- int retval;
82414+ ssize_t retval;
82415
82416 if (src >= (mm->env_end - mm->env_start))
82417 break;
82418@@ -1582,7 +1670,7 @@ static const char *proc_pid_follow_link(struct dentry *dentry, void **cookie)
82419 int error = -EACCES;
82420
82421 /* Are we allowed to snoop on the tasks file descriptors? */
82422- if (!proc_fd_access_allowed(inode))
82423+ if (!proc_fd_access_allowed(inode, 0))
82424 goto out;
82425
82426 error = PROC_I(inode)->op.proc_get_link(dentry, &path);
82427@@ -1626,8 +1714,18 @@ static int proc_pid_readlink(struct dentry * dentry, char __user * buffer, int b
82428 struct path path;
82429
82430 /* Are we allowed to snoop on the tasks file descriptors? */
82431- if (!proc_fd_access_allowed(inode))
82432- goto out;
82433+ /* logging this is needed for learning on chromium to work properly,
82434+ but we don't want to flood the logs from 'ps' which does a readlink
82435+ on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
82436+ CAP_SYS_PTRACE as it's not necessary for its basic functionality
82437+ */
82438+ if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
82439+ if (!proc_fd_access_allowed(inode,0))
82440+ goto out;
82441+ } else {
82442+ if (!proc_fd_access_allowed(inode,1))
82443+ goto out;
82444+ }
82445
82446 error = PROC_I(inode)->op.proc_get_link(dentry, &path);
82447 if (error)
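Review bot: The two arms of the new `if`/`else` differ only in the second argument to `proc_fd_access_allowed()`, and the comment writes `/proc/fd/2` where `/proc/<pid>/fd/2` is presumably meant. Computing the flag once, `bool is_fd2 = dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0';` followed by `if (!proc_fd_access_allowed(inode, !is_fd2)) goto out;`, removes the duplication. The match is on the entry name alone, so any link served by this function whose name is `2` takes the unaudited path; the comment should state that this is accepted.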
82448@@ -1677,7 +1775,11 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t
82449 rcu_read_lock();
82450 cred = __task_cred(task);
82451 inode->i_uid = cred->euid;
82452+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82453+ inode->i_gid = grsec_proc_gid;
82454+#else
82455 inode->i_gid = cred->egid;
82456+#endif
82457 rcu_read_unlock();
82458 }
82459 security_task_to_inode(task, inode);
82460@@ -1713,10 +1815,19 @@ int pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat)
82461 return -ENOENT;
82462 }
82463 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
82464+#ifdef CONFIG_GRKERNSEC_PROC_USER
82465+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
82466+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82467+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
82468+#endif
82469 task_dumpable(task)) {
82470 cred = __task_cred(task);
82471 stat->uid = cred->euid;
82472+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82473+ stat->gid = grsec_proc_gid;
82474+#else
82475 stat->gid = cred->egid;
82476+#endif
82477 }
82478 }
82479 rcu_read_unlock();
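Review bot: The per-configuration directory mode test added here is repeated verbatim in the `pid_revalidate` hunk, and the same modes are assigned in the `proc_pid_instantiate` hunk, so a mode change has to be made in three places. One macro or small inline helper (name to be chosen) that yields the configured default mode would let all three sites share it. The `#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP` gid selection is duplicated the same way in `proc_pid_make_inode`, `pid_getattr` and `pid_revalidate`. pid_getattr starts and ends outside the hunk.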
82480@@ -1754,11 +1865,20 @@ int pid_revalidate(struct dentry *dentry, unsigned int flags)
82481
82482 if (task) {
82483 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
82484+#ifdef CONFIG_GRKERNSEC_PROC_USER
82485+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
82486+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82487+ (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
82488+#endif
82489 task_dumpable(task)) {
82490 rcu_read_lock();
82491 cred = __task_cred(task);
82492 inode->i_uid = cred->euid;
82493+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82494+ inode->i_gid = grsec_proc_gid;
82495+#else
82496 inode->i_gid = cred->egid;
82497+#endif
82498 rcu_read_unlock();
82499 } else {
82500 inode->i_uid = GLOBAL_ROOT_UID;
82501@@ -2290,6 +2410,9 @@ static struct dentry *proc_pident_lookup(struct inode *dir,
82502 if (!task)
82503 goto out_no_task;
82504
82505+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
82506+ goto out;
82507+
82508 /*
82509 * Yes, it does not scale. And it should not. Don't add
82510 * new entries into /proc/<tgid>/ without very good reasons.
82511@@ -2320,6 +2443,9 @@ static int proc_pident_readdir(struct file *file, struct dir_context *ctx,
82512 if (!task)
82513 return -ENOENT;
82514
82515+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
82516+ goto out;
82517+
82518 if (!dir_emit_dots(file, ctx))
82519 goto out;
82520
82521@@ -2764,7 +2890,7 @@ static const struct pid_entry tgid_base_stuff[] = {
82522 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
82523 #endif
82524 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
82525-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
82526+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
82527 ONE("syscall", S_IRUSR, proc_pid_syscall),
82528 #endif
82529 REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
82530@@ -2789,10 +2915,10 @@ static const struct pid_entry tgid_base_stuff[] = {
82531 #ifdef CONFIG_SECURITY
82532 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
82533 #endif
82534-#ifdef CONFIG_KALLSYMS
82535+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82536 ONE("wchan", S_IRUGO, proc_pid_wchan),
82537 #endif
82538-#ifdef CONFIG_STACKTRACE
82539+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82540 ONE("stack", S_IRUSR, proc_pid_stack),
82541 #endif
82542 #ifdef CONFIG_SCHED_INFO
82543@@ -2826,6 +2952,9 @@ static const struct pid_entry tgid_base_stuff[] = {
82544 #ifdef CONFIG_HARDWALL
82545 ONE("hardwall", S_IRUGO, proc_pid_hardwall),
82546 #endif
82547+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
82548+ ONE("ipaddr", S_IRUSR, proc_pid_ipaddr),
82549+#endif
82550 #ifdef CONFIG_USER_NS
82551 REG("uid_map", S_IRUGO|S_IWUSR, proc_uid_map_operations),
82552 REG("gid_map", S_IRUGO|S_IWUSR, proc_gid_map_operations),
82553@@ -2958,7 +3087,14 @@ static int proc_pid_instantiate(struct inode *dir,
82554 if (!inode)
82555 goto out;
82556
82557+#ifdef CONFIG_GRKERNSEC_PROC_USER
82558+ inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
82559+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
82560+ inode->i_gid = grsec_proc_gid;
82561+ inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
82562+#else
82563 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
82564+#endif
82565 inode->i_op = &proc_tgid_base_inode_operations;
82566 inode->i_fop = &proc_tgid_base_operations;
82567 inode->i_flags|=S_IMMUTABLE;
82568@@ -2996,7 +3132,11 @@ struct dentry *proc_pid_lookup(struct inode *dir, struct dentry * dentry, unsign
82569 if (!task)
82570 goto out;
82571
82572+ if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
82573+ goto out_put_task;
82574+
82575 result = proc_pid_instantiate(dir, dentry, task, NULL);
82576+out_put_task:
82577 put_task_struct(task);
82578 out:
82579 return ERR_PTR(result);
82580@@ -3110,7 +3250,7 @@ static const struct pid_entry tid_base_stuff[] = {
82581 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
82582 #endif
82583 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
82584-#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
82585+#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
82586 ONE("syscall", S_IRUSR, proc_pid_syscall),
82587 #endif
82588 REG("cmdline", S_IRUGO, proc_pid_cmdline_ops),
82589@@ -3137,10 +3277,10 @@ static const struct pid_entry tid_base_stuff[] = {
82590 #ifdef CONFIG_SECURITY
82591 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
82592 #endif
82593-#ifdef CONFIG_KALLSYMS
82594+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82595 ONE("wchan", S_IRUGO, proc_pid_wchan),
82596 #endif
82597-#ifdef CONFIG_STACKTRACE
82598+#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
82599 ONE("stack", S_IRUSR, proc_pid_stack),
82600 #endif
82601 #ifdef CONFIG_SCHED_INFO
82602diff --git a/fs/proc/cmdline.c b/fs/proc/cmdline.c
82603index cbd82df..c0407d2 100644
82604--- a/fs/proc/cmdline.c
82605+++ b/fs/proc/cmdline.c
82606@@ -23,7 +23,11 @@ static const struct file_operations cmdline_proc_fops = {
82607
82608 static int __init proc_cmdline_init(void)
82609 {
82610+#ifdef CONFIG_GRKERNSEC_PROC_ADD
82611+ proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
82612+#else
82613 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
82614+#endif
82615 return 0;
82616 }
82617 fs_initcall(proc_cmdline_init);
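Review bot: The `#ifdef CONFIG_GRKERNSEC_PROC_ADD` / `#else` pair around a single call is repeated in the fs/proc/devices.c and fs/proc/interrupts.c hunks with only the entry name changed. Where `proc_create_grsec` is declared (not visible here), a fallback for the disabled case such as `#define proc_create_grsec proc_create` would let each init function make one unconditional call, provided no other caller relies on the name being absent. That removes the per-site preprocessor blocks and the chance of one site being missed when the policy changes.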
82618diff --git a/fs/proc/devices.c b/fs/proc/devices.c
82619index 50493ed..248166b 100644
82620--- a/fs/proc/devices.c
82621+++ b/fs/proc/devices.c
82622@@ -64,7 +64,11 @@ static const struct file_operations proc_devinfo_operations = {
82623
82624 static int __init proc_devices_init(void)
82625 {
82626+#ifdef CONFIG_GRKERNSEC_PROC_ADD
82627+ proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
82628+#else
82629 proc_create("devices", 0, NULL, &proc_devinfo_operations);
82630+#endif
82631 return 0;
82632 }
82633 fs_initcall(proc_devices_init);
82634diff --git a/fs/proc/fd.c b/fs/proc/fd.c
82635index 6e5fcd0..06ea074 100644
82636--- a/fs/proc/fd.c
82637+++ b/fs/proc/fd.c
82638@@ -27,7 +27,8 @@ static int seq_show(struct seq_file *m, void *v)
82639 if (!task)
82640 return -ENOENT;
82641
82642- files = get_files_struct(task);
82643+ if (!gr_acl_handle_procpidmem(task))
82644+ files = get_files_struct(task);
82645 put_task_struct(task);
82646
82647 if (files) {
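Review bot: `files` is now assigned only when `gr_acl_handle_procpidmem(task)` returns zero, so the `if (files)` test at the end of the hunk depends on `files` being initialised to NULL at its declaration, which is outside the hunk. Worth confirming that the initialiser is present, and adding a short comment such as `/* denied: leave files NULL and fall through */` so the dependency is not lost in a later refactor.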
82648@@ -291,11 +292,21 @@ static struct dentry *proc_lookupfd(struct inode *dir, struct dentry *dentry,
82649 */
82650 int proc_fd_permission(struct inode *inode, int mask)
82651 {
82652+ struct task_struct *task;
82653 int rv = generic_permission(inode, mask);
82654- if (rv == 0)
82655- return 0;
82656+
82657 if (task_tgid(current) == proc_pid(inode))
82658 rv = 0;
82659+
82660+ task = get_proc_task(inode);
82661+ if (task == NULL)
82662+ return rv;
82663+
82664+ if (gr_acl_handle_procpidmem(task))
82665+ rv = -EACCES;
82666+
82667+ put_task_struct(task);
82668+
82669 return rv;
82670 }
82671
82672diff --git a/fs/proc/generic.c b/fs/proc/generic.c
82673index e5dee5c..dafe21b 100644
82674--- a/fs/proc/generic.c
82675+++ b/fs/proc/generic.c
82676@@ -22,6 +22,7 @@
82677 #include <linux/bitops.h>
82678 #include <linux/spinlock.h>
82679 #include <linux/completion.h>
82680+#include <linux/grsecurity.h>
82681 #include <asm/uaccess.h>
82682
82683 #include "internal.h"
82684@@ -253,6 +254,15 @@ struct dentry *proc_lookup(struct inode *dir, struct dentry *dentry,
82685 return proc_lookup_de(PDE(dir), dir, dentry);
82686 }
82687
82688+struct dentry *proc_lookup_restrict(struct inode *dir, struct dentry *dentry,
82689+ unsigned int flags)
82690+{
82691+ if (gr_proc_is_restricted())
82692+ return ERR_PTR(-EACCES);
82693+
82694+ return proc_lookup_de(PDE(dir), dir, dentry);
82695+}
82696+
82697 /*
82698 * This returns non-zero if at EOF, so that the /proc
82699 * root directory can use this and check if it should
82700@@ -310,6 +320,16 @@ int proc_readdir(struct file *file, struct dir_context *ctx)
82701 return proc_readdir_de(PDE(inode), file, ctx);
82702 }
82703
82704+int proc_readdir_restrict(struct file *file, struct dir_context *ctx)
82705+{
82706+ struct inode *inode = file_inode(file);
82707+
82708+ if (gr_proc_is_restricted())
82709+ return -EACCES;
82710+
82711+ return proc_readdir_de(PDE(inode), file, ctx);
82712+}
82713+
82714 /*
82715 * These are the generic /proc directory operations. They
82716 * use the in-memory "struct proc_dir_entry" tree to parse
82717@@ -321,6 +341,12 @@ static const struct file_operations proc_dir_operations = {
82718 .iterate = proc_readdir,
82719 };
82720
82721+static const struct file_operations proc_dir_restricted_operations = {
82722+ .llseek = generic_file_llseek,
82723+ .read = generic_read_dir,
82724+ .iterate = proc_readdir_restrict,
82725+};
82726+
82727 /*
82728 * proc directories can do almost nothing..
82729 */
82730@@ -330,6 +356,12 @@ static const struct inode_operations proc_dir_inode_operations = {
82731 .setattr = proc_notify_change,
82732 };
82733
82734+static const struct inode_operations proc_dir_restricted_inode_operations = {
82735+ .lookup = proc_lookup_restrict,
82736+ .getattr = proc_getattr,
82737+ .setattr = proc_notify_change,
82738+};
82739+
82740 static int proc_register(struct proc_dir_entry * dir, struct proc_dir_entry * dp)
82741 {
82742 int ret;
82743@@ -445,6 +477,31 @@ struct proc_dir_entry *proc_mkdir_data(const char *name, umode_t mode,
82744 }
82745 EXPORT_SYMBOL_GPL(proc_mkdir_data);
82746
82747+struct proc_dir_entry *proc_mkdir_data_restrict(const char *name, umode_t mode,
82748+ struct proc_dir_entry *parent, void *data)
82749+{
82750+ struct proc_dir_entry *ent;
82751+
82752+ if (mode == 0)
82753+ mode = S_IRUGO | S_IXUGO;
82754+
82755+ ent = __proc_create(&parent, name, S_IFDIR | mode, 2);
82756+ if (ent) {
82757+ ent->data = data;
82758+ ent->restricted = 1;
82759+ ent->proc_fops = &proc_dir_restricted_operations;
82760+ ent->proc_iops = &proc_dir_restricted_inode_operations;
82761+ parent->nlink++;
82762+ if (proc_register(parent, ent) < 0) {
82763+ kfree(ent);
82764+ parent->nlink--;
82765+ ent = NULL;
82766+ }
82767+ }
82768+ return ent;
82769+}
82770+EXPORT_SYMBOL_GPL(proc_mkdir_data_restrict);
82771+
82772 struct proc_dir_entry *proc_mkdir_mode(const char *name, umode_t mode,
82773 struct proc_dir_entry *parent)
82774 {
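Review bot: `proc_mkdir_data_restrict()` appears to repeat the whole of `proc_mkdir_data()` (whose body is outside the hunk) and differs only in setting `ent->restricted = 1` and installing the two `_restricted` operation tables. Two copies of the `nlink++` / `proc_register()` / `kfree()` error path will drift apart; a static helper taking the fops, iops and restricted flag, called by both public functions, would keep that sequence in one place. The new function also carries no comment saying which callers a restricted directory is hidden from, which `gr_proc_is_restricted()` decides elsewhere.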
82775@@ -459,6 +516,13 @@ struct proc_dir_entry *proc_mkdir(const char *name,
82776 }
82777 EXPORT_SYMBOL(proc_mkdir);
82778
82779+struct proc_dir_entry *proc_mkdir_restrict(const char *name,
82780+ struct proc_dir_entry *parent)
82781+{
82782+ return proc_mkdir_data_restrict(name, 0, parent, NULL);
82783+}
82784+EXPORT_SYMBOL(proc_mkdir_restrict);
82785+
82786 struct proc_dir_entry *proc_create_mount_point(const char *name)
82787 {
82788 umode_t mode = S_IFDIR | S_IRUGO | S_IXUGO;
82789diff --git a/fs/proc/inode.c b/fs/proc/inode.c
82790index bd95b9f..a64a773 100644
82791--- a/fs/proc/inode.c
82792+++ b/fs/proc/inode.c
82793@@ -23,11 +23,17 @@
82794 #include <linux/slab.h>
82795 #include <linux/mount.h>
82796 #include <linux/magic.h>
82797+#include <linux/grsecurity.h>
82798
82799 #include <asm/uaccess.h>
82800
82801 #include "internal.h"
82802
82803+#ifdef CONFIG_PROC_SYSCTL
82804+extern const struct inode_operations proc_sys_inode_operations;
82805+extern const struct inode_operations proc_sys_dir_operations;
82806+#endif
82807+
82808 static void proc_evict_inode(struct inode *inode)
82809 {
82810 struct proc_dir_entry *de;
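Review bot: The two `extern const struct inode_operations` declarations are placed in this .c file, so the compiler cannot check them against the definitions. Moving them to fs/proc/internal.h, which this patch already changes and which this file includes, lets the defining file and this one share one declaration, assuming the defining file includes that header too. They are used by the `proc_evict_inode` hunk that follows.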
82811@@ -48,6 +54,13 @@ static void proc_evict_inode(struct inode *inode)
82812 RCU_INIT_POINTER(PROC_I(inode)->sysctl, NULL);
82813 sysctl_head_put(head);
82814 }
82815+
82816+#ifdef CONFIG_PROC_SYSCTL
82817+ if (inode->i_op == &proc_sys_inode_operations ||
82818+ inode->i_op == &proc_sys_dir_operations)
82819+ gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);
82820+#endif
82821+
82822 }
82823
82824 static struct kmem_cache * proc_inode_cachep;
82825@@ -429,7 +442,11 @@ struct inode *proc_get_inode(struct super_block *sb, struct proc_dir_entry *de)
82826 if (de->mode) {
82827 inode->i_mode = de->mode;
82828 inode->i_uid = de->uid;
82829+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
82830+ inode->i_gid = grsec_proc_gid;
82831+#else
82832 inode->i_gid = de->gid;
82833+#endif
82834 }
82835 if (de->size)
82836 inode->i_size = de->size;
82837diff --git a/fs/proc/internal.h b/fs/proc/internal.h
82838index aa27810..9f2d3b2 100644
82839--- a/fs/proc/internal.h
82840+++ b/fs/proc/internal.h
82841@@ -47,9 +47,10 @@ struct proc_dir_entry {
82842 struct completion *pde_unload_completion;
82843 struct list_head pde_openers; /* who did ->open, but not ->release */
82844 spinlock_t pde_unload_lock; /* proc_fops checks and pde_users bumps */
82845+ u8 restricted; /* a directory in /proc/net that should be restricted via GRKERNSEC_PROC */
82846 u8 namelen;
82847 char name[];
82848-};
82849+} __randomize_layout;
82850
82851 union proc_op {
82852 int (*proc_get_link)(struct dentry *, struct path *);
82853@@ -67,7 +68,7 @@ struct proc_inode {
82854 struct ctl_table *sysctl_entry;
82855 const struct proc_ns_operations *ns_ops;
82856 struct inode vfs_inode;
82857-};
82858+} __randomize_layout;
82859
82860 /*
82861 * General functions
82862@@ -155,6 +156,10 @@ extern int proc_pid_status(struct seq_file *, struct pid_namespace *,
82863 struct pid *, struct task_struct *);
82864 extern int proc_pid_statm(struct seq_file *, struct pid_namespace *,
82865 struct pid *, struct task_struct *);
82866+#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
82867+extern int proc_pid_ipaddr(struct seq_file *, struct pid_namespace *,
82868+ struct pid *, struct task_struct *);
82869+#endif
82870
82871 /*
82872 * base.c
82873@@ -179,9 +184,11 @@ extern bool proc_fill_cache(struct file *, struct dir_context *, const char *, i
82874 * generic.c
82875 */
82876 extern struct dentry *proc_lookup(struct inode *, struct dentry *, unsigned int);
82877+extern struct dentry *proc_lookup_restrict(struct inode *, struct dentry *, unsigned int);
82878 extern struct dentry *proc_lookup_de(struct proc_dir_entry *, struct inode *,
82879 struct dentry *);
82880 extern int proc_readdir(struct file *, struct dir_context *);
82881+extern int proc_readdir_restrict(struct file *, struct dir_context *);
82882 extern int proc_readdir_de(struct proc_dir_entry *, struct file *, struct dir_context *);
82883
82884 static inline struct proc_dir_entry *pde_get(struct proc_dir_entry *pde)
82885diff --git a/fs/proc/interrupts.c b/fs/proc/interrupts.c
82886index a352d57..cb94a5c 100644
82887--- a/fs/proc/interrupts.c
82888+++ b/fs/proc/interrupts.c
82889@@ -47,7 +47,11 @@ static const struct file_operations proc_interrupts_operations = {
82890
82891 static int __init proc_interrupts_init(void)
82892 {
82893+#ifdef CONFIG_GRKERNSEC_PROC_ADD
82894+ proc_create_grsec("interrupts", 0, NULL, &proc_interrupts_operations);
82895+#else
82896 proc_create("interrupts", 0, NULL, &proc_interrupts_operations);
82897+#endif
82898 return 0;
82899 }
82900 fs_initcall(proc_interrupts_init);
82901diff --git a/fs/proc/kcore.c b/fs/proc/kcore.c
82902index 92e6726..a600d4fa 100644
82903--- a/fs/proc/kcore.c
82904+++ b/fs/proc/kcore.c
82905@@ -483,9 +483,10 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
82906 * the addresses in the elf_phdr on our list.
82907 */
82908 start = kc_offset_to_vaddr(*fpos - elf_buflen);
82909- if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
82910+ tsz = PAGE_SIZE - (start & ~PAGE_MASK);
82911+ if (tsz > buflen)
82912 tsz = buflen;
82913-
82914+
82915 while (buflen) {
82916 struct kcore_list *m;
82917
82918@@ -515,19 +516,20 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
82919 } else {
82920 if (kern_addr_valid(start)) {
82921 unsigned long n;
82922+ char *elf_buf;
82923+ mm_segment_t oldfs;
82924
82925- n = copy_to_user(buffer, (char *)start, tsz);
82926- /*
82927- * We cannot distinguish between fault on source
82928- * and fault on destination. When this happens
82929- * we clear too and hope it will trigger the
82930- * EFAULT again.
82931- */
82932- if (n) {
82933- if (clear_user(buffer + tsz - n,
82934- n))
82935- return -EFAULT;
82936- }
82937+ elf_buf = kzalloc(tsz, GFP_KERNEL);
82938+ if (!elf_buf)
82939+ return -ENOMEM;
82940+ oldfs = get_fs();
82941+ set_fs(KERNEL_DS);
82942+ n = __copy_from_user(elf_buf, (const void __user *)start, tsz);
82943+ set_fs(oldfs);
82944+ n = copy_to_user(buffer, elf_buf, tsz);
82945+ kfree(elf_buf);
82946+ if (n)
82947+ return -EFAULT;
82948 } else {
82949 if (clear_user(buffer, tsz))
82950 return -EFAULT;
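Review bot: The result of `__copy_from_user()` is stored in `n` and then overwritten by the `copy_to_user()` on the next statement, so a fault while reading the kernel address is silently ignored. That is harmless only because `elf_buf` comes from `kzalloc()`, so unread bytes go out as zeroes; a comment on that line such as `/* a short read leaves the kzalloc()ed tail zero, so nothing stale is copied out */` would make the dependency explicit and keep a later switch to `kmalloc()` from turning it into an information leak. The buffer is also allocated and freed on every pass of the `while (buflen)` loop that starts in the previous hunk; since `tsz` appears bounded by `PAGE_SIZE` there, one allocation before the loop would do.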
82951@@ -547,6 +549,9 @@ read_kcore(struct file *file, char __user *buffer, size_t buflen, loff_t *fpos)
82952
82953 static int open_kcore(struct inode *inode, struct file *filp)
82954 {
82955+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
82956+ return -EPERM;
82957+#endif
82958 if (!capable(CAP_SYS_RAWIO))
82959 return -EPERM;
82960 if (kcore_need_update)
82961@@ -580,7 +585,7 @@ static int __meminit kcore_callback(struct notifier_block *self,
82962 return NOTIFY_OK;
82963 }
82964
82965-static struct notifier_block kcore_callback_nb __meminitdata = {
82966+static struct notifier_block kcore_callback_nb __meminitconst = {
82967 .notifier_call = kcore_callback,
82968 .priority = 0,
82969 };
82970diff --git a/fs/proc/meminfo.c b/fs/proc/meminfo.c
82971index d3ebf2e..abe1823 100644
82972--- a/fs/proc/meminfo.c
82973+++ b/fs/proc/meminfo.c
82974@@ -27,7 +27,6 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
82975 {
82976 struct sysinfo i;
82977 unsigned long committed;
82978- struct vmalloc_info vmi;
82979 long cached;
82980 long available;
82981 unsigned long pagecache;
82982@@ -49,8 +48,6 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
82983 if (cached < 0)
82984 cached = 0;
82985
82986- get_vmalloc_info(&vmi);
82987-
82988 for (lru = LRU_BASE; lru < NR_LRU_LISTS; lru++)
82989 pages[lru] = global_page_state(NR_LRU_BASE + lru);
82990
82991@@ -191,10 +188,10 @@ static int meminfo_proc_show(struct seq_file *m, void *v)
82992 K(vm_commit_limit()),
82993 K(committed),
82994 (unsigned long)VMALLOC_TOTAL >> 10,
82995- vmi.used >> 10,
82996- vmi.largest_chunk >> 10
82997+ 0ul, // used to be vmalloc 'used'
82998+ 0ul // used to be vmalloc 'largest_chunk'
82999 #ifdef CONFIG_MEMORY_FAILURE
83000- , atomic_long_read(&num_poisoned_pages) << (PAGE_SHIFT - 10)
83001+ , atomic_long_read_unchecked(&num_poisoned_pages) << (PAGE_SHIFT - 10)
83002 #endif
83003 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
83004 , K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
83005diff --git a/fs/proc/nommu.c b/fs/proc/nommu.c
83006index f8595e8..e0d13cbd 100644
83007--- a/fs/proc/nommu.c
83008+++ b/fs/proc/nommu.c
83009@@ -64,7 +64,7 @@ static int nommu_region_show(struct seq_file *m, struct vm_region *region)
83010
83011 if (file) {
83012 seq_pad(m, ' ');
83013- seq_file_path(m, file, "");
83014+ seq_file_path(m, file, "\n\\");
83015 }
83016
83017 seq_putc(m, '\n');
83018diff --git a/fs/proc/proc_net.c b/fs/proc/proc_net.c
83019index 350984a..0fb02a9 100644
83020--- a/fs/proc/proc_net.c
83021+++ b/fs/proc/proc_net.c
83022@@ -23,9 +23,27 @@
83023 #include <linux/nsproxy.h>
83024 #include <net/net_namespace.h>
83025 #include <linux/seq_file.h>
83026+#include <linux/grsecurity.h>
83027
83028 #include "internal.h"
83029
83030+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
83031+static struct seq_operations *ipv6_seq_ops_addr;
83032+
83033+void register_ipv6_seq_ops_addr(struct seq_operations *addr)
83034+{
83035+ ipv6_seq_ops_addr = addr;
83036+}
83037+
83038+void unregister_ipv6_seq_ops_addr(void)
83039+{
83040+ ipv6_seq_ops_addr = NULL;
83041+}
83042+
83043+EXPORT_SYMBOL_GPL(register_ipv6_seq_ops_addr);
83044+EXPORT_SYMBOL_GPL(unregister_ipv6_seq_ops_addr);
83045+#endif
83046+
83047 static inline struct net *PDE_NET(struct proc_dir_entry *pde)
83048 {
83049 return pde->parent->data;
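Review bot: `ipv6_seq_ops_addr` is declared as a non-const `struct seq_operations *`, although the only use in this patch compares it with the `const struct seq_operations *ops` argument of seq_open_net() and never writes through it. Declaring it `static const struct seq_operations *ipv6_seq_ops_addr;` and taking `const struct seq_operations *addr` in register_ipv6_seq_ops_addr() would let the registering code keep its ops table read-only; the callers are not in view, so their argument types need checking. The pointer is also set and cleared with plain assignments while opens may read it concurrently, which deserves either a comment saying why that is safe or READ_ONCE()/WRITE_ONCE() on the accesses.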
83050@@ -36,6 +54,8 @@ static struct net *get_proc_net(const struct inode *inode)
83051 return maybe_get_net(PDE_NET(PDE(inode)));
83052 }
83053
83054+extern const struct seq_operations dev_seq_ops;
83055+
83056 int seq_open_net(struct inode *ino, struct file *f,
83057 const struct seq_operations *ops, int size)
83058 {
83059@@ -44,6 +64,14 @@ int seq_open_net(struct inode *ino, struct file *f,
83060
83061 BUG_ON(size < sizeof(*p));
83062
83063+ /* only permit access to /proc/net/dev */
83064+ if (
83065+#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
83066+ ops != ipv6_seq_ops_addr &&
83067+#endif
83068+ ops != &dev_seq_ops && gr_proc_is_restricted())
83069+ return -EACCES;
83070+
83071 net = get_proc_net(ino);
83072 if (net == NULL)
83073 return -ENXIO;
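Review bot: The comment `/* only permit access to /proc/net/dev */` understates the condition under it, which also admits any open whose `ops` equals `ipv6_seq_ops_addr` when IPv6 is configured. Something like `/* restricted users may open only /proc/net/dev and the seq file registered via register_ipv6_seq_ops_addr() */` matches the code. The `extern const struct seq_operations dev_seq_ops;` added just above seq_open_net() would also be better placed in a shared header, so the declaration is checked against the definition. seq_open_net() continues past the end of the hunk.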
83074@@ -66,6 +94,9 @@ int single_open_net(struct inode *inode, struct file *file,
83075 int err;
83076 struct net *net;
83077
83078+ if (gr_proc_is_restricted())
83079+ return -EACCES;
83080+
83081 err = -ENXIO;
83082 net = get_proc_net(inode);
83083 if (net == NULL)
83084diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c
83085index fdda62e..cd7c75f 100644
83086--- a/fs/proc/proc_sysctl.c
83087+++ b/fs/proc/proc_sysctl.c
83088@@ -11,13 +11,21 @@
83089 #include <linux/namei.h>
83090 #include <linux/mm.h>
83091 #include <linux/module.h>
83092+#include <linux/nsproxy.h>
83093+#ifdef CONFIG_GRKERNSEC
83094+#include <net/net_namespace.h>
83095+#endif
83096 #include "internal.h"
83097
83098+extern int gr_handle_chroot_sysctl(const int op);
83099+extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
83100+ const int op);
83101+
83102 static const struct dentry_operations proc_sys_dentry_operations;
83103 static const struct file_operations proc_sys_file_operations;
83104-static const struct inode_operations proc_sys_inode_operations;
83105+const struct inode_operations proc_sys_inode_operations;
83106 static const struct file_operations proc_sys_dir_file_operations;
83107-static const struct inode_operations proc_sys_dir_operations;
83108+const struct inode_operations proc_sys_dir_operations;
83109
83110 /* Support for permanently empty directories */
83111
83112@@ -32,13 +40,17 @@ static bool is_empty_dir(struct ctl_table_header *head)
83113
83114 static void set_empty_dir(struct ctl_dir *dir)
83115 {
83116- dir->header.ctl_table[0].child = sysctl_mount_point;
83117+ pax_open_kernel();
83118+ *(const void **)&dir->header.ctl_table[0].child = sysctl_mount_point;
83119+ pax_close_kernel();
83120 }
83121
83122 static void clear_empty_dir(struct ctl_dir *dir)
83123
83124 {
83125- dir->header.ctl_table[0].child = NULL;
83126+ pax_open_kernel();
83127+ *(void **)&dir->header.ctl_table[0].child = NULL;
83128+ pax_close_kernel();
83129 }
83130
83131 void proc_sys_poll_notify(struct ctl_table_poll *poll)
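Review bot: set_empty_dir() stores through `*(const void **)&dir->header.ctl_table[0].child` while clear_empty_dir() uses `*(void **)&...child` for the same field, so the two casts should agree. Both also erase the field's pointer type; a cast to the field's own unqualified type (presumably `struct ctl_table **`, the declaration is not in view) would keep type checking on the assigned value. A short comment on why the store has to sit between pax_open_kernel() and pax_close_kernel() would help readers who do not know that the table is treated as read-only.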
83132@@ -504,6 +516,9 @@ static struct dentry *proc_sys_lookup(struct inode *dir, struct dentry *dentry,
83133
83134 err = NULL;
83135 d_set_d_op(dentry, &proc_sys_dentry_operations);
83136+
83137+ gr_handle_proc_create(dentry, inode);
83138+
83139 d_add(dentry, inode);
83140
83141 out:
83142@@ -519,6 +534,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
83143 struct inode *inode = file_inode(filp);
83144 struct ctl_table_header *head = grab_header(inode);
83145 struct ctl_table *table = PROC_I(inode)->sysctl_entry;
83146+ int op = write ? MAY_WRITE : MAY_READ;
83147 ssize_t error;
83148 size_t res;
83149
83150@@ -530,7 +546,7 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
83151 * and won't be until we finish.
83152 */
83153 error = -EPERM;
83154- if (sysctl_perm(head, table, write ? MAY_WRITE : MAY_READ))
83155+ if (sysctl_perm(head, table, op))
83156 goto out;
83157
83158 /* if that can happen at all, it should be -EINVAL, not -EISDIR */
83159@@ -538,6 +554,27 @@ static ssize_t proc_sys_call_handler(struct file *filp, void __user *buf,
83160 if (!table->proc_handler)
83161 goto out;
83162
83163+#ifdef CONFIG_GRKERNSEC
83164+ error = -EPERM;
83165+ if (gr_handle_chroot_sysctl(op))
83166+ goto out;
83167+ dget(filp->f_path.dentry);
83168+ if (gr_handle_sysctl_mod(filp->f_path.dentry->d_parent->d_name.name, table->procname, op)) {
83169+ dput(filp->f_path.dentry);
83170+ goto out;
83171+ }
83172+ dput(filp->f_path.dentry);
83173+ if (!gr_acl_handle_open(filp->f_path.dentry, filp->f_path.mnt, op))
83174+ goto out;
83175+ if (write) {
83176+ if (current->nsproxy->net_ns != table->extra2) {
83177+ if (!capable(CAP_SYS_ADMIN))
83178+ goto out;
83179+ } else if (!ns_capable(current->nsproxy->net_ns->user_ns, CAP_NET_ADMIN))
83180+ goto out;
83181+ }
83182+#endif
83183+
83184 /* careful: calling conventions are nasty here */
83185 res = count;
83186 error = table->proc_handler(table, write, buf, &res, ppos);
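Review bot: In the write branch, `current->nsproxy->net_ns != table->extra2` treats `extra2` as a network-namespace pointer for every sysctl table, and nothing in the block documents that convention. For a table that uses `extra2` for something else (its other uses are not visible in this hunk) the comparison fails and the write requires CAP_SYS_ADMIN, which may be intended but should be stated, for example `/* extra2 is the owning struct net for per-netns tables; all other writes need CAP_SYS_ADMIN */`. The dget()/dput() pair around gr_handle_sysctl_mod() also looks redundant, since `filp` already holds `f_path.dentry` for the duration of the call. proc_sys_call_handler() begins and ends outside the hunk.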
83187@@ -635,6 +672,9 @@ static bool proc_sys_fill_cache(struct file *file,
83188 return false;
83189 } else {
83190 d_set_d_op(child, &proc_sys_dentry_operations);
83191+
83192+ gr_handle_proc_create(child, inode);
83193+
83194 d_add(child, inode);
83195 }
83196 } else {
83197@@ -678,6 +718,9 @@ static int scan(struct ctl_table_header *head, struct ctl_table *table,
83198 if ((*pos)++ < ctx->pos)
83199 return true;
83200
83201+ if (!gr_acl_handle_hidden_file(file->f_path.dentry, file->f_path.mnt))
83202+ return 0;
83203+
83204 if (unlikely(S_ISLNK(table->mode)))
83205 res = proc_sys_link_fill_cache(file, ctx, head, table);
83206 else
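Review bot: The added gr_acl_handle_hidden_file() call in scan() is given `file->f_path.dentry`, which appears to be the directory being listed rather than the entry that `table` describes, so its answer would be the same for every entry of one listing. If hiding the whole directory is the intent, the check belongs once in the caller (outside this hunk); if per-entry hiding was meant, it needs the entry's own dentry. The new `return 0;` also sits directly below an existing `return true;` in a function declared `int`, so one spelling should be used for both.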
83207@@ -771,6 +814,9 @@ static int proc_sys_getattr(struct vfsmount *mnt, struct dentry *dentry, struct
83208 if (IS_ERR(head))
83209 return PTR_ERR(head);
83210
83211+ if (table && !gr_acl_handle_hidden_file(dentry, mnt))
83212+ return -ENOENT;
83213+
83214 generic_fillattr(inode, stat);
83215 if (table)
83216 stat->mode = (stat->mode & S_IFMT) | table->mode;
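Review bot: The added `return -ENOENT;` leaves proc_sys_getattr() after `head` has passed the IS_ERR() check, without releasing it. The acquisition and the normal-path release are outside the hunk; if the function ends with sysctl_head_finish(head), as the grab_header() use elsewhere in this file suggests, the hidden-file path needs it too: `if (table && !gr_acl_handle_hidden_file(dentry, mnt)) { sysctl_head_finish(head); return -ENOENT; }`. A use count that is never dropped would be expected to stall a later unregistration of that table.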
83217@@ -793,13 +839,13 @@ static const struct file_operations proc_sys_dir_file_operations = {
83218 .llseek = generic_file_llseek,
83219 };
83220
83221-static const struct inode_operations proc_sys_inode_operations = {
83222+const struct inode_operations proc_sys_inode_operations = {
83223 .permission = proc_sys_permission,
83224 .setattr = proc_sys_setattr,
83225 .getattr = proc_sys_getattr,
83226 };
83227
83228-static const struct inode_operations proc_sys_dir_operations = {
83229+const struct inode_operations proc_sys_dir_operations = {
83230 .lookup = proc_sys_lookup,
83231 .permission = proc_sys_permission,
83232 .setattr = proc_sys_setattr,
83233@@ -876,7 +922,7 @@ static struct ctl_dir *find_subdir(struct ctl_dir *dir,
83234 static struct ctl_dir *new_dir(struct ctl_table_set *set,
83235 const char *name, int namelen)
83236 {
83237- struct ctl_table *table;
83238+ ctl_table_no_const *table;
83239 struct ctl_dir *new;
83240 struct ctl_node *node;
83241 char *new_name;
83242@@ -888,7 +934,7 @@ static struct ctl_dir *new_dir(struct ctl_table_set *set,
83243 return NULL;
83244
83245 node = (struct ctl_node *)(new + 1);
83246- table = (struct ctl_table *)(node + 1);
83247+ table = (ctl_table_no_const *)(node + 1);
83248 new_name = (char *)(table + 2);
83249 memcpy(new_name, name, namelen);
83250 new_name[namelen] = '\0';
83251@@ -1057,7 +1103,8 @@ static int sysctl_check_table(const char *path, struct ctl_table *table)
83252 static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table *table,
83253 struct ctl_table_root *link_root)
83254 {
83255- struct ctl_table *link_table, *entry, *link;
83256+ ctl_table_no_const *link_table, *link;
83257+ struct ctl_table *entry;
83258 struct ctl_table_header *links;
83259 struct ctl_node *node;
83260 char *link_name;
83261@@ -1080,7 +1127,7 @@ static struct ctl_table_header *new_links(struct ctl_dir *dir, struct ctl_table
83262 return NULL;
83263
83264 node = (struct ctl_node *)(links + 1);
83265- link_table = (struct ctl_table *)(node + nr_entries);
83266+ link_table = (ctl_table_no_const *)(node + nr_entries);
83267 link_name = (char *)&link_table[nr_entries + 1];
83268
83269 for (link = link_table, entry = table; entry->procname; link++, entry++) {
83270@@ -1328,8 +1375,8 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
83271 struct ctl_table_header ***subheader, struct ctl_table_set *set,
83272 struct ctl_table *table)
83273 {
83274- struct ctl_table *ctl_table_arg = NULL;
83275- struct ctl_table *entry, *files;
83276+ ctl_table_no_const *ctl_table_arg = NULL, *files = NULL;
83277+ struct ctl_table *entry;
83278 int nr_files = 0;
83279 int nr_dirs = 0;
83280 int err = -ENOMEM;
83281@@ -1341,10 +1388,9 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
83282 nr_files++;
83283 }
83284
83285- files = table;
83286 /* If there are mixed files and directories we need a new table */
83287 if (nr_dirs && nr_files) {
83288- struct ctl_table *new;
83289+ ctl_table_no_const *new;
83290 files = kzalloc(sizeof(struct ctl_table) * (nr_files + 1),
83291 GFP_KERNEL);
83292 if (!files)
83293@@ -1362,7 +1408,7 @@ static int register_leaf_sysctl_tables(const char *path, char *pos,
83294 /* Register everything except a directory full of subdirectories */
83295 if (nr_files || !nr_dirs) {
83296 struct ctl_table_header *header;
83297- header = __register_sysctl_table(set, path, files);
83298+ header = __register_sysctl_table(set, path, files ? files : table);
83299 if (!header) {
83300 kfree(ctl_table_arg);
83301 goto out;
83302diff --git a/fs/proc/root.c b/fs/proc/root.c
83303index 68feb0f..2c04780 100644
83304--- a/fs/proc/root.c
83305+++ b/fs/proc/root.c
83306@@ -185,7 +185,15 @@ void __init proc_root_init(void)
83307 proc_create_mount_point("openprom");
83308 #endif
83309 proc_tty_init();
83310+#ifdef CONFIG_GRKERNSEC_PROC_ADD
83311+#ifdef CONFIG_GRKERNSEC_PROC_USER
83312+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
83313+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
83314+ proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
83315+#endif
83316+#else
83317 proc_mkdir("bus", NULL);
83318+#endif
83319 proc_sys_init();
83320 }
83321
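Review bot: With CONFIG_GRKERNSEC_PROC_ADD set and neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, the inner `#ifdef`/`#elif` chain emits nothing and the "bus" directory is never created. Kconfig may make that combination impossible (not visible here), but the code should not rely on it silently. Either add `#else` followed by `proc_mkdir("bus", NULL);` to the inner chain, or an `#error` naming the missing option. proc_root_init() begins outside the hunk.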
83322diff --git a/fs/proc/stat.c b/fs/proc/stat.c
83323index 510413eb..34d9a8c 100644
83324--- a/fs/proc/stat.c
83325+++ b/fs/proc/stat.c
83326@@ -11,6 +11,7 @@
83327 #include <linux/irqnr.h>
83328 #include <linux/cputime.h>
83329 #include <linux/tick.h>
83330+#include <linux/grsecurity.h>
83331
83332 #ifndef arch_irq_stat_cpu
83333 #define arch_irq_stat_cpu(cpu) 0
83334@@ -87,6 +88,18 @@ static int show_stat(struct seq_file *p, void *v)
83335 u64 sum_softirq = 0;
83336 unsigned int per_softirq_sums[NR_SOFTIRQS] = {0};
83337 struct timespec boottime;
83338+ int unrestricted = 1;
83339+
83340+#ifdef CONFIG_GRKERNSEC_PROC_ADD
83341+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
83342+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)
83343+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
83344+ && !in_group_p(grsec_proc_gid)
83345+#endif
83346+ )
83347+ unrestricted = 0;
83348+#endif
83349+#endif
83350
83351 user = nice = system = idle = iowait =
83352 irq = softirq = steal = 0;
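Review bot: The three-level `#ifdef` block that computes `unrestricted` inside show_stat() encodes a policy decision that fs/proc/proc_net.c in this same patch obtains from gr_proc_is_restricted(). If that helper implements the same uid and group test (its body is not in view), `int unrestricted = !gr_proc_is_restricted();` would remove the preprocessor nesting and keep the policy in one place. If the two checks differ on purpose, a comment here should say how.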
83353@@ -99,23 +112,25 @@ static int show_stat(struct seq_file *p, void *v)
83354 nice += kcpustat_cpu(i).cpustat[CPUTIME_NICE];
83355 system += kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
83356 idle += get_idle_time(i);
83357- iowait += get_iowait_time(i);
83358- irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
83359- softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
83360- steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
83361- guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
83362- guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
83363- sum += kstat_cpu_irqs_sum(i);
83364- sum += arch_irq_stat_cpu(i);
83365+ if (unrestricted) {
83366+ iowait += get_iowait_time(i);
83367+ irq += kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
83368+ softirq += kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
83369+ steal += kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
83370+ guest += kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
83371+ guest_nice += kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
83372+ sum += kstat_cpu_irqs_sum(i);
83373+ sum += arch_irq_stat_cpu(i);
83374+ for (j = 0; j < NR_SOFTIRQS; j++) {
83375+ unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
83376
83377- for (j = 0; j < NR_SOFTIRQS; j++) {
83378- unsigned int softirq_stat = kstat_softirqs_cpu(j, i);
83379-
83380- per_softirq_sums[j] += softirq_stat;
83381- sum_softirq += softirq_stat;
83382+ per_softirq_sums[j] += softirq_stat;
83383+ sum_softirq += softirq_stat;
83384+ }
83385 }
83386 }
83387- sum += arch_irq_stat();
83388+ if (unrestricted)
83389+ sum += arch_irq_stat();
83390
83391 seq_puts(p, "cpu ");
83392 seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
83393@@ -136,12 +151,14 @@ static int show_stat(struct seq_file *p, void *v)
83394 nice = kcpustat_cpu(i).cpustat[CPUTIME_NICE];
83395 system = kcpustat_cpu(i).cpustat[CPUTIME_SYSTEM];
83396 idle = get_idle_time(i);
83397- iowait = get_iowait_time(i);
83398- irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
83399- softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
83400- steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
83401- guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
83402- guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
83403+ if (unrestricted) {
83404+ iowait = get_iowait_time(i);
83405+ irq = kcpustat_cpu(i).cpustat[CPUTIME_IRQ];
83406+ softirq = kcpustat_cpu(i).cpustat[CPUTIME_SOFTIRQ];
83407+ steal = kcpustat_cpu(i).cpustat[CPUTIME_STEAL];
83408+ guest = kcpustat_cpu(i).cpustat[CPUTIME_GUEST];
83409+ guest_nice = kcpustat_cpu(i).cpustat[CPUTIME_GUEST_NICE];
83410+ }
83411 seq_printf(p, "cpu%d", i);
83412 seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(user));
83413 seq_put_decimal_ull(p, ' ', cputime64_to_clock_t(nice));
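Review bot: In the per-CPU loop the restricted path skips the assignments to `iowait`, `irq`, `softirq`, `steal`, `guest` and `guest_nice`, so each `cpuN` line prints whatever those variables still hold from the totals loop. They are zero only because the totals loop did not accumulate into them either (the initialisation of `guest` and `guest_nice` is outside the hunks shown). An explicit `else` branch that zeroes the six variables, or at least a comment stating the dependency, would keep a later change to the totals loop from leaking per-CPU values to restricted readers.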
83414@@ -159,7 +176,7 @@ static int show_stat(struct seq_file *p, void *v)
83415
83416 /* sum again ? it could be updated? */
83417 for_each_irq_nr(j)
83418- seq_put_decimal_ull(p, ' ', kstat_irqs_usr(j));
83419+ seq_put_decimal_ull(p, ' ', unrestricted ? kstat_irqs_usr(j) : 0ULL);
83420
83421 seq_printf(p,
83422 "\nctxt %llu\n"
83423@@ -167,11 +184,11 @@ static int show_stat(struct seq_file *p, void *v)
83424 "processes %lu\n"
83425 "procs_running %lu\n"
83426 "procs_blocked %lu\n",
83427- nr_context_switches(),
83428+ unrestricted ? nr_context_switches() : 0ULL,
83429 (unsigned long)jif,
83430- total_forks,
83431- nr_running(),
83432- nr_iowait());
83433+ unrestricted ? total_forks : 0UL,
83434+ unrestricted ? nr_running() : 0UL,
83435+ unrestricted ? nr_iowait() : 0UL);
83436
83437 seq_printf(p, "softirq %llu", (unsigned long long)sum_softirq);
83438
83439diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c
83440index ca1e091..a048795 100644
83441--- a/fs/proc/task_mmu.c
83442+++ b/fs/proc/task_mmu.c
83443@@ -13,12 +13,19 @@
83444 #include <linux/swap.h>
83445 #include <linux/swapops.h>
83446 #include <linux/mmu_notifier.h>
83447+#include <linux/grsecurity.h>
83448
83449 #include <asm/elf.h>
83450 #include <asm/uaccess.h>
83451 #include <asm/tlbflush.h>
83452 #include "internal.h"
83453
83454+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83455+#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
83456+ (_mm->pax_flags & MF_PAX_RANDMMAP || \
83457+ _mm->pax_flags & MF_PAX_SEGMEXEC))
83458+#endif
83459+
83460 void task_mem(struct seq_file *m, struct mm_struct *mm)
83461 {
83462 unsigned long data, text, lib, swap, ptes, pmds;
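Review bot: PAX_RAND_FLAGS() expands its argument `_mm` four times without parentheses, so it is correct only while every caller passes a simple postfix expression such as `mm` or `vma->vm_mm`. A `static inline bool` taking `const struct mm_struct *` would remove both the precedence hazard and the repeated evaluation; as a macro it should at least read `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. A one-line comment stating what a true result means for the /proc output (addresses of another task's randomised layout are replaced by zero, judging by the uses below) would also help.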
83463@@ -57,8 +64,13 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
83464 "VmLib:\t%8lu kB\n"
83465 "VmPTE:\t%8lu kB\n"
83466 "VmPMD:\t%8lu kB\n"
83467- "VmSwap:\t%8lu kB\n",
83468- hiwater_vm << (PAGE_SHIFT-10),
83469+ "VmSwap:\t%8lu kB\n"
83470+
83471+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
83472+ "CsBase:\t%8lx\nCsLim:\t%8lx\n"
83473+#endif
83474+
83475+ ,hiwater_vm << (PAGE_SHIFT-10),
83476 total_vm << (PAGE_SHIFT-10),
83477 mm->locked_vm << (PAGE_SHIFT-10),
83478 mm->pinned_vm << (PAGE_SHIFT-10),
83479@@ -68,7 +80,19 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
83480 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
83481 ptes >> 10,
83482 pmds >> 10,
83483- swap << (PAGE_SHIFT-10));
83484+ swap << (PAGE_SHIFT-10)
83485+
83486+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
83487+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83488+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_base
83489+ , PAX_RAND_FLAGS(mm) ? 0 : mm->context.user_cs_limit
83490+#else
83491+ , mm->context.user_cs_base
83492+ , mm->context.user_cs_limit
83493+#endif
83494+#endif
83495+
83496+ );
83497 }
83498
83499 unsigned long task_vsize(struct mm_struct *mm)
83500@@ -285,13 +309,13 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
83501 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
83502 }
83503
83504- /* We don't show the stack guard page in /proc/maps */
83505+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83506+ start = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start;
83507+ end = PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end;
83508+#else
83509 start = vma->vm_start;
83510- if (stack_guard_page_start(vma, start))
83511- start += PAGE_SIZE;
83512 end = vma->vm_end;
83513- if (stack_guard_page_end(vma, end))
83514- end -= PAGE_SIZE;
83515+#endif
83516
83517 seq_setwidth(m, 25 + sizeof(void *) * 6 - 1);
83518 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu ",
83519@@ -301,7 +325,11 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
83520 flags & VM_WRITE ? 'w' : '-',
83521 flags & VM_EXEC ? 'x' : '-',
83522 flags & VM_MAYSHARE ? 's' : 'p',
83523+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83524+ PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
83525+#else
83526 pgoff,
83527+#endif
83528 MAJOR(dev), MINOR(dev), ino);
83529
83530 /*
83531@@ -310,7 +338,7 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
83532 */
83533 if (file) {
83534 seq_pad(m, ' ');
83535- seq_file_path(m, file, "\n");
83536+ seq_file_path(m, file, "\n\\");
83537 goto done;
83538 }
83539
83540@@ -341,8 +369,9 @@ show_map_vma(struct seq_file *m, struct vm_area_struct *vma, int is_pid)
83541 * Thread stack in /proc/PID/task/TID/maps or
83542 * the main process stack.
83543 */
83544- if (!is_pid || (vma->vm_start <= mm->start_stack &&
83545- vma->vm_end >= mm->start_stack)) {
83546+ if (!is_pid || (vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
83547+ (vma->vm_start <= mm->start_stack &&
83548+ vma->vm_end >= mm->start_stack)) {
83549 name = "[stack]";
83550 } else {
83551 /* Thread stack in /proc/PID/maps */
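Review bot: The comment above the changed condition still reads "Thread stack in /proc/PID/task/TID/maps or the main process stack", but the added `vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)` test now labels every growable mapping `[stack]` regardless of `is_pid` and `mm->start_stack`. The comment should be updated to match, for example `/* any growable VMA, a thread stack in /proc/PID/task/TID/maps, or the main process stack */`. The surrounding branch of show_map_vma() starts outside the hunk.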
83552@@ -362,6 +391,12 @@ done:
83553
83554 static int show_map(struct seq_file *m, void *v, int is_pid)
83555 {
83556+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83557+ if (current->exec_id != m->exec_id) {
83558+ gr_log_badprocpid("maps");
83559+ return 0;
83560+ }
83561+#endif
83562 show_map_vma(m, v, is_pid);
83563 m_cache_vma(m, v);
83564 return 0;
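Review bot: The `current->exec_id != m->exec_id` guard in show_map() returns 0 after logging, so the reader gets a successful but empty record and the code does not say that this is deliberate. A comment such as `/* reader is not the exec instance that opened the file: emit nothing */` would document it (my reading of the intent; where `m->exec_id` is set is outside this hunk). The same five lines are repeated in show_smap() and show_numa_map() with only the string argument changed, which a small static helper taking the name would remove.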
83565@@ -620,9 +655,18 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
83566 .private = &mss,
83567 };
83568
83569+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83570+ if (current->exec_id != m->exec_id) {
83571+ gr_log_badprocpid("smaps");
83572+ return 0;
83573+ }
83574+#endif
83575 memset(&mss, 0, sizeof mss);
83576- /* mmap_sem is held in m_start */
83577- walk_page_vma(vma, &smaps_walk);
83578+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83579+ if (!PAX_RAND_FLAGS(vma->vm_mm))
83580+#endif
83581+ /* mmap_sem is held in m_start */
83582+ walk_page_vma(vma, &smaps_walk);
83583
83584 show_map_vma(m, vma, is_pid);
83585
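Review bot: The `if (!PAX_RAND_FLAGS(vma->vm_mm))` line in show_smap() exists only under CONFIG_GRKERNSEC_PROC_MEMMAP and governs the unbraced walk_page_vma() call that follows the `#endif`, with a comment sitting between the two. A statement inserted ahead of walk_page_vma() would change what the conditional guards in one configuration only. Setting a local flag under the `#ifdef` (false otherwise) and then writing a plain `if (!hide_layout) walk_page_vma(vma, &smaps_walk);` keeps a single control-flow shape for both configurations.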
83586@@ -641,7 +685,11 @@ static int show_smap(struct seq_file *m, void *v, int is_pid)
83587 "KernelPageSize: %8lu kB\n"
83588 "MMUPageSize: %8lu kB\n"
83589 "Locked: %8lu kB\n",
83590+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83591+ PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
83592+#else
83593 (vma->vm_end - vma->vm_start) >> 10,
83594+#endif
83595 mss.resident >> 10,
83596 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
83597 mss.shared_clean >> 10,
83598@@ -1491,6 +1539,13 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
83599 char buffer[64];
83600 int nid;
83601
83602+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83603+ if (current->exec_id != m->exec_id) {
83604+ gr_log_badprocpid("numa_maps");
83605+ return 0;
83606+ }
83607+#endif
83608+
83609 if (!mm)
83610 return 0;
83611
83612@@ -1505,11 +1560,15 @@ static int show_numa_map(struct seq_file *m, void *v, int is_pid)
83613 mpol_to_str(buffer, sizeof(buffer), proc_priv->task_mempolicy);
83614 }
83615
83616+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83617+ seq_printf(m, "%08lx %s", PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : vma->vm_start, buffer);
83618+#else
83619 seq_printf(m, "%08lx %s", vma->vm_start, buffer);
83620+#endif
83621
83622 if (file) {
83623 seq_puts(m, " file=");
83624- seq_file_path(m, file, "\n\t= ");
83625+ seq_file_path(m, file, "\n\t\\= ");
83626 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
83627 seq_puts(m, " heap");
83628 } else {
83629diff --git a/fs/proc/task_nommu.c b/fs/proc/task_nommu.c
83630index e0d64c9..c44c96e 100644
83631--- a/fs/proc/task_nommu.c
83632+++ b/fs/proc/task_nommu.c
83633@@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct mm_struct *mm)
83634 else
83635 bytes += kobjsize(mm);
83636
83637- if (current->fs && current->fs->users > 1)
83638+ if (current->fs && atomic_read(&current->fs->users) > 1)
83639 sbytes += kobjsize(current->fs);
83640 else
83641 bytes += kobjsize(current->fs);
83642@@ -180,7 +180,7 @@ static int nommu_vma_show(struct seq_file *m, struct vm_area_struct *vma,
83643
83644 if (file) {
83645 seq_pad(m, ' ');
83646- seq_file_path(m, file, "");
83647+ seq_file_path(m, file, "\n\\");
83648 } else if (mm) {
83649 pid_t tid = pid_of_stack(priv, vma, is_pid);
83650
83651diff --git a/fs/proc/vmcore.c b/fs/proc/vmcore.c
83652index 4e61388..1a2523d 100644
83653--- a/fs/proc/vmcore.c
83654+++ b/fs/proc/vmcore.c
83655@@ -105,9 +105,13 @@ static ssize_t read_from_oldmem(char *buf, size_t count,
83656 nr_bytes = count;
83657
83658 /* If pfn is not ram, return zeros for sparse dump files */
83659- if (pfn_is_ram(pfn) == 0)
83660- memset(buf, 0, nr_bytes);
83661- else {
83662+ if (pfn_is_ram(pfn) == 0) {
83663+ if (userbuf) {
83664+ if (clear_user((char __force_user *)buf, nr_bytes))
83665+ return -EFAULT;
83666+ } else
83667+ memset(buf, 0, nr_bytes);
83668+ } else {
83669 tmp = copy_oldmem_page(pfn, buf, nr_bytes,
83670 offset, userbuf);
83671 if (tmp < 0)
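Review bot: `buf` in read_from_oldmem() is declared `char *` but holds a user-space pointer whenever `userbuf` is set, which is why the zero-fill path now needs clear_user() and a `__force_user` cast; the function has no comment stating that contract. A note on the parameter, for example `/* @buf: user pointer if @userbuf is non-zero, kernel pointer otherwise */`, would stop the next direct access to `buf` from repeating the problem this hunk fixes. The inner `if (userbuf) { ... } else memset(...)` also mixes a braced arm with an unbraced one, which kernel style asks to brace on both sides.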
83672@@ -170,7 +174,7 @@ int __weak remap_oldmem_pfn_range(struct vm_area_struct *vma,
83673 static int copy_to(void *target, void *src, size_t size, int userbuf)
83674 {
83675 if (userbuf) {
83676- if (copy_to_user((char __user *) target, src, size))
83677+ if (copy_to_user((char __force_user *) target, src, size))
83678 return -EFAULT;
83679 } else {
83680 memcpy(target, src, size);
83681@@ -233,7 +237,7 @@ static ssize_t __read_vmcore(char *buffer, size_t buflen, loff_t *fpos,
83682 if (*fpos < m->offset + m->size) {
83683 tsz = min_t(size_t, m->offset + m->size - *fpos, buflen);
83684 start = m->paddr + *fpos - m->offset;
83685- tmp = read_from_oldmem(buffer, tsz, &start, userbuf);
83686+ tmp = read_from_oldmem((char __force_kernel *)buffer, tsz, &start, userbuf);
83687 if (tmp < 0)
83688 return tmp;
83689 buflen -= tsz;
83690@@ -253,7 +257,7 @@ static ssize_t __read_vmcore(char *buffer, size_t buflen, loff_t *fpos,
83691 static ssize_t read_vmcore(struct file *file, char __user *buffer,
83692 size_t buflen, loff_t *fpos)
83693 {
83694- return __read_vmcore((__force char *) buffer, buflen, fpos, 1);
83695+ return __read_vmcore((__force_kernel char *) buffer, buflen, fpos, 1);
83696 }
83697
83698 /*
83699diff --git a/fs/qnx6/qnx6.h b/fs/qnx6/qnx6.h
83700index d3fb2b6..43a8140 100644
83701--- a/fs/qnx6/qnx6.h
83702+++ b/fs/qnx6/qnx6.h
83703@@ -74,7 +74,7 @@ enum {
83704 BYTESEX_BE,
83705 };
83706
83707-static inline __u64 fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n)
83708+static inline __u64 __intentional_overflow(-1) fs64_to_cpu(struct qnx6_sb_info *sbi, __fs64 n)
83709 {
83710 if (sbi->s_bytesex == BYTESEX_LE)
83711 return le64_to_cpu((__force __le64)n);
83712@@ -90,7 +90,7 @@ static inline __fs64 cpu_to_fs64(struct qnx6_sb_info *sbi, __u64 n)
83713 return (__force __fs64)cpu_to_be64(n);
83714 }
83715
83716-static inline __u32 fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n)
83717+static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct qnx6_sb_info *sbi, __fs32 n)
83718 {
83719 if (sbi->s_bytesex == BYTESEX_LE)
83720 return le32_to_cpu((__force __le32)n);
83721diff --git a/fs/quota/netlink.c b/fs/quota/netlink.c
83722index bb2869f..d34ada8 100644
83723--- a/fs/quota/netlink.c
83724+++ b/fs/quota/netlink.c
83725@@ -44,7 +44,7 @@ static struct genl_family quota_genl_family = {
83726 void quota_send_warning(struct kqid qid, dev_t dev,
83727 const char warntype)
83728 {
83729- static atomic_t seq;
83730+ static atomic_unchecked_t seq;
83731 struct sk_buff *skb;
83732 void *msg_head;
83733 int ret;
83734@@ -60,7 +60,7 @@ void quota_send_warning(struct kqid qid, dev_t dev,
83735 "VFS: Not enough memory to send quota warning.\n");
83736 return;
83737 }
83738- msg_head = genlmsg_put(skb, 0, atomic_add_return(1, &seq),
83739+ msg_head = genlmsg_put(skb, 0, atomic_add_return_unchecked(1, &seq),
83740 &quota_genl_family, 0, QUOTA_NL_C_WARNING);
83741 if (!msg_head) {
83742 printk(KERN_ERR
83743diff --git a/fs/read_write.c b/fs/read_write.c
83744index 819ef3f..f07222d 100644
83745--- a/fs/read_write.c
83746+++ b/fs/read_write.c
83747@@ -505,7 +505,7 @@ ssize_t __kernel_write(struct file *file, const char *buf, size_t count, loff_t
83748
83749 old_fs = get_fs();
83750 set_fs(get_ds());
83751- p = (__force const char __user *)buf;
83752+ p = (const char __force_user *)buf;
83753 if (count > MAX_RW_COUNT)
83754 count = MAX_RW_COUNT;
83755 ret = __vfs_write(file, p, count, pos);
83756diff --git a/fs/readdir.c b/fs/readdir.c
83757index ced6791..936687b 100644
83758--- a/fs/readdir.c
83759+++ b/fs/readdir.c
83760@@ -18,6 +18,7 @@
83761 #include <linux/security.h>
83762 #include <linux/syscalls.h>
83763 #include <linux/unistd.h>
83764+#include <linux/namei.h>
83765
83766 #include <asm/uaccess.h>
83767
83768@@ -71,6 +72,7 @@ struct old_linux_dirent {
83769 struct readdir_callback {
83770 struct dir_context ctx;
83771 struct old_linux_dirent __user * dirent;
83772+ struct file * file;
83773 int result;
83774 };
83775
83776@@ -89,6 +91,10 @@ static int fillonedir(struct dir_context *ctx, const char *name, int namlen,
83777 buf->result = -EOVERFLOW;
83778 return -EOVERFLOW;
83779 }
83780+
83781+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
83782+ return 0;
83783+
83784 buf->result++;
83785 dirent = buf->dirent;
83786 if (!access_ok(VERIFY_WRITE, dirent,
83787@@ -120,6 +126,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned int, fd,
83788 if (!f.file)
83789 return -EBADF;
83790
83791+ buf.file = f.file;
83792 error = iterate_dir(f.file, &buf.ctx);
83793 if (buf.result)
83794 error = buf.result;
83795@@ -145,6 +152,7 @@ struct getdents_callback {
83796 struct dir_context ctx;
83797 struct linux_dirent __user * current_dir;
83798 struct linux_dirent __user * previous;
83799+ struct file * file;
83800 int count;
83801 int error;
83802 };
83803@@ -167,6 +175,10 @@ static int filldir(struct dir_context *ctx, const char *name, int namlen,
83804 buf->error = -EOVERFLOW;
83805 return -EOVERFLOW;
83806 }
83807+
83808+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
83809+ return 0;
83810+
83811 dirent = buf->previous;
83812 if (dirent) {
83813 if (__put_user(offset, &dirent->d_off))
83814@@ -212,6 +224,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, fd,
83815 if (!f.file)
83816 return -EBADF;
83817
83818+ buf.file = f.file;
83819 error = iterate_dir(f.file, &buf.ctx);
83820 if (error >= 0)
83821 error = buf.error;
83822@@ -230,6 +243,7 @@ struct getdents_callback64 {
83823 struct dir_context ctx;
83824 struct linux_dirent64 __user * current_dir;
83825 struct linux_dirent64 __user * previous;
83826+ struct file *file;
83827 int count;
83828 int error;
83829 };
83830@@ -246,6 +260,10 @@ static int filldir64(struct dir_context *ctx, const char *name, int namlen,
83831 buf->error = -EINVAL; /* only used if we fail.. */
83832 if (reclen > buf->count)
83833 return -EINVAL;
83834+
83835+ if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
83836+ return 0;
83837+
83838 dirent = buf->previous;
83839 if (dirent) {
83840 if (__put_user(offset, &dirent->d_off))
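Review bot: The early `return 0;` for a filtered entry in filldir64() comes after `buf->error = -EINVAL;`, so a skipped entry leaves the failure code in place. The getdents64 hunk that follows shows the caller doing `error = buf.error` whenever iterate_dir() succeeds. That is harmless if a later branch replaces the value once an entry has been written (not visible here), but a call in which every remaining entry is filtered writes none and would then return -EINVAL instead of 0. Moving the gr_acl_handle_filldir() check above the `buf->error = -EINVAL;` assignment avoids this; filldir() probably needs the same change, though its assignment is not visible in its hunk.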
83841@@ -293,6 +311,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int, fd,
83842 if (!f.file)
83843 return -EBADF;
83844
83845+ buf.file = f.file;
83846 error = iterate_dir(f.file, &buf.ctx);
83847 if (error >= 0)
83848 error = buf.error;
83849diff --git a/fs/reiserfs/do_balan.c b/fs/reiserfs/do_balan.c
83850index 9c02d96..6562c10 100644
83851--- a/fs/reiserfs/do_balan.c
83852+++ b/fs/reiserfs/do_balan.c
83853@@ -1887,7 +1887,7 @@ void do_balance(struct tree_balance *tb, struct item_head *ih,
83854 return;
83855 }
83856
83857- atomic_inc(&fs_generation(tb->tb_sb));
83858+ atomic_inc_unchecked(&fs_generation(tb->tb_sb));
83859 do_balance_starts(tb);
83860
83861 /*
83862diff --git a/fs/reiserfs/item_ops.c b/fs/reiserfs/item_ops.c
83863index aca73dd..e3c558d 100644
83864--- a/fs/reiserfs/item_ops.c
83865+++ b/fs/reiserfs/item_ops.c
83866@@ -724,18 +724,18 @@ static void errcatch_print_vi(struct virtual_item *vi)
83867 }
83868
83869 static struct item_operations errcatch_ops = {
83870- errcatch_bytes_number,
83871- errcatch_decrement_key,
83872- errcatch_is_left_mergeable,
83873- errcatch_print_item,
83874- errcatch_check_item,
83875+ .bytes_number = errcatch_bytes_number,
83876+ .decrement_key = errcatch_decrement_key,
83877+ .is_left_mergeable = errcatch_is_left_mergeable,
83878+ .print_item = errcatch_print_item,
83879+ .check_item = errcatch_check_item,
83880
83881- errcatch_create_vi,
83882- errcatch_check_left,
83883- errcatch_check_right,
83884- errcatch_part_size,
83885- errcatch_unit_num,
83886- errcatch_print_vi
83887+ .create_vi = errcatch_create_vi,
83888+ .check_left = errcatch_check_left,
83889+ .check_right = errcatch_check_right,
83890+ .part_size = errcatch_part_size,
83891+ .unit_num = errcatch_unit_num,
83892+ .print_vi = errcatch_print_vi
83893 };
83894
83895 #if ! (TYPE_STAT_DATA == 0 && TYPE_INDIRECT == 1 && TYPE_DIRECT == 2 && TYPE_DIRENTRY == 3)
83896diff --git a/fs/reiserfs/procfs.c b/fs/reiserfs/procfs.c
83897index 621b9f3..af527fd 100644
83898--- a/fs/reiserfs/procfs.c
83899+++ b/fs/reiserfs/procfs.c
83900@@ -114,7 +114,7 @@ static int show_super(struct seq_file *m, void *unused)
83901 "SMALL_TAILS " : "NO_TAILS ",
83902 replay_only(sb) ? "REPLAY_ONLY " : "",
83903 convert_reiserfs(sb) ? "CONV " : "",
83904- atomic_read(&r->s_generation_counter),
83905+ atomic_read_unchecked(&r->s_generation_counter),
83906 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
83907 SF(s_do_balance), SF(s_unneeded_left_neighbor),
83908 SF(s_good_search_by_key_reada), SF(s_bmaps),
83909diff --git a/fs/reiserfs/reiserfs.h b/fs/reiserfs/reiserfs.h
83910index 2adcde1..7d27bc8 100644
83911--- a/fs/reiserfs/reiserfs.h
83912+++ b/fs/reiserfs/reiserfs.h
83913@@ -580,7 +580,7 @@ struct reiserfs_sb_info {
83914 /* Comment? -Hans */
83915 wait_queue_head_t s_wait;
83916 /* increased by one every time the tree gets re-balanced */
83917- atomic_t s_generation_counter;
83918+ atomic_unchecked_t s_generation_counter;
83919
83920 /* File system properties. Currently holds on-disk FS format */
83921 unsigned long s_properties;
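Review bot: The comment above `s_generation_counter` still only says when the counter is incremented; now that the field is `atomic_unchecked_t`, it should also record why overflow checking is waived for it. The macros visible in the next hunk (`FILESYSTEM_CHANGED_TB`, `__fs_changed`) compare the value with `!=` only, so wraparound looks harmless. A comment such as `/* bumped on every rebalance; only compared for equality, so wraparound is fine */` would keep that reasoning next to the type. The struct continues outside this hunk.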
83922@@ -2300,7 +2300,7 @@ static inline loff_t max_reiserfs_offset(struct inode *inode)
83923 #define REISERFS_USER_MEM 1 /* user memory mode */
83924
83925 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
83926-#define get_generation(s) atomic_read (&fs_generation(s))
83927+#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
83928 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
83929 #define __fs_changed(gen,s) (gen != get_generation (s))
83930 #define fs_changed(gen,s) \
83931diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c
83932index 4a62fe8..5dc2f5f 100644
83933--- a/fs/reiserfs/super.c
83934+++ b/fs/reiserfs/super.c
83935@@ -1870,6 +1870,10 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent)
83936 sbi->s_mount_opt |= (1 << REISERFS_SMALLTAIL);
83937 sbi->s_mount_opt |= (1 << REISERFS_ERROR_RO);
83938 sbi->s_mount_opt |= (1 << REISERFS_BARRIER_FLUSH);
83939+#ifdef CONFIG_REISERFS_FS_XATTR
83940+ /* turn on user xattrs by default */
83941+ sbi->s_mount_opt |= (1 << REISERFS_XATTRS_USER);
83942+#endif
83943 /* no preallocation minimum, be smart in reiserfs_file_write instead */
83944 sbi->s_alloc_options.preallocmin = 0;
83945 /* Preallocate by 16 blocks (17-1) at once */
83946diff --git a/fs/select.c b/fs/select.c
83947index 0155473..29d751f 100644
83948--- a/fs/select.c
83949+++ b/fs/select.c
83950@@ -20,6 +20,7 @@
83951 #include <linux/export.h>
83952 #include <linux/slab.h>
83953 #include <linux/poll.h>
83954+#include <linux/security.h>
83955 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
83956 #include <linux/file.h>
83957 #include <linux/fdtable.h>
83958@@ -880,6 +881,7 @@ int do_sys_poll(struct pollfd __user *ufds, unsigned int nfds,
83959 struct poll_list *walk = head;
83960 unsigned long todo = nfds;
83961
83962+ gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
83963 if (nfds > rlimit(RLIMIT_NOFILE))
83964 return -EINVAL;
83965
83966diff --git a/fs/seq_file.c b/fs/seq_file.c
83967index ce9e39f..5c5a436 100644
83968--- a/fs/seq_file.c
83969+++ b/fs/seq_file.c
83970@@ -12,6 +12,8 @@
83971 #include <linux/slab.h>
83972 #include <linux/cred.h>
83973 #include <linux/mm.h>
83974+#include <linux/sched.h>
83975+#include <linux/grsecurity.h>
83976
83977 #include <asm/uaccess.h>
83978 #include <asm/page.h>
83979@@ -29,9 +31,9 @@ static void *seq_buf_alloc(unsigned long size)
83980 * __GFP_NORETRY to avoid oom-killings with high-order allocations -
83981 * it's better to fall back to vmalloc() than to kill things.
83982 */
83983- buf = kmalloc(size, GFP_KERNEL | __GFP_NORETRY | __GFP_NOWARN);
83984+ buf = kmalloc(size, GFP_KERNEL | GFP_USERCOPY | __GFP_NORETRY | __GFP_NOWARN);
83985 if (!buf && size > PAGE_SIZE)
83986- buf = vmalloc(size);
83987+ buf = vmalloc_usercopy(size);
83988 return buf;
83989 }
83990
83991@@ -68,6 +70,9 @@ int seq_open(struct file *file, const struct seq_operations *op)
83992 #ifdef CONFIG_USER_NS
83993 p->user_ns = file->f_cred->user_ns;
83994 #endif
83995+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
83996+ p->exec_id = current->exec_id;
83997+#endif
83998
83999 /*
84000 * Wrappers around seq_open(e.g. swaps_open) need to be
84001@@ -90,6 +95,16 @@ int seq_open(struct file *file, const struct seq_operations *op)
84002 }
84003 EXPORT_SYMBOL(seq_open);
84004
84005+
84006+int seq_open_restrict(struct file *file, const struct seq_operations *op)
84007+{
84008+ if (gr_proc_is_restricted())
84009+ return -EACCES;
84010+
84011+ return seq_open(file, op);
84012+}
84013+EXPORT_SYMBOL(seq_open_restrict);
84014+
84015 static int traverse(struct seq_file *m, loff_t offset)
84016 {
84017 loff_t pos = 0, index;
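Review bot: `seq_open_restrict()` is exported without a kernel-doc comment, so its contract is not written down where a caller will look: it returns `-EACCES` when `gr_proc_is_restricted()` is true and otherwise hands off to `seq_open()`. A short block along the lines of `/** seq_open_restrict - seq_open() that refuses restricted callers */` with `@file`, `@op` and the `-EACCES` return would cover it. The same applies to `single_open_restrict()` added further down in this file. Both additions also introduce a doubled blank line.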
84018@@ -161,7 +176,7 @@ Eoverflow:
84019 ssize_t seq_read(struct file *file, char __user *buf, size_t size, loff_t *ppos)
84020 {
84021 struct seq_file *m = file->private_data;
84022- size_t copied = 0;
84023+ ssize_t copied = 0;
84024 loff_t pos;
84025 size_t n;
84026 void *p;
84027@@ -575,7 +590,7 @@ static void single_stop(struct seq_file *p, void *v)
84028 int single_open(struct file *file, int (*show)(struct seq_file *, void *),
84029 void *data)
84030 {
84031- struct seq_operations *op = kmalloc(sizeof(*op), GFP_KERNEL);
84032+ seq_operations_no_const *op = kzalloc(sizeof(*op), GFP_KERNEL);
84033 int res = -ENOMEM;
84034
84035 if (op) {
84036@@ -611,6 +626,17 @@ int single_open_size(struct file *file, int (*show)(struct seq_file *, void *),
84037 }
84038 EXPORT_SYMBOL(single_open_size);
84039
84040+int single_open_restrict(struct file *file, int (*show)(struct seq_file *, void *),
84041+ void *data)
84042+{
84043+ if (gr_proc_is_restricted())
84044+ return -EACCES;
84045+
84046+ return single_open(file, show, data);
84047+}
84048+EXPORT_SYMBOL(single_open_restrict);
84049+
84050+
84051 int single_release(struct inode *inode, struct file *file)
84052 {
84053 const struct seq_operations *op = ((struct seq_file *)file->private_data)->op;
84054diff --git a/fs/splice.c b/fs/splice.c
84055index 5fc1e50..6ae8957 100644
84056--- a/fs/splice.c
84057+++ b/fs/splice.c
84058@@ -192,7 +192,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
84059 pipe_lock(pipe);
84060
84061 for (;;) {
84062- if (!pipe->readers) {
84063+ if (!atomic_read(&pipe->readers)) {
84064 send_sig(SIGPIPE, current, 0);
84065 if (!ret)
84066 ret = -EPIPE;
84067@@ -215,7 +215,7 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
84068 page_nr++;
84069 ret += buf->len;
84070
84071- if (pipe->files)
84072+ if (atomic_read(&pipe->files))
84073 do_wakeup = 1;
84074
84075 if (!--spd->nr_pages)
84076@@ -246,9 +246,9 @@ ssize_t splice_to_pipe(struct pipe_inode_info *pipe,
84077 do_wakeup = 0;
84078 }
84079
84080- pipe->waiting_writers++;
84081+ atomic_inc(&pipe->waiting_writers);
84082 pipe_wait(pipe);
84083- pipe->waiting_writers--;
84084+ atomic_dec(&pipe->waiting_writers);
84085 }
84086
84087 pipe_unlock(pipe);
84088@@ -579,7 +579,7 @@ static ssize_t kernel_readv(struct file *file, const struct iovec *vec,
84089 old_fs = get_fs();
84090 set_fs(get_ds());
84091 /* The cast to a user pointer is valid due to the set_fs() */
84092- res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
84093+ res = vfs_readv(file, (const struct iovec __force_user *)vec, vlen, &pos);
84094 set_fs(old_fs);
84095
84096 return res;
84097@@ -594,7 +594,7 @@ ssize_t kernel_write(struct file *file, const char *buf, size_t count,
84098 old_fs = get_fs();
84099 set_fs(get_ds());
84100 /* The cast to a user pointer is valid due to the set_fs() */
84101- res = vfs_write(file, (__force const char __user *)buf, count, &pos);
84102+ res = vfs_write(file, (const char __force_user *)buf, count, &pos);
84103 set_fs(old_fs);
84104
84105 return res;
84106@@ -647,7 +647,7 @@ ssize_t default_file_splice_read(struct file *in, loff_t *ppos,
84107 goto err;
84108
84109 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
84110- vec[i].iov_base = (void __user *) page_address(page);
84111+ vec[i].iov_base = (void __force_user *) page_address(page);
84112 vec[i].iov_len = this_len;
84113 spd.pages[i] = page;
84114 spd.nr_pages++;
84115@@ -786,7 +786,7 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
84116 ops->release(pipe, buf);
84117 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
84118 pipe->nrbufs--;
84119- if (pipe->files)
84120+ if (atomic_read(&pipe->files))
84121 sd->need_wakeup = true;
84122 }
84123
84124@@ -810,10 +810,10 @@ static int splice_from_pipe_feed(struct pipe_inode_info *pipe, struct splice_des
84125 static int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
84126 {
84127 while (!pipe->nrbufs) {
84128- if (!pipe->writers)
84129+ if (!atomic_read(&pipe->writers))
84130 return 0;
84131
84132- if (!pipe->waiting_writers && sd->num_spliced)
84133+ if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
84134 return 0;
84135
84136 if (sd->flags & SPLICE_F_NONBLOCK)
84137@@ -1028,7 +1028,7 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
84138 ops->release(pipe, buf);
84139 pipe->curbuf = (pipe->curbuf + 1) & (pipe->buffers - 1);
84140 pipe->nrbufs--;
84141- if (pipe->files)
84142+ if (atomic_read(&pipe->files))
84143 sd.need_wakeup = true;
84144 } else {
84145 buf->offset += ret;
84146@@ -1188,7 +1188,7 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
84147 * out of the pipe right after the splice_to_pipe(). So set
84148 * PIPE_READERS appropriately.
84149 */
84150- pipe->readers = 1;
84151+ atomic_set(&pipe->readers, 1);
84152
84153 current->splice_pipe = pipe;
84154 }
84155@@ -1495,6 +1495,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
84156
84157 partial[buffers].offset = off;
84158 partial[buffers].len = plen;
84159+ partial[buffers].private = 0;
84160
84161 off = 0;
84162 len -= plen;
84163@@ -1726,9 +1727,9 @@ static int ipipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
84164 ret = -ERESTARTSYS;
84165 break;
84166 }
84167- if (!pipe->writers)
84168+ if (!atomic_read(&pipe->writers))
84169 break;
84170- if (!pipe->waiting_writers) {
84171+ if (!atomic_read(&pipe->waiting_writers)) {
84172 if (flags & SPLICE_F_NONBLOCK) {
84173 ret = -EAGAIN;
84174 break;
84175@@ -1760,7 +1761,7 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
84176 pipe_lock(pipe);
84177
84178 while (pipe->nrbufs >= pipe->buffers) {
84179- if (!pipe->readers) {
84180+ if (!atomic_read(&pipe->readers)) {
84181 send_sig(SIGPIPE, current, 0);
84182 ret = -EPIPE;
84183 break;
84184@@ -1773,9 +1774,9 @@ static int opipe_prep(struct pipe_inode_info *pipe, unsigned int flags)
84185 ret = -ERESTARTSYS;
84186 break;
84187 }
84188- pipe->waiting_writers++;
84189+ atomic_inc(&pipe->waiting_writers);
84190 pipe_wait(pipe);
84191- pipe->waiting_writers--;
84192+ atomic_dec(&pipe->waiting_writers);
84193 }
84194
84195 pipe_unlock(pipe);
84196@@ -1811,14 +1812,14 @@ retry:
84197 pipe_double_lock(ipipe, opipe);
84198
84199 do {
84200- if (!opipe->readers) {
84201+ if (!atomic_read(&opipe->readers)) {
84202 send_sig(SIGPIPE, current, 0);
84203 if (!ret)
84204 ret = -EPIPE;
84205 break;
84206 }
84207
84208- if (!ipipe->nrbufs && !ipipe->writers)
84209+ if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
84210 break;
84211
84212 /*
84213@@ -1915,7 +1916,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
84214 pipe_double_lock(ipipe, opipe);
84215
84216 do {
84217- if (!opipe->readers) {
84218+ if (!atomic_read(&opipe->readers)) {
84219 send_sig(SIGPIPE, current, 0);
84220 if (!ret)
84221 ret = -EPIPE;
84222@@ -1960,7 +1961,7 @@ static int link_pipe(struct pipe_inode_info *ipipe,
84223 * return EAGAIN if we have the potential of some data in the
84224 * future, otherwise just return 0
84225 */
84226- if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
84227+ if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
84228 ret = -EAGAIN;
84229
84230 pipe_unlock(ipipe);
84231diff --git a/fs/squashfs/xattr.c b/fs/squashfs/xattr.c
84232index e5e0ddf..09598c4 100644
84233--- a/fs/squashfs/xattr.c
84234+++ b/fs/squashfs/xattr.c
84235@@ -46,8 +46,8 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
84236 + msblk->xattr_table;
84237 int offset = SQUASHFS_XATTR_OFFSET(squashfs_i(inode)->xattr);
84238 int count = squashfs_i(inode)->xattr_count;
84239- size_t rest = buffer_size;
84240- int err;
84241+ size_t used = 0;
84242+ ssize_t err;
84243
84244 /* check that the file system has xattrs */
84245 if (msblk->xattr_id_table == NULL)
84246@@ -68,11 +68,11 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
84247 name_size = le16_to_cpu(entry.size);
84248 handler = squashfs_xattr_handler(le16_to_cpu(entry.type));
84249 if (handler)
84250- prefix_size = handler->list(d, buffer, rest, NULL,
84251+ prefix_size = handler->list(d, buffer, buffer ? buffer_size - used : 0, NULL,
84252 name_size, handler->flags);
84253 if (prefix_size) {
84254 if (buffer) {
84255- if (prefix_size + name_size + 1 > rest) {
84256+ if (prefix_size + name_size + 1 > buffer_size - used) {
84257 err = -ERANGE;
84258 goto failed;
84259 }
84260@@ -86,7 +86,7 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
84261 buffer[name_size] = '\0';
84262 buffer += name_size + 1;
84263 }
84264- rest -= prefix_size + name_size + 1;
84265+ used += prefix_size + name_size + 1;
84266 } else {
84267 /* no handler or insuffficient privileges, so skip */
84268 err = squashfs_read_metadata(sb, NULL, &start,
84269@@ -107,7 +107,7 @@ ssize_t squashfs_listxattr(struct dentry *d, char *buffer,
84270 if (err < 0)
84271 goto failed;
84272 }
84273- err = buffer_size - rest;
84274+ err = used;
84275
84276 failed:
84277 return err;
84278diff --git a/fs/stat.c b/fs/stat.c
84279index cccc1aa..7fe8951 100644
84280--- a/fs/stat.c
84281+++ b/fs/stat.c
84282@@ -28,8 +28,13 @@ void generic_fillattr(struct inode *inode, struct kstat *stat)
84283 stat->gid = inode->i_gid;
84284 stat->rdev = inode->i_rdev;
84285 stat->size = i_size_read(inode);
84286- stat->atime = inode->i_atime;
84287- stat->mtime = inode->i_mtime;
84288+ if (is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) {
84289+ stat->atime = inode->i_ctime;
84290+ stat->mtime = inode->i_ctime;
84291+ } else {
84292+ stat->atime = inode->i_atime;
84293+ stat->mtime = inode->i_mtime;
84294+ }
84295 stat->ctime = inode->i_ctime;
84296 stat->blksize = (1 << inode->i_blkbits);
84297 stat->blocks = inode->i_blocks;
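Review bot: The branch that substitutes `i_ctime` for atime and mtime has no comment, and its condition `is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)` is written out here and again in the `vfs_getattr_nosec()` hunk below. A one-line comment such as `/* hide access/modify times on side-channel devices from callers without CAP_MKNOD */` would say what the branch is for, and a small static helper returning that condition would keep the two sites from drifting apart. Presumably a filesystem `getattr` that itself calls `generic_fillattr()` ends up evaluating the check twice, which is harmless but worth a remark. The function body starts and ends outside this hunk.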
84298@@ -52,9 +57,16 @@ EXPORT_SYMBOL(generic_fillattr);
84299 int vfs_getattr_nosec(struct path *path, struct kstat *stat)
84300 {
84301 struct inode *inode = d_backing_inode(path->dentry);
84302+ int retval;
84303
84304- if (inode->i_op->getattr)
84305- return inode->i_op->getattr(path->mnt, path->dentry, stat);
84306+ if (inode->i_op->getattr) {
84307+ retval = inode->i_op->getattr(path->mnt, path->dentry, stat);
84308+ if (!retval && is_sidechannel_device(inode) && !capable_nolog(CAP_MKNOD)) {
84309+ stat->atime = stat->ctime;
84310+ stat->mtime = stat->ctime;
84311+ }
84312+ return retval;
84313+ }
84314
84315 generic_fillattr(inode, stat);
84316 return 0;
84317diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
84318index 94374e4..b5da3a1 100644
84319--- a/fs/sysfs/dir.c
84320+++ b/fs/sysfs/dir.c
84321@@ -33,6 +33,10 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name)
84322 kfree(buf);
84323 }
84324
84325+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
84326+extern int grsec_enable_sysfs_restrict;
84327+#endif
84328+
84329 /**
84330 * sysfs_create_dir_ns - create a directory for an object with a namespace tag
84331 * @kobj: object we're creating directory for
84332@@ -41,9 +45,16 @@ void sysfs_warn_dup(struct kernfs_node *parent, const char *name)
84333 int sysfs_create_dir_ns(struct kobject *kobj, const void *ns)
84334 {
84335 struct kernfs_node *parent, *kn;
84336+ const char *name;
84337+ umode_t mode = S_IRWXU | S_IRUGO | S_IXUGO;
84338+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
84339+ const char *parent_name;
84340+#endif
84341
84342 BUG_ON(!kobj);
84343
84344+ name = kobject_name(kobj);
84345+
84346 if (kobj->parent)
84347 parent = kobj->parent->sd;
84348 else
84349@@ -52,11 +63,24 @@ int sysfs_create_dir_ns(struct kobject *kobj, const void *ns)
84350 if (!parent)
84351 return -ENOENT;
84352
84353- kn = kernfs_create_dir_ns(parent, kobject_name(kobj),
84354- S_IRWXU | S_IRUGO | S_IXUGO, kobj, ns);
84355+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
84356+ parent_name = parent->name;
84357+ mode = S_IRWXU;
84358+
84359+ if ((!strcmp(parent_name, "") && (!strcmp(name, "devices") || !strcmp(name, "fs"))) ||
84360+ (!strcmp(parent_name, "devices") && !strcmp(name, "system")) ||
84361+ (!strcmp(parent_name, "fs") && (!strcmp(name, "selinux") || !strcmp(name, "fuse") || !strcmp(name, "ecryptfs"))) ||
84362+ (!strcmp(parent_name, "system") && !strcmp(name, "cpu")))
84363+ mode = S_IRWXU | S_IRUGO | S_IXUGO;
84364+ if (!grsec_enable_sysfs_restrict)
84365+ mode = S_IRWXU | S_IRUGO | S_IXUGO;
84366+#endif
84367+
84368+ kn = kernfs_create_dir_ns(parent, name,
84369+ mode, kobj, ns);
84370 if (IS_ERR(kn)) {
84371 if (PTR_ERR(kn) == -EEXIST)
84372- sysfs_warn_dup(parent, kobject_name(kobj));
84373+ sysfs_warn_dup(parent, name);
84374 return PTR_ERR(kn);
84375 }
84376
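Review bot: The allowlist that decides which sysfs directories keep mode 0755 is a four-way `strcmp` chain on the immediate parent's name and the new directory's name, which is hard to audit and matches by name pair rather than by position in the tree; as far as this hunk shows, a kobject named `system` under any parent named `devices` would keep the open mode as well. The runtime switch `grsec_enable_sysfs_restrict` is also tested last, after `mode` has already been narrowed and the strings compared. Moving the list into a small helper with a comment naming the paths it is meant to cover, and testing the switch first, makes the policy readable without changing the resulting mode; the `parent_name` local from the earlier hunk then becomes unnecessary. `sysfs_create_dir_ns()` starts and ends outside this hunk.

```c
#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
/* Directories that stay world-readable while sysfs restriction is enabled. */
static bool sysfs_dir_stays_public(const char *parent_name, const char *name)
{
	if (!strcmp(parent_name, ""))
		return !strcmp(name, "devices") || !strcmp(name, "fs");
	if (!strcmp(parent_name, "devices"))
		return !strcmp(name, "system");
	if (!strcmp(parent_name, "fs"))
		return !strcmp(name, "selinux") || !strcmp(name, "fuse") ||
		       !strcmp(name, "ecryptfs");
	if (!strcmp(parent_name, "system"))
		return !strcmp(name, "cpu");
	return false;
}
#endif

/* … unchanged: kobj check and parent lookup in sysfs_create_dir_ns … */

#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
	if (grsec_enable_sysfs_restrict &&
	    !sysfs_dir_stays_public(parent->name, name))
		mode = S_IRWXU;
#endif

	kn = kernfs_create_dir_ns(parent, name, mode, kobj, ns);
```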
84377diff --git a/fs/sysv/sysv.h b/fs/sysv/sysv.h
84378index 6c21228..9afd5fe 100644
84379--- a/fs/sysv/sysv.h
84380+++ b/fs/sysv/sysv.h
84381@@ -187,7 +187,7 @@ static inline u32 PDP_swab(u32 x)
84382 #endif
84383 }
84384
84385-static inline __u32 fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n)
84386+static inline __u32 __intentional_overflow(-1) fs32_to_cpu(struct sysv_sb_info *sbi, __fs32 n)
84387 {
84388 if (sbi->s_bytesex == BYTESEX_PDP)
84389 return PDP_swab((__force __u32)n);
84390diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
84391index cbc8d5d..56d2600 100644
84392--- a/fs/tracefs/inode.c
84393+++ b/fs/tracefs/inode.c
84394@@ -53,7 +53,7 @@ static const struct file_operations tracefs_file_operations = {
84395 static struct tracefs_dir_ops {
84396 int (*mkdir)(const char *name);
84397 int (*rmdir)(const char *name);
84398-} tracefs_ops;
84399+} __no_const tracefs_ops __read_only;
84400
84401 static char *get_dname(struct dentry *dentry)
84402 {
84403@@ -490,8 +490,10 @@ struct dentry *tracefs_create_instance_dir(const char *name, struct dentry *pare
84404 if (!dentry)
84405 return NULL;
84406
84407- tracefs_ops.mkdir = mkdir;
84408- tracefs_ops.rmdir = rmdir;
84409+ pax_open_kernel();
84410+ *(void **)&tracefs_ops.mkdir = mkdir;
84411+ *(void **)&tracefs_ops.rmdir = rmdir;
84412+ pax_close_kernel();
84413
84414 return dentry;
84415 }
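Review bot: The two stores through `*(void **)&tracefs_ops.mkdir` and `.rmdir` carry no comment, and nothing here says why they are bracketed by `pax_open_kernel()` and `pax_close_kernel()`; presumably it is because `tracefs_ops` is marked `__read_only` in the earlier hunk. A comment such as `/* tracefs_ops is __read_only; write protection is lifted only for these two stores */` above the pair would explain the bracket and discourage adding anything else inside it. The `void **` cast also discards the function-pointer type check that the plain assignment had, so a callback with the wrong signature would no longer be diagnosed at this line. The function starts outside this hunk.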
84416diff --git a/fs/udf/misc.c b/fs/udf/misc.c
84417index 71d1c25..084e2ad 100644
84418--- a/fs/udf/misc.c
84419+++ b/fs/udf/misc.c
84420@@ -288,7 +288,7 @@ void udf_new_tag(char *data, uint16_t ident, uint16_t version, uint16_t snum,
84421
84422 u8 udf_tag_checksum(const struct tag *t)
84423 {
84424- u8 *data = (u8 *)t;
84425+ const u8 *data = (const u8 *)t;
84426 u8 checksum = 0;
84427 int i;
84428 for (i = 0; i < sizeof(struct tag); ++i)
84429diff --git a/fs/ufs/swab.h b/fs/ufs/swab.h
84430index 8d974c4..b82f6ec 100644
84431--- a/fs/ufs/swab.h
84432+++ b/fs/ufs/swab.h
84433@@ -22,7 +22,7 @@ enum {
84434 BYTESEX_BE
84435 };
84436
84437-static inline u64
84438+static inline u64 __intentional_overflow(-1)
84439 fs64_to_cpu(struct super_block *sbp, __fs64 n)
84440 {
84441 if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE)
84442@@ -40,7 +40,7 @@ cpu_to_fs64(struct super_block *sbp, u64 n)
84443 return (__force __fs64)cpu_to_be64(n);
84444 }
84445
84446-static inline u32
84447+static inline u32 __intentional_overflow(-1)
84448 fs32_to_cpu(struct super_block *sbp, __fs32 n)
84449 {
84450 if (UFS_SB(sbp)->s_bytesex == BYTESEX_LE)
84451diff --git a/fs/utimes.c b/fs/utimes.c
84452index aa138d6..5f3a811 100644
84453--- a/fs/utimes.c
84454+++ b/fs/utimes.c
84455@@ -1,6 +1,7 @@
84456 #include <linux/compiler.h>
84457 #include <linux/file.h>
84458 #include <linux/fs.h>
84459+#include <linux/security.h>
84460 #include <linux/linkage.h>
84461 #include <linux/mount.h>
84462 #include <linux/namei.h>
84463@@ -103,6 +104,12 @@ static int utimes_common(struct path *path, struct timespec *times)
84464 }
84465 }
84466 retry_deleg:
84467+
84468+ if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
84469+ error = -EACCES;
84470+ goto mnt_drop_write_and_out;
84471+ }
84472+
84473 mutex_lock(&inode->i_mutex);
84474 error = notify_change(path->dentry, &newattrs, &delegated_inode);
84475 mutex_unlock(&inode->i_mutex);
84476diff --git a/fs/xattr.c b/fs/xattr.c
84477index 072fee1..9e497b0 100644
84478--- a/fs/xattr.c
84479+++ b/fs/xattr.c
84480@@ -227,6 +227,27 @@ int vfs_xattr_cmp(struct dentry *dentry, const char *xattr_name,
84481 return rc;
84482 }
84483
84484+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
84485+ssize_t
84486+pax_getxattr(struct dentry *dentry, void *value, size_t size)
84487+{
84488+ struct inode *inode = dentry->d_inode;
84489+ ssize_t error;
84490+
84491+ error = inode_permission(inode, MAY_EXEC);
84492+ if (error)
84493+ return error;
84494+
84495+ if (inode->i_op->getxattr)
84496+ error = inode->i_op->getxattr(dentry, XATTR_NAME_PAX_FLAGS, value, size);
84497+ else
84498+ error = -EOPNOTSUPP;
84499+
84500+ return error;
84501+}
84502+EXPORT_SYMBOL(pax_getxattr);
84503+#endif
84504+
84505 ssize_t
84506 vfs_getxattr(struct dentry *dentry, const char *name, void *value, size_t size)
84507 {
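Review bot: `pax_getxattr()` is exported but undocumented, and it differs from `vfs_getxattr()` directly below it in ways a caller should know: it gates on `inode_permission(inode, MAY_EXEC)` and then calls `i_op->getxattr` itself for `XATTR_NAME_PAX_FLAGS`. Whether that deliberately bypasses the checks of the generic path cannot be told from this hunk, so the header comment should state it, for example `/* kernel-internal read of the PaX flags xattr; requires exec permission only, not a general xattr accessor */`. It also reads `dentry->d_inode` directly, while `vfs_getattr_nosec()` elsewhere in this patch goes through `d_backing_inode()`; if the difference is intended, that deserves a word too.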
84508@@ -319,7 +340,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
84509 * Extended attribute SET operations
84510 */
84511 static long
84512-setxattr(struct dentry *d, const char __user *name, const void __user *value,
84513+setxattr(struct path *path, const char __user *name, const void __user *value,
84514 size_t size, int flags)
84515 {
84516 int error;
84517@@ -355,7 +376,12 @@ setxattr(struct dentry *d, const char __user *name, const void __user *value,
84518 posix_acl_fix_xattr_from_user(kvalue, size);
84519 }
84520
84521- error = vfs_setxattr(d, kname, kvalue, size, flags);
84522+ if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
84523+ error = -EACCES;
84524+ goto out;
84525+ }
84526+
84527+ error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
84528 out:
84529 if (vvalue)
84530 vfree(vvalue);
84531@@ -376,7 +402,7 @@ retry:
84532 return error;
84533 error = mnt_want_write(path.mnt);
84534 if (!error) {
84535- error = setxattr(path.dentry, name, value, size, flags);
84536+ error = setxattr(&path, name, value, size, flags);
84537 mnt_drop_write(path.mnt);
84538 }
84539 path_put(&path);
84540@@ -412,7 +438,7 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name,
84541 audit_file(f.file);
84542 error = mnt_want_write_file(f.file);
84543 if (!error) {
84544- error = setxattr(f.file->f_path.dentry, name, value, size, flags);
84545+ error = setxattr(&f.file->f_path, name, value, size, flags);
84546 mnt_drop_write_file(f.file);
84547 }
84548 fdput(f);
84549@@ -598,7 +624,7 @@ SYSCALL_DEFINE3(flistxattr, int, fd, char __user *, list, size_t, size)
84550 * Extended attribute REMOVE operations
84551 */
84552 static long
84553-removexattr(struct dentry *d, const char __user *name)
84554+removexattr(struct path *path, const char __user *name)
84555 {
84556 int error;
84557 char kname[XATTR_NAME_MAX + 1];
84558@@ -609,7 +635,10 @@ removexattr(struct dentry *d, const char __user *name)
84559 if (error < 0)
84560 return error;
84561
84562- return vfs_removexattr(d, kname);
84563+ if (!gr_acl_handle_removexattr(path->dentry, path->mnt))
84564+ return -EACCES;
84565+
84566+ return vfs_removexattr(path->dentry, kname);
84567 }
84568
84569 static int path_removexattr(const char __user *pathname,
84570@@ -623,7 +652,7 @@ retry:
84571 return error;
84572 error = mnt_want_write(path.mnt);
84573 if (!error) {
84574- error = removexattr(path.dentry, name);
84575+ error = removexattr(&path, name);
84576 mnt_drop_write(path.mnt);
84577 }
84578 path_put(&path);
84579@@ -649,14 +678,16 @@ SYSCALL_DEFINE2(lremovexattr, const char __user *, pathname,
84580 SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name)
84581 {
84582 struct fd f = fdget(fd);
84583+ struct path *path;
84584 int error = -EBADF;
84585
84586 if (!f.file)
84587 return error;
84588+ path = &f.file->f_path;
84589 audit_file(f.file);
84590 error = mnt_want_write_file(f.file);
84591 if (!error) {
84592- error = removexattr(f.file->f_path.dentry, name);
84593+ error = removexattr(path, name);
84594 mnt_drop_write_file(f.file);
84595 }
84596 fdput(f);
84597diff --git a/fs/xfs/libxfs/xfs_bmap.c b/fs/xfs/libxfs/xfs_bmap.c
84598index 63e05b6..249b043 100644
84599--- a/fs/xfs/libxfs/xfs_bmap.c
84600+++ b/fs/xfs/libxfs/xfs_bmap.c
84601@@ -554,7 +554,7 @@ xfs_bmap_validate_ret(
84602
84603 #else
84604 #define xfs_bmap_check_leaf_extents(cur, ip, whichfork) do { } while (0)
84605-#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
84606+#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do { } while (0)
84607 #endif /* DEBUG */
84608
84609 /*
84610diff --git a/fs/xfs/xfs_dir2_readdir.c b/fs/xfs/xfs_dir2_readdir.c
84611index 098cd78..724d3f8 100644
84612--- a/fs/xfs/xfs_dir2_readdir.c
84613+++ b/fs/xfs/xfs_dir2_readdir.c
84614@@ -140,7 +140,12 @@ xfs_dir2_sf_getdents(
84615 ino = dp->d_ops->sf_get_ino(sfp, sfep);
84616 filetype = dp->d_ops->sf_get_ftype(sfep);
84617 ctx->pos = off & 0x7fffffff;
84618- if (!dir_emit(ctx, (char *)sfep->name, sfep->namelen, ino,
84619+ if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
84620+ char name[sfep->namelen];
84621+ memcpy(name, sfep->name, sfep->namelen);
84622+ if (!dir_emit(ctx, name, sfep->namelen, ino, xfs_dir3_get_dtype(dp->i_mount, filetype)))
84623+ return 0;
84624+ } else if (!dir_emit(ctx, (char *)sfep->name, sfep->namelen, ino,
84625 xfs_dir3_get_dtype(dp->i_mount, filetype)))
84626 return 0;
84627 sfep = dp->d_ops->sf_nextentry(sfp, sfep);
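Review bot: `char name[sfep->namelen];` is a variable-length array on the kernel stack, and a `namelen` of zero would make it a zero-length VLA, which ISO C leaves undefined. A fixed buffer sized to the longest name the filesystem allows (`MAXNAMELEN`, if it is in scope in this file) avoids both. The branch has no comment saying why names held in `if_inline_data` are copied before `dir_emit()` while others are not, and the `dir_emit()` call is now written out twice; selecting the name pointer first and calling `dir_emit()` once keeps the two paths identical. The loop this sits in starts outside the hunk.

```c
		const char *name = (char *)sfep->name;
		char namebuf[MAXNAMELEN];

		/* names held in if_inline_data are emitted from a stack copy */
		if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
			memcpy(namebuf, sfep->name, sfep->namelen);
			name = namebuf;
		}
		if (!dir_emit(ctx, name, sfep->namelen, ino,
			    xfs_dir3_get_dtype(dp->i_mount, filetype)))
			return 0;
		/* … unchanged: advance to the next entry with sf_nextentry … */
```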
84628diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c
84629index ea7d85a..6d4b24b 100644
84630--- a/fs/xfs/xfs_ioctl.c
84631+++ b/fs/xfs/xfs_ioctl.c
84632@@ -120,7 +120,7 @@ xfs_find_handle(
84633 }
84634
84635 error = -EFAULT;
84636- if (copy_to_user(hreq->ohandle, &handle, hsize) ||
84637+ if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
84638 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
84639 goto out_put;
84640
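Review bot: The new `hsize > sizeof handle` guard shares the `-EFAULT` exit with the two `copy_to_user()` failures, so an internal size mismatch would reach the caller looking like a bad user pointer and leave no trace in the log. If `hsize` can never exceed the handle in a correct build, `if (WARN_ON_ONCE(hsize > sizeof(handle)))` with its own error code ahead of the copy states that invariant explicitly; if it can, the condition needs a comment saying how. Bounding the copy by the size of `handle` is the right check to have before `copy_to_user()`. The spelling `sizeof handle` also differs from `sizeof(__s32)` on the following line. The function starts and ends outside this hunk.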
84641diff --git a/fs/xfs/xfs_linux.h b/fs/xfs/xfs_linux.h
84642index 85f883d..db6eecc 100644
84643--- a/fs/xfs/xfs_linux.h
84644+++ b/fs/xfs/xfs_linux.h
84645@@ -211,7 +211,7 @@ static inline kgid_t xfs_gid_to_kgid(__uint32_t gid)
84646 * of the compiler which do not like us using do_div in the middle
84647 * of large functions.
84648 */
84649-static inline __u32 xfs_do_div(void *a, __u32 b, int n)
84650+static inline __u32 __intentional_overflow(-1) xfs_do_div(void *a, __u32 b, int n)
84651 {
84652 __u32 mod;
84653
84654@@ -267,7 +267,7 @@ static inline __u32 xfs_do_mod(void *a, __u32 b, int n)
84655 return 0;
84656 }
84657 #else
84658-static inline __u32 xfs_do_div(void *a, __u32 b, int n)
84659+static inline __u32 __intentional_overflow(-1) xfs_do_div(void *a, __u32 b, int n)
84660 {
84661 __u32 mod;
84662
84663diff --git a/grsecurity/Kconfig b/grsecurity/Kconfig
84664new file mode 100644
84665index 0000000..31f8fe4
84666--- /dev/null
84667+++ b/grsecurity/Kconfig
84668@@ -0,0 +1,1182 @@
84669+#
84670+# grecurity configuration
84671+#
84672+menu "Memory Protections"
84673+depends on GRKERNSEC
84674+
84675+config GRKERNSEC_KMEM
84676+ bool "Deny reading/writing to /dev/kmem, /dev/mem, and /dev/port"
84677+ default y if GRKERNSEC_CONFIG_AUTO
84678+ select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
84679+ help
84680+ If you say Y here, /dev/kmem and /dev/mem won't be allowed to
84681+ be written to or read from to modify or leak the contents of the running
84682+ kernel. /dev/port will also not be allowed to be opened, writing to
84683+ /dev/cpu/*/msr will be prevented, and support for kexec will be removed.
84684+ If you have module support disabled, enabling this will close up several
84685+ ways that are currently used to insert malicious code into the running
84686+ kernel.
84687+
84688+ Even with this feature enabled, we still highly recommend that
84689+ you use the RBAC system, as it is still possible for an attacker to
84690+ modify the running kernel through other more obscure methods.
84691+
84692+ It is highly recommended that you say Y here if you meet all the
84693+ conditions above.
84694+
84695+config GRKERNSEC_VM86
84696+ bool "Restrict VM86 mode"
84697+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
84698+ depends on X86_32
84699+
84700+ help
84701+ If you say Y here, only processes with CAP_SYS_RAWIO will be able to
84702+ make use of a special execution mode on 32bit x86 processors called
84703+ Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
84704+ video cards and will still work with this option enabled. The purpose
84705+ of the option is to prevent exploitation of emulation errors in
84706+ virtualization of vm86 mode like the one discovered in VMWare in 2009.
84707+ Nearly all users should be able to enable this option.
84708+
84709+config GRKERNSEC_IO
84710+ bool "Disable privileged I/O"
84711+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
84712+ depends on X86
84713+ select RTC_CLASS
84714+ select RTC_INTF_DEV
84715+ select RTC_DRV_CMOS
84716+
84717+ help
84718+ If you say Y here, all ioperm and iopl calls will return an error.
84719+ Ioperm and iopl can be used to modify the running kernel.
84720+ Unfortunately, some programs need this access to operate properly,
84721+ the most notable of which are XFree86 and hwclock. hwclock can be
84722+ remedied by having RTC support in the kernel, so real-time
84723+ clock support is enabled if this option is enabled, to ensure
84724+ that hwclock operates correctly. If hwclock still does not work,
84725+ either update udev or symlink /dev/rtc to /dev/rtc0.
84726+
84727+ If you're using XFree86 or a version of Xorg from 2012 or earlier,
84728+ you may not be able to boot into a graphical environment with this
84729+ option enabled. In this case, you should use the RBAC system instead.
84730+
84731+config GRKERNSEC_BPF_HARDEN
84732+ bool "Harden BPF interpreter"
84733+ default y if GRKERNSEC_CONFIG_AUTO
84734+ help
84735+ Unlike previous versions of grsecurity that hardened both the BPF
84736+ interpreted code against corruption at rest as well as the JIT code
84737+ against JIT-spray attacks and attacker-controlled immediate values
84738+ for ROP, this feature will enforce disabling of the new eBPF JIT engine
84739+ and will ensure the interpreted code is read-only at rest. This feature
84740+ may be removed at a later time when eBPF stabilizes to entirely revert
84741+ back to the more secure pre-3.16 BPF interpreter/JIT.
84742+
84743+ If you're using KERNEXEC, it's recommended that you enable this option
84744+ to supplement the hardening of the kernel.
84745+
84746+config GRKERNSEC_PERF_HARDEN
84747+ bool "Disable unprivileged PERF_EVENTS usage by default"
84748+ default y if GRKERNSEC_CONFIG_AUTO
84749+ depends on PERF_EVENTS
84750+ help
84751+ If you say Y here, the range of acceptable values for the
84752+ /proc/sys/kernel/perf_event_paranoid sysctl will be expanded to allow and
84753+ default to a new value: 3. When the sysctl is set to this value, no
84754+ unprivileged use of the PERF_EVENTS syscall interface will be permitted.
84755+
84756+ Though PERF_EVENTS can be used legitimately for performance monitoring
84757+ and low-level application profiling, it is forced on regardless of
84758+ configuration, has been at fault for several vulnerabilities, and
84759+ creates new opportunities for side channels and other information leaks.
84760+
84761+ This feature puts PERF_EVENTS into a secure default state and permits
84762+ the administrator to change out of it temporarily if unprivileged
84763+ application profiling is needed.
84764+
84765+config GRKERNSEC_RAND_THREADSTACK
84766+ bool "Insert random gaps between thread stacks"
84767+ default y if GRKERNSEC_CONFIG_AUTO
84768+ depends on PAX_RANDMMAP && !PPC
84769+ help
84770+ If you say Y here, a random-sized gap will be enforced between allocated
84771+ thread stacks. Glibc's NPTL and other threading libraries that
84772+ pass MAP_STACK to the kernel for thread stack allocation are supported.
84773+ The implementation currently provides 8 bits of entropy for the gap.
84774+
84775+ Many distributions do not compile threaded remote services with the
84776+ -fstack-check argument to GCC, causing the variable-sized stack-based
84777+ allocator, alloca(), to not probe the stack on allocation. This
84778+ permits an unbounded alloca() to skip over any guard page and potentially
84779+ modify another thread's stack reliably. An enforced random gap
84780+ reduces the reliability of such an attack and increases the chance
84781+ that such a read/write to another thread's stack instead lands in
84782+ an unmapped area, causing a crash and triggering grsecurity's
84783+ anti-bruteforcing logic.
84784+
84785+config GRKERNSEC_PROC_MEMMAP
84786+ bool "Harden ASLR against information leaks and entropy reduction"
84787+ default y if (GRKERNSEC_CONFIG_AUTO || PAX_NOEXEC || PAX_ASLR)
84788+ depends on PAX_NOEXEC || PAX_ASLR
84789+ help
84790+ If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
84791+ give no information about the addresses of its mappings if
84792+ PaX features that rely on random addresses are enabled on the task.
84793+ In addition to sanitizing this information and disabling other
84794+ dangerous sources of information, this option causes reads of sensitive
84795+ /proc/<pid> entries where the file descriptor was opened in a different
84796+ task than the one performing the read. Such attempts are logged.
84797+ This option also limits argv/env strings for suid/sgid binaries
84798+ to 512KB to prevent a complete exhaustion of the stack entropy provided
84799+ by ASLR. Finally, it places an 8MB stack resource limit on suid/sgid
84800+ binaries to prevent alternative mmap layouts from being abused.
84801+
84802+ If you use PaX it is essential that you say Y here as it closes up
84803+ several holes that make full ASLR useless locally.
84804+
84805+
84806+config GRKERNSEC_KSTACKOVERFLOW
84807+ bool "Prevent kernel stack overflows"
84808+ default y if GRKERNSEC_CONFIG_AUTO
84809+ depends on !IA64 && 64BIT
84810+ help
84811+ If you say Y here, the kernel's process stacks will be allocated
84812+ with vmalloc instead of the kernel's default allocator. This
84813+ introduces guard pages that in combination with the alloca checking
84814+ of the STACKLEAK feature prevents all forms of kernel process stack
84815+ overflow abuse. Note that this is different from kernel stack
84816+ buffer overflows.
84817+
84818+config GRKERNSEC_BRUTE
84819+ bool "Deter exploit bruteforcing"
84820+ default y if GRKERNSEC_CONFIG_AUTO
84821+ help
84822+ If you say Y here, attempts to bruteforce exploits against forking
84823+ daemons such as apache or sshd, as well as against suid/sgid binaries
84824+ will be deterred. When a child of a forking daemon is killed by PaX
84825+ or crashes due to an illegal instruction or other suspicious signal,
84826+ the parent process will be delayed 30 seconds upon every subsequent
84827+ fork until the administrator is able to assess the situation and
84828+ restart the daemon.
84829+ In the suid/sgid case, the attempt is logged, the user has all their
84830+ existing instances of the suid/sgid binary terminated and will
84831+ be unable to execute any suid/sgid binaries for 15 minutes.
84832+
84833+ It is recommended that you also enable signal logging in the auditing
84834+ section so that logs are generated when a process triggers a suspicious
84835+ signal.
84836+ If the sysctl option is enabled, a sysctl option with name
84837+ "deter_bruteforce" is created.
84838+
84839+config GRKERNSEC_MODHARDEN
84840+ bool "Harden module auto-loading"
84841+ default y if GRKERNSEC_CONFIG_AUTO
84842+ depends on MODULES
84843+ help
84844+ If you say Y here, module auto-loading in response to use of some
84845+ feature implemented by an unloaded module will be restricted to
84846+ root users. Enabling this option helps defend against attacks
84847+ by unprivileged users who abuse the auto-loading behavior to
84848+ cause a vulnerable module to load that is then exploited.
84849+
84850+ If this option prevents a legitimate use of auto-loading for a
84851+ non-root user, the administrator can execute modprobe manually
84852+ with the exact name of the module mentioned in the alert log.
84853+ Alternatively, the administrator can add the module to the list
84854+ of modules loaded at boot by modifying init scripts.
84855+
84856+ Modification of init scripts will most likely be needed on
84857+ Ubuntu servers with encrypted home directory support enabled,
84858+ as the first non-root user logging in will cause the ecb(aes),
84859+ ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
84860+
84861+config GRKERNSEC_HIDESYM
84862+ bool "Hide kernel symbols"
84863+ default y if GRKERNSEC_CONFIG_AUTO
84864+ select PAX_USERCOPY_SLABS
84865+ help
84866+ If you say Y here, getting information on loaded modules, and
84867+ displaying all kernel symbols through a syscall will be restricted
84868+ to users with CAP_SYS_MODULE. For software compatibility reasons,
84869+ /proc/kallsyms will be restricted to the root user. The RBAC
84870+ system can hide that entry even from root.
84871+
84872+ This option also prevents leaking of kernel addresses through
84873+ several /proc entries.
84874+
84875+ Note that this option is only effective provided the following
84876+ conditions are met:
84877+ 1) The kernel using grsecurity is not precompiled by some distribution
84878+ 2) You have also enabled GRKERNSEC_DMESG
84879+ 3) You are using the RBAC system and hiding other files such as your
84880+ kernel image and System.map. Alternatively, enabling this option
84881+ causes the permissions on /boot, /lib/modules, and the kernel
84882+ source directory to change at compile time to prevent
84883+ reading by non-root users.
84884+ If the above conditions are met, this option will aid in providing a
84885+ useful protection against local kernel exploitation of overflows
84886+ and arbitrary read/write vulnerabilities.
84887+
84888+ It is highly recommended that you enable GRKERNSEC_PERF_HARDEN
84889+ in addition to this feature.
84890+
84891+config GRKERNSEC_RANDSTRUCT
84892+ bool "Randomize layout of sensitive kernel structures"
84893+ default y if GRKERNSEC_CONFIG_AUTO
84894+ select GRKERNSEC_HIDESYM
84895+ select MODVERSIONS if MODULES
84896+ help
84897+ If you say Y here, the layouts of a number of sensitive kernel
84898+ structures (task, fs, cred, etc) and all structures composed entirely
84899+ of function pointers (aka "ops" structs) will be randomized at compile-time.
84900+ This can introduce the requirement of an additional infoleak
84901+ vulnerability for exploits targeting these structure types.
84902+
84903+ Enabling this feature will introduce some performance impact, slightly
84904+ increase memory usage, and prevent the use of forensic tools like
84905+ Volatility against the system (unless the kernel source tree isn't
84906+ cleaned after kernel installation).
84907+
84908+ The seed used for compilation is located at tools/gcc/randomize_layout_seed.h.
84909+ It remains after a make clean to allow for external modules to be compiled
84910+ with the existing seed and will be removed by a make mrproper or
84911+ make distclean.
84912+
84913+ Note that the implementation requires gcc 4.6.4. or newer. You may need
84914+ to install the supporting headers explicitly in addition to the normal
84915+ gcc package.
84916+
84917+config GRKERNSEC_RANDSTRUCT_PERFORMANCE
84918+ bool "Use cacheline-aware structure randomization"
84919+ depends on GRKERNSEC_RANDSTRUCT
84920+ default y if GRKERNSEC_CONFIG_PRIORITY_PERF
84921+ help
84922+ If you say Y here, the RANDSTRUCT randomization will make a best effort
84923+ at restricting randomization to cacheline-sized groups of elements. It
84924+ will further not randomize bitfields in structures. This reduces the
84925+ performance hit of RANDSTRUCT at the cost of weakened randomization.
84926+
84927+config GRKERNSEC_KERN_LOCKOUT
84928+ bool "Active kernel exploit response"
84929+ default y if GRKERNSEC_CONFIG_AUTO
84930+ depends on X86 || ARM || PPC || SPARC
84931+ help
84932+ If you say Y here, when a PaX alert is triggered due to suspicious
84933+ activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
84934+ or an OOPS occurs due to bad memory accesses, instead of just
84935+ terminating the offending process (and potentially allowing
84936+ a subsequent exploit from the same user), we will take one of two
84937+ actions:
84938+ If the user was root, we will panic the system
84939+ If the user was non-root, we will log the attempt, terminate
84940+ all processes owned by the user, then prevent them from creating
84941+ any new processes until the system is restarted
84942+ This deters repeated kernel exploitation/bruteforcing attempts
84943+ and is useful for later forensics.
84944+
84945+config GRKERNSEC_OLD_ARM_USERLAND
84946+ bool "Old ARM userland compatibility"
84947+ depends on ARM && (CPU_V6 || CPU_V6K || CPU_V7)
84948+ help
84949+ If you say Y here, stubs of executable code to perform such operations
84950+ as "compare-exchange" will be placed at fixed locations in the ARM vector
84951+ table. This is unfortunately needed for old ARM userland meant to run
84952+ across a wide range of processors. Without this option enabled,
84953+ the get_tls and data memory barrier stubs will be emulated by the kernel,
84954+ which is enough for Linaro userlands or other userlands designed for v6
84955+ and newer ARM CPUs. It's recommended that you try without this option enabled
84956+ first, and only enable it if your userland does not boot (it will likely fail
84957+ at init time).
84958+
84959+endmenu
84960+menu "Role Based Access Control Options"
84961+depends on GRKERNSEC
84962+
84963+config GRKERNSEC_RBAC_DEBUG
84964+ bool
84965+
84966+config GRKERNSEC_NO_RBAC
84967+ bool "Disable RBAC system"
84968+ help
84969+ If you say Y here, the /dev/grsec device will be removed from the kernel,
84970+ preventing the RBAC system from being enabled. You should only say Y
84971+ here if you have no intention of using the RBAC system, so as to prevent
84972+ an attacker with root access from misusing the RBAC system to hide files
84973+ and processes when loadable module support and /dev/[k]mem have been
84974+ locked down.
84975+
84976+config GRKERNSEC_ACL_HIDEKERN
84977+ bool "Hide kernel processes"
84978+ help
84979+ If you say Y here, all kernel threads will be hidden to all
84980+ processes but those whose subject has the "view hidden processes"
84981+ flag.
84982+
84983+config GRKERNSEC_ACL_MAXTRIES
84984+ int "Maximum tries before password lockout"
84985+ default 3
84986+ help
84987+ This option enforces the maximum number of times a user can attempt
84988+ to authorize themselves with the grsecurity RBAC system before being
84989+ denied the ability to attempt authorization again for a specified time.
84990+ The lower the number, the harder it will be to brute-force a password.
84991+
84992+config GRKERNSEC_ACL_TIMEOUT
84993+ int "Time to wait after max password tries, in seconds"
84994+ default 30
84995+ help
84996+ This option specifies the time the user must wait after attempting to
84997+ authorize to the RBAC system with the maximum number of invalid
84998+ passwords. The higher the number, the harder it will be to brute-force
84999+ a password.
85000+
85001+endmenu
85002+menu "Filesystem Protections"
85003+depends on GRKERNSEC
85004+
85005+config GRKERNSEC_PROC
85006+ bool "Proc restrictions"
85007+ default y if GRKERNSEC_CONFIG_AUTO
85008+ help
85009+ If you say Y here, the permissions of the /proc filesystem
85010+ will be altered to enhance system security and privacy. You MUST
85011+ choose either a user only restriction or a user and group restriction.
85012+ Depending upon the option you choose, you can either restrict users to
85013+ see only the processes they themselves run, or choose a group that can
85014+ view all processes and files normally restricted to root if you choose
85015+ the "restrict to user only" option. NOTE: If you're running identd or
85016+ ntpd as a non-root user, you will have to run it as the group you
85017+ specify here.
85018+
85019+config GRKERNSEC_PROC_USER
85020+ bool "Restrict /proc to user only"
85021+ depends on GRKERNSEC_PROC
85022+ help
85023+ If you say Y here, non-root users will only be able to view their own
85024+ processes, and restricts them from viewing network-related information,
85025+ and viewing kernel symbol and module information.
85026+
85027+config GRKERNSEC_PROC_USERGROUP
85028+ bool "Allow special group"
85029+ default y if GRKERNSEC_CONFIG_AUTO
85030+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
85031+ help
85032+ If you say Y here, you will be able to select a group that will be
85033+ able to view all processes and network-related information. If you've
85034+ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
85035+ remain hidden. This option is useful if you want to run identd as
85036+ a non-root user. The group you select may also be chosen at boot time
85037+ via "grsec_proc_gid=" on the kernel commandline.
85038+
85039+config GRKERNSEC_PROC_GID
85040+ int "GID for special group"
85041+ depends on GRKERNSEC_PROC_USERGROUP
85042+ default 1001
85043+
85044+config GRKERNSEC_PROC_ADD
85045+ bool "Additional restrictions"
85046+ default y if GRKERNSEC_CONFIG_AUTO
85047+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
85048+ help
85049+ If you say Y here, additional restrictions will be placed on
85050+ /proc that keep normal users from viewing device information and
85051+ slabinfo information that could be useful for exploits.
85052+
85053+config GRKERNSEC_LINK
85054+ bool "Linking restrictions"
85055+ default y if GRKERNSEC_CONFIG_AUTO
85056+ help
85057+ If you say Y here, /tmp race exploits will be prevented, since users
85058+ will no longer be able to follow symlinks owned by other users in
85059+ world-writable +t directories (e.g. /tmp), unless the owner of the
85060+ symlink is the owner of the directory. users will also not be
85061+ able to hardlink to files they do not own. If the sysctl option is
85062+ enabled, a sysctl option with name "linking_restrictions" is created.
85063+
85064+config GRKERNSEC_SYMLINKOWN
85065+ bool "Kernel-enforced SymlinksIfOwnerMatch"
85066+ default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
85067+ help
85068+ Apache's SymlinksIfOwnerMatch option has an inherent race condition
85069+ that prevents it from being used as a security feature. As Apache
85070+ verifies the symlink by performing a stat() against the target of
85071+ the symlink before it is followed, an attacker can setup a symlink
85072+ to point to a same-owned file, then replace the symlink with one
85073+ that targets another user's file just after Apache "validates" the
85074+ symlink -- a classic TOCTOU race. If you say Y here, a complete,
85075+ race-free replacement for Apache's "SymlinksIfOwnerMatch" option
85076+ will be in place for the group you specify. If the sysctl option
85077+ is enabled, a sysctl option with name "enforce_symlinksifowner" is
85078+ created.
85079+
85080+config GRKERNSEC_SYMLINKOWN_GID
85081+ int "GID for users with kernel-enforced SymlinksIfOwnerMatch"
85082+ depends on GRKERNSEC_SYMLINKOWN
85083+ default 1006
85084+ help
85085+ Setting this GID determines what group kernel-enforced
85086+ SymlinksIfOwnerMatch will be enabled for. If the sysctl option
85087+ is enabled, a sysctl option with name "symlinkown_gid" is created.
85088+
85089+config GRKERNSEC_FIFO
85090+ bool "FIFO restrictions"
85091+ default y if GRKERNSEC_CONFIG_AUTO
85092+ help
85093+ If you say Y here, users will not be able to write to FIFOs they don't
85094+ own in world-writable +t directories (e.g. /tmp), unless the owner of
85095+ the FIFO is the same owner of the directory it's held in. If the sysctl
85096+ option is enabled, a sysctl option with name "fifo_restrictions" is
85097+ created.
85098+
85099+config GRKERNSEC_SYSFS_RESTRICT
85100+ bool "Sysfs/debugfs restriction"
85101+ default y if (GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER)
85102+ depends on SYSFS
85103+ help
85104+ If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
85105+ any filesystem normally mounted under it (e.g. debugfs) will be
85106+ mostly accessible only by root. These filesystems generally provide access
85107+ to hardware and debug information that isn't appropriate for unprivileged
85108+ users of the system. Sysfs and debugfs have also become a large source
85109+ of new vulnerabilities, ranging from infoleaks to local compromise.
85110+ There has been very little oversight with an eye toward security involved
85111+ in adding new exporters of information to these filesystems, so their
85112+ use is discouraged.
85113+ For reasons of compatibility, a few directories have been whitelisted
85114+ for access by non-root users:
85115+ /sys/fs/selinux
85116+ /sys/fs/fuse
85117+ /sys/devices/system/cpu
85118+
85119+config GRKERNSEC_ROFS
85120+ bool "Runtime read-only mount protection"
85121+ depends on SYSCTL
85122+ help
85123+ If you say Y here, a sysctl option with name "romount_protect" will
85124+ be created. By setting this option to 1 at runtime, filesystems
85125+ will be protected in the following ways:
85126+ * No new writable mounts will be allowed
85127+ * Existing read-only mounts won't be able to be remounted read/write
85128+ * Write operations will be denied on all block devices
85129+ This option acts independently of grsec_lock: once it is set to 1,
85130+ it cannot be turned off. Therefore, please be mindful of the resulting
85131+ behavior if this option is enabled in an init script on a read-only
85132+ filesystem.
85133+ Also be aware that as with other root-focused features, GRKERNSEC_KMEM
85134+ and GRKERNSEC_IO should be enabled and module loading disabled via
85135+ config or at runtime.
85136+ This feature is mainly intended for secure embedded systems.
85137+
85138+
85139+config GRKERNSEC_DEVICE_SIDECHANNEL
85140+ bool "Eliminate stat/notify-based device sidechannels"
85141+ default y if GRKERNSEC_CONFIG_AUTO
85142+ help
85143+ If you say Y here, timing analyses on block or character
85144+ devices like /dev/ptmx using stat or inotify/dnotify/fanotify
85145+ will be thwarted for unprivileged users. If a process without
85146+ CAP_MKNOD stats such a device, the last access and last modify times
85147+ will match the device's create time. No access or modify events
85148+ will be triggered through inotify/dnotify/fanotify for such devices.
85149+ This feature will prevent attacks that may at a minimum
85150+ allow an attacker to determine the administrator's password length.
85151+
85152+config GRKERNSEC_CHROOT
85153+ bool "Chroot jail restrictions"
85154+ default y if GRKERNSEC_CONFIG_AUTO
85155+ help
85156+ If you say Y here, you will be able to choose several options that will
85157+ make breaking out of a chrooted jail much more difficult. If you
85158+ encounter no software incompatibilities with the following options, it
85159+ is recommended that you enable each one.
85160+
85161+ Note that the chroot restrictions are not intended to apply to "chroots"
85162+ to directories that are simple bind mounts of the global root filesystem.
85163+ For several other reasons, a user shouldn't expect any significant
85164+ security by performing such a chroot.
85165+
85166+config GRKERNSEC_CHROOT_MOUNT
85167+ bool "Deny mounts"
85168+ default y if GRKERNSEC_CONFIG_AUTO
85169+ depends on GRKERNSEC_CHROOT
85170+ help
85171+ If you say Y here, processes inside a chroot will not be able to
85172+ mount or remount filesystems. If the sysctl option is enabled, a
85173+ sysctl option with name "chroot_deny_mount" is created.
85174+
85175+config GRKERNSEC_CHROOT_DOUBLE
85176+ bool "Deny double-chroots"
85177+ default y if GRKERNSEC_CONFIG_AUTO
85178+ depends on GRKERNSEC_CHROOT
85179+ help
85180+ If you say Y here, processes inside a chroot will not be able to chroot
85181+ again outside the chroot. This is a widely used method of breaking
85182+ out of a chroot jail and should not be allowed. If the sysctl
85183+ option is enabled, a sysctl option with name
85184+ "chroot_deny_chroot" is created.
85185+
85186+config GRKERNSEC_CHROOT_PIVOT
85187+ bool "Deny pivot_root in chroot"
85188+ default y if GRKERNSEC_CONFIG_AUTO
85189+ depends on GRKERNSEC_CHROOT
85190+ help
85191+ If you say Y here, processes inside a chroot will not be able to use
85192+ a function called pivot_root() that was introduced in Linux 2.3.41. It
85193+ works similar to chroot in that it changes the root filesystem. This
85194+ function could be misused in a chrooted process to attempt to break out
85195+ of the chroot, and therefore should not be allowed. If the sysctl
85196+ option is enabled, a sysctl option with name "chroot_deny_pivot" is
85197+ created.
85198+
85199+config GRKERNSEC_CHROOT_CHDIR
85200+ bool "Enforce chdir(\"/\") on all chroots"
85201+ default y if GRKERNSEC_CONFIG_AUTO
85202+ depends on GRKERNSEC_CHROOT
85203+ help
85204+ If you say Y here, the current working directory of all newly-chrooted
85205+ applications will be set to the the root directory of the chroot.
85206+ The man page on chroot(2) states:
85207+ Note that this call does not change the current working
85208+ directory, so that `.' can be outside the tree rooted at
85209+ `/'. In particular, the super-user can escape from a
85210+ `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
85211+
85212+ It is recommended that you say Y here, since it's not known to break
85213+ any software. If the sysctl option is enabled, a sysctl option with
85214+ name "chroot_enforce_chdir" is created.
85215+
85216+config GRKERNSEC_CHROOT_CHMOD
85217+ bool "Deny (f)chmod +s"
85218+ default y if GRKERNSEC_CONFIG_AUTO
85219+ depends on GRKERNSEC_CHROOT
85220+ help
85221+ If you say Y here, processes inside a chroot will not be able to chmod
85222+ or fchmod files to make them have suid or sgid bits. This protects
85223+ against another published method of breaking a chroot. If the sysctl
85224+ option is enabled, a sysctl option with name "chroot_deny_chmod" is
85225+ created.
85226+
85227+config GRKERNSEC_CHROOT_FCHDIR
85228+ bool "Deny fchdir and fhandle out of chroot"
85229+ default y if GRKERNSEC_CONFIG_AUTO
85230+ depends on GRKERNSEC_CHROOT
85231+ help
85232+ If you say Y here, a well-known method of breaking chroots by fchdir'ing
85233+ to a file descriptor of the chrooting process that points to a directory
85234+ outside the filesystem will be stopped. Additionally, this option prevents
85235+ use of the recently-created syscall for opening files by a guessable "file
85236+ handle" inside a chroot. If the sysctl option is enabled, a sysctl option
85237+ with name "chroot_deny_fchdir" is created.
85238+
85239+config GRKERNSEC_CHROOT_MKNOD
85240+ bool "Deny mknod"
85241+ default y if GRKERNSEC_CONFIG_AUTO
85242+ depends on GRKERNSEC_CHROOT
85243+ help
85244+ If you say Y here, processes inside a chroot will not be allowed to
85245+ mknod. The problem with using mknod inside a chroot is that it
85246+ would allow an attacker to create a device entry that is the same
85247+ as one on the physical root of your system, which could range from
85248+ anything from the console device to a device for your harddrive (which
85249+ they could then use to wipe the drive or steal data). It is recommended
85250+ that you say Y here, unless you run into software incompatibilities.
85251+ If the sysctl option is enabled, a sysctl option with name
85252+ "chroot_deny_mknod" is created.
85253+
85254+config GRKERNSEC_CHROOT_SHMAT
85255+ bool "Deny shmat() out of chroot"
85256+ default y if GRKERNSEC_CONFIG_AUTO
85257+ depends on GRKERNSEC_CHROOT
85258+ help
85259+ If you say Y here, processes inside a chroot will not be able to attach
85260+ to shared memory segments that were created outside of the chroot jail.
85261+ It is recommended that you say Y here. If the sysctl option is enabled,
85262+ a sysctl option with name "chroot_deny_shmat" is created.
85263+
85264+config GRKERNSEC_CHROOT_UNIX
85265+ bool "Deny access to abstract AF_UNIX sockets out of chroot"
85266+ default y if GRKERNSEC_CONFIG_AUTO
85267+ depends on GRKERNSEC_CHROOT
85268+ help
85269+ If you say Y here, processes inside a chroot will not be able to
85270+ connect to abstract (meaning not belonging to a filesystem) Unix
85271+ domain sockets that were bound outside of a chroot. It is recommended
85272+ that you say Y here. If the sysctl option is enabled, a sysctl option
85273+ with name "chroot_deny_unix" is created.
85274+
85275+config GRKERNSEC_CHROOT_FINDTASK
85276+ bool "Protect outside processes"
85277+ default y if GRKERNSEC_CONFIG_AUTO
85278+ depends on GRKERNSEC_CHROOT
85279+ help
85280+ If you say Y here, processes inside a chroot will not be able to
85281+ kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
85282+ getsid, or view any process outside of the chroot. If the sysctl
85283+ option is enabled, a sysctl option with name "chroot_findtask" is
85284+ created.
85285+
85286+config GRKERNSEC_CHROOT_NICE
85287+ bool "Restrict priority changes"
85288+ default y if GRKERNSEC_CONFIG_AUTO
85289+ depends on GRKERNSEC_CHROOT
85290+ help
85291+ If you say Y here, processes inside a chroot will not be able to raise
85292+ the priority of processes in the chroot, or alter the priority of
85293+ processes outside the chroot. This provides more security than simply
85294+ removing CAP_SYS_NICE from the process' capability set. If the
85295+ sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
85296+ is created.
85297+
85298+config GRKERNSEC_CHROOT_SYSCTL
85299+ bool "Deny sysctl writes"
85300+ default y if GRKERNSEC_CONFIG_AUTO
85301+ depends on GRKERNSEC_CHROOT
85302+ help
85303+ If you say Y here, an attacker in a chroot will not be able to
85304+ write to sysctl entries, either by sysctl(2) or through a /proc
85305+ interface. It is strongly recommended that you say Y here. If the
85306+ sysctl option is enabled, a sysctl option with name
85307+ "chroot_deny_sysctl" is created.
85308+
85309+config GRKERNSEC_CHROOT_RENAME
85310+ bool "Deny bad renames"
85311+ default y if GRKERNSEC_CONFIG_AUTO
85312+ depends on GRKERNSEC_CHROOT
85313+ help
85314+ If you say Y here, an attacker in a chroot will not be able to
85315+ abuse the ability to create double chroots to break out of the
85316+ chroot by exploiting a race condition between a rename of a directory
85317+ within a chroot against an open of a symlink with relative path
85318+ components. This feature will likewise prevent an accomplice outside
85319+ a chroot from enabling a user inside the chroot to break out and make
85320+ use of their credentials on the global filesystem. Enabling this
85321+ feature is essential to prevent root users from breaking out of a
85322+ chroot. If the sysctl option is enabled, a sysctl option with name
85323+ "chroot_deny_bad_rename" is created.
85324+
85325+config GRKERNSEC_CHROOT_CAPS
85326+ bool "Capability restrictions"
85327+ default y if GRKERNSEC_CONFIG_AUTO
85328+ depends on GRKERNSEC_CHROOT
85329+ help
85330+ If you say Y here, the capabilities on all processes within a
85331+ chroot jail will be lowered to stop module insertion, raw i/o,
85332+ system and net admin tasks, rebooting the system, modifying immutable
85333+ files, modifying IPC owned by another, and changing the system time.
85334+ This is left an option because it can break some apps. Disable this
85335+ if your chrooted apps are having problems performing those kinds of
85336+ tasks. If the sysctl option is enabled, a sysctl option with
85337+ name "chroot_caps" is created.
85338+
85339+config GRKERNSEC_CHROOT_INITRD
85340+ bool "Exempt initrd tasks from restrictions"
85341+ default y if GRKERNSEC_CONFIG_AUTO
85342+ depends on GRKERNSEC_CHROOT && BLK_DEV_INITRD
85343+ help
85344+ If you say Y here, tasks started prior to init will be exempted from
85345+ grsecurity's chroot restrictions. This option is mainly meant to
85346+ resolve Plymouth's performing privileged operations unnecessarily
85347+ in a chroot.
85348+
85349+endmenu
85350+menu "Kernel Auditing"
85351+depends on GRKERNSEC
85352+
85353+config GRKERNSEC_AUDIT_GROUP
85354+ bool "Single group for auditing"
85355+ help
85356+ If you say Y here, the exec and chdir logging features will only operate
85357+ on a group you specify. This option is recommended if you only want to
85358+ watch certain users instead of having a large amount of logs from the
85359+ entire system. If the sysctl option is enabled, a sysctl option with
85360+ name "audit_group" is created.
85361+
85362+config GRKERNSEC_AUDIT_GID
85363+ int "GID for auditing"
85364+ depends on GRKERNSEC_AUDIT_GROUP
85365+ default 1007
85366+
85367+config GRKERNSEC_EXECLOG
85368+ bool "Exec logging"
85369+ help
85370+ If you say Y here, all execve() calls will be logged (since the
85371+ other exec*() calls are frontends to execve(), all execution
85372+ will be logged). Useful for shell-servers that like to keep track
85373+ of their users. If the sysctl option is enabled, a sysctl option with
85374+ name "exec_logging" is created.
85375+ WARNING: This option when enabled will produce a LOT of logs, especially
85376+ on an active system.
85377+
85378+config GRKERNSEC_RESLOG
85379+ bool "Resource logging"
85380+ default y if GRKERNSEC_CONFIG_AUTO
85381+ help
85382+ If you say Y here, all attempts to overstep resource limits will
85383+ be logged with the resource name, the requested size, and the current
85384+ limit. It is highly recommended that you say Y here. If the sysctl
85385+ option is enabled, a sysctl option with name "resource_logging" is
85386+ created. If the RBAC system is enabled, the sysctl value is ignored.
85387+
85388+config GRKERNSEC_CHROOT_EXECLOG
85389+ bool "Log execs within chroot"
85390+ help
85391+ If you say Y here, all executions inside a chroot jail will be logged
85392+ to syslog. This can cause a large amount of logs if certain
85393+ applications (eg. djb's daemontools) are installed on the system, and
85394+ is therefore left as an option. If the sysctl option is enabled, a
85395+ sysctl option with name "chroot_execlog" is created.
85396+
85397+config GRKERNSEC_AUDIT_PTRACE
85398+ bool "Ptrace logging"
85399+ help
85400+ If you say Y here, all attempts to attach to a process via ptrace
85401+ will be logged. If the sysctl option is enabled, a sysctl option
85402+ with name "audit_ptrace" is created.
85403+
85404+config GRKERNSEC_AUDIT_CHDIR
85405+ bool "Chdir logging"
85406+ help
85407+ If you say Y here, all chdir() calls will be logged. If the sysctl
85408+ option is enabled, a sysctl option with name "audit_chdir" is created.
85409+
85410+config GRKERNSEC_AUDIT_MOUNT
85411+ bool "(Un)Mount logging"
85412+ help
85413+ If you say Y here, all mounts and unmounts will be logged. If the
85414+ sysctl option is enabled, a sysctl option with name "audit_mount" is
85415+ created.
85416+
85417+config GRKERNSEC_SIGNAL
85418+ bool "Signal logging"
85419+ default y if GRKERNSEC_CONFIG_AUTO
85420+ help
85421+ If you say Y here, certain important signals will be logged, such as
85422+ SIGSEGV, which will as a result inform you of when a error in a program
85423+ occurred, which in some cases could mean a possible exploit attempt.
85424+ If the sysctl option is enabled, a sysctl option with name
85425+ "signal_logging" is created.
85426+
85427+config GRKERNSEC_FORKFAIL
85428+ bool "Fork failure logging"
85429+ help
85430+ If you say Y here, all failed fork() attempts will be logged.
85431+ This could suggest a fork bomb, or someone attempting to overstep
85432+ their process limit. If the sysctl option is enabled, a sysctl option
85433+ with name "forkfail_logging" is created.
85434+
85435+config GRKERNSEC_TIME
85436+ bool "Time change logging"
85437+ default y if GRKERNSEC_CONFIG_AUTO
85438+ help
85439+ If you say Y here, any changes of the system clock will be logged.
85440+ If the sysctl option is enabled, a sysctl option with name
85441+ "timechange_logging" is created.
85442+
85443+config GRKERNSEC_PROC_IPADDR
85444+ bool "/proc/<pid>/ipaddr support"
85445+ default y if GRKERNSEC_CONFIG_AUTO
85446+ help
85447+ If you say Y here, a new entry will be added to each /proc/<pid>
85448+ directory that contains the IP address of the person using the task.
85449+ The IP is carried across local TCP and AF_UNIX stream sockets.
85450+ This information can be useful for IDS/IPSes to perform remote response
85451+ to a local attack. The entry is readable by only the owner of the
85452+ process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
85453+ the RBAC system), and thus does not create privacy concerns.
85454+
85455+config GRKERNSEC_RWXMAP_LOG
85456+ bool 'Denied RWX mmap/mprotect logging'
85457+ default y if GRKERNSEC_CONFIG_AUTO
85458+ depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
85459+ help
85460+ If you say Y here, calls to mmap() and mprotect() with explicit
85461+ usage of PROT_WRITE and PROT_EXEC together will be logged when
85462+ denied by the PAX_MPROTECT feature. This feature will also
85463+ log other problematic scenarios that can occur when PAX_MPROTECT
85464+ is enabled on a binary, like textrels and PT_GNU_STACK. If the
85465+ sysctl option is enabled, a sysctl option with name "rwxmap_logging"
85466+ is created.
85467+
85468+endmenu
85469+
85470+menu "Executable Protections"
85471+depends on GRKERNSEC
85472+
85473+config GRKERNSEC_DMESG
85474+ bool "Dmesg(8) restriction"
85475+ default y if GRKERNSEC_CONFIG_AUTO
85476+ help
85477+ If you say Y here, non-root users will not be able to use dmesg(8)
85478+ to view the contents of the kernel's circular log buffer.
85479+ The kernel's log buffer often contains kernel addresses and other
85480+ identifying information useful to an attacker in fingerprinting a
85481+ system for a targeted exploit.
85482+ If the sysctl option is enabled, a sysctl option with name "dmesg" is
85483+ created.
85484+
85485+config GRKERNSEC_HARDEN_PTRACE
85486+ bool "Deter ptrace-based process snooping"
85487+ default y if GRKERNSEC_CONFIG_AUTO
85488+ help
85489+ If you say Y here, TTY sniffers and other malicious monitoring
85490+ programs implemented through ptrace will be defeated. If you
85491+ have been using the RBAC system, this option has already been
85492+ enabled for several years for all users, with the ability to make
85493+ fine-grained exceptions.
85494+
85495+ This option only affects the ability of non-root users to ptrace
85496+ processes that are not a descendent of the ptracing process.
85497+ This means that strace ./binary and gdb ./binary will still work,
85498+ but attaching to arbitrary processes will not. If the sysctl
85499+ option is enabled, a sysctl option with name "harden_ptrace" is
85500+ created.
85501+
85502+config GRKERNSEC_PTRACE_READEXEC
85503+ bool "Require read access to ptrace sensitive binaries"
85504+ default y if GRKERNSEC_CONFIG_AUTO
85505+ help
85506+ If you say Y here, unprivileged users will not be able to ptrace unreadable
85507+ binaries. This option is useful in environments that
85508+ remove the read bits (e.g. file mode 4711) from suid binaries to
85509+ prevent infoleaking of their contents. This option adds
85510+ consistency to the use of that file mode, as the binary could normally
85511+ be read out when run without privileges while ptracing.
85512+
85513+ If the sysctl option is enabled, a sysctl option with name "ptrace_readexec"
85514+ is created.
85515+
85516+config GRKERNSEC_SETXID
85517+ bool "Enforce consistent multithreaded privileges"
85518+ default y if GRKERNSEC_CONFIG_AUTO
85519+ depends on (X86 || SPARC64 || PPC || ARM || MIPS)
85520+ help
85521+ If you say Y here, a change from a root uid to a non-root uid
85522+ in a multithreaded application will cause the resulting uids,
85523+ gids, supplementary groups, and capabilities in that thread
85524+ to be propagated to the other threads of the process. In most
85525+ cases this is unnecessary, as glibc will emulate this behavior
85526+ on behalf of the application. Other libcs do not act in the
85527+ same way, allowing the other threads of the process to continue
85528+ running with root privileges. If the sysctl option is enabled,
85529+ a sysctl option with name "consistent_setxid" is created.
85530+
85531+config GRKERNSEC_HARDEN_IPC
85532+ bool "Disallow access to overly-permissive IPC objects"
85533+ default y if GRKERNSEC_CONFIG_AUTO
85534+ depends on SYSVIPC
85535+ help
85536+ If you say Y here, access to overly-permissive IPC objects (shared
85537+ memory, message queues, and semaphores) will be denied for processes
85538+ given the following criteria beyond normal permission checks:
85539+ 1) If the IPC object is world-accessible and the euid doesn't match
85540+ that of the creator or current uid for the IPC object
85541+ 2) If the IPC object is group-accessible and the egid doesn't
85542+ match that of the creator or current gid for the IPC object
85543+ It's a common error to grant too much permission to these objects,
85544+ with impact ranging from denial of service and information leaking to
85545+ privilege escalation. This feature was developed in response to
85546+ research by Tim Brown:
85547+ http://labs.portcullis.co.uk/whitepapers/memory-squatting-attacks-on-system-v-shared-memory/
85548+ who found hundreds of such insecure usages. Processes with
85549+ CAP_IPC_OWNER are still permitted to access these IPC objects.
85550+ If the sysctl option is enabled, a sysctl option with name
85551+ "harden_ipc" is created.
85552+
85553+config GRKERNSEC_TPE
85554+ bool "Trusted Path Execution (TPE)"
85555+ default y if GRKERNSEC_CONFIG_AUTO && GRKERNSEC_CONFIG_SERVER
85556+ help
85557+ If you say Y here, you will be able to choose a gid to add to the
85558+ supplementary groups of users you want to mark as "untrusted."
85559+ These users will not be able to execute any files that are not in
85560+ root-owned directories writable only by root. If the sysctl option
85561+ is enabled, a sysctl option with name "tpe" is created.
85562+
85563+config GRKERNSEC_TPE_ALL
85564+ bool "Partially restrict all non-root users"
85565+ depends on GRKERNSEC_TPE
85566+ help
85567+ If you say Y here, all non-root users will be covered under
85568+ a weaker TPE restriction. This is separate from, and in addition to,
85569+ the main TPE options that you have selected elsewhere. Thus, if a
85570+ "trusted" GID is chosen, this restriction applies to even that GID.
85571+ Under this restriction, all non-root users will only be allowed to
85572+ execute files in directories they own that are not group or
85573+ world-writable, or in directories owned by root and writable only by
85574+ root. If the sysctl option is enabled, a sysctl option with name
85575+ "tpe_restrict_all" is created.
85576+
85577+config GRKERNSEC_TPE_INVERT
85578+ bool "Invert GID option"
85579+ depends on GRKERNSEC_TPE
85580+ help
85581+ If you say Y here, the group you specify in the TPE configuration will
85582+ decide what group TPE restrictions will be *disabled* for. This
85583+ option is useful if you want TPE restrictions to be applied to most
85584+ users on the system. If the sysctl option is enabled, a sysctl option
85585+ with name "tpe_invert" is created. Unlike other sysctl options, this
85586+ entry will default to on for backward-compatibility.
85587+
85588+config GRKERNSEC_TPE_GID
85589+ int
85590+ default GRKERNSEC_TPE_UNTRUSTED_GID if (GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT)
85591+ default GRKERNSEC_TPE_TRUSTED_GID if (GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT)
85592+
85593+config GRKERNSEC_TPE_UNTRUSTED_GID
85594+ int "GID for TPE-untrusted users"
85595+ depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
85596+ default 1005
85597+ help
85598+ Setting this GID determines what group TPE restrictions will be
85599+ *enabled* for. If the sysctl option is enabled, a sysctl option
85600+ with name "tpe_gid" is created.
85601+
85602+config GRKERNSEC_TPE_TRUSTED_GID
85603+ int "GID for TPE-trusted users"
85604+ depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
85605+ default 1005
85606+ help
85607+ Setting this GID determines what group TPE restrictions will be
85608+ *disabled* for. If the sysctl option is enabled, a sysctl option
85609+ with name "tpe_gid" is created.
85610+
85611+endmenu
85612+menu "Network Protections"
85613+depends on GRKERNSEC
85614+
85615+config GRKERNSEC_BLACKHOLE
85616+ bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
85617+ default y if GRKERNSEC_CONFIG_AUTO
85618+ depends on NET
85619+ help
85620+ If you say Y here, neither TCP resets nor ICMP
85621+ destination-unreachable packets will be sent in response to packets
85622+ sent to ports for which no associated listening process exists.
85623+ It will also prevent the sending of ICMP protocol unreachable packets
85624+ in response to packets with unknown protocols.
85625+ This feature supports both IPV4 and IPV6 and exempts the
85626+ loopback interface from blackholing. Enabling this feature
85627+ makes a host more resilient to DoS attacks and reduces network
85628+ visibility against scanners.
85629+
85630+ The blackhole feature as-implemented is equivalent to the FreeBSD
85631+ blackhole feature, as it prevents RST responses to all packets, not
85632+ just SYNs. Under most application behavior this causes no
85633+ problems, but applications (like haproxy) may not close certain
85634+ connections in a way that cleanly terminates them on the remote
85635+ end, leaving the remote host in LAST_ACK state. Because of this
85636+ side-effect and to prevent intentional LAST_ACK DoSes, this
85637+ feature also adds automatic mitigation against such attacks.
85638+ The mitigation drastically reduces the amount of time a socket
85639+ can spend in LAST_ACK state. If you're using haproxy and not
85640+ all servers it connects to have this option enabled, consider
85641+ disabling this feature on the haproxy host.
85642+
85643+ If the sysctl option is enabled, two sysctl options with names
85644+ "ip_blackhole" and "lastack_retries" will be created.
85645+ While "ip_blackhole" takes the standard zero/non-zero on/off
85646+ toggle, "lastack_retries" uses the same kinds of values as
85647+ "tcp_retries1" and "tcp_retries2". The default value of 4
85648+ prevents a socket from lasting more than 45 seconds in LAST_ACK
85649+ state.
85650+
85651+config GRKERNSEC_NO_SIMULT_CONNECT
85652+ bool "Disable TCP Simultaneous Connect"
85653+ default y if GRKERNSEC_CONFIG_AUTO
85654+ depends on NET
85655+ help
85656+ If you say Y here, a feature by Willy Tarreau will be enabled that
85657+ removes a weakness in Linux's strict implementation of TCP that
85658+ allows two clients to connect to each other without either entering
85659+ a listening state. The weakness allows an attacker to easily prevent
85660+ a client from connecting to a known server provided the source port
85661+ for the connection is guessed correctly.
85662+
85663+ As the weakness could be used to prevent an antivirus or IPS from
85664+ fetching updates, or prevent an SSL gateway from fetching a CRL,
85665+ it should be eliminated by enabling this option. Though Linux is
85666+ one of few operating systems supporting simultaneous connect, it
85667+ has no legitimate use in practice and is rarely supported by firewalls.
85668+
85669+config GRKERNSEC_SOCKET
85670+ bool "Socket restrictions"
85671+ depends on NET
85672+ help
85673+ If you say Y here, you will be able to choose from several options.
85674+ If you assign a GID on your system and add it to the supplementary
85675+ groups of users you want to restrict socket access to, this patch
85676+ will perform up to three things, based on the option(s) you choose.
85677+
85678+config GRKERNSEC_SOCKET_ALL
85679+ bool "Deny any sockets to group"
85680+ depends on GRKERNSEC_SOCKET
85681+ help
85682+ If you say Y here, you will be able to choose a GID of whose users will
85683+ be unable to connect to other hosts from your machine or run server
85684+ applications from your machine. If the sysctl option is enabled, a
85685+ sysctl option with name "socket_all" is created.
85686+
85687+config GRKERNSEC_SOCKET_ALL_GID
85688+ int "GID to deny all sockets for"
85689+ depends on GRKERNSEC_SOCKET_ALL
85690+ default 1004
85691+ help
85692+ Here you can choose the GID to disable socket access for. Remember to
85693+ add the users you want socket access disabled for to the GID
85694+ specified here. If the sysctl option is enabled, a sysctl option
85695+ with name "socket_all_gid" is created.
85696+
85697+config GRKERNSEC_SOCKET_CLIENT
85698+ bool "Deny client sockets to group"
85699+ depends on GRKERNSEC_SOCKET
85700+ help
85701+ If you say Y here, you will be able to choose a GID of whose users will
85702+ be unable to connect to other hosts from your machine, but will be
85703+ able to run servers. If this option is enabled, all users in the group
85704+ you specify will have to use passive mode when initiating ftp transfers
85705+ from the shell on your machine. If the sysctl option is enabled, a
85706+ sysctl option with name "socket_client" is created.
85707+
85708+config GRKERNSEC_SOCKET_CLIENT_GID
85709+ int "GID to deny client sockets for"
85710+ depends on GRKERNSEC_SOCKET_CLIENT
85711+ default 1003
85712+ help
85713+ Here you can choose the GID to disable client socket access for.
85714+ Remember to add the users you want client socket access disabled for to
85715+ the GID specified here. If the sysctl option is enabled, a sysctl
85716+ option with name "socket_client_gid" is created.
85717+
85718+config GRKERNSEC_SOCKET_SERVER
85719+ bool "Deny server sockets to group"
85720+ depends on GRKERNSEC_SOCKET
85721+ help
85722+ If you say Y here, you will be able to choose a GID of whose users will
85723+ be unable to run server applications from your machine. If the sysctl
85724+ option is enabled, a sysctl option with name "socket_server" is created.
85725+
85726+config GRKERNSEC_SOCKET_SERVER_GID
85727+ int "GID to deny server sockets for"
85728+ depends on GRKERNSEC_SOCKET_SERVER
85729+ default 1002
85730+ help
85731+ Here you can choose the GID to disable server socket access for.
85732+ Remember to add the users you want server socket access disabled for to
85733+ the GID specified here. If the sysctl option is enabled, a sysctl
85734+ option with name "socket_server_gid" is created.
85735+
85736+endmenu
85737+
85738+menu "Physical Protections"
85739+depends on GRKERNSEC
85740+
85741+config GRKERNSEC_DENYUSB
85742+ bool "Deny new USB connections after toggle"
85743+ default y if GRKERNSEC_CONFIG_AUTO
85744+ depends on SYSCTL && USB_SUPPORT
85745+ help
85746+ If you say Y here, a new sysctl option with name "deny_new_usb"
85747+ will be created. Setting its value to 1 will prevent any new
85748+ USB devices from being recognized by the OS. Any attempted USB
85749+ device insertion will be logged. This option is intended to be
85750+ used against custom USB devices designed to exploit vulnerabilities
85751+ in various USB device drivers.
85752+
85753+ For greatest effectiveness, this sysctl should be set after any
85754+ relevant init scripts. This option is safe to enable in distros
85755+ as each user can choose whether or not to toggle the sysctl.
85756+
85757+config GRKERNSEC_DENYUSB_FORCE
85758+ bool "Reject all USB devices not connected at boot"
85759+ select USB
85760+ depends on GRKERNSEC_DENYUSB
85761+ help
85762+ If you say Y here, a variant of GRKERNSEC_DENYUSB will be enabled
85763+ that doesn't involve a sysctl entry. This option should only be
85764+ enabled if you're sure you want to deny all new USB connections
85765+ at runtime and don't want to modify init scripts. This should not
85766+ be enabled by distros. It forces the core USB code to be built
85767+ into the kernel image so that all devices connected at boot time
85768+ can be recognized and new USB device connections can be prevented
85769+ prior to init running.
85770+
85771+endmenu
85772+
85773+menu "Sysctl Support"
85774+depends on GRKERNSEC && SYSCTL
85775+
85776+config GRKERNSEC_SYSCTL
85777+ bool "Sysctl support"
85778+ default y if GRKERNSEC_CONFIG_AUTO
85779+ help
85780+ If you say Y here, you will be able to change the options that
85781+ grsecurity runs with at bootup, without having to recompile your
85782+ kernel. You can echo values to files in /proc/sys/kernel/grsecurity
85783+ to enable (1) or disable (0) various features. All the sysctl entries
85784+ are mutable until the "grsec_lock" entry is set to a non-zero value.
85785+ All features enabled in the kernel configuration are disabled at boot
85786+ if you do not say Y to the "Turn on features by default" option.
85787+ All options should be set at startup, and the grsec_lock entry should
85788+ be set to a non-zero value after all the options are set.
85789+ *THIS IS EXTREMELY IMPORTANT*
85790+
85791+config GRKERNSEC_SYSCTL_DISTRO
85792+ bool "Extra sysctl support for distro makers (READ HELP)"
85793+ depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
85794+ help
85795+ If you say Y here, additional sysctl options will be created
85796+ for features that affect processes running as root. Therefore,
85797+ it is critical when using this option that the grsec_lock entry be
85798+ enabled after boot. Only distros with prebuilt kernel packages
85799+ with this option enabled that can ensure grsec_lock is enabled
85800+ after boot should use this option.
85801+ *Failure to set grsec_lock after boot makes all grsec features
85802+ this option covers useless*
85803+
85804+ Currently this option creates the following sysctl entries:
85805+ "Disable Privileged I/O": "disable_priv_io"
85806+
85807+config GRKERNSEC_SYSCTL_ON
85808+ bool "Turn on features by default"
85809+ default y if GRKERNSEC_CONFIG_AUTO
85810+ depends on GRKERNSEC_SYSCTL
85811+ help
85812+ If you say Y here, instead of having all features enabled in the
85813+ kernel configuration disabled at boot time, the features will be
85814+ enabled at boot time. It is recommended you say Y here unless
85815+ there is some reason you would want all sysctl-tunable features to
85816+ be disabled by default. As mentioned elsewhere, it is important
85817+ to enable the grsec_lock entry once you have finished modifying
85818+ the sysctl entries.
85819+
85820+endmenu
85821+menu "Logging Options"
85822+depends on GRKERNSEC
85823+
85824+config GRKERNSEC_FLOODTIME
85825+ int "Seconds in between log messages (minimum)"
85826+ default 10
85827+ help
85828+ This option allows you to enforce the number of seconds between
85829+ grsecurity log messages. The default should be suitable for most
85830+ people, however, if you choose to change it, choose a value small enough
85831+ to allow informative logs to be produced, but large enough to
85832+ prevent flooding.
85833+
85834+ Setting both this value and GRKERNSEC_FLOODBURST to 0 will disable
85835+ any rate limiting on grsecurity log messages.
85836+
85837+config GRKERNSEC_FLOODBURST
85838+ int "Number of messages in a burst (maximum)"
85839+ default 6
85840+ help
85841+ This option allows you to choose the maximum number of messages allowed
85842+ within the flood time interval you chose in a separate option. The
85843+ default should be suitable for most people, however if you find that
85844+ many of your logs are being interpreted as flooding, you may want to
85845+ raise this value.
85846+
85847+ Setting both this value and GRKERNSEC_FLOODTIME to 0 will disable
85848+ any rate limiting on grsecurity log messages.
85849+
85850+endmenu
85851diff --git a/grsecurity/Makefile b/grsecurity/Makefile
85852new file mode 100644
85853index 0000000..30ababb
85854--- /dev/null
85855+++ b/grsecurity/Makefile
85856@@ -0,0 +1,54 @@
85857+# grsecurity – access control and security hardening for Linux
85858+# All code in this directory and various hooks located throughout the Linux kernel are
85859+# Copyright (C) 2001-2014 Bradley Spengler, Open Source Security, Inc.
85860+# http://www.grsecurity.net spender@grsecurity.net
85861+#
85862+# This program is free software; you can redistribute it and/or
85863+# modify it under the terms of the GNU General Public License version 2
85864+# as published by the Free Software Foundation.
85865+#
85866+# This program is distributed in the hope that it will be useful,
85867+# but WITHOUT ANY WARRANTY; without even the implied warranty of
85868+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
85869+# GNU General Public License for more details.
85870+#
85871+# You should have received a copy of the GNU General Public License
85872+# along with this program; if not, write to the Free Software
85873+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
85874+
85875+KBUILD_CFLAGS += -Werror
85876+
85877+obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
85878+ grsec_mount.o grsec_sig.o grsec_sysctl.o \
85879+ grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o \
85880+ grsec_usb.o grsec_ipc.o grsec_proc.o
85881+
85882+obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
85883+ gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
85884+ gracl_learn.o grsec_log.o gracl_policy.o
85885+ifdef CONFIG_COMPAT
85886+obj-$(CONFIG_GRKERNSEC) += gracl_compat.o
85887+endif
85888+
85889+obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
85890+
85891+ifdef CONFIG_NET
85892+obj-y += grsec_sock.o
85893+obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
85894+endif
85895+
85896+ifndef CONFIG_GRKERNSEC
85897+obj-y += grsec_disabled.o
85898+endif
85899+
85900+ifdef CONFIG_GRKERNSEC_HIDESYM
85901+extra-y := grsec_hidesym.o
85902+$(obj)/grsec_hidesym.o:
85903+ @-chmod -f 500 /boot
85904+ @-chmod -f 500 /lib/modules
85905+ @-chmod -f 500 /lib64/modules
85906+ @-chmod -f 500 /lib32/modules
85907+ @-chmod -f 700 .
85908+ @-chmod -f 700 $(objtree)
85909+ @echo ' grsec: protected kernel image paths'
85910+endif
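Review bot: The `$(obj)/grsec_hidesym.o:` recipe at the end of this hunk changes modes on host paths (`/boot`, `/lib/modules`, `/lib64/modules`, `/lib32/modules`) as a side effect of building, and every `chmod` is prefixed with `@-` and passes `-f`, so any failure is hidden. A build run as a non-root user, in a container, or on a separate build machine therefore still prints `grsec: protected kernel image paths` even though nothing on the machine that will boot this kernel was changed. An operator enabling CONFIG_GRKERNSEC_HIDESYM could reasonably conclude those directories are already locked down. The recipe also never creates its target, so it presumably reruns on every build. I would move the permission tightening to the install or provisioning step, and at minimum add a comment above the rule such as `# best-effort: affects only the build host and does nothing without root; verify /boot and /lib/modules modes on the target`.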
85911diff --git a/grsecurity/gracl.c b/grsecurity/gracl.c
85912new file mode 100644
85913index 0000000..7ad630a
85914--- /dev/null
85915+++ b/grsecurity/gracl.c
85916@@ -0,0 +1,2757 @@
85917+#include <linux/kernel.h>
85918+#include <linux/module.h>
85919+#include <linux/sched.h>
85920+#include <linux/mm.h>
85921+#include <linux/file.h>
85922+#include <linux/fs.h>
85923+#include <linux/namei.h>
85924+#include <linux/mount.h>
85925+#include <linux/tty.h>
85926+#include <linux/proc_fs.h>
85927+#include <linux/lglock.h>
85928+#include <linux/slab.h>
85929+#include <linux/vmalloc.h>
85930+#include <linux/types.h>
85931+#include <linux/sysctl.h>
85932+#include <linux/netdevice.h>
85933+#include <linux/ptrace.h>
85934+#include <linux/gracl.h>
85935+#include <linux/gralloc.h>
85936+#include <linux/security.h>
85937+#include <linux/grinternal.h>
85938+#include <linux/pid_namespace.h>
85939+#include <linux/stop_machine.h>
85940+#include <linux/fdtable.h>
85941+#include <linux/percpu.h>
85942+#include <linux/lglock.h>
85943+#include <linux/hugetlb.h>
85944+#include <linux/posix-timers.h>
85945+#include <linux/prefetch.h>
85946+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
85947+#include <linux/magic.h>
85948+#include <linux/pagemap.h>
85949+#include "../fs/btrfs/async-thread.h"
85950+#include "../fs/btrfs/ctree.h"
85951+#include "../fs/btrfs/btrfs_inode.h"
85952+#endif
85953+#include "../fs/mount.h"
85954+
85955+#include <asm/uaccess.h>
85956+#include <asm/errno.h>
85957+#include <asm/mman.h>
85958+
85959+#define FOR_EACH_ROLE_START(role) \
85960+ role = running_polstate.role_list; \
85961+ while (role) {
85962+
85963+#define FOR_EACH_ROLE_END(role) \
85964+ role = role->prev; \
85965+ }
85966+
85967+extern struct path gr_real_root;
85968+
85969+static struct gr_policy_state running_polstate;
85970+struct gr_policy_state *polstate = &running_polstate;
85971+extern struct gr_alloc_state *current_alloc_state;
85972+
85973+extern char *gr_shared_page[4];
85974+DEFINE_RWLOCK(gr_inode_lock);
85975+
85976+static unsigned int gr_status __read_only = GR_STATUS_INIT;
85977+
85978+#ifdef CONFIG_NET
85979+extern struct vfsmount *sock_mnt;
85980+#endif
85981+
85982+extern struct vfsmount *pipe_mnt;
85983+extern struct vfsmount *shm_mnt;
85984+
85985+#ifdef CONFIG_HUGETLBFS
85986+extern struct vfsmount *hugetlbfs_vfsmount[HUGE_MAX_HSTATE];
85987+#endif
85988+
85989+extern u16 acl_sp_role_value;
85990+extern struct acl_object_label *fakefs_obj_rw;
85991+extern struct acl_object_label *fakefs_obj_rwx;
85992+
85993+int gr_acl_is_enabled(void)
85994+{
85995+ return (gr_status & GR_READY);
85996+}
85997+
85998+void gr_enable_rbac_system(void)
85999+{
86000+ pax_open_kernel();
86001+ gr_status |= GR_READY;
86002+ pax_close_kernel();
86003+}
86004+
86005+int gr_rbac_disable(void *unused)
86006+{
86007+ pax_open_kernel();
86008+ gr_status &= ~GR_READY;
86009+ pax_close_kernel();
86010+
86011+ return 0;
86012+}
86013+
86014+static inline dev_t __get_dev(const struct dentry *dentry)
86015+{
86016+ struct dentry *ldentry = d_backing_dentry((struct dentry *)dentry);
86017+
86018+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
86019+ if (ldentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
86020+ return BTRFS_I(d_inode(ldentry))->root->anon_dev;
86021+ else
86022+#endif
86023+ return d_inode(ldentry)->i_sb->s_dev;
86024+}
86025+
86026+static inline u64 __get_ino(const struct dentry *dentry)
86027+{
86028+ struct dentry *ldentry = d_backing_dentry((struct dentry *)dentry);
86029+
86030+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
86031+ if (ldentry->d_sb->s_magic == BTRFS_SUPER_MAGIC)
86032+ return btrfs_ino(d_inode(dentry));
86033+ else
86034+#endif
86035+ return d_inode(ldentry)->i_ino;
86036+}
86037+
86038+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
86039+{
86040+ return __get_dev(dentry);
86041+}
86042+
86043+u64 gr_get_ino_from_dentry(struct dentry *dentry)
86044+{
86045+ return __get_ino(dentry);
86046+}
86047+
86048+static char gr_task_roletype_to_char(struct task_struct *task)
86049+{
86050+ switch (task->role->roletype &
86051+ (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
86052+ GR_ROLE_SPECIAL)) {
86053+ case GR_ROLE_DEFAULT:
86054+ return 'D';
86055+ case GR_ROLE_USER:
86056+ return 'U';
86057+ case GR_ROLE_GROUP:
86058+ return 'G';
86059+ case GR_ROLE_SPECIAL:
86060+ return 'S';
86061+ }
86062+
86063+ return 'X';
86064+}
86065+
86066+char gr_roletype_to_char(void)
86067+{
86068+ return gr_task_roletype_to_char(current);
86069+}
86070+
86071+int
86072+gr_acl_tpe_check(void)
86073+{
86074+ if (unlikely(!(gr_status & GR_READY)))
86075+ return 0;
86076+ if (current->role->roletype & GR_ROLE_TPE)
86077+ return 1;
86078+ else
86079+ return 0;
86080+}
86081+
86082+int
86083+gr_handle_rawio(const struct inode *inode)
86084+{
86085+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
86086+ if (inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR)) &&
86087+ grsec_enable_chroot_caps && proc_is_chrooted(current) &&
86088+ !capable(CAP_SYS_RAWIO))
86089+ return 1;
86090+#endif
86091+ return 0;
86092+}
86093+
86094+int
86095+gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
86096+{
86097+ if (likely(lena != lenb))
86098+ return 0;
86099+
86100+ return !memcmp(a, b, lena);
86101+}
86102+
86103+static int prepend(char **buffer, int *buflen, const char *str, int namelen)
86104+{
86105+ *buflen -= namelen;
86106+ if (*buflen < 0)
86107+ return -ENAMETOOLONG;
86108+ *buffer -= namelen;
86109+ memcpy(*buffer, str, namelen);
86110+ return 0;
86111+}
86112+
86113+static int prepend_name(char **buffer, int *buflen, struct qstr *name)
86114+{
86115+ return prepend(buffer, buflen, name->name, name->len);
86116+}
86117+
86118+static int prepend_path(const struct path *path, struct path *root,
86119+ char **buffer, int *buflen)
86120+{
86121+ struct dentry *dentry = path->dentry;
86122+ struct vfsmount *vfsmnt = path->mnt;
86123+ struct mount *mnt = real_mount(vfsmnt);
86124+ bool slash = false;
86125+ int error = 0;
86126+
86127+ while (dentry != root->dentry || vfsmnt != root->mnt) {
86128+ struct dentry * parent;
86129+
86130+ if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
86131+ /* Global root? */
86132+ if (!mnt_has_parent(mnt)) {
86133+ goto out;
86134+ }
86135+ dentry = mnt->mnt_mountpoint;
86136+ mnt = mnt->mnt_parent;
86137+ vfsmnt = &mnt->mnt;
86138+ continue;
86139+ }
86140+ parent = dentry->d_parent;
86141+ prefetch(parent);
86142+ spin_lock(&dentry->d_lock);
86143+ error = prepend_name(buffer, buflen, &dentry->d_name);
86144+ spin_unlock(&dentry->d_lock);
86145+ if (!error)
86146+ error = prepend(buffer, buflen, "/", 1);
86147+ if (error)
86148+ break;
86149+
86150+ slash = true;
86151+ dentry = parent;
86152+ }
86153+
86154+out:
86155+ if (!error && !slash)
86156+ error = prepend(buffer, buflen, "/", 1);
86157+
86158+ return error;
86159+}
86160+
86161+/* this must be called with mount_lock and rename_lock held */
86162+
86163+static char *__our_d_path(const struct path *path, struct path *root,
86164+ char *buf, int buflen)
86165+{
86166+ char *res = buf + buflen;
86167+ int error;
86168+
86169+ prepend(&res, &buflen, "\0", 1);
86170+ error = prepend_path(path, root, &res, &buflen);
86171+ if (error)
86172+ return ERR_PTR(error);
86173+
86174+ return res;
86175+}
86176+
86177+static char *
86178+gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
86179+{
86180+ char *retval;
86181+
86182+ retval = __our_d_path(path, root, buf, buflen);
86183+ if (unlikely(IS_ERR(retval)))
86184+ retval = strcpy(buf, "<path too long>");
86185+ else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
86186+ retval[1] = '\0';
86187+
86188+ return retval;
86189+}
86190+
86191+static char *
86192+__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
86193+ char *buf, int buflen)
86194+{
86195+ struct path path;
86196+ char *res;
86197+
86198+ path.dentry = (struct dentry *)dentry;
86199+ path.mnt = (struct vfsmount *)vfsmnt;
86200+
86201+ /* we can use gr_real_root.dentry, gr_real_root.mnt, because this is only called
86202+ by the RBAC system */
86203+ res = gen_full_path(&path, &gr_real_root, buf, buflen);
86204+
86205+ return res;
86206+}
86207+
86208+static char *
86209+d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
86210+ char *buf, int buflen)
86211+{
86212+ char *res;
86213+ struct path path;
86214+ struct path root;
86215+ struct task_struct *reaper = init_pid_ns.child_reaper;
86216+
86217+ path.dentry = (struct dentry *)dentry;
86218+ path.mnt = (struct vfsmount *)vfsmnt;
86219+
86220+ /* we can't use gr_real_root.dentry, gr_real_root.mnt, because they belong only to the RBAC system */
86221+ get_fs_root(reaper->fs, &root);
86222+
86223+ read_seqlock_excl(&mount_lock);
86224+ write_seqlock(&rename_lock);
86225+ res = gen_full_path(&path, &root, buf, buflen);
86226+ write_sequnlock(&rename_lock);
86227+ read_sequnlock_excl(&mount_lock);
86228+
86229+ path_put(&root);
86230+ return res;
86231+}
86232+
86233+char *
86234+gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
86235+{
86236+ char *ret;
86237+ read_seqlock_excl(&mount_lock);
86238+ write_seqlock(&rename_lock);
86239+ ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
86240+ PAGE_SIZE);
86241+ write_sequnlock(&rename_lock);
86242+ read_sequnlock_excl(&mount_lock);
86243+ return ret;
86244+}
86245+
86246+static char *
86247+gr_to_proc_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
86248+{
86249+ char *ret;
86250+ char *buf;
86251+ int buflen;
86252+
86253+ read_seqlock_excl(&mount_lock);
86254+ write_seqlock(&rename_lock);
86255+ buf = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
86256+ ret = __d_real_path(dentry, mnt, buf, PAGE_SIZE - 6);
86257+ buflen = (int)(ret - buf);
86258+ if (buflen >= 5)
86259+ prepend(&ret, &buflen, "/proc", 5);
86260+ else
86261+ ret = strcpy(buf, "<path too long>");
86262+ write_sequnlock(&rename_lock);
86263+ read_sequnlock_excl(&mount_lock);
86264+ return ret;
86265+}
86266+
86267+char *
86268+gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
86269+{
86270+ return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
86271+ PAGE_SIZE);
86272+}
86273+
86274+char *
86275+gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
86276+{
86277+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
86278+ PAGE_SIZE);
86279+}
86280+
86281+char *
86282+gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
86283+{
86284+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
86285+ PAGE_SIZE);
86286+}
86287+
86288+char *
86289+gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
86290+{
86291+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
86292+ PAGE_SIZE);
86293+}
86294+
86295+char *
86296+gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
86297+{
86298+ return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
86299+ PAGE_SIZE);
86300+}
86301+
86302+__u32
86303+to_gr_audit(const __u32 reqmode)
86304+{
86305+ /* masks off auditable permission flags, then shifts them to create
86306+ auditing flags, and adds the special case of append auditing if
86307+ we're requesting write */
86308+ return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
86309+}
86310+
86311+struct acl_role_label *
86312+__lookup_acl_role_label(const struct gr_policy_state *state, const struct task_struct *task, const uid_t uid,
86313+ const gid_t gid)
86314+{
86315+ unsigned int index = gr_rhash(uid, GR_ROLE_USER, state->acl_role_set.r_size);
86316+ struct acl_role_label *match;
86317+ struct role_allowed_ip *ipp;
86318+ unsigned int x;
86319+ u32 curr_ip = task->signal->saved_ip;
86320+
86321+ match = state->acl_role_set.r_hash[index];
86322+
86323+ while (match) {
86324+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
86325+ for (x = 0; x < match->domain_child_num; x++) {
86326+ if (match->domain_children[x] == uid)
86327+ goto found;
86328+ }
86329+ } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
86330+ break;
86331+ match = match->next;
86332+ }
86333+found:
86334+ if (match == NULL) {
86335+ try_group:
86336+ index = gr_rhash(gid, GR_ROLE_GROUP, state->acl_role_set.r_size);
86337+ match = state->acl_role_set.r_hash[index];
86338+
86339+ while (match) {
86340+ if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
86341+ for (x = 0; x < match->domain_child_num; x++) {
86342+ if (match->domain_children[x] == gid)
86343+ goto found2;
86344+ }
86345+ } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
86346+ break;
86347+ match = match->next;
86348+ }
86349+found2:
86350+ if (match == NULL)
86351+ match = state->default_role;
86352+ if (match->allowed_ips == NULL)
86353+ return match;
86354+ else {
86355+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
86356+ if (likely
86357+ ((ntohl(curr_ip) & ipp->netmask) ==
86358+ (ntohl(ipp->addr) & ipp->netmask)))
86359+ return match;
86360+ }
86361+ match = state->default_role;
86362+ }
86363+ } else if (match->allowed_ips == NULL) {
86364+ return match;
86365+ } else {
86366+ for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
86367+ if (likely
86368+ ((ntohl(curr_ip) & ipp->netmask) ==
86369+ (ntohl(ipp->addr) & ipp->netmask)))
86370+ return match;
86371+ }
86372+ goto try_group;
86373+ }
86374+
86375+ return match;
86376+}
86377+
86378+static struct acl_role_label *
86379+lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
86380+ const gid_t gid)
86381+{
86382+ return __lookup_acl_role_label(&running_polstate, task, uid, gid);
86383+}
86384+
86385+struct acl_subject_label *
86386+lookup_acl_subj_label(const u64 ino, const dev_t dev,
86387+ const struct acl_role_label *role)
86388+{
86389+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
86390+ struct acl_subject_label *match;
86391+
86392+ match = role->subj_hash[index];
86393+
86394+ while (match && (match->inode != ino || match->device != dev ||
86395+ (match->mode & GR_DELETED))) {
86396+ match = match->next;
86397+ }
86398+
86399+ if (match && !(match->mode & GR_DELETED))
86400+ return match;
86401+ else
86402+ return NULL;
86403+}
86404+
86405+struct acl_subject_label *
86406+lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev,
86407+ const struct acl_role_label *role)
86408+{
86409+ unsigned int index = gr_fhash(ino, dev, role->subj_hash_size);
86410+ struct acl_subject_label *match;
86411+
86412+ match = role->subj_hash[index];
86413+
86414+ while (match && (match->inode != ino || match->device != dev ||
86415+ !(match->mode & GR_DELETED))) {
86416+ match = match->next;
86417+ }
86418+
86419+ if (match && (match->mode & GR_DELETED))
86420+ return match;
86421+ else
86422+ return NULL;
86423+}
86424+
86425+static struct acl_object_label *
86426+lookup_acl_obj_label(const u64 ino, const dev_t dev,
86427+ const struct acl_subject_label *subj)
86428+{
86429+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
86430+ struct acl_object_label *match;
86431+
86432+ match = subj->obj_hash[index];
86433+
86434+ while (match && (match->inode != ino || match->device != dev ||
86435+ (match->mode & GR_DELETED))) {
86436+ match = match->next;
86437+ }
86438+
86439+ if (match && !(match->mode & GR_DELETED))
86440+ return match;
86441+ else
86442+ return NULL;
86443+}
86444+
86445+static struct acl_object_label *
86446+lookup_acl_obj_label_create(const u64 ino, const dev_t dev,
86447+ const struct acl_subject_label *subj)
86448+{
86449+ unsigned int index = gr_fhash(ino, dev, subj->obj_hash_size);
86450+ struct acl_object_label *match;
86451+
86452+ match = subj->obj_hash[index];
86453+
86454+ while (match && (match->inode != ino || match->device != dev ||
86455+ !(match->mode & GR_DELETED))) {
86456+ match = match->next;
86457+ }
86458+
86459+ if (match && (match->mode & GR_DELETED))
86460+ return match;
86461+
86462+ match = subj->obj_hash[index];
86463+
86464+ while (match && (match->inode != ino || match->device != dev ||
86465+ (match->mode & GR_DELETED))) {
86466+ match = match->next;
86467+ }
86468+
86469+ if (match && !(match->mode & GR_DELETED))
86470+ return match;
86471+ else
86472+ return NULL;
86473+}
86474+
86475+struct name_entry *
86476+__lookup_name_entry(const struct gr_policy_state *state, const char *name)
86477+{
86478+ unsigned int len = strlen(name);
86479+ unsigned int key = full_name_hash(name, len);
86480+ unsigned int index = key % state->name_set.n_size;
86481+ struct name_entry *match;
86482+
86483+ match = state->name_set.n_hash[index];
86484+
86485+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
86486+ match = match->next;
86487+
86488+ return match;
86489+}
86490+
86491+static struct name_entry *
86492+lookup_name_entry(const char *name)
86493+{
86494+ return __lookup_name_entry(&running_polstate, name);
86495+}
86496+
86497+static struct name_entry *
86498+lookup_name_entry_create(const char *name)
86499+{
86500+ unsigned int len = strlen(name);
86501+ unsigned int key = full_name_hash(name, len);
86502+ unsigned int index = key % running_polstate.name_set.n_size;
86503+ struct name_entry *match;
86504+
86505+ match = running_polstate.name_set.n_hash[index];
86506+
86507+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
86508+ !match->deleted))
86509+ match = match->next;
86510+
86511+ if (match && match->deleted)
86512+ return match;
86513+
86514+ match = running_polstate.name_set.n_hash[index];
86515+
86516+ while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
86517+ match->deleted))
86518+ match = match->next;
86519+
86520+ if (match && !match->deleted)
86521+ return match;
86522+ else
86523+ return NULL;
86524+}
86525+
86526+static struct inodev_entry *
86527+lookup_inodev_entry(const u64 ino, const dev_t dev)
86528+{
86529+ unsigned int index = gr_fhash(ino, dev, running_polstate.inodev_set.i_size);
86530+ struct inodev_entry *match;
86531+
86532+ match = running_polstate.inodev_set.i_hash[index];
86533+
86534+ while (match && (match->nentry->inode != ino || match->nentry->device != dev))
86535+ match = match->next;
86536+
86537+ return match;
86538+}
86539+
86540+void
86541+__insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry)
86542+{
86543+ unsigned int index = gr_fhash(entry->nentry->inode, entry->nentry->device,
86544+ state->inodev_set.i_size);
86545+ struct inodev_entry **curr;
86546+
86547+ entry->prev = NULL;
86548+
86549+ curr = &state->inodev_set.i_hash[index];
86550+ if (*curr != NULL)
86551+ (*curr)->prev = entry;
86552+
86553+ entry->next = *curr;
86554+ *curr = entry;
86555+
86556+ return;
86557+}
86558+
86559+static void
86560+insert_inodev_entry(struct inodev_entry *entry)
86561+{
86562+ __insert_inodev_entry(&running_polstate, entry);
86563+}
86564+
86565+void
86566+insert_acl_obj_label(struct acl_object_label *obj,
86567+ struct acl_subject_label *subj)
86568+{
86569+ unsigned int index =
86570+ gr_fhash(obj->inode, obj->device, subj->obj_hash_size);
86571+ struct acl_object_label **curr;
86572+
86573+ obj->prev = NULL;
86574+
86575+ curr = &subj->obj_hash[index];
86576+ if (*curr != NULL)
86577+ (*curr)->prev = obj;
86578+
86579+ obj->next = *curr;
86580+ *curr = obj;
86581+
86582+ return;
86583+}
86584+
86585+void
86586+insert_acl_subj_label(struct acl_subject_label *obj,
86587+ struct acl_role_label *role)
86588+{
86589+ unsigned int index = gr_fhash(obj->inode, obj->device, role->subj_hash_size);
86590+ struct acl_subject_label **curr;
86591+
86592+ obj->prev = NULL;
86593+
86594+ curr = &role->subj_hash[index];
86595+ if (*curr != NULL)
86596+ (*curr)->prev = obj;
86597+
86598+ obj->next = *curr;
86599+ *curr = obj;
86600+
86601+ return;
86602+}
86603+
86604+/* derived from glibc fnmatch() 0: match, 1: no match*/
86605+
86606+static int
86607+glob_match(const char *p, const char *n)
86608+{
86609+ char c;
86610+
86611+ while ((c = *p++) != '\0') {
86612+ switch (c) {
86613+ case '?':
86614+ if (*n == '\0')
86615+ return 1;
86616+ else if (*n == '/')
86617+ return 1;
86618+ break;
86619+ case '\\':
86620+ if (*n != c)
86621+ return 1;
86622+ break;
86623+ case '*':
86624+ for (c = *p++; c == '?' || c == '*'; c = *p++) {
86625+ if (*n == '/')
86626+ return 1;
86627+ else if (c == '?') {
86628+ if (*n == '\0')
86629+ return 1;
86630+ else
86631+ ++n;
86632+ }
86633+ }
86634+ if (c == '\0') {
86635+ return 0;
86636+ } else {
86637+ const char *endp;
86638+
86639+ if ((endp = strchr(n, '/')) == NULL)
86640+ endp = n + strlen(n);
86641+
86642+ if (c == '[') {
86643+ for (--p; n < endp; ++n)
86644+ if (!glob_match(p, n))
86645+ return 0;
86646+ } else if (c == '/') {
86647+ while (*n != '\0' && *n != '/')
86648+ ++n;
86649+ if (*n == '/' && !glob_match(p, n + 1))
86650+ return 0;
86651+ } else {
86652+ for (--p; n < endp; ++n)
86653+ if (*n == c && !glob_match(p, n))
86654+ return 0;
86655+ }
86656+
86657+ return 1;
86658+ }
86659+ case '[':
86660+ {
86661+ int not;
86662+ char cold;
86663+
86664+ if (*n == '\0' || *n == '/')
86665+ return 1;
86666+
86667+ not = (*p == '!' || *p == '^');
86668+ if (not)
86669+ ++p;
86670+
86671+ c = *p++;
86672+ for (;;) {
86673+ unsigned char fn = (unsigned char)*n;
86674+
86675+ if (c == '\0')
86676+ return 1;
86677+ else {
86678+ if (c == fn)
86679+ goto matched;
86680+ cold = c;
86681+ c = *p++;
86682+
86683+ if (c == '-' && *p != ']') {
86684+ unsigned char cend = *p++;
86685+
86686+ if (cend == '\0')
86687+ return 1;
86688+
86689+ if (cold <= fn && fn <= cend)
86690+ goto matched;
86691+
86692+ c = *p++;
86693+ }
86694+ }
86695+
86696+ if (c == ']')
86697+ break;
86698+ }
86699+ if (!not)
86700+ return 1;
86701+ break;
86702+ matched:
86703+ while (c != ']') {
86704+ if (c == '\0')
86705+ return 1;
86706+
86707+ c = *p++;
86708+ }
86709+ if (not)
86710+ return 1;
86711+ }
86712+ break;
86713+ default:
86714+ if (c != *n)
86715+ return 1;
86716+ }
86717+
86718+ ++n;
86719+ }
86720+
86721+ if (*n == '\0')
86722+ return 0;
86723+
86724+ if (*n == '/')
86725+ return 0;
86726+
86727+ return 1;
86728+}
86729+
86730+static struct acl_object_label *
86731+chk_glob_label(struct acl_object_label *globbed,
86732+ const struct dentry *dentry, const struct vfsmount *mnt, char **path)
86733+{
86734+ struct acl_object_label *tmp;
86735+
86736+ if (*path == NULL)
86737+ *path = gr_to_filename_nolock(dentry, mnt);
86738+
86739+ tmp = globbed;
86740+
86741+ while (tmp) {
86742+ if (!glob_match(tmp->filename, *path))
86743+ return tmp;
86744+ tmp = tmp->next;
86745+ }
86746+
86747+ return NULL;
86748+}
86749+
86750+static struct acl_object_label *
86751+__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
86752+ const u64 curr_ino, const dev_t curr_dev,
86753+ const struct acl_subject_label *subj, char **path, const int checkglob)
86754+{
86755+ struct acl_subject_label *tmpsubj;
86756+ struct acl_object_label *retval;
86757+ struct acl_object_label *retval2;
86758+
86759+ tmpsubj = (struct acl_subject_label *) subj;
86760+ read_lock(&gr_inode_lock);
86761+ do {
86762+ retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
86763+ if (retval) {
86764+ if (checkglob && retval->globbed) {
86765+ retval2 = chk_glob_label(retval->globbed, orig_dentry, orig_mnt, path);
86766+ if (retval2)
86767+ retval = retval2;
86768+ }
86769+ break;
86770+ }
86771+ } while ((tmpsubj = tmpsubj->parent_subject));
86772+ read_unlock(&gr_inode_lock);
86773+
86774+ return retval;
86775+}
86776+
86777+static struct acl_object_label *
86778+full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
86779+ struct dentry *curr_dentry,
86780+ const struct acl_subject_label *subj, char **path, const int checkglob)
86781+{
86782+ int newglob = checkglob;
86783+ u64 inode;
86784+ dev_t device;
86785+
86786+ /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
86787+ as we don't want a / * rule to match instead of the / object
86788+ don't do this for create lookups that call this function though, since they're looking up
86789+ on the parent and thus need globbing checks on all paths
86790+ */
86791+ if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
86792+ newglob = GR_NO_GLOB;
86793+
86794+ spin_lock(&curr_dentry->d_lock);
86795+ inode = __get_ino(curr_dentry);
86796+ device = __get_dev(curr_dentry);
86797+ spin_unlock(&curr_dentry->d_lock);
86798+
86799+ return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
86800+}
86801+
86802+#ifdef CONFIG_HUGETLBFS
86803+static inline bool
86804+is_hugetlbfs_mnt(const struct vfsmount *mnt)
86805+{
86806+ int i;
86807+ for (i = 0; i < HUGE_MAX_HSTATE; i++) {
86808+ if (unlikely(hugetlbfs_vfsmount[i] == mnt))
86809+ return true;
86810+ }
86811+
86812+ return false;
86813+}
86814+#endif
86815+
86816+static struct acl_object_label *
86817+__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86818+ const struct acl_subject_label *subj, char *path, const int checkglob)
86819+{
86820+ struct dentry *dentry = (struct dentry *) l_dentry;
86821+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
86822+ struct inode * inode = d_backing_inode(dentry);
86823+ struct mount *real_mnt = real_mount(mnt);
86824+ struct acl_object_label *retval;
86825+ struct dentry *parent;
86826+
86827+ read_seqlock_excl(&mount_lock);
86828+ write_seqlock(&rename_lock);
86829+
86830+ if (unlikely((mnt == shm_mnt && inode->i_nlink == 0) || mnt == pipe_mnt ||
86831+#ifdef CONFIG_NET
86832+ mnt == sock_mnt ||
86833+#endif
86834+#ifdef CONFIG_HUGETLBFS
86835+ (is_hugetlbfs_mnt(mnt) && inode->i_nlink == 0) ||
86836+#endif
86837+ /* ignore Eric Biederman */
86838+ IS_PRIVATE(inode))) {
86839+ retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
86840+ goto out;
86841+ }
86842+
86843+ for (;;) {
86844+ if (dentry == gr_real_root.dentry && mnt == gr_real_root.mnt)
86845+ break;
86846+
86847+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
86848+ if (!mnt_has_parent(real_mnt))
86849+ break;
86850+
86851+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
86852+ if (retval != NULL)
86853+ goto out;
86854+
86855+ dentry = real_mnt->mnt_mountpoint;
86856+ real_mnt = real_mnt->mnt_parent;
86857+ mnt = &real_mnt->mnt;
86858+ continue;
86859+ }
86860+
86861+ parent = dentry->d_parent;
86862+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
86863+ if (retval != NULL)
86864+ goto out;
86865+
86866+ dentry = parent;
86867+ }
86868+
86869+ retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
86870+
86871+ /* gr_real_root is pinned so we don't have to hold a reference */
86872+ if (retval == NULL)
86873+ retval = full_lookup(l_dentry, l_mnt, gr_real_root.dentry, subj, &path, checkglob);
86874+out:
86875+ write_sequnlock(&rename_lock);
86876+ read_sequnlock_excl(&mount_lock);
86877+
86878+ BUG_ON(retval == NULL);
86879+
86880+ return retval;
86881+}
86882+
86883+static struct acl_object_label *
86884+chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86885+ const struct acl_subject_label *subj)
86886+{
86887+ char *path = NULL;
86888+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
86889+}
86890+
86891+static struct acl_object_label *
86892+chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86893+ const struct acl_subject_label *subj)
86894+{
86895+ char *path = NULL;
86896+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
86897+}
86898+
86899+static struct acl_object_label *
86900+chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86901+ const struct acl_subject_label *subj, char *path)
86902+{
86903+ return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
86904+}
86905+
86906+struct acl_subject_label *
86907+chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
86908+ const struct acl_role_label *role)
86909+{
86910+ struct dentry *dentry = (struct dentry *) l_dentry;
86911+ struct vfsmount *mnt = (struct vfsmount *) l_mnt;
86912+ struct mount *real_mnt = real_mount(mnt);
86913+ struct acl_subject_label *retval;
86914+ struct dentry *parent;
86915+
86916+ read_seqlock_excl(&mount_lock);
86917+ write_seqlock(&rename_lock);
86918+
86919+ for (;;) {
86920+ if (dentry == gr_real_root.dentry && mnt == gr_real_root.mnt)
86921+ break;
86922+ if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
86923+ if (!mnt_has_parent(real_mnt))
86924+ break;
86925+
86926+ spin_lock(&dentry->d_lock);
86927+ read_lock(&gr_inode_lock);
86928+ retval =
86929+ lookup_acl_subj_label(__get_ino(dentry),
86930+ __get_dev(dentry), role);
86931+ read_unlock(&gr_inode_lock);
86932+ spin_unlock(&dentry->d_lock);
86933+ if (retval != NULL)
86934+ goto out;
86935+
86936+ dentry = real_mnt->mnt_mountpoint;
86937+ real_mnt = real_mnt->mnt_parent;
86938+ mnt = &real_mnt->mnt;
86939+ continue;
86940+ }
86941+
86942+ spin_lock(&dentry->d_lock);
86943+ read_lock(&gr_inode_lock);
86944+ retval = lookup_acl_subj_label(__get_ino(dentry),
86945+ __get_dev(dentry), role);
86946+ read_unlock(&gr_inode_lock);
86947+ parent = dentry->d_parent;
86948+ spin_unlock(&dentry->d_lock);
86949+
86950+ if (retval != NULL)
86951+ goto out;
86952+
86953+ dentry = parent;
86954+ }
86955+
86956+ spin_lock(&dentry->d_lock);
86957+ read_lock(&gr_inode_lock);
86958+ retval = lookup_acl_subj_label(__get_ino(dentry),
86959+ __get_dev(dentry), role);
86960+ read_unlock(&gr_inode_lock);
86961+ spin_unlock(&dentry->d_lock);
86962+
86963+ if (unlikely(retval == NULL)) {
86964+ /* gr_real_root is pinned, we don't need to hold a reference */
86965+ read_lock(&gr_inode_lock);
86966+ retval = lookup_acl_subj_label(__get_ino(gr_real_root.dentry),
86967+ __get_dev(gr_real_root.dentry), role);
86968+ read_unlock(&gr_inode_lock);
86969+ }
86970+out:
86971+ write_sequnlock(&rename_lock);
86972+ read_sequnlock_excl(&mount_lock);
86973+
86974+ BUG_ON(retval == NULL);
86975+
86976+ return retval;
86977+}
86978+
86979+void
86980+assign_special_role(const char *rolename)
86981+{
86982+ struct acl_object_label *obj;
86983+ struct acl_role_label *r;
86984+ struct acl_role_label *assigned = NULL;
86985+ struct task_struct *tsk;
86986+ struct file *filp;
86987+
86988+ FOR_EACH_ROLE_START(r)
86989+ if (!strcmp(rolename, r->rolename) &&
86990+ (r->roletype & GR_ROLE_SPECIAL)) {
86991+ assigned = r;
86992+ break;
86993+ }
86994+ FOR_EACH_ROLE_END(r)
86995+
86996+ if (!assigned)
86997+ return;
86998+
86999+ read_lock(&tasklist_lock);
87000+ read_lock(&grsec_exec_file_lock);
87001+
87002+ tsk = current->real_parent;
87003+ if (tsk == NULL)
87004+ goto out_unlock;
87005+
87006+ filp = tsk->exec_file;
87007+ if (filp == NULL)
87008+ goto out_unlock;
87009+
87010+ tsk->is_writable = 0;
87011+ tsk->inherited = 0;
87012+
87013+ tsk->acl_sp_role = 1;
87014+ tsk->acl_role_id = ++acl_sp_role_value;
87015+ tsk->role = assigned;
87016+ tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
87017+
87018+ /* ignore additional mmap checks for processes that are writable
87019+ by the default ACL */
87020+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, running_polstate.default_role->root_label);
87021+ if (unlikely(obj->mode & GR_WRITE))
87022+ tsk->is_writable = 1;
87023+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
87024+ if (unlikely(obj->mode & GR_WRITE))
87025+ tsk->is_writable = 1;
87026+
87027+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
87028+ printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename,
87029+ tsk->acl->filename, tsk->comm, task_pid_nr(tsk));
87030+#endif
87031+
87032+out_unlock:
87033+ read_unlock(&grsec_exec_file_lock);
87034+ read_unlock(&tasklist_lock);
87035+ return;
87036+}
87037+
87038+
87039+static void
87040+gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
87041+{
87042+ struct task_struct *task = current;
87043+ const struct cred *cred = current_cred();
87044+
87045+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
87046+ GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
87047+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
87048+ 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
87049+
87050+ return;
87051+}
87052+
87053+static void
87054+gr_log_learn_uid_change(const kuid_t real, const kuid_t effective, const kuid_t fs)
87055+{
87056+ struct task_struct *task = current;
87057+ const struct cred *cred = current_cred();
87058+
87059+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
87060+ GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
87061+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
87062+ 'u', GR_GLOBAL_UID(real), GR_GLOBAL_UID(effective), GR_GLOBAL_UID(fs), &task->signal->saved_ip);
87063+
87064+ return;
87065+}
87066+
87067+static void
87068+gr_log_learn_gid_change(const kgid_t real, const kgid_t effective, const kgid_t fs)
87069+{
87070+ struct task_struct *task = current;
87071+ const struct cred *cred = current_cred();
87072+
87073+ security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
87074+ GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
87075+ task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
87076+ 'g', GR_GLOBAL_GID(real), GR_GLOBAL_GID(effective), GR_GLOBAL_GID(fs), &task->signal->saved_ip);
87077+
87078+ return;
87079+}
87080+
87081+static void
87082+gr_set_proc_res(struct task_struct *task)
87083+{
87084+ struct acl_subject_label *proc;
87085+ unsigned short i;
87086+
87087+ proc = task->acl;
87088+
87089+ if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
87090+ return;
87091+
87092+ for (i = 0; i < RLIM_NLIMITS; i++) {
87093+ unsigned long rlim_cur, rlim_max;
87094+
87095+ if (!(proc->resmask & (1U << i)))
87096+ continue;
87097+
87098+ rlim_cur = proc->res[i].rlim_cur;
87099+ rlim_max = proc->res[i].rlim_max;
87100+
87101+ if (i == RLIMIT_NOFILE) {
87102+ unsigned long saved_sysctl_nr_open = sysctl_nr_open;
87103+ if (rlim_cur > saved_sysctl_nr_open)
87104+ rlim_cur = saved_sysctl_nr_open;
87105+ if (rlim_max > saved_sysctl_nr_open)
87106+ rlim_max = saved_sysctl_nr_open;
87107+ }
87108+
87109+ task->signal->rlim[i].rlim_cur = rlim_cur;
87110+ task->signal->rlim[i].rlim_max = rlim_max;
87111+
87112+ if (i == RLIMIT_CPU)
87113+ update_rlimit_cpu(task, rlim_cur);
87114+ }
87115+
87116+ return;
87117+}
87118+
87119+/* both of the below must be called with
87120+ rcu_read_lock();
87121+ read_lock(&tasklist_lock);
87122+ read_lock(&grsec_exec_file_lock);
87123+ except in the case of gr_set_role_label() (for __gr_get_subject_for_task)
87124+*/
87125+
87126+struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback)
87127+{
87128+ char *tmpname;
87129+ struct acl_subject_label *tmpsubj;
87130+ struct file *filp;
87131+ struct name_entry *nmatch;
87132+
87133+ filp = task->exec_file;
87134+ if (filp == NULL)
87135+ return NULL;
87136+
87137+ /* the following is to apply the correct subject
87138+ on binaries running when the RBAC system
87139+ is enabled, when the binaries have been
87140+ replaced or deleted since their execution
87141+ -----
87142+ when the RBAC system starts, the inode/dev
87143+ from exec_file will be one the RBAC system
87144+ is unaware of. It only knows the inode/dev
87145+ of the present file on disk, or the absence
87146+ of it.
87147+ */
87148+
87149+ if (filename)
87150+ nmatch = __lookup_name_entry(state, filename);
87151+ else {
87152+ preempt_disable();
87153+ tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
87154+
87155+ nmatch = __lookup_name_entry(state, tmpname);
87156+ preempt_enable();
87157+ }
87158+ tmpsubj = NULL;
87159+ if (nmatch) {
87160+ if (nmatch->deleted)
87161+ tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
87162+ else
87163+ tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
87164+ }
87165+ /* this also works for the reload case -- if we don't match a potentially inherited subject
87166+ then we fall back to a normal lookup based on the binary's ino/dev
87167+ */
87168+ if (tmpsubj == NULL && fallback)
87169+ tmpsubj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, task->role);
87170+
87171+ return tmpsubj;
87172+}
87173+
87174+static struct acl_subject_label *gr_get_subject_for_task(struct task_struct *task, const char *filename, int fallback)
87175+{
87176+ return __gr_get_subject_for_task(&running_polstate, task, filename, fallback);
87177+}
87178+
87179+void __gr_apply_subject_to_task(const struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj)
87180+{
87181+ struct acl_object_label *obj;
87182+ struct file *filp;
87183+
87184+ filp = task->exec_file;
87185+
87186+ task->acl = subj;
87187+ task->is_writable = 0;
87188+ /* ignore additional mmap checks for processes that are writable
87189+ by the default ACL */
87190+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, state->default_role->root_label);
87191+ if (unlikely(obj->mode & GR_WRITE))
87192+ task->is_writable = 1;
87193+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
87194+ if (unlikely(obj->mode & GR_WRITE))
87195+ task->is_writable = 1;
87196+
87197+ gr_set_proc_res(task);
87198+
87199+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
87200+ printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
87201+#endif
87202+}
87203+
87204+static void gr_apply_subject_to_task(struct task_struct *task, struct acl_subject_label *subj)
87205+{
87206+ __gr_apply_subject_to_task(&running_polstate, task, subj);
87207+}
87208+
87209+__u32
87210+gr_search_file(const struct dentry * dentry, const __u32 mode,
87211+ const struct vfsmount * mnt)
87212+{
87213+ __u32 retval = mode;
87214+ struct acl_subject_label *curracl;
87215+ struct acl_object_label *currobj;
87216+
87217+ if (unlikely(!(gr_status & GR_READY)))
87218+ return (mode & ~GR_AUDITS);
87219+
87220+ curracl = current->acl;
87221+
87222+ currobj = chk_obj_label(dentry, mnt, curracl);
87223+ retval = currobj->mode & mode;
87224+
87225+ /* if we're opening a specified transfer file for writing
87226+ (e.g. /dev/initctl), then transfer our role to init
87227+ */
87228+ if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
87229+ current->role->roletype & GR_ROLE_PERSIST)) {
87230+ struct task_struct *task = init_pid_ns.child_reaper;
87231+
87232+ if (task->role != current->role) {
87233+ struct acl_subject_label *subj;
87234+
87235+ task->acl_sp_role = 0;
87236+ task->acl_role_id = current->acl_role_id;
87237+ task->role = current->role;
87238+ rcu_read_lock();
87239+ read_lock(&grsec_exec_file_lock);
87240+ subj = gr_get_subject_for_task(task, NULL, 1);
87241+ gr_apply_subject_to_task(task, subj);
87242+ read_unlock(&grsec_exec_file_lock);
87243+ rcu_read_unlock();
87244+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
87245+ }
87246+ }
87247+
87248+ if (unlikely
87249+ ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
87250+ && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
87251+ __u32 new_mode = mode;
87252+
87253+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
87254+
87255+ retval = new_mode;
87256+
87257+ if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
87258+ new_mode |= GR_INHERIT;
87259+
87260+ if (!(mode & GR_NOLEARN))
87261+ gr_log_learn(dentry, mnt, new_mode);
87262+ }
87263+
87264+ return retval;
87265+}
87266+
87267+struct acl_object_label *gr_get_create_object(const struct dentry *new_dentry,
87268+ const struct dentry *parent,
87269+ const struct vfsmount *mnt)
87270+{
87271+ struct name_entry *match;
87272+ struct acl_object_label *matchpo;
87273+ struct acl_subject_label *curracl;
87274+ char *path;
87275+
87276+ if (unlikely(!(gr_status & GR_READY)))
87277+ return NULL;
87278+
87279+ preempt_disable();
87280+ path = gr_to_filename_rbac(new_dentry, mnt);
87281+ match = lookup_name_entry_create(path);
87282+
87283+ curracl = current->acl;
87284+
87285+ if (match) {
87286+ read_lock(&gr_inode_lock);
87287+ matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
87288+ read_unlock(&gr_inode_lock);
87289+
87290+ if (matchpo) {
87291+ preempt_enable();
87292+ return matchpo;
87293+ }
87294+ }
87295+
87296+ // lookup parent
87297+
87298+ matchpo = chk_obj_create_label(parent, mnt, curracl, path);
87299+
87300+ preempt_enable();
87301+ return matchpo;
87302+}
87303+
87304+__u32
87305+gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
87306+ const struct vfsmount * mnt, const __u32 mode)
87307+{
87308+ struct acl_object_label *matchpo;
87309+ __u32 retval;
87310+
87311+ if (unlikely(!(gr_status & GR_READY)))
87312+ return (mode & ~GR_AUDITS);
87313+
87314+ matchpo = gr_get_create_object(new_dentry, parent, mnt);
87315+
87316+ retval = matchpo->mode & mode;
87317+
87318+ if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
87319+ && (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
87320+ __u32 new_mode = mode;
87321+
87322+ new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
87323+
87324+ gr_log_learn(new_dentry, mnt, new_mode);
87325+ return new_mode;
87326+ }
87327+
87328+ return retval;
87329+}
87330+
87331+__u32
87332+gr_check_link(const struct dentry * new_dentry,
87333+ const struct dentry * parent_dentry,
87334+ const struct vfsmount * parent_mnt,
87335+ const struct dentry * old_dentry, const struct vfsmount * old_mnt)
87336+{
87337+ struct acl_object_label *obj;
87338+ __u32 oldmode, newmode;
87339+ __u32 needmode;
87340+ __u32 checkmodes = GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC | GR_SETID | GR_READ |
87341+ GR_DELETE | GR_INHERIT;
87342+
87343+ if (unlikely(!(gr_status & GR_READY)))
87344+ return (GR_CREATE | GR_LINK);
87345+
87346+ obj = chk_obj_label(old_dentry, old_mnt, current->acl);
87347+ oldmode = obj->mode;
87348+
87349+ obj = gr_get_create_object(new_dentry, parent_dentry, parent_mnt);
87350+ newmode = obj->mode;
87351+
87352+ needmode = newmode & checkmodes;
87353+
87354+ // old name for hardlink must have at least the permissions of the new name
87355+ if ((oldmode & needmode) != needmode)
87356+ goto bad;
87357+
87358+ // if old name had restrictions/auditing, make sure the new name does as well
87359+ needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
87360+
87361+ // don't allow hardlinking of suid/sgid/fcapped files without permission
87362+ if (is_privileged_binary(old_dentry))
87363+ needmode |= GR_SETID;
87364+
87365+ if ((newmode & needmode) != needmode)
87366+ goto bad;
87367+
87368+ // enforce minimum permissions
87369+ if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
87370+ return newmode;
87371+bad:
87372+ needmode = oldmode;
87373+ if (is_privileged_binary(old_dentry))
87374+ needmode |= GR_SETID;
87375+
87376+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
87377+ gr_log_learn(old_dentry, old_mnt, needmode | GR_CREATE | GR_LINK);
87378+ return (GR_CREATE | GR_LINK);
87379+ } else if (newmode & GR_SUPPRESS)
87380+ return GR_SUPPRESS;
87381+ else
87382+ return 0;
87383+}
87384+
87385+int
87386+gr_check_hidden_task(const struct task_struct *task)
87387+{
87388+ if (unlikely(!(gr_status & GR_READY)))
87389+ return 0;
87390+
87391+ if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
87392+ return 1;
87393+
87394+ return 0;
87395+}
87396+
87397+int
87398+gr_check_protected_task(const struct task_struct *task)
87399+{
87400+ if (unlikely(!(gr_status & GR_READY) || !task))
87401+ return 0;
87402+
87403+ if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
87404+ task->acl != current->acl)
87405+ return 1;
87406+
87407+ return 0;
87408+}
87409+
87410+int
87411+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
87412+{
87413+ struct task_struct *p;
87414+ int ret = 0;
87415+
87416+ if (unlikely(!(gr_status & GR_READY) || !pid))
87417+ return ret;
87418+
87419+ read_lock(&tasklist_lock);
87420+ do_each_pid_task(pid, type, p) {
87421+ if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
87422+ p->acl != current->acl) {
87423+ ret = 1;
87424+ goto out;
87425+ }
87426+ } while_each_pid_task(pid, type, p);
87427+out:
87428+ read_unlock(&tasklist_lock);
87429+
87430+ return ret;
87431+}
87432+
87433+void
87434+gr_copy_label(struct task_struct *tsk)
87435+{
87436+ struct task_struct *p = current;
87437+
87438+ tsk->inherited = p->inherited;
87439+ tsk->acl_sp_role = 0;
87440+ tsk->acl_role_id = p->acl_role_id;
87441+ tsk->acl = p->acl;
87442+ tsk->role = p->role;
87443+ tsk->signal->used_accept = 0;
87444+ tsk->signal->curr_ip = p->signal->curr_ip;
87445+ tsk->signal->saved_ip = p->signal->saved_ip;
87446+ if (p->exec_file)
87447+ get_file(p->exec_file);
87448+ tsk->exec_file = p->exec_file;
87449+ tsk->is_writable = p->is_writable;
87450+ if (unlikely(p->signal->used_accept)) {
87451+ p->signal->curr_ip = 0;
87452+ p->signal->saved_ip = 0;
87453+ }
87454+
87455+ return;
87456+}
87457+
87458+extern int gr_process_kernel_setuid_ban(struct user_struct *user);
87459+
87460+int
87461+gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs)
87462+{
87463+ unsigned int i;
87464+ __u16 num;
87465+ uid_t *uidlist;
87466+ uid_t curuid;
87467+ int realok = 0;
87468+ int effectiveok = 0;
87469+ int fsok = 0;
87470+ uid_t globalreal, globaleffective, globalfs;
87471+
87472+#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT)
87473+ struct user_struct *user;
87474+
87475+ if (!uid_valid(real))
87476+ goto skipit;
87477+
87478+ /* find user based on global namespace */
87479+
87480+ globalreal = GR_GLOBAL_UID(real);
87481+
87482+ user = find_user(make_kuid(&init_user_ns, globalreal));
87483+ if (user == NULL)
87484+ goto skipit;
87485+
87486+ if (gr_process_kernel_setuid_ban(user)) {
87487+ /* for find_user */
87488+ free_uid(user);
87489+ return 1;
87490+ }
87491+
87492+ /* for find_user */
87493+ free_uid(user);
87494+
87495+skipit:
87496+#endif
87497+
87498+ if (unlikely(!(gr_status & GR_READY)))
87499+ return 0;
87500+
87501+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
87502+ gr_log_learn_uid_change(real, effective, fs);
87503+
87504+ num = current->acl->user_trans_num;
87505+ uidlist = current->acl->user_transitions;
87506+
87507+ if (uidlist == NULL)
87508+ return 0;
87509+
87510+ if (!uid_valid(real)) {
87511+ realok = 1;
87512+ globalreal = (uid_t)-1;
87513+ } else {
87514+ globalreal = GR_GLOBAL_UID(real);
87515+ }
87516+ if (!uid_valid(effective)) {
87517+ effectiveok = 1;
87518+ globaleffective = (uid_t)-1;
87519+ } else {
87520+ globaleffective = GR_GLOBAL_UID(effective);
87521+ }
87522+ if (!uid_valid(fs)) {
87523+ fsok = 1;
87524+ globalfs = (uid_t)-1;
87525+ } else {
87526+ globalfs = GR_GLOBAL_UID(fs);
87527+ }
87528+
87529+ if (current->acl->user_trans_type & GR_ID_ALLOW) {
87530+ for (i = 0; i < num; i++) {
87531+ curuid = uidlist[i];
87532+ if (globalreal == curuid)
87533+ realok = 1;
87534+ if (globaleffective == curuid)
87535+ effectiveok = 1;
87536+ if (globalfs == curuid)
87537+ fsok = 1;
87538+ }
87539+ } else if (current->acl->user_trans_type & GR_ID_DENY) {
87540+ for (i = 0; i < num; i++) {
87541+ curuid = uidlist[i];
87542+ if (globalreal == curuid)
87543+ break;
87544+ if (globaleffective == curuid)
87545+ break;
87546+ if (globalfs == curuid)
87547+ break;
87548+ }
87549+ /* not in deny list */
87550+ if (i == num) {
87551+ realok = 1;
87552+ effectiveok = 1;
87553+ fsok = 1;
87554+ }
87555+ }
87556+
87557+ if (realok && effectiveok && fsok)
87558+ return 0;
87559+ else {
87560+ gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : globalfs) : globaleffective) : globalreal);
87561+ return 1;
87562+ }
87563+}
87564+
87565+int
87566+gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs)
87567+{
87568+ unsigned int i;
87569+ __u16 num;
87570+ gid_t *gidlist;
87571+ gid_t curgid;
87572+ int realok = 0;
87573+ int effectiveok = 0;
87574+ int fsok = 0;
87575+ gid_t globalreal, globaleffective, globalfs;
87576+
87577+ if (unlikely(!(gr_status & GR_READY)))
87578+ return 0;
87579+
87580+ if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
87581+ gr_log_learn_gid_change(real, effective, fs);
87582+
87583+ num = current->acl->group_trans_num;
87584+ gidlist = current->acl->group_transitions;
87585+
87586+ if (gidlist == NULL)
87587+ return 0;
87588+
87589+ if (!gid_valid(real)) {
87590+ realok = 1;
87591+ globalreal = (gid_t)-1;
87592+ } else {
87593+ globalreal = GR_GLOBAL_GID(real);
87594+ }
87595+ if (!gid_valid(effective)) {
87596+ effectiveok = 1;
87597+ globaleffective = (gid_t)-1;
87598+ } else {
87599+ globaleffective = GR_GLOBAL_GID(effective);
87600+ }
87601+ if (!gid_valid(fs)) {
87602+ fsok = 1;
87603+ globalfs = (gid_t)-1;
87604+ } else {
87605+ globalfs = GR_GLOBAL_GID(fs);
87606+ }
87607+
87608+ if (current->acl->group_trans_type & GR_ID_ALLOW) {
87609+ for (i = 0; i < num; i++) {
87610+ curgid = gidlist[i];
87611+ if (globalreal == curgid)
87612+ realok = 1;
87613+ if (globaleffective == curgid)
87614+ effectiveok = 1;
87615+ if (globalfs == curgid)
87616+ fsok = 1;
87617+ }
87618+ } else if (current->acl->group_trans_type & GR_ID_DENY) {
87619+ for (i = 0; i < num; i++) {
87620+ curgid = gidlist[i];
87621+ if (globalreal == curgid)
87622+ break;
87623+ if (globaleffective == curgid)
87624+ break;
87625+ if (globalfs == curgid)
87626+ break;
87627+ }
87628+ /* not in deny list */
87629+ if (i == num) {
87630+ realok = 1;
87631+ effectiveok = 1;
87632+ fsok = 1;
87633+ }
87634+ }
87635+
87636+ if (realok && effectiveok && fsok)
87637+ return 0;
87638+ else {
87639+ gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : globalfs) : globaleffective) : globalreal);
87640+ return 1;
87641+ }
87642+}
87643+
87644+extern int gr_acl_is_capable(const int cap);
87645+
87646+void
87647+gr_set_role_label(struct task_struct *task, const kuid_t kuid, const kgid_t kgid)
87648+{
87649+ struct acl_role_label *role = task->role;
87650+ struct acl_role_label *origrole = role;
87651+ struct acl_subject_label *subj = NULL;
87652+ struct acl_object_label *obj;
87653+ struct file *filp;
87654+ uid_t uid;
87655+ gid_t gid;
87656+
87657+ if (unlikely(!(gr_status & GR_READY)))
87658+ return;
87659+
87660+ uid = GR_GLOBAL_UID(kuid);
87661+ gid = GR_GLOBAL_GID(kgid);
87662+
87663+ filp = task->exec_file;
87664+
87665+ /* kernel process, we'll give them the kernel role */
87666+ if (unlikely(!filp)) {
87667+ task->role = running_polstate.kernel_role;
87668+ task->acl = running_polstate.kernel_role->root_label;
87669+ return;
87670+ } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL)) {
87671+ /* save the current ip at time of role lookup so that the proper
87672+ IP will be learned for role_allowed_ip */
87673+ task->signal->saved_ip = task->signal->curr_ip;
87674+ role = lookup_acl_role_label(task, uid, gid);
87675+ }
87676+
87677+ /* don't change the role if we're not a privileged process */
87678+ if (role && task->role != role &&
87679+ (((role->roletype & GR_ROLE_USER) && !gr_acl_is_capable(CAP_SETUID)) ||
87680+ ((role->roletype & GR_ROLE_GROUP) && !gr_acl_is_capable(CAP_SETGID))))
87681+ return;
87682+
87683+ task->role = role;
87684+
87685+ if (task->inherited) {
87686+ /* if we reached our subject through inheritance, then first see
87687+ if there's a subject of the same name in the new role that has
87688+ an object that would result in the same inherited subject
87689+ */
87690+ subj = gr_get_subject_for_task(task, task->acl->filename, 0);
87691+ if (subj) {
87692+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, subj);
87693+ if (!(obj->mode & GR_INHERIT))
87694+ subj = NULL;
87695+ }
87696+
87697+ }
87698+ if (subj == NULL) {
87699+ /* otherwise:
87700+ perform subject lookup in possibly new role
87701+ we can use this result below in the case where role == task->role
87702+ */
87703+ subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
87704+ }
87705+
87706+ /* if we changed uid/gid, but result in the same role
87707+ and are using inheritance, don't lose the inherited subject
87708+ if current subject is other than what normal lookup
87709+ would result in, we arrived via inheritance, don't
87710+ lose subject
87711+ */
87712+ if (role != origrole || (!(task->acl->mode & GR_INHERITLEARN) &&
87713+ (subj == task->acl)))
87714+ task->acl = subj;
87715+
87716+ /* leave task->inherited unaffected */
87717+
87718+ task->is_writable = 0;
87719+
87720+ /* ignore additional mmap checks for processes that are writable
87721+ by the default ACL */
87722+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, running_polstate.default_role->root_label);
87723+ if (unlikely(obj->mode & GR_WRITE))
87724+ task->is_writable = 1;
87725+ obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
87726+ if (unlikely(obj->mode & GR_WRITE))
87727+ task->is_writable = 1;
87728+
87729+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
87730+ printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
87731+#endif
87732+
87733+ gr_set_proc_res(task);
87734+
87735+ return;
87736+}
87737+
87738+int
87739+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
87740+ const int unsafe_flags)
87741+{
87742+ struct task_struct *task = current;
87743+ struct acl_subject_label *newacl;
87744+ struct acl_object_label *obj;
87745+ __u32 retmode;
87746+
87747+ if (unlikely(!(gr_status & GR_READY)))
87748+ return 0;
87749+
87750+ newacl = chk_subj_label(dentry, mnt, task->role);
87751+
87752+ /* special handling for if we did an strace -f -p <pid> from an admin role, where pid then
87753+ did an exec
87754+ */
87755+ rcu_read_lock();
87756+ read_lock(&tasklist_lock);
87757+ if (task->ptrace && task->parent && ((task->parent->role->roletype & GR_ROLE_GOD) ||
87758+ (task->parent->acl->mode & GR_POVERRIDE))) {
87759+ read_unlock(&tasklist_lock);
87760+ rcu_read_unlock();
87761+ goto skip_check;
87762+ }
87763+ read_unlock(&tasklist_lock);
87764+ rcu_read_unlock();
87765+
87766+ if (unsafe_flags && !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
87767+ !(task->role->roletype & GR_ROLE_GOD) &&
87768+ !gr_search_file(dentry, GR_PTRACERD, mnt) &&
87769+ !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN))) {
87770+ if (unsafe_flags & LSM_UNSAFE_SHARE)
87771+ gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
87772+ else
87773+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
87774+ return -EACCES;
87775+ }
87776+
87777+skip_check:
87778+
87779+ obj = chk_obj_label(dentry, mnt, task->acl);
87780+ retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
87781+
87782+ if (!(task->acl->mode & GR_INHERITLEARN) &&
87783+ ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
87784+ if (obj->nested)
87785+ task->acl = obj->nested;
87786+ else
87787+ task->acl = newacl;
87788+ task->inherited = 0;
87789+ } else {
87790+ task->inherited = 1;
87791+ if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
87792+ gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
87793+ }
87794+
87795+ task->is_writable = 0;
87796+
87797+ /* ignore additional mmap checks for processes that are writable
87798+ by the default ACL */
87799+ obj = chk_obj_label(dentry, mnt, running_polstate.default_role->root_label);
87800+ if (unlikely(obj->mode & GR_WRITE))
87801+ task->is_writable = 1;
87802+ obj = chk_obj_label(dentry, mnt, task->role->root_label);
87803+ if (unlikely(obj->mode & GR_WRITE))
87804+ task->is_writable = 1;
87805+
87806+ gr_set_proc_res(task);
87807+
87808+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
87809+ printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task_pid_nr(task), task->role->rolename, task->acl->filename);
87810+#endif
87811+ return 0;
87812+}
87813+
87814+/* always called with valid inodev ptr */
87815+static void
87816+do_handle_delete(struct inodev_entry *inodev, const u64 ino, const dev_t dev)
87817+{
87818+ struct acl_object_label *matchpo;
87819+ struct acl_subject_label *matchps;
87820+ struct acl_subject_label *subj;
87821+ struct acl_role_label *role;
87822+ unsigned int x;
87823+
87824+ FOR_EACH_ROLE_START(role)
87825+ FOR_EACH_SUBJECT_START(role, subj, x)
87826+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
87827+ matchpo->mode |= GR_DELETED;
87828+ FOR_EACH_SUBJECT_END(subj,x)
87829+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
87830+ /* nested subjects aren't in the role's subj_hash table */
87831+ if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
87832+ matchpo->mode |= GR_DELETED;
87833+ FOR_EACH_NESTED_SUBJECT_END(subj)
87834+ if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
87835+ matchps->mode |= GR_DELETED;
87836+ FOR_EACH_ROLE_END(role)
87837+
87838+ inodev->nentry->deleted = 1;
87839+
87840+ return;
87841+}
87842+
87843+void
87844+gr_handle_delete(const u64 ino, const dev_t dev)
87845+{
87846+ struct inodev_entry *inodev;
87847+
87848+ if (unlikely(!(gr_status & GR_READY)))
87849+ return;
87850+
87851+ write_lock(&gr_inode_lock);
87852+ inodev = lookup_inodev_entry(ino, dev);
87853+ if (inodev != NULL)
87854+ do_handle_delete(inodev, ino, dev);
87855+ write_unlock(&gr_inode_lock);
87856+
87857+ return;
87858+}
87859+
87860+static void
87861+update_acl_obj_label(const u64 oldinode, const dev_t olddevice,
87862+ const u64 newinode, const dev_t newdevice,
87863+ struct acl_subject_label *subj)
87864+{
87865+ unsigned int index = gr_fhash(oldinode, olddevice, subj->obj_hash_size);
87866+ struct acl_object_label *match;
87867+
87868+ match = subj->obj_hash[index];
87869+
87870+ while (match && (match->inode != oldinode ||
87871+ match->device != olddevice ||
87872+ !(match->mode & GR_DELETED)))
87873+ match = match->next;
87874+
87875+ if (match && (match->inode == oldinode)
87876+ && (match->device == olddevice)
87877+ && (match->mode & GR_DELETED)) {
87878+ if (match->prev == NULL) {
87879+ subj->obj_hash[index] = match->next;
87880+ if (match->next != NULL)
87881+ match->next->prev = NULL;
87882+ } else {
87883+ match->prev->next = match->next;
87884+ if (match->next != NULL)
87885+ match->next->prev = match->prev;
87886+ }
87887+ match->prev = NULL;
87888+ match->next = NULL;
87889+ match->inode = newinode;
87890+ match->device = newdevice;
87891+ match->mode &= ~GR_DELETED;
87892+
87893+ insert_acl_obj_label(match, subj);
87894+ }
87895+
87896+ return;
87897+}
87898+
87899+static void
87900+update_acl_subj_label(const u64 oldinode, const dev_t olddevice,
87901+ const u64 newinode, const dev_t newdevice,
87902+ struct acl_role_label *role)
87903+{
87904+ unsigned int index = gr_fhash(oldinode, olddevice, role->subj_hash_size);
87905+ struct acl_subject_label *match;
87906+
87907+ match = role->subj_hash[index];
87908+
87909+ while (match && (match->inode != oldinode ||
87910+ match->device != olddevice ||
87911+ !(match->mode & GR_DELETED)))
87912+ match = match->next;
87913+
87914+ if (match && (match->inode == oldinode)
87915+ && (match->device == olddevice)
87916+ && (match->mode & GR_DELETED)) {
87917+ if (match->prev == NULL) {
87918+ role->subj_hash[index] = match->next;
87919+ if (match->next != NULL)
87920+ match->next->prev = NULL;
87921+ } else {
87922+ match->prev->next = match->next;
87923+ if (match->next != NULL)
87924+ match->next->prev = match->prev;
87925+ }
87926+ match->prev = NULL;
87927+ match->next = NULL;
87928+ match->inode = newinode;
87929+ match->device = newdevice;
87930+ match->mode &= ~GR_DELETED;
87931+
87932+ insert_acl_subj_label(match, role);
87933+ }
87934+
87935+ return;
87936+}
87937+
87938+static void
87939+update_inodev_entry(const u64 oldinode, const dev_t olddevice,
87940+ const u64 newinode, const dev_t newdevice)
87941+{
87942+ unsigned int index = gr_fhash(oldinode, olddevice, running_polstate.inodev_set.i_size);
87943+ struct inodev_entry *match;
87944+
87945+ match = running_polstate.inodev_set.i_hash[index];
87946+
87947+ while (match && (match->nentry->inode != oldinode ||
87948+ match->nentry->device != olddevice || !match->nentry->deleted))
87949+ match = match->next;
87950+
87951+ if (match && (match->nentry->inode == oldinode)
87952+ && (match->nentry->device == olddevice) &&
87953+ match->nentry->deleted) {
87954+ if (match->prev == NULL) {
87955+ running_polstate.inodev_set.i_hash[index] = match->next;
87956+ if (match->next != NULL)
87957+ match->next->prev = NULL;
87958+ } else {
87959+ match->prev->next = match->next;
87960+ if (match->next != NULL)
87961+ match->next->prev = match->prev;
87962+ }
87963+ match->prev = NULL;
87964+ match->next = NULL;
87965+ match->nentry->inode = newinode;
87966+ match->nentry->device = newdevice;
87967+ match->nentry->deleted = 0;
87968+
87969+ insert_inodev_entry(match);
87970+ }
87971+
87972+ return;
87973+}
87974+
87975+static void
87976+__do_handle_create(const struct name_entry *matchn, u64 ino, dev_t dev)
87977+{
87978+ struct acl_subject_label *subj;
87979+ struct acl_role_label *role;
87980+ unsigned int x;
87981+
87982+ FOR_EACH_ROLE_START(role)
87983+ update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
87984+
87985+ FOR_EACH_NESTED_SUBJECT_START(role, subj)
87986+ if ((subj->inode == ino) && (subj->device == dev)) {
87987+ subj->inode = ino;
87988+ subj->device = dev;
87989+ }
87990+ /* nested subjects aren't in the role's subj_hash table */
87991+ update_acl_obj_label(matchn->inode, matchn->device,
87992+ ino, dev, subj);
87993+ FOR_EACH_NESTED_SUBJECT_END(subj)
87994+ FOR_EACH_SUBJECT_START(role, subj, x)
87995+ update_acl_obj_label(matchn->inode, matchn->device,
87996+ ino, dev, subj);
87997+ FOR_EACH_SUBJECT_END(subj,x)
87998+ FOR_EACH_ROLE_END(role)
87999+
88000+ update_inodev_entry(matchn->inode, matchn->device, ino, dev);
88001+
88002+ return;
88003+}
88004+
88005+static void
88006+do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
88007+ const struct vfsmount *mnt)
88008+{
88009+ u64 ino = __get_ino(dentry);
88010+ dev_t dev = __get_dev(dentry);
88011+
88012+ __do_handle_create(matchn, ino, dev);
88013+
88014+ return;
88015+}
88016+
88017+void
88018+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
88019+{
88020+ struct name_entry *matchn;
88021+
88022+ if (unlikely(!(gr_status & GR_READY)))
88023+ return;
88024+
88025+ preempt_disable();
88026+ matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
88027+
88028+ if (unlikely((unsigned long)matchn)) {
88029+ write_lock(&gr_inode_lock);
88030+ do_handle_create(matchn, dentry, mnt);
88031+ write_unlock(&gr_inode_lock);
88032+ }
88033+ preempt_enable();
88034+
88035+ return;
88036+}
88037+
88038+void
88039+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
88040+{
88041+ struct name_entry *matchn;
88042+
88043+ if (unlikely(!(gr_status & GR_READY)))
88044+ return;
88045+
88046+ preempt_disable();
88047+ matchn = lookup_name_entry(gr_to_proc_filename_rbac(dentry, init_pid_ns.proc_mnt));
88048+
88049+ if (unlikely((unsigned long)matchn)) {
88050+ write_lock(&gr_inode_lock);
88051+ __do_handle_create(matchn, inode->i_ino, inode->i_sb->s_dev);
88052+ write_unlock(&gr_inode_lock);
88053+ }
88054+ preempt_enable();
88055+
88056+ return;
88057+}
88058+
88059+void
88060+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
88061+ struct dentry *old_dentry,
88062+ struct dentry *new_dentry,
88063+ struct vfsmount *mnt, const __u8 replace, unsigned int flags)
88064+{
88065+ struct name_entry *matchn;
88066+ struct name_entry *matchn2 = NULL;
88067+ struct inodev_entry *inodev;
88068+ struct inode *inode = d_backing_inode(new_dentry);
88069+ struct inode *old_inode = d_backing_inode(old_dentry);
88070+ u64 old_ino = __get_ino(old_dentry);
88071+ dev_t old_dev = __get_dev(old_dentry);
88072+ unsigned int exchange = flags & RENAME_EXCHANGE;
88073+
88074+ /* vfs_rename swaps the name and parent link for old_dentry and
88075+ new_dentry
88076+ at this point, old_dentry has the new name, parent link, and inode
88077+ for the renamed file
88078+ if a file is being replaced by a rename, new_dentry has the inode
88079+ and name for the replaced file
88080+ */
88081+
88082+ if (unlikely(!(gr_status & GR_READY)))
88083+ return;
88084+
88085+ preempt_disable();
88086+ matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
88087+
88088+ /* exchange cases:
88089+ a filename exists for the source, but not dest
88090+ do a recreate on source
88091+ a filename exists for the dest, but not source
88092+ do a recreate on dest
88093+ a filename exists for both source and dest
88094+ delete source and dest, then create source and dest
88095+ a filename exists for neither source nor dest
88096+ no updates needed
88097+
88098+ the name entry lookups get us the old inode/dev associated with
88099+ each name, so do the deletes first (if possible) so that when
88100+ we do the create, we pick up on the right entries
88101+ */
88102+
88103+ if (exchange)
88104+ matchn2 = lookup_name_entry(gr_to_filename_rbac(new_dentry, mnt));
88105+
88106+ /* we wouldn't have to check d_inode if it weren't for
88107+ NFS silly-renaming
88108+ */
88109+
88110+ write_lock(&gr_inode_lock);
88111+ if (unlikely((replace || exchange) && inode)) {
88112+ u64 new_ino = __get_ino(new_dentry);
88113+ dev_t new_dev = __get_dev(new_dentry);
88114+
88115+ inodev = lookup_inodev_entry(new_ino, new_dev);
88116+ if (inodev != NULL && ((inode->i_nlink <= 1) || d_is_dir(new_dentry)))
88117+ do_handle_delete(inodev, new_ino, new_dev);
88118+ }
88119+
88120+ inodev = lookup_inodev_entry(old_ino, old_dev);
88121+ if (inodev != NULL && ((old_inode->i_nlink <= 1) || d_is_dir(old_dentry)))
88122+ do_handle_delete(inodev, old_ino, old_dev);
88123+
88124+ if (unlikely(matchn != NULL))
88125+ do_handle_create(matchn, old_dentry, mnt);
88126+
88127+ if (unlikely(matchn2 != NULL))
88128+ do_handle_create(matchn2, new_dentry, mnt);
88129+
88130+ write_unlock(&gr_inode_lock);
88131+ preempt_enable();
88132+
88133+ return;
88134+}
88135+
88136+#if defined(CONFIG_GRKERNSEC_RESLOG) || !defined(CONFIG_GRKERNSEC_NO_RBAC)
88137+static const unsigned long res_learn_bumps[GR_NLIMITS] = {
88138+ [RLIMIT_CPU] = GR_RLIM_CPU_BUMP,
88139+ [RLIMIT_FSIZE] = GR_RLIM_FSIZE_BUMP,
88140+ [RLIMIT_DATA] = GR_RLIM_DATA_BUMP,
88141+ [RLIMIT_STACK] = GR_RLIM_STACK_BUMP,
88142+ [RLIMIT_CORE] = GR_RLIM_CORE_BUMP,
88143+ [RLIMIT_RSS] = GR_RLIM_RSS_BUMP,
88144+ [RLIMIT_NPROC] = GR_RLIM_NPROC_BUMP,
88145+ [RLIMIT_NOFILE] = GR_RLIM_NOFILE_BUMP,
88146+ [RLIMIT_MEMLOCK] = GR_RLIM_MEMLOCK_BUMP,
88147+ [RLIMIT_AS] = GR_RLIM_AS_BUMP,
88148+ [RLIMIT_LOCKS] = GR_RLIM_LOCKS_BUMP,
88149+ [RLIMIT_SIGPENDING] = GR_RLIM_SIGPENDING_BUMP,
88150+ [RLIMIT_MSGQUEUE] = GR_RLIM_MSGQUEUE_BUMP,
88151+ [RLIMIT_NICE] = GR_RLIM_NICE_BUMP,
88152+ [RLIMIT_RTPRIO] = GR_RLIM_RTPRIO_BUMP,
88153+ [RLIMIT_RTTIME] = GR_RLIM_RTTIME_BUMP
88154+};
88155+
88156+void
88157+gr_learn_resource(const struct task_struct *task,
88158+ const int res, const unsigned long wanted, const int gt)
88159+{
88160+ struct acl_subject_label *acl;
88161+ const struct cred *cred;
88162+
88163+ if (unlikely((gr_status & GR_READY) &&
88164+ task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
88165+ goto skip_reslog;
88166+
88167+ gr_log_resource(task, res, wanted, gt);
88168+skip_reslog:
88169+
88170+ if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
88171+ return;
88172+
88173+ acl = task->acl;
88174+
88175+ if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
88176+ !(acl->resmask & (1U << (unsigned short) res))))
88177+ return;
88178+
88179+ if (wanted >= acl->res[res].rlim_cur) {
88180+ unsigned long res_add;
88181+
88182+ res_add = wanted + res_learn_bumps[res];
88183+
88184+ acl->res[res].rlim_cur = res_add;
88185+
88186+ if (wanted > acl->res[res].rlim_max)
88187+ acl->res[res].rlim_max = res_add;
88188+
88189+ /* only log the subject filename, since resource logging is supported for
88190+ single-subject learning only */
88191+ rcu_read_lock();
88192+ cred = __task_cred(task);
88193+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
88194+ task->role->roletype, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid), acl->filename,
88195+ acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
88196+ "", (unsigned long) res, &task->signal->saved_ip);
88197+ rcu_read_unlock();
88198+ }
88199+
88200+ return;
88201+}
88202+EXPORT_SYMBOL_GPL(gr_learn_resource);
88203+#endif
88204+
88205+#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
88206+void
88207+pax_set_initial_flags(struct linux_binprm *bprm)
88208+{
88209+ struct task_struct *task = current;
88210+ struct acl_subject_label *proc;
88211+ unsigned long flags;
88212+
88213+ if (unlikely(!(gr_status & GR_READY)))
88214+ return;
88215+
88216+ flags = pax_get_flags(task);
88217+
88218+ proc = task->acl;
88219+
88220+ if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
88221+ flags &= ~MF_PAX_PAGEEXEC;
88222+ if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
88223+ flags &= ~MF_PAX_SEGMEXEC;
88224+ if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
88225+ flags &= ~MF_PAX_RANDMMAP;
88226+ if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
88227+ flags &= ~MF_PAX_EMUTRAMP;
88228+ if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
88229+ flags &= ~MF_PAX_MPROTECT;
88230+
88231+ if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
88232+ flags |= MF_PAX_PAGEEXEC;
88233+ if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
88234+ flags |= MF_PAX_SEGMEXEC;
88235+ if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
88236+ flags |= MF_PAX_RANDMMAP;
88237+ if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
88238+ flags |= MF_PAX_EMUTRAMP;
88239+ if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
88240+ flags |= MF_PAX_MPROTECT;
88241+
88242+ pax_set_flags(task, flags);
88243+
88244+ return;
88245+}
88246+#endif
88247+
88248+int
88249+gr_handle_proc_ptrace(struct task_struct *task)
88250+{
88251+ struct file *filp;
88252+ struct task_struct *tmp = task;
88253+ struct task_struct *curtemp = current;
88254+ __u32 retmode;
88255+
88256+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
88257+ if (unlikely(!(gr_status & GR_READY)))
88258+ return 0;
88259+#endif
88260+
88261+ read_lock(&tasklist_lock);
88262+ read_lock(&grsec_exec_file_lock);
88263+ filp = task->exec_file;
88264+
88265+ while (task_pid_nr(tmp) > 0) {
88266+ if (tmp == curtemp)
88267+ break;
88268+ tmp = tmp->real_parent;
88269+ }
88270+
88271+ if (!filp || (task_pid_nr(tmp) == 0 && ((grsec_enable_harden_ptrace && gr_is_global_nonroot(current_uid()) && !(gr_status & GR_READY)) ||
88272+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
88273+ read_unlock(&grsec_exec_file_lock);
88274+ read_unlock(&tasklist_lock);
88275+ return 1;
88276+ }
88277+
88278+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
88279+ if (!(gr_status & GR_READY)) {
88280+ read_unlock(&grsec_exec_file_lock);
88281+ read_unlock(&tasklist_lock);
88282+ return 0;
88283+ }
88284+#endif
88285+
88286+ retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
88287+ read_unlock(&grsec_exec_file_lock);
88288+ read_unlock(&tasklist_lock);
88289+
88290+ if (retmode & GR_NOPTRACE)
88291+ return 1;
88292+
88293+ if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
88294+ && (current->acl != task->acl || (current->acl != current->role->root_label
88295+ && task_pid_nr(current) != task_pid_nr(task))))
88296+ return 1;
88297+
88298+ return 0;
88299+}
88300+
88301+void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
88302+{
88303+ if (unlikely(!(gr_status & GR_READY)))
88304+ return;
88305+
88306+ if (!(current->role->roletype & GR_ROLE_GOD))
88307+ return;
88308+
88309+ seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
88310+ p->role->rolename, gr_task_roletype_to_char(p),
88311+ p->acl->filename);
88312+}
88313+
88314+int
88315+gr_handle_ptrace(struct task_struct *task, const long request)
88316+{
88317+ struct task_struct *tmp = task;
88318+ struct task_struct *curtemp = current;
88319+ __u32 retmode;
88320+
88321+#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
88322+ if (unlikely(!(gr_status & GR_READY)))
88323+ return 0;
88324+#endif
88325+ if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
88326+ read_lock(&tasklist_lock);
88327+ while (task_pid_nr(tmp) > 0) {
88328+ if (tmp == curtemp)
88329+ break;
88330+ tmp = tmp->real_parent;
88331+ }
88332+
88333+ if (task_pid_nr(tmp) == 0 && ((grsec_enable_harden_ptrace && gr_is_global_nonroot(current_uid()) && !(gr_status & GR_READY)) ||
88334+ ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
88335+ read_unlock(&tasklist_lock);
88336+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
88337+ return 1;
88338+ }
88339+ read_unlock(&tasklist_lock);
88340+ }
88341+
88342+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
88343+ if (!(gr_status & GR_READY))
88344+ return 0;
88345+#endif
88346+
88347+ read_lock(&grsec_exec_file_lock);
88348+ if (unlikely(!task->exec_file)) {
88349+ read_unlock(&grsec_exec_file_lock);
88350+ return 0;
88351+ }
88352+
88353+ retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
88354+ read_unlock(&grsec_exec_file_lock);
88355+
88356+ if (retmode & GR_NOPTRACE) {
88357+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
88358+ return 1;
88359+ }
88360+
88361+ if (retmode & GR_PTRACERD) {
88362+ switch (request) {
88363+ case PTRACE_SEIZE:
88364+ case PTRACE_POKETEXT:
88365+ case PTRACE_POKEDATA:
88366+ case PTRACE_POKEUSR:
88367+#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
88368+ case PTRACE_SETREGS:
88369+ case PTRACE_SETFPREGS:
88370+#endif
88371+#ifdef CONFIG_X86
88372+ case PTRACE_SETFPXREGS:
88373+#endif
88374+#ifdef CONFIG_ALTIVEC
88375+ case PTRACE_SETVRREGS:
88376+#endif
88377+ return 1;
88378+ default:
88379+ return 0;
88380+ }
88381+ } else if (!(current->acl->mode & GR_POVERRIDE) &&
88382+ !(current->role->roletype & GR_ROLE_GOD) &&
88383+ (current->acl != task->acl)) {
88384+ gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
88385+ return 1;
88386+ }
88387+
88388+ return 0;
88389+}
88390+
88391+static int is_writable_mmap(const struct file *filp)
88392+{
88393+ struct task_struct *task = current;
88394+ struct acl_object_label *obj, *obj2;
88395+ struct dentry *dentry = filp->f_path.dentry;
88396+ struct vfsmount *mnt = filp->f_path.mnt;
88397+ struct inode *inode = d_backing_inode(dentry);
88398+
88399+ if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
88400+ !task->is_writable && d_is_reg(dentry) && (mnt != shm_mnt || (inode->i_nlink > 0))) {
88401+ obj = chk_obj_label(dentry, mnt, running_polstate.default_role->root_label);
88402+ obj2 = chk_obj_label(dentry, mnt, task->role->root_label);
88403+ if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
88404+ gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, dentry, mnt);
88405+ return 1;
88406+ }
88407+ }
88408+ return 0;
88409+}
88410+
88411+int
88412+gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
88413+{
88414+ __u32 mode;
88415+
88416+ if (unlikely(!file || !(prot & PROT_EXEC)))
88417+ return 1;
88418+
88419+ if (is_writable_mmap(file))
88420+ return 0;
88421+
88422+ mode =
88423+ gr_search_file(file->f_path.dentry,
88424+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
88425+ file->f_path.mnt);
88426+
88427+ if (!gr_tpe_allow(file))
88428+ return 0;
88429+
88430+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
88431+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
88432+ return 0;
88433+ } else if (unlikely(!(mode & GR_EXEC))) {
88434+ return 0;
88435+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
88436+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
88437+ return 1;
88438+ }
88439+
88440+ return 1;
88441+}
88442+
88443+int
88444+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
88445+{
88446+ __u32 mode;
88447+
88448+ if (unlikely(!file || !(prot & PROT_EXEC)))
88449+ return 1;
88450+
88451+ if (is_writable_mmap(file))
88452+ return 0;
88453+
88454+ mode =
88455+ gr_search_file(file->f_path.dentry,
88456+ GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
88457+ file->f_path.mnt);
88458+
88459+ if (!gr_tpe_allow(file))
88460+ return 0;
88461+
88462+ if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
88463+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
88464+ return 0;
88465+ } else if (unlikely(!(mode & GR_EXEC))) {
88466+ return 0;
88467+ } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
88468+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
88469+ return 1;
88470+ }
88471+
88472+ return 1;
88473+}
88474+
88475+void
88476+gr_acl_handle_psacct(struct task_struct *task, const long code)
88477+{
88478+ unsigned long runtime, cputime;
88479+ cputime_t utime, stime;
88480+ unsigned int wday, cday;
88481+ __u8 whr, chr;
88482+ __u8 wmin, cmin;
88483+ __u8 wsec, csec;
88484+ struct timespec curtime, starttime;
88485+
88486+ if (unlikely(!(gr_status & GR_READY) || !task->acl ||
88487+ !(task->acl->mode & GR_PROCACCT)))
88488+ return;
88489+
88490+ curtime = ns_to_timespec(ktime_get_ns());
88491+ starttime = ns_to_timespec(task->start_time);
88492+ runtime = curtime.tv_sec - starttime.tv_sec;
88493+ wday = runtime / (60 * 60 * 24);
88494+ runtime -= wday * (60 * 60 * 24);
88495+ whr = runtime / (60 * 60);
88496+ runtime -= whr * (60 * 60);
88497+ wmin = runtime / 60;
88498+ runtime -= wmin * 60;
88499+ wsec = runtime;
88500+
88501+ task_cputime(task, &utime, &stime);
88502+ cputime = cputime_to_secs(utime + stime);
88503+ cday = cputime / (60 * 60 * 24);
88504+ cputime -= cday * (60 * 60 * 24);
88505+ chr = cputime / (60 * 60);
88506+ cputime -= chr * (60 * 60);
88507+ cmin = cputime / 60;
88508+ cputime -= cmin * 60;
88509+ csec = cputime;
88510+
88511+ gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
88512+
88513+ return;
88514+}
88515+
88516+#ifdef CONFIG_TASKSTATS
88517+int gr_is_taskstats_denied(int pid)
88518+{
88519+ struct task_struct *task;
88520+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
88521+ const struct cred *cred;
88522+#endif
88523+ int ret = 0;
88524+
88525+ /* restrict taskstats viewing to un-chrooted root users
88526+ who have the 'view' subject flag if the RBAC system is enabled
88527+ */
88528+
88529+ rcu_read_lock();
88530+ read_lock(&tasklist_lock);
88531+ task = find_task_by_vpid(pid);
88532+ if (task) {
88533+#ifdef CONFIG_GRKERNSEC_CHROOT
88534+ if (proc_is_chrooted(task))
88535+ ret = -EACCES;
88536+#endif
88537+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
88538+ cred = __task_cred(task);
88539+#ifdef CONFIG_GRKERNSEC_PROC_USER
88540+ if (gr_is_global_nonroot(cred->uid))
88541+ ret = -EACCES;
88542+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
88543+ if (gr_is_global_nonroot(cred->uid) && !groups_search(cred->group_info, grsec_proc_gid))
88544+ ret = -EACCES;
88545+#endif
88546+#endif
88547+ if (gr_status & GR_READY) {
88548+ if (!(task->acl->mode & GR_VIEW))
88549+ ret = -EACCES;
88550+ }
88551+ } else
88552+ ret = -ENOENT;
88553+
88554+ read_unlock(&tasklist_lock);
88555+ rcu_read_unlock();
88556+
88557+ return ret;
88558+}
88559+#endif
88560+
88561+/* AUXV entries are filled via a descendant of search_binary_handler
88562+ after we've already applied the subject for the target
88563+*/
88564+int gr_acl_enable_at_secure(void)
88565+{
88566+ if (unlikely(!(gr_status & GR_READY)))
88567+ return 0;
88568+
88569+ if (current->acl->mode & GR_ATSECURE)
88570+ return 1;
88571+
88572+ return 0;
88573+}
88574+
88575+int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const u64 ino)
88576+{
88577+ struct task_struct *task = current;
88578+ struct dentry *dentry = file->f_path.dentry;
88579+ struct vfsmount *mnt = file->f_path.mnt;
88580+ struct acl_object_label *obj, *tmp;
88581+ struct acl_subject_label *subj;
88582+ unsigned int bufsize;
88583+ int is_not_root;
88584+ char *path;
88585+ dev_t dev = __get_dev(dentry);
88586+
88587+ if (unlikely(!(gr_status & GR_READY)))
88588+ return 1;
88589+
88590+ if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
88591+ return 1;
88592+
88593+ /* ignore Eric Biederman */
88594+ if (IS_PRIVATE(d_backing_inode(dentry)))
88595+ return 1;
88596+
88597+ subj = task->acl;
88598+ read_lock(&gr_inode_lock);
88599+ do {
88600+ obj = lookup_acl_obj_label(ino, dev, subj);
88601+ if (obj != NULL) {
88602+ read_unlock(&gr_inode_lock);
88603+ return (obj->mode & GR_FIND) ? 1 : 0;
88604+ }
88605+ } while ((subj = subj->parent_subject));
88606+ read_unlock(&gr_inode_lock);
88607+
88608+ /* this is purely an optimization since we're looking for an object
88609+ for the directory we're doing a readdir on
88610+ if it's possible for any globbed object to match the entry we're
88611+ filling into the directory, then the object we find here will be
88612+ an anchor point with attached globbed objects
88613+ */
88614+ obj = chk_obj_label_noglob(dentry, mnt, task->acl);
88615+ if (obj->globbed == NULL)
88616+ return (obj->mode & GR_FIND) ? 1 : 0;
88617+
88618+ is_not_root = ((obj->filename[0] == '/') &&
88619+ (obj->filename[1] == '\0')) ? 0 : 1;
88620+ bufsize = PAGE_SIZE - namelen - is_not_root;
88621+
88622+ /* check bufsize > PAGE_SIZE || bufsize == 0 */
88623+ if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
88624+ return 1;
88625+
88626+ preempt_disable();
88627+ path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
88628+ bufsize);
88629+
88630+ bufsize = strlen(path);
88631+
88632+ /* if base is "/", don't append an additional slash */
88633+ if (is_not_root)
88634+ *(path + bufsize) = '/';
88635+ memcpy(path + bufsize + is_not_root, name, namelen);
88636+ *(path + bufsize + namelen + is_not_root) = '\0';
88637+
88638+ tmp = obj->globbed;
88639+ while (tmp) {
88640+ if (!glob_match(tmp->filename, path)) {
88641+ preempt_enable();
88642+ return (tmp->mode & GR_FIND) ? 1 : 0;
88643+ }
88644+ tmp = tmp->next;
88645+ }
88646+ preempt_enable();
88647+ return (obj->mode & GR_FIND) ? 1 : 0;
88648+}
88649+
88650+void gr_put_exec_file(struct task_struct *task)
88651+{
88652+ struct file *filp;
88653+
88654+ write_lock(&grsec_exec_file_lock);
88655+ filp = task->exec_file;
88656+ task->exec_file = NULL;
88657+ write_unlock(&grsec_exec_file_lock);
88658+
88659+ if (filp)
88660+ fput(filp);
88661+
88662+ return;
88663+}
88664+
88665+
88666+#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
88667+EXPORT_SYMBOL_GPL(gr_acl_is_enabled);
88668+#endif
88669+#ifdef CONFIG_SECURITY
88670+EXPORT_SYMBOL_GPL(gr_check_user_change);
88671+EXPORT_SYMBOL_GPL(gr_check_group_change);
88672+#endif
88673+
88674diff --git a/grsecurity/gracl_alloc.c b/grsecurity/gracl_alloc.c
88675new file mode 100644
88676index 0000000..9adc75c
88677--- /dev/null
88678+++ b/grsecurity/gracl_alloc.c
88679@@ -0,0 +1,105 @@
88680+#include <linux/kernel.h>
88681+#include <linux/mm.h>
88682+#include <linux/slab.h>
88683+#include <linux/vmalloc.h>
88684+#include <linux/gracl.h>
88685+#include <linux/grsecurity.h>
88686+
88687+static struct gr_alloc_state __current_alloc_state = { 1, 1, NULL };
88688+struct gr_alloc_state *current_alloc_state = &__current_alloc_state;
88689+
88690+static int
88691+alloc_pop(void)
88692+{
88693+ if (current_alloc_state->alloc_stack_next == 1)
88694+ return 0;
88695+
88696+ kfree(current_alloc_state->alloc_stack[current_alloc_state->alloc_stack_next - 2]);
88697+
88698+ current_alloc_state->alloc_stack_next--;
88699+
88700+ return 1;
88701+}
88702+
88703+static int
88704+alloc_push(void *buf)
88705+{
88706+ if (current_alloc_state->alloc_stack_next >= current_alloc_state->alloc_stack_size)
88707+ return 1;
88708+
88709+ current_alloc_state->alloc_stack[current_alloc_state->alloc_stack_next - 1] = buf;
88710+
88711+ current_alloc_state->alloc_stack_next++;
88712+
88713+ return 0;
88714+}
88715+
88716+void *
88717+acl_alloc(unsigned long len)
88718+{
88719+ void *ret = NULL;
88720+
88721+ if (!len || len > PAGE_SIZE)
88722+ goto out;
88723+
88724+ ret = kmalloc(len, GFP_KERNEL);
88725+
88726+ if (ret) {
88727+ if (alloc_push(ret)) {
88728+ kfree(ret);
88729+ ret = NULL;
88730+ }
88731+ }
88732+
88733+out:
88734+ return ret;
88735+}
88736+
88737+void *
88738+acl_alloc_num(unsigned long num, unsigned long len)
88739+{
88740+ if (!len || (num > (PAGE_SIZE / len)))
88741+ return NULL;
88742+
88743+ return acl_alloc(num * len);
88744+}
88745+
88746+void
88747+acl_free_all(void)
88748+{
88749+ if (!current_alloc_state->alloc_stack)
88750+ return;
88751+
88752+ while (alloc_pop()) ;
88753+
88754+ if (current_alloc_state->alloc_stack) {
88755+ if ((current_alloc_state->alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
88756+ kfree(current_alloc_state->alloc_stack);
88757+ else
88758+ vfree(current_alloc_state->alloc_stack);
88759+ }
88760+
88761+ current_alloc_state->alloc_stack = NULL;
88762+ current_alloc_state->alloc_stack_size = 1;
88763+ current_alloc_state->alloc_stack_next = 1;
88764+
88765+ return;
88766+}
88767+
88768+int
88769+acl_alloc_stack_init(unsigned long size)
88770+{
88771+ if ((size * sizeof (void *)) <= PAGE_SIZE)
88772+ current_alloc_state->alloc_stack =
88773+ (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
88774+ else
88775+ current_alloc_state->alloc_stack = (void **) vmalloc(size * sizeof (void *));
88776+
88777+ current_alloc_state->alloc_stack_size = size;
88778+ current_alloc_state->alloc_stack_next = 1;
88779+
88780+ if (!current_alloc_state->alloc_stack)
88781+ return 0;
88782+ else
88783+ return 1;
88784+}
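Review bot: `acl_alloc_stack_init()` computes `size * sizeof (void *)` with no overflow check, although `acl_alloc_num()` in the same file guards its own multiplication with `num > (PAGE_SIZE / len)`. If the product wraps, the stack is allocated smaller than the `alloc_stack_size` recorded afterwards, and `alloc_push()` bounds its writes only by that recorded size. The callers are outside this hunk, so whether `size` can be derived from a loaded policy needs confirming. A guard at the top such as `if (size > ULONG_MAX / sizeof(void *)) return 0;` closes this. The function also stores `alloc_stack_size = size` before testing the allocation result, so if `acl_alloc()` is reached after a failed init, `alloc_push()` would write through a NULL `alloc_stack`; assigning the size only on success avoids that.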
88785diff --git a/grsecurity/gracl_cap.c b/grsecurity/gracl_cap.c
88786new file mode 100644
88787index 0000000..1a94c11
88788--- /dev/null
88789+++ b/grsecurity/gracl_cap.c
88790@@ -0,0 +1,127 @@
88791+#include <linux/kernel.h>
88792+#include <linux/module.h>
88793+#include <linux/sched.h>
88794+#include <linux/gracl.h>
88795+#include <linux/grsecurity.h>
88796+#include <linux/grinternal.h>
88797+
88798+extern const char *captab_log[];
88799+extern int captab_log_entries;
88800+
88801+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
88802+{
88803+ struct acl_subject_label *curracl;
88804+
88805+ if (!gr_acl_is_enabled())
88806+ return 1;
88807+
88808+ curracl = task->acl;
88809+
88810+ if (curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
88811+ security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
88812+ task->role->roletype, GR_GLOBAL_UID(cred->uid),
88813+ GR_GLOBAL_GID(cred->gid), task->exec_file ?
88814+ gr_to_filename(task->exec_file->f_path.dentry,
88815+ task->exec_file->f_path.mnt) : curracl->filename,
88816+ curracl->filename, 0UL,
88817+ 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
88818+ return 1;
88819+ }
88820+
88821+ return 0;
88822+}
88823+
88824+int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
88825+{
88826+ struct acl_subject_label *curracl;
88827+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
88828+ kernel_cap_t cap_audit = __cap_empty_set;
88829+
88830+ if (!gr_acl_is_enabled())
88831+ return 1;
88832+
88833+ curracl = task->acl;
88834+
88835+ cap_drop = curracl->cap_lower;
88836+ cap_mask = curracl->cap_mask;
88837+ cap_audit = curracl->cap_invert_audit;
88838+
88839+ while ((curracl = curracl->parent_subject)) {
88840+ /* if the cap isn't specified in the current computed mask but is specified in the
88841+ current level subject, and is lowered in the current level subject, then add
88842+ it to the set of dropped capabilities
88843+ otherwise, add the current level subject's mask to the current computed mask
88844+ */
88845+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
88846+ cap_raise(cap_mask, cap);
88847+ if (cap_raised(curracl->cap_lower, cap))
88848+ cap_raise(cap_drop, cap);
88849+ if (cap_raised(curracl->cap_invert_audit, cap))
88850+ cap_raise(cap_audit, cap);
88851+ }
88852+ }
88853+
88854+ if (!cap_raised(cap_drop, cap)) {
88855+ if (cap_raised(cap_audit, cap))
88856+ gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
88857+ return 1;
88858+ }
88859+
88860+ /* only learn the capability use if the process has the capability in the
88861+ general case, the two uses in sys.c of gr_learn_cap are an exception
88862+ to this rule to ensure any role transition involves what the full-learned
88863+ policy believes in a privileged process
88864+ */
88865+ if (cap_raised(cred->cap_effective, cap) && gr_learn_cap(task, cred, cap))
88866+ return 1;
88867+
88868+ if ((cap >= 0) && (cap < captab_log_entries) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
88869+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
88870+
88871+ return 0;
88872+}
88873+
88874+int
88875+gr_acl_is_capable(const int cap)
88876+{
88877+ return gr_task_acl_is_capable(current, current_cred(), cap);
88878+}
88879+
88880+int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap)
88881+{
88882+ struct acl_subject_label *curracl;
88883+ kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
88884+
88885+ if (!gr_acl_is_enabled())
88886+ return 1;
88887+
88888+ curracl = task->acl;
88889+
88890+ cap_drop = curracl->cap_lower;
88891+ cap_mask = curracl->cap_mask;
88892+
88893+ while ((curracl = curracl->parent_subject)) {
88894+ /* if the cap isn't specified in the current computed mask but is specified in the
88895+ current level subject, and is lowered in the current level subject, then add
88896+ it to the set of dropped capabilities
88897+ otherwise, add the current level subject's mask to the current computed mask
88898+ */
88899+ if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
88900+ cap_raise(cap_mask, cap);
88901+ if (cap_raised(curracl->cap_lower, cap))
88902+ cap_raise(cap_drop, cap);
88903+ }
88904+ }
88905+
88906+ if (!cap_raised(cap_drop, cap))
88907+ return 1;
88908+
88909+ return 0;
88910+}
88911+
88912+int
88913+gr_acl_is_capable_nolog(const int cap)
88914+{
88915+ return gr_task_acl_is_capable_nolog(current, cap);
88916+}
88917+
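Review bot: In `gr_task_acl_is_capable()` the allowed-and-audited path calls `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap])` without the range test that the denial path further down applies, `(cap >= 0) && (cap < captab_log_entries)`. `captab_log` is an extern array whose length is only known through `captab_log_entries`, so a capability number beyond the table would index past its end on the audit path. The condition should carry the same bound, for example `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < captab_log_entries)`. Separately, the parent-subject walk is repeated almost verbatim in `gr_task_acl_is_capable_nolog()`; a shared static helper would keep the logged and unlogged decisions from drifting apart.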
88918diff --git a/grsecurity/gracl_compat.c b/grsecurity/gracl_compat.c
88919new file mode 100644
88920index 0000000..a43dd06
88921--- /dev/null
88922+++ b/grsecurity/gracl_compat.c
88923@@ -0,0 +1,269 @@
88924+#include <linux/kernel.h>
88925+#include <linux/gracl.h>
88926+#include <linux/compat.h>
88927+#include <linux/gracl_compat.h>
88928+
88929+#include <asm/uaccess.h>
88930+
88931+int copy_gr_arg_wrapper_compat(const char *buf, struct gr_arg_wrapper *uwrap)
88932+{
88933+ struct gr_arg_wrapper_compat uwrapcompat;
88934+
88935+ if (copy_from_user(&uwrapcompat, buf, sizeof(uwrapcompat)))
88936+ return -EFAULT;
88937+
88938+ if ((uwrapcompat.version != GRSECURITY_VERSION) ||
88939+ (uwrapcompat.size != sizeof(struct gr_arg_compat)))
88940+ return -EINVAL;
88941+
88942+ uwrap->arg = compat_ptr(uwrapcompat.arg);
88943+ uwrap->version = uwrapcompat.version;
88944+ uwrap->size = sizeof(struct gr_arg);
88945+
88946+ return 0;
88947+}
88948+
88949+int copy_gr_arg_compat(const struct gr_arg __user *buf, struct gr_arg *arg)
88950+{
88951+ struct gr_arg_compat argcompat;
88952+
88953+ if (copy_from_user(&argcompat, buf, sizeof(argcompat)))
88954+ return -EFAULT;
88955+
88956+ arg->role_db.r_table = compat_ptr(argcompat.role_db.r_table);
88957+ arg->role_db.num_pointers = argcompat.role_db.num_pointers;
88958+ arg->role_db.num_roles = argcompat.role_db.num_roles;
88959+ arg->role_db.num_domain_children = argcompat.role_db.num_domain_children;
88960+ arg->role_db.num_subjects = argcompat.role_db.num_subjects;
88961+ arg->role_db.num_objects = argcompat.role_db.num_objects;
88962+
88963+ memcpy(&arg->pw, &argcompat.pw, sizeof(arg->pw));
88964+ memcpy(&arg->salt, &argcompat.salt, sizeof(arg->salt));
88965+ memcpy(&arg->sum, &argcompat.sum, sizeof(arg->sum));
88966+ memcpy(&arg->sp_role, &argcompat.sp_role, sizeof(arg->sp_role));
88967+ arg->sprole_pws = compat_ptr(argcompat.sprole_pws);
88968+ arg->segv_device = argcompat.segv_device;
88969+ arg->segv_inode = argcompat.segv_inode;
88970+ arg->segv_uid = argcompat.segv_uid;
88971+ arg->num_sprole_pws = argcompat.num_sprole_pws;
88972+ arg->mode = argcompat.mode;
88973+
88974+ return 0;
88975+}
88976+
88977+int copy_acl_object_label_compat(struct acl_object_label *obj, const struct acl_object_label *userp)
88978+{
88979+ struct acl_object_label_compat objcompat;
88980+
88981+ if (copy_from_user(&objcompat, userp, sizeof(objcompat)))
88982+ return -EFAULT;
88983+
88984+ obj->filename = compat_ptr(objcompat.filename);
88985+ obj->inode = objcompat.inode;
88986+ obj->device = objcompat.device;
88987+ obj->mode = objcompat.mode;
88988+
88989+ obj->nested = compat_ptr(objcompat.nested);
88990+ obj->globbed = compat_ptr(objcompat.globbed);
88991+
88992+ obj->prev = compat_ptr(objcompat.prev);
88993+ obj->next = compat_ptr(objcompat.next);
88994+
88995+ return 0;
88996+}
88997+
88998+int copy_acl_subject_label_compat(struct acl_subject_label *subj, const struct acl_subject_label *userp)
88999+{
89000+ unsigned int i;
89001+ struct acl_subject_label_compat subjcompat;
89002+
89003+ if (copy_from_user(&subjcompat, userp, sizeof(subjcompat)))
89004+ return -EFAULT;
89005+
89006+ subj->filename = compat_ptr(subjcompat.filename);
89007+ subj->inode = subjcompat.inode;
89008+ subj->device = subjcompat.device;
89009+ subj->mode = subjcompat.mode;
89010+ subj->cap_mask = subjcompat.cap_mask;
89011+ subj->cap_lower = subjcompat.cap_lower;
89012+ subj->cap_invert_audit = subjcompat.cap_invert_audit;
89013+
89014+ for (i = 0; i < GR_NLIMITS; i++) {
89015+ if (subjcompat.res[i].rlim_cur == COMPAT_RLIM_INFINITY)
89016+ subj->res[i].rlim_cur = RLIM_INFINITY;
89017+ else
89018+ subj->res[i].rlim_cur = subjcompat.res[i].rlim_cur;
89019+ if (subjcompat.res[i].rlim_max == COMPAT_RLIM_INFINITY)
89020+ subj->res[i].rlim_max = RLIM_INFINITY;
89021+ else
89022+ subj->res[i].rlim_max = subjcompat.res[i].rlim_max;
89023+ }
89024+ subj->resmask = subjcompat.resmask;
89025+
89026+ subj->user_trans_type = subjcompat.user_trans_type;
89027+ subj->group_trans_type = subjcompat.group_trans_type;
89028+ subj->user_transitions = compat_ptr(subjcompat.user_transitions);
89029+ subj->group_transitions = compat_ptr(subjcompat.group_transitions);
89030+ subj->user_trans_num = subjcompat.user_trans_num;
89031+ subj->group_trans_num = subjcompat.group_trans_num;
89032+
89033+ memcpy(&subj->sock_families, &subjcompat.sock_families, sizeof(subj->sock_families));
89034+ memcpy(&subj->ip_proto, &subjcompat.ip_proto, sizeof(subj->ip_proto));
89035+ subj->ip_type = subjcompat.ip_type;
89036+ subj->ips = compat_ptr(subjcompat.ips);
89037+ subj->ip_num = subjcompat.ip_num;
89038+ subj->inaddr_any_override = subjcompat.inaddr_any_override;
89039+
89040+ subj->crashes = subjcompat.crashes;
89041+ subj->expires = subjcompat.expires;
89042+
89043+ subj->parent_subject = compat_ptr(subjcompat.parent_subject);
89044+ subj->hash = compat_ptr(subjcompat.hash);
89045+ subj->prev = compat_ptr(subjcompat.prev);
89046+ subj->next = compat_ptr(subjcompat.next);
89047+
89048+ subj->obj_hash = compat_ptr(subjcompat.obj_hash);
89049+ subj->obj_hash_size = subjcompat.obj_hash_size;
89050+ subj->pax_flags = subjcompat.pax_flags;
89051+
89052+ return 0;
89053+}
89054+
89055+int copy_acl_role_label_compat(struct acl_role_label *role, const struct acl_role_label *userp)
89056+{
89057+ struct acl_role_label_compat rolecompat;
89058+
89059+ if (copy_from_user(&rolecompat, userp, sizeof(rolecompat)))
89060+ return -EFAULT;
89061+
89062+ role->rolename = compat_ptr(rolecompat.rolename);
89063+ role->uidgid = rolecompat.uidgid;
89064+ role->roletype = rolecompat.roletype;
89065+
89066+ role->auth_attempts = rolecompat.auth_attempts;
89067+ role->expires = rolecompat.expires;
89068+
89069+ role->root_label = compat_ptr(rolecompat.root_label);
89070+ role->hash = compat_ptr(rolecompat.hash);
89071+
89072+ role->prev = compat_ptr(rolecompat.prev);
89073+ role->next = compat_ptr(rolecompat.next);
89074+
89075+ role->transitions = compat_ptr(rolecompat.transitions);
89076+ role->allowed_ips = compat_ptr(rolecompat.allowed_ips);
89077+ role->domain_children = compat_ptr(rolecompat.domain_children);
89078+ role->domain_child_num = rolecompat.domain_child_num;
89079+
89080+ role->umask = rolecompat.umask;
89081+
89082+ role->subj_hash = compat_ptr(rolecompat.subj_hash);
89083+ role->subj_hash_size = rolecompat.subj_hash_size;
89084+
89085+ return 0;
89086+}
89087+
89088+int copy_role_allowed_ip_compat(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp)
89089+{
89090+ struct role_allowed_ip_compat roleip_compat;
89091+
89092+ if (copy_from_user(&roleip_compat, userp, sizeof(roleip_compat)))
89093+ return -EFAULT;
89094+
89095+ roleip->addr = roleip_compat.addr;
89096+ roleip->netmask = roleip_compat.netmask;
89097+
89098+ roleip->prev = compat_ptr(roleip_compat.prev);
89099+ roleip->next = compat_ptr(roleip_compat.next);
89100+
89101+ return 0;
89102+}
89103+
89104+int copy_role_transition_compat(struct role_transition *trans, const struct role_transition *userp)
89105+{
89106+ struct role_transition_compat trans_compat;
89107+
89108+ if (copy_from_user(&trans_compat, userp, sizeof(trans_compat)))
89109+ return -EFAULT;
89110+
89111+ trans->rolename = compat_ptr(trans_compat.rolename);
89112+
89113+ trans->prev = compat_ptr(trans_compat.prev);
89114+ trans->next = compat_ptr(trans_compat.next);
89115+
89116+ return 0;
89117+
89118+}
89119+
89120+int copy_gr_hash_struct_compat(struct gr_hash_struct *hash, const struct gr_hash_struct *userp)
89121+{
89122+ struct gr_hash_struct_compat hash_compat;
89123+
89124+ if (copy_from_user(&hash_compat, userp, sizeof(hash_compat)))
89125+ return -EFAULT;
89126+
89127+ hash->table = compat_ptr(hash_compat.table);
89128+ hash->nametable = compat_ptr(hash_compat.nametable);
89129+ hash->first = compat_ptr(hash_compat.first);
89130+
89131+ hash->table_size = hash_compat.table_size;
89132+ hash->used_size = hash_compat.used_size;
89133+
89134+ hash->type = hash_compat.type;
89135+
89136+ return 0;
89137+}
89138+
89139+int copy_pointer_from_array_compat(void *ptr, unsigned long idx, const void *userp)
89140+{
89141+ compat_uptr_t ptrcompat;
89142+
89143+ if (copy_from_user(&ptrcompat, userp + (idx * sizeof(ptrcompat)), sizeof(ptrcompat)))
89144+ return -EFAULT;
89145+
89146+ *(void **)ptr = compat_ptr(ptrcompat);
89147+
89148+ return 0;
89149+}
89150+
89151+int copy_acl_ip_label_compat(struct acl_ip_label *ip, const struct acl_ip_label *userp)
89152+{
89153+ struct acl_ip_label_compat ip_compat;
89154+
89155+ if (copy_from_user(&ip_compat, userp, sizeof(ip_compat)))
89156+ return -EFAULT;
89157+
89158+ ip->iface = compat_ptr(ip_compat.iface);
89159+ ip->addr = ip_compat.addr;
89160+ ip->netmask = ip_compat.netmask;
89161+ ip->low = ip_compat.low;
89162+ ip->high = ip_compat.high;
89163+ ip->mode = ip_compat.mode;
89164+ ip->type = ip_compat.type;
89165+
89166+ memcpy(&ip->proto, &ip_compat.proto, sizeof(ip->proto));
89167+
89168+ ip->prev = compat_ptr(ip_compat.prev);
89169+ ip->next = compat_ptr(ip_compat.next);
89170+
89171+ return 0;
89172+}
89173+
89174+int copy_sprole_pw_compat(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp)
89175+{
89176+ struct sprole_pw_compat pw_compat;
89177+
89178+ if (copy_from_user(&pw_compat, (const void *)userp + (sizeof(pw_compat) * idx), sizeof(pw_compat)))
89179+ return -EFAULT;
89180+
89181+ pw->rolename = compat_ptr(pw_compat.rolename);
89182+ memcpy(&pw->salt, pw_compat.salt, sizeof(pw->salt));
89183+ memcpy(&pw->sum, pw_compat.sum, sizeof(pw->sum));
89184+
89185+ return 0;
89186+}
89187+
89188+size_t get_gr_arg_wrapper_size_compat(void)
89189+{
89190+ return sizeof(struct gr_arg_wrapper_compat);
89191+}
89192+
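Review bot: Only `copy_gr_arg_compat()` marks its source pointer `__user`; the other helpers in this file (`copy_gr_arg_wrapper_compat`, `copy_acl_object_label_compat`, `copy_acl_subject_label_compat`, and the rest down to `copy_sprole_pw_compat`) pass an unannotated `buf`/`userp` to `copy_from_user()`, so sparse cannot flag a direct dereference of these userland pointers. The parameters should be declared like `const struct acl_object_label __user *userp`, with the matching prototypes (presumably in `linux/gracl_compat.h`, outside this hunk) updated as well. In `copy_gr_arg_compat()` the stack copy `argcompat` holds `pw`, `salt` and `sum` and is left untouched on return. If `pw` is authentication material, as the name suggests, adding `memzero_explicit(&argcompat, sizeof(argcompat));` before `return 0;` avoids leaving it on the kernel stack.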
89193diff --git a/grsecurity/gracl_fs.c b/grsecurity/gracl_fs.c
89194new file mode 100644
89195index 0000000..fce7f71
89196--- /dev/null
89197+++ b/grsecurity/gracl_fs.c
89198@@ -0,0 +1,448 @@
89199+#include <linux/kernel.h>
89200+#include <linux/sched.h>
89201+#include <linux/types.h>
89202+#include <linux/fs.h>
89203+#include <linux/file.h>
89204+#include <linux/stat.h>
89205+#include <linux/grsecurity.h>
89206+#include <linux/grinternal.h>
89207+#include <linux/gracl.h>
89208+
89209+umode_t
89210+gr_acl_umask(void)
89211+{
89212+ if (unlikely(!gr_acl_is_enabled()))
89213+ return 0;
89214+
89215+ return current->role->umask;
89216+}
89217+
89218+__u32
89219+gr_acl_handle_hidden_file(const struct dentry * dentry,
89220+ const struct vfsmount * mnt)
89221+{
89222+ __u32 mode;
89223+
89224+ if (unlikely(d_is_negative(dentry)))
89225+ return GR_FIND;
89226+
89227+ mode =
89228+ gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
89229+
89230+ if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
89231+ gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
89232+ return mode;
89233+ } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
89234+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
89235+ return 0;
89236+ } else if (unlikely(!(mode & GR_FIND)))
89237+ return 0;
89238+
89239+ return GR_FIND;
89240+}
89241+
89242+__u32
89243+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
89244+ int acc_mode)
89245+{
89246+ __u32 reqmode = GR_FIND;
89247+ __u32 mode;
89248+
89249+ if (unlikely(d_is_negative(dentry)))
89250+ return reqmode;
89251+
89252+ if (acc_mode & MAY_APPEND)
89253+ reqmode |= GR_APPEND;
89254+ else if (acc_mode & MAY_WRITE)
89255+ reqmode |= GR_WRITE;
89256+ if ((acc_mode & MAY_READ) && !d_is_dir(dentry))
89257+ reqmode |= GR_READ;
89258+
89259+ mode =
89260+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
89261+ mnt);
89262+
89263+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
89264+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
89265+ reqmode & GR_READ ? " reading" : "",
89266+ reqmode & GR_WRITE ? " writing" : reqmode &
89267+ GR_APPEND ? " appending" : "");
89268+ return reqmode;
89269+ } else
89270+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
89271+ {
89272+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
89273+ reqmode & GR_READ ? " reading" : "",
89274+ reqmode & GR_WRITE ? " writing" : reqmode &
89275+ GR_APPEND ? " appending" : "");
89276+ return 0;
89277+ } else if (unlikely((mode & reqmode) != reqmode))
89278+ return 0;
89279+
89280+ return reqmode;
89281+}
89282+
89283+__u32
89284+gr_acl_handle_creat(const struct dentry * dentry,
89285+ const struct dentry * p_dentry,
89286+ const struct vfsmount * p_mnt, int open_flags, int acc_mode,
89287+ const int imode)
89288+{
89289+ __u32 reqmode = GR_WRITE | GR_CREATE;
89290+ __u32 mode;
89291+
89292+ if (acc_mode & MAY_APPEND)
89293+ reqmode |= GR_APPEND;
89294+ // if a directory was required or the directory already exists, then
89295+ // don't count this open as a read
89296+ if ((acc_mode & MAY_READ) &&
89297+ !((open_flags & O_DIRECTORY) || d_is_dir(dentry)))
89298+ reqmode |= GR_READ;
89299+ if ((open_flags & O_CREAT) &&
89300+ ((imode & S_ISUID) || ((imode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))
89301+ reqmode |= GR_SETID;
89302+
89303+ mode =
89304+ gr_check_create(dentry, p_dentry, p_mnt,
89305+ reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
89306+
89307+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
89308+ gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
89309+ reqmode & GR_READ ? " reading" : "",
89310+ reqmode & GR_WRITE ? " writing" : reqmode &
89311+ GR_APPEND ? " appending" : "");
89312+ return reqmode;
89313+ } else
89314+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
89315+ {
89316+ gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
89317+ reqmode & GR_READ ? " reading" : "",
89318+ reqmode & GR_WRITE ? " writing" : reqmode &
89319+ GR_APPEND ? " appending" : "");
89320+ return 0;
89321+ } else if (unlikely((mode & reqmode) != reqmode))
89322+ return 0;
89323+
89324+ return reqmode;
89325+}
89326+
89327+__u32
89328+gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
89329+ const int fmode)
89330+{
89331+ __u32 mode, reqmode = GR_FIND;
89332+
89333+ if ((fmode & S_IXOTH) && !d_is_dir(dentry))
89334+ reqmode |= GR_EXEC;
89335+ if (fmode & S_IWOTH)
89336+ reqmode |= GR_WRITE;
89337+ if (fmode & S_IROTH)
89338+ reqmode |= GR_READ;
89339+
89340+ mode =
89341+ gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
89342+ mnt);
89343+
89344+ if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
89345+ gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
89346+ reqmode & GR_READ ? " reading" : "",
89347+ reqmode & GR_WRITE ? " writing" : "",
89348+ reqmode & GR_EXEC ? " executing" : "");
89349+ return reqmode;
89350+ } else
89351+ if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
89352+ {
89353+ gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
89354+ reqmode & GR_READ ? " reading" : "",
89355+ reqmode & GR_WRITE ? " writing" : "",
89356+ reqmode & GR_EXEC ? " executing" : "");
89357+ return 0;
89358+ } else if (unlikely((mode & reqmode) != reqmode))
89359+ return 0;
89360+
89361+ return reqmode;
89362+}
89363+
89364+static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
89365+{
89366+ __u32 mode;
89367+
89368+ mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
89369+
89370+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
89371+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
89372+ return mode;
89373+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
89374+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
89375+ return 0;
89376+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
89377+ return 0;
89378+
89379+ return (reqmode);
89380+}
89381+
89382+__u32
89383+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
89384+{
89385+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
89386+}
89387+
89388+__u32
89389+gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
89390+{
89391+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
89392+}
89393+
89394+__u32
89395+gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
89396+{
89397+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
89398+}
89399+
89400+__u32
89401+gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
89402+{
89403+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
89404+}
89405+
89406+__u32
89407+gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
89408+ umode_t *modeptr)
89409+{
89410+ umode_t mode;
89411+ struct inode *inode = d_backing_inode(dentry);
89412+
89413+ *modeptr &= ~gr_acl_umask();
89414+ mode = *modeptr;
89415+
89416+ if (unlikely(inode && S_ISSOCK(inode->i_mode)))
89417+ return 1;
89418+
89419+ if (unlikely(!d_is_dir(dentry) &&
89420+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))) {
89421+ return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
89422+ GR_CHMOD_ACL_MSG);
89423+ } else {
89424+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
89425+ }
89426+}
89427+
89428+__u32
89429+gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
89430+{
89431+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
89432+}
89433+
89434+__u32
89435+gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
89436+{
89437+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
89438+}
89439+
89440+__u32
89441+gr_acl_handle_removexattr(const struct dentry *dentry, const struct vfsmount *mnt)
89442+{
89443+ return generic_fs_handler(dentry, mnt, GR_WRITE, GR_REMOVEXATTR_ACL_MSG);
89444+}
89445+
89446+__u32
89447+gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
89448+{
89449+ return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
89450+}
89451+
89452+__u32
89453+gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
89454+{
89455+ return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
89456+ GR_UNIXCONNECT_ACL_MSG);
89457+}
89458+
89459+/* hardlinks require at minimum create and link permission,
89460+ any additional privilege required is based on the
89461+ privilege of the file being linked to
89462+*/
89463+__u32
89464+gr_acl_handle_link(const struct dentry * new_dentry,
89465+ const struct dentry * parent_dentry,
89466+ const struct vfsmount * parent_mnt,
89467+ const struct dentry * old_dentry,
89468+ const struct vfsmount * old_mnt, const struct filename *to)
89469+{
89470+ __u32 mode;
89471+ __u32 needmode = GR_CREATE | GR_LINK;
89472+ __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
89473+
89474+ mode =
89475+ gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
89476+ old_mnt);
89477+
89478+ if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
89479+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to->name);
89480+ return mode;
89481+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
89482+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to->name);
89483+ return 0;
89484+ } else if (unlikely((mode & needmode) != needmode))
89485+ return 0;
89486+
89487+ return 1;
89488+}
89489+
89490+__u32
89491+gr_acl_handle_symlink(const struct dentry * new_dentry,
89492+ const struct dentry * parent_dentry,
89493+ const struct vfsmount * parent_mnt, const struct filename *from)
89494+{
89495+ __u32 needmode = GR_WRITE | GR_CREATE;
89496+ __u32 mode;
89497+
89498+ mode =
89499+ gr_check_create(new_dentry, parent_dentry, parent_mnt,
89500+ GR_CREATE | GR_AUDIT_CREATE |
89501+ GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
89502+
89503+ if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
89504+ gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from->name, new_dentry, parent_mnt);
89505+ return mode;
89506+ } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
89507+ gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from->name, new_dentry, parent_mnt);
89508+ return 0;
89509+ } else if (unlikely((mode & needmode) != needmode))
89510+ return 0;
89511+
89512+ return (GR_WRITE | GR_CREATE);
89513+}
89514+
89515+static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
89516+{
89517+ __u32 mode;
89518+
89519+ mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
89520+
89521+ if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
89522+ gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
89523+ return mode;
89524+ } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
89525+ gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
89526+ return 0;
89527+ } else if (unlikely((mode & (reqmode)) != (reqmode)))
89528+ return 0;
89529+
89530+ return (reqmode);
89531+}
89532+
89533+__u32
89534+gr_acl_handle_mknod(const struct dentry * new_dentry,
89535+ const struct dentry * parent_dentry,
89536+ const struct vfsmount * parent_mnt,
89537+ const int mode)
89538+{
89539+ __u32 reqmode = GR_WRITE | GR_CREATE;
89540+ if (unlikely((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))))
89541+ reqmode |= GR_SETID;
89542+
89543+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
89544+ reqmode, GR_MKNOD_ACL_MSG);
89545+}
89546+
89547+__u32
89548+gr_acl_handle_mkdir(const struct dentry *new_dentry,
89549+ const struct dentry *parent_dentry,
89550+ const struct vfsmount *parent_mnt)
89551+{
89552+ return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
89553+ GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
89554+}
89555+
89556+#define RENAME_CHECK_SUCCESS(old, new) \
89557+ (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
89558+ ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
89559+
89560+int
89561+gr_acl_handle_rename(struct dentry *new_dentry,
89562+ struct dentry *parent_dentry,
89563+ const struct vfsmount *parent_mnt,
89564+ struct dentry *old_dentry,
89565+ struct inode *old_parent_inode,
89566+ struct vfsmount *old_mnt, const struct filename *newname, unsigned int flags)
89567+{
89568+ __u32 comp1, comp2;
89569+ int error = 0;
89570+
89571+ if (unlikely(!gr_acl_is_enabled()))
89572+ return 0;
89573+
89574+ if (flags & RENAME_EXCHANGE) {
89575+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
89576+ GR_AUDIT_READ | GR_AUDIT_WRITE |
89577+ GR_SUPPRESS, parent_mnt);
89578+ comp2 =
89579+ gr_search_file(old_dentry,
89580+ GR_READ | GR_WRITE | GR_AUDIT_READ |
89581+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
89582+ } else if (d_is_negative(new_dentry)) {
89583+ comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
89584+ GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
89585+ GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
89586+ comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
89587+ GR_DELETE | GR_AUDIT_DELETE |
89588+ GR_AUDIT_READ | GR_AUDIT_WRITE |
89589+ GR_SUPPRESS, old_mnt);
89590+ } else {
89591+ comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
89592+ GR_CREATE | GR_DELETE |
89593+ GR_AUDIT_CREATE | GR_AUDIT_DELETE |
89594+ GR_AUDIT_READ | GR_AUDIT_WRITE |
89595+ GR_SUPPRESS, parent_mnt);
89596+ comp2 =
89597+ gr_search_file(old_dentry,
89598+ GR_READ | GR_WRITE | GR_AUDIT_READ |
89599+ GR_DELETE | GR_AUDIT_DELETE |
89600+ GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
89601+ }
89602+
89603+ if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
89604+ ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
89605+ gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname->name);
89606+ else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
89607+ && !(comp2 & GR_SUPPRESS)) {
89608+ gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname->name);
89609+ error = -EACCES;
89610+ } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
89611+ error = -EACCES;
89612+
89613+ return error;
89614+}
89615+
89616+void
89617+gr_acl_handle_exit(void)
89618+{
89619+ u16 id;
89620+ char *rolename;
89621+
89622+ if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
89623+ !(current->role->roletype & GR_ROLE_PERSIST))) {
89624+ id = current->acl_role_id;
89625+ rolename = current->role->rolename;
89626+ gr_set_acls(1);
89627+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
89628+ }
89629+
89630+ gr_put_exec_file(current);
89631+ return;
89632+}
89633+
89634+int
89635+gr_acl_handle_procpidmem(const struct task_struct *task)
89636+{
89637+ if (unlikely(!gr_acl_is_enabled()))
89638+ return 0;
89639+
89640+ if (task != current && (task->acl->mode & GR_PROTPROCFD) &&
89641+ !(current->acl->mode & GR_POVERRIDE) &&
89642+ !(current->role->roletype & GR_ROLE_GOD))
89643+ return -EACCES;
89644+
89645+ return 0;
89646+}
89647diff --git a/grsecurity/gracl_ip.c b/grsecurity/gracl_ip.c
89648new file mode 100644
89649index 0000000..ed6ee43
89650--- /dev/null
89651+++ b/grsecurity/gracl_ip.c
89652@@ -0,0 +1,386 @@
89653+#include <linux/kernel.h>
89654+#include <asm/uaccess.h>
89655+#include <asm/errno.h>
89656+#include <net/sock.h>
89657+#include <linux/file.h>
89658+#include <linux/fs.h>
89659+#include <linux/net.h>
89660+#include <linux/in.h>
89661+#include <linux/skbuff.h>
89662+#include <linux/ip.h>
89663+#include <linux/udp.h>
89664+#include <linux/types.h>
89665+#include <linux/sched.h>
89666+#include <linux/netdevice.h>
89667+#include <linux/inetdevice.h>
89668+#include <linux/gracl.h>
89669+#include <linux/grsecurity.h>
89670+#include <linux/grinternal.h>
89671+
89672+#define GR_BIND 0x01
89673+#define GR_CONNECT 0x02
89674+#define GR_INVERT 0x04
89675+#define GR_BINDOVERRIDE 0x08
89676+#define GR_CONNECTOVERRIDE 0x10
89677+#define GR_SOCK_FAMILY 0x20
89678+
89679+static const char * gr_protocols[IPPROTO_MAX] = {
89680+ "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
89681+ "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
89682+ "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
89683+ "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
89684+ "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
89685+ "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
89686+ "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
89687+ "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
89688+ "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
89689+ "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
89690+ "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
89691+ "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
89692+ "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
89693+ "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
89694+ "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
89695+ "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
89696+ "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
89697+ "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
89698+ "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
89699+ "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
89700+ "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
89701+ "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
89702+ "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
89703+ "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
89704+ "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
89705+ "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
89706+ "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
89707+ "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
89708+ "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
89709+ "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
89710+ "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
89711+ "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
89712+ };
89713+
89714+static const char * gr_socktypes[SOCK_MAX] = {
89715+ "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
89716+ "unknown:7", "unknown:8", "unknown:9", "packet"
89717+ };
89718+
89719+static const char * gr_sockfamilies[AF_MAX+1] = {
89720+ "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
89721+ "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
89722+ "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
89723+ "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf", "alg", "nfc", "vsock"
89724+ };
89725+
89726+const char *
89727+gr_proto_to_name(unsigned char proto)
89728+{
89729+ return gr_protocols[proto];
89730+}
89731+
89732+const char *
89733+gr_socktype_to_name(unsigned char type)
89734+{
89735+ return gr_socktypes[type];
89736+}
89737+
89738+const char *
89739+gr_sockfamily_to_name(unsigned char family)
89740+{
89741+ return gr_sockfamilies[family];
89742+}
89743+
89744+extern const struct net_proto_family __rcu *net_families[NPROTO] __read_mostly;
89745+
89746+int
89747+gr_search_socket(const int domain, const int type, const int protocol)
89748+{
89749+ struct acl_subject_label *curr;
89750+ const struct cred *cred = current_cred();
89751+
89752+ if (unlikely(!gr_acl_is_enabled()))
89753+ goto exit;
89754+
89755+ if ((domain < 0) || (type < 0) || (protocol < 0) ||
89756+ (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
89757+ goto exit; // let the kernel handle it
89758+
89759+ curr = current->acl;
89760+
89761+ if (curr->sock_families[domain / 32] & (1U << (domain % 32))) {
89762+ /* the family is allowed, if this is PF_INET allow it only if
89763+ the extra sock type/protocol checks pass */
89764+ if (domain == PF_INET)
89765+ goto inet_check;
89766+ goto exit;
89767+ } else {
89768+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
89769+ __u32 fakeip = 0;
89770+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89771+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89772+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89773+ gr_to_filename(current->exec_file->f_path.dentry,
89774+ current->exec_file->f_path.mnt) :
89775+ curr->filename, curr->filename,
89776+ &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
89777+ &current->signal->saved_ip);
89778+ goto exit;
89779+ }
89780+ goto exit_fail;
89781+ }
89782+
89783+inet_check:
89784+ /* the rest of this checking is for IPv4 only */
89785+ if (!curr->ips)
89786+ goto exit;
89787+
89788+ if ((curr->ip_type & (1U << type)) &&
89789+ (curr->ip_proto[protocol / 32] & (1U << (protocol % 32))))
89790+ goto exit;
89791+
89792+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
89793+ /* we don't place acls on raw sockets , and sometimes
89794+ dgram/ip sockets are opened for ioctl and not
89795+ bind/connect, so we'll fake a bind learn log */
89796+ if (type == SOCK_RAW || type == SOCK_PACKET) {
89797+ __u32 fakeip = 0;
89798+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89799+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89800+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89801+ gr_to_filename(current->exec_file->f_path.dentry,
89802+ current->exec_file->f_path.mnt) :
89803+ curr->filename, curr->filename,
89804+ &fakeip, 0, type,
89805+ protocol, GR_CONNECT, &current->signal->saved_ip);
89806+ } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
89807+ __u32 fakeip = 0;
89808+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89809+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89810+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89811+ gr_to_filename(current->exec_file->f_path.dentry,
89812+ current->exec_file->f_path.mnt) :
89813+ curr->filename, curr->filename,
89814+ &fakeip, 0, type,
89815+ protocol, GR_BIND, &current->signal->saved_ip);
89816+ }
89817+ /* we'll log when they use connect or bind */
89818+ goto exit;
89819+ }
89820+
89821+exit_fail:
89822+ if (domain == PF_INET)
89823+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
89824+ gr_socktype_to_name(type), gr_proto_to_name(protocol));
89825+ else if (rcu_access_pointer(net_families[domain]) != NULL)
89826+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
89827+ gr_socktype_to_name(type), protocol);
89828+
89829+ return 0;
89830+exit:
89831+ return 1;
89832+}
89833+
89834+int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
89835+{
89836+ if ((ip->mode & mode) &&
89837+ (ip_port >= ip->low) &&
89838+ (ip_port <= ip->high) &&
89839+ ((ntohl(ip_addr) & our_netmask) ==
89840+ (ntohl(our_addr) & our_netmask))
89841+ && (ip->proto[protocol / 32] & (1U << (protocol % 32)))
89842+ && (ip->type & (1U << type))) {
89843+ if (ip->mode & GR_INVERT)
89844+ return 2; // specifically denied
89845+ else
89846+ return 1; // allowed
89847+ }
89848+
89849+ return 0; // not specifically allowed, may continue parsing
89850+}
89851+
89852+static int
89853+gr_search_connectbind(const int full_mode, struct sock *sk,
89854+ struct sockaddr_in *addr, const int type)
89855+{
89856+ char iface[IFNAMSIZ] = {0};
89857+ struct acl_subject_label *curr;
89858+ struct acl_ip_label *ip;
89859+ struct inet_sock *isk;
89860+ struct net_device *dev;
89861+ struct in_device *idev;
89862+ unsigned long i;
89863+ int ret;
89864+ int mode = full_mode & (GR_BIND | GR_CONNECT);
89865+ __u32 ip_addr = 0;
89866+ __u32 our_addr;
89867+ __u32 our_netmask;
89868+ char *p;
89869+ __u16 ip_port = 0;
89870+ const struct cred *cred = current_cred();
89871+
89872+ if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
89873+ return 0;
89874+
89875+ curr = current->acl;
89876+ isk = inet_sk(sk);
89877+
89878+ /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
89879+ if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
89880+ addr->sin_addr.s_addr = curr->inaddr_any_override;
89881+ if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
89882+ struct sockaddr_in saddr;
89883+ int err;
89884+
89885+ saddr.sin_family = AF_INET;
89886+ saddr.sin_addr.s_addr = curr->inaddr_any_override;
89887+ saddr.sin_port = isk->inet_sport;
89888+
89889+ err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
89890+ if (err)
89891+ return err;
89892+
89893+ err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
89894+ if (err)
89895+ return err;
89896+ }
89897+
89898+ if (!curr->ips)
89899+ return 0;
89900+
89901+ ip_addr = addr->sin_addr.s_addr;
89902+ ip_port = ntohs(addr->sin_port);
89903+
89904+ if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
89905+ security_learn(GR_IP_LEARN_MSG, current->role->rolename,
89906+ current->role->roletype, GR_GLOBAL_UID(cred->uid),
89907+ GR_GLOBAL_GID(cred->gid), current->exec_file ?
89908+ gr_to_filename(current->exec_file->f_path.dentry,
89909+ current->exec_file->f_path.mnt) :
89910+ curr->filename, curr->filename,
89911+ &ip_addr, ip_port, type,
89912+ sk->sk_protocol, mode, &current->signal->saved_ip);
89913+ return 0;
89914+ }
89915+
89916+ for (i = 0; i < curr->ip_num; i++) {
89917+ ip = *(curr->ips + i);
89918+ if (ip->iface != NULL) {
89919+ strncpy(iface, ip->iface, IFNAMSIZ - 1);
89920+ p = strchr(iface, ':');
89921+ if (p != NULL)
89922+ *p = '\0';
89923+ dev = dev_get_by_name(sock_net(sk), iface);
89924+ if (dev == NULL)
89925+ continue;
89926+ idev = in_dev_get(dev);
89927+ if (idev == NULL) {
89928+ dev_put(dev);
89929+ continue;
89930+ }
89931+ rcu_read_lock();
89932+ for_ifa(idev) {
89933+ if (!strcmp(ip->iface, ifa->ifa_label)) {
89934+ our_addr = ifa->ifa_address;
89935+ our_netmask = 0xffffffff;
89936+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
89937+ if (ret == 1) {
89938+ rcu_read_unlock();
89939+ in_dev_put(idev);
89940+ dev_put(dev);
89941+ return 0;
89942+ } else if (ret == 2) {
89943+ rcu_read_unlock();
89944+ in_dev_put(idev);
89945+ dev_put(dev);
89946+ goto denied;
89947+ }
89948+ }
89949+ } endfor_ifa(idev);
89950+ rcu_read_unlock();
89951+ in_dev_put(idev);
89952+ dev_put(dev);
89953+ } else {
89954+ our_addr = ip->addr;
89955+ our_netmask = ip->netmask;
89956+ ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
89957+ if (ret == 1)
89958+ return 0;
89959+ else if (ret == 2)
89960+ goto denied;
89961+ }
89962+ }
89963+
89964+denied:
89965+ if (mode == GR_BIND)
89966+ gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
89967+ else if (mode == GR_CONNECT)
89968+ gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
89969+
89970+ return -EACCES;
89971+}
89972+
89973+int
89974+gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
89975+{
89976+ /* always allow disconnection of dgram sockets with connect */
89977+ if (addr->sin_family == AF_UNSPEC)
89978+ return 0;
89979+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
89980+}
89981+
89982+int
89983+gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
89984+{
89985+ return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
89986+}
89987+
89988+int gr_search_listen(struct socket *sock)
89989+{
89990+ struct sock *sk = sock->sk;
89991+ struct sockaddr_in addr;
89992+
89993+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
89994+ addr.sin_port = inet_sk(sk)->inet_sport;
89995+
89996+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
89997+}
89998+
89999+int gr_search_accept(struct socket *sock)
90000+{
90001+ struct sock *sk = sock->sk;
90002+ struct sockaddr_in addr;
90003+
90004+ addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
90005+ addr.sin_port = inet_sk(sk)->inet_sport;
90006+
90007+ return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
90008+}
90009+
90010+int
90011+gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
90012+{
90013+ if (addr)
90014+ return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
90015+ else {
90016+ struct sockaddr_in sin;
90017+ const struct inet_sock *inet = inet_sk(sk);
90018+
90019+ sin.sin_addr.s_addr = inet->inet_daddr;
90020+ sin.sin_port = inet->inet_dport;
90021+
90022+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
90023+ }
90024+}
90025+
90026+int
90027+gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
90028+{
90029+ struct sockaddr_in sin;
90030+
90031+ if (unlikely(skb->len < sizeof (struct udphdr)))
90032+ return 0; // skip this packet
90033+
90034+ sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
90035+ sin.sin_port = udp_hdr(skb)->source;
90036+
90037+ return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
90038+}
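Review bot: `gr_proto_to_name`, `gr_socktype_to_name` and `gr_sockfamily_to_name` index their tables with an unchecked `unsigned char`, and only `gr_protocols` carries a name for every value that type can hold. `gr_socktypes` has `SOCK_MAX` slots, so a `type` at or above `SOCK_MAX` reads past the array, and `gr_sockfamilies` is declared with `AF_MAX+1` slots but lists only 40 names, so any slot beyond those is a NULL pointer handed to the logging call. The callers visible in this hunk pass values that `gr_search_socket` has range-checked or that come from `sock->type` and `sk->sk_protocol`, but the helpers are non-static and may be called from elsewhere. I would bound them in place, e.g. `return type < SOCK_MAX ? gr_socktypes[type] : "unknown";`, and give `gr_sockfamily_to_name` the same range check plus a fallback string for an empty slot.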
90039diff --git a/grsecurity/gracl_learn.c b/grsecurity/gracl_learn.c
90040new file mode 100644
90041index 0000000..25f54ef
90042--- /dev/null
90043+++ b/grsecurity/gracl_learn.c
90044@@ -0,0 +1,207 @@
90045+#include <linux/kernel.h>
90046+#include <linux/mm.h>
90047+#include <linux/sched.h>
90048+#include <linux/poll.h>
90049+#include <linux/string.h>
90050+#include <linux/file.h>
90051+#include <linux/types.h>
90052+#include <linux/vmalloc.h>
90053+#include <linux/grinternal.h>
90054+
90055+extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
90056+ size_t count, loff_t *ppos);
90057+extern int gr_acl_is_enabled(void);
90058+
90059+static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
90060+static int gr_learn_attached;
90061+
90062+/* use a 512k buffer */
90063+#define LEARN_BUFFER_SIZE (512 * 1024)
90064+
90065+static DEFINE_SPINLOCK(gr_learn_lock);
90066+static DEFINE_MUTEX(gr_learn_user_mutex);
90067+
90068+/* we need to maintain two buffers, so that the kernel context of grlearn
90069+ uses a semaphore around the userspace copying, and the other kernel contexts
90070+ use a spinlock when copying into the buffer, since they cannot sleep
90071+*/
90072+static char *learn_buffer;
90073+static char *learn_buffer_user;
90074+static int learn_buffer_len;
90075+static int learn_buffer_user_len;
90076+
90077+static ssize_t
90078+read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
90079+{
90080+ DECLARE_WAITQUEUE(wait, current);
90081+ ssize_t retval = 0;
90082+
90083+ add_wait_queue(&learn_wait, &wait);
90084+ set_current_state(TASK_INTERRUPTIBLE);
90085+ do {
90086+ mutex_lock(&gr_learn_user_mutex);
90087+ spin_lock(&gr_learn_lock);
90088+ if (learn_buffer_len)
90089+ break;
90090+ spin_unlock(&gr_learn_lock);
90091+ mutex_unlock(&gr_learn_user_mutex);
90092+ if (file->f_flags & O_NONBLOCK) {
90093+ retval = -EAGAIN;
90094+ goto out;
90095+ }
90096+ if (signal_pending(current)) {
90097+ retval = -ERESTARTSYS;
90098+ goto out;
90099+ }
90100+
90101+ schedule();
90102+ } while (1);
90103+
90104+ memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
90105+ learn_buffer_user_len = learn_buffer_len;
90106+ retval = learn_buffer_len;
90107+ learn_buffer_len = 0;
90108+
90109+ spin_unlock(&gr_learn_lock);
90110+
90111+ if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
90112+ retval = -EFAULT;
90113+
90114+ mutex_unlock(&gr_learn_user_mutex);
90115+out:
90116+ set_current_state(TASK_RUNNING);
90117+ remove_wait_queue(&learn_wait, &wait);
90118+ return retval;
90119+}
90120+
90121+static unsigned int
90122+poll_learn(struct file * file, poll_table * wait)
90123+{
90124+ poll_wait(file, &learn_wait, wait);
90125+
90126+ if (learn_buffer_len)
90127+ return (POLLIN | POLLRDNORM);
90128+
90129+ return 0;
90130+}
90131+
90132+void
90133+gr_clear_learn_entries(void)
90134+{
90135+ char *tmp;
90136+
90137+ mutex_lock(&gr_learn_user_mutex);
90138+ spin_lock(&gr_learn_lock);
90139+ tmp = learn_buffer;
90140+ learn_buffer = NULL;
90141+ spin_unlock(&gr_learn_lock);
90142+ if (tmp)
90143+ vfree(tmp);
90144+ if (learn_buffer_user != NULL) {
90145+ vfree(learn_buffer_user);
90146+ learn_buffer_user = NULL;
90147+ }
90148+ learn_buffer_len = 0;
90149+ mutex_unlock(&gr_learn_user_mutex);
90150+
90151+ return;
90152+}
90153+
90154+void
90155+gr_add_learn_entry(const char *fmt, ...)
90156+{
90157+ va_list args;
90158+ unsigned int len;
90159+
90160+ if (!gr_learn_attached)
90161+ return;
90162+
90163+ spin_lock(&gr_learn_lock);
90164+
90165+ /* leave a gap at the end so we know when it's "full" but don't have to
90166+ compute the exact length of the string we're trying to append
90167+ */
90168+ if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
90169+ spin_unlock(&gr_learn_lock);
90170+ wake_up_interruptible(&learn_wait);
90171+ return;
90172+ }
90173+ if (learn_buffer == NULL) {
90174+ spin_unlock(&gr_learn_lock);
90175+ return;
90176+ }
90177+
90178+ va_start(args, fmt);
90179+ len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
90180+ va_end(args);
90181+
90182+ learn_buffer_len += len + 1;
90183+
90184+ spin_unlock(&gr_learn_lock);
90185+ wake_up_interruptible(&learn_wait);
90186+
90187+ return;
90188+}
90189+
90190+static int
90191+open_learn(struct inode *inode, struct file *file)
90192+{
90193+ if (file->f_mode & FMODE_READ && gr_learn_attached)
90194+ return -EBUSY;
90195+ if (file->f_mode & FMODE_READ) {
90196+ int retval = 0;
90197+ mutex_lock(&gr_learn_user_mutex);
90198+ if (learn_buffer == NULL)
90199+ learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
90200+ if (learn_buffer_user == NULL)
90201+ learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
90202+ if (learn_buffer == NULL) {
90203+ retval = -ENOMEM;
90204+ goto out_error;
90205+ }
90206+ if (learn_buffer_user == NULL) {
90207+ retval = -ENOMEM;
90208+ goto out_error;
90209+ }
90210+ learn_buffer_len = 0;
90211+ learn_buffer_user_len = 0;
90212+ gr_learn_attached = 1;
90213+out_error:
90214+ mutex_unlock(&gr_learn_user_mutex);
90215+ return retval;
90216+ }
90217+ return 0;
90218+}
90219+
90220+static int
90221+close_learn(struct inode *inode, struct file *file)
90222+{
90223+ if (file->f_mode & FMODE_READ) {
90224+ char *tmp = NULL;
90225+ mutex_lock(&gr_learn_user_mutex);
90226+ spin_lock(&gr_learn_lock);
90227+ tmp = learn_buffer;
90228+ learn_buffer = NULL;
90229+ spin_unlock(&gr_learn_lock);
90230+ if (tmp)
90231+ vfree(tmp);
90232+ if (learn_buffer_user != NULL) {
90233+ vfree(learn_buffer_user);
90234+ learn_buffer_user = NULL;
90235+ }
90236+ learn_buffer_len = 0;
90237+ learn_buffer_user_len = 0;
90238+ gr_learn_attached = 0;
90239+ mutex_unlock(&gr_learn_user_mutex);
90240+ }
90241+
90242+ return 0;
90243+}
90244+
90245+const struct file_operations grsec_fops = {
90246+ .read = read_learn,
90247+ .write = write_grsec_handler,
90248+ .open = open_learn,
90249+ .release = close_learn,
90250+ .poll = poll_learn,
90251+};
90252diff --git a/grsecurity/gracl_policy.c b/grsecurity/gracl_policy.c
90253new file mode 100644
90254index 0000000..0773423
90255--- /dev/null
90256+++ b/grsecurity/gracl_policy.c
90257@@ -0,0 +1,1786 @@
90258+#include <linux/kernel.h>
90259+#include <linux/module.h>
90260+#include <linux/sched.h>
90261+#include <linux/mm.h>
90262+#include <linux/file.h>
90263+#include <linux/fs.h>
90264+#include <linux/namei.h>
90265+#include <linux/mount.h>
90266+#include <linux/tty.h>
90267+#include <linux/proc_fs.h>
90268+#include <linux/lglock.h>
90269+#include <linux/slab.h>
90270+#include <linux/vmalloc.h>
90271+#include <linux/types.h>
90272+#include <linux/sysctl.h>
90273+#include <linux/netdevice.h>
90274+#include <linux/ptrace.h>
90275+#include <linux/gracl.h>
90276+#include <linux/gralloc.h>
90277+#include <linux/security.h>
90278+#include <linux/grinternal.h>
90279+#include <linux/pid_namespace.h>
90280+#include <linux/stop_machine.h>
90281+#include <linux/fdtable.h>
90282+#include <linux/percpu.h>
90283+#include <linux/lglock.h>
90284+#include <linux/hugetlb.h>
90285+#include <linux/posix-timers.h>
90286+#include "../fs/mount.h"
90287+
90288+#include <asm/uaccess.h>
90289+#include <asm/errno.h>
90290+#include <asm/mman.h>
90291+
90292+extern struct gr_policy_state *polstate;
90293+
90294+#define FOR_EACH_ROLE_START(role) \
90295+ role = polstate->role_list; \
90296+ while (role) {
90297+
90298+#define FOR_EACH_ROLE_END(role) \
90299+ role = role->prev; \
90300+ }
90301+
90302+struct path gr_real_root;
90303+
90304+extern struct gr_alloc_state *current_alloc_state;
90305+
90306+u16 acl_sp_role_value;
90307+
90308+static DEFINE_MUTEX(gr_dev_mutex);
90309+
90310+extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
90311+extern void gr_clear_learn_entries(void);
90312+
90313+struct gr_arg *gr_usermode __read_only;
90314+unsigned char *gr_system_salt __read_only;
90315+unsigned char *gr_system_sum __read_only;
90316+
90317+static unsigned int gr_auth_attempts = 0;
90318+static unsigned long gr_auth_expires = 0UL;
90319+
90320+struct acl_object_label *fakefs_obj_rw;
90321+struct acl_object_label *fakefs_obj_rwx;
90322+
90323+extern int gr_init_uidset(void);
90324+extern void gr_free_uidset(void);
90325+extern void gr_remove_uid(uid_t uid);
90326+extern int gr_find_uid(uid_t uid);
90327+
90328+extern struct acl_subject_label *__gr_get_subject_for_task(const struct gr_policy_state *state, struct task_struct *task, const char *filename, int fallback);
90329+extern void __gr_apply_subject_to_task(struct gr_policy_state *state, struct task_struct *task, struct acl_subject_label *subj);
90330+extern int gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb);
90331+extern void __insert_inodev_entry(const struct gr_policy_state *state, struct inodev_entry *entry);
90332+extern struct acl_role_label *__lookup_acl_role_label(const struct gr_policy_state *state, const struct task_struct *task, const uid_t uid, const gid_t gid);
90333+extern void insert_acl_obj_label(struct acl_object_label *obj, struct acl_subject_label *subj);
90334+extern void insert_acl_subj_label(struct acl_subject_label *obj, struct acl_role_label *role);
90335+extern struct name_entry * __lookup_name_entry(const struct gr_policy_state *state, const char *name);
90336+extern char *gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt);
90337+extern struct acl_subject_label *lookup_acl_subj_label(const u64 ino, const dev_t dev, const struct acl_role_label *role);
90338+extern struct acl_subject_label *lookup_acl_subj_label_deleted(const u64 ino, const dev_t dev, const struct acl_role_label *role);
90339+extern void assign_special_role(const char *rolename);
90340+extern struct acl_subject_label *chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt, const struct acl_role_label *role);
90341+extern int gr_rbac_disable(void *unused);
90342+extern void gr_enable_rbac_system(void);
90343+
90344+static int copy_acl_object_label_normal(struct acl_object_label *obj, const struct acl_object_label *userp)
90345+{
90346+ if (copy_from_user(obj, userp, sizeof(struct acl_object_label)))
90347+ return -EFAULT;
90348+
90349+ return 0;
90350+}
90351+
90352+static int copy_acl_ip_label_normal(struct acl_ip_label *ip, const struct acl_ip_label *userp)
90353+{
90354+ if (copy_from_user(ip, userp, sizeof(struct acl_ip_label)))
90355+ return -EFAULT;
90356+
90357+ return 0;
90358+}
90359+
90360+static int copy_acl_subject_label_normal(struct acl_subject_label *subj, const struct acl_subject_label *userp)
90361+{
90362+ if (copy_from_user(subj, userp, sizeof(struct acl_subject_label)))
90363+ return -EFAULT;
90364+
90365+ return 0;
90366+}
90367+
90368+static int copy_acl_role_label_normal(struct acl_role_label *role, const struct acl_role_label *userp)
90369+{
90370+ if (copy_from_user(role, userp, sizeof(struct acl_role_label)))
90371+ return -EFAULT;
90372+
90373+ return 0;
90374+}
90375+
90376+static int copy_role_allowed_ip_normal(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp)
90377+{
90378+ if (copy_from_user(roleip, userp, sizeof(struct role_allowed_ip)))
90379+ return -EFAULT;
90380+
90381+ return 0;
90382+}
90383+
90384+static int copy_sprole_pw_normal(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp)
90385+{
90386+ if (copy_from_user(pw, userp + idx, sizeof(struct sprole_pw)))
90387+ return -EFAULT;
90388+
90389+ return 0;
90390+}
90391+
90392+static int copy_gr_hash_struct_normal(struct gr_hash_struct *hash, const struct gr_hash_struct *userp)
90393+{
90394+ if (copy_from_user(hash, userp, sizeof(struct gr_hash_struct)))
90395+ return -EFAULT;
90396+
90397+ return 0;
90398+}
90399+
90400+static int copy_role_transition_normal(struct role_transition *trans, const struct role_transition *userp)
90401+{
90402+ if (copy_from_user(trans, userp, sizeof(struct role_transition)))
90403+ return -EFAULT;
90404+
90405+ return 0;
90406+}
90407+
90408+int copy_pointer_from_array_normal(void *ptr, unsigned long idx, const void *userp)
90409+{
90410+ if (copy_from_user(ptr, userp + (idx * sizeof(void *)), sizeof(void *)))
90411+ return -EFAULT;
90412+
90413+ return 0;
90414+}
90415+
90416+static int copy_gr_arg_wrapper_normal(const char __user *buf, struct gr_arg_wrapper *uwrap)
90417+{
90418+ if (copy_from_user(uwrap, buf, sizeof (struct gr_arg_wrapper)))
90419+ return -EFAULT;
90420+
90421+ if ((uwrap->version != GRSECURITY_VERSION) ||
90422+ (uwrap->size != sizeof(struct gr_arg)))
90423+ return -EINVAL;
90424+
90425+ return 0;
90426+}
90427+
90428+static int copy_gr_arg_normal(const struct gr_arg __user *buf, struct gr_arg *arg)
90429+{
90430+ if (copy_from_user(arg, buf, sizeof (struct gr_arg)))
90431+ return -EFAULT;
90432+
90433+ return 0;
90434+}
90435+
90436+static size_t get_gr_arg_wrapper_size_normal(void)
90437+{
90438+ return sizeof(struct gr_arg_wrapper);
90439+}
90440+
90441+#ifdef CONFIG_COMPAT
90442+extern int copy_gr_arg_wrapper_compat(const char *buf, struct gr_arg_wrapper *uwrap);
90443+extern int copy_gr_arg_compat(const struct gr_arg __user *buf, struct gr_arg *arg);
90444+extern int copy_acl_object_label_compat(struct acl_object_label *obj, const struct acl_object_label *userp);
90445+extern int copy_acl_subject_label_compat(struct acl_subject_label *subj, const struct acl_subject_label *userp);
90446+extern int copy_acl_role_label_compat(struct acl_role_label *role, const struct acl_role_label *userp);
90447+extern int copy_role_allowed_ip_compat(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp);
90448+extern int copy_role_transition_compat(struct role_transition *trans, const struct role_transition *userp);
90449+extern int copy_gr_hash_struct_compat(struct gr_hash_struct *hash, const struct gr_hash_struct *userp);
90450+extern int copy_pointer_from_array_compat(void *ptr, unsigned long idx, const void *userp);
90451+extern int copy_acl_ip_label_compat(struct acl_ip_label *ip, const struct acl_ip_label *userp);
90452+extern int copy_sprole_pw_compat(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp);
90453+extern size_t get_gr_arg_wrapper_size_compat(void);
90454+
90455+int (* copy_gr_arg_wrapper)(const char *buf, struct gr_arg_wrapper *uwrap) __read_only;
90456+int (* copy_gr_arg)(const struct gr_arg *buf, struct gr_arg *arg) __read_only;
90457+int (* copy_acl_object_label)(struct acl_object_label *obj, const struct acl_object_label *userp) __read_only;
90458+int (* copy_acl_subject_label)(struct acl_subject_label *subj, const struct acl_subject_label *userp) __read_only;
90459+int (* copy_acl_role_label)(struct acl_role_label *role, const struct acl_role_label *userp) __read_only;
90460+int (* copy_acl_ip_label)(struct acl_ip_label *ip, const struct acl_ip_label *userp) __read_only;
90461+int (* copy_pointer_from_array)(void *ptr, unsigned long idx, const void *userp) __read_only;
90462+int (* copy_sprole_pw)(struct sprole_pw *pw, unsigned long idx, const struct sprole_pw *userp) __read_only;
90463+int (* copy_gr_hash_struct)(struct gr_hash_struct *hash, const struct gr_hash_struct *userp) __read_only;
90464+int (* copy_role_transition)(struct role_transition *trans, const struct role_transition *userp) __read_only;
90465+int (* copy_role_allowed_ip)(struct role_allowed_ip *roleip, const struct role_allowed_ip *userp) __read_only;
90466+size_t (* get_gr_arg_wrapper_size)(void) __read_only;
90467+
90468+#else
90469+#define copy_gr_arg_wrapper copy_gr_arg_wrapper_normal
90470+#define copy_gr_arg copy_gr_arg_normal
90471+#define copy_gr_hash_struct copy_gr_hash_struct_normal
90472+#define copy_acl_object_label copy_acl_object_label_normal
90473+#define copy_acl_subject_label copy_acl_subject_label_normal
90474+#define copy_acl_role_label copy_acl_role_label_normal
90475+#define copy_acl_ip_label copy_acl_ip_label_normal
90476+#define copy_pointer_from_array copy_pointer_from_array_normal
90477+#define copy_sprole_pw copy_sprole_pw_normal
90478+#define copy_role_transition copy_role_transition_normal
90479+#define copy_role_allowed_ip copy_role_allowed_ip_normal
90480+#define get_gr_arg_wrapper_size get_gr_arg_wrapper_size_normal
90481+#endif
90482+
90483+static struct acl_subject_label *
90484+lookup_subject_map(const struct acl_subject_label *userp)
90485+{
90486+ unsigned int index = gr_shash(userp, polstate->subj_map_set.s_size);
90487+ struct subject_map *match;
90488+
90489+ match = polstate->subj_map_set.s_hash[index];
90490+
90491+ while (match && match->user != userp)
90492+ match = match->next;
90493+
90494+ if (match != NULL)
90495+ return match->kernel;
90496+ else
90497+ return NULL;
90498+}
90499+
90500+static void
90501+insert_subj_map_entry(struct subject_map *subjmap)
90502+{
90503+ unsigned int index = gr_shash(subjmap->user, polstate->subj_map_set.s_size);
90504+ struct subject_map **curr;
90505+
90506+ subjmap->prev = NULL;
90507+
90508+ curr = &polstate->subj_map_set.s_hash[index];
90509+ if (*curr != NULL)
90510+ (*curr)->prev = subjmap;
90511+
90512+ subjmap->next = *curr;
90513+ *curr = subjmap;
90514+
90515+ return;
90516+}
90517+
90518+static void
90519+__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
90520+{
90521+ unsigned int index =
90522+ gr_rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), polstate->acl_role_set.r_size);
90523+ struct acl_role_label **curr;
90524+ struct acl_role_label *tmp, *tmp2;
90525+
90526+ curr = &polstate->acl_role_set.r_hash[index];
90527+
90528+ /* simple case, slot is empty, just set it to our role */
90529+ if (*curr == NULL) {
90530+ *curr = role;
90531+ } else {
90532+ /* example:
90533+ 1 -> 2 -> 3 (adding 2 -> 3 to here)
90534+ 2 -> 3
90535+ */
90536+ /* first check to see if we can already be reached via this slot */
90537+ tmp = *curr;
90538+ while (tmp && tmp != role)
90539+ tmp = tmp->next;
90540+ if (tmp == role) {
90541+ /* we don't need to add ourselves to this slot's chain */
90542+ return;
90543+ }
90544+ /* we need to add ourselves to this chain, two cases */
90545+ if (role->next == NULL) {
90546+ /* simple case, append the current chain to our role */
90547+ role->next = *curr;
90548+ *curr = role;
90549+ } else {
90550+ /* 1 -> 2 -> 3 -> 4
90551+ 2 -> 3 -> 4
90552+ 3 -> 4 (adding 1 -> 2 -> 3 -> 4 to here)
90553+ */
90554+ /* trickier case: walk our role's chain until we find
90555+ the role for the start of the current slot's chain */
90556+ tmp = role;
90557+ tmp2 = *curr;
90558+ while (tmp->next && tmp->next != tmp2)
90559+ tmp = tmp->next;
90560+ if (tmp->next == tmp2) {
90561+ /* from example above, we found 3, so just
90562+ replace this slot's chain with ours */
90563+ *curr = role;
90564+ } else {
90565+ /* we didn't find a subset of our role's chain
90566+ in the current slot's chain, so append their
90567+ chain to ours, and set us as the first role in
90568+ the slot's chain
90569+
90570+ we could fold this case with the case above,
90571+ but making it explicit for clarity
90572+ */
90573+ tmp->next = tmp2;
90574+ *curr = role;
90575+ }
90576+ }
90577+ }
90578+
90579+ return;
90580+}
90581+
90582+static void
90583+insert_acl_role_label(struct acl_role_label *role)
90584+{
90585+ int i;
90586+
90587+ if (polstate->role_list == NULL) {
90588+ polstate->role_list = role;
90589+ role->prev = NULL;
90590+ } else {
90591+ role->prev = polstate->role_list;
90592+ polstate->role_list = role;
90593+ }
90594+
90595+ /* used for hash chains */
90596+ role->next = NULL;
90597+
90598+ if (role->roletype & GR_ROLE_DOMAIN) {
90599+ for (i = 0; i < role->domain_child_num; i++)
90600+ __insert_acl_role_label(role, role->domain_children[i]);
90601+ } else
90602+ __insert_acl_role_label(role, role->uidgid);
90603+}
90604+
90605+static int
90606+insert_name_entry(char *name, const u64 inode, const dev_t device, __u8 deleted)
90607+{
90608+ struct name_entry **curr, *nentry;
90609+ struct inodev_entry *ientry;
90610+ unsigned int len = strlen(name);
90611+ unsigned int key = full_name_hash(name, len);
90612+ unsigned int index = key % polstate->name_set.n_size;
90613+
90614+ curr = &polstate->name_set.n_hash[index];
90615+
90616+ while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
90617+ curr = &((*curr)->next);
90618+
90619+ if (*curr != NULL)
90620+ return 1;
90621+
90622+ nentry = acl_alloc(sizeof (struct name_entry));
90623+ if (nentry == NULL)
90624+ return 0;
90625+ ientry = acl_alloc(sizeof (struct inodev_entry));
90626+ if (ientry == NULL)
90627+ return 0;
90628+ ientry->nentry = nentry;
90629+
90630+ nentry->key = key;
90631+ nentry->name = name;
90632+ nentry->inode = inode;
90633+ nentry->device = device;
90634+ nentry->len = len;
90635+ nentry->deleted = deleted;
90636+
90637+ nentry->prev = NULL;
90638+ curr = &polstate->name_set.n_hash[index];
90639+ if (*curr != NULL)
90640+ (*curr)->prev = nentry;
90641+ nentry->next = *curr;
90642+ *curr = nentry;
90643+
90644+ /* insert us into the table searchable by inode/dev */
90645+ __insert_inodev_entry(polstate, ientry);
90646+
90647+ return 1;
90648+}
90649+
90650+/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
90651+
90652+static void *
90653+create_table(__u32 * len, int elementsize)
90654+{
90655+ unsigned int table_sizes[] = {
90656+ 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
90657+ 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
90658+ 4194301, 8388593, 16777213, 33554393, 67108859
90659+ };
90660+ void *newtable = NULL;
90661+ unsigned int pwr = 0;
90662+
90663+ while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
90664+ table_sizes[pwr] <= *len)
90665+ pwr++;
90666+
90667+ if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
90668+ return newtable;
90669+
90670+ if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
90671+ newtable =
90672+ kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
90673+ else
90674+ newtable = vmalloc(table_sizes[pwr] * elementsize);
90675+
90676+ *len = table_sizes[pwr];
90677+
90678+ return newtable;
90679+}
90680+
90681+static int
90682+init_variables(const struct gr_arg *arg, bool reload)
90683+{
90684+ struct task_struct *reaper = init_pid_ns.child_reaper;
90685+ unsigned int stacksize;
90686+
90687+ polstate->subj_map_set.s_size = arg->role_db.num_subjects;
90688+ polstate->acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
90689+ polstate->name_set.n_size = arg->role_db.num_objects;
90690+ polstate->inodev_set.i_size = arg->role_db.num_objects;
90691+
90692+ if (!polstate->subj_map_set.s_size || !polstate->acl_role_set.r_size ||
90693+ !polstate->name_set.n_size || !polstate->inodev_set.i_size)
90694+ return 1;
90695+
90696+ if (!reload) {
90697+ if (!gr_init_uidset())
90698+ return 1;
90699+ }
90700+
90701+ /* set up the stack that holds allocation info */
90702+
90703+ stacksize = arg->role_db.num_pointers + 5;
90704+
90705+ if (!acl_alloc_stack_init(stacksize))
90706+ return 1;
90707+
90708+ if (!reload) {
90709+ /* grab reference for the real root dentry and vfsmount */
90710+ get_fs_root(reaper->fs, &gr_real_root);
90711+
90712+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
90713+ printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", gr_get_dev_from_dentry(gr_real_root.dentry), gr_get_ino_from_dentry(gr_real_root.dentry));
90714+#endif
90715+
90716+ fakefs_obj_rw = kzalloc(sizeof(struct acl_object_label), GFP_KERNEL);
90717+ if (fakefs_obj_rw == NULL)
90718+ return 1;
90719+ fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
90720+
90721+ fakefs_obj_rwx = kzalloc(sizeof(struct acl_object_label), GFP_KERNEL);
90722+ if (fakefs_obj_rwx == NULL)
90723+ return 1;
90724+ fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
90725+ }
90726+
90727+ polstate->subj_map_set.s_hash =
90728+ (struct subject_map **) create_table(&polstate->subj_map_set.s_size, sizeof(void *));
90729+ polstate->acl_role_set.r_hash =
90730+ (struct acl_role_label **) create_table(&polstate->acl_role_set.r_size, sizeof(void *));
90731+ polstate->name_set.n_hash = (struct name_entry **) create_table(&polstate->name_set.n_size, sizeof(void *));
90732+ polstate->inodev_set.i_hash =
90733+ (struct inodev_entry **) create_table(&polstate->inodev_set.i_size, sizeof(void *));
90734+
90735+ if (!polstate->subj_map_set.s_hash || !polstate->acl_role_set.r_hash ||
90736+ !polstate->name_set.n_hash || !polstate->inodev_set.i_hash)
90737+ return 1;
90738+
90739+ memset(polstate->subj_map_set.s_hash, 0,
90740+ sizeof(struct subject_map *) * polstate->subj_map_set.s_size);
90741+ memset(polstate->acl_role_set.r_hash, 0,
90742+ sizeof (struct acl_role_label *) * polstate->acl_role_set.r_size);
90743+ memset(polstate->name_set.n_hash, 0,
90744+ sizeof (struct name_entry *) * polstate->name_set.n_size);
90745+ memset(polstate->inodev_set.i_hash, 0,
90746+ sizeof (struct inodev_entry *) * polstate->inodev_set.i_size);
90747+
90748+ return 0;
90749+}
90750+
90751+/* free information not needed after startup
90752+ currently contains user->kernel pointer mappings for subjects
90753+*/
90754+
90755+static void
90756+free_init_variables(void)
90757+{
90758+ __u32 i;
90759+
90760+ if (polstate->subj_map_set.s_hash) {
90761+ for (i = 0; i < polstate->subj_map_set.s_size; i++) {
90762+ if (polstate->subj_map_set.s_hash[i]) {
90763+ kfree(polstate->subj_map_set.s_hash[i]);
90764+ polstate->subj_map_set.s_hash[i] = NULL;
90765+ }
90766+ }
90767+
90768+ if ((polstate->subj_map_set.s_size * sizeof (struct subject_map *)) <=
90769+ PAGE_SIZE)
90770+ kfree(polstate->subj_map_set.s_hash);
90771+ else
90772+ vfree(polstate->subj_map_set.s_hash);
90773+ }
90774+
90775+ return;
90776+}
90777+
90778+static void
90779+free_variables(bool reload)
90780+{
90781+ struct acl_subject_label *s;
90782+ struct acl_role_label *r;
90783+ struct task_struct *task, *task2;
90784+ unsigned int x;
90785+
90786+ if (!reload) {
90787+ gr_clear_learn_entries();
90788+
90789+ read_lock(&tasklist_lock);
90790+ do_each_thread(task2, task) {
90791+ task->acl_sp_role = 0;
90792+ task->acl_role_id = 0;
90793+ task->inherited = 0;
90794+ task->acl = NULL;
90795+ task->role = NULL;
90796+ } while_each_thread(task2, task);
90797+ read_unlock(&tasklist_lock);
90798+
90799+ kfree(fakefs_obj_rw);
90800+ fakefs_obj_rw = NULL;
90801+ kfree(fakefs_obj_rwx);
90802+ fakefs_obj_rwx = NULL;
90803+
90804+ /* release the reference to the real root dentry and vfsmount */
90805+ path_put(&gr_real_root);
90806+ memset(&gr_real_root, 0, sizeof(gr_real_root));
90807+ }
90808+
90809+ /* free all object hash tables */
90810+
90811+ FOR_EACH_ROLE_START(r)
90812+ if (r->subj_hash == NULL)
90813+ goto next_role;
90814+ FOR_EACH_SUBJECT_START(r, s, x)
90815+ if (s->obj_hash == NULL)
90816+ break;
90817+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
90818+ kfree(s->obj_hash);
90819+ else
90820+ vfree(s->obj_hash);
90821+ FOR_EACH_SUBJECT_END(s, x)
90822+ FOR_EACH_NESTED_SUBJECT_START(r, s)
90823+ if (s->obj_hash == NULL)
90824+ break;
90825+ if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
90826+ kfree(s->obj_hash);
90827+ else
90828+ vfree(s->obj_hash);
90829+ FOR_EACH_NESTED_SUBJECT_END(s)
90830+ if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
90831+ kfree(r->subj_hash);
90832+ else
90833+ vfree(r->subj_hash);
90834+ r->subj_hash = NULL;
90835+next_role:
90836+ FOR_EACH_ROLE_END(r)
90837+
90838+ acl_free_all();
90839+
90840+ if (polstate->acl_role_set.r_hash) {
90841+ if ((polstate->acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
90842+ PAGE_SIZE)
90843+ kfree(polstate->acl_role_set.r_hash);
90844+ else
90845+ vfree(polstate->acl_role_set.r_hash);
90846+ }
90847+ if (polstate->name_set.n_hash) {
90848+ if ((polstate->name_set.n_size * sizeof (struct name_entry *)) <=
90849+ PAGE_SIZE)
90850+ kfree(polstate->name_set.n_hash);
90851+ else
90852+ vfree(polstate->name_set.n_hash);
90853+ }
90854+
90855+ if (polstate->inodev_set.i_hash) {
90856+ if ((polstate->inodev_set.i_size * sizeof (struct inodev_entry *)) <=
90857+ PAGE_SIZE)
90858+ kfree(polstate->inodev_set.i_hash);
90859+ else
90860+ vfree(polstate->inodev_set.i_hash);
90861+ }
90862+
90863+ if (!reload)
90864+ gr_free_uidset();
90865+
90866+ memset(&polstate->name_set, 0, sizeof (struct name_db));
90867+ memset(&polstate->inodev_set, 0, sizeof (struct inodev_db));
90868+ memset(&polstate->acl_role_set, 0, sizeof (struct acl_role_db));
90869+ memset(&polstate->subj_map_set, 0, sizeof (struct acl_subj_map_db));
90870+
90871+ polstate->default_role = NULL;
90872+ polstate->kernel_role = NULL;
90873+ polstate->role_list = NULL;
90874+
90875+ return;
90876+}
90877+
90878+static struct acl_subject_label *
90879+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied);
90880+
90881+static int alloc_and_copy_string(char **name, unsigned int maxlen)
90882+{
90883+ unsigned int len = strnlen_user(*name, maxlen);
90884+ char *tmp;
90885+
90886+ if (!len || len >= maxlen)
90887+ return -EINVAL;
90888+
90889+ if ((tmp = (char *) acl_alloc(len)) == NULL)
90890+ return -ENOMEM;
90891+
90892+ if (copy_from_user(tmp, *name, len))
90893+ return -EFAULT;
90894+
90895+ tmp[len-1] = '\0';
90896+ *name = tmp;
90897+
90898+ return 0;
90899+}
90900+
90901+static int
90902+copy_user_glob(struct acl_object_label *obj)
90903+{
90904+ struct acl_object_label *g_tmp, **guser;
90905+ int error;
90906+
90907+ if (obj->globbed == NULL)
90908+ return 0;
90909+
90910+ guser = &obj->globbed;
90911+ while (*guser) {
90912+ g_tmp = (struct acl_object_label *)
90913+ acl_alloc(sizeof (struct acl_object_label));
90914+ if (g_tmp == NULL)
90915+ return -ENOMEM;
90916+
90917+ if (copy_acl_object_label(g_tmp, *guser))
90918+ return -EFAULT;
90919+
90920+ error = alloc_and_copy_string(&g_tmp->filename, PATH_MAX);
90921+ if (error)
90922+ return error;
90923+
90924+ *guser = g_tmp;
90925+ guser = &(g_tmp->next);
90926+ }
90927+
90928+ return 0;
90929+}
90930+
90931+static int
90932+copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
90933+ struct acl_role_label *role)
90934+{
90935+ struct acl_object_label *o_tmp;
90936+ int ret;
90937+
90938+ while (userp) {
90939+ if ((o_tmp = (struct acl_object_label *)
90940+ acl_alloc(sizeof (struct acl_object_label))) == NULL)
90941+ return -ENOMEM;
90942+
90943+ if (copy_acl_object_label(o_tmp, userp))
90944+ return -EFAULT;
90945+
90946+ userp = o_tmp->prev;
90947+
90948+ ret = alloc_and_copy_string(&o_tmp->filename, PATH_MAX);
90949+ if (ret)
90950+ return ret;
90951+
90952+ insert_acl_obj_label(o_tmp, subj);
90953+ if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
90954+ o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
90955+ return -ENOMEM;
90956+
90957+ ret = copy_user_glob(o_tmp);
90958+ if (ret)
90959+ return ret;
90960+
90961+ if (o_tmp->nested) {
90962+ int already_copied;
90963+
90964+ o_tmp->nested = do_copy_user_subj(o_tmp->nested, role, &already_copied);
90965+ if (IS_ERR(o_tmp->nested))
90966+ return PTR_ERR(o_tmp->nested);
90967+
90968+ /* insert into nested subject list if we haven't copied this one yet
90969+ to prevent duplicate entries */
90970+ if (!already_copied) {
90971+ o_tmp->nested->next = role->hash->first;
90972+ role->hash->first = o_tmp->nested;
90973+ }
90974+ }
90975+ }
90976+
90977+ return 0;
90978+}
90979+
90980+static __u32
90981+count_user_subjs(struct acl_subject_label *userp)
90982+{
90983+ struct acl_subject_label s_tmp;
90984+ __u32 num = 0;
90985+
90986+ while (userp) {
90987+ if (copy_acl_subject_label(&s_tmp, userp))
90988+ break;
90989+
90990+ userp = s_tmp.prev;
90991+ }
90992+
90993+ return num;
90994+}
90995+
90996+static int
90997+copy_user_allowedips(struct acl_role_label *rolep)
90998+{
90999+ struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
91000+
91001+ ruserip = rolep->allowed_ips;
91002+
91003+ while (ruserip) {
91004+ rlast = rtmp;
91005+
91006+ if ((rtmp = (struct role_allowed_ip *)
91007+ acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
91008+ return -ENOMEM;
91009+
91010+ if (copy_role_allowed_ip(rtmp, ruserip))
91011+ return -EFAULT;
91012+
91013+ ruserip = rtmp->prev;
91014+
91015+ if (!rlast) {
91016+ rtmp->prev = NULL;
91017+ rolep->allowed_ips = rtmp;
91018+ } else {
91019+ rlast->next = rtmp;
91020+ rtmp->prev = rlast;
91021+ }
91022+
91023+ if (!ruserip)
91024+ rtmp->next = NULL;
91025+ }
91026+
91027+ return 0;
91028+}
91029+
91030+static int
91031+copy_user_transitions(struct acl_role_label *rolep)
91032+{
91033+ struct role_transition *rusertp, *rtmp = NULL, *rlast;
91034+ int error;
91035+
91036+ rusertp = rolep->transitions;
91037+
91038+ while (rusertp) {
91039+ rlast = rtmp;
91040+
91041+ if ((rtmp = (struct role_transition *)
91042+ acl_alloc(sizeof (struct role_transition))) == NULL)
91043+ return -ENOMEM;
91044+
91045+ if (copy_role_transition(rtmp, rusertp))
91046+ return -EFAULT;
91047+
91048+ rusertp = rtmp->prev;
91049+
91050+ error = alloc_and_copy_string(&rtmp->rolename, GR_SPROLE_LEN);
91051+ if (error)
91052+ return error;
91053+
91054+ if (!rlast) {
91055+ rtmp->prev = NULL;
91056+ rolep->transitions = rtmp;
91057+ } else {
91058+ rlast->next = rtmp;
91059+ rtmp->prev = rlast;
91060+ }
91061+
91062+ if (!rusertp)
91063+ rtmp->next = NULL;
91064+ }
91065+
91066+ return 0;
91067+}
91068+
91069+static __u32 count_user_objs(const struct acl_object_label __user *userp)
91070+{
91071+ struct acl_object_label o_tmp;
91072+ __u32 num = 0;
91073+
91074+ while (userp) {
91075+ if (copy_acl_object_label(&o_tmp, userp))
91076+ break;
91077+
91078+ userp = o_tmp.prev;
91079+ num++;
91080+ }
91081+
91082+ return num;
91083+}
91084+
91085+static struct acl_subject_label *
91086+do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role, int *already_copied)
91087+{
91088+ struct acl_subject_label *s_tmp = NULL, *s_tmp2;
91089+ __u32 num_objs;
91090+ struct acl_ip_label **i_tmp, *i_utmp2;
91091+ struct gr_hash_struct ghash;
91092+ struct subject_map *subjmap;
91093+ unsigned int i_num;
91094+ int err;
91095+
91096+ if (already_copied != NULL)
91097+ *already_copied = 0;
91098+
91099+ s_tmp = lookup_subject_map(userp);
91100+
91101+ /* we've already copied this subject into the kernel, just return
91102+ the reference to it, and don't copy it over again
91103+ */
91104+ if (s_tmp) {
91105+ if (already_copied != NULL)
91106+ *already_copied = 1;
91107+ return(s_tmp);
91108+ }
91109+
91110+ if ((s_tmp = (struct acl_subject_label *)
91111+ acl_alloc(sizeof (struct acl_subject_label))) == NULL)
91112+ return ERR_PTR(-ENOMEM);
91113+
91114+ subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
91115+ if (subjmap == NULL)
91116+ return ERR_PTR(-ENOMEM);
91117+
91118+ subjmap->user = userp;
91119+ subjmap->kernel = s_tmp;
91120+ insert_subj_map_entry(subjmap);
91121+
91122+ if (copy_acl_subject_label(s_tmp, userp))
91123+ return ERR_PTR(-EFAULT);
91124+
91125+ err = alloc_and_copy_string(&s_tmp->filename, PATH_MAX);
91126+ if (err)
91127+ return ERR_PTR(err);
91128+
91129+ if (!strcmp(s_tmp->filename, "/"))
91130+ role->root_label = s_tmp;
91131+
91132+ if (copy_gr_hash_struct(&ghash, s_tmp->hash))
91133+ return ERR_PTR(-EFAULT);
91134+
91135+ /* copy user and group transition tables */
91136+
91137+ if (s_tmp->user_trans_num) {
91138+ uid_t *uidlist;
91139+
91140+ uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
91141+ if (uidlist == NULL)
91142+ return ERR_PTR(-ENOMEM);
91143+ if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
91144+ return ERR_PTR(-EFAULT);
91145+
91146+ s_tmp->user_transitions = uidlist;
91147+ }
91148+
91149+ if (s_tmp->group_trans_num) {
91150+ gid_t *gidlist;
91151+
91152+ gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
91153+ if (gidlist == NULL)
91154+ return ERR_PTR(-ENOMEM);
91155+ if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
91156+ return ERR_PTR(-EFAULT);
91157+
91158+ s_tmp->group_transitions = gidlist;
91159+ }
91160+
91161+ /* set up object hash table */
91162+ num_objs = count_user_objs(ghash.first);
91163+
91164+ s_tmp->obj_hash_size = num_objs;
91165+ s_tmp->obj_hash =
91166+ (struct acl_object_label **)
91167+ create_table(&(s_tmp->obj_hash_size), sizeof(void *));
91168+
91169+ if (!s_tmp->obj_hash)
91170+ return ERR_PTR(-ENOMEM);
91171+
91172+ memset(s_tmp->obj_hash, 0,
91173+ s_tmp->obj_hash_size *
91174+ sizeof (struct acl_object_label *));
91175+
91176+ /* add in objects */
91177+ err = copy_user_objs(ghash.first, s_tmp, role);
91178+
91179+ if (err)
91180+ return ERR_PTR(err);
91181+
91182+ /* set pointer for parent subject */
91183+ if (s_tmp->parent_subject) {
91184+ s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role, NULL);
91185+
91186+ if (IS_ERR(s_tmp2))
91187+ return s_tmp2;
91188+
91189+ s_tmp->parent_subject = s_tmp2;
91190+ }
91191+
91192+ /* add in ip acls */
91193+
91194+ if (!s_tmp->ip_num) {
91195+ s_tmp->ips = NULL;
91196+ goto insert;
91197+ }
91198+
91199+ i_tmp =
91200+ (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
91201+ sizeof (struct acl_ip_label *));
91202+
91203+ if (!i_tmp)
91204+ return ERR_PTR(-ENOMEM);
91205+
91206+ for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
91207+ *(i_tmp + i_num) =
91208+ (struct acl_ip_label *)
91209+ acl_alloc(sizeof (struct acl_ip_label));
91210+ if (!*(i_tmp + i_num))
91211+ return ERR_PTR(-ENOMEM);
91212+
91213+ if (copy_pointer_from_array(&i_utmp2, i_num, s_tmp->ips))
91214+ return ERR_PTR(-EFAULT);
91215+
91216+ if (copy_acl_ip_label(*(i_tmp + i_num), i_utmp2))
91217+ return ERR_PTR(-EFAULT);
91218+
91219+ if ((*(i_tmp + i_num))->iface == NULL)
91220+ continue;
91221+
91222+ err = alloc_and_copy_string(&(*(i_tmp + i_num))->iface, IFNAMSIZ);
91223+ if (err)
91224+ return ERR_PTR(err);
91225+ }
91226+
91227+ s_tmp->ips = i_tmp;
91228+
91229+insert:
91230+ if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
91231+ s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
91232+ return ERR_PTR(-ENOMEM);
91233+
91234+ return s_tmp;
91235+}
91236+
91237+static int
91238+copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
91239+{
91240+ struct acl_subject_label s_pre;
91241+ struct acl_subject_label * ret;
91242+ int err;
91243+
91244+ while (userp) {
91245+ if (copy_acl_subject_label(&s_pre, userp))
91246+ return -EFAULT;
91247+
91248+ ret = do_copy_user_subj(userp, role, NULL);
91249+
91250+ err = PTR_ERR(ret);
91251+ if (IS_ERR(ret))
91252+ return err;
91253+
91254+ insert_acl_subj_label(ret, role);
91255+
91256+ userp = s_pre.prev;
91257+ }
91258+
91259+ return 0;
91260+}
91261+
91262+static int
91263+copy_user_acl(struct gr_arg *arg)
91264+{
91265+ struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
91266+ struct acl_subject_label *subj_list;
91267+ struct sprole_pw *sptmp;
91268+ struct gr_hash_struct *ghash;
91269+ uid_t *domainlist;
91270+ unsigned int r_num;
91271+ int err = 0;
91272+ __u16 i;
91273+ __u32 num_subjs;
91274+
91275+ /* we need a default and kernel role */
91276+ if (arg->role_db.num_roles < 2)
91277+ return -EINVAL;
91278+
91279+ /* copy special role authentication info from userspace */
91280+
91281+ polstate->num_sprole_pws = arg->num_sprole_pws;
91282+ polstate->acl_special_roles = (struct sprole_pw **) acl_alloc_num(polstate->num_sprole_pws, sizeof(struct sprole_pw *));
91283+
91284+ if (!polstate->acl_special_roles && polstate->num_sprole_pws)
91285+ return -ENOMEM;
91286+
91287+ for (i = 0; i < polstate->num_sprole_pws; i++) {
91288+ sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
91289+ if (!sptmp)
91290+ return -ENOMEM;
91291+ if (copy_sprole_pw(sptmp, i, arg->sprole_pws))
91292+ return -EFAULT;
91293+
91294+ err = alloc_and_copy_string((char **)&sptmp->rolename, GR_SPROLE_LEN);
91295+ if (err)
91296+ return err;
91297+
91298+#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
91299+ printk(KERN_ALERT "Copying special role %s\n", sptmp->rolename);
91300+#endif
91301+
91302+ polstate->acl_special_roles[i] = sptmp;
91303+ }
91304+
91305+ r_utmp = (struct acl_role_label **) arg->role_db.r_table;
91306+
91307+ for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
91308+ r_tmp = acl_alloc(sizeof (struct acl_role_label));
91309+
91310+ if (!r_tmp)
91311+ return -ENOMEM;
91312+
91313+ if (copy_pointer_from_array(&r_utmp2, r_num, r_utmp))
91314+ return -EFAULT;
91315+
91316+ if (copy_acl_role_label(r_tmp, r_utmp2))
91317+ return -EFAULT;
91318+
91319+ err = alloc_and_copy_string(&r_tmp->rolename, GR_SPROLE_LEN);
91320+ if (err)
91321+ return err;
91322+
91323+ if (!strcmp(r_tmp->rolename, "default")
91324+ && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
91325+ polstate->default_role = r_tmp;
91326+ } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
91327+ polstate->kernel_role = r_tmp;
91328+ }
91329+
91330+ if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL)
91331+ return -ENOMEM;
91332+
91333+ if (copy_gr_hash_struct(ghash, r_tmp->hash))
91334+ return -EFAULT;
91335+
91336+ r_tmp->hash = ghash;
91337+
91338+ num_subjs = count_user_subjs(r_tmp->hash->first);
91339+
91340+ r_tmp->subj_hash_size = num_subjs;
91341+ r_tmp->subj_hash =
91342+ (struct acl_subject_label **)
91343+ create_table(&(r_tmp->subj_hash_size), sizeof(void *));
91344+
91345+ if (!r_tmp->subj_hash)
91346+ return -ENOMEM;
91347+
91348+ err = copy_user_allowedips(r_tmp);
91349+ if (err)
91350+ return err;
91351+
91352+ /* copy domain info */
91353+ if (r_tmp->domain_children != NULL) {
91354+ domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
91355+ if (domainlist == NULL)
91356+ return -ENOMEM;
91357+
91358+ if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t)))
91359+ return -EFAULT;
91360+
91361+ r_tmp->domain_children = domainlist;
91362+ }
91363+
91364+ err = copy_user_transitions(r_tmp);
91365+ if (err)
91366+ return err;
91367+
91368+ memset(r_tmp->subj_hash, 0,
91369+ r_tmp->subj_hash_size *
91370+ sizeof (struct acl_subject_label *));
91371+
91372+ /* acquire the list of subjects, then NULL out
91373+ the list prior to parsing the subjects for this role,
91374+ as during this parsing the list is replaced with a list
91375+ of *nested* subjects for the role
91376+ */
91377+ subj_list = r_tmp->hash->first;
91378+
91379+ /* set nested subject list to null */
91380+ r_tmp->hash->first = NULL;
91381+
91382+ err = copy_user_subjs(subj_list, r_tmp);
91383+
91384+ if (err)
91385+ return err;
91386+
91387+ insert_acl_role_label(r_tmp);
91388+ }
91389+
91390+ if (polstate->default_role == NULL || polstate->kernel_role == NULL)
91391+ return -EINVAL;
91392+
91393+ return err;
91394+}
91395+
91396+static int gracl_reload_apply_policies(void *reload)
91397+{
91398+ struct gr_reload_state *reload_state = (struct gr_reload_state *)reload;
91399+ struct task_struct *task, *task2;
91400+ struct acl_role_label *role, *rtmp;
91401+ struct acl_subject_label *subj;
91402+ const struct cred *cred;
91403+ int role_applied;
91404+ int ret = 0;
91405+
91406+ memcpy(&reload_state->oldpolicy, reload_state->oldpolicy_ptr, sizeof(struct gr_policy_state));
91407+ memcpy(&reload_state->oldalloc, reload_state->oldalloc_ptr, sizeof(struct gr_alloc_state));
91408+
91409+ /* first make sure we'll be able to apply the new policy cleanly */
91410+ do_each_thread(task2, task) {
91411+ if (task->exec_file == NULL)
91412+ continue;
91413+ role_applied = 0;
91414+ if (!reload_state->oldmode && task->role->roletype & GR_ROLE_SPECIAL) {
91415+ /* preserve special roles */
91416+ FOR_EACH_ROLE_START(role)
91417+ if ((role->roletype & GR_ROLE_SPECIAL) && !strcmp(task->role->rolename, role->rolename)) {
91418+ rtmp = task->role;
91419+ task->role = role;
91420+ role_applied = 1;
91421+ break;
91422+ }
91423+ FOR_EACH_ROLE_END(role)
91424+ }
91425+ if (!role_applied) {
91426+ cred = __task_cred(task);
91427+ rtmp = task->role;
91428+ task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
91429+ }
91430+ /* this handles non-nested inherited subjects, nested subjects will still
91431+ be dropped currently */
91432+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
91433+ task->tmpacl = __gr_get_subject_for_task(polstate, task, NULL, 1);
91434+ /* change the role back so that we've made no modifications to the policy */
91435+ task->role = rtmp;
91436+
91437+ if (subj == NULL || task->tmpacl == NULL) {
91438+ ret = -EINVAL;
91439+ goto out;
91440+ }
91441+ } while_each_thread(task2, task);
91442+
91443+ /* now actually apply the policy */
91444+
91445+ do_each_thread(task2, task) {
91446+ if (task->exec_file) {
91447+ role_applied = 0;
91448+ if (!reload_state->oldmode && task->role->roletype & GR_ROLE_SPECIAL) {
91449+ /* preserve special roles */
91450+ FOR_EACH_ROLE_START(role)
91451+ if ((role->roletype & GR_ROLE_SPECIAL) && !strcmp(task->role->rolename, role->rolename)) {
91452+ task->role = role;
91453+ role_applied = 1;
91454+ break;
91455+ }
91456+ FOR_EACH_ROLE_END(role)
91457+ }
91458+ if (!role_applied) {
91459+ cred = __task_cred(task);
91460+ task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
91461+ }
91462+ /* this handles non-nested inherited subjects, nested subjects will still
91463+ be dropped currently */
91464+ if (!reload_state->oldmode && task->inherited)
91465+ subj = __gr_get_subject_for_task(polstate, task, task->acl->filename, 1);
91466+ else {
91467+ /* looked up and tagged to the task previously */
91468+ subj = task->tmpacl;
91469+ }
91470+ /* subj will be non-null */
91471+ __gr_apply_subject_to_task(polstate, task, subj);
91472+ if (reload_state->oldmode) {
91473+ task->acl_role_id = 0;
91474+ task->acl_sp_role = 0;
91475+ task->inherited = 0;
91476+ }
91477+ } else {
91478+ // it's a kernel process
91479+ task->role = polstate->kernel_role;
91480+ task->acl = polstate->kernel_role->root_label;
91481+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
91482+ task->acl->mode &= ~GR_PROCFIND;
91483+#endif
91484+ }
91485+ } while_each_thread(task2, task);
91486+
91487+ memcpy(reload_state->oldpolicy_ptr, &reload_state->newpolicy, sizeof(struct gr_policy_state));
91488+ memcpy(reload_state->oldalloc_ptr, &reload_state->newalloc, sizeof(struct gr_alloc_state));
91489+
91490+out:
91491+
91492+ return ret;
91493+}
91494+
91495+static int gracl_reload(struct gr_arg *args, unsigned char oldmode)
91496+{
91497+ struct gr_reload_state new_reload_state = { };
91498+ int err;
91499+
91500+ new_reload_state.oldpolicy_ptr = polstate;
91501+ new_reload_state.oldalloc_ptr = current_alloc_state;
91502+ new_reload_state.oldmode = oldmode;
91503+
91504+ current_alloc_state = &new_reload_state.newalloc;
91505+ polstate = &new_reload_state.newpolicy;
91506+
91507+ /* everything relevant is now saved off, copy in the new policy */
91508+ if (init_variables(args, true)) {
91509+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
91510+ err = -ENOMEM;
91511+ goto error;
91512+ }
91513+
91514+ err = copy_user_acl(args);
91515+ free_init_variables();
91516+ if (err)
91517+ goto error;
91518+ /* the new policy is copied in, with the old policy available via saved_state
91519+ first go through applying roles, making sure to preserve special roles
91520+ then apply new subjects, making sure to preserve inherited and nested subjects,
91521+ though currently only inherited subjects will be preserved
91522+ */
91523+ err = stop_machine(gracl_reload_apply_policies, &new_reload_state, NULL);
91524+ if (err)
91525+ goto error;
91526+
91527+ /* we've now applied the new policy, so restore the old policy state to free it */
91528+ polstate = &new_reload_state.oldpolicy;
91529+ current_alloc_state = &new_reload_state.oldalloc;
91530+ free_variables(true);
91531+
91532+ /* oldpolicy/oldalloc_ptr point to the new policy/alloc states as they were copied
91533+ to running_polstate/current_alloc_state inside stop_machine
91534+ */
91535+ err = 0;
91536+ goto out;
91537+error:
91538+ /* on error of loading the new policy, we'll just keep the previous
91539+ policy set around
91540+ */
91541+ free_variables(true);
91542+
91543+ /* doesn't affect runtime, but maintains consistent state */
91544+out:
91545+ polstate = new_reload_state.oldpolicy_ptr;
91546+ current_alloc_state = new_reload_state.oldalloc_ptr;
91547+
91548+ return err;
91549+}
91550+
91551+static int
91552+gracl_init(struct gr_arg *args)
91553+{
91554+ int error = 0;
91555+
91556+ memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
91557+ memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
91558+
91559+ if (init_variables(args, false)) {
91560+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
91561+ error = -ENOMEM;
91562+ goto out;
91563+ }
91564+
91565+ error = copy_user_acl(args);
91566+ free_init_variables();
91567+ if (error)
91568+ goto out;
91569+
91570+ error = gr_set_acls(0);
91571+ if (error)
91572+ goto out;
91573+
91574+ gr_enable_rbac_system();
91575+
91576+ return 0;
91577+
91578+out:
91579+ free_variables(false);
91580+ return error;
91581+}
91582+
91583+static int
91584+lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
91585+ unsigned char **sum)
91586+{
91587+ struct acl_role_label *r;
91588+ struct role_allowed_ip *ipp;
91589+ struct role_transition *trans;
91590+ unsigned int i;
91591+ int found = 0;
91592+ u32 curr_ip = current->signal->curr_ip;
91593+
91594+ current->signal->saved_ip = curr_ip;
91595+
91596+ /* check transition table */
91597+
91598+ for (trans = current->role->transitions; trans; trans = trans->next) {
91599+ if (!strcmp(rolename, trans->rolename)) {
91600+ found = 1;
91601+ break;
91602+ }
91603+ }
91604+
91605+ if (!found)
91606+ return 0;
91607+
91608+ /* handle special roles that do not require authentication
91609+ and check ip */
91610+
91611+ FOR_EACH_ROLE_START(r)
91612+ if (!strcmp(rolename, r->rolename) &&
91613+ (r->roletype & GR_ROLE_SPECIAL)) {
91614+ found = 0;
91615+ if (r->allowed_ips != NULL) {
91616+ for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
91617+ if ((ntohl(curr_ip) & ipp->netmask) ==
91618+ (ntohl(ipp->addr) & ipp->netmask))
91619+ found = 1;
91620+ }
91621+ } else
91622+ found = 2;
91623+ if (!found)
91624+ return 0;
91625+
91626+ if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
91627+ ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
91628+ *salt = NULL;
91629+ *sum = NULL;
91630+ return 1;
91631+ }
91632+ }
91633+ FOR_EACH_ROLE_END(r)
91634+
91635+ for (i = 0; i < polstate->num_sprole_pws; i++) {
91636+ if (!strcmp(rolename, polstate->acl_special_roles[i]->rolename)) {
91637+ *salt = polstate->acl_special_roles[i]->salt;
91638+ *sum = polstate->acl_special_roles[i]->sum;
91639+ return 1;
91640+ }
91641+ }
91642+
91643+ return 0;
91644+}
91645+
91646+int gr_check_secure_terminal(struct task_struct *task)
91647+{
91648+ struct task_struct *p, *p2, *p3;
91649+ struct files_struct *files;
91650+ struct fdtable *fdt;
91651+ struct file *our_file = NULL, *file;
91652+ struct inode *our_inode = NULL;
91653+ int i;
91654+
91655+ if (task->signal->tty == NULL)
91656+ return 1;
91657+
91658+ files = get_files_struct(task);
91659+ if (files != NULL) {
91660+ rcu_read_lock();
91661+ fdt = files_fdtable(files);
91662+ for (i=0; i < fdt->max_fds; i++) {
91663+ file = fcheck_files(files, i);
91664+ if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
91665+ get_file(file);
91666+ our_file = file;
91667+ }
91668+ }
91669+ rcu_read_unlock();
91670+ put_files_struct(files);
91671+ }
91672+
91673+ if (our_file == NULL)
91674+ return 1;
91675+
91676+ our_inode = d_backing_inode(our_file->f_path.dentry);
91677+
91678+ read_lock(&tasklist_lock);
91679+ do_each_thread(p2, p) {
91680+ files = get_files_struct(p);
91681+ if (files == NULL ||
91682+ (p->signal && p->signal->tty == task->signal->tty)) {
91683+ if (files != NULL)
91684+ put_files_struct(files);
91685+ continue;
91686+ }
91687+ rcu_read_lock();
91688+ fdt = files_fdtable(files);
91689+ for (i=0; i < fdt->max_fds; i++) {
91690+ struct inode *inode = NULL;
91691+ file = fcheck_files(files, i);
91692+ if (file)
91693+ inode = d_backing_inode(file->f_path.dentry);
91694+ if (inode && S_ISCHR(inode->i_mode) && inode->i_rdev == our_inode->i_rdev) {
91695+ p3 = task;
91696+ while (task_pid_nr(p3) > 0) {
91697+ if (p3 == p)
91698+ break;
91699+ p3 = p3->real_parent;
91700+ }
91701+ if (p3 == p)
91702+ break;
91703+ gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
91704+ gr_handle_alertkill(p);
91705+ rcu_read_unlock();
91706+ put_files_struct(files);
91707+ read_unlock(&tasklist_lock);
91708+ fput(our_file);
91709+ return 0;
91710+ }
91711+ }
91712+ rcu_read_unlock();
91713+ put_files_struct(files);
91714+ } while_each_thread(p2, p);
91715+ read_unlock(&tasklist_lock);
91716+
91717+ fput(our_file);
91718+ return 1;
91719+}
91720+
91721+ssize_t
91722+write_grsec_handler(struct file *file, const char __user * buf, size_t count, loff_t *ppos)
91723+{
91724+ struct gr_arg_wrapper uwrap;
91725+ unsigned char *sprole_salt = NULL;
91726+ unsigned char *sprole_sum = NULL;
91727+ int error = 0;
91728+ int error2 = 0;
91729+ size_t req_count = 0;
91730+ unsigned char oldmode = 0;
91731+
91732+ mutex_lock(&gr_dev_mutex);
91733+
91734+ if (gr_acl_is_enabled() && !(current->acl->mode & GR_KERNELAUTH)) {
91735+ error = -EPERM;
91736+ goto out;
91737+ }
91738+
91739+#ifdef CONFIG_COMPAT
91740+ pax_open_kernel();
91741+ if (is_compat_task()) {
91742+ copy_gr_arg_wrapper = &copy_gr_arg_wrapper_compat;
91743+ copy_gr_arg = &copy_gr_arg_compat;
91744+ copy_acl_object_label = &copy_acl_object_label_compat;
91745+ copy_acl_subject_label = &copy_acl_subject_label_compat;
91746+ copy_acl_role_label = &copy_acl_role_label_compat;
91747+ copy_acl_ip_label = &copy_acl_ip_label_compat;
91748+ copy_role_allowed_ip = &copy_role_allowed_ip_compat;
91749+ copy_role_transition = &copy_role_transition_compat;
91750+ copy_sprole_pw = &copy_sprole_pw_compat;
91751+ copy_gr_hash_struct = &copy_gr_hash_struct_compat;
91752+ copy_pointer_from_array = &copy_pointer_from_array_compat;
91753+ get_gr_arg_wrapper_size = &get_gr_arg_wrapper_size_compat;
91754+ } else {
91755+ copy_gr_arg_wrapper = &copy_gr_arg_wrapper_normal;
91756+ copy_gr_arg = &copy_gr_arg_normal;
91757+ copy_acl_object_label = &copy_acl_object_label_normal;
91758+ copy_acl_subject_label = &copy_acl_subject_label_normal;
91759+ copy_acl_role_label = &copy_acl_role_label_normal;
91760+ copy_acl_ip_label = &copy_acl_ip_label_normal;
91761+ copy_role_allowed_ip = &copy_role_allowed_ip_normal;
91762+ copy_role_transition = &copy_role_transition_normal;
91763+ copy_sprole_pw = &copy_sprole_pw_normal;
91764+ copy_gr_hash_struct = &copy_gr_hash_struct_normal;
91765+ copy_pointer_from_array = &copy_pointer_from_array_normal;
91766+ get_gr_arg_wrapper_size = &get_gr_arg_wrapper_size_normal;
91767+ }
91768+ pax_close_kernel();
91769+#endif
91770+
91771+ req_count = get_gr_arg_wrapper_size();
91772+
91773+ if (count != req_count) {
91774+ gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)req_count);
91775+ error = -EINVAL;
91776+ goto out;
91777+ }
91778+
91779+
91780+ if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
91781+ gr_auth_expires = 0;
91782+ gr_auth_attempts = 0;
91783+ }
91784+
91785+ error = copy_gr_arg_wrapper(buf, &uwrap);
91786+ if (error)
91787+ goto out;
91788+
91789+ error = copy_gr_arg(uwrap.arg, gr_usermode);
91790+ if (error)
91791+ goto out;
91792+
91793+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
91794+ gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
91795+ time_after(gr_auth_expires, get_seconds())) {
91796+ error = -EBUSY;
91797+ goto out;
91798+ }
91799+
91800+ /* if non-root trying to do anything other than use a special role,
91801+ do not attempt authentication, do not count towards authentication
91802+ locking
91803+ */
91804+
91805+ if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
91806+ gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
91807+ gr_is_global_nonroot(current_uid())) {
91808+ error = -EPERM;
91809+ goto out;
91810+ }
91811+
91812+ /* ensure pw and special role name are null terminated */
91813+
91814+ gr_usermode->pw[GR_PW_LEN - 1] = '\0';
91815+ gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
91816+
91817+ /* Okay.
91818+ * We have our enough of the argument structure..(we have yet
91819+ * to copy_from_user the tables themselves) . Copy the tables
91820+ * only if we need them, i.e. for loading operations. */
91821+
91822+ switch (gr_usermode->mode) {
91823+ case GR_STATUS:
91824+ if (gr_acl_is_enabled()) {
91825+ error = 1;
91826+ if (!gr_check_secure_terminal(current))
91827+ error = 3;
91828+ } else
91829+ error = 2;
91830+ goto out;
91831+ case GR_SHUTDOWN:
91832+ if (gr_acl_is_enabled() && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
91833+ stop_machine(gr_rbac_disable, NULL, NULL);
91834+ free_variables(false);
91835+ memset(gr_usermode, 0, sizeof(struct gr_arg));
91836+ memset(gr_system_salt, 0, GR_SALT_LEN);
91837+ memset(gr_system_sum, 0, GR_SHA_LEN);
91838+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
91839+ } else if (gr_acl_is_enabled()) {
91840+ gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
91841+ error = -EPERM;
91842+ } else {
91843+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
91844+ error = -EAGAIN;
91845+ }
91846+ break;
91847+ case GR_ENABLE:
91848+ if (!gr_acl_is_enabled() && !(error2 = gracl_init(gr_usermode)))
91849+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
91850+ else {
91851+ if (gr_acl_is_enabled())
91852+ error = -EAGAIN;
91853+ else
91854+ error = error2;
91855+ gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
91856+ }
91857+ break;
91858+ case GR_OLDRELOAD:
91859+ oldmode = 1;
91860+ case GR_RELOAD:
91861+ if (!gr_acl_is_enabled()) {
91862+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
91863+ error = -EAGAIN;
91864+ } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
91865+ error2 = gracl_reload(gr_usermode, oldmode);
91866+ if (!error2)
91867+ gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
91868+ else {
91869+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
91870+ error = error2;
91871+ }
91872+ } else {
91873+ gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
91874+ error = -EPERM;
91875+ }
91876+ break;
91877+ case GR_SEGVMOD:
91878+ if (unlikely(!gr_acl_is_enabled())) {
91879+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
91880+ error = -EAGAIN;
91881+ break;
91882+ }
91883+
91884+ if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
91885+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
91886+ if (gr_usermode->segv_device && gr_usermode->segv_inode) {
91887+ struct acl_subject_label *segvacl;
91888+ segvacl =
91889+ lookup_acl_subj_label(gr_usermode->segv_inode,
91890+ gr_usermode->segv_device,
91891+ current->role);
91892+ if (segvacl) {
91893+ segvacl->crashes = 0;
91894+ segvacl->expires = 0;
91895+ }
91896+ } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
91897+ gr_remove_uid(gr_usermode->segv_uid);
91898+ }
91899+ } else {
91900+ gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
91901+ error = -EPERM;
91902+ }
91903+ break;
91904+ case GR_SPROLE:
91905+ case GR_SPROLEPAM:
91906+ if (unlikely(!gr_acl_is_enabled())) {
91907+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
91908+ error = -EAGAIN;
91909+ break;
91910+ }
91911+
91912+ if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
91913+ current->role->expires = 0;
91914+ current->role->auth_attempts = 0;
91915+ }
91916+
91917+ if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
91918+ time_after(current->role->expires, get_seconds())) {
91919+ error = -EBUSY;
91920+ goto out;
91921+ }
91922+
91923+ if (lookup_special_role_auth
91924+ (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
91925+ && ((!sprole_salt && !sprole_sum)
91926+ || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
91927+ char *p = "";
91928+ assign_special_role(gr_usermode->sp_role);
91929+ read_lock(&tasklist_lock);
91930+ if (current->real_parent)
91931+ p = current->real_parent->role->rolename;
91932+ read_unlock(&tasklist_lock);
91933+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
91934+ p, acl_sp_role_value);
91935+ } else {
91936+ gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
91937+ error = -EPERM;
91938+ if(!(current->role->auth_attempts++))
91939+ current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
91940+
91941+ goto out;
91942+ }
91943+ break;
91944+ case GR_UNSPROLE:
91945+ if (unlikely(!gr_acl_is_enabled())) {
91946+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
91947+ error = -EAGAIN;
91948+ break;
91949+ }
91950+
91951+ if (current->role->roletype & GR_ROLE_SPECIAL) {
91952+ char *p = "";
91953+ int i = 0;
91954+
91955+ read_lock(&tasklist_lock);
91956+ if (current->real_parent) {
91957+ p = current->real_parent->role->rolename;
91958+ i = current->real_parent->acl_role_id;
91959+ }
91960+ read_unlock(&tasklist_lock);
91961+
91962+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
91963+ gr_set_acls(1);
91964+ } else {
91965+ error = -EPERM;
91966+ goto out;
91967+ }
91968+ break;
91969+ default:
91970+ gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
91971+ error = -EINVAL;
91972+ break;
91973+ }
91974+
91975+ if (error != -EPERM)
91976+ goto out;
91977+
91978+ if(!(gr_auth_attempts++))
91979+ gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
91980+
91981+ out:
91982+ mutex_unlock(&gr_dev_mutex);
91983+
91984+ if (!error)
91985+ error = req_count;
91986+
91987+ return error;
91988+}
91989+
91990+int
91991+gr_set_acls(const int type)
91992+{
91993+ struct task_struct *task, *task2;
91994+ struct acl_role_label *role = current->role;
91995+ struct acl_subject_label *subj;
91996+ __u16 acl_role_id = current->acl_role_id;
91997+ const struct cred *cred;
91998+ int ret;
91999+
92000+ rcu_read_lock();
92001+ read_lock(&tasklist_lock);
92002+ read_lock(&grsec_exec_file_lock);
92003+ do_each_thread(task2, task) {
92004+ /* check to see if we're called from the exit handler,
92005+ if so, only replace ACLs that have inherited the admin
92006+ ACL */
92007+
92008+ if (type && (task->role != role ||
92009+ task->acl_role_id != acl_role_id))
92010+ continue;
92011+
92012+ task->acl_role_id = 0;
92013+ task->acl_sp_role = 0;
92014+ task->inherited = 0;
92015+
92016+ if (task->exec_file) {
92017+ cred = __task_cred(task);
92018+ task->role = __lookup_acl_role_label(polstate, task, GR_GLOBAL_UID(cred->uid), GR_GLOBAL_GID(cred->gid));
92019+ subj = __gr_get_subject_for_task(polstate, task, NULL, 1);
92020+ if (subj == NULL) {
92021+ ret = -EINVAL;
92022+ read_unlock(&grsec_exec_file_lock);
92023+ read_unlock(&tasklist_lock);
92024+ rcu_read_unlock();
92025+ gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task_pid_nr(task));
92026+ return ret;
92027+ }
92028+ __gr_apply_subject_to_task(polstate, task, subj);
92029+ } else {
92030+ // it's a kernel process
92031+ task->role = polstate->kernel_role;
92032+ task->acl = polstate->kernel_role->root_label;
92033+#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
92034+ task->acl->mode &= ~GR_PROCFIND;
92035+#endif
92036+ }
92037+ } while_each_thread(task2, task);
92038+ read_unlock(&grsec_exec_file_lock);
92039+ read_unlock(&tasklist_lock);
92040+ rcu_read_unlock();
92041+
92042+ return 0;
92043+}
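diff --git a/grsecurity/gracl_res.c b/grsecurity/gracl_res.c
new file mode 100644
index 0000000..39645c9
--- /dev/null
+++ b/grsecurity/gracl_res.c
@@ -0,0 +1,68 @@
+#include <linux/kernel.h>
+#include <linux/sched.h>
+#include <linux/gracl.h>
+#include <linux/grinternal.h>
+
+static const char *restab_log[] = {
+ [RLIMIT_CPU] = "RLIMIT_CPU",
+ [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
+ [RLIMIT_DATA] = "RLIMIT_DATA",
+ [RLIMIT_STACK] = "RLIMIT_STACK",
+ [RLIMIT_CORE] = "RLIMIT_CORE",
+ [RLIMIT_RSS] = "RLIMIT_RSS",
+ [RLIMIT_NPROC] = "RLIMIT_NPROC",
+ [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
+ [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
+ [RLIMIT_AS] = "RLIMIT_AS",
+ [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
+ [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
+ [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
+ [RLIMIT_NICE] = "RLIMIT_NICE",
+ [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
+ [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
+ [GR_CRASH_RES] = "RLIMIT_CRASH"
+};
+
+void
+gr_log_resource(const struct task_struct *task,
+ const int res, const unsigned long wanted, const int gt)
+{
+ const struct cred *cred;
+ unsigned long rlim;
+
+ if (!gr_acl_is_enabled() && !grsec_resource_logging)
+ return;
+
+ // not yet supported resource
+ if (unlikely(!restab_log[res]))
+ return;
+
+ if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
+ rlim = task_rlimit_max(task, res);
+ else
+ rlim = task_rlimit(task, res);
+
+ if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
+ return;
+
+ rcu_read_lock();
+ cred = __task_cred(task);
+
+ if (res == RLIMIT_NPROC &&
+ (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
+ cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
+ goto out_rcu_unlock;
+ else if (res == RLIMIT_MEMLOCK &&
+ cap_raised(cred->cap_effective, CAP_IPC_LOCK))
+ goto out_rcu_unlock;
+ else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
+ goto out_rcu_unlock;
+ rcu_read_unlock();
+
+ gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
+
+ return;
+out_rcu_unlock:
+ rcu_read_unlock();
+ return;
+}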
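Review bot: In `gr_log_resource`, `restab_log[res]` is read before `res` is checked against the table bounds; the `!restab_log[res]` test only filters unnamed slots inside the array, so a negative or too-large `res` would read outside it. The callers are not visible in this hunk and may only ever pass RLIMIT_* constants, but the function is non-static, so I would guard it locally: `if (unlikely(res < 0 || res >= (int)ARRAY_SIZE(restab_log) || !restab_log[res])) return;`. A short comment on the `gt` parameter would also help, since it decides whether `wanted == rlim` counts as within the limit in the `likely(...)` comparison.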
92118diff --git a/grsecurity/gracl_segv.c b/grsecurity/gracl_segv.c
92119new file mode 100644
92120index 0000000..21646aa
92121--- /dev/null
92122+++ b/grsecurity/gracl_segv.c
92123@@ -0,0 +1,304 @@
92124+#include <linux/kernel.h>
92125+#include <linux/mm.h>
92126+#include <asm/uaccess.h>
92127+#include <asm/errno.h>
92128+#include <asm/mman.h>
92129+#include <net/sock.h>
92130+#include <linux/file.h>
92131+#include <linux/fs.h>
92132+#include <linux/net.h>
92133+#include <linux/in.h>
92134+#include <linux/slab.h>
92135+#include <linux/types.h>
92136+#include <linux/sched.h>
92137+#include <linux/timer.h>
92138+#include <linux/gracl.h>
92139+#include <linux/grsecurity.h>
92140+#include <linux/grinternal.h>
92141+#if defined(CONFIG_BTRFS_FS) || defined(CONFIG_BTRFS_FS_MODULE)
92142+#include <linux/magic.h>
92143+#include <linux/pagemap.h>
92144+#include "../fs/btrfs/async-thread.h"
92145+#include "../fs/btrfs/ctree.h"
92146+#include "../fs/btrfs/btrfs_inode.h"
92147+#endif
92148+
92149+static struct crash_uid *uid_set;
92150+static unsigned short uid_used;
92151+static DEFINE_SPINLOCK(gr_uid_lock);
92152+extern rwlock_t gr_inode_lock;
92153+extern struct acl_subject_label *
92154+ lookup_acl_subj_label(const u64 inode, const dev_t dev,
92155+ struct acl_role_label *role);
92156+
92157+int
92158+gr_init_uidset(void)
92159+{
92160+ uid_set =
92161+ kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
92162+ uid_used = 0;
92163+
92164+ return uid_set ? 1 : 0;
92165+}
92166+
92167+void
92168+gr_free_uidset(void)
92169+{
92170+ if (uid_set) {
92171+ struct crash_uid *tmpset;
92172+ spin_lock(&gr_uid_lock);
92173+ tmpset = uid_set;
92174+ uid_set = NULL;
92175+ uid_used = 0;
92176+ spin_unlock(&gr_uid_lock);
92177+ if (tmpset)
92178+ kfree(tmpset);
92179+ }
92180+
92181+ return;
92182+}
92183+
92184+int
92185+gr_find_uid(const uid_t uid)
92186+{
92187+ struct crash_uid *tmp = uid_set;
92188+ uid_t buid;
92189+ int low = 0, high = uid_used - 1, mid;
92190+
92191+ while (high >= low) {
92192+ mid = (low + high) >> 1;
92193+ buid = tmp[mid].uid;
92194+ if (buid == uid)
92195+ return mid;
92196+ if (buid > uid)
92197+ high = mid - 1;
92198+ if (buid < uid)
92199+ low = mid + 1;
92200+ }
92201+
92202+ return -1;
92203+}
92204+
92205+static void
92206+gr_insertsort(void)
92207+{
92208+ unsigned short i, j;
92209+ struct crash_uid index;
92210+
92211+ for (i = 1; i < uid_used; i++) {
92212+ index = uid_set[i];
92213+ j = i;
92214+ while ((j > 0) && uid_set[j - 1].uid > index.uid) {
92215+ uid_set[j] = uid_set[j - 1];
92216+ j--;
92217+ }
92218+ uid_set[j] = index;
92219+ }
92220+
92221+ return;
92222+}
92223+
92224+static void
92225+gr_insert_uid(const kuid_t kuid, const unsigned long expires)
92226+{
92227+ int loc;
92228+ uid_t uid = GR_GLOBAL_UID(kuid);
92229+
92230+ if (uid_used == GR_UIDTABLE_MAX)
92231+ return;
92232+
92233+ loc = gr_find_uid(uid);
92234+
92235+ if (loc >= 0) {
92236+ uid_set[loc].expires = expires;
92237+ return;
92238+ }
92239+
92240+ uid_set[uid_used].uid = uid;
92241+ uid_set[uid_used].expires = expires;
92242+ uid_used++;
92243+
92244+ gr_insertsort();
92245+
92246+ return;
92247+}
92248+
92249+void
92250+gr_remove_uid(const unsigned short loc)
92251+{
92252+ unsigned short i;
92253+
92254+ for (i = loc + 1; i < uid_used; i++)
92255+ uid_set[i - 1] = uid_set[i];
92256+
92257+ uid_used--;
92258+
92259+ return;
92260+}
92261+
92262+int
92263+gr_check_crash_uid(const kuid_t kuid)
92264+{
92265+ int loc;
92266+ int ret = 0;
92267+ uid_t uid;
92268+
92269+ if (unlikely(!gr_acl_is_enabled()))
92270+ return 0;
92271+
92272+ uid = GR_GLOBAL_UID(kuid);
92273+
92274+ spin_lock(&gr_uid_lock);
92275+ loc = gr_find_uid(uid);
92276+
92277+ if (loc < 0)
92278+ goto out_unlock;
92279+
92280+ if (time_before_eq(uid_set[loc].expires, get_seconds()))
92281+ gr_remove_uid(loc);
92282+ else
92283+ ret = 1;
92284+
92285+out_unlock:
92286+ spin_unlock(&gr_uid_lock);
92287+ return ret;
92288+}
92289+
92290+static int
92291+proc_is_setxid(const struct cred *cred)
92292+{
92293+ if (!uid_eq(cred->uid, cred->euid) || !uid_eq(cred->uid, cred->suid) ||
92294+ !uid_eq(cred->uid, cred->fsuid))
92295+ return 1;
92296+ if (!gid_eq(cred->gid, cred->egid) || !gid_eq(cred->gid, cred->sgid) ||
92297+ !gid_eq(cred->gid, cred->fsgid))
92298+ return 1;
92299+
92300+ return 0;
92301+}
92302+
92303+extern int gr_fake_force_sig(int sig, struct task_struct *t);
92304+
92305+void
92306+gr_handle_crash(struct task_struct *task, const int sig)
92307+{
92308+ struct acl_subject_label *curr;
92309+ struct task_struct *tsk, *tsk2;
92310+ const struct cred *cred;
92311+ const struct cred *cred2;
92312+
92313+ if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
92314+ return;
92315+
92316+ if (unlikely(!gr_acl_is_enabled()))
92317+ return;
92318+
92319+ curr = task->acl;
92320+
92321+ if (!(curr->resmask & (1U << GR_CRASH_RES)))
92322+ return;
92323+
92324+ if (time_before_eq(curr->expires, get_seconds())) {
92325+ curr->expires = 0;
92326+ curr->crashes = 0;
92327+ }
92328+
92329+ curr->crashes++;
92330+
92331+ if (!curr->expires)
92332+ curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
92333+
92334+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
92335+ time_after(curr->expires, get_seconds())) {
92336+ rcu_read_lock();
92337+ cred = __task_cred(task);
92338+ if (gr_is_global_nonroot(cred->uid) && proc_is_setxid(cred)) {
92339+ gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
92340+ spin_lock(&gr_uid_lock);
92341+ gr_insert_uid(cred->uid, curr->expires);
92342+ spin_unlock(&gr_uid_lock);
92343+ curr->expires = 0;
92344+ curr->crashes = 0;
92345+ read_lock(&tasklist_lock);
92346+ do_each_thread(tsk2, tsk) {
92347+ cred2 = __task_cred(tsk);
92348+ if (tsk != task && uid_eq(cred2->uid, cred->uid))
92349+ gr_fake_force_sig(SIGKILL, tsk);
92350+ } while_each_thread(tsk2, tsk);
92351+ read_unlock(&tasklist_lock);
92352+ } else {
92353+ gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
92354+ read_lock(&tasklist_lock);
92355+ read_lock(&grsec_exec_file_lock);
92356+ do_each_thread(tsk2, tsk) {
92357+ if (likely(tsk != task)) {
92358+ // if this thread has the same subject as the one that triggered
92359+ // RES_CRASH and it's the same binary, kill it
92360+ if (tsk->acl == task->acl && gr_is_same_file(tsk->exec_file, task->exec_file))
92361+ gr_fake_force_sig(SIGKILL, tsk);
92362+ }
92363+ } while_each_thread(tsk2, tsk);
92364+ read_unlock(&grsec_exec_file_lock);
92365+ read_unlock(&tasklist_lock);
92366+ }
92367+ rcu_read_unlock();
92368+ }
92369+
92370+ return;
92371+}
92372+
92373+int
92374+gr_check_crash_exec(const struct file *filp)
92375+{
92376+ struct acl_subject_label *curr;
92377+ struct dentry *dentry;
92378+
92379+ if (unlikely(!gr_acl_is_enabled()))
92380+ return 0;
92381+
92382+ read_lock(&gr_inode_lock);
92383+ dentry = filp->f_path.dentry;
92384+ curr = lookup_acl_subj_label(gr_get_ino_from_dentry(dentry), gr_get_dev_from_dentry(dentry),
92385+ current->role);
92386+ read_unlock(&gr_inode_lock);
92387+
92388+ if (!curr || !(curr->resmask & (1U << GR_CRASH_RES)) ||
92389+ (!curr->crashes && !curr->expires))
92390+ return 0;
92391+
92392+ if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
92393+ time_after(curr->expires, get_seconds()))
92394+ return 1;
92395+ else if (time_before_eq(curr->expires, get_seconds())) {
92396+ curr->crashes = 0;
92397+ curr->expires = 0;
92398+ }
92399+
92400+ return 0;
92401+}
92402+
92403+void
92404+gr_handle_alertkill(struct task_struct *task)
92405+{
92406+ struct acl_subject_label *curracl;
92407+ __u32 curr_ip;
92408+ struct task_struct *p, *p2;
92409+
92410+ if (unlikely(!gr_acl_is_enabled()))
92411+ return;
92412+
92413+ curracl = task->acl;
92414+ curr_ip = task->signal->curr_ip;
92415+
92416+ if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
92417+ read_lock(&tasklist_lock);
92418+ do_each_thread(p2, p) {
92419+ if (p->signal->curr_ip == curr_ip)
92420+ gr_fake_force_sig(SIGKILL, p);
92421+ } while_each_thread(p2, p);
92422+ read_unlock(&tasklist_lock);
92423+ } else if (curracl->mode & GR_KILLPROC)
92424+ gr_fake_force_sig(SIGKILL, task);
92425+
92426+ return;
92427+}
92428diff --git a/grsecurity/gracl_shm.c b/grsecurity/gracl_shm.c
92429new file mode 100644
92430index 0000000..6b0c9cc
92431--- /dev/null
92432+++ b/grsecurity/gracl_shm.c
92433@@ -0,0 +1,40 @@
92434+#include <linux/kernel.h>
92435+#include <linux/mm.h>
92436+#include <linux/sched.h>
92437+#include <linux/file.h>
92438+#include <linux/ipc.h>
92439+#include <linux/gracl.h>
92440+#include <linux/grsecurity.h>
92441+#include <linux/grinternal.h>
92442+
92443+int
92444+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
92445+ const u64 shm_createtime, const kuid_t cuid, const int shmid)
92446+{
92447+ struct task_struct *task;
92448+
92449+ if (!gr_acl_is_enabled())
92450+ return 1;
92451+
92452+ rcu_read_lock();
92453+ read_lock(&tasklist_lock);
92454+
92455+ task = find_task_by_vpid(shm_cprid);
92456+
92457+ if (unlikely(!task))
92458+ task = find_task_by_vpid(shm_lapid);
92459+
92460+ if (unlikely(task && (time_before_eq64(task->start_time, shm_createtime) ||
92461+ (task_pid_nr(task) == shm_lapid)) &&
92462+ (task->acl->mode & GR_PROTSHM) &&
92463+ (task->acl != current->acl))) {
92464+ read_unlock(&tasklist_lock);
92465+ rcu_read_unlock();
92466+ gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, GR_GLOBAL_UID(cuid), shm_cprid, shmid);
92467+ return 0;
92468+ }
92469+ read_unlock(&tasklist_lock);
92470+ rcu_read_unlock();
92471+
92472+ return 1;
92473+}
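Review bot: In `gr_handle_shmat` the fallback to `shm_lapid` is taken only when no task has the creator pid, so when the creator pid has been recycled (a task whose `start_time` is after `shm_createtime`) the check ends without consulting the last attacher and the attach is allowed. `gr_chroot_shmat` in grsec_chroot.c treats the same situation as pid reuse and falls through to the `shm_lapid` lookup. Consider `if (unlikely(!task || !time_before_eq64(task->start_time, shm_createtime))) task = find_task_by_vpid(shm_lapid);`, which leaves the existing `task_pid_nr(task) == shm_lapid` test to accept the last attacher. The lookup here also uses `find_task_by_vpid` where the chroot variant uses `find_task_by_vpid_unrestricted`; if that difference is intentional, a one-line comment saying why would help.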
92474diff --git a/grsecurity/grsec_chdir.c b/grsecurity/grsec_chdir.c
92475new file mode 100644
92476index 0000000..bc0be01
92477--- /dev/null
92478+++ b/grsecurity/grsec_chdir.c
92479@@ -0,0 +1,19 @@
92480+#include <linux/kernel.h>
92481+#include <linux/sched.h>
92482+#include <linux/fs.h>
92483+#include <linux/file.h>
92484+#include <linux/grsecurity.h>
92485+#include <linux/grinternal.h>
92486+
92487+void
92488+gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
92489+{
92490+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
92491+ if ((grsec_enable_chdir && grsec_enable_group &&
92492+ in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
92493+ !grsec_enable_group)) {
92494+ gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
92495+ }
92496+#endif
92497+ return;
92498+}
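Review bot: The audit condition in `gr_log_chdir` tests `grsec_enable_chdir` twice, which makes it harder to read than necessary. `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` is equivalent and still calls `in_group_p()` only when group auditing is on. The same shape appears in `gr_handle_exec_args` in grsec_exec.c with `grsec_enable_execlog`. A short comment such as `/* audit everyone, or only members of grsec_audit_gid when group auditing is enabled */` would state the intent.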
92499diff --git a/grsecurity/grsec_chroot.c b/grsecurity/grsec_chroot.c
92500new file mode 100644
92501index 0000000..652ab45
92502--- /dev/null
92503+++ b/grsecurity/grsec_chroot.c
92504@@ -0,0 +1,467 @@
92505+#include <linux/kernel.h>
92506+#include <linux/module.h>
92507+#include <linux/sched.h>
92508+#include <linux/file.h>
92509+#include <linux/fs.h>
92510+#include <linux/mount.h>
92511+#include <linux/types.h>
92512+#include "../fs/mount.h"
92513+#include <linux/grsecurity.h>
92514+#include <linux/grinternal.h>
92515+
92516+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
92517+int gr_init_ran;
92518+#endif
92519+
92520+void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
92521+{
92522+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
92523+ struct dentry *tmpd = dentry;
92524+
92525+ read_seqlock_excl(&mount_lock);
92526+ write_seqlock(&rename_lock);
92527+
92528+ while (tmpd != mnt->mnt_root) {
92529+ atomic_inc(&tmpd->chroot_refcnt);
92530+ tmpd = tmpd->d_parent;
92531+ }
92532+ atomic_inc(&tmpd->chroot_refcnt);
92533+
92534+ write_sequnlock(&rename_lock);
92535+ read_sequnlock_excl(&mount_lock);
92536+#endif
92537+}
92538+
92539+void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
92540+{
92541+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
92542+ struct dentry *tmpd = dentry;
92543+
92544+ read_seqlock_excl(&mount_lock);
92545+ write_seqlock(&rename_lock);
92546+
92547+ while (tmpd != mnt->mnt_root) {
92548+ atomic_dec(&tmpd->chroot_refcnt);
92549+ tmpd = tmpd->d_parent;
92550+ }
92551+ atomic_dec(&tmpd->chroot_refcnt);
92552+
92553+ write_sequnlock(&rename_lock);
92554+ read_sequnlock_excl(&mount_lock);
92555+#endif
92556+}
92557+
92558+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
92559+static struct dentry *get_closest_chroot(struct dentry *dentry)
92560+{
92561+ write_seqlock(&rename_lock);
92562+ do {
92563+ if (atomic_read(&dentry->chroot_refcnt)) {
92564+ write_sequnlock(&rename_lock);
92565+ return dentry;
92566+ }
92567+ dentry = dentry->d_parent;
92568+ } while (!IS_ROOT(dentry));
92569+ write_sequnlock(&rename_lock);
92570+ return NULL;
92571+}
92572+#endif
92573+
92574+int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
92575+ struct dentry *newdentry, struct vfsmount *newmnt)
92576+{
92577+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
92578+ struct dentry *chroot;
92579+
92580+ if (unlikely(!grsec_enable_chroot_rename))
92581+ return 0;
92582+
92583+ if (likely(!proc_is_chrooted(current) && gr_is_global_root(current_uid())))
92584+ return 0;
92585+
92586+ chroot = get_closest_chroot(olddentry);
92587+
92588+ if (chroot == NULL)
92589+ return 0;
92590+
92591+ if (is_subdir(newdentry, chroot))
92592+ return 0;
92593+
92594+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_RENAME_MSG, olddentry, oldmnt);
92595+
92596+ return 1;
92597+#else
92598+ return 0;
92599+#endif
92600+}
92601+
92602+void gr_set_chroot_entries(struct task_struct *task, const struct path *path)
92603+{
92604+#ifdef CONFIG_GRKERNSEC
92605+ if (task_pid_nr(task) > 1 && path->dentry != init_task.fs->root.dentry &&
92606+ path->dentry != task->nsproxy->mnt_ns->root->mnt.mnt_root
92607+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
92608+ && gr_init_ran
92609+#endif
92610+ )
92611+ task->gr_is_chrooted = 1;
92612+ else {
92613+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
92614+ if (task_pid_nr(task) == 1 && !gr_init_ran)
92615+ gr_init_ran = 1;
92616+#endif
92617+ task->gr_is_chrooted = 0;
92618+ }
92619+
92620+ task->gr_chroot_dentry = path->dentry;
92621+#endif
92622+ return;
92623+}
92624+
92625+void gr_clear_chroot_entries(struct task_struct *task)
92626+{
92627+#ifdef CONFIG_GRKERNSEC
92628+ task->gr_is_chrooted = 0;
92629+ task->gr_chroot_dentry = NULL;
92630+#endif
92631+ return;
92632+}
92633+
92634+int
92635+gr_handle_chroot_unix(const pid_t pid)
92636+{
92637+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
92638+ struct task_struct *p;
92639+
92640+ if (unlikely(!grsec_enable_chroot_unix))
92641+ return 1;
92642+
92643+ if (likely(!proc_is_chrooted(current)))
92644+ return 1;
92645+
92646+ rcu_read_lock();
92647+ read_lock(&tasklist_lock);
92648+ p = find_task_by_vpid_unrestricted(pid);
92649+ if (unlikely(p && !have_same_root(current, p))) {
92650+ read_unlock(&tasklist_lock);
92651+ rcu_read_unlock();
92652+ gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
92653+ return 0;
92654+ }
92655+ read_unlock(&tasklist_lock);
92656+ rcu_read_unlock();
92657+#endif
92658+ return 1;
92659+}
92660+
92661+int
92662+gr_handle_chroot_nice(void)
92663+{
92664+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
92665+ if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
92666+ gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
92667+ return -EPERM;
92668+ }
92669+#endif
92670+ return 0;
92671+}
92672+
92673+int
92674+gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
92675+{
92676+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
92677+ if (grsec_enable_chroot_nice && (niceval < task_nice(p))
92678+ && proc_is_chrooted(current)) {
92679+ gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, task_pid_nr(p));
92680+ return -EACCES;
92681+ }
92682+#endif
92683+ return 0;
92684+}
92685+
92686+int
92687+gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
92688+{
92689+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
92690+ struct task_struct *p;
92691+ int ret = 0;
92692+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
92693+ return ret;
92694+
92695+ read_lock(&tasklist_lock);
92696+ do_each_pid_task(pid, type, p) {
92697+ if (!have_same_root(current, p)) {
92698+ ret = 1;
92699+ goto out;
92700+ }
92701+ } while_each_pid_task(pid, type, p);
92702+out:
92703+ read_unlock(&tasklist_lock);
92704+ return ret;
92705+#endif
92706+ return 0;
92707+}
92708+
92709+int
92710+gr_pid_is_chrooted(struct task_struct *p)
92711+{
92712+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
92713+ if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
92714+ return 0;
92715+
92716+ if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
92717+ !have_same_root(current, p)) {
92718+ return 1;
92719+ }
92720+#endif
92721+ return 0;
92722+}
92723+
92724+EXPORT_SYMBOL_GPL(gr_pid_is_chrooted);
92725+
92726+#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
92727+int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
92728+{
92729+ struct path path, currentroot;
92730+ int ret = 0;
92731+
92732+ path.dentry = (struct dentry *)u_dentry;
92733+ path.mnt = (struct vfsmount *)u_mnt;
92734+ get_fs_root(current->fs, &currentroot);
92735+ if (path_is_under(&path, &currentroot))
92736+ ret = 1;
92737+ path_put(&currentroot);
92738+
92739+ return ret;
92740+}
92741+#endif
92742+
92743+int
92744+gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
92745+{
92746+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
92747+ if (!grsec_enable_chroot_fchdir)
92748+ return 1;
92749+
92750+ if (!proc_is_chrooted(current))
92751+ return 1;
92752+ else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
92753+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
92754+ return 0;
92755+ }
92756+#endif
92757+ return 1;
92758+}
92759+
92760+int
92761+gr_chroot_fhandle(void)
92762+{
92763+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
92764+ if (!grsec_enable_chroot_fchdir)
92765+ return 1;
92766+
92767+ if (!proc_is_chrooted(current))
92768+ return 1;
92769+ else {
92770+ gr_log_noargs(GR_DONT_AUDIT, GR_CHROOT_FHANDLE_MSG);
92771+ return 0;
92772+ }
92773+#endif
92774+ return 1;
92775+}
92776+
92777+int
92778+gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
92779+ const u64 shm_createtime)
92780+{
92781+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
92782+ struct task_struct *p;
92783+
92784+ if (unlikely(!grsec_enable_chroot_shmat))
92785+ return 1;
92786+
92787+ if (likely(!proc_is_chrooted(current)))
92788+ return 1;
92789+
92790+ rcu_read_lock();
92791+ read_lock(&tasklist_lock);
92792+
92793+ if ((p = find_task_by_vpid_unrestricted(shm_cprid))) {
92794+ if (time_before_eq64(p->start_time, shm_createtime)) {
92795+ if (have_same_root(current, p)) {
92796+ goto allow;
92797+ } else {
92798+ read_unlock(&tasklist_lock);
92799+ rcu_read_unlock();
92800+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
92801+ return 0;
92802+ }
92803+ }
92804+ /* creator exited, pid reuse, fall through to next check */
92805+ }
92806+ if ((p = find_task_by_vpid_unrestricted(shm_lapid))) {
92807+ if (unlikely(!have_same_root(current, p))) {
92808+ read_unlock(&tasklist_lock);
92809+ rcu_read_unlock();
92810+ gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
92811+ return 0;
92812+ }
92813+ }
92814+
92815+allow:
92816+ read_unlock(&tasklist_lock);
92817+ rcu_read_unlock();
92818+#endif
92819+ return 1;
92820+}
92821+
92822+void
92823+gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
92824+{
92825+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
92826+ if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
92827+ gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
92828+#endif
92829+ return;
92830+}
92831+
92832+int
92833+gr_handle_chroot_mknod(const struct dentry *dentry,
92834+ const struct vfsmount *mnt, const int mode)
92835+{
92836+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
92837+ if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
92838+ proc_is_chrooted(current)) {
92839+ gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
92840+ return -EPERM;
92841+ }
92842+#endif
92843+ return 0;
92844+}
92845+
92846+int
92847+gr_handle_chroot_mount(const struct dentry *dentry,
92848+ const struct vfsmount *mnt, const char *dev_name)
92849+{
92850+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
92851+ if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
92852+ gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none", dentry, mnt);
92853+ return -EPERM;
92854+ }
92855+#endif
92856+ return 0;
92857+}
92858+
92859+int
92860+gr_handle_chroot_pivot(void)
92861+{
92862+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
92863+ if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
92864+ gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
92865+ return -EPERM;
92866+ }
92867+#endif
92868+ return 0;
92869+}
92870+
92871+int
92872+gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
92873+{
92874+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
92875+ if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
92876+ !gr_is_outside_chroot(dentry, mnt)) {
92877+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
92878+ return -EPERM;
92879+ }
92880+#endif
92881+ return 0;
92882+}
92883+
92884+extern const char *captab_log[];
92885+extern int captab_log_entries;
92886+
92887+int
92888+gr_task_chroot_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
92889+{
92890+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92891+ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
92892+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
92893+ if (cap_raised(chroot_caps, cap)) {
92894+ if (cap_raised(cred->cap_effective, cap) && cap < captab_log_entries) {
92895+ gr_log_cap(GR_DONT_AUDIT, GR_CAP_CHROOT_MSG, task, captab_log[cap]);
92896+ }
92897+ return 0;
92898+ }
92899+ }
92900+#endif
92901+ return 1;
92902+}
92903+
92904+int
92905+gr_chroot_is_capable(const int cap)
92906+{
92907+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92908+ return gr_task_chroot_is_capable(current, current_cred(), cap);
92909+#endif
92910+ return 1;
92911+}
92912+
92913+int
92914+gr_task_chroot_is_capable_nolog(const struct task_struct *task, const int cap)
92915+{
92916+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92917+ if (grsec_enable_chroot_caps && proc_is_chrooted(task)) {
92918+ kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
92919+ if (cap_raised(chroot_caps, cap)) {
92920+ return 0;
92921+ }
92922+ }
92923+#endif
92924+ return 1;
92925+}
92926+
92927+int
92928+gr_chroot_is_capable_nolog(const int cap)
92929+{
92930+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
92931+ return gr_task_chroot_is_capable_nolog(current, cap);
92932+#endif
92933+ return 1;
92934+}
92935+
92936+int
92937+gr_handle_chroot_sysctl(const int op)
92938+{
92939+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
92940+ if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
92941+ proc_is_chrooted(current))
92942+ return -EACCES;
92943+#endif
92944+ return 0;
92945+}
92946+
92947+void
92948+gr_handle_chroot_chdir(const struct path *path)
92949+{
92950+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
92951+ if (grsec_enable_chroot_chdir)
92952+ set_fs_pwd(current->fs, path);
92953+#endif
92954+ return;
92955+}
92956+
92957+int
92958+gr_handle_chroot_chmod(const struct dentry *dentry,
92959+ const struct vfsmount *mnt, const int mode)
92960+{
92961+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
92962+ /* allow chmod +s on directories, but not files */
92963+ if (grsec_enable_chroot_chmod && !d_is_dir(dentry) &&
92964+ ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
92965+ proc_is_chrooted(current)) {
92966+ gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
92967+ return -EPERM;
92968+ }
92969+#endif
92970+ return 0;
92971+}
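Review bot: `gr_is_outside_chroot` returns 1 when `path_is_under(&path, &currentroot)` succeeds, that is, when the path is inside the caller's root, so its name states the opposite of its result; `gr_chroot_fchdir` and `gr_handle_chroot_chroot` both deny on `!gr_is_outside_chroot(...)`. A later caller that trusts the name would invert the containment check. Either rename the helper or add `/* returns 1 if the path is under current's root (inside the chroot), 0 if it lies outside */` above its definition. The file also mixes return conventions: `gr_handle_chroot_unix`, `gr_chroot_fchdir`, `gr_chroot_fhandle` and `gr_chroot_shmat` return 1 to allow and 0 to deny, while `gr_handle_chroot_nice`, `gr_handle_chroot_mknod`, `gr_handle_chroot_mount`, `gr_handle_chroot_pivot` and `gr_handle_chroot_chmod` return 0 to allow and a negative errno to deny, so a one-line comment on each stating which applies would help.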
92972diff --git a/grsecurity/grsec_disabled.c b/grsecurity/grsec_disabled.c
92973new file mode 100644
92974index 0000000..e723c08
92975--- /dev/null
92976+++ b/grsecurity/grsec_disabled.c
92977@@ -0,0 +1,445 @@
92978+#include <linux/kernel.h>
92979+#include <linux/module.h>
92980+#include <linux/sched.h>
92981+#include <linux/file.h>
92982+#include <linux/fs.h>
92983+#include <linux/kdev_t.h>
92984+#include <linux/net.h>
92985+#include <linux/in.h>
92986+#include <linux/ip.h>
92987+#include <linux/skbuff.h>
92988+#include <linux/sysctl.h>
92989+
92990+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
92991+void
92992+pax_set_initial_flags(struct linux_binprm *bprm)
92993+{
92994+ return;
92995+}
92996+#endif
92997+
92998+#ifdef CONFIG_SYSCTL
92999+__u32
93000+gr_handle_sysctl(const struct ctl_table * table, const int op)
93001+{
93002+ return 0;
93003+}
93004+#endif
93005+
93006+#ifdef CONFIG_TASKSTATS
93007+int gr_is_taskstats_denied(int pid)
93008+{
93009+ return 0;
93010+}
93011+#endif
93012+
93013+int
93014+gr_acl_is_enabled(void)
93015+{
93016+ return 0;
93017+}
93018+
93019+int
93020+gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap)
93021+{
93022+ return 0;
93023+}
93024+
93025+void
93026+gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
93027+{
93028+ return;
93029+}
93030+
93031+int
93032+gr_handle_rawio(const struct inode *inode)
93033+{
93034+ return 0;
93035+}
93036+
93037+void
93038+gr_acl_handle_psacct(struct task_struct *task, const long code)
93039+{
93040+ return;
93041+}
93042+
93043+int
93044+gr_handle_ptrace(struct task_struct *task, const long request)
93045+{
93046+ return 0;
93047+}
93048+
93049+int
93050+gr_handle_proc_ptrace(struct task_struct *task)
93051+{
93052+ return 0;
93053+}
93054+
93055+int
93056+gr_set_acls(const int type)
93057+{
93058+ return 0;
93059+}
93060+
93061+int
93062+gr_check_hidden_task(const struct task_struct *tsk)
93063+{
93064+ return 0;
93065+}
93066+
93067+int
93068+gr_check_protected_task(const struct task_struct *task)
93069+{
93070+ return 0;
93071+}
93072+
93073+int
93074+gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
93075+{
93076+ return 0;
93077+}
93078+
93079+void
93080+gr_copy_label(struct task_struct *tsk)
93081+{
93082+ return;
93083+}
93084+
93085+void
93086+gr_set_pax_flags(struct task_struct *task)
93087+{
93088+ return;
93089+}
93090+
93091+int
93092+gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
93093+ const int unsafe_share)
93094+{
93095+ return 0;
93096+}
93097+
93098+void
93099+gr_handle_delete(const u64 ino, const dev_t dev)
93100+{
93101+ return;
93102+}
93103+
93104+void
93105+gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
93106+{
93107+ return;
93108+}
93109+
93110+void
93111+gr_handle_crash(struct task_struct *task, const int sig)
93112+{
93113+ return;
93114+}
93115+
93116+int
93117+gr_check_crash_exec(const struct file *filp)
93118+{
93119+ return 0;
93120+}
93121+
93122+int
93123+gr_check_crash_uid(const kuid_t uid)
93124+{
93125+ return 0;
93126+}
93127+
93128+void
93129+gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
93130+ struct dentry *old_dentry,
93131+ struct dentry *new_dentry,
93132+ struct vfsmount *mnt, const __u8 replace, unsigned int flags)
93133+{
93134+ return;
93135+}
93136+
93137+int
93138+gr_search_socket(const int family, const int type, const int protocol)
93139+{
93140+ return 1;
93141+}
93142+
93143+int
93144+gr_search_connectbind(const int mode, const struct socket *sock,
93145+ const struct sockaddr_in *addr)
93146+{
93147+ return 0;
93148+}
93149+
93150+void
93151+gr_handle_alertkill(struct task_struct *task)
93152+{
93153+ return;
93154+}
93155+
93156+__u32
93157+gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
93158+{
93159+ return 1;
93160+}
93161+
93162+__u32
93163+gr_acl_handle_hidden_file(const struct dentry * dentry,
93164+ const struct vfsmount * mnt)
93165+{
93166+ return 1;
93167+}
93168+
93169+__u32
93170+gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
93171+ int acc_mode)
93172+{
93173+ return 1;
93174+}
93175+
93176+__u32
93177+gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
93178+{
93179+ return 1;
93180+}
93181+
93182+__u32
93183+gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
93184+{
93185+ return 1;
93186+}
93187+
93188+int
93189+gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
93190+ unsigned int *vm_flags)
93191+{
93192+ return 1;
93193+}
93194+
93195+__u32
93196+gr_acl_handle_truncate(const struct dentry * dentry,
93197+ const struct vfsmount * mnt)
93198+{
93199+ return 1;
93200+}
93201+
93202+__u32
93203+gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
93204+{
93205+ return 1;
93206+}
93207+
93208+__u32
93209+gr_acl_handle_access(const struct dentry * dentry,
93210+ const struct vfsmount * mnt, const int fmode)
93211+{
93212+ return 1;
93213+}
93214+
93215+__u32
93216+gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
93217+ umode_t *mode)
93218+{
93219+ return 1;
93220+}
93221+
93222+__u32
93223+gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
93224+{
93225+ return 1;
93226+}
93227+
93228+__u32
93229+gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
93230+{
93231+ return 1;
93232+}
93233+
93234+__u32
93235+gr_acl_handle_removexattr(const struct dentry * dentry, const struct vfsmount * mnt)
93236+{
93237+ return 1;
93238+}
93239+
93240+void
93241+grsecurity_init(void)
93242+{
93243+ return;
93244+}
93245+
93246+umode_t gr_acl_umask(void)
93247+{
93248+ return 0;
93249+}
93250+
93251+__u32
93252+gr_acl_handle_mknod(const struct dentry * new_dentry,
93253+ const struct dentry * parent_dentry,
93254+ const struct vfsmount * parent_mnt,
93255+ const int mode)
93256+{
93257+ return 1;
93258+}
93259+
93260+__u32
93261+gr_acl_handle_mkdir(const struct dentry * new_dentry,
93262+ const struct dentry * parent_dentry,
93263+ const struct vfsmount * parent_mnt)
93264+{
93265+ return 1;
93266+}
93267+
93268+__u32
93269+gr_acl_handle_symlink(const struct dentry * new_dentry,
93270+ const struct dentry * parent_dentry,
93271+ const struct vfsmount * parent_mnt, const struct filename *from)
93272+{
93273+ return 1;
93274+}
93275+
93276+__u32
93277+gr_acl_handle_link(const struct dentry * new_dentry,
93278+ const struct dentry * parent_dentry,
93279+ const struct vfsmount * parent_mnt,
93280+ const struct dentry * old_dentry,
93281+ const struct vfsmount * old_mnt, const struct filename *to)
93282+{
93283+ return 1;
93284+}
93285+
93286+int
93287+gr_acl_handle_rename(const struct dentry *new_dentry,
93288+ const struct dentry *parent_dentry,
93289+ const struct vfsmount *parent_mnt,
93290+ const struct dentry *old_dentry,
93291+ const struct inode *old_parent_inode,
93292+ const struct vfsmount *old_mnt, const struct filename *newname,
93293+ unsigned int flags)
93294+{
93295+ return 0;
93296+}
93297+
93298+int
93299+gr_acl_handle_filldir(const struct file *file, const char *name,
93300+ const int namelen, const u64 ino)
93301+{
93302+ return 1;
93303+}
93304+
93305+int
93306+gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
93307+ const u64 shm_createtime, const kuid_t cuid, const int shmid)
93308+{
93309+ return 1;
93310+}
93311+
93312+int
93313+gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
93314+{
93315+ return 0;
93316+}
93317+
93318+int
93319+gr_search_accept(const struct socket *sock)
93320+{
93321+ return 0;
93322+}
93323+
93324+int
93325+gr_search_listen(const struct socket *sock)
93326+{
93327+ return 0;
93328+}
93329+
93330+int
93331+gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
93332+{
93333+ return 0;
93334+}
93335+
93336+__u32
93337+gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
93338+{
93339+ return 1;
93340+}
93341+
93342+__u32
93343+gr_acl_handle_creat(const struct dentry * dentry,
93344+ const struct dentry * p_dentry,
93345+ const struct vfsmount * p_mnt, int open_flags, int acc_mode,
93346+ const int imode)
93347+{
93348+ return 1;
93349+}
93350+
93351+void
93352+gr_acl_handle_exit(void)
93353+{
93354+ return;
93355+}
93356+
93357+int
93358+gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
93359+{
93360+ return 1;
93361+}
93362+
93363+void
93364+gr_set_role_label(const kuid_t uid, const kgid_t gid)
93365+{
93366+ return;
93367+}
93368+
93369+int
93370+gr_acl_handle_procpidmem(const struct task_struct *task)
93371+{
93372+ return 0;
93373+}
93374+
93375+int
93376+gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
93377+{
93378+ return 0;
93379+}
93380+
93381+int
93382+gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
93383+{
93384+ return 0;
93385+}
93386+
93387+int
93388+gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs)
93389+{
93390+ return 0;
93391+}
93392+
93393+int
93394+gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs)
93395+{
93396+ return 0;
93397+}
93398+
93399+int gr_acl_enable_at_secure(void)
93400+{
93401+ return 0;
93402+}
93403+
93404+dev_t gr_get_dev_from_dentry(struct dentry *dentry)
93405+{
93406+ return d_backing_inode(dentry)->i_sb->s_dev;
93407+}
93408+
93409+u64 gr_get_ino_from_dentry(struct dentry *dentry)
93410+{
93411+ return d_backing_inode(dentry)->i_ino;
93412+}
93413+
93414+void gr_put_exec_file(struct task_struct *task)
93415+{
93416+ return;
93417+}
93418+
93419+#ifdef CONFIG_SECURITY
93420+EXPORT_SYMBOL_GPL(gr_check_user_change);
93421+EXPORT_SYMBOL_GPL(gr_check_group_change);
93422+#endif
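Review bot: These stubs carry no comment saying which constant means "permit", and neighbouring hooks differ: `gr_search_socket` returns 1 while `gr_search_connect`, `gr_search_bind`, `gr_search_accept` and `gr_search_listen` return 0, and most `gr_acl_handle_*` hooks return 1 while `gr_acl_handle_rename` and `gr_acl_handle_procpidmem` return 0. Presumably each value is what its caller treats as "allowed", but that cannot be confirmed from this file, and a mismatch with a caller's convention would pass review unnoticed. A header comment such as `/* RBAC disabled: each stub returns the value its caller treats as "permitted"; the convention differs per hook */`, plus a short note on the stubs that return 0, would make the file reviewable on its own. The include list also does not name `linux/grsecurity.h`, which the other grsecurity/*.c files in this patch include. Unless it arrives transitively, the compiler will not check these definitions against the declared prototypes, so consider adding `#include <linux/grsecurity.h>`.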
93423diff --git a/grsecurity/grsec_exec.c b/grsecurity/grsec_exec.c
93424new file mode 100644
93425index 0000000..fb7531e
93426--- /dev/null
93427+++ b/grsecurity/grsec_exec.c
93428@@ -0,0 +1,189 @@
93429+#include <linux/kernel.h>
93430+#include <linux/sched.h>
93431+#include <linux/file.h>
93432+#include <linux/binfmts.h>
93433+#include <linux/fs.h>
93434+#include <linux/types.h>
93435+#include <linux/grdefs.h>
93436+#include <linux/grsecurity.h>
93437+#include <linux/grinternal.h>
93438+#include <linux/capability.h>
93439+#include <linux/module.h>
93440+#include <linux/compat.h>
93441+
93442+#include <asm/uaccess.h>
93443+
93444+#ifdef CONFIG_GRKERNSEC_EXECLOG
93445+static char gr_exec_arg_buf[132];
93446+static DEFINE_MUTEX(gr_exec_arg_mutex);
93447+#endif
93448+
93449+struct user_arg_ptr {
93450+#ifdef CONFIG_COMPAT
93451+ bool is_compat;
93452+#endif
93453+ union {
93454+ const char __user *const __user *native;
93455+#ifdef CONFIG_COMPAT
93456+ const compat_uptr_t __user *compat;
93457+#endif
93458+ } ptr;
93459+};
93460+
93461+extern const char __user *get_user_arg_ptr(struct user_arg_ptr argv, int nr);
93462+
93463+void
93464+gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr argv)
93465+{
93466+#ifdef CONFIG_GRKERNSEC_EXECLOG
93467+ char *grarg = gr_exec_arg_buf;
93468+ unsigned int i, x, execlen = 0;
93469+ char c;
93470+
93471+ if (!((grsec_enable_execlog && grsec_enable_group &&
93472+ in_group_p(grsec_audit_gid))
93473+ || (grsec_enable_execlog && !grsec_enable_group)))
93474+ return;
93475+
93476+ mutex_lock(&gr_exec_arg_mutex);
93477+ memset(grarg, 0, sizeof(gr_exec_arg_buf));
93478+
93479+ for (i = 0; i < bprm->argc && execlen < 128; i++) {
93480+ const char __user *p;
93481+ unsigned int len;
93482+
93483+ p = get_user_arg_ptr(argv, i);
93484+ if (IS_ERR(p))
93485+ goto log;
93486+
93487+ len = strnlen_user(p, 128 - execlen);
93488+ if (len > 128 - execlen)
93489+ len = 128 - execlen;
93490+ else if (len > 0)
93491+ len--;
93492+ if (copy_from_user(grarg + execlen, p, len))
93493+ goto log;
93494+
93495+ /* rewrite unprintable characters */
93496+ for (x = 0; x < len; x++) {
93497+ c = *(grarg + execlen + x);
93498+ if (c < 32 || c > 126)
93499+ *(grarg + execlen + x) = ' ';
93500+ }
93501+
93502+ execlen += len;
93503+ *(grarg + execlen) = ' ';
93504+ *(grarg + execlen + 1) = '\0';
93505+ execlen++;
93506+ }
93507+
93508+ log:
93509+ gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
93510+ bprm->file->f_path.mnt, grarg);
93511+ mutex_unlock(&gr_exec_arg_mutex);
93512+#endif
93513+ return;
93514+}
93515+
93516+#ifdef CONFIG_GRKERNSEC
93517+extern int gr_acl_is_capable(const int cap);
93518+extern int gr_acl_is_capable_nolog(const int cap);
93519+extern int gr_task_acl_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
93520+extern int gr_task_acl_is_capable_nolog(const struct task_struct *task, const int cap);
93521+extern int gr_chroot_is_capable(const int cap);
93522+extern int gr_chroot_is_capable_nolog(const int cap);
93523+extern int gr_task_chroot_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
93524+extern int gr_task_chroot_is_capable_nolog(const struct task_struct *task, const int cap);
93525+#endif
93526+
93527+const char *captab_log[] = {
93528+ "CAP_CHOWN",
93529+ "CAP_DAC_OVERRIDE",
93530+ "CAP_DAC_READ_SEARCH",
93531+ "CAP_FOWNER",
93532+ "CAP_FSETID",
93533+ "CAP_KILL",
93534+ "CAP_SETGID",
93535+ "CAP_SETUID",
93536+ "CAP_SETPCAP",
93537+ "CAP_LINUX_IMMUTABLE",
93538+ "CAP_NET_BIND_SERVICE",
93539+ "CAP_NET_BROADCAST",
93540+ "CAP_NET_ADMIN",
93541+ "CAP_NET_RAW",
93542+ "CAP_IPC_LOCK",
93543+ "CAP_IPC_OWNER",
93544+ "CAP_SYS_MODULE",
93545+ "CAP_SYS_RAWIO",
93546+ "CAP_SYS_CHROOT",
93547+ "CAP_SYS_PTRACE",
93548+ "CAP_SYS_PACCT",
93549+ "CAP_SYS_ADMIN",
93550+ "CAP_SYS_BOOT",
93551+ "CAP_SYS_NICE",
93552+ "CAP_SYS_RESOURCE",
93553+ "CAP_SYS_TIME",
93554+ "CAP_SYS_TTY_CONFIG",
93555+ "CAP_MKNOD",
93556+ "CAP_LEASE",
93557+ "CAP_AUDIT_WRITE",
93558+ "CAP_AUDIT_CONTROL",
93559+ "CAP_SETFCAP",
93560+ "CAP_MAC_OVERRIDE",
93561+ "CAP_MAC_ADMIN",
93562+ "CAP_SYSLOG",
93563+ "CAP_WAKE_ALARM",
93564+ "CAP_BLOCK_SUSPEND",
93565+ "CAP_AUDIT_READ"
93566+};
93567+
93568+int captab_log_entries = sizeof(captab_log)/sizeof(captab_log[0]);
93569+
93570+int gr_is_capable(const int cap)
93571+{
93572+#ifdef CONFIG_GRKERNSEC
93573+ if (gr_acl_is_capable(cap) && gr_chroot_is_capable(cap))
93574+ return 1;
93575+ return 0;
93576+#else
93577+ return 1;
93578+#endif
93579+}
93580+
93581+int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap)
93582+{
93583+#ifdef CONFIG_GRKERNSEC
93584+ if (gr_task_acl_is_capable(task, cred, cap) && gr_task_chroot_is_capable(task, cred, cap))
93585+ return 1;
93586+ return 0;
93587+#else
93588+ return 1;
93589+#endif
93590+}
93591+
93592+int gr_is_capable_nolog(const int cap)
93593+{
93594+#ifdef CONFIG_GRKERNSEC
93595+ if (gr_acl_is_capable_nolog(cap) && gr_chroot_is_capable_nolog(cap))
93596+ return 1;
93597+ return 0;
93598+#else
93599+ return 1;
93600+#endif
93601+}
93602+
93603+int gr_task_is_capable_nolog(const struct task_struct *task, const int cap)
93604+{
93605+#ifdef CONFIG_GRKERNSEC
93606+ if (gr_task_acl_is_capable_nolog(task, cap) && gr_task_chroot_is_capable_nolog(task, cap))
93607+ return 1;
93608+ return 0;
93609+#else
93610+ return 1;
93611+#endif
93612+}
93613+
93614+EXPORT_SYMBOL_GPL(gr_is_capable);
93615+EXPORT_SYMBOL_GPL(gr_is_capable_nolog);
93616+EXPORT_SYMBOL_GPL(gr_task_is_capable);
93617+EXPORT_SYMBOL_GPL(gr_task_is_capable_nolog);
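Review bot: In gr_handle_exec_args, gr_exec_arg_mutex is held across get_user_arg_ptr(), strnlen_user() and copy_from_user(), each of which can block on a page fault in the caller's address space, so one slow fault stalls every other exec that reaches this logger. The mutex appears to exist only to protect the static gr_exec_arg_buf; a per-call buffer, `char grarg[132] = { 0 };` on the stack, would remove the shared state and let the mutex_lock/mutex_unlock pair and the memset go. Separately, the record is cut at 128 bytes with no marker, and unprintable bytes and argument separators both become spaces. That deserves a comment for whoever parses these audit lines, such as `/* logs at most 128 bytes of argv; truncation is silent and argument boundaries are not preserved */`.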
93618diff --git a/grsecurity/grsec_fifo.c b/grsecurity/grsec_fifo.c
93619new file mode 100644
93620index 0000000..cdec49b
93621--- /dev/null
93622+++ b/grsecurity/grsec_fifo.c
93623@@ -0,0 +1,26 @@
93624+#include <linux/kernel.h>
93625+#include <linux/sched.h>
93626+#include <linux/fs.h>
93627+#include <linux/file.h>
93628+#include <linux/grinternal.h>
93629+
93630+int
93631+gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
93632+ const struct dentry *dir, const int flag, const int acc_mode)
93633+{
93634+#ifdef CONFIG_GRKERNSEC_FIFO
93635+ const struct cred *cred = current_cred();
93636+ struct inode *inode = d_backing_inode(dentry);
93637+ struct inode *dir_inode = d_backing_inode(dir);
93638+
93639+ if (grsec_enable_fifo && S_ISFIFO(inode->i_mode) &&
93640+ !(flag & O_EXCL) && (dir_inode->i_mode & S_ISVTX) &&
93641+ !uid_eq(inode->i_uid, dir_inode->i_uid) &&
93642+ !uid_eq(cred->fsuid, inode->i_uid)) {
93643+ if (!inode_permission(inode, acc_mode))
93644+ gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, GR_GLOBAL_UID(inode->i_uid), GR_GLOBAL_GID(inode->i_gid));
93645+ return -EACCES;
93646+ }
93647+#endif
93648+ return 0;
93649+}
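Review bot: In gr_handle_fifo the `return -EACCES;` sits directly under an unbraced `if (!inode_permission(inode, acc_mode))`, so the denial is unconditional and only the log call is guarded, but the layout makes that easy to misread or to break in a later edit. Bracing the log call and adding `/* always deny; log only when the normal permission check would have allowed the open */` above it would make the intent explicit. Both `inode` and `dir_inode` are dereferenced without a NULL test, so this presumably relies on callers passing only positive dentries; that precondition deserves a line in a function comment.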
93650diff --git a/grsecurity/grsec_fork.c b/grsecurity/grsec_fork.c
93651new file mode 100644
93652index 0000000..8ca18bf
93653--- /dev/null
93654+++ b/grsecurity/grsec_fork.c
93655@@ -0,0 +1,23 @@
93656+#include <linux/kernel.h>
93657+#include <linux/sched.h>
93658+#include <linux/grsecurity.h>
93659+#include <linux/grinternal.h>
93660+#include <linux/errno.h>
93661+
93662+void
93663+gr_log_forkfail(const int retval)
93664+{
93665+#ifdef CONFIG_GRKERNSEC_FORKFAIL
93666+ if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
93667+ switch (retval) {
93668+ case -EAGAIN:
93669+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
93670+ break;
93671+ case -ENOMEM:
93672+ gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
93673+ break;
93674+ }
93675+ }
93676+#endif
93677+ return;
93678+}
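Review bot: The outer test `retval == -EAGAIN || retval == -ENOMEM` in gr_log_forkfail repeats exactly what the switch below it selects on, so the two lists of errno values have to be kept in step by hand. Testing only `grsec_enable_forkfail` in the `if` and adding `default: break;` to the switch gives the same behaviour with a single list. The trailing `return;` in a void function can go as well.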
93679diff --git a/grsecurity/grsec_init.c b/grsecurity/grsec_init.c
93680new file mode 100644
93681index 0000000..a364c58
93682--- /dev/null
93683+++ b/grsecurity/grsec_init.c
93684@@ -0,0 +1,290 @@
93685+#include <linux/kernel.h>
93686+#include <linux/sched.h>
93687+#include <linux/mm.h>
93688+#include <linux/gracl.h>
93689+#include <linux/slab.h>
93690+#include <linux/vmalloc.h>
93691+#include <linux/percpu.h>
93692+#include <linux/module.h>
93693+
93694+int grsec_enable_ptrace_readexec __read_only;
93695+int grsec_enable_setxid __read_only;
93696+int grsec_enable_symlinkown __read_only;
93697+kgid_t grsec_symlinkown_gid __read_only;
93698+int grsec_enable_brute __read_only;
93699+int grsec_enable_link __read_only;
93700+int grsec_enable_dmesg __read_only;
93701+int grsec_enable_harden_ptrace __read_only;
93702+int grsec_enable_harden_ipc __read_only;
93703+int grsec_enable_fifo __read_only;
93704+int grsec_enable_execlog __read_only;
93705+int grsec_enable_signal __read_only;
93706+int grsec_enable_forkfail __read_only;
93707+int grsec_enable_audit_ptrace __read_only;
93708+int grsec_enable_time __read_only;
93709+int grsec_enable_group __read_only;
93710+kgid_t grsec_audit_gid __read_only;
93711+int grsec_enable_chdir __read_only;
93712+int grsec_enable_mount __read_only;
93713+int grsec_enable_rofs __read_only;
93714+int grsec_deny_new_usb __read_only;
93715+int grsec_enable_chroot_findtask __read_only;
93716+int grsec_enable_chroot_mount __read_only;
93717+int grsec_enable_chroot_shmat __read_only;
93718+int grsec_enable_chroot_fchdir __read_only;
93719+int grsec_enable_chroot_double __read_only;
93720+int grsec_enable_chroot_pivot __read_only;
93721+int grsec_enable_chroot_chdir __read_only;
93722+int grsec_enable_chroot_chmod __read_only;
93723+int grsec_enable_chroot_mknod __read_only;
93724+int grsec_enable_chroot_nice __read_only;
93725+int grsec_enable_chroot_execlog __read_only;
93726+int grsec_enable_chroot_caps __read_only;
93727+int grsec_enable_chroot_rename __read_only;
93728+int grsec_enable_chroot_sysctl __read_only;
93729+int grsec_enable_chroot_unix __read_only;
93730+int grsec_enable_tpe __read_only;
93731+kgid_t grsec_tpe_gid __read_only;
93732+int grsec_enable_blackhole __read_only;
93733+#ifdef CONFIG_IPV6_MODULE
93734+EXPORT_SYMBOL_GPL(grsec_enable_blackhole);
93735+#endif
93736+int grsec_lastack_retries __read_only;
93737+int grsec_enable_tpe_all __read_only;
93738+int grsec_enable_tpe_invert __read_only;
93739+int grsec_enable_socket_all __read_only;
93740+kgid_t grsec_socket_all_gid __read_only;
93741+int grsec_enable_socket_client __read_only;
93742+kgid_t grsec_socket_client_gid __read_only;
93743+int grsec_enable_socket_server __read_only;
93744+kgid_t grsec_socket_server_gid __read_only;
93745+int grsec_resource_logging __read_only;
93746+int grsec_disable_privio __read_only;
93747+int grsec_enable_log_rwxmaps __read_only;
93748+int grsec_lock __read_only;
93749+
93750+DEFINE_SPINLOCK(grsec_alert_lock);
93751+unsigned long grsec_alert_wtime = 0;
93752+unsigned long grsec_alert_fyet = 0;
93753+
93754+DEFINE_SPINLOCK(grsec_audit_lock);
93755+
93756+DEFINE_RWLOCK(grsec_exec_file_lock);
93757+
93758+char *gr_shared_page[4];
93759+
93760+char *gr_alert_log_fmt;
93761+char *gr_audit_log_fmt;
93762+char *gr_alert_log_buf;
93763+char *gr_audit_log_buf;
93764+
93765+extern struct gr_arg *gr_usermode;
93766+extern unsigned char *gr_system_salt;
93767+extern unsigned char *gr_system_sum;
93768+
93769+void __init
93770+grsecurity_init(void)
93771+{
93772+ int j;
93773+ /* create the per-cpu shared pages */
93774+
93775+#ifdef CONFIG_X86
93776+ memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
93777+#endif
93778+
93779+ for (j = 0; j < 4; j++) {
93780+ gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
93781+ if (gr_shared_page[j] == NULL) {
93782+ panic("Unable to allocate grsecurity shared page");
93783+ return;
93784+ }
93785+ }
93786+
93787+ /* allocate log buffers */
93788+ gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
93789+ if (!gr_alert_log_fmt) {
93790+ panic("Unable to allocate grsecurity alert log format buffer");
93791+ return;
93792+ }
93793+ gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
93794+ if (!gr_audit_log_fmt) {
93795+ panic("Unable to allocate grsecurity audit log format buffer");
93796+ return;
93797+ }
93798+ gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
93799+ if (!gr_alert_log_buf) {
93800+ panic("Unable to allocate grsecurity alert log buffer");
93801+ return;
93802+ }
93803+ gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
93804+ if (!gr_audit_log_buf) {
93805+ panic("Unable to allocate grsecurity audit log buffer");
93806+ return;
93807+ }
93808+
93809+ /* allocate memory for authentication structure */
93810+ gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
93811+ gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
93812+ gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
93813+
93814+ if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
93815+ panic("Unable to allocate grsecurity authentication structure");
93816+ return;
93817+ }
93818+
93819+#ifdef CONFIG_GRKERNSEC_IO
93820+#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
93821+ grsec_disable_privio = 1;
93822+#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
93823+ grsec_disable_privio = 1;
93824+#else
93825+ grsec_disable_privio = 0;
93826+#endif
93827+#endif
93828+
93829+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
93830+ /* for backward compatibility, tpe_invert always defaults to on if
93831+ enabled in the kernel
93832+ */
93833+ grsec_enable_tpe_invert = 1;
93834+#endif
93835+
93836+#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
93837+#ifndef CONFIG_GRKERNSEC_SYSCTL
93838+ grsec_lock = 1;
93839+#endif
93840+
93841+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
93842+ grsec_enable_log_rwxmaps = 1;
93843+#endif
93844+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
93845+ grsec_enable_group = 1;
93846+ grsec_audit_gid = KGIDT_INIT(CONFIG_GRKERNSEC_AUDIT_GID);
93847+#endif
93848+#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
93849+ grsec_enable_ptrace_readexec = 1;
93850+#endif
93851+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
93852+ grsec_enable_chdir = 1;
93853+#endif
93854+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
93855+ grsec_enable_harden_ptrace = 1;
93856+#endif
93857+#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
93858+ grsec_enable_harden_ipc = 1;
93859+#endif
93860+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
93861+ grsec_enable_mount = 1;
93862+#endif
93863+#ifdef CONFIG_GRKERNSEC_LINK
93864+ grsec_enable_link = 1;
93865+#endif
93866+#ifdef CONFIG_GRKERNSEC_BRUTE
93867+ grsec_enable_brute = 1;
93868+#endif
93869+#ifdef CONFIG_GRKERNSEC_DMESG
93870+ grsec_enable_dmesg = 1;
93871+#endif
93872+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
93873+ grsec_enable_blackhole = 1;
93874+ grsec_lastack_retries = 4;
93875+#endif
93876+#ifdef CONFIG_GRKERNSEC_FIFO
93877+ grsec_enable_fifo = 1;
93878+#endif
93879+#ifdef CONFIG_GRKERNSEC_EXECLOG
93880+ grsec_enable_execlog = 1;
93881+#endif
93882+#ifdef CONFIG_GRKERNSEC_SETXID
93883+ grsec_enable_setxid = 1;
93884+#endif
93885+#ifdef CONFIG_GRKERNSEC_SIGNAL
93886+ grsec_enable_signal = 1;
93887+#endif
93888+#ifdef CONFIG_GRKERNSEC_FORKFAIL
93889+ grsec_enable_forkfail = 1;
93890+#endif
93891+#ifdef CONFIG_GRKERNSEC_TIME
93892+ grsec_enable_time = 1;
93893+#endif
93894+#ifdef CONFIG_GRKERNSEC_RESLOG
93895+ grsec_resource_logging = 1;
93896+#endif
93897+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
93898+ grsec_enable_chroot_findtask = 1;
93899+#endif
93900+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
93901+ grsec_enable_chroot_unix = 1;
93902+#endif
93903+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
93904+ grsec_enable_chroot_mount = 1;
93905+#endif
93906+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
93907+ grsec_enable_chroot_fchdir = 1;
93908+#endif
93909+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
93910+ grsec_enable_chroot_shmat = 1;
93911+#endif
93912+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
93913+ grsec_enable_audit_ptrace = 1;
93914+#endif
93915+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
93916+ grsec_enable_chroot_double = 1;
93917+#endif
93918+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
93919+ grsec_enable_chroot_pivot = 1;
93920+#endif
93921+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
93922+ grsec_enable_chroot_chdir = 1;
93923+#endif
93924+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
93925+ grsec_enable_chroot_chmod = 1;
93926+#endif
93927+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
93928+ grsec_enable_chroot_mknod = 1;
93929+#endif
93930+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
93931+ grsec_enable_chroot_nice = 1;
93932+#endif
93933+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
93934+ grsec_enable_chroot_execlog = 1;
93935+#endif
93936+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
93937+ grsec_enable_chroot_caps = 1;
93938+#endif
93939+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
93940+ grsec_enable_chroot_rename = 1;
93941+#endif
93942+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
93943+ grsec_enable_chroot_sysctl = 1;
93944+#endif
93945+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
93946+ grsec_enable_symlinkown = 1;
93947+ grsec_symlinkown_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SYMLINKOWN_GID);
93948+#endif
93949+#ifdef CONFIG_GRKERNSEC_TPE
93950+ grsec_enable_tpe = 1;
93951+ grsec_tpe_gid = KGIDT_INIT(CONFIG_GRKERNSEC_TPE_GID);
93952+#ifdef CONFIG_GRKERNSEC_TPE_ALL
93953+ grsec_enable_tpe_all = 1;
93954+#endif
93955+#endif
93956+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
93957+ grsec_enable_socket_all = 1;
93958+ grsec_socket_all_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_ALL_GID);
93959+#endif
93960+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
93961+ grsec_enable_socket_client = 1;
93962+ grsec_socket_client_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_CLIENT_GID);
93963+#endif
93964+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
93965+ grsec_enable_socket_server = 1;
93966+ grsec_socket_server_gid = KGIDT_INIT(CONFIG_GRKERNSEC_SOCKET_SERVER_GID);
93967+#endif
93968+#endif
93969+#ifdef CONFIG_GRKERNSEC_DENYUSB_FORCE
93970+ grsec_deny_new_usb = 1;
93971+#endif
93972+
93973+ return;
93974+}
93975diff --git a/grsecurity/grsec_ipc.c b/grsecurity/grsec_ipc.c
93976new file mode 100644
93977index 0000000..1773300
93978--- /dev/null
93979+++ b/grsecurity/grsec_ipc.c
93980@@ -0,0 +1,48 @@
93981+#include <linux/kernel.h>
93982+#include <linux/mm.h>
93983+#include <linux/sched.h>
93984+#include <linux/file.h>
93985+#include <linux/ipc.h>
93986+#include <linux/ipc_namespace.h>
93987+#include <linux/grsecurity.h>
93988+#include <linux/grinternal.h>
93989+
93990+int
93991+gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, int requested_mode, int granted_mode)
93992+{
93993+#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
93994+ int write;
93995+ int orig_granted_mode;
93996+ kuid_t euid;
93997+ kgid_t egid;
93998+
93999+ if (!grsec_enable_harden_ipc)
94000+ return 1;
94001+
94002+ euid = current_euid();
94003+ egid = current_egid();
94004+
94005+ write = requested_mode & 00002;
94006+ orig_granted_mode = ipcp->mode;
94007+
94008+ if (uid_eq(euid, ipcp->cuid) || uid_eq(euid, ipcp->uid))
94009+ orig_granted_mode >>= 6;
94010+ else {
94011+ /* if likely wrong permissions, lock to user */
94012+ if (orig_granted_mode & 0007)
94013+ orig_granted_mode = 0;
94014+ /* otherwise do a egid-only check */
94015+ else if (gid_eq(egid, ipcp->cgid) || gid_eq(egid, ipcp->gid))
94016+ orig_granted_mode >>= 3;
94017+ /* otherwise, no access */
94018+ else
94019+ orig_granted_mode = 0;
94020+ }
94021+ if (!(requested_mode & ~granted_mode & 0007) && (requested_mode & ~orig_granted_mode & 0007) &&
94022+ !ns_capable_nolog(ns->user_ns, CAP_IPC_OWNER)) {
94023+ gr_log_str_int(GR_DONT_AUDIT, GR_IPC_DENIED_MSG, write ? "write" : "read", GR_GLOBAL_UID(ipcp->cuid));
94024+ return 0;
94025+ }
94026+#endif
94027+ return 1;
94028+}
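Review bot: gr_ipc_permitted returns 1 to allow and 0 to deny, the reverse of the 0 / -EACCES convention used by gr_handle_fifo and gr_handle_follow_link elsewhere in this patch, and nothing at the definition says so. A header comment such as `/* returns 1 if access is permitted, 0 if denied; granted_mode is compared in its low three bits only */` would protect callers from inverting the test. The bare octal masks `00002` and `0007` would read better as `S_IWOTH` and `S_IRWXO`, and the log line reports "write" for any request that includes the write bit, including read+write.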
94029diff --git a/grsecurity/grsec_link.c b/grsecurity/grsec_link.c
94030new file mode 100644
94031index 0000000..84c44a0
94032--- /dev/null
94033+++ b/grsecurity/grsec_link.c
94034@@ -0,0 +1,65 @@
94035+#include <linux/kernel.h>
94036+#include <linux/sched.h>
94037+#include <linux/fs.h>
94038+#include <linux/file.h>
94039+#include <linux/grinternal.h>
94040+
94041+int gr_get_symlinkown_enabled(void)
94042+{
94043+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
94044+ if (grsec_enable_symlinkown && in_group_p(grsec_symlinkown_gid))
94045+ return 1;
94046+#endif
94047+ return 0;
94048+}
94049+
94050+int gr_handle_symlink_owner(const struct path *link, const struct inode *target)
94051+{
94052+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
94053+ const struct inode *link_inode = d_backing_inode(link->dentry);
94054+
94055+ if (target && !uid_eq(link_inode->i_uid, target->i_uid)) {
94056+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINKOWNER_MSG, link->dentry, link->mnt, GR_GLOBAL_UID(link_inode->i_uid), GR_GLOBAL_UID(target->i_uid));
94057+ return 1;
94058+ }
94059+#endif
94060+ return 0;
94061+}
94062+
94063+int
94064+gr_handle_follow_link(const struct dentry *dentry, const struct vfsmount *mnt)
94065+{
94066+#ifdef CONFIG_GRKERNSEC_LINK
94067+ struct inode *inode = d_backing_inode(dentry);
94068+ struct inode *parent = d_backing_inode(dentry->d_parent);
94069+ const struct cred *cred = current_cred();
94070+
94071+ if (grsec_enable_link && d_is_symlink(dentry) &&
94072+ (parent->i_mode & S_ISVTX) && !uid_eq(parent->i_uid, inode->i_uid) &&
94073+ (parent->i_mode & S_IWOTH) && !uid_eq(cred->fsuid, inode->i_uid)) {
94074+ gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, GR_GLOBAL_UID(inode->i_uid), GR_GLOBAL_GID(inode->i_gid));
94075+ return -EACCES;
94076+ }
94077+#endif
94078+ return 0;
94079+}
94080+
94081+int
94082+gr_handle_hardlink(const struct dentry *dentry,
94083+ const struct vfsmount *mnt,
94084+ const struct filename *to)
94085+{
94086+#ifdef CONFIG_GRKERNSEC_LINK
94087+ struct inode *inode = d_backing_inode(dentry);
94088+ const struct cred *cred = current_cred();
94089+
94090+ if (grsec_enable_link && !uid_eq(cred->fsuid, inode->i_uid) &&
94091+ (!d_is_reg(dentry) || is_privileged_binary(dentry) ||
94092+ (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
94093+ !capable(CAP_FOWNER) && gr_is_global_nonroot(cred->uid)) {
94094+ gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, GR_GLOBAL_UID(inode->i_uid), GR_GLOBAL_GID(inode->i_gid), to->name);
94095+ return -EPERM;
94096+ }
94097+#endif
94098+ return 0;
94099+}
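Review bot: gr_handle_symlink_owner logs and returns 1 on any owner mismatch without consulting `grsec_enable_symlinkown` or `grsec_symlinkown_gid`, so it is only correct if every caller has already tested gr_get_symlinkown_enabled(). That contract should be written at the definition, e.g. `/* caller must have checked gr_get_symlinkown_enabled(); the sysctl and group are not re-tested here */`. The three handlers in this file also signal denial differently (1, -EACCES, -EPERM), which is worth a line of documentation on each. In gr_handle_follow_link, `dentry->d_parent` is read with no visible locking; whether that is safe depends on the caller's context, which this hunk does not show.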
94100diff --git a/grsecurity/grsec_log.c b/grsecurity/grsec_log.c
94101new file mode 100644
94102index 0000000..a24b338
94103--- /dev/null
94104+++ b/grsecurity/grsec_log.c
94105@@ -0,0 +1,340 @@
94106+#include <linux/kernel.h>
94107+#include <linux/sched.h>
94108+#include <linux/file.h>
94109+#include <linux/tty.h>
94110+#include <linux/fs.h>
94111+#include <linux/mm.h>
94112+#include <linux/grinternal.h>
94113+
94114+#ifdef CONFIG_TREE_PREEMPT_RCU
94115+#define DISABLE_PREEMPT() preempt_disable()
94116+#define ENABLE_PREEMPT() preempt_enable()
94117+#else
94118+#define DISABLE_PREEMPT()
94119+#define ENABLE_PREEMPT()
94120+#endif
94121+
94122+#define BEGIN_LOCKS(x) \
94123+ DISABLE_PREEMPT(); \
94124+ rcu_read_lock(); \
94125+ read_lock(&tasklist_lock); \
94126+ read_lock(&grsec_exec_file_lock); \
94127+ if (x != GR_DO_AUDIT) \
94128+ spin_lock(&grsec_alert_lock); \
94129+ else \
94130+ spin_lock(&grsec_audit_lock)
94131+
94132+#define END_LOCKS(x) \
94133+ if (x != GR_DO_AUDIT) \
94134+ spin_unlock(&grsec_alert_lock); \
94135+ else \
94136+ spin_unlock(&grsec_audit_lock); \
94137+ read_unlock(&grsec_exec_file_lock); \
94138+ read_unlock(&tasklist_lock); \
94139+ rcu_read_unlock(); \
94140+ ENABLE_PREEMPT(); \
94141+ if (x == GR_DONT_AUDIT) \
94142+ gr_handle_alertkill(current)
94143+
94144+enum {
94145+ FLOODING,
94146+ NO_FLOODING
94147+};
94148+
94149+extern char *gr_alert_log_fmt;
94150+extern char *gr_audit_log_fmt;
94151+extern char *gr_alert_log_buf;
94152+extern char *gr_audit_log_buf;
94153+
94154+static int gr_log_start(int audit)
94155+{
94156+ char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
94157+ char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
94158+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
94159+#if (CONFIG_GRKERNSEC_FLOODTIME > 0 && CONFIG_GRKERNSEC_FLOODBURST > 0)
94160+ unsigned long curr_secs = get_seconds();
94161+
94162+ if (audit == GR_DO_AUDIT)
94163+ goto set_fmt;
94164+
94165+ if (!grsec_alert_wtime || time_after(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)) {
94166+ grsec_alert_wtime = curr_secs;
94167+ grsec_alert_fyet = 0;
94168+ } else if (time_before_eq(curr_secs, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME)
94169+ && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
94170+ grsec_alert_fyet++;
94171+ } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
94172+ grsec_alert_wtime = curr_secs;
94173+ grsec_alert_fyet++;
94174+ printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
94175+ return FLOODING;
94176+ }
94177+ else return FLOODING;
94178+
94179+set_fmt:
94180+#endif
94181+ memset(buf, 0, PAGE_SIZE);
94182+ if (current->signal->curr_ip && gr_acl_is_enabled()) {
94183+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
94184+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
94185+ } else if (current->signal->curr_ip) {
94186+ sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
94187+ snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
94188+ } else if (gr_acl_is_enabled()) {
94189+ sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
94190+ snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
94191+ } else {
94192+ sprintf(fmt, "%s%s", loglevel, "grsec: ");
94193+ strcpy(buf, fmt);
94194+ }
94195+
94196+ return NO_FLOODING;
94197+}
94198+
94199+static void gr_log_middle(int audit, const char *msg, va_list ap)
94200+ __attribute__ ((format (printf, 2, 0)));
94201+
94202+static void gr_log_middle(int audit, const char *msg, va_list ap)
94203+{
94204+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
94205+ unsigned int len = strlen(buf);
94206+
94207+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
94208+
94209+ return;
94210+}
94211+
94212+static void gr_log_middle_varargs(int audit, const char *msg, ...)
94213+ __attribute__ ((format (printf, 2, 3)));
94214+
94215+static void gr_log_middle_varargs(int audit, const char *msg, ...)
94216+{
94217+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
94218+ unsigned int len = strlen(buf);
94219+ va_list ap;
94220+
94221+ va_start(ap, msg);
94222+ vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
94223+ va_end(ap);
94224+
94225+ return;
94226+}
94227+
94228+static void gr_log_end(int audit, int append_default)
94229+{
94230+ char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
94231+ if (append_default) {
94232+ struct task_struct *task = current;
94233+ struct task_struct *parent = task->real_parent;
94234+ const struct cred *cred = __task_cred(task);
94235+ const struct cred *pcred = __task_cred(parent);
94236+ unsigned int len = strlen(buf);
94237+
94238+ snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
94239+ }
94240+
94241+ printk("%s\n", buf);
94242+
94243+ return;
94244+}
94245+
94246+void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
94247+{
94248+ int logtype;
94249+ char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
94250+ char *str1 = NULL, *str2 = NULL, *str3 = NULL;
94251+ void *voidptr = NULL;
94252+ int num1 = 0, num2 = 0;
94253+ unsigned long ulong1 = 0, ulong2 = 0;
94254+ struct dentry *dentry = NULL;
94255+ struct vfsmount *mnt = NULL;
94256+ struct file *file = NULL;
94257+ struct task_struct *task = NULL;
94258+ struct vm_area_struct *vma = NULL;
94259+ const struct cred *cred, *pcred;
94260+ va_list ap;
94261+
94262+ BEGIN_LOCKS(audit);
94263+ logtype = gr_log_start(audit);
94264+ if (logtype == FLOODING) {
94265+ END_LOCKS(audit);
94266+ return;
94267+ }
94268+ va_start(ap, argtypes);
94269+ switch (argtypes) {
94270+ case GR_TTYSNIFF:
94271+ task = va_arg(ap, struct task_struct *);
94272+ gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task_pid_nr(task), gr_parent_task_fullpath0(task), task->real_parent->comm, task_pid_nr(task->real_parent));
94273+ break;
94274+ case GR_SYSCTL_HIDDEN:
94275+ str1 = va_arg(ap, char *);
94276+ gr_log_middle_varargs(audit, msg, result, str1);
94277+ break;
94278+ case GR_RBAC:
94279+ dentry = va_arg(ap, struct dentry *);
94280+ mnt = va_arg(ap, struct vfsmount *);
94281+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
94282+ break;
94283+ case GR_RBAC_STR:
94284+ dentry = va_arg(ap, struct dentry *);
94285+ mnt = va_arg(ap, struct vfsmount *);
94286+ str1 = va_arg(ap, char *);
94287+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
94288+ break;
94289+ case GR_STR_RBAC:
94290+ str1 = va_arg(ap, char *);
94291+ dentry = va_arg(ap, struct dentry *);
94292+ mnt = va_arg(ap, struct vfsmount *);
94293+ gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
94294+ break;
94295+ case GR_RBAC_MODE2:
94296+ dentry = va_arg(ap, struct dentry *);
94297+ mnt = va_arg(ap, struct vfsmount *);
94298+ str1 = va_arg(ap, char *);
94299+ str2 = va_arg(ap, char *);
94300+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
94301+ break;
94302+ case GR_RBAC_MODE3:
94303+ dentry = va_arg(ap, struct dentry *);
94304+ mnt = va_arg(ap, struct vfsmount *);
94305+ str1 = va_arg(ap, char *);
94306+ str2 = va_arg(ap, char *);
94307+ str3 = va_arg(ap, char *);
94308+ gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
94309+ break;
94310+ case GR_FILENAME:
94311+ dentry = va_arg(ap, struct dentry *);
94312+ mnt = va_arg(ap, struct vfsmount *);
94313+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
94314+ break;
94315+ case GR_STR_FILENAME:
94316+ str1 = va_arg(ap, char *);
94317+ dentry = va_arg(ap, struct dentry *);
94318+ mnt = va_arg(ap, struct vfsmount *);
94319+ gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
94320+ break;
94321+ case GR_FILENAME_STR:
94322+ dentry = va_arg(ap, struct dentry *);
94323+ mnt = va_arg(ap, struct vfsmount *);
94324+ str1 = va_arg(ap, char *);
94325+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
94326+ break;
94327+ case GR_FILENAME_TWO_INT:
94328+ dentry = va_arg(ap, struct dentry *);
94329+ mnt = va_arg(ap, struct vfsmount *);
94330+ num1 = va_arg(ap, int);
94331+ num2 = va_arg(ap, int);
94332+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
94333+ break;
94334+ case GR_FILENAME_TWO_INT_STR:
94335+ dentry = va_arg(ap, struct dentry *);
94336+ mnt = va_arg(ap, struct vfsmount *);
94337+ num1 = va_arg(ap, int);
94338+ num2 = va_arg(ap, int);
94339+ str1 = va_arg(ap, char *);
94340+ gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
94341+ break;
94342+ case GR_TEXTREL:
94343+ str1 = va_arg(ap, char *);
94344+ file = va_arg(ap, struct file *);
94345+ ulong1 = va_arg(ap, unsigned long);
94346+ ulong2 = va_arg(ap, unsigned long);
94347+ gr_log_middle_varargs(audit, msg, str1, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
94348+ break;
94349+ case GR_PTRACE:
94350+ task = va_arg(ap, struct task_struct *);
94351+ gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task_pid_nr(task));
94352+ break;
94353+ case GR_RESOURCE:
94354+ task = va_arg(ap, struct task_struct *);
94355+ cred = __task_cred(task);
94356+ pcred = __task_cred(task->real_parent);
94357+ ulong1 = va_arg(ap, unsigned long);
94358+ str1 = va_arg(ap, char *);
94359+ ulong2 = va_arg(ap, unsigned long);
94360+ gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
94361+ break;
94362+ case GR_CAP:
94363+ task = va_arg(ap, struct task_struct *);
94364+ cred = __task_cred(task);
94365+ pcred = __task_cred(task->real_parent);
94366+ str1 = va_arg(ap, char *);
94367+ gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
94368+ break;
94369+ case GR_SIG:
94370+ str1 = va_arg(ap, char *);
94371+ voidptr = va_arg(ap, void *);
94372+ gr_log_middle_varargs(audit, msg, str1, voidptr);
94373+ break;
94374+ case GR_SIG2:
94375+ task = va_arg(ap, struct task_struct *);
94376+ cred = __task_cred(task);
94377+ pcred = __task_cred(task->real_parent);
94378+ num1 = va_arg(ap, int);
94379+ gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath0(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
94380+ break;
94381+ case GR_CRASH1:
94382+ task = va_arg(ap, struct task_struct *);
94383+ cred = __task_cred(task);
94384+ pcred = __task_cred(task->real_parent);
94385+ ulong1 = va_arg(ap, unsigned long);
94386+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid), GR_GLOBAL_UID(cred->uid), ulong1);
94387+ break;
94388+ case GR_CRASH2:
94389+ task = va_arg(ap, struct task_struct *);
94390+ cred = __task_cred(task);
94391+ pcred = __task_cred(task->real_parent);
94392+ ulong1 = va_arg(ap, unsigned long);
94393+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid), ulong1);
94394+ break;
94395+ case GR_RWXMAP:
94396+ file = va_arg(ap, struct file *);
94397+ gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
94398+ break;
94399+ case GR_RWXMAPVMA:
94400+ vma = va_arg(ap, struct vm_area_struct *);
94401+ if (vma->vm_file)
94402+ str1 = gr_to_filename(vma->vm_file->f_path.dentry, vma->vm_file->f_path.mnt);
94403+ else if (vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP))
94404+ str1 = "<stack>";
94405+ else if (vma->vm_start <= current->mm->brk &&
94406+ vma->vm_end >= current->mm->start_brk)
94407+ str1 = "<heap>";
94408+ else
94409+ str1 = "<anonymous mapping>";
94410+ gr_log_middle_varargs(audit, msg, str1);
94411+ break;
94412+ case GR_PSACCT:
94413+ {
94414+ unsigned int wday, cday;
94415+ __u8 whr, chr;
94416+ __u8 wmin, cmin;
94417+ __u8 wsec, csec;
94418+
94419+ task = va_arg(ap, struct task_struct *);
94420+ wday = va_arg(ap, unsigned int);
94421+ cday = va_arg(ap, unsigned int);
94422+ whr = va_arg(ap, int);
94423+ chr = va_arg(ap, int);
94424+ wmin = va_arg(ap, int);
94425+ cmin = va_arg(ap, int);
94426+ wsec = va_arg(ap, int);
94427+ csec = va_arg(ap, int);
94428+ ulong1 = va_arg(ap, unsigned long);
94429+ cred = __task_cred(task);
94430+ pcred = __task_cred(task->real_parent);
94431+
94432+ gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task_pid_nr(task), &task->signal->curr_ip, tty_name(task->signal->tty), GR_GLOBAL_UID(cred->uid), GR_GLOBAL_UID(cred->euid), GR_GLOBAL_GID(cred->gid), GR_GLOBAL_GID(cred->egid), wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task_pid_nr(task->real_parent), &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty), GR_GLOBAL_UID(pcred->uid), GR_GLOBAL_UID(pcred->euid), GR_GLOBAL_GID(pcred->gid), GR_GLOBAL_GID(pcred->egid));
94433+ }
94434+ break;
94435+ default:
94436+ gr_log_middle(audit, msg, ap);
94437+ }
94438+ va_end(ap);
94439+ // these don't need DEFAULTSECARGS printed on the end
94440+ if (argtypes == GR_CRASH1 || argtypes == GR_CRASH2)
94441+ gr_log_end(audit, 0);
94442+ else
94443+ gr_log_end(audit, 1);
94444+ END_LOCKS(audit);
94445+}
94446diff --git a/grsecurity/grsec_mem.c b/grsecurity/grsec_mem.c
94447new file mode 100644
94448index 0000000..0e39d8c
94449--- /dev/null
94450+++ b/grsecurity/grsec_mem.c
94451@@ -0,0 +1,48 @@
94452+#include <linux/kernel.h>
94453+#include <linux/sched.h>
94454+#include <linux/mm.h>
94455+#include <linux/mman.h>
94456+#include <linux/module.h>
94457+#include <linux/grinternal.h>
94458+
94459+void gr_handle_msr_write(void)
94460+{
94461+ gr_log_noargs(GR_DONT_AUDIT, GR_MSRWRITE_MSG);
94462+ return;
94463+}
94464+EXPORT_SYMBOL_GPL(gr_handle_msr_write);
94465+
94466+void
94467+gr_handle_ioperm(void)
94468+{
94469+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
94470+ return;
94471+}
94472+
94473+void
94474+gr_handle_iopl(void)
94475+{
94476+ gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
94477+ return;
94478+}
94479+
94480+void
94481+gr_handle_mem_readwrite(u64 from, u64 to)
94482+{
94483+ gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
94484+ return;
94485+}
94486+
94487+void
94488+gr_handle_vm86(void)
94489+{
94490+ gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
94491+ return;
94492+}
94493+
94494+void
94495+gr_log_badprocpid(const char *entry)
94496+{
94497+ gr_log_str(GR_DONT_AUDIT, GR_BADPROCPID_MSG, entry);
94498+ return;
94499+}
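Review bot: The gr_handle_* functions in this new file return void and only emit a log line, while the gr_handle_rofs_* helpers added in grsec_mount.c return -EPERM to refuse the operation, and nothing here says which side enforces. A short file-level comment would settle it, e.g. `/* Logging only: these record the attempt; the decision to refuse it is made by the caller. */`. The callers are outside this hunk, so that wording should be confirmed against them. The trailing `return;` in each void function can also be dropped.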
94500diff --git a/grsecurity/grsec_mount.c b/grsecurity/grsec_mount.c
94501new file mode 100644
94502index 0000000..fe02bf4
94503--- /dev/null
94504+++ b/grsecurity/grsec_mount.c
94505@@ -0,0 +1,65 @@
94506+#include <linux/kernel.h>
94507+#include <linux/sched.h>
94508+#include <linux/mount.h>
94509+#include <linux/major.h>
94510+#include <linux/grsecurity.h>
94511+#include <linux/grinternal.h>
94512+
94513+void
94514+gr_log_remount(const char *devname, const int retval)
94515+{
94516+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
94517+ if (grsec_enable_mount && (retval >= 0))
94518+ gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
94519+#endif
94520+ return;
94521+}
94522+
94523+void
94524+gr_log_unmount(const char *devname, const int retval)
94525+{
94526+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
94527+ if (grsec_enable_mount && (retval >= 0))
94528+ gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
94529+#endif
94530+ return;
94531+}
94532+
94533+void
94534+gr_log_mount(const char *from, struct path *to, const int retval)
94535+{
94536+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
94537+ if (grsec_enable_mount && (retval >= 0))
94538+ gr_log_str_fs(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to->dentry, to->mnt);
94539+#endif
94540+ return;
94541+}
94542+
94543+int
94544+gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
94545+{
94546+#ifdef CONFIG_GRKERNSEC_ROFS
94547+ if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
94548+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
94549+ return -EPERM;
94550+ } else
94551+ return 0;
94552+#endif
94553+ return 0;
94554+}
94555+
94556+int
94557+gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
94558+{
94559+#ifdef CONFIG_GRKERNSEC_ROFS
94560+ struct inode *inode = d_backing_inode(dentry);
94561+
94562+ if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
94563+ inode && (S_ISBLK(inode->i_mode) || (S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR))) {
94564+ gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
94565+ return -EPERM;
94566+ } else
94567+ return 0;
94568+#endif
94569+ return 0;
94570+}
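Review bot: In gr_handle_rofs_blockwrite the test `S_ISCHR(inode->i_mode) && imajor(inode) == RAW_MAJOR` does not explain why one character-device major is treated like a block device. A comment above the condition, such as `/* raw char devices are bound to block devices, so a write through them reaches the disk as well */`, would record the intent, assuming that is the author's reasoning. Separately, in both gr_handle_rofs_* functions the `else return 0;` branch makes the `return 0;` after `#endif` unreachable when CONFIG_GRKERNSEC_ROFS is set. Dropping the `else` leaves a single exit path.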
94571diff --git a/grsecurity/grsec_pax.c b/grsecurity/grsec_pax.c
94572new file mode 100644
94573index 0000000..2ad7b96
94574--- /dev/null
94575+++ b/grsecurity/grsec_pax.c
94576@@ -0,0 +1,47 @@
94577+#include <linux/kernel.h>
94578+#include <linux/sched.h>
94579+#include <linux/mm.h>
94580+#include <linux/file.h>
94581+#include <linux/grinternal.h>
94582+#include <linux/grsecurity.h>
94583+
94584+void
94585+gr_log_textrel(struct vm_area_struct * vma, bool is_textrel_rw)
94586+{
94587+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
94588+ if (grsec_enable_log_rwxmaps)
94589+ gr_log_textrel_ulong_ulong(GR_DONT_AUDIT, GR_TEXTREL_AUDIT_MSG,
94590+ is_textrel_rw ? "executable to writable" : "writable to executable",
94591+ vma->vm_file, vma->vm_start, vma->vm_pgoff);
94592+#endif
94593+ return;
94594+}
94595+
94596+void gr_log_ptgnustack(struct file *file)
94597+{
94598+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
94599+ if (grsec_enable_log_rwxmaps)
94600+ gr_log_rwxmap(GR_DONT_AUDIT, GR_PTGNUSTACK_MSG, file);
94601+#endif
94602+ return;
94603+}
94604+
94605+void
94606+gr_log_rwxmmap(struct file *file)
94607+{
94608+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
94609+ if (grsec_enable_log_rwxmaps)
94610+ gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
94611+#endif
94612+ return;
94613+}
94614+
94615+void
94616+gr_log_rwxmprotect(struct vm_area_struct *vma)
94617+{
94618+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
94619+ if (grsec_enable_log_rwxmaps)
94620+ gr_log_rwxmap_vma(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, vma);
94621+#endif
94622+ return;
94623+}
94624diff --git a/grsecurity/grsec_proc.c b/grsecurity/grsec_proc.c
94625new file mode 100644
94626index 0000000..2005a3a
94627--- /dev/null
94628+++ b/grsecurity/grsec_proc.c
94629@@ -0,0 +1,20 @@
94630+#include <linux/kernel.h>
94631+#include <linux/sched.h>
94632+#include <linux/grsecurity.h>
94633+#include <linux/grinternal.h>
94634+
94635+int gr_proc_is_restricted(void)
94636+{
94637+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
94638+ const struct cred *cred = current_cred();
94639+#endif
94640+
94641+#ifdef CONFIG_GRKERNSEC_PROC_USER
94642+ if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID))
94643+ return -EACCES;
94644+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
94645+ if (!uid_eq(cred->fsuid, GLOBAL_ROOT_UID) && !in_group_p(grsec_proc_gid))
94646+ return -EACCES;
94647+#endif
94648+ return 0;
94649+}
94650diff --git a/grsecurity/grsec_ptrace.c b/grsecurity/grsec_ptrace.c
94651new file mode 100644
94652index 0000000..304c518
94653--- /dev/null
94654+++ b/grsecurity/grsec_ptrace.c
94655@@ -0,0 +1,30 @@
94656+#include <linux/kernel.h>
94657+#include <linux/sched.h>
94658+#include <linux/grinternal.h>
94659+#include <linux/security.h>
94660+
94661+void
94662+gr_audit_ptrace(struct task_struct *task)
94663+{
94664+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
94665+ if (grsec_enable_audit_ptrace)
94666+ gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
94667+#endif
94668+ return;
94669+}
94670+
94671+int
94672+gr_ptrace_readexec(struct file *file, int unsafe_flags)
94673+{
94674+#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
94675+ const struct dentry *dentry = file->f_path.dentry;
94676+ const struct vfsmount *mnt = file->f_path.mnt;
94677+
94678+ if (grsec_enable_ptrace_readexec && (unsafe_flags & LSM_UNSAFE_PTRACE) &&
94679+ (inode_permission(d_backing_inode(dentry), MAY_READ) || !gr_acl_handle_open(dentry, mnt, MAY_READ))) {
94680+ gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_READEXEC_MSG, dentry, mnt);
94681+ return -EACCES;
94682+ }
94683+#endif
94684+ return 0;
94685+}
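Review bot: The condition in gr_ptrace_readexec mixes two return conventions without comment: `inode_permission(...)` is used as non-zero-on-denial, while `!gr_acl_handle_open(...)` treats zero as denial. A one-line comment such as `/* refuse when the binary is not readable: inode_permission() != 0, or the ACL open check grants nothing (returns 0) */` would keep a later edit from inverting one half of the check. The ACL helper is defined outside this hunk, so its convention is inferred only from how it is negated here.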
94686diff --git a/grsecurity/grsec_sig.c b/grsecurity/grsec_sig.c
94687new file mode 100644
94688index 0000000..3860c7e
94689--- /dev/null
94690+++ b/grsecurity/grsec_sig.c
94691@@ -0,0 +1,236 @@
94692+#include <linux/kernel.h>
94693+#include <linux/sched.h>
94694+#include <linux/fs.h>
94695+#include <linux/delay.h>
94696+#include <linux/grsecurity.h>
94697+#include <linux/grinternal.h>
94698+#include <linux/hardirq.h>
94699+
94700+char *signames[] = {
94701+ [SIGSEGV] = "Segmentation fault",
94702+ [SIGILL] = "Illegal instruction",
94703+ [SIGABRT] = "Abort",
94704+ [SIGBUS] = "Invalid alignment/Bus error"
94705+};
94706+
94707+void
94708+gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
94709+{
94710+#ifdef CONFIG_GRKERNSEC_SIGNAL
94711+ if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
94712+ (sig == SIGABRT) || (sig == SIGBUS))) {
94713+ if (task_pid_nr(t) == task_pid_nr(current)) {
94714+ gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
94715+ } else {
94716+ gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
94717+ }
94718+ }
94719+#endif
94720+ return;
94721+}
94722+
94723+int
94724+gr_handle_signal(const struct task_struct *p, const int sig)
94725+{
94726+#ifdef CONFIG_GRKERNSEC
94727+ /* ignore the 0 signal for protected task checks */
94728+ if (task_pid_nr(current) > 1 && sig && gr_check_protected_task(p)) {
94729+ gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
94730+ return -EPERM;
94731+ } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
94732+ return -EPERM;
94733+ }
94734+#endif
94735+ return 0;
94736+}
94737+
94738+#ifdef CONFIG_GRKERNSEC
94739+extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
94740+
94741+int gr_fake_force_sig(int sig, struct task_struct *t)
94742+{
94743+ unsigned long int flags;
94744+ int ret, blocked, ignored;
94745+ struct k_sigaction *action;
94746+
94747+ spin_lock_irqsave(&t->sighand->siglock, flags);
94748+ action = &t->sighand->action[sig-1];
94749+ ignored = action->sa.sa_handler == SIG_IGN;
94750+ blocked = sigismember(&t->blocked, sig);
94751+ if (blocked || ignored) {
94752+ action->sa.sa_handler = SIG_DFL;
94753+ if (blocked) {
94754+ sigdelset(&t->blocked, sig);
94755+ recalc_sigpending_and_wake(t);
94756+ }
94757+ }
94758+ if (action->sa.sa_handler == SIG_DFL)
94759+ t->signal->flags &= ~SIGNAL_UNKILLABLE;
94760+ ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
94761+
94762+ spin_unlock_irqrestore(&t->sighand->siglock, flags);
94763+
94764+ return ret;
94765+}
94766+#endif
94767+
94768+#define GR_USER_BAN_TIME (15 * 60)
94769+#define GR_DAEMON_BRUTE_TIME (30 * 60)
94770+
94771+void gr_handle_brute_attach(int dumpable)
94772+{
94773+#ifdef CONFIG_GRKERNSEC_BRUTE
94774+ struct task_struct *p = current;
94775+ kuid_t uid = GLOBAL_ROOT_UID;
94776+ int daemon = 0;
94777+
94778+ if (!grsec_enable_brute)
94779+ return;
94780+
94781+ rcu_read_lock();
94782+ read_lock(&tasklist_lock);
94783+ read_lock(&grsec_exec_file_lock);
94784+ if (p->real_parent && gr_is_same_file(p->real_parent->exec_file, p->exec_file)) {
94785+ p->real_parent->brute_expires = get_seconds() + GR_DAEMON_BRUTE_TIME;
94786+ p->real_parent->brute = 1;
94787+ daemon = 1;
94788+ } else {
94789+ const struct cred *cred = __task_cred(p), *cred2;
94790+ struct task_struct *tsk, *tsk2;
94791+
94792+ if (dumpable != SUID_DUMP_USER && gr_is_global_nonroot(cred->uid)) {
94793+ struct user_struct *user;
94794+
94795+ uid = cred->uid;
94796+
94797+ /* this is put upon execution past expiration */
94798+ user = find_user(uid);
94799+ if (user == NULL)
94800+ goto unlock;
94801+ user->suid_banned = 1;
94802+ user->suid_ban_expires = get_seconds() + GR_USER_BAN_TIME;
94803+ if (user->suid_ban_expires == ~0UL)
94804+ user->suid_ban_expires--;
94805+
94806+ /* only kill other threads of the same binary, from the same user */
94807+ do_each_thread(tsk2, tsk) {
94808+ cred2 = __task_cred(tsk);
94809+ if (tsk != p && uid_eq(cred2->uid, uid) && gr_is_same_file(tsk->exec_file, p->exec_file))
94810+ gr_fake_force_sig(SIGKILL, tsk);
94811+ } while_each_thread(tsk2, tsk);
94812+ }
94813+ }
94814+unlock:
94815+ read_unlock(&grsec_exec_file_lock);
94816+ read_unlock(&tasklist_lock);
94817+ rcu_read_unlock();
94818+
94819+ if (gr_is_global_nonroot(uid))
94820+ gr_log_fs_int2(GR_DONT_AUDIT, GR_BRUTE_SUID_MSG, p->exec_file->f_path.dentry, p->exec_file->f_path.mnt, GR_GLOBAL_UID(uid), GR_USER_BAN_TIME / 60);
94821+ else if (daemon)
94822+ gr_log_noargs(GR_DONT_AUDIT, GR_BRUTE_DAEMON_MSG);
94823+
94824+#endif
94825+ return;
94826+}
94827+
94828+void gr_handle_brute_check(void)
94829+{
94830+#ifdef CONFIG_GRKERNSEC_BRUTE
94831+ struct task_struct *p = current;
94832+
94833+ if (unlikely(p->brute)) {
94834+ if (!grsec_enable_brute)
94835+ p->brute = 0;
94836+ else if (time_before(get_seconds(), p->brute_expires))
94837+ msleep(30 * 1000);
94838+ }
94839+#endif
94840+ return;
94841+}
94842+
94843+void gr_handle_kernel_exploit(void)
94844+{
94845+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
94846+ const struct cred *cred;
94847+ struct task_struct *tsk, *tsk2;
94848+ struct user_struct *user;
94849+ kuid_t uid;
94850+
94851+ if (in_irq() || in_serving_softirq() || in_nmi())
94852+ panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
94853+
94854+ uid = current_uid();
94855+
94856+ if (gr_is_global_root(uid))
94857+ panic("grsec: halting the system due to suspicious kernel crash caused by root");
94858+ else {
94859+ /* kill all the processes of this user, hold a reference
94860+ to their creds struct, and prevent them from creating
94861+ another process until system reset
94862+ */
94863+ printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n",
94864+ GR_GLOBAL_UID(uid));
94865+ /* we intentionally leak this ref */
94866+ user = get_uid(current->cred->user);
94867+ if (user)
94868+ user->kernel_banned = 1;
94869+
94870+ /* kill all processes of this user */
94871+ read_lock(&tasklist_lock);
94872+ do_each_thread(tsk2, tsk) {
94873+ cred = __task_cred(tsk);
94874+ if (uid_eq(cred->uid, uid))
94875+ gr_fake_force_sig(SIGKILL, tsk);
94876+ } while_each_thread(tsk2, tsk);
94877+ read_unlock(&tasklist_lock);
94878+ }
94879+#endif
94880+}
94881+
94882+#ifdef CONFIG_GRKERNSEC_BRUTE
94883+static bool suid_ban_expired(struct user_struct *user)
94884+{
94885+ if (user->suid_ban_expires != ~0UL && time_after_eq(get_seconds(), user->suid_ban_expires)) {
94886+ user->suid_banned = 0;
94887+ user->suid_ban_expires = 0;
94888+ free_uid(user);
94889+ return true;
94890+ }
94891+
94892+ return false;
94893+}
94894+#endif
94895+
94896+int gr_process_kernel_exec_ban(void)
94897+{
94898+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
94899+ if (unlikely(current->cred->user->kernel_banned))
94900+ return -EPERM;
94901+#endif
94902+ return 0;
94903+}
94904+
94905+int gr_process_kernel_setuid_ban(struct user_struct *user)
94906+{
94907+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
94908+ if (unlikely(user->kernel_banned))
94909+ gr_fake_force_sig(SIGKILL, current);
94910+#endif
94911+ return 0;
94912+}
94913+
94914+int gr_process_suid_exec_ban(const struct linux_binprm *bprm)
94915+{
94916+#ifdef CONFIG_GRKERNSEC_BRUTE
94917+ struct user_struct *user = current->cred->user;
94918+ if (unlikely(user->suid_banned)) {
94919+ if (suid_ban_expired(user))
94920+ return 0;
94921+ /* disallow execution of suid binaries only */
94922+ else if (!uid_eq(bprm->cred->euid, current->cred->uid))
94923+ return -EPERM;
94924+ }
94925+#endif
94926+ return 0;
94927+}
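Review bot: In gr_handle_brute_attach, `find_user(uid)` takes a reference on every call, but suid_ban_expired() releases only one with `free_uid(user)` when the ban lapses. If another qualifying crash arrives for the same uid while `user->suid_banned` is already set, the extra reference is never dropped and the user_struct stays pinned. Releasing the new reference when a ban is already active, e.g. `if (user->suid_banned) free_uid(user); else user->suid_banned = 1;` before refreshing `suid_ban_expires`, would keep the count balanced; check this against the locks held at that point. The log call after the `unlock:` label also reads `p->exec_file->f_path` with no NULL test and after `grsec_exec_file_lock` is released, whereas the GR_PTRACE logging path tests `task->exec_file` first.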
94928diff --git a/grsecurity/grsec_sock.c b/grsecurity/grsec_sock.c
94929new file mode 100644
94930index 0000000..a523bd2
94931--- /dev/null
94932+++ b/grsecurity/grsec_sock.c
94933@@ -0,0 +1,244 @@
94934+#include <linux/kernel.h>
94935+#include <linux/module.h>
94936+#include <linux/sched.h>
94937+#include <linux/file.h>
94938+#include <linux/net.h>
94939+#include <linux/in.h>
94940+#include <linux/ip.h>
94941+#include <net/sock.h>
94942+#include <net/inet_sock.h>
94943+#include <linux/grsecurity.h>
94944+#include <linux/grinternal.h>
94945+#include <linux/gracl.h>
94946+
94947+extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
94948+extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
94949+
94950+EXPORT_SYMBOL_GPL(gr_search_udp_recvmsg);
94951+EXPORT_SYMBOL_GPL(gr_search_udp_sendmsg);
94952+
94953+#ifdef CONFIG_UNIX_MODULE
94954+EXPORT_SYMBOL_GPL(gr_acl_handle_unix);
94955+EXPORT_SYMBOL_GPL(gr_acl_handle_mknod);
94956+EXPORT_SYMBOL_GPL(gr_handle_chroot_unix);
94957+EXPORT_SYMBOL_GPL(gr_handle_create);
94958+#endif
94959+
94960+#ifdef CONFIG_GRKERNSEC
94961+#define gr_conn_table_size 32749
94962+struct conn_table_entry {
94963+ struct conn_table_entry *next;
94964+ struct signal_struct *sig;
94965+};
94966+
94967+struct conn_table_entry *gr_conn_table[gr_conn_table_size];
94968+DEFINE_SPINLOCK(gr_conn_table_lock);
94969+
94970+extern const char * gr_socktype_to_name(unsigned char type);
94971+extern const char * gr_proto_to_name(unsigned char proto);
94972+extern const char * gr_sockfamily_to_name(unsigned char family);
94973+
94974+static int
94975+conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
94976+{
94977+ return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
94978+}
94979+
94980+static int
94981+conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
94982+ __u16 sport, __u16 dport)
94983+{
94984+ if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
94985+ sig->gr_sport == sport && sig->gr_dport == dport))
94986+ return 1;
94987+ else
94988+ return 0;
94989+}
94990+
94991+static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
94992+{
94993+ struct conn_table_entry **match;
94994+ unsigned int index;
94995+
94996+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
94997+ sig->gr_sport, sig->gr_dport,
94998+ gr_conn_table_size);
94999+
95000+ newent->sig = sig;
95001+
95002+ match = &gr_conn_table[index];
95003+ newent->next = *match;
95004+ *match = newent;
95005+
95006+ return;
95007+}
95008+
95009+static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
95010+{
95011+ struct conn_table_entry *match, *last = NULL;
95012+ unsigned int index;
95013+
95014+ index = conn_hash(sig->gr_saddr, sig->gr_daddr,
95015+ sig->gr_sport, sig->gr_dport,
95016+ gr_conn_table_size);
95017+
95018+ match = gr_conn_table[index];
95019+ while (match && !conn_match(match->sig,
95020+ sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
95021+ sig->gr_dport)) {
95022+ last = match;
95023+ match = match->next;
95024+ }
95025+
95026+ if (match) {
95027+ if (last)
95028+ last->next = match->next;
95029+ else
95030+ gr_conn_table[index] = NULL;
95031+ kfree(match);
95032+ }
95033+
95034+ return;
95035+}
95036+
95037+static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
95038+ __u16 sport, __u16 dport)
95039+{
95040+ struct conn_table_entry *match;
95041+ unsigned int index;
95042+
95043+ index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
95044+
95045+ match = gr_conn_table[index];
95046+ while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
95047+ match = match->next;
95048+
95049+ if (match)
95050+ return match->sig;
95051+ else
95052+ return NULL;
95053+}
95054+
95055+#endif
95056+
95057+void gr_update_task_in_ip_table(const struct inet_sock *inet)
95058+{
95059+#ifdef CONFIG_GRKERNSEC
95060+ struct signal_struct *sig = current->signal;
95061+ struct conn_table_entry *newent;
95062+
95063+ newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
95064+ if (newent == NULL)
95065+ return;
95066+ /* no bh lock needed since we are called with bh disabled */
95067+ spin_lock(&gr_conn_table_lock);
95068+ gr_del_task_from_ip_table_nolock(sig);
95069+ sig->gr_saddr = inet->inet_rcv_saddr;
95070+ sig->gr_daddr = inet->inet_daddr;
95071+ sig->gr_sport = inet->inet_sport;
95072+ sig->gr_dport = inet->inet_dport;
95073+ gr_add_to_task_ip_table_nolock(sig, newent);
95074+ spin_unlock(&gr_conn_table_lock);
95075+#endif
95076+ return;
95077+}
95078+
95079+void gr_del_task_from_ip_table(struct task_struct *task)
95080+{
95081+#ifdef CONFIG_GRKERNSEC
95082+ spin_lock_bh(&gr_conn_table_lock);
95083+ gr_del_task_from_ip_table_nolock(task->signal);
95084+ spin_unlock_bh(&gr_conn_table_lock);
95085+#endif
95086+ return;
95087+}
95088+
95089+void
95090+gr_attach_curr_ip(const struct sock *sk)
95091+{
95092+#ifdef CONFIG_GRKERNSEC
95093+ struct signal_struct *p, *set;
95094+ const struct inet_sock *inet = inet_sk(sk);
95095+
95096+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
95097+ return;
95098+
95099+ set = current->signal;
95100+
95101+ spin_lock_bh(&gr_conn_table_lock);
95102+ p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
95103+ inet->inet_dport, inet->inet_sport);
95104+ if (unlikely(p != NULL)) {
95105+ set->curr_ip = p->curr_ip;
95106+ set->used_accept = 1;
95107+ gr_del_task_from_ip_table_nolock(p);
95108+ spin_unlock_bh(&gr_conn_table_lock);
95109+ return;
95110+ }
95111+ spin_unlock_bh(&gr_conn_table_lock);
95112+
95113+ set->curr_ip = inet->inet_daddr;
95114+ set->used_accept = 1;
95115+#endif
95116+ return;
95117+}
95118+
95119+int
95120+gr_handle_sock_all(const int family, const int type, const int protocol)
95121+{
95122+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
95123+ if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
95124+ (family != AF_UNIX)) {
95125+ if (family == AF_INET)
95126+ gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
95127+ else
95128+ gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
95129+ return -EACCES;
95130+ }
95131+#endif
95132+ return 0;
95133+}
95134+
95135+int
95136+gr_handle_sock_server(const struct sockaddr *sck)
95137+{
95138+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
95139+ if (grsec_enable_socket_server &&
95140+ in_group_p(grsec_socket_server_gid) &&
95141+ sck && (sck->sa_family != AF_UNIX) &&
95142+ (sck->sa_family != AF_LOCAL)) {
95143+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
95144+ return -EACCES;
95145+ }
95146+#endif
95147+ return 0;
95148+}
95149+
95150+int
95151+gr_handle_sock_server_other(const struct sock *sck)
95152+{
95153+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
95154+ if (grsec_enable_socket_server &&
95155+ in_group_p(grsec_socket_server_gid) &&
95156+ sck && (sck->sk_family != AF_UNIX) &&
95157+ (sck->sk_family != AF_LOCAL)) {
95158+ gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
95159+ return -EACCES;
95160+ }
95161+#endif
95162+ return 0;
95163+}
95164+
95165+int
95166+gr_handle_sock_client(const struct sockaddr *sck)
95167+{
95168+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
95169+ if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
95170+ sck && (sck->sa_family != AF_UNIX) &&
95171+ (sck->sa_family != AF_LOCAL)) {
95172+ gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
95173+ return -EACCES;
95174+ }
95175+#endif
95176+ return 0;
95177+}
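Review bot: In gr_del_task_from_ip_table_nolock, removing the head of a bucket sets `gr_conn_table[index] = NULL`, which drops every entry chained behind it. Those entries are never freed, and gr_lookup_task_ip_table can no longer find their connections. The head case should unlink only the matched node: `gr_conn_table[index] = match->next;`. In conn_hash, `dport << 16` is evaluated after the `__u16` is promoted to `int`, so a port with the top bit set overflows a signed shift; casting first, `((__u32)dport << 16)`, avoids that.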
95178diff --git a/grsecurity/grsec_sysctl.c b/grsecurity/grsec_sysctl.c
95179new file mode 100644
95180index 0000000..aaec43c
95181--- /dev/null
95182+++ b/grsecurity/grsec_sysctl.c
95183@@ -0,0 +1,488 @@
95184+#include <linux/kernel.h>
95185+#include <linux/sched.h>
95186+#include <linux/sysctl.h>
95187+#include <linux/grsecurity.h>
95188+#include <linux/grinternal.h>
95189+
95190+int
95191+gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
95192+{
95193+#ifdef CONFIG_GRKERNSEC_SYSCTL
95194+ if (dirname == NULL || name == NULL)
95195+ return 0;
95196+ if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
95197+ gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
95198+ return -EACCES;
95199+ }
95200+#endif
95201+ return 0;
95202+}
95203+
95204+#if defined(CONFIG_GRKERNSEC_ROFS) || defined(CONFIG_GRKERNSEC_DENYUSB)
95205+static int __maybe_unused __read_only one = 1;
95206+#endif
95207+
95208+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS) || \
95209+ defined(CONFIG_GRKERNSEC_DENYUSB)
95210+struct ctl_table grsecurity_table[] = {
95211+#ifdef CONFIG_GRKERNSEC_SYSCTL
95212+#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
95213+#ifdef CONFIG_GRKERNSEC_IO
95214+ {
95215+ .procname = "disable_priv_io",
95216+ .data = &grsec_disable_privio,
95217+ .maxlen = sizeof(int),
95218+ .mode = 0600,
95219+ .proc_handler = &proc_dointvec_secure,
95220+ },
95221+#endif
95222+#endif
95223+#ifdef CONFIG_GRKERNSEC_LINK
95224+ {
95225+ .procname = "linking_restrictions",
95226+ .data = &grsec_enable_link,
95227+ .maxlen = sizeof(int),
95228+ .mode = 0600,
95229+ .proc_handler = &proc_dointvec_secure,
95230+ },
95231+#endif
95232+#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
95233+ {
95234+ .procname = "enforce_symlinksifowner",
95235+ .data = &grsec_enable_symlinkown,
95236+ .maxlen = sizeof(int),
95237+ .mode = 0600,
95238+ .proc_handler = &proc_dointvec_secure,
95239+ },
95240+ {
95241+ .procname = "symlinkown_gid",
95242+ .data = &grsec_symlinkown_gid,
95243+ .maxlen = sizeof(int),
95244+ .mode = 0600,
95245+ .proc_handler = &proc_dointvec_secure,
95246+ },
95247+#endif
95248+#ifdef CONFIG_GRKERNSEC_BRUTE
95249+ {
95250+ .procname = "deter_bruteforce",
95251+ .data = &grsec_enable_brute,
95252+ .maxlen = sizeof(int),
95253+ .mode = 0600,
95254+ .proc_handler = &proc_dointvec_secure,
95255+ },
95256+#endif
95257+#ifdef CONFIG_GRKERNSEC_FIFO
95258+ {
95259+ .procname = "fifo_restrictions",
95260+ .data = &grsec_enable_fifo,
95261+ .maxlen = sizeof(int),
95262+ .mode = 0600,
95263+ .proc_handler = &proc_dointvec_secure,
95264+ },
95265+#endif
95266+#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
95267+ {
95268+ .procname = "ptrace_readexec",
95269+ .data = &grsec_enable_ptrace_readexec,
95270+ .maxlen = sizeof(int),
95271+ .mode = 0600,
95272+ .proc_handler = &proc_dointvec_secure,
95273+ },
95274+#endif
95275+#ifdef CONFIG_GRKERNSEC_SETXID
95276+ {
95277+ .procname = "consistent_setxid",
95278+ .data = &grsec_enable_setxid,
95279+ .maxlen = sizeof(int),
95280+ .mode = 0600,
95281+ .proc_handler = &proc_dointvec_secure,
95282+ },
95283+#endif
95284+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
95285+ {
95286+ .procname = "ip_blackhole",
95287+ .data = &grsec_enable_blackhole,
95288+ .maxlen = sizeof(int),
95289+ .mode = 0600,
95290+ .proc_handler = &proc_dointvec_secure,
95291+ },
95292+ {
95293+ .procname = "lastack_retries",
95294+ .data = &grsec_lastack_retries,
95295+ .maxlen = sizeof(int),
95296+ .mode = 0600,
95297+ .proc_handler = &proc_dointvec_secure,
95298+ },
95299+#endif
95300+#ifdef CONFIG_GRKERNSEC_EXECLOG
95301+ {
95302+ .procname = "exec_logging",
95303+ .data = &grsec_enable_execlog,
95304+ .maxlen = sizeof(int),
95305+ .mode = 0600,
95306+ .proc_handler = &proc_dointvec_secure,
95307+ },
95308+#endif
95309+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
95310+ {
95311+ .procname = "rwxmap_logging",
95312+ .data = &grsec_enable_log_rwxmaps,
95313+ .maxlen = sizeof(int),
95314+ .mode = 0600,
95315+ .proc_handler = &proc_dointvec_secure,
95316+ },
95317+#endif
95318+#ifdef CONFIG_GRKERNSEC_SIGNAL
95319+ {
95320+ .procname = "signal_logging",
95321+ .data = &grsec_enable_signal,
95322+ .maxlen = sizeof(int),
95323+ .mode = 0600,
95324+ .proc_handler = &proc_dointvec_secure,
95325+ },
95326+#endif
95327+#ifdef CONFIG_GRKERNSEC_FORKFAIL
95328+ {
95329+ .procname = "forkfail_logging",
95330+ .data = &grsec_enable_forkfail,
95331+ .maxlen = sizeof(int),
95332+ .mode = 0600,
95333+ .proc_handler = &proc_dointvec_secure,
95334+ },
95335+#endif
95336+#ifdef CONFIG_GRKERNSEC_TIME
95337+ {
95338+ .procname = "timechange_logging",
95339+ .data = &grsec_enable_time,
95340+ .maxlen = sizeof(int),
95341+ .mode = 0600,
95342+ .proc_handler = &proc_dointvec_secure,
95343+ },
95344+#endif
95345+#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
95346+ {
95347+ .procname = "chroot_deny_shmat",
95348+ .data = &grsec_enable_chroot_shmat,
95349+ .maxlen = sizeof(int),
95350+ .mode = 0600,
95351+ .proc_handler = &proc_dointvec_secure,
95352+ },
95353+#endif
95354+#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
95355+ {
95356+ .procname = "chroot_deny_unix",
95357+ .data = &grsec_enable_chroot_unix,
95358+ .maxlen = sizeof(int),
95359+ .mode = 0600,
95360+ .proc_handler = &proc_dointvec_secure,
95361+ },
95362+#endif
95363+#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
95364+ {
95365+ .procname = "chroot_deny_mount",
95366+ .data = &grsec_enable_chroot_mount,
95367+ .maxlen = sizeof(int),
95368+ .mode = 0600,
95369+ .proc_handler = &proc_dointvec_secure,
95370+ },
95371+#endif
95372+#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
95373+ {
95374+ .procname = "chroot_deny_fchdir",
95375+ .data = &grsec_enable_chroot_fchdir,
95376+ .maxlen = sizeof(int),
95377+ .mode = 0600,
95378+ .proc_handler = &proc_dointvec_secure,
95379+ },
95380+#endif
95381+#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
95382+ {
95383+ .procname = "chroot_deny_chroot",
95384+ .data = &grsec_enable_chroot_double,
95385+ .maxlen = sizeof(int),
95386+ .mode = 0600,
95387+ .proc_handler = &proc_dointvec_secure,
95388+ },
95389+#endif
95390+#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
95391+ {
95392+ .procname = "chroot_deny_pivot",
95393+ .data = &grsec_enable_chroot_pivot,
95394+ .maxlen = sizeof(int),
95395+ .mode = 0600,
95396+ .proc_handler = &proc_dointvec_secure,
95397+ },
95398+#endif
95399+#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
95400+ {
95401+ .procname = "chroot_enforce_chdir",
95402+ .data = &grsec_enable_chroot_chdir,
95403+ .maxlen = sizeof(int),
95404+ .mode = 0600,
95405+ .proc_handler = &proc_dointvec_secure,
95406+ },
95407+#endif
95408+#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
95409+ {
95410+ .procname = "chroot_deny_chmod",
95411+ .data = &grsec_enable_chroot_chmod,
95412+ .maxlen = sizeof(int),
95413+ .mode = 0600,
95414+ .proc_handler = &proc_dointvec_secure,
95415+ },
95416+#endif
95417+#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
95418+ {
95419+ .procname = "chroot_deny_mknod",
95420+ .data = &grsec_enable_chroot_mknod,
95421+ .maxlen = sizeof(int),
95422+ .mode = 0600,
95423+ .proc_handler = &proc_dointvec_secure,
95424+ },
95425+#endif
95426+#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
95427+ {
95428+ .procname = "chroot_restrict_nice",
95429+ .data = &grsec_enable_chroot_nice,
95430+ .maxlen = sizeof(int),
95431+ .mode = 0600,
95432+ .proc_handler = &proc_dointvec_secure,
95433+ },
95434+#endif
95435+#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
95436+ {
95437+ .procname = "chroot_execlog",
95438+ .data = &grsec_enable_chroot_execlog,
95439+ .maxlen = sizeof(int),
95440+ .mode = 0600,
95441+ .proc_handler = &proc_dointvec_secure,
95442+ },
95443+#endif
95444+#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
95445+ {
95446+ .procname = "chroot_caps",
95447+ .data = &grsec_enable_chroot_caps,
95448+ .maxlen = sizeof(int),
95449+ .mode = 0600,
95450+ .proc_handler = &proc_dointvec_secure,
95451+ },
95452+#endif
95453+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
95454+ {
95455+ .procname = "chroot_deny_bad_rename",
95456+ .data = &grsec_enable_chroot_rename,
95457+ .maxlen = sizeof(int),
95458+ .mode = 0600,
95459+ .proc_handler = &proc_dointvec_secure,
95460+ },
95461+#endif
95462+#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
95463+ {
95464+ .procname = "chroot_deny_sysctl",
95465+ .data = &grsec_enable_chroot_sysctl,
95466+ .maxlen = sizeof(int),
95467+ .mode = 0600,
95468+ .proc_handler = &proc_dointvec_secure,
95469+ },
95470+#endif
95471+#ifdef CONFIG_GRKERNSEC_TPE
95472+ {
95473+ .procname = "tpe",
95474+ .data = &grsec_enable_tpe,
95475+ .maxlen = sizeof(int),
95476+ .mode = 0600,
95477+ .proc_handler = &proc_dointvec_secure,
95478+ },
95479+ {
95480+ .procname = "tpe_gid",
95481+ .data = &grsec_tpe_gid,
95482+ .maxlen = sizeof(int),
95483+ .mode = 0600,
95484+ .proc_handler = &proc_dointvec_secure,
95485+ },
95486+#endif
95487+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
95488+ {
95489+ .procname = "tpe_invert",
95490+ .data = &grsec_enable_tpe_invert,
95491+ .maxlen = sizeof(int),
95492+ .mode = 0600,
95493+ .proc_handler = &proc_dointvec_secure,
95494+ },
95495+#endif
95496+#ifdef CONFIG_GRKERNSEC_TPE_ALL
95497+ {
95498+ .procname = "tpe_restrict_all",
95499+ .data = &grsec_enable_tpe_all,
95500+ .maxlen = sizeof(int),
95501+ .mode = 0600,
95502+ .proc_handler = &proc_dointvec_secure,
95503+ },
95504+#endif
95505+#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
95506+ {
95507+ .procname = "socket_all",
95508+ .data = &grsec_enable_socket_all,
95509+ .maxlen = sizeof(int),
95510+ .mode = 0600,
95511+ .proc_handler = &proc_dointvec_secure,
95512+ },
95513+ {
95514+ .procname = "socket_all_gid",
95515+ .data = &grsec_socket_all_gid,
95516+ .maxlen = sizeof(int),
95517+ .mode = 0600,
95518+ .proc_handler = &proc_dointvec_secure,
95519+ },
95520+#endif
95521+#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
95522+ {
95523+ .procname = "socket_client",
95524+ .data = &grsec_enable_socket_client,
95525+ .maxlen = sizeof(int),
95526+ .mode = 0600,
95527+ .proc_handler = &proc_dointvec_secure,
95528+ },
95529+ {
95530+ .procname = "socket_client_gid",
95531+ .data = &grsec_socket_client_gid,
95532+ .maxlen = sizeof(int),
95533+ .mode = 0600,
95534+ .proc_handler = &proc_dointvec_secure,
95535+ },
95536+#endif
95537+#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
95538+ {
95539+ .procname = "socket_server",
95540+ .data = &grsec_enable_socket_server,
95541+ .maxlen = sizeof(int),
95542+ .mode = 0600,
95543+ .proc_handler = &proc_dointvec_secure,
95544+ },
95545+ {
95546+ .procname = "socket_server_gid",
95547+ .data = &grsec_socket_server_gid,
95548+ .maxlen = sizeof(int),
95549+ .mode = 0600,
95550+ .proc_handler = &proc_dointvec_secure,
95551+ },
95552+#endif
95553+#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
95554+ {
95555+ .procname = "audit_group",
95556+ .data = &grsec_enable_group,
95557+ .maxlen = sizeof(int),
95558+ .mode = 0600,
95559+ .proc_handler = &proc_dointvec_secure,
95560+ },
95561+ {
95562+ .procname = "audit_gid",
95563+ .data = &grsec_audit_gid,
95564+ .maxlen = sizeof(int),
95565+ .mode = 0600,
95566+ .proc_handler = &proc_dointvec_secure,
95567+ },
95568+#endif
95569+#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
95570+ {
95571+ .procname = "audit_chdir",
95572+ .data = &grsec_enable_chdir,
95573+ .maxlen = sizeof(int),
95574+ .mode = 0600,
95575+ .proc_handler = &proc_dointvec_secure,
95576+ },
95577+#endif
95578+#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
95579+ {
95580+ .procname = "audit_mount",
95581+ .data = &grsec_enable_mount,
95582+ .maxlen = sizeof(int),
95583+ .mode = 0600,
95584+ .proc_handler = &proc_dointvec_secure,
95585+ },
95586+#endif
95587+#ifdef CONFIG_GRKERNSEC_DMESG
95588+ {
95589+ .procname = "dmesg",
95590+ .data = &grsec_enable_dmesg,
95591+ .maxlen = sizeof(int),
95592+ .mode = 0600,
95593+ .proc_handler = &proc_dointvec_secure,
95594+ },
95595+#endif
95596+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
95597+ {
95598+ .procname = "chroot_findtask",
95599+ .data = &grsec_enable_chroot_findtask,
95600+ .maxlen = sizeof(int),
95601+ .mode = 0600,
95602+ .proc_handler = &proc_dointvec_secure,
95603+ },
95604+#endif
95605+#ifdef CONFIG_GRKERNSEC_RESLOG
95606+ {
95607+ .procname = "resource_logging",
95608+ .data = &grsec_resource_logging,
95609+ .maxlen = sizeof(int),
95610+ .mode = 0600,
95611+ .proc_handler = &proc_dointvec_secure,
95612+ },
95613+#endif
95614+#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
95615+ {
95616+ .procname = "audit_ptrace",
95617+ .data = &grsec_enable_audit_ptrace,
95618+ .maxlen = sizeof(int),
95619+ .mode = 0600,
95620+ .proc_handler = &proc_dointvec_secure,
95621+ },
95622+#endif
95623+#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
95624+ {
95625+ .procname = "harden_ptrace",
95626+ .data = &grsec_enable_harden_ptrace,
95627+ .maxlen = sizeof(int),
95628+ .mode = 0600,
95629+ .proc_handler = &proc_dointvec_secure,
95630+ },
95631+#endif
95632+#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
95633+ {
95634+ .procname = "harden_ipc",
95635+ .data = &grsec_enable_harden_ipc,
95636+ .maxlen = sizeof(int),
95637+ .mode = 0600,
95638+ .proc_handler = &proc_dointvec_secure,
95639+ },
95640+#endif
95641+ {
95642+ .procname = "grsec_lock",
95643+ .data = &grsec_lock,
95644+ .maxlen = sizeof(int),
95645+ .mode = 0600,
95646+ .proc_handler = &proc_dointvec_secure,
95647+ },
95648+#endif
95649+#ifdef CONFIG_GRKERNSEC_ROFS
95650+ {
95651+ .procname = "romount_protect",
95652+ .data = &grsec_enable_rofs,
95653+ .maxlen = sizeof(int),
95654+ .mode = 0600,
95655+ .proc_handler = &proc_dointvec_minmax_secure,
95656+ .extra1 = &one,
95657+ .extra2 = &one,
95658+ },
95659+#endif
95660+#if defined(CONFIG_GRKERNSEC_DENYUSB) && !defined(CONFIG_GRKERNSEC_DENYUSB_FORCE)
95661+ {
95662+ .procname = "deny_new_usb",
95663+ .data = &grsec_deny_new_usb,
95664+ .maxlen = sizeof(int),
95665+ .mode = 0600,
95666+ .proc_handler = &proc_dointvec_secure,
95667+ },
95668+#endif
95669+ { }
95670+};
95671+#endif
95672diff --git a/grsecurity/grsec_time.c b/grsecurity/grsec_time.c
95673new file mode 100644
95674index 0000000..61b514e
95675--- /dev/null
95676+++ b/grsecurity/grsec_time.c
95677@@ -0,0 +1,16 @@
95678+#include <linux/kernel.h>
95679+#include <linux/sched.h>
95680+#include <linux/grinternal.h>
95681+#include <linux/module.h>
95682+
95683+void
95684+gr_log_timechange(void)
95685+{
95686+#ifdef CONFIG_GRKERNSEC_TIME
95687+ if (grsec_enable_time)
95688+ gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
95689+#endif
95690+ return;
95691+}
95692+
95693+EXPORT_SYMBOL_GPL(gr_log_timechange);
95694diff --git a/grsecurity/grsec_tpe.c b/grsecurity/grsec_tpe.c
95695new file mode 100644
95696index 0000000..9786671
95697--- /dev/null
95698+++ b/grsecurity/grsec_tpe.c
95699@@ -0,0 +1,78 @@
95700+#include <linux/kernel.h>
95701+#include <linux/sched.h>
95702+#include <linux/file.h>
95703+#include <linux/fs.h>
95704+#include <linux/grinternal.h>
95705+
95706+extern int gr_acl_tpe_check(void);
95707+
95708+int
95709+gr_tpe_allow(const struct file *file)
95710+{
95711+#ifdef CONFIG_GRKERNSEC
95712+ struct inode *inode = d_backing_inode(file->f_path.dentry->d_parent);
95713+ struct inode *file_inode = d_backing_inode(file->f_path.dentry);
95714+ const struct cred *cred = current_cred();
95715+ char *msg = NULL;
95716+ char *msg2 = NULL;
95717+
95718+ // never restrict root
95719+ if (gr_is_global_root(cred->uid))
95720+ return 1;
95721+
95722+ if (grsec_enable_tpe) {
95723+#ifdef CONFIG_GRKERNSEC_TPE_INVERT
95724+ if (grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid))
95725+ msg = "not being in trusted group";
95726+ else if (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid))
95727+ msg = "being in untrusted group";
95728+#else
95729+ if (in_group_p(grsec_tpe_gid))
95730+ msg = "being in untrusted group";
95731+#endif
95732+ }
95733+ if (!msg && gr_acl_tpe_check())
95734+ msg = "being in untrusted role";
95735+
95736+ // not in any affected group/role
95737+ if (!msg)
95738+ goto next_check;
95739+
95740+ if (gr_is_global_nonroot(inode->i_uid))
95741+ msg2 = "file in non-root-owned directory";
95742+ else if (inode->i_mode & S_IWOTH)
95743+ msg2 = "file in world-writable directory";
95744+ else if (inode->i_mode & S_IWGRP)
95745+ msg2 = "file in group-writable directory";
95746+ else if (file_inode->i_mode & S_IWOTH)
95747+ msg2 = "file is world-writable";
95748+
95749+ if (msg && msg2) {
95750+ char fullmsg[70] = {0};
95751+ snprintf(fullmsg, sizeof(fullmsg)-1, "%s and %s", msg, msg2);
95752+ gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, fullmsg, file->f_path.dentry, file->f_path.mnt);
95753+ return 0;
95754+ }
95755+ msg = NULL;
95756+next_check:
95757+#ifdef CONFIG_GRKERNSEC_TPE_ALL
95758+ if (!grsec_enable_tpe || !grsec_enable_tpe_all)
95759+ return 1;
95760+
95761+ if (gr_is_global_nonroot(inode->i_uid) && !uid_eq(inode->i_uid, cred->uid))
95762+ msg = "directory not owned by user";
95763+ else if (inode->i_mode & S_IWOTH)
95764+ msg = "file in world-writable directory";
95765+ else if (inode->i_mode & S_IWGRP)
95766+ msg = "file in group-writable directory";
95767+ else if (file_inode->i_mode & S_IWOTH)
95768+ msg = "file is world-writable";
95769+
95770+ if (msg) {
95771+ gr_log_str_fs(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, msg, file->f_path.dentry, file->f_path.mnt);
95772+ return 0;
95773+ }
95774+#endif
95775+#endif
95776+ return 1;
95777+}
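Review bot: `gr_tpe_allow` reads `file->f_path.dentry->d_parent` directly in its first declaration and then uses that parent's inode for every ownership and mode test, with no lock or reference taken in the hunk. A concurrent rename can change `d_parent` while the checks run, so the directory that is vetted may not be the one the file actually sits in. Taking the parent with `struct dentry *parent = dget_parent(file->f_path.dentry);` and calling `dput(parent)` before each return would pin it for the duration of the checks. Separately, `snprintf(fullmsg, sizeof(fullmsg)-1, ...)` can pass the full `sizeof(fullmsg)`, because snprintf always writes the terminator.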
95778diff --git a/grsecurity/grsec_usb.c b/grsecurity/grsec_usb.c
95779new file mode 100644
95780index 0000000..ae02d8e
95781--- /dev/null
95782+++ b/grsecurity/grsec_usb.c
95783@@ -0,0 +1,15 @@
95784+#include <linux/kernel.h>
95785+#include <linux/grinternal.h>
95786+#include <linux/module.h>
95787+
95788+int gr_handle_new_usb(void)
95789+{
95790+#ifdef CONFIG_GRKERNSEC_DENYUSB
95791+ if (grsec_deny_new_usb) {
95792+ printk(KERN_ALERT "grsec: denied insert of new USB device\n");
95793+ return 1;
95794+ }
95795+#endif
95796+ return 0;
95797+}
95798+EXPORT_SYMBOL_GPL(gr_handle_new_usb);
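Review bot: The `printk(KERN_ALERT ...)` in `gr_handle_new_usb` is not rate limited, so a port that keeps re-enumerating can fill the kernel log with identical alert-level lines and push other audit records out of the ring buffer. `printk_ratelimited(KERN_ALERT "grsec: denied insert of new USB device\n");` keeps the alert while bounding its volume. The message also carries nothing that identifies the device; since the function takes no arguments, adding that would need a signature change at the call site, which is outside this hunk.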
95799diff --git a/grsecurity/grsum.c b/grsecurity/grsum.c
95800new file mode 100644
95801index 0000000..158b330
95802--- /dev/null
95803+++ b/grsecurity/grsum.c
95804@@ -0,0 +1,64 @@
95805+#include <linux/err.h>
95806+#include <linux/kernel.h>
95807+#include <linux/sched.h>
95808+#include <linux/mm.h>
95809+#include <linux/scatterlist.h>
95810+#include <linux/crypto.h>
95811+#include <linux/gracl.h>
95812+
95813+
95814+#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
95815+#error "crypto and sha256 must be built into the kernel"
95816+#endif
95817+
95818+int
95819+chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
95820+{
95821+ struct crypto_hash *tfm;
95822+ struct hash_desc desc;
95823+ struct scatterlist sg[2];
95824+ unsigned char temp_sum[GR_SHA_LEN] __attribute__((aligned(__alignof__(unsigned long))));
95825+ unsigned long *tmpsumptr = (unsigned long *)temp_sum;
95826+ unsigned long *sumptr = (unsigned long *)sum;
95827+ int cryptres;
95828+ int retval = 1;
95829+ volatile int mismatched = 0;
95830+ volatile int dummy = 0;
95831+ unsigned int i;
95832+
95833+ tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
95834+ if (IS_ERR(tfm)) {
95835+ /* should never happen, since sha256 should be built in */
95836+ memset(entry->pw, 0, GR_PW_LEN);
95837+ return 1;
95838+ }
95839+
95840+ sg_init_table(sg, 2);
95841+ sg_set_buf(&sg[0], salt, GR_SALT_LEN);
95842+ sg_set_buf(&sg[1], entry->pw, strlen(entry->pw));
95843+
95844+ desc.tfm = tfm;
95845+ desc.flags = 0;
95846+
95847+ cryptres = crypto_hash_digest(&desc, sg, GR_SALT_LEN + strlen(entry->pw),
95848+ temp_sum);
95849+
95850+ memset(entry->pw, 0, GR_PW_LEN);
95851+
95852+ if (cryptres)
95853+ goto out;
95854+
95855+ for (i = 0; i < GR_SHA_LEN/sizeof(tmpsumptr[0]); i++)
95856+ if (sumptr[i] != tmpsumptr[i])
95857+ mismatched = 1;
95858+ else
95859+ dummy = 1; // waste a cycle
95860+
95861+ if (!mismatched)
95862+ retval = dummy - 1;
95863+
95864+out:
95865+ crypto_free_hash(tfm);
95866+
95867+ return retval;
95868+}
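Review bot: The digest comparison loop in `chkpw` casts `sum` to `unsigned long *` although only `temp_sum` carries an alignment attribute, and its timing behaviour rests on `volatile` plus an `if`/`else` whose taken branch still depends on the data. The kernel's `crypto_memneq()` from `<crypto/algapi.h>` is meant for this and works on byte pointers: `retval = crypto_memneq(sum, temp_sum, GR_SHA_LEN) ? 1 : 0;` would replace the loop along with `mismatched`, `dummy`, `tmpsumptr` and `sumptr`. `strlen(entry->pw)` is also evaluated twice with no bound; if the caller does not guarantee a terminator inside `GR_PW_LEN` (not visible here), `size_t pwlen = strnlen(entry->pw, GR_PW_LEN);` computed once is the safer form. `temp_sum` is left on the stack at return and could be cleared at `out:` as `entry->pw` already is.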
95869diff --git a/include/asm-generic/4level-fixup.h b/include/asm-generic/4level-fixup.h
95870index 5bdab6b..9ae82fe 100644
95871--- a/include/asm-generic/4level-fixup.h
95872+++ b/include/asm-generic/4level-fixup.h
95873@@ -14,8 +14,10 @@
95874 #define pmd_alloc(mm, pud, address) \
95875 ((unlikely(pgd_none(*(pud))) && __pmd_alloc(mm, pud, address))? \
95876 NULL: pmd_offset(pud, address))
95877+#define pmd_alloc_kernel(mm, pud, address) pmd_alloc((mm), (pud), (address))
95878
95879 #define pud_alloc(mm, pgd, address) (pgd)
95880+#define pud_alloc_kernel(mm, pgd, address) pud_alloc((mm), (pgd), (address))
95881 #define pud_offset(pgd, start) (pgd)
95882 #define pud_none(pud) 0
95883 #define pud_bad(pud) 0
95884diff --git a/include/asm-generic/atomic-long.h b/include/asm-generic/atomic-long.h
95885index b7babf0..1e4b4f1 100644
95886--- a/include/asm-generic/atomic-long.h
95887+++ b/include/asm-generic/atomic-long.h
95888@@ -22,6 +22,12 @@
95889
95890 typedef atomic64_t atomic_long_t;
95891
95892+#ifdef CONFIG_PAX_REFCOUNT
95893+typedef atomic64_unchecked_t atomic_long_unchecked_t;
95894+#else
95895+typedef atomic64_t atomic_long_unchecked_t;
95896+#endif
95897+
95898 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
95899
95900 static inline long atomic_long_read(atomic_long_t *l)
95901@@ -31,6 +37,15 @@ static inline long atomic_long_read(atomic_long_t *l)
95902 return (long)atomic64_read(v);
95903 }
95904
95905+#ifdef CONFIG_PAX_REFCOUNT
95906+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
95907+{
95908+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95909+
95910+ return (long)atomic64_read_unchecked(v);
95911+}
95912+#endif
95913+
95914 static inline void atomic_long_set(atomic_long_t *l, long i)
95915 {
95916 atomic64_t *v = (atomic64_t *)l;
95917@@ -38,6 +53,15 @@ static inline void atomic_long_set(atomic_long_t *l, long i)
95918 atomic64_set(v, i);
95919 }
95920
95921+#ifdef CONFIG_PAX_REFCOUNT
95922+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
95923+{
95924+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95925+
95926+ atomic64_set_unchecked(v, i);
95927+}
95928+#endif
95929+
95930 static inline void atomic_long_inc(atomic_long_t *l)
95931 {
95932 atomic64_t *v = (atomic64_t *)l;
95933@@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomic_long_t *l)
95934 atomic64_inc(v);
95935 }
95936
95937+#ifdef CONFIG_PAX_REFCOUNT
95938+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
95939+{
95940+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95941+
95942+ atomic64_inc_unchecked(v);
95943+}
95944+#endif
95945+
95946 static inline void atomic_long_dec(atomic_long_t *l)
95947 {
95948 atomic64_t *v = (atomic64_t *)l;
95949@@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomic_long_t *l)
95950 atomic64_dec(v);
95951 }
95952
95953+#ifdef CONFIG_PAX_REFCOUNT
95954+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
95955+{
95956+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95957+
95958+ atomic64_dec_unchecked(v);
95959+}
95960+#endif
95961+
95962 static inline void atomic_long_add(long i, atomic_long_t *l)
95963 {
95964 atomic64_t *v = (atomic64_t *)l;
95965@@ -59,6 +101,15 @@ static inline void atomic_long_add(long i, atomic_long_t *l)
95966 atomic64_add(i, v);
95967 }
95968
95969+#ifdef CONFIG_PAX_REFCOUNT
95970+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
95971+{
95972+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95973+
95974+ atomic64_add_unchecked(i, v);
95975+}
95976+#endif
95977+
95978 static inline void atomic_long_sub(long i, atomic_long_t *l)
95979 {
95980 atomic64_t *v = (atomic64_t *)l;
95981@@ -66,6 +117,15 @@ static inline void atomic_long_sub(long i, atomic_long_t *l)
95982 atomic64_sub(i, v);
95983 }
95984
95985+#ifdef CONFIG_PAX_REFCOUNT
95986+static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
95987+{
95988+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
95989+
95990+ atomic64_sub_unchecked(i, v);
95991+}
95992+#endif
95993+
95994 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
95995 {
95996 atomic64_t *v = (atomic64_t *)l;
95997@@ -94,13 +154,22 @@ static inline int atomic_long_add_negative(long i, atomic_long_t *l)
95998 return atomic64_add_negative(i, v);
95999 }
96000
96001-static inline long atomic_long_add_return(long i, atomic_long_t *l)
96002+static inline long __intentional_overflow(-1) atomic_long_add_return(long i, atomic_long_t *l)
96003 {
96004 atomic64_t *v = (atomic64_t *)l;
96005
96006 return (long)atomic64_add_return(i, v);
96007 }
96008
96009+#ifdef CONFIG_PAX_REFCOUNT
96010+static inline long atomic_long_add_return_unchecked(long i, atomic_long_unchecked_t *l)
96011+{
96012+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
96013+
96014+ return (long)atomic64_add_return_unchecked(i, v);
96015+}
96016+#endif
96017+
96018 static inline long atomic_long_sub_return(long i, atomic_long_t *l)
96019 {
96020 atomic64_t *v = (atomic64_t *)l;
96021@@ -115,6 +184,15 @@ static inline long atomic_long_inc_return(atomic_long_t *l)
96022 return (long)atomic64_inc_return(v);
96023 }
96024
96025+#ifdef CONFIG_PAX_REFCOUNT
96026+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
96027+{
96028+ atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
96029+
96030+ return (long)atomic64_inc_return_unchecked(v);
96031+}
96032+#endif
96033+
96034 static inline long atomic_long_dec_return(atomic_long_t *l)
96035 {
96036 atomic64_t *v = (atomic64_t *)l;
96037@@ -140,6 +218,12 @@ static inline long atomic_long_add_unless(atomic_long_t *l, long a, long u)
96038
96039 typedef atomic_t atomic_long_t;
96040
96041+#ifdef CONFIG_PAX_REFCOUNT
96042+typedef atomic_unchecked_t atomic_long_unchecked_t;
96043+#else
96044+typedef atomic_t atomic_long_unchecked_t;
96045+#endif
96046+
96047 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
96048 static inline long atomic_long_read(atomic_long_t *l)
96049 {
96050@@ -148,6 +232,15 @@ static inline long atomic_long_read(atomic_long_t *l)
96051 return (long)atomic_read(v);
96052 }
96053
96054+#ifdef CONFIG_PAX_REFCOUNT
96055+static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
96056+{
96057+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96058+
96059+ return (long)atomic_read_unchecked(v);
96060+}
96061+#endif
96062+
96063 static inline void atomic_long_set(atomic_long_t *l, long i)
96064 {
96065 atomic_t *v = (atomic_t *)l;
96066@@ -155,6 +248,15 @@ static inline void atomic_long_set(atomic_long_t *l, long i)
96067 atomic_set(v, i);
96068 }
96069
96070+#ifdef CONFIG_PAX_REFCOUNT
96071+static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
96072+{
96073+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96074+
96075+ atomic_set_unchecked(v, i);
96076+}
96077+#endif
96078+
96079 static inline void atomic_long_inc(atomic_long_t *l)
96080 {
96081 atomic_t *v = (atomic_t *)l;
96082@@ -162,6 +264,15 @@ static inline void atomic_long_inc(atomic_long_t *l)
96083 atomic_inc(v);
96084 }
96085
96086+#ifdef CONFIG_PAX_REFCOUNT
96087+static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
96088+{
96089+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96090+
96091+ atomic_inc_unchecked(v);
96092+}
96093+#endif
96094+
96095 static inline void atomic_long_dec(atomic_long_t *l)
96096 {
96097 atomic_t *v = (atomic_t *)l;
96098@@ -169,6 +280,15 @@ static inline void atomic_long_dec(atomic_long_t *l)
96099 atomic_dec(v);
96100 }
96101
96102+#ifdef CONFIG_PAX_REFCOUNT
96103+static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
96104+{
96105+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96106+
96107+ atomic_dec_unchecked(v);
96108+}
96109+#endif
96110+
96111 static inline void atomic_long_add(long i, atomic_long_t *l)
96112 {
96113 atomic_t *v = (atomic_t *)l;
96114@@ -176,6 +296,15 @@ static inline void atomic_long_add(long i, atomic_long_t *l)
96115 atomic_add(i, v);
96116 }
96117
96118+#ifdef CONFIG_PAX_REFCOUNT
96119+static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
96120+{
96121+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96122+
96123+ atomic_add_unchecked(i, v);
96124+}
96125+#endif
96126+
96127 static inline void atomic_long_sub(long i, atomic_long_t *l)
96128 {
96129 atomic_t *v = (atomic_t *)l;
96130@@ -183,6 +312,15 @@ static inline void atomic_long_sub(long i, atomic_long_t *l)
96131 atomic_sub(i, v);
96132 }
96133
96134+#ifdef CONFIG_PAX_REFCOUNT
96135+static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
96136+{
96137+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96138+
96139+ atomic_sub_unchecked(i, v);
96140+}
96141+#endif
96142+
96143 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
96144 {
96145 atomic_t *v = (atomic_t *)l;
96146@@ -211,13 +349,23 @@ static inline int atomic_long_add_negative(long i, atomic_long_t *l)
96147 return atomic_add_negative(i, v);
96148 }
96149
96150-static inline long atomic_long_add_return(long i, atomic_long_t *l)
96151+static inline long __intentional_overflow(-1) atomic_long_add_return(long i, atomic_long_t *l)
96152 {
96153 atomic_t *v = (atomic_t *)l;
96154
96155 return (long)atomic_add_return(i, v);
96156 }
96157
96158+#ifdef CONFIG_PAX_REFCOUNT
96159+static inline long atomic_long_add_return_unchecked(long i, atomic_long_unchecked_t *l)
96160+{
96161+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96162+
96163+ return (long)atomic_add_return_unchecked(i, v);
96164+}
96165+
96166+#endif
96167+
96168 static inline long atomic_long_sub_return(long i, atomic_long_t *l)
96169 {
96170 atomic_t *v = (atomic_t *)l;
96171@@ -232,6 +380,15 @@ static inline long atomic_long_inc_return(atomic_long_t *l)
96172 return (long)atomic_inc_return(v);
96173 }
96174
96175+#ifdef CONFIG_PAX_REFCOUNT
96176+static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
96177+{
96178+ atomic_unchecked_t *v = (atomic_unchecked_t *)l;
96179+
96180+ return (long)atomic_inc_return_unchecked(v);
96181+}
96182+#endif
96183+
96184 static inline long atomic_long_dec_return(atomic_long_t *l)
96185 {
96186 atomic_t *v = (atomic_t *)l;
96187@@ -255,4 +412,57 @@ static inline long atomic_long_add_unless(atomic_long_t *l, long a, long u)
96188
96189 #endif /* BITS_PER_LONG == 64 */
96190
96191+#ifdef CONFIG_PAX_REFCOUNT
96192+static inline void pax_refcount_needs_these_functions(void)
96193+{
96194+ atomic_read_unchecked((atomic_unchecked_t *)NULL);
96195+ atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
96196+ atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
96197+ atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
96198+ atomic_inc_unchecked((atomic_unchecked_t *)NULL);
96199+ (void)atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
96200+ atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
96201+ atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
96202+ atomic_dec_unchecked((atomic_unchecked_t *)NULL);
96203+ atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
96204+ (void)atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
96205+#ifdef CONFIG_X86
96206+ atomic_clear_mask_unchecked(0, NULL);
96207+ atomic_set_mask_unchecked(0, NULL);
96208+#endif
96209+
96210+ atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
96211+ atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
96212+ atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
96213+ atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
96214+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
96215+ atomic_long_add_return_unchecked(0, (atomic_long_unchecked_t *)NULL);
96216+ atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
96217+ atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
96218+}
96219+#else
96220+#define atomic_read_unchecked(v) atomic_read(v)
96221+#define atomic_set_unchecked(v, i) atomic_set((v), (i))
96222+#define atomic_add_unchecked(i, v) atomic_add((i), (v))
96223+#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
96224+#define atomic_inc_unchecked(v) atomic_inc(v)
96225+#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
96226+#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
96227+#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
96228+#define atomic_dec_unchecked(v) atomic_dec(v)
96229+#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
96230+#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
96231+#define atomic_clear_mask_unchecked(mask, v) atomic_clear_mask((mask), (v))
96232+#define atomic_set_mask_unchecked(mask, v) atomic_set_mask((mask), (v))
96233+
96234+#define atomic_long_read_unchecked(v) atomic_long_read(v)
96235+#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
96236+#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
96237+#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
96238+#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
96239+#define atomic_long_add_return_unchecked(i, v) atomic_long_add_return((i), (v))
96240+#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
96241+#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
96242+#endif
96243+
96244 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
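Review bot: `pax_refcount_needs_these_functions()` near the end of the file passes NULL to every `*_unchecked` helper and has no comment, so a reader cannot tell that it is apparently never meant to be called and exists only so the build fails when an architecture omits one of the helpers. A comment above it such as `/* never called: references each *_unchecked helper so a missing definition breaks the build */` would state that. The 32-bit `atomic_long_add_return_unchecked` block also has a stray blank line before its `#endif` that the 64-bit copy does not.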
96245diff --git a/include/asm-generic/atomic64.h b/include/asm-generic/atomic64.h
96246index 30ad9c8..c70c170 100644
96247--- a/include/asm-generic/atomic64.h
96248+++ b/include/asm-generic/atomic64.h
96249@@ -16,6 +16,8 @@ typedef struct {
96250 long long counter;
96251 } atomic64_t;
96252
96253+typedef atomic64_t atomic64_unchecked_t;
96254+
96255 #define ATOMIC64_INIT(i) { (i) }
96256
96257 extern long long atomic64_read(const atomic64_t *v);
96258@@ -51,4 +53,14 @@ extern int atomic64_add_unless(atomic64_t *v, long long a, long long u);
96259 #define atomic64_dec_and_test(v) (atomic64_dec_return((v)) == 0)
96260 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1LL, 0LL)
96261
96262+#define atomic64_read_unchecked(v) atomic64_read(v)
96263+#define atomic64_set_unchecked(v, i) atomic64_set((v), (i))
96264+#define atomic64_add_unchecked(a, v) atomic64_add((a), (v))
96265+#define atomic64_add_return_unchecked(a, v) atomic64_add_return((a), (v))
96266+#define atomic64_sub_unchecked(a, v) atomic64_sub((a), (v))
96267+#define atomic64_inc_unchecked(v) atomic64_inc(v)
96268+#define atomic64_inc_return_unchecked(v) atomic64_inc_return(v)
96269+#define atomic64_dec_unchecked(v) atomic64_dec(v)
96270+#define atomic64_cmpxchg_unchecked(v, o, n) atomic64_cmpxchg((v), (o), (n))
96271+
96272 #endif /* _ASM_GENERIC_ATOMIC64_H */
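Review bot: In this generic header `atomic64_unchecked_t` is a plain typedef of `atomic64_t` and every `atomic64_*_unchecked` macro expands to the ordinary operation, so the checked/unchecked split has no effect here and the compiler cannot flag code that mixes the two types. That is presumably deliberate for architectures using the fallback implementation, but nothing in the hunk says so. A comment over the typedef, for example `/* generic atomic64 has no overflow detection; the _unchecked names are aliases */`, would keep readers from assuming the refcount protection covers 64-bit counters on these targets.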
96273diff --git a/include/asm-generic/barrier.h b/include/asm-generic/barrier.h
96274index 55e3abc..104e2a1 100644
96275--- a/include/asm-generic/barrier.h
96276+++ b/include/asm-generic/barrier.h
96277@@ -108,7 +108,7 @@
96278 do { \
96279 compiletime_assert_atomic_type(*p); \
96280 smp_mb(); \
96281- ACCESS_ONCE(*p) = (v); \
96282+ ACCESS_ONCE_RW(*p) = (v); \
96283 } while (0)
96284
96285 #define smp_load_acquire(p) \
96286diff --git a/include/asm-generic/bitops/__fls.h b/include/asm-generic/bitops/__fls.h
96287index a60a7cc..0fe12f2 100644
96288--- a/include/asm-generic/bitops/__fls.h
96289+++ b/include/asm-generic/bitops/__fls.h
96290@@ -9,7 +9,7 @@
96291 *
96292 * Undefined if no set bit exists, so code should check against 0 first.
96293 */
96294-static __always_inline unsigned long __fls(unsigned long word)
96295+static __always_inline unsigned long __intentional_overflow(-1) __fls(unsigned long word)
96296 {
96297 int num = BITS_PER_LONG - 1;
96298
96299diff --git a/include/asm-generic/bitops/fls.h b/include/asm-generic/bitops/fls.h
96300index 0576d1f..dad6c71 100644
96301--- a/include/asm-generic/bitops/fls.h
96302+++ b/include/asm-generic/bitops/fls.h
96303@@ -9,7 +9,7 @@
96304 * Note fls(0) = 0, fls(1) = 1, fls(0x80000000) = 32.
96305 */
96306
96307-static __always_inline int fls(int x)
96308+static __always_inline int __intentional_overflow(-1) fls(int x)
96309 {
96310 int r = 32;
96311
96312diff --git a/include/asm-generic/bitops/fls64.h b/include/asm-generic/bitops/fls64.h
96313index b097cf8..3d40e14 100644
96314--- a/include/asm-generic/bitops/fls64.h
96315+++ b/include/asm-generic/bitops/fls64.h
96316@@ -15,7 +15,7 @@
96317 * at position 64.
96318 */
96319 #if BITS_PER_LONG == 32
96320-static __always_inline int fls64(__u64 x)
96321+static __always_inline int __intentional_overflow(-1) fls64(__u64 x)
96322 {
96323 __u32 h = x >> 32;
96324 if (h)
96325@@ -23,7 +23,7 @@ static __always_inline int fls64(__u64 x)
96326 return fls(x);
96327 }
96328 #elif BITS_PER_LONG == 64
96329-static __always_inline int fls64(__u64 x)
96330+static __always_inline int __intentional_overflow(-1) fls64(__u64 x)
96331 {
96332 if (x == 0)
96333 return 0;
96334diff --git a/include/asm-generic/bug.h b/include/asm-generic/bug.h
96335index 630dd23..8c1dcb6b 100644
96336--- a/include/asm-generic/bug.h
96337+++ b/include/asm-generic/bug.h
96338@@ -62,13 +62,13 @@ struct bug_entry {
96339 * to provide better diagnostics.
96340 */
96341 #ifndef __WARN_TAINT
96342-extern __printf(3, 4)
96343+extern __printf(3, 4) __nocapture(1, 3, 4)
96344 void warn_slowpath_fmt(const char *file, const int line,
96345 const char *fmt, ...);
96346-extern __printf(4, 5)
96347+extern __printf(4, 5) __nocapture(1, 4, 5)
96348 void warn_slowpath_fmt_taint(const char *file, const int line, unsigned taint,
96349 const char *fmt, ...);
96350-extern void warn_slowpath_null(const char *file, const int line);
96351+extern __nocapture(1) void warn_slowpath_null(const char *file, const int line);
96352 #define WANT_WARN_ON_SLOWPATH
96353 #define __WARN() warn_slowpath_null(__FILE__, __LINE__)
96354 #define __WARN_printf(arg...) warn_slowpath_fmt(__FILE__, __LINE__, arg)
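Review bot: The explicit `__nocapture(1, 3, 4)` on `warn_slowpath_fmt` repeats indices that `__printf(3, 4)` already covers, because this same patch redefines `__printf(a, b)` in include/linux/compiler-gcc.h to append `__nocapture(a, b)`. Only the file-name argument is new, so `extern __printf(3, 4) __nocapture(1)` expresses the same thing, and likewise `extern __printf(4, 5) __nocapture(1)` for `warn_slowpath_fmt_taint`. Whether the plugin accepts duplicated indices cannot be told from this hunk, which is another reason to avoid them.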
96355diff --git a/include/asm-generic/cache.h b/include/asm-generic/cache.h
96356index 1bfcfe5..e04c5c9 100644
96357--- a/include/asm-generic/cache.h
96358+++ b/include/asm-generic/cache.h
96359@@ -6,7 +6,7 @@
96360 * cache lines need to provide their own cache.h.
96361 */
96362
96363-#define L1_CACHE_SHIFT 5
96364-#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
96365+#define L1_CACHE_SHIFT 5UL
96366+#define L1_CACHE_BYTES (1UL << L1_CACHE_SHIFT)
96367
96368 #endif /* __ASM_GENERIC_CACHE_H */
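Review bot: `L1_CACHE_SHIFT` becomes `5UL`, which puts a C integer suffix into a macro that is otherwise a bare shift count; any assembly or linker-script source that includes this header would see the literal `UL`. The pgtable-nopmd.h and pgtable-nopud.h hunks of this same patch use `_AC(1,UL)` for their size macros, and the same pattern would fit here: keep `#define L1_CACHE_SHIFT 5` and write `#define L1_CACHE_BYTES (_AC(1,UL) << L1_CACHE_SHIFT)`, provided the header that defines `_AC` is in scope. Whether a non-C file actually includes this header is not visible from the hunk.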
96369diff --git a/include/asm-generic/emergency-restart.h b/include/asm-generic/emergency-restart.h
96370index 0d68a1e..b74a761 100644
96371--- a/include/asm-generic/emergency-restart.h
96372+++ b/include/asm-generic/emergency-restart.h
96373@@ -1,7 +1,7 @@
96374 #ifndef _ASM_GENERIC_EMERGENCY_RESTART_H
96375 #define _ASM_GENERIC_EMERGENCY_RESTART_H
96376
96377-static inline void machine_emergency_restart(void)
96378+static inline __noreturn void machine_emergency_restart(void)
96379 {
96380 machine_restart(NULL);
96381 }
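Review bot: `__noreturn` on `machine_emergency_restart()` is only sound if `machine_restart()` itself never returns, and its declaration is outside this hunk. If it can return on some architecture, control falls off the end of a noreturn function, which is undefined behaviour, and the compiler is free to drop code after call sites. A comment above the body such as `/* relies on machine_restart() never returning */` would make the assumption explicit and easy to re-check when a new architecture uses this generic header.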
96382diff --git a/include/asm-generic/kmap_types.h b/include/asm-generic/kmap_types.h
96383index 90f99c7..00ce236 100644
96384--- a/include/asm-generic/kmap_types.h
96385+++ b/include/asm-generic/kmap_types.h
96386@@ -2,9 +2,9 @@
96387 #define _ASM_GENERIC_KMAP_TYPES_H
96388
96389 #ifdef __WITH_KM_FENCE
96390-# define KM_TYPE_NR 41
96391+# define KM_TYPE_NR 42
96392 #else
96393-# define KM_TYPE_NR 20
96394+# define KM_TYPE_NR 21
96395 #endif
96396
96397 #endif
96398diff --git a/include/asm-generic/local.h b/include/asm-generic/local.h
96399index 9ceb03b..62b0b8f 100644
96400--- a/include/asm-generic/local.h
96401+++ b/include/asm-generic/local.h
96402@@ -23,24 +23,37 @@ typedef struct
96403 atomic_long_t a;
96404 } local_t;
96405
96406+typedef struct {
96407+ atomic_long_unchecked_t a;
96408+} local_unchecked_t;
96409+
96410 #define LOCAL_INIT(i) { ATOMIC_LONG_INIT(i) }
96411
96412 #define local_read(l) atomic_long_read(&(l)->a)
96413+#define local_read_unchecked(l) atomic_long_read_unchecked(&(l)->a)
96414 #define local_set(l,i) atomic_long_set((&(l)->a),(i))
96415+#define local_set_unchecked(l,i) atomic_long_set_unchecked((&(l)->a),(i))
96416 #define local_inc(l) atomic_long_inc(&(l)->a)
96417+#define local_inc_unchecked(l) atomic_long_inc_unchecked(&(l)->a)
96418 #define local_dec(l) atomic_long_dec(&(l)->a)
96419+#define local_dec_unchecked(l) atomic_long_dec_unchecked(&(l)->a)
96420 #define local_add(i,l) atomic_long_add((i),(&(l)->a))
96421+#define local_add_unchecked(i,l) atomic_long_add_unchecked((i),(&(l)->a))
96422 #define local_sub(i,l) atomic_long_sub((i),(&(l)->a))
96423+#define local_sub_unchecked(i,l) atomic_long_sub_unchecked((i),(&(l)->a))
96424
96425 #define local_sub_and_test(i, l) atomic_long_sub_and_test((i), (&(l)->a))
96426 #define local_dec_and_test(l) atomic_long_dec_and_test(&(l)->a)
96427 #define local_inc_and_test(l) atomic_long_inc_and_test(&(l)->a)
96428 #define local_add_negative(i, l) atomic_long_add_negative((i), (&(l)->a))
96429 #define local_add_return(i, l) atomic_long_add_return((i), (&(l)->a))
96430+#define local_add_return_unchecked(i, l) atomic_long_add_return_unchecked((i), (&(l)->a))
96431 #define local_sub_return(i, l) atomic_long_sub_return((i), (&(l)->a))
96432 #define local_inc_return(l) atomic_long_inc_return(&(l)->a)
96433+#define local_dec_return(l) atomic_long_dec_return(&(l)->a)
96434
96435 #define local_cmpxchg(l, o, n) atomic_long_cmpxchg((&(l)->a), (o), (n))
96436+#define local_cmpxchg_unchecked(l, o, n) atomic_long_cmpxchg((&(l)->a), (o), (n))
96437 #define local_xchg(l, n) atomic_long_xchg((&(l)->a), (n))
96438 #define local_add_unless(l, _a, u) atomic_long_add_unless((&(l)->a), (_a), (u))
96439 #define local_inc_not_zero(l) atomic_long_inc_not_zero(&(l)->a)
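Review bot: `local_cmpxchg_unchecked` expands to the checked `atomic_long_cmpxchg`, unlike every other `_unchecked` macro added in this hunk, while `local_unchecked_t` wraps an `atomic_long_unchecked_t`. If that type is distinct from `atomic_long_t` in some configuration, the macro passes a pointer of the wrong type. If the reuse is deliberate because compare-and-exchange does no arithmetic, a comment such as `/* cmpxchg cannot overflow; checked helper reused on purpose */` together with an explicit cast would say so. The hunk also adds `local_dec_return` without an `_unchecked` twin, whereas `local_add_return` gets one; worth confirming that asymmetry is intended.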
96440diff --git a/include/asm-generic/pgtable-nopmd.h b/include/asm-generic/pgtable-nopmd.h
96441index 725612b..9cc513a 100644
96442--- a/include/asm-generic/pgtable-nopmd.h
96443+++ b/include/asm-generic/pgtable-nopmd.h
96444@@ -1,14 +1,19 @@
96445 #ifndef _PGTABLE_NOPMD_H
96446 #define _PGTABLE_NOPMD_H
96447
96448-#ifndef __ASSEMBLY__
96449-
96450 #include <asm-generic/pgtable-nopud.h>
96451
96452-struct mm_struct;
96453-
96454 #define __PAGETABLE_PMD_FOLDED
96455
96456+#define PMD_SHIFT PUD_SHIFT
96457+#define PTRS_PER_PMD 1
96458+#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
96459+#define PMD_MASK (~(PMD_SIZE-1))
96460+
96461+#ifndef __ASSEMBLY__
96462+
96463+struct mm_struct;
96464+
96465 /*
96466 * Having the pmd type consist of a pud gets the size right, and allows
96467 * us to conceptually access the pud entry that this pmd is folded into
96468@@ -16,11 +21,6 @@ struct mm_struct;
96469 */
96470 typedef struct { pud_t pud; } pmd_t;
96471
96472-#define PMD_SHIFT PUD_SHIFT
96473-#define PTRS_PER_PMD 1
96474-#define PMD_SIZE (1UL << PMD_SHIFT)
96475-#define PMD_MASK (~(PMD_SIZE-1))
96476-
96477 /*
96478 * The "pud_xxx()" functions here are trivial for a folded two-level
96479 * setup: the pmd is never bad, and a pmd always exists (as it's folded
96480diff --git a/include/asm-generic/pgtable-nopud.h b/include/asm-generic/pgtable-nopud.h
96481index 810431d..0ec4804f 100644
96482--- a/include/asm-generic/pgtable-nopud.h
96483+++ b/include/asm-generic/pgtable-nopud.h
96484@@ -1,10 +1,15 @@
96485 #ifndef _PGTABLE_NOPUD_H
96486 #define _PGTABLE_NOPUD_H
96487
96488-#ifndef __ASSEMBLY__
96489-
96490 #define __PAGETABLE_PUD_FOLDED
96491
96492+#define PUD_SHIFT PGDIR_SHIFT
96493+#define PTRS_PER_PUD 1
96494+#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
96495+#define PUD_MASK (~(PUD_SIZE-1))
96496+
96497+#ifndef __ASSEMBLY__
96498+
96499 /*
96500 * Having the pud type consist of a pgd gets the size right, and allows
96501 * us to conceptually access the pgd entry that this pud is folded into
96502@@ -12,11 +17,6 @@
96503 */
96504 typedef struct { pgd_t pgd; } pud_t;
96505
96506-#define PUD_SHIFT PGDIR_SHIFT
96507-#define PTRS_PER_PUD 1
96508-#define PUD_SIZE (1UL << PUD_SHIFT)
96509-#define PUD_MASK (~(PUD_SIZE-1))
96510-
96511 /*
96512 * The "pgd_xxx()" functions here are trivial for a folded two-level
96513 * setup: the pud is never bad, and a pud always exists (as it's folded
96514@@ -29,6 +29,7 @@ static inline void pgd_clear(pgd_t *pgd) { }
96515 #define pud_ERROR(pud) (pgd_ERROR((pud).pgd))
96516
96517 #define pgd_populate(mm, pgd, pud) do { } while (0)
96518+#define pgd_populate_kernel(mm, pgd, pud) do { } while (0)
96519 /*
96520 * (puds are folded into pgds so this doesn't get actually called,
96521 * but the define is needed for a generic inline function.)
96522diff --git a/include/asm-generic/pgtable.h b/include/asm-generic/pgtable.h
96523index 29c57b2..da571a2 100644
96524--- a/include/asm-generic/pgtable.h
96525+++ b/include/asm-generic/pgtable.h
96526@@ -715,6 +715,22 @@ static inline int pmd_protnone(pmd_t pmd)
96527 }
96528 #endif /* CONFIG_NUMA_BALANCING */
96529
96530+#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
96531+#ifdef CONFIG_PAX_KERNEXEC
96532+#error KERNEXEC requires pax_open_kernel
96533+#else
96534+static inline unsigned long pax_open_kernel(void) { return 0; }
96535+#endif
96536+#endif
96537+
96538+#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
96539+#ifdef CONFIG_PAX_KERNEXEC
96540+#error KERNEXEC requires pax_close_kernel
96541+#else
96542+static inline unsigned long pax_close_kernel(void) { return 0; }
96543+#endif
96544+#endif
96545+
96546 #endif /* CONFIG_MMU */
96547
96548 #ifdef CONFIG_HAVE_ARCH_HUGE_VMAP
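Review bot: The fallback stubs for `pax_open_kernel()` and `pax_close_kernel()` are added before `#endif /* CONFIG_MMU */`, so a build without CONFIG_MMU gets neither the stub nor the `#error` from this header. If generic code calls these helpers (the callers are not visible here), the block belongs after that `#endif`. The stubs also return `unsigned long` 0 with no comment on what the value stands for; a line such as `/* no-op fallback for arches without KERNEXEC; TODO document the return value */` would at least flag the gap. The `pax_open_userland()`/`pax_close_userland()` stubs added to include/asm-generic/uaccess.h are undocumented in the same way.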
96549diff --git a/include/asm-generic/sections.h b/include/asm-generic/sections.h
96550index b58fd66..6cfae67 100644
96551--- a/include/asm-generic/sections.h
96552+++ b/include/asm-generic/sections.h
96553@@ -30,6 +30,7 @@ extern char _data[], _sdata[], _edata[];
96554 extern char __bss_start[], __bss_stop[];
96555 extern char __init_begin[], __init_end[];
96556 extern char _sinittext[], _einittext[];
96557+extern char _sinitdata[], _einitdata[];
96558 extern char _end[];
96559 extern char __per_cpu_load[], __per_cpu_start[], __per_cpu_end[];
96560 extern char __kprobes_text_start[], __kprobes_text_end[];
96561diff --git a/include/asm-generic/uaccess.h b/include/asm-generic/uaccess.h
96562index 72d8803..cb9749c 100644
96563--- a/include/asm-generic/uaccess.h
96564+++ b/include/asm-generic/uaccess.h
96565@@ -343,4 +343,20 @@ clear_user(void __user *to, unsigned long n)
96566 return __clear_user(to, n);
96567 }
96568
96569+#ifndef __HAVE_ARCH_PAX_OPEN_USERLAND
96570+#ifdef CONFIG_PAX_MEMORY_UDEREF
96571+#error UDEREF requires pax_open_userland
96572+#else
96573+static inline unsigned long pax_open_userland(void) { return 0; }
96574+#endif
96575+#endif
96576+
96577+#ifndef __HAVE_ARCH_PAX_CLOSE_USERLAND
96578+#ifdef CONFIG_PAX_MEMORY_UDEREF
96579+#error UDEREF requires pax_close_userland
96580+#else
96581+static inline unsigned long pax_close_userland(void) { return 0; }
96582+#endif
96583+#endif
96584+
96585 #endif /* __ASM_GENERIC_UACCESS_H */
96586diff --git a/include/asm-generic/vmlinux.lds.h b/include/asm-generic/vmlinux.lds.h
96587index 8bd374d..2665ce3 100644
96588--- a/include/asm-generic/vmlinux.lds.h
96589+++ b/include/asm-generic/vmlinux.lds.h
96590@@ -246,6 +246,7 @@
96591 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
96592 VMLINUX_SYMBOL(__start_rodata) = .; \
96593 *(.rodata) *(.rodata.*) \
96594+ *(.data..read_only) \
96595 *(__vermagic) /* Kernel version magic */ \
96596 . = ALIGN(8); \
96597 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
96598@@ -504,6 +505,7 @@
96599 KERNEL_CTORS() \
96600 MCOUNT_REC() \
96601 *(.init.rodata) \
96602+ *(.init.rodata.*) \
96603 FTRACE_EVENTS() \
96604 TRACE_SYSCALLS() \
96605 KPROBE_BLACKLIST() \
96606@@ -525,6 +527,8 @@
96607
96608 #define EXIT_DATA \
96609 *(.exit.data) \
96610+ *(.exit.rodata) \
96611+ *(.exit.rodata.*) \
96612 MEM_DISCARD(exit.data) \
96613 MEM_DISCARD(exit.rodata)
96614
96615@@ -741,17 +745,18 @@
96616 * section in the linker script will go there too. @phdr should have
96617 * a leading colon.
96618 *
96619- * Note that this macros defines __per_cpu_load as an absolute symbol.
96620+ * Note that this macros defines per_cpu_load as an absolute symbol.
96621 * If there is no need to put the percpu section at a predetermined
96622 * address, use PERCPU_SECTION.
96623 */
96624 #define PERCPU_VADDR(cacheline, vaddr, phdr) \
96625- VMLINUX_SYMBOL(__per_cpu_load) = .; \
96626- .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
96627+ per_cpu_load = .; \
96628+ .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
96629 - LOAD_OFFSET) { \
96630+ VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
96631 PERCPU_INPUT(cacheline) \
96632 } phdr \
96633- . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
96634+ . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
96635
96636 /**
96637 * PERCPU_SECTION - define output section for percpu area, simple version
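Review bot: `per_cpu_load = .;` is assigned without `VMLINUX_SYMBOL()`, yet the `AT(...)` expression and the final location-counter assignment read it back as `VMLINUX_SYMBOL(per_cpu_load)`. On a configuration where `VMLINUX_SYMBOL` adds a prefix these are two different names, so either write `VMLINUX_SYMBOL(per_cpu_load) = .;` or drop the wrapper at both uses. The reworded comment now mentions only `per_cpu_load` and no longer says that `__per_cpu_load` is defined inside the output section as `. + per_cpu_load`, which is the detail users of that symbol need.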
96638@@ -813,12 +818,14 @@
96639
96640 #define INIT_DATA_SECTION(initsetup_align) \
96641 .init.data : AT(ADDR(.init.data) - LOAD_OFFSET) { \
96642+ VMLINUX_SYMBOL(_sinitdata) = .; \
96643 INIT_DATA \
96644 INIT_SETUP(initsetup_align) \
96645 INIT_CALLS \
96646 CON_INITCALL \
96647 SECURITY_INITCALL \
96648 INIT_RAM_FS \
96649+ VMLINUX_SYMBOL(_einitdata) = .; \
96650 }
96651
96652 #define BSS_SECTION(sbss_align, bss_align, stop_align) \
96653diff --git a/include/crypto/algapi.h b/include/crypto/algapi.h
96654index d4ebf6e..ca4bd35 100644
96655--- a/include/crypto/algapi.h
96656+++ b/include/crypto/algapi.h
96657@@ -35,7 +35,7 @@ struct crypto_type {
96658 unsigned int maskclear;
96659 unsigned int maskset;
96660 unsigned int tfmsize;
96661-};
96662+} __do_const;
96663
96664 struct crypto_instance {
96665 struct crypto_alg alg;
96666diff --git a/include/drm/drmP.h b/include/drm/drmP.h
96667index 5aa5197..e4ca348 100644
96668--- a/include/drm/drmP.h
96669+++ b/include/drm/drmP.h
96670@@ -59,6 +59,7 @@
96671
96672 #include <asm/mman.h>
96673 #include <asm/pgalloc.h>
96674+#include <asm/local.h>
96675 #include <asm/uaccess.h>
96676
96677 #include <uapi/drm/drm.h>
96678@@ -137,17 +138,18 @@ void drm_err(const char *format, ...);
96679 /*@{*/
96680
96681 /* driver capabilities and requirements mask */
96682-#define DRIVER_USE_AGP 0x1
96683-#define DRIVER_PCI_DMA 0x8
96684-#define DRIVER_SG 0x10
96685-#define DRIVER_HAVE_DMA 0x20
96686-#define DRIVER_HAVE_IRQ 0x40
96687-#define DRIVER_IRQ_SHARED 0x80
96688-#define DRIVER_GEM 0x1000
96689-#define DRIVER_MODESET 0x2000
96690-#define DRIVER_PRIME 0x4000
96691-#define DRIVER_RENDER 0x8000
96692-#define DRIVER_ATOMIC 0x10000
96693+#define DRIVER_USE_AGP 0x1
96694+#define DRIVER_PCI_DMA 0x8
96695+#define DRIVER_SG 0x10
96696+#define DRIVER_HAVE_DMA 0x20
96697+#define DRIVER_HAVE_IRQ 0x40
96698+#define DRIVER_IRQ_SHARED 0x80
96699+#define DRIVER_GEM 0x1000
96700+#define DRIVER_MODESET 0x2000
96701+#define DRIVER_PRIME 0x4000
96702+#define DRIVER_RENDER 0x8000
96703+#define DRIVER_ATOMIC 0x10000
96704+#define DRIVER_KMS_LEGACY_CONTEXT 0x20000
96705
96706 /***********************************************************************/
96707 /** \name Macros to make printk easier */
96708@@ -233,10 +235,12 @@ void drm_err(const char *format, ...);
96709 * \param cmd command.
96710 * \param arg argument.
96711 */
96712-typedef int drm_ioctl_t(struct drm_device *dev, void *data,
96713+typedef int (* const drm_ioctl_t)(struct drm_device *dev, void *data,
96714+ struct drm_file *file_priv);
96715+typedef int (* drm_ioctl_no_const_t)(struct drm_device *dev, void *data,
96716 struct drm_file *file_priv);
96717
96718-typedef int drm_ioctl_compat_t(struct file *filp, unsigned int cmd,
96719+typedef int (* const drm_ioctl_compat_t)(struct file *filp, unsigned int cmd,
96720 unsigned long arg);
96721
96722 #define DRM_IOCTL_NR(n) _IOC_NR(n)
96723@@ -252,9 +256,9 @@ typedef int drm_ioctl_compat_t(struct file *filp, unsigned int cmd,
96724 struct drm_ioctl_desc {
96725 unsigned int cmd;
96726 int flags;
96727- drm_ioctl_t *func;
96728+ drm_ioctl_t func;
96729 const char *name;
96730-};
96731+} __do_const;
96732
96733 /**
96734 * Creates a driver or general drm_ioctl_desc array entry for the given
96735@@ -647,7 +651,8 @@ struct drm_info_list {
96736 int (*show)(struct seq_file*, void*); /** show callback */
96737 u32 driver_features; /**< Required driver features for this entry */
96738 void *data;
96739-};
96740+} __do_const;
96741+typedef struct drm_info_list __no_const drm_info_list_no_const;
96742
96743 /**
96744 * debugfs node structure. This structure represents a debugfs file.
96745@@ -735,7 +740,7 @@ struct drm_device {
96746
96747 /** \name Usage Counters */
96748 /*@{ */
96749- int open_count; /**< Outstanding files open, protected by drm_global_mutex. */
96750+ local_t open_count; /**< Outstanding files open, protected by drm_global_mutex. */
96751 spinlock_t buf_lock; /**< For drm_device::buf_use and a few other things. */
96752 int buf_use; /**< Buffers in use -- cannot alloc */
96753 atomic_t buf_alloc; /**< Buffer allocation in progress */
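Review bot: `open_count` changes from `int` to `local_t`, but the field comment still describes it only as protected by drm_global_mutex and gives no reason for the new type. `local_t` is normally used for per-CPU counters, so its use on a device-wide count is surprising to a reader; if the point is to route the counter through the overflow-checked atomic helpers, the comment should say that, for example `/**< Outstanding files open, protected by drm_global_mutex; local_t for overflow checking */`. The accessors that must now use `local_read()`/`local_inc()` are outside this hunk.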
96754diff --git a/include/drm/drm_crtc_helper.h b/include/drm/drm_crtc_helper.h
96755index 918aa68..f162a8a 100644
96756--- a/include/drm/drm_crtc_helper.h
96757+++ b/include/drm/drm_crtc_helper.h
96758@@ -161,7 +161,7 @@ struct drm_encoder_helper_funcs {
96759 int (*atomic_check)(struct drm_encoder *encoder,
96760 struct drm_crtc_state *crtc_state,
96761 struct drm_connector_state *conn_state);
96762-};
96763+} __no_const;
96764
96765 /**
96766 * struct drm_connector_helper_funcs - helper operations for connectors
96767diff --git a/include/drm/drm_mm.h b/include/drm/drm_mm.h
96768index 0de6290..2a2c125 100644
96769--- a/include/drm/drm_mm.h
96770+++ b/include/drm/drm_mm.h
96771@@ -297,7 +297,7 @@ void drm_mm_remove_node(struct drm_mm_node *node);
96772 void drm_mm_replace_node(struct drm_mm_node *old, struct drm_mm_node *new);
96773 void drm_mm_init(struct drm_mm *mm,
96774 u64 start,
96775- u64 size);
96776+ u64 size) __intentional_overflow(3);
96777 void drm_mm_takedown(struct drm_mm *mm);
96778 bool drm_mm_clean(struct drm_mm *mm);
96779
96780diff --git a/include/drm/i915_pciids.h b/include/drm/i915_pciids.h
96781index 17c4456..da0c5eb 100644
96782--- a/include/drm/i915_pciids.h
96783+++ b/include/drm/i915_pciids.h
96784@@ -37,7 +37,7 @@
96785 */
96786 #define INTEL_VGA_DEVICE(id, info) { \
96787 0x8086, id, \
96788- ~0, ~0, \
96789+ PCI_ANY_ID, PCI_ANY_ID, \
96790 0x030000, 0xff0000, \
96791 (unsigned long) info }
96792
96793diff --git a/include/drm/intel-gtt.h b/include/drm/intel-gtt.h
96794index b08bdad..21e6054 100644
96795--- a/include/drm/intel-gtt.h
96796+++ b/include/drm/intel-gtt.h
96797@@ -3,8 +3,8 @@
96798 #ifndef _DRM_INTEL_GTT_H
96799 #define _DRM_INTEL_GTT_H
96800
96801-void intel_gtt_get(size_t *gtt_total, size_t *stolen_size,
96802- phys_addr_t *mappable_base, unsigned long *mappable_end);
96803+void intel_gtt_get(uint64_t *gtt_total, uint64_t *stolen_size,
96804+ uint64_t *mappable_base, uint64_t *mappable_end);
96805
96806 int intel_gmch_probe(struct pci_dev *bridge_pdev, struct pci_dev *gpu_pdev,
96807 struct agp_bridge_data *bridge);
96808diff --git a/include/drm/ttm/ttm_memory.h b/include/drm/ttm/ttm_memory.h
96809index 72dcbe8..8db58d7 100644
96810--- a/include/drm/ttm/ttm_memory.h
96811+++ b/include/drm/ttm/ttm_memory.h
96812@@ -48,7 +48,7 @@
96813
96814 struct ttm_mem_shrink {
96815 int (*do_shrink) (struct ttm_mem_shrink *);
96816-};
96817+} __no_const;
96818
96819 /**
96820 * struct ttm_mem_global - Global memory accounting structure.
96821diff --git a/include/drm/ttm/ttm_page_alloc.h b/include/drm/ttm/ttm_page_alloc.h
96822index 49a8284..9643967 100644
96823--- a/include/drm/ttm/ttm_page_alloc.h
96824+++ b/include/drm/ttm/ttm_page_alloc.h
96825@@ -80,6 +80,7 @@ void ttm_dma_page_alloc_fini(void);
96826 */
96827 extern int ttm_dma_page_alloc_debugfs(struct seq_file *m, void *data);
96828
96829+struct device;
96830 extern int ttm_dma_populate(struct ttm_dma_tt *ttm_dma, struct device *dev);
96831 extern void ttm_dma_unpopulate(struct ttm_dma_tt *ttm_dma, struct device *dev);
96832
96833diff --git a/include/keys/asymmetric-subtype.h b/include/keys/asymmetric-subtype.h
96834index 4b840e8..155d235 100644
96835--- a/include/keys/asymmetric-subtype.h
96836+++ b/include/keys/asymmetric-subtype.h
96837@@ -37,7 +37,7 @@ struct asymmetric_key_subtype {
96838 /* Verify the signature on a key of this subtype (optional) */
96839 int (*verify_signature)(const struct key *key,
96840 const struct public_key_signature *sig);
96841-};
96842+} __do_const;
96843
96844 /**
96845 * asymmetric_key_subtype - Get the subtype from an asymmetric key
96846diff --git a/include/linux/atmdev.h b/include/linux/atmdev.h
96847index c1da539..1dcec55 100644
96848--- a/include/linux/atmdev.h
96849+++ b/include/linux/atmdev.h
96850@@ -28,7 +28,7 @@ struct compat_atm_iobuf {
96851 #endif
96852
96853 struct k_atm_aal_stats {
96854-#define __HANDLE_ITEM(i) atomic_t i
96855+#define __HANDLE_ITEM(i) atomic_unchecked_t i
96856 __AAL_STAT_ITEMS
96857 #undef __HANDLE_ITEM
96858 };
96859@@ -200,7 +200,7 @@ struct atmdev_ops { /* only send is required */
96860 int (*change_qos)(struct atm_vcc *vcc,struct atm_qos *qos,int flags);
96861 int (*proc_read)(struct atm_dev *dev,loff_t *pos,char *page);
96862 struct module *owner;
96863-};
96864+} __do_const ;
96865
96866 struct atmphy_ops {
96867 int (*start)(struct atm_dev *dev);
96868diff --git a/include/linux/atomic.h b/include/linux/atomic.h
96869index 5b08a85..60922fb 100644
96870--- a/include/linux/atomic.h
96871+++ b/include/linux/atomic.h
96872@@ -12,7 +12,7 @@
96873 * Atomically adds @a to @v, so long as @v was not already @u.
96874 * Returns non-zero if @v was not @u, and zero otherwise.
96875 */
96876-static inline int atomic_add_unless(atomic_t *v, int a, int u)
96877+static inline int __intentional_overflow(-1) atomic_add_unless(atomic_t *v, int a, int u)
96878 {
96879 return __atomic_add_unless(v, a, u) != u;
96880 }
96881diff --git a/include/linux/audit.h b/include/linux/audit.h
96882index c2e7e3a..8bfc0e1 100644
96883--- a/include/linux/audit.h
96884+++ b/include/linux/audit.h
96885@@ -223,7 +223,7 @@ static inline void audit_ptrace(struct task_struct *t)
96886 extern unsigned int audit_serial(void);
96887 extern int auditsc_get_stamp(struct audit_context *ctx,
96888 struct timespec *t, unsigned int *serial);
96889-extern int audit_set_loginuid(kuid_t loginuid);
96890+extern int __intentional_overflow(-1) audit_set_loginuid(kuid_t loginuid);
96891
96892 static inline kuid_t audit_get_loginuid(struct task_struct *tsk)
96893 {
96894diff --git a/include/linux/binfmts.h b/include/linux/binfmts.h
96895index 576e463..28fd926 100644
96896--- a/include/linux/binfmts.h
96897+++ b/include/linux/binfmts.h
96898@@ -44,7 +44,7 @@ struct linux_binprm {
96899 unsigned interp_flags;
96900 unsigned interp_data;
96901 unsigned long loader, exec;
96902-};
96903+} __randomize_layout;
96904
96905 #define BINPRM_FLAGS_ENFORCE_NONDUMP_BIT 0
96906 #define BINPRM_FLAGS_ENFORCE_NONDUMP (1 << BINPRM_FLAGS_ENFORCE_NONDUMP_BIT)
96907@@ -77,8 +77,10 @@ struct linux_binfmt {
96908 int (*load_binary)(struct linux_binprm *);
96909 int (*load_shlib)(struct file *);
96910 int (*core_dump)(struct coredump_params *cprm);
96911+ void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
96912+ void (*handle_mmap)(struct file *);
96913 unsigned long min_coredump; /* minimal dump size */
96914-};
96915+} __do_const __randomize_layout;
96916
96917 extern void __register_binfmt(struct linux_binfmt *fmt, int insert);
96918
96919diff --git a/include/linux/bitmap.h b/include/linux/bitmap.h
96920index ea17cca..dd56e56 100644
96921--- a/include/linux/bitmap.h
96922+++ b/include/linux/bitmap.h
96923@@ -295,7 +295,7 @@ static inline int bitmap_full(const unsigned long *src, unsigned int nbits)
96924 return find_first_zero_bit(src, nbits) == nbits;
96925 }
96926
96927-static inline int bitmap_weight(const unsigned long *src, unsigned int nbits)
96928+static inline int __intentional_overflow(-1) bitmap_weight(const unsigned long *src, unsigned int nbits)
96929 {
96930 if (small_const_nbits(nbits))
96931 return hweight_long(*src & BITMAP_LAST_WORD_MASK(nbits));
96932diff --git a/include/linux/bitops.h b/include/linux/bitops.h
96933index 297f5bd..5892caa 100644
96934--- a/include/linux/bitops.h
96935+++ b/include/linux/bitops.h
96936@@ -75,7 +75,7 @@ static __inline__ int get_count_order(unsigned int count)
96937 return order;
96938 }
96939
96940-static inline unsigned long hweight_long(unsigned long w)
96941+static inline unsigned long __intentional_overflow(-1) hweight_long(unsigned long w)
96942 {
96943 return sizeof(w) == 4 ? hweight32(w) : hweight64(w);
96944 }
96945@@ -105,7 +105,7 @@ static inline __u64 ror64(__u64 word, unsigned int shift)
96946 * @word: value to rotate
96947 * @shift: bits to roll
96948 */
96949-static inline __u32 rol32(__u32 word, unsigned int shift)
96950+static inline __u32 __intentional_overflow(-1) rol32(__u32 word, unsigned int shift)
96951 {
96952 return (word << shift) | (word >> (32 - shift));
96953 }
96954@@ -115,7 +115,7 @@ static inline __u32 rol32(__u32 word, unsigned int shift)
96955 * @word: value to rotate
96956 * @shift: bits to roll
96957 */
96958-static inline __u32 ror32(__u32 word, unsigned int shift)
96959+static inline __u32 __intentional_overflow(-1) ror32(__u32 word, unsigned int shift)
96960 {
96961 return (word >> shift) | (word << (32 - shift));
96962 }
96963@@ -171,7 +171,7 @@ static inline __s32 sign_extend32(__u32 value, int index)
96964 return (__s32)(value << shift) >> shift;
96965 }
96966
96967-static inline unsigned fls_long(unsigned long l)
96968+static inline unsigned __intentional_overflow(-1) fls_long(unsigned long l)
96969 {
96970 if (sizeof(l) == 4)
96971 return fls(l);
96972diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
96973index d4068c1..77159a1 100644
96974--- a/include/linux/blkdev.h
96975+++ b/include/linux/blkdev.h
96976@@ -1567,7 +1567,7 @@ struct block_device_operations {
96977 /* this callback is with swap_lock and sometimes page table lock held */
96978 void (*swap_slot_free_notify) (struct block_device *, unsigned long);
96979 struct module *owner;
96980-};
96981+} __do_const;
96982
96983 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
96984 unsigned long);
96985diff --git a/include/linux/blktrace_api.h b/include/linux/blktrace_api.h
96986index afc1343..9735539 100644
96987--- a/include/linux/blktrace_api.h
96988+++ b/include/linux/blktrace_api.h
96989@@ -25,7 +25,7 @@ struct blk_trace {
96990 struct dentry *dropped_file;
96991 struct dentry *msg_file;
96992 struct list_head running_list;
96993- atomic_t dropped;
96994+ atomic_unchecked_t dropped;
96995 };
96996
96997 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
96998diff --git a/include/linux/cache.h b/include/linux/cache.h
96999index 17e7e82..1d7da26 100644
97000--- a/include/linux/cache.h
97001+++ b/include/linux/cache.h
97002@@ -16,6 +16,14 @@
97003 #define __read_mostly
97004 #endif
97005
97006+#ifndef __read_only
97007+#ifdef CONFIG_PAX_KERNEXEC
97008+#error KERNEXEC requires __read_only
97009+#else
97010+#define __read_only __read_mostly
97011+#endif
97012+#endif
97013+
97014 #ifndef ____cacheline_aligned
97015 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
97016 #endif
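Review bot: Without CONFIG_PAX_KERNEXEC, `__read_only` silently degrades to `__read_mostly`, so data carrying the annotation stays writable at run time and nothing in the header says so. A comment above the fallback, for example `/* without KERNEXEC this is only a placement hint, not write protection */`, would keep readers from treating the annotation as a guarantee on such builds. The `#ifndef __read_only` test also depends on the architecture header having been included before this point; that ordering is not visible in the hunk.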
97017diff --git a/include/linux/capability.h b/include/linux/capability.h
97018index af9f0b9..71a5e5c 100644
97019--- a/include/linux/capability.h
97020+++ b/include/linux/capability.h
97021@@ -237,15 +237,28 @@ static inline bool capable(int cap)
97022 {
97023 return true;
97024 }
97025+static inline bool capable_nolog(int cap)
97026+{
97027+ return true;
97028+}
97029 static inline bool ns_capable(struct user_namespace *ns, int cap)
97030 {
97031 return true;
97032 }
97033+static inline bool ns_capable_nolog(struct user_namespace *ns, int cap)
97034+{
97035+ return true;
97036+}
97037 #endif /* CONFIG_MULTIUSER */
97038 extern bool capable_wrt_inode_uidgid(const struct inode *inode, int cap);
97039+extern bool capable_wrt_inode_uidgid_nolog(const struct inode *inode, int cap);
97040 extern bool file_ns_capable(const struct file *file, struct user_namespace *ns, int cap);
97041+extern bool capable_nolog(int cap);
97042+extern bool ns_capable_nolog(struct user_namespace *ns, int cap);
97043
97044 /* audit system wants to get cap info from files as well */
97045 extern int get_vfs_caps_from_disk(const struct dentry *dentry, struct cpu_vfs_cap_data *cpu_caps);
97046
97047+extern int is_privileged_binary(const struct dentry *dentry);
97048+
97049 #endif /* !_LINUX_CAPABILITY_H */
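Review bot: `capable_nolog()` and `ns_capable_nolog()` get static inline stubs in the `!CONFIG_MULTIUSER` branch and then unconditional `extern` declarations after `#endif /* CONFIG_MULTIUSER */`, so a non-multiuser build sees both forms. C accepts an `extern` redeclaration after a `static` one, but it reads as though an out-of-line definition exists; the externs would sit better beside the existing `capable()`/`ns_capable()` declarations, which are above this hunk. None of the `_nolog` variants, nor `is_privileged_binary()`, carries a comment on what is skipped or what the return value means. Since these are authorization checks, a short note on when the non-logging form may be used (presumably to avoid log noise on probing calls) would help reviewers of future call sites.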
97050diff --git a/include/linux/cdrom.h b/include/linux/cdrom.h
97051index 8609d57..86e4d79 100644
97052--- a/include/linux/cdrom.h
97053+++ b/include/linux/cdrom.h
97054@@ -87,7 +87,6 @@ struct cdrom_device_ops {
97055
97056 /* driver specifications */
97057 const int capability; /* capability flags */
97058- int n_minors; /* number of active minor devices */
97059 /* handle uniform packets for scsi type devices (scsi,atapi) */
97060 int (*generic_packet) (struct cdrom_device_info *,
97061 struct packet_command *);
97062diff --git a/include/linux/cleancache.h b/include/linux/cleancache.h
97063index bda5ec0b4..51d8ea1 100644
97064--- a/include/linux/cleancache.h
97065+++ b/include/linux/cleancache.h
97066@@ -35,7 +35,7 @@ struct cleancache_ops {
97067 void (*invalidate_page)(int, struct cleancache_filekey, pgoff_t);
97068 void (*invalidate_inode)(int, struct cleancache_filekey);
97069 void (*invalidate_fs)(int);
97070-};
97071+} __no_const;
97072
97073 extern int cleancache_register_ops(struct cleancache_ops *ops);
97074 extern void __cleancache_init_fs(struct super_block *);
97075diff --git a/include/linux/clk-provider.h b/include/linux/clk-provider.h
97076index 78842f4..7e7f81f 100644
97077--- a/include/linux/clk-provider.h
97078+++ b/include/linux/clk-provider.h
97079@@ -196,6 +196,7 @@ struct clk_ops {
97080 void (*init)(struct clk_hw *hw);
97081 int (*debug_init)(struct clk_hw *hw, struct dentry *dentry);
97082 };
97083+typedef struct clk_ops __no_const clk_ops_no_const;
97084
97085 /**
97086 * struct clk_init_data - holds init data that's common to all clocks and is
97087diff --git a/include/linux/compat.h b/include/linux/compat.h
97088index a76c917..63b52db 100644
97089--- a/include/linux/compat.h
97090+++ b/include/linux/compat.h
97091@@ -316,7 +316,7 @@ compat_sys_get_robust_list(int pid, compat_uptr_t __user *head_ptr,
97092 compat_size_t __user *len_ptr);
97093
97094 asmlinkage long compat_sys_ipc(u32, int, int, u32, compat_uptr_t, u32);
97095-asmlinkage long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg);
97096+asmlinkage long compat_sys_shmat(int shmid, compat_uptr_t shmaddr, int shmflg) __intentional_overflow(0);
97097 asmlinkage long compat_sys_semctl(int semid, int semnum, int cmd, int arg);
97098 asmlinkage long compat_sys_msgsnd(int msqid, compat_uptr_t msgp,
97099 compat_ssize_t msgsz, int msgflg);
97100@@ -325,7 +325,7 @@ asmlinkage long compat_sys_msgrcv(int msqid, compat_uptr_t msgp,
97101 long compat_sys_msgctl(int first, int second, void __user *uptr);
97102 long compat_sys_shmctl(int first, int second, void __user *uptr);
97103 long compat_sys_semtimedop(int semid, struct sembuf __user *tsems,
97104- unsigned nsems, const struct compat_timespec __user *timeout);
97105+ compat_long_t nsems, const struct compat_timespec __user *timeout);
97106 asmlinkage long compat_sys_keyctl(u32 option,
97107 u32 arg2, u32 arg3, u32 arg4, u32 arg5);
97108 asmlinkage long compat_sys_ustat(unsigned dev, struct compat_ustat __user *u32);
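Review bot: `nsems` in the `compat_sys_semtimedop()` prototype changes from `unsigned` to the signed `compat_long_t`, so a negative count becomes representable at this interface. The definition is outside this hunk; it has to change in step, and it should reject or convert negative values before `nsems` is used as an element count. A comment on the prototype stating why the signed type is wanted would record the intent.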
97109@@ -439,7 +439,7 @@ extern int compat_ptrace_request(struct task_struct *child,
97110 extern long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
97111 compat_ulong_t addr, compat_ulong_t data);
97112 asmlinkage long compat_sys_ptrace(compat_long_t request, compat_long_t pid,
97113- compat_long_t addr, compat_long_t data);
97114+ compat_ulong_t addr, compat_ulong_t data);
97115
97116 asmlinkage long compat_sys_lookup_dcookie(u32, u32, char __user *, compat_size_t);
97117 /*
97118diff --git a/include/linux/compiler-gcc.h b/include/linux/compiler-gcc.h
97119index dfaa7b3..58cebfb 100644
97120--- a/include/linux/compiler-gcc.h
97121+++ b/include/linux/compiler-gcc.h
97122@@ -116,8 +116,8 @@
97123 */
97124 #define __pure __attribute__((pure))
97125 #define __aligned(x) __attribute__((aligned(x)))
97126-#define __printf(a, b) __attribute__((format(printf, a, b)))
97127-#define __scanf(a, b) __attribute__((format(scanf, a, b)))
97128+#define __printf(a, b) __attribute__((format(printf, a, b))) __nocapture(a, b)
97129+#define __scanf(a, b) __attribute__((format(scanf, a, b))) __nocapture(a, b)
97130 #define __attribute_const__ __attribute__((__const__))
97131 #define __maybe_unused __attribute__((unused))
97132 #define __always_unused __attribute__((unused))
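Review bot: `__printf` and `__scanf` now expand `__nocapture(a, b)` unconditionally, but the only definition of `__nocapture` in this file (in the next hunk) is guarded by `INITIFY_PLUGIN` inside `GCC_VERSION >= 40500`. Unless an empty fallback is defined elsewhere, which is not visible here, every user of `__printf` stops compiling when the plugin is off or the compiler is older. If the fallback lives in another header, a pointer comment such as `/* __nocapture falls back to empty in <header> */` next to these defines would save the next reader the search.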
97133@@ -184,9 +184,38 @@
97134 # define __compiletime_warning(message) __attribute__((warning(message)))
97135 # define __compiletime_error(message) __attribute__((error(message)))
97136 #endif /* __CHECKER__ */
97137+
97138+#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
97139+#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
97140+#define __bos0(ptr) __bos((ptr), 0)
97141+#define __bos1(ptr) __bos((ptr), 1)
97142 #endif /* GCC_VERSION >= 40300 */
97143
97144 #if GCC_VERSION >= 40500
97145+
97146+#ifdef RANDSTRUCT_PLUGIN
97147+#define __randomize_layout __attribute__((randomize_layout))
97148+#define __no_randomize_layout __attribute__((no_randomize_layout))
97149+#endif
97150+
97151+#ifdef CONSTIFY_PLUGIN
97152+#define __no_const __attribute__((no_const))
97153+#define __do_const __attribute__((do_const))
97154+#endif
97155+
97156+#ifdef SIZE_OVERFLOW_PLUGIN
97157+#define __size_overflow(...) __attribute__((size_overflow(__VA_ARGS__)))
97158+#define __intentional_overflow(...) __attribute__((intentional_overflow(__VA_ARGS__)))
97159+#endif
97160+
97161+#ifdef LATENT_ENTROPY_PLUGIN
97162+#define __latent_entropy __attribute__((latent_entropy))
97163+#endif
97164+
97165+#ifdef INITIFY_PLUGIN
97166+#define __nocapture(...) __attribute__((nocapture(__VA_ARGS__)))
97167+#endif
97168+
97169 /*
97170 * Mark a position in code as unreachable. This can be used to
97171 * suppress control flow warnings after asm blocks that transfer
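Review bot: `__alloc_size` is spelled with `__attribute(` while every other macro in this hunk uses `__attribute__(`. GCC accepts both, but the odd one out is easy to miss in grep-based audits of attribute use. I would write `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))`. The plugin-gated blocks would also benefit from a short comment saying that the empty fallbacks live in compiler.h, since nothing here defines the macros when a plugin is off.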
97172diff --git a/include/linux/compiler.h b/include/linux/compiler.h
97173index e08a6ae..2e5e776 100644
97174--- a/include/linux/compiler.h
97175+++ b/include/linux/compiler.h
97176@@ -5,11 +5,14 @@
97177
97178 #ifdef __CHECKER__
97179 # define __user __attribute__((noderef, address_space(1)))
97180+# define __force_user __force __user
97181 # define __kernel __attribute__((address_space(0)))
97182+# define __force_kernel __force __kernel
97183 # define __safe __attribute__((safe))
97184 # define __force __attribute__((force))
97185 # define __nocast __attribute__((nocast))
97186 # define __iomem __attribute__((noderef, address_space(2)))
97187+# define __force_iomem __force __iomem
97188 # define __must_hold(x) __attribute__((context(x,1,1)))
97189 # define __acquires(x) __attribute__((context(x,0,1)))
97190 # define __releases(x) __attribute__((context(x,1,0)))
97191@@ -17,21 +20,39 @@
97192 # define __release(x) __context__(x,-1)
97193 # define __cond_lock(x,c) ((c) ? ({ __acquire(x); 1; }) : 0)
97194 # define __percpu __attribute__((noderef, address_space(3)))
97195+# define __force_percpu __force __percpu
97196 # define __pmem __attribute__((noderef, address_space(5)))
97197+# define __force_pmem __force __pmem
97198 #ifdef CONFIG_SPARSE_RCU_POINTER
97199 # define __rcu __attribute__((noderef, address_space(4)))
97200+# define __force_rcu __force __rcu
97201 #else
97202 # define __rcu
97203+# define __force_rcu
97204 #endif
97205 extern void __chk_user_ptr(const volatile void __user *);
97206 extern void __chk_io_ptr(const volatile void __iomem *);
97207 #else
97208-# define __user
97209-# define __kernel
97210+# ifdef CHECKER_PLUGIN
97211+//# define __user
97212+//# define __force_user
97213+//# define __kernel
97214+//# define __force_kernel
97215+# else
97216+# ifdef STRUCTLEAK_PLUGIN
97217+# define __user __attribute__((user))
97218+# else
97219+# define __user
97220+# endif
97221+# define __force_user
97222+# define __kernel
97223+# define __force_kernel
97224+# endif
97225 # define __safe
97226 # define __force
97227 # define __nocast
97228 # define __iomem
97229+# define __force_iomem
97230 # define __chk_user_ptr(x) (void)0
97231 # define __chk_io_ptr(x) (void)0
97232 # define __builtin_warning(x, y...) (1)
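Review bot: In the `CHECKER_PLUGIN` branch the four defines are left as `//#` commented-out lines, so this header defines none of `__user`, `__force_user`, `__kernel` and `__force_kernel` there and gives no hint where they come from. Presumably the checker plugin or its command line supplies them. If so, replace the dead lines with a comment saying that, e.g. `/* __user, __kernel and their __force_ variants are provided by the checker plugin */`. As written, a build with `CHECKER_PLUGIN` defined but those definitions missing would fail far from this spot, at the first `__user` use.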
97233@@ -42,8 +63,11 @@ extern void __chk_io_ptr(const volatile void __iomem *);
97234 # define __release(x) (void)0
97235 # define __cond_lock(x,c) (c)
97236 # define __percpu
97237+# define __force_percpu
97238 # define __rcu
97239+# define __force_rcu
97240 # define __pmem
97241+# define __force_pmem
97242 #endif
97243
97244 /* Indirect macros required for expanded argument pasting, eg. __LINE__. */
97245@@ -201,27 +225,27 @@ void ftrace_likely_update(struct ftrace_branch_data *f, int val, int expect);
97246 static __always_inline void __read_once_size(const volatile void *p, void *res, int size)
97247 {
97248 switch (size) {
97249- case 1: *(__u8 *)res = *(volatile __u8 *)p; break;
97250- case 2: *(__u16 *)res = *(volatile __u16 *)p; break;
97251- case 4: *(__u32 *)res = *(volatile __u32 *)p; break;
97252- case 8: *(__u64 *)res = *(volatile __u64 *)p; break;
97253+ case 1: *(__u8 *)res = *(const volatile __u8 *)p; break;
97254+ case 2: *(__u16 *)res = *(const volatile __u16 *)p; break;
97255+ case 4: *(__u32 *)res = *(const volatile __u32 *)p; break;
97256+ case 8: *(__u64 *)res = *(const volatile __u64 *)p; break;
97257 default:
97258 barrier();
97259- __builtin_memcpy((void *)res, (const void *)p, size);
97260+ __builtin_memcpy(res, (const void *)p, size);
97261 barrier();
97262 }
97263 }
97264
97265-static __always_inline void __write_once_size(volatile void *p, void *res, int size)
97266+static __always_inline void __write_once_size(volatile void *p, const void *res, int size)
97267 {
97268 switch (size) {
97269- case 1: *(volatile __u8 *)p = *(__u8 *)res; break;
97270- case 2: *(volatile __u16 *)p = *(__u16 *)res; break;
97271- case 4: *(volatile __u32 *)p = *(__u32 *)res; break;
97272- case 8: *(volatile __u64 *)p = *(__u64 *)res; break;
97273+ case 1: *(volatile __u8 *)p = *(const __u8 *)res; break;
97274+ case 2: *(volatile __u16 *)p = *(const __u16 *)res; break;
97275+ case 4: *(volatile __u32 *)p = *(const __u32 *)res; break;
97276+ case 8: *(volatile __u64 *)p = *(const __u64 *)res; break;
97277 default:
97278 barrier();
97279- __builtin_memcpy((void *)p, (const void *)res, size);
97280+ __builtin_memcpy((void *)p, res, size);
97281 barrier();
97282 }
97283 }
97284@@ -370,6 +394,38 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
97285 # define __attribute_const__ /* unimplemented */
97286 #endif
97287
97288+#ifndef __randomize_layout
97289+# define __randomize_layout
97290+#endif
97291+
97292+#ifndef __no_randomize_layout
97293+# define __no_randomize_layout
97294+#endif
97295+
97296+#ifndef __no_const
97297+# define __no_const
97298+#endif
97299+
97300+#ifndef __do_const
97301+# define __do_const
97302+#endif
97303+
97304+#ifndef __size_overflow
97305+# define __size_overflow(...)
97306+#endif
97307+
97308+#ifndef __intentional_overflow
97309+# define __intentional_overflow(...)
97310+#endif
97311+
97312+#ifndef __latent_entropy
97313+# define __latent_entropy
97314+#endif
97315+
97316+#ifndef __nocapture
97317+# define __nocapture(...)
97318+#endif
97319+
97320 /*
97321 * Tell gcc if a function is cold. The compiler will assume any path
97322 * directly leading to the call is unlikely.
97323@@ -379,6 +435,22 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
97324 #define __cold
97325 #endif
97326
97327+#ifndef __alloc_size
97328+#define __alloc_size(...)
97329+#endif
97330+
97331+#ifndef __bos
97332+#define __bos(ptr, arg)
97333+#endif
97334+
97335+#ifndef __bos0
97336+#define __bos0(ptr)
97337+#endif
97338+
97339+#ifndef __bos1
97340+#define __bos1(ptr)
97341+#endif
97342+
97343 /* Simple shorthand for a section definition */
97344 #ifndef __section
97345 # define __section(S) __attribute__ ((__section__(#S)))
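Review bot: The fallbacks for `__bos`, `__bos0` and `__bos1` expand to nothing, like the attribute-style fallbacks added earlier in this file, yet these three are used as expressions. On a compiler that does not take the `GCC_VERSION >= 40300` definitions, an expression such as `n > __bos0(p)` no longer compiles. `__builtin_object_size` reports an unknown size as `(size_t)-1` for modes 0 and 1, so a fallback such as `#define __bos(ptr, arg) ((size_t)-1)`, with the same value for `__bos0` and `__bos1`, keeps bounds checks built on these macros well-formed and conservative.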
97346@@ -393,6 +465,8 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
97347 # define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
97348 #endif
97349
97350+#define __type_is_unsigned(t) (__same_type((t)0, 0UL) || __same_type((t)0, 0U) || __same_type((t)0, (unsigned short)0) || __same_type((t)0, (unsigned char)0))
97351+
97352 /* Is this type a native word size -- useful for atomic operations */
97353 #ifndef __native_word
97354 # define __native_word(t) (sizeof(t) == sizeof(char) || sizeof(t) == sizeof(short) || sizeof(t) == sizeof(int) || sizeof(t) == sizeof(long))
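Review bot: `__type_is_unsigned(t)` has no case for `unsigned long long`, so a 64-bit type declared that way is reported as not unsigned. `__builtin_types_compatible_p` treats `unsigned long` and `unsigned long long` as distinct types even when they have the same width, so the `0UL` test does not cover it. Adding `|| __same_type((t)0, 0ULL)` closes the gap. How the macro is consumed is outside this hunk, so the impact depends on the callers. A short comment listing which types are meant to match would also help, since plain `char` is likewise never matched.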
97355@@ -472,8 +546,9 @@ static __always_inline void __write_once_size(volatile void *p, void *res, int s
97356 */
97357 #define __ACCESS_ONCE(x) ({ \
97358 __maybe_unused typeof(x) __var = (__force typeof(x)) 0; \
97359- (volatile typeof(x) *)&(x); })
97360+ (volatile const typeof(x) *)&(x); })
97361 #define ACCESS_ONCE(x) (*__ACCESS_ONCE(x))
97362+#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
97363
97364 /**
97365 * lockless_dereference() - safely load a pointer for later dereference
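Review bot: `ACCESS_ONCE_RW(x)` leaves out the `__var` declaration that `__ACCESS_ONCE` carries just above, which upstream uses to reject non-scalar arguments, so that check no longer applies on the write path. With `ACCESS_ONCE` now yielding a const-qualified lvalue, every store has to go through the new macro, which makes it the place where an aggregate argument would slip through unnoticed. I would reuse the same statement expression without the `const`: `#define ACCESS_ONCE_RW(x) (*({ __maybe_unused typeof(x) __var = (__force typeof(x)) 0; (volatile typeof(x) *)&(x); }))`. A comment stating that `ACCESS_ONCE` is read-only after this change and `ACCESS_ONCE_RW` is for stores would also help.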
97366diff --git a/include/linux/configfs.h b/include/linux/configfs.h
97367index 63a36e8..26b0825 100644
97368--- a/include/linux/configfs.h
97369+++ b/include/linux/configfs.h
97370@@ -125,7 +125,7 @@ struct configfs_attribute {
97371 const char *ca_name;
97372 struct module *ca_owner;
97373 umode_t ca_mode;
97374-};
97375+} __do_const;
97376
97377 /*
97378 * Users often need to create attribute structures for their configurable
97379diff --git a/include/linux/cpufreq.h b/include/linux/cpufreq.h
97380index bde1e56..168de74 100644
97381--- a/include/linux/cpufreq.h
97382+++ b/include/linux/cpufreq.h
97383@@ -211,6 +211,7 @@ struct global_attr {
97384 ssize_t (*store)(struct kobject *a, struct attribute *b,
97385 const char *c, size_t count);
97386 };
97387+typedef struct global_attr __no_const global_attr_no_const;
97388
97389 #define define_one_global_ro(_name) \
97390 static struct global_attr _name = \
97391@@ -282,7 +283,7 @@ struct cpufreq_driver {
97392 bool boost_supported;
97393 bool boost_enabled;
97394 int (*set_boost)(int state);
97395-};
97396+} __do_const;
97397
97398 /* flags */
97399 #define CPUFREQ_STICKY (1 << 0) /* driver isn't removed even if
97400diff --git a/include/linux/cpuidle.h b/include/linux/cpuidle.h
97401index d075d34..3b6734a 100644
97402--- a/include/linux/cpuidle.h
97403+++ b/include/linux/cpuidle.h
97404@@ -59,7 +59,8 @@ struct cpuidle_state {
97405 void (*enter_freeze) (struct cpuidle_device *dev,
97406 struct cpuidle_driver *drv,
97407 int index);
97408-};
97409+} __do_const;
97410+typedef struct cpuidle_state __no_const cpuidle_state_no_const;
97411
97412 /* Idle State Flags */
97413 #define CPUIDLE_FLAG_COUPLED (0x02) /* state applies to multiple cpus */
97414@@ -235,7 +236,7 @@ struct cpuidle_governor {
97415 void (*reflect) (struct cpuidle_device *dev, int index);
97416
97417 struct module *owner;
97418-};
97419+} __do_const;
97420
97421 #ifdef CONFIG_CPU_IDLE
97422 extern int cpuidle_register_governor(struct cpuidle_governor *gov);
97423diff --git a/include/linux/cpumask.h b/include/linux/cpumask.h
97424index 59915ea..81ebec0 100644
97425--- a/include/linux/cpumask.h
97426+++ b/include/linux/cpumask.h
97427@@ -127,17 +127,17 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp)
97428 }
97429
97430 /* Valid inputs for n are -1 and 0. */
97431-static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
97432+static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp)
97433 {
97434 return n+1;
97435 }
97436
97437-static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
97438+static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp)
97439 {
97440 return n+1;
97441 }
97442
97443-static inline unsigned int cpumask_next_and(int n,
97444+static inline unsigned int __intentional_overflow(-1) cpumask_next_and(int n,
97445 const struct cpumask *srcp,
97446 const struct cpumask *andp)
97447 {
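Review bot: `__intentional_overflow(-1)` is added to `cpumask_next`, `cpumask_next_zero` and `cpumask_next_and` without a comment saying which overflow is expected or what the `-1` argument selects. The annotation appears to exempt the function from the size_overflow plugin's checks, so each use deserves a one-line justification above the function, along the lines of `/* size_overflow: <reason the wrap is intended> */`. The later hunks in this file have the same gap: the SMP `cpumask_next` and `cpumask_next_zero`, the `cpumask_next_and` prototype, and `cpumask_weight`, whose body gives no obvious reason for the exemption. The body of `cpumask_next_and` continues outside this hunk.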
97448@@ -181,7 +181,7 @@ static inline unsigned int cpumask_first(const struct cpumask *srcp)
97449 *
97450 * Returns >= nr_cpu_ids if no further cpus set.
97451 */
97452-static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
97453+static inline unsigned int __intentional_overflow(-1) cpumask_next(int n, const struct cpumask *srcp)
97454 {
97455 /* -1 is a legal arg here. */
97456 if (n != -1)
97457@@ -196,7 +196,7 @@ static inline unsigned int cpumask_next(int n, const struct cpumask *srcp)
97458 *
97459 * Returns >= nr_cpu_ids if no further cpus unset.
97460 */
97461-static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
97462+static inline unsigned int __intentional_overflow(-1) cpumask_next_zero(int n, const struct cpumask *srcp)
97463 {
97464 /* -1 is a legal arg here. */
97465 if (n != -1)
97466@@ -204,7 +204,7 @@ static inline unsigned int cpumask_next_zero(int n, const struct cpumask *srcp)
97467 return find_next_zero_bit(cpumask_bits(srcp), nr_cpumask_bits, n+1);
97468 }
97469
97470-int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *);
97471+int cpumask_next_and(int n, const struct cpumask *, const struct cpumask *) __intentional_overflow(-1);
97472 int cpumask_any_but(const struct cpumask *mask, unsigned int cpu);
97473 unsigned int cpumask_local_spread(unsigned int i, int node);
97474
97475@@ -471,7 +471,7 @@ static inline bool cpumask_full(const struct cpumask *srcp)
97476 * cpumask_weight - Count of bits in *srcp
97477 * @srcp: the cpumask to count bits (< nr_cpu_ids) in.
97478 */
97479-static inline unsigned int cpumask_weight(const struct cpumask *srcp)
97480+static inline unsigned int __intentional_overflow(-1) cpumask_weight(const struct cpumask *srcp)
97481 {
97482 return bitmap_weight(cpumask_bits(srcp), nr_cpumask_bits);
97483 }
97484diff --git a/include/linux/cred.h b/include/linux/cred.h
97485index 8b6c083..51cb9f5 100644
97486--- a/include/linux/cred.h
97487+++ b/include/linux/cred.h
97488@@ -35,7 +35,7 @@ struct group_info {
97489 int nblocks;
97490 kgid_t small_block[NGROUPS_SMALL];
97491 kgid_t *blocks[0];
97492-};
97493+} __randomize_layout;
97494
97495 /**
97496 * get_group_info - Get a reference to a group info structure
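Review bot: `struct group_info` ends in the zero-length array `kgid_t *blocks[0]`, and `__randomize_layout` is now applied to it. The array has to remain the last member for the allocation size and indexing to stay correct. Presumably the randstruct plugin pins a trailing flexible array in place, but nothing in this hunk shows that. It is worth confirming and noting at the struct, e.g. `/* blocks[] must stay last; confirm randomize_layout keeps trailing arrays in place */`. The struct definition starts outside this hunk.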
97497@@ -152,7 +152,7 @@ struct cred {
97498 struct user_namespace *user_ns; /* user_ns the caps and keyrings are relative to. */
97499 struct group_info *group_info; /* supplementary groups for euid/fsgid */
97500 struct rcu_head rcu; /* RCU deletion hook */
97501-};
97502+} __randomize_layout;
97503
97504 extern void __put_cred(struct cred *);
97505 extern void exit_creds(struct task_struct *);
97506@@ -210,6 +210,9 @@ static inline void validate_creds_for_do_exit(struct task_struct *tsk)
97507 static inline void validate_process_creds(void)
97508 {
97509 }
97510+static inline void validate_task_creds(struct task_struct *task)
97511+{
97512+}
97513 #endif
97514
97515 /**
97516@@ -347,6 +350,7 @@ static inline void put_cred(const struct cred *_cred)
97517
97518 #define task_uid(task) (task_cred_xxx((task), uid))
97519 #define task_euid(task) (task_cred_xxx((task), euid))
97520+#define task_securebits(task) (task_cred_xxx((task), securebits))
97521
97522 #define current_cred_xxx(xxx) \
97523 ({ \
97524diff --git a/include/linux/crypto.h b/include/linux/crypto.h
97525index 81ef938..9ec0fdb 100644
97526--- a/include/linux/crypto.h
97527+++ b/include/linux/crypto.h
97528@@ -569,7 +569,7 @@ struct cipher_tfm {
97529 const u8 *key, unsigned int keylen);
97530 void (*cit_encrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
97531 void (*cit_decrypt_one)(struct crypto_tfm *tfm, u8 *dst, const u8 *src);
97532-};
97533+} __no_const;
97534
97535 struct hash_tfm {
97536 int (*init)(struct hash_desc *desc);
97537@@ -590,7 +590,7 @@ struct compress_tfm {
97538 int (*cot_decompress)(struct crypto_tfm *tfm,
97539 const u8 *src, unsigned int slen,
97540 u8 *dst, unsigned int *dlen);
97541-};
97542+} __no_const;
97543
97544 #define crt_ablkcipher crt_u.ablkcipher
97545 #define crt_blkcipher crt_u.blkcipher
97546diff --git a/include/linux/ctype.h b/include/linux/ctype.h
97547index 653589e..4ef254a 100644
97548--- a/include/linux/ctype.h
97549+++ b/include/linux/ctype.h
97550@@ -56,7 +56,7 @@ static inline unsigned char __toupper(unsigned char c)
97551 * Fast implementation of tolower() for internal usage. Do not use in your
97552 * code.
97553 */
97554-static inline char _tolower(const char c)
97555+static inline unsigned char _tolower(const unsigned char c)
97556 {
97557 return c | 0x20;
97558 }
97559diff --git a/include/linux/dcache.h b/include/linux/dcache.h
97560index d67ae11..9ec20d2 100644
97561--- a/include/linux/dcache.h
97562+++ b/include/linux/dcache.h
97563@@ -123,6 +123,9 @@ struct dentry {
97564 unsigned long d_time; /* used by d_revalidate */
97565 void *d_fsdata; /* fs-specific data */
97566
97567+#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
97568+ atomic_t chroot_refcnt; /* tracks use of directory in chroot */
97569+#endif
97570 struct list_head d_lru; /* LRU list */
97571 struct list_head d_child; /* child of parent list */
97572 struct list_head d_subdirs; /* our children */
97573@@ -133,7 +136,7 @@ struct dentry {
97574 struct hlist_node d_alias; /* inode alias list */
97575 struct rcu_head d_rcu;
97576 } d_u;
97577-};
97578+} __randomize_layout;
97579
97580 /*
97581 * dentry->d_lock spinlock nesting subclasses:
97582@@ -321,7 +324,7 @@ extern struct dentry *__d_lookup_rcu(const struct dentry *parent,
97583
97584 static inline unsigned d_count(const struct dentry *dentry)
97585 {
97586- return dentry->d_lockref.count;
97587+ return __lockref_read(&dentry->d_lockref);
97588 }
97589
97590 /*
97591@@ -350,7 +353,7 @@ extern char *dentry_path(struct dentry *, char *, int);
97592 static inline struct dentry *dget_dlock(struct dentry *dentry)
97593 {
97594 if (dentry)
97595- dentry->d_lockref.count++;
97596+ __lockref_inc(&dentry->d_lockref);
97597 return dentry;
97598 }
97599
97600diff --git a/include/linux/decompress/mm.h b/include/linux/decompress/mm.h
97601index 7925bf0..d5143d2 100644
97602--- a/include/linux/decompress/mm.h
97603+++ b/include/linux/decompress/mm.h
97604@@ -77,7 +77,7 @@ static void free(void *where)
97605 * warnings when not needed (indeed large_malloc / large_free are not
97606 * needed by inflate */
97607
97608-#define malloc(a) kmalloc(a, GFP_KERNEL)
97609+#define malloc(a) kmalloc((a), GFP_KERNEL)
97610 #define free(a) kfree(a)
97611
97612 #define large_malloc(a) vmalloc(a)
97613diff --git a/include/linux/devfreq.h b/include/linux/devfreq.h
97614index ce447f0..83c66bd 100644
97615--- a/include/linux/devfreq.h
97616+++ b/include/linux/devfreq.h
97617@@ -114,7 +114,7 @@ struct devfreq_governor {
97618 int (*get_target_freq)(struct devfreq *this, unsigned long *freq);
97619 int (*event_handler)(struct devfreq *devfreq,
97620 unsigned int event, void *data);
97621-};
97622+} __do_const;
97623
97624 /**
97625 * struct devfreq - Device devfreq structure
97626diff --git a/include/linux/device.h b/include/linux/device.h
97627index a2b4ea7..b07dddd 100644
97628--- a/include/linux/device.h
97629+++ b/include/linux/device.h
97630@@ -342,7 +342,7 @@ struct subsys_interface {
97631 struct list_head node;
97632 int (*add_dev)(struct device *dev, struct subsys_interface *sif);
97633 int (*remove_dev)(struct device *dev, struct subsys_interface *sif);
97634-};
97635+} __do_const;
97636
97637 int subsys_interface_register(struct subsys_interface *sif);
97638 void subsys_interface_unregister(struct subsys_interface *sif);
97639@@ -538,7 +538,7 @@ struct device_type {
97640 void (*release)(struct device *dev);
97641
97642 const struct dev_pm_ops *pm;
97643-};
97644+} __do_const;
97645
97646 /* interface for exporting device attributes */
97647 struct device_attribute {
97648@@ -548,11 +548,12 @@ struct device_attribute {
97649 ssize_t (*store)(struct device *dev, struct device_attribute *attr,
97650 const char *buf, size_t count);
97651 };
97652+typedef struct device_attribute __no_const device_attribute_no_const;
97653
97654 struct dev_ext_attribute {
97655 struct device_attribute attr;
97656 void *var;
97657-};
97658+} __do_const;
97659
97660 ssize_t device_show_ulong(struct device *dev, struct device_attribute *attr,
97661 char *buf);
97662diff --git a/include/linux/dma-mapping.h b/include/linux/dma-mapping.h
97663index ac07ff0..edff186 100644
97664--- a/include/linux/dma-mapping.h
97665+++ b/include/linux/dma-mapping.h
97666@@ -64,7 +64,7 @@ struct dma_map_ops {
97667 u64 (*get_required_mask)(struct device *dev);
97668 #endif
97669 int is_phys;
97670-};
97671+} __do_const;
97672
97673 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
97674
97675diff --git a/include/linux/efi.h b/include/linux/efi.h
97676index 85ef051..2714c3b 100644
97677--- a/include/linux/efi.h
97678+++ b/include/linux/efi.h
97679@@ -1073,6 +1073,7 @@ struct efivar_operations {
97680 efi_set_variable_nonblocking_t *set_variable_nonblocking;
97681 efi_query_variable_store_t *query_variable_store;
97682 };
97683+typedef struct efivar_operations __no_const efivar_operations_no_const;
97684
97685 struct efivars {
97686 /*
97687diff --git a/include/linux/elf.h b/include/linux/elf.h
97688index 20fa8d8..3d0dd18 100644
97689--- a/include/linux/elf.h
97690+++ b/include/linux/elf.h
97691@@ -29,6 +29,7 @@ extern Elf32_Dyn _DYNAMIC [];
97692 #define elf_note elf32_note
97693 #define elf_addr_t Elf32_Off
97694 #define Elf_Half Elf32_Half
97695+#define elf_dyn Elf32_Dyn
97696
97697 #else
97698
97699@@ -39,6 +40,7 @@ extern Elf64_Dyn _DYNAMIC [];
97700 #define elf_note elf64_note
97701 #define elf_addr_t Elf64_Off
97702 #define Elf_Half Elf64_Half
97703+#define elf_dyn Elf64_Dyn
97704
97705 #endif
97706
97707diff --git a/include/linux/err.h b/include/linux/err.h
97708index a729120..6ede2c9 100644
97709--- a/include/linux/err.h
97710+++ b/include/linux/err.h
97711@@ -20,12 +20,12 @@
97712
97713 #define IS_ERR_VALUE(x) unlikely((x) >= (unsigned long)-MAX_ERRNO)
97714
97715-static inline void * __must_check ERR_PTR(long error)
97716+static inline void * __must_check __intentional_overflow(-1) ERR_PTR(long error)
97717 {
97718 return (void *) error;
97719 }
97720
97721-static inline long __must_check PTR_ERR(__force const void *ptr)
97722+static inline long __must_check __intentional_overflow(-1) PTR_ERR(__force const void *ptr)
97723 {
97724 return (long) ptr;
97725 }
97726diff --git a/include/linux/extcon.h b/include/linux/extcon.h
97727index b16d929..d389bf1 100644
97728--- a/include/linux/extcon.h
97729+++ b/include/linux/extcon.h
97730@@ -120,7 +120,7 @@ struct extcon_dev {
97731 /* /sys/class/extcon/.../mutually_exclusive/... */
97732 struct attribute_group attr_g_muex;
97733 struct attribute **attrs_muex;
97734- struct device_attribute *d_attrs_muex;
97735+ device_attribute_no_const *d_attrs_muex;
97736 };
97737
97738 /**
97739diff --git a/include/linux/fb.h b/include/linux/fb.h
97740index 043f328..180ccbf 100644
97741--- a/include/linux/fb.h
97742+++ b/include/linux/fb.h
97743@@ -305,7 +305,8 @@ struct fb_ops {
97744 /* called at KDB enter and leave time to prepare the console */
97745 int (*fb_debug_enter)(struct fb_info *info);
97746 int (*fb_debug_leave)(struct fb_info *info);
97747-};
97748+} __do_const;
97749+typedef struct fb_ops __no_const fb_ops_no_const;
97750
97751 #ifdef CONFIG_FB_TILEBLITTING
97752 #define FB_TILE_CURSOR_NONE 0
97753diff --git a/include/linux/fdtable.h b/include/linux/fdtable.h
97754index fbb8874..15c61e7 100644
97755--- a/include/linux/fdtable.h
97756+++ b/include/linux/fdtable.h
97757@@ -103,7 +103,7 @@ struct files_struct *get_files_struct(struct task_struct *);
97758 void put_files_struct(struct files_struct *fs);
97759 void reset_files_struct(struct files_struct *);
97760 int unshare_files(struct files_struct **);
97761-struct files_struct *dup_fd(struct files_struct *, int *);
97762+struct files_struct *dup_fd(struct files_struct *, int *) __latent_entropy;
97763 void do_close_on_exec(struct files_struct *);
97764 int iterate_fd(struct files_struct *, unsigned,
97765 int (*)(const void *, struct file *, unsigned),
97766diff --git a/include/linux/fs.h b/include/linux/fs.h
97767index 84b783f..b31767d 100644
97768--- a/include/linux/fs.h
97769+++ b/include/linux/fs.h
97770@@ -439,7 +439,7 @@ struct address_space {
97771 spinlock_t private_lock; /* for use by the address_space */
97772 struct list_head private_list; /* ditto */
97773 void *private_data; /* ditto */
97774-} __attribute__((aligned(sizeof(long))));
97775+} __attribute__((aligned(sizeof(long)))) __randomize_layout;
97776 /*
97777 * On most architectures that alignment is already the case; but
97778 * must be enforced here for CRIS, to let the least significant bit
97779@@ -482,7 +482,7 @@ struct block_device {
97780 int bd_fsfreeze_count;
97781 /* Mutex for freeze */
97782 struct mutex bd_fsfreeze_mutex;
97783-};
97784+} __randomize_layout;
97785
97786 /*
97787 * Radix-tree tags, for tagging dirty and writeback pages within the pagecache
97788@@ -677,7 +677,7 @@ struct inode {
97789 #endif
97790
97791 void *i_private; /* fs or device private pointer */
97792-};
97793+} __randomize_layout;
97794
97795 static inline int inode_unhashed(struct inode *inode)
97796 {
97797@@ -872,7 +872,7 @@ struct file {
97798 struct list_head f_tfile_llink;
97799 #endif /* #ifdef CONFIG_EPOLL */
97800 struct address_space *f_mapping;
97801-} __attribute__((aligned(4))); /* lest something weird decides that 2 is OK */
97802+} __attribute__((aligned(4))) __randomize_layout; /* lest something weird decides that 2 is OK */
97803
97804 struct file_handle {
97805 __u32 handle_bytes;
97806@@ -1001,7 +1001,7 @@ struct file_lock {
97807 int state; /* state of grant or error if -ve */
97808 } afs;
97809 } fl_u;
97810-};
97811+} __randomize_layout;
97812
97813 struct file_lock_context {
97814 spinlock_t flc_lock;
97815@@ -1380,7 +1380,7 @@ struct super_block {
97816 * Indicates how deep in a filesystem stack this SB is
97817 */
97818 int s_stack_depth;
97819-};
97820+} __randomize_layout;
97821
97822 extern struct timespec current_fs_time(struct super_block *sb);
97823
97824@@ -1632,7 +1632,8 @@ struct file_operations {
97825 #ifndef CONFIG_MMU
97826 unsigned (*mmap_capabilities)(struct file *);
97827 #endif
97828-};
97829+} __do_const __randomize_layout;
97830+typedef struct file_operations __no_const file_operations_no_const;
97831
97832 struct inode_operations {
97833 struct dentry * (*lookup) (struct inode *,struct dentry *, unsigned int);
97834@@ -2341,7 +2342,7 @@ extern int register_chrdev_region(dev_t, unsigned, const char *);
97835 extern int __register_chrdev(unsigned int major, unsigned int baseminor,
97836 unsigned int count, const char *name,
97837 const struct file_operations *fops);
97838-extern void __unregister_chrdev(unsigned int major, unsigned int baseminor,
97839+extern __nocapture(4) void __unregister_chrdev(unsigned int major, unsigned int baseminor,
97840 unsigned int count, const char *name);
97841 extern void unregister_chrdev_region(dev_t, unsigned);
97842 extern void chrdev_show(struct seq_file *,off_t);
97843@@ -3041,4 +3042,14 @@ static inline bool dir_relax(struct inode *inode)
97844 return !IS_DEADDIR(inode);
97845 }
97846
97847+static inline bool is_sidechannel_device(const struct inode *inode)
97848+{
97849+#ifdef CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL
97850+ umode_t mode = inode->i_mode;
97851+ return ((S_ISCHR(mode) || S_ISBLK(mode)) && (mode & (S_IROTH | S_IWOTH)));
97852+#else
97853+ return false;
97854+#endif
97855+}
97856+
97857 #endif /* _LINUX_FS_H */
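Review bot: `is_sidechannel_device()` is added without a comment, and the policy it encodes is not obvious from the name. It returns true for a character or block device inode whose mode has `S_IROTH` or `S_IWOTH` set, and false whenever `CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL` is off. The check looks only at the mode bits, so access granted through group permissions or ACLs is not covered; if that is intended it should be stated. I would add a kernel-doc block saying what the predicate means and that callers use it to suppress events on such inodes, as the fsnotify.h hunks in this patch do. As a style point, `if (!IS_ENABLED(CONFIG_GRKERNSEC_DEVICE_SIDECHANNEL)) return false;` keeps both branches visible to the compiler instead of an `#ifdef` inside the body.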
97858diff --git a/include/linux/fs_struct.h b/include/linux/fs_struct.h
97859index 0efc3e6..fd23610 100644
97860--- a/include/linux/fs_struct.h
97861+++ b/include/linux/fs_struct.h
97862@@ -6,13 +6,13 @@
97863 #include <linux/seqlock.h>
97864
97865 struct fs_struct {
97866- int users;
97867+ atomic_t users;
97868 spinlock_t lock;
97869 seqcount_t seq;
97870 int umask;
97871 int in_exec;
97872 struct path root, pwd;
97873-};
97874+} __randomize_layout;
97875
97876 extern struct kmem_cache *fs_cachep;
97877
97878diff --git a/include/linux/fscache-cache.h b/include/linux/fscache-cache.h
97879index 604e152..5954d0d 100644
97880--- a/include/linux/fscache-cache.h
97881+++ b/include/linux/fscache-cache.h
97882@@ -117,7 +117,7 @@ struct fscache_operation {
97883 fscache_operation_release_t release;
97884 };
97885
97886-extern atomic_t fscache_op_debug_id;
97887+extern atomic_unchecked_t fscache_op_debug_id;
97888 extern void fscache_op_work_func(struct work_struct *work);
97889
97890 extern void fscache_enqueue_operation(struct fscache_operation *);
97891diff --git a/include/linux/fscache.h b/include/linux/fscache.h
97892index 115bb81..e7b812b 100644
97893--- a/include/linux/fscache.h
97894+++ b/include/linux/fscache.h
97895@@ -152,7 +152,7 @@ struct fscache_cookie_def {
97896 * - this is mandatory for any object that may have data
97897 */
97898 void (*now_uncached)(void *cookie_netfs_data);
97899-};
97900+} __do_const;
97901
97902 /*
97903 * fscache cached network filesystem type
97904diff --git a/include/linux/fsnotify.h b/include/linux/fsnotify.h
97905index 7ee1774..72505b8 100644
97906--- a/include/linux/fsnotify.h
97907+++ b/include/linux/fsnotify.h
97908@@ -197,6 +197,9 @@ static inline void fsnotify_access(struct file *file)
97909 struct inode *inode = file_inode(file);
97910 __u32 mask = FS_ACCESS;
97911
97912+ if (is_sidechannel_device(inode))
97913+ return;
97914+
97915 if (S_ISDIR(inode->i_mode))
97916 mask |= FS_ISDIR;
97917
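Review bot: The early `return` drops the `FS_ACCESS` event for every listener on a device node that `is_sidechannel_device()` matches, including privileged monitoring that relies on inotify or fanotify, and nothing at the call site says so. If the aim is to keep unprivileged watchers from observing access timing, a comment should record that trade-off, e.g. `/* no access events on world-accessible devices: timing side channel */`, so that whoever debugs missing events finds the cause. The same check is added to `fsnotify_modify` in the next hunk. Whether other notification hooks are covered is not visible in these hunks, and the bodies of both functions continue outside them.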
97918@@ -215,6 +218,9 @@ static inline void fsnotify_modify(struct file *file)
97919 struct inode *inode = file_inode(file);
97920 __u32 mask = FS_MODIFY;
97921
97922+ if (is_sidechannel_device(inode))
97923+ return;
97924+
97925 if (S_ISDIR(inode->i_mode))
97926 mask |= FS_ISDIR;
97927
97928@@ -317,7 +323,7 @@ static inline void fsnotify_change(struct dentry *dentry, unsigned int ia_valid)
97929 */
97930 static inline const unsigned char *fsnotify_oldname_init(const unsigned char *name)
97931 {
97932- return kstrdup(name, GFP_KERNEL);
97933+ return (const unsigned char *)kstrdup((const char *)name, GFP_KERNEL);
97934 }
97935
97936 /*
97937diff --git a/include/linux/genhd.h b/include/linux/genhd.h
97938index ec274e0..e678159 100644
97939--- a/include/linux/genhd.h
97940+++ b/include/linux/genhd.h
97941@@ -194,7 +194,7 @@ struct gendisk {
97942 struct kobject *slave_dir;
97943
97944 struct timer_rand_state *random;
97945- atomic_t sync_io; /* RAID */
97946+ atomic_unchecked_t sync_io; /* RAID */
97947 struct disk_events *ev;
97948 #ifdef CONFIG_BLK_DEV_INTEGRITY
97949 struct blk_integrity *integrity;
97950@@ -435,7 +435,7 @@ extern void disk_flush_events(struct gendisk *disk, unsigned int mask);
97951 extern unsigned int disk_clear_events(struct gendisk *disk, unsigned int mask);
97952
97953 /* drivers/char/random.c */
97954-extern void add_disk_randomness(struct gendisk *disk);
97955+extern void add_disk_randomness(struct gendisk *disk) __latent_entropy;
97956 extern void rand_initialize_disk(struct gendisk *disk);
97957
97958 static inline sector_t get_start_sect(struct block_device *bdev)
97959diff --git a/include/linux/genl_magic_func.h b/include/linux/genl_magic_func.h
97960index 667c311..abac2a7 100644
97961--- a/include/linux/genl_magic_func.h
97962+++ b/include/linux/genl_magic_func.h
97963@@ -246,7 +246,7 @@ const char *CONCAT_(GENL_MAGIC_FAMILY, _genl_cmd_to_str)(__u8 cmd)
97964 },
97965
97966 #define ZZZ_genl_ops CONCAT_(GENL_MAGIC_FAMILY, _genl_ops)
97967-static struct genl_ops ZZZ_genl_ops[] __read_mostly = {
97968+static struct genl_ops ZZZ_genl_ops[] = {
97969 #include GENL_MAGIC_INCLUDE_FILE
97970 };
97971
97972diff --git a/include/linux/gfp.h b/include/linux/gfp.h
97973index ad35f30..30b1916 100644
97974--- a/include/linux/gfp.h
97975+++ b/include/linux/gfp.h
97976@@ -35,6 +35,13 @@ struct vm_area_struct;
97977 #define ___GFP_NO_KSWAPD 0x400000u
97978 #define ___GFP_OTHER_NODE 0x800000u
97979 #define ___GFP_WRITE 0x1000000u
97980+
97981+#ifdef CONFIG_PAX_USERCOPY_SLABS
97982+#define ___GFP_USERCOPY 0x2000000u
97983+#else
97984+#define ___GFP_USERCOPY 0
97985+#endif
97986+
97987 /* If the above are modified, __GFP_BITS_SHIFT may need updating */
97988
97989 /*
97990@@ -94,6 +101,7 @@ struct vm_area_struct;
97991 #define __GFP_NO_KSWAPD ((__force gfp_t)___GFP_NO_KSWAPD)
97992 #define __GFP_OTHER_NODE ((__force gfp_t)___GFP_OTHER_NODE) /* On behalf of other node */
97993 #define __GFP_WRITE ((__force gfp_t)___GFP_WRITE) /* Allocator intends to dirty page */
97994+#define __GFP_USERCOPY ((__force gfp_t)___GFP_USERCOPY)/* Allocator intends to copy page to/from userland */
97995
97996 /*
97997 * This may seem redundant, but it's a way of annotating false positives vs.
97998@@ -101,7 +109,7 @@ struct vm_area_struct;
97999 */
98000 #define __GFP_NOTRACK_FALSE_POSITIVE (__GFP_NOTRACK)
98001
98002-#define __GFP_BITS_SHIFT 25 /* Room for N __GFP_FOO bits */
98003+#define __GFP_BITS_SHIFT 26 /* Room for N __GFP_FOO bits */
98004 #define __GFP_BITS_MASK ((__force gfp_t)((1 << __GFP_BITS_SHIFT) - 1))
98005
98006 /* This equals 0, but use constants in case they ever change */
98007@@ -146,6 +154,8 @@ struct vm_area_struct;
98008 /* 4GB DMA on some platforms */
98009 #define GFP_DMA32 __GFP_DMA32
98010
98011+#define GFP_USERCOPY __GFP_USERCOPY
98012+
98013 /* Convert GFP flags to their corresponding migrate type */
98014 static inline int gfpflags_to_migratetype(const gfp_t gfp_flags)
98015 {
98016diff --git a/include/linux/gracl.h b/include/linux/gracl.h
98017new file mode 100644
98018index 0000000..91858e4
98019--- /dev/null
98020+++ b/include/linux/gracl.h
98021@@ -0,0 +1,342 @@
98022+#ifndef GR_ACL_H
98023+#define GR_ACL_H
98024+
98025+#include <linux/grdefs.h>
98026+#include <linux/resource.h>
98027+#include <linux/capability.h>
98028+#include <linux/dcache.h>
98029+#include <asm/resource.h>
98030+
98031+/* Major status information */
98032+
98033+#define GR_VERSION "grsecurity 3.1"
98034+#define GRSECURITY_VERSION 0x3100
98035+
98036+enum {
98037+ GR_SHUTDOWN = 0,
98038+ GR_ENABLE = 1,
98039+ GR_SPROLE = 2,
98040+ GR_OLDRELOAD = 3,
98041+ GR_SEGVMOD = 4,
98042+ GR_STATUS = 5,
98043+ GR_UNSPROLE = 6,
98044+ GR_PASSSET = 7,
98045+ GR_SPROLEPAM = 8,
98046+ GR_RELOAD = 9,
98047+};
98048+
98049+/* Password setup definitions
98050+ * kernel/grhash.c */
98051+enum {
98052+ GR_PW_LEN = 128,
98053+ GR_SALT_LEN = 16,
98054+ GR_SHA_LEN = 32,
98055+};
98056+
98057+enum {
98058+ GR_SPROLE_LEN = 64,
98059+};
98060+
98061+enum {
98062+ GR_NO_GLOB = 0,
98063+ GR_REG_GLOB,
98064+ GR_CREATE_GLOB
98065+};
98066+
98067+#define GR_NLIMITS 32
98068+
98069+/* Begin Data Structures */
98070+
98071+struct sprole_pw {
98072+ unsigned char *rolename;
98073+ unsigned char salt[GR_SALT_LEN];
98074+ unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
98075+};
98076+
98077+struct name_entry {
98078+ __u32 key;
98079+ u64 inode;
98080+ dev_t device;
98081+ char *name;
98082+ __u16 len;
98083+ __u8 deleted;
98084+ struct name_entry *prev;
98085+ struct name_entry *next;
98086+};
98087+
98088+struct inodev_entry {
98089+ struct name_entry *nentry;
98090+ struct inodev_entry *prev;
98091+ struct inodev_entry *next;
98092+};
98093+
98094+struct acl_role_db {
98095+ struct acl_role_label **r_hash;
98096+ __u32 r_size;
98097+};
98098+
98099+struct inodev_db {
98100+ struct inodev_entry **i_hash;
98101+ __u32 i_size;
98102+};
98103+
98104+struct name_db {
98105+ struct name_entry **n_hash;
98106+ __u32 n_size;
98107+};
98108+
98109+struct crash_uid {
98110+ uid_t uid;
98111+ unsigned long expires;
98112+};
98113+
98114+struct gr_hash_struct {
98115+ void **table;
98116+ void **nametable;
98117+ void *first;
98118+ __u32 table_size;
98119+ __u32 used_size;
98120+ int type;
98121+};
98122+
98123+/* Userspace Grsecurity ACL data structures */
98124+
98125+struct acl_subject_label {
98126+ char *filename;
98127+ u64 inode;
98128+ dev_t device;
98129+ __u32 mode;
98130+ kernel_cap_t cap_mask;
98131+ kernel_cap_t cap_lower;
98132+ kernel_cap_t cap_invert_audit;
98133+
98134+ struct rlimit res[GR_NLIMITS];
98135+ __u32 resmask;
98136+
98137+ __u8 user_trans_type;
98138+ __u8 group_trans_type;
98139+ uid_t *user_transitions;
98140+ gid_t *group_transitions;
98141+ __u16 user_trans_num;
98142+ __u16 group_trans_num;
98143+
98144+ __u32 sock_families[2];
98145+ __u32 ip_proto[8];
98146+ __u32 ip_type;
98147+ struct acl_ip_label **ips;
98148+ __u32 ip_num;
98149+ __u32 inaddr_any_override;
98150+
98151+ __u32 crashes;
98152+ unsigned long expires;
98153+
98154+ struct acl_subject_label *parent_subject;
98155+ struct gr_hash_struct *hash;
98156+ struct acl_subject_label *prev;
98157+ struct acl_subject_label *next;
98158+
98159+ struct acl_object_label **obj_hash;
98160+ __u32 obj_hash_size;
98161+ __u16 pax_flags;
98162+};
98163+
98164+struct role_allowed_ip {
98165+ __u32 addr;
98166+ __u32 netmask;
98167+
98168+ struct role_allowed_ip *prev;
98169+ struct role_allowed_ip *next;
98170+};
98171+
98172+struct role_transition {
98173+ char *rolename;
98174+
98175+ struct role_transition *prev;
98176+ struct role_transition *next;
98177+};
98178+
98179+struct acl_role_label {
98180+ char *rolename;
98181+ uid_t uidgid;
98182+ __u16 roletype;
98183+
98184+ __u16 auth_attempts;
98185+ unsigned long expires;
98186+
98187+ struct acl_subject_label *root_label;
98188+ struct gr_hash_struct *hash;
98189+
98190+ struct acl_role_label *prev;
98191+ struct acl_role_label *next;
98192+
98193+ struct role_transition *transitions;
98194+ struct role_allowed_ip *allowed_ips;
98195+ uid_t *domain_children;
98196+ __u16 domain_child_num;
98197+
98198+ umode_t umask;
98199+
98200+ struct acl_subject_label **subj_hash;
98201+ __u32 subj_hash_size;
98202+};
98203+
98204+struct user_acl_role_db {
98205+ struct acl_role_label **r_table;
98206+ __u32 num_pointers; /* Number of allocations to track */
98207+ __u32 num_roles; /* Number of roles */
98208+ __u32 num_domain_children; /* Number of domain children */
98209+ __u32 num_subjects; /* Number of subjects */
98210+ __u32 num_objects; /* Number of objects */
98211+};
98212+
98213+struct acl_object_label {
98214+ char *filename;
98215+ u64 inode;
98216+ dev_t device;
98217+ __u32 mode;
98218+
98219+ struct acl_subject_label *nested;
98220+ struct acl_object_label *globbed;
98221+
98222+ /* next two structures not used */
98223+
98224+ struct acl_object_label *prev;
98225+ struct acl_object_label *next;
98226+};
98227+
98228+struct acl_ip_label {
98229+ char *iface;
98230+ __u32 addr;
98231+ __u32 netmask;
98232+ __u16 low, high;
98233+ __u8 mode;
98234+ __u32 type;
98235+ __u32 proto[8];
98236+
98237+ /* next two structures not used */
98238+
98239+ struct acl_ip_label *prev;
98240+ struct acl_ip_label *next;
98241+};
98242+
98243+struct gr_arg {
98244+ struct user_acl_role_db role_db;
98245+ unsigned char pw[GR_PW_LEN];
98246+ unsigned char salt[GR_SALT_LEN];
98247+ unsigned char sum[GR_SHA_LEN];
98248+ unsigned char sp_role[GR_SPROLE_LEN];
98249+ struct sprole_pw *sprole_pws;
98250+ dev_t segv_device;
98251+ u64 segv_inode;
98252+ uid_t segv_uid;
98253+ __u16 num_sprole_pws;
98254+ __u16 mode;
98255+};
98256+
98257+struct gr_arg_wrapper {
98258+ struct gr_arg *arg;
98259+ __u32 version;
98260+ __u32 size;
98261+};
98262+
98263+struct subject_map {
98264+ struct acl_subject_label *user;
98265+ struct acl_subject_label *kernel;
98266+ struct subject_map *prev;
98267+ struct subject_map *next;
98268+};
98269+
98270+struct acl_subj_map_db {
98271+ struct subject_map **s_hash;
98272+ __u32 s_size;
98273+};
98274+
98275+struct gr_policy_state {
98276+ struct sprole_pw **acl_special_roles;
98277+ __u16 num_sprole_pws;
98278+ struct acl_role_label *kernel_role;
98279+ struct acl_role_label *role_list;
98280+ struct acl_role_label *default_role;
98281+ struct acl_role_db acl_role_set;
98282+ struct acl_subj_map_db subj_map_set;
98283+ struct name_db name_set;
98284+ struct inodev_db inodev_set;
98285+};
98286+
98287+struct gr_alloc_state {
98288+ unsigned long alloc_stack_next;
98289+ unsigned long alloc_stack_size;
98290+ void **alloc_stack;
98291+};
98292+
98293+struct gr_reload_state {
98294+ struct gr_policy_state oldpolicy;
98295+ struct gr_alloc_state oldalloc;
98296+ struct gr_policy_state newpolicy;
98297+ struct gr_alloc_state newalloc;
98298+ struct gr_policy_state *oldpolicy_ptr;
98299+ struct gr_alloc_state *oldalloc_ptr;
98300+ unsigned char oldmode;
98301+};
98302+
98303+/* End Data Structures Section */
98304+
98305+/* Hash functions generated by empirical testing by Brad Spengler
98306+ Makes good use of the low bits of the inode. Generally 0-1 times
98307+ in loop for successful match. 0-3 for unsuccessful match.
98308+ Shift/add algorithm with modulus of table size and an XOR*/
98309+
98310+static __inline__ unsigned int
98311+gr_rhash(const uid_t uid, const __u16 type, const unsigned int sz)
98312+{
98313+ return ((((uid + type) << (16 + type)) ^ uid) % sz);
98314+}
98315+
98316+ static __inline__ unsigned int
98317+gr_shash(const struct acl_subject_label *userp, const unsigned int sz)
98318+{
98319+ return ((const unsigned long)userp % sz);
98320+}
98321+
98322+static __inline__ unsigned int
98323+gr_fhash(const u64 ino, const dev_t dev, const unsigned int sz)
98324+{
98325+ unsigned int rem;
98326+ div_u64_rem((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9)), sz, &rem);
98327+ return rem;
98328+}
98329+
98330+static __inline__ unsigned int
98331+gr_nhash(const char *name, const __u16 len, const unsigned int sz)
98332+{
98333+ return full_name_hash((const unsigned char *)name, len) % sz;
98334+}
98335+
98336+#define FOR_EACH_SUBJECT_START(role,subj,iter) \
98337+ subj = NULL; \
98338+ iter = 0; \
98339+ while (iter < role->subj_hash_size) { \
98340+ if (subj == NULL) \
98341+ subj = role->subj_hash[iter]; \
98342+ if (subj == NULL) { \
98343+ iter++; \
98344+ continue; \
98345+ }
98346+
98347+#define FOR_EACH_SUBJECT_END(subj,iter) \
98348+ subj = subj->next; \
98349+ if (subj == NULL) \
98350+ iter++; \
98351+ }
98352+
98353+
98354+#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
98355+ subj = role->hash->first; \
98356+ while (subj != NULL) {
98357+
98358+#define FOR_EACH_NESTED_SUBJECT_END(subj) \
98359+ subj = subj->next; \
98360+ }
98361+
98362+#endif
98363+
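Review bot: `gr_rhash()` shifts by `16 + type`, which is undefined once `type` reaches 16 because `uid + type` is a 32-bit unsigned value, and all four `gr_*hash()` helpers reduce modulo `sz` with no guard against a zero table size. The callers are outside this hunk, so the inputs may already be restricted; if they are, state the contract above the helpers, for example `/* callers must pass type < 16 and sz != 0 */`. The `FOR_EACH_SUBJECT_START`/`FOR_EACH_SUBJECT_END` pair hides a `while` loop whose advance step (`subj = subj->next`) sits in the END macro, so a `continue` written between the two skips the advance and revisits the same subject indefinitely. That hazard should be documented on the macro, e.g. `/* do not use continue inside the body: the iterator advances in FOR_EACH_SUBJECT_END */`. The macro arguments `role` and `subj` are also expanded unparenthesized.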
98364diff --git a/include/linux/gracl_compat.h b/include/linux/gracl_compat.h
98365new file mode 100644
98366index 0000000..af64092
98367--- /dev/null
98368+++ b/include/linux/gracl_compat.h
98369@@ -0,0 +1,156 @@
98370+#ifndef GR_ACL_COMPAT_H
98371+#define GR_ACL_COMPAT_H
98372+
98373+#include <linux/resource.h>
98374+#include <asm/resource.h>
98375+
98376+struct sprole_pw_compat {
98377+ compat_uptr_t rolename;
98378+ unsigned char salt[GR_SALT_LEN];
98379+ unsigned char sum[GR_SHA_LEN];
98380+};
98381+
98382+struct gr_hash_struct_compat {
98383+ compat_uptr_t table;
98384+ compat_uptr_t nametable;
98385+ compat_uptr_t first;
98386+ __u32 table_size;
98387+ __u32 used_size;
98388+ int type;
98389+};
98390+
98391+struct acl_subject_label_compat {
98392+ compat_uptr_t filename;
98393+ compat_u64 inode;
98394+ __u32 device;
98395+ __u32 mode;
98396+ kernel_cap_t cap_mask;
98397+ kernel_cap_t cap_lower;
98398+ kernel_cap_t cap_invert_audit;
98399+
98400+ struct compat_rlimit res[GR_NLIMITS];
98401+ __u32 resmask;
98402+
98403+ __u8 user_trans_type;
98404+ __u8 group_trans_type;
98405+ compat_uptr_t user_transitions;
98406+ compat_uptr_t group_transitions;
98407+ __u16 user_trans_num;
98408+ __u16 group_trans_num;
98409+
98410+ __u32 sock_families[2];
98411+ __u32 ip_proto[8];
98412+ __u32 ip_type;
98413+ compat_uptr_t ips;
98414+ __u32 ip_num;
98415+ __u32 inaddr_any_override;
98416+
98417+ __u32 crashes;
98418+ compat_ulong_t expires;
98419+
98420+ compat_uptr_t parent_subject;
98421+ compat_uptr_t hash;
98422+ compat_uptr_t prev;
98423+ compat_uptr_t next;
98424+
98425+ compat_uptr_t obj_hash;
98426+ __u32 obj_hash_size;
98427+ __u16 pax_flags;
98428+};
98429+
98430+struct role_allowed_ip_compat {
98431+ __u32 addr;
98432+ __u32 netmask;
98433+
98434+ compat_uptr_t prev;
98435+ compat_uptr_t next;
98436+};
98437+
98438+struct role_transition_compat {
98439+ compat_uptr_t rolename;
98440+
98441+ compat_uptr_t prev;
98442+ compat_uptr_t next;
98443+};
98444+
98445+struct acl_role_label_compat {
98446+ compat_uptr_t rolename;
98447+ uid_t uidgid;
98448+ __u16 roletype;
98449+
98450+ __u16 auth_attempts;
98451+ compat_ulong_t expires;
98452+
98453+ compat_uptr_t root_label;
98454+ compat_uptr_t hash;
98455+
98456+ compat_uptr_t prev;
98457+ compat_uptr_t next;
98458+
98459+ compat_uptr_t transitions;
98460+ compat_uptr_t allowed_ips;
98461+ compat_uptr_t domain_children;
98462+ __u16 domain_child_num;
98463+
98464+ umode_t umask;
98465+
98466+ compat_uptr_t subj_hash;
98467+ __u32 subj_hash_size;
98468+};
98469+
98470+struct user_acl_role_db_compat {
98471+ compat_uptr_t r_table;
98472+ __u32 num_pointers;
98473+ __u32 num_roles;
98474+ __u32 num_domain_children;
98475+ __u32 num_subjects;
98476+ __u32 num_objects;
98477+};
98478+
98479+struct acl_object_label_compat {
98480+ compat_uptr_t filename;
98481+ compat_u64 inode;
98482+ __u32 device;
98483+ __u32 mode;
98484+
98485+ compat_uptr_t nested;
98486+ compat_uptr_t globbed;
98487+
98488+ compat_uptr_t prev;
98489+ compat_uptr_t next;
98490+};
98491+
98492+struct acl_ip_label_compat {
98493+ compat_uptr_t iface;
98494+ __u32 addr;
98495+ __u32 netmask;
98496+ __u16 low, high;
98497+ __u8 mode;
98498+ __u32 type;
98499+ __u32 proto[8];
98500+
98501+ compat_uptr_t prev;
98502+ compat_uptr_t next;
98503+};
98504+
98505+struct gr_arg_compat {
98506+ struct user_acl_role_db_compat role_db;
98507+ unsigned char pw[GR_PW_LEN];
98508+ unsigned char salt[GR_SALT_LEN];
98509+ unsigned char sum[GR_SHA_LEN];
98510+ unsigned char sp_role[GR_SPROLE_LEN];
98511+ compat_uptr_t sprole_pws;
98512+ __u32 segv_device;
98513+ compat_u64 segv_inode;
98514+ uid_t segv_uid;
98515+ __u16 num_sprole_pws;
98516+ __u16 mode;
98517+};
98518+
98519+struct gr_arg_wrapper_compat {
98520+ compat_uptr_t arg;
98521+ __u32 version;
98522+ __u32 size;
98523+};
98524+
98525+#endif
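Review bot: This header is not self-contained: it uses `GR_SALT_LEN`, `GR_SHA_LEN`, `GR_PW_LEN`, `GR_SPROLE_LEN`, `GR_NLIMITS`, `kernel_cap_t` and the `compat_*` types but includes only the two resource headers, so it compiles only if the includer has already pulled in `linux/gracl.h` and the compat definitions. Adding `#include <linux/compat.h>` and `#include <linux/gracl.h>` after the guard would make that dependency explicit. Each struct here mirrors one in gracl.h field for field, presumably so a policy supplied by a 32-bit process can be converted. A comment at the top such as `/* must be kept in sync with the native layouts in gracl.h */` would help, because a field added on one side only would silently shift every later member during that conversion, which is done outside this hunk.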
98526diff --git a/include/linux/gralloc.h b/include/linux/gralloc.h
98527new file mode 100644
98528index 0000000..323ecf2
98529--- /dev/null
98530+++ b/include/linux/gralloc.h
98531@@ -0,0 +1,9 @@
98532+#ifndef __GRALLOC_H
98533+#define __GRALLOC_H
98534+
98535+void acl_free_all(void);
98536+int acl_alloc_stack_init(unsigned long size);
98537+void *acl_alloc(unsigned long len);
98538+void *acl_alloc_num(unsigned long num, unsigned long len);
98539+
98540+#endif
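Review bot: The four prototypes carry no contract, which matters because they size and hand out memory for policy data. Nothing says what `acl_alloc()` and `acl_alloc_num()` return on failure, or whether `acl_alloc_num(num, len)` rejects a `num * len` product that overflows `unsigned long`. The implementation is outside this hunk and may already handle both, so a comment on the declaration is enough, for example `/* returns NULL on failure or if num * len would overflow */` above `acl_alloc_num`. It would also help to say on `acl_free_all()` whether it is the only way memory from these allocators is released, which the names suggest but the header does not state.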
98541diff --git a/include/linux/grdefs.h b/include/linux/grdefs.h
98542new file mode 100644
98543index 0000000..be66033
98544--- /dev/null
98545+++ b/include/linux/grdefs.h
98546@@ -0,0 +1,140 @@
98547+#ifndef GRDEFS_H
98548+#define GRDEFS_H
98549+
98550+/* Begin grsecurity status declarations */
98551+
98552+enum {
98553+ GR_READY = 0x01,
98554+ GR_STATUS_INIT = 0x00 // disabled state
98555+};
98556+
98557+/* Begin ACL declarations */
98558+
98559+/* Role flags */
98560+
98561+enum {
98562+ GR_ROLE_USER = 0x0001,
98563+ GR_ROLE_GROUP = 0x0002,
98564+ GR_ROLE_DEFAULT = 0x0004,
98565+ GR_ROLE_SPECIAL = 0x0008,
98566+ GR_ROLE_AUTH = 0x0010,
98567+ GR_ROLE_NOPW = 0x0020,
98568+ GR_ROLE_GOD = 0x0040,
98569+ GR_ROLE_LEARN = 0x0080,
98570+ GR_ROLE_TPE = 0x0100,
98571+ GR_ROLE_DOMAIN = 0x0200,
98572+ GR_ROLE_PAM = 0x0400,
98573+ GR_ROLE_PERSIST = 0x0800
98574+};
98575+
98576+/* ACL Subject and Object mode flags */
98577+enum {
98578+ GR_DELETED = 0x80000000
98579+};
98580+
98581+/* ACL Object-only mode flags */
98582+enum {
98583+ GR_READ = 0x00000001,
98584+ GR_APPEND = 0x00000002,
98585+ GR_WRITE = 0x00000004,
98586+ GR_EXEC = 0x00000008,
98587+ GR_FIND = 0x00000010,
98588+ GR_INHERIT = 0x00000020,
98589+ GR_SETID = 0x00000040,
98590+ GR_CREATE = 0x00000080,
98591+ GR_DELETE = 0x00000100,
98592+ GR_LINK = 0x00000200,
98593+ GR_AUDIT_READ = 0x00000400,
98594+ GR_AUDIT_APPEND = 0x00000800,
98595+ GR_AUDIT_WRITE = 0x00001000,
98596+ GR_AUDIT_EXEC = 0x00002000,
98597+ GR_AUDIT_FIND = 0x00004000,
98598+ GR_AUDIT_INHERIT= 0x00008000,
98599+ GR_AUDIT_SETID = 0x00010000,
98600+ GR_AUDIT_CREATE = 0x00020000,
98601+ GR_AUDIT_DELETE = 0x00040000,
98602+ GR_AUDIT_LINK = 0x00080000,
98603+ GR_PTRACERD = 0x00100000,
98604+ GR_NOPTRACE = 0x00200000,
98605+ GR_SUPPRESS = 0x00400000,
98606+ GR_NOLEARN = 0x00800000,
98607+ GR_INIT_TRANSFER= 0x01000000
98608+};
98609+
98610+#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
98611+ GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
98612+ GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
98613+
98614+/* ACL subject-only mode flags */
98615+enum {
98616+ GR_KILL = 0x00000001,
98617+ GR_VIEW = 0x00000002,
98618+ GR_PROTECTED = 0x00000004,
98619+ GR_LEARN = 0x00000008,
98620+ GR_OVERRIDE = 0x00000010,
98621+ /* just a placeholder, this mode is only used in userspace */
98622+ GR_DUMMY = 0x00000020,
98623+ GR_PROTSHM = 0x00000040,
98624+ GR_KILLPROC = 0x00000080,
98625+ GR_KILLIPPROC = 0x00000100,
98626+ /* just a placeholder, this mode is only used in userspace */
98627+ GR_NOTROJAN = 0x00000200,
98628+ GR_PROTPROCFD = 0x00000400,
98629+ GR_PROCACCT = 0x00000800,
98630+ GR_RELAXPTRACE = 0x00001000,
98631+ //GR_NESTED = 0x00002000,
98632+ GR_INHERITLEARN = 0x00004000,
98633+ GR_PROCFIND = 0x00008000,
98634+ GR_POVERRIDE = 0x00010000,
98635+ GR_KERNELAUTH = 0x00020000,
98636+ GR_ATSECURE = 0x00040000,
98637+ GR_SHMEXEC = 0x00080000
98638+};
98639+
98640+enum {
98641+ GR_PAX_ENABLE_SEGMEXEC = 0x0001,
98642+ GR_PAX_ENABLE_PAGEEXEC = 0x0002,
98643+ GR_PAX_ENABLE_MPROTECT = 0x0004,
98644+ GR_PAX_ENABLE_RANDMMAP = 0x0008,
98645+ GR_PAX_ENABLE_EMUTRAMP = 0x0010,
98646+ GR_PAX_DISABLE_SEGMEXEC = 0x0100,
98647+ GR_PAX_DISABLE_PAGEEXEC = 0x0200,
98648+ GR_PAX_DISABLE_MPROTECT = 0x0400,
98649+ GR_PAX_DISABLE_RANDMMAP = 0x0800,
98650+ GR_PAX_DISABLE_EMUTRAMP = 0x1000,
98651+};
98652+
98653+enum {
98654+ GR_ID_USER = 0x01,
98655+ GR_ID_GROUP = 0x02,
98656+};
98657+
98658+enum {
98659+ GR_ID_ALLOW = 0x01,
98660+ GR_ID_DENY = 0x02,
98661+};
98662+
98663+#define GR_CRASH_RES 31
98664+#define GR_UIDTABLE_MAX 500
98665+
98666+/* begin resource learning section */
98667+enum {
98668+ GR_RLIM_CPU_BUMP = 60,
98669+ GR_RLIM_FSIZE_BUMP = 50000,
98670+ GR_RLIM_DATA_BUMP = 10000,
98671+ GR_RLIM_STACK_BUMP = 1000,
98672+ GR_RLIM_CORE_BUMP = 10000,
98673+ GR_RLIM_RSS_BUMP = 500000,
98674+ GR_RLIM_NPROC_BUMP = 1,
98675+ GR_RLIM_NOFILE_BUMP = 5,
98676+ GR_RLIM_MEMLOCK_BUMP = 50000,
98677+ GR_RLIM_AS_BUMP = 500000,
98678+ GR_RLIM_LOCKS_BUMP = 2,
98679+ GR_RLIM_SIGPENDING_BUMP = 5,
98680+ GR_RLIM_MSGQUEUE_BUMP = 10000,
98681+ GR_RLIM_NICE_BUMP = 1,
98682+ GR_RLIM_RTPRIO_BUMP = 1,
98683+ GR_RLIM_RTTIME_BUMP = 1000000
98684+};
98685+
98686+#endif
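Review bot: `GR_DELETED = 0x80000000` does not fit in `int`, and ISO C requires enumerator values to be representable as `int`; GCC accepts it as an extension, but the constant's type then differs from every other flag in the file. Since it is presumably tested against the `__u32 mode` fields declared in gracl.h, `#define GR_DELETED 0x80000000U` states the intended type directly. In the subject-mode enum the commented-out `//GR_NESTED = 0x00002000,` should either be dropped or replaced by a comment such as `/* 0x00002000 reserved (was GR_NESTED) */`, so the gap in the bit assignments is not mistaken for a free bit.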
98687diff --git a/include/linux/grinternal.h b/include/linux/grinternal.h
98688new file mode 100644
98689index 0000000..6245f9e
98690--- /dev/null
98691+++ b/include/linux/grinternal.h
98692@@ -0,0 +1,230 @@
98693+#ifndef __GRINTERNAL_H
98694+#define __GRINTERNAL_H
98695+
98696+#ifdef CONFIG_GRKERNSEC
98697+
98698+#include <linux/fs.h>
98699+#include <linux/mnt_namespace.h>
98700+#include <linux/nsproxy.h>
98701+#include <linux/gracl.h>
98702+#include <linux/grdefs.h>
98703+#include <linux/grmsg.h>
98704+
98705+void gr_add_learn_entry(const char *fmt, ...)
98706+ __attribute__ ((format (printf, 1, 2)));
98707+__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
98708+ const struct vfsmount *mnt);
98709+__u32 gr_check_create(const struct dentry *new_dentry,
98710+ const struct dentry *parent,
98711+ const struct vfsmount *mnt, const __u32 mode);
98712+int gr_check_protected_task(const struct task_struct *task);
98713+__u32 to_gr_audit(const __u32 reqmode);
98714+int gr_set_acls(const int type);
98715+int gr_acl_is_enabled(void);
98716+char gr_roletype_to_char(void);
98717+
98718+void gr_handle_alertkill(struct task_struct *task);
98719+char *gr_to_filename(const struct dentry *dentry,
98720+ const struct vfsmount *mnt);
98721+char *gr_to_filename1(const struct dentry *dentry,
98722+ const struct vfsmount *mnt);
98723+char *gr_to_filename2(const struct dentry *dentry,
98724+ const struct vfsmount *mnt);
98725+char *gr_to_filename3(const struct dentry *dentry,
98726+ const struct vfsmount *mnt);
98727+
98728+extern int grsec_enable_ptrace_readexec;
98729+extern int grsec_enable_harden_ptrace;
98730+extern int grsec_enable_link;
98731+extern int grsec_enable_fifo;
98732+extern int grsec_enable_execve;
98733+extern int grsec_enable_shm;
98734+extern int grsec_enable_execlog;
98735+extern int grsec_enable_signal;
98736+extern int grsec_enable_audit_ptrace;
98737+extern int grsec_enable_forkfail;
98738+extern int grsec_enable_time;
98739+extern int grsec_enable_rofs;
98740+extern int grsec_deny_new_usb;
98741+extern int grsec_enable_chroot_shmat;
98742+extern int grsec_enable_chroot_mount;
98743+extern int grsec_enable_chroot_double;
98744+extern int grsec_enable_chroot_pivot;
98745+extern int grsec_enable_chroot_chdir;
98746+extern int grsec_enable_chroot_chmod;
98747+extern int grsec_enable_chroot_mknod;
98748+extern int grsec_enable_chroot_fchdir;
98749+extern int grsec_enable_chroot_nice;
98750+extern int grsec_enable_chroot_execlog;
98751+extern int grsec_enable_chroot_caps;
98752+extern int grsec_enable_chroot_rename;
98753+extern int grsec_enable_chroot_sysctl;
98754+extern int grsec_enable_chroot_unix;
98755+extern int grsec_enable_symlinkown;
98756+extern kgid_t grsec_symlinkown_gid;
98757+extern int grsec_enable_tpe;
98758+extern kgid_t grsec_tpe_gid;
98759+extern int grsec_enable_tpe_all;
98760+extern int grsec_enable_tpe_invert;
98761+extern int grsec_enable_socket_all;
98762+extern kgid_t grsec_socket_all_gid;
98763+extern int grsec_enable_socket_client;
98764+extern kgid_t grsec_socket_client_gid;
98765+extern int grsec_enable_socket_server;
98766+extern kgid_t grsec_socket_server_gid;
98767+extern kgid_t grsec_audit_gid;
98768+extern int grsec_enable_group;
98769+extern int grsec_enable_log_rwxmaps;
98770+extern int grsec_enable_mount;
98771+extern int grsec_enable_chdir;
98772+extern int grsec_resource_logging;
98773+extern int grsec_enable_blackhole;
98774+extern int grsec_lastack_retries;
98775+extern int grsec_enable_brute;
98776+extern int grsec_enable_harden_ipc;
98777+extern int grsec_lock;
98778+
98779+extern spinlock_t grsec_alert_lock;
98780+extern unsigned long grsec_alert_wtime;
98781+extern unsigned long grsec_alert_fyet;
98782+
98783+extern spinlock_t grsec_audit_lock;
98784+
98785+extern rwlock_t grsec_exec_file_lock;
98786+
98787+#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
98788+ gr_to_filename2((tsk)->exec_file->f_path.dentry, \
98789+ (tsk)->exec_file->f_path.mnt) : "/")
98790+
98791+#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
98792+ gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
98793+ (tsk)->real_parent->exec_file->f_path.mnt) : "/")
98794+
98795+#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
98796+ gr_to_filename((tsk)->exec_file->f_path.dentry, \
98797+ (tsk)->exec_file->f_path.mnt) : "/")
98798+
98799+#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
98800+ gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
98801+ (tsk)->real_parent->exec_file->f_path.mnt) : "/")
98802+
98803+#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
98804+
98805+#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
98806+
98807+static inline bool gr_is_same_file(const struct file *file1, const struct file *file2)
98808+{
98809+ if (file1 && file2) {
98810+ const struct inode *inode1 = file1->f_path.dentry->d_inode;
98811+ const struct inode *inode2 = file2->f_path.dentry->d_inode;
98812+ if (inode1->i_ino == inode2->i_ino && inode1->i_sb->s_dev == inode2->i_sb->s_dev)
98813+ return true;
98814+ }
98815+
98816+ return false;
98817+}
98818+
98819+#define GR_CHROOT_CAPS {{ \
98820+ CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
98821+ CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
98822+ CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
98823+ CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
98824+ CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
98825+ CAP_TO_MASK(CAP_IPC_OWNER) | CAP_TO_MASK(CAP_SETFCAP), \
98826+ CAP_TO_MASK(CAP_SYSLOG) | CAP_TO_MASK(CAP_MAC_ADMIN) }}
98827+
98828+#define security_learn(normal_msg,args...) \
98829+({ \
98830+ read_lock(&grsec_exec_file_lock); \
98831+ gr_add_learn_entry(normal_msg "\n", ## args); \
98832+ read_unlock(&grsec_exec_file_lock); \
98833+})
98834+
98835+enum {
98836+ GR_DO_AUDIT,
98837+ GR_DONT_AUDIT,
98838+ /* used for non-audit messages that we shouldn't kill the task on */
98839+ GR_DONT_AUDIT_GOOD
98840+};
98841+
98842+enum {
98843+ GR_TTYSNIFF,
98844+ GR_RBAC,
98845+ GR_RBAC_STR,
98846+ GR_STR_RBAC,
98847+ GR_RBAC_MODE2,
98848+ GR_RBAC_MODE3,
98849+ GR_FILENAME,
98850+ GR_SYSCTL_HIDDEN,
98851+ GR_NOARGS,
98852+ GR_ONE_INT,
98853+ GR_ONE_INT_TWO_STR,
98854+ GR_ONE_STR,
98855+ GR_STR_INT,
98856+ GR_TWO_STR_INT,
98857+ GR_TWO_INT,
98858+ GR_TWO_U64,
98859+ GR_THREE_INT,
98860+ GR_FIVE_INT_TWO_STR,
98861+ GR_TWO_STR,
98862+ GR_THREE_STR,
98863+ GR_FOUR_STR,
98864+ GR_STR_FILENAME,
98865+ GR_FILENAME_STR,
98866+ GR_FILENAME_TWO_INT,
98867+ GR_FILENAME_TWO_INT_STR,
98868+ GR_TEXTREL,
98869+ GR_PTRACE,
98870+ GR_RESOURCE,
98871+ GR_CAP,
98872+ GR_SIG,
98873+ GR_SIG2,
98874+ GR_CRASH1,
98875+ GR_CRASH2,
98876+ GR_PSACCT,
98877+ GR_RWXMAP,
98878+ GR_RWXMAPVMA
98879+};
98880+
98881+#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
98882+#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
98883+#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
98884+#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
98885+#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
98886+#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
98887+#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
98888+#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
98889+#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
98890+#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
98891+#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
98892+#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
98893+#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
98894+#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
98895+#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
98896+#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
98897+#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
98898+#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
98899+#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
98900+#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
98901+#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
98902+#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
98903+#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
98904+#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
98905+#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
98906+#define gr_log_textrel_ulong_ulong(audit, msg, str, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, str, file, ulong1, ulong2)
98907+#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
98908+#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
98909+#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
98910+#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
98911+#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
98912+#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
98913+#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
98914+#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
98915+#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
98916+#define gr_log_rwxmap_vma(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAPVMA, str)
98917+
98918+void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
98919+
98920+#endif
98921+
98922+#endif
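Review bot: `gr_log_int5_str2` is tagged `GR_FIVE_INT_TWO_STR` but forwards only two integers and two strings, and `gr_log_varargs()` is a plain variadic keyed on an integer tag, so the compiler cannot check that a wrapper passes what the consumer reads with `va_arg` for that tag. The consumer is outside this hunk; if it does read two integers, the macro needs a comment such as `/* despite the name, takes two ints and two strings */`, otherwise the arity is a defect in the audit-log path. `gr_add_learn_entry` above carries `__attribute__ ((format (printf, 1, 2)))`, but the log wrappers have no equivalent check, so a comment listing the expected argument types per tag next to the enum would be the minimum. Separately, the `gr_task_fullpath*` and `gr_parent_task_fullpath*` macros dereference `(tsk)->exec_file` and `(tsk)->real_parent` without stating which lock the caller must hold, whereas `security_learn` takes `grsec_exec_file_lock` itself; the locking requirement should be written above those macros.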
98923diff --git a/include/linux/grmsg.h b/include/linux/grmsg.h
98924new file mode 100644
98925index 0000000..3092b3c
98926--- /dev/null
98927+++ b/include/linux/grmsg.h
98928@@ -0,0 +1,118 @@
98929+#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
98930+#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
98931+#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
98932+#define GR_STOPMOD_MSG "denied modification of module state by "
98933+#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
98934+#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
98935+#define GR_IOPERM_MSG "denied use of ioperm() by "
98936+#define GR_IOPL_MSG "denied use of iopl() by "
98937+#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
98938+#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
98939+#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
98940+#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
98941+#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
98942+#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
98943+#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
98944+#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
98945+#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
98946+#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
98947+#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
98948+#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
98949+#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
98950+#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
98951+#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
98952+#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
98953+#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
98954+#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
98955+#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
98956+#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
98957+#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
98958+#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
98959+#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
98960+#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
98961+#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
98962+#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
98963+#define GR_EXEC_TPE_MSG "denied untrusted exec (due to %.70s) of %.950s by "
98964+#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
98965+#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
98966+#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
98967+#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
98968+#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
98969+#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
98970+#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
98971+#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
98972+#define GR_CHROOT_RENAME_MSG "denied bad rename of %.950s out of a chroot by "
98973+#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
98974+#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
98975+#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
98976+#define GR_CHROOT_FHANDLE_MSG "denied use of file handles inside chroot by "
98977+#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
98978+#define GR_SETXATTR_ACL_MSG "%s setting extended attribute of %.950s by "
98979+#define GR_REMOVEXATTR_ACL_MSG "%s removing extended attribute of %.950s by "
98980+#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
98981+#define GR_INITF_ACL_MSG "init_variables() failed %s by "
98982+#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
98983+#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbage by "
98984+#define GR_SHUTS_ACL_MSG "shutdown auth success for "
98985+#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
98986+#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
98987+#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
98988+#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
98989+#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
98990+#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
98991+#define GR_ENABLEF_ACL_MSG "unable to load %s for "
98992+#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
98993+#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
98994+#define GR_RELOADF_ACL_MSG "failed reload of %s for "
98995+#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
98996+#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
98997+#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
98998+#define GR_SPROLEF_ACL_MSG "special role %s failure for "
98999+#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
99000+#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
99001+#define GR_INVMODE_ACL_MSG "invalid mode %d by "
99002+#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
99003+#define GR_FAILFORK_MSG "failed fork with errno %s by "
99004+#define GR_NICE_CHROOT_MSG "denied priority change by "
99005+#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
99006+#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
99007+#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
99008+#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
99009+#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
99010+#define GR_TIME_MSG "time set by "
99011+#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
99012+#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
99013+#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
99014+#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
99015+#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
99016+#define GR_BIND_MSG "denied bind() by "
99017+#define GR_CONNECT_MSG "denied connect() by "
99018+#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
99019+#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
99020+#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
99021+#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
99022+#define GR_CAP_ACL_MSG "use of %s denied for "
99023+#define GR_CAP_CHROOT_MSG "use of %s in chroot denied for "
99024+#define GR_CAP_ACL_MSG2 "use of %s permitted for "
99025+#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
99026+#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
99027+#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
99028+#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
99029+#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
99030+#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
99031+#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
99032+#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
99033+#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
99034+#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
99035+#define GR_TEXTREL_AUDIT_MSG "allowed %s text relocation transition in %.950s, VMA:0x%08lx 0x%08lx by "
99036+#define GR_PTGNUSTACK_MSG "denied marking stack executable as requested by PT_GNU_STACK marking in %.950s by "
99037+#define GR_VM86_MSG "denied use of vm86 by "
99038+#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
99039+#define GR_PTRACE_READEXEC_MSG "denied ptrace of unreadable binary %.950s by "
99040+#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
99041+#define GR_BADPROCPID_MSG "denied read of sensitive /proc/pid/%s entry via fd passed across exec by "
99042+#define GR_SYMLINKOWNER_MSG "denied following symlink %.950s since symlink owner %u does not match target owner %u, by "
99043+#define GR_BRUTE_DAEMON_MSG "bruteforce prevention initiated for the next 30 minutes or until service restarted, stalling each fork 30 seconds. Please investigate the crash report for "
99044+#define GR_BRUTE_SUID_MSG "bruteforce prevention initiated due to crash of %.950s against uid %u, banning suid/sgid execs for %u minutes. Please investigate the crash report for "
99045+#define GR_IPC_DENIED_MSG "denied %s of overly-permissive IPC object with creator uid %u by "
99046+#define GR_MSRWRITE_MSG "denied write to CPU MSR by "
99047diff --git a/include/linux/grsecurity.h b/include/linux/grsecurity.h
99048new file mode 100644
99049index 0000000..0ea4a82
99050--- /dev/null
99051+++ b/include/linux/grsecurity.h
99052@@ -0,0 +1,255 @@
99053+#ifndef GR_SECURITY_H
99054+#define GR_SECURITY_H
99055+#include <linux/fs.h>
99056+#include <linux/fs_struct.h>
99057+#include <linux/binfmts.h>
99058+#include <linux/gracl.h>
99059+
99060+/* notify of brain-dead configs */
99061+#if defined(CONFIG_DEBUG_FS) && defined(CONFIG_GRKERNSEC_KMEM)
99062+#error "CONFIG_DEBUG_FS being enabled is a security risk when CONFIG_GRKERNSEC_KMEM is enabled"
99063+#endif
99064+#if defined(CONFIG_PROC_PAGE_MONITOR) && defined(CONFIG_GRKERNSEC)
99065+#error "CONFIG_PROC_PAGE_MONITOR is a security risk"
99066+#endif
99067+#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
99068+#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
99069+#endif
99070+#if defined(CONFIG_GRKERNSEC_PROC) && !defined(CONFIG_GRKERNSEC_PROC_USER) && !defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
99071+#error "CONFIG_GRKERNSEC_PROC enabled, but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP enabled"
99072+#endif
99073+#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
99074+#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
99075+#endif
99076+#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
99077+#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
99078+#endif
99079+#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
99080+#error "CONFIG_PAX enabled, but no PaX options are enabled."
99081+#endif
99082+
99083+int gr_handle_new_usb(void);
99084+
99085+void gr_handle_brute_attach(int dumpable);
99086+void gr_handle_brute_check(void);
99087+void gr_handle_kernel_exploit(void);
99088+
99089+char gr_roletype_to_char(void);
99090+
99091+int gr_proc_is_restricted(void);
99092+
99093+int gr_acl_enable_at_secure(void);
99094+
99095+int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs);
99096+int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs);
99097+
99098+int gr_learn_cap(const struct task_struct *task, const struct cred *cred, const int cap);
99099+
99100+void gr_del_task_from_ip_table(struct task_struct *p);
99101+
99102+int gr_pid_is_chrooted(struct task_struct *p);
99103+int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
99104+int gr_handle_chroot_nice(void);
99105+int gr_handle_chroot_sysctl(const int op);
99106+int gr_handle_chroot_setpriority(struct task_struct *p,
99107+ const int niceval);
99108+int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
99109+int gr_chroot_fhandle(void);
99110+int gr_handle_chroot_chroot(const struct dentry *dentry,
99111+ const struct vfsmount *mnt);
99112+void gr_handle_chroot_chdir(const struct path *path);
99113+int gr_handle_chroot_chmod(const struct dentry *dentry,
99114+ const struct vfsmount *mnt, const int mode);
99115+int gr_handle_chroot_mknod(const struct dentry *dentry,
99116+ const struct vfsmount *mnt, const int mode);
99117+int gr_handle_chroot_mount(const struct dentry *dentry,
99118+ const struct vfsmount *mnt,
99119+ const char *dev_name);
99120+int gr_handle_chroot_pivot(void);
99121+int gr_handle_chroot_unix(const pid_t pid);
99122+
99123+int gr_handle_rawio(const struct inode *inode);
99124+
99125+void gr_handle_ioperm(void);
99126+void gr_handle_iopl(void);
99127+void gr_handle_msr_write(void);
99128+
99129+umode_t gr_acl_umask(void);
99130+
99131+int gr_tpe_allow(const struct file *file);
99132+
99133+void gr_set_chroot_entries(struct task_struct *task, const struct path *path);
99134+void gr_clear_chroot_entries(struct task_struct *task);
99135+
99136+void gr_log_forkfail(const int retval);
99137+void gr_log_timechange(void);
99138+void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
99139+void gr_log_chdir(const struct dentry *dentry,
99140+ const struct vfsmount *mnt);
99141+void gr_log_chroot_exec(const struct dentry *dentry,
99142+ const struct vfsmount *mnt);
99143+void gr_log_remount(const char *devname, const int retval);
99144+void gr_log_unmount(const char *devname, const int retval);
99145+void gr_log_mount(const char *from, struct path *to, const int retval);
99146+void gr_log_textrel(struct vm_area_struct *vma, bool is_textrel_rw);
99147+void gr_log_ptgnustack(struct file *file);
99148+void gr_log_rwxmmap(struct file *file);
99149+void gr_log_rwxmprotect(struct vm_area_struct *vma);
99150+
99151+int gr_handle_follow_link(const struct dentry *dentry,
99152+ const struct vfsmount *mnt);
99153+int gr_handle_fifo(const struct dentry *dentry,
99154+ const struct vfsmount *mnt,
99155+ const struct dentry *dir, const int flag,
99156+ const int acc_mode);
99157+int gr_handle_hardlink(const struct dentry *dentry,
99158+ const struct vfsmount *mnt,
99159+ const struct filename *to);
99160+
99161+int gr_is_capable(const int cap);
99162+int gr_is_capable_nolog(const int cap);
99163+int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, const int cap);
99164+int gr_task_is_capable_nolog(const struct task_struct *task, const int cap);
99165+
99166+void gr_copy_label(struct task_struct *tsk);
99167+void gr_handle_crash(struct task_struct *task, const int sig);
99168+int gr_handle_signal(const struct task_struct *p, const int sig);
99169+int gr_check_crash_uid(const kuid_t uid);
99170+int gr_check_protected_task(const struct task_struct *task);
99171+int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
99172+int gr_acl_handle_mmap(const struct file *file,
99173+ const unsigned long prot);
99174+int gr_acl_handle_mprotect(const struct file *file,
99175+ const unsigned long prot);
99176+int gr_check_hidden_task(const struct task_struct *tsk);
99177+__u32 gr_acl_handle_truncate(const struct dentry *dentry,
99178+ const struct vfsmount *mnt);
99179+__u32 gr_acl_handle_utime(const struct dentry *dentry,
99180+ const struct vfsmount *mnt);
99181+__u32 gr_acl_handle_access(const struct dentry *dentry,
99182+ const struct vfsmount *mnt, const int fmode);
99183+__u32 gr_acl_handle_chmod(const struct dentry *dentry,
99184+ const struct vfsmount *mnt, umode_t *mode);
99185+__u32 gr_acl_handle_chown(const struct dentry *dentry,
99186+ const struct vfsmount *mnt);
99187+__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
99188+ const struct vfsmount *mnt);
99189+__u32 gr_acl_handle_removexattr(const struct dentry *dentry,
99190+ const struct vfsmount *mnt);
99191+int gr_handle_ptrace(struct task_struct *task, const long request);
99192+int gr_handle_proc_ptrace(struct task_struct *task);
99193+__u32 gr_acl_handle_execve(const struct dentry *dentry,
99194+ const struct vfsmount *mnt);
99195+int gr_check_crash_exec(const struct file *filp);
99196+int gr_acl_is_enabled(void);
99197+void gr_set_role_label(struct task_struct *task, const kuid_t uid,
99198+ const kgid_t gid);
99199+int gr_set_proc_label(const struct dentry *dentry,
99200+ const struct vfsmount *mnt,
99201+ const int unsafe_flags);
99202+__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
99203+ const struct vfsmount *mnt);
99204+__u32 gr_acl_handle_open(const struct dentry *dentry,
99205+ const struct vfsmount *mnt, int acc_mode);
99206+__u32 gr_acl_handle_creat(const struct dentry *dentry,
99207+ const struct dentry *p_dentry,
99208+ const struct vfsmount *p_mnt,
99209+ int open_flags, int acc_mode, const int imode);
99210+void gr_handle_create(const struct dentry *dentry,
99211+ const struct vfsmount *mnt);
99212+void gr_handle_proc_create(const struct dentry *dentry,
99213+ const struct inode *inode);
99214+__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
99215+ const struct dentry *parent_dentry,
99216+ const struct vfsmount *parent_mnt,
99217+ const int mode);
99218+__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
99219+ const struct dentry *parent_dentry,
99220+ const struct vfsmount *parent_mnt);
99221+__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
99222+ const struct vfsmount *mnt);
99223+void gr_handle_delete(const u64 ino, const dev_t dev);
99224+__u32 gr_acl_handle_unlink(const struct dentry *dentry,
99225+ const struct vfsmount *mnt);
99226+__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
99227+ const struct dentry *parent_dentry,
99228+ const struct vfsmount *parent_mnt,
99229+ const struct filename *from);
99230+__u32 gr_acl_handle_link(const struct dentry *new_dentry,
99231+ const struct dentry *parent_dentry,
99232+ const struct vfsmount *parent_mnt,
99233+ const struct dentry *old_dentry,
99234+ const struct vfsmount *old_mnt, const struct filename *to);
99235+int gr_handle_symlink_owner(const struct path *link, const struct inode *target);
99236+int gr_acl_handle_rename(struct dentry *new_dentry,
99237+ struct dentry *parent_dentry,
99238+ const struct vfsmount *parent_mnt,
99239+ struct dentry *old_dentry,
99240+ struct inode *old_parent_inode,
99241+ struct vfsmount *old_mnt, const struct filename *newname, unsigned int flags);
99242+void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
99243+ struct dentry *old_dentry,
99244+ struct dentry *new_dentry,
99245+ struct vfsmount *mnt, const __u8 replace, unsigned int flags);
99246+__u32 gr_check_link(const struct dentry *new_dentry,
99247+ const struct dentry *parent_dentry,
99248+ const struct vfsmount *parent_mnt,
99249+ const struct dentry *old_dentry,
99250+ const struct vfsmount *old_mnt);
99251+int gr_acl_handle_filldir(const struct file *file, const char *name,
99252+ const unsigned int namelen, const u64 ino);
99253+
99254+__u32 gr_acl_handle_unix(const struct dentry *dentry,
99255+ const struct vfsmount *mnt);
99256+void gr_acl_handle_exit(void);
99257+void gr_acl_handle_psacct(struct task_struct *task, const long code);
99258+int gr_acl_handle_procpidmem(const struct task_struct *task);
99259+int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
99260+int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
99261+void gr_audit_ptrace(struct task_struct *task);
99262+dev_t gr_get_dev_from_dentry(struct dentry *dentry);
99263+u64 gr_get_ino_from_dentry(struct dentry *dentry);
99264+void gr_put_exec_file(struct task_struct *task);
99265+
99266+int gr_get_symlinkown_enabled(void);
99267+
99268+int gr_ptrace_readexec(struct file *file, int unsafe_flags);
99269+
99270+void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
99271+void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
99272+int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
99273+ struct dentry *newdentry, struct vfsmount *newmnt);
99274+
99275+#ifdef CONFIG_GRKERNSEC_RESLOG
99276+extern void gr_log_resource(const struct task_struct *task, const int res,
99277+ const unsigned long wanted, const int gt);
99278+#else
99279+static inline void gr_log_resource(const struct task_struct *task, const int res,
99280+ const unsigned long wanted, const int gt)
99281+{
99282+}
99283+#endif
99284+
99285+#ifdef CONFIG_GRKERNSEC
99286+void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
99287+void gr_handle_vm86(void);
99288+void gr_handle_mem_readwrite(u64 from, u64 to);
99289+
99290+void gr_log_badprocpid(const char *entry);
99291+
99292+extern int grsec_enable_dmesg;
99293+extern int grsec_disable_privio;
99294+
99295+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
99296+extern kgid_t grsec_proc_gid;
99297+#endif
99298+
99299+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
99300+extern int grsec_enable_chroot_findtask;
99301+#endif
99302+#ifdef CONFIG_GRKERNSEC_SETXID
99303+extern int grsec_enable_setxid;
99304+#endif
99305+#endif
99306+
99307+#endif
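Review bot: None of the hook prototypes in this new header says which return value means "deny", and the header mixes three shapes: `int` (`gr_handle_*`, `gr_check_*`), `__u32` (`gr_acl_handle_*`) and a predicate named `gr_tpe_allow()`. For access-control hooks, a caller that reads the polarity the wrong way fails open, so the convention belongs next to the declarations. The implementations are outside this hunk, so the actual meaning has to be confirmed there. A block comment above `gr_handle_new_usb()` stating, per family, what zero and non-zero mean would cover it. `gr_task_is_capable_nolog()` also takes no `cred` argument while `gr_task_is_capable()` does, which deserves a one-line comment if it is intentional.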
99308diff --git a/include/linux/grsock.h b/include/linux/grsock.h
99309new file mode 100644
99310index 0000000..e7ffaaf
99311--- /dev/null
99312+++ b/include/linux/grsock.h
99313@@ -0,0 +1,19 @@
99314+#ifndef __GRSOCK_H
99315+#define __GRSOCK_H
99316+
99317+extern void gr_attach_curr_ip(const struct sock *sk);
99318+extern int gr_handle_sock_all(const int family, const int type,
99319+ const int protocol);
99320+extern int gr_handle_sock_server(const struct sockaddr *sck);
99321+extern int gr_handle_sock_server_other(const struct sock *sck);
99322+extern int gr_handle_sock_client(const struct sockaddr *sck);
99323+extern int gr_search_connect(struct socket * sock,
99324+ struct sockaddr_in * addr);
99325+extern int gr_search_bind(struct socket * sock,
99326+ struct sockaddr_in * addr);
99327+extern int gr_search_listen(struct socket * sock);
99328+extern int gr_search_accept(struct socket * sock);
99329+extern int gr_search_socket(const int domain, const int type,
99330+ const int protocol);
99331+
99332+#endif
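Review bot: `struct sock`, `struct sockaddr`, `struct sockaddr_in` and `struct socket` are used in these prototypes without an include or a forward declaration, so the header only compiles cleanly when the includer has already pulled in the socket headers. If it is included first, each tag is declared with prototype scope and the declarations no longer match the real definitions. Adding `struct sock; struct sockaddr; struct sockaddr_in; struct socket;` right after the include guard makes the header self-contained.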
99333diff --git a/include/linux/highmem.h b/include/linux/highmem.h
99334index 6aefcd0..98b81dc 100644
99335--- a/include/linux/highmem.h
99336+++ b/include/linux/highmem.h
99337@@ -191,6 +191,18 @@ static inline void clear_highpage(struct page *page)
99338 kunmap_atomic(kaddr);
99339 }
99340
99341+static inline void sanitize_highpage(struct page *page)
99342+{
99343+ void *kaddr;
99344+ unsigned long flags;
99345+
99346+ local_irq_save(flags);
99347+ kaddr = kmap_atomic(page);
99348+ clear_page(kaddr);
99349+ kunmap_atomic(kaddr);
99350+ local_irq_restore(flags);
99351+}
99352+
99353 static inline void zero_user_segments(struct page *page,
99354 unsigned start1, unsigned end1,
99355 unsigned start2, unsigned end2)
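Review bot: `sanitize_highpage()` repeats the body of `clear_highpage()` just above it and differs only by the `local_irq_save()`/`local_irq_restore()` pair, but nothing says why interrupts must be off for this variant. Without that, a later cleanup could merge the two helpers and drop whatever guarantee the page-sanitizing path relies on. A comment above the function such as `/* clear_highpage() with IRQs disabled around the atomic kmap; needed because <calling context, to be filled in> */` would record the reason. The callers are outside this hunk, so the reason itself has to be confirmed there.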
99356diff --git a/include/linux/hwmon-sysfs.h b/include/linux/hwmon-sysfs.h
99357index 1c7b89a..7dda400 100644
99358--- a/include/linux/hwmon-sysfs.h
99359+++ b/include/linux/hwmon-sysfs.h
99360@@ -25,7 +25,8 @@
99361 struct sensor_device_attribute{
99362 struct device_attribute dev_attr;
99363 int index;
99364-};
99365+} __do_const;
99366+typedef struct sensor_device_attribute __no_const sensor_device_attribute_no_const;
99367 #define to_sensor_dev_attr(_dev_attr) \
99368 container_of(_dev_attr, struct sensor_device_attribute, dev_attr)
99369
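Review bot: The `sensor_device_attribute_no_const` typedef added next to `__do_const` is a writable escape hatch from the constification of this structure, and nothing documents when using it is acceptable. Structures that carry callbacks are presumably made read-only so they cannot be overwritten at run time, so each writable alias should say who needs it. The same applies to `sensor_device_attribute_2_no_const` in the next hunk, `i2c_algorithm_no_const` in i2c.h and `irq_chip_no_const` in irq.h and irqdomain.h. A comment above each typedef such as `/* writable variant: only for instances that are filled in at run time */` would do, assuming that is the intended use.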
99370@@ -41,7 +42,8 @@ struct sensor_device_attribute_2 {
99371 struct device_attribute dev_attr;
99372 u8 index;
99373 u8 nr;
99374-};
99375+} __do_const;
99376+typedef struct sensor_device_attribute_2 __no_const sensor_device_attribute_2_no_const;
99377 #define to_sensor_dev_attr_2(_dev_attr) \
99378 container_of(_dev_attr, struct sensor_device_attribute_2, dev_attr)
99379
99380diff --git a/include/linux/i2c.h b/include/linux/i2c.h
99381index e83a738..8b323fa 100644
99382--- a/include/linux/i2c.h
99383+++ b/include/linux/i2c.h
99384@@ -409,6 +409,7 @@ struct i2c_algorithm {
99385 int (*unreg_slave)(struct i2c_client *client);
99386 #endif
99387 };
99388+typedef struct i2c_algorithm __no_const i2c_algorithm_no_const;
99389
99390 /**
99391 * struct i2c_bus_recovery_info - I2C bus recovery information
99392diff --git a/include/linux/if_pppox.h b/include/linux/if_pppox.h
99393index b49cf92..0c29072 100644
99394--- a/include/linux/if_pppox.h
99395+++ b/include/linux/if_pppox.h
99396@@ -78,7 +78,7 @@ struct pppox_proto {
99397 int (*ioctl)(struct socket *sock, unsigned int cmd,
99398 unsigned long arg);
99399 struct module *owner;
99400-};
99401+} __do_const;
99402
99403 extern int register_pppox_proto(int proto_num, const struct pppox_proto *pp);
99404 extern void unregister_pppox_proto(int proto_num);
99405diff --git a/include/linux/init.h b/include/linux/init.h
99406index b449f37..61005b3 100644
99407--- a/include/linux/init.h
99408+++ b/include/linux/init.h
99409@@ -37,9 +37,17 @@
99410 * section.
99411 */
99412
99413+#define add_init_latent_entropy __latent_entropy
99414+
99415+#ifdef CONFIG_MEMORY_HOTPLUG
99416+#define add_meminit_latent_entropy
99417+#else
99418+#define add_meminit_latent_entropy __latent_entropy
99419+#endif
99420+
99421 /* These are for everybody (although not all archs will actually
99422 discard it in modules) */
99423-#define __init __section(.init.text) __cold notrace
99424+#define __init __section(.init.text) __cold notrace add_init_latent_entropy
99425 #define __initdata __section(.init.data)
99426 #define __initconst __constsection(.init.rodata)
99427 #define __exitdata __section(.exit.data)
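Review bot: `add_meminit_latent_entropy` expands to nothing under `CONFIG_MEMORY_HOTPLUG`, with no comment saying why `__meminit` code loses the `__latent_entropy` marking in that configuration. Presumably this is because `__meminit` functions can still run after boot when hotplug is enabled, but that is an inference and should be stated in the source. A line above the `#ifdef` such as `/* with MEMORY_HOTPLUG, __meminit code also runs after boot, so it is not instrumented */` would record it once confirmed. The macro is consumed by `__meminit` in the next hunk.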
99428@@ -92,7 +100,7 @@
99429 #define __exit __section(.exit.text) __exitused __cold notrace
99430
99431 /* Used for MEMORY_HOTPLUG */
99432-#define __meminit __section(.meminit.text) __cold notrace
99433+#define __meminit __section(.meminit.text) __cold notrace add_meminit_latent_entropy
99434 #define __meminitdata __section(.meminit.data)
99435 #define __meminitconst __constsection(.meminit.rodata)
99436 #define __memexit __section(.memexit.text) __exitused __cold notrace
99437diff --git a/include/linux/init_task.h b/include/linux/init_task.h
99438index bb9b075..ecac42c 100644
99439--- a/include/linux/init_task.h
99440+++ b/include/linux/init_task.h
99441@@ -157,6 +157,12 @@ extern struct task_group root_task_group;
99442
99443 #define INIT_TASK_COMM "swapper"
99444
99445+#ifdef CONFIG_X86
99446+#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
99447+#else
99448+#define INIT_TASK_THREAD_INFO
99449+#endif
99450+
99451 #ifdef CONFIG_RT_MUTEXES
99452 # define INIT_RT_MUTEXES(tsk) \
99453 .pi_waiters = RB_ROOT, \
99454@@ -223,6 +229,7 @@ extern struct task_group root_task_group;
99455 RCU_POINTER_INITIALIZER(cred, &init_cred), \
99456 .comm = INIT_TASK_COMM, \
99457 .thread = INIT_THREAD, \
99458+ INIT_TASK_THREAD_INFO \
99459 .fs = &init_fs, \
99460 .files = &init_files, \
99461 .signal = &init_signals, \
99462diff --git a/include/linux/interrupt.h b/include/linux/interrupt.h
99463index be7e75c..09bec77 100644
99464--- a/include/linux/interrupt.h
99465+++ b/include/linux/interrupt.h
99466@@ -433,8 +433,8 @@ extern const char * const softirq_to_name[NR_SOFTIRQS];
99467
99468 struct softirq_action
99469 {
99470- void (*action)(struct softirq_action *);
99471-};
99472+ void (*action)(void);
99473+} __no_const;
99474
99475 asmlinkage void do_softirq(void);
99476 asmlinkage void __do_softirq(void);
99477@@ -448,7 +448,7 @@ static inline void do_softirq_own_stack(void)
99478 }
99479 #endif
99480
99481-extern void open_softirq(int nr, void (*action)(struct softirq_action *));
99482+extern void open_softirq(int nr, void (*action)(void));
99483 extern void softirq_init(void);
99484 extern void __raise_softirq_irqoff(unsigned int nr);
99485
99486diff --git a/include/linux/iommu.h b/include/linux/iommu.h
99487index f9c1b6d..db7d6f5 100644
99488--- a/include/linux/iommu.h
99489+++ b/include/linux/iommu.h
99490@@ -192,7 +192,7 @@ struct iommu_ops {
99491
99492 unsigned long pgsize_bitmap;
99493 void *priv;
99494-};
99495+} __do_const;
99496
99497 #define IOMMU_GROUP_NOTIFY_ADD_DEVICE 1 /* Device added */
99498 #define IOMMU_GROUP_NOTIFY_DEL_DEVICE 2 /* Pre Device removed */
99499diff --git a/include/linux/ioport.h b/include/linux/ioport.h
99500index 388e3ae..d7e45a1 100644
99501--- a/include/linux/ioport.h
99502+++ b/include/linux/ioport.h
99503@@ -161,7 +161,7 @@ struct resource *lookup_resource(struct resource *root, resource_size_t start);
99504 int adjust_resource(struct resource *res, resource_size_t start,
99505 resource_size_t size);
99506 resource_size_t resource_alignment(struct resource *res);
99507-static inline resource_size_t resource_size(const struct resource *res)
99508+static inline resource_size_t __intentional_overflow(-1) resource_size(const struct resource *res)
99509 {
99510 return res->end - res->start + 1;
99511 }
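Review bot: `resource_size()` is marked `__intentional_overflow(-1)` without a comment saying which wrap is expected; `res->end - res->start + 1` yields 0 both for an empty resource (`end == start - 1`) and for one covering the whole `resource_size_t` range. With the overflow check silenced, a caller that uses the result as a length gets 0 for a maximal range with no diagnostic. A comment above the function such as `/* wraps to 0 for end == start - 1 (empty) and for a full-range resource; callers must handle 0 */` would make the contract explicit. The same undocumented annotation is added to `seq` in ipc.h and to `jiffies_to_nsecs()`, `_msecs_to_jiffies()` and `_usecs_to_jiffies()` in jiffies.h. There, a clamp against `MAX_JIFFY_OFFSET` is visible only in two of the `_msecs_to_jiffies()` variants.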
99512diff --git a/include/linux/ipc.h b/include/linux/ipc.h
99513index 9d84942..12d5bdf 100644
99514--- a/include/linux/ipc.h
99515+++ b/include/linux/ipc.h
99516@@ -19,8 +19,8 @@ struct kern_ipc_perm
99517 kuid_t cuid;
99518 kgid_t cgid;
99519 umode_t mode;
99520- unsigned long seq;
99521+ unsigned long seq __intentional_overflow(-1);
99522 void *security;
99523-};
99524+} __randomize_layout;
99525
99526 #endif /* _LINUX_IPC_H */
99527diff --git a/include/linux/ipc_namespace.h b/include/linux/ipc_namespace.h
99528index 1eee6bc..9cf4912 100644
99529--- a/include/linux/ipc_namespace.h
99530+++ b/include/linux/ipc_namespace.h
99531@@ -60,7 +60,7 @@ struct ipc_namespace {
99532 struct user_namespace *user_ns;
99533
99534 struct ns_common ns;
99535-};
99536+} __randomize_layout;
99537
99538 extern struct ipc_namespace init_ipc_ns;
99539 extern atomic_t nr_ipc_ns;
99540diff --git a/include/linux/irq.h b/include/linux/irq.h
99541index 51744bc..e902653 100644
99542--- a/include/linux/irq.h
99543+++ b/include/linux/irq.h
99544@@ -383,7 +383,10 @@ struct irq_chip {
99545 int (*irq_set_vcpu_affinity)(struct irq_data *data, void *vcpu_info);
99546
99547 unsigned long flags;
99548-};
99549+} __do_const;
99550+#ifndef _LINUX_IRQDOMAIN_H
99551+typedef struct irq_chip __no_const irq_chip_no_const;
99552+#endif
99553
99554 /*
99555 * irq_chip specific flags
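Review bot: The `irq_chip_no_const` typedef is guarded by `#ifndef _LINUX_IRQDOMAIN_H` here and by `#ifndef _LINUX_IRQ_H` in irqdomain.h, so each header depends on the spelling of the other's include guard and on which one is entered first. If either guard is renamed, or one header is pulled in by the other before its own typedef line is reached, the typedef can end up duplicated or missing at first use. A dedicated guard defined beside the typedef and used identically in both headers, for example `#ifndef IRQ_CHIP_NO_CONST_DEFINED` / `#define IRQ_CHIP_NO_CONST_DEFINED` (name constructed for illustration), removes that coupling. `struct irq_chip` itself starts outside this hunk.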
99556diff --git a/include/linux/irqdesc.h b/include/linux/irqdesc.h
99557index fcea4e4..cff381d 100644
99558--- a/include/linux/irqdesc.h
99559+++ b/include/linux/irqdesc.h
99560@@ -59,7 +59,7 @@ struct irq_desc {
99561 unsigned int irq_count; /* For detecting broken IRQs */
99562 unsigned long last_unhandled; /* Aging timer for unhandled count */
99563 unsigned int irqs_unhandled;
99564- atomic_t threads_handled;
99565+ atomic_unchecked_t threads_handled;
99566 int threads_handled_last;
99567 raw_spinlock_t lock;
99568 struct cpumask *percpu_enabled;
99569diff --git a/include/linux/irqdomain.h b/include/linux/irqdomain.h
99570index 744ac0e..382b1a6 100644
99571--- a/include/linux/irqdomain.h
99572+++ b/include/linux/irqdomain.h
99573@@ -40,6 +40,9 @@ struct device_node;
99574 struct irq_domain;
99575 struct of_device_id;
99576 struct irq_chip;
99577+#ifndef _LINUX_IRQ_H
99578+typedef struct irq_chip __no_const irq_chip_no_const;
99579+#endif
99580 struct irq_data;
99581
99582 /* Number of irqs reserved for a legacy isa controller */
99583diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h
99584index 535fd3b..e5c356e 100644
99585--- a/include/linux/jiffies.h
99586+++ b/include/linux/jiffies.h
99587@@ -284,19 +284,19 @@ extern unsigned long preset_lpj;
99588 extern unsigned int jiffies_to_msecs(const unsigned long j);
99589 extern unsigned int jiffies_to_usecs(const unsigned long j);
99590
99591-static inline u64 jiffies_to_nsecs(const unsigned long j)
99592+static inline u64 __intentional_overflow(-1) jiffies_to_nsecs(const unsigned long j)
99593 {
99594 return (u64)jiffies_to_usecs(j) * NSEC_PER_USEC;
99595 }
99596
99597-extern unsigned long __msecs_to_jiffies(const unsigned int m);
99598+extern unsigned long __msecs_to_jiffies(const unsigned int m) __intentional_overflow(-1);
99599 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
99600 /*
99601 * HZ is equal to or smaller than 1000, and 1000 is a nice round
99602 * multiple of HZ, divide with the factor between them, but round
99603 * upwards:
99604 */
99605-static inline unsigned long _msecs_to_jiffies(const unsigned int m)
99606+static inline unsigned long __intentional_overflow(-1) _msecs_to_jiffies(const unsigned int m)
99607 {
99608 return (m + (MSEC_PER_SEC / HZ) - 1) / (MSEC_PER_SEC / HZ);
99609 }
99610@@ -307,7 +307,7 @@ static inline unsigned long _msecs_to_jiffies(const unsigned int m)
99611 *
99612 * But first make sure the multiplication result cannot overflow:
99613 */
99614-static inline unsigned long _msecs_to_jiffies(const unsigned int m)
99615+static inline unsigned long __intentional_overflow(-1) _msecs_to_jiffies(const unsigned int m)
99616 {
99617 if (m > jiffies_to_msecs(MAX_JIFFY_OFFSET))
99618 return MAX_JIFFY_OFFSET;
99619@@ -318,7 +318,7 @@ static inline unsigned long _msecs_to_jiffies(const unsigned int m)
99620 * Generic case - multiply, round and divide. But first check that if
99621 * we are doing a net multiplication, that we wouldn't overflow:
99622 */
99623-static inline unsigned long _msecs_to_jiffies(const unsigned int m)
99624+static inline unsigned long __intentional_overflow(-1) _msecs_to_jiffies(const unsigned int m)
99625 {
99626 if (HZ > MSEC_PER_SEC && m > jiffies_to_msecs(MAX_JIFFY_OFFSET))
99627 return MAX_JIFFY_OFFSET;
99628@@ -362,21 +362,19 @@ static inline unsigned long msecs_to_jiffies(const unsigned int m)
99629 }
99630 }
99631
99632-extern unsigned long __usecs_to_jiffies(const unsigned int u);
99633+extern unsigned long __usecs_to_jiffies(const unsigned int u) __intentional_overflow(-1);
99634 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
99635-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
99636+static inline unsigned long __intentional_overflow(-1) _usecs_to_jiffies(const unsigned int u)
99637 {
99638 return (u + (USEC_PER_SEC / HZ) - 1) / (USEC_PER_SEC / HZ);
99639 }
99640 #elif HZ > USEC_PER_SEC && !(HZ % USEC_PER_SEC)
99641-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
99642+static inline unsigned long __intentional_overflow(-1) _usecs_to_jiffies(const unsigned int u)
99643 {
99644 return u * (HZ / USEC_PER_SEC);
99645 }
99646-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
99647-{
99648 #else
99649-static inline unsigned long _usecs_to_jiffies(const unsigned int u)
99650+static inline unsigned long __intentional_overflow(-1) _usecs_to_jiffies(const unsigned int u)
99651 {
99652 return (USEC_TO_HZ_MUL32 * u + USEC_TO_HZ_ADJ32)
99653 >> USEC_TO_HZ_SHR32;
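--- a/include/linux/kallsyms.h
+++ b/include/linux/kallsyms.h
@@ -15,7 +15,8 @@
 
 struct module;
 
-#ifdef CONFIG_KALLSYMS
+#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
 /* Lookup the address for a symbol. Returns 0 if not found. */
 unsigned long kallsyms_lookup_name(const char *name);
 
@@ -106,6 +107,21 @@ static inline int lookup_symbol_attrs(unsigned long addr, unsigned long *size, u
 /* Stupid that this does nothing, but I didn't create this mess. */
 #define __print_symbol(fmt, addr)
 #endif /*CONFIG_KALLSYMS*/
+#else /* when included by kallsyms.c, vsnprintf.c, kprobes.c, or
+ arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
+extern unsigned long kallsyms_lookup_name(const char *name);
+extern void __print_symbol(const char *fmt, unsigned long address);
+extern int sprint_backtrace(char *buffer, unsigned long address);
+extern int sprint_symbol(char *buffer, unsigned long address);
+extern int sprint_symbol_no_offset(char *buffer, unsigned long address);
+const char *kallsyms_lookup(unsigned long addr,
+ unsigned long *symbolsize,
+ unsigned long *offset,
+ char **modname, char *namebuf);
+extern int kallsyms_lookup_size_offset(unsigned long addr,
+ unsigned long *symbolsize,
+ unsigned long *offset);
+#endif
 
 /* This macro allows us to keep printk typechecking */
 static __printf(1, 2)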
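Review bot: The preprocessor nesting added here is hard to follow, because the context line `#endif /*CONFIG_KALLSYMS*/` now closes the inner `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` and the new final `#endif` has no label at all. I would relabel them as `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`, so a reader can tell which branch exposes the real lookup functions. In the new `#else` block `kallsyms_lookup` is declared without `extern` while its six siblings have it. The file list in the `#else` comment acts as an allowlist of translation units that may still resolve symbols under HIDESYM, and it will go stale unless it points at where `__INCLUDED_BY_HIDESYM` gets defined, which is outside this section.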
99690diff --git a/include/linux/key-type.h b/include/linux/key-type.h
99691index ff9f1d3..6712be5 100644
99692--- a/include/linux/key-type.h
99693+++ b/include/linux/key-type.h
99694@@ -152,7 +152,7 @@ struct key_type {
99695 /* internal fields */
99696 struct list_head link; /* link in types list */
99697 struct lock_class_key lock_class; /* key->sem lock class */
99698-};
99699+} __do_const;
99700
99701 extern struct key_type key_type_keyring;
99702
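Review bot: `struct key_type` becomes `__do_const` here even though the two context lines above the closing brace, `struct list_head link` and `struct lock_class_key lock_class`, are labelled internal fields and are presumably written when a type is registered. If instances end up in read-only memory, each such write has to go through a helper that lifts the protection, and nothing in this hunk records which one. A comment on the struct such as `/* constified: link is only updated via pax_list_*() */` would state the contract; confirm the helper against the registration code, which is not shown. The same question applies to the other `__do_const` additions in kgdb.h, kobject.h, kobject_ns.h, libata.h and mod_devicetable.h.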
99703diff --git a/include/linux/kgdb.h b/include/linux/kgdb.h
99704index e465bb1..19f605fd 100644
99705--- a/include/linux/kgdb.h
99706+++ b/include/linux/kgdb.h
99707@@ -52,7 +52,7 @@ extern int kgdb_connected;
99708 extern int kgdb_io_module_registered;
99709
99710 extern atomic_t kgdb_setting_breakpoint;
99711-extern atomic_t kgdb_cpu_doing_single_step;
99712+extern atomic_unchecked_t kgdb_cpu_doing_single_step;
99713
99714 extern struct task_struct *kgdb_usethread;
99715 extern struct task_struct *kgdb_contthread;
99716@@ -254,7 +254,7 @@ struct kgdb_arch {
99717 void (*correct_hw_break)(void);
99718
99719 void (*enable_nmi)(bool on);
99720-};
99721+} __do_const;
99722
99723 /**
99724 * struct kgdb_io - Describe the interface for an I/O driver to talk with KGDB.
99725@@ -279,7 +279,7 @@ struct kgdb_io {
99726 void (*pre_exception) (void);
99727 void (*post_exception) (void);
99728 int is_console;
99729-};
99730+} __do_const;
99731
99732 extern struct kgdb_arch arch_kgdb_ops;
99733
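Review bot: `kgdb_cpu_doing_single_step` is switched to `atomic_unchecked_t` with no comment saying why it may opt out of overflow checking, while `kgdb_setting_breakpoint` on the line above stays `atomic_t`. Judging by the name it stores a CPU number rather than a reference count, which would make the opt-out harmless, but that reasoning should sit next to the declaration, e.g. `/* holds a CPU id, not a refcount: wraparound is not a lifetime bug */`. The same applies to `num_poisoned_pages` in mm.h and `vm_stat[]` in mmzone.h, which look like statistics counters.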
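--- a/include/linux/kmemleak.h
+++ b/include/linux/kmemleak.h
@@ -27,7 +27,7 @@
 
 extern void kmemleak_init(void) __ref;
 extern void kmemleak_alloc(const void *ptr, size_t size, int min_count,
- gfp_t gfp) __ref;
+ gfp_t gfp) __ref __size_overflow(2);
 extern void kmemleak_alloc_percpu(const void __percpu *ptr, size_t size,
 gfp_t gfp) __ref;
 extern void kmemleak_free(const void *ptr) __ref;
@@ -63,7 +63,7 @@ static inline void kmemleak_erase(void **ptr)
 static inline void kmemleak_init(void)
 {
 }
-static inline void kmemleak_alloc(const void *ptr, size_t size, int min_count,
+static inline void __size_overflow(2) kmemleak_alloc(const void *ptr, size_t size, int min_count,
 gfp_t gfp)
 {
 }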
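Review bot: `__size_overflow(2)` is added to both `kmemleak_alloc` declarations but not to `kmemleak_alloc_percpu`, whose second parameter in the adjacent context line is the same `size_t size`. If the annotation is there so the size argument gets overflow-checked, the per-cpu variant should carry it too, as `gfp_t gfp) __ref __size_overflow(2);`. If it is left out on purpose, a one-line comment above `kmemleak_alloc_percpu` should say why, so the gap is not read as an oversight.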
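--- a/include/linux/kmod.h
+++ b/include/linux/kmod.h
@@ -34,6 +34,8 @@ extern char modprobe_path[]; /* for sysctl */
 * usually useless though. */
 extern __printf(2, 3)
 int __request_module(bool wait, const char *name, ...);
+extern __printf(3, 4)
+int ___request_module(bool wait, char *param_name, const char *name, ...);
 #define request_module(mod...) __request_module(true, mod)
 #define request_module_nowait(mod...) __request_module(false, mod)
 #define try_then_request_module(x, mod...) \
@@ -57,6 +59,9 @@ struct subprocess_info {
 struct work_struct work;
 struct completion *complete;
 char *path;
+#ifdef CONFIG_GRKERNSEC
+ char *origpath;
+#endif
 char **argv;
 char **envp;
 int wait;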
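Review bot: `___request_module` differs from `__request_module` by a single underscore and is added without any comment, so the two are easy to confuse at a call site and nothing says what `param_name` is for. The parameter is also a plain `char *`, which tells callers the function may write to the string; unless it does, the prototype should read `int ___request_module(bool wait, const char *param_name, const char *name, ...);`. The new `origpath` member of `struct subprocess_info` likewise needs a note on who allocates and frees it relative to `path`, e.g. `/* original path before any rewrite; owned by <owner> */` with the owner filled in from the implementation. The struct continues outside the hunk.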
99779diff --git a/include/linux/kobject.h b/include/linux/kobject.h
99780index 637f670..3d69945 100644
99781--- a/include/linux/kobject.h
99782+++ b/include/linux/kobject.h
99783@@ -119,7 +119,7 @@ struct kobj_type {
99784 struct attribute **default_attrs;
99785 const struct kobj_ns_type_operations *(*child_ns_type)(struct kobject *kobj);
99786 const void *(*namespace)(struct kobject *kobj);
99787-};
99788+} __do_const;
99789
99790 struct kobj_uevent_env {
99791 char *argv[3];
99792@@ -143,6 +143,7 @@ struct kobj_attribute {
99793 ssize_t (*store)(struct kobject *kobj, struct kobj_attribute *attr,
99794 const char *buf, size_t count);
99795 };
99796+typedef struct kobj_attribute __no_const kobj_attribute_no_const;
99797
99798 extern const struct sysfs_ops kobj_sysfs_ops;
99799
99800@@ -170,7 +171,7 @@ struct kset {
99801 spinlock_t list_lock;
99802 struct kobject kobj;
99803 const struct kset_uevent_ops *uevent_ops;
99804-};
99805+} __randomize_layout;
99806
99807 extern void kset_init(struct kset *kset);
99808 extern int __must_check kset_register(struct kset *kset);
99809diff --git a/include/linux/kobject_ns.h b/include/linux/kobject_ns.h
99810index df32d25..fb52e27 100644
99811--- a/include/linux/kobject_ns.h
99812+++ b/include/linux/kobject_ns.h
99813@@ -44,7 +44,7 @@ struct kobj_ns_type_operations {
99814 const void *(*netlink_ns)(struct sock *sk);
99815 const void *(*initial_ns)(void);
99816 void (*drop_ns)(void *);
99817-};
99818+} __do_const;
99819
99820 int kobj_ns_type_register(const struct kobj_ns_type_operations *ops);
99821 int kobj_ns_type_registered(enum kobj_ns_type type);
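--- a/include/linux/kref.h
+++ b/include/linux/kref.h
@@ -68,7 +68,7 @@ static inline void kref_get(struct kref *kref)
 static inline int kref_sub(struct kref *kref, unsigned int count,
 void (*release)(struct kref *kref))
 {
- WARN_ON(release == NULL);
+ BUG_ON(release == NULL);
 
 if (atomic_sub_and_test((int) count, &kref->refcount)) {
 release(kref);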
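Review bot: Replacing `WARN_ON` with `BUG_ON(release == NULL)` deserves a comment, because `kref_sub` is a `static inline` in a header and the check runs on every call, not only when the count reaches zero. The reason for failing hard appears to be that `release(kref)` a few lines below would otherwise be an indirect call through a NULL pointer. Stating that in the code, e.g. `/* never reach release() with a NULL function pointer */`, tells the next maintainer not to soften it back to a warning. The trade-off is that a caller bug which used to log a warning now stops the kernel, so callers that pass NULL should be audited. The function body continues outside the hunk.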
99835diff --git a/include/linux/kvm_host.h b/include/linux/kvm_host.h
99836index 05e99b8..484b1f97 100644
99837--- a/include/linux/kvm_host.h
99838+++ b/include/linux/kvm_host.h
99839@@ -468,7 +468,7 @@ static inline void kvm_irqfd_exit(void)
99840 {
99841 }
99842 #endif
99843-int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
99844+int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
99845 struct module *module);
99846 void kvm_exit(void);
99847
99848@@ -678,7 +678,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(struct kvm_vcpu *vcpu,
99849 struct kvm_guest_debug *dbg);
99850 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
99851
99852-int kvm_arch_init(void *opaque);
99853+int kvm_arch_init(const void *opaque);
99854 void kvm_arch_exit(void);
99855
99856 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
99857diff --git a/include/linux/libata.h b/include/linux/libata.h
99858index c9cfbcd..46986db 100644
99859--- a/include/linux/libata.h
99860+++ b/include/linux/libata.h
99861@@ -990,7 +990,7 @@ struct ata_port_operations {
99862 * fields must be pointers.
99863 */
99864 const struct ata_port_operations *inherits;
99865-};
99866+} __do_const;
99867
99868 struct ata_port_info {
99869 unsigned long flags;
99870diff --git a/include/linux/linkage.h b/include/linux/linkage.h
99871index a6a42dd..6c5ebce 100644
99872--- a/include/linux/linkage.h
99873+++ b/include/linux/linkage.h
99874@@ -36,6 +36,7 @@
99875 #endif
99876
99877 #define __page_aligned_data __section(.data..page_aligned) __aligned(PAGE_SIZE)
99878+#define __page_aligned_rodata __read_only __aligned(PAGE_SIZE)
99879 #define __page_aligned_bss __section(.bss..page_aligned) __aligned(PAGE_SIZE)
99880
99881 /*
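--- a/include/linux/list.h
+++ b/include/linux/list.h
@@ -113,6 +113,19 @@ extern void __list_del_entry(struct list_head *entry);
 extern void list_del(struct list_head *entry);
 #endif
 
+extern void __pax_list_add(struct list_head *new,
+ struct list_head *prev,
+ struct list_head *next);
+static inline void pax_list_add(struct list_head *new, struct list_head *head)
+{
+ __pax_list_add(new, head, head->next);
+}
+static inline void pax_list_add_tail(struct list_head *new, struct list_head *head)
+{
+ __pax_list_add(new, head->prev, head);
+}
+extern void pax_list_del(struct list_head *entry);
+
 /**
 * list_replace - replace old entry by new one
 * @old : the element to be replaced
@@ -146,6 +159,8 @@ static inline void list_del_init(struct list_head *entry)
 INIT_LIST_HEAD(entry);
 }
 
+extern void pax_list_del_init(struct list_head *entry);
+
 /**
 * list_move - delete from one list and add as another's head
 * @list: the entry to move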
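Review bot: The five new `pax_list_*` entry points are added without any comment, in a header where the neighbouring `list_replace` and `list_move` carry kernel-doc blocks, so nothing tells a caller when to use `pax_list_add` instead of `list_add`. Presumably they are meant for list nodes embedded in objects that are otherwise write-protected and lift that protection around the pointer update. If so, say that and state the locking and context requirements in a block comment above `__pax_list_add`, opening with something like `/* pax_list_*: list ops for nodes living in read-only memory */`. The definitions are outside this section, so the intended semantics need confirming there.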
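--- a/include/linux/lockref.h
+++ b/include/linux/lockref.h
@@ -28,7 +28,7 @@ struct lockref {
 #endif
 struct {
 spinlock_t lock;
- int count;
+ atomic_t count;
 };
 };
 };
@@ -43,9 +43,29 @@ extern void lockref_mark_dead(struct lockref *);
 extern int lockref_get_not_dead(struct lockref *);
 
 /* Must be called under spinlock for reliable results */
-static inline int __lockref_is_dead(const struct lockref *l)
+static inline int __lockref_is_dead(const struct lockref *lockref)
 {
- return ((int)l->count < 0);
+ return atomic_read(&lockref->count) < 0;
+}
+
+static inline int __lockref_read(const struct lockref *lockref)
+{
+ return atomic_read(&lockref->count);
+}
+
+static inline void __lockref_set(struct lockref *lockref, int count)
+{
+ atomic_set(&lockref->count, count);
+}
+
+static inline void __lockref_inc(struct lockref *lockref)
+{
+ atomic_inc(&lockref->count);
+}
+
+static inline void __lockref_dec(struct lockref *lockref)
+{
+ atomic_dec(&lockref->count);
 }
 
 #endif /* __LINUX_LOCKREF_H */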
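Review bot: The four new accessors `__lockref_read`, `__lockref_set`, `__lockref_inc` and `__lockref_dec` carry no locking comment, while `__lockref_is_dead` directly above them keeps `/* Must be called under spinlock for reliable results */`. Making `count` an `atomic_t` does not by itself make them safe to call without `lock`, because the counter sits next to the spinlock in the same anonymous struct and the lock-protected paths presumably still expect it to be stable. Each helper should repeat the requirement, e.g. `/* caller must hold lockref->lock */`, or say explicitly that it is lock-free. A compile-time check that `atomic_t` has the size of the `int` it replaces would also be prudent, since the enclosing aggregate (partly outside the hunk) appears to depend on that layout.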
99960diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
99961index 9429f05..a5d5425 100644
99962--- a/include/linux/lsm_hooks.h
99963+++ b/include/linux/lsm_hooks.h
99964@@ -1824,7 +1824,7 @@ struct security_hook_heads {
99965 struct list_head audit_rule_match;
99966 struct list_head audit_rule_free;
99967 #endif /* CONFIG_AUDIT */
99968-};
99969+} __randomize_layout;
99970
99971 /*
99972 * Security module hook list structure.
99973@@ -1834,7 +1834,7 @@ struct security_hook_list {
99974 struct list_head list;
99975 struct list_head *head;
99976 union security_list_options hook;
99977-};
99978+} __randomize_layout;
99979
99980 /*
99981 * Initializing a security_hook_list structure takes
99982diff --git a/include/linux/math64.h b/include/linux/math64.h
99983index c45c089..298841c 100644
99984--- a/include/linux/math64.h
99985+++ b/include/linux/math64.h
99986@@ -15,7 +15,7 @@
99987 * This is commonly provided by 32bit archs to provide an optimized 64bit
99988 * divide.
99989 */
99990-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
99991+static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
99992 {
99993 *remainder = dividend % divisor;
99994 return dividend / divisor;
99995@@ -42,7 +42,7 @@ static inline u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder)
99996 /**
99997 * div64_u64 - unsigned 64bit divide with 64bit divisor
99998 */
99999-static inline u64 div64_u64(u64 dividend, u64 divisor)
100000+static inline u64 __intentional_overflow(-1) div64_u64(u64 dividend, u64 divisor)
100001 {
100002 return dividend / divisor;
100003 }
100004@@ -61,7 +61,7 @@ static inline s64 div64_s64(s64 dividend, s64 divisor)
100005 #define div64_ul(x, y) div_u64((x), (y))
100006
100007 #ifndef div_u64_rem
100008-static inline u64 div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
100009+static inline u64 __intentional_overflow(-1) div_u64_rem(u64 dividend, u32 divisor, u32 *remainder)
100010 {
100011 *remainder = do_div(dividend, divisor);
100012 return dividend;
100013@@ -77,7 +77,7 @@ extern u64 div64_u64_rem(u64 dividend, u64 divisor, u64 *remainder);
100014 #endif
100015
100016 #ifndef div64_u64
100017-extern u64 div64_u64(u64 dividend, u64 divisor);
100018+extern u64 __intentional_overflow(-1) div64_u64(u64 dividend, u64 divisor);
100019 #endif
100020
100021 #ifndef div64_s64
100022@@ -94,7 +94,7 @@ extern s64 div64_s64(s64 dividend, s64 divisor);
100023 * divide.
100024 */
100025 #ifndef div_u64
100026-static inline u64 div_u64(u64 dividend, u32 divisor)
100027+static inline u64 __intentional_overflow(-1) div_u64(u64 dividend, u32 divisor)
100028 {
100029 u32 remainder;
100030 return div_u64_rem(dividend, divisor, &remainder);
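Review bot: `__intentional_overflow(-1)` is applied to `div_u64_rem`, `div64_u64` and `div_u64`, yet the visible bodies only divide unsigned values, which cannot overflow, so the reason for exempting these functions is not evident from the code. A short comment at the first occurrence would help, e.g. `/* result is routinely narrowed by callers; exempt from overflow instrumentation */`; I am inferring that reason, so confirm it before committing the wording. The siblings `div64_u64_rem` and `div64_s64`, visible in the hunk headers, are left unannotated, and the patch should say whether that is deliberate. The attribute is also written before the function name on `extern u64 __intentional_overflow(-1) div64_u64(...)` here but after the declarator on the `kmemleak_alloc` extern in kmemleak.h; one placement for plain declarations would read better.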
100031diff --git a/include/linux/mempolicy.h b/include/linux/mempolicy.h
100032index 3d385c8..deacb6a 100644
100033--- a/include/linux/mempolicy.h
100034+++ b/include/linux/mempolicy.h
100035@@ -91,6 +91,10 @@ static inline struct mempolicy *mpol_dup(struct mempolicy *pol)
100036 }
100037
100038 #define vma_policy(vma) ((vma)->vm_policy)
100039+static inline void set_vma_policy(struct vm_area_struct *vma, struct mempolicy *pol)
100040+{
100041+ vma->vm_policy = pol;
100042+}
100043
100044 static inline void mpol_get(struct mempolicy *pol)
100045 {
100046@@ -229,6 +233,9 @@ static inline void mpol_free_shared_policy(struct shared_policy *p)
100047 }
100048
100049 #define vma_policy(vma) NULL
100050+static inline void set_vma_policy(struct vm_area_struct *vma, struct mempolicy *pol)
100051+{
100052+}
100053
100054 static inline int
100055 vma_dup_policy(struct vm_area_struct *src, struct vm_area_struct *dst)
100056diff --git a/include/linux/mm.h b/include/linux/mm.h
100057index 2b05068..c58989c 100644
100058--- a/include/linux/mm.h
100059+++ b/include/linux/mm.h
100060@@ -136,6 +136,11 @@ extern unsigned int kobjsize(const void *objp);
100061
100062 #define VM_DONTCOPY 0x00020000 /* Do not copy this vma on fork */
100063 #define VM_DONTEXPAND 0x00040000 /* Cannot expand with mremap() */
100064+
100065+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
100066+#define VM_PAGEEXEC 0x00080000 /* vma->vm_page_prot needs special handling */
100067+#endif
100068+
100069 #define VM_ACCOUNT 0x00100000 /* Is a VM accounted object */
100070 #define VM_NORESERVE 0x00200000 /* should the VM suppress accounting */
100071 #define VM_HUGETLB 0x00400000 /* Huge TLB Page VM */
100072@@ -258,8 +263,8 @@ struct vm_operations_struct {
100073 /* called by access_process_vm when get_user_pages() fails, typically
100074 * for use by special VMAs that can switch between memory and hardware
100075 */
100076- int (*access)(struct vm_area_struct *vma, unsigned long addr,
100077- void *buf, int len, int write);
100078+ ssize_t (*access)(struct vm_area_struct *vma, unsigned long addr,
100079+ void *buf, size_t len, int write);
100080
100081 /* Called by the /proc/PID/maps code to ask the vma whether it
100082 * has a special name. Returning non-NULL will also cause this
100083@@ -297,6 +302,7 @@ struct vm_operations_struct {
100084 struct page *(*find_special_page)(struct vm_area_struct *vma,
100085 unsigned long addr);
100086 };
100087+typedef struct vm_operations_struct __no_const vm_operations_struct_no_const;
100088
100089 struct mmu_gather;
100090 struct inode;
100091@@ -1181,8 +1187,8 @@ int follow_pfn(struct vm_area_struct *vma, unsigned long address,
100092 unsigned long *pfn);
100093 int follow_phys(struct vm_area_struct *vma, unsigned long address,
100094 unsigned int flags, unsigned long *prot, resource_size_t *phys);
100095-int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
100096- void *buf, int len, int write);
100097+ssize_t generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
100098+ void *buf, size_t len, int write);
100099
100100 static inline void unmap_shared_mapping_range(struct address_space *mapping,
100101 loff_t const holebegin, loff_t const holelen)
100102@@ -1222,9 +1228,9 @@ static inline int fixup_user_fault(struct task_struct *tsk,
100103 }
100104 #endif
100105
100106-extern int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write);
100107-extern int access_remote_vm(struct mm_struct *mm, unsigned long addr,
100108- void *buf, int len, int write);
100109+extern ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, size_t len, int write);
100110+extern ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
100111+ void *buf, size_t len, int write);
100112
100113 long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
100114 unsigned long start, unsigned long nr_pages,
100115@@ -1272,34 +1278,6 @@ int clear_page_dirty_for_io(struct page *page);
100116
100117 int get_cmdline(struct task_struct *task, char *buffer, int buflen);
100118
100119-/* Is the vma a continuation of the stack vma above it? */
100120-static inline int vma_growsdown(struct vm_area_struct *vma, unsigned long addr)
100121-{
100122- return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
100123-}
100124-
100125-static inline int stack_guard_page_start(struct vm_area_struct *vma,
100126- unsigned long addr)
100127-{
100128- return (vma->vm_flags & VM_GROWSDOWN) &&
100129- (vma->vm_start == addr) &&
100130- !vma_growsdown(vma->vm_prev, addr);
100131-}
100132-
100133-/* Is the vma a continuation of the stack vma below it? */
100134-static inline int vma_growsup(struct vm_area_struct *vma, unsigned long addr)
100135-{
100136- return vma && (vma->vm_start == addr) && (vma->vm_flags & VM_GROWSUP);
100137-}
100138-
100139-static inline int stack_guard_page_end(struct vm_area_struct *vma,
100140- unsigned long addr)
100141-{
100142- return (vma->vm_flags & VM_GROWSUP) &&
100143- (vma->vm_end == addr) &&
100144- !vma_growsup(vma->vm_next, addr);
100145-}
100146-
100147 extern struct task_struct *task_of_stack(struct task_struct *task,
100148 struct vm_area_struct *vma, bool in_group);
100149
100150@@ -1422,8 +1400,15 @@ static inline int __pud_alloc(struct mm_struct *mm, pgd_t *pgd,
100151 {
100152 return 0;
100153 }
100154+
100155+static inline int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd,
100156+ unsigned long address)
100157+{
100158+ return 0;
100159+}
100160 #else
100161 int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address);
100162+int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address);
100163 #endif
100164
100165 #if defined(__PAGETABLE_PMD_FOLDED) || !defined(CONFIG_MMU)
100166@@ -1433,6 +1418,12 @@ static inline int __pmd_alloc(struct mm_struct *mm, pud_t *pud,
100167 return 0;
100168 }
100169
100170+static inline int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud,
100171+ unsigned long address)
100172+{
100173+ return 0;
100174+}
100175+
100176 static inline void mm_nr_pmds_init(struct mm_struct *mm) {}
100177
100178 static inline unsigned long mm_nr_pmds(struct mm_struct *mm)
100179@@ -1445,6 +1436,7 @@ static inline void mm_dec_nr_pmds(struct mm_struct *mm) {}
100180
100181 #else
100182 int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address);
100183+int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address);
100184
100185 static inline void mm_nr_pmds_init(struct mm_struct *mm)
100186 {
100187@@ -1482,11 +1474,23 @@ static inline pud_t *pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long a
100188 NULL: pud_offset(pgd, address);
100189 }
100190
100191+static inline pud_t *pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
100192+{
100193+ return (unlikely(pgd_none(*pgd)) && __pud_alloc_kernel(mm, pgd, address))?
100194+ NULL: pud_offset(pgd, address);
100195+}
100196+
100197 static inline pmd_t *pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
100198 {
100199 return (unlikely(pud_none(*pud)) && __pmd_alloc(mm, pud, address))?
100200 NULL: pmd_offset(pud, address);
100201 }
100202+
100203+static inline pmd_t *pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address)
100204+{
100205+ return (unlikely(pud_none(*pud)) && __pmd_alloc_kernel(mm, pud, address))?
100206+ NULL: pmd_offset(pud, address);
100207+}
100208 #endif /* CONFIG_MMU && !__ARCH_HAS_4LEVEL_HACK */
100209
100210 #if USE_SPLIT_PTE_PTLOCKS
100211@@ -1867,12 +1871,23 @@ extern struct vm_area_struct *copy_vma(struct vm_area_struct **,
100212 bool *need_rmap_locks);
100213 extern void exit_mmap(struct mm_struct *);
100214
100215+#if defined(CONFIG_GRKERNSEC) && (defined(CONFIG_GRKERNSEC_RESLOG) || !defined(CONFIG_GRKERNSEC_NO_RBAC))
100216+extern void gr_learn_resource(const struct task_struct *task, const int res,
100217+ const unsigned long wanted, const int gt);
100218+#else
100219+static inline void gr_learn_resource(const struct task_struct *task, const int res,
100220+ const unsigned long wanted, const int gt)
100221+{
100222+}
100223+#endif
100224+
100225 static inline int check_data_rlimit(unsigned long rlim,
100226 unsigned long new,
100227 unsigned long start,
100228 unsigned long end_data,
100229 unsigned long start_data)
100230 {
100231+ gr_learn_resource(current, RLIMIT_DATA, (new - start) + (end_data - start_data), 1);
100232 if (rlim < RLIM_INFINITY) {
100233 if (((new - start) + (end_data - start_data)) > rlim)
100234 return -ENOSPC;
100235@@ -1905,6 +1920,7 @@ extern unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
100236 unsigned long len, unsigned long prot, unsigned long flags,
100237 unsigned long pgoff, unsigned long *populate);
100238 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
100239+extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
100240
100241 #ifdef CONFIG_MMU
100242 extern int __mm_populate(unsigned long addr, unsigned long len,
100243@@ -1933,10 +1949,11 @@ struct vm_unmapped_area_info {
100244 unsigned long high_limit;
100245 unsigned long align_mask;
100246 unsigned long align_offset;
100247+ unsigned long threadstack_offset;
100248 };
100249
100250-extern unsigned long unmapped_area(struct vm_unmapped_area_info *info);
100251-extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
100252+extern unsigned long unmapped_area(const struct vm_unmapped_area_info *info);
100253+extern unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info);
100254
100255 /*
100256 * Search for an unmapped address range.
100257@@ -1948,7 +1965,7 @@ extern unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info);
100258 * - satisfies (begin_addr & align_mask) == (align_offset & align_mask)
100259 */
100260 static inline unsigned long
100261-vm_unmapped_area(struct vm_unmapped_area_info *info)
100262+vm_unmapped_area(const struct vm_unmapped_area_info *info)
100263 {
100264 if (info->flags & VM_UNMAPPED_AREA_TOPDOWN)
100265 return unmapped_area_topdown(info);
100266@@ -2010,6 +2027,10 @@ extern struct vm_area_struct * find_vma(struct mm_struct * mm, unsigned long add
100267 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
100268 struct vm_area_struct **pprev);
100269
100270+extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
100271+extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
100272+extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
100273+
100274 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
100275 NULL if none. Assume start_addr < end_addr. */
100276 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
100277@@ -2039,10 +2060,10 @@ static inline struct vm_area_struct *find_exact_vma(struct mm_struct *mm,
100278 }
100279
100280 #ifdef CONFIG_MMU
100281-pgprot_t vm_get_page_prot(unsigned long vm_flags);
100282+pgprot_t vm_get_page_prot(vm_flags_t vm_flags);
100283 void vma_set_page_prot(struct vm_area_struct *vma);
100284 #else
100285-static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
100286+static inline pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
100287 {
100288 return __pgprot(0);
100289 }
100290@@ -2104,6 +2125,11 @@ void vm_stat_account(struct mm_struct *, unsigned long, struct file *, long);
100291 static inline void vm_stat_account(struct mm_struct *mm,
100292 unsigned long flags, struct file *file, long pages)
100293 {
100294+
100295+#ifdef CONFIG_PAX_RANDMMAP
100296+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
100297+#endif
100298+
100299 mm->total_vm += pages;
100300 }
100301 #endif /* CONFIG_PROC_FS */
100302@@ -2207,7 +2233,7 @@ extern int get_hwpoison_page(struct page *page);
100303 extern int sysctl_memory_failure_early_kill;
100304 extern int sysctl_memory_failure_recovery;
100305 extern void shake_page(struct page *p, int access);
100306-extern atomic_long_t num_poisoned_pages;
100307+extern atomic_long_unchecked_t num_poisoned_pages;
100308 extern int soft_offline_page(struct page *page, int flags);
100309
100310
100311@@ -2292,5 +2318,11 @@ void __init setup_nr_node_ids(void);
100312 static inline void setup_nr_node_ids(void) {}
100313 #endif
100314
100315+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
100316+extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
100317+#else
100318+static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
100319+#endif
100320+
100321 #endif /* __KERNEL__ */
100322 #endif /* _LINUX_MM_H */
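Review bot: In `vm_stat_account` the new `if (...)` sits inside `#ifdef CONFIG_PAX_RANDMMAP`, but its body, `mm->total_vm += pages;`, is outside the `#endif` and unbraced, so any statement later inserted between the two silently becomes the conditional body in PaX builds only. Since the function is `void` and that statement is its whole body, an early return keeps the logic and removes the hazard: `if ((mm->pax_flags & MF_PAX_RANDMMAP) && !(flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))` followed by `return;`, both inside the `#ifdef`. Separately, `check_data_rlimit` now spells `(new - start) + (end_data - start_data)` twice. Computing it once into a local and passing that to both `gr_learn_resource` and the limit comparison keeps the reported value and the enforced value from drifting apart.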
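--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -322,7 +322,9 @@ struct vm_area_struct {
 #ifdef CONFIG_NUMA
 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
 #endif
-};
+
+ struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
+} __randomize_layout;
 
 struct core_thread {
 struct task_struct *task;
@@ -475,7 +477,25 @@ struct mm_struct {
 /* address of the bounds directory */
 void __user *bd_addr;
 #endif
-};
+
+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
+ unsigned long pax_flags;
+#endif
+
+#ifdef CONFIG_PAX_DLRESOLVE
+ unsigned long call_dl_resolve;
+#endif
+
+#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
+ unsigned long call_syscall;
+#endif
+
+#ifdef CONFIG_PAX_ASLR
+ unsigned long delta_mmap; /* randomized offset */
+ unsigned long delta_stack; /* randomized offset */
+#endif
+
+} __randomize_layout;
 
 static inline void mm_init_cpumask(struct mm_struct *mm)
 {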
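Review bot: `vm_mirror` is a raw pointer from one vma to another, documented only as `/* PaX: mirror vma or NULL */`, and nothing here says which code clears it when either side is unmapped, split or copied. A stale value would be a dangling pointer into freed vma memory, so the invariant belongs in the comment, e.g. `/* PaX: mirror vma or NULL; set and cleared in pairs under mmap_sem */`; confirm the lock against the implementation, which is outside this section. The field is also added unconditionally, unlike the `mm_struct` members in the next hunk that are wrapped in `CONFIG_PAX_*` guards, so every vma grows by a pointer even in builds that never use mirroring.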
100365diff --git a/include/linux/mmiotrace.h b/include/linux/mmiotrace.h
100366index 3ba327a..85cd5ce 100644
100367--- a/include/linux/mmiotrace.h
100368+++ b/include/linux/mmiotrace.h
100369@@ -46,7 +46,7 @@ extern int kmmio_handler(struct pt_regs *regs, unsigned long addr);
100370 /* Called from ioremap.c */
100371 extern void mmiotrace_ioremap(resource_size_t offset, unsigned long size,
100372 void __iomem *addr);
100373-extern void mmiotrace_iounmap(volatile void __iomem *addr);
100374+extern void mmiotrace_iounmap(const volatile void __iomem *addr);
100375
100376 /* For anyone to insert markers. Remember trailing newline. */
100377 extern __printf(1, 2) int mmiotrace_printk(const char *fmt, ...);
100378@@ -66,7 +66,7 @@ static inline void mmiotrace_ioremap(resource_size_t offset,
100379 {
100380 }
100381
100382-static inline void mmiotrace_iounmap(volatile void __iomem *addr)
100383+static inline void mmiotrace_iounmap(const volatile void __iomem *addr)
100384 {
100385 }
100386
100387diff --git a/include/linux/mmzone.h b/include/linux/mmzone.h
100388index 754c259..7b65ac6 100644
100389--- a/include/linux/mmzone.h
100390+++ b/include/linux/mmzone.h
100391@@ -526,7 +526,7 @@ struct zone {
100392
100393 ZONE_PADDING(_pad3_)
100394 /* Zone statistics */
100395- atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
100396+ atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
100397 } ____cacheline_internodealigned_in_smp;
100398
100399 enum zone_flags {
100400diff --git a/include/linux/mod_devicetable.h b/include/linux/mod_devicetable.h
100401index 34f25b7..0586069 100644
100402--- a/include/linux/mod_devicetable.h
100403+++ b/include/linux/mod_devicetable.h
100404@@ -139,7 +139,7 @@ struct usb_device_id {
100405 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
100406 #define USB_DEVICE_ID_MATCH_INT_NUMBER 0x0400
100407
100408-#define HID_ANY_ID (~0)
100409+#define HID_ANY_ID (~0U)
100410 #define HID_BUS_ANY 0xffff
100411 #define HID_GROUP_ANY 0x0000
100412
100413@@ -472,7 +472,7 @@ struct dmi_system_id {
100414 const char *ident;
100415 struct dmi_strmatch matches[4];
100416 void *driver_data;
100417-};
100418+} __do_const;
100419 /*
100420 * struct dmi_device_id appears during expansion of
100421 * "MODULE_DEVICE_TABLE(dmi, x)". Compiler doesn't look inside it
100422diff --git a/include/linux/module.h b/include/linux/module.h
100423index 3a19c79..dea8c47 100644
100424--- a/include/linux/module.h
100425+++ b/include/linux/module.h
100426@@ -19,9 +19,11 @@
100427 #include <linux/jump_label.h>
100428 #include <linux/export.h>
100429 #include <linux/rbtree_latch.h>
100430+#include <linux/fs.h>
100431
100432 #include <linux/percpu.h>
100433 #include <asm/module.h>
100434+#include <asm/pgtable.h>
100435
100436 /* In stripped ARM and x86-64 modules, ~ is surprisingly rare. */
100437 #define MODULE_SIG_STRING "~Module signature appended~\n"
100438@@ -44,7 +46,7 @@ struct module_kobject {
100439 struct kobject *drivers_dir;
100440 struct module_param_attrs *mp;
100441 struct completion *kobj_completion;
100442-};
100443+} __randomize_layout;
100444
100445 struct module_attribute {
100446 struct attribute attr;
100447@@ -56,12 +58,13 @@ struct module_attribute {
100448 int (*test)(struct module *);
100449 void (*free)(struct module *);
100450 };
100451+typedef struct module_attribute __no_const module_attribute_no_const;
100452
100453 struct module_version_attribute {
100454 struct module_attribute mattr;
100455 const char *module_name;
100456 const char *version;
100457-} __attribute__ ((__aligned__(sizeof(void *))));
100458+} __do_const __attribute__ ((__aligned__(sizeof(void *))));
100459
100460 extern ssize_t __modver_version_show(struct module_attribute *,
100461 struct module_kobject *, char *);
100462@@ -313,7 +316,7 @@ struct module {
100463
100464 /* Sysfs stuff. */
100465 struct module_kobject mkobj;
100466- struct module_attribute *modinfo_attrs;
100467+ module_attribute_no_const *modinfo_attrs;
100468 const char *version;
100469 const char *srcversion;
100470 struct kobject *holders_dir;
100471@@ -370,20 +373,21 @@ struct module {
100472 * If this is non-NULL, vfree() after init() returns.
100473 *
100474 * Cacheline align here, such that:
100475- * module_init, module_core, init_size, core_size,
100476+ * module_init_*, module_core_*, init_size_*, core_size_*,
100477 * init_text_size, core_text_size and mtn_core::{mod,node[0]}
100478 * are on the same cacheline.
100479 */
100480- void *module_init ____cacheline_aligned;
100481+ void *module_init_rw ____cacheline_aligned;
100482+ void *module_init_rx;
100483
100484 /* Here is the actual code + data, vfree'd on unload. */
100485- void *module_core;
100486+ void *module_core_rx, *module_core_rw;
100487
100488 /* Here are the sizes of the init and core sections */
100489- unsigned int init_size, core_size;
100490+ unsigned int init_size_rw, core_size_rw;
100491
100492 /* The size of the executable code in each section. */
100493- unsigned int init_text_size, core_text_size;
100494+ unsigned int init_size_rx, core_size_rx;
100495
100496 #ifdef CONFIG_MODULES_TREE_LOOKUP
100497 /*
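Review bot: The rewritten cacheline comment still names `init_text_size, core_text_size` and `mtn_core::{mod,node[0]}`, but this hunk renames the sizes to `init_size_rx`/`core_size_rx` and the next hunk splits the tree nodes into `mtn_core_rw`/`mtn_core_rx`. The two field comments are also stale: "Here are the sizes of the init and core sections" now sits over the RW sizes only, and "The size of the executable code in each section" over the RX sizes. I would reword them to `/* Sizes of the writable (RW) init and core regions */` and `/* Sizes of the read-only/executable (RX) init and core regions */`, and list the real field names in the alignment comment. Whether everything listed still shares one cacheline with two extra pointers cannot be checked from this hunk, so that claim should be re-verified or dropped. `struct module` starts and ends outside the hunk.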
100498@@ -391,13 +395,12 @@ struct module {
100499 * above entries such that a regular lookup will only touch one
100500 * cacheline.
100501 */
100502- struct mod_tree_node mtn_core;
100503- struct mod_tree_node mtn_init;
100504+ struct mod_tree_node mtn_core_rw;
100505+ struct mod_tree_node mtn_core_rx;
100506+ struct mod_tree_node mtn_init_rw;
100507+ struct mod_tree_node mtn_init_rx;
100508 #endif
100509
100510- /* Size of RO sections of the module (text+rodata) */
100511- unsigned int init_ro_size, core_ro_size;
100512-
100513 /* Arch-specific module values */
100514 struct mod_arch_specific arch;
100515
100516@@ -454,6 +457,10 @@ struct module {
100517 unsigned int num_trace_events;
100518 struct trace_enum_map **trace_enums;
100519 unsigned int num_trace_enums;
100520+ struct file_operations trace_id;
100521+ struct file_operations trace_enable;
100522+ struct file_operations trace_format;
100523+ struct file_operations trace_filter;
100524 #endif
100525 #ifdef CONFIG_FTRACE_MCOUNT_RECORD
100526 unsigned int num_ftrace_callsites;
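Review bot: The four `struct file_operations` members added after `num_trace_enums` are embedded by value with no comment saying why each module needs private copies. They are function-pointer tables living inside a writable `struct module`, whereas the rest of this patch moves ops structures towards `__do_const`, so the exception deserves a sentence. Something like `/* per-module copies of the trace event fops; filled in at load time (reason: TODO document) */` would tell the next reader that the writability is deliberate. The enclosing `#ifdef` opens outside the hunk.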
100527@@ -481,7 +488,8 @@ struct module {
100528 ctor_fn_t *ctors;
100529 unsigned int num_ctors;
100530 #endif
100531-} ____cacheline_aligned;
100532+} ____cacheline_aligned __randomize_layout;
100533+
100534 #ifndef MODULE_ARCH_INIT
100535 #define MODULE_ARCH_INIT {}
100536 #endif
100537@@ -502,18 +510,48 @@ bool is_module_address(unsigned long addr);
100538 bool is_module_percpu_address(unsigned long addr);
100539 bool is_module_text_address(unsigned long addr);
100540
100541+static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
100542+{
100543+
100544+#ifdef CONFIG_PAX_KERNEXEC
100545+ if (ktla_ktva(addr) >= (unsigned long)start &&
100546+ ktla_ktva(addr) < (unsigned long)start + size)
100547+ return 1;
100548+#endif
100549+
100550+ return ((void *)addr >= start && (void *)addr < start + size);
100551+}
100552+
100553+static inline int within_module_core_rx(unsigned long addr, const struct module *mod)
100554+{
100555+ return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
100556+}
100557+
100558+static inline int within_module_core_rw(unsigned long addr, const struct module *mod)
100559+{
100560+ return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
100561+}
100562+
100563+static inline int within_module_init_rx(unsigned long addr, const struct module *mod)
100564+{
100565+ return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
100566+}
100567+
100568+static inline int within_module_init_rw(unsigned long addr, const struct module *mod)
100569+{
100570+ return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
100571+}
100572+
100573 static inline bool within_module_core(unsigned long addr,
100574 const struct module *mod)
100575 {
100576- return (unsigned long)mod->module_core <= addr &&
100577- addr < (unsigned long)mod->module_core + mod->core_size;
100578+ return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
100579 }
100580
100581 static inline bool within_module_init(unsigned long addr,
100582 const struct module *mod)
100583 {
100584- return (unsigned long)mod->module_init <= addr &&
100585- addr < (unsigned long)mod->module_init + mod->init_size;
100586+ return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
100587 }
100588
100589 static inline bool within_module(unsigned long addr, const struct module *mod)
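Review bot: `within_module_range()` mixes two styles of range check: the KERNEXEC arm compares `unsigned long` values, while the fallback does arithmetic on a `void *` (`start + size`, a GNU extension) and compares pointers. Doing the fallback in integers as well reads more uniformly and avoids computing `start + size` at all: `unsigned long base = (unsigned long)start;` then `return addr >= base && addr - base < size;`. The helper and the four `_rx`/`_rw` wrappers return `int` while `within_module_core()` and `within_module_init()` return `bool`; making them all `bool` and taking `const void *start` would match the callers. A one-line comment that under `CONFIG_PAX_KERNEXEC` the address is accepted either as given or after `ktla_ktva()` translation would help, since that widening is easy to miss; the blank line after the opening brace can go. `within_module()` continues outside the hunk.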
100590diff --git a/include/linux/moduleloader.h b/include/linux/moduleloader.h
100591index 4d0cb9b..3169ac7 100644
100592--- a/include/linux/moduleloader.h
100593+++ b/include/linux/moduleloader.h
100594@@ -25,9 +25,21 @@ unsigned int arch_mod_section_prepend(struct module *mod, unsigned int section);
100595 sections. Returns NULL on failure. */
100596 void *module_alloc(unsigned long size);
100597
100598+#ifdef CONFIG_PAX_KERNEXEC
100599+void *module_alloc_exec(unsigned long size);
100600+#else
100601+#define module_alloc_exec(x) module_alloc(x)
100602+#endif
100603+
100604 /* Free memory returned from module_alloc. */
100605 void module_memfree(void *module_region);
100606
100607+#ifdef CONFIG_PAX_KERNEXEC
100608+void module_memfree_exec(void *module_region);
100609+#else
100610+#define module_memfree_exec(x) module_memfree((x))
100611+#endif
100612+
100613 /*
100614 * Apply the given relocation to the (simplified) ELF. Return -error
100615 * or 0.
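Review bot: The two non-KERNEXEC fallbacks are written differently, `#define module_alloc_exec(x) module_alloc(x)` versus `#define module_memfree_exec(x) module_memfree((x))`, and as macros they skip the argument type checking that the KERNEXEC prototypes get. A pair of `static inline` wrappers would keep both configurations type-checked in the same way, e.g. `static inline void *module_alloc_exec(unsigned long size) { return module_alloc(size); }`. The new declarations also lack the one-line comments that `module_alloc` and `module_memfree` carry; a note that memory from `module_alloc_exec()` must be released with `module_memfree_exec()` would document the pairing.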
100616@@ -45,8 +57,10 @@ static inline int apply_relocate(Elf_Shdr *sechdrs,
100617 unsigned int relsec,
100618 struct module *me)
100619 {
100620+#ifdef CONFIG_MODULES
100621 printk(KERN_ERR "module %s: REL relocation unsupported\n",
100622 module_name(me));
100623+#endif
100624 return -ENOEXEC;
100625 }
100626 #endif
100627@@ -68,8 +82,10 @@ static inline int apply_relocate_add(Elf_Shdr *sechdrs,
100628 unsigned int relsec,
100629 struct module *me)
100630 {
100631+#ifdef CONFIG_MODULES
100632 printk(KERN_ERR "module %s: REL relocation unsupported\n",
100633 module_name(me));
100634+#endif
100635 return -ENOEXEC;
100636 }
100637 #endif
100638diff --git a/include/linux/moduleparam.h b/include/linux/moduleparam.h
100639index c12f214..3ef907f 100644
100640--- a/include/linux/moduleparam.h
100641+++ b/include/linux/moduleparam.h
100642@@ -289,7 +289,7 @@ static inline void kernel_param_unlock(struct module *mod)
100643 * @len is usually just sizeof(string).
100644 */
100645 #define module_param_string(name, string, len, perm) \
100646- static const struct kparam_string __param_string_##name \
100647+ static const struct kparam_string __param_string_##name __used \
100648 = { len, string }; \
100649 __module_param_call(MODULE_PARAM_PREFIX, name, \
100650 &param_ops_string, \
100651@@ -440,7 +440,7 @@ extern int param_set_bint(const char *val, const struct kernel_param *kp);
100652 */
100653 #define module_param_array_named(name, array, type, nump, perm) \
100654 param_check_##type(name, &(array)[0]); \
100655- static const struct kparam_array __param_arr_##name \
100656+ static const struct kparam_array __param_arr_##name __used \
100657 = { .max = ARRAY_SIZE(array), .num = nump, \
100658 .ops = &param_ops_##type, \
100659 .elemsize = sizeof(array[0]), .elem = array }; \
100660diff --git a/include/linux/mount.h b/include/linux/mount.h
100661index f822c3c..958ca0a 100644
100662--- a/include/linux/mount.h
100663+++ b/include/linux/mount.h
100664@@ -67,7 +67,7 @@ struct vfsmount {
100665 struct dentry *mnt_root; /* root of the mounted tree */
100666 struct super_block *mnt_sb; /* pointer to superblock */
100667 int mnt_flags;
100668-};
100669+} __randomize_layout;
100670
100671 struct file; /* forward dec */
100672 struct path;
100673diff --git a/include/linux/net.h b/include/linux/net.h
100674index 04aa068..8a24df5 100644
100675--- a/include/linux/net.h
100676+++ b/include/linux/net.h
100677@@ -189,7 +189,7 @@ struct net_proto_family {
100678 int (*create)(struct net *net, struct socket *sock,
100679 int protocol, int kern);
100680 struct module *owner;
100681-};
100682+} __do_const;
100683
100684 struct iovec;
100685 struct kvec;
100686diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
100687index e20979d..3c7827b 100644
100688--- a/include/linux/netdevice.h
100689+++ b/include/linux/netdevice.h
100690@@ -1212,6 +1212,7 @@ struct net_device_ops {
100691 u32 maxrate);
100692 int (*ndo_get_iflink)(const struct net_device *dev);
100693 };
100694+typedef struct net_device_ops __no_const net_device_ops_no_const;
100695
100696 /**
100697 * enum net_device_priv_flags - &struct net_device priv_flags
100698@@ -1519,7 +1520,7 @@ struct net_device {
100699 unsigned long base_addr;
100700 int irq;
100701
100702- atomic_t carrier_changes;
100703+ atomic_unchecked_t carrier_changes;
100704
100705 /*
100706 * Some hardware also needs these fields (state,dev_list,
100707@@ -1558,8 +1559,8 @@ struct net_device {
100708
100709 struct net_device_stats stats;
100710
100711- atomic_long_t rx_dropped;
100712- atomic_long_t tx_dropped;
100713+ atomic_long_unchecked_t rx_dropped;
100714+ atomic_long_unchecked_t tx_dropped;
100715
100716 #ifdef CONFIG_WIRELESS_EXT
100717 const struct iw_handler_def * wireless_handlers;
100718diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
100719index 00050df..0bc7081 100644
100720--- a/include/linux/netfilter.h
100721+++ b/include/linux/netfilter.h
100722@@ -115,7 +115,7 @@ struct nf_sockopt_ops {
100723 #endif
100724 /* Use the module struct to lock set/get code in place */
100725 struct module *owner;
100726-};
100727+} __do_const;
100728
100729 /* Function to register/unregister hook points. */
100730 int nf_register_hook(struct nf_hook_ops *reg);
100731diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
100732index e955d47..04a5338 100644
100733--- a/include/linux/netfilter/nfnetlink.h
100734+++ b/include/linux/netfilter/nfnetlink.h
100735@@ -19,7 +19,7 @@ struct nfnl_callback {
100736 const struct nlattr * const cda[]);
100737 const struct nla_policy *policy; /* netlink attribute policy */
100738 const u_int16_t attr_count; /* number of nlattr's */
100739-};
100740+} __do_const;
100741
100742 struct nfnetlink_subsystem {
100743 const char *name;
100744diff --git a/include/linux/netfilter/xt_gradm.h b/include/linux/netfilter/xt_gradm.h
100745new file mode 100644
100746index 0000000..33f4af8
100747--- /dev/null
100748+++ b/include/linux/netfilter/xt_gradm.h
100749@@ -0,0 +1,9 @@
100750+#ifndef _LINUX_NETFILTER_XT_GRADM_H
100751+#define _LINUX_NETFILTER_XT_GRADM_H 1
100752+
100753+struct xt_gradm_mtinfo {
100754+ __u16 flags;
100755+ __u16 invflags;
100756+};
100757+
100758+#endif
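Review bot: The new header uses `__u16` without including anything, so it only compiles when the includer has already pulled in the type definitions. Adding `#include <linux/types.h>` right after the include guard makes it self-contained. `flags` and `invflags` carry no comment on which bits are defined or how the inversion mask relates to `flags`; a short comment on the struct would save readers a search through the match implementation, which is not part of this section.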
100759diff --git a/include/linux/nls.h b/include/linux/nls.h
100760index 520681b..2b7fabb 100644
100761--- a/include/linux/nls.h
100762+++ b/include/linux/nls.h
100763@@ -31,7 +31,7 @@ struct nls_table {
100764 const unsigned char *charset2upper;
100765 struct module *owner;
100766 struct nls_table *next;
100767-};
100768+} __do_const;
100769
100770 /* this value hold the maximum octet of charset */
100771 #define NLS_MAX_CHARSET_SIZE 6 /* for UTF-8 */
100772@@ -46,7 +46,7 @@ enum utf16_endian {
100773 /* nls_base.c */
100774 extern int __register_nls(struct nls_table *, struct module *);
100775 extern int unregister_nls(struct nls_table *);
100776-extern struct nls_table *load_nls(char *);
100777+extern struct nls_table *load_nls(const char *);
100778 extern void unload_nls(struct nls_table *);
100779 extern struct nls_table *load_nls_default(void);
100780 #define register_nls(nls) __register_nls((nls), THIS_MODULE)
100781diff --git a/include/linux/notifier.h b/include/linux/notifier.h
100782index d14a4c3..a078786 100644
100783--- a/include/linux/notifier.h
100784+++ b/include/linux/notifier.h
100785@@ -54,7 +54,8 @@ struct notifier_block {
100786 notifier_fn_t notifier_call;
100787 struct notifier_block __rcu *next;
100788 int priority;
100789-};
100790+} __do_const;
100791+typedef struct notifier_block __no_const notifier_block_no_const;
100792
100793 struct atomic_notifier_head {
100794 spinlock_t lock;
100795diff --git a/include/linux/oprofile.h b/include/linux/oprofile.h
100796index b2a0f15..4d7da32 100644
100797--- a/include/linux/oprofile.h
100798+++ b/include/linux/oprofile.h
100799@@ -138,9 +138,9 @@ int oprofilefs_create_ulong(struct dentry * root,
100800 int oprofilefs_create_ro_ulong(struct dentry * root,
100801 char const * name, ulong * val);
100802
100803-/** Create a file for read-only access to an atomic_t. */
100804+/** Create a file for read-only access to an atomic_unchecked_t. */
100805 int oprofilefs_create_ro_atomic(struct dentry * root,
100806- char const * name, atomic_t * val);
100807+ char const * name, atomic_unchecked_t * val);
100808
100809 /** create a directory */
100810 struct dentry *oprofilefs_mkdir(struct dentry *parent, char const *name);
100811diff --git a/include/linux/padata.h b/include/linux/padata.h
100812index 4386946..f50c615 100644
100813--- a/include/linux/padata.h
100814+++ b/include/linux/padata.h
100815@@ -129,7 +129,7 @@ struct parallel_data {
100816 struct padata_serial_queue __percpu *squeue;
100817 atomic_t reorder_objects;
100818 atomic_t refcnt;
100819- atomic_t seq_nr;
100820+ atomic_unchecked_t seq_nr;
100821 struct padata_cpumask cpumask;
100822 spinlock_t lock ____cacheline_aligned;
100823 unsigned int processed;
100824diff --git a/include/linux/path.h b/include/linux/path.h
100825index d137218..be0c176 100644
100826--- a/include/linux/path.h
100827+++ b/include/linux/path.h
100828@@ -1,13 +1,15 @@
100829 #ifndef _LINUX_PATH_H
100830 #define _LINUX_PATH_H
100831
100832+#include <linux/compiler.h>
100833+
100834 struct dentry;
100835 struct vfsmount;
100836
100837 struct path {
100838 struct vfsmount *mnt;
100839 struct dentry *dentry;
100840-};
100841+} __randomize_layout;
100842
100843 extern void path_get(const struct path *);
100844 extern void path_put(const struct path *);
100845diff --git a/include/linux/pci_hotplug.h b/include/linux/pci_hotplug.h
100846index 8c78950..0d74ed9 100644
100847--- a/include/linux/pci_hotplug.h
100848+++ b/include/linux/pci_hotplug.h
100849@@ -71,7 +71,8 @@ struct hotplug_slot_ops {
100850 int (*get_latch_status) (struct hotplug_slot *slot, u8 *value);
100851 int (*get_adapter_status) (struct hotplug_slot *slot, u8 *value);
100852 int (*reset_slot) (struct hotplug_slot *slot, int probe);
100853-};
100854+} __do_const;
100855+typedef struct hotplug_slot_ops __no_const hotplug_slot_ops_no_const;
100856
100857 /**
100858 * struct hotplug_slot_info - used to notify the hotplug pci core of the state of the slot
100859diff --git a/include/linux/percpu.h b/include/linux/percpu.h
100860index caebf2a..4c3ae9d 100644
100861--- a/include/linux/percpu.h
100862+++ b/include/linux/percpu.h
100863@@ -34,7 +34,7 @@
100864 * preallocate for this. Keep PERCPU_DYNAMIC_RESERVE equal to or
100865 * larger than PERCPU_DYNAMIC_EARLY_SIZE.
100866 */
100867-#define PERCPU_DYNAMIC_EARLY_SLOTS 128
100868+#define PERCPU_DYNAMIC_EARLY_SLOTS 256
100869 #define PERCPU_DYNAMIC_EARLY_SIZE (12 << 10)
100870
100871 /*
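Review bot: `PERCPU_DYNAMIC_EARLY_SLOTS` is doubled to 256 while `PERCPU_DYNAMIC_EARLY_SIZE` on the next line stays at `(12 << 10)`, and the surrounding comment is unchanged. Without a rationale the new value reads as a magic number that a later rebase could silently revert. A trailing comment naming what needs the extra early slots would record the reason, which is not visible from this hunk.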
100872diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
100873index 2027809..c9cd38e 100644
100874--- a/include/linux/perf_event.h
100875+++ b/include/linux/perf_event.h
100876@@ -384,8 +384,8 @@ struct perf_event {
100877
100878 enum perf_event_active_state state;
100879 unsigned int attach_state;
100880- local64_t count;
100881- atomic64_t child_count;
100882+ local64_t count; /* PaX: fix it one day */
100883+ atomic64_unchecked_t child_count;
100884
100885 /*
100886 * These are the total time in nanoseconds that the event
100887@@ -436,8 +436,8 @@ struct perf_event {
100888 * These accumulate total time (in nanoseconds) that children
100889 * events have been enabled and running, respectively.
100890 */
100891- atomic64_t child_total_time_enabled;
100892- atomic64_t child_total_time_running;
100893+ atomic64_unchecked_t child_total_time_enabled;
100894+ atomic64_unchecked_t child_total_time_running;
100895
100896 /*
100897 * Protect attach/detach and child_list:
100898@@ -859,7 +859,7 @@ static inline void perf_event_task_sched_out(struct task_struct *prev,
100899
100900 static inline u64 __perf_event_count(struct perf_event *event)
100901 {
100902- return local64_read(&event->count) + atomic64_read(&event->child_count);
100903+ return local64_read(&event->count) + atomic64_read_unchecked(&event->child_count);
100904 }
100905
100906 extern void perf_event_mmap(struct vm_area_struct *vma);
100907@@ -883,7 +883,7 @@ static inline void perf_callchain_store(struct perf_callchain_entry *entry, u64
100908 entry->ip[entry->nr++] = ip;
100909 }
100910
100911-extern int sysctl_perf_event_paranoid;
100912+extern int sysctl_perf_event_legitimately_concerned;
100913 extern int sysctl_perf_event_mlock;
100914 extern int sysctl_perf_event_sample_rate;
100915 extern int sysctl_perf_cpu_time_max_percent;
100916@@ -898,19 +898,24 @@ extern int perf_cpu_time_max_percent_handler(struct ctl_table *table, int write,
100917 loff_t *ppos);
100918
100919
100920+static inline bool perf_paranoid_any(void)
100921+{
100922+ return sysctl_perf_event_legitimately_concerned > 2;
100923+}
100924+
100925 static inline bool perf_paranoid_tracepoint_raw(void)
100926 {
100927- return sysctl_perf_event_paranoid > -1;
100928+ return sysctl_perf_event_legitimately_concerned > -1;
100929 }
100930
100931 static inline bool perf_paranoid_cpu(void)
100932 {
100933- return sysctl_perf_event_paranoid > 0;
100934+ return sysctl_perf_event_legitimately_concerned > 0;
100935 }
100936
100937 static inline bool perf_paranoid_kernel(void)
100938 {
100939- return sysctl_perf_event_paranoid > 1;
100940+ return sysctl_perf_event_legitimately_concerned > 1;
100941 }
100942
100943 extern void perf_event_init(void);
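Review bot: `perf_paranoid_any()` introduces a fourth threshold (`> 2`) above the three existing helpers (`> -1`, `> 0`, `> 1`), but nothing here states what the new level restricts or what callers are expected to do when it returns true. Since this is an access-control knob, I would add a short block comment above the four helpers listing each level and the operations it denies, and document the new level in the sysctl documentation as well. The variable is renamed to `sysctl_perf_event_legitimately_concerned` while the helpers keep the `perf_paranoid_*` prefix; a one-line comment at the `extern` noting the user-visible sysctl name it backs would keep the two greppable. The code that consults `perf_paranoid_any()` is outside this hunk.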
100944@@ -1066,7 +1071,7 @@ struct perf_pmu_events_attr {
100945 struct device_attribute attr;
100946 u64 id;
100947 const char *event_str;
100948-};
100949+} __do_const;
100950
100951 ssize_t perf_event_sysfs_show(struct device *dev, struct device_attribute *attr,
100952 char *page);
100953diff --git a/include/linux/pid_namespace.h b/include/linux/pid_namespace.h
100954index 918b117..7af374b7 100644
100955--- a/include/linux/pid_namespace.h
100956+++ b/include/linux/pid_namespace.h
100957@@ -45,7 +45,7 @@ struct pid_namespace {
100958 int hide_pid;
100959 int reboot; /* group exit code if this pidns was rebooted */
100960 struct ns_common ns;
100961-};
100962+} __randomize_layout;
100963
100964 extern struct pid_namespace init_pid_ns;
100965
100966diff --git a/include/linux/pipe_fs_i.h b/include/linux/pipe_fs_i.h
100967index eb8b8ac..62649e1 100644
100968--- a/include/linux/pipe_fs_i.h
100969+++ b/include/linux/pipe_fs_i.h
100970@@ -47,10 +47,10 @@ struct pipe_inode_info {
100971 struct mutex mutex;
100972 wait_queue_head_t wait;
100973 unsigned int nrbufs, curbuf, buffers;
100974- unsigned int readers;
100975- unsigned int writers;
100976- unsigned int files;
100977- unsigned int waiting_writers;
100978+ atomic_t readers;
100979+ atomic_t writers;
100980+ atomic_t files;
100981+ atomic_t waiting_writers;
100982 unsigned int r_counter;
100983 unsigned int w_counter;
100984 struct page *tmp_page;
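Review bot: `readers`, `writers`, `files` and `waiting_writers` change from `unsigned int` to `atomic_t` without a comment explaining the choice, and the struct's member documentation (outside this hunk) presumably still describes them as plain counts. Elsewhere in this patch pure statistics are moved to `atomic_unchecked_t` (for example `rx_dropped` in netdevice.h), so keeping these as `atomic_t` looks like a deliberate decision to have overflow detected on them; that intent should be written down. I would add `/* atomic_t, not _unchecked: these are usage counts and must not wrap */` above the four fields, adjusted if the reason is different. Every reader and writer of these fields has to move to the `atomic_*` accessors in the same patch; those sites are not visible here.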
100985diff --git a/include/linux/pm.h b/include/linux/pm.h
100986index 35d599e..c604209 100644
100987--- a/include/linux/pm.h
100988+++ b/include/linux/pm.h
100989@@ -630,6 +630,7 @@ struct dev_pm_domain {
100990 void (*sync)(struct device *dev);
100991 void (*dismiss)(struct device *dev);
100992 };
100993+typedef struct dev_pm_domain __no_const dev_pm_domain_no_const;
100994
100995 /*
100996 * The PM_EVENT_ messages are also used by drivers implementing the legacy
100997diff --git a/include/linux/pm_domain.h b/include/linux/pm_domain.h
100998index 681ccb0..a90e0b7 100644
100999--- a/include/linux/pm_domain.h
101000+++ b/include/linux/pm_domain.h
101001@@ -39,11 +39,11 @@ struct gpd_dev_ops {
101002 int (*save_state)(struct device *dev);
101003 int (*restore_state)(struct device *dev);
101004 bool (*active_wakeup)(struct device *dev);
101005-};
101006+} __no_const;
101007
101008 struct gpd_cpuidle_data {
101009 unsigned int saved_exit_latency;
101010- struct cpuidle_state *idle_state;
101011+ cpuidle_state_no_const *idle_state;
101012 };
101013
101014 struct generic_pm_domain {
101015diff --git a/include/linux/pm_runtime.h b/include/linux/pm_runtime.h
101016index 30e84d4..22278b4 100644
101017--- a/include/linux/pm_runtime.h
101018+++ b/include/linux/pm_runtime.h
101019@@ -115,7 +115,7 @@ static inline bool pm_runtime_callbacks_present(struct device *dev)
101020
101021 static inline void pm_runtime_mark_last_busy(struct device *dev)
101022 {
101023- ACCESS_ONCE(dev->power.last_busy) = jiffies;
101024+ ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
101025 }
101026
101027 static inline bool pm_runtime_is_irq_safe(struct device *dev)
101028diff --git a/include/linux/pnp.h b/include/linux/pnp.h
101029index 5df733b..d55f252 100644
101030--- a/include/linux/pnp.h
101031+++ b/include/linux/pnp.h
101032@@ -298,7 +298,7 @@ static inline void pnp_set_drvdata(struct pnp_dev *pdev, void *data)
101033 struct pnp_fixup {
101034 char id[7];
101035 void (*quirk_function) (struct pnp_dev * dev); /* fixup function */
101036-};
101037+} __do_const;
101038
101039 /* config parameters */
101040 #define PNP_CONFIG_NORMAL 0x0001
101041diff --git a/include/linux/poison.h b/include/linux/poison.h
101042index 2110a81..13a11bb 100644
101043--- a/include/linux/poison.h
101044+++ b/include/linux/poison.h
101045@@ -19,8 +19,8 @@
101046 * under normal circumstances, used to verify that nobody uses
101047 * non-initialized list entries.
101048 */
101049-#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
101050-#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
101051+#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
101052+#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
101053
101054 /********** include/linux/timer.h **********/
101055 /*
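Review bot: The new poison values drop `POISON_POINTER_DELTA`, and the `(long)` cast does not sign-extend: `0xFFFFFF01` is an `unsigned int` constant, so on a 64-bit build `LIST_POISON1` becomes `0x00000000FFFFFF01`, an address in the lower half of the address space rather than near the top. The retained comment says these pointers fault "under normal circumstances"; with this value that only holds if kernel accesses to that range are guaranteed to trap, which depends on configuration not visible in this hunk. Please state the intent next to the defines, e.g. `/* 64-bit: deliberately a low address; relies on kernel-to-userland access prevention to fault */`. If a high address was meant instead, the constants need a wider literal rather than a cast. Making `CONFIG_ILLEGAL_POINTER_VALUE` ineffective for list poison also deserves a mention in the comment.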
101056diff --git a/include/linux/power/smartreflex.h b/include/linux/power/smartreflex.h
101057index d8b187c3..9a9257a 100644
101058--- a/include/linux/power/smartreflex.h
101059+++ b/include/linux/power/smartreflex.h
101060@@ -238,7 +238,7 @@ struct omap_sr_class_data {
101061 int (*notify)(struct omap_sr *sr, u32 status);
101062 u8 notify_flags;
101063 u8 class_type;
101064-};
101065+} __do_const;
101066
101067 /**
101068 * struct omap_sr_nvalue_table - Smartreflex n-target value info
101069diff --git a/include/linux/ppp-comp.h b/include/linux/ppp-comp.h
101070index 4ea1d37..80f4b33 100644
101071--- a/include/linux/ppp-comp.h
101072+++ b/include/linux/ppp-comp.h
101073@@ -84,7 +84,7 @@ struct compressor {
101074 struct module *owner;
101075 /* Extra skb space needed by the compressor algorithm */
101076 unsigned int comp_extra;
101077-};
101078+} __do_const;
101079
101080 /*
101081 * The return value from decompress routine is the length of the
101082diff --git a/include/linux/preempt.h b/include/linux/preempt.h
101083index bea8dd8..534a23d 100644
101084--- a/include/linux/preempt.h
101085+++ b/include/linux/preempt.h
101086@@ -140,11 +140,16 @@ extern void preempt_count_sub(int val);
101087 #define preempt_count_dec_and_test() __preempt_count_dec_and_test()
101088 #endif
101089
101090+#define raw_preempt_count_add(val) __preempt_count_add(val)
101091+#define raw_preempt_count_sub(val) __preempt_count_sub(val)
101092+
101093 #define __preempt_count_inc() __preempt_count_add(1)
101094 #define __preempt_count_dec() __preempt_count_sub(1)
101095
101096 #define preempt_count_inc() preempt_count_add(1)
101097+#define raw_preempt_count_inc() raw_preempt_count_add(1)
101098 #define preempt_count_dec() preempt_count_sub(1)
101099+#define raw_preempt_count_dec() raw_preempt_count_sub(1)
101100
101101 #define preempt_active_enter() \
101102 do { \
101103@@ -166,6 +171,12 @@ do { \
101104 barrier(); \
101105 } while (0)
101106
101107+#define raw_preempt_disable() \
101108+do { \
101109+ raw_preempt_count_inc(); \
101110+ barrier(); \
101111+} while (0)
101112+
101113 #define sched_preempt_enable_no_resched() \
101114 do { \
101115 barrier(); \
101116@@ -174,6 +185,12 @@ do { \
101117
101118 #define preempt_enable_no_resched() sched_preempt_enable_no_resched()
101119
101120+#define raw_preempt_enable_no_resched() \
101121+do { \
101122+ barrier(); \
101123+ raw_preempt_count_dec(); \
101124+} while (0)
101125+
101126 #define preemptible() (preempt_count() == 0 && !irqs_disabled())
101127
101128 #ifdef CONFIG_PREEMPT
101129@@ -234,8 +251,10 @@ do { \
101130 * region.
101131 */
101132 #define preempt_disable() barrier()
101133+#define raw_preempt_disable() barrier()
101134 #define sched_preempt_enable_no_resched() barrier()
101135 #define preempt_enable_no_resched() barrier()
101136+#define raw_preempt_enable_no_resched() barrier()
101137 #define preempt_enable() barrier()
101138 #define preempt_check_resched() do { } while (0)
101139
101140@@ -250,11 +269,13 @@ do { \
101141 /*
101142 * Modules have no business playing preemption tricks.
101143 */
101144+#ifndef CONFIG_PAX_KERNEXEC
101145 #undef sched_preempt_enable_no_resched
101146 #undef preempt_enable_no_resched
101147 #undef preempt_enable_no_resched_notrace
101148 #undef preempt_check_resched
101149 #endif
101150+#endif
101151
101152 #define preempt_set_need_resched() \
101153 do { \
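Review bot: Wrapping the `#undef` block in `#ifndef CONFIG_PAX_KERNEXEC` leaves the comment "Modules have no business playing preemption tricks" unqualified, although with KERNEXEC enabled modules now keep `preempt_enable_no_resched` and the other three macros. The comment should name the exception and why modules need it there. The two consecutive `#endif` lines should also be labelled, `#endif /* !CONFIG_PAX_KERNEXEC */` and a matching label on the outer one. The `raw_preempt_*` macros added earlier in this file are not in the `#undef` list, so they are available to modules in every configuration; if that is intended it is worth saying in the same comment. The outer conditional opens outside the hunk.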
101154diff --git a/include/linux/printk.h b/include/linux/printk.h
101155index a6298b2..57fe982 100644
101156--- a/include/linux/printk.h
101157+++ b/include/linux/printk.h
101158@@ -123,6 +123,7 @@ void early_printk(const char *s, ...) { }
101159 #endif
101160
101161 typedef __printf(1, 0) int (*printk_func_t)(const char *fmt, va_list args);
101162+extern int kptr_restrict;
101163
101164 #ifdef CONFIG_PRINTK
101165 asmlinkage __printf(5, 0)
101166@@ -158,7 +159,6 @@ extern bool printk_timed_ratelimit(unsigned long *caller_jiffies,
101167
101168 extern int printk_delay_msec;
101169 extern int dmesg_restrict;
101170-extern int kptr_restrict;
101171
101172 extern void wake_up_klogd(void);
101173
101174diff --git a/include/linux/proc_fs.h b/include/linux/proc_fs.h
101175index b97bf2e..f14c92d4 100644
101176--- a/include/linux/proc_fs.h
101177+++ b/include/linux/proc_fs.h
101178@@ -17,8 +17,11 @@ extern void proc_flush_task(struct task_struct *);
101179 extern struct proc_dir_entry *proc_symlink(const char *,
101180 struct proc_dir_entry *, const char *);
101181 extern struct proc_dir_entry *proc_mkdir(const char *, struct proc_dir_entry *);
101182+extern struct proc_dir_entry *proc_mkdir_restrict(const char *, struct proc_dir_entry *);
101183 extern struct proc_dir_entry *proc_mkdir_data(const char *, umode_t,
101184 struct proc_dir_entry *, void *);
101185+extern struct proc_dir_entry *proc_mkdir_data_restrict(const char *, umode_t,
101186+ struct proc_dir_entry *, void *);
101187 extern struct proc_dir_entry *proc_mkdir_mode(const char *, umode_t,
101188 struct proc_dir_entry *);
101189
101190@@ -34,6 +37,19 @@ static inline struct proc_dir_entry *proc_create(
101191 return proc_create_data(name, mode, parent, proc_fops, NULL);
101192 }
101193
101194+static inline struct proc_dir_entry *proc_create_grsec(const char *name, umode_t mode,
101195+ struct proc_dir_entry *parent, const struct file_operations *proc_fops)
101196+{
101197+#ifdef CONFIG_GRKERNSEC_PROC_USER
101198+ return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
101199+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
101200+ return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
101201+#else
101202+ return proc_create_data(name, mode, parent, proc_fops, NULL);
101203+#endif
101204+}
101205+
101206+
101207 extern void proc_set_size(struct proc_dir_entry *, loff_t);
101208 extern void proc_set_user(struct proc_dir_entry *, kuid_t, kgid_t);
101209 extern void *PDE_DATA(const struct inode *);
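Review bot: `proc_create_grsec()` discards its `mode` argument whenever `CONFIG_GRKERNSEC_PROC_USER` or `CONFIG_GRKERNSEC_PROC_USERGROUP` is set, replacing it with `S_IRUSR` or `S_IRUSR | S_IRGRP`, so a caller passing a write bit, or a mode already tighter than that, gets something different from what it asked for with no indication. That is probably the intended hardening, but it is a permission decision and should be stated at the definition: `/* Like proc_create(), but with GRKERNSEC_PROC_USER/USERGROUP the entry is forced to 0400/0440 and @mode is ignored; read-only entries only. */`. There is also a stray second blank line after the closing brace.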
101210@@ -56,8 +72,12 @@ static inline struct proc_dir_entry *proc_symlink(const char *name,
101211 struct proc_dir_entry *parent,const char *dest) { return NULL;}
101212 static inline struct proc_dir_entry *proc_mkdir(const char *name,
101213 struct proc_dir_entry *parent) {return NULL;}
101214+static inline struct proc_dir_entry *proc_mkdir_restrict(const char *name,
101215+ struct proc_dir_entry *parent) { return NULL; }
101216 static inline struct proc_dir_entry *proc_mkdir_data(const char *name,
101217 umode_t mode, struct proc_dir_entry *parent, void *data) { return NULL; }
101218+static inline struct proc_dir_entry *proc_mkdir_data_restrict(const char *name,
101219+ umode_t mode, struct proc_dir_entry *parent, void *data) { return NULL; }
101220 static inline struct proc_dir_entry *proc_mkdir_mode(const char *name,
101221 umode_t mode, struct proc_dir_entry *parent) { return NULL; }
101222 #define proc_create(name, mode, parent, proc_fops) ({NULL;})
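Review bot: This hunk adds stubs for `proc_mkdir_restrict` and `proc_mkdir_data_restrict` in what appears to be the `!CONFIG_PROC_FS` branch, but no stub for `proc_create_grsec`, which the previous hunk defines next to the real `proc_create()`. If none exists elsewhere in the branch, any caller of `proc_create_grsec()` fails to build with procfs disabled. A line following the existing pattern would cover it: `#define proc_create_grsec(name, mode, parent, proc_fops) ({NULL;})`. The rest of the stub branch lies outside the hunk, so this should be checked against the full file.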
101223@@ -79,7 +99,7 @@ struct net;
101224 static inline struct proc_dir_entry *proc_net_mkdir(
101225 struct net *net, const char *name, struct proc_dir_entry *parent)
101226 {
101227- return proc_mkdir_data(name, 0, parent, net);
101228+ return proc_mkdir_data_restrict(name, 0, parent, net);
101229 }
101230
101231 #endif /* _LINUX_PROC_FS_H */
101232diff --git a/include/linux/proc_ns.h b/include/linux/proc_ns.h
101233index 42dfc61..8113a99 100644
101234--- a/include/linux/proc_ns.h
101235+++ b/include/linux/proc_ns.h
101236@@ -16,7 +16,7 @@ struct proc_ns_operations {
101237 struct ns_common *(*get)(struct task_struct *task);
101238 void (*put)(struct ns_common *ns);
101239 int (*install)(struct nsproxy *nsproxy, struct ns_common *ns);
101240-};
101241+} __do_const __randomize_layout;
101242
101243 extern const struct proc_ns_operations netns_operations;
101244 extern const struct proc_ns_operations utsns_operations;
101245diff --git a/include/linux/quota.h b/include/linux/quota.h
101246index b2505ac..5f7ab55 100644
101247--- a/include/linux/quota.h
101248+++ b/include/linux/quota.h
101249@@ -76,7 +76,7 @@ struct kqid { /* Type in which we store the quota identifier */
101250
101251 extern bool qid_eq(struct kqid left, struct kqid right);
101252 extern bool qid_lt(struct kqid left, struct kqid right);
101253-extern qid_t from_kqid(struct user_namespace *to, struct kqid qid);
101254+extern qid_t from_kqid(struct user_namespace *to, struct kqid qid) __intentional_overflow(-1);
101255 extern qid_t from_kqid_munged(struct user_namespace *to, struct kqid qid);
101256 extern bool qid_valid(struct kqid qid);
101257
101258diff --git a/include/linux/random.h b/include/linux/random.h
101259index e651874..a872186 100644
101260--- a/include/linux/random.h
101261+++ b/include/linux/random.h
101262@@ -16,9 +16,19 @@ struct random_ready_callback {
101263 };
101264
101265 extern void add_device_randomness(const void *, unsigned int);
101266+
101267+static inline void add_latent_entropy(void)
101268+{
101269+
101270+#ifdef LATENT_ENTROPY_PLUGIN
101271+ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
101272+#endif
101273+
101274+}
101275+
101276 extern void add_input_randomness(unsigned int type, unsigned int code,
101277- unsigned int value);
101278-extern void add_interrupt_randomness(int irq, int irq_flags);
101279+ unsigned int value) __latent_entropy;
101280+extern void add_interrupt_randomness(int irq, int irq_flags) __latent_entropy;
101281
101282 extern void get_random_bytes(void *buf, int nbytes);
101283 extern int add_random_ready_callback(struct random_ready_callback *rdy);
101284@@ -46,6 +56,11 @@ struct rnd_state {
101285 u32 prandom_u32_state(struct rnd_state *state);
101286 void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
101287
101288+static inline unsigned long __intentional_overflow(-1) pax_get_random_long(void)
101289+{
101290+ return prandom_u32() + (sizeof(long) > 4 ? (unsigned long)prandom_u32() << 32 : 0);
101291+}
101292+
101293 /**
101294 * prandom_u32_max - returns a pseudo-random number in interval [0, ep_ro)
101295 * @ep_ro: right open interval endpoint
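Review bot: `pax_get_random_long()` is built from `prandom_u32()`, the kernel's fast pseudo-random generator, which is not designed to be unpredictable, yet the function carries no comment saying so. If callers use the result for address-space or other security-relevant randomisation (the name suggests it, but the callers are outside this hunk), that predictability matters and `get_random_bytes()` would be the stronger source. At minimum add a comment such as `/* Returns a long filled from prandom_u32(); not cryptographically secure. */`.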
101296@@ -58,7 +73,7 @@ void prandom_bytes_state(struct rnd_state *state, void *buf, size_t nbytes);
101297 *
101298 * Returns: pseudo-random number in interval [0, ep_ro)
101299 */
101300-static inline u32 prandom_u32_max(u32 ep_ro)
101301+static inline u32 __intentional_overflow(-1) prandom_u32_max(u32 ep_ro)
101302 {
101303 return (u32)(((u64) prandom_u32() * ep_ro) >> 32);
101304 }
101305diff --git a/include/linux/rbtree_augmented.h b/include/linux/rbtree_augmented.h
101306index 14d7b83..a1edf56 100644
101307--- a/include/linux/rbtree_augmented.h
101308+++ b/include/linux/rbtree_augmented.h
101309@@ -90,7 +90,9 @@ rbname ## _rotate(struct rb_node *rb_old, struct rb_node *rb_new) \
101310 old->rbaugmented = rbcompute(old); \
101311 } \
101312 rbstatic const struct rb_augment_callbacks rbname = { \
101313- rbname ## _propagate, rbname ## _copy, rbname ## _rotate \
101314+ .propagate = rbname ## _propagate, \
101315+ .copy = rbname ## _copy, \
101316+ .rotate = rbname ## _rotate \
101317 };
101318
101319
101320diff --git a/include/linux/rculist.h b/include/linux/rculist.h
101321index 17c6b1f..a65e3f8 100644
101322--- a/include/linux/rculist.h
101323+++ b/include/linux/rculist.h
101324@@ -59,6 +59,9 @@ void __list_add_rcu(struct list_head *new,
101325 struct list_head *prev, struct list_head *next);
101326 #endif
101327
101328+void __pax_list_add_rcu(struct list_head *new,
101329+ struct list_head *prev, struct list_head *next);
101330+
101331 /**
101332 * list_add_rcu - add a new entry to rcu-protected list
101333 * @new: new entry to be added
101334@@ -80,6 +83,11 @@ static inline void list_add_rcu(struct list_head *new, struct list_head *head)
101335 __list_add_rcu(new, head, head->next);
101336 }
101337
101338+static inline void pax_list_add_rcu(struct list_head *new, struct list_head *head)
101339+{
101340+ __pax_list_add_rcu(new, head, head->next);
101341+}
101342+
101343 /**
101344 * list_add_tail_rcu - add a new entry to rcu-protected list
101345 * @new: new entry to be added
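Review bot: `pax_list_add_rcu()` is added without the kernel-doc block that the neighbouring helpers in this header have, so nothing tells a caller how it differs from `list_add_rcu()` or when it is required. The same gap applies to `pax_list_add_tail_rcu()` and `pax_list_del_rcu()` in the next two hunks and to the `__pax_list_add_rcu()` prototype in the previous one. A short block mirroring the existing ones, stating the locking requirements and what the `pax_` variant does differently, would close it. That difference is not visible in this header and has to come from the implementation.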
101346@@ -102,6 +110,12 @@ static inline void list_add_tail_rcu(struct list_head *new,
101347 __list_add_rcu(new, head->prev, head);
101348 }
101349
101350+static inline void pax_list_add_tail_rcu(struct list_head *new,
101351+ struct list_head *head)
101352+{
101353+ __pax_list_add_rcu(new, head->prev, head);
101354+}
101355+
101356 /**
101357 * list_del_rcu - deletes entry from list without re-initialization
101358 * @entry: the element to delete from the list.
101359@@ -132,6 +146,8 @@ static inline void list_del_rcu(struct list_head *entry)
101360 entry->prev = LIST_POISON2;
101361 }
101362
101363+extern void pax_list_del_rcu(struct list_head *entry);
101364+
101365 /**
101366 * hlist_del_init_rcu - deletes entry from hash list with re-initialization
101367 * @n: the element to delete from the hash list.
101368diff --git a/include/linux/reboot.h b/include/linux/reboot.h
101369index a7ff409..03e2fa8 100644
101370--- a/include/linux/reboot.h
101371+++ b/include/linux/reboot.h
101372@@ -47,9 +47,9 @@ extern void do_kernel_restart(char *cmd);
101373 */
101374
101375 extern void migrate_to_reboot_cpu(void);
101376-extern void machine_restart(char *cmd);
101377-extern void machine_halt(void);
101378-extern void machine_power_off(void);
101379+extern void machine_restart(char *cmd) __noreturn;
101380+extern void machine_halt(void) __noreturn;
101381+extern void machine_power_off(void) __noreturn;
101382
101383 extern void machine_shutdown(void);
101384 struct pt_regs;
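Review bot: Declaring `machine_restart()`, `machine_halt()` and `machine_power_off()` as `__noreturn` lets the compiler discard everything after a call to them, so an architecture implementation that can actually return would make the behaviour undefined. The implementations are not part of this hunk; each one needs to end in a non-returning loop or halt before the attribute is safe. The same applies to `kernel_restart()`, `kernel_halt()`, `kernel_power_off()` and `emergency_restart()` in the following two hunks. A short comment above the declarations, e.g. `/* must not return: callers have no code after these calls */`, would make the contract explicit for architecture maintainers.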
101385@@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struct pt_regs *);
101386 */
101387
101388 extern void kernel_restart_prepare(char *cmd);
101389-extern void kernel_restart(char *cmd);
101390-extern void kernel_halt(void);
101391-extern void kernel_power_off(void);
101392+extern void kernel_restart(char *cmd) __noreturn;
101393+extern void kernel_halt(void) __noreturn;
101394+extern void kernel_power_off(void) __noreturn;
101395
101396 extern int C_A_D; /* for sysctl */
101397 void ctrl_alt_del(void);
101398@@ -77,7 +77,7 @@ extern void orderly_reboot(void);
101399 * Emergency restart, callable from an interrupt handler.
101400 */
101401
101402-extern void emergency_restart(void);
101403+extern void emergency_restart(void) __noreturn;
101404 #include <asm/emergency-restart.h>
101405
101406 #endif /* _LINUX_REBOOT_H */
101407diff --git a/include/linux/regset.h b/include/linux/regset.h
101408index 8e0c9fe..ac4d221 100644
101409--- a/include/linux/regset.h
101410+++ b/include/linux/regset.h
101411@@ -161,7 +161,8 @@ struct user_regset {
101412 unsigned int align;
101413 unsigned int bias;
101414 unsigned int core_note_type;
101415-};
101416+} __do_const;
101417+typedef struct user_regset __no_const user_regset_no_const;
101418
101419 /**
101420 * struct user_regset_view - available regsets
101421diff --git a/include/linux/relay.h b/include/linux/relay.h
101422index d7c8359..818daf5 100644
101423--- a/include/linux/relay.h
101424+++ b/include/linux/relay.h
101425@@ -157,7 +157,7 @@ struct rchan_callbacks
101426 * The callback should return 0 if successful, negative if not.
101427 */
101428 int (*remove_buf_file)(struct dentry *dentry);
101429-};
101430+} __no_const;
101431
101432 /*
101433 * CONFIG_RELAY kernel API, kernel/relay.c
101434diff --git a/include/linux/rio.h b/include/linux/rio.h
101435index cde976e..ebd6033 100644
101436--- a/include/linux/rio.h
101437+++ b/include/linux/rio.h
101438@@ -358,7 +358,7 @@ struct rio_ops {
101439 int (*map_inb)(struct rio_mport *mport, dma_addr_t lstart,
101440 u64 rstart, u32 size, u32 flags);
101441 void (*unmap_inb)(struct rio_mport *mport, dma_addr_t lstart);
101442-};
101443+} __no_const;
101444
101445 #define RIO_RESOURCE_MEM 0x00000100
101446 #define RIO_RESOURCE_DOORBELL 0x00000200
101447diff --git a/include/linux/rmap.h b/include/linux/rmap.h
101448index c89c53a..aa0a65a 100644
101449--- a/include/linux/rmap.h
101450+++ b/include/linux/rmap.h
101451@@ -146,8 +146,8 @@ static inline void anon_vma_unlock_read(struct anon_vma *anon_vma)
101452 void anon_vma_init(void); /* create anon_vma_cachep */
101453 int anon_vma_prepare(struct vm_area_struct *);
101454 void unlink_anon_vmas(struct vm_area_struct *);
101455-int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
101456-int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
101457+int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
101458+int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
101459
101460 static inline void anon_vma_merge(struct vm_area_struct *vma,
101461 struct vm_area_struct *next)
101462diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h
101463index 9b1ef0c..9fa3feb 100644
101464--- a/include/linux/scatterlist.h
101465+++ b/include/linux/scatterlist.h
101466@@ -1,6 +1,7 @@
101467 #ifndef _LINUX_SCATTERLIST_H
101468 #define _LINUX_SCATTERLIST_H
101469
101470+#include <linux/sched.h>
101471 #include <linux/string.h>
101472 #include <linux/types.h>
101473 #include <linux/bug.h>
101474@@ -136,10 +137,17 @@ static inline struct page *sg_page(struct scatterlist *sg)
101475 static inline void sg_set_buf(struct scatterlist *sg, const void *buf,
101476 unsigned int buflen)
101477 {
101478+ const void *realbuf = buf;
101479+
101480+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
101481+ if (object_starts_on_stack(buf))
101482+ realbuf = buf - current->stack + current->lowmem_stack;
101483+#endif
101484+
101485 #ifdef CONFIG_DEBUG_SG
101486- BUG_ON(!virt_addr_valid(buf));
101487+ BUG_ON(!virt_addr_valid(realbuf));
101488 #endif
101489- sg_set_page(sg, virt_to_page(buf), buflen, offset_in_page(buf));
101490+ sg_set_page(sg, virt_to_page(realbuf), buflen, offset_in_page(realbuf));
101491 }
101492
101493 /*
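Review bot: The new translation in `sg_set_buf()` checks only where the buffer starts: `object_starts_on_stack(buf)` says nothing about `buf + buflen`, so a length that runs past the end of the stack is remapped and handed to `sg_set_page()` without complaint. A bound check next to the existing debug assertion would catch that, e.g. `BUG_ON(buflen && object_starts_on_stack(buf) && !object_starts_on_stack(buf + buflen - 1));` under `CONFIG_DEBUG_SG`. The expression `buf - current->stack + current->lowmem_stack` is arithmetic on `void *`, which relies on the GNU extension. It also has no comment explaining why the stack address is swapped for its `lowmem_stack` alias; presumably `virt_to_page()` cannot be applied to the address in `current->stack` under this option, which should be confirmed and written down.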
101494diff --git a/include/linux/sched.h b/include/linux/sched.h
101495index bfca8aa..ac50d1b 100644
101496--- a/include/linux/sched.h
101497+++ b/include/linux/sched.h
101498@@ -7,7 +7,7 @@
101499
101500
101501 struct sched_param {
101502- int sched_priority;
101503+ unsigned int sched_priority;
101504 };
101505
101506 #include <asm/param.h> /* for HZ */
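Review bot: Making `sched_priority` unsigned in `struct sched_param` means any existing `sched_priority < 0` test on this field becomes always false, so a negative value copied from user space is now seen as a very large priority instead. Range validation then depends entirely on the upper-bound comparison in the callers, which are outside this hunk and should be confirmed to reject out-of-range values. A comment on the field would record that, for example `/* unsigned: negative user values wrap high and must fail the upper-bound check */`.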
101507@@ -134,6 +134,7 @@ struct perf_event_context;
101508 struct blk_plug;
101509 struct filename;
101510 struct nameidata;
101511+struct linux_binprm;
101512
101513 #define VMACACHE_BITS 2
101514 #define VMACACHE_SIZE (1U << VMACACHE_BITS)
101515@@ -436,6 +437,19 @@ struct nsproxy;
101516 struct user_namespace;
101517
101518 #ifdef CONFIG_MMU
101519+
101520+#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK
101521+extern unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags);
101522+#else
101523+static inline unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags)
101524+{
101525+ return 0;
101526+}
101527+#endif
101528+
101529+extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset);
101530+extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset);
101531+
101532 extern void arch_pick_mmap_layout(struct mm_struct *mm);
101533 extern unsigned long
101534 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
101535@@ -749,6 +763,17 @@ struct signal_struct {
101536 #ifdef CONFIG_TASKSTATS
101537 struct taskstats *stats;
101538 #endif
101539+
101540+#ifdef CONFIG_GRKERNSEC
101541+ u32 curr_ip;
101542+ u32 saved_ip;
101543+ u32 gr_saddr;
101544+ u32 gr_daddr;
101545+ u16 gr_sport;
101546+ u16 gr_dport;
101547+ u8 used_accept:1;
101548+#endif
101549+
101550 #ifdef CONFIG_AUDIT
101551 unsigned audit_tty;
101552 unsigned audit_tty_log_passwd;
101553@@ -775,7 +800,7 @@ struct signal_struct {
101554 struct mutex cred_guard_mutex; /* guard against foreign influences on
101555 * credential calculations
101556 * (notably. ptrace) */
101557-};
101558+} __randomize_layout;
101559
101560 /*
101561 * Bits in flags field of signal_struct.
101562@@ -828,6 +853,14 @@ struct user_struct {
101563 struct key *session_keyring; /* UID's default session keyring */
101564 #endif
101565
101566+#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
101567+ unsigned char kernel_banned;
101568+#endif
101569+#ifdef CONFIG_GRKERNSEC_BRUTE
101570+ unsigned char suid_banned;
101571+ unsigned long suid_ban_expires;
101572+#endif
101573+
101574 /* Hash table maintenance information */
101575 struct hlist_node uidhash_node;
101576 kuid_t uid;
101577@@ -835,7 +868,7 @@ struct user_struct {
101578 #ifdef CONFIG_PERF_EVENTS
101579 atomic_long_t locked_vm;
101580 #endif
101581-};
101582+} __randomize_layout;
101583
101584 extern int uids_sysfs_init(void);
101585
101586@@ -1356,6 +1389,9 @@ enum perf_event_task_context {
101587 struct task_struct {
101588 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
101589 void *stack;
101590+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
101591+ void *lowmem_stack;
101592+#endif
101593 atomic_t usage;
101594 unsigned int flags; /* per process flags, defined below */
101595 unsigned int ptrace;
101596@@ -1488,8 +1524,8 @@ struct task_struct {
101597 struct list_head thread_node;
101598
101599 struct completion *vfork_done; /* for vfork() */
101600- int __user *set_child_tid; /* CLONE_CHILD_SETTID */
101601- int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
101602+ pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
101603+ pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
101604
101605 cputime_t utime, stime, utimescaled, stimescaled;
101606 cputime_t gtime;
101607@@ -1514,11 +1550,6 @@ struct task_struct {
101608 struct task_cputime cputime_expires;
101609 struct list_head cpu_timers[3];
101610
101611-/* process credentials */
101612- const struct cred __rcu *real_cred; /* objective and real subjective task
101613- * credentials (COW) */
101614- const struct cred __rcu *cred; /* effective (overridable) subjective task
101615- * credentials (COW) */
101616 char comm[TASK_COMM_LEN]; /* executable name excluding path
101617 - access with [gs]et_task_comm (which lock
101618 it with task_lock())
101619@@ -1534,6 +1565,8 @@ struct task_struct {
101620 /* hung task detection */
101621 unsigned long last_switch_count;
101622 #endif
101623+/* CPU-specific state of this task */
101624+ struct thread_struct thread;
101625 /* filesystem information */
101626 struct fs_struct *fs;
101627 /* open file information */
101628@@ -1610,6 +1643,10 @@ struct task_struct {
101629 gfp_t lockdep_reclaim_gfp;
101630 #endif
101631
101632+/* process credentials */
101633+ const struct cred __rcu *real_cred; /* objective and real subjective task
101634+ * credentials (COW) */
101635+
101636 /* journalling filesystem info */
101637 void *journal_info;
101638
101639@@ -1648,6 +1685,10 @@ struct task_struct {
101640 /* cg_list protected by css_set_lock and tsk->alloc_lock */
101641 struct list_head cg_list;
101642 #endif
101643+
101644+ const struct cred __rcu *cred; /* effective (overridable) subjective task
101645+ * credentials (COW) */
101646+
101647 #ifdef CONFIG_FUTEX
101648 struct robust_list_head __user *robust_list;
101649 #ifdef CONFIG_COMPAT
101650@@ -1759,7 +1800,7 @@ struct task_struct {
101651 * Number of functions that haven't been traced
101652 * because of depth overrun.
101653 */
101654- atomic_t trace_overrun;
101655+ atomic_unchecked_t trace_overrun;
101656 /* Pause for the tracing */
101657 atomic_t tracing_graph_pause;
101658 #endif
101659@@ -1788,22 +1829,89 @@ struct task_struct {
101660 unsigned long task_state_change;
101661 #endif
101662 int pagefault_disabled;
101663-/* CPU-specific state of this task */
101664- struct thread_struct thread;
101665-/*
101666- * WARNING: on x86, 'thread_struct' contains a variable-sized
101667- * structure. It *MUST* be at the end of 'task_struct'.
101668- *
101669- * Do not put anything below here!
101670- */
101671-};
101672+
101673+#ifdef CONFIG_GRKERNSEC
101674+ /* grsecurity */
101675+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
101676+ u64 exec_id;
101677+#endif
101678+#ifdef CONFIG_GRKERNSEC_SETXID
101679+ const struct cred *delayed_cred;
101680+#endif
101681+ struct dentry *gr_chroot_dentry;
101682+ struct acl_subject_label *acl;
101683+ struct acl_subject_label *tmpacl;
101684+ struct acl_role_label *role;
101685+ struct file *exec_file;
101686+ unsigned long brute_expires;
101687+ u16 acl_role_id;
101688+ u8 inherited;
101689+ /* is this the task that authenticated to the special role */
101690+ u8 acl_sp_role;
101691+ u8 is_writable;
101692+ u8 brute;
101693+ u8 gr_is_chrooted;
101694+#endif
101695+
101696+/* thread_info moved to task_struct */
101697+#ifdef CONFIG_X86
101698+ struct thread_info tinfo;
101699+#endif
101700+} __randomize_layout;
101701
101702 #ifdef CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT
101703-extern int arch_task_struct_size __read_mostly;
101704+extern size_t arch_task_struct_size __read_mostly;
101705 #else
101706 # define arch_task_struct_size (sizeof(struct task_struct))
101707 #endif
101708
101709+#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
101710+#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
101711+#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
101712+#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
101713+/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
101714+#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
101715+
101716+#ifdef CONFIG_PAX_SOFTMODE
101717+extern int pax_softmode;
101718+#endif
101719+
101720+extern int pax_check_flags(unsigned long *);
101721+#define PAX_PARSE_FLAGS_FALLBACK (~0UL)
101722+
101723+/* if tsk != current then task_lock must be held on it */
101724+#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
101725+static inline unsigned long pax_get_flags(struct task_struct *tsk)
101726+{
101727+ if (likely(tsk->mm))
101728+ return tsk->mm->pax_flags;
101729+ else
101730+ return 0UL;
101731+}
101732+
101733+/* if tsk != current then task_lock must be held on it */
101734+static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
101735+{
101736+ if (likely(tsk->mm)) {
101737+ tsk->mm->pax_flags = flags;
101738+ return 0;
101739+ }
101740+ return -EINVAL;
101741+}
101742+#endif
101743+
101744+#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
101745+extern void pax_set_initial_flags(struct linux_binprm *bprm);
101746+#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
101747+extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
101748+#endif
101749+
101750+struct path;
101751+extern char *pax_get_path(const struct path *path, char *buf, int buflen);
101752+extern void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
101753+extern void pax_report_insns(struct pt_regs *regs, void *pc, void *sp);
101754+extern void pax_report_refcount_overflow(struct pt_regs *regs);
101755+
101756 /* Future-safe accessor for struct task_struct's cpus_allowed. */
101757 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
101758
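Review bot: This hunk deletes the warning that `thread_struct` holds a variable-sized structure on x86 and must stay last in `task_struct`, while an earlier hunk in this file re-adds `struct thread_struct thread` in the middle of the struct, and nothing says why the constraint no longer applies. With `struct thread_info tinfo` now last and `__randomize_layout` on the struct, a reader cannot tell from this file how the variable-sized tail and `arch_task_struct_size` are kept consistent; presumably that is handled in the x86 part of the patch. A replacement comment should record it, for example `/* thread no longer has to be last; see <x86 change> for how its variable-sized state is allocated */`. `struct task_struct` begins well above this hunk.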
101759@@ -1885,7 +1993,7 @@ struct pid_namespace;
101760 pid_t __task_pid_nr_ns(struct task_struct *task, enum pid_type type,
101761 struct pid_namespace *ns);
101762
101763-static inline pid_t task_pid_nr(struct task_struct *tsk)
101764+static inline pid_t task_pid_nr(const struct task_struct *tsk)
101765 {
101766 return tsk->pid;
101767 }
101768@@ -2253,6 +2361,25 @@ extern u64 sched_clock_cpu(int cpu);
101769
101770 extern void sched_clock_init(void);
101771
101772+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
101773+static inline void populate_stack(void)
101774+{
101775+ struct task_struct *curtask = current;
101776+ int c;
101777+ int *ptr = curtask->stack;
101778+ int *end = curtask->stack + THREAD_SIZE;
101779+
101780+ while (ptr < end) {
101781+ c = *(volatile int *)ptr;
101782+ ptr += PAGE_SIZE/sizeof(int);
101783+ }
101784+}
101785+#else
101786+static inline void populate_stack(void)
101787+{
101788+}
101789+#endif
101790+
101791 #ifndef CONFIG_HAVE_UNSTABLE_SCHED_CLOCK
101792 static inline void sched_clock_tick(void)
101793 {
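Review bot: In `populate_stack()` the local `c` is assigned on every iteration and never read, which can trigger set-but-unused warnings; the volatile read alone is enough, `(void)*(volatile int *)ptr;`. `curtask->stack + THREAD_SIZE` is arithmetic on `void *` and depends on the GNU extension. The function also has no comment: it reads one `int` per page across the current task's stack, and a line such as `/* touch every page of the current kernel stack */` would say so. The reason for doing it (presumably to fault the pages in ahead of use) should be added by someone who can confirm it.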
101794@@ -2381,7 +2508,9 @@ extern void set_curr_task(int cpu, struct task_struct *p);
101795 void yield(void);
101796
101797 union thread_union {
101798+#ifndef CONFIG_X86
101799 struct thread_info thread_info;
101800+#endif
101801 unsigned long stack[THREAD_SIZE/sizeof(long)];
101802 };
101803
101804@@ -2414,6 +2543,7 @@ extern struct pid_namespace init_pid_ns;
101805 */
101806
101807 extern struct task_struct *find_task_by_vpid(pid_t nr);
101808+extern struct task_struct *find_task_by_vpid_unrestricted(pid_t nr);
101809 extern struct task_struct *find_task_by_pid_ns(pid_t nr,
101810 struct pid_namespace *ns);
101811
101812@@ -2591,7 +2721,7 @@ extern void __cleanup_sighand(struct sighand_struct *);
101813 extern void exit_itimers(struct signal_struct *);
101814 extern void flush_itimer_signals(void);
101815
101816-extern void do_group_exit(int);
101817+extern __noreturn void do_group_exit(int);
101818
101819 extern int do_execve(struct filename *,
101820 const char __user * const __user *,
101821@@ -2796,9 +2926,9 @@ static inline unsigned long *end_of_stack(struct task_struct *p)
101822 #define task_stack_end_corrupted(task) \
101823 (*(end_of_stack(task)) != STACK_END_MAGIC)
101824
101825-static inline int object_is_on_stack(void *obj)
101826+static inline int object_starts_on_stack(const void *obj)
101827 {
101828- void *stack = task_stack_page(current);
101829+ const void *stack = task_stack_page(current);
101830
101831 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
101832 }
101833diff --git a/include/linux/sched/sysctl.h b/include/linux/sched/sysctl.h
101834index c9e4731..c716293 100644
101835--- a/include/linux/sched/sysctl.h
101836+++ b/include/linux/sched/sysctl.h
101837@@ -34,6 +34,7 @@ enum { sysctl_hung_task_timeout_secs = 0 };
101838 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
101839
101840 extern int sysctl_max_map_count;
101841+extern unsigned long sysctl_heap_stack_gap;
101842
101843 extern unsigned int sysctl_sched_latency;
101844 extern unsigned int sysctl_sched_min_granularity;
101845diff --git a/include/linux/security.h b/include/linux/security.h
101846index 2f4c1f7..5bc05d7 100644
101847--- a/include/linux/security.h
101848+++ b/include/linux/security.h
101849@@ -28,6 +28,7 @@
101850 #include <linux/err.h>
101851 #include <linux/string.h>
101852 #include <linux/mm.h>
101853+#include <linux/grsecurity.h>
101854
101855 struct linux_binprm;
101856 struct cred;
101857diff --git a/include/linux/semaphore.h b/include/linux/semaphore.h
101858index dc368b8..e895209 100644
101859--- a/include/linux/semaphore.h
101860+++ b/include/linux/semaphore.h
101861@@ -37,7 +37,7 @@ static inline void sema_init(struct semaphore *sem, int val)
101862 }
101863
101864 extern void down(struct semaphore *sem);
101865-extern int __must_check down_interruptible(struct semaphore *sem);
101866+extern int __must_check down_interruptible(struct semaphore *sem) __intentional_overflow(-1);
101867 extern int __must_check down_killable(struct semaphore *sem);
101868 extern int __must_check down_trylock(struct semaphore *sem);
101869 extern int __must_check down_timeout(struct semaphore *sem, long jiffies);
101870diff --git a/include/linux/seq_file.h b/include/linux/seq_file.h
101871index d4c7271..abf5706 100644
101872--- a/include/linux/seq_file.h
101873+++ b/include/linux/seq_file.h
101874@@ -27,6 +27,9 @@ struct seq_file {
101875 struct mutex lock;
101876 const struct seq_operations *op;
101877 int poll_event;
101878+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
101879+ u64 exec_id;
101880+#endif
101881 #ifdef CONFIG_USER_NS
101882 struct user_namespace *user_ns;
101883 #endif
101884@@ -39,6 +42,7 @@ struct seq_operations {
101885 void * (*next) (struct seq_file *m, void *v, loff_t *pos);
101886 int (*show) (struct seq_file *m, void *v);
101887 };
101888+typedef struct seq_operations __no_const seq_operations_no_const;
101889
101890 #define SEQ_SKIP 1
101891
101892@@ -111,6 +115,7 @@ void seq_pad(struct seq_file *m, char c);
101893
101894 char *mangle_path(char *s, const char *p, const char *esc);
101895 int seq_open(struct file *, const struct seq_operations *);
101896+int seq_open_restrict(struct file *, const struct seq_operations *);
101897 ssize_t seq_read(struct file *, char __user *, size_t, loff_t *);
101898 loff_t seq_lseek(struct file *, loff_t, int);
101899 int seq_release(struct inode *, struct file *);
101900@@ -129,6 +134,7 @@ int seq_path_root(struct seq_file *m, const struct path *path,
101901 const struct path *root, const char *esc);
101902
101903 int single_open(struct file *, int (*)(struct seq_file *, void *), void *);
101904+int single_open_restrict(struct file *, int (*)(struct seq_file *, void *), void *);
101905 int single_open_size(struct file *, int (*)(struct seq_file *, void *), void *, size_t);
101906 int single_release(struct inode *, struct file *);
101907 void *__seq_open_private(struct file *, const struct seq_operations *, int);
101908diff --git a/include/linux/shm.h b/include/linux/shm.h
101909index 6fb8016..2cf60e7 100644
101910--- a/include/linux/shm.h
101911+++ b/include/linux/shm.h
101912@@ -22,7 +22,11 @@ struct shmid_kernel /* private to the kernel */
101913 /* The task created the shm object. NULL if the task is dead. */
101914 struct task_struct *shm_creator;
101915 struct list_head shm_clist; /* list by creator */
101916-};
101917+#ifdef CONFIG_GRKERNSEC
101918+ u64 shm_createtime;
101919+ pid_t shm_lapid;
101920+#endif
101921+} __randomize_layout;
101922
101923 /* shm_mode upper byte flags */
101924 #define SHM_DEST 01000 /* segment will be destroyed on last detach */
101925diff --git a/include/linux/signal.h b/include/linux/signal.h
101926index ab1e039..ad4229e 100644
101927--- a/include/linux/signal.h
101928+++ b/include/linux/signal.h
101929@@ -289,7 +289,7 @@ static inline void allow_signal(int sig)
101930 * know it'll be handled, so that they don't get converted to
101931 * SIGKILL or just silently dropped.
101932 */
101933- kernel_sigaction(sig, (__force __sighandler_t)2);
101934+ kernel_sigaction(sig, (__force_user __sighandler_t)2);
101935 }
101936
101937 static inline void disallow_signal(int sig)
101938diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
101939index 2751588..dc96c12 100644
101940--- a/include/linux/skbuff.h
101941+++ b/include/linux/skbuff.h
101942@@ -784,7 +784,7 @@ struct sk_buff *__alloc_skb(unsigned int size, gfp_t priority, int flags,
101943 int node);
101944 struct sk_buff *__build_skb(void *data, unsigned int frag_size);
101945 struct sk_buff *build_skb(void *data, unsigned int frag_size);
101946-static inline struct sk_buff *alloc_skb(unsigned int size,
101947+static inline struct sk_buff * __intentional_overflow(0) alloc_skb(unsigned int size,
101948 gfp_t priority)
101949 {
101950 return __alloc_skb(size, priority, 0, NUMA_NO_NODE);
101951@@ -1964,7 +1964,7 @@ static inline int skb_checksum_start_offset(const struct sk_buff *skb)
101952 return skb->csum_start - skb_headroom(skb);
101953 }
101954
101955-static inline int skb_transport_offset(const struct sk_buff *skb)
101956+static inline int __intentional_overflow(0) skb_transport_offset(const struct sk_buff *skb)
101957 {
101958 return skb_transport_header(skb) - skb->data;
101959 }
101960@@ -1979,7 +1979,7 @@ static inline u32 skb_inner_network_header_len(const struct sk_buff *skb)
101961 return skb->inner_transport_header - skb->inner_network_header;
101962 }
101963
101964-static inline int skb_network_offset(const struct sk_buff *skb)
101965+static inline int __intentional_overflow(0) skb_network_offset(const struct sk_buff *skb)
101966 {
101967 return skb_network_header(skb) - skb->data;
101968 }
101969@@ -2039,7 +2039,7 @@ static inline int pskb_network_may_pull(struct sk_buff *skb, unsigned int len)
101970 * NET_IP_ALIGN(2) + ethernet_header(14) + IP_header(20/40) + ports(8)
101971 */
101972 #ifndef NET_SKB_PAD
101973-#define NET_SKB_PAD max(32, L1_CACHE_BYTES)
101974+#define NET_SKB_PAD max(_AC(32,UL), L1_CACHE_BYTES)
101975 #endif
101976
101977 int ___pskb_trim(struct sk_buff *skb, unsigned int len);
101978@@ -2685,9 +2685,9 @@ struct sk_buff *skb_recv_datagram(struct sock *sk, unsigned flags, int noblock,
101979 int *err);
101980 unsigned int datagram_poll(struct file *file, struct socket *sock,
101981 struct poll_table_struct *wait);
101982-int skb_copy_datagram_iter(const struct sk_buff *from, int offset,
101983+int __intentional_overflow(0) skb_copy_datagram_iter(const struct sk_buff *from, int offset,
101984 struct iov_iter *to, int size);
101985-static inline int skb_copy_datagram_msg(const struct sk_buff *from, int offset,
101986+static inline int __intentional_overflow(2,4) skb_copy_datagram_msg(const struct sk_buff *from, int offset,
101987 struct msghdr *msg, int size)
101988 {
101989 return skb_copy_datagram_iter(from, offset, &msg->msg_iter, size);
101990@@ -3216,6 +3216,9 @@ static inline void nf_reset(struct sk_buff *skb)
101991 nf_bridge_put(skb->nf_bridge);
101992 skb->nf_bridge = NULL;
101993 #endif
101994+#if IS_ENABLED(CONFIG_NETFILTER_XT_TARGET_TRACE)
101995+ skb->nf_trace = 0;
101996+#endif
101997 }
101998
101999 static inline void nf_reset_trace(struct sk_buff *skb)
102000diff --git a/include/linux/slab.h b/include/linux/slab.h
102001index a99f0e5..4efa730 100644
102002--- a/include/linux/slab.h
102003+++ b/include/linux/slab.h
102004@@ -15,14 +15,29 @@
102005 #include <linux/types.h>
102006 #include <linux/workqueue.h>
102007
102008+#include <linux/err.h>
102009
102010 /*
102011 * Flags to pass to kmem_cache_create().
102012 * The ones marked DEBUG are only valid if CONFIG_DEBUG_SLAB is set.
102013 */
102014 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
102015+
102016+#ifdef CONFIG_PAX_USERCOPY_SLABS
102017+#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
102018+#else
102019+#define SLAB_USERCOPY 0x00000000UL
102020+#endif
102021+
102022 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
102023 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
102024+
102025+#ifdef CONFIG_PAX_MEMORY_SANITIZE
102026+#define SLAB_NO_SANITIZE 0x00001000UL /* PaX: Do not sanitize objs on free */
102027+#else
102028+#define SLAB_NO_SANITIZE 0x00000000UL
102029+#endif
102030+
102031 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
102032 #define SLAB_CACHE_DMA 0x00004000UL /* Use GFP_DMA memory */
102033 #define SLAB_STORE_USER 0x00010000UL /* DEBUG: Store the last owner for bug hunting */
102034@@ -98,10 +113,13 @@
102035 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
102036 * Both make kfree a no-op.
102037 */
102038-#define ZERO_SIZE_PTR ((void *)16)
102039+#define ZERO_SIZE_PTR \
102040+({ \
102041+ BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
102042+ (void *)(-MAX_ERRNO-1L); \
102043+})
102044
102045-#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
102046- (unsigned long)ZERO_SIZE_PTR)
102047+#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
102048
102049 #include <linux/kmemleak.h>
102050 #include <linux/kasan.h>
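Review bot: The rewritten `ZERO_OR_NULL_PTR(x)` is true for NULL and for every address from `ZERO_SIZE_PTR` up to the top of the address space, which includes the whole `ERR_PTR` range, whereas the old test matched only values up to 16. Code that consults this macro before freeing or dereferencing will therefore treat an error pointer as an empty allocation, which may be the intent but is not stated. The context comment above still describes only NULL and `ZERO_SIZE_PTR`; add something like `/* also true for ERR_PTR values; x - 1 wraps NULL to ULONG_MAX */`. `ZERO_SIZE_PTR` is now a statement expression, so it can no longer appear in a static initialiser or other constant-expression context.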
102051@@ -143,6 +161,8 @@ void * __must_check krealloc(const void *, size_t, gfp_t);
102052 void kfree(const void *);
102053 void kzfree(const void *);
102054 size_t ksize(const void *);
102055+const char *check_heap_object(const void *ptr, unsigned long n);
102056+bool is_usercopy_object(const void *ptr);
102057
102058 /*
102059 * Some archs want to perform DMA into kmalloc caches and need a guaranteed
102060@@ -235,6 +255,10 @@ extern struct kmem_cache *kmalloc_caches[KMALLOC_SHIFT_HIGH + 1];
102061 extern struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
102062 #endif
102063
102064+#ifdef CONFIG_PAX_USERCOPY_SLABS
102065+extern struct kmem_cache *kmalloc_usercopy_caches[KMALLOC_SHIFT_HIGH + 1];
102066+#endif
102067+
102068 /*
102069 * Figure out which kmalloc slab an allocation of a certain size
102070 * belongs to.
102071@@ -243,7 +267,7 @@ extern struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
102072 * 2 = 129 .. 192 bytes
102073 * n = 2^(n-1)+1 .. 2^n
102074 */
102075-static __always_inline int kmalloc_index(size_t size)
102076+static __always_inline __size_overflow(1) int kmalloc_index(size_t size)
102077 {
102078 if (!size)
102079 return 0;
102080@@ -286,15 +310,15 @@ static __always_inline int kmalloc_index(size_t size)
102081 }
102082 #endif /* !CONFIG_SLOB */
102083
102084-void *__kmalloc(size_t size, gfp_t flags);
102085+void *__kmalloc(size_t size, gfp_t flags) __alloc_size(1) __size_overflow(1);
102086 void *kmem_cache_alloc(struct kmem_cache *, gfp_t flags);
102087 void kmem_cache_free(struct kmem_cache *, void *);
102088
102089 #ifdef CONFIG_NUMA
102090-void *__kmalloc_node(size_t size, gfp_t flags, int node);
102091+void *__kmalloc_node(size_t size, gfp_t flags, int node) __alloc_size(1) __size_overflow(1);
102092 void *kmem_cache_alloc_node(struct kmem_cache *, gfp_t flags, int node);
102093 #else
102094-static __always_inline void *__kmalloc_node(size_t size, gfp_t flags, int node)
102095+static __always_inline void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)
102096 {
102097 return __kmalloc(size, flags);
102098 }
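Review bot: The non-NUMA inline `__kmalloc_node` at the end of this hunk is annotated with `__size_overflow(1)` only, while the CONFIG_NUMA prototype a few lines above it gets both `__alloc_size(1)` and `__size_overflow(1)`. The two variants of the same function should carry the same annotations, e.g. `static __always_inline void * __alloc_size(1) __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)`. The attribute may well propagate from `__kmalloc` once the wrapper is inlined, but that depends on the compiler and is not something a reader can confirm from the header.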
102099diff --git a/include/linux/slab_def.h b/include/linux/slab_def.h
102100index 33d0490..70a6313 100644
102101--- a/include/linux/slab_def.h
102102+++ b/include/linux/slab_def.h
102103@@ -40,7 +40,7 @@ struct kmem_cache {
102104 /* 4) cache creation/removal */
102105 const char *name;
102106 struct list_head list;
102107- int refcount;
102108+ atomic_t refcount;
102109 int object_size;
102110 int align;
102111
102112@@ -56,10 +56,14 @@ struct kmem_cache {
102113 unsigned long node_allocs;
102114 unsigned long node_frees;
102115 unsigned long node_overflow;
102116- atomic_t allochit;
102117- atomic_t allocmiss;
102118- atomic_t freehit;
102119- atomic_t freemiss;
102120+ atomic_unchecked_t allochit;
102121+ atomic_unchecked_t allocmiss;
102122+ atomic_unchecked_t freehit;
102123+ atomic_unchecked_t freemiss;
102124+#ifdef CONFIG_PAX_MEMORY_SANITIZE
102125+ atomic_unchecked_t sanitized;
102126+ atomic_unchecked_t not_sanitized;
102127+#endif
102128
102129 /*
102130 * If debugging is enabled, then the allocator can add additional
102131diff --git a/include/linux/slub_def.h b/include/linux/slub_def.h
102132index 3388511..6252f90 100644
102133--- a/include/linux/slub_def.h
102134+++ b/include/linux/slub_def.h
102135@@ -74,7 +74,7 @@ struct kmem_cache {
102136 struct kmem_cache_order_objects max;
102137 struct kmem_cache_order_objects min;
102138 gfp_t allocflags; /* gfp flags to use on each alloc */
102139- int refcount; /* Refcount for slab cache destroy */
102140+ atomic_t refcount; /* Refcount for slab cache destroy */
102141 void (*ctor)(void *);
102142 int inuse; /* Offset to metadata */
102143 int align; /* Alignment */
102144diff --git a/include/linux/smp.h b/include/linux/smp.h
102145index c441407..f487b83 100644
102146--- a/include/linux/smp.h
102147+++ b/include/linux/smp.h
102148@@ -183,7 +183,9 @@ static inline void smp_init(void) { }
102149 #endif
102150
102151 #define get_cpu() ({ preempt_disable(); smp_processor_id(); })
102152+#define raw_get_cpu() ({ raw_preempt_disable(); raw_smp_processor_id(); })
102153 #define put_cpu() preempt_enable()
102154+#define raw_put_cpu_no_resched() raw_preempt_enable_no_resched()
102155
102156 /*
102157 * Callback to arch code if there's nosmp or maxcpus=0 on the
102158diff --git a/include/linux/sock_diag.h b/include/linux/sock_diag.h
102159index fddebc6..6f0ae39 100644
102160--- a/include/linux/sock_diag.h
102161+++ b/include/linux/sock_diag.h
102162@@ -15,7 +15,7 @@ struct sock_diag_handler {
102163 __u8 family;
102164 int (*dump)(struct sk_buff *skb, struct nlmsghdr *nlh);
102165 int (*get_info)(struct sk_buff *skb, struct sock *sk);
102166-};
102167+} __do_const;
102168
102169 int sock_diag_register(const struct sock_diag_handler *h);
102170 void sock_diag_unregister(const struct sock_diag_handler *h);
102171diff --git a/include/linux/sonet.h b/include/linux/sonet.h
102172index 680f9a3..f13aeb0 100644
102173--- a/include/linux/sonet.h
102174+++ b/include/linux/sonet.h
102175@@ -7,7 +7,7 @@
102176 #include <uapi/linux/sonet.h>
102177
102178 struct k_sonet_stats {
102179-#define __HANDLE_ITEM(i) atomic_t i
102180+#define __HANDLE_ITEM(i) atomic_unchecked_t i
102181 __SONET_ITEMS
102182 #undef __HANDLE_ITEM
102183 };
102184diff --git a/include/linux/sunrpc/addr.h b/include/linux/sunrpc/addr.h
102185index 07d8e53..dc934c9 100644
102186--- a/include/linux/sunrpc/addr.h
102187+++ b/include/linux/sunrpc/addr.h
102188@@ -23,9 +23,9 @@ static inline unsigned short rpc_get_port(const struct sockaddr *sap)
102189 {
102190 switch (sap->sa_family) {
102191 case AF_INET:
102192- return ntohs(((struct sockaddr_in *)sap)->sin_port);
102193+ return ntohs(((const struct sockaddr_in *)sap)->sin_port);
102194 case AF_INET6:
102195- return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
102196+ return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
102197 }
102198 return 0;
102199 }
102200@@ -58,7 +58,7 @@ static inline bool __rpc_cmp_addr4(const struct sockaddr *sap1,
102201 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
102202 const struct sockaddr *src)
102203 {
102204- const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
102205+ const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
102206 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
102207
102208 dsin->sin_family = ssin->sin_family;
102209@@ -164,7 +164,7 @@ static inline u32 rpc_get_scope_id(const struct sockaddr *sa)
102210 if (sa->sa_family != AF_INET6)
102211 return 0;
102212
102213- return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
102214+ return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
102215 }
102216
102217 #endif /* _LINUX_SUNRPC_ADDR_H */
102218diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h
102219index 131032f..5f9378a 100644
102220--- a/include/linux/sunrpc/clnt.h
102221+++ b/include/linux/sunrpc/clnt.h
102222@@ -101,7 +101,7 @@ struct rpc_procinfo {
102223 unsigned int p_timer; /* Which RTT timer to use */
102224 u32 p_statidx; /* Which procedure to account */
102225 const char * p_name; /* name of procedure */
102226-};
102227+} __do_const;
102228
102229 #ifdef __KERNEL__
102230
102231diff --git a/include/linux/sunrpc/svc.h b/include/linux/sunrpc/svc.h
102232index fae6fb9..023fbcd 100644
102233--- a/include/linux/sunrpc/svc.h
102234+++ b/include/linux/sunrpc/svc.h
102235@@ -420,7 +420,7 @@ struct svc_procedure {
102236 unsigned int pc_count; /* call count */
102237 unsigned int pc_cachetype; /* cache info (NFS) */
102238 unsigned int pc_xdrressize; /* maximum size of XDR reply */
102239-};
102240+} __do_const;
102241
102242 /*
102243 * Function prototypes.
102244diff --git a/include/linux/sunrpc/svc_rdma.h b/include/linux/sunrpc/svc_rdma.h
102245index 4929a8a..b8f29e9 100644
102246--- a/include/linux/sunrpc/svc_rdma.h
102247+++ b/include/linux/sunrpc/svc_rdma.h
102248@@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
102249 extern unsigned int svcrdma_max_requests;
102250 extern unsigned int svcrdma_max_req_size;
102251
102252-extern atomic_t rdma_stat_recv;
102253-extern atomic_t rdma_stat_read;
102254-extern atomic_t rdma_stat_write;
102255-extern atomic_t rdma_stat_sq_starve;
102256-extern atomic_t rdma_stat_rq_starve;
102257-extern atomic_t rdma_stat_rq_poll;
102258-extern atomic_t rdma_stat_rq_prod;
102259-extern atomic_t rdma_stat_sq_poll;
102260-extern atomic_t rdma_stat_sq_prod;
102261+extern atomic_unchecked_t rdma_stat_recv;
102262+extern atomic_unchecked_t rdma_stat_read;
102263+extern atomic_unchecked_t rdma_stat_write;
102264+extern atomic_unchecked_t rdma_stat_sq_starve;
102265+extern atomic_unchecked_t rdma_stat_rq_starve;
102266+extern atomic_unchecked_t rdma_stat_rq_poll;
102267+extern atomic_unchecked_t rdma_stat_rq_prod;
102268+extern atomic_unchecked_t rdma_stat_sq_poll;
102269+extern atomic_unchecked_t rdma_stat_sq_prod;
102270
102271 /*
102272 * Contexts are built when an RDMA request is created and are a
102273diff --git a/include/linux/sunrpc/svcauth.h b/include/linux/sunrpc/svcauth.h
102274index 8d71d65..f79586e 100644
102275--- a/include/linux/sunrpc/svcauth.h
102276+++ b/include/linux/sunrpc/svcauth.h
102277@@ -120,7 +120,7 @@ struct auth_ops {
102278 int (*release)(struct svc_rqst *rq);
102279 void (*domain_release)(struct auth_domain *);
102280 int (*set_client)(struct svc_rqst *rq);
102281-};
102282+} __do_const;
102283
102284 #define SVC_GARBAGE 1
102285 #define SVC_SYSERR 2
102286diff --git a/include/linux/swiotlb.h b/include/linux/swiotlb.h
102287index e7a018e..49f8b17 100644
102288--- a/include/linux/swiotlb.h
102289+++ b/include/linux/swiotlb.h
102290@@ -60,7 +60,8 @@ extern void
102291
102292 extern void
102293 swiotlb_free_coherent(struct device *hwdev, size_t size,
102294- void *vaddr, dma_addr_t dma_handle);
102295+ void *vaddr, dma_addr_t dma_handle,
102296+ struct dma_attrs *attrs);
102297
102298 extern dma_addr_t swiotlb_map_page(struct device *dev, struct page *page,
102299 unsigned long offset, size_t size,
102300diff --git a/include/linux/syscalls.h b/include/linux/syscalls.h
102301index b45c45b..a6ae64c 100644
102302--- a/include/linux/syscalls.h
102303+++ b/include/linux/syscalls.h
102304@@ -102,7 +102,12 @@ union bpf_attr;
102305 #define __TYPE_IS_L(t) (__same_type((t)0, 0L))
102306 #define __TYPE_IS_UL(t) (__same_type((t)0, 0UL))
102307 #define __TYPE_IS_LL(t) (__same_type((t)0, 0LL) || __same_type((t)0, 0ULL))
102308-#define __SC_LONG(t, a) __typeof(__builtin_choose_expr(__TYPE_IS_LL(t), 0LL, 0L)) a
102309+#define __SC_LONG(t, a) __typeof__( \
102310+ __builtin_choose_expr( \
102311+ sizeof(t) > sizeof(int), \
102312+ (t) 0, \
102313+ __builtin_choose_expr(__type_is_unsigned(t), 0UL, 0L) \
102314+ )) a
102315 #define __SC_CAST(t, a) (t) a
102316 #define __SC_ARGS(t, a) a
102317 #define __SC_TEST(t, a) (void)BUILD_BUG_ON_ZERO(!__TYPE_IS_LL(t) && sizeof(t) > sizeof(long))
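Review bot: The rewritten `__SC_LONG` changes how every syscall argument is widened, yet it carries no comment stating the rule, and it relies on `__type_is_unsigned`, which is defined outside this hunk. From the expression, a type wider than `int` keeps its own type, and anything else becomes `unsigned long` or `long` according to its signedness. A comment above the macro would make that explicit, for example `/* widen syscall args: types wider than int keep their type; narrower ones become unsigned long or long by signedness */`. It is also worth confirming that `__SC_TEST`, which is unchanged and still keyed on `__TYPE_IS_LL`, remains the intended guard now that `__SC_LONG` no longer uses that predicate.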
102318@@ -384,11 +389,11 @@ asmlinkage long sys_sync(void);
102319 asmlinkage long sys_fsync(unsigned int fd);
102320 asmlinkage long sys_fdatasync(unsigned int fd);
102321 asmlinkage long sys_bdflush(int func, long data);
102322-asmlinkage long sys_mount(char __user *dev_name, char __user *dir_name,
102323- char __user *type, unsigned long flags,
102324+asmlinkage long sys_mount(const char __user *dev_name, const char __user *dir_name,
102325+ const char __user *type, unsigned long flags,
102326 void __user *data);
102327-asmlinkage long sys_umount(char __user *name, int flags);
102328-asmlinkage long sys_oldumount(char __user *name);
102329+asmlinkage long sys_umount(const char __user *name, int flags);
102330+asmlinkage long sys_oldumount(const char __user *name);
102331 asmlinkage long sys_truncate(const char __user *path, long length);
102332 asmlinkage long sys_ftruncate(unsigned int fd, unsigned long length);
102333 asmlinkage long sys_stat(const char __user *filename,
102334@@ -604,7 +609,7 @@ asmlinkage long sys_getsockname(int, struct sockaddr __user *, int __user *);
102335 asmlinkage long sys_getpeername(int, struct sockaddr __user *, int __user *);
102336 asmlinkage long sys_send(int, void __user *, size_t, unsigned);
102337 asmlinkage long sys_sendto(int, void __user *, size_t, unsigned,
102338- struct sockaddr __user *, int);
102339+ struct sockaddr __user *, int) __intentional_overflow(0);
102340 asmlinkage long sys_sendmsg(int fd, struct user_msghdr __user *msg, unsigned flags);
102341 asmlinkage long sys_sendmmsg(int fd, struct mmsghdr __user *msg,
102342 unsigned int vlen, unsigned flags);
102343@@ -663,10 +668,10 @@ asmlinkage long sys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf);
102344
102345 asmlinkage long sys_semget(key_t key, int nsems, int semflg);
102346 asmlinkage long sys_semop(int semid, struct sembuf __user *sops,
102347- unsigned nsops);
102348+ long nsops);
102349 asmlinkage long sys_semctl(int semid, int semnum, int cmd, unsigned long arg);
102350 asmlinkage long sys_semtimedop(int semid, struct sembuf __user *sops,
102351- unsigned nsops,
102352+ long nsops,
102353 const struct timespec __user *timeout);
102354 asmlinkage long sys_shmat(int shmid, char __user *shmaddr, int shmflg);
102355 asmlinkage long sys_shmget(key_t key, size_t size, int flag);
102356diff --git a/include/linux/syscore_ops.h b/include/linux/syscore_ops.h
102357index 27b3b0b..e093dd9 100644
102358--- a/include/linux/syscore_ops.h
102359+++ b/include/linux/syscore_ops.h
102360@@ -16,7 +16,7 @@ struct syscore_ops {
102361 int (*suspend)(void);
102362 void (*resume)(void);
102363 void (*shutdown)(void);
102364-};
102365+} __do_const;
102366
102367 extern void register_syscore_ops(struct syscore_ops *ops);
102368 extern void unregister_syscore_ops(struct syscore_ops *ops);
102369diff --git a/include/linux/sysctl.h b/include/linux/sysctl.h
102370index fa7bc29..0d96561 100644
102371--- a/include/linux/sysctl.h
102372+++ b/include/linux/sysctl.h
102373@@ -39,10 +39,16 @@ typedef int proc_handler (struct ctl_table *ctl, int write,
102374
102375 extern int proc_dostring(struct ctl_table *, int,
102376 void __user *, size_t *, loff_t *);
102377+extern int proc_dostring_modpriv(struct ctl_table *, int,
102378+ void __user *, size_t *, loff_t *);
102379 extern int proc_dointvec(struct ctl_table *, int,
102380 void __user *, size_t *, loff_t *);
102381+extern int proc_dointvec_secure(struct ctl_table *, int,
102382+ void __user *, size_t *, loff_t *);
102383 extern int proc_dointvec_minmax(struct ctl_table *, int,
102384 void __user *, size_t *, loff_t *);
102385+extern int proc_dointvec_minmax_secure(struct ctl_table *, int,
102386+ void __user *, size_t *, loff_t *);
102387 extern int proc_dointvec_jiffies(struct ctl_table *, int,
102388 void __user *, size_t *, loff_t *);
102389 extern int proc_dointvec_userhz_jiffies(struct ctl_table *, int,
102390@@ -113,7 +119,8 @@ struct ctl_table
102391 struct ctl_table_poll *poll;
102392 void *extra1;
102393 void *extra2;
102394-};
102395+} __do_const __randomize_layout;
102396+typedef struct ctl_table __no_const ctl_table_no_const;
102397
102398 struct ctl_node {
102399 struct rb_node node;
102400diff --git a/include/linux/sysfs.h b/include/linux/sysfs.h
102401index 9f65758..487a6f1 100644
102402--- a/include/linux/sysfs.h
102403+++ b/include/linux/sysfs.h
102404@@ -34,7 +34,8 @@ struct attribute {
102405 struct lock_class_key *key;
102406 struct lock_class_key skey;
102407 #endif
102408-};
102409+} __do_const;
102410+typedef struct attribute __no_const attribute_no_const;
102411
102412 /**
102413 * sysfs_attr_init - initialize a dynamically allocated sysfs attribute
102414@@ -78,7 +79,8 @@ struct attribute_group {
102415 struct attribute *, int);
102416 struct attribute **attrs;
102417 struct bin_attribute **bin_attrs;
102418-};
102419+} __do_const;
102420+typedef struct attribute_group __no_const attribute_group_no_const;
102421
102422 /**
102423 * Use these macros to make defining attributes easier. See include/linux/device.h
102424@@ -152,7 +154,8 @@ struct bin_attribute {
102425 char *, loff_t, size_t);
102426 int (*mmap)(struct file *, struct kobject *, struct bin_attribute *attr,
102427 struct vm_area_struct *vma);
102428-};
102429+} __do_const;
102430+typedef struct bin_attribute __no_const bin_attribute_no_const;
102431
102432 /**
102433 * sysfs_bin_attr_init - initialize a dynamically allocated bin_attribute
102434diff --git a/include/linux/sysrq.h b/include/linux/sysrq.h
102435index 387fa7d..3fcde6b 100644
102436--- a/include/linux/sysrq.h
102437+++ b/include/linux/sysrq.h
102438@@ -16,6 +16,7 @@
102439
102440 #include <linux/errno.h>
102441 #include <linux/types.h>
102442+#include <linux/compiler.h>
102443
102444 /* Possible values of bitmask for enabling sysrq functions */
102445 /* 0x0001 is reserved for enable everything */
102446@@ -33,7 +34,7 @@ struct sysrq_key_op {
102447 char *help_msg;
102448 char *action_msg;
102449 int enable_mask;
102450-};
102451+} __do_const;
102452
102453 #ifdef CONFIG_MAGIC_SYSRQ
102454
102455diff --git a/include/linux/tcp.h b/include/linux/tcp.h
102456index 48c3696..e7a7ba6 100644
102457--- a/include/linux/tcp.h
102458+++ b/include/linux/tcp.h
102459@@ -63,13 +63,13 @@ struct tcp_fastopen_cookie {
102460
102461 /* This defines a selective acknowledgement block. */
102462 struct tcp_sack_block_wire {
102463- __be32 start_seq;
102464- __be32 end_seq;
102465+ __be32 start_seq __intentional_overflow(-1);
102466+ __be32 end_seq __intentional_overflow(-1);
102467 };
102468
102469 struct tcp_sack_block {
102470- u32 start_seq;
102471- u32 end_seq;
102472+ u32 start_seq __intentional_overflow(-1);
102473+ u32 end_seq __intentional_overflow(-1);
102474 };
102475
102476 /*These are used to set the sack_ok field in struct tcp_options_received */
102477@@ -153,7 +153,7 @@ struct tcp_sock {
102478 * total number of segments in.
102479 */
102480 u32 rcv_nxt; /* What we want to receive next */
102481- u32 copied_seq; /* Head of yet unread data */
102482+ u32 copied_seq __intentional_overflow(-1); /* Head of yet unread data */
102483 u32 rcv_wup; /* rcv_nxt on last window update sent */
102484 u32 snd_nxt; /* Next sequence we send */
102485 u32 segs_out; /* RFC4898 tcpEStatsPerfSegsOut
102486@@ -248,7 +248,7 @@ struct tcp_sock {
102487 u32 prr_out; /* Total number of pkts sent during Recovery. */
102488
102489 u32 rcv_wnd; /* Current receiver window */
102490- u32 write_seq; /* Tail(+1) of data held in tcp send buffer */
102491+ u32 write_seq __intentional_overflow(-1); /* Tail(+1) of data held in tcp send buffer */
102492 u32 notsent_lowat; /* TCP_NOTSENT_LOWAT */
102493 u32 pushed_seq; /* Last pushed seq, required to talk to windows */
102494 u32 lost_out; /* Lost packets */
102495@@ -291,7 +291,7 @@ struct tcp_sock {
102496 int undo_retrans; /* number of undoable retransmissions. */
102497 u32 total_retrans; /* Total retransmits for entire connection */
102498
102499- u32 urg_seq; /* Seq of received urgent pointer */
102500+ u32 urg_seq __intentional_overflow(-1); /* Seq of received urgent pointer */
102501 unsigned int keepalive_time; /* time before keep alive takes place */
102502 unsigned int keepalive_intvl; /* time interval between keep alive probes */
102503
102504diff --git a/include/linux/thread_info.h b/include/linux/thread_info.h
102505index ff307b5..f1a4468 100644
102506--- a/include/linux/thread_info.h
102507+++ b/include/linux/thread_info.h
102508@@ -145,6 +145,13 @@ static inline bool test_and_clear_restore_sigmask(void)
102509 #error "no set_restore_sigmask() provided and default one won't work"
102510 #endif
102511
102512+extern void __check_object_size(const void *ptr, unsigned long n, bool to_user, bool const_size);
102513+
102514+static inline void check_object_size(const void *ptr, unsigned long n, bool to_user)
102515+{
102516+ __check_object_size(ptr, n, to_user, __builtin_constant_p(n));
102517+}
102518+
102519 #endif /* __KERNEL__ */
102520
102521 #endif /* _LINUX_THREAD_INFO_H */
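Review bot: `check_object_size()` passes `__builtin_constant_p(n)` on its own parameter, which only evaluates to true after the wrapper has been inlined into a caller with a constant `n`. It is declared plain `static inline`, so in a build where `inline` is not forced, an out-of-line copy would always report `const_size` as false. Declaring it `static __always_inline void check_object_size(const void *ptr, unsigned long n, bool to_user)` removes that dependency. How `__check_object_size` uses `const_size` is not visible in this hunk, so the practical effect of a false value should be confirmed at the definition. A one-line comment saying what `to_user` selects would also help callers.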
102522diff --git a/include/linux/tty.h b/include/linux/tty.h
102523index ad6c891..93a8f45 100644
102524--- a/include/linux/tty.h
102525+++ b/include/linux/tty.h
102526@@ -225,7 +225,7 @@ struct tty_port {
102527 const struct tty_port_operations *ops; /* Port operations */
102528 spinlock_t lock; /* Lock protecting tty field */
102529 int blocked_open; /* Waiting to open */
102530- int count; /* Usage count */
102531+ atomic_t count; /* Usage count */
102532 wait_queue_head_t open_wait; /* Open waiters */
102533 wait_queue_head_t close_wait; /* Close waiters */
102534 wait_queue_head_t delta_msr_wait; /* Modem status change */
102535@@ -313,7 +313,7 @@ struct tty_struct {
102536 /* If the tty has a pending do_SAK, queue it here - akpm */
102537 struct work_struct SAK_work;
102538 struct tty_port *port;
102539-};
102540+} __randomize_layout;
102541
102542 /* Each of a tty's open files has private_data pointing to tty_file_private */
102543 struct tty_file_private {
102544@@ -573,7 +573,7 @@ extern int tty_port_open(struct tty_port *port,
102545 struct tty_struct *tty, struct file *filp);
102546 static inline int tty_port_users(struct tty_port *port)
102547 {
102548- return port->count + port->blocked_open;
102549+ return atomic_read(&port->count) + port->blocked_open;
102550 }
102551
102552 extern int tty_register_ldisc(int disc, struct tty_ldisc_ops *new_ldisc);
102553diff --git a/include/linux/tty_driver.h b/include/linux/tty_driver.h
102554index 92e337c..f46757b 100644
102555--- a/include/linux/tty_driver.h
102556+++ b/include/linux/tty_driver.h
102557@@ -291,7 +291,7 @@ struct tty_operations {
102558 void (*poll_put_char)(struct tty_driver *driver, int line, char ch);
102559 #endif
102560 const struct file_operations *proc_fops;
102561-};
102562+} __do_const __randomize_layout;
102563
102564 struct tty_driver {
102565 int magic; /* magic number for this structure */
102566@@ -325,7 +325,7 @@ struct tty_driver {
102567
102568 const struct tty_operations *ops;
102569 struct list_head tty_drivers;
102570-};
102571+} __randomize_layout;
102572
102573 extern struct list_head tty_drivers;
102574
102575diff --git a/include/linux/tty_ldisc.h b/include/linux/tty_ldisc.h
102576index 00c9d68..bc0188b 100644
102577--- a/include/linux/tty_ldisc.h
102578+++ b/include/linux/tty_ldisc.h
102579@@ -215,7 +215,7 @@ struct tty_ldisc_ops {
102580
102581 struct module *owner;
102582
102583- int refcount;
102584+ atomic_t refcount;
102585 };
102586
102587 struct tty_ldisc {
102588diff --git a/include/linux/types.h b/include/linux/types.h
102589index 8715287..1be77ee 100644
102590--- a/include/linux/types.h
102591+++ b/include/linux/types.h
102592@@ -176,10 +176,26 @@ typedef struct {
102593 int counter;
102594 } atomic_t;
102595
102596+#ifdef CONFIG_PAX_REFCOUNT
102597+typedef struct {
102598+ int counter;
102599+} atomic_unchecked_t;
102600+#else
102601+typedef atomic_t atomic_unchecked_t;
102602+#endif
102603+
102604 #ifdef CONFIG_64BIT
102605 typedef struct {
102606 long counter;
102607 } atomic64_t;
102608+
102609+#ifdef CONFIG_PAX_REFCOUNT
102610+typedef struct {
102611+ long counter;
102612+} atomic64_unchecked_t;
102613+#else
102614+typedef atomic64_t atomic64_unchecked_t;
102615+#endif
102616 #endif
102617
102618 struct list_head {
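Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced here without a comment saying when a field may use them, although other hunks in this patch choose between the two per field (`refcount` becomes `atomic_t`, the slab hit/miss statistics become `atomic_unchecked_t`). Under CONFIG_PAX_REFCOUNT they are distinct struct types, so the choice is a policy decision rather than an alias. As the name and the config guard suggest, the unchecked types presumably opt out of overflow detection; if so, a comment such as `/* *_unchecked_t: exempt from PAX_REFCOUNT overflow detection; only for counters where wraparound is harmless, never for reference counts */` above the first typedef would stop later code from picking the wrong one.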
102619diff --git a/include/linux/uaccess.h b/include/linux/uaccess.h
102620index ae572c1..73bd4ec 100644
102621--- a/include/linux/uaccess.h
102622+++ b/include/linux/uaccess.h
102623@@ -97,11 +97,11 @@ static inline unsigned long __copy_from_user_nocache(void *to,
102624 long ret; \
102625 mm_segment_t old_fs = get_fs(); \
102626 \
102627- set_fs(KERNEL_DS); \
102628 pagefault_disable(); \
102629- ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
102630- pagefault_enable(); \
102631+ set_fs(KERNEL_DS); \
102632+ ret = __copy_from_user_inatomic(&(retval), (typeof(retval) __force_user *)(addr), sizeof(retval)); \
102633 set_fs(old_fs); \
102634+ pagefault_enable(); \
102635 ret; \
102636 })
102637
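Review bot: The reordering makes the statement order load-bearing without recording why: `set_fs(KERNEL_DS)` now runs after `pagefault_disable()` and `set_fs(old_fs)` before `pagefault_enable()`, so the widened address limit is held strictly inside the pagefault-disabled region. A later cleanup could easily restore the old order, so a comment line such as `/* keep the KERNEL_DS window inside the pagefault-disabled section */ \` before `pagefault_disable()` would preserve the intent (it needs the trailing backslash, being inside the macro body). The macro itself starts above this hunk.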
102638diff --git a/include/linux/uidgid.h b/include/linux/uidgid.h
102639index 0383552..a0125dd 100644
102640--- a/include/linux/uidgid.h
102641+++ b/include/linux/uidgid.h
102642@@ -187,4 +187,9 @@ static inline bool kgid_has_mapping(struct user_namespace *ns, kgid_t gid)
102643
102644 #endif /* CONFIG_USER_NS */
102645
102646+#define GR_GLOBAL_UID(x) from_kuid_munged(&init_user_ns, (x))
102647+#define GR_GLOBAL_GID(x) from_kgid_munged(&init_user_ns, (x))
102648+#define gr_is_global_root(x) uid_eq((x), GLOBAL_ROOT_UID)
102649+#define gr_is_global_nonroot(x) (!uid_eq((x), GLOBAL_ROOT_UID))
102650+
102651 #endif /* _LINUX_UIDGID_H */
102652diff --git a/include/linux/uio_driver.h b/include/linux/uio_driver.h
102653index 32c0e83..671eb35 100644
102654--- a/include/linux/uio_driver.h
102655+++ b/include/linux/uio_driver.h
102656@@ -67,7 +67,7 @@ struct uio_device {
102657 struct module *owner;
102658 struct device *dev;
102659 int minor;
102660- atomic_t event;
102661+ atomic_unchecked_t event;
102662 struct fasync_struct *async_queue;
102663 wait_queue_head_t wait;
102664 struct uio_info *info;
102665diff --git a/include/linux/unaligned/access_ok.h b/include/linux/unaligned/access_ok.h
102666index 99c1b4d..562e6f3 100644
102667--- a/include/linux/unaligned/access_ok.h
102668+++ b/include/linux/unaligned/access_ok.h
102669@@ -4,34 +4,34 @@
102670 #include <linux/kernel.h>
102671 #include <asm/byteorder.h>
102672
102673-static inline u16 get_unaligned_le16(const void *p)
102674+static inline u16 __intentional_overflow(-1) get_unaligned_le16(const void *p)
102675 {
102676- return le16_to_cpup((__le16 *)p);
102677+ return le16_to_cpup((const __le16 *)p);
102678 }
102679
102680-static inline u32 get_unaligned_le32(const void *p)
102681+static inline u32 __intentional_overflow(-1) get_unaligned_le32(const void *p)
102682 {
102683- return le32_to_cpup((__le32 *)p);
102684+ return le32_to_cpup((const __le32 *)p);
102685 }
102686
102687-static inline u64 get_unaligned_le64(const void *p)
102688+static inline u64 __intentional_overflow(-1) get_unaligned_le64(const void *p)
102689 {
102690- return le64_to_cpup((__le64 *)p);
102691+ return le64_to_cpup((const __le64 *)p);
102692 }
102693
102694-static inline u16 get_unaligned_be16(const void *p)
102695+static inline u16 __intentional_overflow(-1) get_unaligned_be16(const void *p)
102696 {
102697- return be16_to_cpup((__be16 *)p);
102698+ return be16_to_cpup((const __be16 *)p);
102699 }
102700
102701-static inline u32 get_unaligned_be32(const void *p)
102702+static inline u32 __intentional_overflow(-1) get_unaligned_be32(const void *p)
102703 {
102704- return be32_to_cpup((__be32 *)p);
102705+ return be32_to_cpup((const __be32 *)p);
102706 }
102707
102708-static inline u64 get_unaligned_be64(const void *p)
102709+static inline u64 __intentional_overflow(-1) get_unaligned_be64(const void *p)
102710 {
102711- return be64_to_cpup((__be64 *)p);
102712+ return be64_to_cpup((const __be64 *)p);
102713 }
102714
102715 static inline void put_unaligned_le16(u16 val, void *p)
102716diff --git a/include/linux/usb.h b/include/linux/usb.h
102717index 447fe29..07a9cf0 100644
102718--- a/include/linux/usb.h
102719+++ b/include/linux/usb.h
102720@@ -363,7 +363,7 @@ struct usb_bus {
102721 * with the URB_SHORT_NOT_OK flag set.
102722 */
102723 unsigned no_sg_constraint:1; /* no sg constraint */
102724- unsigned sg_tablesize; /* 0 or largest number of sg list entries */
102725+ unsigned short sg_tablesize; /* 0 or largest number of sg list entries */
102726
102727 int devnum_next; /* Next open device number in
102728 * round-robin allocation */
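Review bot: Narrowing `sg_tablesize` from `unsigned` to `unsigned short` means any assignment from a wider value above 65535 is truncated silently, and the field's comment still reads only "0 or largest number of sg list entries". The host controller drivers that set this field are outside this hunk, so each assignment should be checked for a wider source or a sentinel such as an all-ones value. Extending the comment to state the new limit, for example `/* 0 or largest number of sg list entries; must fit in 16 bits */`, would make the constraint visible at the declaration.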
102729@@ -592,7 +592,7 @@ struct usb_device {
102730 int maxchild;
102731
102732 u32 quirks;
102733- atomic_t urbnum;
102734+ atomic_unchecked_t urbnum;
102735
102736 unsigned long active_duration;
102737
102738@@ -1785,10 +1785,10 @@ void usb_sg_wait(struct usb_sg_request *io);
102739
102740 /* NOTE: these are not the standard USB_ENDPOINT_XFER_* values!! */
102741 /* (yet ... they're the values used by usbfs) */
102742-#define PIPE_ISOCHRONOUS 0
102743-#define PIPE_INTERRUPT 1
102744-#define PIPE_CONTROL 2
102745-#define PIPE_BULK 3
102746+#define PIPE_ISOCHRONOUS 0U
102747+#define PIPE_INTERRUPT 1U
102748+#define PIPE_CONTROL 2U
102749+#define PIPE_BULK 3U
102750
102751 #define usb_pipein(pipe) ((pipe) & USB_DIR_IN)
102752 #define usb_pipeout(pipe) (!usb_pipein(pipe))
102753diff --git a/include/linux/usb/hcd.h b/include/linux/usb/hcd.h
102754index c9aa779..46d6f69 100644
102755--- a/include/linux/usb/hcd.h
102756+++ b/include/linux/usb/hcd.h
102757@@ -23,6 +23,7 @@
102758
102759 #include <linux/rwsem.h>
102760 #include <linux/interrupt.h>
102761+#include <scsi/scsi_host.h>
102762
102763 #define MAX_TOPO_LEVEL 6
102764
102765diff --git a/include/linux/usb/renesas_usbhs.h b/include/linux/usb/renesas_usbhs.h
102766index 3dd5a78..ed69d7b 100644
102767--- a/include/linux/usb/renesas_usbhs.h
102768+++ b/include/linux/usb/renesas_usbhs.h
102769@@ -39,7 +39,7 @@ enum {
102770 */
102771 struct renesas_usbhs_driver_callback {
102772 int (*notify_hotplug)(struct platform_device *pdev);
102773-};
102774+} __no_const;
102775
102776 /*
102777 * callback functions for platform
102778diff --git a/include/linux/user_namespace.h b/include/linux/user_namespace.h
102779index 8297e5b..0dfae27 100644
102780--- a/include/linux/user_namespace.h
102781+++ b/include/linux/user_namespace.h
102782@@ -39,7 +39,7 @@ struct user_namespace {
102783 struct key *persistent_keyring_register;
102784 struct rw_semaphore persistent_keyring_register_sem;
102785 #endif
102786-};
102787+} __randomize_layout;
102788
102789 extern struct user_namespace init_user_ns;
102790
102791diff --git a/include/linux/utsname.h b/include/linux/utsname.h
102792index 5093f58..c103e58 100644
102793--- a/include/linux/utsname.h
102794+++ b/include/linux/utsname.h
102795@@ -25,7 +25,7 @@ struct uts_namespace {
102796 struct new_utsname name;
102797 struct user_namespace *user_ns;
102798 struct ns_common ns;
102799-};
102800+} __randomize_layout;
102801 extern struct uts_namespace init_uts_ns;
102802
102803 #ifdef CONFIG_UTS_NS
102804diff --git a/include/linux/vermagic.h b/include/linux/vermagic.h
102805index 6f8fbcf..4efc177 100644
102806--- a/include/linux/vermagic.h
102807+++ b/include/linux/vermagic.h
102808@@ -25,9 +25,42 @@
102809 #define MODULE_ARCH_VERMAGIC ""
102810 #endif
102811
102812+#ifdef CONFIG_PAX_REFCOUNT
102813+#define MODULE_PAX_REFCOUNT "REFCOUNT "
102814+#else
102815+#define MODULE_PAX_REFCOUNT ""
102816+#endif
102817+
102818+#ifdef CONSTIFY_PLUGIN
102819+#define MODULE_CONSTIFY_PLUGIN "CONSTIFY_PLUGIN "
102820+#else
102821+#define MODULE_CONSTIFY_PLUGIN ""
102822+#endif
102823+
102824+#ifdef STACKLEAK_PLUGIN
102825+#define MODULE_STACKLEAK_PLUGIN "STACKLEAK_PLUGIN "
102826+#else
102827+#define MODULE_STACKLEAK_PLUGIN ""
102828+#endif
102829+
102830+#ifdef RANDSTRUCT_PLUGIN
102831+#include <generated/randomize_layout_hash.h>
102832+#define MODULE_RANDSTRUCT_PLUGIN "RANDSTRUCT_PLUGIN_" RANDSTRUCT_HASHED_SEED
102833+#else
102834+#define MODULE_RANDSTRUCT_PLUGIN
102835+#endif
102836+
102837+#ifdef CONFIG_GRKERNSEC
102838+#define MODULE_GRSEC "GRSEC "
102839+#else
102840+#define MODULE_GRSEC ""
102841+#endif
102842+
102843 #define VERMAGIC_STRING \
102844 UTS_RELEASE " " \
102845 MODULE_VERMAGIC_SMP MODULE_VERMAGIC_PREEMPT \
102846 MODULE_VERMAGIC_MODULE_UNLOAD MODULE_VERMAGIC_MODVERSIONS \
102847- MODULE_ARCH_VERMAGIC
102848+ MODULE_ARCH_VERMAGIC \
102849+ MODULE_PAX_REFCOUNT MODULE_CONSTIFY_PLUGIN MODULE_STACKLEAK_PLUGIN \
102850+ MODULE_GRSEC MODULE_RANDSTRUCT_PLUGIN
102851
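Review bot: The fallback `#define MODULE_RANDSTRUCT_PLUGIN` is left empty, whereas every other fallback added in this hunk (`MODULE_PAX_REFCOUNT`, `MODULE_CONSTIFY_PLUGIN`, `MODULE_STACKLEAK_PLUGIN`, `MODULE_GRSEC`) expands to `""`. It works only because it is concatenated after other string literals in `VERMAGIC_STRING`; `#define MODULE_RANDSTRUCT_PLUGIN ""` would keep the set uniform and safe if the macro is ever used on its own. The enabled form `"RANDSTRUCT_PLUGIN_" RANDSTRUCT_HASHED_SEED` also has no trailing space, unlike the other tokens, so it must stay last in `VERMAGIC_STRING`; a short comment saying so would prevent a later token from being fused onto the seed hash.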
102852diff --git a/include/linux/vga_switcheroo.h b/include/linux/vga_switcheroo.h
102853index b483abd..af305ad 100644
102854--- a/include/linux/vga_switcheroo.h
102855+++ b/include/linux/vga_switcheroo.h
102856@@ -63,9 +63,9 @@ int vga_switcheroo_get_client_state(struct pci_dev *dev);
102857
102858 void vga_switcheroo_set_dynamic_switch(struct pci_dev *pdev, enum vga_switcheroo_state dynamic);
102859
102860-int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain);
102861+int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain);
102862 void vga_switcheroo_fini_domain_pm_ops(struct device *dev);
102863-int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain);
102864+int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain);
102865 #else
102866
102867 static inline void vga_switcheroo_unregister_client(struct pci_dev *dev) {}
102868@@ -82,9 +82,9 @@ static inline int vga_switcheroo_get_client_state(struct pci_dev *dev) { return
102869
102870 static inline void vga_switcheroo_set_dynamic_switch(struct pci_dev *pdev, enum vga_switcheroo_state dynamic) {}
102871
102872-static inline int vga_switcheroo_init_domain_pm_ops(struct device *dev, struct dev_pm_domain *domain) { return -EINVAL; }
102873+static inline int vga_switcheroo_init_domain_pm_ops(struct device *dev, dev_pm_domain_no_const *domain) { return -EINVAL; }
102874 static inline void vga_switcheroo_fini_domain_pm_ops(struct device *dev) {}
102875-static inline int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, struct dev_pm_domain *domain) { return -EINVAL; }
102876+static inline int vga_switcheroo_init_domain_pm_optimus_hdmi_audio(struct device *dev, dev_pm_domain_no_const *domain) { return -EINVAL; }
102877
102878 #endif
102879 #endif /* _LINUX_VGA_SWITCHEROO_H_ */
102880diff --git a/include/linux/vmalloc.h b/include/linux/vmalloc.h
102881index 0ec5983..66d8171 100644
102882--- a/include/linux/vmalloc.h
102883+++ b/include/linux/vmalloc.h
102884@@ -18,6 +18,14 @@ struct vm_area_struct; /* vma defining user mapping in mm_types.h */
102885 #define VM_UNINITIALIZED 0x00000020 /* vm_struct is not fully initialized */
102886 #define VM_NO_GUARD 0x00000040 /* don't add guard page */
102887 #define VM_KASAN 0x00000080 /* has allocated kasan shadow memory */
102888+
102889+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
102890+#define VM_KERNEXEC 0x00000100 /* allocate from executable kernel memory range */
102891+#endif
102892+
102893+#define VM_USERCOPY 0x00000200 /* allocation intended for copies to userland */
102894+
102895+
102896 /* bits [20..32] reserved for arch specific ioremap internals */
102897
102898 /*
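Review bot: `VM_KERNEXEC` is defined only when both `CONFIG_X86` and `CONFIG_PAX_KERNEXEC` are set, so every use of the flag elsewhere must repeat the same `#if` or the build breaks on other configurations. If unconditional use is intended, a fallback (`#else` / `#define VM_KERNEXEC 0`) would allow it, provided code that tests `flags & VM_KERNEXEC` tolerates a zero mask. `VM_USERCOPY` is unconditional; its comment could name the check that consumes the flag, which this hunk does not show. The second added blank line before the `bits [20..32]` comment is unnecessary.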
102899@@ -67,6 +75,7 @@ static inline void vmalloc_init(void)
102900 #endif
102901
102902 extern void *vmalloc(unsigned long size);
102903+extern void *vmalloc_usercopy(unsigned long size);
102904 extern void *vzalloc(unsigned long size);
102905 extern void *vmalloc_user(unsigned long size);
102906 extern void *vmalloc_node(unsigned long size, int node);
102907@@ -86,6 +95,10 @@ extern void *vmap(struct page **pages, unsigned int count,
102908 unsigned long flags, pgprot_t prot);
102909 extern void vunmap(const void *addr);
102910
102911+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
102912+extern void unmap_process_stacks(struct task_struct *task);
102913+#endif
102914+
102915 extern int remap_vmalloc_range_partial(struct vm_area_struct *vma,
102916 unsigned long uaddr, void *kaddr,
102917 unsigned long size);
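Review bot: The new prototype `unmap_process_stacks(struct task_struct *task)` names `struct task_struct`, but the only forward declaration this header is seen to make is `struct vm_area_struct;` (in the first hunk's header line). If no earlier include declares the type, the tag gets prototype scope and the compiler warns that it is declared inside the parameter list. Adding `struct task_struct;` next to the existing forward declaration removes the dependence on include order. A one-line comment on what the function does and who may call it would also help, since the declaration is all this header shows.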
102918@@ -150,7 +163,7 @@ extern void free_vm_area(struct vm_struct *area);
102919
102920 /* for /dev/kmem */
102921 extern long vread(char *buf, char *addr, unsigned long count);
102922-extern long vwrite(char *buf, char *addr, unsigned long count);
102923+extern long vwrite(char *buf, char *addr, unsigned long count) __size_overflow(3);
102924
102925 /*
102926 * Internals. Dont't use..
102927@@ -182,22 +195,10 @@ pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms)
102928 # endif
102929 #endif
102930
102931-struct vmalloc_info {
102932- unsigned long used;
102933- unsigned long largest_chunk;
102934-};
102935-
102936 #ifdef CONFIG_MMU
102937 #define VMALLOC_TOTAL (VMALLOC_END - VMALLOC_START)
102938-extern void get_vmalloc_info(struct vmalloc_info *vmi);
102939 #else
102940-
102941 #define VMALLOC_TOTAL 0UL
102942-#define get_vmalloc_info(vmi) \
102943-do { \
102944- (vmi)->used = 0; \
102945- (vmi)->largest_chunk = 0; \
102946-} while (0)
102947 #endif
102948
102949 #endif /* _LINUX_VMALLOC_H */
102950diff --git a/include/linux/vmstat.h b/include/linux/vmstat.h
102951index 82e7db7..f8ce3d0 100644
102952--- a/include/linux/vmstat.h
102953+++ b/include/linux/vmstat.h
102954@@ -108,18 +108,18 @@ static inline void vm_events_fold_cpu(int cpu)
102955 /*
102956 * Zone based page accounting with per cpu differentials.
102957 */
102958-extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
102959+extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
102960
102961 static inline void zone_page_state_add(long x, struct zone *zone,
102962 enum zone_stat_item item)
102963 {
102964- atomic_long_add(x, &zone->vm_stat[item]);
102965- atomic_long_add(x, &vm_stat[item]);
102966+ atomic_long_add_unchecked(x, &zone->vm_stat[item]);
102967+ atomic_long_add_unchecked(x, &vm_stat[item]);
102968 }
102969
102970-static inline unsigned long global_page_state(enum zone_stat_item item)
102971+static inline unsigned long __intentional_overflow(-1) global_page_state(enum zone_stat_item item)
102972 {
102973- long x = atomic_long_read(&vm_stat[item]);
102974+ long x = atomic_long_read_unchecked(&vm_stat[item]);
102975 #ifdef CONFIG_SMP
102976 if (x < 0)
102977 x = 0;
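Review bot: Nothing at the `vm_stat` declaration says why it moves to `atomic_long_unchecked_t`, which takes it out of the overflow detection that the checked atomic types get under PAX_REFCOUNT. That exemption is only safe for values that never govern an object's lifetime. A comment such as `/* statistics only, never a reference count: wraparound is harmless */` above the `extern` would record that these counters were reviewed as such. The same applies to the other `_unchecked` conversions in this patch, for example `__inc_zone_state`/`__dec_zone_state` further down this file and the `*_genid`, `sk_drops` and `skc_cookie` fields in the `include/net` headers. `global_page_state()` continues past the end of this hunk.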
102978@@ -127,10 +127,10 @@ static inline unsigned long global_page_state(enum zone_stat_item item)
102979 return x;
102980 }
102981
102982-static inline unsigned long zone_page_state(struct zone *zone,
102983+static inline unsigned long __intentional_overflow(-1) zone_page_state(struct zone *zone,
102984 enum zone_stat_item item)
102985 {
102986- long x = atomic_long_read(&zone->vm_stat[item]);
102987+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
102988 #ifdef CONFIG_SMP
102989 if (x < 0)
102990 x = 0;
102991@@ -147,7 +147,7 @@ static inline unsigned long zone_page_state(struct zone *zone,
102992 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
102993 enum zone_stat_item item)
102994 {
102995- long x = atomic_long_read(&zone->vm_stat[item]);
102996+ long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
102997
102998 #ifdef CONFIG_SMP
102999 int cpu;
103000@@ -234,14 +234,14 @@ static inline void __mod_zone_page_state(struct zone *zone,
103001
103002 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
103003 {
103004- atomic_long_inc(&zone->vm_stat[item]);
103005- atomic_long_inc(&vm_stat[item]);
103006+ atomic_long_inc_unchecked(&zone->vm_stat[item]);
103007+ atomic_long_inc_unchecked(&vm_stat[item]);
103008 }
103009
103010 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
103011 {
103012- atomic_long_dec(&zone->vm_stat[item]);
103013- atomic_long_dec(&vm_stat[item]);
103014+ atomic_long_dec_unchecked(&zone->vm_stat[item]);
103015+ atomic_long_dec_unchecked(&vm_stat[item]);
103016 }
103017
103018 static inline void __inc_zone_page_state(struct page *page,
103019diff --git a/include/linux/xattr.h b/include/linux/xattr.h
103020index 91b0a68..0e9adf6 100644
103021--- a/include/linux/xattr.h
103022+++ b/include/linux/xattr.h
103023@@ -28,7 +28,7 @@ struct xattr_handler {
103024 size_t size, int handler_flags);
103025 int (*set)(struct dentry *dentry, const char *name, const void *buffer,
103026 size_t size, int flags, int handler_flags);
103027-};
103028+} __do_const;
103029
103030 struct xattr {
103031 const char *name;
103032@@ -37,6 +37,9 @@ struct xattr {
103033 };
103034
103035 ssize_t xattr_getsecurity(struct inode *, const char *, void *, size_t);
103036+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
103037+ssize_t pax_getxattr(struct dentry *, void *, size_t);
103038+#endif
103039 ssize_t vfs_getxattr(struct dentry *, const char *, void *, size_t);
103040 ssize_t vfs_listxattr(struct dentry *d, char *list, size_t size);
103041 int __vfs_setxattr_noperm(struct dentry *, const char *, const void *, size_t, int);
103042diff --git a/include/linux/zlib.h b/include/linux/zlib.h
103043index 92dbbd3..13ab0b3 100644
103044--- a/include/linux/zlib.h
103045+++ b/include/linux/zlib.h
103046@@ -31,6 +31,7 @@
103047 #define _ZLIB_H
103048
103049 #include <linux/zconf.h>
103050+#include <linux/compiler.h>
103051
103052 /* zlib deflate based on ZLIB_VERSION "1.1.3" */
103053 /* zlib inflate based on ZLIB_VERSION "1.2.3" */
103054@@ -179,7 +180,7 @@ typedef z_stream *z_streamp;
103055
103056 /* basic functions */
103057
103058-extern int zlib_deflate_workspacesize (int windowBits, int memLevel);
103059+extern int zlib_deflate_workspacesize (int windowBits, int memLevel) __intentional_overflow(0);
103060 /*
103061 Returns the number of bytes that needs to be allocated for a per-
103062 stream workspace with the specified parameters. A pointer to this
103063diff --git a/include/media/v4l2-dev.h b/include/media/v4l2-dev.h
103064index acbcd2f..c3abe84 100644
103065--- a/include/media/v4l2-dev.h
103066+++ b/include/media/v4l2-dev.h
103067@@ -74,7 +74,7 @@ struct v4l2_file_operations {
103068 int (*mmap) (struct file *, struct vm_area_struct *);
103069 int (*open) (struct file *);
103070 int (*release) (struct file *);
103071-};
103072+} __do_const;
103073
103074 /*
103075 * Newer version of video_device, handled by videodev2.c
103076diff --git a/include/media/v4l2-device.h b/include/media/v4l2-device.h
103077index 9c58157..d86ebf5 100644
103078--- a/include/media/v4l2-device.h
103079+++ b/include/media/v4l2-device.h
103080@@ -93,7 +93,7 @@ int __must_check v4l2_device_register(struct device *dev, struct v4l2_device *v4
103081 this function returns 0. If the name ends with a digit (e.g. cx18),
103082 then the name will be set to cx18-0 since cx180 looks really odd. */
103083 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
103084- atomic_t *instance);
103085+ atomic_unchecked_t *instance);
103086
103087 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
103088 Since the parent disappears this ensures that v4l2_dev doesn't have an
103089diff --git a/include/net/9p/transport.h b/include/net/9p/transport.h
103090index 5122b5e..598b440 100644
103091--- a/include/net/9p/transport.h
103092+++ b/include/net/9p/transport.h
103093@@ -62,7 +62,7 @@ struct p9_trans_module {
103094 int (*cancelled)(struct p9_client *, struct p9_req_t *req);
103095 int (*zc_request)(struct p9_client *, struct p9_req_t *,
103096 struct iov_iter *, struct iov_iter *, int , int, int);
103097-};
103098+} __do_const;
103099
103100 void v9fs_register_trans(struct p9_trans_module *m);
103101 void v9fs_unregister_trans(struct p9_trans_module *m);
103102diff --git a/include/net/af_unix.h b/include/net/af_unix.h
103103index cb1b9bb..56b3ee0 100644
103104--- a/include/net/af_unix.h
103105+++ b/include/net/af_unix.h
103106@@ -36,7 +36,7 @@ struct unix_skb_parms {
103107 u32 secid; /* Security ID */
103108 #endif
103109 u32 consumed;
103110-};
103111+} __randomize_layout;
103112
103113 #define UNIXCB(skb) (*(struct unix_skb_parms *)&((skb)->cb))
103114
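Review bot: `struct unix_skb_parms` is overlaid on the fixed-size `skb->cb` area by the `UNIXCB()` macro two lines below, and `__randomize_layout` may reorder its members, which presumably can change padding and therefore `sizeof`. The hunk shows no compile-time guard. If one is not already present where the address family is initialised, `BUILD_BUG_ON(sizeof(struct unix_skb_parms) > FIELD_SIZEOF(struct sk_buff, cb));` would stop a randomised build from overrunning the control buffer. The struct's opening lines are outside this hunk.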
103115diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h
103116index 2239a37..a83461f 100644
103117--- a/include/net/bluetooth/l2cap.h
103118+++ b/include/net/bluetooth/l2cap.h
103119@@ -609,7 +609,7 @@ struct l2cap_ops {
103120 struct sk_buff *(*alloc_skb) (struct l2cap_chan *chan,
103121 unsigned long hdr_len,
103122 unsigned long len, int nb);
103123-};
103124+} __do_const;
103125
103126 struct l2cap_conn {
103127 struct hci_conn *hcon;
103128diff --git a/include/net/bonding.h b/include/net/bonding.h
103129index 20defc0..3072903 100644
103130--- a/include/net/bonding.h
103131+++ b/include/net/bonding.h
103132@@ -661,7 +661,7 @@ extern struct rtnl_link_ops bond_link_ops;
103133
103134 static inline void bond_tx_drop(struct net_device *dev, struct sk_buff *skb)
103135 {
103136- atomic_long_inc(&dev->tx_dropped);
103137+ atomic_long_inc_unchecked(&dev->tx_dropped);
103138 dev_kfree_skb_any(skb);
103139 }
103140
103141diff --git a/include/net/caif/cfctrl.h b/include/net/caif/cfctrl.h
103142index f2ae33d..c457cf0 100644
103143--- a/include/net/caif/cfctrl.h
103144+++ b/include/net/caif/cfctrl.h
103145@@ -52,7 +52,7 @@ struct cfctrl_rsp {
103146 void (*radioset_rsp)(void);
103147 void (*reject_rsp)(struct cflayer *layer, u8 linkid,
103148 struct cflayer *client_layer);
103149-};
103150+} __no_const;
103151
103152 /* Link Setup Parameters for CAIF-Links. */
103153 struct cfctrl_link_param {
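Review bot: `__no_const` on `struct cfctrl_rsp` exempts a structure that, as far as the hunk shows, holds only function pointers from the constification the `__do_const` hunks in this patch apply to other ops tables, and no comment says why. Presumably the callbacks are assigned at run time, which the hunk cannot confirm. A comment like `/* callbacks are filled in at run time, so this cannot be const */` would show the exemption is deliberate. Writable function-pointer tables are what constification is meant to remove, so each exemption is worth justifying in place. The struct's opening lines are outside this hunk.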
103154@@ -101,8 +101,8 @@ struct cfctrl_request_info {
103155 struct cfctrl {
103156 struct cfsrvl serv;
103157 struct cfctrl_rsp res;
103158- atomic_t req_seq_no;
103159- atomic_t rsp_seq_no;
103160+ atomic_unchecked_t req_seq_no;
103161+ atomic_unchecked_t rsp_seq_no;
103162 struct list_head list;
103163 /* Protects from simultaneous access to first_req list */
103164 spinlock_t info_list_lock;
103165diff --git a/include/net/flow.h b/include/net/flow.h
103166index 8109a15..504466d 100644
103167--- a/include/net/flow.h
103168+++ b/include/net/flow.h
103169@@ -231,6 +231,6 @@ void flow_cache_fini(struct net *net);
103170
103171 void flow_cache_flush(struct net *net);
103172 void flow_cache_flush_deferred(struct net *net);
103173-extern atomic_t flow_cache_genid;
103174+extern atomic_unchecked_t flow_cache_genid;
103175
103176 #endif
103177diff --git a/include/net/genetlink.h b/include/net/genetlink.h
103178index a9af1cc..1f3fa7b 100644
103179--- a/include/net/genetlink.h
103180+++ b/include/net/genetlink.h
103181@@ -128,7 +128,7 @@ struct genl_ops {
103182 u8 cmd;
103183 u8 internal_flags;
103184 u8 flags;
103185-};
103186+} __do_const;
103187
103188 int __genl_register_family(struct genl_family *family);
103189
103190diff --git a/include/net/gro_cells.h b/include/net/gro_cells.h
103191index 0f712c0..cd762c4 100644
103192--- a/include/net/gro_cells.h
103193+++ b/include/net/gro_cells.h
103194@@ -27,7 +27,7 @@ static inline void gro_cells_receive(struct gro_cells *gcells, struct sk_buff *s
103195 cell = this_cpu_ptr(gcells->cells);
103196
103197 if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) {
103198- atomic_long_inc(&dev->rx_dropped);
103199+ atomic_long_inc_unchecked(&dev->rx_dropped);
103200 kfree_skb(skb);
103201 return;
103202 }
103203diff --git a/include/net/inet_connection_sock.h b/include/net/inet_connection_sock.h
103204index 0320bbb..938789c 100644
103205--- a/include/net/inet_connection_sock.h
103206+++ b/include/net/inet_connection_sock.h
103207@@ -63,7 +63,7 @@ struct inet_connection_sock_af_ops {
103208 int (*bind_conflict)(const struct sock *sk,
103209 const struct inet_bind_bucket *tb, bool relax);
103210 void (*mtu_reduced)(struct sock *sk);
103211-};
103212+} __do_const;
103213
103214 /** inet_connection_sock - INET connection oriented sock
103215 *
103216diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
103217index 47eb67b..0e733b2 100644
103218--- a/include/net/inet_sock.h
103219+++ b/include/net/inet_sock.h
103220@@ -43,7 +43,7 @@
103221 struct ip_options {
103222 __be32 faddr;
103223 __be32 nexthop;
103224- unsigned char optlen;
103225+ unsigned char optlen __intentional_overflow(0);
103226 unsigned char srr;
103227 unsigned char rr;
103228 unsigned char ts;
103229diff --git a/include/net/inetpeer.h b/include/net/inetpeer.h
103230index d5332dd..10a5c3c 100644
103231--- a/include/net/inetpeer.h
103232+++ b/include/net/inetpeer.h
103233@@ -48,7 +48,7 @@ struct inet_peer {
103234 */
103235 union {
103236 struct {
103237- atomic_t rid; /* Frag reception counter */
103238+ atomic_unchecked_t rid; /* Frag reception counter */
103239 };
103240 struct rcu_head rcu;
103241 struct inet_peer *gc_next;
103242diff --git a/include/net/ip.h b/include/net/ip.h
103243index d5fe9f2..8da10ed 100644
103244--- a/include/net/ip.h
103245+++ b/include/net/ip.h
103246@@ -319,7 +319,7 @@ static inline unsigned int ip_skb_dst_mtu(const struct sk_buff *skb)
103247 }
103248 }
103249
103250-u32 ip_idents_reserve(u32 hash, int segs);
103251+u32 ip_idents_reserve(u32 hash, int segs) __intentional_overflow(-1);
103252 void __ip_select_ident(struct net *net, struct iphdr *iph, int segs);
103253
103254 static inline void ip_select_ident_segs(struct net *net, struct sk_buff *skb,
103255diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
103256index 5fa643b..d871e20 100644
103257--- a/include/net/ip_fib.h
103258+++ b/include/net/ip_fib.h
103259@@ -170,7 +170,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh);
103260
103261 #define FIB_RES_SADDR(net, res) \
103262 ((FIB_RES_NH(res).nh_saddr_genid == \
103263- atomic_read(&(net)->ipv4.dev_addr_genid)) ? \
103264+ atomic_read_unchecked(&(net)->ipv4.dev_addr_genid)) ? \
103265 FIB_RES_NH(res).nh_saddr : \
103266 fib_info_update_nh_saddr((net), &FIB_RES_NH(res)))
103267 #define FIB_RES_GW(res) (FIB_RES_NH(res).nh_gw)
103268diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
103269index 4e3731e..a242e28 100644
103270--- a/include/net/ip_vs.h
103271+++ b/include/net/ip_vs.h
103272@@ -551,7 +551,7 @@ struct ip_vs_conn {
103273 struct ip_vs_conn *control; /* Master control connection */
103274 atomic_t n_control; /* Number of controlled ones */
103275 struct ip_vs_dest *dest; /* real server */
103276- atomic_t in_pkts; /* incoming packet counter */
103277+ atomic_unchecked_t in_pkts; /* incoming packet counter */
103278
103279 /* Packet transmitter for different forwarding methods. If it
103280 * mangles the packet, it must return NF_DROP or better NF_STOLEN,
103281@@ -699,7 +699,7 @@ struct ip_vs_dest {
103282 __be16 port; /* port number of the server */
103283 union nf_inet_addr addr; /* IP address of the server */
103284 volatile unsigned int flags; /* dest status flags */
103285- atomic_t conn_flags; /* flags to copy to conn */
103286+ atomic_unchecked_t conn_flags; /* flags to copy to conn */
103287 atomic_t weight; /* server weight */
103288
103289 atomic_t refcnt; /* reference counter */
103290@@ -946,11 +946,11 @@ struct netns_ipvs {
103291 /* ip_vs_lblc */
103292 int sysctl_lblc_expiration;
103293 struct ctl_table_header *lblc_ctl_header;
103294- struct ctl_table *lblc_ctl_table;
103295+ ctl_table_no_const *lblc_ctl_table;
103296 /* ip_vs_lblcr */
103297 int sysctl_lblcr_expiration;
103298 struct ctl_table_header *lblcr_ctl_header;
103299- struct ctl_table *lblcr_ctl_table;
103300+ ctl_table_no_const *lblcr_ctl_table;
103301 /* ip_vs_est */
103302 struct list_head est_list; /* estimator list */
103303 spinlock_t est_lock;
103304diff --git a/include/net/irda/ircomm_tty.h b/include/net/irda/ircomm_tty.h
103305index 8d4f588..2e37ad2 100644
103306--- a/include/net/irda/ircomm_tty.h
103307+++ b/include/net/irda/ircomm_tty.h
103308@@ -33,6 +33,7 @@
103309 #include <linux/termios.h>
103310 #include <linux/timer.h>
103311 #include <linux/tty.h> /* struct tty_struct */
103312+#include <asm/local.h>
103313
103314 #include <net/irda/irias_object.h>
103315 #include <net/irda/ircomm_core.h>
103316diff --git a/include/net/iucv/af_iucv.h b/include/net/iucv/af_iucv.h
103317index 714cc9a..ea05f3e 100644
103318--- a/include/net/iucv/af_iucv.h
103319+++ b/include/net/iucv/af_iucv.h
103320@@ -149,7 +149,7 @@ struct iucv_skb_cb {
103321 struct iucv_sock_list {
103322 struct hlist_head head;
103323 rwlock_t lock;
103324- atomic_t autobind_name;
103325+ atomic_unchecked_t autobind_name;
103326 };
103327
103328 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
103329diff --git a/include/net/llc_c_ac.h b/include/net/llc_c_ac.h
103330index f3be818..bf46196 100644
103331--- a/include/net/llc_c_ac.h
103332+++ b/include/net/llc_c_ac.h
103333@@ -87,7 +87,7 @@
103334 #define LLC_CONN_AC_STOP_SENDACK_TMR 70
103335 #define LLC_CONN_AC_START_SENDACK_TMR_IF_NOT_RUNNING 71
103336
103337-typedef int (*llc_conn_action_t)(struct sock *sk, struct sk_buff *skb);
103338+typedef int (* const llc_conn_action_t)(struct sock *sk, struct sk_buff *skb);
103339
103340 int llc_conn_ac_clear_remote_busy(struct sock *sk, struct sk_buff *skb);
103341 int llc_conn_ac_conn_ind(struct sock *sk, struct sk_buff *skb);
103342diff --git a/include/net/llc_c_ev.h b/include/net/llc_c_ev.h
103343index 3948cf1..83b28c4 100644
103344--- a/include/net/llc_c_ev.h
103345+++ b/include/net/llc_c_ev.h
103346@@ -125,8 +125,8 @@ static __inline__ struct llc_conn_state_ev *llc_conn_ev(struct sk_buff *skb)
103347 return (struct llc_conn_state_ev *)skb->cb;
103348 }
103349
103350-typedef int (*llc_conn_ev_t)(struct sock *sk, struct sk_buff *skb);
103351-typedef int (*llc_conn_ev_qfyr_t)(struct sock *sk, struct sk_buff *skb);
103352+typedef int (* const llc_conn_ev_t)(struct sock *sk, struct sk_buff *skb);
103353+typedef int (* const llc_conn_ev_qfyr_t)(struct sock *sk, struct sk_buff *skb);
103354
103355 int llc_conn_ev_conn_req(struct sock *sk, struct sk_buff *skb);
103356 int llc_conn_ev_data_req(struct sock *sk, struct sk_buff *skb);
103357diff --git a/include/net/llc_c_st.h b/include/net/llc_c_st.h
103358index 48f3f89..0e92c50 100644
103359--- a/include/net/llc_c_st.h
103360+++ b/include/net/llc_c_st.h
103361@@ -37,7 +37,7 @@ struct llc_conn_state_trans {
103362 u8 next_state;
103363 const llc_conn_ev_qfyr_t *ev_qualifiers;
103364 const llc_conn_action_t *ev_actions;
103365-};
103366+} __do_const;
103367
103368 struct llc_conn_state {
103369 u8 current_state;
103370diff --git a/include/net/llc_s_ac.h b/include/net/llc_s_ac.h
103371index a61b98c..aade1eb 100644
103372--- a/include/net/llc_s_ac.h
103373+++ b/include/net/llc_s_ac.h
103374@@ -23,7 +23,7 @@
103375 #define SAP_ACT_TEST_IND 9
103376
103377 /* All action functions must look like this */
103378-typedef int (*llc_sap_action_t)(struct llc_sap *sap, struct sk_buff *skb);
103379+typedef int (* const llc_sap_action_t)(struct llc_sap *sap, struct sk_buff *skb);
103380
103381 int llc_sap_action_unitdata_ind(struct llc_sap *sap, struct sk_buff *skb);
103382 int llc_sap_action_send_ui(struct llc_sap *sap, struct sk_buff *skb);
103383diff --git a/include/net/llc_s_st.h b/include/net/llc_s_st.h
103384index c4359e2..76dbc4a 100644
103385--- a/include/net/llc_s_st.h
103386+++ b/include/net/llc_s_st.h
103387@@ -20,7 +20,7 @@ struct llc_sap_state_trans {
103388 llc_sap_ev_t ev;
103389 u8 next_state;
103390 const llc_sap_action_t *ev_actions;
103391-};
103392+} __do_const;
103393
103394 struct llc_sap_state {
103395 u8 curr_state;
103396diff --git a/include/net/mac80211.h b/include/net/mac80211.h
103397index 6b1077c..7b72f67 100644
103398--- a/include/net/mac80211.h
103399+++ b/include/net/mac80211.h
103400@@ -5106,7 +5106,7 @@ struct ieee80211_tx_rate_control {
103401 struct sk_buff *skb;
103402 struct ieee80211_tx_rate reported_rate;
103403 bool rts, short_preamble;
103404- u8 max_rate_idx;
103405+ s8 max_rate_idx;
103406 u32 rate_idx_mask;
103407 u8 *rate_idx_mcs_mask;
103408 bool bss;
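Review bot: Changing `max_rate_idx` from `u8` to `s8` halves its positive range and gives negative values a meaning, but nothing in the struct says which. Presumably a negative value is a "no limit" sentinel that a `u8` could not represent. If so, a field comment such as `/* highest usable rate index, or -1 for no limit */` should say it, and any code storing an index above 127 would now wrap negative. The users of the field are outside this hunk, so both the sentinel and the range need confirming there.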
103409@@ -5143,7 +5143,7 @@ struct rate_control_ops {
103410 void (*remove_sta_debugfs)(void *priv, void *priv_sta);
103411
103412 u32 (*get_expected_throughput)(void *priv_sta);
103413-};
103414+} __do_const;
103415
103416 static inline int rate_supported(struct ieee80211_sta *sta,
103417 enum ieee80211_band band,
103418diff --git a/include/net/neighbour.h b/include/net/neighbour.h
103419index bd33e66..6508d00 100644
103420--- a/include/net/neighbour.h
103421+++ b/include/net/neighbour.h
103422@@ -162,7 +162,7 @@ struct neigh_ops {
103423 void (*error_report)(struct neighbour *, struct sk_buff *);
103424 int (*output)(struct neighbour *, struct sk_buff *);
103425 int (*connected_output)(struct neighbour *, struct sk_buff *);
103426-};
103427+} __do_const;
103428
103429 struct pneigh_entry {
103430 struct pneigh_entry *next;
103431@@ -216,7 +216,7 @@ struct neigh_table {
103432 struct neigh_statistics __percpu *stats;
103433 struct neigh_hash_table __rcu *nht;
103434 struct pneigh_entry **phash_buckets;
103435-};
103436+} __randomize_layout;
103437
103438 enum {
103439 NEIGH_ARP_TABLE = 0,
103440diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
103441index e951453..0685f5b 100644
103442--- a/include/net/net_namespace.h
103443+++ b/include/net/net_namespace.h
103444@@ -53,7 +53,7 @@ struct net {
103445 */
103446 spinlock_t rules_mod_lock;
103447
103448- atomic64_t cookie_gen;
103449+ atomic64_unchecked_t cookie_gen;
103450
103451 struct list_head list; /* list of network namespaces */
103452 struct list_head cleanup_list; /* namespaces on death row */
103453@@ -135,8 +135,8 @@ struct net {
103454 struct netns_mpls mpls;
103455 #endif
103456 struct sock *diag_nlsk;
103457- atomic_t fnhe_genid;
103458-};
103459+ atomic_unchecked_t fnhe_genid;
103460+} __randomize_layout;
103461
103462 #include <linux/seq_file_net.h>
103463
103464@@ -271,7 +271,11 @@ static inline struct net *read_pnet(const possible_net_t *pnet)
103465 #define __net_init __init
103466 #define __net_exit __exit_refok
103467 #define __net_initdata __initdata
103468+#ifdef CONSTIFY_PLUGIN
103469 #define __net_initconst __initconst
103470+#else
103471+#define __net_initconst __initdata
103472+#endif
103473 #endif
103474
103475 int peernet2id_alloc(struct net *net, struct net *peer);
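Review bot: The new `#ifdef CONSTIFY_PLUGIN` tests a macro without the `CONFIG_` prefix, so it is presumably supplied on the compiler command line rather than by Kconfig; nothing in the hunk shows where it is defined. If it is ever missing, `__net_initconst` silently becomes `__initdata` and the affected objects lose their const-section placement with no diagnostic. A comment above the test, for example `/* CONSTIFY_PLUGIN is defined by the build when the constify plugin is active */`, would make the dependency visible. The enclosing conditional that the trailing `#endif` closes starts outside the hunk.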
103476@@ -286,7 +290,7 @@ struct pernet_operations {
103477 void (*exit_batch)(struct list_head *net_exit_list);
103478 int *id;
103479 size_t size;
103480-};
103481+} __do_const;
103482
103483 /*
103484 * Use these carefully. If you implement a network device and it
103485@@ -334,12 +338,12 @@ static inline void unregister_net_sysctl_table(struct ctl_table_header *header)
103486
103487 static inline int rt_genid_ipv4(struct net *net)
103488 {
103489- return atomic_read(&net->ipv4.rt_genid);
103490+ return atomic_read_unchecked(&net->ipv4.rt_genid);
103491 }
103492
103493 static inline void rt_genid_bump_ipv4(struct net *net)
103494 {
103495- atomic_inc(&net->ipv4.rt_genid);
103496+ atomic_inc_unchecked(&net->ipv4.rt_genid);
103497 }
103498
103499 extern void (*__fib6_flush_trees)(struct net *net);
103500@@ -366,12 +370,12 @@ static inline void rt_genid_bump_all(struct net *net)
103501
103502 static inline int fnhe_genid(struct net *net)
103503 {
103504- return atomic_read(&net->fnhe_genid);
103505+ return atomic_read_unchecked(&net->fnhe_genid);
103506 }
103507
103508 static inline void fnhe_genid_bump(struct net *net)
103509 {
103510- atomic_inc(&net->fnhe_genid);
103511+ atomic_inc_unchecked(&net->fnhe_genid);
103512 }
103513
103514 #endif /* __NET_NET_NAMESPACE_H */
103515diff --git a/include/net/netlink.h b/include/net/netlink.h
103516index 2a5dbcc..8243656 100644
103517--- a/include/net/netlink.h
103518+++ b/include/net/netlink.h
103519@@ -521,7 +521,7 @@ static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
103520 {
103521 if (mark) {
103522 WARN_ON((unsigned char *) mark < skb->data);
103523- skb_trim(skb, (unsigned char *) mark - skb->data);
103524+ skb_trim(skb, (const unsigned char *) mark - skb->data);
103525 }
103526 }
103527
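Review bot: The `WARN_ON` line directly above the change still casts `mark` to `(unsigned char *)`, dropping the `const` that the rewritten `skb_trim()` argument now keeps. For consistency the comparison should read `WARN_ON((const unsigned char *) mark < skb->data);`. The warning also does not stop the trim: the subtraction still runs when `mark` is below `skb->data`, and what `skb_trim()` does with that length is not visible here.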
103528diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
103529index 723b61c..4386367 100644
103530--- a/include/net/netns/conntrack.h
103531+++ b/include/net/netns/conntrack.h
103532@@ -14,10 +14,10 @@ struct nf_conntrack_ecache;
103533 struct nf_proto_net {
103534 #ifdef CONFIG_SYSCTL
103535 struct ctl_table_header *ctl_table_header;
103536- struct ctl_table *ctl_table;
103537+ ctl_table_no_const *ctl_table;
103538 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
103539 struct ctl_table_header *ctl_compat_header;
103540- struct ctl_table *ctl_compat_table;
103541+ ctl_table_no_const *ctl_compat_table;
103542 #endif
103543 #endif
103544 unsigned int users;
103545@@ -60,7 +60,7 @@ struct nf_ip_net {
103546 struct nf_icmp_net icmpv6;
103547 #if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
103548 struct ctl_table_header *ctl_table_header;
103549- struct ctl_table *ctl_table;
103550+ ctl_table_no_const *ctl_table;
103551 #endif
103552 };
103553
103554diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
103555index c68926b..106c147 100644
103556--- a/include/net/netns/ipv4.h
103557+++ b/include/net/netns/ipv4.h
103558@@ -93,7 +93,7 @@ struct netns_ipv4 {
103559
103560 struct ping_group_range ping_group_range;
103561
103562- atomic_t dev_addr_genid;
103563+ atomic_unchecked_t dev_addr_genid;
103564
103565 #ifdef CONFIG_SYSCTL
103566 unsigned long *sysctl_local_reserved_ports;
103567@@ -107,6 +107,6 @@ struct netns_ipv4 {
103568 struct fib_rules_ops *mr_rules_ops;
103569 #endif
103570 #endif
103571- atomic_t rt_genid;
103572+ atomic_unchecked_t rt_genid;
103573 };
103574 #endif
103575diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
103576index 8d93544..05c3e89 100644
103577--- a/include/net/netns/ipv6.h
103578+++ b/include/net/netns/ipv6.h
103579@@ -79,8 +79,8 @@ struct netns_ipv6 {
103580 struct fib_rules_ops *mr6_rules_ops;
103581 #endif
103582 #endif
103583- atomic_t dev_addr_genid;
103584- atomic_t fib6_sernum;
103585+ atomic_unchecked_t dev_addr_genid;
103586+ atomic_unchecked_t fib6_sernum;
103587 };
103588
103589 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
103590diff --git a/include/net/netns/xfrm.h b/include/net/netns/xfrm.h
103591index 730d82a..045f2c4 100644
103592--- a/include/net/netns/xfrm.h
103593+++ b/include/net/netns/xfrm.h
103594@@ -78,7 +78,7 @@ struct netns_xfrm {
103595
103596 /* flow cache part */
103597 struct flow_cache flow_cache_global;
103598- atomic_t flow_cache_genid;
103599+ atomic_unchecked_t flow_cache_genid;
103600 struct list_head flow_cache_gc_list;
103601 spinlock_t flow_cache_gc_lock;
103602 struct work_struct flow_cache_gc_work;
103603diff --git a/include/net/ping.h b/include/net/ping.h
103604index ac80cb4..ec1ed09 100644
103605--- a/include/net/ping.h
103606+++ b/include/net/ping.h
103607@@ -54,7 +54,7 @@ struct ping_iter_state {
103608
103609 extern struct proto ping_prot;
103610 #if IS_ENABLED(CONFIG_IPV6)
103611-extern struct pingv6_ops pingv6_ops;
103612+extern struct pingv6_ops *pingv6_ops;
103613 #endif
103614
103615 struct pingfakehdr {
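Review bot: `pingv6_ops` changes from an object to a pointer, so it can now be NULL, and the declaration gives no hint of when it is set. Every `pingv6_ops.member` use has to become `pingv6_ops->member`. Unless the pointer is guaranteed to be assigned before any IPv6 ping socket exists, each use also needs a NULL check; those call sites are outside this hunk. A comment on the declaration, e.g. `/* set while the IPv6 ping handlers are registered; NULL otherwise */`, would state the contract, to be confirmed against the code that assigns it.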
103616diff --git a/include/net/protocol.h b/include/net/protocol.h
103617index d6fcc1f..ca277058 100644
103618--- a/include/net/protocol.h
103619+++ b/include/net/protocol.h
103620@@ -49,7 +49,7 @@ struct net_protocol {
103621 * socket lookup?
103622 */
103623 icmp_strict_tag_validation:1;
103624-};
103625+} __do_const;
103626
103627 #if IS_ENABLED(CONFIG_IPV6)
103628 struct inet6_protocol {
103629@@ -62,7 +62,7 @@ struct inet6_protocol {
103630 u8 type, u8 code, int offset,
103631 __be32 info);
103632 unsigned int flags; /* INET6_PROTO_xxx */
103633-};
103634+} __do_const;
103635
103636 #define INET6_PROTO_NOPOLICY 0x1
103637 #define INET6_PROTO_FINAL 0x2
103638diff --git a/include/net/rtnetlink.h b/include/net/rtnetlink.h
103639index 343d922..7959cde 100644
103640--- a/include/net/rtnetlink.h
103641+++ b/include/net/rtnetlink.h
103642@@ -95,7 +95,7 @@ struct rtnl_link_ops {
103643 const struct net_device *dev,
103644 const struct net_device *slave_dev);
103645 struct net *(*get_link_net)(const struct net_device *dev);
103646-};
103647+} __do_const;
103648
103649 int __rtnl_link_register(struct rtnl_link_ops *ops);
103650 void __rtnl_link_unregister(struct rtnl_link_ops *ops);
103651diff --git a/include/net/sctp/checksum.h b/include/net/sctp/checksum.h
103652index 4a5b9a3..ca27d73 100644
103653--- a/include/net/sctp/checksum.h
103654+++ b/include/net/sctp/checksum.h
103655@@ -61,8 +61,8 @@ static inline __le32 sctp_compute_cksum(const struct sk_buff *skb,
103656 unsigned int offset)
103657 {
103658 struct sctphdr *sh = sctp_hdr(skb);
103659- __le32 ret, old = sh->checksum;
103660- const struct skb_checksum_ops ops = {
103661+ __le32 ret, old = sh->checksum;
103662+ static const struct skb_checksum_ops ops = {
103663 .update = sctp_csum_update,
103664 .combine = sctp_csum_combine,
103665 };
103666diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h
103667index 487ef34..d457f98 100644
103668--- a/include/net/sctp/sm.h
103669+++ b/include/net/sctp/sm.h
103670@@ -80,7 +80,7 @@ typedef void (sctp_timer_event_t) (unsigned long);
103671 typedef struct {
103672 sctp_state_fn_t *fn;
103673 const char *name;
103674-} sctp_sm_table_entry_t;
103675+} __do_const sctp_sm_table_entry_t;
103676
103677 /* A naming convention of "sctp_sf_xxx" applies to all the state functions
103678 * currently in use.
103679@@ -292,7 +292,7 @@ __u32 sctp_generate_tag(const struct sctp_endpoint *);
103680 __u32 sctp_generate_tsn(const struct sctp_endpoint *);
103681
103682 /* Extern declarations for major data structures. */
103683-extern sctp_timer_event_t *sctp_timer_events[SCTP_NUM_TIMEOUT_TYPES];
103684+extern sctp_timer_event_t * const sctp_timer_events[SCTP_NUM_TIMEOUT_TYPES];
103685
103686
103687 /* Get the size of a DATA chunk payload. */
103688diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
103689index 495c87e..5b327ff 100644
103690--- a/include/net/sctp/structs.h
103691+++ b/include/net/sctp/structs.h
103692@@ -513,7 +513,7 @@ struct sctp_pf {
103693 void (*to_sk_saddr)(union sctp_addr *, struct sock *sk);
103694 void (*to_sk_daddr)(union sctp_addr *, struct sock *sk);
103695 struct sctp_af *af;
103696-};
103697+} __do_const;
103698
103699
103700 /* Structure to track chunk fragments that have been acked, but peer
103701diff --git a/include/net/sock.h b/include/net/sock.h
103702index 4ca4c3f..1573f47 100644
103703--- a/include/net/sock.h
103704+++ b/include/net/sock.h
103705@@ -198,7 +198,7 @@ struct sock_common {
103706 struct in6_addr skc_v6_rcv_saddr;
103707 #endif
103708
103709- atomic64_t skc_cookie;
103710+ atomic64_unchecked_t skc_cookie;
103711
103712 /*
103713 * fields between dontcopy_begin/dontcopy_end
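Review bot: `skc_cookie` becomes `atomic64_unchecked_t` with no comment explaining why wrap-around is acceptable for this field. The `_unchecked` types appear to opt a counter out of the overflow detection this patch set applies to plain atomics, so each conversion is a small security decision that a reader cannot audit from the declaration alone. A one-line comment such as `/* identifier, not a reference count: may wrap */` would make the intent checkable. The same applies to `sk_drops` in the next hunk, `genid` in struct xfrm_policy, the three I/O counters in struct scsi_device, `dev_ordered_id` in struct se_device and the four metrics in struct dlfb_data.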
103714@@ -364,7 +364,7 @@ struct sock {
103715 unsigned int sk_napi_id;
103716 unsigned int sk_ll_usec;
103717 #endif
103718- atomic_t sk_drops;
103719+ atomic_unchecked_t sk_drops;
103720 int sk_rcvbuf;
103721
103722 struct sk_filter __rcu *sk_filter;
103723@@ -1046,7 +1046,7 @@ struct proto {
103724 void (*destroy_cgroup)(struct mem_cgroup *memcg);
103725 struct cg_proto *(*proto_cgroup)(struct mem_cgroup *memcg);
103726 #endif
103727-};
103728+} __randomize_layout;
103729
103730 /*
103731 * Bits in struct cg_proto.flags
103732@@ -1219,7 +1219,7 @@ static inline void memcg_memory_allocated_sub(struct cg_proto *prot,
103733 page_counter_uncharge(&prot->memory_allocated, amt);
103734 }
103735
103736-static inline long
103737+static inline long __intentional_overflow(-1)
103738 sk_memory_allocated(const struct sock *sk)
103739 {
103740 struct proto *prot = sk->sk_prot;
103741@@ -1784,7 +1784,7 @@ static inline void sk_nocaps_add(struct sock *sk, netdev_features_t flags)
103742 }
103743
103744 static inline int skb_do_copy_data_nocache(struct sock *sk, struct sk_buff *skb,
103745- struct iov_iter *from, char *to,
103746+ struct iov_iter *from, unsigned char *to,
103747 int copy, int offset)
103748 {
103749 if (skb->ip_summed == CHECKSUM_NONE) {
103750@@ -2031,7 +2031,7 @@ static inline void sk_stream_moderate_sndbuf(struct sock *sk)
103751 }
103752 }
103753
103754-struct sk_buff *sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp,
103755+struct sk_buff * __intentional_overflow(0) sk_stream_alloc_skb(struct sock *sk, int size, gfp_t gfp,
103756 bool force_schedule);
103757
103758 /**
103759@@ -2107,7 +2107,7 @@ struct sock_skb_cb {
103760 static inline void
103761 sock_skb_set_dropcount(const struct sock *sk, struct sk_buff *skb)
103762 {
103763- SOCK_SKB_CB(skb)->dropcount = atomic_read(&sk->sk_drops);
103764+ SOCK_SKB_CB(skb)->dropcount = atomic_read_unchecked(&sk->sk_drops);
103765 }
103766
103767 void __sock_recv_timestamp(struct msghdr *msg, struct sock *sk,
103768diff --git a/include/net/tcp.h b/include/net/tcp.h
103769index 950cfec..0bf9d85 100644
103770--- a/include/net/tcp.h
103771+++ b/include/net/tcp.h
103772@@ -546,7 +546,7 @@ void tcp_retransmit_timer(struct sock *sk);
103773 void tcp_xmit_retransmit_queue(struct sock *);
103774 void tcp_simple_retransmit(struct sock *);
103775 int tcp_trim_head(struct sock *, struct sk_buff *, u32);
103776-int tcp_fragment(struct sock *, struct sk_buff *, u32, unsigned int, gfp_t);
103777+int tcp_fragment(struct sock *, struct sk_buff *, u32, unsigned int, gfp_t) __intentional_overflow(3);
103778
103779 void tcp_send_probe0(struct sock *);
103780 void tcp_send_partial(struct sock *);
103781@@ -724,8 +724,8 @@ static inline u32 tcp_skb_timestamp(const struct sk_buff *skb)
103782 * If this grows please adjust skbuff.h:skbuff->cb[xxx] size appropriately.
103783 */
103784 struct tcp_skb_cb {
103785- __u32 seq; /* Starting sequence number */
103786- __u32 end_seq; /* SEQ + FIN + SYN + datalen */
103787+ __u32 seq __intentional_overflow(-1); /* Starting sequence number */
103788+ __u32 end_seq __intentional_overflow(-1); /* SEQ + FIN + SYN + datalen */
103789 union {
103790 /* Note : tcp_tw_isn is used in input path only
103791 * (isn chosen by tcp_timewait_state_process())
103792@@ -753,7 +753,7 @@ struct tcp_skb_cb {
103793
103794 __u8 ip_dsfield; /* IPv4 tos or IPv6 dsfield */
103795 /* 1 byte hole */
103796- __u32 ack_seq; /* Sequence number ACK'd */
103797+ __u32 ack_seq __intentional_overflow(-1); /* Sequence number ACK'd */
103798 union {
103799 struct inet_skb_parm h4;
103800 #if IS_ENABLED(CONFIG_IPV6)
103801diff --git a/include/net/xfrm.h b/include/net/xfrm.h
103802index f0ee97e..73e2b5a 100644
103803--- a/include/net/xfrm.h
103804+++ b/include/net/xfrm.h
103805@@ -284,7 +284,6 @@ struct xfrm_dst;
103806 struct xfrm_policy_afinfo {
103807 unsigned short family;
103808 struct dst_ops *dst_ops;
103809- void (*garbage_collect)(struct net *net);
103810 struct dst_entry *(*dst_lookup)(struct net *net, int tos,
103811 const xfrm_address_t *saddr,
103812 const xfrm_address_t *daddr);
103813@@ -302,7 +301,7 @@ struct xfrm_policy_afinfo {
103814 struct net_device *dev,
103815 const struct flowi *fl);
103816 struct dst_entry *(*blackhole_route)(struct net *net, struct dst_entry *orig);
103817-};
103818+} __do_const;
103819
103820 int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo);
103821 int xfrm_policy_unregister_afinfo(struct xfrm_policy_afinfo *afinfo);
103822@@ -341,7 +340,7 @@ struct xfrm_state_afinfo {
103823 int (*transport_finish)(struct sk_buff *skb,
103824 int async);
103825 void (*local_error)(struct sk_buff *skb, u32 mtu);
103826-};
103827+} __do_const;
103828
103829 int xfrm_state_register_afinfo(struct xfrm_state_afinfo *afinfo);
103830 int xfrm_state_unregister_afinfo(struct xfrm_state_afinfo *afinfo);
103831@@ -436,7 +435,7 @@ struct xfrm_mode {
103832 struct module *owner;
103833 unsigned int encap;
103834 int flags;
103835-};
103836+} __do_const;
103837
103838 /* Flags for xfrm_mode. */
103839 enum {
103840@@ -531,7 +530,7 @@ struct xfrm_policy {
103841 struct timer_list timer;
103842
103843 struct flow_cache_object flo;
103844- atomic_t genid;
103845+ atomic_unchecked_t genid;
103846 u32 priority;
103847 u32 index;
103848 struct xfrm_mark mark;
103849@@ -1164,6 +1163,7 @@ static inline void xfrm_sk_free_policy(struct sock *sk)
103850 }
103851
103852 void xfrm_garbage_collect(struct net *net);
103853+void xfrm_garbage_collect_deferred(struct net *net);
103854
103855 #else
103856
103857@@ -1202,6 +1202,9 @@ static inline int xfrm6_policy_check_reverse(struct sock *sk, int dir,
103858 static inline void xfrm_garbage_collect(struct net *net)
103859 {
103860 }
103861+static inline void xfrm_garbage_collect_deferred(struct net *net)
103862+{
103863+}
103864 #endif
103865
103866 static __inline__
103867diff --git a/include/rdma/iw_cm.h b/include/rdma/iw_cm.h
103868index 036bd27..c0d7f17 100644
103869--- a/include/rdma/iw_cm.h
103870+++ b/include/rdma/iw_cm.h
103871@@ -123,7 +123,7 @@ struct iw_cm_verbs {
103872 int backlog);
103873
103874 int (*destroy_listen)(struct iw_cm_id *cm_id);
103875-};
103876+} __no_const;
103877
103878 /**
103879 * iw_create_cm_id - Create an IW CM identifier.
103880diff --git a/include/scsi/libfc.h b/include/scsi/libfc.h
103881index 93d14da..734b3d8 100644
103882--- a/include/scsi/libfc.h
103883+++ b/include/scsi/libfc.h
103884@@ -771,6 +771,7 @@ struct libfc_function_template {
103885 */
103886 void (*disc_stop_final) (struct fc_lport *);
103887 };
103888+typedef struct libfc_function_template __no_const libfc_function_template_no_const;
103889
103890 /**
103891 * struct fc_disc - Discovery context
103892@@ -875,7 +876,7 @@ struct fc_lport {
103893 struct fc_vport *vport;
103894
103895 /* Operational Information */
103896- struct libfc_function_template tt;
103897+ libfc_function_template_no_const tt;
103898 u8 link_up;
103899 u8 qfull;
103900 enum fc_lport_state state;
103901diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
103902index ae84b22..7954097 100644
103903--- a/include/scsi/scsi_device.h
103904+++ b/include/scsi/scsi_device.h
103905@@ -185,9 +185,9 @@ struct scsi_device {
103906 unsigned int max_device_blocked; /* what device_blocked counts down from */
103907 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
103908
103909- atomic_t iorequest_cnt;
103910- atomic_t iodone_cnt;
103911- atomic_t ioerr_cnt;
103912+ atomic_unchecked_t iorequest_cnt;
103913+ atomic_unchecked_t iodone_cnt;
103914+ atomic_unchecked_t ioerr_cnt;
103915
103916 struct device sdev_gendev,
103917 sdev_dev;
103918diff --git a/include/scsi/scsi_driver.h b/include/scsi/scsi_driver.h
103919index 891a658..fcd68df 100644
103920--- a/include/scsi/scsi_driver.h
103921+++ b/include/scsi/scsi_driver.h
103922@@ -14,7 +14,7 @@ struct scsi_driver {
103923 void (*rescan)(struct device *);
103924 int (*init_command)(struct scsi_cmnd *);
103925 void (*uninit_command)(struct scsi_cmnd *);
103926- int (*done)(struct scsi_cmnd *);
103927+ unsigned int (*done)(struct scsi_cmnd *);
103928 int (*eh_action)(struct scsi_cmnd *, int);
103929 };
103930 #define to_scsi_driver(drv) \
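Review bot: The `done` callback in struct scsi_driver changes from `int` to `unsigned int` without a comment on what the return value now means. If any implementation or caller outside this hunk still treats a negative return as an error, that value would silently become a very large count; the implementations are not visible here, so this needs checking against them. A comment on the member, e.g. `/* returns a count (presumably bytes completed); never a negative errno */`, would make the contract explicit.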
103931diff --git a/include/scsi/scsi_transport_fc.h b/include/scsi/scsi_transport_fc.h
103932index 784bc2c..855a04c 100644
103933--- a/include/scsi/scsi_transport_fc.h
103934+++ b/include/scsi/scsi_transport_fc.h
103935@@ -757,7 +757,8 @@ struct fc_function_template {
103936 unsigned long show_host_system_hostname:1;
103937
103938 unsigned long disable_target_scan:1;
103939-};
103940+} __do_const;
103941+typedef struct fc_function_template __no_const fc_function_template_no_const;
103942
103943
103944 /**
103945diff --git a/include/scsi/sg.h b/include/scsi/sg.h
103946index 3afec70..b196b43 100644
103947--- a/include/scsi/sg.h
103948+++ b/include/scsi/sg.h
103949@@ -52,7 +52,7 @@ typedef struct sg_io_hdr
103950 or scatter gather list */
103951 unsigned char __user *cmdp; /* [i], [*i] points to command to perform */
103952 void __user *sbp; /* [i], [*o] points to sense_buffer memory */
103953- unsigned int timeout; /* [i] MAX_UINT->no timeout (unit: millisec) */
103954+ unsigned int timeout __intentional_overflow(-1); /* [i] MAX_UINT->no timeout (unit: millisec) */
103955 unsigned int flags; /* [i] 0 -> default, see SG_FLAG... */
103956 int pack_id; /* [i->o] unused internally (normally) */
103957 void __user * usr_ptr; /* [i->o] unused internally */
103958diff --git a/include/sound/compress_driver.h b/include/sound/compress_driver.h
103959index fa1d055..3647940 100644
103960--- a/include/sound/compress_driver.h
103961+++ b/include/sound/compress_driver.h
103962@@ -130,7 +130,7 @@ struct snd_compr_ops {
103963 struct snd_compr_caps *caps);
103964 int (*get_codec_caps) (struct snd_compr_stream *stream,
103965 struct snd_compr_codec_caps *codec);
103966-};
103967+} __no_const;
103968
103969 /**
103970 * struct snd_compr: Compressed device
103971diff --git a/include/sound/soc.h b/include/sound/soc.h
103972index 93df8bf..c84577b 100644
103973--- a/include/sound/soc.h
103974+++ b/include/sound/soc.h
103975@@ -883,7 +883,7 @@ struct snd_soc_codec_driver {
103976 enum snd_soc_dapm_type, int);
103977
103978 bool ignore_pmdown_time; /* Doesn't benefit from pmdown delay */
103979-};
103980+} __do_const;
103981
103982 /* SoC platform interface */
103983 struct snd_soc_platform_driver {
103984@@ -910,7 +910,7 @@ struct snd_soc_platform_driver {
103985 const struct snd_compr_ops *compr_ops;
103986
103987 int (*bespoke_trigger)(struct snd_pcm_substream *, int);
103988-};
103989+} __do_const;
103990
103991 struct snd_soc_dai_link_component {
103992 const char *name;
103993diff --git a/include/target/target_core_base.h b/include/target/target_core_base.h
103994index 17ae2d6..2c06382 100644
103995--- a/include/target/target_core_base.h
103996+++ b/include/target/target_core_base.h
103997@@ -751,7 +751,7 @@ struct se_device {
103998 atomic_long_t write_bytes;
103999 /* Active commands on this virtual SE device */
104000 atomic_t simple_cmds;
104001- atomic_t dev_ordered_id;
104002+ atomic_unchecked_t dev_ordered_id;
104003 atomic_t dev_ordered_sync;
104004 atomic_t dev_qf_count;
104005 u32 export_count;
104006diff --git a/include/trace/events/fs.h b/include/trace/events/fs.h
104007new file mode 100644
104008index 0000000..fb634b7
104009--- /dev/null
104010+++ b/include/trace/events/fs.h
104011@@ -0,0 +1,53 @@
104012+#undef TRACE_SYSTEM
104013+#define TRACE_SYSTEM fs
104014+
104015+#if !defined(_TRACE_FS_H) || defined(TRACE_HEADER_MULTI_READ)
104016+#define _TRACE_FS_H
104017+
104018+#include <linux/fs.h>
104019+#include <linux/tracepoint.h>
104020+
104021+TRACE_EVENT(do_sys_open,
104022+
104023+ TP_PROTO(const char *filename, int flags, int mode),
104024+
104025+ TP_ARGS(filename, flags, mode),
104026+
104027+ TP_STRUCT__entry(
104028+ __string( filename, filename )
104029+ __field( int, flags )
104030+ __field( int, mode )
104031+ ),
104032+
104033+ TP_fast_assign(
104034+ __assign_str(filename, filename);
104035+ __entry->flags = flags;
104036+ __entry->mode = mode;
104037+ ),
104038+
104039+ TP_printk("\"%s\" %x %o",
104040+ __get_str(filename), __entry->flags, __entry->mode)
104041+);
104042+
104043+TRACE_EVENT(open_exec,
104044+
104045+ TP_PROTO(const char *filename),
104046+
104047+ TP_ARGS(filename),
104048+
104049+ TP_STRUCT__entry(
104050+ __string( filename, filename )
104051+ ),
104052+
104053+ TP_fast_assign(
104054+ __assign_str(filename, filename);
104055+ ),
104056+
104057+ TP_printk("\"%s\"",
104058+ __get_str(filename))
104059+);
104060+
104061+#endif /* _TRACE_FS_H */
104062+
104063+/* This part must be outside protection */
104064+#include <trace/define_trace.h>
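Review bot: Neither `do_sys_open` nor `open_exec` has a comment stating where the event fires or what kind of pointer `filename` must be, unlike the kernel-doc blocks on the events in trace/events/irq.h. `__assign_str(filename, filename)` copies the string directly, so callers have to pass a kernel-resident name and never a `__user` pointer; the call sites are not in this hunk and should be checked for that. A short block above each event, for example `/* filename: kernel copy of the path (not a __user pointer) */`, would record the requirement. The events also place every opened path in the trace buffer, so access to that buffer exposes file names system-wide.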
104065diff --git a/include/trace/events/irq.h b/include/trace/events/irq.h
104066index ff8f6c0..6b6bae3 100644
104067--- a/include/trace/events/irq.h
104068+++ b/include/trace/events/irq.h
104069@@ -51,7 +51,7 @@ SOFTIRQ_NAME_LIST
104070 */
104071 TRACE_EVENT(irq_handler_entry,
104072
104073- TP_PROTO(int irq, struct irqaction *action),
104074+ TP_PROTO(int irq, const struct irqaction *action),
104075
104076 TP_ARGS(irq, action),
104077
104078@@ -81,7 +81,7 @@ TRACE_EVENT(irq_handler_entry,
104079 */
104080 TRACE_EVENT(irq_handler_exit,
104081
104082- TP_PROTO(int irq, struct irqaction *action, int ret),
104083+ TP_PROTO(int irq, const struct irqaction *action, int ret),
104084
104085 TP_ARGS(irq, action, ret),
104086
104087diff --git a/include/uapi/drm/i915_drm.h b/include/uapi/drm/i915_drm.h
104088index db809b7..05a44aa 100644
104089--- a/include/uapi/drm/i915_drm.h
104090+++ b/include/uapi/drm/i915_drm.h
104091@@ -354,6 +354,7 @@ typedef struct drm_i915_irq_wait {
104092 #define I915_PARAM_REVISION 32
104093 #define I915_PARAM_SUBSLICE_TOTAL 33
104094 #define I915_PARAM_EU_TOTAL 34
104095+#define I915_PARAM_HAS_LEGACY_CONTEXT 35
104096
104097 typedef struct drm_i915_getparam {
104098 int param;
104099diff --git a/include/uapi/linux/a.out.h b/include/uapi/linux/a.out.h
104100index 7caf44c..23c6f27 100644
104101--- a/include/uapi/linux/a.out.h
104102+++ b/include/uapi/linux/a.out.h
104103@@ -39,6 +39,14 @@ enum machine_type {
104104 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
104105 };
104106
104107+/* Constants for the N_FLAGS field */
104108+#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
104109+#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
104110+#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
104111+#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
104112+/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
104113+#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
104114+
104115 #if !defined (N_MAGIC)
104116 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
104117 #endif
104118diff --git a/include/uapi/linux/bcache.h b/include/uapi/linux/bcache.h
104119index 22b6ad3..aeba37e 100644
104120--- a/include/uapi/linux/bcache.h
104121+++ b/include/uapi/linux/bcache.h
104122@@ -5,6 +5,7 @@
104123 * Bcache on disk data structures
104124 */
104125
104126+#include <linux/compiler.h>
104127 #include <asm/types.h>
104128
104129 #define BITMASK(name, type, field, offset, size) \
104130@@ -20,8 +21,8 @@ static inline void SET_##name(type *k, __u64 v) \
104131 /* Btree keys - all units are in sectors */
104132
104133 struct bkey {
104134- __u64 high;
104135- __u64 low;
104136+ __u64 high __intentional_overflow(-1);
104137+ __u64 low __intentional_overflow(-1);
104138 __u64 ptr[];
104139 };
104140
104141diff --git a/include/uapi/linux/byteorder/little_endian.h b/include/uapi/linux/byteorder/little_endian.h
104142index d876736..ccce5c0 100644
104143--- a/include/uapi/linux/byteorder/little_endian.h
104144+++ b/include/uapi/linux/byteorder/little_endian.h
104145@@ -42,51 +42,51 @@
104146
104147 static inline __le64 __cpu_to_le64p(const __u64 *p)
104148 {
104149- return (__force __le64)*p;
104150+ return (__force const __le64)*p;
104151 }
104152-static inline __u64 __le64_to_cpup(const __le64 *p)
104153+static inline __u64 __intentional_overflow(-1) __le64_to_cpup(const __le64 *p)
104154 {
104155- return (__force __u64)*p;
104156+ return (__force const __u64)*p;
104157 }
104158 static inline __le32 __cpu_to_le32p(const __u32 *p)
104159 {
104160- return (__force __le32)*p;
104161+ return (__force const __le32)*p;
104162 }
104163 static inline __u32 __le32_to_cpup(const __le32 *p)
104164 {
104165- return (__force __u32)*p;
104166+ return (__force const __u32)*p;
104167 }
104168 static inline __le16 __cpu_to_le16p(const __u16 *p)
104169 {
104170- return (__force __le16)*p;
104171+ return (__force const __le16)*p;
104172 }
104173 static inline __u16 __le16_to_cpup(const __le16 *p)
104174 {
104175- return (__force __u16)*p;
104176+ return (__force const __u16)*p;
104177 }
104178 static inline __be64 __cpu_to_be64p(const __u64 *p)
104179 {
104180- return (__force __be64)__swab64p(p);
104181+ return (__force const __be64)__swab64p(p);
104182 }
104183 static inline __u64 __be64_to_cpup(const __be64 *p)
104184 {
104185- return __swab64p((__u64 *)p);
104186+ return __swab64p((const __u64 *)p);
104187 }
104188 static inline __be32 __cpu_to_be32p(const __u32 *p)
104189 {
104190- return (__force __be32)__swab32p(p);
104191+ return (__force const __be32)__swab32p(p);
104192 }
104193-static inline __u32 __be32_to_cpup(const __be32 *p)
104194+static inline __u32 __intentional_overflow(-1) __be32_to_cpup(const __be32 *p)
104195 {
104196- return __swab32p((__u32 *)p);
104197+ return __swab32p((const __u32 *)p);
104198 }
104199 static inline __be16 __cpu_to_be16p(const __u16 *p)
104200 {
104201- return (__force __be16)__swab16p(p);
104202+ return (__force const __be16)__swab16p(p);
104203 }
104204 static inline __u16 __be16_to_cpup(const __be16 *p)
104205 {
104206- return __swab16p((__u16 *)p);
104207+ return __swab16p((const __u16 *)p);
104208 }
104209 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
104210 #define __le64_to_cpus(x) do { (void)(x); } while (0)
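Review bot: `__intentional_overflow(-1)` is added to `__le64_to_cpup` and `__be32_to_cpup` only, while the sibling helpers in the same hunk (`__le32_to_cpup`, `__le16_to_cpup`, `__be64_to_cpup`, `__be16_to_cpup` and the `__cpu_to_*p` family) stay unmarked. If the two were annotated to silence specific overflow reports, a comment should say so; otherwise a reader cannot tell whether the others were skipped on purpose. Something like `/* marked: return value feeds arithmetic that wraps by design in <caller> */` next to each annotated helper would do, with the caller name filled in by the author.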
104211diff --git a/include/uapi/linux/connector.h b/include/uapi/linux/connector.h
104212index 4cb2835..cfbc4e2 100644
104213--- a/include/uapi/linux/connector.h
104214+++ b/include/uapi/linux/connector.h
104215@@ -69,7 +69,7 @@ struct cb_id {
104216 struct cn_msg {
104217 struct cb_id id;
104218
104219- __u32 seq;
104220+ __u32 seq __intentional_overflow(-1);
104221 __u32 ack;
104222
104223 __u16 len; /* Length of the following data */
104224diff --git a/include/uapi/linux/elf.h b/include/uapi/linux/elf.h
104225index 71e1d0e..6cc9caf 100644
104226--- a/include/uapi/linux/elf.h
104227+++ b/include/uapi/linux/elf.h
104228@@ -37,6 +37,17 @@ typedef __s64 Elf64_Sxword;
104229 #define PT_GNU_EH_FRAME 0x6474e550
104230
104231 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
104232+#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
104233+
104234+#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
104235+
104236+/* Constants for the e_flags field */
104237+#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
104238+#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
104239+#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
104240+#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
104241+/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
104242+#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
104243
104244 /*
104245 * Extended Numbering
104246@@ -94,6 +105,8 @@ typedef __s64 Elf64_Sxword;
104247 #define DT_DEBUG 21
104248 #define DT_TEXTREL 22
104249 #define DT_JMPREL 23
104250+#define DT_FLAGS 30
104251+ #define DF_TEXTREL 0x00000004
104252 #define DT_ENCODING 32
104253 #define OLD_DT_LOOS 0x60000000
104254 #define DT_LOOS 0x6000000d
104255@@ -240,6 +253,19 @@ typedef struct elf64_hdr {
104256 #define PF_W 0x2
104257 #define PF_X 0x1
104258
104259+#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
104260+#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
104261+#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
104262+#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
104263+#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
104264+#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
104265+/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
104266+/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
104267+#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
104268+#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
104269+#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
104270+#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
104271+
104272 typedef struct elf32_phdr{
104273 Elf32_Word p_type;
104274 Elf32_Off p_offset;
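Review bot: The new `PF_*` constants come in enable/disable pairs (`PF_PAGEEXEC`/`PF_NOPAGEEXEC`, `PF_MPROTECT`/`PF_NOMPROTECT`, and so on), but the header does not say what a loader should do when both bits of a pair, or neither, are set in `p_flags`. Since these bits come from the binary being loaded, the resolution rule is security-relevant and belongs next to the definitions. A comment above the block such as `/* PT_PAX_FLAGS p_flags bits; both or neither bit of a pair set: see <parser> for the resolution rule */` would point readers at the code that decides; that code is outside this hunk.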
104275@@ -332,6 +358,8 @@ typedef struct elf64_shdr {
104276 #define EI_OSABI 7
104277 #define EI_PAD 8
104278
104279+#define EI_PAX 14
104280+
104281 #define ELFMAG0 0x7f /* EI_MAG */
104282 #define ELFMAG1 'E'
104283 #define ELFMAG2 'L'
104284diff --git a/include/uapi/linux/personality.h b/include/uapi/linux/personality.h
104285index aa169c4..6a2771d 100644
104286--- a/include/uapi/linux/personality.h
104287+++ b/include/uapi/linux/personality.h
104288@@ -30,6 +30,7 @@ enum {
104289 #define PER_CLEAR_ON_SETID (READ_IMPLIES_EXEC | \
104290 ADDR_NO_RANDOMIZE | \
104291 ADDR_COMPAT_LAYOUT | \
104292+ ADDR_LIMIT_3GB | \
104293 MMAP_PAGE_ZERO)
104294
104295 /*
104296diff --git a/include/uapi/linux/screen_info.h b/include/uapi/linux/screen_info.h
104297index 7530e74..e714828 100644
104298--- a/include/uapi/linux/screen_info.h
104299+++ b/include/uapi/linux/screen_info.h
104300@@ -43,7 +43,8 @@ struct screen_info {
104301 __u16 pages; /* 0x32 */
104302 __u16 vesa_attributes; /* 0x34 */
104303 __u32 capabilities; /* 0x36 */
104304- __u8 _reserved[6]; /* 0x3a */
104305+ __u16 vesapm_size; /* 0x3a */
104306+ __u8 _reserved[4]; /* 0x3c */
104307 } __attribute__((packed));
104308
104309 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
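Review bot: `vesapm_size` is carved out of bytes that were previously `_reserved`, and the comment gives only its offset, not its unit or who fills it in. Any producer of struct screen_info that does not zero the reserved area would now have those bytes read as a size, so the consumer (not visible in this hunk) should treat the value as untrusted and bounds-check it before use. Extending the comment, e.g. `/* 0x3a, set by the boot code; 0 if absent */`, would document the expectation, assuming that is the intended producer.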
104310diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h
104311index 0e011eb..82681b1 100644
104312--- a/include/uapi/linux/swab.h
104313+++ b/include/uapi/linux/swab.h
104314@@ -43,7 +43,7 @@
104315 * ___swab16, ___swab32, ___swab64, ___swahw32, ___swahb32
104316 */
104317
104318-static inline __attribute_const__ __u16 __fswab16(__u16 val)
104319+static inline __intentional_overflow(-1) __attribute_const__ __u16 __fswab16(__u16 val)
104320 {
104321 #ifdef __HAVE_BUILTIN_BSWAP16__
104322 return __builtin_bswap16(val);
104323@@ -54,7 +54,7 @@ static inline __attribute_const__ __u16 __fswab16(__u16 val)
104324 #endif
104325 }
104326
104327-static inline __attribute_const__ __u32 __fswab32(__u32 val)
104328+static inline __intentional_overflow(-1) __attribute_const__ __u32 __fswab32(__u32 val)
104329 {
104330 #ifdef __HAVE_BUILTIN_BSWAP32__
104331 return __builtin_bswap32(val);
104332@@ -65,7 +65,7 @@ static inline __attribute_const__ __u32 __fswab32(__u32 val)
104333 #endif
104334 }
104335
104336-static inline __attribute_const__ __u64 __fswab64(__u64 val)
104337+static inline __intentional_overflow(-1) __attribute_const__ __u64 __fswab64(__u64 val)
104338 {
104339 #ifdef __HAVE_BUILTIN_BSWAP64__
104340 return __builtin_bswap64(val);
104341diff --git a/include/uapi/linux/xattr.h b/include/uapi/linux/xattr.h
104342index 1590c49..5eab462 100644
104343--- a/include/uapi/linux/xattr.h
104344+++ b/include/uapi/linux/xattr.h
104345@@ -73,5 +73,9 @@
104346 #define XATTR_POSIX_ACL_DEFAULT "posix_acl_default"
104347 #define XATTR_NAME_POSIX_ACL_DEFAULT XATTR_SYSTEM_PREFIX XATTR_POSIX_ACL_DEFAULT
104348
104349+/* User namespace */
104350+#define XATTR_PAX_PREFIX XATTR_USER_PREFIX "pax."
104351+#define XATTR_PAX_FLAGS_SUFFIX "flags"
104352+#define XATTR_NAME_PAX_FLAGS XATTR_PAX_PREFIX XATTR_PAX_FLAGS_SUFFIX
104353
104354 #endif /* _UAPI_LINUX_XATTR_H */
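Review bot: `XATTR_NAME_PAX_FLAGS` is built on `XATTR_USER_PREFIX`, and the only comment is `/* User namespace */`, which does not spell out the trust implication. Attributes under `user.` can be set by anyone with write access to the file, so flags stored there express the file owner's choice rather than an administrator's policy. A comment such as `/* user.pax.flags: writable by the file owner; not an integrity-protected marking */` would keep later users of the macro from treating the value as trusted. How the kernel weighs this attribute against other flag sources is decided outside this hunk.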
104355diff --git a/include/video/udlfb.h b/include/video/udlfb.h
104356index f9466fa..f4e2b81 100644
104357--- a/include/video/udlfb.h
104358+++ b/include/video/udlfb.h
104359@@ -53,10 +53,10 @@ struct dlfb_data {
104360 u32 pseudo_palette[256];
104361 int blank_mode; /*one of FB_BLANK_ */
104362 /* blit-only rendering path metrics, exposed through sysfs */
104363- atomic_t bytes_rendered; /* raw pixel-bytes driver asked to render */
104364- atomic_t bytes_identical; /* saved effort with backbuffer comparison */
104365- atomic_t bytes_sent; /* to usb, after compression including overhead */
104366- atomic_t cpu_kcycles_used; /* transpired during pixel processing */
104367+ atomic_unchecked_t bytes_rendered; /* raw pixel-bytes driver asked to render */
104368+ atomic_unchecked_t bytes_identical; /* saved effort with backbuffer comparison */
104369+ atomic_unchecked_t bytes_sent; /* to usb, after compression including overhead */
104370+ atomic_unchecked_t cpu_kcycles_used; /* transpired during pixel processing */
104371 };
104372
104373 #define NR_USB_REQUEST_I2C_SUB_IO 0x02
104374diff --git a/include/video/uvesafb.h b/include/video/uvesafb.h
104375index 30f5362..8ed8ac9 100644
104376--- a/include/video/uvesafb.h
104377+++ b/include/video/uvesafb.h
104378@@ -122,6 +122,7 @@ struct uvesafb_par {
104379 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
104380 u8 pmi_setpal; /* PMI for palette changes */
104381 u16 *pmi_base; /* protected mode interface location */
104382+ u8 *pmi_code; /* protected mode code location */
104383 void *pmi_start;
104384 void *pmi_pal;
104385 u8 *vbe_state_orig; /*
104386diff --git a/init/Kconfig b/init/Kconfig
104387index af09b4f..5ee6e6a 100644
104388--- a/init/Kconfig
104389+++ b/init/Kconfig
104390@@ -642,6 +642,7 @@ config RCU_FAST_NO_HZ
104391 config TREE_RCU_TRACE
104392 def_bool RCU_TRACE && ( TREE_RCU || PREEMPT_RCU )
104393 select DEBUG_FS
104394+ depends on !GRKERNSEC_KMEM
104395 help
104396 This option provides tracing for the TREE_RCU and
104397 PREEMPT_RCU implementations, permitting Makefile to
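Review bot: `depends on !GRKERNSEC_KMEM` makes TREE_RCU_TRACE disappear from the menu with no explanation in its help text, and the same holds for `depends on !GRKERNSEC` added to CHECKPOINT_RESTORE in the next hunk. Someone who needs either option will not learn from the help which hardening setting excludes it, or why. A sentence in each help block, e.g. `Not available when GRKERNSEC_KMEM is enabled.`, would cover it. The help text continues outside the hunk.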
104398@@ -1139,6 +1140,7 @@ endif # CGROUPS
104399 config CHECKPOINT_RESTORE
104400 bool "Checkpoint/restore support" if EXPERT
104401 select PROC_CHILDREN
104402+ depends on !GRKERNSEC
104403 default n
104404 help
104405 Enables additional kernel features in a sake of checkpoint/restore.
104406@@ -1664,7 +1666,7 @@ config SLUB_DEBUG
104407
104408 config COMPAT_BRK
104409 bool "Disable heap randomization"
104410- default y
104411+ default n
104412 help
104413 Randomizing heap placement makes heap exploits harder, but it
104414 also breaks ancient binaries (including anything libc5 based).
104415@@ -1994,7 +1996,7 @@ config INIT_ALL_POSSIBLE
104416 config STOP_MACHINE
104417 bool
104418 default y
104419- depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU
104420+ depends on (SMP && MODULE_UNLOAD) || HOTPLUG_CPU || GRKERNSEC
104421 help
104422 Need stop_machine() primitive.
104423
104424diff --git a/init/Makefile b/init/Makefile
104425index 7bc47ee..6da2dc7 100644
104426--- a/init/Makefile
104427+++ b/init/Makefile
104428@@ -2,6 +2,9 @@
104429 # Makefile for the linux kernel.
104430 #
104431
104432+ccflags-y := $(GCC_PLUGINS_CFLAGS)
104433+asflags-y := $(GCC_PLUGINS_AFLAGS)
104434+
104435 obj-y := main.o version.o mounts.o
104436 ifneq ($(CONFIG_BLK_DEV_INITRD),y)
104437 obj-y += noinitramfs.o
104438diff --git a/init/do_mounts.c b/init/do_mounts.c
104439index dea5de9..bbdbb5f 100644
104440--- a/init/do_mounts.c
104441+++ b/init/do_mounts.c
104442@@ -363,11 +363,11 @@ static void __init get_fs_names(char *page)
104443 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
104444 {
104445 struct super_block *s;
104446- int err = sys_mount(name, "/root", fs, flags, data);
104447+ int err = sys_mount((char __force_user *)name, (char __force_user *)"/root", (char __force_user *)fs, flags, (void __force_user *)data);
104448 if (err)
104449 return err;
104450
104451- sys_chdir("/root");
104452+ sys_chdir((const char __force_user *)"/root");
104453 s = current->fs->pwd.dentry->d_sb;
104454 ROOT_DEV = s->s_dev;
104455 printk(KERN_INFO
104456@@ -490,18 +490,18 @@ void __init change_floppy(char *fmt, ...)
104457 va_start(args, fmt);
104458 vsprintf(buf, fmt, args);
104459 va_end(args);
104460- fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
104461+ fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
104462 if (fd >= 0) {
104463 sys_ioctl(fd, FDEJECT, 0);
104464 sys_close(fd);
104465 }
104466 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
104467- fd = sys_open("/dev/console", O_RDWR, 0);
104468+ fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
104469 if (fd >= 0) {
104470 sys_ioctl(fd, TCGETS, (long)&termios);
104471 termios.c_lflag &= ~ICANON;
104472 sys_ioctl(fd, TCSETSF, (long)&termios);
104473- sys_read(fd, &c, 1);
104474+ sys_read(fd, (char __user *)&c, 1);
104475 termios.c_lflag |= ICANON;
104476 sys_ioctl(fd, TCSETSF, (long)&termios);
104477 sys_close(fd);
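Review bot: The casts added in change_floppy() use three different spellings: `(char __user *)"/dev/root"` has no `__force` and drops `const`, `(__force const char __user *)"/dev/console"` spells the qualifiers out, and `(char __user *)&c` again omits `__force`. The rest of the patch uses the `__force_user` form, and a plain `__user` cast of a kernel pointer is what an address-space checker is meant to flag. Suggested lines are `fd = sys_open((const char __force_user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (char __force_user *)&c, 1);`, with the `/dev/console` call written the same way. A related inconsistency is in create_dev() in init/do_mounts.h, where `sys_unlink` gets `(char __force_user *)name` while initrd_load() passes `(const char __force_user *)`. The body of change_floppy() starts before this hunk.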
104478@@ -600,8 +600,8 @@ void __init prepare_namespace(void)
104479 mount_root();
104480 out:
104481 devtmpfs_mount("dev");
104482- sys_mount(".", "/", NULL, MS_MOVE, NULL);
104483- sys_chroot(".");
104484+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
104485+ sys_chroot((const char __force_user *)".");
104486 }
104487
104488 static bool is_tmpfs;
104489diff --git a/init/do_mounts.h b/init/do_mounts.h
104490index f5b978a..69dbfe8 100644
104491--- a/init/do_mounts.h
104492+++ b/init/do_mounts.h
104493@@ -15,15 +15,15 @@ extern int root_mountflags;
104494
104495 static inline int create_dev(char *name, dev_t dev)
104496 {
104497- sys_unlink(name);
104498- return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
104499+ sys_unlink((char __force_user *)name);
104500+ return sys_mknod((char __force_user *)name, S_IFBLK|0600, new_encode_dev(dev));
104501 }
104502
104503 #if BITS_PER_LONG == 32
104504 static inline u32 bstat(char *name)
104505 {
104506 struct stat64 stat;
104507- if (sys_stat64(name, &stat) != 0)
104508+ if (sys_stat64((char __force_user *)name, (struct stat64 __force_user *)&stat) != 0)
104509 return 0;
104510 if (!S_ISBLK(stat.st_mode))
104511 return 0;
104512@@ -35,7 +35,7 @@ static inline u32 bstat(char *name)
104513 static inline u32 bstat(char *name)
104514 {
104515 struct stat stat;
104516- if (sys_newstat(name, &stat) != 0)
104517+ if (sys_newstat((const char __force_user *)name, (struct stat __force_user *)&stat) != 0)
104518 return 0;
104519 if (!S_ISBLK(stat.st_mode))
104520 return 0;
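diff --git a/init/do_mounts_initrd.c b/init/do_mounts_initrd.c
index 3e0878e..8a9d7a0 100644
--- a/init/do_mounts_initrd.c
+++ b/init/do_mounts_initrd.c
@@ -37,13 +37,13 @@ static int init_linuxrc(struct subprocess_info *info, struct cred *new)
 {
 sys_unshare(CLONE_FS | CLONE_FILES);
 /* stdin/stdout/stderr for /linuxrc */
- sys_open("/dev/console", O_RDWR, 0);
+ sys_open((const char __force_user *)"/dev/console", O_RDWR, 0);
 sys_dup(0);
 sys_dup(0);
 /* move initrd over / and chdir/chroot in initrd root */
- sys_chdir("/root");
- sys_mount(".", "/", NULL, MS_MOVE, NULL);
- sys_chroot(".");
+ sys_chdir((const char __force_user *)"/root");
+ sys_mount((char __force_user *)".", (char __force_user *)"/", NULL, MS_MOVE, NULL);
+ sys_chroot((const char __force_user *)".");
 sys_setsid();
 return 0;
 }
@@ -59,8 +59,8 @@ static void __init handle_initrd(void)
 create_dev("/dev/root.old", Root_RAM0);
 /* mount initrd on rootfs' /root */
 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
- sys_mkdir("/old", 0700);
- sys_chdir("/old");
+ sys_mkdir((const char __force_user *)"/old", 0700);
+ sys_chdir((const char __force_user *)"/old");

 /* try loading default modules from initrd */
 load_default_modules();
@@ -80,31 +80,31 @@ static void __init handle_initrd(void)
 current->flags &= ~PF_FREEZER_SKIP;

 /* move initrd to rootfs' /old */
- sys_mount("..", ".", NULL, MS_MOVE, NULL);
+ sys_mount((char __force_user *)"..", (char __force_user *)".", NULL, MS_MOVE, NULL);
 /* switch root and cwd back to / of rootfs */
- sys_chroot("..");
+ sys_chroot((const char __force_user *)"..");

 if (new_decode_dev(real_root_dev) == Root_RAM0) {
- sys_chdir("/old");
+ sys_chdir((const char __force_user *)"/old");
 return;
 }

- sys_chdir("/");
+ sys_chdir((const char __force_user *)"/");
 ROOT_DEV = new_decode_dev(real_root_dev);
 mount_root();

 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
- error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
+ error = sys_mount((char __force_user *)"/old", (char __force_user *)"/root/initrd", NULL, MS_MOVE, NULL);
 if (!error)
 printk("okay\n");
 else {
- int fd = sys_open("/dev/root.old", O_RDWR, 0);
+ int fd = sys_open((const char __force_user *)"/dev/root.old", O_RDWR, 0);
 if (error == -ENOENT)
 printk("/initrd does not exist. Ignored.\n");
 else
 printk("failed\n");
 printk(KERN_NOTICE "Unmounting old root\n");
- sys_umount("/old", MNT_DETACH);
+ sys_umount((char __force_user *)"/old", MNT_DETACH);
 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
 if (fd < 0) {
 error = fd;
@@ -127,11 +127,11 @@ int __init initrd_load(void)
 * mounted in the normal path.
 */
 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
- sys_unlink("/initrd.image");
+ sys_unlink((const char __force_user *)"/initrd.image");
 handle_initrd();
 return 1;
 }
 }
- sys_unlink("/initrd.image");
+ sys_unlink((const char __force_user *)"/initrd.image");
 return 0;
 }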
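Review bot: The `__force_user` casts are repeated at every call site in init_linuxrc(), handle_initrd() and initrd_load(), and each one suppresses the address-space annotation check for that argument, so a later edit that passes something other than a kernel string literal would not be flagged. A single file-local wrapper, for example `#define KPATH(s) ((const char __force_user *)(s))` (name is only a suggestion), would keep the override in one place that can be audited; the same pattern recurs in init/do_mounts_md.c and init/initramfs.c. The casts to plain `char __force_user *` in the sys_mount() and sys_umount() calls also drop `const` from string literals, presumably because those prototypes take non-const pointers, and a short comment saying so would help.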
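diff --git a/init/do_mounts_md.c b/init/do_mounts_md.c
index 8cb6db5..d729f50 100644
--- a/init/do_mounts_md.c
+++ b/init/do_mounts_md.c
@@ -180,7 +180,7 @@ static void __init md_setup_drive(void)
 partitioned ? "_d" : "", minor,
 md_setup_args[ent].device_names);

- fd = sys_open(name, 0, 0);
+ fd = sys_open((char __force_user *)name, 0, 0);
 if (fd < 0) {
 printk(KERN_ERR "md: open failed - cannot start "
 "array %s\n", name);
@@ -243,7 +243,7 @@ static void __init md_setup_drive(void)
 * array without it
 */
 sys_close(fd);
- fd = sys_open(name, 0, 0);
+ fd = sys_open((char __force_user *)name, 0, 0);
 sys_ioctl(fd, BLKRRPART, 0);
 }
 sys_close(fd);
@@ -293,7 +293,7 @@ static void __init autodetect_raid(void)

 wait_for_device_probe();

- fd = sys_open("/dev/md0", 0, 0);
+ fd = sys_open((const char __force_user *) "/dev/md0", 0, 0);
 if (fd >= 0) {
 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
 sys_close(fd);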
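diff --git a/init/init_task.c b/init/init_task.c
index ba0a7f36..2bcf1d5 100644
--- a/init/init_task.c
+++ b/init/init_task.c
@@ -22,5 +22,9 @@ EXPORT_SYMBOL(init_task);
 * Initial thread structure. Alignment of this is handled by a special
 * linker map entry.
 */
+#ifdef CONFIG_X86
+union thread_union init_thread_union __init_task_data;
+#else
 union thread_union init_thread_union __init_task_data =
 { INIT_THREAD_INFO(init_task) };
+#endif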
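Review bot: The CONFIG_X86 branch drops the `INIT_THREAD_INFO(init_task)` initializer without saying where the x86 thread_info is set up instead, so a reader of this file cannot tell whether init_thread_union is intentionally left zero-filled. A comment above the `#ifdef`, such as `/* x86: thread_info for init_task is initialised in <location>, so the union has no initializer here */` with the real location filled in, would document the dependency. The replacement initialisation is not visible in this hunk, so this is a request for documentation rather than a claim that it is missing.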
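diff --git a/init/initramfs.c b/init/initramfs.c
index ad1bd77..dca2c1b 100644
--- a/init/initramfs.c
+++ b/init/initramfs.c
@@ -25,7 +25,7 @@ static ssize_t __init xwrite(int fd, const char *p, size_t count)

 /* sys_write only can write MAX_RW_COUNT aka 2G-4K bytes at most */
 while (count) {
- ssize_t rv = sys_write(fd, p, count);
+ ssize_t rv = sys_write(fd, (char __force_user *)p, count);

 if (rv < 0) {
 if (rv == -EINTR || rv == -EAGAIN)
@@ -107,7 +107,7 @@ static void __init free_hash(void)
 }
 }

-static long __init do_utime(char *filename, time_t mtime)
+static long __init do_utime(char __force_user *filename, time_t mtime)
 {
 struct timespec t[2];

@@ -142,7 +142,7 @@ static void __init dir_utime(void)
 struct dir_entry *de, *tmp;
 list_for_each_entry_safe(de, tmp, &dir_list, list) {
 list_del(&de->list);
- do_utime(de->name, de->mtime);
+ do_utime((char __force_user *)de->name, de->mtime);
 kfree(de->name);
 kfree(de);
 }
@@ -304,7 +304,7 @@ static int __init maybe_link(void)
 if (nlink >= 2) {
 char *old = find_link(major, minor, ino, mode, collected);
 if (old)
- return (sys_link(old, collected) < 0) ? -1 : 1;
+ return (sys_link((char __force_user *)old, (char __force_user *)collected) < 0) ? -1 : 1;
 }
 return 0;
 }
@@ -313,11 +313,11 @@ static void __init clean_path(char *path, umode_t fmode)
 {
 struct stat st;

- if (!sys_newlstat(path, &st) && (st.st_mode ^ fmode) & S_IFMT) {
+ if (!sys_newlstat((char __force_user *)path, (struct stat __force_user *)&st) && (st.st_mode ^ fmode) & S_IFMT) {
 if (S_ISDIR(st.st_mode))
- sys_rmdir(path);
+ sys_rmdir((char __force_user *)path);
 else
- sys_unlink(path);
+ sys_unlink((char __force_user *)path);
 }
 }

@@ -338,7 +338,7 @@ static int __init do_name(void)
 int openflags = O_WRONLY|O_CREAT;
 if (ml != 1)
 openflags |= O_TRUNC;
- wfd = sys_open(collected, openflags, mode);
+ wfd = sys_open((char __force_user *)collected, openflags, mode);

 if (wfd >= 0) {
 sys_fchown(wfd, uid, gid);
@@ -350,17 +350,17 @@ static int __init do_name(void)
 }
 }
 } else if (S_ISDIR(mode)) {
- sys_mkdir(collected, mode);
- sys_chown(collected, uid, gid);
- sys_chmod(collected, mode);
+ sys_mkdir((char __force_user *)collected, mode);
+ sys_chown((char __force_user *)collected, uid, gid);
+ sys_chmod((char __force_user *)collected, mode);
 dir_add(collected, mtime);
 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
 S_ISFIFO(mode) || S_ISSOCK(mode)) {
 if (maybe_link() == 0) {
- sys_mknod(collected, mode, rdev);
- sys_chown(collected, uid, gid);
- sys_chmod(collected, mode);
- do_utime(collected, mtime);
+ sys_mknod((char __force_user *)collected, mode, rdev);
+ sys_chown((char __force_user *)collected, uid, gid);
+ sys_chmod((char __force_user *)collected, mode);
+ do_utime((char __force_user *)collected, mtime);
 }
 }
 return 0;
@@ -372,7 +372,7 @@ static int __init do_copy(void)
 if (xwrite(wfd, victim, body_len) != body_len)
 error("write error");
 sys_close(wfd);
- do_utime(vcollected, mtime);
+ do_utime((char __force_user *)vcollected, mtime);
 kfree(vcollected);
 eat(body_len);
 state = SkipIt;
@@ -390,9 +390,9 @@ static int __init do_symlink(void)
 {
 collected[N_ALIGN(name_len) + body_len] = '\0';
 clean_path(collected, 0);
- sys_symlink(collected + N_ALIGN(name_len), collected);
- sys_lchown(collected, uid, gid);
- do_utime(collected, mtime);
+ sys_symlink((char __force_user *)collected + N_ALIGN(name_len), (char __force_user *)collected);
+ sys_lchown((char __force_user *)collected, uid, gid);
+ do_utime((char __force_user *)collected, mtime);
 state = SkipIt;
 next_state = Reset;
 return 0;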
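Review bot: do_utime() now takes `char __force_user *filename`, which moves the address-space override into the helper's signature and forces a cast at every visible call site (dir_utime, do_name, do_copy, do_symlink). Keeping the parameter as `char *filename` and casting once where the pointer is handed to the syscall inside do_utime() would leave the callers unchanged and confine the override to a single line. The body of do_utime() lies outside the hunk, so the exact line to change is not shown here.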
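diff --git a/init/main.c b/init/main.c
index 5650655..937d1b1 100644
--- a/init/main.c
+++ b/init/main.c
@@ -97,6 +97,8 @@ extern void radix_tree_init(void);
 static inline void mark_rodata_ro(void) { }
 #endif

+extern void grsecurity_init(void);
+
 /*
 * Debug helper: via this flag we know that we are in 'early bootup code'
 * where only the boot processor is running with IRQ disabled. This means
@@ -158,6 +160,37 @@ static int __init set_reset_devices(char *str)

 __setup("reset_devices", set_reset_devices);

+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
+kgid_t grsec_proc_gid = KGIDT_INIT(CONFIG_GRKERNSEC_PROC_GID);
+static int __init setup_grsec_proc_gid(char *str)
+{
+ grsec_proc_gid = KGIDT_INIT(simple_strtol(str, NULL, 0));
+ return 1;
+}
+__setup("grsec_proc_gid=", setup_grsec_proc_gid);
+#endif
+#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
+int grsec_enable_sysfs_restrict = 1;
+static int __init setup_grsec_sysfs_restrict(char *str)
+{
+ if (!simple_strtol(str, NULL, 0))
+ grsec_enable_sysfs_restrict = 0;
+ return 1;
+}
+__setup("grsec_sysfs_restrict", setup_grsec_sysfs_restrict);
+#endif
+
+#ifdef CONFIG_PAX_SOFTMODE
+int pax_softmode;
+
+static int __init setup_pax_softmode(char *str)
+{
+ get_option(&str, &pax_softmode);
+ return 1;
+}
+__setup("pax_softmode=", setup_pax_softmode);
+#endif
+
 static const char *argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
 const char *envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
 static const char *panic_later, *panic_param;
@@ -731,7 +764,7 @@ static bool __init_or_module initcall_blacklisted(initcall_t fn)
 struct blacklist_entry *entry;
 char *fn_name;

- fn_name = kasprintf(GFP_KERNEL, "%pf", fn);
+ fn_name = kasprintf(GFP_KERNEL, "%pX", fn);
 if (!fn_name)
 return false;

@@ -783,7 +816,7 @@ int __init_or_module do_one_initcall(initcall_t fn)
 {
 int count = preempt_count();
 int ret;
- char msgbuf[64];
+ const char *msg1 = "", *msg2 = "";

 if (initcall_blacklisted(fn))
 return -EPERM;
@@ -793,18 +826,17 @@ int __init_or_module do_one_initcall(initcall_t fn)
 else
 ret = fn();

- msgbuf[0] = 0;
-
 if (preempt_count() != count) {
- sprintf(msgbuf, "preemption imbalance ");
+ msg1 = " preemption imbalance";
 preempt_count_set(count);
 }
 if (irqs_disabled()) {
- strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
+ msg2 = " disabled interrupts";
 local_irq_enable();
 }
- WARN(msgbuf[0], "initcall %pF returned with %s\n", fn, msgbuf);
+ WARN(*msg1 || *msg2, "initcall %pF returned with%s%s\n", fn, msg1, msg2);

+ add_latent_entropy();
 return ret;
 }

@@ -910,8 +942,8 @@ static int run_init_process(const char *init_filename)
 {
 argv_init[0] = init_filename;
 return do_execve(getname_kernel(init_filename),
- (const char __user *const __user *)argv_init,
- (const char __user *const __user *)envp_init);
+ (const char __user *const __force_user *)argv_init,
+ (const char __user *const __force_user *)envp_init);
 }

 static int try_to_run_init_process(const char *init_filename)
@@ -928,6 +960,10 @@ static int try_to_run_init_process(const char *init_filename)
 return ret;
 }

+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
+extern int gr_init_ran;
+#endif
+
 static noinline void __init kernel_init_freeable(void);

 static int __ref kernel_init(void *unused)
@@ -952,6 +988,11 @@ static int __ref kernel_init(void *unused)
 ramdisk_execute_command, ret);
 }

+#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
+ /* if no initrd was used, be extra sure we enforce chroot restrictions */
+ gr_init_ran = 1;
+#endif
+
 /*
 * We try each of these until one succeeds.
 *
@@ -1009,7 +1050,7 @@ static noinline void __init kernel_init_freeable(void)
 do_basic_setup();

 /* Open the /dev/console on the rootfs, this should never fail */
- if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
+ if (sys_open((const char __force_user *) "/dev/console", O_RDWR, 0) < 0)
 pr_err("Warning: unable to open an initial console.\n");

 (void) sys_dup(0);
@@ -1022,11 +1063,13 @@ static noinline void __init kernel_init_freeable(void)
 if (!ramdisk_execute_command)
 ramdisk_execute_command = "/init";

- if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
+ if (sys_access((const char __force_user *) ramdisk_execute_command, 0) != 0) {
 ramdisk_execute_command = NULL;
 prepare_namespace();
 }

+ grsecurity_init();
+
 /*
 * Ok, we have completed the initial bootup, and
 * we're essentially up and running. Get rid of the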
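Review bot: setup_grsec_sysfs_restrict() is registered with `__setup("grsec_sysfs_restrict", ...)` without a trailing `=`, so the handler most likely receives the string starting at the `=` sign; simple_strtol() then returns 0 for `grsec_sysfs_restrict=1` just as it does for `=0`, and the restriction is switched off whenever the parameter appears on the command line. Registering it as `__setup("grsec_sysfs_restrict=", setup_grsec_sysfs_restrict);` would match the `grsec_proc_gid=` and `pax_softmode=` handlers added in the same hunk. Separately, setup_grsec_proc_gid() turns unparsable input into GID 0 because simple_strtol() reports no error; `unsigned int gid; if (!kstrtouint(str, 0, &gid)) grsec_proc_gid = KGIDT_INIT(gid);` keeps the configured default instead.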
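diff --git a/ipc/compat.c b/ipc/compat.c
index 9b3c85f..5266b0f 100644
--- a/ipc/compat.c
+++ b/ipc/compat.c
@@ -396,7 +396,7 @@ COMPAT_SYSCALL_DEFINE6(ipc, u32, call, int, first, int, second,
 COMPAT_SHMLBA);
 if (err < 0)
 return err;
- return put_user(raddr, (compat_ulong_t *)compat_ptr(third));
+ return put_user(raddr, (compat_ulong_t __user *)compat_ptr(third));
 }
 case SHMDT:
 return sys_shmdt(compat_ptr(ptr));
@@ -747,7 +747,7 @@ COMPAT_SYSCALL_DEFINE3(shmctl, int, first, int, second, void __user *, uptr)
 }

 COMPAT_SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsems,
- unsigned, nsops,
+ compat_long_t, nsops,
 const struct compat_timespec __user *, timeout)
 {
 struct timespec __user *ts64;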
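diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
index 8ad93c2..efd80f8 100644
--- a/ipc/ipc_sysctl.c
+++ b/ipc/ipc_sysctl.c
@@ -30,7 +30,7 @@ static void *get_ipc(struct ctl_table *table)
 static int proc_ipc_dointvec(struct ctl_table *table, int write,
 void __user *buffer, size_t *lenp, loff_t *ppos)
 {
- struct ctl_table ipc_table;
+ ctl_table_no_const ipc_table;

 memcpy(&ipc_table, table, sizeof(ipc_table));
 ipc_table.data = get_ipc(table);
@@ -41,7 +41,7 @@ static int proc_ipc_dointvec(struct ctl_table *table, int write,
 static int proc_ipc_dointvec_minmax(struct ctl_table *table, int write,
 void __user *buffer, size_t *lenp, loff_t *ppos)
 {
- struct ctl_table ipc_table;
+ ctl_table_no_const ipc_table;

 memcpy(&ipc_table, table, sizeof(ipc_table));
 ipc_table.data = get_ipc(table);
@@ -65,7 +65,7 @@ static int proc_ipc_dointvec_minmax_orphans(struct ctl_table *table, int write,
 static int proc_ipc_doulongvec_minmax(struct ctl_table *table, int write,
 void __user *buffer, size_t *lenp, loff_t *ppos)
 {
- struct ctl_table ipc_table;
+ ctl_table_no_const ipc_table;
 memcpy(&ipc_table, table, sizeof(ipc_table));
 ipc_table.data = get_ipc(table);

@@ -76,7 +76,7 @@ static int proc_ipc_doulongvec_minmax(struct ctl_table *table, int write,
 static int proc_ipc_auto_msgmni(struct ctl_table *table, int write,
 void __user *buffer, size_t *lenp, loff_t *ppos)
 {
- struct ctl_table ipc_table;
+ ctl_table_no_const ipc_table;
 int dummy = 0;

 memcpy(&ipc_table, table, sizeof(ipc_table));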
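diff --git a/ipc/mq_sysctl.c b/ipc/mq_sysctl.c
index 68d4e95..1477ded 100644
--- a/ipc/mq_sysctl.c
+++ b/ipc/mq_sysctl.c
@@ -25,7 +25,7 @@ static void *get_mq(struct ctl_table *table)
 static int proc_mq_dointvec(struct ctl_table *table, int write,
 void __user *buffer, size_t *lenp, loff_t *ppos)
 {
- struct ctl_table mq_table;
+ ctl_table_no_const mq_table;
 memcpy(&mq_table, table, sizeof(mq_table));
 mq_table.data = get_mq(table);

@@ -35,7 +35,7 @@ static int proc_mq_dointvec(struct ctl_table *table, int write,
 static int proc_mq_dointvec_minmax(struct ctl_table *table, int write,
 void __user *buffer, size_t *lenp, loff_t *ppos)
 {
- struct ctl_table mq_table;
+ ctl_table_no_const mq_table;
 memcpy(&mq_table, table, sizeof(mq_table));
 mq_table.data = get_mq(table);
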
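diff --git a/ipc/mqueue.c b/ipc/mqueue.c
index 161a180..be31d93 100644
--- a/ipc/mqueue.c
+++ b/ipc/mqueue.c
@@ -274,6 +274,7 @@ static struct inode *mqueue_get_inode(struct super_block *sb,
 mq_bytes = mq_treesize + (info->attr.mq_maxmsg *
 info->attr.mq_msgsize);

+ gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
 spin_lock(&mq_lock);
 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
 u->mq_bytes + mq_bytes > rlimit(RLIMIT_MSGQUEUE)) {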
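Review bot: The added gr_learn_resource() call reads `u->mq_bytes` before `spin_lock(&mq_lock)` is taken and before the wrap check on the following lines, so the value it is given can be stale or an already-overflowed sum. If the helper may not run under a spinlock, take a snapshot of the sum inside the locked region after the overflow check and pass that snapshot once the lock is dropped; otherwise move the call below `spin_lock(&mq_lock);`. Whether gr_learn_resource() can sleep is not visible here, and mqueue_get_inode() continues outside the hunk.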
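diff --git a/ipc/sem.c b/ipc/sem.c
index b471e5a..89aef1d 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -1790,7 +1790,7 @@ static int get_queue_result(struct sem_queue *q)
 }

 SYSCALL_DEFINE4(semtimedop, int, semid, struct sembuf __user *, tsops,
- unsigned, nsops, const struct timespec __user *, timeout)
+ long, nsops, const struct timespec __user *, timeout)
 {
 int error = -EINVAL;
 struct sem_array *sma;
@@ -2025,7 +2025,7 @@ out_free:
 }

 SYSCALL_DEFINE3(semop, int, semid, struct sembuf __user *, tsops,
- unsigned, nsops)
+ long, nsops)
 {
 return sys_semtimedop(semid, tsops, nsops, NULL);
 }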
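diff --git a/ipc/shm.c b/ipc/shm.c
index 0e61fd4..c545631 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -72,6 +72,14 @@ static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp);
 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
 #endif

+#ifdef CONFIG_GRKERNSEC
+extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
+ const u64 shm_createtime, const kuid_t cuid,
+ const int shmid);
+extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
+ const u64 shm_createtime);
+#endif
+
 void shm_init_ns(struct ipc_namespace *ns)
 {
 ns->shm_ctlmax = SHMMAX;
@@ -555,6 +563,9 @@ static int newseg(struct ipc_namespace *ns, struct ipc_params *params)
 shp->shm_lprid = 0;
 shp->shm_atim = shp->shm_dtim = 0;
 shp->shm_ctim = get_seconds();
+#ifdef CONFIG_GRKERNSEC
+ shp->shm_createtime = ktime_get_ns();
+#endif
 shp->shm_segsz = size;
 shp->shm_nattch = 0;
 shp->shm_file = file;
@@ -1098,6 +1109,12 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
 f_mode = FMODE_READ | FMODE_WRITE;
 }
 if (shmflg & SHM_EXEC) {
+
+#ifdef CONFIG_PAX_MPROTECT
+ if (current->mm->pax_flags & MF_PAX_MPROTECT)
+ goto out;
+#endif
+
 prot |= PROT_EXEC;
 acc_mode |= S_IXUGO;
 }
@@ -1122,6 +1139,15 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
 if (err)
 goto out_unlock;

+#ifdef CONFIG_GRKERNSEC
+ if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
+ shp->shm_perm.cuid, shmid) ||
+ !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
+ err = -EACCES;
+ goto out_unlock;
+ }
+#endif
+
 ipc_lock_object(&shp->shm_perm);

 /* check if shm_destroy() is tearing down shp */
@@ -1134,6 +1160,9 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
 path = shp->shm_file->f_path;
 path_get(&path);
 shp->shm_nattch++;
+#ifdef CONFIG_GRKERNSEC
+ shp->shm_lapid = current->pid;
+#endif
 size = i_size_read(d_inode(path.dentry));
 ipc_unlock_object(&shp->shm_perm);
 rcu_read_unlock();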
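Review bot: The CONFIG_PAX_MPROTECT branch in do_shmat() jumps to `out` without assigning `err`, so the caller receives whatever `err` holds at that point rather than an explicit denial code, whereas the later gr_handle_shmat() block sets `err = -EACCES` before its goto. Adding `err = -EACCES;` before `goto out;` would make the SHM_EXEC refusal distinguishable from an argument error. In addition, the gr_handle_shmat()/gr_chroot_shmat() checks read `shp->shm_lapid` before `ipc_lock_object(&shp->shm_perm)`, while the new store `shp->shm_lapid = current->pid;` happens under that lock, so the check can observe a value that is being updated concurrently; moving the check below the lock would close that window if the helpers are safe to call there. do_shmat() starts and ends outside these hunks.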
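diff --git a/ipc/util.c b/ipc/util.c
index 0f401d9..049b0ff 100644
--- a/ipc/util.c
+++ b/ipc/util.c
@@ -71,6 +71,8 @@ struct ipc_proc_iface {
 int (*show)(struct seq_file *, void *);
 };

+extern int gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, int requested_mode, int granted_mode);
+
 /**
 * ipc_init - initialise ipc subsystem
 *
@@ -494,6 +496,10 @@ int ipcperms(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp, short flag)
 granted_mode >>= 6;
 else if (in_group_p(ipcp->cgid) || in_group_p(ipcp->gid))
 granted_mode >>= 3;
+
+ if (!gr_ipc_permitted(ns, ipcp, requested_mode, granted_mode))
+ return -1;
+
 /* is there some bit set in requested_mode but not in granted_mode? */
 if ((requested_mode & ~granted_mode & 0007) &&
 !ns_capable(ns->user_ns, CAP_IPC_OWNER))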
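Review bot: gr_ipc_permitted() is declared through a file-local `extern` in ipc/util.c instead of a shared header, so the compiler cannot check this prototype against the definition, and a later signature change would only show up as misbehaviour in a permission check. The same pattern is used for grsecurity_init() and gr_init_ran in init/main.c and for gr_handle_shmat()/gr_chroot_shmat() in ipc/shm.c. Moving these declarations into one header that both the callers and the defining file include would let a mismatch fail the build.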
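diff --git a/kernel/audit.c b/kernel/audit.c
index f9e6065..3fcb6ab 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -124,7 +124,7 @@ u32 audit_sig_sid = 0;
 3) suppressed due to audit_rate_limit
 4) suppressed due to audit_backlog_limit
 */
-static atomic_t audit_lost = ATOMIC_INIT(0);
+static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);

 /* The netlink socket. */
 static struct sock *audit_sock;
@@ -258,7 +258,7 @@ void audit_log_lost(const char *message)
 unsigned long now;
 int print;

- atomic_inc(&audit_lost);
+ atomic_inc_unchecked(&audit_lost);

 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);

@@ -275,7 +275,7 @@ void audit_log_lost(const char *message)
 if (print) {
 if (printk_ratelimit())
 pr_warn("audit_lost=%u audit_rate_limit=%u audit_backlog_limit=%u\n",
- atomic_read(&audit_lost),
+ atomic_read_unchecked(&audit_lost),
 audit_rate_limit,
 audit_backlog_limit);
 audit_panic(message);
@@ -833,7 +833,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
 s.pid = audit_pid;
 s.rate_limit = audit_rate_limit;
 s.backlog_limit = audit_backlog_limit;
- s.lost = atomic_read(&audit_lost);
+ s.lost = atomic_read_unchecked(&audit_lost);
 s.backlog = skb_queue_len(&audit_skb_queue);
 s.feature_bitmap = AUDIT_FEATURE_BITMAP_ALL;
 s.backlog_wait_time = audit_backlog_wait_time_master;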
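diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index e85bdfd..441a638 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1021,7 +1021,7 @@ static int audit_log_single_execve_arg(struct audit_context *context,
 * for strings that are too long, we should not have created
 * any.
 */
- if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) {
+ if (WARN_ON_ONCE(len > MAX_ARG_STRLEN - 1)) {
 send_sig(SIGKILL, current, 0);
 return -1;
 }
@@ -1952,7 +1952,7 @@ int auditsc_get_stamp(struct audit_context *ctx,
 }

 /* global counter which is incremented every time something logs in */
-static atomic_t session_id = ATOMIC_INIT(0);
+static atomic_unchecked_t session_id = ATOMIC_INIT(0);

 static int audit_set_loginuid_perm(kuid_t loginuid)
 {
@@ -2019,7 +2019,7 @@ int audit_set_loginuid(kuid_t loginuid)

 /* are we setting or clearing? */
 if (uid_valid(loginuid))
- sessionid = (unsigned int)atomic_inc_return(&session_id);
+ sessionid = (unsigned int)atomic_inc_return_unchecked(&session_id);

 task->sessionid = sessionid;
 task->loginuid = loginuid;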
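diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index c5bedc8..6ec8715 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -145,14 +145,17 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,
 * random section of illegal instructions.
 */
 size = round_up(proglen + sizeof(*hdr) + 128, PAGE_SIZE);
- hdr = module_alloc(size);
+ hdr = module_alloc_exec(size);
 if (hdr == NULL)
 return NULL;

 /* Fill space with illegal/arch-dep instructions. */
 bpf_fill_ill_insns(hdr, size);

+ pax_open_kernel();
 hdr->pages = size / PAGE_SIZE;
+ pax_close_kernel();
+
 hole = min_t(unsigned int, size - (proglen + sizeof(*hdr)),
 PAGE_SIZE - sizeof(*hdr));
 start = (prandom_u32() % hole) & ~(alignment - 1);
@@ -165,7 +168,7 @@ bpf_jit_binary_alloc(unsigned int proglen, u8 **image_ptr,

 void bpf_jit_binary_free(struct bpf_binary_header *hdr)
 {
- module_memfree(hdr);
+ module_memfree_exec(hdr);
 }
 #endif /* CONFIG_BPF_JIT */
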
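Review bot: Only the `hdr->pages` store is bracketed by pax_open_kernel()/pax_close_kernel(), while `bpf_fill_ill_insns(hdr, size)` just above writes the whole allocation returned by module_alloc_exec() with no such bracket in this function. If that memory is not writable by default, which the new bracket suggests, every fill callback has to open the kernel itself; a comment such as `/* bpf_fill_ill_insns() must do its own pax_open_kernel() */` next to the call would record that requirement. The callbacks are architecture code outside this hunk, so this needs confirming against them.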
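diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index a1b14d1..7dce5d9 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -592,11 +592,15 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, siz
 int err;

 /* the syscall is limited to root temporarily. This restriction will be
- * lifted when security audit is clean. Note that eBPF+tracing must have
- * this restriction, since it may pass kernel data to user space
+ * lifted by upstream when a half-assed security audit is clean. Note
+ * that eBPF+tracing must have this restriction, since it may pass
+ * kernel data to user space
 */
 if (!capable(CAP_SYS_ADMIN))
 return -EPERM;
+#ifdef CONFIG_GRKERNSEC
+ return -EPERM;
+#endif

 if (!access_ok(VERIFY_READ, uattr, 1))
 return -EFAULT;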
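Review bot: With CONFIG_GRKERNSEC set, the unconditional `return -EPERM;` comes after `capable(CAP_SYS_ADMIN)` has already run, so a privileged caller is marked as having used the capability (ns_capable() sets PF_SUPERPRIV) for a call that is always refused, and everything below the `#endif` becomes unreachable. `if (IS_ENABLED(CONFIG_GRKERNSEC) || !capable(CAP_SYS_ADMIN)) return -EPERM;` gives the same result without that side effect and without the preprocessor block. The reworded comment should also say that the syscall is disabled outright under CONFIG_GRKERNSEC, since it still describes only a root-only restriction.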
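diff --git a/kernel/capability.c b/kernel/capability.c
index 45432b5..988f1e4 100644
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -193,6 +193,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_t, header, cap_user_data_t, dataptr)
 * before modification is attempted and the application
 * fails.
 */
+ if (tocopy > ARRAY_SIZE(kdata))
+ return -EFAULT;
+
 if (copy_to_user(dataptr, kdata, tocopy
 * sizeof(struct __user_cap_data_struct))) {
 return -EFAULT;
@@ -298,10 +301,11 @@ bool has_ns_capability(struct task_struct *t,
 int ret;

 rcu_read_lock();
- ret = security_capable(__task_cred(t), ns, cap);
+ ret = security_capable(__task_cred(t), ns, cap) == 0 &&
+ gr_task_is_capable(t, __task_cred(t), cap);
 rcu_read_unlock();

- return (ret == 0);
+ return ret;
 }

 /**
@@ -338,10 +342,10 @@ bool has_ns_capability_noaudit(struct task_struct *t,
 int ret;

 rcu_read_lock();
- ret = security_capable_noaudit(__task_cred(t), ns, cap);
+ ret = security_capable_noaudit(__task_cred(t), ns, cap) == 0 && gr_task_is_capable_nolog(t, cap);
 rcu_read_unlock();

- return (ret == 0);
+ return ret;
 }

 /**
@@ -379,7 +383,7 @@ bool ns_capable(struct user_namespace *ns, int cap)
 BUG();
 }

- if (security_capable(current_cred(), ns, cap) == 0) {
+ if (security_capable(current_cred(), ns, cap) == 0 && gr_is_capable(cap)) {
 current->flags |= PF_SUPERPRIV;
 return true;
 }
@@ -387,6 +391,20 @@ bool ns_capable(struct user_namespace *ns, int cap)
 }
 EXPORT_SYMBOL(ns_capable);

+bool ns_capable_nolog(struct user_namespace *ns, int cap)
+{
+ if (unlikely(!cap_valid(cap))) {
+ pr_crit("capable_nolog() called with invalid cap=%u\n", cap);
+ BUG();
+ }
+
+ if (security_capable_noaudit(current_cred(), ns, cap) == 0 && gr_is_capable_nolog(cap)) {
+ current->flags |= PF_SUPERPRIV;
+ return true;
+ }
+ return false;
+}
+EXPORT_SYMBOL(ns_capable_nolog);

 /**
 * capable - Determine if the current task has a superior capability in effect
@@ -403,6 +421,13 @@ bool capable(int cap)
 return ns_capable(&init_user_ns, cap);
 }
 EXPORT_SYMBOL(capable);
+
+bool capable_nolog(int cap)
+{
+ return ns_capable_nolog(&init_user_ns, cap);
+}
+EXPORT_SYMBOL(capable_nolog);
+
 #endif /* CONFIG_MULTIUSER */

 /**
@@ -447,3 +472,12 @@ bool capable_wrt_inode_uidgid(const struct inode *inode, int cap)
 kgid_has_mapping(ns, inode->i_gid);
 }
 EXPORT_SYMBOL(capable_wrt_inode_uidgid);
+
+bool capable_wrt_inode_uidgid_nolog(const struct inode *inode, int cap)
+{
+ struct user_namespace *ns = current_user_ns();
+
+ return ns_capable_nolog(ns, cap) && kuid_has_mapping(ns, inode->i_uid) &&
+ kgid_has_mapping(ns, inode->i_gid);
+}
+EXPORT_SYMBOL(capable_wrt_inode_uidgid_nolog);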
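Review bot: ns_capable_nolog(), capable_nolog() and capable_wrt_inode_uidgid_nolog() are exported without a kerneldoc block of the kind the neighbouring capable() carries, so nothing states how they differ from the logging variants. Each needs a short `/** ... */` header saying that it performs the same test through security_capable_noaudit() and gr_is_capable_nolog(), that it is meant for callers that probe a capability without wanting a log entry, and that it still sets PF_SUPERPRIV on success. In has_ns_capability() and has_ns_capability_noaudit() `ret` remains declared `int` while now holding a truth value; `bool ret;` would match the return type.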
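diff --git a/kernel/cgroup.c b/kernel/cgroup.c
index fe6f855..7dba913 100644
--- a/kernel/cgroup.c
+++ b/kernel/cgroup.c
@@ -5425,6 +5425,9 @@ static void cgroup_release_agent(struct work_struct *work)
 if (!pathbuf || !agentbuf)
 goto out;

+ if (agentbuf[0] == '\0')
+ goto out;
+
 path = cgroup_path(cgrp, pathbuf, PATH_MAX);
 if (!path)
 goto out;
@@ -5610,7 +5613,7 @@ static int cgroup_css_links_read(struct seq_file *seq, void *v)
 struct task_struct *task;
 int count = 0;

- seq_printf(seq, "css_set %p\n", cset);
+ seq_printf(seq, "css_set %pK\n", cset);

 list_for_each_entry(task, &cset->tasks, cg_list) {
 if (count++ > MAX_TASKS_SHOWN_PER_CSS)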
105369diff --git a/kernel/compat.c b/kernel/compat.c
105370index 333d364..762ec00 100644
105371--- a/kernel/compat.c
105372+++ b/kernel/compat.c
105373@@ -13,6 +13,7 @@
105374
105375 #include <linux/linkage.h>
105376 #include <linux/compat.h>
105377+#include <linux/module.h>
105378 #include <linux/errno.h>
105379 #include <linux/time.h>
105380 #include <linux/signal.h>
105381@@ -220,7 +221,7 @@ static long compat_nanosleep_restart(struct restart_block *restart)
105382 mm_segment_t oldfs;
105383 long ret;
105384
105385- restart->nanosleep.rmtp = (struct timespec __user *) &rmt;
105386+ restart->nanosleep.rmtp = (struct timespec __force_user *) &rmt;
105387 oldfs = get_fs();
105388 set_fs(KERNEL_DS);
105389 ret = hrtimer_nanosleep_restart(restart);
105390@@ -252,7 +253,7 @@ COMPAT_SYSCALL_DEFINE2(nanosleep, struct compat_timespec __user *, rqtp,
105391 oldfs = get_fs();
105392 set_fs(KERNEL_DS);
105393 ret = hrtimer_nanosleep(&tu,
105394- rmtp ? (struct timespec __user *)&rmt : NULL,
105395+ rmtp ? (struct timespec __force_user *)&rmt : NULL,
105396 HRTIMER_MODE_REL, CLOCK_MONOTONIC);
105397 set_fs(oldfs);
105398
105399@@ -378,7 +379,7 @@ COMPAT_SYSCALL_DEFINE1(sigpending, compat_old_sigset_t __user *, set)
105400 mm_segment_t old_fs = get_fs();
105401
105402 set_fs(KERNEL_DS);
105403- ret = sys_sigpending((old_sigset_t __user *) &s);
105404+ ret = sys_sigpending((old_sigset_t __force_user *) &s);
105405 set_fs(old_fs);
105406 if (ret == 0)
105407 ret = put_user(s, set);
105408@@ -468,7 +469,7 @@ COMPAT_SYSCALL_DEFINE2(old_getrlimit, unsigned int, resource,
105409 mm_segment_t old_fs = get_fs();
105410
105411 set_fs(KERNEL_DS);
105412- ret = sys_old_getrlimit(resource, (struct rlimit __user *)&r);
105413+ ret = sys_old_getrlimit(resource, (struct rlimit __force_user *)&r);
105414 set_fs(old_fs);
105415
105416 if (!ret) {
105417@@ -550,8 +551,8 @@ COMPAT_SYSCALL_DEFINE4(wait4,
105418 set_fs (KERNEL_DS);
105419 ret = sys_wait4(pid,
105420 (stat_addr ?
105421- (unsigned int __user *) &status : NULL),
105422- options, (struct rusage __user *) &r);
105423+ (unsigned int __force_user *) &status : NULL),
105424+ options, (struct rusage __force_user *) &r);
105425 set_fs (old_fs);
105426
105427 if (ret > 0) {
105428@@ -577,8 +578,8 @@ COMPAT_SYSCALL_DEFINE5(waitid,
105429 memset(&info, 0, sizeof(info));
105430
105431 set_fs(KERNEL_DS);
105432- ret = sys_waitid(which, pid, (siginfo_t __user *)&info, options,
105433- uru ? (struct rusage __user *)&ru : NULL);
105434+ ret = sys_waitid(which, pid, (siginfo_t __force_user *)&info, options,
105435+ uru ? (struct rusage __force_user *)&ru : NULL);
105436 set_fs(old_fs);
105437
105438 if ((ret < 0) || (info.si_signo == 0))
105439@@ -712,8 +713,8 @@ COMPAT_SYSCALL_DEFINE4(timer_settime, timer_t, timer_id, int, flags,
105440 oldfs = get_fs();
105441 set_fs(KERNEL_DS);
105442 err = sys_timer_settime(timer_id, flags,
105443- (struct itimerspec __user *) &newts,
105444- (struct itimerspec __user *) &oldts);
105445+ (struct itimerspec __force_user *) &newts,
105446+ (struct itimerspec __force_user *) &oldts);
105447 set_fs(oldfs);
105448 if (!err && old && put_compat_itimerspec(old, &oldts))
105449 return -EFAULT;
105450@@ -730,7 +731,7 @@ COMPAT_SYSCALL_DEFINE2(timer_gettime, timer_t, timer_id,
105451 oldfs = get_fs();
105452 set_fs(KERNEL_DS);
105453 err = sys_timer_gettime(timer_id,
105454- (struct itimerspec __user *) &ts);
105455+ (struct itimerspec __force_user *) &ts);
105456 set_fs(oldfs);
105457 if (!err && put_compat_itimerspec(setting, &ts))
105458 return -EFAULT;
105459@@ -749,7 +750,7 @@ COMPAT_SYSCALL_DEFINE2(clock_settime, clockid_t, which_clock,
105460 oldfs = get_fs();
105461 set_fs(KERNEL_DS);
105462 err = sys_clock_settime(which_clock,
105463- (struct timespec __user *) &ts);
105464+ (struct timespec __force_user *) &ts);
105465 set_fs(oldfs);
105466 return err;
105467 }
105468@@ -764,7 +765,7 @@ COMPAT_SYSCALL_DEFINE2(clock_gettime, clockid_t, which_clock,
105469 oldfs = get_fs();
105470 set_fs(KERNEL_DS);
105471 err = sys_clock_gettime(which_clock,
105472- (struct timespec __user *) &ts);
105473+ (struct timespec __force_user *) &ts);
105474 set_fs(oldfs);
105475 if (!err && compat_put_timespec(&ts, tp))
105476 return -EFAULT;
105477@@ -784,7 +785,7 @@ COMPAT_SYSCALL_DEFINE2(clock_adjtime, clockid_t, which_clock,
105478
105479 oldfs = get_fs();
105480 set_fs(KERNEL_DS);
105481- ret = sys_clock_adjtime(which_clock, (struct timex __user *) &txc);
105482+ ret = sys_clock_adjtime(which_clock, (struct timex __force_user *) &txc);
105483 set_fs(oldfs);
105484
105485 err = compat_put_timex(utp, &txc);
105486@@ -804,7 +805,7 @@ COMPAT_SYSCALL_DEFINE2(clock_getres, clockid_t, which_clock,
105487 oldfs = get_fs();
105488 set_fs(KERNEL_DS);
105489 err = sys_clock_getres(which_clock,
105490- (struct timespec __user *) &ts);
105491+ (struct timespec __force_user *) &ts);
105492 set_fs(oldfs);
105493 if (!err && tp && compat_put_timespec(&ts, tp))
105494 return -EFAULT;
105495@@ -818,7 +819,7 @@ static long compat_clock_nanosleep_restart(struct restart_block *restart)
105496 struct timespec tu;
105497 struct compat_timespec __user *rmtp = restart->nanosleep.compat_rmtp;
105498
105499- restart->nanosleep.rmtp = (struct timespec __user *) &tu;
105500+ restart->nanosleep.rmtp = (struct timespec __force_user *) &tu;
105501 oldfs = get_fs();
105502 set_fs(KERNEL_DS);
105503 err = clock_nanosleep_restart(restart);
105504@@ -850,8 +851,8 @@ COMPAT_SYSCALL_DEFINE4(clock_nanosleep, clockid_t, which_clock, int, flags,
105505 oldfs = get_fs();
105506 set_fs(KERNEL_DS);
105507 err = sys_clock_nanosleep(which_clock, flags,
105508- (struct timespec __user *) &in,
105509- (struct timespec __user *) &out);
105510+ (struct timespec __force_user *) &in,
105511+ (struct timespec __force_user *) &out);
105512 set_fs(oldfs);
105513
105514 if ((err == -ERESTART_RESTARTBLOCK) && rmtp &&
105515@@ -1147,7 +1148,7 @@ COMPAT_SYSCALL_DEFINE2(sched_rr_get_interval,
105516 mm_segment_t old_fs = get_fs();
105517
105518 set_fs(KERNEL_DS);
105519- ret = sys_sched_rr_get_interval(pid, (struct timespec __user *)&t);
105520+ ret = sys_sched_rr_get_interval(pid, (struct timespec __force_user *)&t);
105521 set_fs(old_fs);
105522 if (compat_put_timespec(&t, interval))
105523 return -EFAULT;
105524diff --git a/kernel/configs.c b/kernel/configs.c
105525index c18b1f1..b9a0132 100644
105526--- a/kernel/configs.c
105527+++ b/kernel/configs.c
105528@@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
105529 struct proc_dir_entry *entry;
105530
105531 /* create the current config file */
105532+#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
105533+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
105534+ entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
105535+ &ikconfig_file_ops);
105536+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
105537+ entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
105538+ &ikconfig_file_ops);
105539+#endif
105540+#else
105541 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
105542 &ikconfig_file_ops);
105543+#endif
105544+
105545 if (!entry)
105546 return -ENOMEM;
105547
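Review bot: The inner `#if`/`#elif` in `ikconfig_init()` has no `#else`, so a build with `CONFIG_GRKERNSEC_PROC_ADD` set but none of `CONFIG_GRKERNSEC_PROC_USER`, `CONFIG_GRKERNSEC_HIDESYM` or `CONFIG_GRKERNSEC_PROC_USERGROUP` compiles no `proc_create()` call and reaches `if (!entry)` with `entry` never assigned. Kconfig dependencies outside this hunk may exclude that combination, but the code should not depend on that silently. Add `#else` followed by `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` before the inner `#endif`, or fall back to the `S_IFREG | S_IRUSR` call there.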
105548diff --git a/kernel/cred.c b/kernel/cred.c
105549index ec1c076..7da8a0e 100644
105550--- a/kernel/cred.c
105551+++ b/kernel/cred.c
105552@@ -167,6 +167,15 @@ void exit_creds(struct task_struct *tsk)
105553 validate_creds(cred);
105554 alter_cred_subscribers(cred, -1);
105555 put_cred(cred);
105556+
105557+#ifdef CONFIG_GRKERNSEC_SETXID
105558+ cred = (struct cred *) tsk->delayed_cred;
105559+ if (cred != NULL) {
105560+ tsk->delayed_cred = NULL;
105561+ validate_creds(cred);
105562+ put_cred(cred);
105563+ }
105564+#endif
105565 }
105566
105567 /**
105568@@ -414,7 +423,7 @@ static bool cred_cap_issubset(const struct cred *set, const struct cred *subset)
105569 * Always returns 0 thus allowing this function to be tail-called at the end
105570 * of, say, sys_setgid().
105571 */
105572-int commit_creds(struct cred *new)
105573+static int __commit_creds(struct cred *new)
105574 {
105575 struct task_struct *task = current;
105576 const struct cred *old = task->real_cred;
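Review bot: The kernel-doc block that ends just above the changed signature still describes the public entry point (its last lines mention being tail-called from `sys_setgid()`), but after the rename it is attached to the static `__commit_creds()`. The exported `commit_creds()` wrapper added further down has no documentation at all. Either move the block to the wrapper and leave `/* performs the actual commit; see commit_creds() */` here, or retitle it and give the wrapper its own comment describing the extra thread-group propagation. The start of the doc block is outside the hunk.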
105577@@ -433,6 +442,8 @@ int commit_creds(struct cred *new)
105578
105579 get_cred(new); /* we will require a ref for the subj creds too */
105580
105581+ gr_set_role_label(task, new->uid, new->gid);
105582+
105583 /* dumpability changes */
105584 if (!uid_eq(old->euid, new->euid) ||
105585 !gid_eq(old->egid, new->egid) ||
105586@@ -482,6 +493,105 @@ int commit_creds(struct cred *new)
105587 put_cred(old);
105588 return 0;
105589 }
105590+#ifdef CONFIG_GRKERNSEC_SETXID
105591+extern int set_user(struct cred *new);
105592+
105593+void gr_delayed_cred_worker(void)
105594+{
105595+ const struct cred *new = current->delayed_cred;
105596+ struct cred *ncred;
105597+
105598+ current->delayed_cred = NULL;
105599+
105600+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID) && new != NULL) {
105601+ // from doing get_cred on it when queueing this
105602+ put_cred(new);
105603+ return;
105604+ } else if (new == NULL)
105605+ return;
105606+
105607+ ncred = prepare_creds();
105608+ if (!ncred)
105609+ goto die;
105610+ // uids
105611+ ncred->uid = new->uid;
105612+ ncred->euid = new->euid;
105613+ ncred->suid = new->suid;
105614+ ncred->fsuid = new->fsuid;
105615+ // gids
105616+ ncred->gid = new->gid;
105617+ ncred->egid = new->egid;
105618+ ncred->sgid = new->sgid;
105619+ ncred->fsgid = new->fsgid;
105620+ // groups
105621+ set_groups(ncred, new->group_info);
105622+ // caps
105623+ ncred->securebits = new->securebits;
105624+ ncred->cap_inheritable = new->cap_inheritable;
105625+ ncred->cap_permitted = new->cap_permitted;
105626+ ncred->cap_effective = new->cap_effective;
105627+ ncred->cap_bset = new->cap_bset;
105628+
105629+ if (set_user(ncred)) {
105630+ abort_creds(ncred);
105631+ goto die;
105632+ }
105633+
105634+ // from doing get_cred on it when queueing this
105635+ put_cred(new);
105636+
105637+ __commit_creds(ncred);
105638+ return;
105639+die:
105640+ // from doing get_cred on it when queueing this
105641+ put_cred(new);
105642+ do_group_exit(SIGKILL);
105643+}
105644+#endif
105645+
105646+int commit_creds(struct cred *new)
105647+{
105648+#ifdef CONFIG_GRKERNSEC_SETXID
105649+ int ret;
105650+ int schedule_it = 0;
105651+ struct task_struct *t;
105652+ unsigned oldsecurebits = current_cred()->securebits;
105653+
105654+ /* we won't get called with tasklist_lock held for writing
105655+ and interrupts disabled as the cred struct in that case is
105656+ init_cred
105657+ */
105658+ if (grsec_enable_setxid && !current_is_single_threaded() &&
105659+ uid_eq(current_uid(), GLOBAL_ROOT_UID) &&
105660+ !uid_eq(new->uid, GLOBAL_ROOT_UID)) {
105661+ schedule_it = 1;
105662+ }
105663+ ret = __commit_creds(new);
105664+ if (schedule_it) {
105665+ rcu_read_lock();
105666+ read_lock(&tasklist_lock);
105667+ for (t = next_thread(current); t != current;
105668+ t = next_thread(t)) {
105669+ /* we'll check if the thread has uid 0 in
105670+ * the delayed worker routine
105671+ */
105672+ if (task_securebits(t) == oldsecurebits &&
105673+ t->delayed_cred == NULL) {
105674+ t->delayed_cred = get_cred(new);
105675+ set_tsk_thread_flag(t, TIF_GRSEC_SETXID);
105676+ set_tsk_need_resched(t);
105677+ }
105678+ }
105679+ read_unlock(&tasklist_lock);
105680+ rcu_read_unlock();
105681+ }
105682+
105683+ return ret;
105684+#else
105685+ return __commit_creds(new);
105686+#endif
105687+}
105688+
105689 EXPORT_SYMBOL(commit_creds);
105690
105691 /**
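Review bot: In the new `commit_creds()`, the `t->delayed_cred == NULL` test and the `t->delayed_cred = get_cred(new)` store run under `read_lock(&tasklist_lock)`, which is a shared lock. Two threads of one process changing credentials at the same time therefore appear able to both pass the test for a third thread, and the later store would overwrite the earlier one, whose reference is then never dropped. `gr_delayed_cred_worker()` has the matching window between reading `current->delayed_cred` and clearing it. Unless serialization outside this hunk rules this out, claim the slot atomically: `new = xchg(&current->delayed_cred, NULL);` in the worker, and in the loop a `cmpxchg()` from NULL with `put_cred(new)` when it fails.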
105692diff --git a/kernel/debug/debug_core.c b/kernel/debug/debug_core.c
105693index 0874e2e..5b32cc9 100644
105694--- a/kernel/debug/debug_core.c
105695+++ b/kernel/debug/debug_core.c
105696@@ -127,7 +127,7 @@ static DEFINE_RAW_SPINLOCK(dbg_slave_lock);
105697 */
105698 static atomic_t masters_in_kgdb;
105699 static atomic_t slaves_in_kgdb;
105700-static atomic_t kgdb_break_tasklet_var;
105701+static atomic_unchecked_t kgdb_break_tasklet_var;
105702 atomic_t kgdb_setting_breakpoint;
105703
105704 struct task_struct *kgdb_usethread;
105705@@ -137,7 +137,7 @@ int kgdb_single_step;
105706 static pid_t kgdb_sstep_pid;
105707
105708 /* to keep track of the CPU which is doing the single stepping*/
105709-atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
105710+atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
105711
105712 /*
105713 * If you are debugging a problem where roundup (the collection of
105714@@ -552,7 +552,7 @@ return_normal:
105715 * kernel will only try for the value of sstep_tries before
105716 * giving up and continuing on.
105717 */
105718- if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
105719+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
105720 (kgdb_info[cpu].task &&
105721 kgdb_info[cpu].task->pid != kgdb_sstep_pid) && --sstep_tries) {
105722 atomic_set(&kgdb_active, -1);
105723@@ -654,8 +654,8 @@ cpu_master_loop:
105724 }
105725
105726 kgdb_restore:
105727- if (atomic_read(&kgdb_cpu_doing_single_step) != -1) {
105728- int sstep_cpu = atomic_read(&kgdb_cpu_doing_single_step);
105729+ if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1) {
105730+ int sstep_cpu = atomic_read_unchecked(&kgdb_cpu_doing_single_step);
105731 if (kgdb_info[sstep_cpu].task)
105732 kgdb_sstep_pid = kgdb_info[sstep_cpu].task->pid;
105733 else
105734@@ -949,18 +949,18 @@ static void kgdb_unregister_callbacks(void)
105735 static void kgdb_tasklet_bpt(unsigned long ing)
105736 {
105737 kgdb_breakpoint();
105738- atomic_set(&kgdb_break_tasklet_var, 0);
105739+ atomic_set_unchecked(&kgdb_break_tasklet_var, 0);
105740 }
105741
105742 static DECLARE_TASKLET(kgdb_tasklet_breakpoint, kgdb_tasklet_bpt, 0);
105743
105744 void kgdb_schedule_breakpoint(void)
105745 {
105746- if (atomic_read(&kgdb_break_tasklet_var) ||
105747+ if (atomic_read_unchecked(&kgdb_break_tasklet_var) ||
105748 atomic_read(&kgdb_active) != -1 ||
105749 atomic_read(&kgdb_setting_breakpoint))
105750 return;
105751- atomic_inc(&kgdb_break_tasklet_var);
105752+ atomic_inc_unchecked(&kgdb_break_tasklet_var);
105753 tasklet_schedule(&kgdb_tasklet_breakpoint);
105754 }
105755 EXPORT_SYMBOL_GPL(kgdb_schedule_breakpoint);
105756diff --git a/kernel/debug/kdb/kdb_main.c b/kernel/debug/kdb/kdb_main.c
105757index 41213454..861e178 100644
105758--- a/kernel/debug/kdb/kdb_main.c
105759+++ b/kernel/debug/kdb/kdb_main.c
105760@@ -2021,7 +2021,7 @@ static int kdb_lsmod(int argc, const char **argv)
105761 continue;
105762
105763 kdb_printf("%-20s%8u 0x%p ", mod->name,
105764- mod->core_size, (void *)mod);
105765+ mod->core_size_rx + mod->core_size_rw, (void *)mod);
105766 #ifdef CONFIG_MODULE_UNLOAD
105767 kdb_printf("%4d ", module_refcount(mod));
105768 #endif
105769@@ -2031,7 +2031,7 @@ static int kdb_lsmod(int argc, const char **argv)
105770 kdb_printf(" (Loading)");
105771 else
105772 kdb_printf(" (Live)");
105773- kdb_printf(" 0x%p", mod->module_core);
105774+ kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
105775
105776 #ifdef CONFIG_MODULE_UNLOAD
105777 {
105778diff --git a/kernel/events/core.c b/kernel/events/core.c
105779index e6feb51..470c853 100644
105780--- a/kernel/events/core.c
105781+++ b/kernel/events/core.c
105782@@ -174,8 +174,15 @@ static struct srcu_struct pmus_srcu;
105783 * 0 - disallow raw tracepoint access for unpriv
105784 * 1 - disallow cpu events for unpriv
105785 * 2 - disallow kernel profiling for unpriv
105786+ * 3 - disallow all unpriv perf event use
105787 */
105788-int sysctl_perf_event_paranoid __read_mostly = 1;
105789+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
105790+int sysctl_perf_event_legitimately_concerned __read_only = 3;
105791+#elif defined(CONFIG_GRKERNSEC_HIDESYM)
105792+int sysctl_perf_event_legitimately_concerned __read_only = 2;
105793+#else
105794+int sysctl_perf_event_legitimately_concerned __read_only = 1;
105795+#endif
105796
105797 /* Minimum for 512 kiB + 1 user control page */
105798 int sysctl_perf_event_mlock __read_mostly = 512 + (PAGE_SIZE / 1024); /* 'free' kiB per user */
105799@@ -201,7 +208,7 @@ void update_perf_cpu_limits(void)
105800
105801 tmp *= sysctl_perf_cpu_time_max_percent;
105802 do_div(tmp, 100);
105803- ACCESS_ONCE(perf_sample_allowed_ns) = tmp;
105804+ ACCESS_ONCE_RW(perf_sample_allowed_ns) = tmp;
105805 }
105806
105807 static int perf_rotate_context(struct perf_cpu_context *cpuctx);
105808@@ -307,7 +314,7 @@ void perf_sample_event_took(u64 sample_len_ns)
105809 }
105810 }
105811
105812-static atomic64_t perf_event_id;
105813+static atomic64_unchecked_t perf_event_id;
105814
105815 static void cpu_ctx_sched_out(struct perf_cpu_context *cpuctx,
105816 enum event_type_t event_type);
105817@@ -3753,9 +3760,9 @@ u64 perf_event_read_value(struct perf_event *event, u64 *enabled, u64 *running)
105818 mutex_lock(&event->child_mutex);
105819 total += perf_event_read(event);
105820 *enabled += event->total_time_enabled +
105821- atomic64_read(&event->child_total_time_enabled);
105822+ atomic64_read_unchecked(&event->child_total_time_enabled);
105823 *running += event->total_time_running +
105824- atomic64_read(&event->child_total_time_running);
105825+ atomic64_read_unchecked(&event->child_total_time_running);
105826
105827 list_for_each_entry(child, &event->child_list, child_list) {
105828 total += perf_event_read(child);
105829@@ -4285,10 +4292,10 @@ void perf_event_update_userpage(struct perf_event *event)
105830 userpg->offset -= local64_read(&event->hw.prev_count);
105831
105832 userpg->time_enabled = enabled +
105833- atomic64_read(&event->child_total_time_enabled);
105834+ atomic64_read_unchecked(&event->child_total_time_enabled);
105835
105836 userpg->time_running = running +
105837- atomic64_read(&event->child_total_time_running);
105838+ atomic64_read_unchecked(&event->child_total_time_running);
105839
105840 arch_perf_update_userpage(event, userpg, now);
105841
105842@@ -4963,7 +4970,7 @@ perf_output_sample_ustack(struct perf_output_handle *handle, u64 dump_size,
105843
105844 /* Data. */
105845 sp = perf_user_stack_pointer(regs);
105846- rem = __output_copy_user(handle, (void *) sp, dump_size);
105847+ rem = __output_copy_user(handle, (void __user *) sp, dump_size);
105848 dyn_size = dump_size - rem;
105849
105850 perf_output_skip(handle, rem);
105851@@ -5054,11 +5061,11 @@ static void perf_output_read_one(struct perf_output_handle *handle,
105852 values[n++] = perf_event_count(event);
105853 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
105854 values[n++] = enabled +
105855- atomic64_read(&event->child_total_time_enabled);
105856+ atomic64_read_unchecked(&event->child_total_time_enabled);
105857 }
105858 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
105859 values[n++] = running +
105860- atomic64_read(&event->child_total_time_running);
105861+ atomic64_read_unchecked(&event->child_total_time_running);
105862 }
105863 if (read_format & PERF_FORMAT_ID)
105864 values[n++] = primary_event_id(event);
105865@@ -7588,7 +7595,7 @@ perf_event_alloc(struct perf_event_attr *attr, int cpu,
105866 event->parent = parent_event;
105867
105868 event->ns = get_pid_ns(task_active_pid_ns(current));
105869- event->id = atomic64_inc_return(&perf_event_id);
105870+ event->id = atomic64_inc_return_unchecked(&perf_event_id);
105871
105872 event->state = PERF_EVENT_STATE_INACTIVE;
105873
105874@@ -7947,6 +7954,11 @@ SYSCALL_DEFINE5(perf_event_open,
105875 if (flags & ~PERF_FLAG_ALL)
105876 return -EINVAL;
105877
105878+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
105879+ if (perf_paranoid_any() && !capable(CAP_SYS_ADMIN))
105880+ return -EACCES;
105881+#endif
105882+
105883 err = perf_copy_attr(attr_uptr, &attr);
105884 if (err)
105885 return err;
105886@@ -8395,10 +8407,10 @@ static void sync_child_event(struct perf_event *child_event,
105887 /*
105888 * Add back the child's count to the parent's count:
105889 */
105890- atomic64_add(child_val, &parent_event->child_count);
105891- atomic64_add(child_event->total_time_enabled,
105892+ atomic64_add_unchecked(child_val, &parent_event->child_count);
105893+ atomic64_add_unchecked(child_event->total_time_enabled,
105894 &parent_event->child_total_time_enabled);
105895- atomic64_add(child_event->total_time_running,
105896+ atomic64_add_unchecked(child_event->total_time_running,
105897 &parent_event->child_total_time_running);
105898
105899 /*
105900diff --git a/kernel/events/internal.h b/kernel/events/internal.h
105901index 2bbad9c..056f20c 100644
105902--- a/kernel/events/internal.h
105903+++ b/kernel/events/internal.h
105904@@ -115,10 +115,10 @@ static inline unsigned long perf_aux_size(struct ring_buffer *rb)
105905 return rb->aux_nr_pages << PAGE_SHIFT;
105906 }
105907
105908-#define DEFINE_OUTPUT_COPY(func_name, memcpy_func) \
105909+#define DEFINE_OUTPUT_COPY(func_name, memcpy_func, user) \
105910 static inline unsigned long \
105911 func_name(struct perf_output_handle *handle, \
105912- const void *buf, unsigned long len) \
105913+ const void user *buf, unsigned long len) \
105914 { \
105915 unsigned long size, written; \
105916 \
105917@@ -151,7 +151,7 @@ memcpy_common(void *dst, const void *src, unsigned long n)
105918 return 0;
105919 }
105920
105921-DEFINE_OUTPUT_COPY(__output_copy, memcpy_common)
105922+DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, )
105923
105924 static inline unsigned long
105925 memcpy_skip(void *dst, const void *src, unsigned long n)
105926@@ -159,7 +159,7 @@ memcpy_skip(void *dst, const void *src, unsigned long n)
105927 return 0;
105928 }
105929
105930-DEFINE_OUTPUT_COPY(__output_skip, memcpy_skip)
105931+DEFINE_OUTPUT_COPY(__output_skip, memcpy_skip, )
105932
105933 #ifndef arch_perf_out_copy_user
105934 #define arch_perf_out_copy_user arch_perf_out_copy_user
105935@@ -177,7 +177,7 @@ arch_perf_out_copy_user(void *dst, const void *src, unsigned long n)
105936 }
105937 #endif
105938
105939-DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user)
105940+DEFINE_OUTPUT_COPY(__output_copy_user, arch_perf_out_copy_user, __user)
105941
105942 /* Callchain handling */
105943 extern struct perf_callchain_entry *
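Review bot: `__output_copy_user` now takes `const void __user *buf`, but the generic `arch_perf_out_copy_user()` it is instantiated with still has a plain `const void *src` parameter (see this hunk's header line; no hunk in this file section changes it). The address-space annotation is therefore presumably dropped at the `memcpy_func` call inside the macro, whose body is outside the hunks. Declaring that parameter as `const void __user *src` would carry the annotation down to the actual copy; architecture overrides of `arch_perf_out_copy_user` are not visible here and need the same check. Separately, the empty third argument in `DEFINE_OUTPUT_COPY(__output_copy, memcpy_common, )` deserves a comment such as `/* no qualifier: kernel buffer */`.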
105944diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
105945index cb346f2..e4dc317 100644
105946--- a/kernel/events/uprobes.c
105947+++ b/kernel/events/uprobes.c
105948@@ -1670,7 +1670,7 @@ static int is_trap_at_addr(struct mm_struct *mm, unsigned long vaddr)
105949 {
105950 struct page *page;
105951 uprobe_opcode_t opcode;
105952- int result;
105953+ long result;
105954
105955 pagefault_disable();
105956 result = __copy_from_user_inatomic(&opcode, (void __user*)vaddr,
105957diff --git a/kernel/exit.c b/kernel/exit.c
105958index 031325e..c6342c4 100644
105959--- a/kernel/exit.c
105960+++ b/kernel/exit.c
105961@@ -171,6 +171,10 @@ void release_task(struct task_struct *p)
105962 struct task_struct *leader;
105963 int zap_leader;
105964 repeat:
105965+#ifdef CONFIG_NET
105966+ gr_del_task_from_ip_table(p);
105967+#endif
105968+
105969 /* don't need to get the RCU readlock here - the process is dead and
105970 * can't be modifying its own credentials. But shut RCU-lockdep up */
105971 rcu_read_lock();
105972@@ -656,6 +660,8 @@ void do_exit(long code)
105973 int group_dead;
105974 TASKS_RCU(int tasks_rcu_i);
105975
105976+ set_fs(USER_DS);
105977+
105978 profile_task_exit(tsk);
105979
105980 WARN_ON(blk_needs_flush_plug(tsk));
105981@@ -672,7 +678,6 @@ void do_exit(long code)
105982 * mm_release()->clear_child_tid() from writing to a user-controlled
105983 * kernel address.
105984 */
105985- set_fs(USER_DS);
105986
105987 ptrace_event(PTRACE_EVENT_EXIT, code);
105988
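Review bot: With `set_fs(USER_DS)` removed here, the comment block ending "... from writing to a user-controlled kernel address." no longer sits above any statement, while the call added at the top of `do_exit()` in the previous hunk carries no explanation. Move the comment up together with the call, or add one there such as `/* reset addr_limit before anything else in the exit path touches user memory */` and delete the orphaned block. The beginning of the comment block is outside the hunk.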
105989@@ -730,6 +735,9 @@ void do_exit(long code)
105990 tsk->exit_code = code;
105991 taskstats_exit(tsk, group_dead);
105992
105993+ gr_acl_handle_psacct(tsk, code);
105994+ gr_acl_handle_exit();
105995+
105996 exit_mm(tsk);
105997
105998 if (group_dead)
105999@@ -847,7 +855,7 @@ SYSCALL_DEFINE1(exit, int, error_code)
106000 * Take down every thread in the group. This is called by fatal signals
106001 * as well as by sys_exit_group (below).
106002 */
106003-void
106004+__noreturn void
106005 do_group_exit(int exit_code)
106006 {
106007 struct signal_struct *sig = current->signal;
106008diff --git a/kernel/fork.c b/kernel/fork.c
106009index e769c8c..9fa1de5 100644
106010--- a/kernel/fork.c
106011+++ b/kernel/fork.c
106012@@ -188,12 +188,54 @@ static void free_thread_info(struct thread_info *ti)
106013 void thread_info_cache_init(void)
106014 {
106015 thread_info_cache = kmem_cache_create("thread_info", THREAD_SIZE,
106016- THREAD_SIZE, 0, NULL);
106017+ THREAD_SIZE, SLAB_USERCOPY, NULL);
106018 BUG_ON(thread_info_cache == NULL);
106019 }
106020 # endif
106021 #endif
106022
106023+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
106024+static inline struct thread_info *gr_alloc_thread_info_node(struct task_struct *tsk,
106025+ int node, void **lowmem_stack)
106026+{
106027+ struct page *pages[THREAD_SIZE / PAGE_SIZE];
106028+ void *ret = NULL;
106029+ unsigned int i;
106030+
106031+ *lowmem_stack = alloc_thread_info_node(tsk, node);
106032+ if (*lowmem_stack == NULL)
106033+ goto out;
106034+
106035+ for (i = 0; i < THREAD_SIZE / PAGE_SIZE; i++)
106036+ pages[i] = virt_to_page(*lowmem_stack + (i * PAGE_SIZE));
106037+
106038+ /* use VM_IOREMAP to gain THREAD_SIZE alignment */
106039+ ret = vmap(pages, THREAD_SIZE / PAGE_SIZE, VM_IOREMAP, PAGE_KERNEL);
106040+ if (ret == NULL) {
106041+ free_thread_info(*lowmem_stack);
106042+ *lowmem_stack = NULL;
106043+ }
106044+
106045+out:
106046+ return ret;
106047+}
106048+
106049+static inline void gr_free_thread_info(struct task_struct *tsk, struct thread_info *ti)
106050+{
106051+ unmap_process_stacks(tsk);
106052+}
106053+#else
106054+static inline struct thread_info *gr_alloc_thread_info_node(struct task_struct *tsk,
106055+ int node, void **lowmem_stack)
106056+{
106057+ return alloc_thread_info_node(tsk, node);
106058+}
106059+static inline void gr_free_thread_info(struct task_struct *tsk, struct thread_info *ti)
106060+{
106061+ free_thread_info(ti);
106062+}
106063+#endif
106064+
106065 /* SLAB cache for signal_struct structures (tsk->signal) */
106066 static struct kmem_cache *signal_cachep;
106067
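Review bot: The `CONFIG_GRKERNSEC_KSTACKOVERFLOW` version of `gr_free_thread_info()` ignores its `ti` argument and calls `unmap_process_stacks(tsk)`, yet the `free_ti:` path in `dup_task_struct()` (a later hunk) calls it before `tsk->stack = ti` and `tsk->lowmem_stack = lowmem_stack` have been assigned. `unmap_process_stacks()` is not shown here, but if it works from those two fields it would act on whatever `arch_dup_task_struct()` left in `tsk` rather than on the allocation being unwound. Assigning both fields under the `#ifdef` at `free_ti:` before the call, or passing `lowmem_stack` to the helper explicitly, would make the error path self-contained. A comment should also state that the non-hardened `gr_alloc_thread_info_node()` never writes `*lowmem_stack`.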
106068@@ -212,18 +254,22 @@ struct kmem_cache *vm_area_cachep;
106069 /* SLAB cache for mm_struct structures (tsk->mm) */
106070 static struct kmem_cache *mm_cachep;
106071
106072-static void account_kernel_stack(struct thread_info *ti, int account)
106073+static void account_kernel_stack(struct task_struct *tsk, struct thread_info *ti, int account)
106074 {
106075+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
106076+ struct zone *zone = page_zone(virt_to_page(tsk->lowmem_stack));
106077+#else
106078 struct zone *zone = page_zone(virt_to_page(ti));
106079+#endif
106080
106081 mod_zone_page_state(zone, NR_KERNEL_STACK, account);
106082 }
106083
106084 void free_task(struct task_struct *tsk)
106085 {
106086- account_kernel_stack(tsk->stack, -1);
106087+ account_kernel_stack(tsk, tsk->stack, -1);
106088 arch_release_thread_info(tsk->stack);
106089- free_thread_info(tsk->stack);
106090+ gr_free_thread_info(tsk, tsk->stack);
106091 rt_mutex_debug_task_free(tsk);
106092 ftrace_graph_exit_task(tsk);
106093 put_seccomp_filter(tsk);
106094@@ -289,7 +335,7 @@ static void set_max_threads(unsigned int max_threads_suggested)
106095
106096 #ifdef CONFIG_ARCH_WANTS_DYNAMIC_TASK_STRUCT
106097 /* Initialized by the architecture: */
106098-int arch_task_struct_size __read_mostly;
106099+size_t arch_task_struct_size __read_mostly;
106100 #endif
106101
106102 void __init fork_init(void)
106103@@ -334,6 +380,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
106104 {
106105 struct task_struct *tsk;
106106 struct thread_info *ti;
106107+ void *lowmem_stack;
106108 int node = tsk_fork_get_node(orig);
106109 int err;
106110
106111@@ -341,7 +388,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
106112 if (!tsk)
106113 return NULL;
106114
106115- ti = alloc_thread_info_node(tsk, node);
106116+ ti = gr_alloc_thread_info_node(tsk, node, &lowmem_stack);
106117 if (!ti)
106118 goto free_tsk;
106119
106120@@ -350,6 +397,9 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
106121 goto free_ti;
106122
106123 tsk->stack = ti;
106124+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
106125+ tsk->lowmem_stack = lowmem_stack;
106126+#endif
106127 #ifdef CONFIG_SECCOMP
106128 /*
106129 * We must handle setting up seccomp filters once we're under
106130@@ -366,7 +416,7 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
106131 set_task_stack_end_magic(tsk);
106132
106133 #ifdef CONFIG_CC_STACKPROTECTOR
106134- tsk->stack_canary = get_random_int();
106135+ tsk->stack_canary = pax_get_random_long();
106136 #endif
106137
106138 /*
106139@@ -380,24 +430,89 @@ static struct task_struct *dup_task_struct(struct task_struct *orig)
106140 tsk->splice_pipe = NULL;
106141 tsk->task_frag.page = NULL;
106142
106143- account_kernel_stack(ti, 1);
106144+ account_kernel_stack(tsk, ti, 1);
106145
106146 return tsk;
106147
106148 free_ti:
106149- free_thread_info(ti);
106150+ gr_free_thread_info(tsk, ti);
106151 free_tsk:
106152 free_task_struct(tsk);
106153 return NULL;
106154 }
106155
106156 #ifdef CONFIG_MMU
106157-static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
106158+static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct mm_struct *oldmm, struct vm_area_struct *mpnt)
106159+{
106160+ struct vm_area_struct *tmp;
106161+ unsigned long charge;
106162+ struct file *file;
106163+ int retval;
106164+
106165+ charge = 0;
106166+ if (mpnt->vm_flags & VM_ACCOUNT) {
106167+ unsigned long len = vma_pages(mpnt);
106168+
106169+ if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
106170+ goto fail_nomem;
106171+ charge = len;
106172+ }
106173+ tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
106174+ if (!tmp)
106175+ goto fail_nomem;
106176+ *tmp = *mpnt;
106177+ tmp->vm_mm = mm;
106178+ INIT_LIST_HEAD(&tmp->anon_vma_chain);
106179+ retval = vma_dup_policy(mpnt, tmp);
106180+ if (retval)
106181+ goto fail_nomem_policy;
106182+ if (anon_vma_fork(tmp, mpnt))
106183+ goto fail_nomem_anon_vma_fork;
106184+ tmp->vm_flags &= ~VM_LOCKED;
106185+ tmp->vm_next = tmp->vm_prev = NULL;
106186+ tmp->vm_mirror = NULL;
106187+ file = tmp->vm_file;
106188+ if (file) {
106189+ struct inode *inode = file_inode(file);
106190+ struct address_space *mapping = file->f_mapping;
106191+
106192+ get_file(file);
106193+ if (tmp->vm_flags & VM_DENYWRITE)
106194+ atomic_dec(&inode->i_writecount);
106195+ i_mmap_lock_write(mapping);
106196+ if (tmp->vm_flags & VM_SHARED)
106197+ atomic_inc(&mapping->i_mmap_writable);
106198+ flush_dcache_mmap_lock(mapping);
106199+ /* insert tmp into the share list, just after mpnt */
106200+ vma_interval_tree_insert_after(tmp, mpnt, &mapping->i_mmap);
106201+ flush_dcache_mmap_unlock(mapping);
106202+ i_mmap_unlock_write(mapping);
106203+ }
106204+
106205+ /*
106206+ * Clear hugetlb-related page reserves for children. This only
106207+ * affects MAP_PRIVATE mappings. Faults generated by the child
106208+ * are not guaranteed to succeed, even if read-only
106209+ */
106210+ if (is_vm_hugetlb_page(tmp))
106211+ reset_vma_resv_huge_pages(tmp);
106212+
106213+ return tmp;
106214+
106215+fail_nomem_anon_vma_fork:
106216+ mpol_put(vma_policy(tmp));
106217+fail_nomem_policy:
106218+ kmem_cache_free(vm_area_cachep, tmp);
106219+fail_nomem:
106220+ vm_unacct_memory(charge);
106221+ return NULL;
106222+}
106223+
106224+static __latent_entropy int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
106225 {
106226 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
106227 struct rb_node **rb_link, *rb_parent;
106228 int retval;
106229- unsigned long charge;
106230
106231 uprobe_start_dup_mmap();
106232 down_write(&oldmm->mmap_sem);
106233@@ -428,51 +543,15 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
106234
106235 prev = NULL;
106236 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
106237- struct file *file;
106238-
106239 if (mpnt->vm_flags & VM_DONTCOPY) {
106240 vm_stat_account(mm, mpnt->vm_flags, mpnt->vm_file,
106241 -vma_pages(mpnt));
106242 continue;
106243 }
106244- charge = 0;
106245- if (mpnt->vm_flags & VM_ACCOUNT) {
106246- unsigned long len = vma_pages(mpnt);
106247-
106248- if (security_vm_enough_memory_mm(oldmm, len)) /* sic */
106249- goto fail_nomem;
106250- charge = len;
106251- }
106252- tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
106253- if (!tmp)
106254- goto fail_nomem;
106255- *tmp = *mpnt;
106256- INIT_LIST_HEAD(&tmp->anon_vma_chain);
106257- retval = vma_dup_policy(mpnt, tmp);
106258- if (retval)
106259- goto fail_nomem_policy;
106260- tmp->vm_mm = mm;
106261- if (anon_vma_fork(tmp, mpnt))
106262- goto fail_nomem_anon_vma_fork;
106263- tmp->vm_flags &= ~VM_LOCKED;
106264- tmp->vm_next = tmp->vm_prev = NULL;
106265- file = tmp->vm_file;
106266- if (file) {
106267- struct inode *inode = file_inode(file);
106268- struct address_space *mapping = file->f_mapping;
106269-
106270- get_file(file);
106271- if (tmp->vm_flags & VM_DENYWRITE)
106272- atomic_dec(&inode->i_writecount);
106273- i_mmap_lock_write(mapping);
106274- if (tmp->vm_flags & VM_SHARED)
106275- atomic_inc(&mapping->i_mmap_writable);
106276- flush_dcache_mmap_lock(mapping);
106277- /* insert tmp into the share list, just after mpnt */
106278- vma_interval_tree_insert_after(tmp, mpnt,
106279- &mapping->i_mmap);
106280- flush_dcache_mmap_unlock(mapping);
106281- i_mmap_unlock_write(mapping);
106282+ tmp = dup_vma(mm, oldmm, mpnt);
106283+ if (!tmp) {
106284+ retval = -ENOMEM;
106285+ goto out;
106286 }
106287
106288 /*
106289@@ -504,6 +583,31 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
106290 if (retval)
106291 goto out;
106292 }
106293+
106294+#ifdef CONFIG_PAX_SEGMEXEC
106295+ if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
106296+ struct vm_area_struct *mpnt_m;
106297+
106298+ for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
106299+ BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
106300+
106301+ if (!mpnt->vm_mirror)
106302+ continue;
106303+
106304+ if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
106305+ BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
106306+ mpnt->vm_mirror = mpnt_m;
106307+ } else {
106308+ BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
106309+ mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
106310+ mpnt_m->vm_mirror->vm_mirror = mpnt_m;
106311+ mpnt->vm_mirror->vm_mirror = mpnt;
106312+ }
106313+ }
106314+ BUG_ON(mpnt_m);
106315+ }
106316+#endif
106317+
106318 /* a new mm has just been created */
106319 arch_dup_mmap(oldmm, mm);
106320 retval = 0;
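Review bot: The SEGMEXEC mirror fix-up loop walks `oldmm->mmap` and `mm->mmap` in lockstep, but the copy loop earlier in dup_mmap() skips VM_DONTCOPY areas with `continue`, so the two lists need not contain matching entries. As written, a skipped area would either trip `BUG_ON(!mpnt_m || ...)` or pair unrelated VMAs, unless something outside this hunk rules out VM_DONTCOPY under SEGMEXEC. Either skip such entries on the old side only (advance `mpnt` without advancing `mpnt_m`) or state the invariant above the loop, e.g. `/* old and new VMA lists are expected to match one-to-one here */`. dup_mmap() starts and ends outside this hunk.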
106321@@ -513,14 +617,6 @@ out:
106322 up_write(&oldmm->mmap_sem);
106323 uprobe_end_dup_mmap();
106324 return retval;
106325-fail_nomem_anon_vma_fork:
106326- mpol_put(vma_policy(tmp));
106327-fail_nomem_policy:
106328- kmem_cache_free(vm_area_cachep, tmp);
106329-fail_nomem:
106330- retval = -ENOMEM;
106331- vm_unacct_memory(charge);
106332- goto out;
106333 }
106334
106335 static inline int mm_alloc_pgd(struct mm_struct *mm)
106336@@ -795,8 +891,8 @@ struct mm_struct *mm_access(struct task_struct *task, unsigned int mode)
106337 return ERR_PTR(err);
106338
106339 mm = get_task_mm(task);
106340- if (mm && mm != current->mm &&
106341- !ptrace_may_access(task, mode)) {
106342+ if (mm && ((mm != current->mm && !ptrace_may_access(task, mode)) ||
106343+ (mode == PTRACE_MODE_ATTACH && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))))) {
106344 mmput(mm);
106345 mm = ERR_PTR(-EACCES);
106346 }
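Review bot: The added grsecurity checks are gated on `mode == PTRACE_MODE_ATTACH`, an exact comparison on an argument that, as far as I know, is a bit mask. A caller passing PTRACE_MODE_ATTACH together with another mode bit would therefore skip `gr_handle_proc_ptrace()` and `gr_acl_handle_procpidmem()`. If that is not intended, test the bit instead: `(mode & PTRACE_MODE_ATTACH) && (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))`. The combined condition is also hard to read; two separate `if` statements sharing the `mmput()` / `-EACCES` body would make the precedence obvious.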
106347@@ -997,13 +1093,20 @@ static int copy_fs(unsigned long clone_flags, struct task_struct *tsk)
106348 spin_unlock(&fs->lock);
106349 return -EAGAIN;
106350 }
106351- fs->users++;
106352+ atomic_inc(&fs->users);
106353 spin_unlock(&fs->lock);
106354 return 0;
106355 }
106356 tsk->fs = copy_fs_struct(fs);
106357 if (!tsk->fs)
106358 return -ENOMEM;
106359+ /* Carry through gr_chroot_dentry and is_chrooted instead
106360+ of recomputing it here. Already copied when the task struct
106361+ is duplicated. This allows pivot_root to not be treated as
106362+ a chroot
106363+ */
106364+ //gr_set_chroot_entries(tsk, &tsk->fs->root);
106365+
106366 return 0;
106367 }
106368
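Review bot: The commented-out call `//gr_set_chroot_entries(tsk, &tsk->fs->root);` should be deleted rather than kept as dead code, since the block comment above it already records why the call is not made. That comment would be clearer if it named its subject and followed the kernel's multi-line style, e.g. `/* gr_chroot_dentry and is_chrooted were copied with the task struct; not recomputing them keeps pivot_root from being treated as a chroot. */`. copy_fs() starts outside this hunk.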
106369@@ -1238,7 +1341,7 @@ init_task_pid(struct task_struct *task, enum pid_type type, struct pid *pid)
106370 * parts of the process environment (as per the clone
106371 * flags). The actual kick-off is left to the caller.
106372 */
106373-static struct task_struct *copy_process(unsigned long clone_flags,
106374+static __latent_entropy struct task_struct *copy_process(unsigned long clone_flags,
106375 unsigned long stack_start,
106376 unsigned long stack_size,
106377 int __user *child_tidptr,
106378@@ -1310,6 +1413,9 @@ static struct task_struct *copy_process(unsigned long clone_flags,
106379 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
106380 #endif
106381 retval = -EAGAIN;
106382+
106383+ gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
106384+
106385 if (atomic_read(&p->real_cred->user->processes) >=
106386 task_rlimit(p, RLIMIT_NPROC)) {
106387 if (p->real_cred->user != INIT_USER &&
106388@@ -1560,6 +1666,11 @@ static struct task_struct *copy_process(unsigned long clone_flags,
106389 goto bad_fork_free_pid;
106390 }
106391
106392+ /* synchronizes with gr_set_acls()
106393+ we need to call this past the point of no return for fork()
106394+ */
106395+ gr_copy_label(p);
106396+
106397 if (likely(p->pid)) {
106398 ptrace_init_task(p, (clone_flags & CLONE_PTRACE) || trace);
106399
106400@@ -1649,6 +1760,8 @@ bad_fork_cleanup_count:
106401 bad_fork_free:
106402 free_task(p);
106403 fork_out:
106404+ gr_log_forkfail(retval);
106405+
106406 return ERR_PTR(retval);
106407 }
106408
106409@@ -1711,6 +1824,7 @@ long _do_fork(unsigned long clone_flags,
106410
106411 p = copy_process(clone_flags, stack_start, stack_size,
106412 child_tidptr, NULL, trace, tls);
106413+ add_latent_entropy();
106414 /*
106415 * Do this prior waking up the new thread - the thread pointer
106416 * might get invalid after that point, if the thread exits quickly.
106417@@ -1727,6 +1841,8 @@ long _do_fork(unsigned long clone_flags,
106418 if (clone_flags & CLONE_PARENT_SETTID)
106419 put_user(nr, parent_tidptr);
106420
106421+ gr_handle_brute_check();
106422+
106423 if (clone_flags & CLONE_VFORK) {
106424 p->vfork_done = &vfork;
106425 init_completion(&vfork);
106426@@ -1859,7 +1975,7 @@ void __init proc_caches_init(void)
106427 mm_cachep = kmem_cache_create("mm_struct",
106428 sizeof(struct mm_struct), ARCH_MIN_MMSTRUCT_ALIGN,
106429 SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_NOTRACK, NULL);
106430- vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC);
106431+ vm_area_cachep = KMEM_CACHE(vm_area_struct, SLAB_PANIC | SLAB_NO_SANITIZE);
106432 mmap_init();
106433 nsproxy_cache_init();
106434 }
106435@@ -1907,7 +2023,7 @@ static int unshare_fs(unsigned long unshare_flags, struct fs_struct **new_fsp)
106436 return 0;
106437
106438 /* don't need lock here; in the worst case we'll do useless copy */
106439- if (fs->users == 1)
106440+ if (atomic_read(&fs->users) == 1)
106441 return 0;
106442
106443 *new_fsp = copy_fs_struct(fs);
106444@@ -2019,7 +2135,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, unshare_flags)
106445 fs = current->fs;
106446 spin_lock(&fs->lock);
106447 current->fs = new_fs;
106448- if (--fs->users)
106449+ gr_set_chroot_entries(current, &current->fs->root);
106450+ if (atomic_dec_return(&fs->users))
106451 new_fs = NULL;
106452 else
106453 new_fs = fs;
106454@@ -2083,7 +2200,7 @@ int unshare_files(struct files_struct **displaced)
106455 int sysctl_max_threads(struct ctl_table *table, int write,
106456 void __user *buffer, size_t *lenp, loff_t *ppos)
106457 {
106458- struct ctl_table t;
106459+ ctl_table_no_const t;
106460 int ret;
106461 int threads = max_threads;
106462 int min = MIN_THREADS;
106463diff --git a/kernel/futex.c b/kernel/futex.c
106464index c4a182f..e789324 100644
106465--- a/kernel/futex.c
106466+++ b/kernel/futex.c
106467@@ -201,7 +201,7 @@ struct futex_pi_state {
106468 atomic_t refcount;
106469
106470 union futex_key key;
106471-};
106472+} __randomize_layout;
106473
106474 /**
106475 * struct futex_q - The hashed futex queue entry, one per waiting task
106476@@ -235,7 +235,7 @@ struct futex_q {
106477 struct rt_mutex_waiter *rt_waiter;
106478 union futex_key *requeue_pi_key;
106479 u32 bitset;
106480-};
106481+} __randomize_layout;
106482
106483 static const struct futex_q futex_q_init = {
106484 /* list gets initialized in queue_me()*/
106485@@ -402,6 +402,11 @@ get_futex_key(u32 __user *uaddr, int fshared, union futex_key *key, int rw)
106486 struct page *page, *page_head;
106487 int err, ro = 0;
106488
106489+#ifdef CONFIG_PAX_SEGMEXEC
106490+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
106491+ return -EFAULT;
106492+#endif
106493+
106494 /*
106495 * The futex address must be "naturally" aligned.
106496 */
106497@@ -601,7 +606,7 @@ static int cmpxchg_futex_value_locked(u32 *curval, u32 __user *uaddr,
106498
106499 static int get_futex_value_locked(u32 *dest, u32 __user *from)
106500 {
106501- int ret;
106502+ unsigned long ret;
106503
106504 pagefault_disable();
106505 ret = __copy_from_user_inatomic(dest, from, sizeof(u32));
106506@@ -3030,6 +3035,7 @@ static void __init futex_detect_cmpxchg(void)
106507 {
106508 #ifndef CONFIG_HAVE_FUTEX_CMPXCHG
106509 u32 curval;
106510+ mm_segment_t oldfs;
106511
106512 /*
106513 * This will fail and we want it. Some arch implementations do
106514@@ -3041,8 +3047,11 @@ static void __init futex_detect_cmpxchg(void)
106515 * implementation, the non-functional ones will return
106516 * -ENOSYS.
106517 */
106518+ oldfs = get_fs();
106519+ set_fs(USER_DS);
106520 if (cmpxchg_futex_value_locked(&curval, NULL, 0, 0) == -EFAULT)
106521 futex_cmpxchg_enabled = 1;
106522+ set_fs(oldfs);
106523 #endif
106524 }
106525
106526diff --git a/kernel/futex_compat.c b/kernel/futex_compat.c
106527index 55c8c93..9ba7ad6 100644
106528--- a/kernel/futex_compat.c
106529+++ b/kernel/futex_compat.c
106530@@ -32,7 +32,7 @@ fetch_robust_entry(compat_uptr_t *uentry, struct robust_list __user **entry,
106531 return 0;
106532 }
106533
106534-static void __user *futex_uaddr(struct robust_list __user *entry,
106535+static void __user __intentional_overflow(-1) *futex_uaddr(struct robust_list __user *entry,
106536 compat_long_t futex_offset)
106537 {
106538 compat_uptr_t base = ptr_to_compat(entry);
106539diff --git a/kernel/gcov/base.c b/kernel/gcov/base.c
106540index 7080ae1..c9b3761 100644
106541--- a/kernel/gcov/base.c
106542+++ b/kernel/gcov/base.c
106543@@ -123,11 +123,6 @@ void gcov_enable_events(void)
106544 }
106545
106546 #ifdef CONFIG_MODULES
106547-static inline int within(void *addr, void *start, unsigned long size)
106548-{
106549- return ((addr >= start) && (addr < start + size));
106550-}
106551-
106552 /* Update list and generate events when modules are unloaded. */
106553 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
106554 void *data)
106555@@ -142,7 +137,7 @@ static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
106556
106557 /* Remove entries located in module from linked list. */
106558 while ((info = gcov_info_next(info))) {
106559- if (within(info, mod->module_core, mod->core_size)) {
106560+ if (within_module_core_rw((unsigned long)info, mod)) {
106561 gcov_info_unlink(prev, info);
106562 if (gcov_events_enabled)
106563 gcov_event(GCOV_REMOVE, info);
106564diff --git a/kernel/irq/manage.c b/kernel/irq/manage.c
106565index f974485..c5b8afd 100644
106566--- a/kernel/irq/manage.c
106567+++ b/kernel/irq/manage.c
106568@@ -937,7 +937,7 @@ static int irq_thread(void *data)
106569
106570 action_ret = handler_fn(desc, action);
106571 if (action_ret == IRQ_HANDLED)
106572- atomic_inc(&desc->threads_handled);
106573+ atomic_inc_unchecked(&desc->threads_handled);
106574
106575 wake_threads_waitq(desc);
106576 }
106577diff --git a/kernel/irq/msi.c b/kernel/irq/msi.c
106578index 7bf1f1b..d73e508 100644
106579--- a/kernel/irq/msi.c
106580+++ b/kernel/irq/msi.c
106581@@ -195,16 +195,18 @@ static void msi_domain_update_dom_ops(struct msi_domain_info *info)
106582 return;
106583 }
106584
106585+ pax_open_kernel();
106586 if (ops->get_hwirq == NULL)
106587- ops->get_hwirq = msi_domain_ops_default.get_hwirq;
106588+ *(void **)&ops->get_hwirq = msi_domain_ops_default.get_hwirq;
106589 if (ops->msi_init == NULL)
106590- ops->msi_init = msi_domain_ops_default.msi_init;
106591+ *(void **)&ops->msi_init = msi_domain_ops_default.msi_init;
106592 if (ops->msi_check == NULL)
106593- ops->msi_check = msi_domain_ops_default.msi_check;
106594+ *(void **)&ops->msi_check = msi_domain_ops_default.msi_check;
106595 if (ops->msi_prepare == NULL)
106596- ops->msi_prepare = msi_domain_ops_default.msi_prepare;
106597+ *(void **)&ops->msi_prepare = msi_domain_ops_default.msi_prepare;
106598 if (ops->set_desc == NULL)
106599- ops->set_desc = msi_domain_ops_default.set_desc;
106600+ *(void **)&ops->set_desc = msi_domain_ops_default.set_desc;
106601+ pax_close_kernel();
106602 }
106603
106604 static void msi_domain_update_chip_ops(struct msi_domain_info *info)
106605@@ -212,12 +214,14 @@ static void msi_domain_update_chip_ops(struct msi_domain_info *info)
106606 struct irq_chip *chip = info->chip;
106607
106608 BUG_ON(!chip);
106609+ pax_open_kernel();
106610 if (!chip->irq_mask)
106611- chip->irq_mask = pci_msi_mask_irq;
106612+ *(void **)&chip->irq_mask = pci_msi_mask_irq;
106613 if (!chip->irq_unmask)
106614- chip->irq_unmask = pci_msi_unmask_irq;
106615+ *(void **)&chip->irq_unmask = pci_msi_unmask_irq;
106616 if (!chip->irq_set_affinity)
106617- chip->irq_set_affinity = msi_domain_set_affinity;
106618+ *(void **)&chip->irq_set_affinity = msi_domain_set_affinity;
106619+ pax_close_kernel();
106620 }
106621
106622 /**
106623diff --git a/kernel/irq/spurious.c b/kernel/irq/spurious.c
106624index e2514b0..de3dfe0 100644
106625--- a/kernel/irq/spurious.c
106626+++ b/kernel/irq/spurious.c
106627@@ -337,7 +337,7 @@ void note_interrupt(unsigned int irq, struct irq_desc *desc,
106628 * count. We just care about the count being
106629 * different than the one we saw before.
106630 */
106631- handled = atomic_read(&desc->threads_handled);
106632+ handled = atomic_read_unchecked(&desc->threads_handled);
106633 handled |= SPURIOUS_DEFERRED;
106634 if (handled != desc->threads_handled_last) {
106635 action_ret = IRQ_HANDLED;
106636diff --git a/kernel/jump_label.c b/kernel/jump_label.c
106637index 52ebaca..ec6f5cb 100644
106638--- a/kernel/jump_label.c
106639+++ b/kernel/jump_label.c
106640@@ -14,6 +14,7 @@
106641 #include <linux/err.h>
106642 #include <linux/static_key.h>
106643 #include <linux/jump_label_ratelimit.h>
106644+#include <linux/mm.h>
106645
106646 #ifdef HAVE_JUMP_LABEL
106647
106648@@ -51,7 +52,9 @@ jump_label_sort_entries(struct jump_entry *start, struct jump_entry *stop)
106649
106650 size = (((unsigned long)stop - (unsigned long)start)
106651 / sizeof(struct jump_entry));
106652+ pax_open_kernel();
106653 sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
106654+ pax_close_kernel();
106655 }
106656
106657 static void jump_label_update(struct static_key *key, int enable);
106658@@ -363,10 +366,12 @@ static void jump_label_invalidate_module_init(struct module *mod)
106659 struct jump_entry *iter_stop = iter_start + mod->num_jump_entries;
106660 struct jump_entry *iter;
106661
106662+ pax_open_kernel();
106663 for (iter = iter_start; iter < iter_stop; iter++) {
106664 if (within_module_init(iter->code, mod))
106665 iter->code = 0;
106666 }
106667+ pax_close_kernel();
106668 }
106669
106670 static int
106671diff --git a/kernel/kallsyms.c b/kernel/kallsyms.c
106672index 5c5987f..bc502b0 100644
106673--- a/kernel/kallsyms.c
106674+++ b/kernel/kallsyms.c
106675@@ -11,6 +11,9 @@
106676 * Changed the compression method from stem compression to "table lookup"
106677 * compression (see scripts/kallsyms.c for a more complete description)
106678 */
106679+#ifdef CONFIG_GRKERNSEC_HIDESYM
106680+#define __INCLUDED_BY_HIDESYM 1
106681+#endif
106682 #include <linux/kallsyms.h>
106683 #include <linux/module.h>
106684 #include <linux/init.h>
106685@@ -54,12 +57,33 @@ extern const unsigned long kallsyms_markers[] __weak;
106686
106687 static inline int is_kernel_inittext(unsigned long addr)
106688 {
106689+ if (system_state != SYSTEM_BOOTING)
106690+ return 0;
106691+
106692 if (addr >= (unsigned long)_sinittext
106693 && addr <= (unsigned long)_einittext)
106694 return 1;
106695 return 0;
106696 }
106697
106698+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
106699+#ifdef CONFIG_MODULES
106700+static inline int is_module_text(unsigned long addr)
106701+{
106702+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
106703+ return 1;
106704+
106705+ addr = ktla_ktva(addr);
106706+ return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
106707+}
106708+#else
106709+static inline int is_module_text(unsigned long addr)
106710+{
106711+ return 0;
106712+}
106713+#endif
106714+#endif
106715+
106716 static inline int is_kernel_text(unsigned long addr)
106717 {
106718 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
106719@@ -70,13 +94,28 @@ static inline int is_kernel_text(unsigned long addr)
106720
106721 static inline int is_kernel(unsigned long addr)
106722 {
106723+
106724+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
106725+ if (is_kernel_text(addr) || is_kernel_inittext(addr))
106726+ return 1;
106727+
106728+ if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
106729+#else
106730 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
106731+#endif
106732+
106733 return 1;
106734 return in_gate_area_no_mm(addr);
106735 }
106736
106737 static int is_ksym_addr(unsigned long addr)
106738 {
106739+
106740+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
106741+ if (is_module_text(addr))
106742+ return 0;
106743+#endif
106744+
106745 if (all_var)
106746 return is_kernel(addr);
106747
106748@@ -481,7 +520,6 @@ static unsigned long get_ksymbol_core(struct kallsym_iter *iter)
106749
106750 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
106751 {
106752- iter->name[0] = '\0';
106753 iter->nameoff = get_symbol_offset(new_pos);
106754 iter->pos = new_pos;
106755 }
106756@@ -529,6 +567,11 @@ static int s_show(struct seq_file *m, void *p)
106757 {
106758 struct kallsym_iter *iter = m->private;
106759
106760+#ifdef CONFIG_GRKERNSEC_HIDESYM
106761+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID))
106762+ return 0;
106763+#endif
106764+
106765 /* Some debugging symbols have no name. Ignore them. */
106766 if (!iter->name[0])
106767 return 0;
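Review bot: The HIDESYM check in s_show() tests `current_uid()` at the moment an entry is printed, so the decision follows whichever task calls read(), not the task that opened the file. Judging by the opener's credentials is the stricter rule when a descriptor can be passed to another process. If the read-time check is deliberate, say so in a comment such as `/* checked at read time against the reading task */`. Returning 0 for every entry also produces an empty file with no error, which deserves a word in the same comment. s_show() continues outside this hunk.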
106768@@ -542,6 +585,7 @@ static int s_show(struct seq_file *m, void *p)
106769 */
106770 type = iter->exported ? toupper(iter->type) :
106771 tolower(iter->type);
106772+
106773 seq_printf(m, "%pK %c %s\t[%s]\n", (void *)iter->value,
106774 type, iter->name, iter->module_name);
106775 } else
106776diff --git a/kernel/kcmp.c b/kernel/kcmp.c
106777index 0aa69ea..a7fcafb 100644
106778--- a/kernel/kcmp.c
106779+++ b/kernel/kcmp.c
106780@@ -100,6 +100,10 @@ SYSCALL_DEFINE5(kcmp, pid_t, pid1, pid_t, pid2, int, type,
106781 struct task_struct *task1, *task2;
106782 int ret;
106783
106784+#ifdef CONFIG_GRKERNSEC
106785+ return -ENOSYS;
106786+#endif
106787+
106788 rcu_read_lock();
106789
106790 /*
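Review bot: The unconditional `return -ENOSYS;` under CONFIG_GRKERNSEC has no comment, and it leaves the rest of the syscall body unreachable in that configuration. Put the reason next to it, e.g. `/* kcmp() is disabled under grsecurity: <reason> */`; presumably the comparison results reveal kernel object identity, but the hunk does not say. Guarding the remaining body with `#ifndef CONFIG_GRKERNSEC` would avoid unreachable-code and unused-variable warnings. The syscall body continues outside this hunk.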
106791diff --git a/kernel/kexec.c b/kernel/kexec.c
106792index a785c10..6dbb06f 100644
106793--- a/kernel/kexec.c
106794+++ b/kernel/kexec.c
106795@@ -1243,7 +1243,7 @@ static int kimage_load_segment(struct kimage *image,
106796 */
106797 struct kimage *kexec_image;
106798 struct kimage *kexec_crash_image;
106799-int kexec_load_disabled;
106800+int kexec_load_disabled __read_only;
106801
106802 static DEFINE_MUTEX(kexec_mutex);
106803
106804@@ -1359,7 +1359,8 @@ COMPAT_SYSCALL_DEFINE4(kexec_load, compat_ulong_t, entry,
106805 compat_ulong_t, flags)
106806 {
106807 struct compat_kexec_segment in;
106808- struct kexec_segment out, __user *ksegments;
106809+ struct kexec_segment out;
106810+ struct kexec_segment __user *ksegments;
106811 unsigned long i, result;
106812
106813 /* Don't allow clients that don't understand the native
106814diff --git a/kernel/kmod.c b/kernel/kmod.c
106815index 2777f40..a689506 100644
106816--- a/kernel/kmod.c
106817+++ b/kernel/kmod.c
106818@@ -68,7 +68,7 @@ static void free_modprobe_argv(struct subprocess_info *info)
106819 kfree(info->argv);
106820 }
106821
106822-static int call_modprobe(char *module_name, int wait)
106823+static int call_modprobe(char *module_name, char *module_param, int wait)
106824 {
106825 struct subprocess_info *info;
106826 static char *envp[] = {
106827@@ -78,7 +78,7 @@ static int call_modprobe(char *module_name, int wait)
106828 NULL
106829 };
106830
106831- char **argv = kmalloc(sizeof(char *[5]), GFP_KERNEL);
106832+ char **argv = kmalloc(sizeof(char *[6]), GFP_KERNEL);
106833 if (!argv)
106834 goto out;
106835
106836@@ -90,7 +90,8 @@ static int call_modprobe(char *module_name, int wait)
106837 argv[1] = "-q";
106838 argv[2] = "--";
106839 argv[3] = module_name; /* check free_modprobe_argv() */
106840- argv[4] = NULL;
106841+ argv[4] = module_param;
106842+ argv[5] = NULL;
106843
106844 info = call_usermodehelper_setup(modprobe_path, argv, envp, GFP_KERNEL,
106845 NULL, free_modprobe_argv, NULL);
106846@@ -122,9 +123,8 @@ out:
106847 * If module auto-loading support is disabled then this function
106848 * becomes a no-operation.
106849 */
106850-int __request_module(bool wait, const char *fmt, ...)
106851+static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
106852 {
106853- va_list args;
106854 char module_name[MODULE_NAME_LEN];
106855 unsigned int max_modprobes;
106856 int ret;
106857@@ -143,9 +143,7 @@ int __request_module(bool wait, const char *fmt, ...)
106858 if (!modprobe_path[0])
106859 return 0;
106860
106861- va_start(args, fmt);
106862- ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
106863- va_end(args);
106864+ ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
106865 if (ret >= MODULE_NAME_LEN)
106866 return -ENAMETOOLONG;
106867
106868@@ -153,6 +151,20 @@ int __request_module(bool wait, const char *fmt, ...)
106869 if (ret)
106870 return ret;
106871
106872+#ifdef CONFIG_GRKERNSEC_MODHARDEN
106873+ if (uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
106874+ /* hack to workaround consolekit/udisks stupidity */
106875+ read_lock(&tasklist_lock);
106876+ if (!strcmp(current->comm, "mount") &&
106877+ current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
106878+ read_unlock(&tasklist_lock);
106879+ printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
106880+ return -EPERM;
106881+ }
106882+ read_unlock(&tasklist_lock);
106883+ }
106884+#endif
106885+
106886 /* If modprobe needs a service that is in a module, we get a recursive
106887 * loop. Limit the number of running kmod threads to max_threads/2 or
106888 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
106889@@ -181,16 +193,61 @@ int __request_module(bool wait, const char *fmt, ...)
106890
106891 trace_module_request(module_name, wait, _RET_IP_);
106892
106893- ret = call_modprobe(module_name, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
106894+ ret = call_modprobe(module_name, module_param, wait ? UMH_WAIT_PROC : UMH_WAIT_EXEC);
106895
106896 atomic_dec(&kmod_concurrent);
106897 return ret;
106898 }
106899+
106900+int ___request_module(bool wait, char *module_param, const char *fmt, ...)
106901+{
106902+ va_list args;
106903+ int ret;
106904+
106905+ va_start(args, fmt);
106906+ ret = ____request_module(wait, module_param, fmt, args);
106907+ va_end(args);
106908+
106909+ return ret;
106910+}
106911+
106912+int __request_module(bool wait, const char *fmt, ...)
106913+{
106914+ va_list args;
106915+ int ret;
106916+
106917+#ifdef CONFIG_GRKERNSEC_MODHARDEN
106918+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
106919+ char module_param[MODULE_NAME_LEN];
106920+
106921+ memset(module_param, 0, sizeof(module_param));
106922+
106923+ snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", GR_GLOBAL_UID(current_uid()));
106924+
106925+ va_start(args, fmt);
106926+ ret = ____request_module(wait, module_param, fmt, args);
106927+ va_end(args);
106928+
106929+ return ret;
106930+ }
106931+#endif
106932+
106933+ va_start(args, fmt);
106934+ ret = ____request_module(wait, NULL, fmt, args);
106935+ va_end(args);
106936+
106937+ return ret;
106938+}
106939+
106940 EXPORT_SYMBOL(__request_module);
106941 #endif /* CONFIG_MODULES */
106942
106943 static void call_usermodehelper_freeinfo(struct subprocess_info *info)
106944 {
106945+#ifdef CONFIG_GRKERNSEC
106946+ kfree(info->path);
106947+ info->path = info->origpath;
106948+#endif
106949 if (info->cleanup)
106950 (*info->cleanup)(info);
106951 kfree(info);
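Review bot: In __request_module() the `va_start` / `____request_module` / `va_end` sequence is written twice, once per branch. The buffer is also prepared with a `memset` plus `snprintf(..., sizeof(module_param) - 1, ...)`, although snprintf() already NUL-terminates within the size it is given. Selecting the parameter first and making a single call keeps the two paths from drifting apart. The version below produces the same string and the same call as far as this hunk shows; `module_param` has to live at function scope because the pointer is used until ____request_module() returns.

```c
int __request_module(bool wait, const char *fmt, ...)
{
	va_list args;
	char *param = NULL;
	int ret;
#ifdef CONFIG_GRKERNSEC_MODHARDEN
	char module_param[MODULE_NAME_LEN];

	/* non-root requests are tagged so the loader can tell who asked */
	if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)) {
		snprintf(module_param, sizeof(module_param),
			 "grsec_modharden_normal%u_", GR_GLOBAL_UID(current_uid()));
		param = module_param;
	}
#endif

	va_start(args, fmt);
	ret = ____request_module(wait, param, fmt, args);
	va_end(args);

	return ret;
}
```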
106952@@ -232,6 +289,21 @@ static int ____call_usermodehelper(void *data)
106953 */
106954 set_user_nice(current, 0);
106955
106956+#ifdef CONFIG_GRKERNSEC
106957+ /* this is race-free as far as userland is concerned as we copied
106958+ out the path to be used prior to this point and are now operating
106959+ on that copy
106960+ */
106961+ if ((strncmp(sub_info->path, "/sbin/", 6) && strncmp(sub_info->path, "/usr/lib/", 9) &&
106962+ strncmp(sub_info->path, "/lib/", 5) && strncmp(sub_info->path, "/lib64/", 7) &&
106963+ strncmp(sub_info->path, "/usr/libexec/", 13) && strncmp(sub_info->path, "/usr/bin/", 9) &&
106964+ strcmp(sub_info->path, "/usr/share/apport/apport")) || strstr(sub_info->path, "..")) {
106965+ printk(KERN_ALERT "grsec: denied exec of usermode helper binary %.950s located outside of permitted system paths\n", sub_info->path);
106966+ retval = -EPERM;
106967+ goto out;
106968+ }
106969+#endif
106970+
106971 retval = -ENOMEM;
106972 new = prepare_kernel_cred(current);
106973 if (!new)
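Review bot: The allow-list in ____call_usermodehelper() is a chain of `strncmp()` calls with hand-counted lengths (6, 9, 5, 7, 13, 9), so a prefix and its length can fall out of step when the list is edited. A small `static const char * const` table walked with `strncmp(path, p, strlen(p))` would keep each prefix and its length together. The test is purely lexical (a prefix match plus a `..` substring check), so it relies on those directories being writable only by root. That assumption deserves a line in the comment. The function starts and ends outside this hunk.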
106974@@ -254,8 +326,8 @@ static int ____call_usermodehelper(void *data)
106975 commit_creds(new);
106976
106977 retval = do_execve(getname_kernel(sub_info->path),
106978- (const char __user *const __user *)sub_info->argv,
106979- (const char __user *const __user *)sub_info->envp);
106980+ (const char __user *const __force_user *)sub_info->argv,
106981+ (const char __user *const __force_user *)sub_info->envp);
106982 out:
106983 sub_info->retval = retval;
106984 /* wait_for_helper() will call umh_complete if UHM_WAIT_PROC. */
106985@@ -288,7 +360,7 @@ static int wait_for_helper(void *data)
106986 *
106987 * Thus the __user pointer cast is valid here.
106988 */
106989- sys_wait4(pid, (int __user *)&ret, 0, NULL);
106990+ sys_wait4(pid, (int __force_user *)&ret, 0, NULL);
106991
106992 /*
106993 * If ret is 0, either ____call_usermodehelper failed and the
106994@@ -510,7 +582,12 @@ struct subprocess_info *call_usermodehelper_setup(char *path, char **argv,
106995 goto out;
106996
106997 INIT_WORK(&sub_info->work, __call_usermodehelper);
106998+#ifdef CONFIG_GRKERNSEC
106999+ sub_info->origpath = path;
107000+ sub_info->path = kstrdup(path, gfp_mask);
107001+#else
107002 sub_info->path = path;
107003+#endif
107004 sub_info->argv = argv;
107005 sub_info->envp = envp;
107006
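Review bot: The result of `kstrdup(path, gfp_mask)` is not checked, so on allocation failure `sub_info->path` is NULL and the `strncmp(sub_info->path, ...)` tests added in ____call_usermodehelper() would dereference it. Fail the setup instead, for example `if (!sub_info->path) { kfree(sub_info); sub_info = NULL; goto out; }`, assuming `out:` returns `sub_info` as the surrounding lines suggest. call_usermodehelper_setup() starts and ends outside this hunk.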
107007@@ -612,7 +689,7 @@ EXPORT_SYMBOL(call_usermodehelper);
107008 static int proc_cap_handler(struct ctl_table *table, int write,
107009 void __user *buffer, size_t *lenp, loff_t *ppos)
107010 {
107011- struct ctl_table t;
107012+ ctl_table_no_const t;
107013 unsigned long cap_array[_KERNEL_CAPABILITY_U32S];
107014 kernel_cap_t new_cap;
107015 int err, i;
107016diff --git a/kernel/kprobes.c b/kernel/kprobes.c
107017index c90e417..e6c515d 100644
107018--- a/kernel/kprobes.c
107019+++ b/kernel/kprobes.c
107020@@ -31,6 +31,9 @@
107021 * <jkenisto@us.ibm.com> and Prasanna S Panchamukhi
107022 * <prasanna@in.ibm.com> added function-return probes.
107023 */
107024+#ifdef CONFIG_GRKERNSEC_HIDESYM
107025+#define __INCLUDED_BY_HIDESYM 1
107026+#endif
107027 #include <linux/kprobes.h>
107028 #include <linux/hash.h>
107029 #include <linux/init.h>
107030@@ -122,12 +125,12 @@ enum kprobe_slot_state {
107031
107032 static void *alloc_insn_page(void)
107033 {
107034- return module_alloc(PAGE_SIZE);
107035+ return module_alloc_exec(PAGE_SIZE);
107036 }
107037
107038 static void free_insn_page(void *page)
107039 {
107040- module_memfree(page);
107041+ module_memfree_exec(page);
107042 }
107043
107044 struct kprobe_insn_cache kprobe_insn_slots = {
107045@@ -2198,11 +2201,11 @@ static void report_probe(struct seq_file *pi, struct kprobe *p,
107046 kprobe_type = "k";
107047
107048 if (sym)
107049- seq_printf(pi, "%p %s %s+0x%x %s ",
107050+ seq_printf(pi, "%pK %s %s+0x%x %s ",
107051 p->addr, kprobe_type, sym, offset,
107052 (modname ? modname : " "));
107053 else
107054- seq_printf(pi, "%p %s %p ",
107055+ seq_printf(pi, "%pK %s %pK ",
107056 p->addr, kprobe_type, p->addr);
107057
107058 if (!pp)
107059diff --git a/kernel/ksysfs.c b/kernel/ksysfs.c
107060index 6683cce..daf8999 100644
107061--- a/kernel/ksysfs.c
107062+++ b/kernel/ksysfs.c
107063@@ -50,6 +50,8 @@ static ssize_t uevent_helper_store(struct kobject *kobj,
107064 {
107065 if (count+1 > UEVENT_HELPER_PATH_LEN)
107066 return -ENOENT;
107067+ if (!capable(CAP_SYS_ADMIN))
107068+ return -EPERM;
107069 memcpy(uevent_helper, buf, count);
107070 uevent_helper[count] = '\0';
107071 if (count && uevent_helper[count-1] == '\n')
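Review bot: The new `capable(CAP_SYS_ADMIN)` test sits after the length check, so an unprivileged writer gets -ENOENT or -EPERM depending on the size of the input. Moving `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` to the top of uevent_helper_store() makes the permission decision independent of what was written. The function body continues outside this hunk.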
107072@@ -176,7 +178,7 @@ static ssize_t notes_read(struct file *filp, struct kobject *kobj,
107073 return count;
107074 }
107075
107076-static struct bin_attribute notes_attr = {
107077+static bin_attribute_no_const notes_attr __read_only = {
107078 .attr = {
107079 .name = "notes",
107080 .mode = S_IRUGO,
107081diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
107082index 8acfbf7..0c5a34a 100644
107083--- a/kernel/locking/lockdep.c
107084+++ b/kernel/locking/lockdep.c
107085@@ -613,6 +613,10 @@ static int static_obj(void *obj)
107086 end = (unsigned long) &_end,
107087 addr = (unsigned long) obj;
107088
107089+#ifdef CONFIG_PAX_KERNEXEC
107090+ start = ktla_ktva(start);
107091+#endif
107092+
107093 /*
107094 * static variable?
107095 */
107096@@ -757,6 +761,7 @@ register_lock_class(struct lockdep_map *lock, unsigned int subclass, int force)
107097 if (!static_obj(lock->key)) {
107098 debug_locks_off();
107099 printk("INFO: trying to register non-static key.\n");
107100+ printk("lock:%pS key:%pS.\n", lock, lock->key);
107101 printk("the code is fine but needs lockdep annotation.\n");
107102 printk("turning off the locking correctness validator.\n");
107103 dump_stack();
107104@@ -3102,7 +3107,7 @@ static int __lock_acquire(struct lockdep_map *lock, unsigned int subclass,
107105 if (!class)
107106 return 0;
107107 }
107108- atomic_inc((atomic_t *)&class->ops);
107109+ atomic_long_inc_unchecked((atomic_long_unchecked_t *)&class->ops);
107110 if (very_verbose(class)) {
107111 printk("\nacquire class [%p] %s", class->key, class->name);
107112 if (class->name_version > 1)
107113diff --git a/kernel/locking/lockdep_proc.c b/kernel/locking/lockdep_proc.c
107114index d83d798..ea3120d 100644
107115--- a/kernel/locking/lockdep_proc.c
107116+++ b/kernel/locking/lockdep_proc.c
107117@@ -65,7 +65,7 @@ static int l_show(struct seq_file *m, void *v)
107118 return 0;
107119 }
107120
107121- seq_printf(m, "%p", class->key);
107122+ seq_printf(m, "%pK", class->key);
107123 #ifdef CONFIG_DEBUG_LOCKDEP
107124 seq_printf(m, " OPS:%8ld", class->ops);
107125 #endif
107126@@ -83,7 +83,7 @@ static int l_show(struct seq_file *m, void *v)
107127
107128 list_for_each_entry(entry, &class->locks_after, entry) {
107129 if (entry->distance == 1) {
107130- seq_printf(m, " -> [%p] ", entry->class->key);
107131+ seq_printf(m, " -> [%pK] ", entry->class->key);
107132 print_name(m, entry->class);
107133 seq_puts(m, "\n");
107134 }
107135@@ -152,7 +152,7 @@ static int lc_show(struct seq_file *m, void *v)
107136 if (!class->key)
107137 continue;
107138
107139- seq_printf(m, "[%p] ", class->key);
107140+ seq_printf(m, "[%pK] ", class->key);
107141 print_name(m, class);
107142 seq_puts(m, "\n");
107143 }
107144@@ -508,7 +508,7 @@ static void seq_stats(struct seq_file *m, struct lock_stat_data *data)
107145 if (!i)
107146 seq_line(m, '-', 40-namelen, namelen);
107147
107148- snprintf(ip, sizeof(ip), "[<%p>]",
107149+ snprintf(ip, sizeof(ip), "[<%pK>]",
107150 (void *)class->contention_point[i]);
107151 seq_printf(m, "%40s %14lu %29s %pS\n",
107152 name, stats->contention_point[i],
107153@@ -523,7 +523,7 @@ static void seq_stats(struct seq_file *m, struct lock_stat_data *data)
107154 if (!i)
107155 seq_line(m, '-', 40-namelen, namelen);
107156
107157- snprintf(ip, sizeof(ip), "[<%p>]",
107158+ snprintf(ip, sizeof(ip), "[<%pK>]",
107159 (void *)class->contending_point[i]);
107160 seq_printf(m, "%40s %14lu %29s %pS\n",
107161 name, stats->contending_point[i],
107162diff --git a/kernel/locking/mutex-debug.c b/kernel/locking/mutex-debug.c
107163index 3ef3736..9c951fa 100644
107164--- a/kernel/locking/mutex-debug.c
107165+++ b/kernel/locking/mutex-debug.c
107166@@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mutex_waiter *waiter)
107167 }
107168
107169 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
107170- struct thread_info *ti)
107171+ struct task_struct *task)
107172 {
107173 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
107174
107175 /* Mark the current thread as blocked on the lock: */
107176- ti->task->blocked_on = waiter;
107177+ task->blocked_on = waiter;
107178 }
107179
107180 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
107181- struct thread_info *ti)
107182+ struct task_struct *task)
107183 {
107184 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
107185- DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
107186- DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
107187- ti->task->blocked_on = NULL;
107188+ DEBUG_LOCKS_WARN_ON(waiter->task != task);
107189+ DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
107190+ task->blocked_on = NULL;
107191
107192 list_del_init(&waiter->list);
107193 waiter->task = NULL;
107194diff --git a/kernel/locking/mutex-debug.h b/kernel/locking/mutex-debug.h
107195index 0799fd3..d06ae3b 100644
107196--- a/kernel/locking/mutex-debug.h
107197+++ b/kernel/locking/mutex-debug.h
107198@@ -20,9 +20,9 @@ extern void debug_mutex_wake_waiter(struct mutex *lock,
107199 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
107200 extern void debug_mutex_add_waiter(struct mutex *lock,
107201 struct mutex_waiter *waiter,
107202- struct thread_info *ti);
107203+ struct task_struct *task);
107204 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
107205- struct thread_info *ti);
107206+ struct task_struct *task);
107207 extern void debug_mutex_unlock(struct mutex *lock);
107208 extern void debug_mutex_init(struct mutex *lock, const char *name,
107209 struct lock_class_key *key);
107210diff --git a/kernel/locking/mutex.c b/kernel/locking/mutex.c
107211index 4cccea6..4382db9 100644
107212--- a/kernel/locking/mutex.c
107213+++ b/kernel/locking/mutex.c
107214@@ -533,7 +533,7 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass,
107215 goto skip_wait;
107216
107217 debug_mutex_lock_common(lock, &waiter);
107218- debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
107219+ debug_mutex_add_waiter(lock, &waiter, task);
107220
107221 /* add waiting tasks to the end of the waitqueue (FIFO): */
107222 list_add_tail(&waiter.list, &lock->wait_list);
107223@@ -580,7 +580,7 @@ __mutex_lock_common(struct mutex *lock, long state, unsigned int subclass,
107224 }
107225 __set_task_state(task, TASK_RUNNING);
107226
107227- mutex_remove_waiter(lock, &waiter, current_thread_info());
107228+ mutex_remove_waiter(lock, &waiter, task);
107229 /* set it to 0 if there are no waiters left: */
107230 if (likely(list_empty(&lock->wait_list)))
107231 atomic_set(&lock->count, 0);
107232@@ -601,7 +601,7 @@ skip_wait:
107233 return 0;
107234
107235 err:
107236- mutex_remove_waiter(lock, &waiter, task_thread_info(task));
107237+ mutex_remove_waiter(lock, &waiter, task);
107238 spin_unlock_mutex(&lock->wait_lock, flags);
107239 debug_mutex_free_waiter(&waiter);
107240 mutex_release(&lock->dep_map, 1, ip);
107241diff --git a/kernel/locking/rtmutex-tester.c b/kernel/locking/rtmutex-tester.c
107242index 1d96dd0..994ff19 100644
107243--- a/kernel/locking/rtmutex-tester.c
107244+++ b/kernel/locking/rtmutex-tester.c
107245@@ -22,7 +22,7 @@
107246 #define MAX_RT_TEST_MUTEXES 8
107247
107248 static spinlock_t rttest_lock;
107249-static atomic_t rttest_event;
107250+static atomic_unchecked_t rttest_event;
107251
107252 struct test_thread_data {
107253 int opcode;
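Review bot: `rttest_event` is moved to `atomic_unchecked_t` without a comment saying why overflow detection is not wanted for it. From the visible uses it is a sequence number copied into `td->event` and reset by RTTEST_RESETEVENT, not a reference count, so wrap-around looks harmless, but that reasoning belongs on the declaration: `/* event sequence counter, not a refcount: wrapping is harmless, so exempt from overflow checks */`. The same applies to every `atomic_add_return_unchecked()` call in the handle_op and schedule_rt_mutex_test hunks that follow.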
107254@@ -63,7 +63,7 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
107255
107256 case RTTEST_LOCKCONT:
107257 td->mutexes[td->opdata] = 1;
107258- td->event = atomic_add_return(1, &rttest_event);
107259+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107260 return 0;
107261
107262 case RTTEST_RESET:
107263@@ -76,7 +76,7 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
107264 return 0;
107265
107266 case RTTEST_RESETEVENT:
107267- atomic_set(&rttest_event, 0);
107268+ atomic_set_unchecked(&rttest_event, 0);
107269 return 0;
107270
107271 default:
107272@@ -93,9 +93,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
107273 return ret;
107274
107275 td->mutexes[id] = 1;
107276- td->event = atomic_add_return(1, &rttest_event);
107277+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107278 rt_mutex_lock(&mutexes[id]);
107279- td->event = atomic_add_return(1, &rttest_event);
107280+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107281 td->mutexes[id] = 4;
107282 return 0;
107283
107284@@ -106,9 +106,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
107285 return ret;
107286
107287 td->mutexes[id] = 1;
107288- td->event = atomic_add_return(1, &rttest_event);
107289+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107290 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
107291- td->event = atomic_add_return(1, &rttest_event);
107292+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107293 td->mutexes[id] = ret ? 0 : 4;
107294 return ret ? -EINTR : 0;
107295
107296@@ -117,9 +117,9 @@ static int handle_op(struct test_thread_data *td, int lockwakeup)
107297 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
107298 return ret;
107299
107300- td->event = atomic_add_return(1, &rttest_event);
107301+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107302 rt_mutex_unlock(&mutexes[id]);
107303- td->event = atomic_add_return(1, &rttest_event);
107304+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107305 td->mutexes[id] = 0;
107306 return 0;
107307
107308@@ -166,7 +166,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
107309 break;
107310
107311 td->mutexes[dat] = 2;
107312- td->event = atomic_add_return(1, &rttest_event);
107313+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107314 break;
107315
107316 default:
107317@@ -186,7 +186,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
107318 return;
107319
107320 td->mutexes[dat] = 3;
107321- td->event = atomic_add_return(1, &rttest_event);
107322+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107323 break;
107324
107325 case RTTEST_LOCKNOWAIT:
107326@@ -198,7 +198,7 @@ void schedule_rt_mutex_test(struct rt_mutex *mutex)
107327 return;
107328
107329 td->mutexes[dat] = 1;
107330- td->event = atomic_add_return(1, &rttest_event);
107331+ td->event = atomic_add_return_unchecked(1, &rttest_event);
107332 return;
107333
107334 default:
107335diff --git a/kernel/module.c b/kernel/module.c
107336index b86b7bf..f5eaa56 100644
107337--- a/kernel/module.c
107338+++ b/kernel/module.c
107339@@ -59,6 +59,7 @@
107340 #include <linux/jump_label.h>
107341 #include <linux/pfn.h>
107342 #include <linux/bsearch.h>
107343+#include <linux/grsecurity.h>
107344 #include <uapi/linux/module.h>
107345 #include "module-internal.h"
107346
107347@@ -108,7 +109,7 @@ static LIST_HEAD(modules);
107348 * Use a latched RB-tree for __module_address(); this allows us to use
107349 * RCU-sched lookups of the address from any context.
107350 *
107351- * Because modules have two address ranges: init and core, we need two
107352+ * Because modules have four address ranges: init_{rw,rx} and core_{rw,rx}, we need four
107353 * latch_tree_nodes entries. Therefore we need the back-pointer from
107354 * mod_tree_node.
107355 *
107356@@ -125,10 +126,14 @@ static __always_inline unsigned long __mod_tree_val(struct latch_tree_node *n)
107357 struct mod_tree_node *mtn = container_of(n, struct mod_tree_node, node);
107358 struct module *mod = mtn->mod;
107359
107360- if (unlikely(mtn == &mod->mtn_init))
107361- return (unsigned long)mod->module_init;
107362+ if (unlikely(mtn == &mod->mtn_init_rw))
107363+ return (unsigned long)mod->module_init_rw;
107364+ if (unlikely(mtn == &mod->mtn_init_rx))
107365+ return (unsigned long)mod->module_init_rx;
107366
107367- return (unsigned long)mod->module_core;
107368+ if (unlikely(mtn == &mod->mtn_core_rw))
107369+ return (unsigned long)mod->module_core_rw;
107370+ return (unsigned long)mod->module_core_rx;
107371 }
107372
107373 static __always_inline unsigned long __mod_tree_size(struct latch_tree_node *n)
107374@@ -136,10 +141,14 @@ static __always_inline unsigned long __mod_tree_size(struct latch_tree_node *n)
107375 struct mod_tree_node *mtn = container_of(n, struct mod_tree_node, node);
107376 struct module *mod = mtn->mod;
107377
107378- if (unlikely(mtn == &mod->mtn_init))
107379- return (unsigned long)mod->init_size;
107380+ if (unlikely(mtn == &mod->mtn_init_rw))
107381+ return (unsigned long)mod->init_size_rw;
107382+ if (unlikely(mtn == &mod->mtn_init_rx))
107383+ return (unsigned long)mod->init_size_rx;
107384
107385- return (unsigned long)mod->core_size;
107386+ if (unlikely(mtn == &mod->mtn_core_rw))
107387+ return (unsigned long)mod->core_size_rw;
107388+ return (unsigned long)mod->core_size_rx;
107389 }
107390
107391 static __always_inline bool
107392@@ -172,14 +181,19 @@ static const struct latch_tree_ops mod_tree_ops = {
107393
107394 static struct mod_tree_root {
107395 struct latch_tree_root root;
107396- unsigned long addr_min;
107397- unsigned long addr_max;
107398+ unsigned long addr_min_rw;
107399+ unsigned long addr_min_rx;
107400+ unsigned long addr_max_rw;
107401+ unsigned long addr_max_rx;
107402 } mod_tree __cacheline_aligned = {
107403- .addr_min = -1UL,
107404+ .addr_min_rw = -1UL,
107405+ .addr_min_rx = -1UL,
107406 };
107407
107408-#define module_addr_min mod_tree.addr_min
107409-#define module_addr_max mod_tree.addr_max
107410+#define module_addr_min_rw mod_tree.addr_min_rw
107411+#define module_addr_min_rx mod_tree.addr_min_rx
107412+#define module_addr_max_rw mod_tree.addr_max_rw
107413+#define module_addr_max_rx mod_tree.addr_max_rx
107414
107415 static noinline void __mod_tree_insert(struct mod_tree_node *node)
107416 {
107417@@ -197,23 +211,31 @@ static void __mod_tree_remove(struct mod_tree_node *node)
107418 */
107419 static void mod_tree_insert(struct module *mod)
107420 {
107421- mod->mtn_core.mod = mod;
107422- mod->mtn_init.mod = mod;
107423+ mod->mtn_core_rw.mod = mod;
107424+ mod->mtn_core_rx.mod = mod;
107425+ mod->mtn_init_rw.mod = mod;
107426+ mod->mtn_init_rx.mod = mod;
107427
107428- __mod_tree_insert(&mod->mtn_core);
107429- if (mod->init_size)
107430- __mod_tree_insert(&mod->mtn_init);
107431+ __mod_tree_insert(&mod->mtn_core_rw);
107432+ __mod_tree_insert(&mod->mtn_core_rx);
107433+ if (mod->init_size_rw)
107434+ __mod_tree_insert(&mod->mtn_init_rw);
107435+ if (mod->init_size_rx)
107436+ __mod_tree_insert(&mod->mtn_init_rx);
107437 }
107438
107439 static void mod_tree_remove_init(struct module *mod)
107440 {
107441- if (mod->init_size)
107442- __mod_tree_remove(&mod->mtn_init);
107443+ if (mod->init_size_rw)
107444+ __mod_tree_remove(&mod->mtn_init_rw);
107445+ if (mod->init_size_rx)
107446+ __mod_tree_remove(&mod->mtn_init_rx);
107447 }
107448
107449 static void mod_tree_remove(struct module *mod)
107450 {
107451- __mod_tree_remove(&mod->mtn_core);
107452+ __mod_tree_remove(&mod->mtn_core_rw);
107453+ __mod_tree_remove(&mod->mtn_core_rx);
107454 mod_tree_remove_init(mod);
107455 }
107456
107457@@ -230,7 +252,8 @@ static struct module *mod_find(unsigned long addr)
107458
107459 #else /* MODULES_TREE_LOOKUP */
107460
107461-static unsigned long module_addr_min = -1UL, module_addr_max = 0;
107462+static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
107463+static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
107464
107465 static void mod_tree_insert(struct module *mod) { }
107466 static void mod_tree_remove_init(struct module *mod) { }
107467@@ -254,22 +277,36 @@ static struct module *mod_find(unsigned long addr)
107468 * Bounds of module text, for speeding up __module_address.
107469 * Protected by module_mutex.
107470 */
107471-static void __mod_update_bounds(void *base, unsigned int size)
107472+static void __mod_update_bounds_rw(void *base, unsigned int size)
107473 {
107474 unsigned long min = (unsigned long)base;
107475 unsigned long max = min + size;
107476
107477- if (min < module_addr_min)
107478- module_addr_min = min;
107479- if (max > module_addr_max)
107480- module_addr_max = max;
107481+ if (min < module_addr_min_rw)
107482+ module_addr_min_rw = min;
107483+ if (max > module_addr_max_rw)
107484+ module_addr_max_rw = max;
107485+}
107486+
107487+static void __mod_update_bounds_rx(void *base, unsigned int size)
107488+{
107489+ unsigned long min = (unsigned long)base;
107490+ unsigned long max = min + size;
107491+
107492+ if (min < module_addr_min_rx)
107493+ module_addr_min_rx = min;
107494+ if (max > module_addr_max_rx)
107495+ module_addr_max_rx = max;
107496 }
107497
107498 static void mod_update_bounds(struct module *mod)
107499 {
107500- __mod_update_bounds(mod->module_core, mod->core_size);
107501- if (mod->init_size)
107502- __mod_update_bounds(mod->module_init, mod->init_size);
107503+ __mod_update_bounds_rw(mod->module_core_rw, mod->core_size_rw);
107504+ __mod_update_bounds_rx(mod->module_core_rx, mod->core_size_rx);
107505+ if (mod->init_size_rw)
107506+ __mod_update_bounds_rw(mod->module_init_rw, mod->init_size_rw);
107507+ if (mod->init_size_rx)
107508+ __mod_update_bounds_rx(mod->module_init_rx, mod->init_size_rx);
107509 }
107510
107511 #ifdef CONFIG_KGDB_KDB
107512@@ -298,7 +335,7 @@ module_param(sig_enforce, bool_enable_only, 0644);
107513 #endif /* !CONFIG_MODULE_SIG_FORCE */
107514
107515 /* Block module loading/unloading? */
107516-int modules_disabled = 0;
107517+int modules_disabled __read_only = 0;
107518 core_param(nomodule, modules_disabled, bint, 0);
107519
107520 /* Waiting for a module to finish initializing? */
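Review bot: Marking `modules_disabled` as `__read_only` means every later store to it has to go through whatever write-enable mechanism the patch provides, and neither writer is visible in this hunk. The `core_param(nomodule, ...)` line directly below stores to it during parameter parsing, and in mainline the variable is also set at run time through the modules_disabled sysctl; both need checking against the point at which read-only data becomes protected. A comment on the declaration would make the contract explicit: `/* __read_only: set at boot or by the sysctl handler, which must open kernel write access first */`.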
107521@@ -473,7 +510,7 @@ bool each_symbol_section(bool (*fn)(const struct symsearch *arr,
107522 return true;
107523
107524 list_for_each_entry_rcu(mod, &modules, list) {
107525- struct symsearch arr[] = {
107526+ struct symsearch modarr[] = {
107527 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
107528 NOT_GPL_ONLY, false },
107529 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
107530@@ -498,7 +535,7 @@ bool each_symbol_section(bool (*fn)(const struct symsearch *arr,
107531 if (mod->state == MODULE_STATE_UNFORMED)
107532 continue;
107533
107534- if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
107535+ if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
107536 return true;
107537 }
107538 return false;
107539@@ -644,7 +681,7 @@ static int percpu_modalloc(struct module *mod, struct load_info *info)
107540 if (!pcpusec->sh_size)
107541 return 0;
107542
107543- if (align > PAGE_SIZE) {
107544+ if (align-1 >= PAGE_SIZE) {
107545 pr_warn("%s: per-cpu alignment %li > %li\n",
107546 mod->name, align, PAGE_SIZE);
107547 align = PAGE_SIZE;
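Review bot: The rewritten test `align-1 >= PAGE_SIZE` also catches a section alignment of zero, but only through unsigned wrap-around, and nothing at the site says so. For the zero case the warning below prints `0 > PAGE_SIZE`, which misstates why the value was rejected. Spelling the condition out keeps the behaviour and documents it: `if (align == 0 || align > PAGE_SIZE) {`. The declaration of `align` is outside the hunk.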
107548@@ -1210,7 +1247,7 @@ struct module_attribute module_uevent =
107549 static ssize_t show_coresize(struct module_attribute *mattr,
107550 struct module_kobject *mk, char *buffer)
107551 {
107552- return sprintf(buffer, "%u\n", mk->mod->core_size);
107553+ return sprintf(buffer, "%u\n", mk->mod->core_size_rx + mk->mod->core_size_rw);
107554 }
107555
107556 static struct module_attribute modinfo_coresize =
107557@@ -1219,7 +1256,7 @@ static struct module_attribute modinfo_coresize =
107558 static ssize_t show_initsize(struct module_attribute *mattr,
107559 struct module_kobject *mk, char *buffer)
107560 {
107561- return sprintf(buffer, "%u\n", mk->mod->init_size);
107562+ return sprintf(buffer, "%u\n", mk->mod->init_size_rx + mk->mod->init_size_rw);
107563 }
107564
107565 static struct module_attribute modinfo_initsize =
107566@@ -1311,12 +1348,29 @@ static int check_version(Elf_Shdr *sechdrs,
107567 goto bad_version;
107568 }
107569
107570+#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
107571+ /*
107572+ * avoid potentially printing jibberish on attempted load
107573+ * of a module randomized with a different seed
107574+ */
107575+ pr_warn("no symbol version for %s\n", symname);
107576+#else
107577 pr_warn("%s: no symbol version for %s\n", mod->name, symname);
107578+#endif
107579 return 0;
107580
107581 bad_version:
107582+#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
107583+ /*
107584+ * avoid potentially printing jibberish on attempted load
107585+ * of a module randomized with a different seed
107586+ */
107587+ pr_warn("attempted module disagrees about version of symbol %s\n",
107588+ symname);
107589+#else
107590 pr_warn("%s: disagrees about version of symbol %s\n",
107591 mod->name, symname);
107592+#endif
107593 return 0;
107594 }
107595
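Review bot: Under CONFIG_GRKERNSEC_RANDSTRUCT both warnings in check_version drop `mod->name`, which leaves nothing in the log line to tell which load attempt was rejected. The attempt can still be identified by something that is not read from the module image, for example `pr_warn("no symbol version for %s (loader pid %d)\n", symname, task_pid_nr(current));`. The explanatory comment is also repeated verbatim in both branches here and again in the setup_load_info hunk further down; one shared explanation would be easier to keep accurate. check_version begins outside the hunk.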
107596@@ -1444,7 +1498,7 @@ resolve_symbol_wait(struct module *mod,
107597 */
107598 #ifdef CONFIG_SYSFS
107599
107600-#ifdef CONFIG_KALLSYMS
107601+#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
107602 static inline bool sect_empty(const Elf_Shdr *sect)
107603 {
107604 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
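Review bot: Extending the guard to `!defined(CONFIG_GRKERNSEC_HIDESYM)` compiles out everything up to the matching `#else`/`#endif`, which lies outside the hunk, and the reason is not recorded at the site. In mainline the region that starts with `sect_empty()` builds the per-module section attributes in sysfs, which publish section load addresses, so a short comment would help the next reader: `/* section attributes expose module load addresses; not built when HIDESYM is set */`. It is also worth confirming that the stubs in the `#else` branch cover every function this block defines, since the `add_notes_attrs` hunk below appears to sit inside the same conditional.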
107605@@ -1582,7 +1636,7 @@ static void add_notes_attrs(struct module *mod, const struct load_info *info)
107606 {
107607 unsigned int notes, loaded, i;
107608 struct module_notes_attrs *notes_attrs;
107609- struct bin_attribute *nattr;
107610+ bin_attribute_no_const *nattr;
107611
107612 /* failed to create section attributes, so can't create notes */
107613 if (!mod->sect_attrs)
107614@@ -1694,7 +1748,7 @@ static void del_usage_links(struct module *mod)
107615 static int module_add_modinfo_attrs(struct module *mod)
107616 {
107617 struct module_attribute *attr;
107618- struct module_attribute *temp_attr;
107619+ module_attribute_no_const *temp_attr;
107620 int error = 0;
107621 int i;
107622
107623@@ -1911,21 +1965,21 @@ static void set_section_ro_nx(void *base,
107624
107625 static void unset_module_core_ro_nx(struct module *mod)
107626 {
107627- set_page_attributes(mod->module_core + mod->core_text_size,
107628- mod->module_core + mod->core_size,
107629+ set_page_attributes(mod->module_core_rw,
107630+ mod->module_core_rw + mod->core_size_rw,
107631 set_memory_x);
107632- set_page_attributes(mod->module_core,
107633- mod->module_core + mod->core_ro_size,
107634+ set_page_attributes(mod->module_core_rx,
107635+ mod->module_core_rx + mod->core_size_rx,
107636 set_memory_rw);
107637 }
107638
107639 static void unset_module_init_ro_nx(struct module *mod)
107640 {
107641- set_page_attributes(mod->module_init + mod->init_text_size,
107642- mod->module_init + mod->init_size,
107643+ set_page_attributes(mod->module_init_rw,
107644+ mod->module_init_rw + mod->init_size_rw,
107645 set_memory_x);
107646- set_page_attributes(mod->module_init,
107647- mod->module_init + mod->init_ro_size,
107648+ set_page_attributes(mod->module_init_rx,
107649+ mod->module_init_rx + mod->init_size_rx,
107650 set_memory_rw);
107651 }
107652
107653@@ -1938,14 +1992,14 @@ void set_all_modules_text_rw(void)
107654 list_for_each_entry_rcu(mod, &modules, list) {
107655 if (mod->state == MODULE_STATE_UNFORMED)
107656 continue;
107657- if ((mod->module_core) && (mod->core_text_size)) {
107658- set_page_attributes(mod->module_core,
107659- mod->module_core + mod->core_text_size,
107660+ if ((mod->module_core_rx) && (mod->core_size_rx)) {
107661+ set_page_attributes(mod->module_core_rx,
107662+ mod->module_core_rx + mod->core_size_rx,
107663 set_memory_rw);
107664 }
107665- if ((mod->module_init) && (mod->init_text_size)) {
107666- set_page_attributes(mod->module_init,
107667- mod->module_init + mod->init_text_size,
107668+ if ((mod->module_init_rx) && (mod->init_size_rx)) {
107669+ set_page_attributes(mod->module_init_rx,
107670+ mod->module_init_rx + mod->init_size_rx,
107671 set_memory_rw);
107672 }
107673 }
107674@@ -1961,14 +2015,14 @@ void set_all_modules_text_ro(void)
107675 list_for_each_entry_rcu(mod, &modules, list) {
107676 if (mod->state == MODULE_STATE_UNFORMED)
107677 continue;
107678- if ((mod->module_core) && (mod->core_text_size)) {
107679- set_page_attributes(mod->module_core,
107680- mod->module_core + mod->core_text_size,
107681+ if ((mod->module_core_rx) && (mod->core_size_rx)) {
107682+ set_page_attributes(mod->module_core_rx,
107683+ mod->module_core_rx + mod->core_size_rx,
107684 set_memory_ro);
107685 }
107686- if ((mod->module_init) && (mod->init_text_size)) {
107687- set_page_attributes(mod->module_init,
107688- mod->module_init + mod->init_text_size,
107689+ if ((mod->module_init_rx) && (mod->init_size_rx)) {
107690+ set_page_attributes(mod->module_init_rx,
107691+ mod->module_init_rx + mod->init_size_rx,
107692 set_memory_ro);
107693 }
107694 }
107695@@ -1977,7 +2031,15 @@ void set_all_modules_text_ro(void)
107696 #else
107697 static inline void set_section_ro_nx(void *base, unsigned long text_size, unsigned long ro_size, unsigned long total_size) { }
107698 static void unset_module_core_ro_nx(struct module *mod) { }
107699-static void unset_module_init_ro_nx(struct module *mod) { }
107700+static void unset_module_init_ro_nx(struct module *mod)
107701+{
107702+
107703+#ifdef CONFIG_PAX_KERNEXEC
107704+ set_memory_nx((unsigned long)mod->module_init_rx, PFN_UP(mod->init_size_rx));
107705+ set_memory_rw((unsigned long)mod->module_init_rx, PFN_UP(mod->init_size_rx));
107706+#endif
107707+
107708+}
107709 #endif
107710
107711 void __weak module_memfree(void *module_region)
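Review bot: The new body of `unset_module_init_ro_nx()` ignores the return values of `set_memory_nx()` and `set_memory_rw()`, so a failed attribute change goes unnoticed before the init region is freed. free_module calls this function with the remark that the init pointer may be NULL, and the code then relies on `PFN_UP(0)` producing a zero page count; an explicit `if (!mod->module_init_rx) return;` states that case directly. The core counterpart one line above stays an empty stub, and a comment saying why only the init region needs resetting under CONFIG_PAX_KERNEXEC would remove the guesswork.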
107712@@ -2032,16 +2094,19 @@ static void free_module(struct module *mod)
107713 /* This may be NULL, but that's OK */
107714 unset_module_init_ro_nx(mod);
107715 module_arch_freeing_init(mod);
107716- module_memfree(mod->module_init);
107717+ module_memfree(mod->module_init_rw);
107718+ module_memfree_exec(mod->module_init_rx);
107719 kfree(mod->args);
107720 percpu_modfree(mod);
107721
107722 /* Free lock-classes; relies on the preceding sync_rcu(). */
107723- lockdep_free_key_range(mod->module_core, mod->core_size);
107724+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
107725+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
107726
107727 /* Finally, free the core (containing the module structure) */
107728 unset_module_core_ro_nx(mod);
107729- module_memfree(mod->module_core);
107730+ module_memfree_exec(mod->module_core_rx);
107731+ module_memfree(mod->module_core_rw);
107732
107733 #ifdef CONFIG_MPU
107734 update_protections(current->mm);
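Review bot: The order of the two core frees in free_module is load-bearing but undocumented. `mod->module_core_rw` is read after `module_memfree_exec(mod->module_core_rx)` has run, which is safe only while the module structure lives in the RW region (the existing comment says the core contains it; the placement itself is not visible here), and swapping the two calls would read freed memory. Suggested comment above them: `/* free RX first: struct module lives in the RW region, so that region must go last */`. free_module starts outside the hunk.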
107735@@ -2110,9 +2175,31 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
107736 int ret = 0;
107737 const struct kernel_symbol *ksym;
107738
107739+#ifdef CONFIG_GRKERNSEC_MODHARDEN
107740+ int is_fs_load = 0;
107741+ int register_filesystem_found = 0;
107742+ char *p;
107743+
107744+ p = strstr(mod->args, "grsec_modharden_fs");
107745+ if (p) {
107746+ char *endptr = p + sizeof("grsec_modharden_fs") - 1;
107747+ /* copy \0 as well */
107748+ memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
107749+ is_fs_load = 1;
107750+ }
107751+#endif
107752+
107753 for (i = 1; i < symsec->sh_size / sizeof(Elf_Sym); i++) {
107754 const char *name = info->strtab + sym[i].st_name;
107755
107756+#ifdef CONFIG_GRKERNSEC_MODHARDEN
107757+ /* it's a real shame this will never get ripped and copied
107758+ upstream! ;(
107759+ */
107760+ if (is_fs_load && !strcmp(name, "register_filesystem"))
107761+ register_filesystem_found = 1;
107762+#endif
107763+
107764 switch (sym[i].st_shndx) {
107765 case SHN_COMMON:
107766 /* Ignore common symbols */
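Review bot: `strstr(mod->args, "grsec_modharden_fs")` in simplify_symbols dereferences `mod->args` without a NULL check and matches the marker anywhere in the argument string. Whether `mod->args` is already populated when simplify_symbols runs is decided outside this hunk and should be confirmed; a defensive form is `p = mod->args ? strstr(mod->args, "grsec_modharden_fs") : NULL;`. Because the match is not anchored to a token boundary, an ordinary parameter value that happens to contain the text is also cut out of the string and sets `is_fs_load`, so the code should check that the match starts and ends a whitespace-delimited token. The function continues outside the hunk.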
107767@@ -2137,7 +2224,9 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
107768 ksym = resolve_symbol_wait(mod, info, name);
107769 /* Ok if resolved. */
107770 if (ksym && !IS_ERR(ksym)) {
107771+ pax_open_kernel();
107772 sym[i].st_value = ksym->value;
107773+ pax_close_kernel();
107774 break;
107775 }
107776
107777@@ -2156,11 +2245,20 @@ static int simplify_symbols(struct module *mod, const struct load_info *info)
107778 secbase = (unsigned long)mod_percpu(mod);
107779 else
107780 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
107781+ pax_open_kernel();
107782 sym[i].st_value += secbase;
107783+ pax_close_kernel();
107784 break;
107785 }
107786 }
107787
107788+#ifdef CONFIG_GRKERNSEC_MODHARDEN
107789+ if (is_fs_load && !register_filesystem_found) {
107790+ printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
107791+ ret = -EPERM;
107792+ }
107793+#endif
107794+
107795 return ret;
107796 }
107797
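Review bot: The denial message is an unconditional `printk(KERN_ALERT ...)`, so every rejected load writes an alert-level line. If the mount path that leads here can be driven repeatedly by an unprivileged user (not visible in this hunk), the log can be flooded; `printk_ratelimited(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);` keeps the record and bounds the volume. Note also that `ret = -EPERM` overwrites any earlier error collected in the loop, which is probably intended but is not stated.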
107798@@ -2244,22 +2342,12 @@ static void layout_sections(struct module *mod, struct load_info *info)
107799 || s->sh_entsize != ~0UL
107800 || strstarts(sname, ".init"))
107801 continue;
107802- s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
107803+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
107804+ s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
107805+ else
107806+ s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
107807 pr_debug("\t%s\n", sname);
107808 }
107809- switch (m) {
107810- case 0: /* executable */
107811- mod->core_size = debug_align(mod->core_size);
107812- mod->core_text_size = mod->core_size;
107813- break;
107814- case 1: /* RO: text and ro-data */
107815- mod->core_size = debug_align(mod->core_size);
107816- mod->core_ro_size = mod->core_size;
107817- break;
107818- case 3: /* whole core */
107819- mod->core_size = debug_align(mod->core_size);
107820- break;
107821- }
107822 }
107823
107824 pr_debug("Init section allocation order:\n");
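Review bot: The new placement rule in layout_sections sends every allocated section without SHF_WRITE to `core_size_rx`, which puts read-only data in the same region as text. If that region is mapped executable, as the `_rx` name and the `module_alloc_exec()` call later in the patch suggest, constant data becomes executable as well, and that trade-off deserves a comment: `/* writable or non-ALLOC sections go to the RW region; text and read-only data share the RX region */`. The removed `switch (m)` also page-aligned the sizes with `debug_align()` after each pass, and only the `_rx` sizes are re-aligned in the layout_symtab hunks, so code that assumes page-granular sizes should be re-checked. The init-section hunk that follows applies the same rule.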
107825@@ -2273,23 +2361,13 @@ static void layout_sections(struct module *mod, struct load_info *info)
107826 || s->sh_entsize != ~0UL
107827 || !strstarts(sname, ".init"))
107828 continue;
107829- s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
107830- | INIT_OFFSET_MASK);
107831+ if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
107832+ s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
107833+ else
107834+ s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
107835+ s->sh_entsize |= INIT_OFFSET_MASK;
107836 pr_debug("\t%s\n", sname);
107837 }
107838- switch (m) {
107839- case 0: /* executable */
107840- mod->init_size = debug_align(mod->init_size);
107841- mod->init_text_size = mod->init_size;
107842- break;
107843- case 1: /* RO: text and ro-data */
107844- mod->init_size = debug_align(mod->init_size);
107845- mod->init_ro_size = mod->init_size;
107846- break;
107847- case 3: /* whole init */
107848- mod->init_size = debug_align(mod->init_size);
107849- break;
107850- }
107851 }
107852 }
107853
107854@@ -2462,7 +2540,7 @@ static void layout_symtab(struct module *mod, struct load_info *info)
107855
107856 /* Put symbol section at end of init part of module. */
107857 symsect->sh_flags |= SHF_ALLOC;
107858- symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
107859+ symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
107860 info->index.sym) | INIT_OFFSET_MASK;
107861 pr_debug("\t%s\n", info->secstrings + symsect->sh_name);
107862
107863@@ -2479,16 +2557,16 @@ static void layout_symtab(struct module *mod, struct load_info *info)
107864 }
107865
107866 /* Append room for core symbols at end of core part. */
107867- info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
107868- info->stroffs = mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
107869- mod->core_size += strtab_size;
107870- mod->core_size = debug_align(mod->core_size);
107871+ info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
107872+ info->stroffs = mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
107873+ mod->core_size_rx += strtab_size;
107874+ mod->core_size_rx = debug_align(mod->core_size_rx);
107875
107876 /* Put string table section at end of init part of module. */
107877 strsect->sh_flags |= SHF_ALLOC;
107878- strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
107879+ strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
107880 info->index.str) | INIT_OFFSET_MASK;
107881- mod->init_size = debug_align(mod->init_size);
107882+ mod->init_size_rx = debug_align(mod->init_size_rx);
107883 pr_debug("\t%s\n", info->secstrings + strsect->sh_name);
107884 }
107885
107886@@ -2505,12 +2583,14 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
107887 /* Make sure we get permanent strtab: don't use info->strtab. */
107888 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
107889
107890+ pax_open_kernel();
107891+
107892 /* Set types up while we still have access to sections. */
107893 for (i = 0; i < mod->num_symtab; i++)
107894 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
107895
107896- mod->core_symtab = dst = mod->module_core + info->symoffs;
107897- mod->core_strtab = s = mod->module_core + info->stroffs;
107898+ mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
107899+ mod->core_strtab = s = mod->module_core_rx + info->stroffs;
107900 src = mod->symtab;
107901 for (ndst = i = 0; i < mod->num_symtab; i++) {
107902 if (i == 0 ||
107903@@ -2522,6 +2602,8 @@ static void add_kallsyms(struct module *mod, const struct load_info *info)
107904 }
107905 }
107906 mod->core_num_syms = ndst;
107907+
107908+ pax_close_kernel();
107909 }
107910 #else
107911 static inline void layout_symtab(struct module *mod, struct load_info *info)
107912@@ -2821,7 +2903,15 @@ static struct module *setup_load_info(struct load_info *info, int flags)
107913 mod = (void *)info->sechdrs[info->index.mod].sh_addr;
107914
107915 if (info->index.sym == 0) {
107916+#ifdef CONFIG_GRKERNSEC_RANDSTRUCT
107917+ /*
107918+ * avoid potentially printing jibberish on attempted load
107919+ * of a module randomized with a different seed
107920+ */
107921+ pr_warn("module has no symbols (stripped?)\n");
107922+#else
107923 pr_warn("%s: module has no symbols (stripped?)\n", mod->name);
107924+#endif
107925 return ERR_PTR(-ENOEXEC);
107926 }
107927
107928@@ -2837,8 +2927,14 @@ static struct module *setup_load_info(struct load_info *info, int flags)
107929 static int check_modinfo(struct module *mod, struct load_info *info, int flags)
107930 {
107931 const char *modmagic = get_modinfo(info, "vermagic");
107932+ const char *license = get_modinfo(info, "license");
107933 int err;
107934
107935+#ifdef CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR
107936+ if (!license || !license_is_gpl_compatible(license))
107937+ return -ENOEXEC;
107938+#endif
107939+
107940 if (flags & MODULE_INIT_IGNORE_VERMAGIC)
107941 modmagic = NULL;
107942
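Review bot: Under CONFIG_PAX_KERNEXEC_PLUGIN_METHOD_OR check_modinfo returns `-ENOEXEC` for a missing or non-GPL-compatible license without logging anything, so the administrator sees only an exec-format error from the loader. A warning before the return states the actual reason: `pr_warn("module refused: license is not GPL-compatible\n");`. The check also runs ahead of the vermagic comparison, so a module that would previously have failed on vermagic now fails here first, which makes the missing message more confusing.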
107943@@ -2863,7 +2959,7 @@ static int check_modinfo(struct module *mod, struct load_info *info, int flags)
107944 }
107945
107946 /* Set up license info based on the info section */
107947- set_license(mod, get_modinfo(info, "license"));
107948+ set_license(mod, license);
107949
107950 return 0;
107951 }
107952@@ -2960,7 +3056,7 @@ static int move_module(struct module *mod, struct load_info *info)
107953 void *ptr;
107954
107955 /* Do the allocs. */
107956- ptr = module_alloc(mod->core_size);
107957+ ptr = module_alloc(mod->core_size_rw);
107958 /*
107959 * The pointer to this block is stored in the module structure
107960 * which is inside the block. Just mark it as not being a
107961@@ -2970,11 +3066,11 @@ static int move_module(struct module *mod, struct load_info *info)
107962 if (!ptr)
107963 return -ENOMEM;
107964
107965- memset(ptr, 0, mod->core_size);
107966- mod->module_core = ptr;
107967+ memset(ptr, 0, mod->core_size_rw);
107968+ mod->module_core_rw = ptr;
107969
107970- if (mod->init_size) {
107971- ptr = module_alloc(mod->init_size);
107972+ if (mod->init_size_rw) {
107973+ ptr = module_alloc(mod->init_size_rw);
107974 /*
107975 * The pointer to this block is stored in the module structure
107976 * which is inside the block. This block doesn't need to be
107977@@ -2983,13 +3079,45 @@ static int move_module(struct module *mod, struct load_info *info)
107978 */
107979 kmemleak_ignore(ptr);
107980 if (!ptr) {
107981- module_memfree(mod->module_core);
107982+ module_memfree(mod->module_core_rw);
107983 return -ENOMEM;
107984 }
107985- memset(ptr, 0, mod->init_size);
107986- mod->module_init = ptr;
107987+ memset(ptr, 0, mod->init_size_rw);
107988+ mod->module_init_rw = ptr;
107989 } else
107990- mod->module_init = NULL;
107991+ mod->module_init_rw = NULL;
107992+
107993+ ptr = module_alloc_exec(mod->core_size_rx);
107994+ kmemleak_not_leak(ptr);
107995+ if (!ptr) {
107996+ if (mod->module_init_rw)
107997+ module_memfree(mod->module_init_rw);
107998+ module_memfree(mod->module_core_rw);
107999+ return -ENOMEM;
108000+ }
108001+
108002+ pax_open_kernel();
108003+ memset(ptr, 0, mod->core_size_rx);
108004+ pax_close_kernel();
108005+ mod->module_core_rx = ptr;
108006+
108007+ if (mod->init_size_rx) {
108008+ ptr = module_alloc_exec(mod->init_size_rx);
108009+ kmemleak_ignore(ptr);
108010+ if (!ptr && mod->init_size_rx) {
108011+ module_memfree_exec(mod->module_core_rx);
108012+ if (mod->module_init_rw)
108013+ module_memfree(mod->module_init_rw);
108014+ module_memfree(mod->module_core_rw);
108015+ return -ENOMEM;
108016+ }
108017+
108018+ pax_open_kernel();
108019+ memset(ptr, 0, mod->init_size_rx);
108020+ pax_close_kernel();
108021+ mod->module_init_rx = ptr;
108022+ } else
108023+ mod->module_init_rx = NULL;
108024
108025 /* Transfer each section which specifies SHF_ALLOC */
108026 pr_debug("final section addresses:\n");
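Review bot: The test `if (!ptr && mod->init_size_rx)` in the init RX allocation repeats a condition the enclosing `if (mod->init_size_rx)` has already established; `if (!ptr) {` says the same thing. The three failure paths added here each spell out a longer list of frees by hand, and a goto-based unwind with one label per allocation would make it harder to miss one when a fifth region is added. The core RX region is allocated unconditionally, unlike the init regions, so a module with core_size_rx of 0 depends on how module_alloc_exec() treats a zero size, which is not visible in this hunk. move_module() starts and ends outside the hunk.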
108027@@ -3000,16 +3128,45 @@ static int move_module(struct module *mod, struct load_info *info)
108028 if (!(shdr->sh_flags & SHF_ALLOC))
108029 continue;
108030
108031- if (shdr->sh_entsize & INIT_OFFSET_MASK)
108032- dest = mod->module_init
108033- + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
108034- else
108035- dest = mod->module_core + shdr->sh_entsize;
108036+ if (shdr->sh_entsize & INIT_OFFSET_MASK) {
108037+ if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
108038+ dest = mod->module_init_rw
108039+ + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
108040+ else
108041+ dest = mod->module_init_rx
108042+ + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
108043+ } else {
108044+ if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
108045+ dest = mod->module_core_rw + shdr->sh_entsize;
108046+ else
108047+ dest = mod->module_core_rx + shdr->sh_entsize;
108048+ }
108049+
108050+ if (shdr->sh_type != SHT_NOBITS) {
108051+
108052+#ifdef CONFIG_PAX_KERNEXEC
108053+#ifdef CONFIG_X86_64
108054+ if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
108055+ set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
108056+#endif
108057+ if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
108058+ pax_open_kernel();
108059+ memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
108060+ pax_close_kernel();
108061+ } else
108062+#endif
108063
108064- if (shdr->sh_type != SHT_NOBITS)
108065 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
108066+ }
108067 /* Update sh_addr to point to copy in image. */
108068- shdr->sh_addr = (unsigned long)dest;
108069+
108070+#ifdef CONFIG_PAX_KERNEXEC
108071+ if (shdr->sh_flags & SHF_EXECINSTR)
108072+ shdr->sh_addr = ktva_ktla((unsigned long)dest);
108073+ else
108074+#endif
108075+
108076+ shdr->sh_addr = (unsigned long)dest;
108077 pr_debug("\t0x%lx %s\n",
108078 (long)shdr->sh_addr, info->secstrings + shdr->sh_name);
108079 }
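Review bot: The `set_memory_x()` call under CONFIG_X86_64 makes pages of the writable region executable for any section flagged both SHF_WRITE and SHF_EXECINSTR, which is the one place where this change gives up the RW/RX separation it otherwise builds. It deserves a comment naming the sections expected to reach it, and arguably a `pr_warn` with the module name so that writable-and-executable module memory shows up in the log. The page count `(shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT` ignores the offset of dest within its page, so it should be checked whether the last page is covered when dest is not page aligned. The `!(shdr->sh_flags & SHF_ALLOC)` and `(shdr->sh_flags & SHF_ALLOC)` tests added here cannot change the outcome, because the loop already skips sections without SHF_ALLOC just above. The `else` that dangles across `#endif` onto the plain memcpy() is easy to break in a later edit and would read better with braces inside the conditional block.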
108080@@ -3066,12 +3223,12 @@ static void flush_module_icache(const struct module *mod)
108081 * Do it before processing of module parameters, so the module
108082 * can provide parameter accessor functions of its own.
108083 */
108084- if (mod->module_init)
108085- flush_icache_range((unsigned long)mod->module_init,
108086- (unsigned long)mod->module_init
108087- + mod->init_size);
108088- flush_icache_range((unsigned long)mod->module_core,
108089- (unsigned long)mod->module_core + mod->core_size);
108090+ if (mod->module_init_rx)
108091+ flush_icache_range((unsigned long)mod->module_init_rx,
108092+ (unsigned long)mod->module_init_rx
108093+ + mod->init_size_rx);
108094+ flush_icache_range((unsigned long)mod->module_core_rx,
108095+ (unsigned long)mod->module_core_rx + mod->core_size_rx);
108096
108097 set_fs(old_fs);
108098 }
108099@@ -3129,8 +3286,10 @@ static void module_deallocate(struct module *mod, struct load_info *info)
108100 {
108101 percpu_modfree(mod);
108102 module_arch_freeing_init(mod);
108103- module_memfree(mod->module_init);
108104- module_memfree(mod->module_core);
108105+ module_memfree_exec(mod->module_init_rx);
108106+ module_memfree_exec(mod->module_core_rx);
108107+ module_memfree(mod->module_init_rw);
108108+ module_memfree(mod->module_core_rw);
108109 }
108110
108111 int __weak module_finalize(const Elf_Ehdr *hdr,
108112@@ -3143,7 +3302,9 @@ int __weak module_finalize(const Elf_Ehdr *hdr,
108113 static int post_relocation(struct module *mod, const struct load_info *info)
108114 {
108115 /* Sort exception table now relocations are done. */
108116+ pax_open_kernel();
108117 sort_extable(mod->extable, mod->extable + mod->num_exentries);
108118+ pax_close_kernel();
108119
108120 /* Copy relocated percpu area over. */
108121 percpu_modcopy(mod, (void *)info->sechdrs[info->index.pcpu].sh_addr,
108122@@ -3191,13 +3352,15 @@ static void do_mod_ctors(struct module *mod)
108123 /* For freeing module_init on success, in case kallsyms traversing */
108124 struct mod_initfree {
108125 struct rcu_head rcu;
108126- void *module_init;
108127+ void *module_init_rw;
108128+ void *module_init_rx;
108129 };
108130
108131 static void do_free_init(struct rcu_head *head)
108132 {
108133 struct mod_initfree *m = container_of(head, struct mod_initfree, rcu);
108134- module_memfree(m->module_init);
108135+ module_memfree(m->module_init_rw);
108136+ module_memfree_exec(m->module_init_rx);
108137 kfree(m);
108138 }
108139
108140@@ -3217,7 +3380,8 @@ static noinline int do_init_module(struct module *mod)
108141 ret = -ENOMEM;
108142 goto fail;
108143 }
108144- freeinit->module_init = mod->module_init;
108145+ freeinit->module_init_rw = mod->module_init_rw;
108146+ freeinit->module_init_rx = mod->module_init_rx;
108147
108148 /*
108149 * We want to find out whether @mod uses async during init. Clear
108150@@ -3277,10 +3441,10 @@ static noinline int do_init_module(struct module *mod)
108151 mod_tree_remove_init(mod);
108152 unset_module_init_ro_nx(mod);
108153 module_arch_freeing_init(mod);
108154- mod->module_init = NULL;
108155- mod->init_size = 0;
108156- mod->init_ro_size = 0;
108157- mod->init_text_size = 0;
108158+ mod->module_init_rw = NULL;
108159+ mod->module_init_rx = NULL;
108160+ mod->init_size_rw = 0;
108161+ mod->init_size_rx = 0;
108162 /*
108163 * We want to free module_init, but be aware that kallsyms may be
108164 * walking this with preempt disabled. In all the failure paths, we
108165@@ -3370,16 +3534,16 @@ static int complete_formation(struct module *mod, struct load_info *info)
108166 module_bug_finalize(info->hdr, info->sechdrs, mod);
108167
108168 /* Set RO and NX regions for core */
108169- set_section_ro_nx(mod->module_core,
108170- mod->core_text_size,
108171- mod->core_ro_size,
108172- mod->core_size);
108173+ set_section_ro_nx(mod->module_core_rx,
108174+ mod->core_size_rx,
108175+ mod->core_size_rx,
108176+ mod->core_size_rx);
108177
108178 /* Set RO and NX regions for init */
108179- set_section_ro_nx(mod->module_init,
108180- mod->init_text_size,
108181- mod->init_ro_size,
108182- mod->init_size);
108183+ set_section_ro_nx(mod->module_init_rx,
108184+ mod->init_size_rx,
108185+ mod->init_size_rx,
108186+ mod->init_size_rx);
108187
108188 /* Mark state as coming so strong_try_module_get() ignores us,
108189 * but kallsyms etc. can see us. */
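Review bot: The comments "Set RO and NX regions for core" and "for init" no longer describe the two set_section_ro_nx() calls, which now pass the same RX size for all three size arguments. Going by the argument order on the removed lines (text size, read-only size, total size), the whole RX region is treated as text and there is no tail left to mark non-executable. I would replace them with something like `/* RX regions hold only non-writable sections: make them read-only; NX for the RW regions is not set here */`, after confirming where the RW regions get their NX protection, since that is not visible in this hunk. It would also be worth stating whether read-only data placed in the RX region is intended to stay executable.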
108190@@ -3474,9 +3638,38 @@ static int load_module(struct load_info *info, const char __user *uargs,
108191 if (err)
108192 goto free_unload;
108193
108194+ /* Now copy in args */
108195+ mod->args = strndup_user(uargs, ~0UL >> 1);
108196+ if (IS_ERR(mod->args)) {
108197+ err = PTR_ERR(mod->args);
108198+ goto free_unload;
108199+ }
108200+
108201 /* Set up MODINFO_ATTR fields */
108202 setup_modinfo(mod, info);
108203
108204+#ifdef CONFIG_GRKERNSEC_MODHARDEN
108205+ {
108206+ char *p, *p2;
108207+
108208+ if (strstr(mod->args, "grsec_modharden_netdev")) {
108209+ printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
108210+ err = -EPERM;
108211+ goto free_modinfo;
108212+ } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
108213+ p += sizeof("grsec_modharden_normal") - 1;
108214+ p2 = strstr(p, "_");
108215+ if (p2) {
108216+ *p2 = '\0';
108217+ printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
108218+ *p2 = '_';
108219+ }
108220+ err = -EPERM;
108221+ goto free_modinfo;
108222+ }
108223+ }
108224+#endif
108225+
108226 /* Fix up syms, so that st_value is a pointer to location. */
108227 err = simplify_symbols(mod, info);
108228 if (err < 0)
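Review bot: The "uid" printed by the second denial message in the CONFIG_GRKERNSEC_MODHARDEN block is cut out of mod->args, which was copied from the user-supplied uargs a few lines earlier, so the log shows whatever text followed the marker rather than a value taken from credentials. A comment should say who is expected to put the marker there, and anyone reading these alerts should treat the field as untrusted. The first printk has no trailing newline, unlike the second; its format string should end in `instead.\n"`. When no `_` follows the marker the load is refused with -EPERM and nothing is logged, so a fallback message without the uid would keep denials visible. load_module() continues outside the hunk.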
108229@@ -3492,13 +3685,6 @@ static int load_module(struct load_info *info, const char __user *uargs,
108230
108231 flush_module_icache(mod);
108232
108233- /* Now copy in args */
108234- mod->args = strndup_user(uargs, ~0UL >> 1);
108235- if (IS_ERR(mod->args)) {
108236- err = PTR_ERR(mod->args);
108237- goto free_arch_cleanup;
108238- }
108239-
108240 dynamic_debug_setup(info->debug, info->num_debug);
108241
108242 /* Ftrace init must be called in the MODULE_STATE_UNFORMED state */
108243@@ -3550,11 +3736,10 @@ static int load_module(struct load_info *info, const char __user *uargs,
108244 ddebug_cleanup:
108245 dynamic_debug_remove(info->debug);
108246 synchronize_sched();
108247- kfree(mod->args);
108248- free_arch_cleanup:
108249 module_arch_cleanup(mod);
108250 free_modinfo:
108251 free_modinfo(mod);
108252+ kfree(mod->args);
108253 free_unload:
108254 module_unload_free(mod);
108255 unlink_mod:
108256@@ -3568,7 +3753,8 @@ static int load_module(struct load_info *info, const char __user *uargs,
108257 mutex_unlock(&module_mutex);
108258 free_module:
108259 /* Free lock-classes; relies on the preceding sync_rcu() */
108260- lockdep_free_key_range(mod->module_core, mod->core_size);
108261+ lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
108262+ lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
108263
108264 module_deallocate(mod, info);
108265 free_copy:
108266@@ -3645,10 +3831,16 @@ static const char *get_ksymbol(struct module *mod,
108267 unsigned long nextval;
108268
108269 /* At worse, next value is at end of module */
108270- if (within_module_init(addr, mod))
108271- nextval = (unsigned long)mod->module_init+mod->init_text_size;
108272+ if (within_module_init_rx(addr, mod))
108273+ nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
108274+ else if (within_module_init_rw(addr, mod))
108275+ nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
108276+ else if (within_module_core_rx(addr, mod))
108277+ nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
108278+ else if (within_module_core_rw(addr, mod))
108279+ nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
108280 else
108281- nextval = (unsigned long)mod->module_core+mod->core_text_size;
108282+ return NULL;
108283
108284 /* Scan for closest preceding symbol, and next symbol. (ELF
108285 starts real symbols at 1). */
108286@@ -3895,7 +4087,7 @@ static int m_show(struct seq_file *m, void *p)
108287 return 0;
108288
108289 seq_printf(m, "%s %u",
108290- mod->name, mod->init_size + mod->core_size);
108291+ mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
108292 print_unload_info(m, mod);
108293
108294 /* Informative for users. */
108295@@ -3904,7 +4096,7 @@ static int m_show(struct seq_file *m, void *p)
108296 mod->state == MODULE_STATE_COMING ? "Loading" :
108297 "Live");
108298 /* Used by oprofile and other similar tools. */
108299- seq_printf(m, " 0x%pK", mod->module_core);
108300+ seq_printf(m, " 0x%pK 0x%pK", mod->module_core_rx, mod->module_core_rw);
108301
108302 /* Taints info */
108303 if (mod->taints)
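Review bot: Printing two addresses with `" 0x%pK 0x%pK"` adds a field to every line of /proc/modules, and the comment directly above says this value is consumed by oprofile and similar tools. Parsers that read the address as a single field and expect the taint flags next may misread the new column. If the second address is needed, I would document the changed layout in a comment here and name the RX address as the one that keeps the old position, for example `/* core RX base first (old field position), then core RW base */`. m_show() starts and ends outside the hunk.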
108304@@ -3940,7 +4132,17 @@ static const struct file_operations proc_modules_operations = {
108305
108306 static int __init proc_modules_init(void)
108307 {
108308+#ifndef CONFIG_GRKERNSEC_HIDESYM
108309+#ifdef CONFIG_GRKERNSEC_PROC_USER
108310+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
108311+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
108312+ proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
108313+#else
108314 proc_create("modules", 0, NULL, &proc_modules_operations);
108315+#endif
108316+#else
108317+ proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
108318+#endif
108319 return 0;
108320 }
108321 module_init(proc_modules_init);
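Review bot: The nested `#ifndef CONFIG_GRKERNSEC_HIDESYM` / `#ifdef CONFIG_GRKERNSEC_PROC_USER` ladder contains the same `proc_create("modules", S_IRUSR, ...)` call twice, which makes it harder to see that there are only three outcomes. Opening with `#if defined(CONFIG_GRKERNSEC_HIDESYM) || defined(CONFIG_GRKERNSEC_PROC_USER)` and keeping the `#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)` and `#else` branches gives the same result with one call per mode. For the S_IRUSR | S_IRGRP case a short comment should say which group ends up owning the entry, because no gid is set in this function and the group-read bit only helps if ownership is adjusted elsewhere.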
108322@@ -4001,7 +4203,8 @@ struct module *__module_address(unsigned long addr)
108323 {
108324 struct module *mod;
108325
108326- if (addr < module_addr_min || addr > module_addr_max)
108327+ if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
108328+ (addr < module_addr_min_rw || addr > module_addr_max_rw))
108329 return NULL;
108330
108331 module_assert_mutex_or_preempt();
108332@@ -4044,11 +4247,20 @@ bool is_module_text_address(unsigned long addr)
108333 */
108334 struct module *__module_text_address(unsigned long addr)
108335 {
108336- struct module *mod = __module_address(addr);
108337+ struct module *mod;
108338+
108339+#ifdef CONFIG_X86_32
108340+ addr = ktla_ktva(addr);
108341+#endif
108342+
108343+ if (addr < module_addr_min_rx || addr > module_addr_max_rx)
108344+ return NULL;
108345+
108346+ mod = __module_address(addr);
108347+
108348 if (mod) {
108349 /* Make sure it's within the text section. */
108350- if (!within(addr, mod->module_init, mod->init_text_size)
108351- && !within(addr, mod->module_core, mod->core_text_size))
108352+ if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
108353 mod = NULL;
108354 }
108355 return mod;
108356diff --git a/kernel/notifier.c b/kernel/notifier.c
108357index ae9fc7c..5085fbf 100644
108358--- a/kernel/notifier.c
108359+++ b/kernel/notifier.c
108360@@ -5,6 +5,7 @@
108361 #include <linux/rcupdate.h>
108362 #include <linux/vmalloc.h>
108363 #include <linux/reboot.h>
108364+#include <linux/mm.h>
108365
108366 /*
108367 * Notifier list for kernel code which wants to be called
108368@@ -24,10 +25,12 @@ static int notifier_chain_register(struct notifier_block **nl,
108369 while ((*nl) != NULL) {
108370 if (n->priority > (*nl)->priority)
108371 break;
108372- nl = &((*nl)->next);
108373+ nl = (struct notifier_block **)&((*nl)->next);
108374 }
108375- n->next = *nl;
108376+ pax_open_kernel();
108377+ *(const void **)&n->next = *nl;
108378 rcu_assign_pointer(*nl, n);
108379+ pax_close_kernel();
108380 return 0;
108381 }
108382
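Review bot: The casts `(struct notifier_block **)&((*nl)->next)` and `*(const void **)&n->next = *nl` write through a field that is presumably declared const elsewhere in this patch, and nothing here says so; the same pattern recurs in the notifier_chain_cond_register() and notifier_chain_unregister() hunks below. I would add a comment at the first occurrence, for example `/* notifier_block may live in read-only memory; writes need the pax_open_kernel() window */`. A small static helper that performs the link update would also keep the cast and the open/close pair in one place rather than three. As written, every registration opens the write window, including for blocks that sit in ordinary writable memory, so it is worth confirming that this is intended.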
108383@@ -39,10 +42,12 @@ static int notifier_chain_cond_register(struct notifier_block **nl,
108384 return 0;
108385 if (n->priority > (*nl)->priority)
108386 break;
108387- nl = &((*nl)->next);
108388+ nl = (struct notifier_block **)&((*nl)->next);
108389 }
108390- n->next = *nl;
108391+ pax_open_kernel();
108392+ *(const void **)&n->next = *nl;
108393 rcu_assign_pointer(*nl, n);
108394+ pax_close_kernel();
108395 return 0;
108396 }
108397
108398@@ -51,10 +56,12 @@ static int notifier_chain_unregister(struct notifier_block **nl,
108399 {
108400 while ((*nl) != NULL) {
108401 if ((*nl) == n) {
108402+ pax_open_kernel();
108403 rcu_assign_pointer(*nl, n->next);
108404+ pax_close_kernel();
108405 return 0;
108406 }
108407- nl = &((*nl)->next);
108408+ nl = (struct notifier_block **)&((*nl)->next);
108409 }
108410 return -ENOENT;
108411 }
108412diff --git a/kernel/padata.c b/kernel/padata.c
108413index b38bea9..91acfbe 100644
108414--- a/kernel/padata.c
108415+++ b/kernel/padata.c
108416@@ -54,7 +54,7 @@ static int padata_cpu_hash(struct parallel_data *pd)
108417 * seq_nr mod. number of cpus in use.
108418 */
108419
108420- seq_nr = atomic_inc_return(&pd->seq_nr);
108421+ seq_nr = atomic_inc_return_unchecked(&pd->seq_nr);
108422 cpu_index = seq_nr % cpumask_weight(pd->cpumask.pcpu);
108423
108424 return padata_index_to_cpu(pd, cpu_index);
108425@@ -428,7 +428,7 @@ static struct parallel_data *padata_alloc_pd(struct padata_instance *pinst,
108426 padata_init_pqueues(pd);
108427 padata_init_squeues(pd);
108428 setup_timer(&pd->timer, padata_reorder_timer, (unsigned long)pd);
108429- atomic_set(&pd->seq_nr, -1);
108430+ atomic_set_unchecked(&pd->seq_nr, -1);
108431 atomic_set(&pd->reorder_objects, 0);
108432 atomic_set(&pd->refcnt, 0);
108433 pd->pinst = pinst;
108434diff --git a/kernel/panic.c b/kernel/panic.c
108435index 04e91ff..2419384 100644
108436--- a/kernel/panic.c
108437+++ b/kernel/panic.c
108438@@ -54,7 +54,7 @@ EXPORT_SYMBOL(panic_blink);
108439 /*
108440 * Stop ourself in panic -- architecture code may override this
108441 */
108442-void __weak panic_smp_self_stop(void)
108443+void __weak __noreturn panic_smp_self_stop(void)
108444 {
108445 while (1)
108446 cpu_relax();
108447@@ -426,7 +426,7 @@ static void warn_slowpath_common(const char *file, int line, void *caller,
108448 disable_trace_on_warning();
108449
108450 pr_warn("------------[ cut here ]------------\n");
108451- pr_warn("WARNING: CPU: %d PID: %d at %s:%d %pS()\n",
108452+ pr_warn("WARNING: CPU: %d PID: %d at %s:%d %pA()\n",
108453 raw_smp_processor_id(), current->pid, file, line, caller);
108454
108455 if (args)
108456@@ -491,7 +491,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
108457 */
108458 __visible void __stack_chk_fail(void)
108459 {
108460- panic("stack-protector: Kernel stack is corrupted in: %p\n",
108461+ dump_stack();
108462+ panic("stack-protector: Kernel stack is corrupted in: %pA\n",
108463 __builtin_return_address(0));
108464 }
108465 EXPORT_SYMBOL(__stack_chk_fail);
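Review bot: The added `dump_stack()` in __stack_chk_fail() prints a trace before the panic message, and panic() itself dumps the stack when CONFIG_DEBUG_BUGVERBOSE is set, so on such builds the same trace appears twice. If the early dump is meant to capture the trace before panic() does anything else, a comment such as `/* dump first: panic() only prints a trace with CONFIG_DEBUG_BUGVERBOSE */` would record the reason. The walk also runs over a stack just found to be corrupted, so the output should be treated as best effort.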
108466diff --git a/kernel/pid.c b/kernel/pid.c
108467index 4fd07d5..02bce4f 100644
108468--- a/kernel/pid.c
108469+++ b/kernel/pid.c
108470@@ -33,6 +33,7 @@
108471 #include <linux/rculist.h>
108472 #include <linux/bootmem.h>
108473 #include <linux/hash.h>
108474+#include <linux/security.h>
108475 #include <linux/pid_namespace.h>
108476 #include <linux/init_task.h>
108477 #include <linux/syscalls.h>
108478@@ -47,7 +48,7 @@ struct pid init_struct_pid = INIT_STRUCT_PID;
108479
108480 int pid_max = PID_MAX_DEFAULT;
108481
108482-#define RESERVED_PIDS 300
108483+#define RESERVED_PIDS 500
108484
108485 int pid_max_min = RESERVED_PIDS + 1;
108486 int pid_max_max = PID_MAX_LIMIT;
108487@@ -451,10 +452,18 @@ EXPORT_SYMBOL(pid_task);
108488 */
108489 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
108490 {
108491+ struct task_struct *task;
108492+
108493 rcu_lockdep_assert(rcu_read_lock_held(),
108494 "find_task_by_pid_ns() needs rcu_read_lock()"
108495 " protection");
108496- return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
108497+
108498+ task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
108499+
108500+ if (gr_pid_is_chrooted(task))
108501+ return NULL;
108502+
108503+ return task;
108504 }
108505
108506 struct task_struct *find_task_by_vpid(pid_t vnr)
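Review bot: In find_task_by_pid_ns() the result of pid_task() is passed to `gr_pid_is_chrooted(task)` without a NULL test, and pid_task() returns NULL when no task matches. Whether gr_pid_is_chrooted() tolerates NULL is not visible in this hunk; making the contract explicit with `if (task && gr_pid_is_chrooted(task))` costs nothing and removes the dependency. The function's comment block, which starts above the hunk, should also mention that a task hidden by the chroot restriction is reported as not found, since callers cannot tell the two cases apart.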
108507@@ -462,6 +471,14 @@ struct task_struct *find_task_by_vpid(pid_t vnr)
108508 return find_task_by_pid_ns(vnr, task_active_pid_ns(current));
108509 }
108510
108511+struct task_struct *find_task_by_vpid_unrestricted(pid_t vnr)
108512+{
108513+ rcu_lockdep_assert(rcu_read_lock_held(),
108514+ "find_task_by_pid_ns() needs rcu_read_lock()"
108515+ " protection");
108516+ return pid_task(find_pid_ns(vnr, task_active_pid_ns(current)), PIDTYPE_PID);
108517+}
108518+
108519 struct pid *get_task_pid(struct task_struct *task, enum pid_type type)
108520 {
108521 struct pid *pid;
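Review bot: The lockdep message in the new find_task_by_vpid_unrestricted() still reads "find_task_by_pid_ns() needs rcu_read_lock()", copied from the function above, so a splat would point at the wrong function; it should read `"find_task_by_vpid_unrestricted() needs rcu_read_lock()"`. The function also has no comment, although its purpose is to skip the gr_pid_is_chrooted() filter that find_task_by_pid_ns() now applies. A short header stating which callers may use the unrestricted lookup, and why, would keep it from being picked up as a convenient bypass later.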
108522diff --git a/kernel/pid_namespace.c b/kernel/pid_namespace.c
108523index a65ba13..f600dbb 100644
108524--- a/kernel/pid_namespace.c
108525+++ b/kernel/pid_namespace.c
108526@@ -274,7 +274,7 @@ static int pid_ns_ctl_handler(struct ctl_table *table, int write,
108527 void __user *buffer, size_t *lenp, loff_t *ppos)
108528 {
108529 struct pid_namespace *pid_ns = task_active_pid_ns(current);
108530- struct ctl_table tmp = *table;
108531+ ctl_table_no_const tmp = *table;
108532
108533 if (write && !ns_capable(pid_ns->user_ns, CAP_SYS_ADMIN))
108534 return -EPERM;
108535diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig
108536index 9e30231..75a6d97 100644
108537--- a/kernel/power/Kconfig
108538+++ b/kernel/power/Kconfig
108539@@ -24,6 +24,8 @@ config HIBERNATE_CALLBACKS
108540 config HIBERNATION
108541 bool "Hibernation (aka 'suspend to disk')"
108542 depends on SWAP && ARCH_HIBERNATION_POSSIBLE
108543+ depends on !GRKERNSEC_KMEM
108544+ depends on !PAX_MEMORY_SANITIZE
108545 select HIBERNATE_CALLBACKS
108546 select LZO_COMPRESS
108547 select LZO_DECOMPRESS
108548diff --git a/kernel/power/process.c b/kernel/power/process.c
108549index 564f786..361a18e 100644
108550--- a/kernel/power/process.c
108551+++ b/kernel/power/process.c
108552@@ -35,6 +35,7 @@ static int try_to_freeze_tasks(bool user_only)
108553 unsigned int elapsed_msecs;
108554 bool wakeup = false;
108555 int sleep_usecs = USEC_PER_MSEC;
108556+ bool timedout = false;
108557
108558 do_gettimeofday(&start);
108559
108560@@ -45,13 +46,20 @@ static int try_to_freeze_tasks(bool user_only)
108561
108562 while (true) {
108563 todo = 0;
108564+ if (time_after(jiffies, end_time))
108565+ timedout = true;
108566 read_lock(&tasklist_lock);
108567 for_each_process_thread(g, p) {
108568 if (p == current || !freeze_task(p))
108569 continue;
108570
108571- if (!freezer_should_skip(p))
108572+ if (!freezer_should_skip(p)) {
108573 todo++;
108574+ if (timedout) {
108575+ printk(KERN_ERR "Task refusing to freeze:\n");
108576+ sched_show_task(p);
108577+ }
108578+ }
108579 }
108580 read_unlock(&tasklist_lock);
108581
108582@@ -60,7 +68,7 @@ static int try_to_freeze_tasks(bool user_only)
108583 todo += wq_busy;
108584 }
108585
108586- if (!todo || time_after(jiffies, end_time))
108587+ if (!todo || timedout)
108588 break;
108589
108590 if (pm_wakeup_pending()) {
108591diff --git a/kernel/printk/printk.c b/kernel/printk/printk.c
108592index cf8c242..84e7843 100644
108593--- a/kernel/printk/printk.c
108594+++ b/kernel/printk/printk.c
108595@@ -475,7 +475,7 @@ static int log_store(int facility, int level,
108596 return msg->text_len;
108597 }
108598
108599-int dmesg_restrict = IS_ENABLED(CONFIG_SECURITY_DMESG_RESTRICT);
108600+int dmesg_restrict __read_only = IS_ENABLED(CONFIG_SECURITY_DMESG_RESTRICT);
108601
108602 static int syslog_action_restricted(int type)
108603 {
108604@@ -498,6 +498,11 @@ int check_syslog_permissions(int type, int source)
108605 if (source == SYSLOG_FROM_PROC && type != SYSLOG_ACTION_OPEN)
108606 goto ok;
108607
108608+#ifdef CONFIG_GRKERNSEC_DMESG
108609+ if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
108610+ return -EPERM;
108611+#endif
108612+
108613 if (syslog_action_restricted(type)) {
108614 if (capable(CAP_SYSLOG))
108615 goto ok;
108616diff --git a/kernel/profile.c b/kernel/profile.c
108617index a7bcd28..5b368fa 100644
108618--- a/kernel/profile.c
108619+++ b/kernel/profile.c
108620@@ -37,7 +37,7 @@ struct profile_hit {
108621 #define NR_PROFILE_HIT (PAGE_SIZE/sizeof(struct profile_hit))
108622 #define NR_PROFILE_GRP (NR_PROFILE_HIT/PROFILE_GRPSZ)
108623
108624-static atomic_t *prof_buffer;
108625+static atomic_unchecked_t *prof_buffer;
108626 static unsigned long prof_len, prof_shift;
108627
108628 int prof_on __read_mostly;
108629@@ -256,7 +256,7 @@ static void profile_flip_buffers(void)
108630 hits[i].pc = 0;
108631 continue;
108632 }
108633- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
108634+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
108635 hits[i].hits = hits[i].pc = 0;
108636 }
108637 }
108638@@ -317,9 +317,9 @@ static void do_profile_hits(int type, void *__pc, unsigned int nr_hits)
108639 * Add the current hit(s) and flush the write-queue out
108640 * to the global buffer:
108641 */
108642- atomic_add(nr_hits, &prof_buffer[pc]);
108643+ atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
108644 for (i = 0; i < NR_PROFILE_HIT; ++i) {
108645- atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
108646+ atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
108647 hits[i].pc = hits[i].hits = 0;
108648 }
108649 out:
108650@@ -394,7 +394,7 @@ static void do_profile_hits(int type, void *__pc, unsigned int nr_hits)
108651 {
108652 unsigned long pc;
108653 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
108654- atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
108655+ atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
108656 }
108657 #endif /* !CONFIG_SMP */
108658
108659@@ -489,7 +489,7 @@ read_profile(struct file *file, char __user *buf, size_t count, loff_t *ppos)
108660 return -EFAULT;
108661 buf++; p++; count--; read++;
108662 }
108663- pnt = (char *)prof_buffer + p - sizeof(atomic_t);
108664+ pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
108665 if (copy_to_user(buf, (void *)pnt, count))
108666 return -EFAULT;
108667 read += count;
108668@@ -520,7 +520,7 @@ static ssize_t write_profile(struct file *file, const char __user *buf,
108669 }
108670 #endif
108671 profile_discard_flip_buffers();
108672- memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
108673+ memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
108674 return count;
108675 }
108676
108677diff --git a/kernel/ptrace.c b/kernel/ptrace.c
108678index c8e0e05..2be5614 100644
108679--- a/kernel/ptrace.c
108680+++ b/kernel/ptrace.c
108681@@ -321,7 +321,7 @@ static int ptrace_attach(struct task_struct *task, long request,
108682 if (seize)
108683 flags |= PT_SEIZED;
108684 rcu_read_lock();
108685- if (ns_capable(__task_cred(task)->user_ns, CAP_SYS_PTRACE))
108686+ if (ns_capable_nolog(__task_cred(task)->user_ns, CAP_SYS_PTRACE))
108687 flags |= PT_PTRACE_CAP;
108688 rcu_read_unlock();
108689 task->ptrace = flags;
108690@@ -514,7 +514,7 @@ int ptrace_readdata(struct task_struct *tsk, unsigned long src, char __user *dst
108691 break;
108692 return -EIO;
108693 }
108694- if (copy_to_user(dst, buf, retval))
108695+ if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
108696 return -EFAULT;
108697 copied += retval;
108698 src += retval;
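Review bot: The added bound `retval > sizeof(buf)` in ptrace_readdata() compares retval with a size_t, so if retval is a signed int (its declaration is outside the hunk) a negative value is rejected only through the implicit conversion to unsigned. Writing `retval < 0 || (size_t)retval > sizeof(buf)` states that intent and avoids a sign-compare warning. A comment such as `/* never copy more than the bounce buffer holds, whatever access_process_vm() reported */` would explain why a length check sits in front of copy_to_user(). It is also worth checking that the write path has a matching guard, which this hunk does not show.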
108699@@ -802,7 +802,7 @@ int ptrace_request(struct task_struct *child, long request,
108700 bool seized = child->ptrace & PT_SEIZED;
108701 int ret = -EIO;
108702 siginfo_t siginfo, *si;
108703- void __user *datavp = (void __user *) data;
108704+ void __user *datavp = (__force void __user *) data;
108705 unsigned long __user *datalp = datavp;
108706 unsigned long flags;
108707
108708@@ -1048,14 +1048,21 @@ SYSCALL_DEFINE4(ptrace, long, request, long, pid, unsigned long, addr,
108709 goto out;
108710 }
108711
108712+ if (gr_handle_ptrace(child, request)) {
108713+ ret = -EPERM;
108714+ goto out_put_task_struct;
108715+ }
108716+
108717 if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
108718 ret = ptrace_attach(child, request, addr, data);
108719 /*
108720 * Some architectures need to do book-keeping after
108721 * a ptrace attach.
108722 */
108723- if (!ret)
108724+ if (!ret) {
108725 arch_ptrace_attach(child);
108726+ gr_audit_ptrace(child);
108727+ }
108728 goto out_put_task_struct;
108729 }
108730
108731@@ -1083,7 +1090,7 @@ int generic_ptrace_peekdata(struct task_struct *tsk, unsigned long addr,
108732 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
108733 if (copied != sizeof(tmp))
108734 return -EIO;
108735- return put_user(tmp, (unsigned long __user *)data);
108736+ return put_user(tmp, (__force unsigned long __user *)data);
108737 }
108738
108739 int generic_ptrace_pokedata(struct task_struct *tsk, unsigned long addr,
108740@@ -1176,7 +1183,7 @@ int compat_ptrace_request(struct task_struct *child, compat_long_t request,
108741 }
108742
108743 COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
108744- compat_long_t, addr, compat_long_t, data)
108745+ compat_ulong_t, addr, compat_ulong_t, data)
108746 {
108747 struct task_struct *child;
108748 long ret;
108749@@ -1192,14 +1199,21 @@ COMPAT_SYSCALL_DEFINE4(ptrace, compat_long_t, request, compat_long_t, pid,
108750 goto out;
108751 }
108752
108753+ if (gr_handle_ptrace(child, request)) {
108754+ ret = -EPERM;
108755+ goto out_put_task_struct;
108756+ }
108757+
108758 if (request == PTRACE_ATTACH || request == PTRACE_SEIZE) {
108759 ret = ptrace_attach(child, request, addr, data);
108760 /*
108761 * Some architectures need to do book-keeping after
108762 * a ptrace attach.
108763 */
108764- if (!ret)
108765+ if (!ret) {
108766 arch_ptrace_attach(child);
108767+ gr_audit_ptrace(child);
108768+ }
108769 goto out_put_task_struct;
108770 }
108771
108772diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c
108773index 59e32684..d2eb3d9 100644
108774--- a/kernel/rcu/rcutorture.c
108775+++ b/kernel/rcu/rcutorture.c
108776@@ -134,12 +134,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1],
108777 rcu_torture_count) = { 0 };
108778 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1],
108779 rcu_torture_batch) = { 0 };
108780-static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
108781-static atomic_t n_rcu_torture_alloc;
108782-static atomic_t n_rcu_torture_alloc_fail;
108783-static atomic_t n_rcu_torture_free;
108784-static atomic_t n_rcu_torture_mberror;
108785-static atomic_t n_rcu_torture_error;
108786+static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
108787+static atomic_unchecked_t n_rcu_torture_alloc;
108788+static atomic_unchecked_t n_rcu_torture_alloc_fail;
108789+static atomic_unchecked_t n_rcu_torture_free;
108790+static atomic_unchecked_t n_rcu_torture_mberror;
108791+static atomic_unchecked_t n_rcu_torture_error;
108792 static long n_rcu_torture_barrier_error;
108793 static long n_rcu_torture_boost_ktrerror;
108794 static long n_rcu_torture_boost_rterror;
108795@@ -148,7 +148,7 @@ static long n_rcu_torture_boosts;
108796 static long n_rcu_torture_timers;
108797 static long n_barrier_attempts;
108798 static long n_barrier_successes;
108799-static atomic_long_t n_cbfloods;
108800+static atomic_long_unchecked_t n_cbfloods;
108801 static struct list_head rcu_torture_removed;
108802
108803 static int rcu_torture_writer_state;
108804@@ -211,11 +211,11 @@ rcu_torture_alloc(void)
108805
108806 spin_lock_bh(&rcu_torture_lock);
108807 if (list_empty(&rcu_torture_freelist)) {
108808- atomic_inc(&n_rcu_torture_alloc_fail);
108809+ atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
108810 spin_unlock_bh(&rcu_torture_lock);
108811 return NULL;
108812 }
108813- atomic_inc(&n_rcu_torture_alloc);
108814+ atomic_inc_unchecked(&n_rcu_torture_alloc);
108815 p = rcu_torture_freelist.next;
108816 list_del_init(p);
108817 spin_unlock_bh(&rcu_torture_lock);
108818@@ -228,7 +228,7 @@ rcu_torture_alloc(void)
108819 static void
108820 rcu_torture_free(struct rcu_torture *p)
108821 {
108822- atomic_inc(&n_rcu_torture_free);
108823+ atomic_inc_unchecked(&n_rcu_torture_free);
108824 spin_lock_bh(&rcu_torture_lock);
108825 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
108826 spin_unlock_bh(&rcu_torture_lock);
108827@@ -309,7 +309,7 @@ rcu_torture_pipe_update_one(struct rcu_torture *rp)
108828 i = rp->rtort_pipe_count;
108829 if (i > RCU_TORTURE_PIPE_LEN)
108830 i = RCU_TORTURE_PIPE_LEN;
108831- atomic_inc(&rcu_torture_wcount[i]);
108832+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
108833 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
108834 rp->rtort_mbtest = 0;
108835 return true;
108836@@ -830,7 +830,7 @@ rcu_torture_cbflood(void *arg)
108837 VERBOSE_TOROUT_STRING("rcu_torture_cbflood task started");
108838 do {
108839 schedule_timeout_interruptible(cbflood_inter_holdoff);
108840- atomic_long_inc(&n_cbfloods);
108841+ atomic_long_inc_unchecked(&n_cbfloods);
108842 WARN_ON(signal_pending(current));
108843 for (i = 0; i < cbflood_n_burst; i++) {
108844 for (j = 0; j < cbflood_n_per_burst; j++) {
108845@@ -957,7 +957,7 @@ rcu_torture_writer(void *arg)
108846 i = old_rp->rtort_pipe_count;
108847 if (i > RCU_TORTURE_PIPE_LEN)
108848 i = RCU_TORTURE_PIPE_LEN;
108849- atomic_inc(&rcu_torture_wcount[i]);
108850+ atomic_inc_unchecked(&rcu_torture_wcount[i]);
108851 old_rp->rtort_pipe_count++;
108852 switch (synctype[torture_random(&rand) % nsynctypes]) {
108853 case RTWS_DEF_FREE:
108854@@ -1095,7 +1095,7 @@ static void rcu_torture_timer(unsigned long unused)
108855 return;
108856 }
108857 if (p->rtort_mbtest == 0)
108858- atomic_inc(&n_rcu_torture_mberror);
108859+ atomic_inc_unchecked(&n_rcu_torture_mberror);
108860 spin_lock(&rand_lock);
108861 cur_ops->read_delay(&rand);
108862 n_rcu_torture_timers++;
108863@@ -1170,7 +1170,7 @@ rcu_torture_reader(void *arg)
108864 continue;
108865 }
108866 if (p->rtort_mbtest == 0)
108867- atomic_inc(&n_rcu_torture_mberror);
108868+ atomic_inc_unchecked(&n_rcu_torture_mberror);
108869 cur_ops->read_delay(&rand);
108870 preempt_disable();
108871 pipe_count = p->rtort_pipe_count;
108872@@ -1239,11 +1239,11 @@ rcu_torture_stats_print(void)
108873 rcu_torture_current,
108874 rcu_torture_current_version,
108875 list_empty(&rcu_torture_freelist),
108876- atomic_read(&n_rcu_torture_alloc),
108877- atomic_read(&n_rcu_torture_alloc_fail),
108878- atomic_read(&n_rcu_torture_free));
108879+ atomic_read_unchecked(&n_rcu_torture_alloc),
108880+ atomic_read_unchecked(&n_rcu_torture_alloc_fail),
108881+ atomic_read_unchecked(&n_rcu_torture_free));
108882 pr_cont("rtmbe: %d rtbke: %ld rtbre: %ld ",
108883- atomic_read(&n_rcu_torture_mberror),
108884+ atomic_read_unchecked(&n_rcu_torture_mberror),
108885 n_rcu_torture_boost_ktrerror,
108886 n_rcu_torture_boost_rterror);
108887 pr_cont("rtbf: %ld rtb: %ld nt: %ld ",
108888@@ -1255,17 +1255,17 @@ rcu_torture_stats_print(void)
108889 n_barrier_successes,
108890 n_barrier_attempts,
108891 n_rcu_torture_barrier_error);
108892- pr_cont("cbflood: %ld\n", atomic_long_read(&n_cbfloods));
108893+ pr_cont("cbflood: %ld\n", atomic_long_read_unchecked(&n_cbfloods));
108894
108895 pr_alert("%s%s ", torture_type, TORTURE_FLAG);
108896- if (atomic_read(&n_rcu_torture_mberror) != 0 ||
108897+ if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0 ||
108898 n_rcu_torture_barrier_error != 0 ||
108899 n_rcu_torture_boost_ktrerror != 0 ||
108900 n_rcu_torture_boost_rterror != 0 ||
108901 n_rcu_torture_boost_failure != 0 ||
108902 i > 1) {
108903 pr_cont("%s", "!!! ");
108904- atomic_inc(&n_rcu_torture_error);
108905+ atomic_inc_unchecked(&n_rcu_torture_error);
108906 WARN_ON_ONCE(1);
108907 }
108908 pr_cont("Reader Pipe: ");
108909@@ -1282,7 +1282,7 @@ rcu_torture_stats_print(void)
108910 pr_alert("%s%s ", torture_type, TORTURE_FLAG);
108911 pr_cont("Free-Block Circulation: ");
108912 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
108913- pr_cont(" %d", atomic_read(&rcu_torture_wcount[i]));
108914+ pr_cont(" %d", atomic_read_unchecked(&rcu_torture_wcount[i]));
108915 }
108916 pr_cont("\n");
108917
108918@@ -1636,7 +1636,7 @@ rcu_torture_cleanup(void)
108919
108920 rcu_torture_stats_print(); /* -After- the stats thread is stopped! */
108921
108922- if (atomic_read(&n_rcu_torture_error) || n_rcu_torture_barrier_error)
108923+ if (atomic_read_unchecked(&n_rcu_torture_error) || n_rcu_torture_barrier_error)
108924 rcu_torture_print_module_parms(cur_ops, "End of test: FAILURE");
108925 else if (torture_onoff_failures())
108926 rcu_torture_print_module_parms(cur_ops,
108927@@ -1761,18 +1761,18 @@ rcu_torture_init(void)
108928
108929 rcu_torture_current = NULL;
108930 rcu_torture_current_version = 0;
108931- atomic_set(&n_rcu_torture_alloc, 0);
108932- atomic_set(&n_rcu_torture_alloc_fail, 0);
108933- atomic_set(&n_rcu_torture_free, 0);
108934- atomic_set(&n_rcu_torture_mberror, 0);
108935- atomic_set(&n_rcu_torture_error, 0);
108936+ atomic_set_unchecked(&n_rcu_torture_alloc, 0);
108937+ atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
108938+ atomic_set_unchecked(&n_rcu_torture_free, 0);
108939+ atomic_set_unchecked(&n_rcu_torture_mberror, 0);
108940+ atomic_set_unchecked(&n_rcu_torture_error, 0);
108941 n_rcu_torture_barrier_error = 0;
108942 n_rcu_torture_boost_ktrerror = 0;
108943 n_rcu_torture_boost_rterror = 0;
108944 n_rcu_torture_boost_failure = 0;
108945 n_rcu_torture_boosts = 0;
108946 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
108947- atomic_set(&rcu_torture_wcount[i], 0);
108948+ atomic_set_unchecked(&rcu_torture_wcount[i], 0);
108949 for_each_possible_cpu(cpu) {
108950 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
108951 per_cpu(rcu_torture_count, cpu)[i] = 0;
108952diff --git a/kernel/rcu/tiny.c b/kernel/rcu/tiny.c
108953index c291bd6..8a01679 100644
108954--- a/kernel/rcu/tiny.c
108955+++ b/kernel/rcu/tiny.c
108956@@ -42,7 +42,7 @@
108957 /* Forward declarations for tiny_plugin.h. */
108958 struct rcu_ctrlblk;
108959 static void __rcu_process_callbacks(struct rcu_ctrlblk *rcp);
108960-static void rcu_process_callbacks(struct softirq_action *unused);
108961+static void rcu_process_callbacks(void);
108962 static void __call_rcu(struct rcu_head *head,
108963 void (*func)(struct rcu_head *rcu),
108964 struct rcu_ctrlblk *rcp);
108965@@ -170,7 +170,7 @@ static void __rcu_process_callbacks(struct rcu_ctrlblk *rcp)
108966 false));
108967 }
108968
108969-static void rcu_process_callbacks(struct softirq_action *unused)
108970+static __latent_entropy void rcu_process_callbacks(void)
108971 {
108972 __rcu_process_callbacks(&rcu_sched_ctrlblk);
108973 __rcu_process_callbacks(&rcu_bh_ctrlblk);
108974diff --git a/kernel/rcu/tree.c b/kernel/rcu/tree.c
108975index 65137bc..775d7ad 100644
108976--- a/kernel/rcu/tree.c
108977+++ b/kernel/rcu/tree.c
108978@@ -326,7 +326,7 @@ static void rcu_momentary_dyntick_idle(void)
108979 */
108980 rdtp = this_cpu_ptr(&rcu_dynticks);
108981 smp_mb__before_atomic(); /* Earlier stuff before QS. */
108982- atomic_add(2, &rdtp->dynticks); /* QS. */
108983+ atomic_add_unchecked(2, &rdtp->dynticks); /* QS. */
108984 smp_mb__after_atomic(); /* Later stuff after QS. */
108985 break;
108986 }
108987@@ -639,10 +639,10 @@ static void rcu_eqs_enter_common(long long oldval, bool user)
108988 rcu_prepare_for_idle();
108989 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
108990 smp_mb__before_atomic(); /* See above. */
108991- atomic_inc(&rdtp->dynticks);
108992+ atomic_inc_unchecked(&rdtp->dynticks);
108993 smp_mb__after_atomic(); /* Force ordering with next sojourn. */
108994 WARN_ON_ONCE(IS_ENABLED(CONFIG_RCU_EQS_DEBUG) &&
108995- atomic_read(&rdtp->dynticks) & 0x1);
108996+ atomic_read_unchecked(&rdtp->dynticks) & 0x1);
108997 rcu_dynticks_task_enter();
108998
108999 /*
109000@@ -765,11 +765,11 @@ static void rcu_eqs_exit_common(long long oldval, int user)
109001
109002 rcu_dynticks_task_exit();
109003 smp_mb__before_atomic(); /* Force ordering w/previous sojourn. */
109004- atomic_inc(&rdtp->dynticks);
109005+ atomic_inc_unchecked(&rdtp->dynticks);
109006 /* CPUs seeing atomic_inc() must see later RCU read-side crit sects */
109007 smp_mb__after_atomic(); /* See above. */
109008 WARN_ON_ONCE(IS_ENABLED(CONFIG_RCU_EQS_DEBUG) &&
109009- !(atomic_read(&rdtp->dynticks) & 0x1));
109010+ !(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
109011 rcu_cleanup_after_idle();
109012 trace_rcu_dyntick(TPS("End"), oldval, rdtp->dynticks_nesting);
109013 if (IS_ENABLED(CONFIG_RCU_EQS_DEBUG) &&
109014@@ -905,12 +905,12 @@ void rcu_nmi_enter(void)
109015 * to be in the outermost NMI handler that interrupted an RCU-idle
109016 * period (observation due to Andy Lutomirski).
109017 */
109018- if (!(atomic_read(&rdtp->dynticks) & 0x1)) {
109019+ if (!(atomic_read_unchecked(&rdtp->dynticks) & 0x1)) {
109020 smp_mb__before_atomic(); /* Force delay from prior write. */
109021- atomic_inc(&rdtp->dynticks);
109022+ atomic_inc_unchecked(&rdtp->dynticks);
109023 /* atomic_inc() before later RCU read-side crit sects */
109024 smp_mb__after_atomic(); /* See above. */
109025- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
109026+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
109027 incby = 1;
109028 }
109029 rdtp->dynticks_nmi_nesting += incby;
109030@@ -935,7 +935,7 @@ void rcu_nmi_exit(void)
109031 * to us!)
109032 */
109033 WARN_ON_ONCE(rdtp->dynticks_nmi_nesting <= 0);
109034- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks) & 0x1));
109035+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks) & 0x1));
109036
109037 /*
109038 * If the nesting level is not 1, the CPU wasn't RCU-idle, so
109039@@ -950,9 +950,9 @@ void rcu_nmi_exit(void)
109040 rdtp->dynticks_nmi_nesting = 0;
109041 /* CPUs seeing atomic_inc() must see prior RCU read-side crit sects */
109042 smp_mb__before_atomic(); /* See above. */
109043- atomic_inc(&rdtp->dynticks);
109044+ atomic_inc_unchecked(&rdtp->dynticks);
109045 smp_mb__after_atomic(); /* Force delay to next write. */
109046- WARN_ON_ONCE(atomic_read(&rdtp->dynticks) & 0x1);
109047+ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks) & 0x1);
109048 }
109049
109050 /**
109051@@ -965,7 +965,7 @@ void rcu_nmi_exit(void)
109052 */
109053 bool notrace __rcu_is_watching(void)
109054 {
109055- return atomic_read(this_cpu_ptr(&rcu_dynticks.dynticks)) & 0x1;
109056+ return atomic_read_unchecked(this_cpu_ptr(&rcu_dynticks.dynticks)) & 0x1;
109057 }
109058
109059 /**
109060@@ -1048,7 +1048,7 @@ static int rcu_is_cpu_rrupt_from_idle(void)
109061 static int dyntick_save_progress_counter(struct rcu_data *rdp,
109062 bool *isidle, unsigned long *maxj)
109063 {
109064- rdp->dynticks_snap = atomic_add_return(0, &rdp->dynticks->dynticks);
109065+ rdp->dynticks_snap = atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
109066 rcu_sysidle_check_cpu(rdp, isidle, maxj);
109067 if ((rdp->dynticks_snap & 0x1) == 0) {
109068 trace_rcu_fqs(rdp->rsp->name, rdp->gpnum, rdp->cpu, TPS("dti"));
109069@@ -1074,7 +1074,7 @@ static int rcu_implicit_dynticks_qs(struct rcu_data *rdp,
109070 int *rcrmp;
109071 unsigned int snap;
109072
109073- curr = (unsigned int)atomic_add_return(0, &rdp->dynticks->dynticks);
109074+ curr = (unsigned int)atomic_add_return_unchecked(0, &rdp->dynticks->dynticks);
109075 snap = (unsigned int)rdp->dynticks_snap;
109076
109077 /*
109078@@ -2895,7 +2895,7 @@ __rcu_process_callbacks(struct rcu_state *rsp)
109079 /*
109080 * Do RCU core processing for the current CPU.
109081 */
109082-static void rcu_process_callbacks(struct softirq_action *unused)
109083+static void rcu_process_callbacks(void)
109084 {
109085 struct rcu_state *rsp;
109086
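Review bot: This copy of rcu_process_callbacks() loses its `struct softirq_action *` argument but is not marked `__latent_entropy`, whereas the kernel/rcu/tiny.c copy and run_rebalance_domains() in kernel/sched/fair.c receive both changes in the same patch. If the omission is deliberate it deserves a comment; otherwise the definition should match the others, `static __latent_entropy void rcu_process_callbacks(void)`. The function body continues outside this hunk.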
109087@@ -3319,11 +3319,11 @@ void synchronize_sched_expedited(void)
109088 * counter wrap on a 32-bit system. Quite a few more CPUs would of
109089 * course be required on a 64-bit system.
109090 */
109091- if (ULONG_CMP_GE((ulong)atomic_long_read(&rsp->expedited_start),
109092+ if (ULONG_CMP_GE((ulong)atomic_long_read_unchecked(&rsp->expedited_start),
109093 (ulong)atomic_long_read(&rsp->expedited_done) +
109094 ULONG_MAX / 8)) {
109095 wait_rcu_gp(call_rcu_sched);
109096- atomic_long_inc(&rsp->expedited_wrap);
109097+ atomic_long_inc_return_unchecked(&rsp->expedited_wrap);
109098 return;
109099 }
109100
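Review bot: The near-wrap branch bumps `expedited_wrap` with `atomic_long_inc_return_unchecked()` and discards the result, while every other statistics counter converted in this function uses `atomic_long_inc_unchecked()`. The comment in the next hunk notes that atomic_inc_return() implies a full memory barrier, which the original `atomic_long_inc()` did not promise, so this conversion is not purely mechanical. Unless the plain helper is unavailable in some configuration, which this hunk does not show, the line should read `atomic_long_inc_unchecked(&rsp->expedited_wrap);`. synchronize_sched_expedited() starts and ends outside this hunk.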
109101@@ -3331,12 +3331,12 @@ void synchronize_sched_expedited(void)
109102 * Take a ticket. Note that atomic_inc_return() implies a
109103 * full memory barrier.
109104 */
109105- snap = atomic_long_inc_return(&rsp->expedited_start);
109106+ snap = atomic_long_inc_return_unchecked(&rsp->expedited_start);
109107 firstsnap = snap;
109108 if (!try_get_online_cpus()) {
109109 /* CPU hotplug operation in flight, fall back to normal GP. */
109110 wait_rcu_gp(call_rcu_sched);
109111- atomic_long_inc(&rsp->expedited_normal);
109112+ atomic_long_inc_unchecked(&rsp->expedited_normal);
109113 return;
109114 }
109115 WARN_ON_ONCE(cpu_is_offline(raw_smp_processor_id()));
109116@@ -3349,7 +3349,7 @@ void synchronize_sched_expedited(void)
109117 for_each_cpu(cpu, cm) {
109118 struct rcu_dynticks *rdtp = &per_cpu(rcu_dynticks, cpu);
109119
109120- if (!(atomic_add_return(0, &rdtp->dynticks) & 0x1))
109121+ if (!(atomic_add_return_unchecked(0, &rdtp->dynticks) & 0x1))
109122 cpumask_clear_cpu(cpu, cm);
109123 }
109124 if (cpumask_weight(cm) == 0)
109125@@ -3364,14 +3364,14 @@ void synchronize_sched_expedited(void)
109126 synchronize_sched_expedited_cpu_stop,
109127 NULL) == -EAGAIN) {
109128 put_online_cpus();
109129- atomic_long_inc(&rsp->expedited_tryfail);
109130+ atomic_long_inc_unchecked(&rsp->expedited_tryfail);
109131
109132 /* Check to see if someone else did our work for us. */
109133 s = atomic_long_read(&rsp->expedited_done);
109134 if (ULONG_CMP_GE((ulong)s, (ulong)firstsnap)) {
109135 /* ensure test happens before caller kfree */
109136 smp_mb__before_atomic(); /* ^^^ */
109137- atomic_long_inc(&rsp->expedited_workdone1);
109138+ atomic_long_inc_unchecked(&rsp->expedited_workdone1);
109139 free_cpumask_var(cm);
109140 return;
109141 }
109142@@ -3381,7 +3381,7 @@ void synchronize_sched_expedited(void)
109143 udelay(trycount * num_online_cpus());
109144 } else {
109145 wait_rcu_gp(call_rcu_sched);
109146- atomic_long_inc(&rsp->expedited_normal);
109147+ atomic_long_inc_unchecked(&rsp->expedited_normal);
109148 free_cpumask_var(cm);
109149 return;
109150 }
109151@@ -3391,7 +3391,7 @@ void synchronize_sched_expedited(void)
109152 if (ULONG_CMP_GE((ulong)s, (ulong)firstsnap)) {
109153 /* ensure test happens before caller kfree */
109154 smp_mb__before_atomic(); /* ^^^ */
109155- atomic_long_inc(&rsp->expedited_workdone2);
109156+ atomic_long_inc_unchecked(&rsp->expedited_workdone2);
109157 free_cpumask_var(cm);
109158 return;
109159 }
109160@@ -3406,14 +3406,14 @@ void synchronize_sched_expedited(void)
109161 if (!try_get_online_cpus()) {
109162 /* CPU hotplug operation in flight, use normal GP. */
109163 wait_rcu_gp(call_rcu_sched);
109164- atomic_long_inc(&rsp->expedited_normal);
109165+ atomic_long_inc_unchecked(&rsp->expedited_normal);
109166 free_cpumask_var(cm);
109167 return;
109168 }
109169- snap = atomic_long_read(&rsp->expedited_start);
109170+ snap = atomic_long_read_unchecked(&rsp->expedited_start);
109171 smp_mb(); /* ensure read is before try_stop_cpus(). */
109172 }
109173- atomic_long_inc(&rsp->expedited_stoppedcpus);
109174+ atomic_long_inc_unchecked(&rsp->expedited_stoppedcpus);
109175
109176 all_cpus_idle:
109177 free_cpumask_var(cm);
109178@@ -3425,16 +3425,16 @@ all_cpus_idle:
109179 * than we did already did their update.
109180 */
109181 do {
109182- atomic_long_inc(&rsp->expedited_done_tries);
109183+ atomic_long_inc_unchecked(&rsp->expedited_done_tries);
109184 s = atomic_long_read(&rsp->expedited_done);
109185 if (ULONG_CMP_GE((ulong)s, (ulong)snap)) {
109186 /* ensure test happens before caller kfree */
109187 smp_mb__before_atomic(); /* ^^^ */
109188- atomic_long_inc(&rsp->expedited_done_lost);
109189+ atomic_long_inc_unchecked(&rsp->expedited_done_lost);
109190 break;
109191 }
109192 } while (atomic_long_cmpxchg(&rsp->expedited_done, s, snap) != s);
109193- atomic_long_inc(&rsp->expedited_done_exit);
109194+ atomic_long_inc_unchecked(&rsp->expedited_done_exit);
109195
109196 put_online_cpus();
109197 }
109198@@ -3767,7 +3767,7 @@ rcu_boot_init_percpu_data(int cpu, struct rcu_state *rsp)
109199 rdp->grpmask = 1UL << (cpu - rdp->mynode->grplo);
109200 rdp->dynticks = &per_cpu(rcu_dynticks, cpu);
109201 WARN_ON_ONCE(rdp->dynticks->dynticks_nesting != DYNTICK_TASK_EXIT_IDLE);
109202- WARN_ON_ONCE(atomic_read(&rdp->dynticks->dynticks) != 1);
109203+ WARN_ON_ONCE(atomic_read_unchecked(&rdp->dynticks->dynticks) != 1);
109204 rdp->cpu = cpu;
109205 rdp->rsp = rsp;
109206 rcu_boot_init_nocb_percpu_data(rdp);
109207@@ -3798,8 +3798,8 @@ rcu_init_percpu_data(int cpu, struct rcu_state *rsp)
109208 init_callback_list(rdp); /* Re-enable callbacks on this CPU. */
109209 rdp->dynticks->dynticks_nesting = DYNTICK_TASK_EXIT_IDLE;
109210 rcu_sysidle_init_percpu_data(rdp->dynticks);
109211- atomic_set(&rdp->dynticks->dynticks,
109212- (atomic_read(&rdp->dynticks->dynticks) & ~0x1) + 1);
109213+ atomic_set_unchecked(&rdp->dynticks->dynticks,
109214+ (atomic_read_unchecked(&rdp->dynticks->dynticks) & ~0x1) + 1);
109215 raw_spin_unlock(&rnp->lock); /* irqs remain disabled. */
109216
109217 /*
109218diff --git a/kernel/rcu/tree.h b/kernel/rcu/tree.h
109219index 4adb7ca..20910e6 100644
109220--- a/kernel/rcu/tree.h
109221+++ b/kernel/rcu/tree.h
109222@@ -108,11 +108,11 @@ struct rcu_dynticks {
109223 long long dynticks_nesting; /* Track irq/process nesting level. */
109224 /* Process level is worth LLONG_MAX/2. */
109225 int dynticks_nmi_nesting; /* Track NMI nesting level. */
109226- atomic_t dynticks; /* Even value for idle, else odd. */
109227+ atomic_unchecked_t dynticks;/* Even value for idle, else odd. */
109228 #ifdef CONFIG_NO_HZ_FULL_SYSIDLE
109229 long long dynticks_idle_nesting;
109230 /* irq/process nesting level from idle. */
109231- atomic_t dynticks_idle; /* Even value for idle, else odd. */
109232+ atomic_unchecked_t dynticks_idle;/* Even value for idle, else odd. */
109233 /* "Idle" excludes userspace execution. */
109234 unsigned long dynticks_idle_jiffies;
109235 /* End of last non-NMI non-idle period. */
109236@@ -483,17 +483,17 @@ struct rcu_state {
109237 /* _rcu_barrier(). */
109238 /* End of fields guarded by barrier_mutex. */
109239
109240- atomic_long_t expedited_start; /* Starting ticket. */
109241- atomic_long_t expedited_done; /* Done ticket. */
109242- atomic_long_t expedited_wrap; /* # near-wrap incidents. */
109243- atomic_long_t expedited_tryfail; /* # acquisition failures. */
109244- atomic_long_t expedited_workdone1; /* # done by others #1. */
109245- atomic_long_t expedited_workdone2; /* # done by others #2. */
109246- atomic_long_t expedited_normal; /* # fallbacks to normal. */
109247- atomic_long_t expedited_stoppedcpus; /* # successful stop_cpus. */
109248- atomic_long_t expedited_done_tries; /* # tries to update _done. */
109249- atomic_long_t expedited_done_lost; /* # times beaten to _done. */
109250- atomic_long_t expedited_done_exit; /* # times exited _done loop. */
109251+ atomic_long_unchecked_t expedited_start; /* Starting ticket. */
109252+ atomic_long_t expedited_done; /* Done ticket. */
109253+ atomic_long_unchecked_t expedited_wrap; /* # near-wrap incidents. */
109254+ atomic_long_unchecked_t expedited_tryfail; /* # acquisition failures. */
109255+ atomic_long_unchecked_t expedited_workdone1; /* # done by others #1. */
109256+ atomic_long_unchecked_t expedited_workdone2; /* # done by others #2. */
109257+ atomic_long_unchecked_t expedited_normal; /* # fallbacks to normal. */
109258+ atomic_long_unchecked_t expedited_stoppedcpus; /* # successful stop_cpus. */
109259+ atomic_long_unchecked_t expedited_done_tries; /* # tries to update _done. */
109260+ atomic_long_unchecked_t expedited_done_lost; /* # times beaten to _done. */
109261+ atomic_long_unchecked_t expedited_done_exit; /* # times exited _done loop. */
109262
109263 unsigned long jiffies_force_qs; /* Time at which to invoke */
109264 /* force_quiescent_state(). */
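Review bot: `expedited_done` is the only expedited counter in struct rcu_state left as `atomic_long_t`, and nothing in the hunk says why. In the kernel/rcu/tree.c hunks of this patch it is only read with `atomic_long_read()` and advanced through `atomic_long_cmpxchg()`, never incremented, which is presumably why it needs no unchecked variant; that should be confirmed against the rest of the file. A field comment such as `/* Done ticket; updated only by cmpxchg, so kept as a checked type. */` would stop a later cleanup from converting it by rote or from adding a checked increment to a ticket that the code expects to wrap. The struct begins and ends outside this hunk.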
109265diff --git a/kernel/rcu/tree_plugin.h b/kernel/rcu/tree_plugin.h
109266index 013485f..2e678db 100644
109267--- a/kernel/rcu/tree_plugin.h
109268+++ b/kernel/rcu/tree_plugin.h
109269@@ -1294,7 +1294,7 @@ static void rcu_boost_kthread_setaffinity(struct rcu_node *rnp, int outgoingcpu)
109270 free_cpumask_var(cm);
109271 }
109272
109273-static struct smp_hotplug_thread rcu_cpu_thread_spec = {
109274+static struct smp_hotplug_thread rcu_cpu_thread_spec __read_only = {
109275 .store = &rcu_cpu_kthread_task,
109276 .thread_should_run = rcu_cpu_kthread_should_run,
109277 .thread_fn = rcu_cpu_kthread,
109278@@ -1767,7 +1767,7 @@ static void print_cpu_stall_info(struct rcu_state *rsp, int cpu)
109279 print_cpu_stall_fast_no_hz(fast_no_hz, cpu);
109280 pr_err("\t%d: (%lu %s) idle=%03x/%llx/%d softirq=%u/%u fqs=%ld %s\n",
109281 cpu, ticks_value, ticks_title,
109282- atomic_read(&rdtp->dynticks) & 0xfff,
109283+ atomic_read_unchecked(&rdtp->dynticks) & 0xfff,
109284 rdtp->dynticks_nesting, rdtp->dynticks_nmi_nesting,
109285 rdp->softirq_snap, kstat_softirqs_cpu(RCU_SOFTIRQ, cpu),
109286 READ_ONCE(rsp->n_force_qs) - rsp->n_force_qs_gpstart,
109287@@ -2675,9 +2675,9 @@ static void rcu_sysidle_enter(int irq)
109288 j = jiffies;
109289 WRITE_ONCE(rdtp->dynticks_idle_jiffies, j);
109290 smp_mb__before_atomic();
109291- atomic_inc(&rdtp->dynticks_idle);
109292+ atomic_inc_unchecked(&rdtp->dynticks_idle);
109293 smp_mb__after_atomic();
109294- WARN_ON_ONCE(atomic_read(&rdtp->dynticks_idle) & 0x1);
109295+ WARN_ON_ONCE(atomic_read_unchecked(&rdtp->dynticks_idle) & 0x1);
109296 }
109297
109298 /*
109299@@ -2748,9 +2748,9 @@ static void rcu_sysidle_exit(int irq)
109300
109301 /* Record end of idle period. */
109302 smp_mb__before_atomic();
109303- atomic_inc(&rdtp->dynticks_idle);
109304+ atomic_inc_unchecked(&rdtp->dynticks_idle);
109305 smp_mb__after_atomic();
109306- WARN_ON_ONCE(!(atomic_read(&rdtp->dynticks_idle) & 0x1));
109307+ WARN_ON_ONCE(!(atomic_read_unchecked(&rdtp->dynticks_idle) & 0x1));
109308
109309 /*
109310 * If we are the timekeeping CPU, we are permitted to be non-idle
109311@@ -2796,7 +2796,7 @@ static void rcu_sysidle_check_cpu(struct rcu_data *rdp, bool *isidle,
109312 WARN_ON_ONCE(smp_processor_id() != tick_do_timer_cpu);
109313
109314 /* Pick up current idle and NMI-nesting counter and check. */
109315- cur = atomic_read(&rdtp->dynticks_idle);
109316+ cur = atomic_read_unchecked(&rdtp->dynticks_idle);
109317 if (cur & 0x1) {
109318 *isidle = false; /* We are not idle! */
109319 return;
109320diff --git a/kernel/rcu/tree_trace.c b/kernel/rcu/tree_trace.c
109321index 3ea7ffc..cb06f2d 100644
109322--- a/kernel/rcu/tree_trace.c
109323+++ b/kernel/rcu/tree_trace.c
109324@@ -125,7 +125,7 @@ static void print_one_rcu_data(struct seq_file *m, struct rcu_data *rdp)
109325 rdp->rcu_qs_ctr_snap == per_cpu(rcu_qs_ctr, rdp->cpu),
109326 rdp->qs_pending);
109327 seq_printf(m, " dt=%d/%llx/%d df=%lu",
109328- atomic_read(&rdp->dynticks->dynticks),
109329+ atomic_read_unchecked(&rdp->dynticks->dynticks),
109330 rdp->dynticks->dynticks_nesting,
109331 rdp->dynticks->dynticks_nmi_nesting,
109332 rdp->dynticks_fqs);
109333@@ -186,17 +186,17 @@ static int show_rcuexp(struct seq_file *m, void *v)
109334 struct rcu_state *rsp = (struct rcu_state *)m->private;
109335
109336 seq_printf(m, "s=%lu d=%lu w=%lu tf=%lu wd1=%lu wd2=%lu n=%lu sc=%lu dt=%lu dl=%lu dx=%lu\n",
109337- atomic_long_read(&rsp->expedited_start),
109338+ atomic_long_read_unchecked(&rsp->expedited_start),
109339 atomic_long_read(&rsp->expedited_done),
109340- atomic_long_read(&rsp->expedited_wrap),
109341- atomic_long_read(&rsp->expedited_tryfail),
109342- atomic_long_read(&rsp->expedited_workdone1),
109343- atomic_long_read(&rsp->expedited_workdone2),
109344- atomic_long_read(&rsp->expedited_normal),
109345- atomic_long_read(&rsp->expedited_stoppedcpus),
109346- atomic_long_read(&rsp->expedited_done_tries),
109347- atomic_long_read(&rsp->expedited_done_lost),
109348- atomic_long_read(&rsp->expedited_done_exit));
109349+ atomic_long_read_unchecked(&rsp->expedited_wrap),
109350+ atomic_long_read_unchecked(&rsp->expedited_tryfail),
109351+ atomic_long_read_unchecked(&rsp->expedited_workdone1),
109352+ atomic_long_read_unchecked(&rsp->expedited_workdone2),
109353+ atomic_long_read_unchecked(&rsp->expedited_normal),
109354+ atomic_long_read_unchecked(&rsp->expedited_stoppedcpus),
109355+ atomic_long_read_unchecked(&rsp->expedited_done_tries),
109356+ atomic_long_read_unchecked(&rsp->expedited_done_lost),
109357+ atomic_long_read_unchecked(&rsp->expedited_done_exit));
109358 return 0;
109359 }
109360
109361diff --git a/kernel/resource.c b/kernel/resource.c
109362index fed052a..ad13346 100644
109363--- a/kernel/resource.c
109364+++ b/kernel/resource.c
109365@@ -162,8 +162,18 @@ static const struct file_operations proc_iomem_operations = {
109366
109367 static int __init ioresources_init(void)
109368 {
109369+#ifdef CONFIG_GRKERNSEC_PROC_ADD
109370+#ifdef CONFIG_GRKERNSEC_PROC_USER
109371+ proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
109372+ proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
109373+#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
109374+ proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
109375+ proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
109376+#endif
109377+#else
109378 proc_create("ioports", 0, NULL, &proc_ioports_operations);
109379 proc_create("iomem", 0, NULL, &proc_iomem_operations);
109380+#endif
109381 return 0;
109382 }
109383 __initcall(ioresources_init);
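Review bot: With CONFIG_GRKERNSEC_PROC_ADD set and neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP set, the inner `#ifdef`/`#elif` chain in ioresources_init() compiles to nothing, so /proc/ioports and /proc/iomem are silently not created. Kconfig dependencies may make that combination impossible, but nothing in this hunk shows it. Adding `#else` followed by `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"` before the inner `#endif` would turn a misconfiguration into a build failure instead of missing files. The return value of proc_create() is also ignored on every branch, as it was before the change.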
109384diff --git a/kernel/sched/auto_group.c b/kernel/sched/auto_group.c
109385index 750ed60..eb01466 100644
109386--- a/kernel/sched/auto_group.c
109387+++ b/kernel/sched/auto_group.c
109388@@ -9,7 +9,7 @@
109389
109390 unsigned int __read_mostly sysctl_sched_autogroup_enabled = 1;
109391 static struct autogroup autogroup_default;
109392-static atomic_t autogroup_seq_nr;
109393+static atomic_unchecked_t autogroup_seq_nr;
109394
109395 void __init autogroup_init(struct task_struct *init_task)
109396 {
109397@@ -77,7 +77,7 @@ static inline struct autogroup *autogroup_create(void)
109398
109399 kref_init(&ag->kref);
109400 init_rwsem(&ag->lock);
109401- ag->id = atomic_inc_return(&autogroup_seq_nr);
109402+ ag->id = atomic_inc_return_unchecked(&autogroup_seq_nr);
109403 ag->tg = tg;
109404 #ifdef CONFIG_RT_GROUP_SCHED
109405 /*
109406diff --git a/kernel/sched/core.c b/kernel/sched/core.c
109407index 6776631..45eb6ee 100644
109408--- a/kernel/sched/core.c
109409+++ b/kernel/sched/core.c
109410@@ -2080,7 +2080,7 @@ void set_numabalancing_state(bool enabled)
109411 int sysctl_numa_balancing(struct ctl_table *table, int write,
109412 void __user *buffer, size_t *lenp, loff_t *ppos)
109413 {
109414- struct ctl_table t;
109415+ ctl_table_no_const t;
109416 int err;
109417 int state = numabalancing_enabled;
109418
109419@@ -2573,8 +2573,10 @@ context_switch(struct rq *rq, struct task_struct *prev,
109420 next->active_mm = oldmm;
109421 atomic_inc(&oldmm->mm_count);
109422 enter_lazy_tlb(oldmm, next);
109423- } else
109424+ } else {
109425 switch_mm(oldmm, mm, next);
109426+ populate_stack();
109427+ }
109428
109429 if (!prev->mm) {
109430 prev->active_mm = NULL;
109431@@ -3393,6 +3395,8 @@ int can_nice(const struct task_struct *p, const int nice)
109432 /* convert nice value [19,-20] to rlimit style value [1,40] */
109433 int nice_rlim = nice_to_rlimit(nice);
109434
109435+ gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
109436+
109437 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
109438 capable(CAP_SYS_NICE));
109439 }
109440@@ -3419,7 +3423,8 @@ SYSCALL_DEFINE1(nice, int, increment)
109441 nice = task_nice(current) + increment;
109442
109443 nice = clamp_val(nice, MIN_NICE, MAX_NICE);
109444- if (increment < 0 && !can_nice(current, nice))
109445+ if (increment < 0 && (!can_nice(current, nice) ||
109446+ gr_handle_chroot_nice()))
109447 return -EPERM;
109448
109449 retval = security_task_setnice(current, nice);
109450@@ -3731,6 +3736,7 @@ recheck:
109451 if (policy != p->policy && !rlim_rtprio)
109452 return -EPERM;
109453
109454+ gr_learn_resource(p, RLIMIT_RTPRIO, attr->sched_priority, 1);
109455 /* can't increase priority */
109456 if (attr->sched_priority > p->rt_priority &&
109457 attr->sched_priority > rlim_rtprio)
109458@@ -5055,6 +5061,7 @@ void idle_task_exit(void)
109459
109460 if (mm != &init_mm) {
109461 switch_mm(mm, &init_mm, current);
109462+ populate_stack();
109463 finish_arch_post_lock_switch();
109464 }
109465 mmdrop(mm);
109466@@ -5157,7 +5164,7 @@ static void migrate_tasks(struct rq *dead_rq)
109467
109468 #if defined(CONFIG_SCHED_DEBUG) && defined(CONFIG_SYSCTL)
109469
109470-static struct ctl_table sd_ctl_dir[] = {
109471+static ctl_table_no_const sd_ctl_dir[] __read_only = {
109472 {
109473 .procname = "sched_domain",
109474 .mode = 0555,
109475@@ -5174,17 +5181,17 @@ static struct ctl_table sd_ctl_root[] = {
109476 {}
109477 };
109478
109479-static struct ctl_table *sd_alloc_ctl_entry(int n)
109480+static ctl_table_no_const *sd_alloc_ctl_entry(int n)
109481 {
109482- struct ctl_table *entry =
109483+ ctl_table_no_const *entry =
109484 kcalloc(n, sizeof(struct ctl_table), GFP_KERNEL);
109485
109486 return entry;
109487 }
109488
109489-static void sd_free_ctl_entry(struct ctl_table **tablep)
109490+static void sd_free_ctl_entry(ctl_table_no_const *tablep)
109491 {
109492- struct ctl_table *entry;
109493+ ctl_table_no_const *entry;
109494
109495 /*
109496 * In the intermediate directories, both the child directory and
109497@@ -5192,22 +5199,25 @@ static void sd_free_ctl_entry(struct ctl_table **tablep)
109498 * will always be set. In the lowest directory the names are
109499 * static strings and all have proc handlers.
109500 */
109501- for (entry = *tablep; entry->mode; entry++) {
109502- if (entry->child)
109503- sd_free_ctl_entry(&entry->child);
109504+ for (entry = tablep; entry->mode; entry++) {
109505+ if (entry->child) {
109506+ sd_free_ctl_entry(entry->child);
109507+ pax_open_kernel();
109508+ entry->child = NULL;
109509+ pax_close_kernel();
109510+ }
109511 if (entry->proc_handler == NULL)
109512 kfree(entry->procname);
109513 }
109514
109515- kfree(*tablep);
109516- *tablep = NULL;
109517+ kfree(tablep);
109518 }
109519
109520 static int min_load_idx = 0;
109521 static int max_load_idx = CPU_LOAD_IDX_MAX-1;
109522
109523 static void
109524-set_table_entry(struct ctl_table *entry,
109525+set_table_entry(ctl_table_no_const *entry,
109526 const char *procname, void *data, int maxlen,
109527 umode_t mode, proc_handler *proc_handler,
109528 bool load_idx)
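Review bot: sd_free_ctl_entry() now takes the table by value, so it can no longer clear the caller's pointer after `kfree(tablep)`, and that new obligation is not documented anywhere. Both callers visible in this patch (the recursive call here and unregister_sched_domain_sysctl()) reset `child` to NULL inside a pax_open_kernel()/pax_close_kernel() pair, but a future caller that forgets is left holding a pointer to a freed table. A header comment on the function should say that it frees `tablep` and every child table, and that the caller must clear its own reference afterwards. The function's signature and opening lines are in the previous hunk.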
109529@@ -5227,7 +5237,7 @@ set_table_entry(struct ctl_table *entry,
109530 static struct ctl_table *
109531 sd_alloc_ctl_domain_table(struct sched_domain *sd)
109532 {
109533- struct ctl_table *table = sd_alloc_ctl_entry(14);
109534+ ctl_table_no_const *table = sd_alloc_ctl_entry(14);
109535
109536 if (table == NULL)
109537 return NULL;
109538@@ -5265,9 +5275,9 @@ sd_alloc_ctl_domain_table(struct sched_domain *sd)
109539 return table;
109540 }
109541
109542-static struct ctl_table *sd_alloc_ctl_cpu_table(int cpu)
109543+static ctl_table_no_const *sd_alloc_ctl_cpu_table(int cpu)
109544 {
109545- struct ctl_table *entry, *table;
109546+ ctl_table_no_const *entry, *table;
109547 struct sched_domain *sd;
109548 int domain_num = 0, i;
109549 char buf[32];
109550@@ -5294,11 +5304,13 @@ static struct ctl_table_header *sd_sysctl_header;
109551 static void register_sched_domain_sysctl(void)
109552 {
109553 int i, cpu_num = num_possible_cpus();
109554- struct ctl_table *entry = sd_alloc_ctl_entry(cpu_num + 1);
109555+ ctl_table_no_const *entry = sd_alloc_ctl_entry(cpu_num + 1);
109556 char buf[32];
109557
109558 WARN_ON(sd_ctl_dir[0].child);
109559+ pax_open_kernel();
109560 sd_ctl_dir[0].child = entry;
109561+ pax_close_kernel();
109562
109563 if (entry == NULL)
109564 return;
109565@@ -5321,8 +5333,12 @@ static void unregister_sched_domain_sysctl(void)
109566 if (sd_sysctl_header)
109567 unregister_sysctl_table(sd_sysctl_header);
109568 sd_sysctl_header = NULL;
109569- if (sd_ctl_dir[0].child)
109570- sd_free_ctl_entry(&sd_ctl_dir[0].child);
109571+ if (sd_ctl_dir[0].child) {
109572+ sd_free_ctl_entry(sd_ctl_dir[0].child);
109573+ pax_open_kernel();
109574+ sd_ctl_dir[0].child = NULL;
109575+ pax_close_kernel();
109576+ }
109577 }
109578 #else
109579 static void register_sched_domain_sysctl(void)
109580diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
109581index d113c3b..91a6fcc 100644
109582--- a/kernel/sched/fair.c
109583+++ b/kernel/sched/fair.c
109584@@ -7958,7 +7958,7 @@ static void nohz_idle_balance(struct rq *this_rq, enum cpu_idle_type idle) { }
109585 * run_rebalance_domains is triggered when needed from the scheduler tick.
109586 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
109587 */
109588-static void run_rebalance_domains(struct softirq_action *h)
109589+static __latent_entropy void run_rebalance_domains(void)
109590 {
109591 struct rq *this_rq = this_rq();
109592 enum cpu_idle_type idle = this_rq->idle_balance ?
109593diff --git a/kernel/sched/sched.h b/kernel/sched/sched.h
109594index 08ab96b..82ab34c 100644
109595--- a/kernel/sched/sched.h
109596+++ b/kernel/sched/sched.h
109597@@ -1242,7 +1242,7 @@ struct sched_class {
109598 #ifdef CONFIG_FAIR_GROUP_SCHED
109599 void (*task_move_group) (struct task_struct *p, int on_rq);
109600 #endif
109601-};
109602+} __do_const;
109603
109604 static inline void put_prev_task(struct rq *rq, struct task_struct *prev)
109605 {
109606diff --git a/kernel/signal.c b/kernel/signal.c
109607index 0f6bbbe..d77d2c3 100644
109608--- a/kernel/signal.c
109609+++ b/kernel/signal.c
109610@@ -53,12 +53,12 @@ static struct kmem_cache *sigqueue_cachep;
109611
109612 int print_fatal_signals __read_mostly;
109613
109614-static void __user *sig_handler(struct task_struct *t, int sig)
109615+static __sighandler_t sig_handler(struct task_struct *t, int sig)
109616 {
109617 return t->sighand->action[sig - 1].sa.sa_handler;
109618 }
109619
109620-static int sig_handler_ignored(void __user *handler, int sig)
109621+static int sig_handler_ignored(__sighandler_t handler, int sig)
109622 {
109623 /* Is it explicitly or implicitly ignored? */
109624 return handler == SIG_IGN ||
109625@@ -67,7 +67,7 @@ static int sig_handler_ignored(void __user *handler, int sig)
109626
109627 static int sig_task_ignored(struct task_struct *t, int sig, bool force)
109628 {
109629- void __user *handler;
109630+ __sighandler_t handler;
109631
109632 handler = sig_handler(t, sig);
109633
109634@@ -372,6 +372,9 @@ __sigqueue_alloc(int sig, struct task_struct *t, gfp_t flags, int override_rlimi
109635 atomic_inc(&user->sigpending);
109636 rcu_read_unlock();
109637
109638+ if (!override_rlimit)
109639+ gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
109640+
109641 if (override_rlimit ||
109642 atomic_read(&user->sigpending) <=
109643 task_rlimit(t, RLIMIT_SIGPENDING)) {
109644@@ -494,7 +497,7 @@ flush_signal_handlers(struct task_struct *t, int force_default)
109645
109646 int unhandled_signal(struct task_struct *tsk, int sig)
109647 {
109648- void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
109649+ __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
109650 if (is_global_init(tsk))
109651 return 1;
109652 if (handler != SIG_IGN && handler != SIG_DFL)
109653@@ -788,6 +791,13 @@ static int check_kill_permission(int sig, struct siginfo *info,
109654 }
109655 }
109656
109657+ /* allow glibc communication via tgkill to other threads in our
109658+ thread group */
109659+ if ((info == SEND_SIG_NOINFO || info->si_code != SI_TKILL ||
109660+ sig != (SIGRTMIN+1) || task_tgid_vnr(t) != info->si_pid)
109661+ && gr_handle_signal(t, sig))
109662+ return -EPERM;
109663+
109664 return security_task_kill(t, info, sig, 0);
109665 }
109666
109667@@ -1171,7 +1181,7 @@ __group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
109668 return send_signal(sig, info, p, 1);
109669 }
109670
109671-static int
109672+int
109673 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
109674 {
109675 return send_signal(sig, info, t, 0);
109676@@ -1208,6 +1218,7 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
109677 unsigned long int flags;
109678 int ret, blocked, ignored;
109679 struct k_sigaction *action;
109680+ int is_unhandled = 0;
109681
109682 spin_lock_irqsave(&t->sighand->siglock, flags);
109683 action = &t->sighand->action[sig-1];
109684@@ -1222,9 +1233,18 @@ force_sig_info(int sig, struct siginfo *info, struct task_struct *t)
109685 }
109686 if (action->sa.sa_handler == SIG_DFL)
109687 t->signal->flags &= ~SIGNAL_UNKILLABLE;
109688+ if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
109689+ is_unhandled = 1;
109690 ret = specific_send_sig_info(sig, info, t);
109691 spin_unlock_irqrestore(&t->sighand->siglock, flags);
109692
109693+ /* only deal with unhandled signals, java etc trigger SIGSEGV during
109694+ normal operation */
109695+ if (is_unhandled) {
109696+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
109697+ gr_handle_crash(t, sig);
109698+ }
109699+
109700 return ret;
109701 }
109702
109703@@ -1305,8 +1325,11 @@ int group_send_sig_info(int sig, struct siginfo *info, struct task_struct *p)
109704 ret = check_kill_permission(sig, info, p);
109705 rcu_read_unlock();
109706
109707- if (!ret && sig)
109708+ if (!ret && sig) {
109709 ret = do_send_sig_info(sig, info, p, true);
109710+ if (!ret)
109711+ gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
109712+ }
109713
109714 return ret;
109715 }
109716@@ -2913,7 +2936,15 @@ do_send_specific(pid_t tgid, pid_t pid, int sig, struct siginfo *info)
109717 int error = -ESRCH;
109718
109719 rcu_read_lock();
109720- p = find_task_by_vpid(pid);
109721+#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
109722+ /* allow glibc communication via tgkill to other threads in our
109723+ thread group */
109724+ if (grsec_enable_chroot_findtask && info->si_code == SI_TKILL &&
109725+ sig == (SIGRTMIN+1) && tgid == info->si_pid)
109726+ p = find_task_by_vpid_unrestricted(pid);
109727+ else
109728+#endif
109729+ p = find_task_by_vpid(pid);
109730 if (p && (tgid <= 0 || task_tgid_vnr(p) == tgid)) {
109731 error = check_kill_permission(sig, info, p);
109732 /*
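Review bot: The `else` that closes the `#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK` block takes the `p = find_task_by_vpid(pid);` after `#endif` as its body, so the if/else is split across a preprocessor boundary and a later edit between `#endif` and that assignment would silently change which lookup runs. The condition also reads `info->si_code` and `info->si_pid` without the `is_si_special(info)` guard used at the `gr_log_signal()` call sites elsewhere in this patch; that is only safe if every caller of do_send_specific passes a real siginfo, which the hunk does not show. Moving the choice into a small static helper that returns the task, with the `#ifdef` inside the helper, would keep this call site a single assignment. The function body continues outside the hunk.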
109733@@ -3242,8 +3273,8 @@ COMPAT_SYSCALL_DEFINE2(sigaltstack,
109734 }
109735 seg = get_fs();
109736 set_fs(KERNEL_DS);
109737- ret = do_sigaltstack((stack_t __force __user *) (uss_ptr ? &uss : NULL),
109738- (stack_t __force __user *) &uoss,
109739+ ret = do_sigaltstack((stack_t __force_user *) (uss_ptr ? &uss : NULL),
109740+ (stack_t __force_user *) &uoss,
109741 compat_user_stack_pointer());
109742 set_fs(seg);
109743 if (ret >= 0 && uoss_ptr) {
109744diff --git a/kernel/smpboot.c b/kernel/smpboot.c
109745index 7c434c3..155d90a 100644
109746--- a/kernel/smpboot.c
109747+++ b/kernel/smpboot.c
109748@@ -305,7 +305,7 @@ int smpboot_register_percpu_thread(struct smp_hotplug_thread *plug_thread)
109749 }
109750 smpboot_unpark_thread(plug_thread, cpu);
109751 }
109752- list_add(&plug_thread->list, &hotplug_threads);
109753+ pax_list_add(&plug_thread->list, &hotplug_threads);
109754 out:
109755 mutex_unlock(&smpboot_threads_lock);
109756 put_online_cpus();
109757@@ -323,7 +323,7 @@ void smpboot_unregister_percpu_thread(struct smp_hotplug_thread *plug_thread)
109758 {
109759 get_online_cpus();
109760 mutex_lock(&smpboot_threads_lock);
109761- list_del(&plug_thread->list);
109762+ pax_list_del(&plug_thread->list);
109763 smpboot_destroy_threads(plug_thread);
109764 mutex_unlock(&smpboot_threads_lock);
109765 put_online_cpus();
109766diff --git a/kernel/softirq.c b/kernel/softirq.c
109767index 479e443..66d845e1 100644
109768--- a/kernel/softirq.c
109769+++ b/kernel/softirq.c
109770@@ -53,7 +53,7 @@ irq_cpustat_t irq_stat[NR_CPUS] ____cacheline_aligned;
109771 EXPORT_SYMBOL(irq_stat);
109772 #endif
109773
109774-static struct softirq_action softirq_vec[NR_SOFTIRQS] __cacheline_aligned_in_smp;
109775+static struct softirq_action softirq_vec[NR_SOFTIRQS] __read_only __aligned(PAGE_SIZE);
109776
109777 DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
109778
109779@@ -270,7 +270,7 @@ restart:
109780 kstat_incr_softirqs_this_cpu(vec_nr);
109781
109782 trace_softirq_entry(vec_nr);
109783- h->action(h);
109784+ h->action();
109785 trace_softirq_exit(vec_nr);
109786 if (unlikely(prev_count != preempt_count())) {
109787 pr_err("huh, entered softirq %u %s %p with preempt_count %08x, exited with %08x?\n",
109788@@ -430,7 +430,7 @@ void __raise_softirq_irqoff(unsigned int nr)
109789 or_softirq_pending(1UL << nr);
109790 }
109791
109792-void open_softirq(int nr, void (*action)(struct softirq_action *))
109793+void __init open_softirq(int nr, void (*action)(void))
109794 {
109795 softirq_vec[nr].action = action;
109796 }
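Review bot: `open_softirq()` becomes `__init` and stores into `softirq_vec`, which the first hunk of this file marks `__read_only`, but nothing at the function says that handlers can now only be registered during boot. A short comment would help the next maintainer, e.g. `/* init-only: softirq_vec is __read_only, so handlers must be registered during boot */`; when the read-only protection actually takes effect is not visible here, so the wording should be adjusted to match. `nr` is still used as an unchecked index into `softirq_vec`, which is acceptable only as long as callers pass compile-time softirq numbers.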
109797@@ -482,7 +482,7 @@ void __tasklet_hi_schedule_first(struct tasklet_struct *t)
109798 }
109799 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
109800
109801-static void tasklet_action(struct softirq_action *a)
109802+static void tasklet_action(void)
109803 {
109804 struct tasklet_struct *list;
109805
109806@@ -518,7 +518,7 @@ static void tasklet_action(struct softirq_action *a)
109807 }
109808 }
109809
109810-static void tasklet_hi_action(struct softirq_action *a)
109811+static __latent_entropy void tasklet_hi_action(void)
109812 {
109813 struct tasklet_struct *list;
109814
109815@@ -744,7 +744,7 @@ static struct notifier_block cpu_nfb = {
109816 .notifier_call = cpu_callback
109817 };
109818
109819-static struct smp_hotplug_thread softirq_threads = {
109820+static struct smp_hotplug_thread softirq_threads __read_only = {
109821 .store = &ksoftirqd,
109822 .thread_should_run = ksoftirqd_should_run,
109823 .thread_fn = run_ksoftirqd,
109824diff --git a/kernel/sys.c b/kernel/sys.c
109825index 259fda2..e824a93 100644
109826--- a/kernel/sys.c
109827+++ b/kernel/sys.c
109828@@ -160,6 +160,12 @@ static int set_one_prio(struct task_struct *p, int niceval, int error)
109829 error = -EACCES;
109830 goto out;
109831 }
109832+
109833+ if (gr_handle_chroot_setpriority(p, niceval)) {
109834+ error = -EACCES;
109835+ goto out;
109836+ }
109837+
109838 no_nice = security_task_setnice(p, niceval);
109839 if (no_nice) {
109840 error = no_nice;
109841@@ -366,6 +372,20 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, gid_t, egid)
109842 goto error;
109843 }
109844
109845+ if (gr_check_group_change(new->gid, new->egid, INVALID_GID))
109846+ goto error;
109847+
109848+ if (!gid_eq(new->gid, old->gid)) {
109849+ /* make sure we generate a learn log for what will
109850+ end up being a role transition after a full-learning
109851+ policy is generated
109852+ CAP_SETGID is required to perform a transition
109853+ we may not log a CAP_SETGID check above, e.g.
109854+ in the case where new rgid = old egid
109855+ */
109856+ gr_learn_cap(current, new, CAP_SETGID);
109857+ }
109858+
109859 if (rgid != (gid_t) -1 ||
109860 (egid != (gid_t) -1 && !gid_eq(kegid, old->gid)))
109861 new->sgid = new->egid;
109862@@ -401,6 +421,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
109863 old = current_cred();
109864
109865 retval = -EPERM;
109866+
109867+ if (gr_check_group_change(kgid, kgid, kgid))
109868+ goto error;
109869+
109870 if (ns_capable(old->user_ns, CAP_SETGID))
109871 new->gid = new->egid = new->sgid = new->fsgid = kgid;
109872 else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid))
109873@@ -418,7 +442,7 @@ error:
109874 /*
109875 * change the user struct in a credentials set to match the new UID
109876 */
109877-static int set_user(struct cred *new)
109878+int set_user(struct cred *new)
109879 {
109880 struct user_struct *new_user;
109881
109882@@ -498,7 +522,18 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, uid_t, euid)
109883 goto error;
109884 }
109885
109886+ if (gr_check_user_change(new->uid, new->euid, INVALID_UID))
109887+ goto error;
109888+
109889 if (!uid_eq(new->uid, old->uid)) {
109890+ /* make sure we generate a learn log for what will
109891+ end up being a role transition after a full-learning
109892+ policy is generated
109893+ CAP_SETUID is required to perform a transition
109894+ we may not log a CAP_SETUID check above, e.g.
109895+ in the case where new ruid = old euid
109896+ */
109897+ gr_learn_cap(current, new, CAP_SETUID);
109898 retval = set_user(new);
109899 if (retval < 0)
109900 goto error;
109901@@ -548,6 +583,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
109902 old = current_cred();
109903
109904 retval = -EPERM;
109905+
109906+ if (gr_check_crash_uid(kuid))
109907+ goto error;
109908+ if (gr_check_user_change(kuid, kuid, kuid))
109909+ goto error;
109910+
109911 if (ns_capable(old->user_ns, CAP_SETUID)) {
109912 new->suid = new->uid = kuid;
109913 if (!uid_eq(kuid, old->uid)) {
109914@@ -617,6 +658,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, uid_t, euid, uid_t, suid)
109915 goto error;
109916 }
109917
109918+ if (gr_check_user_change(kruid, keuid, INVALID_UID))
109919+ goto error;
109920+
109921 if (ruid != (uid_t) -1) {
109922 new->uid = kruid;
109923 if (!uid_eq(kruid, old->uid)) {
109924@@ -701,6 +745,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, gid_t, egid, gid_t, sgid)
109925 goto error;
109926 }
109927
109928+ if (gr_check_group_change(krgid, kegid, INVALID_GID))
109929+ goto error;
109930+
109931 if (rgid != (gid_t) -1)
109932 new->gid = krgid;
109933 if (egid != (gid_t) -1)
109934@@ -765,12 +812,16 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
109935 uid_eq(kuid, old->suid) || uid_eq(kuid, old->fsuid) ||
109936 ns_capable(old->user_ns, CAP_SETUID)) {
109937 if (!uid_eq(kuid, old->fsuid)) {
109938+ if (gr_check_user_change(INVALID_UID, INVALID_UID, kuid))
109939+ goto error;
109940+
109941 new->fsuid = kuid;
109942 if (security_task_fix_setuid(new, old, LSM_SETID_FS) == 0)
109943 goto change_okay;
109944 }
109945 }
109946
109947+error:
109948 abort_creds(new);
109949 return old_fsuid;
109950
109951@@ -803,12 +854,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
109952 if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->egid) ||
109953 gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) ||
109954 ns_capable(old->user_ns, CAP_SETGID)) {
109955+ if (gr_check_group_change(INVALID_GID, INVALID_GID, kgid))
109956+ goto error;
109957+
109958 if (!gid_eq(kgid, old->fsgid)) {
109959 new->fsgid = kgid;
109960 goto change_okay;
109961 }
109962 }
109963
109964+error:
109965 abort_creds(new);
109966 return old_fsgid;
109967
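Review bot: In setfsgid the `gr_check_group_change(INVALID_GID, INVALID_GID, kgid)` call sits before `if (!gid_eq(kgid, old->fsgid))`, whereas the parallel setfsuid hunk above places `gr_check_user_change()` inside the `!uid_eq(kuid, old->fsuid)` branch. A setfsgid call that does not change the fsgid therefore still runs the policy check, with whatever side effects it has (presumably logging), while the same no-op in setfsuid does not. Unless the difference is intentional, move the check inside the `!gid_eq` branch so the two syscalls match; if it is intentional, a one-line comment should say why.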
109968@@ -1187,19 +1242,19 @@ SYSCALL_DEFINE1(olduname, struct oldold_utsname __user *, name)
109969 return -EFAULT;
109970
109971 down_read(&uts_sem);
109972- error = __copy_to_user(&name->sysname, &utsname()->sysname,
109973+ error = __copy_to_user(name->sysname, &utsname()->sysname,
109974 __OLD_UTS_LEN);
109975 error |= __put_user(0, name->sysname + __OLD_UTS_LEN);
109976- error |= __copy_to_user(&name->nodename, &utsname()->nodename,
109977+ error |= __copy_to_user(name->nodename, &utsname()->nodename,
109978 __OLD_UTS_LEN);
109979 error |= __put_user(0, name->nodename + __OLD_UTS_LEN);
109980- error |= __copy_to_user(&name->release, &utsname()->release,
109981+ error |= __copy_to_user(name->release, &utsname()->release,
109982 __OLD_UTS_LEN);
109983 error |= __put_user(0, name->release + __OLD_UTS_LEN);
109984- error |= __copy_to_user(&name->version, &utsname()->version,
109985+ error |= __copy_to_user(name->version, &utsname()->version,
109986 __OLD_UTS_LEN);
109987 error |= __put_user(0, name->version + __OLD_UTS_LEN);
109988- error |= __copy_to_user(&name->machine, &utsname()->machine,
109989+ error |= __copy_to_user(name->machine, &utsname()->machine,
109990 __OLD_UTS_LEN);
109991 error |= __put_user(0, name->machine + __OLD_UTS_LEN);
109992 up_read(&uts_sem);
109993@@ -1400,6 +1455,13 @@ int do_prlimit(struct task_struct *tsk, unsigned int resource,
109994 */
109995 new_rlim->rlim_cur = 1;
109996 }
109997+ /* Handle the case where a fork and setuid occur and then RLIMIT_NPROC
109998+ is changed to a lower value. Since tasks can be created by the same
109999+ user in between this limit change and an execve by this task, force
110000+ a recheck only for this task by setting PF_NPROC_EXCEEDED
110001+ */
110002+ if (resource == RLIMIT_NPROC && tsk->real_cred->user != INIT_USER)
110003+ tsk->flags |= PF_NPROC_EXCEEDED;
110004 }
110005 if (!retval) {
110006 if (old_rlim)
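Review bot: The added block sets `PF_NPROC_EXCEEDED` on every RLIMIT_NPROC update for a non-INIT_USER task, while its comment describes only the case where the limit is changed to a lower value. Either compare the new soft limit against the previous one before setting the flag, or reword the comment to say the recheck is forced unconditionally. `tsk` is a parameter here, so if do_prlimit can be reached for a task other than `current`, `tsk->flags |= PF_NPROC_EXCEEDED` is a non-atomic read-modify-write that may race with the target updating its own flags. Which lock is held at this point is not visible in the hunk and should be stated in the comment. The enclosing function starts and ends outside the hunk.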
110007diff --git a/kernel/sysctl.c b/kernel/sysctl.c
110008index 19b62b5..74cc287 100644
110009--- a/kernel/sysctl.c
110010+++ b/kernel/sysctl.c
110011@@ -94,7 +94,6 @@
110012 #endif
110013
110014 #if defined(CONFIG_SYSCTL)
110015-
110016 /* External variables not in a header file. */
110017 extern int suid_dumpable;
110018 #ifdef CONFIG_COREDUMP
110019@@ -111,22 +110,24 @@ extern int sysctl_nr_open_min, sysctl_nr_open_max;
110020 #ifndef CONFIG_MMU
110021 extern int sysctl_nr_trim_pages;
110022 #endif
110023+extern int sysctl_modify_ldt;
110024
110025 /* Constants used for minimum and maximum */
110026 #ifdef CONFIG_LOCKUP_DETECTOR
110027-static int sixty = 60;
110028+static int sixty __read_only = 60;
110029 #endif
110030
110031-static int __maybe_unused neg_one = -1;
110032+static int __maybe_unused neg_one __read_only = -1;
110033
110034-static int zero;
110035-static int __maybe_unused one = 1;
110036-static int __maybe_unused two = 2;
110037-static int __maybe_unused four = 4;
110038-static unsigned long one_ul = 1;
110039-static int one_hundred = 100;
110040+static int zero __read_only = 0;
110041+static int __maybe_unused one __read_only = 1;
110042+static int __maybe_unused two __read_only = 2;
110043+static int __maybe_unused three __read_only = 3;
110044+static int __maybe_unused four __read_only = 4;
110045+static unsigned long one_ul __read_only = 1;
110046+static int one_hundred __read_only = 100;
110047 #ifdef CONFIG_PRINTK
110048-static int ten_thousand = 10000;
110049+static int ten_thousand __read_only = 10000;
110050 #endif
110051
110052 /* this is needed for the proc_doulongvec_minmax of vm_dirty_bytes */
110053@@ -180,10 +181,8 @@ static int proc_taint(struct ctl_table *table, int write,
110054 void __user *buffer, size_t *lenp, loff_t *ppos);
110055 #endif
110056
110057-#ifdef CONFIG_PRINTK
110058-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
110059+static int proc_dointvec_minmax_secure_sysadmin(struct ctl_table *table, int write,
110060 void __user *buffer, size_t *lenp, loff_t *ppos);
110061-#endif
110062
110063 static int proc_dointvec_minmax_coredump(struct ctl_table *table, int write,
110064 void __user *buffer, size_t *lenp, loff_t *ppos);
110065@@ -214,6 +213,8 @@ static int sysrq_sysctl_handler(struct ctl_table *table, int write,
110066
110067 #endif
110068
110069+extern struct ctl_table grsecurity_table[];
110070+
110071 static struct ctl_table kern_table[];
110072 static struct ctl_table vm_table[];
110073 static struct ctl_table fs_table[];
110074@@ -228,6 +229,20 @@ extern struct ctl_table epoll_table[];
110075 int sysctl_legacy_va_layout;
110076 #endif
110077
110078+#ifdef CONFIG_PAX_SOFTMODE
110079+static struct ctl_table pax_table[] = {
110080+ {
110081+ .procname = "softmode",
110082+ .data = &pax_softmode,
110083+ .maxlen = sizeof(unsigned int),
110084+ .mode = 0600,
110085+ .proc_handler = &proc_dointvec,
110086+ },
110087+
110088+ { }
110089+};
110090+#endif
110091+
110092 /* The default sysctl tables: */
110093
110094 static struct ctl_table sysctl_base_table[] = {
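Review bot: The `softmode` entry uses plain `proc_dointvec`, so it accepts any int and relies on the 0600 file mode alone, while the other security toggles this patch touches in kern_table (`dmesg_restrict`, `kptr_restrict`, `modify_ldt`) go through `proc_dointvec_minmax_secure_sysadmin` with explicit bounds. If `pax_softmode` is meant to be a 0/1 switch (its definition is not visible here), bound it and check the capability in the handler as well: `.proc_handler = proc_dointvec_minmax_secure_sysadmin,` `.extra1 = &zero,` `.extra2 = &one,`. The `&` in `&proc_dointvec` is also inconsistent with the other entries in this file.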
110095@@ -276,6 +291,22 @@ static int max_extfrag_threshold = 1000;
110096 #endif
110097
110098 static struct ctl_table kern_table[] = {
110099+#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
110100+ {
110101+ .procname = "grsecurity",
110102+ .mode = 0500,
110103+ .child = grsecurity_table,
110104+ },
110105+#endif
110106+
110107+#ifdef CONFIG_PAX_SOFTMODE
110108+ {
110109+ .procname = "pax",
110110+ .mode = 0500,
110111+ .child = pax_table,
110112+ },
110113+#endif
110114+
110115 {
110116 .procname = "sched_child_runs_first",
110117 .data = &sysctl_sched_child_runs_first,
110118@@ -628,7 +659,7 @@ static struct ctl_table kern_table[] = {
110119 .maxlen = sizeof(int),
110120 .mode = 0644,
110121 /* only handle a transition from default "0" to "1" */
110122- .proc_handler = proc_dointvec_minmax,
110123+ .proc_handler = proc_dointvec_minmax_secure,
110124 .extra1 = &one,
110125 .extra2 = &one,
110126 },
110127@@ -639,7 +670,7 @@ static struct ctl_table kern_table[] = {
110128 .data = &modprobe_path,
110129 .maxlen = KMOD_PATH_LEN,
110130 .mode = 0644,
110131- .proc_handler = proc_dostring,
110132+ .proc_handler = proc_dostring_modpriv,
110133 },
110134 {
110135 .procname = "modules_disabled",
110136@@ -647,7 +678,7 @@ static struct ctl_table kern_table[] = {
110137 .maxlen = sizeof(int),
110138 .mode = 0644,
110139 /* only handle a transition from default "0" to "1" */
110140- .proc_handler = proc_dointvec_minmax,
110141+ .proc_handler = proc_dointvec_minmax_secure,
110142 .extra1 = &one,
110143 .extra2 = &one,
110144 },
110145@@ -802,20 +833,24 @@ static struct ctl_table kern_table[] = {
110146 .data = &dmesg_restrict,
110147 .maxlen = sizeof(int),
110148 .mode = 0644,
110149- .proc_handler = proc_dointvec_minmax_sysadmin,
110150+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
110151 .extra1 = &zero,
110152 .extra2 = &one,
110153 },
110154+#endif
110155 {
110156 .procname = "kptr_restrict",
110157 .data = &kptr_restrict,
110158 .maxlen = sizeof(int),
110159 .mode = 0644,
110160- .proc_handler = proc_dointvec_minmax_sysadmin,
110161+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
110162+#ifdef CONFIG_GRKERNSEC_HIDESYM
110163+ .extra1 = &two,
110164+#else
110165 .extra1 = &zero,
110166+#endif
110167 .extra2 = &two,
110168 },
110169-#endif
110170 {
110171 .procname = "ngroups_max",
110172 .data = &ngroups_max,
110173@@ -960,6 +995,15 @@ static struct ctl_table kern_table[] = {
110174 .mode = 0644,
110175 .proc_handler = proc_dointvec,
110176 },
110177+ {
110178+ .procname = "modify_ldt",
110179+ .data = &sysctl_modify_ldt,
110180+ .maxlen = sizeof(int),
110181+ .mode = 0644,
110182+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
110183+ .extra1 = &zero,
110184+ .extra2 = &one,
110185+ },
110186 #endif
110187 #if defined(CONFIG_MMU)
110188 {
110189@@ -1082,10 +1126,17 @@ static struct ctl_table kern_table[] = {
110190 */
110191 {
110192 .procname = "perf_event_paranoid",
110193- .data = &sysctl_perf_event_paranoid,
110194- .maxlen = sizeof(sysctl_perf_event_paranoid),
110195+ .data = &sysctl_perf_event_legitimately_concerned,
110196+ .maxlen = sizeof(sysctl_perf_event_legitimately_concerned),
110197 .mode = 0644,
110198- .proc_handler = proc_dointvec,
110199+ /* go ahead, be a hero */
110200+ .proc_handler = proc_dointvec_minmax_secure_sysadmin,
110201+ .extra1 = &neg_one,
110202+#ifdef CONFIG_GRKERNSEC_PERF_HARDEN
110203+ .extra2 = &three,
110204+#else
110205+ .extra2 = &two,
110206+#endif
110207 },
110208 {
110209 .procname = "perf_event_mlock_kb",
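Review bot: The comment `/* go ahead, be a hero */` says nothing about what the handler change does. The entry now limits writes to -1..2, or -1..3 when `CONFIG_GRKERNSEC_PERF_HARDEN` is set, and requires CAP_SYS_ADMIN through `proc_dointvec_minmax_secure_sysadmin`. A comment stating that range and what the extra level 3 means would be more useful to whoever audits this table. The backing variable is renamed to `sysctl_perf_event_legitimately_concerned` while the procname stays `perf_event_paranoid`, which also deserves a word in the comment.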
110210@@ -1376,6 +1427,13 @@ static struct ctl_table vm_table[] = {
110211 .proc_handler = proc_dointvec_minmax,
110212 .extra1 = &zero,
110213 },
110214+ {
110215+ .procname = "heap_stack_gap",
110216+ .data = &sysctl_heap_stack_gap,
110217+ .maxlen = sizeof(sysctl_heap_stack_gap),
110218+ .mode = 0644,
110219+ .proc_handler = proc_doulongvec_minmax,
110220+ },
110221 #else
110222 {
110223 .procname = "nr_trim_pages",
110224@@ -1852,6 +1910,16 @@ int proc_dostring(struct ctl_table *table, int write,
110225 (char __user *)buffer, lenp, ppos);
110226 }
110227
110228+int proc_dostring_modpriv(struct ctl_table *table, int write,
110229+ void __user *buffer, size_t *lenp, loff_t *ppos)
110230+{
110231+ if (write && !capable(CAP_SYS_MODULE))
110232+ return -EPERM;
110233+
110234+ return _proc_do_string(table->data, table->maxlen, write,
110235+ buffer, lenp, ppos);
110236+}
110237+
110238 static size_t proc_skip_spaces(char **buf)
110239 {
110240 size_t ret;
110241@@ -1957,6 +2025,8 @@ static int proc_put_long(void __user **buf, size_t *size, unsigned long val,
110242 len = strlen(tmp);
110243 if (len > *size)
110244 len = *size;
110245+ if (len > sizeof(tmp))
110246+ len = sizeof(tmp);
110247 if (copy_to_user(*buf, tmp, len))
110248 return -EFAULT;
110249 *size -= len;
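Review bot: The new clamp `if (len > sizeof(tmp)) len = sizeof(tmp);` follows `len = strlen(tmp)`, which cannot exceed `sizeof(tmp) - 1` when `tmp` is a NUL-terminated local array, so the branch looks unreachable. If it exists to give a bounds checker a provable upper limit on the `copy_to_user()` length, say so in a comment, e.g. `/* bound len by the buffer size so the copy length is provably within tmp */`. The declaration of `tmp` is outside the hunk, so this assumes it is an array; for a pointer, `sizeof(tmp)` would be the pointer size and the clamp would truncate the output.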
110250@@ -1995,7 +2065,7 @@ static int do_proc_dointvec_conv(bool *negp, unsigned long *lvalp,
110251 int val = *valp;
110252 if (val < 0) {
110253 *negp = true;
110254- *lvalp = (unsigned long)-val;
110255+ *lvalp = -(unsigned long)val;
110256 } else {
110257 *negp = false;
110258 *lvalp = (unsigned long)val;
110259@@ -2135,6 +2205,44 @@ int proc_dointvec(struct ctl_table *table, int write,
110260 NULL,NULL);
110261 }
110262
110263+static int do_proc_dointvec_conv_secure(bool *negp, unsigned long *lvalp,
110264+ int *valp,
110265+ int write, void *data)
110266+{
110267+ if (write) {
110268+ if (*negp) {
110269+ if (*lvalp > (unsigned long) INT_MAX + 1)
110270+ return -EINVAL;
110271+ pax_open_kernel();
110272+ *valp = -*lvalp;
110273+ pax_close_kernel();
110274+ } else {
110275+ if (*lvalp > (unsigned long) INT_MAX)
110276+ return -EINVAL;
110277+ pax_open_kernel();
110278+ *valp = *lvalp;
110279+ pax_close_kernel();
110280+ }
110281+ } else {
110282+ int val = *valp;
110283+ if (val < 0) {
110284+ *negp = true;
110285+ *lvalp = -(unsigned long)val;
110286+ } else {
110287+ *negp = false;
110288+ *lvalp = (unsigned long)val;
110289+ }
110290+ }
110291+ return 0;
110292+}
110293+
110294+int proc_dointvec_secure(struct ctl_table *table, int write,
110295+ void __user *buffer, size_t *lenp, loff_t *ppos)
110296+{
110297+ return do_proc_dointvec(table,write,buffer,lenp,ppos,
110298+ do_proc_dointvec_conv_secure,NULL);
110299+}
110300+
110301 /*
110302 * Taint values can only be increased
110303 * This means we can safely use a temporary.
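Review bot: The write path of `do_proc_dointvec_conv_secure` repeats the `pax_open_kernel()` / store / `pax_close_kernel()` sequence in both sign branches, and its read path is a copy of `do_proc_dointvec_conv`. Validating and converting into a local first leaves a single, minimal window around the store, which is easier to audit. Neither `do_proc_dointvec_conv_secure` nor the non-static `proc_dointvec_secure` has a comment saying when the `_secure` variant must be used instead of `proc_dointvec`. Presumably it is for targets marked `__read_only`, and that should be stated.

```c
	if (write) {
		unsigned long limit = (unsigned long) INT_MAX + (*negp ? 1UL : 0UL);
		int val;

		if (*lvalp > limit)
			return -EINVAL;
		val = *negp ? -*lvalp : *lvalp;
		/* single write window for the (possibly read-only) target */
		pax_open_kernel();
		*valp = val;
		pax_close_kernel();
	} else {
		/* … unchanged: read path … */
```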
110304@@ -2142,7 +2250,7 @@ int proc_dointvec(struct ctl_table *table, int write,
110305 static int proc_taint(struct ctl_table *table, int write,
110306 void __user *buffer, size_t *lenp, loff_t *ppos)
110307 {
110308- struct ctl_table t;
110309+ ctl_table_no_const t;
110310 unsigned long tmptaint = get_taint();
110311 int err;
110312
110313@@ -2170,16 +2278,14 @@ static int proc_taint(struct ctl_table *table, int write,
110314 return err;
110315 }
110316
110317-#ifdef CONFIG_PRINTK
110318-static int proc_dointvec_minmax_sysadmin(struct ctl_table *table, int write,
110319+static int proc_dointvec_minmax_secure_sysadmin(struct ctl_table *table, int write,
110320 void __user *buffer, size_t *lenp, loff_t *ppos)
110321 {
110322 if (write && !capable(CAP_SYS_ADMIN))
110323 return -EPERM;
110324
110325- return proc_dointvec_minmax(table, write, buffer, lenp, ppos);
110326+ return proc_dointvec_minmax_secure(table, write, buffer, lenp, ppos);
110327 }
110328-#endif
110329
110330 struct do_proc_dointvec_minmax_conv_param {
110331 int *min;
110332@@ -2201,7 +2307,33 @@ static int do_proc_dointvec_minmax_conv(bool *negp, unsigned long *lvalp,
110333 int val = *valp;
110334 if (val < 0) {
110335 *negp = true;
110336- *lvalp = (unsigned long)-val;
110337+ *lvalp = -(unsigned long)val;
110338+ } else {
110339+ *negp = false;
110340+ *lvalp = (unsigned long)val;
110341+ }
110342+ }
110343+ return 0;
110344+}
110345+
110346+static int do_proc_dointvec_minmax_conv_secure(bool *negp, unsigned long *lvalp,
110347+ int *valp,
110348+ int write, void *data)
110349+{
110350+ struct do_proc_dointvec_minmax_conv_param *param = data;
110351+ if (write) {
110352+ int val = *negp ? -*lvalp : *lvalp;
110353+ if ((param->min && *param->min > val) ||
110354+ (param->max && *param->max < val))
110355+ return -EINVAL;
110356+ pax_open_kernel();
110357+ *valp = val;
110358+ pax_close_kernel();
110359+ } else {
110360+ int val = *valp;
110361+ if (val < 0) {
110362+ *negp = true;
110363+ *lvalp = -(unsigned long)val;
110364 } else {
110365 *negp = false;
110366 *lvalp = (unsigned long)val;
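Review bot: In the write path of `do_proc_dointvec_minmax_conv_secure`, `int val = *negp ? -*lvalp : *lvalp;` narrows an unsigned long to int before the min/max comparison, so an input outside the int range wraps and can be accepted as an in-range value instead of being rejected. `do_proc_dointvec_conv_secure`, added earlier in this same file, rejects such input first, and doing the same here keeps the two handlers consistent: `if (*lvalp > (unsigned long) INT_MAX + (*negp ? 1UL : 0UL)) return -EINVAL;` placed before `val` is computed. The stored value still ends up inside [min, max], so this is about rejecting malformed writes to security sysctls, not a bounds bypass. The tail of the new function is the hunk's trailing context and continues outside it.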
110367@@ -2237,6 +2369,17 @@ int proc_dointvec_minmax(struct ctl_table *table, int write,
110368 do_proc_dointvec_minmax_conv, &param);
110369 }
110370
110371+int proc_dointvec_minmax_secure(struct ctl_table *table, int write,
110372+ void __user *buffer, size_t *lenp, loff_t *ppos)
110373+{
110374+ struct do_proc_dointvec_minmax_conv_param param = {
110375+ .min = (int *) table->extra1,
110376+ .max = (int *) table->extra2,
110377+ };
110378+ return do_proc_dointvec(table, write, buffer, lenp, ppos,
110379+ do_proc_dointvec_minmax_conv_secure, &param);
110380+}
110381+
110382 static void validate_coredump_safety(void)
110383 {
110384 #ifdef CONFIG_COREDUMP
110385@@ -2436,7 +2579,7 @@ static int do_proc_dointvec_jiffies_conv(bool *negp, unsigned long *lvalp,
110386 unsigned long lval;
110387 if (val < 0) {
110388 *negp = true;
110389- lval = (unsigned long)-val;
110390+ lval = -(unsigned long)val;
110391 } else {
110392 *negp = false;
110393 lval = (unsigned long)val;
110394@@ -2459,7 +2602,7 @@ static int do_proc_dointvec_userhz_jiffies_conv(bool *negp, unsigned long *lvalp
110395 unsigned long lval;
110396 if (val < 0) {
110397 *negp = true;
110398- lval = (unsigned long)-val;
110399+ lval = -(unsigned long)val;
110400 } else {
110401 *negp = false;
110402 lval = (unsigned long)val;
110403@@ -2484,7 +2627,7 @@ static int do_proc_dointvec_ms_jiffies_conv(bool *negp, unsigned long *lvalp,
110404 unsigned long lval;
110405 if (val < 0) {
110406 *negp = true;
110407- lval = (unsigned long)-val;
110408+ lval = -(unsigned long)val;
110409 } else {
110410 *negp = false;
110411 lval = (unsigned long)val;
110412@@ -2739,6 +2882,12 @@ int proc_dostring(struct ctl_table *table, int write,
110413 return -ENOSYS;
110414 }
110415
110416+int proc_dostring_modpriv(struct ctl_table *table, int write,
110417+ void __user *buffer, size_t *lenp, loff_t *ppos)
110418+{
110419+ return -ENOSYS;
110420+}
110421+
110422 int proc_dointvec(struct ctl_table *table, int write,
110423 void __user *buffer, size_t *lenp, loff_t *ppos)
110424 {
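Review bot: This stub section gains a `-ENOSYS` version of `proc_dostring_modpriv` only, and the export list in the next hunk likewise adds only that symbol. The patch also introduces the non-static handlers `proc_dointvec_secure` and `proc_dointvec_minmax_secure` in the real implementation above. If this is the branch built when the proc sysctl handlers are compiled out (the surrounding `#if` is not visible), those two need matching stubs here, since `kern_table` now references `proc_dointvec_minmax_secure` directly. If modules are expected to call them, they also need `EXPORT_SYMBOL` lines next to `proc_dostring_modpriv`.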
110425@@ -2795,5 +2944,6 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
110426 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
110427 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
110428 EXPORT_SYMBOL(proc_dostring);
110429+EXPORT_SYMBOL(proc_dostring_modpriv);
110430 EXPORT_SYMBOL(proc_doulongvec_minmax);
110431 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
110432diff --git a/kernel/taskstats.c b/kernel/taskstats.c
110433index 21f82c2..c1984e5 100644
110434--- a/kernel/taskstats.c
110435+++ b/kernel/taskstats.c
110436@@ -28,9 +28,12 @@
110437 #include <linux/fs.h>
110438 #include <linux/file.h>
110439 #include <linux/pid_namespace.h>
110440+#include <linux/grsecurity.h>
110441 #include <net/genetlink.h>
110442 #include <linux/atomic.h>
110443
110444+extern int gr_is_taskstats_denied(int pid);
110445+
110446 /*
110447 * Maximum length of a cpumask that can be specified in
110448 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
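Review bot: `extern int gr_is_taskstats_denied(int pid);` is declared by hand in this .c file, two lines after the hunk adds `#include <linux/grsecurity.h>`. A local extern is only checked against the definition if the defining file sees the same declaration, so a later signature change could compile with a mismatched prototype. The declaration belongs in the header that was just included, and this line can then be dropped.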
110449@@ -567,6 +570,9 @@ err:
110450
110451 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
110452 {
110453+ if (gr_is_taskstats_denied(current->pid))
110454+ return -EACCES;
110455+
110456 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
110457 return cmd_attr_register_cpumask(info);
110458 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
110459diff --git a/kernel/time/alarmtimer.c b/kernel/time/alarmtimer.c
110460index 7fbba635..7cc64ae 100644
110461--- a/kernel/time/alarmtimer.c
110462+++ b/kernel/time/alarmtimer.c
110463@@ -820,7 +820,7 @@ static int __init alarmtimer_init(void)
110464 struct platform_device *pdev;
110465 int error = 0;
110466 int i;
110467- struct k_clock alarm_clock = {
110468+ static struct k_clock alarm_clock = {
110469 .clock_getres = alarm_clock_getres,
110470 .clock_get = alarm_clock_get,
110471 .timer_create = alarm_timer_create,
110472diff --git a/kernel/time/posix-cpu-timers.c b/kernel/time/posix-cpu-timers.c
110473index 892e3da..cb71aa5 100644
110474--- a/kernel/time/posix-cpu-timers.c
110475+++ b/kernel/time/posix-cpu-timers.c
110476@@ -1470,14 +1470,14 @@ struct k_clock clock_posix_cpu = {
110477
110478 static __init int init_posix_cpu_timers(void)
110479 {
110480- struct k_clock process = {
110481+ static struct k_clock process = {
110482 .clock_getres = process_cpu_clock_getres,
110483 .clock_get = process_cpu_clock_get,
110484 .timer_create = process_cpu_timer_create,
110485 .nsleep = process_cpu_nsleep,
110486 .nsleep_restart = process_cpu_nsleep_restart,
110487 };
110488- struct k_clock thread = {
110489+ static struct k_clock thread = {
110490 .clock_getres = thread_cpu_clock_getres,
110491 .clock_get = thread_cpu_clock_get,
110492 .timer_create = thread_cpu_timer_create,
110493diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c
110494index 31d11ac..5a3bb13 100644
110495--- a/kernel/time/posix-timers.c
110496+++ b/kernel/time/posix-timers.c
110497@@ -43,6 +43,7 @@
110498 #include <linux/hash.h>
110499 #include <linux/posix-clock.h>
110500 #include <linux/posix-timers.h>
110501+#include <linux/grsecurity.h>
110502 #include <linux/syscalls.h>
110503 #include <linux/wait.h>
110504 #include <linux/workqueue.h>
110505@@ -124,7 +125,7 @@ static DEFINE_SPINLOCK(hash_lock);
110506 * which we beg off on and pass to do_sys_settimeofday().
110507 */
110508
110509-static struct k_clock posix_clocks[MAX_CLOCKS];
110510+static struct k_clock *posix_clocks[MAX_CLOCKS];
110511
110512 /*
110513 * These ones are defined below.
110514@@ -284,7 +285,7 @@ static int posix_get_hrtimer_res(clockid_t which_clock, struct timespec *tp)
110515 */
110516 static __init int init_posix_timers(void)
110517 {
110518- struct k_clock clock_realtime = {
110519+ static struct k_clock clock_realtime = {
110520 .clock_getres = posix_get_hrtimer_res,
110521 .clock_get = posix_clock_realtime_get,
110522 .clock_set = posix_clock_realtime_set,
110523@@ -296,7 +297,7 @@ static __init int init_posix_timers(void)
110524 .timer_get = common_timer_get,
110525 .timer_del = common_timer_del,
110526 };
110527- struct k_clock clock_monotonic = {
110528+ static struct k_clock clock_monotonic = {
110529 .clock_getres = posix_get_hrtimer_res,
110530 .clock_get = posix_ktime_get_ts,
110531 .nsleep = common_nsleep,
110532@@ -306,19 +307,19 @@ static __init int init_posix_timers(void)
110533 .timer_get = common_timer_get,
110534 .timer_del = common_timer_del,
110535 };
110536- struct k_clock clock_monotonic_raw = {
110537+ static struct k_clock clock_monotonic_raw = {
110538 .clock_getres = posix_get_hrtimer_res,
110539 .clock_get = posix_get_monotonic_raw,
110540 };
110541- struct k_clock clock_realtime_coarse = {
110542+ static struct k_clock clock_realtime_coarse = {
110543 .clock_getres = posix_get_coarse_res,
110544 .clock_get = posix_get_realtime_coarse,
110545 };
110546- struct k_clock clock_monotonic_coarse = {
110547+ static struct k_clock clock_monotonic_coarse = {
110548 .clock_getres = posix_get_coarse_res,
110549 .clock_get = posix_get_monotonic_coarse,
110550 };
110551- struct k_clock clock_tai = {
110552+ static struct k_clock clock_tai = {
110553 .clock_getres = posix_get_hrtimer_res,
110554 .clock_get = posix_get_tai,
110555 .nsleep = common_nsleep,
110556@@ -328,7 +329,7 @@ static __init int init_posix_timers(void)
110557 .timer_get = common_timer_get,
110558 .timer_del = common_timer_del,
110559 };
110560- struct k_clock clock_boottime = {
110561+ static struct k_clock clock_boottime = {
110562 .clock_getres = posix_get_hrtimer_res,
110563 .clock_get = posix_get_boottime,
110564 .nsleep = common_nsleep,
110565@@ -540,7 +541,7 @@ void posix_timers_register_clock(const clockid_t clock_id,
110566 return;
110567 }
110568
110569- posix_clocks[clock_id] = *new_clock;
110570+ posix_clocks[clock_id] = new_clock;
110571 }
110572 EXPORT_SYMBOL_GPL(posix_timers_register_clock);
110573
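Review bot: `posix_clocks[clock_id] = new_clock;` changes the contract of an exported function without changing its signature or documentation. The caller's `struct k_clock` must now outlive the registration, yet a caller that still passes an automatic or freed object compiles without a warning. The callers visible in this patch are converted to `static`, but any other user of the export would leave a stale pointer that `clockid_to_kclock()` later returns to the timer syscalls. I would state the requirement in the function's comment, e.g. `* @new_clock: stored by reference, not copied; must stay valid for as long as the kernel runs`. The start of `posix_timers_register_clock()` is outside the hunk.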
110574@@ -586,9 +587,9 @@ static struct k_clock *clockid_to_kclock(const clockid_t id)
110575 return (id & CLOCKFD_MASK) == CLOCKFD ?
110576 &clock_posix_dynamic : &clock_posix_cpu;
110577
110578- if (id >= MAX_CLOCKS || !posix_clocks[id].clock_getres)
110579+ if (id >= MAX_CLOCKS || !posix_clocks[id] || !posix_clocks[id]->clock_getres)
110580 return NULL;
110581- return &posix_clocks[id];
110582+ return posix_clocks[id];
110583 }
110584
110585 static int common_timer_create(struct k_itimer *new_timer)
110586@@ -606,7 +607,7 @@ SYSCALL_DEFINE3(timer_create, const clockid_t, which_clock,
110587 struct k_clock *kc = clockid_to_kclock(which_clock);
110588 struct k_itimer *new_timer;
110589 int error, new_timer_id;
110590- sigevent_t event;
110591+ sigevent_t event = { };
110592 int it_id_set = IT_ID_NOT_SET;
110593
110594 if (!kc)
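Review bot: `sigevent_t event = { };` is an empty-brace initializer, and for a type that contains a union that form is not guaranteed to clear padding or the bytes of union members other than the first. If the intent is to keep stale stack contents out of anything later copied from `event` (how `event` is consumed is outside this hunk), an explicit clear is the form that does not depend on compiler behaviour: keep `sigevent_t event;` and add `memset(&event, 0, sizeof(event));` after the declarations. A short comment giving the reason for the zeroing would also help, since the initializer on its own looks cosmetic.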
110595@@ -1021,6 +1022,13 @@ SYSCALL_DEFINE2(clock_settime, const clockid_t, which_clock,
110596 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
110597 return -EFAULT;
110598
110599+ /* only the CLOCK_REALTIME clock can be set, all other clocks
110600+ have their clock_set fptr set to a nosettime dummy function
110601+ CLOCK_REALTIME has a NULL clock_set fptr which causes it to
110602+ call common_clock_set, which calls do_sys_settimeofday, which
110603+ we hook
110604+ */
110605+
110606 return kc->clock_set(which_clock, &new_tp);
110607 }
110608
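Review bot: The added comment says CLOCK_REALTIME "has a NULL clock_set fptr", which contradicts the code in this same file section. The `init_posix_timers()` hunk shows `.clock_set = posix_clock_realtime_set` for `clock_realtime`, and the statement right below the comment calls `kc->clock_set(...)` unconditionally, which a NULL pointer could not survive. The `common_clock_set` and "nosettime dummy" names it mentions do not appear in any visible hunk either, so the comment seems to describe an older layout. I would reword it to what the code does, in the kernel's multi-line comment style and without the blank line separating it from the call, e.g. `/* Only CLOCK_REALTIME is settable; its clock_set handler reaches do_sys_settimeofday(), where the change is logged. */`. The checks on `kc` that precede this are outside the hunk.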
110609diff --git a/kernel/time/time.c b/kernel/time/time.c
110610index 85d5bb1..aeca463 100644
110611--- a/kernel/time/time.c
110612+++ b/kernel/time/time.c
110613@@ -177,6 +177,11 @@ int do_sys_settimeofday(const struct timespec *tv, const struct timezone *tz)
110614 if (tz->tz_minuteswest > 15*60 || tz->tz_minuteswest < -15*60)
110615 return -EINVAL;
110616
110617+ /* we log in do_settimeofday called below, so don't log twice
110618+ */
110619+ if (!tv)
110620+ gr_log_timechange();
110621+
110622 sys_tz = *tz;
110623 update_vsyscall_tz();
110624 if (firsttime) {
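Review bot: The new comment refers to logging "in do_settimeofday called below", but the hook this patch adds is in `do_settimeofday64()` (timekeeping.c section), and the call in question is not inside this hunk. The condition `if (!tv)` is the only thing preventing a duplicate log entry, so the comment should name the real location and say what the condition means, e.g. `/* timezone-only update: do_settimeofday64() logs when tv is set, so log here only when it is not */`. It would also fit on one line instead of a two-line block with a dangling `*/`. The function continues outside the hunk.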
110625diff --git a/kernel/time/timekeeping.c b/kernel/time/timekeeping.c
110626index 3688f1e..3dfea48 100644
110627--- a/kernel/time/timekeeping.c
110628+++ b/kernel/time/timekeeping.c
110629@@ -15,6 +15,7 @@
110630 #include <linux/init.h>
110631 #include <linux/mm.h>
110632 #include <linux/sched.h>
110633+#include <linux/grsecurity.h>
110634 #include <linux/syscore_ops.h>
110635 #include <linux/clocksource.h>
110636 #include <linux/jiffies.h>
110637@@ -915,6 +916,8 @@ int do_settimeofday64(const struct timespec64 *ts)
110638 if (!timespec64_valid_strict(ts))
110639 return -EINVAL;
110640
110641+ gr_log_timechange();
110642+
110643 raw_spin_lock_irqsave(&timekeeper_lock, flags);
110644 write_seqcount_begin(&tk_core.seq);
110645
110646diff --git a/kernel/time/timer.c b/kernel/time/timer.c
110647index 84190f0..6f4ccad 100644
110648--- a/kernel/time/timer.c
110649+++ b/kernel/time/timer.c
110650@@ -1406,7 +1406,7 @@ void update_process_times(int user_tick)
110651 /*
110652 * This function runs timers and the timer-tq in bottom half context.
110653 */
110654-static void run_timer_softirq(struct softirq_action *h)
110655+static __latent_entropy void run_timer_softirq(void)
110656 {
110657 struct tvec_base *base = this_cpu_ptr(&tvec_bases);
110658
110659diff --git a/kernel/time/timer_list.c b/kernel/time/timer_list.c
110660index a4536e1..5d8774c 100644
110661--- a/kernel/time/timer_list.c
110662+++ b/kernel/time/timer_list.c
110663@@ -50,12 +50,16 @@ static void SEQ_printf(struct seq_file *m, const char *fmt, ...)
110664
110665 static void print_name_offset(struct seq_file *m, void *sym)
110666 {
110667+#ifdef CONFIG_GRKERNSEC_HIDESYM
110668+ SEQ_printf(m, "<%p>", NULL);
110669+#else
110670 char symname[KSYM_NAME_LEN];
110671
110672 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
110673 SEQ_printf(m, "<%pK>", sym);
110674 else
110675 SEQ_printf(m, "%s", symname);
110676+#endif
110677 }
110678
110679 static void
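Review bot: Under `CONFIG_GRKERNSEC_HIDESYM` the function prints a constant through a pointer conversion, `SEQ_printf(m, "<%p>", NULL);`, so the text that reaches /proc depends on how the kernel's `%p` renders a null pointer rather than on anything written here. A fixed placeholder string would make the redaction explicit and keep the output stable if the `%p` handling changes. At minimum a comment such as `/* HIDESYM: never expose the symbol or its address */` should say that `sym` is deliberately unused in this branch. The same construct is used in `print_base()` in the next hunk and in `print_name_offset()` in kernel/time/timer_stats.c.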
110680@@ -124,11 +128,14 @@ next_one:
110681 static void
110682 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
110683 {
110684+#ifdef CONFIG_GRKERNSEC_HIDESYM
110685+ SEQ_printf(m, " .base: %p\n", NULL);
110686+#else
110687 SEQ_printf(m, " .base: %pK\n", base);
110688+#endif
110689 SEQ_printf(m, " .index: %d\n", base->index);
110690
110691 SEQ_printf(m, " .resolution: %u nsecs\n", (unsigned) hrtimer_resolution);
110692-
110693 SEQ_printf(m, " .get_time: ");
110694 print_name_offset(m, base->get_time);
110695 SEQ_printf(m, "\n");
110696@@ -399,7 +406,11 @@ static int __init init_timer_list_procfs(void)
110697 {
110698 struct proc_dir_entry *pe;
110699
110700+#ifdef CONFIG_GRKERNSEC_PROC_ADD
110701+ pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
110702+#else
110703 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
110704+#endif
110705 if (!pe)
110706 return -ENOMEM;
110707 return 0;
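Review bot: The `#ifdef CONFIG_GRKERNSEC_PROC_ADD` block duplicates the whole `proc_create()` call only to change the mode from `0444` to `0400`. If the name or fops ever change, both branches have to be edited together, and the restricted mode is easy to lose in a merge. Selecting just the mode keeps one call site, for example a file-local `#define TIMER_LIST_MODE 0400` / `0444` chosen by the `#ifdef` and then `proc_create("timer_list", TIMER_LIST_MODE, NULL, &timer_list_fops);`. `init_tstats_procfs()` in kernel/time/timer_stats.c has the same shape with `0600` / `0644`.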
110708diff --git a/kernel/time/timer_stats.c b/kernel/time/timer_stats.c
110709index 1adecb4..b4fb631 100644
110710--- a/kernel/time/timer_stats.c
110711+++ b/kernel/time/timer_stats.c
110712@@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
110713 static unsigned long nr_entries;
110714 static struct entry entries[MAX_ENTRIES];
110715
110716-static atomic_t overflow_count;
110717+static atomic_unchecked_t overflow_count;
110718
110719 /*
110720 * The entries are in a hash-table, for fast lookup:
110721@@ -140,7 +140,7 @@ static void reset_entries(void)
110722 nr_entries = 0;
110723 memset(entries, 0, sizeof(entries));
110724 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
110725- atomic_set(&overflow_count, 0);
110726+ atomic_set_unchecked(&overflow_count, 0);
110727 }
110728
110729 static struct entry *alloc_entry(void)
110730@@ -261,7 +261,7 @@ void timer_stats_update_stats(void *timer, pid_t pid, void *startf,
110731 if (likely(entry))
110732 entry->count++;
110733 else
110734- atomic_inc(&overflow_count);
110735+ atomic_inc_unchecked(&overflow_count);
110736
110737 out_unlock:
110738 raw_spin_unlock_irqrestore(lock, flags);
110739@@ -269,12 +269,16 @@ void timer_stats_update_stats(void *timer, pid_t pid, void *startf,
110740
110741 static void print_name_offset(struct seq_file *m, unsigned long addr)
110742 {
110743+#ifdef CONFIG_GRKERNSEC_HIDESYM
110744+ seq_printf(m, "<%p>", NULL);
110745+#else
110746 char symname[KSYM_NAME_LEN];
110747
110748 if (lookup_symbol_name(addr, symname) < 0)
110749- seq_printf(m, "<%p>", (void *)addr);
110750+ seq_printf(m, "<%pK>", (void *)addr);
110751 else
110752 seq_printf(m, "%s", symname);
110753+#endif
110754 }
110755
110756 static int tstats_show(struct seq_file *m, void *v)
110757@@ -300,8 +304,8 @@ static int tstats_show(struct seq_file *m, void *v)
110758
110759 seq_puts(m, "Timer Stats Version: v0.3\n");
110760 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
110761- if (atomic_read(&overflow_count))
110762- seq_printf(m, "Overflow: %d entries\n", atomic_read(&overflow_count));
110763+ if (atomic_read_unchecked(&overflow_count))
110764+ seq_printf(m, "Overflow: %d entries\n", atomic_read_unchecked(&overflow_count));
110765 seq_printf(m, "Collection: %s\n", timer_stats_active ? "active" : "inactive");
110766
110767 for (i = 0; i < nr_entries; i++) {
110768@@ -417,7 +421,11 @@ static int __init init_tstats_procfs(void)
110769 {
110770 struct proc_dir_entry *pe;
110771
110772+#ifdef CONFIG_GRKERNSEC_PROC_ADD
110773+ pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
110774+#else
110775 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
110776+#endif
110777 if (!pe)
110778 return -ENOMEM;
110779 return 0;
110780diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig
110781index 3b9a48a..6125816 100644
110782--- a/kernel/trace/Kconfig
110783+++ b/kernel/trace/Kconfig
110784@@ -120,6 +120,7 @@ config TRACING_SUPPORT
110785 # irqflags tracing for your architecture.
110786 depends on TRACE_IRQFLAGS_SUPPORT || PPC32
110787 depends on STACKTRACE_SUPPORT
110788+ depends on !GRKERNSEC_KMEM
110789 default y
110790
110791 if TRACING_SUPPORT
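Review bot: `depends on !GRKERNSEC_KMEM` on `TRACING_SUPPORT` only gates the options inside the `if TRACING_SUPPORT` block, and Kconfig `select` does not honour dependencies. Any symbol elsewhere in the tree that selects tracing infrastructure directly would still enable it with GRKERNSEC_KMEM set; whether such a symbol exists is not visible from this hunk, so it is worth checking. The added line also carries no explanation, so a comment such as `# tracing exposes kernel memory contents; incompatible with GRKERNSEC_KMEM` would tell users why the menu disappears. In the `BLK_DEV_IO_TRACE` hunk the new `depends on` is placed between `select` lines; grouping it with the existing `depends on BLOCK` would read better.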
110792@@ -378,6 +379,7 @@ config BLK_DEV_IO_TRACE
110793 depends on BLOCK
110794 select RELAY
110795 select DEBUG_FS
110796+ depends on !GRKERNSEC_KMEM
110797 select TRACEPOINTS
110798 select GENERIC_TRACER
110799 select STACKTRACE
110800diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
110801index b3e6b39..719099b 100644
110802--- a/kernel/trace/blktrace.c
110803+++ b/kernel/trace/blktrace.c
110804@@ -328,7 +328,7 @@ static ssize_t blk_dropped_read(struct file *filp, char __user *buffer,
110805 struct blk_trace *bt = filp->private_data;
110806 char buf[16];
110807
110808- snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
110809+ snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
110810
110811 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
110812 }
110813@@ -386,7 +386,7 @@ static int blk_subbuf_start_callback(struct rchan_buf *buf, void *subbuf,
110814 return 1;
110815
110816 bt = buf->chan->private_data;
110817- atomic_inc(&bt->dropped);
110818+ atomic_inc_unchecked(&bt->dropped);
110819 return 0;
110820 }
110821
110822@@ -485,7 +485,7 @@ int do_blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
110823
110824 bt->dir = dir;
110825 bt->dev = dev;
110826- atomic_set(&bt->dropped, 0);
110827+ atomic_set_unchecked(&bt->dropped, 0);
110828 INIT_LIST_HEAD(&bt->running_list);
110829
110830 ret = -EIO;
110831diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c
110832index eb11011..43adc29 100644
110833--- a/kernel/trace/ftrace.c
110834+++ b/kernel/trace/ftrace.c
110835@@ -2413,12 +2413,17 @@ ftrace_code_disable(struct module *mod, struct dyn_ftrace *rec)
110836 if (unlikely(ftrace_disabled))
110837 return 0;
110838
110839+ ret = ftrace_arch_code_modify_prepare();
110840+ FTRACE_WARN_ON(ret);
110841+ if (ret)
110842+ return 0;
110843+
110844 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
110845+ FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
110846 if (ret) {
110847 ftrace_bug(ret, rec);
110848- return 0;
110849 }
110850- return 1;
110851+ return ret ? 0 : 1;
110852 }
110853
110854 /*
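Review bot: The result of `ftrace_arch_code_modify_post_process()` is only passed to `FTRACE_WARN_ON()` and never reaches the return value, so `ftrace_code_disable()` reports success (1) even when the post-processing step failed. If that step is what restores the text protection lifted by `ftrace_arch_code_modify_prepare()` (it is arch-specific and not visible here), a failure leaves the kernel in a weaker state than the caller is told. I would keep the result in a local and fold it into the return, e.g. `return (ret || post) ? 0 : 1;`. On style, the braces left around the lone `ftrace_bug(ret, rec);` can go now that the `return 0;` was removed from that block.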
110855@@ -4807,8 +4812,10 @@ static int ftrace_process_locs(struct module *mod,
110856 if (!count)
110857 return 0;
110858
110859+ pax_open_kernel();
110860 sort(start, count, sizeof(*start),
110861 ftrace_cmp_ips, ftrace_swap_ips);
110862+ pax_close_kernel();
110863
110864 start_pg = ftrace_allocate_pages(count);
110865 if (!start_pg)
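Review bot: `pax_open_kernel()` / `pax_close_kernel()` bracket the whole `sort()` call with no comment explaining why write protection has to be lifted here. Presumably the `start` array lives in memory that is otherwise read-only, but that is not stated, and the open window covers every `ftrace_cmp_ips` / `ftrace_swap_ips` callback for `count` entries. A comment such as `/* start[] is in write-protected memory; open only for the in-place sort */` would record the reason and make clear that nothing else should be added between the two calls. The function continues outside the hunk.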
110866@@ -5675,7 +5682,7 @@ static int alloc_retstack_tasklist(struct ftrace_ret_stack **ret_stack_list)
110867
110868 if (t->ret_stack == NULL) {
110869 atomic_set(&t->tracing_graph_pause, 0);
110870- atomic_set(&t->trace_overrun, 0);
110871+ atomic_set_unchecked(&t->trace_overrun, 0);
110872 t->curr_ret_stack = -1;
110873 /* Make sure the tasks see the -1 first: */
110874 smp_wmb();
110875@@ -5898,7 +5905,7 @@ static void
110876 graph_init_task(struct task_struct *t, struct ftrace_ret_stack *ret_stack)
110877 {
110878 atomic_set(&t->tracing_graph_pause, 0);
110879- atomic_set(&t->trace_overrun, 0);
110880+ atomic_set_unchecked(&t->trace_overrun, 0);
110881 t->ftrace_timestamp = 0;
110882 /* make curr_ret_stack visible before we add the ret_stack */
110883 smp_wmb();
110884diff --git a/kernel/trace/ring_buffer.c b/kernel/trace/ring_buffer.c
110885index 6260717..b9bd83c 100644
110886--- a/kernel/trace/ring_buffer.c
110887+++ b/kernel/trace/ring_buffer.c
110888@@ -296,9 +296,9 @@ struct buffer_data_page {
110889 */
110890 struct buffer_page {
110891 struct list_head list; /* list of buffer pages */
110892- local_t write; /* index for next write */
110893+ local_unchecked_t write; /* index for next write */
110894 unsigned read; /* index for next read */
110895- local_t entries; /* entries on this page */
110896+ local_unchecked_t entries; /* entries on this page */
110897 unsigned long real_end; /* real end of data */
110898 struct buffer_data_page *page; /* Actual data page */
110899 };
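Review bot: `write` and `entries` become `local_unchecked_t` with nothing recording why these two fields are exempt from overflow checking. The exemption looks deliberate, since other hunks in this file show both fields carrying an extra counter added with `RB_WRITE_INTCNT` and masked off with `RB_WRITE_MASK`, so wrapping is presumably expected. The next hunk also converts `overrun`, `commit_overrun`, `dropped_events` and `commits`, while `entries`, `entries_bytes` and `committing` in the same struct stay `local_t`. A reader cannot tell from the types alone which set is intentional. A field comment such as `/* unchecked: holds an interrupt counter above RB_WRITE_MASK and may wrap */`, and a similar one-liner for the statistics counters, would document the choice.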
110900@@ -437,11 +437,11 @@ struct ring_buffer_per_cpu {
110901 unsigned long last_overrun;
110902 local_t entries_bytes;
110903 local_t entries;
110904- local_t overrun;
110905- local_t commit_overrun;
110906- local_t dropped_events;
110907+ local_unchecked_t overrun;
110908+ local_unchecked_t commit_overrun;
110909+ local_unchecked_t dropped_events;
110910 local_t committing;
110911- local_t commits;
110912+ local_unchecked_t commits;
110913 unsigned long read;
110914 unsigned long read_bytes;
110915 u64 write_stamp;
110916@@ -1011,8 +1011,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
110917 *
110918 * We add a counter to the write field to denote this.
110919 */
110920- old_write = local_add_return(RB_WRITE_INTCNT, &next_page->write);
110921- old_entries = local_add_return(RB_WRITE_INTCNT, &next_page->entries);
110922+ old_write = local_add_return_unchecked(RB_WRITE_INTCNT, &next_page->write);
110923+ old_entries = local_add_return_unchecked(RB_WRITE_INTCNT, &next_page->entries);
110924
110925 /*
110926 * Just make sure we have seen our old_write and synchronize
110927@@ -1040,8 +1040,8 @@ static int rb_tail_page_update(struct ring_buffer_per_cpu *cpu_buffer,
110928 * cmpxchg to only update if an interrupt did not already
110929 * do it for us. If the cmpxchg fails, we don't care.
110930 */
110931- (void)local_cmpxchg(&next_page->write, old_write, val);
110932- (void)local_cmpxchg(&next_page->entries, old_entries, eval);
110933+ (void)local_cmpxchg_unchecked(&next_page->write, old_write, val);
110934+ (void)local_cmpxchg_unchecked(&next_page->entries, old_entries, eval);
110935
110936 /*
110937 * No need to worry about races with clearing out the commit.
110938@@ -1409,12 +1409,12 @@ static void rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer);
110939
110940 static inline unsigned long rb_page_entries(struct buffer_page *bpage)
110941 {
110942- return local_read(&bpage->entries) & RB_WRITE_MASK;
110943+ return local_read_unchecked(&bpage->entries) & RB_WRITE_MASK;
110944 }
110945
110946 static inline unsigned long rb_page_write(struct buffer_page *bpage)
110947 {
110948- return local_read(&bpage->write) & RB_WRITE_MASK;
110949+ return local_read_unchecked(&bpage->write) & RB_WRITE_MASK;
110950 }
110951
110952 static int
110953@@ -1509,7 +1509,7 @@ rb_remove_pages(struct ring_buffer_per_cpu *cpu_buffer, unsigned int nr_pages)
110954 * bytes consumed in ring buffer from here.
110955 * Increment overrun to account for the lost events.
110956 */
110957- local_add(page_entries, &cpu_buffer->overrun);
110958+ local_add_unchecked(page_entries, &cpu_buffer->overrun);
110959 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
110960 }
110961
110962@@ -2071,7 +2071,7 @@ rb_handle_head_page(struct ring_buffer_per_cpu *cpu_buffer,
110963 * it is our responsibility to update
110964 * the counters.
110965 */
110966- local_add(entries, &cpu_buffer->overrun);
110967+ local_add_unchecked(entries, &cpu_buffer->overrun);
110968 local_sub(BUF_PAGE_SIZE, &cpu_buffer->entries_bytes);
110969
110970 /*
110971@@ -2221,7 +2221,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
110972 if (tail == BUF_PAGE_SIZE)
110973 tail_page->real_end = 0;
110974
110975- local_sub(length, &tail_page->write);
110976+ local_sub_unchecked(length, &tail_page->write);
110977 return;
110978 }
110979
110980@@ -2256,7 +2256,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
110981 rb_event_set_padding(event);
110982
110983 /* Set the write back to the previous setting */
110984- local_sub(length, &tail_page->write);
110985+ local_sub_unchecked(length, &tail_page->write);
110986 return;
110987 }
110988
110989@@ -2268,7 +2268,7 @@ rb_reset_tail(struct ring_buffer_per_cpu *cpu_buffer,
110990
110991 /* Set write to end of buffer */
110992 length = (tail + length) - BUF_PAGE_SIZE;
110993- local_sub(length, &tail_page->write);
110994+ local_sub_unchecked(length, &tail_page->write);
110995 }
110996
110997 /*
110998@@ -2294,7 +2294,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
110999 * about it.
111000 */
111001 if (unlikely(next_page == commit_page)) {
111002- local_inc(&cpu_buffer->commit_overrun);
111003+ local_inc_unchecked(&cpu_buffer->commit_overrun);
111004 goto out_reset;
111005 }
111006
111007@@ -2324,7 +2324,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
111008 * this is easy, just stop here.
111009 */
111010 if (!(buffer->flags & RB_FL_OVERWRITE)) {
111011- local_inc(&cpu_buffer->dropped_events);
111012+ local_inc_unchecked(&cpu_buffer->dropped_events);
111013 goto out_reset;
111014 }
111015
111016@@ -2350,7 +2350,7 @@ rb_move_tail(struct ring_buffer_per_cpu *cpu_buffer,
111017 cpu_buffer->tail_page) &&
111018 (cpu_buffer->commit_page ==
111019 cpu_buffer->reader_page))) {
111020- local_inc(&cpu_buffer->commit_overrun);
111021+ local_inc_unchecked(&cpu_buffer->commit_overrun);
111022 goto out_reset;
111023 }
111024 }
111025@@ -2398,7 +2398,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
111026 length += RB_LEN_TIME_EXTEND;
111027
111028 tail_page = cpu_buffer->tail_page;
111029- write = local_add_return(length, &tail_page->write);
111030+ write = local_add_return_unchecked(length, &tail_page->write);
111031
111032 /* set write to only the index of the write */
111033 write &= RB_WRITE_MASK;
111034@@ -2422,7 +2422,7 @@ __rb_reserve_next(struct ring_buffer_per_cpu *cpu_buffer,
111035 kmemcheck_annotate_bitfield(event, bitfield);
111036 rb_update_event(cpu_buffer, event, length, add_timestamp, delta);
111037
111038- local_inc(&tail_page->entries);
111039+ local_inc_unchecked(&tail_page->entries);
111040
111041 /*
111042 * If this is the first commit on the page, then update
111043@@ -2455,7 +2455,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
111044
111045 if (bpage->page == (void *)addr && rb_page_write(bpage) == old_index) {
111046 unsigned long write_mask =
111047- local_read(&bpage->write) & ~RB_WRITE_MASK;
111048+ local_read_unchecked(&bpage->write) & ~RB_WRITE_MASK;
111049 unsigned long event_length = rb_event_length(event);
111050 /*
111051 * This is on the tail page. It is possible that
111052@@ -2465,7 +2465,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
111053 */
111054 old_index += write_mask;
111055 new_index += write_mask;
111056- index = local_cmpxchg(&bpage->write, old_index, new_index);
111057+ index = local_cmpxchg_unchecked(&bpage->write, old_index, new_index);
111058 if (index == old_index) {
111059 /* update counters */
111060 local_sub(event_length, &cpu_buffer->entries_bytes);
111061@@ -2480,7 +2480,7 @@ rb_try_to_discard(struct ring_buffer_per_cpu *cpu_buffer,
111062 static void rb_start_commit(struct ring_buffer_per_cpu *cpu_buffer)
111063 {
111064 local_inc(&cpu_buffer->committing);
111065- local_inc(&cpu_buffer->commits);
111066+ local_inc_unchecked(&cpu_buffer->commits);
111067 }
111068
111069 static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
111070@@ -2492,7 +2492,7 @@ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
111071 return;
111072
111073 again:
111074- commits = local_read(&cpu_buffer->commits);
111075+ commits = local_read_unchecked(&cpu_buffer->commits);
111076 /* synchronize with interrupts */
111077 barrier();
111078 if (local_read(&cpu_buffer->committing) == 1)
111079@@ -2508,7 +2508,7 @@ static inline void rb_end_commit(struct ring_buffer_per_cpu *cpu_buffer)
111080 * updating of the commit page and the clearing of the
111081 * committing counter.
111082 */
111083- if (unlikely(local_read(&cpu_buffer->commits) != commits) &&
111084+ if (unlikely(local_read_unchecked(&cpu_buffer->commits) != commits) &&
111085 !local_read(&cpu_buffer->committing)) {
111086 local_inc(&cpu_buffer->committing);
111087 goto again;
111088@@ -2538,7 +2538,7 @@ rb_reserve_next_event(struct ring_buffer *buffer,
111089 barrier();
111090 if (unlikely(ACCESS_ONCE(cpu_buffer->buffer) != buffer)) {
111091 local_dec(&cpu_buffer->committing);
111092- local_dec(&cpu_buffer->commits);
111093+ local_dec_unchecked(&cpu_buffer->commits);
111094 return NULL;
111095 }
111096 #endif
111097@@ -2852,7 +2852,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
111098
111099 /* Do the likely case first */
111100 if (likely(bpage->page == (void *)addr)) {
111101- local_dec(&bpage->entries);
111102+ local_dec_unchecked(&bpage->entries);
111103 return;
111104 }
111105
111106@@ -2864,7 +2864,7 @@ rb_decrement_entry(struct ring_buffer_per_cpu *cpu_buffer,
111107 start = bpage;
111108 do {
111109 if (bpage->page == (void *)addr) {
111110- local_dec(&bpage->entries);
111111+ local_dec_unchecked(&bpage->entries);
111112 return;
111113 }
111114 rb_inc_page(cpu_buffer, &bpage);
111115@@ -3152,7 +3152,7 @@ static inline unsigned long
111116 rb_num_of_entries(struct ring_buffer_per_cpu *cpu_buffer)
111117 {
111118 return local_read(&cpu_buffer->entries) -
111119- (local_read(&cpu_buffer->overrun) + cpu_buffer->read);
111120+ (local_read_unchecked(&cpu_buffer->overrun) + cpu_buffer->read);
111121 }
111122
111123 /**
111124@@ -3241,7 +3241,7 @@ unsigned long ring_buffer_overrun_cpu(struct ring_buffer *buffer, int cpu)
111125 return 0;
111126
111127 cpu_buffer = buffer->buffers[cpu];
111128- ret = local_read(&cpu_buffer->overrun);
111129+ ret = local_read_unchecked(&cpu_buffer->overrun);
111130
111131 return ret;
111132 }
111133@@ -3264,7 +3264,7 @@ ring_buffer_commit_overrun_cpu(struct ring_buffer *buffer, int cpu)
111134 return 0;
111135
111136 cpu_buffer = buffer->buffers[cpu];
111137- ret = local_read(&cpu_buffer->commit_overrun);
111138+ ret = local_read_unchecked(&cpu_buffer->commit_overrun);
111139
111140 return ret;
111141 }
111142@@ -3286,7 +3286,7 @@ ring_buffer_dropped_events_cpu(struct ring_buffer *buffer, int cpu)
111143 return 0;
111144
111145 cpu_buffer = buffer->buffers[cpu];
111146- ret = local_read(&cpu_buffer->dropped_events);
111147+ ret = local_read_unchecked(&cpu_buffer->dropped_events);
111148
111149 return ret;
111150 }
111151@@ -3349,7 +3349,7 @@ unsigned long ring_buffer_overruns(struct ring_buffer *buffer)
111152 /* if you care about this being correct, lock the buffer */
111153 for_each_buffer_cpu(buffer, cpu) {
111154 cpu_buffer = buffer->buffers[cpu];
111155- overruns += local_read(&cpu_buffer->overrun);
111156+ overruns += local_read_unchecked(&cpu_buffer->overrun);
111157 }
111158
111159 return overruns;
111160@@ -3520,8 +3520,8 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
111161 /*
111162 * Reset the reader page to size zero.
111163 */
111164- local_set(&cpu_buffer->reader_page->write, 0);
111165- local_set(&cpu_buffer->reader_page->entries, 0);
111166+ local_set_unchecked(&cpu_buffer->reader_page->write, 0);
111167+ local_set_unchecked(&cpu_buffer->reader_page->entries, 0);
111168 local_set(&cpu_buffer->reader_page->page->commit, 0);
111169 cpu_buffer->reader_page->real_end = 0;
111170
111171@@ -3555,7 +3555,7 @@ rb_get_reader_page(struct ring_buffer_per_cpu *cpu_buffer)
111172 * want to compare with the last_overrun.
111173 */
111174 smp_mb();
111175- overwrite = local_read(&(cpu_buffer->overrun));
111176+ overwrite = local_read_unchecked(&(cpu_buffer->overrun));
111177
111178 /*
111179 * Here's the tricky part.
111180@@ -4137,8 +4137,8 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
111181
111182 cpu_buffer->head_page
111183 = list_entry(cpu_buffer->pages, struct buffer_page, list);
111184- local_set(&cpu_buffer->head_page->write, 0);
111185- local_set(&cpu_buffer->head_page->entries, 0);
111186+ local_set_unchecked(&cpu_buffer->head_page->write, 0);
111187+ local_set_unchecked(&cpu_buffer->head_page->entries, 0);
111188 local_set(&cpu_buffer->head_page->page->commit, 0);
111189
111190 cpu_buffer->head_page->read = 0;
111191@@ -4148,18 +4148,18 @@ rb_reset_cpu(struct ring_buffer_per_cpu *cpu_buffer)
111192
111193 INIT_LIST_HEAD(&cpu_buffer->reader_page->list);
111194 INIT_LIST_HEAD(&cpu_buffer->new_pages);
111195- local_set(&cpu_buffer->reader_page->write, 0);
111196- local_set(&cpu_buffer->reader_page->entries, 0);
111197+ local_set_unchecked(&cpu_buffer->reader_page->write, 0);
111198+ local_set_unchecked(&cpu_buffer->reader_page->entries, 0);
111199 local_set(&cpu_buffer->reader_page->page->commit, 0);
111200 cpu_buffer->reader_page->read = 0;
111201
111202 local_set(&cpu_buffer->entries_bytes, 0);
111203- local_set(&cpu_buffer->overrun, 0);
111204- local_set(&cpu_buffer->commit_overrun, 0);
111205- local_set(&cpu_buffer->dropped_events, 0);
111206+ local_set_unchecked(&cpu_buffer->overrun, 0);
111207+ local_set_unchecked(&cpu_buffer->commit_overrun, 0);
111208+ local_set_unchecked(&cpu_buffer->dropped_events, 0);
111209 local_set(&cpu_buffer->entries, 0);
111210 local_set(&cpu_buffer->committing, 0);
111211- local_set(&cpu_buffer->commits, 0);
111212+ local_set_unchecked(&cpu_buffer->commits, 0);
111213 cpu_buffer->read = 0;
111214 cpu_buffer->read_bytes = 0;
111215
111216@@ -4549,8 +4549,8 @@ int ring_buffer_read_page(struct ring_buffer *buffer,
111217 rb_init_page(bpage);
111218 bpage = reader->page;
111219 reader->page = *data_page;
111220- local_set(&reader->write, 0);
111221- local_set(&reader->entries, 0);
111222+ local_set_unchecked(&reader->write, 0);
111223+ local_set_unchecked(&reader->entries, 0);
111224 reader->read = 0;
111225 *data_page = bpage;
111226
111227diff --git a/kernel/trace/trace.c b/kernel/trace/trace.c
111228index abcbf7f..ef8b6fe 100644
111229--- a/kernel/trace/trace.c
111230+++ b/kernel/trace/trace.c
111231@@ -3539,7 +3539,7 @@ int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set)
111232 return 0;
111233 }
111234
111235-int set_tracer_flag(struct trace_array *tr, unsigned int mask, int enabled)
111236+int set_tracer_flag(struct trace_array *tr, unsigned long mask, int enabled)
111237 {
111238 /* do nothing if flag is already set */
111239 if (!!(trace_flags & mask) == !!enabled)
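Review bot: `mask` is widened to `unsigned long` here and in trace.h, but `trace_keep_overwrite()`, declared on the line above it in trace.h, still takes `u32 mask`. If `set_tracer_flag()` forwards `mask` to a callback with that `u32` signature (the call is outside this hunk), any bit above 31 is dropped on 64-bit builds without a diagnostic. Either the two signatures should agree or the reason for the difference should be written down, e.g. `/* mask is unsigned long to match trace_flags; callbacks only ever see the low 32 bits */`. The function body continues outside the hunk.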
111240diff --git a/kernel/trace/trace.h b/kernel/trace/trace.h
111241index 74bde81..f9abfd4 100644
111242--- a/kernel/trace/trace.h
111243+++ b/kernel/trace/trace.h
111244@@ -1272,7 +1272,7 @@ extern const char *__stop___tracepoint_str[];
111245 void trace_printk_init_buffers(void);
111246 void trace_printk_start_comm(void);
111247 int trace_keep_overwrite(struct tracer *tracer, u32 mask, int set);
111248-int set_tracer_flag(struct trace_array *tr, unsigned int mask, int enabled);
111249+int set_tracer_flag(struct trace_array *tr, unsigned long mask, int enabled);
111250
111251 /*
111252 * Normal trace_printk() and friends allocates special buffers
111253diff --git a/kernel/trace/trace_clock.c b/kernel/trace/trace_clock.c
111254index 0f06532..247c8e7 100644
111255--- a/kernel/trace/trace_clock.c
111256+++ b/kernel/trace/trace_clock.c
111257@@ -127,7 +127,7 @@ u64 notrace trace_clock_global(void)
111258 }
111259 EXPORT_SYMBOL_GPL(trace_clock_global);
111260
111261-static atomic64_t trace_counter;
111262+static atomic64_unchecked_t trace_counter;
111263
111264 /*
111265 * trace_clock_counter(): simply an atomic counter.
111266@@ -136,5 +136,5 @@ static atomic64_t trace_counter;
111267 */
111268 u64 notrace trace_clock_counter(void)
111269 {
111270- return atomic64_add_return(1, &trace_counter);
111271+ return atomic64_inc_return_unchecked(&trace_counter);
111272 }
111273diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
111274index 404a372..d9e5547 100644
111275--- a/kernel/trace/trace_events.c
111276+++ b/kernel/trace/trace_events.c
111277@@ -1887,7 +1887,6 @@ __trace_early_add_new_event(struct trace_event_call *call,
111278 return 0;
111279 }
111280
111281-struct ftrace_module_file_ops;
111282 static void __add_event_to_tracers(struct trace_event_call *call);
111283
111284 /* Add an additional event_call dynamically */
111285diff --git a/kernel/trace/trace_functions_graph.c b/kernel/trace/trace_functions_graph.c
111286index 8968bf7..e6623fc 100644
111287--- a/kernel/trace/trace_functions_graph.c
111288+++ b/kernel/trace/trace_functions_graph.c
111289@@ -132,7 +132,7 @@ ftrace_push_return_trace(unsigned long ret, unsigned long func, int *depth,
111290
111291 /* The return trace stack is full */
111292 if (current->curr_ret_stack == FTRACE_RETFUNC_DEPTH - 1) {
111293- atomic_inc(&current->trace_overrun);
111294+ atomic_inc_unchecked(&current->trace_overrun);
111295 return -EBUSY;
111296 }
111297
111298@@ -229,7 +229,7 @@ ftrace_pop_return_trace(struct ftrace_graph_ret *trace, unsigned long *ret,
111299 *ret = current->ret_stack[index].ret;
111300 trace->func = current->ret_stack[index].func;
111301 trace->calltime = current->ret_stack[index].calltime;
111302- trace->overrun = atomic_read(&current->trace_overrun);
111303+ trace->overrun = atomic_read_unchecked(&current->trace_overrun);
111304 trace->depth = index;
111305 }
111306
111307diff --git a/kernel/trace/trace_mmiotrace.c b/kernel/trace/trace_mmiotrace.c
111308index 638e110..99b73b2 100644
111309--- a/kernel/trace/trace_mmiotrace.c
111310+++ b/kernel/trace/trace_mmiotrace.c
111311@@ -24,7 +24,7 @@ struct header_iter {
111312 static struct trace_array *mmio_trace_array;
111313 static bool overrun_detected;
111314 static unsigned long prev_overruns;
111315-static atomic_t dropped_count;
111316+static atomic_unchecked_t dropped_count;
111317
111318 static void mmio_reset_data(struct trace_array *tr)
111319 {
111320@@ -124,7 +124,7 @@ static void mmio_close(struct trace_iterator *iter)
111321
111322 static unsigned long count_overruns(struct trace_iterator *iter)
111323 {
111324- unsigned long cnt = atomic_xchg(&dropped_count, 0);
111325+ unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
111326 unsigned long over = ring_buffer_overruns(iter->trace_buffer->buffer);
111327
111328 if (over > prev_overruns)
111329@@ -307,7 +307,7 @@ static void __trace_mmiotrace_rw(struct trace_array *tr,
111330 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
111331 sizeof(*entry), 0, pc);
111332 if (!event) {
111333- atomic_inc(&dropped_count);
111334+ atomic_inc_unchecked(&dropped_count);
111335 return;
111336 }
111337 entry = ring_buffer_event_data(event);
111338@@ -337,7 +337,7 @@ static void __trace_mmiotrace_map(struct trace_array *tr,
111339 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
111340 sizeof(*entry), 0, pc);
111341 if (!event) {
111342- atomic_inc(&dropped_count);
111343+ atomic_inc_unchecked(&dropped_count);
111344 return;
111345 }
111346 entry = ring_buffer_event_data(event);
111347diff --git a/kernel/trace/trace_output.c b/kernel/trace/trace_output.c
111348index dfab253..8e9b477 100644
111349--- a/kernel/trace/trace_output.c
111350+++ b/kernel/trace/trace_output.c
111351@@ -752,14 +752,16 @@ int register_trace_event(struct trace_event *event)
111352 goto out;
111353 }
111354
111355+ pax_open_kernel();
111356 if (event->funcs->trace == NULL)
111357- event->funcs->trace = trace_nop_print;
111358+ *(void **)&event->funcs->trace = trace_nop_print;
111359 if (event->funcs->raw == NULL)
111360- event->funcs->raw = trace_nop_print;
111361+ *(void **)&event->funcs->raw = trace_nop_print;
111362 if (event->funcs->hex == NULL)
111363- event->funcs->hex = trace_nop_print;
111364+ *(void **)&event->funcs->hex = trace_nop_print;
111365 if (event->funcs->binary == NULL)
111366- event->funcs->binary = trace_nop_print;
111367+ *(void **)&event->funcs->binary = trace_nop_print;
111368+ pax_close_kernel();
111369
111370 key = event->type & (EVENT_HASHSIZE - 1);
111371
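Review bot: The four stores through `*(void **)&event->funcs->...` throw away the function-pointer type, so a later signature change to trace_nop_print or to these members would compile without a diagnostic. Nothing in the hunk says why the cast is needed; presumably the ops structure is constified and may only be written inside the pax_open_kernel()/pax_close_kernel() window. I would add `/* funcs is read-only outside this window; fill in missing handlers here */` above `pax_open_kernel();`. The window is also opened when none of the four members is NULL, which a prior test could avoid. register_trace_event() starts and ends outside the hunk.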
111372diff --git a/kernel/trace/trace_seq.c b/kernel/trace/trace_seq.c
111373index e694c9f..6775a38 100644
111374--- a/kernel/trace/trace_seq.c
111375+++ b/kernel/trace/trace_seq.c
111376@@ -337,7 +337,7 @@ int trace_seq_path(struct trace_seq *s, const struct path *path)
111377 return 0;
111378 }
111379
111380- seq_buf_path(&s->seq, path, "\n");
111381+ seq_buf_path(&s->seq, path, "\n\\");
111382
111383 if (unlikely(seq_buf_has_overflowed(&s->seq))) {
111384 s->seq.len = save_len;
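Review bot: The escape set passed to seq_buf_path() grows from `"\n"` to `"\n\\"` with no comment saying why a backslash in a path must now be escaped as well. Presumably the aim is that an escape sequence in trace output can never be confused with literal path bytes. A one-line comment such as `/* also escape '\\' so escaped output stays unambiguous */` above the call would record that. trace_seq_path() starts and ends outside the hunk.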
111385diff --git a/kernel/trace/trace_stack.c b/kernel/trace/trace_stack.c
111386index 3f34496..0492d95 100644
111387--- a/kernel/trace/trace_stack.c
111388+++ b/kernel/trace/trace_stack.c
111389@@ -88,7 +88,7 @@ check_stack(unsigned long ip, unsigned long *stack)
111390 return;
111391
111392 /* we do not handle interrupt stacks yet */
111393- if (!object_is_on_stack(stack))
111394+ if (!object_starts_on_stack(stack))
111395 return;
111396
111397 local_irq_save(flags);
111398diff --git a/kernel/trace/trace_syscalls.c b/kernel/trace/trace_syscalls.c
111399index 7d567a4..407a28d 100644
111400--- a/kernel/trace/trace_syscalls.c
111401+++ b/kernel/trace/trace_syscalls.c
111402@@ -590,6 +590,8 @@ static int perf_sysenter_enable(struct trace_event_call *call)
111403 int num;
111404
111405 num = ((struct syscall_metadata *)call->data)->syscall_nr;
111406+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
111407+ return -EINVAL;
111408
111409 mutex_lock(&syscall_trace_lock);
111410 if (!sys_perf_refcount_enter)
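Review bot: The same guard, `WARN_ON_ONCE(num < 0 || num >= NR_syscalls)`, is pasted into perf_sysenter_enable() here and into perf_sysenter_disable(), perf_sysexit_enable() and perf_sysexit_disable() in the next three hunks; one small static helper would keep the four copies from drifting apart. None of the copies says what the range protects, presumably the per-syscall state indexed by num further down, outside the hunks. In the two disable paths the early `return;` skips the refcount decrement, which is only right if the matching enable call was rejected by the same check; a comment should say so. Each function body continues outside its hunk.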
111411@@ -610,6 +612,8 @@ static void perf_sysenter_disable(struct trace_event_call *call)
111412 int num;
111413
111414 num = ((struct syscall_metadata *)call->data)->syscall_nr;
111415+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
111416+ return;
111417
111418 mutex_lock(&syscall_trace_lock);
111419 sys_perf_refcount_enter--;
111420@@ -662,6 +666,8 @@ static int perf_sysexit_enable(struct trace_event_call *call)
111421 int num;
111422
111423 num = ((struct syscall_metadata *)call->data)->syscall_nr;
111424+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
111425+ return -EINVAL;
111426
111427 mutex_lock(&syscall_trace_lock);
111428 if (!sys_perf_refcount_exit)
111429@@ -682,6 +688,8 @@ static void perf_sysexit_disable(struct trace_event_call *call)
111430 int num;
111431
111432 num = ((struct syscall_metadata *)call->data)->syscall_nr;
111433+ if (WARN_ON_ONCE(num < 0 || num >= NR_syscalls))
111434+ return;
111435
111436 mutex_lock(&syscall_trace_lock);
111437 sys_perf_refcount_exit--;
111438diff --git a/kernel/user_namespace.c b/kernel/user_namespace.c
111439index 4109f83..fe1f830 100644
111440--- a/kernel/user_namespace.c
111441+++ b/kernel/user_namespace.c
111442@@ -83,6 +83,21 @@ int create_user_ns(struct cred *new)
111443 !kgid_has_mapping(parent_ns, group))
111444 return -EPERM;
111445
111446+#ifdef CONFIG_GRKERNSEC
111447+ /*
111448+ * This doesn't really inspire confidence:
111449+ * http://marc.info/?l=linux-kernel&m=135543612731939&w=2
111450+ * http://marc.info/?l=linux-kernel&m=135545831607095&w=2
111451+ * Increases kernel attack surface in areas developers
111452+ * previously cared little about ("low importance due
111453+ * to requiring "root" capability")
111454+ * To be removed when this code receives *proper* review
111455+ */
111456+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_SETUID) ||
111457+ !capable(CAP_SETGID))
111458+ return -EPERM;
111459+#endif
111460+
111461 ns = kmem_cache_zalloc(user_ns_cachep, GFP_KERNEL);
111462 if (!ns)
111463 return -ENOMEM;
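Review bot: The added comment explains the distrust but not the effect of the guard: with CONFIG_GRKERNSEC set, create_user_ns() returns -EPERM unless capable() grants CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID, which takes user-namespace creation away from unprivileged callers. I would state that first, for example `/* only callers with CAP_SYS_ADMIN, CAP_SETUID and CAP_SETGID may create a user namespace */`, and summarise the two linked threads in a phrase, since a bare archive URL tells a later reader nothing once it stops resolving. "To be removed when this code receives *proper* review" names no condition that can be checked, so the restriction should be documented as the intended policy. create_user_ns() starts above the hunk and continues below it.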
111464@@ -980,7 +995,7 @@ static int userns_install(struct nsproxy *nsproxy, struct ns_common *ns)
111465 if (atomic_read(&current->mm->mm_users) > 1)
111466 return -EINVAL;
111467
111468- if (current->fs->users != 1)
111469+ if (atomic_read(&current->fs->users) != 1)
111470 return -EINVAL;
111471
111472 if (!ns_capable(user_ns, CAP_SYS_ADMIN))
111473diff --git a/kernel/utsname_sysctl.c b/kernel/utsname_sysctl.c
111474index c8eac43..4b5f08f 100644
111475--- a/kernel/utsname_sysctl.c
111476+++ b/kernel/utsname_sysctl.c
111477@@ -47,7 +47,7 @@ static void put_uts(struct ctl_table *table, int write, void *which)
111478 static int proc_do_uts_string(struct ctl_table *table, int write,
111479 void __user *buffer, size_t *lenp, loff_t *ppos)
111480 {
111481- struct ctl_table uts_table;
111482+ ctl_table_no_const uts_table;
111483 int r;
111484 memcpy(&uts_table, table, sizeof(uts_table));
111485 uts_table.data = get_uts(table, write);
111486diff --git a/kernel/watchdog.c b/kernel/watchdog.c
111487index a6ffa43..e48103b 100644
111488--- a/kernel/watchdog.c
111489+++ b/kernel/watchdog.c
111490@@ -655,7 +655,7 @@ void watchdog_nmi_enable_all(void) {}
111491 void watchdog_nmi_disable_all(void) {}
111492 #endif /* CONFIG_HARDLOCKUP_DETECTOR */
111493
111494-static struct smp_hotplug_thread watchdog_threads = {
111495+static struct smp_hotplug_thread watchdog_threads __read_only = {
111496 .store = &softlockup_watchdog,
111497 .thread_should_run = watchdog_should_run,
111498 .thread_fn = watchdog,
111499diff --git a/kernel/workqueue.c b/kernel/workqueue.c
111500index 1de0f5fab..dbf1ec6 100644
111501--- a/kernel/workqueue.c
111502+++ b/kernel/workqueue.c
111503@@ -4452,7 +4452,7 @@ static void rebind_workers(struct worker_pool *pool)
111504 WARN_ON_ONCE(!(worker_flags & WORKER_UNBOUND));
111505 worker_flags |= WORKER_REBOUND;
111506 worker_flags &= ~WORKER_UNBOUND;
111507- ACCESS_ONCE(worker->flags) = worker_flags;
111508+ ACCESS_ONCE_RW(worker->flags) = worker_flags;
111509 }
111510
111511 spin_unlock_irq(&pool->lock);
111512diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug
111513index e2894b2..23751b3 100644
111514--- a/lib/Kconfig.debug
111515+++ b/lib/Kconfig.debug
111516@@ -242,6 +242,7 @@ config PAGE_OWNER
111517 bool "Track page owner"
111518 depends on DEBUG_KERNEL && STACKTRACE_SUPPORT
111519 select DEBUG_FS
111520+ depends on !GRKERNSEC_KMEM
111521 select STACKTRACE
111522 select PAGE_EXTENSION
111523 help
111524@@ -256,6 +257,7 @@ config PAGE_OWNER
111525
111526 config DEBUG_FS
111527 bool "Debug Filesystem"
111528+ depends on !GRKERNSEC_KMEM
111529 help
111530 debugfs is a virtual file system that kernel developers use to put
111531 debugging files into. Enable this option to be able to read and
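Review bot: `depends on !GRKERNSEC_KMEM` on DEBUG_FS is not enough by itself, because Kconfig `select` forces a symbol on without evaluating its dependencies. The patch accounts for that in this file by adding the same line to PAGE_OWNER, DEBUG_KMEMLEAK, NOTIFIER_ERROR_INJECTION and FAIL_MMC_REQUEST, each of which has `select DEBUG_FS`. Options in other Kconfig files that select DEBUG_FS are not visible here and would need the same dependency, or debugfs can still be built into a GRKERNSEC_KMEM kernel. A short comment above the new line stating that every selector must repeat it would make the requirement visible to whoever adds the next one.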
111532@@ -488,6 +490,7 @@ config DEBUG_KMEMLEAK
111533 bool "Kernel memory leak detector"
111534 depends on DEBUG_KERNEL && HAVE_DEBUG_KMEMLEAK
111535 select DEBUG_FS
111536+ depends on !GRKERNSEC_KMEM
111537 select STACKTRACE if STACKTRACE_SUPPORT
111538 select KALLSYMS
111539 select CRC32
111540@@ -941,7 +944,7 @@ config DEBUG_MUTEXES
111541
111542 config DEBUG_WW_MUTEX_SLOWPATH
111543 bool "Wait/wound mutex debugging: Slowpath testing"
111544- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
111545+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
111546 select DEBUG_LOCK_ALLOC
111547 select DEBUG_SPINLOCK
111548 select DEBUG_MUTEXES
111549@@ -958,7 +961,7 @@ config DEBUG_WW_MUTEX_SLOWPATH
111550
111551 config DEBUG_LOCK_ALLOC
111552 bool "Lock debugging: detect incorrect freeing of live locks"
111553- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
111554+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
111555 select DEBUG_SPINLOCK
111556 select DEBUG_MUTEXES
111557 select LOCKDEP
111558@@ -972,7 +975,7 @@ config DEBUG_LOCK_ALLOC
111559
111560 config PROVE_LOCKING
111561 bool "Lock debugging: prove locking correctness"
111562- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
111563+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
111564 select LOCKDEP
111565 select DEBUG_SPINLOCK
111566 select DEBUG_MUTEXES
111567@@ -1023,7 +1026,7 @@ config LOCKDEP
111568
111569 config LOCK_STAT
111570 bool "Lock usage statistics"
111571- depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT
111572+ depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT && !PAX_CONSTIFY_PLUGIN
111573 select LOCKDEP
111574 select DEBUG_SPINLOCK
111575 select DEBUG_MUTEXES
111576@@ -1422,6 +1425,7 @@ config NOTIFIER_ERROR_INJECTION
111577 tristate "Notifier error injection"
111578 depends on DEBUG_KERNEL
111579 select DEBUG_FS
111580+ depends on !GRKERNSEC_KMEM
111581 help
111582 This option provides the ability to inject artificial errors to
111583 specified notifier chain callbacks. It is useful to test the error
111584@@ -1534,6 +1538,7 @@ config FAIL_IO_TIMEOUT
111585 config FAIL_MMC_REQUEST
111586 bool "Fault-injection capability for MMC IO"
111587 select DEBUG_FS
111588+ depends on !GRKERNSEC_KMEM
111589 depends on FAULT_INJECTION && MMC
111590 help
111591 Provide fault-injection capability for MMC IO.
111592@@ -1563,6 +1568,7 @@ config LATENCYTOP
111593 depends on DEBUG_KERNEL
111594 depends on STACKTRACE_SUPPORT
111595 depends on PROC_FS
111596+ depends on !GRKERNSEC_HIDESYM
111597 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE && !ARM_UNWIND && !ARC
111598 select KALLSYMS
111599 select KALLSYMS_ALL
111600@@ -1579,7 +1585,7 @@ config ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS
111601 config DEBUG_STRICT_USER_COPY_CHECKS
111602 bool "Strict user copy size checks"
111603 depends on ARCH_HAS_DEBUG_STRICT_USER_COPY_CHECKS
111604- depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING
111605+ depends on DEBUG_KERNEL && !TRACE_BRANCH_PROFILING && !PAX_SIZE_OVERFLOW
111606 help
111607 Enabling this option turns a certain set of sanity checks for user
111608 copy operations into compile time failures.
111609@@ -1710,7 +1716,7 @@ endmenu # runtime tests
111610
111611 config PROVIDE_OHCI1394_DMA_INIT
111612 bool "Remote debugging over FireWire early on boot"
111613- depends on PCI && X86
111614+ depends on PCI && X86 && !GRKERNSEC
111615 help
111616 If you want to debug problems which hang or crash the kernel early
111617 on boot and the crashing machine has a FireWire port, you can use
111618diff --git a/lib/Makefile b/lib/Makefile
111619index 6897b52..466bda9 100644
111620--- a/lib/Makefile
111621+++ b/lib/Makefile
111622@@ -62,7 +62,7 @@ obj-$(CONFIG_BTREE) += btree.o
111623 obj-$(CONFIG_INTERVAL_TREE) += interval_tree.o
111624 obj-$(CONFIG_ASSOCIATIVE_ARRAY) += assoc_array.o
111625 obj-$(CONFIG_DEBUG_PREEMPT) += smp_processor_id.o
111626-obj-$(CONFIG_DEBUG_LIST) += list_debug.o
111627+obj-y += list_debug.o
111628 obj-$(CONFIG_DEBUG_OBJECTS) += debugobjects.o
111629
111630 ifneq ($(CONFIG_HAVE_DEC_LOCK),y)
111631diff --git a/lib/average.c b/lib/average.c
111632index 114d1be..ab0350c 100644
111633--- a/lib/average.c
111634+++ b/lib/average.c
111635@@ -55,7 +55,7 @@ struct ewma *ewma_add(struct ewma *avg, unsigned long val)
111636 {
111637 unsigned long internal = ACCESS_ONCE(avg->internal);
111638
111639- ACCESS_ONCE(avg->internal) = internal ?
111640+ ACCESS_ONCE_RW(avg->internal) = internal ?
111641 (((internal << avg->weight) - internal) +
111642 (val << avg->factor)) >> avg->weight :
111643 (val << avg->factor);
111644diff --git a/lib/bitmap.c b/lib/bitmap.c
111645index a578a01..2198e50 100644
111646--- a/lib/bitmap.c
111647+++ b/lib/bitmap.c
111648@@ -361,7 +361,7 @@ int __bitmap_parse(const char *buf, unsigned int buflen,
111649 {
111650 int c, old_c, totaldigits, ndigits, nchunks, nbits;
111651 u32 chunk;
111652- const char __user __force *ubuf = (const char __user __force *)buf;
111653+ const char __user *ubuf = (const char __force_user *)buf;
111654
111655 bitmap_zero(maskp, nmaskbits);
111656
111657@@ -446,7 +446,7 @@ int bitmap_parse_user(const char __user *ubuf,
111658 {
111659 if (!access_ok(VERIFY_READ, ubuf, ulen))
111660 return -EFAULT;
111661- return __bitmap_parse((const char __force *)ubuf,
111662+ return __bitmap_parse((const char __force_kernel *)ubuf,
111663 ulen, 1, maskp, nmaskbits);
111664
111665 }
111666@@ -506,7 +506,7 @@ static int __bitmap_parselist(const char *buf, unsigned int buflen,
111667 {
111668 unsigned a, b;
111669 int c, old_c, totaldigits;
111670- const char __user __force *ubuf = (const char __user __force *)buf;
111671+ const char __user *ubuf = (const char __force_user *)buf;
111672 int at_start, in_range;
111673
111674 totaldigits = c = 0;
111675@@ -602,7 +602,7 @@ int bitmap_parselist_user(const char __user *ubuf,
111676 {
111677 if (!access_ok(VERIFY_READ, ubuf, ulen))
111678 return -EFAULT;
111679- return __bitmap_parselist((const char __force *)ubuf,
111680+ return __bitmap_parselist((const char __force_kernel *)ubuf,
111681 ulen, 1, maskp, nmaskbits);
111682 }
111683 EXPORT_SYMBOL(bitmap_parselist_user);
111684diff --git a/lib/bug.c b/lib/bug.c
111685index cff145f..724a0b8 100644
111686--- a/lib/bug.c
111687+++ b/lib/bug.c
111688@@ -148,6 +148,8 @@ enum bug_trap_type report_bug(unsigned long bugaddr, struct pt_regs *regs)
111689 return BUG_TRAP_TYPE_NONE;
111690
111691 bug = find_bug(bugaddr);
111692+ if (!bug)
111693+ return BUG_TRAP_TYPE_NONE;
111694
111695 file = NULL;
111696 line = 0;
111697diff --git a/lib/debugobjects.c b/lib/debugobjects.c
111698index 547f7f9..a6d4ba0 100644
111699--- a/lib/debugobjects.c
111700+++ b/lib/debugobjects.c
111701@@ -289,7 +289,7 @@ static void debug_object_is_on_stack(void *addr, int onstack)
111702 if (limit > 4)
111703 return;
111704
111705- is_on_stack = object_is_on_stack(addr);
111706+ is_on_stack = object_starts_on_stack(addr);
111707 if (is_on_stack == onstack)
111708 return;
111709
111710diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
111711index 0234361..41a411c 100644
111712--- a/lib/decompress_bunzip2.c
111713+++ b/lib/decompress_bunzip2.c
111714@@ -665,7 +665,8 @@ static int INIT start_bunzip(struct bunzip_data **bdp, void *inbuf, long len,
111715
111716 /* Fourth byte (ascii '1'-'9'), indicates block size in units of 100k of
111717 uncompressed data. Allocate intermediate buffer for block. */
111718- bd->dbufSize = 100000*(i-BZh0);
111719+ i -= BZh0;
111720+ bd->dbufSize = 100000 * i;
111721
111722 bd->dbuf = large_malloc(bd->dbufSize * sizeof(int));
111723 if (!bd->dbuf)
111724diff --git a/lib/decompress_unlzma.c b/lib/decompress_unlzma.c
111725index decb646..8d6441a 100644
111726--- a/lib/decompress_unlzma.c
111727+++ b/lib/decompress_unlzma.c
111728@@ -39,10 +39,10 @@
111729
111730 #define MIN(a, b) (((a) < (b)) ? (a) : (b))
111731
111732-static long long INIT read_int(unsigned char *ptr, int size)
111733+static unsigned long long INIT read_int(unsigned char *ptr, int size)
111734 {
111735 int i;
111736- long long ret = 0;
111737+ unsigned long long ret = 0;
111738
111739 for (i = 0; i < size; i++)
111740 ret = (ret << 8) | ptr[size-i-1];
111741diff --git a/lib/div64.c b/lib/div64.c
111742index 19ea7ed..20cac21 100644
111743--- a/lib/div64.c
111744+++ b/lib/div64.c
111745@@ -59,7 +59,7 @@ uint32_t __attribute__((weak)) __div64_32(uint64_t *n, uint32_t base)
111746 EXPORT_SYMBOL(__div64_32);
111747
111748 #ifndef div_s64_rem
111749-s64 div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
111750+s64 __intentional_overflow(-1) div_s64_rem(s64 dividend, s32 divisor, s32 *remainder)
111751 {
111752 u64 quotient;
111753
111754@@ -130,7 +130,7 @@ EXPORT_SYMBOL(div64_u64_rem);
111755 * 'http://www.hackersdelight.org/hdcodetxt/divDouble.c.txt'
111756 */
111757 #ifndef div64_u64
111758-u64 div64_u64(u64 dividend, u64 divisor)
111759+u64 __intentional_overflow(-1) div64_u64(u64 dividend, u64 divisor)
111760 {
111761 u32 high = divisor >> 32;
111762 u64 quot;
111763diff --git a/lib/dma-debug.c b/lib/dma-debug.c
111764index dace71f..13da37b 100644
111765--- a/lib/dma-debug.c
111766+++ b/lib/dma-debug.c
111767@@ -982,7 +982,7 @@ static int dma_debug_device_change(struct notifier_block *nb, unsigned long acti
111768
111769 void dma_debug_add_bus(struct bus_type *bus)
111770 {
111771- struct notifier_block *nb;
111772+ notifier_block_no_const *nb;
111773
111774 if (dma_debug_disabled())
111775 return;
111776@@ -1164,7 +1164,7 @@ static void check_unmap(struct dma_debug_entry *ref)
111777
111778 static void check_for_stack(struct device *dev, void *addr)
111779 {
111780- if (object_is_on_stack(addr))
111781+ if (object_starts_on_stack(addr))
111782 err_printk(dev, NULL, "DMA-API: device driver maps memory from "
111783 "stack [addr=%p]\n", addr);
111784 }
111785diff --git a/lib/inflate.c b/lib/inflate.c
111786index 013a761..c28f3fc 100644
111787--- a/lib/inflate.c
111788+++ b/lib/inflate.c
111789@@ -269,7 +269,7 @@ static void free(void *where)
111790 malloc_ptr = free_mem_ptr;
111791 }
111792 #else
111793-#define malloc(a) kmalloc(a, GFP_KERNEL)
111794+#define malloc(a) kmalloc((a), GFP_KERNEL)
111795 #define free(a) kfree(a)
111796 #endif
111797
111798diff --git a/lib/ioremap.c b/lib/ioremap.c
111799index 86c8911..f5bfc34 100644
111800--- a/lib/ioremap.c
111801+++ b/lib/ioremap.c
111802@@ -75,7 +75,7 @@ static inline int ioremap_pmd_range(pud_t *pud, unsigned long addr,
111803 unsigned long next;
111804
111805 phys_addr -= addr;
111806- pmd = pmd_alloc(&init_mm, pud, addr);
111807+ pmd = pmd_alloc_kernel(&init_mm, pud, addr);
111808 if (!pmd)
111809 return -ENOMEM;
111810 do {
111811@@ -101,7 +101,7 @@ static inline int ioremap_pud_range(pgd_t *pgd, unsigned long addr,
111812 unsigned long next;
111813
111814 phys_addr -= addr;
111815- pud = pud_alloc(&init_mm, pgd, addr);
111816+ pud = pud_alloc_kernel(&init_mm, pgd, addr);
111817 if (!pud)
111818 return -ENOMEM;
111819 do {
111820diff --git a/lib/is_single_threaded.c b/lib/is_single_threaded.c
111821index bd2bea9..6b3c95e 100644
111822--- a/lib/is_single_threaded.c
111823+++ b/lib/is_single_threaded.c
111824@@ -22,6 +22,9 @@ bool current_is_single_threaded(void)
111825 struct task_struct *p, *t;
111826 bool ret;
111827
111828+ if (!mm)
111829+ return true;
111830+
111831 if (atomic_read(&task->signal->live) != 1)
111832 return false;
111833
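Review bot: The new `if (!mm) return true;` runs before the `task->signal->live` test, so a task without an mm is reported single-threaded without its thread group being consulted. If an mm-less caller can still have live sibling threads, that answer is wrong for it, and placing the check after the `signal->live` test would keep the stricter result. Either way the reason belongs in a comment, e.g. `/* no mm: the mm comparison below has nothing to match against */`. mm is declared above the hunk and the function continues below it.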
111834diff --git a/lib/kobject.c b/lib/kobject.c
111835index 3e3a5c3..4a12109 100644
111836--- a/lib/kobject.c
111837+++ b/lib/kobject.c
111838@@ -935,9 +935,9 @@ EXPORT_SYMBOL_GPL(kset_create_and_add);
111839
111840
111841 static DEFINE_SPINLOCK(kobj_ns_type_lock);
111842-static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES];
111843+static const struct kobj_ns_type_operations *kobj_ns_ops_tbl[KOBJ_NS_TYPES] __read_only;
111844
111845-int kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
111846+int __init kobj_ns_type_register(const struct kobj_ns_type_operations *ops)
111847 {
111848 enum kobj_ns_type type = ops->type;
111849 int error;
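Review bot: Marking kobj_ns_type_register() `__init` and kobj_ns_ops_tbl `__read_only` turns registration into a boot-time-only operation, and nothing at either declaration says so. A caller that runs after init memory has been released, for instance from a loadable module, would jump into discarded text, and the store into the table (in the body, outside the hunk) presumably cannot succeed once read-only data is sealed. I would add `/* boot-time registration only: the table is read-only after init */` above the table and check that the prototype in the header carries the same annotation.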
111850diff --git a/lib/list_debug.c b/lib/list_debug.c
111851index c24c2f7..f0296f4 100644
111852--- a/lib/list_debug.c
111853+++ b/lib/list_debug.c
111854@@ -11,7 +11,9 @@
111855 #include <linux/bug.h>
111856 #include <linux/kernel.h>
111857 #include <linux/rculist.h>
111858+#include <linux/mm.h>
111859
111860+#ifdef CONFIG_DEBUG_LIST
111861 /*
111862 * Insert a new entry between two known consecutive entries.
111863 *
111864@@ -19,21 +21,40 @@
111865 * the prev/next entries already!
111866 */
111867
111868+static bool __list_add_debug(struct list_head *new,
111869+ struct list_head *prev,
111870+ struct list_head *next)
111871+{
111872+ if (unlikely(next->prev != prev)) {
111873+ printk(KERN_ERR "list_add corruption. next->prev should be "
111874+ "prev (%p), but was %p. (next=%p).\n",
111875+ prev, next->prev, next);
111876+ BUG();
111877+ return false;
111878+ }
111879+ if (unlikely(prev->next != next)) {
111880+ printk(KERN_ERR "list_add corruption. prev->next should be "
111881+ "next (%p), but was %p. (prev=%p).\n",
111882+ next, prev->next, prev);
111883+ BUG();
111884+ return false;
111885+ }
111886+ if (unlikely(new == prev || new == next)) {
111887+ printk(KERN_ERR "list_add double add: new=%p, prev=%p, next=%p.\n",
111888+ new, prev, next);
111889+ BUG();
111890+ return false;
111891+ }
111892+ return true;
111893+}
111894+
111895 void __list_add(struct list_head *new,
111896- struct list_head *prev,
111897- struct list_head *next)
111898+ struct list_head *prev,
111899+ struct list_head *next)
111900 {
111901- WARN(next->prev != prev,
111902- "list_add corruption. next->prev should be "
111903- "prev (%p), but was %p. (next=%p).\n",
111904- prev, next->prev, next);
111905- WARN(prev->next != next,
111906- "list_add corruption. prev->next should be "
111907- "next (%p), but was %p. (prev=%p).\n",
111908- next, prev->next, prev);
111909- WARN(new == prev || new == next,
111910- "list_add double add: new=%p, prev=%p, next=%p.\n",
111911- new, prev, next);
111912+ if (!__list_add_debug(new, prev, next))
111913+ return;
111914+
111915 next->prev = new;
111916 new->next = next;
111917 new->prev = prev;
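Review bot: Every failed check in __list_add_debug() now calls BUG() where the removed code used WARN(), so detected list corruption stops the kernel instead of logging and carrying on, and no comment records that change of policy. Where BUG() does not return, each `return false;` after it is unreachable, and so is the `if (!__list_add_debug(new, prev, next)) return;` path in __list_add(). I would put `/* corruption is fatal: never link through a list that failed these checks */` above the helper and say whether the bool return is kept for configurations in which BUG() is compiled out. __list_del_entry_debug() in the next hunk follows the same pattern. __list_add() ends outside the hunk.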
111918@@ -41,28 +62,46 @@ void __list_add(struct list_head *new,
111919 }
111920 EXPORT_SYMBOL(__list_add);
111921
111922-void __list_del_entry(struct list_head *entry)
111923+static bool __list_del_entry_debug(struct list_head *entry)
111924 {
111925 struct list_head *prev, *next;
111926
111927 prev = entry->prev;
111928 next = entry->next;
111929
111930- if (WARN(next == LIST_POISON1,
111931- "list_del corruption, %p->next is LIST_POISON1 (%p)\n",
111932- entry, LIST_POISON1) ||
111933- WARN(prev == LIST_POISON2,
111934- "list_del corruption, %p->prev is LIST_POISON2 (%p)\n",
111935- entry, LIST_POISON2) ||
111936- WARN(prev->next != entry,
111937- "list_del corruption. prev->next should be %p, "
111938- "but was %p\n", entry, prev->next) ||
111939- WARN(next->prev != entry,
111940- "list_del corruption. next->prev should be %p, "
111941- "but was %p\n", entry, next->prev))
111942+ if (unlikely(next == LIST_POISON1)) {
111943+ printk(KERN_ERR "list_del corruption, %p->next is LIST_POISON1 (%p)\n",
111944+ entry, LIST_POISON1);
111945+ BUG();
111946+ return false;
111947+ }
111948+ if (unlikely(prev == LIST_POISON2)) {
111949+ printk(KERN_ERR "list_del corruption, %p->prev is LIST_POISON2 (%p)\n",
111950+ entry, LIST_POISON2);
111951+ BUG();
111952+ return false;
111953+ }
111954+ if (unlikely(entry->prev->next != entry)) {
111955+ printk(KERN_ERR "list_del corruption. prev->next should be %p, "
111956+ "but was %p\n", entry, prev->next);
111957+ BUG();
111958+ return false;
111959+ }
111960+ if (unlikely(entry->next->prev != entry)) {
111961+ printk(KERN_ERR "list_del corruption. next->prev should be %p, "
111962+ "but was %p\n", entry, next->prev);
111963+ BUG();
111964+ return false;
111965+ }
111966+ return true;
111967+}
111968+
111969+void __list_del_entry(struct list_head *entry)
111970+{
111971+ if (!__list_del_entry_debug(entry))
111972 return;
111973
111974- __list_del(prev, next);
111975+ __list_del(entry->prev, entry->next);
111976 }
111977 EXPORT_SYMBOL(__list_del_entry);
111978
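Review bot: __list_del_entry_debug() loads `prev` and `next` once for the poison tests but re-reads `entry->prev->next` and `entry->next->prev` for the two link tests, while the messages print `prev->next` and `next->prev`, so the value tested and the value reported come from different loads. __list_del_entry() then reads `entry->prev` and `entry->next` again for `__list_del()`. Using the locals in the conditions, `if (unlikely(prev->next != entry))` and `if (unlikely(next->prev != entry))`, keeps the check and the report on the same loads, as the removed WARN() chain did.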
111979@@ -86,15 +125,85 @@ EXPORT_SYMBOL(list_del);
111980 void __list_add_rcu(struct list_head *new,
111981 struct list_head *prev, struct list_head *next)
111982 {
111983- WARN(next->prev != prev,
111984- "list_add_rcu corruption. next->prev should be prev (%p), but was %p. (next=%p).\n",
111985- prev, next->prev, next);
111986- WARN(prev->next != next,
111987- "list_add_rcu corruption. prev->next should be next (%p), but was %p. (prev=%p).\n",
111988- next, prev->next, prev);
111989+ if (!__list_add_debug(new, prev, next))
111990+ return;
111991+
111992 new->next = next;
111993 new->prev = prev;
111994 rcu_assign_pointer(list_next_rcu(prev), new);
111995 next->prev = new;
111996 }
111997 EXPORT_SYMBOL(__list_add_rcu);
111998+#endif
111999+
112000+void __pax_list_add(struct list_head *new, struct list_head *prev, struct list_head *next)
112001+{
112002+#ifdef CONFIG_DEBUG_LIST
112003+ if (!__list_add_debug(new, prev, next))
112004+ return;
112005+#endif
112006+
112007+ pax_open_kernel();
112008+ next->prev = new;
112009+ new->next = next;
112010+ new->prev = prev;
112011+ prev->next = new;
112012+ pax_close_kernel();
112013+}
112014+EXPORT_SYMBOL(__pax_list_add);
112015+
112016+void pax_list_del(struct list_head *entry)
112017+{
112018+#ifdef CONFIG_DEBUG_LIST
112019+ if (!__list_del_entry_debug(entry))
112020+ return;
112021+#endif
112022+
112023+ pax_open_kernel();
112024+ __list_del(entry->prev, entry->next);
112025+ entry->next = LIST_POISON1;
112026+ entry->prev = LIST_POISON2;
112027+ pax_close_kernel();
112028+}
112029+EXPORT_SYMBOL(pax_list_del);
112030+
112031+void pax_list_del_init(struct list_head *entry)
112032+{
112033+ pax_open_kernel();
112034+ __list_del(entry->prev, entry->next);
112035+ INIT_LIST_HEAD(entry);
112036+ pax_close_kernel();
112037+}
112038+EXPORT_SYMBOL(pax_list_del_init);
112039+
112040+void __pax_list_add_rcu(struct list_head *new,
112041+ struct list_head *prev, struct list_head *next)
112042+{
112043+#ifdef CONFIG_DEBUG_LIST
112044+ if (!__list_add_debug(new, prev, next))
112045+ return;
112046+#endif
112047+
112048+ pax_open_kernel();
112049+ new->next = next;
112050+ new->prev = prev;
112051+ rcu_assign_pointer(list_next_rcu(prev), new);
112052+ next->prev = new;
112053+ pax_close_kernel();
112054+}
112055+EXPORT_SYMBOL(__pax_list_add_rcu);
112056+
112057+void pax_list_del_rcu(struct list_head *entry)
112058+{
112059+#ifdef CONFIG_DEBUG_LIST
112060+ if (!__list_del_entry_debug(entry))
112061+ return;
112062+#endif
112063+
112064+ pax_open_kernel();
112065+ __list_del(entry->prev, entry->next);
112066+ entry->next = LIST_POISON1;
112067+ entry->prev = LIST_POISON2;
112068+ pax_close_kernel();
112069+}
112070+EXPORT_SYMBOL(pax_list_del_rcu);
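Review bot: pax_list_del_rcu() writes `entry->next = LIST_POISON1;`, which makes its body identical to pax_list_del(). The usual RCU deletion convention poisons only `prev` and leaves the removed entry's forward pointer intact, so a reader already standing on the entry inside an RCU read-side section can still reach the next element; with the forward pointer poisoned that reader would dereference the poison value. If any of these lists is walked by RCU readers, drop that line and keep only `entry->prev = LIST_POISON2;`. Separately, pax_list_del_init() is the only helper in this hunk that lacks the CONFIG_DEBUG_LIST `__list_del_entry_debug()` check, and that difference is unexplained.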
112071diff --git a/lib/lockref.c b/lib/lockref.c
112072index 494994b..65caf94 100644
112073--- a/lib/lockref.c
112074+++ b/lib/lockref.c
112075@@ -48,13 +48,13 @@
112076 void lockref_get(struct lockref *lockref)
112077 {
112078 CMPXCHG_LOOP(
112079- new.count++;
112080+ __lockref_inc(&new);
112081 ,
112082 return;
112083 );
112084
112085 spin_lock(&lockref->lock);
112086- lockref->count++;
112087+ __lockref_inc(lockref);
112088 spin_unlock(&lockref->lock);
112089 }
112090 EXPORT_SYMBOL(lockref_get);
112091@@ -69,8 +69,8 @@ int lockref_get_not_zero(struct lockref *lockref)
112092 int retval;
112093
112094 CMPXCHG_LOOP(
112095- new.count++;
112096- if (old.count <= 0)
112097+ __lockref_inc(&new);
112098+ if (__lockref_read(&old) <= 0)
112099 return 0;
112100 ,
112101 return 1;
112102@@ -78,8 +78,8 @@ int lockref_get_not_zero(struct lockref *lockref)
112103
112104 spin_lock(&lockref->lock);
112105 retval = 0;
112106- if (lockref->count > 0) {
112107- lockref->count++;
112108+ if (__lockref_read(lockref) > 0) {
112109+ __lockref_inc(lockref);
112110 retval = 1;
112111 }
112112 spin_unlock(&lockref->lock);
112113@@ -96,17 +96,17 @@ EXPORT_SYMBOL(lockref_get_not_zero);
112114 int lockref_get_or_lock(struct lockref *lockref)
112115 {
112116 CMPXCHG_LOOP(
112117- new.count++;
112118- if (old.count <= 0)
112119+ __lockref_inc(&new);
112120+ if (__lockref_read(&old) <= 0)
112121 break;
112122 ,
112123 return 1;
112124 );
112125
112126 spin_lock(&lockref->lock);
112127- if (lockref->count <= 0)
112128+ if (__lockref_read(lockref) <= 0)
112129 return 0;
112130- lockref->count++;
112131+ __lockref_inc(lockref);
112132 spin_unlock(&lockref->lock);
112133 return 1;
112134 }
112135@@ -122,11 +122,11 @@ EXPORT_SYMBOL(lockref_get_or_lock);
112136 int lockref_put_return(struct lockref *lockref)
112137 {
112138 CMPXCHG_LOOP(
112139- new.count--;
112140- if (old.count <= 0)
112141+ __lockref_dec(&new);
112142+ if (__lockref_read(&old) <= 0)
112143 return -1;
112144 ,
112145- return new.count;
112146+ return __lockref_read(&new);
112147 );
112148 return -1;
112149 }
112150@@ -140,17 +140,17 @@ EXPORT_SYMBOL(lockref_put_return);
112151 int lockref_put_or_lock(struct lockref *lockref)
112152 {
112153 CMPXCHG_LOOP(
112154- new.count--;
112155- if (old.count <= 1)
112156+ __lockref_dec(&new);
112157+ if (__lockref_read(&old) <= 1)
112158 break;
112159 ,
112160 return 1;
112161 );
112162
112163 spin_lock(&lockref->lock);
112164- if (lockref->count <= 1)
112165+ if (__lockref_read(lockref) <= 1)
112166 return 0;
112167- lockref->count--;
112168+ __lockref_dec(lockref);
112169 spin_unlock(&lockref->lock);
112170 return 1;
112171 }
112172@@ -163,7 +163,7 @@ EXPORT_SYMBOL(lockref_put_or_lock);
112173 void lockref_mark_dead(struct lockref *lockref)
112174 {
112175 assert_spin_locked(&lockref->lock);
112176- lockref->count = -128;
112177+ __lockref_set(lockref, -128);
112178 }
112179 EXPORT_SYMBOL(lockref_mark_dead);
112180
112181@@ -177,8 +177,8 @@ int lockref_get_not_dead(struct lockref *lockref)
112182 int retval;
112183
112184 CMPXCHG_LOOP(
112185- new.count++;
112186- if (old.count < 0)
112187+ __lockref_inc(&new);
112188+ if (__lockref_read(&old) < 0)
112189 return 0;
112190 ,
112191 return 1;
112192@@ -186,8 +186,8 @@ int lockref_get_not_dead(struct lockref *lockref)
112193
112194 spin_lock(&lockref->lock);
112195 retval = 0;
112196- if (lockref->count >= 0) {
112197- lockref->count++;
112198+ if (__lockref_read(lockref) >= 0) {
112199+ __lockref_inc(lockref);
112200 retval = 1;
112201 }
112202 spin_unlock(&lockref->lock);
112203diff --git a/lib/nlattr.c b/lib/nlattr.c
112204index f5907d2..36072be 100644
112205--- a/lib/nlattr.c
112206+++ b/lib/nlattr.c
112207@@ -278,6 +278,8 @@ int nla_memcpy(void *dest, const struct nlattr *src, int count)
112208 {
112209 int minlen = min_t(int, count, nla_len(src));
112210
112211+ BUG_ON(minlen < 0);
112212+
112213 memcpy(dest, nla_data(src), minlen);
112214 if (count > minlen)
112215 memset(dest + minlen, 0, count - minlen);
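Review bot: The added `BUG_ON(minlen < 0)` in nla_memcpy() keeps a negative length from reaching memcpy() as a huge size_t, but it does so by halting the kernel, so a negative `count` or a negative nla_len(src) becomes a crash instead of a contained error. Whether any caller can reach this with a length taken from an unvalidated attribute is not visible here; if one can, clamping is the safer response, for example `if (WARN_ON_ONCE(minlen < 0)) minlen = 0;`, which copies nothing and leaves the existing memset() to zero `dest` when `count` is positive. The end of the function, including its return statement, is outside the hunk.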
112216diff --git a/lib/percpu-refcount.c b/lib/percpu-refcount.c
112217index 6111bcb..02e816b 100644
112218--- a/lib/percpu-refcount.c
112219+++ b/lib/percpu-refcount.c
112220@@ -31,7 +31,7 @@
112221 * atomic_long_t can't hit 0 before we've added up all the percpu refs.
112222 */
112223
112224-#define PERCPU_COUNT_BIAS (1LU << (BITS_PER_LONG - 1))
112225+#define PERCPU_COUNT_BIAS (1LU << (BITS_PER_LONG - 2))
112226
112227 static DECLARE_WAIT_QUEUE_HEAD(percpu_ref_switch_waitq);
112228
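Review bot: PERCPU_COUNT_BIAS moves from bit `BITS_PER_LONG - 1` to bit `BITS_PER_LONG - 2` with no change to the explanatory comment that ends just above the define, so the reason for the new value is not recorded. Presumably the bias is kept out of the sign bit so that the overflow-checked atomic_long operations used elsewhere in this patch do not treat the biased count as an overflow; that should be confirmed and then stated, e.g. `/* bias stays below the sign bit so checked atomic_long ops do not flag it as overflow */`. It would also help to note that this halves the headroom between the bias and zero.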
112229diff --git a/lib/radix-tree.c b/lib/radix-tree.c
112230index f9ebe1c..e985666 100644
112231--- a/lib/radix-tree.c
112232+++ b/lib/radix-tree.c
112233@@ -68,7 +68,7 @@ struct radix_tree_preload {
112234 /* nodes->private_data points to next preallocated node */
112235 struct radix_tree_node *nodes;
112236 };
112237-static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
112238+static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
112239
112240 static inline void *ptr_to_indirect(void *ptr)
112241 {
112242diff --git a/lib/random32.c b/lib/random32.c
112243index 0bee183..526f12f 100644
112244--- a/lib/random32.c
112245+++ b/lib/random32.c
112246@@ -47,7 +47,7 @@ static inline void prandom_state_selftest(void)
112247 }
112248 #endif
112249
112250-static DEFINE_PER_CPU(struct rnd_state, net_rand_state);
112251+static DEFINE_PER_CPU(struct rnd_state, net_rand_state) __latent_entropy;
112252
112253 /**
112254 * prandom_u32_state - seeded pseudo-random number generator.
112255diff --git a/lib/rbtree.c b/lib/rbtree.c
112256index 1356454..70ce6c6 100644
112257--- a/lib/rbtree.c
112258+++ b/lib/rbtree.c
112259@@ -412,7 +412,9 @@ static inline void dummy_copy(struct rb_node *old, struct rb_node *new) {}
112260 static inline void dummy_rotate(struct rb_node *old, struct rb_node *new) {}
112261
112262 static const struct rb_augment_callbacks dummy_callbacks = {
112263- dummy_propagate, dummy_copy, dummy_rotate
112264+ .propagate = dummy_propagate,
112265+ .copy = dummy_copy,
112266+ .rotate = dummy_rotate
112267 };
112268
112269 void rb_insert_color(struct rb_node *node, struct rb_root *root)
112270diff --git a/lib/show_mem.c b/lib/show_mem.c
112271index adc98e18..0ce83c2 100644
112272--- a/lib/show_mem.c
112273+++ b/lib/show_mem.c
112274@@ -49,6 +49,6 @@ void show_mem(unsigned int filter)
112275 quicklist_total_size());
112276 #endif
112277 #ifdef CONFIG_MEMORY_FAILURE
112278- printk("%lu pages hwpoisoned\n", atomic_long_read(&num_poisoned_pages));
112279+ printk("%lu pages hwpoisoned\n", atomic_long_read_unchecked(&num_poisoned_pages));
112280 #endif
112281 }
112282diff --git a/lib/strncpy_from_user.c b/lib/strncpy_from_user.c
112283index e0af6ff..fcc9f15 100644
112284--- a/lib/strncpy_from_user.c
112285+++ b/lib/strncpy_from_user.c
112286@@ -22,7 +22,7 @@
112287 */
112288 static inline long do_strncpy_from_user(char *dst, const char __user *src, long count, unsigned long max)
112289 {
112290- const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
112291+ static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
112292 long res = 0;
112293
112294 /*
112295diff --git a/lib/strnlen_user.c b/lib/strnlen_user.c
112296index 3a5f2b3..102f1ff 100644
112297--- a/lib/strnlen_user.c
112298+++ b/lib/strnlen_user.c
112299@@ -26,7 +26,7 @@
112300 */
112301 static inline long do_strnlen_user(const char __user *src, unsigned long count, unsigned long max)
112302 {
112303- const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
112304+ static const struct word_at_a_time constants = WORD_AT_A_TIME_CONSTANTS;
112305 long align, res = 0;
112306 unsigned long c;
112307
112308diff --git a/lib/swiotlb.c b/lib/swiotlb.c
112309index 76f29ec..1a5316f 100644
112310--- a/lib/swiotlb.c
112311+++ b/lib/swiotlb.c
112312@@ -690,7 +690,7 @@ EXPORT_SYMBOL(swiotlb_alloc_coherent);
112313
112314 void
112315 swiotlb_free_coherent(struct device *hwdev, size_t size, void *vaddr,
112316- dma_addr_t dev_addr)
112317+ dma_addr_t dev_addr, struct dma_attrs *attrs)
112318 {
112319 phys_addr_t paddr = dma_to_phys(hwdev, dev_addr);
112320
112321diff --git a/lib/usercopy.c b/lib/usercopy.c
112322index 4f5b1dd..7cab418 100644
112323--- a/lib/usercopy.c
112324+++ b/lib/usercopy.c
112325@@ -7,3 +7,9 @@ void copy_from_user_overflow(void)
112326 WARN(1, "Buffer overflow detected!\n");
112327 }
112328 EXPORT_SYMBOL(copy_from_user_overflow);
112329+
112330+void copy_to_user_overflow(void)
112331+{
112332+ WARN(1, "Buffer overflow detected!\n");
112333+}
112334+EXPORT_SYMBOL(copy_to_user_overflow);
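Review bot: copy_to_user_overflow() emits exactly the same text as copy_from_user_overflow(), `"Buffer overflow detected!\n"`, so a log reader has only the backtrace to tell a kernel-buffer write overflow from an over-read of a kernel object towards userland. These are different bug classes (memory corruption versus information disclosure) and are triaged differently. Name the direction in the message, for example `WARN(1, "Buffer overflow detected in copy_to_user!\n");`, and add a one-line comment above the function saying when it is called.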
112335diff --git a/lib/vsprintf.c b/lib/vsprintf.c
112336index da39c60..ac91239 100644
112337--- a/lib/vsprintf.c
112338+++ b/lib/vsprintf.c
112339@@ -16,6 +16,9 @@
112340 * - scnprintf and vscnprintf
112341 */
112342
112343+#ifdef CONFIG_GRKERNSEC_HIDESYM
112344+#define __INCLUDED_BY_HIDESYM 1
112345+#endif
112346 #include <stdarg.h>
112347 #include <linux/clk-provider.h>
112348 #include <linux/module.h> /* for KSYM_SYMBOL_LEN */
112349@@ -628,7 +631,7 @@ char *symbol_string(char *buf, char *end, void *ptr,
112350 #ifdef CONFIG_KALLSYMS
112351 if (*fmt == 'B')
112352 sprint_backtrace(sym, value);
112353- else if (*fmt != 'f' && *fmt != 's')
112354+ else if (*fmt != 'f' && *fmt != 's' && *fmt != 'X')
112355 sprint_symbol(sym, value);
112356 else
112357 sprint_symbol_no_offset(sym, value);
112358@@ -1360,7 +1363,11 @@ char *clock(char *buf, char *end, struct clk *clk, struct printf_spec spec,
112359 }
112360 }
112361
112362-int kptr_restrict __read_mostly;
112363+#ifdef CONFIG_GRKERNSEC_HIDESYM
112364+int kptr_restrict __read_only = 2;
112365+#else
112366+int kptr_restrict __read_only;
112367+#endif
112368
112369 /*
112370 * Show a '%p' thing. A kernel extension is that the '%p' is followed
112371@@ -1371,8 +1378,10 @@ int kptr_restrict __read_mostly;
112372 *
112373 * - 'F' For symbolic function descriptor pointers with offset
112374 * - 'f' For simple symbolic function names without offset
112375+ * - 'X' For simple symbolic function names without offset approved for use with GRKERNSEC_HIDESYM
112376 * - 'S' For symbolic direct pointers with offset
112377 * - 's' For symbolic direct pointers without offset
112378+ * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
112379 * - '[FfSs]R' as above with __builtin_extract_return_addr() translation
112380 * - 'B' For backtraced symbolic direct pointers with offset
112381 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
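Review bot: The specifier list in this comment gains `'X'` and `'A'` but not `'P'`, although the same file's diff adds a `case 'P':` to pointer() and exempts `'P'` in the HIDESYM check further down. Add a line such as ` * - 'P' For raw pointers approved for copying to userland under GRKERNSEC_HIDESYM` so the documented list matches the switch. The comment block continues outside the hunk.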
112382@@ -1460,12 +1469,12 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
112383
112384 if (!ptr && *fmt != 'K') {
112385 /*
112386- * Print (null) with the same width as a pointer so it makes
112387+ * Print (nil) with the same width as a pointer so it makes
112388 * tabular output look nice.
112389 */
112390 if (spec.field_width == -1)
112391 spec.field_width = default_width;
112392- return string(buf, end, "(null)", spec);
112393+ return string(buf, end, "(nil)", spec);
112394 }
112395
112396 switch (*fmt) {
112397@@ -1475,6 +1484,14 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
112398 /* Fallthrough */
112399 case 'S':
112400 case 's':
112401+#ifdef CONFIG_GRKERNSEC_HIDESYM
112402+ break;
112403+#else
112404+ return symbol_string(buf, end, ptr, spec, fmt);
112405+#endif
112406+ case 'X':
112407+ ptr = dereference_function_descriptor(ptr);
112408+ case 'A':
112409 case 'B':
112410 return symbol_string(buf, end, ptr, spec, fmt);
112411 case 'R':
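Review bot: The new `case 'X':` assigns `ptr = dereference_function_descriptor(ptr);` and then runs into `case 'A':` without the `/* Fallthrough */` marker that the preceding case in this switch carries, so the intent is left unstated; add `/* Fallthrough */` after the assignment. With CONFIG_GRKERNSEC_HIDESYM set, the `'S'`/`'s'` labels now end in `break`, which sends those specifiers to the code after the switch instead of to symbol_string(). A short comment on that `break`, such as `/* HIDESYM: no symbol lookup, handled as a plain pointer below */`, would make the behaviour change visible. The switch begins and ends outside the hunk.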
112412@@ -1539,6 +1556,8 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
112413 va_end(va);
112414 return buf;
112415 }
112416+ case 'P':
112417+ break;
112418 case 'K':
112419 /*
112420 * %pK cannot be used in IRQ context because its test
112421@@ -1598,6 +1617,22 @@ char *pointer(const char *fmt, char *buf, char *end, void *ptr,
112422 ((const struct file *)ptr)->f_path.dentry,
112423 spec, fmt);
112424 }
112425+
112426+#ifdef CONFIG_GRKERNSEC_HIDESYM
112427+ /* 'P' = approved pointers to copy to userland,
112428+ as in the /proc/kallsyms case, as we make it display nothing
112429+ for non-root users, and the real contents for root users
112430+ 'X' = approved simple symbols
112431+ Also ignore 'K' pointers, since we force their NULLing for non-root users
112432+ above
112433+ */
112434+ if ((unsigned long)ptr > TASK_SIZE && *fmt != 'P' && *fmt != 'X' && *fmt != 'K' && is_usercopy_object(buf)) {
112435+ printk(KERN_ALERT "grsec: kernel infoleak detected! Please report this log to spender@grsecurity.net.\n");
112436+ dump_stack();
112437+ ptr = NULL;
112438+ }
112439+#endif
112440+
112441 spec.flags |= SMALL;
112442 if (spec.field_width == -1) {
112443 spec.field_width = default_width;
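Review bot: The infoleak report added to pointer() is not rate-limited: every qualifying format call prints a KERN_ALERT line and a full `dump_stack()`, so one offending call site that is hit repeatedly can flood the log and bury other alerts. Gating only the report, for example wrapping the printk() and dump_stack() lines in `if (printk_ratelimit()) { ... }` while leaving `ptr = NULL;` unconditional, keeps the sanitising behaviour and bounds the noise. The test is also `> TASK_SIZE` where `>=` would cover the boundary address itself; whether that address can occur here is not visible. pointer() starts and ends outside the hunk.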
112444@@ -2296,11 +2331,11 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
112445 typeof(type) value; \
112446 if (sizeof(type) == 8) { \
112447 args = PTR_ALIGN(args, sizeof(u32)); \
112448- *(u32 *)&value = *(u32 *)args; \
112449- *((u32 *)&value + 1) = *(u32 *)(args + 4); \
112450+ *(u32 *)&value = *(const u32 *)args; \
112451+ *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
112452 } else { \
112453 args = PTR_ALIGN(args, sizeof(type)); \
112454- value = *(typeof(type) *)args; \
112455+ value = *(const typeof(type) *)args; \
112456 } \
112457 args += sizeof(type); \
112458 value; \
112459@@ -2363,7 +2398,7 @@ int bstr_printf(char *buf, size_t size, const char *fmt, const u32 *bin_buf)
112460 case FORMAT_TYPE_STR: {
112461 const char *str_arg = args;
112462 args += strlen(str_arg) + 1;
112463- str = string(str, end, (char *)str_arg, spec);
112464+ str = string(str, end, str_arg, spec);
112465 break;
112466 }
112467
112468diff --git a/localversion-grsec b/localversion-grsec
112469new file mode 100644
112470index 0000000..7cd6065
112471--- /dev/null
112472+++ b/localversion-grsec
112473@@ -0,0 +1 @@
112474+-grsec
112475diff --git a/mm/Kconfig b/mm/Kconfig
112476index e79de2b..fba3116 100644
112477--- a/mm/Kconfig
112478+++ b/mm/Kconfig
112479@@ -342,10 +342,11 @@ config KSM
112480 root has set /sys/kernel/mm/ksm/run to 1 (if CONFIG_SYSFS is set).
112481
112482 config DEFAULT_MMAP_MIN_ADDR
112483- int "Low address space to protect from user allocation"
112484+ int "Low address space to protect from user allocation"
112485 depends on MMU
112486- default 4096
112487- help
112488+ default 32768 if ALPHA || ARM || PARISC || SPARC32
112489+ default 65536
112490+ help
112491 This is the portion of low virtual memory which should be protected
112492 from userspace allocation. Keeping a user from writing to low pages
112493 can help reduce the impact of kernel NULL pointer bugs.
112494@@ -377,8 +378,9 @@ config MEMORY_FAILURE
112495
112496 config HWPOISON_INJECT
112497 tristate "HWPoison pages injector"
112498- depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS
112499+ depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS && !GRKERNSEC
112500 select PROC_PAGE_MONITOR
112501+ depends on !GRKERNSEC
112502
112503 config NOMMU_INITIAL_TRIM_EXCESS
112504 int "Turn on mmap() excess space trimming before booting"
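Review bot: HWPOISON_INJECT now states the GRKERNSEC exclusion twice: once appended to the existing line as `depends on MEMORY_FAILURE && DEBUG_KERNEL && PROC_FS && !GRKERNSEC`, and again as a separate `depends on !GRKERNSEC` after the `select`. The two are equivalent, so one should be dropped. Keeping only the standalone `depends on !GRKERNSEC` line and leaving the original dependency line untouched would match how MEM_SOFT_DIRTY is handled in the next hunk and keep the delta against upstream smaller.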
112505@@ -539,6 +541,7 @@ config MEM_SOFT_DIRTY
112506 bool "Track memory changes"
112507 depends on CHECKPOINT_RESTORE && HAVE_ARCH_SOFT_DIRTY && PROC_FS
112508 select PROC_PAGE_MONITOR
112509+ depends on !GRKERNSEC
112510 help
112511 This option enables memory changes tracking by introducing a
112512 soft-dirty bit on pte-s. This bit it set when someone writes
112513@@ -613,6 +616,7 @@ config ZSMALLOC_STAT
112514 bool "Export zsmalloc statistics"
112515 depends on ZSMALLOC
112516 select DEBUG_FS
112517+ depends on !GRKERNSEC_KMEM
112518 help
112519 This option enables code in the zsmalloc to collect various
112520 statistics about whats happening in zsmalloc and exports that
112521diff --git a/mm/Kconfig.debug b/mm/Kconfig.debug
112522index 957d3da..1d34e20 100644
112523--- a/mm/Kconfig.debug
112524+++ b/mm/Kconfig.debug
112525@@ -10,6 +10,7 @@ config PAGE_EXTENSION
112526 config DEBUG_PAGEALLOC
112527 bool "Debug page memory allocations"
112528 depends on DEBUG_KERNEL
112529+ depends on !PAX_MEMORY_SANITIZE
112530 depends on !HIBERNATION || ARCH_SUPPORTS_DEBUG_PAGEALLOC && !PPC && !SPARC
112531 depends on !KMEMCHECK
112532 select PAGE_EXTENSION
112533diff --git a/mm/backing-dev.c b/mm/backing-dev.c
112534index dac5bf5..d8c02ce 100644
112535--- a/mm/backing-dev.c
112536+++ b/mm/backing-dev.c
112537@@ -12,7 +12,7 @@
112538 #include <linux/device.h>
112539 #include <trace/events/writeback.h>
112540
112541-static atomic_long_t bdi_seq = ATOMIC_LONG_INIT(0);
112542+static atomic_long_unchecked_t bdi_seq = ATOMIC_LONG_INIT(0);
112543
112544 struct backing_dev_info noop_backing_dev_info = {
112545 .name = "noop",
112546@@ -855,7 +855,7 @@ int bdi_setup_and_register(struct backing_dev_info *bdi, char *name)
112547 return err;
112548
112549 err = bdi_register(bdi, NULL, "%.28s-%ld", name,
112550- atomic_long_inc_return(&bdi_seq));
112551+ atomic_long_inc_return_unchecked(&bdi_seq));
112552 if (err) {
112553 bdi_destroy(bdi);
112554 return err;
112555diff --git a/mm/dmapool.c b/mm/dmapool.c
112556index fd5fe43..39ea317 100644
112557--- a/mm/dmapool.c
112558+++ b/mm/dmapool.c
112559@@ -386,7 +386,7 @@ static struct dma_page *pool_find_page(struct dma_pool *pool, dma_addr_t dma)
112560 list_for_each_entry(page, &pool->page_list, page_list) {
112561 if (dma < page->dma)
112562 continue;
112563- if (dma < (page->dma + pool->allocation))
112564+ if ((dma - page->dma) < pool->allocation)
112565 return page;
112566 }
112567 return NULL;
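Review bot: The rewritten range test `(dma - page->dma) < pool->allocation` in pool_find_page() has no comment explaining why it replaced the addition form, so a later cleanup could change it back. The subtraction cannot underflow because the preceding `if (dma < page->dma) continue;` has already run, whereas `page->dma + pool->allocation` can wrap for a page near the top of the dma_addr_t range. Record that above the test, e.g. `/* subtract: page->dma + pool->allocation may wrap; dma >= page->dma is guaranteed above */`. The function starts outside the hunk.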
112568diff --git a/mm/filemap.c b/mm/filemap.c
112569index 1283fc8..a0347d5 100644
112570--- a/mm/filemap.c
112571+++ b/mm/filemap.c
112572@@ -2122,7 +2122,7 @@ int generic_file_mmap(struct file * file, struct vm_area_struct * vma)
112573 struct address_space *mapping = file->f_mapping;
112574
112575 if (!mapping->a_ops->readpage)
112576- return -ENOEXEC;
112577+ return -ENODEV;
112578 file_accessed(file);
112579 vma->vm_ops = &generic_file_vm_ops;
112580 return 0;
112581@@ -2303,6 +2303,7 @@ inline ssize_t generic_write_checks(struct kiocb *iocb, struct iov_iter *from)
112582 pos = iocb->ki_pos;
112583
112584 if (limit != RLIM_INFINITY) {
112585+ gr_learn_resource(current, RLIMIT_FSIZE, iocb->ki_pos, 0);
112586 if (iocb->ki_pos >= limit) {
112587 send_sig(SIGXFSZ, current, 0);
112588 return -EFBIG;
112589diff --git a/mm/gup.c b/mm/gup.c
112590index 6297f6b..7652403 100644
112591--- a/mm/gup.c
112592+++ b/mm/gup.c
112593@@ -265,11 +265,6 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
112594 unsigned int fault_flags = 0;
112595 int ret;
112596
112597- /* For mm_populate(), just skip the stack guard page. */
112598- if ((*flags & FOLL_POPULATE) &&
112599- (stack_guard_page_start(vma, address) ||
112600- stack_guard_page_end(vma, address + PAGE_SIZE)))
112601- return -ENOENT;
112602 if (*flags & FOLL_WRITE)
112603 fault_flags |= FAULT_FLAG_WRITE;
112604 if (nonblocking)
112605@@ -435,14 +430,14 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
112606 if (!(gup_flags & FOLL_FORCE))
112607 gup_flags |= FOLL_NUMA;
112608
112609- do {
112610+ while (nr_pages) {
112611 struct page *page;
112612 unsigned int foll_flags = gup_flags;
112613 unsigned int page_increm;
112614
112615 /* first iteration or cross vma bound */
112616 if (!vma || start >= vma->vm_end) {
112617- vma = find_extend_vma(mm, start);
112618+ vma = find_vma(mm, start);
112619 if (!vma && in_gate_area(mm, start)) {
112620 int ret;
112621 ret = get_gate_page(mm, start & PAGE_MASK,
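Review bot: Replacing `find_extend_vma()` with `find_vma()` means the returned VMA may begin above `start`, and the only guard against that is the `start < vma->vm_start` test added in the next hunk, so the two changes must stay together. A comment at the lookup would keep that dependency visible, e.g. `/* find_vma() may return a vma above start; rejected by the vm_start check below */`. The switch from `do { } while (nr_pages)` to `while (nr_pages)`, closed in the hunk at `next_page:`, also changes what happens for `nr_pages == 0`; whether any caller passes zero is not visible here. __get_user_pages() begins and ends outside this hunk.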
112622@@ -454,7 +449,7 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
112623 goto next_page;
112624 }
112625
112626- if (!vma || check_vma_flags(vma, gup_flags))
112627+ if (!vma || start < vma->vm_start || check_vma_flags(vma, gup_flags))
112628 return i ? : -EFAULT;
112629 if (is_vm_hugetlb_page(vma)) {
112630 i = follow_hugetlb_page(mm, vma, pages, vmas,
112631@@ -509,7 +504,7 @@ next_page:
112632 i += page_increm;
112633 start += page_increm * PAGE_SIZE;
112634 nr_pages -= page_increm;
112635- } while (nr_pages);
112636+ }
112637 return i;
112638 }
112639 EXPORT_SYMBOL(__get_user_pages);
112640diff --git a/mm/highmem.c b/mm/highmem.c
112641index 123bcd3..c2c85db 100644
112642--- a/mm/highmem.c
112643+++ b/mm/highmem.c
112644@@ -195,8 +195,9 @@ static void flush_all_zero_pkmaps(void)
112645 * So no dangers, even with speculative execution.
112646 */
112647 page = pte_page(pkmap_page_table[i]);
112648+ pax_open_kernel();
112649 pte_clear(&init_mm, PKMAP_ADDR(i), &pkmap_page_table[i]);
112650-
112651+ pax_close_kernel();
112652 set_page_address(page, NULL);
112653 need_flush = 1;
112654 }
112655@@ -259,8 +260,11 @@ start:
112656 }
112657 }
112658 vaddr = PKMAP_ADDR(last_pkmap_nr);
112659+
112660+ pax_open_kernel();
112661 set_pte_at(&init_mm, vaddr,
112662 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
112663+ pax_close_kernel();
112664
112665 pkmap_count[last_pkmap_nr] = 1;
112666 set_page_address(page, (void *)vaddr);
112667diff --git a/mm/hugetlb.c b/mm/hugetlb.c
112668index 62c1ec5..ec431dc 100644
112669--- a/mm/hugetlb.c
112670+++ b/mm/hugetlb.c
112671@@ -2442,6 +2442,7 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
112672 struct ctl_table *table, int write,
112673 void __user *buffer, size_t *length, loff_t *ppos)
112674 {
112675+ ctl_table_no_const t;
112676 struct hstate *h = &default_hstate;
112677 unsigned long tmp = h->max_huge_pages;
112678 int ret;
112679@@ -2449,9 +2450,10 @@ static int hugetlb_sysctl_handler_common(bool obey_mempolicy,
112680 if (!hugepages_supported())
112681 return -ENOTSUPP;
112682
112683- table->data = &tmp;
112684- table->maxlen = sizeof(unsigned long);
112685- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
112686+ t = *table;
112687+ t.data = &tmp;
112688+ t.maxlen = sizeof(unsigned long);
112689+ ret = proc_doulongvec_minmax(&t, write, buffer, length, ppos);
112690 if (ret)
112691 goto out;
112692
112693@@ -2486,6 +2488,7 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
112694 struct hstate *h = &default_hstate;
112695 unsigned long tmp;
112696 int ret;
112697+ ctl_table_no_const hugetlb_table;
112698
112699 if (!hugepages_supported())
112700 return -ENOTSUPP;
112701@@ -2495,9 +2498,10 @@ int hugetlb_overcommit_handler(struct ctl_table *table, int write,
112702 if (write && hstate_is_gigantic(h))
112703 return -EINVAL;
112704
112705- table->data = &tmp;
112706- table->maxlen = sizeof(unsigned long);
112707- ret = proc_doulongvec_minmax(table, write, buffer, length, ppos);
112708+ hugetlb_table = *table;
112709+ hugetlb_table.data = &tmp;
112710+ hugetlb_table.maxlen = sizeof(unsigned long);
112711+ ret = proc_doulongvec_minmax(&hugetlb_table, write, buffer, length, ppos);
112712 if (ret)
112713 goto out;
112714
112715@@ -2995,6 +2999,27 @@ static void unmap_ref_private(struct mm_struct *mm, struct vm_area_struct *vma,
112716 i_mmap_unlock_write(mapping);
112717 }
112718
112719+#ifdef CONFIG_PAX_SEGMEXEC
112720+static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
112721+{
112722+ struct mm_struct *mm = vma->vm_mm;
112723+ struct vm_area_struct *vma_m;
112724+ unsigned long address_m;
112725+ pte_t *ptep_m;
112726+
112727+ vma_m = pax_find_mirror_vma(vma);
112728+ if (!vma_m)
112729+ return;
112730+
112731+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
112732+ address_m = address + SEGMEXEC_TASK_SIZE;
112733+ ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
112734+ get_page(page_m);
112735+ hugepage_add_anon_rmap(page_m, vma_m, address_m);
112736+ set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
112737+}
112738+#endif
112739+
112740 /*
112741 * Hugetlb_cow() should be called with page lock of the original hugepage held.
112742 * Called with hugetlb_instantiation_mutex held and pte_page locked so we
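Review bot: In pax_mirror_huge_pte() the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` goes straight to `set_huge_pte_at()` without a NULL test. The function appears to rely on hugetlb_fault() having called `huge_pte_alloc()` for the mirror address first (added later in this file's diff), but nothing here states or enforces that precondition. Either document it in a comment above the function or guard it with `if (WARN_ON_ONCE(!ptep_m)) return;` placed before `get_page(page_m)`, so that no page reference is taken on the bail-out path.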
112743@@ -3108,6 +3133,11 @@ retry_avoidcopy:
112744 make_huge_pte(vma, new_page, 1));
112745 page_remove_rmap(old_page);
112746 hugepage_add_new_anon_rmap(new_page, vma, address);
112747+
112748+#ifdef CONFIG_PAX_SEGMEXEC
112749+ pax_mirror_huge_pte(vma, address, new_page);
112750+#endif
112751+
112752 /* Make the old page be freed below */
112753 new_page = old_page;
112754 }
112755@@ -3269,6 +3299,10 @@ retry:
112756 && (vma->vm_flags & VM_SHARED)));
112757 set_huge_pte_at(mm, address, ptep, new_pte);
112758
112759+#ifdef CONFIG_PAX_SEGMEXEC
112760+ pax_mirror_huge_pte(vma, address, page);
112761+#endif
112762+
112763 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
112764 /* Optimization, do the COW without a second fault */
112765 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page, ptl);
112766@@ -3336,6 +3370,10 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
112767 struct address_space *mapping;
112768 int need_wait_lock = 0;
112769
112770+#ifdef CONFIG_PAX_SEGMEXEC
112771+ struct vm_area_struct *vma_m;
112772+#endif
112773+
112774 address &= huge_page_mask(h);
112775
112776 ptep = huge_pte_offset(mm, address);
112777@@ -3349,6 +3387,26 @@ int hugetlb_fault(struct mm_struct *mm, struct vm_area_struct *vma,
112778 VM_FAULT_SET_HINDEX(hstate_index(h));
112779 }
112780
112781+#ifdef CONFIG_PAX_SEGMEXEC
112782+ vma_m = pax_find_mirror_vma(vma);
112783+ if (vma_m) {
112784+ unsigned long address_m;
112785+
112786+ if (vma->vm_start > vma_m->vm_start) {
112787+ address_m = address;
112788+ address -= SEGMEXEC_TASK_SIZE;
112789+ vma = vma_m;
112790+ h = hstate_vma(vma);
112791+ } else
112792+ address_m = address + SEGMEXEC_TASK_SIZE;
112793+
112794+ if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
112795+ return VM_FAULT_OOM;
112796+ address_m &= HPAGE_MASK;
112797+ unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
112798+ }
112799+#endif
112800+
112801 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
112802 if (!ptep)
112803 return VM_FAULT_OOM;
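Review bot: The SEGMEXEC block in hugetlb_fault() mixes two ways of expressing the huge page size: it calls `huge_pte_alloc(mm, address_m, huge_page_size(h))` but then aligns and unmaps with the fixed `HPAGE_MASK` and `HPAGE_SIZE`. The rest of the function works from the hstate (`address &= huge_page_mask(h)` earlier, `huge_page_size(h)` right after this block), so the constants are only correct while `h` is the default huge page size. Using `address_m &= huge_page_mask(h);` and `address_m + huge_page_size(h)` removes that assumption. It is also worth a comment that `unmap_hugepage_range()` is given the primary `vma` together with a mirror-range address, if that is intended. The function starts and ends outside the hunk.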
112804diff --git a/mm/internal.h b/mm/internal.h
112805index 36b23f1..673a6c7 100644
112806--- a/mm/internal.h
112807+++ b/mm/internal.h
112808@@ -157,6 +157,7 @@ __find_buddy_index(unsigned long page_idx, unsigned int order)
112809 extern int __isolate_free_page(struct page *page, unsigned int order);
112810 extern void __free_pages_bootmem(struct page *page, unsigned long pfn,
112811 unsigned int order);
112812+extern void free_compound_page(struct page *page);
112813 extern void prep_compound_page(struct page *page, unsigned long order);
112814 #ifdef CONFIG_MEMORY_FAILURE
112815 extern bool is_free_buddy_page(struct page *page);
112816diff --git a/mm/kmemleak.c b/mm/kmemleak.c
112817index cf79f11..254224e 100644
112818--- a/mm/kmemleak.c
112819+++ b/mm/kmemleak.c
112820@@ -375,7 +375,7 @@ static void print_unreferenced(struct seq_file *seq,
112821
112822 for (i = 0; i < object->trace_len; i++) {
112823 void *ptr = (void *)object->trace[i];
112824- seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
112825+ seq_printf(seq, " [<%pP>] %pA\n", ptr, ptr);
112826 }
112827 }
112828
112829@@ -1966,7 +1966,7 @@ static int __init kmemleak_late_init(void)
112830 return -ENOMEM;
112831 }
112832
112833- dentry = debugfs_create_file("kmemleak", S_IRUGO, NULL, NULL,
112834+ dentry = debugfs_create_file("kmemleak", S_IRUSR, NULL, NULL,
112835 &kmemleak_fops);
112836 if (!dentry)
112837 pr_warning("Failed to create the debugfs kmemleak file\n");
112838diff --git a/mm/maccess.c b/mm/maccess.c
112839index d53adf9..03a24bf 100644
112840--- a/mm/maccess.c
112841+++ b/mm/maccess.c
112842@@ -26,7 +26,7 @@ long __probe_kernel_read(void *dst, const void *src, size_t size)
112843 set_fs(KERNEL_DS);
112844 pagefault_disable();
112845 ret = __copy_from_user_inatomic(dst,
112846- (__force const void __user *)src, size);
112847+ (const void __force_user *)src, size);
112848 pagefault_enable();
112849 set_fs(old_fs);
112850
112851@@ -53,7 +53,7 @@ long __probe_kernel_write(void *dst, const void *src, size_t size)
112852
112853 set_fs(KERNEL_DS);
112854 pagefault_disable();
112855- ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
112856+ ret = __copy_to_user_inatomic((void __force_user *)dst, src, size);
112857 pagefault_enable();
112858 set_fs(old_fs);
112859
112860diff --git a/mm/madvise.c b/mm/madvise.c
112861index 64bb8a2..68e4be5 100644
112862--- a/mm/madvise.c
112863+++ b/mm/madvise.c
112864@@ -52,6 +52,10 @@ static long madvise_behavior(struct vm_area_struct *vma,
112865 pgoff_t pgoff;
112866 unsigned long new_flags = vma->vm_flags;
112867
112868+#ifdef CONFIG_PAX_SEGMEXEC
112869+ struct vm_area_struct *vma_m;
112870+#endif
112871+
112872 switch (behavior) {
112873 case MADV_NORMAL:
112874 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
112875@@ -127,6 +131,13 @@ success:
112876 /*
112877 * vm_flags is protected by the mmap_sem held in write mode.
112878 */
112879+
112880+#ifdef CONFIG_PAX_SEGMEXEC
112881+ vma_m = pax_find_mirror_vma(vma);
112882+ if (vma_m)
112883+ vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
112884+#endif
112885+
112886 vma->vm_flags = new_flags;
112887
112888 out:
112889@@ -278,11 +289,27 @@ static long madvise_dontneed(struct vm_area_struct *vma,
112890 struct vm_area_struct **prev,
112891 unsigned long start, unsigned long end)
112892 {
112893+
112894+#ifdef CONFIG_PAX_SEGMEXEC
112895+ struct vm_area_struct *vma_m;
112896+#endif
112897+
112898 *prev = vma;
112899 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
112900 return -EINVAL;
112901
112902 zap_page_range(vma, start, end - start, NULL);
112903+
112904+#ifdef CONFIG_PAX_SEGMEXEC
112905+ vma_m = pax_find_mirror_vma(vma);
112906+ if (vma_m) {
112907+ if (vma_m->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
112908+ return -EINVAL;
112909+
112910+ zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
112911+ }
112912+#endif
112913+
112914 return 0;
112915 }
112916
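Review bot: In madvise_dontneed() the mirror VMA's flags are tested only after `zap_page_range(vma, ...)` has already run, so when the mirror is VM_LOCKED, VM_HUGETLB or VM_PFNMAP the call returns -EINVAL with the primary range already zapped. Looking up `vma_m` and checking its flags before the first zap keeps the operation all-or-nothing and makes the error return mean that nothing was changed. The first line of the function signature appears only in the hunk header.

```c
	if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
		return -EINVAL;

#ifdef CONFIG_PAX_SEGMEXEC
	/* validate the mirror before touching either range */
	vma_m = pax_find_mirror_vma(vma);
	if (vma_m && (vma_m->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP)))
		return -EINVAL;
#endif

	zap_page_range(vma, start, end - start, NULL);

#ifdef CONFIG_PAX_SEGMEXEC
	if (vma_m)
		zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
#endif
	/* … unchanged: return 0 … */
```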
112917@@ -485,6 +512,16 @@ SYSCALL_DEFINE3(madvise, unsigned long, start, size_t, len_in, int, behavior)
112918 if (end < start)
112919 return error;
112920
112921+#ifdef CONFIG_PAX_SEGMEXEC
112922+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
112923+ if (end > SEGMEXEC_TASK_SIZE)
112924+ return error;
112925+ } else
112926+#endif
112927+
112928+ if (end > TASK_SIZE)
112929+ return error;
112930+
112931 error = 0;
112932 if (end == start)
112933 return error;
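Review bot: The address-limit check in the madvise syscall leaves a `} else` dangling across `#endif` and a blank line, so the `if (end > TASK_SIZE)` that follows is the else-body only when CONFIG_PAX_SEGMEXEC is set. That is easy to break by inserting a statement between them. The same logic can be written without the cross-preprocessor else by folding the flag test into the first condition, `if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && end > SEGMEXEC_TASK_SIZE)` followed by `return error;`, and letting the `end > TASK_SIZE` check run unconditionally. This is equivalent as long as SEGMEXEC_TASK_SIZE does not exceed TASK_SIZE, which should be confirmed. The syscall body starts and ends outside the hunk.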
112934diff --git a/mm/memory-failure.c b/mm/memory-failure.c
112935index 1f4446a..47abb4e 100644
112936--- a/mm/memory-failure.c
112937+++ b/mm/memory-failure.c
112938@@ -63,7 +63,7 @@ int sysctl_memory_failure_early_kill __read_mostly = 0;
112939
112940 int sysctl_memory_failure_recovery __read_mostly = 1;
112941
112942-atomic_long_t num_poisoned_pages __read_mostly = ATOMIC_LONG_INIT(0);
112943+atomic_long_unchecked_t num_poisoned_pages __read_mostly = ATOMIC_LONG_INIT(0);
112944
112945 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
112946
112947@@ -200,7 +200,7 @@ static int kill_proc(struct task_struct *t, unsigned long addr, int trapno,
112948 pfn, t->comm, t->pid);
112949 si.si_signo = SIGBUS;
112950 si.si_errno = 0;
112951- si.si_addr = (void *)addr;
112952+ si.si_addr = (void __user *)addr;
112953 #ifdef __ARCH_SI_TRAPNO
112954 si.si_trapno = trapno;
112955 #endif
112956@@ -797,7 +797,7 @@ static struct page_state {
112957 unsigned long res;
112958 enum mf_action_page_type type;
112959 int (*action)(struct page *p, unsigned long pfn);
112960-} error_states[] = {
112961+} __do_const error_states[] = {
112962 { reserved, reserved, MF_MSG_KERNEL, me_kernel },
112963 /*
112964 * free pages are specially detected outside this table:
112965@@ -1100,7 +1100,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
112966 nr_pages = 1 << compound_order(hpage);
112967 else /* normal page or thp */
112968 nr_pages = 1;
112969- atomic_long_add(nr_pages, &num_poisoned_pages);
112970+ atomic_long_add_unchecked(nr_pages, &num_poisoned_pages);
112971
112972 /*
112973 * We need/can do nothing about count=0 pages.
112974@@ -1128,7 +1128,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
112975 if (PageHWPoison(hpage)) {
112976 if ((hwpoison_filter(p) && TestClearPageHWPoison(p))
112977 || (p != hpage && TestSetPageHWPoison(hpage))) {
112978- atomic_long_sub(nr_pages, &num_poisoned_pages);
112979+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
112980 unlock_page(hpage);
112981 return 0;
112982 }
112983@@ -1152,7 +1152,7 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
112984 else
112985 pr_err("MCE: %#lx: thp split failed\n", pfn);
112986 if (TestClearPageHWPoison(p))
112987- atomic_long_sub(nr_pages, &num_poisoned_pages);
112988+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
112989 put_page(p);
112990 if (p != hpage)
112991 put_page(hpage);
112992@@ -1214,14 +1214,14 @@ int memory_failure(unsigned long pfn, int trapno, int flags)
112993 */
112994 if (!PageHWPoison(p)) {
112995 printk(KERN_ERR "MCE %#lx: just unpoisoned\n", pfn);
112996- atomic_long_sub(nr_pages, &num_poisoned_pages);
112997+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
112998 unlock_page(hpage);
112999 put_page(hpage);
113000 return 0;
113001 }
113002 if (hwpoison_filter(p)) {
113003 if (TestClearPageHWPoison(p))
113004- atomic_long_sub(nr_pages, &num_poisoned_pages);
113005+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
113006 unlock_page(hpage);
113007 put_page(hpage);
113008 return 0;
113009@@ -1450,7 +1450,7 @@ int unpoison_memory(unsigned long pfn)
113010 return 0;
113011 }
113012 if (TestClearPageHWPoison(p))
113013- atomic_long_dec(&num_poisoned_pages);
113014+ atomic_long_dec_unchecked(&num_poisoned_pages);
113015 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
113016 return 0;
113017 }
113018@@ -1464,7 +1464,7 @@ int unpoison_memory(unsigned long pfn)
113019 */
113020 if (TestClearPageHWPoison(page)) {
113021 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
113022- atomic_long_sub(nr_pages, &num_poisoned_pages);
113023+ atomic_long_sub_unchecked(nr_pages, &num_poisoned_pages);
113024 freeit = 1;
113025 if (PageHuge(page))
113026 clear_page_hwpoison_huge_page(page);
113027@@ -1600,11 +1600,11 @@ static int soft_offline_huge_page(struct page *page, int flags)
113028 if (PageHuge(page)) {
113029 set_page_hwpoison_huge_page(hpage);
113030 dequeue_hwpoisoned_huge_page(hpage);
113031- atomic_long_add(1 << compound_order(hpage),
113032+ atomic_long_add_unchecked(1 << compound_order(hpage),
113033 &num_poisoned_pages);
113034 } else {
113035 SetPageHWPoison(page);
113036- atomic_long_inc(&num_poisoned_pages);
113037+ atomic_long_inc_unchecked(&num_poisoned_pages);
113038 }
113039 }
113040 return ret;
113041@@ -1643,7 +1643,7 @@ static int __soft_offline_page(struct page *page, int flags)
113042 put_page(page);
113043 pr_info("soft_offline: %#lx: invalidated\n", pfn);
113044 SetPageHWPoison(page);
113045- atomic_long_inc(&num_poisoned_pages);
113046+ atomic_long_inc_unchecked(&num_poisoned_pages);
113047 return 0;
113048 }
113049
113050@@ -1664,7 +1664,7 @@ static int __soft_offline_page(struct page *page, int flags)
113051 page_is_file_cache(page));
113052 list_add(&page->lru, &pagelist);
113053 if (!TestSetPageHWPoison(page))
113054- atomic_long_inc(&num_poisoned_pages);
113055+ atomic_long_inc_unchecked(&num_poisoned_pages);
113056 ret = migrate_pages(&pagelist, new_page, NULL, MPOL_MF_MOVE_ALL,
113057 MIGRATE_SYNC, MR_MEMORY_FAILURE);
113058 if (ret) {
113059@@ -1680,7 +1680,7 @@ static int __soft_offline_page(struct page *page, int flags)
113060 if (ret > 0)
113061 ret = -EIO;
113062 if (TestClearPageHWPoison(page))
113063- atomic_long_dec(&num_poisoned_pages);
113064+ atomic_long_dec_unchecked(&num_poisoned_pages);
113065 }
113066 } else {
113067 pr_info("soft offline: %#lx: isolation failed: %d, page count %d, type %lx\n",
113068@@ -1742,11 +1742,11 @@ int soft_offline_page(struct page *page, int flags)
113069 if (PageHuge(page)) {
113070 set_page_hwpoison_huge_page(hpage);
113071 if (!dequeue_hwpoisoned_huge_page(hpage))
113072- atomic_long_add(1 << compound_order(hpage),
113073+ atomic_long_add_unchecked(1 << compound_order(hpage),
113074 &num_poisoned_pages);
113075 } else {
113076 if (!TestSetPageHWPoison(page))
113077- atomic_long_inc(&num_poisoned_pages);
113078+ atomic_long_inc_unchecked(&num_poisoned_pages);
113079 }
113080 }
113081 return ret;
113082diff --git a/mm/memory.c b/mm/memory.c
113083index 388dcf9..82aa351 100644
113084--- a/mm/memory.c
113085+++ b/mm/memory.c
113086@@ -414,6 +414,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
113087 free_pte_range(tlb, pmd, addr);
113088 } while (pmd++, addr = next, addr != end);
113089
113090+#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
113091 start &= PUD_MASK;
113092 if (start < floor)
113093 return;
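Review bot: The `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)` added after the loop in free_pmd_range() compiles out the whole teardown tail (its `#endif` is in the next hunk, after `mm_dec_nr_pmds(tlb->mm)`), yet nothing says who releases the pmd page in that configuration. A comment above the guard is needed, along the lines of `/* per-CPU PGD on 32-bit x86: pmd pages are not freed here, see <owner> */`, with the real owner filled in. The CONFIG_X86_64 guard in free_pud_range() has the same gap, and its closing hunk also leaves a stray blank line before the function's `}`.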
113094@@ -429,6 +430,7 @@ static inline void free_pmd_range(struct mmu_gather *tlb, pud_t *pud,
113095 pud_clear(pud);
113096 pmd_free_tlb(tlb, pmd, start);
113097 mm_dec_nr_pmds(tlb->mm);
113098+#endif
113099 }
113100
113101 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
113102@@ -448,6 +450,7 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
113103 free_pmd_range(tlb, pud, addr, next, floor, ceiling);
113104 } while (pud++, addr = next, addr != end);
113105
113106+#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
113107 start &= PGDIR_MASK;
113108 if (start < floor)
113109 return;
113110@@ -462,6 +465,8 @@ static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
113111 pud = pud_offset(pgd, start);
113112 pgd_clear(pgd);
113113 pud_free_tlb(tlb, pud, start);
113114+#endif
113115+
113116 }
113117
113118 /*
113119@@ -690,7 +695,7 @@ static void print_bad_pte(struct vm_area_struct *vma, unsigned long addr,
113120 /*
113121 * Choose text because data symbols depend on CONFIG_KALLSYMS_ALL=y
113122 */
113123- pr_alert("file:%pD fault:%pf mmap:%pf readpage:%pf\n",
113124+ pr_alert("file:%pD fault:%pX mmap:%pX readpage:%pX\n",
113125 vma->vm_file,
113126 vma->vm_ops ? vma->vm_ops->fault : NULL,
113127 vma->vm_file ? vma->vm_file->f_op->mmap : NULL,
113128@@ -1463,6 +1468,10 @@ static int insert_page(struct vm_area_struct *vma, unsigned long addr,
113129 page_add_file_rmap(page);
113130 set_pte_at(mm, addr, pte, mk_pte(page, prot));
113131
113132+#ifdef CONFIG_PAX_SEGMEXEC
113133+ pax_mirror_file_pte(vma, addr, page, ptl);
113134+#endif
113135+
113136 retval = 0;
113137 pte_unmap_unlock(pte, ptl);
113138 return retval;
113139@@ -1507,9 +1516,21 @@ int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
113140 if (!page_count(page))
113141 return -EINVAL;
113142 if (!(vma->vm_flags & VM_MIXEDMAP)) {
113143+
113144+#ifdef CONFIG_PAX_SEGMEXEC
113145+ struct vm_area_struct *vma_m;
113146+#endif
113147+
113148 BUG_ON(down_read_trylock(&vma->vm_mm->mmap_sem));
113149 BUG_ON(vma->vm_flags & VM_PFNMAP);
113150 vma->vm_flags |= VM_MIXEDMAP;
113151+
113152+#ifdef CONFIG_PAX_SEGMEXEC
113153+ vma_m = pax_find_mirror_vma(vma);
113154+ if (vma_m)
113155+ vma_m->vm_flags |= VM_MIXEDMAP;
113156+#endif
113157+
113158 }
113159 return insert_page(vma, addr, page, vma->vm_page_prot);
113160 }
113161@@ -1592,6 +1613,7 @@ int vm_insert_mixed(struct vm_area_struct *vma, unsigned long addr,
113162 unsigned long pfn)
113163 {
113164 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
113165+ BUG_ON(vma->vm_mirror);
113166
113167 if (addr < vma->vm_start || addr >= vma->vm_end)
113168 return -EFAULT;
113169@@ -1839,7 +1861,9 @@ static int apply_to_pmd_range(struct mm_struct *mm, pud_t *pud,
113170
113171 BUG_ON(pud_huge(*pud));
113172
113173- pmd = pmd_alloc(mm, pud, addr);
113174+ pmd = (mm == &init_mm) ?
113175+ pmd_alloc_kernel(mm, pud, addr) :
113176+ pmd_alloc(mm, pud, addr);
113177 if (!pmd)
113178 return -ENOMEM;
113179 do {
113180@@ -1859,7 +1883,9 @@ static int apply_to_pud_range(struct mm_struct *mm, pgd_t *pgd,
113181 unsigned long next;
113182 int err;
113183
113184- pud = pud_alloc(mm, pgd, addr);
113185+ pud = (mm == &init_mm) ?
113186+ pud_alloc_kernel(mm, pgd, addr) :
113187+ pud_alloc(mm, pgd, addr);
113188 if (!pud)
113189 return -ENOMEM;
113190 do {
113191@@ -2040,6 +2066,196 @@ static inline int wp_page_reuse(struct mm_struct *mm,
113192 return VM_FAULT_WRITE;
113193 }
113194
113195+#ifdef CONFIG_PAX_SEGMEXEC
113196+static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
113197+{
113198+ struct mm_struct *mm = vma->vm_mm;
113199+ spinlock_t *ptl;
113200+ pte_t *pte, entry;
113201+
113202+ pte = pte_offset_map_lock(mm, pmd, address, &ptl);
113203+ entry = *pte;
113204+ if (pte_none(entry))
113205+ ;
113206+ else if (!pte_present(entry)) {
113207+ swp_entry_t swapentry;
113208+
113209+ swapentry = pte_to_swp_entry(entry);
113210+ if (!non_swap_entry(swapentry))
113211+ dec_mm_counter_fast(mm, MM_SWAPENTS);
113212+ else if (is_migration_entry(swapentry)) {
113213+ if (PageAnon(migration_entry_to_page(swapentry)))
113214+ dec_mm_counter_fast(mm, MM_ANONPAGES);
113215+ else
113216+ dec_mm_counter_fast(mm, MM_FILEPAGES);
113217+ }
113218+ free_swap_and_cache(swapentry);
113219+ pte_clear_not_present_full(mm, address, pte, 0);
113220+ } else {
113221+ struct page *page;
113222+
113223+ flush_cache_page(vma, address, pte_pfn(entry));
113224+ entry = ptep_clear_flush(vma, address, pte);
113225+ BUG_ON(pte_dirty(entry));
113226+ page = vm_normal_page(vma, address, entry);
113227+ if (page) {
113228+ update_hiwater_rss(mm);
113229+ if (PageAnon(page))
113230+ dec_mm_counter_fast(mm, MM_ANONPAGES);
113231+ else
113232+ dec_mm_counter_fast(mm, MM_FILEPAGES);
113233+ page_remove_rmap(page);
113234+ page_cache_release(page);
113235+ }
113236+ }
113237+ pte_unmap_unlock(pte, ptl);
113238+}
113239+
113240+/* PaX: if vma is mirrored, synchronize the mirror's PTE
113241+ *
113242+ * the ptl of the lower mapped page is held on entry and is not released on exit
113243+ * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
113244+ */
113245+static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
113246+{
113247+ struct mm_struct *mm = vma->vm_mm;
113248+ unsigned long address_m;
113249+ spinlock_t *ptl_m;
113250+ struct vm_area_struct *vma_m;
113251+ pmd_t *pmd_m;
113252+ pte_t *pte_m, entry_m;
113253+
113254+ BUG_ON(!page_m || !PageAnon(page_m));
113255+
113256+ vma_m = pax_find_mirror_vma(vma);
113257+ if (!vma_m)
113258+ return;
113259+
113260+ BUG_ON(!PageLocked(page_m));
113261+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
113262+ address_m = address + SEGMEXEC_TASK_SIZE;
113263+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
113264+ pte_m = pte_offset_map(pmd_m, address_m);
113265+ ptl_m = pte_lockptr(mm, pmd_m);
113266+ if (ptl != ptl_m) {
113267+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
113268+ if (!pte_none(*pte_m))
113269+ goto out;
113270+ }
113271+
113272+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
113273+ page_cache_get(page_m);
113274+ page_add_anon_rmap(page_m, vma_m, address_m);
113275+ inc_mm_counter_fast(mm, MM_ANONPAGES);
113276+ set_pte_at(mm, address_m, pte_m, entry_m);
113277+ update_mmu_cache(vma_m, address_m, pte_m);
113278+out:
113279+ if (ptl != ptl_m)
113280+ spin_unlock(ptl_m);
113281+ pte_unmap(pte_m);
113282+ unlock_page(page_m);
113283+}
113284+
113285+void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
113286+{
113287+ struct mm_struct *mm = vma->vm_mm;
113288+ unsigned long address_m;
113289+ spinlock_t *ptl_m;
113290+ struct vm_area_struct *vma_m;
113291+ pmd_t *pmd_m;
113292+ pte_t *pte_m, entry_m;
113293+
113294+ BUG_ON(!page_m || PageAnon(page_m));
113295+
113296+ vma_m = pax_find_mirror_vma(vma);
113297+ if (!vma_m)
113298+ return;
113299+
113300+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
113301+ address_m = address + SEGMEXEC_TASK_SIZE;
113302+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
113303+ pte_m = pte_offset_map(pmd_m, address_m);
113304+ ptl_m = pte_lockptr(mm, pmd_m);
113305+ if (ptl != ptl_m) {
113306+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
113307+ if (!pte_none(*pte_m))
113308+ goto out;
113309+ }
113310+
113311+ entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
113312+ page_cache_get(page_m);
113313+ page_add_file_rmap(page_m);
113314+ inc_mm_counter_fast(mm, MM_FILEPAGES);
113315+ set_pte_at(mm, address_m, pte_m, entry_m);
113316+ update_mmu_cache(vma_m, address_m, pte_m);
113317+out:
113318+ if (ptl != ptl_m)
113319+ spin_unlock(ptl_m);
113320+ pte_unmap(pte_m);
113321+}
113322+
113323+static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
113324+{
113325+ struct mm_struct *mm = vma->vm_mm;
113326+ unsigned long address_m;
113327+ spinlock_t *ptl_m;
113328+ struct vm_area_struct *vma_m;
113329+ pmd_t *pmd_m;
113330+ pte_t *pte_m, entry_m;
113331+
113332+ vma_m = pax_find_mirror_vma(vma);
113333+ if (!vma_m)
113334+ return;
113335+
113336+ BUG_ON(address >= SEGMEXEC_TASK_SIZE);
113337+ address_m = address + SEGMEXEC_TASK_SIZE;
113338+ pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
113339+ pte_m = pte_offset_map(pmd_m, address_m);
113340+ ptl_m = pte_lockptr(mm, pmd_m);
113341+ if (ptl != ptl_m) {
113342+ spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
113343+ if (!pte_none(*pte_m))
113344+ goto out;
113345+ }
113346+
113347+ entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
113348+ set_pte_at(mm, address_m, pte_m, entry_m);
113349+out:
113350+ if (ptl != ptl_m)
113351+ spin_unlock(ptl_m);
113352+ pte_unmap(pte_m);
113353+}
113354+
113355+static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
113356+{
113357+ struct page *page_m;
113358+ pte_t entry;
113359+
113360+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
113361+ goto out;
113362+
113363+ entry = *pte;
113364+ page_m = vm_normal_page(vma, address, entry);
113365+ if (!page_m)
113366+ pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
113367+ else if (PageAnon(page_m)) {
113368+ if (pax_find_mirror_vma(vma)) {
113369+ pte_unmap_unlock(pte, ptl);
113370+ lock_page(page_m);
113371+ pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
113372+ if (pte_same(entry, *pte))
113373+ pax_mirror_anon_pte(vma, address, page_m, ptl);
113374+ else
113375+ unlock_page(page_m);
113376+ }
113377+ } else
113378+ pax_mirror_file_pte(vma, address, page_m, ptl);
113379+
113380+out:
113381+ pte_unmap_unlock(pte, ptl);
113382+}
113383+#endif
113384+
113385 /*
113386 * Handle the case of a page which we actually need to copy to a new page.
113387 *
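Review bot: In pax_mirror_anon_pte(), pax_mirror_file_pte() and pax_mirror_pfn_pte() the `if (!pte_none(*pte_m)) goto out;` test sits inside `if (ptl != ptl_m)`, so when both addresses are covered by the same lock the mirror slot is written by `set_pte_at()` without being looked at. If the slot is guaranteed empty in that case, say so in a comment, e.g. `/* same lock: mirror slot is known to be empty here */` if that is the invariant. Otherwise move the test out of the conditional so that it runs on both paths, because overwriting a populated slot would presumably drop the old mapping without releasing its page reference, rmap entry and counter. The three functions also repeat the same mirror lookup and locking sequence line for line, which a static helper would remove.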
113388@@ -2094,6 +2310,12 @@ static int wp_page_copy(struct mm_struct *mm, struct vm_area_struct *vma,
113389 */
113390 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
113391 if (likely(pte_same(*page_table, orig_pte))) {
113392+
113393+#ifdef CONFIG_PAX_SEGMEXEC
113394+ if (pax_find_mirror_vma(vma))
113395+ BUG_ON(!trylock_page(new_page));
113396+#endif
113397+
113398 if (old_page) {
113399 if (!PageAnon(old_page)) {
113400 dec_mm_counter_fast(mm, MM_FILEPAGES);
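Review bot: `BUG_ON(!trylock_page(new_page))` in wp_page_copy() hides a lock acquisition inside an assertion, and the same pattern is added to do_anonymous_page() and do_cow_fault() in later hunks. Writing it as `if (pax_find_mirror_vma(vma) && !trylock_page(new_page)) BUG();` keeps the side effect visible. The matching unlock happens inside pax_mirror_anon_pte(), which returns early without unlocking when it finds no mirror, so the two `pax_find_mirror_vma()` results must agree; a comment at the lock site should state that pairing. wp_page_copy() starts and ends outside the hunk.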
113401@@ -2148,6 +2370,10 @@ static int wp_page_copy(struct mm_struct *mm, struct vm_area_struct *vma,
113402 page_remove_rmap(old_page);
113403 }
113404
113405+#ifdef CONFIG_PAX_SEGMEXEC
113406+ pax_mirror_anon_pte(vma, address, new_page, ptl);
113407+#endif
113408+
113409 /* Free the old page.. */
113410 new_page = old_page;
113411 page_copied = 1;
113412@@ -2579,6 +2805,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
113413 swap_free(entry);
113414 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
113415 try_to_free_swap(page);
113416+
113417+#ifdef CONFIG_PAX_SEGMEXEC
113418+ if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
113419+#endif
113420+
113421 unlock_page(page);
113422 if (page != swapcache) {
113423 /*
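Review bot: The `if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))` added to do_swap_page() takes `unlock_page(page);` as its body across an `#endif` and a blank line, which is easy to misread as an unconditional unlock. Drop the blank line between `#endif` and `unlock_page(page);` and put a comment above the guard, e.g. `/* mirrored read fault: keep the page locked, pax_mirror_anon_pte() unlocks it */`. The code that releases the lock in that case is in the following hunk and in the new helper, so the pairing cannot be seen from this hunk alone.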
113424@@ -2602,6 +2833,11 @@ static int do_swap_page(struct mm_struct *mm, struct vm_area_struct *vma,
113425
113426 /* No need to invalidate - it was non-present before */
113427 update_mmu_cache(vma, address, page_table);
113428+
113429+#ifdef CONFIG_PAX_SEGMEXEC
113430+ pax_mirror_anon_pte(vma, address, page, ptl);
113431+#endif
113432+
113433 unlock:
113434 pte_unmap_unlock(page_table, ptl);
113435 out:
113436@@ -2621,40 +2857,6 @@ out_release:
113437 }
113438
113439 /*
113440- * This is like a special single-page "expand_{down|up}wards()",
113441- * except we must first make sure that 'address{-|+}PAGE_SIZE'
113442- * doesn't hit another vma.
113443- */
113444-static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
113445-{
113446- address &= PAGE_MASK;
113447- if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
113448- struct vm_area_struct *prev = vma->vm_prev;
113449-
113450- /*
113451- * Is there a mapping abutting this one below?
113452- *
113453- * That's only ok if it's the same stack mapping
113454- * that has gotten split..
113455- */
113456- if (prev && prev->vm_end == address)
113457- return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
113458-
113459- return expand_downwards(vma, address - PAGE_SIZE);
113460- }
113461- if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
113462- struct vm_area_struct *next = vma->vm_next;
113463-
113464- /* As VM_GROWSDOWN but s/below/above/ */
113465- if (next && next->vm_start == address + PAGE_SIZE)
113466- return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
113467-
113468- return expand_upwards(vma, address + PAGE_SIZE);
113469- }
113470- return 0;
113471-}
113472-
113473-/*
113474 * We enter with non-exclusive mmap_sem (to exclude vma changes,
113475 * but allow concurrent faults), and pte mapped but not yet locked.
113476 * We return with mmap_sem still held, but pte unmapped and unlocked.
113477@@ -2664,31 +2866,29 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
113478 unsigned int flags)
113479 {
113480 struct mem_cgroup *memcg;
113481- struct page *page;
113482+ struct page *page = NULL;
113483 spinlock_t *ptl;
113484 pte_t entry;
113485
113486- pte_unmap(page_table);
113487-
113488 /* File mapping without ->vm_ops ? */
113489- if (vma->vm_flags & VM_SHARED)
113490+ if (vma->vm_flags & VM_SHARED) {
113491+ pte_unmap(page_table);
113492 return VM_FAULT_SIGBUS;
113493+ }
113494
113495- /* Check if we need to add a guard page to the stack */
113496- if (check_stack_guard_page(vma, address) < 0)
113497- return VM_FAULT_SIGSEGV;
113498-
113499- /* Use the zero-page for reads */
113500 if (!(flags & FAULT_FLAG_WRITE) && !mm_forbids_zeropage(mm)) {
113501 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
113502 vma->vm_page_prot));
113503- page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
113504+ ptl = pte_lockptr(mm, pmd);
113505+ spin_lock(ptl);
113506 if (!pte_none(*page_table))
113507 goto unlock;
113508 goto setpte;
113509 }
113510
113511 /* Allocate our own private page. */
113512+ pte_unmap(page_table);
113513+
113514 if (unlikely(anon_vma_prepare(vma)))
113515 goto oom;
113516 page = alloc_zeroed_user_highpage_movable(vma, address);
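Review bot: The zero-page branch of do_anonymous_page() now takes the lock with `pte_lockptr()` and `spin_lock()` and reads `*page_table` through the mapping set up by the caller, because the early `pte_unmap(page_table)` was moved into the VM_SHARED return and the allocation path; that dependency is not commented, and the `/* Use the zero-page for reads */` line was dropped without a replacement. I would restore that comment and add `/* page_table is still mapped from the caller; only the lock is taken here */` above the `pte_lockptr()` line. The hunk also removes the `check_stack_guard_page()` call, so the stack guard has to be enforced somewhere else in the patch; that code is not visible here and a comment should point to it. The function continues past the hunk.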
113517@@ -2713,6 +2913,11 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma,
113518 if (!pte_none(*page_table))
113519 goto release;
113520
113521+#ifdef CONFIG_PAX_SEGMEXEC
113522+ if (pax_find_mirror_vma(vma))
113523+ BUG_ON(!trylock_page(page));
113524+#endif
113525+
113526 inc_mm_counter_fast(mm, MM_ANONPAGES);
113527 page_add_new_anon_rmap(page, vma, address);
113528 mem_cgroup_commit_charge(page, memcg, false);
113529@@ -2722,6 +2927,12 @@ setpte:
113530
113531 /* No need to invalidate - it was non-present before */
113532 update_mmu_cache(vma, address, page_table);
113533+
113534+#ifdef CONFIG_PAX_SEGMEXEC
113535+ if (page)
113536+ pax_mirror_anon_pte(vma, address, page, ptl);
113537+#endif
113538+
113539 unlock:
113540 pte_unmap_unlock(page_table, ptl);
113541 return 0;
113542@@ -2954,6 +3165,11 @@ static int do_read_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113543 return ret;
113544 }
113545 do_set_pte(vma, address, fault_page, pte, false, false);
113546+
113547+#ifdef CONFIG_PAX_SEGMEXEC
113548+ pax_mirror_file_pte(vma, address, fault_page, ptl);
113549+#endif
113550+
113551 unlock_page(fault_page);
113552 unlock_out:
113553 pte_unmap_unlock(pte, ptl);
113554@@ -3005,7 +3221,18 @@ static int do_cow_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113555 }
113556 goto uncharge_out;
113557 }
113558+
113559+#ifdef CONFIG_PAX_SEGMEXEC
113560+ if (pax_find_mirror_vma(vma))
113561+ BUG_ON(!trylock_page(new_page));
113562+#endif
113563+
113564 do_set_pte(vma, address, new_page, pte, true, true);
113565+
113566+#ifdef CONFIG_PAX_SEGMEXEC
113567+ pax_mirror_anon_pte(vma, address, new_page, ptl);
113568+#endif
113569+
113570 mem_cgroup_commit_charge(new_page, memcg, false);
113571 lru_cache_add_active_or_unevictable(new_page, vma);
113572 pte_unmap_unlock(pte, ptl);
113573@@ -3063,6 +3290,11 @@ static int do_shared_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113574 return ret;
113575 }
113576 do_set_pte(vma, address, fault_page, pte, true, false);
113577+
113578+#ifdef CONFIG_PAX_SEGMEXEC
113579+ pax_mirror_file_pte(vma, address, fault_page, ptl);
113580+#endif
113581+
113582 pte_unmap_unlock(pte, ptl);
113583
113584 if (set_page_dirty(fault_page))
113585@@ -3288,6 +3520,12 @@ static int handle_pte_fault(struct mm_struct *mm,
113586 if (flags & FAULT_FLAG_WRITE)
113587 flush_tlb_fix_spurious_fault(vma, address);
113588 }
113589+
113590+#ifdef CONFIG_PAX_SEGMEXEC
113591+ pax_mirror_pte(vma, address, pte, pmd, ptl);
113592+ return 0;
113593+#endif
113594+
113595 unlock:
113596 pte_unmap_unlock(pte, ptl);
113597 return 0;
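Review bot: With CONFIG_PAX_SEGMEXEC the tail of handle_pte_fault() returns straight after `pax_mirror_pte()`, and nothing at the call says that the helper itself unmaps the pte and drops `ptl`. A reader who sees `return 0;` ahead of `pte_unmap_unlock(pte, ptl)` will assume a leaked lock. Add `/* pax_mirror_pte() unmaps pte and releases ptl */` above the call; the `unlock:` label below is then reached only by `goto`.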
113598@@ -3307,9 +3545,41 @@ static int __handle_mm_fault(struct mm_struct *mm, struct vm_area_struct *vma,
113599 pmd_t *pmd;
113600 pte_t *pte;
113601
113602+#ifdef CONFIG_PAX_SEGMEXEC
113603+ struct vm_area_struct *vma_m;
113604+#endif
113605+
113606 if (unlikely(is_vm_hugetlb_page(vma)))
113607 return hugetlb_fault(mm, vma, address, flags);
113608
113609+#ifdef CONFIG_PAX_SEGMEXEC
113610+ vma_m = pax_find_mirror_vma(vma);
113611+ if (vma_m) {
113612+ unsigned long address_m;
113613+ pgd_t *pgd_m;
113614+ pud_t *pud_m;
113615+ pmd_t *pmd_m;
113616+
113617+ if (vma->vm_start > vma_m->vm_start) {
113618+ address_m = address;
113619+ address -= SEGMEXEC_TASK_SIZE;
113620+ vma = vma_m;
113621+ } else
113622+ address_m = address + SEGMEXEC_TASK_SIZE;
113623+
113624+ pgd_m = pgd_offset(mm, address_m);
113625+ pud_m = pud_alloc(mm, pgd_m, address_m);
113626+ if (!pud_m)
113627+ return VM_FAULT_OOM;
113628+ pmd_m = pmd_alloc(mm, pud_m, address_m);
113629+ if (!pmd_m)
113630+ return VM_FAULT_OOM;
113631+ if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
113632+ return VM_FAULT_OOM;
113633+ pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
113634+ }
113635+#endif
113636+
113637 pgd = pgd_offset(mm, address);
113638 pud = pud_alloc(mm, pgd, address);
113639 if (!pud)
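Review bot: The mirror block in __handle_mm_fault() rewrites `vma` and `address` to the lower half when the fault came in through the upper mapping, and calls `pax_unmap_mirror_pte()` before the primary fault is known to succeed; neither step is commented. A short block comment above `vma_m = pax_find_mirror_vma(vma);` should say that the fault is always resolved on the lower vma and that the mirror slot is emptied first, presumably so that the fault handlers can refill it. The comparison `vma->vm_start > vma_m->vm_start` decides which of the two is the upper mapping and deserves a word as well. The function body continues outside the hunk.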
113640@@ -3444,6 +3714,23 @@ int __pud_alloc(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
113641 spin_unlock(&mm->page_table_lock);
113642 return 0;
113643 }
113644+
113645+int __pud_alloc_kernel(struct mm_struct *mm, pgd_t *pgd, unsigned long address)
113646+{
113647+ pud_t *new = pud_alloc_one(mm, address);
113648+ if (!new)
113649+ return -ENOMEM;
113650+
113651+ smp_wmb(); /* See comment in __pte_alloc */
113652+
113653+ spin_lock(&mm->page_table_lock);
113654+ if (pgd_present(*pgd)) /* Another has populated it */
113655+ pud_free(mm, new);
113656+ else
113657+ pgd_populate_kernel(mm, pgd, new);
113658+ spin_unlock(&mm->page_table_lock);
113659+ return 0;
113660+}
113661 #endif /* __PAGETABLE_PUD_FOLDED */
113662
113663 #ifndef __PAGETABLE_PMD_FOLDED
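Review bot: __pud_alloc_kernel() repeats the barrier, lock and populate sequence of __pud_alloc(), whose tail is this hunk's context, with only the populate call changed to `pgd_populate_kernel()`; __pmd_alloc_kernel() in the next hunk does the same, including both `__ARCH_HAS_4LEVEL_HACK` arms. Two copies of that sequence will drift, so a shared static helper, or at least a comment on each function naming the one it must track, would help. Neither function has a header comment saying it is meant for `init_mm`, which is the only case in which the apply_to_pud_range() and apply_to_pmd_range() hunks choose the `_kernel` allocators.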
113664@@ -3476,6 +3763,32 @@ int __pmd_alloc(struct mm_struct *mm, pud_t *pud, unsigned long address)
113665 spin_unlock(&mm->page_table_lock);
113666 return 0;
113667 }
113668+
113669+int __pmd_alloc_kernel(struct mm_struct *mm, pud_t *pud, unsigned long address)
113670+{
113671+ pmd_t *new = pmd_alloc_one(mm, address);
113672+ if (!new)
113673+ return -ENOMEM;
113674+
113675+ smp_wmb(); /* See comment in __pte_alloc */
113676+
113677+ spin_lock(&mm->page_table_lock);
113678+#ifndef __ARCH_HAS_4LEVEL_HACK
113679+ if (!pud_present(*pud)) {
113680+ mm_inc_nr_pmds(mm);
113681+ pud_populate_kernel(mm, pud, new);
113682+ } else /* Another has populated it */
113683+ pmd_free(mm, new);
113684+#else
113685+ if (!pgd_present(*pud)) {
113686+ mm_inc_nr_pmds(mm);
113687+ pgd_populate_kernel(mm, pud, new);
113688+ } else /* Another has populated it */
113689+ pmd_free(mm, new);
113690+#endif /* __ARCH_HAS_4LEVEL_HACK */
113691+ spin_unlock(&mm->page_table_lock);
113692+ return 0;
113693+}
113694 #endif /* __PAGETABLE_PMD_FOLDED */
113695
113696 static int __follow_pte(struct mm_struct *mm, unsigned long address,
113697@@ -3585,8 +3898,8 @@ out:
113698 return ret;
113699 }
113700
113701-int generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
113702- void *buf, int len, int write)
113703+ssize_t generic_access_phys(struct vm_area_struct *vma, unsigned long addr,
113704+ void *buf, size_t len, int write)
113705 {
113706 resource_size_t phys_addr;
113707 unsigned long prot = 0;
113708@@ -3612,8 +3925,8 @@ EXPORT_SYMBOL_GPL(generic_access_phys);
113709 * Access another process' address space as given in mm. If non-NULL, use the
113710 * given task for page fault accounting.
113711 */
113712-static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113713- unsigned long addr, void *buf, int len, int write)
113714+static ssize_t __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113715+ unsigned long addr, void *buf, size_t len, int write)
113716 {
113717 struct vm_area_struct *vma;
113718 void *old_buf = buf;
113719@@ -3621,7 +3934,7 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113720 down_read(&mm->mmap_sem);
113721 /* ignore errors, just check how much was successfully transferred */
113722 while (len) {
113723- int bytes, ret, offset;
113724+ ssize_t bytes, ret, offset;
113725 void *maddr;
113726 struct page *page = NULL;
113727
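Review bot: `ssize_t bytes, ret, offset;` in __access_remote_vm() makes the in-page offset and the chunk size signed while `len` becomes `size_t` in the previous hunk, so any comparison or subtraction between them in the loop body, which is outside this hunk, is now a mixed-sign operation. `offset` is never negative and would be clearer as `size_t offset;`, leaving `ssize_t` for `ret` and `bytes`. The widened prototypes of generic_access_phys(), access_remote_vm() and access_process_vm() in the neighbouring hunks also mean a `len` above the largest `ssize_t` cannot be reported in the return value; a comment on the return contract should say what callers may pass.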
113728@@ -3682,8 +3995,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
113729 *
113730 * The caller must hold a reference on @mm.
113731 */
113732-int access_remote_vm(struct mm_struct *mm, unsigned long addr,
113733- void *buf, int len, int write)
113734+ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
113735+ void *buf, size_t len, int write)
113736 {
113737 return __access_remote_vm(NULL, mm, addr, buf, len, write);
113738 }
113739@@ -3693,11 +4006,11 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
113740 * Source/target buffer must be kernel space,
113741 * Do not walk the page table directly, use get_user_pages
113742 */
113743-int access_process_vm(struct task_struct *tsk, unsigned long addr,
113744- void *buf, int len, int write)
113745+ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr,
113746+ void *buf, size_t len, int write)
113747 {
113748 struct mm_struct *mm;
113749- int ret;
113750+ ssize_t ret;
113751
113752 mm = get_task_mm(tsk);
113753 if (!mm)
113754diff --git a/mm/mempolicy.c b/mm/mempolicy.c
113755index 99d4c1d..a577817 100644
113756--- a/mm/mempolicy.c
113757+++ b/mm/mempolicy.c
113758@@ -703,6 +703,10 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
113759 unsigned long vmstart;
113760 unsigned long vmend;
113761
113762+#ifdef CONFIG_PAX_SEGMEXEC
113763+ struct vm_area_struct *vma_m;
113764+#endif
113765+
113766 vma = find_vma(mm, start);
113767 if (!vma || vma->vm_start > start)
113768 return -EFAULT;
113769@@ -746,6 +750,16 @@ static int mbind_range(struct mm_struct *mm, unsigned long start,
113770 err = vma_replace_policy(vma, new_pol);
113771 if (err)
113772 goto out;
113773+
113774+#ifdef CONFIG_PAX_SEGMEXEC
113775+ vma_m = pax_find_mirror_vma(vma);
113776+ if (vma_m) {
113777+ err = vma_replace_policy(vma_m, new_pol);
113778+ if (err)
113779+ goto out;
113780+ }
113781+#endif
113782+
113783 }
113784
113785 out:
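Review bot: In mbind_range() the mirror update runs after `vma_replace_policy(vma, new_pol)` has already succeeded, so a failure of `vma_replace_policy(vma_m, new_pol)` leaves through `goto out` with the two halves holding different policies. Either restore the previous policy on the primary vma before bailing out, or add a comment stating that the mismatch is acceptable, e.g. `/* mirror keeps the old policy on failure; caller sees err */`. The loop and the rest of the function are outside the hunk.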
113786@@ -1161,6 +1175,17 @@ static long do_mbind(unsigned long start, unsigned long len,
113787
113788 if (end < start)
113789 return -EINVAL;
113790+
113791+#ifdef CONFIG_PAX_SEGMEXEC
113792+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
113793+ if (end > SEGMEXEC_TASK_SIZE)
113794+ return -EINVAL;
113795+ } else
113796+#endif
113797+
113798+ if (end > TASK_SIZE)
113799+ return -EINVAL;
113800+
113801 if (end == start)
113802 return 0;
113803
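Review bot: The bounds check added to do_mbind() ends the `#ifdef` block on a dangling `} else`, so `if (end > TASK_SIZE)` is an else-branch in one configuration and a plain statement in the other, with a blank line in between. A local limit chosen once reads the same in both configurations and keeps control flow out of the preprocessor block. `task_size` would be declared with the function's other locals, which are outside the hunk.

```c
	/* with the other locals: unsigned long task_size = TASK_SIZE; */

#ifdef CONFIG_PAX_SEGMEXEC
	if (mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif
	if (end > task_size)
		return -EINVAL;
```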
113804@@ -1386,8 +1411,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
113805 */
113806 tcred = __task_cred(task);
113807 if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
113808- !uid_eq(cred->uid, tcred->suid) && !uid_eq(cred->uid, tcred->uid) &&
113809- !capable(CAP_SYS_NICE)) {
113810+ !uid_eq(cred->uid, tcred->suid) && !capable(CAP_SYS_NICE)) {
113811 rcu_read_unlock();
113812 err = -EPERM;
113813 goto out_put;
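Review bot: The permission test in migrate_pages() loses `!uid_eq(cred->uid, tcred->uid)`, so a caller whose real uid equals the target's real uid is no longer accepted on that ground, and the identical edit is made to move_pages() in mm/migrate.c. The comment block that ends just above `tcred = __task_cred(task);` starts outside the hunk and probably still describes the old rule; it should be updated in both places. Since the two syscalls must keep the same rule, a shared static inline helper for the credential test would stop them from diverging.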
113814@@ -1418,6 +1442,15 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pid, unsigned long, maxnode,
113815 goto out;
113816 }
113817
113818+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
113819+ if (mm != current->mm &&
113820+ (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
113821+ mmput(mm);
113822+ err = -EPERM;
113823+ goto out;
113824+ }
113825+#endif
113826+
113827 err = do_migrate_pages(mm, old, new,
113828 capable(CAP_SYS_NICE) ? MPOL_MF_MOVE_ALL : MPOL_MF_MOVE);
113829
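Review bot: The condition `mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC` in migrate_pages() tests the same word twice and leans on operator precedence; `(mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))` says the same with one mask. The refusal applies to every caller other than the task itself, including one holding CAP_SYS_NICE. If that is the intent, a comment such as `/* never migrate pages of another task's randomized or mirrored address space */` would record it.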
113830diff --git a/mm/migrate.c b/mm/migrate.c
113831index fcb6204..b3f1a44 100644
113832--- a/mm/migrate.c
113833+++ b/mm/migrate.c
113834@@ -1501,8 +1501,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, unsigned long, nr_pages,
113835 */
113836 tcred = __task_cred(task);
113837 if (!uid_eq(cred->euid, tcred->suid) && !uid_eq(cred->euid, tcred->uid) &&
113838- !uid_eq(cred->uid, tcred->suid) && !uid_eq(cred->uid, tcred->uid) &&
113839- !capable(CAP_SYS_NICE)) {
113840+ !uid_eq(cred->uid, tcred->suid) && !capable(CAP_SYS_NICE)) {
113841 rcu_read_unlock();
113842 err = -EPERM;
113843 goto out;
113844diff --git a/mm/mlock.c b/mm/mlock.c
113845index 6fd2cf1..cbae765 100644
113846--- a/mm/mlock.c
113847+++ b/mm/mlock.c
113848@@ -14,6 +14,7 @@
113849 #include <linux/pagevec.h>
113850 #include <linux/mempolicy.h>
113851 #include <linux/syscalls.h>
113852+#include <linux/security.h>
113853 #include <linux/sched.h>
113854 #include <linux/export.h>
113855 #include <linux/rmap.h>
113856@@ -557,7 +558,7 @@ static int do_mlock(unsigned long start, size_t len, int on)
113857 {
113858 unsigned long nstart, end, tmp;
113859 struct vm_area_struct * vma, * prev;
113860- int error;
113861+ int error = 0;
113862
113863 VM_BUG_ON(start & ~PAGE_MASK);
113864 VM_BUG_ON(len != PAGE_ALIGN(len));
113865@@ -566,6 +567,9 @@ static int do_mlock(unsigned long start, size_t len, int on)
113866 return -EINVAL;
113867 if (end == start)
113868 return 0;
113869+ if (end > TASK_SIZE)
113870+ return -EINVAL;
113871+
113872 vma = find_vma(current->mm, start);
113873 if (!vma || vma->vm_start > start)
113874 return -ENOMEM;
113875@@ -577,6 +581,11 @@ static int do_mlock(unsigned long start, size_t len, int on)
113876 for (nstart = start ; ; ) {
113877 vm_flags_t newflags;
113878
113879+#ifdef CONFIG_PAX_SEGMEXEC
113880+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
113881+ break;
113882+#endif
113883+
113884 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
113885
113886 newflags = vma->vm_flags & ~VM_LOCKED;
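Review bot: The `break` added at the top of the do_mlock() loop leaves with `error` still at the `0` given to it by the earlier `int error = 0;` hunk, so a request that reaches a vma at or above `SEGMEXEC_TASK_SIZE` appears to be reported as success although nothing was changed for that part of the range; the code after the loop is outside the hunk, so this is inferred. do_mbind() in mm/mempolicy.c rejects such a range with `-EINVAL` instead. If silent truncation is intended, add `/* mirror half is not user-lockable: stop without error */`; otherwise set `error = -EINVAL;` before the `break`. The same `break` is added to do_mlockall().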
113887@@ -627,6 +636,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, start, size_t, len)
113888 locked += current->mm->locked_vm;
113889
113890 /* check against resource limits */
113891+ gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
113892 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
113893 error = do_mlock(start, len, 1);
113894
113895@@ -668,6 +678,11 @@ static int do_mlockall(int flags)
113896 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
113897 vm_flags_t newflags;
113898
113899+#ifdef CONFIG_PAX_SEGMEXEC
113900+ if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
113901+ break;
113902+#endif
113903+
113904 newflags = vma->vm_flags & ~VM_LOCKED;
113905 if (flags & MCL_CURRENT)
113906 newflags |= VM_LOCKED;
113907@@ -699,8 +714,10 @@ SYSCALL_DEFINE1(mlockall, int, flags)
113908 lock_limit >>= PAGE_SHIFT;
113909
113910 ret = -ENOMEM;
113911+
113912+ gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
113913+
113914 down_write(&current->mm->mmap_sem);
113915-
113916 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
113917 capable(CAP_IPC_LOCK))
113918 ret = do_mlockall(flags);
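Review bot: `gr_learn_resource()` in mlockall() reads `current->mm->total_vm` before `down_write(&current->mm->mmap_sem)`, whereas the limit test two lines later reads the same field under the semaphore. The learned value can therefore differ from the one that is enforced. Either move the call below `down_write()`, or add a comment saying why it has to run unlocked, e.g. `/* read without mmap_sem because <reason> */` with the real reason filled in.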
113919diff --git a/mm/mm_init.c b/mm/mm_init.c
113920index fdadf91..5f527d1 100644
113921--- a/mm/mm_init.c
113922+++ b/mm/mm_init.c
113923@@ -170,7 +170,7 @@ static int __meminit mm_compute_batch_notifier(struct notifier_block *self,
113924 return NOTIFY_OK;
113925 }
113926
113927-static struct notifier_block compute_batch_nb __meminitdata = {
113928+static struct notifier_block compute_batch_nb __meminitconst = {
113929 .notifier_call = mm_compute_batch_notifier,
113930 .priority = IPC_CALLBACK_PRI, /* use lowest priority */
113931 };
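Review bot: `compute_batch_nb` is moved to `__meminitconst` but is still declared without `const`, and a notifier block is normally written to when it is linked into a chain. Unless the patch makes the structure constant elsewhere and the registration in this file (outside the hunk) copes with that, this risks a section type conflict at build time or a write to read-only data. Either declare it `static const struct notifier_block compute_batch_nb __meminitconst` if it really is never written, or keep `__meminitdata`.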
113932diff --git a/mm/mmap.c b/mm/mmap.c
113933index aa632ad..13456342 100644
113934--- a/mm/mmap.c
113935+++ b/mm/mmap.c
113936@@ -41,6 +41,7 @@
113937 #include <linux/notifier.h>
113938 #include <linux/memory.h>
113939 #include <linux/printk.h>
113940+#include <linux/random.h>
113941
113942 #include <asm/uaccess.h>
113943 #include <asm/cacheflush.h>
113944@@ -57,6 +58,16 @@
113945 #define arch_rebalance_pgtables(addr, len) (addr)
113946 #endif
113947
113948+static inline void verify_mm_writelocked(struct mm_struct *mm)
113949+{
113950+#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
113951+ if (unlikely(down_read_trylock(&mm->mmap_sem))) {
113952+ up_read(&mm->mmap_sem);
113953+ BUG();
113954+ }
113955+#endif
113956+}
113957+
113958 static void unmap_region(struct mm_struct *mm,
113959 struct vm_area_struct *vma, struct vm_area_struct *prev,
113960 unsigned long start, unsigned long end);
113961@@ -76,16 +87,25 @@ static void unmap_region(struct mm_struct *mm,
113962 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
113963 *
113964 */
113965-pgprot_t protection_map[16] = {
113966+pgprot_t protection_map[16] __read_only = {
113967 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
113968 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
113969 };
113970
113971-pgprot_t vm_get_page_prot(unsigned long vm_flags)
113972+pgprot_t vm_get_page_prot(vm_flags_t vm_flags)
113973 {
113974- return __pgprot(pgprot_val(protection_map[vm_flags &
113975+ pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
113976 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
113977 pgprot_val(arch_vm_get_page_prot(vm_flags)));
113978+
113979+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
113980+ if (!(__supported_pte_mask & _PAGE_NX) &&
113981+ (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
113982+ (vm_flags & (VM_READ | VM_WRITE)))
113983+ prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
113984+#endif
113985+
113986+ return prot;
113987 }
113988 EXPORT_SYMBOL(vm_get_page_prot);
113989
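Review bot: The PAGEEXEC branch added to vm_get_page_prot() has no comment, and both its three-part condition and the nested `__pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))))` conversion are hard to follow. From the visible tests it applies when `_PAGE_NX` is not in `__supported_pte_mask`, VM_PAGEEXEC is set without VM_EXEC, and the mapping is readable or writable. A one-line comment would do: `/* no hardware NX: readable/writable non-exec PAGEEXEC mappings get pte_exprotect() applied */`. The parameter type also changes to `vm_flags_t`, so the prototype in the header (outside this hunk) has to change with it.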
113990@@ -114,6 +134,7 @@ unsigned long sysctl_overcommit_kbytes __read_mostly;
113991 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
113992 unsigned long sysctl_user_reserve_kbytes __read_mostly = 1UL << 17; /* 128MB */
113993 unsigned long sysctl_admin_reserve_kbytes __read_mostly = 1UL << 13; /* 8MB */
113994+unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
113995 /*
113996 * Make sure vm_committed_as in one cacheline and not cacheline shared with
113997 * other variables. It can be updated by several CPUs frequently.
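Review bot: sysctl_heap_stack_gap is added without a comment giving its unit or meaning, and the hunk does not show what range its sysctl handler accepts. Later hunks compare it against byte address differences, so `64*1024` is 64 KiB; a value of 0 makes the gap tests in check_heap_stack_gap() pass trivially, and a very large value makes them fail for every candidate address. I would add `/* bytes kept free between a stack VMA and its neighbour; 0 disables the gap */` and confirm, where the sysctl table entry is defined, that a sensible minimum and maximum are enforced.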
113998@@ -271,6 +292,7 @@ static struct vm_area_struct *remove_vma(struct vm_area_struct *vma)
113999 struct vm_area_struct *next = vma->vm_next;
114000
114001 might_sleep();
114002+ BUG_ON(vma->vm_mirror);
114003 if (vma->vm_ops && vma->vm_ops->close)
114004 vma->vm_ops->close(vma);
114005 if (vma->vm_file)
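Review bot: `BUG_ON(vma->vm_mirror);` in remove_vma() is not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`, while every other use of `vm_mirror` in the hunks of this file is. If the field is declared only under that option (the struct definition is not visible here), this line breaks the build with SEGMEXEC disabled; if it is declared unconditionally, the guards elsewhere are the inconsistent part. Either way a short comment such as `/* a VMA must be detached from its SEGMEXEC mirror before it is freed */` would explain what the assertion protects. remove_vma's body continues outside the hunk.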
114006@@ -284,6 +306,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len);
114007
114008 SYSCALL_DEFINE1(brk, unsigned long, brk)
114009 {
114010+ unsigned long rlim;
114011 unsigned long retval;
114012 unsigned long newbrk, oldbrk;
114013 struct mm_struct *mm = current->mm;
114014@@ -314,7 +337,13 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
114015 * segment grow beyond its set limit the in case where the limit is
114016 * not page aligned -Ram Gupta
114017 */
114018- if (check_data_rlimit(rlimit(RLIMIT_DATA), brk, mm->start_brk,
114019+ rlim = rlimit(RLIMIT_DATA);
114020+#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
114021+ /* force a minimum 16MB brk heap on setuid/setgid binaries */
114022+ if (rlim < PAGE_SIZE && (get_dumpable(mm) != SUID_DUMP_USER) && gr_is_global_nonroot(current_uid()))
114023+ rlim = 4096 * PAGE_SIZE;
114024+#endif
114025+ if (check_data_rlimit(rlim, brk, mm->start_brk,
114026 mm->end_data, mm->start_data))
114027 goto out;
114028
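Review bot: The added comment promises a 16MB minimum heap, but `4096 * PAGE_SIZE` is 16MB only with 4 KiB pages and grows with the page size. The comment also says setuid/setgid binaries, while the test is `get_dumpable(mm) != SUID_DUMP_USER` combined with gr_is_global_nonroot(), which may cover other non-dumpable tasks as well (neither helper is visible here). Either write the floor as `rlim = 16UL << 20;` or reword the comment to `/* raise a sub-page RLIMIT_DATA to 4096 pages for non-dumpable tasks of non-root users */`. The override applies only when the limit is below one page, which the comment should mention.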
114029@@ -967,6 +996,12 @@ static int
114030 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
114031 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
114032 {
114033+
114034+#ifdef CONFIG_PAX_SEGMEXEC
114035+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
114036+ return 0;
114037+#endif
114038+
114039 if (is_mergeable_vma(vma, file, vm_flags) &&
114040 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
114041 if (vma->vm_pgoff == vm_pgoff)
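Review bot: The SEGMEXEC early return added at the top of can_vma_merge_before() has no comment explaining why a VMA starting exactly at SEGMEXEC_TASK_SIZE must never be merged into, and the next hunk adds the mirrored test on `vm_end` in can_vma_merge_after() equally undocumented. From the condition it looks like the intent is to keep any VMA from spanning the boundary between the two halves of the address space, but that is an inference. I would add `/* never let a merge cross SEGMEXEC_TASK_SIZE */` above each test and drop the blank line the patch inserts between the opening brace and the `#ifdef`.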
114042@@ -986,6 +1021,12 @@ static int
114043 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
114044 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
114045 {
114046+
114047+#ifdef CONFIG_PAX_SEGMEXEC
114048+ if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
114049+ return 0;
114050+#endif
114051+
114052 if (is_mergeable_vma(vma, file, vm_flags) &&
114053 is_mergeable_anon_vma(anon_vma, vma->anon_vma, vma)) {
114054 pgoff_t vm_pglen;
114055@@ -1035,6 +1076,13 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
114056 struct vm_area_struct *area, *next;
114057 int err;
114058
114059+#ifdef CONFIG_PAX_SEGMEXEC
114060+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
114061+ struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
114062+
114063+ BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
114064+#endif
114065+
114066 /*
114067 * We later require that vma->vm_flags == vm_flags,
114068 * so this tests vma->vm_flags & VM_SPECIAL, too.
114069@@ -1050,6 +1098,15 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
114070 if (next && next->vm_end == end) /* cases 6, 7, 8 */
114071 next = next->vm_next;
114072
114073+#ifdef CONFIG_PAX_SEGMEXEC
114074+ if (prev)
114075+ prev_m = pax_find_mirror_vma(prev);
114076+ if (area)
114077+ area_m = pax_find_mirror_vma(area);
114078+ if (next)
114079+ next_m = pax_find_mirror_vma(next);
114080+#endif
114081+
114082 /*
114083 * Can it merge with the predecessor?
114084 */
114085@@ -1069,9 +1126,24 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
114086 /* cases 1, 6 */
114087 err = vma_adjust(prev, prev->vm_start,
114088 next->vm_end, prev->vm_pgoff, NULL);
114089- } else /* cases 2, 5, 7 */
114090+
114091+#ifdef CONFIG_PAX_SEGMEXEC
114092+ if (!err && prev_m)
114093+ err = vma_adjust(prev_m, prev_m->vm_start,
114094+ next_m->vm_end, prev_m->vm_pgoff, NULL);
114095+#endif
114096+
114097+ } else { /* cases 2, 5, 7 */
114098 err = vma_adjust(prev, prev->vm_start,
114099 end, prev->vm_pgoff, NULL);
114100+
114101+#ifdef CONFIG_PAX_SEGMEXEC
114102+ if (!err && prev_m)
114103+ err = vma_adjust(prev_m, prev_m->vm_start,
114104+ end_m, prev_m->vm_pgoff, NULL);
114105+#endif
114106+
114107+ }
114108 if (err)
114109 return NULL;
114110 khugepaged_enter_vma_merge(prev, vm_flags);
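Review bot: When the primary vma_adjust() succeeds and the mirror's vma_adjust() then fails (cases 1/6 and 2/5/7 here, cases 4 and 3/8 in the next hunk), vma_merge() returns NULL with the primary VMA already resized and its mirror unchanged. pax_find_mirror_vma() later asserts that both halves have the same length, so such a partial failure would surface as a BUG_ON rather than a clean error; whether vma_adjust() can actually fail on these paths is not visible from the hunk. The cases 1/6 branch also dereferences `next_m` after testing only `prev_m`, relying on prev and next carrying identical flags; `BUG_ON(!next_m);` before the call would make that assumption explicit. vma_merge's body starts and ends outside this hunk.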
114111@@ -1085,12 +1157,27 @@ struct vm_area_struct *vma_merge(struct mm_struct *mm,
114112 mpol_equal(policy, vma_policy(next)) &&
114113 can_vma_merge_before(next, vm_flags,
114114 anon_vma, file, pgoff+pglen)) {
114115- if (prev && addr < prev->vm_end) /* case 4 */
114116+ if (prev && addr < prev->vm_end) { /* case 4 */
114117 err = vma_adjust(prev, prev->vm_start,
114118 addr, prev->vm_pgoff, NULL);
114119- else /* cases 3, 8 */
114120+
114121+#ifdef CONFIG_PAX_SEGMEXEC
114122+ if (!err && prev_m)
114123+ err = vma_adjust(prev_m, prev_m->vm_start,
114124+ addr_m, prev_m->vm_pgoff, NULL);
114125+#endif
114126+
114127+ } else { /* cases 3, 8 */
114128 err = vma_adjust(area, addr, next->vm_end,
114129 next->vm_pgoff - pglen, NULL);
114130+
114131+#ifdef CONFIG_PAX_SEGMEXEC
114132+ if (!err && area_m)
114133+ err = vma_adjust(area_m, addr_m, next_m->vm_end,
114134+ next_m->vm_pgoff - pglen, NULL);
114135+#endif
114136+
114137+ }
114138 if (err)
114139 return NULL;
114140 khugepaged_enter_vma_merge(area, vm_flags);
114141@@ -1199,8 +1286,10 @@ none:
114142 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
114143 struct file *file, long pages)
114144 {
114145- const unsigned long stack_flags
114146- = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
114147+
114148+#ifdef CONFIG_PAX_RANDMMAP
114149+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
114150+#endif
114151
114152 mm->total_vm += pages;
114153
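Review bot: The `if` added to vm_stat_account() sits inside `#ifdef CONFIG_PAX_RANDMMAP` without braces and is separated by `#endif` and a blank line from the only statement it governs, `mm->total_vm += pages;`. A reader, or a later patch inserting a line in that gap, can easily get the scope wrong. The same construction appears in mmap_region (before the may_expand_vm check), arch_get_unmapped_area, arch_get_unmapped_area_topdown (where a comment line falls between the `if` and its body) and split_vma (`} else` directly before `#endif`). I would remove the blank line, indent the governed statement one level, and add `/* with RANDMMAP, only mappings with some VM_MAY* bit count toward total_vm */` above the test.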
114154@@ -1208,7 +1297,7 @@ void vm_stat_account(struct mm_struct *mm, unsigned long flags,
114155 mm->shared_vm += pages;
114156 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
114157 mm->exec_vm += pages;
114158- } else if (flags & stack_flags)
114159+ } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
114160 mm->stack_vm += pages;
114161 }
114162 #endif /* CONFIG_PROC_FS */
114163@@ -1238,6 +1327,7 @@ static inline int mlock_future_check(struct mm_struct *mm,
114164 locked += mm->locked_vm;
114165 lock_limit = rlimit(RLIMIT_MEMLOCK);
114166 lock_limit >>= PAGE_SHIFT;
114167+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
114168 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
114169 return -EAGAIN;
114170 }
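Review bot: `locked << PAGE_SHIFT` turns a page count back into bytes, and on 32-bit that shift can wrap when the count is large; the surrounding code avoids this by shifting the limit down to pages (`lock_limit >>= PAGE_SHIFT`) rather than shifting the count up. A wrapped value would make gr_learn_resource() see a small request where a very large one was made, so whatever it records would understate the usage (its prototype and `locked`'s declaration are outside the hunk). If the parameter is 64-bit, `(unsigned long long)locked << PAGE_SHIFT` fixes it; otherwise the value should be saturated before the call. The same expression is added in acct_stack_growth() further down.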
114171@@ -1267,7 +1357,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
114172 * (the exception is when the underlying filesystem is noexec
114173 * mounted, in which case we dont add PROT_EXEC.)
114174 */
114175- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
114176+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
114177 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
114178 prot |= PROT_EXEC;
114179
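Review bot: With `PROT_READ | PROT_WRITE` in the test, a write-only request under the READ_IMPLIES_EXEC personality now also gains PROT_EXEC, which widens what becomes executable compared with the removed line. The comment above the test (only its tail is inside this hunk) is left as it was and presumably still speaks of PROT_READ alone. If the widening is intended, the comment should say so, for example `/* PROT_WRITE is treated like PROT_READ for READ_IMPLIES_EXEC */` together with the reason. The rewritten line also runs well past 80 columns.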
114180@@ -1290,7 +1380,7 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
114181 /* Obtain the address to map to. we verify (or select) it and ensure
114182 * that it represents a valid section of the address space.
114183 */
114184- addr = get_unmapped_area(file, addr, len, pgoff, flags);
114185+ addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
114186 if (addr & ~PAGE_MASK)
114187 return addr;
114188
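Review bot: `MAP_EXECUTABLE` is a flag that userspace can already pass in `flags`, and this line reuses it to tell get_unmapped_area() that the request is PROT_EXEC, so a caller-supplied MAP_EXECUTABLE on a non-executable mapping looks the same as the internal signal. Whether `flags` is masked earlier in do_mmap_pgoff() is outside this hunk, so this may be harmless, but it needs a comment such as `/* MAP_EXECUTABLE marks PROT_EXEC requests for the address picker */`. Computing the value into a local first would also keep the call under 80 columns.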
114189@@ -1301,6 +1391,43 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
114190 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
114191 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
114192
114193+#ifdef CONFIG_PAX_MPROTECT
114194+ if (mm->pax_flags & MF_PAX_MPROTECT) {
114195+
114196+#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
114197+ if (file && !pgoff && (vm_flags & VM_EXEC) && mm->binfmt &&
114198+ mm->binfmt->handle_mmap)
114199+ mm->binfmt->handle_mmap(file);
114200+#endif
114201+
114202+#ifndef CONFIG_PAX_MPROTECT_COMPAT
114203+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
114204+ gr_log_rwxmmap(file);
114205+
114206+#ifdef CONFIG_PAX_EMUPLT
114207+ vm_flags &= ~VM_EXEC;
114208+#else
114209+ return -EPERM;
114210+#endif
114211+
114212+ }
114213+
114214+ if (!(vm_flags & VM_EXEC))
114215+ vm_flags &= ~VM_MAYEXEC;
114216+#else
114217+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
114218+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
114219+#endif
114220+ else
114221+ vm_flags &= ~VM_MAYWRITE;
114222+ }
114223+#endif
114224+
114225+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
114226+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
114227+ vm_flags &= ~VM_PAGEEXEC;
114228+#endif
114229+
114230 if (flags & MAP_LOCKED)
114231 if (!can_do_mlock())
114232 return -EPERM;
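Review bot: The `else vm_flags &= ~VM_MAYWRITE;` after the inner `#endif` in the PAX_MPROTECT block pairs with a different `if` depending on CONFIG_PAX_MPROTECT_COMPAT, so the control flow cannot be read without expanding the preprocessor by hand. Giving each branch its own `else` keeps the behaviour and makes both variants readable on their own, as sketched below. Separately, with CONFIG_PAX_EMUPLT a writable+executable request silently loses VM_EXEC instead of failing with -EPERM, which should be mentioned in a comment. do_mmap_pgoff's body starts and ends outside this hunk.

```c
#ifndef CONFIG_PAX_MPROTECT_COMPAT
		/* … unchanged: W|X logging and EMUPLT / -EPERM handling … */

		if (!(vm_flags & VM_EXEC))
			vm_flags &= ~VM_MAYEXEC;
		else
			vm_flags &= ~VM_MAYWRITE;
#else
		if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
			vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
		else
			vm_flags &= ~VM_MAYWRITE;
#endif
```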
114233@@ -1388,6 +1515,9 @@ unsigned long do_mmap_pgoff(struct file *file, unsigned long addr,
114234 vm_flags |= VM_NORESERVE;
114235 }
114236
114237+ if (!gr_acl_handle_mmap(file, prot))
114238+ return -EACCES;
114239+
114240 addr = mmap_region(file, addr, len, vm_flags, pgoff);
114241 if (!IS_ERR_VALUE(addr) &&
114242 ((vm_flags & VM_LOCKED) ||
114243@@ -1481,7 +1611,7 @@ int vma_wants_writenotify(struct vm_area_struct *vma)
114244 vm_flags_t vm_flags = vma->vm_flags;
114245
114246 /* If it was private or non-writable, the write bit is already clear */
114247- if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
114248+ if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
114249 return 0;
114250
114251 /* The backer wishes to know when pages are first written to? */
114252@@ -1532,7 +1662,22 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
114253 struct rb_node **rb_link, *rb_parent;
114254 unsigned long charged = 0;
114255
114256+#ifdef CONFIG_PAX_SEGMEXEC
114257+ struct vm_area_struct *vma_m = NULL;
114258+#endif
114259+
114260+ /*
114261+ * mm->mmap_sem is required to protect against another thread
114262+ * changing the mappings in case we sleep.
114263+ */
114264+ verify_mm_writelocked(mm);
114265+
114266 /* Check against address space limit. */
114267+
114268+#ifdef CONFIG_PAX_RANDMMAP
114269+ if (!(mm->pax_flags & MF_PAX_RANDMMAP) || (vm_flags & (VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)))
114270+#endif
114271+
114272 if (!may_expand_vm(mm, len >> PAGE_SHIFT)) {
114273 unsigned long nr_pages;
114274
114275@@ -1555,6 +1700,7 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
114276 &rb_parent)) {
114277 if (do_munmap(mm, addr, len))
114278 return -ENOMEM;
114279+ BUG_ON(find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent));
114280 }
114281
114282 /*
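Review bot: `BUG_ON(find_vma_links(...))` puts a call with required side effects inside an assertion: the call refills `prev`, `rb_link` and `rb_parent` after do_munmap(), and the rest of mmap_region() depends on those values. That is correct only as long as BUG_ON always evaluates its argument. Storing the result in a local first keeps the dependency visible, e.g. `ret = find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent);` followed by `BUG_ON(ret);`. A later hunk in this function does the same with `BUG_ON(pax_mirror_vma(vma_m, vma));`. mmap_region's body continues outside the hunk.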
114283@@ -1586,6 +1732,16 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
114284 goto unacct_error;
114285 }
114286
114287+#ifdef CONFIG_PAX_SEGMEXEC
114288+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
114289+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
114290+ if (!vma_m) {
114291+ error = -ENOMEM;
114292+ goto free_vma;
114293+ }
114294+ }
114295+#endif
114296+
114297 vma->vm_mm = mm;
114298 vma->vm_start = addr;
114299 vma->vm_end = addr + len;
114300@@ -1616,6 +1772,13 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
114301 if (error)
114302 goto unmap_and_free_vma;
114303
114304+#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
114305+ if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
114306+ vma->vm_flags |= VM_PAGEEXEC;
114307+ vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
114308+ }
114309+#endif
114310+
114311 /* Can addr have changed??
114312 *
114313 * Answer: Yes, several device drivers can do it in their
114314@@ -1634,6 +1797,12 @@ unsigned long mmap_region(struct file *file, unsigned long addr,
114315 }
114316
114317 vma_link(mm, vma, prev, rb_link, rb_parent);
114318+
114319+#ifdef CONFIG_PAX_SEGMEXEC
114320+ if (vma_m)
114321+ BUG_ON(pax_mirror_vma(vma_m, vma));
114322+#endif
114323+
114324 /* Once vma denies write, undo our temporary denial count */
114325 if (file) {
114326 if (vm_flags & VM_SHARED)
114327@@ -1646,6 +1815,7 @@ out:
114328 perf_event_mmap(vma);
114329
114330 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
114331+ track_exec_limit(mm, addr, addr + len, vm_flags);
114332 if (vm_flags & VM_LOCKED) {
114333 if (!((vm_flags & VM_SPECIAL) || is_vm_hugetlb_page(vma) ||
114334 vma == get_gate_vma(current->mm)))
114335@@ -1683,6 +1853,12 @@ allow_write_and_free_vma:
114336 if (vm_flags & VM_DENYWRITE)
114337 allow_write_access(file);
114338 free_vma:
114339+
114340+#ifdef CONFIG_PAX_SEGMEXEC
114341+ if (vma_m)
114342+ kmem_cache_free(vm_area_cachep, vma_m);
114343+#endif
114344+
114345 kmem_cache_free(vm_area_cachep, vma);
114346 unacct_error:
114347 if (charged)
114348@@ -1690,7 +1866,63 @@ unacct_error:
114349 return error;
114350 }
114351
114352-unsigned long unmapped_area(struct vm_unmapped_area_info *info)
114353+#ifdef CONFIG_GRKERNSEC_RAND_THREADSTACK
114354+unsigned long gr_rand_threadstack_offset(const struct mm_struct *mm, const struct file *filp, unsigned long flags)
114355+{
114356+ if ((mm->pax_flags & MF_PAX_RANDMMAP) && !filp && (flags & MAP_STACK))
114357+ return ((prandom_u32() & 0xFF) + 1) << PAGE_SHIFT;
114358+
114359+ return 0;
114360+}
114361+#endif
114362+
114363+bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len, unsigned long offset)
114364+{
114365+ if (!vma) {
114366+#ifdef CONFIG_STACK_GROWSUP
114367+ if (addr > sysctl_heap_stack_gap)
114368+ vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
114369+ else
114370+ vma = find_vma(current->mm, 0);
114371+ if (vma && (vma->vm_flags & VM_GROWSUP))
114372+ return false;
114373+#endif
114374+ return true;
114375+ }
114376+
114377+ if (addr + len > vma->vm_start)
114378+ return false;
114379+
114380+ if (vma->vm_flags & VM_GROWSDOWN)
114381+ return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
114382+#ifdef CONFIG_STACK_GROWSUP
114383+ else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
114384+ return addr - vma->vm_prev->vm_end >= sysctl_heap_stack_gap;
114385+#endif
114386+ else if (offset)
114387+ return offset <= vma->vm_start - addr - len;
114388+
114389+ return true;
114390+}
114391+
114392+unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len, unsigned long offset)
114393+{
114394+ if (vma->vm_start < len)
114395+ return -ENOMEM;
114396+
114397+ if (!(vma->vm_flags & VM_GROWSDOWN)) {
114398+ if (offset <= vma->vm_start - len)
114399+ return vma->vm_start - len - offset;
114400+ else
114401+ return -ENOMEM;
114402+ }
114403+
114404+ if (sysctl_heap_stack_gap <= vma->vm_start - len)
114405+ return vma->vm_start - len - sysctl_heap_stack_gap;
114406+ return -ENOMEM;
114407+}
114408+
114409+unsigned long unmapped_area(const struct vm_unmapped_area_info *info)
114410 {
114411 /*
114412 * We implement the search by looking for an rbtree node that
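Review bot: gr_rand_threadstack_offset() takes the thread-stack offset from `prandom_u32()`, a fast pseudo-random generator that is not meant for values an attacker should be unable to predict. Since the offset exists to randomise where MAP_STACK mappings land, a source intended for that purpose fits better: `return ((get_random_int() & 0xFF) + 1) << PAGE_SHIFT;`. The function also lacks a comment stating its range of 1 to 256 pages. It is defined only under CONFIG_GRKERNSEC_RAND_THREADSTACK while later hunks call it unconditionally, so a stub presumably exists in a header not shown here.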
114413@@ -1738,11 +1970,29 @@ unsigned long unmapped_area(struct vm_unmapped_area_info *info)
114414 }
114415 }
114416
114417- gap_start = vma->vm_prev ? vma->vm_prev->vm_end : 0;
114418+ gap_start = vma->vm_prev ? vma->vm_prev->vm_end: 0;
114419 check_current:
114420 /* Check if current node has a suitable gap */
114421 if (gap_start > high_limit)
114422 return -ENOMEM;
114423+
114424+ if (gap_end - gap_start > info->threadstack_offset)
114425+ gap_start += info->threadstack_offset;
114426+ else
114427+ gap_start = gap_end;
114428+
114429+ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) {
114430+ if (gap_end - gap_start > sysctl_heap_stack_gap)
114431+ gap_start += sysctl_heap_stack_gap;
114432+ else
114433+ gap_start = gap_end;
114434+ }
114435+ if (vma->vm_flags & VM_GROWSDOWN) {
114436+ if (gap_end - gap_start > sysctl_heap_stack_gap)
114437+ gap_end -= sysctl_heap_stack_gap;
114438+ else
114439+ gap_end = gap_start;
114440+ }
114441 if (gap_end >= low_limit && gap_end - gap_start >= length)
114442 goto found;
114443
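Review bot: The two heap/stack-gap adjustments added after `check_current:` in unmapped_area() are repeated line for line in the unmapped_area_topdown() hunk further down, so a later fix to one copy can miss the other. A small static helper taking the VMA and pointers to `gap_start`/`gap_end` would hold the logic once; the threadstack_offset step stays at each call site because it moves a different end of the gap in the two functions. The hunk also changes `vm_end : 0` to `vm_end: 0`, a whitespace-only edit that adds noise and departs from the usual spacing around `?:`. unmapped_area's body starts and ends outside the hunk.

```c
/* Shrink [*gap_start, *gap_end) so sysctl_heap_stack_gap stays free next to a stack VMA. */
static inline void apply_heap_stack_gap(const struct vm_area_struct *vma,
					unsigned long *gap_start,
					unsigned long *gap_end)
{
	if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) {
		if (*gap_end - *gap_start > sysctl_heap_stack_gap)
			*gap_start += sysctl_heap_stack_gap;
		else
			*gap_start = *gap_end;
	}
	if (vma->vm_flags & VM_GROWSDOWN) {
		if (*gap_end - *gap_start > sysctl_heap_stack_gap)
			*gap_end -= sysctl_heap_stack_gap;
		else
			*gap_end = *gap_start;
	}
}

	/* … unchanged: threadstack_offset adjustment … */
	apply_heap_stack_gap(vma, &gap_start, &gap_end);
```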
114444@@ -1792,7 +2042,7 @@ found:
114445 return gap_start;
114446 }
114447
114448-unsigned long unmapped_area_topdown(struct vm_unmapped_area_info *info)
114449+unsigned long unmapped_area_topdown(const struct vm_unmapped_area_info *info)
114450 {
114451 struct mm_struct *mm = current->mm;
114452 struct vm_area_struct *vma;
114453@@ -1846,6 +2096,24 @@ check_current:
114454 gap_end = vma->vm_start;
114455 if (gap_end < low_limit)
114456 return -ENOMEM;
114457+
114458+ if (gap_end - gap_start > info->threadstack_offset)
114459+ gap_end -= info->threadstack_offset;
114460+ else
114461+ gap_end = gap_start;
114462+
114463+ if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP)) {
114464+ if (gap_end - gap_start > sysctl_heap_stack_gap)
114465+ gap_start += sysctl_heap_stack_gap;
114466+ else
114467+ gap_start = gap_end;
114468+ }
114469+ if (vma->vm_flags & VM_GROWSDOWN) {
114470+ if (gap_end - gap_start > sysctl_heap_stack_gap)
114471+ gap_end -= sysctl_heap_stack_gap;
114472+ else
114473+ gap_end = gap_start;
114474+ }
114475 if (gap_start <= high_limit && gap_end - gap_start >= length)
114476 goto found;
114477
114478@@ -1909,6 +2177,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
114479 struct mm_struct *mm = current->mm;
114480 struct vm_area_struct *vma;
114481 struct vm_unmapped_area_info info;
114482+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
114483
114484 if (len > TASK_SIZE - mmap_min_addr)
114485 return -ENOMEM;
114486@@ -1916,11 +2185,15 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
114487 if (flags & MAP_FIXED)
114488 return addr;
114489
114490+#ifdef CONFIG_PAX_RANDMMAP
114491+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
114492+#endif
114493+
114494 if (addr) {
114495 addr = PAGE_ALIGN(addr);
114496 vma = find_vma(mm, addr);
114497 if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
114498- (!vma || addr + len <= vma->vm_start))
114499+ check_heap_stack_gap(vma, addr, len, offset))
114500 return addr;
114501 }
114502
114503@@ -1929,6 +2202,7 @@ arch_get_unmapped_area(struct file *filp, unsigned long addr,
114504 info.low_limit = mm->mmap_base;
114505 info.high_limit = TASK_SIZE;
114506 info.align_mask = 0;
114507+ info.threadstack_offset = offset;
114508 return vm_unmapped_area(&info);
114509 }
114510 #endif
114511@@ -1947,6 +2221,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
114512 struct mm_struct *mm = current->mm;
114513 unsigned long addr = addr0;
114514 struct vm_unmapped_area_info info;
114515+ unsigned long offset = gr_rand_threadstack_offset(mm, filp, flags);
114516
114517 /* requested length too big for entire address space */
114518 if (len > TASK_SIZE - mmap_min_addr)
114519@@ -1955,12 +2230,16 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
114520 if (flags & MAP_FIXED)
114521 return addr;
114522
114523+#ifdef CONFIG_PAX_RANDMMAP
114524+ if (!(mm->pax_flags & MF_PAX_RANDMMAP))
114525+#endif
114526+
114527 /* requesting a specific address */
114528 if (addr) {
114529 addr = PAGE_ALIGN(addr);
114530 vma = find_vma(mm, addr);
114531 if (TASK_SIZE - len >= addr && addr >= mmap_min_addr &&
114532- (!vma || addr + len <= vma->vm_start))
114533+ check_heap_stack_gap(vma, addr, len, offset))
114534 return addr;
114535 }
114536
114537@@ -1969,6 +2248,7 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
114538 info.low_limit = max(PAGE_SIZE, mmap_min_addr);
114539 info.high_limit = mm->mmap_base;
114540 info.align_mask = 0;
114541+ info.threadstack_offset = offset;
114542 addr = vm_unmapped_area(&info);
114543
114544 /*
114545@@ -1981,6 +2261,12 @@ arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
114546 VM_BUG_ON(addr != -ENOMEM);
114547 info.flags = 0;
114548 info.low_limit = TASK_UNMAPPED_BASE;
114549+
114550+#ifdef CONFIG_PAX_RANDMMAP
114551+ if (mm->pax_flags & MF_PAX_RANDMMAP)
114552+ info.low_limit += mm->delta_mmap;
114553+#endif
114554+
114555 info.high_limit = TASK_SIZE;
114556 addr = vm_unmapped_area(&info);
114557 }
114558@@ -2081,6 +2367,28 @@ find_vma_prev(struct mm_struct *mm, unsigned long addr,
114559 return vma;
114560 }
114561
114562+#ifdef CONFIG_PAX_SEGMEXEC
114563+struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
114564+{
114565+ struct vm_area_struct *vma_m;
114566+
114567+ BUG_ON(!vma || vma->vm_start >= vma->vm_end);
114568+ if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
114569+ BUG_ON(vma->vm_mirror);
114570+ return NULL;
114571+ }
114572+ BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
114573+ vma_m = vma->vm_mirror;
114574+ BUG_ON(!vma_m || vma_m->vm_mirror != vma);
114575+ BUG_ON(vma->vm_file != vma_m->vm_file);
114576+ BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
114577+ BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
114578+ BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
114579+ BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
114580+ return vma_m;
114581+}
114582+#endif
114583+
114584 /*
114585 * Verify that the stack growth is acceptable and
114586 * update accounting. This is shared with both the
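Review bot: The anon_vma assertion in pax_find_mirror_vma() dereferences `vma->anon_vma->root` and `vma_m->anon_vma->root` whenever the two pointers differ, which includes the case where exactly one of them is NULL. That state would end in a NULL pointer dereference inside the assertion instead of the intended BUG_ON report. Testing for NULL first keeps the diagnostic meaningful: `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root));`. The function also has no header comment; one sentence saying it returns NULL for VMAs without a mirror and otherwise validates the pairing would help.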
114587@@ -2098,8 +2406,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
114588
114589 /* Stack limit test */
114590 actual_size = size;
114591- if (size && (vma->vm_flags & (VM_GROWSUP | VM_GROWSDOWN)))
114592- actual_size -= PAGE_SIZE;
114593+ gr_learn_resource(current, RLIMIT_STACK, actual_size, 1);
114594 if (actual_size > READ_ONCE(rlim[RLIMIT_STACK].rlim_cur))
114595 return -ENOMEM;
114596
114597@@ -2110,6 +2417,7 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
114598 locked = mm->locked_vm + grow;
114599 limit = READ_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
114600 limit >>= PAGE_SHIFT;
114601+ gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
114602 if (locked > limit && !capable(CAP_IPC_LOCK))
114603 return -ENOMEM;
114604 }
114605@@ -2139,37 +2447,48 @@ static int acct_stack_growth(struct vm_area_struct *vma, unsigned long size, uns
114606 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
114607 * vma is the last one with address > vma->vm_end. Have to extend vma.
114608 */
114609+#ifndef CONFIG_IA64
114610+static
114611+#endif
114612 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
114613 {
114614 int error;
114615+ bool locknext;
114616
114617 if (!(vma->vm_flags & VM_GROWSUP))
114618 return -EFAULT;
114619
114620+ /* Also guard against wrapping around to address 0. */
114621+ if (address < PAGE_ALIGN(address+1))
114622+ address = PAGE_ALIGN(address+1);
114623+ else
114624+ return -ENOMEM;
114625+
114626 /*
114627 * We must make sure the anon_vma is allocated
114628 * so that the anon_vma locking is not a noop.
114629 */
114630 if (unlikely(anon_vma_prepare(vma)))
114631 return -ENOMEM;
114632+ locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
114633+ if (locknext && anon_vma_prepare(vma->vm_next))
114634+ return -ENOMEM;
114635 vma_lock_anon_vma(vma);
114636+ if (locknext)
114637+ vma_lock_anon_vma(vma->vm_next);
114638
114639 /*
114640 * vma->vm_start/vm_end cannot change under us because the caller
114641 * is required to hold the mmap_sem in read mode. We need the
114642- * anon_vma lock to serialize against concurrent expand_stacks.
114643- * Also guard against wrapping around to address 0.
114644+ * anon_vma locks to serialize against concurrent expand_stacks
114645+ * and expand_upwards.
114646 */
114647- if (address < PAGE_ALIGN(address+4))
114648- address = PAGE_ALIGN(address+4);
114649- else {
114650- vma_unlock_anon_vma(vma);
114651- return -ENOMEM;
114652- }
114653 error = 0;
114654
114655 /* Somebody else might have raced and expanded it already */
114656- if (address > vma->vm_end) {
114657+ if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
114658+ error = -ENOMEM;
114659+ else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
114660 unsigned long size, grow;
114661
114662 size = address - vma->vm_start;
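Review bot: The new gap test in expand_upwards(), `vma->vm_next->vm_start - address < sysctl_heap_stack_gap`, is an unsigned subtraction that wraps to a huge value if `address` is above `vm_next->vm_start`, and the test then passes instead of failing. The following `else if` rejects that overlap only when `locknext` is set, so for other neighbours the code relies on callers never passing such an address, which cannot be confirmed from the hunk. Making the ordering explicit is cheap: `vma->vm_next->vm_start < address || vma->vm_next->vm_start - address < sysctl_heap_stack_gap`. The mirrored test `address - prev->vm_end < sysctl_heap_stack_gap` in the expand_downwards() hunk has the same shape. Both conditions are long enough to deserve a line break and a short comment.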
114663@@ -2204,6 +2523,8 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address)
114664 }
114665 }
114666 }
114667+ if (locknext)
114668+ vma_unlock_anon_vma(vma->vm_next);
114669 vma_unlock_anon_vma(vma);
114670 khugepaged_enter_vma_merge(vma, vma->vm_flags);
114671 validate_mm(vma->vm_mm);
114672@@ -2218,6 +2539,8 @@ int expand_downwards(struct vm_area_struct *vma,
114673 unsigned long address)
114674 {
114675 int error;
114676+ bool lockprev = false;
114677+ struct vm_area_struct *prev;
114678
114679 /*
114680 * We must make sure the anon_vma is allocated
114681@@ -2231,6 +2554,15 @@ int expand_downwards(struct vm_area_struct *vma,
114682 if (error)
114683 return error;
114684
114685+ prev = vma->vm_prev;
114686+#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
114687+ lockprev = prev && (prev->vm_flags & VM_GROWSUP);
114688+#endif
114689+ if (lockprev && anon_vma_prepare(prev))
114690+ return -ENOMEM;
114691+ if (lockprev)
114692+ vma_lock_anon_vma(prev);
114693+
114694 vma_lock_anon_vma(vma);
114695
114696 /*
114697@@ -2240,9 +2572,17 @@ int expand_downwards(struct vm_area_struct *vma,
114698 */
114699
114700 /* Somebody else might have raced and expanded it already */
114701- if (address < vma->vm_start) {
114702+ if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
114703+ error = -ENOMEM;
114704+ else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
114705 unsigned long size, grow;
114706
114707+#ifdef CONFIG_PAX_SEGMEXEC
114708+ struct vm_area_struct *vma_m;
114709+
114710+ vma_m = pax_find_mirror_vma(vma);
114711+#endif
114712+
114713 size = vma->vm_end - address;
114714 grow = (vma->vm_start - address) >> PAGE_SHIFT;
114715
114716@@ -2267,13 +2607,27 @@ int expand_downwards(struct vm_area_struct *vma,
114717 vma->vm_pgoff -= grow;
114718 anon_vma_interval_tree_post_update_vma(vma);
114719 vma_gap_update(vma);
114720+
114721+#ifdef CONFIG_PAX_SEGMEXEC
114722+ if (vma_m) {
114723+ anon_vma_interval_tree_pre_update_vma(vma_m);
114724+ vma_m->vm_start -= grow << PAGE_SHIFT;
114725+ vma_m->vm_pgoff -= grow;
114726+ anon_vma_interval_tree_post_update_vma(vma_m);
114727+ vma_gap_update(vma_m);
114728+ }
114729+#endif
114730+
114731 spin_unlock(&vma->vm_mm->page_table_lock);
114732
114733+ track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
114734 perf_event_mmap(vma);
114735 }
114736 }
114737 }
114738 vma_unlock_anon_vma(vma);
114739+ if (lockprev)
114740+ vma_unlock_anon_vma(prev);
114741 khugepaged_enter_vma_merge(vma, vma->vm_flags);
114742 validate_mm(vma->vm_mm);
114743 return error;
114744@@ -2373,6 +2727,13 @@ static void remove_vma_list(struct mm_struct *mm, struct vm_area_struct *vma)
114745 do {
114746 long nrpages = vma_pages(vma);
114747
114748+#ifdef CONFIG_PAX_SEGMEXEC
114749+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
114750+ vma = remove_vma(vma);
114751+ continue;
114752+ }
114753+#endif
114754+
114755 if (vma->vm_flags & VM_ACCOUNT)
114756 nr_accounted += nrpages;
114757 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
114758@@ -2417,6 +2778,16 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma,
114759 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
114760 vma->vm_prev = NULL;
114761 do {
114762+
114763+#ifdef CONFIG_PAX_SEGMEXEC
114764+ if (vma->vm_mirror) {
114765+ BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
114766+ vma->vm_mirror->vm_mirror = NULL;
114767+ vma->vm_mirror->vm_flags &= ~VM_EXEC;
114768+ vma->vm_mirror = NULL;
114769+ }
114770+#endif
114771+
114772 vma_rb_erase(vma, &mm->mm_rb);
114773 mm->map_count--;
114774 tail_vma = vma;
114775@@ -2444,14 +2815,33 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114776 struct vm_area_struct *new;
114777 int err = -ENOMEM;
114778
114779+#ifdef CONFIG_PAX_SEGMEXEC
114780+ struct vm_area_struct *vma_m, *new_m = NULL;
114781+ unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
114782+#endif
114783+
114784 if (is_vm_hugetlb_page(vma) && (addr &
114785 ~(huge_page_mask(hstate_vma(vma)))))
114786 return -EINVAL;
114787
114788+#ifdef CONFIG_PAX_SEGMEXEC
114789+ vma_m = pax_find_mirror_vma(vma);
114790+#endif
114791+
114792 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
114793 if (!new)
114794 goto out_err;
114795
114796+#ifdef CONFIG_PAX_SEGMEXEC
114797+ if (vma_m) {
114798+ new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
114799+ if (!new_m) {
114800+ kmem_cache_free(vm_area_cachep, new);
114801+ goto out_err;
114802+ }
114803+ }
114804+#endif
114805+
114806 /* most fields are the same, copy all, and then fixup */
114807 *new = *vma;
114808
114809@@ -2464,6 +2854,22 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114810 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
114811 }
114812
114813+#ifdef CONFIG_PAX_SEGMEXEC
114814+ if (vma_m) {
114815+ *new_m = *vma_m;
114816+ INIT_LIST_HEAD(&new_m->anon_vma_chain);
114817+ new_m->vm_mirror = new;
114818+ new->vm_mirror = new_m;
114819+
114820+ if (new_below)
114821+ new_m->vm_end = addr_m;
114822+ else {
114823+ new_m->vm_start = addr_m;
114824+ new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
114825+ }
114826+ }
114827+#endif
114828+
114829 err = vma_dup_policy(vma, new);
114830 if (err)
114831 goto out_free_vma;
114832@@ -2484,6 +2890,38 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114833 else
114834 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
114835
114836+#ifdef CONFIG_PAX_SEGMEXEC
114837+ if (!err && vma_m) {
114838+ struct mempolicy *pol = vma_policy(new);
114839+
114840+ if (anon_vma_clone(new_m, vma_m))
114841+ goto out_free_mpol;
114842+
114843+ mpol_get(pol);
114844+ set_vma_policy(new_m, pol);
114845+
114846+ if (new_m->vm_file)
114847+ get_file(new_m->vm_file);
114848+
114849+ if (new_m->vm_ops && new_m->vm_ops->open)
114850+ new_m->vm_ops->open(new_m);
114851+
114852+ if (new_below)
114853+ err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
114854+ ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
114855+ else
114856+ err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
114857+
114858+ if (err) {
114859+ if (new_m->vm_ops && new_m->vm_ops->close)
114860+ new_m->vm_ops->close(new_m);
114861+ if (new_m->vm_file)
114862+ fput(new_m->vm_file);
114863+ mpol_put(pol);
114864+ }
114865+ }
114866+#endif
114867+
114868 /* Success. */
114869 if (!err)
114870 return 0;
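Review bot: In the added SEGMEXEC block, `goto out_free_mpol` on `anon_vma_clone(new_m, vma_m)` failure is taken while `err` is still 0, because the block is entered only when `!err`; the cleanup labels end in `return err`, so the caller would see success after `new` and `new_m` have been freed. Setting the code first, `err = -ENOMEM;` before the `goto`, fixes the return value. Both that path and the `if (err)` branch after the second `vma_adjust()` run after the first `vma_adjust()` has already succeeded with `new`; if that call has linked `new` into the mm (not visible in this hunk), the shared cleanup then frees a live VMA, so the mirror failure probably needs its own unwind. `__split_vma` starts and ends outside the hunk.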
114871@@ -2493,10 +2931,18 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114872 new->vm_ops->close(new);
114873 if (new->vm_file)
114874 fput(new->vm_file);
114875- unlink_anon_vmas(new);
114876 out_free_mpol:
114877 mpol_put(vma_policy(new));
114878 out_free_vma:
114879+
114880+#ifdef CONFIG_PAX_SEGMEXEC
114881+ if (new_m) {
114882+ unlink_anon_vmas(new_m);
114883+ kmem_cache_free(vm_area_cachep, new_m);
114884+ }
114885+#endif
114886+
114887+ unlink_anon_vmas(new);
114888 kmem_cache_free(vm_area_cachep, new);
114889 out_err:
114890 return err;
114891@@ -2509,6 +2955,15 @@ static int __split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114892 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114893 unsigned long addr, int new_below)
114894 {
114895+
114896+#ifdef CONFIG_PAX_SEGMEXEC
114897+ if (mm->pax_flags & MF_PAX_SEGMEXEC) {
114898+ BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
114899+ if (mm->map_count >= sysctl_max_map_count-1)
114900+ return -ENOMEM;
114901+ } else
114902+#endif
114903+
114904 if (mm->map_count >= sysctl_max_map_count)
114905 return -ENOMEM;
114906
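Review bot: The `} else` that closes the SEGMEXEC branch is left dangling across `#endif` and a blank line, so it silently binds to the unchanged `if (mm->map_count >= sysctl_max_map_count)` below; the same construct recurs in the `mprotect` syscall hunk in mm/mprotect.c (`} else` before `if (end > TASK_SIZE)`). Anyone inserting a statement between the `#endif` and that `if` changes which check runs for SEGMEXEC tasks. A comment on the `else`, `} else /* non-SEGMEXEC: fall into the limit check below */`, would make the coupling visible. A comment on `sysctl_max_map_count-1` should say the extra slot is reserved for the mirror VMA, if that is the intent.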
114907@@ -2520,11 +2975,30 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
114908 * work. This now handles partial unmappings.
114909 * Jeremy Fitzhardinge <jeremy@goop.org>
114910 */
114911+#ifdef CONFIG_PAX_SEGMEXEC
114912 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
114913 {
114914+ int ret = __do_munmap(mm, start, len);
114915+ if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
114916+ return ret;
114917+
114918+ return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
114919+}
114920+
114921+int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
114922+#else
114923+int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
114924+#endif
114925+{
114926 unsigned long end;
114927 struct vm_area_struct *vma, *prev, *last;
114928
114929+ /*
114930+ * mm->mmap_sem is required to protect against another thread
114931+ * changing the mappings in case we sleep.
114932+ */
114933+ verify_mm_writelocked(mm);
114934+
114935 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
114936 return -EINVAL;
114937
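Review bot: The new `do_munmap()` wrapper is not all-or-nothing: when the second `__do_munmap()` on `start + SEGMEXEC_TASK_SIZE` fails, the lower range has already been unmapped and the caller only sees the error. The wrapper also computes `start + SEGMEXEC_TASK_SIZE` without checking `start` and `len` against `SEGMEXEC_TASK_SIZE` itself; `vm_munmap()` does that check in a later hunk, but other callers of `do_munmap()` are outside this view. A header comment stating both points would help, for example `/* SEGMEXEC: callers must keep [start, start+len) below SEGMEXEC_TASK_SIZE; a mirror failure leaves the lower range unmapped */`. The body of `__do_munmap` continues outside the hunk.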
114938@@ -2602,6 +3076,8 @@ int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
114939 /* Fix up all other VM information */
114940 remove_vma_list(mm, vma);
114941
114942+ track_exec_limit(mm, start, end, 0UL);
114943+
114944 return 0;
114945 }
114946
114947@@ -2610,6 +3086,13 @@ int vm_munmap(unsigned long start, size_t len)
114948 int ret;
114949 struct mm_struct *mm = current->mm;
114950
114951+
114952+#ifdef CONFIG_PAX_SEGMEXEC
114953+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
114954+ (len > SEGMEXEC_TASK_SIZE || start > SEGMEXEC_TASK_SIZE-len))
114955+ return -EINVAL;
114956+#endif
114957+
114958 down_write(&mm->mmap_sem);
114959 ret = do_munmap(mm, start, len);
114960 up_write(&mm->mmap_sem);
114961@@ -2656,6 +3139,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsigned long, start, unsigned long, size,
114962 down_write(&mm->mmap_sem);
114963 vma = find_vma(mm, start);
114964
114965+#ifdef CONFIG_PAX_SEGMEXEC
114966+ if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
114967+ goto out;
114968+#endif
114969+
114970 if (!vma || !(vma->vm_flags & VM_SHARED))
114971 goto out;
114972
114973@@ -2692,16 +3180,6 @@ out:
114974 return ret;
114975 }
114976
114977-static inline void verify_mm_writelocked(struct mm_struct *mm)
114978-{
114979-#ifdef CONFIG_DEBUG_VM
114980- if (unlikely(down_read_trylock(&mm->mmap_sem))) {
114981- WARN_ON(1);
114982- up_read(&mm->mmap_sem);
114983- }
114984-#endif
114985-}
114986-
114987 /*
114988 * this is really a simplified "do_mmap". it only handles
114989 * anonymous maps. eventually we may be able to do some
114990@@ -2715,6 +3193,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
114991 struct rb_node **rb_link, *rb_parent;
114992 pgoff_t pgoff = addr >> PAGE_SHIFT;
114993 int error;
114994+ unsigned long charged;
114995
114996 len = PAGE_ALIGN(len);
114997 if (!len)
114998@@ -2722,10 +3201,24 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
114999
115000 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
115001
115002+#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
115003+ if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
115004+ flags &= ~VM_EXEC;
115005+
115006+#ifdef CONFIG_PAX_MPROTECT
115007+ if (mm->pax_flags & MF_PAX_MPROTECT)
115008+ flags &= ~VM_MAYEXEC;
115009+#endif
115010+
115011+ }
115012+#endif
115013+
115014 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
115015 if (error & ~PAGE_MASK)
115016 return error;
115017
115018+ charged = len >> PAGE_SHIFT;
115019+
115020 error = mlock_future_check(mm, mm->def_flags, len);
115021 if (error)
115022 return error;
115023@@ -2743,16 +3236,17 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
115024 &rb_parent)) {
115025 if (do_munmap(mm, addr, len))
115026 return -ENOMEM;
115027+ BUG_ON(find_vma_links(mm, addr, addr + len, &prev, &rb_link, &rb_parent));
115028 }
115029
115030 /* Check against address space limits *after* clearing old maps... */
115031- if (!may_expand_vm(mm, len >> PAGE_SHIFT))
115032+ if (!may_expand_vm(mm, charged))
115033 return -ENOMEM;
115034
115035 if (mm->map_count > sysctl_max_map_count)
115036 return -ENOMEM;
115037
115038- if (security_vm_enough_memory_mm(mm, len >> PAGE_SHIFT))
115039+ if (security_vm_enough_memory_mm(mm, charged))
115040 return -ENOMEM;
115041
115042 /* Can we just expand an old private anonymous mapping? */
115043@@ -2766,7 +3260,7 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
115044 */
115045 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
115046 if (!vma) {
115047- vm_unacct_memory(len >> PAGE_SHIFT);
115048+ vm_unacct_memory(charged);
115049 return -ENOMEM;
115050 }
115051
115052@@ -2780,10 +3274,11 @@ static unsigned long do_brk(unsigned long addr, unsigned long len)
115053 vma_link(mm, vma, prev, rb_link, rb_parent);
115054 out:
115055 perf_event_mmap(vma);
115056- mm->total_vm += len >> PAGE_SHIFT;
115057+ mm->total_vm += charged;
115058 if (flags & VM_LOCKED)
115059- mm->locked_vm += (len >> PAGE_SHIFT);
115060+ mm->locked_vm += charged;
115061 vma->vm_flags |= VM_SOFTDIRTY;
115062+ track_exec_limit(mm, addr, addr + len, flags);
115063 return addr;
115064 }
115065
115066@@ -2845,6 +3340,7 @@ void exit_mmap(struct mm_struct *mm)
115067 while (vma) {
115068 if (vma->vm_flags & VM_ACCOUNT)
115069 nr_accounted += vma_pages(vma);
115070+ vma->vm_mirror = NULL;
115071 vma = remove_vma(vma);
115072 }
115073 vm_unacct_memory(nr_accounted);
115074@@ -2859,6 +3355,13 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
115075 struct vm_area_struct *prev;
115076 struct rb_node **rb_link, *rb_parent;
115077
115078+#ifdef CONFIG_PAX_SEGMEXEC
115079+ struct vm_area_struct *vma_m = NULL;
115080+#endif
115081+
115082+ if (security_mmap_addr(vma->vm_start))
115083+ return -EPERM;
115084+
115085 /*
115086 * The vm_pgoff of a purely anonymous vma should be irrelevant
115087 * until its first write fault, when page's anon_vma and index
115088@@ -2882,7 +3385,21 @@ int insert_vm_struct(struct mm_struct *mm, struct vm_area_struct *vma)
115089 security_vm_enough_memory_mm(mm, vma_pages(vma)))
115090 return -ENOMEM;
115091
115092+#ifdef CONFIG_PAX_SEGMEXEC
115093+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
115094+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
115095+ if (!vma_m)
115096+ return -ENOMEM;
115097+ }
115098+#endif
115099+
115100 vma_link(mm, vma, prev, rb_link, rb_parent);
115101+
115102+#ifdef CONFIG_PAX_SEGMEXEC
115103+ if (vma_m)
115104+ BUG_ON(pax_mirror_vma(vma_m, vma));
115105+#endif
115106+
115107 return 0;
115108 }
115109
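Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` turns an allocation failure into a kernel BUG, because `pax_mirror_vma()`, added further down in this file, returns `-ENOMEM` when `anon_vma_clone()` fails. `insert_vm_struct()` already returns `-ENOMEM` for the `kmem_cache_zalloc()` failure just above, so the mirror failure could be reported the same way instead of halting. Doing so means undoing the `vma_link()` of the primary `vma` and freeing `vma_m`, or preparing the mirror before `vma_link()`, which is more than a one-line change. The function starts outside the hunk.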
115110@@ -2901,6 +3418,8 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
115111 struct rb_node **rb_link, *rb_parent;
115112 bool faulted_in_anon_vma = true;
115113
115114+ BUG_ON(vma->vm_mirror);
115115+
115116 /*
115117 * If anonymous vma has not yet been faulted, update new pgoff
115118 * to match new location, to increase its chance of merging.
115119@@ -2965,6 +3484,39 @@ struct vm_area_struct *copy_vma(struct vm_area_struct **vmap,
115120 return NULL;
115121 }
115122
115123+#ifdef CONFIG_PAX_SEGMEXEC
115124+long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
115125+{
115126+ struct vm_area_struct *prev_m;
115127+ struct rb_node **rb_link_m, *rb_parent_m;
115128+ struct mempolicy *pol_m;
115129+
115130+ BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
115131+ BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
115132+ BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
115133+ *vma_m = *vma;
115134+ INIT_LIST_HEAD(&vma_m->anon_vma_chain);
115135+ if (anon_vma_clone(vma_m, vma))
115136+ return -ENOMEM;
115137+ pol_m = vma_policy(vma_m);
115138+ mpol_get(pol_m);
115139+ set_vma_policy(vma_m, pol_m);
115140+ vma_m->vm_start += SEGMEXEC_TASK_SIZE;
115141+ vma_m->vm_end += SEGMEXEC_TASK_SIZE;
115142+ vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
115143+ vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
115144+ if (vma_m->vm_file)
115145+ get_file(vma_m->vm_file);
115146+ if (vma_m->vm_ops && vma_m->vm_ops->open)
115147+ vma_m->vm_ops->open(vma_m);
115148+ BUG_ON(find_vma_links(vma->vm_mm, vma_m->vm_start, vma_m->vm_end, &prev_m, &rb_link_m, &rb_parent_m));
115149+ vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
115150+ vma_m->vm_mirror = vma;
115151+ vma->vm_mirror = vma_m;
115152+ return 0;
115153+}
115154+#endif
115155+
115156 /*
115157 * Return true if the calling process may expand its vm space by the passed
115158 * number of pages
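Review bot: `pax_mirror_vma()` has no header comment, and its contract on failure is not obvious from the call sites. On the `-ENOMEM` return `*vma_m` has already been overwritten with a copy of `*vma`, but as far as this function shows no file reference, `vm_ops->open()` call or policy reference has been taken for it yet, so the caller must release it with `kmem_cache_free()` only. I would add a comment above the function saying that the caller allocates `vma_m`, that on success it is linked at `vma + SEGMEXEC_TASK_SIZE` with the write, account and lock flags cleared and both `vm_mirror` pointers set, and that on failure ownership of `vma_m` stays with the caller. The return type is `long` although only `0` and `-ENOMEM` are returned and `mprotect_fixup()` stores the result in an `int`.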
115159@@ -2976,6 +3528,7 @@ int may_expand_vm(struct mm_struct *mm, unsigned long npages)
115160
115161 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
115162
115163+ gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
115164 if (cur + npages > lim)
115165 return 0;
115166 return 1;
115167@@ -3058,6 +3611,22 @@ static struct vm_area_struct *__install_special_mapping(
115168 vma->vm_start = addr;
115169 vma->vm_end = addr + len;
115170
115171+#ifdef CONFIG_PAX_MPROTECT
115172+ if (mm->pax_flags & MF_PAX_MPROTECT) {
115173+#ifndef CONFIG_PAX_MPROTECT_COMPAT
115174+ if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
115175+ return ERR_PTR(-EPERM);
115176+ if (!(vm_flags & VM_EXEC))
115177+ vm_flags &= ~VM_MAYEXEC;
115178+#else
115179+ if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
115180+ vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
115181+#endif
115182+ else
115183+ vm_flags &= ~VM_MAYWRITE;
115184+ }
115185+#endif
115186+
115187 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND | VM_SOFTDIRTY;
115188 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
115189
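Review bot: The new `return ERR_PTR(-EPERM);` leaves the function directly although `vma` is already being filled in on the context lines just above (`vma->vm_start = addr;`), so the object allocated earlier in the function (outside this hunk) appears to be leaked when a writable and executable mapping is rejected. Route the rejection through the function's existing error exit that frees `vma`, or move the flag check ahead of the allocation. The `else` after `#endif` pairs with a different `if` depending on `CONFIG_PAX_MPROTECT_COMPAT`, which deserves a one-line comment on each branch.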
115190diff --git a/mm/mprotect.c b/mm/mprotect.c
115191index e7d6f11..6116007 100644
115192--- a/mm/mprotect.c
115193+++ b/mm/mprotect.c
115194@@ -24,10 +24,18 @@
115195 #include <linux/migrate.h>
115196 #include <linux/perf_event.h>
115197 #include <linux/ksm.h>
115198+#include <linux/sched/sysctl.h>
115199+
115200+#ifdef CONFIG_PAX_MPROTECT
115201+#include <linux/elf.h>
115202+#include <linux/binfmts.h>
115203+#endif
115204+
115205 #include <asm/uaccess.h>
115206 #include <asm/pgtable.h>
115207 #include <asm/cacheflush.h>
115208 #include <asm/tlbflush.h>
115209+#include <asm/mmu_context.h>
115210
115211 #include "internal.h"
115212
115213@@ -254,6 +262,48 @@ unsigned long change_protection(struct vm_area_struct *vma, unsigned long start,
115214 return pages;
115215 }
115216
115217+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
115218+/* called while holding the mmap semaphor for writing except stack expansion */
115219+void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
115220+{
115221+ unsigned long oldlimit, newlimit = 0UL;
115222+
115223+ if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
115224+ return;
115225+
115226+ spin_lock(&mm->page_table_lock);
115227+ oldlimit = mm->context.user_cs_limit;
115228+ if ((prot & VM_EXEC) && oldlimit < end)
115229+ /* USER_CS limit moved up */
115230+ newlimit = end;
115231+ else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
115232+ /* USER_CS limit moved down */
115233+ newlimit = start;
115234+
115235+ if (newlimit) {
115236+ mm->context.user_cs_limit = newlimit;
115237+
115238+#ifdef CONFIG_SMP
115239+ wmb();
115240+ cpumask_clear(&mm->context.cpu_user_cs_mask);
115241+ cpumask_set_cpu(smp_processor_id(), &mm->context.cpu_user_cs_mask);
115242+#endif
115243+
115244+ set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
115245+ }
115246+ spin_unlock(&mm->page_table_lock);
115247+ if (newlimit == end) {
115248+ struct vm_area_struct *vma = find_vma(mm, oldlimit);
115249+
115250+ for (; vma && vma->vm_start < end; vma = vma->vm_next)
115251+ if (is_vm_hugetlb_page(vma))
115252+ hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
115253+ else
115254+ change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma), 0);
115255+ }
115256+}
115257+#endif
115258+
115259 int
115260 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
115261 unsigned long start, unsigned long end, unsigned long newflags)
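Review bot: `newlimit` doubles as the "no change" marker in `track_exec_limit()`, so a downward move to `start == 0` is indistinguishable from no move and `user_cs_limit` is left as it was; whether `start` can be 0 on this path is not visible here, but a separate `bool changed` would remove the question. The VMA walk after `spin_unlock()` runs without `page_table_lock` and relies on the caller holding `mmap_sem` for writing, which the header comment itself says is not the case for stack expansion; that exception should be explained rather than only mentioned. The `for` body is an unbraced `if`/`else` spanning four lines and would be safer with braces. The comment's "semaphor" should read "semaphore".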
115262@@ -266,11 +316,29 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
115263 int error;
115264 int dirty_accountable = 0;
115265
115266+#ifdef CONFIG_PAX_SEGMEXEC
115267+ struct vm_area_struct *vma_m = NULL;
115268+ unsigned long start_m, end_m;
115269+
115270+ start_m = start + SEGMEXEC_TASK_SIZE;
115271+ end_m = end + SEGMEXEC_TASK_SIZE;
115272+#endif
115273+
115274 if (newflags == oldflags) {
115275 *pprev = vma;
115276 return 0;
115277 }
115278
115279+ if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
115280+ struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
115281+
115282+ if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
115283+ return -ENOMEM;
115284+
115285+ if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
115286+ return -ENOMEM;
115287+ }
115288+
115289 /*
115290 * If we make a private mapping writable we increase our commit;
115291 * but (without finer accounting) cannot reduce our commit if we
115292@@ -287,6 +355,42 @@ mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
115293 }
115294 }
115295
115296+#ifdef CONFIG_PAX_SEGMEXEC
115297+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
115298+ if (start != vma->vm_start) {
115299+ error = split_vma(mm, vma, start, 1);
115300+ if (error)
115301+ goto fail;
115302+ BUG_ON(!*pprev || (*pprev)->vm_next == vma);
115303+ *pprev = (*pprev)->vm_next;
115304+ }
115305+
115306+ if (end != vma->vm_end) {
115307+ error = split_vma(mm, vma, end, 0);
115308+ if (error)
115309+ goto fail;
115310+ }
115311+
115312+ if (pax_find_mirror_vma(vma)) {
115313+ error = __do_munmap(mm, start_m, end_m - start_m);
115314+ if (error)
115315+ goto fail;
115316+ } else {
115317+ vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
115318+ if (!vma_m) {
115319+ error = -ENOMEM;
115320+ goto fail;
115321+ }
115322+ vma->vm_flags = newflags;
115323+ error = pax_mirror_vma(vma_m, vma);
115324+ if (error) {
115325+ vma->vm_flags = oldflags;
115326+ goto fail;
115327+ }
115328+ }
115329+ }
115330+#endif
115331+
115332 /*
115333 * First try to merge with previous and/or next vma.
115334 */
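Review bot: When `pax_mirror_vma(vma_m, vma)` fails, the branch restores `vma->vm_flags` and jumps to `fail` without releasing `vma_m`, which was allocated with `kmem_cache_zalloc()` a few lines earlier; unless the `fail` label (outside this hunk) frees it, the object is leaked. Adding `kmem_cache_free(vm_area_cachep, vma_m);` before `vma->vm_flags = oldflags;` would close that. By this point one or both `split_vma()` calls may already have succeeded, so a failure here returns an error with the VMA layout changed, which is worth a comment.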
115335@@ -317,7 +421,19 @@ success:
115336 * vm_flags and vm_page_prot are protected by the mmap_sem
115337 * held in write mode.
115338 */
115339+
115340+#ifdef CONFIG_PAX_SEGMEXEC
115341+ if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
115342+ pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
115343+#endif
115344+
115345 vma->vm_flags = newflags;
115346+
115347+#ifdef CONFIG_PAX_MPROTECT
115348+ if (mm->binfmt && mm->binfmt->handle_mprotect)
115349+ mm->binfmt->handle_mprotect(vma, newflags);
115350+#endif
115351+
115352 dirty_accountable = vma_wants_writenotify(vma);
115353 vma_set_page_prot(vma);
115354
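Review bot: `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the lookup result unchecked, while the earlier SEGMEXEC hunk in this function treats a NULL return from `pax_find_mirror_vma()` as a normal case. The condition here (`newflags & VM_EXEC`) presumably guarantees that a mirror exists, but `vma` may have been replaced by the merge code between the two hunks, which is not visible. Holding the result in the existing local and asserting it, `vma_m = pax_find_mirror_vma(vma); BUG_ON(!vma_m); vma_m->vm_flags ^= VM_READ;`, would turn a silent NULL dereference into a diagnosable failure.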
115355@@ -362,6 +478,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
115356 end = start + len;
115357 if (end <= start)
115358 return -ENOMEM;
115359+
115360+#ifdef CONFIG_PAX_SEGMEXEC
115361+ if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
115362+ if (end > SEGMEXEC_TASK_SIZE)
115363+ return -EINVAL;
115364+ } else
115365+#endif
115366+
115367+ if (end > TASK_SIZE)
115368+ return -EINVAL;
115369+
115370 if (!arch_validate_prot(prot))
115371 return -EINVAL;
115372
115373@@ -369,7 +496,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
115374 /*
115375 * Does the application expect PROT_READ to imply PROT_EXEC:
115376 */
115377- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
115378+ if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
115379 prot |= PROT_EXEC;
115380
115381 vm_flags = calc_vm_prot_bits(prot);
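Review bot: The comment above the changed condition still says "Does the application expect PROT_READ to imply PROT_EXEC", but the new test also adds `PROT_EXEC` for a request that carries only `PROT_WRITE`. Update the comment to match, for example `/* Does the application expect PROT_READ or PROT_WRITE to imply PROT_EXEC: */`, and say why write-only requests are included, since that widens what `READ_IMPLIES_EXEC` does compared with the removed line.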
115382@@ -401,6 +528,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
115383 if (start > vma->vm_start)
115384 prev = vma;
115385
115386+#ifdef CONFIG_PAX_MPROTECT
115387+ if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
115388+ current->mm->binfmt->handle_mprotect(vma, vm_flags);
115389+#endif
115390+
115391 for (nstart = start ; ; ) {
115392 unsigned long newflags;
115393
115394@@ -411,6 +543,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
115395
115396 /* newflags >> 4 shift VM_MAY% in place of VM_% */
115397 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
115398+ if (prot & (PROT_WRITE | PROT_EXEC))
115399+ gr_log_rwxmprotect(vma);
115400+
115401+ error = -EACCES;
115402+ goto out;
115403+ }
115404+
115405+ if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
115406 error = -EACCES;
115407 goto out;
115408 }
115409@@ -425,6 +565,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
115410 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
115411 if (error)
115412 goto out;
115413+
115414+ track_exec_limit(current->mm, nstart, tmp, vm_flags);
115415+
115416 nstart = tmp;
115417
115418 if (nstart < prev->vm_end)
115419diff --git a/mm/mremap.c b/mm/mremap.c
115420index a7c93ec..69c2949 100644
115421--- a/mm/mremap.c
115422+++ b/mm/mremap.c
115423@@ -143,6 +143,12 @@ static void move_ptes(struct vm_area_struct *vma, pmd_t *old_pmd,
115424 continue;
115425 pte = ptep_get_and_clear(mm, old_addr, old_pte);
115426 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
115427+
115428+#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
115429+ if (!(__supported_pte_mask & _PAGE_NX) && pte_present(pte) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
115430+ pte = pte_exprotect(pte);
115431+#endif
115432+
115433 pte = move_soft_dirty_pte(pte);
115434 set_pte_at(mm, new_addr, new_pte, pte);
115435 }
115436@@ -355,6 +361,11 @@ static struct vm_area_struct *vma_to_resize(unsigned long addr,
115437 if (is_vm_hugetlb_page(vma))
115438 return ERR_PTR(-EINVAL);
115439
115440+#ifdef CONFIG_PAX_SEGMEXEC
115441+ if (pax_find_mirror_vma(vma))
115442+ return ERR_PTR(-EINVAL);
115443+#endif
115444+
115445 /* We can't remap across vm area boundaries */
115446 if (old_len > vma->vm_end - addr)
115447 return ERR_PTR(-EFAULT);
115448@@ -401,20 +412,25 @@ static unsigned long mremap_to(unsigned long addr, unsigned long old_len,
115449 unsigned long ret = -EINVAL;
115450 unsigned long charged = 0;
115451 unsigned long map_flags;
115452+ unsigned long pax_task_size = TASK_SIZE;
115453
115454 if (new_addr & ~PAGE_MASK)
115455 goto out;
115456
115457- if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
115458+#ifdef CONFIG_PAX_SEGMEXEC
115459+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
115460+ pax_task_size = SEGMEXEC_TASK_SIZE;
115461+#endif
115462+
115463+ pax_task_size -= PAGE_SIZE;
115464+
115465+ if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
115466 goto out;
115467
115468 /* Check if the location we're moving into overlaps the
115469 * old location at all, and fail if it does.
115470 */
115471- if ((new_addr <= addr) && (new_addr+new_len) > addr)
115472- goto out;
115473-
115474- if ((addr <= new_addr) && (addr+old_len) > new_addr)
115475+ if (addr + old_len > new_addr && new_addr + new_len > addr)
115476 goto out;
115477
115478 ret = do_munmap(mm, new_addr, new_len);
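Review bot: The rewritten bound check mixes two limits: `new_len > TASK_SIZE` is tested against the full task size while the subtraction uses `pax_task_size`, so for a `new_len` between the two, `pax_task_size - new_len` wraps and the `new_addr` comparison no longer rejects anything. The `mremap` syscall hunk below checks `new_len > pax_task_size` before calling in, which appears to cover it, but `mremap_to()` should not depend on that; use `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The merged overlap test also differs from the two removed ones when `old_len` is 0 and `new_addr == addr` (the removed first test fired, the new one does not), so a comment should say whether that case is meant to pass.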
115479@@ -483,6 +499,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
115480 unsigned long ret = -EINVAL;
115481 unsigned long charged = 0;
115482 bool locked = false;
115483+ unsigned long pax_task_size = TASK_SIZE;
115484
115485 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
115486 return ret;
115487@@ -504,6 +521,17 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
115488 if (!new_len)
115489 return ret;
115490
115491+#ifdef CONFIG_PAX_SEGMEXEC
115492+ if (mm->pax_flags & MF_PAX_SEGMEXEC)
115493+ pax_task_size = SEGMEXEC_TASK_SIZE;
115494+#endif
115495+
115496+ pax_task_size -= PAGE_SIZE;
115497+
115498+ if (new_len > pax_task_size || addr > pax_task_size-new_len ||
115499+ old_len > pax_task_size || addr > pax_task_size-old_len)
115500+ return ret;
115501+
115502 down_write(&current->mm->mmap_sem);
115503
115504 if (flags & MREMAP_FIXED) {
115505@@ -554,6 +582,7 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
115506 new_addr = addr;
115507 }
115508 ret = addr;
115509+ track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
115510 goto out;
115511 }
115512 }
115513@@ -577,7 +606,12 @@ SYSCALL_DEFINE5(mremap, unsigned long, addr, unsigned long, old_len,
115514 goto out;
115515 }
115516
115517+ map_flags = vma->vm_flags;
115518 ret = move_vma(vma, addr, old_len, new_len, new_addr, &locked);
115519+ if (!(ret & ~PAGE_MASK)) {
115520+ track_exec_limit(current->mm, addr, addr + old_len, 0UL);
115521+ track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
115522+ }
115523 }
115524 out:
115525 if (ret & ~PAGE_MASK)
115526diff --git a/mm/nommu.c b/mm/nommu.c
115527index 58ea364..7b01d28 100644
115528--- a/mm/nommu.c
115529+++ b/mm/nommu.c
115530@@ -56,7 +56,6 @@ int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
115531 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
115532 unsigned long sysctl_user_reserve_kbytes __read_mostly = 1UL << 17; /* 128MB */
115533 unsigned long sysctl_admin_reserve_kbytes __read_mostly = 1UL << 13; /* 8MB */
115534-int heap_stack_gap = 0;
115535
115536 atomic_long_t mmap_pages_allocated;
115537
115538@@ -863,15 +862,6 @@ struct vm_area_struct *find_vma(struct mm_struct *mm, unsigned long addr)
115539 EXPORT_SYMBOL(find_vma);
115540
115541 /*
115542- * find a VMA
115543- * - we don't extend stack VMAs under NOMMU conditions
115544- */
115545-struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
115546-{
115547- return find_vma(mm, addr);
115548-}
115549-
115550-/*
115551 * expand a stack to a given address
115552 * - not supported under NOMMU conditions
115553 */
115554@@ -1535,6 +1525,7 @@ int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
115555
115556 /* most fields are the same, copy all, and then fixup */
115557 *new = *vma;
115558+ INIT_LIST_HEAD(&new->anon_vma_chain);
115559 *region = *vma->vm_region;
115560 new->vm_region = region;
115561
115562@@ -1935,8 +1926,8 @@ void filemap_map_pages(struct vm_area_struct *vma, struct vm_fault *vmf)
115563 }
115564 EXPORT_SYMBOL(filemap_map_pages);
115565
115566-static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
115567- unsigned long addr, void *buf, int len, int write)
115568+static ssize_t __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
115569+ unsigned long addr, void *buf, size_t len, int write)
115570 {
115571 struct vm_area_struct *vma;
115572
115573@@ -1977,8 +1968,8 @@ static int __access_remote_vm(struct task_struct *tsk, struct mm_struct *mm,
115574 *
115575 * The caller must hold a reference on @mm.
115576 */
115577-int access_remote_vm(struct mm_struct *mm, unsigned long addr,
115578- void *buf, int len, int write)
115579+ssize_t access_remote_vm(struct mm_struct *mm, unsigned long addr,
115580+ void *buf, size_t len, int write)
115581 {
115582 return __access_remote_vm(NULL, mm, addr, buf, len, write);
115583 }
115584@@ -1987,7 +1978,7 @@ int access_remote_vm(struct mm_struct *mm, unsigned long addr,
115585 * Access another process' address space.
115586 * - source/target buffer must be kernel space
115587 */
115588-int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, int len, int write)
115589+ssize_t access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, size_t len, int write)
115590 {
115591 struct mm_struct *mm;
115592
115593diff --git a/mm/page-writeback.c b/mm/page-writeback.c
115594index 5cccc12..1872e56 100644
115595--- a/mm/page-writeback.c
115596+++ b/mm/page-writeback.c
115597@@ -852,7 +852,7 @@ static long long pos_ratio_polynom(unsigned long setpoint,
115598 * card's wb_dirty may rush to many times higher than wb_setpoint.
115599 * - the wb dirty thresh drops quickly due to change of JBOD workload
115600 */
115601-static void wb_position_ratio(struct dirty_throttle_control *dtc)
115602+static void __intentional_overflow(-1) wb_position_ratio(struct dirty_throttle_control *dtc)
115603 {
115604 struct bdi_writeback *wb = dtc->wb;
115605 unsigned long write_bw = wb->avg_write_bandwidth;
115606diff --git a/mm/page_alloc.c b/mm/page_alloc.c
115607index 5b5240b..2bc0996 100644
115608--- a/mm/page_alloc.c
115609+++ b/mm/page_alloc.c
115610@@ -62,6 +62,7 @@
115611 #include <linux/sched/rt.h>
115612 #include <linux/page_owner.h>
115613 #include <linux/kthread.h>
115614+#include <linux/random.h>
115615
115616 #include <asm/sections.h>
115617 #include <asm/tlbflush.h>
115618@@ -427,7 +428,7 @@ out:
115619 * This usage means that zero-order pages may not be compound.
115620 */
115621
115622-static void free_compound_page(struct page *page)
115623+void free_compound_page(struct page *page)
115624 {
115625 __free_pages_ok(page, compound_order(page));
115626 }
115627@@ -536,7 +537,7 @@ static inline void clear_page_guard(struct zone *zone, struct page *page,
115628 __mod_zone_freepage_state(zone, (1 << order), migratetype);
115629 }
115630 #else
115631-struct page_ext_operations debug_guardpage_ops = { NULL, };
115632+struct page_ext_operations debug_guardpage_ops = { .need = NULL, .init = NULL };
115633 static inline void set_page_guard(struct zone *zone, struct page *page,
115634 unsigned int order, int migratetype) {}
115635 static inline void clear_page_guard(struct zone *zone, struct page *page,
115636@@ -908,6 +909,10 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
115637 bool compound = PageCompound(page);
115638 int i, bad = 0;
115639
115640+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115641+ unsigned long index = 1UL << order;
115642+#endif
115643+
115644 VM_BUG_ON_PAGE(PageTail(page), page);
115645 VM_BUG_ON_PAGE(compound && compound_order(page) != order, page);
115646
115647@@ -934,6 +939,12 @@ static bool free_pages_prepare(struct page *page, unsigned int order)
115648 debug_check_no_obj_freed(page_address(page),
115649 PAGE_SIZE << order);
115650 }
115651+
115652+#ifdef CONFIG_PAX_MEMORY_SANITIZE
115653+ for (; index; --index)
115654+ sanitize_highpage(page + index - 1);
115655+#endif
115656+
115657 arch_free_page(page, order);
115658 kernel_map_pages(page, 1 << order, 0);
115659
115660@@ -957,6 +968,20 @@ static void __free_pages_ok(struct page *page, unsigned int order)
115661 local_irq_restore(flags);
115662 }
115663
115664+#ifdef CONFIG_PAX_LATENT_ENTROPY
115665+bool __meminitdata extra_latent_entropy;
115666+
115667+static int __init setup_pax_extra_latent_entropy(char *str)
115668+{
115669+ extra_latent_entropy = true;
115670+ return 0;
115671+}
115672+early_param("pax_extra_latent_entropy", setup_pax_extra_latent_entropy);
115673+
115674+volatile u64 latent_entropy __latent_entropy;
115675+EXPORT_SYMBOL(latent_entropy);
115676+#endif
115677+
115678 static void __init __free_pages_boot_core(struct page *page,
115679 unsigned long pfn, unsigned int order)
115680 {
115681@@ -973,6 +998,19 @@ static void __init __free_pages_boot_core(struct page *page,
115682 __ClearPageReserved(p);
115683 set_page_count(p, 0);
115684
115685+#ifdef CONFIG_PAX_LATENT_ENTROPY
115686+ if (extra_latent_entropy && !PageHighMem(page) && page_to_pfn(page) < 0x100000) {
115687+ u64 hash = 0;
115688+ size_t index, end = PAGE_SIZE * nr_pages / sizeof hash;
115689+ const u64 *data = lowmem_page_address(page);
115690+
115691+ for (index = 0; index < end; index++)
115692+ hash ^= hash + data[index];
115693+ latent_entropy ^= hash;
115694+ add_device_randomness((const void *)&latent_entropy, sizeof(latent_entropy));
115695+ }
115696+#endif
115697+
115698 page_zone(page)->managed_pages += nr_pages;
115699 set_page_refcounted(page);
115700 __free_pages(page, order);
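Review bot: The `0x100000` in `page_to_pfn(page) < 0x100000` is an unexplained constant; with 4 KiB pages it would be the 4 GiB boundary, but the hunk does not say so or why pages above it are skipped. A named constant, or a comment giving the reason, would help. The loop reads `PAGE_SIZE * nr_pages / sizeof hash` words from `lowmem_page_address(page)`, which assumes the whole `nr_pages` run is contiguous lowmem although only the first page is tested with `PageHighMem()`; a short comment stating that assumption is worth adding.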
115701@@ -1029,7 +1067,6 @@ static inline bool __meminit meminit_pfn_in_nid(unsigned long pfn, int node,
115702 }
115703 #endif
115704
115705-
115706 void __init __free_pages_bootmem(struct page *page, unsigned long pfn,
115707 unsigned int order)
115708 {
115709@@ -1333,9 +1370,11 @@ static int prep_new_page(struct page *page, unsigned int order, gfp_t gfp_flags,
115710 kernel_map_pages(page, 1 << order, 1);
115711 kasan_alloc_pages(page, order);
115712
115713+#ifndef CONFIG_PAX_MEMORY_SANITIZE
115714 if (gfp_flags & __GFP_ZERO)
115715 for (i = 0; i < (1 << order); i++)
115716 clear_highpage(page + i);
115717+#endif
115718
115719 if (order && (gfp_flags & __GFP_COMP))
115720 prep_compound_page(page, order);
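Review bot: Compiling out the `__GFP_ZERO` clearing under `CONFIG_PAX_MEMORY_SANITIZE` has no comment explaining why it is safe. It depends on every page having gone through the `sanitize_highpage()` loop added to `free_pages_prepare()` earlier in this file before it can be allocated, and on that routine leaving the page zero-filled, neither of which this hunk shows. I would add above the `#ifndef`: `/* with MEMORY_SANITIZE pages are cleared when freed, so __GFP_ZERO needs no second pass */`, and name any path that can hand out a page that skipped `free_pages_prepare()`.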
115721@@ -2116,7 +2155,7 @@ struct page *buffered_rmqueue(struct zone *preferred_zone,
115722 }
115723
115724 __mod_zone_page_state(zone, NR_ALLOC_BATCH, -(1 << order));
115725- if (atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]) <= 0 &&
115726+ if (atomic_long_read_unchecked(&zone->vm_stat[NR_ALLOC_BATCH]) <= 0 &&
115727 !test_bit(ZONE_FAIR_DEPLETED, &zone->flags))
115728 set_bit(ZONE_FAIR_DEPLETED, &zone->flags);
115729
115730@@ -2435,7 +2474,7 @@ static void reset_alloc_batches(struct zone *preferred_zone)
115731 do {
115732 mod_zone_page_state(zone, NR_ALLOC_BATCH,
115733 high_wmark_pages(zone) - low_wmark_pages(zone) -
115734- atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]));
115735+ atomic_long_read_unchecked(&zone->vm_stat[NR_ALLOC_BATCH]));
115736 clear_bit(ZONE_FAIR_DEPLETED, &zone->flags);
115737 } while (zone++ != preferred_zone);
115738 }
115739@@ -6184,7 +6223,7 @@ static void __setup_per_zone_wmarks(void)
115740
115741 __mod_zone_page_state(zone, NR_ALLOC_BATCH,
115742 high_wmark_pages(zone) - low_wmark_pages(zone) -
115743- atomic_long_read(&zone->vm_stat[NR_ALLOC_BATCH]));
115744+ atomic_long_read_unchecked(&zone->vm_stat[NR_ALLOC_BATCH]));
115745
115746 setup_zone_migrate_reserve(zone);
115747 spin_unlock_irqrestore(&zone->lock, flags);
115748diff --git a/mm/percpu.c b/mm/percpu.c
115749index 2dd7448..9bb6305 100644
115750--- a/mm/percpu.c
115751+++ b/mm/percpu.c
115752@@ -131,7 +131,7 @@ static unsigned int pcpu_low_unit_cpu __read_mostly;
115753 static unsigned int pcpu_high_unit_cpu __read_mostly;
115754
115755 /* the address of the first chunk which starts with the kernel static area */
115756-void *pcpu_base_addr __read_mostly;
115757+void *pcpu_base_addr __read_only;
115758 EXPORT_SYMBOL_GPL(pcpu_base_addr);
115759
115760 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
115761diff --git a/mm/process_vm_access.c b/mm/process_vm_access.c
115762index e88d071..d80e01a 100644
115763--- a/mm/process_vm_access.c
115764+++ b/mm/process_vm_access.c
115765@@ -13,6 +13,7 @@
115766 #include <linux/uio.h>
115767 #include <linux/sched.h>
115768 #include <linux/highmem.h>
115769+#include <linux/security.h>
115770 #include <linux/ptrace.h>
115771 #include <linux/slab.h>
115772 #include <linux/syscalls.h>
115773@@ -154,19 +155,19 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter,
115774 ssize_t iov_len;
115775 size_t total_len = iov_iter_count(iter);
115776
115777+ return -ENOSYS; // PaX: until properly audited
115778+
115779 /*
115780 * Work out how many pages of struct pages we're going to need
115781 * when eventually calling get_user_pages
115782 */
115783 for (i = 0; i < riovcnt; i++) {
115784 iov_len = rvec[i].iov_len;
115785- if (iov_len > 0) {
115786- nr_pages_iov = ((unsigned long)rvec[i].iov_base
115787- + iov_len)
115788- / PAGE_SIZE - (unsigned long)rvec[i].iov_base
115789- / PAGE_SIZE + 1;
115790- nr_pages = max(nr_pages, nr_pages_iov);
115791- }
115792+ if (iov_len <= 0)
115793+ continue;
115794+ nr_pages_iov = ((unsigned long)rvec[i].iov_base + iov_len) / PAGE_SIZE -
115795+ (unsigned long)rvec[i].iov_base / PAGE_SIZE + 1;
115796+ nr_pages = max(nr_pages, nr_pages_iov);
115797 }
115798
115799 if (nr_pages == 0)
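Review bot: The unconditional `return -ENOSYS;` added at the top of process_vm_rw_core() makes everything below it unreachable, including the reworked `iov_len` loop in this hunk and the `gr_handle_ptrace()` check added in the next one. Unreachable code that looks like an access check is easy to mistake for an active control, and it will never be exercised until the early return is removed. Either leave the dead code unchanged until the audit is done, or make the comment explicit, e.g. `/* PaX: cross-process vm access disabled until audited; code below is currently unreachable */`. The function starts and ends outside the hunk.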
115800@@ -194,6 +195,11 @@ static ssize_t process_vm_rw_core(pid_t pid, struct iov_iter *iter,
115801 goto free_proc_pages;
115802 }
115803
115804+ if (gr_handle_ptrace(task, vm_write ? PTRACE_POKETEXT : PTRACE_ATTACH)) {
115805+ rc = -EPERM;
115806+ goto put_task_struct;
115807+ }
115808+
115809 mm = mm_access(task, PTRACE_MODE_ATTACH);
115810 if (!mm || IS_ERR(mm)) {
115811 rc = IS_ERR(mm) ? PTR_ERR(mm) : -ESRCH;
115812diff --git a/mm/rmap.c b/mm/rmap.c
115813index 171b687..1a4b7e8 100644
115814--- a/mm/rmap.c
115815+++ b/mm/rmap.c
115816@@ -168,6 +168,10 @@ int anon_vma_prepare(struct vm_area_struct *vma)
115817 struct anon_vma *anon_vma = vma->anon_vma;
115818 struct anon_vma_chain *avc;
115819
115820+#ifdef CONFIG_PAX_SEGMEXEC
115821+ struct anon_vma_chain *avc_m = NULL;
115822+#endif
115823+
115824 might_sleep();
115825 if (unlikely(!anon_vma)) {
115826 struct mm_struct *mm = vma->vm_mm;
115827@@ -177,6 +181,12 @@ int anon_vma_prepare(struct vm_area_struct *vma)
115828 if (!avc)
115829 goto out_enomem;
115830
115831+#ifdef CONFIG_PAX_SEGMEXEC
115832+ avc_m = anon_vma_chain_alloc(GFP_KERNEL);
115833+ if (!avc_m)
115834+ goto out_enomem_free_avc;
115835+#endif
115836+
115837 anon_vma = find_mergeable_anon_vma(vma);
115838 allocated = NULL;
115839 if (!anon_vma) {
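Review bot: `avc_m` is allocated on every slow-path call of anon_vma_prepare() under CONFIG_PAX_SEGMEXEC, although the following hunks show it is used only when `pax_find_mirror_vma()` returns a vma and is freed otherwise. The reason is presumably that a `GFP_KERNEL` allocation may sleep and so cannot wait until `page_table_lock` is held, but nothing says so. A comment above the allocation would stop a later reader from "optimising" it into the locked region, e.g. `/* preallocate for a possible mirror vma: cannot allocate under page_table_lock */`.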
115840@@ -190,6 +200,19 @@ int anon_vma_prepare(struct vm_area_struct *vma)
115841 /* page_table_lock to protect against threads */
115842 spin_lock(&mm->page_table_lock);
115843 if (likely(!vma->anon_vma)) {
115844+
115845+#ifdef CONFIG_PAX_SEGMEXEC
115846+ struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
115847+
115848+ if (vma_m) {
115849+ BUG_ON(vma_m->anon_vma);
115850+ vma_m->anon_vma = anon_vma;
115851+ anon_vma_chain_link(vma_m, avc_m, anon_vma);
115852+ anon_vma->degree++;
115853+ avc_m = NULL;
115854+ }
115855+#endif
115856+
115857 vma->anon_vma = anon_vma;
115858 anon_vma_chain_link(vma, avc, anon_vma);
115859 /* vma reference or self-parent link for new root */
115860@@ -202,12 +225,24 @@ int anon_vma_prepare(struct vm_area_struct *vma)
115861
115862 if (unlikely(allocated))
115863 put_anon_vma(allocated);
115864+
115865+#ifdef CONFIG_PAX_SEGMEXEC
115866+ if (unlikely(avc_m))
115867+ anon_vma_chain_free(avc_m);
115868+#endif
115869+
115870 if (unlikely(avc))
115871 anon_vma_chain_free(avc);
115872 }
115873 return 0;
115874
115875 out_enomem_free_avc:
115876+
115877+#ifdef CONFIG_PAX_SEGMEXEC
115878+ if (avc_m)
115879+ anon_vma_chain_free(avc_m);
115880+#endif
115881+
115882 anon_vma_chain_free(avc);
115883 out_enomem:
115884 return -ENOMEM;
115885@@ -251,7 +286,7 @@ static inline void unlock_anon_vma_root(struct anon_vma *root)
115886 * good chance of avoiding scanning the whole hierarchy when it searches where
115887 * page is mapped.
115888 */
115889-int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
115890+int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
115891 {
115892 struct anon_vma_chain *avc, *pavc;
115893 struct anon_vma *root = NULL;
115894@@ -305,7 +340,7 @@ int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
115895 * the corresponding VMA in the parent process is attached to.
115896 * Returns 0 on success, non-zero on failure.
115897 */
115898-int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
115899+int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
115900 {
115901 struct anon_vma_chain *avc;
115902 struct anon_vma *anon_vma;
115903@@ -425,8 +460,10 @@ static void anon_vma_ctor(void *data)
115904 void __init anon_vma_init(void)
115905 {
115906 anon_vma_cachep = kmem_cache_create("anon_vma", sizeof(struct anon_vma),
115907- 0, SLAB_DESTROY_BY_RCU|SLAB_PANIC, anon_vma_ctor);
115908- anon_vma_chain_cachep = KMEM_CACHE(anon_vma_chain, SLAB_PANIC);
115909+ 0, SLAB_DESTROY_BY_RCU|SLAB_PANIC|SLAB_NO_SANITIZE,
115910+ anon_vma_ctor);
115911+ anon_vma_chain_cachep = KMEM_CACHE(anon_vma_chain,
115912+ SLAB_PANIC|SLAB_NO_SANITIZE);
115913 }
115914
115915 /*
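Review bot: Both caches in anon_vma_init() are opted out of free-time sanitization with `SLAB_NO_SANITIZE`, and nothing explains why. For `anon_vma` the flag is redundant with the `SLAB_DESTROY_BY_RCU` rule in the kmem_cache_create() hunk further down. For `anon_vma_chain` it is an explicit exemption that only full mode overrides, via `flags &= ~SLAB_NO_SANITIZE`. A short comment would help whoever audits the exemption list, for example `/* frequently used caches holding no user data: skipped by fast sanitization */`, if that is the actual rationale.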
115916diff --git a/mm/shmem.c b/mm/shmem.c
115917index dbe0c1e..22c16c7 100644
115918--- a/mm/shmem.c
115919+++ b/mm/shmem.c
115920@@ -33,7 +33,7 @@
115921 #include <linux/swap.h>
115922 #include <linux/uio.h>
115923
115924-static struct vfsmount *shm_mnt;
115925+struct vfsmount *shm_mnt;
115926
115927 #ifdef CONFIG_SHMEM
115928 /*
115929@@ -80,7 +80,7 @@ static struct vfsmount *shm_mnt;
115930 #define BOGO_DIRENT_SIZE 20
115931
115932 /* Symlink up to this size is kmalloc'ed instead of using a swappable page */
115933-#define SHORT_SYMLINK_LEN 128
115934+#define SHORT_SYMLINK_LEN 64
115935
115936 /*
115937 * shmem_fallocate communicates with shmem_fault or shmem_writepage via
115938@@ -2549,6 +2549,11 @@ static const struct xattr_handler *shmem_xattr_handlers[] = {
115939 static int shmem_xattr_validate(const char *name)
115940 {
115941 struct { const char *prefix; size_t len; } arr[] = {
115942+
115943+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
115944+ { XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN},
115945+#endif
115946+
115947 { XATTR_SECURITY_PREFIX, XATTR_SECURITY_PREFIX_LEN },
115948 { XATTR_TRUSTED_PREFIX, XATTR_TRUSTED_PREFIX_LEN }
115949 };
115950@@ -2604,6 +2609,15 @@ static int shmem_setxattr(struct dentry *dentry, const char *name,
115951 if (err)
115952 return err;
115953
115954+#ifdef CONFIG_PAX_XATTR_PAX_FLAGS
115955+ if (!strncmp(name, XATTR_USER_PREFIX, XATTR_USER_PREFIX_LEN)) {
115956+ if (strcmp(name, XATTR_NAME_PAX_FLAGS))
115957+ return -EOPNOTSUPP;
115958+ if (size > 8)
115959+ return -EINVAL;
115960+ }
115961+#endif
115962+
115963 return simple_xattr_set(&info->xattrs, name, value, size, flags);
115964 }
115965
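Review bot: `if (size > 8)` caps the PaX flags attribute with a bare number; the limit should be named or explained, e.g. `/* the PaX flags value is at most 8 bytes */` or a `#define` beside `XATTR_NAME_PAX_FLAGS`. The name restriction is also enforced only in shmem_setxattr(): the shmem_xattr_validate() hunk above admits every `user.` name, so any other handler that relies on the validator accepts names that set refuses. That is probably harmless because nothing else can be stored, but a comment in the validator would make the intent clear. shmem_setxattr() begins outside the hunk.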
115966@@ -2987,8 +3001,7 @@ int shmem_fill_super(struct super_block *sb, void *data, int silent)
115967 int err = -ENOMEM;
115968
115969 /* Round up to L1_CACHE_BYTES to resist false sharing */
115970- sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
115971- L1_CACHE_BYTES), GFP_KERNEL);
115972+ sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
115973 if (!sbinfo)
115974 return -ENOMEM;
115975
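Review bot: Dropping the `(int)` cast makes `max()` compare a `size_t` with `L1_CACHE_BYTES`, which only passes the kernel's `max()` type check if that macro has exactly the same type as `size_t` on every architecture. Its definition is not in this hunk. `max_t(size_t, sizeof(struct shmem_sb_info), L1_CACHE_BYTES)` states the intended type and does not depend on how the macro is defined.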
115976diff --git a/mm/slab.c b/mm/slab.c
115977index ae36028..eb6af9e 100644
115978--- a/mm/slab.c
115979+++ b/mm/slab.c
115980@@ -116,6 +116,7 @@
115981 #include <linux/kmemcheck.h>
115982 #include <linux/memory.h>
115983 #include <linux/prefetch.h>
115984+#include <linux/vmalloc.h>
115985
115986 #include <net/sock.h>
115987
115988@@ -314,10 +315,12 @@ static void kmem_cache_node_init(struct kmem_cache_node *parent)
115989 if ((x)->max_freeable < i) \
115990 (x)->max_freeable = i; \
115991 } while (0)
115992-#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
115993-#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
115994-#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
115995-#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
115996+#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
115997+#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
115998+#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
115999+#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
116000+#define STATS_INC_SANITIZED(x) atomic_inc_unchecked(&(x)->sanitized)
116001+#define STATS_INC_NOT_SANITIZED(x) atomic_inc_unchecked(&(x)->not_sanitized)
116002 #else
116003 #define STATS_INC_ACTIVE(x) do { } while (0)
116004 #define STATS_DEC_ACTIVE(x) do { } while (0)
116005@@ -334,6 +337,8 @@ static void kmem_cache_node_init(struct kmem_cache_node *parent)
116006 #define STATS_INC_ALLOCMISS(x) do { } while (0)
116007 #define STATS_INC_FREEHIT(x) do { } while (0)
116008 #define STATS_INC_FREEMISS(x) do { } while (0)
116009+#define STATS_INC_SANITIZED(x) do { } while (0)
116010+#define STATS_INC_NOT_SANITIZED(x) do { } while (0)
116011 #endif
116012
116013 #if DEBUG
116014@@ -450,7 +455,7 @@ static inline void *index_to_obj(struct kmem_cache *cache, struct page *page,
116015 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
116016 */
116017 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
116018- const struct page *page, void *obj)
116019+ const struct page *page, const void *obj)
116020 {
116021 u32 offset = (obj - page->s_mem);
116022 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
116023@@ -1452,7 +1457,7 @@ void __init kmem_cache_init(void)
116024 * structures first. Without this, further allocations will bug.
116025 */
116026 kmalloc_caches[INDEX_NODE] = create_kmalloc_cache("kmalloc-node",
116027- kmalloc_size(INDEX_NODE), ARCH_KMALLOC_FLAGS);
116028+ kmalloc_size(INDEX_NODE), SLAB_USERCOPY | ARCH_KMALLOC_FLAGS);
116029 slab_state = PARTIAL_NODE;
116030 setup_kmalloc_cache_index_table();
116031
116032@@ -2074,7 +2079,7 @@ __kmem_cache_alias(const char *name, size_t size, size_t align,
116033
116034 cachep = find_mergeable(size, align, flags, name, ctor);
116035 if (cachep) {
116036- cachep->refcount++;
116037+ atomic_inc(&cachep->refcount);
116038
116039 /*
116040 * Adjust the object sizes so that we clear
116041@@ -3379,6 +3384,20 @@ static inline void __cache_free(struct kmem_cache *cachep, void *objp,
116042 struct array_cache *ac = cpu_cache_get(cachep);
116043
116044 check_irq_off();
116045+
116046+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116047+ if (cachep->flags & (SLAB_POISON | SLAB_NO_SANITIZE))
116048+ STATS_INC_NOT_SANITIZED(cachep);
116049+ else {
116050+ memset(objp, PAX_MEMORY_SANITIZE_VALUE, cachep->object_size);
116051+
116052+ if (cachep->ctor)
116053+ cachep->ctor(objp);
116054+
116055+ STATS_INC_SANITIZED(cachep);
116056+ }
116057+#endif
116058+
116059 kmemleak_free_recursive(objp, cachep->flags);
116060 objp = cache_free_debugcheck(cachep, objp, caller);
116061
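Review bot: The sanitize decision in __cache_free() is taken from `cachep->flags` alone, while the SLOB counterpart in slob_free() tests `pax_sanitize_slab` at free time. In the hunks shown, `pax_sanitize_slab=off` reaches SLAB caches only through the flag adjustment in kmem_cache_create(), and the kmalloc caches are built by create_kmalloc_cache(), which these hunks do not show applying it. It is worth confirming that the boot option behaves the same under both allocators. Separately, the constructor re-run after the `memset()` deserves a comment such as `/* restore the constructed state that the fill just overwrote */`.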
116062@@ -3491,7 +3510,7 @@ __do_kmalloc_node(size_t size, gfp_t flags, int node, unsigned long caller)
116063 return kmem_cache_alloc_node_trace(cachep, flags, node, size);
116064 }
116065
116066-void *__kmalloc_node(size_t size, gfp_t flags, int node)
116067+void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)
116068 {
116069 return __do_kmalloc_node(size, flags, node, _RET_IP_);
116070 }
116071@@ -3511,7 +3530,7 @@ EXPORT_SYMBOL(__kmalloc_node_track_caller);
116072 * @flags: the type of memory to allocate (see kmalloc).
116073 * @caller: function caller for debug tracking of the caller
116074 */
116075-static __always_inline void *__do_kmalloc(size_t size, gfp_t flags,
116076+static __always_inline void * __size_overflow(1) __do_kmalloc(size_t size, gfp_t flags,
116077 unsigned long caller)
116078 {
116079 struct kmem_cache *cachep;
116080@@ -3584,6 +3603,7 @@ void kfree(const void *objp)
116081
116082 if (unlikely(ZERO_OR_NULL_PTR(objp)))
116083 return;
116084+ VM_BUG_ON(!virt_addr_valid(objp));
116085 local_irq_save(flags);
116086 kfree_debugcheck(objp);
116087 c = virt_to_cache(objp);
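Review bot: `VM_BUG_ON(!virt_addr_valid(objp))` in kfree() is compiled in only with CONFIG_DEBUG_VM, so kernels built without it get no check before `virt_to_cache(objp)`. The slab.h hunk for cache_from_obj() uses an unconditional `BUG_ON(!PageSlab(page))` for a comparable sanity test. If the pointer validation here is meant as hardening rather than as a debugging aid, it should be `BUG_ON(!virt_addr_valid(objp));`; otherwise a comment should say that it is debug-only by intent.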
116088@@ -4003,14 +4023,22 @@ void slabinfo_show_stats(struct seq_file *m, struct kmem_cache *cachep)
116089 }
116090 /* cpu stats */
116091 {
116092- unsigned long allochit = atomic_read(&cachep->allochit);
116093- unsigned long allocmiss = atomic_read(&cachep->allocmiss);
116094- unsigned long freehit = atomic_read(&cachep->freehit);
116095- unsigned long freemiss = atomic_read(&cachep->freemiss);
116096+ unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
116097+ unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
116098+ unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
116099+ unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
116100
116101 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
116102 allochit, allocmiss, freehit, freemiss);
116103 }
116104+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116105+ {
116106+ unsigned long sanitized = atomic_read_unchecked(&cachep->sanitized);
116107+ unsigned long not_sanitized = atomic_read_unchecked(&cachep->not_sanitized);
116108+
116109+ seq_printf(m, " : pax %6lu %6lu", sanitized, not_sanitized);
116110+ }
116111+#endif
116112 #endif
116113 }
116114
116115@@ -4218,13 +4246,80 @@ static const struct file_operations proc_slabstats_operations = {
116116 static int __init slab_proc_init(void)
116117 {
116118 #ifdef CONFIG_DEBUG_SLAB_LEAK
116119- proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
116120+ proc_create("slab_allocators", S_IRUSR, NULL, &proc_slabstats_operations);
116121 #endif
116122 return 0;
116123 }
116124 module_init(slab_proc_init);
116125 #endif
116126
116127+bool is_usercopy_object(const void *ptr)
116128+{
116129+ struct page *page;
116130+ struct kmem_cache *cachep;
116131+
116132+ if (ZERO_OR_NULL_PTR(ptr))
116133+ return false;
116134+
116135+ if (!slab_is_available())
116136+ return false;
116137+
116138+ if (is_vmalloc_addr(ptr)
116139+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
116140+ && !object_starts_on_stack(ptr)
116141+#endif
116142+ ) {
116143+ struct vm_struct *vm = find_vm_area(ptr);
116144+ if (vm && (vm->flags & VM_USERCOPY))
116145+ return true;
116146+ return false;
116147+ }
116148+
116149+ if (!virt_addr_valid(ptr))
116150+ return false;
116151+
116152+ page = virt_to_head_page(ptr);
116153+
116154+ if (!PageSlab(page))
116155+ return false;
116156+
116157+ cachep = page->slab_cache;
116158+ return cachep->flags & SLAB_USERCOPY;
116159+}
116160+
116161+#ifdef CONFIG_PAX_USERCOPY
116162+const char *check_heap_object(const void *ptr, unsigned long n)
116163+{
116164+ struct page *page;
116165+ struct kmem_cache *cachep;
116166+ unsigned int objnr;
116167+ unsigned long offset;
116168+
116169+ if (ZERO_OR_NULL_PTR(ptr))
116170+ return "<null>";
116171+
116172+ if (!virt_addr_valid(ptr))
116173+ return NULL;
116174+
116175+ page = virt_to_head_page(ptr);
116176+
116177+ if (!PageSlab(page))
116178+ return NULL;
116179+
116180+ cachep = page->slab_cache;
116181+ if (!(cachep->flags & SLAB_USERCOPY))
116182+ return cachep->name;
116183+
116184+ objnr = obj_to_index(cachep, page, ptr);
116185+ BUG_ON(objnr >= cachep->num);
116186+ offset = ptr - index_to_obj(cachep, page, objnr) - obj_offset(cachep);
116187+ if (offset <= cachep->object_size && n <= cachep->object_size - offset)
116188+ return NULL;
116189+
116190+ return cachep->name;
116191+}
116192+#endif
116193+
116194 /**
116195 * ksize - get the actual amount of memory allocated for a given object
116196 * @objp: Pointer to the object
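Review bot: check_heap_object() and is_usercopy_object() are added without any description of their return contract, and the one for check_heap_object() is not what the name suggests. `NULL` means the range is acceptable or is not slab memory at all, while a non-NULL string (the cache name, or `"<null>"`) means the copy must be rejected. A kernel-doc block above each function should state this and say that `n` is the number of bytes about to be copied. The bounds test `offset <= cachep->object_size && n <= cachep->object_size - offset` also depends on `offset` being unsigned, so that a pointer below the object start wraps to a large value. A one-line comment there, `/* offset wraps if ptr precedes the object, failing the first test */`, would keep a later type change from weakening the check.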
116197diff --git a/mm/slab.h b/mm/slab.h
116198index 8da63e4..50c423b 100644
116199--- a/mm/slab.h
116200+++ b/mm/slab.h
116201@@ -22,7 +22,7 @@ struct kmem_cache {
116202 unsigned int align; /* Alignment as calculated */
116203 unsigned long flags; /* Active flags on the slab */
116204 const char *name; /* Slab name for sysfs */
116205- int refcount; /* Use counter */
116206+ atomic_t refcount; /* Use counter */
116207 void (*ctor)(void *); /* Called on object slot creation */
116208 struct list_head list; /* List of all slab caches on the system */
116209 };
116210@@ -66,6 +66,20 @@ extern struct list_head slab_caches;
116211 /* The slab cache that manages slab cache information */
116212 extern struct kmem_cache *kmem_cache;
116213
116214+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116215+#ifdef CONFIG_X86_64
116216+#define PAX_MEMORY_SANITIZE_VALUE '\xfe'
116217+#else
116218+#define PAX_MEMORY_SANITIZE_VALUE '\xff'
116219+#endif
116220+enum pax_sanitize_mode {
116221+ PAX_SANITIZE_SLAB_OFF = 0,
116222+ PAX_SANITIZE_SLAB_FAST,
116223+ PAX_SANITIZE_SLAB_FULL,
116224+};
116225+extern enum pax_sanitize_mode pax_sanitize_slab;
116226+#endif
116227+
116228 unsigned long calculate_alignment(unsigned long flags,
116229 unsigned long align, unsigned long size);
116230
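Review bot: The fill byte differs by architecture (`'\xfe'` on x86_64, `'\xff'` elsewhere) and nothing explains why. A comment should record the reason, presumably that a pointer read back from a sanitized object is then not a usable address on either layout, e.g. `/* fill chosen so that stale pointers read from freed objects fault; confirm per arch */`. The `enum pax_sanitize_mode` values would also benefit from one line each, since in the hunks shown `FAST` and `FULL` are told apart only in kmem_cache_create().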
116231@@ -115,7 +129,8 @@ static inline unsigned long kmem_cache_flags(unsigned long object_size,
116232
116233 /* Legal flag mask for kmem_cache_create(), for various configurations */
116234 #define SLAB_CORE_FLAGS (SLAB_HWCACHE_ALIGN | SLAB_CACHE_DMA | SLAB_PANIC | \
116235- SLAB_DESTROY_BY_RCU | SLAB_DEBUG_OBJECTS )
116236+ SLAB_DESTROY_BY_RCU | SLAB_DEBUG_OBJECTS | \
116237+ SLAB_USERCOPY | SLAB_NO_SANITIZE)
116238
116239 #if defined(CONFIG_DEBUG_SLAB)
116240 #define SLAB_DEBUG_FLAGS (SLAB_RED_ZONE | SLAB_POISON | SLAB_STORE_USER)
116241@@ -316,6 +331,9 @@ static inline struct kmem_cache *cache_from_obj(struct kmem_cache *s, void *x)
116242 return s;
116243
116244 page = virt_to_head_page(x);
116245+
116246+ BUG_ON(!PageSlab(page));
116247+
116248 cachep = page->slab_cache;
116249 if (slab_equal_or_root(cachep, s))
116250 return cachep;
116251diff --git a/mm/slab_common.c b/mm/slab_common.c
116252index 8683110..916e2c5 100644
116253--- a/mm/slab_common.c
116254+++ b/mm/slab_common.c
116255@@ -25,11 +25,35 @@
116256
116257 #include "slab.h"
116258
116259-enum slab_state slab_state;
116260+enum slab_state slab_state __read_only;
116261 LIST_HEAD(slab_caches);
116262 DEFINE_MUTEX(slab_mutex);
116263 struct kmem_cache *kmem_cache;
116264
116265+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116266+enum pax_sanitize_mode pax_sanitize_slab __read_only = PAX_SANITIZE_SLAB_FAST;
116267+static int __init pax_sanitize_slab_setup(char *str)
116268+{
116269+ if (!str)
116270+ return 0;
116271+
116272+ if (!strcmp(str, "0") || !strcmp(str, "off")) {
116273+ pr_info("PaX slab sanitization: %s\n", "disabled");
116274+ pax_sanitize_slab = PAX_SANITIZE_SLAB_OFF;
116275+ } else if (!strcmp(str, "1") || !strcmp(str, "fast")) {
116276+ pr_info("PaX slab sanitization: %s\n", "fast");
116277+ pax_sanitize_slab = PAX_SANITIZE_SLAB_FAST;
116278+ } else if (!strcmp(str, "full")) {
116279+ pr_info("PaX slab sanitization: %s\n", "full");
116280+ pax_sanitize_slab = PAX_SANITIZE_SLAB_FULL;
116281+ } else
116282+ pr_err("PaX slab sanitization: unsupported option '%s'\n", str);
116283+
116284+ return 0;
116285+}
116286+early_param("pax_sanitize_slab", pax_sanitize_slab_setup);
116287+#endif
116288+
116289 /*
116290 * Set of flags that will prevent slab merging
116291 */
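Review bot: pax_sanitize_slab_setup() accepts `0`/`off` and `1`/`fast` but only the word `full`, with no numeric alias. An unrecognised value is logged and then leaves the default `PAX_SANITIZE_SLAB_FAST` in place. A typo in the boot parameter therefore neither disables nor strengthens sanitization, which fails safe but is easy to miss, so the accepted values should be listed in a comment above the function. Passing the mode name through `"%s"` to `pr_info()` instead of writing it into the format string is also unusual and could be simplified.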
116292@@ -43,7 +67,7 @@ struct kmem_cache *kmem_cache;
116293 * Merge control. If this is set then no merging of slab caches will occur.
116294 * (Could be removed. This was introduced to pacify the merge skeptics.)
116295 */
116296-static int slab_nomerge;
116297+static int slab_nomerge = 1;
116298
116299 static int __init setup_slab_nomerge(char *str)
116300 {
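Review bot: Initialising `slab_nomerge` to 1 turns cache merging off by default, but the comment above the variable still reads as if merging were the norm and the flag an opt-out. It should be updated, e.g. `/* Merging is disabled by default here so that unrelated object types do not share a cache. */`. setup_slab_nomerge() continues outside the hunk; if it can only set the flag, there is no boot-time way left to re-enable merging, and the comment should say that too.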
116301@@ -216,7 +240,7 @@ int slab_unmergeable(struct kmem_cache *s)
116302 /*
116303 * We may have set a slab to be unmergeable during bootstrap.
116304 */
116305- if (s->refcount < 0)
116306+ if (atomic_read(&s->refcount) < 0)
116307 return 1;
116308
116309 return 0;
116310@@ -320,7 +344,7 @@ do_kmem_cache_create(const char *name, size_t object_size, size_t size,
116311 if (err)
116312 goto out_free_cache;
116313
116314- s->refcount = 1;
116315+ atomic_set(&s->refcount, 1);
116316 list_add(&s->list, &slab_caches);
116317 out:
116318 if (err)
116319@@ -385,6 +409,13 @@ kmem_cache_create(const char *name, size_t size, size_t align,
116320 */
116321 flags &= CACHE_CREATE_MASK;
116322
116323+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116324+ if (pax_sanitize_slab == PAX_SANITIZE_SLAB_OFF || (flags & SLAB_DESTROY_BY_RCU))
116325+ flags |= SLAB_NO_SANITIZE;
116326+ else if (pax_sanitize_slab == PAX_SANITIZE_SLAB_FULL)
116327+ flags &= ~SLAB_NO_SANITIZE;
116328+#endif
116329+
116330 s = __kmem_cache_alias(name, size, align, flags, ctor);
116331 if (s)
116332 goto out_unlock;
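Review bot: The three-way mode handling added to kmem_cache_create() needs a comment. Off forces `SLAB_NO_SANITIZE` on every cache, full strips a caller's `SLAB_NO_SANITIZE`, and fast leaves the caller's choice alone, while `SLAB_DESTROY_BY_RCU` caches are exempt in every mode. The RCU exemption is the non-obvious part; presumably readers may still look at such an object after it has been freed, so overwriting it at free time would break them. Something like `/* RCU-freed objects may still be read after free: never sanitize */` above the first branch would cover it.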
116333@@ -455,7 +486,7 @@ static void do_kmem_cache_release(struct list_head *release,
116334 rcu_barrier();
116335
116336 list_for_each_entry_safe(s, s2, release, list) {
116337-#ifdef SLAB_SUPPORTS_SYSFS
116338+#if defined(SLAB_SUPPORTS_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
116339 sysfs_slab_remove(s);
116340 #else
116341 slab_kmem_cache_release(s);
116342@@ -624,8 +655,7 @@ void kmem_cache_destroy(struct kmem_cache *s)
116343
116344 mutex_lock(&slab_mutex);
116345
116346- s->refcount--;
116347- if (s->refcount)
116348+ if (!atomic_dec_and_test(&s->refcount))
116349 goto out_unlock;
116350
116351 for_each_memcg_cache_safe(c, c2, s) {
116352@@ -690,7 +720,7 @@ void __init create_boot_cache(struct kmem_cache *s, const char *name, size_t siz
116353 panic("Creation of kmalloc slab %s size=%zu failed. Reason %d\n",
116354 name, size, err);
116355
116356- s->refcount = -1; /* Exempt from merging for now */
116357+ atomic_set(&s->refcount, -1); /* Exempt from merging for now */
116358 }
116359
116360 struct kmem_cache *__init create_kmalloc_cache(const char *name, size_t size,
116361@@ -703,7 +733,7 @@ struct kmem_cache *__init create_kmalloc_cache(const char *name, size_t size,
116362
116363 create_boot_cache(s, name, size, flags);
116364 list_add(&s->list, &slab_caches);
116365- s->refcount = 1;
116366+ atomic_set(&s->refcount, 1);
116367 return s;
116368 }
116369
116370@@ -715,6 +745,11 @@ struct kmem_cache *kmalloc_dma_caches[KMALLOC_SHIFT_HIGH + 1];
116371 EXPORT_SYMBOL(kmalloc_dma_caches);
116372 #endif
116373
116374+#ifdef CONFIG_PAX_USERCOPY_SLABS
116375+struct kmem_cache *kmalloc_usercopy_caches[KMALLOC_SHIFT_HIGH + 1];
116376+EXPORT_SYMBOL(kmalloc_usercopy_caches);
116377+#endif
116378+
116379 /*
116380 * Conversion table for small slabs sizes / 8 to the index in the
116381 * kmalloc array. This is necessary for slabs < 192 since we have non power
116382@@ -779,6 +814,13 @@ struct kmem_cache *kmalloc_slab(size_t size, gfp_t flags)
116383 return kmalloc_dma_caches[index];
116384
116385 #endif
116386+
116387+#ifdef CONFIG_PAX_USERCOPY_SLABS
116388+ if (unlikely((flags & GFP_USERCOPY)))
116389+ return kmalloc_usercopy_caches[index];
116390+
116391+#endif
116392+
116393 return kmalloc_caches[index];
116394 }
116395
116396@@ -871,7 +913,7 @@ void __init create_kmalloc_caches(unsigned long flags)
116397
116398 for (i = KMALLOC_SHIFT_LOW; i <= KMALLOC_SHIFT_HIGH; i++) {
116399 if (!kmalloc_caches[i])
116400- new_kmalloc_cache(i, flags);
116401+ new_kmalloc_cache(i, SLAB_USERCOPY | flags);
116402
116403 /*
116404 * Caches that are not of the two-to-the-power-of size.
116405@@ -879,9 +921,9 @@ void __init create_kmalloc_caches(unsigned long flags)
116406 * earlier power of two caches
116407 */
116408 if (KMALLOC_MIN_SIZE <= 32 && !kmalloc_caches[1] && i == 6)
116409- new_kmalloc_cache(1, flags);
116410+ new_kmalloc_cache(1, SLAB_USERCOPY | flags);
116411 if (KMALLOC_MIN_SIZE <= 64 && !kmalloc_caches[2] && i == 7)
116412- new_kmalloc_cache(2, flags);
116413+ new_kmalloc_cache(2, SLAB_USERCOPY | flags);
116414 }
116415
116416 /* Kmalloc array is now usable */
116417@@ -902,6 +944,23 @@ void __init create_kmalloc_caches(unsigned long flags)
116418 }
116419 }
116420 #endif
116421+
116422+#ifdef CONFIG_PAX_USERCOPY_SLABS
116423+ for (i = 0; i <= KMALLOC_SHIFT_HIGH; i++) {
116424+ struct kmem_cache *s = kmalloc_caches[i];
116425+
116426+ if (s) {
116427+ int size = kmalloc_size(i);
116428+ char *n = kasprintf(GFP_NOWAIT,
116429+ "usercopy-kmalloc-%d", size);
116430+
116431+ BUG_ON(!n);
116432+ kmalloc_usercopy_caches[i] = create_kmalloc_cache(n,
116433+ size, SLAB_USERCOPY | flags);
116434+ }
116435+ }
116436+#endif
116437+
116438 }
116439 #endif /* !CONFIG_SLOB */
116440
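Review bot: The new `usercopy-kmalloc-*` caches are created with `SLAB_USERCOPY | flags`, the same flags that the earlier hunks of create_kmalloc_caches() now give the ordinary kmalloc caches. In these hunks the two sets therefore differ only by name and by the `GFP_USERCOPY` routing in kmalloc_slab(). If the purpose is to keep buffers that are copied to or from user space in caches of their own, a comment above the loop should say so. If the ordinary caches were not meant to carry `SLAB_USERCOPY` in this configuration, that needs checking against the flag's definition, which is outside the hunk.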
116441@@ -961,6 +1020,9 @@ static void print_slabinfo_header(struct seq_file *m)
116442 seq_puts(m, " : globalstat <listallocs> <maxobjs> <grown> <reaped> "
116443 "<error> <maxfreeable> <nodeallocs> <remotefrees> <alienoverflow>");
116444 seq_puts(m, " : cpustat <allochit> <allocmiss> <freehit> <freemiss>");
116445+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116446+ seq_puts(m, " : pax <sanitized> <not_sanitized>");
116447+#endif
116448 #endif
116449 seq_putc(m, '\n');
116450 }
116451@@ -1090,7 +1152,7 @@ static int __init slab_proc_init(void)
116452 module_init(slab_proc_init);
116453 #endif /* CONFIG_SLABINFO */
116454
116455-static __always_inline void *__do_krealloc(const void *p, size_t new_size,
116456+static __always_inline void * __size_overflow(2) __do_krealloc(const void *p, size_t new_size,
116457 gfp_t flags)
116458 {
116459 void *ret;
116460diff --git a/mm/slob.c b/mm/slob.c
116461index 4765f65..5dec45e 100644
116462--- a/mm/slob.c
116463+++ b/mm/slob.c
116464@@ -67,6 +67,7 @@
116465 #include <linux/rcupdate.h>
116466 #include <linux/list.h>
116467 #include <linux/kmemleak.h>
116468+#include <linux/vmalloc.h>
116469
116470 #include <trace/events/kmem.h>
116471
116472@@ -157,7 +158,7 @@ static void set_slob(slob_t *s, slobidx_t size, slob_t *next)
116473 /*
116474 * Return the size of a slob block.
116475 */
116476-static slobidx_t slob_units(slob_t *s)
116477+static slobidx_t slob_units(const slob_t *s)
116478 {
116479 if (s->units > 0)
116480 return s->units;
116481@@ -167,7 +168,7 @@ static slobidx_t slob_units(slob_t *s)
116482 /*
116483 * Return the next free slob block pointer after this one.
116484 */
116485-static slob_t *slob_next(slob_t *s)
116486+static slob_t *slob_next(const slob_t *s)
116487 {
116488 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
116489 slobidx_t next;
116490@@ -182,14 +183,14 @@ static slob_t *slob_next(slob_t *s)
116491 /*
116492 * Returns true if s is the last free block in its page.
116493 */
116494-static int slob_last(slob_t *s)
116495+static int slob_last(const slob_t *s)
116496 {
116497 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
116498 }
116499
116500-static void *slob_new_pages(gfp_t gfp, int order, int node)
116501+static struct page *slob_new_pages(gfp_t gfp, unsigned int order, int node)
116502 {
116503- void *page;
116504+ struct page *page;
116505
116506 #ifdef CONFIG_NUMA
116507 if (node != NUMA_NO_NODE)
116508@@ -201,14 +202,18 @@ static void *slob_new_pages(gfp_t gfp, int order, int node)
116509 if (!page)
116510 return NULL;
116511
116512- return page_address(page);
116513+ __SetPageSlab(page);
116514+ return page;
116515 }
116516
116517-static void slob_free_pages(void *b, int order)
116518+static void slob_free_pages(struct page *sp, int order)
116519 {
116520 if (current->reclaim_state)
116521 current->reclaim_state->reclaimed_slab += 1 << order;
116522- free_pages((unsigned long)b, order);
116523+ __ClearPageSlab(sp);
116524+ page_mapcount_reset(sp);
116525+ sp->private = 0;
116526+ __free_pages(sp, order);
116527 }
116528
116529 /*
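Review bot: After this change `page->private` decides what kind of SLOB page this is, and that protocol is not written down anywhere. It is zero for a page carved into small blocks (set in slob_alloc()) and holds the allocation size for a large kmalloc (set in __do_kmalloc_node_align(), tested in kfree()). Because the protocol is spread over several hunks, a comment above slob_new_pages() should state it, e.g. `/* page->private: 0 = slob block page, otherwise byte size of a large allocation */`. Minor: slob_new_pages() now takes `unsigned int order` while slob_free_pages() keeps `int order`.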
116530@@ -313,15 +318,15 @@ static void *slob_alloc(size_t size, gfp_t gfp, int align, int node)
116531
116532 /* Not enough space: must allocate a new page */
116533 if (!b) {
116534- b = slob_new_pages(gfp & ~__GFP_ZERO, 0, node);
116535- if (!b)
116536+ sp = slob_new_pages(gfp & ~__GFP_ZERO, 0, node);
116537+ if (!sp)
116538 return NULL;
116539- sp = virt_to_page(b);
116540- __SetPageSlab(sp);
116541+ b = page_address(sp);
116542
116543 spin_lock_irqsave(&slob_lock, flags);
116544 sp->units = SLOB_UNITS(PAGE_SIZE);
116545 sp->freelist = b;
116546+ sp->private = 0;
116547 INIT_LIST_HEAD(&sp->lru);
116548 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
116549 set_slob_page_free(sp, slob_list);
116550@@ -337,7 +342,7 @@ static void *slob_alloc(size_t size, gfp_t gfp, int align, int node)
116551 /*
116552 * slob_free: entry point into the slob allocator.
116553 */
116554-static void slob_free(void *block, int size)
116555+static void slob_free(struct kmem_cache *c, void *block, int size)
116556 {
116557 struct page *sp;
116558 slob_t *prev, *next, *b = (slob_t *)block;
116559@@ -359,12 +364,15 @@ static void slob_free(void *block, int size)
116560 if (slob_page_free(sp))
116561 clear_slob_page_free(sp);
116562 spin_unlock_irqrestore(&slob_lock, flags);
116563- __ClearPageSlab(sp);
116564- page_mapcount_reset(sp);
116565- slob_free_pages(b, 0);
116566+ slob_free_pages(sp, 0);
116567 return;
116568 }
116569
116570+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116571+ if (pax_sanitize_slab && !(c && (c->flags & SLAB_NO_SANITIZE)))
116572+ memset(block, PAX_MEMORY_SANITIZE_VALUE, size);
116573+#endif
116574+
116575 if (!slob_page_free(sp)) {
116576 /* This slob page is about to become partially free. Easy! */
116577 sp->units = units;
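Review bot: The sanitizing `memset()` sits after the branch that hands a completely free page back through slob_free_pages() and returns, so the block whose release empties the page is never filled here. That is fine only if the page allocator clears the page on free under CONFIG_PAX_MEMORY_SANITIZE, which is not visible in this file's hunks. A comment on the early return should record the dependency, e.g. `/* page goes back to the page allocator, which sanitizes it */`. `pax_sanitize_slab` is also tested as a boolean, so fast and full behave identically on this path. slob_free() begins and ends outside the hunk.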
116578@@ -424,11 +432,10 @@ out:
116579 */
116580
116581 static __always_inline void *
116582-__do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
116583+__do_kmalloc_node_align(size_t size, gfp_t gfp, int node, unsigned long caller, int align)
116584 {
116585- unsigned int *m;
116586- int align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116587- void *ret;
116588+ slob_t *m;
116589+ void *ret = NULL;
116590
116591 gfp &= gfp_allowed_mask;
116592
116593@@ -442,27 +449,45 @@ __do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
116594
116595 if (!m)
116596 return NULL;
116597- *m = size;
116598+ BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
116599+ BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
116600+ m[0].units = size;
116601+ m[1].units = align;
116602 ret = (void *)m + align;
116603
116604 trace_kmalloc_node(caller, ret,
116605 size, size + align, gfp, node);
116606 } else {
116607 unsigned int order = get_order(size);
116608+ struct page *page;
116609
116610 if (likely(order))
116611 gfp |= __GFP_COMP;
116612- ret = slob_new_pages(gfp, order, node);
116613+ page = slob_new_pages(gfp, order, node);
116614+ if (page) {
116615+ ret = page_address(page);
116616+ page->private = size;
116617+ }
116618
116619 trace_kmalloc_node(caller, ret,
116620 size, PAGE_SIZE << order, gfp, node);
116621 }
116622
116623- kmemleak_alloc(ret, size, 1, gfp);
116624 return ret;
116625 }
116626
116627-void *__kmalloc(size_t size, gfp_t gfp)
116628+static __always_inline void *
116629+__do_kmalloc_node(size_t size, gfp_t gfp, int node, unsigned long caller)
116630+{
116631+ int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116632+ void *ret = __do_kmalloc_node_align(size, gfp, node, caller, align);
116633+
116634+ if (!ZERO_OR_NULL_PTR(ret))
116635+ kmemleak_alloc(ret, size, 1, gfp);
116636+ return ret;
116637+}
116638+
116639+void * __size_overflow(1) __kmalloc(size_t size, gfp_t gfp)
116640 {
116641 return __do_kmalloc_node(size, gfp, NUMA_NO_NODE, _RET_IP_);
116642 }
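Review bot: The two `BUILD_BUG_ON`s guarantee room for the `m[0]`/`m[1]` header only for the architecture minimums, not for the `align` argument that `ret = (void *)m + align` actually uses. The one caller shown passes `max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN)`, but any other caller of __do_kmalloc_node_align() with a smaller value would make the header overlap the returned object. A runtime guard such as `BUG_ON(align < 2 * SLOB_UNIT);` before the header is written would be prudent. Relatedly, kfree() in the following hunk recomputes the default alignment instead of reading back `m[1].units`, so it assumes that no object allocated with a different `align` ever reaches it; that assumption should be stated next to the header layout.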
116643@@ -491,34 +516,123 @@ void kfree(const void *block)
116644 return;
116645 kmemleak_free(block);
116646
116647+ VM_BUG_ON(!virt_addr_valid(block));
116648 sp = virt_to_page(block);
116649- if (PageSlab(sp)) {
116650+ VM_BUG_ON(!PageSlab(sp));
116651+ if (!sp->private) {
116652 int align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116653- unsigned int *m = (unsigned int *)(block - align);
116654- slob_free(m, *m + align);
116655- } else
116656+ slob_t *m = (slob_t *)(block - align);
116657+ slob_free(NULL, m, m[0].units + align);
116658+ } else {
116659+ __ClearPageSlab(sp);
116660+ page_mapcount_reset(sp);
116661+ sp->private = 0;
116662 __free_pages(sp, compound_order(sp));
116663+ }
116664 }
116665 EXPORT_SYMBOL(kfree);
116666
116667+bool is_usercopy_object(const void *ptr)
116668+{
116669+ if (!slab_is_available())
116670+ return false;
116671+
116672+ if (is_vmalloc_addr(ptr)
116673+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
116674+ && !object_starts_on_stack(ptr)
116675+#endif
116676+ ) {
116677+ struct vm_struct *vm = find_vm_area(ptr);
116678+ if (vm && (vm->flags & VM_USERCOPY))
116679+ return true;
116680+ return false;
116681+ }
116682+
116683+ // PAX: TODO
116684+
116685+ return false;
116686+}
116687+
116688+#ifdef CONFIG_PAX_USERCOPY
116689+const char *check_heap_object(const void *ptr, unsigned long n)
116690+{
116691+ struct page *page;
116692+ const slob_t *free;
116693+ const void *base;
116694+ unsigned long flags;
116695+
116696+ if (ZERO_OR_NULL_PTR(ptr))
116697+ return "<null>";
116698+
116699+ if (!virt_addr_valid(ptr))
116700+ return NULL;
116701+
116702+ page = virt_to_head_page(ptr);
116703+ if (!PageSlab(page))
116704+ return NULL;
116705+
116706+ if (page->private) {
116707+ base = page;
116708+ if (base <= ptr && n <= page->private - (ptr - base))
116709+ return NULL;
116710+ return "<slob>";
116711+ }
116712+
116713+ /* some tricky double walking to find the chunk */
116714+ spin_lock_irqsave(&slob_lock, flags);
116715+ base = (void *)((unsigned long)ptr & PAGE_MASK);
116716+ free = page->freelist;
116717+
116718+ while (!slob_last(free) && (void *)free <= ptr) {
116719+ base = free + slob_units(free);
116720+ free = slob_next(free);
116721+ }
116722+
116723+ while (base < (void *)free) {
116724+ slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
116725+ int size = SLOB_UNIT * SLOB_UNITS(m + align);
116726+ int offset;
116727+
116728+ if (ptr < base + align)
116729+ break;
116730+
116731+ offset = ptr - base - align;
116732+ if (offset >= m) {
116733+ base += size;
116734+ continue;
116735+ }
116736+
116737+ if (n > m - offset)
116738+ break;
116739+
116740+ spin_unlock_irqrestore(&slob_lock, flags);
116741+ return NULL;
116742+ }
116743+
116744+ spin_unlock_irqrestore(&slob_lock, flags);
116745+ return "<slob>";
116746+}
116747+#endif
116748+
116749 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
116750 size_t ksize(const void *block)
116751 {
116752 struct page *sp;
116753 int align;
116754- unsigned int *m;
116755+ slob_t *m;
116756
116757 BUG_ON(!block);
116758 if (unlikely(block == ZERO_SIZE_PTR))
116759 return 0;
116760
116761 sp = virt_to_page(block);
116762- if (unlikely(!PageSlab(sp)))
116763- return PAGE_SIZE << compound_order(sp);
116764+ VM_BUG_ON(!PageSlab(sp));
116765+ if (sp->private)
116766+ return sp->private;
116767
116768 align = max_t(size_t, ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
116769- m = (unsigned int *)(block - align);
116770- return SLOB_UNITS(*m) * SLOB_UNIT;
116771+ m = (slob_t *)(block - align);
116772+ return SLOB_UNITS(m[0].units) * SLOB_UNIT;
116773 }
116774 EXPORT_SYMBOL(ksize);
116775
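Review bot: In the SLOB check_heap_object(), the page-level branch sets `base = page;`, which is the `struct page` pointer rather than the address of the allocation. The test `base <= ptr && n <= page->private - (ptr - base)` therefore mixes a descriptor address with a data address. Depending on how the two addresses compare, the copy is either always refused or the unsigned subtraction wraps and any length passes, so the bound does not describe the object. The allocation path stores `page_address(page)` as the returned pointer, so this should presumably read `base = page_address(page);`.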
116776@@ -534,23 +648,33 @@ int __kmem_cache_create(struct kmem_cache *c, unsigned long flags)
116777
116778 static void *slob_alloc_node(struct kmem_cache *c, gfp_t flags, int node)
116779 {
116780- void *b;
116781+ void *b = NULL;
116782
116783 flags &= gfp_allowed_mask;
116784
116785 lockdep_trace_alloc(flags);
116786
116787+#ifdef CONFIG_PAX_USERCOPY_SLABS
116788+ b = __do_kmalloc_node_align(c->size, flags, node, _RET_IP_, c->align);
116789+#else
116790 if (c->size < PAGE_SIZE) {
116791 b = slob_alloc(c->size, flags, c->align, node);
116792 trace_kmem_cache_alloc_node(_RET_IP_, b, c->object_size,
116793 SLOB_UNITS(c->size) * SLOB_UNIT,
116794 flags, node);
116795 } else {
116796- b = slob_new_pages(flags, get_order(c->size), node);
116797+ struct page *sp;
116798+
116799+ sp = slob_new_pages(flags, get_order(c->size), node);
116800+ if (sp) {
116801+ b = page_address(sp);
116802+ sp->private = c->size;
116803+ }
116804 trace_kmem_cache_alloc_node(_RET_IP_, b, c->object_size,
116805 PAGE_SIZE << get_order(c->size),
116806 flags, node);
116807 }
116808+#endif
116809
116810 if (b && c->ctor)
116811 c->ctor(b);
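Review bot: The `#ifdef CONFIG_PAX_USERCOPY_SLABS` branch in slob_alloc_node has no comment explaining that cache objects are then allocated through `__do_kmalloc_node_align()` instead of `slob_alloc()`. That is what obliges kmem_cache_free() (a later hunk) to step back by `c->align` before freeing, so the two sites have to stay in sync. I would add above the `#ifdef` something like `/* USERCOPY_SLABS: objects carry the kmalloc size/align header; kmem_cache_free() undoes the c->align offset */`. The function body continues past the end of this hunk.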
116812@@ -566,7 +690,7 @@ void *kmem_cache_alloc(struct kmem_cache *cachep, gfp_t flags)
116813 EXPORT_SYMBOL(kmem_cache_alloc);
116814
116815 #ifdef CONFIG_NUMA
116816-void *__kmalloc_node(size_t size, gfp_t gfp, int node)
116817+void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t gfp, int node)
116818 {
116819 return __do_kmalloc_node(size, gfp, node, _RET_IP_);
116820 }
116821@@ -579,12 +703,16 @@ void *kmem_cache_alloc_node(struct kmem_cache *cachep, gfp_t gfp, int node)
116822 EXPORT_SYMBOL(kmem_cache_alloc_node);
116823 #endif
116824
116825-static void __kmem_cache_free(void *b, int size)
116826+static void __kmem_cache_free(struct kmem_cache *c, void *b, int size)
116827 {
116828- if (size < PAGE_SIZE)
116829- slob_free(b, size);
116830+ struct page *sp;
116831+
116832+ sp = virt_to_page(b);
116833+ BUG_ON(!PageSlab(sp));
116834+ if (!sp->private)
116835+ slob_free(c, b, size);
116836 else
116837- slob_free_pages(b, get_order(size));
116838+ slob_free_pages(sp, get_order(size));
116839 }
116840
116841 static void kmem_rcu_free(struct rcu_head *head)
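Review bot: __kmem_cache_free checks the page with `BUG_ON(!PageSlab(sp))`, while kfree and ksize in the earlier hunk assert the same invariant with `VM_BUG_ON(...)`, which is compiled out unless CONFIG_DEBUG_VM is enabled. In kfree that assertion replaced the old `if (PageSlab(sp))` branch, so on non-debug builds nothing tests the flag before `sp->private` decides which free path runs. If the check is meant as hardening it should be `BUG_ON` in all three places; if it is only a debugging aid, use `VM_BUG_ON` here as well.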
116842@@ -592,22 +720,36 @@ static void kmem_rcu_free(struct rcu_head *head)
116843 struct slob_rcu *slob_rcu = (struct slob_rcu *)head;
116844 void *b = (void *)slob_rcu - (slob_rcu->size - sizeof(struct slob_rcu));
116845
116846- __kmem_cache_free(b, slob_rcu->size);
116847+ __kmem_cache_free(NULL, b, slob_rcu->size);
116848 }
116849
116850 void kmem_cache_free(struct kmem_cache *c, void *b)
116851 {
116852+ int size = c->size;
116853+
116854+#ifdef CONFIG_PAX_USERCOPY_SLABS
116855+ if (size + c->align < PAGE_SIZE) {
116856+ size += c->align;
116857+ b -= c->align;
116858+ }
116859+#endif
116860+
116861 kmemleak_free_recursive(b, c->flags);
116862 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
116863 struct slob_rcu *slob_rcu;
116864- slob_rcu = b + (c->size - sizeof(struct slob_rcu));
116865- slob_rcu->size = c->size;
116866+ slob_rcu = b + (size - sizeof(struct slob_rcu));
116867+ slob_rcu->size = size;
116868 call_rcu(&slob_rcu->head, kmem_rcu_free);
116869 } else {
116870- __kmem_cache_free(b, c->size);
116871+ __kmem_cache_free(c, b, size);
116872 }
116873
116874+#ifdef CONFIG_PAX_USERCOPY_SLABS
116875+ trace_kfree(_RET_IP_, b);
116876+#else
116877 trace_kmem_cache_free(_RET_IP_, b);
116878+#endif
116879+
116880 }
116881 EXPORT_SYMBOL(kmem_cache_free);
116882
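Review bot: Under CONFIG_PAX_USERCOPY_SLABS, `b` is stepped back by `c->align` before `kmemleak_free_recursive(b, ...)` and `trace_kfree(_RET_IP_, b)`, so both see the chunk header address instead of the pointer the caller was given. The allocation side traces `ret`, the address after the header (`ret = (void *)m + align` in __do_kmalloc_node_align), so alloc and free events for one object will not carry the same address. kmemleak is presumably registered with the caller's pointer as well, though that call is outside this chunk. Keeping the original pointer, e.g. `void *obj = b;` before the adjustment, and passing `obj` to the kmemleak and trace calls would keep the two sides consistent.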
116883diff --git a/mm/slub.c b/mm/slub.c
116884index f68c0e5..eb77178 100644
116885--- a/mm/slub.c
116886+++ b/mm/slub.c
116887@@ -34,6 +34,7 @@
116888 #include <linux/stacktrace.h>
116889 #include <linux/prefetch.h>
116890 #include <linux/memcontrol.h>
116891+#include <linux/vmalloc.h>
116892
116893 #include <trace/events/kmem.h>
116894
116895@@ -198,7 +199,7 @@ struct track {
116896
116897 enum track_item { TRACK_ALLOC, TRACK_FREE };
116898
116899-#ifdef CONFIG_SYSFS
116900+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
116901 static int sysfs_slab_add(struct kmem_cache *);
116902 static int sysfs_slab_alias(struct kmem_cache *, const char *);
116903 static void memcg_propagate_slab_attrs(struct kmem_cache *s);
116904@@ -556,7 +557,7 @@ static void print_track(const char *s, struct track *t)
116905 if (!t->addr)
116906 return;
116907
116908- pr_err("INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
116909+ pr_err("INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
116910 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
116911 #ifdef CONFIG_STACKTRACE
116912 {
116913@@ -2707,6 +2708,14 @@ static __always_inline void slab_free(struct kmem_cache *s,
116914
116915 slab_free_hook(s, x);
116916
116917+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116918+ if (!(s->flags & SLAB_NO_SANITIZE)) {
116919+ memset(x, PAX_MEMORY_SANITIZE_VALUE, s->object_size);
116920+ if (s->ctor)
116921+ s->ctor(x);
116922+ }
116923+#endif
116924+
116925 redo:
116926 /*
116927 * Determine the currently cpus per cpu slab.
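Review bot: The sanitize block in slab_free overwrites the object with `memset()` and re-runs `s->ctor` for every cache that lacks `SLAB_NO_SANITIZE`, but nothing in the hunk says which caches must carry that flag. Caches created with `SLAB_DESTROY_BY_RCU` allow readers to touch an object after it has been freed, so they presumably need to be excluded; whether that happens where the cache is created cannot be seen here. I would add a comment above the `#ifdef` such as `/* caches whose objects may be read after free (e.g. SLAB_DESTROY_BY_RCU) must set SLAB_NO_SANITIZE */`. slab_free starts before and continues after this hunk.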
116928@@ -3048,6 +3057,9 @@ static int calculate_sizes(struct kmem_cache *s, int forced_order)
116929 s->inuse = size;
116930
116931 if (((flags & (SLAB_DESTROY_BY_RCU | SLAB_POISON)) ||
116932+#ifdef CONFIG_PAX_MEMORY_SANITIZE
116933+ (!(flags & SLAB_NO_SANITIZE)) ||
116934+#endif
116935 s->ctor)) {
116936 /*
116937 * Relocate free pointer after the object if it is not
116938@@ -3302,7 +3314,7 @@ static int __init setup_slub_min_objects(char *str)
116939
116940 __setup("slub_min_objects=", setup_slub_min_objects);
116941
116942-void *__kmalloc(size_t size, gfp_t flags)
116943+void * __size_overflow(1) __kmalloc(size_t size, gfp_t flags)
116944 {
116945 struct kmem_cache *s;
116946 void *ret;
116947@@ -3340,7 +3352,7 @@ static void *kmalloc_large_node(size_t size, gfp_t flags, int node)
116948 return ptr;
116949 }
116950
116951-void *__kmalloc_node(size_t size, gfp_t flags, int node)
116952+void * __size_overflow(1) __kmalloc_node(size_t size, gfp_t flags, int node)
116953 {
116954 struct kmem_cache *s;
116955 void *ret;
116956@@ -3388,6 +3400,70 @@ static size_t __ksize(const void *object)
116957 return slab_ksize(page->slab_cache);
116958 }
116959
116960+bool is_usercopy_object(const void *ptr)
116961+{
116962+ struct page *page;
116963+ struct kmem_cache *s;
116964+
116965+ if (ZERO_OR_NULL_PTR(ptr))
116966+ return false;
116967+
116968+ if (!slab_is_available())
116969+ return false;
116970+
116971+ if (is_vmalloc_addr(ptr)
116972+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
116973+ && !object_starts_on_stack(ptr)
116974+#endif
116975+ ) {
116976+ struct vm_struct *vm = find_vm_area(ptr);
116977+ if (vm && (vm->flags & VM_USERCOPY))
116978+ return true;
116979+ return false;
116980+ }
116981+
116982+ if (!virt_addr_valid(ptr))
116983+ return false;
116984+
116985+ page = virt_to_head_page(ptr);
116986+
116987+ if (!PageSlab(page))
116988+ return false;
116989+
116990+ s = page->slab_cache;
116991+ return s->flags & SLAB_USERCOPY;
116992+}
116993+
116994+#ifdef CONFIG_PAX_USERCOPY
116995+const char *check_heap_object(const void *ptr, unsigned long n)
116996+{
116997+ struct page *page;
116998+ struct kmem_cache *s;
116999+ unsigned long offset;
117000+
117001+ if (ZERO_OR_NULL_PTR(ptr))
117002+ return "<null>";
117003+
117004+ if (!virt_addr_valid(ptr))
117005+ return NULL;
117006+
117007+ page = virt_to_head_page(ptr);
117008+
117009+ if (!PageSlab(page))
117010+ return NULL;
117011+
117012+ s = page->slab_cache;
117013+ if (!(s->flags & SLAB_USERCOPY))
117014+ return s->name;
117015+
117016+ offset = (ptr - page_address(page)) % s->size;
117017+ if (offset <= s->object_size && n <= s->object_size - offset)
117018+ return NULL;
117019+
117020+ return s->name;
117021+}
117022+#endif
117023+
117024 size_t ksize(const void *object)
117025 {
117026 size_t size = __ksize(object);
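Review bot: check_heap_object() returns NULL for "acceptable" and a string for "reject", and that convention is not documented anywhere in the hunk. From the code, NULL is returned for an invalid address, for a page that is not PageSlab, and for a range that lies inside one object of a `SLAB_USERCOPY` cache. Otherwise the cache name (or `"<null>"`) comes back, presumably for the caller to report. I would add a kernel-doc comment stating exactly that, and noting that non-slab pages are not bounds-checked here, which from the kfree hunk that follows appears to include large compound allocations.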
117027@@ -3408,6 +3484,7 @@ void kfree(const void *x)
117028 if (unlikely(ZERO_OR_NULL_PTR(x)))
117029 return;
117030
117031+ VM_BUG_ON(!virt_addr_valid(x));
117032 page = virt_to_head_page(x);
117033 if (unlikely(!PageSlab(page))) {
117034 BUG_ON(!PageCompound(page));
117035@@ -3725,7 +3802,7 @@ __kmem_cache_alias(const char *name, size_t size, size_t align,
117036
117037 s = find_mergeable(size, align, flags, name, ctor);
117038 if (s) {
117039- s->refcount++;
117040+ atomic_inc(&s->refcount);
117041
117042 /*
117043 * Adjust the object sizes so that we clear
117044@@ -3741,7 +3818,7 @@ __kmem_cache_alias(const char *name, size_t size, size_t align,
117045 }
117046
117047 if (sysfs_slab_alias(s, name)) {
117048- s->refcount--;
117049+ atomic_dec(&s->refcount);
117050 s = NULL;
117051 }
117052 }
117053@@ -3858,7 +3935,7 @@ void *__kmalloc_node_track_caller(size_t size, gfp_t gfpflags,
117054 }
117055 #endif
117056
117057-#ifdef CONFIG_SYSFS
117058+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
117059 static int count_inuse(struct page *page)
117060 {
117061 return page->inuse;
117062@@ -4139,7 +4216,11 @@ static int list_locations(struct kmem_cache *s, char *buf,
117063 len += sprintf(buf + len, "%7ld ", l->count);
117064
117065 if (l->addr)
117066+#ifdef CONFIG_GRKERNSEC_HIDESYM
117067+ len += sprintf(buf + len, "%pS", NULL);
117068+#else
117069 len += sprintf(buf + len, "%pS", (void *)l->addr);
117070+#endif
117071 else
117072 len += sprintf(buf + len, "<not-available>");
117073
117074@@ -4237,12 +4318,12 @@ static void __init resiliency_test(void)
117075 validate_slab_cache(kmalloc_caches[9]);
117076 }
117077 #else
117078-#ifdef CONFIG_SYSFS
117079+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
117080 static void resiliency_test(void) {};
117081 #endif
117082 #endif
117083
117084-#ifdef CONFIG_SYSFS
117085+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
117086 enum slab_stat_type {
117087 SL_ALL, /* All slabs */
117088 SL_PARTIAL, /* Only partially allocated slabs */
117089@@ -4479,13 +4560,17 @@ static ssize_t ctor_show(struct kmem_cache *s, char *buf)
117090 {
117091 if (!s->ctor)
117092 return 0;
117093+#ifdef CONFIG_GRKERNSEC_HIDESYM
117094+ return sprintf(buf, "%pS\n", NULL);
117095+#else
117096 return sprintf(buf, "%pS\n", s->ctor);
117097+#endif
117098 }
117099 SLAB_ATTR_RO(ctor);
117100
117101 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
117102 {
117103- return sprintf(buf, "%d\n", s->refcount < 0 ? 0 : s->refcount - 1);
117104+ return sprintf(buf, "%d\n", atomic_read(&s->refcount) < 0 ? 0 : atomic_read(&s->refcount) - 1);
117105 }
117106 SLAB_ATTR_RO(aliases);
117107
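Review bot: aliases_show now calls `atomic_read(&s->refcount)` twice in one expression, so the value tested against 0 and the value printed can differ if the count changes in between. Reading it once, `int refs = atomic_read(&s->refcount);` followed by `return sprintf(buf, "%d\n", refs < 0 ? 0 : refs - 1);`, keeps the check and the output consistent and shortens the line.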
117108@@ -4573,6 +4658,22 @@ static ssize_t cache_dma_show(struct kmem_cache *s, char *buf)
117109 SLAB_ATTR_RO(cache_dma);
117110 #endif
117111
117112+#ifdef CONFIG_PAX_USERCOPY_SLABS
117113+static ssize_t usercopy_show(struct kmem_cache *s, char *buf)
117114+{
117115+ return sprintf(buf, "%d\n", !!(s->flags & SLAB_USERCOPY));
117116+}
117117+SLAB_ATTR_RO(usercopy);
117118+#endif
117119+
117120+#ifdef CONFIG_PAX_MEMORY_SANITIZE
117121+static ssize_t sanitize_show(struct kmem_cache *s, char *buf)
117122+{
117123+ return sprintf(buf, "%d\n", !(s->flags & SLAB_NO_SANITIZE));
117124+}
117125+SLAB_ATTR_RO(sanitize);
117126+#endif
117127+
117128 static ssize_t destroy_by_rcu_show(struct kmem_cache *s, char *buf)
117129 {
117130 return sprintf(buf, "%d\n", !!(s->flags & SLAB_DESTROY_BY_RCU));
117131@@ -4628,7 +4729,7 @@ static ssize_t trace_store(struct kmem_cache *s, const char *buf,
117132 * as well as cause other issues like converting a mergeable
117133 * cache into an umergeable one.
117134 */
117135- if (s->refcount > 1)
117136+ if (atomic_read(&s->refcount) > 1)
117137 return -EINVAL;
117138
117139 s->flags &= ~SLAB_TRACE;
117140@@ -4748,7 +4849,7 @@ static ssize_t failslab_show(struct kmem_cache *s, char *buf)
117141 static ssize_t failslab_store(struct kmem_cache *s, const char *buf,
117142 size_t length)
117143 {
117144- if (s->refcount > 1)
117145+ if (atomic_read(&s->refcount) > 1)
117146 return -EINVAL;
117147
117148 s->flags &= ~SLAB_FAILSLAB;
117149@@ -4915,6 +5016,12 @@ static struct attribute *slab_attrs[] = {
117150 #ifdef CONFIG_ZONE_DMA
117151 &cache_dma_attr.attr,
117152 #endif
117153+#ifdef CONFIG_PAX_USERCOPY_SLABS
117154+ &usercopy_attr.attr,
117155+#endif
117156+#ifdef CONFIG_PAX_MEMORY_SANITIZE
117157+ &sanitize_attr.attr,
117158+#endif
117159 #ifdef CONFIG_NUMA
117160 &remote_node_defrag_ratio_attr.attr,
117161 #endif
117162@@ -5156,6 +5263,7 @@ static char *create_unique_id(struct kmem_cache *s)
117163 return name;
117164 }
117165
117166+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
117167 static int sysfs_slab_add(struct kmem_cache *s)
117168 {
117169 int err;
117170@@ -5229,6 +5337,7 @@ void sysfs_slab_remove(struct kmem_cache *s)
117171 kobject_del(&s->kobj);
117172 kobject_put(&s->kobj);
117173 }
117174+#endif
117175
117176 /*
117177 * Need to buffer aliases during bootup until sysfs becomes
117178@@ -5242,6 +5351,7 @@ struct saved_alias {
117179
117180 static struct saved_alias *alias_list;
117181
117182+#if defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_PROC_ADD)
117183 static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
117184 {
117185 struct saved_alias *al;
117186@@ -5264,6 +5374,7 @@ static int sysfs_slab_alias(struct kmem_cache *s, const char *name)
117187 alias_list = al;
117188 return 0;
117189 }
117190+#endif
117191
117192 static int __init slab_sysfs_init(void)
117193 {
117194diff --git a/mm/sparse-vmemmap.c b/mm/sparse-vmemmap.c
117195index 4cba9c2..b4f9fcc 100644
117196--- a/mm/sparse-vmemmap.c
117197+++ b/mm/sparse-vmemmap.c
117198@@ -131,7 +131,7 @@ pud_t * __meminit vmemmap_pud_populate(pgd_t *pgd, unsigned long addr, int node)
117199 void *p = vmemmap_alloc_block(PAGE_SIZE, node);
117200 if (!p)
117201 return NULL;
117202- pud_populate(&init_mm, pud, p);
117203+ pud_populate_kernel(&init_mm, pud, p);
117204 }
117205 return pud;
117206 }
117207@@ -143,7 +143,7 @@ pgd_t * __meminit vmemmap_pgd_populate(unsigned long addr, int node)
117208 void *p = vmemmap_alloc_block(PAGE_SIZE, node);
117209 if (!p)
117210 return NULL;
117211- pgd_populate(&init_mm, pgd, p);
117212+ pgd_populate_kernel(&init_mm, pgd, p);
117213 }
117214 return pgd;
117215 }
117216diff --git a/mm/sparse.c b/mm/sparse.c
117217index d1b48b6..6e8590e 100644
117218--- a/mm/sparse.c
117219+++ b/mm/sparse.c
117220@@ -750,7 +750,7 @@ static void clear_hwpoisoned_pages(struct page *memmap, int nr_pages)
117221
117222 for (i = 0; i < PAGES_PER_SECTION; i++) {
117223 if (PageHWPoison(&memmap[i])) {
117224- atomic_long_sub(1, &num_poisoned_pages);
117225+ atomic_long_sub_unchecked(1, &num_poisoned_pages);
117226 ClearPageHWPoison(&memmap[i]);
117227 }
117228 }
117229diff --git a/mm/swap.c b/mm/swap.c
117230index a3a0a2f..915d436 100644
117231--- a/mm/swap.c
117232+++ b/mm/swap.c
117233@@ -85,6 +85,8 @@ static void __put_compound_page(struct page *page)
117234 if (!PageHuge(page))
117235 __page_cache_release(page);
117236 dtor = get_compound_page_dtor(page);
117237+ if (!PageHuge(page))
117238+ BUG_ON(dtor != free_compound_page);
117239 (*dtor)(page);
117240 }
117241
117242diff --git a/mm/swapfile.c b/mm/swapfile.c
117243index 41e4581..6c452c9 100644
117244--- a/mm/swapfile.c
117245+++ b/mm/swapfile.c
117246@@ -84,7 +84,7 @@ static DEFINE_MUTEX(swapon_mutex);
117247
117248 static DECLARE_WAIT_QUEUE_HEAD(proc_poll_wait);
117249 /* Activity counter to indicate that a swapon or swapoff has occurred */
117250-static atomic_t proc_poll_event = ATOMIC_INIT(0);
117251+static atomic_unchecked_t proc_poll_event = ATOMIC_INIT(0);
117252
117253 static inline unsigned char swap_count(unsigned char ent)
117254 {
117255@@ -1944,7 +1944,7 @@ SYSCALL_DEFINE1(swapoff, const char __user *, specialfile)
117256 spin_unlock(&swap_lock);
117257
117258 err = 0;
117259- atomic_inc(&proc_poll_event);
117260+ atomic_inc_unchecked(&proc_poll_event);
117261 wake_up_interruptible(&proc_poll_wait);
117262
117263 out_dput:
117264@@ -1961,8 +1961,8 @@ static unsigned swaps_poll(struct file *file, poll_table *wait)
117265
117266 poll_wait(file, &proc_poll_wait, wait);
117267
117268- if (seq->poll_event != atomic_read(&proc_poll_event)) {
117269- seq->poll_event = atomic_read(&proc_poll_event);
117270+ if (seq->poll_event != atomic_read_unchecked(&proc_poll_event)) {
117271+ seq->poll_event = atomic_read_unchecked(&proc_poll_event);
117272 return POLLIN | POLLRDNORM | POLLERR | POLLPRI;
117273 }
117274
117275@@ -2060,7 +2060,7 @@ static int swaps_open(struct inode *inode, struct file *file)
117276 return ret;
117277
117278 seq = file->private_data;
117279- seq->poll_event = atomic_read(&proc_poll_event);
117280+ seq->poll_event = atomic_read_unchecked(&proc_poll_event);
117281 return 0;
117282 }
117283
117284@@ -2520,7 +2520,7 @@ SYSCALL_DEFINE2(swapon, const char __user *, specialfile, int, swap_flags)
117285 (frontswap_map) ? "FS" : "");
117286
117287 mutex_unlock(&swapon_mutex);
117288- atomic_inc(&proc_poll_event);
117289+ atomic_inc_unchecked(&proc_poll_event);
117290 wake_up_interruptible(&proc_poll_wait);
117291
117292 if (S_ISREG(inode->i_mode))
117293diff --git a/mm/util.c b/mm/util.c
117294index 68ff8a5..40c7a70 100644
117295--- a/mm/util.c
117296+++ b/mm/util.c
117297@@ -233,6 +233,12 @@ struct task_struct *task_of_stack(struct task_struct *task,
117298 void arch_pick_mmap_layout(struct mm_struct *mm)
117299 {
117300 mm->mmap_base = TASK_UNMAPPED_BASE;
117301+
117302+#ifdef CONFIG_PAX_RANDMMAP
117303+ if (mm->pax_flags & MF_PAX_RANDMMAP)
117304+ mm->mmap_base += mm->delta_mmap;
117305+#endif
117306+
117307 mm->get_unmapped_area = arch_get_unmapped_area;
117308 }
117309 #endif
117310@@ -434,6 +440,9 @@ int get_cmdline(struct task_struct *task, char *buffer, int buflen)
117311 if (!mm->arg_end)
117312 goto out_mm; /* Shh! No looking before we're done */
117313
117314+ if (gr_acl_handle_procpidmem(task))
117315+ goto out_mm;
117316+
117317 len = mm->arg_end - mm->arg_start;
117318
117319 if (len > buflen)
117320diff --git a/mm/vmalloc.c b/mm/vmalloc.c
117321index 2faaa29..7ac7a6d 100644
117322--- a/mm/vmalloc.c
117323+++ b/mm/vmalloc.c
117324@@ -40,20 +40,65 @@ struct vfree_deferred {
117325 struct work_struct wq;
117326 };
117327 static DEFINE_PER_CPU(struct vfree_deferred, vfree_deferred);
117328+static DEFINE_PER_CPU(struct vfree_deferred, vunmap_deferred);
117329+
117330+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
117331+struct stack_deferred_llist {
117332+ struct llist_head list;
117333+ void *stack;
117334+ void *lowmem_stack;
117335+};
117336+
117337+struct stack_deferred {
117338+ struct stack_deferred_llist list;
117339+ struct work_struct wq;
117340+};
117341+
117342+static DEFINE_PER_CPU(struct stack_deferred, stack_deferred);
117343+#endif
117344
117345 static void __vunmap(const void *, int);
117346
117347-static void free_work(struct work_struct *w)
117348+static void vfree_work(struct work_struct *w)
117349 {
117350 struct vfree_deferred *p = container_of(w, struct vfree_deferred, wq);
117351 struct llist_node *llnode = llist_del_all(&p->list);
117352 while (llnode) {
117353- void *p = llnode;
117354+ void *x = llnode;
117355 llnode = llist_next(llnode);
117356- __vunmap(p, 1);
117357+ __vunmap(x, 1);
117358 }
117359 }
117360
117361+static void vunmap_work(struct work_struct *w)
117362+{
117363+ struct vfree_deferred *p = container_of(w, struct vfree_deferred, wq);
117364+ struct llist_node *llnode = llist_del_all(&p->list);
117365+ while (llnode) {
117366+ void *x = llnode;
117367+ llnode = llist_next(llnode);
117368+ __vunmap(x, 0);
117369+ }
117370+}
117371+
117372+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
117373+static void unmap_work(struct work_struct *w)
117374+{
117375+ struct stack_deferred *p = container_of(w, struct stack_deferred, wq);
117376+ struct llist_node *llnode = llist_del_all(&p->list.list);
117377+ while (llnode) {
117378+ struct stack_deferred_llist *x =
117379+ llist_entry((struct llist_head *)llnode,
117380+ struct stack_deferred_llist, list);
117381+ void *stack = ACCESS_ONCE(x->stack);
117382+ void *lowmem_stack = ACCESS_ONCE(x->lowmem_stack);
117383+ llnode = llist_next(llnode);
117384+ __vunmap(stack, 0);
117385+ free_kmem_pages((unsigned long)lowmem_stack, THREAD_SIZE_ORDER);
117386+ }
117387+}
117388+#endif
117389+
117390 /*** Page table manipulation functions ***/
117391
117392 static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
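Review bot: `struct stack_deferred_llist` declares its link as `struct llist_head list`, but the same struct serves both as the per-CPU list head (`p->list.list` in unmap_work) and as the queued node, with casts to and from `struct llist_node` (`llist_entry((struct llist_head *)llnode, ...)` here, `llist_add((struct llist_node *)&list->list, ...)` in unmap_process_stacks). The casts defeat the type checking `llist_entry()` would otherwise give and depend on the two types having the same layout. Declaring a separate node type with a `struct llist_node` member, or at least commenting the dual use on the struct, would make this safer to change. vunmap_work is also a copy of vfree_work that differs only in the second argument to `__vunmap()`.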
117393@@ -61,10 +106,23 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
117394 pte_t *pte;
117395
117396 pte = pte_offset_kernel(pmd, addr);
117397+ pax_open_kernel();
117398 do {
117399- pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
117400- WARN_ON(!pte_none(ptent) && !pte_present(ptent));
117401+
117402+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
117403+ if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
117404+ BUG_ON(!pte_exec(*pte));
117405+ set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
117406+ continue;
117407+ }
117408+#endif
117409+
117410+ {
117411+ pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
117412+ WARN_ON(!pte_none(ptent) && !pte_present(ptent));
117413+ }
117414 } while (pte++, addr += PAGE_SIZE, addr != end);
117415+ pax_close_kernel();
117416 }
117417
117418 static void vunmap_pmd_range(pud_t *pud, unsigned long addr, unsigned long end)
117419@@ -127,16 +185,29 @@ static int vmap_pte_range(pmd_t *pmd, unsigned long addr,
117420 pte = pte_alloc_kernel(pmd, addr);
117421 if (!pte)
117422 return -ENOMEM;
117423+
117424+ pax_open_kernel();
117425 do {
117426 struct page *page = pages[*nr];
117427
117428- if (WARN_ON(!pte_none(*pte)))
117429+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
117430+ if (pgprot_val(prot) & _PAGE_NX)
117431+#endif
117432+
117433+ if (!pte_none(*pte)) {
117434+ pax_close_kernel();
117435+ WARN_ON(1);
117436 return -EBUSY;
117437- if (WARN_ON(!page))
117438+ }
117439+ if (!page) {
117440+ pax_close_kernel();
117441+ WARN_ON(1);
117442 return -ENOMEM;
117443+ }
117444 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
117445 (*nr)++;
117446 } while (pte++, addr += PAGE_SIZE, addr != end);
117447+ pax_close_kernel();
117448 return 0;
117449 }
117450
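Review bot: The added `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` block in vmap_pte_range leaves an unbraced `if (pgprot_val(prot) & _PAGE_NX)` whose body is the following `if (!pte_none(*pte)) { ... }`, separated from it by `#endif` and a blank line. Read quickly, the busy check looks unconditional; on that configuration it is skipped for executable mappings, and a later edit between the two lines would silently change what is guarded. The same dangling-`if` shape is used in the vmalloc_to_page hunk (`if (!pud_large(*pud))`, `if (!pmd_large(*pmd))`). I would make the condition explicit, for example a local `bool check_busy = true;` set to `pgprot_val(prot) & _PAGE_NX` inside the `#if` and tested as `if (check_busy && !pte_none(*pte))`. The function starts above this hunk.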
117451@@ -146,7 +217,7 @@ static int vmap_pmd_range(pud_t *pud, unsigned long addr,
117452 pmd_t *pmd;
117453 unsigned long next;
117454
117455- pmd = pmd_alloc(&init_mm, pud, addr);
117456+ pmd = pmd_alloc_kernel(&init_mm, pud, addr);
117457 if (!pmd)
117458 return -ENOMEM;
117459 do {
117460@@ -163,7 +234,7 @@ static int vmap_pud_range(pgd_t *pgd, unsigned long addr,
117461 pud_t *pud;
117462 unsigned long next;
117463
117464- pud = pud_alloc(&init_mm, pgd, addr);
117465+ pud = pud_alloc_kernel(&init_mm, pgd, addr);
117466 if (!pud)
117467 return -ENOMEM;
117468 do {
117469@@ -223,6 +294,12 @@ int is_vmalloc_or_module_addr(const void *x)
117470 if (addr >= MODULES_VADDR && addr < MODULES_END)
117471 return 1;
117472 #endif
117473+
117474+#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
117475+ if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
117476+ return 1;
117477+#endif
117478+
117479 return is_vmalloc_addr(x);
117480 }
117481
117482@@ -243,8 +320,14 @@ struct page *vmalloc_to_page(const void *vmalloc_addr)
117483
117484 if (!pgd_none(*pgd)) {
117485 pud_t *pud = pud_offset(pgd, addr);
117486+#ifdef CONFIG_X86
117487+ if (!pud_large(*pud))
117488+#endif
117489 if (!pud_none(*pud)) {
117490 pmd_t *pmd = pmd_offset(pud, addr);
117491+#ifdef CONFIG_X86
117492+ if (!pmd_large(*pmd))
117493+#endif
117494 if (!pmd_none(*pmd)) {
117495 pte_t *ptep, pte;
117496
117497@@ -346,7 +429,7 @@ static void purge_vmap_area_lazy(void);
117498 * Allocate a region of KVA of the specified size and alignment, within the
117499 * vstart and vend.
117500 */
117501-static struct vmap_area *alloc_vmap_area(unsigned long size,
117502+static struct vmap_area * __size_overflow(1) alloc_vmap_area(unsigned long size,
117503 unsigned long align,
117504 unsigned long vstart, unsigned long vend,
117505 int node, gfp_t gfp_mask)
117506@@ -1202,13 +1285,27 @@ void __init vmalloc_init(void)
117507 for_each_possible_cpu(i) {
117508 struct vmap_block_queue *vbq;
117509 struct vfree_deferred *p;
117510+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
117511+ struct stack_deferred *p2;
117512+#endif
117513
117514 vbq = &per_cpu(vmap_block_queue, i);
117515 spin_lock_init(&vbq->lock);
117516 INIT_LIST_HEAD(&vbq->free);
117517+
117518 p = &per_cpu(vfree_deferred, i);
117519 init_llist_head(&p->list);
117520- INIT_WORK(&p->wq, free_work);
117521+ INIT_WORK(&p->wq, vfree_work);
117522+
117523+ p = &per_cpu(vunmap_deferred, i);
117524+ init_llist_head(&p->list);
117525+ INIT_WORK(&p->wq, vunmap_work);
117526+
117527+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
117528+ p2 = &per_cpu(stack_deferred, i);
117529+ init_llist_head(&p2->list.list);
117530+ INIT_WORK(&p2->wq, unmap_work);
117531+#endif
117532 }
117533
117534 /* Import existing vmlist entries. */
117535@@ -1333,6 +1430,16 @@ static struct vm_struct *__get_vm_area_node(unsigned long size,
117536 struct vm_struct *area;
117537
117538 BUG_ON(in_interrupt());
117539+
117540+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
117541+ if (flags & VM_KERNEXEC) {
117542+ if (start != VMALLOC_START || end != VMALLOC_END)
117543+ return NULL;
117544+ start = (unsigned long)MODULES_EXEC_VADDR;
117545+ end = (unsigned long)MODULES_EXEC_END;
117546+ }
117547+#endif
117548+
117549 if (flags & VM_IOREMAP)
117550 align = 1ul << clamp_t(int, fls_long(size),
117551 PAGE_SHIFT, IOREMAP_MAX_ORDER);
117552@@ -1531,13 +1638,36 @@ EXPORT_SYMBOL(vfree);
117553 */
117554 void vunmap(const void *addr)
117555 {
117556- BUG_ON(in_interrupt());
117557- might_sleep();
117558- if (addr)
117559+ if (!addr)
117560+ return;
117561+ if (unlikely(in_interrupt())) {
117562+ struct vfree_deferred *p = this_cpu_ptr(&vunmap_deferred);
117563+ if (llist_add((struct llist_node *)addr, &p->list))
117564+ schedule_work(&p->wq);
117565+ } else {
117566+ might_sleep();
117567 __vunmap(addr, 0);
117568+ }
117569 }
117570 EXPORT_SYMBOL(vunmap);
117571
117572+#ifdef CONFIG_GRKERNSEC_KSTACKOVERFLOW
117573+void unmap_process_stacks(struct task_struct *task)
117574+{
117575+ if (unlikely(in_interrupt())) {
117576+ struct stack_deferred *p = this_cpu_ptr(&stack_deferred);
117577+ struct stack_deferred_llist *list = task->stack;
117578+ list->stack = task->stack;
117579+ list->lowmem_stack = task->lowmem_stack;
117580+ if (llist_add((struct llist_node *)&list->list, &p->list.list))
117581+ schedule_work(&p->wq);
117582+ } else {
117583+ __vunmap(task->stack, 0);
117584+ free_kmem_pages((unsigned long)task->lowmem_stack, THREAD_SIZE_ORDER);
117585+ }
117586+}
117587+#endif
117588+
117589 /**
117590 * vmap - map an array of pages into virtually contiguous space
117591 * @pages: array of page pointers
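Review bot: The new interrupt path in vunmap() queues the request by casting `addr` to `struct llist_node *` and calling `llist_add()`, which stores the list link in the first word of the mapped area. vfree can borrow the memory that way because the pages are about to be freed, but vunmap only tears down the mapping (`__vunmap(addr, 0)`), so the pages behind `addr` may still belong to the caller and their first word is overwritten. The cast also drops the `const` from the parameter, and the write would fault on a mapping that is not writable. Either keep the previous `BUG_ON(in_interrupt())` contract or carry the deferred entry in storage that is not part of the mapping. unmap_process_stacks() in the same hunk differs in that it frees the stack pages afterwards.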
117592@@ -1558,6 +1688,11 @@ void *vmap(struct page **pages, unsigned int count,
117593 if (count > totalram_pages)
117594 return NULL;
117595
117596+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
117597+ if (!(pgprot_val(prot) & _PAGE_NX))
117598+ flags |= VM_KERNEXEC;
117599+#endif
117600+
117601 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
117602 __builtin_return_address(0));
117603 if (!area)
117604@@ -1662,6 +1797,14 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align,
117605 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
117606 goto fail;
117607
117608+#if defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
117609+ if (!(pgprot_val(prot) & _PAGE_NX)) {
117610+ vm_flags |= VM_KERNEXEC;
117611+ start = VMALLOC_START;
117612+ end = VMALLOC_END;
117613+ }
117614+#endif
117615+
117616 area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNINITIALIZED |
117617 vm_flags, start, end, node, gfp_mask, caller);
117618 if (!area)
117619@@ -1715,6 +1858,14 @@ static void *__vmalloc_node(unsigned long size, unsigned long align,
117620 gfp_mask, prot, 0, node, caller);
117621 }
117622
117623+void *vmalloc_usercopy(unsigned long size)
117624+{
117625+ return __vmalloc_node_range(size, 1, VMALLOC_START, VMALLOC_END,
117626+ GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
117627+ VM_USERCOPY, NUMA_NO_NODE,
117628+ __builtin_return_address(0));
117629+}
117630+
117631 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
117632 {
117633 return __vmalloc_node(size, 1, gfp_mask, prot, NUMA_NO_NODE,
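Review bot: vmalloc_usercopy() is added without a kernel-doc comment, unlike the neighbouring allocators in this file (the comment block ending above vmalloc_exec is visible in a later hunk). The comment should say that the area is allocated with `VM_USERCOPY`, the flag `is_usercopy_object()` tests for on vmalloc addresses, so callers know when to choose it over plain vmalloc(). It should also state the fixed `GFP_KERNEL | __GFP_HIGHMEM` and `PAGE_KERNEL` arguments, since the function takes only a size.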
117634@@ -1838,10 +1989,9 @@ EXPORT_SYMBOL(vzalloc_node);
117635 * For tight control over page level allocator and protection flags
117636 * use __vmalloc() instead.
117637 */
117638-
117639 void *vmalloc_exec(unsigned long size)
117640 {
117641- return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
117642+ return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
117643 NUMA_NO_NODE, __builtin_return_address(0));
117644 }
117645
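Review bot: The kernel-doc above `vmalloc_exec()` is not updated for the added `__GFP_ZERO`, so the documented contract still does not say that the executable area is returned zero-filled; a line such as ` * The returned memory is zeroed.` belongs in that comment. The changed `return` line also runs well past 80 columns and could wrap after `__GFP_ZERO,`. The start of the comment block is outside the hunk.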
117646@@ -2148,6 +2298,8 @@ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
117647 {
117648 struct vm_struct *area;
117649
117650+ BUG_ON(vma->vm_mirror);
117651+
117652 size = PAGE_ALIGN(size);
117653
117654 if (!PAGE_ALIGNED(uaddr) || !PAGE_ALIGNED(kaddr))
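Review bot: `BUG_ON(vma->vm_mirror)` halts the kernel on a condition that this function could refuse instead, since it returns `int` and the alignment test right below presumably ends in an error return. If a mirrored vma can ever reach this path from a driver's mmap handler (not visible in this hunk), `if (WARN_ON(vma->vm_mirror)) return -EINVAL;` would keep the diagnostic without turning it into a system-wide denial of service. If the hard stop is intentional, a comment saying why a mirrored vma must never be remapped here would help the next reader. The function body continues outside the hunk.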
117655@@ -2630,7 +2782,11 @@ static int s_show(struct seq_file *m, void *p)
117656 v->addr, v->addr + v->size, v->size);
117657
117658 if (v->caller)
117659+#ifdef CONFIG_GRKERNSEC_HIDESYM
117660+ seq_printf(m, " %pK", v->caller);
117661+#else
117662 seq_printf(m, " %pS", v->caller);
117663+#endif
117664
117665 if (v->nr_pages)
117666 seq_printf(m, " pages=%d", v->nr_pages);
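Review bot: The unbraced `if (v->caller)` now governs a statement chosen by `#ifdef CONFIG_GRKERNSEC_HIDESYM`, which is easy to break when either branch is edited; writing `if (v->caller) {` before the `#ifdef` and `}` after the `#endif` keeps both configurations obviously correct. With `%pK` the caller column changes from a symbol name to a pointer value subject to the kernel's pointer-hiding policy, so a short comment noting that the output format differs under HIDESYM would help anyone who parses this file. s_show() starts before and continues after the hunk.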
117667@@ -2688,52 +2844,5 @@ static int __init proc_vmalloc_init(void)
117668 }
117669 module_init(proc_vmalloc_init);
117670
117671-void get_vmalloc_info(struct vmalloc_info *vmi)
117672-{
117673- struct vmap_area *va;
117674- unsigned long free_area_size;
117675- unsigned long prev_end;
117676-
117677- vmi->used = 0;
117678- vmi->largest_chunk = 0;
117679-
117680- prev_end = VMALLOC_START;
117681-
117682- rcu_read_lock();
117683-
117684- if (list_empty(&vmap_area_list)) {
117685- vmi->largest_chunk = VMALLOC_TOTAL;
117686- goto out;
117687- }
117688-
117689- list_for_each_entry_rcu(va, &vmap_area_list, list) {
117690- unsigned long addr = va->va_start;
117691-
117692- /*
117693- * Some archs keep another range for modules in vmalloc space
117694- */
117695- if (addr < VMALLOC_START)
117696- continue;
117697- if (addr >= VMALLOC_END)
117698- break;
117699-
117700- if (va->flags & (VM_LAZY_FREE | VM_LAZY_FREEING))
117701- continue;
117702-
117703- vmi->used += (va->va_end - va->va_start);
117704-
117705- free_area_size = addr - prev_end;
117706- if (vmi->largest_chunk < free_area_size)
117707- vmi->largest_chunk = free_area_size;
117708-
117709- prev_end = va->va_end;
117710- }
117711-
117712- if (VMALLOC_END - prev_end > vmi->largest_chunk)
117713- vmi->largest_chunk = VMALLOC_END - prev_end;
117714-
117715-out:
117716- rcu_read_unlock();
117717-}
117718 #endif
117719
117720diff --git a/mm/vmstat.c b/mm/vmstat.c
117721index 4f5cd97..9fb715a 100644
117722--- a/mm/vmstat.c
117723+++ b/mm/vmstat.c
117724@@ -27,6 +27,7 @@
117725 #include <linux/mm_inline.h>
117726 #include <linux/page_ext.h>
117727 #include <linux/page_owner.h>
117728+#include <linux/grsecurity.h>
117729
117730 #include "internal.h"
117731
117732@@ -86,7 +87,7 @@ void vm_events_fold_cpu(int cpu)
117733 *
117734 * vm_stat contains the global counters
117735 */
117736-atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS] __cacheline_aligned_in_smp;
117737+atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS] __cacheline_aligned_in_smp;
117738 EXPORT_SYMBOL(vm_stat);
117739
117740 #ifdef CONFIG_SMP
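Review bot: `vm_stat` becomes `atomic_long_unchecked_t` with no comment recording why these counters are exempt from the overflow-checked atomic operations; a line next to the declaration such as `/* statistics only, never a reference count: wrap-around is harmless */` would let a reviewer confirm the exemption. The array is exported on the following line, so its extern declaration and every user have to switch to the `_unchecked` accessors as well. The hunks in fold_diff(), refresh_cpu_vm_stats(), cpu_vm_stats_fold() and drain_zonestat() do that for this file; the header is outside this view.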
117741@@ -438,7 +439,7 @@ static int fold_diff(int *diff)
117742
117743 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
117744 if (diff[i]) {
117745- atomic_long_add(diff[i], &vm_stat[i]);
117746+ atomic_long_add_unchecked(diff[i], &vm_stat[i]);
117747 changes++;
117748 }
117749 return changes;
117750@@ -476,7 +477,7 @@ static int refresh_cpu_vm_stats(void)
117751 v = this_cpu_xchg(p->vm_stat_diff[i], 0);
117752 if (v) {
117753
117754- atomic_long_add(v, &zone->vm_stat[i]);
117755+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
117756 global_diff[i] += v;
117757 #ifdef CONFIG_NUMA
117758 /* 3 seconds idle till flush */
117759@@ -540,7 +541,7 @@ void cpu_vm_stats_fold(int cpu)
117760
117761 v = p->vm_stat_diff[i];
117762 p->vm_stat_diff[i] = 0;
117763- atomic_long_add(v, &zone->vm_stat[i]);
117764+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
117765 global_diff[i] += v;
117766 }
117767 }
117768@@ -560,8 +561,8 @@ void drain_zonestat(struct zone *zone, struct per_cpu_pageset *pset)
117769 if (pset->vm_stat_diff[i]) {
117770 int v = pset->vm_stat_diff[i];
117771 pset->vm_stat_diff[i] = 0;
117772- atomic_long_add(v, &zone->vm_stat[i]);
117773- atomic_long_add(v, &vm_stat[i]);
117774+ atomic_long_add_unchecked(v, &zone->vm_stat[i]);
117775+ atomic_long_add_unchecked(v, &vm_stat[i]);
117776 }
117777 }
117778 #endif
117779@@ -1293,10 +1294,22 @@ static void *vmstat_start(struct seq_file *m, loff_t *pos)
117780 stat_items_size += sizeof(struct vm_event_state);
117781 #endif
117782
117783- v = kmalloc(stat_items_size, GFP_KERNEL);
117784+ v = kzalloc(stat_items_size, GFP_KERNEL);
117785 m->private = v;
117786 if (!v)
117787 return ERR_PTR(-ENOMEM);
117788+
117789+#ifdef CONFIG_GRKERNSEC_PROC_ADD
117790+#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
117791+ if (!uid_eq(current_uid(), GLOBAL_ROOT_UID)
117792+#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
117793+ && !in_group_p(grsec_proc_gid)
117794+#endif
117795+ )
117796+ return (unsigned long *)m->private + *pos;
117797+#endif
117798+#endif
117799+
117800 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
117801 v[i] = global_page_state(i);
117802 v += NR_VM_ZONE_STAT_ITEMS;
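Review bot: The early `return (unsigned long *)m->private + *pos;` for non-root readers is only safe because the allocation a few lines up was switched from kmalloc() to kzalloc(), yet nothing in the code ties the two together. If the allocation were ever changed back, this path would hand uninitialised kernel heap to an unprivileged reader, so a comment at the return such as `/* unprivileged: expose the zero-filled buffer, never live counters */` should make the dependency explicit. The `#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP` that splices `&& !in_group_p(grsec_proc_gid)` into the middle of the condition is also hard to read and would be clearer as a small helper returning a boolean. vmstat_start() begins before and continues after the hunk.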
117803@@ -1528,10 +1541,16 @@ static int __init setup_vmstat(void)
117804 cpu_notifier_register_done();
117805 #endif
117806 #ifdef CONFIG_PROC_FS
117807- proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
117808- proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
117809- proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
117810- proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
117811+ {
117812+ mode_t gr_mode = S_IRUGO;
117813+#ifdef CONFIG_GRKERNSEC_PROC_ADD
117814+ gr_mode = S_IRUSR;
117815+#endif
117816+ proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
117817+ proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
117818+ proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
117819+ proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
117820+ }
117821 #endif
117822 return 0;
117823 }
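Review bot: `gr_mode` is declared as `mode_t`, whereas kernel code conventionally spells file modes as `umode_t`, which is the type I would expect proc_create() to take; `umode_t gr_mode = S_IRUGO;` is the usual form. The "vmstat" entry keeps `S_IRUGO` while the other three take `gr_mode`, presumably because vmstat_start() filters the content itself, and that asymmetry deserves a one-line comment so it is not 'corrected' later. The bare `{ }` block exists only to scope the variable; the start of setup_vmstat() is outside the hunk.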
117824diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c
117825index d2cd9de..501c186 100644
117826--- a/net/8021q/vlan.c
117827+++ b/net/8021q/vlan.c
117828@@ -491,7 +491,7 @@ out:
117829 return NOTIFY_DONE;
117830 }
117831
117832-static struct notifier_block vlan_notifier_block __read_mostly = {
117833+static struct notifier_block vlan_notifier_block = {
117834 .notifier_call = vlan_device_event,
117835 };
117836
117837@@ -566,8 +566,7 @@ static int vlan_ioctl_handler(struct net *net, void __user *arg)
117838 err = -EPERM;
117839 if (!ns_capable(net->user_ns, CAP_NET_ADMIN))
117840 break;
117841- if ((args.u.name_type >= 0) &&
117842- (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
117843+ if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
117844 struct vlan_net *vn;
117845
117846 vn = net_generic(net, vlan_net_id);
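Review bot: Dropping the `args.u.name_type >= 0` half of the range check is only safe if `name_type` is an unsigned field, and its declaration is not visible in this hunk. If it is unsigned, the old comparison was always true and this is a clean-up; if it were signed, a negative value from user space would now pass `< VLAN_NAME_TYPE_HIGHEST` and be used. A comment next to the test such as `/* name_type is unsigned, only the upper bound needs checking */` would make the assumption reviewable. The handler's body starts before and continues after the hunk.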
117847diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c
117848index c92b52f..006c052 100644
117849--- a/net/8021q/vlan_netlink.c
117850+++ b/net/8021q/vlan_netlink.c
117851@@ -245,7 +245,7 @@ static struct net *vlan_get_link_net(const struct net_device *dev)
117852 return dev_net(real_dev);
117853 }
117854
117855-struct rtnl_link_ops vlan_link_ops __read_mostly = {
117856+struct rtnl_link_ops vlan_link_ops = {
117857 .kind = "vlan",
117858 .maxtype = IFLA_VLAN_MAX,
117859 .policy = vlan_policy,
117860diff --git a/net/9p/mod.c b/net/9p/mod.c
117861index 6ab36ae..6f1841b 100644
117862--- a/net/9p/mod.c
117863+++ b/net/9p/mod.c
117864@@ -84,7 +84,7 @@ static LIST_HEAD(v9fs_trans_list);
117865 void v9fs_register_trans(struct p9_trans_module *m)
117866 {
117867 spin_lock(&v9fs_trans_lock);
117868- list_add_tail(&m->list, &v9fs_trans_list);
117869+ pax_list_add_tail((struct list_head *)&m->list, &v9fs_trans_list);
117870 spin_unlock(&v9fs_trans_lock);
117871 }
117872 EXPORT_SYMBOL(v9fs_register_trans);
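Review bot: The `(struct list_head *)` cast on `&m->list`, here and in the v9fs_unregister_trans() hunk below, silences whatever qualifier mismatch `pax_list_add_tail()`/`pax_list_del_init()` would otherwise report, and nothing says why plain `list_add_tail()` no longer suffices. Presumably `struct p9_trans_module` is treated as read-only and these helpers are the sanctioned way to write to it; that is an inference, since neither the structure nor the helpers are visible here. A comment such as `/* m is constified; pax_list_* performs the controlled write */` (wording to be confirmed) would keep the cast from being copied to places where it is not safe.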
117873@@ -97,7 +97,7 @@ EXPORT_SYMBOL(v9fs_register_trans);
117874 void v9fs_unregister_trans(struct p9_trans_module *m)
117875 {
117876 spin_lock(&v9fs_trans_lock);
117877- list_del_init(&m->list);
117878+ pax_list_del_init((struct list_head *)&m->list);
117879 spin_unlock(&v9fs_trans_lock);
117880 }
117881 EXPORT_SYMBOL(v9fs_unregister_trans);
117882diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
117883index bced8c0..ef253b7 100644
117884--- a/net/9p/trans_fd.c
117885+++ b/net/9p/trans_fd.c
117886@@ -428,7 +428,7 @@ static int p9_fd_write(struct p9_client *client, void *v, int len)
117887 oldfs = get_fs();
117888 set_fs(get_ds());
117889 /* The cast to a user pointer is valid due to the set_fs() */
117890- ret = vfs_write(ts->wr, (__force void __user *)v, len, &ts->wr->f_pos);
117891+ ret = vfs_write(ts->wr, (void __force_user *)v, len, &ts->wr->f_pos);
117892 set_fs(oldfs);
117893
117894 if (ret <= 0 && ret != -ERESTARTSYS && ret != -EAGAIN)
117895diff --git a/net/appletalk/atalk_proc.c b/net/appletalk/atalk_proc.c
117896index af46bc4..f9adfcd 100644
117897--- a/net/appletalk/atalk_proc.c
117898+++ b/net/appletalk/atalk_proc.c
117899@@ -256,7 +256,7 @@ int __init atalk_proc_init(void)
117900 struct proc_dir_entry *p;
117901 int rc = -ENOMEM;
117902
117903- atalk_proc_dir = proc_mkdir("atalk", init_net.proc_net);
117904+ atalk_proc_dir = proc_mkdir_restrict("atalk", init_net.proc_net);
117905 if (!atalk_proc_dir)
117906 goto out;
117907
117908diff --git a/net/atm/atm_misc.c b/net/atm/atm_misc.c
117909index 876fbe8..8bbea9f 100644
117910--- a/net/atm/atm_misc.c
117911+++ b/net/atm/atm_misc.c
117912@@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int truesize)
117913 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
117914 return 1;
117915 atm_return(vcc, truesize);
117916- atomic_inc(&vcc->stats->rx_drop);
117917+ atomic_inc_unchecked(&vcc->stats->rx_drop);
117918 return 0;
117919 }
117920 EXPORT_SYMBOL(atm_charge);
117921@@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct atm_vcc *vcc, int pdu_size,
117922 }
117923 }
117924 atm_return(vcc, guess);
117925- atomic_inc(&vcc->stats->rx_drop);
117926+ atomic_inc_unchecked(&vcc->stats->rx_drop);
117927 return NULL;
117928 }
117929 EXPORT_SYMBOL(atm_alloc_charge);
117930@@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
117931
117932 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
117933 {
117934-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
117935+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
117936 __SONET_ITEMS
117937 #undef __HANDLE_ITEM
117938 }
117939@@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
117940
117941 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
117942 {
117943-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
117944+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
117945 __SONET_ITEMS
117946 #undef __HANDLE_ITEM
117947 }
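Review bot: The rewritten macro `atomic_sub_unchecked(to->i,&from->i)` drops the space after the comma that the removed line had and that the equivalent macro in net/atm/resources.c keeps; `#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)` matches the rest of the code. The add_stats() hunk in net/atm/proc.c has the same missing spaces between its `atomic_read_unchecked()` arguments.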
117948diff --git a/net/atm/lec.c b/net/atm/lec.c
117949index cd3b379..977a3c9 100644
117950--- a/net/atm/lec.c
117951+++ b/net/atm/lec.c
117952@@ -111,9 +111,9 @@ static inline void lec_arp_put(struct lec_arp_table *entry)
117953 }
117954
117955 static struct lane2_ops lane2_ops = {
117956- lane2_resolve, /* resolve, spec 3.1.3 */
117957- lane2_associate_req, /* associate_req, spec 3.1.4 */
117958- NULL /* associate indicator, spec 3.1.5 */
117959+ .resolve = lane2_resolve,
117960+ .associate_req = lane2_associate_req,
117961+ .associate_indicator = NULL
117962 };
117963
117964 static unsigned char bus_mac[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
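Review bot: Converting `lane2_ops` to designated initializers drops the `spec 3.1.3`, `3.1.4` and `3.1.5` references that the positional form carried in its comments, which were the only pointer from each callback to the relevant specification section. They can be kept as trailing comments, e.g. `.resolve = lane2_resolve, /* spec 3.1.3 */`. The explicit `.associate_indicator = NULL` is redundant for a static object, though harmless as documentation.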
117965diff --git a/net/atm/lec.h b/net/atm/lec.h
117966index 4149db1..f2ab682 100644
117967--- a/net/atm/lec.h
117968+++ b/net/atm/lec.h
117969@@ -48,7 +48,7 @@ struct lane2_ops {
117970 const u8 *tlvs, u32 sizeoftlvs);
117971 void (*associate_indicator) (struct net_device *dev, const u8 *mac_addr,
117972 const u8 *tlvs, u32 sizeoftlvs);
117973-};
117974+} __no_const;
117975
117976 /*
117977 * ATM LAN Emulation supports both LLC & Dix Ethernet EtherType
117978diff --git a/net/atm/mpoa_caches.c b/net/atm/mpoa_caches.c
117979index d1b2d9a..d549f7f 100644
117980--- a/net/atm/mpoa_caches.c
117981+++ b/net/atm/mpoa_caches.c
117982@@ -535,30 +535,30 @@ static void eg_destroy_cache(struct mpoa_client *mpc)
117983
117984
117985 static struct in_cache_ops ingress_ops = {
117986- in_cache_add_entry, /* add_entry */
117987- in_cache_get, /* get */
117988- in_cache_get_with_mask, /* get_with_mask */
117989- in_cache_get_by_vcc, /* get_by_vcc */
117990- in_cache_put, /* put */
117991- in_cache_remove_entry, /* remove_entry */
117992- cache_hit, /* cache_hit */
117993- clear_count_and_expired, /* clear_count */
117994- check_resolving_entries, /* check_resolving */
117995- refresh_entries, /* refresh */
117996- in_destroy_cache /* destroy_cache */
117997+ .add_entry = in_cache_add_entry,
117998+ .get = in_cache_get,
117999+ .get_with_mask = in_cache_get_with_mask,
118000+ .get_by_vcc = in_cache_get_by_vcc,
118001+ .put = in_cache_put,
118002+ .remove_entry = in_cache_remove_entry,
118003+ .cache_hit = cache_hit,
118004+ .clear_count = clear_count_and_expired,
118005+ .check_resolving = check_resolving_entries,
118006+ .refresh = refresh_entries,
118007+ .destroy_cache = in_destroy_cache
118008 };
118009
118010 static struct eg_cache_ops egress_ops = {
118011- eg_cache_add_entry, /* add_entry */
118012- eg_cache_get_by_cache_id, /* get_by_cache_id */
118013- eg_cache_get_by_tag, /* get_by_tag */
118014- eg_cache_get_by_vcc, /* get_by_vcc */
118015- eg_cache_get_by_src_ip, /* get_by_src_ip */
118016- eg_cache_put, /* put */
118017- eg_cache_remove_entry, /* remove_entry */
118018- update_eg_cache_entry, /* update */
118019- clear_expired, /* clear_expired */
118020- eg_destroy_cache /* destroy_cache */
118021+ .add_entry = eg_cache_add_entry,
118022+ .get_by_cache_id = eg_cache_get_by_cache_id,
118023+ .get_by_tag = eg_cache_get_by_tag,
118024+ .get_by_vcc = eg_cache_get_by_vcc,
118025+ .get_by_src_ip = eg_cache_get_by_src_ip,
118026+ .put = eg_cache_put,
118027+ .remove_entry = eg_cache_remove_entry,
118028+ .update = update_eg_cache_entry,
118029+ .clear_expired = clear_expired,
118030+ .destroy_cache = eg_destroy_cache
118031 };
118032
118033
118034diff --git a/net/atm/proc.c b/net/atm/proc.c
118035index bbb6461..cf04016 100644
118036--- a/net/atm/proc.c
118037+++ b/net/atm/proc.c
118038@@ -45,9 +45,9 @@ static void add_stats(struct seq_file *seq, const char *aal,
118039 const struct k_atm_aal_stats *stats)
118040 {
118041 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
118042- atomic_read(&stats->tx), atomic_read(&stats->tx_err),
118043- atomic_read(&stats->rx), atomic_read(&stats->rx_err),
118044- atomic_read(&stats->rx_drop));
118045+ atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
118046+ atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
118047+ atomic_read_unchecked(&stats->rx_drop));
118048 }
118049
118050 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
118051diff --git a/net/atm/resources.c b/net/atm/resources.c
118052index 0447d5d..3cf4728 100644
118053--- a/net/atm/resources.c
118054+++ b/net/atm/resources.c
118055@@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
118056 static void copy_aal_stats(struct k_atm_aal_stats *from,
118057 struct atm_aal_stats *to)
118058 {
118059-#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
118060+#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
118061 __AAL_STAT_ITEMS
118062 #undef __HANDLE_ITEM
118063 }
118064@@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_aal_stats *from,
118065 static void subtract_aal_stats(struct k_atm_aal_stats *from,
118066 struct atm_aal_stats *to)
118067 {
118068-#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
118069+#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
118070 __AAL_STAT_ITEMS
118071 #undef __HANDLE_ITEM
118072 }
118073diff --git a/net/ax25/sysctl_net_ax25.c b/net/ax25/sysctl_net_ax25.c
118074index 919a5ce..cc6b444 100644
118075--- a/net/ax25/sysctl_net_ax25.c
118076+++ b/net/ax25/sysctl_net_ax25.c
118077@@ -152,7 +152,7 @@ int ax25_register_dev_sysctl(ax25_dev *ax25_dev)
118078 {
118079 char path[sizeof("net/ax25/") + IFNAMSIZ];
118080 int k;
118081- struct ctl_table *table;
118082+ ctl_table_no_const *table;
118083
118084 table = kmemdup(ax25_param_table, sizeof(ax25_param_table), GFP_KERNEL);
118085 if (!table)
118086diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
118087index 753383c..32d12d9 100644
118088--- a/net/batman-adv/bat_iv_ogm.c
118089+++ b/net/batman-adv/bat_iv_ogm.c
118090@@ -343,7 +343,7 @@ static int batadv_iv_ogm_iface_enable(struct batadv_hard_iface *hard_iface)
118091
118092 /* randomize initial seqno to avoid collision */
118093 get_random_bytes(&random_seqno, sizeof(random_seqno));
118094- atomic_set(&hard_iface->bat_iv.ogm_seqno, random_seqno);
118095+ atomic_set_unchecked(&hard_iface->bat_iv.ogm_seqno, random_seqno);
118096
118097 hard_iface->bat_iv.ogm_buff_len = BATADV_OGM_HLEN;
118098 ogm_buff = kmalloc(hard_iface->bat_iv.ogm_buff_len, GFP_ATOMIC);
118099@@ -947,9 +947,9 @@ static void batadv_iv_ogm_schedule(struct batadv_hard_iface *hard_iface)
118100 batadv_ogm_packet->tvlv_len = htons(tvlv_len);
118101
118102 /* change sequence number to network order */
118103- seqno = (uint32_t)atomic_read(&hard_iface->bat_iv.ogm_seqno);
118104+ seqno = (uint32_t)atomic_read_unchecked(&hard_iface->bat_iv.ogm_seqno);
118105 batadv_ogm_packet->seqno = htonl(seqno);
118106- atomic_inc(&hard_iface->bat_iv.ogm_seqno);
118107+ atomic_inc_unchecked(&hard_iface->bat_iv.ogm_seqno);
118108
118109 batadv_iv_ogm_slide_own_bcast_window(hard_iface);
118110
118111@@ -1626,7 +1626,7 @@ static void batadv_iv_ogm_process(const struct sk_buff *skb, int ogm_offset,
118112 return;
118113
118114 /* could be changed by schedule_own_packet() */
118115- if_incoming_seqno = atomic_read(&if_incoming->bat_iv.ogm_seqno);
118116+ if_incoming_seqno = atomic_read_unchecked(&if_incoming->bat_iv.ogm_seqno);
118117
118118 if (ogm_packet->flags & BATADV_DIRECTLINK)
118119 has_directlink_flag = true;
118120diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
118121index c0f0d01..725928a 100644
118122--- a/net/batman-adv/fragmentation.c
118123+++ b/net/batman-adv/fragmentation.c
118124@@ -465,7 +465,7 @@ bool batadv_frag_send_packet(struct sk_buff *skb,
118125 frag_header.packet_type = BATADV_UNICAST_FRAG;
118126 frag_header.version = BATADV_COMPAT_VERSION;
118127 frag_header.ttl = BATADV_TTL;
118128- frag_header.seqno = htons(atomic_inc_return(&bat_priv->frag_seqno));
118129+ frag_header.seqno = htons(atomic_inc_return_unchecked(&bat_priv->frag_seqno));
118130 frag_header.reserved = 0;
118131 frag_header.no = 0;
118132 frag_header.total_size = htons(skb->len);
118133diff --git a/net/batman-adv/soft-interface.c b/net/batman-adv/soft-interface.c
118134index 51cda3a..a5db59e 100644
118135--- a/net/batman-adv/soft-interface.c
118136+++ b/net/batman-adv/soft-interface.c
118137@@ -330,7 +330,7 @@ send:
118138 primary_if->net_dev->dev_addr);
118139
118140 /* set broadcast sequence number */
118141- seqno = atomic_inc_return(&bat_priv->bcast_seqno);
118142+ seqno = atomic_inc_return_unchecked(&bat_priv->bcast_seqno);
118143 bcast_packet->seqno = htonl(seqno);
118144
118145 batadv_add_bcast_packet_to_list(bat_priv, skb, brd_delay);
118146@@ -798,7 +798,7 @@ static int batadv_softif_init_late(struct net_device *dev)
118147 atomic_set(&bat_priv->batman_queue_left, BATADV_BATMAN_QUEUE_LEN);
118148
118149 atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
118150- atomic_set(&bat_priv->bcast_seqno, 1);
118151+ atomic_set_unchecked(&bat_priv->bcast_seqno, 1);
118152 atomic_set(&bat_priv->tt.vn, 0);
118153 atomic_set(&bat_priv->tt.local_changes, 0);
118154 atomic_set(&bat_priv->tt.ogm_append_cnt, 0);
118155@@ -812,7 +812,7 @@ static int batadv_softif_init_late(struct net_device *dev)
118156
118157 /* randomize initial seqno to avoid collision */
118158 get_random_bytes(&random_seqno, sizeof(random_seqno));
118159- atomic_set(&bat_priv->frag_seqno, random_seqno);
118160+ atomic_set_unchecked(&bat_priv->frag_seqno, random_seqno);
118161
118162 bat_priv->primary_if = NULL;
118163 bat_priv->num_ifaces = 0;
118164@@ -1020,7 +1020,7 @@ int batadv_softif_is_valid(const struct net_device *net_dev)
118165 return 0;
118166 }
118167
118168-struct rtnl_link_ops batadv_link_ops __read_mostly = {
118169+struct rtnl_link_ops batadv_link_ops = {
118170 .kind = "batadv",
118171 .priv_size = sizeof(struct batadv_priv),
118172 .setup = batadv_softif_init_early,
118173diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
118174index 55610a8..aba2ae8 100644
118175--- a/net/batman-adv/types.h
118176+++ b/net/batman-adv/types.h
118177@@ -81,7 +81,7 @@ enum batadv_dhcp_recipient {
118178 struct batadv_hard_iface_bat_iv {
118179 unsigned char *ogm_buff;
118180 int ogm_buff_len;
118181- atomic_t ogm_seqno;
118182+ atomic_unchecked_t ogm_seqno;
118183 };
118184
118185 /**
118186@@ -786,7 +786,7 @@ struct batadv_priv {
118187 atomic_t bonding;
118188 atomic_t fragmentation;
118189 atomic_t packet_size_max;
118190- atomic_t frag_seqno;
118191+ atomic_unchecked_t frag_seqno;
118192 #ifdef CONFIG_BATMAN_ADV_BLA
118193 atomic_t bridge_loop_avoidance;
118194 #endif
118195@@ -805,7 +805,7 @@ struct batadv_priv {
118196 #endif
118197 uint32_t isolation_mark;
118198 uint32_t isolation_mark_mask;
118199- atomic_t bcast_seqno;
118200+ atomic_unchecked_t bcast_seqno;
118201 atomic_t bcast_queue_left;
118202 atomic_t batman_queue_left;
118203 char num_ifaces;
118204diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
118205index f2d30d1..0573933 100644
118206--- a/net/bluetooth/hci_sock.c
118207+++ b/net/bluetooth/hci_sock.c
118208@@ -1253,7 +1253,7 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
118209 uf.event_mask[1] = *((u32 *) f->event_mask + 1);
118210 }
118211
118212- len = min_t(unsigned int, len, sizeof(uf));
118213+ len = min((size_t)len, sizeof(uf));
118214 if (copy_from_user(&uf, optval, len)) {
118215 err = -EFAULT;
118216 break;
118217diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
118218index 45fffa4..c5ad848 100644
118219--- a/net/bluetooth/l2cap_core.c
118220+++ b/net/bluetooth/l2cap_core.c
118221@@ -3537,8 +3537,10 @@ static int l2cap_parse_conf_rsp(struct l2cap_chan *chan, void *rsp, int len,
118222 break;
118223
118224 case L2CAP_CONF_RFC:
118225- if (olen == sizeof(rfc))
118226- memcpy(&rfc, (void *)val, olen);
118227+ if (olen != sizeof(rfc))
118228+ break;
118229+
118230+ memcpy(&rfc, (void *)val, olen);
118231
118232 if (test_bit(CONF_STATE2_DEVICE, &chan->conf_state) &&
118233 rfc.mode != chan->mode)
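Review bot: With the new `break`, an `L2CAP_CONF_RFC` option whose `olen` differs from `sizeof(rfc)` is skipped silently, where the old code skipped only the memcpy() and still ran the mode check below against whatever `rfc` already held. That is the safer behaviour for data arriving from a remote peer, but it deserves a comment such as `/* ignore a malformed RFC option rather than act on stale rfc contents */`. The other option cases of this switch are outside the hunk and should be checked for the same length validation before they copy from `val`.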
118234diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
118235index 2442877..24ddcd1 100644
118236--- a/net/bluetooth/l2cap_sock.c
118237+++ b/net/bluetooth/l2cap_sock.c
118238@@ -633,7 +633,8 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
118239 struct sock *sk = sock->sk;
118240 struct l2cap_chan *chan = l2cap_pi(sk)->chan;
118241 struct l2cap_options opts;
118242- int len, err = 0;
118243+ int err = 0;
118244+ size_t len = optlen;
118245 u32 opt;
118246
118247 BT_DBG("sk %p", sk);
118248@@ -660,7 +661,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
118249 opts.max_tx = chan->max_tx;
118250 opts.txwin_size = chan->tx_win;
118251
118252- len = min_t(unsigned int, sizeof(opts), optlen);
118253+ len = min(sizeof(opts), len);
118254 if (copy_from_user((char *) &opts, optval, len)) {
118255 err = -EFAULT;
118256 break;
118257@@ -747,7 +748,8 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
118258 struct bt_security sec;
118259 struct bt_power pwr;
118260 struct l2cap_conn *conn;
118261- int len, err = 0;
118262+ int err = 0;
118263+ size_t len = optlen;
118264 u32 opt;
118265
118266 BT_DBG("sk %p", sk);
118267@@ -771,7 +773,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
118268
118269 sec.level = BT_SECURITY_LOW;
118270
118271- len = min_t(unsigned int, sizeof(sec), optlen);
118272+ len = min(sizeof(sec), len);
118273 if (copy_from_user((char *) &sec, optval, len)) {
118274 err = -EFAULT;
118275 break;
118276@@ -867,7 +869,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
118277
118278 pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
118279
118280- len = min_t(unsigned int, sizeof(pwr), optlen);
118281+ len = min(sizeof(pwr), len);
118282 if (copy_from_user((char *) &pwr, optval, len)) {
118283 err = -EFAULT;
118284 break;
118285diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c
118286index 7511df7..a670df3 100644
118287--- a/net/bluetooth/rfcomm/sock.c
118288+++ b/net/bluetooth/rfcomm/sock.c
118289@@ -690,7 +690,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
118290 struct sock *sk = sock->sk;
118291 struct bt_security sec;
118292 int err = 0;
118293- size_t len;
118294+ size_t len = optlen;
118295 u32 opt;
118296
118297 BT_DBG("sk %p", sk);
118298@@ -712,7 +712,7 @@ static int rfcomm_sock_setsockopt(struct socket *sock, int level, int optname, c
118299
118300 sec.level = BT_SECURITY_LOW;
118301
118302- len = min_t(unsigned int, sizeof(sec), optlen);
118303+ len = min(sizeof(sec), len);
118304 if (copy_from_user((char *) &sec, optval, len)) {
118305 err = -EFAULT;
118306 break;
118307diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
118308index 8e385a0..a5bdd8e 100644
118309--- a/net/bluetooth/rfcomm/tty.c
118310+++ b/net/bluetooth/rfcomm/tty.c
118311@@ -752,7 +752,7 @@ static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp)
118312 BT_DBG("tty %p id %d", tty, tty->index);
118313
118314 BT_DBG("dev %p dst %pMR channel %d opened %d", dev, &dev->dst,
118315- dev->channel, dev->port.count);
118316+ dev->channel, atomic_read(&dev->port.count));
118317
118318 err = tty_port_open(&dev->port, tty, filp);
118319 if (err)
118320@@ -775,7 +775,7 @@ static void rfcomm_tty_close(struct tty_struct *tty, struct file *filp)
118321 struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data;
118322
118323 BT_DBG("tty %p dev %p dlc %p opened %d", tty, dev, dev->dlc,
118324- dev->port.count);
118325+ atomic_read(&dev->port.count));
118326
118327 tty_port_close(&dev->port, tty, filp);
118328 }
118329diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
118330index 4d74a06..f37f9c2 100644
118331--- a/net/bridge/br_netlink.c
118332+++ b/net/bridge/br_netlink.c
118333@@ -835,7 +835,7 @@ static struct rtnl_af_ops br_af_ops __read_mostly = {
118334 .get_link_af_size = br_get_link_af_size,
118335 };
118336
118337-struct rtnl_link_ops br_link_ops __read_mostly = {
118338+struct rtnl_link_ops br_link_ops = {
118339 .kind = "bridge",
118340 .priv_size = sizeof(struct net_bridge),
118341 .setup = br_dev_setup,
118342diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
118343index 18ca4b2..7e8d731 100644
118344--- a/net/bridge/netfilter/ebtables.c
118345+++ b/net/bridge/netfilter/ebtables.c
118346@@ -1533,7 +1533,7 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
118347 tmp.valid_hooks = t->table->valid_hooks;
118348 }
118349 mutex_unlock(&ebt_mutex);
118350- if (copy_to_user(user, &tmp, *len) != 0) {
118351+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
118352 BUGPRINT("c2u Didn't work\n");
118353 ret = -EFAULT;
118354 break;
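Review bot: The added `*len > sizeof(tmp)` test compares an `int` with a `size_t`, so a negative `*len` is rejected only because it converts to a very large unsigned value; writing `*len < 0 || *len > sizeof(tmp)` would state the intent instead of relying on the conversion. A bad length then takes the `-EFAULT` path and, in do_ebt_get_ctl(), prints "c2u Didn't work" although no copy was attempted; a separate check ahead of copy_to_user() that sets `ret = -EINVAL` would report the real cause. The two compat_do_ebt_get_ctl() hunks below add the same combined condition. Whether an earlier length check already exists in these functions is not visible from the hunks.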
118355@@ -2339,7 +2339,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
118356 goto out;
118357 tmp.valid_hooks = t->valid_hooks;
118358
118359- if (copy_to_user(user, &tmp, *len) != 0) {
118360+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
118361 ret = -EFAULT;
118362 break;
118363 }
118364@@ -2350,7 +2350,7 @@ static int compat_do_ebt_get_ctl(struct sock *sk, int cmd,
118365 tmp.entries_size = t->table->entries_size;
118366 tmp.valid_hooks = t->table->valid_hooks;
118367
118368- if (copy_to_user(user, &tmp, *len) != 0) {
118369+ if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0) {
118370 ret = -EFAULT;
118371 break;
118372 }
118373diff --git a/net/caif/cfctrl.c b/net/caif/cfctrl.c
118374index f5afda1..dcf770a 100644
118375--- a/net/caif/cfctrl.c
118376+++ b/net/caif/cfctrl.c
118377@@ -10,6 +10,7 @@
118378 #include <linux/spinlock.h>
118379 #include <linux/slab.h>
118380 #include <linux/pkt_sched.h>
118381+#include <linux/sched.h>
118382 #include <net/caif/caif_layer.h>
118383 #include <net/caif/cfpkt.h>
118384 #include <net/caif/cfctrl.h>
118385@@ -43,8 +44,8 @@ struct cflayer *cfctrl_create(void)
118386 memset(&dev_info, 0, sizeof(dev_info));
118387 dev_info.id = 0xff;
118388 cfsrvl_init(&this->serv, 0, &dev_info, false);
118389- atomic_set(&this->req_seq_no, 1);
118390- atomic_set(&this->rsp_seq_no, 1);
118391+ atomic_set_unchecked(&this->req_seq_no, 1);
118392+ atomic_set_unchecked(&this->rsp_seq_no, 1);
118393 this->serv.layer.receive = cfctrl_recv;
118394 sprintf(this->serv.layer.name, "ctrl");
118395 this->serv.layer.ctrlcmd = cfctrl_ctrlcmd;
118396@@ -130,8 +131,8 @@ static void cfctrl_insert_req(struct cfctrl *ctrl,
118397 struct cfctrl_request_info *req)
118398 {
118399 spin_lock_bh(&ctrl->info_list_lock);
118400- atomic_inc(&ctrl->req_seq_no);
118401- req->sequence_no = atomic_read(&ctrl->req_seq_no);
118402+ atomic_inc_unchecked(&ctrl->req_seq_no);
118403+ req->sequence_no = atomic_read_unchecked(&ctrl->req_seq_no);
118404 list_add_tail(&req->list, &ctrl->list);
118405 spin_unlock_bh(&ctrl->info_list_lock);
118406 }
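Review bot: cfctrl_insert_req() still bumps the counter and then reads it back in two separate calls, which is correct only because both sit under `info_list_lock`. Since the line is being touched anyway, `req->sequence_no = atomic_inc_return_unchecked(&ctrl->req_seq_no);` says the same thing in one step and no longer depends on the lock for the pairing. The switch to the `_unchecked` accessors also relies on `req_seq_no` and `rsp_seq_no` being retyped in the cfctrl header, which is outside this view.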
118407@@ -149,7 +150,7 @@ static struct cfctrl_request_info *cfctrl_remove_req(struct cfctrl *ctrl,
118408 if (p != first)
118409 pr_warn("Requests are not received in order\n");
118410
118411- atomic_set(&ctrl->rsp_seq_no,
118412+ atomic_set_unchecked(&ctrl->rsp_seq_no,
118413 p->sequence_no);
118414 list_del(&p->list);
118415 goto out;
118416diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
118417index 67a4a36..8d28068 100644
118418--- a/net/caif/chnl_net.c
118419+++ b/net/caif/chnl_net.c
118420@@ -515,7 +515,7 @@ static const struct nla_policy ipcaif_policy[IFLA_CAIF_MAX + 1] = {
118421 };
118422
118423
118424-static struct rtnl_link_ops ipcaif_link_ops __read_mostly = {
118425+static struct rtnl_link_ops ipcaif_link_ops = {
118426 .kind = "caif",
118427 .priv_size = sizeof(struct chnl_net),
118428 .setup = ipcaif_net_setup,
118429diff --git a/net/can/af_can.c b/net/can/af_can.c
118430index 166d436..2920816 100644
118431--- a/net/can/af_can.c
118432+++ b/net/can/af_can.c
118433@@ -890,7 +890,7 @@ static const struct net_proto_family can_family_ops = {
118434 };
118435
118436 /* notifier block for netdevice event */
118437-static struct notifier_block can_netdev_notifier __read_mostly = {
118438+static struct notifier_block can_netdev_notifier = {
118439 .notifier_call = can_notifier,
118440 };
118441
118442diff --git a/net/can/bcm.c b/net/can/bcm.c
118443index a1ba687..aafaec5 100644
118444--- a/net/can/bcm.c
118445+++ b/net/can/bcm.c
118446@@ -1620,7 +1620,7 @@ static int __init bcm_module_init(void)
118447 }
118448
118449 /* create /proc/net/can-bcm directory */
118450- proc_dir = proc_mkdir("can-bcm", init_net.proc_net);
118451+ proc_dir = proc_mkdir_restrict("can-bcm", init_net.proc_net);
118452 return 0;
118453 }
118454
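Review bot: The result of `proc_mkdir_restrict("can-bcm", init_net.proc_net)` is stored in `proc_dir` and bcm_module_init() returns 0 on the next line without testing it, unlike the atalk_proc_init() and can_init_proc() call sites in this patch, which check for NULL. If the restricted directory cannot be created, whatever later creates entries under `proc_dir` (outside this hunk) would be working with a NULL parent, and the access restriction this change intends would not be in place. A NULL check that at least logs the failure, e.g. `if (!proc_dir) pr_warn("can-bcm: failed to create proc directory\n");`, or that fails module init, would make that case visible.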
118455diff --git a/net/can/gw.c b/net/can/gw.c
118456index 4551687..4e82e9b 100644
118457--- a/net/can/gw.c
118458+++ b/net/can/gw.c
118459@@ -80,7 +80,6 @@ MODULE_PARM_DESC(max_hops,
118460 "default: " __stringify(CGW_DEFAULT_HOPS) ")");
118461
118462 static HLIST_HEAD(cgw_list);
118463-static struct notifier_block notifier;
118464
118465 static struct kmem_cache *cgw_cache __read_mostly;
118466
118467@@ -992,6 +991,10 @@ static int cgw_remove_job(struct sk_buff *skb, struct nlmsghdr *nlh)
118468 return err;
118469 }
118470
118471+static struct notifier_block notifier = {
118472+ .notifier_call = cgw_notifier
118473+};
118474+
118475 static __init int cgw_module_init(void)
118476 {
118477 /* sanitize given module parameter */
118478@@ -1007,7 +1010,6 @@ static __init int cgw_module_init(void)
118479 return -ENOMEM;
118480
118481 /* set notifier */
118482- notifier.notifier_call = cgw_notifier;
118483 register_netdevice_notifier(&notifier);
118484
118485 if (__rtnl_register(PF_CAN, RTM_GETROUTE, NULL, cgw_dump_jobs, NULL)) {
118486diff --git a/net/can/proc.c b/net/can/proc.c
118487index 1a19b98..df2b4ec 100644
118488--- a/net/can/proc.c
118489+++ b/net/can/proc.c
118490@@ -514,7 +514,7 @@ static void can_remove_proc_readentry(const char *name)
118491 void can_init_proc(void)
118492 {
118493 /* create /proc/net/can directory */
118494- can_dir = proc_mkdir("can", init_net.proc_net);
118495+ can_dir = proc_mkdir_restrict("can", init_net.proc_net);
118496
118497 if (!can_dir) {
118498 printk(KERN_INFO "can: failed to create /proc/net/can . "
118499diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
118500index e3be1d2..254c555 100644
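--- a/net/ceph/messenger.c
+++ b/net/ceph/messenger.c
@@ -189,7 +189,7 @@ static void con_fault(struct ceph_connection *con);
 #define MAX_ADDR_STR_LEN 64 /* 54 is enough */
 
 static char addr_str[ADDR_STR_COUNT][MAX_ADDR_STR_LEN];
-static atomic_t addr_str_seq = ATOMIC_INIT(0);
+static atomic_unchecked_t addr_str_seq = ATOMIC_INIT(0);
 
 static struct page *zero_page; /* used in certain error cases */
 
@@ -200,7 +200,7 @@ const char *ceph_pr_addr(const struct sockaddr_storage *ss)
 struct sockaddr_in *in4 = (struct sockaddr_in *) ss;
 struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) ss;
 
- i = atomic_inc_return(&addr_str_seq) & ADDR_STR_COUNT_MASK;
+ i = atomic_inc_return_unchecked(&addr_str_seq) & ADDR_STR_COUNT_MASK;
 s = addr_str[i];
 
 switch (ss->ss_family) {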
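Review bot: Nothing at the declaration of `addr_str_seq` says why it becomes `atomic_unchecked_t`. The value is only used masked with `ADDR_STR_COUNT_MASK` to pick a slot in `addr_str[]`, so wrap-around is expected and harmless, which is presumably why it is taken out of overflow checking. A one-line comment such as `/* ring index into addr_str[], wraps by design; not a reference count */` would keep a later reader from converting it back. The same applies to `ip_ident` in net/core/netpoll.c. The body of ceph_pr_addr() continues outside the second hunk.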
118521diff --git a/net/compat.c b/net/compat.c
118522index 5cfd26a..7e43828 100644
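--- a/net/compat.c
+++ b/net/compat.c
@@ -98,20 +98,20 @@ int get_compat_msghdr(struct msghdr *kmsg,
 
 #define CMSG_COMPAT_FIRSTHDR(msg) \
 (((msg)->msg_controllen) >= sizeof(struct compat_cmsghdr) ? \
- (struct compat_cmsghdr __user *)((msg)->msg_control) : \
+ (struct compat_cmsghdr __force_user *)((msg)->msg_control) : \
 (struct compat_cmsghdr __user *)NULL)
 
 #define CMSG_COMPAT_OK(ucmlen, ucmsg, mhdr) \
 ((ucmlen) >= sizeof(struct compat_cmsghdr) && \
 (ucmlen) <= (unsigned long) \
 ((mhdr)->msg_controllen - \
- ((char *)(ucmsg) - (char *)(mhdr)->msg_control)))
+ ((char __force_kernel *)(ucmsg) - (char *)(mhdr)->msg_control)))
 
 static inline struct compat_cmsghdr __user *cmsg_compat_nxthdr(struct msghdr *msg,
 struct compat_cmsghdr __user *cmsg, int cmsg_len)
 {
 char __user *ptr = (char __user *)cmsg + CMSG_COMPAT_ALIGN(cmsg_len);
- if ((unsigned long)(ptr + 1 - (char __user *)msg->msg_control) >
+ if ((unsigned long)(ptr + 1 - (char __force_user *)msg->msg_control) >
 msg->msg_controllen)
 return NULL;
 return (struct compat_cmsghdr __user *)ptr;
@@ -201,7 +201,7 @@ Efault:
 
 int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *data)
 {
- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
 struct compat_cmsghdr cmhdr;
 struct compat_timeval ctv;
 struct compat_timespec cts[3];
@@ -257,7 +257,7 @@ int put_cmsg_compat(struct msghdr *kmsg, int level, int type, int len, void *dat
 
 void scm_detach_fds_compat(struct msghdr *kmsg, struct scm_cookie *scm)
 {
- struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __user *) kmsg->msg_control;
+ struct compat_cmsghdr __user *cm = (struct compat_cmsghdr __force_user *) kmsg->msg_control;
 int fdmax = (kmsg->msg_controllen - sizeof(struct compat_cmsghdr)) / sizeof(int);
 int fdnum = scm->fp->count;
 struct file **fp = scm->fp->fp;
@@ -345,7 +345,7 @@ static int do_set_sock_timeout(struct socket *sock, int level,
 return -EFAULT;
 old_fs = get_fs();
 set_fs(KERNEL_DS);
- err = sock_setsockopt(sock, level, optname, (char *)&ktime, sizeof(ktime));
+ err = sock_setsockopt(sock, level, optname, (char __force_user *)&ktime, sizeof(ktime));
 set_fs(old_fs);
 
 return err;
@@ -406,7 +406,7 @@ static int do_get_sock_timeout(struct socket *sock, int level, int optname,
 len = sizeof(ktime);
 old_fs = get_fs();
 set_fs(KERNEL_DS);
- err = sock_getsockopt(sock, level, optname, (char *) &ktime, &len);
+ err = sock_getsockopt(sock, level, optname, (char __force_user *) &ktime, (int __force_user *)&len);
 set_fs(old_fs);
 
 if (!err) {
@@ -549,7 +549,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
 case MCAST_JOIN_GROUP:
 case MCAST_LEAVE_GROUP:
 {
- struct compat_group_req __user *gr32 = (void *)optval;
+ struct compat_group_req __user *gr32 = (void __user *)optval;
 struct group_req __user *kgr =
 compat_alloc_user_space(sizeof(struct group_req));
 u32 interface;
@@ -570,7 +570,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
 case MCAST_BLOCK_SOURCE:
 case MCAST_UNBLOCK_SOURCE:
 {
- struct compat_group_source_req __user *gsr32 = (void *)optval;
+ struct compat_group_source_req __user *gsr32 = (void __user *)optval;
 struct group_source_req __user *kgsr = compat_alloc_user_space(
 sizeof(struct group_source_req));
 u32 interface;
@@ -591,7 +591,7 @@ int compat_mc_setsockopt(struct sock *sock, int level, int optname,
 }
 case MCAST_MSFILTER:
 {
- struct compat_group_filter __user *gf32 = (void *)optval;
+ struct compat_group_filter __user *gf32 = (void __user *)optval;
 struct group_filter __user *kgf;
 u32 interface, fmode, numsrc;
 
@@ -629,7 +629,7 @@ int compat_mc_getsockopt(struct sock *sock, int level, int optname,
 char __user *optval, int __user *optlen,
 int (*getsockopt)(struct sock *, int, int, char __user *, int __user *))
 {
- struct compat_group_filter __user *gf32 = (void *)optval;
+ struct compat_group_filter __user *gf32 = (void __user *)optval;
 struct group_filter __user *kgf;
 int __user *koptlen;
 u32 interface, fmode, numsrc;
@@ -773,7 +773,7 @@ COMPAT_SYSCALL_DEFINE2(socketcall, int, call, u32 __user *, args)
 
 if (call < SYS_SOCKET || call > SYS_SENDMMSG)
 return -EINVAL;
- if (copy_from_user(a, args, nas[call]))
+ if (nas[call] > sizeof a || copy_from_user(a, args, nas[call]))
 return -EFAULT;
 a0 = a[0];
 a1 = a[1];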
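Review bot: In the socketcall hunk the new size guard `nas[call] > sizeof a` shares the `-EFAULT` return with `copy_from_user()`, so an oversized table entry would be reported to the caller as a bad user pointer. If `nas[]` is a constant table, as the indexing suggests, the condition describes a kernel-side inconsistency and not a user error; I would separate it with `if (nas[call] > sizeof(a)) return -EINVAL;` ahead of the copy. Separately, the `__force_user` casts on `&ktime` and `&len` in do_set_sock_timeout() and do_get_sock_timeout() are only valid inside the `set_fs(KERNEL_DS)` window shown in those hunks, which deserves a short comment at each call. The enclosing functions start and end outside the hunks.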
118630diff --git a/net/core/datagram.c b/net/core/datagram.c
118631index 617088a..0364f4f 100644
118632--- a/net/core/datagram.c
118633+++ b/net/core/datagram.c
118634@@ -338,7 +338,7 @@ int skb_kill_datagram(struct sock *sk, struct sk_buff *skb, unsigned int flags)
118635 }
118636
118637 kfree_skb(skb);
118638- atomic_inc(&sk->sk_drops);
118639+ atomic_inc_unchecked(&sk->sk_drops);
118640 sk_mem_reclaim_partial(sk);
118641
118642 return err;
118643diff --git a/net/core/dev.c b/net/core/dev.c
118644index a8e4dd4..aab06f7 100644
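--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1721,7 +1721,7 @@ int __dev_forward_skb(struct net_device *dev, struct sk_buff *skb)
 {
 if (skb_orphan_frags(skb, GFP_ATOMIC) ||
 unlikely(!is_skb_forwardable(dev, skb))) {
- atomic_long_inc(&dev->rx_dropped);
+ atomic_long_inc_unchecked(&dev->rx_dropped);
 kfree_skb(skb);
 return NET_RX_DROP;
 }
@@ -3125,7 +3125,7 @@ recursion_alert:
 drop:
 rcu_read_unlock_bh();
 
- atomic_long_inc(&dev->tx_dropped);
+ atomic_long_inc_unchecked(&dev->tx_dropped);
 kfree_skb_list(skb);
 return rc;
 out:
@@ -3477,7 +3477,7 @@ drop:
 
 local_irq_restore(flags);
 
- atomic_long_inc(&skb->dev->rx_dropped);
+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
 kfree_skb(skb);
 return NET_RX_DROP;
 }
@@ -3554,7 +3554,7 @@ int netif_rx_ni(struct sk_buff *skb)
 }
 EXPORT_SYMBOL(netif_rx_ni);
 
-static void net_tx_action(struct softirq_action *h)
+static __latent_entropy void net_tx_action(void)
 {
 struct softnet_data *sd = this_cpu_ptr(&softnet_data);
 
@@ -3892,7 +3892,7 @@ ncls:
 ret = pt_prev->func(skb, skb->dev, pt_prev, orig_dev);
 } else {
 drop:
- atomic_long_inc(&skb->dev->rx_dropped);
+ atomic_long_inc_unchecked(&skb->dev->rx_dropped);
 kfree_skb(skb);
 /* Jamal, now you will not able to escape explaining
 * me how you were going to use this. :-)
@@ -4783,7 +4783,7 @@ out_unlock:
 return work;
 }
 
-static void net_rx_action(struct softirq_action *h)
+static __latent_entropy void net_rx_action(void)
 {
 struct softnet_data *sd = this_cpu_ptr(&softnet_data);
 unsigned long time_limit = jiffies + 2;
@@ -6843,8 +6843,8 @@ struct rtnl_link_stats64 *dev_get_stats(struct net_device *dev,
 } else {
 netdev_stats_to_stats64(storage, &dev->stats);
 }
- storage->rx_dropped += atomic_long_read(&dev->rx_dropped);
- storage->tx_dropped += atomic_long_read(&dev->tx_dropped);
+ storage->rx_dropped += atomic_long_read_unchecked(&dev->rx_dropped);
+ storage->tx_dropped += atomic_long_read_unchecked(&dev->tx_dropped);
 return storage;
 }
 EXPORT_SYMBOL(dev_get_stats);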
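Review bot: `net_tx_action()` and `net_rx_action()` lose their `struct softirq_action *` argument, so they stay type-compatible with their registration only if the softirq handler prototype is changed in the same patch; that part is not in this section and should be checked together with it. The new `__latent_entropy` attribute on both handlers is also undocumented here; a comment such as `/* softirq handlers take no argument in this tree; __latent_entropy marks the function for entropy instrumentation */` above each would make the deviation from mainline explicit, with the wording confirmed against the attribute's definition. The drop counters switched to the `_unchecked` variants are statistics, and the read side in dev_get_stats() is converted consistently. Both handler bodies continue outside the hunks.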
118712diff --git a/net/core/dev_ioctl.c b/net/core/dev_ioctl.c
118713index b94b1d2..da3ed7c 100644
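--- a/net/core/dev_ioctl.c
+++ b/net/core/dev_ioctl.c
@@ -368,8 +368,13 @@ void dev_load(struct net *net, const char *name)
 no_module = !dev;
 if (no_module && capable(CAP_NET_ADMIN))
 no_module = request_module("netdev-%s", name);
- if (no_module && capable(CAP_SYS_MODULE))
+ if (no_module && capable(CAP_SYS_MODULE)) {
+#ifdef CONFIG_GRKERNSEC_MODHARDEN
+ ___request_module(true, "grsec_modharden_netdev", "%s", name);
+#else
 request_module("%s", name);
+#endif
+ }
 }
 EXPORT_SYMBOL(dev_load);
 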
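Review bot: In the CONFIG_GRKERNSEC_MODHARDEN branch of dev_load() the literal `"grsec_modharden_netdev"` is passed to `___request_module()` with no explanation of its role, and the helper is not defined in this section. The call still forwards the caller-supplied `name` unprefixed, so a reader needs to know that the literal is a tag for the module-loading policy and not a module name, which is an assumption to confirm against the helper. I would add `/* tag the request so the modharden policy can identify netdev auto-loading by bare name */` above the call. The start of dev_load() is outside the hunk.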
118731diff --git a/net/core/filter.c b/net/core/filter.c
118732index 8dcdd86..a809731 100644
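--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -582,7 +582,11 @@ do_pass:
 
 /* Unknown instruction. */
 default:
- goto err;
+ WARN(1, KERN_ALERT "Unknown sock filter code:%u jt:%u tf:%u k:%u\n",
+ fp->code, fp->jt, fp->jf, fp->k);
+ kfree(addrs);
+ BUG();
+ return -EINVAL;
 }
 
 insn++;
@@ -626,7 +630,7 @@ static int check_load_and_stores(const struct sock_filter *filter, int flen)
 u16 *masks, memvalid = 0; /* One bit per cell, 16 cells */
 int pc, ret = 0;
 
- BUILD_BUG_ON(BPF_MEMWORDS > 16);
+ BUILD_BUG_ON(BPF_MEMWORDS != 16);
 
 masks = kmalloc_array(flen, sizeof(*masks), GFP_KERNEL);
 if (!masks)
@@ -1055,7 +1059,7 @@ int bpf_prog_create(struct bpf_prog **pfp, struct sock_fprog_kern *fprog)
 if (!fp)
 return -ENOMEM;
 
- memcpy(fp->insns, (void __force_kernel *)fprog->filter, fsize);
+ memcpy(fp->insns, (void __force_kernel *)fprog->filter, fsize);
 
 fp->len = fprog->len;
 /* Since unattached filters are not copied back to user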
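Review bot: In the `default:` case of the first hunk the label `tf:%u` is printed from `fp->jf`, and `return -EINVAL` after `BUG()` cannot run when BUG() is enabled, so the `kfree(addrs)` and the return are dead code. More important, `BUG()` turns an unknown opcode into a kernel crash where the old code failed the conversion with `goto err`; if any path lets an unvalidated classic filter reach this switch, the result is a denial of service and not a rejected filter. I would keep the diagnostic and the error return: `WARN(1, KERN_ALERT "Unknown sock filter code:%u jt:%u jf:%u k:%u\n", fp->code, fp->jt, fp->jf, fp->k);` followed by `goto err;`. The enclosing function starts and ends outside the hunk.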
118766diff --git a/net/core/flow.c b/net/core/flow.c
118767index 1033725..340f65d 100644
118768--- a/net/core/flow.c
118769+++ b/net/core/flow.c
118770@@ -65,7 +65,7 @@ static void flow_cache_new_hashrnd(unsigned long arg)
118771 static int flow_entry_valid(struct flow_cache_entry *fle,
118772 struct netns_xfrm *xfrm)
118773 {
118774- if (atomic_read(&xfrm->flow_cache_genid) != fle->genid)
118775+ if (atomic_read_unchecked(&xfrm->flow_cache_genid) != fle->genid)
118776 return 0;
118777 if (fle->object && !fle->object->ops->check(fle->object))
118778 return 0;
118779@@ -242,7 +242,7 @@ flow_cache_lookup(struct net *net, const struct flowi *key, u16 family, u8 dir,
118780 hlist_add_head(&fle->u.hlist, &fcp->hash_table[hash]);
118781 fcp->hash_count++;
118782 }
118783- } else if (likely(fle->genid == atomic_read(&net->xfrm.flow_cache_genid))) {
118784+ } else if (likely(fle->genid == atomic_read_unchecked(&net->xfrm.flow_cache_genid))) {
118785 flo = fle->object;
118786 if (!flo)
118787 goto ret_object;
118788@@ -263,7 +263,7 @@ nocache:
118789 }
118790 flo = resolver(net, key, family, dir, flo, ctx);
118791 if (fle) {
118792- fle->genid = atomic_read(&net->xfrm.flow_cache_genid);
118793+ fle->genid = atomic_read_unchecked(&net->xfrm.flow_cache_genid);
118794 if (!IS_ERR(flo))
118795 fle->object = flo;
118796 else
118797diff --git a/net/core/neighbour.c b/net/core/neighbour.c
118798index 84195da..035c7a7 100644
118799--- a/net/core/neighbour.c
118800+++ b/net/core/neighbour.c
118801@@ -2821,7 +2821,7 @@ static int proc_unres_qlen(struct ctl_table *ctl, int write,
118802 void __user *buffer, size_t *lenp, loff_t *ppos)
118803 {
118804 int size, ret;
118805- struct ctl_table tmp = *ctl;
118806+ ctl_table_no_const tmp = *ctl;
118807
118808 tmp.extra1 = &zero;
118809 tmp.extra2 = &unres_qlen_max;
118810@@ -2883,7 +2883,7 @@ static int neigh_proc_dointvec_zero_intmax(struct ctl_table *ctl, int write,
118811 void __user *buffer,
118812 size_t *lenp, loff_t *ppos)
118813 {
118814- struct ctl_table tmp = *ctl;
118815+ ctl_table_no_const tmp = *ctl;
118816 int ret;
118817
118818 tmp.extra1 = &zero;
118819diff --git a/net/core/net-procfs.c b/net/core/net-procfs.c
118820index 2bf8329..2eb1423 100644
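--- a/net/core/net-procfs.c
+++ b/net/core/net-procfs.c
@@ -79,7 +79,13 @@ static void dev_seq_printf_stats(struct seq_file *seq, struct net_device *dev)
 struct rtnl_link_stats64 temp;
 const struct rtnl_link_stats64 *stats = dev_get_stats(dev, &temp);
 
- seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
+ if (gr_proc_is_restricted())
+ seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
+ "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
+ dev->name, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL,
+ 0ULL, 0ULL, 0ULL, 0ULL, 0ULL, 0ULL);
+ else
+ seq_printf(seq, "%6s: %7llu %7llu %4llu %4llu %4llu %5llu %10llu %9llu "
 "%8llu %7llu %4llu %4llu %4llu %5llu %7llu %10llu\n",
 dev->name, stats->rx_bytes, stats->rx_packets,
 stats->rx_errors,
@@ -166,7 +172,7 @@ static int softnet_seq_show(struct seq_file *seq, void *v)
 return 0;
 }
 
-static const struct seq_operations dev_seq_ops = {
+const struct seq_operations dev_seq_ops = {
 .start = dev_seq_start,
 .next = dev_seq_next,
 .stop = dev_seq_stop,
@@ -196,7 +202,7 @@ static const struct seq_operations softnet_seq_ops = {
 
 static int softnet_seq_open(struct inode *inode, struct file *file)
 {
- return seq_open(file, &softnet_seq_ops);
+ return seq_open_restrict(file, &softnet_seq_ops);
 }
 
 static const struct file_operations softnet_seq_fops = {
@@ -283,8 +289,13 @@ static int ptype_seq_show(struct seq_file *seq, void *v)
 else
 seq_printf(seq, "%04x", ntohs(pt->type));
 
+#ifdef CONFIG_GRKERNSEC_HIDESYM
+ seq_printf(seq, " %-8s %pf\n",
+ pt->dev ? pt->dev->name : "", NULL);
+#else
 seq_printf(seq, " %-8s %pf\n",
 pt->dev ? pt->dev->name : "", pt->func);
+#endif
 }
 
 return 0;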
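Review bot: dev_seq_printf_stats() now carries the 16-field format string twice, once with literal `0ULL` arguments and once with the real counters, so a later change to the column layout has to be made in two places. Zeroing the local copy keeps a single `seq_printf()`: `if (gr_proc_is_restricted()) { memset(&temp, 0, sizeof(temp)); stats = &temp; }` placed before the existing call. The restricted branch still prints `dev->name`, so interface names stay visible to restricted readers; if that is intended, a comment should say so. The function bodies continue outside the hunks.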
118870diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
118871index 18b34d7..faecc1d 100644
118872--- a/net/core/net-sysfs.c
118873+++ b/net/core/net-sysfs.c
118874@@ -288,7 +288,7 @@ static ssize_t carrier_changes_show(struct device *dev,
118875 {
118876 struct net_device *netdev = to_net_dev(dev);
118877 return sprintf(buf, fmt_dec,
118878- atomic_read(&netdev->carrier_changes));
118879+ atomic_read_unchecked(&netdev->carrier_changes));
118880 }
118881 static DEVICE_ATTR_RO(carrier_changes);
118882
118883diff --git a/net/core/net_namespace.c b/net/core/net_namespace.c
118884index 2c2eb1b..a53be3e 100644
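--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -775,7 +775,7 @@ static int __register_pernet_operations(struct list_head *list,
 int error;
 LIST_HEAD(net_exit_list);
 
- list_add_tail(&ops->list, list);
+ pax_list_add_tail((struct list_head *)&ops->list, list);
 if (ops->init || (ops->id && ops->size)) {
 for_each_net(net) {
 error = ops_init(ops, net);
@@ -788,7 +788,7 @@ static int __register_pernet_operations(struct list_head *list,
 
 out_undo:
 /* If I have an error cleanup all namespaces I initialized */
- list_del(&ops->list);
+ pax_list_del((struct list_head *)&ops->list);
 ops_exit_list(ops, &net_exit_list);
 ops_free_list(ops, &net_exit_list);
 return error;
@@ -799,7 +799,7 @@ static void __unregister_pernet_operations(struct pernet_operations *ops)
 struct net *net;
 LIST_HEAD(net_exit_list);
 
- list_del(&ops->list);
+ pax_list_del((struct list_head *)&ops->list);
 for_each_net(net)
 list_add_tail(&net->exit_list, &net_exit_list);
 ops_exit_list(ops, &net_exit_list);
@@ -933,7 +933,7 @@ int register_pernet_device(struct pernet_operations *ops)
 mutex_lock(&net_mutex);
 error = register_pernet_operations(&pernet_list, ops);
 if (!error && (first_device == &pernet_list))
- first_device = &ops->list;
+ first_device = (struct list_head *)&ops->list;
 mutex_unlock(&net_mutex);
 return error;
 }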
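Review bot: The cast `(struct list_head *)&ops->list` is repeated at all four sites with no comment saying why stripping the qualifier is safe. At the three `pax_list_*` calls the helper presumably handles the write to the protected node, but `first_device = (struct list_head *)&ops->list;` in register_pernet_device() keeps a plain writable alias to the same node, and any ordinary `list_*` call through `first_device` elsewhere in the file would not go through that helper. A comment at the assignment, for example `/* node may live in read-only ops; modify only through pax_list_*() */`, would document the constraint. The functions start outside the hunks.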
118923diff --git a/net/core/netpoll.c b/net/core/netpoll.c
118924index c126a87..10ad89d 100644
118925--- a/net/core/netpoll.c
118926+++ b/net/core/netpoll.c
118927@@ -377,7 +377,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
118928 struct udphdr *udph;
118929 struct iphdr *iph;
118930 struct ethhdr *eth;
118931- static atomic_t ip_ident;
118932+ static atomic_unchecked_t ip_ident;
118933 struct ipv6hdr *ip6h;
118934
118935 udp_len = len + sizeof(*udph);
118936@@ -448,7 +448,7 @@ void netpoll_send_udp(struct netpoll *np, const char *msg, int len)
118937 put_unaligned(0x45, (unsigned char *)iph);
118938 iph->tos = 0;
118939 put_unaligned(htons(ip_len), &(iph->tot_len));
118940- iph->id = htons(atomic_inc_return(&ip_ident));
118941+ iph->id = htons(atomic_inc_return_unchecked(&ip_ident));
118942 iph->frag_off = 0;
118943 iph->ttl = 64;
118944 iph->protocol = IPPROTO_UDP;
118945diff --git a/net/core/pktgen.c b/net/core/pktgen.c
118946index 1cbd209..9553598 100644
118947--- a/net/core/pktgen.c
118948+++ b/net/core/pktgen.c
118949@@ -3828,7 +3828,7 @@ static int __net_init pg_net_init(struct net *net)
118950 pn->net = net;
118951 INIT_LIST_HEAD(&pn->pktgen_threads);
118952 pn->pktgen_exiting = false;
118953- pn->proc_dir = proc_mkdir(PG_PROC_DIR, pn->net->proc_net);
118954+ pn->proc_dir = proc_mkdir_restrict(PG_PROC_DIR, pn->net->proc_net);
118955 if (!pn->proc_dir) {
118956 pr_warn("cannot create /proc/net/%s\n", PG_PROC_DIR);
118957 return -ENODEV;
118958diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
118959index 0861018..1fd388b 100644
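--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -61,7 +61,7 @@ struct rtnl_link {
 rtnl_doit_func doit;
 rtnl_dumpit_func dumpit;
 rtnl_calcit_func calcit;
-};
+} __no_const;
 
 static DEFINE_MUTEX(rtnl_mutex);
 
@@ -307,10 +307,13 @@ int __rtnl_link_register(struct rtnl_link_ops *ops)
 * to use the ops for creating device. So do not
 * fill up dellink as well. That disables rtnl_dellink.
 */
- if (ops->setup && !ops->dellink)
- ops->dellink = unregister_netdevice_queue;
+ if (ops->setup && !ops->dellink) {
+ pax_open_kernel();
+ *(void **)&ops->dellink = unregister_netdevice_queue;
+ pax_close_kernel();
+ }
 
- list_add_tail(&ops->list, &link_ops);
+ pax_list_add_tail((struct list_head *)&ops->list, &link_ops);
 return 0;
 }
 EXPORT_SYMBOL_GPL(__rtnl_link_register);
@@ -357,7 +360,7 @@ void __rtnl_link_unregister(struct rtnl_link_ops *ops)
 for_each_net(net) {
 __rtnl_kill_links(net, ops);
 }
- list_del(&ops->list);
+ pax_list_del((struct list_head *)&ops->list);
 }
 EXPORT_SYMBOL_GPL(__rtnl_link_unregister);
 
@@ -1082,7 +1085,7 @@ static int rtnl_fill_ifinfo(struct sk_buff *skb, struct net_device *dev,
 (dev->ifalias &&
 nla_put_string(skb, IFLA_IFALIAS, dev->ifalias)) ||
 nla_put_u32(skb, IFLA_CARRIER_CHANGES,
- atomic_read(&dev->carrier_changes)))
+ atomic_read_unchecked(&dev->carrier_changes)))
 goto nla_put_failure;
 
 if (1) {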
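Review bot: In __rtnl_link_register() the store `*(void **)&ops->dellink = unregister_netdevice_queue;` writes a function pointer through a `void **`, which removes the compiler's check that the handler matches the type of `dellink`. If either prototype changes later, this line will still compile. A compile-time assertion next to it restores the check, for example `BUILD_BUG_ON(!__same_type(ops->dellink, &unregister_netdevice_queue));`, and a short comment should say that the cast exists because the ops structure is treated as read-only outside the `pax_open_kernel()`/`pax_close_kernel()` window. The function starts outside the hunk.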
119006diff --git a/net/core/scm.c b/net/core/scm.c
119007index 3b6899b..20d20e7 100644
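--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -209,9 +209,9 @@ EXPORT_SYMBOL(__scm_send);
 int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
 {
 struct cmsghdr __user *cm
- = (__force struct cmsghdr __user *)msg->msg_control;
+ = (struct cmsghdr __force_user *)msg->msg_control;
 struct cmsghdr cmhdr;
- int cmlen = CMSG_LEN(len);
+ size_t cmlen = CMSG_LEN(len);
 int err;
 
 if (MSG_CMSG_COMPAT & msg->msg_flags)
@@ -232,7 +232,7 @@ int put_cmsg(struct msghdr * msg, int level, int type, int len, void *data)
 err = -EFAULT;
 if (copy_to_user(cm, &cmhdr, sizeof cmhdr))
 goto out;
- if (copy_to_user(CMSG_DATA(cm), data, cmlen - sizeof(struct cmsghdr)))
+ if (copy_to_user((void __force_user *)CMSG_DATA((void __force_kernel *)cm), data, cmlen - sizeof(struct cmsghdr)))
 goto out;
 cmlen = CMSG_SPACE(len);
 if (msg->msg_controllen < cmlen)
@@ -248,7 +248,7 @@ EXPORT_SYMBOL(put_cmsg);
 void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 {
 struct cmsghdr __user *cm
- = (__force struct cmsghdr __user*)msg->msg_control;
+ = (struct cmsghdr __force_user *)msg->msg_control;
 
 int fdmax = 0;
 int fdnum = scm->fp->count;
@@ -268,7 +268,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 if (fdnum < fdmax)
 fdmax = fdnum;
 
- for (i=0, cmfptr=(__force int __user *)CMSG_DATA(cm); i<fdmax;
+ for (i=0, cmfptr=(int __force_user *)CMSG_DATA((void __force_kernel *)cm); i<fdmax;
 i++, cmfptr++)
 {
 struct socket *sock;
@@ -297,7 +297,7 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 
 if (i > 0)
 {
- int cmlen = CMSG_LEN(i*sizeof(int));
+ size_t cmlen = CMSG_LEN(i*sizeof(int));
 err = put_user(SOL_SOCKET, &cm->cmsg_level);
 if (!err)
 err = put_user(SCM_RIGHTS, &cm->cmsg_type);
@@ -305,6 +305,8 @@ void scm_detach_fds(struct msghdr *msg, struct scm_cookie *scm)
 err = put_user(cmlen, &cm->cmsg_len);
 if (!err) {
 cmlen = CMSG_SPACE(i*sizeof(int));
+ if (msg->msg_controllen < cmlen)
+ cmlen = msg->msg_controllen;
 msg->msg_control += cmlen;
 msg->msg_controllen -= cmlen;
 }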
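Review bot: The clamp added at the end of scm_detach_fds(), `if (msg->msg_controllen < cmlen) cmlen = msg->msg_controllen;`, has no comment explaining what it guards. `CMSG_SPACE()` rounds the length up, so without the clamp the following `msg->msg_controllen -= cmlen` could pass zero and wrap if the field is unsigned; that is worth writing down as `/* CMSG_SPACE() pads; never consume more than the caller's remaining control buffer */`. The paired casts `(void __force_user *)CMSG_DATA((void __force_kernel *)cm)` appear in put_cmsg() and again in the fd loop and would be easier to audit behind one small helper macro. Both functions extend beyond the hunks.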
119067diff --git a/net/core/skbuff.c b/net/core/skbuff.c
119068index 7bfa187..032715a 100644
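--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2103,7 +2103,7 @@ EXPORT_SYMBOL(__skb_checksum);
 __wsum skb_checksum(const struct sk_buff *skb, int offset,
 int len, __wsum csum)
 {
- const struct skb_checksum_ops ops = {
+ static const struct skb_checksum_ops ops = {
 .update = csum_partial_ext,
 .combine = csum_block_add_ext,
 };
@@ -3318,12 +3318,14 @@ void __init skb_init(void)
 skbuff_head_cache = kmem_cache_create("skbuff_head_cache",
 sizeof(struct sk_buff),
 0,
- SLAB_HWCACHE_ALIGN|SLAB_PANIC,
+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|
+ SLAB_NO_SANITIZE,
 NULL);
 skbuff_fclone_cache = kmem_cache_create("skbuff_fclone_cache",
 sizeof(struct sk_buff_fclones),
 0,
- SLAB_HWCACHE_ALIGN|SLAB_PANIC,
+ SLAB_HWCACHE_ALIGN|SLAB_PANIC|
+ SLAB_NO_SANITIZE,
 NULL);
 }
 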
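Review bot: `SLAB_NO_SANITIZE` is added to both sk_buff caches in skb_init() without a comment on the trade-off. The flag name suggests these caches are exempted from clearing objects on free, presumably for performance on a hot allocation path, which also means the contents of freed sk_buff heads stay in slab memory until reuse. A comment such as `/* exempt from free-time sanitization for performance; freed sk_buff heads are left uncleared */` would record the decision. The flag's definition is outside this section, so the wording should be confirmed against it.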
119097diff --git a/net/core/sock.c b/net/core/sock.c
119098index 193901d..33094ab 100644
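--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -441,7 +441,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 struct sk_buff_head *list = &sk->sk_receive_queue;
 
 if (atomic_read(&sk->sk_rmem_alloc) >= sk->sk_rcvbuf) {
- atomic_inc(&sk->sk_drops);
+ atomic_inc_unchecked(&sk->sk_drops);
 trace_sock_rcvqueue_full(sk, skb);
 return -ENOMEM;
 }
@@ -451,7 +451,7 @@ int sock_queue_rcv_skb(struct sock *sk, struct sk_buff *skb)
 return err;
 
 if (!sk_rmem_schedule(sk, skb, skb->truesize)) {
- atomic_inc(&sk->sk_drops);
+ atomic_inc_unchecked(&sk->sk_drops);
 return -ENOBUFS;
 }
 
@@ -484,7 +484,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
 skb->dev = NULL;
 
 if (sk_rcvqueues_full(sk, sk->sk_rcvbuf)) {
- atomic_inc(&sk->sk_drops);
+ atomic_inc_unchecked(&sk->sk_drops);
 goto discard_and_relse;
 }
 if (nested)
@@ -502,7 +502,7 @@ int sk_receive_skb(struct sock *sk, struct sk_buff *skb, const int nested)
 mutex_release(&sk->sk_lock.dep_map, 1, _RET_IP_);
 } else if (sk_add_backlog(sk, skb, sk->sk_rcvbuf)) {
 bh_unlock_sock(sk);
- atomic_inc(&sk->sk_drops);
+ atomic_inc_unchecked(&sk->sk_drops);
 goto discard_and_relse;
 }
 
@@ -908,6 +908,7 @@ set_rcvbuf:
 }
 break;
 
+#ifndef GRKERNSEC_BPF_HARDEN
 case SO_ATTACH_BPF:
 ret = -EINVAL;
 if (optlen == sizeof(u32)) {
@@ -920,7 +921,7 @@ set_rcvbuf:
 ret = sk_attach_bpf(ufd, sk);
 }
 break;
-
+#endif
 case SO_DETACH_FILTER:
 ret = sk_detach_filter(sk);
 break;
@@ -1022,12 +1023,12 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
 struct timeval tm;
 } v;
 
- int lv = sizeof(int);
- int len;
+ unsigned int lv = sizeof(int);
+ unsigned int len;
 
 if (get_user(len, optlen))
 return -EFAULT;
- if (len < 0)
+ if (len > INT_MAX)
 return -EINVAL;
 
 memset(&v, 0, sizeof(v));
@@ -1165,11 +1166,11 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
 
 case SO_PEERNAME:
 {
- char address[128];
+ char address[_K_SS_MAXSIZE];
 
 if (sock->ops->getname(sock, (struct sockaddr *)address, &lv, 2))
 return -ENOTCONN;
- if (lv < len)
+ if (lv < len || sizeof address < len)
 return -EINVAL;
 if (copy_to_user(optval, address, len))
 return -EFAULT;
@@ -1257,7 +1258,7 @@ int sock_getsockopt(struct socket *sock, int level, int optname,
 
 if (len > lv)
 len = lv;
- if (copy_to_user(optval, &v, len))
+ if (len > sizeof(v) || copy_to_user(optval, &v, len))
 return -EFAULT;
 lenout:
 if (put_user(len, optlen))
@@ -1550,7 +1551,7 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority)
 newsk->sk_err = 0;
 newsk->sk_priority = 0;
 newsk->sk_incoming_cpu = raw_smp_processor_id();
- atomic64_set(&newsk->sk_cookie, 0);
+ atomic64_set_unchecked(&newsk->sk_cookie, 0);
 /*
 * Before updating sk_refcnt, we must commit prior changes to memory
 * (Documentation/RCU/rculist_nulls.txt for details)
@@ -2359,7 +2360,7 @@ void sock_init_data(struct socket *sock, struct sock *sk)
 */
 smp_wmb();
 atomic_set(&sk->sk_refcnt, 1);
- atomic_set(&sk->sk_drops, 0);
+ atomic_set_unchecked(&sk->sk_drops, 0);
 }
 EXPORT_SYMBOL(sock_init_data);
 
@@ -2487,6 +2488,7 @@ void sock_enable_timestamp(struct sock *sk, int flag)
 int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
 int level, int type)
 {
+ struct sock_extended_err ee;
 struct sock_exterr_skb *serr;
 struct sk_buff *skb;
 int copied, err;
@@ -2508,7 +2510,8 @@ int sock_recv_errqueue(struct sock *sk, struct msghdr *msg, int len,
 sock_recv_timestamp(msg, sk, skb);
 
 serr = SKB_EXT_ERR(skb);
- put_cmsg(msg, level, type, sizeof(serr->ee), &serr->ee);
+ ee = serr->ee;
+ put_cmsg(msg, level, type, sizeof ee, &ee);
 
 msg->msg_flags |= MSG_ERRQUEUE;
 err = copied;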
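Review bot: The guard added around `case SO_ATTACH_BPF:` reads `#ifndef GRKERNSEC_BPF_HARDEN`, without the `CONFIG_` prefix that the same patch uses in net/core/sysctl_net_core.c (`!defined(CONFIG_GRKERNSEC_BPF_HARDEN)`). Kconfig options reach C code as `CONFIG_*` macros, so unless `GRKERNSEC_BPF_HARDEN` is defined separately somewhere outside this section, the `#ifndef` is always true and `SO_ATTACH_BPF` stays reachable with the hardening option enabled. The line should be `#ifndef CONFIG_GRKERNSEC_BPF_HARDEN`. The switch statement this case belongs to starts and ends outside the hunk.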
119229diff --git a/net/core/sock_diag.c b/net/core/sock_diag.c
119230index 817622f..2577b26 100644
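--- a/net/core/sock_diag.c
+++ b/net/core/sock_diag.c
@@ -12,7 +12,7 @@
 #include <linux/inet_diag.h>
 #include <linux/sock_diag.h>
 
-static const struct sock_diag_handler *sock_diag_handlers[AF_MAX];
+static const struct sock_diag_handler *sock_diag_handlers[AF_MAX] __read_only;
 static int (*inet_rcv_compat)(struct sk_buff *skb, struct nlmsghdr *nlh);
 static DEFINE_MUTEX(sock_diag_table_mutex);
 static struct workqueue_struct *broadcast_wq;
@@ -20,12 +20,12 @@ static struct workqueue_struct *broadcast_wq;
 static u64 sock_gen_cookie(struct sock *sk)
 {
 while (1) {
- u64 res = atomic64_read(&sk->sk_cookie);
+ u64 res = atomic64_read_unchecked(&sk->sk_cookie);
 
 if (res)
 return res;
- res = atomic64_inc_return(&sock_net(sk)->cookie_gen);
- atomic64_cmpxchg(&sk->sk_cookie, 0, res);
+ res = atomic64_inc_return_unchecked(&sock_net(sk)->cookie_gen);
+ atomic64_cmpxchg_unchecked(&sk->sk_cookie, 0, res);
 }
 }
 
@@ -190,8 +190,11 @@ int sock_diag_register(const struct sock_diag_handler *hndl)
 mutex_lock(&sock_diag_table_mutex);
 if (sock_diag_handlers[hndl->family])
 err = -EBUSY;
- else
+ else {
+ pax_open_kernel();
 sock_diag_handlers[hndl->family] = hndl;
+ pax_close_kernel();
+ }
 mutex_unlock(&sock_diag_table_mutex);
 
 return err;
@@ -207,7 +210,9 @@ void sock_diag_unregister(const struct sock_diag_handler *hnld)
 
 mutex_lock(&sock_diag_table_mutex);
 BUG_ON(sock_diag_handlers[family] != hnld);
+ pax_open_kernel();
 sock_diag_handlers[family] = NULL;
+ pax_close_kernel();
 mutex_unlock(&sock_diag_table_mutex);
 }
 EXPORT_SYMBOL_GPL(sock_diag_unregister);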
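Review bot: `sock_diag_handlers[]` becomes `__read_only` in the first hunk, but the function pointer `inet_rcv_compat` declared on the next line stays in ordinary writable data. Both are dispatch targets in the same file, so the protection given to the handler table leaves the neighbouring pointer uncovered. If its setter (outside these hunks) can be wrapped in `pax_open_kernel()`/`pax_close_kernel()` the same way, it should get `__read_only` too; otherwise a comment should say why it is left writable. In sock_diag_register() and sock_diag_unregister() the open window is limited to the single store, which is the right scope.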
119281diff --git a/net/core/sysctl_net_core.c b/net/core/sysctl_net_core.c
119282index 95b6139..3048623 100644
119283--- a/net/core/sysctl_net_core.c
119284+++ b/net/core/sysctl_net_core.c
119285@@ -35,7 +35,7 @@ static int rps_sock_flow_sysctl(struct ctl_table *table, int write,
119286 {
119287 unsigned int orig_size, size;
119288 int ret, i;
119289- struct ctl_table tmp = {
119290+ ctl_table_no_const tmp = {
119291 .data = &size,
119292 .maxlen = sizeof(size),
119293 .mode = table->mode
119294@@ -203,7 +203,7 @@ static int set_default_qdisc(struct ctl_table *table, int write,
119295 void __user *buffer, size_t *lenp, loff_t *ppos)
119296 {
119297 char id[IFNAMSIZ];
119298- struct ctl_table tbl = {
119299+ ctl_table_no_const tbl = {
119300 .data = id,
119301 .maxlen = IFNAMSIZ,
119302 };
119303@@ -221,7 +221,7 @@ static int set_default_qdisc(struct ctl_table *table, int write,
119304 static int proc_do_rss_key(struct ctl_table *table, int write,
119305 void __user *buffer, size_t *lenp, loff_t *ppos)
119306 {
119307- struct ctl_table fake_table;
119308+ ctl_table_no_const fake_table;
119309 char buf[NETDEV_RSS_KEY_LEN * 3];
119310
119311 snprintf(buf, sizeof(buf), "%*phC", NETDEV_RSS_KEY_LEN, netdev_rss_key);
119312@@ -285,7 +285,7 @@ static struct ctl_table net_core_table[] = {
119313 .mode = 0444,
119314 .proc_handler = proc_do_rss_key,
119315 },
119316-#ifdef CONFIG_BPF_JIT
119317+#if defined(CONFIG_BPF_JIT) && !defined(CONFIG_GRKERNSEC_BPF_HARDEN)
119318 {
119319 .procname = "bpf_jit_enable",
119320 .data = &bpf_jit_enable,
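Review bot: The new preprocessor condition drops the `bpf_jit_enable` entry from net_core_table when CONFIG_GRKERNSEC_BPF_HARDEN is set, but nothing at the site says that the knob then disappears from the net/core sysctl directory or what the JIT setting is fixed to. A comment above the `#if`, for example `/* with GRKERNSEC_BPF_HARDEN the JIT setting is not runtime-tunable, so the entry is omitted */`, would help an administrator who goes looking for the missing sysctl. The wording should be checked against the option's Kconfig help text, which is outside this view. The table entry continues past the end of the hunk.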
119321@@ -409,13 +409,12 @@ static struct ctl_table netns_core_table[] = {
119322
119323 static __net_init int sysctl_core_net_init(struct net *net)
119324 {
119325- struct ctl_table *tbl;
119326+ ctl_table_no_const *tbl = NULL;
119327
119328 net->core.sysctl_somaxconn = SOMAXCONN;
119329
119330- tbl = netns_core_table;
119331 if (!net_eq(net, &init_net)) {
119332- tbl = kmemdup(tbl, sizeof(netns_core_table), GFP_KERNEL);
119333+ tbl = kmemdup(netns_core_table, sizeof(netns_core_table), GFP_KERNEL);
119334 if (tbl == NULL)
119335 goto err_dup;
119336
119337@@ -425,17 +424,16 @@ static __net_init int sysctl_core_net_init(struct net *net)
119338 if (net->user_ns != &init_user_ns) {
119339 tbl[0].procname = NULL;
119340 }
119341- }
119342-
119343- net->core.sysctl_hdr = register_net_sysctl(net, "net/core", tbl);
119344+ net->core.sysctl_hdr = register_net_sysctl(net, "net/core", tbl);
119345+ } else
119346+ net->core.sysctl_hdr = register_net_sysctl(net, "net/core", netns_core_table);
119347 if (net->core.sysctl_hdr == NULL)
119348 goto err_reg;
119349
119350 return 0;
119351
119352 err_reg:
119353- if (tbl != netns_core_table)
119354- kfree(tbl);
119355+ kfree(tbl);
119356 err_dup:
119357 return -ENOMEM;
119358 }
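Review bot: In sysctl_core_net_init() the `if` block is braced and the new `else` arm is not, and the shared `kfree(tbl)` at `err_reg` now depends on `tbl` having been initialised to NULL for init_net, which no comment records. I would brace the else arm and add `/* tbl stays NULL for init_net, so kfree() is a no-op there */` above the `kfree(tbl);`. The function starts in the previous hunk. The same rewrite appears in lowpan_frags_ns_sysctl_register() (6lowpan/reassembly.c) and ip4_frags_ns_ctl_register() (ip_fragment.c), and in a slightly different form in devinet_init_net().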
119359@@ -450,7 +448,7 @@ static __net_exit void sysctl_core_net_exit(struct net *net)
119360 kfree(tbl);
119361 }
119362
119363-static __net_initdata struct pernet_operations sysctl_core_ops = {
119364+static __net_initconst struct pernet_operations sysctl_core_ops = {
119365 .init = sysctl_core_net_init,
119366 .exit = sysctl_core_net_exit,
119367 };
119368diff --git a/net/decnet/af_decnet.c b/net/decnet/af_decnet.c
119369index 675cf94..9279a75 100644
119370--- a/net/decnet/af_decnet.c
119371+++ b/net/decnet/af_decnet.c
119372@@ -466,6 +466,7 @@ static struct proto dn_proto = {
119373 .sysctl_rmem = sysctl_decnet_rmem,
119374 .max_header = DN_MAX_NSP_DATA_HEADER + 64,
119375 .obj_size = sizeof(struct dn_sock),
119376+ .slab_flags = SLAB_USERCOPY,
119377 };
119378
119379 static struct sock *dn_alloc_sock(struct net *net, struct socket *sock, gfp_t gfp, int kern)
119380diff --git a/net/decnet/dn_dev.c b/net/decnet/dn_dev.c
119381index b2c26b0..41f803e 100644
119382--- a/net/decnet/dn_dev.c
119383+++ b/net/decnet/dn_dev.c
119384@@ -201,7 +201,7 @@ static struct dn_dev_sysctl_table {
119385 .extra1 = &min_t3,
119386 .extra2 = &max_t3
119387 },
119388- {0}
119389+ { }
119390 },
119391 };
119392
119393diff --git a/net/decnet/sysctl_net_decnet.c b/net/decnet/sysctl_net_decnet.c
119394index 5325b54..a0d4d69 100644
119395--- a/net/decnet/sysctl_net_decnet.c
119396+++ b/net/decnet/sysctl_net_decnet.c
119397@@ -174,7 +174,7 @@ static int dn_node_address_handler(struct ctl_table *table, int write,
119398
119399 if (len > *lenp) len = *lenp;
119400
119401- if (copy_to_user(buffer, addr, len))
119402+ if (len > sizeof addr || copy_to_user(buffer, addr, len))
119403 return -EFAULT;
119404
119405 *lenp = len;
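Review bot: The added `len > sizeof addr` test in dn_node_address_handler() is folded into the copy_to_user() condition, so a length that exceeds the buffer is reported as -EFAULT, the same code as a bad user pointer, and nothing records that an internal invariant was violated. Splitting it out makes the intent visible and follows the kernel's parenthesised sizeof style, e.g. `if (WARN_ON_ONCE(len > sizeof(addr)))` followed by `return -EFAULT;` ahead of the copy. How `len` and `addr` are set up is outside the hunk, so whether the condition can ever be true cannot be judged from here. The same folded check is added in dn_def_dev_handler() in the next hunk, in do_ip_getsockopt() (ip_sockglue.c) and in raw_geticmpfilter() (raw.c).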
119406@@ -237,7 +237,7 @@ static int dn_def_dev_handler(struct ctl_table *table, int write,
119407
119408 if (len > *lenp) len = *lenp;
119409
119410- if (copy_to_user(buffer, devname, len))
119411+ if (len > sizeof devname || copy_to_user(buffer, devname, len))
119412 return -EFAULT;
119413
119414 *lenp = len;
119415diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c
119416index b445d49..13e8538 100644
119417--- a/net/dsa/dsa.c
119418+++ b/net/dsa/dsa.c
119419@@ -851,7 +851,7 @@ static struct packet_type dsa_pack_type __read_mostly = {
119420 .func = dsa_switch_rcv,
119421 };
119422
119423-static struct notifier_block dsa_netdevice_nb __read_mostly = {
119424+static struct notifier_block dsa_netdevice_nb = {
119425 .notifier_call = dsa_slave_netdevice_event,
119426 };
119427
119428diff --git a/net/hsr/hsr_netlink.c b/net/hsr/hsr_netlink.c
119429index a2c7e4c..3dc9f67 100644
119430--- a/net/hsr/hsr_netlink.c
119431+++ b/net/hsr/hsr_netlink.c
119432@@ -102,7 +102,7 @@ nla_put_failure:
119433 return -EMSGSIZE;
119434 }
119435
119436-static struct rtnl_link_ops hsr_link_ops __read_mostly = {
119437+static struct rtnl_link_ops hsr_link_ops = {
119438 .kind = "hsr",
119439 .maxtype = IFLA_HSR_MAX,
119440 .policy = hsr_policy,
119441diff --git a/net/ieee802154/6lowpan/core.c b/net/ieee802154/6lowpan/core.c
119442index f20a387..2058892 100644
119443--- a/net/ieee802154/6lowpan/core.c
119444+++ b/net/ieee802154/6lowpan/core.c
119445@@ -191,7 +191,7 @@ static void lowpan_dellink(struct net_device *dev, struct list_head *head)
119446 dev_put(real_dev);
119447 }
119448
119449-static struct rtnl_link_ops lowpan_link_ops __read_mostly = {
119450+static struct rtnl_link_ops lowpan_link_ops = {
119451 .kind = "lowpan",
119452 .priv_size = sizeof(struct lowpan_dev_info),
119453 .setup = lowpan_setup,
119454diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c
119455index 214d44a..dcb7f86 100644
119456--- a/net/ieee802154/6lowpan/reassembly.c
119457+++ b/net/ieee802154/6lowpan/reassembly.c
119458@@ -435,14 +435,13 @@ static struct ctl_table lowpan_frags_ctl_table[] = {
119459
119460 static int __net_init lowpan_frags_ns_sysctl_register(struct net *net)
119461 {
119462- struct ctl_table *table;
119463+ ctl_table_no_const *table = NULL;
119464 struct ctl_table_header *hdr;
119465 struct netns_ieee802154_lowpan *ieee802154_lowpan =
119466 net_ieee802154_lowpan(net);
119467
119468- table = lowpan_frags_ns_ctl_table;
119469 if (!net_eq(net, &init_net)) {
119470- table = kmemdup(table, sizeof(lowpan_frags_ns_ctl_table),
119471+ table = kmemdup(lowpan_frags_ns_ctl_table, sizeof(lowpan_frags_ns_ctl_table),
119472 GFP_KERNEL);
119473 if (table == NULL)
119474 goto err_alloc;
119475@@ -457,9 +456,9 @@ static int __net_init lowpan_frags_ns_sysctl_register(struct net *net)
119476 /* Don't export sysctls to unprivileged users */
119477 if (net->user_ns != &init_user_ns)
119478 table[0].procname = NULL;
119479- }
119480-
119481- hdr = register_net_sysctl(net, "net/ieee802154/6lowpan", table);
119482+ hdr = register_net_sysctl(net, "net/ieee802154/6lowpan", table);
119483+ } else
119484+ hdr = register_net_sysctl(net, "net/ieee802154/6lowpan", lowpan_frags_ns_ctl_table);
119485 if (hdr == NULL)
119486 goto err_reg;
119487
119488@@ -467,8 +466,7 @@ static int __net_init lowpan_frags_ns_sysctl_register(struct net *net)
119489 return 0;
119490
119491 err_reg:
119492- if (!net_eq(net, &init_net))
119493- kfree(table);
119494+ kfree(table);
119495 err_alloc:
119496 return -ENOMEM;
119497 }
119498diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
119499index 9532ee8..020410a 100644
119500--- a/net/ipv4/af_inet.c
119501+++ b/net/ipv4/af_inet.c
119502@@ -1392,7 +1392,7 @@ int inet_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len)
119503 return ip_recv_error(sk, msg, len, addr_len);
119504 #if IS_ENABLED(CONFIG_IPV6)
119505 if (sk->sk_family == AF_INET6)
119506- return pingv6_ops.ipv6_recv_error(sk, msg, len, addr_len);
119507+ return pingv6_ops->ipv6_recv_error(sk, msg, len, addr_len);
119508 #endif
119509 return -EINVAL;
119510 }
119511diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
119512index 2d9cb17..20ae904 100644
119513--- a/net/ipv4/devinet.c
119514+++ b/net/ipv4/devinet.c
119515@@ -69,7 +69,8 @@
119516
119517 static struct ipv4_devconf ipv4_devconf = {
119518 .data = {
119519- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
119520+ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0,
119521+ [IPV4_DEVCONF_RP_FILTER - 1] = 1,
119522 [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1,
119523 [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1,
119524 [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1,
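Review bot: The two default changes in `ipv4_devconf`, accept_redirects off and rp_filter on, alter the behaviour of every interface that does not override them, and the initializer carries no comment saying so. An rp_filter value of 1 is the strict mode, which can drop legitimate traffic on hosts with asymmetric routing, so I would note the intent at the site: `/* hardened defaults: ignore ICMP redirects, strict reverse-path filtering */`. The same pair of lines is changed in `ipv4_devconf_dflt` in the next hunk and wants the same comment. The initializer continues past the end of the hunk.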
119525@@ -80,7 +81,8 @@ static struct ipv4_devconf ipv4_devconf = {
119526
119527 static struct ipv4_devconf ipv4_devconf_dflt = {
119528 .data = {
119529- [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 1,
119530+ [IPV4_DEVCONF_ACCEPT_REDIRECTS - 1] = 0,
119531+ [IPV4_DEVCONF_RP_FILTER - 1] = 1,
119532 [IPV4_DEVCONF_SEND_REDIRECTS - 1] = 1,
119533 [IPV4_DEVCONF_SECURE_REDIRECTS - 1] = 1,
119534 [IPV4_DEVCONF_SHARED_MEDIA - 1] = 1,
119535@@ -1579,7 +1581,7 @@ static int inet_dump_ifaddr(struct sk_buff *skb, struct netlink_callback *cb)
119536 idx = 0;
119537 head = &net->dev_index_head[h];
119538 rcu_read_lock();
119539- cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^
119540+ cb->seq = atomic_read_unchecked(&net->ipv4.dev_addr_genid) ^
119541 net->dev_base_seq;
119542 hlist_for_each_entry_rcu(dev, head, index_hlist) {
119543 if (idx < s_idx)
119544@@ -1905,7 +1907,7 @@ static int inet_netconf_dump_devconf(struct sk_buff *skb,
119545 idx = 0;
119546 head = &net->dev_index_head[h];
119547 rcu_read_lock();
119548- cb->seq = atomic_read(&net->ipv4.dev_addr_genid) ^
119549+ cb->seq = atomic_read_unchecked(&net->ipv4.dev_addr_genid) ^
119550 net->dev_base_seq;
119551 hlist_for_each_entry_rcu(dev, head, index_hlist) {
119552 if (idx < s_idx)
119553@@ -2146,7 +2148,7 @@ static int ipv4_doint_and_flush(struct ctl_table *ctl, int write,
119554 #define DEVINET_SYSCTL_FLUSHING_ENTRY(attr, name) \
119555 DEVINET_SYSCTL_COMPLEX_ENTRY(attr, name, ipv4_doint_and_flush)
119556
119557-static struct devinet_sysctl_table {
119558+static const struct devinet_sysctl_table {
119559 struct ctl_table_header *sysctl_header;
119560 struct ctl_table devinet_vars[__IPV4_DEVCONF_MAX];
119561 } devinet_sysctl = {
119562@@ -2280,7 +2282,7 @@ static __net_init int devinet_init_net(struct net *net)
119563 int err;
119564 struct ipv4_devconf *all, *dflt;
119565 #ifdef CONFIG_SYSCTL
119566- struct ctl_table *tbl = ctl_forward_entry;
119567+ ctl_table_no_const *tbl = NULL;
119568 struct ctl_table_header *forw_hdr;
119569 #endif
119570
119571@@ -2298,7 +2300,7 @@ static __net_init int devinet_init_net(struct net *net)
119572 goto err_alloc_dflt;
119573
119574 #ifdef CONFIG_SYSCTL
119575- tbl = kmemdup(tbl, sizeof(ctl_forward_entry), GFP_KERNEL);
119576+ tbl = kmemdup(ctl_forward_entry, sizeof(ctl_forward_entry), GFP_KERNEL);
119577 if (!tbl)
119578 goto err_alloc_ctl;
119579
119580@@ -2318,7 +2320,10 @@ static __net_init int devinet_init_net(struct net *net)
119581 goto err_reg_dflt;
119582
119583 err = -ENOMEM;
119584- forw_hdr = register_net_sysctl(net, "net/ipv4", tbl);
119585+ if (!net_eq(net, &init_net))
119586+ forw_hdr = register_net_sysctl(net, "net/ipv4", tbl);
119587+ else
119588+ forw_hdr = register_net_sysctl(net, "net/ipv4", ctl_forward_entry);
119589 if (!forw_hdr)
119590 goto err_reg_ctl;
119591 net->ipv4.forw_hdr = forw_hdr;
119592@@ -2334,8 +2339,7 @@ err_reg_ctl:
119593 err_reg_dflt:
119594 __devinet_sysctl_unregister(all);
119595 err_reg_all:
119596- if (tbl != ctl_forward_entry)
119597- kfree(tbl);
119598+ kfree(tbl);
119599 err_alloc_ctl:
119600 #endif
119601 if (dflt != &ipv4_devconf_dflt)
119602diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
119603index 6bbc549..28d74951 100644
119604--- a/net/ipv4/fib_frontend.c
119605+++ b/net/ipv4/fib_frontend.c
119606@@ -1083,12 +1083,12 @@ static int fib_inetaddr_event(struct notifier_block *this, unsigned long event,
119607 #ifdef CONFIG_IP_ROUTE_MULTIPATH
119608 fib_sync_up(dev, RTNH_F_DEAD);
119609 #endif
119610- atomic_inc(&net->ipv4.dev_addr_genid);
119611+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
119612 rt_cache_flush(dev_net(dev));
119613 break;
119614 case NETDEV_DOWN:
119615 fib_del_ifaddr(ifa, NULL);
119616- atomic_inc(&net->ipv4.dev_addr_genid);
119617+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
119618 if (!ifa->ifa_dev->ifa_list) {
119619 /* Last address was deleted from this interface.
119620 * Disable IP.
119621@@ -1127,7 +1127,7 @@ static int fib_netdev_event(struct notifier_block *this, unsigned long event, vo
119622 #ifdef CONFIG_IP_ROUTE_MULTIPATH
119623 fib_sync_up(dev, RTNH_F_DEAD);
119624 #endif
119625- atomic_inc(&net->ipv4.dev_addr_genid);
119626+ atomic_inc_unchecked(&net->ipv4.dev_addr_genid);
119627 rt_cache_flush(net);
119628 break;
119629 case NETDEV_DOWN:
119630diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
119631index 3a06586..1020c5b 100644
119632--- a/net/ipv4/fib_semantics.c
119633+++ b/net/ipv4/fib_semantics.c
119634@@ -755,7 +755,7 @@ __be32 fib_info_update_nh_saddr(struct net *net, struct fib_nh *nh)
119635 nh->nh_saddr = inet_select_addr(nh->nh_dev,
119636 nh->nh_gw,
119637 nh->nh_parent->fib_scope);
119638- nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
119639+ nh->nh_saddr_genid = atomic_read_unchecked(&net->ipv4.dev_addr_genid);
119640
119641 return nh->nh_saddr;
119642 }
119643diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
119644index 61b45a1..2970363 100644
119645--- a/net/ipv4/inet_connection_sock.c
119646+++ b/net/ipv4/inet_connection_sock.c
119647@@ -729,8 +729,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
119648 newsk->sk_write_space = sk_stream_write_space;
119649
119650 newsk->sk_mark = inet_rsk(req)->ir_mark;
119651- atomic64_set(&newsk->sk_cookie,
119652- atomic64_read(&inet_rsk(req)->ir_cookie));
119653+ atomic64_set_unchecked(&newsk->sk_cookie,
119654+ atomic64_read_unchecked(&inet_rsk(req)->ir_cookie));
119655
119656 newicsk->icsk_retransmits = 0;
119657 newicsk->icsk_backoff = 0;
119658diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c
119659index 0cb9165..8589720 100644
119660--- a/net/ipv4/inet_hashtables.c
119661+++ b/net/ipv4/inet_hashtables.c
119662@@ -19,6 +19,7 @@
119663 #include <linux/slab.h>
119664 #include <linux/wait.h>
119665 #include <linux/vmalloc.h>
119666+#include <linux/security.h>
119667
119668 #include <net/inet_connection_sock.h>
119669 #include <net/inet_hashtables.h>
119670@@ -54,6 +55,8 @@ u32 sk_ehashfn(const struct sock *sk)
119671 sk->sk_daddr, sk->sk_dport);
119672 }
119673
119674+extern void gr_update_task_in_ip_table(const struct inet_sock *inet);
119675+
119676 /*
119677 * Allocate and initialize a new local port bind bucket.
119678 * The bindhash mutex for snum's hash chain must be held here.
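Review bot: `gr_update_task_in_ip_table()` is declared with a local `extern` prototype in this .c file rather than in a header shared with its definition, so a later signature change on the defining side would not be caught by the compiler here. Moving the prototype into a header that the defining file also includes keeps caller and definition in step. The call added after `spin_unlock(&head->lock)` in the next hunk is unconditional, so that header would also need an empty inline stub if the function can be configured out; its definition is outside this view. The same local-extern pattern is used for `grsec_enable_blackhole` in ip_input.c.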
119679@@ -566,6 +569,8 @@ ok:
119680 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
119681 spin_unlock(&head->lock);
119682
119683+ gr_update_task_in_ip_table(inet_sk(sk));
119684+
119685 if (tw) {
119686 inet_twsk_deschedule(tw);
119687 while (twrefcnt) {
119688diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
119689index 2ffbd16..6e94995 100644
119690--- a/net/ipv4/inet_timewait_sock.c
119691+++ b/net/ipv4/inet_timewait_sock.c
119692@@ -214,7 +214,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk,
119693 tw->tw_ipv6only = 0;
119694 tw->tw_transparent = inet->transparent;
119695 tw->tw_prot = sk->sk_prot_creator;
119696- atomic64_set(&tw->tw_cookie, atomic64_read(&sk->sk_cookie));
119697+ atomic64_set_unchecked(&tw->tw_cookie, atomic64_read_unchecked(&sk->sk_cookie));
119698 twsk_net_set(tw, sock_net(sk));
119699 setup_timer(&tw->tw_timer, tw_timer_handler, (unsigned long)tw);
119700 /*
119701diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
119702index 241afd7..31b95d5 100644
119703--- a/net/ipv4/inetpeer.c
119704+++ b/net/ipv4/inetpeer.c
119705@@ -461,7 +461,7 @@ relookup:
119706 if (p) {
119707 p->daddr = *daddr;
119708 atomic_set(&p->refcnt, 1);
119709- atomic_set(&p->rid, 0);
119710+ atomic_set_unchecked(&p->rid, 0);
119711 p->metrics[RTAX_LOCK-1] = INETPEER_METRICS_NEW;
119712 p->rate_tokens = 0;
119713 /* 60*HZ is arbitrary, but chosen enough high so that the first
119714diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
119715index 921138f..1e011ff 100644
119716--- a/net/ipv4/ip_fragment.c
119717+++ b/net/ipv4/ip_fragment.c
119718@@ -276,7 +276,7 @@ static int ip_frag_too_far(struct ipq *qp)
119719 return 0;
119720
119721 start = qp->rid;
119722- end = atomic_inc_return(&peer->rid);
119723+ end = atomic_inc_return_unchecked(&peer->rid);
119724 qp->rid = end;
119725
119726 rc = qp->q.fragments && (end - start) > max;
119727@@ -780,12 +780,11 @@ static struct ctl_table ip4_frags_ctl_table[] = {
119728
119729 static int __net_init ip4_frags_ns_ctl_register(struct net *net)
119730 {
119731- struct ctl_table *table;
119732+ ctl_table_no_const *table = NULL;
119733 struct ctl_table_header *hdr;
119734
119735- table = ip4_frags_ns_ctl_table;
119736 if (!net_eq(net, &init_net)) {
119737- table = kmemdup(table, sizeof(ip4_frags_ns_ctl_table), GFP_KERNEL);
119738+ table = kmemdup(ip4_frags_ns_ctl_table, sizeof(ip4_frags_ns_ctl_table), GFP_KERNEL);
119739 if (!table)
119740 goto err_alloc;
119741
119742@@ -799,9 +798,10 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net)
119743 /* Don't export sysctls to unprivileged users */
119744 if (net->user_ns != &init_user_ns)
119745 table[0].procname = NULL;
119746- }
119747+ hdr = register_net_sysctl(net, "net/ipv4", table);
119748+ } else
119749+ hdr = register_net_sysctl(net, "net/ipv4", ip4_frags_ns_ctl_table);
119750
119751- hdr = register_net_sysctl(net, "net/ipv4", table);
119752 if (!hdr)
119753 goto err_reg;
119754
119755@@ -809,8 +809,7 @@ static int __net_init ip4_frags_ns_ctl_register(struct net *net)
119756 return 0;
119757
119758 err_reg:
119759- if (!net_eq(net, &init_net))
119760- kfree(table);
119761+ kfree(table);
119762 err_alloc:
119763 return -ENOMEM;
119764 }
119765diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
119766index 5fd7064..d13d75f 100644
119767--- a/net/ipv4/ip_gre.c
119768+++ b/net/ipv4/ip_gre.c
119769@@ -115,7 +115,7 @@ static bool log_ecn_error = true;
119770 module_param(log_ecn_error, bool, 0644);
119771 MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
119772
119773-static struct rtnl_link_ops ipgre_link_ops __read_mostly;
119774+static struct rtnl_link_ops ipgre_link_ops;
119775 static int ipgre_tunnel_init(struct net_device *dev);
119776
119777 static int ipgre_net_id __read_mostly;
119778@@ -819,7 +819,7 @@ static const struct nla_policy ipgre_policy[IFLA_GRE_MAX + 1] = {
119779 [IFLA_GRE_ENCAP_DPORT] = { .type = NLA_U16 },
119780 };
119781
119782-static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
119783+static struct rtnl_link_ops ipgre_link_ops = {
119784 .kind = "gre",
119785 .maxtype = IFLA_GRE_MAX,
119786 .policy = ipgre_policy,
119787@@ -834,7 +834,7 @@ static struct rtnl_link_ops ipgre_link_ops __read_mostly = {
119788 .get_link_net = ip_tunnel_get_link_net,
119789 };
119790
119791-static struct rtnl_link_ops ipgre_tap_ops __read_mostly = {
119792+static struct rtnl_link_ops ipgre_tap_ops = {
119793 .kind = "gretap",
119794 .maxtype = IFLA_GRE_MAX,
119795 .policy = ipgre_policy,
119796diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
119797index 2db4c87..4db9282 100644
119798--- a/net/ipv4/ip_input.c
119799+++ b/net/ipv4/ip_input.c
119800@@ -147,6 +147,10 @@
119801 #include <linux/mroute.h>
119802 #include <linux/netlink.h>
119803
119804+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119805+extern int grsec_enable_blackhole;
119806+#endif
119807+
119808 /*
119809 * Process Router Attention IP option (RFC 2113)
119810 */
119811@@ -223,6 +227,9 @@ static int ip_local_deliver_finish(struct sock *sk, struct sk_buff *skb)
119812 if (!raw) {
119813 if (xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) {
119814 IP_INC_STATS_BH(net, IPSTATS_MIB_INUNKNOWNPROTOS);
119815+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
119816+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
119817+#endif
119818 icmp_send(skb, ICMP_DEST_UNREACH,
119819 ICMP_PROT_UNREACH, 0);
119820 }
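Review bot: In ip_local_deliver_finish() the new `if` sits inside `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` while the statement it controls, the `icmp_send()` call, sits outside it, so any line later inserted between `#endif` and `icmp_send()` silently changes what the condition guards. A small static inline predicate that takes the skb and returns false when the option is compiled out would keep the conditional compilation in one place, leaving the call site as an ordinary braced `if` around `icmp_send()`. A comment should also state that loopback traffic is exempt from the suppression, since `(skb->dev->flags & IFF_LOOPBACK)` is easy to misread. The function body starts and ends outside the hunk.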
119821diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
119822index c3c359a..504edc6 100644
119823--- a/net/ipv4/ip_sockglue.c
119824+++ b/net/ipv4/ip_sockglue.c
119825@@ -1295,7 +1295,8 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
119826 len = min_t(unsigned int, len, opt->optlen);
119827 if (put_user(len, optlen))
119828 return -EFAULT;
119829- if (copy_to_user(optval, opt->__data, len))
119830+ if ((len > (sizeof(optbuf) - sizeof(struct ip_options))) ||
119831+ copy_to_user(optval, opt->__data, len))
119832 return -EFAULT;
119833 return 0;
119834 }
119835@@ -1432,7 +1433,7 @@ static int do_ip_getsockopt(struct sock *sk, int level, int optname,
119836 if (sk->sk_type != SOCK_STREAM)
119837 return -ENOPROTOOPT;
119838
119839- msg.msg_control = (__force void *) optval;
119840+ msg.msg_control = (__force_kernel void *) optval;
119841 msg.msg_controllen = len;
119842 msg.msg_flags = flags;
119843
119844diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c
119845index 0c15208..a3a76c5 100644
119846--- a/net/ipv4/ip_vti.c
119847+++ b/net/ipv4/ip_vti.c
119848@@ -45,7 +45,7 @@
119849 #include <net/net_namespace.h>
119850 #include <net/netns/generic.h>
119851
119852-static struct rtnl_link_ops vti_link_ops __read_mostly;
119853+static struct rtnl_link_ops vti_link_ops;
119854
119855 static int vti_net_id __read_mostly;
119856 static int vti_tunnel_init(struct net_device *dev);
119857@@ -525,7 +525,7 @@ static const struct nla_policy vti_policy[IFLA_VTI_MAX + 1] = {
119858 [IFLA_VTI_REMOTE] = { .len = FIELD_SIZEOF(struct iphdr, daddr) },
119859 };
119860
119861-static struct rtnl_link_ops vti_link_ops __read_mostly = {
119862+static struct rtnl_link_ops vti_link_ops = {
119863 .kind = "vti",
119864 .maxtype = IFLA_VTI_MAX,
119865 .policy = vti_policy,
119866diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
119867index 8e7328c..9bd7ed3 100644
119868--- a/net/ipv4/ipconfig.c
119869+++ b/net/ipv4/ipconfig.c
119870@@ -333,7 +333,7 @@ static int __init ic_devinet_ioctl(unsigned int cmd, struct ifreq *arg)
119871
119872 mm_segment_t oldfs = get_fs();
119873 set_fs(get_ds());
119874- res = devinet_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
119875+ res = devinet_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
119876 set_fs(oldfs);
119877 return res;
119878 }
119879@@ -344,7 +344,7 @@ static int __init ic_dev_ioctl(unsigned int cmd, struct ifreq *arg)
119880
119881 mm_segment_t oldfs = get_fs();
119882 set_fs(get_ds());
119883- res = dev_ioctl(&init_net, cmd, (struct ifreq __user *) arg);
119884+ res = dev_ioctl(&init_net, cmd, (struct ifreq __force_user *) arg);
119885 set_fs(oldfs);
119886 return res;
119887 }
119888@@ -355,7 +355,7 @@ static int __init ic_route_ioctl(unsigned int cmd, struct rtentry *arg)
119889
119890 mm_segment_t oldfs = get_fs();
119891 set_fs(get_ds());
119892- res = ip_rt_ioctl(&init_net, cmd, (void __user *) arg);
119893+ res = ip_rt_ioctl(&init_net, cmd, (void __force_user *) arg);
119894 set_fs(oldfs);
119895 return res;
119896 }
119897diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c
119898index 254238d..82c19a2 100644
119899--- a/net/ipv4/ipip.c
119900+++ b/net/ipv4/ipip.c
119901@@ -124,7 +124,7 @@ MODULE_PARM_DESC(log_ecn_error, "Log packets received with corrupted ECN");
119902 static int ipip_net_id __read_mostly;
119903
119904 static int ipip_tunnel_init(struct net_device *dev);
119905-static struct rtnl_link_ops ipip_link_ops __read_mostly;
119906+static struct rtnl_link_ops ipip_link_ops;
119907
119908 static int ipip_err(struct sk_buff *skb, u32 info)
119909 {
119910@@ -488,7 +488,7 @@ static const struct nla_policy ipip_policy[IFLA_IPTUN_MAX + 1] = {
119911 [IFLA_IPTUN_ENCAP_DPORT] = { .type = NLA_U16 },
119912 };
119913
119914-static struct rtnl_link_ops ipip_link_ops __read_mostly = {
119915+static struct rtnl_link_ops ipip_link_ops = {
119916 .kind = "ipip",
119917 .maxtype = IFLA_IPTUN_MAX,
119918 .policy = ipip_policy,
119919diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
119920index 92305a1..0a5b349 100644
119921--- a/net/ipv4/netfilter/arp_tables.c
119922+++ b/net/ipv4/netfilter/arp_tables.c
119923@@ -896,14 +896,14 @@ static int compat_table_info(const struct xt_table_info *info,
119924 #endif
119925
119926 static int get_info(struct net *net, void __user *user,
119927- const int *len, int compat)
119928+ int len, int compat)
119929 {
119930 char name[XT_TABLE_MAXNAMELEN];
119931 struct xt_table *t;
119932 int ret;
119933
119934- if (*len != sizeof(struct arpt_getinfo)) {
119935- duprintf("length %u != %Zu\n", *len,
119936+ if (len != sizeof(struct arpt_getinfo)) {
119937+ duprintf("length %u != %Zu\n", len,
119938 sizeof(struct arpt_getinfo));
119939 return -EINVAL;
119940 }
119941@@ -940,7 +940,7 @@ static int get_info(struct net *net, void __user *user,
119942 info.size = private->size;
119943 strcpy(info.name, name);
119944
119945- if (copy_to_user(user, &info, *len) != 0)
119946+ if (copy_to_user(user, &info, len) != 0)
119947 ret = -EFAULT;
119948 else
119949 ret = 0;
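Review bot: After this change get_info() verifies `len != sizeof(struct arpt_getinfo)` and then still passes the caller-supplied `len` to copy_to_user(); copying `sizeof(info)` instead would make the size a compile-time constant tied to the object being copied: `if (copy_to_user(user, &info, sizeof(info)) != 0)`. This assumes `info` is a `struct arpt_getinfo`, whose declaration is outside the hunk. `len` is also a signed `int` printed with `%u` in the duprintf above, so an `unsigned int` parameter would match both the format and the comparison with sizeof. The get_info() hunks in ip_tables.c have the same shape.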
119950@@ -1705,7 +1705,7 @@ static int compat_do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user,
119951
119952 switch (cmd) {
119953 case ARPT_SO_GET_INFO:
119954- ret = get_info(sock_net(sk), user, len, 1);
119955+ ret = get_info(sock_net(sk), user, *len, 1);
119956 break;
119957 case ARPT_SO_GET_ENTRIES:
119958 ret = compat_get_entries(sock_net(sk), user, len);
119959@@ -1750,7 +1750,7 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
119960
119961 switch (cmd) {
119962 case ARPT_SO_GET_INFO:
119963- ret = get_info(sock_net(sk), user, len, 0);
119964+ ret = get_info(sock_net(sk), user, *len, 0);
119965 break;
119966
119967 case ARPT_SO_GET_ENTRIES:
119968diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
119969index 6c72fbb..ce47b05 100644
119970--- a/net/ipv4/netfilter/ip_tables.c
119971+++ b/net/ipv4/netfilter/ip_tables.c
119972@@ -1073,14 +1073,14 @@ static int compat_table_info(const struct xt_table_info *info,
119973 #endif
119974
119975 static int get_info(struct net *net, void __user *user,
119976- const int *len, int compat)
119977+ int len, int compat)
119978 {
119979 char name[XT_TABLE_MAXNAMELEN];
119980 struct xt_table *t;
119981 int ret;
119982
119983- if (*len != sizeof(struct ipt_getinfo)) {
119984- duprintf("length %u != %zu\n", *len,
119985+ if (len != sizeof(struct ipt_getinfo)) {
119986+ duprintf("length %u != %zu\n", len,
119987 sizeof(struct ipt_getinfo));
119988 return -EINVAL;
119989 }
119990@@ -1117,7 +1117,7 @@ static int get_info(struct net *net, void __user *user,
119991 info.size = private->size;
119992 strcpy(info.name, name);
119993
119994- if (copy_to_user(user, &info, *len) != 0)
119995+ if (copy_to_user(user, &info, len) != 0)
119996 ret = -EFAULT;
119997 else
119998 ret = 0;
119999@@ -1968,7 +1968,7 @@ compat_do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
120000
120001 switch (cmd) {
120002 case IPT_SO_GET_INFO:
120003- ret = get_info(sock_net(sk), user, len, 1);
120004+ ret = get_info(sock_net(sk), user, *len, 1);
120005 break;
120006 case IPT_SO_GET_ENTRIES:
120007 ret = compat_get_entries(sock_net(sk), user, len);
120008@@ -2015,7 +2015,7 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
120009
120010 switch (cmd) {
120011 case IPT_SO_GET_INFO:
120012- ret = get_info(sock_net(sk), user, len, 0);
120013+ ret = get_info(sock_net(sk), user, *len, 0);
120014 break;
120015
120016 case IPT_SO_GET_ENTRIES:
120017diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
120018index 45cb16a..cef4ecd 100644
120019--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
120020+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
120021@@ -730,7 +730,7 @@ static int clusterip_net_init(struct net *net)
120022 spin_lock_init(&cn->lock);
120023
120024 #ifdef CONFIG_PROC_FS
120025- cn->procdir = proc_mkdir("ipt_CLUSTERIP", net->proc_net);
120026+ cn->procdir = proc_mkdir_restrict("ipt_CLUSTERIP", net->proc_net);
120027 if (!cn->procdir) {
120028 pr_err("Unable to proc dir entry\n");
120029 return -ENOMEM;
120030diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
120031index 05ff44b..da00000 100644
120032--- a/net/ipv4/ping.c
120033+++ b/net/ipv4/ping.c
120034@@ -59,7 +59,7 @@ struct ping_table {
120035 };
120036
120037 static struct ping_table ping_table;
120038-struct pingv6_ops pingv6_ops;
120039+struct pingv6_ops *pingv6_ops;
120040 EXPORT_SYMBOL_GPL(pingv6_ops);
120041
120042 static u16 ping_port_rover;
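Review bot: `pingv6_ops` changes from an object to a pointer that starts out NULL, and every converted call site dereferences it without a check: `pingv6_ops->ipv6_chk_addr` in ping_check_bind_addr(), the calls in ping_err() and ping_recvmsg(), and `pingv6_ops->ipv6_recv_error` in af_inet.c. Whatever assigns the pointer is outside this view, so the invariant should be written down at the declaration, e.g. `/* set by the IPv6 ping code before any AF_INET6 ping socket can be created; never NULL afterwards */`, once that has been confirmed against the assigning code. If the teardown path can clear the pointer while such sockets still exist, readers need either a non-NULL fallback ops table or a check before the call.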
120043@@ -359,7 +359,7 @@ static int ping_check_bind_addr(struct sock *sk, struct inet_sock *isk,
120044 return -ENODEV;
120045 }
120046 }
120047- has_addr = pingv6_ops.ipv6_chk_addr(net, &addr->sin6_addr, dev,
120048+ has_addr = pingv6_ops->ipv6_chk_addr(net, &addr->sin6_addr, dev,
120049 scoped);
120050 rcu_read_unlock();
120051
120052@@ -567,7 +567,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info)
120053 }
120054 #if IS_ENABLED(CONFIG_IPV6)
120055 } else if (skb->protocol == htons(ETH_P_IPV6)) {
120056- harderr = pingv6_ops.icmpv6_err_convert(type, code, &err);
120057+ harderr = pingv6_ops->icmpv6_err_convert(type, code, &err);
120058 #endif
120059 }
120060
120061@@ -585,7 +585,7 @@ void ping_err(struct sk_buff *skb, int offset, u32 info)
120062 info, (u8 *)icmph);
120063 #if IS_ENABLED(CONFIG_IPV6)
120064 } else if (family == AF_INET6) {
120065- pingv6_ops.ipv6_icmp_error(sk, skb, err, 0,
120066+ pingv6_ops->ipv6_icmp_error(sk, skb, err, 0,
120067 info, (u8 *)icmph);
120068 #endif
120069 }
120070@@ -918,10 +918,10 @@ int ping_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, int noblock,
120071 }
120072
120073 if (inet6_sk(sk)->rxopt.all)
120074- pingv6_ops.ip6_datagram_recv_common_ctl(sk, msg, skb);
120075+ pingv6_ops->ip6_datagram_recv_common_ctl(sk, msg, skb);
120076 if (skb->protocol == htons(ETH_P_IPV6) &&
120077 inet6_sk(sk)->rxopt.all)
120078- pingv6_ops.ip6_datagram_recv_specific_ctl(sk, msg, skb);
120079+ pingv6_ops->ip6_datagram_recv_specific_ctl(sk, msg, skb);
120080 else if (skb->protocol == htons(ETH_P_IP) && isk->cmsg_flags)
120081 ip_cmsg_recv(msg, skb);
120082 #endif
120083@@ -1116,7 +1116,7 @@ static void ping_v4_format_sock(struct sock *sp, struct seq_file *f,
120084 from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
120085 0, sock_i_ino(sp),
120086 atomic_read(&sp->sk_refcnt), sp,
120087- atomic_read(&sp->sk_drops));
120088+ atomic_read_unchecked(&sp->sk_drops));
120089 }
120090
120091 static int ping_v4_seq_show(struct seq_file *seq, void *v)
120092diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
120093index 561cd4b..a32a155 100644
120094--- a/net/ipv4/raw.c
120095+++ b/net/ipv4/raw.c
120096@@ -323,7 +323,7 @@ static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
120097 int raw_rcv(struct sock *sk, struct sk_buff *skb)
120098 {
120099 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
120100- atomic_inc(&sk->sk_drops);
120101+ atomic_inc_unchecked(&sk->sk_drops);
120102 kfree_skb(skb);
120103 return NET_RX_DROP;
120104 }
120105@@ -771,16 +771,20 @@ static int raw_init(struct sock *sk)
120106
120107 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
120108 {
120109+ struct icmp_filter filter;
120110+
120111 if (optlen > sizeof(struct icmp_filter))
120112 optlen = sizeof(struct icmp_filter);
120113- if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
120114+ if (copy_from_user(&filter, optval, optlen))
120115 return -EFAULT;
120116+ raw_sk(sk)->filter = filter;
120117 return 0;
120118 }
120119
120120 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
120121 {
120122 int len, ret = -EFAULT;
120123+ struct icmp_filter filter;
120124
120125 if (get_user(len, optlen))
120126 goto out;
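Review bot: The local `filter` in raw_seticmpfilter is assigned to the socket in full even when `optlen` is smaller than `sizeof(struct icmp_filter)`, so any bytes copy_from_user() did not write are whatever was on the stack. The removed code overwrote only the first `optlen` bytes of the existing filter, and raw_geticmpfilter can return the stored value to user space. Seeding the local from the current state keeps the old semantics: `struct icmp_filter filter = raw_sk(sk)->filter;`. The body of raw_geticmpfilter, which begins in this hunk, continues outside it.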
120127@@ -790,8 +794,8 @@ static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *o
120128 if (len > sizeof(struct icmp_filter))
120129 len = sizeof(struct icmp_filter);
120130 ret = -EFAULT;
120131- if (put_user(len, optlen) ||
120132- copy_to_user(optval, &raw_sk(sk)->filter, len))
120133+ filter = raw_sk(sk)->filter;
120134+ if (put_user(len, optlen) || len > sizeof filter || copy_to_user(optval, &filter, len))
120135 goto out;
120136 ret = 0;
120137 out: return ret;
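Review bot: The added `len > sizeof filter` test looks unreachable, because `len` is clamped to `sizeof(struct icmp_filter)` two lines earlier. It also runs only after `put_user(len, optlen)` has already written the length back. If it exists to satisfy a usercopy size checker, say so in a comment, for example `/* redundant with the clamp above; kept so the copy size is provably bounded */`, and put it first in the condition. The start of raw_geticmpfilter, including any negative-length check, is outside this hunk.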
120138@@ -1020,7 +1024,7 @@ static void raw_sock_seq_show(struct seq_file *seq, struct sock *sp, int i)
120139 0, 0L, 0,
120140 from_kuid_munged(seq_user_ns(seq), sock_i_uid(sp)),
120141 0, sock_i_ino(sp),
120142- atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
120143+ atomic_read(&sp->sk_refcnt), sp, atomic_read_unchecked(&sp->sk_drops));
120144 }
120145
120146 static int raw_seq_show(struct seq_file *seq, void *v)
120147diff --git a/net/ipv4/route.c b/net/ipv4/route.c
120148index e681b85..8a43a65 100644
120149--- a/net/ipv4/route.c
120150+++ b/net/ipv4/route.c
120151@@ -227,7 +227,7 @@ static const struct seq_operations rt_cache_seq_ops = {
120152
120153 static int rt_cache_seq_open(struct inode *inode, struct file *file)
120154 {
120155- return seq_open(file, &rt_cache_seq_ops);
120156+ return seq_open_restrict(file, &rt_cache_seq_ops);
120157 }
120158
120159 static const struct file_operations rt_cache_seq_fops = {
120160@@ -318,7 +318,7 @@ static const struct seq_operations rt_cpu_seq_ops = {
120161
120162 static int rt_cpu_seq_open(struct inode *inode, struct file *file)
120163 {
120164- return seq_open(file, &rt_cpu_seq_ops);
120165+ return seq_open_restrict(file, &rt_cpu_seq_ops);
120166 }
120167
120168 static const struct file_operations rt_cpu_seq_fops = {
120169@@ -356,7 +356,7 @@ static int rt_acct_proc_show(struct seq_file *m, void *v)
120170
120171 static int rt_acct_proc_open(struct inode *inode, struct file *file)
120172 {
120173- return single_open(file, rt_acct_proc_show, NULL);
120174+ return single_open_restrict(file, rt_acct_proc_show, NULL);
120175 }
120176
120177 static const struct file_operations rt_acct_proc_fops = {
120178@@ -458,7 +458,7 @@ static struct neighbour *ipv4_neigh_lookup(const struct dst_entry *dst,
120179
120180 #define IP_IDENTS_SZ 2048u
120181
120182-static atomic_t *ip_idents __read_mostly;
120183+static atomic_unchecked_t ip_idents[IP_IDENTS_SZ] __read_mostly;
120184 static u32 *ip_tstamps __read_mostly;
120185
120186 /* In order to protect privacy, we add a perturbation to identifiers
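Review bot: `__read_mostly` now applies to the `ip_idents` array itself rather than to a pointer, yet ip_idents_reserve() in the next hunk modifies an element with `atomic_add_return_unchecked()` on each call. Counters that are written this often do not fit the read-mostly section and may cause false sharing with the data placed beside them. Dropping the annotation, `static atomic_unchecked_t ip_idents[IP_IDENTS_SZ];`, would match the access pattern. How often ip_idents_reserve() runs is not visible here. The comment that closes this hunk continues outside it.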
120187@@ -468,7 +468,7 @@ static u32 *ip_tstamps __read_mostly;
120188 u32 ip_idents_reserve(u32 hash, int segs)
120189 {
120190 u32 *p_tstamp = ip_tstamps + hash % IP_IDENTS_SZ;
120191- atomic_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
120192+ atomic_unchecked_t *p_id = ip_idents + hash % IP_IDENTS_SZ;
120193 u32 old = ACCESS_ONCE(*p_tstamp);
120194 u32 now = (u32)jiffies;
120195 u32 delta = 0;
120196@@ -476,7 +476,7 @@ u32 ip_idents_reserve(u32 hash, int segs)
120197 if (old != now && cmpxchg(p_tstamp, old, now) == old)
120198 delta = prandom_u32_max(now - old);
120199
120200- return atomic_add_return(segs + delta, p_id) - segs;
120201+ return atomic_add_return_unchecked(segs + delta, p_id) - segs;
120202 }
120203 EXPORT_SYMBOL(ip_idents_reserve);
120204
120205@@ -2640,34 +2640,34 @@ static struct ctl_table ipv4_route_flush_table[] = {
120206 .maxlen = sizeof(int),
120207 .mode = 0200,
120208 .proc_handler = ipv4_sysctl_rtcache_flush,
120209+ .extra1 = &init_net,
120210 },
120211 { },
120212 };
120213
120214 static __net_init int sysctl_route_net_init(struct net *net)
120215 {
120216- struct ctl_table *tbl;
120217+ ctl_table_no_const *tbl = NULL;
120218
120219- tbl = ipv4_route_flush_table;
120220 if (!net_eq(net, &init_net)) {
120221- tbl = kmemdup(tbl, sizeof(ipv4_route_flush_table), GFP_KERNEL);
120222+ tbl = kmemdup(ipv4_route_flush_table, sizeof(ipv4_route_flush_table), GFP_KERNEL);
120223 if (!tbl)
120224 goto err_dup;
120225
120226 /* Don't export sysctls to unprivileged users */
120227 if (net->user_ns != &init_user_ns)
120228 tbl[0].procname = NULL;
120229- }
120230- tbl[0].extra1 = net;
120231+ tbl[0].extra1 = net;
120232+ net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", tbl);
120233+ } else
120234+ net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", ipv4_route_flush_table);
120235
120236- net->ipv4.route_hdr = register_net_sysctl(net, "net/ipv4/route", tbl);
120237 if (!net->ipv4.route_hdr)
120238 goto err_reg;
120239 return 0;
120240
120241 err_reg:
120242- if (tbl != ipv4_route_flush_table)
120243- kfree(tbl);
120244+ kfree(tbl);
120245 err_dup:
120246 return -ENOMEM;
120247 }
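Review bot: The `} else` branch in sysctl_route_net_init is unbraced while its `if` branch is braced; kernel style wants braces on both when either needs them, i.e. `} else {` followed by the register call and a closing `}`. The same shape appears in the xfrm4_net_init hunk, and ipv4_sysctl_init_net repeats the `net_eq()` test just to pick the table. A one-line comment would also explain the `err_reg` change: `/* init_net registers the static table; tbl stays NULL and kfree(NULL) is a no-op */`.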
120248@@ -2690,8 +2690,8 @@ static __net_initdata struct pernet_operations sysctl_route_ops = {
120249
120250 static __net_init int rt_genid_init(struct net *net)
120251 {
120252- atomic_set(&net->ipv4.rt_genid, 0);
120253- atomic_set(&net->fnhe_genid, 0);
120254+ atomic_set_unchecked(&net->ipv4.rt_genid, 0);
120255+ atomic_set_unchecked(&net->fnhe_genid, 0);
120256 get_random_bytes(&net->ipv4.dev_addr_genid,
120257 sizeof(net->ipv4.dev_addr_genid));
120258 return 0;
120259@@ -2735,11 +2735,7 @@ int __init ip_rt_init(void)
120260 int rc = 0;
120261 int cpu;
120262
120263- ip_idents = kmalloc(IP_IDENTS_SZ * sizeof(*ip_idents), GFP_KERNEL);
120264- if (!ip_idents)
120265- panic("IP: failed to allocate ip_idents\n");
120266-
120267- prandom_bytes(ip_idents, IP_IDENTS_SZ * sizeof(*ip_idents));
120268+ prandom_bytes(ip_idents, sizeof(ip_idents));
120269
120270 ip_tstamps = kcalloc(IP_IDENTS_SZ, sizeof(*ip_tstamps), GFP_KERNEL);
120271 if (!ip_tstamps)
120272diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
120273index 0330ab2..4745d2c 100644
120274--- a/net/ipv4/sysctl_net_ipv4.c
120275+++ b/net/ipv4/sysctl_net_ipv4.c
120276@@ -66,7 +66,7 @@ static int ipv4_local_port_range(struct ctl_table *table, int write,
120277 container_of(table->data, struct net, ipv4.ip_local_ports.range);
120278 int ret;
120279 int range[2];
120280- struct ctl_table tmp = {
120281+ ctl_table_no_const tmp = {
120282 .data = &range,
120283 .maxlen = sizeof(range),
120284 .mode = table->mode,
120285@@ -124,7 +124,7 @@ static int ipv4_ping_group_range(struct ctl_table *table, int write,
120286 int ret;
120287 gid_t urange[2];
120288 kgid_t low, high;
120289- struct ctl_table tmp = {
120290+ ctl_table_no_const tmp = {
120291 .data = &urange,
120292 .maxlen = sizeof(urange),
120293 .mode = table->mode,
120294@@ -155,7 +155,7 @@ static int proc_tcp_congestion_control(struct ctl_table *ctl, int write,
120295 void __user *buffer, size_t *lenp, loff_t *ppos)
120296 {
120297 char val[TCP_CA_NAME_MAX];
120298- struct ctl_table tbl = {
120299+ ctl_table_no_const tbl = {
120300 .data = val,
120301 .maxlen = TCP_CA_NAME_MAX,
120302 };
120303@@ -174,7 +174,7 @@ static int proc_tcp_available_congestion_control(struct ctl_table *ctl,
120304 void __user *buffer, size_t *lenp,
120305 loff_t *ppos)
120306 {
120307- struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX, };
120308+ ctl_table_no_const tbl = { .maxlen = TCP_CA_BUF_MAX, };
120309 int ret;
120310
120311 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
120312@@ -191,7 +191,7 @@ static int proc_allowed_congestion_control(struct ctl_table *ctl,
120313 void __user *buffer, size_t *lenp,
120314 loff_t *ppos)
120315 {
120316- struct ctl_table tbl = { .maxlen = TCP_CA_BUF_MAX };
120317+ ctl_table_no_const tbl = { .maxlen = TCP_CA_BUF_MAX };
120318 int ret;
120319
120320 tbl.data = kmalloc(tbl.maxlen, GFP_USER);
120321@@ -210,7 +210,7 @@ static int proc_tcp_fastopen_key(struct ctl_table *ctl, int write,
120322 void __user *buffer, size_t *lenp,
120323 loff_t *ppos)
120324 {
120325- struct ctl_table tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };
120326+ ctl_table_no_const tbl = { .maxlen = (TCP_FASTOPEN_KEY_LENGTH * 2 + 10) };
120327 struct tcp_fastopen_context *ctxt;
120328 int ret;
120329 u32 user_key[4]; /* 16 bytes, matching TCP_FASTOPEN_KEY_LENGTH */
120330@@ -915,13 +915,12 @@ static struct ctl_table ipv4_net_table[] = {
120331
120332 static __net_init int ipv4_sysctl_init_net(struct net *net)
120333 {
120334- struct ctl_table *table;
120335+ ctl_table_no_const *table = NULL;
120336
120337- table = ipv4_net_table;
120338 if (!net_eq(net, &init_net)) {
120339 int i;
120340
120341- table = kmemdup(table, sizeof(ipv4_net_table), GFP_KERNEL);
120342+ table = kmemdup(ipv4_net_table, sizeof(ipv4_net_table), GFP_KERNEL);
120343 if (!table)
120344 goto err_alloc;
120345
120346@@ -930,7 +929,10 @@ static __net_init int ipv4_sysctl_init_net(struct net *net)
120347 table[i].data += (void *)net - (void *)&init_net;
120348 }
120349
120350- net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
120351+ if (!net_eq(net, &init_net))
120352+ net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", table);
120353+ else
120354+ net->ipv4.ipv4_hdr = register_net_sysctl(net, "net/ipv4", ipv4_net_table);
120355 if (!net->ipv4.ipv4_hdr)
120356 goto err_reg;
120357
120358diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
120359index 728f5b3..dc51cbe 100644
120360--- a/net/ipv4/tcp_input.c
120361+++ b/net/ipv4/tcp_input.c
120362@@ -767,7 +767,7 @@ static void tcp_update_pacing_rate(struct sock *sk)
120363 * without any lock. We want to make sure compiler wont store
120364 * intermediate values in this location.
120365 */
120366- ACCESS_ONCE(sk->sk_pacing_rate) = min_t(u64, rate,
120367+ ACCESS_ONCE_RW(sk->sk_pacing_rate) = min_t(u64, rate,
120368 sk->sk_max_pacing_rate);
120369 }
120370
120371@@ -4608,7 +4608,7 @@ static struct sk_buff *tcp_collapse_one(struct sock *sk, struct sk_buff *skb,
120372 * simplifies code)
120373 */
120374 static void
120375-tcp_collapse(struct sock *sk, struct sk_buff_head *list,
120376+__intentional_overflow(5,6) tcp_collapse(struct sock *sk, struct sk_buff_head *list,
120377 struct sk_buff *head, struct sk_buff *tail,
120378 u32 start, u32 end)
120379 {
120380@@ -5603,6 +5603,7 @@ discard:
120381 tcp_paws_reject(&tp->rx_opt, 0))
120382 goto discard_and_undo;
120383
120384+#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT
120385 if (th->syn) {
120386 /* We see SYN without ACK. It is attempt of
120387 * simultaneous connect with crossed SYNs.
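Review bot: The `#ifndef CONFIG_GRKERNSEC_NO_SIMULT_CONNECT` opened here is closed only in the next hunk, directly after an unrelated nested `#endif`, and neither end says what the guard does. Labelling the closing line as `#endif /* !CONFIG_GRKERNSEC_NO_SIMULT_CONNECT */` would make the pairing clear. A comment at the opening would help too: with the option set, a SYN without ACK in this state presumably falls through to the "fifth" drop case shown as context in the next hunk. The guarded block begins in this hunk and ends outside it.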
120388@@ -5653,6 +5654,7 @@ discard:
120389 goto discard;
120390 #endif
120391 }
120392+#endif
120393 /* "fifth, if neither of the SYN or RST bits is set then
120394 * drop the segment and return."
120395 */
120396@@ -5699,7 +5701,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb,
120397 goto discard;
120398
120399 if (th->syn) {
120400- if (th->fin)
120401+ if (th->fin || th->urg || th->psh)
120402 goto discard;
120403 if (icsk->icsk_af_ops->conn_request(sk, skb) < 0)
120404 return 1;
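Review bot: The widened test `th->fin || th->urg || th->psh` silently discards SYN segments carrying URG or PSH, with no comment and no counter, so such drops are hard to tell apart from other discards during troubleshooting. A comment stating the intent would help, e.g. `/* SYN combined with FIN, URG or PSH is not expected from a normal connect; drop it */`. It is worth confirming that no peer stack in use sets PSH on a data-bearing SYN, which cannot be judged from this hunk. The enclosing function starts and ends outside the hunk.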
120405@@ -6026,7 +6028,7 @@ struct request_sock *inet_reqsk_alloc(const struct request_sock_ops *ops,
120406
120407 kmemcheck_annotate_bitfield(ireq, flags);
120408 ireq->opt = NULL;
120409- atomic64_set(&ireq->ir_cookie, 0);
120410+ atomic64_set_unchecked(&ireq->ir_cookie, 0);
120411 ireq->ireq_state = TCP_NEW_SYN_RECV;
120412 write_pnet(&ireq->ireq_net, sock_net(sk_listener));
120413 ireq->ireq_family = sk_listener->sk_family;
120414diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
120415index 0ea2e1c..a4d1c48 100644
120416--- a/net/ipv4/tcp_ipv4.c
120417+++ b/net/ipv4/tcp_ipv4.c
120418@@ -89,6 +89,10 @@ int sysctl_tcp_tw_reuse __read_mostly;
120419 int sysctl_tcp_low_latency __read_mostly;
120420 EXPORT_SYMBOL(sysctl_tcp_low_latency);
120421
120422+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120423+extern int grsec_enable_blackhole;
120424+#endif
120425+
120426 #ifdef CONFIG_TCP_MD5SIG
120427 static int tcp_v4_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key,
120428 __be32 daddr, __be32 saddr, const struct tcphdr *th);
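Review bot: `extern int grsec_enable_blackhole;` is declared directly in this .c file, and the same declaration is repeated in the tcp_minisocks.c and udp.c hunks. tcp_timer.c does likewise for `grsec_lastack_retries`, and udp.c and addrconf.c add local function prototypes. A private extern is never checked against the definition, so a later type change would still compile and then misbehave. One declaration in a shared header, included by both the defining file and each user, avoids that.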
120429@@ -1427,6 +1431,9 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
120430 return 0;
120431
120432 reset:
120433+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120434+ if (!grsec_enable_blackhole)
120435+#endif
120436 tcp_v4_send_reset(rsk, skb);
120437 discard:
120438 kfree_skb(skb);
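Review bot: The `#ifdef`-wrapped `if (!grsec_enable_blackhole)` has no braces and governs whatever statement happens to follow the `#endif`, so inserting a line between them later silently changes what is conditional. The same construct recurs in the tcp_v4_rcv `bad_packet` hunk, the tcp_minisocks.c `embryonic_reset` hunk and the `__udp4_lib_rcv` hunk. An inline predicate in a shared header that evaluates to 0 when the option is off would allow an ordinary `if` with no preprocessor lines at the call sites. The `tcp_v4_send_reset()` call should also be indented one level under the condition.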
120439@@ -1591,12 +1598,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
120440 TCP_SKB_CB(skb)->sacked = 0;
120441
120442 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
120443- if (!sk)
120444+ if (!sk) {
120445+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120446+ ret = 1;
120447+#endif
120448 goto no_tcp_socket;
120449-
120450+ }
120451 process:
120452- if (sk->sk_state == TCP_TIME_WAIT)
120453+ if (sk->sk_state == TCP_TIME_WAIT) {
120454+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120455+ ret = 2;
120456+#endif
120457 goto do_time_wait;
120458+ }
120459
120460 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
120461 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
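Review bot: `ret = 1` and `ret = 2` reuse the return-value variable of tcp_v4_rcv as an unlabelled marker of which path was taken. Only `ret == 1` is tested in the visible hunks (in the `bad_packet` else-branch of the next hunk), and nothing documents what 2 means. A dedicated local with named values, or at least a comment such as `/* 1: no socket found, 2: TIME_WAIT socket; checked before sending a reset */`, would make the loopback exception readable. Whether every path into that reset branch assigns `ret` first cannot be confirmed here, because the function body continues outside the hunk; if one does not, the test reads an indeterminate value.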
120462@@ -1653,6 +1667,10 @@ csum_error:
120463 bad_packet:
120464 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
120465 } else {
120466+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120467+ if (!grsec_enable_blackhole || (ret == 1 &&
120468+ (skb->dev->flags & IFF_LOOPBACK)))
120469+#endif
120470 tcp_v4_send_reset(NULL, skb);
120471 }
120472
120473diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
120474index 4bc00cb..d024adf 100644
120475--- a/net/ipv4/tcp_minisocks.c
120476+++ b/net/ipv4/tcp_minisocks.c
120477@@ -27,6 +27,10 @@
120478 #include <net/inet_common.h>
120479 #include <net/xfrm.h>
120480
120481+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120482+extern int grsec_enable_blackhole;
120483+#endif
120484+
120485 int sysctl_tcp_syncookies __read_mostly = 1;
120486 EXPORT_SYMBOL(sysctl_tcp_syncookies);
120487
120488@@ -782,7 +786,10 @@ embryonic_reset:
120489 * avoid becoming vulnerable to outside attack aiming at
120490 * resetting legit local connections.
120491 */
120492- req->rsk_ops->send_reset(sk, skb);
120493+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120494+ if (!grsec_enable_blackhole)
120495+#endif
120496+ req->rsk_ops->send_reset(sk, skb);
120497 } else if (fastopen) { /* received a valid RST pkt */
120498 reqsk_fastopen_remove(sk, req, true);
120499 tcp_reset(sk);
120500diff --git a/net/ipv4/tcp_probe.c b/net/ipv4/tcp_probe.c
120501index ebf5ff5..4d1ff32 100644
120502--- a/net/ipv4/tcp_probe.c
120503+++ b/net/ipv4/tcp_probe.c
120504@@ -236,7 +236,7 @@ static ssize_t tcpprobe_read(struct file *file, char __user *buf,
120505 if (cnt + width >= len)
120506 break;
120507
120508- if (copy_to_user(buf + cnt, tbuf, width))
120509+ if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
120510 return -EFAULT;
120511 cnt += width;
120512 }
120513diff --git a/net/ipv4/tcp_timer.c b/net/ipv4/tcp_timer.c
120514index 5b752f5..9594bb2 100644
120515--- a/net/ipv4/tcp_timer.c
120516+++ b/net/ipv4/tcp_timer.c
120517@@ -22,6 +22,10 @@
120518 #include <linux/gfp.h>
120519 #include <net/tcp.h>
120520
120521+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120522+extern int grsec_lastack_retries;
120523+#endif
120524+
120525 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
120526 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
120527 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
120528@@ -195,6 +199,13 @@ static int tcp_write_timeout(struct sock *sk)
120529 }
120530 }
120531
120532+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120533+ if ((sk->sk_state == TCP_LAST_ACK) &&
120534+ (grsec_lastack_retries > 0) &&
120535+ (grsec_lastack_retries < retry_until))
120536+ retry_until = grsec_lastack_retries;
120537+#endif
120538+
120539 if (retransmits_timed_out(sk, retry_until,
120540 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
120541 /* Has it gone just too far? */
120542diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
120543index 1b8c5ba..e1f0542 100644
120544--- a/net/ipv4/udp.c
120545+++ b/net/ipv4/udp.c
120546@@ -87,6 +87,7 @@
120547 #include <linux/types.h>
120548 #include <linux/fcntl.h>
120549 #include <linux/module.h>
120550+#include <linux/security.h>
120551 #include <linux/socket.h>
120552 #include <linux/sockios.h>
120553 #include <linux/igmp.h>
120554@@ -115,6 +116,10 @@
120555 #include <net/busy_poll.h>
120556 #include "udp_impl.h"
120557
120558+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120559+extern int grsec_enable_blackhole;
120560+#endif
120561+
120562 struct udp_table udp_table __read_mostly;
120563 EXPORT_SYMBOL(udp_table);
120564
120565@@ -608,6 +613,9 @@ static inline bool __udp_is_mcast_sock(struct net *net, struct sock *sk,
120566 return true;
120567 }
120568
120569+extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
120570+extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
120571+
120572 /*
120573 * This routine is called by the ICMP module when it gets some
120574 * sort of error condition. If err < 0 then the socket should
120575@@ -944,9 +952,18 @@ int udp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
120576 dport = usin->sin_port;
120577 if (dport == 0)
120578 return -EINVAL;
120579+
120580+ err = gr_search_udp_sendmsg(sk, usin);
120581+ if (err)
120582+ return err;
120583 } else {
120584 if (sk->sk_state != TCP_ESTABLISHED)
120585 return -EDESTADDRREQ;
120586+
120587+ err = gr_search_udp_sendmsg(sk, NULL);
120588+ if (err)
120589+ return err;
120590+
120591 daddr = inet->inet_daddr;
120592 dport = inet->inet_dport;
120593 /* Open fast path for connected socket.
120594@@ -1193,7 +1210,7 @@ static unsigned int first_packet_length(struct sock *sk)
120595 IS_UDPLITE(sk));
120596 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
120597 IS_UDPLITE(sk));
120598- atomic_inc(&sk->sk_drops);
120599+ atomic_inc_unchecked(&sk->sk_drops);
120600 __skb_unlink(skb, rcvq);
120601 __skb_queue_tail(&list_kill, skb);
120602 }
120603@@ -1273,6 +1290,10 @@ try_again:
120604 if (!skb)
120605 goto out;
120606
120607+ err = gr_search_udp_recvmsg(sk, skb);
120608+ if (err)
120609+ goto out_free;
120610+
120611 ulen = skb->len - sizeof(struct udphdr);
120612 copied = len;
120613 if (copied > ulen)
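Review bot: A datagram rejected by `gr_search_udp_recvmsg()` goes straight to `out_free` without touching `sk_drops` or any MIB counter, so policy denials leave no trace in the socket statistics. The copy-failure path in the next hunk counts the drop when `!peeked`. Consider doing the same here, `if (err) { if (!peeked) atomic_inc_unchecked(&sk->sk_drops); goto out_free; }`, or add a comment saying the omission is deliberate. What `out_free` does, and whether `peeked` is already set at this point, are outside the hunk.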
120614@@ -1305,7 +1326,7 @@ try_again:
120615 if (unlikely(err)) {
120616 trace_kfree_skb(skb, udp_recvmsg);
120617 if (!peeked) {
120618- atomic_inc(&sk->sk_drops);
120619+ atomic_inc_unchecked(&sk->sk_drops);
120620 UDP_INC_STATS_USER(sock_net(sk),
120621 UDP_MIB_INERRORS, is_udplite);
120622 }
120623@@ -1599,7 +1620,7 @@ csum_error:
120624 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);
120625 drop:
120626 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
120627- atomic_inc(&sk->sk_drops);
120628+ atomic_inc_unchecked(&sk->sk_drops);
120629 kfree_skb(skb);
120630 return -1;
120631 }
120632@@ -1617,7 +1638,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
120633 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
120634
120635 if (!skb1) {
120636- atomic_inc(&sk->sk_drops);
120637+ atomic_inc_unchecked(&sk->sk_drops);
120638 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
120639 IS_UDPLITE(sk));
120640 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
120641@@ -1823,6 +1844,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
120642 goto csum_error;
120643
120644 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
120645+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
120646+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
120647+#endif
120648 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
120649
120650 /*
120651@@ -2427,7 +2451,7 @@ static void udp4_format_sock(struct sock *sp, struct seq_file *f,
120652 from_kuid_munged(seq_user_ns(f), sock_i_uid(sp)),
120653 0, sock_i_ino(sp),
120654 atomic_read(&sp->sk_refcnt), sp,
120655- atomic_read(&sp->sk_drops));
120656+ atomic_read_unchecked(&sp->sk_drops));
120657 }
120658
120659 int udp4_seq_show(struct seq_file *seq, void *v)
120660diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c
120661index bff6974..c63736c 100644
120662--- a/net/ipv4/xfrm4_policy.c
120663+++ b/net/ipv4/xfrm4_policy.c
120664@@ -186,11 +186,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse)
120665 fl4->flowi4_tos = iph->tos;
120666 }
120667
120668-static inline int xfrm4_garbage_collect(struct dst_ops *ops)
120669+static int xfrm4_garbage_collect(struct dst_ops *ops)
120670 {
120671 struct net *net = container_of(ops, struct net, xfrm.xfrm4_dst_ops);
120672
120673- xfrm4_policy_afinfo.garbage_collect(net);
120674+ xfrm_garbage_collect_deferred(net);
120675 return (dst_entries_get_slow(ops) > ops->gc_thresh * 2);
120676 }
120677
120678@@ -268,19 +268,18 @@ static struct ctl_table xfrm4_policy_table[] = {
120679
120680 static int __net_init xfrm4_net_init(struct net *net)
120681 {
120682- struct ctl_table *table;
120683+ ctl_table_no_const *table = NULL;
120684 struct ctl_table_header *hdr;
120685
120686- table = xfrm4_policy_table;
120687 if (!net_eq(net, &init_net)) {
120688- table = kmemdup(table, sizeof(xfrm4_policy_table), GFP_KERNEL);
120689+ table = kmemdup(xfrm4_policy_table, sizeof(xfrm4_policy_table), GFP_KERNEL);
120690 if (!table)
120691 goto err_alloc;
120692
120693 table[0].data = &net->xfrm.xfrm4_dst_ops.gc_thresh;
120694- }
120695-
120696- hdr = register_net_sysctl(net, "net/ipv4", table);
120697+ hdr = register_net_sysctl(net, "net/ipv4", table);
120698+ } else
120699+ hdr = register_net_sysctl(net, "net/ipv4", xfrm4_policy_table);
120700 if (!hdr)
120701 goto err_reg;
120702
120703@@ -288,8 +287,7 @@ static int __net_init xfrm4_net_init(struct net *net)
120704 return 0;
120705
120706 err_reg:
120707- if (!net_eq(net, &init_net))
120708- kfree(table);
120709+ kfree(table);
120710 err_alloc:
120711 return -ENOMEM;
120712 }
120713diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
120714index 21c2c81..373c1ba 100644
120715--- a/net/ipv6/addrconf.c
120716+++ b/net/ipv6/addrconf.c
120717@@ -178,7 +178,7 @@ static struct ipv6_devconf ipv6_devconf __read_mostly = {
120718 .hop_limit = IPV6_DEFAULT_HOPLIMIT,
120719 .mtu6 = IPV6_MIN_MTU,
120720 .accept_ra = 1,
120721- .accept_redirects = 1,
120722+ .accept_redirects = 0,
120723 .autoconf = 1,
120724 .force_mld_version = 0,
120725 .mldv1_unsolicited_report_interval = 10 * HZ,
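Review bot: `.accept_redirects = 0` changes a user-visible default with no comment, and the identical change is made to `ipv6_devconf_dflt` in the next hunk. Administrators comparing against the documented sysctl default will see a mismatch with no explanation. A short comment on both initialisers would record the intent, e.g. `/* hardened default: ignore ICMPv6 redirects unless explicitly enabled */`, and the sysctl documentation should be updated to match.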
120726@@ -219,7 +219,7 @@ static struct ipv6_devconf ipv6_devconf_dflt __read_mostly = {
120727 .hop_limit = IPV6_DEFAULT_HOPLIMIT,
120728 .mtu6 = IPV6_MIN_MTU,
120729 .accept_ra = 1,
120730- .accept_redirects = 1,
120731+ .accept_redirects = 0,
120732 .autoconf = 1,
120733 .force_mld_version = 0,
120734 .mldv1_unsolicited_report_interval = 10 * HZ,
120735@@ -620,7 +620,7 @@ static int inet6_netconf_dump_devconf(struct sk_buff *skb,
120736 idx = 0;
120737 head = &net->dev_index_head[h];
120738 rcu_read_lock();
120739- cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^
120740+ cb->seq = atomic_read_unchecked(&net->ipv6.dev_addr_genid) ^
120741 net->dev_base_seq;
120742 hlist_for_each_entry_rcu(dev, head, index_hlist) {
120743 if (idx < s_idx)
120744@@ -2508,7 +2508,7 @@ int addrconf_set_dstaddr(struct net *net, void __user *arg)
120745 p.iph.ihl = 5;
120746 p.iph.protocol = IPPROTO_IPV6;
120747 p.iph.ttl = 64;
120748- ifr.ifr_ifru.ifru_data = (__force void __user *)&p;
120749+ ifr.ifr_ifru.ifru_data = (void __force_user *)&p;
120750
120751 if (ops->ndo_do_ioctl) {
120752 mm_segment_t oldfs = get_fs();
120753@@ -3774,16 +3774,23 @@ static const struct file_operations if6_fops = {
120754 .release = seq_release_net,
120755 };
120756
120757+extern void register_ipv6_seq_ops_addr(struct seq_operations *addr);
120758+extern void unregister_ipv6_seq_ops_addr(void);
120759+
120760 static int __net_init if6_proc_net_init(struct net *net)
120761 {
120762- if (!proc_create("if_inet6", S_IRUGO, net->proc_net, &if6_fops))
120763+ register_ipv6_seq_ops_addr(&if6_seq_ops);
120764+ if (!proc_create("if_inet6", S_IRUGO, net->proc_net, &if6_fops)) {
120765+ unregister_ipv6_seq_ops_addr();
120766 return -ENOMEM;
120767+ }
120768 return 0;
120769 }
120770
120771 static void __net_exit if6_proc_net_exit(struct net *net)
120772 {
120773 remove_proc_entry("if_inet6", net->proc_net);
120774+ unregister_ipv6_seq_ops_addr();
120775 }
120776
120777 static struct pernet_operations if6_proc_net_ops = {
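Review bot: `register_ipv6_seq_ops_addr()` and the argument-less `unregister_ipv6_seq_ops_addr()` look like a single global registration, but they are called from the per-namespace `if6_proc_net_init` and `if6_proc_net_exit` hooks. If so, the exit of any one network namespace would clear the registration while other namespaces still expose `if_inet6`. Their implementations are not in this hunk, so this needs confirming. If the state is indeed global, registering once at module init and exit rather than per net, or reference-counting it, would fix the lifetime. The two prototypes are also better placed in a shared header than declared locally.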
120778@@ -4402,7 +4409,7 @@ static int inet6_dump_addr(struct sk_buff *skb, struct netlink_callback *cb,
120779 s_ip_idx = ip_idx = cb->args[2];
120780
120781 rcu_read_lock();
120782- cb->seq = atomic_read(&net->ipv6.dev_addr_genid) ^ net->dev_base_seq;
120783+ cb->seq = atomic_read_unchecked(&net->ipv6.dev_addr_genid) ^ net->dev_base_seq;
120784 for (h = s_h; h < NETDEV_HASHENTRIES; h++, s_idx = 0) {
120785 idx = 0;
120786 head = &net->dev_index_head[h];
120787@@ -5059,7 +5066,7 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
120788 rt_genid_bump_ipv6(net);
120789 break;
120790 }
120791- atomic_inc(&net->ipv6.dev_addr_genid);
120792+ atomic_inc_unchecked(&net->ipv6.dev_addr_genid);
120793 }
120794
120795 static void ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
120796@@ -5079,7 +5086,7 @@ int addrconf_sysctl_forward(struct ctl_table *ctl, int write,
120797 int *valp = ctl->data;
120798 int val = *valp;
120799 loff_t pos = *ppos;
120800- struct ctl_table lctl;
120801+ ctl_table_no_const lctl;
120802 int ret;
120803
120804 /*
120805@@ -5104,7 +5111,7 @@ int addrconf_sysctl_mtu(struct ctl_table *ctl, int write,
120806 {
120807 struct inet6_dev *idev = ctl->extra1;
120808 int min_mtu = IPV6_MIN_MTU;
120809- struct ctl_table lctl;
120810+ ctl_table_no_const lctl;
120811
120812 lctl = *ctl;
120813 lctl.extra1 = &min_mtu;
120814@@ -5179,7 +5186,7 @@ int addrconf_sysctl_disable(struct ctl_table *ctl, int write,
120815 int *valp = ctl->data;
120816 int val = *valp;
120817 loff_t pos = *ppos;
120818- struct ctl_table lctl;
120819+ ctl_table_no_const lctl;
120820 int ret;
120821
120822 /*
120823@@ -5244,7 +5251,7 @@ static int addrconf_sysctl_stable_secret(struct ctl_table *ctl, int write,
120824 int err;
120825 struct in6_addr addr;
120826 char str[IPV6_MAX_STRLEN];
120827- struct ctl_table lctl = *ctl;
120828+ ctl_table_no_const lctl = *ctl;
120829 struct net *net = ctl->extra2;
120830 struct ipv6_stable_secret *secret = ctl->data;
120831
120832diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
120833index 7de52b6..ce7fb94 100644
120834--- a/net/ipv6/af_inet6.c
120835+++ b/net/ipv6/af_inet6.c
120836@@ -770,7 +770,7 @@ static int __net_init inet6_net_init(struct net *net)
120837 net->ipv6.sysctl.idgen_retries = 3;
120838 net->ipv6.sysctl.idgen_delay = 1 * HZ;
120839 net->ipv6.sysctl.flowlabel_state_ranges = 1;
120840- atomic_set(&net->ipv6.fib6_sernum, 1);
120841+ atomic_set_unchecked(&net->ipv6.fib6_sernum, 1);
120842
120843 err = ipv6_init_mibs(net);
120844 if (err)
120845diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c
120846index b10a889..e881e1f 100644
120847--- a/net/ipv6/datagram.c
120848+++ b/net/ipv6/datagram.c
120849@@ -977,5 +977,5 @@ void ip6_dgram_sock_seq_show(struct seq_file *seq, struct sock *sp,
120850 0,
120851 sock_i_ino(sp),
120852 atomic_read(&sp->sk_refcnt), sp,
120853- atomic_read(&sp->sk_drops));
120854+ atomic_read_unchecked(&sp->sk_drops));
120855 }
120856diff --git a/net/ipv6/icmp.c b/net/ipv6/icmp.c
120857index 713d743..8eec687 100644
120858--- a/net/ipv6/icmp.c
120859+++ b/net/ipv6/icmp.c
120860@@ -1004,7 +1004,7 @@ static struct ctl_table ipv6_icmp_table_template[] = {
120861
120862 struct ctl_table * __net_init ipv6_icmp_sysctl_init(struct net *net)
120863 {
120864- struct ctl_table *table;
120865+ ctl_table_no_const *table;
120866
120867 table = kmemdup(ipv6_icmp_table_template,
120868 sizeof(ipv6_icmp_table_template),
120869diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
120870index 548c623..bc8ec4f 100644
120871--- a/net/ipv6/ip6_fib.c
120872+++ b/net/ipv6/ip6_fib.c
120873@@ -99,9 +99,9 @@ static int fib6_new_sernum(struct net *net)
120874 int new, old;
120875
120876 do {
120877- old = atomic_read(&net->ipv6.fib6_sernum);
120878+ old = atomic_read_unchecked(&net->ipv6.fib6_sernum);
120879 new = old < INT_MAX ? old + 1 : 1;
120880- } while (atomic_cmpxchg(&net->ipv6.fib6_sernum,
120881+ } while (atomic_cmpxchg_unchecked(&net->ipv6.fib6_sernum,
120882 old, new) != old);
120883 return new;
120884 }
120885diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
120886index 69f4f68..1f97524 100644
120887--- a/net/ipv6/ip6_gre.c
120888+++ b/net/ipv6/ip6_gre.c
120889@@ -71,8 +71,8 @@ struct ip6gre_net {
120890 struct net_device *fb_tunnel_dev;
120891 };
120892
120893-static struct rtnl_link_ops ip6gre_link_ops __read_mostly;
120894-static struct rtnl_link_ops ip6gre_tap_ops __read_mostly;
120895+static struct rtnl_link_ops ip6gre_link_ops;
120896+static struct rtnl_link_ops ip6gre_tap_ops;
120897 static int ip6gre_tunnel_init(struct net_device *dev);
120898 static void ip6gre_tunnel_setup(struct net_device *dev);
120899 static void ip6gre_tunnel_link(struct ip6gre_net *ign, struct ip6_tnl *t);
120900@@ -1281,7 +1281,7 @@ static void ip6gre_fb_tunnel_init(struct net_device *dev)
120901 }
120902
120903
120904-static struct inet6_protocol ip6gre_protocol __read_mostly = {
120905+static struct inet6_protocol ip6gre_protocol = {
120906 .handler = ip6gre_rcv,
120907 .err_handler = ip6gre_err,
120908 .flags = INET6_PROTO_NOPOLICY|INET6_PROTO_FINAL,
120909@@ -1640,7 +1640,7 @@ static const struct nla_policy ip6gre_policy[IFLA_GRE_MAX + 1] = {
120910 [IFLA_GRE_FLAGS] = { .type = NLA_U32 },
120911 };
120912
120913-static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
120914+static struct rtnl_link_ops ip6gre_link_ops = {
120915 .kind = "ip6gre",
120916 .maxtype = IFLA_GRE_MAX,
120917 .policy = ip6gre_policy,
120918@@ -1655,7 +1655,7 @@ static struct rtnl_link_ops ip6gre_link_ops __read_mostly = {
120919 .get_link_net = ip6_tnl_get_link_net,
120920 };
120921
120922-static struct rtnl_link_ops ip6gre_tap_ops __read_mostly = {
120923+static struct rtnl_link_ops ip6gre_tap_ops = {
120924 .kind = "ip6gretap",
120925 .maxtype = IFLA_GRE_MAX,
120926 .policy = ip6gre_policy,
120927diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c
120928index d5f7716..7da025a 100644
120929--- a/net/ipv6/ip6_output.c
120930+++ b/net/ipv6/ip6_output.c
120931@@ -581,6 +581,8 @@ int ip6_fragment(struct sock *sk, struct sk_buff *skb,
120932 if (np->frag_size)
120933 mtu = np->frag_size;
120934 }
120935+ if (mtu < hlen + sizeof(struct frag_hdr) + 8)
120936+ goto fail_toobig;
120937 mtu -= hlen + sizeof(struct frag_hdr);
120938
120939 frag_id = ipv6_select_ident(net, &ipv6_hdr(skb)->daddr,
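Review bot: The constant 8 in `mtu < hlen + sizeof(struct frag_hdr) + 8` is unexplained. Presumably it is the smallest payload a fragment can carry, since fragment offsets are counted in 8-octet units, and the check keeps the subtraction on the next line from wrapping when `mtu` is too small. A comment would record that: `/* need room for the headers plus one 8-octet fragment unit */`. The body of ip6_fragment starts and ends outside the hunk, so the types of `mtu` and `hlen` and the `fail_toobig` label are not visible here.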
120940diff --git a/net/ipv6/ip6_tunnel.c b/net/ipv6/ip6_tunnel.c
120941index 2e67b66..b816b34 100644
120942--- a/net/ipv6/ip6_tunnel.c
120943+++ b/net/ipv6/ip6_tunnel.c
120944@@ -80,7 +80,7 @@ static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2)
120945
120946 static int ip6_tnl_dev_init(struct net_device *dev);
120947 static void ip6_tnl_dev_setup(struct net_device *dev);
120948-static struct rtnl_link_ops ip6_link_ops __read_mostly;
120949+static struct rtnl_link_ops ip6_link_ops;
120950
120951 static int ip6_tnl_net_id __read_mostly;
120952 struct ip6_tnl_net {
120953@@ -1776,7 +1776,7 @@ static const struct nla_policy ip6_tnl_policy[IFLA_IPTUN_MAX + 1] = {
120954 [IFLA_IPTUN_PROTO] = { .type = NLA_U8 },
120955 };
120956
120957-static struct rtnl_link_ops ip6_link_ops __read_mostly = {
120958+static struct rtnl_link_ops ip6_link_ops = {
120959 .kind = "ip6tnl",
120960 .maxtype = IFLA_IPTUN_MAX,
120961 .policy = ip6_tnl_policy,
120962diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
120963index 0224c03..c5ec3d9 100644
120964--- a/net/ipv6/ip6_vti.c
120965+++ b/net/ipv6/ip6_vti.c
120966@@ -62,7 +62,7 @@ static u32 HASH(const struct in6_addr *addr1, const struct in6_addr *addr2)
120967
120968 static int vti6_dev_init(struct net_device *dev);
120969 static void vti6_dev_setup(struct net_device *dev);
120970-static struct rtnl_link_ops vti6_link_ops __read_mostly;
120971+static struct rtnl_link_ops vti6_link_ops;
120972
120973 static int vti6_net_id __read_mostly;
120974 struct vti6_net {
120975@@ -1019,7 +1019,7 @@ static const struct nla_policy vti6_policy[IFLA_VTI_MAX + 1] = {
120976 [IFLA_VTI_OKEY] = { .type = NLA_U32 },
120977 };
120978
120979-static struct rtnl_link_ops vti6_link_ops __read_mostly = {
120980+static struct rtnl_link_ops vti6_link_ops = {
120981 .kind = "vti6",
120982 .maxtype = IFLA_VTI_MAX,
120983 .policy = vti6_policy,
120984diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
120985index 63e6956..ebbbcf6 100644
120986--- a/net/ipv6/ipv6_sockglue.c
120987+++ b/net/ipv6/ipv6_sockglue.c
120988@@ -1015,7 +1015,7 @@ static int do_ipv6_getsockopt(struct sock *sk, int level, int optname,
120989 if (sk->sk_type != SOCK_STREAM)
120990 return -ENOPROTOOPT;
120991
120992- msg.msg_control = optval;
120993+ msg.msg_control = (void __force_kernel *)optval;
120994 msg.msg_controllen = len;
120995 msg.msg_flags = flags;
120996
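Review bot: The cast in `msg.msg_control = (void __force_kernel *)optval;` relabels the pointer for static checkers without changing where it points. `optval` is presumably the caller's userspace buffer, though its declaration is cut off in the hunk header. A comment on that line, e.g. `/* optval is still a user pointer; msg_control consumers must go through the user-copy helpers */`, would stop a later reader from treating `msg_control` as kernel memory. The code that consumes `msg` is outside the hunk, so this cannot be confirmed from here.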
120997diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
120998index 3c35ced..2e6882f 100644
120999--- a/net/ipv6/netfilter/ip6_tables.c
121000+++ b/net/ipv6/netfilter/ip6_tables.c
121001@@ -1086,14 +1086,14 @@ static int compat_table_info(const struct xt_table_info *info,
121002 #endif
121003
121004 static int get_info(struct net *net, void __user *user,
121005- const int *len, int compat)
121006+ int len, int compat)
121007 {
121008 char name[XT_TABLE_MAXNAMELEN];
121009 struct xt_table *t;
121010 int ret;
121011
121012- if (*len != sizeof(struct ip6t_getinfo)) {
121013- duprintf("length %u != %zu\n", *len,
121014+ if (len != sizeof(struct ip6t_getinfo)) {
121015+ duprintf("length %u != %zu\n", len,
121016 sizeof(struct ip6t_getinfo));
121017 return -EINVAL;
121018 }
121019@@ -1130,7 +1130,7 @@ static int get_info(struct net *net, void __user *user,
121020 info.size = private->size;
121021 strcpy(info.name, name);
121022
121023- if (copy_to_user(user, &info, *len) != 0)
121024+ if (copy_to_user(user, &info, len) != 0)
121025 ret = -EFAULT;
121026 else
121027 ret = 0;
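Review bot: `copy_to_user(user, &info, len)` still sizes the copy from the caller-supplied `len` rather than from the object being copied. The first `get_info` hunk rejects any `len` other than `sizeof(struct ip6t_getinfo)`, so the value is right today. `copy_to_user(user, &info, sizeof(info))` would tie the bound to `info` itself and stay correct if that check is later moved or relaxed. Separately, `duprintf("length %u != %zu\n", len, ...)` in the first hunk prints what is now a plain `int` with `%u`; `%d` matches the new parameter type. The declaration of `info` is outside the hunk and is assumed to be a `struct ip6t_getinfo`.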
121028@@ -1978,7 +1978,7 @@ compat_do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
121029
121030 switch (cmd) {
121031 case IP6T_SO_GET_INFO:
121032- ret = get_info(sock_net(sk), user, len, 1);
121033+ ret = get_info(sock_net(sk), user, *len, 1);
121034 break;
121035 case IP6T_SO_GET_ENTRIES:
121036 ret = compat_get_entries(sock_net(sk), user, len);
121037@@ -2025,7 +2025,7 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
121038
121039 switch (cmd) {
121040 case IP6T_SO_GET_INFO:
121041- ret = get_info(sock_net(sk), user, len, 0);
121042+ ret = get_info(sock_net(sk), user, *len, 0);
121043 break;
121044
121045 case IP6T_SO_GET_ENTRIES:
121046diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
121047index 6d02498..55e564f 100644
121048--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
121049+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
121050@@ -96,12 +96,11 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
121051
121052 static int nf_ct_frag6_sysctl_register(struct net *net)
121053 {
121054- struct ctl_table *table;
121055+ ctl_table_no_const *table = NULL;
121056 struct ctl_table_header *hdr;
121057
121058- table = nf_ct_frag6_sysctl_table;
121059 if (!net_eq(net, &init_net)) {
121060- table = kmemdup(table, sizeof(nf_ct_frag6_sysctl_table),
121061+ table = kmemdup(nf_ct_frag6_sysctl_table, sizeof(nf_ct_frag6_sysctl_table),
121062 GFP_KERNEL);
121063 if (table == NULL)
121064 goto err_alloc;
121065@@ -112,9 +111,9 @@ static int nf_ct_frag6_sysctl_register(struct net *net)
121066 table[2].data = &net->nf_frag.frags.high_thresh;
121067 table[2].extra1 = &net->nf_frag.frags.low_thresh;
121068 table[2].extra2 = &init_net.nf_frag.frags.high_thresh;
121069- }
121070-
121071- hdr = register_net_sysctl(net, "net/netfilter", table);
121072+ hdr = register_net_sysctl(net, "net/netfilter", table);
121073+ } else
121074+ hdr = register_net_sysctl(net, "net/netfilter", nf_ct_frag6_sysctl_table);
121075 if (hdr == NULL)
121076 goto err_reg;
121077
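Review bot: The new `} else` branch is unbraced while the `if` branch it pairs with is braced, which kernel coding style asks to avoid. Write it as `} else {`, then the `hdr = register_net_sysctl(net, "net/netfilter", nf_ct_frag6_sysctl_table);` call, then `}`. The same construct is added in `ip6_frags_ns_sysctl_register()` (net/ipv6/reassembly.c) and `xfrm6_net_init()` (net/ipv6/xfrm6_policy.c). In all three, the now-unconditional `kfree(table)` at `err_reg` is only correct because `table` is initialised to `NULL` on the `init_net` path. A short comment at the declaration, e.g. `/* stays NULL for init_net so err_reg can kfree() unconditionally */`, would protect that invariant.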
121078@@ -122,8 +121,7 @@ static int nf_ct_frag6_sysctl_register(struct net *net)
121079 return 0;
121080
121081 err_reg:
121082- if (!net_eq(net, &init_net))
121083- kfree(table);
121084+ kfree(table);
121085 err_alloc:
121086 return -ENOMEM;
121087 }
121088diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c
121089index 263a516..692f738 100644
121090--- a/net/ipv6/ping.c
121091+++ b/net/ipv6/ping.c
121092@@ -240,6 +240,24 @@ static struct pernet_operations ping_v6_net_ops = {
121093 };
121094 #endif
121095
121096+static struct pingv6_ops real_pingv6_ops = {
121097+ .ipv6_recv_error = ipv6_recv_error,
121098+ .ip6_datagram_recv_common_ctl = ip6_datagram_recv_common_ctl,
121099+ .ip6_datagram_recv_specific_ctl = ip6_datagram_recv_specific_ctl,
121100+ .icmpv6_err_convert = icmpv6_err_convert,
121101+ .ipv6_icmp_error = ipv6_icmp_error,
121102+ .ipv6_chk_addr = ipv6_chk_addr,
121103+};
121104+
121105+static struct pingv6_ops dummy_pingv6_ops = {
121106+ .ipv6_recv_error = dummy_ipv6_recv_error,
121107+ .ip6_datagram_recv_common_ctl = dummy_ip6_datagram_recv_ctl,
121108+ .ip6_datagram_recv_specific_ctl = dummy_ip6_datagram_recv_ctl,
121109+ .icmpv6_err_convert = dummy_icmpv6_err_convert,
121110+ .ipv6_icmp_error = dummy_ipv6_icmp_error,
121111+ .ipv6_chk_addr = dummy_ipv6_chk_addr,
121112+};
121113+
121114 int __init pingv6_init(void)
121115 {
121116 #ifdef CONFIG_PROC_FS
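Review bot: `real_pingv6_ops` and `dummy_pingv6_ops` are declared as writable `static struct pingv6_ops`, although nothing in the visible code writes to them after initialisation. If the `pingv6_ops` pointer, declared outside this file, can be made a pointer to const, then `static const struct pingv6_ops real_pingv6_ops = {` (and likewise for the dummy table) would put both function-pointer tables in read-only data. Neither table has a comment saying when it is installed; one line each, e.g. `/* installed by pingv6_init() */` and `/* restored by pingv6_exit() */`, would help. In the `pingv6_exit()` hunk the swap back to the dummy table happens before `inet6_unregister_protosw()`; whether callers can still be in flight at that point cannot be judged from these hunks.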
121117@@ -247,13 +265,7 @@ int __init pingv6_init(void)
121118 if (ret)
121119 return ret;
121120 #endif
121121- pingv6_ops.ipv6_recv_error = ipv6_recv_error;
121122- pingv6_ops.ip6_datagram_recv_common_ctl = ip6_datagram_recv_common_ctl;
121123- pingv6_ops.ip6_datagram_recv_specific_ctl =
121124- ip6_datagram_recv_specific_ctl;
121125- pingv6_ops.icmpv6_err_convert = icmpv6_err_convert;
121126- pingv6_ops.ipv6_icmp_error = ipv6_icmp_error;
121127- pingv6_ops.ipv6_chk_addr = ipv6_chk_addr;
121128+ pingv6_ops = &real_pingv6_ops;
121129 return inet6_register_protosw(&pingv6_protosw);
121130 }
121131
121132@@ -262,14 +274,9 @@ int __init pingv6_init(void)
121133 */
121134 void pingv6_exit(void)
121135 {
121136- pingv6_ops.ipv6_recv_error = dummy_ipv6_recv_error;
121137- pingv6_ops.ip6_datagram_recv_common_ctl = dummy_ip6_datagram_recv_ctl;
121138- pingv6_ops.ip6_datagram_recv_specific_ctl = dummy_ip6_datagram_recv_ctl;
121139- pingv6_ops.icmpv6_err_convert = dummy_icmpv6_err_convert;
121140- pingv6_ops.ipv6_icmp_error = dummy_ipv6_icmp_error;
121141- pingv6_ops.ipv6_chk_addr = dummy_ipv6_chk_addr;
121142 #ifdef CONFIG_PROC_FS
121143 unregister_pernet_subsys(&ping_v6_net_ops);
121144 #endif
121145+ pingv6_ops = &dummy_pingv6_ops;
121146 inet6_unregister_protosw(&pingv6_protosw);
121147 }
121148diff --git a/net/ipv6/proc.c b/net/ipv6/proc.c
121149index 679253d0..70b653c 100644
121150--- a/net/ipv6/proc.c
121151+++ b/net/ipv6/proc.c
121152@@ -310,7 +310,7 @@ static int __net_init ipv6_proc_init_net(struct net *net)
121153 if (!proc_create("snmp6", S_IRUGO, net->proc_net, &snmp6_seq_fops))
121154 goto proc_snmp6_fail;
121155
121156- net->mib.proc_net_devsnmp6 = proc_mkdir("dev_snmp6", net->proc_net);
121157+ net->mib.proc_net_devsnmp6 = proc_mkdir_restrict("dev_snmp6", net->proc_net);
121158 if (!net->mib.proc_net_devsnmp6)
121159 goto proc_dev_snmp6_fail;
121160 return 0;
121161diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c
121162index ca4700c..e44c0f9 100644
121163--- a/net/ipv6/raw.c
121164+++ b/net/ipv6/raw.c
121165@@ -388,7 +388,7 @@ static inline int rawv6_rcv_skb(struct sock *sk, struct sk_buff *skb)
121166 {
121167 if ((raw6_sk(sk)->checksum || rcu_access_pointer(sk->sk_filter)) &&
121168 skb_checksum_complete(skb)) {
121169- atomic_inc(&sk->sk_drops);
121170+ atomic_inc_unchecked(&sk->sk_drops);
121171 kfree_skb(skb);
121172 return NET_RX_DROP;
121173 }
121174@@ -416,7 +416,7 @@ int rawv6_rcv(struct sock *sk, struct sk_buff *skb)
121175 struct raw6_sock *rp = raw6_sk(sk);
121176
121177 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
121178- atomic_inc(&sk->sk_drops);
121179+ atomic_inc_unchecked(&sk->sk_drops);
121180 kfree_skb(skb);
121181 return NET_RX_DROP;
121182 }
121183@@ -440,7 +440,7 @@ int rawv6_rcv(struct sock *sk, struct sk_buff *skb)
121184
121185 if (inet->hdrincl) {
121186 if (skb_checksum_complete(skb)) {
121187- atomic_inc(&sk->sk_drops);
121188+ atomic_inc_unchecked(&sk->sk_drops);
121189 kfree_skb(skb);
121190 return NET_RX_DROP;
121191 }
121192@@ -608,7 +608,7 @@ out:
121193 return err;
121194 }
121195
121196-static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, int length,
121197+static int rawv6_send_hdrinc(struct sock *sk, struct msghdr *msg, unsigned int length,
121198 struct flowi6 *fl6, struct dst_entry **dstp,
121199 unsigned int flags)
121200 {
121201@@ -916,12 +916,15 @@ do_confirm:
121202 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
121203 char __user *optval, int optlen)
121204 {
121205+ struct icmp6_filter filter;
121206+
121207 switch (optname) {
121208 case ICMPV6_FILTER:
121209 if (optlen > sizeof(struct icmp6_filter))
121210 optlen = sizeof(struct icmp6_filter);
121211- if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
121212+ if (copy_from_user(&filter, optval, optlen))
121213 return -EFAULT;
121214+ raw6_sk(sk)->filter = filter;
121215 return 0;
121216 default:
121217 return -ENOPROTOOPT;
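Review bot: When `optlen` is smaller than `sizeof(struct icmp6_filter)`, `copy_from_user(&filter, optval, optlen)` fills only the front of the new stack variable, and `raw6_sk(sk)->filter = filter;` then stores its uninitialised tail into the socket. Before this change a short write left the remaining bytes of the socket's filter untouched. Now they hold leftover kernel stack contents, which `rawv6_geticmpfilter()` in the next hunk copies back to userspace. Seeding the local from the current value restores the old semantics and removes the uninitialised read: `struct icmp6_filter filter = raw6_sk(sk)->filter;`.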
121218@@ -934,6 +937,7 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
121219 char __user *optval, int __user *optlen)
121220 {
121221 int len;
121222+ struct icmp6_filter filter;
121223
121224 switch (optname) {
121225 case ICMPV6_FILTER:
121226@@ -945,7 +949,8 @@ static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
121227 len = sizeof(struct icmp6_filter);
121228 if (put_user(len, optlen))
121229 return -EFAULT;
121230- if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
121231+ filter = raw6_sk(sk)->filter;
121232+ if (len > sizeof filter || copy_to_user(optval, &filter, len))
121233 return -EFAULT;
121234 return 0;
121235 default:
121236diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
121237index f1159bb..0db5dad 100644
121238--- a/net/ipv6/reassembly.c
121239+++ b/net/ipv6/reassembly.c
121240@@ -626,12 +626,11 @@ static struct ctl_table ip6_frags_ctl_table[] = {
121241
121242 static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
121243 {
121244- struct ctl_table *table;
121245+ ctl_table_no_const *table = NULL;
121246 struct ctl_table_header *hdr;
121247
121248- table = ip6_frags_ns_ctl_table;
121249 if (!net_eq(net, &init_net)) {
121250- table = kmemdup(table, sizeof(ip6_frags_ns_ctl_table), GFP_KERNEL);
121251+ table = kmemdup(ip6_frags_ns_ctl_table, sizeof(ip6_frags_ns_ctl_table), GFP_KERNEL);
121252 if (!table)
121253 goto err_alloc;
121254
121255@@ -645,9 +644,10 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
121256 /* Don't export sysctls to unprivileged users */
121257 if (net->user_ns != &init_user_ns)
121258 table[0].procname = NULL;
121259- }
121260+ hdr = register_net_sysctl(net, "net/ipv6", table);
121261+ } else
121262+ hdr = register_net_sysctl(net, "net/ipv6", ip6_frags_ns_ctl_table);
121263
121264- hdr = register_net_sysctl(net, "net/ipv6", table);
121265 if (!hdr)
121266 goto err_reg;
121267
121268@@ -655,8 +655,7 @@ static int __net_init ip6_frags_ns_sysctl_register(struct net *net)
121269 return 0;
121270
121271 err_reg:
121272- if (!net_eq(net, &init_net))
121273- kfree(table);
121274+ kfree(table);
121275 err_alloc:
121276 return -ENOMEM;
121277 }
121278diff --git a/net/ipv6/route.c b/net/ipv6/route.c
121279index dd6ebba..69d56e8 100644
121280--- a/net/ipv6/route.c
121281+++ b/net/ipv6/route.c
121282@@ -3432,7 +3432,7 @@ struct ctl_table ipv6_route_table_template[] = {
121283
121284 struct ctl_table * __net_init ipv6_route_sysctl_init(struct net *net)
121285 {
121286- struct ctl_table *table;
121287+ ctl_table_no_const *table;
121288
121289 table = kmemdup(ipv6_route_table_template,
121290 sizeof(ipv6_route_table_template),
121291diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
121292index ac35a28..070cc8c 100644
121293--- a/net/ipv6/sit.c
121294+++ b/net/ipv6/sit.c
121295@@ -74,7 +74,7 @@ static void ipip6_tunnel_setup(struct net_device *dev);
121296 static void ipip6_dev_free(struct net_device *dev);
121297 static bool check_6rd(struct ip_tunnel *tunnel, const struct in6_addr *v6dst,
121298 __be32 *v4dst);
121299-static struct rtnl_link_ops sit_link_ops __read_mostly;
121300+static struct rtnl_link_ops sit_link_ops;
121301
121302 static int sit_net_id __read_mostly;
121303 struct sit_net {
121304@@ -1749,7 +1749,7 @@ static void ipip6_dellink(struct net_device *dev, struct list_head *head)
121305 unregister_netdevice_queue(dev, head);
121306 }
121307
121308-static struct rtnl_link_ops sit_link_ops __read_mostly = {
121309+static struct rtnl_link_ops sit_link_ops = {
121310 .kind = "sit",
121311 .maxtype = IFLA_IPTUN_MAX,
121312 .policy = ipip6_policy,
121313diff --git a/net/ipv6/sysctl_net_ipv6.c b/net/ipv6/sysctl_net_ipv6.c
121314index 4e705ad..9ba8db8 100644
121315--- a/net/ipv6/sysctl_net_ipv6.c
121316+++ b/net/ipv6/sysctl_net_ipv6.c
121317@@ -99,7 +99,7 @@ static struct ctl_table ipv6_rotable[] = {
121318
121319 static int __net_init ipv6_sysctl_net_init(struct net *net)
121320 {
121321- struct ctl_table *ipv6_table;
121322+ ctl_table_no_const *ipv6_table;
121323 struct ctl_table *ipv6_route_table;
121324 struct ctl_table *ipv6_icmp_table;
121325 int err;
121326diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
121327index 7a6cea5..1a99e26 100644
121328--- a/net/ipv6/tcp_ipv6.c
121329+++ b/net/ipv6/tcp_ipv6.c
121330@@ -103,6 +103,10 @@ static void inet6_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
121331 }
121332 }
121333
121334+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121335+extern int grsec_enable_blackhole;
121336+#endif
121337+
121338 static __u32 tcp_v6_init_sequence(const struct sk_buff *skb)
121339 {
121340 return secure_tcpv6_sequence_number(ipv6_hdr(skb)->daddr.s6_addr32,
121341@@ -1280,6 +1284,9 @@ static int tcp_v6_do_rcv(struct sock *sk, struct sk_buff *skb)
121342 return 0;
121343
121344 reset:
121345+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121346+ if (!grsec_enable_blackhole)
121347+#endif
121348 tcp_v6_send_reset(sk, skb);
121349 discard:
121350 if (opt_skb)
121351@@ -1389,12 +1396,20 @@ static int tcp_v6_rcv(struct sk_buff *skb)
121352
121353 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest,
121354 inet6_iif(skb));
121355- if (!sk)
121356+ if (!sk) {
121357+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121358+ ret = 1;
121359+#endif
121360 goto no_tcp_socket;
121361+ }
121362
121363 process:
121364- if (sk->sk_state == TCP_TIME_WAIT)
121365+ if (sk->sk_state == TCP_TIME_WAIT) {
121366+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121367+ ret = 2;
121368+#endif
121369 goto do_time_wait;
121370+ }
121371
121372 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
121373 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
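Review bot: `ret` is reused here as a state tag (`ret = 1` when no socket is found, `ret = 2` for `TCP_TIME_WAIT`) rather than as a return code, and the meaning of the two numbers is not stated anywhere in the hunk. Only `ret == 1` is tested, in the later hunk that guards `tcp_v6_send_reset(NULL, skb)`; `ret = 2` has no reader in the visible hunks. Any path that reaches that guard without passing these assignments depends on how `ret` was initialised outside the hunk. A dedicated local with named values would make the check auditable. At minimum add a comment such as `/* 1: no socket, 2: TIME_WAIT; read by the blackhole check before the reset */`.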
121374@@ -1446,6 +1461,10 @@ csum_error:
121375 bad_packet:
121376 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
121377 } else {
121378+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121379+ if (!grsec_enable_blackhole || (ret == 1 &&
121380+ (skb->dev->flags & IFF_LOOPBACK)))
121381+#endif
121382 tcp_v6_send_reset(NULL, skb);
121383 }
121384
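Review bot: The `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` block supplies only the head of an `if`, while the statement it controls, `tcp_v6_send_reset(NULL, skb);`, sits after the `#endif`. Any line later inserted between the two silently becomes the conditional body and makes the reset unconditional again. The same shape is used in `tcp_v6_do_rcv()` and in `__udp6_lib_rcv()` (net/ipv6/udp.c). A small helper in a shared header, returning true when the option is compiled out, would let each call site read as an ordinary braced `if`. It would also replace the per-file `extern int grsec_enable_blackhole;` declarations added in tcp_ipv6.c and udp.c. The condition also dereferences `skb->dev` without a check; whether it can be NULL on this path is not visible here.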
121385diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c
121386index e51fc3e..8f04229 100644
121387--- a/net/ipv6/udp.c
121388+++ b/net/ipv6/udp.c
121389@@ -76,6 +76,10 @@ static u32 udp6_ehashfn(const struct net *net,
121390 udp_ipv6_hash_secret + net_hash_mix(net));
121391 }
121392
121393+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121394+extern int grsec_enable_blackhole;
121395+#endif
121396+
121397 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
121398 {
121399 const struct in6_addr *sk2_rcv_saddr6 = inet6_rcv_saddr(sk2);
121400@@ -445,7 +449,7 @@ try_again:
121401 if (unlikely(err)) {
121402 trace_kfree_skb(skb, udpv6_recvmsg);
121403 if (!peeked) {
121404- atomic_inc(&sk->sk_drops);
121405+ atomic_inc_unchecked(&sk->sk_drops);
121406 if (is_udp4)
121407 UDP_INC_STATS_USER(sock_net(sk),
121408 UDP_MIB_INERRORS,
121409@@ -709,7 +713,7 @@ csum_error:
121410 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_CSUMERRORS, is_udplite);
121411 drop:
121412 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS, is_udplite);
121413- atomic_inc(&sk->sk_drops);
121414+ atomic_inc_unchecked(&sk->sk_drops);
121415 kfree_skb(skb);
121416 return -1;
121417 }
121418@@ -750,7 +754,7 @@ static void flush_stack(struct sock **stack, unsigned int count,
121419 if (likely(!skb1))
121420 skb1 = (i == final) ? skb : skb_clone(skb, GFP_ATOMIC);
121421 if (!skb1) {
121422- atomic_inc(&sk->sk_drops);
121423+ atomic_inc_unchecked(&sk->sk_drops);
121424 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
121425 IS_UDPLITE(sk));
121426 UDP6_INC_STATS_BH(sock_net(sk), UDP_MIB_INERRORS,
121427@@ -934,6 +938,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, struct udp_table *udptable,
121428 goto csum_error;
121429
121430 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
121431+#ifdef CONFIG_GRKERNSEC_BLACKHOLE
121432+ if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
121433+#endif
121434 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
121435
121436 kfree_skb(skb);
121437diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
121438index ed0583c..606962a 100644
121439--- a/net/ipv6/xfrm6_policy.c
121440+++ b/net/ipv6/xfrm6_policy.c
121441@@ -174,7 +174,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
121442 return;
121443
121444 case IPPROTO_ICMPV6:
121445- if (!onlyproto && pskb_may_pull(skb, nh + offset + 2 - skb->data)) {
121446+ if (!onlyproto && (nh + offset + 2 < skb->data ||
121447+ pskb_may_pull(skb, nh + offset + 2 - skb->data))) {
121448 u8 *icmp;
121449
121450 nh = skb_network_header(skb);
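Review bot: With the added `nh + offset + 2 < skb->data ||` term, the branch is entered without calling `pskb_may_pull()` at all whenever the computed end pointer lies before `skb->data`, and nothing on the line says why that is safe. Presumably the reasoning is that bytes below `skb->data` are already in the linear buffer, and that the pointer difference would otherwise be negative before it is converted to the length argument. That should be written down, e.g. `/* end is in already-pulled headroom: nothing to pull, and the difference would be negative */`. The `IPPROTO_MH` case in the next hunk (`+ 3`) needs the same comment. The definitions of `nh` and `offset` are outside the hunk, so the relationship between `nh` and the skb's head pointer should be confirmed before relying on the short-circuit.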
121451@@ -188,7 +189,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
121452 #if IS_ENABLED(CONFIG_IPV6_MIP6)
121453 case IPPROTO_MH:
121454 offset += ipv6_optlen(exthdr);
121455- if (!onlyproto && pskb_may_pull(skb, nh + offset + 3 - skb->data)) {
121456+ if (!onlyproto && (nh + offset + 3 < skb->data ||
121457+ pskb_may_pull(skb, nh + offset + 3 - skb->data))) {
121458 struct ip6_mh *mh;
121459
121460 nh = skb_network_header(skb);
121461@@ -211,11 +213,11 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
121462 }
121463 }
121464
121465-static inline int xfrm6_garbage_collect(struct dst_ops *ops)
121466+static int xfrm6_garbage_collect(struct dst_ops *ops)
121467 {
121468 struct net *net = container_of(ops, struct net, xfrm.xfrm6_dst_ops);
121469
121470- xfrm6_policy_afinfo.garbage_collect(net);
121471+ xfrm_garbage_collect_deferred(net);
121472 return dst_entries_get_fast(ops) > ops->gc_thresh * 2;
121473 }
121474
121475@@ -322,19 +324,19 @@ static struct ctl_table xfrm6_policy_table[] = {
121476
121477 static int __net_init xfrm6_net_init(struct net *net)
121478 {
121479- struct ctl_table *table;
121480+ ctl_table_no_const *table = NULL;
121481 struct ctl_table_header *hdr;
121482
121483- table = xfrm6_policy_table;
121484 if (!net_eq(net, &init_net)) {
121485- table = kmemdup(table, sizeof(xfrm6_policy_table), GFP_KERNEL);
121486+ table = kmemdup(xfrm6_policy_table, sizeof(xfrm6_policy_table), GFP_KERNEL);
121487 if (!table)
121488 goto err_alloc;
121489
121490 table[0].data = &net->xfrm.xfrm6_dst_ops.gc_thresh;
121491- }
121492+ hdr = register_net_sysctl(net, "net/ipv6", table);
121493+ } else
121494+ hdr = register_net_sysctl(net, "net/ipv6", xfrm6_policy_table);
121495
121496- hdr = register_net_sysctl(net, "net/ipv6", table);
121497 if (!hdr)
121498 goto err_reg;
121499
121500@@ -342,8 +344,7 @@ static int __net_init xfrm6_net_init(struct net *net)
121501 return 0;
121502
121503 err_reg:
121504- if (!net_eq(net, &init_net))
121505- kfree(table);
121506+ kfree(table);
121507 err_alloc:
121508 return -ENOMEM;
121509 }
121510diff --git a/net/ipx/ipx_proc.c b/net/ipx/ipx_proc.c
121511index c1d247e..9e5949d 100644
121512--- a/net/ipx/ipx_proc.c
121513+++ b/net/ipx/ipx_proc.c
121514@@ -289,7 +289,7 @@ int __init ipx_proc_init(void)
121515 struct proc_dir_entry *p;
121516 int rc = -ENOMEM;
121517
121518- ipx_proc_dir = proc_mkdir("ipx", init_net.proc_net);
121519+ ipx_proc_dir = proc_mkdir_restrict("ipx", init_net.proc_net);
121520
121521 if (!ipx_proc_dir)
121522 goto out;
121523diff --git a/net/irda/ircomm/ircomm_tty.c b/net/irda/ircomm/ircomm_tty.c
121524index 683346d..cb0e12d 100644
121525--- a/net/irda/ircomm/ircomm_tty.c
121526+++ b/net/irda/ircomm/ircomm_tty.c
121527@@ -310,10 +310,10 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
121528 add_wait_queue(&port->open_wait, &wait);
121529
121530 pr_debug("%s(%d):block_til_ready before block on %s open_count=%d\n",
121531- __FILE__, __LINE__, tty->driver->name, port->count);
121532+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
121533
121534 spin_lock_irqsave(&port->lock, flags);
121535- port->count--;
121536+ atomic_dec(&port->count);
121537 port->blocked_open++;
121538 spin_unlock_irqrestore(&port->lock, flags);
121539
121540@@ -348,7 +348,7 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
121541 }
121542
121543 pr_debug("%s(%d):block_til_ready blocking on %s open_count=%d\n",
121544- __FILE__, __LINE__, tty->driver->name, port->count);
121545+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
121546
121547 schedule();
121548 }
121549@@ -358,12 +358,12 @@ static int ircomm_tty_block_til_ready(struct ircomm_tty_cb *self,
121550
121551 spin_lock_irqsave(&port->lock, flags);
121552 if (!tty_hung_up_p(filp))
121553- port->count++;
121554+ atomic_inc(&port->count);
121555 port->blocked_open--;
121556 spin_unlock_irqrestore(&port->lock, flags);
121557
121558 pr_debug("%s(%d):block_til_ready after blocking on %s open_count=%d\n",
121559- __FILE__, __LINE__, tty->driver->name, port->count);
121560+ __FILE__, __LINE__, tty->driver->name, atomic_read(&port->count));
121561
121562 if (!retval)
121563 port->flags |= ASYNC_NORMAL_ACTIVE;
121564@@ -433,12 +433,12 @@ static int ircomm_tty_open(struct tty_struct *tty, struct file *filp)
121565
121566 /* ++ is not atomic, so this should be protected - Jean II */
121567 spin_lock_irqsave(&self->port.lock, flags);
121568- self->port.count++;
121569+ atomic_inc(&self->port.count);
121570 spin_unlock_irqrestore(&self->port.lock, flags);
121571 tty_port_tty_set(&self->port, tty);
121572
121573 pr_debug("%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
121574- self->line, self->port.count);
121575+ self->line, atomic_read(&self->port.count));
121576
121577 /* Not really used by us, but lets do it anyway */
121578 self->port.low_latency = (self->port.flags & ASYNC_LOW_LATENCY) ? 1 : 0;
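Review bot: The retained comment `/* ++ is not atomic, so this should be protected - Jean II */` no longer describes the line beneath it, which is now `atomic_inc(&self->port.count);`. Either drop it or replace it with the reason the spinlock is still held around an atomic operation. One candidate is `/* lock still taken to serialise with the count reset in ircomm_tty_hangup() */`, to be confirmed, since the hangup hunk does `atomic_set(&port->count, 0)` under `port->lock`. The body of `ircomm_tty_open()` extends beyond the hunk on both sides.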
121579@@ -961,7 +961,7 @@ static void ircomm_tty_hangup(struct tty_struct *tty)
121580 tty_kref_put(port->tty);
121581 }
121582 port->tty = NULL;
121583- port->count = 0;
121584+ atomic_set(&port->count, 0);
121585 spin_unlock_irqrestore(&port->lock, flags);
121586
121587 wake_up_interruptible(&port->open_wait);
121588@@ -1308,7 +1308,7 @@ static void ircomm_tty_line_info(struct ircomm_tty_cb *self, struct seq_file *m)
121589 seq_putc(m, '\n');
121590
121591 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
121592- seq_printf(m, "Open count: %d\n", self->port.count);
121593+ seq_printf(m, "Open count: %d\n", atomic_read(&self->port.count));
121594 seq_printf(m, "Max data size: %d\n", self->max_data_size);
121595 seq_printf(m, "Max header size: %d\n", self->max_header_size);
121596
121597diff --git a/net/irda/irlmp.c b/net/irda/irlmp.c
121598index a26c401..4396459 100644
121599--- a/net/irda/irlmp.c
121600+++ b/net/irda/irlmp.c
121601@@ -1839,7 +1839,7 @@ static void *irlmp_seq_hb_idx(struct irlmp_iter_state *iter, loff_t *off)
121602 for (element = hashbin_get_first(iter->hashbin);
121603 element != NULL;
121604 element = hashbin_get_next(iter->hashbin)) {
121605- if (!off || *off-- == 0) {
121606+ if (!off || (*off)-- == 0) {
121607 /* NB: hashbin left locked */
121608 return element;
121609 }
121610diff --git a/net/irda/irproc.c b/net/irda/irproc.c
121611index b9ac598..f88cc56 100644
121612--- a/net/irda/irproc.c
121613+++ b/net/irda/irproc.c
121614@@ -66,7 +66,7 @@ void __init irda_proc_register(void)
121615 {
121616 int i;
121617
121618- proc_irda = proc_mkdir("irda", init_net.proc_net);
121619+ proc_irda = proc_mkdir_restrict("irda", init_net.proc_net);
121620 if (proc_irda == NULL)
121621 return;
121622
121623diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c
121624index 918151c..5bbe95a 100644
121625--- a/net/iucv/af_iucv.c
121626+++ b/net/iucv/af_iucv.c
121627@@ -686,10 +686,10 @@ static void __iucv_auto_name(struct iucv_sock *iucv)
121628 {
121629 char name[12];
121630
121631- sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
121632+ sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
121633 while (__iucv_get_sock_by_name(name)) {
121634 sprintf(name, "%08x",
121635- atomic_inc_return(&iucv_sk_list.autobind_name));
121636+ atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
121637 }
121638 memcpy(iucv->src_name, name, 8);
121639 }
121640diff --git a/net/iucv/iucv.c b/net/iucv/iucv.c
121641index 2a6a1fd..6c112b0 100644
121642--- a/net/iucv/iucv.c
121643+++ b/net/iucv/iucv.c
121644@@ -702,7 +702,7 @@ static int iucv_cpu_notify(struct notifier_block *self,
121645 return NOTIFY_OK;
121646 }
121647
121648-static struct notifier_block __refdata iucv_cpu_notifier = {
121649+static struct notifier_block iucv_cpu_notifier = {
121650 .notifier_call = iucv_cpu_notify,
121651 };
121652
121653diff --git a/net/key/af_key.c b/net/key/af_key.c
121654index 83a7068..facf2f0 100644
121655--- a/net/key/af_key.c
121656+++ b/net/key/af_key.c
121657@@ -3050,10 +3050,10 @@ static int pfkey_send_policy_notify(struct xfrm_policy *xp, int dir, const struc
121658 static u32 get_acqseq(void)
121659 {
121660 u32 res;
121661- static atomic_t acqseq;
121662+ static atomic_unchecked_t acqseq;
121663
121664 do {
121665- res = atomic_inc_return(&acqseq);
121666+ res = atomic_inc_return_unchecked(&acqseq);
121667 } while (!res);
121668 return res;
121669 }
121670diff --git a/net/l2tp/l2tp_eth.c b/net/l2tp/l2tp_eth.c
121671index 4b55287..bd247f7 100644
121672--- a/net/l2tp/l2tp_eth.c
121673+++ b/net/l2tp/l2tp_eth.c
121674@@ -42,12 +42,12 @@ struct l2tp_eth {
121675 struct sock *tunnel_sock;
121676 struct l2tp_session *session;
121677 struct list_head list;
121678- atomic_long_t tx_bytes;
121679- atomic_long_t tx_packets;
121680- atomic_long_t tx_dropped;
121681- atomic_long_t rx_bytes;
121682- atomic_long_t rx_packets;
121683- atomic_long_t rx_errors;
121684+ atomic_long_unchecked_t tx_bytes;
121685+ atomic_long_unchecked_t tx_packets;
121686+ atomic_long_unchecked_t tx_dropped;
121687+ atomic_long_unchecked_t rx_bytes;
121688+ atomic_long_unchecked_t rx_packets;
121689+ atomic_long_unchecked_t rx_errors;
121690 };
121691
121692 /* via l2tp_session_priv() */
121693@@ -98,10 +98,10 @@ static int l2tp_eth_dev_xmit(struct sk_buff *skb, struct net_device *dev)
121694 int ret = l2tp_xmit_skb(session, skb, session->hdr_len);
121695
121696 if (likely(ret == NET_XMIT_SUCCESS)) {
121697- atomic_long_add(len, &priv->tx_bytes);
121698- atomic_long_inc(&priv->tx_packets);
121699+ atomic_long_add_unchecked(len, &priv->tx_bytes);
121700+ atomic_long_inc_unchecked(&priv->tx_packets);
121701 } else {
121702- atomic_long_inc(&priv->tx_dropped);
121703+ atomic_long_inc_unchecked(&priv->tx_dropped);
121704 }
121705 return NETDEV_TX_OK;
121706 }
121707@@ -111,12 +111,12 @@ static struct rtnl_link_stats64 *l2tp_eth_get_stats64(struct net_device *dev,
121708 {
121709 struct l2tp_eth *priv = netdev_priv(dev);
121710
121711- stats->tx_bytes = atomic_long_read(&priv->tx_bytes);
121712- stats->tx_packets = atomic_long_read(&priv->tx_packets);
121713- stats->tx_dropped = atomic_long_read(&priv->tx_dropped);
121714- stats->rx_bytes = atomic_long_read(&priv->rx_bytes);
121715- stats->rx_packets = atomic_long_read(&priv->rx_packets);
121716- stats->rx_errors = atomic_long_read(&priv->rx_errors);
121717+ stats->tx_bytes = atomic_long_read_unchecked(&priv->tx_bytes);
121718+ stats->tx_packets = atomic_long_read_unchecked(&priv->tx_packets);
121719+ stats->tx_dropped = atomic_long_read_unchecked(&priv->tx_dropped);
121720+ stats->rx_bytes = atomic_long_read_unchecked(&priv->rx_bytes);
121721+ stats->rx_packets = atomic_long_read_unchecked(&priv->rx_packets);
121722+ stats->rx_errors = atomic_long_read_unchecked(&priv->rx_errors);
121723 return stats;
121724 }
121725
121726@@ -167,15 +167,15 @@ static void l2tp_eth_dev_recv(struct l2tp_session *session, struct sk_buff *skb,
121727 nf_reset(skb);
121728
121729 if (dev_forward_skb(dev, skb) == NET_RX_SUCCESS) {
121730- atomic_long_inc(&priv->rx_packets);
121731- atomic_long_add(data_len, &priv->rx_bytes);
121732+ atomic_long_inc_unchecked(&priv->rx_packets);
121733+ atomic_long_add_unchecked(data_len, &priv->rx_bytes);
121734 } else {
121735- atomic_long_inc(&priv->rx_errors);
121736+ atomic_long_inc_unchecked(&priv->rx_errors);
121737 }
121738 return;
121739
121740 error:
121741- atomic_long_inc(&priv->rx_errors);
121742+ atomic_long_inc_unchecked(&priv->rx_errors);
121743 kfree_skb(skb);
121744 }
121745
121746diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c
121747index 7964993..2c48a3a 100644
121748--- a/net/l2tp/l2tp_ip.c
121749+++ b/net/l2tp/l2tp_ip.c
121750@@ -608,7 +608,7 @@ static struct inet_protosw l2tp_ip_protosw = {
121751 .ops = &l2tp_ip_ops,
121752 };
121753
121754-static struct net_protocol l2tp_ip_protocol __read_mostly = {
121755+static const struct net_protocol l2tp_ip_protocol = {
121756 .handler = l2tp_ip_recv,
121757 .netns_ok = 1,
121758 };
121759diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
121760index d1ded37..c0d1e49 100644
121761--- a/net/l2tp/l2tp_ip6.c
121762+++ b/net/l2tp/l2tp_ip6.c
121763@@ -755,7 +755,7 @@ static struct inet_protosw l2tp_ip6_protosw = {
121764 .ops = &l2tp_ip6_ops,
121765 };
121766
121767-static struct inet6_protocol l2tp_ip6_protocol __read_mostly = {
121768+static const struct inet6_protocol l2tp_ip6_protocol = {
121769 .handler = l2tp_ip6_recv,
121770 };
121771
121772diff --git a/net/llc/llc_proc.c b/net/llc/llc_proc.c
121773index 1a3c7e0..80f8b0c 100644
121774--- a/net/llc/llc_proc.c
121775+++ b/net/llc/llc_proc.c
121776@@ -247,7 +247,7 @@ int __init llc_proc_init(void)
121777 int rc = -ENOMEM;
121778 struct proc_dir_entry *p;
121779
121780- llc_proc_dir = proc_mkdir("llc", init_net.proc_net);
121781+ llc_proc_dir = proc_mkdir_restrict("llc", init_net.proc_net);
121782 if (!llc_proc_dir)
121783 goto out;
121784
121785diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
121786index bf7023f..86a5bc6 100644
121787--- a/net/mac80211/cfg.c
121788+++ b/net/mac80211/cfg.c
121789@@ -580,7 +580,7 @@ static int ieee80211_set_monitor_channel(struct wiphy *wiphy,
121790 ret = ieee80211_vif_use_channel(sdata, chandef,
121791 IEEE80211_CHANCTX_EXCLUSIVE);
121792 }
121793- } else if (local->open_count == local->monitors) {
121794+ } else if (local_read(&local->open_count) == local->monitors) {
121795 local->_oper_chandef = *chandef;
121796 ieee80211_hw_config(local, 0);
121797 }
121798@@ -3488,7 +3488,7 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
121799 else
121800 local->probe_req_reg--;
121801
121802- if (!local->open_count)
121803+ if (!local_read(&local->open_count))
121804 break;
121805
121806 ieee80211_queue_work(&local->hw, &local->reconfig_filter);
121807@@ -3637,8 +3637,8 @@ static int ieee80211_cfg_get_channel(struct wiphy *wiphy,
121808 if (chanctx_conf) {
121809 *chandef = sdata->vif.bss_conf.chandef;
121810 ret = 0;
121811- } else if (local->open_count > 0 &&
121812- local->open_count == local->monitors &&
121813+ } else if (local_read(&local->open_count) > 0 &&
121814+ local_read(&local->open_count) == local->monitors &&
121815 sdata->vif.type == NL80211_IFTYPE_MONITOR) {
121816 if (local->use_chanctx)
121817 *chandef = local->monitor_chandef;
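Review bot: The rewritten condition in ieee80211_cfg_get_channel evaluates `local_read(&local->open_count)` twice, once for the `> 0` test and once for the `== local->monitors` test, so the two comparisons are separate loads of the counter. Reading it once, `long open_count = local_read(&local->open_count);`, and testing `open_count > 0 && open_count == local->monitors` keeps both comparisons on one value and shortens the line. The function starts and ends outside this hunk, so whether a lock already serialises this path cannot be confirmed from here.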
121818diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
121819index b12f615..a264a60 100644
121820--- a/net/mac80211/ieee80211_i.h
121821+++ b/net/mac80211/ieee80211_i.h
121822@@ -30,6 +30,7 @@
121823 #include <net/ieee80211_radiotap.h>
121824 #include <net/cfg80211.h>
121825 #include <net/mac80211.h>
121826+#include <asm/local.h>
121827 #include "key.h"
121828 #include "sta_info.h"
121829 #include "debug.h"
121830@@ -1112,7 +1113,7 @@ struct ieee80211_local {
121831 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
121832 spinlock_t queue_stop_reason_lock;
121833
121834- int open_count;
121835+ local_t open_count;
121836 int monitors, cooked_mntrs;
121837 /* number of interfaces with corresponding FIF_ flags */
121838 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
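Review bot: `local_t open_count;` needs a comment on the field, because local_t operations are atomic only with respect to the CPU executing them and give no cross-CPU guarantee. The counter is per device rather than per CPU, so the `local_inc`/`local_dec` updates in iface.c remain safe only under the locking the callers already hold. The rate.c hunk shows `ASSERT_RTNL()` just before one reader, which suggests RTNL, but that should be confirmed. Something like `/* not a per-CPU counter: local_t ops are CPU-local only, updates rely on RTNL */` would record the assumption. The struct definition continues outside this hunk.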
121839diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
121840index 553ac6d..d2480da 100644
121841--- a/net/mac80211/iface.c
121842+++ b/net/mac80211/iface.c
121843@@ -550,7 +550,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
121844 break;
121845 }
121846
121847- if (local->open_count == 0) {
121848+ if (local_read(&local->open_count) == 0) {
121849 res = drv_start(local);
121850 if (res)
121851 goto err_del_bss;
121852@@ -597,7 +597,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
121853 res = drv_add_interface(local, sdata);
121854 if (res)
121855 goto err_stop;
121856- } else if (local->monitors == 0 && local->open_count == 0) {
121857+ } else if (local->monitors == 0 && local_read(&local->open_count) == 0) {
121858 res = ieee80211_add_virtual_monitor(local);
121859 if (res)
121860 goto err_stop;
121861@@ -704,7 +704,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
121862 atomic_inc(&local->iff_allmultis);
121863
121864 if (coming_up)
121865- local->open_count++;
121866+ local_inc(&local->open_count);
121867
121868 if (hw_reconf_flags)
121869 ieee80211_hw_config(local, hw_reconf_flags);
121870@@ -742,7 +742,7 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up)
121871 err_del_interface:
121872 drv_remove_interface(local, sdata);
121873 err_stop:
121874- if (!local->open_count)
121875+ if (!local_read(&local->open_count))
121876 drv_stop(local);
121877 err_del_bss:
121878 sdata->bss = NULL;
121879@@ -909,7 +909,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
121880 }
121881
121882 if (going_down)
121883- local->open_count--;
121884+ local_dec(&local->open_count);
121885
121886 switch (sdata->vif.type) {
121887 case NL80211_IFTYPE_AP_VLAN:
121888@@ -978,7 +978,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
121889 atomic_set(&sdata->txqs_len[txqi->txq.ac], 0);
121890 }
121891
121892- if (local->open_count == 0)
121893+ if (local_read(&local->open_count) == 0)
121894 ieee80211_clear_tx_pending(local);
121895
121896 /*
121897@@ -1021,7 +1021,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
121898 if (cancel_scan)
121899 flush_delayed_work(&local->scan_work);
121900
121901- if (local->open_count == 0) {
121902+ if (local_read(&local->open_count) == 0) {
121903 ieee80211_stop_device(local);
121904
121905 /* no reconfiguring after stop! */
121906@@ -1032,7 +1032,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
121907 ieee80211_configure_filter(local);
121908 ieee80211_hw_config(local, hw_reconf_flags);
121909
121910- if (local->monitors == local->open_count)
121911+ if (local->monitors == local_read(&local->open_count))
121912 ieee80211_add_virtual_monitor(local);
121913 }
121914
121915@@ -1884,8 +1884,8 @@ void ieee80211_remove_interfaces(struct ieee80211_local *local)
121916 */
121917 cfg80211_shutdown_all_interfaces(local->hw.wiphy);
121918
121919- WARN(local->open_count, "%s: open count remains %d\n",
121920- wiphy_name(local->hw.wiphy), local->open_count);
121921+ WARN(local_read(&local->open_count), "%s: open count remains %ld\n",
121922+ wiphy_name(local->hw.wiphy), local_read(&local->open_count));
121923
121924 mutex_lock(&local->iflist_mtx);
121925 list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
121926diff --git a/net/mac80211/main.c b/net/mac80211/main.c
121927index 3c63468..b5c285f 100644
121928--- a/net/mac80211/main.c
121929+++ b/net/mac80211/main.c
121930@@ -172,7 +172,7 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed)
121931 changed &= ~(IEEE80211_CONF_CHANGE_CHANNEL |
121932 IEEE80211_CONF_CHANGE_POWER);
121933
121934- if (changed && local->open_count) {
121935+ if (changed && local_read(&local->open_count)) {
121936 ret = drv_config(local, changed);
121937 /*
121938 * Goal:
121939diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c
121940index b676b9f..395dd95 100644
121941--- a/net/mac80211/pm.c
121942+++ b/net/mac80211/pm.c
121943@@ -12,7 +12,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
121944 struct ieee80211_sub_if_data *sdata;
121945 struct sta_info *sta;
121946
121947- if (!local->open_count)
121948+ if (!local_read(&local->open_count))
121949 goto suspend;
121950
121951 ieee80211_scan_cancel(local);
121952@@ -166,7 +166,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan)
121953 WARN_ON(!list_empty(&local->chanctx_list));
121954
121955 /* stop hardware - this must stop RX */
121956- if (local->open_count)
121957+ if (local_read(&local->open_count))
121958 ieee80211_stop_device(local);
121959
121960 suspend:
121961diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
121962index fda33f9..0e7d4c0 100644
121963--- a/net/mac80211/rate.c
121964+++ b/net/mac80211/rate.c
121965@@ -730,7 +730,7 @@ int ieee80211_init_rate_ctrl_alg(struct ieee80211_local *local,
121966
121967 ASSERT_RTNL();
121968
121969- if (local->open_count)
121970+ if (local_read(&local->open_count))
121971 return -EBUSY;
121972
121973 if (ieee80211_hw_check(&local->hw, HAS_RATE_CONTROL)) {
121974diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
121975index 666ddac..0cad93b 100644
121976--- a/net/mac80211/sta_info.c
121977+++ b/net/mac80211/sta_info.c
121978@@ -341,7 +341,7 @@ struct sta_info *sta_info_alloc(struct ieee80211_sub_if_data *sdata,
121979 int size = sizeof(struct txq_info) +
121980 ALIGN(hw->txq_data_size, sizeof(void *));
121981
121982- txq_data = kcalloc(ARRAY_SIZE(sta->sta.txq), size, gfp);
121983+ txq_data = kcalloc(size, ARRAY_SIZE(sta->sta.txq), gfp);
121984 if (!txq_data)
121985 goto free;
121986
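Review bot: The swapped call `kcalloc(size, ARRAY_SIZE(sta->sta.txq), gfp)` passes the per-element byte size as the element count and the array length as the element size, which reads as a mistake against the `kcalloc(n, size, flags)` signature. The product and the multiplication overflow check are the same either way, so the swap is presumably there for tooling rather than behaviour. A short comment such as `/* argument order is deliberate, do not swap back */` together with the actual reason would stop a later cleanup from reverting it. sta_info_alloc begins and ends outside the hunk.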
121987diff --git a/net/mac80211/util.c b/net/mac80211/util.c
121988index 43e5aad..d117c3a 100644
121989--- a/net/mac80211/util.c
121990+++ b/net/mac80211/util.c
121991@@ -1761,7 +1761,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
121992 bool sched_scan_stopped = false;
121993
121994 /* nothing to do if HW shouldn't run */
121995- if (!local->open_count)
121996+ if (!local_read(&local->open_count))
121997 goto wake_up;
121998
121999 #ifdef CONFIG_PM
122000@@ -2033,7 +2033,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
122001 local->in_reconfig = false;
122002 barrier();
122003
122004- if (local->monitors == local->open_count && local->monitors > 0)
122005+ if (local->monitors == local_read(&local->open_count) && local->monitors > 0)
122006 ieee80211_add_virtual_monitor(local);
122007
122008 /*
122009@@ -2088,7 +2088,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
122010 * If this is for hw restart things are still running.
122011 * We may want to change that later, however.
122012 */
122013- if (local->open_count && (!local->suspended || reconfig_due_to_wowlan))
122014+ if (local_read(&local->open_count) && (!local->suspended || reconfig_due_to_wowlan))
122015 drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART);
122016
122017 if (!local->suspended)
122018@@ -2112,7 +2112,7 @@ int ieee80211_reconfig(struct ieee80211_local *local)
122019 flush_delayed_work(&local->scan_work);
122020 }
122021
122022- if (local->open_count && !reconfig_due_to_wowlan)
122023+ if (local_read(&local->open_count) && !reconfig_due_to_wowlan)
122024 drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_SUSPEND);
122025
122026 list_for_each_entry(sdata, &local->interfaces, list) {
122027diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
122028index 1f93a59..96faa29 100644
122029--- a/net/mpls/af_mpls.c
122030+++ b/net/mpls/af_mpls.c
122031@@ -456,7 +456,7 @@ static int mpls_dev_sysctl_register(struct net_device *dev,
122032 struct mpls_dev *mdev)
122033 {
122034 char path[sizeof("net/mpls/conf/") + IFNAMSIZ];
122035- struct ctl_table *table;
122036+ ctl_table_no_const *table;
122037 int i;
122038
122039 table = kmemdup(&mpls_dev_table, sizeof(mpls_dev_table), GFP_KERNEL);
122040@@ -1025,7 +1025,7 @@ static int mpls_platform_labels(struct ctl_table *table, int write,
122041 struct net *net = table->data;
122042 int platform_labels = net->mpls.platform_labels;
122043 int ret;
122044- struct ctl_table tmp = {
122045+ ctl_table_no_const tmp = {
122046 .procname = table->procname,
122047 .data = &platform_labels,
122048 .maxlen = sizeof(int),
122049@@ -1055,7 +1055,7 @@ static const struct ctl_table mpls_table[] = {
122050
122051 static int mpls_net_init(struct net *net)
122052 {
122053- struct ctl_table *table;
122054+ ctl_table_no_const *table;
122055
122056 net->mpls.platform_labels = 0;
122057 net->mpls.platform_label = NULL;
122058diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
122059index 6eae69a..ccccba8 100644
122060--- a/net/netfilter/Kconfig
122061+++ b/net/netfilter/Kconfig
122062@@ -1125,6 +1125,16 @@ config NETFILTER_XT_MATCH_ESP
122063
122064 To compile it as a module, choose M here. If unsure, say N.
122065
122066+config NETFILTER_XT_MATCH_GRADM
122067+ tristate '"gradm" match support'
122068+ depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
122069+ depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
122070+ ---help---
122071+ The gradm match allows to match on grsecurity RBAC being enabled.
122072+ It is useful when iptables rules are applied early on bootup to
122073+ prevent connections to the machine (except from a trusted host)
122074+ while the RBAC system is disabled.
122075+
122076 config NETFILTER_XT_MATCH_HASHLIMIT
122077 tristate '"hashlimit" match support'
122078 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
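Review bot: The help text for NETFILTER_XT_MATCH_GRADM gives no default recommendation, while the neighbouring entry ends with "If unsure, say N."; adding that line keeps the option consistent with the rest of the file. The text should also say that the match blocks nothing by itself: the protection it describes depends on rules that use it being loaded before the machine accepts connections. The wording "allows to match on" reads better as `allows matching on whether grsecurity RBAC is enabled`.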
122079diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
122080index 70d026d..c400590 100644
122081--- a/net/netfilter/Makefile
122082+++ b/net/netfilter/Makefile
122083@@ -140,6 +140,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP) += xt_devgroup.o
122084 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
122085 obj-$(CONFIG_NETFILTER_XT_MATCH_ECN) += xt_ecn.o
122086 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
122087+obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
122088 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
122089 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
122090 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
122091diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
122092index 338b404..839dcb0 100644
122093--- a/net/netfilter/ipset/ip_set_core.c
122094+++ b/net/netfilter/ipset/ip_set_core.c
122095@@ -1998,7 +1998,7 @@ done:
122096 return ret;
122097 }
122098
122099-static struct nf_sockopt_ops so_set __read_mostly = {
122100+static struct nf_sockopt_ops so_set = {
122101 .pf = PF_INET,
122102 .get_optmin = SO_IP_SET,
122103 .get_optmax = SO_IP_SET + 1,
122104diff --git a/net/netfilter/ipvs/ip_vs_conn.c b/net/netfilter/ipvs/ip_vs_conn.c
122105index b0f7b62..0541842 100644
122106--- a/net/netfilter/ipvs/ip_vs_conn.c
122107+++ b/net/netfilter/ipvs/ip_vs_conn.c
122108@@ -572,7 +572,7 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, struct ip_vs_dest *dest)
122109 /* Increase the refcnt counter of the dest */
122110 ip_vs_dest_hold(dest);
122111
122112- conn_flags = atomic_read(&dest->conn_flags);
122113+ conn_flags = atomic_read_unchecked(&dest->conn_flags);
122114 if (cp->protocol != IPPROTO_UDP)
122115 conn_flags &= ~IP_VS_CONN_F_ONE_PACKET;
122116 flags = cp->flags;
122117@@ -922,7 +922,7 @@ ip_vs_conn_new(const struct ip_vs_conn_param *p, int dest_af,
122118
122119 cp->control = NULL;
122120 atomic_set(&cp->n_control, 0);
122121- atomic_set(&cp->in_pkts, 0);
122122+ atomic_set_unchecked(&cp->in_pkts, 0);
122123
122124 cp->packet_xmit = NULL;
122125 cp->app = NULL;
122126@@ -1229,7 +1229,7 @@ static inline int todrop_entry(struct ip_vs_conn *cp)
122127
122128 /* Don't drop the entry if its number of incoming packets is not
122129 located in [0, 8] */
122130- i = atomic_read(&cp->in_pkts);
122131+ i = atomic_read_unchecked(&cp->in_pkts);
122132 if (i > 8 || i < 0) return 0;
122133
122134 if (!todrop_rate[i]) return 0;
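Review bot: With `in_pkts` now read through `atomic_read_unchecked`, the counter is exempt from overflow detection and may wrap, so the `i < 0` half of the range test is what keeps the `todrop_rate[i]` index in bounds once it does. That check is easy to mistake for dead code. A comment such as `/* in_pkts is an unchecked counter and may wrap negative */` above `if (i > 8 || i < 0) return 0;` would protect it from cleanup. The declaration of in_pkts and the rest of todrop_entry are outside this hunk; the same conversion appears in the ip_vs_core.c, ip_vs_sync.c and ip_vs_xmit.c hunks.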
122135diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
122136index 38fbc19..4272cb4 100644
122137--- a/net/netfilter/ipvs/ip_vs_core.c
122138+++ b/net/netfilter/ipvs/ip_vs_core.c
122139@@ -586,7 +586,7 @@ int ip_vs_leave(struct ip_vs_service *svc, struct sk_buff *skb,
122140 ret = cp->packet_xmit(skb, cp, pd->pp, iph);
122141 /* do not touch skb anymore */
122142
122143- atomic_inc(&cp->in_pkts);
122144+ atomic_inc_unchecked(&cp->in_pkts);
122145 ip_vs_conn_put(cp);
122146 return ret;
122147 }
122148@@ -1762,7 +1762,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af)
122149 if (cp->flags & IP_VS_CONN_F_ONE_PACKET)
122150 pkts = sysctl_sync_threshold(ipvs);
122151 else
122152- pkts = atomic_add_return(1, &cp->in_pkts);
122153+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
122154
122155 if (ipvs->sync_state & IP_VS_STATE_MASTER)
122156 ip_vs_sync_conn(net, cp, pkts);
122157diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
122158index 24c5542..e9fd3e5 100644
122159--- a/net/netfilter/ipvs/ip_vs_ctl.c
122160+++ b/net/netfilter/ipvs/ip_vs_ctl.c
122161@@ -814,7 +814,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
122162 */
122163 ip_vs_rs_hash(ipvs, dest);
122164 }
122165- atomic_set(&dest->conn_flags, conn_flags);
122166+ atomic_set_unchecked(&dest->conn_flags, conn_flags);
122167
122168 /* bind the service */
122169 old_svc = rcu_dereference_protected(dest->svc, 1);
122170@@ -1694,7 +1694,7 @@ proc_do_sync_ports(struct ctl_table *table, int write,
122171 * align with netns init in ip_vs_control_net_init()
122172 */
122173
122174-static struct ctl_table vs_vars[] = {
122175+static ctl_table_no_const vs_vars[] __read_only = {
122176 {
122177 .procname = "amemthresh",
122178 .maxlen = sizeof(int),
122179@@ -2036,7 +2036,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
122180 " %-7s %-6d %-10d %-10d\n",
122181 &dest->addr.in6,
122182 ntohs(dest->port),
122183- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
122184+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
122185 atomic_read(&dest->weight),
122186 atomic_read(&dest->activeconns),
122187 atomic_read(&dest->inactconns));
122188@@ -2047,7 +2047,7 @@ static int ip_vs_info_seq_show(struct seq_file *seq, void *v)
122189 "%-7s %-6d %-10d %-10d\n",
122190 ntohl(dest->addr.ip),
122191 ntohs(dest->port),
122192- ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
122193+ ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
122194 atomic_read(&dest->weight),
122195 atomic_read(&dest->activeconns),
122196 atomic_read(&dest->inactconns));
122197@@ -2546,7 +2546,7 @@ __ip_vs_get_dest_entries(struct net *net, const struct ip_vs_get_dests *get,
122198
122199 entry.addr = dest->addr.ip;
122200 entry.port = dest->port;
122201- entry.conn_flags = atomic_read(&dest->conn_flags);
122202+ entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
122203 entry.weight = atomic_read(&dest->weight);
122204 entry.u_threshold = dest->u_threshold;
122205 entry.l_threshold = dest->l_threshold;
122206@@ -3121,7 +3121,7 @@ static int ip_vs_genl_fill_dest(struct sk_buff *skb, struct ip_vs_dest *dest)
122207 if (nla_put(skb, IPVS_DEST_ATTR_ADDR, sizeof(dest->addr), &dest->addr) ||
122208 nla_put_be16(skb, IPVS_DEST_ATTR_PORT, dest->port) ||
122209 nla_put_u32(skb, IPVS_DEST_ATTR_FWD_METHOD,
122210- (atomic_read(&dest->conn_flags) &
122211+ (atomic_read_unchecked(&dest->conn_flags) &
122212 IP_VS_CONN_F_FWD_MASK)) ||
122213 nla_put_u32(skb, IPVS_DEST_ATTR_WEIGHT,
122214 atomic_read(&dest->weight)) ||
122215@@ -3759,7 +3759,7 @@ static int __net_init ip_vs_control_net_init_sysctl(struct net *net)
122216 {
122217 int idx;
122218 struct netns_ipvs *ipvs = net_ipvs(net);
122219- struct ctl_table *tbl;
122220+ ctl_table_no_const *tbl;
122221
122222 atomic_set(&ipvs->dropentry, 0);
122223 spin_lock_init(&ipvs->dropentry_lock);
122224diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
122225index 127f140..553d652 100644
122226--- a/net/netfilter/ipvs/ip_vs_lblc.c
122227+++ b/net/netfilter/ipvs/ip_vs_lblc.c
122228@@ -118,7 +118,7 @@ struct ip_vs_lblc_table {
122229 * IPVS LBLC sysctl table
122230 */
122231 #ifdef CONFIG_SYSCTL
122232-static struct ctl_table vs_vars_table[] = {
122233+static ctl_table_no_const vs_vars_table[] __read_only = {
122234 {
122235 .procname = "lblc_expiration",
122236 .data = NULL,
122237diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
122238index 2229d2d..b32b785 100644
122239--- a/net/netfilter/ipvs/ip_vs_lblcr.c
122240+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
122241@@ -289,7 +289,7 @@ struct ip_vs_lblcr_table {
122242 * IPVS LBLCR sysctl table
122243 */
122244
122245-static struct ctl_table vs_vars_table[] = {
122246+static ctl_table_no_const vs_vars_table[] __read_only = {
122247 {
122248 .procname = "lblcr_expiration",
122249 .data = NULL,
122250diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
122251index d99ad93..09bd6dc 100644
122252--- a/net/netfilter/ipvs/ip_vs_sync.c
122253+++ b/net/netfilter/ipvs/ip_vs_sync.c
122254@@ -609,7 +609,7 @@ static void ip_vs_sync_conn_v0(struct net *net, struct ip_vs_conn *cp,
122255 cp = cp->control;
122256 if (cp) {
122257 if (cp->flags & IP_VS_CONN_F_TEMPLATE)
122258- pkts = atomic_add_return(1, &cp->in_pkts);
122259+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
122260 else
122261 pkts = sysctl_sync_threshold(ipvs);
122262 ip_vs_sync_conn(net, cp, pkts);
122263@@ -771,7 +771,7 @@ control:
122264 if (!cp)
122265 return;
122266 if (cp->flags & IP_VS_CONN_F_TEMPLATE)
122267- pkts = atomic_add_return(1, &cp->in_pkts);
122268+ pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
122269 else
122270 pkts = sysctl_sync_threshold(ipvs);
122271 goto sloop;
122272@@ -919,7 +919,7 @@ static void ip_vs_proc_conn(struct net *net, struct ip_vs_conn_param *param,
122273
122274 if (opt)
122275 memcpy(&cp->in_seq, opt, sizeof(*opt));
122276- atomic_set(&cp->in_pkts, sysctl_sync_threshold(ipvs));
122277+ atomic_set_unchecked(&cp->in_pkts, sysctl_sync_threshold(ipvs));
122278 cp->state = state;
122279 cp->old_state = cp->state;
122280 /*
122281diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
122282index 258a0b0..2082f50 100644
122283--- a/net/netfilter/ipvs/ip_vs_xmit.c
122284+++ b/net/netfilter/ipvs/ip_vs_xmit.c
122285@@ -1259,7 +1259,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
122286 else
122287 rc = NF_ACCEPT;
122288 /* do not touch skb anymore */
122289- atomic_inc(&cp->in_pkts);
122290+ atomic_inc_unchecked(&cp->in_pkts);
122291 goto out;
122292 }
122293
122294@@ -1352,7 +1352,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
122295 else
122296 rc = NF_ACCEPT;
122297 /* do not touch skb anymore */
122298- atomic_inc(&cp->in_pkts);
122299+ atomic_inc_unchecked(&cp->in_pkts);
122300 goto out;
122301 }
122302
122303diff --git a/net/netfilter/nf_conntrack_acct.c b/net/netfilter/nf_conntrack_acct.c
122304index 45da11a..ef3e5dc 100644
122305--- a/net/netfilter/nf_conntrack_acct.c
122306+++ b/net/netfilter/nf_conntrack_acct.c
122307@@ -64,7 +64,7 @@ static struct nf_ct_ext_type acct_extend __read_mostly = {
122308 #ifdef CONFIG_SYSCTL
122309 static int nf_conntrack_acct_init_sysctl(struct net *net)
122310 {
122311- struct ctl_table *table;
122312+ ctl_table_no_const *table;
122313
122314 table = kmemdup(acct_sysctl_table, sizeof(acct_sysctl_table),
122315 GFP_KERNEL);
122316diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
122317index 0625a42..b2c15f4 100644
122318--- a/net/netfilter/nf_conntrack_core.c
122319+++ b/net/netfilter/nf_conntrack_core.c
122320@@ -1754,6 +1754,10 @@ void nf_conntrack_init_end(void)
122321 #define DYING_NULLS_VAL ((1<<30)+1)
122322 #define TEMPLATE_NULLS_VAL ((1<<30)+2)
122323
122324+#ifdef CONFIG_GRKERNSEC_HIDESYM
122325+static atomic_unchecked_t conntrack_cache_id = ATOMIC_INIT(0);
122326+#endif
122327+
122328 int nf_conntrack_init_net(struct net *net)
122329 {
122330 int ret = -ENOMEM;
122331@@ -1778,7 +1782,11 @@ int nf_conntrack_init_net(struct net *net)
122332 if (!net->ct.stat)
122333 goto err_pcpu_lists;
122334
122335+#ifdef CONFIG_GRKERNSEC_HIDESYM
122336+ net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%08x", atomic_inc_return_unchecked(&conntrack_cache_id));
122337+#else
122338 net->ct.slabname = kasprintf(GFP_KERNEL, "nf_conntrack_%p", net);
122339+#endif
122340 if (!net->ct.slabname)
122341 goto err_slabname;
122342
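Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` branch carries no comment saying why the slab name changes: the `%p` form embeds the address of `net` in a cache name, and cache names are visible to userspace wherever slab caches are listed. A one-line comment, `/* do not expose the struct net address in the slab cache name */`, would make the intent explicit. Two smaller points: `%08x` takes an unsigned int while `atomic_inc_return_unchecked()` presumably returns int, so a cast to `unsigned int` matches the specifier exactly, and `conntrack_cache_id` (declared in the previous hunk) only increases, so names are unique only until it wraps. nf_conntrack_init_net continues outside the hunk.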
122343diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
122344index 4e78c57..ec8fb74 100644
122345--- a/net/netfilter/nf_conntrack_ecache.c
122346+++ b/net/netfilter/nf_conntrack_ecache.c
122347@@ -264,7 +264,7 @@ static struct nf_ct_ext_type event_extend __read_mostly = {
122348 #ifdef CONFIG_SYSCTL
122349 static int nf_conntrack_event_init_sysctl(struct net *net)
122350 {
122351- struct ctl_table *table;
122352+ ctl_table_no_const *table;
122353
122354 table = kmemdup(event_sysctl_table, sizeof(event_sysctl_table),
122355 GFP_KERNEL);
122356diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
122357index bd9d315..989947e 100644
122358--- a/net/netfilter/nf_conntrack_helper.c
122359+++ b/net/netfilter/nf_conntrack_helper.c
122360@@ -57,7 +57,7 @@ static struct ctl_table helper_sysctl_table[] = {
122361
122362 static int nf_conntrack_helper_init_sysctl(struct net *net)
122363 {
122364- struct ctl_table *table;
122365+ ctl_table_no_const *table;
122366
122367 table = kmemdup(helper_sysctl_table, sizeof(helper_sysctl_table),
122368 GFP_KERNEL);
122369diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
122370index b65d586..beec902 100644
122371--- a/net/netfilter/nf_conntrack_proto.c
122372+++ b/net/netfilter/nf_conntrack_proto.c
122373@@ -52,7 +52,7 @@ nf_ct_register_sysctl(struct net *net,
122374
122375 static void
122376 nf_ct_unregister_sysctl(struct ctl_table_header **header,
122377- struct ctl_table **table,
122378+ ctl_table_no_const **table,
122379 unsigned int users)
122380 {
122381 if (users > 0)
122382diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
122383index fc823fa..8311af3 100644
122384--- a/net/netfilter/nf_conntrack_standalone.c
122385+++ b/net/netfilter/nf_conntrack_standalone.c
122386@@ -468,7 +468,7 @@ static struct ctl_table nf_ct_netfilter_table[] = {
122387
122388 static int nf_conntrack_standalone_init_sysctl(struct net *net)
122389 {
122390- struct ctl_table *table;
122391+ ctl_table_no_const *table;
122392
122393 table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table),
122394 GFP_KERNEL);
122395diff --git a/net/netfilter/nf_conntrack_timestamp.c b/net/netfilter/nf_conntrack_timestamp.c
122396index 7a394df..bd91a8a 100644
122397--- a/net/netfilter/nf_conntrack_timestamp.c
122398+++ b/net/netfilter/nf_conntrack_timestamp.c
122399@@ -42,7 +42,7 @@ static struct nf_ct_ext_type tstamp_extend __read_mostly = {
122400 #ifdef CONFIG_SYSCTL
122401 static int nf_conntrack_tstamp_init_sysctl(struct net *net)
122402 {
122403- struct ctl_table *table;
122404+ ctl_table_no_const *table;
122405
122406 table = kmemdup(tstamp_sysctl_table, sizeof(tstamp_sysctl_table),
122407 GFP_KERNEL);
122408diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
122409index a5d41df..1ff49be 100644
122410--- a/net/netfilter/nf_log.c
122411+++ b/net/netfilter/nf_log.c
122412@@ -391,7 +391,7 @@ static const struct file_operations nflog_file_ops = {
122413
122414 #ifdef CONFIG_SYSCTL
122415 static char nf_log_sysctl_fnames[NFPROTO_NUMPROTO-NFPROTO_UNSPEC][3];
122416-static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1];
122417+static ctl_table_no_const nf_log_sysctl_table[NFPROTO_NUMPROTO+1] __read_only;
122418
122419 static int nf_log_proc_dostring(struct ctl_table *table, int write,
122420 void __user *buffer, size_t *lenp, loff_t *ppos)
122421@@ -422,13 +422,15 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
122422 rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
122423 mutex_unlock(&nf_log_mutex);
122424 } else {
122425+ ctl_table_no_const nf_log_table = *table;
122426+
122427 mutex_lock(&nf_log_mutex);
122428 logger = nft_log_dereference(net->nf.nf_loggers[tindex]);
122429 if (!logger)
122430- table->data = "NONE";
122431+ nf_log_table.data = "NONE";
122432 else
122433- table->data = logger->name;
122434- r = proc_dostring(table, write, buffer, lenp, ppos);
122435+ nf_log_table.data = logger->name;
122436+ r = proc_dostring(&nf_log_table, write, buffer, lenp, ppos);
122437 mutex_unlock(&nf_log_mutex);
122438 }
122439
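Review bot: The stack copy `ctl_table_no_const nf_log_table = *table;` deserves a comment, since nothing in the branch says why the handler stopped writing to `table->data`. The previous hunk marks nf_log_sysctl_table `__read_only`, so the old store would target read-only memory. It also modified a table entry that is presumably shared by concurrent readers of the sysctl. Suggested: `/* table is read-only and shared; point a private copy at the logger name */`. nf_log_proc_dostring starts outside the hunk.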
122440diff --git a/net/netfilter/nf_sockopt.c b/net/netfilter/nf_sockopt.c
122441index c68c1e5..8b5d670 100644
122442--- a/net/netfilter/nf_sockopt.c
122443+++ b/net/netfilter/nf_sockopt.c
122444@@ -43,7 +43,7 @@ int nf_register_sockopt(struct nf_sockopt_ops *reg)
122445 }
122446 }
122447
122448- list_add(&reg->list, &nf_sockopts);
122449+ pax_list_add((struct list_head *)&reg->list, &nf_sockopts);
122450 out:
122451 mutex_unlock(&nf_sockopt_mutex);
122452 return ret;
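Review bot: The cast in `pax_list_add((struct list_head *)&reg->list, &nf_sockopts);` is unexplained and would silently accept any pointer type if `list` ever changed. It presumably strips a const qualifier that the constification tooling puts on struct nf_sockopt_ops, with pax_list_add performing the write to otherwise read-only memory; neither is visible in this hunk. A comment saying so would help here and at the matching `pax_list_del` in nf_unregister_sockopt (next hunk). The ip_set_core.c change that drops `__read_mostly` from `so_set` looks related. nf_register_sockopt begins outside the hunk.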
122453@@ -53,7 +53,7 @@ EXPORT_SYMBOL(nf_register_sockopt);
122454 void nf_unregister_sockopt(struct nf_sockopt_ops *reg)
122455 {
122456 mutex_lock(&nf_sockopt_mutex);
122457- list_del(&reg->list);
122458+ pax_list_del((struct list_head *)&reg->list);
122459 mutex_unlock(&nf_sockopt_mutex);
122460 }
122461 EXPORT_SYMBOL(nf_unregister_sockopt);
122462diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
122463index 4670821..a6c3c47d 100644
122464--- a/net/netfilter/nfnetlink_log.c
122465+++ b/net/netfilter/nfnetlink_log.c
122466@@ -84,7 +84,7 @@ static int nfnl_log_net_id __read_mostly;
122467 struct nfnl_log_net {
122468 spinlock_t instances_lock;
122469 struct hlist_head instance_table[INSTANCE_BUCKETS];
122470- atomic_t global_seq;
122471+ atomic_unchecked_t global_seq;
122472 };
122473
122474 static struct nfnl_log_net *nfnl_log_pernet(struct net *net)
122475@@ -572,7 +572,7 @@ __build_packet_message(struct nfnl_log_net *log,
122476 /* global sequence number */
122477 if ((inst->flags & NFULNL_CFG_F_SEQ_GLOBAL) &&
122478 nla_put_be32(inst->skb, NFULA_SEQ_GLOBAL,
122479- htonl(atomic_inc_return(&log->global_seq))))
122480+ htonl(atomic_inc_return_unchecked(&log->global_seq))))
122481 goto nla_put_failure;
122482
122483 if (data_len) {
122484diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
122485index 9c8fab0..5080c7c 100644
122486--- a/net/netfilter/nft_compat.c
122487+++ b/net/netfilter/nft_compat.c
122488@@ -322,14 +322,7 @@ static void nft_match_eval(const struct nft_expr *expr,
122489 return;
122490 }
122491
122492- switch (ret ? 1 : 0) {
122493- case 1:
122494- regs->verdict.code = NFT_CONTINUE;
122495- break;
122496- case 0:
122497- regs->verdict.code = NFT_BREAK;
122498- break;
122499- }
122500+ regs->verdict.code = ret ? NFT_CONTINUE : NFT_BREAK;
122501 }
122502
122503 static const struct nla_policy nft_match_policy[NFTA_MATCH_MAX + 1] = {
122504diff --git a/net/netfilter/xt_gradm.c b/net/netfilter/xt_gradm.c
122505new file mode 100644
122506index 0000000..c566332
122507--- /dev/null
122508+++ b/net/netfilter/xt_gradm.c
122509@@ -0,0 +1,51 @@
122510+/*
122511+ * gradm match for netfilter
122512