1 diff -urNp linux-2.6.32.42/arch/alpha/include/asm/elf.h linux-2.6.32.42/arch/alpha/include/asm/elf.h
2 --- linux-2.6.32.42/arch/alpha/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
3 +++ linux-2.6.32.42/arch/alpha/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
4 @@ -91,6 +91,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
6 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
8 +#ifdef CONFIG_PAX_ASLR
9 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
11 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
12 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
15 /* $0 is set by ld.so to a pointer to a function which might be
16 registered using atexit. This provides a mean for the dynamic
17 linker to call DT_FINI functions for shared libraries that have
18 diff -urNp linux-2.6.32.42/arch/alpha/include/asm/pgtable.h linux-2.6.32.42/arch/alpha/include/asm/pgtable.h
19 --- linux-2.6.32.42/arch/alpha/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
20 +++ linux-2.6.32.42/arch/alpha/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
21 @@ -101,6 +101,17 @@ struct vm_area_struct;
22 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
23 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
24 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
26 +#ifdef CONFIG_PAX_PAGEEXEC
27 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
28 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
29 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
31 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
32 +# define PAGE_COPY_NOEXEC PAGE_COPY
33 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
36 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
38 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
39 diff -urNp linux-2.6.32.42/arch/alpha/kernel/module.c linux-2.6.32.42/arch/alpha/kernel/module.c
40 --- linux-2.6.32.42/arch/alpha/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
41 +++ linux-2.6.32.42/arch/alpha/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
42 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
44 /* The small sections were sorted to the end of the segment.
45 The following should definitely cover them. */
46 - gp = (u64)me->module_core + me->core_size - 0x8000;
47 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
48 got = sechdrs[me->arch.gotsecindex].sh_addr;
50 for (i = 0; i < n; i++) {
51 diff -urNp linux-2.6.32.42/arch/alpha/kernel/osf_sys.c linux-2.6.32.42/arch/alpha/kernel/osf_sys.c
52 --- linux-2.6.32.42/arch/alpha/kernel/osf_sys.c 2011-03-27 14:31:47.000000000 -0400
53 +++ linux-2.6.32.42/arch/alpha/kernel/osf_sys.c 2011-06-13 17:19:47.000000000 -0400
54 @@ -431,7 +431,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char
63 @@ -618,7 +618,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, comman
65 res = sysinfo_table[offset];
68 + if ((unsigned long)len > (unsigned long)count)
70 if (copy_to_user(buf, res, len))
72 @@ -673,7 +673,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned
76 - if (nbytes < sizeof(*hwrpb))
77 + if (nbytes > sizeof(*hwrpb))
79 if (copy_to_user(buffer, hwrpb, nbytes) != 0)
81 @@ -1035,6 +1035,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
85 + unsigned int status = 0;
89 @@ -1043,13 +1044,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i
93 - ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r);
94 + ret = sys_wait4(pid, (unsigned int __user *) &status, options,
95 + (struct rusage __user *) &r);
98 if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur)))
102 + err |= put_user(status, ustatus);
103 err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec);
104 err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec);
105 err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec);
106 @@ -1169,7 +1172,7 @@ arch_get_unmapped_area_1(unsigned long a
107 /* At this point: (!vma || addr < vma->vm_end). */
108 if (limit - len < addr)
110 - if (!vma || addr + len <= vma->vm_start)
111 + if (check_heap_stack_gap(vma, addr, len))
115 @@ -1205,6 +1208,10 @@ arch_get_unmapped_area(struct file *filp
116 merely specific addresses, but regions of memory -- perhaps
117 this feature should be incorporated into all ports? */
119 +#ifdef CONFIG_PAX_RANDMMAP
120 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
124 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
125 if (addr != (unsigned long) -ENOMEM)
126 @@ -1212,8 +1219,8 @@ arch_get_unmapped_area(struct file *filp
129 /* Next, try allocating at TASK_UNMAPPED_BASE. */
130 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
132 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
134 if (addr != (unsigned long) -ENOMEM)
137 diff -urNp linux-2.6.32.42/arch/alpha/mm/fault.c linux-2.6.32.42/arch/alpha/mm/fault.c
138 --- linux-2.6.32.42/arch/alpha/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
139 +++ linux-2.6.32.42/arch/alpha/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
140 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
141 __reload_thread(pcb);
144 +#ifdef CONFIG_PAX_PAGEEXEC
146 + * PaX: decide what to do with offenders (regs->pc = fault address)
148 + * returns 1 when task should be killed
149 + * 2 when patched PLT trampoline was detected
150 + * 3 when unpatched PLT trampoline was detected
152 +static int pax_handle_fetch_fault(struct pt_regs *regs)
155 +#ifdef CONFIG_PAX_EMUPLT
158 + do { /* PaX: patched PLT emulation #1 */
159 + unsigned int ldah, ldq, jmp;
161 + err = get_user(ldah, (unsigned int *)regs->pc);
162 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
163 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
168 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
169 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
170 + jmp == 0x6BFB0000U)
172 + unsigned long r27, addr;
173 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
174 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
176 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
177 + err = get_user(r27, (unsigned long *)addr);
187 + do { /* PaX: patched PLT emulation #2 */
188 + unsigned int ldah, lda, br;
190 + err = get_user(ldah, (unsigned int *)regs->pc);
191 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
192 + err |= get_user(br, (unsigned int *)(regs->pc+8));
197 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
198 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
199 + (br & 0xFFE00000U) == 0xC3E00000U)
201 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
202 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
203 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
205 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
206 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
211 + do { /* PaX: unpatched PLT emulation */
214 + err = get_user(br, (unsigned int *)regs->pc);
216 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
217 + unsigned int br2, ldq, nop, jmp;
218 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
220 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
221 + err = get_user(br2, (unsigned int *)addr);
222 + err |= get_user(ldq, (unsigned int *)(addr+4));
223 + err |= get_user(nop, (unsigned int *)(addr+8));
224 + err |= get_user(jmp, (unsigned int *)(addr+12));
225 + err |= get_user(resolver, (unsigned long *)(addr+16));
230 + if (br2 == 0xC3600000U &&
231 + ldq == 0xA77B000CU &&
232 + nop == 0x47FF041FU &&
233 + jmp == 0x6B7B0000U)
235 + regs->r28 = regs->pc+4;
236 + regs->r27 = addr+16;
237 + regs->pc = resolver;
247 +void pax_report_insns(void *pc, void *sp)
251 + printk(KERN_ERR "PAX: bytes at PC: ");
252 + for (i = 0; i < 5; i++) {
254 + if (get_user(c, (unsigned int *)pc+i))
255 + printk(KERN_CONT "???????? ");
257 + printk(KERN_CONT "%08x ", c);
264 * This routine handles page faults. It determines the address,
265 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
267 si_code = SEGV_ACCERR;
269 - if (!(vma->vm_flags & VM_EXEC))
270 + if (!(vma->vm_flags & VM_EXEC)) {
272 +#ifdef CONFIG_PAX_PAGEEXEC
273 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
276 + up_read(&mm->mmap_sem);
277 + switch (pax_handle_fetch_fault(regs)) {
279 +#ifdef CONFIG_PAX_EMUPLT
286 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
287 + do_group_exit(SIGKILL);
294 /* Allow reads even for write-only mappings */
295 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
296 diff -urNp linux-2.6.32.42/arch/arm/include/asm/elf.h linux-2.6.32.42/arch/arm/include/asm/elf.h
297 --- linux-2.6.32.42/arch/arm/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
298 +++ linux-2.6.32.42/arch/arm/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
299 @@ -109,7 +109,14 @@ int dump_task_regs(struct task_struct *t
300 the loader. We need to make sure that it is out of the way of the program
301 that it will "exec", and that there is sufficient room for the brk. */
303 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
304 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
306 +#ifdef CONFIG_PAX_ASLR
307 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
309 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
310 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 /* When the program starts, a1 contains a pointer to a function to be
314 registered with atexit, as per the SVR4 ABI. A value of 0 means we
315 diff -urNp linux-2.6.32.42/arch/arm/include/asm/kmap_types.h linux-2.6.32.42/arch/arm/include/asm/kmap_types.h
316 --- linux-2.6.32.42/arch/arm/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
317 +++ linux-2.6.32.42/arch/arm/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
318 @@ -19,6 +19,7 @@ enum km_type {
326 diff -urNp linux-2.6.32.42/arch/arm/include/asm/uaccess.h linux-2.6.32.42/arch/arm/include/asm/uaccess.h
327 --- linux-2.6.32.42/arch/arm/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
328 +++ linux-2.6.32.42/arch/arm/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
329 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
331 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
336 if (access_ok(VERIFY_READ, from, n))
337 n = __copy_from_user(to, from, n);
338 else /* security hole - plug it */
339 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
341 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
346 if (access_ok(VERIFY_WRITE, to, n))
347 n = __copy_to_user(to, from, n);
349 diff -urNp linux-2.6.32.42/arch/arm/kernel/kgdb.c linux-2.6.32.42/arch/arm/kernel/kgdb.c
350 --- linux-2.6.32.42/arch/arm/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
351 +++ linux-2.6.32.42/arch/arm/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
352 @@ -190,7 +190,7 @@ void kgdb_arch_exit(void)
353 * and we handle the normal undef case within the do_undefinstr
356 -struct kgdb_arch arch_kgdb_ops = {
357 +const struct kgdb_arch arch_kgdb_ops = {
359 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
360 #else /* ! __ARMEB__ */
361 diff -urNp linux-2.6.32.42/arch/arm/kernel/traps.c linux-2.6.32.42/arch/arm/kernel/traps.c
362 --- linux-2.6.32.42/arch/arm/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
363 +++ linux-2.6.32.42/arch/arm/kernel/traps.c 2011-06-13 21:31:18.000000000 -0400
364 @@ -247,6 +247,8 @@ static void __die(const char *str, int e
366 DEFINE_SPINLOCK(die_lock);
368 +extern void gr_handle_kernel_exploit(void);
371 * This function is protected against re-entrancy.
373 @@ -271,6 +273,8 @@ NORET_TYPE void die(const char *str, str
375 panic("Fatal exception");
377 + gr_handle_kernel_exploit();
382 diff -urNp linux-2.6.32.42/arch/arm/mach-at91/pm.c linux-2.6.32.42/arch/arm/mach-at91/pm.c
383 --- linux-2.6.32.42/arch/arm/mach-at91/pm.c 2011-03-27 14:31:47.000000000 -0400
384 +++ linux-2.6.32.42/arch/arm/mach-at91/pm.c 2011-04-17 15:56:45.000000000 -0400
385 @@ -348,7 +348,7 @@ static void at91_pm_end(void)
389 -static struct platform_suspend_ops at91_pm_ops ={
390 +static const struct platform_suspend_ops at91_pm_ops ={
391 .valid = at91_pm_valid_state,
392 .begin = at91_pm_begin,
393 .enter = at91_pm_enter,
394 diff -urNp linux-2.6.32.42/arch/arm/mach-omap1/pm.c linux-2.6.32.42/arch/arm/mach-omap1/pm.c
395 --- linux-2.6.32.42/arch/arm/mach-omap1/pm.c 2011-03-27 14:31:47.000000000 -0400
396 +++ linux-2.6.32.42/arch/arm/mach-omap1/pm.c 2011-04-17 15:56:45.000000000 -0400
397 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
401 -static struct platform_suspend_ops omap_pm_ops ={
402 +static const struct platform_suspend_ops omap_pm_ops ={
403 .prepare = omap_pm_prepare,
404 .enter = omap_pm_enter,
405 .finish = omap_pm_finish,
406 diff -urNp linux-2.6.32.42/arch/arm/mach-omap2/pm24xx.c linux-2.6.32.42/arch/arm/mach-omap2/pm24xx.c
407 --- linux-2.6.32.42/arch/arm/mach-omap2/pm24xx.c 2011-03-27 14:31:47.000000000 -0400
408 +++ linux-2.6.32.42/arch/arm/mach-omap2/pm24xx.c 2011-04-17 15:56:45.000000000 -0400
409 @@ -326,7 +326,7 @@ static void omap2_pm_finish(void)
413 -static struct platform_suspend_ops omap_pm_ops = {
414 +static const struct platform_suspend_ops omap_pm_ops = {
415 .prepare = omap2_pm_prepare,
416 .enter = omap2_pm_enter,
417 .finish = omap2_pm_finish,
418 diff -urNp linux-2.6.32.42/arch/arm/mach-omap2/pm34xx.c linux-2.6.32.42/arch/arm/mach-omap2/pm34xx.c
419 --- linux-2.6.32.42/arch/arm/mach-omap2/pm34xx.c 2011-03-27 14:31:47.000000000 -0400
420 +++ linux-2.6.32.42/arch/arm/mach-omap2/pm34xx.c 2011-04-17 15:56:45.000000000 -0400
421 @@ -401,7 +401,7 @@ static void omap3_pm_end(void)
425 -static struct platform_suspend_ops omap_pm_ops = {
426 +static const struct platform_suspend_ops omap_pm_ops = {
427 .begin = omap3_pm_begin,
429 .prepare = omap3_pm_prepare,
430 diff -urNp linux-2.6.32.42/arch/arm/mach-pnx4008/pm.c linux-2.6.32.42/arch/arm/mach-pnx4008/pm.c
431 --- linux-2.6.32.42/arch/arm/mach-pnx4008/pm.c 2011-03-27 14:31:47.000000000 -0400
432 +++ linux-2.6.32.42/arch/arm/mach-pnx4008/pm.c 2011-04-17 15:56:45.000000000 -0400
433 @@ -116,7 +116,7 @@ static int pnx4008_pm_valid(suspend_stat
434 (state == PM_SUSPEND_MEM);
437 -static struct platform_suspend_ops pnx4008_pm_ops = {
438 +static const struct platform_suspend_ops pnx4008_pm_ops = {
439 .enter = pnx4008_pm_enter,
440 .valid = pnx4008_pm_valid,
442 diff -urNp linux-2.6.32.42/arch/arm/mach-pxa/pm.c linux-2.6.32.42/arch/arm/mach-pxa/pm.c
443 --- linux-2.6.32.42/arch/arm/mach-pxa/pm.c 2011-03-27 14:31:47.000000000 -0400
444 +++ linux-2.6.32.42/arch/arm/mach-pxa/pm.c 2011-04-17 15:56:45.000000000 -0400
445 @@ -95,7 +95,7 @@ void pxa_pm_finish(void)
446 pxa_cpu_pm_fns->finish();
449 -static struct platform_suspend_ops pxa_pm_ops = {
450 +static const struct platform_suspend_ops pxa_pm_ops = {
451 .valid = pxa_pm_valid,
452 .enter = pxa_pm_enter,
453 .prepare = pxa_pm_prepare,
454 diff -urNp linux-2.6.32.42/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.32.42/arch/arm/mach-pxa/sharpsl_pm.c
455 --- linux-2.6.32.42/arch/arm/mach-pxa/sharpsl_pm.c 2011-03-27 14:31:47.000000000 -0400
456 +++ linux-2.6.32.42/arch/arm/mach-pxa/sharpsl_pm.c 2011-04-17 15:56:45.000000000 -0400
457 @@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
461 -static struct platform_suspend_ops sharpsl_pm_ops = {
462 +static const struct platform_suspend_ops sharpsl_pm_ops = {
463 .prepare = pxa_pm_prepare,
464 .finish = pxa_pm_finish,
465 .enter = corgi_pxa_pm_enter,
466 diff -urNp linux-2.6.32.42/arch/arm/mach-sa1100/pm.c linux-2.6.32.42/arch/arm/mach-sa1100/pm.c
467 --- linux-2.6.32.42/arch/arm/mach-sa1100/pm.c 2011-03-27 14:31:47.000000000 -0400
468 +++ linux-2.6.32.42/arch/arm/mach-sa1100/pm.c 2011-04-17 15:56:45.000000000 -0400
469 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
470 return virt_to_phys(sp);
473 -static struct platform_suspend_ops sa11x0_pm_ops = {
474 +static const struct platform_suspend_ops sa11x0_pm_ops = {
475 .enter = sa11x0_pm_enter,
476 .valid = suspend_valid_only_mem,
478 diff -urNp linux-2.6.32.42/arch/arm/mm/fault.c linux-2.6.32.42/arch/arm/mm/fault.c
479 --- linux-2.6.32.42/arch/arm/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
480 +++ linux-2.6.32.42/arch/arm/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
481 @@ -166,6 +166,13 @@ __do_user_fault(struct task_struct *tsk,
485 +#ifdef CONFIG_PAX_PAGEEXEC
486 + if (fsr & FSR_LNX_PF) {
487 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
488 + do_group_exit(SIGKILL);
492 tsk->thread.address = addr;
493 tsk->thread.error_code = fsr;
494 tsk->thread.trap_no = 14;
495 @@ -357,6 +364,33 @@ do_page_fault(unsigned long addr, unsign
497 #endif /* CONFIG_MMU */
499 +#ifdef CONFIG_PAX_PAGEEXEC
500 +void pax_report_insns(void *pc, void *sp)
504 + printk(KERN_ERR "PAX: bytes at PC: ");
505 + for (i = 0; i < 20; i++) {
507 + if (get_user(c, (__force unsigned char __user *)pc+i))
508 + printk(KERN_CONT "?? ");
510 + printk(KERN_CONT "%02x ", c);
514 + printk(KERN_ERR "PAX: bytes at SP-4: ");
515 + for (i = -1; i < 20; i++) {
517 + if (get_user(c, (__force unsigned long __user *)sp+i))
518 + printk(KERN_CONT "???????? ");
520 + printk(KERN_CONT "%08lx ", c);
527 * First Level Translation Fault Handler
529 diff -urNp linux-2.6.32.42/arch/arm/mm/mmap.c linux-2.6.32.42/arch/arm/mm/mmap.c
530 --- linux-2.6.32.42/arch/arm/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
531 +++ linux-2.6.32.42/arch/arm/mm/mmap.c 2011-04-17 15:56:45.000000000 -0400
532 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
536 +#ifdef CONFIG_PAX_RANDMMAP
537 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
542 addr = COLOUR_ALIGN(addr, pgoff);
543 @@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
544 addr = PAGE_ALIGN(addr);
546 vma = find_vma(mm, addr);
547 - if (TASK_SIZE - len >= addr &&
548 - (!vma || addr + len <= vma->vm_start))
549 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
552 if (len > mm->cached_hole_size) {
553 - start_addr = addr = mm->free_area_cache;
554 + start_addr = addr = mm->free_area_cache;
556 - start_addr = addr = TASK_UNMAPPED_BASE;
557 - mm->cached_hole_size = 0;
558 + start_addr = addr = mm->mmap_base;
559 + mm->cached_hole_size = 0;
563 @@ -94,14 +97,14 @@ full_search:
564 * Start a new search - just in case we missed
567 - if (start_addr != TASK_UNMAPPED_BASE) {
568 - start_addr = addr = TASK_UNMAPPED_BASE;
569 + if (start_addr != mm->mmap_base) {
570 + start_addr = addr = mm->mmap_base;
571 mm->cached_hole_size = 0;
576 - if (!vma || addr + len <= vma->vm_start) {
577 + if (check_heap_stack_gap(vma, addr, len)) {
579 * Remember the place where we stopped the search:
581 diff -urNp linux-2.6.32.42/arch/arm/plat-s3c/pm.c linux-2.6.32.42/arch/arm/plat-s3c/pm.c
582 --- linux-2.6.32.42/arch/arm/plat-s3c/pm.c 2011-03-27 14:31:47.000000000 -0400
583 +++ linux-2.6.32.42/arch/arm/plat-s3c/pm.c 2011-04-17 15:56:45.000000000 -0400
584 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
585 s3c_pm_check_cleanup();
588 -static struct platform_suspend_ops s3c_pm_ops = {
589 +static const struct platform_suspend_ops s3c_pm_ops = {
590 .enter = s3c_pm_enter,
591 .prepare = s3c_pm_prepare,
592 .finish = s3c_pm_finish,
593 diff -urNp linux-2.6.32.42/arch/avr32/include/asm/elf.h linux-2.6.32.42/arch/avr32/include/asm/elf.h
594 --- linux-2.6.32.42/arch/avr32/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
595 +++ linux-2.6.32.42/arch/avr32/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
596 @@ -85,8 +85,14 @@ typedef struct user_fpu_struct elf_fpreg
597 the loader. We need to make sure that it is out of the way of the program
598 that it will "exec", and that there is sufficient room for the brk. */
600 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
601 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
603 +#ifdef CONFIG_PAX_ASLR
604 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
606 +#define PAX_DELTA_MMAP_LEN 15
607 +#define PAX_DELTA_STACK_LEN 15
610 /* This yields a mask that user programs can use to figure out what
611 instruction set this CPU supports. This could be done in user space,
612 diff -urNp linux-2.6.32.42/arch/avr32/include/asm/kmap_types.h linux-2.6.32.42/arch/avr32/include/asm/kmap_types.h
613 --- linux-2.6.32.42/arch/avr32/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
614 +++ linux-2.6.32.42/arch/avr32/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
615 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
625 diff -urNp linux-2.6.32.42/arch/avr32/mach-at32ap/pm.c linux-2.6.32.42/arch/avr32/mach-at32ap/pm.c
626 --- linux-2.6.32.42/arch/avr32/mach-at32ap/pm.c 2011-03-27 14:31:47.000000000 -0400
627 +++ linux-2.6.32.42/arch/avr32/mach-at32ap/pm.c 2011-04-17 15:56:45.000000000 -0400
628 @@ -176,7 +176,7 @@ out:
632 -static struct platform_suspend_ops avr32_pm_ops = {
633 +static const struct platform_suspend_ops avr32_pm_ops = {
634 .valid = avr32_pm_valid_state,
635 .enter = avr32_pm_enter,
637 diff -urNp linux-2.6.32.42/arch/avr32/mm/fault.c linux-2.6.32.42/arch/avr32/mm/fault.c
638 --- linux-2.6.32.42/arch/avr32/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
639 +++ linux-2.6.32.42/arch/avr32/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
640 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
642 int exception_trace = 1;
644 +#ifdef CONFIG_PAX_PAGEEXEC
645 +void pax_report_insns(void *pc, void *sp)
649 + printk(KERN_ERR "PAX: bytes at PC: ");
650 + for (i = 0; i < 20; i++) {
652 + if (get_user(c, (unsigned char *)pc+i))
653 + printk(KERN_CONT "???????? ");
655 + printk(KERN_CONT "%02x ", c);
662 * This routine handles page faults. It determines the address and the
663 * problem, and then passes it off to one of the appropriate routines.
664 @@ -157,6 +174,16 @@ bad_area:
665 up_read(&mm->mmap_sem);
667 if (user_mode(regs)) {
669 +#ifdef CONFIG_PAX_PAGEEXEC
670 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
671 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
672 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
673 + do_group_exit(SIGKILL);
678 if (exception_trace && printk_ratelimit())
679 printk("%s%s[%d]: segfault at %08lx pc %08lx "
680 "sp %08lx ecr %lu\n",
681 diff -urNp linux-2.6.32.42/arch/blackfin/kernel/kgdb.c linux-2.6.32.42/arch/blackfin/kernel/kgdb.c
682 --- linux-2.6.32.42/arch/blackfin/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
683 +++ linux-2.6.32.42/arch/blackfin/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
684 @@ -428,7 +428,7 @@ int kgdb_arch_handle_exception(int vecto
685 return -1; /* this means that we do not want to exit from the handler */
688 -struct kgdb_arch arch_kgdb_ops = {
689 +const struct kgdb_arch arch_kgdb_ops = {
690 .gdb_bpt_instr = {0xa1},
692 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
693 diff -urNp linux-2.6.32.42/arch/blackfin/mach-common/pm.c linux-2.6.32.42/arch/blackfin/mach-common/pm.c
694 --- linux-2.6.32.42/arch/blackfin/mach-common/pm.c 2011-03-27 14:31:47.000000000 -0400
695 +++ linux-2.6.32.42/arch/blackfin/mach-common/pm.c 2011-04-17 15:56:45.000000000 -0400
696 @@ -255,7 +255,7 @@ static int bfin_pm_enter(suspend_state_t
700 -struct platform_suspend_ops bfin_pm_ops = {
701 +const struct platform_suspend_ops bfin_pm_ops = {
702 .enter = bfin_pm_enter,
703 .valid = bfin_pm_valid,
705 diff -urNp linux-2.6.32.42/arch/frv/include/asm/kmap_types.h linux-2.6.32.42/arch/frv/include/asm/kmap_types.h
706 --- linux-2.6.32.42/arch/frv/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
707 +++ linux-2.6.32.42/arch/frv/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
708 @@ -23,6 +23,7 @@ enum km_type {
716 diff -urNp linux-2.6.32.42/arch/frv/mm/elf-fdpic.c linux-2.6.32.42/arch/frv/mm/elf-fdpic.c
717 --- linux-2.6.32.42/arch/frv/mm/elf-fdpic.c 2011-03-27 14:31:47.000000000 -0400
718 +++ linux-2.6.32.42/arch/frv/mm/elf-fdpic.c 2011-04-17 15:56:45.000000000 -0400
719 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
721 addr = PAGE_ALIGN(addr);
722 vma = find_vma(current->mm, addr);
723 - if (TASK_SIZE - len >= addr &&
724 - (!vma || addr + len <= vma->vm_start))
725 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
729 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
730 for (; vma; vma = vma->vm_next) {
733 - if (addr + len <= vma->vm_start)
734 + if (check_heap_stack_gap(vma, addr, len))
738 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
739 for (; vma; vma = vma->vm_next) {
742 - if (addr + len <= vma->vm_start)
743 + if (check_heap_stack_gap(vma, addr, len))
747 diff -urNp linux-2.6.32.42/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.32.42/arch/ia64/hp/common/hwsw_iommu.c
748 --- linux-2.6.32.42/arch/ia64/hp/common/hwsw_iommu.c 2011-03-27 14:31:47.000000000 -0400
749 +++ linux-2.6.32.42/arch/ia64/hp/common/hwsw_iommu.c 2011-04-17 15:56:45.000000000 -0400
751 #include <linux/swiotlb.h>
752 #include <asm/machvec.h>
754 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
755 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
757 /* swiotlb declarations & definitions: */
758 extern int swiotlb_late_init_with_default_size (size_t size);
759 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
760 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
763 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
764 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
766 if (use_swiotlb(dev))
767 return &swiotlb_dma_ops;
768 diff -urNp linux-2.6.32.42/arch/ia64/hp/common/sba_iommu.c linux-2.6.32.42/arch/ia64/hp/common/sba_iommu.c
769 --- linux-2.6.32.42/arch/ia64/hp/common/sba_iommu.c 2011-03-27 14:31:47.000000000 -0400
770 +++ linux-2.6.32.42/arch/ia64/hp/common/sba_iommu.c 2011-04-17 15:56:45.000000000 -0400
771 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
775 -extern struct dma_map_ops swiotlb_dma_ops;
776 +extern const struct dma_map_ops swiotlb_dma_ops;
780 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
782 __setup("sbapagesize=",sba_page_override);
784 -struct dma_map_ops sba_dma_ops = {
785 +const struct dma_map_ops sba_dma_ops = {
786 .alloc_coherent = sba_alloc_coherent,
787 .free_coherent = sba_free_coherent,
788 .map_page = sba_map_page,
789 diff -urNp linux-2.6.32.42/arch/ia64/ia32/binfmt_elf32.c linux-2.6.32.42/arch/ia64/ia32/binfmt_elf32.c
790 --- linux-2.6.32.42/arch/ia64/ia32/binfmt_elf32.c 2011-03-27 14:31:47.000000000 -0400
791 +++ linux-2.6.32.42/arch/ia64/ia32/binfmt_elf32.c 2011-04-17 15:56:45.000000000 -0400
792 @@ -45,6 +45,13 @@ randomize_stack_top(unsigned long stack_
794 #define elf_read_implies_exec(ex, have_pt_gnu_stack) (!(have_pt_gnu_stack))
796 +#ifdef CONFIG_PAX_ASLR
797 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
799 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
800 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
803 /* Ugly but avoids duplication */
804 #include "../../../fs/binfmt_elf.c"
806 diff -urNp linux-2.6.32.42/arch/ia64/ia32/ia32priv.h linux-2.6.32.42/arch/ia64/ia32/ia32priv.h
807 --- linux-2.6.32.42/arch/ia64/ia32/ia32priv.h 2011-03-27 14:31:47.000000000 -0400
808 +++ linux-2.6.32.42/arch/ia64/ia32/ia32priv.h 2011-04-17 15:56:45.000000000 -0400
809 @@ -296,7 +296,14 @@ typedef struct compat_siginfo {
810 #define ELF_DATA ELFDATA2LSB
811 #define ELF_ARCH EM_386
813 -#define IA32_STACK_TOP IA32_PAGE_OFFSET
814 +#ifdef CONFIG_PAX_RANDUSTACK
815 +#define __IA32_DELTA_STACK (current->mm->delta_stack)
817 +#define __IA32_DELTA_STACK 0UL
820 +#define IA32_STACK_TOP (IA32_PAGE_OFFSET - __IA32_DELTA_STACK)
822 #define IA32_GATE_OFFSET IA32_PAGE_OFFSET
823 #define IA32_GATE_END IA32_PAGE_OFFSET + PAGE_SIZE
825 diff -urNp linux-2.6.32.42/arch/ia64/include/asm/dma-mapping.h linux-2.6.32.42/arch/ia64/include/asm/dma-mapping.h
826 --- linux-2.6.32.42/arch/ia64/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
827 +++ linux-2.6.32.42/arch/ia64/include/asm/dma-mapping.h 2011-04-17 15:56:45.000000000 -0400
830 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
832 -extern struct dma_map_ops *dma_ops;
833 +extern const struct dma_map_ops *dma_ops;
834 extern struct ia64_machine_vector ia64_mv;
835 extern void set_iommu_machvec(void);
837 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
838 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
839 dma_addr_t *daddr, gfp_t gfp)
841 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
842 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
845 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
846 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
847 static inline void dma_free_coherent(struct device *dev, size_t size,
848 void *caddr, dma_addr_t daddr)
850 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
851 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
852 debug_dma_free_coherent(dev, size, caddr, daddr);
853 ops->free_coherent(dev, size, caddr, daddr);
855 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
857 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
859 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
860 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
861 return ops->mapping_error(dev, daddr);
864 static inline int dma_supported(struct device *dev, u64 mask)
866 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
867 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
868 return ops->dma_supported(dev, mask);
871 diff -urNp linux-2.6.32.42/arch/ia64/include/asm/elf.h linux-2.6.32.42/arch/ia64/include/asm/elf.h
872 --- linux-2.6.32.42/arch/ia64/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
873 +++ linux-2.6.32.42/arch/ia64/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
876 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
878 +#ifdef CONFIG_PAX_ASLR
879 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
881 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
882 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
885 #define PT_IA_64_UNWIND 0x70000001
887 /* IA-64 relocations: */
888 diff -urNp linux-2.6.32.42/arch/ia64/include/asm/machvec.h linux-2.6.32.42/arch/ia64/include/asm/machvec.h
889 --- linux-2.6.32.42/arch/ia64/include/asm/machvec.h 2011-03-27 14:31:47.000000000 -0400
890 +++ linux-2.6.32.42/arch/ia64/include/asm/machvec.h 2011-04-17 15:56:45.000000000 -0400
891 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
892 /* DMA-mapping interface: */
893 typedef void ia64_mv_dma_init (void);
894 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
895 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
896 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
899 * WARNING: The legacy I/O space is _architected_. Platforms are
900 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
901 # endif /* CONFIG_IA64_GENERIC */
903 extern void swiotlb_dma_init(void);
904 -extern struct dma_map_ops *dma_get_ops(struct device *);
905 +extern const struct dma_map_ops *dma_get_ops(struct device *);
908 * Define default versions so we can extend machvec for new platforms without having
909 diff -urNp linux-2.6.32.42/arch/ia64/include/asm/pgtable.h linux-2.6.32.42/arch/ia64/include/asm/pgtable.h
910 --- linux-2.6.32.42/arch/ia64/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
911 +++ linux-2.6.32.42/arch/ia64/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
913 * David Mosberger-Tang <davidm@hpl.hp.com>
917 +#include <linux/const.h>
918 #include <asm/mman.h>
919 #include <asm/page.h>
920 #include <asm/processor.h>
922 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
923 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
924 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
926 +#ifdef CONFIG_PAX_PAGEEXEC
927 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
928 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
929 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
931 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
932 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
933 +# define PAGE_COPY_NOEXEC PAGE_COPY
936 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
937 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
938 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
939 diff -urNp linux-2.6.32.42/arch/ia64/include/asm/spinlock.h linux-2.6.32.42/arch/ia64/include/asm/spinlock.h
940 --- linux-2.6.32.42/arch/ia64/include/asm/spinlock.h 2011-03-27 14:31:47.000000000 -0400
941 +++ linux-2.6.32.42/arch/ia64/include/asm/spinlock.h 2011-04-17 15:56:45.000000000 -0400
942 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
943 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
945 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
946 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
947 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
950 static __always_inline void __ticket_spin_unlock_wait(raw_spinlock_t *lock)
951 diff -urNp linux-2.6.32.42/arch/ia64/include/asm/uaccess.h linux-2.6.32.42/arch/ia64/include/asm/uaccess.h
952 --- linux-2.6.32.42/arch/ia64/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
953 +++ linux-2.6.32.42/arch/ia64/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
954 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
955 const void *__cu_from = (from); \
956 long __cu_len = (n); \
958 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
959 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
960 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
963 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
964 long __cu_len = (n); \
966 __chk_user_ptr(__cu_from); \
967 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
968 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
969 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
972 diff -urNp linux-2.6.32.42/arch/ia64/kernel/dma-mapping.c linux-2.6.32.42/arch/ia64/kernel/dma-mapping.c
973 --- linux-2.6.32.42/arch/ia64/kernel/dma-mapping.c 2011-03-27 14:31:47.000000000 -0400
974 +++ linux-2.6.32.42/arch/ia64/kernel/dma-mapping.c 2011-04-17 15:56:45.000000000 -0400
976 /* Set this to 1 if there is a HW IOMMU in the system */
977 int iommu_detected __read_mostly;
979 -struct dma_map_ops *dma_ops;
980 +const struct dma_map_ops *dma_ops;
981 EXPORT_SYMBOL(dma_ops);
983 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
984 @@ -16,7 +16,7 @@ static int __init dma_init(void)
986 fs_initcall(dma_init);
988 -struct dma_map_ops *dma_get_ops(struct device *dev)
989 +const struct dma_map_ops *dma_get_ops(struct device *dev)
993 diff -urNp linux-2.6.32.42/arch/ia64/kernel/module.c linux-2.6.32.42/arch/ia64/kernel/module.c
994 --- linux-2.6.32.42/arch/ia64/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
995 +++ linux-2.6.32.42/arch/ia64/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
996 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
998 module_free (struct module *mod, void *module_region)
1000 - if (mod && mod->arch.init_unw_table &&
1001 - module_region == mod->module_init) {
1002 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1003 unw_remove_unwind_table(mod->arch.init_unw_table);
1004 mod->arch.init_unw_table = NULL;
1006 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1010 +in_init_rx (const struct module *mod, uint64_t addr)
1012 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1016 +in_init_rw (const struct module *mod, uint64_t addr)
1018 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1022 in_init (const struct module *mod, uint64_t addr)
1024 - return addr - (uint64_t) mod->module_init < mod->init_size;
1025 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1029 +in_core_rx (const struct module *mod, uint64_t addr)
1031 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1035 +in_core_rw (const struct module *mod, uint64_t addr)
1037 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1041 in_core (const struct module *mod, uint64_t addr)
1043 - return addr - (uint64_t) mod->module_core < mod->core_size;
1044 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1048 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1052 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1053 + if (in_init_rx(mod, val))
1054 + val -= (uint64_t) mod->module_init_rx;
1055 + else if (in_init_rw(mod, val))
1056 + val -= (uint64_t) mod->module_init_rw;
1057 + else if (in_core_rx(mod, val))
1058 + val -= (uint64_t) mod->module_core_rx;
1059 + else if (in_core_rw(mod, val))
1060 + val -= (uint64_t) mod->module_core_rw;
1064 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1065 * addresses have been selected...
1068 - if (mod->core_size > MAX_LTOFF)
1069 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1071 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1072 * at the end of the module.
1074 - gp = mod->core_size - MAX_LTOFF / 2;
1075 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1077 - gp = mod->core_size / 2;
1078 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1079 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1080 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1082 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1084 diff -urNp linux-2.6.32.42/arch/ia64/kernel/pci-dma.c linux-2.6.32.42/arch/ia64/kernel/pci-dma.c
1085 --- linux-2.6.32.42/arch/ia64/kernel/pci-dma.c 2011-03-27 14:31:47.000000000 -0400
1086 +++ linux-2.6.32.42/arch/ia64/kernel/pci-dma.c 2011-04-17 15:56:45.000000000 -0400
1087 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1088 .dma_mask = &fallback_dev.coherent_dma_mask,
1091 -extern struct dma_map_ops intel_dma_ops;
1092 +extern const struct dma_map_ops intel_dma_ops;
1094 static int __init pci_iommu_init(void)
1096 @@ -96,15 +96,34 @@ int iommu_dma_supported(struct device *d
1098 EXPORT_SYMBOL(iommu_dma_supported);
1100 +extern void *intel_alloc_coherent(struct device *hwdev, size_t size, dma_addr_t *dma_handle, gfp_t flags);
1101 +extern void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr, dma_addr_t dma_handle);
1102 +extern int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1103 +extern void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist, int nelems, enum dma_data_direction dir, struct dma_attrs *attrs);
1104 +extern dma_addr_t intel_map_page(struct device *dev, struct page *page, unsigned long offset, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1105 +extern void intel_unmap_page(struct device *dev, dma_addr_t dev_addr, size_t size, enum dma_data_direction dir, struct dma_attrs *attrs);
1106 +extern int intel_mapping_error(struct device *dev, dma_addr_t dma_addr);
1108 +static const struct dma_map_ops intel_iommu_dma_ops = {
1109 + /* from drivers/pci/intel-iommu.c:intel_dma_ops */
1110 + .alloc_coherent = intel_alloc_coherent,
1111 + .free_coherent = intel_free_coherent,
1112 + .map_sg = intel_map_sg,
1113 + .unmap_sg = intel_unmap_sg,
1114 + .map_page = intel_map_page,
1115 + .unmap_page = intel_unmap_page,
1116 + .mapping_error = intel_mapping_error,
1118 + .sync_single_for_cpu = machvec_dma_sync_single,
1119 + .sync_sg_for_cpu = machvec_dma_sync_sg,
1120 + .sync_single_for_device = machvec_dma_sync_single,
1121 + .sync_sg_for_device = machvec_dma_sync_sg,
1122 + .dma_supported = iommu_dma_supported,
1125 void __init pci_iommu_alloc(void)
1127 - dma_ops = &intel_dma_ops;
1129 - dma_ops->sync_single_for_cpu = machvec_dma_sync_single;
1130 - dma_ops->sync_sg_for_cpu = machvec_dma_sync_sg;
1131 - dma_ops->sync_single_for_device = machvec_dma_sync_single;
1132 - dma_ops->sync_sg_for_device = machvec_dma_sync_sg;
1133 - dma_ops->dma_supported = iommu_dma_supported;
1134 + dma_ops = &intel_iommu_dma_ops;
1137 * The order of these functions is important for
1138 diff -urNp linux-2.6.32.42/arch/ia64/kernel/pci-swiotlb.c linux-2.6.32.42/arch/ia64/kernel/pci-swiotlb.c
1139 --- linux-2.6.32.42/arch/ia64/kernel/pci-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
1140 +++ linux-2.6.32.42/arch/ia64/kernel/pci-swiotlb.c 2011-04-17 15:56:45.000000000 -0400
1141 @@ -21,7 +21,7 @@ static void *ia64_swiotlb_alloc_coherent
1142 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1145 -struct dma_map_ops swiotlb_dma_ops = {
1146 +const struct dma_map_ops swiotlb_dma_ops = {
1147 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1148 .free_coherent = swiotlb_free_coherent,
1149 .map_page = swiotlb_map_page,
1150 diff -urNp linux-2.6.32.42/arch/ia64/kernel/sys_ia64.c linux-2.6.32.42/arch/ia64/kernel/sys_ia64.c
1151 --- linux-2.6.32.42/arch/ia64/kernel/sys_ia64.c 2011-03-27 14:31:47.000000000 -0400
1152 +++ linux-2.6.32.42/arch/ia64/kernel/sys_ia64.c 2011-04-17 15:56:45.000000000 -0400
1153 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1154 if (REGION_NUMBER(addr) == RGN_HPAGE)
1158 +#ifdef CONFIG_PAX_RANDMMAP
1159 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1160 + addr = mm->free_area_cache;
1165 addr = mm->free_area_cache;
1167 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1168 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1169 /* At this point: (!vma || addr < vma->vm_end). */
1170 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1171 - if (start_addr != TASK_UNMAPPED_BASE) {
1172 + if (start_addr != mm->mmap_base) {
1173 /* Start a new search --- just in case we missed some holes. */
1174 - addr = TASK_UNMAPPED_BASE;
1175 + addr = mm->mmap_base;
1180 - if (!vma || addr + len <= vma->vm_start) {
1181 + if (check_heap_stack_gap(vma, addr, len)) {
1182 /* Remember the address where we stopped this search: */
1183 mm->free_area_cache = addr + len;
1185 diff -urNp linux-2.6.32.42/arch/ia64/kernel/topology.c linux-2.6.32.42/arch/ia64/kernel/topology.c
1186 --- linux-2.6.32.42/arch/ia64/kernel/topology.c 2011-03-27 14:31:47.000000000 -0400
1187 +++ linux-2.6.32.42/arch/ia64/kernel/topology.c 2011-04-17 15:56:45.000000000 -0400
1188 @@ -282,7 +282,7 @@ static ssize_t cache_show(struct kobject
1192 -static struct sysfs_ops cache_sysfs_ops = {
1193 +static const struct sysfs_ops cache_sysfs_ops = {
1197 diff -urNp linux-2.6.32.42/arch/ia64/kernel/vmlinux.lds.S linux-2.6.32.42/arch/ia64/kernel/vmlinux.lds.S
1198 --- linux-2.6.32.42/arch/ia64/kernel/vmlinux.lds.S 2011-03-27 14:31:47.000000000 -0400
1199 +++ linux-2.6.32.42/arch/ia64/kernel/vmlinux.lds.S 2011-04-17 15:56:45.000000000 -0400
1200 @@ -190,7 +190,7 @@ SECTIONS
1202 . = ALIGN(PERCPU_PAGE_SIZE);
1203 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1204 - __phys_per_cpu_start = __per_cpu_load;
1205 + __phys_per_cpu_start = per_cpu_load;
1206 . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1207 * into percpu page size
1209 diff -urNp linux-2.6.32.42/arch/ia64/mm/fault.c linux-2.6.32.42/arch/ia64/mm/fault.c
1210 --- linux-2.6.32.42/arch/ia64/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1211 +++ linux-2.6.32.42/arch/ia64/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1212 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1213 return pte_present(pte);
1216 +#ifdef CONFIG_PAX_PAGEEXEC
1217 +void pax_report_insns(void *pc, void *sp)
1221 + printk(KERN_ERR "PAX: bytes at PC: ");
1222 + for (i = 0; i < 8; i++) {
1224 + if (get_user(c, (unsigned int *)pc+i))
1225 + printk(KERN_CONT "???????? ");
1227 + printk(KERN_CONT "%08x ", c);
1234 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1236 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1237 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1238 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1240 - if ((vma->vm_flags & mask) != mask)
1241 + if ((vma->vm_flags & mask) != mask) {
1243 +#ifdef CONFIG_PAX_PAGEEXEC
1244 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1245 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1248 + up_read(&mm->mmap_sem);
1249 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1250 + do_group_exit(SIGKILL);
1260 * If for any reason at all we couldn't handle the fault, make
1261 diff -urNp linux-2.6.32.42/arch/ia64/mm/hugetlbpage.c linux-2.6.32.42/arch/ia64/mm/hugetlbpage.c
1262 --- linux-2.6.32.42/arch/ia64/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
1263 +++ linux-2.6.32.42/arch/ia64/mm/hugetlbpage.c 2011-04-17 15:56:45.000000000 -0400
1264 @@ -172,7 +172,7 @@ unsigned long hugetlb_get_unmapped_area(
1265 /* At this point: (!vmm || addr < vmm->vm_end). */
1266 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1268 - if (!vmm || (addr + len) <= vmm->vm_start)
1269 + if (check_heap_stack_gap(vmm, addr, len))
1271 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1273 diff -urNp linux-2.6.32.42/arch/ia64/mm/init.c linux-2.6.32.42/arch/ia64/mm/init.c
1274 --- linux-2.6.32.42/arch/ia64/mm/init.c 2011-03-27 14:31:47.000000000 -0400
1275 +++ linux-2.6.32.42/arch/ia64/mm/init.c 2011-04-17 15:56:45.000000000 -0400
1276 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1277 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1278 vma->vm_end = vma->vm_start + PAGE_SIZE;
1279 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1281 +#ifdef CONFIG_PAX_PAGEEXEC
1282 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1283 + vma->vm_flags &= ~VM_EXEC;
1285 +#ifdef CONFIG_PAX_MPROTECT
1286 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1287 + vma->vm_flags &= ~VM_MAYEXEC;
1293 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1294 down_write(¤t->mm->mmap_sem);
1295 if (insert_vm_struct(current->mm, vma)) {
1296 diff -urNp linux-2.6.32.42/arch/ia64/sn/pci/pci_dma.c linux-2.6.32.42/arch/ia64/sn/pci/pci_dma.c
1297 --- linux-2.6.32.42/arch/ia64/sn/pci/pci_dma.c 2011-03-27 14:31:47.000000000 -0400
1298 +++ linux-2.6.32.42/arch/ia64/sn/pci/pci_dma.c 2011-04-17 15:56:45.000000000 -0400
1299 @@ -464,7 +464,7 @@ int sn_pci_legacy_write(struct pci_bus *
1303 -static struct dma_map_ops sn_dma_ops = {
1304 +static const struct dma_map_ops sn_dma_ops = {
1305 .alloc_coherent = sn_dma_alloc_coherent,
1306 .free_coherent = sn_dma_free_coherent,
1307 .map_page = sn_dma_map_page,
1308 diff -urNp linux-2.6.32.42/arch/m32r/lib/usercopy.c linux-2.6.32.42/arch/m32r/lib/usercopy.c
1309 --- linux-2.6.32.42/arch/m32r/lib/usercopy.c 2011-03-27 14:31:47.000000000 -0400
1310 +++ linux-2.6.32.42/arch/m32r/lib/usercopy.c 2011-04-17 15:56:45.000000000 -0400
1313 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1319 if (access_ok(VERIFY_WRITE, to, n))
1320 __copy_user(to,from,n);
1321 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1323 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1329 if (access_ok(VERIFY_READ, from, n))
1330 __copy_user_zeroing(to,from,n);
1331 diff -urNp linux-2.6.32.42/arch/mips/alchemy/devboards/pm.c linux-2.6.32.42/arch/mips/alchemy/devboards/pm.c
1332 --- linux-2.6.32.42/arch/mips/alchemy/devboards/pm.c 2011-03-27 14:31:47.000000000 -0400
1333 +++ linux-2.6.32.42/arch/mips/alchemy/devboards/pm.c 2011-04-17 15:56:45.000000000 -0400
1334 @@ -78,7 +78,7 @@ static void db1x_pm_end(void)
1338 -static struct platform_suspend_ops db1x_pm_ops = {
1339 +static const struct platform_suspend_ops db1x_pm_ops = {
1340 .valid = suspend_valid_only_mem,
1341 .begin = db1x_pm_begin,
1342 .enter = db1x_pm_enter,
1343 diff -urNp linux-2.6.32.42/arch/mips/include/asm/elf.h linux-2.6.32.42/arch/mips/include/asm/elf.h
1344 --- linux-2.6.32.42/arch/mips/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1345 +++ linux-2.6.32.42/arch/mips/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1346 @@ -368,4 +368,11 @@ extern int dump_task_fpu(struct task_str
1347 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1350 +#ifdef CONFIG_PAX_ASLR
1351 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1353 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1354 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1357 #endif /* _ASM_ELF_H */
1358 diff -urNp linux-2.6.32.42/arch/mips/include/asm/page.h linux-2.6.32.42/arch/mips/include/asm/page.h
1359 --- linux-2.6.32.42/arch/mips/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
1360 +++ linux-2.6.32.42/arch/mips/include/asm/page.h 2011-04-17 15:56:45.000000000 -0400
1361 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1362 #ifdef CONFIG_CPU_MIPS32
1363 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1364 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1365 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1366 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1368 typedef struct { unsigned long long pte; } pte_t;
1369 #define pte_val(x) ((x).pte)
1370 diff -urNp linux-2.6.32.42/arch/mips/include/asm/system.h linux-2.6.32.42/arch/mips/include/asm/system.h
1371 --- linux-2.6.32.42/arch/mips/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
1372 +++ linux-2.6.32.42/arch/mips/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
1373 @@ -230,6 +230,6 @@ extern void per_cpu_trap_init(void);
1375 #define __ARCH_WANT_UNLOCKED_CTXSW
1377 -extern unsigned long arch_align_stack(unsigned long sp);
1378 +#define arch_align_stack(x) ((x) & ~0xfUL)
1380 #endif /* _ASM_SYSTEM_H */
1381 diff -urNp linux-2.6.32.42/arch/mips/kernel/binfmt_elfn32.c linux-2.6.32.42/arch/mips/kernel/binfmt_elfn32.c
1382 --- linux-2.6.32.42/arch/mips/kernel/binfmt_elfn32.c 2011-03-27 14:31:47.000000000 -0400
1383 +++ linux-2.6.32.42/arch/mips/kernel/binfmt_elfn32.c 2011-04-17 15:56:45.000000000 -0400
1384 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1385 #undef ELF_ET_DYN_BASE
1386 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1388 +#ifdef CONFIG_PAX_ASLR
1389 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1391 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1392 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1395 #include <asm/processor.h>
1396 #include <linux/module.h>
1397 #include <linux/elfcore.h>
1398 diff -urNp linux-2.6.32.42/arch/mips/kernel/binfmt_elfo32.c linux-2.6.32.42/arch/mips/kernel/binfmt_elfo32.c
1399 --- linux-2.6.32.42/arch/mips/kernel/binfmt_elfo32.c 2011-03-27 14:31:47.000000000 -0400
1400 +++ linux-2.6.32.42/arch/mips/kernel/binfmt_elfo32.c 2011-04-17 15:56:45.000000000 -0400
1401 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1402 #undef ELF_ET_DYN_BASE
1403 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1405 +#ifdef CONFIG_PAX_ASLR
1406 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1408 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1409 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1412 #include <asm/processor.h>
1415 diff -urNp linux-2.6.32.42/arch/mips/kernel/kgdb.c linux-2.6.32.42/arch/mips/kernel/kgdb.c
1416 --- linux-2.6.32.42/arch/mips/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
1417 +++ linux-2.6.32.42/arch/mips/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
1418 @@ -245,6 +245,7 @@ int kgdb_arch_handle_exception(int vecto
1422 +/* cannot be const */
1423 struct kgdb_arch arch_kgdb_ops;
1426 diff -urNp linux-2.6.32.42/arch/mips/kernel/process.c linux-2.6.32.42/arch/mips/kernel/process.c
1427 --- linux-2.6.32.42/arch/mips/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
1428 +++ linux-2.6.32.42/arch/mips/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
1429 @@ -470,15 +470,3 @@ unsigned long get_wchan(struct task_stru
1435 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1436 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1438 -unsigned long arch_align_stack(unsigned long sp)
1440 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1441 - sp -= get_random_int() & ~PAGE_MASK;
1443 - return sp & ALMASK;
1445 diff -urNp linux-2.6.32.42/arch/mips/kernel/syscall.c linux-2.6.32.42/arch/mips/kernel/syscall.c
1446 --- linux-2.6.32.42/arch/mips/kernel/syscall.c 2011-03-27 14:31:47.000000000 -0400
1447 +++ linux-2.6.32.42/arch/mips/kernel/syscall.c 2011-04-17 15:56:45.000000000 -0400
1448 @@ -102,17 +102,21 @@ unsigned long arch_get_unmapped_area(str
1450 if (filp || (flags & MAP_SHARED))
1453 +#ifdef CONFIG_PAX_RANDMMAP
1454 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1459 addr = COLOUR_ALIGN(addr, pgoff);
1461 addr = PAGE_ALIGN(addr);
1462 vmm = find_vma(current->mm, addr);
1463 - if (task_size - len >= addr &&
1464 - (!vmm || addr + len <= vmm->vm_start))
1465 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1468 - addr = TASK_UNMAPPED_BASE;
1469 + addr = current->mm->mmap_base;
1471 addr = COLOUR_ALIGN(addr, pgoff);
1473 @@ -122,7 +126,7 @@ unsigned long arch_get_unmapped_area(str
1474 /* At this point: (!vmm || addr < vmm->vm_end). */
1475 if (task_size - len < addr)
1477 - if (!vmm || addr + len <= vmm->vm_start)
1478 + if (check_heap_stack_gap(vmm, addr, len))
1482 diff -urNp linux-2.6.32.42/arch/mips/mm/fault.c linux-2.6.32.42/arch/mips/mm/fault.c
1483 --- linux-2.6.32.42/arch/mips/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1484 +++ linux-2.6.32.42/arch/mips/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1486 #include <asm/ptrace.h>
1487 #include <asm/highmem.h> /* For VMALLOC_END */
1489 +#ifdef CONFIG_PAX_PAGEEXEC
1490 +void pax_report_insns(void *pc, void *sp)
1494 + printk(KERN_ERR "PAX: bytes at PC: ");
1495 + for (i = 0; i < 5; i++) {
1497 + if (get_user(c, (unsigned int *)pc+i))
1498 + printk(KERN_CONT "???????? ");
1500 + printk(KERN_CONT "%08x ", c);
1507 * This routine handles page faults. It determines the address,
1508 * and the problem, and then passes it off to one of the appropriate
1509 diff -urNp linux-2.6.32.42/arch/parisc/include/asm/elf.h linux-2.6.32.42/arch/parisc/include/asm/elf.h
1510 --- linux-2.6.32.42/arch/parisc/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1511 +++ linux-2.6.32.42/arch/parisc/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1512 @@ -343,6 +343,13 @@ struct pt_regs; /* forward declaration..
1514 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1516 +#ifdef CONFIG_PAX_ASLR
1517 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1519 +#define PAX_DELTA_MMAP_LEN 16
1520 +#define PAX_DELTA_STACK_LEN 16
1523 /* This yields a mask that user programs can use to figure out what
1524 instruction set this CPU supports. This could be done in user space,
1525 but it's not easy, and we've already done it here. */
1526 diff -urNp linux-2.6.32.42/arch/parisc/include/asm/pgtable.h linux-2.6.32.42/arch/parisc/include/asm/pgtable.h
1527 --- linux-2.6.32.42/arch/parisc/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
1528 +++ linux-2.6.32.42/arch/parisc/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
1529 @@ -207,6 +207,17 @@
1530 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1531 #define PAGE_COPY PAGE_EXECREAD
1532 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1534 +#ifdef CONFIG_PAX_PAGEEXEC
1535 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1536 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1537 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1539 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1540 +# define PAGE_COPY_NOEXEC PAGE_COPY
1541 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1544 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1545 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1546 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1547 diff -urNp linux-2.6.32.42/arch/parisc/kernel/module.c linux-2.6.32.42/arch/parisc/kernel/module.c
1548 --- linux-2.6.32.42/arch/parisc/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
1549 +++ linux-2.6.32.42/arch/parisc/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
1552 /* three functions to determine where in the module core
1553 * or init pieces the location is */
1554 +static inline int in_init_rx(struct module *me, void *loc)
1556 + return (loc >= me->module_init_rx &&
1557 + loc < (me->module_init_rx + me->init_size_rx));
1560 +static inline int in_init_rw(struct module *me, void *loc)
1562 + return (loc >= me->module_init_rw &&
1563 + loc < (me->module_init_rw + me->init_size_rw));
1566 static inline int in_init(struct module *me, void *loc)
1568 - return (loc >= me->module_init &&
1569 - loc <= (me->module_init + me->init_size));
1570 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1573 +static inline int in_core_rx(struct module *me, void *loc)
1575 + return (loc >= me->module_core_rx &&
1576 + loc < (me->module_core_rx + me->core_size_rx));
1579 +static inline int in_core_rw(struct module *me, void *loc)
1581 + return (loc >= me->module_core_rw &&
1582 + loc < (me->module_core_rw + me->core_size_rw));
1585 static inline int in_core(struct module *me, void *loc)
1587 - return (loc >= me->module_core &&
1588 - loc <= (me->module_core + me->core_size));
1589 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1592 static inline int in_local(struct module *me, void *loc)
1593 @@ -364,13 +386,13 @@ int module_frob_arch_sections(CONST Elf_
1596 /* align things a bit */
1597 - me->core_size = ALIGN(me->core_size, 16);
1598 - me->arch.got_offset = me->core_size;
1599 - me->core_size += gots * sizeof(struct got_entry);
1601 - me->core_size = ALIGN(me->core_size, 16);
1602 - me->arch.fdesc_offset = me->core_size;
1603 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1604 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1605 + me->arch.got_offset = me->core_size_rw;
1606 + me->core_size_rw += gots * sizeof(struct got_entry);
1608 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1609 + me->arch.fdesc_offset = me->core_size_rw;
1610 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1612 me->arch.got_max = gots;
1613 me->arch.fdesc_max = fdescs;
1614 @@ -388,7 +410,7 @@ static Elf64_Word get_got(struct module
1618 - got = me->module_core + me->arch.got_offset;
1619 + got = me->module_core_rw + me->arch.got_offset;
1620 for (i = 0; got[i].addr; i++)
1621 if (got[i].addr == value)
1623 @@ -406,7 +428,7 @@ static Elf64_Word get_got(struct module
1625 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1627 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1628 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1631 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1632 @@ -424,7 +446,7 @@ static Elf_Addr get_fdesc(struct module
1634 /* Create new one */
1635 fdesc->addr = value;
1636 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1637 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1638 return (Elf_Addr)fdesc;
1640 #endif /* CONFIG_64BIT */
1641 @@ -848,7 +870,7 @@ register_unwind_table(struct module *me,
1643 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1644 end = table + sechdrs[me->arch.unwind_section].sh_size;
1645 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1646 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1648 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1649 me->arch.unwind_section, table, end, gp);
1650 diff -urNp linux-2.6.32.42/arch/parisc/kernel/sys_parisc.c linux-2.6.32.42/arch/parisc/kernel/sys_parisc.c
1651 --- linux-2.6.32.42/arch/parisc/kernel/sys_parisc.c 2011-03-27 14:31:47.000000000 -0400
1652 +++ linux-2.6.32.42/arch/parisc/kernel/sys_parisc.c 2011-04-17 15:56:45.000000000 -0400
1653 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1654 /* At this point: (!vma || addr < vma->vm_end). */
1655 if (TASK_SIZE - len < addr)
1657 - if (!vma || addr + len <= vma->vm_start)
1658 + if (check_heap_stack_gap(vma, addr, len))
1662 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1663 /* At this point: (!vma || addr < vma->vm_end). */
1664 if (TASK_SIZE - len < addr)
1666 - if (!vma || addr + len <= vma->vm_start)
1667 + if (check_heap_stack_gap(vma, addr, len))
1669 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1670 if (addr < vma->vm_end) /* handle wraparound */
1671 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1672 if (flags & MAP_FIXED)
1675 - addr = TASK_UNMAPPED_BASE;
1676 + addr = current->mm->mmap_base;
1679 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1680 diff -urNp linux-2.6.32.42/arch/parisc/kernel/traps.c linux-2.6.32.42/arch/parisc/kernel/traps.c
1681 --- linux-2.6.32.42/arch/parisc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
1682 +++ linux-2.6.32.42/arch/parisc/kernel/traps.c 2011-04-17 15:56:45.000000000 -0400
1683 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1685 down_read(¤t->mm->mmap_sem);
1686 vma = find_vma(current->mm,regs->iaoq[0]);
1687 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1688 - && (vma->vm_flags & VM_EXEC)) {
1690 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1691 fault_address = regs->iaoq[0];
1692 fault_space = regs->iasq[0];
1694 diff -urNp linux-2.6.32.42/arch/parisc/mm/fault.c linux-2.6.32.42/arch/parisc/mm/fault.c
1695 --- linux-2.6.32.42/arch/parisc/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
1696 +++ linux-2.6.32.42/arch/parisc/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
1698 #include <linux/sched.h>
1699 #include <linux/interrupt.h>
1700 #include <linux/module.h>
1701 +#include <linux/unistd.h>
1703 #include <asm/uaccess.h>
1704 #include <asm/traps.h>
1705 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1706 static unsigned long
1707 parisc_acctyp(unsigned long code, unsigned int inst)
1709 - if (code == 6 || code == 16)
1710 + if (code == 6 || code == 7 || code == 16)
1713 switch (inst & 0xf0000000) {
1714 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1718 +#ifdef CONFIG_PAX_PAGEEXEC
1720 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1722 + * returns 1 when task should be killed
1723 + * 2 when rt_sigreturn trampoline was detected
1724 + * 3 when unpatched PLT trampoline was detected
1726 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1729 +#ifdef CONFIG_PAX_EMUPLT
1732 + do { /* PaX: unpatched PLT emulation */
1733 + unsigned int bl, depwi;
1735 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1736 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1741 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1742 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1744 + err = get_user(ldw, (unsigned int *)addr);
1745 + err |= get_user(bv, (unsigned int *)(addr+4));
1746 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1751 + if (ldw == 0x0E801096U &&
1752 + bv == 0xEAC0C000U &&
1753 + ldw2 == 0x0E881095U)
1755 + unsigned int resolver, map;
1757 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1758 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1762 + regs->gr[20] = instruction_pointer(regs)+8;
1763 + regs->gr[21] = map;
1764 + regs->gr[22] = resolver;
1765 + regs->iaoq[0] = resolver | 3UL;
1766 + regs->iaoq[1] = regs->iaoq[0] + 4;
1773 +#ifdef CONFIG_PAX_EMUTRAMP
1775 +#ifndef CONFIG_PAX_EMUSIGRT
1776 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1780 + do { /* PaX: rt_sigreturn emulation */
1781 + unsigned int ldi1, ldi2, bel, nop;
1783 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1784 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1785 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1786 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1791 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1792 + ldi2 == 0x3414015AU &&
1793 + bel == 0xE4008200U &&
1794 + nop == 0x08000240U)
1796 + regs->gr[25] = (ldi1 & 2) >> 1;
1797 + regs->gr[20] = __NR_rt_sigreturn;
1798 + regs->gr[31] = regs->iaoq[1] + 16;
1799 + regs->sr[0] = regs->iasq[1];
1800 + regs->iaoq[0] = 0x100UL;
1801 + regs->iaoq[1] = regs->iaoq[0] + 4;
1802 + regs->iasq[0] = regs->sr[2];
1803 + regs->iasq[1] = regs->sr[2];
1812 +void pax_report_insns(void *pc, void *sp)
1816 + printk(KERN_ERR "PAX: bytes at PC: ");
1817 + for (i = 0; i < 5; i++) {
1819 + if (get_user(c, (unsigned int *)pc+i))
1820 + printk(KERN_CONT "???????? ");
1822 + printk(KERN_CONT "%08x ", c);
1828 int fixup_exception(struct pt_regs *regs)
1830 const struct exception_table_entry *fix;
1831 @@ -192,8 +303,33 @@ good_area:
1833 acc_type = parisc_acctyp(code,regs->iir);
1835 - if ((vma->vm_flags & acc_type) != acc_type)
1836 + if ((vma->vm_flags & acc_type) != acc_type) {
1838 +#ifdef CONFIG_PAX_PAGEEXEC
1839 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1840 + (address & ~3UL) == instruction_pointer(regs))
1842 + up_read(&mm->mmap_sem);
1843 + switch (pax_handle_fetch_fault(regs)) {
1845 +#ifdef CONFIG_PAX_EMUPLT
1850 +#ifdef CONFIG_PAX_EMUTRAMP
1856 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1857 + do_group_exit(SIGKILL);
1865 * If for any reason at all we couldn't handle the fault, make
1866 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/device.h linux-2.6.32.42/arch/powerpc/include/asm/device.h
1867 --- linux-2.6.32.42/arch/powerpc/include/asm/device.h 2011-03-27 14:31:47.000000000 -0400
1868 +++ linux-2.6.32.42/arch/powerpc/include/asm/device.h 2011-04-17 15:56:45.000000000 -0400
1869 @@ -14,7 +14,7 @@ struct dev_archdata {
1870 struct device_node *of_node;
1872 /* DMA operations on that device */
1873 - struct dma_map_ops *dma_ops;
1874 + const struct dma_map_ops *dma_ops;
1877 * When an iommu is in use, dma_data is used as a ptr to the base of the
1878 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/dma-mapping.h linux-2.6.32.42/arch/powerpc/include/asm/dma-mapping.h
1879 --- linux-2.6.32.42/arch/powerpc/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
1880 +++ linux-2.6.32.42/arch/powerpc/include/asm/dma-mapping.h 2011-04-17 15:56:45.000000000 -0400
1881 @@ -69,9 +69,9 @@ static inline unsigned long device_to_ma
1883 extern struct dma_map_ops dma_iommu_ops;
1885 -extern struct dma_map_ops dma_direct_ops;
1886 +extern const struct dma_map_ops dma_direct_ops;
1888 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1889 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1891 /* We don't handle the NULL dev case for ISA for now. We could
1892 * do it via an out of line call but it is not needed for now. The
1893 @@ -84,7 +84,7 @@ static inline struct dma_map_ops *get_dm
1894 return dev->archdata.dma_ops;
1897 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1898 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1900 dev->archdata.dma_ops = ops;
1902 @@ -118,7 +118,7 @@ static inline void set_dma_offset(struct
1904 static inline int dma_supported(struct device *dev, u64 mask)
1906 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1907 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1909 if (unlikely(dma_ops == NULL))
1911 @@ -132,7 +132,7 @@ static inline int dma_supported(struct d
1913 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1915 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1916 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1918 if (unlikely(dma_ops == NULL))
1920 @@ -147,7 +147,7 @@ static inline int dma_set_mask(struct de
1921 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1922 dma_addr_t *dma_handle, gfp_t flag)
1924 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1925 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1929 @@ -162,7 +162,7 @@ static inline void *dma_alloc_coherent(s
1930 static inline void dma_free_coherent(struct device *dev, size_t size,
1931 void *cpu_addr, dma_addr_t dma_handle)
1933 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1934 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1938 @@ -173,7 +173,7 @@ static inline void dma_free_coherent(str
1940 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1942 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
1943 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1945 if (dma_ops->mapping_error)
1946 return dma_ops->mapping_error(dev, dma_addr);
1947 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/elf.h linux-2.6.32.42/arch/powerpc/include/asm/elf.h
1948 --- linux-2.6.32.42/arch/powerpc/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
1949 +++ linux-2.6.32.42/arch/powerpc/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
1950 @@ -179,8 +179,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
1951 the loader. We need to make sure that it is out of the way of the program
1952 that it will "exec", and that there is sufficient room for the brk. */
1954 -extern unsigned long randomize_et_dyn(unsigned long base);
1955 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
1956 +#define ELF_ET_DYN_BASE (0x20000000)
1958 +#ifdef CONFIG_PAX_ASLR
1959 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
1961 +#ifdef __powerpc64__
1962 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
1963 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
1965 +#define PAX_DELTA_MMAP_LEN 15
1966 +#define PAX_DELTA_STACK_LEN 15
1971 * Our registers are always unsigned longs, whether we're a 32 bit
1972 @@ -275,9 +286,6 @@ extern int arch_setup_additional_pages(s
1973 (0x7ff >> (PAGE_SHIFT - 12)) : \
1974 (0x3ffff >> (PAGE_SHIFT - 12)))
1976 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1977 -#define arch_randomize_brk arch_randomize_brk
1979 #endif /* __KERNEL__ */
1982 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/iommu.h linux-2.6.32.42/arch/powerpc/include/asm/iommu.h
1983 --- linux-2.6.32.42/arch/powerpc/include/asm/iommu.h 2011-03-27 14:31:47.000000000 -0400
1984 +++ linux-2.6.32.42/arch/powerpc/include/asm/iommu.h 2011-04-17 15:56:45.000000000 -0400
1985 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
1986 extern void iommu_init_early_dart(void);
1987 extern void iommu_init_early_pasemi(void);
1990 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
1993 extern void pci_iommu_init(void);
1994 extern void pci_direct_iommu_init(void);
1995 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/kmap_types.h linux-2.6.32.42/arch/powerpc/include/asm/kmap_types.h
1996 --- linux-2.6.32.42/arch/powerpc/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
1997 +++ linux-2.6.32.42/arch/powerpc/include/asm/kmap_types.h 2011-04-17 15:56:45.000000000 -0400
1998 @@ -26,6 +26,7 @@ enum km_type {
2006 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/page_64.h linux-2.6.32.42/arch/powerpc/include/asm/page_64.h
2007 --- linux-2.6.32.42/arch/powerpc/include/asm/page_64.h 2011-03-27 14:31:47.000000000 -0400
2008 +++ linux-2.6.32.42/arch/powerpc/include/asm/page_64.h 2011-04-17 15:56:45.000000000 -0400
2009 @@ -180,15 +180,18 @@ do { \
2010 * stack by default, so in the absense of a PT_GNU_STACK program header
2011 * we turn execute permission off.
2013 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2014 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2015 +#define VM_STACK_DEFAULT_FLAGS32 \
2016 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2017 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2019 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2020 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2022 +#ifndef CONFIG_PAX_PAGEEXEC
2023 #define VM_STACK_DEFAULT_FLAGS \
2024 (test_thread_flag(TIF_32BIT) ? \
2025 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2028 #include <asm-generic/getorder.h>
2030 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/page.h linux-2.6.32.42/arch/powerpc/include/asm/page.h
2031 --- linux-2.6.32.42/arch/powerpc/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
2032 +++ linux-2.6.32.42/arch/powerpc/include/asm/page.h 2011-04-17 15:56:45.000000000 -0400
2033 @@ -116,8 +116,9 @@ extern phys_addr_t kernstart_addr;
2034 * and needs to be executable. This means the whole heap ends
2035 * up being executable.
2037 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2038 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2039 +#define VM_DATA_DEFAULT_FLAGS32 \
2040 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2041 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2043 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2044 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2045 @@ -145,6 +146,9 @@ extern phys_addr_t kernstart_addr;
2046 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2049 +#define ktla_ktva(addr) (addr)
2050 +#define ktva_ktla(addr) (addr)
2052 #ifndef __ASSEMBLY__
2054 #undef STRICT_MM_TYPECHECKS
2055 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/pci.h linux-2.6.32.42/arch/powerpc/include/asm/pci.h
2056 --- linux-2.6.32.42/arch/powerpc/include/asm/pci.h 2011-03-27 14:31:47.000000000 -0400
2057 +++ linux-2.6.32.42/arch/powerpc/include/asm/pci.h 2011-04-17 15:56:45.000000000 -0400
2058 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2062 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2063 -extern struct dma_map_ops *get_pci_dma_ops(void);
2064 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2065 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2066 #else /* CONFIG_PCI */
2067 #define set_pci_dma_ops(d)
2068 #define get_pci_dma_ops() NULL
2069 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/pgtable.h linux-2.6.32.42/arch/powerpc/include/asm/pgtable.h
2070 --- linux-2.6.32.42/arch/powerpc/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
2071 +++ linux-2.6.32.42/arch/powerpc/include/asm/pgtable.h 2011-04-17 15:56:45.000000000 -0400
2073 #define _ASM_POWERPC_PGTABLE_H
2076 +#include <linux/const.h>
2077 #ifndef __ASSEMBLY__
2078 #include <asm/processor.h> /* For TASK_SIZE */
2079 #include <asm/mmu.h>
2080 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/pte-hash32.h linux-2.6.32.42/arch/powerpc/include/asm/pte-hash32.h
2081 --- linux-2.6.32.42/arch/powerpc/include/asm/pte-hash32.h 2011-03-27 14:31:47.000000000 -0400
2082 +++ linux-2.6.32.42/arch/powerpc/include/asm/pte-hash32.h 2011-04-17 15:56:45.000000000 -0400
2084 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2085 #define _PAGE_USER 0x004 /* usermode access allowed */
2086 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2087 +#define _PAGE_EXEC _PAGE_GUARDED
2088 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2089 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2090 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
2091 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/reg.h linux-2.6.32.42/arch/powerpc/include/asm/reg.h
2092 --- linux-2.6.32.42/arch/powerpc/include/asm/reg.h 2011-03-27 14:31:47.000000000 -0400
2093 +++ linux-2.6.32.42/arch/powerpc/include/asm/reg.h 2011-04-17 15:56:45.000000000 -0400
2095 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2096 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2097 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2098 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2099 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2100 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2101 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2102 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/swiotlb.h linux-2.6.32.42/arch/powerpc/include/asm/swiotlb.h
2103 --- linux-2.6.32.42/arch/powerpc/include/asm/swiotlb.h 2011-03-27 14:31:47.000000000 -0400
2104 +++ linux-2.6.32.42/arch/powerpc/include/asm/swiotlb.h 2011-04-17 15:56:45.000000000 -0400
2107 #include <linux/swiotlb.h>
2109 -extern struct dma_map_ops swiotlb_dma_ops;
2110 +extern const struct dma_map_ops swiotlb_dma_ops;
2112 static inline void dma_mark_clean(void *addr, size_t size) {}
2114 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/system.h linux-2.6.32.42/arch/powerpc/include/asm/system.h
2115 --- linux-2.6.32.42/arch/powerpc/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
2116 +++ linux-2.6.32.42/arch/powerpc/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
2117 @@ -531,7 +531,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2118 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2121 -extern unsigned long arch_align_stack(unsigned long sp);
2122 +#define arch_align_stack(x) ((x) & ~0xfUL)
2124 /* Used in very early kernel initialization. */
2125 extern unsigned long reloc_offset(void);
2126 diff -urNp linux-2.6.32.42/arch/powerpc/include/asm/uaccess.h linux-2.6.32.42/arch/powerpc/include/asm/uaccess.h
2127 --- linux-2.6.32.42/arch/powerpc/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
2128 +++ linux-2.6.32.42/arch/powerpc/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
2130 #define VERIFY_READ 0
2131 #define VERIFY_WRITE 1
2133 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2136 * The fs value determines whether argument validity checking should be
2137 * performed or not. If get_fs() == USER_DS, checking is performed, with
2138 @@ -327,52 +329,6 @@ do { \
2139 extern unsigned long __copy_tofrom_user(void __user *to,
2140 const void __user *from, unsigned long size);
2142 -#ifndef __powerpc64__
2144 -static inline unsigned long copy_from_user(void *to,
2145 - const void __user *from, unsigned long n)
2147 - unsigned long over;
2149 - if (access_ok(VERIFY_READ, from, n))
2150 - return __copy_tofrom_user((__force void __user *)to, from, n);
2151 - if ((unsigned long)from < TASK_SIZE) {
2152 - over = (unsigned long)from + n - TASK_SIZE;
2153 - return __copy_tofrom_user((__force void __user *)to, from,
2159 -static inline unsigned long copy_to_user(void __user *to,
2160 - const void *from, unsigned long n)
2162 - unsigned long over;
2164 - if (access_ok(VERIFY_WRITE, to, n))
2165 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2166 - if ((unsigned long)to < TASK_SIZE) {
2167 - over = (unsigned long)to + n - TASK_SIZE;
2168 - return __copy_tofrom_user(to, (__force void __user *)from,
2174 -#else /* __powerpc64__ */
2176 -#define __copy_in_user(to, from, size) \
2177 - __copy_tofrom_user((to), (from), (size))
2179 -extern unsigned long copy_from_user(void *to, const void __user *from,
2181 -extern unsigned long copy_to_user(void __user *to, const void *from,
2183 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2186 -#endif /* __powerpc64__ */
2188 static inline unsigned long __copy_from_user_inatomic(void *to,
2189 const void __user *from, unsigned long n)
2191 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2196 + if (!__builtin_constant_p(n))
2197 + check_object_size(to, n, false);
2199 return __copy_tofrom_user((__force void __user *)to, from, n);
2202 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2207 + if (!__builtin_constant_p(n))
2208 + check_object_size(from, n, true);
2210 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2213 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2214 return __copy_to_user_inatomic(to, from, size);
2217 +#ifndef __powerpc64__
2219 +static inline unsigned long __must_check copy_from_user(void *to,
2220 + const void __user *from, unsigned long n)
2222 + unsigned long over;
2227 + if (access_ok(VERIFY_READ, from, n)) {
2228 + if (!__builtin_constant_p(n))
2229 + check_object_size(to, n, false);
2230 + return __copy_tofrom_user((__force void __user *)to, from, n);
2232 + if ((unsigned long)from < TASK_SIZE) {
2233 + over = (unsigned long)from + n - TASK_SIZE;
2234 + if (!__builtin_constant_p(n - over))
2235 + check_object_size(to, n - over, false);
2236 + return __copy_tofrom_user((__force void __user *)to, from,
2242 +static inline unsigned long __must_check copy_to_user(void __user *to,
2243 + const void *from, unsigned long n)
2245 + unsigned long over;
2250 + if (access_ok(VERIFY_WRITE, to, n)) {
2251 + if (!__builtin_constant_p(n))
2252 + check_object_size(from, n, true);
2253 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2255 + if ((unsigned long)to < TASK_SIZE) {
2256 + over = (unsigned long)to + n - TASK_SIZE;
2257 + if (!__builtin_constant_p(n))
2258 + check_object_size(from, n - over, true);
2259 + return __copy_tofrom_user(to, (__force void __user *)from,
2265 +#else /* __powerpc64__ */
2267 +#define __copy_in_user(to, from, size) \
2268 + __copy_tofrom_user((to), (from), (size))
2270 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2272 + if ((long)n < 0 || n > INT_MAX)
2275 + if (!__builtin_constant_p(n))
2276 + check_object_size(to, n, false);
2278 + if (likely(access_ok(VERIFY_READ, from, n)))
2279 + n = __copy_from_user(to, from, n);
2285 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2287 + if ((long)n < 0 || n > INT_MAX)
2290 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2291 + if (!__builtin_constant_p(n))
2292 + check_object_size(from, n, true);
2293 + n = __copy_to_user(to, from, n);
2298 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2301 +#endif /* __powerpc64__ */
2303 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2305 static inline unsigned long clear_user(void __user *addr, unsigned long size)
2306 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/cacheinfo.c linux-2.6.32.42/arch/powerpc/kernel/cacheinfo.c
2307 --- linux-2.6.32.42/arch/powerpc/kernel/cacheinfo.c 2011-03-27 14:31:47.000000000 -0400
2308 +++ linux-2.6.32.42/arch/powerpc/kernel/cacheinfo.c 2011-04-17 15:56:45.000000000 -0400
2309 @@ -642,7 +642,7 @@ static struct kobj_attribute *cache_inde
2313 -static struct sysfs_ops cache_index_ops = {
2314 +static const struct sysfs_ops cache_index_ops = {
2315 .show = cache_index_show,
2318 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/dma.c linux-2.6.32.42/arch/powerpc/kernel/dma.c
2319 --- linux-2.6.32.42/arch/powerpc/kernel/dma.c 2011-03-27 14:31:47.000000000 -0400
2320 +++ linux-2.6.32.42/arch/powerpc/kernel/dma.c 2011-04-17 15:56:45.000000000 -0400
2321 @@ -134,7 +134,7 @@ static inline void dma_direct_sync_singl
2325 -struct dma_map_ops dma_direct_ops = {
2326 +const struct dma_map_ops dma_direct_ops = {
2327 .alloc_coherent = dma_direct_alloc_coherent,
2328 .free_coherent = dma_direct_free_coherent,
2329 .map_sg = dma_direct_map_sg,
2330 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/dma-iommu.c linux-2.6.32.42/arch/powerpc/kernel/dma-iommu.c
2331 --- linux-2.6.32.42/arch/powerpc/kernel/dma-iommu.c 2011-03-27 14:31:47.000000000 -0400
2332 +++ linux-2.6.32.42/arch/powerpc/kernel/dma-iommu.c 2011-04-17 15:56:45.000000000 -0400
2333 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2336 /* We support DMA to/from any memory page via the iommu */
2337 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2338 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2340 struct iommu_table *tbl = get_iommu_table_base(dev);
2342 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.32.42/arch/powerpc/kernel/dma-swiotlb.c
2343 --- linux-2.6.32.42/arch/powerpc/kernel/dma-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
2344 +++ linux-2.6.32.42/arch/powerpc/kernel/dma-swiotlb.c 2011-04-17 15:56:45.000000000 -0400
2345 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2346 * map_page, and unmap_page on highmem, use normal dma_ops
2347 * for everything else.
2349 -struct dma_map_ops swiotlb_dma_ops = {
2350 +const struct dma_map_ops swiotlb_dma_ops = {
2351 .alloc_coherent = dma_direct_alloc_coherent,
2352 .free_coherent = dma_direct_free_coherent,
2353 .map_sg = swiotlb_map_sg_attrs,
2354 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/exceptions-64e.S linux-2.6.32.42/arch/powerpc/kernel/exceptions-64e.S
2355 --- linux-2.6.32.42/arch/powerpc/kernel/exceptions-64e.S 2011-03-27 14:31:47.000000000 -0400
2356 +++ linux-2.6.32.42/arch/powerpc/kernel/exceptions-64e.S 2011-04-17 15:56:45.000000000 -0400
2357 @@ -455,6 +455,7 @@ storage_fault_common:
2360 addi r3,r1,STACK_FRAME_OVERHEAD
2364 ld r14,PACA_EXGEN+EX_R14(r13)
2365 @@ -464,8 +465,7 @@ storage_fault_common:
2368 b .ret_from_except_lite
2372 addi r3,r1,STACK_FRAME_OVERHEAD
2375 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/exceptions-64s.S linux-2.6.32.42/arch/powerpc/kernel/exceptions-64s.S
2376 --- linux-2.6.32.42/arch/powerpc/kernel/exceptions-64s.S 2011-03-27 14:31:47.000000000 -0400
2377 +++ linux-2.6.32.42/arch/powerpc/kernel/exceptions-64s.S 2011-04-17 15:56:45.000000000 -0400
2378 @@ -818,10 +818,10 @@ handle_page_fault:
2381 addi r3,r1,STACK_FRAME_OVERHEAD
2388 addi r3,r1,STACK_FRAME_OVERHEAD
2390 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/ibmebus.c linux-2.6.32.42/arch/powerpc/kernel/ibmebus.c
2391 --- linux-2.6.32.42/arch/powerpc/kernel/ibmebus.c 2011-03-27 14:31:47.000000000 -0400
2392 +++ linux-2.6.32.42/arch/powerpc/kernel/ibmebus.c 2011-04-17 15:56:45.000000000 -0400
2393 @@ -127,7 +127,7 @@ static int ibmebus_dma_supported(struct
2397 -static struct dma_map_ops ibmebus_dma_ops = {
2398 +static const struct dma_map_ops ibmebus_dma_ops = {
2399 .alloc_coherent = ibmebus_alloc_coherent,
2400 .free_coherent = ibmebus_free_coherent,
2401 .map_sg = ibmebus_map_sg,
2402 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/kgdb.c linux-2.6.32.42/arch/powerpc/kernel/kgdb.c
2403 --- linux-2.6.32.42/arch/powerpc/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
2404 +++ linux-2.6.32.42/arch/powerpc/kernel/kgdb.c 2011-04-17 15:56:45.000000000 -0400
2405 @@ -126,7 +126,7 @@ static int kgdb_handle_breakpoint(struct
2406 if (kgdb_handle_exception(0, SIGTRAP, 0, regs) != 0)
2409 - if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2410 + if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2414 @@ -353,7 +353,7 @@ int kgdb_arch_handle_exception(int vecto
2418 -struct kgdb_arch arch_kgdb_ops = {
2419 +const struct kgdb_arch arch_kgdb_ops = {
2420 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2423 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/module_32.c linux-2.6.32.42/arch/powerpc/kernel/module_32.c
2424 --- linux-2.6.32.42/arch/powerpc/kernel/module_32.c 2011-03-27 14:31:47.000000000 -0400
2425 +++ linux-2.6.32.42/arch/powerpc/kernel/module_32.c 2011-04-17 15:56:45.000000000 -0400
2426 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2427 me->arch.core_plt_section = i;
2429 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2430 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2431 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2435 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2437 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2438 /* Init, or core PLT? */
2439 - if (location >= mod->module_core
2440 - && location < mod->module_core + mod->core_size)
2441 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2442 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2443 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2445 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2446 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2447 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2449 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2453 /* Find this entry, or if that fails, the next avail. entry */
2454 while (entry->jump[0]) {
2455 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/module.c linux-2.6.32.42/arch/powerpc/kernel/module.c
2456 --- linux-2.6.32.42/arch/powerpc/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
2457 +++ linux-2.6.32.42/arch/powerpc/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
2460 LIST_HEAD(module_bug_list);
2462 +#ifdef CONFIG_PAX_KERNEXEC
2463 void *module_alloc(unsigned long size)
2468 + return vmalloc(size);
2471 +void *module_alloc_exec(unsigned long size)
2473 +void *module_alloc(unsigned long size)
2480 return vmalloc_exec(size);
2483 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2484 vfree(module_region);
2487 +#ifdef CONFIG_PAX_KERNEXEC
2488 +void module_free_exec(struct module *mod, void *module_region)
2490 + module_free(mod, module_region);
2494 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2495 const Elf_Shdr *sechdrs,
2497 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/pci-common.c linux-2.6.32.42/arch/powerpc/kernel/pci-common.c
2498 --- linux-2.6.32.42/arch/powerpc/kernel/pci-common.c 2011-03-27 14:31:47.000000000 -0400
2499 +++ linux-2.6.32.42/arch/powerpc/kernel/pci-common.c 2011-04-17 15:56:45.000000000 -0400
2500 @@ -50,14 +50,14 @@ resource_size_t isa_mem_base;
2501 unsigned int ppc_pci_flags = 0;
2504 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2505 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2507 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2508 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2510 pci_dma_ops = dma_ops;
2513 -struct dma_map_ops *get_pci_dma_ops(void)
2514 +const struct dma_map_ops *get_pci_dma_ops(void)
2518 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/process.c linux-2.6.32.42/arch/powerpc/kernel/process.c
2519 --- linux-2.6.32.42/arch/powerpc/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
2520 +++ linux-2.6.32.42/arch/powerpc/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
2521 @@ -539,8 +539,8 @@ void show_regs(struct pt_regs * regs)
2522 * Lookup NIP late so we have the best change of getting the
2523 * above info out without failing
2525 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2526 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2527 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2528 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2530 show_stack(current, (unsigned long *) regs->gpr[1]);
2531 if (!user_mode(regs))
2532 @@ -1034,10 +1034,10 @@ void show_stack(struct task_struct *tsk,
2534 ip = stack[STACK_FRAME_LR_SAVE];
2535 if (!firstframe || ip != lr) {
2536 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2537 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2538 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2539 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2542 (void *)current->ret_stack[curr_frame].ret);
2545 @@ -1057,7 +1057,7 @@ void show_stack(struct task_struct *tsk,
2546 struct pt_regs *regs = (struct pt_regs *)
2547 (sp + STACK_FRAME_OVERHEAD);
2549 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2550 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2551 regs->trap, (void *)regs->nip, (void *)lr);
2554 @@ -1134,58 +1134,3 @@ void thread_info_cache_init(void)
2557 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2559 -unsigned long arch_align_stack(unsigned long sp)
2561 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2562 - sp -= get_random_int() & ~PAGE_MASK;
2566 -static inline unsigned long brk_rnd(void)
2568 - unsigned long rnd = 0;
2570 - /* 8MB for 32bit, 1GB for 64bit */
2571 - if (is_32bit_task())
2572 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2574 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2576 - return rnd << PAGE_SHIFT;
2579 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2581 - unsigned long base = mm->brk;
2582 - unsigned long ret;
2584 -#ifdef CONFIG_PPC_STD_MMU_64
2586 - * If we are using 1TB segments and we are allowed to randomise
2587 - * the heap, we can put it above 1TB so it is backed by a 1TB
2588 - * segment. Otherwise the heap will be in the bottom 1TB
2589 - * which always uses 256MB segments and this may result in a
2590 - * performance penalty.
2592 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2593 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2596 - ret = PAGE_ALIGN(base + brk_rnd());
2598 - if (ret < mm->brk)
2604 -unsigned long randomize_et_dyn(unsigned long base)
2606 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2613 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/signal_32.c linux-2.6.32.42/arch/powerpc/kernel/signal_32.c
2614 --- linux-2.6.32.42/arch/powerpc/kernel/signal_32.c 2011-03-27 14:31:47.000000000 -0400
2615 +++ linux-2.6.32.42/arch/powerpc/kernel/signal_32.c 2011-04-17 15:56:45.000000000 -0400
2616 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2617 /* Save user registers on the stack */
2618 frame = &rt_sf->uc.uc_mcontext;
2620 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2621 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2622 if (save_user_regs(regs, frame, 0, 1))
2624 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
2625 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/signal_64.c linux-2.6.32.42/arch/powerpc/kernel/signal_64.c
2626 --- linux-2.6.32.42/arch/powerpc/kernel/signal_64.c 2011-03-27 14:31:47.000000000 -0400
2627 +++ linux-2.6.32.42/arch/powerpc/kernel/signal_64.c 2011-04-17 15:56:45.000000000 -0400
2628 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2629 current->thread.fpscr.val = 0;
2631 /* Set up to return from userspace. */
2632 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2633 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2634 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2636 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2637 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/sys_ppc32.c linux-2.6.32.42/arch/powerpc/kernel/sys_ppc32.c
2638 --- linux-2.6.32.42/arch/powerpc/kernel/sys_ppc32.c 2011-03-27 14:31:47.000000000 -0400
2639 +++ linux-2.6.32.42/arch/powerpc/kernel/sys_ppc32.c 2011-04-17 15:56:45.000000000 -0400
2640 @@ -563,10 +563,10 @@ asmlinkage long compat_sys_sysctl(struct
2643 if (get_user(oldlen, oldlenp) ||
2644 - put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)))
2645 + put_user(oldlen, (compat_size_t __user *)compat_ptr(tmp.oldlenp)) ||
2646 + copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused)))
2649 - copy_to_user(args->__unused, tmp.__unused, sizeof(tmp.__unused));
2653 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/traps.c linux-2.6.32.42/arch/powerpc/kernel/traps.c
2654 --- linux-2.6.32.42/arch/powerpc/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
2655 +++ linux-2.6.32.42/arch/powerpc/kernel/traps.c 2011-06-13 21:33:37.000000000 -0400
2656 @@ -99,6 +99,8 @@ static void pmac_backlight_unblank(void)
2657 static inline void pmac_backlight_unblank(void) { }
2660 +extern void gr_handle_kernel_exploit(void);
2662 int die(const char *str, struct pt_regs *regs, long err)
2665 @@ -168,6 +170,8 @@ int die(const char *str, struct pt_regs
2667 panic("Fatal exception");
2669 + gr_handle_kernel_exploit();
2674 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/vdso.c linux-2.6.32.42/arch/powerpc/kernel/vdso.c
2675 --- linux-2.6.32.42/arch/powerpc/kernel/vdso.c 2011-03-27 14:31:47.000000000 -0400
2676 +++ linux-2.6.32.42/arch/powerpc/kernel/vdso.c 2011-04-17 15:56:45.000000000 -0400
2678 #include <asm/firmware.h>
2679 #include <asm/vdso.h>
2680 #include <asm/vdso_datapage.h>
2681 +#include <asm/mman.h>
2685 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2686 vdso_base = VDSO32_MBASE;
2689 - current->mm->context.vdso_base = 0;
2690 + current->mm->context.vdso_base = ~0UL;
2692 /* vDSO has a problem and was disabled, just don't "enable" it for the
2694 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2695 vdso_base = get_unmapped_area(NULL, vdso_base,
2696 (vdso_pages << PAGE_SHIFT) +
2697 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2699 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2700 if (IS_ERR_VALUE(vdso_base)) {
2703 diff -urNp linux-2.6.32.42/arch/powerpc/kernel/vio.c linux-2.6.32.42/arch/powerpc/kernel/vio.c
2704 --- linux-2.6.32.42/arch/powerpc/kernel/vio.c 2011-03-27 14:31:47.000000000 -0400
2705 +++ linux-2.6.32.42/arch/powerpc/kernel/vio.c 2011-04-17 15:56:45.000000000 -0400
2706 @@ -601,11 +601,12 @@ static void vio_dma_iommu_unmap_sg(struc
2707 vio_cmo_dealloc(viodev, alloc_size);
2710 -struct dma_map_ops vio_dma_mapping_ops = {
2711 +static const struct dma_map_ops vio_dma_mapping_ops = {
2712 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2713 .free_coherent = vio_dma_iommu_free_coherent,
2714 .map_sg = vio_dma_iommu_map_sg,
2715 .unmap_sg = vio_dma_iommu_unmap_sg,
2716 + .dma_supported = dma_iommu_dma_supported,
2717 .map_page = vio_dma_iommu_map_page,
2718 .unmap_page = vio_dma_iommu_unmap_page,
2720 @@ -857,7 +858,6 @@ static void vio_cmo_bus_remove(struct vi
2722 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2724 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2725 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2728 diff -urNp linux-2.6.32.42/arch/powerpc/lib/usercopy_64.c linux-2.6.32.42/arch/powerpc/lib/usercopy_64.c
2729 --- linux-2.6.32.42/arch/powerpc/lib/usercopy_64.c 2011-03-27 14:31:47.000000000 -0400
2730 +++ linux-2.6.32.42/arch/powerpc/lib/usercopy_64.c 2011-04-17 15:56:45.000000000 -0400
2732 #include <linux/module.h>
2733 #include <asm/uaccess.h>
2735 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2737 - if (likely(access_ok(VERIFY_READ, from, n)))
2738 - n = __copy_from_user(to, from, n);
2744 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2746 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2747 - n = __copy_to_user(to, from, n);
2751 unsigned long copy_in_user(void __user *to, const void __user *from,
2754 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2758 -EXPORT_SYMBOL(copy_from_user);
2759 -EXPORT_SYMBOL(copy_to_user);
2760 EXPORT_SYMBOL(copy_in_user);
2762 diff -urNp linux-2.6.32.42/arch/powerpc/mm/fault.c linux-2.6.32.42/arch/powerpc/mm/fault.c
2763 --- linux-2.6.32.42/arch/powerpc/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
2764 +++ linux-2.6.32.42/arch/powerpc/mm/fault.c 2011-04-17 15:56:45.000000000 -0400
2766 #include <linux/kprobes.h>
2767 #include <linux/kdebug.h>
2768 #include <linux/perf_event.h>
2769 +#include <linux/slab.h>
2770 +#include <linux/pagemap.h>
2771 +#include <linux/compiler.h>
2772 +#include <linux/unistd.h>
2774 #include <asm/firmware.h>
2775 #include <asm/page.h>
2777 #include <asm/uaccess.h>
2778 #include <asm/tlbflush.h>
2779 #include <asm/siginfo.h>
2780 +#include <asm/ptrace.h>
2783 #ifdef CONFIG_KPROBES
2784 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2788 +#ifdef CONFIG_PAX_PAGEEXEC
2790 + * PaX: decide what to do with offenders (regs->nip = fault address)
2792 + * returns 1 when task should be killed
2794 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2799 +void pax_report_insns(void *pc, void *sp)
2803 + printk(KERN_ERR "PAX: bytes at PC: ");
2804 + for (i = 0; i < 5; i++) {
2806 + if (get_user(c, (unsigned int __user *)pc+i))
2807 + printk(KERN_CONT "???????? ");
2809 + printk(KERN_CONT "%08x ", c);
2816 * Check whether the instruction at regs->nip is a store using
2817 * an update addressing form which will update r1.
2818 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2819 * indicate errors in DSISR but can validly be set in SRR1.
2822 - error_code &= 0x48200000;
2823 + error_code &= 0x58200000;
2825 is_write = error_code & DSISR_ISSTORE;
2827 @@ -250,7 +282,7 @@ good_area:
2828 * "undefined". Of those that can be set, this is the only
2829 * one which seems bad.
2831 - if (error_code & 0x10000000)
2832 + if (error_code & DSISR_GUARDED)
2833 /* Guarded storage error. */
2835 #endif /* CONFIG_8xx */
2836 @@ -265,7 +297,7 @@ good_area:
2837 * processors use the same I/D cache coherency mechanism
2840 - if (error_code & DSISR_PROTFAULT)
2841 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2843 #endif /* CONFIG_PPC_STD_MMU */
2845 @@ -335,6 +367,23 @@ bad_area:
2846 bad_area_nosemaphore:
2847 /* User mode accesses cause a SIGSEGV */
2848 if (user_mode(regs)) {
2850 +#ifdef CONFIG_PAX_PAGEEXEC
2851 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2852 +#ifdef CONFIG_PPC_STD_MMU
2853 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2855 + if (is_exec && regs->nip == address) {
2857 + switch (pax_handle_fetch_fault(regs)) {
2860 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2861 + do_group_exit(SIGKILL);
2866 _exception(SIGSEGV, regs, code, address);
2869 diff -urNp linux-2.6.32.42/arch/powerpc/mm/mmap_64.c linux-2.6.32.42/arch/powerpc/mm/mmap_64.c
2870 --- linux-2.6.32.42/arch/powerpc/mm/mmap_64.c 2011-03-27 14:31:47.000000000 -0400
2871 +++ linux-2.6.32.42/arch/powerpc/mm/mmap_64.c 2011-04-17 15:56:45.000000000 -0400
2872 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2874 if (mmap_is_legacy()) {
2875 mm->mmap_base = TASK_UNMAPPED_BASE;
2877 +#ifdef CONFIG_PAX_RANDMMAP
2878 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2879 + mm->mmap_base += mm->delta_mmap;
2882 mm->get_unmapped_area = arch_get_unmapped_area;
2883 mm->unmap_area = arch_unmap_area;
2885 mm->mmap_base = mmap_base();
2887 +#ifdef CONFIG_PAX_RANDMMAP
2888 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2889 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2892 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2893 mm->unmap_area = arch_unmap_area_topdown;
2895 diff -urNp linux-2.6.32.42/arch/powerpc/mm/slice.c linux-2.6.32.42/arch/powerpc/mm/slice.c
2896 --- linux-2.6.32.42/arch/powerpc/mm/slice.c 2011-03-27 14:31:47.000000000 -0400
2897 +++ linux-2.6.32.42/arch/powerpc/mm/slice.c 2011-04-17 15:56:45.000000000 -0400
2898 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
2899 if ((mm->task_size - len) < addr)
2901 vma = find_vma(mm, addr);
2902 - return (!vma || (addr + len) <= vma->vm_start);
2903 + return check_heap_stack_gap(vma, addr, len);
2906 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2907 @@ -256,7 +256,7 @@ full_search:
2908 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2911 - if (!vma || addr + len <= vma->vm_start) {
2912 + if (check_heap_stack_gap(vma, addr, len)) {
2914 * Remember the place where we stopped the search:
2916 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
2920 - addr = mm->mmap_base;
2921 - while (addr > len) {
2922 + if (mm->mmap_base < len)
2925 + addr = mm->mmap_base - len;
2927 + while (!IS_ERR_VALUE(addr)) {
2928 /* Go down by chunk size */
2929 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
2930 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
2932 /* Check for hit with different page size */
2933 mask = slice_range_to_mask(addr, len);
2934 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
2935 * return with success:
2937 vma = find_vma(mm, addr);
2938 - if (!vma || (addr + len) <= vma->vm_start) {
2939 + if (check_heap_stack_gap(vma, addr, len)) {
2940 /* remember the address as a hint for next time */
2942 mm->free_area_cache = addr;
2943 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
2944 mm->cached_hole_size = vma->vm_start - addr;
2946 /* try just below the current vma->vm_start */
2947 - addr = vma->vm_start;
2948 + addr = skip_heap_stack_gap(vma, len);
2952 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
2953 if (fixed && addr > (mm->task_size - len))
2956 +#ifdef CONFIG_PAX_RANDMMAP
2957 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2961 /* If hint, make sure it matches our alignment restrictions */
2962 if (!fixed && addr) {
2963 addr = _ALIGN_UP(addr, 1ul << pshift);
2964 diff -urNp linux-2.6.32.42/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.32.42/arch/powerpc/platforms/52xx/lite5200_pm.c
2965 --- linux-2.6.32.42/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-03-27 14:31:47.000000000 -0400
2966 +++ linux-2.6.32.42/arch/powerpc/platforms/52xx/lite5200_pm.c 2011-04-17 15:56:45.000000000 -0400
2967 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
2968 lite5200_pm_target_state = PM_SUSPEND_ON;
2971 -static struct platform_suspend_ops lite5200_pm_ops = {
2972 +static const struct platform_suspend_ops lite5200_pm_ops = {
2973 .valid = lite5200_pm_valid,
2974 .begin = lite5200_pm_begin,
2975 .prepare = lite5200_pm_prepare,
2976 diff -urNp linux-2.6.32.42/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.32.42/arch/powerpc/platforms/52xx/mpc52xx_pm.c
2977 --- linux-2.6.32.42/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-03-27 14:31:47.000000000 -0400
2978 +++ linux-2.6.32.42/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2011-04-17 15:56:45.000000000 -0400
2979 @@ -180,7 +180,7 @@ void mpc52xx_pm_finish(void)
2983 -static struct platform_suspend_ops mpc52xx_pm_ops = {
2984 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
2985 .valid = mpc52xx_pm_valid,
2986 .prepare = mpc52xx_pm_prepare,
2987 .enter = mpc52xx_pm_enter,
2988 diff -urNp linux-2.6.32.42/arch/powerpc/platforms/83xx/suspend.c linux-2.6.32.42/arch/powerpc/platforms/83xx/suspend.c
2989 --- linux-2.6.32.42/arch/powerpc/platforms/83xx/suspend.c 2011-03-27 14:31:47.000000000 -0400
2990 +++ linux-2.6.32.42/arch/powerpc/platforms/83xx/suspend.c 2011-04-17 15:56:45.000000000 -0400
2991 @@ -273,7 +273,7 @@ static int mpc83xx_is_pci_agent(void)
2995 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
2996 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
2997 .valid = mpc83xx_suspend_valid,
2998 .begin = mpc83xx_suspend_begin,
2999 .enter = mpc83xx_suspend_enter,
3000 diff -urNp linux-2.6.32.42/arch/powerpc/platforms/cell/iommu.c linux-2.6.32.42/arch/powerpc/platforms/cell/iommu.c
3001 --- linux-2.6.32.42/arch/powerpc/platforms/cell/iommu.c 2011-03-27 14:31:47.000000000 -0400
3002 +++ linux-2.6.32.42/arch/powerpc/platforms/cell/iommu.c 2011-04-17 15:56:45.000000000 -0400
3003 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3005 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3007 -struct dma_map_ops dma_iommu_fixed_ops = {
3008 +const struct dma_map_ops dma_iommu_fixed_ops = {
3009 .alloc_coherent = dma_fixed_alloc_coherent,
3010 .free_coherent = dma_fixed_free_coherent,
3011 .map_sg = dma_fixed_map_sg,
3012 diff -urNp linux-2.6.32.42/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.32.42/arch/powerpc/platforms/ps3/system-bus.c
3013 --- linux-2.6.32.42/arch/powerpc/platforms/ps3/system-bus.c 2011-03-27 14:31:47.000000000 -0400
3014 +++ linux-2.6.32.42/arch/powerpc/platforms/ps3/system-bus.c 2011-04-17 15:56:45.000000000 -0400
3015 @@ -694,7 +694,7 @@ static int ps3_dma_supported(struct devi
3016 return mask >= DMA_BIT_MASK(32);
3019 -static struct dma_map_ops ps3_sb_dma_ops = {
3020 +static const struct dma_map_ops ps3_sb_dma_ops = {
3021 .alloc_coherent = ps3_alloc_coherent,
3022 .free_coherent = ps3_free_coherent,
3023 .map_sg = ps3_sb_map_sg,
3024 @@ -704,7 +704,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3025 .unmap_page = ps3_unmap_page,
3028 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3029 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3030 .alloc_coherent = ps3_alloc_coherent,
3031 .free_coherent = ps3_free_coherent,
3032 .map_sg = ps3_ioc0_map_sg,
3033 diff -urNp linux-2.6.32.42/arch/powerpc/platforms/pseries/Kconfig linux-2.6.32.42/arch/powerpc/platforms/pseries/Kconfig
3034 --- linux-2.6.32.42/arch/powerpc/platforms/pseries/Kconfig 2011-03-27 14:31:47.000000000 -0400
3035 +++ linux-2.6.32.42/arch/powerpc/platforms/pseries/Kconfig 2011-04-17 15:56:45.000000000 -0400
3036 @@ -2,6 +2,8 @@ config PPC_PSERIES
3037 depends on PPC64 && PPC_BOOK3S
3038 bool "IBM pSeries & new (POWER5-based) iSeries"
3044 select RTAS_ERROR_LOGGING
3045 diff -urNp linux-2.6.32.42/arch/s390/include/asm/elf.h linux-2.6.32.42/arch/s390/include/asm/elf.h
3046 --- linux-2.6.32.42/arch/s390/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
3047 +++ linux-2.6.32.42/arch/s390/include/asm/elf.h 2011-04-17 15:56:45.000000000 -0400
3048 @@ -164,6 +164,13 @@ extern unsigned int vdso_enabled;
3049 that it will "exec", and that there is sufficient room for the brk. */
3050 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3052 +#ifdef CONFIG_PAX_ASLR
3053 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3055 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3056 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3059 /* This yields a mask that user programs can use to figure out what
3060 instruction set this CPU supports. */
3062 diff -urNp linux-2.6.32.42/arch/s390/include/asm/setup.h linux-2.6.32.42/arch/s390/include/asm/setup.h
3063 --- linux-2.6.32.42/arch/s390/include/asm/setup.h 2011-03-27 14:31:47.000000000 -0400
3064 +++ linux-2.6.32.42/arch/s390/include/asm/setup.h 2011-04-17 15:56:45.000000000 -0400
3065 @@ -50,13 +50,13 @@ extern unsigned long memory_end;
3066 void detect_memory_layout(struct mem_chunk chunk[]);
3068 #ifdef CONFIG_S390_SWITCH_AMODE
3069 -extern unsigned int switch_amode;
3070 +#define switch_amode (1)
3072 #define switch_amode (0)
3075 #ifdef CONFIG_S390_EXEC_PROTECT
3076 -extern unsigned int s390_noexec;
3077 +#define s390_noexec (1)
3079 #define s390_noexec (0)
3081 diff -urNp linux-2.6.32.42/arch/s390/include/asm/uaccess.h linux-2.6.32.42/arch/s390/include/asm/uaccess.h
3082 --- linux-2.6.32.42/arch/s390/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
3083 +++ linux-2.6.32.42/arch/s390/include/asm/uaccess.h 2011-04-17 15:56:45.000000000 -0400
3084 @@ -232,6 +232,10 @@ static inline unsigned long __must_check
3085 copy_to_user(void __user *to, const void *from, unsigned long n)
3092 if (access_ok(VERIFY_WRITE, to, n))
3093 n = __copy_to_user(to, from, n);
3095 @@ -257,6 +261,9 @@ copy_to_user(void __user *to, const void
3096 static inline unsigned long __must_check
3097 __copy_from_user(void *to, const void __user *from, unsigned long n)
3102 if (__builtin_constant_p(n) && (n <= 256))
3103 return uaccess.copy_from_user_small(n, from, to);
3105 @@ -283,6 +290,10 @@ static inline unsigned long __must_check
3106 copy_from_user(void *to, const void __user *from, unsigned long n)
3113 if (access_ok(VERIFY_READ, from, n))
3114 n = __copy_from_user(to, from, n);
3116 diff -urNp linux-2.6.32.42/arch/s390/Kconfig linux-2.6.32.42/arch/s390/Kconfig
3117 --- linux-2.6.32.42/arch/s390/Kconfig 2011-03-27 14:31:47.000000000 -0400
3118 +++ linux-2.6.32.42/arch/s390/Kconfig 2011-04-17 15:56:45.000000000 -0400
3119 @@ -194,28 +194,26 @@ config AUDIT_ARCH
3121 config S390_SWITCH_AMODE
3122 bool "Switch kernel/user addressing modes"
3125 This option allows to switch the addressing modes of kernel and user
3126 - space. The kernel parameter switch_amode=on will enable this feature,
3127 - default is disabled. Enabling this (via kernel parameter) on machines
3128 - earlier than IBM System z9-109 EC/BC will reduce system performance.
3129 + space. Enabling this on machines earlier than IBM System z9-109 EC/BC
3130 + will reduce system performance.
3132 Note that this option will also be selected by selecting the execute
3133 - protection option below. Enabling the execute protection via the
3134 - noexec kernel parameter will also switch the addressing modes,
3135 - independent of the switch_amode kernel parameter.
3136 + protection option below. Enabling the execute protection will also
3137 + switch the addressing modes, independent of this option.
3140 config S390_EXEC_PROTECT
3141 bool "Data execute protection"
3143 select S390_SWITCH_AMODE
3145 This option allows to enable a buffer overflow protection for user
3146 space programs and it also selects the addressing mode option above.
3147 - The kernel parameter noexec=on will enable this feature and also
3148 - switch the addressing modes, default is disabled. Enabling this (via
3149 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3150 - will reduce system performance.
3151 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
3152 + reduce system performance.
3154 comment "Code generation options"
3156 diff -urNp linux-2.6.32.42/arch/s390/kernel/module.c linux-2.6.32.42/arch/s390/kernel/module.c
3157 --- linux-2.6.32.42/arch/s390/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
3158 +++ linux-2.6.32.42/arch/s390/kernel/module.c 2011-04-17 15:56:45.000000000 -0400
3159 @@ -166,11 +166,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3161 /* Increase core size by size of got & plt and set start
3162 offsets for got and plt. */
3163 - me->core_size = ALIGN(me->core_size, 4);
3164 - me->arch.got_offset = me->core_size;
3165 - me->core_size += me->arch.got_size;
3166 - me->arch.plt_offset = me->core_size;
3167 - me->core_size += me->arch.plt_size;
3168 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3169 + me->arch.got_offset = me->core_size_rw;
3170 + me->core_size_rw += me->arch.got_size;
3171 + me->arch.plt_offset = me->core_size_rx;
3172 + me->core_size_rx += me->arch.plt_size;
3176 @@ -256,7 +256,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3177 if (info->got_initialized == 0) {
3180 - gotent = me->module_core + me->arch.got_offset +
3181 + gotent = me->module_core_rw + me->arch.got_offset +
3184 info->got_initialized = 1;
3185 @@ -280,7 +280,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3186 else if (r_type == R_390_GOTENT ||
3187 r_type == R_390_GOTPLTENT)
3188 *(unsigned int *) loc =
3189 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3190 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3191 else if (r_type == R_390_GOT64 ||
3192 r_type == R_390_GOTPLT64)
3193 *(unsigned long *) loc = val;
3194 @@ -294,7 +294,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3195 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3196 if (info->plt_initialized == 0) {
3198 - ip = me->module_core + me->arch.plt_offset +
3199 + ip = me->module_core_rx + me->arch.plt_offset +
3201 #ifndef CONFIG_64BIT
3202 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3203 @@ -319,7 +319,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3204 val - loc + 0xffffUL < 0x1ffffeUL) ||
3205 (r_type == R_390_PLT32DBL &&
3206 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3207 - val = (Elf_Addr) me->module_core +
3208 + val = (Elf_Addr) me->module_core_rx +
3209 me->arch.plt_offset +
3211 val += rela->r_addend - loc;
3212 @@ -341,7 +341,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3213 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3214 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3215 val = val + rela->r_addend -
3216 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3217 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3218 if (r_type == R_390_GOTOFF16)
3219 *(unsigned short *) loc = val;
3220 else if (r_type == R_390_GOTOFF32)
3221 @@ -351,7 +351,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3223 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3224 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3225 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3226 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3227 rela->r_addend - loc;
3228 if (r_type == R_390_GOTPC)
3229 *(unsigned int *) loc = val;
3230 diff -urNp linux-2.6.32.42/arch/s390/kernel/setup.c linux-2.6.32.42/arch/s390/kernel/setup.c
3231 --- linux-2.6.32.42/arch/s390/kernel/setup.c 2011-03-27 14:31:47.000000000 -0400
3232 +++ linux-2.6.32.42/arch/s390/kernel/setup.c 2011-04-17 15:56:45.000000000 -0400
3233 @@ -306,9 +306,6 @@ static int __init early_parse_mem(char *
3234 early_param("mem", early_parse_mem);
3236 #ifdef CONFIG_S390_SWITCH_AMODE
3237 -unsigned int switch_amode = 0;
3238 -EXPORT_SYMBOL_GPL(switch_amode);
3240 static int set_amode_and_uaccess(unsigned long user_amode,
3241 unsigned long user32_amode)
3243 @@ -334,17 +331,6 @@ static int set_amode_and_uaccess(unsigne
3249 - * Switch kernel/user addressing modes?
3251 -static int __init early_parse_switch_amode(char *p)
3256 -early_param("switch_amode", early_parse_switch_amode);
3258 #else /* CONFIG_S390_SWITCH_AMODE */
3259 static inline int set_amode_and_uaccess(unsigned long user_amode,
3260 unsigned long user32_amode)
3261 @@ -353,24 +339,6 @@ static inline int set_amode_and_uaccess(
3263 #endif /* CONFIG_S390_SWITCH_AMODE */
3265 -#ifdef CONFIG_S390_EXEC_PROTECT
3266 -unsigned int s390_noexec = 0;
3267 -EXPORT_SYMBOL_GPL(s390_noexec);
3270 - * Enable execute protection?
3272 -static int __init early_parse_noexec(char *p)
3274 - if (!strncmp(p, "off", 3))
3280 -early_param("noexec", early_parse_noexec);
3281 -#endif /* CONFIG_S390_EXEC_PROTECT */
3283 static void setup_addressing_mode(void)
3286 diff -urNp linux-2.6.32.42/arch/s390/mm/mmap.c linux-2.6.32.42/arch/s390/mm/mmap.c
3287 --- linux-2.6.32.42/arch/s390/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
3288 +++ linux-2.6.32.42/arch/s390/mm/mmap.c 2011-04-17 15:56:45.000000000 -0400
3289 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3291 if (mmap_is_legacy()) {
3292 mm->mmap_base = TASK_UNMAPPED_BASE;
3294 +#ifdef CONFIG_PAX_RANDMMAP
3295 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3296 + mm->mmap_base += mm->delta_mmap;
3299 mm->get_unmapped_area = arch_get_unmapped_area;
3300 mm->unmap_area = arch_unmap_area;
3302 mm->mmap_base = mmap_base();
3304 +#ifdef CONFIG_PAX_RANDMMAP
3305 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3306 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3309 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3310 mm->unmap_area = arch_unmap_area_topdown;
3312 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3314 if (mmap_is_legacy()) {
3315 mm->mmap_base = TASK_UNMAPPED_BASE;
3317 +#ifdef CONFIG_PAX_RANDMMAP
3318 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3319 + mm->mmap_base += mm->delta_mmap;
3322 mm->get_unmapped_area = s390_get_unmapped_area;
3323 mm->unmap_area = arch_unmap_area;
3325 mm->mmap_base = mmap_base();
3327 +#ifdef CONFIG_PAX_RANDMMAP
3328 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3329 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3332 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3333 mm->unmap_area = arch_unmap_area_topdown;
3335 diff -urNp linux-2.6.32.42/arch/score/include/asm/system.h linux-2.6.32.42/arch/score/include/asm/system.h
3336 --- linux-2.6.32.42/arch/score/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
3337 +++ linux-2.6.32.42/arch/score/include/asm/system.h 2011-04-17 15:56:45.000000000 -0400
3338 @@ -17,7 +17,7 @@ do { \
3339 #define finish_arch_switch(prev) do {} while (0)
3341 typedef void (*vi_handler_t)(void);
3342 -extern unsigned long arch_align_stack(unsigned long sp);
3343 +#define arch_align_stack(x) (x)
3345 #define mb() barrier()
3346 #define rmb() barrier()
3347 diff -urNp linux-2.6.32.42/arch/score/kernel/process.c linux-2.6.32.42/arch/score/kernel/process.c
3348 --- linux-2.6.32.42/arch/score/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
3349 +++ linux-2.6.32.42/arch/score/kernel/process.c 2011-04-17 15:56:45.000000000 -0400
3350 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3352 return task_pt_regs(task)->cp0_epc;
3355 -unsigned long arch_align_stack(unsigned long sp)
3359 diff -urNp linux-2.6.32.42/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.32.42/arch/sh/boards/mach-hp6xx/pm.c
3360 --- linux-2.6.32.42/arch/sh/boards/mach-hp6xx/pm.c 2011-03-27 14:31:47.000000000 -0400
3361 +++ linux-2.6.32.42/arch/sh/boards/mach-hp6xx/pm.c 2011-04-17 15:56:45.000000000 -0400
3362 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3366 -static struct platform_suspend_ops hp6x0_pm_ops = {
3367 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3368 .enter = hp6x0_pm_enter,
3369 .valid = suspend_valid_only_mem,
3371 diff -urNp linux-2.6.32.42/arch/sh/kernel/cpu/sh4/sq.c linux-2.6.32.42/arch/sh/kernel/cpu/sh4/sq.c
3372 --- linux-2.6.32.42/arch/sh/kernel/cpu/sh4/sq.c 2011-03-27 14:31:47.000000000 -0400
3373 +++ linux-2.6.32.42/arch/sh/kernel/cpu/sh4/sq.c 2011-04-17 15:56:46.000000000 -0400
3374 @@ -327,7 +327,7 @@ static struct attribute *sq_sysfs_attrs[
3378 -static struct sysfs_ops sq_sysfs_ops = {
3379 +static const struct sysfs_ops sq_sysfs_ops = {
3380 .show = sq_sysfs_show,
3381 .store = sq_sysfs_store,
3383 diff -urNp linux-2.6.32.42/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.32.42/arch/sh/kernel/cpu/shmobile/pm.c
3384 --- linux-2.6.32.42/arch/sh/kernel/cpu/shmobile/pm.c 2011-03-27 14:31:47.000000000 -0400
3385 +++ linux-2.6.32.42/arch/sh/kernel/cpu/shmobile/pm.c 2011-04-17 15:56:46.000000000 -0400
3386 @@ -58,7 +58,7 @@ static int sh_pm_enter(suspend_state_t s
3390 -static struct platform_suspend_ops sh_pm_ops = {
3391 +static const struct platform_suspend_ops sh_pm_ops = {
3392 .enter = sh_pm_enter,
3393 .valid = suspend_valid_only_mem,
3395 diff -urNp linux-2.6.32.42/arch/sh/kernel/kgdb.c linux-2.6.32.42/arch/sh/kernel/kgdb.c
3396 --- linux-2.6.32.42/arch/sh/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
3397 +++ linux-2.6.32.42/arch/sh/kernel/kgdb.c 2011-04-17 15:56:46.000000000 -0400
3398 @@ -271,7 +271,7 @@ void kgdb_arch_exit(void)
3402 -struct kgdb_arch arch_kgdb_ops = {
3403 +const struct kgdb_arch arch_kgdb_ops = {
3404 /* Breakpoint instruction: trapa #0x3c */
3405 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3406 .gdb_bpt_instr = { 0x3c, 0xc3 },
3407 diff -urNp linux-2.6.32.42/arch/sh/mm/mmap.c linux-2.6.32.42/arch/sh/mm/mmap.c
3408 --- linux-2.6.32.42/arch/sh/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
3409 +++ linux-2.6.32.42/arch/sh/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
3410 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3411 addr = PAGE_ALIGN(addr);
3413 vma = find_vma(mm, addr);
3414 - if (TASK_SIZE - len >= addr &&
3415 - (!vma || addr + len <= vma->vm_start))
3416 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3420 @@ -106,7 +105,7 @@ full_search:
3424 - if (likely(!vma || addr + len <= vma->vm_start)) {
3425 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3427 * Remember the place where we stopped the search:
3429 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3430 addr = PAGE_ALIGN(addr);
3432 vma = find_vma(mm, addr);
3433 - if (TASK_SIZE - len >= addr &&
3434 - (!vma || addr + len <= vma->vm_start))
3435 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3439 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3440 /* make sure it can fit in the remaining address space */
3441 if (likely(addr > len)) {
3442 vma = find_vma(mm, addr-len);
3443 - if (!vma || addr <= vma->vm_start) {
3444 + if (check_heap_stack_gap(vma, addr - len, len)) {
3445 /* remember the address as a hint for next time */
3446 return (mm->free_area_cache = addr-len);
3448 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3449 if (unlikely(mm->mmap_base < len))
3452 - addr = mm->mmap_base-len;
3453 - if (do_colour_align)
3454 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3455 + addr = mm->mmap_base - len;
3458 + if (do_colour_align)
3459 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3461 * Lookup failure means no vma is above this address,
3462 * else if new region fits below vma->vm_start,
3463 * return with success:
3465 vma = find_vma(mm, addr);
3466 - if (likely(!vma || addr+len <= vma->vm_start)) {
3467 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3468 /* remember the address as a hint for next time */
3469 return (mm->free_area_cache = addr);
3471 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3472 mm->cached_hole_size = vma->vm_start - addr;
3474 /* try just below the current vma->vm_start */
3475 - addr = vma->vm_start-len;
3476 - if (do_colour_align)
3477 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3478 - } while (likely(len < vma->vm_start));
3479 + addr = skip_heap_stack_gap(vma, len);
3480 + } while (!IS_ERR_VALUE(addr));
3484 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/atomic_64.h linux-2.6.32.42/arch/sparc/include/asm/atomic_64.h
3485 --- linux-2.6.32.42/arch/sparc/include/asm/atomic_64.h 2011-03-27 14:31:47.000000000 -0400
3486 +++ linux-2.6.32.42/arch/sparc/include/asm/atomic_64.h 2011-05-04 17:56:20.000000000 -0400
3488 #define ATOMIC64_INIT(i) { (i) }
3490 #define atomic_read(v) ((v)->counter)
3491 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3493 + return v->counter;
3495 #define atomic64_read(v) ((v)->counter)
3496 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3498 + return v->counter;
3501 #define atomic_set(v, i) (((v)->counter) = i)
3502 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3506 #define atomic64_set(v, i) (((v)->counter) = i)
3507 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3512 extern void atomic_add(int, atomic_t *);
3513 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3514 extern void atomic64_add(long, atomic64_t *);
3515 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3516 extern void atomic_sub(int, atomic_t *);
3517 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3518 extern void atomic64_sub(long, atomic64_t *);
3519 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3521 extern int atomic_add_ret(int, atomic_t *);
3522 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3523 extern long atomic64_add_ret(long, atomic64_t *);
3524 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3525 extern int atomic_sub_ret(int, atomic_t *);
3526 extern long atomic64_sub_ret(long, atomic64_t *);
3528 @@ -33,7 +55,15 @@ extern long atomic64_sub_ret(long, atomi
3529 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3531 #define atomic_inc_return(v) atomic_add_ret(1, v)
3532 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3534 + return atomic_add_ret_unchecked(1, v);
3536 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3537 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3539 + return atomic64_add_ret_unchecked(1, v);
3542 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3543 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3544 @@ -50,6 +80,7 @@ extern long atomic64_sub_ret(long, atomi
3547 #define atomic_inc_and_test(v) (atomic_inc_return(v) == 0)
3548 +#define atomic_inc_and_test_unchecked(v) (atomic_inc_return_unchecked(v) == 0)
3549 #define atomic64_inc_and_test(v) (atomic64_inc_return(v) == 0)
3551 #define atomic_sub_and_test(i, v) (atomic_sub_ret(i, v) == 0)
3552 @@ -59,30 +90,59 @@ extern long atomic64_sub_ret(long, atomi
3553 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3555 #define atomic_inc(v) atomic_add(1, v)
3556 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3558 + atomic_add_unchecked(1, v);
3560 #define atomic64_inc(v) atomic64_add(1, v)
3561 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3563 + atomic64_add_unchecked(1, v);
3566 #define atomic_dec(v) atomic_sub(1, v)
3567 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3569 + atomic_sub_unchecked(1, v);
3571 #define atomic64_dec(v) atomic64_sub(1, v)
3572 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3574 + atomic64_sub_unchecked(1, v);
3577 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3578 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3580 #define atomic_cmpxchg(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
3581 +#define atomic_cmpxchg_unchecked(v, o, n) (cmpxchg(&((v)->counter), (o), (n)))
3582 #define atomic_xchg(v, new) (xchg(&((v)->counter), new))
3583 +#define atomic_xchg_unchecked(v, new) (xchg(&((v)->counter), new))
3585 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3591 - if (unlikely(c == (u)))
3592 + if (unlikely(c == u))
3594 - old = atomic_cmpxchg((v), c, c + (a));
3596 + asm volatile("addcc %2, %0, %0\n"
3598 +#ifdef CONFIG_PAX_REFCOUNT
3603 + : "0" (c), "ir" (a)
3606 + old = atomic_cmpxchg(v, c, new);
3607 if (likely(old == c))
3615 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
3616 @@ -93,17 +153,28 @@ static inline int atomic_add_unless(atom
3618 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3622 c = atomic64_read(v);
3624 - if (unlikely(c == (u)))
3625 + if (unlikely(c == u))
3627 - old = atomic64_cmpxchg((v), c, c + (a));
3629 + asm volatile("addcc %2, %0, %0\n"
3631 +#ifdef CONFIG_PAX_REFCOUNT
3636 + : "0" (c), "ir" (a)
3639 + old = atomic64_cmpxchg(v, c, new);
3640 if (likely(old == c))
3648 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3649 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/cache.h linux-2.6.32.42/arch/sparc/include/asm/cache.h
3650 --- linux-2.6.32.42/arch/sparc/include/asm/cache.h 2011-03-27 14:31:47.000000000 -0400
3651 +++ linux-2.6.32.42/arch/sparc/include/asm/cache.h 2011-05-17 19:26:34.000000000 -0400
3653 #define _SPARC_CACHE_H
3655 #define L1_CACHE_SHIFT 5
3656 -#define L1_CACHE_BYTES 32
3657 +#define L1_CACHE_BYTES 32U
3658 #define L1_CACHE_ALIGN(x) ((((x)+(L1_CACHE_BYTES-1))&~(L1_CACHE_BYTES-1)))
3660 #ifdef CONFIG_SPARC32
3661 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/dma-mapping.h linux-2.6.32.42/arch/sparc/include/asm/dma-mapping.h
3662 --- linux-2.6.32.42/arch/sparc/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
3663 +++ linux-2.6.32.42/arch/sparc/include/asm/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
3664 @@ -14,10 +14,10 @@ extern int dma_set_mask(struct device *d
3665 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3666 #define dma_is_consistent(d, h) (1)
3668 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3669 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3670 extern struct bus_type pci_bus_type;
3672 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3673 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3675 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3676 if (dev->bus == &pci_bus_type)
3677 @@ -31,7 +31,7 @@ static inline struct dma_map_ops *get_dm
3678 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3679 dma_addr_t *dma_handle, gfp_t flag)
3681 - struct dma_map_ops *ops = get_dma_ops(dev);
3682 + const struct dma_map_ops *ops = get_dma_ops(dev);
3685 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3686 @@ -42,7 +42,7 @@ static inline void *dma_alloc_coherent(s
3687 static inline void dma_free_coherent(struct device *dev, size_t size,
3688 void *cpu_addr, dma_addr_t dma_handle)
3690 - struct dma_map_ops *ops = get_dma_ops(dev);
3691 + const struct dma_map_ops *ops = get_dma_ops(dev);
3693 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3694 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3695 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/elf_32.h linux-2.6.32.42/arch/sparc/include/asm/elf_32.h
3696 --- linux-2.6.32.42/arch/sparc/include/asm/elf_32.h 2011-03-27 14:31:47.000000000 -0400
3697 +++ linux-2.6.32.42/arch/sparc/include/asm/elf_32.h 2011-04-17 15:56:46.000000000 -0400
3698 @@ -116,6 +116,13 @@ typedef struct {
3700 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3702 +#ifdef CONFIG_PAX_ASLR
3703 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3705 +#define PAX_DELTA_MMAP_LEN 16
3706 +#define PAX_DELTA_STACK_LEN 16
3709 /* This yields a mask that user programs can use to figure out what
3710 instruction set this cpu supports. This can NOT be done in userspace
3712 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/elf_64.h linux-2.6.32.42/arch/sparc/include/asm/elf_64.h
3713 --- linux-2.6.32.42/arch/sparc/include/asm/elf_64.h 2011-03-27 14:31:47.000000000 -0400
3714 +++ linux-2.6.32.42/arch/sparc/include/asm/elf_64.h 2011-04-17 15:56:46.000000000 -0400
3715 @@ -163,6 +163,12 @@ typedef struct {
3716 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3717 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3719 +#ifdef CONFIG_PAX_ASLR
3720 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3722 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3723 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3726 /* This yields a mask that user programs can use to figure out what
3727 instruction set this cpu supports. */
3728 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/pgtable_32.h linux-2.6.32.42/arch/sparc/include/asm/pgtable_32.h
3729 --- linux-2.6.32.42/arch/sparc/include/asm/pgtable_32.h 2011-03-27 14:31:47.000000000 -0400
3730 +++ linux-2.6.32.42/arch/sparc/include/asm/pgtable_32.h 2011-04-17 15:56:46.000000000 -0400
3731 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3732 BTFIXUPDEF_INT(page_none)
3733 BTFIXUPDEF_INT(page_copy)
3734 BTFIXUPDEF_INT(page_readonly)
3736 +#ifdef CONFIG_PAX_PAGEEXEC
3737 +BTFIXUPDEF_INT(page_shared_noexec)
3738 +BTFIXUPDEF_INT(page_copy_noexec)
3739 +BTFIXUPDEF_INT(page_readonly_noexec)
3742 BTFIXUPDEF_INT(page_kernel)
3744 #define PMD_SHIFT SUN4C_PMD_SHIFT
3745 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3746 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3747 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3749 +#ifdef CONFIG_PAX_PAGEEXEC
3750 +extern pgprot_t PAGE_SHARED_NOEXEC;
3751 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3752 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3754 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3755 +# define PAGE_COPY_NOEXEC PAGE_COPY
3756 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3759 extern unsigned long page_kernel;
3762 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.32.42/arch/sparc/include/asm/pgtsrmmu.h
3763 --- linux-2.6.32.42/arch/sparc/include/asm/pgtsrmmu.h 2011-03-27 14:31:47.000000000 -0400
3764 +++ linux-2.6.32.42/arch/sparc/include/asm/pgtsrmmu.h 2011-04-17 15:56:46.000000000 -0400
3765 @@ -115,6 +115,13 @@
3766 SRMMU_EXEC | SRMMU_REF)
3767 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3768 SRMMU_EXEC | SRMMU_REF)
3770 +#ifdef CONFIG_PAX_PAGEEXEC
3771 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3772 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3773 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3776 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3777 SRMMU_DIRTY | SRMMU_REF)
3779 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/spinlock_64.h linux-2.6.32.42/arch/sparc/include/asm/spinlock_64.h
3780 --- linux-2.6.32.42/arch/sparc/include/asm/spinlock_64.h 2011-03-27 14:31:47.000000000 -0400
3781 +++ linux-2.6.32.42/arch/sparc/include/asm/spinlock_64.h 2011-05-04 17:56:20.000000000 -0400
3782 @@ -92,14 +92,19 @@ static inline void __raw_spin_lock_flags
3784 /* Multi-reader locks, these are much saner than the 32-bit Sparc ones... */
3786 -static void inline arch_read_lock(raw_rwlock_t *lock)
3787 +static inline void arch_read_lock(raw_rwlock_t *lock)
3789 unsigned long tmp1, tmp2;
3791 __asm__ __volatile__ (
3792 "1: ldsw [%2], %0\n"
3794 -"4: add %0, 1, %1\n"
3795 +"4: addcc %0, 1, %1\n"
3797 +#ifdef CONFIG_PAX_REFCOUNT
3801 " cas [%2], %0, %1\n"
3803 " bne,pn %%icc, 1b\n"
3804 @@ -112,7 +117,7 @@ static void inline arch_read_lock(raw_rw
3806 : "=&r" (tmp1), "=&r" (tmp2)
3809 + : "memory", "cc");
3812 static int inline arch_read_trylock(raw_rwlock_t *lock)
3813 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(raw_
3814 "1: ldsw [%2], %0\n"
3815 " brlz,a,pn %0, 2f\n"
3818 +" addcc %0, 1, %1\n"
3820 +#ifdef CONFIG_PAX_REFCOUNT
3824 " cas [%2], %0, %1\n"
3826 " bne,pn %%icc, 1b\n"
3827 @@ -136,13 +146,18 @@ static int inline arch_read_trylock(raw_
3831 -static void inline arch_read_unlock(raw_rwlock_t *lock)
3832 +static inline void arch_read_unlock(raw_rwlock_t *lock)
3834 unsigned long tmp1, tmp2;
3836 __asm__ __volatile__(
3837 "1: lduw [%2], %0\n"
3839 +" subcc %0, 1, %1\n"
3841 +#ifdef CONFIG_PAX_REFCOUNT
3845 " cas [%2], %0, %1\n"
3847 " bne,pn %%xcc, 1b\n"
3848 @@ -152,7 +167,7 @@ static void inline arch_read_unlock(raw_
3852 -static void inline arch_write_lock(raw_rwlock_t *lock)
3853 +static inline void arch_write_lock(raw_rwlock_t *lock)
3855 unsigned long mask, tmp1, tmp2;
3857 @@ -177,7 +192,7 @@ static void inline arch_write_lock(raw_r
3861 -static void inline arch_write_unlock(raw_rwlock_t *lock)
3862 +static inline void arch_write_unlock(raw_rwlock_t *lock)
3864 __asm__ __volatile__(
3866 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/thread_info_32.h linux-2.6.32.42/arch/sparc/include/asm/thread_info_32.h
3867 --- linux-2.6.32.42/arch/sparc/include/asm/thread_info_32.h 2011-03-27 14:31:47.000000000 -0400
3868 +++ linux-2.6.32.42/arch/sparc/include/asm/thread_info_32.h 2011-06-04 20:46:01.000000000 -0400
3869 @@ -50,6 +50,8 @@ struct thread_info {
3870 unsigned long w_saved;
3872 struct restart_block restart_block;
3874 + unsigned long lowest_stack;
3878 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/thread_info_64.h linux-2.6.32.42/arch/sparc/include/asm/thread_info_64.h
3879 --- linux-2.6.32.42/arch/sparc/include/asm/thread_info_64.h 2011-03-27 14:31:47.000000000 -0400
3880 +++ linux-2.6.32.42/arch/sparc/include/asm/thread_info_64.h 2011-06-04 20:46:21.000000000 -0400
3881 @@ -68,6 +68,8 @@ struct thread_info {
3882 struct pt_regs *kern_una_regs;
3883 unsigned int kern_una_insn;
3885 + unsigned long lowest_stack;
3887 unsigned long fpregs[0] __attribute__ ((aligned(64)));
3890 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/uaccess_32.h linux-2.6.32.42/arch/sparc/include/asm/uaccess_32.h
3891 --- linux-2.6.32.42/arch/sparc/include/asm/uaccess_32.h 2011-03-27 14:31:47.000000000 -0400
3892 +++ linux-2.6.32.42/arch/sparc/include/asm/uaccess_32.h 2011-04-17 15:56:46.000000000 -0400
3893 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3895 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3897 - if (n && __access_ok((unsigned long) to, n))
3901 + if (n && __access_ok((unsigned long) to, n)) {
3902 + if (!__builtin_constant_p(n))
3903 + check_object_size(from, n, true);
3904 return __copy_user(to, (__force void __user *) from, n);
3910 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3915 + if (!__builtin_constant_p(n))
3916 + check_object_size(from, n, true);
3918 return __copy_user(to, (__force void __user *) from, n);
3921 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3923 - if (n && __access_ok((unsigned long) from, n))
3927 + if (n && __access_ok((unsigned long) from, n)) {
3928 + if (!__builtin_constant_p(n))
3929 + check_object_size(to, n, false);
3930 return __copy_user((__force void __user *) to, from, n);
3936 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3941 return __copy_user((__force void __user *) to, from, n);
3944 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/uaccess_64.h linux-2.6.32.42/arch/sparc/include/asm/uaccess_64.h
3945 --- linux-2.6.32.42/arch/sparc/include/asm/uaccess_64.h 2011-03-27 14:31:47.000000000 -0400
3946 +++ linux-2.6.32.42/arch/sparc/include/asm/uaccess_64.h 2011-04-17 15:56:46.000000000 -0400
3948 #include <linux/compiler.h>
3949 #include <linux/string.h>
3950 #include <linux/thread_info.h>
3951 +#include <linux/kernel.h>
3952 #include <asm/asi.h>
3953 #include <asm/system.h>
3954 #include <asm/spitfire.h>
3955 @@ -212,8 +213,15 @@ extern unsigned long copy_from_user_fixu
3956 static inline unsigned long __must_check
3957 copy_from_user(void *to, const void __user *from, unsigned long size)
3959 - unsigned long ret = ___copy_from_user(to, from, size);
3960 + unsigned long ret;
3962 + if ((long)size < 0 || size > INT_MAX)
3965 + if (!__builtin_constant_p(size))
3966 + check_object_size(to, size, false);
3968 + ret = ___copy_from_user(to, from, size);
3970 ret = copy_from_user_fixup(to, from, size);
3972 @@ -228,8 +236,15 @@ extern unsigned long copy_to_user_fixup(
3973 static inline unsigned long __must_check
3974 copy_to_user(void __user *to, const void *from, unsigned long size)
3976 - unsigned long ret = ___copy_to_user(to, from, size);
3977 + unsigned long ret;
3979 + if ((long)size < 0 || size > INT_MAX)
3982 + if (!__builtin_constant_p(size))
3983 + check_object_size(from, size, true);
3985 + ret = ___copy_to_user(to, from, size);
3987 ret = copy_to_user_fixup(to, from, size);
3989 diff -urNp linux-2.6.32.42/arch/sparc/include/asm/uaccess.h linux-2.6.32.42/arch/sparc/include/asm/uaccess.h
3990 --- linux-2.6.32.42/arch/sparc/include/asm/uaccess.h 2011-03-27 14:31:47.000000000 -0400
3991 +++ linux-2.6.32.42/arch/sparc/include/asm/uaccess.h 2011-04-17 15:56:46.000000000 -0400
3993 #ifndef ___ASM_SPARC_UACCESS_H
3994 #define ___ASM_SPARC_UACCESS_H
3997 +#ifndef __ASSEMBLY__
3998 +#include <linux/types.h>
3999 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4003 #if defined(__sparc__) && defined(__arch64__)
4004 #include <asm/uaccess_64.h>
4006 diff -urNp linux-2.6.32.42/arch/sparc/kernel/iommu.c linux-2.6.32.42/arch/sparc/kernel/iommu.c
4007 --- linux-2.6.32.42/arch/sparc/kernel/iommu.c 2011-03-27 14:31:47.000000000 -0400
4008 +++ linux-2.6.32.42/arch/sparc/kernel/iommu.c 2011-04-17 15:56:46.000000000 -0400
4009 @@ -826,7 +826,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4010 spin_unlock_irqrestore(&iommu->lock, flags);
4013 -static struct dma_map_ops sun4u_dma_ops = {
4014 +static const struct dma_map_ops sun4u_dma_ops = {
4015 .alloc_coherent = dma_4u_alloc_coherent,
4016 .free_coherent = dma_4u_free_coherent,
4017 .map_page = dma_4u_map_page,
4018 @@ -837,7 +837,7 @@ static struct dma_map_ops sun4u_dma_ops
4019 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4022 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4023 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4024 EXPORT_SYMBOL(dma_ops);
4026 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
4027 diff -urNp linux-2.6.32.42/arch/sparc/kernel/ioport.c linux-2.6.32.42/arch/sparc/kernel/ioport.c
4028 --- linux-2.6.32.42/arch/sparc/kernel/ioport.c 2011-03-27 14:31:47.000000000 -0400
4029 +++ linux-2.6.32.42/arch/sparc/kernel/ioport.c 2011-04-17 15:56:46.000000000 -0400
4030 @@ -392,7 +392,7 @@ static void sbus_sync_sg_for_device(stru
4034 -struct dma_map_ops sbus_dma_ops = {
4035 +const struct dma_map_ops sbus_dma_ops = {
4036 .alloc_coherent = sbus_alloc_coherent,
4037 .free_coherent = sbus_free_coherent,
4038 .map_page = sbus_map_page,
4039 @@ -403,7 +403,7 @@ struct dma_map_ops sbus_dma_ops = {
4040 .sync_sg_for_device = sbus_sync_sg_for_device,
4043 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4044 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4045 EXPORT_SYMBOL(dma_ops);
4047 static int __init sparc_register_ioport(void)
4048 @@ -640,7 +640,7 @@ static void pci32_sync_sg_for_device(str
4052 -struct dma_map_ops pci32_dma_ops = {
4053 +const struct dma_map_ops pci32_dma_ops = {
4054 .alloc_coherent = pci32_alloc_coherent,
4055 .free_coherent = pci32_free_coherent,
4056 .map_page = pci32_map_page,
4057 diff -urNp linux-2.6.32.42/arch/sparc/kernel/kgdb_32.c linux-2.6.32.42/arch/sparc/kernel/kgdb_32.c
4058 --- linux-2.6.32.42/arch/sparc/kernel/kgdb_32.c 2011-03-27 14:31:47.000000000 -0400
4059 +++ linux-2.6.32.42/arch/sparc/kernel/kgdb_32.c 2011-04-17 15:56:46.000000000 -0400
4060 @@ -158,7 +158,7 @@ void kgdb_arch_exit(void)
4064 -struct kgdb_arch arch_kgdb_ops = {
4065 +const struct kgdb_arch arch_kgdb_ops = {
4066 /* Breakpoint instruction: ta 0x7d */
4067 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4069 diff -urNp linux-2.6.32.42/arch/sparc/kernel/kgdb_64.c linux-2.6.32.42/arch/sparc/kernel/kgdb_64.c
4070 --- linux-2.6.32.42/arch/sparc/kernel/kgdb_64.c 2011-03-27 14:31:47.000000000 -0400
4071 +++ linux-2.6.32.42/arch/sparc/kernel/kgdb_64.c 2011-04-17 15:56:46.000000000 -0400
4072 @@ -180,7 +180,7 @@ void kgdb_arch_exit(void)
4076 -struct kgdb_arch arch_kgdb_ops = {
4077 +const struct kgdb_arch arch_kgdb_ops = {
4078 /* Breakpoint instruction: ta 0x72 */
4079 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4081 diff -urNp linux-2.6.32.42/arch/sparc/kernel/Makefile linux-2.6.32.42/arch/sparc/kernel/Makefile
4082 --- linux-2.6.32.42/arch/sparc/kernel/Makefile 2011-03-27 14:31:47.000000000 -0400
4083 +++ linux-2.6.32.42/arch/sparc/kernel/Makefile 2011-04-17 15:56:46.000000000 -0400
4088 -ccflags-y := -Werror
4089 +#ccflags-y := -Werror
4091 extra-y := head_$(BITS).o
4092 extra-y += init_task.o
4093 diff -urNp linux-2.6.32.42/arch/sparc/kernel/pci_sun4v.c linux-2.6.32.42/arch/sparc/kernel/pci_sun4v.c
4094 --- linux-2.6.32.42/arch/sparc/kernel/pci_sun4v.c 2011-03-27 14:31:47.000000000 -0400
4095 +++ linux-2.6.32.42/arch/sparc/kernel/pci_sun4v.c 2011-04-17 15:56:46.000000000 -0400
4096 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4097 spin_unlock_irqrestore(&iommu->lock, flags);
4100 -static struct dma_map_ops sun4v_dma_ops = {
4101 +static const struct dma_map_ops sun4v_dma_ops = {
4102 .alloc_coherent = dma_4v_alloc_coherent,
4103 .free_coherent = dma_4v_free_coherent,
4104 .map_page = dma_4v_map_page,
4105 diff -urNp linux-2.6.32.42/arch/sparc/kernel/process_32.c linux-2.6.32.42/arch/sparc/kernel/process_32.c
4106 --- linux-2.6.32.42/arch/sparc/kernel/process_32.c 2011-03-27 14:31:47.000000000 -0400
4107 +++ linux-2.6.32.42/arch/sparc/kernel/process_32.c 2011-04-17 15:56:46.000000000 -0400
4108 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4109 rw->ins[4], rw->ins[5],
4112 - printk("%pS\n", (void *) rw->ins[7]);
4113 + printk("%pA\n", (void *) rw->ins[7]);
4114 rw = (struct reg_window32 *) rw->ins[6];
4116 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
4117 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4119 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4120 r->psr, r->pc, r->npc, r->y, print_tainted());
4121 - printk("PC: <%pS>\n", (void *) r->pc);
4122 + printk("PC: <%pA>\n", (void *) r->pc);
4123 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4124 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4125 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4126 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4127 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4128 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4129 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4130 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4132 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4133 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4134 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4135 rw = (struct reg_window32 *) fp;
4137 printk("[%08lx : ", pc);
4138 - printk("%pS ] ", (void *) pc);
4139 + printk("%pA ] ", (void *) pc);
4141 } while (++count < 16);
4143 diff -urNp linux-2.6.32.42/arch/sparc/kernel/process_64.c linux-2.6.32.42/arch/sparc/kernel/process_64.c
4144 --- linux-2.6.32.42/arch/sparc/kernel/process_64.c 2011-03-27 14:31:47.000000000 -0400
4145 +++ linux-2.6.32.42/arch/sparc/kernel/process_64.c 2011-04-17 15:56:46.000000000 -0400
4146 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4147 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4148 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4149 if (regs->tstate & TSTATE_PRIV)
4150 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4151 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4154 void show_regs(struct pt_regs *regs)
4156 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4157 regs->tpc, regs->tnpc, regs->y, print_tainted());
4158 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4159 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4160 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4161 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4163 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4164 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4165 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4167 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4168 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4169 show_regwindow(regs);
4172 @@ -284,7 +284,7 @@ void arch_trigger_all_cpu_backtrace(void
4173 ((tp && tp->task) ? tp->task->pid : -1));
4175 if (gp->tstate & TSTATE_PRIV) {
4176 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4177 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4181 diff -urNp linux-2.6.32.42/arch/sparc/kernel/sys_sparc_32.c linux-2.6.32.42/arch/sparc/kernel/sys_sparc_32.c
4182 --- linux-2.6.32.42/arch/sparc/kernel/sys_sparc_32.c 2011-03-27 14:31:47.000000000 -0400
4183 +++ linux-2.6.32.42/arch/sparc/kernel/sys_sparc_32.c 2011-04-17 15:56:46.000000000 -0400
4184 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
4185 if (ARCH_SUN4C && len > 0x20000000)
4188 - addr = TASK_UNMAPPED_BASE;
4189 + addr = current->mm->mmap_base;
4191 if (flags & MAP_SHARED)
4192 addr = COLOUR_ALIGN(addr);
4193 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
4195 if (TASK_SIZE - PAGE_SIZE - len < addr)
4197 - if (!vmm || addr + len <= vmm->vm_start)
4198 + if (check_heap_stack_gap(vmm, addr, len))
4201 if (flags & MAP_SHARED)
4202 diff -urNp linux-2.6.32.42/arch/sparc/kernel/sys_sparc_64.c linux-2.6.32.42/arch/sparc/kernel/sys_sparc_64.c
4203 --- linux-2.6.32.42/arch/sparc/kernel/sys_sparc_64.c 2011-03-27 14:31:47.000000000 -0400
4204 +++ linux-2.6.32.42/arch/sparc/kernel/sys_sparc_64.c 2011-04-17 15:56:46.000000000 -0400
4205 @@ -125,7 +125,7 @@ unsigned long arch_get_unmapped_area(str
4206 /* We do not accept a shared mapping if it would violate
4207 * cache aliasing constraints.
4209 - if ((flags & MAP_SHARED) &&
4210 + if ((filp || (flags & MAP_SHARED)) &&
4211 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4214 @@ -140,6 +140,10 @@ unsigned long arch_get_unmapped_area(str
4215 if (filp || (flags & MAP_SHARED))
4218 +#ifdef CONFIG_PAX_RANDMMAP
4219 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4224 addr = COLOUR_ALIGN(addr, pgoff);
4225 @@ -147,15 +151,14 @@ unsigned long arch_get_unmapped_area(str
4226 addr = PAGE_ALIGN(addr);
4228 vma = find_vma(mm, addr);
4229 - if (task_size - len >= addr &&
4230 - (!vma || addr + len <= vma->vm_start))
4231 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4235 if (len > mm->cached_hole_size) {
4236 - start_addr = addr = mm->free_area_cache;
4237 + start_addr = addr = mm->free_area_cache;
4239 - start_addr = addr = TASK_UNMAPPED_BASE;
4240 + start_addr = addr = mm->mmap_base;
4241 mm->cached_hole_size = 0;
4244 @@ -175,14 +178,14 @@ full_search:
4245 vma = find_vma(mm, VA_EXCLUDE_END);
4247 if (unlikely(task_size < addr)) {
4248 - if (start_addr != TASK_UNMAPPED_BASE) {
4249 - start_addr = addr = TASK_UNMAPPED_BASE;
4250 + if (start_addr != mm->mmap_base) {
4251 + start_addr = addr = mm->mmap_base;
4252 mm->cached_hole_size = 0;
4257 - if (likely(!vma || addr + len <= vma->vm_start)) {
4258 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4260 * Remember the place where we stopped the search:
4262 @@ -216,7 +219,7 @@ arch_get_unmapped_area_topdown(struct fi
4263 /* We do not accept a shared mapping if it would violate
4264 * cache aliasing constraints.
4266 - if ((flags & MAP_SHARED) &&
4267 + if ((filp || (flags & MAP_SHARED)) &&
4268 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4271 @@ -237,8 +240,7 @@ arch_get_unmapped_area_topdown(struct fi
4272 addr = PAGE_ALIGN(addr);
4274 vma = find_vma(mm, addr);
4275 - if (task_size - len >= addr &&
4276 - (!vma || addr + len <= vma->vm_start))
4277 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4281 @@ -259,7 +261,7 @@ arch_get_unmapped_area_topdown(struct fi
4282 /* make sure it can fit in the remaining address space */
4283 if (likely(addr > len)) {
4284 vma = find_vma(mm, addr-len);
4285 - if (!vma || addr <= vma->vm_start) {
4286 + if (check_heap_stack_gap(vma, addr - len, len)) {
4287 /* remember the address as a hint for next time */
4288 return (mm->free_area_cache = addr-len);
4290 @@ -268,18 +270,18 @@ arch_get_unmapped_area_topdown(struct fi
4291 if (unlikely(mm->mmap_base < len))
4294 - addr = mm->mmap_base-len;
4295 - if (do_color_align)
4296 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4297 + addr = mm->mmap_base - len;
4300 + if (do_color_align)
4301 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4303 * Lookup failure means no vma is above this address,
4304 * else if new region fits below vma->vm_start,
4305 * return with success:
4307 vma = find_vma(mm, addr);
4308 - if (likely(!vma || addr+len <= vma->vm_start)) {
4309 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4310 /* remember the address as a hint for next time */
4311 return (mm->free_area_cache = addr);
4313 @@ -289,10 +291,8 @@ arch_get_unmapped_area_topdown(struct fi
4314 mm->cached_hole_size = vma->vm_start - addr;
4316 /* try just below the current vma->vm_start */
4317 - addr = vma->vm_start-len;
4318 - if (do_color_align)
4319 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4320 - } while (likely(len < vma->vm_start));
4321 + addr = skip_heap_stack_gap(vma, len);
4322 + } while (!IS_ERR_VALUE(addr));
4326 @@ -384,6 +384,12 @@ void arch_pick_mmap_layout(struct mm_str
4327 current->signal->rlim[RLIMIT_STACK].rlim_cur == RLIM_INFINITY ||
4328 sysctl_legacy_va_layout) {
4329 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4331 +#ifdef CONFIG_PAX_RANDMMAP
4332 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4333 + mm->mmap_base += mm->delta_mmap;
4336 mm->get_unmapped_area = arch_get_unmapped_area;
4337 mm->unmap_area = arch_unmap_area;
4339 @@ -398,6 +404,12 @@ void arch_pick_mmap_layout(struct mm_str
4340 gap = (task_size / 6 * 5);
4342 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4344 +#ifdef CONFIG_PAX_RANDMMAP
4345 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4346 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4349 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4350 mm->unmap_area = arch_unmap_area_topdown;
4352 diff -urNp linux-2.6.32.42/arch/sparc/kernel/traps_32.c linux-2.6.32.42/arch/sparc/kernel/traps_32.c
4353 --- linux-2.6.32.42/arch/sparc/kernel/traps_32.c 2011-03-27 14:31:47.000000000 -0400
4354 +++ linux-2.6.32.42/arch/sparc/kernel/traps_32.c 2011-06-13 21:25:39.000000000 -0400
4355 @@ -44,6 +44,8 @@ static void instruction_dump(unsigned lo
4356 #define __SAVE __asm__ __volatile__("save %sp, -0x40, %sp\n\t")
4357 #define __RESTORE __asm__ __volatile__("restore %g0, %g0, %g0\n\t")
4359 +extern void gr_handle_kernel_exploit(void);
4361 void die_if_kernel(char *str, struct pt_regs *regs)
4363 static int die_counter;
4364 @@ -76,15 +78,17 @@ void die_if_kernel(char *str, struct pt_
4366 (((unsigned long) rw) >= PAGE_OFFSET) &&
4367 !(((unsigned long) rw) & 0x7)) {
4368 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4369 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4370 (void *) rw->ins[7]);
4371 rw = (struct reg_window32 *)rw->ins[6];
4374 printk("Instruction DUMP:");
4375 instruction_dump ((unsigned long *) regs->pc);
4376 - if(regs->psr & PSR_PS)
4377 + if(regs->psr & PSR_PS) {
4378 + gr_handle_kernel_exploit();
4384 diff -urNp linux-2.6.32.42/arch/sparc/kernel/traps_64.c linux-2.6.32.42/arch/sparc/kernel/traps_64.c
4385 --- linux-2.6.32.42/arch/sparc/kernel/traps_64.c 2011-03-27 14:31:47.000000000 -0400
4386 +++ linux-2.6.32.42/arch/sparc/kernel/traps_64.c 2011-06-13 21:24:11.000000000 -0400
4387 @@ -73,7 +73,7 @@ static void dump_tl1_traplog(struct tl1_
4389 p->trapstack[i].tstate, p->trapstack[i].tpc,
4390 p->trapstack[i].tnpc, p->trapstack[i].tt);
4391 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4392 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4396 @@ -93,6 +93,12 @@ void bad_trap(struct pt_regs *regs, long
4399 if (regs->tstate & TSTATE_PRIV) {
4401 +#ifdef CONFIG_PAX_REFCOUNT
4403 + pax_report_refcount_overflow(regs);
4406 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4407 die_if_kernel(buffer, regs);
4409 @@ -111,11 +117,16 @@ void bad_trap(struct pt_regs *regs, long
4410 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4415 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4416 0, lvl, SIGTRAP) == NOTIFY_STOP)
4419 +#ifdef CONFIG_PAX_REFCOUNT
4421 + pax_report_refcount_overflow(regs);
4424 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4426 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4427 @@ -1139,7 +1150,7 @@ static void cheetah_log_errors(struct pt
4428 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4429 printk("%s" "ERROR(%d): ",
4430 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4431 - printk("TPC<%pS>\n", (void *) regs->tpc);
4432 + printk("TPC<%pA>\n", (void *) regs->tpc);
4433 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4434 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4435 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4436 @@ -1746,7 +1757,7 @@ void cheetah_plus_parity_error(int type,
4438 (type & 0x1) ? 'I' : 'D',
4440 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4441 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4442 panic("Irrecoverable Cheetah+ parity error.");
4445 @@ -1754,7 +1765,7 @@ void cheetah_plus_parity_error(int type,
4447 (type & 0x1) ? 'I' : 'D',
4449 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4450 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4453 struct sun4v_error_entry {
4454 @@ -1961,9 +1972,9 @@ void sun4v_itlb_error_report(struct pt_r
4456 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4458 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4459 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4460 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4461 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4462 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4463 (void *) regs->u_regs[UREG_I7]);
4464 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4465 "pte[%lx] error[%lx]\n",
4466 @@ -1985,9 +1996,9 @@ void sun4v_dtlb_error_report(struct pt_r
4468 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4470 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4471 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4472 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4473 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4474 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4475 (void *) regs->u_regs[UREG_I7]);
4476 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4477 "pte[%lx] error[%lx]\n",
4478 @@ -2191,7 +2202,7 @@ void show_stack(struct task_struct *tsk,
4479 fp = (unsigned long)sf->fp + STACK_BIAS;
4482 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4483 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4484 } while (++count < 16);
4487 @@ -2233,6 +2244,8 @@ static inline struct reg_window *kernel_
4488 return (struct reg_window *) (fp + STACK_BIAS);
4491 +extern void gr_handle_kernel_exploit(void);
4493 void die_if_kernel(char *str, struct pt_regs *regs)
4495 static int die_counter;
4496 @@ -2260,7 +2273,7 @@ void die_if_kernel(char *str, struct pt_
4499 is_kernel_stack(current, rw)) {
4500 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4501 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4502 (void *) rw->ins[7]);
4504 rw = kernel_stack_up(rw);
4505 @@ -2273,8 +2286,11 @@ void die_if_kernel(char *str, struct pt_
4507 user_instruction_dump ((unsigned int __user *) regs->tpc);
4509 - if (regs->tstate & TSTATE_PRIV)
4510 + if (regs->tstate & TSTATE_PRIV) {
4511 + gr_handle_kernel_exploit();
4517 EXPORT_SYMBOL(die_if_kernel);
4518 diff -urNp linux-2.6.32.42/arch/sparc/kernel/unaligned_64.c linux-2.6.32.42/arch/sparc/kernel/unaligned_64.c
4519 --- linux-2.6.32.42/arch/sparc/kernel/unaligned_64.c 2011-03-27 14:31:47.000000000 -0400
4520 +++ linux-2.6.32.42/arch/sparc/kernel/unaligned_64.c 2011-04-17 15:56:46.000000000 -0400
4521 @@ -288,7 +288,7 @@ static void log_unaligned(struct pt_regs
4523 last_time = jiffies;
4525 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4526 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4527 regs->tpc, (void *) regs->tpc);
4530 diff -urNp linux-2.6.32.42/arch/sparc/lib/atomic_64.S linux-2.6.32.42/arch/sparc/lib/atomic_64.S
4531 --- linux-2.6.32.42/arch/sparc/lib/atomic_64.S 2011-03-27 14:31:47.000000000 -0400
4532 +++ linux-2.6.32.42/arch/sparc/lib/atomic_64.S 2011-04-17 15:56:46.000000000 -0400
4534 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4538 + addcc %g1, %o0, %g7
4540 +#ifdef CONFIG_PAX_REFCOUNT
4547 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4548 2: BACKOFF_SPIN(%o2, %o3, 1b)
4549 .size atomic_add, .-atomic_add
4551 + .globl atomic_add_unchecked
4552 + .type atomic_add_unchecked,#function
4553 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4554 + BACKOFF_SETUP(%o2)
4557 + cas [%o1], %g1, %g7
4563 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4564 + .size atomic_add_unchecked, .-atomic_add_unchecked
4567 .type atomic_sub,#function
4568 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4572 + subcc %g1, %o0, %g7
4574 +#ifdef CONFIG_PAX_REFCOUNT
4581 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4582 2: BACKOFF_SPIN(%o2, %o3, 1b)
4583 .size atomic_sub, .-atomic_sub
4585 + .globl atomic_sub_unchecked
4586 + .type atomic_sub_unchecked,#function
4587 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4588 + BACKOFF_SETUP(%o2)
4591 + cas [%o1], %g1, %g7
4597 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4598 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4600 .globl atomic_add_ret
4601 .type atomic_add_ret,#function
4602 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4606 + addcc %g1, %o0, %g7
4608 +#ifdef CONFIG_PAX_REFCOUNT
4615 @@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4616 2: BACKOFF_SPIN(%o2, %o3, 1b)
4617 .size atomic_add_ret, .-atomic_add_ret
4619 + .globl atomic_add_ret_unchecked
4620 + .type atomic_add_ret_unchecked,#function
4621 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4622 + BACKOFF_SETUP(%o2)
4624 + addcc %g1, %o0, %g7
4625 + cas [%o1], %g1, %g7
4632 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4633 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4635 .globl atomic_sub_ret
4636 .type atomic_sub_ret,#function
4637 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4641 + subcc %g1, %o0, %g7
4643 +#ifdef CONFIG_PAX_REFCOUNT
4650 @@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4651 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4655 + addcc %g1, %o0, %g7
4657 +#ifdef CONFIG_PAX_REFCOUNT
4661 casx [%o1], %g1, %g7
4664 @@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4665 2: BACKOFF_SPIN(%o2, %o3, 1b)
4666 .size atomic64_add, .-atomic64_add
4668 + .globl atomic64_add_unchecked
4669 + .type atomic64_add_unchecked,#function
4670 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4671 + BACKOFF_SETUP(%o2)
4673 + addcc %g1, %o0, %g7
4674 + casx [%o1], %g1, %g7
4680 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4681 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4684 .type atomic64_sub,#function
4685 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4689 + subcc %g1, %o0, %g7
4691 +#ifdef CONFIG_PAX_REFCOUNT
4695 casx [%o1], %g1, %g7
4698 @@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4699 2: BACKOFF_SPIN(%o2, %o3, 1b)
4700 .size atomic64_sub, .-atomic64_sub
4702 + .globl atomic64_sub_unchecked
4703 + .type atomic64_sub_unchecked,#function
4704 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4705 + BACKOFF_SETUP(%o2)
4707 + subcc %g1, %o0, %g7
4708 + casx [%o1], %g1, %g7
4714 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4715 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4717 .globl atomic64_add_ret
4718 .type atomic64_add_ret,#function
4719 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4723 + addcc %g1, %o0, %g7
4725 +#ifdef CONFIG_PAX_REFCOUNT
4729 casx [%o1], %g1, %g7
4732 @@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4733 2: BACKOFF_SPIN(%o2, %o3, 1b)
4734 .size atomic64_add_ret, .-atomic64_add_ret
4736 + .globl atomic64_add_ret_unchecked
4737 + .type atomic64_add_ret_unchecked,#function
4738 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4739 + BACKOFF_SETUP(%o2)
4741 + addcc %g1, %o0, %g7
4742 + casx [%o1], %g1, %g7
4749 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4750 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4752 .globl atomic64_sub_ret
4753 .type atomic64_sub_ret,#function
4754 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4758 + subcc %g1, %o0, %g7
4760 +#ifdef CONFIG_PAX_REFCOUNT
4764 casx [%o1], %g1, %g7
4767 diff -urNp linux-2.6.32.42/arch/sparc/lib/ksyms.c linux-2.6.32.42/arch/sparc/lib/ksyms.c
4768 --- linux-2.6.32.42/arch/sparc/lib/ksyms.c 2011-03-27 14:31:47.000000000 -0400
4769 +++ linux-2.6.32.42/arch/sparc/lib/ksyms.c 2011-04-17 15:56:46.000000000 -0400
4770 @@ -144,12 +144,17 @@ EXPORT_SYMBOL(__downgrade_write);
4772 /* Atomic counter implementation. */
4773 EXPORT_SYMBOL(atomic_add);
4774 +EXPORT_SYMBOL(atomic_add_unchecked);
4775 EXPORT_SYMBOL(atomic_add_ret);
4776 EXPORT_SYMBOL(atomic_sub);
4777 +EXPORT_SYMBOL(atomic_sub_unchecked);
4778 EXPORT_SYMBOL(atomic_sub_ret);
4779 EXPORT_SYMBOL(atomic64_add);
4780 +EXPORT_SYMBOL(atomic64_add_unchecked);
4781 EXPORT_SYMBOL(atomic64_add_ret);
4782 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4783 EXPORT_SYMBOL(atomic64_sub);
4784 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4785 EXPORT_SYMBOL(atomic64_sub_ret);
4787 /* Atomic bit operations. */
4788 diff -urNp linux-2.6.32.42/arch/sparc/lib/Makefile linux-2.6.32.42/arch/sparc/lib/Makefile
4789 --- linux-2.6.32.42/arch/sparc/lib/Makefile 2011-03-27 14:31:47.000000000 -0400
4790 +++ linux-2.6.32.42/arch/sparc/lib/Makefile 2011-05-17 19:26:34.000000000 -0400
4794 asflags-y := -ansi -DST_DIV0=0x02
4795 -ccflags-y := -Werror
4796 +#ccflags-y := -Werror
4798 lib-$(CONFIG_SPARC32) += mul.o rem.o sdiv.o udiv.o umul.o urem.o ashrdi3.o
4799 lib-$(CONFIG_SPARC32) += memcpy.o memset.o
4800 diff -urNp linux-2.6.32.42/arch/sparc/lib/rwsem_64.S linux-2.6.32.42/arch/sparc/lib/rwsem_64.S
4801 --- linux-2.6.32.42/arch/sparc/lib/rwsem_64.S 2011-03-27 14:31:47.000000000 -0400
4802 +++ linux-2.6.32.42/arch/sparc/lib/rwsem_64.S 2011-04-17 15:56:46.000000000 -0400
4810 +#ifdef CONFIG_PAX_REFCOUNT
4817 @@ -33,7 +38,12 @@ __down_read:
4818 .globl __down_read_trylock
4819 __down_read_trylock:
4824 +#ifdef CONFIG_PAX_REFCOUNT
4831 @@ -51,7 +61,12 @@ __down_write:
4832 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4836 + addcc %g3, %g1, %g7
4838 +#ifdef CONFIG_PAX_REFCOUNT
4845 @@ -77,7 +92,12 @@ __down_write_trylock:
4850 + addcc %g3, %g1, %g7
4852 +#ifdef CONFIG_PAX_REFCOUNT
4859 @@ -90,7 +110,12 @@ __down_write_trylock:
4866 +#ifdef CONFIG_PAX_REFCOUNT
4873 @@ -118,7 +143,12 @@ __up_write:
4874 or %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4878 + subcc %g3, %g1, %g7
4880 +#ifdef CONFIG_PAX_REFCOUNT
4887 @@ -143,7 +173,12 @@ __downgrade_write:
4888 or %g1, %lo(RWSEM_WAITING_BIAS), %g1
4892 + subcc %g3, %g1, %g7
4894 +#ifdef CONFIG_PAX_REFCOUNT
4901 diff -urNp linux-2.6.32.42/arch/sparc/Makefile linux-2.6.32.42/arch/sparc/Makefile
4902 --- linux-2.6.32.42/arch/sparc/Makefile 2011-03-27 14:31:47.000000000 -0400
4903 +++ linux-2.6.32.42/arch/sparc/Makefile 2011-04-17 15:56:46.000000000 -0400
4904 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4905 # Export what is needed by arch/sparc/boot/Makefile
4906 export VMLINUX_INIT VMLINUX_MAIN
4907 VMLINUX_INIT := $(head-y) $(init-y)
4908 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4909 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4910 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4911 VMLINUX_MAIN += $(drivers-y) $(net-y)
4913 diff -urNp linux-2.6.32.42/arch/sparc/mm/fault_32.c linux-2.6.32.42/arch/sparc/mm/fault_32.c
4914 --- linux-2.6.32.42/arch/sparc/mm/fault_32.c 2011-03-27 14:31:47.000000000 -0400
4915 +++ linux-2.6.32.42/arch/sparc/mm/fault_32.c 2011-04-17 15:56:46.000000000 -0400
4917 #include <linux/interrupt.h>
4918 #include <linux/module.h>
4919 #include <linux/kdebug.h>
4920 +#include <linux/slab.h>
4921 +#include <linux/pagemap.h>
4922 +#include <linux/compiler.h>
4924 #include <asm/system.h>
4925 #include <asm/page.h>
4926 @@ -167,6 +170,267 @@ static unsigned long compute_si_addr(str
4927 return safe_compute_effective_address(regs, insn);
4930 +#ifdef CONFIG_PAX_PAGEEXEC
4931 +#ifdef CONFIG_PAX_DLRESOLVE
4932 +static void pax_emuplt_close(struct vm_area_struct *vma)
4934 + vma->vm_mm->call_dl_resolve = 0UL;
4937 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4939 + unsigned int *kaddr;
4941 + vmf->page = alloc_page(GFP_HIGHUSER);
4943 + return VM_FAULT_OOM;
4945 + kaddr = kmap(vmf->page);
4946 + memset(kaddr, 0, PAGE_SIZE);
4947 + kaddr[0] = 0x9DE3BFA8U; /* save */
4948 + flush_dcache_page(vmf->page);
4949 + kunmap(vmf->page);
4950 + return VM_FAULT_MAJOR;
4953 +static const struct vm_operations_struct pax_vm_ops = {
4954 + .close = pax_emuplt_close,
4955 + .fault = pax_emuplt_fault
4958 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4962 + vma->vm_mm = current->mm;
4963 + vma->vm_start = addr;
4964 + vma->vm_end = addr + PAGE_SIZE;
4965 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4966 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4967 + vma->vm_ops = &pax_vm_ops;
4969 + ret = insert_vm_struct(current->mm, vma);
4973 + ++current->mm->total_vm;
4979 + * PaX: decide what to do with offenders (regs->pc = fault address)
4981 + * returns 1 when task should be killed
4982 + * 2 when patched PLT trampoline was detected
4983 + * 3 when unpatched PLT trampoline was detected
4985 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4988 +#ifdef CONFIG_PAX_EMUPLT
4991 + do { /* PaX: patched PLT emulation #1 */
4992 + unsigned int sethi1, sethi2, jmpl;
4994 + err = get_user(sethi1, (unsigned int *)regs->pc);
4995 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4996 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
5001 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5002 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5003 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5005 + unsigned int addr;
5007 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5008 + addr = regs->u_regs[UREG_G1];
5009 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5011 + regs->npc = addr+4;
5016 + { /* PaX: patched PLT emulation #2 */
5019 + err = get_user(ba, (unsigned int *)regs->pc);
5021 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5022 + unsigned int addr;
5024 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5026 + regs->npc = addr+4;
5031 + do { /* PaX: patched PLT emulation #3 */
5032 + unsigned int sethi, jmpl, nop;
5034 + err = get_user(sethi, (unsigned int *)regs->pc);
5035 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
5036 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5041 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5042 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5043 + nop == 0x01000000U)
5045 + unsigned int addr;
5047 + addr = (sethi & 0x003FFFFFU) << 10;
5048 + regs->u_regs[UREG_G1] = addr;
5049 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5051 + regs->npc = addr+4;
5056 + do { /* PaX: unpatched PLT emulation step 1 */
5057 + unsigned int sethi, ba, nop;
5059 + err = get_user(sethi, (unsigned int *)regs->pc);
5060 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
5061 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
5066 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5067 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5068 + nop == 0x01000000U)
5070 + unsigned int addr, save, call;
5072 + if ((ba & 0xFFC00000U) == 0x30800000U)
5073 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
5075 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
5077 + err = get_user(save, (unsigned int *)addr);
5078 + err |= get_user(call, (unsigned int *)(addr+4));
5079 + err |= get_user(nop, (unsigned int *)(addr+8));
5083 +#ifdef CONFIG_PAX_DLRESOLVE
5084 + if (save == 0x9DE3BFA8U &&
5085 + (call & 0xC0000000U) == 0x40000000U &&
5086 + nop == 0x01000000U)
5088 + struct vm_area_struct *vma;
5089 + unsigned long call_dl_resolve;
5091 + down_read(¤t->mm->mmap_sem);
5092 + call_dl_resolve = current->mm->call_dl_resolve;
5093 + up_read(¤t->mm->mmap_sem);
5094 + if (likely(call_dl_resolve))
5097 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5099 + down_write(¤t->mm->mmap_sem);
5100 + if (current->mm->call_dl_resolve) {
5101 + call_dl_resolve = current->mm->call_dl_resolve;
5102 + up_write(¤t->mm->mmap_sem);
5104 + kmem_cache_free(vm_area_cachep, vma);
5108 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5109 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5110 + up_write(¤t->mm->mmap_sem);
5112 + kmem_cache_free(vm_area_cachep, vma);
5116 + if (pax_insert_vma(vma, call_dl_resolve)) {
5117 + up_write(¤t->mm->mmap_sem);
5118 + kmem_cache_free(vm_area_cachep, vma);
5122 + current->mm->call_dl_resolve = call_dl_resolve;
5123 + up_write(¤t->mm->mmap_sem);
5126 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5127 + regs->pc = call_dl_resolve;
5128 + regs->npc = addr+4;
5133 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5134 + if ((save & 0xFFC00000U) == 0x05000000U &&
5135 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5136 + nop == 0x01000000U)
5138 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5139 + regs->u_regs[UREG_G2] = addr + 4;
5140 + addr = (save & 0x003FFFFFU) << 10;
5141 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5143 + regs->npc = addr+4;
5149 + do { /* PaX: unpatched PLT emulation step 2 */
5150 + unsigned int save, call, nop;
5152 + err = get_user(save, (unsigned int *)(regs->pc-4));
5153 + err |= get_user(call, (unsigned int *)regs->pc);
5154 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5158 + if (save == 0x9DE3BFA8U &&
5159 + (call & 0xC0000000U) == 0x40000000U &&
5160 + nop == 0x01000000U)
5162 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5164 + regs->u_regs[UREG_RETPC] = regs->pc;
5165 + regs->pc = dl_resolve;
5166 + regs->npc = dl_resolve+4;
5175 +void pax_report_insns(void *pc, void *sp)
5179 + printk(KERN_ERR "PAX: bytes at PC: ");
5180 + for (i = 0; i < 8; i++) {
5182 + if (get_user(c, (unsigned int *)pc+i))
5183 + printk(KERN_CONT "???????? ");
5185 + printk(KERN_CONT "%08x ", c);
5191 asmlinkage void do_sparc_fault(struct pt_regs *regs, int text_fault, int write,
5192 unsigned long address)
5194 @@ -231,6 +495,24 @@ good_area:
5195 if(!(vma->vm_flags & VM_WRITE))
5199 +#ifdef CONFIG_PAX_PAGEEXEC
5200 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5201 + up_read(&mm->mmap_sem);
5202 + switch (pax_handle_fetch_fault(regs)) {
5204 +#ifdef CONFIG_PAX_EMUPLT
5211 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5212 + do_group_exit(SIGKILL);
5216 /* Allow reads even for write-only mappings */
5217 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5219 diff -urNp linux-2.6.32.42/arch/sparc/mm/fault_64.c linux-2.6.32.42/arch/sparc/mm/fault_64.c
5220 --- linux-2.6.32.42/arch/sparc/mm/fault_64.c 2011-03-27 14:31:47.000000000 -0400
5221 +++ linux-2.6.32.42/arch/sparc/mm/fault_64.c 2011-04-17 15:56:46.000000000 -0400
5223 #include <linux/kprobes.h>
5224 #include <linux/kdebug.h>
5225 #include <linux/percpu.h>
5226 +#include <linux/slab.h>
5227 +#include <linux/pagemap.h>
5228 +#include <linux/compiler.h>
5230 #include <asm/page.h>
5231 #include <asm/pgtable.h>
5232 @@ -78,7 +81,7 @@ static void bad_kernel_pc(struct pt_regs
5233 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5235 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5236 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5237 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5238 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5240 unhandled_fault(regs->tpc, current, regs);
5241 @@ -249,6 +252,456 @@ static void noinline bogus_32bit_fault_a
5245 +#ifdef CONFIG_PAX_PAGEEXEC
5246 +#ifdef CONFIG_PAX_DLRESOLVE
5247 +static void pax_emuplt_close(struct vm_area_struct *vma)
5249 + vma->vm_mm->call_dl_resolve = 0UL;
5252 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5254 + unsigned int *kaddr;
5256 + vmf->page = alloc_page(GFP_HIGHUSER);
5258 + return VM_FAULT_OOM;
5260 + kaddr = kmap(vmf->page);
5261 + memset(kaddr, 0, PAGE_SIZE);
5262 + kaddr[0] = 0x9DE3BFA8U; /* save */
5263 + flush_dcache_page(vmf->page);
5264 + kunmap(vmf->page);
5265 + return VM_FAULT_MAJOR;
5268 +static const struct vm_operations_struct pax_vm_ops = {
5269 + .close = pax_emuplt_close,
5270 + .fault = pax_emuplt_fault
5273 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5277 + vma->vm_mm = current->mm;
5278 + vma->vm_start = addr;
5279 + vma->vm_end = addr + PAGE_SIZE;
5280 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5281 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5282 + vma->vm_ops = &pax_vm_ops;
5284 + ret = insert_vm_struct(current->mm, vma);
5288 + ++current->mm->total_vm;
5294 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5296 + * returns 1 when task should be killed
5297 + * 2 when patched PLT trampoline was detected
5298 + * 3 when unpatched PLT trampoline was detected
5300 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5303 +#ifdef CONFIG_PAX_EMUPLT
5306 + do { /* PaX: patched PLT emulation #1 */
5307 + unsigned int sethi1, sethi2, jmpl;
5309 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5310 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5311 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5316 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5317 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5318 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5320 + unsigned long addr;
5322 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5323 + addr = regs->u_regs[UREG_G1];
5324 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5326 + if (test_thread_flag(TIF_32BIT))
5327 + addr &= 0xFFFFFFFFUL;
5330 + regs->tnpc = addr+4;
5335 + { /* PaX: patched PLT emulation #2 */
5338 + err = get_user(ba, (unsigned int *)regs->tpc);
5340 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5341 + unsigned long addr;
5343 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5345 + if (test_thread_flag(TIF_32BIT))
5346 + addr &= 0xFFFFFFFFUL;
5349 + regs->tnpc = addr+4;
5354 + do { /* PaX: patched PLT emulation #3 */
5355 + unsigned int sethi, jmpl, nop;
5357 + err = get_user(sethi, (unsigned int *)regs->tpc);
5358 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5359 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5364 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5365 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5366 + nop == 0x01000000U)
5368 + unsigned long addr;
5370 + addr = (sethi & 0x003FFFFFU) << 10;
5371 + regs->u_regs[UREG_G1] = addr;
5372 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5374 + if (test_thread_flag(TIF_32BIT))
5375 + addr &= 0xFFFFFFFFUL;
5378 + regs->tnpc = addr+4;
5383 + do { /* PaX: patched PLT emulation #4 */
5384 + unsigned int sethi, mov1, call, mov2;
5386 + err = get_user(sethi, (unsigned int *)regs->tpc);
5387 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5388 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5389 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5394 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5395 + mov1 == 0x8210000FU &&
5396 + (call & 0xC0000000U) == 0x40000000U &&
5397 + mov2 == 0x9E100001U)
5399 + unsigned long addr;
5401 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5402 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5404 + if (test_thread_flag(TIF_32BIT))
5405 + addr &= 0xFFFFFFFFUL;
5408 + regs->tnpc = addr+4;
5413 + do { /* PaX: patched PLT emulation #5 */
5414 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5416 + err = get_user(sethi, (unsigned int *)regs->tpc);
5417 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5418 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5419 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5420 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5421 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5422 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5423 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5428 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5429 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5430 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5431 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5432 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5433 + sllx == 0x83287020U &&
5434 + jmpl == 0x81C04005U &&
5435 + nop == 0x01000000U)
5437 + unsigned long addr;
5439 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5440 + regs->u_regs[UREG_G1] <<= 32;
5441 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5442 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5444 + regs->tnpc = addr+4;
5449 + do { /* PaX: patched PLT emulation #6 */
5450 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5452 + err = get_user(sethi, (unsigned int *)regs->tpc);
5453 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5454 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5455 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5456 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5457 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5458 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5463 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5464 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5465 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5466 + sllx == 0x83287020U &&
5467 + (or & 0xFFFFE000U) == 0x8A116000U &&
5468 + jmpl == 0x81C04005U &&
5469 + nop == 0x01000000U)
5471 + unsigned long addr;
5473 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5474 + regs->u_regs[UREG_G1] <<= 32;
5475 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5476 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5478 + regs->tnpc = addr+4;
5483 + do { /* PaX: unpatched PLT emulation step 1 */
5484 + unsigned int sethi, ba, nop;
5486 + err = get_user(sethi, (unsigned int *)regs->tpc);
5487 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5488 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5493 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5494 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5495 + nop == 0x01000000U)
5497 + unsigned long addr;
5498 + unsigned int save, call;
5499 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5501 + if ((ba & 0xFFC00000U) == 0x30800000U)
5502 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5504 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5506 + if (test_thread_flag(TIF_32BIT))
5507 + addr &= 0xFFFFFFFFUL;
5509 + err = get_user(save, (unsigned int *)addr);
5510 + err |= get_user(call, (unsigned int *)(addr+4));
5511 + err |= get_user(nop, (unsigned int *)(addr+8));
5515 +#ifdef CONFIG_PAX_DLRESOLVE
5516 + if (save == 0x9DE3BFA8U &&
5517 + (call & 0xC0000000U) == 0x40000000U &&
5518 + nop == 0x01000000U)
5520 + struct vm_area_struct *vma;
5521 + unsigned long call_dl_resolve;
5523 + down_read(¤t->mm->mmap_sem);
5524 + call_dl_resolve = current->mm->call_dl_resolve;
5525 + up_read(¤t->mm->mmap_sem);
5526 + if (likely(call_dl_resolve))
5529 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5531 + down_write(¤t->mm->mmap_sem);
5532 + if (current->mm->call_dl_resolve) {
5533 + call_dl_resolve = current->mm->call_dl_resolve;
5534 + up_write(¤t->mm->mmap_sem);
5536 + kmem_cache_free(vm_area_cachep, vma);
5540 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5541 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5542 + up_write(¤t->mm->mmap_sem);
5544 + kmem_cache_free(vm_area_cachep, vma);
5548 + if (pax_insert_vma(vma, call_dl_resolve)) {
5549 + up_write(¤t->mm->mmap_sem);
5550 + kmem_cache_free(vm_area_cachep, vma);
5554 + current->mm->call_dl_resolve = call_dl_resolve;
5555 + up_write(¤t->mm->mmap_sem);
5558 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5559 + regs->tpc = call_dl_resolve;
5560 + regs->tnpc = addr+4;
5565 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5566 + if ((save & 0xFFC00000U) == 0x05000000U &&
5567 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5568 + nop == 0x01000000U)
5570 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5571 + regs->u_regs[UREG_G2] = addr + 4;
5572 + addr = (save & 0x003FFFFFU) << 10;
5573 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5575 + if (test_thread_flag(TIF_32BIT))
5576 + addr &= 0xFFFFFFFFUL;
5579 + regs->tnpc = addr+4;
5583 + /* PaX: 64-bit PLT stub */
5584 + err = get_user(sethi1, (unsigned int *)addr);
5585 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5586 + err |= get_user(or1, (unsigned int *)(addr+8));
5587 + err |= get_user(or2, (unsigned int *)(addr+12));
5588 + err |= get_user(sllx, (unsigned int *)(addr+16));
5589 + err |= get_user(add, (unsigned int *)(addr+20));
5590 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5591 + err |= get_user(nop, (unsigned int *)(addr+28));
5595 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5596 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5597 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5598 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5599 + sllx == 0x89293020U &&
5600 + add == 0x8A010005U &&
5601 + jmpl == 0x89C14000U &&
5602 + nop == 0x01000000U)
5604 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5605 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5606 + regs->u_regs[UREG_G4] <<= 32;
5607 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5608 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5609 + regs->u_regs[UREG_G4] = addr + 24;
5610 + addr = regs->u_regs[UREG_G5];
5612 + regs->tnpc = addr+4;
5618 +#ifdef CONFIG_PAX_DLRESOLVE
5619 + do { /* PaX: unpatched PLT emulation step 2 */
5620 + unsigned int save, call, nop;
5622 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5623 + err |= get_user(call, (unsigned int *)regs->tpc);
5624 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5628 + if (save == 0x9DE3BFA8U &&
5629 + (call & 0xC0000000U) == 0x40000000U &&
5630 + nop == 0x01000000U)
5632 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5634 + if (test_thread_flag(TIF_32BIT))
5635 + dl_resolve &= 0xFFFFFFFFUL;
5637 + regs->u_regs[UREG_RETPC] = regs->tpc;
5638 + regs->tpc = dl_resolve;
5639 + regs->tnpc = dl_resolve+4;
5645 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5646 + unsigned int sethi, ba, nop;
5648 + err = get_user(sethi, (unsigned int *)regs->tpc);
5649 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5650 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5655 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5656 + (ba & 0xFFF00000U) == 0x30600000U &&
5657 + nop == 0x01000000U)
5659 + unsigned long addr;
5661 + addr = (sethi & 0x003FFFFFU) << 10;
5662 + regs->u_regs[UREG_G1] = addr;
5663 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5665 + if (test_thread_flag(TIF_32BIT))
5666 + addr &= 0xFFFFFFFFUL;
5669 + regs->tnpc = addr+4;
5679 +void pax_report_insns(void *pc, void *sp)
5683 + printk(KERN_ERR "PAX: bytes at PC: ");
5684 + for (i = 0; i < 8; i++) {
5686 + if (get_user(c, (unsigned int *)pc+i))
5687 + printk(KERN_CONT "???????? ");
5689 + printk(KERN_CONT "%08x ", c);
5695 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5697 struct mm_struct *mm = current->mm;
5698 @@ -315,6 +768,29 @@ asmlinkage void __kprobes do_sparc64_fau
5702 +#ifdef CONFIG_PAX_PAGEEXEC
5703 + /* PaX: detect ITLB misses on non-exec pages */
5704 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5705 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5707 + if (address != regs->tpc)
5710 + up_read(&mm->mmap_sem);
5711 + switch (pax_handle_fetch_fault(regs)) {
5713 +#ifdef CONFIG_PAX_EMUPLT
5720 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5721 + do_group_exit(SIGKILL);
5725 /* Pure DTLB misses do not tell us whether the fault causing
5726 * load/store/atomic was a write or not, it only says that there
5727 * was no match. So in such a case we (carefully) read the
5728 diff -urNp linux-2.6.32.42/arch/sparc/mm/hugetlbpage.c linux-2.6.32.42/arch/sparc/mm/hugetlbpage.c
5729 --- linux-2.6.32.42/arch/sparc/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
5730 +++ linux-2.6.32.42/arch/sparc/mm/hugetlbpage.c 2011-04-17 15:56:46.000000000 -0400
5731 @@ -69,7 +69,7 @@ full_search:
5735 - if (likely(!vma || addr + len <= vma->vm_start)) {
5736 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5738 * Remember the place where we stopped the search:
5740 @@ -108,7 +108,7 @@ hugetlb_get_unmapped_area_topdown(struct
5741 /* make sure it can fit in the remaining address space */
5742 if (likely(addr > len)) {
5743 vma = find_vma(mm, addr-len);
5744 - if (!vma || addr <= vma->vm_start) {
5745 + if (check_heap_stack_gap(vma, addr - len, len)) {
5746 /* remember the address as a hint for next time */
5747 return (mm->free_area_cache = addr-len);
5749 @@ -117,16 +117,17 @@ hugetlb_get_unmapped_area_topdown(struct
5750 if (unlikely(mm->mmap_base < len))
5753 - addr = (mm->mmap_base-len) & HPAGE_MASK;
5754 + addr = mm->mmap_base - len;
5757 + addr &= HPAGE_MASK;
5759 * Lookup failure means no vma is above this address,
5760 * else if new region fits below vma->vm_start,
5761 * return with success:
5763 vma = find_vma(mm, addr);
5764 - if (likely(!vma || addr+len <= vma->vm_start)) {
5765 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5766 /* remember the address as a hint for next time */
5767 return (mm->free_area_cache = addr);
5769 @@ -136,8 +137,8 @@ hugetlb_get_unmapped_area_topdown(struct
5770 mm->cached_hole_size = vma->vm_start - addr;
5772 /* try just below the current vma->vm_start */
5773 - addr = (vma->vm_start-len) & HPAGE_MASK;
5774 - } while (likely(len < vma->vm_start));
5775 + addr = skip_heap_stack_gap(vma, len);
5776 + } while (!IS_ERR_VALUE(addr));
5780 @@ -183,8 +184,7 @@ hugetlb_get_unmapped_area(struct file *f
5782 addr = ALIGN(addr, HPAGE_SIZE);
5783 vma = find_vma(mm, addr);
5784 - if (task_size - len >= addr &&
5785 - (!vma || addr + len <= vma->vm_start))
5786 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5789 if (mm->get_unmapped_area == arch_get_unmapped_area)
5790 diff -urNp linux-2.6.32.42/arch/sparc/mm/init_32.c linux-2.6.32.42/arch/sparc/mm/init_32.c
5791 --- linux-2.6.32.42/arch/sparc/mm/init_32.c 2011-03-27 14:31:47.000000000 -0400
5792 +++ linux-2.6.32.42/arch/sparc/mm/init_32.c 2011-04-17 15:56:46.000000000 -0400
5793 @@ -317,6 +317,9 @@ extern void device_scan(void);
5794 pgprot_t PAGE_SHARED __read_mostly;
5795 EXPORT_SYMBOL(PAGE_SHARED);
5797 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5798 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5800 void __init paging_init(void)
5802 switch(sparc_cpu_model) {
5803 @@ -345,17 +348,17 @@ void __init paging_init(void)
5805 /* Initialize the protection map with non-constant, MMU dependent values. */
5806 protection_map[0] = PAGE_NONE;
5807 - protection_map[1] = PAGE_READONLY;
5808 - protection_map[2] = PAGE_COPY;
5809 - protection_map[3] = PAGE_COPY;
5810 + protection_map[1] = PAGE_READONLY_NOEXEC;
5811 + protection_map[2] = PAGE_COPY_NOEXEC;
5812 + protection_map[3] = PAGE_COPY_NOEXEC;
5813 protection_map[4] = PAGE_READONLY;
5814 protection_map[5] = PAGE_READONLY;
5815 protection_map[6] = PAGE_COPY;
5816 protection_map[7] = PAGE_COPY;
5817 protection_map[8] = PAGE_NONE;
5818 - protection_map[9] = PAGE_READONLY;
5819 - protection_map[10] = PAGE_SHARED;
5820 - protection_map[11] = PAGE_SHARED;
5821 + protection_map[9] = PAGE_READONLY_NOEXEC;
5822 + protection_map[10] = PAGE_SHARED_NOEXEC;
5823 + protection_map[11] = PAGE_SHARED_NOEXEC;
5824 protection_map[12] = PAGE_READONLY;
5825 protection_map[13] = PAGE_READONLY;
5826 protection_map[14] = PAGE_SHARED;
5827 diff -urNp linux-2.6.32.42/arch/sparc/mm/Makefile linux-2.6.32.42/arch/sparc/mm/Makefile
5828 --- linux-2.6.32.42/arch/sparc/mm/Makefile 2011-03-27 14:31:47.000000000 -0400
5829 +++ linux-2.6.32.42/arch/sparc/mm/Makefile 2011-04-17 15:56:46.000000000 -0400
5834 -ccflags-y := -Werror
5835 +#ccflags-y := -Werror
5837 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5838 obj-y += fault_$(BITS).o
5839 diff -urNp linux-2.6.32.42/arch/sparc/mm/srmmu.c linux-2.6.32.42/arch/sparc/mm/srmmu.c
5840 --- linux-2.6.32.42/arch/sparc/mm/srmmu.c 2011-03-27 14:31:47.000000000 -0400
5841 +++ linux-2.6.32.42/arch/sparc/mm/srmmu.c 2011-04-17 15:56:46.000000000 -0400
5842 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
5843 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5844 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5845 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5847 +#ifdef CONFIG_PAX_PAGEEXEC
5848 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5849 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5850 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5853 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5854 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5856 diff -urNp linux-2.6.32.42/arch/um/include/asm/kmap_types.h linux-2.6.32.42/arch/um/include/asm/kmap_types.h
5857 --- linux-2.6.32.42/arch/um/include/asm/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
5858 +++ linux-2.6.32.42/arch/um/include/asm/kmap_types.h 2011-04-17 15:56:46.000000000 -0400
5859 @@ -23,6 +23,7 @@ enum km_type {
5867 diff -urNp linux-2.6.32.42/arch/um/include/asm/page.h linux-2.6.32.42/arch/um/include/asm/page.h
5868 --- linux-2.6.32.42/arch/um/include/asm/page.h 2011-03-27 14:31:47.000000000 -0400
5869 +++ linux-2.6.32.42/arch/um/include/asm/page.h 2011-04-17 15:56:46.000000000 -0400
5871 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5872 #define PAGE_MASK (~(PAGE_SIZE-1))
5874 +#define ktla_ktva(addr) (addr)
5875 +#define ktva_ktla(addr) (addr)
5877 #ifndef __ASSEMBLY__
5880 diff -urNp linux-2.6.32.42/arch/um/kernel/process.c linux-2.6.32.42/arch/um/kernel/process.c
5881 --- linux-2.6.32.42/arch/um/kernel/process.c 2011-03-27 14:31:47.000000000 -0400
5882 +++ linux-2.6.32.42/arch/um/kernel/process.c 2011-04-17 15:56:46.000000000 -0400
5883 @@ -393,22 +393,6 @@ int singlestepping(void * t)
5888 - * Only x86 and x86_64 have an arch_align_stack().
5889 - * All other arches have "#define arch_align_stack(x) (x)"
5890 - * in their asm/system.h
5891 - * As this is included in UML from asm-um/system-generic.h,
5892 - * we can use it to behave as the subarch does.
5894 -#ifndef arch_align_stack
5895 -unsigned long arch_align_stack(unsigned long sp)
5897 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5898 - sp -= get_random_int() % 8192;
5903 unsigned long get_wchan(struct task_struct *p)
5905 unsigned long stack_page, sp, ip;
5906 diff -urNp linux-2.6.32.42/arch/um/sys-i386/syscalls.c linux-2.6.32.42/arch/um/sys-i386/syscalls.c
5907 --- linux-2.6.32.42/arch/um/sys-i386/syscalls.c 2011-03-27 14:31:47.000000000 -0400
5908 +++ linux-2.6.32.42/arch/um/sys-i386/syscalls.c 2011-04-17 15:56:46.000000000 -0400
5910 #include "asm/uaccess.h"
5911 #include "asm/unistd.h"
5913 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5915 + unsigned long pax_task_size = TASK_SIZE;
5917 +#ifdef CONFIG_PAX_SEGMEXEC
5918 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5919 + pax_task_size = SEGMEXEC_TASK_SIZE;
5922 + if (len > pax_task_size || addr > pax_task_size - len)
5929 * Perform the select(nd, in, out, ex, tv) and mmap() system
5930 * calls. Linux/i386 didn't use to be able to handle more than
5931 diff -urNp linux-2.6.32.42/arch/x86/boot/bitops.h linux-2.6.32.42/arch/x86/boot/bitops.h
5932 --- linux-2.6.32.42/arch/x86/boot/bitops.h 2011-03-27 14:31:47.000000000 -0400
5933 +++ linux-2.6.32.42/arch/x86/boot/bitops.h 2011-04-17 15:56:46.000000000 -0400
5934 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5936 const u32 *p = (const u32 *)addr;
5938 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5939 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5943 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5945 static inline void set_bit(int nr, void *addr)
5947 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5948 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5951 #endif /* BOOT_BITOPS_H */
5952 diff -urNp linux-2.6.32.42/arch/x86/boot/boot.h linux-2.6.32.42/arch/x86/boot/boot.h
5953 --- linux-2.6.32.42/arch/x86/boot/boot.h 2011-03-27 14:31:47.000000000 -0400
5954 +++ linux-2.6.32.42/arch/x86/boot/boot.h 2011-04-17 15:56:46.000000000 -0400
5955 @@ -82,7 +82,7 @@ static inline void io_delay(void)
5956 static inline u16 ds(void)
5959 - asm("movw %%ds,%0" : "=rm" (seg));
5960 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5964 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t
5965 static inline int memcmp(const void *s1, const void *s2, size_t len)
5968 - asm("repe; cmpsb; setnz %0"
5969 + asm volatile("repe; cmpsb; setnz %0"
5970 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5973 diff -urNp linux-2.6.32.42/arch/x86/boot/compressed/head_32.S linux-2.6.32.42/arch/x86/boot/compressed/head_32.S
5974 --- linux-2.6.32.42/arch/x86/boot/compressed/head_32.S 2011-03-27 14:31:47.000000000 -0400
5975 +++ linux-2.6.32.42/arch/x86/boot/compressed/head_32.S 2011-04-17 15:56:46.000000000 -0400
5976 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5980 - movl $LOAD_PHYSICAL_ADDR, %ebx
5981 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5984 /* Target address to relocate to for decompression */
5985 @@ -149,7 +149,7 @@ relocated:
5986 * and where it was actually loaded.
5989 - subl $LOAD_PHYSICAL_ADDR, %ebx
5990 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5991 jz 2f /* Nothing to be done if loaded at compiled addr. */
5993 * Process relocations.
5994 @@ -157,8 +157,7 @@ relocated:
6001 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
6004 diff -urNp linux-2.6.32.42/arch/x86/boot/compressed/head_64.S linux-2.6.32.42/arch/x86/boot/compressed/head_64.S
6005 --- linux-2.6.32.42/arch/x86/boot/compressed/head_64.S 2011-03-27 14:31:47.000000000 -0400
6006 +++ linux-2.6.32.42/arch/x86/boot/compressed/head_64.S 2011-04-17 15:56:46.000000000 -0400
6007 @@ -91,7 +91,7 @@ ENTRY(startup_32)
6011 - movl $LOAD_PHYSICAL_ADDR, %ebx
6012 + movl $____LOAD_PHYSICAL_ADDR, %ebx
6015 /* Target address to relocate to for decompression */
6016 @@ -234,7 +234,7 @@ ENTRY(startup_64)
6020 - movq $LOAD_PHYSICAL_ADDR, %rbp
6021 + movq $____LOAD_PHYSICAL_ADDR, %rbp
6024 /* Target address to relocate to for decompression */
6025 diff -urNp linux-2.6.32.42/arch/x86/boot/compressed/misc.c linux-2.6.32.42/arch/x86/boot/compressed/misc.c
6026 --- linux-2.6.32.42/arch/x86/boot/compressed/misc.c 2011-03-27 14:31:47.000000000 -0400
6027 +++ linux-2.6.32.42/arch/x86/boot/compressed/misc.c 2011-04-17 15:56:46.000000000 -0400
6028 @@ -288,7 +288,7 @@ static void parse_elf(void *output)
6030 #ifdef CONFIG_RELOCATABLE
6032 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
6033 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
6035 dest = (void *)(phdr->p_paddr);
6037 @@ -335,7 +335,7 @@ asmlinkage void decompress_kernel(void *
6038 error("Destination address too large");
6040 #ifndef CONFIG_RELOCATABLE
6041 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
6042 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
6043 error("Wrong destination address");
6046 diff -urNp linux-2.6.32.42/arch/x86/boot/compressed/mkpiggy.c linux-2.6.32.42/arch/x86/boot/compressed/mkpiggy.c
6047 --- linux-2.6.32.42/arch/x86/boot/compressed/mkpiggy.c 2011-03-27 14:31:47.000000000 -0400
6048 +++ linux-2.6.32.42/arch/x86/boot/compressed/mkpiggy.c 2011-04-17 15:56:46.000000000 -0400
6049 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
6051 offs = (olen > ilen) ? olen - ilen : 0;
6052 offs += olen >> 12; /* Add 8 bytes for each 32K block */
6053 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
6054 + offs += 64*1024; /* Add 64K bytes slack */
6055 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
6057 printf(".section \".rodata.compressed\",\"a\",@progbits\n");
6058 diff -urNp linux-2.6.32.42/arch/x86/boot/compressed/relocs.c linux-2.6.32.42/arch/x86/boot/compressed/relocs.c
6059 --- linux-2.6.32.42/arch/x86/boot/compressed/relocs.c 2011-03-27 14:31:47.000000000 -0400
6060 +++ linux-2.6.32.42/arch/x86/boot/compressed/relocs.c 2011-04-17 15:56:46.000000000 -0400
6065 +#include "../../../../include/linux/autoconf.h"
6067 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
6068 static Elf32_Ehdr ehdr;
6069 +static Elf32_Phdr *phdr;
6070 static unsigned long reloc_count, reloc_idx;
6071 static unsigned long *relocs;
6073 @@ -37,7 +40,7 @@ static const char* safe_abs_relocs[] = {
6075 static int is_safe_abs_reloc(const char* sym_name)
6080 for (i = 0; i < ARRAY_SIZE(safe_abs_relocs); i++) {
6081 if (!strcmp(sym_name, safe_abs_relocs[i]))
6082 @@ -245,9 +248,39 @@ static void read_ehdr(FILE *fp)
6086 +static void read_phdrs(FILE *fp)
6090 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
6092 + die("Unable to allocate %d program headers\n",
6095 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
6096 + die("Seek to %d failed: %s\n",
6097 + ehdr.e_phoff, strerror(errno));
6099 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
6100 + die("Cannot read ELF program headers: %s\n",
6103 + for(i = 0; i < ehdr.e_phnum; i++) {
6104 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
6105 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
6106 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
6107 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
6108 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
6109 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
6110 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
6111 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
6116 static void read_shdrs(FILE *fp)
6122 secs = calloc(ehdr.e_shnum, sizeof(struct section));
6123 @@ -282,7 +315,7 @@ static void read_shdrs(FILE *fp)
6125 static void read_strtabs(FILE *fp)
6129 for (i = 0; i < ehdr.e_shnum; i++) {
6130 struct section *sec = &secs[i];
6131 if (sec->shdr.sh_type != SHT_STRTAB) {
6132 @@ -307,7 +340,7 @@ static void read_strtabs(FILE *fp)
6134 static void read_symtabs(FILE *fp)
6138 for (i = 0; i < ehdr.e_shnum; i++) {
6139 struct section *sec = &secs[i];
6140 if (sec->shdr.sh_type != SHT_SYMTAB) {
6141 @@ -340,7 +373,9 @@ static void read_symtabs(FILE *fp)
6143 static void read_relocs(FILE *fp)
6149 for (i = 0; i < ehdr.e_shnum; i++) {
6150 struct section *sec = &secs[i];
6151 if (sec->shdr.sh_type != SHT_REL) {
6152 @@ -360,9 +395,18 @@ static void read_relocs(FILE *fp)
6153 die("Cannot read symbol table: %s\n",
6157 + for (j = 0; j < ehdr.e_phnum; j++) {
6158 + if (phdr[j].p_type != PT_LOAD )
6160 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6162 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6165 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6166 Elf32_Rel *rel = &sec->reltab[j];
6167 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6168 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6169 rel->r_info = elf32_to_cpu(rel->r_info);
6172 @@ -371,14 +415,14 @@ static void read_relocs(FILE *fp)
6174 static void print_absolute_symbols(void)
6178 printf("Absolute symbols\n");
6179 printf(" Num: Value Size Type Bind Visibility Name\n");
6180 for (i = 0; i < ehdr.e_shnum; i++) {
6181 struct section *sec = &secs[i];
6183 Elf32_Sym *sh_symtab;
6187 if (sec->shdr.sh_type != SHT_SYMTAB) {
6189 @@ -406,14 +450,14 @@ static void print_absolute_symbols(void)
6191 static void print_absolute_relocs(void)
6193 - int i, printed = 0;
6194 + unsigned int i, printed = 0;
6196 for (i = 0; i < ehdr.e_shnum; i++) {
6197 struct section *sec = &secs[i];
6198 struct section *sec_applies, *sec_symtab;
6200 Elf32_Sym *sh_symtab;
6203 if (sec->shdr.sh_type != SHT_REL) {
6206 @@ -474,13 +518,13 @@ static void print_absolute_relocs(void)
6208 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6212 /* Walk through the relocations */
6213 for (i = 0; i < ehdr.e_shnum; i++) {
6215 Elf32_Sym *sh_symtab;
6216 struct section *sec_applies, *sec_symtab;
6219 struct section *sec = &secs[i];
6221 if (sec->shdr.sh_type != SHT_REL) {
6222 @@ -504,6 +548,21 @@ static void walk_relocs(void (*visit)(El
6223 if (sym->st_shndx == SHN_ABS) {
6226 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6227 + if (!strcmp(sec_name(sym->st_shndx), ".data.percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6230 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6231 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6232 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6234 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6236 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6238 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6241 if (r_type == R_386_NONE || r_type == R_386_PC32) {
6243 * NONE can be ignored and and PC relative
6244 @@ -541,7 +600,7 @@ static int cmp_relocs(const void *va, co
6246 static void emit_relocs(int as_text)
6250 /* Count how many relocations I have and allocate space for them. */
6252 walk_relocs(count_reloc);
6253 @@ -634,6 +693,7 @@ int main(int argc, char **argv)
6254 fname, strerror(errno));
6261 diff -urNp linux-2.6.32.42/arch/x86/boot/cpucheck.c linux-2.6.32.42/arch/x86/boot/cpucheck.c
6262 --- linux-2.6.32.42/arch/x86/boot/cpucheck.c 2011-03-27 14:31:47.000000000 -0400
6263 +++ linux-2.6.32.42/arch/x86/boot/cpucheck.c 2011-04-17 15:56:46.000000000 -0400
6264 @@ -74,7 +74,7 @@ static int has_fpu(void)
6265 u16 fcw = -1, fsw = -1;
6268 - asm("movl %%cr0,%0" : "=r" (cr0));
6269 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6270 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6271 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6272 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6273 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6278 + asm volatile("pushfl ; "
6282 @@ -115,7 +115,7 @@ static void get_flags(void)
6283 set_bit(X86_FEATURE_FPU, cpu.flags);
6285 if (has_eflag(X86_EFLAGS_ID)) {
6287 + asm volatile("cpuid"
6288 : "=a" (max_intel_level),
6289 "=b" (cpu_vendor[0]),
6290 "=d" (cpu_vendor[1]),
6291 @@ -124,7 +124,7 @@ static void get_flags(void)
6293 if (max_intel_level >= 0x00000001 &&
6294 max_intel_level <= 0x0000ffff) {
6296 + asm volatile("cpuid"
6298 "=c" (cpu.flags[4]),
6300 @@ -136,7 +136,7 @@ static void get_flags(void)
6301 cpu.model += ((tfms >> 16) & 0xf) << 4;
6305 + asm volatile("cpuid"
6306 : "=a" (max_amd_level)
6308 : "ebx", "ecx", "edx");
6309 @@ -144,7 +144,7 @@ static void get_flags(void)
6310 if (max_amd_level >= 0x80000001 &&
6311 max_amd_level <= 0x8000ffff) {
6312 u32 eax = 0x80000001;
6314 + asm volatile("cpuid"
6316 "=c" (cpu.flags[6]),
6318 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6319 u32 ecx = MSR_K7_HWCR;
6322 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6323 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6325 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6326 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6328 get_flags(); /* Make sure it really did something */
6329 err = check_flags();
6330 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6331 u32 ecx = MSR_VIA_FCR;
6334 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6335 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6336 eax |= (1<<1)|(1<<7);
6337 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6338 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6340 set_bit(X86_FEATURE_CX8, cpu.flags);
6341 err = check_flags();
6342 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6346 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6347 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6349 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6350 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6351 + asm volatile("cpuid"
6352 : "+a" (level), "=d" (cpu.flags[0])
6354 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6355 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6357 err = check_flags();
6359 diff -urNp linux-2.6.32.42/arch/x86/boot/header.S linux-2.6.32.42/arch/x86/boot/header.S
6360 --- linux-2.6.32.42/arch/x86/boot/header.S 2011-03-27 14:31:47.000000000 -0400
6361 +++ linux-2.6.32.42/arch/x86/boot/header.S 2011-04-17 15:56:46.000000000 -0400
6362 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6363 # single linked list of
6366 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6367 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6369 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6370 #define VO_INIT_SIZE (VO__end - VO__text)
6371 diff -urNp linux-2.6.32.42/arch/x86/boot/memory.c linux-2.6.32.42/arch/x86/boot/memory.c
6372 --- linux-2.6.32.42/arch/x86/boot/memory.c 2011-03-27 14:31:47.000000000 -0400
6373 +++ linux-2.6.32.42/arch/x86/boot/memory.c 2011-04-17 15:56:46.000000000 -0400
6376 static int detect_memory_e820(void)
6379 + unsigned int count = 0;
6380 struct biosregs ireg, oreg;
6381 struct e820entry *desc = boot_params.e820_map;
6382 static struct e820entry buf; /* static so it is zeroed */
6383 diff -urNp linux-2.6.32.42/arch/x86/boot/video.c linux-2.6.32.42/arch/x86/boot/video.c
6384 --- linux-2.6.32.42/arch/x86/boot/video.c 2011-03-27 14:31:47.000000000 -0400
6385 +++ linux-2.6.32.42/arch/x86/boot/video.c 2011-04-17 15:56:46.000000000 -0400
6386 @@ -90,7 +90,7 @@ static void store_mode_params(void)
6387 static unsigned int get_entry(void)
6391 + unsigned int i, len = 0;
6395 diff -urNp linux-2.6.32.42/arch/x86/boot/video-vesa.c linux-2.6.32.42/arch/x86/boot/video-vesa.c
6396 --- linux-2.6.32.42/arch/x86/boot/video-vesa.c 2011-03-27 14:31:47.000000000 -0400
6397 +++ linux-2.6.32.42/arch/x86/boot/video-vesa.c 2011-04-17 15:56:46.000000000 -0400
6398 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6400 boot_params.screen_info.vesapm_seg = oreg.es;
6401 boot_params.screen_info.vesapm_off = oreg.di;
6402 + boot_params.screen_info.vesapm_size = oreg.cx;
6406 diff -urNp linux-2.6.32.42/arch/x86/ia32/ia32_aout.c linux-2.6.32.42/arch/x86/ia32/ia32_aout.c
6407 --- linux-2.6.32.42/arch/x86/ia32/ia32_aout.c 2011-03-27 14:31:47.000000000 -0400
6408 +++ linux-2.6.32.42/arch/x86/ia32/ia32_aout.c 2011-04-17 15:56:46.000000000 -0400
6409 @@ -169,6 +169,8 @@ static int aout_core_dump(long signr, st
6410 unsigned long dump_start, dump_size;
6413 + memset(&dump, 0, sizeof(dump));
6418 @@ -218,12 +220,6 @@ static int aout_core_dump(long signr, st
6419 dump_size = dump.u_ssize << PAGE_SHIFT;
6420 DUMP_WRITE(dump_start, dump_size);
6423 - * Finally dump the task struct. Not be used by gdb, but
6426 - set_fs(KERNEL_DS);
6427 - DUMP_WRITE(current, sizeof(*current));
6431 diff -urNp linux-2.6.32.42/arch/x86/ia32/ia32entry.S linux-2.6.32.42/arch/x86/ia32/ia32entry.S
6432 --- linux-2.6.32.42/arch/x86/ia32/ia32entry.S 2011-03-27 14:31:47.000000000 -0400
6433 +++ linux-2.6.32.42/arch/x86/ia32/ia32entry.S 2011-06-04 20:29:52.000000000 -0400
6435 #include <asm/thread_info.h>
6436 #include <asm/segment.h>
6437 #include <asm/irqflags.h>
6438 +#include <asm/pgtable.h>
6439 #include <linux/linkage.h>
6441 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6442 @@ -93,6 +94,30 @@ ENTRY(native_irq_enable_sysexit)
6443 ENDPROC(native_irq_enable_sysexit)
6446 + .macro pax_enter_kernel_user
6447 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6448 + call pax_enter_kernel_user
6452 + .macro pax_exit_kernel_user
6453 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6454 + call pax_exit_kernel_user
6456 +#ifdef CONFIG_PAX_RANDKSTACK
6458 + call pax_randomize_kstack
6464 +.macro pax_erase_kstack
6465 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
6466 + call pax_erase_kstack
6471 * 32bit SYSENTER instruction entry.
6473 @@ -119,7 +144,7 @@ ENTRY(ia32_sysenter_target)
6474 CFI_REGISTER rsp,rbp
6476 movq PER_CPU_VAR(kernel_stack), %rsp
6477 - addq $(KERNEL_STACK_OFFSET),%rsp
6478 + pax_enter_kernel_user
6480 * No need to follow this irqs on/off section: the syscall
6481 * disabled irqs, here we enable it straight after entry:
6482 @@ -135,7 +160,8 @@ ENTRY(ia32_sysenter_target)
6484 CFI_ADJUST_CFA_OFFSET 8
6485 /*CFI_REL_OFFSET rflags,0*/
6486 - movl 8*3-THREAD_SIZE+TI_sysenter_return(%rsp), %r10d
6487 + GET_THREAD_INFO(%r10)
6488 + movl TI_sysenter_return(%r10), %r10d
6489 CFI_REGISTER rip,r10
6491 CFI_ADJUST_CFA_OFFSET 8
6492 @@ -150,6 +176,12 @@ ENTRY(ia32_sysenter_target)
6494 /* no need to do an access_ok check here because rbp has been
6495 32bit zero extended */
6497 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6498 + mov $PAX_USER_SHADOW_BASE,%r10
6503 .section __ex_table,"a"
6504 .quad 1b,ia32_badarg
6505 @@ -172,6 +204,7 @@ sysenter_dispatch:
6506 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6508 sysexit_from_sys_call:
6509 + pax_exit_kernel_user
6510 andl $~TS_COMPAT,TI_status(%r10)
6511 /* clear IF, that popfq doesn't enable interrupts early */
6512 andl $~0x200,EFLAGS-R11(%rsp)
6513 @@ -200,6 +233,9 @@ sysexit_from_sys_call:
6514 movl %eax,%esi /* 2nd arg: syscall number */
6515 movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */
6516 call audit_syscall_entry
6520 movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */
6521 cmpq $(IA32_NR_syscalls-1),%rax
6523 @@ -252,6 +288,9 @@ sysenter_tracesys:
6524 movq $-ENOSYS,RAX(%rsp)/* ptrace can change this for a bad syscall */
6525 movq %rsp,%rdi /* &pt_regs -> arg1 */
6526 call syscall_trace_enter
6530 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6532 cmpq $(IA32_NR_syscalls-1),%rax
6533 @@ -283,19 +322,24 @@ ENDPROC(ia32_sysenter_target)
6534 ENTRY(ia32_cstar_target)
6535 CFI_STARTPROC32 simple
6537 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
6539 CFI_REGISTER rip,rcx
6540 /*CFI_REGISTER rflags,r11*/
6544 movq PER_CPU_VAR(kernel_stack),%rsp
6546 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6547 + pax_enter_kernel_user
6551 * No need to follow this irqs on/off section: the syscall
6552 * disabled irqs and here we enable it straight after entry:
6554 ENABLE_INTERRUPTS(CLBR_NONE)
6557 movl %eax,%eax /* zero extension */
6558 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
6559 movq %rcx,RIP-ARGOFFSET(%rsp)
6560 @@ -311,6 +355,12 @@ ENTRY(ia32_cstar_target)
6561 /* no need to do an access_ok check here because r8 has been
6562 32bit zero extended */
6563 /* hardware stack frame is complete now */
6565 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6566 + mov $PAX_USER_SHADOW_BASE,%r10
6571 .section __ex_table,"a"
6572 .quad 1b,ia32_badarg
6573 @@ -333,6 +383,7 @@ cstar_dispatch:
6574 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6576 sysretl_from_sys_call:
6577 + pax_exit_kernel_user
6578 andl $~TS_COMPAT,TI_status(%r10)
6579 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6580 movl RIP-ARGOFFSET(%rsp),%ecx
6581 @@ -370,6 +421,9 @@ cstar_tracesys:
6582 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
6583 movq %rsp,%rdi /* &pt_regs -> arg1 */
6584 call syscall_trace_enter
6588 LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */
6591 @@ -415,6 +469,7 @@ ENTRY(ia32_syscall)
6592 CFI_REL_OFFSET rip,RIP-RIP
6593 PARAVIRT_ADJUST_EXCEPTION_FRAME
6595 + pax_enter_kernel_user
6597 * No need to follow this irqs on/off section: the syscall
6598 * disabled irqs and here we enable it straight after entry:
6599 @@ -448,6 +503,9 @@ ia32_tracesys:
6600 movq $-ENOSYS,RAX(%rsp) /* ptrace can change this for a bad syscall */
6601 movq %rsp,%rdi /* &pt_regs -> arg1 */
6602 call syscall_trace_enter
6606 LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */
6608 cmpq $(IA32_NR_syscalls-1),%rax
6609 diff -urNp linux-2.6.32.42/arch/x86/ia32/ia32_signal.c linux-2.6.32.42/arch/x86/ia32/ia32_signal.c
6610 --- linux-2.6.32.42/arch/x86/ia32/ia32_signal.c 2011-03-27 14:31:47.000000000 -0400
6611 +++ linux-2.6.32.42/arch/x86/ia32/ia32_signal.c 2011-04-17 15:56:46.000000000 -0400
6612 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6614 /* Align the stack pointer according to the i386 ABI,
6615 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6616 - sp = ((sp + 4) & -16ul) - 4;
6617 + sp = ((sp - 12) & -16ul) - 4;
6618 return (void __user *) sp;
6621 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6622 * These are actually not used anymore, but left because some
6623 * gdb versions depend on them as a marker.
6625 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6626 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6627 } put_user_catch(err);
6630 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6632 __NR_ia32_rt_sigreturn,
6638 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6639 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6641 if (ka->sa.sa_flags & SA_RESTORER)
6642 restorer = ka->sa.sa_restorer;
6643 + else if (current->mm->context.vdso)
6644 + /* Return stub is in 32bit vsyscall page */
6645 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6647 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6649 + restorer = &frame->retcode;
6650 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6653 * Not actually used anymore, but left because some gdb
6656 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6657 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6658 } put_user_catch(err);
6661 diff -urNp linux-2.6.32.42/arch/x86/include/asm/alternative.h linux-2.6.32.42/arch/x86/include/asm/alternative.h
6662 --- linux-2.6.32.42/arch/x86/include/asm/alternative.h 2011-03-27 14:31:47.000000000 -0400
6663 +++ linux-2.6.32.42/arch/x86/include/asm/alternative.h 2011-04-17 15:56:46.000000000 -0400
6664 @@ -85,7 +85,7 @@ static inline void alternatives_smp_swit
6665 " .byte 662b-661b\n" /* sourcelen */ \
6666 " .byte 664f-663f\n" /* replacementlen */ \
6668 - ".section .altinstr_replacement, \"ax\"\n" \
6669 + ".section .altinstr_replacement, \"a\"\n" \
6670 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6673 diff -urNp linux-2.6.32.42/arch/x86/include/asm/apm.h linux-2.6.32.42/arch/x86/include/asm/apm.h
6674 --- linux-2.6.32.42/arch/x86/include/asm/apm.h 2011-03-27 14:31:47.000000000 -0400
6675 +++ linux-2.6.32.42/arch/x86/include/asm/apm.h 2011-04-17 15:56:46.000000000 -0400
6676 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6677 __asm__ __volatile__(APM_DO_ZERO_SEGS
6680 - "lcall *%%cs:apm_bios_entry\n\t"
6681 + "lcall *%%ss:apm_bios_entry\n\t"
6685 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6686 __asm__ __volatile__(APM_DO_ZERO_SEGS
6689 - "lcall *%%cs:apm_bios_entry\n\t"
6690 + "lcall *%%ss:apm_bios_entry\n\t"
6694 diff -urNp linux-2.6.32.42/arch/x86/include/asm/atomic_32.h linux-2.6.32.42/arch/x86/include/asm/atomic_32.h
6695 --- linux-2.6.32.42/arch/x86/include/asm/atomic_32.h 2011-03-27 14:31:47.000000000 -0400
6696 +++ linux-2.6.32.42/arch/x86/include/asm/atomic_32.h 2011-05-04 17:56:20.000000000 -0400
6697 @@ -25,6 +25,17 @@ static inline int atomic_read(const atom
6701 + * atomic_read_unchecked - read atomic variable
6702 + * @v: pointer of type atomic_unchecked_t
6704 + * Atomically reads the value of @v.
6706 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6708 + return v->counter;
6712 * atomic_set - set atomic variable
6713 * @v: pointer of type atomic_t
6714 * @i: required value
6715 @@ -37,6 +48,18 @@ static inline void atomic_set(atomic_t *
6719 + * atomic_set_unchecked - set atomic variable
6720 + * @v: pointer of type atomic_unchecked_t
6721 + * @i: required value
6723 + * Atomically sets the value of @v to @i.
6725 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6731 * atomic_add - add integer to atomic variable
6732 * @i: integer value to add
6733 * @v: pointer of type atomic_t
6734 @@ -45,7 +68,29 @@ static inline void atomic_set(atomic_t *
6736 static inline void atomic_add(int i, atomic_t *v)
6738 - asm volatile(LOCK_PREFIX "addl %1,%0"
6739 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6741 +#ifdef CONFIG_PAX_REFCOUNT
6743 + LOCK_PREFIX "subl %1,%0\n"
6745 + _ASM_EXTABLE(0b, 0b)
6748 + : "+m" (v->counter)
6753 + * atomic_add_unchecked - add integer to atomic variable
6754 + * @i: integer value to add
6755 + * @v: pointer of type atomic_unchecked_t
6757 + * Atomically adds @i to @v.
6759 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6761 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6765 @@ -59,7 +104,29 @@ static inline void atomic_add(int i, ato
6767 static inline void atomic_sub(int i, atomic_t *v)
6769 - asm volatile(LOCK_PREFIX "subl %1,%0"
6770 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6772 +#ifdef CONFIG_PAX_REFCOUNT
6774 + LOCK_PREFIX "addl %1,%0\n"
6776 + _ASM_EXTABLE(0b, 0b)
6779 + : "+m" (v->counter)
6784 + * atomic_sub_unchecked - subtract integer from atomic variable
6785 + * @i: integer value to subtract
6786 + * @v: pointer of type atomic_unchecked_t
6788 + * Atomically subtracts @i from @v.
6790 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6792 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6796 @@ -77,7 +144,16 @@ static inline int atomic_sub_and_test(in
6800 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6801 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
6803 +#ifdef CONFIG_PAX_REFCOUNT
6805 + LOCK_PREFIX "addl %2,%0\n"
6807 + _ASM_EXTABLE(0b, 0b)
6811 : "+m" (v->counter), "=qm" (c)
6812 : "ir" (i) : "memory");
6814 @@ -91,7 +167,27 @@ static inline int atomic_sub_and_test(in
6816 static inline void atomic_inc(atomic_t *v)
6818 - asm volatile(LOCK_PREFIX "incl %0"
6819 + asm volatile(LOCK_PREFIX "incl %0\n"
6821 +#ifdef CONFIG_PAX_REFCOUNT
6823 + LOCK_PREFIX "decl %0\n"
6825 + _ASM_EXTABLE(0b, 0b)
6828 + : "+m" (v->counter));
6832 + * atomic_inc_unchecked - increment atomic variable
6833 + * @v: pointer of type atomic_unchecked_t
6835 + * Atomically increments @v by 1.
6837 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6839 + asm volatile(LOCK_PREFIX "incl %0\n"
6840 : "+m" (v->counter));
6843 @@ -103,7 +199,27 @@ static inline void atomic_inc(atomic_t *
6845 static inline void atomic_dec(atomic_t *v)
6847 - asm volatile(LOCK_PREFIX "decl %0"
6848 + asm volatile(LOCK_PREFIX "decl %0\n"
6850 +#ifdef CONFIG_PAX_REFCOUNT
6852 + LOCK_PREFIX "incl %0\n"
6854 + _ASM_EXTABLE(0b, 0b)
6857 + : "+m" (v->counter));
6861 + * atomic_dec_unchecked - decrement atomic variable
6862 + * @v: pointer of type atomic_unchecked_t
6864 + * Atomically decrements @v by 1.
6866 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6868 + asm volatile(LOCK_PREFIX "decl %0\n"
6869 : "+m" (v->counter));
6872 @@ -119,7 +235,16 @@ static inline int atomic_dec_and_test(at
6876 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
6877 + asm volatile(LOCK_PREFIX "decl %0\n"
6879 +#ifdef CONFIG_PAX_REFCOUNT
6881 + LOCK_PREFIX "incl %0\n"
6883 + _ASM_EXTABLE(0b, 0b)
6887 : "+m" (v->counter), "=qm" (c)
6890 @@ -137,7 +262,35 @@ static inline int atomic_inc_and_test(at
6894 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
6895 + asm volatile(LOCK_PREFIX "incl %0\n"
6897 +#ifdef CONFIG_PAX_REFCOUNT
6899 + LOCK_PREFIX "decl %0\n"
6901 + _ASM_EXTABLE(0b, 0b)
6905 + : "+m" (v->counter), "=qm" (c)
6911 + * atomic_inc_and_test_unchecked - increment and test
6912 + * @v: pointer of type atomic_unchecked_t
6914 + * Atomically increments @v by 1
6915 + * and returns true if the result is zero, or false for all
6918 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
6922 + asm volatile(LOCK_PREFIX "incl %0\n"
6924 : "+m" (v->counter), "=qm" (c)
6927 @@ -156,7 +309,16 @@ static inline int atomic_add_negative(in
6931 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6932 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
6934 +#ifdef CONFIG_PAX_REFCOUNT
6936 + LOCK_PREFIX "subl %2,%0\n"
6938 + _ASM_EXTABLE(0b, 0b)
6942 : "+m" (v->counter), "=qm" (c)
6943 : "ir" (i) : "memory");
6945 @@ -179,6 +341,46 @@ static inline int atomic_add_return(int
6947 /* Modern 486+ processor */
6949 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6951 +#ifdef CONFIG_PAX_REFCOUNT
6955 + _ASM_EXTABLE(0b, 0b)
6958 + : "+r" (i), "+m" (v->counter)
6963 +no_xadd: /* Legacy 386 processor */
6964 + local_irq_save(flags);
6965 + __i = atomic_read(v);
6966 + atomic_set(v, i + __i);
6967 + local_irq_restore(flags);
6973 + * atomic_add_return_unchecked - add integer and return
6974 + * @v: pointer of type atomic_unchecked_t
6975 + * @i: integer value to add
6977 + * Atomically adds @i to @v and returns @i + @v
6979 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6983 + unsigned long flags;
6984 + if (unlikely(boot_cpu_data.x86 <= 3))
6987 + /* Modern 486+ processor */
6989 asm volatile(LOCK_PREFIX "xaddl %0, %1"
6990 : "+r" (i), "+m" (v->counter)
6992 @@ -211,11 +413,21 @@ static inline int atomic_cmpxchg(atomic_
6993 return cmpxchg(&v->counter, old, new);
6996 +static inline int atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
6998 + return cmpxchg(&v->counter, old, new);
7001 static inline int atomic_xchg(atomic_t *v, int new)
7003 return xchg(&v->counter, new);
7006 +static inline int atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
7008 + return xchg(&v->counter, new);
7012 * atomic_add_unless - add unless the number is already a given value
7013 * @v: pointer of type atomic_t
7014 @@ -227,22 +439,39 @@ static inline int atomic_xchg(atomic_t *
7016 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7022 - if (unlikely(c == (u)))
7023 + if (unlikely(c == u))
7025 - old = atomic_cmpxchg((v), c, c + (a));
7027 + asm volatile("addl %2,%0\n"
7029 +#ifdef CONFIG_PAX_REFCOUNT
7033 + _ASM_EXTABLE(0b, 0b)
7037 + : "0" (c), "ir" (a));
7039 + old = atomic_cmpxchg(v, c, new);
7040 if (likely(old == c))
7048 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7050 #define atomic_inc_return(v) (atomic_add_return(1, v))
7051 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7053 + return atomic_add_return_unchecked(1, v);
7055 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7057 /* These are x86-specific, used by some header files */
7058 @@ -266,9 +495,18 @@ typedef struct {
7059 u64 __aligned(8) counter;
7062 +#ifdef CONFIG_PAX_REFCOUNT
7064 + u64 __aligned(8) counter;
7065 +} atomic64_unchecked_t;
7067 +typedef atomic64_t atomic64_unchecked_t;
7070 #define ATOMIC64_INIT(val) { (val) }
7072 extern u64 atomic64_cmpxchg(atomic64_t *ptr, u64 old_val, u64 new_val);
7073 +extern u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val);
7076 * atomic64_xchg - xchg atomic64 variable
7077 @@ -279,6 +517,7 @@ extern u64 atomic64_cmpxchg(atomic64_t *
7080 extern u64 atomic64_xchg(atomic64_t *ptr, u64 new_val);
7081 +extern u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7084 * atomic64_set - set atomic64 variable
7085 @@ -290,6 +529,15 @@ extern u64 atomic64_xchg(atomic64_t *ptr
7086 extern void atomic64_set(atomic64_t *ptr, u64 new_val);
7089 + * atomic64_unchecked_set - set atomic64 variable
7090 + * @ptr: pointer to type atomic64_unchecked_t
7091 + * @new_val: value to assign
7093 + * Atomically sets the value of @ptr to @new_val.
7095 +extern void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val);
7098 * atomic64_read - read atomic64 variable
7099 * @ptr: pointer to type atomic64_t
7101 @@ -317,7 +565,33 @@ static inline u64 atomic64_read(atomic64
7105 -extern u64 atomic64_read(atomic64_t *ptr);
7107 + * atomic64_read_unchecked - read atomic64 variable
7108 + * @ptr: pointer to type atomic64_unchecked_t
7110 + * Atomically reads the value of @ptr and returns it.
7112 +static inline u64 atomic64_read_unchecked(atomic64_unchecked_t *ptr)
7117 + * Note, we inline this atomic64_unchecked_t primitive because
7118 + * it only clobbers EAX/EDX and leaves the others
7119 + * untouched. We also (somewhat subtly) rely on the
7120 + * fact that cmpxchg8b returns the current 64-bit value
7121 + * of the memory location we are touching:
7124 + "mov %%ebx, %%eax\n\t"
7125 + "mov %%ecx, %%edx\n\t"
7126 + LOCK_PREFIX "cmpxchg8b %1\n"
7135 * atomic64_add_return - add and return
7136 @@ -332,8 +606,11 @@ extern u64 atomic64_add_return(u64 delta
7137 * Other variants with different arithmetic operators:
7139 extern u64 atomic64_sub_return(u64 delta, atomic64_t *ptr);
7140 +extern u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7141 extern u64 atomic64_inc_return(atomic64_t *ptr);
7142 +extern u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr);
7143 extern u64 atomic64_dec_return(atomic64_t *ptr);
7144 +extern u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr);
7147 * atomic64_add - add integer to atomic64 variable
7148 @@ -345,6 +622,15 @@ extern u64 atomic64_dec_return(atomic64_
7149 extern void atomic64_add(u64 delta, atomic64_t *ptr);
7152 + * atomic64_add_unchecked - add integer to atomic64 variable
7153 + * @delta: integer value to add
7154 + * @ptr: pointer to type atomic64_unchecked_t
7156 + * Atomically adds @delta to @ptr.
7158 +extern void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7161 * atomic64_sub - subtract the atomic64 variable
7162 * @delta: integer value to subtract
7163 * @ptr: pointer to type atomic64_t
7164 @@ -354,6 +640,15 @@ extern void atomic64_add(u64 delta, atom
7165 extern void atomic64_sub(u64 delta, atomic64_t *ptr);
7168 + * atomic64_sub_unchecked - subtract the atomic64 variable
7169 + * @delta: integer value to subtract
7170 + * @ptr: pointer to type atomic64_unchecked_t
7172 + * Atomically subtracts @delta from @ptr.
7174 +extern void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr);
7177 * atomic64_sub_and_test - subtract value from variable and test result
7178 * @delta: integer value to subtract
7179 * @ptr: pointer to type atomic64_t
7180 @@ -373,6 +668,14 @@ extern int atomic64_sub_and_test(u64 del
7181 extern void atomic64_inc(atomic64_t *ptr);
7184 + * atomic64_inc_unchecked - increment atomic64 variable
7185 + * @ptr: pointer to type atomic64_unchecked_t
7187 + * Atomically increments @ptr by 1.
7189 +extern void atomic64_inc_unchecked(atomic64_unchecked_t *ptr);
7192 * atomic64_dec - decrement atomic64 variable
7193 * @ptr: pointer to type atomic64_t
7195 @@ -381,6 +684,14 @@ extern void atomic64_inc(atomic64_t *ptr
7196 extern void atomic64_dec(atomic64_t *ptr);
7199 + * atomic64_dec_unchecked - decrement atomic64 variable
7200 + * @ptr: pointer to type atomic64_unchecked_t
7202 + * Atomically decrements @ptr by 1.
7204 +extern void atomic64_dec_unchecked(atomic64_unchecked_t *ptr);
7207 * atomic64_dec_and_test - decrement and test
7208 * @ptr: pointer to type atomic64_t
7210 diff -urNp linux-2.6.32.42/arch/x86/include/asm/atomic_64.h linux-2.6.32.42/arch/x86/include/asm/atomic_64.h
7211 --- linux-2.6.32.42/arch/x86/include/asm/atomic_64.h 2011-03-27 14:31:47.000000000 -0400
7212 +++ linux-2.6.32.42/arch/x86/include/asm/atomic_64.h 2011-05-04 18:35:31.000000000 -0400
7213 @@ -24,6 +24,17 @@ static inline int atomic_read(const atom
7217 + * atomic_read_unchecked - read atomic variable
7218 + * @v: pointer of type atomic_unchecked_t
7220 + * Atomically reads the value of @v.
7222 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
7224 + return v->counter;
7228 * atomic_set - set atomic variable
7229 * @v: pointer of type atomic_t
7230 * @i: required value
7231 @@ -36,6 +47,18 @@ static inline void atomic_set(atomic_t *
7235 + * atomic_set_unchecked - set atomic variable
7236 + * @v: pointer of type atomic_unchecked_t
7237 + * @i: required value
7239 + * Atomically sets the value of @v to @i.
7241 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
7247 * atomic_add - add integer to atomic variable
7248 * @i: integer value to add
7249 * @v: pointer of type atomic_t
7250 @@ -44,7 +67,29 @@ static inline void atomic_set(atomic_t *
7252 static inline void atomic_add(int i, atomic_t *v)
7254 - asm volatile(LOCK_PREFIX "addl %1,%0"
7255 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7257 +#ifdef CONFIG_PAX_REFCOUNT
7259 + LOCK_PREFIX "subl %1,%0\n"
7261 + _ASM_EXTABLE(0b, 0b)
7264 + : "=m" (v->counter)
7265 + : "ir" (i), "m" (v->counter));
7269 + * atomic_add_unchecked - add integer to atomic variable
7270 + * @i: integer value to add
7271 + * @v: pointer of type atomic_unchecked_t
7273 + * Atomically adds @i to @v.
7275 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
7277 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
7279 : "ir" (i), "m" (v->counter));
7281 @@ -58,7 +103,29 @@ static inline void atomic_add(int i, ato
7283 static inline void atomic_sub(int i, atomic_t *v)
7285 - asm volatile(LOCK_PREFIX "subl %1,%0"
7286 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7288 +#ifdef CONFIG_PAX_REFCOUNT
7290 + LOCK_PREFIX "addl %1,%0\n"
7292 + _ASM_EXTABLE(0b, 0b)
7295 + : "=m" (v->counter)
7296 + : "ir" (i), "m" (v->counter));
7300 + * atomic_sub_unchecked - subtract the atomic variable
7301 + * @i: integer value to subtract
7302 + * @v: pointer of type atomic_unchecked_t
7304 + * Atomically subtracts @i from @v.
7306 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
7308 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
7310 : "ir" (i), "m" (v->counter));
7312 @@ -76,7 +143,16 @@ static inline int atomic_sub_and_test(in
7316 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
7317 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
7319 +#ifdef CONFIG_PAX_REFCOUNT
7321 + LOCK_PREFIX "addl %2,%0\n"
7323 + _ASM_EXTABLE(0b, 0b)
7327 : "=m" (v->counter), "=qm" (c)
7328 : "ir" (i), "m" (v->counter) : "memory");
7330 @@ -90,7 +166,28 @@ static inline int atomic_sub_and_test(in
7332 static inline void atomic_inc(atomic_t *v)
7334 - asm volatile(LOCK_PREFIX "incl %0"
7335 + asm volatile(LOCK_PREFIX "incl %0\n"
7337 +#ifdef CONFIG_PAX_REFCOUNT
7339 + LOCK_PREFIX "decl %0\n"
7341 + _ASM_EXTABLE(0b, 0b)
7344 + : "=m" (v->counter)
7345 + : "m" (v->counter));
7349 + * atomic_inc_unchecked - increment atomic variable
7350 + * @v: pointer of type atomic_unchecked_t
7352 + * Atomically increments @v by 1.
7354 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
7356 + asm volatile(LOCK_PREFIX "incl %0\n"
7358 : "m" (v->counter));
7360 @@ -103,7 +200,28 @@ static inline void atomic_inc(atomic_t *
7362 static inline void atomic_dec(atomic_t *v)
7364 - asm volatile(LOCK_PREFIX "decl %0"
7365 + asm volatile(LOCK_PREFIX "decl %0\n"
7367 +#ifdef CONFIG_PAX_REFCOUNT
7369 + LOCK_PREFIX "incl %0\n"
7371 + _ASM_EXTABLE(0b, 0b)
7374 + : "=m" (v->counter)
7375 + : "m" (v->counter));
7379 + * atomic_dec_unchecked - decrement atomic variable
7380 + * @v: pointer of type atomic_unchecked_t
7382 + * Atomically decrements @v by 1.
7384 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
7386 + asm volatile(LOCK_PREFIX "decl %0\n"
7388 : "m" (v->counter));
7390 @@ -120,7 +238,16 @@ static inline int atomic_dec_and_test(at
7394 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
7395 + asm volatile(LOCK_PREFIX "decl %0\n"
7397 +#ifdef CONFIG_PAX_REFCOUNT
7399 + LOCK_PREFIX "incl %0\n"
7401 + _ASM_EXTABLE(0b, 0b)
7405 : "=m" (v->counter), "=qm" (c)
7406 : "m" (v->counter) : "memory");
7408 @@ -138,7 +265,35 @@ static inline int atomic_inc_and_test(at
7412 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7413 + asm volatile(LOCK_PREFIX "incl %0\n"
7415 +#ifdef CONFIG_PAX_REFCOUNT
7417 + LOCK_PREFIX "decl %0\n"
7419 + _ASM_EXTABLE(0b, 0b)
7423 + : "=m" (v->counter), "=qm" (c)
7424 + : "m" (v->counter) : "memory");
7429 + * atomic_inc_and_test_unchecked - increment and test
7430 + * @v: pointer of type atomic_unchecked_t
7432 + * Atomically increments @v by 1
7433 + * and returns true if the result is zero, or false for all
7436 +static inline int atomic_inc_and_test_unchecked(atomic_unchecked_t *v)
7440 + asm volatile(LOCK_PREFIX "incl %0\n"
7442 : "=m" (v->counter), "=qm" (c)
7443 : "m" (v->counter) : "memory");
7445 @@ -157,7 +312,16 @@ static inline int atomic_add_negative(in
7449 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7450 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7452 +#ifdef CONFIG_PAX_REFCOUNT
7454 + LOCK_PREFIX "subl %2,%0\n"
7456 + _ASM_EXTABLE(0b, 0b)
7460 : "=m" (v->counter), "=qm" (c)
7461 : "ir" (i), "m" (v->counter) : "memory");
7463 @@ -173,7 +337,31 @@ static inline int atomic_add_negative(in
7464 static inline int atomic_add_return(int i, atomic_t *v)
7467 - asm volatile(LOCK_PREFIX "xaddl %0, %1"
7468 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7470 +#ifdef CONFIG_PAX_REFCOUNT
7474 + _ASM_EXTABLE(0b, 0b)
7477 + : "+r" (i), "+m" (v->counter)
7483 + * atomic_add_return_unchecked - add and return
7484 + * @i: integer value to add
7485 + * @v: pointer of type atomic_unchecked_t
7487 + * Atomically adds @i to @v and returns @i + @v
7489 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7492 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7493 : "+r" (i), "+m" (v->counter)
7496 @@ -185,6 +373,10 @@ static inline int atomic_sub_return(int
7499 #define atomic_inc_return(v) (atomic_add_return(1, v))
7500 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7502 + return atomic_add_return_unchecked(1, v);
7504 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7506 /* The 64-bit atomic type */
7507 @@ -204,6 +396,18 @@ static inline long atomic64_read(const a
7511 + * atomic64_read_unchecked - read atomic64 variable
7512 + * @v: pointer of type atomic64_unchecked_t
7514 + * Atomically reads the value of @v.
7515 + * Doesn't imply a read memory barrier.
7517 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
7519 + return v->counter;
7523 * atomic64_set - set atomic64 variable
7524 * @v: pointer to type atomic64_t
7525 * @i: required value
7526 @@ -216,6 +420,18 @@ static inline void atomic64_set(atomic64
7530 + * atomic64_set_unchecked - set atomic64 variable
7531 + * @v: pointer to type atomic64_unchecked_t
7532 + * @i: required value
7534 + * Atomically sets the value of @v to @i.
7536 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
7542 * atomic64_add - add integer to atomic64 variable
7543 * @i: integer value to add
7544 * @v: pointer to type atomic64_t
7545 @@ -224,6 +440,28 @@ static inline void atomic64_set(atomic64
7547 static inline void atomic64_add(long i, atomic64_t *v)
7549 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
7551 +#ifdef CONFIG_PAX_REFCOUNT
7553 + LOCK_PREFIX "subq %1,%0\n"
7555 + _ASM_EXTABLE(0b, 0b)
7558 + : "=m" (v->counter)
7559 + : "er" (i), "m" (v->counter));
7563 + * atomic64_add_unchecked - add integer to atomic64 variable
7564 + * @i: integer value to add
7565 + * @v: pointer to type atomic64_unchecked_t
7567 + * Atomically adds @i to @v.
7569 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
7571 asm volatile(LOCK_PREFIX "addq %1,%0"
7573 : "er" (i), "m" (v->counter));
7574 @@ -238,7 +476,15 @@ static inline void atomic64_add(long i,
7576 static inline void atomic64_sub(long i, atomic64_t *v)
7578 - asm volatile(LOCK_PREFIX "subq %1,%0"
7579 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
7581 +#ifdef CONFIG_PAX_REFCOUNT
7583 + LOCK_PREFIX "addq %1,%0\n"
7585 + _ASM_EXTABLE(0b, 0b)
7589 : "er" (i), "m" (v->counter));
7591 @@ -256,7 +502,16 @@ static inline int atomic64_sub_and_test(
7595 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
7596 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
7598 +#ifdef CONFIG_PAX_REFCOUNT
7600 + LOCK_PREFIX "addq %2,%0\n"
7602 + _ASM_EXTABLE(0b, 0b)
7606 : "=m" (v->counter), "=qm" (c)
7607 : "er" (i), "m" (v->counter) : "memory");
7609 @@ -270,6 +525,27 @@ static inline int atomic64_sub_and_test(
7611 static inline void atomic64_inc(atomic64_t *v)
7613 + asm volatile(LOCK_PREFIX "incq %0\n"
7615 +#ifdef CONFIG_PAX_REFCOUNT
7617 + LOCK_PREFIX "decq %0\n"
7619 + _ASM_EXTABLE(0b, 0b)
7622 + : "=m" (v->counter)
7623 + : "m" (v->counter));
7627 + * atomic64_inc_unchecked - increment atomic64 variable
7628 + * @v: pointer to type atomic64_unchecked_t
7630 + * Atomically increments @v by 1.
7632 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
7634 asm volatile(LOCK_PREFIX "incq %0"
7636 : "m" (v->counter));
7637 @@ -283,7 +559,28 @@ static inline void atomic64_inc(atomic64
7639 static inline void atomic64_dec(atomic64_t *v)
7641 - asm volatile(LOCK_PREFIX "decq %0"
7642 + asm volatile(LOCK_PREFIX "decq %0\n"
7644 +#ifdef CONFIG_PAX_REFCOUNT
7646 + LOCK_PREFIX "incq %0\n"
7648 + _ASM_EXTABLE(0b, 0b)
7651 + : "=m" (v->counter)
7652 + : "m" (v->counter));
7656 + * atomic64_dec_unchecked - decrement atomic64 variable
7657 + * @v: pointer to type atomic64_t
7659 + * Atomically decrements @v by 1.
7661 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
7663 + asm volatile(LOCK_PREFIX "decq %0\n"
7665 : "m" (v->counter));
7667 @@ -300,7 +597,16 @@ static inline int atomic64_dec_and_test(
7671 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
7672 + asm volatile(LOCK_PREFIX "decq %0\n"
7674 +#ifdef CONFIG_PAX_REFCOUNT
7676 + LOCK_PREFIX "incq %0\n"
7678 + _ASM_EXTABLE(0b, 0b)
7682 : "=m" (v->counter), "=qm" (c)
7683 : "m" (v->counter) : "memory");
7685 @@ -318,7 +624,16 @@ static inline int atomic64_inc_and_test(
7689 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
7690 + asm volatile(LOCK_PREFIX "incq %0\n"
7692 +#ifdef CONFIG_PAX_REFCOUNT
7694 + LOCK_PREFIX "decq %0\n"
7696 + _ASM_EXTABLE(0b, 0b)
7700 : "=m" (v->counter), "=qm" (c)
7701 : "m" (v->counter) : "memory");
7703 @@ -337,7 +652,16 @@ static inline int atomic64_add_negative(
7707 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
7708 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
7710 +#ifdef CONFIG_PAX_REFCOUNT
7712 + LOCK_PREFIX "subq %2,%0\n"
7714 + _ASM_EXTABLE(0b, 0b)
7718 : "=m" (v->counter), "=qm" (c)
7719 : "er" (i), "m" (v->counter) : "memory");
7721 @@ -353,7 +677,31 @@ static inline int atomic64_add_negative(
7722 static inline long atomic64_add_return(long i, atomic64_t *v)
7725 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
7726 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
7728 +#ifdef CONFIG_PAX_REFCOUNT
7732 + _ASM_EXTABLE(0b, 0b)
7735 + : "+r" (i), "+m" (v->counter)
7741 + * atomic64_add_return_unchecked - add and return
7742 + * @i: integer value to add
7743 + * @v: pointer to type atomic64_unchecked_t
7745 + * Atomically adds @i to @v and returns @i + @v
7747 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
7750 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
7751 : "+r" (i), "+m" (v->counter)
7754 @@ -365,6 +713,10 @@ static inline long atomic64_sub_return(l
7757 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
7758 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
7760 + return atomic64_add_return_unchecked(1, v);
7762 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
7764 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
7765 @@ -372,21 +724,41 @@ static inline long atomic64_cmpxchg(atom
7766 return cmpxchg(&v->counter, old, new);
7769 +static inline long atomic64_cmpxchg_unchecked(atomic64_unchecked_t *v, long old, long new)
7771 + return cmpxchg(&v->counter, old, new);
7774 static inline long atomic64_xchg(atomic64_t *v, long new)
7776 return xchg(&v->counter, new);
7779 +static inline long atomic64_xchg_unchecked(atomic64_unchecked_t *v, long new)
7781 + return xchg(&v->counter, new);
7784 static inline long atomic_cmpxchg(atomic_t *v, int old, int new)
7786 return cmpxchg(&v->counter, old, new);
7789 +static inline long atomic_cmpxchg_unchecked(atomic_unchecked_t *v, int old, int new)
7791 + return cmpxchg(&v->counter, old, new);
7794 static inline long atomic_xchg(atomic_t *v, int new)
7796 return xchg(&v->counter, new);
7799 +static inline long atomic_xchg_unchecked(atomic_unchecked_t *v, int new)
7801 + return xchg(&v->counter, new);
7805 * atomic_add_unless - add unless the number is a given value
7806 * @v: pointer of type atomic_t
7807 @@ -398,17 +770,30 @@ static inline long atomic_xchg(atomic_t
7809 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7815 - if (unlikely(c == (u)))
7816 + if (unlikely(c == u))
7818 - old = atomic_cmpxchg((v), c, c + (a));
7820 + asm volatile("addl %2,%0\n"
7822 +#ifdef CONFIG_PAX_REFCOUNT
7826 + _ASM_EXTABLE(0b, 0b)
7830 + : "0" (c), "ir" (a));
7832 + old = atomic_cmpxchg(v, c, new);
7833 if (likely(old == c))
7841 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7842 @@ -424,17 +809,30 @@ static inline int atomic_add_unless(atom
7844 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
7848 c = atomic64_read(v);
7850 - if (unlikely(c == (u)))
7851 + if (unlikely(c == u))
7853 - old = atomic64_cmpxchg((v), c, c + (a));
7855 + asm volatile("addq %2,%0\n"
7857 +#ifdef CONFIG_PAX_REFCOUNT
7861 + _ASM_EXTABLE(0b, 0b)
7865 + : "0" (c), "er" (a));
7867 + old = atomic64_cmpxchg(v, c, new);
7868 if (likely(old == c))
7877 diff -urNp linux-2.6.32.42/arch/x86/include/asm/bitops.h linux-2.6.32.42/arch/x86/include/asm/bitops.h
7878 --- linux-2.6.32.42/arch/x86/include/asm/bitops.h 2011-03-27 14:31:47.000000000 -0400
7879 +++ linux-2.6.32.42/arch/x86/include/asm/bitops.h 2011-04-17 15:56:46.000000000 -0400
7881 * a mask operation on a byte.
7883 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
7884 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
7885 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
7886 #define CONST_MASK(nr) (1 << ((nr) & 7))
7889 diff -urNp linux-2.6.32.42/arch/x86/include/asm/boot.h linux-2.6.32.42/arch/x86/include/asm/boot.h
7890 --- linux-2.6.32.42/arch/x86/include/asm/boot.h 2011-03-27 14:31:47.000000000 -0400
7891 +++ linux-2.6.32.42/arch/x86/include/asm/boot.h 2011-04-17 15:56:46.000000000 -0400
7893 #include <asm/pgtable_types.h>
7895 /* Physical address where kernel should be loaded. */
7896 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7897 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7898 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7899 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7901 +#ifndef __ASSEMBLY__
7902 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
7903 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7906 /* Minimum kernel alignment, as a power of two */
7907 #ifdef CONFIG_X86_64
7908 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
7909 diff -urNp linux-2.6.32.42/arch/x86/include/asm/cacheflush.h linux-2.6.32.42/arch/x86/include/asm/cacheflush.h
7910 --- linux-2.6.32.42/arch/x86/include/asm/cacheflush.h 2011-03-27 14:31:47.000000000 -0400
7911 +++ linux-2.6.32.42/arch/x86/include/asm/cacheflush.h 2011-04-17 15:56:46.000000000 -0400
7912 @@ -60,7 +60,7 @@ PAGEFLAG(WC, WC)
7913 static inline unsigned long get_page_memtype(struct page *pg)
7915 if (!PageUncached(pg) && !PageWC(pg))
7918 else if (!PageUncached(pg) && PageWC(pg))
7919 return _PAGE_CACHE_WC;
7920 else if (PageUncached(pg) && !PageWC(pg))
7921 @@ -85,7 +85,7 @@ static inline void set_page_memtype(stru
7927 ClearPageUncached(pg);
7930 diff -urNp linux-2.6.32.42/arch/x86/include/asm/cache.h linux-2.6.32.42/arch/x86/include/asm/cache.h
7931 --- linux-2.6.32.42/arch/x86/include/asm/cache.h 2011-03-27 14:31:47.000000000 -0400
7932 +++ linux-2.6.32.42/arch/x86/include/asm/cache.h 2011-05-04 17:56:20.000000000 -0400
7935 /* L1 cache line size */
7936 #define L1_CACHE_SHIFT (CONFIG_X86_L1_CACHE_SHIFT)
7937 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7938 +#define L1_CACHE_BYTES (_AC(1,U) << L1_CACHE_SHIFT)
7940 #define __read_mostly __attribute__((__section__(".data.read_mostly")))
7941 +#define __read_only __attribute__((__section__(".data.read_only")))
7943 #ifdef CONFIG_X86_VSMP
7944 /* vSMP Internode cacheline shift */
7945 diff -urNp linux-2.6.32.42/arch/x86/include/asm/checksum_32.h linux-2.6.32.42/arch/x86/include/asm/checksum_32.h
7946 --- linux-2.6.32.42/arch/x86/include/asm/checksum_32.h 2011-03-27 14:31:47.000000000 -0400
7947 +++ linux-2.6.32.42/arch/x86/include/asm/checksum_32.h 2011-04-17 15:56:46.000000000 -0400
7948 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7949 int len, __wsum sum,
7950 int *src_err_ptr, int *dst_err_ptr);
7952 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7953 + int len, __wsum sum,
7954 + int *src_err_ptr, int *dst_err_ptr);
7956 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7957 + int len, __wsum sum,
7958 + int *src_err_ptr, int *dst_err_ptr);
7961 * Note: when you get a NULL pointer exception here this means someone
7962 * passed in an incorrect kernel address to one of these functions.
7963 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7967 - return csum_partial_copy_generic((__force void *)src, dst,
7968 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
7969 len, sum, err_ptr, NULL);
7972 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7975 if (access_ok(VERIFY_WRITE, dst, len))
7976 - return csum_partial_copy_generic(src, (__force void *)dst,
7977 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7978 len, sum, NULL, err_ptr);
7981 diff -urNp linux-2.6.32.42/arch/x86/include/asm/desc_defs.h linux-2.6.32.42/arch/x86/include/asm/desc_defs.h
7982 --- linux-2.6.32.42/arch/x86/include/asm/desc_defs.h 2011-03-27 14:31:47.000000000 -0400
7983 +++ linux-2.6.32.42/arch/x86/include/asm/desc_defs.h 2011-04-17 15:56:46.000000000 -0400
7984 @@ -31,6 +31,12 @@ struct desc_struct {
7985 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
7986 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
7991 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
7992 + unsigned offset_high: 16;
7995 } __attribute__((packed));
7997 diff -urNp linux-2.6.32.42/arch/x86/include/asm/desc.h linux-2.6.32.42/arch/x86/include/asm/desc.h
7998 --- linux-2.6.32.42/arch/x86/include/asm/desc.h 2011-03-27 14:31:47.000000000 -0400
7999 +++ linux-2.6.32.42/arch/x86/include/asm/desc.h 2011-04-23 12:56:10.000000000 -0400
8001 #include <asm/desc_defs.h>
8002 #include <asm/ldt.h>
8003 #include <asm/mmu.h>
8004 +#include <asm/pgtable.h>
8005 #include <linux/smp.h>
8007 static inline void fill_ldt(struct desc_struct *desc,
8008 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
8009 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
8010 desc->type = (info->read_exec_only ^ 1) << 1;
8011 desc->type |= info->contents << 2;
8012 + desc->type |= info->seg_not_present ^ 1;
8015 desc->p = info->seg_not_present ^ 1;
8016 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
8019 extern struct desc_ptr idt_descr;
8020 -extern gate_desc idt_table[];
8023 - struct desc_struct gdt[GDT_ENTRIES];
8024 -} __attribute__((aligned(PAGE_SIZE)));
8025 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
8026 +extern gate_desc idt_table[256];
8028 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
8029 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
8031 - return per_cpu(gdt_page, cpu).gdt;
8032 + return cpu_gdt_table[cpu];
8035 #ifdef CONFIG_X86_64
8036 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
8037 unsigned long base, unsigned dpl, unsigned flags,
8040 - gate->a = (seg << 16) | (base & 0xffff);
8041 - gate->b = (base & 0xffff0000) |
8042 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
8043 + gate->gate.offset_low = base;
8044 + gate->gate.seg = seg;
8045 + gate->gate.reserved = 0;
8046 + gate->gate.type = type;
8048 + gate->gate.dpl = dpl;
8050 + gate->gate.offset_high = base >> 16;
8054 @@ -115,13 +118,17 @@ static inline void paravirt_free_ldt(str
8055 static inline void native_write_idt_entry(gate_desc *idt, int entry,
8056 const gate_desc *gate)
8058 + pax_open_kernel();
8059 memcpy(&idt[entry], gate, sizeof(*gate));
8060 + pax_close_kernel();
8063 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
8066 + pax_open_kernel();
8067 memcpy(&ldt[entry], desc, 8);
8068 + pax_close_kernel();
8071 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
8072 @@ -139,7 +146,10 @@ static inline void native_write_gdt_entr
8073 size = sizeof(struct desc_struct);
8077 + pax_open_kernel();
8078 memcpy(&gdt[entry], desc, size);
8079 + pax_close_kernel();
8082 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
8083 @@ -211,7 +221,9 @@ static inline void native_set_ldt(const
8085 static inline void native_load_tr_desc(void)
8087 + pax_open_kernel();
8088 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
8089 + pax_close_kernel();
8092 static inline void native_load_gdt(const struct desc_ptr *dtr)
8093 @@ -246,8 +258,10 @@ static inline void native_load_tls(struc
8095 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
8097 + pax_open_kernel();
8098 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
8099 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
8100 + pax_close_kernel();
8103 #define _LDT_empty(info) \
8104 @@ -309,7 +323,7 @@ static inline void set_desc_limit(struct
8105 desc->limit = (limit >> 16) & 0xf;
8108 -static inline void _set_gate(int gate, unsigned type, void *addr,
8109 +static inline void _set_gate(int gate, unsigned type, const void *addr,
8110 unsigned dpl, unsigned ist, unsigned seg)
8113 @@ -327,7 +341,7 @@ static inline void _set_gate(int gate, u
8114 * Pentium F0 0F bugfix can have resulted in the mapped
8115 * IDT being write-protected.
8117 -static inline void set_intr_gate(unsigned int n, void *addr)
8118 +static inline void set_intr_gate(unsigned int n, const void *addr)
8120 BUG_ON((unsigned)n > 0xFF);
8121 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
8122 @@ -356,19 +370,19 @@ static inline void alloc_intr_gate(unsig
8124 * This routine sets up an interrupt gate at directory privilege level 3.
8126 -static inline void set_system_intr_gate(unsigned int n, void *addr)
8127 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
8129 BUG_ON((unsigned)n > 0xFF);
8130 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
8133 -static inline void set_system_trap_gate(unsigned int n, void *addr)
8134 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
8136 BUG_ON((unsigned)n > 0xFF);
8137 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
8140 -static inline void set_trap_gate(unsigned int n, void *addr)
8141 +static inline void set_trap_gate(unsigned int n, const void *addr)
8143 BUG_ON((unsigned)n > 0xFF);
8144 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
8145 @@ -377,19 +391,31 @@ static inline void set_trap_gate(unsigne
8146 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
8148 BUG_ON((unsigned)n > 0xFF);
8149 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
8150 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
8153 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
8154 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
8156 BUG_ON((unsigned)n > 0xFF);
8157 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
8160 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
8161 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
8163 BUG_ON((unsigned)n > 0xFF);
8164 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
8167 +#ifdef CONFIG_X86_32
8168 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
8170 + struct desc_struct d;
8172 + if (likely(limit))
8173 + limit = (limit - 1UL) >> PAGE_SHIFT;
8174 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
8175 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
8179 #endif /* _ASM_X86_DESC_H */
8180 diff -urNp linux-2.6.32.42/arch/x86/include/asm/device.h linux-2.6.32.42/arch/x86/include/asm/device.h
8181 --- linux-2.6.32.42/arch/x86/include/asm/device.h 2011-03-27 14:31:47.000000000 -0400
8182 +++ linux-2.6.32.42/arch/x86/include/asm/device.h 2011-04-17 15:56:46.000000000 -0400
8183 @@ -6,7 +6,7 @@ struct dev_archdata {
8186 #ifdef CONFIG_X86_64
8187 -struct dma_map_ops *dma_ops;
8188 + const struct dma_map_ops *dma_ops;
8191 void *iommu; /* hook for IOMMU specific extension */
8192 diff -urNp linux-2.6.32.42/arch/x86/include/asm/dma-mapping.h linux-2.6.32.42/arch/x86/include/asm/dma-mapping.h
8193 --- linux-2.6.32.42/arch/x86/include/asm/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
8194 +++ linux-2.6.32.42/arch/x86/include/asm/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
8195 @@ -25,9 +25,9 @@ extern int iommu_merge;
8196 extern struct device x86_dma_fallback_dev;
8197 extern int panic_on_overflow;
8199 -extern struct dma_map_ops *dma_ops;
8200 +extern const struct dma_map_ops *dma_ops;
8202 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
8203 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
8205 #ifdef CONFIG_X86_32
8207 @@ -44,7 +44,7 @@ static inline struct dma_map_ops *get_dm
8208 /* Make sure we keep the same behaviour */
8209 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
8211 - struct dma_map_ops *ops = get_dma_ops(dev);
8212 + const struct dma_map_ops *ops = get_dma_ops(dev);
8213 if (ops->mapping_error)
8214 return ops->mapping_error(dev, dma_addr);
8216 @@ -122,7 +122,7 @@ static inline void *
8217 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
8220 - struct dma_map_ops *ops = get_dma_ops(dev);
8221 + const struct dma_map_ops *ops = get_dma_ops(dev);
8224 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
8225 @@ -149,7 +149,7 @@ dma_alloc_coherent(struct device *dev, s
8226 static inline void dma_free_coherent(struct device *dev, size_t size,
8227 void *vaddr, dma_addr_t bus)
8229 - struct dma_map_ops *ops = get_dma_ops(dev);
8230 + const struct dma_map_ops *ops = get_dma_ops(dev);
8232 WARN_ON(irqs_disabled()); /* for portability */
8234 diff -urNp linux-2.6.32.42/arch/x86/include/asm/e820.h linux-2.6.32.42/arch/x86/include/asm/e820.h
8235 --- linux-2.6.32.42/arch/x86/include/asm/e820.h 2011-03-27 14:31:47.000000000 -0400
8236 +++ linux-2.6.32.42/arch/x86/include/asm/e820.h 2011-04-17 15:56:46.000000000 -0400
8237 @@ -133,7 +133,7 @@ extern char *default_machine_specific_me
8238 #define ISA_END_ADDRESS 0x100000
8239 #define is_ISA_range(s, e) ((s) >= ISA_START_ADDRESS && (e) < ISA_END_ADDRESS)
8241 -#define BIOS_BEGIN 0x000a0000
8242 +#define BIOS_BEGIN 0x000c0000
8243 #define BIOS_END 0x00100000
8246 diff -urNp linux-2.6.32.42/arch/x86/include/asm/elf.h linux-2.6.32.42/arch/x86/include/asm/elf.h
8247 --- linux-2.6.32.42/arch/x86/include/asm/elf.h 2011-03-27 14:31:47.000000000 -0400
8248 +++ linux-2.6.32.42/arch/x86/include/asm/elf.h 2011-04-17 15:56:46.000000000 -0400
8249 @@ -257,7 +257,25 @@ extern int force_personality32;
8250 the loader. We need to make sure that it is out of the way of the program
8251 that it will "exec", and that there is sufficient room for the brk. */
8253 +#ifdef CONFIG_PAX_SEGMEXEC
8254 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
8256 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
8259 +#ifdef CONFIG_PAX_ASLR
8260 +#ifdef CONFIG_X86_32
8261 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
8263 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8264 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
8266 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
8268 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8269 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
8273 /* This yields a mask that user programs can use to figure out what
8274 instruction set this CPU supports. This could be done in user space,
8275 @@ -311,8 +329,7 @@ do { \
8276 #define ARCH_DLINFO \
8279 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
8280 - (unsigned long)current->mm->context.vdso); \
8281 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
8284 #define AT_SYSINFO 32
8285 @@ -323,7 +340,7 @@ do { \
8287 #endif /* !CONFIG_X86_32 */
8289 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
8290 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
8292 #define VDSO_ENTRY \
8293 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
8294 @@ -337,7 +354,4 @@ extern int arch_setup_additional_pages(s
8295 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
8296 #define compat_arch_setup_additional_pages syscall32_setup_pages
8298 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
8299 -#define arch_randomize_brk arch_randomize_brk
8301 #endif /* _ASM_X86_ELF_H */
8302 diff -urNp linux-2.6.32.42/arch/x86/include/asm/emergency-restart.h linux-2.6.32.42/arch/x86/include/asm/emergency-restart.h
8303 --- linux-2.6.32.42/arch/x86/include/asm/emergency-restart.h 2011-03-27 14:31:47.000000000 -0400
8304 +++ linux-2.6.32.42/arch/x86/include/asm/emergency-restart.h 2011-05-22 23:02:06.000000000 -0400
8305 @@ -15,6 +15,6 @@ enum reboot_type {
8307 extern enum reboot_type reboot_type;
8309 -extern void machine_emergency_restart(void);
8310 +extern void machine_emergency_restart(void) __noreturn;
8312 #endif /* _ASM_X86_EMERGENCY_RESTART_H */
8313 diff -urNp linux-2.6.32.42/arch/x86/include/asm/futex.h linux-2.6.32.42/arch/x86/include/asm/futex.h
8314 --- linux-2.6.32.42/arch/x86/include/asm/futex.h 2011-03-27 14:31:47.000000000 -0400
8315 +++ linux-2.6.32.42/arch/x86/include/asm/futex.h 2011-04-17 15:56:46.000000000 -0400
8317 #include <asm/system.h>
8319 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
8320 + typecheck(u32 *, uaddr); \
8321 asm volatile("1:\t" insn "\n" \
8322 "2:\t.section .fixup,\"ax\"\n" \
8323 "3:\tmov\t%3, %1\n" \
8326 _ASM_EXTABLE(1b, 3b) \
8327 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
8328 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
8329 : "i" (-EFAULT), "0" (oparg), "1" (0))
8331 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
8332 + typecheck(u32 *, uaddr); \
8333 asm volatile("1:\tmovl %2, %0\n" \
8334 "\tmovl\t%0, %3\n" \
8337 _ASM_EXTABLE(1b, 4b) \
8338 _ASM_EXTABLE(2b, 4b) \
8339 : "=&a" (oldval), "=&r" (ret), \
8340 - "+m" (*uaddr), "=&r" (tem) \
8341 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
8342 : "r" (oparg), "i" (-EFAULT), "1" (0))
8344 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
8345 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
8347 int op = (encoded_op >> 28) & 7;
8348 int cmp = (encoded_op >> 24) & 15;
8349 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
8353 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
8354 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
8357 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
8358 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
8362 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
8366 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
8367 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
8371 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
8375 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
8376 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
8379 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
8380 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
8381 "2:\t.section .fixup, \"ax\"\n"
8385 _ASM_EXTABLE(1b, 3b)
8386 - : "=a" (oldval), "+m" (*uaddr)
8387 + : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
8388 : "i" (-EFAULT), "r" (newval), "0" (oldval)
8391 diff -urNp linux-2.6.32.42/arch/x86/include/asm/hw_irq.h linux-2.6.32.42/arch/x86/include/asm/hw_irq.h
8392 --- linux-2.6.32.42/arch/x86/include/asm/hw_irq.h 2011-03-27 14:31:47.000000000 -0400
8393 +++ linux-2.6.32.42/arch/x86/include/asm/hw_irq.h 2011-05-04 17:56:28.000000000 -0400
8394 @@ -92,8 +92,8 @@ extern void setup_ioapic_dest(void);
8395 extern void enable_IO_APIC(void);
8398 -extern atomic_t irq_err_count;
8399 -extern atomic_t irq_mis_count;
8400 +extern atomic_unchecked_t irq_err_count;
8401 +extern atomic_unchecked_t irq_mis_count;
8404 extern void eisa_set_level_irq(unsigned int irq);
8405 diff -urNp linux-2.6.32.42/arch/x86/include/asm/i387.h linux-2.6.32.42/arch/x86/include/asm/i387.h
8406 --- linux-2.6.32.42/arch/x86/include/asm/i387.h 2011-03-27 14:31:47.000000000 -0400
8407 +++ linux-2.6.32.42/arch/x86/include/asm/i387.h 2011-04-17 15:56:46.000000000 -0400
8408 @@ -60,6 +60,11 @@ static inline int fxrstor_checking(struc
8412 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8413 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
8414 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
8417 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
8419 ".section .fixup,\"ax\"\n"
8420 @@ -105,6 +110,11 @@ static inline int fxsave_user(struct i38
8424 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8425 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
8426 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
8429 asm volatile("1: rex64/fxsave (%[fx])\n\t"
8431 ".section .fixup,\"ax\"\n"
8432 @@ -195,13 +205,8 @@ static inline int fxrstor_checking(struc
8435 /* We need a safe address that is cheap to find and that is already
8436 - in L1 during context switch. The best choices are unfortunately
8437 - different for UP and SMP */
8439 -#define safe_address (__per_cpu_offset[0])
8441 -#define safe_address (kstat_cpu(0).cpustat.user)
8443 + in L1 during context switch. */
8444 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
8447 * These must be called with preempt disabled
8448 @@ -291,7 +296,7 @@ static inline void kernel_fpu_begin(void
8449 struct thread_info *me = current_thread_info();
8451 if (me->status & TS_USEDFPU)
8452 - __save_init_fpu(me->task);
8453 + __save_init_fpu(current);
8457 diff -urNp linux-2.6.32.42/arch/x86/include/asm/io_32.h linux-2.6.32.42/arch/x86/include/asm/io_32.h
8458 --- linux-2.6.32.42/arch/x86/include/asm/io_32.h 2011-03-27 14:31:47.000000000 -0400
8459 +++ linux-2.6.32.42/arch/x86/include/asm/io_32.h 2011-04-17 15:56:46.000000000 -0400
8462 #include <linux/string.h>
8463 #include <linux/compiler.h>
8464 +#include <asm/processor.h>
8467 * This file contains the definitions for the x86 IO instructions
8472 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
8473 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
8475 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8478 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
8480 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8483 #include <asm-generic/iomap.h>
8485 #include <linux/vmalloc.h>
8486 diff -urNp linux-2.6.32.42/arch/x86/include/asm/io_64.h linux-2.6.32.42/arch/x86/include/asm/io_64.h
8487 --- linux-2.6.32.42/arch/x86/include/asm/io_64.h 2011-03-27 14:31:47.000000000 -0400
8488 +++ linux-2.6.32.42/arch/x86/include/asm/io_64.h 2011-04-17 15:56:46.000000000 -0400
8489 @@ -140,6 +140,17 @@ __OUTS(l)
8491 #include <linux/vmalloc.h>
8493 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
8494 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
8496 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8499 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
8501 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
8504 #include <asm-generic/iomap.h>
8506 void __memcpy_fromio(void *, unsigned long, unsigned);
8507 diff -urNp linux-2.6.32.42/arch/x86/include/asm/iommu.h linux-2.6.32.42/arch/x86/include/asm/iommu.h
8508 --- linux-2.6.32.42/arch/x86/include/asm/iommu.h 2011-03-27 14:31:47.000000000 -0400
8509 +++ linux-2.6.32.42/arch/x86/include/asm/iommu.h 2011-04-17 15:56:46.000000000 -0400
8512 extern void pci_iommu_shutdown(void);
8513 extern void no_iommu_init(void);
8514 -extern struct dma_map_ops nommu_dma_ops;
8515 +extern const struct dma_map_ops nommu_dma_ops;
8516 extern int force_iommu, no_iommu;
8517 extern int iommu_detected;
8518 extern int iommu_pass_through;
8519 diff -urNp linux-2.6.32.42/arch/x86/include/asm/irqflags.h linux-2.6.32.42/arch/x86/include/asm/irqflags.h
8520 --- linux-2.6.32.42/arch/x86/include/asm/irqflags.h 2011-03-27 14:31:47.000000000 -0400
8521 +++ linux-2.6.32.42/arch/x86/include/asm/irqflags.h 2011-04-17 15:56:46.000000000 -0400
8522 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
8526 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
8527 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
8528 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
8529 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
8532 #define INTERRUPT_RETURN iret
8533 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
8534 diff -urNp linux-2.6.32.42/arch/x86/include/asm/kprobes.h linux-2.6.32.42/arch/x86/include/asm/kprobes.h
8535 --- linux-2.6.32.42/arch/x86/include/asm/kprobes.h 2011-03-27 14:31:47.000000000 -0400
8536 +++ linux-2.6.32.42/arch/x86/include/asm/kprobes.h 2011-04-23 12:56:12.000000000 -0400
8537 @@ -34,13 +34,8 @@ typedef u8 kprobe_opcode_t;
8538 #define BREAKPOINT_INSTRUCTION 0xcc
8539 #define RELATIVEJUMP_INSTRUCTION 0xe9
8540 #define MAX_INSN_SIZE 16
8541 -#define MAX_STACK_SIZE 64
8542 -#define MIN_STACK_SIZE(ADDR) \
8543 - (((MAX_STACK_SIZE) < (((unsigned long)current_thread_info()) + \
8544 - THREAD_SIZE - (unsigned long)(ADDR))) \
8545 - ? (MAX_STACK_SIZE) \
8546 - : (((unsigned long)current_thread_info()) + \
8547 - THREAD_SIZE - (unsigned long)(ADDR)))
8548 +#define MAX_STACK_SIZE 64UL
8549 +#define MIN_STACK_SIZE(ADDR) min(MAX_STACK_SIZE, current->thread.sp0 - (unsigned long)(ADDR))
8551 #define flush_insn_slot(p) do { } while (0)
8553 diff -urNp linux-2.6.32.42/arch/x86/include/asm/kvm_host.h linux-2.6.32.42/arch/x86/include/asm/kvm_host.h
8554 --- linux-2.6.32.42/arch/x86/include/asm/kvm_host.h 2011-05-10 22:12:01.000000000 -0400
8555 +++ linux-2.6.32.42/arch/x86/include/asm/kvm_host.h 2011-05-10 22:12:26.000000000 -0400
8556 @@ -536,7 +536,7 @@ struct kvm_x86_ops {
8557 const struct trace_print_flags *exit_reasons_str;
8560 -extern struct kvm_x86_ops *kvm_x86_ops;
8561 +extern const struct kvm_x86_ops *kvm_x86_ops;
8563 int kvm_mmu_module_init(void);
8564 void kvm_mmu_module_exit(void);
8565 diff -urNp linux-2.6.32.42/arch/x86/include/asm/local.h linux-2.6.32.42/arch/x86/include/asm/local.h
8566 --- linux-2.6.32.42/arch/x86/include/asm/local.h 2011-03-27 14:31:47.000000000 -0400
8567 +++ linux-2.6.32.42/arch/x86/include/asm/local.h 2011-04-17 15:56:46.000000000 -0400
8568 @@ -18,26 +18,58 @@ typedef struct {
8570 static inline void local_inc(local_t *l)
8572 - asm volatile(_ASM_INC "%0"
8573 + asm volatile(_ASM_INC "%0\n"
8575 +#ifdef CONFIG_PAX_REFCOUNT
8579 + _ASM_EXTABLE(0b, 0b)
8582 : "+m" (l->a.counter));
8585 static inline void local_dec(local_t *l)
8587 - asm volatile(_ASM_DEC "%0"
8588 + asm volatile(_ASM_DEC "%0\n"
8590 +#ifdef CONFIG_PAX_REFCOUNT
8594 + _ASM_EXTABLE(0b, 0b)
8597 : "+m" (l->a.counter));
8600 static inline void local_add(long i, local_t *l)
8602 - asm volatile(_ASM_ADD "%1,%0"
8603 + asm volatile(_ASM_ADD "%1,%0\n"
8605 +#ifdef CONFIG_PAX_REFCOUNT
8607 + _ASM_SUB "%1,%0\n"
8609 + _ASM_EXTABLE(0b, 0b)
8612 : "+m" (l->a.counter)
8616 static inline void local_sub(long i, local_t *l)
8618 - asm volatile(_ASM_SUB "%1,%0"
8619 + asm volatile(_ASM_SUB "%1,%0\n"
8621 +#ifdef CONFIG_PAX_REFCOUNT
8623 + _ASM_ADD "%1,%0\n"
8625 + _ASM_EXTABLE(0b, 0b)
8628 : "+m" (l->a.counter)
8631 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
8635 - asm volatile(_ASM_SUB "%2,%0; sete %1"
8636 + asm volatile(_ASM_SUB "%2,%0\n"
8638 +#ifdef CONFIG_PAX_REFCOUNT
8640 + _ASM_ADD "%2,%0\n"
8642 + _ASM_EXTABLE(0b, 0b)
8646 : "+m" (l->a.counter), "=qm" (c)
8647 : "ir" (i) : "memory");
8649 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
8653 - asm volatile(_ASM_DEC "%0; sete %1"
8654 + asm volatile(_ASM_DEC "%0\n"
8656 +#ifdef CONFIG_PAX_REFCOUNT
8660 + _ASM_EXTABLE(0b, 0b)
8664 : "+m" (l->a.counter), "=qm" (c)
8667 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
8671 - asm volatile(_ASM_INC "%0; sete %1"
8672 + asm volatile(_ASM_INC "%0\n"
8674 +#ifdef CONFIG_PAX_REFCOUNT
8678 + _ASM_EXTABLE(0b, 0b)
8682 : "+m" (l->a.counter), "=qm" (c)
8685 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
8689 - asm volatile(_ASM_ADD "%2,%0; sets %1"
8690 + asm volatile(_ASM_ADD "%2,%0\n"
8692 +#ifdef CONFIG_PAX_REFCOUNT
8694 + _ASM_SUB "%2,%0\n"
8696 + _ASM_EXTABLE(0b, 0b)
8700 : "+m" (l->a.counter), "=qm" (c)
8701 : "ir" (i) : "memory");
8703 @@ -133,7 +201,15 @@ static inline long local_add_return(long
8705 /* Modern 486+ processor */
8707 - asm volatile(_ASM_XADD "%0, %1;"
8708 + asm volatile(_ASM_XADD "%0, %1\n"
8710 +#ifdef CONFIG_PAX_REFCOUNT
8712 + _ASM_MOV "%0,%1\n"
8714 + _ASM_EXTABLE(0b, 0b)
8717 : "+r" (i), "+m" (l->a.counter)
8720 diff -urNp linux-2.6.32.42/arch/x86/include/asm/microcode.h linux-2.6.32.42/arch/x86/include/asm/microcode.h
8721 --- linux-2.6.32.42/arch/x86/include/asm/microcode.h 2011-03-27 14:31:47.000000000 -0400
8722 +++ linux-2.6.32.42/arch/x86/include/asm/microcode.h 2011-04-17 15:56:46.000000000 -0400
8723 @@ -12,13 +12,13 @@ struct device;
8724 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
8726 struct microcode_ops {
8727 - enum ucode_state (*request_microcode_user) (int cpu,
8728 + enum ucode_state (* const request_microcode_user) (int cpu,
8729 const void __user *buf, size_t size);
8731 - enum ucode_state (*request_microcode_fw) (int cpu,
8732 + enum ucode_state (* const request_microcode_fw) (int cpu,
8733 struct device *device);
8735 - void (*microcode_fini_cpu) (int cpu);
8736 + void (* const microcode_fini_cpu) (int cpu);
8739 * The generic 'microcode_core' part guarantees that
8740 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
8741 extern struct ucode_cpu_info ucode_cpu_info[];
8743 #ifdef CONFIG_MICROCODE_INTEL
8744 -extern struct microcode_ops * __init init_intel_microcode(void);
8745 +extern const struct microcode_ops * __init init_intel_microcode(void);
8747 -static inline struct microcode_ops * __init init_intel_microcode(void)
8748 +static inline const struct microcode_ops * __init init_intel_microcode(void)
8752 #endif /* CONFIG_MICROCODE_INTEL */
8754 #ifdef CONFIG_MICROCODE_AMD
8755 -extern struct microcode_ops * __init init_amd_microcode(void);
8756 +extern const struct microcode_ops * __init init_amd_microcode(void);
8758 -static inline struct microcode_ops * __init init_amd_microcode(void)
8759 +static inline const struct microcode_ops * __init init_amd_microcode(void)
8763 diff -urNp linux-2.6.32.42/arch/x86/include/asm/mman.h linux-2.6.32.42/arch/x86/include/asm/mman.h
8764 --- linux-2.6.32.42/arch/x86/include/asm/mman.h 2011-03-27 14:31:47.000000000 -0400
8765 +++ linux-2.6.32.42/arch/x86/include/asm/mman.h 2011-04-17 15:56:46.000000000 -0400
8768 #include <asm-generic/mman.h>
8771 +#ifndef __ASSEMBLY__
8772 +#ifdef CONFIG_X86_32
8773 +#define arch_mmap_check i386_mmap_check
8774 +int i386_mmap_check(unsigned long addr, unsigned long len,
8775 + unsigned long flags);
8780 #endif /* _ASM_X86_MMAN_H */
8781 diff -urNp linux-2.6.32.42/arch/x86/include/asm/mmu_context.h linux-2.6.32.42/arch/x86/include/asm/mmu_context.h
8782 --- linux-2.6.32.42/arch/x86/include/asm/mmu_context.h 2011-03-27 14:31:47.000000000 -0400
8783 +++ linux-2.6.32.42/arch/x86/include/asm/mmu_context.h 2011-04-17 15:56:46.000000000 -0400
8784 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
8786 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
8789 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8793 + pax_open_kernel();
8794 + pgd = get_cpu_pgd(smp_processor_id());
8795 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
8796 + if (paravirt_enabled())
8797 + set_pgd(pgd+i, native_make_pgd(0));
8799 + pgd[i] = native_make_pgd(0);
8800 + pax_close_kernel();
8804 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
8805 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
8806 @@ -34,16 +49,30 @@ static inline void switch_mm(struct mm_s
8807 struct task_struct *tsk)
8809 unsigned cpu = smp_processor_id();
8810 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
8811 + int tlbstate = TLBSTATE_OK;
8814 if (likely(prev != next)) {
8816 +#ifdef CONFIG_X86_32
8817 + tlbstate = percpu_read(cpu_tlbstate.state);
8819 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8820 percpu_write(cpu_tlbstate.active_mm, next);
8822 cpumask_set_cpu(cpu, mm_cpumask(next));
8824 /* Re-load page tables */
8825 +#ifdef CONFIG_PAX_PER_CPU_PGD
8826 + pax_open_kernel();
8827 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8828 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8829 + pax_close_kernel();
8830 + load_cr3(get_cpu_pgd(cpu));
8832 load_cr3(next->pgd);
8835 /* stop flush ipis for the previous mm */
8836 cpumask_clear_cpu(cpu, mm_cpumask(prev));
8837 @@ -53,9 +82,38 @@ static inline void switch_mm(struct mm_s
8839 if (unlikely(prev->context.ldt != next->context.ldt))
8840 load_LDT_nolock(&next->context);
8843 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8844 + if (!nx_enabled) {
8845 + smp_mb__before_clear_bit();
8846 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
8847 + smp_mb__after_clear_bit();
8848 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8852 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8853 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
8854 + prev->context.user_cs_limit != next->context.user_cs_limit))
8855 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8857 + else if (unlikely(tlbstate != TLBSTATE_OK))
8858 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8865 +#ifdef CONFIG_PAX_PER_CPU_PGD
8866 + pax_open_kernel();
8867 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8868 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8869 + pax_close_kernel();
8870 + load_cr3(get_cpu_pgd(cpu));
8874 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8875 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
8877 @@ -64,11 +122,28 @@ static inline void switch_mm(struct mm_s
8878 * tlb flush IPI delivery. We must reload CR3
8879 * to make sure to use no freed page tables.
8882 +#ifndef CONFIG_PAX_PER_CPU_PGD
8883 load_cr3(next->pgd);
8886 load_LDT_nolock(&next->context);
8888 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
8890 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8893 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8894 +#ifdef CONFIG_PAX_PAGEEXEC
8895 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && nx_enabled))
8897 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8906 #define activate_mm(prev, next) \
8907 diff -urNp linux-2.6.32.42/arch/x86/include/asm/mmu.h linux-2.6.32.42/arch/x86/include/asm/mmu.h
8908 --- linux-2.6.32.42/arch/x86/include/asm/mmu.h 2011-03-27 14:31:47.000000000 -0400
8909 +++ linux-2.6.32.42/arch/x86/include/asm/mmu.h 2011-04-17 15:56:46.000000000 -0400
8911 * we put the segment information here.
8915 + struct desc_struct *ldt;
8919 + unsigned long vdso;
8921 +#ifdef CONFIG_X86_32
8922 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
8923 + unsigned long user_cs_base;
8924 + unsigned long user_cs_limit;
8926 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8927 + cpumask_t cpu_user_cs_mask;
8936 diff -urNp linux-2.6.32.42/arch/x86/include/asm/module.h linux-2.6.32.42/arch/x86/include/asm/module.h
8937 --- linux-2.6.32.42/arch/x86/include/asm/module.h 2011-03-27 14:31:47.000000000 -0400
8938 +++ linux-2.6.32.42/arch/x86/include/asm/module.h 2011-04-23 13:18:57.000000000 -0400
8941 #ifdef CONFIG_X86_64
8942 /* X86_64 does not define MODULE_PROC_FAMILY */
8943 +#define MODULE_PROC_FAMILY ""
8944 #elif defined CONFIG_M386
8945 #define MODULE_PROC_FAMILY "386 "
8946 #elif defined CONFIG_M486
8948 #error unknown processor family
8951 -#ifdef CONFIG_X86_32
8952 -# ifdef CONFIG_4KSTACKS
8953 -# define MODULE_STACKSIZE "4KSTACKS "
8955 -# define MODULE_STACKSIZE ""
8957 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
8958 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8959 +#define MODULE_PAX_UDEREF "UDEREF "
8961 +#define MODULE_PAX_UDEREF ""
8964 +#ifdef CONFIG_PAX_KERNEXEC
8965 +#define MODULE_PAX_KERNEXEC "KERNEXEC "
8967 +#define MODULE_PAX_KERNEXEC ""
8970 +#ifdef CONFIG_PAX_REFCOUNT
8971 +#define MODULE_PAX_REFCOUNT "REFCOUNT "
8973 +#define MODULE_PAX_REFCOUNT ""
8976 +#if defined(CONFIG_X86_32) && defined(CONFIG_4KSTACKS)
8977 +#define MODULE_STACKSIZE "4KSTACKS "
8979 +#define MODULE_STACKSIZE ""
8982 +#ifdef CONFIG_GRKERNSEC
8983 +#define MODULE_GRSEC "GRSECURITY "
8985 +#define MODULE_GRSEC ""
8988 +#define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF MODULE_PAX_REFCOUNT
8990 #endif /* _ASM_X86_MODULE_H */
8991 diff -urNp linux-2.6.32.42/arch/x86/include/asm/page_64_types.h linux-2.6.32.42/arch/x86/include/asm/page_64_types.h
8992 --- linux-2.6.32.42/arch/x86/include/asm/page_64_types.h 2011-03-27 14:31:47.000000000 -0400
8993 +++ linux-2.6.32.42/arch/x86/include/asm/page_64_types.h 2011-04-17 15:56:46.000000000 -0400
8994 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
8996 /* duplicated to the one in bootmem.h */
8997 extern unsigned long max_pfn;
8998 -extern unsigned long phys_base;
8999 +extern const unsigned long phys_base;
9001 extern unsigned long __phys_addr(unsigned long);
9002 #define __phys_reloc_hide(x) (x)
9003 diff -urNp linux-2.6.32.42/arch/x86/include/asm/paravirt.h linux-2.6.32.42/arch/x86/include/asm/paravirt.h
9004 --- linux-2.6.32.42/arch/x86/include/asm/paravirt.h 2011-03-27 14:31:47.000000000 -0400
9005 +++ linux-2.6.32.42/arch/x86/include/asm/paravirt.h 2011-04-17 15:56:46.000000000 -0400
9006 @@ -729,6 +729,21 @@ static inline void __set_fixmap(unsigned
9007 pv_mmu_ops.set_fixmap(idx, phys, flags);
9010 +#ifdef CONFIG_PAX_KERNEXEC
9011 +static inline unsigned long pax_open_kernel(void)
9013 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
9016 +static inline unsigned long pax_close_kernel(void)
9018 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
9021 +static inline unsigned long pax_open_kernel(void) { return 0; }
9022 +static inline unsigned long pax_close_kernel(void) { return 0; }
9025 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
9027 static inline int __raw_spin_is_locked(struct raw_spinlock *lock)
9028 @@ -945,7 +960,7 @@ extern void default_banner(void);
9030 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
9031 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
9032 -#define PARA_INDIRECT(addr) *%cs:addr
9033 +#define PARA_INDIRECT(addr) *%ss:addr
9036 #define INTERRUPT_RETURN \
9037 @@ -1022,6 +1037,21 @@ extern void default_banner(void);
9038 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
9040 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
9042 +#define GET_CR0_INTO_RDI \
9043 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
9046 +#define SET_RDI_INTO_CR0 \
9047 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
9049 +#define GET_CR3_INTO_RDI \
9050 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
9053 +#define SET_RDI_INTO_CR3 \
9054 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
9056 #endif /* CONFIG_X86_32 */
9058 #endif /* __ASSEMBLY__ */
9059 diff -urNp linux-2.6.32.42/arch/x86/include/asm/paravirt_types.h linux-2.6.32.42/arch/x86/include/asm/paravirt_types.h
9060 --- linux-2.6.32.42/arch/x86/include/asm/paravirt_types.h 2011-03-27 14:31:47.000000000 -0400
9061 +++ linux-2.6.32.42/arch/x86/include/asm/paravirt_types.h 2011-04-17 15:56:46.000000000 -0400
9062 @@ -316,6 +316,12 @@ struct pv_mmu_ops {
9063 an mfn. We can tell which is which from the index. */
9064 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
9065 phys_addr_t phys, pgprot_t flags);
9067 +#ifdef CONFIG_PAX_KERNEXEC
9068 + unsigned long (*pax_open_kernel)(void);
9069 + unsigned long (*pax_close_kernel)(void);
9074 struct raw_spinlock;
9075 diff -urNp linux-2.6.32.42/arch/x86/include/asm/pci_x86.h linux-2.6.32.42/arch/x86/include/asm/pci_x86.h
9076 --- linux-2.6.32.42/arch/x86/include/asm/pci_x86.h 2011-03-27 14:31:47.000000000 -0400
9077 +++ linux-2.6.32.42/arch/x86/include/asm/pci_x86.h 2011-04-17 15:56:46.000000000 -0400
9078 @@ -89,16 +89,16 @@ extern int (*pcibios_enable_irq)(struct
9079 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
9081 struct pci_raw_ops {
9082 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9083 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
9084 int reg, int len, u32 *val);
9085 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9086 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
9087 int reg, int len, u32 val);
9090 -extern struct pci_raw_ops *raw_pci_ops;
9091 -extern struct pci_raw_ops *raw_pci_ext_ops;
9092 +extern const struct pci_raw_ops *raw_pci_ops;
9093 +extern const struct pci_raw_ops *raw_pci_ext_ops;
9095 -extern struct pci_raw_ops pci_direct_conf1;
9096 +extern const struct pci_raw_ops pci_direct_conf1;
9097 extern bool port_cf9_safe;
9099 /* arch_initcall level */
9100 diff -urNp linux-2.6.32.42/arch/x86/include/asm/pgalloc.h linux-2.6.32.42/arch/x86/include/asm/pgalloc.h
9101 --- linux-2.6.32.42/arch/x86/include/asm/pgalloc.h 2011-03-27 14:31:47.000000000 -0400
9102 +++ linux-2.6.32.42/arch/x86/include/asm/pgalloc.h 2011-04-17 15:56:46.000000000 -0400
9103 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
9104 pmd_t *pmd, pte_t *pte)
9106 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9107 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
9110 +static inline void pmd_populate_user(struct mm_struct *mm,
9111 + pmd_t *pmd, pte_t *pte)
9113 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
9114 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
9117 diff -urNp linux-2.6.32.42/arch/x86/include/asm/pgtable-2level.h linux-2.6.32.42/arch/x86/include/asm/pgtable-2level.h
9118 --- linux-2.6.32.42/arch/x86/include/asm/pgtable-2level.h 2011-03-27 14:31:47.000000000 -0400
9119 +++ linux-2.6.32.42/arch/x86/include/asm/pgtable-2level.h 2011-04-17 15:56:46.000000000 -0400
9120 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
9122 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9124 + pax_open_kernel();
9126 + pax_close_kernel();
9129 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
9130 diff -urNp linux-2.6.32.42/arch/x86/include/asm/pgtable_32.h linux-2.6.32.42/arch/x86/include/asm/pgtable_32.h
9131 --- linux-2.6.32.42/arch/x86/include/asm/pgtable_32.h 2011-03-27 14:31:47.000000000 -0400
9132 +++ linux-2.6.32.42/arch/x86/include/asm/pgtable_32.h 2011-04-17 15:56:46.000000000 -0400
9135 struct vm_area_struct;
9137 -extern pgd_t swapper_pg_dir[1024];
9138 -extern pgd_t trampoline_pg_dir[1024];
9140 static inline void pgtable_cache_init(void) { }
9141 static inline void check_pgt_cache(void) { }
9142 void paging_init(void);
9143 @@ -49,6 +46,12 @@ extern void set_pmd_pfn(unsigned long, u
9144 # include <asm/pgtable-2level.h>
9147 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
9148 +extern pgd_t trampoline_pg_dir[PTRS_PER_PGD];
9149 +#ifdef CONFIG_X86_PAE
9150 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
9153 #if defined(CONFIG_HIGHPTE)
9155 (in_nmi() ? KM_NMI_PTE : \
9156 @@ -73,7 +76,9 @@ extern void set_pmd_pfn(unsigned long, u
9157 /* Clear a kernel PTE and flush it from the TLB */
9158 #define kpte_clear_flush(ptep, vaddr) \
9160 + pax_open_kernel(); \
9161 pte_clear(&init_mm, (vaddr), (ptep)); \
9162 + pax_close_kernel(); \
9163 __flush_tlb_one((vaddr)); \
9166 @@ -85,6 +90,9 @@ do { \
9168 #endif /* !__ASSEMBLY__ */
9170 +#define HAVE_ARCH_UNMAPPED_AREA
9171 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
9174 * kern_addr_valid() is (1) for FLATMEM and (0) for
9175 * SPARSEMEM and DISCONTIGMEM
9176 diff -urNp linux-2.6.32.42/arch/x86/include/asm/pgtable_32_types.h linux-2.6.32.42/arch/x86/include/asm/pgtable_32_types.h
9177 --- linux-2.6.32.42/arch/x86/include/asm/pgtable_32_types.h 2011-03-27 14:31:47.000000000 -0400
9178 +++ linux-2.6.32.42/arch/x86/include/asm/pgtable_32_types.h 2011-04-17 15:56:46.000000000 -0400
9181 #ifdef CONFIG_X86_PAE
9182 # include <asm/pgtable-3level_types.h>
9183 -# define PMD_SIZE (1UL << PMD_SHIFT)
9184 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
9185 # define PMD_MASK (~(PMD_SIZE - 1))
9187 # include <asm/pgtable-2level_types.h>
9188 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
9189 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
9192 +#ifdef CONFIG_PAX_KERNEXEC
9193 +#ifndef __ASSEMBLY__
9194 +extern unsigned char MODULES_EXEC_VADDR[];
9195 +extern unsigned char MODULES_EXEC_END[];
9197 +#include <asm/boot.h>
9198 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
9199 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
9201 +#define ktla_ktva(addr) (addr)
9202 +#define ktva_ktla(addr) (addr)
9205 #define MODULES_VADDR VMALLOC_START
9206 #define MODULES_END VMALLOC_END
9207 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
9208 diff -urNp linux-2.6.32.42/arch/x86/include/asm/pgtable-3level.h linux-2.6.32.42/arch/x86/include/asm/pgtable-3level.h
9209 --- linux-2.6.32.42/arch/x86/include/asm/pgtable-3level.h 2011-03-27 14:31:47.000000000 -0400
9210 +++ linux-2.6.32.42/arch/x86/include/asm/pgtable-3level.h 2011-04-17 15:56:46.000000000 -0400
9211 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
9213 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9215 + pax_open_kernel();
9216 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
9217 + pax_close_kernel();
9220 static inline void native_set_pud(pud_t *pudp, pud_t pud)
9222 + pax_open_kernel();
9223 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
9224 + pax_close_kernel();
9228 diff -urNp linux-2.6.32.42/arch/x86/include/asm/pgtable_64.h linux-2.6.32.42/arch/x86/include/asm/pgtable_64.h
9229 --- linux-2.6.32.42/arch/x86/include/asm/pgtable_64.h 2011-03-27 14:31:47.000000000 -0400
9230 +++ linux-2.6.32.42/arch/x86/include/asm/pgtable_64.h 2011-04-17 15:56:46.000000000 -0400
9233 extern pud_t level3_kernel_pgt[512];
9234 extern pud_t level3_ident_pgt[512];
9235 +extern pud_t level3_vmalloc_pgt[512];
9236 +extern pud_t level3_vmemmap_pgt[512];
9237 +extern pud_t level2_vmemmap_pgt[512];
9238 extern pmd_t level2_kernel_pgt[512];
9239 extern pmd_t level2_fixmap_pgt[512];
9240 -extern pmd_t level2_ident_pgt[512];
9241 -extern pgd_t init_level4_pgt[];
9242 +extern pmd_t level2_ident_pgt[512*2];
9243 +extern pgd_t init_level4_pgt[512];
9245 #define swapper_pg_dir init_level4_pgt
9247 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
9249 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
9251 + pax_open_kernel();
9253 + pax_close_kernel();
9256 static inline void native_pmd_clear(pmd_t *pmd)
9257 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
9259 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
9261 + pax_open_kernel();
9263 + pax_close_kernel();
9266 static inline void native_pgd_clear(pgd_t *pgd)
9267 diff -urNp linux-2.6.32.42/arch/x86/include/asm/pgtable_64_types.h linux-2.6.32.42/arch/x86/include/asm/pgtable_64_types.h
9268 --- linux-2.6.32.42/arch/x86/include/asm/pgtable_64_types.h 2011-03-27 14:31:47.000000000 -0400
9269 +++ linux-2.6.32.42/arch/x86/include/asm/pgtable_64_types.h 2011-04-17 15:56:46.000000000 -0400
9270 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
9271 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
9272 #define MODULES_END _AC(0xffffffffff000000, UL)
9273 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
9274 +#define MODULES_EXEC_VADDR MODULES_VADDR
9275 +#define MODULES_EXEC_END MODULES_END
9277 +#define ktla_ktva(addr) (addr)
9278 +#define ktva_ktla(addr) (addr)
9280 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
9281 diff -urNp linux-2.6.32.42/arch/x86/include/asm/pgtable.h linux-2.6.32.42/arch/x86/include/asm/pgtable.h
9282 --- linux-2.6.32.42/arch/x86/include/asm/pgtable.h 2011-03-27 14:31:47.000000000 -0400
9283 +++ linux-2.6.32.42/arch/x86/include/asm/pgtable.h 2011-04-17 15:56:46.000000000 -0400
9284 @@ -74,12 +74,51 @@ extern struct list_head pgd_list;
9286 #define arch_end_context_switch(prev) do {} while(0)
9288 +#define pax_open_kernel() native_pax_open_kernel()
9289 +#define pax_close_kernel() native_pax_close_kernel()
9290 #endif /* CONFIG_PARAVIRT */
9292 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
9293 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
9295 +#ifdef CONFIG_PAX_KERNEXEC
9296 +static inline unsigned long native_pax_open_kernel(void)
9298 + unsigned long cr0;
9300 + preempt_disable();
9302 + cr0 = read_cr0() ^ X86_CR0_WP;
9303 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
9305 + return cr0 ^ X86_CR0_WP;
9308 +static inline unsigned long native_pax_close_kernel(void)
9310 + unsigned long cr0;
9312 + cr0 = read_cr0() ^ X86_CR0_WP;
9313 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
9316 + preempt_enable_no_resched();
9317 + return cr0 ^ X86_CR0_WP;
9320 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
9321 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
9325 * The following only work if pte_present() is true.
9326 * Undefined behaviour if not..
9328 +static inline int pte_user(pte_t pte)
9330 + return pte_val(pte) & _PAGE_USER;
9333 static inline int pte_dirty(pte_t pte)
9335 return pte_flags(pte) & _PAGE_DIRTY;
9336 @@ -167,9 +206,29 @@ static inline pte_t pte_wrprotect(pte_t
9337 return pte_clear_flags(pte, _PAGE_RW);
9340 +static inline pte_t pte_mkread(pte_t pte)
9342 + return __pte(pte_val(pte) | _PAGE_USER);
9345 static inline pte_t pte_mkexec(pte_t pte)
9347 - return pte_clear_flags(pte, _PAGE_NX);
9348 +#ifdef CONFIG_X86_PAE
9349 + if (__supported_pte_mask & _PAGE_NX)
9350 + return pte_clear_flags(pte, _PAGE_NX);
9353 + return pte_set_flags(pte, _PAGE_USER);
9356 +static inline pte_t pte_exprotect(pte_t pte)
9358 +#ifdef CONFIG_X86_PAE
9359 + if (__supported_pte_mask & _PAGE_NX)
9360 + return pte_set_flags(pte, _PAGE_NX);
9363 + return pte_clear_flags(pte, _PAGE_USER);
9366 static inline pte_t pte_mkdirty(pte_t pte)
9367 @@ -302,6 +361,15 @@ pte_t *populate_extra_pte(unsigned long
9370 #ifndef __ASSEMBLY__
9372 +#ifdef CONFIG_PAX_PER_CPU_PGD
9373 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
9374 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
9376 + return cpu_pgd[cpu];
9380 #include <linux/mm_types.h>
9382 static inline int pte_none(pte_t pte)
9383 @@ -472,7 +540,7 @@ static inline pud_t *pud_offset(pgd_t *p
9385 static inline int pgd_bad(pgd_t pgd)
9387 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
9388 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
9391 static inline int pgd_none(pgd_t pgd)
9392 @@ -495,7 +563,12 @@ static inline int pgd_none(pgd_t pgd)
9393 * pgd_offset() returns a (pgd_t *)
9394 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
9396 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
9397 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
9399 +#ifdef CONFIG_PAX_PER_CPU_PGD
9400 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
9404 * a shortcut which implies the use of the kernel's pgd, instead
9406 @@ -506,6 +579,20 @@ static inline int pgd_none(pgd_t pgd)
9407 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
9408 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
9410 +#ifdef CONFIG_X86_32
9411 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
9413 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
9414 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
9416 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9417 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
9419 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
9424 #ifndef __ASSEMBLY__
9426 extern int direct_gbpages;
9427 @@ -611,11 +698,23 @@ static inline void ptep_set_wrprotect(st
9428 * dst and src can be on the same page, but the range must not overlap,
9429 * and must not cross a page boundary.
9431 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
9432 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
9434 - memcpy(dst, src, count * sizeof(pgd_t));
9435 + pax_open_kernel();
9438 + pax_close_kernel();
9441 +#ifdef CONFIG_PAX_PER_CPU_PGD
9442 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
9445 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9446 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
9448 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
9451 #include <asm-generic/pgtable.h>
9452 #endif /* __ASSEMBLY__ */
9453 diff -urNp linux-2.6.32.42/arch/x86/include/asm/pgtable_types.h linux-2.6.32.42/arch/x86/include/asm/pgtable_types.h
9454 --- linux-2.6.32.42/arch/x86/include/asm/pgtable_types.h 2011-03-27 14:31:47.000000000 -0400
9455 +++ linux-2.6.32.42/arch/x86/include/asm/pgtable_types.h 2011-04-17 15:56:46.000000000 -0400
9457 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
9458 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
9459 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
9460 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
9461 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
9462 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
9463 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
9464 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
9465 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
9466 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
9467 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
9468 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
9470 /* If _PAGE_BIT_PRESENT is clear, we use these: */
9472 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
9473 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
9474 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
9475 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
9476 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
9477 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
9478 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
9481 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
9482 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
9484 +#elif defined(CONFIG_KMEMCHECK)
9485 #define _PAGE_NX (_AT(pteval_t, 0))
9487 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
9490 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
9492 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
9495 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
9496 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
9498 #define __PAGE_KERNEL_EXEC \
9499 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
9500 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
9502 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
9503 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
9504 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
9505 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
9506 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
9507 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
9508 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
9509 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
9510 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
9511 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
9513 * bits are combined, this will alow user to access the high address mapped
9514 * VDSO in the presence of CONFIG_COMPAT_VDSO
9516 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
9517 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
9518 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
9519 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
9520 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
9523 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
9525 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
9529 +#if PAGETABLE_LEVELS == 3
9530 +#include <asm-generic/pgtable-nopud.h>
9533 +#if PAGETABLE_LEVELS == 2
9534 +#include <asm-generic/pgtable-nopmd.h>
9537 +#ifndef __ASSEMBLY__
9538 #if PAGETABLE_LEVELS > 3
9539 typedef struct { pudval_t pud; } pud_t;
9541 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
9545 -#include <asm-generic/pgtable-nopud.h>
9547 static inline pudval_t native_pud_val(pud_t pud)
9549 return native_pgd_val(pud.pgd);
9550 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
9554 -#include <asm-generic/pgtable-nopmd.h>
9556 static inline pmdval_t native_pmd_val(pmd_t pmd)
9558 return native_pgd_val(pmd.pud.pgd);
9559 @@ -278,7 +287,16 @@ typedef struct page *pgtable_t;
9561 extern pteval_t __supported_pte_mask;
9562 extern void set_nx(void);
9564 +#ifdef CONFIG_X86_32
9565 +#ifdef CONFIG_X86_PAE
9566 extern int nx_enabled;
9568 +#define nx_enabled (0)
9571 +#define nx_enabled (1)
9574 #define pgprot_writecombine pgprot_writecombine
9575 extern pgprot_t pgprot_writecombine(pgprot_t prot);
9576 diff -urNp linux-2.6.32.42/arch/x86/include/asm/processor.h linux-2.6.32.42/arch/x86/include/asm/processor.h
9577 --- linux-2.6.32.42/arch/x86/include/asm/processor.h 2011-04-22 19:16:29.000000000 -0400
9578 +++ linux-2.6.32.42/arch/x86/include/asm/processor.h 2011-05-11 18:25:15.000000000 -0400
9579 @@ -272,7 +272,7 @@ struct tss_struct {
9581 } ____cacheline_aligned;
9583 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
9584 +extern struct tss_struct init_tss[NR_CPUS];
9587 * Save the original ist values for checking stack pointers during debugging
9588 @@ -888,11 +888,18 @@ static inline void spin_lock_prefetch(co
9590 #define TASK_SIZE PAGE_OFFSET
9591 #define TASK_SIZE_MAX TASK_SIZE
9593 +#ifdef CONFIG_PAX_SEGMEXEC
9594 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
9595 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
9597 #define STACK_TOP TASK_SIZE
9598 -#define STACK_TOP_MAX STACK_TOP
9601 +#define STACK_TOP_MAX TASK_SIZE
9603 #define INIT_THREAD { \
9604 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
9605 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
9606 .vm86_info = NULL, \
9607 .sysenter_cs = __KERNEL_CS, \
9608 .io_bitmap_ptr = NULL, \
9609 @@ -906,7 +913,7 @@ static inline void spin_lock_prefetch(co
9611 #define INIT_TSS { \
9613 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
9614 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
9615 .ss0 = __KERNEL_DS, \
9616 .ss1 = __KERNEL_CS, \
9617 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
9618 @@ -917,11 +924,7 @@ static inline void spin_lock_prefetch(co
9619 extern unsigned long thread_saved_pc(struct task_struct *tsk);
9621 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
9622 -#define KSTK_TOP(info) \
9624 - unsigned long *__ptr = (unsigned long *)(info); \
9625 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
9627 +#define KSTK_TOP(info) ((container_of(info, struct task_struct, tinfo))->thread.sp0)
9630 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
9631 @@ -936,7 +939,7 @@ extern unsigned long thread_saved_pc(str
9632 #define task_pt_regs(task) \
9634 struct pt_regs *__regs__; \
9635 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
9636 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
9640 @@ -946,13 +949,13 @@ extern unsigned long thread_saved_pc(str
9642 * User space process size. 47bits minus one guard page.
9644 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
9645 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
9647 /* This decides where the kernel will search for a free chunk of vm
9648 * space during mmap's.
9650 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
9651 - 0xc0000000 : 0xFFFFe000)
9652 + 0xc0000000 : 0xFFFFf000)
9654 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
9655 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
9656 @@ -963,11 +966,11 @@ extern unsigned long thread_saved_pc(str
9657 #define STACK_TOP_MAX TASK_SIZE_MAX
9659 #define INIT_THREAD { \
9660 - .sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
9661 + .sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
9664 #define INIT_TSS { \
9665 - .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) \
9666 + .x86_tss.sp0 = (unsigned long)&init_stack + sizeof(init_stack) - 16 \
9670 @@ -989,6 +992,10 @@ extern void start_thread(struct pt_regs
9672 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
9674 +#ifdef CONFIG_PAX_SEGMEXEC
9675 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
9678 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
9680 /* Get/set a process' ability to use the timestamp counter instruction */
9681 diff -urNp linux-2.6.32.42/arch/x86/include/asm/ptrace.h linux-2.6.32.42/arch/x86/include/asm/ptrace.h
9682 --- linux-2.6.32.42/arch/x86/include/asm/ptrace.h 2011-03-27 14:31:47.000000000 -0400
9683 +++ linux-2.6.32.42/arch/x86/include/asm/ptrace.h 2011-04-17 15:56:46.000000000 -0400
9684 @@ -151,28 +151,29 @@ static inline unsigned long regs_return_
9688 - * user_mode_vm(regs) determines whether a register set came from user mode.
9689 + * user_mode(regs) determines whether a register set came from user mode.
9690 * This is true if V8086 mode was enabled OR if the register set was from
9691 * protected mode with RPL-3 CS value. This tricky test checks that with
9692 * one comparison. Many places in the kernel can bypass this full check
9693 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
9694 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
9697 -static inline int user_mode(struct pt_regs *regs)
9698 +static inline int user_mode_novm(struct pt_regs *regs)
9700 #ifdef CONFIG_X86_32
9701 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
9703 - return !!(regs->cs & 3);
9704 + return !!(regs->cs & SEGMENT_RPL_MASK);
9708 -static inline int user_mode_vm(struct pt_regs *regs)
9709 +static inline int user_mode(struct pt_regs *regs)
9711 #ifdef CONFIG_X86_32
9712 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
9715 - return user_mode(regs);
9716 + return user_mode_novm(regs);
9720 diff -urNp linux-2.6.32.42/arch/x86/include/asm/reboot.h linux-2.6.32.42/arch/x86/include/asm/reboot.h
9721 --- linux-2.6.32.42/arch/x86/include/asm/reboot.h 2011-03-27 14:31:47.000000000 -0400
9722 +++ linux-2.6.32.42/arch/x86/include/asm/reboot.h 2011-05-22 23:02:03.000000000 -0400
9726 struct machine_ops {
9727 - void (*restart)(char *cmd);
9728 - void (*halt)(void);
9729 - void (*power_off)(void);
9730 + void (* __noreturn restart)(char *cmd);
9731 + void (* __noreturn halt)(void);
9732 + void (* __noreturn power_off)(void);
9733 void (*shutdown)(void);
9734 void (*crash_shutdown)(struct pt_regs *);
9735 - void (*emergency_restart)(void);
9736 + void (* __noreturn emergency_restart)(void);
9739 extern struct machine_ops machine_ops;
9741 void native_machine_crash_shutdown(struct pt_regs *regs);
9742 void native_machine_shutdown(void);
9743 -void machine_real_restart(const unsigned char *code, int length);
9744 +void machine_real_restart(const unsigned char *code, unsigned int length) __noreturn;
9746 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
9747 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
9748 diff -urNp linux-2.6.32.42/arch/x86/include/asm/rwsem.h linux-2.6.32.42/arch/x86/include/asm/rwsem.h
9749 --- linux-2.6.32.42/arch/x86/include/asm/rwsem.h 2011-03-27 14:31:47.000000000 -0400
9750 +++ linux-2.6.32.42/arch/x86/include/asm/rwsem.h 2011-04-17 15:56:46.000000000 -0400
9751 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
9753 asm volatile("# beginning down_read\n\t"
9754 LOCK_PREFIX _ASM_INC "(%1)\n\t"
9756 +#ifdef CONFIG_PAX_REFCOUNT
9758 + LOCK_PREFIX _ASM_DEC "(%1)\n\t"
9760 + _ASM_EXTABLE(0b, 0b)
9763 /* adds 0x00000001, returns the old value */
9765 " call call_rwsem_down_read_failed\n"
9766 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
9771 +#ifdef CONFIG_PAX_REFCOUNT
9775 + _ASM_EXTABLE(0b, 0b)
9779 LOCK_PREFIX " cmpxchg %2,%0\n\t"
9781 @@ -160,6 +176,14 @@ static inline void __down_write_nested(s
9782 tmp = RWSEM_ACTIVE_WRITE_BIAS;
9783 asm volatile("# beginning down_write\n\t"
9784 LOCK_PREFIX " xadd %1,(%2)\n\t"
9786 +#ifdef CONFIG_PAX_REFCOUNT
9790 + _ASM_EXTABLE(0b, 0b)
9793 /* subtract 0x0000ffff, returns the old value */
9795 /* was the count 0 before? */
9796 @@ -198,6 +222,14 @@ static inline void __up_read(struct rw_s
9797 rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
9798 asm volatile("# beginning __up_read\n\t"
9799 LOCK_PREFIX " xadd %1,(%2)\n\t"
9801 +#ifdef CONFIG_PAX_REFCOUNT
9805 + _ASM_EXTABLE(0b, 0b)
9808 /* subtracts 1, returns the old value */
9810 " call call_rwsem_wake\n"
9811 @@ -216,6 +248,14 @@ static inline void __up_write(struct rw_
9813 asm volatile("# beginning __up_write\n\t"
9814 LOCK_PREFIX " xadd %1,(%2)\n\t"
9816 +#ifdef CONFIG_PAX_REFCOUNT
9820 + _ASM_EXTABLE(0b, 0b)
9823 /* tries to transition
9824 0xffff0001 -> 0x00000000 */
9826 @@ -234,6 +274,14 @@ static inline void __downgrade_write(str
9828 asm volatile("# beginning __downgrade_write\n\t"
9829 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
9831 +#ifdef CONFIG_PAX_REFCOUNT
9833 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
9835 + _ASM_EXTABLE(0b, 0b)
9839 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
9840 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
9841 @@ -253,7 +301,15 @@ static inline void __downgrade_write(str
9842 static inline void rwsem_atomic_add(rwsem_count_t delta,
9843 struct rw_semaphore *sem)
9845 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
9846 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
9848 +#ifdef CONFIG_PAX_REFCOUNT
9850 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
9852 + _ASM_EXTABLE(0b, 0b)
9858 @@ -266,7 +322,15 @@ static inline rwsem_count_t rwsem_atomic
9860 rwsem_count_t tmp = delta;
9862 - asm volatile(LOCK_PREFIX "xadd %0,%1"
9863 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
9865 +#ifdef CONFIG_PAX_REFCOUNT
9869 + _ASM_EXTABLE(0b, 0b)
9872 : "+r" (tmp), "+m" (sem->count)
9875 diff -urNp linux-2.6.32.42/arch/x86/include/asm/segment.h linux-2.6.32.42/arch/x86/include/asm/segment.h
9876 --- linux-2.6.32.42/arch/x86/include/asm/segment.h 2011-03-27 14:31:47.000000000 -0400
9877 +++ linux-2.6.32.42/arch/x86/include/asm/segment.h 2011-04-17 15:56:46.000000000 -0400
9879 * 26 - ESPFIX small SS
9880 * 27 - per-cpu [ offset to per-cpu data area ]
9881 * 28 - stack_canary-20 [ for stack protector ]
9884 + * 29 - PCI BIOS CS
9885 + * 30 - PCI BIOS DS
9886 * 31 - TSS for double fault handler
9888 #define GDT_ENTRY_TLS_MIN 6
9891 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
9893 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9895 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
9897 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
9899 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
9900 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
9902 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
9903 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
9905 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
9907 @@ -102,6 +104,12 @@
9908 #define __KERNEL_STACK_CANARY 0
9911 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
9912 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9914 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
9915 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9917 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9923 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9924 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9925 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9930 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9931 #define __USER32_DS __USER_DS
9933 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9935 #define GDT_ENTRY_TSS 8 /* needs two entries */
9936 #define GDT_ENTRY_LDT 10 /* needs two entries */
9937 #define GDT_ENTRY_TLS_MIN 12
9941 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
9942 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
9943 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
9944 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
9945 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
9946 diff -urNp linux-2.6.32.42/arch/x86/include/asm/smp.h linux-2.6.32.42/arch/x86/include/asm/smp.h
9947 --- linux-2.6.32.42/arch/x86/include/asm/smp.h 2011-03-27 14:31:47.000000000 -0400
9948 +++ linux-2.6.32.42/arch/x86/include/asm/smp.h 2011-04-17 15:56:46.000000000 -0400
9949 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
9950 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
9951 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
9952 DECLARE_PER_CPU(u16, cpu_llc_id);
9953 -DECLARE_PER_CPU(int, cpu_number);
9954 +DECLARE_PER_CPU(unsigned int, cpu_number);
9956 static inline struct cpumask *cpu_sibling_mask(int cpu)
9958 @@ -175,14 +175,8 @@ extern unsigned disabled_cpus __cpuinitd
9959 extern int safe_smp_processor_id(void);
9961 #elif defined(CONFIG_X86_64_SMP)
9962 -#define raw_smp_processor_id() (percpu_read(cpu_number))
9964 -#define stack_smp_processor_id() \
9966 - struct thread_info *ti; \
9967 - __asm__("andq %%rsp,%0; ":"=r" (ti) : "0" (CURRENT_MASK)); \
9970 +#define raw_smp_processor_id() (percpu_read(cpu_number))
9971 +#define stack_smp_processor_id() raw_smp_processor_id()
9972 #define safe_smp_processor_id() smp_processor_id()
9975 diff -urNp linux-2.6.32.42/arch/x86/include/asm/spinlock.h linux-2.6.32.42/arch/x86/include/asm/spinlock.h
9976 --- linux-2.6.32.42/arch/x86/include/asm/spinlock.h 2011-03-27 14:31:47.000000000 -0400
9977 +++ linux-2.6.32.42/arch/x86/include/asm/spinlock.h 2011-04-17 15:56:46.000000000 -0400
9978 @@ -249,6 +249,14 @@ static inline int __raw_write_can_lock(r
9979 static inline void __raw_read_lock(raw_rwlock_t *rw)
9981 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9983 +#ifdef CONFIG_PAX_REFCOUNT
9985 + LOCK_PREFIX " addl $1,(%0)\n"
9987 + _ASM_EXTABLE(0b, 0b)
9991 "call __read_lock_failed\n\t"
9993 @@ -258,6 +266,14 @@ static inline void __raw_read_lock(raw_r
9994 static inline void __raw_write_lock(raw_rwlock_t *rw)
9996 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9998 +#ifdef CONFIG_PAX_REFCOUNT
10000 + LOCK_PREFIX " addl %1,(%0)\n"
10002 + _ASM_EXTABLE(0b, 0b)
10006 "call __write_lock_failed\n\t"
10008 @@ -286,12 +302,29 @@ static inline int __raw_write_trylock(ra
10010 static inline void __raw_read_unlock(raw_rwlock_t *rw)
10012 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
10013 + asm volatile(LOCK_PREFIX "incl %0\n"
10015 +#ifdef CONFIG_PAX_REFCOUNT
10017 + LOCK_PREFIX "decl %0\n"
10019 + _ASM_EXTABLE(0b, 0b)
10022 + :"+m" (rw->lock) : : "memory");
10025 static inline void __raw_write_unlock(raw_rwlock_t *rw)
10027 - asm volatile(LOCK_PREFIX "addl %1, %0"
10028 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
10030 +#ifdef CONFIG_PAX_REFCOUNT
10032 + LOCK_PREFIX "subl %1, %0\n"
10034 + _ASM_EXTABLE(0b, 0b)
10037 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
10040 diff -urNp linux-2.6.32.42/arch/x86/include/asm/stackprotector.h linux-2.6.32.42/arch/x86/include/asm/stackprotector.h
10041 --- linux-2.6.32.42/arch/x86/include/asm/stackprotector.h 2011-03-27 14:31:47.000000000 -0400
10042 +++ linux-2.6.32.42/arch/x86/include/asm/stackprotector.h 2011-04-17 15:56:46.000000000 -0400
10043 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
10045 static inline void load_stack_canary_segment(void)
10047 -#ifdef CONFIG_X86_32
10048 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
10049 asm volatile ("mov %0, %%gs" : : "r" (0));
10052 diff -urNp linux-2.6.32.42/arch/x86/include/asm/system.h linux-2.6.32.42/arch/x86/include/asm/system.h
10053 --- linux-2.6.32.42/arch/x86/include/asm/system.h 2011-03-27 14:31:47.000000000 -0400
10054 +++ linux-2.6.32.42/arch/x86/include/asm/system.h 2011-05-22 23:02:03.000000000 -0400
10055 @@ -132,7 +132,7 @@ do { \
10056 "thread_return:\n\t" \
10057 "movq "__percpu_arg([current_task])",%%rsi\n\t" \
10059 - "movq %P[thread_info](%%rsi),%%r8\n\t" \
10060 + "movq "__percpu_arg([thread_info])",%%r8\n\t" \
10061 "movq %%rax,%%rdi\n\t" \
10062 "testl %[_tif_fork],%P[ti_flags](%%r8)\n\t" \
10063 "jnz ret_from_fork\n\t" \
10064 @@ -143,7 +143,7 @@ do { \
10065 [threadrsp] "i" (offsetof(struct task_struct, thread.sp)), \
10066 [ti_flags] "i" (offsetof(struct thread_info, flags)), \
10067 [_tif_fork] "i" (_TIF_FORK), \
10068 - [thread_info] "i" (offsetof(struct task_struct, stack)), \
10069 + [thread_info] "m" (per_cpu_var(current_tinfo)), \
10070 [current_task] "m" (per_cpu_var(current_task)) \
10071 __switch_canary_iparam \
10072 : "memory", "cc" __EXTRA_CLOBBER)
10073 @@ -200,7 +200,7 @@ static inline unsigned long get_limit(un
10075 unsigned long __limit;
10076 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
10077 - return __limit + 1;
10081 static inline void native_clts(void)
10082 @@ -340,12 +340,12 @@ void enable_hlt(void);
10084 void cpu_idle_wait(void);
10086 -extern unsigned long arch_align_stack(unsigned long sp);
10087 +#define arch_align_stack(x) ((x) & ~0xfUL)
10088 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
10090 void default_idle(void);
10092 -void stop_this_cpu(void *dummy);
10093 +void stop_this_cpu(void *dummy) __noreturn;
10096 * Force strict CPU ordering.
10097 diff -urNp linux-2.6.32.42/arch/x86/include/asm/thread_info.h linux-2.6.32.42/arch/x86/include/asm/thread_info.h
10098 --- linux-2.6.32.42/arch/x86/include/asm/thread_info.h 2011-03-27 14:31:47.000000000 -0400
10099 +++ linux-2.6.32.42/arch/x86/include/asm/thread_info.h 2011-05-17 19:26:34.000000000 -0400
10101 #include <linux/compiler.h>
10102 #include <asm/page.h>
10103 #include <asm/types.h>
10104 +#include <asm/percpu.h>
10107 * low level task data that entry.S needs immediate access to
10108 @@ -24,7 +25,6 @@ struct exec_domain;
10109 #include <asm/atomic.h>
10111 struct thread_info {
10112 - struct task_struct *task; /* main task structure */
10113 struct exec_domain *exec_domain; /* execution domain */
10114 __u32 flags; /* low level flags */
10115 __u32 status; /* thread synchronous flags */
10116 @@ -34,18 +34,12 @@ struct thread_info {
10117 mm_segment_t addr_limit;
10118 struct restart_block restart_block;
10119 void __user *sysenter_return;
10120 -#ifdef CONFIG_X86_32
10121 - unsigned long previous_esp; /* ESP of the previous stack in
10122 - case of nested (IRQ) stacks
10124 - __u8 supervisor_stack[0];
10126 + unsigned long lowest_stack;
10130 -#define INIT_THREAD_INFO(tsk) \
10131 +#define INIT_THREAD_INFO \
10134 .exec_domain = &default_exec_domain, \
10137 @@ -56,7 +50,7 @@ struct thread_info {
10141 -#define init_thread_info (init_thread_union.thread_info)
10142 +#define init_thread_info (init_thread_union.stack)
10143 #define init_stack (init_thread_union.stack)
10145 #else /* !__ASSEMBLY__ */
10146 @@ -163,6 +157,23 @@ struct thread_info {
10147 #define alloc_thread_info(tsk) \
10148 ((struct thread_info *)__get_free_pages(THREAD_FLAGS, THREAD_ORDER))
10150 +#ifdef __ASSEMBLY__
10151 +/* how to get the thread information struct from ASM */
10152 +#define GET_THREAD_INFO(reg) \
10153 + mov PER_CPU_VAR(current_tinfo), reg
10155 +/* use this one if reg already contains %esp */
10156 +#define GET_THREAD_INFO_WITH_ESP(reg) GET_THREAD_INFO(reg)
10158 +/* how to get the thread information struct from C */
10159 +DECLARE_PER_CPU(struct thread_info *, current_tinfo);
10161 +static __always_inline struct thread_info *current_thread_info(void)
10163 + return percpu_read_stable(current_tinfo);
10167 #ifdef CONFIG_X86_32
10169 #define STACK_WARN (THREAD_SIZE/8)
10170 @@ -173,35 +184,13 @@ struct thread_info {
10172 #ifndef __ASSEMBLY__
10175 /* how to get the current stack pointer from C */
10176 register unsigned long current_stack_pointer asm("esp") __used;
10178 -/* how to get the thread information struct from C */
10179 -static inline struct thread_info *current_thread_info(void)
10181 - return (struct thread_info *)
10182 - (current_stack_pointer & ~(THREAD_SIZE - 1));
10185 -#else /* !__ASSEMBLY__ */
10187 -/* how to get the thread information struct from ASM */
10188 -#define GET_THREAD_INFO(reg) \
10189 - movl $-THREAD_SIZE, reg; \
10192 -/* use this one if reg already contains %esp */
10193 -#define GET_THREAD_INFO_WITH_ESP(reg) \
10194 - andl $-THREAD_SIZE, reg
10200 -#include <asm/percpu.h>
10201 -#define KERNEL_STACK_OFFSET (5*8)
10204 * macros/functions for gaining access to the thread information structure
10205 * preempt_count needs to be 1 initially, until the scheduler is functional.
10206 @@ -209,21 +198,8 @@ static inline struct thread_info *curren
10207 #ifndef __ASSEMBLY__
10208 DECLARE_PER_CPU(unsigned long, kernel_stack);
10210 -static inline struct thread_info *current_thread_info(void)
10212 - struct thread_info *ti;
10213 - ti = (void *)(percpu_read_stable(kernel_stack) +
10214 - KERNEL_STACK_OFFSET - THREAD_SIZE);
10218 -#else /* !__ASSEMBLY__ */
10220 -/* how to get the thread information struct from ASM */
10221 -#define GET_THREAD_INFO(reg) \
10222 - movq PER_CPU_VAR(kernel_stack),reg ; \
10223 - subq $(THREAD_SIZE-KERNEL_STACK_OFFSET),reg
10225 +/* how to get the current stack pointer from C */
10226 +register unsigned long current_stack_pointer asm("rsp") __used;
10229 #endif /* !X86_32 */
10230 @@ -260,5 +236,16 @@ extern void arch_task_cache_init(void);
10231 extern void free_thread_info(struct thread_info *ti);
10232 extern int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src);
10233 #define arch_task_cache_init arch_task_cache_init
10235 +#define __HAVE_THREAD_FUNCTIONS
10236 +#define task_thread_info(task) (&(task)->tinfo)
10237 +#define task_stack_page(task) ((task)->stack)
10238 +#define setup_thread_stack(p, org) do {} while (0)
10239 +#define end_of_stack(p) ((unsigned long *)task_stack_page(p) + 1)
10241 +#define __HAVE_ARCH_TASK_STRUCT_ALLOCATOR
10242 +extern struct task_struct *alloc_task_struct(void);
10243 +extern void free_task_struct(struct task_struct *);
10246 #endif /* _ASM_X86_THREAD_INFO_H */
10247 diff -urNp linux-2.6.32.42/arch/x86/include/asm/uaccess_32.h linux-2.6.32.42/arch/x86/include/asm/uaccess_32.h
10248 --- linux-2.6.32.42/arch/x86/include/asm/uaccess_32.h 2011-03-27 14:31:47.000000000 -0400
10249 +++ linux-2.6.32.42/arch/x86/include/asm/uaccess_32.h 2011-05-16 21:46:57.000000000 -0400
10250 @@ -44,6 +44,11 @@ unsigned long __must_check __copy_from_u
10251 static __always_inline unsigned long __must_check
10252 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
10254 + pax_track_stack();
10259 if (__builtin_constant_p(n)) {
10262 @@ -62,6 +67,8 @@ __copy_to_user_inatomic(void __user *to,
10266 + if (!__builtin_constant_p(n))
10267 + check_object_size(from, n, true);
10268 return __copy_to_user_ll(to, from, n);
10271 @@ -83,12 +90,16 @@ static __always_inline unsigned long __m
10272 __copy_to_user(void __user *to, const void *from, unsigned long n)
10276 return __copy_to_user_inatomic(to, from, n);
10279 static __always_inline unsigned long
10280 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
10285 /* Avoid zeroing the tail if the copy fails..
10286 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
10287 * but as the zeroing behaviour is only significant when n is not
10288 @@ -138,6 +149,12 @@ static __always_inline unsigned long
10289 __copy_from_user(void *to, const void __user *from, unsigned long n)
10293 + pax_track_stack();
10298 if (__builtin_constant_p(n)) {
10301 @@ -153,6 +170,8 @@ __copy_from_user(void *to, const void __
10305 + if (!__builtin_constant_p(n))
10306 + check_object_size(to, n, false);
10307 return __copy_from_user_ll(to, from, n);
10310 @@ -160,6 +179,10 @@ static __always_inline unsigned long __c
10311 const void __user *from, unsigned long n)
10318 if (__builtin_constant_p(n)) {
10321 @@ -182,14 +205,62 @@ static __always_inline unsigned long
10322 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
10325 - return __copy_from_user_ll_nocache_nozero(to, from, n);
10329 + return __copy_from_user_ll_nocache_nozero(to, from, n);
10333 + * copy_to_user: - Copy a block of data into user space.
10334 + * @to: Destination address, in user space.
10335 + * @from: Source address, in kernel space.
10336 + * @n: Number of bytes to copy.
10338 + * Context: User context only. This function may sleep.
10340 + * Copy data from kernel space to user space.
10342 + * Returns number of bytes that could not be copied.
10343 + * On success, this will be zero.
10345 +static __always_inline unsigned long __must_check
10346 +copy_to_user(void __user *to, const void *from, unsigned long n)
10348 + if (access_ok(VERIFY_WRITE, to, n))
10349 + n = __copy_to_user(to, from, n);
10354 + * copy_from_user: - Copy a block of data from user space.
10355 + * @to: Destination address, in kernel space.
10356 + * @from: Source address, in user space.
10357 + * @n: Number of bytes to copy.
10359 + * Context: User context only. This function may sleep.
10361 + * Copy data from user space to kernel space.
10363 + * Returns number of bytes that could not be copied.
10364 + * On success, this will be zero.
10366 + * If some data could not be copied, this function will pad the copied
10367 + * data to the requested size using zero bytes.
10369 +static __always_inline unsigned long __must_check
10370 +copy_from_user(void *to, const void __user *from, unsigned long n)
10372 + if (access_ok(VERIFY_READ, from, n))
10373 + n = __copy_from_user(to, from, n);
10374 + else if ((long)n > 0) {
10375 + if (!__builtin_constant_p(n))
10376 + check_object_size(to, n, false);
10377 + memset(to, 0, n);
10382 -unsigned long __must_check copy_to_user(void __user *to,
10383 - const void *from, unsigned long n);
10384 -unsigned long __must_check copy_from_user(void *to,
10385 - const void __user *from,
10386 - unsigned long n);
10387 long __must_check strncpy_from_user(char *dst, const char __user *src,
10389 long __must_check __strncpy_from_user(char *dst,
10390 diff -urNp linux-2.6.32.42/arch/x86/include/asm/uaccess_64.h linux-2.6.32.42/arch/x86/include/asm/uaccess_64.h
10391 --- linux-2.6.32.42/arch/x86/include/asm/uaccess_64.h 2011-03-27 14:31:47.000000000 -0400
10392 +++ linux-2.6.32.42/arch/x86/include/asm/uaccess_64.h 2011-05-16 21:46:57.000000000 -0400
10394 #include <linux/prefetch.h>
10395 #include <linux/lockdep.h>
10396 #include <asm/page.h>
10397 +#include <asm/pgtable.h>
10399 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
10402 * Copy To/From Userspace
10403 @@ -19,113 +22,203 @@ __must_check unsigned long
10404 copy_user_generic(void *to, const void *from, unsigned len);
10406 __must_check unsigned long
10407 -copy_to_user(void __user *to, const void *from, unsigned len);
10408 -__must_check unsigned long
10409 -copy_from_user(void *to, const void __user *from, unsigned len);
10410 -__must_check unsigned long
10411 copy_in_user(void __user *to, const void __user *from, unsigned len);
10413 static __always_inline __must_check
10414 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
10415 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
10418 + unsigned ret = 0;
10421 - if (!__builtin_constant_p(size))
10422 - return copy_user_generic(dst, (__force void *)src, size);
10424 + if ((int)size < 0)
10427 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10428 + if (!__access_ok(VERIFY_READ, src, size))
10432 + if (!__builtin_constant_p(size)) {
10433 + check_object_size(dst, size, false);
10435 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10436 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10437 + src += PAX_USER_SHADOW_BASE;
10440 + return copy_user_generic(dst, (__force const void *)src, size);
10443 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
10444 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
10445 ret, "b", "b", "=q", 1);
10447 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
10448 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
10449 ret, "w", "w", "=r", 2);
10451 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
10452 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
10453 ret, "l", "k", "=r", 4);
10455 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
10456 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10457 ret, "q", "", "=r", 8);
10460 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
10461 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10462 ret, "q", "", "=r", 10);
10465 __get_user_asm(*(u16 *)(8 + (char *)dst),
10466 - (u16 __user *)(8 + (char __user *)src),
10467 + (const u16 __user *)(8 + (const char __user *)src),
10468 ret, "w", "w", "=r", 2);
10471 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
10472 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
10473 ret, "q", "", "=r", 16);
10476 __get_user_asm(*(u64 *)(8 + (char *)dst),
10477 - (u64 __user *)(8 + (char __user *)src),
10478 + (const u64 __user *)(8 + (const char __user *)src),
10479 ret, "q", "", "=r", 8);
10482 - return copy_user_generic(dst, (__force void *)src, size);
10484 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10485 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10486 + src += PAX_USER_SHADOW_BASE;
10489 + return copy_user_generic(dst, (__force const void *)src, size);
10493 static __always_inline __must_check
10494 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
10495 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
10498 + unsigned ret = 0;
10501 - if (!__builtin_constant_p(size))
10503 + pax_track_stack();
10505 + if ((int)size < 0)
10508 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10509 + if (!__access_ok(VERIFY_WRITE, dst, size))
10513 + if (!__builtin_constant_p(size)) {
10514 + check_object_size(src, size, true);
10516 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10517 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10518 + dst += PAX_USER_SHADOW_BASE;
10521 return copy_user_generic((__force void *)dst, src, size);
10524 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
10525 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
10526 ret, "b", "b", "iq", 1);
10528 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
10529 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
10530 ret, "w", "w", "ir", 2);
10532 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
10533 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
10534 ret, "l", "k", "ir", 4);
10536 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
10537 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10538 ret, "q", "", "er", 8);
10541 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
10542 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10543 ret, "q", "", "er", 10);
10546 asm("":::"memory");
10547 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
10548 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
10549 ret, "w", "w", "ir", 2);
10552 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
10553 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
10554 ret, "q", "", "er", 16);
10557 asm("":::"memory");
10558 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
10559 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
10560 ret, "q", "", "er", 8);
10564 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10565 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10566 + dst += PAX_USER_SHADOW_BASE;
10569 return copy_user_generic((__force void *)dst, src, size);
10573 static __always_inline __must_check
10574 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
10575 +unsigned long copy_to_user(void __user *to, const void *from, unsigned len)
10577 + if (access_ok(VERIFY_WRITE, to, len))
10578 + len = __copy_to_user(to, from, len);
10582 +static __always_inline __must_check
10583 +unsigned long copy_from_user(void *to, const void __user *from, unsigned len)
10585 + if ((int)len < 0)
10588 + if (access_ok(VERIFY_READ, from, len))
10589 + len = __copy_from_user(to, from, len);
10590 + else if ((int)len > 0) {
10591 + if (!__builtin_constant_p(len))
10592 + check_object_size(to, len, false);
10593 + memset(to, 0, len);
10598 +static __always_inline __must_check
10599 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
10602 + unsigned ret = 0;
10605 - if (!__builtin_constant_p(size))
10607 + pax_track_stack();
10609 + if ((int)size < 0)
10612 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10613 + if (!__access_ok(VERIFY_READ, src, size))
10615 + if (!__access_ok(VERIFY_WRITE, dst, size))
10619 + if (!__builtin_constant_p(size)) {
10621 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10622 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10623 + src += PAX_USER_SHADOW_BASE;
10624 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10625 + dst += PAX_USER_SHADOW_BASE;
10628 return copy_user_generic((__force void *)dst,
10629 - (__force void *)src, size);
10630 + (__force const void *)src, size);
10635 - __get_user_asm(tmp, (u8 __user *)src,
10636 + __get_user_asm(tmp, (const u8 __user *)src,
10637 ret, "b", "b", "=q", 1);
10639 __put_user_asm(tmp, (u8 __user *)dst,
10640 @@ -134,7 +227,7 @@ int __copy_in_user(void __user *dst, con
10644 - __get_user_asm(tmp, (u16 __user *)src,
10645 + __get_user_asm(tmp, (const u16 __user *)src,
10646 ret, "w", "w", "=r", 2);
10648 __put_user_asm(tmp, (u16 __user *)dst,
10649 @@ -144,7 +237,7 @@ int __copy_in_user(void __user *dst, con
10653 - __get_user_asm(tmp, (u32 __user *)src,
10654 + __get_user_asm(tmp, (const u32 __user *)src,
10655 ret, "l", "k", "=r", 4);
10657 __put_user_asm(tmp, (u32 __user *)dst,
10658 @@ -153,7 +246,7 @@ int __copy_in_user(void __user *dst, con
10662 - __get_user_asm(tmp, (u64 __user *)src,
10663 + __get_user_asm(tmp, (const u64 __user *)src,
10664 ret, "q", "", "=r", 8);
10666 __put_user_asm(tmp, (u64 __user *)dst,
10667 @@ -161,8 +254,16 @@ int __copy_in_user(void __user *dst, con
10672 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10673 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10674 + src += PAX_USER_SHADOW_BASE;
10675 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10676 + dst += PAX_USER_SHADOW_BASE;
10679 return copy_user_generic((__force void *)dst,
10680 - (__force void *)src, size);
10681 + (__force const void *)src, size);
10685 @@ -176,33 +277,75 @@ __must_check long strlen_user(const char
10686 __must_check unsigned long clear_user(void __user *mem, unsigned long len);
10687 __must_check unsigned long __clear_user(void __user *mem, unsigned long len);
10689 -__must_check long __copy_from_user_inatomic(void *dst, const void __user *src,
10691 +static __must_check __always_inline unsigned long
10692 +__copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
10694 + pax_track_stack();
10696 + if ((int)size < 0)
10699 -static __must_check __always_inline int
10700 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10701 + if (!__access_ok(VERIFY_READ, src, size))
10704 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
10705 + src += PAX_USER_SHADOW_BASE;
10708 + return copy_user_generic(dst, (__force const void *)src, size);
10711 +static __must_check __always_inline unsigned long
10712 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
10714 + if ((int)size < 0)
10717 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10718 + if (!__access_ok(VERIFY_WRITE, dst, size))
10721 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
10722 + dst += PAX_USER_SHADOW_BASE;
10725 return copy_user_generic((__force void *)dst, src, size);
10728 -extern long __copy_user_nocache(void *dst, const void __user *src,
10729 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
10730 unsigned size, int zerorest);
10733 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
10734 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
10738 + if ((int)size < 0)
10741 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10742 + if (!__access_ok(VERIFY_READ, src, size))
10746 return __copy_user_nocache(dst, src, size, 1);
10750 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
10751 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
10754 + if ((int)size < 0)
10757 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10758 + if (!__access_ok(VERIFY_READ, src, size))
10762 return __copy_user_nocache(dst, src, size, 0);
10766 +extern unsigned long
10767 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
10769 #endif /* _ASM_X86_UACCESS_64_H */
10770 diff -urNp linux-2.6.32.42/arch/x86/include/asm/uaccess.h linux-2.6.32.42/arch/x86/include/asm/uaccess.h
10771 --- linux-2.6.32.42/arch/x86/include/asm/uaccess.h 2011-06-25 12:55:34.000000000 -0400
10772 +++ linux-2.6.32.42/arch/x86/include/asm/uaccess.h 2011-06-25 12:56:37.000000000 -0400
10774 #include <linux/thread_info.h>
10775 #include <linux/prefetch.h>
10776 #include <linux/string.h>
10777 +#include <linux/sched.h>
10778 #include <asm/asm.h>
10779 #include <asm/page.h>
10781 #define VERIFY_READ 0
10782 #define VERIFY_WRITE 1
10784 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
10787 * The fs value determines whether argument validity checking should be
10788 * performed or not. If get_fs() == USER_DS, checking is performed, with
10791 #define get_ds() (KERNEL_DS)
10792 #define get_fs() (current_thread_info()->addr_limit)
10793 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
10794 +void __set_fs(mm_segment_t x);
10795 +void set_fs(mm_segment_t x);
10797 #define set_fs(x) (current_thread_info()->addr_limit = (x))
10800 #define segment_eq(a, b) ((a).seg == (b).seg)
10803 * checks that the pointer is in the user space range - after calling
10804 * this function, memory access functions may still return -EFAULT.
10806 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
10807 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
10808 +#define access_ok(type, addr, size) \
10810 + long __size = size; \
10811 + unsigned long __addr = (unsigned long)addr; \
10812 + unsigned long __addr_ao = __addr & PAGE_MASK; \
10813 + unsigned long __end_ao = __addr + __size - 1; \
10814 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
10815 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
10816 + while(__addr_ao <= __end_ao) { \
10818 + __addr_ao += PAGE_SIZE; \
10819 + if (__size > PAGE_SIZE) \
10820 + cond_resched(); \
10821 + if (__get_user(__c_ao, (char __user *)__addr)) \
10823 + if (type != VERIFY_WRITE) { \
10824 + __addr = __addr_ao; \
10827 + if (__put_user(__c_ao, (char __user *)__addr)) \
10829 + __addr = __addr_ao; \
10836 * The exception table consists of pairs of addresses: the first is the
10837 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
10838 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
10839 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
10842 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
10843 +#define __copyuser_seg "gs;"
10844 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
10845 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
10847 +#define __copyuser_seg
10848 +#define __COPYUSER_SET_ES
10849 +#define __COPYUSER_RESTORE_ES
10852 #ifdef CONFIG_X86_32
10853 #define __put_user_asm_u64(x, addr, err, errret) \
10854 - asm volatile("1: movl %%eax,0(%2)\n" \
10855 - "2: movl %%edx,4(%2)\n" \
10856 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
10857 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
10859 ".section .fixup,\"ax\"\n" \
10860 "4: movl %3,%0\n" \
10861 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
10862 : "A" (x), "r" (addr), "i" (errret), "0" (err))
10864 #define __put_user_asm_ex_u64(x, addr) \
10865 - asm volatile("1: movl %%eax,0(%1)\n" \
10866 - "2: movl %%edx,4(%1)\n" \
10867 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
10868 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
10870 _ASM_EXTABLE(1b, 2b - 1b) \
10871 _ASM_EXTABLE(2b, 3b - 2b) \
10872 @@ -374,7 +416,7 @@ do { \
10875 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10876 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
10877 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
10879 ".section .fixup,\"ax\"\n" \
10881 @@ -382,7 +424,7 @@ do { \
10884 _ASM_EXTABLE(1b, 3b) \
10885 - : "=r" (err), ltype(x) \
10886 + : "=r" (err), ltype (x) \
10887 : "m" (__m(addr)), "i" (errret), "0" (err))
10889 #define __get_user_size_ex(x, ptr, size) \
10890 @@ -407,7 +449,7 @@ do { \
10893 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
10894 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
10895 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
10897 _ASM_EXTABLE(1b, 2b - 1b) \
10898 : ltype(x) : "m" (__m(addr)))
10899 @@ -424,13 +466,24 @@ do { \
10901 unsigned long __gu_val; \
10902 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
10903 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
10904 + (x) = (__typeof__(*(ptr)))__gu_val; \
10908 /* FIXME: this hack is definitely wrong -AK */
10909 struct __large_struct { unsigned long buf[100]; };
10910 -#define __m(x) (*(struct __large_struct __user *)(x))
10911 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10912 +#define ____m(x) \
10914 + unsigned long ____x = (unsigned long)(x); \
10915 + if (____x < PAX_USER_SHADOW_BASE) \
10916 + ____x += PAX_USER_SHADOW_BASE; \
10917 + (void __user *)____x; \
10920 +#define ____m(x) (x)
10922 +#define __m(x) (*(struct __large_struct __user *)____m(x))
10925 * Tell gcc we read from memory instead of writing: this is because
10926 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
10929 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
10930 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
10931 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
10933 ".section .fixup,\"ax\"\n" \
10935 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
10937 _ASM_EXTABLE(1b, 3b) \
10939 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
10940 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
10942 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
10943 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
10944 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
10946 _ASM_EXTABLE(1b, 2b - 1b) \
10947 : : ltype(x), "m" (__m(addr)))
10948 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
10949 * On error, the variable @x is set to zero.
10952 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10953 +#define __get_user(x, ptr) get_user((x), (ptr))
10955 #define __get_user(x, ptr) \
10956 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
10960 * __put_user: - Write a simple value into user space, with less checking.
10961 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
10962 * Returns zero on success, or -EFAULT on error.
10965 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10966 +#define __put_user(x, ptr) put_user((x), (ptr))
10968 #define __put_user(x, ptr) \
10969 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
10972 #define __get_user_unaligned __get_user
10973 #define __put_user_unaligned __put_user
10974 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
10975 #define get_user_ex(x, ptr) do { \
10976 unsigned long __gue_val; \
10977 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
10978 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
10979 + (x) = (__typeof__(*(ptr)))__gue_val; \
10982 #ifdef CONFIG_X86_WP_WORKS_OK
10983 @@ -567,6 +628,7 @@ extern struct movsl_mask {
10985 #define ARCH_HAS_NOCACHE_UACCESS 1
10987 +#define ARCH_HAS_SORT_EXTABLE
10988 #ifdef CONFIG_X86_32
10989 # include "uaccess_32.h"
10991 diff -urNp linux-2.6.32.42/arch/x86/include/asm/vgtod.h linux-2.6.32.42/arch/x86/include/asm/vgtod.h
10992 --- linux-2.6.32.42/arch/x86/include/asm/vgtod.h 2011-03-27 14:31:47.000000000 -0400
10993 +++ linux-2.6.32.42/arch/x86/include/asm/vgtod.h 2011-04-17 15:56:46.000000000 -0400
10994 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
10995 int sysctl_enabled;
10996 struct timezone sys_tz;
10997 struct { /* extract of a clocksource struct */
10999 cycle_t (*vread)(void);
11000 cycle_t cycle_last;
11002 diff -urNp linux-2.6.32.42/arch/x86/include/asm/vmi.h linux-2.6.32.42/arch/x86/include/asm/vmi.h
11003 --- linux-2.6.32.42/arch/x86/include/asm/vmi.h 2011-03-27 14:31:47.000000000 -0400
11004 +++ linux-2.6.32.42/arch/x86/include/asm/vmi.h 2011-04-17 15:56:46.000000000 -0400
11005 @@ -191,6 +191,7 @@ struct vrom_header {
11006 u8 reserved[96]; /* Reserved for headers */
11007 char vmi_init[8]; /* VMI_Init jump point */
11008 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
11009 + char rom_data[8048]; /* rest of the option ROM */
11010 } __attribute__((packed));
11012 struct pnp_header {
11013 diff -urNp linux-2.6.32.42/arch/x86/include/asm/vsyscall.h linux-2.6.32.42/arch/x86/include/asm/vsyscall.h
11014 --- linux-2.6.32.42/arch/x86/include/asm/vsyscall.h 2011-03-27 14:31:47.000000000 -0400
11015 +++ linux-2.6.32.42/arch/x86/include/asm/vsyscall.h 2011-04-17 15:56:46.000000000 -0400
11016 @@ -15,9 +15,10 @@ enum vsyscall_num {
11019 #include <linux/seqlock.h>
11020 +#include <linux/getcpu.h>
11021 +#include <linux/time.h>
11023 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
11024 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
11026 /* Definitions for CONFIG_GENERIC_TIME definitions */
11027 #define __section_vsyscall_gtod_data __attribute__ \
11028 @@ -31,7 +32,6 @@ enum vsyscall_num {
11029 #define VGETCPU_LSL 2
11031 extern int __vgetcpu_mode;
11032 -extern volatile unsigned long __jiffies;
11034 /* kernel space (writeable) */
11035 extern int vgetcpu_mode;
11036 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
11038 extern void map_vsyscall(void);
11040 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
11041 +extern time_t vtime(time_t *t);
11042 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
11043 #endif /* __KERNEL__ */
11045 #endif /* _ASM_X86_VSYSCALL_H */
11046 diff -urNp linux-2.6.32.42/arch/x86/include/asm/xsave.h linux-2.6.32.42/arch/x86/include/asm/xsave.h
11047 --- linux-2.6.32.42/arch/x86/include/asm/xsave.h 2011-03-27 14:31:47.000000000 -0400
11048 +++ linux-2.6.32.42/arch/x86/include/asm/xsave.h 2011-04-17 15:56:46.000000000 -0400
11049 @@ -56,6 +56,12 @@ static inline int xrstor_checking(struct
11050 static inline int xsave_user(struct xsave_struct __user *buf)
11054 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11055 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
11056 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
11059 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
11061 ".section .fixup,\"ax\"\n"
11062 @@ -82,6 +88,11 @@ static inline int xrestore_user(struct x
11064 u32 hmask = mask >> 32;
11066 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
11067 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
11068 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
11071 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
11073 ".section .fixup,\"ax\"\n"
11074 diff -urNp linux-2.6.32.42/arch/x86/Kconfig linux-2.6.32.42/arch/x86/Kconfig
11075 --- linux-2.6.32.42/arch/x86/Kconfig 2011-03-27 14:31:47.000000000 -0400
11076 +++ linux-2.6.32.42/arch/x86/Kconfig 2011-04-17 15:56:46.000000000 -0400
11077 @@ -223,7 +223,7 @@ config X86_TRAMPOLINE
11079 config X86_32_LAZY_GS
11081 - depends on X86_32 && !CC_STACKPROTECTOR
11082 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
11084 config KTIME_SCALAR
11086 @@ -1008,7 +1008,7 @@ choice
11090 - depends on !X86_NUMAQ
11091 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11093 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
11094 However, the address space of 32-bit x86 processors is only 4
11095 @@ -1045,7 +1045,7 @@ config NOHIGHMEM
11099 - depends on !X86_NUMAQ
11100 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
11102 Select this if you have a 32-bit processor and between 1 and 4
11103 gigabytes of physical RAM.
11104 @@ -1099,7 +1099,7 @@ config PAGE_OFFSET
11106 default 0xB0000000 if VMSPLIT_3G_OPT
11107 default 0x80000000 if VMSPLIT_2G
11108 - default 0x78000000 if VMSPLIT_2G_OPT
11109 + default 0x70000000 if VMSPLIT_2G_OPT
11110 default 0x40000000 if VMSPLIT_1G
11113 @@ -1430,7 +1430,7 @@ config ARCH_USES_PG_UNCACHED
11116 bool "EFI runtime service support"
11118 + depends on ACPI && !PAX_KERNEXEC
11120 This enables the kernel to use EFI runtime services that are
11121 available (such as the EFI variable services).
11122 @@ -1460,6 +1460,7 @@ config SECCOMP
11124 config CC_STACKPROTECTOR
11125 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
11126 + depends on X86_64 || !PAX_MEMORY_UDEREF
11128 This option turns on the -fstack-protector GCC feature. This
11129 feature puts, at the beginning of functions, a canary value on
11130 @@ -1517,6 +1518,7 @@ config KEXEC_JUMP
11131 config PHYSICAL_START
11132 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
11133 default "0x1000000"
11134 + range 0x400000 0x40000000
11136 This gives the physical address where the kernel is loaded.
11138 @@ -1581,6 +1583,7 @@ config PHYSICAL_ALIGN
11140 prompt "Alignment value to which kernel should be aligned" if X86_32
11141 default "0x1000000"
11142 + range 0x400000 0x1000000 if PAX_KERNEXEC
11143 range 0x2000 0x1000000
11145 This value puts the alignment restrictions on physical address
11146 @@ -1612,9 +1615,10 @@ config HOTPLUG_CPU
11147 Say N if you want to disable CPU hotplug.
11152 prompt "Compat VDSO support"
11153 depends on X86_32 || IA32_EMULATION
11154 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
11156 Map the 32-bit VDSO to the predictable old-style address too.
11158 diff -urNp linux-2.6.32.42/arch/x86/Kconfig.cpu linux-2.6.32.42/arch/x86/Kconfig.cpu
11159 --- linux-2.6.32.42/arch/x86/Kconfig.cpu 2011-03-27 14:31:47.000000000 -0400
11160 +++ linux-2.6.32.42/arch/x86/Kconfig.cpu 2011-04-17 15:56:46.000000000 -0400
11161 @@ -340,7 +340,7 @@ config X86_PPRO_FENCE
11163 config X86_F00F_BUG
11165 - depends on M586MMX || M586TSC || M586 || M486 || M386
11166 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
11168 config X86_WP_WORKS_OK
11170 @@ -360,7 +360,7 @@ config X86_POPAD_OK
11172 config X86_ALIGNMENT_16
11174 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
11175 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
11177 config X86_INTEL_USERCOPY
11179 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
11183 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
11184 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM)
11186 config X86_MINIMUM_CPU_FAMILY
11188 diff -urNp linux-2.6.32.42/arch/x86/Kconfig.debug linux-2.6.32.42/arch/x86/Kconfig.debug
11189 --- linux-2.6.32.42/arch/x86/Kconfig.debug 2011-03-27 14:31:47.000000000 -0400
11190 +++ linux-2.6.32.42/arch/x86/Kconfig.debug 2011-04-17 15:56:46.000000000 -0400
11191 @@ -99,7 +99,7 @@ config X86_PTDUMP
11192 config DEBUG_RODATA
11193 bool "Write protect kernel read-only data structures"
11195 - depends on DEBUG_KERNEL
11196 + depends on DEBUG_KERNEL && BROKEN
11198 Mark the kernel read-only data as write-protected in the pagetables,
11199 in order to catch accidental (and incorrect) writes to such const
11200 diff -urNp linux-2.6.32.42/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.32.42/arch/x86/kernel/acpi/realmode/wakeup.S
11201 --- linux-2.6.32.42/arch/x86/kernel/acpi/realmode/wakeup.S 2011-03-27 14:31:47.000000000 -0400
11202 +++ linux-2.6.32.42/arch/x86/kernel/acpi/realmode/wakeup.S 2011-04-17 15:56:46.000000000 -0400
11203 @@ -104,7 +104,7 @@ _start:
11207 - movl $0xc0000080, %ecx
11208 + mov $MSR_EFER, %ecx
11212 diff -urNp linux-2.6.32.42/arch/x86/kernel/acpi/sleep.c linux-2.6.32.42/arch/x86/kernel/acpi/sleep.c
11213 --- linux-2.6.32.42/arch/x86/kernel/acpi/sleep.c 2011-03-27 14:31:47.000000000 -0400
11214 +++ linux-2.6.32.42/arch/x86/kernel/acpi/sleep.c 2011-04-17 15:56:46.000000000 -0400
11215 @@ -11,11 +11,12 @@
11216 #include <linux/cpumask.h>
11217 #include <asm/segment.h>
11218 #include <asm/desc.h>
11219 +#include <asm/e820.h>
11221 #include "realmode/wakeup.h"
11224 -unsigned long acpi_wakeup_address;
11225 +unsigned long acpi_wakeup_address = 0x2000;
11226 unsigned long acpi_realmode_flags;
11228 /* address in low memory of the wakeup routine. */
11229 @@ -99,8 +100,12 @@ int acpi_save_state_mem(void)
11230 header->trampoline_segment = setup_trampoline() >> 4;
11232 stack_start.sp = temp_stack + sizeof(temp_stack);
11234 + pax_open_kernel();
11235 early_gdt_descr.address =
11236 (unsigned long)get_cpu_gdt_table(smp_processor_id());
11237 + pax_close_kernel();
11239 initial_gs = per_cpu_offset(smp_processor_id());
11241 initial_code = (unsigned long)wakeup_long64;
11242 @@ -134,14 +139,8 @@ void __init acpi_reserve_bootmem(void)
11246 - acpi_realmode = (unsigned long)alloc_bootmem_low(WAKEUP_SIZE);
11248 - if (!acpi_realmode) {
11249 - printk(KERN_ERR "ACPI: Cannot allocate lowmem, S3 disabled.\n");
11253 - acpi_wakeup_address = virt_to_phys((void *)acpi_realmode);
11254 + reserve_early(acpi_wakeup_address, acpi_wakeup_address + WAKEUP_SIZE, "ACPI Wakeup Code");
11255 + acpi_realmode = (unsigned long)__va(acpi_wakeup_address);;
11259 diff -urNp linux-2.6.32.42/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.32.42/arch/x86/kernel/acpi/wakeup_32.S
11260 --- linux-2.6.32.42/arch/x86/kernel/acpi/wakeup_32.S 2011-03-27 14:31:47.000000000 -0400
11261 +++ linux-2.6.32.42/arch/x86/kernel/acpi/wakeup_32.S 2011-04-17 15:56:46.000000000 -0400
11262 @@ -30,13 +30,11 @@ wakeup_pmode_return:
11263 # and restore the stack ... but you need gdt for this to work
11264 movl saved_context_esp, %esp
11266 - movl %cs:saved_magic, %eax
11267 - cmpl $0x12345678, %eax
11268 + cmpl $0x12345678, saved_magic
11271 # jump to place where we left off
11272 - movl saved_eip, %eax
11278 diff -urNp linux-2.6.32.42/arch/x86/kernel/alternative.c linux-2.6.32.42/arch/x86/kernel/alternative.c
11279 --- linux-2.6.32.42/arch/x86/kernel/alternative.c 2011-03-27 14:31:47.000000000 -0400
11280 +++ linux-2.6.32.42/arch/x86/kernel/alternative.c 2011-04-17 15:56:46.000000000 -0400
11281 @@ -407,7 +407,7 @@ void __init_or_module apply_paravirt(str
11283 BUG_ON(p->len > MAX_PATCH_LEN);
11284 /* prep the buffer with the original instructions */
11285 - memcpy(insnbuf, p->instr, p->len);
11286 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
11287 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
11288 (unsigned long)p->instr, p->len);
11290 @@ -475,7 +475,7 @@ void __init alternative_instructions(voi
11292 free_init_pages("SMP alternatives",
11293 (unsigned long)__smp_locks,
11294 - (unsigned long)__smp_locks_end);
11295 + PAGE_ALIGN((unsigned long)__smp_locks_end));
11299 @@ -492,13 +492,17 @@ void __init alternative_instructions(voi
11300 * instructions. And on the local CPU you need to be protected again NMI or MCE
11301 * handlers seeing an inconsistent instruction while you patch.
11303 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
11304 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
11307 unsigned long flags;
11308 local_irq_save(flags);
11309 - memcpy(addr, opcode, len);
11311 + pax_open_kernel();
11312 + memcpy(ktla_ktva(addr), opcode, len);
11314 + pax_close_kernel();
11316 local_irq_restore(flags);
11317 /* Could also do a CLFLUSH here to speed up CPU recovery; but
11318 that causes hangs on some VIA CPUs. */
11319 @@ -520,35 +524,21 @@ static void *__init_or_module text_poke_
11321 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
11323 - unsigned long flags;
11325 + unsigned char *vaddr = ktla_ktva(addr);
11326 struct page *pages[2];
11330 if (!core_kernel_text((unsigned long)addr)) {
11331 - pages[0] = vmalloc_to_page(addr);
11332 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
11333 + pages[0] = vmalloc_to_page(vaddr);
11334 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
11336 - pages[0] = virt_to_page(addr);
11337 + pages[0] = virt_to_page(vaddr);
11338 WARN_ON(!PageReserved(pages[0]));
11339 - pages[1] = virt_to_page(addr + PAGE_SIZE);
11340 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
11343 - local_irq_save(flags);
11344 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
11346 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
11347 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
11348 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
11349 - clear_fixmap(FIX_TEXT_POKE0);
11351 - clear_fixmap(FIX_TEXT_POKE1);
11352 - local_flush_tlb();
11354 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
11355 - that causes hangs on some VIA CPUs. */
11356 + text_poke_early(addr, opcode, len);
11357 for (i = 0; i < len; i++)
11358 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
11359 - local_irq_restore(flags);
11360 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
11363 diff -urNp linux-2.6.32.42/arch/x86/kernel/amd_iommu.c linux-2.6.32.42/arch/x86/kernel/amd_iommu.c
11364 --- linux-2.6.32.42/arch/x86/kernel/amd_iommu.c 2011-03-27 14:31:47.000000000 -0400
11365 +++ linux-2.6.32.42/arch/x86/kernel/amd_iommu.c 2011-04-17 15:56:46.000000000 -0400
11366 @@ -2076,7 +2076,7 @@ static void prealloc_protection_domains(
11370 -static struct dma_map_ops amd_iommu_dma_ops = {
11371 +static const struct dma_map_ops amd_iommu_dma_ops = {
11372 .alloc_coherent = alloc_coherent,
11373 .free_coherent = free_coherent,
11374 .map_page = map_page,
11375 diff -urNp linux-2.6.32.42/arch/x86/kernel/apic/apic.c linux-2.6.32.42/arch/x86/kernel/apic/apic.c
11376 --- linux-2.6.32.42/arch/x86/kernel/apic/apic.c 2011-03-27 14:31:47.000000000 -0400
11377 +++ linux-2.6.32.42/arch/x86/kernel/apic/apic.c 2011-05-16 21:46:57.000000000 -0400
11378 @@ -1794,7 +1794,7 @@ void smp_error_interrupt(struct pt_regs
11379 apic_write(APIC_ESR, 0);
11380 v1 = apic_read(APIC_ESR);
11382 - atomic_inc(&irq_err_count);
11383 + atomic_inc_unchecked(&irq_err_count);
11386 * Here is what the APIC error bits mean:
11387 @@ -2184,6 +2184,8 @@ static int __cpuinit apic_cluster_num(vo
11388 u16 *bios_cpu_apicid;
11389 DECLARE_BITMAP(clustermap, NUM_APIC_CLUSTERS);
11391 + pax_track_stack();
11393 bios_cpu_apicid = early_per_cpu_ptr(x86_bios_cpu_apicid);
11394 bitmap_zero(clustermap, NUM_APIC_CLUSTERS);
11396 diff -urNp linux-2.6.32.42/arch/x86/kernel/apic/io_apic.c linux-2.6.32.42/arch/x86/kernel/apic/io_apic.c
11397 --- linux-2.6.32.42/arch/x86/kernel/apic/io_apic.c 2011-03-27 14:31:47.000000000 -0400
11398 +++ linux-2.6.32.42/arch/x86/kernel/apic/io_apic.c 2011-05-04 17:56:20.000000000 -0400
11399 @@ -716,7 +716,7 @@ struct IO_APIC_route_entry **alloc_ioapi
11400 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
11402 if (!ioapic_entries)
11406 for (apic = 0; apic < nr_ioapics; apic++) {
11407 ioapic_entries[apic] =
11408 @@ -733,7 +733,7 @@ nomem:
11409 kfree(ioapic_entries[apic]);
11410 kfree(ioapic_entries);
11417 @@ -1150,7 +1150,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
11419 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
11421 -void lock_vector_lock(void)
11422 +void lock_vector_lock(void) __acquires(vector_lock)
11424 /* Used to the online set of cpus does not change
11425 * during assign_irq_vector.
11426 @@ -1158,7 +1158,7 @@ void lock_vector_lock(void)
11427 spin_lock(&vector_lock);
11430 -void unlock_vector_lock(void)
11431 +void unlock_vector_lock(void) __releases(vector_lock)
11433 spin_unlock(&vector_lock);
11435 @@ -2542,7 +2542,7 @@ static void ack_apic_edge(unsigned int i
11439 -atomic_t irq_mis_count;
11440 +atomic_unchecked_t irq_mis_count;
11442 static void ack_apic_level(unsigned int irq)
11444 @@ -2626,7 +2626,7 @@ static void ack_apic_level(unsigned int
11446 /* Tail end of version 0x11 I/O APIC bug workaround */
11447 if (!(v & (1 << (i & 0x1f)))) {
11448 - atomic_inc(&irq_mis_count);
11449 + atomic_inc_unchecked(&irq_mis_count);
11450 spin_lock(&ioapic_lock);
11451 __mask_and_edge_IO_APIC_irq(cfg);
11452 __unmask_and_level_IO_APIC_irq(cfg);
11453 diff -urNp linux-2.6.32.42/arch/x86/kernel/apm_32.c linux-2.6.32.42/arch/x86/kernel/apm_32.c
11454 --- linux-2.6.32.42/arch/x86/kernel/apm_32.c 2011-03-27 14:31:47.000000000 -0400
11455 +++ linux-2.6.32.42/arch/x86/kernel/apm_32.c 2011-04-23 12:56:10.000000000 -0400
11456 @@ -410,7 +410,7 @@ static DEFINE_SPINLOCK(user_list_lock);
11457 * This is for buggy BIOS's that refer to (real mode) segment 0x40
11458 * even though they are called in protected mode.
11460 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
11461 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
11462 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
11464 static const char driver_version[] = "1.16ac"; /* no spaces */
11465 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
11467 gdt = get_cpu_gdt_table(cpu);
11468 save_desc_40 = gdt[0x40 / 8];
11470 + pax_open_kernel();
11471 gdt[0x40 / 8] = bad_bios_desc;
11472 + pax_close_kernel();
11474 apm_irq_save(flags);
11476 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
11478 APM_DO_RESTORE_SEGS;
11479 apm_irq_restore(flags);
11481 + pax_open_kernel();
11482 gdt[0x40 / 8] = save_desc_40;
11483 + pax_close_kernel();
11487 return call->eax & 0xff;
11488 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
11490 gdt = get_cpu_gdt_table(cpu);
11491 save_desc_40 = gdt[0x40 / 8];
11493 + pax_open_kernel();
11494 gdt[0x40 / 8] = bad_bios_desc;
11495 + pax_close_kernel();
11497 apm_irq_save(flags);
11499 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
11501 APM_DO_RESTORE_SEGS;
11502 apm_irq_restore(flags);
11504 + pax_open_kernel();
11505 gdt[0x40 / 8] = save_desc_40;
11506 + pax_close_kernel();
11511 @@ -975,7 +989,7 @@ recalc:
11513 static void apm_power_off(void)
11515 - unsigned char po_bios_call[] = {
11516 + const unsigned char po_bios_call[] = {
11517 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
11518 0x8e, 0xd0, /* movw ax,ss */
11519 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
11520 @@ -2357,12 +2371,15 @@ static int __init apm_init(void)
11521 * code to that CPU.
11523 gdt = get_cpu_gdt_table(0);
11525 + pax_open_kernel();
11526 set_desc_base(&gdt[APM_CS >> 3],
11527 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
11528 set_desc_base(&gdt[APM_CS_16 >> 3],
11529 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
11530 set_desc_base(&gdt[APM_DS >> 3],
11531 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
11532 + pax_close_kernel();
11534 proc_create("apm", 0, NULL, &apm_file_ops);
11536 diff -urNp linux-2.6.32.42/arch/x86/kernel/asm-offsets_32.c linux-2.6.32.42/arch/x86/kernel/asm-offsets_32.c
11537 --- linux-2.6.32.42/arch/x86/kernel/asm-offsets_32.c 2011-03-27 14:31:47.000000000 -0400
11538 +++ linux-2.6.32.42/arch/x86/kernel/asm-offsets_32.c 2011-05-16 21:46:57.000000000 -0400
11539 @@ -51,7 +51,6 @@ void foo(void)
11540 OFFSET(CPUINFO_x86_vendor_id, cpuinfo_x86, x86_vendor_id);
11543 - OFFSET(TI_task, thread_info, task);
11544 OFFSET(TI_exec_domain, thread_info, exec_domain);
11545 OFFSET(TI_flags, thread_info, flags);
11546 OFFSET(TI_status, thread_info, status);
11547 @@ -60,6 +59,8 @@ void foo(void)
11548 OFFSET(TI_restart_block, thread_info, restart_block);
11549 OFFSET(TI_sysenter_return, thread_info, sysenter_return);
11550 OFFSET(TI_cpu, thread_info, cpu);
11551 + OFFSET(TI_lowest_stack, thread_info, lowest_stack);
11552 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
11555 OFFSET(GDS_size, desc_ptr, size);
11556 @@ -99,6 +100,7 @@ void foo(void)
11558 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
11559 DEFINE(PAGE_SHIFT_asm, PAGE_SHIFT);
11560 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
11561 DEFINE(PTRS_PER_PTE, PTRS_PER_PTE);
11562 DEFINE(PTRS_PER_PMD, PTRS_PER_PMD);
11563 DEFINE(PTRS_PER_PGD, PTRS_PER_PGD);
11564 @@ -115,6 +117,11 @@ void foo(void)
11565 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
11566 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
11567 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
11569 +#ifdef CONFIG_PAX_KERNEXEC
11570 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
11576 diff -urNp linux-2.6.32.42/arch/x86/kernel/asm-offsets_64.c linux-2.6.32.42/arch/x86/kernel/asm-offsets_64.c
11577 --- linux-2.6.32.42/arch/x86/kernel/asm-offsets_64.c 2011-03-27 14:31:47.000000000 -0400
11578 +++ linux-2.6.32.42/arch/x86/kernel/asm-offsets_64.c 2011-05-16 21:46:57.000000000 -0400
11579 @@ -44,6 +44,8 @@ int main(void)
11581 ENTRY(preempt_count);
11583 + ENTRY(lowest_stack);
11584 + DEFINE(TI_task_thread_sp0, offsetof(struct task_struct, thread.sp0) - offsetof(struct task_struct, tinfo));
11585 #ifdef CONFIG_IA32_EMULATION
11586 ENTRY(sysenter_return);
11588 @@ -63,6 +65,18 @@ int main(void)
11589 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
11590 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
11591 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
11593 +#ifdef CONFIG_PAX_KERNEXEC
11594 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
11595 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
11598 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11599 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
11600 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
11601 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
11607 @@ -115,6 +129,7 @@ int main(void)
11611 + DEFINE(TSS_size, sizeof(struct tss_struct));
11612 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
11614 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
11615 @@ -130,6 +145,7 @@ int main(void)
11618 DEFINE(PAGE_SIZE_asm, PAGE_SIZE);
11619 + DEFINE(THREAD_SIZE_asm, THREAD_SIZE);
11622 OFFSET(XEN_vcpu_info_mask, vcpu_info, evtchn_upcall_mask);
11623 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/amd.c linux-2.6.32.42/arch/x86/kernel/cpu/amd.c
11624 --- linux-2.6.32.42/arch/x86/kernel/cpu/amd.c 2011-06-25 12:55:34.000000000 -0400
11625 +++ linux-2.6.32.42/arch/x86/kernel/cpu/amd.c 2011-06-25 12:56:37.000000000 -0400
11626 @@ -602,7 +602,7 @@ static unsigned int __cpuinit amd_size_c
11629 /* AMD errata T13 (order #21922) */
11630 - if ((c->x86 == 6)) {
11631 + if (c->x86 == 6) {
11633 if (c->x86_model == 3 && c->x86_mask == 0)
11635 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/common.c linux-2.6.32.42/arch/x86/kernel/cpu/common.c
11636 --- linux-2.6.32.42/arch/x86/kernel/cpu/common.c 2011-03-27 14:31:47.000000000 -0400
11637 +++ linux-2.6.32.42/arch/x86/kernel/cpu/common.c 2011-05-11 18:25:15.000000000 -0400
11638 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
11640 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
11642 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
11643 -#ifdef CONFIG_X86_64
11645 - * We need valid kernel segments for data and code in long mode too
11646 - * IRET will check the segment types kkeil 2000/10/28
11647 - * Also sysret mandates a special GDT layout
11649 - * TLS descriptors are currently at a different place compared to i386.
11650 - * Hopefully nobody expects them at a fixed place (Wine?)
11652 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
11653 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
11654 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
11655 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
11656 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
11657 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
11659 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
11660 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
11661 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
11662 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
11664 - * Segments used for calling PnP BIOS have byte granularity.
11665 - * They code segments and data segments have fixed 64k limits,
11666 - * the transfer segment sizes are set at run time.
11668 - /* 32-bit code */
11669 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
11670 - /* 16-bit code */
11671 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
11672 - /* 16-bit data */
11673 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
11674 - /* 16-bit data */
11675 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
11676 - /* 16-bit data */
11677 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
11679 - * The APM segments have byte granularity and their bases
11680 - * are set at run time. All have 64k limits.
11682 - /* 32-bit code */
11683 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
11684 - /* 16-bit code */
11685 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
11687 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
11689 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
11690 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
11691 - GDT_STACK_CANARY_INIT
11694 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
11696 static int __init x86_xsave_setup(char *s)
11698 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
11699 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
11701 struct desc_ptr gdt_descr;
11703 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
11704 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
11705 gdt_descr.size = GDT_SIZE - 1;
11706 load_gdt(&gdt_descr);
11707 /* Reload the per-cpu base */
11708 @@ -798,6 +744,10 @@ static void __cpuinit identify_cpu(struc
11709 /* Filter out anything that depends on CPUID levels we don't have */
11710 filter_cpuid_features(c, true);
11712 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
11713 + setup_clear_cpu_cap(X86_FEATURE_SEP);
11716 /* If the model name is still unset, do table lookup. */
11717 if (!c->x86_model_id[0]) {
11719 @@ -980,6 +930,9 @@ static __init int setup_disablecpuid(cha
11721 __setup("clearcpuid=", setup_disablecpuid);
11723 +DEFINE_PER_CPU(struct thread_info *, current_tinfo) = &init_task.tinfo;
11724 +EXPORT_PER_CPU_SYMBOL(current_tinfo);
11726 #ifdef CONFIG_X86_64
11727 struct desc_ptr idt_descr = { NR_VECTORS * 16 - 1, (unsigned long) idt_table };
11729 @@ -995,7 +948,7 @@ DEFINE_PER_CPU(struct task_struct *, cur
11730 EXPORT_PER_CPU_SYMBOL(current_task);
11732 DEFINE_PER_CPU(unsigned long, kernel_stack) =
11733 - (unsigned long)&init_thread_union - KERNEL_STACK_OFFSET + THREAD_SIZE;
11734 + (unsigned long)&init_thread_union - 16 + THREAD_SIZE;
11735 EXPORT_PER_CPU_SYMBOL(kernel_stack);
11737 DEFINE_PER_CPU(char *, irq_stack_ptr) =
11738 @@ -1060,7 +1013,7 @@ struct pt_regs * __cpuinit idle_regs(str
11740 memset(regs, 0, sizeof(struct pt_regs));
11741 regs->fs = __KERNEL_PERCPU;
11742 - regs->gs = __KERNEL_STACK_CANARY;
11743 + savesegment(gs, regs->gs);
11747 @@ -1101,7 +1054,7 @@ void __cpuinit cpu_init(void)
11750 cpu = stack_smp_processor_id();
11751 - t = &per_cpu(init_tss, cpu);
11752 + t = init_tss + cpu;
11753 orig_ist = &per_cpu(orig_ist, cpu);
11756 @@ -1127,7 +1080,7 @@ void __cpuinit cpu_init(void)
11757 switch_to_new_gdt(cpu);
11758 loadsegment(fs, 0);
11760 - load_idt((const struct desc_ptr *)&idt_descr);
11761 + load_idt(&idt_descr);
11763 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
11765 @@ -1136,7 +1089,6 @@ void __cpuinit cpu_init(void)
11766 wrmsrl(MSR_KERNEL_GS_BASE, 0);
11773 @@ -1199,7 +1151,7 @@ void __cpuinit cpu_init(void)
11775 int cpu = smp_processor_id();
11776 struct task_struct *curr = current;
11777 - struct tss_struct *t = &per_cpu(init_tss, cpu);
11778 + struct tss_struct *t = init_tss + cpu;
11779 struct thread_struct *thread = &curr->thread;
11781 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
11782 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/intel.c linux-2.6.32.42/arch/x86/kernel/cpu/intel.c
11783 --- linux-2.6.32.42/arch/x86/kernel/cpu/intel.c 2011-03-27 14:31:47.000000000 -0400
11784 +++ linux-2.6.32.42/arch/x86/kernel/cpu/intel.c 2011-04-17 15:56:46.000000000 -0400
11785 @@ -162,7 +162,7 @@ static void __cpuinit trap_init_f00f_bug
11786 * Update the IDT descriptor and reload the IDT so that
11787 * it uses the read-only mapped virtual address.
11789 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
11790 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
11791 load_idt(&idt_descr);
11794 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/intel_cacheinfo.c linux-2.6.32.42/arch/x86/kernel/cpu/intel_cacheinfo.c
11795 --- linux-2.6.32.42/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-03-27 14:31:47.000000000 -0400
11796 +++ linux-2.6.32.42/arch/x86/kernel/cpu/intel_cacheinfo.c 2011-04-17 15:56:46.000000000 -0400
11797 @@ -921,7 +921,7 @@ static ssize_t store(struct kobject *kob
11801 -static struct sysfs_ops sysfs_ops = {
11802 +static const struct sysfs_ops sysfs_ops = {
11806 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/Makefile linux-2.6.32.42/arch/x86/kernel/cpu/Makefile
11807 --- linux-2.6.32.42/arch/x86/kernel/cpu/Makefile 2011-03-27 14:31:47.000000000 -0400
11808 +++ linux-2.6.32.42/arch/x86/kernel/cpu/Makefile 2011-04-17 15:56:46.000000000 -0400
11809 @@ -7,10 +7,6 @@ ifdef CONFIG_FUNCTION_TRACER
11810 CFLAGS_REMOVE_common.o = -pg
11813 -# Make sure load_percpu_segment has no stackprotector
11814 -nostackp := $(call cc-option, -fno-stack-protector)
11815 -CFLAGS_common.o := $(nostackp)
11817 obj-y := intel_cacheinfo.o addon_cpuid_features.o
11818 obj-y += proc.o capflags.o powerflags.o common.o
11819 obj-y += vmware.o hypervisor.o sched.o
11820 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/mcheck/mce_amd.c linux-2.6.32.42/arch/x86/kernel/cpu/mcheck/mce_amd.c
11821 --- linux-2.6.32.42/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-05-23 16:56:59.000000000 -0400
11822 +++ linux-2.6.32.42/arch/x86/kernel/cpu/mcheck/mce_amd.c 2011-05-23 16:57:13.000000000 -0400
11823 @@ -385,7 +385,7 @@ static ssize_t store(struct kobject *kob
11827 -static struct sysfs_ops threshold_ops = {
11828 +static const struct sysfs_ops threshold_ops = {
11832 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.32.42/arch/x86/kernel/cpu/mcheck/mce.c
11833 --- linux-2.6.32.42/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-27 14:31:47.000000000 -0400
11834 +++ linux-2.6.32.42/arch/x86/kernel/cpu/mcheck/mce.c 2011-05-04 17:56:20.000000000 -0400
11836 #include <asm/ipi.h>
11837 #include <asm/mce.h>
11838 #include <asm/msr.h>
11839 +#include <asm/local.h>
11841 #include "mce-internal.h"
11843 @@ -187,7 +188,7 @@ static void print_mce(struct mce *m)
11844 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
11847 - if (m->cs == __KERNEL_CS)
11848 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
11849 print_symbol("{%s}", m->ip);
11852 @@ -221,10 +222,10 @@ static void print_mce_tail(void)
11854 #define PANIC_TIMEOUT 5 /* 5 seconds */
11856 -static atomic_t mce_paniced;
11857 +static atomic_unchecked_t mce_paniced;
11859 static int fake_panic;
11860 -static atomic_t mce_fake_paniced;
11861 +static atomic_unchecked_t mce_fake_paniced;
11863 /* Panic in progress. Enable interrupts and wait for final IPI */
11864 static void wait_for_panic(void)
11865 @@ -248,7 +249,7 @@ static void mce_panic(char *msg, struct
11867 * Make sure only one CPU runs in machine check panic
11869 - if (atomic_inc_return(&mce_paniced) > 1)
11870 + if (atomic_inc_return_unchecked(&mce_paniced) > 1)
11874 @@ -256,7 +257,7 @@ static void mce_panic(char *msg, struct
11877 /* Don't log too much for fake panic */
11878 - if (atomic_inc_return(&mce_fake_paniced) > 1)
11879 + if (atomic_inc_return_unchecked(&mce_fake_paniced) > 1)
11883 @@ -616,7 +617,7 @@ static int mce_timed_out(u64 *t)
11884 * might have been modified by someone else.
11887 - if (atomic_read(&mce_paniced))
11888 + if (atomic_read_unchecked(&mce_paniced))
11890 if (!monarch_timeout)
11892 @@ -1429,14 +1430,14 @@ void __cpuinit mcheck_init(struct cpuinf
11895 static DEFINE_SPINLOCK(mce_state_lock);
11896 -static int open_count; /* #times opened */
11897 +static local_t open_count; /* #times opened */
11898 static int open_exclu; /* already open exclusive? */
11900 static int mce_open(struct inode *inode, struct file *file)
11902 spin_lock(&mce_state_lock);
11904 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
11905 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
11906 spin_unlock(&mce_state_lock);
11909 @@ -1444,7 +1445,7 @@ static int mce_open(struct inode *inode,
11911 if (file->f_flags & O_EXCL)
11914 + local_inc(&open_count);
11916 spin_unlock(&mce_state_lock);
11918 @@ -1455,7 +1456,7 @@ static int mce_release(struct inode *ino
11920 spin_lock(&mce_state_lock);
11923 + local_dec(&open_count);
11926 spin_unlock(&mce_state_lock);
11927 @@ -2082,7 +2083,7 @@ struct dentry *mce_get_debugfs_dir(void)
11928 static void mce_reset(void)
11931 - atomic_set(&mce_fake_paniced, 0);
11932 + atomic_set_unchecked(&mce_fake_paniced, 0);
11933 atomic_set(&mce_executing, 0);
11934 atomic_set(&mce_callin, 0);
11935 atomic_set(&global_nwo, 0);
11936 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/amd.c linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/amd.c
11937 --- linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/amd.c 2011-03-27 14:31:47.000000000 -0400
11938 +++ linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/amd.c 2011-04-17 15:56:46.000000000 -0400
11939 @@ -108,7 +108,7 @@ amd_validate_add_page(unsigned long base
11943 -static struct mtrr_ops amd_mtrr_ops = {
11944 +static const struct mtrr_ops amd_mtrr_ops = {
11945 .vendor = X86_VENDOR_AMD,
11946 .set = amd_set_mtrr,
11947 .get = amd_get_mtrr,
11948 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/centaur.c linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/centaur.c
11949 --- linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/centaur.c 2011-03-27 14:31:47.000000000 -0400
11950 +++ linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/centaur.c 2011-04-17 15:56:46.000000000 -0400
11951 @@ -110,7 +110,7 @@ centaur_validate_add_page(unsigned long
11955 -static struct mtrr_ops centaur_mtrr_ops = {
11956 +static const struct mtrr_ops centaur_mtrr_ops = {
11957 .vendor = X86_VENDOR_CENTAUR,
11958 .set = centaur_set_mcr,
11959 .get = centaur_get_mcr,
11960 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/cyrix.c linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/cyrix.c
11961 --- linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-03-27 14:31:47.000000000 -0400
11962 +++ linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/cyrix.c 2011-04-17 15:56:46.000000000 -0400
11963 @@ -265,7 +265,7 @@ static void cyrix_set_all(void)
11967 -static struct mtrr_ops cyrix_mtrr_ops = {
11968 +static const struct mtrr_ops cyrix_mtrr_ops = {
11969 .vendor = X86_VENDOR_CYRIX,
11970 .set_all = cyrix_set_all,
11971 .set = cyrix_set_arr,
11972 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/generic.c
11973 --- linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/generic.c 2011-03-27 14:31:47.000000000 -0400
11974 +++ linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/generic.c 2011-04-23 12:56:10.000000000 -0400
11975 @@ -752,7 +752,7 @@ int positive_have_wrcomb(void)
11977 * Generic structure...
11979 -struct mtrr_ops generic_mtrr_ops = {
11980 +const struct mtrr_ops generic_mtrr_ops = {
11982 .set_all = generic_set_all,
11983 .get = generic_get_mtrr,
11984 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/main.c
11985 --- linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 17:00:52.000000000 -0400
11986 +++ linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/main.c 2011-04-17 17:03:05.000000000 -0400
11987 @@ -60,14 +60,14 @@ static DEFINE_MUTEX(mtrr_mutex);
11988 u64 size_or_mask, size_and_mask;
11989 static bool mtrr_aps_delayed_init;
11991 -static struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
11992 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
11994 -struct mtrr_ops *mtrr_if;
11995 +const struct mtrr_ops *mtrr_if;
11997 static void set_mtrr(unsigned int reg, unsigned long base,
11998 unsigned long size, mtrr_type type);
12000 -void set_mtrr_ops(struct mtrr_ops *ops)
12001 +void set_mtrr_ops(const struct mtrr_ops *ops)
12003 if (ops->vendor && ops->vendor < X86_VENDOR_NUM)
12004 mtrr_ops[ops->vendor] = ops;
12005 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/mtrr.h
12006 --- linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-27 14:31:47.000000000 -0400
12007 +++ linux-2.6.32.42/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-04-17 15:56:46.000000000 -0400
12008 @@ -12,19 +12,19 @@
12009 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
12013 - u32 use_intel_if;
12014 - void (*set)(unsigned int reg, unsigned long base,
12015 + const u32 vendor;
12016 + const u32 use_intel_if;
12017 + void (* const set)(unsigned int reg, unsigned long base,
12018 unsigned long size, mtrr_type type);
12019 - void (*set_all)(void);
12020 + void (* const set_all)(void);
12022 - void (*get)(unsigned int reg, unsigned long *base,
12023 + void (* const get)(unsigned int reg, unsigned long *base,
12024 unsigned long *size, mtrr_type *type);
12025 - int (*get_free_region)(unsigned long base, unsigned long size,
12026 + int (* const get_free_region)(unsigned long base, unsigned long size,
12028 - int (*validate_add_page)(unsigned long base, unsigned long size,
12029 + int (* const validate_add_page)(unsigned long base, unsigned long size,
12030 unsigned int type);
12031 - int (*have_wrcomb)(void);
12032 + int (* const have_wrcomb)(void);
12035 extern int generic_get_free_region(unsigned long base, unsigned long size,
12036 @@ -32,7 +32,7 @@ extern int generic_get_free_region(unsig
12037 extern int generic_validate_add_page(unsigned long base, unsigned long size,
12038 unsigned int type);
12040 -extern struct mtrr_ops generic_mtrr_ops;
12041 +extern const struct mtrr_ops generic_mtrr_ops;
12043 extern int positive_have_wrcomb(void);
12045 @@ -53,10 +53,10 @@ void fill_mtrr_var_range(unsigned int in
12046 u32 base_lo, u32 base_hi, u32 mask_lo, u32 mask_hi);
12047 void get_mtrr_state(void);
12049 -extern void set_mtrr_ops(struct mtrr_ops *ops);
12050 +extern void set_mtrr_ops(const struct mtrr_ops *ops);
12052 extern u64 size_or_mask, size_and_mask;
12053 -extern struct mtrr_ops *mtrr_if;
12054 +extern const struct mtrr_ops *mtrr_if;
12056 #define is_cpu(vnd) (mtrr_if && mtrr_if->vendor == X86_VENDOR_##vnd)
12057 #define use_intel() (mtrr_if && mtrr_if->use_intel_if == 1)
12058 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.32.42/arch/x86/kernel/cpu/perfctr-watchdog.c
12059 --- linux-2.6.32.42/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-03-27 14:31:47.000000000 -0400
12060 +++ linux-2.6.32.42/arch/x86/kernel/cpu/perfctr-watchdog.c 2011-04-17 15:56:46.000000000 -0400
12061 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
12063 /* Interface defining a CPU specific perfctr watchdog */
12065 - int (*reserve)(void);
12066 - void (*unreserve)(void);
12067 - int (*setup)(unsigned nmi_hz);
12068 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12069 - void (*stop)(void);
12070 + int (* const reserve)(void);
12071 + void (* const unreserve)(void);
12072 + int (* const setup)(unsigned nmi_hz);
12073 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
12074 + void (* const stop)(void);
12078 @@ -645,6 +645,7 @@ static const struct wd_ops p4_wd_ops = {
12079 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
12080 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
12082 +/* cannot be const */
12083 static struct wd_ops intel_arch_wd_ops;
12085 static int setup_intel_arch_watchdog(unsigned nmi_hz)
12086 @@ -697,6 +698,7 @@ static int setup_intel_arch_watchdog(uns
12090 +/* cannot be const */
12091 static struct wd_ops intel_arch_wd_ops __read_mostly = {
12092 .reserve = single_msr_reserve,
12093 .unreserve = single_msr_unreserve,
12094 diff -urNp linux-2.6.32.42/arch/x86/kernel/cpu/perf_event.c linux-2.6.32.42/arch/x86/kernel/cpu/perf_event.c
12095 --- linux-2.6.32.42/arch/x86/kernel/cpu/perf_event.c 2011-03-27 14:31:47.000000000 -0400
12096 +++ linux-2.6.32.42/arch/x86/kernel/cpu/perf_event.c 2011-05-04 17:56:20.000000000 -0400
12097 @@ -723,10 +723,10 @@ x86_perf_event_update(struct perf_event
12098 * count to the generic event atomically:
12101 - prev_raw_count = atomic64_read(&hwc->prev_count);
12102 + prev_raw_count = atomic64_read_unchecked(&hwc->prev_count);
12103 rdmsrl(hwc->event_base + idx, new_raw_count);
12105 - if (atomic64_cmpxchg(&hwc->prev_count, prev_raw_count,
12106 + if (atomic64_cmpxchg_unchecked(&hwc->prev_count, prev_raw_count,
12107 new_raw_count) != prev_raw_count)
12110 @@ -741,7 +741,7 @@ again:
12111 delta = (new_raw_count << shift) - (prev_raw_count << shift);
12114 - atomic64_add(delta, &event->count);
12115 + atomic64_add_unchecked(delta, &event->count);
12116 atomic64_sub(delta, &hwc->period_left);
12118 return new_raw_count;
12119 @@ -1353,7 +1353,7 @@ x86_perf_event_set_period(struct perf_ev
12120 * The hw event starts counting from this event offset,
12121 * mark it to be able to extra future deltas:
12123 - atomic64_set(&hwc->prev_count, (u64)-left);
12124 + atomic64_set_unchecked(&hwc->prev_count, (u64)-left);
12126 err = checking_wrmsrl(hwc->event_base + idx,
12127 (u64)(-left) & x86_pmu.event_mask);
12128 @@ -2357,7 +2357,7 @@ perf_callchain_user(struct pt_regs *regs
12131 callchain_store(entry, frame.return_address);
12132 - fp = frame.next_frame;
12133 + fp = (__force const void __user *)frame.next_frame;
12137 diff -urNp linux-2.6.32.42/arch/x86/kernel/crash.c linux-2.6.32.42/arch/x86/kernel/crash.c
12138 --- linux-2.6.32.42/arch/x86/kernel/crash.c 2011-03-27 14:31:47.000000000 -0400
12139 +++ linux-2.6.32.42/arch/x86/kernel/crash.c 2011-04-17 15:56:46.000000000 -0400
12140 @@ -41,7 +41,7 @@ static void kdump_nmi_callback(int cpu,
12143 #ifdef CONFIG_X86_32
12144 - if (!user_mode_vm(regs)) {
12145 + if (!user_mode(regs)) {
12146 crash_fixup_ss_esp(&fixed_regs, regs);
12147 regs = &fixed_regs;
12149 diff -urNp linux-2.6.32.42/arch/x86/kernel/doublefault_32.c linux-2.6.32.42/arch/x86/kernel/doublefault_32.c
12150 --- linux-2.6.32.42/arch/x86/kernel/doublefault_32.c 2011-03-27 14:31:47.000000000 -0400
12151 +++ linux-2.6.32.42/arch/x86/kernel/doublefault_32.c 2011-04-17 15:56:46.000000000 -0400
12154 #define DOUBLEFAULT_STACKSIZE (1024)
12155 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
12156 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
12157 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
12159 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
12161 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
12162 unsigned long gdt, tss;
12164 store_gdt(&gdt_desc);
12165 - gdt = gdt_desc.address;
12166 + gdt = (unsigned long)gdt_desc.address;
12168 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
12170 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
12171 /* 0x2 bit is always set */
12172 .flags = X86_EFLAGS_SF | 0x2,
12175 + .es = __KERNEL_DS,
12179 + .ds = __KERNEL_DS,
12180 .fs = __KERNEL_PERCPU,
12182 .__cr3 = __pa_nodebug(swapper_pg_dir),
12183 diff -urNp linux-2.6.32.42/arch/x86/kernel/dumpstack_32.c linux-2.6.32.42/arch/x86/kernel/dumpstack_32.c
12184 --- linux-2.6.32.42/arch/x86/kernel/dumpstack_32.c 2011-03-27 14:31:47.000000000 -0400
12185 +++ linux-2.6.32.42/arch/x86/kernel/dumpstack_32.c 2011-04-17 15:56:46.000000000 -0400
12186 @@ -53,16 +53,12 @@ void dump_trace(struct task_struct *task
12190 - struct thread_info *context;
12191 + void *stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
12192 + bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
12194 - context = (struct thread_info *)
12195 - ((unsigned long)stack & (~(THREAD_SIZE - 1)));
12196 - bp = print_context_stack(context, stack, bp, ops,
12197 - data, NULL, &graph);
12199 - stack = (unsigned long *)context->previous_esp;
12201 + if (stack_start == task_stack_page(task))
12203 + stack = *(unsigned long **)stack_start;
12204 if (ops->stack(data, "IRQ") < 0)
12206 touch_nmi_watchdog();
12207 @@ -112,11 +108,12 @@ void show_registers(struct pt_regs *regs
12208 * When in-kernel, we also print out the stack and code at the
12209 * time of the fault..
12211 - if (!user_mode_vm(regs)) {
12212 + if (!user_mode(regs)) {
12213 unsigned int code_prologue = code_bytes * 43 / 64;
12214 unsigned int code_len = code_bytes;
12217 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
12219 printk(KERN_EMERG "Stack:\n");
12220 show_stack_log_lvl(NULL, regs, ®s->sp,
12221 @@ -124,10 +121,10 @@ void show_registers(struct pt_regs *regs
12223 printk(KERN_EMERG "Code: ");
12225 - ip = (u8 *)regs->ip - code_prologue;
12226 + ip = (u8 *)regs->ip - code_prologue + cs_base;
12227 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
12228 /* try starting at IP */
12229 - ip = (u8 *)regs->ip;
12230 + ip = (u8 *)regs->ip + cs_base;
12231 code_len = code_len - code_prologue + 1;
12233 for (i = 0; i < code_len; i++, ip++) {
12234 @@ -136,7 +133,7 @@ void show_registers(struct pt_regs *regs
12235 printk(" Bad EIP value.");
12238 - if (ip == (u8 *)regs->ip)
12239 + if (ip == (u8 *)regs->ip + cs_base)
12240 printk("<%02x> ", c);
12242 printk("%02x ", c);
12243 @@ -149,6 +146,7 @@ int is_valid_bugaddr(unsigned long ip)
12245 unsigned short ud2;
12247 + ip = ktla_ktva(ip);
12248 if (ip < PAGE_OFFSET)
12250 if (probe_kernel_address((unsigned short *)ip, ud2))
12251 diff -urNp linux-2.6.32.42/arch/x86/kernel/dumpstack_64.c linux-2.6.32.42/arch/x86/kernel/dumpstack_64.c
12252 --- linux-2.6.32.42/arch/x86/kernel/dumpstack_64.c 2011-03-27 14:31:47.000000000 -0400
12253 +++ linux-2.6.32.42/arch/x86/kernel/dumpstack_64.c 2011-04-17 15:56:46.000000000 -0400
12254 @@ -116,8 +116,8 @@ void dump_trace(struct task_struct *task
12255 unsigned long *irq_stack_end =
12256 (unsigned long *)per_cpu(irq_stack_ptr, cpu);
12258 - struct thread_info *tinfo;
12260 + void *stack_start;
12264 @@ -146,10 +146,10 @@ void dump_trace(struct task_struct *task
12265 * current stack address. If the stacks consist of nested
12268 - tinfo = task_thread_info(task);
12271 unsigned long *estack_end;
12273 estack_end = in_exception_stack(cpu, (unsigned long)stack,
12276 @@ -157,7 +157,7 @@ void dump_trace(struct task_struct *task
12277 if (ops->stack(data, id) < 0)
12280 - bp = print_context_stack(tinfo, stack, bp, ops,
12281 + bp = print_context_stack(task, estack_end - EXCEPTION_STKSZ, stack, bp, ops,
12282 data, estack_end, &graph);
12283 ops->stack(data, "<EOE>");
12285 @@ -176,7 +176,7 @@ void dump_trace(struct task_struct *task
12286 if (stack >= irq_stack && stack < irq_stack_end) {
12287 if (ops->stack(data, "IRQ") < 0)
12289 - bp = print_context_stack(tinfo, stack, bp,
12290 + bp = print_context_stack(task, irq_stack, stack, bp,
12291 ops, data, irq_stack_end, &graph);
12293 * We link to the next stack (which would be
12294 @@ -195,7 +195,8 @@ void dump_trace(struct task_struct *task
12296 * This handles the process stack:
12298 - bp = print_context_stack(tinfo, stack, bp, ops, data, NULL, &graph);
12299 + stack_start = (void *)((unsigned long)stack & ~(THREAD_SIZE-1));
12300 + bp = print_context_stack(task, stack_start, stack, bp, ops, data, NULL, &graph);
12303 EXPORT_SYMBOL(dump_trace);
12304 diff -urNp linux-2.6.32.42/arch/x86/kernel/dumpstack.c linux-2.6.32.42/arch/x86/kernel/dumpstack.c
12305 --- linux-2.6.32.42/arch/x86/kernel/dumpstack.c 2011-03-27 14:31:47.000000000 -0400
12306 +++ linux-2.6.32.42/arch/x86/kernel/dumpstack.c 2011-04-17 15:56:46.000000000 -0400
12308 * Copyright (C) 1991, 1992 Linus Torvalds
12309 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
12311 +#ifdef CONFIG_GRKERNSEC_HIDESYM
12312 +#define __INCLUDED_BY_HIDESYM 1
12314 #include <linux/kallsyms.h>
12315 #include <linux/kprobes.h>
12316 #include <linux/uaccess.h>
12317 @@ -28,7 +31,7 @@ static int die_counter;
12319 void printk_address(unsigned long address, int reliable)
12321 - printk(" [<%p>] %s%pS\n", (void *) address,
12322 + printk(" [<%p>] %s%pA\n", (void *) address,
12323 reliable ? "" : "? ", (void *) address);
12326 @@ -36,9 +39,8 @@ void printk_address(unsigned long addres
12328 print_ftrace_graph_addr(unsigned long addr, void *data,
12329 const struct stacktrace_ops *ops,
12330 - struct thread_info *tinfo, int *graph)
12331 + struct task_struct *task, int *graph)
12333 - struct task_struct *task = tinfo->task;
12334 unsigned long ret_addr;
12335 int index = task->curr_ret_stack;
12337 @@ -59,7 +61,7 @@ print_ftrace_graph_addr(unsigned long ad
12339 print_ftrace_graph_addr(unsigned long addr, void *data,
12340 const struct stacktrace_ops *ops,
12341 - struct thread_info *tinfo, int *graph)
12342 + struct task_struct *task, int *graph)
12346 @@ -70,10 +72,8 @@ print_ftrace_graph_addr(unsigned long ad
12347 * severe exception (double fault, nmi, stack fault, debug, mce) hardware stack
12350 -static inline int valid_stack_ptr(struct thread_info *tinfo,
12351 - void *p, unsigned int size, void *end)
12352 +static inline int valid_stack_ptr(void *t, void *p, unsigned int size, void *end)
12356 if (p < end && p >= (end-THREAD_SIZE))
12358 @@ -84,14 +84,14 @@ static inline int valid_stack_ptr(struct
12362 -print_context_stack(struct thread_info *tinfo,
12363 +print_context_stack(struct task_struct *task, void *stack_start,
12364 unsigned long *stack, unsigned long bp,
12365 const struct stacktrace_ops *ops, void *data,
12366 unsigned long *end, int *graph)
12368 struct stack_frame *frame = (struct stack_frame *)bp;
12370 - while (valid_stack_ptr(tinfo, stack, sizeof(*stack), end)) {
12371 + while (valid_stack_ptr(stack_start, stack, sizeof(*stack), end)) {
12372 unsigned long addr;
12375 @@ -103,7 +103,7 @@ print_context_stack(struct thread_info *
12377 ops->address(data, addr, 0);
12379 - print_ftrace_graph_addr(addr, data, ops, tinfo, graph);
12380 + print_ftrace_graph_addr(addr, data, ops, task, graph);
12384 @@ -180,7 +180,7 @@ void dump_stack(void)
12387 printk("Pid: %d, comm: %.20s %s %s %.*s\n",
12388 - current->pid, current->comm, print_tainted(),
12389 + task_pid_nr(current), current->comm, print_tainted(),
12390 init_utsname()->release,
12391 (int)strcspn(init_utsname()->version, " "),
12392 init_utsname()->version);
12393 @@ -220,6 +220,8 @@ unsigned __kprobes long oops_begin(void)
12397 +extern void gr_handle_kernel_exploit(void);
12399 void __kprobes oops_end(unsigned long flags, struct pt_regs *regs, int signr)
12401 if (regs && kexec_should_crash(current))
12402 @@ -241,7 +243,10 @@ void __kprobes oops_end(unsigned long fl
12403 panic("Fatal exception in interrupt");
12405 panic("Fatal exception");
12408 + gr_handle_kernel_exploit();
12410 + do_group_exit(signr);
12413 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
12414 @@ -295,7 +300,7 @@ void die(const char *str, struct pt_regs
12415 unsigned long flags = oops_begin();
12418 - if (!user_mode_vm(regs))
12419 + if (!user_mode(regs))
12420 report_bug(regs->ip, regs);
12422 if (__die(str, regs, err))
12423 diff -urNp linux-2.6.32.42/arch/x86/kernel/dumpstack.h linux-2.6.32.42/arch/x86/kernel/dumpstack.h
12424 --- linux-2.6.32.42/arch/x86/kernel/dumpstack.h 2011-03-27 14:31:47.000000000 -0400
12425 +++ linux-2.6.32.42/arch/x86/kernel/dumpstack.h 2011-04-23 13:25:26.000000000 -0400
12429 extern unsigned long
12430 -print_context_stack(struct thread_info *tinfo,
12431 +print_context_stack(struct task_struct *task, void *stack_start,
12432 unsigned long *stack, unsigned long bp,
12433 const struct stacktrace_ops *ops, void *data,
12434 unsigned long *end, int *graph);
12435 diff -urNp linux-2.6.32.42/arch/x86/kernel/e820.c linux-2.6.32.42/arch/x86/kernel/e820.c
12436 --- linux-2.6.32.42/arch/x86/kernel/e820.c 2011-03-27 14:31:47.000000000 -0400
12437 +++ linux-2.6.32.42/arch/x86/kernel/e820.c 2011-04-17 15:56:46.000000000 -0400
12438 @@ -733,7 +733,7 @@ struct early_res {
12440 static struct early_res early_res[MAX_EARLY_RES] __initdata = {
12441 { 0, PAGE_SIZE, "BIOS data page" }, /* BIOS data page */
12446 static int __init find_overlapped_early(u64 start, u64 end)
12447 diff -urNp linux-2.6.32.42/arch/x86/kernel/early_printk.c linux-2.6.32.42/arch/x86/kernel/early_printk.c
12448 --- linux-2.6.32.42/arch/x86/kernel/early_printk.c 2011-03-27 14:31:47.000000000 -0400
12449 +++ linux-2.6.32.42/arch/x86/kernel/early_printk.c 2011-05-16 21:46:57.000000000 -0400
12451 #include <linux/pci_regs.h>
12452 #include <linux/pci_ids.h>
12453 #include <linux/errno.h>
12454 +#include <linux/sched.h>
12455 #include <asm/io.h>
12456 #include <asm/processor.h>
12457 #include <asm/fcntl.h>
12458 @@ -170,6 +171,8 @@ asmlinkage void early_printk(const char
12462 + pax_track_stack();
12465 n = vscnprintf(buf, sizeof(buf), fmt, ap);
12466 early_console->write(early_console, buf, n);
12467 diff -urNp linux-2.6.32.42/arch/x86/kernel/efi_32.c linux-2.6.32.42/arch/x86/kernel/efi_32.c
12468 --- linux-2.6.32.42/arch/x86/kernel/efi_32.c 2011-03-27 14:31:47.000000000 -0400
12469 +++ linux-2.6.32.42/arch/x86/kernel/efi_32.c 2011-04-17 15:56:46.000000000 -0400
12470 @@ -38,70 +38,38 @@
12473 static unsigned long efi_rt_eflags;
12474 -static pgd_t efi_bak_pg_dir_pointer[2];
12475 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
12477 -void efi_call_phys_prelog(void)
12478 +void __init efi_call_phys_prelog(void)
12480 - unsigned long cr4;
12481 - unsigned long temp;
12482 struct desc_ptr gdt_descr;
12484 local_irq_save(efi_rt_eflags);
12487 - * If I don't have PAE, I should just duplicate two entries in page
12488 - * directory. If I have PAE, I just need to duplicate one entry in
12489 - * page directory.
12491 - cr4 = read_cr4_safe();
12493 - if (cr4 & X86_CR4_PAE) {
12494 - efi_bak_pg_dir_pointer[0].pgd =
12495 - swapper_pg_dir[pgd_index(0)].pgd;
12496 - swapper_pg_dir[0].pgd =
12497 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
12499 - efi_bak_pg_dir_pointer[0].pgd =
12500 - swapper_pg_dir[pgd_index(0)].pgd;
12501 - efi_bak_pg_dir_pointer[1].pgd =
12502 - swapper_pg_dir[pgd_index(0x400000)].pgd;
12503 - swapper_pg_dir[pgd_index(0)].pgd =
12504 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
12505 - temp = PAGE_OFFSET + 0x400000;
12506 - swapper_pg_dir[pgd_index(0x400000)].pgd =
12507 - swapper_pg_dir[pgd_index(temp)].pgd;
12509 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
12510 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
12511 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
12514 * After the lock is released, the original page table is restored.
12518 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
12519 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
12520 gdt_descr.size = GDT_SIZE - 1;
12521 load_gdt(&gdt_descr);
12524 -void efi_call_phys_epilog(void)
12525 +void __init efi_call_phys_epilog(void)
12527 - unsigned long cr4;
12528 struct desc_ptr gdt_descr;
12530 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
12531 + gdt_descr.address = get_cpu_gdt_table(0);
12532 gdt_descr.size = GDT_SIZE - 1;
12533 load_gdt(&gdt_descr);
12535 - cr4 = read_cr4_safe();
12537 - if (cr4 & X86_CR4_PAE) {
12538 - swapper_pg_dir[pgd_index(0)].pgd =
12539 - efi_bak_pg_dir_pointer[0].pgd;
12541 - swapper_pg_dir[pgd_index(0)].pgd =
12542 - efi_bak_pg_dir_pointer[0].pgd;
12543 - swapper_pg_dir[pgd_index(0x400000)].pgd =
12544 - efi_bak_pg_dir_pointer[1].pgd;
12546 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
12549 * After the lock is released, the original page table is restored.
12550 diff -urNp linux-2.6.32.42/arch/x86/kernel/efi_stub_32.S linux-2.6.32.42/arch/x86/kernel/efi_stub_32.S
12551 --- linux-2.6.32.42/arch/x86/kernel/efi_stub_32.S 2011-03-27 14:31:47.000000000 -0400
12552 +++ linux-2.6.32.42/arch/x86/kernel/efi_stub_32.S 2011-04-17 15:56:46.000000000 -0400
12556 #include <linux/linkage.h>
12557 +#include <linux/init.h>
12558 #include <asm/page_types.h>
12562 * service functions will comply with gcc calling convention, too.
12567 ENTRY(efi_call_phys)
12569 * 0. The function can only be called in Linux kernel. So CS has been
12570 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
12571 * The mapping of lower virtual memory has been created in prelog and
12575 - subl $__PAGE_OFFSET, %edx
12577 + jmp 1f-__PAGE_OFFSET
12581 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
12582 * parameter 2, ..., param n. To make things easy, we save the return
12583 * address of efi_call_phys in a global variable.
12586 - movl %edx, saved_return_addr
12587 - /* get the function pointer into ECX*/
12589 - movl %ecx, efi_rt_function_ptr
12591 - subl $__PAGE_OFFSET, %edx
12593 + popl (saved_return_addr)
12594 + popl (efi_rt_function_ptr)
12597 * 3. Clear PG bit in %CR0.
12598 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
12600 * 5. Call the physical function.
12603 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
12607 * 6. After EFI runtime service returns, control will return to
12608 * following instruction. We'd better readjust stack pointer first.
12609 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
12611 orl $0x80000000, %edx
12617 * 8. Now restore the virtual mode from flat mode by
12618 * adding EIP with PAGE_OFFSET.
12622 + jmp 1f+__PAGE_OFFSET
12626 * 9. Balance the stack. And because EAX contain the return value,
12627 * we'd better not clobber it.
12629 - leal efi_rt_function_ptr, %edx
12630 - movl (%edx), %ecx
12632 + pushl (efi_rt_function_ptr)
12635 - * 10. Push the saved return address onto the stack and return.
12636 + * 10. Return to the saved return address.
12638 - leal saved_return_addr, %edx
12639 - movl (%edx), %ecx
12642 + jmpl *(saved_return_addr)
12643 ENDPROC(efi_call_phys)
12650 efi_rt_function_ptr:
12651 diff -urNp linux-2.6.32.42/arch/x86/kernel/entry_32.S linux-2.6.32.42/arch/x86/kernel/entry_32.S
12652 --- linux-2.6.32.42/arch/x86/kernel/entry_32.S 2011-03-27 14:31:47.000000000 -0400
12653 +++ linux-2.6.32.42/arch/x86/kernel/entry_32.S 2011-05-22 23:02:03.000000000 -0400
12654 @@ -185,13 +185,146 @@
12655 /*CFI_REL_OFFSET gs, PT_GS*/
12657 .macro SET_KERNEL_GS reg
12659 +#ifdef CONFIG_CC_STACKPROTECTOR
12660 movl $(__KERNEL_STACK_CANARY), \reg
12661 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
12662 + movl $(__USER_DS), \reg
12670 #endif /* CONFIG_X86_32_LAZY_GS */
12673 +.macro pax_enter_kernel
12674 +#ifdef CONFIG_PAX_KERNEXEC
12675 + call pax_enter_kernel
12679 +.macro pax_exit_kernel
12680 +#ifdef CONFIG_PAX_KERNEXEC
12681 + call pax_exit_kernel
12685 +#ifdef CONFIG_PAX_KERNEXEC
12686 +ENTRY(pax_enter_kernel)
12687 +#ifdef CONFIG_PARAVIRT
12690 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
12698 + cmp $__KERNEL_CS, %esi
12700 + ljmp $__KERNEL_CS, $3f
12701 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
12703 +#ifdef CONFIG_PARAVIRT
12705 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
12710 +#ifdef CONFIG_PARAVIRT
12715 +ENDPROC(pax_enter_kernel)
12717 +ENTRY(pax_exit_kernel)
12718 +#ifdef CONFIG_PARAVIRT
12723 + cmp $__KERNEXEC_KERNEL_CS, %esi
12725 +#ifdef CONFIG_PARAVIRT
12726 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
12732 + ljmp $__KERNEL_CS, $1f
12734 +#ifdef CONFIG_PARAVIRT
12736 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
12741 +#ifdef CONFIG_PARAVIRT
12746 +ENDPROC(pax_exit_kernel)
12749 +.macro pax_erase_kstack
12750 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12751 + call pax_erase_kstack
12755 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
12757 + * ebp: thread_info
12758 + * ecx, edx: can be clobbered
12760 +ENTRY(pax_erase_kstack)
12764 + mov TI_lowest_stack(%ebp), %edi
12765 + mov $-0xBEEF, %eax
12769 + and $THREAD_SIZE_asm - 1, %ecx
12788 + mov TI_task_thread_sp0(%ebp), %edi
12790 + mov %edi, TI_lowest_stack(%ebp)
12795 +ENDPROC(pax_erase_kstack)
12798 +.macro __SAVE_ALL _DS
12802 @@ -224,7 +357,7 @@
12804 CFI_ADJUST_CFA_OFFSET 4
12805 CFI_REL_OFFSET ebx, 0
12806 - movl $(__USER_DS), %edx
12810 movl $(__KERNEL_PERCPU), %edx
12811 @@ -232,6 +365,15 @@
12816 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
12817 + __SAVE_ALL __KERNEL_DS
12820 + __SAVE_ALL __USER_DS
12824 .macro RESTORE_INT_REGS
12826 CFI_ADJUST_CFA_OFFSET -4
12827 @@ -352,7 +494,15 @@ check_userspace:
12828 movb PT_CS(%esp), %al
12829 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
12830 cmpl $USER_RPL, %eax
12832 +#ifdef CONFIG_PAX_KERNEXEC
12833 + jae resume_userspace
12836 + jmp resume_kernel
12838 jb resume_kernel # not returning to v8086 or userspace
12841 ENTRY(resume_userspace)
12843 @@ -364,7 +514,7 @@ ENTRY(resume_userspace)
12844 andl $_TIF_WORK_MASK, %ecx # is there any work to be done on
12845 # int/exception return?
12848 + jmp restore_all_pax
12849 END(ret_from_exception)
12851 #ifdef CONFIG_PREEMPT
12852 @@ -414,25 +564,36 @@ sysenter_past_esp:
12853 /*CFI_REL_OFFSET cs, 0*/
12855 * Push current_thread_info()->sysenter_return to the stack.
12856 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
12857 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
12859 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
12861 CFI_ADJUST_CFA_OFFSET 4
12862 CFI_REL_OFFSET eip, 0
12865 CFI_ADJUST_CFA_OFFSET 4
12867 + GET_THREAD_INFO(%ebp)
12868 + movl TI_sysenter_return(%ebp),%ebp
12869 + movl %ebp,PT_EIP(%esp)
12870 ENABLE_INTERRUPTS(CLBR_NONE)
12873 * Load the potential sixth argument from user stack.
12874 * Careful about security.
12876 + movl PT_OLDESP(%esp),%ebp
12878 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12879 + mov PT_OLDSS(%esp),%ds
12880 +1: movl %ds:(%ebp),%ebp
12884 cmpl $__PAGE_OFFSET-3,%ebp
12886 1: movl (%ebp),%ebp
12889 movl %ebp,PT_EBP(%esp)
12890 .section __ex_table,"a"
12892 @@ -455,12 +616,23 @@ sysenter_do_call:
12893 testl $_TIF_ALLWORK_MASK, %ecx
12897 +#ifdef CONFIG_PAX_RANDKSTACK
12899 + call pax_randomize_kstack
12905 /* if something modifies registers it must also disable sysexit */
12906 movl PT_EIP(%esp), %edx
12907 movl PT_OLDESP(%esp), %ecx
12910 1: mov PT_FS(%esp), %fs
12911 +2: mov PT_DS(%esp), %ds
12912 +3: mov PT_ES(%esp), %es
12914 ENABLE_INTERRUPTS_SYSEXIT
12916 @@ -477,6 +649,9 @@ sysenter_audit:
12917 movl %eax,%edx /* 2nd arg: syscall number */
12918 movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
12919 call audit_syscall_entry
12924 CFI_ADJUST_CFA_OFFSET 4
12925 movl PT_EAX(%esp),%eax /* reload syscall number */
12926 @@ -504,11 +679,17 @@ sysexit_audit:
12929 .pushsection .fixup,"ax"
12930 -2: movl $0,PT_FS(%esp)
12931 +4: movl $0,PT_FS(%esp)
12933 +5: movl $0,PT_DS(%esp)
12935 +6: movl $0,PT_ES(%esp)
12937 .section __ex_table,"a"
12945 ENDPROC(ia32_sysenter_target)
12946 @@ -538,6 +719,14 @@ syscall_exit:
12947 testl $_TIF_ALLWORK_MASK, %ecx # current->work
12948 jne syscall_exit_work
12952 +#ifdef CONFIG_PAX_RANDKSTACK
12953 + call pax_randomize_kstack
12960 restore_all_notrace:
12961 @@ -602,7 +791,13 @@ ldt_ss:
12962 mov PT_OLDESP(%esp), %eax /* load userspace esp */
12963 mov %dx, %ax /* eax: new kernel esp */
12964 sub %eax, %edx /* offset (low word is 0) */
12965 - PER_CPU(gdt_page, %ebx)
12967 + movl PER_CPU_VAR(cpu_number), %ebx
12968 + shll $PAGE_SHIFT_asm, %ebx
12969 + addl $cpu_gdt_table, %ebx
12971 + movl $cpu_gdt_table, %ebx
12974 mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
12975 mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
12976 @@ -636,31 +831,25 @@ work_resched:
12977 movl TI_flags(%ebp), %ecx
12978 andl $_TIF_WORK_MASK, %ecx # is there any work to be done other
12979 # than syscall tracing?
12981 + jz restore_all_pax
12982 testb $_TIF_NEED_RESCHED, %cl
12985 work_notifysig: # deal with pending signals and
12986 # notify-resume requests
12989 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
12991 - jne work_notifysig_v86 # returning to kernel-space or
12992 + jz 1f # returning to kernel-space or
12995 - call do_notify_resume
12996 - jmp resume_userspace_sig
12999 -work_notifysig_v86:
13000 pushl %ecx # save ti_flags for do_notify_resume
13001 CFI_ADJUST_CFA_OFFSET 4
13002 call save_v86_state # %eax contains pt_regs pointer
13004 CFI_ADJUST_CFA_OFFSET -4
13011 call do_notify_resume
13012 @@ -673,6 +862,9 @@ syscall_trace_entry:
13013 movl $-ENOSYS,PT_EAX(%esp)
13015 call syscall_trace_enter
13019 /* What it returned is what we'll actually use. */
13020 cmpl $(nr_syscalls), %eax
13022 @@ -695,6 +887,10 @@ END(syscall_exit_work)
13024 RING0_INT_FRAME # can't unwind into user space anyway
13026 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13030 GET_THREAD_INFO(%ebp)
13031 movl $-EFAULT,PT_EAX(%esp)
13032 jmp resume_userspace
13033 @@ -726,6 +922,33 @@ PTREGSCALL(rt_sigreturn)
13035 PTREGSCALL(vm86old)
13038 +ENTRY(kernel_execve)
13040 + sub $PT_OLDSS+4,%esp
13044 + lea 3*4(%esp),%edi
13045 + mov $PT_OLDSS/4+1,%ecx
13051 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
13052 + mov %eax,PT_EBX(%esp)
13053 + mov %edx,PT_ECX(%esp)
13054 + mov %ecx,PT_EDX(%esp)
13057 + GET_THREAD_INFO(%ebp)
13060 + add $PT_OLDSS+4,%esp
13064 .macro FIXUP_ESPFIX_STACK
13066 * Switch back for ESPFIX stack to the normal zerobased stack
13067 @@ -735,7 +958,13 @@ PTREGSCALL(vm86old)
13068 * normal stack and adjusts ESP with the matching offset.
13070 /* fixup the stack */
13071 - PER_CPU(gdt_page, %ebx)
13073 + movl PER_CPU_VAR(cpu_number), %ebx
13074 + shll $PAGE_SHIFT_asm, %ebx
13075 + addl $cpu_gdt_table, %ebx
13077 + movl $cpu_gdt_table, %ebx
13079 mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
13080 mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
13082 @@ -1198,7 +1427,6 @@ return_to_handler:
13086 -.section .rodata,"a"
13087 #include "syscall_table_32.S"
13089 syscall_table_size=(.-sys_call_table)
13090 @@ -1255,9 +1483,12 @@ error_code:
13091 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
13094 - movl $(__USER_DS), %ecx
13095 + movl $(__KERNEL_DS), %ecx
13102 movl %esp,%eax # pt_regs pointer
13104 @@ -1351,6 +1582,9 @@ nmi_stack_correct:
13105 xorl %edx,%edx # zero error code
13106 movl %esp,%eax # pt_regs pointer
13111 jmp restore_all_notrace
13114 @@ -1391,6 +1625,9 @@ nmi_espfix_stack:
13115 FIXUP_ESPFIX_STACK # %eax == %esp
13116 xorl %edx,%edx # zero error code
13122 lss 12+4(%esp), %esp # back to espfix stack
13123 CFI_ADJUST_CFA_OFFSET -24
13124 diff -urNp linux-2.6.32.42/arch/x86/kernel/entry_64.S linux-2.6.32.42/arch/x86/kernel/entry_64.S
13125 --- linux-2.6.32.42/arch/x86/kernel/entry_64.S 2011-03-27 14:31:47.000000000 -0400
13126 +++ linux-2.6.32.42/arch/x86/kernel/entry_64.S 2011-06-04 20:30:53.000000000 -0400
13128 #include <asm/paravirt.h>
13129 #include <asm/ftrace.h>
13130 #include <asm/percpu.h>
13131 +#include <asm/pgtable.h>
13133 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
13134 #include <linux/elf-em.h>
13135 @@ -174,6 +175,257 @@ ENTRY(native_usergs_sysret64)
13136 ENDPROC(native_usergs_sysret64)
13137 #endif /* CONFIG_PARAVIRT */
13139 + .macro ljmpq sel, off
13140 +#if defined(CONFIG_MPSC) || defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
13141 + .byte 0x48; ljmp *1234f(%rip)
13142 + .pushsection .rodata
13144 + 1234: .quad \off; .word \sel
13153 + .macro pax_enter_kernel
13154 +#ifdef CONFIG_PAX_KERNEXEC
13155 + call pax_enter_kernel
13159 + .macro pax_exit_kernel
13160 +#ifdef CONFIG_PAX_KERNEXEC
13161 + call pax_exit_kernel
13165 +#ifdef CONFIG_PAX_KERNEXEC
13166 +ENTRY(pax_enter_kernel)
13169 +#ifdef CONFIG_PARAVIRT
13170 + PV_SAVE_REGS(CLBR_RDI)
13177 + cmp $__KERNEL_CS,%edi
13179 + ljmpq __KERNEL_CS,3f
13180 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
13181 +2: SET_RDI_INTO_CR0
13184 +#ifdef CONFIG_PARAVIRT
13185 + PV_RESTORE_REGS(CLBR_RDI)
13190 +ENDPROC(pax_enter_kernel)
13192 +ENTRY(pax_exit_kernel)
13195 +#ifdef CONFIG_PARAVIRT
13196 + PV_SAVE_REGS(CLBR_RDI)
13200 + cmp $__KERNEXEC_KERNEL_CS,%edi
13204 + ljmpq __KERNEL_CS,1f
13205 +1: SET_RDI_INTO_CR0
13208 +#ifdef CONFIG_PARAVIRT
13209 + PV_RESTORE_REGS(CLBR_RDI);
13214 +ENDPROC(pax_exit_kernel)
13217 + .macro pax_enter_kernel_user
13218 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13219 + call pax_enter_kernel_user
13223 + .macro pax_exit_kernel_user
13224 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13225 + call pax_exit_kernel_user
13227 +#ifdef CONFIG_PAX_RANDKSTACK
13229 + call pax_randomize_kstack
13235 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13236 +ENTRY(pax_enter_kernel_user)
13240 +#ifdef CONFIG_PARAVIRT
13241 + PV_SAVE_REGS(CLBR_RDI)
13246 + add $__START_KERNEL_map,%rbx
13247 + sub phys_base(%rip),%rbx
13249 +#ifdef CONFIG_PARAVIRT
13251 + cmpl $0, pv_info+PARAVIRT_enabled
13254 + .rept USER_PGD_PTRS
13255 + mov i*8(%rbx),%rsi
13257 + lea i*8(%rbx),%rdi
13258 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
13266 + .rept USER_PGD_PTRS
13267 + movb $0,i*8(%rbx)
13271 +#ifdef CONFIG_PARAVIRT
13276 +#ifdef CONFIG_PAX_KERNEXEC
13282 +#ifdef CONFIG_PARAVIRT
13283 + PV_RESTORE_REGS(CLBR_RDI)
13289 +ENDPROC(pax_enter_kernel_user)
13291 +ENTRY(pax_exit_kernel_user)
13294 +#ifdef CONFIG_PARAVIRT
13296 + PV_SAVE_REGS(CLBR_RDI)
13299 +#ifdef CONFIG_PAX_KERNEXEC
13306 + add $__START_KERNEL_map,%rdi
13307 + sub phys_base(%rip),%rdi
13309 +#ifdef CONFIG_PARAVIRT
13310 + cmpl $0, pv_info+PARAVIRT_enabled
13314 + .rept USER_PGD_PTRS
13315 + mov i*8(%rbx),%rsi
13317 + lea i*8(%rbx),%rdi
13318 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
13326 + .rept USER_PGD_PTRS
13327 + movb $0x67,i*8(%rdi)
13331 +#ifdef CONFIG_PARAVIRT
13332 +2: PV_RESTORE_REGS(CLBR_RDI)
13338 +ENDPROC(pax_exit_kernel_user)
13341 +.macro pax_erase_kstack
13342 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13343 + call pax_erase_kstack
13347 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
13349 + * r10: thread_info
13350 + * rcx, rdx: can be clobbered
13352 +ENTRY(pax_erase_kstack)
13356 + GET_THREAD_INFO(%r10)
13357 + mov TI_lowest_stack(%r10), %rdi
13358 + mov $-0xBEEF, %rax
13362 + and $THREAD_SIZE_asm - 1, %ecx
13381 + mov TI_task_thread_sp0(%r10), %rdi
13383 + mov %rdi, TI_lowest_stack(%r10)
13388 +ENDPROC(pax_erase_kstack)
13391 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
13392 #ifdef CONFIG_TRACE_IRQFLAGS
13393 @@ -317,7 +569,7 @@ ENTRY(save_args)
13394 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
13395 movq_cfi rbp, 8 /* push %rbp */
13396 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
13397 - testl $3, CS(%rdi)
13398 + testb $3, CS(%rdi)
13402 @@ -409,7 +661,7 @@ ENTRY(ret_from_fork)
13406 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
13407 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
13408 je int_ret_from_sys_call
13410 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
13411 @@ -455,7 +707,7 @@ END(ret_from_fork)
13413 CFI_STARTPROC simple
13415 - CFI_DEF_CFA rsp,KERNEL_STACK_OFFSET
13416 + CFI_DEF_CFA rsp,0
13417 CFI_REGISTER rip,rcx
13418 /*CFI_REGISTER rflags,r11*/
13419 SWAPGS_UNSAFE_STACK
13420 @@ -468,12 +720,13 @@ ENTRY(system_call_after_swapgs)
13422 movq %rsp,PER_CPU_VAR(old_rsp)
13423 movq PER_CPU_VAR(kernel_stack),%rsp
13424 + pax_enter_kernel_user
13426 * No need to follow this irqs off/on section - it's straight
13429 ENABLE_INTERRUPTS(CLBR_NONE)
13432 movq %rax,ORIG_RAX-ARGOFFSET(%rsp)
13433 movq %rcx,RIP-ARGOFFSET(%rsp)
13434 CFI_REL_OFFSET rip,RIP-ARGOFFSET
13435 @@ -502,6 +755,7 @@ sysret_check:
13439 + pax_exit_kernel_user
13441 * sysretq will re-enable interrupts:
13443 @@ -562,6 +816,9 @@ auditsys:
13444 movq %rax,%rsi /* 2nd arg: syscall number */
13445 movl $AUDIT_ARCH_X86_64,%edi /* 1st arg: audit arch */
13446 call audit_syscall_entry
13450 LOAD_ARGS 0 /* reload call-clobbered registers */
13451 jmp system_call_fastpath
13453 @@ -592,6 +849,9 @@ tracesys:
13454 FIXUP_TOP_OF_STACK %rdi
13456 call syscall_trace_enter
13461 * Reload arg registers from stack in case ptrace changed them.
13462 * We don't reload %rax because syscall_trace_enter() returned
13463 @@ -613,7 +873,7 @@ tracesys:
13464 GLOBAL(int_ret_from_sys_call)
13465 DISABLE_INTERRUPTS(CLBR_NONE)
13467 - testl $3,CS-ARGOFFSET(%rsp)
13468 + testb $3,CS-ARGOFFSET(%rsp)
13469 je retint_restore_args
13470 movl $_TIF_ALLWORK_MASK,%edi
13471 /* edi: mask to check */
13472 @@ -800,6 +1060,16 @@ END(interrupt)
13473 CFI_ADJUST_CFA_OFFSET 10*8
13476 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13477 + testb $3, CS(%rdi)
13481 +1: pax_enter_kernel_user
13489 @@ -822,7 +1092,7 @@ ret_from_intr:
13490 CFI_ADJUST_CFA_OFFSET -8
13492 GET_THREAD_INFO(%rcx)
13493 - testl $3,CS-ARGOFFSET(%rsp)
13494 + testb $3,CS-ARGOFFSET(%rsp)
13497 /* Interrupt came from user space */
13498 @@ -844,12 +1114,14 @@ retint_swapgs: /* return to user-space
13499 * The iretq could re-enable interrupts:
13501 DISABLE_INTERRUPTS(CLBR_ANY)
13502 + pax_exit_kernel_user
13507 retint_restore_args: /* return to kernel space */
13508 DISABLE_INTERRUPTS(CLBR_ANY)
13511 * The iretq could re-enable interrupts:
13513 @@ -1032,6 +1304,16 @@ ENTRY(\sym)
13514 CFI_ADJUST_CFA_OFFSET 15*8
13517 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13518 + testb $3, CS(%rsp)
13522 +1: pax_enter_kernel_user
13527 movq %rsp,%rdi /* pt_regs pointer */
13528 xorl %esi,%esi /* no error code */
13530 @@ -1049,6 +1331,16 @@ ENTRY(\sym)
13534 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13535 + testb $3, CS(%rsp)
13539 +1: pax_enter_kernel_user
13544 movq %rsp,%rdi /* pt_regs pointer */
13545 xorl %esi,%esi /* no error code */
13547 @@ -1066,9 +1358,24 @@ ENTRY(\sym)
13551 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13552 + testb $3, CS(%rsp)
13556 +1: pax_enter_kernel_user
13561 movq %rsp,%rdi /* pt_regs pointer */
13562 xorl %esi,%esi /* no error code */
13563 - PER_CPU(init_tss, %rbp)
13565 + imul $TSS_size, PER_CPU_VAR(cpu_number), %ebp
13566 + lea init_tss(%rbp), %rbp
13568 + lea init_tss(%rip), %rbp
13570 subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
13572 addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%rbp)
13573 @@ -1085,6 +1392,16 @@ ENTRY(\sym)
13574 CFI_ADJUST_CFA_OFFSET 15*8
13577 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13578 + testb $3, CS(%rsp)
13582 +1: pax_enter_kernel_user
13587 movq %rsp,%rdi /* pt_regs pointer */
13588 movq ORIG_RAX(%rsp),%rsi /* get error code */
13589 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
13590 @@ -1104,6 +1421,16 @@ ENTRY(\sym)
13594 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13595 + testb $3, CS(%rsp)
13599 +1: pax_enter_kernel_user
13604 movq %rsp,%rdi /* pt_regs pointer */
13605 movq ORIG_RAX(%rsp),%rsi /* get error code */
13606 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
13607 @@ -1405,14 +1732,27 @@ ENTRY(paranoid_exit)
13609 testl %ebx,%ebx /* swapgs needed? */
13610 jnz paranoid_restore
13611 - testl $3,CS(%rsp)
13612 + testb $3,CS(%rsp)
13613 jnz paranoid_userspace
13614 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13616 + TRACE_IRQS_IRETQ 0
13617 + SWAPGS_UNSAFE_STACK
13622 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13623 + pax_exit_kernel_user
13628 SWAPGS_UNSAFE_STACK
13636 @@ -1470,7 +1810,7 @@ ENTRY(error_entry)
13637 movq_cfi r14, R14+8
13638 movq_cfi r15, R15+8
13640 - testl $3,CS+8(%rsp)
13641 + testb $3,CS+8(%rsp)
13642 je error_kernelspace
13645 @@ -1529,6 +1869,16 @@ ENTRY(nmi)
13646 CFI_ADJUST_CFA_OFFSET 15*8
13649 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13650 + testb $3, CS(%rsp)
13654 +1: pax_enter_kernel_user
13659 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
13662 @@ -1539,11 +1889,25 @@ ENTRY(nmi)
13663 DISABLE_INTERRUPTS(CLBR_NONE)
13664 testl %ebx,%ebx /* swapgs needed? */
13666 - testl $3,CS(%rsp)
13667 + testb $3,CS(%rsp)
13669 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13671 + SWAPGS_UNSAFE_STACK
13676 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13677 + pax_exit_kernel_user
13681 SWAPGS_UNSAFE_STACK
13689 diff -urNp linux-2.6.32.42/arch/x86/kernel/ftrace.c linux-2.6.32.42/arch/x86/kernel/ftrace.c
13690 --- linux-2.6.32.42/arch/x86/kernel/ftrace.c 2011-03-27 14:31:47.000000000 -0400
13691 +++ linux-2.6.32.42/arch/x86/kernel/ftrace.c 2011-05-04 17:56:20.000000000 -0400
13692 @@ -103,7 +103,7 @@ static void *mod_code_ip; /* holds the
13693 static void *mod_code_newcode; /* holds the text to write to the IP */
13695 static unsigned nmi_wait_count;
13696 -static atomic_t nmi_update_count = ATOMIC_INIT(0);
13697 +static atomic_unchecked_t nmi_update_count = ATOMIC_INIT(0);
13699 int ftrace_arch_read_dyn_info(char *buf, int size)
13701 @@ -111,7 +111,7 @@ int ftrace_arch_read_dyn_info(char *buf,
13703 r = snprintf(buf, size, "%u %u",
13705 - atomic_read(&nmi_update_count));
13706 + atomic_read_unchecked(&nmi_update_count));
13710 @@ -149,8 +149,10 @@ void ftrace_nmi_enter(void)
13712 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
13714 + pax_open_kernel();
13716 - atomic_inc(&nmi_update_count);
13717 + pax_close_kernel();
13718 + atomic_inc_unchecked(&nmi_update_count);
13720 /* Must have previous changes seen before executions */
13722 @@ -215,7 +217,7 @@ do_ftrace_mod_code(unsigned long ip, voi
13726 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
13727 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
13729 static unsigned char *ftrace_nop_replace(void)
13731 @@ -228,6 +230,8 @@ ftrace_modify_code(unsigned long ip, uns
13733 unsigned char replaced[MCOUNT_INSN_SIZE];
13735 + ip = ktla_ktva(ip);
13738 * Note: Due to modules and __init, code can
13739 * disappear and change, we need to protect against faulting
13740 @@ -284,7 +288,7 @@ int ftrace_update_ftrace_func(ftrace_fun
13741 unsigned char old[MCOUNT_INSN_SIZE], *new;
13744 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
13745 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
13746 new = ftrace_call_replace(ip, (unsigned long)func);
13747 ret = ftrace_modify_code(ip, old, new);
13749 @@ -337,15 +341,15 @@ int __init ftrace_dyn_arch_init(void *da
13752 pr_info("ftrace: converting mcount calls to 0f 1f 44 00 00\n");
13753 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
13754 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
13757 pr_info("ftrace: converting mcount calls to 66 66 66 66 90\n");
13758 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
13759 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
13762 pr_info("ftrace: converting mcount calls to jmp . + 5\n");
13763 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
13764 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
13768 @@ -366,6 +370,8 @@ static int ftrace_mod_jmp(unsigned long
13770 unsigned char code[MCOUNT_INSN_SIZE];
13772 + ip = ktla_ktva(ip);
13774 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
13777 diff -urNp linux-2.6.32.42/arch/x86/kernel/head32.c linux-2.6.32.42/arch/x86/kernel/head32.c
13778 --- linux-2.6.32.42/arch/x86/kernel/head32.c 2011-03-27 14:31:47.000000000 -0400
13779 +++ linux-2.6.32.42/arch/x86/kernel/head32.c 2011-04-17 15:56:46.000000000 -0400
13781 #include <asm/apic.h>
13782 #include <asm/io_apic.h>
13783 #include <asm/bios_ebda.h>
13784 +#include <asm/boot.h>
13786 static void __init i386_default_early_setup(void)
13788 @@ -31,7 +32,7 @@ void __init i386_start_kernel(void)
13790 reserve_trampoline_memory();
13792 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13793 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
13795 #ifdef CONFIG_BLK_DEV_INITRD
13796 /* Reserve INITRD */
13797 diff -urNp linux-2.6.32.42/arch/x86/kernel/head_32.S linux-2.6.32.42/arch/x86/kernel/head_32.S
13798 --- linux-2.6.32.42/arch/x86/kernel/head_32.S 2011-03-27 14:31:47.000000000 -0400
13799 +++ linux-2.6.32.42/arch/x86/kernel/head_32.S 2011-04-17 15:56:46.000000000 -0400
13800 @@ -19,10 +19,17 @@
13801 #include <asm/setup.h>
13802 #include <asm/processor-flags.h>
13803 #include <asm/percpu.h>
13804 +#include <asm/msr-index.h>
13806 /* Physical address */
13807 #define pa(X) ((X) - __PAGE_OFFSET)
13809 +#ifdef CONFIG_PAX_KERNEXEC
13812 +#define ta(X) ((X) - __PAGE_OFFSET)
13816 * References to members of the new_cpu_data structure.
13819 * and small than max_low_pfn, otherwise will waste some page table entries
13822 -#if PTRS_PER_PMD > 1
13823 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
13825 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
13827 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
13829 /* Enough space to fit pagetables for the low memory linear map */
13830 MAPPING_BEYOND_END = \
13831 @@ -73,6 +76,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
13832 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13835 + * Real beginning of normal "text" segment
13841 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
13842 * %esi points to the real-mode code as a 32-bit pointer.
13843 * CS and DS must be 4 GB flat segments, but we don't depend on
13844 @@ -80,6 +89,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
13849 +#ifdef CONFIG_PAX_KERNEXEC
13851 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
13852 +.fill PAGE_SIZE-5,1,0xcc
13856 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
13857 us to not reload segments */
13858 @@ -97,6 +113,57 @@ ENTRY(startup_32)
13863 + movl $pa(cpu_gdt_table),%edi
13864 + movl $__per_cpu_load,%eax
13865 + movw %ax,__KERNEL_PERCPU + 2(%edi)
13867 + movb %al,__KERNEL_PERCPU + 4(%edi)
13868 + movb %ah,__KERNEL_PERCPU + 7(%edi)
13869 + movl $__per_cpu_end - 1,%eax
13870 + subl $__per_cpu_start,%eax
13871 + movw %ax,__KERNEL_PERCPU + 0(%edi)
13874 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13875 + movl $NR_CPUS,%ecx
13876 + movl $pa(cpu_gdt_table),%edi
13878 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
13879 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
13880 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
13881 + addl $PAGE_SIZE_asm,%edi
13885 +#ifdef CONFIG_PAX_KERNEXEC
13886 + movl $pa(boot_gdt),%edi
13887 + movl $__LOAD_PHYSICAL_ADDR,%eax
13888 + movw %ax,__BOOT_CS + 2(%edi)
13890 + movb %al,__BOOT_CS + 4(%edi)
13891 + movb %ah,__BOOT_CS + 7(%edi)
13894 + ljmp $(__BOOT_CS),$1f
13897 + movl $NR_CPUS,%ecx
13898 + movl $pa(cpu_gdt_table),%edi
13899 + addl $__PAGE_OFFSET,%eax
13901 + movw %ax,__KERNEL_CS + 2(%edi)
13902 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
13904 + movb %al,__KERNEL_CS + 4(%edi)
13905 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
13906 + movb %ah,__KERNEL_CS + 7(%edi)
13907 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
13909 + addl $PAGE_SIZE_asm,%edi
13914 * Clear BSS first so that there are no surprises...
13916 @@ -140,9 +207,7 @@ ENTRY(startup_32)
13917 cmpl $num_subarch_entries, %eax
13920 - movl pa(subarch_entries)(,%eax,4), %eax
13921 - subl $__PAGE_OFFSET, %eax
13923 + jmp *pa(subarch_entries)(,%eax,4)
13927 @@ -154,10 +219,10 @@ WEAK(xen_entry)
13931 - .long default_entry /* normal x86/PC */
13932 - .long lguest_entry /* lguest hypervisor */
13933 - .long xen_entry /* Xen hypervisor */
13934 - .long default_entry /* Moorestown MID */
13935 + .long ta(default_entry) /* normal x86/PC */
13936 + .long ta(lguest_entry) /* lguest hypervisor */
13937 + .long ta(xen_entry) /* Xen hypervisor */
13938 + .long ta(default_entry) /* Moorestown MID */
13939 num_subarch_entries = (. - subarch_entries) / 4
13941 #endif /* CONFIG_PARAVIRT */
13942 @@ -218,8 +283,11 @@ default_entry:
13943 movl %eax, pa(max_pfn_mapped)
13945 /* Do early initialization of the fixmap area */
13946 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
13947 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
13948 +#ifdef CONFIG_COMPAT_VDSO
13949 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
13951 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
13953 #else /* Not PAE */
13955 page_pde_offset = (__PAGE_OFFSET >> 20);
13956 @@ -249,8 +317,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
13957 movl %eax, pa(max_pfn_mapped)
13959 /* Do early initialization of the fixmap area */
13960 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
13961 - movl %eax,pa(swapper_pg_dir+0xffc)
13962 +#ifdef CONFIG_COMPAT_VDSO
13963 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
13965 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
13970 @@ -297,6 +368,7 @@ ENTRY(startup_32_smp)
13974 +#ifdef CONFIG_X86_PAE
13975 btl $5, %eax # check if PAE is enabled
13978 @@ -312,13 +384,17 @@ ENTRY(startup_32_smp)
13981 /* Setup EFER (Extended Feature Enable Register) */
13982 - movl $0xc0000080, %ecx
13983 + movl $MSR_EFER, %ecx
13987 /* Make changes effective */
13990 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
13991 + movl $1,pa(nx_enabled)
13997 @@ -344,9 +420,7 @@ ENTRY(startup_32_smp)
14001 - jz 1f /* Initial CPU cleans BSS */
14004 + jnz checkCPUtype /* Initial CPU cleans BSS */
14005 #endif /* CONFIG_SMP */
14008 @@ -424,7 +498,7 @@ is386: movl $2,%ecx # set MP
14009 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
14010 movl %eax,%ss # after changing gdt.
14012 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
14013 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
14017 @@ -438,15 +512,22 @@ is386: movl $2,%ecx # set MP
14021 - movl $per_cpu__gdt_page,%eax
14022 + movl $cpu_gdt_table,%eax
14023 movl $per_cpu__stack_canary,%ecx
14025 + addl $__per_cpu_load,%ecx
14027 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
14029 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
14030 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
14033 movl $(__KERNEL_STACK_CANARY),%eax
14034 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
14035 + movl $(__USER_DS),%eax
14041 xorl %eax,%eax # Clear LDT
14042 @@ -457,10 +538,6 @@ is386: movl $2,%ecx # set MP
14046 - cmpb $0,%cl # the first CPU calls start_kernel
14048 - movl (stack_start), %esp
14050 #endif /* CONFIG_SMP */
14051 jmp *(initial_code)
14053 @@ -546,22 +623,22 @@ early_page_fault:
14058 #ifdef CONFIG_PRINTK
14059 + cmpl $1,%ss:early_recursion_flag
14061 + incl %ss:early_recursion_flag
14064 movl $(__KERNEL_DS),%eax
14067 - cmpl $2,early_recursion_flag
14069 - incl early_recursion_flag
14072 pushl %edx /* trapno */
14081 @@ -569,8 +646,11 @@ hlt_loop:
14082 /* This is the default interrupt "handler" :-) */
14086 #ifdef CONFIG_PRINTK
14087 + cmpl $2,%ss:early_recursion_flag
14089 + incl %ss:early_recursion_flag
14094 @@ -579,9 +659,6 @@ ignore_int:
14095 movl $(__KERNEL_DS),%eax
14098 - cmpl $2,early_recursion_flag
14100 - incl early_recursion_flag
14104 @@ -610,31 +687,47 @@ ENTRY(initial_page_table)
14108 -__PAGE_ALIGNED_BSS
14109 - .align PAGE_SIZE_asm
14110 #ifdef CONFIG_X86_PAE
14111 +.section .swapper_pg_pmd,"a",@progbits
14113 .fill 1024*KPMDS,4,0
14115 +.section .swapper_pg_dir,"a",@progbits
14116 ENTRY(swapper_pg_dir)
14119 +.section .swapper_pg_fixmap,"a",@progbits
14122 #ifdef CONFIG_X86_TRAMPOLINE
14123 +.section .trampoline_pg_dir,"a",@progbits
14124 ENTRY(trampoline_pg_dir)
14125 +#ifdef CONFIG_X86_PAE
14132 +.section .empty_zero_page,"a",@progbits
14133 ENTRY(empty_zero_page)
14137 + * The IDT has to be page-aligned to simplify the Pentium
14138 + * F0 0F bug workaround.. We have a special link segment
14141 +.section .idt,"a",@progbits
14146 * This starts the data section.
14148 #ifdef CONFIG_X86_PAE
14149 -__PAGE_ALIGNED_DATA
14150 - /* Page-aligned for the benefit of paravirt? */
14151 - .align PAGE_SIZE_asm
14152 +.section .swapper_pg_dir,"a",@progbits
14154 ENTRY(swapper_pg_dir)
14155 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
14157 @@ -653,15 +746,24 @@ ENTRY(swapper_pg_dir)
14158 # error "Kernel PMDs should be 1, 2 or 3"
14160 .align PAGE_SIZE_asm /* needs to be page-sized too */
14162 +#ifdef CONFIG_PAX_PER_CPU_PGD
14173 - .long init_thread_union+THREAD_SIZE
14174 + .long init_thread_union+THREAD_SIZE-8
14179 +.section .rodata,"a",@progbits
14180 early_recursion_flag:
14183 @@ -697,7 +799,7 @@ fault_msg:
14184 .word 0 # 32 bit align gdt_desc.address
14187 - .long boot_gdt - __PAGE_OFFSET
14188 + .long pa(boot_gdt)
14190 .word 0 # 32-bit align idt_desc.address
14192 @@ -708,7 +810,7 @@ idt_descr:
14193 .word 0 # 32 bit align gdt_desc.address
14194 ENTRY(early_gdt_descr)
14195 .word GDT_ENTRIES*8-1
14196 - .long per_cpu__gdt_page /* Overwritten for secondary CPUs */
14197 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
14200 * The boot_gdt must mirror the equivalent in setup.S and is
14201 @@ -717,5 +819,65 @@ ENTRY(early_gdt_descr)
14202 .align L1_CACHE_BYTES
14204 .fill GDT_ENTRY_BOOT_CS,8,0
14205 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
14206 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
14207 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
14208 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
14210 + .align PAGE_SIZE_asm
14211 +ENTRY(cpu_gdt_table)
14213 + .quad 0x0000000000000000 /* NULL descriptor */
14214 + .quad 0x0000000000000000 /* 0x0b reserved */
14215 + .quad 0x0000000000000000 /* 0x13 reserved */
14216 + .quad 0x0000000000000000 /* 0x1b reserved */
14218 +#ifdef CONFIG_PAX_KERNEXEC
14219 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
14221 + .quad 0x0000000000000000 /* 0x20 unused */
14224 + .quad 0x0000000000000000 /* 0x28 unused */
14225 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
14226 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
14227 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
14228 + .quad 0x0000000000000000 /* 0x4b reserved */
14229 + .quad 0x0000000000000000 /* 0x53 reserved */
14230 + .quad 0x0000000000000000 /* 0x5b reserved */
14232 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
14233 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
14234 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
14235 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
14237 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
14238 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
14241 + * Segments used for calling PnP BIOS have byte granularity.
14242 + * The code segments and data segments have fixed 64k limits,
14243 + * the transfer segment sizes are set at run time.
14245 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
14246 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
14247 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
14248 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
14249 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
14252 + * The APM segments have byte granularity and their bases
14253 + * are set at run time. All have 64k limits.
14255 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
14256 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
14257 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
14259 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
14260 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
14261 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
14262 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
14263 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
14264 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
14266 + /* Be sure this is zeroed to avoid false validations in Xen */
14267 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
14269 diff -urNp linux-2.6.32.42/arch/x86/kernel/head_64.S linux-2.6.32.42/arch/x86/kernel/head_64.S
14270 --- linux-2.6.32.42/arch/x86/kernel/head_64.S 2011-03-27 14:31:47.000000000 -0400
14271 +++ linux-2.6.32.42/arch/x86/kernel/head_64.S 2011-04-17 15:56:46.000000000 -0400
14273 #include <asm/cache.h>
14274 #include <asm/processor-flags.h>
14275 #include <asm/percpu.h>
14276 +#include <asm/cpufeature.h>
14278 #ifdef CONFIG_PARAVIRT
14279 #include <asm/asm-offsets.h>
14280 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
14281 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
14282 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
14283 L3_START_KERNEL = pud_index(__START_KERNEL_map)
14284 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
14285 +L3_VMALLOC_START = pud_index(VMALLOC_START)
14286 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
14287 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
14291 @@ -85,35 +90,22 @@ startup_64:
14293 addq %rbp, init_level4_pgt + 0(%rip)
14294 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
14295 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
14296 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
14297 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
14299 addq %rbp, level3_ident_pgt + 0(%rip)
14300 +#ifndef CONFIG_XEN
14301 + addq %rbp, level3_ident_pgt + 8(%rip)
14304 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
14305 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
14306 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
14308 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
14309 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
14310 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
14312 - /* Add an Identity mapping if I am above 1G */
14313 - leaq _text(%rip), %rdi
14314 - andq $PMD_PAGE_MASK, %rdi
14317 - shrq $PUD_SHIFT, %rax
14318 - andq $(PTRS_PER_PUD - 1), %rax
14319 - jz ident_complete
14321 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
14322 - leaq level3_ident_pgt(%rip), %rbx
14323 - movq %rdx, 0(%rbx, %rax, 8)
14326 - shrq $PMD_SHIFT, %rax
14327 - andq $(PTRS_PER_PMD - 1), %rax
14328 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
14329 - leaq level2_spare_pgt(%rip), %rbx
14330 - movq %rdx, 0(%rbx, %rax, 8)
14332 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
14333 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
14336 * Fixup the kernel text+data virtual addresses. Note that
14337 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
14338 * after the boot processor executes this code.
14341 - /* Enable PAE mode and PGE */
14342 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
14343 + /* Enable PAE mode and PSE/PGE */
14344 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
14347 /* Setup early boot stage 4 level pagetables. */
14348 @@ -184,9 +176,13 @@ ENTRY(secondary_startup_64)
14349 movl $MSR_EFER, %ecx
14351 btsl $_EFER_SCE, %eax /* Enable System Call */
14352 - btl $20,%edi /* No Execute supported? */
14353 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
14355 btsl $_EFER_NX, %eax
14356 + leaq init_level4_pgt(%rip), %rdi
14357 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
14358 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
14359 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
14360 1: wrmsr /* Make changes effective */
14363 @@ -262,16 +258,16 @@ ENTRY(secondary_startup_64)
14364 .quad x86_64_start_kernel
14366 .quad INIT_PER_CPU_VAR(irq_stack_union)
14370 .quad init_thread_union+THREAD_SIZE-8
14377 - .section ".init.text","ax"
14379 #ifdef CONFIG_EARLY_PRINTK
14380 .globl early_idt_handlers
14381 early_idt_handlers:
14382 @@ -316,18 +312,23 @@ ENTRY(early_idt_handler)
14383 #endif /* EARLY_PRINTK */
14388 #ifdef CONFIG_EARLY_PRINTK
14390 early_recursion_flag:
14394 + .section .rodata,"a",@progbits
14396 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
14399 -#endif /* CONFIG_EARLY_PRINTK */
14401 +#endif /* CONFIG_EARLY_PRINTK */
14403 + .section .rodata,"a",@progbits
14404 #define NEXT_PAGE(name) \
14405 .balign PAGE_SIZE; \
14407 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
14408 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
14409 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
14410 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
14411 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
14412 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
14413 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
14414 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
14415 .org init_level4_pgt + L4_START_KERNEL*8, 0
14416 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
14417 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
14419 +#ifdef CONFIG_PAX_PER_CPU_PGD
14420 +NEXT_PAGE(cpu_pgd)
14426 NEXT_PAGE(level3_ident_pgt)
14427 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
14431 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
14435 +NEXT_PAGE(level3_vmalloc_pgt)
14438 +NEXT_PAGE(level3_vmemmap_pgt)
14439 + .fill L3_VMEMMAP_START,8,0
14440 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
14442 NEXT_PAGE(level3_kernel_pgt)
14443 .fill L3_START_KERNEL,8,0
14444 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
14445 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
14446 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
14448 +NEXT_PAGE(level2_vmemmap_pgt)
14451 NEXT_PAGE(level2_fixmap_pgt)
14453 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
14454 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
14457 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
14458 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
14461 -NEXT_PAGE(level1_fixmap_pgt)
14462 +NEXT_PAGE(level1_vsyscall_pgt)
14465 -NEXT_PAGE(level2_ident_pgt)
14466 - /* Since I easily can, map the first 1G.
14467 + /* Since I easily can, map the first 2G.
14468 * Don't set NX because code runs from these pages.
14470 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
14471 +NEXT_PAGE(level2_ident_pgt)
14472 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
14474 NEXT_PAGE(level2_kernel_pgt)
14476 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
14477 * If you want to increase this then increase MODULES_VADDR
14480 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
14481 - KERNEL_IMAGE_SIZE/PMD_SIZE)
14483 -NEXT_PAGE(level2_spare_pgt)
14485 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
14492 +ENTRY(cpu_gdt_table)
14494 + .quad 0x0000000000000000 /* NULL descriptor */
14495 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
14496 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
14497 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
14498 + .quad 0x00cffb000000ffff /* __USER32_CS */
14499 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
14500 + .quad 0x00affb000000ffff /* __USER_CS */
14502 +#ifdef CONFIG_PAX_KERNEXEC
14503 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
14505 + .quad 0x0 /* unused */
14508 + .quad 0,0 /* TSS */
14509 + .quad 0,0 /* LDT */
14510 + .quad 0,0,0 /* three TLS descriptors */
14511 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
14512 + /* asm/segment.h:GDT_ENTRIES must match this */
14514 + /* zero the remaining page */
14515 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
14519 .globl early_gdt_descr
14521 .word GDT_ENTRIES*8-1
14522 early_gdt_descr_base:
14523 - .quad INIT_PER_CPU_VAR(gdt_page)
14524 + .quad cpu_gdt_table
14527 /* This must match the first entry in level2_kernel_pgt */
14528 .quad 0x0000000000000000
14530 #include "../../x86/xen/xen-head.S"
14532 - .section .bss, "aw", @nobits
14534 + .section .rodata,"a",@progbits
14535 .align L1_CACHE_BYTES
14537 - .skip IDT_ENTRIES * 16
14542 diff -urNp linux-2.6.32.42/arch/x86/kernel/i386_ksyms_32.c linux-2.6.32.42/arch/x86/kernel/i386_ksyms_32.c
14543 --- linux-2.6.32.42/arch/x86/kernel/i386_ksyms_32.c 2011-03-27 14:31:47.000000000 -0400
14544 +++ linux-2.6.32.42/arch/x86/kernel/i386_ksyms_32.c 2011-04-17 15:56:46.000000000 -0400
14545 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
14546 EXPORT_SYMBOL(cmpxchg8b_emu);
14549 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
14551 /* Networking helper routines. */
14552 EXPORT_SYMBOL(csum_partial_copy_generic);
14553 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
14554 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
14556 EXPORT_SYMBOL(__get_user_1);
14557 EXPORT_SYMBOL(__get_user_2);
14558 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
14560 EXPORT_SYMBOL(csum_partial);
14561 EXPORT_SYMBOL(empty_zero_page);
14563 +#ifdef CONFIG_PAX_KERNEXEC
14564 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
14566 diff -urNp linux-2.6.32.42/arch/x86/kernel/i8259.c linux-2.6.32.42/arch/x86/kernel/i8259.c
14567 --- linux-2.6.32.42/arch/x86/kernel/i8259.c 2011-03-27 14:31:47.000000000 -0400
14568 +++ linux-2.6.32.42/arch/x86/kernel/i8259.c 2011-05-04 17:56:28.000000000 -0400
14569 @@ -208,7 +208,7 @@ spurious_8259A_irq:
14570 "spurious 8259A interrupt: IRQ%d.\n", irq);
14571 spurious_irq_mask |= irqmask;
14573 - atomic_inc(&irq_err_count);
14574 + atomic_inc_unchecked(&irq_err_count);
14576 * Theoretically we do not have to handle this IRQ,
14577 * but in Linux this does not cause problems and is
14578 diff -urNp linux-2.6.32.42/arch/x86/kernel/init_task.c linux-2.6.32.42/arch/x86/kernel/init_task.c
14579 --- linux-2.6.32.42/arch/x86/kernel/init_task.c 2011-03-27 14:31:47.000000000 -0400
14580 +++ linux-2.6.32.42/arch/x86/kernel/init_task.c 2011-04-17 15:56:46.000000000 -0400
14581 @@ -20,8 +20,7 @@ static struct sighand_struct init_sighan
14582 * way process stacks are handled. This is done by having a special
14583 * "init_task" linker map entry..
14585 -union thread_union init_thread_union __init_task_data =
14586 - { INIT_THREAD_INFO(init_task) };
14587 +union thread_union init_thread_union __init_task_data;
14590 * Initial task structure.
14591 @@ -38,5 +37,5 @@ EXPORT_SYMBOL(init_task);
14592 * section. Since TSS's are completely CPU-local, we want them
14593 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
14595 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
14597 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
14598 +EXPORT_SYMBOL(init_tss);
14599 diff -urNp linux-2.6.32.42/arch/x86/kernel/ioport.c linux-2.6.32.42/arch/x86/kernel/ioport.c
14600 --- linux-2.6.32.42/arch/x86/kernel/ioport.c 2011-03-27 14:31:47.000000000 -0400
14601 +++ linux-2.6.32.42/arch/x86/kernel/ioport.c 2011-04-17 15:56:46.000000000 -0400
14603 #include <linux/sched.h>
14604 #include <linux/kernel.h>
14605 #include <linux/capability.h>
14606 +#include <linux/security.h>
14607 #include <linux/errno.h>
14608 #include <linux/types.h>
14609 #include <linux/ioport.h>
14610 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
14612 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
14614 +#ifdef CONFIG_GRKERNSEC_IO
14615 + if (turn_on && grsec_disable_privio) {
14616 + gr_handle_ioperm();
14620 if (turn_on && !capable(CAP_SYS_RAWIO))
14623 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
14624 * because the ->io_bitmap_max value must match the bitmap
14627 - tss = &per_cpu(init_tss, get_cpu());
14628 + tss = init_tss + get_cpu();
14630 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
14632 @@ -111,6 +118,12 @@ static int do_iopl(unsigned int level, s
14634 /* Trying to gain more privileges? */
14636 +#ifdef CONFIG_GRKERNSEC_IO
14637 + if (grsec_disable_privio) {
14638 + gr_handle_iopl();
14642 if (!capable(CAP_SYS_RAWIO))
14645 diff -urNp linux-2.6.32.42/arch/x86/kernel/irq_32.c linux-2.6.32.42/arch/x86/kernel/irq_32.c
14646 --- linux-2.6.32.42/arch/x86/kernel/irq_32.c 2011-03-27 14:31:47.000000000 -0400
14647 +++ linux-2.6.32.42/arch/x86/kernel/irq_32.c 2011-04-23 13:26:46.000000000 -0400
14648 @@ -35,7 +35,7 @@ static int check_stack_overflow(void)
14649 __asm__ __volatile__("andl %%esp,%0" :
14650 "=r" (sp) : "0" (THREAD_SIZE - 1));
14652 - return sp < (sizeof(struct thread_info) + STACK_WARN);
14653 + return sp < STACK_WARN;
14656 static void print_stack_overflow(void)
14657 @@ -54,9 +54,9 @@ static inline void print_stack_overflow(
14658 * per-CPU IRQ handling contexts (thread information and stack)
14661 - struct thread_info tinfo;
14662 - u32 stack[THREAD_SIZE/sizeof(u32)];
14663 -} __attribute__((aligned(PAGE_SIZE)));
14664 + unsigned long previous_esp;
14665 + u32 stack[THREAD_SIZE/sizeof(u32)];
14666 +} __attribute__((aligned(THREAD_SIZE)));
14668 static DEFINE_PER_CPU(union irq_ctx *, hardirq_ctx);
14669 static DEFINE_PER_CPU(union irq_ctx *, softirq_ctx);
14670 @@ -78,10 +78,9 @@ static void call_on_stack(void *func, vo
14672 execute_on_irq_stack(int overflow, struct irq_desc *desc, int irq)
14674 - union irq_ctx *curctx, *irqctx;
14675 + union irq_ctx *irqctx;
14676 u32 *isp, arg1, arg2;
14678 - curctx = (union irq_ctx *) current_thread_info();
14679 irqctx = __get_cpu_var(hardirq_ctx);
14682 @@ -90,21 +89,17 @@ execute_on_irq_stack(int overflow, struc
14683 * handler) we can't do that and just have to keep using the
14684 * current stack (which is the irq stack already after all)
14686 - if (unlikely(curctx == irqctx))
14687 + if (unlikely((void *)current_stack_pointer - (void *)irqctx < THREAD_SIZE))
14690 /* build the stack frame on the IRQ stack */
14691 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
14692 - irqctx->tinfo.task = curctx->tinfo.task;
14693 - irqctx->tinfo.previous_esp = current_stack_pointer;
14694 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
14695 + irqctx->previous_esp = current_stack_pointer;
14696 + add_preempt_count(HARDIRQ_OFFSET);
14699 - * Copy the softirq bits in preempt_count so that the
14700 - * softirq checks work in the hardirq context.
14702 - irqctx->tinfo.preempt_count =
14703 - (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
14704 - (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
14705 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14706 + __set_fs(MAKE_MM_SEG(0));
14709 if (unlikely(overflow))
14710 call_on_stack(print_stack_overflow, isp);
14711 @@ -116,6 +111,12 @@ execute_on_irq_stack(int overflow, struc
14712 : "0" (irq), "1" (desc), "2" (isp),
14713 "D" (desc->handle_irq)
14714 : "memory", "cc", "ecx");
14716 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14717 + __set_fs(current_thread_info()->addr_limit);
14720 + sub_preempt_count(HARDIRQ_OFFSET);
14724 @@ -124,28 +125,11 @@ execute_on_irq_stack(int overflow, struc
14726 void __cpuinit irq_ctx_init(int cpu)
14728 - union irq_ctx *irqctx;
14730 if (per_cpu(hardirq_ctx, cpu))
14733 - irqctx = &per_cpu(hardirq_stack, cpu);
14734 - irqctx->tinfo.task = NULL;
14735 - irqctx->tinfo.exec_domain = NULL;
14736 - irqctx->tinfo.cpu = cpu;
14737 - irqctx->tinfo.preempt_count = HARDIRQ_OFFSET;
14738 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
14740 - per_cpu(hardirq_ctx, cpu) = irqctx;
14742 - irqctx = &per_cpu(softirq_stack, cpu);
14743 - irqctx->tinfo.task = NULL;
14744 - irqctx->tinfo.exec_domain = NULL;
14745 - irqctx->tinfo.cpu = cpu;
14746 - irqctx->tinfo.preempt_count = 0;
14747 - irqctx->tinfo.addr_limit = MAKE_MM_SEG(0);
14749 - per_cpu(softirq_ctx, cpu) = irqctx;
14750 + per_cpu(hardirq_ctx, cpu) = &per_cpu(hardirq_stack, cpu);
14751 + per_cpu(softirq_ctx, cpu) = &per_cpu(softirq_stack, cpu);
14753 printk(KERN_DEBUG "CPU %u irqstacks, hard=%p soft=%p\n",
14754 cpu, per_cpu(hardirq_ctx, cpu), per_cpu(softirq_ctx, cpu));
14755 @@ -159,7 +143,6 @@ void irq_ctx_exit(int cpu)
14756 asmlinkage void do_softirq(void)
14758 unsigned long flags;
14759 - struct thread_info *curctx;
14760 union irq_ctx *irqctx;
14763 @@ -169,15 +152,22 @@ asmlinkage void do_softirq(void)
14764 local_irq_save(flags);
14766 if (local_softirq_pending()) {
14767 - curctx = current_thread_info();
14768 irqctx = __get_cpu_var(softirq_ctx);
14769 - irqctx->tinfo.task = curctx->task;
14770 - irqctx->tinfo.previous_esp = current_stack_pointer;
14771 + irqctx->previous_esp = current_stack_pointer;
14773 /* build the stack frame on the softirq stack */
14774 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
14775 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
14777 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14778 + __set_fs(MAKE_MM_SEG(0));
14781 call_on_stack(__do_softirq, isp);
14783 +#ifdef CONFIG_PAX_MEMORY_UDEREF
14784 + __set_fs(current_thread_info()->addr_limit);
14788 * Shouldnt happen, we returned above if in_interrupt():
14790 diff -urNp linux-2.6.32.42/arch/x86/kernel/irq.c linux-2.6.32.42/arch/x86/kernel/irq.c
14791 --- linux-2.6.32.42/arch/x86/kernel/irq.c 2011-03-27 14:31:47.000000000 -0400
14792 +++ linux-2.6.32.42/arch/x86/kernel/irq.c 2011-05-04 17:56:28.000000000 -0400
14794 #include <asm/mce.h>
14795 #include <asm/hw_irq.h>
14797 -atomic_t irq_err_count;
14798 +atomic_unchecked_t irq_err_count;
14800 /* Function pointer for generic interrupt vector handling */
14801 void (*generic_interrupt_extension)(void) = NULL;
14802 @@ -114,9 +114,9 @@ static int show_other_interrupts(struct
14803 seq_printf(p, "%10u ", per_cpu(mce_poll_count, j));
14804 seq_printf(p, " Machine check polls\n");
14806 - seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read(&irq_err_count));
14807 + seq_printf(p, "%*s: %10u\n", prec, "ERR", atomic_read_unchecked(&irq_err_count));
14808 #if defined(CONFIG_X86_IO_APIC)
14809 - seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read(&irq_mis_count));
14810 + seq_printf(p, "%*s: %10u\n", prec, "MIS", atomic_read_unchecked(&irq_mis_count));
14814 @@ -209,10 +209,10 @@ u64 arch_irq_stat_cpu(unsigned int cpu)
14816 u64 arch_irq_stat(void)
14818 - u64 sum = atomic_read(&irq_err_count);
14819 + u64 sum = atomic_read_unchecked(&irq_err_count);
14821 #ifdef CONFIG_X86_IO_APIC
14822 - sum += atomic_read(&irq_mis_count);
14823 + sum += atomic_read_unchecked(&irq_mis_count);
14827 diff -urNp linux-2.6.32.42/arch/x86/kernel/kgdb.c linux-2.6.32.42/arch/x86/kernel/kgdb.c
14828 --- linux-2.6.32.42/arch/x86/kernel/kgdb.c 2011-03-27 14:31:47.000000000 -0400
14829 +++ linux-2.6.32.42/arch/x86/kernel/kgdb.c 2011-05-04 17:56:20.000000000 -0400
14830 @@ -390,13 +390,13 @@ int kgdb_arch_handle_exception(int e_vec
14832 /* clear the trace bit */
14833 linux_regs->flags &= ~X86_EFLAGS_TF;
14834 - atomic_set(&kgdb_cpu_doing_single_step, -1);
14835 + atomic_set_unchecked(&kgdb_cpu_doing_single_step, -1);
14837 /* set the trace bit if we're stepping */
14838 if (remcomInBuffer[0] == 's') {
14839 linux_regs->flags |= X86_EFLAGS_TF;
14840 kgdb_single_step = 1;
14841 - atomic_set(&kgdb_cpu_doing_single_step,
14842 + atomic_set_unchecked(&kgdb_cpu_doing_single_step,
14843 raw_smp_processor_id());
14846 @@ -476,7 +476,7 @@ static int __kgdb_notify(struct die_args
14850 - if (atomic_read(&kgdb_cpu_doing_single_step) ==
14851 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) ==
14852 raw_smp_processor_id()) {
14853 if (user_mode(regs))
14854 return single_step_cont(regs, args);
14855 @@ -573,7 +573,7 @@ unsigned long kgdb_arch_pc(int exception
14856 return instruction_pointer(regs);
14859 -struct kgdb_arch arch_kgdb_ops = {
14860 +const struct kgdb_arch arch_kgdb_ops = {
14861 /* Breakpoint instruction: */
14862 .gdb_bpt_instr = { 0xcc },
14863 .flags = KGDB_HW_BREAKPOINT,
14864 diff -urNp linux-2.6.32.42/arch/x86/kernel/kprobes.c linux-2.6.32.42/arch/x86/kernel/kprobes.c
14865 --- linux-2.6.32.42/arch/x86/kernel/kprobes.c 2011-03-27 14:31:47.000000000 -0400
14866 +++ linux-2.6.32.42/arch/x86/kernel/kprobes.c 2011-04-17 15:56:46.000000000 -0400
14867 @@ -166,9 +166,13 @@ static void __kprobes set_jmp_op(void *f
14870 } __attribute__((packed)) * jop;
14871 - jop = (struct __arch_jmp_op *)from;
14873 + jop = (struct __arch_jmp_op *)(ktla_ktva(from));
14875 + pax_open_kernel();
14876 jop->raddr = (s32)((long)(to) - ((long)(from) + 5));
14877 jop->op = RELATIVEJUMP_INSTRUCTION;
14878 + pax_close_kernel();
14882 @@ -193,7 +197,7 @@ static int __kprobes can_boost(kprobe_op
14883 kprobe_opcode_t opcode;
14884 kprobe_opcode_t *orig_opcodes = opcodes;
14886 - if (search_exception_tables((unsigned long)opcodes))
14887 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
14888 return 0; /* Page fault may occur on this address. */
14891 @@ -337,7 +341,9 @@ static void __kprobes fix_riprel(struct
14892 disp = (u8 *) p->addr + *((s32 *) insn) -
14893 (u8 *) p->ainsn.insn;
14894 BUG_ON((s64) (s32) disp != disp); /* Sanity check. */
14895 + pax_open_kernel();
14896 *(s32 *)insn = (s32) disp;
14897 + pax_close_kernel();
14901 @@ -345,16 +351,18 @@ static void __kprobes fix_riprel(struct
14903 static void __kprobes arch_copy_kprobe(struct kprobe *p)
14905 - memcpy(p->ainsn.insn, p->addr, MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
14906 + pax_open_kernel();
14907 + memcpy(p->ainsn.insn, ktla_ktva(p->addr), MAX_INSN_SIZE * sizeof(kprobe_opcode_t));
14908 + pax_close_kernel();
14912 - if (can_boost(p->addr))
14913 + if (can_boost(ktla_ktva(p->addr)))
14914 p->ainsn.boostable = 0;
14916 p->ainsn.boostable = -1;
14918 - p->opcode = *p->addr;
14919 + p->opcode = *(ktla_ktva(p->addr));
14922 int __kprobes arch_prepare_kprobe(struct kprobe *p)
14923 @@ -432,7 +440,7 @@ static void __kprobes prepare_singlestep
14924 if (p->opcode == BREAKPOINT_INSTRUCTION)
14925 regs->ip = (unsigned long)p->addr;
14927 - regs->ip = (unsigned long)p->ainsn.insn;
14928 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14931 void __kprobes arch_prepare_kretprobe(struct kretprobe_instance *ri,
14932 @@ -453,7 +461,7 @@ static void __kprobes setup_singlestep(s
14933 if (p->ainsn.boostable == 1 && !p->post_handler) {
14934 /* Boost up -- we can execute copied instructions directly */
14935 reset_current_kprobe();
14936 - regs->ip = (unsigned long)p->ainsn.insn;
14937 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
14938 preempt_enable_no_resched();
14941 @@ -523,7 +531,7 @@ static int __kprobes kprobe_handler(stru
14942 struct kprobe_ctlblk *kcb;
14944 addr = (kprobe_opcode_t *)(regs->ip - sizeof(kprobe_opcode_t));
14945 - if (*addr != BREAKPOINT_INSTRUCTION) {
14946 + if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
14948 * The breakpoint instruction was removed right
14949 * after we hit it. Another cpu has removed
14950 @@ -775,7 +783,7 @@ static void __kprobes resume_execution(s
14951 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
14953 unsigned long *tos = stack_addr(regs);
14954 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
14955 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
14956 unsigned long orig_ip = (unsigned long)p->addr;
14957 kprobe_opcode_t *insn = p->ainsn.insn;
14959 @@ -958,7 +966,7 @@ int __kprobes kprobe_exceptions_notify(s
14960 struct die_args *args = data;
14961 int ret = NOTIFY_DONE;
14963 - if (args->regs && user_mode_vm(args->regs))
14964 + if (args->regs && user_mode(args->regs))
14968 diff -urNp linux-2.6.32.42/arch/x86/kernel/ldt.c linux-2.6.32.42/arch/x86/kernel/ldt.c
14969 --- linux-2.6.32.42/arch/x86/kernel/ldt.c 2011-03-27 14:31:47.000000000 -0400
14970 +++ linux-2.6.32.42/arch/x86/kernel/ldt.c 2011-04-17 15:56:46.000000000 -0400
14971 @@ -66,13 +66,13 @@ static int alloc_ldt(mm_context_t *pc, i
14976 + load_LDT_nolock(pc);
14977 if (!cpumask_equal(mm_cpumask(current->mm),
14978 cpumask_of(smp_processor_id())))
14979 smp_call_function(flush_ldt, current->mm, 1);
14983 + load_LDT_nolock(pc);
14987 @@ -94,7 +94,7 @@ static inline int copy_ldt(mm_context_t
14990 for (i = 0; i < old->size; i++)
14991 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
14992 + write_ldt_entry(new->ldt, i, old->ldt + i);
14996 @@ -115,6 +115,24 @@ int init_new_context(struct task_struct
14997 retval = copy_ldt(&mm->context, &old_mm->context);
14998 mutex_unlock(&old_mm->context.lock);
15001 + if (tsk == current) {
15002 + mm->context.vdso = 0;
15004 +#ifdef CONFIG_X86_32
15005 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
15006 + mm->context.user_cs_base = 0UL;
15007 + mm->context.user_cs_limit = ~0UL;
15009 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
15010 + cpus_clear(mm->context.cpu_user_cs_mask);
15021 @@ -229,6 +247,13 @@ static int write_ldt(void __user *ptr, u
15025 +#ifdef CONFIG_PAX_SEGMEXEC
15026 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
15032 fill_ldt(&ldt, &ldt_info);
15035 diff -urNp linux-2.6.32.42/arch/x86/kernel/machine_kexec_32.c linux-2.6.32.42/arch/x86/kernel/machine_kexec_32.c
15036 --- linux-2.6.32.42/arch/x86/kernel/machine_kexec_32.c 2011-03-27 14:31:47.000000000 -0400
15037 +++ linux-2.6.32.42/arch/x86/kernel/machine_kexec_32.c 2011-04-17 15:56:46.000000000 -0400
15039 #include <asm/system.h>
15040 #include <asm/cacheflush.h>
15042 -static void set_idt(void *newidt, __u16 limit)
15043 +static void set_idt(struct desc_struct *newidt, __u16 limit)
15045 struct desc_ptr curidt;
15047 @@ -38,7 +38,7 @@ static void set_idt(void *newidt, __u16
15051 -static void set_gdt(void *newgdt, __u16 limit)
15052 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
15054 struct desc_ptr curgdt;
15056 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
15059 control_page = page_address(image->control_code_page);
15060 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
15061 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
15063 relocate_kernel_ptr = control_page;
15064 page_list[PA_CONTROL_PAGE] = __pa(control_page);
15065 diff -urNp linux-2.6.32.42/arch/x86/kernel/microcode_amd.c linux-2.6.32.42/arch/x86/kernel/microcode_amd.c
15066 --- linux-2.6.32.42/arch/x86/kernel/microcode_amd.c 2011-04-17 17:00:52.000000000 -0400
15067 +++ linux-2.6.32.42/arch/x86/kernel/microcode_amd.c 2011-04-17 17:03:05.000000000 -0400
15068 @@ -364,7 +364,7 @@ static void microcode_fini_cpu_amd(int c
15072 -static struct microcode_ops microcode_amd_ops = {
15073 +static const struct microcode_ops microcode_amd_ops = {
15074 .request_microcode_user = request_microcode_user,
15075 .request_microcode_fw = request_microcode_fw,
15076 .collect_cpu_info = collect_cpu_info_amd,
15077 @@ -372,7 +372,7 @@ static struct microcode_ops microcode_am
15078 .microcode_fini_cpu = microcode_fini_cpu_amd,
15081 -struct microcode_ops * __init init_amd_microcode(void)
15082 +const struct microcode_ops * __init init_amd_microcode(void)
15084 return µcode_amd_ops;
15086 diff -urNp linux-2.6.32.42/arch/x86/kernel/microcode_core.c linux-2.6.32.42/arch/x86/kernel/microcode_core.c
15087 --- linux-2.6.32.42/arch/x86/kernel/microcode_core.c 2011-03-27 14:31:47.000000000 -0400
15088 +++ linux-2.6.32.42/arch/x86/kernel/microcode_core.c 2011-04-17 15:56:46.000000000 -0400
15089 @@ -90,7 +90,7 @@ MODULE_LICENSE("GPL");
15091 #define MICROCODE_VERSION "2.00"
15093 -static struct microcode_ops *microcode_ops;
15094 +static const struct microcode_ops *microcode_ops;
15098 diff -urNp linux-2.6.32.42/arch/x86/kernel/microcode_intel.c linux-2.6.32.42/arch/x86/kernel/microcode_intel.c
15099 --- linux-2.6.32.42/arch/x86/kernel/microcode_intel.c 2011-03-27 14:31:47.000000000 -0400
15100 +++ linux-2.6.32.42/arch/x86/kernel/microcode_intel.c 2011-04-17 15:56:46.000000000 -0400
15101 @@ -443,13 +443,13 @@ static enum ucode_state request_microcod
15103 static int get_ucode_user(void *to, const void *from, size_t n)
15105 - return copy_from_user(to, from, n);
15106 + return copy_from_user(to, (__force const void __user *)from, n);
15109 static enum ucode_state
15110 request_microcode_user(int cpu, const void __user *buf, size_t size)
15112 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
15113 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
15116 static void microcode_fini_cpu(int cpu)
15117 @@ -460,7 +460,7 @@ static void microcode_fini_cpu(int cpu)
15121 -static struct microcode_ops microcode_intel_ops = {
15122 +static const struct microcode_ops microcode_intel_ops = {
15123 .request_microcode_user = request_microcode_user,
15124 .request_microcode_fw = request_microcode_fw,
15125 .collect_cpu_info = collect_cpu_info,
15126 @@ -468,7 +468,7 @@ static struct microcode_ops microcode_in
15127 .microcode_fini_cpu = microcode_fini_cpu,
15130 -struct microcode_ops * __init init_intel_microcode(void)
15131 +const struct microcode_ops * __init init_intel_microcode(void)
15133 return µcode_intel_ops;
15135 diff -urNp linux-2.6.32.42/arch/x86/kernel/module.c linux-2.6.32.42/arch/x86/kernel/module.c
15136 --- linux-2.6.32.42/arch/x86/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
15137 +++ linux-2.6.32.42/arch/x86/kernel/module.c 2011-04-17 15:56:46.000000000 -0400
15139 #define DEBUGP(fmt...)
15142 -void *module_alloc(unsigned long size)
15143 +static void *__module_alloc(unsigned long size, pgprot_t prot)
15145 struct vm_struct *area;
15147 @@ -48,8 +48,18 @@ void *module_alloc(unsigned long size)
15151 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
15152 - PAGE_KERNEL_EXEC);
15153 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
15156 +void *module_alloc(unsigned long size)
15159 +#ifdef CONFIG_PAX_KERNEXEC
15160 + return __module_alloc(size, PAGE_KERNEL);
15162 + return __module_alloc(size, PAGE_KERNEL_EXEC);
15167 /* Free memory returned from module_alloc */
15168 @@ -58,6 +68,40 @@ void module_free(struct module *mod, voi
15169 vfree(module_region);
15172 +#ifdef CONFIG_PAX_KERNEXEC
15173 +#ifdef CONFIG_X86_32
15174 +void *module_alloc_exec(unsigned long size)
15176 + struct vm_struct *area;
15181 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
15182 + return area ? area->addr : NULL;
15184 +EXPORT_SYMBOL(module_alloc_exec);
15186 +void module_free_exec(struct module *mod, void *module_region)
15188 + vunmap(module_region);
15190 +EXPORT_SYMBOL(module_free_exec);
15192 +void module_free_exec(struct module *mod, void *module_region)
15194 + module_free(mod, module_region);
15196 +EXPORT_SYMBOL(module_free_exec);
15198 +void *module_alloc_exec(unsigned long size)
15200 + return __module_alloc(size, PAGE_KERNEL_RX);
15202 +EXPORT_SYMBOL(module_alloc_exec);
15206 /* We don't need anything special. */
15207 int module_frob_arch_sections(Elf_Ehdr *hdr,
15209 @@ -77,14 +121,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
15211 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
15213 - uint32_t *location;
15214 + uint32_t *plocation, location;
15216 DEBUGP("Applying relocate section %u to %u\n", relsec,
15217 sechdrs[relsec].sh_info);
15218 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
15219 /* This is where to make the change */
15220 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
15221 - + rel[i].r_offset;
15222 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
15223 + location = (uint32_t)plocation;
15224 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
15225 + plocation = ktla_ktva((void *)plocation);
15226 /* This is the symbol it is referring to. Note that all
15227 undefined symbols have been resolved. */
15228 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
15229 @@ -93,11 +139,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
15230 switch (ELF32_R_TYPE(rel[i].r_info)) {
15232 /* We add the value into the location given */
15233 - *location += sym->st_value;
15234 + pax_open_kernel();
15235 + *plocation += sym->st_value;
15236 + pax_close_kernel();
15239 /* Add the value, subtract its postition */
15240 - *location += sym->st_value - (uint32_t)location;
15241 + pax_open_kernel();
15242 + *plocation += sym->st_value - location;
15243 + pax_close_kernel();
15246 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
15247 @@ -153,21 +203,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
15248 case R_X86_64_NONE:
15251 + pax_open_kernel();
15253 + pax_close_kernel();
15256 + pax_open_kernel();
15258 + pax_close_kernel();
15259 if (val != *(u32 *)loc)
15263 + pax_open_kernel();
15265 + pax_close_kernel();
15266 if ((s64)val != *(s32 *)loc)
15269 case R_X86_64_PC32:
15271 + pax_open_kernel();
15273 + pax_close_kernel();
15276 if ((s64)val != *(s32 *)loc)
15278 diff -urNp linux-2.6.32.42/arch/x86/kernel/paravirt.c linux-2.6.32.42/arch/x86/kernel/paravirt.c
15279 --- linux-2.6.32.42/arch/x86/kernel/paravirt.c 2011-03-27 14:31:47.000000000 -0400
15280 +++ linux-2.6.32.42/arch/x86/kernel/paravirt.c 2011-05-16 21:46:57.000000000 -0400
15281 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
15282 * corresponding structure. */
15283 static void *get_call_destination(u8 type)
15285 - struct paravirt_patch_template tmpl = {
15286 + const struct paravirt_patch_template tmpl = {
15287 .pv_init_ops = pv_init_ops,
15288 .pv_time_ops = pv_time_ops,
15289 .pv_cpu_ops = pv_cpu_ops,
15290 @@ -133,6 +133,9 @@ static void *get_call_destination(u8 typ
15291 .pv_lock_ops = pv_lock_ops,
15295 + pax_track_stack();
15297 return *((void **)&tmpl + type);
15300 @@ -145,14 +148,14 @@ unsigned paravirt_patch_default(u8 type,
15301 if (opfunc == NULL)
15302 /* If there's no function, patch it with a ud2a (BUG) */
15303 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
15304 - else if (opfunc == _paravirt_nop)
15305 + else if (opfunc == (void *)_paravirt_nop)
15306 /* If the operation is a nop, then nop the callsite */
15307 ret = paravirt_patch_nop();
15309 /* identity functions just return their single argument */
15310 - else if (opfunc == _paravirt_ident_32)
15311 + else if (opfunc == (void *)_paravirt_ident_32)
15312 ret = paravirt_patch_ident_32(insnbuf, len);
15313 - else if (opfunc == _paravirt_ident_64)
15314 + else if (opfunc == (void *)_paravirt_ident_64)
15315 ret = paravirt_patch_ident_64(insnbuf, len);
15317 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
15318 @@ -178,7 +181,7 @@ unsigned paravirt_patch_insns(void *insn
15319 if (insn_len > len || start == NULL)
15322 - memcpy(insnbuf, start, insn_len);
15323 + memcpy(insnbuf, ktla_ktva(start), insn_len);
15327 @@ -294,22 +297,22 @@ void arch_flush_lazy_mmu_mode(void)
15331 -struct pv_info pv_info = {
15332 +struct pv_info pv_info __read_only = {
15333 .name = "bare hardware",
15334 .paravirt_enabled = 0,
15336 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
15339 -struct pv_init_ops pv_init_ops = {
15340 +struct pv_init_ops pv_init_ops __read_only = {
15341 .patch = native_patch,
15344 -struct pv_time_ops pv_time_ops = {
15345 +struct pv_time_ops pv_time_ops __read_only = {
15346 .sched_clock = native_sched_clock,
15349 -struct pv_irq_ops pv_irq_ops = {
15350 +struct pv_irq_ops pv_irq_ops __read_only = {
15351 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
15352 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
15353 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
15354 @@ -321,7 +324,7 @@ struct pv_irq_ops pv_irq_ops = {
15358 -struct pv_cpu_ops pv_cpu_ops = {
15359 +struct pv_cpu_ops pv_cpu_ops __read_only = {
15360 .cpuid = native_cpuid,
15361 .get_debugreg = native_get_debugreg,
15362 .set_debugreg = native_set_debugreg,
15363 @@ -382,7 +385,7 @@ struct pv_cpu_ops pv_cpu_ops = {
15364 .end_context_switch = paravirt_nop,
15367 -struct pv_apic_ops pv_apic_ops = {
15368 +struct pv_apic_ops pv_apic_ops __read_only = {
15369 #ifdef CONFIG_X86_LOCAL_APIC
15370 .startup_ipi_hook = paravirt_nop,
15372 @@ -396,7 +399,7 @@ struct pv_apic_ops pv_apic_ops = {
15373 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
15376 -struct pv_mmu_ops pv_mmu_ops = {
15377 +struct pv_mmu_ops pv_mmu_ops __read_only = {
15379 .read_cr2 = native_read_cr2,
15380 .write_cr2 = native_write_cr2,
15381 @@ -467,6 +470,12 @@ struct pv_mmu_ops pv_mmu_ops = {
15384 .set_fixmap = native_set_fixmap,
15386 +#ifdef CONFIG_PAX_KERNEXEC
15387 + .pax_open_kernel = native_pax_open_kernel,
15388 + .pax_close_kernel = native_pax_close_kernel,
15393 EXPORT_SYMBOL_GPL(pv_time_ops);
15394 diff -urNp linux-2.6.32.42/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.32.42/arch/x86/kernel/paravirt-spinlocks.c
15395 --- linux-2.6.32.42/arch/x86/kernel/paravirt-spinlocks.c 2011-03-27 14:31:47.000000000 -0400
15396 +++ linux-2.6.32.42/arch/x86/kernel/paravirt-spinlocks.c 2011-04-17 15:56:46.000000000 -0400
15397 @@ -13,7 +13,7 @@ default_spin_lock_flags(raw_spinlock_t *
15398 __raw_spin_lock(lock);
15401 -struct pv_lock_ops pv_lock_ops = {
15402 +struct pv_lock_ops pv_lock_ops __read_only = {
15404 .spin_is_locked = __ticket_spin_is_locked,
15405 .spin_is_contended = __ticket_spin_is_contended,
15406 diff -urNp linux-2.6.32.42/arch/x86/kernel/pci-calgary_64.c linux-2.6.32.42/arch/x86/kernel/pci-calgary_64.c
15407 --- linux-2.6.32.42/arch/x86/kernel/pci-calgary_64.c 2011-03-27 14:31:47.000000000 -0400
15408 +++ linux-2.6.32.42/arch/x86/kernel/pci-calgary_64.c 2011-04-17 15:56:46.000000000 -0400
15409 @@ -477,7 +477,7 @@ static void calgary_free_coherent(struct
15410 free_pages((unsigned long)vaddr, get_order(size));
15413 -static struct dma_map_ops calgary_dma_ops = {
15414 +static const struct dma_map_ops calgary_dma_ops = {
15415 .alloc_coherent = calgary_alloc_coherent,
15416 .free_coherent = calgary_free_coherent,
15417 .map_sg = calgary_map_sg,
15418 diff -urNp linux-2.6.32.42/arch/x86/kernel/pci-dma.c linux-2.6.32.42/arch/x86/kernel/pci-dma.c
15419 --- linux-2.6.32.42/arch/x86/kernel/pci-dma.c 2011-03-27 14:31:47.000000000 -0400
15420 +++ linux-2.6.32.42/arch/x86/kernel/pci-dma.c 2011-04-17 15:56:46.000000000 -0400
15423 static int forbid_dac __read_mostly;
15425 -struct dma_map_ops *dma_ops;
15426 +const struct dma_map_ops *dma_ops;
15427 EXPORT_SYMBOL(dma_ops);
15429 static int iommu_sac_force __read_mostly;
15430 @@ -243,7 +243,7 @@ early_param("iommu", iommu_setup);
15432 int dma_supported(struct device *dev, u64 mask)
15434 - struct dma_map_ops *ops = get_dma_ops(dev);
15435 + const struct dma_map_ops *ops = get_dma_ops(dev);
15438 if (mask > 0xffffffff && forbid_dac > 0) {
15439 diff -urNp linux-2.6.32.42/arch/x86/kernel/pci-gart_64.c linux-2.6.32.42/arch/x86/kernel/pci-gart_64.c
15440 --- linux-2.6.32.42/arch/x86/kernel/pci-gart_64.c 2011-03-27 14:31:47.000000000 -0400
15441 +++ linux-2.6.32.42/arch/x86/kernel/pci-gart_64.c 2011-04-17 15:56:46.000000000 -0400
15442 @@ -682,7 +682,7 @@ static __init int init_k8_gatt(struct ag
15446 -static struct dma_map_ops gart_dma_ops = {
15447 +static const struct dma_map_ops gart_dma_ops = {
15448 .map_sg = gart_map_sg,
15449 .unmap_sg = gart_unmap_sg,
15450 .map_page = gart_map_page,
15451 diff -urNp linux-2.6.32.42/arch/x86/kernel/pci-nommu.c linux-2.6.32.42/arch/x86/kernel/pci-nommu.c
15452 --- linux-2.6.32.42/arch/x86/kernel/pci-nommu.c 2011-03-27 14:31:47.000000000 -0400
15453 +++ linux-2.6.32.42/arch/x86/kernel/pci-nommu.c 2011-04-17 15:56:46.000000000 -0400
15454 @@ -94,7 +94,7 @@ static void nommu_sync_sg_for_device(str
15455 flush_write_buffers();
15458 -struct dma_map_ops nommu_dma_ops = {
15459 +const struct dma_map_ops nommu_dma_ops = {
15460 .alloc_coherent = dma_generic_alloc_coherent,
15461 .free_coherent = nommu_free_coherent,
15462 .map_sg = nommu_map_sg,
15463 diff -urNp linux-2.6.32.42/arch/x86/kernel/pci-swiotlb.c linux-2.6.32.42/arch/x86/kernel/pci-swiotlb.c
15464 --- linux-2.6.32.42/arch/x86/kernel/pci-swiotlb.c 2011-03-27 14:31:47.000000000 -0400
15465 +++ linux-2.6.32.42/arch/x86/kernel/pci-swiotlb.c 2011-04-17 15:56:46.000000000 -0400
15466 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
15467 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
15470 -static struct dma_map_ops swiotlb_dma_ops = {
15471 +static const struct dma_map_ops swiotlb_dma_ops = {
15472 .mapping_error = swiotlb_dma_mapping_error,
15473 .alloc_coherent = x86_swiotlb_alloc_coherent,
15474 .free_coherent = swiotlb_free_coherent,
15475 diff -urNp linux-2.6.32.42/arch/x86/kernel/process_32.c linux-2.6.32.42/arch/x86/kernel/process_32.c
15476 --- linux-2.6.32.42/arch/x86/kernel/process_32.c 2011-06-25 12:55:34.000000000 -0400
15477 +++ linux-2.6.32.42/arch/x86/kernel/process_32.c 2011-06-25 12:56:37.000000000 -0400
15478 @@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
15479 unsigned long thread_saved_pc(struct task_struct *tsk)
15481 return ((unsigned long *)tsk->thread.sp)[3];
15482 +//XXX return tsk->thread.eip;
15486 @@ -129,15 +130,14 @@ void __show_regs(struct pt_regs *regs, i
15487 unsigned short ss, gs;
15490 - if (user_mode_vm(regs)) {
15491 + if (user_mode(regs)) {
15493 ss = regs->ss & 0xffff;
15494 - gs = get_user_gs(regs);
15496 sp = (unsigned long) (®s->sp);
15497 savesegment(ss, ss);
15498 - savesegment(gs, gs);
15500 + gs = get_user_gs(regs);
15504 @@ -210,10 +210,10 @@ int kernel_thread(int (*fn)(void *), voi
15505 regs.bx = (unsigned long) fn;
15506 regs.dx = (unsigned long) arg;
15508 - regs.ds = __USER_DS;
15509 - regs.es = __USER_DS;
15510 + regs.ds = __KERNEL_DS;
15511 + regs.es = __KERNEL_DS;
15512 regs.fs = __KERNEL_PERCPU;
15513 - regs.gs = __KERNEL_STACK_CANARY;
15514 + savesegment(gs, regs.gs);
15516 regs.ip = (unsigned long) kernel_thread_helper;
15517 regs.cs = __KERNEL_CS | get_kernel_rpl();
15518 @@ -247,13 +247,14 @@ int copy_thread(unsigned long clone_flag
15519 struct task_struct *tsk;
15522 - childregs = task_pt_regs(p);
15523 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
15524 *childregs = *regs;
15526 childregs->sp = sp;
15528 p->thread.sp = (unsigned long) childregs;
15529 p->thread.sp0 = (unsigned long) (childregs+1);
15530 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
15532 p->thread.ip = (unsigned long) ret_from_fork;
15534 @@ -345,7 +346,7 @@ __switch_to(struct task_struct *prev_p,
15535 struct thread_struct *prev = &prev_p->thread,
15536 *next = &next_p->thread;
15537 int cpu = smp_processor_id();
15538 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
15539 + struct tss_struct *tss = init_tss + cpu;
15542 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
15543 @@ -380,6 +381,10 @@ __switch_to(struct task_struct *prev_p,
15545 lazy_save_gs(prev->gs);
15547 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15548 + __set_fs(task_thread_info(next_p)->addr_limit);
15552 * Load the per-thread Thread-Local Storage descriptor.
15554 @@ -415,6 +420,9 @@ __switch_to(struct task_struct *prev_p,
15556 arch_end_context_switch(next_p);
15558 + percpu_write(current_task, next_p);
15559 + percpu_write(current_tinfo, &next_p->tinfo);
15562 __math_state_restore();
15564 @@ -424,8 +432,6 @@ __switch_to(struct task_struct *prev_p,
15565 if (prev->gs | next->gs)
15566 lazy_load_gs(next->gs);
15568 - percpu_write(current_task, next_p);
15573 @@ -495,4 +501,3 @@ unsigned long get_wchan(struct task_stru
15574 } while (count++ < 16);
15578 diff -urNp linux-2.6.32.42/arch/x86/kernel/process_64.c linux-2.6.32.42/arch/x86/kernel/process_64.c
15579 --- linux-2.6.32.42/arch/x86/kernel/process_64.c 2011-06-25 12:55:34.000000000 -0400
15580 +++ linux-2.6.32.42/arch/x86/kernel/process_64.c 2011-06-25 12:56:37.000000000 -0400
15581 @@ -91,7 +91,7 @@ static void __exit_idle(void)
15582 void exit_idle(void)
15584 /* idle loop has pid 0 */
15585 - if (current->pid)
15586 + if (task_pid_nr(current))
15590 @@ -170,7 +170,7 @@ void __show_regs(struct pt_regs *regs, i
15593 printk(KERN_INFO "Pid: %d, comm: %.20s %s %s %.*s %s\n",
15594 - current->pid, current->comm, print_tainted(),
15595 + task_pid_nr(current), current->comm, print_tainted(),
15596 init_utsname()->release,
15597 (int)strcspn(init_utsname()->version, " "),
15598 init_utsname()->version, board);
15599 @@ -280,8 +280,7 @@ int copy_thread(unsigned long clone_flag
15600 struct pt_regs *childregs;
15601 struct task_struct *me = current;
15603 - childregs = ((struct pt_regs *)
15604 - (THREAD_SIZE + task_stack_page(p))) - 1;
15605 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 16;
15606 *childregs = *regs;
15609 @@ -292,6 +291,7 @@ int copy_thread(unsigned long clone_flag
15610 p->thread.sp = (unsigned long) childregs;
15611 p->thread.sp0 = (unsigned long) (childregs+1);
15612 p->thread.usersp = me->thread.usersp;
15613 + p->tinfo.lowest_stack = (unsigned long)task_stack_page(p);
15615 set_tsk_thread_flag(p, TIF_FORK);
15617 @@ -379,7 +379,7 @@ __switch_to(struct task_struct *prev_p,
15618 struct thread_struct *prev = &prev_p->thread;
15619 struct thread_struct *next = &next_p->thread;
15620 int cpu = smp_processor_id();
15621 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
15622 + struct tss_struct *tss = init_tss + cpu;
15623 unsigned fsindex, gsindex;
15626 @@ -475,10 +475,9 @@ __switch_to(struct task_struct *prev_p,
15627 prev->usersp = percpu_read(old_rsp);
15628 percpu_write(old_rsp, next->usersp);
15629 percpu_write(current_task, next_p);
15630 + percpu_write(current_tinfo, &next_p->tinfo);
15632 - percpu_write(kernel_stack,
15633 - (unsigned long)task_stack_page(next_p) +
15634 - THREAD_SIZE - KERNEL_STACK_OFFSET);
15635 + percpu_write(kernel_stack, next->sp0);
15638 * Now maybe reload the debug registers and handle I/O bitmaps
15639 @@ -559,12 +558,11 @@ unsigned long get_wchan(struct task_stru
15640 if (!p || p == current || p->state == TASK_RUNNING)
15642 stack = (unsigned long)task_stack_page(p);
15643 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
15644 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-16-sizeof(u64))
15646 fp = *(u64 *)(p->thread.sp);
15648 - if (fp < (unsigned long)stack ||
15649 - fp >= (unsigned long)stack+THREAD_SIZE)
15650 + if (fp < stack || fp > stack+THREAD_SIZE-16-sizeof(u64))
15652 ip = *(u64 *)(fp+8);
15653 if (!in_sched_functions(ip))
15654 diff -urNp linux-2.6.32.42/arch/x86/kernel/process.c linux-2.6.32.42/arch/x86/kernel/process.c
15655 --- linux-2.6.32.42/arch/x86/kernel/process.c 2011-04-22 19:16:29.000000000 -0400
15656 +++ linux-2.6.32.42/arch/x86/kernel/process.c 2011-05-22 23:02:03.000000000 -0400
15657 @@ -51,16 +51,33 @@ void free_thread_xstate(struct task_stru
15659 void free_thread_info(struct thread_info *ti)
15661 - free_thread_xstate(ti->task);
15662 free_pages((unsigned long)ti, get_order(THREAD_SIZE));
15665 +static struct kmem_cache *task_struct_cachep;
15667 void arch_task_cache_init(void)
15669 - task_xstate_cachep =
15670 - kmem_cache_create("task_xstate", xstate_size,
15671 + /* create a slab on which task_structs can be allocated */
15672 + task_struct_cachep =
15673 + kmem_cache_create("task_struct", sizeof(struct task_struct),
15674 + ARCH_MIN_TASKALIGN, SLAB_PANIC | SLAB_NOTRACK, NULL);
15676 + task_xstate_cachep =
15677 + kmem_cache_create("task_xstate", xstate_size,
15678 __alignof__(union thread_xstate),
15679 - SLAB_PANIC | SLAB_NOTRACK, NULL);
15680 + SLAB_PANIC | SLAB_NOTRACK | SLAB_USERCOPY, NULL);
15683 +struct task_struct *alloc_task_struct(void)
15685 + return kmem_cache_alloc(task_struct_cachep, GFP_KERNEL);
15688 +void free_task_struct(struct task_struct *task)
15690 + free_thread_xstate(task);
15691 + kmem_cache_free(task_struct_cachep, task);
15695 @@ -73,7 +90,7 @@ void exit_thread(void)
15696 unsigned long *bp = t->io_bitmap_ptr;
15699 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
15700 + struct tss_struct *tss = init_tss + get_cpu();
15702 t->io_bitmap_ptr = NULL;
15703 clear_thread_flag(TIF_IO_BITMAP);
15704 @@ -93,6 +110,9 @@ void flush_thread(void)
15706 clear_tsk_thread_flag(tsk, TIF_DEBUG);
15708 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
15709 + loadsegment(gs, 0);
15711 tsk->thread.debugreg0 = 0;
15712 tsk->thread.debugreg1 = 0;
15713 tsk->thread.debugreg2 = 0;
15714 @@ -307,7 +327,7 @@ void default_idle(void)
15715 EXPORT_SYMBOL(default_idle);
15718 -void stop_this_cpu(void *dummy)
15719 +__noreturn void stop_this_cpu(void *dummy)
15721 local_irq_disable();
15723 @@ -568,16 +588,35 @@ static int __init idle_setup(char *str)
15725 early_param("idle", idle_setup);
15727 -unsigned long arch_align_stack(unsigned long sp)
15728 +#ifdef CONFIG_PAX_RANDKSTACK
15729 +asmlinkage void pax_randomize_kstack(void)
15731 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
15732 - sp -= get_random_int() % 8192;
15733 - return sp & ~0xf;
15735 + struct thread_struct *thread = ¤t->thread;
15736 + unsigned long time;
15738 -unsigned long arch_randomize_brk(struct mm_struct *mm)
15740 - unsigned long range_end = mm->brk + 0x02000000;
15741 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
15742 + if (!randomize_va_space)
15747 + /* P4 seems to return a 0 LSB, ignore it */
15748 +#ifdef CONFIG_MPENTIUM4
15751 +#elif defined(CONFIG_X86_64)
15759 + thread->sp0 ^= time;
15760 + load_sp0(init_tss + smp_processor_id(), thread);
15762 +#ifdef CONFIG_X86_64
15763 + percpu_write(kernel_stack, thread->sp0);
15768 diff -urNp linux-2.6.32.42/arch/x86/kernel/ptrace.c linux-2.6.32.42/arch/x86/kernel/ptrace.c
15769 --- linux-2.6.32.42/arch/x86/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
15770 +++ linux-2.6.32.42/arch/x86/kernel/ptrace.c 2011-04-17 15:56:46.000000000 -0400
15771 @@ -925,7 +925,7 @@ static const struct user_regset_view use
15772 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
15775 - unsigned long __user *datap = (unsigned long __user *)data;
15776 + unsigned long __user *datap = (__force unsigned long __user *)data;
15779 /* read the word at location addr in the USER area. */
15780 @@ -1012,14 +1012,14 @@ long arch_ptrace(struct task_struct *chi
15783 ret = do_get_thread_area(child, addr,
15784 - (struct user_desc __user *) data);
15785 + (__force struct user_desc __user *) data);
15788 case PTRACE_SET_THREAD_AREA:
15791 ret = do_set_thread_area(child, addr,
15792 - (struct user_desc __user *) data, 0);
15793 + (__force struct user_desc __user *) data, 0);
15797 @@ -1038,12 +1038,12 @@ long arch_ptrace(struct task_struct *chi
15798 #ifdef CONFIG_X86_PTRACE_BTS
15799 case PTRACE_BTS_CONFIG:
15800 ret = ptrace_bts_config
15801 - (child, data, (struct ptrace_bts_config __user *)addr);
15802 + (child, data, (__force struct ptrace_bts_config __user *)addr);
15805 case PTRACE_BTS_STATUS:
15806 ret = ptrace_bts_status
15807 - (child, data, (struct ptrace_bts_config __user *)addr);
15808 + (child, data, (__force struct ptrace_bts_config __user *)addr);
15811 case PTRACE_BTS_SIZE:
15812 @@ -1052,7 +1052,7 @@ long arch_ptrace(struct task_struct *chi
15814 case PTRACE_BTS_GET:
15815 ret = ptrace_bts_read_record
15816 - (child, data, (struct bts_struct __user *) addr);
15817 + (child, data, (__force struct bts_struct __user *) addr);
15820 case PTRACE_BTS_CLEAR:
15821 @@ -1061,7 +1061,7 @@ long arch_ptrace(struct task_struct *chi
15823 case PTRACE_BTS_DRAIN:
15824 ret = ptrace_bts_drain
15825 - (child, data, (struct bts_struct __user *) addr);
15826 + (child, data, (__force struct bts_struct __user *) addr);
15828 #endif /* CONFIG_X86_PTRACE_BTS */
15830 @@ -1450,7 +1450,7 @@ void send_sigtrap(struct task_struct *ts
15831 info.si_code = si_code;
15833 /* User-mode ip? */
15834 - info.si_addr = user_mode_vm(regs) ? (void __user *) regs->ip : NULL;
15835 + info.si_addr = user_mode(regs) ? (__force void __user *) regs->ip : NULL;
15837 /* Send us the fake SIGTRAP */
15838 force_sig_info(SIGTRAP, &info, tsk);
15839 @@ -1469,7 +1469,7 @@ void send_sigtrap(struct task_struct *ts
15840 * We must return the syscall number to actually look up in the table.
15841 * This can be -1L to skip running any syscall at all.
15843 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
15844 +long syscall_trace_enter(struct pt_regs *regs)
15848 @@ -1514,7 +1514,7 @@ asmregparm long syscall_trace_enter(stru
15849 return ret ?: regs->orig_ax;
15852 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
15853 +void syscall_trace_leave(struct pt_regs *regs)
15855 if (unlikely(current->audit_context))
15856 audit_syscall_exit(AUDITSC_RESULT(regs->ax), regs->ax);
15857 diff -urNp linux-2.6.32.42/arch/x86/kernel/reboot.c linux-2.6.32.42/arch/x86/kernel/reboot.c
15858 --- linux-2.6.32.42/arch/x86/kernel/reboot.c 2011-03-27 14:31:47.000000000 -0400
15859 +++ linux-2.6.32.42/arch/x86/kernel/reboot.c 2011-05-22 23:02:03.000000000 -0400
15860 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
15861 EXPORT_SYMBOL(pm_power_off);
15863 static const struct desc_ptr no_idt = {};
15864 -static int reboot_mode;
15865 +static unsigned short reboot_mode;
15866 enum reboot_type reboot_type = BOOT_KBD;
15869 @@ -292,12 +292,12 @@ core_initcall(reboot_init);
15870 controller to pulse the CPU reset line, which is more thorough, but
15871 doesn't work with at least one type of 486 motherboard. It is easy
15872 to stop this code working; hence the copious comments. */
15873 -static const unsigned long long
15874 -real_mode_gdt_entries [3] =
15875 +static struct desc_struct
15876 +real_mode_gdt_entries [3] __read_only =
15878 - 0x0000000000000000ULL, /* Null descriptor */
15879 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
15880 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
15881 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
15882 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
15883 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
15886 static const struct desc_ptr
15887 @@ -346,7 +346,7 @@ static const unsigned char jump_to_bios
15888 * specified by the code and length parameters.
15889 * We assume that length will aways be less that 100!
15891 -void machine_real_restart(const unsigned char *code, int length)
15892 +__noreturn void machine_real_restart(const unsigned char *code, unsigned int length)
15894 local_irq_disable();
15896 @@ -366,8 +366,8 @@ void machine_real_restart(const unsigned
15897 /* Remap the kernel at virtual address zero, as well as offset zero
15898 from the kernel segment. This assumes the kernel segment starts at
15899 virtual address PAGE_OFFSET. */
15900 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
15901 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
15902 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
15903 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
15906 * Use `swapper_pg_dir' as our page directory.
15907 @@ -379,16 +379,15 @@ void machine_real_restart(const unsigned
15908 boot)". This seems like a fairly standard thing that gets set by
15909 REBOOT.COM programs, and the previous reset routine did this
15911 - *((unsigned short *)0x472) = reboot_mode;
15912 + *(unsigned short *)(__va(0x472)) = reboot_mode;
15914 /* For the switch to real mode, copy some code to low memory. It has
15915 to be in the first 64k because it is running in 16-bit mode, and it
15916 has to have the same physical and virtual address, because it turns
15917 off paging. Copy it near the end of the first page, out of the way
15918 of BIOS variables. */
15919 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
15920 - real_mode_switch, sizeof (real_mode_switch));
15921 - memcpy((void *)(0x1000 - 100), code, length);
15922 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
15923 + memcpy(__va(0x1000 - 100), code, length);
15925 /* Set up the IDT for real mode. */
15926 load_idt(&real_mode_idt);
15927 @@ -416,6 +415,7 @@ void machine_real_restart(const unsigned
15928 __asm__ __volatile__ ("ljmp $0x0008,%0"
15930 : "i" ((void *)(0x1000 - sizeof (real_mode_switch) - 100)));
15931 + do { } while (1);
15933 #ifdef CONFIG_APM_MODULE
15934 EXPORT_SYMBOL(machine_real_restart);
15935 @@ -536,7 +536,7 @@ void __attribute__((weak)) mach_reboot_f
15939 -static void native_machine_emergency_restart(void)
15940 +__noreturn static void native_machine_emergency_restart(void)
15944 @@ -651,13 +651,13 @@ void native_machine_shutdown(void)
15948 -static void __machine_emergency_restart(int emergency)
15949 +static __noreturn void __machine_emergency_restart(int emergency)
15951 reboot_emergency = emergency;
15952 machine_ops.emergency_restart();
15955 -static void native_machine_restart(char *__unused)
15956 +static __noreturn void native_machine_restart(char *__unused)
15958 printk("machine restart\n");
15960 @@ -666,7 +666,7 @@ static void native_machine_restart(char
15961 __machine_emergency_restart(0);
15964 -static void native_machine_halt(void)
15965 +static __noreturn void native_machine_halt(void)
15967 /* stop other cpus and apics */
15968 machine_shutdown();
15969 @@ -677,7 +677,7 @@ static void native_machine_halt(void)
15970 stop_this_cpu(NULL);
15973 -static void native_machine_power_off(void)
15974 +__noreturn static void native_machine_power_off(void)
15976 if (pm_power_off) {
15978 @@ -686,6 +686,7 @@ static void native_machine_power_off(voi
15980 /* a fallback in case there is no PM info available */
15981 tboot_shutdown(TB_SHUTDOWN_HALT);
15982 + do { } while (1);
15985 struct machine_ops machine_ops = {
15986 diff -urNp linux-2.6.32.42/arch/x86/kernel/setup.c linux-2.6.32.42/arch/x86/kernel/setup.c
15987 --- linux-2.6.32.42/arch/x86/kernel/setup.c 2011-04-17 17:00:52.000000000 -0400
15988 +++ linux-2.6.32.42/arch/x86/kernel/setup.c 2011-04-17 17:03:05.000000000 -0400
15989 @@ -783,14 +783,14 @@ void __init setup_arch(char **cmdline_p)
15991 if (!boot_params.hdr.root_flags)
15992 root_mountflags &= ~MS_RDONLY;
15993 - init_mm.start_code = (unsigned long) _text;
15994 - init_mm.end_code = (unsigned long) _etext;
15995 + init_mm.start_code = ktla_ktva((unsigned long) _text);
15996 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
15997 init_mm.end_data = (unsigned long) _edata;
15998 init_mm.brk = _brk_end;
16000 - code_resource.start = virt_to_phys(_text);
16001 - code_resource.end = virt_to_phys(_etext)-1;
16002 - data_resource.start = virt_to_phys(_etext);
16003 + code_resource.start = virt_to_phys(ktla_ktva(_text));
16004 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
16005 + data_resource.start = virt_to_phys(_sdata);
16006 data_resource.end = virt_to_phys(_edata)-1;
16007 bss_resource.start = virt_to_phys(&__bss_start);
16008 bss_resource.end = virt_to_phys(&__bss_stop)-1;
16009 diff -urNp linux-2.6.32.42/arch/x86/kernel/setup_percpu.c linux-2.6.32.42/arch/x86/kernel/setup_percpu.c
16010 --- linux-2.6.32.42/arch/x86/kernel/setup_percpu.c 2011-03-27 14:31:47.000000000 -0400
16011 +++ linux-2.6.32.42/arch/x86/kernel/setup_percpu.c 2011-06-04 20:36:29.000000000 -0400
16012 @@ -25,19 +25,17 @@
16016 -DEFINE_PER_CPU(int, cpu_number);
16018 +DEFINE_PER_CPU(unsigned int, cpu_number);
16019 EXPORT_PER_CPU_SYMBOL(cpu_number);
16022 -#ifdef CONFIG_X86_64
16023 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
16025 -#define BOOT_PERCPU_OFFSET 0
16028 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
16029 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
16031 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
16032 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
16033 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
16035 EXPORT_SYMBOL(__per_cpu_offset);
16036 @@ -159,10 +157,10 @@ static inline void setup_percpu_segment(
16038 #ifdef CONFIG_X86_32
16039 struct desc_struct gdt;
16040 + unsigned long base = per_cpu_offset(cpu);
16042 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
16043 - 0x2 | DESCTYPE_S, 0x8);
16045 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
16046 + 0x83 | DESCTYPE_S, 0xC);
16047 write_gdt_entry(get_cpu_gdt_table(cpu),
16048 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
16050 @@ -212,6 +210,11 @@ void __init setup_per_cpu_areas(void)
16051 /* alrighty, percpu areas up and running */
16052 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
16053 for_each_possible_cpu(cpu) {
16054 +#ifdef CONFIG_CC_STACKPROTECTOR
16055 +#ifdef CONFIG_X86_32
16056 + unsigned long canary = per_cpu(stack_canary.canary, cpu);
16059 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
16060 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
16061 per_cpu(cpu_number, cpu) = cpu;
16062 @@ -239,6 +242,12 @@ void __init setup_per_cpu_areas(void)
16063 early_per_cpu_map(x86_cpu_to_node_map, cpu);
16066 +#ifdef CONFIG_CC_STACKPROTECTOR
16067 +#ifdef CONFIG_X86_32
16069 + per_cpu(stack_canary.canary, cpu) = canary;
16073 * Up to this point, the boot CPU has been using .data.init
16074 * area. Reload any changed state for the boot CPU.
16075 diff -urNp linux-2.6.32.42/arch/x86/kernel/signal.c linux-2.6.32.42/arch/x86/kernel/signal.c
16076 --- linux-2.6.32.42/arch/x86/kernel/signal.c 2011-03-27 14:31:47.000000000 -0400
16077 +++ linux-2.6.32.42/arch/x86/kernel/signal.c 2011-05-22 23:02:03.000000000 -0400
16078 @@ -197,7 +197,7 @@ static unsigned long align_sigframe(unsi
16079 * Align the stack pointer according to the i386 ABI,
16080 * i.e. so that on function entry ((sp + 4) & 15) == 0.
16082 - sp = ((sp + 4) & -16ul) - 4;
16083 + sp = ((sp - 12) & -16ul) - 4;
16084 #else /* !CONFIG_X86_32 */
16085 sp = round_down(sp, 16) - 8;
16087 @@ -248,11 +248,11 @@ get_sigframe(struct k_sigaction *ka, str
16088 * Return an always-bogus address instead so we will die with SIGSEGV.
16090 if (onsigstack && !likely(on_sig_stack(sp)))
16091 - return (void __user *)-1L;
16092 + return (__force void __user *)-1L;
16094 /* save i387 state */
16095 if (used_math() && save_i387_xstate(*fpstate) < 0)
16096 - return (void __user *)-1L;
16097 + return (__force void __user *)-1L;
16099 return (void __user *)sp;
16101 @@ -307,9 +307,9 @@ __setup_frame(int sig, struct k_sigactio
16104 if (current->mm->context.vdso)
16105 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
16106 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
16108 - restorer = &frame->retcode;
16109 + restorer = (void __user *)&frame->retcode;
16110 if (ka->sa.sa_flags & SA_RESTORER)
16111 restorer = ka->sa.sa_restorer;
16113 @@ -323,7 +323,7 @@ __setup_frame(int sig, struct k_sigactio
16114 * reasons and because gdb uses it as a signature to notice
16115 * signal handler stack frames.
16117 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
16118 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
16122 @@ -377,7 +377,10 @@ static int __setup_rt_frame(int sig, str
16123 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
16125 /* Set up to return from userspace. */
16126 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
16127 + if (current->mm->context.vdso)
16128 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
16130 + restorer = (void __user *)&frame->retcode;
16131 if (ka->sa.sa_flags & SA_RESTORER)
16132 restorer = ka->sa.sa_restorer;
16133 put_user_ex(restorer, &frame->pretcode);
16134 @@ -389,7 +392,7 @@ static int __setup_rt_frame(int sig, str
16135 * reasons and because gdb uses it as a signature to notice
16136 * signal handler stack frames.
16138 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
16139 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
16140 } put_user_catch(err);
16143 @@ -782,6 +785,8 @@ static void do_signal(struct pt_regs *re
16147 + pax_track_stack();
16150 * We want the common case to go fast, which is why we may in certain
16151 * cases get here from kernel mode. Just return without doing anything
16152 @@ -789,7 +794,7 @@ static void do_signal(struct pt_regs *re
16153 * X86_32: vm86 regs switched out by assembly code before reaching
16154 * here, so testing against kernel CS suffices.
16156 - if (!user_mode(regs))
16157 + if (!user_mode_novm(regs))
16160 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
16161 diff -urNp linux-2.6.32.42/arch/x86/kernel/smpboot.c linux-2.6.32.42/arch/x86/kernel/smpboot.c
16162 --- linux-2.6.32.42/arch/x86/kernel/smpboot.c 2011-03-27 14:31:47.000000000 -0400
16163 +++ linux-2.6.32.42/arch/x86/kernel/smpboot.c 2011-05-11 18:25:15.000000000 -0400
16164 @@ -94,14 +94,14 @@ static DEFINE_PER_CPU(struct task_struct
16166 static DEFINE_MUTEX(x86_cpu_hotplug_driver_mutex);
16168 -void cpu_hotplug_driver_lock()
16169 +void cpu_hotplug_driver_lock(void)
16171 - mutex_lock(&x86_cpu_hotplug_driver_mutex);
16172 + mutex_lock(&x86_cpu_hotplug_driver_mutex);
16175 -void cpu_hotplug_driver_unlock()
16176 +void cpu_hotplug_driver_unlock(void)
16178 - mutex_unlock(&x86_cpu_hotplug_driver_mutex);
16179 + mutex_unlock(&x86_cpu_hotplug_driver_mutex);
16182 ssize_t arch_cpu_probe(const char *buf, size_t count) { return -1; }
16183 @@ -743,6 +743,7 @@ static int __cpuinit do_boot_cpu(int api
16184 set_idle_for_cpu(cpu, c_idle.idle);
16186 per_cpu(current_task, cpu) = c_idle.idle;
16187 + per_cpu(current_tinfo, cpu) = &c_idle.idle->tinfo;
16188 #ifdef CONFIG_X86_32
16189 /* Stack for startup_32 can be just as for start_secondary onwards */
16191 @@ -750,11 +751,13 @@ do_rest:
16193 clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
16194 initial_gs = per_cpu_offset(cpu);
16195 - per_cpu(kernel_stack, cpu) =
16196 - (unsigned long)task_stack_page(c_idle.idle) -
16197 - KERNEL_STACK_OFFSET + THREAD_SIZE;
16198 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(c_idle.idle) - 16 + THREAD_SIZE;
16201 + pax_open_kernel();
16202 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
16203 + pax_close_kernel();
16205 initial_code = (unsigned long)start_secondary;
16206 stack_start.sp = (void *) c_idle.idle->thread.sp;
16208 @@ -891,6 +894,12 @@ int __cpuinit native_cpu_up(unsigned int
16210 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
16212 +#ifdef CONFIG_PAX_PER_CPU_PGD
16213 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
16214 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
16215 + KERNEL_PGD_PTRS);
16218 err = do_boot_cpu(apicid, cpu);
16221 diff -urNp linux-2.6.32.42/arch/x86/kernel/step.c linux-2.6.32.42/arch/x86/kernel/step.c
16222 --- linux-2.6.32.42/arch/x86/kernel/step.c 2011-03-27 14:31:47.000000000 -0400
16223 +++ linux-2.6.32.42/arch/x86/kernel/step.c 2011-04-17 15:56:46.000000000 -0400
16224 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
16225 struct desc_struct *desc;
16226 unsigned long base;
16231 mutex_lock(&child->mm->context.lock);
16232 - if (unlikely((seg >> 3) >= child->mm->context.size))
16233 + if (unlikely(seg >= child->mm->context.size))
16234 addr = -1L; /* bogus selector, access would fault */
16236 desc = child->mm->context.ldt + seg;
16237 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
16240 mutex_unlock(&child->mm->context.lock);
16242 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
16243 + addr = ktla_ktva(addr);
16247 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
16248 unsigned char opcode[15];
16249 unsigned long addr = convert_ip_to_linear(child, regs);
16251 + if (addr == -EINVAL)
16254 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
16255 for (i = 0; i < copied; i++) {
16256 switch (opcode[i]) {
16257 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
16259 #ifdef CONFIG_X86_64
16260 case 0x40 ... 0x4f:
16261 - if (regs->cs != __USER_CS)
16262 + if ((regs->cs & 0xffff) != __USER_CS)
16263 /* 32-bit mode: register increment */
16265 /* 64-bit mode: REX prefix */
16266 diff -urNp linux-2.6.32.42/arch/x86/kernel/syscall_table_32.S linux-2.6.32.42/arch/x86/kernel/syscall_table_32.S
16267 --- linux-2.6.32.42/arch/x86/kernel/syscall_table_32.S 2011-03-27 14:31:47.000000000 -0400
16268 +++ linux-2.6.32.42/arch/x86/kernel/syscall_table_32.S 2011-04-17 15:56:46.000000000 -0400
16270 +.section .rodata,"a",@progbits
16271 ENTRY(sys_call_table)
16272 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
16274 diff -urNp linux-2.6.32.42/arch/x86/kernel/sys_i386_32.c linux-2.6.32.42/arch/x86/kernel/sys_i386_32.c
16275 --- linux-2.6.32.42/arch/x86/kernel/sys_i386_32.c 2011-03-27 14:31:47.000000000 -0400
16276 +++ linux-2.6.32.42/arch/x86/kernel/sys_i386_32.c 2011-04-17 15:56:46.000000000 -0400
16279 #include <asm/syscalls.h>
16281 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
16283 + unsigned long pax_task_size = TASK_SIZE;
16285 +#ifdef CONFIG_PAX_SEGMEXEC
16286 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
16287 + pax_task_size = SEGMEXEC_TASK_SIZE;
16290 + if (len > pax_task_size || addr > pax_task_size - len)
16297 * Perform the select(nd, in, out, ex, tv) and mmap() system
16298 * calls. Linux/i386 didn't use to be able to handle more than
16299 @@ -58,6 +73,212 @@ out:
16304 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
16305 + unsigned long len, unsigned long pgoff, unsigned long flags)
16307 + struct mm_struct *mm = current->mm;
16308 + struct vm_area_struct *vma;
16309 + unsigned long start_addr, pax_task_size = TASK_SIZE;
16311 +#ifdef CONFIG_PAX_SEGMEXEC
16312 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
16313 + pax_task_size = SEGMEXEC_TASK_SIZE;
16316 + pax_task_size -= PAGE_SIZE;
16318 + if (len > pax_task_size)
16321 + if (flags & MAP_FIXED)
16324 +#ifdef CONFIG_PAX_RANDMMAP
16325 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
16329 + addr = PAGE_ALIGN(addr);
16330 + if (pax_task_size - len >= addr) {
16331 + vma = find_vma(mm, addr);
16332 + if (check_heap_stack_gap(vma, addr, len))
16336 + if (len > mm->cached_hole_size) {
16337 + start_addr = addr = mm->free_area_cache;
16339 + start_addr = addr = mm->mmap_base;
16340 + mm->cached_hole_size = 0;
16343 +#ifdef CONFIG_PAX_PAGEEXEC
16344 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
16345 + start_addr = 0x00110000UL;
16347 +#ifdef CONFIG_PAX_RANDMMAP
16348 + if (mm->pax_flags & MF_PAX_RANDMMAP)
16349 + start_addr += mm->delta_mmap & 0x03FFF000UL;
16352 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
16353 + start_addr = addr = mm->mmap_base;
16355 + addr = start_addr;
16360 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
16361 + /* At this point: (!vma || addr < vma->vm_end). */
16362 + if (pax_task_size - len < addr) {
16364 + * Start a new search - just in case we missed
16367 + if (start_addr != mm->mmap_base) {
16368 + start_addr = addr = mm->mmap_base;
16369 + mm->cached_hole_size = 0;
16370 + goto full_search;
16374 + if (check_heap_stack_gap(vma, addr, len))
16376 + if (addr + mm->cached_hole_size < vma->vm_start)
16377 + mm->cached_hole_size = vma->vm_start - addr;
16378 + addr = vma->vm_end;
16379 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
16380 + start_addr = addr = mm->mmap_base;
16381 + mm->cached_hole_size = 0;
16382 + goto full_search;
16387 + * Remember the place where we stopped the search:
16389 + mm->free_area_cache = addr + len;
16394 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
16395 + const unsigned long len, const unsigned long pgoff,
16396 + const unsigned long flags)
16398 + struct vm_area_struct *vma;
16399 + struct mm_struct *mm = current->mm;
16400 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
16402 +#ifdef CONFIG_PAX_SEGMEXEC
16403 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
16404 + pax_task_size = SEGMEXEC_TASK_SIZE;
16407 + pax_task_size -= PAGE_SIZE;
16409 + /* requested length too big for entire address space */
16410 + if (len > pax_task_size)
16413 + if (flags & MAP_FIXED)
16416 +#ifdef CONFIG_PAX_PAGEEXEC
16417 + if (!nx_enabled && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
16421 +#ifdef CONFIG_PAX_RANDMMAP
16422 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
16425 + /* requesting a specific address */
16427 + addr = PAGE_ALIGN(addr);
16428 + if (pax_task_size - len >= addr) {
16429 + vma = find_vma(mm, addr);
16430 + if (check_heap_stack_gap(vma, addr, len))
16435 + /* check if free_area_cache is useful for us */
16436 + if (len <= mm->cached_hole_size) {
16437 + mm->cached_hole_size = 0;
16438 + mm->free_area_cache = mm->mmap_base;
16441 + /* either no address requested or can't fit in requested address hole */
16442 + addr = mm->free_area_cache;
16444 + /* make sure it can fit in the remaining address space */
16445 + if (addr > len) {
16446 + vma = find_vma(mm, addr-len);
16447 + if (check_heap_stack_gap(vma, addr - len, len))
16448 + /* remember the address as a hint for next time */
16449 + return (mm->free_area_cache = addr-len);
16452 + if (mm->mmap_base < len)
16455 + addr = mm->mmap_base-len;
16459 + * Lookup failure means no vma is above this address,
16460 + * else if new region fits below vma->vm_start,
16461 + * return with success:
16463 + vma = find_vma(mm, addr);
16464 + if (check_heap_stack_gap(vma, addr, len))
16465 + /* remember the address as a hint for next time */
16466 + return (mm->free_area_cache = addr);
16468 + /* remember the largest hole we saw so far */
16469 + if (addr + mm->cached_hole_size < vma->vm_start)
16470 + mm->cached_hole_size = vma->vm_start - addr;
16472 + /* try just below the current vma->vm_start */
16473 + addr = skip_heap_stack_gap(vma, len);
16474 + } while (!IS_ERR_VALUE(addr));
16478 + * A failed mmap() very likely causes application failure,
16479 + * so fall back to the bottom-up function here. This scenario
16480 + * can happen with large stack limits and large mmap()
16484 +#ifdef CONFIG_PAX_SEGMEXEC
16485 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
16486 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
16490 + mm->mmap_base = TASK_UNMAPPED_BASE;
16492 +#ifdef CONFIG_PAX_RANDMMAP
16493 + if (mm->pax_flags & MF_PAX_RANDMMAP)
16494 + mm->mmap_base += mm->delta_mmap;
16497 + mm->free_area_cache = mm->mmap_base;
16498 + mm->cached_hole_size = ~0UL;
16499 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
16501 + * Restore the topdown base:
16503 + mm->mmap_base = base;
16504 + mm->free_area_cache = base;
16505 + mm->cached_hole_size = ~0UL;
16510 struct sel_arg_struct {
16512 @@ -93,7 +314,7 @@ asmlinkage int sys_ipc(uint call, int fi
16513 return sys_semtimedop(first, (struct sembuf __user *)ptr, second, NULL);
16515 return sys_semtimedop(first, (struct sembuf __user *)ptr, second,
16516 - (const struct timespec __user *)fifth);
16517 + (__force const struct timespec __user *)fifth);
16520 return sys_semget(first, second, third);
16521 @@ -140,7 +361,7 @@ asmlinkage int sys_ipc(uint call, int fi
16522 ret = do_shmat(first, (char __user *) ptr, second, &raddr);
16525 - return put_user(raddr, (ulong __user *) third);
16526 + return put_user(raddr, (__force ulong __user *) third);
16528 case 1: /* iBCS2 emulator entry point */
16529 if (!segment_eq(get_fs(), get_ds()))
16530 @@ -207,17 +428,3 @@ asmlinkage int sys_olduname(struct oldol
16537 - * Do a system call from kernel instead of calling sys_execve so we
16538 - * end up with proper pt_regs.
16540 -int kernel_execve(const char *filename, char *const argv[], char *const envp[])
16543 - asm volatile ("push %%ebx ; movl %2,%%ebx ; int $0x80 ; pop %%ebx"
16545 - : "0" (__NR_execve), "ri" (filename), "c" (argv), "d" (envp) : "memory");
16548 diff -urNp linux-2.6.32.42/arch/x86/kernel/sys_x86_64.c linux-2.6.32.42/arch/x86/kernel/sys_x86_64.c
16549 --- linux-2.6.32.42/arch/x86/kernel/sys_x86_64.c 2011-03-27 14:31:47.000000000 -0400
16550 +++ linux-2.6.32.42/arch/x86/kernel/sys_x86_64.c 2011-04-17 15:56:46.000000000 -0400
16551 @@ -32,8 +32,8 @@ out:
16555 -static void find_start_end(unsigned long flags, unsigned long *begin,
16556 - unsigned long *end)
16557 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
16558 + unsigned long *begin, unsigned long *end)
16560 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
16561 unsigned long new_begin;
16562 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
16563 *begin = new_begin;
16566 - *begin = TASK_UNMAPPED_BASE;
16567 + *begin = mm->mmap_base;
16571 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
16572 if (flags & MAP_FIXED)
16575 - find_start_end(flags, &begin, &end);
16576 + find_start_end(mm, flags, &begin, &end);
16581 +#ifdef CONFIG_PAX_RANDMMAP
16582 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
16586 addr = PAGE_ALIGN(addr);
16587 vma = find_vma(mm, addr);
16588 - if (end - len >= addr &&
16589 - (!vma || addr + len <= vma->vm_start))
16590 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
16593 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
16594 @@ -106,7 +109,7 @@ full_search:
16598 - if (!vma || addr + len <= vma->vm_start) {
16599 + if (check_heap_stack_gap(vma, addr, len)) {
16601 * Remember the place where we stopped the search:
16603 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
16605 struct vm_area_struct *vma;
16606 struct mm_struct *mm = current->mm;
16607 - unsigned long addr = addr0;
16608 + unsigned long base = mm->mmap_base, addr = addr0;
16610 /* requested length too big for entire address space */
16611 if (len > TASK_SIZE)
16612 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
16613 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
16616 +#ifdef CONFIG_PAX_RANDMMAP
16617 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
16620 /* requesting a specific address */
16622 addr = PAGE_ALIGN(addr);
16623 - vma = find_vma(mm, addr);
16624 - if (TASK_SIZE - len >= addr &&
16625 - (!vma || addr + len <= vma->vm_start))
16627 + if (TASK_SIZE - len >= addr) {
16628 + vma = find_vma(mm, addr);
16629 + if (check_heap_stack_gap(vma, addr, len))
16634 /* check if free_area_cache is useful for us */
16635 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
16636 /* make sure it can fit in the remaining address space */
16638 vma = find_vma(mm, addr-len);
16639 - if (!vma || addr <= vma->vm_start)
16640 + if (check_heap_stack_gap(vma, addr - len, len))
16641 /* remember the address as a hint for next time */
16642 return mm->free_area_cache = addr-len;
16644 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
16645 * return with success:
16647 vma = find_vma(mm, addr);
16648 - if (!vma || addr+len <= vma->vm_start)
16649 + if (check_heap_stack_gap(vma, addr, len))
16650 /* remember the address as a hint for next time */
16651 return mm->free_area_cache = addr;
16653 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
16654 mm->cached_hole_size = vma->vm_start - addr;
16656 /* try just below the current vma->vm_start */
16657 - addr = vma->vm_start-len;
16658 - } while (len < vma->vm_start);
16659 + addr = skip_heap_stack_gap(vma, len);
16660 + } while (!IS_ERR_VALUE(addr));
16664 @@ -198,13 +206,21 @@ bottomup:
16665 * can happen with large stack limits and large mmap()
16668 + mm->mmap_base = TASK_UNMAPPED_BASE;
16670 +#ifdef CONFIG_PAX_RANDMMAP
16671 + if (mm->pax_flags & MF_PAX_RANDMMAP)
16672 + mm->mmap_base += mm->delta_mmap;
16675 + mm->free_area_cache = mm->mmap_base;
16676 mm->cached_hole_size = ~0UL;
16677 - mm->free_area_cache = TASK_UNMAPPED_BASE;
16678 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
16680 * Restore the topdown base:
16682 - mm->free_area_cache = mm->mmap_base;
16683 + mm->mmap_base = base;
16684 + mm->free_area_cache = base;
16685 mm->cached_hole_size = ~0UL;
16688 diff -urNp linux-2.6.32.42/arch/x86/kernel/tboot.c linux-2.6.32.42/arch/x86/kernel/tboot.c
16689 --- linux-2.6.32.42/arch/x86/kernel/tboot.c 2011-03-27 14:31:47.000000000 -0400
16690 +++ linux-2.6.32.42/arch/x86/kernel/tboot.c 2011-05-22 23:02:03.000000000 -0400
16691 @@ -216,7 +216,7 @@ static int tboot_setup_sleep(void)
16693 void tboot_shutdown(u32 shutdown_type)
16695 - void (*shutdown)(void);
16696 + void (* __noreturn shutdown)(void);
16698 if (!tboot_enabled())
16700 @@ -238,7 +238,7 @@ void tboot_shutdown(u32 shutdown_type)
16702 switch_to_tboot_pt();
16704 - shutdown = (void(*)(void))(unsigned long)tboot->shutdown_entry;
16705 + shutdown = (void *)tboot->shutdown_entry;
16708 /* should not reach here */
16709 @@ -295,7 +295,7 @@ void tboot_sleep(u8 sleep_state, u32 pm1
16710 tboot_shutdown(acpi_shutdown_map[sleep_state]);
16713 -static atomic_t ap_wfs_count;
16714 +static atomic_unchecked_t ap_wfs_count;
16716 static int tboot_wait_for_aps(int num_aps)
16718 @@ -319,9 +319,9 @@ static int __cpuinit tboot_cpu_callback(
16722 - atomic_inc(&ap_wfs_count);
16723 + atomic_inc_unchecked(&ap_wfs_count);
16724 if (num_online_cpus() == 1)
16725 - if (tboot_wait_for_aps(atomic_read(&ap_wfs_count)))
16726 + if (tboot_wait_for_aps(atomic_read_unchecked(&ap_wfs_count)))
16730 @@ -340,7 +340,7 @@ static __init int tboot_late_init(void)
16732 tboot_create_trampoline();
16734 - atomic_set(&ap_wfs_count, 0);
16735 + atomic_set_unchecked(&ap_wfs_count, 0);
16736 register_hotcpu_notifier(&tboot_cpu_notifier);
16739 diff -urNp linux-2.6.32.42/arch/x86/kernel/time.c linux-2.6.32.42/arch/x86/kernel/time.c
16740 --- linux-2.6.32.42/arch/x86/kernel/time.c 2011-03-27 14:31:47.000000000 -0400
16741 +++ linux-2.6.32.42/arch/x86/kernel/time.c 2011-04-17 15:56:46.000000000 -0400
16742 @@ -26,17 +26,13 @@
16746 -#ifdef CONFIG_X86_64
16747 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
16750 unsigned long profile_pc(struct pt_regs *regs)
16752 unsigned long pc = instruction_pointer(regs);
16754 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
16755 + if (!user_mode(regs) && in_lock_functions(pc)) {
16756 #ifdef CONFIG_FRAME_POINTER
16757 - return *(unsigned long *)(regs->bp + sizeof(long));
16758 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
16760 unsigned long *sp =
16761 (unsigned long *)kernel_stack_pointer(regs);
16762 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
16763 * or above a saved flags. Eflags has bits 22-31 zero,
16764 * kernel addresses don't.
16767 +#ifdef CONFIG_PAX_KERNEXEC
16768 + return ktla_ktva(sp[0]);
16780 diff -urNp linux-2.6.32.42/arch/x86/kernel/tls.c linux-2.6.32.42/arch/x86/kernel/tls.c
16781 --- linux-2.6.32.42/arch/x86/kernel/tls.c 2011-03-27 14:31:47.000000000 -0400
16782 +++ linux-2.6.32.42/arch/x86/kernel/tls.c 2011-04-17 15:56:46.000000000 -0400
16783 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
16784 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
16787 +#ifdef CONFIG_PAX_SEGMEXEC
16788 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
16792 set_tls_desc(p, idx, &info, 1);
16795 diff -urNp linux-2.6.32.42/arch/x86/kernel/trampoline_32.S linux-2.6.32.42/arch/x86/kernel/trampoline_32.S
16796 --- linux-2.6.32.42/arch/x86/kernel/trampoline_32.S 2011-03-27 14:31:47.000000000 -0400
16797 +++ linux-2.6.32.42/arch/x86/kernel/trampoline_32.S 2011-04-17 15:56:46.000000000 -0400
16799 #include <asm/segment.h>
16800 #include <asm/page_types.h>
16802 +#ifdef CONFIG_PAX_KERNEXEC
16805 +#define ta(X) ((X) - __PAGE_OFFSET)
16808 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
16811 @@ -60,7 +66,7 @@ r_base = .
16812 inc %ax # protected mode (PE) bit
16813 lmsw %ax # into protected mode
16814 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
16815 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
16816 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
16818 # These need to be in the same 64K segment as the above;
16819 # hence we don't use the boot_gdt_descr defined in head.S
16820 diff -urNp linux-2.6.32.42/arch/x86/kernel/trampoline_64.S linux-2.6.32.42/arch/x86/kernel/trampoline_64.S
16821 --- linux-2.6.32.42/arch/x86/kernel/trampoline_64.S 2011-03-27 14:31:47.000000000 -0400
16822 +++ linux-2.6.32.42/arch/x86/kernel/trampoline_64.S 2011-04-17 15:56:46.000000000 -0400
16823 @@ -91,7 +91,7 @@ startup_32:
16824 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
16827 - movl $X86_CR4_PAE, %eax
16828 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
16829 movl %eax, %cr4 # Enable PAE mode
16831 # Setup trampoline 4 level pagetables
16832 @@ -138,7 +138,7 @@ tidt:
16833 # so the kernel can live anywhere
16836 - .short tgdt_end - tgdt # gdt limit
16837 + .short tgdt_end - tgdt - 1 # gdt limit
16838 .long tgdt - r_base
16840 .quad 0x00cf9b000000ffff # __KERNEL32_CS
16841 diff -urNp linux-2.6.32.42/arch/x86/kernel/traps.c linux-2.6.32.42/arch/x86/kernel/traps.c
16842 --- linux-2.6.32.42/arch/x86/kernel/traps.c 2011-03-27 14:31:47.000000000 -0400
16843 +++ linux-2.6.32.42/arch/x86/kernel/traps.c 2011-04-17 15:56:46.000000000 -0400
16844 @@ -69,12 +69,6 @@ asmlinkage int system_call(void);
16846 /* Do we ignore FPU interrupts ? */
16847 char ignore_fpu_irq;
16850 - * The IDT has to be page-aligned to simplify the Pentium
16851 - * F0 0F bug workaround.
16853 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
16856 DECLARE_BITMAP(used_vectors, NR_VECTORS);
16857 @@ -112,19 +106,19 @@ static inline void preempt_conditional_c
16859 die_if_kernel(const char *str, struct pt_regs *regs, long err)
16861 - if (!user_mode_vm(regs))
16862 + if (!user_mode(regs))
16863 die(str, regs, err);
16867 static void __kprobes
16868 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
16869 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
16870 long error_code, siginfo_t *info)
16872 struct task_struct *tsk = current;
16874 #ifdef CONFIG_X86_32
16875 - if (regs->flags & X86_VM_MASK) {
16876 + if (v8086_mode(regs)) {
16878 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
16879 * On nmi (interrupt 2), do_trap should not be called.
16880 @@ -135,7 +129,7 @@ do_trap(int trapnr, int signr, char *str
16884 - if (!user_mode(regs))
16885 + if (!user_mode_novm(regs))
16888 #ifdef CONFIG_X86_32
16889 @@ -158,7 +152,7 @@ trap_signal:
16890 printk_ratelimit()) {
16892 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
16893 - tsk->comm, tsk->pid, str,
16894 + tsk->comm, task_pid_nr(tsk), str,
16895 regs->ip, regs->sp, error_code);
16896 print_vma_addr(" in ", regs->ip);
16898 @@ -175,8 +169,20 @@ kernel_trap:
16899 if (!fixup_exception(regs)) {
16900 tsk->thread.error_code = error_code;
16901 tsk->thread.trap_no = trapnr;
16903 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16904 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
16905 + str = "PAX: suspicious stack segment fault";
16908 die(str, regs, error_code);
16911 +#ifdef CONFIG_PAX_REFCOUNT
16913 + pax_report_refcount_overflow(regs);
16918 #ifdef CONFIG_X86_32
16919 @@ -265,14 +271,30 @@ do_general_protection(struct pt_regs *re
16920 conditional_sti(regs);
16922 #ifdef CONFIG_X86_32
16923 - if (regs->flags & X86_VM_MASK)
16924 + if (v8086_mode(regs))
16929 - if (!user_mode(regs))
16930 + if (!user_mode_novm(regs))
16933 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
16934 + if (!nx_enabled && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
16935 + struct mm_struct *mm = tsk->mm;
16936 + unsigned long limit;
16938 + down_write(&mm->mmap_sem);
16939 + limit = mm->context.user_cs_limit;
16940 + if (limit < TASK_SIZE) {
16941 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
16942 + up_write(&mm->mmap_sem);
16945 + up_write(&mm->mmap_sem);
16949 tsk->thread.error_code = error_code;
16950 tsk->thread.trap_no = 13;
16952 @@ -305,6 +327,13 @@ gp_in_kernel:
16953 if (notify_die(DIE_GPF, "general protection fault", regs,
16954 error_code, 13, SIGSEGV) == NOTIFY_STOP)
16957 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
16958 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
16959 + die("PAX: suspicious general protection fault", regs, error_code);
16963 die("general protection fault", regs, error_code);
16966 @@ -558,7 +587,7 @@ dotraplinkage void __kprobes do_debug(st
16969 #ifdef CONFIG_X86_32
16970 - if (regs->flags & X86_VM_MASK)
16971 + if (v8086_mode(regs))
16975 @@ -570,7 +599,7 @@ dotraplinkage void __kprobes do_debug(st
16976 * kernel space (but re-enable TF when returning to user mode).
16978 if (condition & DR_STEP) {
16979 - if (!user_mode(regs))
16980 + if (!user_mode_novm(regs))
16981 goto clear_TF_reenable;
16984 @@ -757,7 +786,7 @@ do_simd_coprocessor_error(struct pt_regs
16985 * Handle strange cache flush from user space exception
16986 * in all other cases. This is undocumented behaviour.
16988 - if (regs->flags & X86_VM_MASK) {
16989 + if (v8086_mode(regs)) {
16990 handle_vm86_fault((struct kernel_vm86_regs *)regs, error_code);
16993 @@ -798,7 +827,7 @@ asmlinkage void __attribute__((weak)) sm
16994 void __math_state_restore(void)
16996 struct thread_info *thread = current_thread_info();
16997 - struct task_struct *tsk = thread->task;
16998 + struct task_struct *tsk = current;
17001 * Paranoid restore. send a SIGSEGV if we fail to restore the state.
17002 @@ -825,8 +854,7 @@ void __math_state_restore(void)
17004 asmlinkage void math_state_restore(void)
17006 - struct thread_info *thread = current_thread_info();
17007 - struct task_struct *tsk = thread->task;
17008 + struct task_struct *tsk = current;
17010 if (!tsk_used_math(tsk)) {
17011 local_irq_enable();
17012 diff -urNp linux-2.6.32.42/arch/x86/kernel/vm86_32.c linux-2.6.32.42/arch/x86/kernel/vm86_32.c
17013 --- linux-2.6.32.42/arch/x86/kernel/vm86_32.c 2011-03-27 14:31:47.000000000 -0400
17014 +++ linux-2.6.32.42/arch/x86/kernel/vm86_32.c 2011-04-17 15:56:46.000000000 -0400
17016 #include <linux/ptrace.h>
17017 #include <linux/audit.h>
17018 #include <linux/stddef.h>
17019 +#include <linux/grsecurity.h>
17021 #include <asm/uaccess.h>
17022 #include <asm/io.h>
17023 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
17027 - tss = &per_cpu(init_tss, get_cpu());
17028 + tss = init_tss + get_cpu();
17029 current->thread.sp0 = current->thread.saved_sp0;
17030 current->thread.sysenter_cs = __KERNEL_CS;
17031 load_sp0(tss, ¤t->thread);
17032 @@ -208,6 +209,13 @@ int sys_vm86old(struct pt_regs *regs)
17033 struct task_struct *tsk;
17034 int tmp, ret = -EPERM;
17036 +#ifdef CONFIG_GRKERNSEC_VM86
17037 + if (!capable(CAP_SYS_RAWIO)) {
17038 + gr_handle_vm86();
17044 if (tsk->thread.saved_sp0)
17046 @@ -238,6 +246,14 @@ int sys_vm86(struct pt_regs *regs)
17048 struct vm86plus_struct __user *v86;
17050 +#ifdef CONFIG_GRKERNSEC_VM86
17051 + if (!capable(CAP_SYS_RAWIO)) {
17052 + gr_handle_vm86();
17059 switch (regs->bx) {
17060 case VM86_REQUEST_IRQ:
17061 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
17062 tsk->thread.saved_fs = info->regs32->fs;
17063 tsk->thread.saved_gs = get_user_gs(info->regs32);
17065 - tss = &per_cpu(init_tss, get_cpu());
17066 + tss = init_tss + get_cpu();
17067 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
17069 tsk->thread.sysenter_cs = 0;
17070 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
17071 goto cannot_handle;
17072 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
17073 goto cannot_handle;
17074 - intr_ptr = (unsigned long __user *) (i << 2);
17075 + intr_ptr = (__force unsigned long __user *) (i << 2);
17076 if (get_user(segoffs, intr_ptr))
17077 goto cannot_handle;
17078 if ((segoffs >> 16) == BIOSSEG)
17079 diff -urNp linux-2.6.32.42/arch/x86/kernel/vmi_32.c linux-2.6.32.42/arch/x86/kernel/vmi_32.c
17080 --- linux-2.6.32.42/arch/x86/kernel/vmi_32.c 2011-03-27 14:31:47.000000000 -0400
17081 +++ linux-2.6.32.42/arch/x86/kernel/vmi_32.c 2011-04-17 15:56:46.000000000 -0400
17082 @@ -44,12 +44,17 @@ typedef u32 __attribute__((regparm(1)))
17083 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
17085 #define call_vrom_func(rom,func) \
17086 - (((VROMFUNC *)(rom->func))())
17087 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
17089 #define call_vrom_long_func(rom,func,arg) \
17090 - (((VROMLONGFUNC *)(rom->func)) (arg))
17092 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
17093 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
17094 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
17098 -static struct vrom_header *vmi_rom;
17099 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
17100 static int disable_pge;
17101 static int disable_pse;
17102 static int disable_sep;
17103 @@ -76,10 +81,10 @@ static struct {
17104 void (*set_initial_ap_state)(int, int);
17105 void (*halt)(void);
17106 void (*set_lazy_mode)(int mode);
17108 +} vmi_ops __read_only;
17110 /* Cached VMI operations */
17111 -struct vmi_timer_ops vmi_timer_ops;
17112 +struct vmi_timer_ops vmi_timer_ops __read_only;
17115 * VMI patching routines.
17116 @@ -94,7 +99,7 @@ struct vmi_timer_ops vmi_timer_ops;
17117 static inline void patch_offset(void *insnbuf,
17118 unsigned long ip, unsigned long dest)
17120 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
17121 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
17124 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
17125 @@ -102,6 +107,7 @@ static unsigned patch_internal(int call,
17128 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
17130 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
17131 switch(rel->type) {
17132 case VMI_RELOCATION_CALL_REL:
17133 @@ -404,13 +410,13 @@ static void vmi_set_pud(pud_t *pudp, pud
17135 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
17137 - const pte_t pte = { .pte = 0 };
17138 + const pte_t pte = __pte(0ULL);
17139 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
17142 static void vmi_pmd_clear(pmd_t *pmd)
17144 - const pte_t pte = { .pte = 0 };
17145 + const pte_t pte = __pte(0ULL);
17146 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
17149 @@ -438,10 +444,10 @@ vmi_startup_ipi_hook(int phys_apicid, un
17150 ap.ss = __KERNEL_DS;
17151 ap.esp = (unsigned long) start_esp;
17153 - ap.ds = __USER_DS;
17154 - ap.es = __USER_DS;
17155 + ap.ds = __KERNEL_DS;
17156 + ap.es = __KERNEL_DS;
17157 ap.fs = __KERNEL_PERCPU;
17158 - ap.gs = __KERNEL_STACK_CANARY;
17159 + savesegment(gs, ap.gs);
17163 @@ -486,6 +492,18 @@ static void vmi_leave_lazy_mmu(void)
17164 paravirt_leave_lazy_mmu();
17167 +#ifdef CONFIG_PAX_KERNEXEC
17168 +static unsigned long vmi_pax_open_kernel(void)
17173 +static unsigned long vmi_pax_close_kernel(void)
17179 static inline int __init check_vmi_rom(struct vrom_header *rom)
17181 struct pci_header *pci;
17182 @@ -498,6 +516,10 @@ static inline int __init check_vmi_rom(s
17184 if (rom->vrom_signature != VMI_SIGNATURE)
17186 + if (rom->rom_length * 512 > sizeof(*rom)) {
17187 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
17190 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
17191 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
17192 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
17193 @@ -562,7 +584,7 @@ static inline int __init probe_vmi_rom(v
17194 struct vrom_header *romstart;
17195 romstart = (struct vrom_header *)isa_bus_to_virt(base);
17196 if (check_vmi_rom(romstart)) {
17197 - vmi_rom = romstart;
17198 + vmi_rom = *romstart;
17202 @@ -836,6 +858,11 @@ static inline int __init activate_vmi(vo
17204 para_fill(pv_irq_ops.safe_halt, Halt);
17206 +#ifdef CONFIG_PAX_KERNEXEC
17207 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
17208 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
17212 * Alternative instruction rewriting doesn't happen soon enough
17213 * to convert VMI_IRET to a call instead of a jump; so we have
17214 @@ -853,16 +880,16 @@ static inline int __init activate_vmi(vo
17216 void __init vmi_init(void)
17219 + if (!vmi_rom.rom_signature)
17222 - check_vmi_rom(vmi_rom);
17223 + check_vmi_rom(&vmi_rom);
17225 /* In case probing for or validating the ROM failed, basil */
17227 + if (!vmi_rom.rom_signature)
17230 - reserve_top_address(-vmi_rom->virtual_top);
17231 + reserve_top_address(-vmi_rom.virtual_top);
17233 #ifdef CONFIG_X86_IO_APIC
17234 /* This is virtual hardware; timer routing is wired correctly */
17235 @@ -874,7 +901,7 @@ void __init vmi_activate(void)
17237 unsigned long flags;
17240 + if (!vmi_rom.rom_signature)
17243 local_irq_save(flags);
17244 diff -urNp linux-2.6.32.42/arch/x86/kernel/vmlinux.lds.S linux-2.6.32.42/arch/x86/kernel/vmlinux.lds.S
17245 --- linux-2.6.32.42/arch/x86/kernel/vmlinux.lds.S 2011-03-27 14:31:47.000000000 -0400
17246 +++ linux-2.6.32.42/arch/x86/kernel/vmlinux.lds.S 2011-04-17 15:56:46.000000000 -0400
17248 #include <asm/page_types.h>
17249 #include <asm/cache.h>
17250 #include <asm/boot.h>
17251 +#include <asm/segment.h>
17253 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17254 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
17256 +#define __KERNEL_TEXT_OFFSET 0
17259 #undef i386 /* in case the preprocessor is a 32bit one */
17261 @@ -34,40 +41,53 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
17262 #ifdef CONFIG_X86_32
17264 ENTRY(phys_startup_32)
17265 -jiffies = jiffies_64;
17267 OUTPUT_ARCH(i386:x86-64)
17268 ENTRY(phys_startup_64)
17269 -jiffies_64 = jiffies;
17273 text PT_LOAD FLAGS(5); /* R_E */
17274 - data PT_LOAD FLAGS(7); /* RWE */
17275 +#ifdef CONFIG_X86_32
17276 + module PT_LOAD FLAGS(5); /* R_E */
17279 + rodata PT_LOAD FLAGS(5); /* R_E */
17281 + rodata PT_LOAD FLAGS(4); /* R__ */
17283 + data PT_LOAD FLAGS(6); /* RW_ */
17284 #ifdef CONFIG_X86_64
17285 user PT_LOAD FLAGS(5); /* R_E */
17287 + init.begin PT_LOAD FLAGS(6); /* RW_ */
17289 percpu PT_LOAD FLAGS(6); /* RW_ */
17291 + text.init PT_LOAD FLAGS(5); /* R_E */
17292 + text.exit PT_LOAD FLAGS(5); /* R_E */
17293 init PT_LOAD FLAGS(7); /* RWE */
17295 note PT_NOTE FLAGS(0); /* ___ */
17300 #ifdef CONFIG_X86_32
17301 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
17302 - phys_startup_32 = startup_32 - LOAD_OFFSET;
17303 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
17305 - . = __START_KERNEL;
17306 - phys_startup_64 = startup_64 - LOAD_OFFSET;
17307 + . = __START_KERNEL;
17310 /* Text and read-only data */
17311 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
17313 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
17314 /* bootstrapping code */
17315 +#ifdef CONFIG_X86_32
17316 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
17318 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
17320 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
17323 #ifdef CONFIG_X86_32
17324 . = ALIGN(PAGE_SIZE);
17325 @@ -82,28 +102,71 @@ SECTIONS
17329 - /* End of text section */
17333 - NOTES :text :note
17334 + . += __KERNEL_TEXT_OFFSET;
17336 +#ifdef CONFIG_X86_32
17337 + . = ALIGN(PAGE_SIZE);
17338 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
17342 + . = ALIGN(PAGE_SIZE);
17343 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
17345 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
17346 + MODULES_EXEC_VADDR = .;
17348 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
17349 + . = ALIGN(HPAGE_SIZE);
17350 + MODULES_EXEC_END = . - 1;
17356 - EXCEPTION_TABLE(16) :text = 0x9090
17357 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
17358 + /* End of text section */
17359 + _etext = . - __KERNEL_TEXT_OFFSET;
17362 +#ifdef CONFIG_X86_32
17363 + . = ALIGN(PAGE_SIZE);
17364 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
17366 + . = ALIGN(PAGE_SIZE);
17367 + *(.empty_zero_page)
17368 + *(.swapper_pg_fixmap)
17369 + *(.swapper_pg_pmd)
17370 + *(.swapper_pg_dir)
17371 + *(.trampoline_pg_dir)
17375 + . = ALIGN(PAGE_SIZE);
17376 + NOTES :rodata :note
17378 + EXCEPTION_TABLE(16) :rodata
17383 .data : AT(ADDR(.data) - LOAD_OFFSET) {
17385 +#ifdef CONFIG_PAX_KERNEXEC
17386 + . = ALIGN(HPAGE_SIZE);
17388 + . = ALIGN(PAGE_SIZE);
17391 /* Start of data section */
17395 INIT_TASK_DATA(THREAD_SIZE)
17397 -#ifdef CONFIG_X86_32
17398 - /* 32 bit has nosave before _edata */
17402 PAGE_ALIGNED_DATA(PAGE_SIZE)
17404 @@ -112,6 +175,8 @@ SECTIONS
17408 + jiffies = jiffies_64;
17410 /* rarely changed data like cpu maps */
17411 READ_MOSTLY_DATA(CONFIG_X86_INTERNODE_CACHE_BYTES)
17413 @@ -166,12 +231,6 @@ SECTIONS
17415 vgetcpu_mode = VVIRT(.vgetcpu_mode);
17417 - . = ALIGN(CONFIG_X86_L1_CACHE_BYTES);
17418 - .jiffies : AT(VLOAD(.jiffies)) {
17421 - jiffies = VVIRT(.jiffies);
17423 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
17426 @@ -187,12 +246,19 @@ SECTIONS
17427 #endif /* CONFIG_X86_64 */
17429 /* Init code and data - will be freed after init */
17430 - . = ALIGN(PAGE_SIZE);
17431 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
17434 +#ifdef CONFIG_PAX_KERNEXEC
17435 + . = ALIGN(HPAGE_SIZE);
17437 + . = ALIGN(PAGE_SIZE);
17440 __init_begin = .; /* paired with __init_end */
17444 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
17447 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
17448 * output PHDR, so the next output section - .init.text - should
17449 @@ -201,12 +267,27 @@ SECTIONS
17450 PERCPU_VADDR(0, :percpu)
17453 - INIT_TEXT_SECTION(PAGE_SIZE)
17454 -#ifdef CONFIG_X86_64
17457 + . = ALIGN(PAGE_SIZE);
17459 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
17460 + VMLINUX_SYMBOL(_sinittext) = .;
17462 + VMLINUX_SYMBOL(_einittext) = .;
17463 + . = ALIGN(PAGE_SIZE);
17466 - INIT_DATA_SECTION(16)
17468 + * .exit.text is discard at runtime, not link time, to deal with
17469 + * references from .altinstructions and .eh_frame
17471 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
17475 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
17477 + . = ALIGN(PAGE_SIZE);
17478 + INIT_DATA_SECTION(16) :init
17480 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
17481 __x86_cpu_dev_start = .;
17482 @@ -232,19 +313,11 @@ SECTIONS
17483 *(.altinstr_replacement)
17487 - * .exit.text is discard at runtime, not link time, to deal with
17488 - * references from .altinstructions and .eh_frame
17490 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
17494 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
17498 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
17499 +#ifndef CONFIG_SMP
17503 @@ -267,12 +340,6 @@ SECTIONS
17504 . = ALIGN(PAGE_SIZE);
17507 -#ifdef CONFIG_X86_64
17508 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
17514 . = ALIGN(PAGE_SIZE);
17515 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
17516 @@ -288,6 +355,7 @@ SECTIONS
17518 . += 64 * 1024; /* 64k alignment slop space */
17519 *(.brk_reservation) /* areas brk users have reserved */
17520 + . = ALIGN(HPAGE_SIZE);
17524 @@ -316,13 +384,12 @@ SECTIONS
17525 * for the boot processor.
17527 #define INIT_PER_CPU(x) init_per_cpu__##x = per_cpu__##x + __per_cpu_load
17528 -INIT_PER_CPU(gdt_page);
17529 INIT_PER_CPU(irq_stack_union);
17532 * Build-time check on the image size:
17534 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
17535 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
17536 "kernel image bigger than KERNEL_IMAGE_SIZE");
17539 diff -urNp linux-2.6.32.42/arch/x86/kernel/vsyscall_64.c linux-2.6.32.42/arch/x86/kernel/vsyscall_64.c
17540 --- linux-2.6.32.42/arch/x86/kernel/vsyscall_64.c 2011-03-27 14:31:47.000000000 -0400
17541 +++ linux-2.6.32.42/arch/x86/kernel/vsyscall_64.c 2011-04-23 12:56:10.000000000 -0400
17542 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
17544 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
17545 /* copy vsyscall data */
17546 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
17547 vsyscall_gtod_data.clock.vread = clock->vread;
17548 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
17549 vsyscall_gtod_data.clock.mask = clock->mask;
17550 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
17551 We do this here because otherwise user space would do it on
17552 its own in a likely inferior way (no access to jiffies).
17553 If you don't like it pass NULL. */
17554 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
17555 + if (tcache && tcache->blob[0] == (j = jiffies)) {
17556 p = tcache->blob[1];
17557 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
17558 /* Load per CPU data from RDTSCP */
17559 diff -urNp linux-2.6.32.42/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.32.42/arch/x86/kernel/x8664_ksyms_64.c
17560 --- linux-2.6.32.42/arch/x86/kernel/x8664_ksyms_64.c 2011-03-27 14:31:47.000000000 -0400
17561 +++ linux-2.6.32.42/arch/x86/kernel/x8664_ksyms_64.c 2011-04-17 15:56:46.000000000 -0400
17562 @@ -30,8 +30,6 @@ EXPORT_SYMBOL(__put_user_8);
17564 EXPORT_SYMBOL(copy_user_generic);
17565 EXPORT_SYMBOL(__copy_user_nocache);
17566 -EXPORT_SYMBOL(copy_from_user);
17567 -EXPORT_SYMBOL(copy_to_user);
17568 EXPORT_SYMBOL(__copy_from_user_inatomic);
17570 EXPORT_SYMBOL(copy_page);
17571 diff -urNp linux-2.6.32.42/arch/x86/kernel/xsave.c linux-2.6.32.42/arch/x86/kernel/xsave.c
17572 --- linux-2.6.32.42/arch/x86/kernel/xsave.c 2011-03-27 14:31:47.000000000 -0400
17573 +++ linux-2.6.32.42/arch/x86/kernel/xsave.c 2011-04-17 15:56:46.000000000 -0400
17574 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
17575 fx_sw_user->xstate_size > fx_sw_user->extended_size)
17578 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
17579 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
17580 fx_sw_user->extended_size -
17581 FP_XSTATE_MAGIC2_SIZE));
17583 @@ -196,7 +196,7 @@ fx_only:
17584 * the other extended state.
17586 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
17587 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
17588 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
17592 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
17593 if (task_thread_info(tsk)->status & TS_XSAVE)
17594 err = restore_user_xstate(buf);
17596 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
17597 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
17599 if (unlikely(err)) {
17601 diff -urNp linux-2.6.32.42/arch/x86/kvm/emulate.c linux-2.6.32.42/arch/x86/kvm/emulate.c
17602 --- linux-2.6.32.42/arch/x86/kvm/emulate.c 2011-03-27 14:31:47.000000000 -0400
17603 +++ linux-2.6.32.42/arch/x86/kvm/emulate.c 2011-04-17 15:56:46.000000000 -0400
17605 #define Src2CL (1<<29)
17606 #define Src2ImmByte (2<<29)
17607 #define Src2One (3<<29)
17608 -#define Src2Imm16 (4<<29)
17609 -#define Src2Mask (7<<29)
17610 +#define Src2Imm16 (4U<<29)
17611 +#define Src2Mask (7U<<29)
17614 Group1_80, Group1_81, Group1_82, Group1_83,
17615 @@ -411,6 +411,7 @@ static u32 group2_table[] = {
17617 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
17619 + unsigned long _tmp; \
17620 __asm__ __volatile__ ( \
17621 _PRE_EFLAGS("0", "4", "2") \
17622 _op _suffix " %"_x"3,%1; " \
17623 @@ -424,8 +425,6 @@ static u32 group2_table[] = {
17624 /* Raw emulation: instruction has two explicit operands. */
17625 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
17627 - unsigned long _tmp; \
17629 switch ((_dst).bytes) { \
17631 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
17632 @@ -441,7 +440,6 @@ static u32 group2_table[] = {
17634 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
17636 - unsigned long _tmp; \
17637 switch ((_dst).bytes) { \
17639 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
17640 diff -urNp linux-2.6.32.42/arch/x86/kvm/lapic.c linux-2.6.32.42/arch/x86/kvm/lapic.c
17641 --- linux-2.6.32.42/arch/x86/kvm/lapic.c 2011-03-27 14:31:47.000000000 -0400
17642 +++ linux-2.6.32.42/arch/x86/kvm/lapic.c 2011-04-17 15:56:46.000000000 -0400
17644 #define APIC_BUS_CYCLE_NS 1
17646 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
17647 -#define apic_debug(fmt, arg...)
17648 +#define apic_debug(fmt, arg...) do {} while (0)
17650 #define APIC_LVT_NUM 6
17651 /* 14 is the version for Xeon and Pentium 8.4.8*/
17652 diff -urNp linux-2.6.32.42/arch/x86/kvm/paging_tmpl.h linux-2.6.32.42/arch/x86/kvm/paging_tmpl.h
17653 --- linux-2.6.32.42/arch/x86/kvm/paging_tmpl.h 2011-03-27 14:31:47.000000000 -0400
17654 +++ linux-2.6.32.42/arch/x86/kvm/paging_tmpl.h 2011-05-16 21:46:57.000000000 -0400
17655 @@ -416,6 +416,8 @@ static int FNAME(page_fault)(struct kvm_
17656 int level = PT_PAGE_TABLE_LEVEL;
17657 unsigned long mmu_seq;
17659 + pax_track_stack();
17661 pgprintk("%s: addr %lx err %x\n", __func__, addr, error_code);
17662 kvm_mmu_audit(vcpu, "pre page fault");
17664 diff -urNp linux-2.6.32.42/arch/x86/kvm/svm.c linux-2.6.32.42/arch/x86/kvm/svm.c
17665 --- linux-2.6.32.42/arch/x86/kvm/svm.c 2011-03-27 14:31:47.000000000 -0400
17666 +++ linux-2.6.32.42/arch/x86/kvm/svm.c 2011-04-17 15:56:46.000000000 -0400
17667 @@ -2483,9 +2483,12 @@ static int handle_exit(struct kvm_run *k
17668 static void reload_tss(struct kvm_vcpu *vcpu)
17670 int cpu = raw_smp_processor_id();
17672 struct svm_cpu_data *svm_data = per_cpu(svm_data, cpu);
17674 + pax_open_kernel();
17675 svm_data->tss_desc->type = 9; /* available 32/64-bit TSS */
17676 + pax_close_kernel();
17681 @@ -2946,7 +2949,7 @@ static bool svm_gb_page_enable(void)
17685 -static struct kvm_x86_ops svm_x86_ops = {
17686 +static const struct kvm_x86_ops svm_x86_ops = {
17687 .cpu_has_kvm_support = has_svm,
17688 .disabled_by_bios = is_disabled,
17689 .hardware_setup = svm_hardware_setup,
17690 diff -urNp linux-2.6.32.42/arch/x86/kvm/vmx.c linux-2.6.32.42/arch/x86/kvm/vmx.c
17691 --- linux-2.6.32.42/arch/x86/kvm/vmx.c 2011-03-27 14:31:47.000000000 -0400
17692 +++ linux-2.6.32.42/arch/x86/kvm/vmx.c 2011-05-04 17:56:20.000000000 -0400
17693 @@ -570,7 +570,11 @@ static void reload_tss(void)
17696 descs = (void *)gdt.base;
17698 + pax_open_kernel();
17699 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
17700 + pax_close_kernel();
17705 @@ -1409,8 +1413,11 @@ static __init int hardware_setup(void)
17706 if (!cpu_has_vmx_flexpriority())
17707 flexpriority_enabled = 0;
17709 - if (!cpu_has_vmx_tpr_shadow())
17710 - kvm_x86_ops->update_cr8_intercept = NULL;
17711 + if (!cpu_has_vmx_tpr_shadow()) {
17712 + pax_open_kernel();
17713 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
17714 + pax_close_kernel();
17717 if (enable_ept && !cpu_has_vmx_ept_2m_page())
17718 kvm_disable_largepages();
17719 @@ -2361,7 +2368,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
17720 vmcs_writel(HOST_IDTR_BASE, dt.base); /* 22.2.4 */
17722 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
17723 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
17724 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
17725 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
17726 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
17727 vmcs_write32(VM_ENTRY_MSR_LOAD_COUNT, 0);
17728 @@ -3717,6 +3724,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
17729 "jmp .Lkvm_vmx_return \n\t"
17730 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
17731 ".Lkvm_vmx_return: "
17733 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17734 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
17735 + ".Lkvm_vmx_return2: "
17738 /* Save guest registers, load host registers, keep flags */
17739 "xchg %0, (%%"R"sp) \n\t"
17740 "mov %%"R"ax, %c[rax](%0) \n\t"
17741 @@ -3763,8 +3776,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
17742 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
17744 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
17746 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17747 + ,[cs]"i"(__KERNEL_CS)
17751 - , R"bx", R"di", R"si"
17752 + , R"ax", R"bx", R"di", R"si"
17753 #ifdef CONFIG_X86_64
17754 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
17756 @@ -3781,7 +3799,16 @@ static void vmx_vcpu_run(struct kvm_vcpu
17757 if (vmx->rmode.irq.pending)
17758 fixup_rmode_irq(vmx);
17760 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
17761 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
17763 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
17764 + loadsegment(fs, __KERNEL_PERCPU);
17767 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
17768 + __set_fs(current_thread_info()->addr_limit);
17773 vmx_complete_interrupts(vmx);
17774 @@ -3956,7 +3983,7 @@ static bool vmx_gb_page_enable(void)
17778 -static struct kvm_x86_ops vmx_x86_ops = {
17779 +static const struct kvm_x86_ops vmx_x86_ops = {
17780 .cpu_has_kvm_support = cpu_has_kvm_support,
17781 .disabled_by_bios = vmx_disabled_by_bios,
17782 .hardware_setup = hardware_setup,
17783 diff -urNp linux-2.6.32.42/arch/x86/kvm/x86.c linux-2.6.32.42/arch/x86/kvm/x86.c
17784 --- linux-2.6.32.42/arch/x86/kvm/x86.c 2011-05-10 22:12:01.000000000 -0400
17785 +++ linux-2.6.32.42/arch/x86/kvm/x86.c 2011-05-10 22:12:26.000000000 -0400
17786 @@ -82,7 +82,7 @@ static void update_cr8_intercept(struct
17787 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
17788 struct kvm_cpuid_entry2 __user *entries);
17790 -struct kvm_x86_ops *kvm_x86_ops;
17791 +const struct kvm_x86_ops *kvm_x86_ops;
17792 EXPORT_SYMBOL_GPL(kvm_x86_ops);
17794 int ignore_msrs = 0;
17795 @@ -1430,15 +1430,20 @@ static int kvm_vcpu_ioctl_set_cpuid2(str
17796 struct kvm_cpuid2 *cpuid,
17797 struct kvm_cpuid_entry2 __user *entries)
17803 if (cpuid->nent > KVM_MAX_CPUID_ENTRIES)
17806 - if (copy_from_user(&vcpu->arch.cpuid_entries, entries,
17807 - cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
17808 + if (!access_ok(VERIFY_READ, entries, cpuid->nent * sizeof(struct kvm_cpuid_entry2)))
17810 + for (i = 0; i < cpuid->nent; ++i) {
17811 + struct kvm_cpuid_entry2 cpuid_entry;
17812 + if (__copy_from_user(&cpuid_entry, entries + i, sizeof(cpuid_entry)))
17814 + vcpu->arch.cpuid_entries[i] = cpuid_entry;
17816 vcpu->arch.cpuid_nent = cpuid->nent;
17817 kvm_apic_set_version(vcpu);
17819 @@ -1451,16 +1456,20 @@ static int kvm_vcpu_ioctl_get_cpuid2(str
17820 struct kvm_cpuid2 *cpuid,
17821 struct kvm_cpuid_entry2 __user *entries)
17828 if (cpuid->nent < vcpu->arch.cpuid_nent)
17831 - if (copy_to_user(entries, &vcpu->arch.cpuid_entries,
17832 - vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
17833 + if (!access_ok(VERIFY_WRITE, entries, vcpu->arch.cpuid_nent * sizeof(struct kvm_cpuid_entry2)))
17835 + for (i = 0; i < vcpu->arch.cpuid_nent; ++i) {
17836 + struct kvm_cpuid_entry2 cpuid_entry = vcpu->arch.cpuid_entries[i];
17837 + if (__copy_to_user(entries + i, &cpuid_entry, sizeof(cpuid_entry)))
17843 @@ -1678,7 +1687,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
17844 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
17845 struct kvm_interrupt *irq)
17847 - if (irq->irq < 0 || irq->irq >= 256)
17848 + if (irq->irq >= 256)
17850 if (irqchip_in_kernel(vcpu->kvm))
17852 @@ -3260,10 +3269,10 @@ static struct notifier_block kvmclock_cp
17853 .notifier_call = kvmclock_cpufreq_notifier
17856 -int kvm_arch_init(void *opaque)
17857 +int kvm_arch_init(const void *opaque)
17860 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
17861 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
17864 printk(KERN_ERR "kvm: already loaded the other module\n");
17865 diff -urNp linux-2.6.32.42/arch/x86/lib/atomic64_32.c linux-2.6.32.42/arch/x86/lib/atomic64_32.c
17866 --- linux-2.6.32.42/arch/x86/lib/atomic64_32.c 2011-03-27 14:31:47.000000000 -0400
17867 +++ linux-2.6.32.42/arch/x86/lib/atomic64_32.c 2011-05-04 17:56:28.000000000 -0400
17868 @@ -25,6 +25,12 @@ u64 atomic64_cmpxchg(atomic64_t *ptr, u6
17870 EXPORT_SYMBOL(atomic64_cmpxchg);
17872 +u64 atomic64_cmpxchg_unchecked(atomic64_unchecked_t *ptr, u64 old_val, u64 new_val)
17874 + return cmpxchg8b(&ptr->counter, old_val, new_val);
17876 +EXPORT_SYMBOL(atomic64_cmpxchg_unchecked);
17879 * atomic64_xchg - xchg atomic64 variable
17880 * @ptr: pointer to type atomic64_t
17881 @@ -56,6 +62,36 @@ u64 atomic64_xchg(atomic64_t *ptr, u64 n
17882 EXPORT_SYMBOL(atomic64_xchg);
17885 + * atomic64_xchg_unchecked - xchg atomic64 variable
17886 + * @ptr: pointer to type atomic64_unchecked_t
17887 + * @new_val: value to assign
17889 + * Atomically xchgs the value of @ptr to @new_val and returns
17892 +u64 atomic64_xchg_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
17895 + * Try first with a (possibly incorrect) assumption about
17896 + * what we have there. We'll do two loops most likely,
17897 + * but we'll get an ownership MESI transaction straight away
17898 + * instead of a read transaction followed by a
17899 + * flush-for-ownership transaction:
17901 + u64 old_val, real_val = 0;
17904 + old_val = real_val;
17906 + real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
17908 + } while (real_val != old_val);
17912 +EXPORT_SYMBOL(atomic64_xchg_unchecked);
17915 * atomic64_set - set atomic64 variable
17916 * @ptr: pointer to type atomic64_t
17917 * @new_val: value to assign
17918 @@ -69,7 +105,19 @@ void atomic64_set(atomic64_t *ptr, u64 n
17919 EXPORT_SYMBOL(atomic64_set);
17922 -EXPORT_SYMBOL(atomic64_read);
17923 + * atomic64_unchecked_set - set atomic64 variable
17924 + * @ptr: pointer to type atomic64_unchecked_t
17925 + * @new_val: value to assign
17927 + * Atomically sets the value of @ptr to @new_val.
17929 +void atomic64_set_unchecked(atomic64_unchecked_t *ptr, u64 new_val)
17931 + atomic64_xchg_unchecked(ptr, new_val);
17933 +EXPORT_SYMBOL(atomic64_set_unchecked);
17936 * atomic64_add_return - add and return
17937 * @delta: integer value to add
17938 * @ptr: pointer to type atomic64_t
17939 @@ -99,24 +147,72 @@ noinline u64 atomic64_add_return(u64 del
17941 EXPORT_SYMBOL(atomic64_add_return);
17944 + * atomic64_add_return_unchecked - add and return
17945 + * @delta: integer value to add
17946 + * @ptr: pointer to type atomic64_unchecked_t
17948 + * Atomically adds @delta to @ptr and returns @delta + *@ptr
17950 +noinline u64 atomic64_add_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
17953 + * Try first with a (possibly incorrect) assumption about
17954 + * what we have there. We'll do two loops most likely,
17955 + * but we'll get an ownership MESI transaction straight away
17956 + * instead of a read transaction followed by a
17957 + * flush-for-ownership transaction:
17959 + u64 old_val, new_val, real_val = 0;
17962 + old_val = real_val;
17963 + new_val = old_val + delta;
17965 + real_val = atomic64_cmpxchg_unchecked(ptr, old_val, new_val);
17967 + } while (real_val != old_val);
17971 +EXPORT_SYMBOL(atomic64_add_return_unchecked);
17973 u64 atomic64_sub_return(u64 delta, atomic64_t *ptr)
17975 return atomic64_add_return(-delta, ptr);
17977 EXPORT_SYMBOL(atomic64_sub_return);
17979 +u64 atomic64_sub_return_unchecked(u64 delta, atomic64_unchecked_t *ptr)
17981 + return atomic64_add_return_unchecked(-delta, ptr);
17983 +EXPORT_SYMBOL(atomic64_sub_return_unchecked);
17985 u64 atomic64_inc_return(atomic64_t *ptr)
17987 return atomic64_add_return(1, ptr);
17989 EXPORT_SYMBOL(atomic64_inc_return);
17991 +u64 atomic64_inc_return_unchecked(atomic64_unchecked_t *ptr)
17993 + return atomic64_add_return_unchecked(1, ptr);
17995 +EXPORT_SYMBOL(atomic64_inc_return_unchecked);
17997 u64 atomic64_dec_return(atomic64_t *ptr)
17999 return atomic64_sub_return(1, ptr);
18001 EXPORT_SYMBOL(atomic64_dec_return);
18003 +u64 atomic64_dec_return_unchecked(atomic64_unchecked_t *ptr)
18005 + return atomic64_sub_return_unchecked(1, ptr);
18007 +EXPORT_SYMBOL(atomic64_dec_return_unchecked);
18010 * atomic64_add - add integer to atomic64 variable
18011 * @delta: integer value to add
18012 @@ -131,6 +227,19 @@ void atomic64_add(u64 delta, atomic64_t
18013 EXPORT_SYMBOL(atomic64_add);
18016 + * atomic64_add_unchecked - add integer to atomic64 variable
18017 + * @delta: integer value to add
18018 + * @ptr: pointer to type atomic64_unchecked_t
18020 + * Atomically adds @delta to @ptr.
18022 +void atomic64_add_unchecked(u64 delta, atomic64_unchecked_t *ptr)
18024 + atomic64_add_return_unchecked(delta, ptr);
18026 +EXPORT_SYMBOL(atomic64_add_unchecked);
18029 * atomic64_sub - subtract the atomic64 variable
18030 * @delta: integer value to subtract
18031 * @ptr: pointer to type atomic64_t
18032 @@ -144,6 +253,19 @@ void atomic64_sub(u64 delta, atomic64_t
18033 EXPORT_SYMBOL(atomic64_sub);
18036 + * atomic64_sub_unchecked - subtract the atomic64 variable
18037 + * @delta: integer value to subtract
18038 + * @ptr: pointer to type atomic64_unchecked_t
18040 + * Atomically subtracts @delta from @ptr.
18042 +void atomic64_sub_unchecked(u64 delta, atomic64_unchecked_t *ptr)
18044 + atomic64_add_unchecked(-delta, ptr);
18046 +EXPORT_SYMBOL(atomic64_sub_unchecked);
18049 * atomic64_sub_and_test - subtract value from variable and test result
18050 * @delta: integer value to subtract
18051 * @ptr: pointer to type atomic64_t
18052 @@ -173,6 +295,18 @@ void atomic64_inc(atomic64_t *ptr)
18053 EXPORT_SYMBOL(atomic64_inc);
18056 + * atomic64_inc_unchecked - increment atomic64 variable
18057 + * @ptr: pointer to type atomic64_unchecked_t
18059 + * Atomically increments @ptr by 1.
18061 +void atomic64_inc_unchecked(atomic64_unchecked_t *ptr)
18063 + atomic64_add_unchecked(1, ptr);
18065 +EXPORT_SYMBOL(atomic64_inc_unchecked);
18068 * atomic64_dec - decrement atomic64 variable
18069 * @ptr: pointer to type atomic64_t
18071 @@ -185,6 +319,18 @@ void atomic64_dec(atomic64_t *ptr)
18072 EXPORT_SYMBOL(atomic64_dec);
18075 + * atomic64_dec_unchecked - decrement atomic64 variable
18076 + * @ptr: pointer to type atomic64_unchecked_t
18078 + * Atomically decrements @ptr by 1.
18080 +void atomic64_dec_unchecked(atomic64_unchecked_t *ptr)
18082 + atomic64_sub_unchecked(1, ptr);
18084 +EXPORT_SYMBOL(atomic64_dec_unchecked);
18087 * atomic64_dec_and_test - decrement and test
18088 * @ptr: pointer to type atomic64_t
18090 diff -urNp linux-2.6.32.42/arch/x86/lib/checksum_32.S linux-2.6.32.42/arch/x86/lib/checksum_32.S
18091 --- linux-2.6.32.42/arch/x86/lib/checksum_32.S 2011-03-27 14:31:47.000000000 -0400
18092 +++ linux-2.6.32.42/arch/x86/lib/checksum_32.S 2011-04-17 15:56:46.000000000 -0400
18094 #include <linux/linkage.h>
18095 #include <asm/dwarf2.h>
18096 #include <asm/errno.h>
18098 +#include <asm/segment.h>
18101 * computes a partial checksum, e.g. for TCP/UDP fragments
18103 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
18108 -ENTRY(csum_partial_copy_generic)
18110 +ENTRY(csum_partial_copy_generic_to_user)
18113 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18115 + CFI_ADJUST_CFA_OFFSET 4
18117 + CFI_ADJUST_CFA_OFFSET -4
18118 + jmp csum_partial_copy_generic
18121 +ENTRY(csum_partial_copy_generic_from_user)
18123 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18125 + CFI_ADJUST_CFA_OFFSET 4
18127 + CFI_ADJUST_CFA_OFFSET -4
18130 +ENTRY(csum_partial_copy_generic)
18132 CFI_ADJUST_CFA_OFFSET 4
18134 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
18136 SRC(1: movw (%esi), %bx )
18138 -DST( movw %bx, (%edi) )
18139 +DST( movw %bx, %es:(%edi) )
18143 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
18144 SRC(1: movl (%esi), %ebx )
18145 SRC( movl 4(%esi), %edx )
18147 -DST( movl %ebx, (%edi) )
18148 +DST( movl %ebx, %es:(%edi) )
18150 -DST( movl %edx, 4(%edi) )
18151 +DST( movl %edx, %es:4(%edi) )
18153 SRC( movl 8(%esi), %ebx )
18154 SRC( movl 12(%esi), %edx )
18156 -DST( movl %ebx, 8(%edi) )
18157 +DST( movl %ebx, %es:8(%edi) )
18159 -DST( movl %edx, 12(%edi) )
18160 +DST( movl %edx, %es:12(%edi) )
18162 SRC( movl 16(%esi), %ebx )
18163 SRC( movl 20(%esi), %edx )
18165 -DST( movl %ebx, 16(%edi) )
18166 +DST( movl %ebx, %es:16(%edi) )
18168 -DST( movl %edx, 20(%edi) )
18169 +DST( movl %edx, %es:20(%edi) )
18171 SRC( movl 24(%esi), %ebx )
18172 SRC( movl 28(%esi), %edx )
18174 -DST( movl %ebx, 24(%edi) )
18175 +DST( movl %ebx, %es:24(%edi) )
18177 -DST( movl %edx, 28(%edi) )
18178 +DST( movl %edx, %es:28(%edi) )
18182 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
18183 shrl $2, %edx # This clears CF
18184 SRC(3: movl (%esi), %ebx )
18186 -DST( movl %ebx, (%edi) )
18187 +DST( movl %ebx, %es:(%edi) )
18191 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
18193 SRC( movw (%esi), %cx )
18195 -DST( movw %cx, (%edi) )
18196 +DST( movw %cx, %es:(%edi) )
18200 SRC(5: movb (%esi), %cl )
18201 -DST( movb %cl, (%edi) )
18202 +DST( movb %cl, %es:(%edi) )
18206 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
18209 movl ARGBASE+20(%esp), %ebx # src_err_ptr
18210 - movl $-EFAULT, (%ebx)
18211 + movl $-EFAULT, %ss:(%ebx)
18213 # zero the complete destination - computing the rest
18215 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
18218 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
18219 - movl $-EFAULT,(%ebx)
18220 + movl $-EFAULT,%ss:(%ebx)
18226 + CFI_ADJUST_CFA_OFFSET 4
18228 + CFI_ADJUST_CFA_OFFSET -4
18230 + CFI_ADJUST_CFA_OFFSET 4
18232 + CFI_ADJUST_CFA_OFFSET -4
18234 CFI_ADJUST_CFA_OFFSET -4
18236 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
18237 CFI_ADJUST_CFA_OFFSET -4
18240 -ENDPROC(csum_partial_copy_generic)
18241 +ENDPROC(csum_partial_copy_generic_to_user)
18245 /* Version for PentiumII/PPro */
18247 #define ROUND1(x) \
18249 SRC(movl x(%esi), %ebx ) ; \
18250 addl %ebx, %eax ; \
18251 - DST(movl %ebx, x(%edi) ) ;
18252 + DST(movl %ebx, %es:x(%edi)) ;
18256 SRC(movl x(%esi), %ebx ) ; \
18257 adcl %ebx, %eax ; \
18258 - DST(movl %ebx, x(%edi) ) ;
18259 + DST(movl %ebx, %es:x(%edi)) ;
18263 -ENTRY(csum_partial_copy_generic)
18265 +ENTRY(csum_partial_copy_generic_to_user)
18268 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18270 + CFI_ADJUST_CFA_OFFSET 4
18272 + CFI_ADJUST_CFA_OFFSET -4
18273 + jmp csum_partial_copy_generic
18276 +ENTRY(csum_partial_copy_generic_from_user)
18278 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18280 + CFI_ADJUST_CFA_OFFSET 4
18282 + CFI_ADJUST_CFA_OFFSET -4
18285 +ENTRY(csum_partial_copy_generic)
18287 CFI_ADJUST_CFA_OFFSET 4
18288 CFI_REL_OFFSET ebx, 0
18289 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
18293 - lea 3f(%ebx,%ebx), %ebx
18294 + lea 3f(%ebx,%ebx,2), %ebx
18298 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
18300 SRC( movw (%esi), %dx )
18302 -DST( movw %dx, (%edi) )
18303 +DST( movw %dx, %es:(%edi) )
18308 SRC( movb (%esi), %dl )
18309 -DST( movb %dl, (%edi) )
18310 +DST( movb %dl, %es:(%edi) )
18314 .section .fixup, "ax"
18315 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
18316 - movl $-EFAULT, (%ebx)
18317 + movl $-EFAULT, %ss:(%ebx)
18318 # zero the complete destination (computing the rest is too much work)
18319 movl ARGBASE+8(%esp),%edi # dst
18320 movl ARGBASE+12(%esp),%ecx # len
18321 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
18324 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
18325 - movl $-EFAULT, (%ebx)
18326 + movl $-EFAULT, %ss:(%ebx)
18330 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18332 + CFI_ADJUST_CFA_OFFSET 4
18334 + CFI_ADJUST_CFA_OFFSET -4
18336 + CFI_ADJUST_CFA_OFFSET 4
18338 + CFI_ADJUST_CFA_OFFSET -4
18342 CFI_ADJUST_CFA_OFFSET -4
18344 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
18348 -ENDPROC(csum_partial_copy_generic)
18349 +ENDPROC(csum_partial_copy_generic_to_user)
18353 diff -urNp linux-2.6.32.42/arch/x86/lib/clear_page_64.S linux-2.6.32.42/arch/x86/lib/clear_page_64.S
18354 --- linux-2.6.32.42/arch/x86/lib/clear_page_64.S 2011-03-27 14:31:47.000000000 -0400
18355 +++ linux-2.6.32.42/arch/x86/lib/clear_page_64.S 2011-04-17 15:56:46.000000000 -0400
18356 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
18358 #include <asm/cpufeature.h>
18360 - .section .altinstr_replacement,"ax"
18361 + .section .altinstr_replacement,"a"
18362 1: .byte 0xeb /* jmp <disp8> */
18363 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
18365 diff -urNp linux-2.6.32.42/arch/x86/lib/copy_page_64.S linux-2.6.32.42/arch/x86/lib/copy_page_64.S
18366 --- linux-2.6.32.42/arch/x86/lib/copy_page_64.S 2011-03-27 14:31:47.000000000 -0400
18367 +++ linux-2.6.32.42/arch/x86/lib/copy_page_64.S 2011-04-17 15:56:46.000000000 -0400
18368 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
18370 #include <asm/cpufeature.h>
18372 - .section .altinstr_replacement,"ax"
18373 + .section .altinstr_replacement,"a"
18374 1: .byte 0xeb /* jmp <disp8> */
18375 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
18377 diff -urNp linux-2.6.32.42/arch/x86/lib/copy_user_64.S linux-2.6.32.42/arch/x86/lib/copy_user_64.S
18378 --- linux-2.6.32.42/arch/x86/lib/copy_user_64.S 2011-06-25 12:55:34.000000000 -0400
18379 +++ linux-2.6.32.42/arch/x86/lib/copy_user_64.S 2011-06-25 12:56:37.000000000 -0400
18380 @@ -15,13 +15,14 @@
18381 #include <asm/asm-offsets.h>
18382 #include <asm/thread_info.h>
18383 #include <asm/cpufeature.h>
18384 +#include <asm/pgtable.h>
18386 .macro ALTERNATIVE_JUMP feature,orig,alt
18388 .byte 0xe9 /* 32bit jump */
18389 .long \orig-1f /* by default jump to orig */
18391 - .section .altinstr_replacement,"ax"
18392 + .section .altinstr_replacement,"a"
18393 2: .byte 0xe9 /* near jump with 32bit immediate */
18394 .long \alt-1b /* offset */ /* or alternatively to alt */
18396 @@ -64,49 +65,19 @@
18400 -/* Standard copy_to_user with segment limit checking */
18401 -ENTRY(copy_to_user)
18403 - GET_THREAD_INFO(%rax)
18407 - cmpq TI_addr_limit(%rax),%rcx
18409 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
18411 -ENDPROC(copy_to_user)
18413 -/* Standard copy_from_user with segment limit checking */
18414 -ENTRY(copy_from_user)
18416 - GET_THREAD_INFO(%rax)
18420 - cmpq TI_addr_limit(%rax),%rcx
18422 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
18424 -ENDPROC(copy_from_user)
18426 ENTRY(copy_user_generic)
18428 ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
18430 ENDPROC(copy_user_generic)
18432 -ENTRY(__copy_from_user_inatomic)
18434 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
18436 -ENDPROC(__copy_from_user_inatomic)
18438 .section .fixup,"ax"
18439 /* must zero dest */
18440 ENTRY(bad_from_user)
18448 diff -urNp linux-2.6.32.42/arch/x86/lib/copy_user_nocache_64.S linux-2.6.32.42/arch/x86/lib/copy_user_nocache_64.S
18449 --- linux-2.6.32.42/arch/x86/lib/copy_user_nocache_64.S 2011-03-27 14:31:47.000000000 -0400
18450 +++ linux-2.6.32.42/arch/x86/lib/copy_user_nocache_64.S 2011-04-17 15:56:46.000000000 -0400
18452 #include <asm/current.h>
18453 #include <asm/asm-offsets.h>
18454 #include <asm/thread_info.h>
18455 +#include <asm/pgtable.h>
18457 .macro ALIGN_DESTINATION
18458 #ifdef FIX_ALIGNMENT
18461 ENTRY(__copy_user_nocache)
18464 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18465 + mov $PAX_USER_SHADOW_BASE,%rcx
18473 jb 20f /* less then 8 bytes, go to byte copy loop */
18475 diff -urNp linux-2.6.32.42/arch/x86/lib/csum-wrappers_64.c linux-2.6.32.42/arch/x86/lib/csum-wrappers_64.c
18476 --- linux-2.6.32.42/arch/x86/lib/csum-wrappers_64.c 2011-03-27 14:31:47.000000000 -0400
18477 +++ linux-2.6.32.42/arch/x86/lib/csum-wrappers_64.c 2011-05-04 17:56:20.000000000 -0400
18478 @@ -52,6 +52,12 @@ csum_partial_copy_from_user(const void _
18483 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18484 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
18485 + src += PAX_USER_SHADOW_BASE;
18488 isum = csum_partial_copy_generic((__force const void *)src,
18489 dst, len, isum, errp, NULL);
18490 if (unlikely(*errp))
18491 @@ -105,6 +111,12 @@ csum_partial_copy_to_user(const void *sr
18496 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18497 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
18498 + dst += PAX_USER_SHADOW_BASE;
18501 return csum_partial_copy_generic(src, (void __force *)dst,
18502 len, isum, NULL, errp);
18504 diff -urNp linux-2.6.32.42/arch/x86/lib/getuser.S linux-2.6.32.42/arch/x86/lib/getuser.S
18505 --- linux-2.6.32.42/arch/x86/lib/getuser.S 2011-03-27 14:31:47.000000000 -0400
18506 +++ linux-2.6.32.42/arch/x86/lib/getuser.S 2011-04-17 15:56:46.000000000 -0400
18507 @@ -33,14 +33,35 @@
18508 #include <asm/asm-offsets.h>
18509 #include <asm/thread_info.h>
18510 #include <asm/asm.h>
18511 +#include <asm/segment.h>
18512 +#include <asm/pgtable.h>
18514 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18515 +#define __copyuser_seg gs;
18517 +#define __copyuser_seg
18521 ENTRY(__get_user_1)
18524 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18525 GET_THREAD_INFO(%_ASM_DX)
18526 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18528 -1: movzb (%_ASM_AX),%edx
18530 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18531 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18532 + cmp %_ASM_DX,%_ASM_AX
18534 + add %_ASM_DX,%_ASM_AX
18540 +1: __copyuser_seg movzb (%_ASM_AX),%edx
18544 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
18545 ENTRY(__get_user_2)
18549 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18551 GET_THREAD_INFO(%_ASM_DX)
18552 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18554 -2: movzwl -1(%_ASM_AX),%edx
18556 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18557 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18558 + cmp %_ASM_DX,%_ASM_AX
18560 + add %_ASM_DX,%_ASM_AX
18566 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
18570 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
18571 ENTRY(__get_user_4)
18575 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18577 GET_THREAD_INFO(%_ASM_DX)
18578 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18580 -3: mov -3(%_ASM_AX),%edx
18582 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18583 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18584 + cmp %_ASM_DX,%_ASM_AX
18586 + add %_ASM_DX,%_ASM_AX
18592 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
18596 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
18597 GET_THREAD_INFO(%_ASM_DX)
18598 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
18601 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18602 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
18603 + cmp %_ASM_DX,%_ASM_AX
18605 + add %_ASM_DX,%_ASM_AX
18609 4: movq -7(%_ASM_AX),%_ASM_DX
18612 diff -urNp linux-2.6.32.42/arch/x86/lib/memcpy_64.S linux-2.6.32.42/arch/x86/lib/memcpy_64.S
18613 --- linux-2.6.32.42/arch/x86/lib/memcpy_64.S 2011-03-27 14:31:47.000000000 -0400
18614 +++ linux-2.6.32.42/arch/x86/lib/memcpy_64.S 2011-04-17 15:56:46.000000000 -0400
18615 @@ -128,7 +128,7 @@ ENDPROC(__memcpy)
18616 * It is also a lot simpler. Use this when possible:
18619 - .section .altinstr_replacement, "ax"
18620 + .section .altinstr_replacement, "a"
18621 1: .byte 0xeb /* jmp <disp8> */
18622 .byte (memcpy_c - memcpy) - (2f - 1b) /* offset */
18624 diff -urNp linux-2.6.32.42/arch/x86/lib/memset_64.S linux-2.6.32.42/arch/x86/lib/memset_64.S
18625 --- linux-2.6.32.42/arch/x86/lib/memset_64.S 2011-03-27 14:31:47.000000000 -0400
18626 +++ linux-2.6.32.42/arch/x86/lib/memset_64.S 2011-04-17 15:56:46.000000000 -0400
18627 @@ -118,7 +118,7 @@ ENDPROC(__memset)
18629 #include <asm/cpufeature.h>
18631 - .section .altinstr_replacement,"ax"
18632 + .section .altinstr_replacement,"a"
18633 1: .byte 0xeb /* jmp <disp8> */
18634 .byte (memset_c - memset) - (2f - 1b) /* offset */
18636 diff -urNp linux-2.6.32.42/arch/x86/lib/mmx_32.c linux-2.6.32.42/arch/x86/lib/mmx_32.c
18637 --- linux-2.6.32.42/arch/x86/lib/mmx_32.c 2011-03-27 14:31:47.000000000 -0400
18638 +++ linux-2.6.32.42/arch/x86/lib/mmx_32.c 2011-04-17 15:56:46.000000000 -0400
18639 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
18643 + unsigned long cr0;
18645 if (unlikely(in_interrupt()))
18646 return __memcpy(to, from, len);
18647 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
18648 kernel_fpu_begin();
18650 __asm__ __volatile__ (
18651 - "1: prefetch (%0)\n" /* This set is 28 bytes */
18652 - " prefetch 64(%0)\n"
18653 - " prefetch 128(%0)\n"
18654 - " prefetch 192(%0)\n"
18655 - " prefetch 256(%0)\n"
18656 + "1: prefetch (%1)\n" /* This set is 28 bytes */
18657 + " prefetch 64(%1)\n"
18658 + " prefetch 128(%1)\n"
18659 + " prefetch 192(%1)\n"
18660 + " prefetch 256(%1)\n"
18662 ".section .fixup, \"ax\"\n"
18663 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18666 +#ifdef CONFIG_PAX_KERNEXEC
18667 + " movl %%cr0, %0\n"
18668 + " movl %0, %%eax\n"
18669 + " andl $0xFFFEFFFF, %%eax\n"
18670 + " movl %%eax, %%cr0\n"
18673 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18675 +#ifdef CONFIG_PAX_KERNEXEC
18676 + " movl %0, %%cr0\n"
18681 _ASM_EXTABLE(1b, 3b)
18683 + : "=&r" (cr0) : "r" (from) : "ax");
18685 for ( ; i > 5; i--) {
18686 __asm__ __volatile__ (
18687 - "1: prefetch 320(%0)\n"
18688 - "2: movq (%0), %%mm0\n"
18689 - " movq 8(%0), %%mm1\n"
18690 - " movq 16(%0), %%mm2\n"
18691 - " movq 24(%0), %%mm3\n"
18692 - " movq %%mm0, (%1)\n"
18693 - " movq %%mm1, 8(%1)\n"
18694 - " movq %%mm2, 16(%1)\n"
18695 - " movq %%mm3, 24(%1)\n"
18696 - " movq 32(%0), %%mm0\n"
18697 - " movq 40(%0), %%mm1\n"
18698 - " movq 48(%0), %%mm2\n"
18699 - " movq 56(%0), %%mm3\n"
18700 - " movq %%mm0, 32(%1)\n"
18701 - " movq %%mm1, 40(%1)\n"
18702 - " movq %%mm2, 48(%1)\n"
18703 - " movq %%mm3, 56(%1)\n"
18704 + "1: prefetch 320(%1)\n"
18705 + "2: movq (%1), %%mm0\n"
18706 + " movq 8(%1), %%mm1\n"
18707 + " movq 16(%1), %%mm2\n"
18708 + " movq 24(%1), %%mm3\n"
18709 + " movq %%mm0, (%2)\n"
18710 + " movq %%mm1, 8(%2)\n"
18711 + " movq %%mm2, 16(%2)\n"
18712 + " movq %%mm3, 24(%2)\n"
18713 + " movq 32(%1), %%mm0\n"
18714 + " movq 40(%1), %%mm1\n"
18715 + " movq 48(%1), %%mm2\n"
18716 + " movq 56(%1), %%mm3\n"
18717 + " movq %%mm0, 32(%2)\n"
18718 + " movq %%mm1, 40(%2)\n"
18719 + " movq %%mm2, 48(%2)\n"
18720 + " movq %%mm3, 56(%2)\n"
18721 ".section .fixup, \"ax\"\n"
18722 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18725 +#ifdef CONFIG_PAX_KERNEXEC
18726 + " movl %%cr0, %0\n"
18727 + " movl %0, %%eax\n"
18728 + " andl $0xFFFEFFFF, %%eax\n"
18729 + " movl %%eax, %%cr0\n"
18732 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18734 +#ifdef CONFIG_PAX_KERNEXEC
18735 + " movl %0, %%cr0\n"
18740 _ASM_EXTABLE(1b, 3b)
18741 - : : "r" (from), "r" (to) : "memory");
18742 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18746 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
18747 static void fast_copy_page(void *to, void *from)
18750 + unsigned long cr0;
18752 kernel_fpu_begin();
18754 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
18755 * but that is for later. -AV
18757 __asm__ __volatile__(
18758 - "1: prefetch (%0)\n"
18759 - " prefetch 64(%0)\n"
18760 - " prefetch 128(%0)\n"
18761 - " prefetch 192(%0)\n"
18762 - " prefetch 256(%0)\n"
18763 + "1: prefetch (%1)\n"
18764 + " prefetch 64(%1)\n"
18765 + " prefetch 128(%1)\n"
18766 + " prefetch 192(%1)\n"
18767 + " prefetch 256(%1)\n"
18769 ".section .fixup, \"ax\"\n"
18770 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18773 +#ifdef CONFIG_PAX_KERNEXEC
18774 + " movl %%cr0, %0\n"
18775 + " movl %0, %%eax\n"
18776 + " andl $0xFFFEFFFF, %%eax\n"
18777 + " movl %%eax, %%cr0\n"
18780 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18782 +#ifdef CONFIG_PAX_KERNEXEC
18783 + " movl %0, %%cr0\n"
18788 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
18789 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
18791 for (i = 0; i < (4096-320)/64; i++) {
18792 __asm__ __volatile__ (
18793 - "1: prefetch 320(%0)\n"
18794 - "2: movq (%0), %%mm0\n"
18795 - " movntq %%mm0, (%1)\n"
18796 - " movq 8(%0), %%mm1\n"
18797 - " movntq %%mm1, 8(%1)\n"
18798 - " movq 16(%0), %%mm2\n"
18799 - " movntq %%mm2, 16(%1)\n"
18800 - " movq 24(%0), %%mm3\n"
18801 - " movntq %%mm3, 24(%1)\n"
18802 - " movq 32(%0), %%mm4\n"
18803 - " movntq %%mm4, 32(%1)\n"
18804 - " movq 40(%0), %%mm5\n"
18805 - " movntq %%mm5, 40(%1)\n"
18806 - " movq 48(%0), %%mm6\n"
18807 - " movntq %%mm6, 48(%1)\n"
18808 - " movq 56(%0), %%mm7\n"
18809 - " movntq %%mm7, 56(%1)\n"
18810 + "1: prefetch 320(%1)\n"
18811 + "2: movq (%1), %%mm0\n"
18812 + " movntq %%mm0, (%2)\n"
18813 + " movq 8(%1), %%mm1\n"
18814 + " movntq %%mm1, 8(%2)\n"
18815 + " movq 16(%1), %%mm2\n"
18816 + " movntq %%mm2, 16(%2)\n"
18817 + " movq 24(%1), %%mm3\n"
18818 + " movntq %%mm3, 24(%2)\n"
18819 + " movq 32(%1), %%mm4\n"
18820 + " movntq %%mm4, 32(%2)\n"
18821 + " movq 40(%1), %%mm5\n"
18822 + " movntq %%mm5, 40(%2)\n"
18823 + " movq 48(%1), %%mm6\n"
18824 + " movntq %%mm6, 48(%2)\n"
18825 + " movq 56(%1), %%mm7\n"
18826 + " movntq %%mm7, 56(%2)\n"
18827 ".section .fixup, \"ax\"\n"
18828 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18831 +#ifdef CONFIG_PAX_KERNEXEC
18832 + " movl %%cr0, %0\n"
18833 + " movl %0, %%eax\n"
18834 + " andl $0xFFFEFFFF, %%eax\n"
18835 + " movl %%eax, %%cr0\n"
18838 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18840 +#ifdef CONFIG_PAX_KERNEXEC
18841 + " movl %0, %%cr0\n"
18846 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
18847 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18851 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
18852 static void fast_copy_page(void *to, void *from)
18855 + unsigned long cr0;
18857 kernel_fpu_begin();
18859 __asm__ __volatile__ (
18860 - "1: prefetch (%0)\n"
18861 - " prefetch 64(%0)\n"
18862 - " prefetch 128(%0)\n"
18863 - " prefetch 192(%0)\n"
18864 - " prefetch 256(%0)\n"
18865 + "1: prefetch (%1)\n"
18866 + " prefetch 64(%1)\n"
18867 + " prefetch 128(%1)\n"
18868 + " prefetch 192(%1)\n"
18869 + " prefetch 256(%1)\n"
18871 ".section .fixup, \"ax\"\n"
18872 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18875 +#ifdef CONFIG_PAX_KERNEXEC
18876 + " movl %%cr0, %0\n"
18877 + " movl %0, %%eax\n"
18878 + " andl $0xFFFEFFFF, %%eax\n"
18879 + " movl %%eax, %%cr0\n"
18882 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
18884 +#ifdef CONFIG_PAX_KERNEXEC
18885 + " movl %0, %%cr0\n"
18890 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
18891 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
18893 for (i = 0; i < 4096/64; i++) {
18894 __asm__ __volatile__ (
18895 - "1: prefetch 320(%0)\n"
18896 - "2: movq (%0), %%mm0\n"
18897 - " movq 8(%0), %%mm1\n"
18898 - " movq 16(%0), %%mm2\n"
18899 - " movq 24(%0), %%mm3\n"
18900 - " movq %%mm0, (%1)\n"
18901 - " movq %%mm1, 8(%1)\n"
18902 - " movq %%mm2, 16(%1)\n"
18903 - " movq %%mm3, 24(%1)\n"
18904 - " movq 32(%0), %%mm0\n"
18905 - " movq 40(%0), %%mm1\n"
18906 - " movq 48(%0), %%mm2\n"
18907 - " movq 56(%0), %%mm3\n"
18908 - " movq %%mm0, 32(%1)\n"
18909 - " movq %%mm1, 40(%1)\n"
18910 - " movq %%mm2, 48(%1)\n"
18911 - " movq %%mm3, 56(%1)\n"
18912 + "1: prefetch 320(%1)\n"
18913 + "2: movq (%1), %%mm0\n"
18914 + " movq 8(%1), %%mm1\n"
18915 + " movq 16(%1), %%mm2\n"
18916 + " movq 24(%1), %%mm3\n"
18917 + " movq %%mm0, (%2)\n"
18918 + " movq %%mm1, 8(%2)\n"
18919 + " movq %%mm2, 16(%2)\n"
18920 + " movq %%mm3, 24(%2)\n"
18921 + " movq 32(%1), %%mm0\n"
18922 + " movq 40(%1), %%mm1\n"
18923 + " movq 48(%1), %%mm2\n"
18924 + " movq 56(%1), %%mm3\n"
18925 + " movq %%mm0, 32(%2)\n"
18926 + " movq %%mm1, 40(%2)\n"
18927 + " movq %%mm2, 48(%2)\n"
18928 + " movq %%mm3, 56(%2)\n"
18929 ".section .fixup, \"ax\"\n"
18930 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18933 +#ifdef CONFIG_PAX_KERNEXEC
18934 + " movl %%cr0, %0\n"
18935 + " movl %0, %%eax\n"
18936 + " andl $0xFFFEFFFF, %%eax\n"
18937 + " movl %%eax, %%cr0\n"
18940 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
18942 +#ifdef CONFIG_PAX_KERNEXEC
18943 + " movl %0, %%cr0\n"
18948 _ASM_EXTABLE(1b, 3b)
18949 - : : "r" (from), "r" (to) : "memory");
18950 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
18954 diff -urNp linux-2.6.32.42/arch/x86/lib/putuser.S linux-2.6.32.42/arch/x86/lib/putuser.S
18955 --- linux-2.6.32.42/arch/x86/lib/putuser.S 2011-03-27 14:31:47.000000000 -0400
18956 +++ linux-2.6.32.42/arch/x86/lib/putuser.S 2011-04-17 15:56:46.000000000 -0400
18958 #include <asm/thread_info.h>
18959 #include <asm/errno.h>
18960 #include <asm/asm.h>
18962 +#include <asm/segment.h>
18963 +#include <asm/pgtable.h>
18967 @@ -29,52 +30,119 @@
18968 * as they get called from within inline assembly.
18971 -#define ENTER CFI_STARTPROC ; \
18972 - GET_THREAD_INFO(%_ASM_BX)
18973 +#define ENTER CFI_STARTPROC
18974 #define EXIT ret ; \
18977 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18978 +#define _DEST %_ASM_CX,%_ASM_BX
18980 +#define _DEST %_ASM_CX
18983 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
18984 +#define __copyuser_seg gs;
18986 +#define __copyuser_seg
18990 ENTRY(__put_user_1)
18993 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
18994 + GET_THREAD_INFO(%_ASM_BX)
18995 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
18997 -1: movb %al,(%_ASM_CX)
18999 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19000 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19001 + cmp %_ASM_BX,%_ASM_CX
19009 +1: __copyuser_seg movb %al,(_DEST)
19012 ENDPROC(__put_user_1)
19014 ENTRY(__put_user_2)
19017 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19018 + GET_THREAD_INFO(%_ASM_BX)
19019 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
19021 cmp %_ASM_BX,%_ASM_CX
19023 -2: movw %ax,(%_ASM_CX)
19025 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19026 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19027 + cmp %_ASM_BX,%_ASM_CX
19035 +2: __copyuser_seg movw %ax,(_DEST)
19038 ENDPROC(__put_user_2)
19040 ENTRY(__put_user_4)
19043 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19044 + GET_THREAD_INFO(%_ASM_BX)
19045 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
19047 cmp %_ASM_BX,%_ASM_CX
19049 -3: movl %eax,(%_ASM_CX)
19051 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19052 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19053 + cmp %_ASM_BX,%_ASM_CX
19061 +3: __copyuser_seg movl %eax,(_DEST)
19064 ENDPROC(__put_user_4)
19066 ENTRY(__put_user_8)
19069 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
19070 + GET_THREAD_INFO(%_ASM_BX)
19071 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
19073 cmp %_ASM_BX,%_ASM_CX
19075 -4: mov %_ASM_AX,(%_ASM_CX)
19077 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19078 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
19079 + cmp %_ASM_BX,%_ASM_CX
19087 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
19088 #ifdef CONFIG_X86_32
19089 -5: movl %edx,4(%_ASM_CX)
19090 +5: __copyuser_seg movl %edx,4(_DEST)
19094 diff -urNp linux-2.6.32.42/arch/x86/lib/usercopy_32.c linux-2.6.32.42/arch/x86/lib/usercopy_32.c
19095 --- linux-2.6.32.42/arch/x86/lib/usercopy_32.c 2011-03-27 14:31:47.000000000 -0400
19096 +++ linux-2.6.32.42/arch/x86/lib/usercopy_32.c 2011-04-23 21:12:28.000000000 -0400
19097 @@ -43,7 +43,7 @@ do { \
19098 __asm__ __volatile__( \
19102 + "0: "__copyuser_seg"lodsb\n" \
19104 " testb %%al,%%al\n" \
19106 @@ -128,10 +128,12 @@ do { \
19109 __asm__ __volatile__( \
19110 + __COPYUSER_SET_ES \
19111 "0: rep; stosl\n" \
19113 "1: rep; stosb\n" \
19115 + __COPYUSER_RESTORE_ES \
19116 ".section .fixup,\"ax\"\n" \
19117 "3: lea 0(%2,%0,4),%0\n" \
19119 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
19122 __asm__ __volatile__(
19123 + __COPYUSER_SET_ES
19127 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
19131 + __COPYUSER_RESTORE_ES
19132 ".section .fixup,\"ax\"\n"
19133 "2: xorl %%eax,%%eax\n"
19135 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
19137 #ifdef CONFIG_X86_INTEL_USERCOPY
19138 static unsigned long
19139 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
19140 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
19143 __asm__ __volatile__(
19144 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
19146 "3: movl 0(%4), %%eax\n"
19147 "4: movl 4(%4), %%edx\n"
19148 - "5: movl %%eax, 0(%3)\n"
19149 - "6: movl %%edx, 4(%3)\n"
19150 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
19151 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
19152 "7: movl 8(%4), %%eax\n"
19153 "8: movl 12(%4),%%edx\n"
19154 - "9: movl %%eax, 8(%3)\n"
19155 - "10: movl %%edx, 12(%3)\n"
19156 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
19157 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
19158 "11: movl 16(%4), %%eax\n"
19159 "12: movl 20(%4), %%edx\n"
19160 - "13: movl %%eax, 16(%3)\n"
19161 - "14: movl %%edx, 20(%3)\n"
19162 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
19163 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
19164 "15: movl 24(%4), %%eax\n"
19165 "16: movl 28(%4), %%edx\n"
19166 - "17: movl %%eax, 24(%3)\n"
19167 - "18: movl %%edx, 28(%3)\n"
19168 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
19169 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
19170 "19: movl 32(%4), %%eax\n"
19171 "20: movl 36(%4), %%edx\n"
19172 - "21: movl %%eax, 32(%3)\n"
19173 - "22: movl %%edx, 36(%3)\n"
19174 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
19175 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
19176 "23: movl 40(%4), %%eax\n"
19177 "24: movl 44(%4), %%edx\n"
19178 - "25: movl %%eax, 40(%3)\n"
19179 - "26: movl %%edx, 44(%3)\n"
19180 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
19181 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
19182 "27: movl 48(%4), %%eax\n"
19183 "28: movl 52(%4), %%edx\n"
19184 - "29: movl %%eax, 48(%3)\n"
19185 - "30: movl %%edx, 52(%3)\n"
19186 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
19187 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
19188 "31: movl 56(%4), %%eax\n"
19189 "32: movl 60(%4), %%edx\n"
19190 - "33: movl %%eax, 56(%3)\n"
19191 - "34: movl %%edx, 60(%3)\n"
19192 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
19193 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
19197 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
19199 " andl $3, %%eax\n"
19201 + __COPYUSER_SET_ES
19203 "36: movl %%eax, %0\n"
19206 + __COPYUSER_RESTORE_ES
19207 + ".section .fixup,\"ax\"\n"
19208 + "101: lea 0(%%eax,%0,4),%0\n"
19211 + ".section __ex_table,\"a\"\n"
19213 + " .long 1b,100b\n"
19214 + " .long 2b,100b\n"
19215 + " .long 3b,100b\n"
19216 + " .long 4b,100b\n"
19217 + " .long 5b,100b\n"
19218 + " .long 6b,100b\n"
19219 + " .long 7b,100b\n"
19220 + " .long 8b,100b\n"
19221 + " .long 9b,100b\n"
19222 + " .long 10b,100b\n"
19223 + " .long 11b,100b\n"
19224 + " .long 12b,100b\n"
19225 + " .long 13b,100b\n"
19226 + " .long 14b,100b\n"
19227 + " .long 15b,100b\n"
19228 + " .long 16b,100b\n"
19229 + " .long 17b,100b\n"
19230 + " .long 18b,100b\n"
19231 + " .long 19b,100b\n"
19232 + " .long 20b,100b\n"
19233 + " .long 21b,100b\n"
19234 + " .long 22b,100b\n"
19235 + " .long 23b,100b\n"
19236 + " .long 24b,100b\n"
19237 + " .long 25b,100b\n"
19238 + " .long 26b,100b\n"
19239 + " .long 27b,100b\n"
19240 + " .long 28b,100b\n"
19241 + " .long 29b,100b\n"
19242 + " .long 30b,100b\n"
19243 + " .long 31b,100b\n"
19244 + " .long 32b,100b\n"
19245 + " .long 33b,100b\n"
19246 + " .long 34b,100b\n"
19247 + " .long 35b,100b\n"
19248 + " .long 36b,100b\n"
19249 + " .long 37b,100b\n"
19250 + " .long 99b,101b\n"
19252 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
19253 + : "1"(to), "2"(from), "0"(size)
19254 + : "eax", "edx", "memory");
19258 +static unsigned long
19259 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
19262 + __asm__ __volatile__(
19263 + " .align 2,0x90\n"
19264 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
19265 + " cmpl $67, %0\n"
19267 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
19268 + " .align 2,0x90\n"
19269 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
19270 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
19271 + "5: movl %%eax, 0(%3)\n"
19272 + "6: movl %%edx, 4(%3)\n"
19273 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
19274 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
19275 + "9: movl %%eax, 8(%3)\n"
19276 + "10: movl %%edx, 12(%3)\n"
19277 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
19278 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
19279 + "13: movl %%eax, 16(%3)\n"
19280 + "14: movl %%edx, 20(%3)\n"
19281 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
19282 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
19283 + "17: movl %%eax, 24(%3)\n"
19284 + "18: movl %%edx, 28(%3)\n"
19285 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
19286 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
19287 + "21: movl %%eax, 32(%3)\n"
19288 + "22: movl %%edx, 36(%3)\n"
19289 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
19290 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
19291 + "25: movl %%eax, 40(%3)\n"
19292 + "26: movl %%edx, 44(%3)\n"
19293 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
19294 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
19295 + "29: movl %%eax, 48(%3)\n"
19296 + "30: movl %%edx, 52(%3)\n"
19297 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
19298 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
19299 + "33: movl %%eax, 56(%3)\n"
19300 + "34: movl %%edx, 60(%3)\n"
19301 + " addl $-64, %0\n"
19302 + " addl $64, %4\n"
19303 + " addl $64, %3\n"
19304 + " cmpl $63, %0\n"
19306 + "35: movl %0, %%eax\n"
19308 + " andl $3, %%eax\n"
19310 + "99: rep; "__copyuser_seg" movsl\n"
19311 + "36: movl %%eax, %0\n"
19312 + "37: rep; "__copyuser_seg" movsb\n"
19314 ".section .fixup,\"ax\"\n"
19315 "101: lea 0(%%eax,%0,4),%0\n"
19317 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
19319 __asm__ __volatile__(
19321 - "0: movl 32(%4), %%eax\n"
19322 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
19325 - "1: movl 64(%4), %%eax\n"
19326 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
19328 - "2: movl 0(%4), %%eax\n"
19329 - "21: movl 4(%4), %%edx\n"
19330 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
19331 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
19332 " movl %%eax, 0(%3)\n"
19333 " movl %%edx, 4(%3)\n"
19334 - "3: movl 8(%4), %%eax\n"
19335 - "31: movl 12(%4),%%edx\n"
19336 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
19337 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
19338 " movl %%eax, 8(%3)\n"
19339 " movl %%edx, 12(%3)\n"
19340 - "4: movl 16(%4), %%eax\n"
19341 - "41: movl 20(%4), %%edx\n"
19342 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
19343 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
19344 " movl %%eax, 16(%3)\n"
19345 " movl %%edx, 20(%3)\n"
19346 - "10: movl 24(%4), %%eax\n"
19347 - "51: movl 28(%4), %%edx\n"
19348 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
19349 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
19350 " movl %%eax, 24(%3)\n"
19351 " movl %%edx, 28(%3)\n"
19352 - "11: movl 32(%4), %%eax\n"
19353 - "61: movl 36(%4), %%edx\n"
19354 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
19355 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
19356 " movl %%eax, 32(%3)\n"
19357 " movl %%edx, 36(%3)\n"
19358 - "12: movl 40(%4), %%eax\n"
19359 - "71: movl 44(%4), %%edx\n"
19360 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
19361 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
19362 " movl %%eax, 40(%3)\n"
19363 " movl %%edx, 44(%3)\n"
19364 - "13: movl 48(%4), %%eax\n"
19365 - "81: movl 52(%4), %%edx\n"
19366 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
19367 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
19368 " movl %%eax, 48(%3)\n"
19369 " movl %%edx, 52(%3)\n"
19370 - "14: movl 56(%4), %%eax\n"
19371 - "91: movl 60(%4), %%edx\n"
19372 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
19373 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
19374 " movl %%eax, 56(%3)\n"
19375 " movl %%edx, 60(%3)\n"
19377 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
19379 " andl $3, %%eax\n"
19381 - "6: rep; movsl\n"
19382 + "6: rep; "__copyuser_seg" movsl\n"
19384 - "7: rep; movsb\n"
19385 + "7: rep; "__copyuser_seg" movsb\n"
19387 ".section .fixup,\"ax\"\n"
19388 "9: lea 0(%%eax,%0,4),%0\n"
19389 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
19391 __asm__ __volatile__(
19393 - "0: movl 32(%4), %%eax\n"
19394 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
19397 - "1: movl 64(%4), %%eax\n"
19398 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
19400 - "2: movl 0(%4), %%eax\n"
19401 - "21: movl 4(%4), %%edx\n"
19402 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
19403 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
19404 " movnti %%eax, 0(%3)\n"
19405 " movnti %%edx, 4(%3)\n"
19406 - "3: movl 8(%4), %%eax\n"
19407 - "31: movl 12(%4),%%edx\n"
19408 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
19409 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
19410 " movnti %%eax, 8(%3)\n"
19411 " movnti %%edx, 12(%3)\n"
19412 - "4: movl 16(%4), %%eax\n"
19413 - "41: movl 20(%4), %%edx\n"
19414 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
19415 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
19416 " movnti %%eax, 16(%3)\n"
19417 " movnti %%edx, 20(%3)\n"
19418 - "10: movl 24(%4), %%eax\n"
19419 - "51: movl 28(%4), %%edx\n"
19420 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
19421 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
19422 " movnti %%eax, 24(%3)\n"
19423 " movnti %%edx, 28(%3)\n"
19424 - "11: movl 32(%4), %%eax\n"
19425 - "61: movl 36(%4), %%edx\n"
19426 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
19427 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
19428 " movnti %%eax, 32(%3)\n"
19429 " movnti %%edx, 36(%3)\n"
19430 - "12: movl 40(%4), %%eax\n"
19431 - "71: movl 44(%4), %%edx\n"
19432 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
19433 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
19434 " movnti %%eax, 40(%3)\n"
19435 " movnti %%edx, 44(%3)\n"
19436 - "13: movl 48(%4), %%eax\n"
19437 - "81: movl 52(%4), %%edx\n"
19438 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
19439 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
19440 " movnti %%eax, 48(%3)\n"
19441 " movnti %%edx, 52(%3)\n"
19442 - "14: movl 56(%4), %%eax\n"
19443 - "91: movl 60(%4), %%edx\n"
19444 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
19445 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
19446 " movnti %%eax, 56(%3)\n"
19447 " movnti %%edx, 60(%3)\n"
19449 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
19451 " andl $3, %%eax\n"
19453 - "6: rep; movsl\n"
19454 + "6: rep; "__copyuser_seg" movsl\n"
19456 - "7: rep; movsb\n"
19457 + "7: rep; "__copyuser_seg" movsb\n"
19459 ".section .fixup,\"ax\"\n"
19460 "9: lea 0(%%eax,%0,4),%0\n"
19461 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
19463 __asm__ __volatile__(
19465 - "0: movl 32(%4), %%eax\n"
19466 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
19469 - "1: movl 64(%4), %%eax\n"
19470 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
19472 - "2: movl 0(%4), %%eax\n"
19473 - "21: movl 4(%4), %%edx\n"
19474 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
19475 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
19476 " movnti %%eax, 0(%3)\n"
19477 " movnti %%edx, 4(%3)\n"
19478 - "3: movl 8(%4), %%eax\n"
19479 - "31: movl 12(%4),%%edx\n"
19480 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
19481 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
19482 " movnti %%eax, 8(%3)\n"
19483 " movnti %%edx, 12(%3)\n"
19484 - "4: movl 16(%4), %%eax\n"
19485 - "41: movl 20(%4), %%edx\n"
19486 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
19487 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
19488 " movnti %%eax, 16(%3)\n"
19489 " movnti %%edx, 20(%3)\n"
19490 - "10: movl 24(%4), %%eax\n"
19491 - "51: movl 28(%4), %%edx\n"
19492 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
19493 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
19494 " movnti %%eax, 24(%3)\n"
19495 " movnti %%edx, 28(%3)\n"
19496 - "11: movl 32(%4), %%eax\n"
19497 - "61: movl 36(%4), %%edx\n"
19498 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
19499 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
19500 " movnti %%eax, 32(%3)\n"
19501 " movnti %%edx, 36(%3)\n"
19502 - "12: movl 40(%4), %%eax\n"
19503 - "71: movl 44(%4), %%edx\n"
19504 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
19505 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
19506 " movnti %%eax, 40(%3)\n"
19507 " movnti %%edx, 44(%3)\n"
19508 - "13: movl 48(%4), %%eax\n"
19509 - "81: movl 52(%4), %%edx\n"
19510 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
19511 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
19512 " movnti %%eax, 48(%3)\n"
19513 " movnti %%edx, 52(%3)\n"
19514 - "14: movl 56(%4), %%eax\n"
19515 - "91: movl 60(%4), %%edx\n"
19516 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
19517 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
19518 " movnti %%eax, 56(%3)\n"
19519 " movnti %%edx, 60(%3)\n"
19521 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
19523 " andl $3, %%eax\n"
19525 - "6: rep; movsl\n"
19526 + "6: rep; "__copyuser_seg" movsl\n"
19528 - "7: rep; movsb\n"
19529 + "7: rep; "__copyuser_seg" movsb\n"
19531 ".section .fixup,\"ax\"\n"
19532 "9: lea 0(%%eax,%0,4),%0\n"
19533 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
19535 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
19536 unsigned long size);
19537 -unsigned long __copy_user_intel(void __user *to, const void *from,
19538 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
19539 + unsigned long size);
19540 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
19541 unsigned long size);
19542 unsigned long __copy_user_zeroing_intel_nocache(void *to,
19543 const void __user *from, unsigned long size);
19544 #endif /* CONFIG_X86_INTEL_USERCOPY */
19546 /* Generic arbitrary sized copy. */
19547 -#define __copy_user(to, from, size) \
19548 +#define __copy_user(to, from, size, prefix, set, restore) \
19550 int __d0, __d1, __d2; \
19551 __asm__ __volatile__( \
19559 - "4: rep; movsb\n" \
19560 + "4: rep; "prefix"movsb\n" \
19564 " .align 2,0x90\n" \
19565 - "0: rep; movsl\n" \
19566 + "0: rep; "prefix"movsl\n" \
19568 - "1: rep; movsb\n" \
19569 + "1: rep; "prefix"movsb\n" \
19572 ".section .fixup,\"ax\"\n" \
19573 "5: addl %3,%0\n" \
19575 @@ -682,14 +799,14 @@ do { \
19579 - "4: rep; movsb\n" \
19580 + "4: rep; "__copyuser_seg"movsb\n" \
19584 " .align 2,0x90\n" \
19585 - "0: rep; movsl\n" \
19586 + "0: rep; "__copyuser_seg"movsl\n" \
19588 - "1: rep; movsb\n" \
19589 + "1: rep; "__copyuser_seg"movsb\n" \
19591 ".section .fixup,\"ax\"\n" \
19592 "5: addl %3,%0\n" \
19593 @@ -775,9 +892,9 @@ survive:
19596 if (movsl_is_ok(to, from, n))
19597 - __copy_user(to, from, n);
19598 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
19600 - n = __copy_user_intel(to, from, n);
19601 + n = __generic_copy_to_user_intel(to, from, n);
19604 EXPORT_SYMBOL(__copy_to_user_ll);
19605 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
19608 if (movsl_is_ok(to, from, n))
19609 - __copy_user(to, from, n);
19610 + __copy_user(to, from, n, __copyuser_seg, "", "");
19612 - n = __copy_user_intel((void __user *)to,
19613 - (const void *)from, n);
19614 + n = __generic_copy_from_user_intel(to, from, n);
19617 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
19618 @@ -827,59 +943,38 @@ unsigned long __copy_from_user_ll_nocach
19619 if (n > 64 && cpu_has_xmm2)
19620 n = __copy_user_intel_nocache(to, from, n);
19622 - __copy_user(to, from, n);
19623 + __copy_user(to, from, n, __copyuser_seg, "", "");
19625 - __copy_user(to, from, n);
19626 + __copy_user(to, from, n, __copyuser_seg, "", "");
19630 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
19633 - * copy_to_user: - Copy a block of data into user space.
19634 - * @to: Destination address, in user space.
19635 - * @from: Source address, in kernel space.
19636 - * @n: Number of bytes to copy.
19638 - * Context: User context only. This function may sleep.
19640 - * Copy data from kernel space to user space.
19642 - * Returns number of bytes that could not be copied.
19643 - * On success, this will be zero.
19646 -copy_to_user(void __user *to, const void *from, unsigned long n)
19647 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19648 +void __set_fs(mm_segment_t x)
19650 - if (access_ok(VERIFY_WRITE, to, n))
19651 - n = __copy_to_user(to, from, n);
19655 + loadsegment(gs, 0);
19657 + case TASK_SIZE_MAX:
19658 + loadsegment(gs, __USER_DS);
19661 + loadsegment(gs, __KERNEL_DS);
19668 -EXPORT_SYMBOL(copy_to_user);
19669 +EXPORT_SYMBOL(__set_fs);
19672 - * copy_from_user: - Copy a block of data from user space.
19673 - * @to: Destination address, in kernel space.
19674 - * @from: Source address, in user space.
19675 - * @n: Number of bytes to copy.
19677 - * Context: User context only. This function may sleep.
19679 - * Copy data from user space to kernel space.
19681 - * Returns number of bytes that could not be copied.
19682 - * On success, this will be zero.
19684 - * If some data could not be copied, this function will pad the copied
19685 - * data to the requested size using zero bytes.
19688 -copy_from_user(void *to, const void __user *from, unsigned long n)
19689 +void set_fs(mm_segment_t x)
19691 - if (access_ok(VERIFY_READ, from, n))
19692 - n = __copy_from_user(to, from, n);
19694 - memset(to, 0, n);
19696 + current_thread_info()->addr_limit = x;
19699 -EXPORT_SYMBOL(copy_from_user);
19700 +EXPORT_SYMBOL(set_fs);
19702 diff -urNp linux-2.6.32.42/arch/x86/lib/usercopy_64.c linux-2.6.32.42/arch/x86/lib/usercopy_64.c
19703 --- linux-2.6.32.42/arch/x86/lib/usercopy_64.c 2011-03-27 14:31:47.000000000 -0400
19704 +++ linux-2.6.32.42/arch/x86/lib/usercopy_64.c 2011-05-04 17:56:20.000000000 -0400
19705 @@ -42,6 +42,12 @@ long
19706 __strncpy_from_user(char *dst, const char __user *src, long count)
19710 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19711 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
19712 + src += PAX_USER_SHADOW_BASE;
19715 __do_strncpy_from_user(dst, src, count, res);
19718 @@ -65,6 +71,12 @@ unsigned long __clear_user(void __user *
19723 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19724 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
19725 + addr += PAX_USER_SHADOW_BASE;
19728 /* no memory constraint because it doesn't change any memory gcc knows
19731 @@ -151,10 +163,18 @@ EXPORT_SYMBOL(strlen_user);
19733 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
19735 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
19736 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
19738 +#ifdef CONFIG_PAX_MEMORY_UDEREF
19739 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
19740 + to += PAX_USER_SHADOW_BASE;
19741 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
19742 + from += PAX_USER_SHADOW_BASE;
19745 return copy_user_generic((__force void *)to, (__force void *)from, len);
19751 EXPORT_SYMBOL(copy_in_user);
19753 diff -urNp linux-2.6.32.42/arch/x86/Makefile linux-2.6.32.42/arch/x86/Makefile
19754 --- linux-2.6.32.42/arch/x86/Makefile 2011-03-27 14:31:47.000000000 -0400
19755 +++ linux-2.6.32.42/arch/x86/Makefile 2011-04-17 15:56:46.000000000 -0400
19756 @@ -189,3 +189,12 @@ define archhelp
19757 echo ' FDARGS="..." arguments for the booted kernel'
19758 echo ' FDINITRD=file initrd for the booted kernel'
19763 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
19764 +*** Please upgrade your binutils to 2.18 or newer
19768 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
19769 diff -urNp linux-2.6.32.42/arch/x86/mm/extable.c linux-2.6.32.42/arch/x86/mm/extable.c
19770 --- linux-2.6.32.42/arch/x86/mm/extable.c 2011-03-27 14:31:47.000000000 -0400
19771 +++ linux-2.6.32.42/arch/x86/mm/extable.c 2011-04-17 15:56:46.000000000 -0400
19773 #include <linux/module.h>
19774 #include <linux/spinlock.h>
19775 +#include <linux/sort.h>
19776 #include <asm/uaccess.h>
19777 +#include <asm/pgtable.h>
19780 + * The exception table needs to be sorted so that the binary
19781 + * search that we use to find entries in it works properly.
19782 + * This is used both for the kernel exception table and for
19783 + * the exception tables of modules that get loaded.
19785 +static int cmp_ex(const void *a, const void *b)
19787 + const struct exception_table_entry *x = a, *y = b;
19789 + /* avoid overflow */
19790 + if (x->insn > y->insn)
19792 + if (x->insn < y->insn)
19797 +static void swap_ex(void *a, void *b, int size)
19799 + struct exception_table_entry t, *x = a, *y = b;
19803 + pax_open_kernel();
19806 + pax_close_kernel();
19809 +void sort_extable(struct exception_table_entry *start,
19810 + struct exception_table_entry *finish)
19812 + sort(start, finish - start, sizeof(struct exception_table_entry),
19813 + cmp_ex, swap_ex);
19816 +#ifdef CONFIG_MODULES
19818 + * If the exception table is sorted, any referring to the module init
19819 + * will be at the beginning or the end.
19821 +void trim_init_extable(struct module *m)
19823 + /*trim the beginning*/
19824 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
19826 + m->num_exentries--;
19829 + while (m->num_exentries &&
19830 + within_module_init(m->extable[m->num_exentries-1].insn, m))
19831 + m->num_exentries--;
19833 +#endif /* CONFIG_MODULES */
19835 int fixup_exception(struct pt_regs *regs)
19837 const struct exception_table_entry *fixup;
19839 #ifdef CONFIG_PNPBIOS
19840 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
19841 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
19842 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
19843 extern u32 pnp_bios_is_utter_crap;
19844 pnp_bios_is_utter_crap = 1;
19845 diff -urNp linux-2.6.32.42/arch/x86/mm/fault.c linux-2.6.32.42/arch/x86/mm/fault.c
19846 --- linux-2.6.32.42/arch/x86/mm/fault.c 2011-03-27 14:31:47.000000000 -0400
19847 +++ linux-2.6.32.42/arch/x86/mm/fault.c 2011-06-06 17:35:16.000000000 -0400
19848 @@ -11,10 +11,19 @@
19849 #include <linux/kprobes.h> /* __kprobes, ... */
19850 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
19851 #include <linux/perf_event.h> /* perf_sw_event */
19852 +#include <linux/unistd.h>
19853 +#include <linux/compiler.h>
19855 #include <asm/traps.h> /* dotraplinkage, ... */
19856 #include <asm/pgalloc.h> /* pgd_*(), ... */
19857 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
19858 +#include <asm/vsyscall.h>
19859 +#include <asm/tlbflush.h>
19861 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19862 +#include <asm/stacktrace.h>
19863 +#include "../kernel/dumpstack.h"
19867 * Page fault error code bits:
19868 @@ -51,7 +60,7 @@ static inline int notify_page_fault(stru
19871 /* kprobe_running() needs smp_processor_id() */
19872 - if (kprobes_built_in() && !user_mode_vm(regs)) {
19873 + if (kprobes_built_in() && !user_mode(regs)) {
19875 if (kprobe_running() && kprobe_fault_handler(regs, 14))
19877 @@ -112,7 +121,10 @@ check_prefetch_opcode(struct pt_regs *re
19878 return !instr_lo || (instr_lo>>1) == 1;
19880 /* Prefetch instruction is 0x0F0D or 0x0F18 */
19881 - if (probe_kernel_address(instr, opcode))
19882 + if (user_mode(regs)) {
19883 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
19885 + } else if (probe_kernel_address(instr, opcode))
19888 *prefetch = (instr_lo == 0xF) &&
19889 @@ -146,7 +158,10 @@ is_prefetch(struct pt_regs *regs, unsign
19890 while (instr < max_instr) {
19891 unsigned char opcode;
19893 - if (probe_kernel_address(instr, opcode))
19894 + if (user_mode(regs)) {
19895 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
19897 + } else if (probe_kernel_address(instr, opcode))
19901 @@ -172,6 +187,30 @@ force_sig_info_fault(int si_signo, int s
19902 force_sig_info(si_signo, &info, tsk);
19905 +#ifdef CONFIG_PAX_EMUTRAMP
19906 +static int pax_handle_fetch_fault(struct pt_regs *regs);
19909 +#ifdef CONFIG_PAX_PAGEEXEC
19910 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
19916 + pgd = pgd_offset(mm, address);
19917 + if (!pgd_present(*pgd))
19919 + pud = pud_offset(pgd, address);
19920 + if (!pud_present(*pud))
19922 + pmd = pmd_offset(pud, address);
19923 + if (!pmd_present(*pmd))
19929 DEFINE_SPINLOCK(pgd_lock);
19930 LIST_HEAD(pgd_list);
19932 @@ -224,11 +263,24 @@ void vmalloc_sync_all(void)
19933 address += PMD_SIZE) {
19935 unsigned long flags;
19937 +#ifdef CONFIG_PAX_PER_CPU_PGD
19938 + unsigned long cpu;
19943 spin_lock_irqsave(&pgd_lock, flags);
19945 +#ifdef CONFIG_PAX_PER_CPU_PGD
19946 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19947 + pgd_t *pgd = get_cpu_pgd(cpu);
19949 list_for_each_entry(page, &pgd_list, lru) {
19950 - if (!vmalloc_sync_one(page_address(page), address))
19951 + pgd_t *pgd = page_address(page);
19954 + if (!vmalloc_sync_one(pgd, address))
19957 spin_unlock_irqrestore(&pgd_lock, flags);
19958 @@ -258,6 +310,11 @@ static noinline int vmalloc_fault(unsign
19959 * an interrupt in the middle of a task switch..
19961 pgd_paddr = read_cr3();
19963 +#ifdef CONFIG_PAX_PER_CPU_PGD
19964 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
19967 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
19970 @@ -332,15 +389,27 @@ void vmalloc_sync_all(void)
19972 const pgd_t *pgd_ref = pgd_offset_k(address);
19973 unsigned long flags;
19975 +#ifdef CONFIG_PAX_PER_CPU_PGD
19976 + unsigned long cpu;
19981 if (pgd_none(*pgd_ref))
19984 spin_lock_irqsave(&pgd_lock, flags);
19986 +#ifdef CONFIG_PAX_PER_CPU_PGD
19987 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19988 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
19990 list_for_each_entry(page, &pgd_list, lru) {
19992 pgd = (pgd_t *)page_address(page) + pgd_index(address);
19995 if (pgd_none(*pgd))
19996 set_pgd(pgd, *pgd_ref);
19998 @@ -373,7 +442,14 @@ static noinline int vmalloc_fault(unsign
19999 * happen within a race in page table update. In the later
20003 +#ifdef CONFIG_PAX_PER_CPU_PGD
20004 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
20005 + pgd = pgd_offset_cpu(smp_processor_id(), address);
20007 pgd = pgd_offset(current->active_mm, address);
20010 pgd_ref = pgd_offset_k(address);
20011 if (pgd_none(*pgd_ref))
20013 @@ -535,7 +611,7 @@ static int is_errata93(struct pt_regs *r
20014 static int is_errata100(struct pt_regs *regs, unsigned long address)
20016 #ifdef CONFIG_X86_64
20017 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
20018 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
20022 @@ -562,7 +638,7 @@ static int is_f00f_bug(struct pt_regs *r
20025 static const char nx_warning[] = KERN_CRIT
20026 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
20027 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
20030 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
20031 @@ -571,15 +647,26 @@ show_fault_oops(struct pt_regs *regs, un
20032 if (!oops_may_print())
20035 - if (error_code & PF_INSTR) {
20036 + if (nx_enabled && (error_code & PF_INSTR)) {
20037 unsigned int level;
20039 pte_t *pte = lookup_address(address, &level);
20041 if (pte && pte_present(*pte) && !pte_exec(*pte))
20042 - printk(nx_warning, current_uid());
20043 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
20046 +#ifdef CONFIG_PAX_KERNEXEC
20047 + if (init_mm.start_code <= address && address < init_mm.end_code) {
20048 + if (current->signal->curr_ip)
20049 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
20050 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
20052 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
20053 + current->comm, task_pid_nr(current), current_uid(), current_euid());
20057 printk(KERN_ALERT "BUG: unable to handle kernel ");
20058 if (address < PAGE_SIZE)
20059 printk(KERN_CONT "NULL pointer dereference");
20060 @@ -704,6 +791,68 @@ __bad_area_nosemaphore(struct pt_regs *r
20061 unsigned long address, int si_code)
20063 struct task_struct *tsk = current;
20064 + struct mm_struct *mm = tsk->mm;
20066 +#ifdef CONFIG_X86_64
20067 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
20068 + if (regs->ip == (unsigned long)vgettimeofday) {
20069 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
20071 + } else if (regs->ip == (unsigned long)vtime) {
20072 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
20074 + } else if (regs->ip == (unsigned long)vgetcpu) {
20075 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
20081 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20082 + if (mm && (error_code & PF_USER)) {
20083 + unsigned long ip = regs->ip;
20085 + if (v8086_mode(regs))
20086 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
20089 + * It's possible to have interrupts off here:
20091 + local_irq_enable();
20093 +#ifdef CONFIG_PAX_PAGEEXEC
20094 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
20095 + ((nx_enabled && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
20097 +#ifdef CONFIG_PAX_EMUTRAMP
20098 + switch (pax_handle_fetch_fault(regs)) {
20104 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
20105 + do_group_exit(SIGKILL);
20109 +#ifdef CONFIG_PAX_SEGMEXEC
20110 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
20112 +#ifdef CONFIG_PAX_EMUTRAMP
20113 + switch (pax_handle_fetch_fault(regs)) {
20119 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
20120 + do_group_exit(SIGKILL);
20127 /* User mode accesses just cause a SIGSEGV */
20128 if (error_code & PF_USER) {
20129 @@ -857,6 +1006,99 @@ static int spurious_fault_check(unsigned
20133 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
20134 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
20139 + unsigned char pte_mask;
20141 + if (nx_enabled || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
20142 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
20145 + /* PaX: it's our fault, let's handle it if we can */
20147 + /* PaX: take a look at read faults before acquiring any locks */
20148 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
20149 + /* instruction fetch attempt from a protected page in user mode */
20150 + up_read(&mm->mmap_sem);
20152 +#ifdef CONFIG_PAX_EMUTRAMP
20153 + switch (pax_handle_fetch_fault(regs)) {
20159 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
20160 + do_group_exit(SIGKILL);
20163 + pmd = pax_get_pmd(mm, address);
20164 + if (unlikely(!pmd))
20167 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
20168 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
20169 + pte_unmap_unlock(pte, ptl);
20173 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
20174 + /* write attempt to a protected page in user mode */
20175 + pte_unmap_unlock(pte, ptl);
20180 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
20182 + if (likely(address > get_limit(regs->cs)))
20185 + set_pte(pte, pte_mkread(*pte));
20186 + __flush_tlb_one(address);
20187 + pte_unmap_unlock(pte, ptl);
20188 + up_read(&mm->mmap_sem);
20192 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
20195 + * PaX: fill DTLB with user rights and retry
20197 + __asm__ __volatile__ (
20199 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
20201 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
20202 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
20203 + * page fault when examined during a TLB load attempt. this is true not only
20204 + * for PTEs holding a non-present entry but also present entries that will
20205 + * raise a page fault (such as those set up by PaX, or the copy-on-write
20206 + * mechanism). in effect it means that we do *not* need to flush the TLBs
20207 + * for our target pages since their PTEs are simply not in the TLBs at all.
20209 + * the best thing in omitting it is that we gain around 15-20% speed in the
20210 + * fast path of the page fault handler and can get rid of tracing since we
20211 + * can no longer flush unintended entries.
20215 + __copyuser_seg"testb $0,(%0)\n"
20218 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
20219 + : "memory", "cc");
20220 + pte_unmap_unlock(pte, ptl);
20221 + up_read(&mm->mmap_sem);
20227 * Handle a spurious fault caused by a stale TLB entry.
20229 @@ -923,6 +1165,9 @@ int show_unhandled_signals = 1;
20231 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
20233 + if (nx_enabled && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
20237 /* write, present and write, not present: */
20238 if (unlikely(!(vma->vm_flags & VM_WRITE)))
20239 @@ -956,17 +1201,31 @@ do_page_fault(struct pt_regs *regs, unsi
20241 struct vm_area_struct *vma;
20242 struct task_struct *tsk;
20243 - unsigned long address;
20244 struct mm_struct *mm;
20248 + /* Get the faulting address: */
20249 + unsigned long address = read_cr2();
20251 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
20252 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
20253 + if (!search_exception_tables(regs->ip)) {
20254 + bad_area_nosemaphore(regs, error_code, address);
20257 + if (address < PAX_USER_SHADOW_BASE) {
20258 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
20259 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
20260 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
20262 + address -= PAX_USER_SHADOW_BASE;
20269 - /* Get the faulting address: */
20270 - address = read_cr2();
20273 * Detect and handle instructions that would cause a page fault for
20274 * both a tracked kernel page and a userspace page.
20275 @@ -1026,7 +1285,7 @@ do_page_fault(struct pt_regs *regs, unsi
20276 * User-mode registers count as a user access even for any
20277 * potential system fault or CPU buglet:
20279 - if (user_mode_vm(regs)) {
20280 + if (user_mode(regs)) {
20281 local_irq_enable();
20282 error_code |= PF_USER;
20284 @@ -1080,6 +1339,11 @@ do_page_fault(struct pt_regs *regs, unsi
20288 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
20289 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
20293 vma = find_vma(mm, address);
20294 if (unlikely(!vma)) {
20295 bad_area(regs, error_code, address);
20296 @@ -1091,18 +1355,24 @@ do_page_fault(struct pt_regs *regs, unsi
20297 bad_area(regs, error_code, address);
20300 - if (error_code & PF_USER) {
20302 - * Accessing the stack below %sp is always a bug.
20303 - * The large cushion allows instructions like enter
20304 - * and pusha to work. ("enter $65535, $31" pushes
20305 - * 32 pointers and then decrements %sp by 65535.)
20307 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
20308 - bad_area(regs, error_code, address);
20312 + * Accessing the stack below %sp is always a bug.
20313 + * The large cushion allows instructions like enter
20314 + * and pusha to work. ("enter $65535, $31" pushes
20315 + * 32 pointers and then decrements %sp by 65535.)
20317 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
20318 + bad_area(regs, error_code, address);
20322 +#ifdef CONFIG_PAX_SEGMEXEC
20323 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
20324 + bad_area(regs, error_code, address);
20329 if (unlikely(expand_stack(vma, address))) {
20330 bad_area(regs, error_code, address);
20332 @@ -1146,3 +1416,199 @@ good_area:
20334 up_read(&mm->mmap_sem);
20337 +#ifdef CONFIG_PAX_EMUTRAMP
20338 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
20342 + do { /* PaX: gcc trampoline emulation #1 */
20343 + unsigned char mov1, mov2;
20344 + unsigned short jmp;
20345 + unsigned int addr1, addr2;
20347 +#ifdef CONFIG_X86_64
20348 + if ((regs->ip + 11) >> 32)
20352 + err = get_user(mov1, (unsigned char __user *)regs->ip);
20353 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
20354 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
20355 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
20356 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
20361 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
20362 + regs->cx = addr1;
20363 + regs->ax = addr2;
20364 + regs->ip = addr2;
20369 + do { /* PaX: gcc trampoline emulation #2 */
20370 + unsigned char mov, jmp;
20371 + unsigned int addr1, addr2;
20373 +#ifdef CONFIG_X86_64
20374 + if ((regs->ip + 9) >> 32)
20378 + err = get_user(mov, (unsigned char __user *)regs->ip);
20379 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
20380 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
20381 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
20386 + if (mov == 0xB9 && jmp == 0xE9) {
20387 + regs->cx = addr1;
20388 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
20393 + return 1; /* PaX in action */
20396 +#ifdef CONFIG_X86_64
20397 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
20401 + do { /* PaX: gcc trampoline emulation #1 */
20402 + unsigned short mov1, mov2, jmp1;
20403 + unsigned char jmp2;
20404 + unsigned int addr1;
20405 + unsigned long addr2;
20407 + err = get_user(mov1, (unsigned short __user *)regs->ip);
20408 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
20409 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
20410 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
20411 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
20412 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
20417 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
20418 + regs->r11 = addr1;
20419 + regs->r10 = addr2;
20420 + regs->ip = addr1;
20425 + do { /* PaX: gcc trampoline emulation #2 */
20426 + unsigned short mov1, mov2, jmp1;
20427 + unsigned char jmp2;
20428 + unsigned long addr1, addr2;
20430 + err = get_user(mov1, (unsigned short __user *)regs->ip);
20431 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
20432 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
20433 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
20434 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
20435 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
20440 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
20441 + regs->r11 = addr1;
20442 + regs->r10 = addr2;
20443 + regs->ip = addr1;
20448 + return 1; /* PaX in action */
20453 + * PaX: decide what to do with offenders (regs->ip = fault address)
20455 + * returns 1 when task should be killed
20456 + * 2 when gcc trampoline was detected
20458 +static int pax_handle_fetch_fault(struct pt_regs *regs)
20460 + if (v8086_mode(regs))
20463 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
20466 +#ifdef CONFIG_X86_32
20467 + return pax_handle_fetch_fault_32(regs);
20469 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
20470 + return pax_handle_fetch_fault_32(regs);
20472 + return pax_handle_fetch_fault_64(regs);
20477 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20478 +void pax_report_insns(void *pc, void *sp)
20482 + printk(KERN_ERR "PAX: bytes at PC: ");
20483 + for (i = 0; i < 20; i++) {
20485 + if (get_user(c, (__force unsigned char __user *)pc+i))
20486 + printk(KERN_CONT "?? ");
20488 + printk(KERN_CONT "%02x ", c);
20492 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
20493 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
20495 + if (get_user(c, (__force unsigned long __user *)sp+i))
20496 +#ifdef CONFIG_X86_32
20497 + printk(KERN_CONT "???????? ");
20499 + printk(KERN_CONT "???????????????? ");
20502 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
20509 + * probe_kernel_write(): safely attempt to write to a location
20510 + * @dst: address to write to
20511 + * @src: pointer to the data that shall be written
20512 + * @size: size of the data chunk
20514 + * Safely write to address @dst from the buffer at @src. If a kernel fault
20515 + * happens, handle that and return -EFAULT.
20517 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
20520 + mm_segment_t old_fs = get_fs();
20522 + set_fs(KERNEL_DS);
20523 + pagefault_disable();
20524 + pax_open_kernel();
20525 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
20526 + pax_close_kernel();
20527 + pagefault_enable();
20530 + return ret ? -EFAULT : 0;
20532 diff -urNp linux-2.6.32.42/arch/x86/mm/gup.c linux-2.6.32.42/arch/x86/mm/gup.c
20533 --- linux-2.6.32.42/arch/x86/mm/gup.c 2011-03-27 14:31:47.000000000 -0400
20534 +++ linux-2.6.32.42/arch/x86/mm/gup.c 2011-04-17 15:56:46.000000000 -0400
20535 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
20537 len = (unsigned long) nr_pages << PAGE_SHIFT;
20539 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
20540 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
20541 (void __user *)start, len)))
20544 diff -urNp linux-2.6.32.42/arch/x86/mm/highmem_32.c linux-2.6.32.42/arch/x86/mm/highmem_32.c
20545 --- linux-2.6.32.42/arch/x86/mm/highmem_32.c 2011-03-27 14:31:47.000000000 -0400
20546 +++ linux-2.6.32.42/arch/x86/mm/highmem_32.c 2011-04-17 15:56:46.000000000 -0400
20547 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
20548 idx = type + KM_TYPE_NR*smp_processor_id();
20549 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
20550 BUG_ON(!pte_none(*(kmap_pte-idx)));
20552 + pax_open_kernel();
20553 set_pte(kmap_pte-idx, mk_pte(page, prot));
20554 + pax_close_kernel();
20556 return (void *)vaddr;
20558 diff -urNp linux-2.6.32.42/arch/x86/mm/hugetlbpage.c linux-2.6.32.42/arch/x86/mm/hugetlbpage.c
20559 --- linux-2.6.32.42/arch/x86/mm/hugetlbpage.c 2011-03-27 14:31:47.000000000 -0400
20560 +++ linux-2.6.32.42/arch/x86/mm/hugetlbpage.c 2011-04-17 15:56:46.000000000 -0400
20561 @@ -267,13 +267,20 @@ static unsigned long hugetlb_get_unmappe
20562 struct hstate *h = hstate_file(file);
20563 struct mm_struct *mm = current->mm;
20564 struct vm_area_struct *vma;
20565 - unsigned long start_addr;
20566 + unsigned long start_addr, pax_task_size = TASK_SIZE;
20568 +#ifdef CONFIG_PAX_SEGMEXEC
20569 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
20570 + pax_task_size = SEGMEXEC_TASK_SIZE;
20573 + pax_task_size -= PAGE_SIZE;
20575 if (len > mm->cached_hole_size) {
20576 - start_addr = mm->free_area_cache;
20577 + start_addr = mm->free_area_cache;
20579 - start_addr = TASK_UNMAPPED_BASE;
20580 - mm->cached_hole_size = 0;
20581 + start_addr = mm->mmap_base;
20582 + mm->cached_hole_size = 0;
20586 @@ -281,26 +288,27 @@ full_search:
20588 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
20589 /* At this point: (!vma || addr < vma->vm_end). */
20590 - if (TASK_SIZE - len < addr) {
20591 + if (pax_task_size - len < addr) {
20593 * Start a new search - just in case we missed
20596 - if (start_addr != TASK_UNMAPPED_BASE) {
20597 - start_addr = TASK_UNMAPPED_BASE;
20598 + if (start_addr != mm->mmap_base) {
20599 + start_addr = mm->mmap_base;
20600 mm->cached_hole_size = 0;
20605 - if (!vma || addr + len <= vma->vm_start) {
20606 - mm->free_area_cache = addr + len;
20609 + if (check_heap_stack_gap(vma, addr, len))
20611 if (addr + mm->cached_hole_size < vma->vm_start)
20612 mm->cached_hole_size = vma->vm_start - addr;
20613 addr = ALIGN(vma->vm_end, huge_page_size(h));
20616 + mm->free_area_cache = addr + len;
20620 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
20621 @@ -309,10 +317,9 @@ static unsigned long hugetlb_get_unmappe
20623 struct hstate *h = hstate_file(file);
20624 struct mm_struct *mm = current->mm;
20625 - struct vm_area_struct *vma, *prev_vma;
20626 - unsigned long base = mm->mmap_base, addr = addr0;
20627 + struct vm_area_struct *vma;
20628 + unsigned long base = mm->mmap_base, addr;
20629 unsigned long largest_hole = mm->cached_hole_size;
20630 - int first_time = 1;
20632 /* don't allow allocations above current base */
20633 if (mm->free_area_cache > base)
20634 @@ -322,64 +329,63 @@ static unsigned long hugetlb_get_unmappe
20636 mm->free_area_cache = base;
20640 /* make sure it can fit in the remaining address space */
20641 if (mm->free_area_cache < len)
20644 /* either no address requested or cant fit in requested address hole */
20645 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
20646 + addr = (mm->free_area_cache - len);
20648 + addr &= huge_page_mask(h);
20649 + vma = find_vma(mm, addr);
20651 * Lookup failure means no vma is above this address,
20652 * i.e. return with success:
20654 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
20658 * new region fits between prev_vma->vm_end and
20659 * vma->vm_start, use it:
20661 - if (addr + len <= vma->vm_start &&
20662 - (!prev_vma || (addr >= prev_vma->vm_end))) {
20663 + if (check_heap_stack_gap(vma, addr, len)) {
20664 /* remember the address as a hint for next time */
20665 - mm->cached_hole_size = largest_hole;
20666 - return (mm->free_area_cache = addr);
20668 - /* pull free_area_cache down to the first hole */
20669 - if (mm->free_area_cache == vma->vm_end) {
20670 - mm->free_area_cache = vma->vm_start;
20671 - mm->cached_hole_size = largest_hole;
20673 + mm->cached_hole_size = largest_hole;
20674 + return (mm->free_area_cache = addr);
20676 + /* pull free_area_cache down to the first hole */
20677 + if (mm->free_area_cache == vma->vm_end) {
20678 + mm->free_area_cache = vma->vm_start;
20679 + mm->cached_hole_size = largest_hole;
20682 /* remember the largest hole we saw so far */
20683 if (addr + largest_hole < vma->vm_start)
20684 - largest_hole = vma->vm_start - addr;
20685 + largest_hole = vma->vm_start - addr;
20687 /* try just below the current vma->vm_start */
20688 - addr = (vma->vm_start - len) & huge_page_mask(h);
20689 - } while (len <= vma->vm_start);
20690 + addr = skip_heap_stack_gap(vma, len);
20691 + } while (!IS_ERR_VALUE(addr));
20695 - * if hint left us with no space for the requested
20696 - * mapping then try again:
20698 - if (first_time) {
20699 - mm->free_area_cache = base;
20700 - largest_hole = 0;
20705 * A failed mmap() very likely causes application failure,
20706 * so fall back to the bottom-up function here. This scenario
20707 * can happen with large stack limits and large mmap()
20710 - mm->free_area_cache = TASK_UNMAPPED_BASE;
20712 +#ifdef CONFIG_PAX_SEGMEXEC
20713 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
20714 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
20718 + mm->mmap_base = TASK_UNMAPPED_BASE;
20720 +#ifdef CONFIG_PAX_RANDMMAP
20721 + if (mm->pax_flags & MF_PAX_RANDMMAP)
20722 + mm->mmap_base += mm->delta_mmap;
20725 + mm->free_area_cache = mm->mmap_base;
20726 mm->cached_hole_size = ~0UL;
20727 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
20728 len, pgoff, flags);
20729 @@ -387,6 +393,7 @@ fail:
20731 * Restore the topdown base:
20733 + mm->mmap_base = base;
20734 mm->free_area_cache = base;
20735 mm->cached_hole_size = ~0UL;
20737 @@ -400,10 +407,19 @@ hugetlb_get_unmapped_area(struct file *f
20738 struct hstate *h = hstate_file(file);
20739 struct mm_struct *mm = current->mm;
20740 struct vm_area_struct *vma;
20741 + unsigned long pax_task_size = TASK_SIZE;
20743 if (len & ~huge_page_mask(h))
20745 - if (len > TASK_SIZE)
20747 +#ifdef CONFIG_PAX_SEGMEXEC
20748 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
20749 + pax_task_size = SEGMEXEC_TASK_SIZE;
20752 + pax_task_size -= PAGE_SIZE;
20754 + if (len > pax_task_size)
20757 if (flags & MAP_FIXED) {
20758 @@ -415,8 +431,7 @@ hugetlb_get_unmapped_area(struct file *f
20760 addr = ALIGN(addr, huge_page_size(h));
20761 vma = find_vma(mm, addr);
20762 - if (TASK_SIZE - len >= addr &&
20763 - (!vma || addr + len <= vma->vm_start))
20764 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
20767 if (mm->get_unmapped_area == arch_get_unmapped_area)
20768 diff -urNp linux-2.6.32.42/arch/x86/mm/init_32.c linux-2.6.32.42/arch/x86/mm/init_32.c
20769 --- linux-2.6.32.42/arch/x86/mm/init_32.c 2011-03-27 14:31:47.000000000 -0400
20770 +++ linux-2.6.32.42/arch/x86/mm/init_32.c 2011-04-17 15:56:46.000000000 -0400
20771 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
20775 - * Creates a middle page table and puts a pointer to it in the
20776 - * given global directory entry. This only returns the gd entry
20777 - * in non-PAE compilation mode, since the middle layer is folded.
20779 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
20782 - pmd_t *pmd_table;
20784 -#ifdef CONFIG_X86_PAE
20785 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
20786 - if (after_bootmem)
20787 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
20789 - pmd_table = (pmd_t *)alloc_low_page();
20790 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
20791 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
20792 - pud = pud_offset(pgd, 0);
20793 - BUG_ON(pmd_table != pmd_offset(pud, 0));
20795 - return pmd_table;
20798 - pud = pud_offset(pgd, 0);
20799 - pmd_table = pmd_offset(pud, 0);
20801 - return pmd_table;
20805 * Create a page table and place a pointer to it in a middle page
20808 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
20809 page_table = (pte_t *)alloc_low_page();
20811 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
20812 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
20813 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
20815 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
20817 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
20820 return pte_offset_kernel(pmd, 0);
20823 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
20826 + pmd_t *pmd_table;
20828 + pud = pud_offset(pgd, 0);
20829 + pmd_table = pmd_offset(pud, 0);
20831 + return pmd_table;
20834 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
20836 int pgd_idx = pgd_index(vaddr);
20837 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
20838 int pgd_idx, pmd_idx;
20839 unsigned long vaddr;
20845 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
20846 pgd = pgd_base + pgd_idx;
20848 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
20849 - pmd = one_md_table_init(pgd);
20850 - pmd = pmd + pmd_index(vaddr);
20851 + pud = pud_offset(pgd, vaddr);
20852 + pmd = pmd_offset(pud, vaddr);
20854 +#ifdef CONFIG_X86_PAE
20855 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20858 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
20859 pmd++, pmd_idx++) {
20860 pte = page_table_kmap_check(one_page_table_init(pmd),
20861 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
20865 -static inline int is_kernel_text(unsigned long addr)
20866 +static inline int is_kernel_text(unsigned long start, unsigned long end)
20868 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
20871 + if ((start > ktla_ktva((unsigned long)_etext) ||
20872 + end <= ktla_ktva((unsigned long)_stext)) &&
20873 + (start > ktla_ktva((unsigned long)_einittext) ||
20874 + end <= ktla_ktva((unsigned long)_sinittext)) &&
20876 +#ifdef CONFIG_ACPI_SLEEP
20877 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
20880 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
20886 @@ -243,9 +243,10 @@ kernel_physical_mapping_init(unsigned lo
20887 int use_pse = page_size_mask == (1<<PG_LEVEL_2M);
20888 unsigned long start_pfn, end_pfn;
20889 pgd_t *pgd_base = swapper_pg_dir;
20890 - int pgd_idx, pmd_idx, pte_ofs;
20891 + unsigned int pgd_idx, pmd_idx, pte_ofs;
20897 unsigned pages_2m, pages_4k;
20898 @@ -278,8 +279,13 @@ repeat:
20900 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20901 pgd = pgd_base + pgd_idx;
20902 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
20903 - pmd = one_md_table_init(pgd);
20904 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
20905 + pud = pud_offset(pgd, 0);
20906 + pmd = pmd_offset(pud, 0);
20908 +#ifdef CONFIG_X86_PAE
20909 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
20912 if (pfn >= end_pfn)
20914 @@ -291,14 +297,13 @@ repeat:
20916 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
20917 pmd++, pmd_idx++) {
20918 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
20919 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
20922 * Map with big pages if possible, otherwise
20923 * create normal page tables:
20926 - unsigned int addr2;
20927 pgprot_t prot = PAGE_KERNEL_LARGE;
20929 * first pass will use the same initial
20930 @@ -308,11 +313,7 @@ repeat:
20931 __pgprot(PTE_IDENT_ATTR |
20934 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
20935 - PAGE_OFFSET + PAGE_SIZE-1;
20937 - if (is_kernel_text(addr) ||
20938 - is_kernel_text(addr2))
20939 + if (is_kernel_text(address, address + PMD_SIZE))
20940 prot = PAGE_KERNEL_LARGE_EXEC;
20943 @@ -329,7 +330,7 @@ repeat:
20944 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
20946 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
20947 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
20948 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
20949 pgprot_t prot = PAGE_KERNEL;
20951 * first pass will use the same initial
20952 @@ -337,7 +338,7 @@ repeat:
20954 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
20956 - if (is_kernel_text(addr))
20957 + if (is_kernel_text(address, address + PAGE_SIZE))
20958 prot = PAGE_KERNEL_EXEC;
20961 @@ -489,7 +490,7 @@ void __init native_pagetable_setup_start
20963 pud = pud_offset(pgd, va);
20964 pmd = pmd_offset(pud, va);
20965 - if (!pmd_present(*pmd))
20966 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
20969 pte = pte_offset_kernel(pmd, va);
20970 @@ -541,9 +542,7 @@ void __init early_ioremap_page_table_ran
20972 static void __init pagetable_init(void)
20974 - pgd_t *pgd_base = swapper_pg_dir;
20976 - permanent_kmaps_init(pgd_base);
20977 + permanent_kmaps_init(swapper_pg_dir);
20980 #ifdef CONFIG_ACPI_SLEEP
20981 @@ -551,12 +550,12 @@ static void __init pagetable_init(void)
20982 * ACPI suspend needs this for resume, because things like the intel-agp
20983 * driver might have split up a kernel 4MB mapping.
20985 -char swsusp_pg_dir[PAGE_SIZE]
20986 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
20987 __attribute__ ((aligned(PAGE_SIZE)));
20989 static inline void save_pg_dir(void)
20991 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
20992 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
20994 #else /* !CONFIG_ACPI_SLEEP */
20995 static inline void save_pg_dir(void)
20996 @@ -588,7 +587,7 @@ void zap_low_mappings(bool early)
21000 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
21001 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
21002 EXPORT_SYMBOL_GPL(__supported_pte_mask);
21004 /* user-defined highmem size */
21005 @@ -777,7 +776,7 @@ void __init setup_bootmem_allocator(void
21006 * Initialize the boot-time allocator (with low memory only):
21008 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
21009 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
21010 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
21012 if (bootmap == -1L)
21013 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
21014 @@ -864,6 +863,12 @@ void __init mem_init(void)
21018 +#ifdef CONFIG_PAX_PER_CPU_PGD
21019 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
21020 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
21021 + KERNEL_PGD_PTRS);
21024 #ifdef CONFIG_FLATMEM
21027 @@ -881,7 +886,7 @@ void __init mem_init(void)
21028 set_highmem_pages_init();
21030 codesize = (unsigned long) &_etext - (unsigned long) &_text;
21031 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
21032 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
21033 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
21035 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
21036 @@ -923,10 +928,10 @@ void __init mem_init(void)
21037 ((unsigned long)&__init_end -
21038 (unsigned long)&__init_begin) >> 10,
21040 - (unsigned long)&_etext, (unsigned long)&_edata,
21041 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
21042 + (unsigned long)&_sdata, (unsigned long)&_edata,
21043 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
21045 - (unsigned long)&_text, (unsigned long)&_etext,
21046 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
21047 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
21050 @@ -1007,6 +1012,7 @@ void set_kernel_text_rw(void)
21051 if (!kernel_set_to_readonly)
21054 + start = ktla_ktva(start);
21055 pr_debug("Set kernel text: %lx - %lx for read write\n",
21056 start, start+size);
21058 @@ -1021,6 +1027,7 @@ void set_kernel_text_ro(void)
21059 if (!kernel_set_to_readonly)
21062 + start = ktla_ktva(start);
21063 pr_debug("Set kernel text: %lx - %lx for read only\n",
21064 start, start+size);
21066 @@ -1032,6 +1039,7 @@ void mark_rodata_ro(void)
21067 unsigned long start = PFN_ALIGN(_text);
21068 unsigned long size = PFN_ALIGN(_etext) - start;
21070 + start = ktla_ktva(start);
21071 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
21072 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
21074 diff -urNp linux-2.6.32.42/arch/x86/mm/init_64.c linux-2.6.32.42/arch/x86/mm/init_64.c
21075 --- linux-2.6.32.42/arch/x86/mm/init_64.c 2011-04-17 17:00:52.000000000 -0400
21076 +++ linux-2.6.32.42/arch/x86/mm/init_64.c 2011-04-17 17:03:05.000000000 -0400
21077 @@ -164,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
21078 pmd = fill_pmd(pud, vaddr);
21079 pte = fill_pte(pmd, vaddr);
21081 + pax_open_kernel();
21082 set_pte(pte, new_pte);
21083 + pax_close_kernel();
21086 * It's enough to flush this one mapping.
21087 @@ -223,14 +225,12 @@ static void __init __init_extra_mapping(
21088 pgd = pgd_offset_k((unsigned long)__va(phys));
21089 if (pgd_none(*pgd)) {
21090 pud = (pud_t *) spp_getpage();
21091 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
21093 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
21095 pud = pud_offset(pgd, (unsigned long)__va(phys));
21096 if (pud_none(*pud)) {
21097 pmd = (pmd_t *) spp_getpage();
21098 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
21100 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
21102 pmd = pmd_offset(pud, phys);
21103 BUG_ON(!pmd_none(*pmd));
21104 @@ -675,6 +675,12 @@ void __init mem_init(void)
21108 +#ifdef CONFIG_PAX_PER_CPU_PGD
21109 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
21110 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
21111 + KERNEL_PGD_PTRS);
21114 /* clear_bss() already clear the empty_zero_page */
21117 @@ -861,8 +867,8 @@ int kern_addr_valid(unsigned long addr)
21118 static struct vm_area_struct gate_vma = {
21119 .vm_start = VSYSCALL_START,
21120 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
21121 - .vm_page_prot = PAGE_READONLY_EXEC,
21122 - .vm_flags = VM_READ | VM_EXEC
21123 + .vm_page_prot = PAGE_READONLY,
21124 + .vm_flags = VM_READ
21127 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
21128 @@ -896,7 +902,7 @@ int in_gate_area_no_task(unsigned long a
21130 const char *arch_vma_name(struct vm_area_struct *vma)
21132 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
21133 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
21135 if (vma == &gate_vma)
21136 return "[vsyscall]";
21137 diff -urNp linux-2.6.32.42/arch/x86/mm/init.c linux-2.6.32.42/arch/x86/mm/init.c
21138 --- linux-2.6.32.42/arch/x86/mm/init.c 2011-04-17 17:00:52.000000000 -0400
21139 +++ linux-2.6.32.42/arch/x86/mm/init.c 2011-06-07 19:06:09.000000000 -0400
21140 @@ -69,11 +69,7 @@ static void __init find_early_table_spac
21141 * cause a hotspot and fill up ZONE_DMA. The page tables
21142 * need roughly 0.5KB per GB.
21144 -#ifdef CONFIG_X86_32
21149 + start = 0x100000;
21150 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
21151 tables, PAGE_SIZE);
21152 if (e820_table_start == -1UL)
21153 @@ -147,7 +143,7 @@ unsigned long __init_refok init_memory_m
21158 + if (nx_enabled && cpu_has_nx)
21159 printk(KERN_INFO "NX (Execute Disable) protection: active\n");
21161 /* Enable PSE if available */
21162 @@ -329,10 +325,27 @@ unsigned long __init_refok init_memory_m
21163 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
21164 * mmio resources as well as potential bios/acpi data regions.
21167 int devmem_is_allowed(unsigned long pagenr)
21169 +#ifdef CONFIG_GRKERNSEC_KMEM
21174 + if ((0x9f000 >> PAGE_SHIFT) == pagenr)
21176 + /* allow ISA/video mem */
21177 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
21179 + /* throw out everything else below 1MB */
21180 + if (pagenr <= 256)
21187 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
21189 if (!page_is_ram(pagenr))
21190 @@ -379,6 +392,86 @@ void free_init_pages(char *what, unsigne
21192 void free_initmem(void)
21195 +#ifdef CONFIG_PAX_KERNEXEC
21196 +#ifdef CONFIG_X86_32
21197 + /* PaX: limit KERNEL_CS to actual size */
21198 + unsigned long addr, limit;
21199 + struct desc_struct d;
21202 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
21203 + limit = (limit - 1UL) >> PAGE_SHIFT;
21205 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
21206 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
21207 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
21208 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
21211 + /* PaX: make KERNEL_CS read-only */
21212 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
21213 + if (!paravirt_enabled())
21214 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
21216 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
21217 + pgd = pgd_offset_k(addr);
21218 + pud = pud_offset(pgd, addr);
21219 + pmd = pmd_offset(pud, addr);
21220 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
21223 +#ifdef CONFIG_X86_PAE
21224 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
21226 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
21227 + pgd = pgd_offset_k(addr);
21228 + pud = pud_offset(pgd, addr);
21229 + pmd = pmd_offset(pud, addr);
21230 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
21235 +#ifdef CONFIG_MODULES
21236 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
21243 + unsigned long addr, end;
21245 + /* PaX: make kernel code/rodata read-only, rest non-executable */
21246 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
21247 + pgd = pgd_offset_k(addr);
21248 + pud = pud_offset(pgd, addr);
21249 + pmd = pmd_offset(pud, addr);
21250 + if (!pmd_present(*pmd))
21252 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
21253 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
21255 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
21258 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
21259 + end = addr + KERNEL_IMAGE_SIZE;
21260 + for (; addr < end; addr += PMD_SIZE) {
21261 + pgd = pgd_offset_k(addr);
21262 + pud = pud_offset(pgd, addr);
21263 + pmd = pmd_offset(pud, addr);
21264 + if (!pmd_present(*pmd))
21266 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
21267 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
21274 free_init_pages("unused kernel memory",
21275 (unsigned long)(&__init_begin),
21276 (unsigned long)(&__init_end));
21277 diff -urNp linux-2.6.32.42/arch/x86/mm/iomap_32.c linux-2.6.32.42/arch/x86/mm/iomap_32.c
21278 --- linux-2.6.32.42/arch/x86/mm/iomap_32.c 2011-03-27 14:31:47.000000000 -0400
21279 +++ linux-2.6.32.42/arch/x86/mm/iomap_32.c 2011-04-17 15:56:46.000000000 -0400
21280 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
21281 debug_kmap_atomic(type);
21282 idx = type + KM_TYPE_NR * smp_processor_id();
21283 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
21285 + pax_open_kernel();
21286 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
21287 + pax_close_kernel();
21289 arch_flush_lazy_mmu_mode();
21291 return (void *)vaddr;
21292 diff -urNp linux-2.6.32.42/arch/x86/mm/ioremap.c linux-2.6.32.42/arch/x86/mm/ioremap.c
21293 --- linux-2.6.32.42/arch/x86/mm/ioremap.c 2011-03-27 14:31:47.000000000 -0400
21294 +++ linux-2.6.32.42/arch/x86/mm/ioremap.c 2011-04-17 15:56:46.000000000 -0400
21295 @@ -41,8 +41,8 @@ int page_is_ram(unsigned long pagenr)
21296 * Second special case: Some BIOSen report the PC BIOS
21297 * area (640->1Mb) as ram even though it is not.
21299 - if (pagenr >= (BIOS_BEGIN >> PAGE_SHIFT) &&
21300 - pagenr < (BIOS_END >> PAGE_SHIFT))
21301 + if (pagenr >= (ISA_START_ADDRESS >> PAGE_SHIFT) &&
21302 + pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
21305 for (i = 0; i < e820.nr_map; i++) {
21306 @@ -137,13 +137,10 @@ static void __iomem *__ioremap_caller(re
21308 * Don't allow anybody to remap normal RAM that we're using..
21310 - for (pfn = phys_addr >> PAGE_SHIFT;
21311 - (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
21314 + for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
21315 int is_ram = page_is_ram(pfn);
21317 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
21318 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
21320 WARN_ON_ONCE(is_ram);
21322 @@ -407,7 +404,7 @@ static int __init early_ioremap_debug_se
21323 early_param("early_ioremap_debug", early_ioremap_debug_setup);
21325 static __initdata int after_paging_init;
21326 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
21327 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
21329 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
21331 @@ -439,8 +436,7 @@ void __init early_ioremap_init(void)
21332 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
21334 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
21335 - memset(bm_pte, 0, sizeof(bm_pte));
21336 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
21337 + pmd_populate_user(&init_mm, pmd, bm_pte);
21340 * The boot-ioremap range spans multiple pmds, for which
21341 diff -urNp linux-2.6.32.42/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.32.42/arch/x86/mm/kmemcheck/kmemcheck.c
21342 --- linux-2.6.32.42/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-27 14:31:47.000000000 -0400
21343 +++ linux-2.6.32.42/arch/x86/mm/kmemcheck/kmemcheck.c 2011-04-17 15:56:46.000000000 -0400
21344 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
21345 * memory (e.g. tracked pages)? For now, we need this to avoid
21346 * invoking kmemcheck for PnP BIOS calls.
21348 - if (regs->flags & X86_VM_MASK)
21349 + if (v8086_mode(regs))
21351 - if (regs->cs != __KERNEL_CS)
21352 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
21355 pte = kmemcheck_pte_lookup(address);
21356 diff -urNp linux-2.6.32.42/arch/x86/mm/mmap.c linux-2.6.32.42/arch/x86/mm/mmap.c
21357 --- linux-2.6.32.42/arch/x86/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
21358 +++ linux-2.6.32.42/arch/x86/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
21359 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
21360 * Leave an at least ~128 MB hole with possible stack randomization.
21362 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
21363 -#define MAX_GAP (TASK_SIZE/6*5)
21364 +#define MAX_GAP (pax_task_size/6*5)
21367 * True on X86_32 or when emulating IA32 on X86_64
21368 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
21369 return rnd << PAGE_SHIFT;
21372 -static unsigned long mmap_base(void)
21373 +static unsigned long mmap_base(struct mm_struct *mm)
21375 unsigned long gap = current->signal->rlim[RLIMIT_STACK].rlim_cur;
21376 + unsigned long pax_task_size = TASK_SIZE;
21378 +#ifdef CONFIG_PAX_SEGMEXEC
21379 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21380 + pax_task_size = SEGMEXEC_TASK_SIZE;
21385 else if (gap > MAX_GAP)
21388 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
21389 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
21393 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
21394 * does, but not when emulating X86_32
21396 -static unsigned long mmap_legacy_base(void)
21397 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
21399 - if (mmap_is_ia32())
21400 + if (mmap_is_ia32()) {
21402 +#ifdef CONFIG_PAX_SEGMEXEC
21403 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
21404 + return SEGMEXEC_TASK_UNMAPPED_BASE;
21408 return TASK_UNMAPPED_BASE;
21411 return TASK_UNMAPPED_BASE + mmap_rnd();
21414 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
21415 void arch_pick_mmap_layout(struct mm_struct *mm)
21417 if (mmap_is_legacy()) {
21418 - mm->mmap_base = mmap_legacy_base();
21419 + mm->mmap_base = mmap_legacy_base(mm);
21421 +#ifdef CONFIG_PAX_RANDMMAP
21422 + if (mm->pax_flags & MF_PAX_RANDMMAP)
21423 + mm->mmap_base += mm->delta_mmap;
21426 mm->get_unmapped_area = arch_get_unmapped_area;
21427 mm->unmap_area = arch_unmap_area;
21429 - mm->mmap_base = mmap_base();
21430 + mm->mmap_base = mmap_base(mm);
21432 +#ifdef CONFIG_PAX_RANDMMAP
21433 + if (mm->pax_flags & MF_PAX_RANDMMAP)
21434 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
21437 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
21438 mm->unmap_area = arch_unmap_area_topdown;
21440 diff -urNp linux-2.6.32.42/arch/x86/mm/mmio-mod.c linux-2.6.32.42/arch/x86/mm/mmio-mod.c
21441 --- linux-2.6.32.42/arch/x86/mm/mmio-mod.c 2011-03-27 14:31:47.000000000 -0400
21442 +++ linux-2.6.32.42/arch/x86/mm/mmio-mod.c 2011-05-04 17:56:28.000000000 -0400
21443 @@ -233,7 +233,7 @@ static void post(struct kmmio_probe *p,
21444 static void ioremap_trace_core(resource_size_t offset, unsigned long size,
21445 void __iomem *addr)
21447 - static atomic_t next_id;
21448 + static atomic_unchecked_t next_id;
21449 struct remap_trace *trace = kmalloc(sizeof(*trace), GFP_KERNEL);
21450 /* These are page-unaligned. */
21451 struct mmiotrace_map map = {
21452 @@ -257,7 +257,7 @@ static void ioremap_trace_core(resource_
21456 - .id = atomic_inc_return(&next_id)
21457 + .id = atomic_inc_return_unchecked(&next_id)
21459 map.map_id = trace->id;
21461 diff -urNp linux-2.6.32.42/arch/x86/mm/numa_32.c linux-2.6.32.42/arch/x86/mm/numa_32.c
21462 --- linux-2.6.32.42/arch/x86/mm/numa_32.c 2011-03-27 14:31:47.000000000 -0400
21463 +++ linux-2.6.32.42/arch/x86/mm/numa_32.c 2011-04-17 15:56:46.000000000 -0400
21464 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
21468 -extern unsigned long find_max_low_pfn(void);
21469 extern unsigned long highend_pfn, highstart_pfn;
21471 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
21472 diff -urNp linux-2.6.32.42/arch/x86/mm/pageattr.c linux-2.6.32.42/arch/x86/mm/pageattr.c
21473 --- linux-2.6.32.42/arch/x86/mm/pageattr.c 2011-03-27 14:31:47.000000000 -0400
21474 +++ linux-2.6.32.42/arch/x86/mm/pageattr.c 2011-04-17 15:56:46.000000000 -0400
21475 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
21476 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
21478 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
21479 - pgprot_val(forbidden) |= _PAGE_NX;
21480 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21483 * The kernel text needs to be executable for obvious reasons
21484 * Does not cover __inittext since that is gone later on. On
21485 * 64bit we do not enforce !NX on the low mapping
21487 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
21488 - pgprot_val(forbidden) |= _PAGE_NX;
21489 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
21490 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21492 +#ifdef CONFIG_DEBUG_RODATA
21494 * The .rodata section needs to be read-only. Using the pfn
21495 * catches all aliases.
21496 @@ -278,6 +279,14 @@ static inline pgprot_t static_protection
21497 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
21498 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
21499 pgprot_val(forbidden) |= _PAGE_RW;
21502 +#ifdef CONFIG_PAX_KERNEXEC
21503 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
21504 + pgprot_val(forbidden) |= _PAGE_RW;
21505 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
21509 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
21511 @@ -331,23 +340,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
21512 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
21514 /* change init_mm */
21515 + pax_open_kernel();
21516 set_pte_atomic(kpte, pte);
21518 #ifdef CONFIG_X86_32
21519 if (!SHARED_KERNEL_PMD) {
21521 +#ifdef CONFIG_PAX_PER_CPU_PGD
21522 + unsigned long cpu;
21527 +#ifdef CONFIG_PAX_PER_CPU_PGD
21528 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
21529 + pgd_t *pgd = get_cpu_pgd(cpu);
21531 list_for_each_entry(page, &pgd_list, lru) {
21533 + pgd_t *pgd = (pgd_t *)page_address(page);
21539 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
21540 + pgd += pgd_index(address);
21541 pud = pud_offset(pgd, address);
21542 pmd = pmd_offset(pud, address);
21543 set_pte_atomic((pte_t *)pmd, pte);
21547 + pax_close_kernel();
21551 diff -urNp linux-2.6.32.42/arch/x86/mm/pageattr-test.c linux-2.6.32.42/arch/x86/mm/pageattr-test.c
21552 --- linux-2.6.32.42/arch/x86/mm/pageattr-test.c 2011-03-27 14:31:47.000000000 -0400
21553 +++ linux-2.6.32.42/arch/x86/mm/pageattr-test.c 2011-04-17 15:56:46.000000000 -0400
21554 @@ -36,7 +36,7 @@ enum {
21556 static int pte_testbit(pte_t pte)
21558 - return pte_flags(pte) & _PAGE_UNUSED1;
21559 + return pte_flags(pte) & _PAGE_CPA_TEST;
21562 struct split_state {
21563 diff -urNp linux-2.6.32.42/arch/x86/mm/pat.c linux-2.6.32.42/arch/x86/mm/pat.c
21564 --- linux-2.6.32.42/arch/x86/mm/pat.c 2011-03-27 14:31:47.000000000 -0400
21565 +++ linux-2.6.32.42/arch/x86/mm/pat.c 2011-04-17 15:56:46.000000000 -0400
21566 @@ -258,7 +258,7 @@ chk_conflict(struct memtype *new, struct
21569 printk(KERN_INFO "%s:%d conflicting memory types "
21570 - "%Lx-%Lx %s<->%s\n", current->comm, current->pid, new->start,
21571 + "%Lx-%Lx %s<->%s\n", current->comm, task_pid_nr(current), new->start,
21572 new->end, cattr_name(new->type), cattr_name(entry->type));
21575 @@ -559,7 +559,7 @@ unlock_ret:
21578 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
21579 - current->comm, current->pid, start, end);
21580 + current->comm, task_pid_nr(current), start, end);
21583 dprintk("free_memtype request 0x%Lx-0x%Lx\n", start, end);
21584 @@ -689,8 +689,8 @@ static inline int range_is_allowed(unsig
21585 while (cursor < to) {
21586 if (!devmem_is_allowed(pfn)) {
21588 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
21589 - current->comm, from, to);
21590 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
21591 + current->comm, from, to, cursor);
21594 cursor += PAGE_SIZE;
21595 @@ -755,7 +755,7 @@ int kernel_map_sync_memtype(u64 base, un
21597 "%s:%d ioremap_change_attr failed %s "
21599 - current->comm, current->pid,
21600 + current->comm, task_pid_nr(current),
21602 base, (unsigned long long)(base + size));
21604 @@ -813,7 +813,7 @@ static int reserve_pfn_range(u64 paddr,
21605 free_memtype(paddr, paddr + size);
21606 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
21607 " for %Lx-%Lx, got %s\n",
21608 - current->comm, current->pid,
21609 + current->comm, task_pid_nr(current),
21610 cattr_name(want_flags),
21611 (unsigned long long)paddr,
21612 (unsigned long long)(paddr + size),
21613 diff -urNp linux-2.6.32.42/arch/x86/mm/pgtable_32.c linux-2.6.32.42/arch/x86/mm/pgtable_32.c
21614 --- linux-2.6.32.42/arch/x86/mm/pgtable_32.c 2011-03-27 14:31:47.000000000 -0400
21615 +++ linux-2.6.32.42/arch/x86/mm/pgtable_32.c 2011-04-17 15:56:46.000000000 -0400
21616 @@ -49,10 +49,13 @@ void set_pte_vaddr(unsigned long vaddr,
21619 pte = pte_offset_kernel(pmd, vaddr);
21621 + pax_open_kernel();
21622 if (pte_val(pteval))
21623 set_pte_at(&init_mm, vaddr, pte, pteval);
21625 pte_clear(&init_mm, vaddr, pte);
21626 + pax_close_kernel();
21629 * It's enough to flush this one mapping.
21630 diff -urNp linux-2.6.32.42/arch/x86/mm/pgtable.c linux-2.6.32.42/arch/x86/mm/pgtable.c
21631 --- linux-2.6.32.42/arch/x86/mm/pgtable.c 2011-03-27 14:31:47.000000000 -0400
21632 +++ linux-2.6.32.42/arch/x86/mm/pgtable.c 2011-05-11 18:25:15.000000000 -0400
21633 @@ -83,9 +83,52 @@ static inline void pgd_list_del(pgd_t *p
21634 list_del(&page->lru);
21637 -#define UNSHARED_PTRS_PER_PGD \
21638 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
21639 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21640 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
21642 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
21645 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
21649 +#ifdef CONFIG_PAX_PER_CPU_PGD
21650 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
21654 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
21655 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
21663 +#ifdef CONFIG_X86_64
21664 +#define pxd_t pud_t
21665 +#define pyd_t pgd_t
21666 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
21667 +#define pxd_free(mm, pud) pud_free((mm), (pud))
21668 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
21669 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
21670 +#define PYD_SIZE PGDIR_SIZE
21672 +#define pxd_t pmd_t
21673 +#define pyd_t pud_t
21674 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
21675 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
21676 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
21677 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
21678 +#define PYD_SIZE PUD_SIZE
21681 +#ifdef CONFIG_PAX_PER_CPU_PGD
21682 +static inline void pgd_ctor(pgd_t *pgd) {}
21683 +static inline void pgd_dtor(pgd_t *pgd) {}
21685 static void pgd_ctor(pgd_t *pgd)
21687 /* If the pgd points to a shared pagetable level (either the
21688 @@ -119,6 +162,7 @@ static void pgd_dtor(pgd_t *pgd)
21690 spin_unlock_irqrestore(&pgd_lock, flags);
21695 * List of all pgd's needed for non-PAE so it can invalidate entries
21696 @@ -131,7 +175,7 @@ static void pgd_dtor(pgd_t *pgd)
21700 -#ifdef CONFIG_X86_PAE
21701 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
21703 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
21704 * updating the top-level pagetable entries to guarantee the
21705 @@ -143,7 +187,7 @@ static void pgd_dtor(pgd_t *pgd)
21706 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
21707 * and initialize the kernel pmds here.
21709 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
21710 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
21712 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
21714 @@ -161,36 +205,38 @@ void pud_populate(struct mm_struct *mm,
21718 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
21719 +#define PREALLOCATED_PXDS USER_PGD_PTRS
21720 #else /* !CONFIG_X86_PAE */
21722 /* No need to prepopulate any pagetable entries in non-PAE modes. */
21723 -#define PREALLOCATED_PMDS 0
21724 +#define PREALLOCATED_PXDS 0
21726 #endif /* CONFIG_X86_PAE */
21728 -static void free_pmds(pmd_t *pmds[])
21729 +static void free_pxds(pxd_t *pxds[])
21733 - for(i = 0; i < PREALLOCATED_PMDS; i++)
21735 - free_page((unsigned long)pmds[i]);
21736 + for(i = 0; i < PREALLOCATED_PXDS; i++)
21738 + free_page((unsigned long)pxds[i]);
21741 -static int preallocate_pmds(pmd_t *pmds[])
21742 +static int preallocate_pxds(pxd_t *pxds[])
21745 bool failed = false;
21747 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
21748 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
21750 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
21751 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
21764 @@ -203,51 +249,56 @@ static int preallocate_pmds(pmd_t *pmds[
21765 * preallocate which never got a corresponding vma will need to be
21768 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
21769 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
21773 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
21774 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
21775 pgd_t pgd = pgdp[i];
21777 if (pgd_val(pgd) != 0) {
21778 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
21779 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
21781 - pgdp[i] = native_make_pgd(0);
21782 + set_pgd(pgdp + i, native_make_pgd(0));
21784 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
21785 - pmd_free(mm, pmd);
21786 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
21787 + pxd_free(mm, pxd);
21792 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
21793 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
21797 unsigned long addr;
21800 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
21801 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
21804 - pud = pud_offset(pgd, 0);
21805 +#ifdef CONFIG_X86_64
21806 + pyd = pyd_offset(mm, 0L);
21808 + pyd = pyd_offset(pgd, 0L);
21811 - for (addr = i = 0; i < PREALLOCATED_PMDS;
21812 - i++, pud++, addr += PUD_SIZE) {
21813 - pmd_t *pmd = pmds[i];
21814 + for (addr = i = 0; i < PREALLOCATED_PXDS;
21815 + i++, pyd++, addr += PYD_SIZE) {
21816 + pxd_t *pxd = pxds[i];
21818 if (i >= KERNEL_PGD_BOUNDARY)
21819 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21820 - sizeof(pmd_t) * PTRS_PER_PMD);
21821 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
21822 + sizeof(pxd_t) * PTRS_PER_PMD);
21824 - pud_populate(mm, pud, pmd);
21825 + pyd_populate(mm, pyd, pxd);
21829 pgd_t *pgd_alloc(struct mm_struct *mm)
21832 - pmd_t *pmds[PREALLOCATED_PMDS];
21833 + pxd_t *pxds[PREALLOCATED_PXDS];
21835 unsigned long flags;
21837 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
21838 @@ -257,11 +308,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21842 - if (preallocate_pmds(pmds) != 0)
21843 + if (preallocate_pxds(pxds) != 0)
21846 if (paravirt_pgd_alloc(mm) != 0)
21847 - goto out_free_pmds;
21848 + goto out_free_pxds;
21851 * Make sure that pre-populating the pmds is atomic with
21852 @@ -271,14 +322,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
21853 spin_lock_irqsave(&pgd_lock, flags);
21856 - pgd_prepopulate_pmd(mm, pgd, pmds);
21857 + pgd_prepopulate_pxd(mm, pgd, pxds);
21859 spin_unlock_irqrestore(&pgd_lock, flags);
21868 free_page((unsigned long)pgd);
21870 @@ -287,7 +338,7 @@ out:
21872 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
21874 - pgd_mop_up_pmds(mm, pgd);
21875 + pgd_mop_up_pxds(mm, pgd);
21877 paravirt_pgd_free(mm, pgd);
21878 free_page((unsigned long)pgd);
21879 diff -urNp linux-2.6.32.42/arch/x86/mm/setup_nx.c linux-2.6.32.42/arch/x86/mm/setup_nx.c
21880 --- linux-2.6.32.42/arch/x86/mm/setup_nx.c 2011-03-27 14:31:47.000000000 -0400
21881 +++ linux-2.6.32.42/arch/x86/mm/setup_nx.c 2011-04-17 15:56:46.000000000 -0400
21884 #include <asm/pgtable.h>
21886 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
21889 -#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
21890 -static int disable_nx __cpuinitdata;
21892 +#ifndef CONFIG_PAX_PAGEEXEC
21896 @@ -22,32 +21,26 @@ static int __init noexec_setup(char *str
21899 if (!strncmp(str, "on", 2)) {
21900 - __supported_pte_mask |= _PAGE_NX;
21903 } else if (!strncmp(str, "off", 3)) {
21905 - __supported_pte_mask &= ~_PAGE_NX;
21910 early_param("noexec", noexec_setup);
21914 #ifdef CONFIG_X86_PAE
21915 void __init set_nx(void)
21917 - unsigned int v[4], l, h;
21918 + if (!nx_enabled && cpu_has_nx) {
21921 - if (cpu_has_pae && (cpuid_eax(0x80000000) > 0x80000001)) {
21922 - cpuid(0x80000001, &v[0], &v[1], &v[2], &v[3]);
21924 - if ((v[3] & (1 << 20)) && !disable_nx) {
21925 - rdmsr(MSR_EFER, l, h);
21927 - wrmsr(MSR_EFER, l, h);
21929 - __supported_pte_mask |= _PAGE_NX;
21931 + __supported_pte_mask &= ~_PAGE_NX;
21932 + rdmsr(MSR_EFER, l, h);
21934 + wrmsr(MSR_EFER, l, h);
21938 @@ -62,7 +55,7 @@ void __cpuinit check_efer(void)
21939 unsigned long efer;
21941 rdmsrl(MSR_EFER, efer);
21942 - if (!(efer & EFER_NX) || disable_nx)
21943 + if (!(efer & EFER_NX) || !nx_enabled)
21944 __supported_pte_mask &= ~_PAGE_NX;
21947 diff -urNp linux-2.6.32.42/arch/x86/mm/tlb.c linux-2.6.32.42/arch/x86/mm/tlb.c
21948 --- linux-2.6.32.42/arch/x86/mm/tlb.c 2011-03-27 14:31:47.000000000 -0400
21949 +++ linux-2.6.32.42/arch/x86/mm/tlb.c 2011-04-23 12:56:10.000000000 -0400
21950 @@ -61,7 +61,11 @@ void leave_mm(int cpu)
21952 cpumask_clear_cpu(cpu,
21953 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
21955 +#ifndef CONFIG_PAX_PER_CPU_PGD
21956 load_cr3(swapper_pg_dir);
21960 EXPORT_SYMBOL_GPL(leave_mm);
21962 diff -urNp linux-2.6.32.42/arch/x86/oprofile/backtrace.c linux-2.6.32.42/arch/x86/oprofile/backtrace.c
21963 --- linux-2.6.32.42/arch/x86/oprofile/backtrace.c 2011-03-27 14:31:47.000000000 -0400
21964 +++ linux-2.6.32.42/arch/x86/oprofile/backtrace.c 2011-04-17 15:56:46.000000000 -0400
21965 @@ -57,7 +57,7 @@ static struct frame_head *dump_user_back
21966 struct frame_head bufhead[2];
21968 /* Also check accessibility of one struct frame_head beyond */
21969 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
21970 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
21972 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
21974 @@ -77,7 +77,7 @@ x86_backtrace(struct pt_regs * const reg
21976 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
21978 - if (!user_mode_vm(regs)) {
21979 + if (!user_mode(regs)) {
21980 unsigned long stack = kernel_stack_pointer(regs);
21982 dump_trace(NULL, regs, (unsigned long *)stack, 0,
21983 diff -urNp linux-2.6.32.42/arch/x86/oprofile/op_model_p4.c linux-2.6.32.42/arch/x86/oprofile/op_model_p4.c
21984 --- linux-2.6.32.42/arch/x86/oprofile/op_model_p4.c 2011-03-27 14:31:47.000000000 -0400
21985 +++ linux-2.6.32.42/arch/x86/oprofile/op_model_p4.c 2011-04-17 15:56:46.000000000 -0400
21986 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
21990 -static int inline addr_increment(void)
21991 +static inline int addr_increment(void)
21994 return smp_num_siblings == 2 ? 2 : 1;
21995 diff -urNp linux-2.6.32.42/arch/x86/pci/common.c linux-2.6.32.42/arch/x86/pci/common.c
21996 --- linux-2.6.32.42/arch/x86/pci/common.c 2011-03-27 14:31:47.000000000 -0400
21997 +++ linux-2.6.32.42/arch/x86/pci/common.c 2011-04-23 12:56:10.000000000 -0400
21998 @@ -31,8 +31,8 @@ int noioapicreroute = 1;
21999 int pcibios_last_bus = -1;
22000 unsigned long pirq_table_addr;
22001 struct pci_bus *pci_root_bus;
22002 -struct pci_raw_ops *raw_pci_ops;
22003 -struct pci_raw_ops *raw_pci_ext_ops;
22004 +const struct pci_raw_ops *raw_pci_ops;
22005 +const struct pci_raw_ops *raw_pci_ext_ops;
22007 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
22008 int reg, int len, u32 *val)
22009 diff -urNp linux-2.6.32.42/arch/x86/pci/direct.c linux-2.6.32.42/arch/x86/pci/direct.c
22010 --- linux-2.6.32.42/arch/x86/pci/direct.c 2011-03-27 14:31:47.000000000 -0400
22011 +++ linux-2.6.32.42/arch/x86/pci/direct.c 2011-04-17 15:56:46.000000000 -0400
22012 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
22014 #undef PCI_CONF1_ADDRESS
22016 -struct pci_raw_ops pci_direct_conf1 = {
22017 +const struct pci_raw_ops pci_direct_conf1 = {
22018 .read = pci_conf1_read,
22019 .write = pci_conf1_write,
22021 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
22023 #undef PCI_CONF2_ADDRESS
22025 -struct pci_raw_ops pci_direct_conf2 = {
22026 +const struct pci_raw_ops pci_direct_conf2 = {
22027 .read = pci_conf2_read,
22028 .write = pci_conf2_write,
22030 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
22031 * This should be close to trivial, but it isn't, because there are buggy
22032 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
22034 -static int __init pci_sanity_check(struct pci_raw_ops *o)
22035 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
22039 diff -urNp linux-2.6.32.42/arch/x86/pci/mmconfig_32.c linux-2.6.32.42/arch/x86/pci/mmconfig_32.c
22040 --- linux-2.6.32.42/arch/x86/pci/mmconfig_32.c 2011-03-27 14:31:47.000000000 -0400
22041 +++ linux-2.6.32.42/arch/x86/pci/mmconfig_32.c 2011-04-17 15:56:46.000000000 -0400
22042 @@ -125,7 +125,7 @@ static int pci_mmcfg_write(unsigned int
22046 -static struct pci_raw_ops pci_mmcfg = {
22047 +static const struct pci_raw_ops pci_mmcfg = {
22048 .read = pci_mmcfg_read,
22049 .write = pci_mmcfg_write,
22051 diff -urNp linux-2.6.32.42/arch/x86/pci/mmconfig_64.c linux-2.6.32.42/arch/x86/pci/mmconfig_64.c
22052 --- linux-2.6.32.42/arch/x86/pci/mmconfig_64.c 2011-03-27 14:31:47.000000000 -0400
22053 +++ linux-2.6.32.42/arch/x86/pci/mmconfig_64.c 2011-04-17 15:56:46.000000000 -0400
22054 @@ -104,7 +104,7 @@ static int pci_mmcfg_write(unsigned int
22058 -static struct pci_raw_ops pci_mmcfg = {
22059 +static const struct pci_raw_ops pci_mmcfg = {
22060 .read = pci_mmcfg_read,
22061 .write = pci_mmcfg_write,
22063 diff -urNp linux-2.6.32.42/arch/x86/pci/numaq_32.c linux-2.6.32.42/arch/x86/pci/numaq_32.c
22064 --- linux-2.6.32.42/arch/x86/pci/numaq_32.c 2011-03-27 14:31:47.000000000 -0400
22065 +++ linux-2.6.32.42/arch/x86/pci/numaq_32.c 2011-04-17 15:56:46.000000000 -0400
22066 @@ -112,7 +112,7 @@ static int pci_conf1_mq_write(unsigned i
22068 #undef PCI_CONF1_MQ_ADDRESS
22070 -static struct pci_raw_ops pci_direct_conf1_mq = {
22071 +static const struct pci_raw_ops pci_direct_conf1_mq = {
22072 .read = pci_conf1_mq_read,
22073 .write = pci_conf1_mq_write
22075 diff -urNp linux-2.6.32.42/arch/x86/pci/olpc.c linux-2.6.32.42/arch/x86/pci/olpc.c
22076 --- linux-2.6.32.42/arch/x86/pci/olpc.c 2011-03-27 14:31:47.000000000 -0400
22077 +++ linux-2.6.32.42/arch/x86/pci/olpc.c 2011-04-17 15:56:46.000000000 -0400
22078 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
22082 -static struct pci_raw_ops pci_olpc_conf = {
22083 +static const struct pci_raw_ops pci_olpc_conf = {
22084 .read = pci_olpc_read,
22085 .write = pci_olpc_write,
22087 diff -urNp linux-2.6.32.42/arch/x86/pci/pcbios.c linux-2.6.32.42/arch/x86/pci/pcbios.c
22088 --- linux-2.6.32.42/arch/x86/pci/pcbios.c 2011-03-27 14:31:47.000000000 -0400
22089 +++ linux-2.6.32.42/arch/x86/pci/pcbios.c 2011-04-17 15:56:46.000000000 -0400
22090 @@ -56,50 +56,93 @@ union bios32 {
22092 unsigned long address;
22093 unsigned short segment;
22094 -} bios32_indirect = { 0, __KERNEL_CS };
22095 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
22098 * Returns the entry point for the given service, NULL on error
22101 -static unsigned long bios32_service(unsigned long service)
22102 +static unsigned long __devinit bios32_service(unsigned long service)
22104 unsigned char return_code; /* %al */
22105 unsigned long address; /* %ebx */
22106 unsigned long length; /* %ecx */
22107 unsigned long entry; /* %edx */
22108 unsigned long flags;
22109 + struct desc_struct d, *gdt;
22111 local_irq_save(flags);
22112 - __asm__("lcall *(%%edi); cld"
22114 + gdt = get_cpu_gdt_table(smp_processor_id());
22116 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
22117 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
22118 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
22119 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
22121 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
22122 : "=a" (return_code),
22128 - "D" (&bios32_indirect));
22129 + "D" (&bios32_indirect),
22130 + "r"(__PCIBIOS_DS)
22133 + pax_open_kernel();
22134 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
22135 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
22136 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
22137 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
22138 + pax_close_kernel();
22140 local_irq_restore(flags);
22142 switch (return_code) {
22144 - return address + entry;
22145 - case 0x80: /* Not present */
22146 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
22148 - default: /* Shouldn't happen */
22149 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
22150 - service, return_code);
22153 + unsigned char flags;
22155 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
22156 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
22157 + printk(KERN_WARNING "bios32_service: not valid\n");
22160 + address = address + PAGE_OFFSET;
22161 + length += 16UL; /* some BIOSs underreport this... */
22163 + if (length >= 64*1024*1024) {
22164 + length >>= PAGE_SHIFT;
22168 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
22169 + gdt = get_cpu_gdt_table(cpu);
22170 + pack_descriptor(&d, address, length, 0x9b, flags);
22171 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
22172 + pack_descriptor(&d, address, length, 0x93, flags);
22173 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
22177 + case 0x80: /* Not present */
22178 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
22180 + default: /* Shouldn't happen */
22181 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
22182 + service, return_code);
22188 unsigned long address;
22189 unsigned short segment;
22190 -} pci_indirect = { 0, __KERNEL_CS };
22191 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
22193 -static int pci_bios_present;
22194 +static int pci_bios_present __read_only;
22196 static int __devinit check_pcibios(void)
22198 @@ -108,11 +151,13 @@ static int __devinit check_pcibios(void)
22199 unsigned long flags, pcibios_entry;
22201 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
22202 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
22203 + pci_indirect.address = pcibios_entry;
22205 local_irq_save(flags);
22207 - "lcall *(%%edi); cld\n\t"
22208 + __asm__("movw %w6, %%ds\n\t"
22209 + "lcall *%%ss:(%%edi); cld\n\t"
22215 @@ -121,7 +166,8 @@ static int __devinit check_pcibios(void)
22218 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
22219 - "D" (&pci_indirect)
22220 + "D" (&pci_indirect),
22221 + "r" (__PCIBIOS_DS)
22223 local_irq_restore(flags);
22225 @@ -165,7 +211,10 @@ static int pci_bios_read(unsigned int se
22229 - __asm__("lcall *(%%esi); cld\n\t"
22230 + __asm__("movw %w6, %%ds\n\t"
22231 + "lcall *%%ss:(%%esi); cld\n\t"
22237 @@ -174,7 +223,8 @@ static int pci_bios_read(unsigned int se
22238 : "1" (PCIBIOS_READ_CONFIG_BYTE),
22241 - "S" (&pci_indirect));
22242 + "S" (&pci_indirect),
22243 + "r" (__PCIBIOS_DS));
22245 * Zero-extend the result beyond 8 bits, do not trust the
22246 * BIOS having done it:
22247 @@ -182,7 +232,10 @@ static int pci_bios_read(unsigned int se
22251 - __asm__("lcall *(%%esi); cld\n\t"
22252 + __asm__("movw %w6, %%ds\n\t"
22253 + "lcall *%%ss:(%%esi); cld\n\t"
22259 @@ -191,7 +244,8 @@ static int pci_bios_read(unsigned int se
22260 : "1" (PCIBIOS_READ_CONFIG_WORD),
22263 - "S" (&pci_indirect));
22264 + "S" (&pci_indirect),
22265 + "r" (__PCIBIOS_DS));
22267 * Zero-extend the result beyond 16 bits, do not trust the
22268 * BIOS having done it:
22269 @@ -199,7 +253,10 @@ static int pci_bios_read(unsigned int se
22273 - __asm__("lcall *(%%esi); cld\n\t"
22274 + __asm__("movw %w6, %%ds\n\t"
22275 + "lcall *%%ss:(%%esi); cld\n\t"
22281 @@ -208,7 +265,8 @@ static int pci_bios_read(unsigned int se
22282 : "1" (PCIBIOS_READ_CONFIG_DWORD),
22285 - "S" (&pci_indirect));
22286 + "S" (&pci_indirect),
22287 + "r" (__PCIBIOS_DS));
22291 @@ -231,7 +289,10 @@ static int pci_bios_write(unsigned int s
22295 - __asm__("lcall *(%%esi); cld\n\t"
22296 + __asm__("movw %w6, %%ds\n\t"
22297 + "lcall *%%ss:(%%esi); cld\n\t"
22303 @@ -240,10 +301,14 @@ static int pci_bios_write(unsigned int s
22307 - "S" (&pci_indirect));
22308 + "S" (&pci_indirect),
22309 + "r" (__PCIBIOS_DS));
22312 - __asm__("lcall *(%%esi); cld\n\t"
22313 + __asm__("movw %w6, %%ds\n\t"
22314 + "lcall *%%ss:(%%esi); cld\n\t"
22320 @@ -252,10 +317,14 @@ static int pci_bios_write(unsigned int s
22324 - "S" (&pci_indirect));
22325 + "S" (&pci_indirect),
22326 + "r" (__PCIBIOS_DS));
22329 - __asm__("lcall *(%%esi); cld\n\t"
22330 + __asm__("movw %w6, %%ds\n\t"
22331 + "lcall *%%ss:(%%esi); cld\n\t"
22337 @@ -264,7 +333,8 @@ static int pci_bios_write(unsigned int s
22341 - "S" (&pci_indirect));
22342 + "S" (&pci_indirect),
22343 + "r" (__PCIBIOS_DS));
22347 @@ -278,7 +348,7 @@ static int pci_bios_write(unsigned int s
22348 * Function table for BIOS32 access
22351 -static struct pci_raw_ops pci_bios_access = {
22352 +static const struct pci_raw_ops pci_bios_access = {
22353 .read = pci_bios_read,
22354 .write = pci_bios_write
22356 @@ -287,7 +357,7 @@ static struct pci_raw_ops pci_bios_acces
22357 * Try to find PCI BIOS.
22360 -static struct pci_raw_ops * __devinit pci_find_bios(void)
22361 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
22363 union bios32 *check;
22365 @@ -368,10 +438,13 @@ struct irq_routing_table * pcibios_get_i
22367 DBG("PCI: Fetching IRQ routing table... ");
22368 __asm__("push %%es\n\t"
22369 + "movw %w8, %%ds\n\t"
22372 - "lcall *(%%esi); cld\n\t"
22373 + "lcall *%%ss:(%%esi); cld\n\t"
22380 @@ -382,7 +455,8 @@ struct irq_routing_table * pcibios_get_i
22383 "S" (&pci_indirect),
22386 + "r" (__PCIBIOS_DS)
22388 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
22390 @@ -406,7 +480,10 @@ int pcibios_set_irq_routing(struct pci_d
22394 - __asm__("lcall *(%%esi); cld\n\t"
22395 + __asm__("movw %w5, %%ds\n\t"
22396 + "lcall *%%ss:(%%esi); cld\n\t"
22402 @@ -414,7 +491,8 @@ int pcibios_set_irq_routing(struct pci_d
22403 : "0" (PCIBIOS_SET_PCI_HW_INT),
22404 "b" ((dev->bus->number << 8) | dev->devfn),
22405 "c" ((irq << 8) | (pin + 10)),
22406 - "S" (&pci_indirect));
22407 + "S" (&pci_indirect),
22408 + "r" (__PCIBIOS_DS));
22409 return !(ret & 0xff00);
22411 EXPORT_SYMBOL(pcibios_set_irq_routing);
22412 diff -urNp linux-2.6.32.42/arch/x86/power/cpu.c linux-2.6.32.42/arch/x86/power/cpu.c
22413 --- linux-2.6.32.42/arch/x86/power/cpu.c 2011-03-27 14:31:47.000000000 -0400
22414 +++ linux-2.6.32.42/arch/x86/power/cpu.c 2011-04-17 15:56:46.000000000 -0400
22415 @@ -129,7 +129,7 @@ static void do_fpu_end(void)
22416 static void fix_processor_context(void)
22418 int cpu = smp_processor_id();
22419 - struct tss_struct *t = &per_cpu(init_tss, cpu);
22420 + struct tss_struct *t = init_tss + cpu;
22422 set_tss_desc(cpu, t); /*
22423 * This just modifies memory; should not be
22424 @@ -139,7 +139,9 @@ static void fix_processor_context(void)
22427 #ifdef CONFIG_X86_64
22428 + pax_open_kernel();
22429 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
22430 + pax_close_kernel();
22432 syscall_init(); /* This sets MSR_*STAR and related */
22434 diff -urNp linux-2.6.32.42/arch/x86/vdso/Makefile linux-2.6.32.42/arch/x86/vdso/Makefile
22435 --- linux-2.6.32.42/arch/x86/vdso/Makefile 2011-03-27 14:31:47.000000000 -0400
22436 +++ linux-2.6.32.42/arch/x86/vdso/Makefile 2011-04-17 15:56:46.000000000 -0400
22437 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO $@
22438 $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
22439 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
22441 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
22442 +VDSO_LDFLAGS = -fPIC -shared -Wl,--no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
22446 diff -urNp linux-2.6.32.42/arch/x86/vdso/vclock_gettime.c linux-2.6.32.42/arch/x86/vdso/vclock_gettime.c
22447 --- linux-2.6.32.42/arch/x86/vdso/vclock_gettime.c 2011-03-27 14:31:47.000000000 -0400
22448 +++ linux-2.6.32.42/arch/x86/vdso/vclock_gettime.c 2011-04-17 15:56:46.000000000 -0400
22449 @@ -22,24 +22,48 @@
22450 #include <asm/hpet.h>
22451 #include <asm/unistd.h>
22452 #include <asm/io.h>
22453 +#include <asm/fixmap.h>
22454 #include "vextern.h"
22456 #define gtod vdso_vsyscall_gtod_data
22458 +notrace noinline long __vdso_fallback_time(long *t)
22461 + asm volatile("syscall"
22463 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
22467 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
22470 asm("syscall" : "=a" (ret) :
22471 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
22472 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
22476 +notrace static inline cycle_t __vdso_vread_hpet(void)
22478 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
22481 +notrace static inline cycle_t __vdso_vread_tsc(void)
22483 + cycle_t ret = (cycle_t)vget_cycles();
22485 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
22488 notrace static inline long vgetns(void)
22491 - cycles_t (*vread)(void);
22492 - vread = gtod->clock.vread;
22493 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
22494 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
22495 + v = __vdso_vread_tsc();
22497 + v = __vdso_vread_hpet();
22498 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
22499 return (v * gtod->clock.mult) >> gtod->clock.shift;
22502 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
22504 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
22506 - if (likely(gtod->sysctl_enabled))
22507 + if (likely(gtod->sysctl_enabled &&
22508 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
22509 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
22511 case CLOCK_REALTIME:
22512 if (likely(gtod->clock.vread))
22513 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
22514 int clock_gettime(clockid_t, struct timespec *)
22515 __attribute__((weak, alias("__vdso_clock_gettime")));
22517 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
22518 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
22521 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
22522 + asm("syscall" : "=a" (ret) :
22523 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
22527 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
22529 + if (likely(gtod->sysctl_enabled &&
22530 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
22531 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
22533 if (likely(tv != NULL)) {
22534 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
22535 offsetof(struct timespec, tv_nsec) ||
22536 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
22540 - asm("syscall" : "=a" (ret) :
22541 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
22543 + return __vdso_fallback_gettimeofday(tv, tz);
22545 int gettimeofday(struct timeval *, struct timezone *)
22546 __attribute__((weak, alias("__vdso_gettimeofday")));
22547 diff -urNp linux-2.6.32.42/arch/x86/vdso/vdso32-setup.c linux-2.6.32.42/arch/x86/vdso/vdso32-setup.c
22548 --- linux-2.6.32.42/arch/x86/vdso/vdso32-setup.c 2011-03-27 14:31:47.000000000 -0400
22549 +++ linux-2.6.32.42/arch/x86/vdso/vdso32-setup.c 2011-04-23 12:56:10.000000000 -0400
22551 #include <asm/tlbflush.h>
22552 #include <asm/vdso.h>
22553 #include <asm/proto.h>
22554 +#include <asm/mman.h>
22558 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
22559 void enable_sep_cpu(void)
22561 int cpu = get_cpu();
22562 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
22563 + struct tss_struct *tss = init_tss + cpu;
22565 if (!boot_cpu_has(X86_FEATURE_SEP)) {
22567 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
22568 gate_vma.vm_start = FIXADDR_USER_START;
22569 gate_vma.vm_end = FIXADDR_USER_END;
22570 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
22571 - gate_vma.vm_page_prot = __P101;
22572 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
22574 * Make sure the vDSO gets into every core dump.
22575 * Dumping its contents makes post-mortem fully interpretable later
22576 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
22578 addr = VDSO_HIGH_BASE;
22580 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
22581 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
22582 if (IS_ERR_VALUE(addr)) {
22588 - current->mm->context.vdso = (void *)addr;
22589 + current->mm->context.vdso = addr;
22591 if (compat_uses_vma || !compat) {
22593 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
22596 current_thread_info()->sysenter_return =
22597 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22598 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
22602 - current->mm->context.vdso = NULL;
22603 + current->mm->context.vdso = 0;
22605 up_write(&mm->mmap_sem);
22607 @@ -413,8 +414,14 @@ __initcall(ia32_binfmt_init);
22609 const char *arch_vma_name(struct vm_area_struct *vma)
22611 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
22612 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
22615 +#ifdef CONFIG_PAX_SEGMEXEC
22616 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
22623 @@ -423,7 +430,7 @@ struct vm_area_struct *get_gate_vma(stru
22624 struct mm_struct *mm = tsk->mm;
22626 /* Check to see if this task was created in compat vdso mode */
22627 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
22628 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
22632 diff -urNp linux-2.6.32.42/arch/x86/vdso/vdso.lds.S linux-2.6.32.42/arch/x86/vdso/vdso.lds.S
22633 --- linux-2.6.32.42/arch/x86/vdso/vdso.lds.S 2011-03-27 14:31:47.000000000 -0400
22634 +++ linux-2.6.32.42/arch/x86/vdso/vdso.lds.S 2011-06-06 17:35:35.000000000 -0400
22635 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
22636 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
22637 #include "vextern.h"
22640 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
22641 +VEXTERN(fallback_gettimeofday)
22642 +VEXTERN(fallback_time)
22645 diff -urNp linux-2.6.32.42/arch/x86/vdso/vextern.h linux-2.6.32.42/arch/x86/vdso/vextern.h
22646 --- linux-2.6.32.42/arch/x86/vdso/vextern.h 2011-03-27 14:31:47.000000000 -0400
22647 +++ linux-2.6.32.42/arch/x86/vdso/vextern.h 2011-04-17 15:56:46.000000000 -0400
22649 put into vextern.h and be referenced as a pointer with vdso prefix.
22650 The main kernel later fills in the values. */
22653 VEXTERN(vgetcpu_mode)
22654 VEXTERN(vsyscall_gtod_data)
22655 diff -urNp linux-2.6.32.42/arch/x86/vdso/vma.c linux-2.6.32.42/arch/x86/vdso/vma.c
22656 --- linux-2.6.32.42/arch/x86/vdso/vma.c 2011-03-27 14:31:47.000000000 -0400
22657 +++ linux-2.6.32.42/arch/x86/vdso/vma.c 2011-04-17 15:56:46.000000000 -0400
22658 @@ -57,7 +57,7 @@ static int __init init_vdso_vars(void)
22662 - if (memcmp(vbase, "\177ELF", 4)) {
22663 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
22664 printk("VDSO: I'm broken; not ELF\n");
22667 @@ -66,6 +66,7 @@ static int __init init_vdso_vars(void)
22668 *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
22669 #include "vextern.h"
22675 @@ -116,7 +117,7 @@ int arch_setup_additional_pages(struct l
22679 - current->mm->context.vdso = (void *)addr;
22680 + current->mm->context.vdso = addr;
22682 ret = install_special_mapping(mm, addr, vdso_size,
22684 @@ -124,7 +125,7 @@ int arch_setup_additional_pages(struct l
22688 - current->mm->context.vdso = NULL;
22689 + current->mm->context.vdso = 0;
22693 @@ -132,10 +133,3 @@ up_fail:
22694 up_write(&mm->mmap_sem);
22698 -static __init int vdso_setup(char *s)
22700 - vdso_enabled = simple_strtoul(s, NULL, 0);
22703 -__setup("vdso=", vdso_setup);
22704 diff -urNp linux-2.6.32.42/arch/x86/xen/enlighten.c linux-2.6.32.42/arch/x86/xen/enlighten.c
22705 --- linux-2.6.32.42/arch/x86/xen/enlighten.c 2011-03-27 14:31:47.000000000 -0400
22706 +++ linux-2.6.32.42/arch/x86/xen/enlighten.c 2011-05-22 23:02:03.000000000 -0400
22707 @@ -71,8 +71,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
22709 struct shared_info xen_dummy_shared_info;
22711 -void *xen_initial_gdt;
22714 * Point at some empty memory to start with. We map the real shared_info
22715 * page as soon as fixmap is up and running.
22716 @@ -548,7 +546,7 @@ static void xen_write_idt_entry(gate_des
22720 - start = __get_cpu_var(idt_desc).address;
22721 + start = (unsigned long)__get_cpu_var(idt_desc).address;
22722 end = start + __get_cpu_var(idt_desc).size + 1;
22725 @@ -993,7 +991,7 @@ static const struct pv_apic_ops xen_apic
22729 -static void xen_reboot(int reason)
22730 +static __noreturn void xen_reboot(int reason)
22732 struct sched_shutdown r = { .reason = reason };
22734 @@ -1001,17 +999,17 @@ static void xen_reboot(int reason)
22738 -static void xen_restart(char *msg)
22739 +static __noreturn void xen_restart(char *msg)
22741 xen_reboot(SHUTDOWN_reboot);
22744 -static void xen_emergency_restart(void)
22745 +static __noreturn void xen_emergency_restart(void)
22747 xen_reboot(SHUTDOWN_reboot);
22750 -static void xen_machine_halt(void)
22751 +static __noreturn void xen_machine_halt(void)
22753 xen_reboot(SHUTDOWN_poweroff);
22755 @@ -1095,9 +1093,20 @@ asmlinkage void __init xen_start_kernel(
22757 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
22759 -#ifdef CONFIG_X86_64
22760 /* Work out if we support NX */
22762 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
22763 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
22764 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
22767 +#ifdef CONFIG_X86_PAE
22770 + __supported_pte_mask |= _PAGE_NX;
22771 + rdmsr(MSR_EFER, l, h);
22773 + wrmsr(MSR_EFER, l, h);
22777 xen_setup_features();
22778 @@ -1129,13 +1138,6 @@ asmlinkage void __init xen_start_kernel(
22780 machine_ops = xen_machine_ops;
22783 - * The only reliable way to retain the initial address of the
22784 - * percpu gdt_page is to remember it here, so we can go and
22785 - * mark it RW later, when the initial percpu area is freed.
22787 - xen_initial_gdt = &per_cpu(gdt_page, 0);
22791 pgd = (pgd_t *)xen_start_info->pt_base;
22792 diff -urNp linux-2.6.32.42/arch/x86/xen/mmu.c linux-2.6.32.42/arch/x86/xen/mmu.c
22793 --- linux-2.6.32.42/arch/x86/xen/mmu.c 2011-06-25 12:55:34.000000000 -0400
22794 +++ linux-2.6.32.42/arch/x86/xen/mmu.c 2011-06-25 12:56:37.000000000 -0400
22795 @@ -1714,6 +1714,8 @@ __init pgd_t *xen_setup_kernel_pagetable
22796 convert_pfn_mfn(init_level4_pgt);
22797 convert_pfn_mfn(level3_ident_pgt);
22798 convert_pfn_mfn(level3_kernel_pgt);
22799 + convert_pfn_mfn(level3_vmalloc_pgt);
22800 + convert_pfn_mfn(level3_vmemmap_pgt);
22802 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
22803 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
22804 @@ -1732,7 +1734,10 @@ __init pgd_t *xen_setup_kernel_pagetable
22805 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
22806 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
22807 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
22808 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
22809 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
22810 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
22811 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
22812 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
22813 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
22815 diff -urNp linux-2.6.32.42/arch/x86/xen/smp.c linux-2.6.32.42/arch/x86/xen/smp.c
22816 --- linux-2.6.32.42/arch/x86/xen/smp.c 2011-03-27 14:31:47.000000000 -0400
22817 +++ linux-2.6.32.42/arch/x86/xen/smp.c 2011-05-11 18:25:15.000000000 -0400
22818 @@ -167,11 +167,6 @@ static void __init xen_smp_prepare_boot_
22820 BUG_ON(smp_processor_id() != 0);
22821 native_smp_prepare_boot_cpu();
22823 - /* We've switched to the "real" per-cpu gdt, so make sure the
22824 - old memory can be recycled */
22825 - make_lowmem_page_readwrite(xen_initial_gdt);
22827 xen_setup_vcpu_info_placement();
22830 @@ -231,12 +226,12 @@ cpu_initialize_context(unsigned int cpu,
22831 gdt = get_cpu_gdt_table(cpu);
22833 ctxt->flags = VGCF_IN_KERNEL;
22834 - ctxt->user_regs.ds = __USER_DS;
22835 - ctxt->user_regs.es = __USER_DS;
22836 + ctxt->user_regs.ds = __KERNEL_DS;
22837 + ctxt->user_regs.es = __KERNEL_DS;
22838 ctxt->user_regs.ss = __KERNEL_DS;
22839 #ifdef CONFIG_X86_32
22840 ctxt->user_regs.fs = __KERNEL_PERCPU;
22841 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
22842 + savesegment(gs, ctxt->user_regs.gs);
22844 ctxt->gs_base_kernel = per_cpu_offset(cpu);
22846 @@ -287,13 +282,12 @@ static int __cpuinit xen_cpu_up(unsigned
22849 per_cpu(current_task, cpu) = idle;
22850 + per_cpu(current_tinfo, cpu) = &idle->tinfo;
22851 #ifdef CONFIG_X86_32
22854 clear_tsk_thread_flag(idle, TIF_FORK);
22855 - per_cpu(kernel_stack, cpu) =
22856 - (unsigned long)task_stack_page(idle) -
22857 - KERNEL_STACK_OFFSET + THREAD_SIZE;
22858 + per_cpu(kernel_stack, cpu) = (unsigned long)task_stack_page(idle) - 16 + THREAD_SIZE;
22860 xen_setup_runstate_info(cpu);
22861 xen_setup_timer(cpu);
22862 diff -urNp linux-2.6.32.42/arch/x86/xen/xen-asm_32.S linux-2.6.32.42/arch/x86/xen/xen-asm_32.S
22863 --- linux-2.6.32.42/arch/x86/xen/xen-asm_32.S 2011-03-27 14:31:47.000000000 -0400
22864 +++ linux-2.6.32.42/arch/x86/xen/xen-asm_32.S 2011-04-22 19:13:13.000000000 -0400
22865 @@ -83,14 +83,14 @@ ENTRY(xen_iret)
22866 ESP_OFFSET=4 # bytes pushed onto stack
22869 - * Store vcpu_info pointer for easy access. Do it this way to
22870 - * avoid having to reload %fs
22871 + * Store vcpu_info pointer for easy access.
22874 - GET_THREAD_INFO(%eax)
22875 - movl TI_cpu(%eax), %eax
22876 - movl __per_cpu_offset(,%eax,4), %eax
22877 - mov per_cpu__xen_vcpu(%eax), %eax
22879 + mov $(__KERNEL_PERCPU), %eax
22881 + mov PER_CPU_VAR(xen_vcpu), %eax
22884 movl per_cpu__xen_vcpu, %eax
22886 diff -urNp linux-2.6.32.42/arch/x86/xen/xen-head.S linux-2.6.32.42/arch/x86/xen/xen-head.S
22887 --- linux-2.6.32.42/arch/x86/xen/xen-head.S 2011-03-27 14:31:47.000000000 -0400
22888 +++ linux-2.6.32.42/arch/x86/xen/xen-head.S 2011-04-17 15:56:46.000000000 -0400
22889 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
22890 #ifdef CONFIG_X86_32
22891 mov %esi,xen_start_info
22892 mov $init_thread_union+THREAD_SIZE,%esp
22894 + movl $cpu_gdt_table,%edi
22895 + movl $__per_cpu_load,%eax
22896 + movw %ax,__KERNEL_PERCPU + 2(%edi)
22898 + movb %al,__KERNEL_PERCPU + 4(%edi)
22899 + movb %ah,__KERNEL_PERCPU + 7(%edi)
22900 + movl $__per_cpu_end - 1,%eax
22901 + subl $__per_cpu_start,%eax
22902 + movw %ax,__KERNEL_PERCPU + 0(%edi)
22905 mov %rsi,xen_start_info
22906 mov $init_thread_union+THREAD_SIZE,%rsp
22907 diff -urNp linux-2.6.32.42/arch/x86/xen/xen-ops.h linux-2.6.32.42/arch/x86/xen/xen-ops.h
22908 --- linux-2.6.32.42/arch/x86/xen/xen-ops.h 2011-03-27 14:31:47.000000000 -0400
22909 +++ linux-2.6.32.42/arch/x86/xen/xen-ops.h 2011-04-17 15:56:46.000000000 -0400
22911 extern const char xen_hypervisor_callback[];
22912 extern const char xen_failsafe_callback[];
22914 -extern void *xen_initial_gdt;
22917 void xen_copy_trap_info(struct trap_info *traps);
22919 diff -urNp linux-2.6.32.42/block/blk-integrity.c linux-2.6.32.42/block/blk-integrity.c
22920 --- linux-2.6.32.42/block/blk-integrity.c 2011-03-27 14:31:47.000000000 -0400
22921 +++ linux-2.6.32.42/block/blk-integrity.c 2011-04-17 15:56:46.000000000 -0400
22922 @@ -278,7 +278,7 @@ static struct attribute *integrity_attrs
22926 -static struct sysfs_ops integrity_ops = {
22927 +static const struct sysfs_ops integrity_ops = {
22928 .show = &integrity_attr_show,
22929 .store = &integrity_attr_store,
22931 diff -urNp linux-2.6.32.42/block/blk-iopoll.c linux-2.6.32.42/block/blk-iopoll.c
22932 --- linux-2.6.32.42/block/blk-iopoll.c 2011-03-27 14:31:47.000000000 -0400
22933 +++ linux-2.6.32.42/block/blk-iopoll.c 2011-04-17 15:56:46.000000000 -0400
22934 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
22936 EXPORT_SYMBOL(blk_iopoll_complete);
22938 -static void blk_iopoll_softirq(struct softirq_action *h)
22939 +static void blk_iopoll_softirq(void)
22941 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
22942 int rearm = 0, budget = blk_iopoll_budget;
22943 diff -urNp linux-2.6.32.42/block/blk-map.c linux-2.6.32.42/block/blk-map.c
22944 --- linux-2.6.32.42/block/blk-map.c 2011-03-27 14:31:47.000000000 -0400
22945 +++ linux-2.6.32.42/block/blk-map.c 2011-04-18 16:57:33.000000000 -0400
22946 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
22947 * direct dma. else, set up kernel bounce buffers
22949 uaddr = (unsigned long) ubuf;
22950 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
22951 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
22952 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
22954 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
22955 @@ -201,12 +201,13 @@ int blk_rq_map_user_iov(struct request_q
22956 for (i = 0; i < iov_count; i++) {
22957 unsigned long uaddr = (unsigned long)iov[i].iov_base;
22959 + if (!iov[i].iov_len)
22962 if (uaddr & queue_dma_alignment(q)) {
22966 - if (!iov[i].iov_len)
22970 if (unaligned || (q->dma_pad_mask & len) || map_data)
22971 @@ -299,7 +300,7 @@ int blk_rq_map_kern(struct request_queue
22975 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
22976 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
22978 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
22980 diff -urNp linux-2.6.32.42/block/blk-softirq.c linux-2.6.32.42/block/blk-softirq.c
22981 --- linux-2.6.32.42/block/blk-softirq.c 2011-03-27 14:31:47.000000000 -0400
22982 +++ linux-2.6.32.42/block/blk-softirq.c 2011-04-17 15:56:46.000000000 -0400
22983 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
22984 * Softirq action handler - move entries to local list and loop over them
22985 * while passing them to the queue registered handler.
22987 -static void blk_done_softirq(struct softirq_action *h)
22988 +static void blk_done_softirq(void)
22990 struct list_head *cpu_list, local_list;
22992 diff -urNp linux-2.6.32.42/block/blk-sysfs.c linux-2.6.32.42/block/blk-sysfs.c
22993 --- linux-2.6.32.42/block/blk-sysfs.c 2011-05-10 22:12:01.000000000 -0400
22994 +++ linux-2.6.32.42/block/blk-sysfs.c 2011-05-10 22:12:26.000000000 -0400
22995 @@ -414,7 +414,7 @@ static void blk_release_queue(struct kob
22996 kmem_cache_free(blk_requestq_cachep, q);
22999 -static struct sysfs_ops queue_sysfs_ops = {
23000 +static const struct sysfs_ops queue_sysfs_ops = {
23001 .show = queue_attr_show,
23002 .store = queue_attr_store,
23004 diff -urNp linux-2.6.32.42/block/bsg.c linux-2.6.32.42/block/bsg.c
23005 --- linux-2.6.32.42/block/bsg.c 2011-03-27 14:31:47.000000000 -0400
23006 +++ linux-2.6.32.42/block/bsg.c 2011-04-17 15:56:46.000000000 -0400
23007 @@ -175,16 +175,24 @@ static int blk_fill_sgv4_hdr_rq(struct r
23008 struct sg_io_v4 *hdr, struct bsg_device *bd,
23009 fmode_t has_write_perm)
23011 + unsigned char tmpcmd[sizeof(rq->__cmd)];
23012 + unsigned char *cmdptr;
23014 if (hdr->request_len > BLK_MAX_CDB) {
23015 rq->cmd = kzalloc(hdr->request_len, GFP_KERNEL);
23019 + cmdptr = rq->cmd;
23023 - if (copy_from_user(rq->cmd, (void *)(unsigned long)hdr->request,
23024 + if (copy_from_user(cmdptr, (void *)(unsigned long)hdr->request,
23028 + if (cmdptr != rq->cmd)
23029 + memcpy(rq->cmd, cmdptr, hdr->request_len);
23031 if (hdr->subprotocol == BSG_SUB_PROTOCOL_SCSI_CMD) {
23032 if (blk_verify_command(rq->cmd, has_write_perm))
23034 diff -urNp linux-2.6.32.42/block/elevator.c linux-2.6.32.42/block/elevator.c
23035 --- linux-2.6.32.42/block/elevator.c 2011-03-27 14:31:47.000000000 -0400
23036 +++ linux-2.6.32.42/block/elevator.c 2011-04-17 15:56:46.000000000 -0400
23037 @@ -889,7 +889,7 @@ elv_attr_store(struct kobject *kobj, str
23041 -static struct sysfs_ops elv_sysfs_ops = {
23042 +static const struct sysfs_ops elv_sysfs_ops = {
23043 .show = elv_attr_show,
23044 .store = elv_attr_store,
23046 diff -urNp linux-2.6.32.42/block/scsi_ioctl.c linux-2.6.32.42/block/scsi_ioctl.c
23047 --- linux-2.6.32.42/block/scsi_ioctl.c 2011-03-27 14:31:47.000000000 -0400
23048 +++ linux-2.6.32.42/block/scsi_ioctl.c 2011-04-23 13:28:22.000000000 -0400
23049 @@ -220,8 +220,20 @@ EXPORT_SYMBOL(blk_verify_command);
23050 static int blk_fill_sghdr_rq(struct request_queue *q, struct request *rq,
23051 struct sg_io_hdr *hdr, fmode_t mode)
23053 - if (copy_from_user(rq->cmd, hdr->cmdp, hdr->cmd_len))
23054 + unsigned char tmpcmd[sizeof(rq->__cmd)];
23055 + unsigned char *cmdptr;
23057 + if (rq->cmd != rq->__cmd)
23058 + cmdptr = rq->cmd;
23062 + if (copy_from_user(cmdptr, hdr->cmdp, hdr->cmd_len))
23065 + if (cmdptr != rq->cmd)
23066 + memcpy(rq->cmd, cmdptr, hdr->cmd_len);
23068 if (blk_verify_command(rq->cmd, mode & FMODE_WRITE))
23071 @@ -430,6 +442,8 @@ int sg_scsi_ioctl(struct request_queue *
23073 unsigned int in_len, out_len, bytes, opcode, cmdlen;
23074 char *buffer = NULL, sense[SCSI_SENSE_BUFFERSIZE];
23075 + unsigned char tmpcmd[sizeof(rq->__cmd)];
23076 + unsigned char *cmdptr;
23080 @@ -463,9 +477,18 @@ int sg_scsi_ioctl(struct request_queue *
23083 rq->cmd_len = cmdlen;
23084 - if (copy_from_user(rq->cmd, sic->data, cmdlen))
23086 + if (rq->cmd != rq->__cmd)
23087 + cmdptr = rq->cmd;
23091 + if (copy_from_user(cmdptr, sic->data, cmdlen))
23094 + if (rq->cmd != cmdptr)
23095 + memcpy(rq->cmd, cmdptr, cmdlen);
23097 if (in_len && copy_from_user(buffer, sic->data + cmdlen, in_len))
23100 diff -urNp linux-2.6.32.42/crypto/serpent.c linux-2.6.32.42/crypto/serpent.c
23101 --- linux-2.6.32.42/crypto/serpent.c 2011-03-27 14:31:47.000000000 -0400
23102 +++ linux-2.6.32.42/crypto/serpent.c 2011-05-16 21:46:57.000000000 -0400
23103 @@ -224,6 +224,8 @@ static int serpent_setkey(struct crypto_
23104 u32 r0,r1,r2,r3,r4;
23107 + pax_track_stack();
23109 /* Copy key, add padding */
23111 for (i = 0; i < keylen; ++i)
23112 diff -urNp linux-2.6.32.42/Documentation/dontdiff linux-2.6.32.42/Documentation/dontdiff
23113 --- linux-2.6.32.42/Documentation/dontdiff 2011-03-27 14:31:47.000000000 -0400
23114 +++ linux-2.6.32.42/Documentation/dontdiff 2011-05-18 20:09:36.000000000 -0400
23143 @@ -49,11 +54,16 @@
23160 @@ -76,7 +86,11 @@ btfixupprep
23164 +capability_names.h
23172 @@ -103,13 +117,14 @@ gen_crc32table
23179 initramfs_data.cpio
23180 +initramfs_data.cpio.bz2
23181 initramfs_data.cpio.gz
23188 @@ -133,7 +148,9 @@ mkboot
23198 @@ -149,6 +166,7 @@ patches*
23206 @@ -157,12 +175,15 @@ qconf
23222 @@ -186,14 +207,20 @@ version.h*
23243 diff -urNp linux-2.6.32.42/Documentation/kernel-parameters.txt linux-2.6.32.42/Documentation/kernel-parameters.txt
23244 --- linux-2.6.32.42/Documentation/kernel-parameters.txt 2011-03-27 14:31:47.000000000 -0400
23245 +++ linux-2.6.32.42/Documentation/kernel-parameters.txt 2011-04-17 15:56:45.000000000 -0400
23246 @@ -1837,6 +1837,13 @@ and is between 256 and 4096 characters.
23247 the specified number of seconds. This is to be used if
23248 your oopses keep scrolling off the screen.
23250 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
23251 + virtualization environments that don't cope well with the
23252 + expand down segment used by UDEREF on X86-32 or the frequent
23253 + page table updates on X86-64.
23255 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
23260 diff -urNp linux-2.6.32.42/drivers/acpi/acpi_pad.c linux-2.6.32.42/drivers/acpi/acpi_pad.c
23261 --- linux-2.6.32.42/drivers/acpi/acpi_pad.c 2011-03-27 14:31:47.000000000 -0400
23262 +++ linux-2.6.32.42/drivers/acpi/acpi_pad.c 2011-04-17 15:56:46.000000000 -0400
23264 #include <acpi/acpi_bus.h>
23265 #include <acpi/acpi_drivers.h>
23267 -#define ACPI_PROCESSOR_AGGREGATOR_CLASS "processor_aggregator"
23268 +#define ACPI_PROCESSOR_AGGREGATOR_CLASS "acpi_pad"
23269 #define ACPI_PROCESSOR_AGGREGATOR_DEVICE_NAME "Processor Aggregator"
23270 #define ACPI_PROCESSOR_AGGREGATOR_NOTIFY 0x80
23271 static DEFINE_MUTEX(isolated_cpus_lock);
23272 diff -urNp linux-2.6.32.42/drivers/acpi/battery.c linux-2.6.32.42/drivers/acpi/battery.c
23273 --- linux-2.6.32.42/drivers/acpi/battery.c 2011-03-27 14:31:47.000000000 -0400
23274 +++ linux-2.6.32.42/drivers/acpi/battery.c 2011-04-17 15:56:46.000000000 -0400
23275 @@ -763,7 +763,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
23278 static struct battery_file {
23279 - struct file_operations ops;
23280 + const struct file_operations ops;
23283 } acpi_battery_file[] = {
23284 diff -urNp linux-2.6.32.42/drivers/acpi/dock.c linux-2.6.32.42/drivers/acpi/dock.c
23285 --- linux-2.6.32.42/drivers/acpi/dock.c 2011-03-27 14:31:47.000000000 -0400
23286 +++ linux-2.6.32.42/drivers/acpi/dock.c 2011-04-17 15:56:46.000000000 -0400
23287 @@ -77,7 +77,7 @@ struct dock_dependent_device {
23288 struct list_head list;
23289 struct list_head hotplug_list;
23290 acpi_handle handle;
23291 - struct acpi_dock_ops *ops;
23292 + const struct acpi_dock_ops *ops;
23296 @@ -605,7 +605,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
23297 * the dock driver after _DCK is executed.
23300 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
23301 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
23304 struct dock_dependent_device *dd;
23305 diff -urNp linux-2.6.32.42/drivers/acpi/osl.c linux-2.6.32.42/drivers/acpi/osl.c
23306 --- linux-2.6.32.42/drivers/acpi/osl.c 2011-03-27 14:31:47.000000000 -0400
23307 +++ linux-2.6.32.42/drivers/acpi/osl.c 2011-04-17 15:56:46.000000000 -0400
23308 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
23309 void __iomem *virt_addr;
23311 virt_addr = ioremap(phys_addr, width);
23313 + return AE_NO_MEMORY;
23317 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
23318 void __iomem *virt_addr;
23320 virt_addr = ioremap(phys_addr, width);
23322 + return AE_NO_MEMORY;
23326 diff -urNp linux-2.6.32.42/drivers/acpi/power_meter.c linux-2.6.32.42/drivers/acpi/power_meter.c
23327 --- linux-2.6.32.42/drivers/acpi/power_meter.c 2011-03-27 14:31:47.000000000 -0400
23328 +++ linux-2.6.32.42/drivers/acpi/power_meter.c 2011-04-17 15:56:46.000000000 -0400
23329 @@ -315,8 +315,6 @@ static ssize_t set_trip(struct device *d
23336 mutex_lock(&resource->lock);
23337 resource->trip[attr->index - 7] = temp;
23338 diff -urNp linux-2.6.32.42/drivers/acpi/proc.c linux-2.6.32.42/drivers/acpi/proc.c
23339 --- linux-2.6.32.42/drivers/acpi/proc.c 2011-03-27 14:31:47.000000000 -0400
23340 +++ linux-2.6.32.42/drivers/acpi/proc.c 2011-04-17 15:56:46.000000000 -0400
23341 @@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
23342 size_t count, loff_t * ppos)
23344 struct list_head *node, *next;
23346 - char str[5] = "";
23347 - unsigned int len = count;
23348 + char strbuf[5] = {0};
23349 struct acpi_device *found_dev = NULL;
23358 - if (copy_from_user(strbuf, buffer, len))
23359 + if (copy_from_user(strbuf, buffer, count))
23361 - strbuf[len] = '\0';
23362 - sscanf(strbuf, "%s", str);
23363 + strbuf[count] = '\0';
23365 mutex_lock(&acpi_device_lock);
23366 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
23367 @@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
23368 if (!dev->wakeup.flags.valid)
23371 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
23372 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
23373 dev->wakeup.state.enabled =
23374 dev->wakeup.state.enabled ? 0 : 1;
23376 diff -urNp linux-2.6.32.42/drivers/acpi/processor_core.c linux-2.6.32.42/drivers/acpi/processor_core.c
23377 --- linux-2.6.32.42/drivers/acpi/processor_core.c 2011-03-27 14:31:47.000000000 -0400
23378 +++ linux-2.6.32.42/drivers/acpi/processor_core.c 2011-04-17 15:56:46.000000000 -0400
23379 @@ -790,7 +790,7 @@ static int __cpuinit acpi_processor_add(
23383 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
23384 + BUG_ON(pr->id >= nr_cpu_ids);
23388 diff -urNp linux-2.6.32.42/drivers/acpi/sbshc.c linux-2.6.32.42/drivers/acpi/sbshc.c
23389 --- linux-2.6.32.42/drivers/acpi/sbshc.c 2011-03-27 14:31:47.000000000 -0400
23390 +++ linux-2.6.32.42/drivers/acpi/sbshc.c 2011-04-17 15:56:46.000000000 -0400
23393 #define PREFIX "ACPI: "
23395 -#define ACPI_SMB_HC_CLASS "smbus_host_controller"
23396 +#define ACPI_SMB_HC_CLASS "smbus_host_ctl"
23397 #define ACPI_SMB_HC_DEVICE_NAME "ACPI SMBus HC"
23399 struct acpi_smb_hc {
23400 diff -urNp linux-2.6.32.42/drivers/acpi/sleep.c linux-2.6.32.42/drivers/acpi/sleep.c
23401 --- linux-2.6.32.42/drivers/acpi/sleep.c 2011-03-27 14:31:47.000000000 -0400
23402 +++ linux-2.6.32.42/drivers/acpi/sleep.c 2011-04-17 15:56:46.000000000 -0400
23403 @@ -283,7 +283,7 @@ static int acpi_suspend_state_valid(susp
23407 -static struct platform_suspend_ops acpi_suspend_ops = {
23408 +static const struct platform_suspend_ops acpi_suspend_ops = {
23409 .valid = acpi_suspend_state_valid,
23410 .begin = acpi_suspend_begin,
23411 .prepare_late = acpi_pm_prepare,
23412 @@ -311,7 +311,7 @@ static int acpi_suspend_begin_old(suspen
23413 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
23416 -static struct platform_suspend_ops acpi_suspend_ops_old = {
23417 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
23418 .valid = acpi_suspend_state_valid,
23419 .begin = acpi_suspend_begin_old,
23420 .prepare_late = acpi_pm_disable_gpes,
23421 @@ -460,7 +460,7 @@ static void acpi_pm_enable_gpes(void)
23422 acpi_enable_all_runtime_gpes();
23425 -static struct platform_hibernation_ops acpi_hibernation_ops = {
23426 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
23427 .begin = acpi_hibernation_begin,
23428 .end = acpi_pm_end,
23429 .pre_snapshot = acpi_hibernation_pre_snapshot,
23430 @@ -513,7 +513,7 @@ static int acpi_hibernation_pre_snapshot
23431 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
23434 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
23435 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
23436 .begin = acpi_hibernation_begin_old,
23437 .end = acpi_pm_end,
23438 .pre_snapshot = acpi_hibernation_pre_snapshot_old,
23439 diff -urNp linux-2.6.32.42/drivers/acpi/video.c linux-2.6.32.42/drivers/acpi/video.c
23440 --- linux-2.6.32.42/drivers/acpi/video.c 2011-03-27 14:31:47.000000000 -0400
23441 +++ linux-2.6.32.42/drivers/acpi/video.c 2011-04-17 15:56:46.000000000 -0400
23442 @@ -359,7 +359,7 @@ static int acpi_video_set_brightness(str
23443 vd->brightness->levels[request_level]);
23446 -static struct backlight_ops acpi_backlight_ops = {
23447 +static const struct backlight_ops acpi_backlight_ops = {
23448 .get_brightness = acpi_video_get_brightness,
23449 .update_status = acpi_video_set_brightness,
23451 diff -urNp linux-2.6.32.42/drivers/ata/ahci.c linux-2.6.32.42/drivers/ata/ahci.c
23452 --- linux-2.6.32.42/drivers/ata/ahci.c 2011-03-27 14:31:47.000000000 -0400
23453 +++ linux-2.6.32.42/drivers/ata/ahci.c 2011-04-23 12:56:10.000000000 -0400
23454 @@ -387,7 +387,7 @@ static struct scsi_host_template ahci_sh
23455 .sdev_attrs = ahci_sdev_attrs,
23458 -static struct ata_port_operations ahci_ops = {
23459 +static const struct ata_port_operations ahci_ops = {
23460 .inherits = &sata_pmp_port_ops,
23462 .qc_defer = sata_pmp_qc_defer_cmd_switch,
23463 @@ -424,17 +424,17 @@ static struct ata_port_operations ahci_o
23464 .port_stop = ahci_port_stop,
23467 -static struct ata_port_operations ahci_vt8251_ops = {
23468 +static const struct ata_port_operations ahci_vt8251_ops = {
23469 .inherits = &ahci_ops,
23470 .hardreset = ahci_vt8251_hardreset,
23473 -static struct ata_port_operations ahci_p5wdh_ops = {
23474 +static const struct ata_port_operations ahci_p5wdh_ops = {
23475 .inherits = &ahci_ops,
23476 .hardreset = ahci_p5wdh_hardreset,
23479 -static struct ata_port_operations ahci_sb600_ops = {
23480 +static const struct ata_port_operations ahci_sb600_ops = {
23481 .inherits = &ahci_ops,
23482 .softreset = ahci_sb600_softreset,
23483 .pmp_softreset = ahci_sb600_softreset,
23484 diff -urNp linux-2.6.32.42/drivers/ata/ata_generic.c linux-2.6.32.42/drivers/ata/ata_generic.c
23485 --- linux-2.6.32.42/drivers/ata/ata_generic.c 2011-03-27 14:31:47.000000000 -0400
23486 +++ linux-2.6.32.42/drivers/ata/ata_generic.c 2011-04-17 15:56:46.000000000 -0400
23487 @@ -104,7 +104,7 @@ static struct scsi_host_template generic
23488 ATA_BMDMA_SHT(DRV_NAME),
23491 -static struct ata_port_operations generic_port_ops = {
23492 +static const struct ata_port_operations generic_port_ops = {
23493 .inherits = &ata_bmdma_port_ops,
23494 .cable_detect = ata_cable_unknown,
23495 .set_mode = generic_set_mode,
23496 diff -urNp linux-2.6.32.42/drivers/ata/ata_piix.c linux-2.6.32.42/drivers/ata/ata_piix.c
23497 --- linux-2.6.32.42/drivers/ata/ata_piix.c 2011-03-27 14:31:47.000000000 -0400
23498 +++ linux-2.6.32.42/drivers/ata/ata_piix.c 2011-04-23 12:56:10.000000000 -0400
23499 @@ -318,7 +318,7 @@ static struct scsi_host_template piix_sh
23500 ATA_BMDMA_SHT(DRV_NAME),
23503 -static struct ata_port_operations piix_pata_ops = {
23504 +static const struct ata_port_operations piix_pata_ops = {
23505 .inherits = &ata_bmdma32_port_ops,
23506 .cable_detect = ata_cable_40wire,
23507 .set_piomode = piix_set_piomode,
23508 @@ -326,22 +326,22 @@ static struct ata_port_operations piix_p
23509 .prereset = piix_pata_prereset,
23512 -static struct ata_port_operations piix_vmw_ops = {
23513 +static const struct ata_port_operations piix_vmw_ops = {
23514 .inherits = &piix_pata_ops,
23515 .bmdma_status = piix_vmw_bmdma_status,
23518 -static struct ata_port_operations ich_pata_ops = {
23519 +static const struct ata_port_operations ich_pata_ops = {
23520 .inherits = &piix_pata_ops,
23521 .cable_detect = ich_pata_cable_detect,
23522 .set_dmamode = ich_set_dmamode,
23525 -static struct ata_port_operations piix_sata_ops = {
23526 +static const struct ata_port_operations piix_sata_ops = {
23527 .inherits = &ata_bmdma_port_ops,
23530 -static struct ata_port_operations piix_sidpr_sata_ops = {
23531 +static const struct ata_port_operations piix_sidpr_sata_ops = {
23532 .inherits = &piix_sata_ops,
23533 .hardreset = sata_std_hardreset,
23534 .scr_read = piix_sidpr_scr_read,
23535 diff -urNp linux-2.6.32.42/drivers/ata/libata-acpi.c linux-2.6.32.42/drivers/ata/libata-acpi.c
23536 --- linux-2.6.32.42/drivers/ata/libata-acpi.c 2011-03-27 14:31:47.000000000 -0400
23537 +++ linux-2.6.32.42/drivers/ata/libata-acpi.c 2011-04-17 15:56:46.000000000 -0400
23538 @@ -223,12 +223,12 @@ static void ata_acpi_dev_uevent(acpi_han
23539 ata_acpi_uevent(dev->link->ap, dev, event);
23542 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
23543 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
23544 .handler = ata_acpi_dev_notify_dock,
23545 .uevent = ata_acpi_dev_uevent,
23548 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
23549 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
23550 .handler = ata_acpi_ap_notify_dock,
23551 .uevent = ata_acpi_ap_uevent,
23553 diff -urNp linux-2.6.32.42/drivers/ata/libata-core.c linux-2.6.32.42/drivers/ata/libata-core.c
23554 --- linux-2.6.32.42/drivers/ata/libata-core.c 2011-03-27 14:31:47.000000000 -0400
23555 +++ linux-2.6.32.42/drivers/ata/libata-core.c 2011-04-23 12:56:10.000000000 -0400
23556 @@ -4954,7 +4954,7 @@ void ata_qc_free(struct ata_queued_cmd *
23557 struct ata_port *ap;
23560 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23561 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23565 @@ -4970,7 +4970,7 @@ void __ata_qc_complete(struct ata_queued
23566 struct ata_port *ap;
23567 struct ata_link *link;
23569 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23570 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
23571 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
23573 link = qc->dev->link;
23574 @@ -5987,7 +5987,7 @@ static void ata_host_stop(struct device
23578 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
23579 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
23581 static DEFINE_SPINLOCK(lock);
23582 const struct ata_port_operations *cur;
23583 @@ -5999,6 +5999,7 @@ static void ata_finalize_port_ops(struct
23587 + pax_open_kernel();
23589 for (cur = ops->inherits; cur; cur = cur->inherits) {
23590 void **inherit = (void **)cur;
23591 @@ -6012,8 +6013,9 @@ static void ata_finalize_port_ops(struct
23595 - ops->inherits = NULL;
23596 + ((struct ata_port_operations *)ops)->inherits = NULL;
23598 + pax_close_kernel();
23599 spin_unlock(&lock);
23602 @@ -6110,7 +6112,7 @@ int ata_host_start(struct ata_host *host
23604 /* KILLME - the only user left is ipr */
23605 void ata_host_init(struct ata_host *host, struct device *dev,
23606 - unsigned long flags, struct ata_port_operations *ops)
23607 + unsigned long flags, const struct ata_port_operations *ops)
23609 spin_lock_init(&host->lock);
23611 @@ -6773,7 +6775,7 @@ static void ata_dummy_error_handler(stru
23615 -struct ata_port_operations ata_dummy_port_ops = {
23616 +const struct ata_port_operations ata_dummy_port_ops = {
23617 .qc_prep = ata_noop_qc_prep,
23618 .qc_issue = ata_dummy_qc_issue,
23619 .error_handler = ata_dummy_error_handler,
23620 diff -urNp linux-2.6.32.42/drivers/ata/libata-eh.c linux-2.6.32.42/drivers/ata/libata-eh.c
23621 --- linux-2.6.32.42/drivers/ata/libata-eh.c 2011-03-27 14:31:47.000000000 -0400
23622 +++ linux-2.6.32.42/drivers/ata/libata-eh.c 2011-05-16 21:46:57.000000000 -0400
23623 @@ -2423,6 +2423,8 @@ void ata_eh_report(struct ata_port *ap)
23625 struct ata_link *link;
23627 + pax_track_stack();
23629 ata_for_each_link(link, ap, HOST_FIRST)
23630 ata_eh_link_report(link);
23632 @@ -3590,7 +3592,7 @@ void ata_do_eh(struct ata_port *ap, ata_
23634 void ata_std_error_handler(struct ata_port *ap)
23636 - struct ata_port_operations *ops = ap->ops;
23637 + const struct ata_port_operations *ops = ap->ops;
23638 ata_reset_fn_t hardreset = ops->hardreset;
23640 /* ignore built-in hardreset if SCR access is not available */
23641 diff -urNp linux-2.6.32.42/drivers/ata/libata-pmp.c linux-2.6.32.42/drivers/ata/libata-pmp.c
23642 --- linux-2.6.32.42/drivers/ata/libata-pmp.c 2011-03-27 14:31:47.000000000 -0400
23643 +++ linux-2.6.32.42/drivers/ata/libata-pmp.c 2011-04-17 15:56:46.000000000 -0400
23644 @@ -841,7 +841,7 @@ static int sata_pmp_handle_link_fail(str
23646 static int sata_pmp_eh_recover(struct ata_port *ap)
23648 - struct ata_port_operations *ops = ap->ops;
23649 + const struct ata_port_operations *ops = ap->ops;
23650 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
23651 struct ata_link *pmp_link = &ap->link;
23652 struct ata_device *pmp_dev = pmp_link->device;
23653 diff -urNp linux-2.6.32.42/drivers/ata/pata_acpi.c linux-2.6.32.42/drivers/ata/pata_acpi.c
23654 --- linux-2.6.32.42/drivers/ata/pata_acpi.c 2011-03-27 14:31:47.000000000 -0400
23655 +++ linux-2.6.32.42/drivers/ata/pata_acpi.c 2011-04-17 15:56:46.000000000 -0400
23656 @@ -215,7 +215,7 @@ static struct scsi_host_template pacpi_s
23657 ATA_BMDMA_SHT(DRV_NAME),
23660 -static struct ata_port_operations pacpi_ops = {
23661 +static const struct ata_port_operations pacpi_ops = {
23662 .inherits = &ata_bmdma_port_ops,
23663 .qc_issue = pacpi_qc_issue,
23664 .cable_detect = pacpi_cable_detect,
23665 diff -urNp linux-2.6.32.42/drivers/ata/pata_ali.c linux-2.6.32.42/drivers/ata/pata_ali.c
23666 --- linux-2.6.32.42/drivers/ata/pata_ali.c 2011-03-27 14:31:47.000000000 -0400
23667 +++ linux-2.6.32.42/drivers/ata/pata_ali.c 2011-04-17 15:56:46.000000000 -0400
23668 @@ -365,7 +365,7 @@ static struct scsi_host_template ali_sht
23669 * Port operations for PIO only ALi
23672 -static struct ata_port_operations ali_early_port_ops = {
23673 +static const struct ata_port_operations ali_early_port_ops = {
23674 .inherits = &ata_sff_port_ops,
23675 .cable_detect = ata_cable_40wire,
23676 .set_piomode = ali_set_piomode,
23677 @@ -382,7 +382,7 @@ static const struct ata_port_operations
23678 * Port operations for DMA capable ALi without cable
23681 -static struct ata_port_operations ali_20_port_ops = {
23682 +static const struct ata_port_operations ali_20_port_ops = {
23683 .inherits = &ali_dma_base_ops,
23684 .cable_detect = ata_cable_40wire,
23685 .mode_filter = ali_20_filter,
23686 @@ -393,7 +393,7 @@ static struct ata_port_operations ali_20
23688 * Port operations for DMA capable ALi with cable detect
23690 -static struct ata_port_operations ali_c2_port_ops = {
23691 +static const struct ata_port_operations ali_c2_port_ops = {
23692 .inherits = &ali_dma_base_ops,
23693 .check_atapi_dma = ali_check_atapi_dma,
23694 .cable_detect = ali_c2_cable_detect,
23695 @@ -404,7 +404,7 @@ static struct ata_port_operations ali_c2
23697 * Port operations for DMA capable ALi with cable detect
23699 -static struct ata_port_operations ali_c4_port_ops = {
23700 +static const struct ata_port_operations ali_c4_port_ops = {
23701 .inherits = &ali_dma_base_ops,
23702 .check_atapi_dma = ali_check_atapi_dma,
23703 .cable_detect = ali_c2_cable_detect,
23704 @@ -414,7 +414,7 @@ static struct ata_port_operations ali_c4
23706 * Port operations for DMA capable ALi with cable detect and LBA48
23708 -static struct ata_port_operations ali_c5_port_ops = {
23709 +static const struct ata_port_operations ali_c5_port_ops = {
23710 .inherits = &ali_dma_base_ops,
23711 .check_atapi_dma = ali_check_atapi_dma,
23712 .dev_config = ali_warn_atapi_dma,
23713 diff -urNp linux-2.6.32.42/drivers/ata/pata_amd.c linux-2.6.32.42/drivers/ata/pata_amd.c
23714 --- linux-2.6.32.42/drivers/ata/pata_amd.c 2011-03-27 14:31:47.000000000 -0400
23715 +++ linux-2.6.32.42/drivers/ata/pata_amd.c 2011-04-17 15:56:46.000000000 -0400
23716 @@ -397,28 +397,28 @@ static const struct ata_port_operations
23717 .prereset = amd_pre_reset,
23720 -static struct ata_port_operations amd33_port_ops = {
23721 +static const struct ata_port_operations amd33_port_ops = {
23722 .inherits = &amd_base_port_ops,
23723 .cable_detect = ata_cable_40wire,
23724 .set_piomode = amd33_set_piomode,
23725 .set_dmamode = amd33_set_dmamode,
23728 -static struct ata_port_operations amd66_port_ops = {
23729 +static const struct ata_port_operations amd66_port_ops = {
23730 .inherits = &amd_base_port_ops,
23731 .cable_detect = ata_cable_unknown,
23732 .set_piomode = amd66_set_piomode,
23733 .set_dmamode = amd66_set_dmamode,
23736 -static struct ata_port_operations amd100_port_ops = {
23737 +static const struct ata_port_operations amd100_port_ops = {
23738 .inherits = &amd_base_port_ops,
23739 .cable_detect = ata_cable_unknown,
23740 .set_piomode = amd100_set_piomode,
23741 .set_dmamode = amd100_set_dmamode,
23744 -static struct ata_port_operations amd133_port_ops = {
23745 +static const struct ata_port_operations amd133_port_ops = {
23746 .inherits = &amd_base_port_ops,
23747 .cable_detect = amd_cable_detect,
23748 .set_piomode = amd133_set_piomode,
23749 @@ -433,13 +433,13 @@ static const struct ata_port_operations
23750 .host_stop = nv_host_stop,
23753 -static struct ata_port_operations nv100_port_ops = {
23754 +static const struct ata_port_operations nv100_port_ops = {
23755 .inherits = &nv_base_port_ops,
23756 .set_piomode = nv100_set_piomode,
23757 .set_dmamode = nv100_set_dmamode,
23760 -static struct ata_port_operations nv133_port_ops = {
23761 +static const struct ata_port_operations nv133_port_ops = {
23762 .inherits = &nv_base_port_ops,
23763 .set_piomode = nv133_set_piomode,
23764 .set_dmamode = nv133_set_dmamode,
23765 diff -urNp linux-2.6.32.42/drivers/ata/pata_artop.c linux-2.6.32.42/drivers/ata/pata_artop.c
23766 --- linux-2.6.32.42/drivers/ata/pata_artop.c 2011-03-27 14:31:47.000000000 -0400
23767 +++ linux-2.6.32.42/drivers/ata/pata_artop.c 2011-04-17 15:56:46.000000000 -0400
23768 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
23769 ATA_BMDMA_SHT(DRV_NAME),
23772 -static struct ata_port_operations artop6210_ops = {
23773 +static const struct ata_port_operations artop6210_ops = {
23774 .inherits = &ata_bmdma_port_ops,
23775 .cable_detect = ata_cable_40wire,
23776 .set_piomode = artop6210_set_piomode,
23777 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
23778 .qc_defer = artop6210_qc_defer,
23781 -static struct ata_port_operations artop6260_ops = {
23782 +static const struct ata_port_operations artop6260_ops = {
23783 .inherits = &ata_bmdma_port_ops,
23784 .cable_detect = artop6260_cable_detect,
23785 .set_piomode = artop6260_set_piomode,
23786 diff -urNp linux-2.6.32.42/drivers/ata/pata_at32.c linux-2.6.32.42/drivers/ata/pata_at32.c
23787 --- linux-2.6.32.42/drivers/ata/pata_at32.c 2011-03-27 14:31:47.000000000 -0400
23788 +++ linux-2.6.32.42/drivers/ata/pata_at32.c 2011-04-17 15:56:46.000000000 -0400
23789 @@ -172,7 +172,7 @@ static struct scsi_host_template at32_sh
23790 ATA_PIO_SHT(DRV_NAME),
23793 -static struct ata_port_operations at32_port_ops = {
23794 +static const struct ata_port_operations at32_port_ops = {
23795 .inherits = &ata_sff_port_ops,
23796 .cable_detect = ata_cable_40wire,
23797 .set_piomode = pata_at32_set_piomode,
23798 diff -urNp linux-2.6.32.42/drivers/ata/pata_at91.c linux-2.6.32.42/drivers/ata/pata_at91.c
23799 --- linux-2.6.32.42/drivers/ata/pata_at91.c 2011-03-27 14:31:47.000000000 -0400
23800 +++ linux-2.6.32.42/drivers/ata/pata_at91.c 2011-04-17 15:56:46.000000000 -0400
23801 @@ -195,7 +195,7 @@ static struct scsi_host_template pata_at
23802 ATA_PIO_SHT(DRV_NAME),
23805 -static struct ata_port_operations pata_at91_port_ops = {
23806 +static const struct ata_port_operations pata_at91_port_ops = {
23807 .inherits = &ata_sff_port_ops,
23809 .sff_data_xfer = pata_at91_data_xfer_noirq,
23810 diff -urNp linux-2.6.32.42/drivers/ata/pata_atiixp.c linux-2.6.32.42/drivers/ata/pata_atiixp.c
23811 --- linux-2.6.32.42/drivers/ata/pata_atiixp.c 2011-03-27 14:31:47.000000000 -0400
23812 +++ linux-2.6.32.42/drivers/ata/pata_atiixp.c 2011-04-17 15:56:46.000000000 -0400
23813 @@ -205,7 +205,7 @@ static struct scsi_host_template atiixp_
23814 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
23817 -static struct ata_port_operations atiixp_port_ops = {
23818 +static const struct ata_port_operations atiixp_port_ops = {
23819 .inherits = &ata_bmdma_port_ops,
23821 .qc_prep = ata_sff_dumb_qc_prep,
23822 diff -urNp linux-2.6.32.42/drivers/ata/pata_atp867x.c linux-2.6.32.42/drivers/ata/pata_atp867x.c
23823 --- linux-2.6.32.42/drivers/ata/pata_atp867x.c 2011-03-27 14:31:47.000000000 -0400
23824 +++ linux-2.6.32.42/drivers/ata/pata_atp867x.c 2011-04-17 15:56:46.000000000 -0400
23825 @@ -274,7 +274,7 @@ static struct scsi_host_template atp867x
23826 ATA_BMDMA_SHT(DRV_NAME),
23829 -static struct ata_port_operations atp867x_ops = {
23830 +static const struct ata_port_operations atp867x_ops = {
23831 .inherits = &ata_bmdma_port_ops,
23832 .cable_detect = atp867x_cable_detect,
23833 .set_piomode = atp867x_set_piomode,
23834 diff -urNp linux-2.6.32.42/drivers/ata/pata_bf54x.c linux-2.6.32.42/drivers/ata/pata_bf54x.c
23835 --- linux-2.6.32.42/drivers/ata/pata_bf54x.c 2011-03-27 14:31:47.000000000 -0400
23836 +++ linux-2.6.32.42/drivers/ata/pata_bf54x.c 2011-04-17 15:56:46.000000000 -0400
23837 @@ -1464,7 +1464,7 @@ static struct scsi_host_template bfin_sh
23838 .dma_boundary = ATA_DMA_BOUNDARY,
23841 -static struct ata_port_operations bfin_pata_ops = {
23842 +static const struct ata_port_operations bfin_pata_ops = {
23843 .inherits = &ata_sff_port_ops,
23845 .set_piomode = bfin_set_piomode,
23846 diff -urNp linux-2.6.32.42/drivers/ata/pata_cmd640.c linux-2.6.32.42/drivers/ata/pata_cmd640.c
23847 --- linux-2.6.32.42/drivers/ata/pata_cmd640.c 2011-03-27 14:31:47.000000000 -0400
23848 +++ linux-2.6.32.42/drivers/ata/pata_cmd640.c 2011-04-17 15:56:46.000000000 -0400
23849 @@ -168,7 +168,7 @@ static struct scsi_host_template cmd640_
23850 ATA_BMDMA_SHT(DRV_NAME),
23853 -static struct ata_port_operations cmd640_port_ops = {
23854 +static const struct ata_port_operations cmd640_port_ops = {
23855 .inherits = &ata_bmdma_port_ops,
23856 /* In theory xfer_noirq is not needed once we kill the prefetcher */
23857 .sff_data_xfer = ata_sff_data_xfer_noirq,
23858 diff -urNp linux-2.6.32.42/drivers/ata/pata_cmd64x.c linux-2.6.32.42/drivers/ata/pata_cmd64x.c
23859 --- linux-2.6.32.42/drivers/ata/pata_cmd64x.c 2011-06-25 12:55:34.000000000 -0400
23860 +++ linux-2.6.32.42/drivers/ata/pata_cmd64x.c 2011-06-25 12:56:37.000000000 -0400
23861 @@ -271,18 +271,18 @@ static const struct ata_port_operations
23862 .set_dmamode = cmd64x_set_dmamode,
23865 -static struct ata_port_operations cmd64x_port_ops = {
23866 +static const struct ata_port_operations cmd64x_port_ops = {
23867 .inherits = &cmd64x_base_ops,
23868 .cable_detect = ata_cable_40wire,
23871 -static struct ata_port_operations cmd646r1_port_ops = {
23872 +static const struct ata_port_operations cmd646r1_port_ops = {
23873 .inherits = &cmd64x_base_ops,
23874 .bmdma_stop = cmd646r1_bmdma_stop,
23875 .cable_detect = ata_cable_40wire,
23878 -static struct ata_port_operations cmd648_port_ops = {
23879 +static const struct ata_port_operations cmd648_port_ops = {
23880 .inherits = &cmd64x_base_ops,
23881 .bmdma_stop = cmd648_bmdma_stop,
23882 .cable_detect = cmd648_cable_detect,
23883 diff -urNp linux-2.6.32.42/drivers/ata/pata_cs5520.c linux-2.6.32.42/drivers/ata/pata_cs5520.c
23884 --- linux-2.6.32.42/drivers/ata/pata_cs5520.c 2011-03-27 14:31:47.000000000 -0400
23885 +++ linux-2.6.32.42/drivers/ata/pata_cs5520.c 2011-04-17 15:56:46.000000000 -0400
23886 @@ -144,7 +144,7 @@ static struct scsi_host_template cs5520_
23887 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
23890 -static struct ata_port_operations cs5520_port_ops = {
23891 +static const struct ata_port_operations cs5520_port_ops = {
23892 .inherits = &ata_bmdma_port_ops,
23893 .qc_prep = ata_sff_dumb_qc_prep,
23894 .cable_detect = ata_cable_40wire,
23895 diff -urNp linux-2.6.32.42/drivers/ata/pata_cs5530.c linux-2.6.32.42/drivers/ata/pata_cs5530.c
23896 --- linux-2.6.32.42/drivers/ata/pata_cs5530.c 2011-03-27 14:31:47.000000000 -0400
23897 +++ linux-2.6.32.42/drivers/ata/pata_cs5530.c 2011-04-17 15:56:46.000000000 -0400
23898 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
23899 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
23902 -static struct ata_port_operations cs5530_port_ops = {
23903 +static const struct ata_port_operations cs5530_port_ops = {
23904 .inherits = &ata_bmdma_port_ops,
23906 .qc_prep = ata_sff_dumb_qc_prep,
23907 diff -urNp linux-2.6.32.42/drivers/ata/pata_cs5535.c linux-2.6.32.42/drivers/ata/pata_cs5535.c
23908 --- linux-2.6.32.42/drivers/ata/pata_cs5535.c 2011-03-27 14:31:47.000000000 -0400
23909 +++ linux-2.6.32.42/drivers/ata/pata_cs5535.c 2011-04-17 15:56:46.000000000 -0400
23910 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
23911 ATA_BMDMA_SHT(DRV_NAME),
23914 -static struct ata_port_operations cs5535_port_ops = {
23915 +static const struct ata_port_operations cs5535_port_ops = {
23916 .inherits = &ata_bmdma_port_ops,
23917 .cable_detect = cs5535_cable_detect,
23918 .set_piomode = cs5535_set_piomode,
23919 diff -urNp linux-2.6.32.42/drivers/ata/pata_cs5536.c linux-2.6.32.42/drivers/ata/pata_cs5536.c
23920 --- linux-2.6.32.42/drivers/ata/pata_cs5536.c 2011-03-27 14:31:47.000000000 -0400
23921 +++ linux-2.6.32.42/drivers/ata/pata_cs5536.c 2011-04-17 15:56:46.000000000 -0400
23922 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
23923 ATA_BMDMA_SHT(DRV_NAME),
23926 -static struct ata_port_operations cs5536_port_ops = {
23927 +static const struct ata_port_operations cs5536_port_ops = {
23928 .inherits = &ata_bmdma_port_ops,
23929 .cable_detect = cs5536_cable_detect,
23930 .set_piomode = cs5536_set_piomode,
23931 diff -urNp linux-2.6.32.42/drivers/ata/pata_cypress.c linux-2.6.32.42/drivers/ata/pata_cypress.c
23932 --- linux-2.6.32.42/drivers/ata/pata_cypress.c 2011-03-27 14:31:47.000000000 -0400
23933 +++ linux-2.6.32.42/drivers/ata/pata_cypress.c 2011-04-17 15:56:46.000000000 -0400
23934 @@ -113,7 +113,7 @@ static struct scsi_host_template cy82c69
23935 ATA_BMDMA_SHT(DRV_NAME),
23938 -static struct ata_port_operations cy82c693_port_ops = {
23939 +static const struct ata_port_operations cy82c693_port_ops = {
23940 .inherits = &ata_bmdma_port_ops,
23941 .cable_detect = ata_cable_40wire,
23942 .set_piomode = cy82c693_set_piomode,
23943 diff -urNp linux-2.6.32.42/drivers/ata/pata_efar.c linux-2.6.32.42/drivers/ata/pata_efar.c
23944 --- linux-2.6.32.42/drivers/ata/pata_efar.c 2011-03-27 14:31:47.000000000 -0400
23945 +++ linux-2.6.32.42/drivers/ata/pata_efar.c 2011-04-17 15:56:46.000000000 -0400
23946 @@ -222,7 +222,7 @@ static struct scsi_host_template efar_sh
23947 ATA_BMDMA_SHT(DRV_NAME),
23950 -static struct ata_port_operations efar_ops = {
23951 +static const struct ata_port_operations efar_ops = {
23952 .inherits = &ata_bmdma_port_ops,
23953 .cable_detect = efar_cable_detect,
23954 .set_piomode = efar_set_piomode,
23955 diff -urNp linux-2.6.32.42/drivers/ata/pata_hpt366.c linux-2.6.32.42/drivers/ata/pata_hpt366.c
23956 --- linux-2.6.32.42/drivers/ata/pata_hpt366.c 2011-06-25 12:55:34.000000000 -0400
23957 +++ linux-2.6.32.42/drivers/ata/pata_hpt366.c 2011-06-25 12:56:37.000000000 -0400
23958 @@ -282,7 +282,7 @@ static struct scsi_host_template hpt36x_
23959 * Configuration for HPT366/68
23962 -static struct ata_port_operations hpt366_port_ops = {
23963 +static const struct ata_port_operations hpt366_port_ops = {
23964 .inherits = &ata_bmdma_port_ops,
23965 .cable_detect = hpt36x_cable_detect,
23966 .mode_filter = hpt366_filter,
23967 diff -urNp linux-2.6.32.42/drivers/ata/pata_hpt37x.c linux-2.6.32.42/drivers/ata/pata_hpt37x.c
23968 --- linux-2.6.32.42/drivers/ata/pata_hpt37x.c 2011-06-25 12:55:34.000000000 -0400
23969 +++ linux-2.6.32.42/drivers/ata/pata_hpt37x.c 2011-06-25 12:56:37.000000000 -0400
23970 @@ -576,7 +576,7 @@ static struct scsi_host_template hpt37x_
23971 * Configuration for HPT370
23974 -static struct ata_port_operations hpt370_port_ops = {
23975 +static const struct ata_port_operations hpt370_port_ops = {
23976 .inherits = &ata_bmdma_port_ops,
23978 .bmdma_stop = hpt370_bmdma_stop,
23979 @@ -591,7 +591,7 @@ static struct ata_port_operations hpt370
23980 * Configuration for HPT370A. Close to 370 but less filters
23983 -static struct ata_port_operations hpt370a_port_ops = {
23984 +static const struct ata_port_operations hpt370a_port_ops = {
23985 .inherits = &hpt370_port_ops,
23986 .mode_filter = hpt370a_filter,
23988 @@ -601,7 +601,7 @@ static struct ata_port_operations hpt370
23989 * and DMA mode setting functionality.
23992 -static struct ata_port_operations hpt372_port_ops = {
23993 +static const struct ata_port_operations hpt372_port_ops = {
23994 .inherits = &ata_bmdma_port_ops,
23996 .bmdma_stop = hpt37x_bmdma_stop,
23997 @@ -616,7 +616,7 @@ static struct ata_port_operations hpt372
23998 * but we have a different cable detection procedure for function 1.
24001 -static struct ata_port_operations hpt374_fn1_port_ops = {
24002 +static const struct ata_port_operations hpt374_fn1_port_ops = {
24003 .inherits = &hpt372_port_ops,
24004 .prereset = hpt374_fn1_pre_reset,
24006 diff -urNp linux-2.6.32.42/drivers/ata/pata_hpt3x2n.c linux-2.6.32.42/drivers/ata/pata_hpt3x2n.c
24007 --- linux-2.6.32.42/drivers/ata/pata_hpt3x2n.c 2011-06-25 12:55:34.000000000 -0400
24008 +++ linux-2.6.32.42/drivers/ata/pata_hpt3x2n.c 2011-06-25 12:56:37.000000000 -0400
24009 @@ -337,7 +337,7 @@ static struct scsi_host_template hpt3x2n
24010 * Configuration for HPT3x2n.
24013 -static struct ata_port_operations hpt3x2n_port_ops = {
24014 +static const struct ata_port_operations hpt3x2n_port_ops = {
24015 .inherits = &ata_bmdma_port_ops,
24017 .bmdma_stop = hpt3x2n_bmdma_stop,
24018 diff -urNp linux-2.6.32.42/drivers/ata/pata_hpt3x3.c linux-2.6.32.42/drivers/ata/pata_hpt3x3.c
24019 --- linux-2.6.32.42/drivers/ata/pata_hpt3x3.c 2011-03-27 14:31:47.000000000 -0400
24020 +++ linux-2.6.32.42/drivers/ata/pata_hpt3x3.c 2011-04-17 15:56:46.000000000 -0400
24021 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
24022 ATA_BMDMA_SHT(DRV_NAME),
24025 -static struct ata_port_operations hpt3x3_port_ops = {
24026 +static const struct ata_port_operations hpt3x3_port_ops = {
24027 .inherits = &ata_bmdma_port_ops,
24028 .cable_detect = ata_cable_40wire,
24029 .set_piomode = hpt3x3_set_piomode,
24030 diff -urNp linux-2.6.32.42/drivers/ata/pata_icside.c linux-2.6.32.42/drivers/ata/pata_icside.c
24031 --- linux-2.6.32.42/drivers/ata/pata_icside.c 2011-03-27 14:31:47.000000000 -0400
24032 +++ linux-2.6.32.42/drivers/ata/pata_icside.c 2011-04-17 15:56:46.000000000 -0400
24033 @@ -319,7 +319,7 @@ static void pata_icside_postreset(struct
24037 -static struct ata_port_operations pata_icside_port_ops = {
24038 +static const struct ata_port_operations pata_icside_port_ops = {
24039 .inherits = &ata_sff_port_ops,
24040 /* no need to build any PRD tables for DMA */
24041 .qc_prep = ata_noop_qc_prep,
24042 diff -urNp linux-2.6.32.42/drivers/ata/pata_isapnp.c linux-2.6.32.42/drivers/ata/pata_isapnp.c
24043 --- linux-2.6.32.42/drivers/ata/pata_isapnp.c 2011-03-27 14:31:47.000000000 -0400
24044 +++ linux-2.6.32.42/drivers/ata/pata_isapnp.c 2011-04-17 15:56:46.000000000 -0400
24045 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
24046 ATA_PIO_SHT(DRV_NAME),
24049 -static struct ata_port_operations isapnp_port_ops = {
24050 +static const struct ata_port_operations isapnp_port_ops = {
24051 .inherits = &ata_sff_port_ops,
24052 .cable_detect = ata_cable_40wire,
24055 -static struct ata_port_operations isapnp_noalt_port_ops = {
24056 +static const struct ata_port_operations isapnp_noalt_port_ops = {
24057 .inherits = &ata_sff_port_ops,
24058 .cable_detect = ata_cable_40wire,
24059 /* No altstatus so we don't want to use the lost interrupt poll */
24060 diff -urNp linux-2.6.32.42/drivers/ata/pata_it8213.c linux-2.6.32.42/drivers/ata/pata_it8213.c
24061 --- linux-2.6.32.42/drivers/ata/pata_it8213.c 2011-03-27 14:31:47.000000000 -0400
24062 +++ linux-2.6.32.42/drivers/ata/pata_it8213.c 2011-04-17 15:56:46.000000000 -0400
24063 @@ -234,7 +234,7 @@ static struct scsi_host_template it8213_
24067 -static struct ata_port_operations it8213_ops = {
24068 +static const struct ata_port_operations it8213_ops = {
24069 .inherits = &ata_bmdma_port_ops,
24070 .cable_detect = it8213_cable_detect,
24071 .set_piomode = it8213_set_piomode,
24072 diff -urNp linux-2.6.32.42/drivers/ata/pata_it821x.c linux-2.6.32.42/drivers/ata/pata_it821x.c
24073 --- linux-2.6.32.42/drivers/ata/pata_it821x.c 2011-03-27 14:31:47.000000000 -0400
24074 +++ linux-2.6.32.42/drivers/ata/pata_it821x.c 2011-04-17 15:56:46.000000000 -0400
24075 @@ -800,7 +800,7 @@ static struct scsi_host_template it821x_
24076 ATA_BMDMA_SHT(DRV_NAME),
24079 -static struct ata_port_operations it821x_smart_port_ops = {
24080 +static const struct ata_port_operations it821x_smart_port_ops = {
24081 .inherits = &ata_bmdma_port_ops,
24083 .check_atapi_dma= it821x_check_atapi_dma,
24084 @@ -814,7 +814,7 @@ static struct ata_port_operations it821x
24085 .port_start = it821x_port_start,
24088 -static struct ata_port_operations it821x_passthru_port_ops = {
24089 +static const struct ata_port_operations it821x_passthru_port_ops = {
24090 .inherits = &ata_bmdma_port_ops,
24092 .check_atapi_dma= it821x_check_atapi_dma,
24093 @@ -830,7 +830,7 @@ static struct ata_port_operations it821x
24094 .port_start = it821x_port_start,
24097 -static struct ata_port_operations it821x_rdc_port_ops = {
24098 +static const struct ata_port_operations it821x_rdc_port_ops = {
24099 .inherits = &ata_bmdma_port_ops,
24101 .check_atapi_dma= it821x_check_atapi_dma,
24102 diff -urNp linux-2.6.32.42/drivers/ata/pata_ixp4xx_cf.c linux-2.6.32.42/drivers/ata/pata_ixp4xx_cf.c
24103 --- linux-2.6.32.42/drivers/ata/pata_ixp4xx_cf.c 2011-03-27 14:31:47.000000000 -0400
24104 +++ linux-2.6.32.42/drivers/ata/pata_ixp4xx_cf.c 2011-04-17 15:56:46.000000000 -0400
24105 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
24106 ATA_PIO_SHT(DRV_NAME),
24109 -static struct ata_port_operations ixp4xx_port_ops = {
24110 +static const struct ata_port_operations ixp4xx_port_ops = {
24111 .inherits = &ata_sff_port_ops,
24112 .sff_data_xfer = ixp4xx_mmio_data_xfer,
24113 .cable_detect = ata_cable_40wire,
24114 diff -urNp linux-2.6.32.42/drivers/ata/pata_jmicron.c linux-2.6.32.42/drivers/ata/pata_jmicron.c
24115 --- linux-2.6.32.42/drivers/ata/pata_jmicron.c 2011-03-27 14:31:47.000000000 -0400
24116 +++ linux-2.6.32.42/drivers/ata/pata_jmicron.c 2011-04-17 15:56:46.000000000 -0400
24117 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
24118 ATA_BMDMA_SHT(DRV_NAME),
24121 -static struct ata_port_operations jmicron_ops = {
24122 +static const struct ata_port_operations jmicron_ops = {
24123 .inherits = &ata_bmdma_port_ops,
24124 .prereset = jmicron_pre_reset,
24126 diff -urNp linux-2.6.32.42/drivers/ata/pata_legacy.c linux-2.6.32.42/drivers/ata/pata_legacy.c
24127 --- linux-2.6.32.42/drivers/ata/pata_legacy.c 2011-03-27 14:31:47.000000000 -0400
24128 +++ linux-2.6.32.42/drivers/ata/pata_legacy.c 2011-04-17 15:56:46.000000000 -0400
24129 @@ -106,7 +106,7 @@ struct legacy_probe {
24131 struct legacy_controller {
24133 - struct ata_port_operations *ops;
24134 + const struct ata_port_operations *ops;
24135 unsigned int pio_mask;
24136 unsigned int flags;
24137 unsigned int pflags;
24138 @@ -223,12 +223,12 @@ static const struct ata_port_operations
24139 * pio_mask as well.
24142 -static struct ata_port_operations simple_port_ops = {
24143 +static const struct ata_port_operations simple_port_ops = {
24144 .inherits = &legacy_base_port_ops,
24145 .sff_data_xfer = ata_sff_data_xfer_noirq,
24148 -static struct ata_port_operations legacy_port_ops = {
24149 +static const struct ata_port_operations legacy_port_ops = {
24150 .inherits = &legacy_base_port_ops,
24151 .sff_data_xfer = ata_sff_data_xfer_noirq,
24152 .set_mode = legacy_set_mode,
24153 @@ -324,7 +324,7 @@ static unsigned int pdc_data_xfer_vlb(st
24157 -static struct ata_port_operations pdc20230_port_ops = {
24158 +static const struct ata_port_operations pdc20230_port_ops = {
24159 .inherits = &legacy_base_port_ops,
24160 .set_piomode = pdc20230_set_piomode,
24161 .sff_data_xfer = pdc_data_xfer_vlb,
24162 @@ -357,7 +357,7 @@ static void ht6560a_set_piomode(struct a
24163 ioread8(ap->ioaddr.status_addr);
24166 -static struct ata_port_operations ht6560a_port_ops = {
24167 +static const struct ata_port_operations ht6560a_port_ops = {
24168 .inherits = &legacy_base_port_ops,
24169 .set_piomode = ht6560a_set_piomode,
24171 @@ -400,7 +400,7 @@ static void ht6560b_set_piomode(struct a
24172 ioread8(ap->ioaddr.status_addr);
24175 -static struct ata_port_operations ht6560b_port_ops = {
24176 +static const struct ata_port_operations ht6560b_port_ops = {
24177 .inherits = &legacy_base_port_ops,
24178 .set_piomode = ht6560b_set_piomode,
24180 @@ -499,7 +499,7 @@ static void opti82c611a_set_piomode(stru
24184 -static struct ata_port_operations opti82c611a_port_ops = {
24185 +static const struct ata_port_operations opti82c611a_port_ops = {
24186 .inherits = &legacy_base_port_ops,
24187 .set_piomode = opti82c611a_set_piomode,
24189 @@ -609,7 +609,7 @@ static unsigned int opti82c46x_qc_issue(
24190 return ata_sff_qc_issue(qc);
24193 -static struct ata_port_operations opti82c46x_port_ops = {
24194 +static const struct ata_port_operations opti82c46x_port_ops = {
24195 .inherits = &legacy_base_port_ops,
24196 .set_piomode = opti82c46x_set_piomode,
24197 .qc_issue = opti82c46x_qc_issue,
24198 @@ -771,20 +771,20 @@ static int qdi_port(struct platform_devi
24202 -static struct ata_port_operations qdi6500_port_ops = {
24203 +static const struct ata_port_operations qdi6500_port_ops = {
24204 .inherits = &legacy_base_port_ops,
24205 .set_piomode = qdi6500_set_piomode,
24206 .qc_issue = qdi_qc_issue,
24207 .sff_data_xfer = vlb32_data_xfer,
24210 -static struct ata_port_operations qdi6580_port_ops = {
24211 +static const struct ata_port_operations qdi6580_port_ops = {
24212 .inherits = &legacy_base_port_ops,
24213 .set_piomode = qdi6580_set_piomode,
24214 .sff_data_xfer = vlb32_data_xfer,
24217 -static struct ata_port_operations qdi6580dp_port_ops = {
24218 +static const struct ata_port_operations qdi6580dp_port_ops = {
24219 .inherits = &legacy_base_port_ops,
24220 .set_piomode = qdi6580dp_set_piomode,
24221 .sff_data_xfer = vlb32_data_xfer,
24222 @@ -855,7 +855,7 @@ static int winbond_port(struct platform_
24226 -static struct ata_port_operations winbond_port_ops = {
24227 +static const struct ata_port_operations winbond_port_ops = {
24228 .inherits = &legacy_base_port_ops,
24229 .set_piomode = winbond_set_piomode,
24230 .sff_data_xfer = vlb32_data_xfer,
24231 @@ -978,7 +978,7 @@ static __init int legacy_init_one(struct
24232 int pio_modes = controller->pio_mask;
24233 unsigned long io = probe->port;
24234 u32 mask = (1 << probe->slot);
24235 - struct ata_port_operations *ops = controller->ops;
24236 + const struct ata_port_operations *ops = controller->ops;
24237 struct legacy_data *ld = &legacy_data[probe->slot];
24238 struct ata_host *host = NULL;
24239 struct ata_port *ap;
24240 diff -urNp linux-2.6.32.42/drivers/ata/pata_marvell.c linux-2.6.32.42/drivers/ata/pata_marvell.c
24241 --- linux-2.6.32.42/drivers/ata/pata_marvell.c 2011-03-27 14:31:47.000000000 -0400
24242 +++ linux-2.6.32.42/drivers/ata/pata_marvell.c 2011-04-17 15:56:46.000000000 -0400
24243 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
24244 ATA_BMDMA_SHT(DRV_NAME),
24247 -static struct ata_port_operations marvell_ops = {
24248 +static const struct ata_port_operations marvell_ops = {
24249 .inherits = &ata_bmdma_port_ops,
24250 .cable_detect = marvell_cable_detect,
24251 .prereset = marvell_pre_reset,
24252 diff -urNp linux-2.6.32.42/drivers/ata/pata_mpc52xx.c linux-2.6.32.42/drivers/ata/pata_mpc52xx.c
24253 --- linux-2.6.32.42/drivers/ata/pata_mpc52xx.c 2011-03-27 14:31:47.000000000 -0400
24254 +++ linux-2.6.32.42/drivers/ata/pata_mpc52xx.c 2011-04-17 15:56:46.000000000 -0400
24255 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
24256 ATA_PIO_SHT(DRV_NAME),
24259 -static struct ata_port_operations mpc52xx_ata_port_ops = {
24260 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
24261 .inherits = &ata_bmdma_port_ops,
24262 .sff_dev_select = mpc52xx_ata_dev_select,
24263 .set_piomode = mpc52xx_ata_set_piomode,
24264 diff -urNp linux-2.6.32.42/drivers/ata/pata_mpiix.c linux-2.6.32.42/drivers/ata/pata_mpiix.c
24265 --- linux-2.6.32.42/drivers/ata/pata_mpiix.c 2011-03-27 14:31:47.000000000 -0400
24266 +++ linux-2.6.32.42/drivers/ata/pata_mpiix.c 2011-04-17 15:56:46.000000000 -0400
24267 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
24268 ATA_PIO_SHT(DRV_NAME),
24271 -static struct ata_port_operations mpiix_port_ops = {
24272 +static const struct ata_port_operations mpiix_port_ops = {
24273 .inherits = &ata_sff_port_ops,
24274 .qc_issue = mpiix_qc_issue,
24275 .cable_detect = ata_cable_40wire,
24276 diff -urNp linux-2.6.32.42/drivers/ata/pata_netcell.c linux-2.6.32.42/drivers/ata/pata_netcell.c
24277 --- linux-2.6.32.42/drivers/ata/pata_netcell.c 2011-03-27 14:31:47.000000000 -0400
24278 +++ linux-2.6.32.42/drivers/ata/pata_netcell.c 2011-04-17 15:56:46.000000000 -0400
24279 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
24280 ATA_BMDMA_SHT(DRV_NAME),
24283 -static struct ata_port_operations netcell_ops = {
24284 +static const struct ata_port_operations netcell_ops = {
24285 .inherits = &ata_bmdma_port_ops,
24286 .cable_detect = ata_cable_80wire,
24287 .read_id = netcell_read_id,
24288 diff -urNp linux-2.6.32.42/drivers/ata/pata_ninja32.c linux-2.6.32.42/drivers/ata/pata_ninja32.c
24289 --- linux-2.6.32.42/drivers/ata/pata_ninja32.c 2011-03-27 14:31:47.000000000 -0400
24290 +++ linux-2.6.32.42/drivers/ata/pata_ninja32.c 2011-04-17 15:56:46.000000000 -0400
24291 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
24292 ATA_BMDMA_SHT(DRV_NAME),
24295 -static struct ata_port_operations ninja32_port_ops = {
24296 +static const struct ata_port_operations ninja32_port_ops = {
24297 .inherits = &ata_bmdma_port_ops,
24298 .sff_dev_select = ninja32_dev_select,
24299 .cable_detect = ata_cable_40wire,
24300 diff -urNp linux-2.6.32.42/drivers/ata/pata_ns87410.c linux-2.6.32.42/drivers/ata/pata_ns87410.c
24301 --- linux-2.6.32.42/drivers/ata/pata_ns87410.c 2011-03-27 14:31:47.000000000 -0400
24302 +++ linux-2.6.32.42/drivers/ata/pata_ns87410.c 2011-04-17 15:56:46.000000000 -0400
24303 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
24304 ATA_PIO_SHT(DRV_NAME),
24307 -static struct ata_port_operations ns87410_port_ops = {
24308 +static const struct ata_port_operations ns87410_port_ops = {
24309 .inherits = &ata_sff_port_ops,
24310 .qc_issue = ns87410_qc_issue,
24311 .cable_detect = ata_cable_40wire,
24312 diff -urNp linux-2.6.32.42/drivers/ata/pata_ns87415.c linux-2.6.32.42/drivers/ata/pata_ns87415.c
24313 --- linux-2.6.32.42/drivers/ata/pata_ns87415.c 2011-03-27 14:31:47.000000000 -0400
24314 +++ linux-2.6.32.42/drivers/ata/pata_ns87415.c 2011-04-17 15:56:46.000000000 -0400
24315 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
24317 #endif /* 87560 SuperIO Support */
24319 -static struct ata_port_operations ns87415_pata_ops = {
24320 +static const struct ata_port_operations ns87415_pata_ops = {
24321 .inherits = &ata_bmdma_port_ops,
24323 .check_atapi_dma = ns87415_check_atapi_dma,
24324 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
24327 #if defined(CONFIG_SUPERIO)
24328 -static struct ata_port_operations ns87560_pata_ops = {
24329 +static const struct ata_port_operations ns87560_pata_ops = {
24330 .inherits = &ns87415_pata_ops,
24331 .sff_tf_read = ns87560_tf_read,
24332 .sff_check_status = ns87560_check_status,
24333 diff -urNp linux-2.6.32.42/drivers/ata/pata_octeon_cf.c linux-2.6.32.42/drivers/ata/pata_octeon_cf.c
24334 --- linux-2.6.32.42/drivers/ata/pata_octeon_cf.c 2011-03-27 14:31:47.000000000 -0400
24335 +++ linux-2.6.32.42/drivers/ata/pata_octeon_cf.c 2011-04-17 15:56:46.000000000 -0400
24336 @@ -801,6 +801,7 @@ static unsigned int octeon_cf_qc_issue(s
24340 +/* cannot be const */
24341 static struct ata_port_operations octeon_cf_ops = {
24342 .inherits = &ata_sff_port_ops,
24343 .check_atapi_dma = octeon_cf_check_atapi_dma,
24344 diff -urNp linux-2.6.32.42/drivers/ata/pata_oldpiix.c linux-2.6.32.42/drivers/ata/pata_oldpiix.c
24345 --- linux-2.6.32.42/drivers/ata/pata_oldpiix.c 2011-03-27 14:31:47.000000000 -0400
24346 +++ linux-2.6.32.42/drivers/ata/pata_oldpiix.c 2011-04-17 15:56:46.000000000 -0400
24347 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
24348 ATA_BMDMA_SHT(DRV_NAME),
24351 -static struct ata_port_operations oldpiix_pata_ops = {
24352 +static const struct ata_port_operations oldpiix_pata_ops = {
24353 .inherits = &ata_bmdma_port_ops,
24354 .qc_issue = oldpiix_qc_issue,
24355 .cable_detect = ata_cable_40wire,
24356 diff -urNp linux-2.6.32.42/drivers/ata/pata_opti.c linux-2.6.32.42/drivers/ata/pata_opti.c
24357 --- linux-2.6.32.42/drivers/ata/pata_opti.c 2011-03-27 14:31:47.000000000 -0400
24358 +++ linux-2.6.32.42/drivers/ata/pata_opti.c 2011-04-17 15:56:46.000000000 -0400
24359 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
24360 ATA_PIO_SHT(DRV_NAME),
24363 -static struct ata_port_operations opti_port_ops = {
24364 +static const struct ata_port_operations opti_port_ops = {
24365 .inherits = &ata_sff_port_ops,
24366 .cable_detect = ata_cable_40wire,
24367 .set_piomode = opti_set_piomode,
24368 diff -urNp linux-2.6.32.42/drivers/ata/pata_optidma.c linux-2.6.32.42/drivers/ata/pata_optidma.c
24369 --- linux-2.6.32.42/drivers/ata/pata_optidma.c 2011-03-27 14:31:47.000000000 -0400
24370 +++ linux-2.6.32.42/drivers/ata/pata_optidma.c 2011-04-17 15:56:46.000000000 -0400
24371 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
24372 ATA_BMDMA_SHT(DRV_NAME),
24375 -static struct ata_port_operations optidma_port_ops = {
24376 +static const struct ata_port_operations optidma_port_ops = {
24377 .inherits = &ata_bmdma_port_ops,
24378 .cable_detect = ata_cable_40wire,
24379 .set_piomode = optidma_set_pio_mode,
24380 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
24381 .prereset = optidma_pre_reset,
24384 -static struct ata_port_operations optiplus_port_ops = {
24385 +static const struct ata_port_operations optiplus_port_ops = {
24386 .inherits = &optidma_port_ops,
24387 .set_piomode = optiplus_set_pio_mode,
24388 .set_dmamode = optiplus_set_dma_mode,
24389 diff -urNp linux-2.6.32.42/drivers/ata/pata_palmld.c linux-2.6.32.42/drivers/ata/pata_palmld.c
24390 --- linux-2.6.32.42/drivers/ata/pata_palmld.c 2011-03-27 14:31:47.000000000 -0400
24391 +++ linux-2.6.32.42/drivers/ata/pata_palmld.c 2011-04-17 15:56:46.000000000 -0400
24392 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
24393 ATA_PIO_SHT(DRV_NAME),
24396 -static struct ata_port_operations palmld_port_ops = {
24397 +static const struct ata_port_operations palmld_port_ops = {
24398 .inherits = &ata_sff_port_ops,
24399 .sff_data_xfer = ata_sff_data_xfer_noirq,
24400 .cable_detect = ata_cable_40wire,
24401 diff -urNp linux-2.6.32.42/drivers/ata/pata_pcmcia.c linux-2.6.32.42/drivers/ata/pata_pcmcia.c
24402 --- linux-2.6.32.42/drivers/ata/pata_pcmcia.c 2011-03-27 14:31:47.000000000 -0400
24403 +++ linux-2.6.32.42/drivers/ata/pata_pcmcia.c 2011-04-17 15:56:46.000000000 -0400
24404 @@ -162,14 +162,14 @@ static struct scsi_host_template pcmcia_
24405 ATA_PIO_SHT(DRV_NAME),
24408 -static struct ata_port_operations pcmcia_port_ops = {
24409 +static const struct ata_port_operations pcmcia_port_ops = {
24410 .inherits = &ata_sff_port_ops,
24411 .sff_data_xfer = ata_sff_data_xfer_noirq,
24412 .cable_detect = ata_cable_40wire,
24413 .set_mode = pcmcia_set_mode,
24416 -static struct ata_port_operations pcmcia_8bit_port_ops = {
24417 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
24418 .inherits = &ata_sff_port_ops,
24419 .sff_data_xfer = ata_data_xfer_8bit,
24420 .cable_detect = ata_cable_40wire,
24421 @@ -256,7 +256,7 @@ static int pcmcia_init_one(struct pcmcia
24422 unsigned long io_base, ctl_base;
24423 void __iomem *io_addr, *ctl_addr;
24425 - struct ata_port_operations *ops = &pcmcia_port_ops;
24426 + const struct ata_port_operations *ops = &pcmcia_port_ops;
24428 info = kzalloc(sizeof(*info), GFP_KERNEL);
24430 diff -urNp linux-2.6.32.42/drivers/ata/pata_pdc2027x.c linux-2.6.32.42/drivers/ata/pata_pdc2027x.c
24431 --- linux-2.6.32.42/drivers/ata/pata_pdc2027x.c 2011-03-27 14:31:47.000000000 -0400
24432 +++ linux-2.6.32.42/drivers/ata/pata_pdc2027x.c 2011-04-17 15:56:46.000000000 -0400
24433 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
24434 ATA_BMDMA_SHT(DRV_NAME),
24437 -static struct ata_port_operations pdc2027x_pata100_ops = {
24438 +static const struct ata_port_operations pdc2027x_pata100_ops = {
24439 .inherits = &ata_bmdma_port_ops,
24440 .check_atapi_dma = pdc2027x_check_atapi_dma,
24441 .cable_detect = pdc2027x_cable_detect,
24442 .prereset = pdc2027x_prereset,
24445 -static struct ata_port_operations pdc2027x_pata133_ops = {
24446 +static const struct ata_port_operations pdc2027x_pata133_ops = {
24447 .inherits = &pdc2027x_pata100_ops,
24448 .mode_filter = pdc2027x_mode_filter,
24449 .set_piomode = pdc2027x_set_piomode,
24450 diff -urNp linux-2.6.32.42/drivers/ata/pata_pdc202xx_old.c linux-2.6.32.42/drivers/ata/pata_pdc202xx_old.c
24451 --- linux-2.6.32.42/drivers/ata/pata_pdc202xx_old.c 2011-03-27 14:31:47.000000000 -0400
24452 +++ linux-2.6.32.42/drivers/ata/pata_pdc202xx_old.c 2011-04-17 15:56:46.000000000 -0400
24453 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
24454 ATA_BMDMA_SHT(DRV_NAME),
24457 -static struct ata_port_operations pdc2024x_port_ops = {
24458 +static const struct ata_port_operations pdc2024x_port_ops = {
24459 .inherits = &ata_bmdma_port_ops,
24461 .cable_detect = ata_cable_40wire,
24462 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
24463 .sff_exec_command = pdc202xx_exec_command,
24466 -static struct ata_port_operations pdc2026x_port_ops = {
24467 +static const struct ata_port_operations pdc2026x_port_ops = {
24468 .inherits = &pdc2024x_port_ops,
24470 .check_atapi_dma = pdc2026x_check_atapi_dma,
24471 diff -urNp linux-2.6.32.42/drivers/ata/pata_platform.c linux-2.6.32.42/drivers/ata/pata_platform.c
24472 --- linux-2.6.32.42/drivers/ata/pata_platform.c 2011-03-27 14:31:47.000000000 -0400
24473 +++ linux-2.6.32.42/drivers/ata/pata_platform.c 2011-04-17 15:56:46.000000000 -0400
24474 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
24475 ATA_PIO_SHT(DRV_NAME),
24478 -static struct ata_port_operations pata_platform_port_ops = {
24479 +static const struct ata_port_operations pata_platform_port_ops = {
24480 .inherits = &ata_sff_port_ops,
24481 .sff_data_xfer = ata_sff_data_xfer_noirq,
24482 .cable_detect = ata_cable_unknown,
24483 diff -urNp linux-2.6.32.42/drivers/ata/pata_qdi.c linux-2.6.32.42/drivers/ata/pata_qdi.c
24484 --- linux-2.6.32.42/drivers/ata/pata_qdi.c 2011-03-27 14:31:47.000000000 -0400
24485 +++ linux-2.6.32.42/drivers/ata/pata_qdi.c 2011-04-17 15:56:46.000000000 -0400
24486 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
24487 ATA_PIO_SHT(DRV_NAME),
24490 -static struct ata_port_operations qdi6500_port_ops = {
24491 +static const struct ata_port_operations qdi6500_port_ops = {
24492 .inherits = &ata_sff_port_ops,
24493 .qc_issue = qdi_qc_issue,
24494 .sff_data_xfer = qdi_data_xfer,
24495 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
24496 .set_piomode = qdi6500_set_piomode,
24499 -static struct ata_port_operations qdi6580_port_ops = {
24500 +static const struct ata_port_operations qdi6580_port_ops = {
24501 .inherits = &qdi6500_port_ops,
24502 .set_piomode = qdi6580_set_piomode,
24504 diff -urNp linux-2.6.32.42/drivers/ata/pata_radisys.c linux-2.6.32.42/drivers/ata/pata_radisys.c
24505 --- linux-2.6.32.42/drivers/ata/pata_radisys.c 2011-03-27 14:31:47.000000000 -0400
24506 +++ linux-2.6.32.42/drivers/ata/pata_radisys.c 2011-04-17 15:56:46.000000000 -0400
24507 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
24508 ATA_BMDMA_SHT(DRV_NAME),
24511 -static struct ata_port_operations radisys_pata_ops = {
24512 +static const struct ata_port_operations radisys_pata_ops = {
24513 .inherits = &ata_bmdma_port_ops,
24514 .qc_issue = radisys_qc_issue,
24515 .cable_detect = ata_cable_unknown,
24516 diff -urNp linux-2.6.32.42/drivers/ata/pata_rb532_cf.c linux-2.6.32.42/drivers/ata/pata_rb532_cf.c
24517 --- linux-2.6.32.42/drivers/ata/pata_rb532_cf.c 2011-03-27 14:31:47.000000000 -0400
24518 +++ linux-2.6.32.42/drivers/ata/pata_rb532_cf.c 2011-04-17 15:56:46.000000000 -0400
24519 @@ -68,7 +68,7 @@ static irqreturn_t rb532_pata_irq_handle
24520 return IRQ_HANDLED;
24523 -static struct ata_port_operations rb532_pata_port_ops = {
24524 +static const struct ata_port_operations rb532_pata_port_ops = {
24525 .inherits = &ata_sff_port_ops,
24526 .sff_data_xfer = ata_sff_data_xfer32,
24528 diff -urNp linux-2.6.32.42/drivers/ata/pata_rdc.c linux-2.6.32.42/drivers/ata/pata_rdc.c
24529 --- linux-2.6.32.42/drivers/ata/pata_rdc.c 2011-03-27 14:31:47.000000000 -0400
24530 +++ linux-2.6.32.42/drivers/ata/pata_rdc.c 2011-04-17 15:56:46.000000000 -0400
24531 @@ -272,7 +272,7 @@ static void rdc_set_dmamode(struct ata_p
24532 pci_write_config_byte(dev, 0x48, udma_enable);
24535 -static struct ata_port_operations rdc_pata_ops = {
24536 +static const struct ata_port_operations rdc_pata_ops = {
24537 .inherits = &ata_bmdma32_port_ops,
24538 .cable_detect = rdc_pata_cable_detect,
24539 .set_piomode = rdc_set_piomode,
24540 diff -urNp linux-2.6.32.42/drivers/ata/pata_rz1000.c linux-2.6.32.42/drivers/ata/pata_rz1000.c
24541 --- linux-2.6.32.42/drivers/ata/pata_rz1000.c 2011-03-27 14:31:47.000000000 -0400
24542 +++ linux-2.6.32.42/drivers/ata/pata_rz1000.c 2011-04-17 15:56:46.000000000 -0400
24543 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
24544 ATA_PIO_SHT(DRV_NAME),
24547 -static struct ata_port_operations rz1000_port_ops = {
24548 +static const struct ata_port_operations rz1000_port_ops = {
24549 .inherits = &ata_sff_port_ops,
24550 .cable_detect = ata_cable_40wire,
24551 .set_mode = rz1000_set_mode,
24552 diff -urNp linux-2.6.32.42/drivers/ata/pata_sc1200.c linux-2.6.32.42/drivers/ata/pata_sc1200.c
24553 --- linux-2.6.32.42/drivers/ata/pata_sc1200.c 2011-03-27 14:31:47.000000000 -0400
24554 +++ linux-2.6.32.42/drivers/ata/pata_sc1200.c 2011-04-17 15:56:46.000000000 -0400
24555 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
24556 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
24559 -static struct ata_port_operations sc1200_port_ops = {
24560 +static const struct ata_port_operations sc1200_port_ops = {
24561 .inherits = &ata_bmdma_port_ops,
24562 .qc_prep = ata_sff_dumb_qc_prep,
24563 .qc_issue = sc1200_qc_issue,
24564 diff -urNp linux-2.6.32.42/drivers/ata/pata_scc.c linux-2.6.32.42/drivers/ata/pata_scc.c
24565 --- linux-2.6.32.42/drivers/ata/pata_scc.c 2011-03-27 14:31:47.000000000 -0400
24566 +++ linux-2.6.32.42/drivers/ata/pata_scc.c 2011-04-17 15:56:46.000000000 -0400
24567 @@ -965,7 +965,7 @@ static struct scsi_host_template scc_sht
24568 ATA_BMDMA_SHT(DRV_NAME),
24571 -static struct ata_port_operations scc_pata_ops = {
24572 +static const struct ata_port_operations scc_pata_ops = {
24573 .inherits = &ata_bmdma_port_ops,
24575 .set_piomode = scc_set_piomode,
24576 diff -urNp linux-2.6.32.42/drivers/ata/pata_sch.c linux-2.6.32.42/drivers/ata/pata_sch.c
24577 --- linux-2.6.32.42/drivers/ata/pata_sch.c 2011-03-27 14:31:47.000000000 -0400
24578 +++ linux-2.6.32.42/drivers/ata/pata_sch.c 2011-04-17 15:56:46.000000000 -0400
24579 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
24580 ATA_BMDMA_SHT(DRV_NAME),
24583 -static struct ata_port_operations sch_pata_ops = {
24584 +static const struct ata_port_operations sch_pata_ops = {
24585 .inherits = &ata_bmdma_port_ops,
24586 .cable_detect = ata_cable_unknown,
24587 .set_piomode = sch_set_piomode,
24588 diff -urNp linux-2.6.32.42/drivers/ata/pata_serverworks.c linux-2.6.32.42/drivers/ata/pata_serverworks.c
24589 --- linux-2.6.32.42/drivers/ata/pata_serverworks.c 2011-03-27 14:31:47.000000000 -0400
24590 +++ linux-2.6.32.42/drivers/ata/pata_serverworks.c 2011-04-17 15:56:46.000000000 -0400
24591 @@ -299,7 +299,7 @@ static struct scsi_host_template serverw
24592 ATA_BMDMA_SHT(DRV_NAME),
24595 -static struct ata_port_operations serverworks_osb4_port_ops = {
24596 +static const struct ata_port_operations serverworks_osb4_port_ops = {
24597 .inherits = &ata_bmdma_port_ops,
24598 .cable_detect = serverworks_cable_detect,
24599 .mode_filter = serverworks_osb4_filter,
24600 @@ -307,7 +307,7 @@ static struct ata_port_operations server
24601 .set_dmamode = serverworks_set_dmamode,
24604 -static struct ata_port_operations serverworks_csb_port_ops = {
24605 +static const struct ata_port_operations serverworks_csb_port_ops = {
24606 .inherits = &serverworks_osb4_port_ops,
24607 .mode_filter = serverworks_csb_filter,
24609 diff -urNp linux-2.6.32.42/drivers/ata/pata_sil680.c linux-2.6.32.42/drivers/ata/pata_sil680.c
24610 --- linux-2.6.32.42/drivers/ata/pata_sil680.c 2011-06-25 12:55:34.000000000 -0400
24611 +++ linux-2.6.32.42/drivers/ata/pata_sil680.c 2011-06-25 12:56:37.000000000 -0400
24612 @@ -194,7 +194,7 @@ static struct scsi_host_template sil680_
24613 ATA_BMDMA_SHT(DRV_NAME),
24616 -static struct ata_port_operations sil680_port_ops = {
24617 +static const struct ata_port_operations sil680_port_ops = {
24618 .inherits = &ata_bmdma32_port_ops,
24619 .cable_detect = sil680_cable_detect,
24620 .set_piomode = sil680_set_piomode,
24621 diff -urNp linux-2.6.32.42/drivers/ata/pata_sis.c linux-2.6.32.42/drivers/ata/pata_sis.c
24622 --- linux-2.6.32.42/drivers/ata/pata_sis.c 2011-03-27 14:31:47.000000000 -0400
24623 +++ linux-2.6.32.42/drivers/ata/pata_sis.c 2011-04-17 15:56:46.000000000 -0400
24624 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
24625 ATA_BMDMA_SHT(DRV_NAME),
24628 -static struct ata_port_operations sis_133_for_sata_ops = {
24629 +static const struct ata_port_operations sis_133_for_sata_ops = {
24630 .inherits = &ata_bmdma_port_ops,
24631 .set_piomode = sis_133_set_piomode,
24632 .set_dmamode = sis_133_set_dmamode,
24633 .cable_detect = sis_133_cable_detect,
24636 -static struct ata_port_operations sis_base_ops = {
24637 +static const struct ata_port_operations sis_base_ops = {
24638 .inherits = &ata_bmdma_port_ops,
24639 .prereset = sis_pre_reset,
24642 -static struct ata_port_operations sis_133_ops = {
24643 +static const struct ata_port_operations sis_133_ops = {
24644 .inherits = &sis_base_ops,
24645 .set_piomode = sis_133_set_piomode,
24646 .set_dmamode = sis_133_set_dmamode,
24647 .cable_detect = sis_133_cable_detect,
24650 -static struct ata_port_operations sis_133_early_ops = {
24651 +static const struct ata_port_operations sis_133_early_ops = {
24652 .inherits = &sis_base_ops,
24653 .set_piomode = sis_100_set_piomode,
24654 .set_dmamode = sis_133_early_set_dmamode,
24655 .cable_detect = sis_66_cable_detect,
24658 -static struct ata_port_operations sis_100_ops = {
24659 +static const struct ata_port_operations sis_100_ops = {
24660 .inherits = &sis_base_ops,
24661 .set_piomode = sis_100_set_piomode,
24662 .set_dmamode = sis_100_set_dmamode,
24663 .cable_detect = sis_66_cable_detect,
24666 -static struct ata_port_operations sis_66_ops = {
24667 +static const struct ata_port_operations sis_66_ops = {
24668 .inherits = &sis_base_ops,
24669 .set_piomode = sis_old_set_piomode,
24670 .set_dmamode = sis_66_set_dmamode,
24671 .cable_detect = sis_66_cable_detect,
24674 -static struct ata_port_operations sis_old_ops = {
24675 +static const struct ata_port_operations sis_old_ops = {
24676 .inherits = &sis_base_ops,
24677 .set_piomode = sis_old_set_piomode,
24678 .set_dmamode = sis_old_set_dmamode,
24679 diff -urNp linux-2.6.32.42/drivers/ata/pata_sl82c105.c linux-2.6.32.42/drivers/ata/pata_sl82c105.c
24680 --- linux-2.6.32.42/drivers/ata/pata_sl82c105.c 2011-03-27 14:31:47.000000000 -0400
24681 +++ linux-2.6.32.42/drivers/ata/pata_sl82c105.c 2011-04-17 15:56:46.000000000 -0400
24682 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
24683 ATA_BMDMA_SHT(DRV_NAME),
24686 -static struct ata_port_operations sl82c105_port_ops = {
24687 +static const struct ata_port_operations sl82c105_port_ops = {
24688 .inherits = &ata_bmdma_port_ops,
24689 .qc_defer = sl82c105_qc_defer,
24690 .bmdma_start = sl82c105_bmdma_start,
24691 diff -urNp linux-2.6.32.42/drivers/ata/pata_triflex.c linux-2.6.32.42/drivers/ata/pata_triflex.c
24692 --- linux-2.6.32.42/drivers/ata/pata_triflex.c 2011-03-27 14:31:47.000000000 -0400
24693 +++ linux-2.6.32.42/drivers/ata/pata_triflex.c 2011-04-17 15:56:46.000000000 -0400
24694 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
24695 ATA_BMDMA_SHT(DRV_NAME),
24698 -static struct ata_port_operations triflex_port_ops = {
24699 +static const struct ata_port_operations triflex_port_ops = {
24700 .inherits = &ata_bmdma_port_ops,
24701 .bmdma_start = triflex_bmdma_start,
24702 .bmdma_stop = triflex_bmdma_stop,
24703 diff -urNp linux-2.6.32.42/drivers/ata/pata_via.c linux-2.6.32.42/drivers/ata/pata_via.c
24704 --- linux-2.6.32.42/drivers/ata/pata_via.c 2011-03-27 14:31:47.000000000 -0400
24705 +++ linux-2.6.32.42/drivers/ata/pata_via.c 2011-04-17 15:56:46.000000000 -0400
24706 @@ -419,7 +419,7 @@ static struct scsi_host_template via_sht
24707 ATA_BMDMA_SHT(DRV_NAME),
24710 -static struct ata_port_operations via_port_ops = {
24711 +static const struct ata_port_operations via_port_ops = {
24712 .inherits = &ata_bmdma_port_ops,
24713 .cable_detect = via_cable_detect,
24714 .set_piomode = via_set_piomode,
24715 @@ -429,7 +429,7 @@ static struct ata_port_operations via_po
24716 .port_start = via_port_start,
24719 -static struct ata_port_operations via_port_ops_noirq = {
24720 +static const struct ata_port_operations via_port_ops_noirq = {
24721 .inherits = &via_port_ops,
24722 .sff_data_xfer = ata_sff_data_xfer_noirq,
24724 diff -urNp linux-2.6.32.42/drivers/ata/pata_winbond.c linux-2.6.32.42/drivers/ata/pata_winbond.c
24725 --- linux-2.6.32.42/drivers/ata/pata_winbond.c 2011-03-27 14:31:47.000000000 -0400
24726 +++ linux-2.6.32.42/drivers/ata/pata_winbond.c 2011-04-17 15:56:46.000000000 -0400
24727 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
24728 ATA_PIO_SHT(DRV_NAME),
24731 -static struct ata_port_operations winbond_port_ops = {
24732 +static const struct ata_port_operations winbond_port_ops = {
24733 .inherits = &ata_sff_port_ops,
24734 .sff_data_xfer = winbond_data_xfer,
24735 .cable_detect = ata_cable_40wire,
24736 diff -urNp linux-2.6.32.42/drivers/ata/pdc_adma.c linux-2.6.32.42/drivers/ata/pdc_adma.c
24737 --- linux-2.6.32.42/drivers/ata/pdc_adma.c 2011-03-27 14:31:47.000000000 -0400
24738 +++ linux-2.6.32.42/drivers/ata/pdc_adma.c 2011-04-17 15:56:46.000000000 -0400
24739 @@ -145,7 +145,7 @@ static struct scsi_host_template adma_at
24740 .dma_boundary = ADMA_DMA_BOUNDARY,
24743 -static struct ata_port_operations adma_ata_ops = {
24744 +static const struct ata_port_operations adma_ata_ops = {
24745 .inherits = &ata_sff_port_ops,
24747 .lost_interrupt = ATA_OP_NULL,
24748 diff -urNp linux-2.6.32.42/drivers/ata/sata_fsl.c linux-2.6.32.42/drivers/ata/sata_fsl.c
24749 --- linux-2.6.32.42/drivers/ata/sata_fsl.c 2011-03-27 14:31:47.000000000 -0400
24750 +++ linux-2.6.32.42/drivers/ata/sata_fsl.c 2011-04-17 15:56:46.000000000 -0400
24751 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
24752 .dma_boundary = ATA_DMA_BOUNDARY,
24755 -static struct ata_port_operations sata_fsl_ops = {
24756 +static const struct ata_port_operations sata_fsl_ops = {
24757 .inherits = &sata_pmp_port_ops,
24759 .qc_defer = ata_std_qc_defer,
24760 diff -urNp linux-2.6.32.42/drivers/ata/sata_inic162x.c linux-2.6.32.42/drivers/ata/sata_inic162x.c
24761 --- linux-2.6.32.42/drivers/ata/sata_inic162x.c 2011-03-27 14:31:47.000000000 -0400
24762 +++ linux-2.6.32.42/drivers/ata/sata_inic162x.c 2011-04-17 15:56:46.000000000 -0400
24763 @@ -721,7 +721,7 @@ static int inic_port_start(struct ata_po
24767 -static struct ata_port_operations inic_port_ops = {
24768 +static const struct ata_port_operations inic_port_ops = {
24769 .inherits = &sata_port_ops,
24771 .check_atapi_dma = inic_check_atapi_dma,
24772 diff -urNp linux-2.6.32.42/drivers/ata/sata_mv.c linux-2.6.32.42/drivers/ata/sata_mv.c
24773 --- linux-2.6.32.42/drivers/ata/sata_mv.c 2011-03-27 14:31:47.000000000 -0400
24774 +++ linux-2.6.32.42/drivers/ata/sata_mv.c 2011-04-17 15:56:46.000000000 -0400
24775 @@ -656,7 +656,7 @@ static struct scsi_host_template mv6_sht
24776 .dma_boundary = MV_DMA_BOUNDARY,
24779 -static struct ata_port_operations mv5_ops = {
24780 +static const struct ata_port_operations mv5_ops = {
24781 .inherits = &ata_sff_port_ops,
24783 .lost_interrupt = ATA_OP_NULL,
24784 @@ -678,7 +678,7 @@ static struct ata_port_operations mv5_op
24785 .port_stop = mv_port_stop,
24788 -static struct ata_port_operations mv6_ops = {
24789 +static const struct ata_port_operations mv6_ops = {
24790 .inherits = &mv5_ops,
24791 .dev_config = mv6_dev_config,
24792 .scr_read = mv_scr_read,
24793 @@ -698,7 +698,7 @@ static struct ata_port_operations mv6_op
24794 .bmdma_status = mv_bmdma_status,
24797 -static struct ata_port_operations mv_iie_ops = {
24798 +static const struct ata_port_operations mv_iie_ops = {
24799 .inherits = &mv6_ops,
24800 .dev_config = ATA_OP_NULL,
24801 .qc_prep = mv_qc_prep_iie,
24802 diff -urNp linux-2.6.32.42/drivers/ata/sata_nv.c linux-2.6.32.42/drivers/ata/sata_nv.c
24803 --- linux-2.6.32.42/drivers/ata/sata_nv.c 2011-03-27 14:31:47.000000000 -0400
24804 +++ linux-2.6.32.42/drivers/ata/sata_nv.c 2011-04-17 15:56:46.000000000 -0400
24805 @@ -464,7 +464,7 @@ static struct scsi_host_template nv_swnc
24806 * cases. Define nv_hardreset() which only kicks in for post-boot
24807 * probing and use it for all variants.
24809 -static struct ata_port_operations nv_generic_ops = {
24810 +static const struct ata_port_operations nv_generic_ops = {
24811 .inherits = &ata_bmdma_port_ops,
24812 .lost_interrupt = ATA_OP_NULL,
24813 .scr_read = nv_scr_read,
24814 @@ -472,20 +472,20 @@ static struct ata_port_operations nv_gen
24815 .hardreset = nv_hardreset,
24818 -static struct ata_port_operations nv_nf2_ops = {
24819 +static const struct ata_port_operations nv_nf2_ops = {
24820 .inherits = &nv_generic_ops,
24821 .freeze = nv_nf2_freeze,
24822 .thaw = nv_nf2_thaw,
24825 -static struct ata_port_operations nv_ck804_ops = {
24826 +static const struct ata_port_operations nv_ck804_ops = {
24827 .inherits = &nv_generic_ops,
24828 .freeze = nv_ck804_freeze,
24829 .thaw = nv_ck804_thaw,
24830 .host_stop = nv_ck804_host_stop,
24833 -static struct ata_port_operations nv_adma_ops = {
24834 +static const struct ata_port_operations nv_adma_ops = {
24835 .inherits = &nv_ck804_ops,
24837 .check_atapi_dma = nv_adma_check_atapi_dma,
24838 @@ -509,7 +509,7 @@ static struct ata_port_operations nv_adm
24839 .host_stop = nv_adma_host_stop,
24842 -static struct ata_port_operations nv_swncq_ops = {
24843 +static const struct ata_port_operations nv_swncq_ops = {
24844 .inherits = &nv_generic_ops,
24846 .qc_defer = ata_std_qc_defer,
24847 diff -urNp linux-2.6.32.42/drivers/ata/sata_promise.c linux-2.6.32.42/drivers/ata/sata_promise.c
24848 --- linux-2.6.32.42/drivers/ata/sata_promise.c 2011-03-27 14:31:47.000000000 -0400
24849 +++ linux-2.6.32.42/drivers/ata/sata_promise.c 2011-04-17 15:56:46.000000000 -0400
24850 @@ -195,7 +195,7 @@ static const struct ata_port_operations
24851 .error_handler = pdc_error_handler,
24854 -static struct ata_port_operations pdc_sata_ops = {
24855 +static const struct ata_port_operations pdc_sata_ops = {
24856 .inherits = &pdc_common_ops,
24857 .cable_detect = pdc_sata_cable_detect,
24858 .freeze = pdc_sata_freeze,
24859 @@ -208,14 +208,14 @@ static struct ata_port_operations pdc_sa
24861 /* First-generation chips need a more restrictive ->check_atapi_dma op,
24862 and ->freeze/thaw that ignore the hotplug controls. */
24863 -static struct ata_port_operations pdc_old_sata_ops = {
24864 +static const struct ata_port_operations pdc_old_sata_ops = {
24865 .inherits = &pdc_sata_ops,
24866 .freeze = pdc_freeze,
24868 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
24871 -static struct ata_port_operations pdc_pata_ops = {
24872 +static const struct ata_port_operations pdc_pata_ops = {
24873 .inherits = &pdc_common_ops,
24874 .cable_detect = pdc_pata_cable_detect,
24875 .freeze = pdc_freeze,
24876 diff -urNp linux-2.6.32.42/drivers/ata/sata_qstor.c linux-2.6.32.42/drivers/ata/sata_qstor.c
24877 --- linux-2.6.32.42/drivers/ata/sata_qstor.c 2011-03-27 14:31:47.000000000 -0400
24878 +++ linux-2.6.32.42/drivers/ata/sata_qstor.c 2011-04-17 15:56:46.000000000 -0400
24879 @@ -132,7 +132,7 @@ static struct scsi_host_template qs_ata_
24880 .dma_boundary = QS_DMA_BOUNDARY,
24883 -static struct ata_port_operations qs_ata_ops = {
24884 +static const struct ata_port_operations qs_ata_ops = {
24885 .inherits = &ata_sff_port_ops,
24887 .check_atapi_dma = qs_check_atapi_dma,
24888 diff -urNp linux-2.6.32.42/drivers/ata/sata_sil24.c linux-2.6.32.42/drivers/ata/sata_sil24.c
24889 --- linux-2.6.32.42/drivers/ata/sata_sil24.c 2011-03-27 14:31:47.000000000 -0400
24890 +++ linux-2.6.32.42/drivers/ata/sata_sil24.c 2011-04-17 15:56:46.000000000 -0400
24891 @@ -388,7 +388,7 @@ static struct scsi_host_template sil24_s
24892 .dma_boundary = ATA_DMA_BOUNDARY,
24895 -static struct ata_port_operations sil24_ops = {
24896 +static const struct ata_port_operations sil24_ops = {
24897 .inherits = &sata_pmp_port_ops,
24899 .qc_defer = sil24_qc_defer,
24900 diff -urNp linux-2.6.32.42/drivers/ata/sata_sil.c linux-2.6.32.42/drivers/ata/sata_sil.c
24901 --- linux-2.6.32.42/drivers/ata/sata_sil.c 2011-03-27 14:31:47.000000000 -0400
24902 +++ linux-2.6.32.42/drivers/ata/sata_sil.c 2011-04-17 15:56:46.000000000 -0400
24903 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
24904 .sg_tablesize = ATA_MAX_PRD
24907 -static struct ata_port_operations sil_ops = {
24908 +static const struct ata_port_operations sil_ops = {
24909 .inherits = &ata_bmdma32_port_ops,
24910 .dev_config = sil_dev_config,
24911 .set_mode = sil_set_mode,
24912 diff -urNp linux-2.6.32.42/drivers/ata/sata_sis.c linux-2.6.32.42/drivers/ata/sata_sis.c
24913 --- linux-2.6.32.42/drivers/ata/sata_sis.c 2011-03-27 14:31:47.000000000 -0400
24914 +++ linux-2.6.32.42/drivers/ata/sata_sis.c 2011-04-17 15:56:46.000000000 -0400
24915 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
24916 ATA_BMDMA_SHT(DRV_NAME),
24919 -static struct ata_port_operations sis_ops = {
24920 +static const struct ata_port_operations sis_ops = {
24921 .inherits = &ata_bmdma_port_ops,
24922 .scr_read = sis_scr_read,
24923 .scr_write = sis_scr_write,
24924 diff -urNp linux-2.6.32.42/drivers/ata/sata_svw.c linux-2.6.32.42/drivers/ata/sata_svw.c
24925 --- linux-2.6.32.42/drivers/ata/sata_svw.c 2011-03-27 14:31:47.000000000 -0400
24926 +++ linux-2.6.32.42/drivers/ata/sata_svw.c 2011-04-17 15:56:46.000000000 -0400
24927 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
24931 -static struct ata_port_operations k2_sata_ops = {
24932 +static const struct ata_port_operations k2_sata_ops = {
24933 .inherits = &ata_bmdma_port_ops,
24934 .sff_tf_load = k2_sata_tf_load,
24935 .sff_tf_read = k2_sata_tf_read,
24936 diff -urNp linux-2.6.32.42/drivers/ata/sata_sx4.c linux-2.6.32.42/drivers/ata/sata_sx4.c
24937 --- linux-2.6.32.42/drivers/ata/sata_sx4.c 2011-03-27 14:31:47.000000000 -0400
24938 +++ linux-2.6.32.42/drivers/ata/sata_sx4.c 2011-04-17 15:56:46.000000000 -0400
24939 @@ -248,7 +248,7 @@ static struct scsi_host_template pdc_sat
24942 /* TODO: inherit from base port_ops after converting to new EH */
24943 -static struct ata_port_operations pdc_20621_ops = {
24944 +static const struct ata_port_operations pdc_20621_ops = {
24945 .inherits = &ata_sff_port_ops,
24947 .check_atapi_dma = pdc_check_atapi_dma,
24948 diff -urNp linux-2.6.32.42/drivers/ata/sata_uli.c linux-2.6.32.42/drivers/ata/sata_uli.c
24949 --- linux-2.6.32.42/drivers/ata/sata_uli.c 2011-03-27 14:31:47.000000000 -0400
24950 +++ linux-2.6.32.42/drivers/ata/sata_uli.c 2011-04-17 15:56:46.000000000 -0400
24951 @@ -79,7 +79,7 @@ static struct scsi_host_template uli_sht
24952 ATA_BMDMA_SHT(DRV_NAME),
24955 -static struct ata_port_operations uli_ops = {
24956 +static const struct ata_port_operations uli_ops = {
24957 .inherits = &ata_bmdma_port_ops,
24958 .scr_read = uli_scr_read,
24959 .scr_write = uli_scr_write,
24960 diff -urNp linux-2.6.32.42/drivers/ata/sata_via.c linux-2.6.32.42/drivers/ata/sata_via.c
24961 --- linux-2.6.32.42/drivers/ata/sata_via.c 2011-05-10 22:12:01.000000000 -0400
24962 +++ linux-2.6.32.42/drivers/ata/sata_via.c 2011-05-10 22:15:08.000000000 -0400
24963 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
24964 ATA_BMDMA_SHT(DRV_NAME),
24967 -static struct ata_port_operations svia_base_ops = {
24968 +static const struct ata_port_operations svia_base_ops = {
24969 .inherits = &ata_bmdma_port_ops,
24970 .sff_tf_load = svia_tf_load,
24973 -static struct ata_port_operations vt6420_sata_ops = {
24974 +static const struct ata_port_operations vt6420_sata_ops = {
24975 .inherits = &svia_base_ops,
24976 .freeze = svia_noop_freeze,
24977 .prereset = vt6420_prereset,
24978 .bmdma_start = vt6420_bmdma_start,
24981 -static struct ata_port_operations vt6421_pata_ops = {
24982 +static const struct ata_port_operations vt6421_pata_ops = {
24983 .inherits = &svia_base_ops,
24984 .cable_detect = vt6421_pata_cable_detect,
24985 .set_piomode = vt6421_set_pio_mode,
24986 .set_dmamode = vt6421_set_dma_mode,
24989 -static struct ata_port_operations vt6421_sata_ops = {
24990 +static const struct ata_port_operations vt6421_sata_ops = {
24991 .inherits = &svia_base_ops,
24992 .scr_read = svia_scr_read,
24993 .scr_write = svia_scr_write,
24996 -static struct ata_port_operations vt8251_ops = {
24997 +static const struct ata_port_operations vt8251_ops = {
24998 .inherits = &svia_base_ops,
24999 .hardreset = sata_std_hardreset,
25000 .scr_read = vt8251_scr_read,
25001 diff -urNp linux-2.6.32.42/drivers/ata/sata_vsc.c linux-2.6.32.42/drivers/ata/sata_vsc.c
25002 --- linux-2.6.32.42/drivers/ata/sata_vsc.c 2011-03-27 14:31:47.000000000 -0400
25003 +++ linux-2.6.32.42/drivers/ata/sata_vsc.c 2011-04-17 15:56:46.000000000 -0400
25004 @@ -306,7 +306,7 @@ static struct scsi_host_template vsc_sat
25008 -static struct ata_port_operations vsc_sata_ops = {
25009 +static const struct ata_port_operations vsc_sata_ops = {
25010 .inherits = &ata_bmdma_port_ops,
25011 /* The IRQ handling is not quite standard SFF behaviour so we
25012 cannot use the default lost interrupt handler */
25013 diff -urNp linux-2.6.32.42/drivers/atm/adummy.c linux-2.6.32.42/drivers/atm/adummy.c
25014 --- linux-2.6.32.42/drivers/atm/adummy.c 2011-03-27 14:31:47.000000000 -0400
25015 +++ linux-2.6.32.42/drivers/atm/adummy.c 2011-04-17 15:56:46.000000000 -0400
25016 @@ -77,7 +77,7 @@ adummy_send(struct atm_vcc *vcc, struct
25017 vcc->pop(vcc, skb);
25019 dev_kfree_skb_any(skb);
25020 - atomic_inc(&vcc->stats->tx);
25021 + atomic_inc_unchecked(&vcc->stats->tx);
25025 diff -urNp linux-2.6.32.42/drivers/atm/ambassador.c linux-2.6.32.42/drivers/atm/ambassador.c
25026 --- linux-2.6.32.42/drivers/atm/ambassador.c 2011-03-27 14:31:47.000000000 -0400
25027 +++ linux-2.6.32.42/drivers/atm/ambassador.c 2011-04-17 15:56:46.000000000 -0400
25028 @@ -453,7 +453,7 @@ static void tx_complete (amb_dev * dev,
25029 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
25032 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
25033 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
25035 // free the descriptor
25037 @@ -494,7 +494,7 @@ static void rx_complete (amb_dev * dev,
25038 dump_skb ("<<<", vc, skb);
25041 - atomic_inc(&atm_vcc->stats->rx);
25042 + atomic_inc_unchecked(&atm_vcc->stats->rx);
25043 __net_timestamp(skb);
25044 // end of our responsability
25045 atm_vcc->push (atm_vcc, skb);
25046 @@ -509,7 +509,7 @@ static void rx_complete (amb_dev * dev,
25048 PRINTK (KERN_INFO, "dropped over-size frame");
25049 // should we count this?
25050 - atomic_inc(&atm_vcc->stats->rx_drop);
25051 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
25055 @@ -1341,7 +1341,7 @@ static int amb_send (struct atm_vcc * at
25058 if (check_area (skb->data, skb->len)) {
25059 - atomic_inc(&atm_vcc->stats->tx_err);
25060 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
25061 return -ENOMEM; // ?
25064 diff -urNp linux-2.6.32.42/drivers/atm/atmtcp.c linux-2.6.32.42/drivers/atm/atmtcp.c
25065 --- linux-2.6.32.42/drivers/atm/atmtcp.c 2011-03-27 14:31:47.000000000 -0400
25066 +++ linux-2.6.32.42/drivers/atm/atmtcp.c 2011-04-17 15:56:46.000000000 -0400
25067 @@ -206,7 +206,7 @@ static int atmtcp_v_send(struct atm_vcc
25068 if (vcc->pop) vcc->pop(vcc,skb);
25069 else dev_kfree_skb(skb);
25070 if (dev_data) return 0;
25071 - atomic_inc(&vcc->stats->tx_err);
25072 + atomic_inc_unchecked(&vcc->stats->tx_err);
25075 size = skb->len+sizeof(struct atmtcp_hdr);
25076 @@ -214,7 +214,7 @@ static int atmtcp_v_send(struct atm_vcc
25078 if (vcc->pop) vcc->pop(vcc,skb);
25079 else dev_kfree_skb(skb);
25080 - atomic_inc(&vcc->stats->tx_err);
25081 + atomic_inc_unchecked(&vcc->stats->tx_err);
25084 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
25085 @@ -225,8 +225,8 @@ static int atmtcp_v_send(struct atm_vcc
25086 if (vcc->pop) vcc->pop(vcc,skb);
25087 else dev_kfree_skb(skb);
25088 out_vcc->push(out_vcc,new_skb);
25089 - atomic_inc(&vcc->stats->tx);
25090 - atomic_inc(&out_vcc->stats->rx);
25091 + atomic_inc_unchecked(&vcc->stats->tx);
25092 + atomic_inc_unchecked(&out_vcc->stats->rx);
25096 @@ -300,7 +300,7 @@ static int atmtcp_c_send(struct atm_vcc
25097 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
25098 read_unlock(&vcc_sklist_lock);
25100 - atomic_inc(&vcc->stats->tx_err);
25101 + atomic_inc_unchecked(&vcc->stats->tx_err);
25104 skb_pull(skb,sizeof(struct atmtcp_hdr));
25105 @@ -312,8 +312,8 @@ static int atmtcp_c_send(struct atm_vcc
25106 __net_timestamp(new_skb);
25107 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
25108 out_vcc->push(out_vcc,new_skb);
25109 - atomic_inc(&vcc->stats->tx);
25110 - atomic_inc(&out_vcc->stats->rx);
25111 + atomic_inc_unchecked(&vcc->stats->tx);
25112 + atomic_inc_unchecked(&out_vcc->stats->rx);
25114 if (vcc->pop) vcc->pop(vcc,skb);
25115 else dev_kfree_skb(skb);
25116 diff -urNp linux-2.6.32.42/drivers/atm/eni.c linux-2.6.32.42/drivers/atm/eni.c
25117 --- linux-2.6.32.42/drivers/atm/eni.c 2011-03-27 14:31:47.000000000 -0400
25118 +++ linux-2.6.32.42/drivers/atm/eni.c 2011-04-17 15:56:46.000000000 -0400
25119 @@ -525,7 +525,7 @@ static int rx_aal0(struct atm_vcc *vcc)
25120 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
25123 - atomic_inc(&vcc->stats->rx_err);
25124 + atomic_inc_unchecked(&vcc->stats->rx_err);
25127 length = ATM_CELL_SIZE-1; /* no HEC */
25128 @@ -580,7 +580,7 @@ static int rx_aal5(struct atm_vcc *vcc)
25132 - atomic_inc(&vcc->stats->rx_err);
25133 + atomic_inc_unchecked(&vcc->stats->rx_err);
25136 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
25137 @@ -597,7 +597,7 @@ static int rx_aal5(struct atm_vcc *vcc)
25138 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
25139 vcc->dev->number,vcc->vci,length,size << 2,descr);
25141 - atomic_inc(&vcc->stats->rx_err);
25142 + atomic_inc_unchecked(&vcc->stats->rx_err);
25145 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
25146 @@ -770,7 +770,7 @@ rx_dequeued++;
25147 vcc->push(vcc,skb);
25150 - atomic_inc(&vcc->stats->rx);
25151 + atomic_inc_unchecked(&vcc->stats->rx);
25153 wake_up(&eni_dev->rx_wait);
25155 @@ -1227,7 +1227,7 @@ static void dequeue_tx(struct atm_dev *d
25157 if (vcc->pop) vcc->pop(vcc,skb);
25158 else dev_kfree_skb_irq(skb);
25159 - atomic_inc(&vcc->stats->tx);
25160 + atomic_inc_unchecked(&vcc->stats->tx);
25161 wake_up(&eni_dev->tx_wait);
25164 diff -urNp linux-2.6.32.42/drivers/atm/firestream.c linux-2.6.32.42/drivers/atm/firestream.c
25165 --- linux-2.6.32.42/drivers/atm/firestream.c 2011-03-27 14:31:47.000000000 -0400
25166 +++ linux-2.6.32.42/drivers/atm/firestream.c 2011-04-17 15:56:46.000000000 -0400
25167 @@ -748,7 +748,7 @@ static void process_txdone_queue (struct
25171 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
25172 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
25174 fs_dprintk (FS_DEBUG_TXMEM, "i");
25175 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
25176 @@ -815,7 +815,7 @@ static void process_incoming (struct fs_
25178 skb_put (skb, qe->p1 & 0xffff);
25179 ATM_SKB(skb)->vcc = atm_vcc;
25180 - atomic_inc(&atm_vcc->stats->rx);
25181 + atomic_inc_unchecked(&atm_vcc->stats->rx);
25182 __net_timestamp(skb);
25183 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
25184 atm_vcc->push (atm_vcc, skb);
25185 @@ -836,12 +836,12 @@ static void process_incoming (struct fs_
25189 - atomic_inc(&atm_vcc->stats->rx_drop);
25190 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
25192 case 0x1f: /* Reassembly abort: no buffers. */
25193 /* Silently increment error counter. */
25195 - atomic_inc(&atm_vcc->stats->rx_drop);
25196 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
25198 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
25199 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
25200 diff -urNp linux-2.6.32.42/drivers/atm/fore200e.c linux-2.6.32.42/drivers/atm/fore200e.c
25201 --- linux-2.6.32.42/drivers/atm/fore200e.c 2011-03-27 14:31:47.000000000 -0400
25202 +++ linux-2.6.32.42/drivers/atm/fore200e.c 2011-04-17 15:56:46.000000000 -0400
25203 @@ -931,9 +931,9 @@ fore200e_tx_irq(struct fore200e* fore200
25205 /* check error condition */
25206 if (*entry->status & STATUS_ERROR)
25207 - atomic_inc(&vcc->stats->tx_err);
25208 + atomic_inc_unchecked(&vcc->stats->tx_err);
25210 - atomic_inc(&vcc->stats->tx);
25211 + atomic_inc_unchecked(&vcc->stats->tx);
25215 @@ -1082,7 +1082,7 @@ fore200e_push_rpd(struct fore200e* fore2
25217 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
25219 - atomic_inc(&vcc->stats->rx_drop);
25220 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25224 @@ -1125,14 +1125,14 @@ fore200e_push_rpd(struct fore200e* fore2
25226 dev_kfree_skb_any(skb);
25228 - atomic_inc(&vcc->stats->rx_drop);
25229 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25233 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
25235 vcc->push(vcc, skb);
25236 - atomic_inc(&vcc->stats->rx);
25237 + atomic_inc_unchecked(&vcc->stats->rx);
25239 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
25241 @@ -1210,7 +1210,7 @@ fore200e_rx_irq(struct fore200e* fore200
25242 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
25243 fore200e->atm_dev->number,
25244 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
25245 - atomic_inc(&vcc->stats->rx_err);
25246 + atomic_inc_unchecked(&vcc->stats->rx_err);
25250 @@ -1655,7 +1655,7 @@ fore200e_send(struct atm_vcc *vcc, struc
25254 - atomic_inc(&vcc->stats->tx_err);
25255 + atomic_inc_unchecked(&vcc->stats->tx_err);
25257 fore200e->tx_sat++;
25258 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
25259 diff -urNp linux-2.6.32.42/drivers/atm/he.c linux-2.6.32.42/drivers/atm/he.c
25260 --- linux-2.6.32.42/drivers/atm/he.c 2011-03-27 14:31:47.000000000 -0400
25261 +++ linux-2.6.32.42/drivers/atm/he.c 2011-04-17 15:56:46.000000000 -0400
25262 @@ -1769,7 +1769,7 @@ he_service_rbrq(struct he_dev *he_dev, i
25264 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
25265 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
25266 - atomic_inc(&vcc->stats->rx_drop);
25267 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25268 goto return_host_buffers;
25271 @@ -1802,7 +1802,7 @@ he_service_rbrq(struct he_dev *he_dev, i
25272 RBRQ_LEN_ERR(he_dev->rbrq_head)
25274 vcc->vpi, vcc->vci);
25275 - atomic_inc(&vcc->stats->rx_err);
25276 + atomic_inc_unchecked(&vcc->stats->rx_err);
25277 goto return_host_buffers;
25280 @@ -1861,7 +1861,7 @@ he_service_rbrq(struct he_dev *he_dev, i
25281 vcc->push(vcc, skb);
25282 spin_lock(&he_dev->global_lock);
25284 - atomic_inc(&vcc->stats->rx);
25285 + atomic_inc_unchecked(&vcc->stats->rx);
25287 return_host_buffers:
25289 @@ -2206,7 +2206,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
25290 tpd->vcc->pop(tpd->vcc, tpd->skb);
25292 dev_kfree_skb_any(tpd->skb);
25293 - atomic_inc(&tpd->vcc->stats->tx_err);
25294 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
25296 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
25298 @@ -2618,7 +2618,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
25299 vcc->pop(vcc, skb);
25301 dev_kfree_skb_any(skb);
25302 - atomic_inc(&vcc->stats->tx_err);
25303 + atomic_inc_unchecked(&vcc->stats->tx_err);
25307 @@ -2629,7 +2629,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
25308 vcc->pop(vcc, skb);
25310 dev_kfree_skb_any(skb);
25311 - atomic_inc(&vcc->stats->tx_err);
25312 + atomic_inc_unchecked(&vcc->stats->tx_err);
25316 @@ -2641,7 +2641,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
25317 vcc->pop(vcc, skb);
25319 dev_kfree_skb_any(skb);
25320 - atomic_inc(&vcc->stats->tx_err);
25321 + atomic_inc_unchecked(&vcc->stats->tx_err);
25322 spin_unlock_irqrestore(&he_dev->global_lock, flags);
25325 @@ -2683,7 +2683,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
25326 vcc->pop(vcc, skb);
25328 dev_kfree_skb_any(skb);
25329 - atomic_inc(&vcc->stats->tx_err);
25330 + atomic_inc_unchecked(&vcc->stats->tx_err);
25331 spin_unlock_irqrestore(&he_dev->global_lock, flags);
25334 @@ -2714,7 +2714,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
25335 __enqueue_tpd(he_dev, tpd, cid);
25336 spin_unlock_irqrestore(&he_dev->global_lock, flags);
25338 - atomic_inc(&vcc->stats->tx);
25339 + atomic_inc_unchecked(&vcc->stats->tx);
25343 diff -urNp linux-2.6.32.42/drivers/atm/horizon.c linux-2.6.32.42/drivers/atm/horizon.c
25344 --- linux-2.6.32.42/drivers/atm/horizon.c 2011-03-27 14:31:47.000000000 -0400
25345 +++ linux-2.6.32.42/drivers/atm/horizon.c 2011-04-17 15:56:46.000000000 -0400
25346 @@ -1033,7 +1033,7 @@ static void rx_schedule (hrz_dev * dev,
25348 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
25350 - atomic_inc(&vcc->stats->rx);
25351 + atomic_inc_unchecked(&vcc->stats->rx);
25352 __net_timestamp(skb);
25353 // end of our responsability
25354 vcc->push (vcc, skb);
25355 @@ -1185,7 +1185,7 @@ static void tx_schedule (hrz_dev * const
25356 dev->tx_iovec = NULL;
25359 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
25360 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
25363 hrz_kfree_skb (skb);
25364 diff -urNp linux-2.6.32.42/drivers/atm/idt77252.c linux-2.6.32.42/drivers/atm/idt77252.c
25365 --- linux-2.6.32.42/drivers/atm/idt77252.c 2011-03-27 14:31:47.000000000 -0400
25366 +++ linux-2.6.32.42/drivers/atm/idt77252.c 2011-04-17 15:56:46.000000000 -0400
25367 @@ -810,7 +810,7 @@ drain_scq(struct idt77252_dev *card, str
25369 dev_kfree_skb(skb);
25371 - atomic_inc(&vcc->stats->tx);
25372 + atomic_inc_unchecked(&vcc->stats->tx);
25375 atomic_dec(&scq->used);
25376 @@ -1073,13 +1073,13 @@ dequeue_rx(struct idt77252_dev *card, st
25377 if ((sb = dev_alloc_skb(64)) == NULL) {
25378 printk("%s: Can't allocate buffers for aal0.\n",
25380 - atomic_add(i, &vcc->stats->rx_drop);
25381 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
25384 if (!atm_charge(vcc, sb->truesize)) {
25385 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
25387 - atomic_add(i - 1, &vcc->stats->rx_drop);
25388 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
25392 @@ -1096,7 +1096,7 @@ dequeue_rx(struct idt77252_dev *card, st
25393 ATM_SKB(sb)->vcc = vcc;
25394 __net_timestamp(sb);
25395 vcc->push(vcc, sb);
25396 - atomic_inc(&vcc->stats->rx);
25397 + atomic_inc_unchecked(&vcc->stats->rx);
25399 cell += ATM_CELL_PAYLOAD;
25401 @@ -1133,13 +1133,13 @@ dequeue_rx(struct idt77252_dev *card, st
25403 card->name, len, rpp->len, readl(SAR_REG_CDC));
25404 recycle_rx_pool_skb(card, rpp);
25405 - atomic_inc(&vcc->stats->rx_err);
25406 + atomic_inc_unchecked(&vcc->stats->rx_err);
25409 if (stat & SAR_RSQE_CRC) {
25410 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
25411 recycle_rx_pool_skb(card, rpp);
25412 - atomic_inc(&vcc->stats->rx_err);
25413 + atomic_inc_unchecked(&vcc->stats->rx_err);
25416 if (skb_queue_len(&rpp->queue) > 1) {
25417 @@ -1150,7 +1150,7 @@ dequeue_rx(struct idt77252_dev *card, st
25418 RXPRINTK("%s: Can't alloc RX skb.\n",
25420 recycle_rx_pool_skb(card, rpp);
25421 - atomic_inc(&vcc->stats->rx_err);
25422 + atomic_inc_unchecked(&vcc->stats->rx_err);
25425 if (!atm_charge(vcc, skb->truesize)) {
25426 @@ -1169,7 +1169,7 @@ dequeue_rx(struct idt77252_dev *card, st
25427 __net_timestamp(skb);
25429 vcc->push(vcc, skb);
25430 - atomic_inc(&vcc->stats->rx);
25431 + atomic_inc_unchecked(&vcc->stats->rx);
25435 @@ -1191,7 +1191,7 @@ dequeue_rx(struct idt77252_dev *card, st
25436 __net_timestamp(skb);
25438 vcc->push(vcc, skb);
25439 - atomic_inc(&vcc->stats->rx);
25440 + atomic_inc_unchecked(&vcc->stats->rx);
25442 if (skb->truesize > SAR_FB_SIZE_3)
25443 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
25444 @@ -1303,14 +1303,14 @@ idt77252_rx_raw(struct idt77252_dev *car
25445 if (vcc->qos.aal != ATM_AAL0) {
25446 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
25447 card->name, vpi, vci);
25448 - atomic_inc(&vcc->stats->rx_drop);
25449 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25453 if ((sb = dev_alloc_skb(64)) == NULL) {
25454 printk("%s: Can't allocate buffers for AAL0.\n",
25456 - atomic_inc(&vcc->stats->rx_err);
25457 + atomic_inc_unchecked(&vcc->stats->rx_err);
25461 @@ -1329,7 +1329,7 @@ idt77252_rx_raw(struct idt77252_dev *car
25462 ATM_SKB(sb)->vcc = vcc;
25463 __net_timestamp(sb);
25464 vcc->push(vcc, sb);
25465 - atomic_inc(&vcc->stats->rx);
25466 + atomic_inc_unchecked(&vcc->stats->rx);
25469 skb_pull(queue, 64);
25470 @@ -1954,13 +1954,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
25473 printk("%s: NULL connection in send().\n", card->name);
25474 - atomic_inc(&vcc->stats->tx_err);
25475 + atomic_inc_unchecked(&vcc->stats->tx_err);
25476 dev_kfree_skb(skb);
25479 if (!test_bit(VCF_TX, &vc->flags)) {
25480 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
25481 - atomic_inc(&vcc->stats->tx_err);
25482 + atomic_inc_unchecked(&vcc->stats->tx_err);
25483 dev_kfree_skb(skb);
25486 @@ -1972,14 +1972,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
25489 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
25490 - atomic_inc(&vcc->stats->tx_err);
25491 + atomic_inc_unchecked(&vcc->stats->tx_err);
25492 dev_kfree_skb(skb);
25496 if (skb_shinfo(skb)->nr_frags != 0) {
25497 printk("%s: No scatter-gather yet.\n", card->name);
25498 - atomic_inc(&vcc->stats->tx_err);
25499 + atomic_inc_unchecked(&vcc->stats->tx_err);
25500 dev_kfree_skb(skb);
25503 @@ -1987,7 +1987,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
25505 err = queue_skb(card, vc, skb, oam);
25507 - atomic_inc(&vcc->stats->tx_err);
25508 + atomic_inc_unchecked(&vcc->stats->tx_err);
25509 dev_kfree_skb(skb);
25512 @@ -2010,7 +2010,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
25513 skb = dev_alloc_skb(64);
25515 printk("%s: Out of memory in send_oam().\n", card->name);
25516 - atomic_inc(&vcc->stats->tx_err);
25517 + atomic_inc_unchecked(&vcc->stats->tx_err);
25520 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
25521 diff -urNp linux-2.6.32.42/drivers/atm/iphase.c linux-2.6.32.42/drivers/atm/iphase.c
25522 --- linux-2.6.32.42/drivers/atm/iphase.c 2011-03-27 14:31:47.000000000 -0400
25523 +++ linux-2.6.32.42/drivers/atm/iphase.c 2011-04-17 15:56:46.000000000 -0400
25524 @@ -1123,7 +1123,7 @@ static int rx_pkt(struct atm_dev *dev)
25525 status = (u_short) (buf_desc_ptr->desc_mode);
25526 if (status & (RX_CER | RX_PTE | RX_OFL))
25528 - atomic_inc(&vcc->stats->rx_err);
25529 + atomic_inc_unchecked(&vcc->stats->rx_err);
25530 IF_ERR(printk("IA: bad packet, dropping it");)
25531 if (status & RX_CER) {
25532 IF_ERR(printk(" cause: packet CRC error\n");)
25533 @@ -1146,7 +1146,7 @@ static int rx_pkt(struct atm_dev *dev)
25534 len = dma_addr - buf_addr;
25535 if (len > iadev->rx_buf_sz) {
25536 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
25537 - atomic_inc(&vcc->stats->rx_err);
25538 + atomic_inc_unchecked(&vcc->stats->rx_err);
25539 goto out_free_desc;
25542 @@ -1296,7 +1296,7 @@ static void rx_dle_intr(struct atm_dev *
25543 ia_vcc = INPH_IA_VCC(vcc);
25544 if (ia_vcc == NULL)
25546 - atomic_inc(&vcc->stats->rx_err);
25547 + atomic_inc_unchecked(&vcc->stats->rx_err);
25548 dev_kfree_skb_any(skb);
25549 atm_return(vcc, atm_guess_pdu2truesize(len));
25551 @@ -1308,7 +1308,7 @@ static void rx_dle_intr(struct atm_dev *
25552 if ((length > iadev->rx_buf_sz) || (length >
25553 (skb->len - sizeof(struct cpcs_trailer))))
25555 - atomic_inc(&vcc->stats->rx_err);
25556 + atomic_inc_unchecked(&vcc->stats->rx_err);
25557 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
25558 length, skb->len);)
25559 dev_kfree_skb_any(skb);
25560 @@ -1324,7 +1324,7 @@ static void rx_dle_intr(struct atm_dev *
25562 IF_RX(printk("rx_dle_intr: skb push");)
25563 vcc->push(vcc,skb);
25564 - atomic_inc(&vcc->stats->rx);
25565 + atomic_inc_unchecked(&vcc->stats->rx);
25566 iadev->rx_pkt_cnt++;
25569 @@ -2806,15 +2806,15 @@ static int ia_ioctl(struct atm_dev *dev,
25571 struct k_sonet_stats *stats;
25572 stats = &PRIV(_ia_dev[board])->sonet_stats;
25573 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
25574 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
25575 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
25576 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
25577 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
25578 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
25579 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
25580 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
25581 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
25582 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
25583 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
25584 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
25585 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
25586 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
25587 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
25588 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
25589 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
25590 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
25592 ia_cmds.status = 0;
25594 @@ -2919,7 +2919,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
25595 if ((desc == 0) || (desc > iadev->num_tx_desc))
25597 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
25598 - atomic_inc(&vcc->stats->tx);
25599 + atomic_inc_unchecked(&vcc->stats->tx);
25601 vcc->pop(vcc, skb);
25603 @@ -3024,14 +3024,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
25604 ATM_DESC(skb) = vcc->vci;
25605 skb_queue_tail(&iadev->tx_dma_q, skb);
25607 - atomic_inc(&vcc->stats->tx);
25608 + atomic_inc_unchecked(&vcc->stats->tx);
25609 iadev->tx_pkt_cnt++;
25610 /* Increment transaction counter */
25611 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
25614 /* add flow control logic */
25615 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
25616 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
25617 if (iavcc->vc_desc_cnt > 10) {
25618 vcc->tx_quota = vcc->tx_quota * 3 / 4;
25619 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
25620 diff -urNp linux-2.6.32.42/drivers/atm/lanai.c linux-2.6.32.42/drivers/atm/lanai.c
25621 --- linux-2.6.32.42/drivers/atm/lanai.c 2011-03-27 14:31:47.000000000 -0400
25622 +++ linux-2.6.32.42/drivers/atm/lanai.c 2011-04-17 15:56:46.000000000 -0400
25623 @@ -1305,7 +1305,7 @@ static void lanai_send_one_aal5(struct l
25624 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
25625 lanai_endtx(lanai, lvcc);
25626 lanai_free_skb(lvcc->tx.atmvcc, skb);
25627 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
25628 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
25631 /* Try to fill the buffer - don't call unless there is backlog */
25632 @@ -1428,7 +1428,7 @@ static void vcc_rx_aal5(struct lanai_vcc
25633 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
25634 __net_timestamp(skb);
25635 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
25636 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
25637 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
25639 lvcc->rx.buf.ptr = end;
25640 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
25641 @@ -1670,7 +1670,7 @@ static int handle_service(struct lanai_d
25642 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
25643 "vcc %d\n", lanai->number, (unsigned int) s, vci);
25644 lanai->stats.service_rxnotaal5++;
25645 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
25646 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
25649 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
25650 @@ -1682,7 +1682,7 @@ static int handle_service(struct lanai_d
25652 read_unlock(&vcc_sklist_lock);
25653 DPRINTK("got trashed rx pdu on vci %d\n", vci);
25654 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
25655 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
25656 lvcc->stats.x.aal5.service_trash++;
25657 bytes = (SERVICE_GET_END(s) * 16) -
25658 (((unsigned long) lvcc->rx.buf.ptr) -
25659 @@ -1694,7 +1694,7 @@ static int handle_service(struct lanai_d
25661 if (s & SERVICE_STREAM) {
25662 read_unlock(&vcc_sklist_lock);
25663 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
25664 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
25665 lvcc->stats.x.aal5.service_stream++;
25666 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
25667 "PDU on VCI %d!\n", lanai->number, vci);
25668 @@ -1702,7 +1702,7 @@ static int handle_service(struct lanai_d
25671 DPRINTK("got rx crc error on vci %d\n", vci);
25672 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
25673 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
25674 lvcc->stats.x.aal5.service_rxcrc++;
25675 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
25676 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
25677 diff -urNp linux-2.6.32.42/drivers/atm/nicstar.c linux-2.6.32.42/drivers/atm/nicstar.c
25678 --- linux-2.6.32.42/drivers/atm/nicstar.c 2011-03-27 14:31:47.000000000 -0400
25679 +++ linux-2.6.32.42/drivers/atm/nicstar.c 2011-04-17 15:56:46.000000000 -0400
25680 @@ -1723,7 +1723,7 @@ static int ns_send(struct atm_vcc *vcc,
25681 if ((vc = (vc_map *) vcc->dev_data) == NULL)
25683 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
25684 - atomic_inc(&vcc->stats->tx_err);
25685 + atomic_inc_unchecked(&vcc->stats->tx_err);
25686 dev_kfree_skb_any(skb);
25689 @@ -1731,7 +1731,7 @@ static int ns_send(struct atm_vcc *vcc,
25692 printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
25693 - atomic_inc(&vcc->stats->tx_err);
25694 + atomic_inc_unchecked(&vcc->stats->tx_err);
25695 dev_kfree_skb_any(skb);
25698 @@ -1739,7 +1739,7 @@ static int ns_send(struct atm_vcc *vcc,
25699 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
25701 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
25702 - atomic_inc(&vcc->stats->tx_err);
25703 + atomic_inc_unchecked(&vcc->stats->tx_err);
25704 dev_kfree_skb_any(skb);
25707 @@ -1747,7 +1747,7 @@ static int ns_send(struct atm_vcc *vcc,
25708 if (skb_shinfo(skb)->nr_frags != 0)
25710 printk("nicstar%d: No scatter-gather yet.\n", card->index);
25711 - atomic_inc(&vcc->stats->tx_err);
25712 + atomic_inc_unchecked(&vcc->stats->tx_err);
25713 dev_kfree_skb_any(skb);
25716 @@ -1792,11 +1792,11 @@ static int ns_send(struct atm_vcc *vcc,
25718 if (push_scqe(card, vc, scq, &scqe, skb) != 0)
25720 - atomic_inc(&vcc->stats->tx_err);
25721 + atomic_inc_unchecked(&vcc->stats->tx_err);
25722 dev_kfree_skb_any(skb);
25725 - atomic_inc(&vcc->stats->tx);
25726 + atomic_inc_unchecked(&vcc->stats->tx);
25730 @@ -2111,14 +2111,14 @@ static void dequeue_rx(ns_dev *card, ns_
25732 printk("nicstar%d: Can't allocate buffers for aal0.\n",
25734 - atomic_add(i,&vcc->stats->rx_drop);
25735 + atomic_add_unchecked(i,&vcc->stats->rx_drop);
25738 if (!atm_charge(vcc, sb->truesize))
25740 RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
25742 - atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
25743 + atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
25744 dev_kfree_skb_any(sb);
25747 @@ -2133,7 +2133,7 @@ static void dequeue_rx(ns_dev *card, ns_
25748 ATM_SKB(sb)->vcc = vcc;
25749 __net_timestamp(sb);
25750 vcc->push(vcc, sb);
25751 - atomic_inc(&vcc->stats->rx);
25752 + atomic_inc_unchecked(&vcc->stats->rx);
25753 cell += ATM_CELL_PAYLOAD;
25756 @@ -2152,7 +2152,7 @@ static void dequeue_rx(ns_dev *card, ns_
25759 printk("nicstar%d: Out of iovec buffers.\n", card->index);
25760 - atomic_inc(&vcc->stats->rx_drop);
25761 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25762 recycle_rx_buf(card, skb);
25765 @@ -2182,7 +2182,7 @@ static void dequeue_rx(ns_dev *card, ns_
25766 else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
25768 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
25769 - atomic_inc(&vcc->stats->rx_err);
25770 + atomic_inc_unchecked(&vcc->stats->rx_err);
25771 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
25772 NS_SKB(iovb)->iovcnt = 0;
25774 @@ -2202,7 +2202,7 @@ static void dequeue_rx(ns_dev *card, ns_
25775 printk("nicstar%d: Expected a small buffer, and this is not one.\n",
25777 which_list(card, skb);
25778 - atomic_inc(&vcc->stats->rx_err);
25779 + atomic_inc_unchecked(&vcc->stats->rx_err);
25780 recycle_rx_buf(card, skb);
25782 recycle_iov_buf(card, iovb);
25783 @@ -2216,7 +2216,7 @@ static void dequeue_rx(ns_dev *card, ns_
25784 printk("nicstar%d: Expected a large buffer, and this is not one.\n",
25786 which_list(card, skb);
25787 - atomic_inc(&vcc->stats->rx_err);
25788 + atomic_inc_unchecked(&vcc->stats->rx_err);
25789 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
25790 NS_SKB(iovb)->iovcnt);
25792 @@ -2240,7 +2240,7 @@ static void dequeue_rx(ns_dev *card, ns_
25793 printk(" - PDU size mismatch.\n");
25796 - atomic_inc(&vcc->stats->rx_err);
25797 + atomic_inc_unchecked(&vcc->stats->rx_err);
25798 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
25799 NS_SKB(iovb)->iovcnt);
25801 @@ -2256,7 +2256,7 @@ static void dequeue_rx(ns_dev *card, ns_
25802 if (!atm_charge(vcc, skb->truesize))
25804 push_rxbufs(card, skb);
25805 - atomic_inc(&vcc->stats->rx_drop);
25806 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25810 @@ -2268,7 +2268,7 @@ static void dequeue_rx(ns_dev *card, ns_
25811 ATM_SKB(skb)->vcc = vcc;
25812 __net_timestamp(skb);
25813 vcc->push(vcc, skb);
25814 - atomic_inc(&vcc->stats->rx);
25815 + atomic_inc_unchecked(&vcc->stats->rx);
25818 else if (NS_SKB(iovb)->iovcnt == 2) /* One small plus one large buffer */
25819 @@ -2283,7 +2283,7 @@ static void dequeue_rx(ns_dev *card, ns_
25820 if (!atm_charge(vcc, sb->truesize))
25822 push_rxbufs(card, sb);
25823 - atomic_inc(&vcc->stats->rx_drop);
25824 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25828 @@ -2295,7 +2295,7 @@ static void dequeue_rx(ns_dev *card, ns_
25829 ATM_SKB(sb)->vcc = vcc;
25830 __net_timestamp(sb);
25831 vcc->push(vcc, sb);
25832 - atomic_inc(&vcc->stats->rx);
25833 + atomic_inc_unchecked(&vcc->stats->rx);
25836 push_rxbufs(card, skb);
25837 @@ -2306,7 +2306,7 @@ static void dequeue_rx(ns_dev *card, ns_
25838 if (!atm_charge(vcc, skb->truesize))
25840 push_rxbufs(card, skb);
25841 - atomic_inc(&vcc->stats->rx_drop);
25842 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25846 @@ -2320,7 +2320,7 @@ static void dequeue_rx(ns_dev *card, ns_
25847 ATM_SKB(skb)->vcc = vcc;
25848 __net_timestamp(skb);
25849 vcc->push(vcc, skb);
25850 - atomic_inc(&vcc->stats->rx);
25851 + atomic_inc_unchecked(&vcc->stats->rx);
25854 push_rxbufs(card, sb);
25855 @@ -2342,7 +2342,7 @@ static void dequeue_rx(ns_dev *card, ns_
25858 printk("nicstar%d: Out of huge buffers.\n", card->index);
25859 - atomic_inc(&vcc->stats->rx_drop);
25860 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25861 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
25862 NS_SKB(iovb)->iovcnt);
25864 @@ -2393,7 +2393,7 @@ static void dequeue_rx(ns_dev *card, ns_
25867 dev_kfree_skb_any(hb);
25868 - atomic_inc(&vcc->stats->rx_drop);
25869 + atomic_inc_unchecked(&vcc->stats->rx_drop);
25873 @@ -2427,7 +2427,7 @@ static void dequeue_rx(ns_dev *card, ns_
25874 #endif /* NS_USE_DESTRUCTORS */
25875 __net_timestamp(hb);
25876 vcc->push(vcc, hb);
25877 - atomic_inc(&vcc->stats->rx);
25878 + atomic_inc_unchecked(&vcc->stats->rx);
25882 diff -urNp linux-2.6.32.42/drivers/atm/solos-pci.c linux-2.6.32.42/drivers/atm/solos-pci.c
25883 --- linux-2.6.32.42/drivers/atm/solos-pci.c 2011-04-17 17:00:52.000000000 -0400
25884 +++ linux-2.6.32.42/drivers/atm/solos-pci.c 2011-05-16 21:46:57.000000000 -0400
25885 @@ -708,7 +708,7 @@ void solos_bh(unsigned long card_arg)
25887 atm_charge(vcc, skb->truesize);
25888 vcc->push(vcc, skb);
25889 - atomic_inc(&vcc->stats->rx);
25890 + atomic_inc_unchecked(&vcc->stats->rx);
25894 @@ -914,6 +914,8 @@ static int print_buffer(struct sk_buff *
25898 + pax_track_stack();
25901 for (i = 0; i < len; i++){
25903 @@ -1023,7 +1025,7 @@ static uint32_t fpga_tx(struct solos_car
25904 vcc = SKB_CB(oldskb)->vcc;
25907 - atomic_inc(&vcc->stats->tx);
25908 + atomic_inc_unchecked(&vcc->stats->tx);
25909 solos_pop(vcc, oldskb);
25911 dev_kfree_skb_irq(oldskb);
25912 diff -urNp linux-2.6.32.42/drivers/atm/suni.c linux-2.6.32.42/drivers/atm/suni.c
25913 --- linux-2.6.32.42/drivers/atm/suni.c 2011-03-27 14:31:47.000000000 -0400
25914 +++ linux-2.6.32.42/drivers/atm/suni.c 2011-04-17 15:56:46.000000000 -0400
25915 @@ -49,8 +49,8 @@ static DEFINE_SPINLOCK(sunis_lock);
25918 #define ADD_LIMITED(s,v) \
25919 - atomic_add((v),&stats->s); \
25920 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
25921 + atomic_add_unchecked((v),&stats->s); \
25922 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
25925 static void suni_hz(unsigned long from_timer)
25926 diff -urNp linux-2.6.32.42/drivers/atm/uPD98402.c linux-2.6.32.42/drivers/atm/uPD98402.c
25927 --- linux-2.6.32.42/drivers/atm/uPD98402.c 2011-03-27 14:31:47.000000000 -0400
25928 +++ linux-2.6.32.42/drivers/atm/uPD98402.c 2011-04-17 15:56:46.000000000 -0400
25929 @@ -41,7 +41,7 @@ static int fetch_stats(struct atm_dev *d
25930 struct sonet_stats tmp;
25933 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
25934 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
25935 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
25936 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
25937 if (zero && !error) {
25938 @@ -160,9 +160,9 @@ static int uPD98402_ioctl(struct atm_dev
25941 #define ADD_LIMITED(s,v) \
25942 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
25943 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
25944 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
25945 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
25946 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
25947 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
25950 static void stat_event(struct atm_dev *dev)
25951 @@ -193,7 +193,7 @@ static void uPD98402_int(struct atm_dev
25952 if (reason & uPD98402_INT_PFM) stat_event(dev);
25953 if (reason & uPD98402_INT_PCO) {
25954 (void) GET(PCOCR); /* clear interrupt cause */
25955 - atomic_add(GET(HECCT),
25956 + atomic_add_unchecked(GET(HECCT),
25957 &PRIV(dev)->sonet_stats.uncorr_hcs);
25959 if ((reason & uPD98402_INT_RFO) &&
25960 @@ -221,9 +221,9 @@ static int uPD98402_start(struct atm_dev
25961 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
25962 uPD98402_INT_LOS),PIMR); /* enable them */
25963 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
25964 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
25965 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
25966 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
25967 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
25968 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
25969 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
25973 diff -urNp linux-2.6.32.42/drivers/atm/zatm.c linux-2.6.32.42/drivers/atm/zatm.c
25974 --- linux-2.6.32.42/drivers/atm/zatm.c 2011-03-27 14:31:47.000000000 -0400
25975 +++ linux-2.6.32.42/drivers/atm/zatm.c 2011-04-17 15:56:46.000000000 -0400
25976 @@ -458,7 +458,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
25979 dev_kfree_skb_irq(skb);
25980 - if (vcc) atomic_inc(&vcc->stats->rx_err);
25981 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
25984 if (!atm_charge(vcc,skb->truesize)) {
25985 @@ -468,7 +468,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
25987 ATM_SKB(skb)->vcc = vcc;
25988 vcc->push(vcc,skb);
25989 - atomic_inc(&vcc->stats->rx);
25990 + atomic_inc_unchecked(&vcc->stats->rx);
25992 zout(pos & 0xffff,MTA(mbx));
25993 #if 0 /* probably a stupid idea */
25994 @@ -732,7 +732,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
25995 skb_queue_head(&zatm_vcc->backlog,skb);
25998 - atomic_inc(&vcc->stats->tx);
25999 + atomic_inc_unchecked(&vcc->stats->tx);
26000 wake_up(&zatm_vcc->tx_wait);
26003 diff -urNp linux-2.6.32.42/drivers/base/bus.c linux-2.6.32.42/drivers/base/bus.c
26004 --- linux-2.6.32.42/drivers/base/bus.c 2011-03-27 14:31:47.000000000 -0400
26005 +++ linux-2.6.32.42/drivers/base/bus.c 2011-04-17 15:56:46.000000000 -0400
26006 @@ -70,7 +70,7 @@ static ssize_t drv_attr_store(struct kob
26010 -static struct sysfs_ops driver_sysfs_ops = {
26011 +static const struct sysfs_ops driver_sysfs_ops = {
26012 .show = drv_attr_show,
26013 .store = drv_attr_store,
26015 @@ -115,7 +115,7 @@ static ssize_t bus_attr_store(struct kob
26019 -static struct sysfs_ops bus_sysfs_ops = {
26020 +static const struct sysfs_ops bus_sysfs_ops = {
26021 .show = bus_attr_show,
26022 .store = bus_attr_store,
26024 @@ -154,7 +154,7 @@ static int bus_uevent_filter(struct kset
26028 -static struct kset_uevent_ops bus_uevent_ops = {
26029 +static const struct kset_uevent_ops bus_uevent_ops = {
26030 .filter = bus_uevent_filter,
26033 diff -urNp linux-2.6.32.42/drivers/base/class.c linux-2.6.32.42/drivers/base/class.c
26034 --- linux-2.6.32.42/drivers/base/class.c 2011-03-27 14:31:47.000000000 -0400
26035 +++ linux-2.6.32.42/drivers/base/class.c 2011-04-17 15:56:46.000000000 -0400
26036 @@ -63,7 +63,7 @@ static void class_release(struct kobject
26040 -static struct sysfs_ops class_sysfs_ops = {
26041 +static const struct sysfs_ops class_sysfs_ops = {
26042 .show = class_attr_show,
26043 .store = class_attr_store,
26045 diff -urNp linux-2.6.32.42/drivers/base/core.c linux-2.6.32.42/drivers/base/core.c
26046 --- linux-2.6.32.42/drivers/base/core.c 2011-03-27 14:31:47.000000000 -0400
26047 +++ linux-2.6.32.42/drivers/base/core.c 2011-04-17 15:56:46.000000000 -0400
26048 @@ -100,7 +100,7 @@ static ssize_t dev_attr_store(struct kob
26052 -static struct sysfs_ops dev_sysfs_ops = {
26053 +static const struct sysfs_ops dev_sysfs_ops = {
26054 .show = dev_attr_show,
26055 .store = dev_attr_store,
26057 @@ -252,7 +252,7 @@ static int dev_uevent(struct kset *kset,
26061 -static struct kset_uevent_ops device_uevent_ops = {
26062 +static const struct kset_uevent_ops device_uevent_ops = {
26063 .filter = dev_uevent_filter,
26064 .name = dev_uevent_name,
26065 .uevent = dev_uevent,
26066 diff -urNp linux-2.6.32.42/drivers/base/memory.c linux-2.6.32.42/drivers/base/memory.c
26067 --- linux-2.6.32.42/drivers/base/memory.c 2011-03-27 14:31:47.000000000 -0400
26068 +++ linux-2.6.32.42/drivers/base/memory.c 2011-04-17 15:56:46.000000000 -0400
26069 @@ -44,7 +44,7 @@ static int memory_uevent(struct kset *ks
26073 -static struct kset_uevent_ops memory_uevent_ops = {
26074 +static const struct kset_uevent_ops memory_uevent_ops = {
26075 .name = memory_uevent_name,
26076 .uevent = memory_uevent,
26078 diff -urNp linux-2.6.32.42/drivers/base/sys.c linux-2.6.32.42/drivers/base/sys.c
26079 --- linux-2.6.32.42/drivers/base/sys.c 2011-03-27 14:31:47.000000000 -0400
26080 +++ linux-2.6.32.42/drivers/base/sys.c 2011-04-17 15:56:46.000000000 -0400
26081 @@ -54,7 +54,7 @@ sysdev_store(struct kobject *kobj, struc
26085 -static struct sysfs_ops sysfs_ops = {
26086 +static const struct sysfs_ops sysfs_ops = {
26087 .show = sysdev_show,
26088 .store = sysdev_store,
26090 @@ -104,7 +104,7 @@ static ssize_t sysdev_class_store(struct
26094 -static struct sysfs_ops sysfs_class_ops = {
26095 +static const struct sysfs_ops sysfs_class_ops = {
26096 .show = sysdev_class_show,
26097 .store = sysdev_class_store,
26099 diff -urNp linux-2.6.32.42/drivers/block/cciss.c linux-2.6.32.42/drivers/block/cciss.c
26100 --- linux-2.6.32.42/drivers/block/cciss.c 2011-03-27 14:31:47.000000000 -0400
26101 +++ linux-2.6.32.42/drivers/block/cciss.c 2011-04-17 15:56:46.000000000 -0400
26102 @@ -1011,6 +1011,8 @@ static int cciss_ioctl32_passthru(struct
26106 + memset(&arg64, 0, sizeof(arg64));
26110 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
26111 diff -urNp linux-2.6.32.42/drivers/block/cpqarray.c linux-2.6.32.42/drivers/block/cpqarray.c
26112 --- linux-2.6.32.42/drivers/block/cpqarray.c 2011-03-27 14:31:47.000000000 -0400
26113 +++ linux-2.6.32.42/drivers/block/cpqarray.c 2011-05-16 21:46:57.000000000 -0400
26114 @@ -896,6 +896,8 @@ static void do_ida_request(struct reques
26115 struct scatterlist tmp_sg[SG_MAX];
26118 + pax_track_stack();
26120 if (blk_queue_plugged(q))
26123 diff -urNp linux-2.6.32.42/drivers/block/DAC960.c linux-2.6.32.42/drivers/block/DAC960.c
26124 --- linux-2.6.32.42/drivers/block/DAC960.c 2011-03-27 14:31:47.000000000 -0400
26125 +++ linux-2.6.32.42/drivers/block/DAC960.c 2011-05-16 21:46:57.000000000 -0400
26126 @@ -1973,6 +1973,8 @@ static bool DAC960_V1_ReadDeviceConfigur
26127 unsigned long flags;
26128 int Channel, TargetID;
26130 + pax_track_stack();
26132 if (!init_dma_loaf(Controller->PCIDevice, &local_dma,
26133 DAC960_V1_MaxChannels*(sizeof(DAC960_V1_DCDB_T) +
26134 sizeof(DAC960_SCSI_Inquiry_T) +
26135 diff -urNp linux-2.6.32.42/drivers/block/nbd.c linux-2.6.32.42/drivers/block/nbd.c
26136 --- linux-2.6.32.42/drivers/block/nbd.c 2011-06-25 12:55:34.000000000 -0400
26137 +++ linux-2.6.32.42/drivers/block/nbd.c 2011-06-25 12:56:37.000000000 -0400
26138 @@ -155,6 +155,8 @@ static int sock_xmit(struct nbd_device *
26140 sigset_t blocked, oldset;
26142 + pax_track_stack();
26144 if (unlikely(!sock)) {
26145 printk(KERN_ERR "%s: Attempted %s on closed socket in sock_xmit\n",
26146 lo->disk->disk_name, (send ? "send" : "recv"));
26147 @@ -569,6 +571,8 @@ static void do_nbd_request(struct reques
26148 static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *lo,
26149 unsigned int cmd, unsigned long arg)
26151 + pax_track_stack();
26154 case NBD_DISCONNECT: {
26155 struct request sreq;
26156 diff -urNp linux-2.6.32.42/drivers/block/pktcdvd.c linux-2.6.32.42/drivers/block/pktcdvd.c
26157 --- linux-2.6.32.42/drivers/block/pktcdvd.c 2011-03-27 14:31:47.000000000 -0400
26158 +++ linux-2.6.32.42/drivers/block/pktcdvd.c 2011-04-17 15:56:46.000000000 -0400
26159 @@ -284,7 +284,7 @@ static ssize_t kobj_pkt_store(struct kob
26163 -static struct sysfs_ops kobj_pkt_ops = {
26164 +static const struct sysfs_ops kobj_pkt_ops = {
26165 .show = kobj_pkt_show,
26166 .store = kobj_pkt_store
26168 diff -urNp linux-2.6.32.42/drivers/char/agp/frontend.c linux-2.6.32.42/drivers/char/agp/frontend.c
26169 --- linux-2.6.32.42/drivers/char/agp/frontend.c 2011-03-27 14:31:47.000000000 -0400
26170 +++ linux-2.6.32.42/drivers/char/agp/frontend.c 2011-04-17 15:56:46.000000000 -0400
26171 @@ -824,7 +824,7 @@ static int agpioc_reserve_wrap(struct ag
26172 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
26175 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
26176 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
26179 client = agp_find_client_by_pid(reserve.pid);
26180 diff -urNp linux-2.6.32.42/drivers/char/briq_panel.c linux-2.6.32.42/drivers/char/briq_panel.c
26181 --- linux-2.6.32.42/drivers/char/briq_panel.c 2011-03-27 14:31:47.000000000 -0400
26182 +++ linux-2.6.32.42/drivers/char/briq_panel.c 2011-04-18 19:48:57.000000000 -0400
26184 #include <linux/types.h>
26185 #include <linux/errno.h>
26186 #include <linux/tty.h>
26187 +#include <linux/mutex.h>
26188 #include <linux/timer.h>
26189 #include <linux/kernel.h>
26190 #include <linux/wait.h>
26191 @@ -36,6 +37,7 @@ static int vfd_is_open;
26192 static unsigned char vfd[40];
26193 static int vfd_cursor;
26194 static unsigned char ledpb, led;
26195 +static DEFINE_MUTEX(vfd_mutex);
26197 static void update_vfd(void)
26199 @@ -142,12 +144,15 @@ static ssize_t briq_panel_write(struct f
26203 + mutex_lock(&vfd_mutex);
26208 - if (get_user(c, buf))
26209 + if (get_user(c, buf)) {
26210 + mutex_unlock(&vfd_mutex);
26216 @@ -177,6 +182,7 @@ static ssize_t briq_panel_write(struct f
26220 + mutex_unlock(&vfd_mutex);
26224 diff -urNp linux-2.6.32.42/drivers/char/genrtc.c linux-2.6.32.42/drivers/char/genrtc.c
26225 --- linux-2.6.32.42/drivers/char/genrtc.c 2011-03-27 14:31:47.000000000 -0400
26226 +++ linux-2.6.32.42/drivers/char/genrtc.c 2011-04-18 19:45:42.000000000 -0400
26227 @@ -272,6 +272,7 @@ static int gen_rtc_ioctl(struct inode *i
26231 + memset(&pll, 0, sizeof(pll));
26232 if (get_rtc_pll(&pll))
26235 diff -urNp linux-2.6.32.42/drivers/char/hpet.c linux-2.6.32.42/drivers/char/hpet.c
26236 --- linux-2.6.32.42/drivers/char/hpet.c 2011-03-27 14:31:47.000000000 -0400
26237 +++ linux-2.6.32.42/drivers/char/hpet.c 2011-04-23 12:56:11.000000000 -0400
26238 @@ -430,7 +430,7 @@ static int hpet_release(struct inode *in
26242 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
26243 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
26246 hpet_ioctl(struct inode *inode, struct file *file, unsigned int cmd,
26247 @@ -565,7 +565,7 @@ static inline unsigned long hpet_time_di
26251 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
26252 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
26254 struct hpet_timer __iomem *timer;
26255 struct hpet __iomem *hpet;
26256 @@ -608,11 +608,11 @@ hpet_ioctl_common(struct hpet_dev *devp,
26258 struct hpet_info info;
26260 + memset(&info, 0, sizeof(info));
26262 if (devp->hd_ireqfreq)
26264 hpet_time_div(hpetp, devp->hd_ireqfreq);
26266 - info.hi_ireqfreq = 0;
26268 readq(&timer->hpet_config) & Tn_PER_INT_CAP_MASK;
26269 info.hi_hpet = hpetp->hp_which;
26270 diff -urNp linux-2.6.32.42/drivers/char/hvc_beat.c linux-2.6.32.42/drivers/char/hvc_beat.c
26271 --- linux-2.6.32.42/drivers/char/hvc_beat.c 2011-03-27 14:31:47.000000000 -0400
26272 +++ linux-2.6.32.42/drivers/char/hvc_beat.c 2011-04-17 15:56:46.000000000 -0400
26273 @@ -84,7 +84,7 @@ static int hvc_beat_put_chars(uint32_t v
26277 -static struct hv_ops hvc_beat_get_put_ops = {
26278 +static const struct hv_ops hvc_beat_get_put_ops = {
26279 .get_chars = hvc_beat_get_chars,
26280 .put_chars = hvc_beat_put_chars,
26282 diff -urNp linux-2.6.32.42/drivers/char/hvc_console.c linux-2.6.32.42/drivers/char/hvc_console.c
26283 --- linux-2.6.32.42/drivers/char/hvc_console.c 2011-03-27 14:31:47.000000000 -0400
26284 +++ linux-2.6.32.42/drivers/char/hvc_console.c 2011-04-17 15:56:46.000000000 -0400
26285 @@ -125,7 +125,7 @@ static struct hvc_struct *hvc_get_by_ind
26286 * console interfaces but can still be used as a tty device. This has to be
26287 * static because kmalloc will not work during early console init.
26289 -static struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
26290 +static const struct hv_ops *cons_ops[MAX_NR_HVC_CONSOLES];
26291 static uint32_t vtermnos[MAX_NR_HVC_CONSOLES] =
26292 {[0 ... MAX_NR_HVC_CONSOLES - 1] = -1};
26294 @@ -247,7 +247,7 @@ static void destroy_hvc_struct(struct kr
26295 * vty adapters do NOT get an hvc_instantiate() callback since they
26296 * appear after early console init.
26298 -int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops)
26299 +int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops)
26301 struct hvc_struct *hp;
26303 @@ -756,7 +756,7 @@ static const struct tty_operations hvc_o
26306 struct hvc_struct __devinit *hvc_alloc(uint32_t vtermno, int data,
26307 - struct hv_ops *ops, int outbuf_size)
26308 + const struct hv_ops *ops, int outbuf_size)
26310 struct hvc_struct *hp;
26312 diff -urNp linux-2.6.32.42/drivers/char/hvc_console.h linux-2.6.32.42/drivers/char/hvc_console.h
26313 --- linux-2.6.32.42/drivers/char/hvc_console.h 2011-03-27 14:31:47.000000000 -0400
26314 +++ linux-2.6.32.42/drivers/char/hvc_console.h 2011-04-17 15:56:46.000000000 -0400
26315 @@ -55,7 +55,7 @@ struct hvc_struct {
26319 - struct hv_ops *ops;
26320 + const struct hv_ops *ops;
26324 @@ -76,11 +76,11 @@ struct hv_ops {
26327 /* Register a vterm and a slot index for use as a console (console_init) */
26328 -extern int hvc_instantiate(uint32_t vtermno, int index, struct hv_ops *ops);
26329 +extern int hvc_instantiate(uint32_t vtermno, int index, const struct hv_ops *ops);
26331 /* register a vterm for hvc tty operation (module_init or hotplug add) */
26332 extern struct hvc_struct * __devinit hvc_alloc(uint32_t vtermno, int data,
26333 - struct hv_ops *ops, int outbuf_size);
26334 + const struct hv_ops *ops, int outbuf_size);
26335 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
26336 extern int hvc_remove(struct hvc_struct *hp);
26338 diff -urNp linux-2.6.32.42/drivers/char/hvc_iseries.c linux-2.6.32.42/drivers/char/hvc_iseries.c
26339 --- linux-2.6.32.42/drivers/char/hvc_iseries.c 2011-03-27 14:31:47.000000000 -0400
26340 +++ linux-2.6.32.42/drivers/char/hvc_iseries.c 2011-04-17 15:56:46.000000000 -0400
26341 @@ -197,7 +197,7 @@ done:
26345 -static struct hv_ops hvc_get_put_ops = {
26346 +static const struct hv_ops hvc_get_put_ops = {
26347 .get_chars = get_chars,
26348 .put_chars = put_chars,
26349 .notifier_add = notifier_add_irq,
26350 diff -urNp linux-2.6.32.42/drivers/char/hvc_iucv.c linux-2.6.32.42/drivers/char/hvc_iucv.c
26351 --- linux-2.6.32.42/drivers/char/hvc_iucv.c 2011-03-27 14:31:47.000000000 -0400
26352 +++ linux-2.6.32.42/drivers/char/hvc_iucv.c 2011-04-17 15:56:46.000000000 -0400
26353 @@ -924,7 +924,7 @@ static int hvc_iucv_pm_restore_thaw(stru
26356 /* HVC operations */
26357 -static struct hv_ops hvc_iucv_ops = {
26358 +static const struct hv_ops hvc_iucv_ops = {
26359 .get_chars = hvc_iucv_get_chars,
26360 .put_chars = hvc_iucv_put_chars,
26361 .notifier_add = hvc_iucv_notifier_add,
26362 diff -urNp linux-2.6.32.42/drivers/char/hvc_rtas.c linux-2.6.32.42/drivers/char/hvc_rtas.c
26363 --- linux-2.6.32.42/drivers/char/hvc_rtas.c 2011-03-27 14:31:47.000000000 -0400
26364 +++ linux-2.6.32.42/drivers/char/hvc_rtas.c 2011-04-17 15:56:46.000000000 -0400
26365 @@ -71,7 +71,7 @@ static int hvc_rtas_read_console(uint32_
26369 -static struct hv_ops hvc_rtas_get_put_ops = {
26370 +static const struct hv_ops hvc_rtas_get_put_ops = {
26371 .get_chars = hvc_rtas_read_console,
26372 .put_chars = hvc_rtas_write_console,
26374 diff -urNp linux-2.6.32.42/drivers/char/hvcs.c linux-2.6.32.42/drivers/char/hvcs.c
26375 --- linux-2.6.32.42/drivers/char/hvcs.c 2011-03-27 14:31:47.000000000 -0400
26376 +++ linux-2.6.32.42/drivers/char/hvcs.c 2011-04-17 15:56:46.000000000 -0400
26378 #include <asm/hvcserver.h>
26379 #include <asm/uaccess.h>
26380 #include <asm/vio.h>
26381 +#include <asm/local.h>
26384 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
26385 @@ -269,7 +270,7 @@ struct hvcs_struct {
26386 unsigned int index;
26388 struct tty_struct *tty;
26390 + local_t open_count;
26393 * Used to tell the driver kernel_thread what operations need to take
26394 @@ -419,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
26396 spin_lock_irqsave(&hvcsd->lock, flags);
26398 - if (hvcsd->open_count > 0) {
26399 + if (local_read(&hvcsd->open_count) > 0) {
26400 spin_unlock_irqrestore(&hvcsd->lock, flags);
26401 printk(KERN_INFO "HVCS: vterm state unchanged. "
26402 "The hvcs device node is still in use.\n");
26403 @@ -1135,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
26404 if ((retval = hvcs_partner_connect(hvcsd)))
26405 goto error_release;
26407 - hvcsd->open_count = 1;
26408 + local_set(&hvcsd->open_count, 1);
26410 tty->driver_data = hvcsd;
26412 @@ -1169,7 +1170,7 @@ fast_open:
26414 spin_lock_irqsave(&hvcsd->lock, flags);
26415 kref_get(&hvcsd->kref);
26416 - hvcsd->open_count++;
26417 + local_inc(&hvcsd->open_count);
26418 hvcsd->todo_mask |= HVCS_SCHED_READ;
26419 spin_unlock_irqrestore(&hvcsd->lock, flags);
26421 @@ -1213,7 +1214,7 @@ static void hvcs_close(struct tty_struct
26422 hvcsd = tty->driver_data;
26424 spin_lock_irqsave(&hvcsd->lock, flags);
26425 - if (--hvcsd->open_count == 0) {
26426 + if (local_dec_and_test(&hvcsd->open_count)) {
26428 vio_disable_interrupts(hvcsd->vdev);
26430 @@ -1239,10 +1240,10 @@ static void hvcs_close(struct tty_struct
26431 free_irq(irq, hvcsd);
26432 kref_put(&hvcsd->kref, destroy_hvcs_struct);
26434 - } else if (hvcsd->open_count < 0) {
26435 + } else if (local_read(&hvcsd->open_count) < 0) {
26436 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
26437 " is missmanaged.\n",
26438 - hvcsd->vdev->unit_address, hvcsd->open_count);
26439 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
26442 spin_unlock_irqrestore(&hvcsd->lock, flags);
26443 @@ -1258,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
26445 spin_lock_irqsave(&hvcsd->lock, flags);
26446 /* Preserve this so that we know how many kref refs to put */
26447 - temp_open_count = hvcsd->open_count;
26448 + temp_open_count = local_read(&hvcsd->open_count);
26451 * Don't kref put inside the spinlock because the destruction
26452 @@ -1273,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
26453 hvcsd->tty->driver_data = NULL;
26456 - hvcsd->open_count = 0;
26457 + local_set(&hvcsd->open_count, 0);
26459 /* This will drop any buffered data on the floor which is OK in a hangup
26461 @@ -1344,7 +1345,7 @@ static int hvcs_write(struct tty_struct
26462 * the middle of a write operation? This is a crummy place to do this
26463 * but we want to keep it all in the spinlock.
26465 - if (hvcsd->open_count <= 0) {
26466 + if (local_read(&hvcsd->open_count) <= 0) {
26467 spin_unlock_irqrestore(&hvcsd->lock, flags);
26470 @@ -1418,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
26472 struct hvcs_struct *hvcsd = tty->driver_data;
26474 - if (!hvcsd || hvcsd->open_count <= 0)
26475 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
26478 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
26479 diff -urNp linux-2.6.32.42/drivers/char/hvc_udbg.c linux-2.6.32.42/drivers/char/hvc_udbg.c
26480 --- linux-2.6.32.42/drivers/char/hvc_udbg.c 2011-03-27 14:31:47.000000000 -0400
26481 +++ linux-2.6.32.42/drivers/char/hvc_udbg.c 2011-04-17 15:56:46.000000000 -0400
26482 @@ -58,7 +58,7 @@ static int hvc_udbg_get(uint32_t vtermno
26486 -static struct hv_ops hvc_udbg_ops = {
26487 +static const struct hv_ops hvc_udbg_ops = {
26488 .get_chars = hvc_udbg_get,
26489 .put_chars = hvc_udbg_put,
26491 diff -urNp linux-2.6.32.42/drivers/char/hvc_vio.c linux-2.6.32.42/drivers/char/hvc_vio.c
26492 --- linux-2.6.32.42/drivers/char/hvc_vio.c 2011-03-27 14:31:47.000000000 -0400
26493 +++ linux-2.6.32.42/drivers/char/hvc_vio.c 2011-04-17 15:56:46.000000000 -0400
26494 @@ -77,7 +77,7 @@ static int filtered_get_chars(uint32_t v
26498 -static struct hv_ops hvc_get_put_ops = {
26499 +static const struct hv_ops hvc_get_put_ops = {
26500 .get_chars = filtered_get_chars,
26501 .put_chars = hvc_put_chars,
26502 .notifier_add = notifier_add_irq,
26503 diff -urNp linux-2.6.32.42/drivers/char/hvc_xen.c linux-2.6.32.42/drivers/char/hvc_xen.c
26504 --- linux-2.6.32.42/drivers/char/hvc_xen.c 2011-03-27 14:31:47.000000000 -0400
26505 +++ linux-2.6.32.42/drivers/char/hvc_xen.c 2011-04-17 15:56:46.000000000 -0400
26506 @@ -120,7 +120,7 @@ static int read_console(uint32_t vtermno
26510 -static struct hv_ops hvc_ops = {
26511 +static const struct hv_ops hvc_ops = {
26512 .get_chars = read_console,
26513 .put_chars = write_console,
26514 .notifier_add = notifier_add_irq,
26515 diff -urNp linux-2.6.32.42/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.32.42/drivers/char/ipmi/ipmi_msghandler.c
26516 --- linux-2.6.32.42/drivers/char/ipmi/ipmi_msghandler.c 2011-03-27 14:31:47.000000000 -0400
26517 +++ linux-2.6.32.42/drivers/char/ipmi/ipmi_msghandler.c 2011-05-16 21:46:57.000000000 -0400
26518 @@ -414,7 +414,7 @@ struct ipmi_smi {
26519 struct proc_dir_entry *proc_dir;
26520 char proc_dir_name[10];
26522 - atomic_t stats[IPMI_NUM_STATS];
26523 + atomic_unchecked_t stats[IPMI_NUM_STATS];
26526 * run_to_completion duplicate of smb_info, smi_info
26527 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
26530 #define ipmi_inc_stat(intf, stat) \
26531 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
26532 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
26533 #define ipmi_get_stat(intf, stat) \
26534 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
26535 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
26537 static int is_lan_addr(struct ipmi_addr *addr)
26539 @@ -2808,7 +2808,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
26540 INIT_LIST_HEAD(&intf->cmd_rcvrs);
26541 init_waitqueue_head(&intf->waitq);
26542 for (i = 0; i < IPMI_NUM_STATS; i++)
26543 - atomic_set(&intf->stats[i], 0);
26544 + atomic_set_unchecked(&intf->stats[i], 0);
26546 intf->proc_dir = NULL;
26548 @@ -4160,6 +4160,8 @@ static void send_panic_events(char *str)
26549 struct ipmi_smi_msg smi_msg;
26550 struct ipmi_recv_msg recv_msg;
26552 + pax_track_stack();
26554 si = (struct ipmi_system_interface_addr *) &addr;
26555 si->addr_type = IPMI_SYSTEM_INTERFACE_ADDR_TYPE;
26556 si->channel = IPMI_BMC_CHANNEL;
26557 diff -urNp linux-2.6.32.42/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.32.42/drivers/char/ipmi/ipmi_si_intf.c
26558 --- linux-2.6.32.42/drivers/char/ipmi/ipmi_si_intf.c 2011-03-27 14:31:47.000000000 -0400
26559 +++ linux-2.6.32.42/drivers/char/ipmi/ipmi_si_intf.c 2011-04-17 15:56:46.000000000 -0400
26560 @@ -277,7 +277,7 @@ struct smi_info {
26561 unsigned char slave_addr;
26563 /* Counters and things for the proc filesystem. */
26564 - atomic_t stats[SI_NUM_STATS];
26565 + atomic_unchecked_t stats[SI_NUM_STATS];
26567 struct task_struct *thread;
26569 @@ -285,9 +285,9 @@ struct smi_info {
26572 #define smi_inc_stat(smi, stat) \
26573 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
26574 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
26575 #define smi_get_stat(smi, stat) \
26576 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
26577 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
26579 #define SI_MAX_PARMS 4
26581 @@ -2931,7 +2931,7 @@ static int try_smi_init(struct smi_info
26582 atomic_set(&new_smi->req_events, 0);
26583 new_smi->run_to_completion = 0;
26584 for (i = 0; i < SI_NUM_STATS; i++)
26585 - atomic_set(&new_smi->stats[i], 0);
26586 + atomic_set_unchecked(&new_smi->stats[i], 0);
26588 new_smi->interrupt_disabled = 0;
26589 atomic_set(&new_smi->stop_operation, 0);
26590 diff -urNp linux-2.6.32.42/drivers/char/istallion.c linux-2.6.32.42/drivers/char/istallion.c
26591 --- linux-2.6.32.42/drivers/char/istallion.c 2011-03-27 14:31:47.000000000 -0400
26592 +++ linux-2.6.32.42/drivers/char/istallion.c 2011-05-16 21:46:57.000000000 -0400
26593 @@ -187,7 +187,6 @@ static struct ktermios stli_deftermios
26594 * re-used for each stats call.
26596 static comstats_t stli_comstats;
26597 -static combrd_t stli_brdstats;
26598 static struct asystats stli_cdkstats;
26600 /*****************************************************************************/
26601 @@ -4058,6 +4057,7 @@ static int stli_getbrdstats(combrd_t __u
26603 struct stlibrd *brdp;
26605 + combrd_t stli_brdstats;
26607 if (copy_from_user(&stli_brdstats, bp, sizeof(combrd_t)))
26609 @@ -4269,6 +4269,8 @@ static int stli_getportstruct(struct stl
26610 struct stliport stli_dummyport;
26611 struct stliport *portp;
26613 + pax_track_stack();
26615 if (copy_from_user(&stli_dummyport, arg, sizeof(struct stliport)))
26617 portp = stli_getport(stli_dummyport.brdnr, stli_dummyport.panelnr,
26618 @@ -4291,6 +4293,8 @@ static int stli_getbrdstruct(struct stli
26619 struct stlibrd stli_dummybrd;
26620 struct stlibrd *brdp;
26622 + pax_track_stack();
26624 if (copy_from_user(&stli_dummybrd, arg, sizeof(struct stlibrd)))
26626 if (stli_dummybrd.brdnr >= STL_MAXBRDS)
26627 diff -urNp linux-2.6.32.42/drivers/char/Kconfig linux-2.6.32.42/drivers/char/Kconfig
26628 --- linux-2.6.32.42/drivers/char/Kconfig 2011-03-27 14:31:47.000000000 -0400
26629 +++ linux-2.6.32.42/drivers/char/Kconfig 2011-04-18 19:20:15.000000000 -0400
26630 @@ -90,7 +90,8 @@ config VT_HW_CONSOLE_BINDING
26633 bool "/dev/kmem virtual device support"
26636 + depends on !GRKERNSEC_KMEM
26638 Say Y here if you want to support the /dev/kmem device. The
26639 /dev/kmem device is rarely used, but can be used for certain
26640 @@ -1114,6 +1115,7 @@ config DEVPORT
26643 depends on ISA || PCI
26644 + depends on !GRKERNSEC_KMEM
26647 source "drivers/s390/char/Kconfig"
26648 diff -urNp linux-2.6.32.42/drivers/char/keyboard.c linux-2.6.32.42/drivers/char/keyboard.c
26649 --- linux-2.6.32.42/drivers/char/keyboard.c 2011-03-27 14:31:47.000000000 -0400
26650 +++ linux-2.6.32.42/drivers/char/keyboard.c 2011-04-17 15:56:46.000000000 -0400
26651 @@ -635,6 +635,16 @@ static void k_spec(struct vc_data *vc, u
26652 kbd->kbdmode == VC_MEDIUMRAW) &&
26653 value != KVAL(K_SAK))
26654 return; /* SAK is allowed even in raw mode */
26656 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
26658 + void *func = fn_handler[value];
26659 + if (func == fn_show_state || func == fn_show_ptregs ||
26660 + func == fn_show_mem)
26665 fn_handler[value](vc);
26668 @@ -1386,7 +1396,7 @@ static const struct input_device_id kbd_
26669 .evbit = { BIT_MASK(EV_SND) },
26672 - { }, /* Terminating entry */
26673 + { 0 }, /* Terminating entry */
26676 MODULE_DEVICE_TABLE(input, kbd_ids);
26677 diff -urNp linux-2.6.32.42/drivers/char/mem.c linux-2.6.32.42/drivers/char/mem.c
26678 --- linux-2.6.32.42/drivers/char/mem.c 2011-03-27 14:31:47.000000000 -0400
26679 +++ linux-2.6.32.42/drivers/char/mem.c 2011-04-17 15:56:46.000000000 -0400
26681 #include <linux/raw.h>
26682 #include <linux/tty.h>
26683 #include <linux/capability.h>
26684 +#include <linux/security.h>
26685 #include <linux/ptrace.h>
26686 #include <linux/device.h>
26687 #include <linux/highmem.h>
26689 # include <linux/efi.h>
26692 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
26693 +extern struct file_operations grsec_fops;
26696 static inline unsigned long size_inside_page(unsigned long start,
26697 unsigned long size)
26699 @@ -102,9 +107,13 @@ static inline int range_is_allowed(unsig
26701 while (cursor < to) {
26702 if (!devmem_is_allowed(pfn)) {
26703 +#ifdef CONFIG_GRKERNSEC_KMEM
26704 + gr_handle_mem_readwrite(from, to);
26707 "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
26708 current->comm, from, to);
26712 cursor += PAGE_SIZE;
26713 @@ -112,6 +121,11 @@ static inline int range_is_allowed(unsig
26717 +#elif defined(CONFIG_GRKERNSEC_KMEM)
26718 +static inline int range_is_allowed(unsigned long pfn, unsigned long size)
26723 static inline int range_is_allowed(unsigned long pfn, unsigned long size)
26725 @@ -155,6 +169,8 @@ static ssize_t read_mem(struct file * fi
26728 while (count > 0) {
26732 * Handle first page in case it's not aligned
26734 @@ -177,11 +193,31 @@ static ssize_t read_mem(struct file * fi
26738 - if (copy_to_user(buf, ptr, sz)) {
26739 +#ifdef CONFIG_PAX_USERCOPY
26740 + temp = kmalloc(sz, GFP_KERNEL);
26742 + unxlate_dev_mem_ptr(p, ptr);
26745 + memcpy(temp, ptr, sz);
26750 + if (copy_to_user(buf, temp, sz)) {
26752 +#ifdef CONFIG_PAX_USERCOPY
26756 unxlate_dev_mem_ptr(p, ptr);
26760 +#ifdef CONFIG_PAX_USERCOPY
26764 unxlate_dev_mem_ptr(p, ptr);
26767 @@ -419,9 +455,8 @@ static ssize_t read_kmem(struct file *fi
26768 size_t count, loff_t *ppos)
26770 unsigned long p = *ppos;
26771 - ssize_t low_count, read, sz;
26772 + ssize_t low_count, read, sz, err = 0;
26773 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
26777 if (p < (unsigned long) high_memory) {
26778 @@ -444,6 +479,8 @@ static ssize_t read_kmem(struct file *fi
26781 while (low_count > 0) {
26784 sz = size_inside_page(p, low_count);
26787 @@ -453,7 +490,22 @@ static ssize_t read_kmem(struct file *fi
26789 kbuf = xlate_dev_kmem_ptr((char *)p);
26791 - if (copy_to_user(buf, kbuf, sz))
26792 +#ifdef CONFIG_PAX_USERCOPY
26793 + temp = kmalloc(sz, GFP_KERNEL);
26796 + memcpy(temp, kbuf, sz);
26801 + err = copy_to_user(buf, temp, sz);
26803 +#ifdef CONFIG_PAX_USERCOPY
26811 @@ -889,6 +941,9 @@ static const struct memdev {
26812 #ifdef CONFIG_CRASH_DUMP
26813 [12] = { "oldmem", 0, &oldmem_fops, NULL },
26815 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
26816 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
26820 static int memory_open(struct inode *inode, struct file *filp)
26821 diff -urNp linux-2.6.32.42/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.32.42/drivers/char/pcmcia/ipwireless/tty.c
26822 --- linux-2.6.32.42/drivers/char/pcmcia/ipwireless/tty.c 2011-03-27 14:31:47.000000000 -0400
26823 +++ linux-2.6.32.42/drivers/char/pcmcia/ipwireless/tty.c 2011-04-17 15:56:46.000000000 -0400
26825 #include <linux/tty_driver.h>
26826 #include <linux/tty_flip.h>
26827 #include <linux/uaccess.h>
26828 +#include <asm/local.h>
26831 #include "network.h"
26832 @@ -51,7 +52,7 @@ struct ipw_tty {
26834 struct ipw_network *network;
26835 struct tty_struct *linux_tty;
26837 + local_t open_count;
26838 unsigned int control_lines;
26839 struct mutex ipw_tty_mutex;
26840 int tx_bytes_queued;
26841 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
26842 mutex_unlock(&tty->ipw_tty_mutex);
26845 - if (tty->open_count == 0)
26846 + if (local_read(&tty->open_count) == 0)
26847 tty->tx_bytes_queued = 0;
26849 - tty->open_count++;
26850 + local_inc(&tty->open_count);
26852 tty->linux_tty = linux_tty;
26853 linux_tty->driver_data = tty;
26854 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
26856 static void do_ipw_close(struct ipw_tty *tty)
26858 - tty->open_count--;
26860 - if (tty->open_count == 0) {
26861 + if (local_dec_return(&tty->open_count) == 0) {
26862 struct tty_struct *linux_tty = tty->linux_tty;
26864 if (linux_tty != NULL) {
26865 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
26868 mutex_lock(&tty->ipw_tty_mutex);
26869 - if (tty->open_count == 0) {
26870 + if (local_read(&tty->open_count) == 0) {
26871 mutex_unlock(&tty->ipw_tty_mutex);
26874 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
26878 - if (!tty->open_count) {
26879 + if (!local_read(&tty->open_count)) {
26880 mutex_unlock(&tty->ipw_tty_mutex);
26883 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
26886 mutex_lock(&tty->ipw_tty_mutex);
26887 - if (!tty->open_count) {
26888 + if (!local_read(&tty->open_count)) {
26889 mutex_unlock(&tty->ipw_tty_mutex);
26892 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
26896 - if (!tty->open_count)
26897 + if (!local_read(&tty->open_count))
26900 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
26901 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
26905 - if (!tty->open_count)
26906 + if (!local_read(&tty->open_count))
26909 return tty->tx_bytes_queued;
26910 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
26914 - if (!tty->open_count)
26915 + if (!local_read(&tty->open_count))
26918 return get_control_lines(tty);
26919 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
26923 - if (!tty->open_count)
26924 + if (!local_read(&tty->open_count))
26927 return set_control_lines(tty, set, clear);
26928 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
26932 - if (!tty->open_count)
26933 + if (!local_read(&tty->open_count))
26936 /* FIXME: Exactly how is the tty object locked here .. */
26937 @@ -591,7 +590,7 @@ void ipwireless_tty_free(struct ipw_tty
26938 against a parallel ioctl etc */
26939 mutex_lock(&ttyj->ipw_tty_mutex);
26941 - while (ttyj->open_count)
26942 + while (local_read(&ttyj->open_count))
26943 do_ipw_close(ttyj);
26944 ipwireless_disassociate_network_ttys(network,
26945 ttyj->channel_idx);
26946 diff -urNp linux-2.6.32.42/drivers/char/pty.c linux-2.6.32.42/drivers/char/pty.c
26947 --- linux-2.6.32.42/drivers/char/pty.c 2011-03-27 14:31:47.000000000 -0400
26948 +++ linux-2.6.32.42/drivers/char/pty.c 2011-04-17 15:56:46.000000000 -0400
26949 @@ -682,7 +682,18 @@ static int ptmx_open(struct inode *inode
26953 -static struct file_operations ptmx_fops;
26954 +static const struct file_operations ptmx_fops = {
26955 + .llseek = no_llseek,
26956 + .read = tty_read,
26957 + .write = tty_write,
26958 + .poll = tty_poll,
26959 + .unlocked_ioctl = tty_ioctl,
26960 + .compat_ioctl = tty_compat_ioctl,
26961 + .open = ptmx_open,
26962 + .release = tty_release,
26963 + .fasync = tty_fasync,
26967 static void __init unix98_pty_init(void)
26969 @@ -736,9 +747,6 @@ static void __init unix98_pty_init(void)
26970 register_sysctl_table(pty_root_table);
26972 /* Now create the /dev/ptmx special device */
26973 - tty_default_fops(&ptmx_fops);
26974 - ptmx_fops.open = ptmx_open;
26976 cdev_init(&ptmx_cdev, &ptmx_fops);
26977 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
26978 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
26979 diff -urNp linux-2.6.32.42/drivers/char/random.c linux-2.6.32.42/drivers/char/random.c
26980 --- linux-2.6.32.42/drivers/char/random.c 2011-03-27 14:31:47.000000000 -0400
26981 +++ linux-2.6.32.42/drivers/char/random.c 2011-04-17 15:56:46.000000000 -0400
26982 @@ -254,8 +254,13 @@
26984 * Configuration information
26986 +#ifdef CONFIG_GRKERNSEC_RANDNET
26987 +#define INPUT_POOL_WORDS 512
26988 +#define OUTPUT_POOL_WORDS 128
26990 #define INPUT_POOL_WORDS 128
26991 #define OUTPUT_POOL_WORDS 32
26993 #define SEC_XFER_SIZE 512
26996 @@ -292,10 +297,17 @@ static struct poolinfo {
26998 int tap1, tap2, tap3, tap4, tap5;
26999 } poolinfo_table[] = {
27000 +#ifdef CONFIG_GRKERNSEC_RANDNET
27001 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
27002 + { 512, 411, 308, 208, 104, 1 },
27003 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
27004 + { 128, 103, 76, 51, 25, 1 },
27006 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
27007 { 128, 103, 76, 51, 25, 1 },
27008 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
27009 { 32, 26, 20, 14, 7, 1 },
27012 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
27013 { 2048, 1638, 1231, 819, 411, 1 },
27014 @@ -1209,7 +1221,7 @@ EXPORT_SYMBOL(generate_random_uuid);
27015 #include <linux/sysctl.h>
27017 static int min_read_thresh = 8, min_write_thresh;
27018 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
27019 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
27020 static int max_write_thresh = INPUT_POOL_WORDS * 32;
27021 static char sysctl_bootid[16];
27023 diff -urNp linux-2.6.32.42/drivers/char/rocket.c linux-2.6.32.42/drivers/char/rocket.c
27024 --- linux-2.6.32.42/drivers/char/rocket.c 2011-03-27 14:31:47.000000000 -0400
27025 +++ linux-2.6.32.42/drivers/char/rocket.c 2011-05-16 21:46:57.000000000 -0400
27026 @@ -1266,6 +1266,8 @@ static int get_ports(struct r_port *info
27027 struct rocket_ports tmp;
27030 + pax_track_stack();
27034 memset(&tmp, 0, sizeof (tmp));
27035 diff -urNp linux-2.6.32.42/drivers/char/sonypi.c linux-2.6.32.42/drivers/char/sonypi.c
27036 --- linux-2.6.32.42/drivers/char/sonypi.c 2011-03-27 14:31:47.000000000 -0400
27037 +++ linux-2.6.32.42/drivers/char/sonypi.c 2011-04-17 15:56:46.000000000 -0400
27039 #include <asm/uaccess.h>
27040 #include <asm/io.h>
27041 #include <asm/system.h>
27042 +#include <asm/local.h>
27044 #include <linux/sonypi.h>
27046 @@ -491,7 +492,7 @@ static struct sonypi_device {
27047 spinlock_t fifo_lock;
27048 wait_queue_head_t fifo_proc_list;
27049 struct fasync_struct *fifo_async;
27051 + local_t open_count;
27053 struct input_dev *input_jog_dev;
27054 struct input_dev *input_key_dev;
27055 @@ -895,7 +896,7 @@ static int sonypi_misc_fasync(int fd, st
27056 static int sonypi_misc_release(struct inode *inode, struct file *file)
27058 mutex_lock(&sonypi_device.lock);
27059 - sonypi_device.open_count--;
27060 + local_dec(&sonypi_device.open_count);
27061 mutex_unlock(&sonypi_device.lock);
27064 @@ -905,9 +906,9 @@ static int sonypi_misc_open(struct inode
27066 mutex_lock(&sonypi_device.lock);
27067 /* Flush input queue on first open */
27068 - if (!sonypi_device.open_count)
27069 + if (!local_read(&sonypi_device.open_count))
27070 kfifo_reset(sonypi_device.fifo);
27071 - sonypi_device.open_count++;
27072 + local_inc(&sonypi_device.open_count);
27073 mutex_unlock(&sonypi_device.lock);
27076 diff -urNp linux-2.6.32.42/drivers/char/stallion.c linux-2.6.32.42/drivers/char/stallion.c
27077 --- linux-2.6.32.42/drivers/char/stallion.c 2011-03-27 14:31:47.000000000 -0400
27078 +++ linux-2.6.32.42/drivers/char/stallion.c 2011-05-16 21:46:57.000000000 -0400
27079 @@ -2448,6 +2448,8 @@ static int stl_getportstruct(struct stlp
27080 struct stlport stl_dummyport;
27081 struct stlport *portp;
27083 + pax_track_stack();
27085 if (copy_from_user(&stl_dummyport, arg, sizeof(struct stlport)))
27087 portp = stl_getport(stl_dummyport.brdnr, stl_dummyport.panelnr,
27088 diff -urNp linux-2.6.32.42/drivers/char/tpm/tpm_bios.c linux-2.6.32.42/drivers/char/tpm/tpm_bios.c
27089 --- linux-2.6.32.42/drivers/char/tpm/tpm_bios.c 2011-03-27 14:31:47.000000000 -0400
27090 +++ linux-2.6.32.42/drivers/char/tpm/tpm_bios.c 2011-04-17 15:56:46.000000000 -0400
27091 @@ -172,7 +172,7 @@ static void *tpm_bios_measurements_start
27094 if ((event->event_type == 0 && event->event_size == 0) ||
27095 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
27096 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
27100 @@ -197,7 +197,7 @@ static void *tpm_bios_measurements_next(
27103 if ((event->event_type == 0 && event->event_size == 0) ||
27104 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
27105 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
27109 @@ -290,7 +290,8 @@ static int tpm_binary_bios_measurements_
27112 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
27113 - seq_putc(m, data[i]);
27114 + if (!seq_putc(m, data[i]))
27119 @@ -409,6 +410,11 @@ static int read_log(struct tpm_bios_log
27120 log->bios_event_log_end = log->bios_event_log + len;
27122 virt = acpi_os_map_memory(start, len);
27124 + kfree(log->bios_event_log);
27125 + log->bios_event_log = NULL;
27129 memcpy(log->bios_event_log, virt, len);
27131 diff -urNp linux-2.6.32.42/drivers/char/tpm/tpm.c linux-2.6.32.42/drivers/char/tpm/tpm.c
27132 --- linux-2.6.32.42/drivers/char/tpm/tpm.c 2011-04-17 17:00:52.000000000 -0400
27133 +++ linux-2.6.32.42/drivers/char/tpm/tpm.c 2011-05-16 21:46:57.000000000 -0400
27134 @@ -402,7 +402,7 @@ static ssize_t tpm_transmit(struct tpm_c
27135 chip->vendor.req_complete_val)
27138 - if ((status == chip->vendor.req_canceled)) {
27139 + if (status == chip->vendor.req_canceled) {
27140 dev_err(chip->dev, "Operation Canceled\n");
27143 @@ -821,6 +821,8 @@ ssize_t tpm_show_pubek(struct device *de
27145 struct tpm_chip *chip = dev_get_drvdata(dev);
27147 + pax_track_stack();
27149 tpm_cmd.header.in = tpm_readpubek_header;
27150 err = transmit_cmd(chip, &tpm_cmd, READ_PUBEK_RESULT_SIZE,
27151 "attempting to read the PUBEK");
27152 diff -urNp linux-2.6.32.42/drivers/char/tty_io.c linux-2.6.32.42/drivers/char/tty_io.c
27153 --- linux-2.6.32.42/drivers/char/tty_io.c 2011-03-27 14:31:47.000000000 -0400
27154 +++ linux-2.6.32.42/drivers/char/tty_io.c 2011-04-17 15:56:46.000000000 -0400
27155 @@ -136,21 +136,10 @@ LIST_HEAD(tty_drivers); /* linked list
27156 DEFINE_MUTEX(tty_mutex);
27157 EXPORT_SYMBOL(tty_mutex);
27159 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
27160 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
27161 ssize_t redirected_tty_write(struct file *, const char __user *,
27163 -static unsigned int tty_poll(struct file *, poll_table *);
27164 static int tty_open(struct inode *, struct file *);
27165 -static int tty_release(struct inode *, struct file *);
27166 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
27167 -#ifdef CONFIG_COMPAT
27168 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
27169 - unsigned long arg);
27171 -#define tty_compat_ioctl NULL
27173 -static int tty_fasync(int fd, struct file *filp, int on);
27174 static void release_tty(struct tty_struct *tty, int idx);
27175 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
27176 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
27177 @@ -870,7 +859,7 @@ EXPORT_SYMBOL(start_tty);
27178 * read calls may be outstanding in parallel.
27181 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
27182 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
27186 @@ -898,6 +887,8 @@ static ssize_t tty_read(struct file *fil
27190 +EXPORT_SYMBOL(tty_read);
27192 void tty_write_unlock(struct tty_struct *tty)
27194 mutex_unlock(&tty->atomic_write_lock);
27195 @@ -1045,7 +1036,7 @@ void tty_write_message(struct tty_struct
27196 * write method will not be invoked in parallel for each device.
27199 -static ssize_t tty_write(struct file *file, const char __user *buf,
27200 +ssize_t tty_write(struct file *file, const char __user *buf,
27201 size_t count, loff_t *ppos)
27203 struct tty_struct *tty;
27204 @@ -1072,6 +1063,8 @@ static ssize_t tty_write(struct file *fi
27208 +EXPORT_SYMBOL(tty_write);
27210 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
27211 size_t count, loff_t *ppos)
27213 @@ -1867,7 +1860,7 @@ static int tty_open(struct inode *inode,
27214 * Takes bkl. See tty_release_dev
27217 -static int tty_release(struct inode *inode, struct file *filp)
27218 +int tty_release(struct inode *inode, struct file *filp)
27221 tty_release_dev(filp);
27222 @@ -1875,6 +1868,8 @@ static int tty_release(struct inode *ino
27226 +EXPORT_SYMBOL(tty_release);
27229 * tty_poll - check tty status
27230 * @filp: file being polled
27231 @@ -1887,7 +1882,7 @@ static int tty_release(struct inode *ino
27232 * may be re-entered freely by other callers.
27235 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
27236 +unsigned int tty_poll(struct file *filp, poll_table *wait)
27238 struct tty_struct *tty;
27239 struct tty_ldisc *ld;
27240 @@ -1904,7 +1899,9 @@ static unsigned int tty_poll(struct file
27244 -static int tty_fasync(int fd, struct file *filp, int on)
27245 +EXPORT_SYMBOL(tty_poll);
27247 +int tty_fasync(int fd, struct file *filp, int on)
27249 struct tty_struct *tty;
27250 unsigned long flags;
27251 @@ -1948,6 +1945,8 @@ out:
27255 +EXPORT_SYMBOL(tty_fasync);
27258 * tiocsti - fake input character
27259 * @tty: tty to fake input into
27260 @@ -2582,8 +2581,10 @@ long tty_ioctl(struct file *file, unsign
27264 +EXPORT_SYMBOL(tty_ioctl);
27266 #ifdef CONFIG_COMPAT
27267 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
27268 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
27271 struct inode *inode = file->f_dentry->d_inode;
27272 @@ -2607,6 +2608,8 @@ static long tty_compat_ioctl(struct file
27277 +EXPORT_SYMBOL(tty_compat_ioctl);
27281 @@ -3050,11 +3053,6 @@ struct tty_struct *get_current_tty(void)
27283 EXPORT_SYMBOL_GPL(get_current_tty);
27285 -void tty_default_fops(struct file_operations *fops)
27287 - *fops = tty_fops;
27291 * Initialize the console device. This is called *early*, so
27292 * we can't necessarily depend on lots of kernel help here.
27293 diff -urNp linux-2.6.32.42/drivers/char/tty_ldisc.c linux-2.6.32.42/drivers/char/tty_ldisc.c
27294 --- linux-2.6.32.42/drivers/char/tty_ldisc.c 2011-03-27 14:31:47.000000000 -0400
27295 +++ linux-2.6.32.42/drivers/char/tty_ldisc.c 2011-04-17 15:56:46.000000000 -0400
27296 @@ -74,7 +74,7 @@ static void put_ldisc(struct tty_ldisc *
27297 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
27298 struct tty_ldisc_ops *ldo = ld->ops;
27301 + atomic_dec(&ldo->refcount);
27302 module_put(ldo->owner);
27303 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
27305 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
27306 spin_lock_irqsave(&tty_ldisc_lock, flags);
27307 tty_ldiscs[disc] = new_ldisc;
27308 new_ldisc->num = disc;
27309 - new_ldisc->refcount = 0;
27310 + atomic_set(&new_ldisc->refcount, 0);
27311 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
27314 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
27317 spin_lock_irqsave(&tty_ldisc_lock, flags);
27318 - if (tty_ldiscs[disc]->refcount)
27319 + if (atomic_read(&tty_ldiscs[disc]->refcount))
27322 tty_ldiscs[disc] = NULL;
27323 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
27325 ret = ERR_PTR(-EAGAIN);
27326 if (try_module_get(ldops->owner)) {
27327 - ldops->refcount++;
27328 + atomic_inc(&ldops->refcount);
27332 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
27333 unsigned long flags;
27335 spin_lock_irqsave(&tty_ldisc_lock, flags);
27336 - ldops->refcount--;
27337 + atomic_dec(&ldops->refcount);
27338 module_put(ldops->owner);
27339 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
27341 diff -urNp linux-2.6.32.42/drivers/char/virtio_console.c linux-2.6.32.42/drivers/char/virtio_console.c
27342 --- linux-2.6.32.42/drivers/char/virtio_console.c 2011-03-27 14:31:47.000000000 -0400
27343 +++ linux-2.6.32.42/drivers/char/virtio_console.c 2011-04-17 15:56:46.000000000 -0400
27344 @@ -44,6 +44,7 @@ static unsigned int in_len;
27345 static char *in, *inbuf;
27347 /* The operations for our console. */
27348 +/* cannot be const */
27349 static struct hv_ops virtio_cons;
27351 /* The hvc device */
27352 diff -urNp linux-2.6.32.42/drivers/char/vt.c linux-2.6.32.42/drivers/char/vt.c
27353 --- linux-2.6.32.42/drivers/char/vt.c 2011-03-27 14:31:47.000000000 -0400
27354 +++ linux-2.6.32.42/drivers/char/vt.c 2011-04-17 15:56:46.000000000 -0400
27355 @@ -243,7 +243,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
27357 static void notify_write(struct vc_data *vc, unsigned int unicode)
27359 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
27360 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
27361 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, ¶m);
27364 diff -urNp linux-2.6.32.42/drivers/char/vt_ioctl.c linux-2.6.32.42/drivers/char/vt_ioctl.c
27365 --- linux-2.6.32.42/drivers/char/vt_ioctl.c 2011-03-27 14:31:47.000000000 -0400
27366 +++ linux-2.6.32.42/drivers/char/vt_ioctl.c 2011-04-17 15:56:46.000000000 -0400
27367 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
27368 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
27371 - if (!capable(CAP_SYS_TTY_CONFIG))
27376 key_map = key_maps[s];
27377 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
27378 val = (i ? K_HOLE : K_NOSUCHMAP);
27379 return put_user(val, &user_kbe->kb_value);
27381 + if (!capable(CAP_SYS_TTY_CONFIG))
27387 if (!i && v == K_NOSUCHMAP) {
27388 /* deallocate map */
27389 key_map = key_maps[s];
27390 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
27394 - if (!capable(CAP_SYS_TTY_CONFIG))
27397 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
27400 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
27402 return ((p && *p) ? -EOVERFLOW : 0);
27404 + if (!capable(CAP_SYS_TTY_CONFIG))
27410 diff -urNp linux-2.6.32.42/drivers/connector/Kconfig linux-2.6.32.42/drivers/connector/Kconfig
27411 --- linux-2.6.32.42/drivers/connector/Kconfig 2011-03-27 14:31:47.000000000 -0400
27412 +++ linux-2.6.32.42/drivers/connector/Kconfig 2011-06-20 17:54:56.000000000 -0400
27415 menuconfig CONNECTOR
27416 tristate "Connector - unified userspace <-> kernelspace linker"
27418 + depends on NET && !GRKERNSEC
27420 This is unified userspace <-> kernelspace connector working on top
27421 of the netlink socket protocol.
27422 @@ -13,7 +13,7 @@ if CONNECTOR
27425 boolean "Report process events to userspace"
27426 - depends on CONNECTOR=y
27427 + depends on CONNECTOR=y && !GRKERNSEC
27430 Provide a connector that reports process events to userspace. Send
27431 diff -urNp linux-2.6.32.42/drivers/cpufreq/cpufreq.c linux-2.6.32.42/drivers/cpufreq/cpufreq.c
27432 --- linux-2.6.32.42/drivers/cpufreq/cpufreq.c 2011-06-25 12:55:34.000000000 -0400
27433 +++ linux-2.6.32.42/drivers/cpufreq/cpufreq.c 2011-06-25 12:56:37.000000000 -0400
27434 @@ -750,7 +750,7 @@ static void cpufreq_sysfs_release(struct
27435 complete(&policy->kobj_unregister);
27438 -static struct sysfs_ops sysfs_ops = {
27439 +static const struct sysfs_ops sysfs_ops = {
27443 diff -urNp linux-2.6.32.42/drivers/cpuidle/sysfs.c linux-2.6.32.42/drivers/cpuidle/sysfs.c
27444 --- linux-2.6.32.42/drivers/cpuidle/sysfs.c 2011-03-27 14:31:47.000000000 -0400
27445 +++ linux-2.6.32.42/drivers/cpuidle/sysfs.c 2011-04-17 15:56:46.000000000 -0400
27446 @@ -191,7 +191,7 @@ static ssize_t cpuidle_store(struct kobj
27450 -static struct sysfs_ops cpuidle_sysfs_ops = {
27451 +static const struct sysfs_ops cpuidle_sysfs_ops = {
27452 .show = cpuidle_show,
27453 .store = cpuidle_store,
27455 @@ -277,7 +277,7 @@ static ssize_t cpuidle_state_show(struct
27459 -static struct sysfs_ops cpuidle_state_sysfs_ops = {
27460 +static const struct sysfs_ops cpuidle_state_sysfs_ops = {
27461 .show = cpuidle_state_show,
27464 @@ -294,7 +294,7 @@ static struct kobj_type ktype_state_cpui
27465 .release = cpuidle_state_sysfs_release,
27468 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
27469 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
27471 kobject_put(&device->kobjs[i]->kobj);
27472 wait_for_completion(&device->kobjs[i]->kobj_unregister);
27473 diff -urNp linux-2.6.32.42/drivers/crypto/hifn_795x.c linux-2.6.32.42/drivers/crypto/hifn_795x.c
27474 --- linux-2.6.32.42/drivers/crypto/hifn_795x.c 2011-03-27 14:31:47.000000000 -0400
27475 +++ linux-2.6.32.42/drivers/crypto/hifn_795x.c 2011-05-16 21:46:57.000000000 -0400
27476 @@ -1655,6 +1655,8 @@ static int hifn_test(struct hifn_device
27477 0xCA, 0x34, 0x2B, 0x2E};
27478 struct scatterlist sg;
27480 + pax_track_stack();
27482 memset(src, 0, sizeof(src));
27483 memset(ctx.key, 0, sizeof(ctx.key));
27485 diff -urNp linux-2.6.32.42/drivers/crypto/padlock-aes.c linux-2.6.32.42/drivers/crypto/padlock-aes.c
27486 --- linux-2.6.32.42/drivers/crypto/padlock-aes.c 2011-03-27 14:31:47.000000000 -0400
27487 +++ linux-2.6.32.42/drivers/crypto/padlock-aes.c 2011-05-16 21:46:57.000000000 -0400
27488 @@ -108,6 +108,8 @@ static int aes_set_key(struct crypto_tfm
27489 struct crypto_aes_ctx gen_aes;
27492 + pax_track_stack();
27495 *flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
27497 diff -urNp linux-2.6.32.42/drivers/dma/ioat/dma.c linux-2.6.32.42/drivers/dma/ioat/dma.c
27498 --- linux-2.6.32.42/drivers/dma/ioat/dma.c 2011-03-27 14:31:47.000000000 -0400
27499 +++ linux-2.6.32.42/drivers/dma/ioat/dma.c 2011-04-17 15:56:46.000000000 -0400
27500 @@ -1146,7 +1146,7 @@ ioat_attr_show(struct kobject *kobj, str
27501 return entry->show(&chan->common, page);
27504 -struct sysfs_ops ioat_sysfs_ops = {
27505 +const struct sysfs_ops ioat_sysfs_ops = {
27506 .show = ioat_attr_show,
27509 diff -urNp linux-2.6.32.42/drivers/dma/ioat/dma.h linux-2.6.32.42/drivers/dma/ioat/dma.h
27510 --- linux-2.6.32.42/drivers/dma/ioat/dma.h 2011-03-27 14:31:47.000000000 -0400
27511 +++ linux-2.6.32.42/drivers/dma/ioat/dma.h 2011-04-17 15:56:46.000000000 -0400
27512 @@ -347,7 +347,7 @@ bool ioat_cleanup_preamble(struct ioat_c
27513 unsigned long *phys_complete);
27514 void ioat_kobject_add(struct ioatdma_device *device, struct kobj_type *type);
27515 void ioat_kobject_del(struct ioatdma_device *device);
27516 -extern struct sysfs_ops ioat_sysfs_ops;
27517 +extern const struct sysfs_ops ioat_sysfs_ops;
27518 extern struct ioat_sysfs_entry ioat_version_attr;
27519 extern struct ioat_sysfs_entry ioat_cap_attr;
27520 #endif /* IOATDMA_H */
27521 diff -urNp linux-2.6.32.42/drivers/edac/edac_device_sysfs.c linux-2.6.32.42/drivers/edac/edac_device_sysfs.c
27522 --- linux-2.6.32.42/drivers/edac/edac_device_sysfs.c 2011-03-27 14:31:47.000000000 -0400
27523 +++ linux-2.6.32.42/drivers/edac/edac_device_sysfs.c 2011-04-17 15:56:46.000000000 -0400
27524 @@ -137,7 +137,7 @@ static ssize_t edac_dev_ctl_info_store(s
27527 /* edac_dev file operations for an 'ctl_info' */
27528 -static struct sysfs_ops device_ctl_info_ops = {
27529 +static const struct sysfs_ops device_ctl_info_ops = {
27530 .show = edac_dev_ctl_info_show,
27531 .store = edac_dev_ctl_info_store
27533 @@ -373,7 +373,7 @@ static ssize_t edac_dev_instance_store(s
27536 /* edac_dev file operations for an 'instance' */
27537 -static struct sysfs_ops device_instance_ops = {
27538 +static const struct sysfs_ops device_instance_ops = {
27539 .show = edac_dev_instance_show,
27540 .store = edac_dev_instance_store
27542 @@ -476,7 +476,7 @@ static ssize_t edac_dev_block_store(stru
27545 /* edac_dev file operations for a 'block' */
27546 -static struct sysfs_ops device_block_ops = {
27547 +static const struct sysfs_ops device_block_ops = {
27548 .show = edac_dev_block_show,
27549 .store = edac_dev_block_store
27551 diff -urNp linux-2.6.32.42/drivers/edac/edac_mc_sysfs.c linux-2.6.32.42/drivers/edac/edac_mc_sysfs.c
27552 --- linux-2.6.32.42/drivers/edac/edac_mc_sysfs.c 2011-03-27 14:31:47.000000000 -0400
27553 +++ linux-2.6.32.42/drivers/edac/edac_mc_sysfs.c 2011-04-17 15:56:46.000000000 -0400
27554 @@ -245,7 +245,7 @@ static ssize_t csrowdev_store(struct kob
27558 -static struct sysfs_ops csrowfs_ops = {
27559 +static const struct sysfs_ops csrowfs_ops = {
27560 .show = csrowdev_show,
27561 .store = csrowdev_store
27563 @@ -575,7 +575,7 @@ static ssize_t mcidev_store(struct kobje
27566 /* Intermediate show/store table */
27567 -static struct sysfs_ops mci_ops = {
27568 +static const struct sysfs_ops mci_ops = {
27569 .show = mcidev_show,
27570 .store = mcidev_store
27572 diff -urNp linux-2.6.32.42/drivers/edac/edac_pci_sysfs.c linux-2.6.32.42/drivers/edac/edac_pci_sysfs.c
27573 --- linux-2.6.32.42/drivers/edac/edac_pci_sysfs.c 2011-03-27 14:31:47.000000000 -0400
27574 +++ linux-2.6.32.42/drivers/edac/edac_pci_sysfs.c 2011-05-04 17:56:20.000000000 -0400
27575 @@ -25,8 +25,8 @@ static int edac_pci_log_pe = 1; /* log
27576 static int edac_pci_log_npe = 1; /* log PCI non-parity error errors */
27577 static int edac_pci_poll_msec = 1000; /* one second workq period */
27579 -static atomic_t pci_parity_count = ATOMIC_INIT(0);
27580 -static atomic_t pci_nonparity_count = ATOMIC_INIT(0);
27581 +static atomic_unchecked_t pci_parity_count = ATOMIC_INIT(0);
27582 +static atomic_unchecked_t pci_nonparity_count = ATOMIC_INIT(0);
27584 static struct kobject *edac_pci_top_main_kobj;
27585 static atomic_t edac_pci_sysfs_refcount = ATOMIC_INIT(0);
27586 @@ -121,7 +121,7 @@ static ssize_t edac_pci_instance_store(s
27590 -static struct sysfs_ops pci_instance_ops = {
27591 +static const struct sysfs_ops pci_instance_ops = {
27592 .show = edac_pci_instance_show,
27593 .store = edac_pci_instance_store
27595 @@ -261,7 +261,7 @@ static ssize_t edac_pci_dev_store(struct
27599 -static struct sysfs_ops edac_pci_sysfs_ops = {
27600 +static const struct sysfs_ops edac_pci_sysfs_ops = {
27601 .show = edac_pci_dev_show,
27602 .store = edac_pci_dev_store
27604 @@ -579,7 +579,7 @@ static void edac_pci_dev_parity_test(str
27605 edac_printk(KERN_CRIT, EDAC_PCI,
27606 "Signaled System Error on %s\n",
27608 - atomic_inc(&pci_nonparity_count);
27609 + atomic_inc_unchecked(&pci_nonparity_count);
27612 if (status & (PCI_STATUS_PARITY)) {
27613 @@ -587,7 +587,7 @@ static void edac_pci_dev_parity_test(str
27614 "Master Data Parity Error on %s\n",
27617 - atomic_inc(&pci_parity_count);
27618 + atomic_inc_unchecked(&pci_parity_count);
27621 if (status & (PCI_STATUS_DETECTED_PARITY)) {
27622 @@ -595,7 +595,7 @@ static void edac_pci_dev_parity_test(str
27623 "Detected Parity Error on %s\n",
27626 - atomic_inc(&pci_parity_count);
27627 + atomic_inc_unchecked(&pci_parity_count);
27631 @@ -616,7 +616,7 @@ static void edac_pci_dev_parity_test(str
27632 edac_printk(KERN_CRIT, EDAC_PCI, "Bridge "
27633 "Signaled System Error on %s\n",
27635 - atomic_inc(&pci_nonparity_count);
27636 + atomic_inc_unchecked(&pci_nonparity_count);
27639 if (status & (PCI_STATUS_PARITY)) {
27640 @@ -624,7 +624,7 @@ static void edac_pci_dev_parity_test(str
27641 "Master Data Parity Error on "
27642 "%s\n", pci_name(dev));
27644 - atomic_inc(&pci_parity_count);
27645 + atomic_inc_unchecked(&pci_parity_count);
27648 if (status & (PCI_STATUS_DETECTED_PARITY)) {
27649 @@ -632,7 +632,7 @@ static void edac_pci_dev_parity_test(str
27650 "Detected Parity Error on %s\n",
27653 - atomic_inc(&pci_parity_count);
27654 + atomic_inc_unchecked(&pci_parity_count);
27658 @@ -674,7 +674,7 @@ void edac_pci_do_parity_check(void)
27659 if (!check_pci_errors)
27662 - before_count = atomic_read(&pci_parity_count);
27663 + before_count = atomic_read_unchecked(&pci_parity_count);
27665 /* scan all PCI devices looking for a Parity Error on devices and
27667 @@ -686,7 +686,7 @@ void edac_pci_do_parity_check(void)
27668 /* Only if operator has selected panic on PCI Error */
27669 if (edac_pci_get_panic_on_pe()) {
27670 /* If the count is different 'after' from 'before' */
27671 - if (before_count != atomic_read(&pci_parity_count))
27672 + if (before_count != atomic_read_unchecked(&pci_parity_count))
27673 panic("EDAC: PCI Parity Error");
27676 diff -urNp linux-2.6.32.42/drivers/firewire/core-cdev.c linux-2.6.32.42/drivers/firewire/core-cdev.c
27677 --- linux-2.6.32.42/drivers/firewire/core-cdev.c 2011-03-27 14:31:47.000000000 -0400
27678 +++ linux-2.6.32.42/drivers/firewire/core-cdev.c 2011-04-17 15:56:46.000000000 -0400
27679 @@ -1141,8 +1141,7 @@ static int init_iso_resource(struct clie
27682 if ((request->channels == 0 && request->bandwidth == 0) ||
27683 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
27684 - request->bandwidth < 0)
27685 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
27688 r = kmalloc(sizeof(*r), GFP_KERNEL);
27689 diff -urNp linux-2.6.32.42/drivers/firewire/core-transaction.c linux-2.6.32.42/drivers/firewire/core-transaction.c
27690 --- linux-2.6.32.42/drivers/firewire/core-transaction.c 2011-03-27 14:31:47.000000000 -0400
27691 +++ linux-2.6.32.42/drivers/firewire/core-transaction.c 2011-05-16 21:46:57.000000000 -0400
27693 #include <linux/string.h>
27694 #include <linux/timer.h>
27695 #include <linux/types.h>
27696 +#include <linux/sched.h>
27698 #include <asm/byteorder.h>
27700 @@ -344,6 +345,8 @@ int fw_run_transaction(struct fw_card *c
27701 struct transaction_callback_data d;
27702 struct fw_transaction t;
27704 + pax_track_stack();
27706 init_completion(&d.done);
27707 d.payload = payload;
27708 fw_send_request(card, &t, tcode, destination_id, generation, speed,
27709 diff -urNp linux-2.6.32.42/drivers/firmware/dmi_scan.c linux-2.6.32.42/drivers/firmware/dmi_scan.c
27710 --- linux-2.6.32.42/drivers/firmware/dmi_scan.c 2011-03-27 14:31:47.000000000 -0400
27711 +++ linux-2.6.32.42/drivers/firmware/dmi_scan.c 2011-04-17 15:56:46.000000000 -0400
27712 @@ -391,11 +391,6 @@ void __init dmi_scan_machine(void)
27717 - * no iounmap() for that ioremap(); it would be a no-op, but
27718 - * it's so early in setup that sucker gets confused into doing
27719 - * what it shouldn't if we actually call it.
27721 p = dmi_ioremap(0xF0000, 0x10000);
27724 diff -urNp linux-2.6.32.42/drivers/firmware/edd.c linux-2.6.32.42/drivers/firmware/edd.c
27725 --- linux-2.6.32.42/drivers/firmware/edd.c 2011-03-27 14:31:47.000000000 -0400
27726 +++ linux-2.6.32.42/drivers/firmware/edd.c 2011-04-17 15:56:46.000000000 -0400
27727 @@ -122,7 +122,7 @@ edd_attr_show(struct kobject * kobj, str
27731 -static struct sysfs_ops edd_attr_ops = {
27732 +static const struct sysfs_ops edd_attr_ops = {
27733 .show = edd_attr_show,
27736 diff -urNp linux-2.6.32.42/drivers/firmware/efivars.c linux-2.6.32.42/drivers/firmware/efivars.c
27737 --- linux-2.6.32.42/drivers/firmware/efivars.c 2011-03-27 14:31:47.000000000 -0400
27738 +++ linux-2.6.32.42/drivers/firmware/efivars.c 2011-04-17 15:56:46.000000000 -0400
27739 @@ -362,7 +362,7 @@ static ssize_t efivar_attr_store(struct
27743 -static struct sysfs_ops efivar_attr_ops = {
27744 +static const struct sysfs_ops efivar_attr_ops = {
27745 .show = efivar_attr_show,
27746 .store = efivar_attr_store,
27748 diff -urNp linux-2.6.32.42/drivers/firmware/iscsi_ibft.c linux-2.6.32.42/drivers/firmware/iscsi_ibft.c
27749 --- linux-2.6.32.42/drivers/firmware/iscsi_ibft.c 2011-03-27 14:31:47.000000000 -0400
27750 +++ linux-2.6.32.42/drivers/firmware/iscsi_ibft.c 2011-04-17 15:56:46.000000000 -0400
27751 @@ -525,7 +525,7 @@ static ssize_t ibft_show_attribute(struc
27755 -static struct sysfs_ops ibft_attr_ops = {
27756 +static const struct sysfs_ops ibft_attr_ops = {
27757 .show = ibft_show_attribute,
27760 diff -urNp linux-2.6.32.42/drivers/firmware/memmap.c linux-2.6.32.42/drivers/firmware/memmap.c
27761 --- linux-2.6.32.42/drivers/firmware/memmap.c 2011-03-27 14:31:47.000000000 -0400
27762 +++ linux-2.6.32.42/drivers/firmware/memmap.c 2011-04-17 15:56:46.000000000 -0400
27763 @@ -74,7 +74,7 @@ static struct attribute *def_attrs[] = {
27767 -static struct sysfs_ops memmap_attr_ops = {
27768 +static const struct sysfs_ops memmap_attr_ops = {
27769 .show = memmap_attr_show,
27772 diff -urNp linux-2.6.32.42/drivers/gpio/vr41xx_giu.c linux-2.6.32.42/drivers/gpio/vr41xx_giu.c
27773 --- linux-2.6.32.42/drivers/gpio/vr41xx_giu.c 2011-03-27 14:31:47.000000000 -0400
27774 +++ linux-2.6.32.42/drivers/gpio/vr41xx_giu.c 2011-05-04 17:56:28.000000000 -0400
27775 @@ -204,7 +204,7 @@ static int giu_get_irq(unsigned int irq)
27776 printk(KERN_ERR "spurious GIU interrupt: %04x(%04x),%04x(%04x)\n",
27777 maskl, pendl, maskh, pendh);
27779 - atomic_inc(&irq_err_count);
27780 + atomic_inc_unchecked(&irq_err_count);
27784 diff -urNp linux-2.6.32.42/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.32.42/drivers/gpu/drm/drm_crtc_helper.c
27785 --- linux-2.6.32.42/drivers/gpu/drm/drm_crtc_helper.c 2011-03-27 14:31:47.000000000 -0400
27786 +++ linux-2.6.32.42/drivers/gpu/drm/drm_crtc_helper.c 2011-05-16 21:46:57.000000000 -0400
27787 @@ -573,7 +573,7 @@ static bool drm_encoder_crtc_ok(struct d
27788 struct drm_crtc *tmp;
27791 - WARN(!crtc, "checking null crtc?");
27796 @@ -642,6 +642,8 @@ bool drm_crtc_helper_set_mode(struct drm
27798 adjusted_mode = drm_mode_duplicate(dev, mode);
27800 + pax_track_stack();
27802 crtc->enabled = drm_helper_crtc_in_use(crtc);
27804 if (!crtc->enabled)
27805 diff -urNp linux-2.6.32.42/drivers/gpu/drm/drm_drv.c linux-2.6.32.42/drivers/gpu/drm/drm_drv.c
27806 --- linux-2.6.32.42/drivers/gpu/drm/drm_drv.c 2011-03-27 14:31:47.000000000 -0400
27807 +++ linux-2.6.32.42/drivers/gpu/drm/drm_drv.c 2011-04-17 15:56:46.000000000 -0400
27808 @@ -417,7 +417,7 @@ int drm_ioctl(struct inode *inode, struc
27809 char *kdata = NULL;
27811 atomic_inc(&dev->ioctl_count);
27812 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
27813 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
27814 ++file_priv->ioctl_count;
27816 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
27817 diff -urNp linux-2.6.32.42/drivers/gpu/drm/drm_fops.c linux-2.6.32.42/drivers/gpu/drm/drm_fops.c
27818 --- linux-2.6.32.42/drivers/gpu/drm/drm_fops.c 2011-03-27 14:31:47.000000000 -0400
27819 +++ linux-2.6.32.42/drivers/gpu/drm/drm_fops.c 2011-04-17 15:56:46.000000000 -0400
27820 @@ -66,7 +66,7 @@ static int drm_setup(struct drm_device *
27823 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
27824 - atomic_set(&dev->counts[i], 0);
27825 + atomic_set_unchecked(&dev->counts[i], 0);
27827 dev->sigdata.lock = NULL;
27829 @@ -130,9 +130,9 @@ int drm_open(struct inode *inode, struct
27831 retcode = drm_open_helper(inode, filp, dev);
27833 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
27834 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
27835 spin_lock(&dev->count_lock);
27836 - if (!dev->open_count++) {
27837 + if (local_inc_return(&dev->open_count) == 1) {
27838 spin_unlock(&dev->count_lock);
27839 retcode = drm_setup(dev);
27841 @@ -435,7 +435,7 @@ int drm_release(struct inode *inode, str
27845 - DRM_DEBUG("open_count = %d\n", dev->open_count);
27846 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
27848 if (dev->driver->preclose)
27849 dev->driver->preclose(dev, file_priv);
27850 @@ -447,7 +447,7 @@ int drm_release(struct inode *inode, str
27851 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
27852 task_pid_nr(current),
27853 (long)old_encode_dev(file_priv->minor->device),
27854 - dev->open_count);
27855 + local_read(&dev->open_count));
27857 /* if the master has gone away we can't do anything with the lock */
27858 if (file_priv->minor->master)
27859 @@ -524,9 +524,9 @@ int drm_release(struct inode *inode, str
27860 * End inline drm_release
27863 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
27864 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
27865 spin_lock(&dev->count_lock);
27866 - if (!--dev->open_count) {
27867 + if (local_dec_and_test(&dev->open_count)) {
27868 if (atomic_read(&dev->ioctl_count)) {
27869 DRM_ERROR("Device busy: %d\n",
27870 atomic_read(&dev->ioctl_count));
27871 diff -urNp linux-2.6.32.42/drivers/gpu/drm/drm_gem.c linux-2.6.32.42/drivers/gpu/drm/drm_gem.c
27872 --- linux-2.6.32.42/drivers/gpu/drm/drm_gem.c 2011-03-27 14:31:47.000000000 -0400
27873 +++ linux-2.6.32.42/drivers/gpu/drm/drm_gem.c 2011-04-17 15:56:46.000000000 -0400
27874 @@ -83,11 +83,11 @@ drm_gem_init(struct drm_device *dev)
27875 spin_lock_init(&dev->object_name_lock);
27876 idr_init(&dev->object_name_idr);
27877 atomic_set(&dev->object_count, 0);
27878 - atomic_set(&dev->object_memory, 0);
27879 + atomic_set_unchecked(&dev->object_memory, 0);
27880 atomic_set(&dev->pin_count, 0);
27881 - atomic_set(&dev->pin_memory, 0);
27882 + atomic_set_unchecked(&dev->pin_memory, 0);
27883 atomic_set(&dev->gtt_count, 0);
27884 - atomic_set(&dev->gtt_memory, 0);
27885 + atomic_set_unchecked(&dev->gtt_memory, 0);
27887 mm = kzalloc(sizeof(struct drm_gem_mm), GFP_KERNEL);
27889 @@ -150,7 +150,7 @@ drm_gem_object_alloc(struct drm_device *
27892 atomic_inc(&dev->object_count);
27893 - atomic_add(obj->size, &dev->object_memory);
27894 + atomic_add_unchecked(obj->size, &dev->object_memory);
27898 @@ -429,7 +429,7 @@ drm_gem_object_free(struct kref *kref)
27901 atomic_dec(&dev->object_count);
27902 - atomic_sub(obj->size, &dev->object_memory);
27903 + atomic_sub_unchecked(obj->size, &dev->object_memory);
27906 EXPORT_SYMBOL(drm_gem_object_free);
27907 diff -urNp linux-2.6.32.42/drivers/gpu/drm/drm_info.c linux-2.6.32.42/drivers/gpu/drm/drm_info.c
27908 --- linux-2.6.32.42/drivers/gpu/drm/drm_info.c 2011-03-27 14:31:47.000000000 -0400
27909 +++ linux-2.6.32.42/drivers/gpu/drm/drm_info.c 2011-04-17 15:56:46.000000000 -0400
27910 @@ -75,10 +75,14 @@ int drm_vm_info(struct seq_file *m, void
27911 struct drm_local_map *map;
27912 struct drm_map_list *r_list;
27914 - /* Hardcoded from _DRM_FRAME_BUFFER,
27915 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
27916 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
27917 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
27918 + static const char * const types[] = {
27919 + [_DRM_FRAME_BUFFER] = "FB",
27920 + [_DRM_REGISTERS] = "REG",
27921 + [_DRM_SHM] = "SHM",
27922 + [_DRM_AGP] = "AGP",
27923 + [_DRM_SCATTER_GATHER] = "SG",
27924 + [_DRM_CONSISTENT] = "PCI",
27925 + [_DRM_GEM] = "GEM" };
27929 @@ -89,7 +93,7 @@ int drm_vm_info(struct seq_file *m, void
27933 - if (map->type < 0 || map->type > 5)
27934 + if (map->type >= ARRAY_SIZE(types))
27937 type = types[map->type];
27938 @@ -265,10 +269,10 @@ int drm_gem_object_info(struct seq_file
27939 struct drm_device *dev = node->minor->dev;
27941 seq_printf(m, "%d objects\n", atomic_read(&dev->object_count));
27942 - seq_printf(m, "%d object bytes\n", atomic_read(&dev->object_memory));
27943 + seq_printf(m, "%d object bytes\n", atomic_read_unchecked(&dev->object_memory));
27944 seq_printf(m, "%d pinned\n", atomic_read(&dev->pin_count));
27945 - seq_printf(m, "%d pin bytes\n", atomic_read(&dev->pin_memory));
27946 - seq_printf(m, "%d gtt bytes\n", atomic_read(&dev->gtt_memory));
27947 + seq_printf(m, "%d pin bytes\n", atomic_read_unchecked(&dev->pin_memory));
27948 + seq_printf(m, "%d gtt bytes\n", atomic_read_unchecked(&dev->gtt_memory));
27949 seq_printf(m, "%d gtt total\n", dev->gtt_total);
27952 @@ -288,7 +292,11 @@ int drm_vma_info(struct seq_file *m, voi
27953 mutex_lock(&dev->struct_mutex);
27954 seq_printf(m, "vma use count: %d, high_memory = %p, 0x%08llx\n",
27955 atomic_read(&dev->vma_count),
27956 +#ifdef CONFIG_GRKERNSEC_HIDESYM
27959 high_memory, (u64)virt_to_phys(high_memory));
27962 list_for_each_entry(pt, &dev->vmalist, head) {
27964 @@ -296,14 +304,23 @@ int drm_vma_info(struct seq_file *m, voi
27967 "\n%5d 0x%08lx-0x%08lx %c%c%c%c%c%c 0x%08lx000",
27968 - pt->pid, vma->vm_start, vma->vm_end,
27970 +#ifdef CONFIG_GRKERNSEC_HIDESYM
27973 + vma->vm_start, vma->vm_end,
27975 vma->vm_flags & VM_READ ? 'r' : '-',
27976 vma->vm_flags & VM_WRITE ? 'w' : '-',
27977 vma->vm_flags & VM_EXEC ? 'x' : '-',
27978 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
27979 vma->vm_flags & VM_LOCKED ? 'l' : '-',
27980 vma->vm_flags & VM_IO ? 'i' : '-',
27981 +#ifdef CONFIG_GRKERNSEC_HIDESYM
27987 #if defined(__i386__)
27988 pgprot = pgprot_val(vma->vm_page_prot);
27989 diff -urNp linux-2.6.32.42/drivers/gpu/drm/drm_ioctl.c linux-2.6.32.42/drivers/gpu/drm/drm_ioctl.c
27990 --- linux-2.6.32.42/drivers/gpu/drm/drm_ioctl.c 2011-03-27 14:31:47.000000000 -0400
27991 +++ linux-2.6.32.42/drivers/gpu/drm/drm_ioctl.c 2011-04-17 15:56:46.000000000 -0400
27992 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
27993 stats->data[i].value =
27994 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
27996 - stats->data[i].value = atomic_read(&dev->counts[i]);
27997 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
27998 stats->data[i].type = dev->types[i];
28001 diff -urNp linux-2.6.32.42/drivers/gpu/drm/drm_lock.c linux-2.6.32.42/drivers/gpu/drm/drm_lock.c
28002 --- linux-2.6.32.42/drivers/gpu/drm/drm_lock.c 2011-03-27 14:31:47.000000000 -0400
28003 +++ linux-2.6.32.42/drivers/gpu/drm/drm_lock.c 2011-04-17 15:56:46.000000000 -0400
28004 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
28005 if (drm_lock_take(&master->lock, lock->context)) {
28006 master->lock.file_priv = file_priv;
28007 master->lock.lock_time = jiffies;
28008 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
28009 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
28010 break; /* Got lock */
28013 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
28017 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
28018 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
28020 /* kernel_context_switch isn't used by any of the x86 drm
28021 * modules but is required by the Sparc driver.
28022 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i810/i810_dma.c linux-2.6.32.42/drivers/gpu/drm/i810/i810_dma.c
28023 --- linux-2.6.32.42/drivers/gpu/drm/i810/i810_dma.c 2011-03-27 14:31:47.000000000 -0400
28024 +++ linux-2.6.32.42/drivers/gpu/drm/i810/i810_dma.c 2011-04-17 15:56:46.000000000 -0400
28025 @@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
28026 dma->buflist[vertex->idx],
28027 vertex->discard, vertex->used);
28029 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
28030 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
28031 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
28032 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
28033 sarea_priv->last_enqueue = dev_priv->counter - 1;
28034 sarea_priv->last_dispatch = (int)hw_status[5];
28036 @@ -1115,8 +1115,8 @@ static int i810_dma_mc(struct drm_device
28037 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
28040 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
28041 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
28042 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
28043 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
28044 sarea_priv->last_enqueue = dev_priv->counter - 1;
28045 sarea_priv->last_dispatch = (int)hw_status[5];
28047 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i810/i810_drv.h linux-2.6.32.42/drivers/gpu/drm/i810/i810_drv.h
28048 --- linux-2.6.32.42/drivers/gpu/drm/i810/i810_drv.h 2011-03-27 14:31:47.000000000 -0400
28049 +++ linux-2.6.32.42/drivers/gpu/drm/i810/i810_drv.h 2011-05-04 17:56:28.000000000 -0400
28050 @@ -108,8 +108,8 @@ typedef struct drm_i810_private {
28053 wait_queue_head_t irq_queue;
28054 - atomic_t irq_received;
28055 - atomic_t irq_emitted;
28056 + atomic_unchecked_t irq_received;
28057 + atomic_unchecked_t irq_emitted;
28060 } drm_i810_private_t;
28061 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i830/i830_drv.h linux-2.6.32.42/drivers/gpu/drm/i830/i830_drv.h
28062 --- linux-2.6.32.42/drivers/gpu/drm/i830/i830_drv.h 2011-03-27 14:31:47.000000000 -0400
28063 +++ linux-2.6.32.42/drivers/gpu/drm/i830/i830_drv.h 2011-05-04 17:56:28.000000000 -0400
28064 @@ -115,8 +115,8 @@ typedef struct drm_i830_private {
28067 wait_queue_head_t irq_queue;
28068 - atomic_t irq_received;
28069 - atomic_t irq_emitted;
28070 + atomic_unchecked_t irq_received;
28071 + atomic_unchecked_t irq_emitted;
28073 int use_mi_batchbuffer_start;
28075 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i830/i830_irq.c linux-2.6.32.42/drivers/gpu/drm/i830/i830_irq.c
28076 --- linux-2.6.32.42/drivers/gpu/drm/i830/i830_irq.c 2011-03-27 14:31:47.000000000 -0400
28077 +++ linux-2.6.32.42/drivers/gpu/drm/i830/i830_irq.c 2011-05-04 17:56:28.000000000 -0400
28078 @@ -47,7 +47,7 @@ irqreturn_t i830_driver_irq_handler(DRM_
28080 I830_WRITE16(I830REG_INT_IDENTITY_R, temp);
28082 - atomic_inc(&dev_priv->irq_received);
28083 + atomic_inc_unchecked(&dev_priv->irq_received);
28084 wake_up_interruptible(&dev_priv->irq_queue);
28086 return IRQ_HANDLED;
28087 @@ -60,14 +60,14 @@ static int i830_emit_irq(struct drm_devi
28089 DRM_DEBUG("%s\n", __func__);
28091 - atomic_inc(&dev_priv->irq_emitted);
28092 + atomic_inc_unchecked(&dev_priv->irq_emitted);
28096 OUT_RING(GFX_OP_USER_INTERRUPT);
28099 - return atomic_read(&dev_priv->irq_emitted);
28100 + return atomic_read_unchecked(&dev_priv->irq_emitted);
28103 static int i830_wait_irq(struct drm_device * dev, int irq_nr)
28104 @@ -79,7 +79,7 @@ static int i830_wait_irq(struct drm_devi
28106 DRM_DEBUG("%s\n", __func__);
28108 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
28109 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
28112 dev_priv->sarea_priv->perf_boxes |= I830_BOX_WAIT;
28113 @@ -88,7 +88,7 @@ static int i830_wait_irq(struct drm_devi
28116 __set_current_state(TASK_INTERRUPTIBLE);
28117 - if (atomic_read(&dev_priv->irq_received) >= irq_nr)
28118 + if (atomic_read_unchecked(&dev_priv->irq_received) >= irq_nr)
28120 if ((signed)(end - jiffies) <= 0) {
28121 DRM_ERROR("timeout iir %x imr %x ier %x hwstam %x\n",
28122 @@ -163,8 +163,8 @@ void i830_driver_irq_preinstall(struct d
28123 I830_WRITE16(I830REG_HWSTAM, 0xffff);
28124 I830_WRITE16(I830REG_INT_MASK_R, 0x0);
28125 I830_WRITE16(I830REG_INT_ENABLE_R, 0x0);
28126 - atomic_set(&dev_priv->irq_received, 0);
28127 - atomic_set(&dev_priv->irq_emitted, 0);
28128 + atomic_set_unchecked(&dev_priv->irq_received, 0);
28129 + atomic_set_unchecked(&dev_priv->irq_emitted, 0);
28130 init_waitqueue_head(&dev_priv->irq_queue);
28133 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ch7017.c
28134 --- linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-27 14:31:47.000000000 -0400
28135 +++ linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ch7017.c 2011-04-17 15:56:46.000000000 -0400
28136 @@ -443,7 +443,7 @@ static void ch7017_destroy(struct intel_
28140 -struct intel_dvo_dev_ops ch7017_ops = {
28141 +const struct intel_dvo_dev_ops ch7017_ops = {
28142 .init = ch7017_init,
28143 .detect = ch7017_detect,
28144 .mode_valid = ch7017_mode_valid,
28145 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ch7xxx.c
28146 --- linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-27 14:31:47.000000000 -0400
28147 +++ linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-04-17 15:56:46.000000000 -0400
28148 @@ -356,7 +356,7 @@ static void ch7xxx_destroy(struct intel_
28152 -struct intel_dvo_dev_ops ch7xxx_ops = {
28153 +const struct intel_dvo_dev_ops ch7xxx_ops = {
28154 .init = ch7xxx_init,
28155 .detect = ch7xxx_detect,
28156 .mode_valid = ch7xxx_mode_valid,
28157 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i915/dvo.h linux-2.6.32.42/drivers/gpu/drm/i915/dvo.h
28158 --- linux-2.6.32.42/drivers/gpu/drm/i915/dvo.h 2011-03-27 14:31:47.000000000 -0400
28159 +++ linux-2.6.32.42/drivers/gpu/drm/i915/dvo.h 2011-04-17 15:56:46.000000000 -0400
28160 @@ -135,23 +135,23 @@ struct intel_dvo_dev_ops {
28162 * \return singly-linked list of modes or NULL if no modes found.
28164 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
28165 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
28168 * Clean up driver-specific bits of the output
28170 - void (*destroy) (struct intel_dvo_device *dvo);
28171 + void (* const destroy) (struct intel_dvo_device *dvo);
28174 * Debugging hook to dump device registers to log file
28176 - void (*dump_regs)(struct intel_dvo_device *dvo);
28177 + void (* const dump_regs)(struct intel_dvo_device *dvo);
28180 -extern struct intel_dvo_dev_ops sil164_ops;
28181 -extern struct intel_dvo_dev_ops ch7xxx_ops;
28182 -extern struct intel_dvo_dev_ops ivch_ops;
28183 -extern struct intel_dvo_dev_ops tfp410_ops;
28184 -extern struct intel_dvo_dev_ops ch7017_ops;
28185 +extern const struct intel_dvo_dev_ops sil164_ops;
28186 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
28187 +extern const struct intel_dvo_dev_ops ivch_ops;
28188 +extern const struct intel_dvo_dev_ops tfp410_ops;
28189 +extern const struct intel_dvo_dev_ops ch7017_ops;
28191 #endif /* _INTEL_DVO_H */
28192 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ivch.c
28193 --- linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-27 14:31:47.000000000 -0400
28194 +++ linux-2.6.32.42/drivers/gpu/drm/i915/dvo_ivch.c 2011-04-17 15:56:46.000000000 -0400
28195 @@ -430,7 +430,7 @@ static void ivch_destroy(struct intel_dv
28199 -struct intel_dvo_dev_ops ivch_ops= {
28200 +const struct intel_dvo_dev_ops ivch_ops= {
28204 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.32.42/drivers/gpu/drm/i915/dvo_sil164.c
28205 --- linux-2.6.32.42/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-27 14:31:47.000000000 -0400
28206 +++ linux-2.6.32.42/drivers/gpu/drm/i915/dvo_sil164.c 2011-04-17 15:56:46.000000000 -0400
28207 @@ -290,7 +290,7 @@ static void sil164_destroy(struct intel_
28211 -struct intel_dvo_dev_ops sil164_ops = {
28212 +const struct intel_dvo_dev_ops sil164_ops = {
28213 .init = sil164_init,
28214 .detect = sil164_detect,
28215 .mode_valid = sil164_mode_valid,
28216 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.32.42/drivers/gpu/drm/i915/dvo_tfp410.c
28217 --- linux-2.6.32.42/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-27 14:31:47.000000000 -0400
28218 +++ linux-2.6.32.42/drivers/gpu/drm/i915/dvo_tfp410.c 2011-04-17 15:56:46.000000000 -0400
28219 @@ -323,7 +323,7 @@ static void tfp410_destroy(struct intel_
28223 -struct intel_dvo_dev_ops tfp410_ops = {
28224 +const struct intel_dvo_dev_ops tfp410_ops = {
28225 .init = tfp410_init,
28226 .detect = tfp410_detect,
28227 .mode_valid = tfp410_mode_valid,
28228 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i915/i915_debugfs.c linux-2.6.32.42/drivers/gpu/drm/i915/i915_debugfs.c
28229 --- linux-2.6.32.42/drivers/gpu/drm/i915/i915_debugfs.c 2011-03-27 14:31:47.000000000 -0400
28230 +++ linux-2.6.32.42/drivers/gpu/drm/i915/i915_debugfs.c 2011-05-04 17:56:28.000000000 -0400
28231 @@ -192,7 +192,7 @@ static int i915_interrupt_info(struct se
28234 seq_printf(m, "Interrupts received: %d\n",
28235 - atomic_read(&dev_priv->irq_received));
28236 + atomic_read_unchecked(&dev_priv->irq_received));
28237 if (dev_priv->hw_status_page != NULL) {
28238 seq_printf(m, "Current sequence: %d\n",
28239 i915_get_gem_seqno(dev));
28240 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i915/i915_drv.c linux-2.6.32.42/drivers/gpu/drm/i915/i915_drv.c
28241 --- linux-2.6.32.42/drivers/gpu/drm/i915/i915_drv.c 2011-03-27 14:31:47.000000000 -0400
28242 +++ linux-2.6.32.42/drivers/gpu/drm/i915/i915_drv.c 2011-04-17 15:56:46.000000000 -0400
28243 @@ -285,7 +285,7 @@ i915_pci_resume(struct pci_dev *pdev)
28244 return i915_resume(dev);
28247 -static struct vm_operations_struct i915_gem_vm_ops = {
28248 +static const struct vm_operations_struct i915_gem_vm_ops = {
28249 .fault = i915_gem_fault,
28250 .open = drm_gem_vm_open,
28251 .close = drm_gem_vm_close,
28252 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i915/i915_drv.h linux-2.6.32.42/drivers/gpu/drm/i915/i915_drv.h
28253 --- linux-2.6.32.42/drivers/gpu/drm/i915/i915_drv.h 2011-03-27 14:31:47.000000000 -0400
28254 +++ linux-2.6.32.42/drivers/gpu/drm/i915/i915_drv.h 2011-05-04 17:56:28.000000000 -0400
28255 @@ -197,7 +197,7 @@ typedef struct drm_i915_private {
28258 wait_queue_head_t irq_queue;
28259 - atomic_t irq_received;
28260 + atomic_unchecked_t irq_received;
28261 /** Protects user_irq_refcount and irq_mask_reg */
28262 spinlock_t user_irq_lock;
28263 /** Refcount for i915_user_irq_get() versus i915_user_irq_put(). */
28264 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i915/i915_gem.c linux-2.6.32.42/drivers/gpu/drm/i915/i915_gem.c
28265 --- linux-2.6.32.42/drivers/gpu/drm/i915/i915_gem.c 2011-03-27 14:31:47.000000000 -0400
28266 +++ linux-2.6.32.42/drivers/gpu/drm/i915/i915_gem.c 2011-04-17 15:56:46.000000000 -0400
28267 @@ -102,7 +102,7 @@ i915_gem_get_aperture_ioctl(struct drm_d
28269 args->aper_size = dev->gtt_total;
28270 args->aper_available_size = (args->aper_size -
28271 - atomic_read(&dev->pin_memory));
28272 + atomic_read_unchecked(&dev->pin_memory));
28276 @@ -492,6 +492,11 @@ i915_gem_pread_ioctl(struct drm_device *
28280 + if (!access_ok(VERIFY_WRITE, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
28281 + drm_gem_object_unreference(obj);
28285 if (i915_gem_object_needs_bit17_swizzle(obj)) {
28286 ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv);
28288 @@ -965,6 +970,11 @@ i915_gem_pwrite_ioctl(struct drm_device
28292 + if (!access_ok(VERIFY_READ, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
28293 + drm_gem_object_unreference(obj);
28297 /* We can only do the GTT pwrite on untiled buffers, as otherwise
28298 * it would end up going through the fenced access, and we'll get
28299 * different detiling behavior between reading and writing.
28300 @@ -2054,7 +2064,7 @@ i915_gem_object_unbind(struct drm_gem_ob
28302 if (obj_priv->gtt_space) {
28303 atomic_dec(&dev->gtt_count);
28304 - atomic_sub(obj->size, &dev->gtt_memory);
28305 + atomic_sub_unchecked(obj->size, &dev->gtt_memory);
28307 drm_mm_put_block(obj_priv->gtt_space);
28308 obj_priv->gtt_space = NULL;
28309 @@ -2697,7 +2707,7 @@ i915_gem_object_bind_to_gtt(struct drm_g
28312 atomic_inc(&dev->gtt_count);
28313 - atomic_add(obj->size, &dev->gtt_memory);
28314 + atomic_add_unchecked(obj->size, &dev->gtt_memory);
28316 /* Assert that the object is not currently in any GPU domain. As it
28317 * wasn't in the GTT, there shouldn't be any way it could have been in
28318 @@ -3751,9 +3761,9 @@ i915_gem_execbuffer(struct drm_device *d
28319 "%d/%d gtt bytes\n",
28320 atomic_read(&dev->object_count),
28321 atomic_read(&dev->pin_count),
28322 - atomic_read(&dev->object_memory),
28323 - atomic_read(&dev->pin_memory),
28324 - atomic_read(&dev->gtt_memory),
28325 + atomic_read_unchecked(&dev->object_memory),
28326 + atomic_read_unchecked(&dev->pin_memory),
28327 + atomic_read_unchecked(&dev->gtt_memory),
28331 @@ -3985,7 +3995,7 @@ i915_gem_object_pin(struct drm_gem_objec
28333 if (obj_priv->pin_count == 1) {
28334 atomic_inc(&dev->pin_count);
28335 - atomic_add(obj->size, &dev->pin_memory);
28336 + atomic_add_unchecked(obj->size, &dev->pin_memory);
28337 if (!obj_priv->active &&
28338 (obj->write_domain & I915_GEM_GPU_DOMAINS) == 0 &&
28339 !list_empty(&obj_priv->list))
28340 @@ -4018,7 +4028,7 @@ i915_gem_object_unpin(struct drm_gem_obj
28341 list_move_tail(&obj_priv->list,
28342 &dev_priv->mm.inactive_list);
28343 atomic_dec(&dev->pin_count);
28344 - atomic_sub(obj->size, &dev->pin_memory);
28345 + atomic_sub_unchecked(obj->size, &dev->pin_memory);
28347 i915_verify_inactive(dev, __FILE__, __LINE__);
28349 diff -urNp linux-2.6.32.42/drivers/gpu/drm/i915/i915_irq.c linux-2.6.32.42/drivers/gpu/drm/i915/i915_irq.c
28350 --- linux-2.6.32.42/drivers/gpu/drm/i915/i915_irq.c 2011-03-27 14:31:47.000000000 -0400
28351 +++ linux-2.6.32.42/drivers/gpu/drm/i915/i915_irq.c 2011-05-04 17:56:28.000000000 -0400
28352 @@ -528,7 +528,7 @@ irqreturn_t i915_driver_irq_handler(DRM_
28354 int ret = IRQ_NONE;
28356 - atomic_inc(&dev_priv->irq_received);
28357 + atomic_inc_unchecked(&dev_priv->irq_received);
28360 return igdng_irq_handler(dev);
28361 @@ -1021,7 +1021,7 @@ void i915_driver_irq_preinstall(struct d
28363 drm_i915_private_t *dev_priv = (drm_i915_private_t *) dev->dev_private;
28365 - atomic_set(&dev_priv->irq_received, 0);
28366 + atomic_set_unchecked(&dev_priv->irq_received, 0);
28368 INIT_WORK(&dev_priv->hotplug_work, i915_hotplug_work_func);
28369 INIT_WORK(&dev_priv->error_work, i915_error_work_func);
28370 diff -urNp linux-2.6.32.42/drivers/gpu/drm/mga/mga_drv.h linux-2.6.32.42/drivers/gpu/drm/mga/mga_drv.h
28371 --- linux-2.6.32.42/drivers/gpu/drm/mga/mga_drv.h 2011-03-27 14:31:47.000000000 -0400
28372 +++ linux-2.6.32.42/drivers/gpu/drm/mga/mga_drv.h 2011-05-04 17:56:28.000000000 -0400
28373 @@ -120,9 +120,9 @@ typedef struct drm_mga_private {
28377 - atomic_t vbl_received; /**< Number of vblanks received. */
28378 + atomic_unchecked_t vbl_received; /**< Number of vblanks received. */
28379 wait_queue_head_t fence_queue;
28380 - atomic_t last_fence_retired;
28381 + atomic_unchecked_t last_fence_retired;
28382 u32 next_fence_to_post;
28384 unsigned int fb_cpp;
28385 diff -urNp linux-2.6.32.42/drivers/gpu/drm/mga/mga_irq.c linux-2.6.32.42/drivers/gpu/drm/mga/mga_irq.c
28386 --- linux-2.6.32.42/drivers/gpu/drm/mga/mga_irq.c 2011-03-27 14:31:47.000000000 -0400
28387 +++ linux-2.6.32.42/drivers/gpu/drm/mga/mga_irq.c 2011-05-04 17:56:28.000000000 -0400
28388 @@ -44,7 +44,7 @@ u32 mga_get_vblank_counter(struct drm_de
28392 - return atomic_read(&dev_priv->vbl_received);
28393 + return atomic_read_unchecked(&dev_priv->vbl_received);
28397 @@ -60,7 +60,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
28398 /* VBLANK interrupt */
28399 if (status & MGA_VLINEPEN) {
28400 MGA_WRITE(MGA_ICLEAR, MGA_VLINEICLR);
28401 - atomic_inc(&dev_priv->vbl_received);
28402 + atomic_inc_unchecked(&dev_priv->vbl_received);
28403 drm_handle_vblank(dev, 0);
28406 @@ -80,7 +80,7 @@ irqreturn_t mga_driver_irq_handler(DRM_I
28407 MGA_WRITE(MGA_PRIMEND, prim_end);
28410 - atomic_inc(&dev_priv->last_fence_retired);
28411 + atomic_inc_unchecked(&dev_priv->last_fence_retired);
28412 DRM_WAKEUP(&dev_priv->fence_queue);
28415 @@ -131,7 +131,7 @@ int mga_driver_fence_wait(struct drm_dev
28418 DRM_WAIT_ON(ret, dev_priv->fence_queue, 3 * DRM_HZ,
28419 - (((cur_fence = atomic_read(&dev_priv->last_fence_retired))
28420 + (((cur_fence = atomic_read_unchecked(&dev_priv->last_fence_retired))
28421 - *sequence) <= (1 << 23)));
28423 *sequence = cur_fence;
28424 diff -urNp linux-2.6.32.42/drivers/gpu/drm/r128/r128_cce.c linux-2.6.32.42/drivers/gpu/drm/r128/r128_cce.c
28425 --- linux-2.6.32.42/drivers/gpu/drm/r128/r128_cce.c 2011-03-27 14:31:47.000000000 -0400
28426 +++ linux-2.6.32.42/drivers/gpu/drm/r128/r128_cce.c 2011-05-04 17:56:28.000000000 -0400
28427 @@ -377,7 +377,7 @@ static int r128_do_init_cce(struct drm_d
28429 /* GH: Simple idle check.
28431 - atomic_set(&dev_priv->idle_count, 0);
28432 + atomic_set_unchecked(&dev_priv->idle_count, 0);
28434 /* We don't support anything other than bus-mastering ring mode,
28435 * but the ring can be in either AGP or PCI space for the ring
28436 diff -urNp linux-2.6.32.42/drivers/gpu/drm/r128/r128_drv.h linux-2.6.32.42/drivers/gpu/drm/r128/r128_drv.h
28437 --- linux-2.6.32.42/drivers/gpu/drm/r128/r128_drv.h 2011-03-27 14:31:47.000000000 -0400
28438 +++ linux-2.6.32.42/drivers/gpu/drm/r128/r128_drv.h 2011-05-04 17:56:28.000000000 -0400
28439 @@ -90,14 +90,14 @@ typedef struct drm_r128_private {
28441 unsigned long cce_buffers_offset;
28443 - atomic_t idle_count;
28444 + atomic_unchecked_t idle_count;
28449 u32 crtc_offset_cntl;
28451 - atomic_t vbl_received;
28452 + atomic_unchecked_t vbl_received;
28455 unsigned int front_offset;
28456 diff -urNp linux-2.6.32.42/drivers/gpu/drm/r128/r128_irq.c linux-2.6.32.42/drivers/gpu/drm/r128/r128_irq.c
28457 --- linux-2.6.32.42/drivers/gpu/drm/r128/r128_irq.c 2011-03-27 14:31:47.000000000 -0400
28458 +++ linux-2.6.32.42/drivers/gpu/drm/r128/r128_irq.c 2011-05-04 17:56:28.000000000 -0400
28459 @@ -42,7 +42,7 @@ u32 r128_get_vblank_counter(struct drm_d
28463 - return atomic_read(&dev_priv->vbl_received);
28464 + return atomic_read_unchecked(&dev_priv->vbl_received);
28467 irqreturn_t r128_driver_irq_handler(DRM_IRQ_ARGS)
28468 @@ -56,7 +56,7 @@ irqreturn_t r128_driver_irq_handler(DRM_
28469 /* VBLANK interrupt */
28470 if (status & R128_CRTC_VBLANK_INT) {
28471 R128_WRITE(R128_GEN_INT_STATUS, R128_CRTC_VBLANK_INT_AK);
28472 - atomic_inc(&dev_priv->vbl_received);
28473 + atomic_inc_unchecked(&dev_priv->vbl_received);
28474 drm_handle_vblank(dev, 0);
28475 return IRQ_HANDLED;
28477 diff -urNp linux-2.6.32.42/drivers/gpu/drm/r128/r128_state.c linux-2.6.32.42/drivers/gpu/drm/r128/r128_state.c
28478 --- linux-2.6.32.42/drivers/gpu/drm/r128/r128_state.c 2011-03-27 14:31:47.000000000 -0400
28479 +++ linux-2.6.32.42/drivers/gpu/drm/r128/r128_state.c 2011-05-04 17:56:28.000000000 -0400
28480 @@ -323,10 +323,10 @@ static void r128_clear_box(drm_r128_priv
28482 static void r128_cce_performance_boxes(drm_r128_private_t * dev_priv)
28484 - if (atomic_read(&dev_priv->idle_count) == 0) {
28485 + if (atomic_read_unchecked(&dev_priv->idle_count) == 0) {
28486 r128_clear_box(dev_priv, 64, 4, 8, 8, 0, 255, 0);
28488 - atomic_set(&dev_priv->idle_count, 0);
28489 + atomic_set_unchecked(&dev_priv->idle_count, 0);
28493 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/atom.c linux-2.6.32.42/drivers/gpu/drm/radeon/atom.c
28494 --- linux-2.6.32.42/drivers/gpu/drm/radeon/atom.c 2011-05-10 22:12:01.000000000 -0400
28495 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/atom.c 2011-05-16 21:46:57.000000000 -0400
28496 @@ -1115,6 +1115,8 @@ struct atom_context *atom_parse(struct c
28500 + pax_track_stack();
28505 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.32.42/drivers/gpu/drm/radeon/mkregtable.c
28506 --- linux-2.6.32.42/drivers/gpu/drm/radeon/mkregtable.c 2011-03-27 14:31:47.000000000 -0400
28507 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/mkregtable.c 2011-04-17 15:56:46.000000000 -0400
28508 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
28510 regmatch_t match[4];
28518 struct offset *offset;
28519 char last_reg_s[10];
28521 + unsigned long last_reg;
28524 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
28525 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_atombios.c linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_atombios.c
28526 --- linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_atombios.c 2011-03-27 14:31:47.000000000 -0400
28527 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_atombios.c 2011-05-16 21:46:57.000000000 -0400
28528 @@ -275,6 +275,8 @@ bool radeon_get_atom_connector_info_from
28530 struct radeon_i2c_bus_rec ddc_bus;
28532 + pax_track_stack();
28534 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
28536 if (data_offset == 0)
28537 @@ -520,13 +522,13 @@ static uint16_t atombios_get_connector_o
28541 -struct bios_connector {
28542 +static struct bios_connector {
28546 int connector_type;
28547 struct radeon_i2c_bus_rec ddc_bus;
28549 +} bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
28551 bool radeon_get_atom_connector_info_from_supported_devices_table(struct
28553 @@ -542,7 +544,6 @@ bool radeon_get_atom_connector_info_from
28555 union atom_supported_devices *supported_devices;
28557 - struct bios_connector bios_connectors[ATOM_MAX_SUPPORTED_DEVICE];
28559 atom_parse_data_header(ctx, index, &size, &frev, &crev, &data_offset);
28561 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_display.c
28562 --- linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_display.c 2011-03-27 14:31:47.000000000 -0400
28563 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_display.c 2011-04-17 15:56:46.000000000 -0400
28564 @@ -482,7 +482,7 @@ void radeon_compute_pll(struct radeon_pl
28566 if (flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
28567 error = freq - current_freq;
28568 - error = error < 0 ? 0xffffffff : error;
28569 + error = (int32_t)error < 0 ? 0xffffffff : error;
28571 error = abs(current_freq - freq);
28572 vco_diff = abs(vco - best_vco);
28573 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_drv.h linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_drv.h
28574 --- linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_drv.h 2011-03-27 14:31:47.000000000 -0400
28575 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_drv.h 2011-05-04 17:56:28.000000000 -0400
28576 @@ -253,7 +253,7 @@ typedef struct drm_radeon_private {
28579 wait_queue_head_t swi_queue;
28580 - atomic_t swi_emitted;
28581 + atomic_unchecked_t swi_emitted;
28583 uint32_t irq_enable_reg;
28584 uint32_t r500_disp_irq_reg;
28585 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_fence.c linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_fence.c
28586 --- linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_fence.c 2011-03-27 14:31:47.000000000 -0400
28587 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_fence.c 2011-05-04 17:56:28.000000000 -0400
28588 @@ -47,7 +47,7 @@ int radeon_fence_emit(struct radeon_devi
28589 write_unlock_irqrestore(&rdev->fence_drv.lock, irq_flags);
28592 - fence->seq = atomic_add_return(1, &rdev->fence_drv.seq);
28593 + fence->seq = atomic_add_return_unchecked(1, &rdev->fence_drv.seq);
28594 if (!rdev->cp.ready) {
28595 /* FIXME: cp is not running assume everythings is done right
28597 @@ -364,7 +364,7 @@ int radeon_fence_driver_init(struct rade
28600 WREG32(rdev->fence_drv.scratch_reg, 0);
28601 - atomic_set(&rdev->fence_drv.seq, 0);
28602 + atomic_set_unchecked(&rdev->fence_drv.seq, 0);
28603 INIT_LIST_HEAD(&rdev->fence_drv.created);
28604 INIT_LIST_HEAD(&rdev->fence_drv.emited);
28605 INIT_LIST_HEAD(&rdev->fence_drv.signaled);
28606 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/radeon.h linux-2.6.32.42/drivers/gpu/drm/radeon/radeon.h
28607 --- linux-2.6.32.42/drivers/gpu/drm/radeon/radeon.h 2011-03-27 14:31:47.000000000 -0400
28608 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/radeon.h 2011-05-04 17:56:28.000000000 -0400
28609 @@ -149,7 +149,7 @@ int radeon_pm_init(struct radeon_device
28611 struct radeon_fence_driver {
28612 uint32_t scratch_reg;
28614 + atomic_unchecked_t seq;
28616 unsigned long count_timeout;
28617 wait_queue_head_t queue;
28618 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_ioc32.c linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_ioc32.c
28619 --- linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-03-27 14:31:47.000000000 -0400
28620 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_ioc32.c 2011-04-23 13:57:24.000000000 -0400
28621 @@ -368,7 +368,7 @@ static int compat_radeon_cp_setparam(str
28622 request = compat_alloc_user_space(sizeof(*request));
28623 if (!access_ok(VERIFY_WRITE, request, sizeof(*request))
28624 || __put_user(req32.param, &request->param)
28625 - || __put_user((void __user *)(unsigned long)req32.value,
28626 + || __put_user((unsigned long)req32.value,
28630 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_irq.c linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_irq.c
28631 --- linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_irq.c 2011-03-27 14:31:47.000000000 -0400
28632 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_irq.c 2011-05-04 17:56:28.000000000 -0400
28633 @@ -225,8 +225,8 @@ static int radeon_emit_irq(struct drm_de
28637 - atomic_inc(&dev_priv->swi_emitted);
28638 - ret = atomic_read(&dev_priv->swi_emitted);
28639 + atomic_inc_unchecked(&dev_priv->swi_emitted);
28640 + ret = atomic_read_unchecked(&dev_priv->swi_emitted);
28643 OUT_RING_REG(RADEON_LAST_SWI_REG, ret);
28644 @@ -352,7 +352,7 @@ int radeon_driver_irq_postinstall(struct
28645 drm_radeon_private_t *dev_priv =
28646 (drm_radeon_private_t *) dev->dev_private;
28648 - atomic_set(&dev_priv->swi_emitted, 0);
28649 + atomic_set_unchecked(&dev_priv->swi_emitted, 0);
28650 DRM_INIT_WAITQUEUE(&dev_priv->swi_queue);
28652 dev->max_vblank_count = 0x001fffff;
28653 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_state.c
28654 --- linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_state.c 2011-03-27 14:31:47.000000000 -0400
28655 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_state.c 2011-04-17 15:56:46.000000000 -0400
28656 @@ -3021,7 +3021,7 @@ static int radeon_cp_getparam(struct drm
28658 drm_radeon_private_t *dev_priv = dev->dev_private;
28659 drm_radeon_getparam_t *param = data;
28663 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
28665 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_ttm.c
28666 --- linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-27 14:31:47.000000000 -0400
28667 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/radeon_ttm.c 2011-04-17 15:56:46.000000000 -0400
28668 @@ -535,27 +535,10 @@ void radeon_ttm_fini(struct radeon_devic
28669 DRM_INFO("radeon: ttm finalized\n");
28672 -static struct vm_operations_struct radeon_ttm_vm_ops;
28673 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
28675 -static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
28677 - struct ttm_buffer_object *bo;
28680 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
28681 - if (bo == NULL) {
28682 - return VM_FAULT_NOPAGE;
28684 - r = ttm_vm_ops->fault(vma, vmf);
28688 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
28690 struct drm_file *file_priv;
28691 struct radeon_device *rdev;
28694 if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) {
28695 return drm_mmap(filp, vma);
28696 @@ -563,20 +546,9 @@ int radeon_mmap(struct file *filp, struc
28698 file_priv = (struct drm_file *)filp->private_data;
28699 rdev = file_priv->minor->dev->dev_private;
28700 - if (rdev == NULL) {
28704 - r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
28705 - if (unlikely(r != 0)) {
28708 - if (unlikely(ttm_vm_ops == NULL)) {
28709 - ttm_vm_ops = vma->vm_ops;
28710 - radeon_ttm_vm_ops = *ttm_vm_ops;
28711 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
28713 - vma->vm_ops = &radeon_ttm_vm_ops;
28715 + return ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
28719 diff -urNp linux-2.6.32.42/drivers/gpu/drm/radeon/rs690.c linux-2.6.32.42/drivers/gpu/drm/radeon/rs690.c
28720 --- linux-2.6.32.42/drivers/gpu/drm/radeon/rs690.c 2011-03-27 14:31:47.000000000 -0400
28721 +++ linux-2.6.32.42/drivers/gpu/drm/radeon/rs690.c 2011-04-17 15:56:46.000000000 -0400
28722 @@ -302,9 +302,11 @@ void rs690_crtc_bandwidth_compute(struct
28723 if (rdev->pm.max_bandwidth.full > rdev->pm.sideport_bandwidth.full &&
28724 rdev->pm.sideport_bandwidth.full)
28725 rdev->pm.max_bandwidth = rdev->pm.sideport_bandwidth;
28726 - read_delay_latency.full = rfixed_const(370 * 800 * 1000);
28727 + read_delay_latency.full = rfixed_const(800 * 1000);
28728 read_delay_latency.full = rfixed_div(read_delay_latency,
28729 rdev->pm.igp_sideport_mclk);
28730 + a.full = rfixed_const(370);
28731 + read_delay_latency.full = rfixed_mul(read_delay_latency, a);
28733 if (rdev->pm.max_bandwidth.full > rdev->pm.k8_bandwidth.full &&
28734 rdev->pm.k8_bandwidth.full)
28735 diff -urNp linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_bo.c
28736 --- linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_bo.c 2011-03-27 14:31:47.000000000 -0400
28737 +++ linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_bo.c 2011-04-23 12:56:11.000000000 -0400
28738 @@ -67,7 +67,7 @@ static struct attribute *ttm_bo_global_a
28742 -static struct sysfs_ops ttm_bo_global_ops = {
28743 +static const struct sysfs_ops ttm_bo_global_ops = {
28744 .show = &ttm_bo_global_show
28747 diff -urNp linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_bo_vm.c
28748 --- linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-27 14:31:47.000000000 -0400
28749 +++ linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-04-17 15:56:46.000000000 -0400
28750 @@ -73,7 +73,7 @@ static int ttm_bo_vm_fault(struct vm_are
28752 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
28753 vma->vm_private_data;
28754 - struct ttm_bo_device *bdev = bo->bdev;
28755 + struct ttm_bo_device *bdev;
28756 unsigned long bus_base;
28757 unsigned long bus_offset;
28758 unsigned long bus_size;
28759 @@ -88,6 +88,10 @@ static int ttm_bo_vm_fault(struct vm_are
28760 unsigned long address = (unsigned long)vmf->virtual_address;
28761 int retval = VM_FAULT_NOPAGE;
28764 + return VM_FAULT_NOPAGE;
28768 * Work around locking order reversal in fault / nopfn
28769 * between mmap_sem and bo_reserve: Perform a trylock operation
28770 diff -urNp linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_global.c
28771 --- linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_global.c 2011-03-27 14:31:47.000000000 -0400
28772 +++ linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_global.c 2011-04-17 15:56:46.000000000 -0400
28774 struct ttm_global_item {
28775 struct mutex mutex;
28778 + atomic_t refcount;
28781 static struct ttm_global_item glob[TTM_GLOBAL_NUM];
28782 @@ -49,7 +49,7 @@ void ttm_global_init(void)
28783 struct ttm_global_item *item = &glob[i];
28784 mutex_init(&item->mutex);
28785 item->object = NULL;
28786 - item->refcount = 0;
28787 + atomic_set(&item->refcount, 0);
28791 @@ -59,7 +59,7 @@ void ttm_global_release(void)
28792 for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
28793 struct ttm_global_item *item = &glob[i];
28794 BUG_ON(item->object != NULL);
28795 - BUG_ON(item->refcount != 0);
28796 + BUG_ON(atomic_read(&item->refcount) != 0);
28800 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
28803 mutex_lock(&item->mutex);
28804 - if (item->refcount == 0) {
28805 + if (atomic_read(&item->refcount) == 0) {
28806 item->object = kzalloc(ref->size, GFP_KERNEL);
28807 if (unlikely(item->object == NULL)) {
28809 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
28813 - ++item->refcount;
28814 + atomic_inc(&item->refcount);
28815 ref->object = item->object;
28816 object = item->object;
28817 mutex_unlock(&item->mutex);
28818 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
28819 struct ttm_global_item *item = &glob[ref->global_type];
28821 mutex_lock(&item->mutex);
28822 - BUG_ON(item->refcount == 0);
28823 + BUG_ON(atomic_read(&item->refcount) == 0);
28824 BUG_ON(ref->object != item->object);
28825 - if (--item->refcount == 0) {
28826 + if (atomic_dec_and_test(&item->refcount)) {
28828 item->object = NULL;
28830 diff -urNp linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_memory.c linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_memory.c
28831 --- linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_memory.c 2011-03-27 14:31:47.000000000 -0400
28832 +++ linux-2.6.32.42/drivers/gpu/drm/ttm/ttm_memory.c 2011-04-17 15:56:46.000000000 -0400
28833 @@ -152,7 +152,7 @@ static struct attribute *ttm_mem_zone_at
28837 -static struct sysfs_ops ttm_mem_zone_ops = {
28838 +static const struct sysfs_ops ttm_mem_zone_ops = {
28839 .show = &ttm_mem_zone_show,
28840 .store = &ttm_mem_zone_store
28842 diff -urNp linux-2.6.32.42/drivers/gpu/drm/via/via_drv.h linux-2.6.32.42/drivers/gpu/drm/via/via_drv.h
28843 --- linux-2.6.32.42/drivers/gpu/drm/via/via_drv.h 2011-03-27 14:31:47.000000000 -0400
28844 +++ linux-2.6.32.42/drivers/gpu/drm/via/via_drv.h 2011-05-04 17:56:28.000000000 -0400
28845 @@ -51,7 +51,7 @@ typedef struct drm_via_ring_buffer {
28846 typedef uint32_t maskarray_t[5];
28848 typedef struct drm_via_irq {
28849 - atomic_t irq_received;
28850 + atomic_unchecked_t irq_received;
28851 uint32_t pending_mask;
28852 uint32_t enable_mask;
28853 wait_queue_head_t irq_queue;
28854 @@ -75,7 +75,7 @@ typedef struct drm_via_private {
28855 struct timeval last_vblank;
28856 int last_vblank_valid;
28857 unsigned usec_per_vblank;
28858 - atomic_t vbl_received;
28859 + atomic_unchecked_t vbl_received;
28860 drm_via_state_t hc_state;
28861 char pci_buf[VIA_PCI_BUF_SIZE];
28862 const uint32_t *fire_offsets[VIA_FIRE_BUF_SIZE];
28863 diff -urNp linux-2.6.32.42/drivers/gpu/drm/via/via_irq.c linux-2.6.32.42/drivers/gpu/drm/via/via_irq.c
28864 --- linux-2.6.32.42/drivers/gpu/drm/via/via_irq.c 2011-03-27 14:31:47.000000000 -0400
28865 +++ linux-2.6.32.42/drivers/gpu/drm/via/via_irq.c 2011-05-04 17:56:28.000000000 -0400
28866 @@ -102,7 +102,7 @@ u32 via_get_vblank_counter(struct drm_de
28870 - return atomic_read(&dev_priv->vbl_received);
28871 + return atomic_read_unchecked(&dev_priv->vbl_received);
28874 irqreturn_t via_driver_irq_handler(DRM_IRQ_ARGS)
28875 @@ -117,8 +117,8 @@ irqreturn_t via_driver_irq_handler(DRM_I
28877 status = VIA_READ(VIA_REG_INTERRUPT);
28878 if (status & VIA_IRQ_VBLANK_PENDING) {
28879 - atomic_inc(&dev_priv->vbl_received);
28880 - if (!(atomic_read(&dev_priv->vbl_received) & 0x0F)) {
28881 + atomic_inc_unchecked(&dev_priv->vbl_received);
28882 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0x0F)) {
28883 do_gettimeofday(&cur_vblank);
28884 if (dev_priv->last_vblank_valid) {
28885 dev_priv->usec_per_vblank =
28886 @@ -128,7 +128,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
28887 dev_priv->last_vblank = cur_vblank;
28888 dev_priv->last_vblank_valid = 1;
28890 - if (!(atomic_read(&dev_priv->vbl_received) & 0xFF)) {
28891 + if (!(atomic_read_unchecked(&dev_priv->vbl_received) & 0xFF)) {
28892 DRM_DEBUG("US per vblank is: %u\n",
28893 dev_priv->usec_per_vblank);
28895 @@ -138,7 +138,7 @@ irqreturn_t via_driver_irq_handler(DRM_I
28897 for (i = 0; i < dev_priv->num_irqs; ++i) {
28898 if (status & cur_irq->pending_mask) {
28899 - atomic_inc(&cur_irq->irq_received);
28900 + atomic_inc_unchecked(&cur_irq->irq_received);
28901 DRM_WAKEUP(&cur_irq->irq_queue);
28903 if (dev_priv->irq_map[drm_via_irq_dma0_td] == i) {
28904 @@ -244,11 +244,11 @@ via_driver_irq_wait(struct drm_device *
28905 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
28906 ((VIA_READ(masks[irq][2]) & masks[irq][3]) ==
28908 - cur_irq_sequence = atomic_read(&cur_irq->irq_received);
28909 + cur_irq_sequence = atomic_read_unchecked(&cur_irq->irq_received);
28911 DRM_WAIT_ON(ret, cur_irq->irq_queue, 3 * DRM_HZ,
28912 (((cur_irq_sequence =
28913 - atomic_read(&cur_irq->irq_received)) -
28914 + atomic_read_unchecked(&cur_irq->irq_received)) -
28915 *sequence) <= (1 << 23)));
28917 *sequence = cur_irq_sequence;
28918 @@ -286,7 +286,7 @@ void via_driver_irq_preinstall(struct dr
28921 for (i = 0; i < dev_priv->num_irqs; ++i) {
28922 - atomic_set(&cur_irq->irq_received, 0);
28923 + atomic_set_unchecked(&cur_irq->irq_received, 0);
28924 cur_irq->enable_mask = dev_priv->irq_masks[i][0];
28925 cur_irq->pending_mask = dev_priv->irq_masks[i][1];
28926 DRM_INIT_WAITQUEUE(&cur_irq->irq_queue);
28927 @@ -368,7 +368,7 @@ int via_wait_irq(struct drm_device *dev,
28928 switch (irqwait->request.type & ~VIA_IRQ_FLAGS_MASK) {
28929 case VIA_IRQ_RELATIVE:
28930 irqwait->request.sequence +=
28931 - atomic_read(&cur_irq->irq_received);
28932 + atomic_read_unchecked(&cur_irq->irq_received);
28933 irqwait->request.type &= ~_DRM_VBLANK_RELATIVE;
28934 case VIA_IRQ_ABSOLUTE:
28936 diff -urNp linux-2.6.32.42/drivers/hid/hid-core.c linux-2.6.32.42/drivers/hid/hid-core.c
28937 --- linux-2.6.32.42/drivers/hid/hid-core.c 2011-05-10 22:12:01.000000000 -0400
28938 +++ linux-2.6.32.42/drivers/hid/hid-core.c 2011-05-10 22:12:32.000000000 -0400
28939 @@ -1752,7 +1752,7 @@ static bool hid_ignore(struct hid_device
28941 int hid_add_device(struct hid_device *hdev)
28943 - static atomic_t id = ATOMIC_INIT(0);
28944 + static atomic_unchecked_t id = ATOMIC_INIT(0);
28947 if (WARN_ON(hdev->status & HID_STAT_ADDED))
28948 @@ -1766,7 +1766,7 @@ int hid_add_device(struct hid_device *hd
28949 /* XXX hack, any other cleaner solution after the driver core
28950 * is converted to allow more than 20 bytes as the device name? */
28951 dev_set_name(&hdev->dev, "%04X:%04X:%04X.%04X", hdev->bus,
28952 - hdev->vendor, hdev->product, atomic_inc_return(&id));
28953 + hdev->vendor, hdev->product, atomic_inc_return_unchecked(&id));
28955 ret = device_add(&hdev->dev);
28957 diff -urNp linux-2.6.32.42/drivers/hid/usbhid/hiddev.c linux-2.6.32.42/drivers/hid/usbhid/hiddev.c
28958 --- linux-2.6.32.42/drivers/hid/usbhid/hiddev.c 2011-03-27 14:31:47.000000000 -0400
28959 +++ linux-2.6.32.42/drivers/hid/usbhid/hiddev.c 2011-04-17 15:56:46.000000000 -0400
28960 @@ -617,7 +617,7 @@ static long hiddev_ioctl(struct file *fi
28961 return put_user(HID_VERSION, (int __user *)arg);
28963 case HIDIOCAPPLICATION:
28964 - if (arg < 0 || arg >= hid->maxapplication)
28965 + if (arg >= hid->maxapplication)
28968 for (i = 0; i < hid->maxcollection; i++)
28969 diff -urNp linux-2.6.32.42/drivers/hwmon/lis3lv02d.c linux-2.6.32.42/drivers/hwmon/lis3lv02d.c
28970 --- linux-2.6.32.42/drivers/hwmon/lis3lv02d.c 2011-03-27 14:31:47.000000000 -0400
28971 +++ linux-2.6.32.42/drivers/hwmon/lis3lv02d.c 2011-05-04 17:56:28.000000000 -0400
28972 @@ -146,7 +146,7 @@ static irqreturn_t lis302dl_interrupt(in
28973 * the lid is closed. This leads to interrupts as soon as a little move
28976 - atomic_inc(&lis3_dev.count);
28977 + atomic_inc_unchecked(&lis3_dev.count);
28979 wake_up_interruptible(&lis3_dev.misc_wait);
28980 kill_fasync(&lis3_dev.async_queue, SIGIO, POLL_IN);
28981 @@ -160,7 +160,7 @@ static int lis3lv02d_misc_open(struct in
28982 if (test_and_set_bit(0, &lis3_dev.misc_opened))
28983 return -EBUSY; /* already open */
28985 - atomic_set(&lis3_dev.count, 0);
28986 + atomic_set_unchecked(&lis3_dev.count, 0);
28989 * The sensor can generate interrupts for free-fall and direction
28990 @@ -206,7 +206,7 @@ static ssize_t lis3lv02d_misc_read(struc
28991 add_wait_queue(&lis3_dev.misc_wait, &wait);
28993 set_current_state(TASK_INTERRUPTIBLE);
28994 - data = atomic_xchg(&lis3_dev.count, 0);
28995 + data = atomic_xchg_unchecked(&lis3_dev.count, 0);
28999 @@ -244,7 +244,7 @@ out:
29000 static unsigned int lis3lv02d_misc_poll(struct file *file, poll_table *wait)
29002 poll_wait(file, &lis3_dev.misc_wait, wait);
29003 - if (atomic_read(&lis3_dev.count))
29004 + if (atomic_read_unchecked(&lis3_dev.count))
29005 return POLLIN | POLLRDNORM;
29008 diff -urNp linux-2.6.32.42/drivers/hwmon/lis3lv02d.h linux-2.6.32.42/drivers/hwmon/lis3lv02d.h
29009 --- linux-2.6.32.42/drivers/hwmon/lis3lv02d.h 2011-03-27 14:31:47.000000000 -0400
29010 +++ linux-2.6.32.42/drivers/hwmon/lis3lv02d.h 2011-05-04 17:56:28.000000000 -0400
29011 @@ -201,7 +201,7 @@ struct lis3lv02d {
29013 struct input_polled_dev *idev; /* input device */
29014 struct platform_device *pdev; /* platform device */
29015 - atomic_t count; /* interrupt count after last read */
29016 + atomic_unchecked_t count; /* interrupt count after last read */
29017 int xcalib; /* calibrated null value for x */
29018 int ycalib; /* calibrated null value for y */
29019 int zcalib; /* calibrated null value for z */
29020 diff -urNp linux-2.6.32.42/drivers/hwmon/sht15.c linux-2.6.32.42/drivers/hwmon/sht15.c
29021 --- linux-2.6.32.42/drivers/hwmon/sht15.c 2011-03-27 14:31:47.000000000 -0400
29022 +++ linux-2.6.32.42/drivers/hwmon/sht15.c 2011-05-04 17:56:28.000000000 -0400
29023 @@ -112,7 +112,7 @@ struct sht15_data {
29025 int supply_uV_valid;
29026 struct work_struct update_supply_work;
29027 - atomic_t interrupt_handled;
29028 + atomic_unchecked_t interrupt_handled;
29032 @@ -245,13 +245,13 @@ static inline int sht15_update_single_va
29035 gpio_direction_input(data->pdata->gpio_data);
29036 - atomic_set(&data->interrupt_handled, 0);
29037 + atomic_set_unchecked(&data->interrupt_handled, 0);
29039 enable_irq(gpio_to_irq(data->pdata->gpio_data));
29040 if (gpio_get_value(data->pdata->gpio_data) == 0) {
29041 disable_irq_nosync(gpio_to_irq(data->pdata->gpio_data));
29042 /* Only relevant if the interrupt hasn't occured. */
29043 - if (!atomic_read(&data->interrupt_handled))
29044 + if (!atomic_read_unchecked(&data->interrupt_handled))
29045 schedule_work(&data->read_work);
29047 ret = wait_event_timeout(data->wait_queue,
29048 @@ -398,7 +398,7 @@ static irqreturn_t sht15_interrupt_fired
29049 struct sht15_data *data = d;
29050 /* First disable the interrupt */
29051 disable_irq_nosync(irq);
29052 - atomic_inc(&data->interrupt_handled);
29053 + atomic_inc_unchecked(&data->interrupt_handled);
29054 /* Then schedule a reading work struct */
29055 if (data->flag != SHT15_READING_NOTHING)
29056 schedule_work(&data->read_work);
29057 @@ -449,11 +449,11 @@ static void sht15_bh_read_data(struct wo
29058 here as could have gone low in meantime so verify
29061 - atomic_set(&data->interrupt_handled, 0);
29062 + atomic_set_unchecked(&data->interrupt_handled, 0);
29063 enable_irq(gpio_to_irq(data->pdata->gpio_data));
29064 /* If still not occured or another handler has been scheduled */
29065 if (gpio_get_value(data->pdata->gpio_data)
29066 - || atomic_read(&data->interrupt_handled))
29067 + || atomic_read_unchecked(&data->interrupt_handled))
29070 /* Read the data back from the device */
29071 diff -urNp linux-2.6.32.42/drivers/hwmon/w83791d.c linux-2.6.32.42/drivers/hwmon/w83791d.c
29072 --- linux-2.6.32.42/drivers/hwmon/w83791d.c 2011-03-27 14:31:47.000000000 -0400
29073 +++ linux-2.6.32.42/drivers/hwmon/w83791d.c 2011-04-17 15:56:46.000000000 -0400
29074 @@ -330,8 +330,8 @@ static int w83791d_detect(struct i2c_cli
29075 struct i2c_board_info *info);
29076 static int w83791d_remove(struct i2c_client *client);
29078 -static int w83791d_read(struct i2c_client *client, u8 register);
29079 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
29080 +static int w83791d_read(struct i2c_client *client, u8 reg);
29081 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
29082 static struct w83791d_data *w83791d_update_device(struct device *dev);
29085 diff -urNp linux-2.6.32.42/drivers/ide/ide-cd.c linux-2.6.32.42/drivers/ide/ide-cd.c
29086 --- linux-2.6.32.42/drivers/ide/ide-cd.c 2011-03-27 14:31:47.000000000 -0400
29087 +++ linux-2.6.32.42/drivers/ide/ide-cd.c 2011-04-17 15:56:46.000000000 -0400
29088 @@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
29089 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
29090 if ((unsigned long)buf & alignment
29091 || blk_rq_bytes(rq) & q->dma_pad_mask
29092 - || object_is_on_stack(buf))
29093 + || object_starts_on_stack(buf))
29097 diff -urNp linux-2.6.32.42/drivers/ide/ide-floppy.c linux-2.6.32.42/drivers/ide/ide-floppy.c
29098 --- linux-2.6.32.42/drivers/ide/ide-floppy.c 2011-03-27 14:31:47.000000000 -0400
29099 +++ linux-2.6.32.42/drivers/ide/ide-floppy.c 2011-05-16 21:46:57.000000000 -0400
29100 @@ -373,6 +373,8 @@ static int ide_floppy_get_capacity(ide_d
29101 u8 pc_buf[256], header_len, desc_cnt;
29102 int i, rc = 1, blocks, length;
29104 + pax_track_stack();
29106 ide_debug_log(IDE_DBG_FUNC, "enter");
29108 drive->bios_cyl = 0;
29109 diff -urNp linux-2.6.32.42/drivers/ide/setup-pci.c linux-2.6.32.42/drivers/ide/setup-pci.c
29110 --- linux-2.6.32.42/drivers/ide/setup-pci.c 2011-03-27 14:31:47.000000000 -0400
29111 +++ linux-2.6.32.42/drivers/ide/setup-pci.c 2011-05-16 21:46:57.000000000 -0400
29112 @@ -542,6 +542,8 @@ int ide_pci_init_two(struct pci_dev *dev
29113 int ret, i, n_ports = dev2 ? 4 : 2;
29114 struct ide_hw hw[4], *hws[] = { NULL, NULL, NULL, NULL };
29116 + pax_track_stack();
29118 for (i = 0; i < n_ports / 2; i++) {
29119 ret = ide_setup_pci_controller(pdev[i], d, !i);
29121 diff -urNp linux-2.6.32.42/drivers/ieee1394/dv1394.c linux-2.6.32.42/drivers/ieee1394/dv1394.c
29122 --- linux-2.6.32.42/drivers/ieee1394/dv1394.c 2011-03-27 14:31:47.000000000 -0400
29123 +++ linux-2.6.32.42/drivers/ieee1394/dv1394.c 2011-04-23 12:56:11.000000000 -0400
29124 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
29125 based upon DIF section and sequence
29128 -static void inline
29129 +static inline void
29130 frame_put_packet (struct frame *f, struct packet *p)
29132 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
29133 diff -urNp linux-2.6.32.42/drivers/ieee1394/hosts.c linux-2.6.32.42/drivers/ieee1394/hosts.c
29134 --- linux-2.6.32.42/drivers/ieee1394/hosts.c 2011-03-27 14:31:47.000000000 -0400
29135 +++ linux-2.6.32.42/drivers/ieee1394/hosts.c 2011-04-17 15:56:46.000000000 -0400
29136 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
29139 static struct hpsb_host_driver dummy_driver = {
29141 .transmit_packet = dummy_transmit_packet,
29142 .devctl = dummy_devctl,
29143 .isoctl = dummy_isoctl
29144 diff -urNp linux-2.6.32.42/drivers/ieee1394/init_ohci1394_dma.c linux-2.6.32.42/drivers/ieee1394/init_ohci1394_dma.c
29145 --- linux-2.6.32.42/drivers/ieee1394/init_ohci1394_dma.c 2011-03-27 14:31:47.000000000 -0400
29146 +++ linux-2.6.32.42/drivers/ieee1394/init_ohci1394_dma.c 2011-04-17 15:56:46.000000000 -0400
29147 @@ -257,7 +257,7 @@ void __init init_ohci1394_dma_on_all_con
29148 for (func = 0; func < 8; func++) {
29149 u32 class = read_pci_config(num,slot,func,
29150 PCI_CLASS_REVISION);
29151 - if ((class == 0xffffffff))
29152 + if (class == 0xffffffff)
29153 continue; /* No device at this func */
29155 if (class>>8 != PCI_CLASS_SERIAL_FIREWIRE_OHCI)
29156 diff -urNp linux-2.6.32.42/drivers/ieee1394/ohci1394.c linux-2.6.32.42/drivers/ieee1394/ohci1394.c
29157 --- linux-2.6.32.42/drivers/ieee1394/ohci1394.c 2011-03-27 14:31:47.000000000 -0400
29158 +++ linux-2.6.32.42/drivers/ieee1394/ohci1394.c 2011-04-23 12:56:11.000000000 -0400
29159 @@ -147,9 +147,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
29160 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
29162 /* Module Parameters */
29163 -static int phys_dma = 1;
29164 +static int phys_dma;
29165 module_param(phys_dma, int, 0444);
29166 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
29167 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
29169 static void dma_trm_tasklet(unsigned long data);
29170 static void dma_trm_reset(struct dma_trm_ctx *d);
29171 diff -urNp linux-2.6.32.42/drivers/ieee1394/sbp2.c linux-2.6.32.42/drivers/ieee1394/sbp2.c
29172 --- linux-2.6.32.42/drivers/ieee1394/sbp2.c 2011-03-27 14:31:47.000000000 -0400
29173 +++ linux-2.6.32.42/drivers/ieee1394/sbp2.c 2011-04-23 12:56:11.000000000 -0400
29174 @@ -2111,7 +2111,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
29175 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
29176 MODULE_LICENSE("GPL");
29178 -static int sbp2_module_init(void)
29179 +static int __init sbp2_module_init(void)
29183 diff -urNp linux-2.6.32.42/drivers/infiniband/core/cm.c linux-2.6.32.42/drivers/infiniband/core/cm.c
29184 --- linux-2.6.32.42/drivers/infiniband/core/cm.c 2011-03-27 14:31:47.000000000 -0400
29185 +++ linux-2.6.32.42/drivers/infiniband/core/cm.c 2011-04-17 15:56:46.000000000 -0400
29186 @@ -112,7 +112,7 @@ static char const counter_group_names[CM
29188 struct cm_counter_group {
29189 struct kobject obj;
29190 - atomic_long_t counter[CM_ATTR_COUNT];
29191 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
29194 struct cm_counter_attribute {
29195 @@ -1386,7 +1386,7 @@ static void cm_dup_req_handler(struct cm
29196 struct ib_mad_send_buf *msg = NULL;
29199 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
29200 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
29201 counter[CM_REQ_COUNTER]);
29203 /* Quick state check to discard duplicate REQs. */
29204 @@ -1764,7 +1764,7 @@ static void cm_dup_rep_handler(struct cm
29208 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
29209 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
29210 counter[CM_REP_COUNTER]);
29211 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
29213 @@ -1931,7 +1931,7 @@ static int cm_rtu_handler(struct cm_work
29214 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
29215 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
29216 spin_unlock_irq(&cm_id_priv->lock);
29217 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
29218 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
29219 counter[CM_RTU_COUNTER]);
29222 @@ -2110,7 +2110,7 @@ static int cm_dreq_handler(struct cm_wor
29223 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
29224 dreq_msg->local_comm_id);
29226 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
29227 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
29228 counter[CM_DREQ_COUNTER]);
29229 cm_issue_drep(work->port, work->mad_recv_wc);
29231 @@ -2131,7 +2131,7 @@ static int cm_dreq_handler(struct cm_wor
29232 case IB_CM_MRA_REP_RCVD:
29234 case IB_CM_TIMEWAIT:
29235 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
29236 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
29237 counter[CM_DREQ_COUNTER]);
29238 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
29240 @@ -2145,7 +2145,7 @@ static int cm_dreq_handler(struct cm_wor
29243 case IB_CM_DREQ_RCVD:
29244 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
29245 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
29246 counter[CM_DREQ_COUNTER]);
29249 @@ -2501,7 +2501,7 @@ static int cm_mra_handler(struct cm_work
29250 ib_modify_mad(cm_id_priv->av.port->mad_agent,
29251 cm_id_priv->msg, timeout)) {
29252 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
29253 - atomic_long_inc(&work->port->
29254 + atomic_long_inc_unchecked(&work->port->
29255 counter_group[CM_RECV_DUPLICATES].
29256 counter[CM_MRA_COUNTER]);
29258 @@ -2510,7 +2510,7 @@ static int cm_mra_handler(struct cm_work
29260 case IB_CM_MRA_REQ_RCVD:
29261 case IB_CM_MRA_REP_RCVD:
29262 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
29263 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
29264 counter[CM_MRA_COUNTER]);
29267 @@ -2672,7 +2672,7 @@ static int cm_lap_handler(struct cm_work
29268 case IB_CM_LAP_IDLE:
29270 case IB_CM_MRA_LAP_SENT:
29271 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
29272 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
29273 counter[CM_LAP_COUNTER]);
29274 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
29276 @@ -2688,7 +2688,7 @@ static int cm_lap_handler(struct cm_work
29279 case IB_CM_LAP_RCVD:
29280 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
29281 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
29282 counter[CM_LAP_COUNTER]);
29285 @@ -2972,7 +2972,7 @@ static int cm_sidr_req_handler(struct cm
29286 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
29287 if (cur_cm_id_priv) {
29288 spin_unlock_irq(&cm.lock);
29289 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
29290 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
29291 counter[CM_SIDR_REQ_COUNTER]);
29292 goto out; /* Duplicate message. */
29294 @@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
29295 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
29298 - atomic_long_add(1 + msg->retries,
29299 + atomic_long_add_unchecked(1 + msg->retries,
29300 &port->counter_group[CM_XMIT].counter[attr_index]);
29302 - atomic_long_add(msg->retries,
29303 + atomic_long_add_unchecked(msg->retries,
29304 &port->counter_group[CM_XMIT_RETRIES].
29305 counter[attr_index]);
29307 @@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
29310 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
29311 - atomic_long_inc(&port->counter_group[CM_RECV].
29312 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
29313 counter[attr_id - CM_ATTR_ID_OFFSET]);
29315 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
29316 @@ -3595,10 +3595,10 @@ static ssize_t cm_show_counter(struct ko
29317 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
29319 return sprintf(buf, "%ld\n",
29320 - atomic_long_read(&group->counter[cm_attr->index]));
29321 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
29324 -static struct sysfs_ops cm_counter_ops = {
29325 +static const struct sysfs_ops cm_counter_ops = {
29326 .show = cm_show_counter
29329 diff -urNp linux-2.6.32.42/drivers/infiniband/core/fmr_pool.c linux-2.6.32.42/drivers/infiniband/core/fmr_pool.c
29330 --- linux-2.6.32.42/drivers/infiniband/core/fmr_pool.c 2011-03-27 14:31:47.000000000 -0400
29331 +++ linux-2.6.32.42/drivers/infiniband/core/fmr_pool.c 2011-05-04 17:56:28.000000000 -0400
29332 @@ -97,8 +97,8 @@ struct ib_fmr_pool {
29334 struct task_struct *thread;
29336 - atomic_t req_ser;
29337 - atomic_t flush_ser;
29338 + atomic_unchecked_t req_ser;
29339 + atomic_unchecked_t flush_ser;
29341 wait_queue_head_t force_wait;
29343 @@ -179,10 +179,10 @@ static int ib_fmr_cleanup_thread(void *p
29344 struct ib_fmr_pool *pool = pool_ptr;
29347 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) < 0) {
29348 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) < 0) {
29349 ib_fmr_batch_release(pool);
29351 - atomic_inc(&pool->flush_ser);
29352 + atomic_inc_unchecked(&pool->flush_ser);
29353 wake_up_interruptible(&pool->force_wait);
29355 if (pool->flush_function)
29356 @@ -190,7 +190,7 @@ static int ib_fmr_cleanup_thread(void *p
29359 set_current_state(TASK_INTERRUPTIBLE);
29360 - if (atomic_read(&pool->flush_ser) - atomic_read(&pool->req_ser) >= 0 &&
29361 + if (atomic_read_unchecked(&pool->flush_ser) - atomic_read_unchecked(&pool->req_ser) >= 0 &&
29362 !kthread_should_stop())
29364 __set_current_state(TASK_RUNNING);
29365 @@ -282,8 +282,8 @@ struct ib_fmr_pool *ib_create_fmr_pool(s
29366 pool->dirty_watermark = params->dirty_watermark;
29367 pool->dirty_len = 0;
29368 spin_lock_init(&pool->pool_lock);
29369 - atomic_set(&pool->req_ser, 0);
29370 - atomic_set(&pool->flush_ser, 0);
29371 + atomic_set_unchecked(&pool->req_ser, 0);
29372 + atomic_set_unchecked(&pool->flush_ser, 0);
29373 init_waitqueue_head(&pool->force_wait);
29375 pool->thread = kthread_run(ib_fmr_cleanup_thread,
29376 @@ -411,11 +411,11 @@ int ib_flush_fmr_pool(struct ib_fmr_pool
29378 spin_unlock_irq(&pool->pool_lock);
29380 - serial = atomic_inc_return(&pool->req_ser);
29381 + serial = atomic_inc_return_unchecked(&pool->req_ser);
29382 wake_up_process(pool->thread);
29384 if (wait_event_interruptible(pool->force_wait,
29385 - atomic_read(&pool->flush_ser) - serial >= 0))
29386 + atomic_read_unchecked(&pool->flush_ser) - serial >= 0))
29390 @@ -525,7 +525,7 @@ int ib_fmr_pool_unmap(struct ib_pool_fmr
29392 list_add_tail(&fmr->list, &pool->dirty_list);
29393 if (++pool->dirty_len >= pool->dirty_watermark) {
29394 - atomic_inc(&pool->req_ser);
29395 + atomic_inc_unchecked(&pool->req_ser);
29396 wake_up_process(pool->thread);
29399 diff -urNp linux-2.6.32.42/drivers/infiniband/core/sysfs.c linux-2.6.32.42/drivers/infiniband/core/sysfs.c
29400 --- linux-2.6.32.42/drivers/infiniband/core/sysfs.c 2011-03-27 14:31:47.000000000 -0400
29401 +++ linux-2.6.32.42/drivers/infiniband/core/sysfs.c 2011-04-17 15:56:46.000000000 -0400
29402 @@ -79,7 +79,7 @@ static ssize_t port_attr_show(struct kob
29403 return port_attr->show(p, port_attr, buf);
29406 -static struct sysfs_ops port_sysfs_ops = {
29407 +static const struct sysfs_ops port_sysfs_ops = {
29408 .show = port_attr_show
29411 diff -urNp linux-2.6.32.42/drivers/infiniband/core/uverbs_marshall.c linux-2.6.32.42/drivers/infiniband/core/uverbs_marshall.c
29412 --- linux-2.6.32.42/drivers/infiniband/core/uverbs_marshall.c 2011-03-27 14:31:47.000000000 -0400
29413 +++ linux-2.6.32.42/drivers/infiniband/core/uverbs_marshall.c 2011-04-17 15:56:46.000000000 -0400
29414 @@ -40,18 +40,21 @@ void ib_copy_ah_attr_to_user(struct ib_u
29415 dst->grh.sgid_index = src->grh.sgid_index;
29416 dst->grh.hop_limit = src->grh.hop_limit;
29417 dst->grh.traffic_class = src->grh.traffic_class;
29418 + memset(&dst->grh.reserved, 0, sizeof(dst->grh.reserved));
29419 dst->dlid = src->dlid;
29421 dst->src_path_bits = src->src_path_bits;
29422 dst->static_rate = src->static_rate;
29423 dst->is_global = src->ah_flags & IB_AH_GRH ? 1 : 0;
29424 dst->port_num = src->port_num;
29425 + dst->reserved = 0;
29427 EXPORT_SYMBOL(ib_copy_ah_attr_to_user);
29429 void ib_copy_qp_attr_to_user(struct ib_uverbs_qp_attr *dst,
29430 struct ib_qp_attr *src)
29432 + dst->qp_state = src->qp_state;
29433 dst->cur_qp_state = src->cur_qp_state;
29434 dst->path_mtu = src->path_mtu;
29435 dst->path_mig_state = src->path_mig_state;
29436 @@ -83,6 +86,7 @@ void ib_copy_qp_attr_to_user(struct ib_u
29437 dst->rnr_retry = src->rnr_retry;
29438 dst->alt_port_num = src->alt_port_num;
29439 dst->alt_timeout = src->alt_timeout;
29440 + memset(dst->reserved, 0, sizeof(dst->reserved));
29442 EXPORT_SYMBOL(ib_copy_qp_attr_to_user);
29444 diff -urNp linux-2.6.32.42/drivers/infiniband/hw/ipath/ipath_fs.c linux-2.6.32.42/drivers/infiniband/hw/ipath/ipath_fs.c
29445 --- linux-2.6.32.42/drivers/infiniband/hw/ipath/ipath_fs.c 2011-03-27 14:31:47.000000000 -0400
29446 +++ linux-2.6.32.42/drivers/infiniband/hw/ipath/ipath_fs.c 2011-05-16 21:46:57.000000000 -0400
29447 @@ -110,6 +110,8 @@ static ssize_t atomic_counters_read(stru
29448 struct infinipath_counters counters;
29449 struct ipath_devdata *dd;
29451 + pax_track_stack();
29453 dd = file->f_path.dentry->d_inode->i_private;
29454 dd->ipath_f_read_counters(dd, &counters);
29456 diff -urNp linux-2.6.32.42/drivers/infiniband/hw/nes/nes.c linux-2.6.32.42/drivers/infiniband/hw/nes/nes.c
29457 --- linux-2.6.32.42/drivers/infiniband/hw/nes/nes.c 2011-03-27 14:31:47.000000000 -0400
29458 +++ linux-2.6.32.42/drivers/infiniband/hw/nes/nes.c 2011-05-04 17:56:28.000000000 -0400
29459 @@ -102,7 +102,7 @@ MODULE_PARM_DESC(limit_maxrdreqsz, "Limi
29460 LIST_HEAD(nes_adapter_list);
29461 static LIST_HEAD(nes_dev_list);
29463 -atomic_t qps_destroyed;
29464 +atomic_unchecked_t qps_destroyed;
29466 static unsigned int ee_flsh_adapter;
29467 static unsigned int sysfs_nonidx_addr;
29468 @@ -259,7 +259,7 @@ static void nes_cqp_rem_ref_callback(str
29469 struct nes_adapter *nesadapter = nesdev->nesadapter;
29472 - atomic_inc(&qps_destroyed);
29473 + atomic_inc_unchecked(&qps_destroyed);
29475 /* Free the control structures */
29477 diff -urNp linux-2.6.32.42/drivers/infiniband/hw/nes/nes_cm.c linux-2.6.32.42/drivers/infiniband/hw/nes/nes_cm.c
29478 --- linux-2.6.32.42/drivers/infiniband/hw/nes/nes_cm.c 2011-03-27 14:31:47.000000000 -0400
29479 +++ linux-2.6.32.42/drivers/infiniband/hw/nes/nes_cm.c 2011-05-04 17:56:28.000000000 -0400
29480 @@ -69,11 +69,11 @@ u32 cm_packets_received;
29481 u32 cm_listens_created;
29482 u32 cm_listens_destroyed;
29483 u32 cm_backlog_drops;
29484 -atomic_t cm_loopbacks;
29485 -atomic_t cm_nodes_created;
29486 -atomic_t cm_nodes_destroyed;
29487 -atomic_t cm_accel_dropped_pkts;
29488 -atomic_t cm_resets_recvd;
29489 +atomic_unchecked_t cm_loopbacks;
29490 +atomic_unchecked_t cm_nodes_created;
29491 +atomic_unchecked_t cm_nodes_destroyed;
29492 +atomic_unchecked_t cm_accel_dropped_pkts;
29493 +atomic_unchecked_t cm_resets_recvd;
29495 static inline int mini_cm_accelerated(struct nes_cm_core *,
29496 struct nes_cm_node *);
29497 @@ -149,13 +149,13 @@ static struct nes_cm_ops nes_cm_api = {
29499 static struct nes_cm_core *g_cm_core;
29501 -atomic_t cm_connects;
29502 -atomic_t cm_accepts;
29503 -atomic_t cm_disconnects;
29504 -atomic_t cm_closes;
29505 -atomic_t cm_connecteds;
29506 -atomic_t cm_connect_reqs;
29507 -atomic_t cm_rejects;
29508 +atomic_unchecked_t cm_connects;
29509 +atomic_unchecked_t cm_accepts;
29510 +atomic_unchecked_t cm_disconnects;
29511 +atomic_unchecked_t cm_closes;
29512 +atomic_unchecked_t cm_connecteds;
29513 +atomic_unchecked_t cm_connect_reqs;
29514 +atomic_unchecked_t cm_rejects;
29518 @@ -1195,7 +1195,7 @@ static struct nes_cm_node *make_cm_node(
29521 add_hte_node(cm_core, cm_node);
29522 - atomic_inc(&cm_nodes_created);
29523 + atomic_inc_unchecked(&cm_nodes_created);
29527 @@ -1253,7 +1253,7 @@ static int rem_ref_cm_node(struct nes_cm
29530 atomic_dec(&cm_core->node_cnt);
29531 - atomic_inc(&cm_nodes_destroyed);
29532 + atomic_inc_unchecked(&cm_nodes_destroyed);
29533 nesqp = cm_node->nesqp;
29535 nesqp->cm_node = NULL;
29536 @@ -1320,7 +1320,7 @@ static int process_options(struct nes_cm
29538 static void drop_packet(struct sk_buff *skb)
29540 - atomic_inc(&cm_accel_dropped_pkts);
29541 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
29542 dev_kfree_skb_any(skb);
29545 @@ -1377,7 +1377,7 @@ static void handle_rst_pkt(struct nes_cm
29547 int reset = 0; /* whether to send reset in case of err.. */
29549 - atomic_inc(&cm_resets_recvd);
29550 + atomic_inc_unchecked(&cm_resets_recvd);
29551 nes_debug(NES_DBG_CM, "Received Reset, cm_node = %p, state = %u."
29552 " refcnt=%d\n", cm_node, cm_node->state,
29553 atomic_read(&cm_node->ref_count));
29554 @@ -2000,7 +2000,7 @@ static struct nes_cm_node *mini_cm_conne
29555 rem_ref_cm_node(cm_node->cm_core, cm_node);
29558 - atomic_inc(&cm_loopbacks);
29559 + atomic_inc_unchecked(&cm_loopbacks);
29560 loopbackremotenode->loopbackpartner = cm_node;
29561 loopbackremotenode->tcp_cntxt.rcv_wscale =
29562 NES_CM_DEFAULT_RCV_WND_SCALE;
29563 @@ -2262,7 +2262,7 @@ static int mini_cm_recv_pkt(struct nes_c
29564 add_ref_cm_node(cm_node);
29565 } else if (cm_node->state == NES_CM_STATE_TSA) {
29566 rem_ref_cm_node(cm_core, cm_node);
29567 - atomic_inc(&cm_accel_dropped_pkts);
29568 + atomic_inc_unchecked(&cm_accel_dropped_pkts);
29569 dev_kfree_skb_any(skb);
29572 @@ -2568,7 +2568,7 @@ static int nes_cm_disconn_true(struct ne
29574 if ((cm_id) && (cm_id->event_handler)) {
29575 if (issue_disconn) {
29576 - atomic_inc(&cm_disconnects);
29577 + atomic_inc_unchecked(&cm_disconnects);
29578 cm_event.event = IW_CM_EVENT_DISCONNECT;
29579 cm_event.status = disconn_status;
29580 cm_event.local_addr = cm_id->local_addr;
29581 @@ -2590,7 +2590,7 @@ static int nes_cm_disconn_true(struct ne
29585 - atomic_inc(&cm_closes);
29586 + atomic_inc_unchecked(&cm_closes);
29587 nes_disconnect(nesqp, 1);
29589 cm_id->provider_data = nesqp;
29590 @@ -2710,7 +2710,7 @@ int nes_accept(struct iw_cm_id *cm_id, s
29592 nes_debug(NES_DBG_CM, "QP%u, cm_node=%p, jiffies = %lu listener = %p\n",
29593 nesqp->hwqp.qp_id, cm_node, jiffies, cm_node->listener);
29594 - atomic_inc(&cm_accepts);
29595 + atomic_inc_unchecked(&cm_accepts);
29597 nes_debug(NES_DBG_CM, "netdev refcnt = %u.\n",
29598 atomic_read(&nesvnic->netdev->refcnt));
29599 @@ -2919,7 +2919,7 @@ int nes_reject(struct iw_cm_id *cm_id, c
29601 struct nes_cm_core *cm_core;
29603 - atomic_inc(&cm_rejects);
29604 + atomic_inc_unchecked(&cm_rejects);
29605 cm_node = (struct nes_cm_node *) cm_id->provider_data;
29606 loopback = cm_node->loopbackpartner;
29607 cm_core = cm_node->cm_core;
29608 @@ -2982,7 +2982,7 @@ int nes_connect(struct iw_cm_id *cm_id,
29609 ntohl(cm_id->local_addr.sin_addr.s_addr),
29610 ntohs(cm_id->local_addr.sin_port));
29612 - atomic_inc(&cm_connects);
29613 + atomic_inc_unchecked(&cm_connects);
29614 nesqp->active_conn = 1;
29616 /* cache the cm_id in the qp */
29617 @@ -3195,7 +3195,7 @@ static void cm_event_connected(struct ne
29618 if (nesqp->destroyed) {
29621 - atomic_inc(&cm_connecteds);
29622 + atomic_inc_unchecked(&cm_connecteds);
29623 nes_debug(NES_DBG_CM, "QP%u attempting to connect to 0x%08X:0x%04X on"
29624 " local port 0x%04X. jiffies = %lu.\n",
29626 @@ -3403,7 +3403,7 @@ static void cm_event_reset(struct nes_cm
29628 ret = cm_id->event_handler(cm_id, &cm_event);
29629 cm_id->add_ref(cm_id);
29630 - atomic_inc(&cm_closes);
29631 + atomic_inc_unchecked(&cm_closes);
29632 cm_event.event = IW_CM_EVENT_CLOSE;
29633 cm_event.status = IW_CM_EVENT_STATUS_OK;
29634 cm_event.provider_data = cm_id->provider_data;
29635 @@ -3439,7 +3439,7 @@ static void cm_event_mpa_req(struct nes_
29637 cm_id = cm_node->cm_id;
29639 - atomic_inc(&cm_connect_reqs);
29640 + atomic_inc_unchecked(&cm_connect_reqs);
29641 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
29642 cm_node, cm_id, jiffies);
29644 @@ -3477,7 +3477,7 @@ static void cm_event_mpa_reject(struct n
29646 cm_id = cm_node->cm_id;
29648 - atomic_inc(&cm_connect_reqs);
29649 + atomic_inc_unchecked(&cm_connect_reqs);
29650 nes_debug(NES_DBG_CM, "cm_node = %p - cm_id = %p, jiffies = %lu\n",
29651 cm_node, cm_id, jiffies);
29653 diff -urNp linux-2.6.32.42/drivers/infiniband/hw/nes/nes.h linux-2.6.32.42/drivers/infiniband/hw/nes/nes.h
29654 --- linux-2.6.32.42/drivers/infiniband/hw/nes/nes.h 2011-03-27 14:31:47.000000000 -0400
29655 +++ linux-2.6.32.42/drivers/infiniband/hw/nes/nes.h 2011-05-04 17:56:28.000000000 -0400
29656 @@ -174,17 +174,17 @@ extern unsigned int nes_debug_level;
29657 extern unsigned int wqm_quanta;
29658 extern struct list_head nes_adapter_list;
29660 -extern atomic_t cm_connects;
29661 -extern atomic_t cm_accepts;
29662 -extern atomic_t cm_disconnects;
29663 -extern atomic_t cm_closes;
29664 -extern atomic_t cm_connecteds;
29665 -extern atomic_t cm_connect_reqs;
29666 -extern atomic_t cm_rejects;
29667 -extern atomic_t mod_qp_timouts;
29668 -extern atomic_t qps_created;
29669 -extern atomic_t qps_destroyed;
29670 -extern atomic_t sw_qps_destroyed;
29671 +extern atomic_unchecked_t cm_connects;
29672 +extern atomic_unchecked_t cm_accepts;
29673 +extern atomic_unchecked_t cm_disconnects;
29674 +extern atomic_unchecked_t cm_closes;
29675 +extern atomic_unchecked_t cm_connecteds;
29676 +extern atomic_unchecked_t cm_connect_reqs;
29677 +extern atomic_unchecked_t cm_rejects;
29678 +extern atomic_unchecked_t mod_qp_timouts;
29679 +extern atomic_unchecked_t qps_created;
29680 +extern atomic_unchecked_t qps_destroyed;
29681 +extern atomic_unchecked_t sw_qps_destroyed;
29682 extern u32 mh_detected;
29683 extern u32 mh_pauses_sent;
29684 extern u32 cm_packets_sent;
29685 @@ -196,11 +196,11 @@ extern u32 cm_packets_retrans;
29686 extern u32 cm_listens_created;
29687 extern u32 cm_listens_destroyed;
29688 extern u32 cm_backlog_drops;
29689 -extern atomic_t cm_loopbacks;
29690 -extern atomic_t cm_nodes_created;
29691 -extern atomic_t cm_nodes_destroyed;
29692 -extern atomic_t cm_accel_dropped_pkts;
29693 -extern atomic_t cm_resets_recvd;
29694 +extern atomic_unchecked_t cm_loopbacks;
29695 +extern atomic_unchecked_t cm_nodes_created;
29696 +extern atomic_unchecked_t cm_nodes_destroyed;
29697 +extern atomic_unchecked_t cm_accel_dropped_pkts;
29698 +extern atomic_unchecked_t cm_resets_recvd;
29700 extern u32 int_mod_timer_init;
29701 extern u32 int_mod_cq_depth_256;
29702 diff -urNp linux-2.6.32.42/drivers/infiniband/hw/nes/nes_nic.c linux-2.6.32.42/drivers/infiniband/hw/nes/nes_nic.c
29703 --- linux-2.6.32.42/drivers/infiniband/hw/nes/nes_nic.c 2011-03-27 14:31:47.000000000 -0400
29704 +++ linux-2.6.32.42/drivers/infiniband/hw/nes/nes_nic.c 2011-05-04 17:56:28.000000000 -0400
29705 @@ -1210,17 +1210,17 @@ static void nes_netdev_get_ethtool_stats
29706 target_stat_values[++index] = mh_detected;
29707 target_stat_values[++index] = mh_pauses_sent;
29708 target_stat_values[++index] = nesvnic->endnode_ipv4_tcp_retransmits;
29709 - target_stat_values[++index] = atomic_read(&cm_connects);
29710 - target_stat_values[++index] = atomic_read(&cm_accepts);
29711 - target_stat_values[++index] = atomic_read(&cm_disconnects);
29712 - target_stat_values[++index] = atomic_read(&cm_connecteds);
29713 - target_stat_values[++index] = atomic_read(&cm_connect_reqs);
29714 - target_stat_values[++index] = atomic_read(&cm_rejects);
29715 - target_stat_values[++index] = atomic_read(&mod_qp_timouts);
29716 - target_stat_values[++index] = atomic_read(&qps_created);
29717 - target_stat_values[++index] = atomic_read(&sw_qps_destroyed);
29718 - target_stat_values[++index] = atomic_read(&qps_destroyed);
29719 - target_stat_values[++index] = atomic_read(&cm_closes);
29720 + target_stat_values[++index] = atomic_read_unchecked(&cm_connects);
29721 + target_stat_values[++index] = atomic_read_unchecked(&cm_accepts);
29722 + target_stat_values[++index] = atomic_read_unchecked(&cm_disconnects);
29723 + target_stat_values[++index] = atomic_read_unchecked(&cm_connecteds);
29724 + target_stat_values[++index] = atomic_read_unchecked(&cm_connect_reqs);
29725 + target_stat_values[++index] = atomic_read_unchecked(&cm_rejects);
29726 + target_stat_values[++index] = atomic_read_unchecked(&mod_qp_timouts);
29727 + target_stat_values[++index] = atomic_read_unchecked(&qps_created);
29728 + target_stat_values[++index] = atomic_read_unchecked(&sw_qps_destroyed);
29729 + target_stat_values[++index] = atomic_read_unchecked(&qps_destroyed);
29730 + target_stat_values[++index] = atomic_read_unchecked(&cm_closes);
29731 target_stat_values[++index] = cm_packets_sent;
29732 target_stat_values[++index] = cm_packets_bounced;
29733 target_stat_values[++index] = cm_packets_created;
29734 @@ -1230,11 +1230,11 @@ static void nes_netdev_get_ethtool_stats
29735 target_stat_values[++index] = cm_listens_created;
29736 target_stat_values[++index] = cm_listens_destroyed;
29737 target_stat_values[++index] = cm_backlog_drops;
29738 - target_stat_values[++index] = atomic_read(&cm_loopbacks);
29739 - target_stat_values[++index] = atomic_read(&cm_nodes_created);
29740 - target_stat_values[++index] = atomic_read(&cm_nodes_destroyed);
29741 - target_stat_values[++index] = atomic_read(&cm_accel_dropped_pkts);
29742 - target_stat_values[++index] = atomic_read(&cm_resets_recvd);
29743 + target_stat_values[++index] = atomic_read_unchecked(&cm_loopbacks);
29744 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_created);
29745 + target_stat_values[++index] = atomic_read_unchecked(&cm_nodes_destroyed);
29746 + target_stat_values[++index] = atomic_read_unchecked(&cm_accel_dropped_pkts);
29747 + target_stat_values[++index] = atomic_read_unchecked(&cm_resets_recvd);
29748 target_stat_values[++index] = int_mod_timer_init;
29749 target_stat_values[++index] = int_mod_cq_depth_1;
29750 target_stat_values[++index] = int_mod_cq_depth_4;
29751 diff -urNp linux-2.6.32.42/drivers/infiniband/hw/nes/nes_verbs.c linux-2.6.32.42/drivers/infiniband/hw/nes/nes_verbs.c
29752 --- linux-2.6.32.42/drivers/infiniband/hw/nes/nes_verbs.c 2011-03-27 14:31:47.000000000 -0400
29753 +++ linux-2.6.32.42/drivers/infiniband/hw/nes/nes_verbs.c 2011-05-04 17:56:28.000000000 -0400
29756 #include <rdma/ib_umem.h>
29758 -atomic_t mod_qp_timouts;
29759 -atomic_t qps_created;
29760 -atomic_t sw_qps_destroyed;
29761 +atomic_unchecked_t mod_qp_timouts;
29762 +atomic_unchecked_t qps_created;
29763 +atomic_unchecked_t sw_qps_destroyed;
29765 static void nes_unregister_ofa_device(struct nes_ib_device *nesibdev);
29767 @@ -1240,7 +1240,7 @@ static struct ib_qp *nes_create_qp(struc
29768 if (init_attr->create_flags)
29769 return ERR_PTR(-EINVAL);
29771 - atomic_inc(&qps_created);
29772 + atomic_inc_unchecked(&qps_created);
29773 switch (init_attr->qp_type) {
29775 if (nes_drv_opt & NES_DRV_OPT_NO_INLINE_DATA) {
29776 @@ -1568,7 +1568,7 @@ static int nes_destroy_qp(struct ib_qp *
29777 struct iw_cm_event cm_event;
29780 - atomic_inc(&sw_qps_destroyed);
29781 + atomic_inc_unchecked(&sw_qps_destroyed);
29782 nesqp->destroyed = 1;
29784 /* Blow away the connection if it exists. */
29785 diff -urNp linux-2.6.32.42/drivers/input/gameport/gameport.c linux-2.6.32.42/drivers/input/gameport/gameport.c
29786 --- linux-2.6.32.42/drivers/input/gameport/gameport.c 2011-03-27 14:31:47.000000000 -0400
29787 +++ linux-2.6.32.42/drivers/input/gameport/gameport.c 2011-05-04 17:56:28.000000000 -0400
29788 @@ -515,13 +515,13 @@ EXPORT_SYMBOL(gameport_set_phys);
29790 static void gameport_init_port(struct gameport *gameport)
29792 - static atomic_t gameport_no = ATOMIC_INIT(0);
29793 + static atomic_unchecked_t gameport_no = ATOMIC_INIT(0);
29795 __module_get(THIS_MODULE);
29797 mutex_init(&gameport->drv_mutex);
29798 device_initialize(&gameport->dev);
29799 - dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return(&gameport_no) - 1);
29800 + dev_set_name(&gameport->dev, "gameport%lu", (unsigned long)atomic_inc_return_unchecked(&gameport_no) - 1);
29801 gameport->dev.bus = &gameport_bus;
29802 gameport->dev.release = gameport_release_port;
29803 if (gameport->parent)
29804 diff -urNp linux-2.6.32.42/drivers/input/input.c linux-2.6.32.42/drivers/input/input.c
29805 --- linux-2.6.32.42/drivers/input/input.c 2011-03-27 14:31:47.000000000 -0400
29806 +++ linux-2.6.32.42/drivers/input/input.c 2011-05-04 17:56:28.000000000 -0400
29807 @@ -1558,7 +1558,7 @@ EXPORT_SYMBOL(input_set_capability);
29809 int input_register_device(struct input_dev *dev)
29811 - static atomic_t input_no = ATOMIC_INIT(0);
29812 + static atomic_unchecked_t input_no = ATOMIC_INIT(0);
29813 struct input_handler *handler;
29816 @@ -1585,7 +1585,7 @@ int input_register_device(struct input_d
29817 dev->setkeycode = input_default_setkeycode;
29819 dev_set_name(&dev->dev, "input%ld",
29820 - (unsigned long) atomic_inc_return(&input_no) - 1);
29821 + (unsigned long) atomic_inc_return_unchecked(&input_no) - 1);
29823 error = device_add(&dev->dev);
29825 diff -urNp linux-2.6.32.42/drivers/input/joystick/sidewinder.c linux-2.6.32.42/drivers/input/joystick/sidewinder.c
29826 --- linux-2.6.32.42/drivers/input/joystick/sidewinder.c 2011-03-27 14:31:47.000000000 -0400
29827 +++ linux-2.6.32.42/drivers/input/joystick/sidewinder.c 2011-05-18 20:09:36.000000000 -0400
29829 #include <linux/kernel.h>
29830 #include <linux/module.h>
29831 #include <linux/slab.h>
29832 +#include <linux/sched.h>
29833 #include <linux/init.h>
29834 #include <linux/input.h>
29835 #include <linux/gameport.h>
29836 @@ -428,6 +429,8 @@ static int sw_read(struct sw *sw)
29837 unsigned char buf[SW_LENGTH];
29840 + pax_track_stack();
29842 i = sw_read_packet(sw->gameport, buf, sw->length, 0);
29844 if (sw->type == SW_ID_3DP && sw->length == 66 && i != 66) { /* Broken packet, try to fix */
29845 diff -urNp linux-2.6.32.42/drivers/input/joystick/xpad.c linux-2.6.32.42/drivers/input/joystick/xpad.c
29846 --- linux-2.6.32.42/drivers/input/joystick/xpad.c 2011-03-27 14:31:47.000000000 -0400
29847 +++ linux-2.6.32.42/drivers/input/joystick/xpad.c 2011-05-04 17:56:28.000000000 -0400
29848 @@ -621,7 +621,7 @@ static void xpad_led_set(struct led_clas
29850 static int xpad_led_probe(struct usb_xpad *xpad)
29852 - static atomic_t led_seq = ATOMIC_INIT(0);
29853 + static atomic_unchecked_t led_seq = ATOMIC_INIT(0);
29855 struct xpad_led *led;
29856 struct led_classdev *led_cdev;
29857 @@ -634,7 +634,7 @@ static int xpad_led_probe(struct usb_xpa
29861 - led_no = (long)atomic_inc_return(&led_seq) - 1;
29862 + led_no = (long)atomic_inc_return_unchecked(&led_seq) - 1;
29864 snprintf(led->name, sizeof(led->name), "xpad%ld", led_no);
29866 diff -urNp linux-2.6.32.42/drivers/input/serio/serio.c linux-2.6.32.42/drivers/input/serio/serio.c
29867 --- linux-2.6.32.42/drivers/input/serio/serio.c 2011-03-27 14:31:47.000000000 -0400
29868 +++ linux-2.6.32.42/drivers/input/serio/serio.c 2011-05-04 17:56:28.000000000 -0400
29869 @@ -527,7 +527,7 @@ static void serio_release_port(struct de
29871 static void serio_init_port(struct serio *serio)
29873 - static atomic_t serio_no = ATOMIC_INIT(0);
29874 + static atomic_unchecked_t serio_no = ATOMIC_INIT(0);
29876 __module_get(THIS_MODULE);
29878 @@ -536,7 +536,7 @@ static void serio_init_port(struct serio
29879 mutex_init(&serio->drv_mutex);
29880 device_initialize(&serio->dev);
29881 dev_set_name(&serio->dev, "serio%ld",
29882 - (long)atomic_inc_return(&serio_no) - 1);
29883 + (long)atomic_inc_return_unchecked(&serio_no) - 1);
29884 serio->dev.bus = &serio_bus;
29885 serio->dev.release = serio_release_port;
29886 if (serio->parent) {
29887 diff -urNp linux-2.6.32.42/drivers/isdn/gigaset/common.c linux-2.6.32.42/drivers/isdn/gigaset/common.c
29888 --- linux-2.6.32.42/drivers/isdn/gigaset/common.c 2011-03-27 14:31:47.000000000 -0400
29889 +++ linux-2.6.32.42/drivers/isdn/gigaset/common.c 2011-04-17 15:56:46.000000000 -0400
29890 @@ -712,7 +712,7 @@ struct cardstate *gigaset_initcs(struct
29891 cs->commands_pending = 0;
29892 cs->cur_at_seq = 0;
29894 - cs->open_count = 0;
29895 + local_set(&cs->open_count, 0);
29898 cs->tty_dev = NULL;
29899 diff -urNp linux-2.6.32.42/drivers/isdn/gigaset/gigaset.h linux-2.6.32.42/drivers/isdn/gigaset/gigaset.h
29900 --- linux-2.6.32.42/drivers/isdn/gigaset/gigaset.h 2011-03-27 14:31:47.000000000 -0400
29901 +++ linux-2.6.32.42/drivers/isdn/gigaset/gigaset.h 2011-04-17 15:56:46.000000000 -0400
29903 #include <linux/tty_driver.h>
29904 #include <linux/list.h>
29905 #include <asm/atomic.h>
29906 +#include <asm/local.h>
29908 #define GIG_VERSION {0,5,0,0}
29909 #define GIG_COMPAT {0,4,0,0}
29910 @@ -446,7 +447,7 @@ struct cardstate {
29911 spinlock_t cmdlock;
29912 unsigned curlen, cmdbytes;
29914 - unsigned open_count;
29915 + local_t open_count;
29916 struct tty_struct *tty;
29917 struct tasklet_struct if_wake_tasklet;
29918 unsigned control_state;
29919 diff -urNp linux-2.6.32.42/drivers/isdn/gigaset/interface.c linux-2.6.32.42/drivers/isdn/gigaset/interface.c
29920 --- linux-2.6.32.42/drivers/isdn/gigaset/interface.c 2011-03-27 14:31:47.000000000 -0400
29921 +++ linux-2.6.32.42/drivers/isdn/gigaset/interface.c 2011-04-17 15:56:46.000000000 -0400
29922 @@ -165,9 +165,7 @@ static int if_open(struct tty_struct *tt
29923 return -ERESTARTSYS; // FIXME -EINTR?
29924 tty->driver_data = cs;
29926 - ++cs->open_count;
29928 - if (cs->open_count == 1) {
29929 + if (local_inc_return(&cs->open_count) == 1) {
29930 spin_lock_irqsave(&cs->lock, flags);
29932 spin_unlock_irqrestore(&cs->lock, flags);
29933 @@ -195,10 +193,10 @@ static void if_close(struct tty_struct *
29935 if (!cs->connected)
29936 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
29937 - else if (!cs->open_count)
29938 + else if (!local_read(&cs->open_count))
29939 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29941 - if (!--cs->open_count) {
29942 + if (!local_dec_return(&cs->open_count)) {
29943 spin_lock_irqsave(&cs->lock, flags);
29945 spin_unlock_irqrestore(&cs->lock, flags);
29946 @@ -233,7 +231,7 @@ static int if_ioctl(struct tty_struct *t
29947 if (!cs->connected) {
29948 gig_dbg(DEBUG_IF, "not connected");
29950 - } else if (!cs->open_count)
29951 + } else if (!local_read(&cs->open_count))
29952 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29955 @@ -361,7 +359,7 @@ static int if_write(struct tty_struct *t
29956 if (!cs->connected) {
29957 gig_dbg(DEBUG_IF, "not connected");
29959 - } else if (!cs->open_count)
29960 + } else if (!local_read(&cs->open_count))
29961 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29962 else if (cs->mstate != MS_LOCKED) {
29963 dev_warn(cs->dev, "can't write to unlocked device\n");
29964 @@ -395,7 +393,7 @@ static int if_write_room(struct tty_stru
29965 if (!cs->connected) {
29966 gig_dbg(DEBUG_IF, "not connected");
29968 - } else if (!cs->open_count)
29969 + } else if (!local_read(&cs->open_count))
29970 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29971 else if (cs->mstate != MS_LOCKED) {
29972 dev_warn(cs->dev, "can't write to unlocked device\n");
29973 @@ -425,7 +423,7 @@ static int if_chars_in_buffer(struct tty
29975 if (!cs->connected)
29976 gig_dbg(DEBUG_IF, "not connected");
29977 - else if (!cs->open_count)
29978 + else if (!local_read(&cs->open_count))
29979 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29980 else if (cs->mstate != MS_LOCKED)
29981 dev_warn(cs->dev, "can't write to unlocked device\n");
29982 @@ -453,7 +451,7 @@ static void if_throttle(struct tty_struc
29984 if (!cs->connected)
29985 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
29986 - else if (!cs->open_count)
29987 + else if (!local_read(&cs->open_count))
29988 dev_warn(cs->dev, "%s: device not opened\n", __func__);
29991 @@ -478,7 +476,7 @@ static void if_unthrottle(struct tty_str
29993 if (!cs->connected)
29994 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
29995 - else if (!cs->open_count)
29996 + else if (!local_read(&cs->open_count))
29997 dev_warn(cs->dev, "%s: device not opened\n", __func__);
30000 @@ -510,7 +508,7 @@ static void if_set_termios(struct tty_st
30004 - if (!cs->open_count) {
30005 + if (!local_read(&cs->open_count)) {
30006 dev_warn(cs->dev, "%s: device not opened\n", __func__);
30009 diff -urNp linux-2.6.32.42/drivers/isdn/hardware/avm/b1.c linux-2.6.32.42/drivers/isdn/hardware/avm/b1.c
30010 --- linux-2.6.32.42/drivers/isdn/hardware/avm/b1.c 2011-03-27 14:31:47.000000000 -0400
30011 +++ linux-2.6.32.42/drivers/isdn/hardware/avm/b1.c 2011-04-17 15:56:46.000000000 -0400
30012 @@ -173,7 +173,7 @@ int b1_load_t4file(avmcard *card, capilo
30015 if (t4file->user) {
30016 - if (copy_from_user(buf, dp, left))
30017 + if (left > sizeof buf || copy_from_user(buf, dp, left))
30020 memcpy(buf, dp, left);
30021 @@ -221,7 +221,7 @@ int b1_load_config(avmcard *card, capilo
30024 if (config->user) {
30025 - if (copy_from_user(buf, dp, left))
30026 + if (left > sizeof buf || copy_from_user(buf, dp, left))
30029 memcpy(buf, dp, left);
30030 diff -urNp linux-2.6.32.42/drivers/isdn/hardware/eicon/capidtmf.c linux-2.6.32.42/drivers/isdn/hardware/eicon/capidtmf.c
30031 --- linux-2.6.32.42/drivers/isdn/hardware/eicon/capidtmf.c 2011-03-27 14:31:47.000000000 -0400
30032 +++ linux-2.6.32.42/drivers/isdn/hardware/eicon/capidtmf.c 2011-05-16 21:46:57.000000000 -0400
30033 @@ -498,6 +498,7 @@ void capidtmf_recv_block (t_capidtmf_sta
30034 byte goertzel_result_buffer[CAPIDTMF_RECV_TOTAL_FREQUENCY_COUNT];
30035 short windowed_sample_buffer[CAPIDTMF_RECV_WINDOWED_SAMPLES];
30037 + pax_track_stack();
30039 if (p_state->recv.state & CAPIDTMF_RECV_STATE_DTMF_ACTIVE)
30041 diff -urNp linux-2.6.32.42/drivers/isdn/hardware/eicon/capifunc.c linux-2.6.32.42/drivers/isdn/hardware/eicon/capifunc.c
30042 --- linux-2.6.32.42/drivers/isdn/hardware/eicon/capifunc.c 2011-03-27 14:31:47.000000000 -0400
30043 +++ linux-2.6.32.42/drivers/isdn/hardware/eicon/capifunc.c 2011-05-16 21:46:57.000000000 -0400
30044 @@ -1055,6 +1055,8 @@ static int divacapi_connect_didd(void)
30046 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
30048 + pax_track_stack();
30050 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
30052 for (x = 0; x < MAX_DESCRIPTORS; x++) {
30053 diff -urNp linux-2.6.32.42/drivers/isdn/hardware/eicon/diddfunc.c linux-2.6.32.42/drivers/isdn/hardware/eicon/diddfunc.c
30054 --- linux-2.6.32.42/drivers/isdn/hardware/eicon/diddfunc.c 2011-03-27 14:31:47.000000000 -0400
30055 +++ linux-2.6.32.42/drivers/isdn/hardware/eicon/diddfunc.c 2011-05-16 21:46:57.000000000 -0400
30056 @@ -54,6 +54,8 @@ static int DIVA_INIT_FUNCTION connect_di
30058 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
30060 + pax_track_stack();
30062 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
30064 for (x = 0; x < MAX_DESCRIPTORS; x++) {
30065 diff -urNp linux-2.6.32.42/drivers/isdn/hardware/eicon/divasfunc.c linux-2.6.32.42/drivers/isdn/hardware/eicon/divasfunc.c
30066 --- linux-2.6.32.42/drivers/isdn/hardware/eicon/divasfunc.c 2011-03-27 14:31:47.000000000 -0400
30067 +++ linux-2.6.32.42/drivers/isdn/hardware/eicon/divasfunc.c 2011-05-16 21:46:57.000000000 -0400
30068 @@ -161,6 +161,8 @@ static int DIVA_INIT_FUNCTION connect_di
30070 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
30072 + pax_track_stack();
30074 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
30076 for (x = 0; x < MAX_DESCRIPTORS; x++) {
30077 diff -urNp linux-2.6.32.42/drivers/isdn/hardware/eicon/idifunc.c linux-2.6.32.42/drivers/isdn/hardware/eicon/idifunc.c
30078 --- linux-2.6.32.42/drivers/isdn/hardware/eicon/idifunc.c 2011-03-27 14:31:47.000000000 -0400
30079 +++ linux-2.6.32.42/drivers/isdn/hardware/eicon/idifunc.c 2011-05-16 21:46:57.000000000 -0400
30080 @@ -188,6 +188,8 @@ static int DIVA_INIT_FUNCTION connect_di
30082 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
30084 + pax_track_stack();
30086 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
30088 for (x = 0; x < MAX_DESCRIPTORS; x++) {
30089 diff -urNp linux-2.6.32.42/drivers/isdn/hardware/eicon/message.c linux-2.6.32.42/drivers/isdn/hardware/eicon/message.c
30090 --- linux-2.6.32.42/drivers/isdn/hardware/eicon/message.c 2011-03-27 14:31:47.000000000 -0400
30091 +++ linux-2.6.32.42/drivers/isdn/hardware/eicon/message.c 2011-05-16 21:46:57.000000000 -0400
30092 @@ -4889,6 +4889,8 @@ static void sig_ind(PLCI *plci)
30096 + pax_track_stack();
30099 Id = ((word)plci->Id<<8)|a->Id;
30100 PUT_WORD(&SS_Ind[4],0x0000);
30101 @@ -7484,6 +7486,8 @@ static word add_b1(PLCI *plci, API_PARSE
30105 + pax_track_stack();
30108 for(i=0;i<8;i++) bp_parms[i].length = 0;
30109 for(i=0;i<2;i++) global_config[i].length = 0;
30110 @@ -7958,6 +7962,8 @@ static word add_b23(PLCI *plci, API_PARS
30111 const byte llc3[] = {4,3,2,2,6,6,0};
30112 const byte header[] = {0,2,3,3,0,0,0};
30114 + pax_track_stack();
30116 for(i=0;i<8;i++) bp_parms[i].length = 0;
30117 for(i=0;i<6;i++) b2_config_parms[i].length = 0;
30118 for(i=0;i<5;i++) b3_config_parms[i].length = 0;
30119 @@ -14761,6 +14767,8 @@ static void group_optimization(DIVA_CAPI
30120 word appl_number_group_type[MAX_APPL];
30123 + pax_track_stack();
30125 set_group_ind_mask (plci); /* all APPLs within this inc. call are allowed to dial in */
30127 if(!a->group_optimization_enabled)
30128 diff -urNp linux-2.6.32.42/drivers/isdn/hardware/eicon/mntfunc.c linux-2.6.32.42/drivers/isdn/hardware/eicon/mntfunc.c
30129 --- linux-2.6.32.42/drivers/isdn/hardware/eicon/mntfunc.c 2011-03-27 14:31:47.000000000 -0400
30130 +++ linux-2.6.32.42/drivers/isdn/hardware/eicon/mntfunc.c 2011-05-16 21:46:57.000000000 -0400
30131 @@ -79,6 +79,8 @@ static int DIVA_INIT_FUNCTION connect_di
30133 DESCRIPTOR DIDD_Table[MAX_DESCRIPTORS];
30135 + pax_track_stack();
30137 DIVA_DIDD_Read(DIDD_Table, sizeof(DIDD_Table));
30139 for (x = 0; x < MAX_DESCRIPTORS; x++) {
30140 diff -urNp linux-2.6.32.42/drivers/isdn/i4l/isdn_common.c linux-2.6.32.42/drivers/isdn/i4l/isdn_common.c
30141 --- linux-2.6.32.42/drivers/isdn/i4l/isdn_common.c 2011-03-27 14:31:47.000000000 -0400
30142 +++ linux-2.6.32.42/drivers/isdn/i4l/isdn_common.c 2011-05-16 21:46:57.000000000 -0400
30143 @@ -1290,6 +1290,8 @@ isdn_ioctl(struct inode *inode, struct f
30145 void __user *argp = (void __user *)arg;
30147 + pax_track_stack();
30149 #define name iocpar.name
30150 #define bname iocpar.bname
30151 #define iocts iocpar.iocts
30152 diff -urNp linux-2.6.32.42/drivers/isdn/icn/icn.c linux-2.6.32.42/drivers/isdn/icn/icn.c
30153 --- linux-2.6.32.42/drivers/isdn/icn/icn.c 2011-03-27 14:31:47.000000000 -0400
30154 +++ linux-2.6.32.42/drivers/isdn/icn/icn.c 2011-04-17 15:56:46.000000000 -0400
30155 @@ -1044,7 +1044,7 @@ icn_writecmd(const u_char * buf, int len
30159 - if (copy_from_user(msg, buf, count))
30160 + if (count > sizeof msg || copy_from_user(msg, buf, count))
30163 memcpy(msg, buf, count);
30164 diff -urNp linux-2.6.32.42/drivers/isdn/mISDN/socket.c linux-2.6.32.42/drivers/isdn/mISDN/socket.c
30165 --- linux-2.6.32.42/drivers/isdn/mISDN/socket.c 2011-03-27 14:31:47.000000000 -0400
30166 +++ linux-2.6.32.42/drivers/isdn/mISDN/socket.c 2011-04-17 15:56:46.000000000 -0400
30167 @@ -391,6 +391,7 @@ data_sock_ioctl(struct socket *sock, uns
30169 struct mISDN_devinfo di;
30171 + memset(&di, 0, sizeof(di));
30173 di.Dprotocols = dev->Dprotocols;
30174 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
30175 @@ -671,6 +672,7 @@ base_sock_ioctl(struct socket *sock, uns
30177 struct mISDN_devinfo di;
30179 + memset(&di, 0, sizeof(di));
30181 di.Dprotocols = dev->Dprotocols;
30182 di.Bprotocols = dev->Bprotocols | get_all_Bprotocols();
30183 diff -urNp linux-2.6.32.42/drivers/isdn/sc/interrupt.c linux-2.6.32.42/drivers/isdn/sc/interrupt.c
30184 --- linux-2.6.32.42/drivers/isdn/sc/interrupt.c 2011-03-27 14:31:47.000000000 -0400
30185 +++ linux-2.6.32.42/drivers/isdn/sc/interrupt.c 2011-04-17 15:56:46.000000000 -0400
30186 @@ -112,11 +112,19 @@ irqreturn_t interrupt_handler(int dummy,
30188 else if(callid>=0x0000 && callid<=0x7FFF)
30192 pr_debug("%s: Got Incoming Call\n",
30193 sc_adapter[card]->devicename);
30194 - strcpy(setup.phone,&(rcvmsg.msg_data.byte_array[4]));
30195 - strcpy(setup.eazmsn,
30196 - sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn);
30197 + len = strlcpy(setup.phone, &(rcvmsg.msg_data.byte_array[4]),
30198 + sizeof(setup.phone));
30199 + if (len >= sizeof(setup.phone))
30201 + len = strlcpy(setup.eazmsn,
30202 + sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
30203 + sizeof(setup.eazmsn));
30204 + if (len >= sizeof(setup.eazmsn))
30209 @@ -176,7 +184,9 @@ irqreturn_t interrupt_handler(int dummy,
30210 * Handle a GetMyNumber Rsp
30212 if (IS_CE_MESSAGE(rcvmsg,Call,0,GetMyNumber)){
30213 - strcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no-1].dn,rcvmsg.msg_data.byte_array);
30214 + strlcpy(sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn,
30215 + rcvmsg.msg_data.byte_array,
30216 + sizeof(rcvmsg.msg_data.byte_array));
30220 diff -urNp linux-2.6.32.42/drivers/lguest/core.c linux-2.6.32.42/drivers/lguest/core.c
30221 --- linux-2.6.32.42/drivers/lguest/core.c 2011-03-27 14:31:47.000000000 -0400
30222 +++ linux-2.6.32.42/drivers/lguest/core.c 2011-04-17 15:56:46.000000000 -0400
30223 @@ -91,9 +91,17 @@ static __init int map_switcher(void)
30224 * it's worked so far. The end address needs +1 because __get_vm_area
30225 * allocates an extra guard page, so we need space for that.
30228 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
30229 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
30230 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
30231 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
30233 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
30234 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
30235 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
30238 if (!switcher_vma) {
30240 printk("lguest: could not map switcher pages high\n");
30241 @@ -118,7 +126,7 @@ static __init int map_switcher(void)
30242 * Now the Switcher is mapped at the right address, we can't fail!
30243 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
30245 - memcpy(switcher_vma->addr, start_switcher_text,
30246 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
30247 end_switcher_text - start_switcher_text);
30249 printk(KERN_INFO "lguest: mapped switcher at %p\n",
30250 diff -urNp linux-2.6.32.42/drivers/lguest/x86/core.c linux-2.6.32.42/drivers/lguest/x86/core.c
30251 --- linux-2.6.32.42/drivers/lguest/x86/core.c 2011-03-27 14:31:47.000000000 -0400
30252 +++ linux-2.6.32.42/drivers/lguest/x86/core.c 2011-04-17 15:56:46.000000000 -0400
30253 @@ -59,7 +59,7 @@ static struct {
30254 /* Offset from where switcher.S was compiled to where we've copied it */
30255 static unsigned long switcher_offset(void)
30257 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
30258 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
30261 /* This cpu's struct lguest_pages. */
30262 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
30263 * These copies are pretty cheap, so we do them unconditionally: */
30264 /* Save the current Host top-level page directory.
30267 +#ifdef CONFIG_PAX_PER_CPU_PGD
30268 + pages->state.host_cr3 = read_cr3();
30270 pages->state.host_cr3 = __pa(current->mm->pgd);
30274 * Set up the Guest's page tables to see this CPU's pages (and no
30275 * other CPU's pages).
30276 @@ -535,7 +541,7 @@ void __init lguest_arch_host_init(void)
30277 * compiled-in switcher code and the high-mapped copy we just made.
30279 for (i = 0; i < IDT_ENTRIES; i++)
30280 - default_idt_entries[i] += switcher_offset();
30281 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
30284 * Set up the Switcher's per-cpu areas.
30285 @@ -618,7 +624,7 @@ void __init lguest_arch_host_init(void)
30286 * it will be undisturbed when we switch. To change %cs and jump we
30287 * need this structure to feed to Intel's "lcall" instruction.
30289 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
30290 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
30291 lguest_entry.segment = LGUEST_CS;
30294 diff -urNp linux-2.6.32.42/drivers/lguest/x86/switcher_32.S linux-2.6.32.42/drivers/lguest/x86/switcher_32.S
30295 --- linux-2.6.32.42/drivers/lguest/x86/switcher_32.S 2011-03-27 14:31:47.000000000 -0400
30296 +++ linux-2.6.32.42/drivers/lguest/x86/switcher_32.S 2011-04-17 15:56:46.000000000 -0400
30298 #include <asm/page.h>
30299 #include <asm/segment.h>
30300 #include <asm/lguest.h>
30301 +#include <asm/processor-flags.h>
30303 // We mark the start of the code to copy
30304 // It's placed in .text tho it's never run here
30305 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
30306 // Changes type when we load it: damn Intel!
30307 // For after we switch over our page tables
30308 // That entry will be read-only: we'd crash.
30310 +#ifdef CONFIG_PAX_KERNEXEC
30312 + xor $X86_CR0_WP, %edx
30316 movl $(GDT_ENTRY_TSS*8), %edx
30319 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
30320 // Let's clear it again for our return.
30321 // The GDT descriptor of the Host
30322 // Points to the table after two "size" bytes
30323 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
30324 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
30325 // Clear "used" from type field (byte 5, bit 2)
30326 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
30327 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
30329 +#ifdef CONFIG_PAX_KERNEXEC
30331 + xor $X86_CR0_WP, %eax
30335 // Once our page table's switched, the Guest is live!
30336 // The Host fades as we run this final step.
30337 @@ -295,13 +309,12 @@ deliver_to_host:
30338 // I consulted gcc, and it gave
30339 // These instructions, which I gladly credit:
30340 leal (%edx,%ebx,8), %eax
30341 - movzwl (%eax),%edx
30342 - movl 4(%eax), %eax
30345 + movl 4(%eax), %edx
30347 // Now the address of the handler's in %edx
30348 // We call it now: its "iret" drops us home.
30350 + ljmp $__KERNEL_CS, $1f
30353 // Every interrupt can come to us here
30354 // But we must truly tell each apart.
30355 diff -urNp linux-2.6.32.42/drivers/macintosh/via-pmu-backlight.c linux-2.6.32.42/drivers/macintosh/via-pmu-backlight.c
30356 --- linux-2.6.32.42/drivers/macintosh/via-pmu-backlight.c 2011-03-27 14:31:47.000000000 -0400
30357 +++ linux-2.6.32.42/drivers/macintosh/via-pmu-backlight.c 2011-04-17 15:56:46.000000000 -0400
30360 #define MAX_PMU_LEVEL 0xFF
30362 -static struct backlight_ops pmu_backlight_data;
30363 +static const struct backlight_ops pmu_backlight_data;
30364 static DEFINE_SPINLOCK(pmu_backlight_lock);
30365 static int sleeping, uses_pmu_bl;
30366 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
30367 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
30368 return bd->props.brightness;
30371 -static struct backlight_ops pmu_backlight_data = {
30372 +static const struct backlight_ops pmu_backlight_data = {
30373 .get_brightness = pmu_backlight_get_brightness,
30374 .update_status = pmu_backlight_update_status,
30376 diff -urNp linux-2.6.32.42/drivers/macintosh/via-pmu.c linux-2.6.32.42/drivers/macintosh/via-pmu.c
30377 --- linux-2.6.32.42/drivers/macintosh/via-pmu.c 2011-03-27 14:31:47.000000000 -0400
30378 +++ linux-2.6.32.42/drivers/macintosh/via-pmu.c 2011-04-17 15:56:46.000000000 -0400
30379 @@ -2232,7 +2232,7 @@ static int pmu_sleep_valid(suspend_state
30380 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
30383 -static struct platform_suspend_ops pmu_pm_ops = {
30384 +static const struct platform_suspend_ops pmu_pm_ops = {
30385 .enter = powerbook_sleep,
30386 .valid = pmu_sleep_valid,
30388 diff -urNp linux-2.6.32.42/drivers/md/dm.c linux-2.6.32.42/drivers/md/dm.c
30389 --- linux-2.6.32.42/drivers/md/dm.c 2011-03-27 14:31:47.000000000 -0400
30390 +++ linux-2.6.32.42/drivers/md/dm.c 2011-05-04 17:56:28.000000000 -0400
30391 @@ -163,9 +163,9 @@ struct mapped_device {
30395 - atomic_t event_nr;
30396 + atomic_unchecked_t event_nr;
30397 wait_queue_head_t eventq;
30398 - atomic_t uevent_seq;
30399 + atomic_unchecked_t uevent_seq;
30400 struct list_head uevent_list;
30401 spinlock_t uevent_lock; /* Protect access to uevent_list */
30403 @@ -1770,8 +1770,8 @@ static struct mapped_device *alloc_dev(i
30404 rwlock_init(&md->map_lock);
30405 atomic_set(&md->holders, 1);
30406 atomic_set(&md->open_count, 0);
30407 - atomic_set(&md->event_nr, 0);
30408 - atomic_set(&md->uevent_seq, 0);
30409 + atomic_set_unchecked(&md->event_nr, 0);
30410 + atomic_set_unchecked(&md->uevent_seq, 0);
30411 INIT_LIST_HEAD(&md->uevent_list);
30412 spin_lock_init(&md->uevent_lock);
30414 @@ -1921,7 +1921,7 @@ static void event_callback(void *context
30416 dm_send_uevents(&uevents, &disk_to_dev(md->disk)->kobj);
30418 - atomic_inc(&md->event_nr);
30419 + atomic_inc_unchecked(&md->event_nr);
30420 wake_up(&md->eventq);
30423 @@ -2556,18 +2556,18 @@ void dm_kobject_uevent(struct mapped_dev
30425 uint32_t dm_next_uevent_seq(struct mapped_device *md)
30427 - return atomic_add_return(1, &md->uevent_seq);
30428 + return atomic_add_return_unchecked(1, &md->uevent_seq);
30431 uint32_t dm_get_event_nr(struct mapped_device *md)
30433 - return atomic_read(&md->event_nr);
30434 + return atomic_read_unchecked(&md->event_nr);
30437 int dm_wait_event(struct mapped_device *md, int event_nr)
30439 return wait_event_interruptible(md->eventq,
30440 - (event_nr != atomic_read(&md->event_nr)));
30441 + (event_nr != atomic_read_unchecked(&md->event_nr)));
30444 void dm_uevent_add(struct mapped_device *md, struct list_head *elist)
30445 diff -urNp linux-2.6.32.42/drivers/md/dm-ioctl.c linux-2.6.32.42/drivers/md/dm-ioctl.c
30446 --- linux-2.6.32.42/drivers/md/dm-ioctl.c 2011-03-27 14:31:47.000000000 -0400
30447 +++ linux-2.6.32.42/drivers/md/dm-ioctl.c 2011-04-17 15:56:46.000000000 -0400
30448 @@ -1437,7 +1437,7 @@ static int validate_params(uint cmd, str
30449 cmd == DM_LIST_VERSIONS_CMD)
30452 - if ((cmd == DM_DEV_CREATE_CMD)) {
30453 + if (cmd == DM_DEV_CREATE_CMD) {
30454 if (!*param->name) {
30455 DMWARN("name not supplied when creating device");
30457 diff -urNp linux-2.6.32.42/drivers/md/dm-raid1.c linux-2.6.32.42/drivers/md/dm-raid1.c
30458 --- linux-2.6.32.42/drivers/md/dm-raid1.c 2011-03-27 14:31:47.000000000 -0400
30459 +++ linux-2.6.32.42/drivers/md/dm-raid1.c 2011-05-04 17:56:28.000000000 -0400
30460 @@ -41,7 +41,7 @@ enum dm_raid1_error {
30463 struct mirror_set *ms;
30464 - atomic_t error_count;
30465 + atomic_unchecked_t error_count;
30466 unsigned long error_type;
30467 struct dm_dev *dev;
30469 @@ -203,7 +203,7 @@ static void fail_mirror(struct mirror *m
30470 * simple way to tell if a device has encountered
30473 - atomic_inc(&m->error_count);
30474 + atomic_inc_unchecked(&m->error_count);
30476 if (test_and_set_bit(error_type, &m->error_type))
30478 @@ -225,7 +225,7 @@ static void fail_mirror(struct mirror *m
30481 for (new = ms->mirror; new < ms->mirror + ms->nr_mirrors; new++)
30482 - if (!atomic_read(&new->error_count)) {
30483 + if (!atomic_read_unchecked(&new->error_count)) {
30484 set_default_mirror(new);
30487 @@ -363,7 +363,7 @@ static struct mirror *choose_mirror(stru
30488 struct mirror *m = get_default_mirror(ms);
30491 - if (likely(!atomic_read(&m->error_count)))
30492 + if (likely(!atomic_read_unchecked(&m->error_count)))
30495 if (m-- == ms->mirror)
30496 @@ -377,7 +377,7 @@ static int default_ok(struct mirror *m)
30498 struct mirror *default_mirror = get_default_mirror(m->ms);
30500 - return !atomic_read(&default_mirror->error_count);
30501 + return !atomic_read_unchecked(&default_mirror->error_count);
30504 static int mirror_available(struct mirror_set *ms, struct bio *bio)
30505 @@ -484,7 +484,7 @@ static void do_reads(struct mirror_set *
30507 if (likely(region_in_sync(ms, region, 1)))
30508 m = choose_mirror(ms, bio->bi_sector);
30509 - else if (m && atomic_read(&m->error_count))
30510 + else if (m && atomic_read_unchecked(&m->error_count))
30514 @@ -855,7 +855,7 @@ static int get_mirror(struct mirror_set
30517 ms->mirror[mirror].ms = ms;
30518 - atomic_set(&(ms->mirror[mirror].error_count), 0);
30519 + atomic_set_unchecked(&(ms->mirror[mirror].error_count), 0);
30520 ms->mirror[mirror].error_type = 0;
30521 ms->mirror[mirror].offset = offset;
30523 @@ -1241,7 +1241,7 @@ static void mirror_resume(struct dm_targ
30525 static char device_status_char(struct mirror *m)
30527 - if (!atomic_read(&(m->error_count)))
30528 + if (!atomic_read_unchecked(&(m->error_count)))
30531 return (test_bit(DM_RAID1_WRITE_ERROR, &(m->error_type))) ? 'D' :
30532 diff -urNp linux-2.6.32.42/drivers/md/dm-stripe.c linux-2.6.32.42/drivers/md/dm-stripe.c
30533 --- linux-2.6.32.42/drivers/md/dm-stripe.c 2011-03-27 14:31:47.000000000 -0400
30534 +++ linux-2.6.32.42/drivers/md/dm-stripe.c 2011-05-04 17:56:28.000000000 -0400
30535 @@ -20,7 +20,7 @@ struct stripe {
30536 struct dm_dev *dev;
30537 sector_t physical_start;
30539 - atomic_t error_count;
30540 + atomic_unchecked_t error_count;
30544 @@ -188,7 +188,7 @@ static int stripe_ctr(struct dm_target *
30548 - atomic_set(&(sc->stripe[i].error_count), 0);
30549 + atomic_set_unchecked(&(sc->stripe[i].error_count), 0);
30553 @@ -257,7 +257,7 @@ static int stripe_status(struct dm_targe
30554 DMEMIT("%d ", sc->stripes);
30555 for (i = 0; i < sc->stripes; i++) {
30556 DMEMIT("%s ", sc->stripe[i].dev->name);
30557 - buffer[i] = atomic_read(&(sc->stripe[i].error_count)) ?
30558 + buffer[i] = atomic_read_unchecked(&(sc->stripe[i].error_count)) ?
30562 @@ -304,8 +304,8 @@ static int stripe_end_io(struct dm_targe
30564 for (i = 0; i < sc->stripes; i++)
30565 if (!strcmp(sc->stripe[i].dev->name, major_minor)) {
30566 - atomic_inc(&(sc->stripe[i].error_count));
30567 - if (atomic_read(&(sc->stripe[i].error_count)) <
30568 + atomic_inc_unchecked(&(sc->stripe[i].error_count));
30569 + if (atomic_read_unchecked(&(sc->stripe[i].error_count)) <
30570 DM_IO_ERROR_THRESHOLD)
30571 queue_work(kstriped, &sc->kstriped_ws);
30573 diff -urNp linux-2.6.32.42/drivers/md/dm-sysfs.c linux-2.6.32.42/drivers/md/dm-sysfs.c
30574 --- linux-2.6.32.42/drivers/md/dm-sysfs.c 2011-03-27 14:31:47.000000000 -0400
30575 +++ linux-2.6.32.42/drivers/md/dm-sysfs.c 2011-04-17 15:56:46.000000000 -0400
30576 @@ -75,7 +75,7 @@ static struct attribute *dm_attrs[] = {
30580 -static struct sysfs_ops dm_sysfs_ops = {
30581 +static const struct sysfs_ops dm_sysfs_ops = {
30582 .show = dm_attr_show,
30585 diff -urNp linux-2.6.32.42/drivers/md/dm-table.c linux-2.6.32.42/drivers/md/dm-table.c
30586 --- linux-2.6.32.42/drivers/md/dm-table.c 2011-06-25 12:55:34.000000000 -0400
30587 +++ linux-2.6.32.42/drivers/md/dm-table.c 2011-06-25 12:56:37.000000000 -0400
30588 @@ -376,7 +376,7 @@ static int device_area_is_invalid(struct
30592 - if ((start >= dev_size) || (start + len > dev_size)) {
30593 + if ((start >= dev_size) || (len > dev_size - start)) {
30594 DMWARN("%s: %s too small for target: "
30595 "start=%llu, len=%llu, dev_size=%llu",
30596 dm_device_name(ti->table->md), bdevname(bdev, b),
30597 diff -urNp linux-2.6.32.42/drivers/md/md.c linux-2.6.32.42/drivers/md/md.c
30598 --- linux-2.6.32.42/drivers/md/md.c 2011-06-25 12:55:34.000000000 -0400
30599 +++ linux-2.6.32.42/drivers/md/md.c 2011-06-25 12:56:37.000000000 -0400
30600 @@ -153,10 +153,10 @@ static int start_readonly;
30601 * start build, activate spare
30603 static DECLARE_WAIT_QUEUE_HEAD(md_event_waiters);
30604 -static atomic_t md_event_count;
30605 +static atomic_unchecked_t md_event_count;
30606 void md_new_event(mddev_t *mddev)
30608 - atomic_inc(&md_event_count);
30609 + atomic_inc_unchecked(&md_event_count);
30610 wake_up(&md_event_waiters);
30612 EXPORT_SYMBOL_GPL(md_new_event);
30613 @@ -166,7 +166,7 @@ EXPORT_SYMBOL_GPL(md_new_event);
30615 static void md_new_event_inintr(mddev_t *mddev)
30617 - atomic_inc(&md_event_count);
30618 + atomic_inc_unchecked(&md_event_count);
30619 wake_up(&md_event_waiters);
30622 @@ -1218,7 +1218,7 @@ static int super_1_load(mdk_rdev_t *rdev
30624 rdev->preferred_minor = 0xffff;
30625 rdev->data_offset = le64_to_cpu(sb->data_offset);
30626 - atomic_set(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
30627 + atomic_set_unchecked(&rdev->corrected_errors, le32_to_cpu(sb->cnt_corrected_read));
30629 rdev->sb_size = le32_to_cpu(sb->max_dev) * 2 + 256;
30630 bmask = queue_logical_block_size(rdev->bdev->bd_disk->queue)-1;
30631 @@ -1392,7 +1392,7 @@ static void super_1_sync(mddev_t *mddev,
30633 sb->resync_offset = cpu_to_le64(0);
30635 - sb->cnt_corrected_read = cpu_to_le32(atomic_read(&rdev->corrected_errors));
30636 + sb->cnt_corrected_read = cpu_to_le32(atomic_read_unchecked(&rdev->corrected_errors));
30638 sb->raid_disks = cpu_to_le32(mddev->raid_disks);
30639 sb->size = cpu_to_le64(mddev->dev_sectors);
30640 @@ -2214,7 +2214,7 @@ __ATTR(state, S_IRUGO|S_IWUSR, state_sho
30642 errors_show(mdk_rdev_t *rdev, char *page)
30644 - return sprintf(page, "%d\n", atomic_read(&rdev->corrected_errors));
30645 + return sprintf(page, "%d\n", atomic_read_unchecked(&rdev->corrected_errors));
30649 @@ -2223,7 +2223,7 @@ errors_store(mdk_rdev_t *rdev, const cha
30651 unsigned long n = simple_strtoul(buf, &e, 10);
30652 if (*buf && (*e == 0 || *e == '\n')) {
30653 - atomic_set(&rdev->corrected_errors, n);
30654 + atomic_set_unchecked(&rdev->corrected_errors, n);
30658 @@ -2517,7 +2517,7 @@ static void rdev_free(struct kobject *ko
30659 mdk_rdev_t *rdev = container_of(ko, mdk_rdev_t, kobj);
30662 -static struct sysfs_ops rdev_sysfs_ops = {
30663 +static const struct sysfs_ops rdev_sysfs_ops = {
30664 .show = rdev_attr_show,
30665 .store = rdev_attr_store,
30667 @@ -2566,8 +2566,8 @@ static mdk_rdev_t *md_import_device(dev_
30668 rdev->data_offset = 0;
30669 rdev->sb_events = 0;
30670 atomic_set(&rdev->nr_pending, 0);
30671 - atomic_set(&rdev->read_errors, 0);
30672 - atomic_set(&rdev->corrected_errors, 0);
30673 + atomic_set_unchecked(&rdev->read_errors, 0);
30674 + atomic_set_unchecked(&rdev->corrected_errors, 0);
30676 size = rdev->bdev->bd_inode->i_size >> BLOCK_SIZE_BITS;
30678 @@ -3887,7 +3887,7 @@ static void md_free(struct kobject *ko)
30682 -static struct sysfs_ops md_sysfs_ops = {
30683 +static const struct sysfs_ops md_sysfs_ops = {
30684 .show = md_attr_show,
30685 .store = md_attr_store,
30687 @@ -4474,7 +4474,8 @@ out:
30689 blk_integrity_unregister(disk);
30690 md_new_event(mddev);
30691 - sysfs_notify_dirent(mddev->sysfs_state);
30692 + if (mddev->sysfs_state)
30693 + sysfs_notify_dirent(mddev->sysfs_state);
30697 @@ -5954,7 +5955,7 @@ static int md_seq_show(struct seq_file *
30699 spin_unlock(&pers_lock);
30700 seq_printf(seq, "\n");
30701 - mi->event = atomic_read(&md_event_count);
30702 + mi->event = atomic_read_unchecked(&md_event_count);
30705 if (v == (void*)2) {
30706 @@ -6043,7 +6044,7 @@ static int md_seq_show(struct seq_file *
30707 chunk_kb ? "KB" : "B");
30708 if (bitmap->file) {
30709 seq_printf(seq, ", file: ");
30710 - seq_path(seq, &bitmap->file->f_path, " \t\n");
30711 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
30714 seq_printf(seq, "\n");
30715 @@ -6077,7 +6078,7 @@ static int md_seq_open(struct inode *ino
30717 struct seq_file *p = file->private_data;
30719 - mi->event = atomic_read(&md_event_count);
30720 + mi->event = atomic_read_unchecked(&md_event_count);
30724 @@ -6093,7 +6094,7 @@ static unsigned int mdstat_poll(struct f
30725 /* always allow read */
30726 mask = POLLIN | POLLRDNORM;
30728 - if (mi->event != atomic_read(&md_event_count))
30729 + if (mi->event != atomic_read_unchecked(&md_event_count))
30730 mask |= POLLERR | POLLPRI;
30733 @@ -6137,7 +6138,7 @@ static int is_mddev_idle(mddev_t *mddev,
30734 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
30735 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
30736 (int)part_stat_read(&disk->part0, sectors[1]) -
30737 - atomic_read(&disk->sync_io);
30738 + atomic_read_unchecked(&disk->sync_io);
30739 /* sync IO will cause sync_io to increase before the disk_stats
30740 * as sync_io is counted when a request starts, and
30741 * disk_stats is counted when it completes.
30742 diff -urNp linux-2.6.32.42/drivers/md/md.h linux-2.6.32.42/drivers/md/md.h
30743 --- linux-2.6.32.42/drivers/md/md.h 2011-03-27 14:31:47.000000000 -0400
30744 +++ linux-2.6.32.42/drivers/md/md.h 2011-05-04 17:56:20.000000000 -0400
30745 @@ -94,10 +94,10 @@ struct mdk_rdev_s
30746 * only maintained for arrays that
30747 * support hot removal
30749 - atomic_t read_errors; /* number of consecutive read errors that
30750 + atomic_unchecked_t read_errors; /* number of consecutive read errors that
30751 * we have tried to ignore.
30753 - atomic_t corrected_errors; /* number of corrected read errors,
30754 + atomic_unchecked_t corrected_errors; /* number of corrected read errors,
30755 * for reporting to userspace and storing
30758 @@ -304,7 +304,7 @@ static inline void rdev_dec_pending(mdk_
30760 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
30762 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
30763 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
30766 struct mdk_personality
30767 diff -urNp linux-2.6.32.42/drivers/md/raid10.c linux-2.6.32.42/drivers/md/raid10.c
30768 --- linux-2.6.32.42/drivers/md/raid10.c 2011-03-27 14:31:47.000000000 -0400
30769 +++ linux-2.6.32.42/drivers/md/raid10.c 2011-05-04 17:56:28.000000000 -0400
30770 @@ -1255,7 +1255,7 @@ static void end_sync_read(struct bio *bi
30771 if (test_bit(BIO_UPTODATE, &bio->bi_flags))
30772 set_bit(R10BIO_Uptodate, &r10_bio->state);
30774 - atomic_add(r10_bio->sectors,
30775 + atomic_add_unchecked(r10_bio->sectors,
30776 &conf->mirrors[d].rdev->corrected_errors);
30777 if (!test_bit(MD_RECOVERY_SYNC, &conf->mddev->recovery))
30778 md_error(r10_bio->mddev,
30779 @@ -1520,7 +1520,7 @@ static void fix_read_error(conf_t *conf,
30780 test_bit(In_sync, &rdev->flags)) {
30781 atomic_inc(&rdev->nr_pending);
30783 - atomic_add(s, &rdev->corrected_errors);
30784 + atomic_add_unchecked(s, &rdev->corrected_errors);
30785 if (sync_page_io(rdev->bdev,
30786 r10_bio->devs[sl].addr +
30787 sect + rdev->data_offset,
30788 diff -urNp linux-2.6.32.42/drivers/md/raid1.c linux-2.6.32.42/drivers/md/raid1.c
30789 --- linux-2.6.32.42/drivers/md/raid1.c 2011-03-27 14:31:47.000000000 -0400
30790 +++ linux-2.6.32.42/drivers/md/raid1.c 2011-05-04 17:56:28.000000000 -0400
30791 @@ -1415,7 +1415,7 @@ static void sync_request_write(mddev_t *
30792 if (r1_bio->bios[d]->bi_end_io != end_sync_read)
30794 rdev = conf->mirrors[d].rdev;
30795 - atomic_add(s, &rdev->corrected_errors);
30796 + atomic_add_unchecked(s, &rdev->corrected_errors);
30797 if (sync_page_io(rdev->bdev,
30798 sect + rdev->data_offset,
30800 @@ -1564,7 +1564,7 @@ static void fix_read_error(conf_t *conf,
30801 /* Well, this device is dead */
30802 md_error(mddev, rdev);
30804 - atomic_add(s, &rdev->corrected_errors);
30805 + atomic_add_unchecked(s, &rdev->corrected_errors);
30807 "raid1:%s: read error corrected "
30808 "(%d sectors at %llu on %s)\n",
30809 diff -urNp linux-2.6.32.42/drivers/md/raid5.c linux-2.6.32.42/drivers/md/raid5.c
30810 --- linux-2.6.32.42/drivers/md/raid5.c 2011-06-25 12:55:34.000000000 -0400
30811 +++ linux-2.6.32.42/drivers/md/raid5.c 2011-06-25 12:58:39.000000000 -0400
30812 @@ -482,7 +482,7 @@ static void ops_run_io(struct stripe_hea
30813 bi->bi_next = NULL;
30814 if ((rw & WRITE) &&
30815 test_bit(R5_ReWrite, &sh->dev[i].flags))
30816 - atomic_add(STRIPE_SECTORS,
30817 + atomic_add_unchecked(STRIPE_SECTORS,
30818 &rdev->corrected_errors);
30819 generic_make_request(bi);
30821 @@ -1517,15 +1517,15 @@ static void raid5_end_read_request(struc
30822 clear_bit(R5_ReadError, &sh->dev[i].flags);
30823 clear_bit(R5_ReWrite, &sh->dev[i].flags);
30825 - if (atomic_read(&conf->disks[i].rdev->read_errors))
30826 - atomic_set(&conf->disks[i].rdev->read_errors, 0);
30827 + if (atomic_read_unchecked(&conf->disks[i].rdev->read_errors))
30828 + atomic_set_unchecked(&conf->disks[i].rdev->read_errors, 0);
30830 const char *bdn = bdevname(conf->disks[i].rdev->bdev, b);
30832 rdev = conf->disks[i].rdev;
30834 clear_bit(R5_UPTODATE, &sh->dev[i].flags);
30835 - atomic_inc(&rdev->read_errors);
30836 + atomic_inc_unchecked(&rdev->read_errors);
30837 if (conf->mddev->degraded >= conf->max_degraded)
30838 printk_rl(KERN_WARNING
30839 "raid5:%s: read error not correctable "
30840 @@ -1543,7 +1543,7 @@ static void raid5_end_read_request(struc
30841 (unsigned long long)(sh->sector
30842 + rdev->data_offset),
30844 - else if (atomic_read(&rdev->read_errors)
30845 + else if (atomic_read_unchecked(&rdev->read_errors)
30846 > conf->max_nr_stripes)
30847 printk(KERN_WARNING
30848 "raid5:%s: Too many read errors, failing device %s.\n",
30849 @@ -1870,6 +1870,7 @@ static sector_t compute_blocknr(struct s
30851 struct stripe_head sh2;
30853 + pax_track_stack();
30855 chunk_offset = sector_div(new_sector, sectors_per_chunk);
30856 stripe = new_sector;
30857 diff -urNp linux-2.6.32.42/drivers/media/common/saa7146_hlp.c linux-2.6.32.42/drivers/media/common/saa7146_hlp.c
30858 --- linux-2.6.32.42/drivers/media/common/saa7146_hlp.c 2011-03-27 14:31:47.000000000 -0400
30859 +++ linux-2.6.32.42/drivers/media/common/saa7146_hlp.c 2011-05-16 21:46:57.000000000 -0400
30860 @@ -353,6 +353,8 @@ static void calculate_clipping_registers
30862 int x[32], y[32], w[32], h[32];
30864 + pax_track_stack();
30866 /* clear out memory */
30867 memset(&line_list[0], 0x00, sizeof(u32)*32);
30868 memset(&pixel_list[0], 0x00, sizeof(u32)*32);
30869 diff -urNp linux-2.6.32.42/drivers/media/dvb/dvb-core/dvb_ca_en50221.c linux-2.6.32.42/drivers/media/dvb/dvb-core/dvb_ca_en50221.c
30870 --- linux-2.6.32.42/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-03-27 14:31:47.000000000 -0400
30871 +++ linux-2.6.32.42/drivers/media/dvb/dvb-core/dvb_ca_en50221.c 2011-05-16 21:46:57.000000000 -0400
30872 @@ -590,6 +590,8 @@ static int dvb_ca_en50221_read_data(stru
30873 u8 buf[HOST_LINK_BUF_SIZE];
30876 + pax_track_stack();
30878 dprintk("%s\n", __func__);
30880 /* check if we have space for a link buf in the rx_buffer */
30881 @@ -1285,6 +1287,8 @@ static ssize_t dvb_ca_en50221_io_write(s
30882 unsigned long timeout;
30885 + pax_track_stack();
30887 dprintk("%s\n", __func__);
30889 /* Incoming packet has a 2 byte header. hdr[0] = slot_id, hdr[1] = connection_id */
30890 diff -urNp linux-2.6.32.42/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.32.42/drivers/media/dvb/dvb-core/dvbdev.c
30891 --- linux-2.6.32.42/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-27 14:31:47.000000000 -0400
30892 +++ linux-2.6.32.42/drivers/media/dvb/dvb-core/dvbdev.c 2011-04-17 15:56:46.000000000 -0400
30893 @@ -191,6 +191,7 @@ int dvb_register_device(struct dvb_adapt
30894 const struct dvb_device *template, void *priv, int type)
30896 struct dvb_device *dvbdev;
30897 + /* cannot be const */
30898 struct file_operations *dvbdevfops;
30899 struct device *clsdev;
30901 diff -urNp linux-2.6.32.42/drivers/media/dvb/dvb-usb/dib0700_core.c linux-2.6.32.42/drivers/media/dvb/dvb-usb/dib0700_core.c
30902 --- linux-2.6.32.42/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-03-27 14:31:47.000000000 -0400
30903 +++ linux-2.6.32.42/drivers/media/dvb/dvb-usb/dib0700_core.c 2011-05-16 21:46:57.000000000 -0400
30904 @@ -332,6 +332,8 @@ int dib0700_download_firmware(struct usb
30908 + pax_track_stack();
30910 while ((ret = dvb_usb_get_hexline(fw, &hx, &pos)) > 0) {
30911 deb_fwdata("writing to address 0x%08x (buffer: 0x%02x %02x)\n",hx.addr, hx.len, hx.chk);
30913 diff -urNp linux-2.6.32.42/drivers/media/dvb/frontends/or51211.c linux-2.6.32.42/drivers/media/dvb/frontends/or51211.c
30914 --- linux-2.6.32.42/drivers/media/dvb/frontends/or51211.c 2011-03-27 14:31:47.000000000 -0400
30915 +++ linux-2.6.32.42/drivers/media/dvb/frontends/or51211.c 2011-05-16 21:46:57.000000000 -0400
30916 @@ -113,6 +113,8 @@ static int or51211_load_firmware (struct
30920 + pax_track_stack();
30922 dprintk("Firmware is %zd bytes\n",fw->size);
30924 /* Get eprom data */
30925 diff -urNp linux-2.6.32.42/drivers/media/radio/radio-cadet.c linux-2.6.32.42/drivers/media/radio/radio-cadet.c
30926 --- linux-2.6.32.42/drivers/media/radio/radio-cadet.c 2011-03-27 14:31:47.000000000 -0400
30927 +++ linux-2.6.32.42/drivers/media/radio/radio-cadet.c 2011-04-17 15:56:46.000000000 -0400
30928 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
30929 while (i < count && dev->rdsin != dev->rdsout)
30930 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
30932 - if (copy_to_user(data, readbuf, i))
30933 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
30937 diff -urNp linux-2.6.32.42/drivers/media/video/cx18/cx18-driver.c linux-2.6.32.42/drivers/media/video/cx18/cx18-driver.c
30938 --- linux-2.6.32.42/drivers/media/video/cx18/cx18-driver.c 2011-03-27 14:31:47.000000000 -0400
30939 +++ linux-2.6.32.42/drivers/media/video/cx18/cx18-driver.c 2011-05-16 21:46:57.000000000 -0400
30940 @@ -56,7 +56,7 @@ static struct pci_device_id cx18_pci_tbl
30942 MODULE_DEVICE_TABLE(pci, cx18_pci_tbl);
30944 -static atomic_t cx18_instance = ATOMIC_INIT(0);
30945 +static atomic_unchecked_t cx18_instance = ATOMIC_INIT(0);
30947 /* Parameter declarations */
30948 static int cardtype[CX18_MAX_CARDS];
30949 @@ -288,6 +288,8 @@ void cx18_read_eeprom(struct cx18 *cx, s
30950 struct i2c_client c;
30953 + pax_track_stack();
30955 memset(&c, 0, sizeof(c));
30956 strlcpy(c.name, "cx18 tveeprom tmp", sizeof(c.name));
30957 c.adapter = &cx->i2c_adap[0];
30958 @@ -800,7 +802,7 @@ static int __devinit cx18_probe(struct p
30961 /* FIXME - module parameter arrays constrain max instances */
30962 - i = atomic_inc_return(&cx18_instance) - 1;
30963 + i = atomic_inc_return_unchecked(&cx18_instance) - 1;
30964 if (i >= CX18_MAX_CARDS) {
30965 printk(KERN_ERR "cx18: cannot manage card %d, driver has a "
30966 "limit of 0 - %d\n", i, CX18_MAX_CARDS - 1);
30967 diff -urNp linux-2.6.32.42/drivers/media/video/ivtv/ivtv-driver.c linux-2.6.32.42/drivers/media/video/ivtv/ivtv-driver.c
30968 --- linux-2.6.32.42/drivers/media/video/ivtv/ivtv-driver.c 2011-03-27 14:31:47.000000000 -0400
30969 +++ linux-2.6.32.42/drivers/media/video/ivtv/ivtv-driver.c 2011-05-04 17:56:28.000000000 -0400
30970 @@ -79,7 +79,7 @@ static struct pci_device_id ivtv_pci_tbl
30971 MODULE_DEVICE_TABLE(pci,ivtv_pci_tbl);
30973 /* ivtv instance counter */
30974 -static atomic_t ivtv_instance = ATOMIC_INIT(0);
30975 +static atomic_unchecked_t ivtv_instance = ATOMIC_INIT(0);
30977 /* Parameter declarations */
30978 static int cardtype[IVTV_MAX_CARDS];
30979 diff -urNp linux-2.6.32.42/drivers/media/video/omap24xxcam.c linux-2.6.32.42/drivers/media/video/omap24xxcam.c
30980 --- linux-2.6.32.42/drivers/media/video/omap24xxcam.c 2011-03-27 14:31:47.000000000 -0400
30981 +++ linux-2.6.32.42/drivers/media/video/omap24xxcam.c 2011-05-04 17:56:28.000000000 -0400
30982 @@ -401,7 +401,7 @@ static void omap24xxcam_vbq_complete(str
30983 spin_unlock_irqrestore(&cam->core_enable_disable_lock, flags);
30985 do_gettimeofday(&vb->ts);
30986 - vb->field_count = atomic_add_return(2, &fh->field_count);
30987 + vb->field_count = atomic_add_return_unchecked(2, &fh->field_count);
30988 if (csr & csr_error) {
30989 vb->state = VIDEOBUF_ERROR;
30990 if (!atomic_read(&fh->cam->in_reset)) {
30991 diff -urNp linux-2.6.32.42/drivers/media/video/omap24xxcam.h linux-2.6.32.42/drivers/media/video/omap24xxcam.h
30992 --- linux-2.6.32.42/drivers/media/video/omap24xxcam.h 2011-03-27 14:31:47.000000000 -0400
30993 +++ linux-2.6.32.42/drivers/media/video/omap24xxcam.h 2011-05-04 17:56:28.000000000 -0400
30994 @@ -533,7 +533,7 @@ struct omap24xxcam_fh {
30995 spinlock_t vbq_lock; /* spinlock for the videobuf queue */
30996 struct videobuf_queue vbq;
30997 struct v4l2_pix_format pix; /* serialise pix by vbq->lock */
30998 - atomic_t field_count; /* field counter for videobuf_buffer */
30999 + atomic_unchecked_t field_count; /* field counter for videobuf_buffer */
31000 /* accessing cam here doesn't need serialisation: it's constant */
31001 struct omap24xxcam_device *cam;
31003 diff -urNp linux-2.6.32.42/drivers/media/video/pvrusb2/pvrusb2-eeprom.c linux-2.6.32.42/drivers/media/video/pvrusb2/pvrusb2-eeprom.c
31004 --- linux-2.6.32.42/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-03-27 14:31:47.000000000 -0400
31005 +++ linux-2.6.32.42/drivers/media/video/pvrusb2/pvrusb2-eeprom.c 2011-05-16 21:46:57.000000000 -0400
31006 @@ -119,6 +119,8 @@ int pvr2_eeprom_analyze(struct pvr2_hdw
31008 struct tveeprom tvdata;
31010 + pax_track_stack();
31012 memset(&tvdata,0,sizeof(tvdata));
31014 eeprom = pvr2_eeprom_fetch(hdw);
31015 diff -urNp linux-2.6.32.42/drivers/media/video/saa7134/saa6752hs.c linux-2.6.32.42/drivers/media/video/saa7134/saa6752hs.c
31016 --- linux-2.6.32.42/drivers/media/video/saa7134/saa6752hs.c 2011-03-27 14:31:47.000000000 -0400
31017 +++ linux-2.6.32.42/drivers/media/video/saa7134/saa6752hs.c 2011-05-16 21:46:57.000000000 -0400
31018 @@ -683,6 +683,8 @@ static int saa6752hs_init(struct v4l2_su
31019 unsigned char localPAT[256];
31020 unsigned char localPMT[256];
31022 + pax_track_stack();
31024 /* Set video format - must be done first as it resets other settings */
31025 set_reg8(client, 0x41, h->video_format);
31027 diff -urNp linux-2.6.32.42/drivers/media/video/saa7164/saa7164-cmd.c linux-2.6.32.42/drivers/media/video/saa7164/saa7164-cmd.c
31028 --- linux-2.6.32.42/drivers/media/video/saa7164/saa7164-cmd.c 2011-03-27 14:31:47.000000000 -0400
31029 +++ linux-2.6.32.42/drivers/media/video/saa7164/saa7164-cmd.c 2011-05-16 21:46:57.000000000 -0400
31030 @@ -87,6 +87,8 @@ int saa7164_irq_dequeue(struct saa7164_d
31031 wait_queue_head_t *q = 0;
31032 dprintk(DBGLVL_CMD, "%s()\n", __func__);
31034 + pax_track_stack();
31036 /* While any outstand message on the bus exists... */
31039 @@ -126,6 +128,8 @@ int saa7164_cmd_dequeue(struct saa7164_d
31041 dprintk(DBGLVL_CMD, "%s()\n", __func__);
31043 + pax_track_stack();
31047 tmComResInfo_t tRsp = { 0, 0, 0, 0, 0, 0 };
31048 diff -urNp linux-2.6.32.42/drivers/media/video/usbvideo/konicawc.c linux-2.6.32.42/drivers/media/video/usbvideo/konicawc.c
31049 --- linux-2.6.32.42/drivers/media/video/usbvideo/konicawc.c 2011-03-27 14:31:47.000000000 -0400
31050 +++ linux-2.6.32.42/drivers/media/video/usbvideo/konicawc.c 2011-04-17 15:56:46.000000000 -0400
31051 @@ -225,7 +225,7 @@ static void konicawc_register_input(stru
31054 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
31055 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
31056 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
31058 cam->input = input_dev = input_allocate_device();
31060 diff -urNp linux-2.6.32.42/drivers/media/video/usbvideo/quickcam_messenger.c linux-2.6.32.42/drivers/media/video/usbvideo/quickcam_messenger.c
31061 --- linux-2.6.32.42/drivers/media/video/usbvideo/quickcam_messenger.c 2011-03-27 14:31:47.000000000 -0400
31062 +++ linux-2.6.32.42/drivers/media/video/usbvideo/quickcam_messenger.c 2011-04-17 15:56:46.000000000 -0400
31063 @@ -89,7 +89,7 @@ static void qcm_register_input(struct qc
31066 usb_make_path(dev, cam->input_physname, sizeof(cam->input_physname));
31067 - strncat(cam->input_physname, "/input0", sizeof(cam->input_physname));
31068 + strlcat(cam->input_physname, "/input0", sizeof(cam->input_physname));
31070 cam->input = input_dev = input_allocate_device();
31072 diff -urNp linux-2.6.32.42/drivers/media/video/usbvision/usbvision-core.c linux-2.6.32.42/drivers/media/video/usbvision/usbvision-core.c
31073 --- linux-2.6.32.42/drivers/media/video/usbvision/usbvision-core.c 2011-03-27 14:31:47.000000000 -0400
31074 +++ linux-2.6.32.42/drivers/media/video/usbvision/usbvision-core.c 2011-05-16 21:46:57.000000000 -0400
31075 @@ -820,6 +820,8 @@ static enum ParseState usbvision_parse_c
31076 unsigned char rv, gv, bv;
31077 static unsigned char *Y, *U, *V;
31079 + pax_track_stack();
31081 frame = usbvision->curFrame;
31082 imageSize = frame->frmwidth * frame->frmheight;
31083 if ( (frame->v4l2_format.format == V4L2_PIX_FMT_YUV422P) ||
31084 diff -urNp linux-2.6.32.42/drivers/media/video/v4l2-device.c linux-2.6.32.42/drivers/media/video/v4l2-device.c
31085 --- linux-2.6.32.42/drivers/media/video/v4l2-device.c 2011-03-27 14:31:47.000000000 -0400
31086 +++ linux-2.6.32.42/drivers/media/video/v4l2-device.c 2011-05-04 17:56:28.000000000 -0400
31087 @@ -50,9 +50,9 @@ int v4l2_device_register(struct device *
31088 EXPORT_SYMBOL_GPL(v4l2_device_register);
31090 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
31091 - atomic_t *instance)
31092 + atomic_unchecked_t *instance)
31094 - int num = atomic_inc_return(instance) - 1;
31095 + int num = atomic_inc_return_unchecked(instance) - 1;
31096 int len = strlen(basename);
31098 if (basename[len - 1] >= '0' && basename[len - 1] <= '9')
31099 diff -urNp linux-2.6.32.42/drivers/media/video/videobuf-dma-sg.c linux-2.6.32.42/drivers/media/video/videobuf-dma-sg.c
31100 --- linux-2.6.32.42/drivers/media/video/videobuf-dma-sg.c 2011-03-27 14:31:47.000000000 -0400
31101 +++ linux-2.6.32.42/drivers/media/video/videobuf-dma-sg.c 2011-05-16 21:46:57.000000000 -0400
31102 @@ -693,6 +693,8 @@ void *videobuf_sg_alloc(size_t size)
31104 struct videobuf_queue q;
31106 + pax_track_stack();
31108 /* Required to make generic handler to call __videobuf_alloc */
31109 q.int_ops = &sg_ops;
31111 diff -urNp linux-2.6.32.42/drivers/message/fusion/mptbase.c linux-2.6.32.42/drivers/message/fusion/mptbase.c
31112 --- linux-2.6.32.42/drivers/message/fusion/mptbase.c 2011-03-27 14:31:47.000000000 -0400
31113 +++ linux-2.6.32.42/drivers/message/fusion/mptbase.c 2011-04-17 15:56:46.000000000 -0400
31114 @@ -6709,8 +6709,14 @@ procmpt_iocinfo_read(char *buf, char **s
31115 len += sprintf(buf+len, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
31116 len += sprintf(buf+len, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
31118 +#ifdef CONFIG_GRKERNSEC_HIDESYM
31119 + len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
31122 len += sprintf(buf+len, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
31123 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
31127 * Rounding UP to nearest 4-kB boundary here...
31129 diff -urNp linux-2.6.32.42/drivers/message/fusion/mptsas.c linux-2.6.32.42/drivers/message/fusion/mptsas.c
31130 --- linux-2.6.32.42/drivers/message/fusion/mptsas.c 2011-03-27 14:31:47.000000000 -0400
31131 +++ linux-2.6.32.42/drivers/message/fusion/mptsas.c 2011-04-17 15:56:46.000000000 -0400
31132 @@ -436,6 +436,23 @@ mptsas_is_end_device(struct mptsas_devin
31136 +static inline void
31137 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
31139 + if (phy_info->port_details) {
31140 + phy_info->port_details->rphy = rphy;
31141 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
31142 + ioc->name, rphy));
31146 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
31147 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
31148 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
31149 + ioc->name, rphy, rphy->dev.release));
31155 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
31156 @@ -474,23 +491,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
31160 -static inline void
31161 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
31163 - if (phy_info->port_details) {
31164 - phy_info->port_details->rphy = rphy;
31165 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
31166 - ioc->name, rphy));
31170 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
31171 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
31172 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
31173 - ioc->name, rphy, rphy->dev.release));
31177 static inline struct sas_port *
31178 mptsas_get_port(struct mptsas_phyinfo *phy_info)
31180 diff -urNp linux-2.6.32.42/drivers/message/fusion/mptscsih.c linux-2.6.32.42/drivers/message/fusion/mptscsih.c
31181 --- linux-2.6.32.42/drivers/message/fusion/mptscsih.c 2011-03-27 14:31:47.000000000 -0400
31182 +++ linux-2.6.32.42/drivers/message/fusion/mptscsih.c 2011-04-17 15:56:46.000000000 -0400
31183 @@ -1248,15 +1248,16 @@ mptscsih_info(struct Scsi_Host *SChost)
31185 h = shost_priv(SChost);
31188 - if (h->info_kbuf == NULL)
31189 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
31190 - return h->info_kbuf;
31191 - h->info_kbuf[0] = '\0';
31195 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
31196 - h->info_kbuf[size-1] = '\0';
31198 + if (h->info_kbuf == NULL)
31199 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
31200 + return h->info_kbuf;
31201 + h->info_kbuf[0] = '\0';
31203 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
31204 + h->info_kbuf[size-1] = '\0';
31206 return h->info_kbuf;
31208 diff -urNp linux-2.6.32.42/drivers/message/i2o/i2o_config.c linux-2.6.32.42/drivers/message/i2o/i2o_config.c
31209 --- linux-2.6.32.42/drivers/message/i2o/i2o_config.c 2011-03-27 14:31:47.000000000 -0400
31210 +++ linux-2.6.32.42/drivers/message/i2o/i2o_config.c 2011-05-16 21:46:57.000000000 -0400
31211 @@ -787,6 +787,8 @@ static int i2o_cfg_passthru(unsigned lon
31212 struct i2o_message *msg;
31215 + pax_track_stack();
31217 if (get_user(iop, &cmd->iop) || get_user(user_msg, &cmd->msg))
31220 diff -urNp linux-2.6.32.42/drivers/message/i2o/i2o_proc.c linux-2.6.32.42/drivers/message/i2o/i2o_proc.c
31221 --- linux-2.6.32.42/drivers/message/i2o/i2o_proc.c 2011-03-27 14:31:47.000000000 -0400
31222 +++ linux-2.6.32.42/drivers/message/i2o/i2o_proc.c 2011-04-17 15:56:46.000000000 -0400
31223 @@ -259,13 +259,6 @@ static char *scsi_devices[] = {
31224 "Array Controller Device"
31227 -static char *chtostr(u8 * chars, int n)
31231 - return strncat(tmp, (char *)chars, n);
31234 static int i2o_report_query_status(struct seq_file *seq, int block_status,
31237 @@ -842,8 +835,7 @@ static int i2o_seq_show_ddm_table(struct
31239 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
31240 seq_printf(seq, "%-#8x", ddm_table.module_id);
31241 - seq_printf(seq, "%-29s",
31242 - chtostr(ddm_table.module_name_version, 28));
31243 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
31244 seq_printf(seq, "%9d ", ddm_table.data_size);
31245 seq_printf(seq, "%8d", ddm_table.code_size);
31247 @@ -944,8 +936,8 @@ static int i2o_seq_show_drivers_stored(s
31249 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
31250 seq_printf(seq, "%-#8x", dst->module_id);
31251 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
31252 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
31253 + seq_printf(seq, "%-.28s", dst->module_name_version);
31254 + seq_printf(seq, "%-.8s", dst->date);
31255 seq_printf(seq, "%8d ", dst->module_size);
31256 seq_printf(seq, "%8d ", dst->mpb_size);
31257 seq_printf(seq, "0x%04x", dst->module_flags);
31258 @@ -1276,14 +1268,10 @@ static int i2o_seq_show_dev_identity(str
31259 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
31260 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
31261 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
31262 - seq_printf(seq, "Vendor info : %s\n",
31263 - chtostr((u8 *) (work32 + 2), 16));
31264 - seq_printf(seq, "Product info : %s\n",
31265 - chtostr((u8 *) (work32 + 6), 16));
31266 - seq_printf(seq, "Description : %s\n",
31267 - chtostr((u8 *) (work32 + 10), 16));
31268 - seq_printf(seq, "Product rev. : %s\n",
31269 - chtostr((u8 *) (work32 + 14), 8));
31270 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
31271 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
31272 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
31273 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
31275 seq_printf(seq, "Serial number : ");
31276 print_serial_number(seq, (u8 *) (work32 + 16),
31277 @@ -1328,10 +1316,8 @@ static int i2o_seq_show_ddm_identity(str
31280 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
31281 - seq_printf(seq, "Module name : %s\n",
31282 - chtostr(result.module_name, 24));
31283 - seq_printf(seq, "Module revision : %s\n",
31284 - chtostr(result.module_rev, 8));
31285 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
31286 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
31288 seq_printf(seq, "Serial number : ");
31289 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
31290 @@ -1362,14 +1348,10 @@ static int i2o_seq_show_uinfo(struct seq
31294 - seq_printf(seq, "Device name : %s\n",
31295 - chtostr(result.device_name, 64));
31296 - seq_printf(seq, "Service name : %s\n",
31297 - chtostr(result.service_name, 64));
31298 - seq_printf(seq, "Physical name : %s\n",
31299 - chtostr(result.physical_location, 64));
31300 - seq_printf(seq, "Instance number : %s\n",
31301 - chtostr(result.instance_number, 4));
31302 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
31303 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
31304 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
31305 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
31309 diff -urNp linux-2.6.32.42/drivers/message/i2o/iop.c linux-2.6.32.42/drivers/message/i2o/iop.c
31310 --- linux-2.6.32.42/drivers/message/i2o/iop.c 2011-03-27 14:31:47.000000000 -0400
31311 +++ linux-2.6.32.42/drivers/message/i2o/iop.c 2011-05-04 17:56:28.000000000 -0400
31312 @@ -110,10 +110,10 @@ u32 i2o_cntxt_list_add(struct i2o_contro
31314 spin_lock_irqsave(&c->context_list_lock, flags);
31316 - if (unlikely(atomic_inc_and_test(&c->context_list_counter)))
31317 - atomic_inc(&c->context_list_counter);
31318 + if (unlikely(atomic_inc_and_test_unchecked(&c->context_list_counter)))
31319 + atomic_inc_unchecked(&c->context_list_counter);
31321 - entry->context = atomic_read(&c->context_list_counter);
31322 + entry->context = atomic_read_unchecked(&c->context_list_counter);
31324 list_add(&entry->list, &c->context_list);
31326 @@ -1076,7 +1076,7 @@ struct i2o_controller *i2o_iop_alloc(voi
31328 #if BITS_PER_LONG == 64
31329 spin_lock_init(&c->context_list_lock);
31330 - atomic_set(&c->context_list_counter, 0);
31331 + atomic_set_unchecked(&c->context_list_counter, 0);
31332 INIT_LIST_HEAD(&c->context_list);
31335 diff -urNp linux-2.6.32.42/drivers/mfd/wm8350-i2c.c linux-2.6.32.42/drivers/mfd/wm8350-i2c.c
31336 --- linux-2.6.32.42/drivers/mfd/wm8350-i2c.c 2011-03-27 14:31:47.000000000 -0400
31337 +++ linux-2.6.32.42/drivers/mfd/wm8350-i2c.c 2011-05-16 21:46:57.000000000 -0400
31338 @@ -43,6 +43,8 @@ static int wm8350_i2c_write_device(struc
31339 u8 msg[(WM8350_MAX_REGISTER << 1) + 1];
31342 + pax_track_stack();
31344 if (bytes > ((WM8350_MAX_REGISTER << 1) + 1))
31347 diff -urNp linux-2.6.32.42/drivers/misc/kgdbts.c linux-2.6.32.42/drivers/misc/kgdbts.c
31348 --- linux-2.6.32.42/drivers/misc/kgdbts.c 2011-03-27 14:31:47.000000000 -0400
31349 +++ linux-2.6.32.42/drivers/misc/kgdbts.c 2011-04-17 15:56:46.000000000 -0400
31350 @@ -118,7 +118,7 @@
31352 #define MAX_CONFIG_LEN 40
31354 -static struct kgdb_io kgdbts_io_ops;
31355 +static const struct kgdb_io kgdbts_io_ops;
31356 static char get_buf[BUFMAX];
31357 static int get_buf_cnt;
31358 static char put_buf[BUFMAX];
31359 @@ -1102,7 +1102,7 @@ static void kgdbts_post_exp_handler(void
31360 module_put(THIS_MODULE);
31363 -static struct kgdb_io kgdbts_io_ops = {
31364 +static const struct kgdb_io kgdbts_io_ops = {
31366 .read_char = kgdbts_get_char,
31367 .write_char = kgdbts_put_char,
31368 diff -urNp linux-2.6.32.42/drivers/misc/sgi-gru/gruhandles.c linux-2.6.32.42/drivers/misc/sgi-gru/gruhandles.c
31369 --- linux-2.6.32.42/drivers/misc/sgi-gru/gruhandles.c 2011-03-27 14:31:47.000000000 -0400
31370 +++ linux-2.6.32.42/drivers/misc/sgi-gru/gruhandles.c 2011-04-17 15:56:46.000000000 -0400
31371 @@ -39,8 +39,8 @@ struct mcs_op_statistic mcs_op_statistic
31373 static void update_mcs_stats(enum mcs_op op, unsigned long clks)
31375 - atomic_long_inc(&mcs_op_statistics[op].count);
31376 - atomic_long_add(clks, &mcs_op_statistics[op].total);
31377 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
31378 + atomic_long_add_unchecked(clks, &mcs_op_statistics[op].total);
31379 if (mcs_op_statistics[op].max < clks)
31380 mcs_op_statistics[op].max = clks;
31382 diff -urNp linux-2.6.32.42/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.32.42/drivers/misc/sgi-gru/gruprocfs.c
31383 --- linux-2.6.32.42/drivers/misc/sgi-gru/gruprocfs.c 2011-03-27 14:31:47.000000000 -0400
31384 +++ linux-2.6.32.42/drivers/misc/sgi-gru/gruprocfs.c 2011-04-17 15:56:46.000000000 -0400
31387 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
31389 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
31390 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
31392 - unsigned long val = atomic_long_read(v);
31393 + unsigned long val = atomic_long_read_unchecked(v);
31396 seq_printf(s, "%16lu %s\n", val, id);
31397 @@ -136,8 +136,8 @@ static int mcs_statistics_show(struct se
31398 "cch_interrupt_sync", "cch_deallocate", "tgh_invalidate"};
31400 for (op = 0; op < mcsop_last; op++) {
31401 - count = atomic_long_read(&mcs_op_statistics[op].count);
31402 - total = atomic_long_read(&mcs_op_statistics[op].total);
31403 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
31404 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
31405 max = mcs_op_statistics[op].max;
31406 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
31407 count ? total / count : 0, max);
31408 diff -urNp linux-2.6.32.42/drivers/misc/sgi-gru/grutables.h linux-2.6.32.42/drivers/misc/sgi-gru/grutables.h
31409 --- linux-2.6.32.42/drivers/misc/sgi-gru/grutables.h 2011-03-27 14:31:47.000000000 -0400
31410 +++ linux-2.6.32.42/drivers/misc/sgi-gru/grutables.h 2011-04-17 15:56:46.000000000 -0400
31411 @@ -167,84 +167,84 @@ extern unsigned int gru_max_gids;
31414 struct gru_stats_s {
31415 - atomic_long_t vdata_alloc;
31416 - atomic_long_t vdata_free;
31417 - atomic_long_t gts_alloc;
31418 - atomic_long_t gts_free;
31419 - atomic_long_t vdata_double_alloc;
31420 - atomic_long_t gts_double_allocate;
31421 - atomic_long_t assign_context;
31422 - atomic_long_t assign_context_failed;
31423 - atomic_long_t free_context;
31424 - atomic_long_t load_user_context;
31425 - atomic_long_t load_kernel_context;
31426 - atomic_long_t lock_kernel_context;
31427 - atomic_long_t unlock_kernel_context;
31428 - atomic_long_t steal_user_context;
31429 - atomic_long_t steal_kernel_context;
31430 - atomic_long_t steal_context_failed;
31431 - atomic_long_t nopfn;
31432 - atomic_long_t break_cow;
31433 - atomic_long_t asid_new;
31434 - atomic_long_t asid_next;
31435 - atomic_long_t asid_wrap;
31436 - atomic_long_t asid_reuse;
31437 - atomic_long_t intr;
31438 - atomic_long_t intr_mm_lock_failed;
31439 - atomic_long_t call_os;
31440 - atomic_long_t call_os_offnode_reference;
31441 - atomic_long_t call_os_check_for_bug;
31442 - atomic_long_t call_os_wait_queue;
31443 - atomic_long_t user_flush_tlb;
31444 - atomic_long_t user_unload_context;
31445 - atomic_long_t user_exception;
31446 - atomic_long_t set_context_option;
31447 - atomic_long_t migrate_check;
31448 - atomic_long_t migrated_retarget;
31449 - atomic_long_t migrated_unload;
31450 - atomic_long_t migrated_unload_delay;
31451 - atomic_long_t migrated_nopfn_retarget;
31452 - atomic_long_t migrated_nopfn_unload;
31453 - atomic_long_t tlb_dropin;
31454 - atomic_long_t tlb_dropin_fail_no_asid;
31455 - atomic_long_t tlb_dropin_fail_upm;
31456 - atomic_long_t tlb_dropin_fail_invalid;
31457 - atomic_long_t tlb_dropin_fail_range_active;
31458 - atomic_long_t tlb_dropin_fail_idle;
31459 - atomic_long_t tlb_dropin_fail_fmm;
31460 - atomic_long_t tlb_dropin_fail_no_exception;
31461 - atomic_long_t tlb_dropin_fail_no_exception_war;
31462 - atomic_long_t tfh_stale_on_fault;
31463 - atomic_long_t mmu_invalidate_range;
31464 - atomic_long_t mmu_invalidate_page;
31465 - atomic_long_t mmu_clear_flush_young;
31466 - atomic_long_t flush_tlb;
31467 - atomic_long_t flush_tlb_gru;
31468 - atomic_long_t flush_tlb_gru_tgh;
31469 - atomic_long_t flush_tlb_gru_zero_asid;
31471 - atomic_long_t copy_gpa;
31473 - atomic_long_t mesq_receive;
31474 - atomic_long_t mesq_receive_none;
31475 - atomic_long_t mesq_send;
31476 - atomic_long_t mesq_send_failed;
31477 - atomic_long_t mesq_noop;
31478 - atomic_long_t mesq_send_unexpected_error;
31479 - atomic_long_t mesq_send_lb_overflow;
31480 - atomic_long_t mesq_send_qlimit_reached;
31481 - atomic_long_t mesq_send_amo_nacked;
31482 - atomic_long_t mesq_send_put_nacked;
31483 - atomic_long_t mesq_qf_not_full;
31484 - atomic_long_t mesq_qf_locked;
31485 - atomic_long_t mesq_qf_noop_not_full;
31486 - atomic_long_t mesq_qf_switch_head_failed;
31487 - atomic_long_t mesq_qf_unexpected_error;
31488 - atomic_long_t mesq_noop_unexpected_error;
31489 - atomic_long_t mesq_noop_lb_overflow;
31490 - atomic_long_t mesq_noop_qlimit_reached;
31491 - atomic_long_t mesq_noop_amo_nacked;
31492 - atomic_long_t mesq_noop_put_nacked;
31493 + atomic_long_unchecked_t vdata_alloc;
31494 + atomic_long_unchecked_t vdata_free;
31495 + atomic_long_unchecked_t gts_alloc;
31496 + atomic_long_unchecked_t gts_free;
31497 + atomic_long_unchecked_t vdata_double_alloc;
31498 + atomic_long_unchecked_t gts_double_allocate;
31499 + atomic_long_unchecked_t assign_context;
31500 + atomic_long_unchecked_t assign_context_failed;
31501 + atomic_long_unchecked_t free_context;
31502 + atomic_long_unchecked_t load_user_context;
31503 + atomic_long_unchecked_t load_kernel_context;
31504 + atomic_long_unchecked_t lock_kernel_context;
31505 + atomic_long_unchecked_t unlock_kernel_context;
31506 + atomic_long_unchecked_t steal_user_context;
31507 + atomic_long_unchecked_t steal_kernel_context;
31508 + atomic_long_unchecked_t steal_context_failed;
31509 + atomic_long_unchecked_t nopfn;
31510 + atomic_long_unchecked_t break_cow;
31511 + atomic_long_unchecked_t asid_new;
31512 + atomic_long_unchecked_t asid_next;
31513 + atomic_long_unchecked_t asid_wrap;
31514 + atomic_long_unchecked_t asid_reuse;
31515 + atomic_long_unchecked_t intr;
31516 + atomic_long_unchecked_t intr_mm_lock_failed;
31517 + atomic_long_unchecked_t call_os;
31518 + atomic_long_unchecked_t call_os_offnode_reference;
31519 + atomic_long_unchecked_t call_os_check_for_bug;
31520 + atomic_long_unchecked_t call_os_wait_queue;
31521 + atomic_long_unchecked_t user_flush_tlb;
31522 + atomic_long_unchecked_t user_unload_context;
31523 + atomic_long_unchecked_t user_exception;
31524 + atomic_long_unchecked_t set_context_option;
31525 + atomic_long_unchecked_t migrate_check;
31526 + atomic_long_unchecked_t migrated_retarget;
31527 + atomic_long_unchecked_t migrated_unload;
31528 + atomic_long_unchecked_t migrated_unload_delay;
31529 + atomic_long_unchecked_t migrated_nopfn_retarget;
31530 + atomic_long_unchecked_t migrated_nopfn_unload;
31531 + atomic_long_unchecked_t tlb_dropin;
31532 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
31533 + atomic_long_unchecked_t tlb_dropin_fail_upm;
31534 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
31535 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
31536 + atomic_long_unchecked_t tlb_dropin_fail_idle;
31537 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
31538 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
31539 + atomic_long_unchecked_t tlb_dropin_fail_no_exception_war;
31540 + atomic_long_unchecked_t tfh_stale_on_fault;
31541 + atomic_long_unchecked_t mmu_invalidate_range;
31542 + atomic_long_unchecked_t mmu_invalidate_page;
31543 + atomic_long_unchecked_t mmu_clear_flush_young;
31544 + atomic_long_unchecked_t flush_tlb;
31545 + atomic_long_unchecked_t flush_tlb_gru;
31546 + atomic_long_unchecked_t flush_tlb_gru_tgh;
31547 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
31549 + atomic_long_unchecked_t copy_gpa;
31551 + atomic_long_unchecked_t mesq_receive;
31552 + atomic_long_unchecked_t mesq_receive_none;
31553 + atomic_long_unchecked_t mesq_send;
31554 + atomic_long_unchecked_t mesq_send_failed;
31555 + atomic_long_unchecked_t mesq_noop;
31556 + atomic_long_unchecked_t mesq_send_unexpected_error;
31557 + atomic_long_unchecked_t mesq_send_lb_overflow;
31558 + atomic_long_unchecked_t mesq_send_qlimit_reached;
31559 + atomic_long_unchecked_t mesq_send_amo_nacked;
31560 + atomic_long_unchecked_t mesq_send_put_nacked;
31561 + atomic_long_unchecked_t mesq_qf_not_full;
31562 + atomic_long_unchecked_t mesq_qf_locked;
31563 + atomic_long_unchecked_t mesq_qf_noop_not_full;
31564 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
31565 + atomic_long_unchecked_t mesq_qf_unexpected_error;
31566 + atomic_long_unchecked_t mesq_noop_unexpected_error;
31567 + atomic_long_unchecked_t mesq_noop_lb_overflow;
31568 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
31569 + atomic_long_unchecked_t mesq_noop_amo_nacked;
31570 + atomic_long_unchecked_t mesq_noop_put_nacked;
31574 @@ -252,8 +252,8 @@ enum mcs_op {cchop_allocate, cchop_start
31575 cchop_deallocate, tghop_invalidate, mcsop_last};
31577 struct mcs_op_statistic {
31578 - atomic_long_t count;
31579 - atomic_long_t total;
31580 + atomic_long_unchecked_t count;
31581 + atomic_long_unchecked_t total;
31585 @@ -276,7 +276,7 @@ extern struct mcs_op_statistic mcs_op_st
31587 #define STAT(id) do { \
31588 if (gru_options & OPT_STATS) \
31589 - atomic_long_inc(&gru_stats.id); \
31590 + atomic_long_inc_unchecked(&gru_stats.id); \
31593 #ifdef CONFIG_SGI_GRU_DEBUG
31594 diff -urNp linux-2.6.32.42/drivers/mtd/chips/cfi_cmdset_0001.c linux-2.6.32.42/drivers/mtd/chips/cfi_cmdset_0001.c
31595 --- linux-2.6.32.42/drivers/mtd/chips/cfi_cmdset_0001.c 2011-03-27 14:31:47.000000000 -0400
31596 +++ linux-2.6.32.42/drivers/mtd/chips/cfi_cmdset_0001.c 2011-05-16 21:46:57.000000000 -0400
31597 @@ -743,6 +743,8 @@ static int chip_ready (struct map_info *
31598 struct cfi_pri_intelext *cfip = cfi->cmdset_priv;
31599 unsigned long timeo = jiffies + HZ;
31601 + pax_track_stack();
31603 /* Prevent setting state FL_SYNCING for chip in suspended state. */
31604 if (mode == FL_SYNCING && chip->oldstate != FL_READY)
31606 @@ -1642,6 +1644,8 @@ static int __xipram do_write_buffer(stru
31607 unsigned long initial_adr;
31608 int initial_len = len;
31610 + pax_track_stack();
31612 wbufsize = cfi_interleave(cfi) << cfi->cfiq->MaxBufWriteSize;
31613 adr += chip->start;
31615 @@ -1860,6 +1864,8 @@ static int __xipram do_erase_oneblock(st
31619 + pax_track_stack();
31621 adr += chip->start;
31624 diff -urNp linux-2.6.32.42/drivers/mtd/chips/cfi_cmdset_0020.c linux-2.6.32.42/drivers/mtd/chips/cfi_cmdset_0020.c
31625 --- linux-2.6.32.42/drivers/mtd/chips/cfi_cmdset_0020.c 2011-03-27 14:31:47.000000000 -0400
31626 +++ linux-2.6.32.42/drivers/mtd/chips/cfi_cmdset_0020.c 2011-05-16 21:46:57.000000000 -0400
31627 @@ -255,6 +255,8 @@ static inline int do_read_onechip(struct
31628 unsigned long cmd_addr;
31629 struct cfi_private *cfi = map->fldrv_priv;
31631 + pax_track_stack();
31633 adr += chip->start;
31635 /* Ensure cmd read/writes are aligned. */
31636 @@ -428,6 +430,8 @@ static inline int do_write_buffer(struct
31637 DECLARE_WAITQUEUE(wait, current);
31640 + pax_track_stack();
31642 /* M58LW064A requires bus alignment for buffer wriets -- saw */
31643 if (adr & (map_bankwidth(map)-1))
31645 @@ -742,6 +746,8 @@ static inline int do_erase_oneblock(stru
31646 DECLARE_WAITQUEUE(wait, current);
31649 + pax_track_stack();
31651 adr += chip->start;
31653 /* Let's determine this according to the interleave only once */
31654 @@ -1047,6 +1053,8 @@ static inline int do_lock_oneblock(struc
31655 unsigned long timeo = jiffies + HZ;
31656 DECLARE_WAITQUEUE(wait, current);
31658 + pax_track_stack();
31660 adr += chip->start;
31662 /* Let's determine this according to the interleave only once */
31663 @@ -1196,6 +1204,8 @@ static inline int do_unlock_oneblock(str
31664 unsigned long timeo = jiffies + HZ;
31665 DECLARE_WAITQUEUE(wait, current);
31667 + pax_track_stack();
31669 adr += chip->start;
31671 /* Let's determine this according to the interleave only once */
31672 diff -urNp linux-2.6.32.42/drivers/mtd/devices/doc2000.c linux-2.6.32.42/drivers/mtd/devices/doc2000.c
31673 --- linux-2.6.32.42/drivers/mtd/devices/doc2000.c 2011-03-27 14:31:47.000000000 -0400
31674 +++ linux-2.6.32.42/drivers/mtd/devices/doc2000.c 2011-04-17 15:56:46.000000000 -0400
31675 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
31677 /* The ECC will not be calculated correctly if less than 512 is written */
31679 - if (len != 0x200 && eccbuf)
31680 + if (len != 0x200)
31681 printk(KERN_WARNING
31682 "ECC needs a full sector write (adr: %lx size %lx)\n",
31683 (long) to, (long) len);
31684 diff -urNp linux-2.6.32.42/drivers/mtd/devices/doc2001.c linux-2.6.32.42/drivers/mtd/devices/doc2001.c
31685 --- linux-2.6.32.42/drivers/mtd/devices/doc2001.c 2011-03-27 14:31:47.000000000 -0400
31686 +++ linux-2.6.32.42/drivers/mtd/devices/doc2001.c 2011-04-17 15:56:46.000000000 -0400
31687 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
31688 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
31690 /* Don't allow read past end of device */
31691 - if (from >= this->totlen)
31692 + if (from >= this->totlen || !len)
31695 /* Don't allow a single read to cross a 512-byte block boundary */
31696 diff -urNp linux-2.6.32.42/drivers/mtd/ftl.c linux-2.6.32.42/drivers/mtd/ftl.c
31697 --- linux-2.6.32.42/drivers/mtd/ftl.c 2011-03-27 14:31:47.000000000 -0400
31698 +++ linux-2.6.32.42/drivers/mtd/ftl.c 2011-05-16 21:46:57.000000000 -0400
31699 @@ -474,6 +474,8 @@ static int copy_erase_unit(partition_t *
31701 uint16_t srcunitswap = cpu_to_le16(srcunit);
31703 + pax_track_stack();
31705 eun = &part->EUNInfo[srcunit];
31706 xfer = &part->XferInfo[xferunit];
31707 DEBUG(2, "ftl_cs: copying block 0x%x to 0x%x\n",
31708 diff -urNp linux-2.6.32.42/drivers/mtd/inftlcore.c linux-2.6.32.42/drivers/mtd/inftlcore.c
31709 --- linux-2.6.32.42/drivers/mtd/inftlcore.c 2011-03-27 14:31:47.000000000 -0400
31710 +++ linux-2.6.32.42/drivers/mtd/inftlcore.c 2011-05-16 21:46:57.000000000 -0400
31711 @@ -260,6 +260,8 @@ static u16 INFTL_foldchain(struct INFTLr
31712 struct inftl_oob oob;
31715 + pax_track_stack();
31717 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: INFTL_foldchain(inftl=%p,thisVUC=%d,"
31718 "pending=%d)\n", inftl, thisVUC, pendingblock);
31720 diff -urNp linux-2.6.32.42/drivers/mtd/inftlmount.c linux-2.6.32.42/drivers/mtd/inftlmount.c
31721 --- linux-2.6.32.42/drivers/mtd/inftlmount.c 2011-03-27 14:31:47.000000000 -0400
31722 +++ linux-2.6.32.42/drivers/mtd/inftlmount.c 2011-05-16 21:46:57.000000000 -0400
31723 @@ -54,6 +54,8 @@ static int find_boot_record(struct INFTL
31724 struct INFTLPartition *ip;
31727 + pax_track_stack();
31729 DEBUG(MTD_DEBUG_LEVEL3, "INFTL: find_boot_record(inftl=%p)\n", inftl);
31732 diff -urNp linux-2.6.32.42/drivers/mtd/lpddr/qinfo_probe.c linux-2.6.32.42/drivers/mtd/lpddr/qinfo_probe.c
31733 --- linux-2.6.32.42/drivers/mtd/lpddr/qinfo_probe.c 2011-03-27 14:31:47.000000000 -0400
31734 +++ linux-2.6.32.42/drivers/mtd/lpddr/qinfo_probe.c 2011-05-16 21:46:57.000000000 -0400
31735 @@ -106,6 +106,8 @@ static int lpddr_pfow_present(struct map
31737 map_word pfow_val[4];
31739 + pax_track_stack();
31741 /* Check identification string */
31742 pfow_val[0] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_P);
31743 pfow_val[1] = map_read(map, map->pfow_base + PFOW_QUERY_STRING_F);
31744 diff -urNp linux-2.6.32.42/drivers/mtd/mtdchar.c linux-2.6.32.42/drivers/mtd/mtdchar.c
31745 --- linux-2.6.32.42/drivers/mtd/mtdchar.c 2011-03-27 14:31:47.000000000 -0400
31746 +++ linux-2.6.32.42/drivers/mtd/mtdchar.c 2011-05-16 21:46:57.000000000 -0400
31747 @@ -460,6 +460,8 @@ static int mtd_ioctl(struct inode *inode
31749 struct mtd_info_user info;
31751 + pax_track_stack();
31753 DEBUG(MTD_DEBUG_LEVEL0, "MTD_ioctl\n");
31755 size = (cmd & IOCSIZE_MASK) >> IOCSIZE_SHIFT;
31756 diff -urNp linux-2.6.32.42/drivers/mtd/nftlcore.c linux-2.6.32.42/drivers/mtd/nftlcore.c
31757 --- linux-2.6.32.42/drivers/mtd/nftlcore.c 2011-03-27 14:31:47.000000000 -0400
31758 +++ linux-2.6.32.42/drivers/mtd/nftlcore.c 2011-05-16 21:46:57.000000000 -0400
31759 @@ -254,6 +254,8 @@ static u16 NFTL_foldchain (struct NFTLre
31763 + pax_track_stack();
31765 memset(BlockMap, 0xff, sizeof(BlockMap));
31766 memset(BlockFreeFound, 0, sizeof(BlockFreeFound));
31768 diff -urNp linux-2.6.32.42/drivers/mtd/nftlmount.c linux-2.6.32.42/drivers/mtd/nftlmount.c
31769 --- linux-2.6.32.42/drivers/mtd/nftlmount.c 2011-03-27 14:31:47.000000000 -0400
31770 +++ linux-2.6.32.42/drivers/mtd/nftlmount.c 2011-05-18 20:09:37.000000000 -0400
31772 #include <asm/errno.h>
31773 #include <linux/delay.h>
31774 #include <linux/slab.h>
31775 +#include <linux/sched.h>
31776 #include <linux/mtd/mtd.h>
31777 #include <linux/mtd/nand.h>
31778 #include <linux/mtd/nftl.h>
31779 @@ -44,6 +45,8 @@ static int find_boot_record(struct NFTLr
31780 struct mtd_info *mtd = nftl->mbd.mtd;
31783 + pax_track_stack();
31785 /* Assume logical EraseSize == physical erasesize for starting the scan.
31786 We'll sort it out later if we find a MediaHeader which says otherwise */
31787 /* Actually, we won't. The new DiskOnChip driver has already scanned
31788 diff -urNp linux-2.6.32.42/drivers/mtd/ubi/build.c linux-2.6.32.42/drivers/mtd/ubi/build.c
31789 --- linux-2.6.32.42/drivers/mtd/ubi/build.c 2011-03-27 14:31:47.000000000 -0400
31790 +++ linux-2.6.32.42/drivers/mtd/ubi/build.c 2011-04-17 15:56:46.000000000 -0400
31791 @@ -1255,7 +1255,7 @@ module_exit(ubi_exit);
31792 static int __init bytes_str_to_int(const char *str)
31795 - unsigned long result;
31796 + unsigned long result, scale = 1;
31798 result = simple_strtoul(str, &endp, 0);
31799 if (str == endp || result >= INT_MAX) {
31800 @@ -1266,11 +1266,11 @@ static int __init bytes_str_to_int(const
31812 if (endp[1] == 'i' && endp[2] == 'B')
31815 @@ -1281,7 +1281,13 @@ static int __init bytes_str_to_int(const
31820 + if ((intoverflow_t)result*scale >= INT_MAX) {
31821 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
31826 + return result*scale;
31830 diff -urNp linux-2.6.32.42/drivers/net/bnx2.c linux-2.6.32.42/drivers/net/bnx2.c
31831 --- linux-2.6.32.42/drivers/net/bnx2.c 2011-03-27 14:31:47.000000000 -0400
31832 +++ linux-2.6.32.42/drivers/net/bnx2.c 2011-05-16 21:46:57.000000000 -0400
31833 @@ -5809,6 +5809,8 @@ bnx2_test_nvram(struct bnx2 *bp)
31837 + pax_track_stack();
31839 if ((rc = bnx2_nvram_read(bp, 0, data, 4)) != 0)
31840 goto test_nvram_done;
31842 diff -urNp linux-2.6.32.42/drivers/net/cxgb3/t3_hw.c linux-2.6.32.42/drivers/net/cxgb3/t3_hw.c
31843 --- linux-2.6.32.42/drivers/net/cxgb3/t3_hw.c 2011-03-27 14:31:47.000000000 -0400
31844 +++ linux-2.6.32.42/drivers/net/cxgb3/t3_hw.c 2011-05-16 21:46:57.000000000 -0400
31845 @@ -699,6 +699,8 @@ static int get_vpd_params(struct adapter
31849 + pax_track_stack();
31852 * Card information is normally at VPD_BASE but some early cards had
31854 diff -urNp linux-2.6.32.42/drivers/net/e1000e/82571.c linux-2.6.32.42/drivers/net/e1000e/82571.c
31855 --- linux-2.6.32.42/drivers/net/e1000e/82571.c 2011-03-27 14:31:47.000000000 -0400
31856 +++ linux-2.6.32.42/drivers/net/e1000e/82571.c 2011-04-17 15:56:46.000000000 -0400
31857 @@ -212,6 +212,7 @@ static s32 e1000_init_mac_params_82571(s
31859 struct e1000_hw *hw = &adapter->hw;
31860 struct e1000_mac_info *mac = &hw->mac;
31861 + /* cannot be const */
31862 struct e1000_mac_operations *func = &mac->ops;
31865 @@ -1656,7 +1657,7 @@ static void e1000_clear_hw_cntrs_82571(s
31866 temp = er32(ICRXDMTC);
31869 -static struct e1000_mac_operations e82571_mac_ops = {
31870 +static const struct e1000_mac_operations e82571_mac_ops = {
31871 /* .check_mng_mode: mac type dependent */
31872 /* .check_for_link: media type dependent */
31873 .id_led_init = e1000e_id_led_init,
31874 @@ -1674,7 +1675,7 @@ static struct e1000_mac_operations e8257
31875 .setup_led = e1000e_setup_led_generic,
31878 -static struct e1000_phy_operations e82_phy_ops_igp = {
31879 +static const struct e1000_phy_operations e82_phy_ops_igp = {
31880 .acquire_phy = e1000_get_hw_semaphore_82571,
31881 .check_reset_block = e1000e_check_reset_block_generic,
31882 .commit_phy = NULL,
31883 @@ -1691,7 +1692,7 @@ static struct e1000_phy_operations e82_p
31884 .cfg_on_link_up = NULL,
31887 -static struct e1000_phy_operations e82_phy_ops_m88 = {
31888 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
31889 .acquire_phy = e1000_get_hw_semaphore_82571,
31890 .check_reset_block = e1000e_check_reset_block_generic,
31891 .commit_phy = e1000e_phy_sw_reset,
31892 @@ -1708,7 +1709,7 @@ static struct e1000_phy_operations e82_p
31893 .cfg_on_link_up = NULL,
31896 -static struct e1000_phy_operations e82_phy_ops_bm = {
31897 +static const struct e1000_phy_operations e82_phy_ops_bm = {
31898 .acquire_phy = e1000_get_hw_semaphore_82571,
31899 .check_reset_block = e1000e_check_reset_block_generic,
31900 .commit_phy = e1000e_phy_sw_reset,
31901 @@ -1725,7 +1726,7 @@ static struct e1000_phy_operations e82_p
31902 .cfg_on_link_up = NULL,
31905 -static struct e1000_nvm_operations e82571_nvm_ops = {
31906 +static const struct e1000_nvm_operations e82571_nvm_ops = {
31907 .acquire_nvm = e1000_acquire_nvm_82571,
31908 .read_nvm = e1000e_read_nvm_eerd,
31909 .release_nvm = e1000_release_nvm_82571,
31910 diff -urNp linux-2.6.32.42/drivers/net/e1000e/e1000.h linux-2.6.32.42/drivers/net/e1000e/e1000.h
31911 --- linux-2.6.32.42/drivers/net/e1000e/e1000.h 2011-03-27 14:31:47.000000000 -0400
31912 +++ linux-2.6.32.42/drivers/net/e1000e/e1000.h 2011-04-17 15:56:46.000000000 -0400
31913 @@ -375,9 +375,9 @@ struct e1000_info {
31915 u32 max_hw_frame_size;
31916 s32 (*get_variants)(struct e1000_adapter *);
31917 - struct e1000_mac_operations *mac_ops;
31918 - struct e1000_phy_operations *phy_ops;
31919 - struct e1000_nvm_operations *nvm_ops;
31920 + const struct e1000_mac_operations *mac_ops;
31921 + const struct e1000_phy_operations *phy_ops;
31922 + const struct e1000_nvm_operations *nvm_ops;
31925 /* hardware capability, feature, and workaround flags */
31926 diff -urNp linux-2.6.32.42/drivers/net/e1000e/es2lan.c linux-2.6.32.42/drivers/net/e1000e/es2lan.c
31927 --- linux-2.6.32.42/drivers/net/e1000e/es2lan.c 2011-03-27 14:31:47.000000000 -0400
31928 +++ linux-2.6.32.42/drivers/net/e1000e/es2lan.c 2011-04-17 15:56:46.000000000 -0400
31929 @@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_80003es
31931 struct e1000_hw *hw = &adapter->hw;
31932 struct e1000_mac_info *mac = &hw->mac;
31933 + /* cannot be const */
31934 struct e1000_mac_operations *func = &mac->ops;
31936 /* Set media type */
31937 @@ -1365,7 +1366,7 @@ static void e1000_clear_hw_cntrs_80003es
31938 temp = er32(ICRXDMTC);
31941 -static struct e1000_mac_operations es2_mac_ops = {
31942 +static const struct e1000_mac_operations es2_mac_ops = {
31943 .id_led_init = e1000e_id_led_init,
31944 .check_mng_mode = e1000e_check_mng_mode_generic,
31945 /* check_for_link dependent on media type */
31946 @@ -1383,7 +1384,7 @@ static struct e1000_mac_operations es2_m
31947 .setup_led = e1000e_setup_led_generic,
31950 -static struct e1000_phy_operations es2_phy_ops = {
31951 +static const struct e1000_phy_operations es2_phy_ops = {
31952 .acquire_phy = e1000_acquire_phy_80003es2lan,
31953 .check_reset_block = e1000e_check_reset_block_generic,
31954 .commit_phy = e1000e_phy_sw_reset,
31955 @@ -1400,7 +1401,7 @@ static struct e1000_phy_operations es2_p
31956 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
31959 -static struct e1000_nvm_operations es2_nvm_ops = {
31960 +static const struct e1000_nvm_operations es2_nvm_ops = {
31961 .acquire_nvm = e1000_acquire_nvm_80003es2lan,
31962 .read_nvm = e1000e_read_nvm_eerd,
31963 .release_nvm = e1000_release_nvm_80003es2lan,
31964 diff -urNp linux-2.6.32.42/drivers/net/e1000e/hw.h linux-2.6.32.42/drivers/net/e1000e/hw.h
31965 --- linux-2.6.32.42/drivers/net/e1000e/hw.h 2011-03-27 14:31:47.000000000 -0400
31966 +++ linux-2.6.32.42/drivers/net/e1000e/hw.h 2011-04-17 15:56:46.000000000 -0400
31967 @@ -756,34 +756,34 @@ struct e1000_mac_operations {
31969 /* Function pointers for the PHY. */
31970 struct e1000_phy_operations {
31971 - s32 (*acquire_phy)(struct e1000_hw *);
31972 - s32 (*check_polarity)(struct e1000_hw *);
31973 - s32 (*check_reset_block)(struct e1000_hw *);
31974 - s32 (*commit_phy)(struct e1000_hw *);
31975 - s32 (*force_speed_duplex)(struct e1000_hw *);
31976 - s32 (*get_cfg_done)(struct e1000_hw *hw);
31977 - s32 (*get_cable_length)(struct e1000_hw *);
31978 - s32 (*get_phy_info)(struct e1000_hw *);
31979 - s32 (*read_phy_reg)(struct e1000_hw *, u32, u16 *);
31980 - s32 (*read_phy_reg_locked)(struct e1000_hw *, u32, u16 *);
31981 - void (*release_phy)(struct e1000_hw *);
31982 - s32 (*reset_phy)(struct e1000_hw *);
31983 - s32 (*set_d0_lplu_state)(struct e1000_hw *, bool);
31984 - s32 (*set_d3_lplu_state)(struct e1000_hw *, bool);
31985 - s32 (*write_phy_reg)(struct e1000_hw *, u32, u16);
31986 - s32 (*write_phy_reg_locked)(struct e1000_hw *, u32, u16);
31987 - s32 (*cfg_on_link_up)(struct e1000_hw *);
31988 + s32 (* acquire_phy)(struct e1000_hw *);
31989 + s32 (* check_polarity)(struct e1000_hw *);
31990 + s32 (* check_reset_block)(struct e1000_hw *);
31991 + s32 (* commit_phy)(struct e1000_hw *);
31992 + s32 (* force_speed_duplex)(struct e1000_hw *);
31993 + s32 (* get_cfg_done)(struct e1000_hw *hw);
31994 + s32 (* get_cable_length)(struct e1000_hw *);
31995 + s32 (* get_phy_info)(struct e1000_hw *);
31996 + s32 (* read_phy_reg)(struct e1000_hw *, u32, u16 *);
31997 + s32 (* read_phy_reg_locked)(struct e1000_hw *, u32, u16 *);
31998 + void (* release_phy)(struct e1000_hw *);
31999 + s32 (* reset_phy)(struct e1000_hw *);
32000 + s32 (* set_d0_lplu_state)(struct e1000_hw *, bool);
32001 + s32 (* set_d3_lplu_state)(struct e1000_hw *, bool);
32002 + s32 (* write_phy_reg)(struct e1000_hw *, u32, u16);
32003 + s32 (* write_phy_reg_locked)(struct e1000_hw *, u32, u16);
32004 + s32 (* cfg_on_link_up)(struct e1000_hw *);
32007 /* Function pointers for the NVM. */
32008 struct e1000_nvm_operations {
32009 - s32 (*acquire_nvm)(struct e1000_hw *);
32010 - s32 (*read_nvm)(struct e1000_hw *, u16, u16, u16 *);
32011 - void (*release_nvm)(struct e1000_hw *);
32012 - s32 (*update_nvm)(struct e1000_hw *);
32013 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
32014 - s32 (*validate_nvm)(struct e1000_hw *);
32015 - s32 (*write_nvm)(struct e1000_hw *, u16, u16, u16 *);
32016 + s32 (* const acquire_nvm)(struct e1000_hw *);
32017 + s32 (* const read_nvm)(struct e1000_hw *, u16, u16, u16 *);
32018 + void (* const release_nvm)(struct e1000_hw *);
32019 + s32 (* const update_nvm)(struct e1000_hw *);
32020 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
32021 + s32 (* const validate_nvm)(struct e1000_hw *);
32022 + s32 (* const write_nvm)(struct e1000_hw *, u16, u16, u16 *);
32025 struct e1000_mac_info {
32026 diff -urNp linux-2.6.32.42/drivers/net/e1000e/ich8lan.c linux-2.6.32.42/drivers/net/e1000e/ich8lan.c
32027 --- linux-2.6.32.42/drivers/net/e1000e/ich8lan.c 2011-05-10 22:12:01.000000000 -0400
32028 +++ linux-2.6.32.42/drivers/net/e1000e/ich8lan.c 2011-05-10 22:12:32.000000000 -0400
32029 @@ -3463,7 +3463,7 @@ static void e1000_clear_hw_cntrs_ich8lan
32033 -static struct e1000_mac_operations ich8_mac_ops = {
32034 +static const struct e1000_mac_operations ich8_mac_ops = {
32035 .id_led_init = e1000e_id_led_init,
32036 .check_mng_mode = e1000_check_mng_mode_ich8lan,
32037 .check_for_link = e1000_check_for_copper_link_ich8lan,
32038 @@ -3481,7 +3481,7 @@ static struct e1000_mac_operations ich8_
32039 /* id_led_init dependent on mac type */
32042 -static struct e1000_phy_operations ich8_phy_ops = {
32043 +static const struct e1000_phy_operations ich8_phy_ops = {
32044 .acquire_phy = e1000_acquire_swflag_ich8lan,
32045 .check_reset_block = e1000_check_reset_block_ich8lan,
32046 .commit_phy = NULL,
32047 @@ -3497,7 +3497,7 @@ static struct e1000_phy_operations ich8_
32048 .write_phy_reg = e1000e_write_phy_reg_igp,
32051 -static struct e1000_nvm_operations ich8_nvm_ops = {
32052 +static const struct e1000_nvm_operations ich8_nvm_ops = {
32053 .acquire_nvm = e1000_acquire_nvm_ich8lan,
32054 .read_nvm = e1000_read_nvm_ich8lan,
32055 .release_nvm = e1000_release_nvm_ich8lan,
32056 diff -urNp linux-2.6.32.42/drivers/net/hamradio/6pack.c linux-2.6.32.42/drivers/net/hamradio/6pack.c
32057 --- linux-2.6.32.42/drivers/net/hamradio/6pack.c 2011-03-27 14:31:47.000000000 -0400
32058 +++ linux-2.6.32.42/drivers/net/hamradio/6pack.c 2011-05-16 21:46:57.000000000 -0400
32059 @@ -461,6 +461,8 @@ static void sixpack_receive_buf(struct t
32060 unsigned char buf[512];
32063 + pax_track_stack();
32068 diff -urNp linux-2.6.32.42/drivers/net/ibmveth.c linux-2.6.32.42/drivers/net/ibmveth.c
32069 --- linux-2.6.32.42/drivers/net/ibmveth.c 2011-03-27 14:31:47.000000000 -0400
32070 +++ linux-2.6.32.42/drivers/net/ibmveth.c 2011-04-17 15:56:46.000000000 -0400
32071 @@ -1577,7 +1577,7 @@ static struct attribute * veth_pool_attr
32075 -static struct sysfs_ops veth_pool_ops = {
32076 +static const struct sysfs_ops veth_pool_ops = {
32077 .show = veth_pool_show,
32078 .store = veth_pool_store,
32080 diff -urNp linux-2.6.32.42/drivers/net/igb/e1000_82575.c linux-2.6.32.42/drivers/net/igb/e1000_82575.c
32081 --- linux-2.6.32.42/drivers/net/igb/e1000_82575.c 2011-03-27 14:31:47.000000000 -0400
32082 +++ linux-2.6.32.42/drivers/net/igb/e1000_82575.c 2011-04-17 15:56:46.000000000 -0400
32083 @@ -1410,7 +1410,7 @@ void igb_vmdq_set_replication_pf(struct
32084 wr32(E1000_VT_CTL, vt_ctl);
32087 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
32088 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
32089 .reset_hw = igb_reset_hw_82575,
32090 .init_hw = igb_init_hw_82575,
32091 .check_for_link = igb_check_for_link_82575,
32092 @@ -1419,13 +1419,13 @@ static struct e1000_mac_operations e1000
32093 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
32096 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
32097 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
32098 .acquire = igb_acquire_phy_82575,
32099 .get_cfg_done = igb_get_cfg_done_82575,
32100 .release = igb_release_phy_82575,
32103 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
32104 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
32105 .acquire = igb_acquire_nvm_82575,
32106 .read = igb_read_nvm_eerd,
32107 .release = igb_release_nvm_82575,
32108 diff -urNp linux-2.6.32.42/drivers/net/igb/e1000_hw.h linux-2.6.32.42/drivers/net/igb/e1000_hw.h
32109 --- linux-2.6.32.42/drivers/net/igb/e1000_hw.h 2011-03-27 14:31:47.000000000 -0400
32110 +++ linux-2.6.32.42/drivers/net/igb/e1000_hw.h 2011-04-17 15:56:46.000000000 -0400
32111 @@ -305,17 +305,17 @@ struct e1000_phy_operations {
32114 struct e1000_nvm_operations {
32115 - s32 (*acquire)(struct e1000_hw *);
32116 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
32117 - void (*release)(struct e1000_hw *);
32118 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
32119 + s32 (* const acquire)(struct e1000_hw *);
32120 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
32121 + void (* const release)(struct e1000_hw *);
32122 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
32125 struct e1000_info {
32126 s32 (*get_invariants)(struct e1000_hw *);
32127 - struct e1000_mac_operations *mac_ops;
32128 - struct e1000_phy_operations *phy_ops;
32129 - struct e1000_nvm_operations *nvm_ops;
32130 + const struct e1000_mac_operations *mac_ops;
32131 + const struct e1000_phy_operations *phy_ops;
32132 + const struct e1000_nvm_operations *nvm_ops;
32135 extern const struct e1000_info e1000_82575_info;
32136 diff -urNp linux-2.6.32.42/drivers/net/iseries_veth.c linux-2.6.32.42/drivers/net/iseries_veth.c
32137 --- linux-2.6.32.42/drivers/net/iseries_veth.c 2011-03-27 14:31:47.000000000 -0400
32138 +++ linux-2.6.32.42/drivers/net/iseries_veth.c 2011-04-17 15:56:46.000000000 -0400
32139 @@ -384,7 +384,7 @@ static struct attribute *veth_cnx_defaul
32143 -static struct sysfs_ops veth_cnx_sysfs_ops = {
32144 +static const struct sysfs_ops veth_cnx_sysfs_ops = {
32145 .show = veth_cnx_attribute_show
32148 @@ -441,7 +441,7 @@ static struct attribute *veth_port_defau
32152 -static struct sysfs_ops veth_port_sysfs_ops = {
32153 +static const struct sysfs_ops veth_port_sysfs_ops = {
32154 .show = veth_port_attribute_show
32157 diff -urNp linux-2.6.32.42/drivers/net/ixgb/ixgb_main.c linux-2.6.32.42/drivers/net/ixgb/ixgb_main.c
32158 --- linux-2.6.32.42/drivers/net/ixgb/ixgb_main.c 2011-03-27 14:31:47.000000000 -0400
32159 +++ linux-2.6.32.42/drivers/net/ixgb/ixgb_main.c 2011-05-16 21:46:57.000000000 -0400
32160 @@ -1052,6 +1052,8 @@ ixgb_set_multi(struct net_device *netdev
32164 + pax_track_stack();
32166 /* Check for Promiscuous and All Multicast modes */
32168 rctl = IXGB_READ_REG(hw, RCTL);
32169 diff -urNp linux-2.6.32.42/drivers/net/ixgb/ixgb_param.c linux-2.6.32.42/drivers/net/ixgb/ixgb_param.c
32170 --- linux-2.6.32.42/drivers/net/ixgb/ixgb_param.c 2011-03-27 14:31:47.000000000 -0400
32171 +++ linux-2.6.32.42/drivers/net/ixgb/ixgb_param.c 2011-05-16 21:46:57.000000000 -0400
32172 @@ -260,6 +260,9 @@ void __devinit
32173 ixgb_check_options(struct ixgb_adapter *adapter)
32175 int bd = adapter->bd_number;
32177 + pax_track_stack();
32179 if (bd >= IXGB_MAX_NIC) {
32181 "Warning: no configuration for board #%i\n", bd);
32182 diff -urNp linux-2.6.32.42/drivers/net/mlx4/main.c linux-2.6.32.42/drivers/net/mlx4/main.c
32183 --- linux-2.6.32.42/drivers/net/mlx4/main.c 2011-03-27 14:31:47.000000000 -0400
32184 +++ linux-2.6.32.42/drivers/net/mlx4/main.c 2011-05-18 20:09:37.000000000 -0400
32186 #include <linux/errno.h>
32187 #include <linux/pci.h>
32188 #include <linux/dma-mapping.h>
32189 +#include <linux/sched.h>
32191 #include <linux/mlx4/device.h>
32192 #include <linux/mlx4/doorbell.h>
32193 @@ -730,6 +731,8 @@ static int mlx4_init_hca(struct mlx4_dev
32197 + pax_track_stack();
32199 err = mlx4_QUERY_FW(dev);
32201 if (err == -EACCES)
32202 diff -urNp linux-2.6.32.42/drivers/net/niu.c linux-2.6.32.42/drivers/net/niu.c
32203 --- linux-2.6.32.42/drivers/net/niu.c 2011-05-10 22:12:01.000000000 -0400
32204 +++ linux-2.6.32.42/drivers/net/niu.c 2011-05-16 21:46:57.000000000 -0400
32205 @@ -9128,6 +9128,8 @@ static void __devinit niu_try_msix(struc
32206 int i, num_irqs, err;
32209 + pax_track_stack();
32211 first_ldg = (NIU_NUM_LDG / parent->num_ports) * np->port;
32212 for (i = 0; i < (NIU_NUM_LDG / parent->num_ports); i++)
32213 ldg_num_map[i] = first_ldg + i;
32214 diff -urNp linux-2.6.32.42/drivers/net/pcnet32.c linux-2.6.32.42/drivers/net/pcnet32.c
32215 --- linux-2.6.32.42/drivers/net/pcnet32.c 2011-03-27 14:31:47.000000000 -0400
32216 +++ linux-2.6.32.42/drivers/net/pcnet32.c 2011-04-17 15:56:46.000000000 -0400
32217 @@ -79,7 +79,7 @@ static int cards_found;
32219 * VLB I/O addresses
32221 -static unsigned int pcnet32_portlist[] __initdata =
32222 +static unsigned int pcnet32_portlist[] __devinitdata =
32223 { 0x300, 0x320, 0x340, 0x360, 0 };
32225 static int pcnet32_debug = 0;
32226 diff -urNp linux-2.6.32.42/drivers/net/tg3.h linux-2.6.32.42/drivers/net/tg3.h
32227 --- linux-2.6.32.42/drivers/net/tg3.h 2011-03-27 14:31:47.000000000 -0400
32228 +++ linux-2.6.32.42/drivers/net/tg3.h 2011-04-17 15:56:46.000000000 -0400
32230 #define CHIPREV_ID_5750_A0 0x4000
32231 #define CHIPREV_ID_5750_A1 0x4001
32232 #define CHIPREV_ID_5750_A3 0x4003
32233 +#define CHIPREV_ID_5750_C1 0x4201
32234 #define CHIPREV_ID_5750_C2 0x4202
32235 #define CHIPREV_ID_5752_A0_HW 0x5000
32236 #define CHIPREV_ID_5752_A0 0x6000
32237 diff -urNp linux-2.6.32.42/drivers/net/tulip/de2104x.c linux-2.6.32.42/drivers/net/tulip/de2104x.c
32238 --- linux-2.6.32.42/drivers/net/tulip/de2104x.c 2011-03-27 14:31:47.000000000 -0400
32239 +++ linux-2.6.32.42/drivers/net/tulip/de2104x.c 2011-05-16 21:46:57.000000000 -0400
32240 @@ -1785,6 +1785,8 @@ static void __devinit de21041_get_srom_i
32241 struct de_srom_info_leaf *il;
32244 + pax_track_stack();
32246 /* download entire eeprom */
32247 for (i = 0; i < DE_EEPROM_WORDS; i++)
32248 ((__le16 *)ee_data)[i] =
32249 diff -urNp linux-2.6.32.42/drivers/net/tulip/de4x5.c linux-2.6.32.42/drivers/net/tulip/de4x5.c
32250 --- linux-2.6.32.42/drivers/net/tulip/de4x5.c 2011-03-27 14:31:47.000000000 -0400
32251 +++ linux-2.6.32.42/drivers/net/tulip/de4x5.c 2011-04-17 15:56:46.000000000 -0400
32252 @@ -5472,7 +5472,7 @@ de4x5_ioctl(struct net_device *dev, stru
32253 for (i=0; i<ETH_ALEN; i++) {
32254 tmp.addr[i] = dev->dev_addr[i];
32256 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
32257 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
32260 case DE4X5_SET_HWADDR: /* Set the hardware address */
32261 @@ -5512,7 +5512,7 @@ de4x5_ioctl(struct net_device *dev, stru
32262 spin_lock_irqsave(&lp->lock, flags);
32263 memcpy(&statbuf, &lp->pktStats, ioc->len);
32264 spin_unlock_irqrestore(&lp->lock, flags);
32265 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
32266 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
32270 diff -urNp linux-2.6.32.42/drivers/net/usb/hso.c linux-2.6.32.42/drivers/net/usb/hso.c
32271 --- linux-2.6.32.42/drivers/net/usb/hso.c 2011-03-27 14:31:47.000000000 -0400
32272 +++ linux-2.6.32.42/drivers/net/usb/hso.c 2011-04-17 15:56:46.000000000 -0400
32274 #include <asm/byteorder.h>
32275 #include <linux/serial_core.h>
32276 #include <linux/serial.h>
32278 +#include <asm/local.h>
32280 #define DRIVER_VERSION "1.2"
32281 #define MOD_AUTHOR "Option Wireless"
32282 @@ -258,7 +258,7 @@ struct hso_serial {
32284 /* from usb_serial_port */
32285 struct tty_struct *tty;
32287 + local_t open_count;
32288 spinlock_t serial_lock;
32290 int (*write_data) (struct hso_serial *serial);
32291 @@ -1180,7 +1180,7 @@ static void put_rxbuf_data_and_resubmit_
32294 urb = serial->rx_urb[0];
32295 - if (serial->open_count > 0) {
32296 + if (local_read(&serial->open_count) > 0) {
32297 count = put_rxbuf_data(urb, serial);
32300 @@ -1216,7 +1216,7 @@ static void hso_std_serial_read_bulk_cal
32301 DUMP1(urb->transfer_buffer, urb->actual_length);
32303 /* Anyone listening? */
32304 - if (serial->open_count == 0)
32305 + if (local_read(&serial->open_count) == 0)
32309 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
32310 spin_unlock_irq(&serial->serial_lock);
32312 /* check for port already opened, if not set the termios */
32313 - serial->open_count++;
32314 - if (serial->open_count == 1) {
32315 + if (local_inc_return(&serial->open_count) == 1) {
32316 tty->low_latency = 1;
32317 serial->rx_state = RX_IDLE;
32318 /* Force default termio settings */
32319 @@ -1325,7 +1324,7 @@ static int hso_serial_open(struct tty_st
32320 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
32322 hso_stop_serial_device(serial->parent);
32323 - serial->open_count--;
32324 + local_dec(&serial->open_count);
32325 kref_put(&serial->parent->ref, hso_serial_ref_free);
32328 @@ -1362,10 +1361,10 @@ static void hso_serial_close(struct tty_
32330 /* reset the rts and dtr */
32331 /* do the actual close */
32332 - serial->open_count--;
32333 + local_dec(&serial->open_count);
32335 - if (serial->open_count <= 0) {
32336 - serial->open_count = 0;
32337 + if (local_read(&serial->open_count) <= 0) {
32338 + local_set(&serial->open_count, 0);
32339 spin_lock_irq(&serial->serial_lock);
32340 if (serial->tty == tty) {
32341 serial->tty->driver_data = NULL;
32342 @@ -1447,7 +1446,7 @@ static void hso_serial_set_termios(struc
32344 /* the actual setup */
32345 spin_lock_irqsave(&serial->serial_lock, flags);
32346 - if (serial->open_count)
32347 + if (local_read(&serial->open_count))
32348 _hso_serial_set_termios(tty, old);
32350 tty->termios = old;
32351 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
32352 /* Start all serial ports */
32353 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
32354 if (serial_table[i] && (serial_table[i]->interface == iface)) {
32355 - if (dev2ser(serial_table[i])->open_count) {
32356 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
32358 hso_start_serial_device(serial_table[i], GFP_NOIO);
32359 hso_kick_transmit(dev2ser(serial_table[i]));
32360 diff -urNp linux-2.6.32.42/drivers/net/vxge/vxge-main.c linux-2.6.32.42/drivers/net/vxge/vxge-main.c
32361 --- linux-2.6.32.42/drivers/net/vxge/vxge-main.c 2011-03-27 14:31:47.000000000 -0400
32362 +++ linux-2.6.32.42/drivers/net/vxge/vxge-main.c 2011-05-16 21:46:57.000000000 -0400
32363 @@ -93,6 +93,8 @@ static inline void VXGE_COMPLETE_VPATH_T
32364 struct sk_buff *completed[NR_SKB_COMPLETED];
32367 + pax_track_stack();
32371 skb_ptr = completed;
32372 @@ -1779,6 +1781,8 @@ static enum vxge_hw_status vxge_rth_conf
32373 u8 mtable[256] = {0}; /* CPU to vpath mapping */
32376 + pax_track_stack();
32380 * - itable with bucket numbers
32381 diff -urNp linux-2.6.32.42/drivers/net/wan/cycx_x25.c linux-2.6.32.42/drivers/net/wan/cycx_x25.c
32382 --- linux-2.6.32.42/drivers/net/wan/cycx_x25.c 2011-03-27 14:31:47.000000000 -0400
32383 +++ linux-2.6.32.42/drivers/net/wan/cycx_x25.c 2011-05-16 21:46:57.000000000 -0400
32384 @@ -1017,6 +1017,8 @@ static void hex_dump(char *msg, unsigned
32385 unsigned char hex[1024],
32388 + pax_track_stack();
32390 if (len >= (sizeof(hex) / 2))
32391 len = (sizeof(hex) / 2) - 1;
32393 diff -urNp linux-2.6.32.42/drivers/net/wimax/i2400m/usb-fw.c linux-2.6.32.42/drivers/net/wimax/i2400m/usb-fw.c
32394 --- linux-2.6.32.42/drivers/net/wimax/i2400m/usb-fw.c 2011-03-27 14:31:47.000000000 -0400
32395 +++ linux-2.6.32.42/drivers/net/wimax/i2400m/usb-fw.c 2011-05-16 21:46:57.000000000 -0400
32396 @@ -263,6 +263,8 @@ ssize_t i2400mu_bus_bm_wait_for_ack(stru
32398 DECLARE_COMPLETION_ONSTACK(notif_completion);
32400 + pax_track_stack();
32402 d_fnstart(8, dev, "(i2400m %p ack %p size %zu)\n",
32403 i2400m, ack, ack_size);
32404 BUG_ON(_ack == i2400m->bm_ack_buf);
32405 diff -urNp linux-2.6.32.42/drivers/net/wireless/airo.c linux-2.6.32.42/drivers/net/wireless/airo.c
32406 --- linux-2.6.32.42/drivers/net/wireless/airo.c 2011-03-27 14:31:47.000000000 -0400
32407 +++ linux-2.6.32.42/drivers/net/wireless/airo.c 2011-05-16 21:46:57.000000000 -0400
32408 @@ -3003,6 +3003,8 @@ static void airo_process_scan_results (s
32409 BSSListElement * loop_net;
32410 BSSListElement * tmp_net;
32412 + pax_track_stack();
32414 /* Blow away current list of scan results */
32415 list_for_each_entry_safe (loop_net, tmp_net, &ai->network_list, list) {
32416 list_move_tail (&loop_net->list, &ai->network_free_list);
32417 @@ -3783,6 +3785,8 @@ static u16 setup_card(struct airo_info *
32421 + pax_track_stack();
32423 memset( &mySsid, 0, sizeof( mySsid ) );
32426 @@ -4758,6 +4762,8 @@ static int proc_stats_rid_open( struct i
32427 __le32 *vals = stats.vals;
32430 + pax_track_stack();
32432 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
32434 data = (struct proc_data *)file->private_data;
32435 @@ -5487,6 +5493,8 @@ static int proc_BSSList_open( struct ino
32436 /* If doLoseSync is not 1, we won't do a Lose Sync */
32437 int doLoseSync = -1;
32439 + pax_track_stack();
32441 if ((file->private_data = kzalloc(sizeof(struct proc_data ), GFP_KERNEL)) == NULL)
32443 data = (struct proc_data *)file->private_data;
32444 @@ -7193,6 +7201,8 @@ static int airo_get_aplist(struct net_de
32446 int loseSync = capable(CAP_NET_ADMIN) ? 1: -1;
32448 + pax_track_stack();
32450 qual = kmalloc(IW_MAX_AP * sizeof(*qual), GFP_KERNEL);
32453 @@ -7753,6 +7763,8 @@ static void airo_read_wireless_stats(str
32454 CapabilityRid cap_rid;
32455 __le32 *vals = stats_rid.vals;
32457 + pax_track_stack();
32459 /* Get stats out of the card */
32460 clear_bit(JOB_WSTATS, &local->jobs);
32461 if (local->power.event) {
32462 diff -urNp linux-2.6.32.42/drivers/net/wireless/ath/ath5k/debug.c linux-2.6.32.42/drivers/net/wireless/ath/ath5k/debug.c
32463 --- linux-2.6.32.42/drivers/net/wireless/ath/ath5k/debug.c 2011-03-27 14:31:47.000000000 -0400
32464 +++ linux-2.6.32.42/drivers/net/wireless/ath/ath5k/debug.c 2011-05-16 21:46:57.000000000 -0400
32465 @@ -205,6 +205,8 @@ static ssize_t read_file_beacon(struct f
32469 + pax_track_stack();
32471 v = ath5k_hw_reg_read(sc->ah, AR5K_BEACON);
32472 len += snprintf(buf+len, sizeof(buf)-len,
32473 "%-24s0x%08x\tintval: %d\tTIM: 0x%x\n",
32474 @@ -318,6 +320,8 @@ static ssize_t read_file_debug(struct fi
32475 unsigned int len = 0;
32478 + pax_track_stack();
32480 len += snprintf(buf+len, sizeof(buf)-len,
32481 "DEBUG LEVEL: 0x%08x\n\n", sc->debug.level);
32483 diff -urNp linux-2.6.32.42/drivers/net/wireless/ath/ath9k/debug.c linux-2.6.32.42/drivers/net/wireless/ath/ath9k/debug.c
32484 --- linux-2.6.32.42/drivers/net/wireless/ath/ath9k/debug.c 2011-03-27 14:31:47.000000000 -0400
32485 +++ linux-2.6.32.42/drivers/net/wireless/ath/ath9k/debug.c 2011-05-16 21:46:57.000000000 -0400
32486 @@ -220,6 +220,8 @@ static ssize_t read_file_interrupt(struc
32488 unsigned int len = 0;
32490 + pax_track_stack();
32492 len += snprintf(buf + len, sizeof(buf) - len,
32493 "%8s: %10u\n", "RX", sc->debug.stats.istats.rxok);
32494 len += snprintf(buf + len, sizeof(buf) - len,
32495 @@ -360,6 +362,8 @@ static ssize_t read_file_wiphy(struct fi
32499 + pax_track_stack();
32501 len += snprintf(buf + len, sizeof(buf) - len,
32502 "primary: %s (%s chan=%d ht=%d)\n",
32503 wiphy_name(sc->pri_wiphy->hw->wiphy),
32504 diff -urNp linux-2.6.32.42/drivers/net/wireless/b43/debugfs.c linux-2.6.32.42/drivers/net/wireless/b43/debugfs.c
32505 --- linux-2.6.32.42/drivers/net/wireless/b43/debugfs.c 2011-03-27 14:31:47.000000000 -0400
32506 +++ linux-2.6.32.42/drivers/net/wireless/b43/debugfs.c 2011-04-17 15:56:46.000000000 -0400
32507 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
32508 struct b43_debugfs_fops {
32509 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
32510 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
32511 - struct file_operations fops;
32512 + const struct file_operations fops;
32513 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
32514 size_t file_struct_offset;
32516 diff -urNp linux-2.6.32.42/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.32.42/drivers/net/wireless/b43legacy/debugfs.c
32517 --- linux-2.6.32.42/drivers/net/wireless/b43legacy/debugfs.c 2011-03-27 14:31:47.000000000 -0400
32518 +++ linux-2.6.32.42/drivers/net/wireless/b43legacy/debugfs.c 2011-04-17 15:56:46.000000000 -0400
32519 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
32520 struct b43legacy_debugfs_fops {
32521 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
32522 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
32523 - struct file_operations fops;
32524 + const struct file_operations fops;
32525 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
32526 size_t file_struct_offset;
32527 /* Take wl->irq_lock before calling read/write? */
32528 diff -urNp linux-2.6.32.42/drivers/net/wireless/ipw2x00/ipw2100.c linux-2.6.32.42/drivers/net/wireless/ipw2x00/ipw2100.c
32529 --- linux-2.6.32.42/drivers/net/wireless/ipw2x00/ipw2100.c 2011-03-27 14:31:47.000000000 -0400
32530 +++ linux-2.6.32.42/drivers/net/wireless/ipw2x00/ipw2100.c 2011-05-16 21:46:57.000000000 -0400
32531 @@ -2014,6 +2014,8 @@ static int ipw2100_set_essid(struct ipw2
32533 DECLARE_SSID_BUF(ssid);
32535 + pax_track_stack();
32537 IPW_DEBUG_HC("SSID: '%s'\n", print_ssid(ssid, essid, ssid_len));
32540 @@ -5380,6 +5382,8 @@ static int ipw2100_set_key(struct ipw210
32541 struct ipw2100_wep_key *wep_key = (void *)cmd.host_command_parameters;
32544 + pax_track_stack();
32546 IPW_DEBUG_HC("WEP_KEY_INFO: index = %d, len = %d/%d\n",
32549 diff -urNp linux-2.6.32.42/drivers/net/wireless/ipw2x00/libipw_rx.c linux-2.6.32.42/drivers/net/wireless/ipw2x00/libipw_rx.c
32550 --- linux-2.6.32.42/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-03-27 14:31:47.000000000 -0400
32551 +++ linux-2.6.32.42/drivers/net/wireless/ipw2x00/libipw_rx.c 2011-05-16 21:46:57.000000000 -0400
32552 @@ -1566,6 +1566,8 @@ static void libipw_process_probe_respons
32553 unsigned long flags;
32554 DECLARE_SSID_BUF(ssid);
32556 + pax_track_stack();
32558 LIBIPW_DEBUG_SCAN("'%s' (%pM"
32559 "): %c%c%c%c %c%c%c%c-%c%c%c%c %c%c%c%c\n",
32560 print_ssid(ssid, info_element->data, info_element->len),
32561 diff -urNp linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-1000.c linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-1000.c
32562 --- linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-03-27 14:31:47.000000000 -0400
32563 +++ linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-1000.c 2011-04-17 15:56:46.000000000 -0400
32564 @@ -137,7 +137,7 @@ static struct iwl_lib_ops iwl1000_lib =
32568 -static struct iwl_ops iwl1000_ops = {
32569 +static const struct iwl_ops iwl1000_ops = {
32570 .ucode = &iwl5000_ucode,
32571 .lib = &iwl1000_lib,
32572 .hcmd = &iwl5000_hcmd,
32573 diff -urNp linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-3945.c linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-3945.c
32574 --- linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-03-27 14:31:47.000000000 -0400
32575 +++ linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-3945.c 2011-04-17 15:56:46.000000000 -0400
32576 @@ -2874,7 +2874,7 @@ static struct iwl_hcmd_utils_ops iwl3945
32577 .build_addsta_hcmd = iwl3945_build_addsta_hcmd,
32580 -static struct iwl_ops iwl3945_ops = {
32581 +static const struct iwl_ops iwl3945_ops = {
32582 .ucode = &iwl3945_ucode,
32583 .lib = &iwl3945_lib,
32584 .hcmd = &iwl3945_hcmd,
32585 diff -urNp linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-4965.c linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-4965.c
32586 --- linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-03-27 14:31:47.000000000 -0400
32587 +++ linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-4965.c 2011-04-17 15:56:46.000000000 -0400
32588 @@ -2345,7 +2345,7 @@ static struct iwl_lib_ops iwl4965_lib =
32592 -static struct iwl_ops iwl4965_ops = {
32593 +static const struct iwl_ops iwl4965_ops = {
32594 .ucode = &iwl4965_ucode,
32595 .lib = &iwl4965_lib,
32596 .hcmd = &iwl4965_hcmd,
32597 diff -urNp linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-5000.c linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-5000.c
32598 --- linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-06-25 12:55:34.000000000 -0400
32599 +++ linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-5000.c 2011-06-25 12:56:37.000000000 -0400
32600 @@ -1633,14 +1633,14 @@ static struct iwl_lib_ops iwl5150_lib =
32604 -struct iwl_ops iwl5000_ops = {
32605 +const struct iwl_ops iwl5000_ops = {
32606 .ucode = &iwl5000_ucode,
32607 .lib = &iwl5000_lib,
32608 .hcmd = &iwl5000_hcmd,
32609 .utils = &iwl5000_hcmd_utils,
32612 -static struct iwl_ops iwl5150_ops = {
32613 +static const struct iwl_ops iwl5150_ops = {
32614 .ucode = &iwl5000_ucode,
32615 .lib = &iwl5150_lib,
32616 .hcmd = &iwl5000_hcmd,
32617 diff -urNp linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-6000.c linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-6000.c
32618 --- linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-03-27 14:31:47.000000000 -0400
32619 +++ linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-6000.c 2011-04-17 15:56:46.000000000 -0400
32620 @@ -146,7 +146,7 @@ static struct iwl_hcmd_utils_ops iwl6000
32621 .calc_rssi = iwl5000_calc_rssi,
32624 -static struct iwl_ops iwl6000_ops = {
32625 +static const struct iwl_ops iwl6000_ops = {
32626 .ucode = &iwl5000_ucode,
32627 .lib = &iwl6000_lib,
32628 .hcmd = &iwl5000_hcmd,
32629 diff -urNp linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-agn-rs.c linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-agn-rs.c
32630 --- linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-03-27 14:31:47.000000000 -0400
32631 +++ linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-agn-rs.c 2011-05-16 21:46:57.000000000 -0400
32632 @@ -857,6 +857,8 @@ static void rs_tx_status(void *priv_r, s
32633 u8 active_index = 0;
32636 + pax_track_stack();
32638 IWL_DEBUG_RATE_LIMIT(priv, "get frame ack response, update rate scale window\n");
32640 if (!ieee80211_is_data(hdr->frame_control) ||
32641 @@ -2722,6 +2724,8 @@ static void rs_fill_link_cmd(struct iwl_
32642 u8 valid_tx_ant = 0;
32643 struct iwl_link_quality_cmd *lq_cmd = &lq_sta->lq;
32645 + pax_track_stack();
32647 /* Override starting rate (index 0) if needed for debug purposes */
32648 rs_dbgfs_set_mcs(lq_sta, &new_rate, index);
32650 diff -urNp linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-debugfs.c linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-debugfs.c
32651 --- linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-03-27 14:31:47.000000000 -0400
32652 +++ linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-debugfs.c 2011-05-16 21:46:57.000000000 -0400
32653 @@ -524,6 +524,8 @@ static ssize_t iwl_dbgfs_status_read(str
32655 const size_t bufsz = sizeof(buf);
32657 + pax_track_stack();
32659 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_ACTIVE:\t %d\n",
32660 test_bit(STATUS_HCMD_ACTIVE, &priv->status));
32661 pos += scnprintf(buf + pos, bufsz - pos, "STATUS_HCMD_SYNC_ACTIVE: %d\n",
32662 @@ -658,6 +660,8 @@ static ssize_t iwl_dbgfs_qos_read(struct
32663 const size_t bufsz = sizeof(buf);
32666 + pax_track_stack();
32668 for (i = 0; i < AC_NUM; i++) {
32669 pos += scnprintf(buf + pos, bufsz - pos,
32670 "\tcw_min\tcw_max\taifsn\ttxop\n");
32671 diff -urNp linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-debug.h
32672 --- linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-27 14:31:47.000000000 -0400
32673 +++ linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-04-17 15:56:46.000000000 -0400
32674 @@ -118,8 +118,8 @@ void iwl_dbgfs_unregister(struct iwl_pri
32678 -#define IWL_DEBUG(__priv, level, fmt, args...)
32679 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
32680 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
32681 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
32682 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
32685 diff -urNp linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-dev.h linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-dev.h
32686 --- linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-03-27 14:31:47.000000000 -0400
32687 +++ linux-2.6.32.42/drivers/net/wireless/iwlwifi/iwl-dev.h 2011-04-17 15:56:46.000000000 -0400
32688 @@ -68,7 +68,7 @@ struct iwl_tx_queue;
32690 /* shared structures from iwl-5000.c */
32691 extern struct iwl_mod_params iwl50_mod_params;
32692 -extern struct iwl_ops iwl5000_ops;
32693 +extern const struct iwl_ops iwl5000_ops;
32694 extern struct iwl_ucode_ops iwl5000_ucode;
32695 extern struct iwl_lib_ops iwl5000_lib;
32696 extern struct iwl_hcmd_ops iwl5000_hcmd;
32697 diff -urNp linux-2.6.32.42/drivers/net/wireless/iwmc3200wifi/debugfs.c linux-2.6.32.42/drivers/net/wireless/iwmc3200wifi/debugfs.c
32698 --- linux-2.6.32.42/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-03-27 14:31:47.000000000 -0400
32699 +++ linux-2.6.32.42/drivers/net/wireless/iwmc3200wifi/debugfs.c 2011-05-16 21:46:57.000000000 -0400
32700 @@ -299,6 +299,8 @@ static ssize_t iwm_debugfs_fw_err_read(s
32704 + pax_track_stack();
32708 if (count < sizeof(buf))
32709 diff -urNp linux-2.6.32.42/drivers/net/wireless/libertas/debugfs.c linux-2.6.32.42/drivers/net/wireless/libertas/debugfs.c
32710 --- linux-2.6.32.42/drivers/net/wireless/libertas/debugfs.c 2011-03-27 14:31:47.000000000 -0400
32711 +++ linux-2.6.32.42/drivers/net/wireless/libertas/debugfs.c 2011-04-17 15:56:46.000000000 -0400
32712 @@ -708,7 +708,7 @@ out_unlock:
32713 struct lbs_debugfs_files {
32716 - struct file_operations fops;
32717 + const struct file_operations fops;
32720 static const struct lbs_debugfs_files debugfs_files[] = {
32721 diff -urNp linux-2.6.32.42/drivers/net/wireless/rndis_wlan.c linux-2.6.32.42/drivers/net/wireless/rndis_wlan.c
32722 --- linux-2.6.32.42/drivers/net/wireless/rndis_wlan.c 2011-03-27 14:31:47.000000000 -0400
32723 +++ linux-2.6.32.42/drivers/net/wireless/rndis_wlan.c 2011-04-17 15:56:46.000000000 -0400
32724 @@ -1176,7 +1176,7 @@ static int set_rts_threshold(struct usbn
32726 devdbg(usbdev, "set_rts_threshold %i", rts_threshold);
32728 - if (rts_threshold < 0 || rts_threshold > 2347)
32729 + if (rts_threshold > 2347)
32730 rts_threshold = 2347;
32732 tmp = cpu_to_le32(rts_threshold);
32733 diff -urNp linux-2.6.32.42/drivers/oprofile/buffer_sync.c linux-2.6.32.42/drivers/oprofile/buffer_sync.c
32734 --- linux-2.6.32.42/drivers/oprofile/buffer_sync.c 2011-03-27 14:31:47.000000000 -0400
32735 +++ linux-2.6.32.42/drivers/oprofile/buffer_sync.c 2011-04-17 15:56:46.000000000 -0400
32736 @@ -341,7 +341,7 @@ static void add_data(struct op_entry *en
32737 if (cookie == NO_COOKIE)
32739 if (cookie == INVALID_COOKIE) {
32740 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
32741 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
32744 if (cookie != last_cookie) {
32745 @@ -385,14 +385,14 @@ add_sample(struct mm_struct *mm, struct
32746 /* add userspace sample */
32749 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
32750 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
32754 cookie = lookup_dcookie(mm, s->eip, &offset);
32756 if (cookie == INVALID_COOKIE) {
32757 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
32758 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
32762 @@ -561,7 +561,7 @@ void sync_buffer(int cpu)
32763 /* ignore backtraces if failed to add a sample */
32764 if (state == sb_bt_start) {
32765 state = sb_bt_ignore;
32766 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
32767 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
32771 diff -urNp linux-2.6.32.42/drivers/oprofile/event_buffer.c linux-2.6.32.42/drivers/oprofile/event_buffer.c
32772 --- linux-2.6.32.42/drivers/oprofile/event_buffer.c 2011-03-27 14:31:47.000000000 -0400
32773 +++ linux-2.6.32.42/drivers/oprofile/event_buffer.c 2011-04-17 15:56:46.000000000 -0400
32774 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
32777 if (buffer_pos == buffer_size) {
32778 - atomic_inc(&oprofile_stats.event_lost_overflow);
32779 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
32783 diff -urNp linux-2.6.32.42/drivers/oprofile/oprof.c linux-2.6.32.42/drivers/oprofile/oprof.c
32784 --- linux-2.6.32.42/drivers/oprofile/oprof.c 2011-03-27 14:31:47.000000000 -0400
32785 +++ linux-2.6.32.42/drivers/oprofile/oprof.c 2011-04-17 15:56:46.000000000 -0400
32786 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
32787 if (oprofile_ops.switch_events())
32790 - atomic_inc(&oprofile_stats.multiplex_counter);
32791 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
32792 start_switch_worker();
32795 diff -urNp linux-2.6.32.42/drivers/oprofile/oprofilefs.c linux-2.6.32.42/drivers/oprofile/oprofilefs.c
32796 --- linux-2.6.32.42/drivers/oprofile/oprofilefs.c 2011-03-27 14:31:47.000000000 -0400
32797 +++ linux-2.6.32.42/drivers/oprofile/oprofilefs.c 2011-04-17 15:56:46.000000000 -0400
32798 @@ -187,7 +187,7 @@ static const struct file_operations atom
32801 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
32802 - char const *name, atomic_t *val)
32803 + char const *name, atomic_unchecked_t *val)
32805 struct dentry *d = __oprofilefs_create_file(sb, root, name,
32806 &atomic_ro_fops, 0444);
32807 diff -urNp linux-2.6.32.42/drivers/oprofile/oprofile_stats.c linux-2.6.32.42/drivers/oprofile/oprofile_stats.c
32808 --- linux-2.6.32.42/drivers/oprofile/oprofile_stats.c 2011-03-27 14:31:47.000000000 -0400
32809 +++ linux-2.6.32.42/drivers/oprofile/oprofile_stats.c 2011-04-17 15:56:46.000000000 -0400
32810 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
32811 cpu_buf->sample_invalid_eip = 0;
32814 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
32815 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
32816 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
32817 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
32818 - atomic_set(&oprofile_stats.multiplex_counter, 0);
32819 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
32820 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
32821 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
32822 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
32823 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
32827 diff -urNp linux-2.6.32.42/drivers/oprofile/oprofile_stats.h linux-2.6.32.42/drivers/oprofile/oprofile_stats.h
32828 --- linux-2.6.32.42/drivers/oprofile/oprofile_stats.h 2011-03-27 14:31:47.000000000 -0400
32829 +++ linux-2.6.32.42/drivers/oprofile/oprofile_stats.h 2011-04-17 15:56:46.000000000 -0400
32830 @@ -13,11 +13,11 @@
32831 #include <asm/atomic.h>
32833 struct oprofile_stat_struct {
32834 - atomic_t sample_lost_no_mm;
32835 - atomic_t sample_lost_no_mapping;
32836 - atomic_t bt_lost_no_mapping;
32837 - atomic_t event_lost_overflow;
32838 - atomic_t multiplex_counter;
32839 + atomic_unchecked_t sample_lost_no_mm;
32840 + atomic_unchecked_t sample_lost_no_mapping;
32841 + atomic_unchecked_t bt_lost_no_mapping;
32842 + atomic_unchecked_t event_lost_overflow;
32843 + atomic_unchecked_t multiplex_counter;
32846 extern struct oprofile_stat_struct oprofile_stats;
32847 diff -urNp linux-2.6.32.42/drivers/parisc/pdc_stable.c linux-2.6.32.42/drivers/parisc/pdc_stable.c
32848 --- linux-2.6.32.42/drivers/parisc/pdc_stable.c 2011-03-27 14:31:47.000000000 -0400
32849 +++ linux-2.6.32.42/drivers/parisc/pdc_stable.c 2011-04-17 15:56:46.000000000 -0400
32850 @@ -481,7 +481,7 @@ pdcspath_attr_store(struct kobject *kobj
32854 -static struct sysfs_ops pdcspath_attr_ops = {
32855 +static const struct sysfs_ops pdcspath_attr_ops = {
32856 .show = pdcspath_attr_show,
32857 .store = pdcspath_attr_store,
32859 diff -urNp linux-2.6.32.42/drivers/parport/procfs.c linux-2.6.32.42/drivers/parport/procfs.c
32860 --- linux-2.6.32.42/drivers/parport/procfs.c 2011-03-27 14:31:47.000000000 -0400
32861 +++ linux-2.6.32.42/drivers/parport/procfs.c 2011-04-17 15:56:46.000000000 -0400
32862 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
32866 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
32867 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
32870 #ifdef CONFIG_PARPORT_1284
32871 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
32875 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
32876 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
32878 #endif /* IEEE1284.3 support. */
32880 diff -urNp linux-2.6.32.42/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.32.42/drivers/pci/hotplug/acpiphp_glue.c
32881 --- linux-2.6.32.42/drivers/pci/hotplug/acpiphp_glue.c 2011-03-27 14:31:47.000000000 -0400
32882 +++ linux-2.6.32.42/drivers/pci/hotplug/acpiphp_glue.c 2011-04-17 15:56:46.000000000 -0400
32883 @@ -111,7 +111,7 @@ static int post_dock_fixups(struct notif
32887 -static struct acpi_dock_ops acpiphp_dock_ops = {
32888 +static const struct acpi_dock_ops acpiphp_dock_ops = {
32889 .handler = handle_hotplug_event_func,
32892 diff -urNp linux-2.6.32.42/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.32.42/drivers/pci/hotplug/cpqphp_nvram.c
32893 --- linux-2.6.32.42/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-27 14:31:47.000000000 -0400
32894 +++ linux-2.6.32.42/drivers/pci/hotplug/cpqphp_nvram.c 2011-04-17 15:56:46.000000000 -0400
32895 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
32897 void compaq_nvram_init (void __iomem *rom_start)
32900 +#ifndef CONFIG_PAX_KERNEXEC
32902 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
32906 dbg("int15 entry = %p\n", compaq_int15_entry_point);
32908 /* initialize our int15 lock */
32909 diff -urNp linux-2.6.32.42/drivers/pci/hotplug/fakephp.c linux-2.6.32.42/drivers/pci/hotplug/fakephp.c
32910 --- linux-2.6.32.42/drivers/pci/hotplug/fakephp.c 2011-03-27 14:31:47.000000000 -0400
32911 +++ linux-2.6.32.42/drivers/pci/hotplug/fakephp.c 2011-04-17 15:56:46.000000000 -0400
32912 @@ -73,7 +73,7 @@ static void legacy_release(struct kobjec
32915 static struct kobj_type legacy_ktype = {
32916 - .sysfs_ops = &(struct sysfs_ops){
32917 + .sysfs_ops = &(const struct sysfs_ops){
32918 .store = legacy_store, .show = legacy_show
32920 .release = &legacy_release,
32921 diff -urNp linux-2.6.32.42/drivers/pci/intel-iommu.c linux-2.6.32.42/drivers/pci/intel-iommu.c
32922 --- linux-2.6.32.42/drivers/pci/intel-iommu.c 2011-05-10 22:12:01.000000000 -0400
32923 +++ linux-2.6.32.42/drivers/pci/intel-iommu.c 2011-05-10 22:12:33.000000000 -0400
32924 @@ -2643,7 +2643,7 @@ error:
32928 -static dma_addr_t intel_map_page(struct device *dev, struct page *page,
32929 +dma_addr_t intel_map_page(struct device *dev, struct page *page,
32930 unsigned long offset, size_t size,
32931 enum dma_data_direction dir,
32932 struct dma_attrs *attrs)
32933 @@ -2719,7 +2719,7 @@ static void add_unmap(struct dmar_domain
32934 spin_unlock_irqrestore(&async_umap_flush_lock, flags);
32937 -static void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
32938 +void intel_unmap_page(struct device *dev, dma_addr_t dev_addr,
32939 size_t size, enum dma_data_direction dir,
32940 struct dma_attrs *attrs)
32942 @@ -2768,7 +2768,7 @@ static void intel_unmap_page(struct devi
32946 -static void *intel_alloc_coherent(struct device *hwdev, size_t size,
32947 +void *intel_alloc_coherent(struct device *hwdev, size_t size,
32948 dma_addr_t *dma_handle, gfp_t flags)
32951 @@ -2800,7 +2800,7 @@ static void *intel_alloc_coherent(struct
32955 -static void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
32956 +void intel_free_coherent(struct device *hwdev, size_t size, void *vaddr,
32957 dma_addr_t dma_handle)
32960 @@ -2812,7 +2812,7 @@ static void intel_free_coherent(struct d
32961 free_pages((unsigned long)vaddr, order);
32964 -static void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
32965 +void intel_unmap_sg(struct device *hwdev, struct scatterlist *sglist,
32966 int nelems, enum dma_data_direction dir,
32967 struct dma_attrs *attrs)
32969 @@ -2872,7 +2872,7 @@ static int intel_nontranslate_map_sg(str
32973 -static int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
32974 +int intel_map_sg(struct device *hwdev, struct scatterlist *sglist, int nelems,
32975 enum dma_data_direction dir, struct dma_attrs *attrs)
32978 @@ -2941,12 +2941,12 @@ static int intel_map_sg(struct device *h
32982 -static int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
32983 +int intel_mapping_error(struct device *dev, dma_addr_t dma_addr)
32988 -struct dma_map_ops intel_dma_ops = {
32989 +const struct dma_map_ops intel_dma_ops = {
32990 .alloc_coherent = intel_alloc_coherent,
32991 .free_coherent = intel_free_coherent,
32992 .map_sg = intel_map_sg,
32993 diff -urNp linux-2.6.32.42/drivers/pci/pcie/aspm.c linux-2.6.32.42/drivers/pci/pcie/aspm.c
32994 --- linux-2.6.32.42/drivers/pci/pcie/aspm.c 2011-03-27 14:31:47.000000000 -0400
32995 +++ linux-2.6.32.42/drivers/pci/pcie/aspm.c 2011-04-17 15:56:46.000000000 -0400
32997 #define MODULE_PARAM_PREFIX "pcie_aspm."
32999 /* Note: those are not register definitions */
33000 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
33001 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
33002 -#define ASPM_STATE_L1 (4) /* L1 state */
33003 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
33004 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
33005 +#define ASPM_STATE_L1 (4U) /* L1 state */
33006 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
33007 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
33009 diff -urNp linux-2.6.32.42/drivers/pci/probe.c linux-2.6.32.42/drivers/pci/probe.c
33010 --- linux-2.6.32.42/drivers/pci/probe.c 2011-03-27 14:31:47.000000000 -0400
33011 +++ linux-2.6.32.42/drivers/pci/probe.c 2011-04-17 15:56:46.000000000 -0400
33012 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
33016 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
33017 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
33018 struct device_attribute *attr,
33021 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
33024 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
33025 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
33026 struct device_attribute *attr,
33029 diff -urNp linux-2.6.32.42/drivers/pci/proc.c linux-2.6.32.42/drivers/pci/proc.c
33030 --- linux-2.6.32.42/drivers/pci/proc.c 2011-03-27 14:31:47.000000000 -0400
33031 +++ linux-2.6.32.42/drivers/pci/proc.c 2011-04-17 15:56:46.000000000 -0400
33032 @@ -480,7 +480,16 @@ static const struct file_operations proc
33033 static int __init pci_proc_init(void)
33035 struct pci_dev *dev = NULL;
33037 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33038 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33039 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
33040 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33041 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
33044 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
33046 proc_create("devices", 0, proc_bus_pci_dir,
33047 &proc_bus_pci_dev_operations);
33048 proc_initialized = 1;
33049 diff -urNp linux-2.6.32.42/drivers/pci/slot.c linux-2.6.32.42/drivers/pci/slot.c
33050 --- linux-2.6.32.42/drivers/pci/slot.c 2011-03-27 14:31:47.000000000 -0400
33051 +++ linux-2.6.32.42/drivers/pci/slot.c 2011-04-17 15:56:46.000000000 -0400
33052 @@ -29,7 +29,7 @@ static ssize_t pci_slot_attr_store(struc
33053 return attribute->store ? attribute->store(slot, buf, len) : -EIO;
33056 -static struct sysfs_ops pci_slot_sysfs_ops = {
33057 +static const struct sysfs_ops pci_slot_sysfs_ops = {
33058 .show = pci_slot_attr_show,
33059 .store = pci_slot_attr_store,
33061 diff -urNp linux-2.6.32.42/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.32.42/drivers/pcmcia/pcmcia_ioctl.c
33062 --- linux-2.6.32.42/drivers/pcmcia/pcmcia_ioctl.c 2011-03-27 14:31:47.000000000 -0400
33063 +++ linux-2.6.32.42/drivers/pcmcia/pcmcia_ioctl.c 2011-04-17 15:56:46.000000000 -0400
33064 @@ -819,7 +819,7 @@ static int ds_ioctl(struct inode * inode
33068 - buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
33069 + buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
33073 diff -urNp linux-2.6.32.42/drivers/platform/x86/acer-wmi.c linux-2.6.32.42/drivers/platform/x86/acer-wmi.c
33074 --- linux-2.6.32.42/drivers/platform/x86/acer-wmi.c 2011-03-27 14:31:47.000000000 -0400
33075 +++ linux-2.6.32.42/drivers/platform/x86/acer-wmi.c 2011-04-17 15:56:46.000000000 -0400
33076 @@ -918,7 +918,7 @@ static int update_bl_status(struct backl
33080 -static struct backlight_ops acer_bl_ops = {
33081 +static const struct backlight_ops acer_bl_ops = {
33082 .get_brightness = read_brightness,
33083 .update_status = update_bl_status,
33085 diff -urNp linux-2.6.32.42/drivers/platform/x86/asus_acpi.c linux-2.6.32.42/drivers/platform/x86/asus_acpi.c
33086 --- linux-2.6.32.42/drivers/platform/x86/asus_acpi.c 2011-03-27 14:31:47.000000000 -0400
33087 +++ linux-2.6.32.42/drivers/platform/x86/asus_acpi.c 2011-04-17 15:56:46.000000000 -0400
33088 @@ -1396,7 +1396,7 @@ static int asus_hotk_remove(struct acpi_
33092 -static struct backlight_ops asus_backlight_data = {
33093 +static const struct backlight_ops asus_backlight_data = {
33094 .get_brightness = read_brightness,
33095 .update_status = set_brightness_status,
33097 diff -urNp linux-2.6.32.42/drivers/platform/x86/asus-laptop.c linux-2.6.32.42/drivers/platform/x86/asus-laptop.c
33098 --- linux-2.6.32.42/drivers/platform/x86/asus-laptop.c 2011-03-27 14:31:47.000000000 -0400
33099 +++ linux-2.6.32.42/drivers/platform/x86/asus-laptop.c 2011-04-17 15:56:46.000000000 -0400
33100 @@ -250,7 +250,7 @@ static struct backlight_device *asus_bac
33102 static int read_brightness(struct backlight_device *bd);
33103 static int update_bl_status(struct backlight_device *bd);
33104 -static struct backlight_ops asusbl_ops = {
33105 +static const struct backlight_ops asusbl_ops = {
33106 .get_brightness = read_brightness,
33107 .update_status = update_bl_status,
33109 diff -urNp linux-2.6.32.42/drivers/platform/x86/compal-laptop.c linux-2.6.32.42/drivers/platform/x86/compal-laptop.c
33110 --- linux-2.6.32.42/drivers/platform/x86/compal-laptop.c 2011-03-27 14:31:47.000000000 -0400
33111 +++ linux-2.6.32.42/drivers/platform/x86/compal-laptop.c 2011-04-17 15:56:46.000000000 -0400
33112 @@ -163,7 +163,7 @@ static int bl_update_status(struct backl
33113 return set_lcd_level(b->props.brightness);
33116 -static struct backlight_ops compalbl_ops = {
33117 +static const struct backlight_ops compalbl_ops = {
33118 .get_brightness = bl_get_brightness,
33119 .update_status = bl_update_status,
33121 diff -urNp linux-2.6.32.42/drivers/platform/x86/dell-laptop.c linux-2.6.32.42/drivers/platform/x86/dell-laptop.c
33122 --- linux-2.6.32.42/drivers/platform/x86/dell-laptop.c 2011-05-10 22:12:01.000000000 -0400
33123 +++ linux-2.6.32.42/drivers/platform/x86/dell-laptop.c 2011-05-10 22:12:33.000000000 -0400
33124 @@ -318,7 +318,7 @@ static int dell_get_intensity(struct bac
33125 return buffer.output[1];
33128 -static struct backlight_ops dell_ops = {
33129 +static const struct backlight_ops dell_ops = {
33130 .get_brightness = dell_get_intensity,
33131 .update_status = dell_send_intensity,
33133 diff -urNp linux-2.6.32.42/drivers/platform/x86/eeepc-laptop.c linux-2.6.32.42/drivers/platform/x86/eeepc-laptop.c
33134 --- linux-2.6.32.42/drivers/platform/x86/eeepc-laptop.c 2011-03-27 14:31:47.000000000 -0400
33135 +++ linux-2.6.32.42/drivers/platform/x86/eeepc-laptop.c 2011-04-17 15:56:46.000000000 -0400
33136 @@ -245,7 +245,7 @@ static struct device *eeepc_hwmon_device
33138 static int read_brightness(struct backlight_device *bd);
33139 static int update_bl_status(struct backlight_device *bd);
33140 -static struct backlight_ops eeepcbl_ops = {
33141 +static const struct backlight_ops eeepcbl_ops = {
33142 .get_brightness = read_brightness,
33143 .update_status = update_bl_status,
33145 diff -urNp linux-2.6.32.42/drivers/platform/x86/fujitsu-laptop.c linux-2.6.32.42/drivers/platform/x86/fujitsu-laptop.c
33146 --- linux-2.6.32.42/drivers/platform/x86/fujitsu-laptop.c 2011-03-27 14:31:47.000000000 -0400
33147 +++ linux-2.6.32.42/drivers/platform/x86/fujitsu-laptop.c 2011-04-17 15:56:46.000000000 -0400
33148 @@ -436,7 +436,7 @@ static int bl_update_status(struct backl
33152 -static struct backlight_ops fujitsubl_ops = {
33153 +static const struct backlight_ops fujitsubl_ops = {
33154 .get_brightness = bl_get_brightness,
33155 .update_status = bl_update_status,
33157 diff -urNp linux-2.6.32.42/drivers/platform/x86/msi-laptop.c linux-2.6.32.42/drivers/platform/x86/msi-laptop.c
33158 --- linux-2.6.32.42/drivers/platform/x86/msi-laptop.c 2011-03-27 14:31:47.000000000 -0400
33159 +++ linux-2.6.32.42/drivers/platform/x86/msi-laptop.c 2011-04-17 15:56:46.000000000 -0400
33160 @@ -161,7 +161,7 @@ static int bl_update_status(struct backl
33161 return set_lcd_level(b->props.brightness);
33164 -static struct backlight_ops msibl_ops = {
33165 +static const struct backlight_ops msibl_ops = {
33166 .get_brightness = bl_get_brightness,
33167 .update_status = bl_update_status,
33169 diff -urNp linux-2.6.32.42/drivers/platform/x86/panasonic-laptop.c linux-2.6.32.42/drivers/platform/x86/panasonic-laptop.c
33170 --- linux-2.6.32.42/drivers/platform/x86/panasonic-laptop.c 2011-03-27 14:31:47.000000000 -0400
33171 +++ linux-2.6.32.42/drivers/platform/x86/panasonic-laptop.c 2011-04-17 15:56:46.000000000 -0400
33172 @@ -352,7 +352,7 @@ static int bl_set_status(struct backligh
33173 return acpi_pcc_write_sset(pcc, SINF_DC_CUR_BRIGHT, bright);
33176 -static struct backlight_ops pcc_backlight_ops = {
33177 +static const struct backlight_ops pcc_backlight_ops = {
33178 .get_brightness = bl_get,
33179 .update_status = bl_set_status,
33181 diff -urNp linux-2.6.32.42/drivers/platform/x86/sony-laptop.c linux-2.6.32.42/drivers/platform/x86/sony-laptop.c
33182 --- linux-2.6.32.42/drivers/platform/x86/sony-laptop.c 2011-03-27 14:31:47.000000000 -0400
33183 +++ linux-2.6.32.42/drivers/platform/x86/sony-laptop.c 2011-04-17 15:56:46.000000000 -0400
33184 @@ -850,7 +850,7 @@ static int sony_backlight_get_brightness
33187 static struct backlight_device *sony_backlight_device;
33188 -static struct backlight_ops sony_backlight_ops = {
33189 +static const struct backlight_ops sony_backlight_ops = {
33190 .update_status = sony_backlight_update_status,
33191 .get_brightness = sony_backlight_get_brightness,
33193 diff -urNp linux-2.6.32.42/drivers/platform/x86/thinkpad_acpi.c linux-2.6.32.42/drivers/platform/x86/thinkpad_acpi.c
33194 --- linux-2.6.32.42/drivers/platform/x86/thinkpad_acpi.c 2011-03-27 14:31:47.000000000 -0400
33195 +++ linux-2.6.32.42/drivers/platform/x86/thinkpad_acpi.c 2011-04-17 15:56:46.000000000 -0400
33196 @@ -6122,7 +6122,7 @@ static void tpacpi_brightness_notify_cha
33197 BACKLIGHT_UPDATE_HOTKEY);
33200 -static struct backlight_ops ibm_backlight_data = {
33201 +static const struct backlight_ops ibm_backlight_data = {
33202 .get_brightness = brightness_get,
33203 .update_status = brightness_update_status,
33205 diff -urNp linux-2.6.32.42/drivers/platform/x86/toshiba_acpi.c linux-2.6.32.42/drivers/platform/x86/toshiba_acpi.c
33206 --- linux-2.6.32.42/drivers/platform/x86/toshiba_acpi.c 2011-03-27 14:31:47.000000000 -0400
33207 +++ linux-2.6.32.42/drivers/platform/x86/toshiba_acpi.c 2011-04-17 15:56:46.000000000 -0400
33208 @@ -671,7 +671,7 @@ static acpi_status remove_device(void)
33212 -static struct backlight_ops toshiba_backlight_data = {
33213 +static const struct backlight_ops toshiba_backlight_data = {
33214 .get_brightness = get_lcd,
33215 .update_status = set_lcd_status,
33217 diff -urNp linux-2.6.32.42/drivers/pnp/pnpbios/bioscalls.c linux-2.6.32.42/drivers/pnp/pnpbios/bioscalls.c
33218 --- linux-2.6.32.42/drivers/pnp/pnpbios/bioscalls.c 2011-03-27 14:31:47.000000000 -0400
33219 +++ linux-2.6.32.42/drivers/pnp/pnpbios/bioscalls.c 2011-04-17 15:56:46.000000000 -0400
33220 @@ -60,7 +60,7 @@ do { \
33221 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
33224 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
33225 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
33226 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
33229 @@ -97,7 +97,10 @@ static inline u16 call_pnp_bios(u16 func
33232 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
33234 + pax_open_kernel();
33235 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
33236 + pax_close_kernel();
33238 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
33239 spin_lock_irqsave(&pnp_bios_lock, flags);
33240 @@ -135,7 +138,10 @@ static inline u16 call_pnp_bios(u16 func
33242 spin_unlock_irqrestore(&pnp_bios_lock, flags);
33244 + pax_open_kernel();
33245 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
33246 + pax_close_kernel();
33250 /* If we get here and this is set then the PnP BIOS faulted on us. */
33251 @@ -469,7 +475,7 @@ int pnp_bios_read_escd(char *data, u32 n
33255 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
33256 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
33260 @@ -477,6 +483,8 @@ void pnpbios_calls_init(union pnp_bios_i
33261 pnp_bios_callpoint.offset = header->fields.pm16offset;
33262 pnp_bios_callpoint.segment = PNP_CS16;
33264 + pax_open_kernel();
33266 for_each_possible_cpu(i) {
33267 struct desc_struct *gdt = get_cpu_gdt_table(i);
33269 @@ -488,4 +496,6 @@ void pnpbios_calls_init(union pnp_bios_i
33270 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
33271 (unsigned long)__va(header->fields.pm16dseg));
33274 + pax_close_kernel();
33276 diff -urNp linux-2.6.32.42/drivers/pnp/resource.c linux-2.6.32.42/drivers/pnp/resource.c
33277 --- linux-2.6.32.42/drivers/pnp/resource.c 2011-03-27 14:31:47.000000000 -0400
33278 +++ linux-2.6.32.42/drivers/pnp/resource.c 2011-04-17 15:56:46.000000000 -0400
33279 @@ -355,7 +355,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
33282 /* check if the resource is valid */
33283 - if (*irq < 0 || *irq > 15)
33287 /* check if the resource is reserved */
33288 @@ -419,7 +419,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
33291 /* check if the resource is valid */
33292 - if (*dma < 0 || *dma == 4 || *dma > 7)
33293 + if (*dma == 4 || *dma > 7)
33296 /* check if the resource is reserved */
33297 diff -urNp linux-2.6.32.42/drivers/rtc/rtc-dev.c linux-2.6.32.42/drivers/rtc/rtc-dev.c
33298 --- linux-2.6.32.42/drivers/rtc/rtc-dev.c 2011-03-27 14:31:47.000000000 -0400
33299 +++ linux-2.6.32.42/drivers/rtc/rtc-dev.c 2011-04-17 15:56:46.000000000 -0400
33301 #include <linux/module.h>
33302 #include <linux/rtc.h>
33303 #include <linux/sched.h>
33304 +#include <linux/grsecurity.h>
33305 #include "rtc-core.h"
33307 static dev_t rtc_devt;
33308 @@ -357,6 +358,8 @@ static long rtc_dev_ioctl(struct file *f
33309 if (copy_from_user(&tm, uarg, sizeof(tm)))
33312 + gr_log_timechange();
33314 return rtc_set_time(rtc, &tm);
33317 diff -urNp linux-2.6.32.42/drivers/s390/cio/qdio_perf.c linux-2.6.32.42/drivers/s390/cio/qdio_perf.c
33318 --- linux-2.6.32.42/drivers/s390/cio/qdio_perf.c 2011-03-27 14:31:47.000000000 -0400
33319 +++ linux-2.6.32.42/drivers/s390/cio/qdio_perf.c 2011-04-17 15:56:46.000000000 -0400
33320 @@ -31,51 +31,51 @@ static struct proc_dir_entry *qdio_perf_
33321 static int qdio_perf_proc_show(struct seq_file *m, void *v)
33323 seq_printf(m, "Number of qdio interrupts\t\t\t: %li\n",
33324 - (long)atomic_long_read(&perf_stats.qdio_int));
33325 + (long)atomic_long_read_unchecked(&perf_stats.qdio_int));
33326 seq_printf(m, "Number of PCI interrupts\t\t\t: %li\n",
33327 - (long)atomic_long_read(&perf_stats.pci_int));
33328 + (long)atomic_long_read_unchecked(&perf_stats.pci_int));
33329 seq_printf(m, "Number of adapter interrupts\t\t\t: %li\n",
33330 - (long)atomic_long_read(&perf_stats.thin_int));
33331 + (long)atomic_long_read_unchecked(&perf_stats.thin_int));
33332 seq_printf(m, "\n");
33333 seq_printf(m, "Inbound tasklet runs\t\t\t\t: %li\n",
33334 - (long)atomic_long_read(&perf_stats.tasklet_inbound));
33335 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_inbound));
33336 seq_printf(m, "Outbound tasklet runs\t\t\t\t: %li\n",
33337 - (long)atomic_long_read(&perf_stats.tasklet_outbound));
33338 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_outbound));
33339 seq_printf(m, "Adapter interrupt tasklet runs/loops\t\t: %li/%li\n",
33340 - (long)atomic_long_read(&perf_stats.tasklet_thinint),
33341 - (long)atomic_long_read(&perf_stats.tasklet_thinint_loop));
33342 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint),
33343 + (long)atomic_long_read_unchecked(&perf_stats.tasklet_thinint_loop));
33344 seq_printf(m, "Adapter interrupt inbound tasklet runs/loops\t: %li/%li\n",
33345 - (long)atomic_long_read(&perf_stats.thinint_inbound),
33346 - (long)atomic_long_read(&perf_stats.thinint_inbound_loop));
33347 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound),
33348 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop));
33349 seq_printf(m, "\n");
33350 seq_printf(m, "Number of SIGA In issued\t\t\t: %li\n",
33351 - (long)atomic_long_read(&perf_stats.siga_in));
33352 + (long)atomic_long_read_unchecked(&perf_stats.siga_in));
33353 seq_printf(m, "Number of SIGA Out issued\t\t\t: %li\n",
33354 - (long)atomic_long_read(&perf_stats.siga_out));
33355 + (long)atomic_long_read_unchecked(&perf_stats.siga_out));
33356 seq_printf(m, "Number of SIGA Sync issued\t\t\t: %li\n",
33357 - (long)atomic_long_read(&perf_stats.siga_sync));
33358 + (long)atomic_long_read_unchecked(&perf_stats.siga_sync));
33359 seq_printf(m, "\n");
33360 seq_printf(m, "Number of inbound transfers\t\t\t: %li\n",
33361 - (long)atomic_long_read(&perf_stats.inbound_handler));
33362 + (long)atomic_long_read_unchecked(&perf_stats.inbound_handler));
33363 seq_printf(m, "Number of outbound transfers\t\t\t: %li\n",
33364 - (long)atomic_long_read(&perf_stats.outbound_handler));
33365 + (long)atomic_long_read_unchecked(&perf_stats.outbound_handler));
33366 seq_printf(m, "\n");
33367 seq_printf(m, "Number of fast requeues (outg. SBAL w/o SIGA)\t: %li\n",
33368 - (long)atomic_long_read(&perf_stats.fast_requeue));
33369 + (long)atomic_long_read_unchecked(&perf_stats.fast_requeue));
33370 seq_printf(m, "Number of outbound target full condition\t: %li\n",
33371 - (long)atomic_long_read(&perf_stats.outbound_target_full));
33372 + (long)atomic_long_read_unchecked(&perf_stats.outbound_target_full));
33373 seq_printf(m, "Number of outbound tasklet mod_timer calls\t: %li\n",
33374 - (long)atomic_long_read(&perf_stats.debug_tl_out_timer));
33375 + (long)atomic_long_read_unchecked(&perf_stats.debug_tl_out_timer));
33376 seq_printf(m, "Number of stop polling calls\t\t\t: %li\n",
33377 - (long)atomic_long_read(&perf_stats.debug_stop_polling));
33378 + (long)atomic_long_read_unchecked(&perf_stats.debug_stop_polling));
33379 seq_printf(m, "AI inbound tasklet loops after stop polling\t: %li\n",
33380 - (long)atomic_long_read(&perf_stats.thinint_inbound_loop2));
33381 + (long)atomic_long_read_unchecked(&perf_stats.thinint_inbound_loop2));
33382 seq_printf(m, "QEBSM EQBS total/incomplete\t\t\t: %li/%li\n",
33383 - (long)atomic_long_read(&perf_stats.debug_eqbs_all),
33384 - (long)atomic_long_read(&perf_stats.debug_eqbs_incomplete));
33385 + (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_all),
33386 + (long)atomic_long_read_unchecked(&perf_stats.debug_eqbs_incomplete));
33387 seq_printf(m, "QEBSM SQBS total/incomplete\t\t\t: %li/%li\n",
33388 - (long)atomic_long_read(&perf_stats.debug_sqbs_all),
33389 - (long)atomic_long_read(&perf_stats.debug_sqbs_incomplete));
33390 + (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_all),
33391 + (long)atomic_long_read_unchecked(&perf_stats.debug_sqbs_incomplete));
33392 seq_printf(m, "\n");
33395 diff -urNp linux-2.6.32.42/drivers/s390/cio/qdio_perf.h linux-2.6.32.42/drivers/s390/cio/qdio_perf.h
33396 --- linux-2.6.32.42/drivers/s390/cio/qdio_perf.h 2011-03-27 14:31:47.000000000 -0400
33397 +++ linux-2.6.32.42/drivers/s390/cio/qdio_perf.h 2011-04-17 15:56:46.000000000 -0400
33398 @@ -13,46 +13,46 @@
33400 struct qdio_perf_stats {
33401 /* interrupt handler calls */
33402 - atomic_long_t qdio_int;
33403 - atomic_long_t pci_int;
33404 - atomic_long_t thin_int;
33405 + atomic_long_unchecked_t qdio_int;
33406 + atomic_long_unchecked_t pci_int;
33407 + atomic_long_unchecked_t thin_int;
33410 - atomic_long_t tasklet_inbound;
33411 - atomic_long_t tasklet_outbound;
33412 - atomic_long_t tasklet_thinint;
33413 - atomic_long_t tasklet_thinint_loop;
33414 - atomic_long_t thinint_inbound;
33415 - atomic_long_t thinint_inbound_loop;
33416 - atomic_long_t thinint_inbound_loop2;
33417 + atomic_long_unchecked_t tasklet_inbound;
33418 + atomic_long_unchecked_t tasklet_outbound;
33419 + atomic_long_unchecked_t tasklet_thinint;
33420 + atomic_long_unchecked_t tasklet_thinint_loop;
33421 + atomic_long_unchecked_t thinint_inbound;
33422 + atomic_long_unchecked_t thinint_inbound_loop;
33423 + atomic_long_unchecked_t thinint_inbound_loop2;
33425 /* signal adapter calls */
33426 - atomic_long_t siga_out;
33427 - atomic_long_t siga_in;
33428 - atomic_long_t siga_sync;
33429 + atomic_long_unchecked_t siga_out;
33430 + atomic_long_unchecked_t siga_in;
33431 + atomic_long_unchecked_t siga_sync;
33434 - atomic_long_t inbound_handler;
33435 - atomic_long_t outbound_handler;
33436 - atomic_long_t fast_requeue;
33437 - atomic_long_t outbound_target_full;
33438 + atomic_long_unchecked_t inbound_handler;
33439 + atomic_long_unchecked_t outbound_handler;
33440 + atomic_long_unchecked_t fast_requeue;
33441 + atomic_long_unchecked_t outbound_target_full;
33443 /* for debugging */
33444 - atomic_long_t debug_tl_out_timer;
33445 - atomic_long_t debug_stop_polling;
33446 - atomic_long_t debug_eqbs_all;
33447 - atomic_long_t debug_eqbs_incomplete;
33448 - atomic_long_t debug_sqbs_all;
33449 - atomic_long_t debug_sqbs_incomplete;
33450 + atomic_long_unchecked_t debug_tl_out_timer;
33451 + atomic_long_unchecked_t debug_stop_polling;
33452 + atomic_long_unchecked_t debug_eqbs_all;
33453 + atomic_long_unchecked_t debug_eqbs_incomplete;
33454 + atomic_long_unchecked_t debug_sqbs_all;
33455 + atomic_long_unchecked_t debug_sqbs_incomplete;
33458 extern struct qdio_perf_stats perf_stats;
33459 extern int qdio_performance_stats;
33461 -static inline void qdio_perf_stat_inc(atomic_long_t *count)
33462 +static inline void qdio_perf_stat_inc(atomic_long_unchecked_t *count)
33464 if (qdio_performance_stats)
33465 - atomic_long_inc(count);
33466 + atomic_long_inc_unchecked(count);
33469 int qdio_setup_perf_stats(void);
33470 diff -urNp linux-2.6.32.42/drivers/scsi/aacraid/commctrl.c linux-2.6.32.42/drivers/scsi/aacraid/commctrl.c
33471 --- linux-2.6.32.42/drivers/scsi/aacraid/commctrl.c 2011-03-27 14:31:47.000000000 -0400
33472 +++ linux-2.6.32.42/drivers/scsi/aacraid/commctrl.c 2011-05-16 21:46:57.000000000 -0400
33473 @@ -481,6 +481,7 @@ static int aac_send_raw_srb(struct aac_d
33474 u32 actual_fibsize64, actual_fibsize = 0;
33477 + pax_track_stack();
33479 if (dev->in_reset) {
33480 dprintk((KERN_DEBUG"aacraid: send raw srb -EBUSY\n"));
33481 diff -urNp linux-2.6.32.42/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.32.42/drivers/scsi/aic94xx/aic94xx_init.c
33482 --- linux-2.6.32.42/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-27 14:31:47.000000000 -0400
33483 +++ linux-2.6.32.42/drivers/scsi/aic94xx/aic94xx_init.c 2011-04-17 15:56:46.000000000 -0400
33484 @@ -485,7 +485,7 @@ static ssize_t asd_show_update_bios(stru
33485 flash_error_table[i].reason);
33488 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
33489 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
33490 asd_show_update_bios, asd_store_update_bios);
33492 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
33493 diff -urNp linux-2.6.32.42/drivers/scsi/BusLogic.c linux-2.6.32.42/drivers/scsi/BusLogic.c
33494 --- linux-2.6.32.42/drivers/scsi/BusLogic.c 2011-03-27 14:31:47.000000000 -0400
33495 +++ linux-2.6.32.42/drivers/scsi/BusLogic.c 2011-05-16 21:46:57.000000000 -0400
33496 @@ -961,6 +961,8 @@ static int __init BusLogic_InitializeFla
33497 static void __init BusLogic_InitializeProbeInfoList(struct BusLogic_HostAdapter
33498 *PrototypeHostAdapter)
33500 + pax_track_stack();
33503 If a PCI BIOS is present, interrogate it for MultiMaster and FlashPoint
33504 Host Adapters; otherwise, default to the standard ISA MultiMaster probe.
33505 diff -urNp linux-2.6.32.42/drivers/scsi/dpt_i2o.c linux-2.6.32.42/drivers/scsi/dpt_i2o.c
33506 --- linux-2.6.32.42/drivers/scsi/dpt_i2o.c 2011-03-27 14:31:47.000000000 -0400
33507 +++ linux-2.6.32.42/drivers/scsi/dpt_i2o.c 2011-05-16 21:46:57.000000000 -0400
33508 @@ -1804,6 +1804,8 @@ static int adpt_i2o_passthru(adpt_hba* p
33512 + pax_track_stack();
33514 memset(&msg, 0, MAX_MESSAGE_SIZE*4);
33515 // get user msg size in u32s
33516 if(get_user(size, &user_msg[0])){
33517 @@ -2297,6 +2299,8 @@ static s32 adpt_scsi_to_i2o(adpt_hba* pH
33521 + pax_track_stack();
33523 memset(msg, 0 , sizeof(msg));
33524 len = scsi_bufflen(cmd);
33525 direction = 0x00000000;
33526 diff -urNp linux-2.6.32.42/drivers/scsi/eata.c linux-2.6.32.42/drivers/scsi/eata.c
33527 --- linux-2.6.32.42/drivers/scsi/eata.c 2011-03-27 14:31:47.000000000 -0400
33528 +++ linux-2.6.32.42/drivers/scsi/eata.c 2011-05-16 21:46:57.000000000 -0400
33529 @@ -1087,6 +1087,8 @@ static int port_detect(unsigned long por
33530 struct hostdata *ha;
33533 + pax_track_stack();
33535 sprintf(name, "%s%d", driver_name, j);
33537 if (!request_region(port_base, REGION_SIZE, driver_name)) {
33538 diff -urNp linux-2.6.32.42/drivers/scsi/fcoe/libfcoe.c linux-2.6.32.42/drivers/scsi/fcoe/libfcoe.c
33539 --- linux-2.6.32.42/drivers/scsi/fcoe/libfcoe.c 2011-03-27 14:31:47.000000000 -0400
33540 +++ linux-2.6.32.42/drivers/scsi/fcoe/libfcoe.c 2011-05-16 21:46:57.000000000 -0400
33541 @@ -809,6 +809,8 @@ static void fcoe_ctlr_recv_els(struct fc
33545 + pax_track_stack();
33547 fiph = (struct fip_header *)skb->data;
33548 sub = fiph->fip_subcode;
33549 if (sub != FIP_SC_REQ && sub != FIP_SC_REP)
33550 diff -urNp linux-2.6.32.42/drivers/scsi/gdth.c linux-2.6.32.42/drivers/scsi/gdth.c
33551 --- linux-2.6.32.42/drivers/scsi/gdth.c 2011-03-27 14:31:47.000000000 -0400
33552 +++ linux-2.6.32.42/drivers/scsi/gdth.c 2011-05-16 21:46:57.000000000 -0400
33553 @@ -4102,6 +4102,8 @@ static int ioc_lockdrv(void __user *arg)
33557 + pax_track_stack();
33559 if (copy_from_user(&ldrv, arg, sizeof(gdth_ioctl_lockdrv)))
33561 ha = gdth_find_ha(ldrv.ionode);
33562 @@ -4134,6 +4136,8 @@ static int ioc_resetdrv(void __user *arg
33566 + pax_track_stack();
33568 if (copy_from_user(&res, arg, sizeof(gdth_ioctl_reset)) ||
33569 res.number >= MAX_HDRIVES)
33571 @@ -4169,6 +4173,8 @@ static int ioc_general(void __user *arg,
33575 + pax_track_stack();
33577 if (copy_from_user(&gen, arg, sizeof(gdth_ioctl_general)))
33579 ha = gdth_find_ha(gen.ionode);
33580 @@ -4625,6 +4631,9 @@ static void gdth_flush(gdth_ha_str *ha)
33582 gdth_cmd_str gdtcmd;
33583 char cmnd[MAX_COMMAND_SIZE];
33585 + pax_track_stack();
33587 memset(cmnd, 0xff, MAX_COMMAND_SIZE);
33589 TRACE2(("gdth_flush() hanum %d\n", ha->hanum));
33590 diff -urNp linux-2.6.32.42/drivers/scsi/gdth_proc.c linux-2.6.32.42/drivers/scsi/gdth_proc.c
33591 --- linux-2.6.32.42/drivers/scsi/gdth_proc.c 2011-03-27 14:31:47.000000000 -0400
33592 +++ linux-2.6.32.42/drivers/scsi/gdth_proc.c 2011-05-16 21:46:57.000000000 -0400
33593 @@ -46,6 +46,9 @@ static int gdth_set_asc_info(struct Scsi
33596 char cmnd[MAX_COMMAND_SIZE];
33598 + pax_track_stack();
33600 memset(cmnd, 0xff, 12);
33601 memset(&gdtcmd, 0, sizeof(gdth_cmd_str));
33603 @@ -174,6 +177,8 @@ static int gdth_get_info(char *buffer,ch
33604 gdth_hget_str *phg;
33605 char cmnd[MAX_COMMAND_SIZE];
33607 + pax_track_stack();
33609 gdtcmd = kmalloc(sizeof(*gdtcmd), GFP_KERNEL);
33610 estr = kmalloc(sizeof(*estr), GFP_KERNEL);
33611 if (!gdtcmd || !estr)
33612 diff -urNp linux-2.6.32.42/drivers/scsi/hosts.c linux-2.6.32.42/drivers/scsi/hosts.c
33613 --- linux-2.6.32.42/drivers/scsi/hosts.c 2011-03-27 14:31:47.000000000 -0400
33614 +++ linux-2.6.32.42/drivers/scsi/hosts.c 2011-05-04 17:56:28.000000000 -0400
33616 #include "scsi_logging.h"
33619 -static atomic_t scsi_host_next_hn; /* host_no for next new host */
33620 +static atomic_unchecked_t scsi_host_next_hn; /* host_no for next new host */
33623 static void scsi_host_cls_release(struct device *dev)
33624 @@ -344,7 +344,7 @@ struct Scsi_Host *scsi_host_alloc(struct
33625 * subtract one because we increment first then return, but we need to
33626 * know what the next host number was before increment
33628 - shost->host_no = atomic_inc_return(&scsi_host_next_hn) - 1;
33629 + shost->host_no = atomic_inc_return_unchecked(&scsi_host_next_hn) - 1;
33630 shost->dma_channel = 0xff;
33632 /* These three are default values which can be overridden */
33633 diff -urNp linux-2.6.32.42/drivers/scsi/ipr.c linux-2.6.32.42/drivers/scsi/ipr.c
33634 --- linux-2.6.32.42/drivers/scsi/ipr.c 2011-03-27 14:31:47.000000000 -0400
33635 +++ linux-2.6.32.42/drivers/scsi/ipr.c 2011-04-17 15:56:46.000000000 -0400
33636 @@ -5286,7 +5286,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
33640 -static struct ata_port_operations ipr_sata_ops = {
33641 +static const struct ata_port_operations ipr_sata_ops = {
33642 .phy_reset = ipr_ata_phy_reset,
33643 .hardreset = ipr_sata_reset,
33644 .post_internal_cmd = ipr_ata_post_internal,
33645 diff -urNp linux-2.6.32.42/drivers/scsi/libfc/fc_exch.c linux-2.6.32.42/drivers/scsi/libfc/fc_exch.c
33646 --- linux-2.6.32.42/drivers/scsi/libfc/fc_exch.c 2011-03-27 14:31:47.000000000 -0400
33647 +++ linux-2.6.32.42/drivers/scsi/libfc/fc_exch.c 2011-04-17 15:56:46.000000000 -0400
33648 @@ -86,12 +86,12 @@ struct fc_exch_mgr {
33649 * all together if not used XXX
33652 - atomic_t no_free_exch;
33653 - atomic_t no_free_exch_xid;
33654 - atomic_t xid_not_found;
33655 - atomic_t xid_busy;
33656 - atomic_t seq_not_found;
33657 - atomic_t non_bls_resp;
33658 + atomic_unchecked_t no_free_exch;
33659 + atomic_unchecked_t no_free_exch_xid;
33660 + atomic_unchecked_t xid_not_found;
33661 + atomic_unchecked_t xid_busy;
33662 + atomic_unchecked_t seq_not_found;
33663 + atomic_unchecked_t non_bls_resp;
33666 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
33667 @@ -510,7 +510,7 @@ static struct fc_exch *fc_exch_em_alloc(
33668 /* allocate memory for exchange */
33669 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
33671 - atomic_inc(&mp->stats.no_free_exch);
33672 + atomic_inc_unchecked(&mp->stats.no_free_exch);
33675 memset(ep, 0, sizeof(*ep));
33676 @@ -557,7 +557,7 @@ out:
33679 spin_unlock_bh(&pool->lock);
33680 - atomic_inc(&mp->stats.no_free_exch_xid);
33681 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
33682 mempool_free(ep, mp->ep_pool);
33685 @@ -690,7 +690,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33686 xid = ntohs(fh->fh_ox_id); /* we originated exch */
33687 ep = fc_exch_find(mp, xid);
33689 - atomic_inc(&mp->stats.xid_not_found);
33690 + atomic_inc_unchecked(&mp->stats.xid_not_found);
33691 reject = FC_RJT_OX_ID;
33694 @@ -720,7 +720,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33695 ep = fc_exch_find(mp, xid);
33696 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
33698 - atomic_inc(&mp->stats.xid_busy);
33699 + atomic_inc_unchecked(&mp->stats.xid_busy);
33700 reject = FC_RJT_RX_ID;
33703 @@ -731,7 +731,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33705 xid = ep->xid; /* get our XID */
33707 - atomic_inc(&mp->stats.xid_not_found);
33708 + atomic_inc_unchecked(&mp->stats.xid_not_found);
33709 reject = FC_RJT_RX_ID; /* XID not found */
33712 @@ -752,7 +752,7 @@ static enum fc_pf_rjt_reason fc_seq_look
33715 if (sp->id != fh->fh_seq_id) {
33716 - atomic_inc(&mp->stats.seq_not_found);
33717 + atomic_inc_unchecked(&mp->stats.seq_not_found);
33718 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
33721 @@ -1163,22 +1163,22 @@ static void fc_exch_recv_seq_resp(struct
33723 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
33725 - atomic_inc(&mp->stats.xid_not_found);
33726 + atomic_inc_unchecked(&mp->stats.xid_not_found);
33729 if (ep->esb_stat & ESB_ST_COMPLETE) {
33730 - atomic_inc(&mp->stats.xid_not_found);
33731 + atomic_inc_unchecked(&mp->stats.xid_not_found);
33734 if (ep->rxid == FC_XID_UNKNOWN)
33735 ep->rxid = ntohs(fh->fh_rx_id);
33736 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
33737 - atomic_inc(&mp->stats.xid_not_found);
33738 + atomic_inc_unchecked(&mp->stats.xid_not_found);
33741 if (ep->did != ntoh24(fh->fh_s_id) &&
33742 ep->did != FC_FID_FLOGI) {
33743 - atomic_inc(&mp->stats.xid_not_found);
33744 + atomic_inc_unchecked(&mp->stats.xid_not_found);
33748 @@ -1189,7 +1189,7 @@ static void fc_exch_recv_seq_resp(struct
33751 if (sp->id != fh->fh_seq_id) {
33752 - atomic_inc(&mp->stats.seq_not_found);
33753 + atomic_inc_unchecked(&mp->stats.seq_not_found);
33757 @@ -1249,9 +1249,9 @@ static void fc_exch_recv_resp(struct fc_
33758 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
33761 - atomic_inc(&mp->stats.xid_not_found);
33762 + atomic_inc_unchecked(&mp->stats.xid_not_found);
33764 - atomic_inc(&mp->stats.non_bls_resp);
33765 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
33769 diff -urNp linux-2.6.32.42/drivers/scsi/libsas/sas_ata.c linux-2.6.32.42/drivers/scsi/libsas/sas_ata.c
33770 --- linux-2.6.32.42/drivers/scsi/libsas/sas_ata.c 2011-03-27 14:31:47.000000000 -0400
33771 +++ linux-2.6.32.42/drivers/scsi/libsas/sas_ata.c 2011-04-23 12:56:11.000000000 -0400
33772 @@ -343,7 +343,7 @@ static int sas_ata_scr_read(struct ata_l
33776 -static struct ata_port_operations sas_sata_ops = {
33777 +static const struct ata_port_operations sas_sata_ops = {
33778 .phy_reset = sas_ata_phy_reset,
33779 .post_internal_cmd = sas_ata_post_internal,
33780 .qc_defer = ata_std_qc_defer,
33781 diff -urNp linux-2.6.32.42/drivers/scsi/lpfc/lpfc_debugfs.c linux-2.6.32.42/drivers/scsi/lpfc/lpfc_debugfs.c
33782 --- linux-2.6.32.42/drivers/scsi/lpfc/lpfc_debugfs.c 2011-03-27 14:31:47.000000000 -0400
33783 +++ linux-2.6.32.42/drivers/scsi/lpfc/lpfc_debugfs.c 2011-05-16 21:46:57.000000000 -0400
33784 @@ -124,7 +124,7 @@ struct lpfc_debug {
33788 -static atomic_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
33789 +static atomic_unchecked_t lpfc_debugfs_seq_trc_cnt = ATOMIC_INIT(0);
33790 static unsigned long lpfc_debugfs_start_time = 0L;
33793 @@ -158,7 +158,7 @@ lpfc_debugfs_disc_trc_data(struct lpfc_v
33794 lpfc_debugfs_enable = 0;
33797 - index = (atomic_read(&vport->disc_trc_cnt) + 1) &
33798 + index = (atomic_read_unchecked(&vport->disc_trc_cnt) + 1) &
33799 (lpfc_debugfs_max_disc_trc - 1);
33800 for (i = index; i < lpfc_debugfs_max_disc_trc; i++) {
33801 dtp = vport->disc_trc + i;
33802 @@ -219,7 +219,7 @@ lpfc_debugfs_slow_ring_trc_data(struct l
33803 lpfc_debugfs_enable = 0;
33806 - index = (atomic_read(&phba->slow_ring_trc_cnt) + 1) &
33807 + index = (atomic_read_unchecked(&phba->slow_ring_trc_cnt) + 1) &
33808 (lpfc_debugfs_max_slow_ring_trc - 1);
33809 for (i = index; i < lpfc_debugfs_max_slow_ring_trc; i++) {
33810 dtp = phba->slow_ring_trc + i;
33811 @@ -397,6 +397,8 @@ lpfc_debugfs_dumpHBASlim_data(struct lpf
33815 + pax_track_stack();
33818 spin_lock_irq(&phba->hbalock);
33820 @@ -634,14 +636,14 @@ lpfc_debugfs_disc_trc(struct lpfc_vport
33821 !vport || !vport->disc_trc)
33824 - index = atomic_inc_return(&vport->disc_trc_cnt) &
33825 + index = atomic_inc_return_unchecked(&vport->disc_trc_cnt) &
33826 (lpfc_debugfs_max_disc_trc - 1);
33827 dtp = vport->disc_trc + index;
33829 dtp->data1 = data1;
33830 dtp->data2 = data2;
33831 dtp->data3 = data3;
33832 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
33833 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
33834 dtp->jif = jiffies;
33837 @@ -672,14 +674,14 @@ lpfc_debugfs_slow_ring_trc(struct lpfc_h
33838 !phba || !phba->slow_ring_trc)
33841 - index = atomic_inc_return(&phba->slow_ring_trc_cnt) &
33842 + index = atomic_inc_return_unchecked(&phba->slow_ring_trc_cnt) &
33843 (lpfc_debugfs_max_slow_ring_trc - 1);
33844 dtp = phba->slow_ring_trc + index;
33846 dtp->data1 = data1;
33847 dtp->data2 = data2;
33848 dtp->data3 = data3;
33849 - dtp->seq_cnt = atomic_inc_return(&lpfc_debugfs_seq_trc_cnt);
33850 + dtp->seq_cnt = atomic_inc_return_unchecked(&lpfc_debugfs_seq_trc_cnt);
33851 dtp->jif = jiffies;
33854 @@ -1364,7 +1366,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
33855 "slow_ring buffer\n");
33858 - atomic_set(&phba->slow_ring_trc_cnt, 0);
33859 + atomic_set_unchecked(&phba->slow_ring_trc_cnt, 0);
33860 memset(phba->slow_ring_trc, 0,
33861 (sizeof(struct lpfc_debugfs_trc) *
33862 lpfc_debugfs_max_slow_ring_trc));
33863 @@ -1410,7 +1412,7 @@ lpfc_debugfs_initialize(struct lpfc_vpor
33867 - atomic_set(&vport->disc_trc_cnt, 0);
33868 + atomic_set_unchecked(&vport->disc_trc_cnt, 0);
33870 snprintf(name, sizeof(name), "discovery_trace");
33871 vport->debug_disc_trc =
33872 diff -urNp linux-2.6.32.42/drivers/scsi/lpfc/lpfc.h linux-2.6.32.42/drivers/scsi/lpfc/lpfc.h
33873 --- linux-2.6.32.42/drivers/scsi/lpfc/lpfc.h 2011-03-27 14:31:47.000000000 -0400
33874 +++ linux-2.6.32.42/drivers/scsi/lpfc/lpfc.h 2011-05-04 17:56:28.000000000 -0400
33875 @@ -400,7 +400,7 @@ struct lpfc_vport {
33876 struct dentry *debug_nodelist;
33877 struct dentry *vport_debugfs_root;
33878 struct lpfc_debugfs_trc *disc_trc;
33879 - atomic_t disc_trc_cnt;
33880 + atomic_unchecked_t disc_trc_cnt;
33882 uint8_t stat_data_enabled;
33883 uint8_t stat_data_blocked;
33884 @@ -725,8 +725,8 @@ struct lpfc_hba {
33885 struct timer_list fabric_block_timer;
33886 unsigned long bit_flags;
33887 #define FABRIC_COMANDS_BLOCKED 0
33888 - atomic_t num_rsrc_err;
33889 - atomic_t num_cmd_success;
33890 + atomic_unchecked_t num_rsrc_err;
33891 + atomic_unchecked_t num_cmd_success;
33892 unsigned long last_rsrc_error_time;
33893 unsigned long last_ramp_down_time;
33894 unsigned long last_ramp_up_time;
33895 @@ -740,7 +740,7 @@ struct lpfc_hba {
33896 struct dentry *debug_dumpDif; /* BlockGuard BPL*/
33897 struct dentry *debug_slow_ring_trc;
33898 struct lpfc_debugfs_trc *slow_ring_trc;
33899 - atomic_t slow_ring_trc_cnt;
33900 + atomic_unchecked_t slow_ring_trc_cnt;
33903 /* Used for deferred freeing of ELS data buffers */
33904 diff -urNp linux-2.6.32.42/drivers/scsi/lpfc/lpfc_scsi.c linux-2.6.32.42/drivers/scsi/lpfc/lpfc_scsi.c
33905 --- linux-2.6.32.42/drivers/scsi/lpfc/lpfc_scsi.c 2011-03-27 14:31:47.000000000 -0400
33906 +++ linux-2.6.32.42/drivers/scsi/lpfc/lpfc_scsi.c 2011-05-04 17:56:28.000000000 -0400
33907 @@ -259,7 +259,7 @@ lpfc_rampdown_queue_depth(struct lpfc_hb
33908 uint32_t evt_posted;
33910 spin_lock_irqsave(&phba->hbalock, flags);
33911 - atomic_inc(&phba->num_rsrc_err);
33912 + atomic_inc_unchecked(&phba->num_rsrc_err);
33913 phba->last_rsrc_error_time = jiffies;
33915 if ((phba->last_ramp_down_time + QUEUE_RAMP_DOWN_INTERVAL) > jiffies) {
33916 @@ -300,7 +300,7 @@ lpfc_rampup_queue_depth(struct lpfc_vpor
33917 unsigned long flags;
33918 struct lpfc_hba *phba = vport->phba;
33919 uint32_t evt_posted;
33920 - atomic_inc(&phba->num_cmd_success);
33921 + atomic_inc_unchecked(&phba->num_cmd_success);
33923 if (vport->cfg_lun_queue_depth <= queue_depth)
33925 @@ -343,8 +343,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
33927 struct lpfc_rport_data *rdata;
33929 - num_rsrc_err = atomic_read(&phba->num_rsrc_err);
33930 - num_cmd_success = atomic_read(&phba->num_cmd_success);
33931 + num_rsrc_err = atomic_read_unchecked(&phba->num_rsrc_err);
33932 + num_cmd_success = atomic_read_unchecked(&phba->num_cmd_success);
33934 vports = lpfc_create_vport_work_array(phba);
33935 if (vports != NULL)
33936 @@ -378,8 +378,8 @@ lpfc_ramp_down_queue_handler(struct lpfc
33939 lpfc_destroy_vport_work_array(phba, vports);
33940 - atomic_set(&phba->num_rsrc_err, 0);
33941 - atomic_set(&phba->num_cmd_success, 0);
33942 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
33943 + atomic_set_unchecked(&phba->num_cmd_success, 0);
33947 @@ -427,8 +427,8 @@ lpfc_ramp_up_queue_handler(struct lpfc_h
33950 lpfc_destroy_vport_work_array(phba, vports);
33951 - atomic_set(&phba->num_rsrc_err, 0);
33952 - atomic_set(&phba->num_cmd_success, 0);
33953 + atomic_set_unchecked(&phba->num_rsrc_err, 0);
33954 + atomic_set_unchecked(&phba->num_cmd_success, 0);
33958 diff -urNp linux-2.6.32.42/drivers/scsi/megaraid/megaraid_mbox.c linux-2.6.32.42/drivers/scsi/megaraid/megaraid_mbox.c
33959 --- linux-2.6.32.42/drivers/scsi/megaraid/megaraid_mbox.c 2011-03-27 14:31:47.000000000 -0400
33960 +++ linux-2.6.32.42/drivers/scsi/megaraid/megaraid_mbox.c 2011-05-16 21:46:57.000000000 -0400
33961 @@ -3503,6 +3503,8 @@ megaraid_cmm_register(adapter_t *adapter
33965 + pax_track_stack();
33967 // Allocate memory for the base list of scb for management module.
33968 adapter->uscb_list = kcalloc(MBOX_MAX_USER_CMDS, sizeof(scb_t), GFP_KERNEL);
33970 diff -urNp linux-2.6.32.42/drivers/scsi/osd/osd_initiator.c linux-2.6.32.42/drivers/scsi/osd/osd_initiator.c
33971 --- linux-2.6.32.42/drivers/scsi/osd/osd_initiator.c 2011-03-27 14:31:47.000000000 -0400
33972 +++ linux-2.6.32.42/drivers/scsi/osd/osd_initiator.c 2011-05-16 21:46:57.000000000 -0400
33973 @@ -94,6 +94,8 @@ static int _osd_print_system_info(struct
33974 int nelem = ARRAY_SIZE(get_attrs), a = 0;
33977 + pax_track_stack();
33979 or = osd_start_request(od, GFP_KERNEL);
33982 diff -urNp linux-2.6.32.42/drivers/scsi/pmcraid.c linux-2.6.32.42/drivers/scsi/pmcraid.c
33983 --- linux-2.6.32.42/drivers/scsi/pmcraid.c 2011-05-10 22:12:01.000000000 -0400
33984 +++ linux-2.6.32.42/drivers/scsi/pmcraid.c 2011-05-10 22:12:33.000000000 -0400
33985 @@ -189,8 +189,8 @@ static int pmcraid_slave_alloc(struct sc
33986 res->scsi_dev = scsi_dev;
33987 scsi_dev->hostdata = res;
33988 res->change_detected = 0;
33989 - atomic_set(&res->read_failures, 0);
33990 - atomic_set(&res->write_failures, 0);
33991 + atomic_set_unchecked(&res->read_failures, 0);
33992 + atomic_set_unchecked(&res->write_failures, 0);
33995 spin_unlock_irqrestore(&pinstance->resource_lock, lock_flags);
33996 @@ -2396,9 +2396,9 @@ static int pmcraid_error_handler(struct
33998 /* If this was a SCSI read/write command keep count of errors */
33999 if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_READ_CMD)
34000 - atomic_inc(&res->read_failures);
34001 + atomic_inc_unchecked(&res->read_failures);
34002 else if (SCSI_CMD_TYPE(scsi_cmd->cmnd[0]) == SCSI_WRITE_CMD)
34003 - atomic_inc(&res->write_failures);
34004 + atomic_inc_unchecked(&res->write_failures);
34006 if (!RES_IS_GSCSI(res->cfg_entry) &&
34007 masked_ioasc != PMCRAID_IOASC_HW_DEVICE_BUS_STATUS_ERROR) {
34008 @@ -4113,7 +4113,7 @@ static void pmcraid_worker_function(stru
34010 pinstance = container_of(workp, struct pmcraid_instance, worker_q);
34011 /* add resources only after host is added into system */
34012 - if (!atomic_read(&pinstance->expose_resources))
34013 + if (!atomic_read_unchecked(&pinstance->expose_resources))
34016 spin_lock_irqsave(&pinstance->resource_lock, lock_flags);
34017 @@ -4847,7 +4847,7 @@ static int __devinit pmcraid_init_instan
34018 init_waitqueue_head(&pinstance->reset_wait_q);
34020 atomic_set(&pinstance->outstanding_cmds, 0);
34021 - atomic_set(&pinstance->expose_resources, 0);
34022 + atomic_set_unchecked(&pinstance->expose_resources, 0);
34024 INIT_LIST_HEAD(&pinstance->free_res_q);
34025 INIT_LIST_HEAD(&pinstance->used_res_q);
34026 @@ -5499,7 +5499,7 @@ static int __devinit pmcraid_probe(
34027 /* Schedule worker thread to handle CCN and take care of adding and
34028 * removing devices to OS
34030 - atomic_set(&pinstance->expose_resources, 1);
34031 + atomic_set_unchecked(&pinstance->expose_resources, 1);
34032 schedule_work(&pinstance->worker_q);
34035 diff -urNp linux-2.6.32.42/drivers/scsi/pmcraid.h linux-2.6.32.42/drivers/scsi/pmcraid.h
34036 --- linux-2.6.32.42/drivers/scsi/pmcraid.h 2011-03-27 14:31:47.000000000 -0400
34037 +++ linux-2.6.32.42/drivers/scsi/pmcraid.h 2011-05-04 17:56:28.000000000 -0400
34038 @@ -690,7 +690,7 @@ struct pmcraid_instance {
34039 atomic_t outstanding_cmds;
34041 /* should add/delete resources to mid-layer now ?*/
34042 - atomic_t expose_resources;
34043 + atomic_unchecked_t expose_resources;
34045 /* Tasklet to handle deferred processing */
34046 struct tasklet_struct isr_tasklet[PMCRAID_NUM_MSIX_VECTORS];
34047 @@ -727,8 +727,8 @@ struct pmcraid_resource_entry {
34048 struct list_head queue; /* link to "to be exposed" resources */
34049 struct pmcraid_config_table_entry cfg_entry;
34050 struct scsi_device *scsi_dev; /* Link scsi_device structure */
34051 - atomic_t read_failures; /* count of failed READ commands */
34052 - atomic_t write_failures; /* count of failed WRITE commands */
34053 + atomic_unchecked_t read_failures; /* count of failed READ commands */
34054 + atomic_unchecked_t write_failures; /* count of failed WRITE commands */
34056 /* To indicate add/delete/modify during CCN */
34057 u8 change_detected;
34058 diff -urNp linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_def.h linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_def.h
34059 --- linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_def.h 2011-03-27 14:31:47.000000000 -0400
34060 +++ linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_def.h 2011-05-04 17:56:28.000000000 -0400
34061 @@ -240,7 +240,7 @@ struct ddb_entry {
34062 atomic_t retry_relogin_timer; /* Min Time between relogins
34064 atomic_t relogin_timer; /* Max Time to wait for relogin to complete */
34065 - atomic_t relogin_retry_count; /* Num of times relogin has been
34066 + atomic_unchecked_t relogin_retry_count; /* Num of times relogin has been
34070 diff -urNp linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_init.c linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_init.c
34071 --- linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_init.c 2011-03-27 14:31:47.000000000 -0400
34072 +++ linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_init.c 2011-05-04 17:56:28.000000000 -0400
34073 @@ -482,7 +482,7 @@ static struct ddb_entry * qla4xxx_alloc_
34074 atomic_set(&ddb_entry->port_down_timer, ha->port_down_retry_count);
34075 atomic_set(&ddb_entry->retry_relogin_timer, INVALID_ENTRY);
34076 atomic_set(&ddb_entry->relogin_timer, 0);
34077 - atomic_set(&ddb_entry->relogin_retry_count, 0);
34078 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
34079 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
34080 list_add_tail(&ddb_entry->list, &ha->ddb_list);
34081 ha->fw_ddb_index_map[fw_ddb_index] = ddb_entry;
34082 @@ -1308,7 +1308,7 @@ int qla4xxx_process_ddb_changed(struct s
34083 atomic_set(&ddb_entry->state, DDB_STATE_ONLINE);
34084 atomic_set(&ddb_entry->port_down_timer,
34085 ha->port_down_retry_count);
34086 - atomic_set(&ddb_entry->relogin_retry_count, 0);
34087 + atomic_set_unchecked(&ddb_entry->relogin_retry_count, 0);
34088 atomic_set(&ddb_entry->relogin_timer, 0);
34089 clear_bit(DF_RELOGIN, &ddb_entry->flags);
34090 clear_bit(DF_NO_RELOGIN, &ddb_entry->flags);
34091 diff -urNp linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_os.c linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_os.c
34092 --- linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_os.c 2011-03-27 14:31:47.000000000 -0400
34093 +++ linux-2.6.32.42/drivers/scsi/qla4xxx/ql4_os.c 2011-05-04 17:56:28.000000000 -0400
34094 @@ -641,13 +641,13 @@ static void qla4xxx_timer(struct scsi_ql
34095 ddb_entry->fw_ddb_device_state ==
34096 DDB_DS_SESSION_FAILED) {
34097 /* Reset retry relogin timer */
34098 - atomic_inc(&ddb_entry->relogin_retry_count);
34099 + atomic_inc_unchecked(&ddb_entry->relogin_retry_count);
34100 DEBUG2(printk("scsi%ld: index[%d] relogin"
34101 " timed out-retrying"
34104 ddb_entry->fw_ddb_index,
34105 - atomic_read(&ddb_entry->
34106 + atomic_read_unchecked(&ddb_entry->
34107 relogin_retry_count))
34110 diff -urNp linux-2.6.32.42/drivers/scsi/scsi.c linux-2.6.32.42/drivers/scsi/scsi.c
34111 --- linux-2.6.32.42/drivers/scsi/scsi.c 2011-03-27 14:31:47.000000000 -0400
34112 +++ linux-2.6.32.42/drivers/scsi/scsi.c 2011-05-04 17:56:28.000000000 -0400
34113 @@ -652,7 +652,7 @@ int scsi_dispatch_cmd(struct scsi_cmnd *
34114 unsigned long timeout;
34117 - atomic_inc(&cmd->device->iorequest_cnt);
34118 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
34120 /* check if the device is still usable */
34121 if (unlikely(cmd->device->sdev_state == SDEV_DEL)) {
34122 diff -urNp linux-2.6.32.42/drivers/scsi/scsi_debug.c linux-2.6.32.42/drivers/scsi/scsi_debug.c
34123 --- linux-2.6.32.42/drivers/scsi/scsi_debug.c 2011-03-27 14:31:47.000000000 -0400
34124 +++ linux-2.6.32.42/drivers/scsi/scsi_debug.c 2011-05-16 21:46:57.000000000 -0400
34125 @@ -1395,6 +1395,8 @@ static int resp_mode_select(struct scsi_
34126 unsigned char arr[SDEBUG_MAX_MSELECT_SZ];
34127 unsigned char *cmd = (unsigned char *)scp->cmnd;
34129 + pax_track_stack();
34131 if ((errsts = check_readiness(scp, 1, devip)))
34133 memset(arr, 0, sizeof(arr));
34134 @@ -1492,6 +1494,8 @@ static int resp_log_sense(struct scsi_cm
34135 unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
34136 unsigned char *cmd = (unsigned char *)scp->cmnd;
34138 + pax_track_stack();
34140 if ((errsts = check_readiness(scp, 1, devip)))
34142 memset(arr, 0, sizeof(arr));
34143 diff -urNp linux-2.6.32.42/drivers/scsi/scsi_lib.c linux-2.6.32.42/drivers/scsi/scsi_lib.c
34144 --- linux-2.6.32.42/drivers/scsi/scsi_lib.c 2011-05-10 22:12:01.000000000 -0400
34145 +++ linux-2.6.32.42/drivers/scsi/scsi_lib.c 2011-05-10 22:12:33.000000000 -0400
34146 @@ -1384,7 +1384,7 @@ static void scsi_kill_request(struct req
34148 scsi_init_cmd_errh(cmd);
34149 cmd->result = DID_NO_CONNECT << 16;
34150 - atomic_inc(&cmd->device->iorequest_cnt);
34151 + atomic_inc_unchecked(&cmd->device->iorequest_cnt);
34154 * SCSI request completion path will do scsi_device_unbusy(),
34155 @@ -1415,9 +1415,9 @@ static void scsi_softirq_done(struct req
34157 cmd->serial_number = 0;
34159 - atomic_inc(&cmd->device->iodone_cnt);
34160 + atomic_inc_unchecked(&cmd->device->iodone_cnt);
34162 - atomic_inc(&cmd->device->ioerr_cnt);
34163 + atomic_inc_unchecked(&cmd->device->ioerr_cnt);
34165 disposition = scsi_decide_disposition(cmd);
34166 if (disposition != SUCCESS &&
34167 diff -urNp linux-2.6.32.42/drivers/scsi/scsi_sysfs.c linux-2.6.32.42/drivers/scsi/scsi_sysfs.c
34168 --- linux-2.6.32.42/drivers/scsi/scsi_sysfs.c 2011-06-25 12:55:34.000000000 -0400
34169 +++ linux-2.6.32.42/drivers/scsi/scsi_sysfs.c 2011-06-25 12:56:37.000000000 -0400
34170 @@ -662,7 +662,7 @@ show_iostat_##field(struct device *dev,
34173 struct scsi_device *sdev = to_scsi_device(dev); \
34174 - unsigned long long count = atomic_read(&sdev->field); \
34175 + unsigned long long count = atomic_read_unchecked(&sdev->field); \
34176 return snprintf(buf, 20, "0x%llx\n", count); \
34178 static DEVICE_ATTR(field, S_IRUGO, show_iostat_##field, NULL)
34179 diff -urNp linux-2.6.32.42/drivers/scsi/scsi_transport_fc.c linux-2.6.32.42/drivers/scsi/scsi_transport_fc.c
34180 --- linux-2.6.32.42/drivers/scsi/scsi_transport_fc.c 2011-03-27 14:31:47.000000000 -0400
34181 +++ linux-2.6.32.42/drivers/scsi/scsi_transport_fc.c 2011-05-04 17:56:28.000000000 -0400
34182 @@ -480,7 +480,7 @@ MODULE_PARM_DESC(dev_loss_tmo,
34183 * Netlink Infrastructure
34186 -static atomic_t fc_event_seq;
34187 +static atomic_unchecked_t fc_event_seq;
34190 * fc_get_event_number - Obtain the next sequential FC event number
34191 @@ -493,7 +493,7 @@ static atomic_t fc_event_seq;
34193 fc_get_event_number(void)
34195 - return atomic_add_return(1, &fc_event_seq);
34196 + return atomic_add_return_unchecked(1, &fc_event_seq);
34198 EXPORT_SYMBOL(fc_get_event_number);
34200 @@ -641,7 +641,7 @@ static __init int fc_transport_init(void
34204 - atomic_set(&fc_event_seq, 0);
34205 + atomic_set_unchecked(&fc_event_seq, 0);
34207 error = transport_class_register(&fc_host_class);
34209 diff -urNp linux-2.6.32.42/drivers/scsi/scsi_transport_iscsi.c linux-2.6.32.42/drivers/scsi/scsi_transport_iscsi.c
34210 --- linux-2.6.32.42/drivers/scsi/scsi_transport_iscsi.c 2011-03-27 14:31:47.000000000 -0400
34211 +++ linux-2.6.32.42/drivers/scsi/scsi_transport_iscsi.c 2011-05-04 17:56:28.000000000 -0400
34212 @@ -81,7 +81,7 @@ struct iscsi_internal {
34213 struct device_attribute *session_attrs[ISCSI_SESSION_ATTRS + 1];
34216 -static atomic_t iscsi_session_nr; /* sysfs session id for next new session */
34217 +static atomic_unchecked_t iscsi_session_nr; /* sysfs session id for next new session */
34218 static struct workqueue_struct *iscsi_eh_timer_workq;
34221 @@ -728,7 +728,7 @@ int iscsi_add_session(struct iscsi_cls_s
34224 ihost = shost->shost_data;
34225 - session->sid = atomic_add_return(1, &iscsi_session_nr);
34226 + session->sid = atomic_add_return_unchecked(1, &iscsi_session_nr);
34228 if (id == ISCSI_MAX_TARGET) {
34229 for (id = 0; id < ISCSI_MAX_TARGET; id++) {
34230 @@ -2060,7 +2060,7 @@ static __init int iscsi_transport_init(v
34231 printk(KERN_INFO "Loading iSCSI transport class v%s.\n",
34232 ISCSI_TRANSPORT_VERSION);
34234 - atomic_set(&iscsi_session_nr, 0);
34235 + atomic_set_unchecked(&iscsi_session_nr, 0);
34237 err = class_register(&iscsi_transport_class);
34239 diff -urNp linux-2.6.32.42/drivers/scsi/scsi_transport_srp.c linux-2.6.32.42/drivers/scsi/scsi_transport_srp.c
34240 --- linux-2.6.32.42/drivers/scsi/scsi_transport_srp.c 2011-03-27 14:31:47.000000000 -0400
34241 +++ linux-2.6.32.42/drivers/scsi/scsi_transport_srp.c 2011-05-04 17:56:28.000000000 -0400
34243 #include "scsi_transport_srp_internal.h"
34245 struct srp_host_attrs {
34246 - atomic_t next_port_id;
34247 + atomic_unchecked_t next_port_id;
34249 #define to_srp_host_attrs(host) ((struct srp_host_attrs *)(host)->shost_data)
34251 @@ -62,7 +62,7 @@ static int srp_host_setup(struct transpo
34252 struct Scsi_Host *shost = dev_to_shost(dev);
34253 struct srp_host_attrs *srp_host = to_srp_host_attrs(shost);
34255 - atomic_set(&srp_host->next_port_id, 0);
34256 + atomic_set_unchecked(&srp_host->next_port_id, 0);
34260 @@ -211,7 +211,7 @@ struct srp_rport *srp_rport_add(struct S
34261 memcpy(rport->port_id, ids->port_id, sizeof(rport->port_id));
34262 rport->roles = ids->roles;
34264 - id = atomic_inc_return(&to_srp_host_attrs(shost)->next_port_id);
34265 + id = atomic_inc_return_unchecked(&to_srp_host_attrs(shost)->next_port_id);
34266 dev_set_name(&rport->dev, "port-%d:%d", shost->host_no, id);
34268 transport_setup_device(&rport->dev);
34269 diff -urNp linux-2.6.32.42/drivers/scsi/sg.c linux-2.6.32.42/drivers/scsi/sg.c
34270 --- linux-2.6.32.42/drivers/scsi/sg.c 2011-03-27 14:31:47.000000000 -0400
34271 +++ linux-2.6.32.42/drivers/scsi/sg.c 2011-04-17 15:56:46.000000000 -0400
34272 @@ -2292,7 +2292,7 @@ struct sg_proc_leaf {
34273 const struct file_operations * fops;
34276 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
34277 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
34278 {"allow_dio", &adio_fops},
34279 {"debug", &debug_fops},
34280 {"def_reserved_size", &dressz_fops},
34281 @@ -2307,7 +2307,7 @@ sg_proc_init(void)
34284 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
34285 - struct sg_proc_leaf * leaf;
34286 + const struct sg_proc_leaf * leaf;
34288 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
34290 diff -urNp linux-2.6.32.42/drivers/scsi/sym53c8xx_2/sym_glue.c linux-2.6.32.42/drivers/scsi/sym53c8xx_2/sym_glue.c
34291 --- linux-2.6.32.42/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-03-27 14:31:47.000000000 -0400
34292 +++ linux-2.6.32.42/drivers/scsi/sym53c8xx_2/sym_glue.c 2011-05-16 21:46:57.000000000 -0400
34293 @@ -1754,6 +1754,8 @@ static int __devinit sym2_probe(struct p
34294 int do_iounmap = 0;
34295 int do_disable_device = 1;
34297 + pax_track_stack();
34299 memset(&sym_dev, 0, sizeof(sym_dev));
34300 memset(&nvram, 0, sizeof(nvram));
34301 sym_dev.pdev = pdev;
34302 diff -urNp linux-2.6.32.42/drivers/serial/kgdboc.c linux-2.6.32.42/drivers/serial/kgdboc.c
34303 --- linux-2.6.32.42/drivers/serial/kgdboc.c 2011-03-27 14:31:47.000000000 -0400
34304 +++ linux-2.6.32.42/drivers/serial/kgdboc.c 2011-04-17 15:56:46.000000000 -0400
34307 #define MAX_CONFIG_LEN 40
34309 -static struct kgdb_io kgdboc_io_ops;
34310 +static const struct kgdb_io kgdboc_io_ops;
34312 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
34313 static int configured = -1;
34314 @@ -154,7 +154,7 @@ static void kgdboc_post_exp_handler(void
34315 module_put(THIS_MODULE);
34318 -static struct kgdb_io kgdboc_io_ops = {
34319 +static const struct kgdb_io kgdboc_io_ops = {
34321 .read_char = kgdboc_get_char,
34322 .write_char = kgdboc_put_char,
34323 diff -urNp linux-2.6.32.42/drivers/spi/spi.c linux-2.6.32.42/drivers/spi/spi.c
34324 --- linux-2.6.32.42/drivers/spi/spi.c 2011-03-27 14:31:47.000000000 -0400
34325 +++ linux-2.6.32.42/drivers/spi/spi.c 2011-05-04 17:56:28.000000000 -0400
34326 @@ -774,7 +774,7 @@ int spi_sync(struct spi_device *spi, str
34327 EXPORT_SYMBOL_GPL(spi_sync);
34329 /* portable code must never pass more than 32 bytes */
34330 -#define SPI_BUFSIZ max(32,SMP_CACHE_BYTES)
34331 +#define SPI_BUFSIZ max(32U,SMP_CACHE_BYTES)
34335 diff -urNp linux-2.6.32.42/drivers/staging/android/binder.c linux-2.6.32.42/drivers/staging/android/binder.c
34336 --- linux-2.6.32.42/drivers/staging/android/binder.c 2011-03-27 14:31:47.000000000 -0400
34337 +++ linux-2.6.32.42/drivers/staging/android/binder.c 2011-04-17 15:56:46.000000000 -0400
34338 @@ -2756,7 +2756,7 @@ static void binder_vma_close(struct vm_a
34339 binder_defer_work(proc, BINDER_DEFERRED_PUT_FILES);
34342 -static struct vm_operations_struct binder_vm_ops = {
34343 +static const struct vm_operations_struct binder_vm_ops = {
34344 .open = binder_vma_open,
34345 .close = binder_vma_close,
34347 diff -urNp linux-2.6.32.42/drivers/staging/b3dfg/b3dfg.c linux-2.6.32.42/drivers/staging/b3dfg/b3dfg.c
34348 --- linux-2.6.32.42/drivers/staging/b3dfg/b3dfg.c 2011-03-27 14:31:47.000000000 -0400
34349 +++ linux-2.6.32.42/drivers/staging/b3dfg/b3dfg.c 2011-04-17 15:56:46.000000000 -0400
34350 @@ -455,7 +455,7 @@ static int b3dfg_vma_fault(struct vm_are
34351 return VM_FAULT_NOPAGE;
34354 -static struct vm_operations_struct b3dfg_vm_ops = {
34355 +static const struct vm_operations_struct b3dfg_vm_ops = {
34356 .fault = b3dfg_vma_fault,
34359 @@ -848,7 +848,7 @@ static int b3dfg_mmap(struct file *filp,
34363 -static struct file_operations b3dfg_fops = {
34364 +static const struct file_operations b3dfg_fops = {
34365 .owner = THIS_MODULE,
34366 .open = b3dfg_open,
34367 .release = b3dfg_release,
34368 diff -urNp linux-2.6.32.42/drivers/staging/comedi/comedi_fops.c linux-2.6.32.42/drivers/staging/comedi/comedi_fops.c
34369 --- linux-2.6.32.42/drivers/staging/comedi/comedi_fops.c 2011-03-27 14:31:47.000000000 -0400
34370 +++ linux-2.6.32.42/drivers/staging/comedi/comedi_fops.c 2011-04-17 15:56:46.000000000 -0400
34371 @@ -1389,7 +1389,7 @@ void comedi_unmap(struct vm_area_struct
34372 mutex_unlock(&dev->mutex);
34375 -static struct vm_operations_struct comedi_vm_ops = {
34376 +static const struct vm_operations_struct comedi_vm_ops = {
34377 .close = comedi_unmap,
34380 diff -urNp linux-2.6.32.42/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.32.42/drivers/staging/dream/qdsp5/adsp_driver.c
34381 --- linux-2.6.32.42/drivers/staging/dream/qdsp5/adsp_driver.c 2011-03-27 14:31:47.000000000 -0400
34382 +++ linux-2.6.32.42/drivers/staging/dream/qdsp5/adsp_driver.c 2011-04-17 15:56:46.000000000 -0400
34383 @@ -576,7 +576,7 @@ static struct adsp_device *inode_to_devi
34384 static dev_t adsp_devno;
34385 static struct class *adsp_class;
34387 -static struct file_operations adsp_fops = {
34388 +static const struct file_operations adsp_fops = {
34389 .owner = THIS_MODULE,
34391 .unlocked_ioctl = adsp_ioctl,
34392 diff -urNp linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_aac.c
34393 --- linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_aac.c 2011-03-27 14:31:47.000000000 -0400
34394 +++ linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_aac.c 2011-04-17 15:56:46.000000000 -0400
34395 @@ -1022,7 +1022,7 @@ done:
34399 -static struct file_operations audio_aac_fops = {
34400 +static const struct file_operations audio_aac_fops = {
34401 .owner = THIS_MODULE,
34402 .open = audio_open,
34403 .release = audio_release,
34404 diff -urNp linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_amrnb.c
34405 --- linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-03-27 14:31:47.000000000 -0400
34406 +++ linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_amrnb.c 2011-04-17 15:56:46.000000000 -0400
34407 @@ -833,7 +833,7 @@ done:
34411 -static struct file_operations audio_amrnb_fops = {
34412 +static const struct file_operations audio_amrnb_fops = {
34413 .owner = THIS_MODULE,
34414 .open = audamrnb_open,
34415 .release = audamrnb_release,
34416 diff -urNp linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_evrc.c
34417 --- linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_evrc.c 2011-03-27 14:31:47.000000000 -0400
34418 +++ linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_evrc.c 2011-04-17 15:56:46.000000000 -0400
34419 @@ -805,7 +805,7 @@ dma_fail:
34423 -static struct file_operations audio_evrc_fops = {
34424 +static const struct file_operations audio_evrc_fops = {
34425 .owner = THIS_MODULE,
34426 .open = audevrc_open,
34427 .release = audevrc_release,
34428 diff -urNp linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_in.c
34429 --- linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_in.c 2011-03-27 14:31:47.000000000 -0400
34430 +++ linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_in.c 2011-04-17 15:56:46.000000000 -0400
34431 @@ -913,7 +913,7 @@ static int audpre_open(struct inode *ino
34435 -static struct file_operations audio_fops = {
34436 +static const struct file_operations audio_fops = {
34437 .owner = THIS_MODULE,
34438 .open = audio_in_open,
34439 .release = audio_in_release,
34440 @@ -922,7 +922,7 @@ static struct file_operations audio_fops
34441 .unlocked_ioctl = audio_in_ioctl,
34444 -static struct file_operations audpre_fops = {
34445 +static const struct file_operations audpre_fops = {
34446 .owner = THIS_MODULE,
34447 .open = audpre_open,
34448 .unlocked_ioctl = audpre_ioctl,
34449 diff -urNp linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_mp3.c
34450 --- linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_mp3.c 2011-03-27 14:31:47.000000000 -0400
34451 +++ linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_mp3.c 2011-04-17 15:56:46.000000000 -0400
34452 @@ -941,7 +941,7 @@ done:
34456 -static struct file_operations audio_mp3_fops = {
34457 +static const struct file_operations audio_mp3_fops = {
34458 .owner = THIS_MODULE,
34459 .open = audio_open,
34460 .release = audio_release,
34461 diff -urNp linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_out.c
34462 --- linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_out.c 2011-03-27 14:31:47.000000000 -0400
34463 +++ linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_out.c 2011-04-17 15:56:46.000000000 -0400
34464 @@ -810,7 +810,7 @@ static int audpp_open(struct inode *inod
34468 -static struct file_operations audio_fops = {
34469 +static const struct file_operations audio_fops = {
34470 .owner = THIS_MODULE,
34471 .open = audio_open,
34472 .release = audio_release,
34473 @@ -819,7 +819,7 @@ static struct file_operations audio_fops
34474 .unlocked_ioctl = audio_ioctl,
34477 -static struct file_operations audpp_fops = {
34478 +static const struct file_operations audpp_fops = {
34479 .owner = THIS_MODULE,
34480 .open = audpp_open,
34481 .unlocked_ioctl = audpp_ioctl,
34482 diff -urNp linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_qcelp.c
34483 --- linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-03-27 14:31:47.000000000 -0400
34484 +++ linux-2.6.32.42/drivers/staging/dream/qdsp5/audio_qcelp.c 2011-04-17 15:56:46.000000000 -0400
34485 @@ -816,7 +816,7 @@ err:
34489 -static struct file_operations audio_qcelp_fops = {
34490 +static const struct file_operations audio_qcelp_fops = {
34491 .owner = THIS_MODULE,
34492 .open = audqcelp_open,
34493 .release = audqcelp_release,
34494 diff -urNp linux-2.6.32.42/drivers/staging/dream/qdsp5/snd.c linux-2.6.32.42/drivers/staging/dream/qdsp5/snd.c
34495 --- linux-2.6.32.42/drivers/staging/dream/qdsp5/snd.c 2011-03-27 14:31:47.000000000 -0400
34496 +++ linux-2.6.32.42/drivers/staging/dream/qdsp5/snd.c 2011-04-17 15:56:46.000000000 -0400
34497 @@ -242,7 +242,7 @@ err:
34501 -static struct file_operations snd_fops = {
34502 +static const struct file_operations snd_fops = {
34503 .owner = THIS_MODULE,
34505 .release = snd_release,
34506 diff -urNp linux-2.6.32.42/drivers/staging/dream/smd/smd_qmi.c linux-2.6.32.42/drivers/staging/dream/smd/smd_qmi.c
34507 --- linux-2.6.32.42/drivers/staging/dream/smd/smd_qmi.c 2011-03-27 14:31:47.000000000 -0400
34508 +++ linux-2.6.32.42/drivers/staging/dream/smd/smd_qmi.c 2011-04-17 15:56:46.000000000 -0400
34509 @@ -793,7 +793,7 @@ static int qmi_release(struct inode *ip,
34513 -static struct file_operations qmi_fops = {
34514 +static const struct file_operations qmi_fops = {
34515 .owner = THIS_MODULE,
34517 .write = qmi_write,
34518 diff -urNp linux-2.6.32.42/drivers/staging/dream/smd/smd_rpcrouter_device.c linux-2.6.32.42/drivers/staging/dream/smd/smd_rpcrouter_device.c
34519 --- linux-2.6.32.42/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-03-27 14:31:47.000000000 -0400
34520 +++ linux-2.6.32.42/drivers/staging/dream/smd/smd_rpcrouter_device.c 2011-04-17 15:56:46.000000000 -0400
34521 @@ -214,7 +214,7 @@ static long rpcrouter_ioctl(struct file
34525 -static struct file_operations rpcrouter_server_fops = {
34526 +static const struct file_operations rpcrouter_server_fops = {
34527 .owner = THIS_MODULE,
34528 .open = rpcrouter_open,
34529 .release = rpcrouter_release,
34530 @@ -224,7 +224,7 @@ static struct file_operations rpcrouter_
34531 .unlocked_ioctl = rpcrouter_ioctl,
34534 -static struct file_operations rpcrouter_router_fops = {
34535 +static const struct file_operations rpcrouter_router_fops = {
34536 .owner = THIS_MODULE,
34537 .open = rpcrouter_open,
34538 .release = rpcrouter_release,
34539 diff -urNp linux-2.6.32.42/drivers/staging/dst/dcore.c linux-2.6.32.42/drivers/staging/dst/dcore.c
34540 --- linux-2.6.32.42/drivers/staging/dst/dcore.c 2011-03-27 14:31:47.000000000 -0400
34541 +++ linux-2.6.32.42/drivers/staging/dst/dcore.c 2011-04-17 15:56:46.000000000 -0400
34542 @@ -149,7 +149,7 @@ static int dst_bdev_release(struct gendi
34546 -static struct block_device_operations dst_blk_ops = {
34547 +static const struct block_device_operations dst_blk_ops = {
34548 .open = dst_bdev_open,
34549 .release = dst_bdev_release,
34550 .owner = THIS_MODULE,
34551 @@ -588,7 +588,7 @@ static struct dst_node *dst_alloc_node(s
34552 n->size = ctl->size;
34554 atomic_set(&n->refcnt, 1);
34555 - atomic_long_set(&n->gen, 0);
34556 + atomic_long_set_unchecked(&n->gen, 0);
34557 snprintf(n->name, sizeof(n->name), "%s", ctl->name);
34559 err = dst_node_sysfs_init(n);
34560 diff -urNp linux-2.6.32.42/drivers/staging/dst/trans.c linux-2.6.32.42/drivers/staging/dst/trans.c
34561 --- linux-2.6.32.42/drivers/staging/dst/trans.c 2011-03-27 14:31:47.000000000 -0400
34562 +++ linux-2.6.32.42/drivers/staging/dst/trans.c 2011-04-17 15:56:46.000000000 -0400
34563 @@ -169,7 +169,7 @@ int dst_process_bio(struct dst_node *n,
34566 atomic_set(&t->refcnt, 1);
34567 - t->gen = atomic_long_inc_return(&n->gen);
34568 + t->gen = atomic_long_inc_return_unchecked(&n->gen);
34570 t->enc = bio_data_dir(bio);
34571 dst_bio_to_cmd(bio, &t->cmd, DST_IO, t->gen);
34572 diff -urNp linux-2.6.32.42/drivers/staging/et131x/et1310_tx.c linux-2.6.32.42/drivers/staging/et131x/et1310_tx.c
34573 --- linux-2.6.32.42/drivers/staging/et131x/et1310_tx.c 2011-03-27 14:31:47.000000000 -0400
34574 +++ linux-2.6.32.42/drivers/staging/et131x/et1310_tx.c 2011-05-04 17:56:28.000000000 -0400
34575 @@ -710,11 +710,11 @@ inline void et131x_free_send_packet(stru
34576 struct net_device_stats *stats = &etdev->net_stats;
34578 if (pMpTcb->Flags & fMP_DEST_BROAD)
34579 - atomic_inc(&etdev->Stats.brdcstxmt);
34580 + atomic_inc_unchecked(&etdev->Stats.brdcstxmt);
34581 else if (pMpTcb->Flags & fMP_DEST_MULTI)
34582 - atomic_inc(&etdev->Stats.multixmt);
34583 + atomic_inc_unchecked(&etdev->Stats.multixmt);
34585 - atomic_inc(&etdev->Stats.unixmt);
34586 + atomic_inc_unchecked(&etdev->Stats.unixmt);
34588 if (pMpTcb->Packet) {
34589 stats->tx_bytes += pMpTcb->Packet->len;
34590 diff -urNp linux-2.6.32.42/drivers/staging/et131x/et131x_adapter.h linux-2.6.32.42/drivers/staging/et131x/et131x_adapter.h
34591 --- linux-2.6.32.42/drivers/staging/et131x/et131x_adapter.h 2011-03-27 14:31:47.000000000 -0400
34592 +++ linux-2.6.32.42/drivers/staging/et131x/et131x_adapter.h 2011-05-04 17:56:28.000000000 -0400
34593 @@ -145,11 +145,11 @@ typedef struct _ce_stats_t {
34596 u32 unircv; /* # multicast packets received */
34597 - atomic_t unixmt; /* # multicast packets for Tx */
34598 + atomic_unchecked_t unixmt; /* # multicast packets for Tx */
34599 u32 multircv; /* # multicast packets received */
34600 - atomic_t multixmt; /* # multicast packets for Tx */
34601 + atomic_unchecked_t multixmt; /* # multicast packets for Tx */
34602 u32 brdcstrcv; /* # broadcast packets received */
34603 - atomic_t brdcstxmt; /* # broadcast packets for Tx */
34604 + atomic_unchecked_t brdcstxmt; /* # broadcast packets for Tx */
34605 u32 norcvbuf; /* # Rx packets discarded */
34606 u32 noxmtbuf; /* # Tx packets discarded */
34608 diff -urNp linux-2.6.32.42/drivers/staging/go7007/go7007-v4l2.c linux-2.6.32.42/drivers/staging/go7007/go7007-v4l2.c
34609 --- linux-2.6.32.42/drivers/staging/go7007/go7007-v4l2.c 2011-03-27 14:31:47.000000000 -0400
34610 +++ linux-2.6.32.42/drivers/staging/go7007/go7007-v4l2.c 2011-04-17 15:56:46.000000000 -0400
34611 @@ -1700,7 +1700,7 @@ static int go7007_vm_fault(struct vm_are
34615 -static struct vm_operations_struct go7007_vm_ops = {
34616 +static const struct vm_operations_struct go7007_vm_ops = {
34617 .open = go7007_vm_open,
34618 .close = go7007_vm_close,
34619 .fault = go7007_vm_fault,
34620 diff -urNp linux-2.6.32.42/drivers/staging/hv/blkvsc_drv.c linux-2.6.32.42/drivers/staging/hv/blkvsc_drv.c
34621 --- linux-2.6.32.42/drivers/staging/hv/blkvsc_drv.c 2011-03-27 14:31:47.000000000 -0400
34622 +++ linux-2.6.32.42/drivers/staging/hv/blkvsc_drv.c 2011-04-17 15:56:46.000000000 -0400
34623 @@ -153,7 +153,7 @@ static int blkvsc_ringbuffer_size = BLKV
34624 /* The one and only one */
34625 static struct blkvsc_driver_context g_blkvsc_drv;
34627 -static struct block_device_operations block_ops = {
34628 +static const struct block_device_operations block_ops = {
34629 .owner = THIS_MODULE,
34630 .open = blkvsc_open,
34631 .release = blkvsc_release,
34632 diff -urNp linux-2.6.32.42/drivers/staging/hv/Channel.c linux-2.6.32.42/drivers/staging/hv/Channel.c
34633 --- linux-2.6.32.42/drivers/staging/hv/Channel.c 2011-04-17 17:00:52.000000000 -0400
34634 +++ linux-2.6.32.42/drivers/staging/hv/Channel.c 2011-05-04 17:56:28.000000000 -0400
34635 @@ -464,8 +464,8 @@ int VmbusChannelEstablishGpadl(struct vm
34637 DPRINT_ENTER(VMBUS);
34639 - nextGpadlHandle = atomic_read(&gVmbusConnection.NextGpadlHandle);
34640 - atomic_inc(&gVmbusConnection.NextGpadlHandle);
34641 + nextGpadlHandle = atomic_read_unchecked(&gVmbusConnection.NextGpadlHandle);
34642 + atomic_inc_unchecked(&gVmbusConnection.NextGpadlHandle);
34644 VmbusChannelCreateGpadlHeader(Kbuffer, Size, &msgInfo, &msgCount);
34645 ASSERT(msgInfo != NULL);
34646 diff -urNp linux-2.6.32.42/drivers/staging/hv/Hv.c linux-2.6.32.42/drivers/staging/hv/Hv.c
34647 --- linux-2.6.32.42/drivers/staging/hv/Hv.c 2011-03-27 14:31:47.000000000 -0400
34648 +++ linux-2.6.32.42/drivers/staging/hv/Hv.c 2011-04-17 15:56:46.000000000 -0400
34649 @@ -161,7 +161,7 @@ static u64 HvDoHypercall(u64 Control, vo
34650 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
34651 u32 outputAddressHi = outputAddress >> 32;
34652 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
34653 - volatile void *hypercallPage = gHvContext.HypercallPage;
34654 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
34656 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
34657 Control, Input, Output);
34658 diff -urNp linux-2.6.32.42/drivers/staging/hv/vmbus_drv.c linux-2.6.32.42/drivers/staging/hv/vmbus_drv.c
34659 --- linux-2.6.32.42/drivers/staging/hv/vmbus_drv.c 2011-03-27 14:31:47.000000000 -0400
34660 +++ linux-2.6.32.42/drivers/staging/hv/vmbus_drv.c 2011-05-04 17:56:28.000000000 -0400
34661 @@ -532,7 +532,7 @@ static int vmbus_child_device_register(s
34662 to_device_context(root_device_obj);
34663 struct device_context *child_device_ctx =
34664 to_device_context(child_device_obj);
34665 - static atomic_t device_num = ATOMIC_INIT(0);
34666 + static atomic_unchecked_t device_num = ATOMIC_INIT(0);
34668 DPRINT_ENTER(VMBUS_DRV);
34670 @@ -541,7 +541,7 @@ static int vmbus_child_device_register(s
34672 /* Set the device name. Otherwise, device_register() will fail. */
34673 dev_set_name(&child_device_ctx->device, "vmbus_0_%d",
34674 - atomic_inc_return(&device_num));
34675 + atomic_inc_return_unchecked(&device_num));
34677 /* The new device belongs to this bus */
34678 child_device_ctx->device.bus = &g_vmbus_drv.bus; /* device->dev.bus; */
34679 diff -urNp linux-2.6.32.42/drivers/staging/hv/VmbusPrivate.h linux-2.6.32.42/drivers/staging/hv/VmbusPrivate.h
34680 --- linux-2.6.32.42/drivers/staging/hv/VmbusPrivate.h 2011-04-17 17:00:52.000000000 -0400
34681 +++ linux-2.6.32.42/drivers/staging/hv/VmbusPrivate.h 2011-05-04 17:56:28.000000000 -0400
34682 @@ -59,7 +59,7 @@ enum VMBUS_CONNECT_STATE {
34683 struct VMBUS_CONNECTION {
34684 enum VMBUS_CONNECT_STATE ConnectState;
34686 - atomic_t NextGpadlHandle;
34687 + atomic_unchecked_t NextGpadlHandle;
34690 * Represents channel interrupts. Each bit position represents a
34691 diff -urNp linux-2.6.32.42/drivers/staging/octeon/ethernet.c linux-2.6.32.42/drivers/staging/octeon/ethernet.c
34692 --- linux-2.6.32.42/drivers/staging/octeon/ethernet.c 2011-03-27 14:31:47.000000000 -0400
34693 +++ linux-2.6.32.42/drivers/staging/octeon/ethernet.c 2011-05-04 17:56:28.000000000 -0400
34694 @@ -294,11 +294,11 @@ static struct net_device_stats *cvm_oct_
34695 * since the RX tasklet also increments it.
34697 #ifdef CONFIG_64BIT
34698 - atomic64_add(rx_status.dropped_packets,
34699 - (atomic64_t *)&priv->stats.rx_dropped);
34700 + atomic64_add_unchecked(rx_status.dropped_packets,
34701 + (atomic64_unchecked_t *)&priv->stats.rx_dropped);
34703 - atomic_add(rx_status.dropped_packets,
34704 - (atomic_t *)&priv->stats.rx_dropped);
34705 + atomic_add_unchecked(rx_status.dropped_packets,
34706 + (atomic_unchecked_t *)&priv->stats.rx_dropped);
34710 diff -urNp linux-2.6.32.42/drivers/staging/octeon/ethernet-rx.c linux-2.6.32.42/drivers/staging/octeon/ethernet-rx.c
34711 --- linux-2.6.32.42/drivers/staging/octeon/ethernet-rx.c 2011-03-27 14:31:47.000000000 -0400
34712 +++ linux-2.6.32.42/drivers/staging/octeon/ethernet-rx.c 2011-05-04 17:56:28.000000000 -0400
34713 @@ -406,11 +406,11 @@ void cvm_oct_tasklet_rx(unsigned long un
34714 /* Increment RX stats for virtual ports */
34715 if (work->ipprt >= CVMX_PIP_NUM_INPUT_PORTS) {
34716 #ifdef CONFIG_64BIT
34717 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_packets);
34718 - atomic64_add(skb->len, (atomic64_t *)&priv->stats.rx_bytes);
34719 + atomic64_add_unchecked(1, (atomic64_unchecked_t *)&priv->stats.rx_packets);
34720 + atomic64_add_unchecked(skb->len, (atomic64_unchecked_t *)&priv->stats.rx_bytes);
34722 - atomic_add(1, (atomic_t *)&priv->stats.rx_packets);
34723 - atomic_add(skb->len, (atomic_t *)&priv->stats.rx_bytes);
34724 + atomic_add_unchecked(1, (atomic_unchecked_t *)&priv->stats.rx_packets);
34725 + atomic_add_unchecked(skb->len, (atomic_unchecked_t *)&priv->stats.rx_bytes);
34728 netif_receive_skb(skb);
34729 @@ -424,9 +424,9 @@ void cvm_oct_tasklet_rx(unsigned long un
34732 #ifdef CONFIG_64BIT
34733 - atomic64_add(1, (atomic64_t *)&priv->stats.rx_dropped);
34734 + atomic64_add_unchecked(1, (atomic64_t *)&priv->stats.rx_dropped);
34736 - atomic_add(1, (atomic_t *)&priv->stats.rx_dropped);
34737 + atomic_add_unchecked(1, (atomic_t *)&priv->stats.rx_dropped);
34739 dev_kfree_skb_irq(skb);
34741 diff -urNp linux-2.6.32.42/drivers/staging/panel/panel.c linux-2.6.32.42/drivers/staging/panel/panel.c
34742 --- linux-2.6.32.42/drivers/staging/panel/panel.c 2011-03-27 14:31:47.000000000 -0400
34743 +++ linux-2.6.32.42/drivers/staging/panel/panel.c 2011-04-17 15:56:46.000000000 -0400
34744 @@ -1305,7 +1305,7 @@ static int lcd_release(struct inode *ino
34748 -static struct file_operations lcd_fops = {
34749 +static const struct file_operations lcd_fops = {
34750 .write = lcd_write,
34752 .release = lcd_release,
34753 @@ -1565,7 +1565,7 @@ static int keypad_release(struct inode *
34757 -static struct file_operations keypad_fops = {
34758 +static const struct file_operations keypad_fops = {
34759 .read = keypad_read, /* read */
34760 .open = keypad_open, /* open */
34761 .release = keypad_release, /* close */
34762 diff -urNp linux-2.6.32.42/drivers/staging/phison/phison.c linux-2.6.32.42/drivers/staging/phison/phison.c
34763 --- linux-2.6.32.42/drivers/staging/phison/phison.c 2011-03-27 14:31:47.000000000 -0400
34764 +++ linux-2.6.32.42/drivers/staging/phison/phison.c 2011-04-17 15:56:46.000000000 -0400
34765 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
34766 ATA_BMDMA_SHT(DRV_NAME),
34769 -static struct ata_port_operations phison_ops = {
34770 +static const struct ata_port_operations phison_ops = {
34771 .inherits = &ata_bmdma_port_ops,
34772 .prereset = phison_pre_reset,
34774 diff -urNp linux-2.6.32.42/drivers/staging/poch/poch.c linux-2.6.32.42/drivers/staging/poch/poch.c
34775 --- linux-2.6.32.42/drivers/staging/poch/poch.c 2011-03-27 14:31:47.000000000 -0400
34776 +++ linux-2.6.32.42/drivers/staging/poch/poch.c 2011-04-17 15:56:46.000000000 -0400
34777 @@ -1057,7 +1057,7 @@ static int poch_ioctl(struct inode *inod
34781 -static struct file_operations poch_fops = {
34782 +static const struct file_operations poch_fops = {
34783 .owner = THIS_MODULE,
34785 .release = poch_release,
34786 diff -urNp linux-2.6.32.42/drivers/staging/pohmelfs/inode.c linux-2.6.32.42/drivers/staging/pohmelfs/inode.c
34787 --- linux-2.6.32.42/drivers/staging/pohmelfs/inode.c 2011-03-27 14:31:47.000000000 -0400
34788 +++ linux-2.6.32.42/drivers/staging/pohmelfs/inode.c 2011-05-04 17:56:20.000000000 -0400
34789 @@ -1850,7 +1850,7 @@ static int pohmelfs_fill_super(struct su
34790 mutex_init(&psb->mcache_lock);
34791 psb->mcache_root = RB_ROOT;
34792 psb->mcache_timeout = msecs_to_jiffies(5000);
34793 - atomic_long_set(&psb->mcache_gen, 0);
34794 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
34796 psb->trans_max_pages = 100;
34798 @@ -1865,7 +1865,7 @@ static int pohmelfs_fill_super(struct su
34799 INIT_LIST_HEAD(&psb->crypto_ready_list);
34800 INIT_LIST_HEAD(&psb->crypto_active_list);
34802 - atomic_set(&psb->trans_gen, 1);
34803 + atomic_set_unchecked(&psb->trans_gen, 1);
34804 atomic_long_set(&psb->total_inodes, 0);
34806 mutex_init(&psb->state_lock);
34807 diff -urNp linux-2.6.32.42/drivers/staging/pohmelfs/mcache.c linux-2.6.32.42/drivers/staging/pohmelfs/mcache.c
34808 --- linux-2.6.32.42/drivers/staging/pohmelfs/mcache.c 2011-03-27 14:31:47.000000000 -0400
34809 +++ linux-2.6.32.42/drivers/staging/pohmelfs/mcache.c 2011-04-17 15:56:46.000000000 -0400
34810 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
34814 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
34815 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
34817 mutex_lock(&psb->mcache_lock);
34818 err = pohmelfs_mcache_insert(psb, m);
34819 diff -urNp linux-2.6.32.42/drivers/staging/pohmelfs/netfs.h linux-2.6.32.42/drivers/staging/pohmelfs/netfs.h
34820 --- linux-2.6.32.42/drivers/staging/pohmelfs/netfs.h 2011-03-27 14:31:47.000000000 -0400
34821 +++ linux-2.6.32.42/drivers/staging/pohmelfs/netfs.h 2011-05-04 17:56:20.000000000 -0400
34822 @@ -570,14 +570,14 @@ struct pohmelfs_config;
34823 struct pohmelfs_sb {
34824 struct rb_root mcache_root;
34825 struct mutex mcache_lock;
34826 - atomic_long_t mcache_gen;
34827 + atomic_long_unchecked_t mcache_gen;
34828 unsigned long mcache_timeout;
34832 unsigned int trans_retries;
34834 - atomic_t trans_gen;
34835 + atomic_unchecked_t trans_gen;
34837 unsigned int crypto_attached_size;
34838 unsigned int crypto_align_size;
34839 diff -urNp linux-2.6.32.42/drivers/staging/pohmelfs/trans.c linux-2.6.32.42/drivers/staging/pohmelfs/trans.c
34840 --- linux-2.6.32.42/drivers/staging/pohmelfs/trans.c 2011-03-27 14:31:47.000000000 -0400
34841 +++ linux-2.6.32.42/drivers/staging/pohmelfs/trans.c 2011-05-04 17:56:28.000000000 -0400
34842 @@ -492,7 +492,7 @@ int netfs_trans_finish(struct netfs_tran
34844 struct netfs_cmd *cmd = t->iovec.iov_base;
34846 - t->gen = atomic_inc_return(&psb->trans_gen);
34847 + t->gen = atomic_inc_return_unchecked(&psb->trans_gen);
34849 cmd->size = t->iovec.iov_len - sizeof(struct netfs_cmd) +
34850 t->attached_size + t->attached_pages * sizeof(struct netfs_cmd);
34851 diff -urNp linux-2.6.32.42/drivers/staging/sep/sep_driver.c linux-2.6.32.42/drivers/staging/sep/sep_driver.c
34852 --- linux-2.6.32.42/drivers/staging/sep/sep_driver.c 2011-03-27 14:31:47.000000000 -0400
34853 +++ linux-2.6.32.42/drivers/staging/sep/sep_driver.c 2011-04-17 15:56:46.000000000 -0400
34854 @@ -2603,7 +2603,7 @@ static struct pci_driver sep_pci_driver
34855 static dev_t sep_devno;
34857 /* the files operations structure of the driver */
34858 -static struct file_operations sep_file_operations = {
34859 +static const struct file_operations sep_file_operations = {
34860 .owner = THIS_MODULE,
34861 .ioctl = sep_ioctl,
34863 diff -urNp linux-2.6.32.42/drivers/staging/usbip/vhci.h linux-2.6.32.42/drivers/staging/usbip/vhci.h
34864 --- linux-2.6.32.42/drivers/staging/usbip/vhci.h 2011-03-27 14:31:47.000000000 -0400
34865 +++ linux-2.6.32.42/drivers/staging/usbip/vhci.h 2011-05-04 17:56:28.000000000 -0400
34866 @@ -92,7 +92,7 @@ struct vhci_hcd {
34867 unsigned resuming:1;
34868 unsigned long re_timeout;
34871 + atomic_unchecked_t seqnum;
34875 diff -urNp linux-2.6.32.42/drivers/staging/usbip/vhci_hcd.c linux-2.6.32.42/drivers/staging/usbip/vhci_hcd.c
34876 --- linux-2.6.32.42/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:12:01.000000000 -0400
34877 +++ linux-2.6.32.42/drivers/staging/usbip/vhci_hcd.c 2011-05-10 22:12:33.000000000 -0400
34878 @@ -534,7 +534,7 @@ static void vhci_tx_urb(struct urb *urb)
34882 - priv->seqnum = atomic_inc_return(&the_controller->seqnum);
34883 + priv->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
34884 if (priv->seqnum == 0xffff)
34885 usbip_uinfo("seqnum max\n");
34887 @@ -793,7 +793,7 @@ static int vhci_urb_dequeue(struct usb_h
34891 - unlink->seqnum = atomic_inc_return(&the_controller->seqnum);
34892 + unlink->seqnum = atomic_inc_return_unchecked(&the_controller->seqnum);
34893 if (unlink->seqnum == 0xffff)
34894 usbip_uinfo("seqnum max\n");
34896 @@ -988,7 +988,7 @@ static int vhci_start(struct usb_hcd *hc
34897 vdev->rhport = rhport;
34900 - atomic_set(&vhci->seqnum, 0);
34901 + atomic_set_unchecked(&vhci->seqnum, 0);
34902 spin_lock_init(&vhci->lock);
34905 diff -urNp linux-2.6.32.42/drivers/staging/usbip/vhci_rx.c linux-2.6.32.42/drivers/staging/usbip/vhci_rx.c
34906 --- linux-2.6.32.42/drivers/staging/usbip/vhci_rx.c 2011-04-17 17:00:52.000000000 -0400
34907 +++ linux-2.6.32.42/drivers/staging/usbip/vhci_rx.c 2011-05-04 17:56:28.000000000 -0400
34908 @@ -78,7 +78,7 @@ static void vhci_recv_ret_submit(struct
34909 usbip_uerr("cannot find a urb of seqnum %u\n",
34911 usbip_uinfo("max seqnum %d\n",
34912 - atomic_read(&the_controller->seqnum));
34913 + atomic_read_unchecked(&the_controller->seqnum));
34914 usbip_event_add(ud, VDEV_EVENT_ERROR_TCP);
34917 diff -urNp linux-2.6.32.42/drivers/staging/vme/devices/vme_user.c linux-2.6.32.42/drivers/staging/vme/devices/vme_user.c
34918 --- linux-2.6.32.42/drivers/staging/vme/devices/vme_user.c 2011-03-27 14:31:47.000000000 -0400
34919 +++ linux-2.6.32.42/drivers/staging/vme/devices/vme_user.c 2011-04-17 15:56:46.000000000 -0400
34920 @@ -136,7 +136,7 @@ static int vme_user_ioctl(struct inode *
34921 static int __init vme_user_probe(struct device *, int, int);
34922 static int __exit vme_user_remove(struct device *, int, int);
34924 -static struct file_operations vme_user_fops = {
34925 +static const struct file_operations vme_user_fops = {
34926 .open = vme_user_open,
34927 .release = vme_user_release,
34928 .read = vme_user_read,
34929 diff -urNp linux-2.6.32.42/drivers/telephony/ixj.c linux-2.6.32.42/drivers/telephony/ixj.c
34930 --- linux-2.6.32.42/drivers/telephony/ixj.c 2011-03-27 14:31:47.000000000 -0400
34931 +++ linux-2.6.32.42/drivers/telephony/ixj.c 2011-05-16 21:46:57.000000000 -0400
34932 @@ -4976,6 +4976,8 @@ static int ixj_daa_cid_read(IXJ *j)
34936 + pax_track_stack();
34938 if (!SCI_Prepare(j))
34941 diff -urNp linux-2.6.32.42/drivers/uio/uio.c linux-2.6.32.42/drivers/uio/uio.c
34942 --- linux-2.6.32.42/drivers/uio/uio.c 2011-03-27 14:31:47.000000000 -0400
34943 +++ linux-2.6.32.42/drivers/uio/uio.c 2011-05-04 17:56:20.000000000 -0400
34945 #include <linux/string.h>
34946 #include <linux/kobject.h>
34947 #include <linux/uio_driver.h>
34948 +#include <asm/local.h>
34950 #define UIO_MAX_DEVICES 255
34952 @@ -30,10 +31,10 @@ struct uio_device {
34953 struct module *owner;
34954 struct device *dev;
34957 + atomic_unchecked_t event;
34958 struct fasync_struct *async_queue;
34959 wait_queue_head_t wait;
34961 + local_t vma_count;
34962 struct uio_info *info;
34963 struct kobject *map_dir;
34964 struct kobject *portio_dir;
34965 @@ -129,7 +130,7 @@ static ssize_t map_type_show(struct kobj
34966 return entry->show(mem, buf);
34969 -static struct sysfs_ops map_sysfs_ops = {
34970 +static const struct sysfs_ops map_sysfs_ops = {
34971 .show = map_type_show,
34974 @@ -217,7 +218,7 @@ static ssize_t portio_type_show(struct k
34975 return entry->show(port, buf);
34978 -static struct sysfs_ops portio_sysfs_ops = {
34979 +static const struct sysfs_ops portio_sysfs_ops = {
34980 .show = portio_type_show,
34983 @@ -255,7 +256,7 @@ static ssize_t show_event(struct device
34984 struct uio_device *idev = dev_get_drvdata(dev);
34986 return sprintf(buf, "%u\n",
34987 - (unsigned int)atomic_read(&idev->event));
34988 + (unsigned int)atomic_read_unchecked(&idev->event));
34992 @@ -424,7 +425,7 @@ void uio_event_notify(struct uio_info *i
34994 struct uio_device *idev = info->uio_dev;
34996 - atomic_inc(&idev->event);
34997 + atomic_inc_unchecked(&idev->event);
34998 wake_up_interruptible(&idev->wait);
34999 kill_fasync(&idev->async_queue, SIGIO, POLL_IN);
35001 @@ -477,7 +478,7 @@ static int uio_open(struct inode *inode,
35004 listener->dev = idev;
35005 - listener->event_count = atomic_read(&idev->event);
35006 + listener->event_count = atomic_read_unchecked(&idev->event);
35007 filep->private_data = listener;
35009 if (idev->info->open) {
35010 @@ -528,7 +529,7 @@ static unsigned int uio_poll(struct file
35013 poll_wait(filep, &idev->wait, wait);
35014 - if (listener->event_count != atomic_read(&idev->event))
35015 + if (listener->event_count != atomic_read_unchecked(&idev->event))
35016 return POLLIN | POLLRDNORM;
35019 @@ -553,7 +554,7 @@ static ssize_t uio_read(struct file *fil
35021 set_current_state(TASK_INTERRUPTIBLE);
35023 - event_count = atomic_read(&idev->event);
35024 + event_count = atomic_read_unchecked(&idev->event);
35025 if (event_count != listener->event_count) {
35026 if (copy_to_user(buf, &event_count, count))
35028 @@ -624,13 +625,13 @@ static int uio_find_mem_index(struct vm_
35029 static void uio_vma_open(struct vm_area_struct *vma)
35031 struct uio_device *idev = vma->vm_private_data;
35032 - idev->vma_count++;
35033 + local_inc(&idev->vma_count);
35036 static void uio_vma_close(struct vm_area_struct *vma)
35038 struct uio_device *idev = vma->vm_private_data;
35039 - idev->vma_count--;
35040 + local_dec(&idev->vma_count);
35043 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
35044 @@ -840,7 +841,7 @@ int __uio_register_device(struct module
35045 idev->owner = owner;
35047 init_waitqueue_head(&idev->wait);
35048 - atomic_set(&idev->event, 0);
35049 + atomic_set_unchecked(&idev->event, 0);
35051 ret = uio_get_minor(idev);
35053 diff -urNp linux-2.6.32.42/drivers/usb/atm/usbatm.c linux-2.6.32.42/drivers/usb/atm/usbatm.c
35054 --- linux-2.6.32.42/drivers/usb/atm/usbatm.c 2011-03-27 14:31:47.000000000 -0400
35055 +++ linux-2.6.32.42/drivers/usb/atm/usbatm.c 2011-04-17 15:56:46.000000000 -0400
35056 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
35057 if (printk_ratelimit())
35058 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
35059 __func__, vpi, vci);
35060 - atomic_inc(&vcc->stats->rx_err);
35061 + atomic_inc_unchecked(&vcc->stats->rx_err);
35065 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
35066 if (length > ATM_MAX_AAL5_PDU) {
35067 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
35068 __func__, length, vcc);
35069 - atomic_inc(&vcc->stats->rx_err);
35070 + atomic_inc_unchecked(&vcc->stats->rx_err);
35074 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
35075 if (sarb->len < pdu_length) {
35076 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
35077 __func__, pdu_length, sarb->len, vcc);
35078 - atomic_inc(&vcc->stats->rx_err);
35079 + atomic_inc_unchecked(&vcc->stats->rx_err);
35083 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
35084 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
35086 - atomic_inc(&vcc->stats->rx_err);
35087 + atomic_inc_unchecked(&vcc->stats->rx_err);
35091 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
35092 if (printk_ratelimit())
35093 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
35095 - atomic_inc(&vcc->stats->rx_drop);
35096 + atomic_inc_unchecked(&vcc->stats->rx_drop);
35100 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
35102 vcc->push(vcc, skb);
35104 - atomic_inc(&vcc->stats->rx);
35105 + atomic_inc_unchecked(&vcc->stats->rx);
35109 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
35110 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
35112 usbatm_pop(vcc, skb);
35113 - atomic_inc(&vcc->stats->tx);
35114 + atomic_inc_unchecked(&vcc->stats->tx);
35116 skb = skb_dequeue(&instance->sndqueue);
35118 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
35120 return sprintf(page,
35121 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
35122 - atomic_read(&atm_dev->stats.aal5.tx),
35123 - atomic_read(&atm_dev->stats.aal5.tx_err),
35124 - atomic_read(&atm_dev->stats.aal5.rx),
35125 - atomic_read(&atm_dev->stats.aal5.rx_err),
35126 - atomic_read(&atm_dev->stats.aal5.rx_drop));
35127 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
35128 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
35129 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
35130 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
35131 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
35134 if (instance->disconnected)
35135 diff -urNp linux-2.6.32.42/drivers/usb/class/cdc-wdm.c linux-2.6.32.42/drivers/usb/class/cdc-wdm.c
35136 --- linux-2.6.32.42/drivers/usb/class/cdc-wdm.c 2011-03-27 14:31:47.000000000 -0400
35137 +++ linux-2.6.32.42/drivers/usb/class/cdc-wdm.c 2011-04-17 15:56:46.000000000 -0400
35138 @@ -314,7 +314,7 @@ static ssize_t wdm_write
35142 - if (!file->f_flags && O_NONBLOCK)
35143 + if (!(file->f_flags & O_NONBLOCK))
35144 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
35147 diff -urNp linux-2.6.32.42/drivers/usb/core/hcd.c linux-2.6.32.42/drivers/usb/core/hcd.c
35148 --- linux-2.6.32.42/drivers/usb/core/hcd.c 2011-03-27 14:31:47.000000000 -0400
35149 +++ linux-2.6.32.42/drivers/usb/core/hcd.c 2011-04-17 15:56:46.000000000 -0400
35150 @@ -2216,7 +2216,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
35152 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
35154 -struct usb_mon_operations *mon_ops;
35155 +const struct usb_mon_operations *mon_ops;
35158 * The registration is unlocked.
35159 @@ -2226,7 +2226,7 @@ struct usb_mon_operations *mon_ops;
35160 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
35163 -int usb_mon_register (struct usb_mon_operations *ops)
35164 +int usb_mon_register (const struct usb_mon_operations *ops)
35168 diff -urNp linux-2.6.32.42/drivers/usb/core/hcd.h linux-2.6.32.42/drivers/usb/core/hcd.h
35169 --- linux-2.6.32.42/drivers/usb/core/hcd.h 2011-03-27 14:31:47.000000000 -0400
35170 +++ linux-2.6.32.42/drivers/usb/core/hcd.h 2011-04-17 15:56:46.000000000 -0400
35171 @@ -486,13 +486,13 @@ static inline void usbfs_cleanup(void) {
35172 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
35174 struct usb_mon_operations {
35175 - void (*urb_submit)(struct usb_bus *bus, struct urb *urb);
35176 - void (*urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
35177 - void (*urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
35178 + void (* const urb_submit)(struct usb_bus *bus, struct urb *urb);
35179 + void (* const urb_submit_error)(struct usb_bus *bus, struct urb *urb, int err);
35180 + void (* const urb_complete)(struct usb_bus *bus, struct urb *urb, int status);
35181 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
35184 -extern struct usb_mon_operations *mon_ops;
35185 +extern const struct usb_mon_operations *mon_ops;
35187 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
35189 @@ -514,7 +514,7 @@ static inline void usbmon_urb_complete(s
35190 (*mon_ops->urb_complete)(bus, urb, status);
35193 -int usb_mon_register(struct usb_mon_operations *ops);
35194 +int usb_mon_register(const struct usb_mon_operations *ops);
35195 void usb_mon_deregister(void);
35198 diff -urNp linux-2.6.32.42/drivers/usb/core/message.c linux-2.6.32.42/drivers/usb/core/message.c
35199 --- linux-2.6.32.42/drivers/usb/core/message.c 2011-03-27 14:31:47.000000000 -0400
35200 +++ linux-2.6.32.42/drivers/usb/core/message.c 2011-04-17 15:56:46.000000000 -0400
35201 @@ -914,8 +914,8 @@ char *usb_cache_string(struct usb_device
35202 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
35204 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
35206 - smallbuf = kmalloc(++len, GFP_NOIO);
35208 + smallbuf = kmalloc(len, GFP_NOIO);
35211 memcpy(smallbuf, buf, len);
35212 diff -urNp linux-2.6.32.42/drivers/usb/misc/appledisplay.c linux-2.6.32.42/drivers/usb/misc/appledisplay.c
35213 --- linux-2.6.32.42/drivers/usb/misc/appledisplay.c 2011-03-27 14:31:47.000000000 -0400
35214 +++ linux-2.6.32.42/drivers/usb/misc/appledisplay.c 2011-04-17 15:56:46.000000000 -0400
35215 @@ -178,7 +178,7 @@ static int appledisplay_bl_get_brightnes
35216 return pdata->msgdata[1];
35219 -static struct backlight_ops appledisplay_bl_data = {
35220 +static const struct backlight_ops appledisplay_bl_data = {
35221 .get_brightness = appledisplay_bl_get_brightness,
35222 .update_status = appledisplay_bl_update_status,
35224 diff -urNp linux-2.6.32.42/drivers/usb/mon/mon_main.c linux-2.6.32.42/drivers/usb/mon/mon_main.c
35225 --- linux-2.6.32.42/drivers/usb/mon/mon_main.c 2011-03-27 14:31:47.000000000 -0400
35226 +++ linux-2.6.32.42/drivers/usb/mon/mon_main.c 2011-04-17 15:56:46.000000000 -0400
35227 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
35231 -static struct usb_mon_operations mon_ops_0 = {
35232 +static const struct usb_mon_operations mon_ops_0 = {
35233 .urb_submit = mon_submit,
35234 .urb_submit_error = mon_submit_error,
35235 .urb_complete = mon_complete,
35236 diff -urNp linux-2.6.32.42/drivers/usb/wusbcore/wa-hc.h linux-2.6.32.42/drivers/usb/wusbcore/wa-hc.h
35237 --- linux-2.6.32.42/drivers/usb/wusbcore/wa-hc.h 2011-03-27 14:31:47.000000000 -0400
35238 +++ linux-2.6.32.42/drivers/usb/wusbcore/wa-hc.h 2011-05-04 17:56:28.000000000 -0400
35239 @@ -192,7 +192,7 @@ struct wahc {
35240 struct list_head xfer_delayed_list;
35241 spinlock_t xfer_list_lock;
35242 struct work_struct xfer_work;
35243 - atomic_t xfer_id_count;
35244 + atomic_unchecked_t xfer_id_count;
35248 @@ -246,7 +246,7 @@ static inline void wa_init(struct wahc *
35249 INIT_LIST_HEAD(&wa->xfer_delayed_list);
35250 spin_lock_init(&wa->xfer_list_lock);
35251 INIT_WORK(&wa->xfer_work, wa_urb_enqueue_run);
35252 - atomic_set(&wa->xfer_id_count, 1);
35253 + atomic_set_unchecked(&wa->xfer_id_count, 1);
35257 diff -urNp linux-2.6.32.42/drivers/usb/wusbcore/wa-xfer.c linux-2.6.32.42/drivers/usb/wusbcore/wa-xfer.c
35258 --- linux-2.6.32.42/drivers/usb/wusbcore/wa-xfer.c 2011-03-27 14:31:47.000000000 -0400
35259 +++ linux-2.6.32.42/drivers/usb/wusbcore/wa-xfer.c 2011-05-04 17:56:28.000000000 -0400
35260 @@ -293,7 +293,7 @@ out:
35262 static void wa_xfer_id_init(struct wa_xfer *xfer)
35264 - xfer->id = atomic_add_return(1, &xfer->wa->xfer_id_count);
35265 + xfer->id = atomic_add_return_unchecked(1, &xfer->wa->xfer_id_count);
35269 diff -urNp linux-2.6.32.42/drivers/uwb/wlp/messages.c linux-2.6.32.42/drivers/uwb/wlp/messages.c
35270 --- linux-2.6.32.42/drivers/uwb/wlp/messages.c 2011-03-27 14:31:47.000000000 -0400
35271 +++ linux-2.6.32.42/drivers/uwb/wlp/messages.c 2011-04-17 15:56:46.000000000 -0400
35272 @@ -903,7 +903,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
35273 size_t len = skb->len;
35276 - struct wlp_nonce enonce, rnonce;
35277 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
35278 enum wlp_assc_error assc_err;
35279 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
35280 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
35281 diff -urNp linux-2.6.32.42/drivers/uwb/wlp/sysfs.c linux-2.6.32.42/drivers/uwb/wlp/sysfs.c
35282 --- linux-2.6.32.42/drivers/uwb/wlp/sysfs.c 2011-03-27 14:31:47.000000000 -0400
35283 +++ linux-2.6.32.42/drivers/uwb/wlp/sysfs.c 2011-04-17 15:56:46.000000000 -0400
35284 @@ -615,8 +615,7 @@ ssize_t wlp_wss_attr_store(struct kobjec
35289 -struct sysfs_ops wss_sysfs_ops = {
35290 +static const struct sysfs_ops wss_sysfs_ops = {
35291 .show = wlp_wss_attr_show,
35292 .store = wlp_wss_attr_store,
35294 diff -urNp linux-2.6.32.42/drivers/video/atmel_lcdfb.c linux-2.6.32.42/drivers/video/atmel_lcdfb.c
35295 --- linux-2.6.32.42/drivers/video/atmel_lcdfb.c 2011-03-27 14:31:47.000000000 -0400
35296 +++ linux-2.6.32.42/drivers/video/atmel_lcdfb.c 2011-04-17 15:56:46.000000000 -0400
35297 @@ -110,7 +110,7 @@ static int atmel_bl_get_brightness(struc
35298 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
35301 -static struct backlight_ops atmel_lcdc_bl_ops = {
35302 +static const struct backlight_ops atmel_lcdc_bl_ops = {
35303 .update_status = atmel_bl_update_status,
35304 .get_brightness = atmel_bl_get_brightness,
35306 diff -urNp linux-2.6.32.42/drivers/video/aty/aty128fb.c linux-2.6.32.42/drivers/video/aty/aty128fb.c
35307 --- linux-2.6.32.42/drivers/video/aty/aty128fb.c 2011-03-27 14:31:47.000000000 -0400
35308 +++ linux-2.6.32.42/drivers/video/aty/aty128fb.c 2011-04-17 15:56:46.000000000 -0400
35309 @@ -1787,7 +1787,7 @@ static int aty128_bl_get_brightness(stru
35310 return bd->props.brightness;
35313 -static struct backlight_ops aty128_bl_data = {
35314 +static const struct backlight_ops aty128_bl_data = {
35315 .get_brightness = aty128_bl_get_brightness,
35316 .update_status = aty128_bl_update_status,
35318 diff -urNp linux-2.6.32.42/drivers/video/aty/atyfb_base.c linux-2.6.32.42/drivers/video/aty/atyfb_base.c
35319 --- linux-2.6.32.42/drivers/video/aty/atyfb_base.c 2011-03-27 14:31:47.000000000 -0400
35320 +++ linux-2.6.32.42/drivers/video/aty/atyfb_base.c 2011-04-17 15:56:46.000000000 -0400
35321 @@ -2225,7 +2225,7 @@ static int aty_bl_get_brightness(struct
35322 return bd->props.brightness;
35325 -static struct backlight_ops aty_bl_data = {
35326 +static const struct backlight_ops aty_bl_data = {
35327 .get_brightness = aty_bl_get_brightness,
35328 .update_status = aty_bl_update_status,
35330 diff -urNp linux-2.6.32.42/drivers/video/aty/radeon_backlight.c linux-2.6.32.42/drivers/video/aty/radeon_backlight.c
35331 --- linux-2.6.32.42/drivers/video/aty/radeon_backlight.c 2011-03-27 14:31:47.000000000 -0400
35332 +++ linux-2.6.32.42/drivers/video/aty/radeon_backlight.c 2011-04-17 15:56:46.000000000 -0400
35333 @@ -127,7 +127,7 @@ static int radeon_bl_get_brightness(stru
35334 return bd->props.brightness;
35337 -static struct backlight_ops radeon_bl_data = {
35338 +static const struct backlight_ops radeon_bl_data = {
35339 .get_brightness = radeon_bl_get_brightness,
35340 .update_status = radeon_bl_update_status,
35342 diff -urNp linux-2.6.32.42/drivers/video/backlight/adp5520_bl.c linux-2.6.32.42/drivers/video/backlight/adp5520_bl.c
35343 --- linux-2.6.32.42/drivers/video/backlight/adp5520_bl.c 2011-03-27 14:31:47.000000000 -0400
35344 +++ linux-2.6.32.42/drivers/video/backlight/adp5520_bl.c 2011-04-17 15:56:46.000000000 -0400
35345 @@ -84,7 +84,7 @@ static int adp5520_bl_get_brightness(str
35346 return error ? data->current_brightness : reg_val;
35349 -static struct backlight_ops adp5520_bl_ops = {
35350 +static const struct backlight_ops adp5520_bl_ops = {
35351 .update_status = adp5520_bl_update_status,
35352 .get_brightness = adp5520_bl_get_brightness,
35354 diff -urNp linux-2.6.32.42/drivers/video/backlight/adx_bl.c linux-2.6.32.42/drivers/video/backlight/adx_bl.c
35355 --- linux-2.6.32.42/drivers/video/backlight/adx_bl.c 2011-03-27 14:31:47.000000000 -0400
35356 +++ linux-2.6.32.42/drivers/video/backlight/adx_bl.c 2011-04-17 15:56:46.000000000 -0400
35357 @@ -61,7 +61,7 @@ static int adx_backlight_check_fb(struct
35361 -static struct backlight_ops adx_backlight_ops = {
35362 +static const struct backlight_ops adx_backlight_ops = {
35364 .update_status = adx_backlight_update_status,
35365 .get_brightness = adx_backlight_get_brightness,
35366 diff -urNp linux-2.6.32.42/drivers/video/backlight/atmel-pwm-bl.c linux-2.6.32.42/drivers/video/backlight/atmel-pwm-bl.c
35367 --- linux-2.6.32.42/drivers/video/backlight/atmel-pwm-bl.c 2011-03-27 14:31:47.000000000 -0400
35368 +++ linux-2.6.32.42/drivers/video/backlight/atmel-pwm-bl.c 2011-04-17 15:56:46.000000000 -0400
35369 @@ -113,7 +113,7 @@ static int atmel_pwm_bl_init_pwm(struct
35370 return pwm_channel_enable(&pwmbl->pwmc);
35373 -static struct backlight_ops atmel_pwm_bl_ops = {
35374 +static const struct backlight_ops atmel_pwm_bl_ops = {
35375 .get_brightness = atmel_pwm_bl_get_intensity,
35376 .update_status = atmel_pwm_bl_set_intensity,
35378 diff -urNp linux-2.6.32.42/drivers/video/backlight/backlight.c linux-2.6.32.42/drivers/video/backlight/backlight.c
35379 --- linux-2.6.32.42/drivers/video/backlight/backlight.c 2011-03-27 14:31:47.000000000 -0400
35380 +++ linux-2.6.32.42/drivers/video/backlight/backlight.c 2011-04-17 15:56:46.000000000 -0400
35381 @@ -269,7 +269,7 @@ EXPORT_SYMBOL(backlight_force_update);
35382 * ERR_PTR() or a pointer to the newly allocated device.
35384 struct backlight_device *backlight_device_register(const char *name,
35385 - struct device *parent, void *devdata, struct backlight_ops *ops)
35386 + struct device *parent, void *devdata, const struct backlight_ops *ops)
35388 struct backlight_device *new_bd;
35390 diff -urNp linux-2.6.32.42/drivers/video/backlight/corgi_lcd.c linux-2.6.32.42/drivers/video/backlight/corgi_lcd.c
35391 --- linux-2.6.32.42/drivers/video/backlight/corgi_lcd.c 2011-03-27 14:31:47.000000000 -0400
35392 +++ linux-2.6.32.42/drivers/video/backlight/corgi_lcd.c 2011-04-17 15:56:46.000000000 -0400
35393 @@ -451,7 +451,7 @@ void corgi_lcd_limit_intensity(int limit
35395 EXPORT_SYMBOL(corgi_lcd_limit_intensity);
35397 -static struct backlight_ops corgi_bl_ops = {
35398 +static const struct backlight_ops corgi_bl_ops = {
35399 .get_brightness = corgi_bl_get_intensity,
35400 .update_status = corgi_bl_update_status,
35402 diff -urNp linux-2.6.32.42/drivers/video/backlight/cr_bllcd.c linux-2.6.32.42/drivers/video/backlight/cr_bllcd.c
35403 --- linux-2.6.32.42/drivers/video/backlight/cr_bllcd.c 2011-03-27 14:31:47.000000000 -0400
35404 +++ linux-2.6.32.42/drivers/video/backlight/cr_bllcd.c 2011-04-17 15:56:46.000000000 -0400
35405 @@ -108,7 +108,7 @@ static int cr_backlight_get_intensity(st
35409 -static struct backlight_ops cr_backlight_ops = {
35410 +static const struct backlight_ops cr_backlight_ops = {
35411 .get_brightness = cr_backlight_get_intensity,
35412 .update_status = cr_backlight_set_intensity,
35414 diff -urNp linux-2.6.32.42/drivers/video/backlight/da903x_bl.c linux-2.6.32.42/drivers/video/backlight/da903x_bl.c
35415 --- linux-2.6.32.42/drivers/video/backlight/da903x_bl.c 2011-03-27 14:31:47.000000000 -0400
35416 +++ linux-2.6.32.42/drivers/video/backlight/da903x_bl.c 2011-04-17 15:56:46.000000000 -0400
35417 @@ -94,7 +94,7 @@ static int da903x_backlight_get_brightne
35418 return data->current_brightness;
35421 -static struct backlight_ops da903x_backlight_ops = {
35422 +static const struct backlight_ops da903x_backlight_ops = {
35423 .update_status = da903x_backlight_update_status,
35424 .get_brightness = da903x_backlight_get_brightness,
35426 diff -urNp linux-2.6.32.42/drivers/video/backlight/generic_bl.c linux-2.6.32.42/drivers/video/backlight/generic_bl.c
35427 --- linux-2.6.32.42/drivers/video/backlight/generic_bl.c 2011-03-27 14:31:47.000000000 -0400
35428 +++ linux-2.6.32.42/drivers/video/backlight/generic_bl.c 2011-04-17 15:56:46.000000000 -0400
35429 @@ -70,7 +70,7 @@ void corgibl_limit_intensity(int limit)
35431 EXPORT_SYMBOL(corgibl_limit_intensity);
35433 -static struct backlight_ops genericbl_ops = {
35434 +static const struct backlight_ops genericbl_ops = {
35435 .options = BL_CORE_SUSPENDRESUME,
35436 .get_brightness = genericbl_get_intensity,
35437 .update_status = genericbl_send_intensity,
35438 diff -urNp linux-2.6.32.42/drivers/video/backlight/hp680_bl.c linux-2.6.32.42/drivers/video/backlight/hp680_bl.c
35439 --- linux-2.6.32.42/drivers/video/backlight/hp680_bl.c 2011-03-27 14:31:47.000000000 -0400
35440 +++ linux-2.6.32.42/drivers/video/backlight/hp680_bl.c 2011-04-17 15:56:46.000000000 -0400
35441 @@ -98,7 +98,7 @@ static int hp680bl_get_intensity(struct
35442 return current_intensity;
35445 -static struct backlight_ops hp680bl_ops = {
35446 +static const struct backlight_ops hp680bl_ops = {
35447 .get_brightness = hp680bl_get_intensity,
35448 .update_status = hp680bl_set_intensity,
35450 diff -urNp linux-2.6.32.42/drivers/video/backlight/jornada720_bl.c linux-2.6.32.42/drivers/video/backlight/jornada720_bl.c
35451 --- linux-2.6.32.42/drivers/video/backlight/jornada720_bl.c 2011-03-27 14:31:47.000000000 -0400
35452 +++ linux-2.6.32.42/drivers/video/backlight/jornada720_bl.c 2011-04-17 15:56:46.000000000 -0400
35453 @@ -93,7 +93,7 @@ out:
35457 -static struct backlight_ops jornada_bl_ops = {
35458 +static const struct backlight_ops jornada_bl_ops = {
35459 .get_brightness = jornada_bl_get_brightness,
35460 .update_status = jornada_bl_update_status,
35461 .options = BL_CORE_SUSPENDRESUME,
35462 diff -urNp linux-2.6.32.42/drivers/video/backlight/kb3886_bl.c linux-2.6.32.42/drivers/video/backlight/kb3886_bl.c
35463 --- linux-2.6.32.42/drivers/video/backlight/kb3886_bl.c 2011-03-27 14:31:47.000000000 -0400
35464 +++ linux-2.6.32.42/drivers/video/backlight/kb3886_bl.c 2011-04-17 15:56:46.000000000 -0400
35465 @@ -134,7 +134,7 @@ static int kb3886bl_get_intensity(struct
35466 return kb3886bl_intensity;
35469 -static struct backlight_ops kb3886bl_ops = {
35470 +static const struct backlight_ops kb3886bl_ops = {
35471 .get_brightness = kb3886bl_get_intensity,
35472 .update_status = kb3886bl_send_intensity,
35474 diff -urNp linux-2.6.32.42/drivers/video/backlight/locomolcd.c linux-2.6.32.42/drivers/video/backlight/locomolcd.c
35475 --- linux-2.6.32.42/drivers/video/backlight/locomolcd.c 2011-03-27 14:31:47.000000000 -0400
35476 +++ linux-2.6.32.42/drivers/video/backlight/locomolcd.c 2011-04-17 15:56:46.000000000 -0400
35477 @@ -141,7 +141,7 @@ static int locomolcd_get_intensity(struc
35478 return current_intensity;
35481 -static struct backlight_ops locomobl_data = {
35482 +static const struct backlight_ops locomobl_data = {
35483 .get_brightness = locomolcd_get_intensity,
35484 .update_status = locomolcd_set_intensity,
35486 diff -urNp linux-2.6.32.42/drivers/video/backlight/mbp_nvidia_bl.c linux-2.6.32.42/drivers/video/backlight/mbp_nvidia_bl.c
35487 --- linux-2.6.32.42/drivers/video/backlight/mbp_nvidia_bl.c 2011-05-10 22:12:01.000000000 -0400
35488 +++ linux-2.6.32.42/drivers/video/backlight/mbp_nvidia_bl.c 2011-05-10 22:12:33.000000000 -0400
35489 @@ -33,7 +33,7 @@ struct dmi_match_data {
35490 unsigned long iostart;
35491 unsigned long iolen;
35492 /* Backlight operations structure. */
35493 - struct backlight_ops backlight_ops;
35494 + const struct backlight_ops backlight_ops;
35497 /* Module parameters. */
35498 diff -urNp linux-2.6.32.42/drivers/video/backlight/omap1_bl.c linux-2.6.32.42/drivers/video/backlight/omap1_bl.c
35499 --- linux-2.6.32.42/drivers/video/backlight/omap1_bl.c 2011-03-27 14:31:47.000000000 -0400
35500 +++ linux-2.6.32.42/drivers/video/backlight/omap1_bl.c 2011-04-17 15:56:46.000000000 -0400
35501 @@ -125,7 +125,7 @@ static int omapbl_get_intensity(struct b
35502 return bl->current_intensity;
35505 -static struct backlight_ops omapbl_ops = {
35506 +static const struct backlight_ops omapbl_ops = {
35507 .get_brightness = omapbl_get_intensity,
35508 .update_status = omapbl_update_status,
35510 diff -urNp linux-2.6.32.42/drivers/video/backlight/progear_bl.c linux-2.6.32.42/drivers/video/backlight/progear_bl.c
35511 --- linux-2.6.32.42/drivers/video/backlight/progear_bl.c 2011-03-27 14:31:47.000000000 -0400
35512 +++ linux-2.6.32.42/drivers/video/backlight/progear_bl.c 2011-04-17 15:56:46.000000000 -0400
35513 @@ -54,7 +54,7 @@ static int progearbl_get_intensity(struc
35514 return intensity - HW_LEVEL_MIN;
35517 -static struct backlight_ops progearbl_ops = {
35518 +static const struct backlight_ops progearbl_ops = {
35519 .get_brightness = progearbl_get_intensity,
35520 .update_status = progearbl_set_intensity,
35522 diff -urNp linux-2.6.32.42/drivers/video/backlight/pwm_bl.c linux-2.6.32.42/drivers/video/backlight/pwm_bl.c
35523 --- linux-2.6.32.42/drivers/video/backlight/pwm_bl.c 2011-03-27 14:31:47.000000000 -0400
35524 +++ linux-2.6.32.42/drivers/video/backlight/pwm_bl.c 2011-04-17 15:56:46.000000000 -0400
35525 @@ -56,7 +56,7 @@ static int pwm_backlight_get_brightness(
35526 return bl->props.brightness;
35529 -static struct backlight_ops pwm_backlight_ops = {
35530 +static const struct backlight_ops pwm_backlight_ops = {
35531 .update_status = pwm_backlight_update_status,
35532 .get_brightness = pwm_backlight_get_brightness,
35534 diff -urNp linux-2.6.32.42/drivers/video/backlight/tosa_bl.c linux-2.6.32.42/drivers/video/backlight/tosa_bl.c
35535 --- linux-2.6.32.42/drivers/video/backlight/tosa_bl.c 2011-03-27 14:31:47.000000000 -0400
35536 +++ linux-2.6.32.42/drivers/video/backlight/tosa_bl.c 2011-04-17 15:56:46.000000000 -0400
35537 @@ -72,7 +72,7 @@ static int tosa_bl_get_brightness(struct
35538 return props->brightness;
35541 -static struct backlight_ops bl_ops = {
35542 +static const struct backlight_ops bl_ops = {
35543 .get_brightness = tosa_bl_get_brightness,
35544 .update_status = tosa_bl_update_status,
35546 diff -urNp linux-2.6.32.42/drivers/video/backlight/wm831x_bl.c linux-2.6.32.42/drivers/video/backlight/wm831x_bl.c
35547 --- linux-2.6.32.42/drivers/video/backlight/wm831x_bl.c 2011-03-27 14:31:47.000000000 -0400
35548 +++ linux-2.6.32.42/drivers/video/backlight/wm831x_bl.c 2011-04-17 15:56:46.000000000 -0400
35549 @@ -112,7 +112,7 @@ static int wm831x_backlight_get_brightne
35550 return data->current_brightness;
35553 -static struct backlight_ops wm831x_backlight_ops = {
35554 +static const struct backlight_ops wm831x_backlight_ops = {
35555 .options = BL_CORE_SUSPENDRESUME,
35556 .update_status = wm831x_backlight_update_status,
35557 .get_brightness = wm831x_backlight_get_brightness,
35558 diff -urNp linux-2.6.32.42/drivers/video/bf54x-lq043fb.c linux-2.6.32.42/drivers/video/bf54x-lq043fb.c
35559 --- linux-2.6.32.42/drivers/video/bf54x-lq043fb.c 2011-03-27 14:31:47.000000000 -0400
35560 +++ linux-2.6.32.42/drivers/video/bf54x-lq043fb.c 2011-04-17 15:56:46.000000000 -0400
35561 @@ -463,7 +463,7 @@ static int bl_get_brightness(struct back
35565 -static struct backlight_ops bfin_lq043fb_bl_ops = {
35566 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
35567 .get_brightness = bl_get_brightness,
35570 diff -urNp linux-2.6.32.42/drivers/video/bfin-t350mcqb-fb.c linux-2.6.32.42/drivers/video/bfin-t350mcqb-fb.c
35571 --- linux-2.6.32.42/drivers/video/bfin-t350mcqb-fb.c 2011-03-27 14:31:47.000000000 -0400
35572 +++ linux-2.6.32.42/drivers/video/bfin-t350mcqb-fb.c 2011-04-17 15:56:46.000000000 -0400
35573 @@ -381,7 +381,7 @@ static int bl_get_brightness(struct back
35577 -static struct backlight_ops bfin_lq043fb_bl_ops = {
35578 +static const struct backlight_ops bfin_lq043fb_bl_ops = {
35579 .get_brightness = bl_get_brightness,
35582 diff -urNp linux-2.6.32.42/drivers/video/fbcmap.c linux-2.6.32.42/drivers/video/fbcmap.c
35583 --- linux-2.6.32.42/drivers/video/fbcmap.c 2011-03-27 14:31:47.000000000 -0400
35584 +++ linux-2.6.32.42/drivers/video/fbcmap.c 2011-04-17 15:56:46.000000000 -0400
35585 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
35589 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
35590 - !info->fbops->fb_setcmap)) {
35591 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
35595 diff -urNp linux-2.6.32.42/drivers/video/fbmem.c linux-2.6.32.42/drivers/video/fbmem.c
35596 --- linux-2.6.32.42/drivers/video/fbmem.c 2011-03-27 14:31:47.000000000 -0400
35597 +++ linux-2.6.32.42/drivers/video/fbmem.c 2011-05-16 21:46:57.000000000 -0400
35598 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
35599 image->dx += image->width + 8;
35601 } else if (rotate == FB_ROTATE_UD) {
35602 - for (x = 0; x < num && image->dx >= 0; x++) {
35603 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
35604 info->fbops->fb_imageblit(info, image);
35605 image->dx -= image->width + 8;
35607 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
35608 image->dy += image->height + 8;
35610 } else if (rotate == FB_ROTATE_CCW) {
35611 - for (x = 0; x < num && image->dy >= 0; x++) {
35612 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
35613 info->fbops->fb_imageblit(info, image);
35614 image->dy -= image->height + 8;
35616 @@ -915,6 +915,8 @@ fb_set_var(struct fb_info *info, struct
35617 int flags = info->flags;
35620 + pax_track_stack();
35622 if (var->activate & FB_ACTIVATE_INV_MODE) {
35623 struct fb_videomode mode1, mode2;
35625 @@ -1040,6 +1042,8 @@ static long do_fb_ioctl(struct fb_info *
35626 void __user *argp = (void __user *)arg;
35629 + pax_track_stack();
35632 case FBIOGET_VSCREENINFO:
35633 if (!lock_fb_info(info))
35634 @@ -1119,7 +1123,7 @@ static long do_fb_ioctl(struct fb_info *
35636 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
35638 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
35639 + if (con2fb.framebuffer >= FB_MAX)
35641 if (!registered_fb[con2fb.framebuffer])
35642 request_module("fb%d", con2fb.framebuffer);
35643 diff -urNp linux-2.6.32.42/drivers/video/i810/i810_accel.c linux-2.6.32.42/drivers/video/i810/i810_accel.c
35644 --- linux-2.6.32.42/drivers/video/i810/i810_accel.c 2011-03-27 14:31:47.000000000 -0400
35645 +++ linux-2.6.32.42/drivers/video/i810/i810_accel.c 2011-04-17 15:56:46.000000000 -0400
35646 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
35649 printk("ringbuffer lockup!!!\n");
35650 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
35651 i810_report_error(mmio);
35652 par->dev_flags |= LOCKUP;
35653 info->pixmap.scan_align = 1;
35654 diff -urNp linux-2.6.32.42/drivers/video/nvidia/nv_backlight.c linux-2.6.32.42/drivers/video/nvidia/nv_backlight.c
35655 --- linux-2.6.32.42/drivers/video/nvidia/nv_backlight.c 2011-03-27 14:31:47.000000000 -0400
35656 +++ linux-2.6.32.42/drivers/video/nvidia/nv_backlight.c 2011-04-17 15:56:46.000000000 -0400
35657 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
35658 return bd->props.brightness;
35661 -static struct backlight_ops nvidia_bl_ops = {
35662 +static const struct backlight_ops nvidia_bl_ops = {
35663 .get_brightness = nvidia_bl_get_brightness,
35664 .update_status = nvidia_bl_update_status,
35666 diff -urNp linux-2.6.32.42/drivers/video/riva/fbdev.c linux-2.6.32.42/drivers/video/riva/fbdev.c
35667 --- linux-2.6.32.42/drivers/video/riva/fbdev.c 2011-03-27 14:31:47.000000000 -0400
35668 +++ linux-2.6.32.42/drivers/video/riva/fbdev.c 2011-04-17 15:56:46.000000000 -0400
35669 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
35670 return bd->props.brightness;
35673 -static struct backlight_ops riva_bl_ops = {
35674 +static const struct backlight_ops riva_bl_ops = {
35675 .get_brightness = riva_bl_get_brightness,
35676 .update_status = riva_bl_update_status,
35678 diff -urNp linux-2.6.32.42/drivers/video/uvesafb.c linux-2.6.32.42/drivers/video/uvesafb.c
35679 --- linux-2.6.32.42/drivers/video/uvesafb.c 2011-03-27 14:31:47.000000000 -0400
35680 +++ linux-2.6.32.42/drivers/video/uvesafb.c 2011-04-17 15:56:46.000000000 -0400
35682 #include <linux/fb.h>
35683 #include <linux/io.h>
35684 #include <linux/mutex.h>
35685 +#include <linux/moduleloader.h>
35686 #include <video/edid.h>
35687 #include <video/uvesafb.h>
35689 @@ -120,7 +121,7 @@ static int uvesafb_helper_start(void)
35693 - return call_usermodehelper(v86d_path, argv, envp, 1);
35694 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
35698 @@ -568,10 +569,32 @@ static int __devinit uvesafb_vbe_getpmi(
35699 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
35700 par->pmi_setpal = par->ypan = 0;
35703 +#ifdef CONFIG_PAX_KERNEXEC
35704 +#ifdef CONFIG_MODULES
35705 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
35707 + if (!par->pmi_code) {
35708 + par->pmi_setpal = par->ypan = 0;
35713 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
35714 + task->t.regs.edi);
35716 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35717 + pax_open_kernel();
35718 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
35719 + pax_close_kernel();
35721 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
35722 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
35724 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
35725 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
35728 printk(KERN_INFO "uvesafb: protected mode interface info at "
35730 (u16)task->t.regs.es, (u16)task->t.regs.edi);
35731 @@ -1799,6 +1822,11 @@ out:
35732 if (par->vbe_modes)
35733 kfree(par->vbe_modes);
35735 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35736 + if (par->pmi_code)
35737 + module_free_exec(NULL, par->pmi_code);
35740 framebuffer_release(info);
35743 @@ -1825,6 +1853,12 @@ static int uvesafb_remove(struct platfor
35744 kfree(par->vbe_state_orig);
35745 if (par->vbe_state_saved)
35746 kfree(par->vbe_state_saved);
35748 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35749 + if (par->pmi_code)
35750 + module_free_exec(NULL, par->pmi_code);
35755 framebuffer_release(info);
35756 diff -urNp linux-2.6.32.42/drivers/video/vesafb.c linux-2.6.32.42/drivers/video/vesafb.c
35757 --- linux-2.6.32.42/drivers/video/vesafb.c 2011-03-27 14:31:47.000000000 -0400
35758 +++ linux-2.6.32.42/drivers/video/vesafb.c 2011-04-17 15:56:46.000000000 -0400
35762 #include <linux/module.h>
35763 +#include <linux/moduleloader.h>
35764 #include <linux/kernel.h>
35765 #include <linux/errno.h>
35766 #include <linux/string.h>
35767 @@ -53,8 +54,8 @@ static int vram_remap __initdata; /*
35768 static int vram_total __initdata; /* Set total amount of memory */
35769 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
35770 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
35771 -static void (*pmi_start)(void) __read_mostly;
35772 -static void (*pmi_pal) (void) __read_mostly;
35773 +static void (*pmi_start)(void) __read_only;
35774 +static void (*pmi_pal) (void) __read_only;
35775 static int depth __read_mostly;
35776 static int vga_compat __read_mostly;
35777 /* --------------------------------------------------------------------- */
35778 @@ -233,6 +234,7 @@ static int __init vesafb_probe(struct pl
35779 unsigned int size_vmode;
35780 unsigned int size_remap;
35781 unsigned int size_total;
35782 + void *pmi_code = NULL;
35784 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
35786 @@ -275,10 +277,6 @@ static int __init vesafb_probe(struct pl
35787 size_remap = size_total;
35788 vesafb_fix.smem_len = size_remap;
35791 - screen_info.vesapm_seg = 0;
35794 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
35795 printk(KERN_WARNING
35796 "vesafb: cannot reserve video memory at 0x%lx\n",
35797 @@ -315,9 +313,21 @@ static int __init vesafb_probe(struct pl
35798 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
35799 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
35803 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35804 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
35806 +#elif !defined(CONFIG_PAX_KERNEXEC)
35811 + screen_info.vesapm_seg = 0;
35813 if (screen_info.vesapm_seg) {
35814 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
35815 - screen_info.vesapm_seg,screen_info.vesapm_off);
35816 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
35817 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
35820 if (screen_info.vesapm_seg < 0xc000)
35821 @@ -325,9 +335,25 @@ static int __init vesafb_probe(struct pl
35823 if (ypan || pmi_setpal) {
35824 unsigned short *pmi_base;
35825 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
35826 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
35827 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
35829 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
35831 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35832 + pax_open_kernel();
35833 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
35835 + pmi_code = pmi_base;
35838 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
35839 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
35841 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35842 + pmi_start = ktva_ktla(pmi_start);
35843 + pmi_pal = ktva_ktla(pmi_pal);
35844 + pax_close_kernel();
35847 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
35849 printk(KERN_INFO "vesafb: pmi: ports = ");
35850 @@ -469,6 +495,11 @@ static int __init vesafb_probe(struct pl
35851 info->node, info->fix.id);
35855 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
35856 + module_free_exec(NULL, pmi_code);
35859 if (info->screen_base)
35860 iounmap(info->screen_base);
35861 framebuffer_release(info);
35862 diff -urNp linux-2.6.32.42/drivers/xen/sys-hypervisor.c linux-2.6.32.42/drivers/xen/sys-hypervisor.c
35863 --- linux-2.6.32.42/drivers/xen/sys-hypervisor.c 2011-03-27 14:31:47.000000000 -0400
35864 +++ linux-2.6.32.42/drivers/xen/sys-hypervisor.c 2011-04-17 15:56:46.000000000 -0400
35865 @@ -425,7 +425,7 @@ static ssize_t hyp_sysfs_store(struct ko
35869 -static struct sysfs_ops hyp_sysfs_ops = {
35870 +static const struct sysfs_ops hyp_sysfs_ops = {
35871 .show = hyp_sysfs_show,
35872 .store = hyp_sysfs_store,
35874 diff -urNp linux-2.6.32.42/fs/9p/vfs_inode.c linux-2.6.32.42/fs/9p/vfs_inode.c
35875 --- linux-2.6.32.42/fs/9p/vfs_inode.c 2011-03-27 14:31:47.000000000 -0400
35876 +++ linux-2.6.32.42/fs/9p/vfs_inode.c 2011-04-17 15:56:46.000000000 -0400
35877 @@ -1079,7 +1079,7 @@ static void *v9fs_vfs_follow_link(struct
35879 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
35881 - char *s = nd_get_link(nd);
35882 + const char *s = nd_get_link(nd);
35884 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
35885 IS_ERR(s) ? "<error>" : s);
35886 diff -urNp linux-2.6.32.42/fs/aio.c linux-2.6.32.42/fs/aio.c
35887 --- linux-2.6.32.42/fs/aio.c 2011-03-27 14:31:47.000000000 -0400
35888 +++ linux-2.6.32.42/fs/aio.c 2011-06-04 20:40:21.000000000 -0400
35889 @@ -115,7 +115,7 @@ static int aio_setup_ring(struct kioctx
35890 size += sizeof(struct io_event) * nr_events;
35891 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
35893 - if (nr_pages < 0)
35894 + if (nr_pages <= 0)
35897 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
35898 @@ -1089,6 +1089,8 @@ static int read_events(struct kioctx *ct
35899 struct aio_timeout to;
35902 + pax_track_stack();
35904 /* needed to zero any padding within an entry (there shouldn't be
35905 * any, but C is fun!
35907 @@ -1382,13 +1384,18 @@ static ssize_t aio_fsync(struct kiocb *i
35908 static ssize_t aio_setup_vectored_rw(int type, struct kiocb *kiocb)
35911 + struct iovec iovstack;
35913 ret = rw_copy_check_uvector(type, (struct iovec __user *)kiocb->ki_buf,
35914 kiocb->ki_nbytes, 1,
35915 - &kiocb->ki_inline_vec, &kiocb->ki_iovec);
35916 + &iovstack, &kiocb->ki_iovec);
35920 + if (kiocb->ki_iovec == &iovstack) {
35921 + kiocb->ki_inline_vec = iovstack;
35922 + kiocb->ki_iovec = &kiocb->ki_inline_vec;
35924 kiocb->ki_nr_segs = kiocb->ki_nbytes;
35925 kiocb->ki_cur_seg = 0;
35926 /* ki_nbytes/left now reflect bytes instead of segs */
35927 diff -urNp linux-2.6.32.42/fs/attr.c linux-2.6.32.42/fs/attr.c
35928 --- linux-2.6.32.42/fs/attr.c 2011-03-27 14:31:47.000000000 -0400
35929 +++ linux-2.6.32.42/fs/attr.c 2011-04-17 15:56:46.000000000 -0400
35930 @@ -83,6 +83,7 @@ int inode_newsize_ok(const struct inode
35931 unsigned long limit;
35933 limit = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
35934 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
35935 if (limit != RLIM_INFINITY && offset > limit)
35937 if (offset > inode->i_sb->s_maxbytes)
35938 diff -urNp linux-2.6.32.42/fs/autofs/root.c linux-2.6.32.42/fs/autofs/root.c
35939 --- linux-2.6.32.42/fs/autofs/root.c 2011-03-27 14:31:47.000000000 -0400
35940 +++ linux-2.6.32.42/fs/autofs/root.c 2011-04-17 15:56:46.000000000 -0400
35941 @@ -299,7 +299,8 @@ static int autofs_root_symlink(struct in
35942 set_bit(n,sbi->symlink_bitmap);
35943 sl = &sbi->symlink[n];
35944 sl->len = strlen(symname);
35945 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
35946 + slsize = sl->len+1;
35947 + sl->data = kmalloc(slsize, GFP_KERNEL);
35949 clear_bit(n,sbi->symlink_bitmap);
35951 diff -urNp linux-2.6.32.42/fs/autofs4/symlink.c linux-2.6.32.42/fs/autofs4/symlink.c
35952 --- linux-2.6.32.42/fs/autofs4/symlink.c 2011-03-27 14:31:47.000000000 -0400
35953 +++ linux-2.6.32.42/fs/autofs4/symlink.c 2011-04-17 15:56:46.000000000 -0400
35955 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
35957 struct autofs_info *ino = autofs4_dentry_ino(dentry);
35958 - nd_set_link(nd, (char *)ino->u.symlink);
35959 + nd_set_link(nd, ino->u.symlink);
35963 diff -urNp linux-2.6.32.42/fs/befs/linuxvfs.c linux-2.6.32.42/fs/befs/linuxvfs.c
35964 --- linux-2.6.32.42/fs/befs/linuxvfs.c 2011-03-27 14:31:47.000000000 -0400
35965 +++ linux-2.6.32.42/fs/befs/linuxvfs.c 2011-04-17 15:56:46.000000000 -0400
35966 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
35968 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
35969 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
35970 - char *link = nd_get_link(nd);
35971 + const char *link = nd_get_link(nd);
35975 diff -urNp linux-2.6.32.42/fs/binfmt_aout.c linux-2.6.32.42/fs/binfmt_aout.c
35976 --- linux-2.6.32.42/fs/binfmt_aout.c 2011-03-27 14:31:47.000000000 -0400
35977 +++ linux-2.6.32.42/fs/binfmt_aout.c 2011-04-17 15:56:46.000000000 -0400
35979 #include <linux/string.h>
35980 #include <linux/fs.h>
35981 #include <linux/file.h>
35982 +#include <linux/security.h>
35983 #include <linux/stat.h>
35984 #include <linux/fcntl.h>
35985 #include <linux/ptrace.h>
35986 @@ -102,6 +103,8 @@ static int aout_core_dump(long signr, st
35988 # define START_STACK(u) (u.start_stack)
35990 + memset(&dump, 0, sizeof(dump));
35995 @@ -113,10 +116,12 @@ static int aout_core_dump(long signr, st
35997 /* If the size of the dump file exceeds the rlimit, then see what would happen
35998 if we wrote the stack, but not the data area. */
35999 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
36000 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > limit)
36003 /* Make sure we have enough room to write the stack and data areas. */
36004 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
36005 if ((dump.u_ssize + 1) * PAGE_SIZE > limit)
36008 @@ -146,9 +151,7 @@ static int aout_core_dump(long signr, st
36009 dump_size = dump.u_ssize << PAGE_SHIFT;
36010 DUMP_WRITE(dump_start,dump_size);
36012 -/* Finally dump the task struct. Not be used by gdb, but could be useful */
36013 - set_fs(KERNEL_DS);
36014 - DUMP_WRITE(current,sizeof(*current));
36015 +/* Finally, let's not dump the task struct. Not be used by gdb, but could be useful to an attacker */
36019 @@ -249,6 +252,8 @@ static int load_aout_binary(struct linux
36020 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
36021 if (rlim >= RLIM_INFINITY)
36024 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
36025 if (ex.a_data + ex.a_bss > rlim)
36028 @@ -277,6 +282,27 @@ static int load_aout_binary(struct linux
36029 install_exec_creds(bprm);
36030 current->flags &= ~PF_FORKNOEXEC;
36032 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
36033 + current->mm->pax_flags = 0UL;
36036 +#ifdef CONFIG_PAX_PAGEEXEC
36037 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
36038 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
36040 +#ifdef CONFIG_PAX_EMUTRAMP
36041 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
36042 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
36045 +#ifdef CONFIG_PAX_MPROTECT
36046 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
36047 + current->mm->pax_flags |= MF_PAX_MPROTECT;
36053 if (N_MAGIC(ex) == OMAGIC) {
36054 unsigned long text_addr, map_size;
36056 @@ -349,7 +375,7 @@ static int load_aout_binary(struct linux
36058 down_write(¤t->mm->mmap_sem);
36059 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
36060 - PROT_READ | PROT_WRITE | PROT_EXEC,
36061 + PROT_READ | PROT_WRITE,
36062 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
36063 fd_offset + ex.a_text);
36064 up_write(¤t->mm->mmap_sem);
36065 diff -urNp linux-2.6.32.42/fs/binfmt_elf.c linux-2.6.32.42/fs/binfmt_elf.c
36066 --- linux-2.6.32.42/fs/binfmt_elf.c 2011-03-27 14:31:47.000000000 -0400
36067 +++ linux-2.6.32.42/fs/binfmt_elf.c 2011-05-16 21:46:57.000000000 -0400
36068 @@ -50,6 +50,10 @@ static int elf_core_dump(long signr, str
36069 #define elf_core_dump NULL
36072 +#ifdef CONFIG_PAX_MPROTECT
36073 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
36076 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
36077 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
36079 @@ -69,6 +73,11 @@ static struct linux_binfmt elf_format =
36080 .load_binary = load_elf_binary,
36081 .load_shlib = load_elf_library,
36082 .core_dump = elf_core_dump,
36084 +#ifdef CONFIG_PAX_MPROTECT
36085 + .handle_mprotect= elf_handle_mprotect,
36088 .min_coredump = ELF_EXEC_PAGESIZE,
36091 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
36093 static int set_brk(unsigned long start, unsigned long end)
36095 + unsigned long e = end;
36097 start = ELF_PAGEALIGN(start);
36098 end = ELF_PAGEALIGN(end);
36100 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
36101 if (BAD_ADDR(addr))
36104 - current->mm->start_brk = current->mm->brk = end;
36105 + current->mm->start_brk = current->mm->brk = e;
36109 @@ -148,12 +159,15 @@ create_elf_tables(struct linux_binprm *b
36110 elf_addr_t __user *u_rand_bytes;
36111 const char *k_platform = ELF_PLATFORM;
36112 const char *k_base_platform = ELF_BASE_PLATFORM;
36113 - unsigned char k_rand_bytes[16];
36114 + u32 k_rand_bytes[4];
36116 elf_addr_t *elf_info;
36118 const struct cred *cred = current_cred();
36119 struct vm_area_struct *vma;
36120 + unsigned long saved_auxv[AT_VECTOR_SIZE];
36122 + pax_track_stack();
36125 * In some cases (e.g. Hyper-Threading), we want to avoid L1
36126 @@ -195,8 +209,12 @@ create_elf_tables(struct linux_binprm *b
36127 * Generate 16 random bytes for userspace PRNG seeding.
36129 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
36130 - u_rand_bytes = (elf_addr_t __user *)
36131 - STACK_ALLOC(p, sizeof(k_rand_bytes));
36132 + srandom32(k_rand_bytes[0] ^ random32());
36133 + srandom32(k_rand_bytes[1] ^ random32());
36134 + srandom32(k_rand_bytes[2] ^ random32());
36135 + srandom32(k_rand_bytes[3] ^ random32());
36136 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
36137 + u_rand_bytes = (elf_addr_t __user *) p;
36138 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
36141 @@ -308,9 +326,11 @@ create_elf_tables(struct linux_binprm *b
36143 current->mm->env_end = p;
36145 + memcpy(saved_auxv, elf_info, ei_index * sizeof(elf_addr_t));
36147 /* Put the elf_info on the stack in the right place. */
36148 sp = (elf_addr_t __user *)envp + 1;
36149 - if (copy_to_user(sp, elf_info, ei_index * sizeof(elf_addr_t)))
36150 + if (copy_to_user(sp, saved_auxv, ei_index * sizeof(elf_addr_t)))
36154 @@ -385,10 +405,10 @@ static unsigned long load_elf_interp(str
36156 struct elf_phdr *elf_phdata;
36157 struct elf_phdr *eppnt;
36158 - unsigned long load_addr = 0;
36159 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
36160 int load_addr_set = 0;
36161 unsigned long last_bss = 0, elf_bss = 0;
36162 - unsigned long error = ~0UL;
36163 + unsigned long error = -EINVAL;
36164 unsigned long total_size;
36165 int retval, i, size;
36167 @@ -434,6 +454,11 @@ static unsigned long load_elf_interp(str
36171 +#ifdef CONFIG_PAX_SEGMEXEC
36172 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
36173 + pax_task_size = SEGMEXEC_TASK_SIZE;
36176 eppnt = elf_phdata;
36177 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
36178 if (eppnt->p_type == PT_LOAD) {
36179 @@ -477,8 +502,8 @@ static unsigned long load_elf_interp(str
36180 k = load_addr + eppnt->p_vaddr;
36182 eppnt->p_filesz > eppnt->p_memsz ||
36183 - eppnt->p_memsz > TASK_SIZE ||
36184 - TASK_SIZE - eppnt->p_memsz < k) {
36185 + eppnt->p_memsz > pax_task_size ||
36186 + pax_task_size - eppnt->p_memsz < k) {
36190 @@ -532,6 +557,194 @@ out:
36194 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
36195 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
36197 + unsigned long pax_flags = 0UL;
36199 +#ifdef CONFIG_PAX_PAGEEXEC
36200 + if (elf_phdata->p_flags & PF_PAGEEXEC)
36201 + pax_flags |= MF_PAX_PAGEEXEC;
36204 +#ifdef CONFIG_PAX_SEGMEXEC
36205 + if (elf_phdata->p_flags & PF_SEGMEXEC)
36206 + pax_flags |= MF_PAX_SEGMEXEC;
36209 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
36210 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
36212 + pax_flags &= ~MF_PAX_SEGMEXEC;
36214 + pax_flags &= ~MF_PAX_PAGEEXEC;
36218 +#ifdef CONFIG_PAX_EMUTRAMP
36219 + if (elf_phdata->p_flags & PF_EMUTRAMP)
36220 + pax_flags |= MF_PAX_EMUTRAMP;
36223 +#ifdef CONFIG_PAX_MPROTECT
36224 + if (elf_phdata->p_flags & PF_MPROTECT)
36225 + pax_flags |= MF_PAX_MPROTECT;
36228 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
36229 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
36230 + pax_flags |= MF_PAX_RANDMMAP;
36233 + return pax_flags;
36237 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
36238 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
36240 + unsigned long pax_flags = 0UL;
36242 +#ifdef CONFIG_PAX_PAGEEXEC
36243 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
36244 + pax_flags |= MF_PAX_PAGEEXEC;
36247 +#ifdef CONFIG_PAX_SEGMEXEC
36248 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
36249 + pax_flags |= MF_PAX_SEGMEXEC;
36252 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
36253 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
36255 + pax_flags &= ~MF_PAX_SEGMEXEC;
36257 + pax_flags &= ~MF_PAX_PAGEEXEC;
36261 +#ifdef CONFIG_PAX_EMUTRAMP
36262 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
36263 + pax_flags |= MF_PAX_EMUTRAMP;
36266 +#ifdef CONFIG_PAX_MPROTECT
36267 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
36268 + pax_flags |= MF_PAX_MPROTECT;
36271 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
36272 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
36273 + pax_flags |= MF_PAX_RANDMMAP;
36276 + return pax_flags;
36280 +#ifdef CONFIG_PAX_EI_PAX
36281 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
36283 + unsigned long pax_flags = 0UL;
36285 +#ifdef CONFIG_PAX_PAGEEXEC
36286 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
36287 + pax_flags |= MF_PAX_PAGEEXEC;
36290 +#ifdef CONFIG_PAX_SEGMEXEC
36291 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
36292 + pax_flags |= MF_PAX_SEGMEXEC;
36295 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
36296 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
36298 + pax_flags &= ~MF_PAX_SEGMEXEC;
36300 + pax_flags &= ~MF_PAX_PAGEEXEC;
36304 +#ifdef CONFIG_PAX_EMUTRAMP
36305 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
36306 + pax_flags |= MF_PAX_EMUTRAMP;
36309 +#ifdef CONFIG_PAX_MPROTECT
36310 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
36311 + pax_flags |= MF_PAX_MPROTECT;
36314 +#ifdef CONFIG_PAX_ASLR
36315 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
36316 + pax_flags |= MF_PAX_RANDMMAP;
36319 + return pax_flags;
36323 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
36324 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
36326 + unsigned long pax_flags = 0UL;
36328 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
36330 + int found_flags = 0;
36333 +#ifdef CONFIG_PAX_EI_PAX
36334 + pax_flags = pax_parse_ei_pax(elf_ex);
36337 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
36338 + for (i = 0UL; i < elf_ex->e_phnum; i++)
36339 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
36340 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
36341 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
36342 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
36343 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
36344 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
36347 +#ifdef CONFIG_PAX_SOFTMODE
36348 + if (pax_softmode)
36349 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
36353 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
36359 +#if !defined(CONFIG_PAX_EI_PAX) && defined(CONFIG_PAX_PT_PAX_FLAGS)
36360 + if (found_flags == 0) {
36361 + struct elf_phdr phdr;
36362 + memset(&phdr, 0, sizeof(phdr));
36363 + phdr.p_flags = PF_NOEMUTRAMP;
36364 +#ifdef CONFIG_PAX_SOFTMODE
36365 + if (pax_softmode)
36366 + pax_flags = pax_parse_softmode(&phdr);
36369 + pax_flags = pax_parse_hardmode(&phdr);
36374 + if (0 > pax_check_flags(&pax_flags))
36377 + current->mm->pax_flags = pax_flags;
36383 * These are the functions used to load ELF style executables and shared
36384 * libraries. There is no binary dependent code anywhere else.
36385 @@ -548,6 +761,11 @@ static unsigned long randomize_stack_top
36387 unsigned int random_variable = 0;
36389 +#ifdef CONFIG_PAX_RANDUSTACK
36390 + if (randomize_va_space)
36391 + return stack_top - current->mm->delta_stack;
36394 if ((current->flags & PF_RANDOMIZE) &&
36395 !(current->personality & ADDR_NO_RANDOMIZE)) {
36396 random_variable = get_random_int() & STACK_RND_MASK;
36397 @@ -566,7 +784,7 @@ static int load_elf_binary(struct linux_
36398 unsigned long load_addr = 0, load_bias = 0;
36399 int load_addr_set = 0;
36400 char * elf_interpreter = NULL;
36401 - unsigned long error;
36402 + unsigned long error = 0;
36403 struct elf_phdr *elf_ppnt, *elf_phdata;
36404 unsigned long elf_bss, elf_brk;
36406 @@ -576,11 +794,11 @@ static int load_elf_binary(struct linux_
36407 unsigned long start_code, end_code, start_data, end_data;
36408 unsigned long reloc_func_desc = 0;
36409 int executable_stack = EXSTACK_DEFAULT;
36410 - unsigned long def_flags = 0;
36412 struct elfhdr elf_ex;
36413 struct elfhdr interp_elf_ex;
36415 + unsigned long pax_task_size = TASK_SIZE;
36417 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
36419 @@ -718,11 +936,80 @@ static int load_elf_binary(struct linux_
36421 /* OK, This is the point of no return */
36422 current->flags &= ~PF_FORKNOEXEC;
36423 - current->mm->def_flags = def_flags;
36425 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
36426 + current->mm->pax_flags = 0UL;
36429 +#ifdef CONFIG_PAX_DLRESOLVE
36430 + current->mm->call_dl_resolve = 0UL;
36433 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
36434 + current->mm->call_syscall = 0UL;
36437 +#ifdef CONFIG_PAX_ASLR
36438 + current->mm->delta_mmap = 0UL;
36439 + current->mm->delta_stack = 0UL;
36442 + current->mm->def_flags = 0;
36444 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
36445 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
36446 + send_sig(SIGKILL, current, 0);
36447 + goto out_free_dentry;
36451 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
36452 + pax_set_initial_flags(bprm);
36453 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
36454 + if (pax_set_initial_flags_func)
36455 + (pax_set_initial_flags_func)(bprm);
36458 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
36459 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !nx_enabled) {
36460 + current->mm->context.user_cs_limit = PAGE_SIZE;
36461 + current->mm->def_flags |= VM_PAGEEXEC;
36465 +#ifdef CONFIG_PAX_SEGMEXEC
36466 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
36467 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
36468 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
36469 + pax_task_size = SEGMEXEC_TASK_SIZE;
36473 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
36474 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
36475 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
36480 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
36481 may depend on the personality. */
36482 SET_PERSONALITY(loc->elf_ex);
36484 +#ifdef CONFIG_PAX_ASLR
36485 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
36486 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
36487 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
36491 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
36492 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
36493 + executable_stack = EXSTACK_DISABLE_X;
36494 + current->personality &= ~READ_IMPLIES_EXEC;
36498 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
36499 current->personality |= READ_IMPLIES_EXEC;
36501 @@ -804,6 +1091,20 @@ static int load_elf_binary(struct linux_
36503 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
36506 +#ifdef CONFIG_PAX_RANDMMAP
36507 + /* PaX: randomize base address at the default exe base if requested */
36508 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
36509 +#ifdef CONFIG_SPARC64
36510 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
36512 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
36514 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
36515 + elf_flags |= MAP_FIXED;
36521 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
36522 @@ -836,9 +1137,9 @@ static int load_elf_binary(struct linux_
36523 * allowed task size. Note that p_filesz must always be
36524 * <= p_memsz so it is only necessary to check p_memsz.
36526 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
36527 - elf_ppnt->p_memsz > TASK_SIZE ||
36528 - TASK_SIZE - elf_ppnt->p_memsz < k) {
36529 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
36530 + elf_ppnt->p_memsz > pax_task_size ||
36531 + pax_task_size - elf_ppnt->p_memsz < k) {
36532 /* set_brk can never work. Avoid overflows. */
36533 send_sig(SIGKILL, current, 0);
36535 @@ -866,6 +1167,11 @@ static int load_elf_binary(struct linux_
36536 start_data += load_bias;
36537 end_data += load_bias;
36539 +#ifdef CONFIG_PAX_RANDMMAP
36540 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
36541 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
36544 /* Calling set_brk effectively mmaps the pages that we need
36545 * for the bss and break sections. We must do this before
36546 * mapping in the interpreter, to make sure it doesn't wind
36547 @@ -877,9 +1183,11 @@ static int load_elf_binary(struct linux_
36548 goto out_free_dentry;
36550 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
36551 - send_sig(SIGSEGV, current, 0);
36552 - retval = -EFAULT; /* Nobody gets to see this, but.. */
36553 - goto out_free_dentry;
36555 + * This bss-zeroing can fail if the ELF
36556 + * file specifies odd protections. So
36557 + * we don't check the return value
36561 if (elf_interpreter) {
36562 @@ -1112,8 +1420,10 @@ static int dump_seek(struct file *file,
36563 unsigned long n = off;
36566 - if (!dump_write(file, buf, n))
36567 + if (!dump_write(file, buf, n)) {
36568 + free_page((unsigned long)buf);
36573 free_page((unsigned long)buf);
36574 @@ -1125,7 +1435,7 @@ static int dump_seek(struct file *file,
36575 * Decide what to dump of a segment, part, all or none.
36577 static unsigned long vma_dump_size(struct vm_area_struct *vma,
36578 - unsigned long mm_flags)
36579 + unsigned long mm_flags, long signr)
36581 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
36583 @@ -1159,7 +1469,7 @@ static unsigned long vma_dump_size(struc
36584 if (vma->vm_file == NULL)
36587 - if (FILTER(MAPPED_PRIVATE))
36588 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
36592 @@ -1255,8 +1565,11 @@ static int writenote(struct memelfnote *
36595 #define DUMP_WRITE(addr, nr) \
36597 + gr_learn_resource(current, RLIMIT_CORE, size + (nr), 1); \
36598 if ((size += (nr)) > limit || !dump_write(file, (addr), (nr))) \
36599 - goto end_coredump;
36600 + goto end_coredump; \
36603 static void fill_elf_header(struct elfhdr *elf, int segs,
36604 u16 machine, u32 flags, u8 osabi)
36605 @@ -1385,9 +1698,9 @@ static void fill_auxv_note(struct memelf
36607 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
36612 - while (auxv[i - 2] != AT_NULL);
36613 + } while (auxv[i - 2] != AT_NULL);
36614 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
36617 @@ -1973,7 +2286,7 @@ static int elf_core_dump(long signr, str
36618 phdr.p_offset = offset;
36619 phdr.p_vaddr = vma->vm_start;
36621 - phdr.p_filesz = vma_dump_size(vma, mm_flags);
36622 + phdr.p_filesz = vma_dump_size(vma, mm_flags, signr);
36623 phdr.p_memsz = vma->vm_end - vma->vm_start;
36624 offset += phdr.p_filesz;
36625 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
36626 @@ -2006,7 +2319,7 @@ static int elf_core_dump(long signr, str
36627 unsigned long addr;
36630 - end = vma->vm_start + vma_dump_size(vma, mm_flags);
36631 + end = vma->vm_start + vma_dump_size(vma, mm_flags, signr);
36633 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
36635 @@ -2015,6 +2328,7 @@ static int elf_core_dump(long signr, str
36636 page = get_dump_page(addr);
36638 void *kaddr = kmap(page);
36639 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
36640 stop = ((size += PAGE_SIZE) > limit) ||
36641 !dump_write(file, kaddr, PAGE_SIZE);
36643 @@ -2042,6 +2356,97 @@ out:
36645 #endif /* USE_ELF_CORE_DUMP */
36647 +#ifdef CONFIG_PAX_MPROTECT
36648 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
36649 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
36650 + * we'll remove VM_MAYWRITE for good on RELRO segments.
36652 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
36653 + * basis because we want to allow the common case and not the special ones.
36655 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
36657 + struct elfhdr elf_h;
36658 + struct elf_phdr elf_p;
36660 + unsigned long oldflags;
36661 + bool is_textrel_rw, is_textrel_rx, is_relro;
36663 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
36666 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
36667 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
36669 +#ifdef CONFIG_PAX_ELFRELOCS
36670 + /* possible TEXTREL */
36671 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
36672 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
36674 + is_textrel_rw = false;
36675 + is_textrel_rx = false;
36678 + /* possible RELRO */
36679 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
36681 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
36684 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
36685 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
36687 +#ifdef CONFIG_PAX_ETEXECRELOCS
36688 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
36690 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
36693 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
36694 + !elf_check_arch(&elf_h) ||
36695 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
36696 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
36699 + for (i = 0UL; i < elf_h.e_phnum; i++) {
36700 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
36702 + switch (elf_p.p_type) {
36704 + if (!is_textrel_rw && !is_textrel_rx)
36707 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
36710 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
36712 + if (dyn.d_tag == DT_NULL)
36714 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
36715 + gr_log_textrel(vma);
36716 + if (is_textrel_rw)
36717 + vma->vm_flags |= VM_MAYWRITE;
36719 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
36720 + vma->vm_flags &= ~VM_MAYWRITE;
36727 + case PT_GNU_RELRO:
36730 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
36731 + vma->vm_flags &= ~VM_MAYWRITE;
36738 static int __init init_elf_binfmt(void)
36740 return register_binfmt(&elf_format);
36741 diff -urNp linux-2.6.32.42/fs/binfmt_flat.c linux-2.6.32.42/fs/binfmt_flat.c
36742 --- linux-2.6.32.42/fs/binfmt_flat.c 2011-03-27 14:31:47.000000000 -0400
36743 +++ linux-2.6.32.42/fs/binfmt_flat.c 2011-04-17 15:56:46.000000000 -0400
36744 @@ -564,7 +564,9 @@ static int load_flat_file(struct linux_b
36745 realdatastart = (unsigned long) -ENOMEM;
36746 printk("Unable to allocate RAM for process data, errno %d\n",
36747 (int)-realdatastart);
36748 + down_write(¤t->mm->mmap_sem);
36749 do_munmap(current->mm, textpos, text_len);
36750 + up_write(¤t->mm->mmap_sem);
36751 ret = realdatastart;
36754 @@ -588,8 +590,10 @@ static int load_flat_file(struct linux_b
36756 if (IS_ERR_VALUE(result)) {
36757 printk("Unable to read data+bss, errno %d\n", (int)-result);
36758 + down_write(¤t->mm->mmap_sem);
36759 do_munmap(current->mm, textpos, text_len);
36760 do_munmap(current->mm, realdatastart, data_len + extra);
36761 + up_write(¤t->mm->mmap_sem);
36765 @@ -658,8 +662,10 @@ static int load_flat_file(struct linux_b
36767 if (IS_ERR_VALUE(result)) {
36768 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
36769 + down_write(¤t->mm->mmap_sem);
36770 do_munmap(current->mm, textpos, text_len + data_len + extra +
36771 MAX_SHARED_LIBS * sizeof(unsigned long));
36772 + up_write(¤t->mm->mmap_sem);
36776 diff -urNp linux-2.6.32.42/fs/bio.c linux-2.6.32.42/fs/bio.c
36777 --- linux-2.6.32.42/fs/bio.c 2011-03-27 14:31:47.000000000 -0400
36778 +++ linux-2.6.32.42/fs/bio.c 2011-04-17 15:56:46.000000000 -0400
36779 @@ -78,7 +78,7 @@ static struct kmem_cache *bio_find_or_cr
36782 while (i < bio_slab_nr) {
36783 - struct bio_slab *bslab = &bio_slabs[i];
36784 + bslab = &bio_slabs[i];
36786 if (!bslab->slab && entry == -1)
36788 @@ -1236,7 +1236,7 @@ static void bio_copy_kern_endio(struct b
36789 const int read = bio_data_dir(bio) == READ;
36790 struct bio_map_data *bmd = bio->bi_private;
36792 - char *p = bmd->sgvecs[0].iov_base;
36793 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
36795 __bio_for_each_segment(bvec, bio, i, 0) {
36796 char *addr = page_address(bvec->bv_page);
36797 diff -urNp linux-2.6.32.42/fs/block_dev.c linux-2.6.32.42/fs/block_dev.c
36798 --- linux-2.6.32.42/fs/block_dev.c 2011-06-25 12:55:34.000000000 -0400
36799 +++ linux-2.6.32.42/fs/block_dev.c 2011-06-25 12:56:37.000000000 -0400
36800 @@ -664,7 +664,7 @@ int bd_claim(struct block_device *bdev,
36801 else if (bdev->bd_contains == bdev)
36802 res = 0; /* is a whole device which isn't held */
36804 - else if (bdev->bd_contains->bd_holder == bd_claim)
36805 + else if (bdev->bd_contains->bd_holder == (void *)bd_claim)
36806 res = 0; /* is a partition of a device that is being partitioned */
36807 else if (bdev->bd_contains->bd_holder != NULL)
36808 res = -EBUSY; /* is a partition of a held device */
36809 diff -urNp linux-2.6.32.42/fs/btrfs/ctree.c linux-2.6.32.42/fs/btrfs/ctree.c
36810 --- linux-2.6.32.42/fs/btrfs/ctree.c 2011-03-27 14:31:47.000000000 -0400
36811 +++ linux-2.6.32.42/fs/btrfs/ctree.c 2011-04-17 15:56:46.000000000 -0400
36812 @@ -461,9 +461,12 @@ static noinline int __btrfs_cow_block(st
36813 free_extent_buffer(buf);
36814 add_root_to_dirty_list(root);
36816 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
36817 - parent_start = parent->start;
36819 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
36821 + parent_start = parent->start;
36823 + parent_start = 0;
36827 WARN_ON(trans->transid != btrfs_header_generation(parent));
36828 @@ -3645,7 +3648,6 @@ setup_items_for_insert(struct btrfs_tran
36832 - struct btrfs_disk_key disk_key;
36833 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
36834 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
36836 diff -urNp linux-2.6.32.42/fs/btrfs/disk-io.c linux-2.6.32.42/fs/btrfs/disk-io.c
36837 --- linux-2.6.32.42/fs/btrfs/disk-io.c 2011-04-17 17:00:52.000000000 -0400
36838 +++ linux-2.6.32.42/fs/btrfs/disk-io.c 2011-04-17 17:03:11.000000000 -0400
36840 #include "tree-log.h"
36841 #include "free-space-cache.h"
36843 -static struct extent_io_ops btree_extent_io_ops;
36844 +static const struct extent_io_ops btree_extent_io_ops;
36845 static void end_workqueue_fn(struct btrfs_work *work);
36846 static void free_fs_root(struct btrfs_root *root);
36848 @@ -2607,7 +2607,7 @@ out:
36852 -static struct extent_io_ops btree_extent_io_ops = {
36853 +static const struct extent_io_ops btree_extent_io_ops = {
36854 .write_cache_pages_lock_hook = btree_lock_page_hook,
36855 .readpage_end_io_hook = btree_readpage_end_io_hook,
36856 .submit_bio_hook = btree_submit_bio_hook,
36857 diff -urNp linux-2.6.32.42/fs/btrfs/extent_io.h linux-2.6.32.42/fs/btrfs/extent_io.h
36858 --- linux-2.6.32.42/fs/btrfs/extent_io.h 2011-03-27 14:31:47.000000000 -0400
36859 +++ linux-2.6.32.42/fs/btrfs/extent_io.h 2011-04-17 15:56:46.000000000 -0400
36860 @@ -49,36 +49,36 @@ typedef int (extent_submit_bio_hook_t)(s
36861 struct bio *bio, int mirror_num,
36862 unsigned long bio_flags);
36863 struct extent_io_ops {
36864 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
36865 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
36866 u64 start, u64 end, int *page_started,
36867 unsigned long *nr_written);
36868 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
36869 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
36870 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
36871 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
36872 extent_submit_bio_hook_t *submit_bio_hook;
36873 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
36874 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
36875 size_t size, struct bio *bio,
36876 unsigned long bio_flags);
36877 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
36878 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
36879 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
36880 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
36881 u64 start, u64 end,
36882 struct extent_state *state);
36883 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
36884 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
36885 u64 start, u64 end,
36886 struct extent_state *state);
36887 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
36888 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
36889 struct extent_state *state);
36890 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
36891 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
36892 struct extent_state *state, int uptodate);
36893 - int (*set_bit_hook)(struct inode *inode, u64 start, u64 end,
36894 + int (* const set_bit_hook)(struct inode *inode, u64 start, u64 end,
36895 unsigned long old, unsigned long bits);
36896 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
36897 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
36898 unsigned long bits);
36899 - int (*merge_extent_hook)(struct inode *inode,
36900 + int (* const merge_extent_hook)(struct inode *inode,
36901 struct extent_state *new,
36902 struct extent_state *other);
36903 - int (*split_extent_hook)(struct inode *inode,
36904 + int (* const split_extent_hook)(struct inode *inode,
36905 struct extent_state *orig, u64 split);
36906 - int (*write_cache_pages_lock_hook)(struct page *page);
36907 + int (* const write_cache_pages_lock_hook)(struct page *page);
36910 struct extent_io_tree {
36911 @@ -88,7 +88,7 @@ struct extent_io_tree {
36914 spinlock_t buffer_lock;
36915 - struct extent_io_ops *ops;
36916 + const struct extent_io_ops *ops;
36919 struct extent_state {
36920 diff -urNp linux-2.6.32.42/fs/btrfs/extent-tree.c linux-2.6.32.42/fs/btrfs/extent-tree.c
36921 --- linux-2.6.32.42/fs/btrfs/extent-tree.c 2011-03-27 14:31:47.000000000 -0400
36922 +++ linux-2.6.32.42/fs/btrfs/extent-tree.c 2011-06-12 06:39:08.000000000 -0400
36923 @@ -7141,6 +7141,10 @@ static noinline int relocate_one_extent(
36924 u64 group_start = group->key.objectid;
36925 new_extents = kmalloc(sizeof(*new_extents),
36927 + if (!new_extents) {
36932 ret = get_new_locations(reloc_inode,
36934 diff -urNp linux-2.6.32.42/fs/btrfs/free-space-cache.c linux-2.6.32.42/fs/btrfs/free-space-cache.c
36935 --- linux-2.6.32.42/fs/btrfs/free-space-cache.c 2011-03-27 14:31:47.000000000 -0400
36936 +++ linux-2.6.32.42/fs/btrfs/free-space-cache.c 2011-04-17 15:56:46.000000000 -0400
36937 @@ -1074,8 +1074,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
36940 if (entry->bytes < bytes || entry->offset < min_start) {
36941 - struct rb_node *node;
36943 node = rb_next(&entry->offset_index);
36946 @@ -1226,7 +1224,7 @@ again:
36948 while (entry->bitmap || found_bitmap ||
36949 (!entry->bitmap && entry->bytes < min_bytes)) {
36950 - struct rb_node *node = rb_next(&entry->offset_index);
36951 + node = rb_next(&entry->offset_index);
36953 if (entry->bitmap && entry->bytes > bytes + empty_size) {
36954 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
36955 diff -urNp linux-2.6.32.42/fs/btrfs/inode.c linux-2.6.32.42/fs/btrfs/inode.c
36956 --- linux-2.6.32.42/fs/btrfs/inode.c 2011-03-27 14:31:47.000000000 -0400
36957 +++ linux-2.6.32.42/fs/btrfs/inode.c 2011-06-12 06:39:58.000000000 -0400
36958 @@ -63,7 +63,7 @@ static const struct inode_operations btr
36959 static const struct address_space_operations btrfs_aops;
36960 static const struct address_space_operations btrfs_symlink_aops;
36961 static const struct file_operations btrfs_dir_file_operations;
36962 -static struct extent_io_ops btrfs_extent_io_ops;
36963 +static const struct extent_io_ops btrfs_extent_io_ops;
36965 static struct kmem_cache *btrfs_inode_cachep;
36966 struct kmem_cache *btrfs_trans_handle_cachep;
36967 @@ -925,6 +925,7 @@ static int cow_file_range_async(struct i
36968 1, 0, NULL, GFP_NOFS);
36969 while (start < end) {
36970 async_cow = kmalloc(sizeof(*async_cow), GFP_NOFS);
36971 + BUG_ON(!async_cow);
36972 async_cow->inode = inode;
36973 async_cow->root = root;
36974 async_cow->locked_page = locked_page;
36975 @@ -4591,6 +4592,8 @@ static noinline int uncompress_inline(st
36976 inline_size = btrfs_file_extent_inline_item_len(leaf,
36977 btrfs_item_nr(leaf, path->slots[0]));
36978 tmp = kmalloc(inline_size, GFP_NOFS);
36981 ptr = btrfs_file_extent_inline_start(item);
36983 read_extent_buffer(leaf, tmp, ptr, inline_size);
36984 @@ -5410,7 +5413,7 @@ fail:
36988 -static int btrfs_getattr(struct vfsmount *mnt,
36989 +int btrfs_getattr(struct vfsmount *mnt,
36990 struct dentry *dentry, struct kstat *stat)
36992 struct inode *inode = dentry->d_inode;
36993 @@ -5422,6 +5425,14 @@ static int btrfs_getattr(struct vfsmount
36997 +EXPORT_SYMBOL(btrfs_getattr);
36999 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
37001 + return BTRFS_I(inode)->root->anon_super.s_dev;
37003 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
37005 static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
37006 struct inode *new_dir, struct dentry *new_dentry)
37008 @@ -5972,7 +5983,7 @@ static const struct file_operations btrf
37009 .fsync = btrfs_sync_file,
37012 -static struct extent_io_ops btrfs_extent_io_ops = {
37013 +static const struct extent_io_ops btrfs_extent_io_ops = {
37014 .fill_delalloc = run_delalloc_range,
37015 .submit_bio_hook = btrfs_submit_bio_hook,
37016 .merge_bio_hook = btrfs_merge_bio_hook,
37017 diff -urNp linux-2.6.32.42/fs/btrfs/relocation.c linux-2.6.32.42/fs/btrfs/relocation.c
37018 --- linux-2.6.32.42/fs/btrfs/relocation.c 2011-03-27 14:31:47.000000000 -0400
37019 +++ linux-2.6.32.42/fs/btrfs/relocation.c 2011-04-17 15:56:46.000000000 -0400
37020 @@ -884,7 +884,7 @@ static int __update_reloc_root(struct bt
37022 spin_unlock(&rc->reloc_root_tree.lock);
37024 - BUG_ON((struct btrfs_root *)node->data != root);
37025 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
37028 spin_lock(&rc->reloc_root_tree.lock);
37029 diff -urNp linux-2.6.32.42/fs/btrfs/sysfs.c linux-2.6.32.42/fs/btrfs/sysfs.c
37030 --- linux-2.6.32.42/fs/btrfs/sysfs.c 2011-03-27 14:31:47.000000000 -0400
37031 +++ linux-2.6.32.42/fs/btrfs/sysfs.c 2011-04-17 15:56:46.000000000 -0400
37032 @@ -164,12 +164,12 @@ static void btrfs_root_release(struct ko
37033 complete(&root->kobj_unregister);
37036 -static struct sysfs_ops btrfs_super_attr_ops = {
37037 +static const struct sysfs_ops btrfs_super_attr_ops = {
37038 .show = btrfs_super_attr_show,
37039 .store = btrfs_super_attr_store,
37042 -static struct sysfs_ops btrfs_root_attr_ops = {
37043 +static const struct sysfs_ops btrfs_root_attr_ops = {
37044 .show = btrfs_root_attr_show,
37045 .store = btrfs_root_attr_store,
37047 diff -urNp linux-2.6.32.42/fs/buffer.c linux-2.6.32.42/fs/buffer.c
37048 --- linux-2.6.32.42/fs/buffer.c 2011-03-27 14:31:47.000000000 -0400
37049 +++ linux-2.6.32.42/fs/buffer.c 2011-04-17 15:56:46.000000000 -0400
37051 #include <linux/percpu.h>
37052 #include <linux/slab.h>
37053 #include <linux/capability.h>
37054 +#include <linux/security.h>
37055 #include <linux/blkdev.h>
37056 #include <linux/file.h>
37057 #include <linux/quotaops.h>
37058 diff -urNp linux-2.6.32.42/fs/cachefiles/bind.c linux-2.6.32.42/fs/cachefiles/bind.c
37059 --- linux-2.6.32.42/fs/cachefiles/bind.c 2011-03-27 14:31:47.000000000 -0400
37060 +++ linux-2.6.32.42/fs/cachefiles/bind.c 2011-04-17 15:56:46.000000000 -0400
37061 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
37064 /* start by checking things over */
37065 - ASSERT(cache->fstop_percent >= 0 &&
37066 - cache->fstop_percent < cache->fcull_percent &&
37067 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
37068 cache->fcull_percent < cache->frun_percent &&
37069 cache->frun_percent < 100);
37071 - ASSERT(cache->bstop_percent >= 0 &&
37072 - cache->bstop_percent < cache->bcull_percent &&
37073 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
37074 cache->bcull_percent < cache->brun_percent &&
37075 cache->brun_percent < 100);
37077 diff -urNp linux-2.6.32.42/fs/cachefiles/daemon.c linux-2.6.32.42/fs/cachefiles/daemon.c
37078 --- linux-2.6.32.42/fs/cachefiles/daemon.c 2011-03-27 14:31:47.000000000 -0400
37079 +++ linux-2.6.32.42/fs/cachefiles/daemon.c 2011-04-17 15:56:46.000000000 -0400
37080 @@ -220,7 +220,7 @@ static ssize_t cachefiles_daemon_write(s
37081 if (test_bit(CACHEFILES_DEAD, &cache->flags))
37084 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
37085 + if (datalen > PAGE_SIZE - 1)
37086 return -EOPNOTSUPP;
37088 /* drag the command string into the kernel so we can parse it */
37089 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
37090 if (args[0] != '%' || args[1] != '\0')
37093 - if (fstop < 0 || fstop >= cache->fcull_percent)
37094 + if (fstop >= cache->fcull_percent)
37095 return cachefiles_daemon_range_error(cache, args);
37097 cache->fstop_percent = fstop;
37098 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
37099 if (args[0] != '%' || args[1] != '\0')
37102 - if (bstop < 0 || bstop >= cache->bcull_percent)
37103 + if (bstop >= cache->bcull_percent)
37104 return cachefiles_daemon_range_error(cache, args);
37106 cache->bstop_percent = bstop;
37107 diff -urNp linux-2.6.32.42/fs/cachefiles/internal.h linux-2.6.32.42/fs/cachefiles/internal.h
37108 --- linux-2.6.32.42/fs/cachefiles/internal.h 2011-03-27 14:31:47.000000000 -0400
37109 +++ linux-2.6.32.42/fs/cachefiles/internal.h 2011-05-04 17:56:28.000000000 -0400
37110 @@ -56,7 +56,7 @@ struct cachefiles_cache {
37111 wait_queue_head_t daemon_pollwq; /* poll waitqueue for daemon */
37112 struct rb_root active_nodes; /* active nodes (can't be culled) */
37113 rwlock_t active_lock; /* lock for active_nodes */
37114 - atomic_t gravecounter; /* graveyard uniquifier */
37115 + atomic_unchecked_t gravecounter; /* graveyard uniquifier */
37116 unsigned frun_percent; /* when to stop culling (% files) */
37117 unsigned fcull_percent; /* when to start culling (% files) */
37118 unsigned fstop_percent; /* when to stop allocating (% files) */
37119 @@ -168,19 +168,19 @@ extern int cachefiles_check_in_use(struc
37122 #ifdef CONFIG_CACHEFILES_HISTOGRAM
37123 -extern atomic_t cachefiles_lookup_histogram[HZ];
37124 -extern atomic_t cachefiles_mkdir_histogram[HZ];
37125 -extern atomic_t cachefiles_create_histogram[HZ];
37126 +extern atomic_unchecked_t cachefiles_lookup_histogram[HZ];
37127 +extern atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
37128 +extern atomic_unchecked_t cachefiles_create_histogram[HZ];
37130 extern int __init cachefiles_proc_init(void);
37131 extern void cachefiles_proc_cleanup(void);
37133 -void cachefiles_hist(atomic_t histogram[], unsigned long start_jif)
37134 +void cachefiles_hist(atomic_unchecked_t histogram[], unsigned long start_jif)
37136 unsigned long jif = jiffies - start_jif;
37139 - atomic_inc(&histogram[jif]);
37140 + atomic_inc_unchecked(&histogram[jif]);
37144 diff -urNp linux-2.6.32.42/fs/cachefiles/namei.c linux-2.6.32.42/fs/cachefiles/namei.c
37145 --- linux-2.6.32.42/fs/cachefiles/namei.c 2011-03-27 14:31:47.000000000 -0400
37146 +++ linux-2.6.32.42/fs/cachefiles/namei.c 2011-05-04 17:56:28.000000000 -0400
37147 @@ -250,7 +250,7 @@ try_again:
37148 /* first step is to make up a grave dentry in the graveyard */
37149 sprintf(nbuffer, "%08x%08x",
37150 (uint32_t) get_seconds(),
37151 - (uint32_t) atomic_inc_return(&cache->gravecounter));
37152 + (uint32_t) atomic_inc_return_unchecked(&cache->gravecounter));
37154 /* do the multiway lock magic */
37155 trap = lock_rename(cache->graveyard, dir);
37156 diff -urNp linux-2.6.32.42/fs/cachefiles/proc.c linux-2.6.32.42/fs/cachefiles/proc.c
37157 --- linux-2.6.32.42/fs/cachefiles/proc.c 2011-03-27 14:31:47.000000000 -0400
37158 +++ linux-2.6.32.42/fs/cachefiles/proc.c 2011-05-04 17:56:28.000000000 -0400
37160 #include <linux/seq_file.h>
37161 #include "internal.h"
37163 -atomic_t cachefiles_lookup_histogram[HZ];
37164 -atomic_t cachefiles_mkdir_histogram[HZ];
37165 -atomic_t cachefiles_create_histogram[HZ];
37166 +atomic_unchecked_t cachefiles_lookup_histogram[HZ];
37167 +atomic_unchecked_t cachefiles_mkdir_histogram[HZ];
37168 +atomic_unchecked_t cachefiles_create_histogram[HZ];
37171 * display the latency histogram
37172 @@ -35,9 +35,9 @@ static int cachefiles_histogram_show(str
37175 index = (unsigned long) v - 3;
37176 - x = atomic_read(&cachefiles_lookup_histogram[index]);
37177 - y = atomic_read(&cachefiles_mkdir_histogram[index]);
37178 - z = atomic_read(&cachefiles_create_histogram[index]);
37179 + x = atomic_read_unchecked(&cachefiles_lookup_histogram[index]);
37180 + y = atomic_read_unchecked(&cachefiles_mkdir_histogram[index]);
37181 + z = atomic_read_unchecked(&cachefiles_create_histogram[index]);
37182 if (x == 0 && y == 0 && z == 0)
37185 diff -urNp linux-2.6.32.42/fs/cachefiles/rdwr.c linux-2.6.32.42/fs/cachefiles/rdwr.c
37186 --- linux-2.6.32.42/fs/cachefiles/rdwr.c 2011-03-27 14:31:47.000000000 -0400
37187 +++ linux-2.6.32.42/fs/cachefiles/rdwr.c 2011-04-17 15:56:46.000000000 -0400
37188 @@ -946,7 +946,7 @@ int cachefiles_write_page(struct fscache
37191 ret = file->f_op->write(
37192 - file, (const void __user *) data, len, &pos);
37193 + file, (__force const void __user *) data, len, &pos);
37197 diff -urNp linux-2.6.32.42/fs/cifs/cifs_debug.c linux-2.6.32.42/fs/cifs/cifs_debug.c
37198 --- linux-2.6.32.42/fs/cifs/cifs_debug.c 2011-03-27 14:31:47.000000000 -0400
37199 +++ linux-2.6.32.42/fs/cifs/cifs_debug.c 2011-05-04 17:56:28.000000000 -0400
37200 @@ -256,25 +256,25 @@ static ssize_t cifs_stats_proc_write(str
37201 tcon = list_entry(tmp3,
37202 struct cifsTconInfo,
37204 - atomic_set(&tcon->num_smbs_sent, 0);
37205 - atomic_set(&tcon->num_writes, 0);
37206 - atomic_set(&tcon->num_reads, 0);
37207 - atomic_set(&tcon->num_oplock_brks, 0);
37208 - atomic_set(&tcon->num_opens, 0);
37209 - atomic_set(&tcon->num_posixopens, 0);
37210 - atomic_set(&tcon->num_posixmkdirs, 0);
37211 - atomic_set(&tcon->num_closes, 0);
37212 - atomic_set(&tcon->num_deletes, 0);
37213 - atomic_set(&tcon->num_mkdirs, 0);
37214 - atomic_set(&tcon->num_rmdirs, 0);
37215 - atomic_set(&tcon->num_renames, 0);
37216 - atomic_set(&tcon->num_t2renames, 0);
37217 - atomic_set(&tcon->num_ffirst, 0);
37218 - atomic_set(&tcon->num_fnext, 0);
37219 - atomic_set(&tcon->num_fclose, 0);
37220 - atomic_set(&tcon->num_hardlinks, 0);
37221 - atomic_set(&tcon->num_symlinks, 0);
37222 - atomic_set(&tcon->num_locks, 0);
37223 + atomic_set_unchecked(&tcon->num_smbs_sent, 0);
37224 + atomic_set_unchecked(&tcon->num_writes, 0);
37225 + atomic_set_unchecked(&tcon->num_reads, 0);
37226 + atomic_set_unchecked(&tcon->num_oplock_brks, 0);
37227 + atomic_set_unchecked(&tcon->num_opens, 0);
37228 + atomic_set_unchecked(&tcon->num_posixopens, 0);
37229 + atomic_set_unchecked(&tcon->num_posixmkdirs, 0);
37230 + atomic_set_unchecked(&tcon->num_closes, 0);
37231 + atomic_set_unchecked(&tcon->num_deletes, 0);
37232 + atomic_set_unchecked(&tcon->num_mkdirs, 0);
37233 + atomic_set_unchecked(&tcon->num_rmdirs, 0);
37234 + atomic_set_unchecked(&tcon->num_renames, 0);
37235 + atomic_set_unchecked(&tcon->num_t2renames, 0);
37236 + atomic_set_unchecked(&tcon->num_ffirst, 0);
37237 + atomic_set_unchecked(&tcon->num_fnext, 0);
37238 + atomic_set_unchecked(&tcon->num_fclose, 0);
37239 + atomic_set_unchecked(&tcon->num_hardlinks, 0);
37240 + atomic_set_unchecked(&tcon->num_symlinks, 0);
37241 + atomic_set_unchecked(&tcon->num_locks, 0);
37245 @@ -334,41 +334,41 @@ static int cifs_stats_proc_show(struct s
37246 if (tcon->need_reconnect)
37247 seq_puts(m, "\tDISCONNECTED ");
37248 seq_printf(m, "\nSMBs: %d Oplock Breaks: %d",
37249 - atomic_read(&tcon->num_smbs_sent),
37250 - atomic_read(&tcon->num_oplock_brks));
37251 + atomic_read_unchecked(&tcon->num_smbs_sent),
37252 + atomic_read_unchecked(&tcon->num_oplock_brks));
37253 seq_printf(m, "\nReads: %d Bytes: %lld",
37254 - atomic_read(&tcon->num_reads),
37255 + atomic_read_unchecked(&tcon->num_reads),
37256 (long long)(tcon->bytes_read));
37257 seq_printf(m, "\nWrites: %d Bytes: %lld",
37258 - atomic_read(&tcon->num_writes),
37259 + atomic_read_unchecked(&tcon->num_writes),
37260 (long long)(tcon->bytes_written));
37261 seq_printf(m, "\nFlushes: %d",
37262 - atomic_read(&tcon->num_flushes));
37263 + atomic_read_unchecked(&tcon->num_flushes));
37264 seq_printf(m, "\nLocks: %d HardLinks: %d "
37266 - atomic_read(&tcon->num_locks),
37267 - atomic_read(&tcon->num_hardlinks),
37268 - atomic_read(&tcon->num_symlinks));
37269 + atomic_read_unchecked(&tcon->num_locks),
37270 + atomic_read_unchecked(&tcon->num_hardlinks),
37271 + atomic_read_unchecked(&tcon->num_symlinks));
37272 seq_printf(m, "\nOpens: %d Closes: %d "
37274 - atomic_read(&tcon->num_opens),
37275 - atomic_read(&tcon->num_closes),
37276 - atomic_read(&tcon->num_deletes));
37277 + atomic_read_unchecked(&tcon->num_opens),
37278 + atomic_read_unchecked(&tcon->num_closes),
37279 + atomic_read_unchecked(&tcon->num_deletes));
37280 seq_printf(m, "\nPosix Opens: %d "
37281 "Posix Mkdirs: %d",
37282 - atomic_read(&tcon->num_posixopens),
37283 - atomic_read(&tcon->num_posixmkdirs));
37284 + atomic_read_unchecked(&tcon->num_posixopens),
37285 + atomic_read_unchecked(&tcon->num_posixmkdirs));
37286 seq_printf(m, "\nMkdirs: %d Rmdirs: %d",
37287 - atomic_read(&tcon->num_mkdirs),
37288 - atomic_read(&tcon->num_rmdirs));
37289 + atomic_read_unchecked(&tcon->num_mkdirs),
37290 + atomic_read_unchecked(&tcon->num_rmdirs));
37291 seq_printf(m, "\nRenames: %d T2 Renames %d",
37292 - atomic_read(&tcon->num_renames),
37293 - atomic_read(&tcon->num_t2renames));
37294 + atomic_read_unchecked(&tcon->num_renames),
37295 + atomic_read_unchecked(&tcon->num_t2renames));
37296 seq_printf(m, "\nFindFirst: %d FNext %d "
37298 - atomic_read(&tcon->num_ffirst),
37299 - atomic_read(&tcon->num_fnext),
37300 - atomic_read(&tcon->num_fclose));
37301 + atomic_read_unchecked(&tcon->num_ffirst),
37302 + atomic_read_unchecked(&tcon->num_fnext),
37303 + atomic_read_unchecked(&tcon->num_fclose));
37307 diff -urNp linux-2.6.32.42/fs/cifs/cifsglob.h linux-2.6.32.42/fs/cifs/cifsglob.h
37308 --- linux-2.6.32.42/fs/cifs/cifsglob.h 2011-03-27 14:31:47.000000000 -0400
37309 +++ linux-2.6.32.42/fs/cifs/cifsglob.h 2011-05-04 17:56:28.000000000 -0400
37310 @@ -252,28 +252,28 @@ struct cifsTconInfo {
37311 __u16 Flags; /* optional support bits */
37312 enum statusEnum tidStatus;
37313 #ifdef CONFIG_CIFS_STATS
37314 - atomic_t num_smbs_sent;
37315 - atomic_t num_writes;
37316 - atomic_t num_reads;
37317 - atomic_t num_flushes;
37318 - atomic_t num_oplock_brks;
37319 - atomic_t num_opens;
37320 - atomic_t num_closes;
37321 - atomic_t num_deletes;
37322 - atomic_t num_mkdirs;
37323 - atomic_t num_posixopens;
37324 - atomic_t num_posixmkdirs;
37325 - atomic_t num_rmdirs;
37326 - atomic_t num_renames;
37327 - atomic_t num_t2renames;
37328 - atomic_t num_ffirst;
37329 - atomic_t num_fnext;
37330 - atomic_t num_fclose;
37331 - atomic_t num_hardlinks;
37332 - atomic_t num_symlinks;
37333 - atomic_t num_locks;
37334 - atomic_t num_acl_get;
37335 - atomic_t num_acl_set;
37336 + atomic_unchecked_t num_smbs_sent;
37337 + atomic_unchecked_t num_writes;
37338 + atomic_unchecked_t num_reads;
37339 + atomic_unchecked_t num_flushes;
37340 + atomic_unchecked_t num_oplock_brks;
37341 + atomic_unchecked_t num_opens;
37342 + atomic_unchecked_t num_closes;
37343 + atomic_unchecked_t num_deletes;
37344 + atomic_unchecked_t num_mkdirs;
37345 + atomic_unchecked_t num_posixopens;
37346 + atomic_unchecked_t num_posixmkdirs;
37347 + atomic_unchecked_t num_rmdirs;
37348 + atomic_unchecked_t num_renames;
37349 + atomic_unchecked_t num_t2renames;
37350 + atomic_unchecked_t num_ffirst;
37351 + atomic_unchecked_t num_fnext;
37352 + atomic_unchecked_t num_fclose;
37353 + atomic_unchecked_t num_hardlinks;
37354 + atomic_unchecked_t num_symlinks;
37355 + atomic_unchecked_t num_locks;
37356 + atomic_unchecked_t num_acl_get;
37357 + atomic_unchecked_t num_acl_set;
37358 #ifdef CONFIG_CIFS_STATS2
37359 unsigned long long time_writes;
37360 unsigned long long time_reads;
37361 @@ -414,7 +414,7 @@ static inline char CIFS_DIR_SEP(const st
37364 #ifdef CONFIG_CIFS_STATS
37365 -#define cifs_stats_inc atomic_inc
37366 +#define cifs_stats_inc atomic_inc_unchecked
37368 static inline void cifs_stats_bytes_written(struct cifsTconInfo *tcon,
37369 unsigned int bytes)
37370 diff -urNp linux-2.6.32.42/fs/cifs/link.c linux-2.6.32.42/fs/cifs/link.c
37371 --- linux-2.6.32.42/fs/cifs/link.c 2011-03-27 14:31:47.000000000 -0400
37372 +++ linux-2.6.32.42/fs/cifs/link.c 2011-04-17 15:56:46.000000000 -0400
37373 @@ -215,7 +215,7 @@ cifs_symlink(struct inode *inode, struct
37375 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
37377 - char *p = nd_get_link(nd);
37378 + const char *p = nd_get_link(nd);
37382 diff -urNp linux-2.6.32.42/fs/coda/cache.c linux-2.6.32.42/fs/coda/cache.c
37383 --- linux-2.6.32.42/fs/coda/cache.c 2011-03-27 14:31:47.000000000 -0400
37384 +++ linux-2.6.32.42/fs/coda/cache.c 2011-05-04 17:56:28.000000000 -0400
37385 @@ -24,14 +24,14 @@
37386 #include <linux/coda_fs_i.h>
37387 #include <linux/coda_cache.h>
37389 -static atomic_t permission_epoch = ATOMIC_INIT(0);
37390 +static atomic_unchecked_t permission_epoch = ATOMIC_INIT(0);
37392 /* replace or extend an acl cache hit */
37393 void coda_cache_enter(struct inode *inode, int mask)
37395 struct coda_inode_info *cii = ITOC(inode);
37397 - cii->c_cached_epoch = atomic_read(&permission_epoch);
37398 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch);
37399 if (cii->c_uid != current_fsuid()) {
37400 cii->c_uid = current_fsuid();
37401 cii->c_cached_perm = mask;
37402 @@ -43,13 +43,13 @@ void coda_cache_enter(struct inode *inod
37403 void coda_cache_clear_inode(struct inode *inode)
37405 struct coda_inode_info *cii = ITOC(inode);
37406 - cii->c_cached_epoch = atomic_read(&permission_epoch) - 1;
37407 + cii->c_cached_epoch = atomic_read_unchecked(&permission_epoch) - 1;
37410 /* remove all acl caches */
37411 void coda_cache_clear_all(struct super_block *sb)
37413 - atomic_inc(&permission_epoch);
37414 + atomic_inc_unchecked(&permission_epoch);
37418 @@ -61,7 +61,7 @@ int coda_cache_check(struct inode *inode
37420 hit = (mask & cii->c_cached_perm) == mask &&
37421 cii->c_uid == current_fsuid() &&
37422 - cii->c_cached_epoch == atomic_read(&permission_epoch);
37423 + cii->c_cached_epoch == atomic_read_unchecked(&permission_epoch);
37427 diff -urNp linux-2.6.32.42/fs/compat_binfmt_elf.c linux-2.6.32.42/fs/compat_binfmt_elf.c
37428 --- linux-2.6.32.42/fs/compat_binfmt_elf.c 2011-03-27 14:31:47.000000000 -0400
37429 +++ linux-2.6.32.42/fs/compat_binfmt_elf.c 2011-04-17 15:56:46.000000000 -0400
37430 @@ -29,10 +29,12 @@
37436 #define elfhdr elf32_hdr
37437 #define elf_phdr elf32_phdr
37438 #define elf_note elf32_note
37439 +#define elf_dyn Elf32_Dyn
37440 #define elf_addr_t Elf32_Addr
37443 diff -urNp linux-2.6.32.42/fs/compat.c linux-2.6.32.42/fs/compat.c
37444 --- linux-2.6.32.42/fs/compat.c 2011-04-17 17:00:52.000000000 -0400
37445 +++ linux-2.6.32.42/fs/compat.c 2011-05-16 21:46:57.000000000 -0400
37446 @@ -830,6 +830,7 @@ struct compat_old_linux_dirent {
37448 struct compat_readdir_callback {
37449 struct compat_old_linux_dirent __user *dirent;
37450 + struct file * file;
37454 @@ -847,6 +848,10 @@ static int compat_fillonedir(void *__buf
37455 buf->result = -EOVERFLOW;
37459 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
37463 dirent = buf->dirent;
37464 if (!access_ok(VERIFY_WRITE, dirent,
37465 @@ -879,6 +884,7 @@ asmlinkage long compat_sys_old_readdir(u
37468 buf.dirent = dirent;
37471 error = vfs_readdir(file, compat_fillonedir, &buf);
37473 @@ -899,6 +905,7 @@ struct compat_linux_dirent {
37474 struct compat_getdents_callback {
37475 struct compat_linux_dirent __user *current_dir;
37476 struct compat_linux_dirent __user *previous;
37477 + struct file * file;
37481 @@ -919,6 +926,10 @@ static int compat_filldir(void *__buf, c
37482 buf->error = -EOVERFLOW;
37486 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
37489 dirent = buf->previous;
37491 if (__put_user(offset, &dirent->d_off))
37492 @@ -966,6 +977,7 @@ asmlinkage long compat_sys_getdents(unsi
37493 buf.previous = NULL;
37498 error = vfs_readdir(file, compat_filldir, &buf);
37500 @@ -987,6 +999,7 @@ out:
37501 struct compat_getdents_callback64 {
37502 struct linux_dirent64 __user *current_dir;
37503 struct linux_dirent64 __user *previous;
37504 + struct file * file;
37508 @@ -1003,6 +1016,10 @@ static int compat_filldir64(void * __buf
37509 buf->error = -EINVAL; /* only used if we fail.. */
37510 if (reclen > buf->count)
37513 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
37516 dirent = buf->previous;
37519 @@ -1054,6 +1071,7 @@ asmlinkage long compat_sys_getdents64(un
37520 buf.previous = NULL;
37525 error = vfs_readdir(file, compat_filldir64, &buf);
37527 @@ -1098,7 +1116,7 @@ static ssize_t compat_do_readv_writev(in
37528 * verify all the pointers
37531 - if ((nr_segs > UIO_MAXIOV) || (nr_segs <= 0))
37532 + if (nr_segs > UIO_MAXIOV)
37536 @@ -1463,6 +1481,11 @@ int compat_do_execve(char * filename,
37537 compat_uptr_t __user *envp,
37538 struct pt_regs * regs)
37540 +#ifdef CONFIG_GRKERNSEC
37541 + struct file *old_exec_file;
37542 + struct acl_subject_label *old_acl;
37543 + struct rlimit old_rlim[RLIM_NLIMITS];
37545 struct linux_binprm *bprm;
37547 struct files_struct *displaced;
37548 @@ -1499,6 +1522,19 @@ int compat_do_execve(char * filename,
37549 bprm->filename = filename;
37550 bprm->interp = filename;
37552 + if (gr_process_user_ban()) {
37557 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
37558 + retval = -EAGAIN;
37559 + if (gr_handle_nproc())
37561 + retval = -EACCES;
37562 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
37565 retval = bprm_mm_init(bprm);
37568 @@ -1528,9 +1564,40 @@ int compat_do_execve(char * filename,
37572 + if (!gr_tpe_allow(file)) {
37573 + retval = -EACCES;
37577 + if (gr_check_crash_exec(file)) {
37578 + retval = -EACCES;
37582 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
37584 + gr_handle_exec_args_compat(bprm, argv);
37586 +#ifdef CONFIG_GRKERNSEC
37587 + old_acl = current->acl;
37588 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
37589 + old_exec_file = current->exec_file;
37591 + current->exec_file = file;
37594 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
37595 + bprm->unsafe & LSM_UNSAFE_SHARE);
37599 retval = search_binary_handler(bprm, regs);
37603 +#ifdef CONFIG_GRKERNSEC
37604 + if (old_exec_file)
37605 + fput(old_exec_file);
37608 /* execve succeeded */
37609 current->fs->in_exec = 0;
37610 @@ -1541,6 +1608,14 @@ int compat_do_execve(char * filename,
37611 put_files_struct(displaced);
37615 +#ifdef CONFIG_GRKERNSEC
37616 + current->acl = old_acl;
37617 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
37618 + fput(current->exec_file);
37619 + current->exec_file = old_exec_file;
37624 acct_arg_size(bprm, 0);
37625 @@ -1711,6 +1786,8 @@ int compat_core_sys_select(int n, compat
37626 struct fdtable *fdt;
37627 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
37629 + pax_track_stack();
37634 diff -urNp linux-2.6.32.42/fs/compat_ioctl.c linux-2.6.32.42/fs/compat_ioctl.c
37635 --- linux-2.6.32.42/fs/compat_ioctl.c 2011-03-27 14:31:47.000000000 -0400
37636 +++ linux-2.6.32.42/fs/compat_ioctl.c 2011-04-23 12:56:11.000000000 -0400
37637 @@ -234,6 +234,8 @@ static int do_video_set_spu_palette(unsi
37638 up = (struct compat_video_spu_palette __user *) arg;
37639 err = get_user(palp, &up->palette);
37640 err |= get_user(length, &up->length);
37644 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
37645 err = put_user(compat_ptr(palp), &up_native->palette);
37646 diff -urNp linux-2.6.32.42/fs/configfs/dir.c linux-2.6.32.42/fs/configfs/dir.c
37647 --- linux-2.6.32.42/fs/configfs/dir.c 2011-03-27 14:31:47.000000000 -0400
37648 +++ linux-2.6.32.42/fs/configfs/dir.c 2011-05-11 18:25:15.000000000 -0400
37649 @@ -1572,7 +1572,8 @@ static int configfs_readdir(struct file
37651 for (p=q->next; p!= &parent_sd->s_children; p=p->next) {
37652 struct configfs_dirent *next;
37653 - const char * name;
37654 + const unsigned char * name;
37655 + char d_name[sizeof(next->s_dentry->d_iname)];
37658 next = list_entry(p, struct configfs_dirent,
37659 @@ -1581,7 +1582,12 @@ static int configfs_readdir(struct file
37662 name = configfs_get_name(next);
37663 - len = strlen(name);
37664 + if (next->s_dentry && name == next->s_dentry->d_iname) {
37665 + len = next->s_dentry->d_name.len;
37666 + memcpy(d_name, name, len);
37669 + len = strlen(name);
37670 if (next->s_dentry)
37671 ino = next->s_dentry->d_inode->i_ino;
37673 diff -urNp linux-2.6.32.42/fs/dcache.c linux-2.6.32.42/fs/dcache.c
37674 --- linux-2.6.32.42/fs/dcache.c 2011-03-27 14:31:47.000000000 -0400
37675 +++ linux-2.6.32.42/fs/dcache.c 2011-04-23 13:32:21.000000000 -0400
37676 @@ -45,8 +45,6 @@ EXPORT_SYMBOL(dcache_lock);
37678 static struct kmem_cache *dentry_cache __read_mostly;
37680 -#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
37683 * This is the single most critical data structure when it comes
37684 * to the dcache: the hashtable for lookups. Somebody should try
37685 @@ -2319,7 +2317,7 @@ void __init vfs_caches_init(unsigned lon
37686 mempages -= reserve;
37688 names_cachep = kmem_cache_create("names_cache", PATH_MAX, 0,
37689 - SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
37690 + SLAB_HWCACHE_ALIGN|SLAB_PANIC|SLAB_USERCOPY, NULL);
37694 diff -urNp linux-2.6.32.42/fs/dlm/lockspace.c linux-2.6.32.42/fs/dlm/lockspace.c
37695 --- linux-2.6.32.42/fs/dlm/lockspace.c 2011-03-27 14:31:47.000000000 -0400
37696 +++ linux-2.6.32.42/fs/dlm/lockspace.c 2011-04-17 15:56:46.000000000 -0400
37697 @@ -148,7 +148,7 @@ static void lockspace_kobj_release(struc
37701 -static struct sysfs_ops dlm_attr_ops = {
37702 +static const struct sysfs_ops dlm_attr_ops = {
37703 .show = dlm_attr_show,
37704 .store = dlm_attr_store,
37706 diff -urNp linux-2.6.32.42/fs/ecryptfs/inode.c linux-2.6.32.42/fs/ecryptfs/inode.c
37707 --- linux-2.6.32.42/fs/ecryptfs/inode.c 2011-03-27 14:31:47.000000000 -0400
37708 +++ linux-2.6.32.42/fs/ecryptfs/inode.c 2011-04-17 15:56:46.000000000 -0400
37709 @@ -660,7 +660,7 @@ static int ecryptfs_readlink_lower(struc
37712 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
37713 - (char __user *)lower_buf,
37714 + (__force char __user *)lower_buf,
37718 @@ -706,7 +706,7 @@ static void *ecryptfs_follow_link(struct
37722 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
37723 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
37727 diff -urNp linux-2.6.32.42/fs/exec.c linux-2.6.32.42/fs/exec.c
37728 --- linux-2.6.32.42/fs/exec.c 2011-06-25 12:55:34.000000000 -0400
37729 +++ linux-2.6.32.42/fs/exec.c 2011-06-25 12:56:37.000000000 -0400
37730 @@ -56,12 +56,24 @@
37731 #include <linux/fsnotify.h>
37732 #include <linux/fs_struct.h>
37733 #include <linux/pipe_fs_i.h>
37734 +#include <linux/random.h>
37735 +#include <linux/seq_file.h>
37737 +#ifdef CONFIG_PAX_REFCOUNT
37738 +#include <linux/kallsyms.h>
37739 +#include <linux/kdebug.h>
37742 #include <asm/uaccess.h>
37743 #include <asm/mmu_context.h>
37744 #include <asm/tlb.h>
37745 #include "internal.h"
37747 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
37748 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
37749 +EXPORT_SYMBOL(pax_set_initial_flags_func);
37753 char core_pattern[CORENAME_MAX_SIZE] = "core";
37754 unsigned int core_pipe_limit;
37755 @@ -115,7 +127,7 @@ SYSCALL_DEFINE1(uselib, const char __use
37758 file = do_filp_open(AT_FDCWD, tmp,
37759 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
37760 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
37761 MAY_READ | MAY_EXEC | MAY_OPEN);
37763 error = PTR_ERR(file);
37764 @@ -178,18 +190,10 @@ struct page *get_arg_page(struct linux_b
37770 -#ifdef CONFIG_STACK_GROWSUP
37772 - ret = expand_stack_downwards(bprm->vma, pos);
37777 - ret = get_user_pages(current, bprm->mm, pos,
37778 - 1, write, 1, &page, NULL);
37780 + if (0 > expand_stack_downwards(bprm->vma, pos))
37782 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
37786 @@ -263,6 +267,11 @@ static int __bprm_mm_init(struct linux_b
37787 vma->vm_end = STACK_TOP_MAX;
37788 vma->vm_start = vma->vm_end - PAGE_SIZE;
37789 vma->vm_flags = VM_STACK_FLAGS;
37791 +#ifdef CONFIG_PAX_SEGMEXEC
37792 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
37795 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
37797 err = security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1);
37798 @@ -276,6 +285,12 @@ static int __bprm_mm_init(struct linux_b
37799 mm->stack_vm = mm->total_vm = 1;
37800 up_write(&mm->mmap_sem);
37801 bprm->p = vma->vm_end - sizeof(void *);
37803 +#ifdef CONFIG_PAX_RANDUSTACK
37804 + if (randomize_va_space)
37805 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
37810 up_write(&mm->mmap_sem);
37811 @@ -510,7 +525,7 @@ int copy_strings_kernel(int argc,char **
37813 mm_segment_t oldfs = get_fs();
37815 - r = copy_strings(argc, (char __user * __user *)argv, bprm);
37816 + r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
37820 @@ -540,7 +555,8 @@ static int shift_arg_pages(struct vm_are
37821 unsigned long new_end = old_end - shift;
37822 struct mmu_gather *tlb;
37824 - BUG_ON(new_start > new_end);
37825 + if (new_start >= new_end || new_start < mmap_min_addr)
37829 * ensure there are no vmas between where we want to go
37830 @@ -549,6 +565,10 @@ static int shift_arg_pages(struct vm_are
37831 if (vma != find_vma(mm, new_start))
37834 +#ifdef CONFIG_PAX_SEGMEXEC
37835 + BUG_ON(pax_find_mirror_vma(vma));
37839 * cover the whole range: [new_start, old_end)
37841 @@ -630,10 +650,6 @@ int setup_arg_pages(struct linux_binprm
37842 stack_top = arch_align_stack(stack_top);
37843 stack_top = PAGE_ALIGN(stack_top);
37845 - if (unlikely(stack_top < mmap_min_addr) ||
37846 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
37849 stack_shift = vma->vm_end - stack_top;
37851 bprm->p -= stack_shift;
37852 @@ -645,6 +661,14 @@ int setup_arg_pages(struct linux_binprm
37853 bprm->exec -= stack_shift;
37855 down_write(&mm->mmap_sem);
37857 + /* Move stack pages down in memory. */
37858 + if (stack_shift) {
37859 + ret = shift_arg_pages(vma, stack_shift);
37864 vm_flags = VM_STACK_FLAGS;
37867 @@ -658,19 +682,24 @@ int setup_arg_pages(struct linux_binprm
37868 vm_flags &= ~VM_EXEC;
37869 vm_flags |= mm->def_flags;
37871 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
37872 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
37873 + vm_flags &= ~VM_EXEC;
37875 +#ifdef CONFIG_PAX_MPROTECT
37876 + if (mm->pax_flags & MF_PAX_MPROTECT)
37877 + vm_flags &= ~VM_MAYEXEC;
37883 ret = mprotect_fixup(vma, &prev, vma->vm_start, vma->vm_end,
37887 BUG_ON(prev != vma);
37889 - /* Move stack pages down in memory. */
37890 - if (stack_shift) {
37891 - ret = shift_arg_pages(vma, stack_shift);
37896 stack_expand = EXTRA_STACK_VM_PAGES * PAGE_SIZE;
37897 stack_size = vma->vm_end - vma->vm_start;
37899 @@ -707,7 +736,7 @@ struct file *open_exec(const char *name)
37902 file = do_filp_open(AT_FDCWD, name,
37903 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
37904 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
37905 MAY_EXEC | MAY_OPEN);
37908 @@ -744,7 +773,7 @@ int kernel_read(struct file *file, loff_
37911 /* The cast to a user pointer is valid due to the set_fs() */
37912 - result = vfs_read(file, (void __user *)addr, count, &pos);
37913 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
37917 @@ -1152,7 +1181,7 @@ int check_unsafe_exec(struct linux_binpr
37921 - if (p->fs->users > n_fs) {
37922 + if (atomic_read(&p->fs->users) > n_fs) {
37923 bprm->unsafe |= LSM_UNSAFE_SHARE;
37926 @@ -1347,6 +1376,11 @@ int do_execve(char * filename,
37927 char __user *__user *envp,
37928 struct pt_regs * regs)
37930 +#ifdef CONFIG_GRKERNSEC
37931 + struct file *old_exec_file;
37932 + struct acl_subject_label *old_acl;
37933 + struct rlimit old_rlim[RLIM_NLIMITS];
37935 struct linux_binprm *bprm;
37937 struct files_struct *displaced;
37938 @@ -1383,6 +1417,23 @@ int do_execve(char * filename,
37939 bprm->filename = filename;
37940 bprm->interp = filename;
37942 + if (gr_process_user_ban()) {
37947 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
37949 + if (gr_handle_nproc()) {
37950 + retval = -EAGAIN;
37954 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
37955 + retval = -EACCES;
37959 retval = bprm_mm_init(bprm);
37962 @@ -1412,10 +1463,41 @@ int do_execve(char * filename,
37966 + if (!gr_tpe_allow(file)) {
37967 + retval = -EACCES;
37971 + if (gr_check_crash_exec(file)) {
37972 + retval = -EACCES;
37976 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
37978 + gr_handle_exec_args(bprm, (const char __user *const __user *)argv);
37980 +#ifdef CONFIG_GRKERNSEC
37981 + old_acl = current->acl;
37982 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
37983 + old_exec_file = current->exec_file;
37985 + current->exec_file = file;
37988 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
37989 + bprm->unsafe & LSM_UNSAFE_SHARE);
37993 current->flags &= ~PF_KTHREAD;
37994 retval = search_binary_handler(bprm,regs);
37998 +#ifdef CONFIG_GRKERNSEC
37999 + if (old_exec_file)
38000 + fput(old_exec_file);
38003 /* execve succeeded */
38004 current->fs->in_exec = 0;
38005 @@ -1426,6 +1508,14 @@ int do_execve(char * filename,
38006 put_files_struct(displaced);
38010 +#ifdef CONFIG_GRKERNSEC
38011 + current->acl = old_acl;
38012 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
38013 + fput(current->exec_file);
38014 + current->exec_file = old_exec_file;
38019 acct_arg_size(bprm, 0);
38020 @@ -1591,6 +1681,220 @@ out:
38024 +int pax_check_flags(unsigned long *flags)
38028 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
38029 + if (*flags & MF_PAX_SEGMEXEC)
38031 + *flags &= ~MF_PAX_SEGMEXEC;
38032 + retval = -EINVAL;
38036 + if ((*flags & MF_PAX_PAGEEXEC)
38038 +#ifdef CONFIG_PAX_PAGEEXEC
38039 + && (*flags & MF_PAX_SEGMEXEC)
38044 + *flags &= ~MF_PAX_PAGEEXEC;
38045 + retval = -EINVAL;
38048 + if ((*flags & MF_PAX_MPROTECT)
38050 +#ifdef CONFIG_PAX_MPROTECT
38051 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
38056 + *flags &= ~MF_PAX_MPROTECT;
38057 + retval = -EINVAL;
38060 + if ((*flags & MF_PAX_EMUTRAMP)
38062 +#ifdef CONFIG_PAX_EMUTRAMP
38063 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
38068 + *flags &= ~MF_PAX_EMUTRAMP;
38069 + retval = -EINVAL;
38075 +EXPORT_SYMBOL(pax_check_flags);
38077 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
38078 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
38080 + struct task_struct *tsk = current;
38081 + struct mm_struct *mm = current->mm;
38082 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
38083 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
38084 + char *path_exec = NULL;
38085 + char *path_fault = NULL;
38086 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
38088 + if (buffer_exec && buffer_fault) {
38089 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
38091 + down_read(&mm->mmap_sem);
38093 + while (vma && (!vma_exec || !vma_fault)) {
38094 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
38096 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
38098 + vma = vma->vm_next;
38101 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
38102 + if (IS_ERR(path_exec))
38103 + path_exec = "<path too long>";
38105 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
38108 + path_exec = buffer_exec;
38110 + path_exec = "<path too long>";
38114 + start = vma_fault->vm_start;
38115 + end = vma_fault->vm_end;
38116 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
38117 + if (vma_fault->vm_file) {
38118 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
38119 + if (IS_ERR(path_fault))
38120 + path_fault = "<path too long>";
38122 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
38123 + if (path_fault) {
38125 + path_fault = buffer_fault;
38127 + path_fault = "<path too long>";
38130 + path_fault = "<anonymous mapping>";
38132 + up_read(&mm->mmap_sem);
38134 + if (tsk->signal->curr_ip)
38135 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
38137 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
38138 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
38139 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
38140 + task_uid(tsk), task_euid(tsk), pc, sp);
38141 + free_page((unsigned long)buffer_exec);
38142 + free_page((unsigned long)buffer_fault);
38143 + pax_report_insns(pc, sp);
38144 + do_coredump(SIGKILL, SIGKILL, regs);
38148 +#ifdef CONFIG_PAX_REFCOUNT
38149 +void pax_report_refcount_overflow(struct pt_regs *regs)
38151 + if (current->signal->curr_ip)
38152 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
38153 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
38155 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
38156 + current->comm, task_pid_nr(current), current_uid(), current_euid());
38157 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
38159 + force_sig_specific(SIGKILL, current);
38163 +#ifdef CONFIG_PAX_USERCOPY
38164 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
38165 +int object_is_on_stack(const void *obj, unsigned long len)
38167 + const void * const stack = task_stack_page(current);
38168 + const void * const stackend = stack + THREAD_SIZE;
38170 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
38171 + const void *frame = NULL;
38172 + const void *oldframe;
38175 + if (obj + len < obj)
38178 + if (obj + len <= stack || stackend <= obj)
38181 + if (obj < stack || stackend < obj + len)
38184 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
38185 + oldframe = __builtin_frame_address(1);
38187 + frame = __builtin_frame_address(2);
38189 + low ----------------------------------------------> high
38190 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
38191 + ^----------------^
38192 + allow copies only within here
38194 + while (stack <= frame && frame < stackend) {
38195 + /* if obj + len extends past the last frame, this
38196 + check won't pass and the next frame will be 0,
38197 + causing us to bail out and correctly report
38198 + the copy as invalid
38200 + if (obj + len <= frame)
38201 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
38202 + oldframe = frame;
38203 + frame = *(const void * const *)frame;
38212 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type)
38214 + if (current->signal->curr_ip)
38215 + printk(KERN_ERR "PAX: From %pI4: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
38216 + ¤t->signal->curr_ip, to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
38218 + printk(KERN_ERR "PAX: kernel memory %s attempt detected %s %p (%s) (%lu bytes)\n",
38219 + to ? "leak" : "overwrite", to ? "from" : "to", ptr, type ? : "unknown", len);
38222 + gr_handle_kernel_exploit();
38223 + do_group_exit(SIGKILL);
38227 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
38228 +void pax_track_stack(void)
38230 + unsigned long sp = (unsigned long)&sp;
38231 + if (sp < current_thread_info()->lowest_stack &&
38232 + sp > (unsigned long)task_stack_page(current))
38233 + current_thread_info()->lowest_stack = sp;
38235 +EXPORT_SYMBOL(pax_track_stack);
38238 static int zap_process(struct task_struct *start)
38240 struct task_struct *t;
38241 @@ -1793,17 +2097,17 @@ static void wait_for_dump_helpers(struct
38242 pipe = file->f_path.dentry->d_inode->i_pipe;
38247 + atomic_inc(&pipe->readers);
38248 + atomic_dec(&pipe->writers);
38250 - while ((pipe->readers > 1) && (!signal_pending(current))) {
38251 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
38252 wake_up_interruptible_sync(&pipe->wait);
38253 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
38259 + atomic_dec(&pipe->readers);
38260 + atomic_inc(&pipe->writers);
38264 @@ -1826,10 +2130,13 @@ void do_coredump(long signr, int exit_co
38265 char **helper_argv = NULL;
38266 int helper_argc = 0;
38267 int dump_count = 0;
38268 - static atomic_t core_dump_count = ATOMIC_INIT(0);
38269 + static atomic_unchecked_t core_dump_count = ATOMIC_INIT(0);
38271 audit_core_dumps(signr);
38273 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
38274 + gr_handle_brute_attach(current, mm->flags);
38276 binfmt = mm->binfmt;
38277 if (!binfmt || !binfmt->core_dump)
38279 @@ -1874,6 +2181,8 @@ void do_coredump(long signr, int exit_co
38281 clear_thread_flag(TIF_SIGPENDING);
38283 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
38286 * lock_kernel() because format_corename() is controlled by sysctl, which
38287 * uses lock_kernel()
38288 @@ -1908,7 +2217,7 @@ void do_coredump(long signr, int exit_co
38292 - dump_count = atomic_inc_return(&core_dump_count);
38293 + dump_count = atomic_inc_return_unchecked(&core_dump_count);
38294 if (core_pipe_limit && (core_pipe_limit < dump_count)) {
38295 printk(KERN_WARNING "Pid %d(%s) over core_pipe_limit\n",
38296 task_tgid_vnr(current), current->comm);
38297 @@ -1972,7 +2281,7 @@ close_fail:
38298 filp_close(file, NULL);
38301 - atomic_dec(&core_dump_count);
38302 + atomic_dec_unchecked(&core_dump_count);
38305 argv_free(helper_argv);
38306 diff -urNp linux-2.6.32.42/fs/ext2/balloc.c linux-2.6.32.42/fs/ext2/balloc.c
38307 --- linux-2.6.32.42/fs/ext2/balloc.c 2011-03-27 14:31:47.000000000 -0400
38308 +++ linux-2.6.32.42/fs/ext2/balloc.c 2011-04-17 15:56:46.000000000 -0400
38309 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
38311 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
38312 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
38313 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
38314 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
38315 sbi->s_resuid != current_fsuid() &&
38316 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
38318 diff -urNp linux-2.6.32.42/fs/ext3/balloc.c linux-2.6.32.42/fs/ext3/balloc.c
38319 --- linux-2.6.32.42/fs/ext3/balloc.c 2011-03-27 14:31:47.000000000 -0400
38320 +++ linux-2.6.32.42/fs/ext3/balloc.c 2011-04-17 15:56:46.000000000 -0400
38321 @@ -1421,7 +1421,7 @@ static int ext3_has_free_blocks(struct e
38323 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
38324 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
38325 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
38326 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
38327 sbi->s_resuid != current_fsuid() &&
38328 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
38330 diff -urNp linux-2.6.32.42/fs/ext4/balloc.c linux-2.6.32.42/fs/ext4/balloc.c
38331 --- linux-2.6.32.42/fs/ext4/balloc.c 2011-03-27 14:31:47.000000000 -0400
38332 +++ linux-2.6.32.42/fs/ext4/balloc.c 2011-04-17 15:56:46.000000000 -0400
38333 @@ -570,7 +570,7 @@ int ext4_has_free_blocks(struct ext4_sb_
38334 /* Hm, nope. Are (enough) root reserved blocks available? */
38335 if (sbi->s_resuid == current_fsuid() ||
38336 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
38337 - capable(CAP_SYS_RESOURCE)) {
38338 + capable_nolog(CAP_SYS_RESOURCE)) {
38339 if (free_blocks >= (nblocks + dirty_blocks))
38342 diff -urNp linux-2.6.32.42/fs/ext4/ext4.h linux-2.6.32.42/fs/ext4/ext4.h
38343 --- linux-2.6.32.42/fs/ext4/ext4.h 2011-03-27 14:31:47.000000000 -0400
38344 +++ linux-2.6.32.42/fs/ext4/ext4.h 2011-04-17 15:56:46.000000000 -0400
38345 @@ -1078,19 +1078,19 @@ struct ext4_sb_info {
38347 /* stats for buddy allocator */
38348 spinlock_t s_mb_pa_lock;
38349 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
38350 - atomic_t s_bal_success; /* we found long enough chunks */
38351 - atomic_t s_bal_allocated; /* in blocks */
38352 - atomic_t s_bal_ex_scanned; /* total extents scanned */
38353 - atomic_t s_bal_goals; /* goal hits */
38354 - atomic_t s_bal_breaks; /* too long searches */
38355 - atomic_t s_bal_2orders; /* 2^order hits */
38356 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
38357 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
38358 + atomic_unchecked_t s_bal_allocated; /* in blocks */
38359 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
38360 + atomic_unchecked_t s_bal_goals; /* goal hits */
38361 + atomic_unchecked_t s_bal_breaks; /* too long searches */
38362 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
38363 spinlock_t s_bal_lock;
38364 unsigned long s_mb_buddies_generated;
38365 unsigned long long s_mb_generation_time;
38366 - atomic_t s_mb_lost_chunks;
38367 - atomic_t s_mb_preallocated;
38368 - atomic_t s_mb_discarded;
38369 + atomic_unchecked_t s_mb_lost_chunks;
38370 + atomic_unchecked_t s_mb_preallocated;
38371 + atomic_unchecked_t s_mb_discarded;
38372 atomic_t s_lock_busy;
38374 /* locality groups */
38375 diff -urNp linux-2.6.32.42/fs/ext4/mballoc.c linux-2.6.32.42/fs/ext4/mballoc.c
38376 --- linux-2.6.32.42/fs/ext4/mballoc.c 2011-06-25 12:55:34.000000000 -0400
38377 +++ linux-2.6.32.42/fs/ext4/mballoc.c 2011-06-25 12:56:37.000000000 -0400
38378 @@ -1755,7 +1755,7 @@ void ext4_mb_simple_scan_group(struct ex
38379 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
38381 if (EXT4_SB(sb)->s_mb_stats)
38382 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
38383 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
38387 @@ -2131,7 +2131,7 @@ repeat:
38388 ac->ac_status = AC_STATUS_CONTINUE;
38389 ac->ac_flags |= EXT4_MB_HINT_FIRST;
38391 - atomic_inc(&sbi->s_mb_lost_chunks);
38392 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
38396 @@ -2174,6 +2174,8 @@ static int ext4_mb_seq_groups_show(struc
38397 ext4_grpblk_t counters[16];
38400 + pax_track_stack();
38404 seq_printf(seq, "#%-5s: %-5s %-5s %-5s "
38405 @@ -2534,25 +2536,25 @@ int ext4_mb_release(struct super_block *
38406 if (sbi->s_mb_stats) {
38408 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
38409 - atomic_read(&sbi->s_bal_allocated),
38410 - atomic_read(&sbi->s_bal_reqs),
38411 - atomic_read(&sbi->s_bal_success));
38412 + atomic_read_unchecked(&sbi->s_bal_allocated),
38413 + atomic_read_unchecked(&sbi->s_bal_reqs),
38414 + atomic_read_unchecked(&sbi->s_bal_success));
38416 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
38417 "%u 2^N hits, %u breaks, %u lost\n",
38418 - atomic_read(&sbi->s_bal_ex_scanned),
38419 - atomic_read(&sbi->s_bal_goals),
38420 - atomic_read(&sbi->s_bal_2orders),
38421 - atomic_read(&sbi->s_bal_breaks),
38422 - atomic_read(&sbi->s_mb_lost_chunks));
38423 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
38424 + atomic_read_unchecked(&sbi->s_bal_goals),
38425 + atomic_read_unchecked(&sbi->s_bal_2orders),
38426 + atomic_read_unchecked(&sbi->s_bal_breaks),
38427 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
38429 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
38430 sbi->s_mb_buddies_generated++,
38431 sbi->s_mb_generation_time);
38433 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
38434 - atomic_read(&sbi->s_mb_preallocated),
38435 - atomic_read(&sbi->s_mb_discarded));
38436 + atomic_read_unchecked(&sbi->s_mb_preallocated),
38437 + atomic_read_unchecked(&sbi->s_mb_discarded));
38440 free_percpu(sbi->s_locality_groups);
38441 @@ -3034,16 +3036,16 @@ static void ext4_mb_collect_stats(struct
38442 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
38444 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
38445 - atomic_inc(&sbi->s_bal_reqs);
38446 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
38447 + atomic_inc_unchecked(&sbi->s_bal_reqs);
38448 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
38449 if (ac->ac_o_ex.fe_len >= ac->ac_g_ex.fe_len)
38450 - atomic_inc(&sbi->s_bal_success);
38451 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
38452 + atomic_inc_unchecked(&sbi->s_bal_success);
38453 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
38454 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
38455 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
38456 - atomic_inc(&sbi->s_bal_goals);
38457 + atomic_inc_unchecked(&sbi->s_bal_goals);
38458 if (ac->ac_found > sbi->s_mb_max_to_scan)
38459 - atomic_inc(&sbi->s_bal_breaks);
38460 + atomic_inc_unchecked(&sbi->s_bal_breaks);
38463 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
38464 @@ -3443,7 +3445,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
38465 trace_ext4_mb_new_inode_pa(ac, pa);
38467 ext4_mb_use_inode_pa(ac, pa);
38468 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
38469 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
38471 ei = EXT4_I(ac->ac_inode);
38472 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
38473 @@ -3503,7 +3505,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
38474 trace_ext4_mb_new_group_pa(ac, pa);
38476 ext4_mb_use_group_pa(ac, pa);
38477 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
38478 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
38480 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
38482 @@ -3607,7 +3609,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
38483 * from the bitmap and continue.
38486 - atomic_add(free, &sbi->s_mb_discarded);
38487 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
38491 @@ -3626,7 +3628,7 @@ ext4_mb_release_group_pa(struct ext4_bud
38492 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
38493 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
38494 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
38495 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
38496 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
38500 diff -urNp linux-2.6.32.42/fs/ext4/super.c linux-2.6.32.42/fs/ext4/super.c
38501 --- linux-2.6.32.42/fs/ext4/super.c 2011-03-27 14:31:47.000000000 -0400
38502 +++ linux-2.6.32.42/fs/ext4/super.c 2011-04-17 15:56:46.000000000 -0400
38503 @@ -2287,7 +2287,7 @@ static void ext4_sb_release(struct kobje
38507 -static struct sysfs_ops ext4_attr_ops = {
38508 +static const struct sysfs_ops ext4_attr_ops = {
38509 .show = ext4_attr_show,
38510 .store = ext4_attr_store,
38512 diff -urNp linux-2.6.32.42/fs/fcntl.c linux-2.6.32.42/fs/fcntl.c
38513 --- linux-2.6.32.42/fs/fcntl.c 2011-03-27 14:31:47.000000000 -0400
38514 +++ linux-2.6.32.42/fs/fcntl.c 2011-04-17 15:56:46.000000000 -0400
38515 @@ -223,6 +223,11 @@ int __f_setown(struct file *filp, struct
38519 + if (gr_handle_chroot_fowner(pid, type))
38521 + if (gr_check_protected_task_fowner(pid, type))
38524 f_modown(filp, pid, type, force);
38527 @@ -344,6 +349,7 @@ static long do_fcntl(int fd, unsigned in
38530 case F_DUPFD_CLOEXEC:
38531 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
38532 if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
38534 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
38535 diff -urNp linux-2.6.32.42/fs/fifo.c linux-2.6.32.42/fs/fifo.c
38536 --- linux-2.6.32.42/fs/fifo.c 2011-03-27 14:31:47.000000000 -0400
38537 +++ linux-2.6.32.42/fs/fifo.c 2011-04-17 15:56:46.000000000 -0400
38538 @@ -59,10 +59,10 @@ static int fifo_open(struct inode *inode
38540 filp->f_op = &read_pipefifo_fops;
38542 - if (pipe->readers++ == 0)
38543 + if (atomic_inc_return(&pipe->readers) == 1)
38544 wake_up_partner(inode);
38546 - if (!pipe->writers) {
38547 + if (!atomic_read(&pipe->writers)) {
38548 if ((filp->f_flags & O_NONBLOCK)) {
38549 /* suppress POLLHUP until we have
38551 @@ -83,15 +83,15 @@ static int fifo_open(struct inode *inode
38552 * errno=ENXIO when there is no process reading the FIFO.
38555 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
38556 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
38559 filp->f_op = &write_pipefifo_fops;
38561 - if (!pipe->writers++)
38562 + if (atomic_inc_return(&pipe->writers) == 1)
38563 wake_up_partner(inode);
38565 - if (!pipe->readers) {
38566 + if (!atomic_read(&pipe->readers)) {
38567 wait_for_partner(inode, &pipe->r_counter);
38568 if (signal_pending(current))
38570 @@ -107,11 +107,11 @@ static int fifo_open(struct inode *inode
38572 filp->f_op = &rdwr_pipefifo_fops;
38576 + atomic_inc(&pipe->readers);
38577 + atomic_inc(&pipe->writers);
38580 - if (pipe->readers == 1 || pipe->writers == 1)
38581 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
38582 wake_up_partner(inode);
38585 @@ -125,19 +125,19 @@ static int fifo_open(struct inode *inode
38589 - if (!--pipe->readers)
38590 + if (atomic_dec_and_test(&pipe->readers))
38591 wake_up_interruptible(&pipe->wait);
38592 ret = -ERESTARTSYS;
38596 - if (!--pipe->writers)
38597 + if (atomic_dec_and_test(&pipe->writers))
38598 wake_up_interruptible(&pipe->wait);
38599 ret = -ERESTARTSYS;
38603 - if (!pipe->readers && !pipe->writers)
38604 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
38605 free_pipe_info(inode);
38608 diff -urNp linux-2.6.32.42/fs/file.c linux-2.6.32.42/fs/file.c
38609 --- linux-2.6.32.42/fs/file.c 2011-03-27 14:31:47.000000000 -0400
38610 +++ linux-2.6.32.42/fs/file.c 2011-04-17 15:56:46.000000000 -0400
38612 #include <linux/slab.h>
38613 #include <linux/vmalloc.h>
38614 #include <linux/file.h>
38615 +#include <linux/security.h>
38616 #include <linux/fdtable.h>
38617 #include <linux/bitops.h>
38618 #include <linux/interrupt.h>
38619 @@ -257,6 +258,8 @@ int expand_files(struct files_struct *fi
38620 * N.B. For clone tasks sharing a files structure, this test
38621 * will limit the total number of files that can be opened.
38624 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
38625 if (nr >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
38628 diff -urNp linux-2.6.32.42/fs/filesystems.c linux-2.6.32.42/fs/filesystems.c
38629 --- linux-2.6.32.42/fs/filesystems.c 2011-03-27 14:31:47.000000000 -0400
38630 +++ linux-2.6.32.42/fs/filesystems.c 2011-04-17 15:56:46.000000000 -0400
38631 @@ -272,7 +272,12 @@ struct file_system_type *get_fs_type(con
38632 int len = dot ? dot - name : strlen(name);
38634 fs = __get_fs_type(name, len);
38636 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
38637 + if (!fs && (___request_module(true, "grsec_modharden_fs", "%.*s", len, name) == 0))
38639 if (!fs && (request_module("%.*s", len, name) == 0))
38641 fs = __get_fs_type(name, len);
38643 if (dot && fs && !(fs->fs_flags & FS_HAS_SUBTYPE)) {
38644 diff -urNp linux-2.6.32.42/fs/fscache/cookie.c linux-2.6.32.42/fs/fscache/cookie.c
38645 --- linux-2.6.32.42/fs/fscache/cookie.c 2011-03-27 14:31:47.000000000 -0400
38646 +++ linux-2.6.32.42/fs/fscache/cookie.c 2011-05-04 17:56:28.000000000 -0400
38647 @@ -68,11 +68,11 @@ struct fscache_cookie *__fscache_acquire
38648 parent ? (char *) parent->def->name : "<no-parent>",
38649 def->name, netfs_data);
38651 - fscache_stat(&fscache_n_acquires);
38652 + fscache_stat_unchecked(&fscache_n_acquires);
38654 /* if there's no parent cookie, then we don't create one here either */
38656 - fscache_stat(&fscache_n_acquires_null);
38657 + fscache_stat_unchecked(&fscache_n_acquires_null);
38658 _leave(" [no parent]");
38661 @@ -87,7 +87,7 @@ struct fscache_cookie *__fscache_acquire
38662 /* allocate and initialise a cookie */
38663 cookie = kmem_cache_alloc(fscache_cookie_jar, GFP_KERNEL);
38665 - fscache_stat(&fscache_n_acquires_oom);
38666 + fscache_stat_unchecked(&fscache_n_acquires_oom);
38667 _leave(" [ENOMEM]");
38670 @@ -109,13 +109,13 @@ struct fscache_cookie *__fscache_acquire
38672 switch (cookie->def->type) {
38673 case FSCACHE_COOKIE_TYPE_INDEX:
38674 - fscache_stat(&fscache_n_cookie_index);
38675 + fscache_stat_unchecked(&fscache_n_cookie_index);
38677 case FSCACHE_COOKIE_TYPE_DATAFILE:
38678 - fscache_stat(&fscache_n_cookie_data);
38679 + fscache_stat_unchecked(&fscache_n_cookie_data);
38682 - fscache_stat(&fscache_n_cookie_special);
38683 + fscache_stat_unchecked(&fscache_n_cookie_special);
38687 @@ -126,13 +126,13 @@ struct fscache_cookie *__fscache_acquire
38688 if (fscache_acquire_non_index_cookie(cookie) < 0) {
38689 atomic_dec(&parent->n_children);
38690 __fscache_cookie_put(cookie);
38691 - fscache_stat(&fscache_n_acquires_nobufs);
38692 + fscache_stat_unchecked(&fscache_n_acquires_nobufs);
38698 - fscache_stat(&fscache_n_acquires_ok);
38699 + fscache_stat_unchecked(&fscache_n_acquires_ok);
38700 _leave(" = %p", cookie);
38703 @@ -168,7 +168,7 @@ static int fscache_acquire_non_index_coo
38704 cache = fscache_select_cache_for_object(cookie->parent);
38706 up_read(&fscache_addremove_sem);
38707 - fscache_stat(&fscache_n_acquires_no_cache);
38708 + fscache_stat_unchecked(&fscache_n_acquires_no_cache);
38709 _leave(" = -ENOMEDIUM [no cache]");
38712 @@ -256,12 +256,12 @@ static int fscache_alloc_object(struct f
38713 object = cache->ops->alloc_object(cache, cookie);
38714 fscache_stat_d(&fscache_n_cop_alloc_object);
38715 if (IS_ERR(object)) {
38716 - fscache_stat(&fscache_n_object_no_alloc);
38717 + fscache_stat_unchecked(&fscache_n_object_no_alloc);
38718 ret = PTR_ERR(object);
38722 - fscache_stat(&fscache_n_object_alloc);
38723 + fscache_stat_unchecked(&fscache_n_object_alloc);
38725 object->debug_id = atomic_inc_return(&fscache_object_debug_id);
38727 @@ -377,10 +377,10 @@ void __fscache_update_cookie(struct fsca
38728 struct fscache_object *object;
38729 struct hlist_node *_p;
38731 - fscache_stat(&fscache_n_updates);
38732 + fscache_stat_unchecked(&fscache_n_updates);
38735 - fscache_stat(&fscache_n_updates_null);
38736 + fscache_stat_unchecked(&fscache_n_updates_null);
38737 _leave(" [no cookie]");
38740 @@ -414,12 +414,12 @@ void __fscache_relinquish_cookie(struct
38741 struct fscache_object *object;
38742 unsigned long event;
38744 - fscache_stat(&fscache_n_relinquishes);
38745 + fscache_stat_unchecked(&fscache_n_relinquishes);
38747 - fscache_stat(&fscache_n_relinquishes_retire);
38748 + fscache_stat_unchecked(&fscache_n_relinquishes_retire);
38751 - fscache_stat(&fscache_n_relinquishes_null);
38752 + fscache_stat_unchecked(&fscache_n_relinquishes_null);
38753 _leave(" [no cookie]");
38756 @@ -435,7 +435,7 @@ void __fscache_relinquish_cookie(struct
38758 /* wait for the cookie to finish being instantiated (or to fail) */
38759 if (test_bit(FSCACHE_COOKIE_CREATING, &cookie->flags)) {
38760 - fscache_stat(&fscache_n_relinquishes_waitcrt);
38761 + fscache_stat_unchecked(&fscache_n_relinquishes_waitcrt);
38762 wait_on_bit(&cookie->flags, FSCACHE_COOKIE_CREATING,
38763 fscache_wait_bit, TASK_UNINTERRUPTIBLE);
38765 diff -urNp linux-2.6.32.42/fs/fscache/internal.h linux-2.6.32.42/fs/fscache/internal.h
38766 --- linux-2.6.32.42/fs/fscache/internal.h 2011-03-27 14:31:47.000000000 -0400
38767 +++ linux-2.6.32.42/fs/fscache/internal.h 2011-05-04 17:56:28.000000000 -0400
38768 @@ -136,94 +136,94 @@ extern void fscache_proc_cleanup(void);
38769 extern atomic_t fscache_n_ops_processed[FSCACHE_MAX_THREADS];
38770 extern atomic_t fscache_n_objs_processed[FSCACHE_MAX_THREADS];
38772 -extern atomic_t fscache_n_op_pend;
38773 -extern atomic_t fscache_n_op_run;
38774 -extern atomic_t fscache_n_op_enqueue;
38775 -extern atomic_t fscache_n_op_deferred_release;
38776 -extern atomic_t fscache_n_op_release;
38777 -extern atomic_t fscache_n_op_gc;
38778 -extern atomic_t fscache_n_op_cancelled;
38779 -extern atomic_t fscache_n_op_rejected;
38781 -extern atomic_t fscache_n_attr_changed;
38782 -extern atomic_t fscache_n_attr_changed_ok;
38783 -extern atomic_t fscache_n_attr_changed_nobufs;
38784 -extern atomic_t fscache_n_attr_changed_nomem;
38785 -extern atomic_t fscache_n_attr_changed_calls;
38787 -extern atomic_t fscache_n_allocs;
38788 -extern atomic_t fscache_n_allocs_ok;
38789 -extern atomic_t fscache_n_allocs_wait;
38790 -extern atomic_t fscache_n_allocs_nobufs;
38791 -extern atomic_t fscache_n_allocs_intr;
38792 -extern atomic_t fscache_n_allocs_object_dead;
38793 -extern atomic_t fscache_n_alloc_ops;
38794 -extern atomic_t fscache_n_alloc_op_waits;
38796 -extern atomic_t fscache_n_retrievals;
38797 -extern atomic_t fscache_n_retrievals_ok;
38798 -extern atomic_t fscache_n_retrievals_wait;
38799 -extern atomic_t fscache_n_retrievals_nodata;
38800 -extern atomic_t fscache_n_retrievals_nobufs;
38801 -extern atomic_t fscache_n_retrievals_intr;
38802 -extern atomic_t fscache_n_retrievals_nomem;
38803 -extern atomic_t fscache_n_retrievals_object_dead;
38804 -extern atomic_t fscache_n_retrieval_ops;
38805 -extern atomic_t fscache_n_retrieval_op_waits;
38807 -extern atomic_t fscache_n_stores;
38808 -extern atomic_t fscache_n_stores_ok;
38809 -extern atomic_t fscache_n_stores_again;
38810 -extern atomic_t fscache_n_stores_nobufs;
38811 -extern atomic_t fscache_n_stores_oom;
38812 -extern atomic_t fscache_n_store_ops;
38813 -extern atomic_t fscache_n_store_calls;
38814 -extern atomic_t fscache_n_store_pages;
38815 -extern atomic_t fscache_n_store_radix_deletes;
38816 -extern atomic_t fscache_n_store_pages_over_limit;
38818 -extern atomic_t fscache_n_store_vmscan_not_storing;
38819 -extern atomic_t fscache_n_store_vmscan_gone;
38820 -extern atomic_t fscache_n_store_vmscan_busy;
38821 -extern atomic_t fscache_n_store_vmscan_cancelled;
38823 -extern atomic_t fscache_n_marks;
38824 -extern atomic_t fscache_n_uncaches;
38826 -extern atomic_t fscache_n_acquires;
38827 -extern atomic_t fscache_n_acquires_null;
38828 -extern atomic_t fscache_n_acquires_no_cache;
38829 -extern atomic_t fscache_n_acquires_ok;
38830 -extern atomic_t fscache_n_acquires_nobufs;
38831 -extern atomic_t fscache_n_acquires_oom;
38833 -extern atomic_t fscache_n_updates;
38834 -extern atomic_t fscache_n_updates_null;
38835 -extern atomic_t fscache_n_updates_run;
38837 -extern atomic_t fscache_n_relinquishes;
38838 -extern atomic_t fscache_n_relinquishes_null;
38839 -extern atomic_t fscache_n_relinquishes_waitcrt;
38840 -extern atomic_t fscache_n_relinquishes_retire;
38842 -extern atomic_t fscache_n_cookie_index;
38843 -extern atomic_t fscache_n_cookie_data;
38844 -extern atomic_t fscache_n_cookie_special;
38846 -extern atomic_t fscache_n_object_alloc;
38847 -extern atomic_t fscache_n_object_no_alloc;
38848 -extern atomic_t fscache_n_object_lookups;
38849 -extern atomic_t fscache_n_object_lookups_negative;
38850 -extern atomic_t fscache_n_object_lookups_positive;
38851 -extern atomic_t fscache_n_object_lookups_timed_out;
38852 -extern atomic_t fscache_n_object_created;
38853 -extern atomic_t fscache_n_object_avail;
38854 -extern atomic_t fscache_n_object_dead;
38856 -extern atomic_t fscache_n_checkaux_none;
38857 -extern atomic_t fscache_n_checkaux_okay;
38858 -extern atomic_t fscache_n_checkaux_update;
38859 -extern atomic_t fscache_n_checkaux_obsolete;
38860 +extern atomic_unchecked_t fscache_n_op_pend;
38861 +extern atomic_unchecked_t fscache_n_op_run;
38862 +extern atomic_unchecked_t fscache_n_op_enqueue;
38863 +extern atomic_unchecked_t fscache_n_op_deferred_release;
38864 +extern atomic_unchecked_t fscache_n_op_release;
38865 +extern atomic_unchecked_t fscache_n_op_gc;
38866 +extern atomic_unchecked_t fscache_n_op_cancelled;
38867 +extern atomic_unchecked_t fscache_n_op_rejected;
38869 +extern atomic_unchecked_t fscache_n_attr_changed;
38870 +extern atomic_unchecked_t fscache_n_attr_changed_ok;
38871 +extern atomic_unchecked_t fscache_n_attr_changed_nobufs;
38872 +extern atomic_unchecked_t fscache_n_attr_changed_nomem;
38873 +extern atomic_unchecked_t fscache_n_attr_changed_calls;
38875 +extern atomic_unchecked_t fscache_n_allocs;
38876 +extern atomic_unchecked_t fscache_n_allocs_ok;
38877 +extern atomic_unchecked_t fscache_n_allocs_wait;
38878 +extern atomic_unchecked_t fscache_n_allocs_nobufs;
38879 +extern atomic_unchecked_t fscache_n_allocs_intr;
38880 +extern atomic_unchecked_t fscache_n_allocs_object_dead;
38881 +extern atomic_unchecked_t fscache_n_alloc_ops;
38882 +extern atomic_unchecked_t fscache_n_alloc_op_waits;
38884 +extern atomic_unchecked_t fscache_n_retrievals;
38885 +extern atomic_unchecked_t fscache_n_retrievals_ok;
38886 +extern atomic_unchecked_t fscache_n_retrievals_wait;
38887 +extern atomic_unchecked_t fscache_n_retrievals_nodata;
38888 +extern atomic_unchecked_t fscache_n_retrievals_nobufs;
38889 +extern atomic_unchecked_t fscache_n_retrievals_intr;
38890 +extern atomic_unchecked_t fscache_n_retrievals_nomem;
38891 +extern atomic_unchecked_t fscache_n_retrievals_object_dead;
38892 +extern atomic_unchecked_t fscache_n_retrieval_ops;
38893 +extern atomic_unchecked_t fscache_n_retrieval_op_waits;
38895 +extern atomic_unchecked_t fscache_n_stores;
38896 +extern atomic_unchecked_t fscache_n_stores_ok;
38897 +extern atomic_unchecked_t fscache_n_stores_again;
38898 +extern atomic_unchecked_t fscache_n_stores_nobufs;
38899 +extern atomic_unchecked_t fscache_n_stores_oom;
38900 +extern atomic_unchecked_t fscache_n_store_ops;
38901 +extern atomic_unchecked_t fscache_n_store_calls;
38902 +extern atomic_unchecked_t fscache_n_store_pages;
38903 +extern atomic_unchecked_t fscache_n_store_radix_deletes;
38904 +extern atomic_unchecked_t fscache_n_store_pages_over_limit;
38906 +extern atomic_unchecked_t fscache_n_store_vmscan_not_storing;
38907 +extern atomic_unchecked_t fscache_n_store_vmscan_gone;
38908 +extern atomic_unchecked_t fscache_n_store_vmscan_busy;
38909 +extern atomic_unchecked_t fscache_n_store_vmscan_cancelled;
38911 +extern atomic_unchecked_t fscache_n_marks;
38912 +extern atomic_unchecked_t fscache_n_uncaches;
38914 +extern atomic_unchecked_t fscache_n_acquires;
38915 +extern atomic_unchecked_t fscache_n_acquires_null;
38916 +extern atomic_unchecked_t fscache_n_acquires_no_cache;
38917 +extern atomic_unchecked_t fscache_n_acquires_ok;
38918 +extern atomic_unchecked_t fscache_n_acquires_nobufs;
38919 +extern atomic_unchecked_t fscache_n_acquires_oom;
38921 +extern atomic_unchecked_t fscache_n_updates;
38922 +extern atomic_unchecked_t fscache_n_updates_null;
38923 +extern atomic_unchecked_t fscache_n_updates_run;
38925 +extern atomic_unchecked_t fscache_n_relinquishes;
38926 +extern atomic_unchecked_t fscache_n_relinquishes_null;
38927 +extern atomic_unchecked_t fscache_n_relinquishes_waitcrt;
38928 +extern atomic_unchecked_t fscache_n_relinquishes_retire;
38930 +extern atomic_unchecked_t fscache_n_cookie_index;
38931 +extern atomic_unchecked_t fscache_n_cookie_data;
38932 +extern atomic_unchecked_t fscache_n_cookie_special;
38934 +extern atomic_unchecked_t fscache_n_object_alloc;
38935 +extern atomic_unchecked_t fscache_n_object_no_alloc;
38936 +extern atomic_unchecked_t fscache_n_object_lookups;
38937 +extern atomic_unchecked_t fscache_n_object_lookups_negative;
38938 +extern atomic_unchecked_t fscache_n_object_lookups_positive;
38939 +extern atomic_unchecked_t fscache_n_object_lookups_timed_out;
38940 +extern atomic_unchecked_t fscache_n_object_created;
38941 +extern atomic_unchecked_t fscache_n_object_avail;
38942 +extern atomic_unchecked_t fscache_n_object_dead;
38944 +extern atomic_unchecked_t fscache_n_checkaux_none;
38945 +extern atomic_unchecked_t fscache_n_checkaux_okay;
38946 +extern atomic_unchecked_t fscache_n_checkaux_update;
38947 +extern atomic_unchecked_t fscache_n_checkaux_obsolete;
38949 extern atomic_t fscache_n_cop_alloc_object;
38950 extern atomic_t fscache_n_cop_lookup_object;
38951 @@ -247,6 +247,11 @@ static inline void fscache_stat(atomic_t
38955 +static inline void fscache_stat_unchecked(atomic_unchecked_t *stat)
38957 + atomic_inc_unchecked(stat);
38960 static inline void fscache_stat_d(atomic_t *stat)
38963 @@ -259,6 +264,7 @@ extern const struct file_operations fsca
38965 #define __fscache_stat(stat) (NULL)
38966 #define fscache_stat(stat) do {} while (0)
38967 +#define fscache_stat_unchecked(stat) do {} while (0)
38968 #define fscache_stat_d(stat) do {} while (0)
38971 diff -urNp linux-2.6.32.42/fs/fscache/object.c linux-2.6.32.42/fs/fscache/object.c
38972 --- linux-2.6.32.42/fs/fscache/object.c 2011-03-27 14:31:47.000000000 -0400
38973 +++ linux-2.6.32.42/fs/fscache/object.c 2011-05-04 17:56:28.000000000 -0400
38974 @@ -144,7 +144,7 @@ static void fscache_object_state_machine
38975 /* update the object metadata on disk */
38976 case FSCACHE_OBJECT_UPDATING:
38977 clear_bit(FSCACHE_OBJECT_EV_UPDATE, &object->events);
38978 - fscache_stat(&fscache_n_updates_run);
38979 + fscache_stat_unchecked(&fscache_n_updates_run);
38980 fscache_stat(&fscache_n_cop_update_object);
38981 object->cache->ops->update_object(object);
38982 fscache_stat_d(&fscache_n_cop_update_object);
38983 @@ -233,7 +233,7 @@ static void fscache_object_state_machine
38984 spin_lock(&object->lock);
38985 object->state = FSCACHE_OBJECT_DEAD;
38986 spin_unlock(&object->lock);
38987 - fscache_stat(&fscache_n_object_dead);
38988 + fscache_stat_unchecked(&fscache_n_object_dead);
38989 goto terminal_transit;
38991 /* handle the parent cache of this object being withdrawn from
38992 @@ -248,7 +248,7 @@ static void fscache_object_state_machine
38993 spin_lock(&object->lock);
38994 object->state = FSCACHE_OBJECT_DEAD;
38995 spin_unlock(&object->lock);
38996 - fscache_stat(&fscache_n_object_dead);
38997 + fscache_stat_unchecked(&fscache_n_object_dead);
38998 goto terminal_transit;
39000 /* complain about the object being woken up once it is
39001 @@ -492,7 +492,7 @@ static void fscache_lookup_object(struct
39002 parent->cookie->def->name, cookie->def->name,
39003 object->cache->tag->name);
39005 - fscache_stat(&fscache_n_object_lookups);
39006 + fscache_stat_unchecked(&fscache_n_object_lookups);
39007 fscache_stat(&fscache_n_cop_lookup_object);
39008 ret = object->cache->ops->lookup_object(object);
39009 fscache_stat_d(&fscache_n_cop_lookup_object);
39010 @@ -503,7 +503,7 @@ static void fscache_lookup_object(struct
39011 if (ret == -ETIMEDOUT) {
39012 /* probably stuck behind another object, so move this one to
39013 * the back of the queue */
39014 - fscache_stat(&fscache_n_object_lookups_timed_out);
39015 + fscache_stat_unchecked(&fscache_n_object_lookups_timed_out);
39016 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
39019 @@ -526,7 +526,7 @@ void fscache_object_lookup_negative(stru
39021 spin_lock(&object->lock);
39022 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
39023 - fscache_stat(&fscache_n_object_lookups_negative);
39024 + fscache_stat_unchecked(&fscache_n_object_lookups_negative);
39026 /* transit here to allow write requests to begin stacking up
39027 * and read requests to begin returning ENODATA */
39028 @@ -572,7 +572,7 @@ void fscache_obtained_object(struct fsca
39029 * result, in which case there may be data available */
39030 spin_lock(&object->lock);
39031 if (object->state == FSCACHE_OBJECT_LOOKING_UP) {
39032 - fscache_stat(&fscache_n_object_lookups_positive);
39033 + fscache_stat_unchecked(&fscache_n_object_lookups_positive);
39035 clear_bit(FSCACHE_COOKIE_NO_DATA_YET, &cookie->flags);
39037 @@ -586,7 +586,7 @@ void fscache_obtained_object(struct fsca
39038 set_bit(FSCACHE_OBJECT_EV_REQUEUE, &object->events);
39040 ASSERTCMP(object->state, ==, FSCACHE_OBJECT_CREATING);
39041 - fscache_stat(&fscache_n_object_created);
39042 + fscache_stat_unchecked(&fscache_n_object_created);
39044 object->state = FSCACHE_OBJECT_AVAILABLE;
39045 spin_unlock(&object->lock);
39046 @@ -633,7 +633,7 @@ static void fscache_object_available(str
39047 fscache_enqueue_dependents(object);
39049 fscache_hist(fscache_obj_instantiate_histogram, object->lookup_jif);
39050 - fscache_stat(&fscache_n_object_avail);
39051 + fscache_stat_unchecked(&fscache_n_object_avail);
39055 @@ -861,7 +861,7 @@ enum fscache_checkaux fscache_check_aux(
39056 enum fscache_checkaux result;
39058 if (!object->cookie->def->check_aux) {
39059 - fscache_stat(&fscache_n_checkaux_none);
39060 + fscache_stat_unchecked(&fscache_n_checkaux_none);
39061 return FSCACHE_CHECKAUX_OKAY;
39064 @@ -870,17 +870,17 @@ enum fscache_checkaux fscache_check_aux(
39066 /* entry okay as is */
39067 case FSCACHE_CHECKAUX_OKAY:
39068 - fscache_stat(&fscache_n_checkaux_okay);
39069 + fscache_stat_unchecked(&fscache_n_checkaux_okay);
39072 /* entry requires update */
39073 case FSCACHE_CHECKAUX_NEEDS_UPDATE:
39074 - fscache_stat(&fscache_n_checkaux_update);
39075 + fscache_stat_unchecked(&fscache_n_checkaux_update);
39078 /* entry requires deletion */
39079 case FSCACHE_CHECKAUX_OBSOLETE:
39080 - fscache_stat(&fscache_n_checkaux_obsolete);
39081 + fscache_stat_unchecked(&fscache_n_checkaux_obsolete);
39085 diff -urNp linux-2.6.32.42/fs/fscache/operation.c linux-2.6.32.42/fs/fscache/operation.c
39086 --- linux-2.6.32.42/fs/fscache/operation.c 2011-03-27 14:31:47.000000000 -0400
39087 +++ linux-2.6.32.42/fs/fscache/operation.c 2011-05-04 17:56:28.000000000 -0400
39089 #include <linux/seq_file.h>
39090 #include "internal.h"
39092 -atomic_t fscache_op_debug_id;
39093 +atomic_unchecked_t fscache_op_debug_id;
39094 EXPORT_SYMBOL(fscache_op_debug_id);
39097 @@ -39,7 +39,7 @@ void fscache_enqueue_operation(struct fs
39098 ASSERTCMP(op->object->state, >=, FSCACHE_OBJECT_AVAILABLE);
39099 ASSERTCMP(atomic_read(&op->usage), >, 0);
39101 - fscache_stat(&fscache_n_op_enqueue);
39102 + fscache_stat_unchecked(&fscache_n_op_enqueue);
39103 switch (op->flags & FSCACHE_OP_TYPE) {
39104 case FSCACHE_OP_FAST:
39105 _debug("queue fast");
39106 @@ -76,7 +76,7 @@ static void fscache_run_op(struct fscach
39107 wake_up_bit(&op->flags, FSCACHE_OP_WAITING);
39109 fscache_enqueue_operation(op);
39110 - fscache_stat(&fscache_n_op_run);
39111 + fscache_stat_unchecked(&fscache_n_op_run);
39115 @@ -107,11 +107,11 @@ int fscache_submit_exclusive_op(struct f
39116 if (object->n_ops > 0) {
39117 atomic_inc(&op->usage);
39118 list_add_tail(&op->pend_link, &object->pending_ops);
39119 - fscache_stat(&fscache_n_op_pend);
39120 + fscache_stat_unchecked(&fscache_n_op_pend);
39121 } else if (!list_empty(&object->pending_ops)) {
39122 atomic_inc(&op->usage);
39123 list_add_tail(&op->pend_link, &object->pending_ops);
39124 - fscache_stat(&fscache_n_op_pend);
39125 + fscache_stat_unchecked(&fscache_n_op_pend);
39126 fscache_start_operations(object);
39128 ASSERTCMP(object->n_in_progress, ==, 0);
39129 @@ -127,7 +127,7 @@ int fscache_submit_exclusive_op(struct f
39130 object->n_exclusive++; /* reads and writes must wait */
39131 atomic_inc(&op->usage);
39132 list_add_tail(&op->pend_link, &object->pending_ops);
39133 - fscache_stat(&fscache_n_op_pend);
39134 + fscache_stat_unchecked(&fscache_n_op_pend);
39137 /* not allowed to submit ops in any other state */
39138 @@ -214,11 +214,11 @@ int fscache_submit_op(struct fscache_obj
39139 if (object->n_exclusive > 0) {
39140 atomic_inc(&op->usage);
39141 list_add_tail(&op->pend_link, &object->pending_ops);
39142 - fscache_stat(&fscache_n_op_pend);
39143 + fscache_stat_unchecked(&fscache_n_op_pend);
39144 } else if (!list_empty(&object->pending_ops)) {
39145 atomic_inc(&op->usage);
39146 list_add_tail(&op->pend_link, &object->pending_ops);
39147 - fscache_stat(&fscache_n_op_pend);
39148 + fscache_stat_unchecked(&fscache_n_op_pend);
39149 fscache_start_operations(object);
39151 ASSERTCMP(object->n_exclusive, ==, 0);
39152 @@ -230,12 +230,12 @@ int fscache_submit_op(struct fscache_obj
39154 atomic_inc(&op->usage);
39155 list_add_tail(&op->pend_link, &object->pending_ops);
39156 - fscache_stat(&fscache_n_op_pend);
39157 + fscache_stat_unchecked(&fscache_n_op_pend);
39159 } else if (object->state == FSCACHE_OBJECT_DYING ||
39160 object->state == FSCACHE_OBJECT_LC_DYING ||
39161 object->state == FSCACHE_OBJECT_WITHDRAWING) {
39162 - fscache_stat(&fscache_n_op_rejected);
39163 + fscache_stat_unchecked(&fscache_n_op_rejected);
39165 } else if (!test_bit(FSCACHE_IOERROR, &object->cache->flags)) {
39166 fscache_report_unexpected_submission(object, op, ostate);
39167 @@ -305,7 +305,7 @@ int fscache_cancel_op(struct fscache_ope
39170 if (!list_empty(&op->pend_link)) {
39171 - fscache_stat(&fscache_n_op_cancelled);
39172 + fscache_stat_unchecked(&fscache_n_op_cancelled);
39173 list_del_init(&op->pend_link);
39175 if (test_bit(FSCACHE_OP_EXCLUSIVE, &op->flags))
39176 @@ -344,7 +344,7 @@ void fscache_put_operation(struct fscach
39177 if (test_and_set_bit(FSCACHE_OP_DEAD, &op->flags))
39180 - fscache_stat(&fscache_n_op_release);
39181 + fscache_stat_unchecked(&fscache_n_op_release);
39185 @@ -361,7 +361,7 @@ void fscache_put_operation(struct fscach
39186 * lock, and defer it otherwise */
39187 if (!spin_trylock(&object->lock)) {
39188 _debug("defer put");
39189 - fscache_stat(&fscache_n_op_deferred_release);
39190 + fscache_stat_unchecked(&fscache_n_op_deferred_release);
39192 cache = object->cache;
39193 spin_lock(&cache->op_gc_list_lock);
39194 @@ -423,7 +423,7 @@ void fscache_operation_gc(struct work_st
39196 _debug("GC DEFERRED REL OBJ%x OP%x",
39197 object->debug_id, op->debug_id);
39198 - fscache_stat(&fscache_n_op_gc);
39199 + fscache_stat_unchecked(&fscache_n_op_gc);
39201 ASSERTCMP(atomic_read(&op->usage), ==, 0);
39203 diff -urNp linux-2.6.32.42/fs/fscache/page.c linux-2.6.32.42/fs/fscache/page.c
39204 --- linux-2.6.32.42/fs/fscache/page.c 2011-03-27 14:31:47.000000000 -0400
39205 +++ linux-2.6.32.42/fs/fscache/page.c 2011-05-04 17:56:28.000000000 -0400
39206 @@ -59,7 +59,7 @@ bool __fscache_maybe_release_page(struct
39207 val = radix_tree_lookup(&cookie->stores, page->index);
39210 - fscache_stat(&fscache_n_store_vmscan_not_storing);
39211 + fscache_stat_unchecked(&fscache_n_store_vmscan_not_storing);
39212 __fscache_uncache_page(cookie, page);
39215 @@ -89,11 +89,11 @@ bool __fscache_maybe_release_page(struct
39216 spin_unlock(&cookie->stores_lock);
39219 - fscache_stat(&fscache_n_store_vmscan_cancelled);
39220 - fscache_stat(&fscache_n_store_radix_deletes);
39221 + fscache_stat_unchecked(&fscache_n_store_vmscan_cancelled);
39222 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
39223 ASSERTCMP(xpage, ==, page);
39225 - fscache_stat(&fscache_n_store_vmscan_gone);
39226 + fscache_stat_unchecked(&fscache_n_store_vmscan_gone);
39229 wake_up_bit(&cookie->flags, 0);
39230 @@ -106,7 +106,7 @@ page_busy:
39231 /* we might want to wait here, but that could deadlock the allocator as
39232 * the slow-work threads writing to the cache may all end up sleeping
39233 * on memory allocation */
39234 - fscache_stat(&fscache_n_store_vmscan_busy);
39235 + fscache_stat_unchecked(&fscache_n_store_vmscan_busy);
39238 EXPORT_SYMBOL(__fscache_maybe_release_page);
39239 @@ -130,7 +130,7 @@ static void fscache_end_page_write(struc
39240 FSCACHE_COOKIE_STORING_TAG);
39241 if (!radix_tree_tag_get(&cookie->stores, page->index,
39242 FSCACHE_COOKIE_PENDING_TAG)) {
39243 - fscache_stat(&fscache_n_store_radix_deletes);
39244 + fscache_stat_unchecked(&fscache_n_store_radix_deletes);
39245 xpage = radix_tree_delete(&cookie->stores, page->index);
39247 spin_unlock(&cookie->stores_lock);
39248 @@ -151,7 +151,7 @@ static void fscache_attr_changed_op(stru
39250 _enter("{OBJ%x OP%x}", object->debug_id, op->debug_id);
39252 - fscache_stat(&fscache_n_attr_changed_calls);
39253 + fscache_stat_unchecked(&fscache_n_attr_changed_calls);
39255 if (fscache_object_is_active(object)) {
39256 fscache_set_op_state(op, "CallFS");
39257 @@ -178,11 +178,11 @@ int __fscache_attr_changed(struct fscach
39259 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
39261 - fscache_stat(&fscache_n_attr_changed);
39262 + fscache_stat_unchecked(&fscache_n_attr_changed);
39264 op = kzalloc(sizeof(*op), GFP_KERNEL);
39266 - fscache_stat(&fscache_n_attr_changed_nomem);
39267 + fscache_stat_unchecked(&fscache_n_attr_changed_nomem);
39268 _leave(" = -ENOMEM");
39271 @@ -202,7 +202,7 @@ int __fscache_attr_changed(struct fscach
39272 if (fscache_submit_exclusive_op(object, op) < 0)
39274 spin_unlock(&cookie->lock);
39275 - fscache_stat(&fscache_n_attr_changed_ok);
39276 + fscache_stat_unchecked(&fscache_n_attr_changed_ok);
39277 fscache_put_operation(op);
39280 @@ -210,7 +210,7 @@ int __fscache_attr_changed(struct fscach
39282 spin_unlock(&cookie->lock);
39284 - fscache_stat(&fscache_n_attr_changed_nobufs);
39285 + fscache_stat_unchecked(&fscache_n_attr_changed_nobufs);
39286 _leave(" = %d", -ENOBUFS);
39289 @@ -264,7 +264,7 @@ static struct fscache_retrieval *fscache
39290 /* allocate a retrieval operation and attempt to submit it */
39291 op = kzalloc(sizeof(*op), GFP_NOIO);
39293 - fscache_stat(&fscache_n_retrievals_nomem);
39294 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
39298 @@ -294,13 +294,13 @@ static int fscache_wait_for_deferred_loo
39302 - fscache_stat(&fscache_n_retrievals_wait);
39303 + fscache_stat_unchecked(&fscache_n_retrievals_wait);
39306 if (wait_on_bit(&cookie->flags, FSCACHE_COOKIE_LOOKING_UP,
39307 fscache_wait_bit_interruptible,
39308 TASK_INTERRUPTIBLE) != 0) {
39309 - fscache_stat(&fscache_n_retrievals_intr);
39310 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
39311 _leave(" = -ERESTARTSYS");
39312 return -ERESTARTSYS;
39314 @@ -318,8 +318,8 @@ static int fscache_wait_for_deferred_loo
39316 static int fscache_wait_for_retrieval_activation(struct fscache_object *object,
39317 struct fscache_retrieval *op,
39318 - atomic_t *stat_op_waits,
39319 - atomic_t *stat_object_dead)
39320 + atomic_unchecked_t *stat_op_waits,
39321 + atomic_unchecked_t *stat_object_dead)
39325 @@ -327,7 +327,7 @@ static int fscache_wait_for_retrieval_ac
39326 goto check_if_dead;
39329 - fscache_stat(stat_op_waits);
39330 + fscache_stat_unchecked(stat_op_waits);
39331 if (wait_on_bit(&op->op.flags, FSCACHE_OP_WAITING,
39332 fscache_wait_bit_interruptible,
39333 TASK_INTERRUPTIBLE) < 0) {
39334 @@ -344,7 +344,7 @@ static int fscache_wait_for_retrieval_ac
39337 if (unlikely(fscache_object_is_dead(object))) {
39338 - fscache_stat(stat_object_dead);
39339 + fscache_stat_unchecked(stat_object_dead);
39343 @@ -371,7 +371,7 @@ int __fscache_read_or_alloc_page(struct
39345 _enter("%p,%p,,,", cookie, page);
39347 - fscache_stat(&fscache_n_retrievals);
39348 + fscache_stat_unchecked(&fscache_n_retrievals);
39350 if (hlist_empty(&cookie->backing_objects))
39352 @@ -405,7 +405,7 @@ int __fscache_read_or_alloc_page(struct
39353 goto nobufs_unlock;
39354 spin_unlock(&cookie->lock);
39356 - fscache_stat(&fscache_n_retrieval_ops);
39357 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
39359 /* pin the netfs read context in case we need to do the actual netfs
39360 * read because we've encountered a cache read failure */
39361 @@ -435,15 +435,15 @@ int __fscache_read_or_alloc_page(struct
39364 if (ret == -ENOMEM)
39365 - fscache_stat(&fscache_n_retrievals_nomem);
39366 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
39367 else if (ret == -ERESTARTSYS)
39368 - fscache_stat(&fscache_n_retrievals_intr);
39369 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
39370 else if (ret == -ENODATA)
39371 - fscache_stat(&fscache_n_retrievals_nodata);
39372 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
39374 - fscache_stat(&fscache_n_retrievals_nobufs);
39375 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
39377 - fscache_stat(&fscache_n_retrievals_ok);
39378 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
39380 fscache_put_retrieval(op);
39381 _leave(" = %d", ret);
39382 @@ -453,7 +453,7 @@ nobufs_unlock:
39383 spin_unlock(&cookie->lock);
39386 - fscache_stat(&fscache_n_retrievals_nobufs);
39387 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
39388 _leave(" = -ENOBUFS");
39391 @@ -491,7 +491,7 @@ int __fscache_read_or_alloc_pages(struct
39393 _enter("%p,,%d,,,", cookie, *nr_pages);
39395 - fscache_stat(&fscache_n_retrievals);
39396 + fscache_stat_unchecked(&fscache_n_retrievals);
39398 if (hlist_empty(&cookie->backing_objects))
39400 @@ -522,7 +522,7 @@ int __fscache_read_or_alloc_pages(struct
39401 goto nobufs_unlock;
39402 spin_unlock(&cookie->lock);
39404 - fscache_stat(&fscache_n_retrieval_ops);
39405 + fscache_stat_unchecked(&fscache_n_retrieval_ops);
39407 /* pin the netfs read context in case we need to do the actual netfs
39408 * read because we've encountered a cache read failure */
39409 @@ -552,15 +552,15 @@ int __fscache_read_or_alloc_pages(struct
39412 if (ret == -ENOMEM)
39413 - fscache_stat(&fscache_n_retrievals_nomem);
39414 + fscache_stat_unchecked(&fscache_n_retrievals_nomem);
39415 else if (ret == -ERESTARTSYS)
39416 - fscache_stat(&fscache_n_retrievals_intr);
39417 + fscache_stat_unchecked(&fscache_n_retrievals_intr);
39418 else if (ret == -ENODATA)
39419 - fscache_stat(&fscache_n_retrievals_nodata);
39420 + fscache_stat_unchecked(&fscache_n_retrievals_nodata);
39422 - fscache_stat(&fscache_n_retrievals_nobufs);
39423 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
39425 - fscache_stat(&fscache_n_retrievals_ok);
39426 + fscache_stat_unchecked(&fscache_n_retrievals_ok);
39428 fscache_put_retrieval(op);
39429 _leave(" = %d", ret);
39430 @@ -570,7 +570,7 @@ nobufs_unlock:
39431 spin_unlock(&cookie->lock);
39434 - fscache_stat(&fscache_n_retrievals_nobufs);
39435 + fscache_stat_unchecked(&fscache_n_retrievals_nobufs);
39436 _leave(" = -ENOBUFS");
39439 @@ -594,7 +594,7 @@ int __fscache_alloc_page(struct fscache_
39441 _enter("%p,%p,,,", cookie, page);
39443 - fscache_stat(&fscache_n_allocs);
39444 + fscache_stat_unchecked(&fscache_n_allocs);
39446 if (hlist_empty(&cookie->backing_objects))
39448 @@ -621,7 +621,7 @@ int __fscache_alloc_page(struct fscache_
39449 goto nobufs_unlock;
39450 spin_unlock(&cookie->lock);
39452 - fscache_stat(&fscache_n_alloc_ops);
39453 + fscache_stat_unchecked(&fscache_n_alloc_ops);
39455 ret = fscache_wait_for_retrieval_activation(
39457 @@ -637,11 +637,11 @@ int __fscache_alloc_page(struct fscache_
39460 if (ret == -ERESTARTSYS)
39461 - fscache_stat(&fscache_n_allocs_intr);
39462 + fscache_stat_unchecked(&fscache_n_allocs_intr);
39464 - fscache_stat(&fscache_n_allocs_nobufs);
39465 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
39467 - fscache_stat(&fscache_n_allocs_ok);
39468 + fscache_stat_unchecked(&fscache_n_allocs_ok);
39470 fscache_put_retrieval(op);
39471 _leave(" = %d", ret);
39472 @@ -651,7 +651,7 @@ nobufs_unlock:
39473 spin_unlock(&cookie->lock);
39476 - fscache_stat(&fscache_n_allocs_nobufs);
39477 + fscache_stat_unchecked(&fscache_n_allocs_nobufs);
39478 _leave(" = -ENOBUFS");
39481 @@ -694,7 +694,7 @@ static void fscache_write_op(struct fsca
39483 spin_lock(&cookie->stores_lock);
39485 - fscache_stat(&fscache_n_store_calls);
39486 + fscache_stat_unchecked(&fscache_n_store_calls);
39488 /* find a page to store */
39490 @@ -705,7 +705,7 @@ static void fscache_write_op(struct fsca
39492 _debug("gang %d [%lx]", n, page->index);
39493 if (page->index > op->store_limit) {
39494 - fscache_stat(&fscache_n_store_pages_over_limit);
39495 + fscache_stat_unchecked(&fscache_n_store_pages_over_limit);
39499 @@ -721,7 +721,7 @@ static void fscache_write_op(struct fsca
39502 fscache_set_op_state(&op->op, "Store");
39503 - fscache_stat(&fscache_n_store_pages);
39504 + fscache_stat_unchecked(&fscache_n_store_pages);
39505 fscache_stat(&fscache_n_cop_write_page);
39506 ret = object->cache->ops->write_page(op, page);
39507 fscache_stat_d(&fscache_n_cop_write_page);
39508 @@ -792,7 +792,7 @@ int __fscache_write_page(struct fscache_
39509 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
39510 ASSERT(PageFsCache(page));
39512 - fscache_stat(&fscache_n_stores);
39513 + fscache_stat_unchecked(&fscache_n_stores);
39515 op = kzalloc(sizeof(*op), GFP_NOIO);
39517 @@ -844,7 +844,7 @@ int __fscache_write_page(struct fscache_
39518 spin_unlock(&cookie->stores_lock);
39519 spin_unlock(&object->lock);
39521 - op->op.debug_id = atomic_inc_return(&fscache_op_debug_id);
39522 + op->op.debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
39523 op->store_limit = object->store_limit;
39525 if (fscache_submit_op(object, &op->op) < 0)
39526 @@ -852,8 +852,8 @@ int __fscache_write_page(struct fscache_
39528 spin_unlock(&cookie->lock);
39529 radix_tree_preload_end();
39530 - fscache_stat(&fscache_n_store_ops);
39531 - fscache_stat(&fscache_n_stores_ok);
39532 + fscache_stat_unchecked(&fscache_n_store_ops);
39533 + fscache_stat_unchecked(&fscache_n_stores_ok);
39535 /* the slow work queue now carries its own ref on the object */
39536 fscache_put_operation(&op->op);
39537 @@ -861,14 +861,14 @@ int __fscache_write_page(struct fscache_
39541 - fscache_stat(&fscache_n_stores_again);
39542 + fscache_stat_unchecked(&fscache_n_stores_again);
39544 spin_unlock(&cookie->stores_lock);
39545 spin_unlock(&object->lock);
39546 spin_unlock(&cookie->lock);
39547 radix_tree_preload_end();
39549 - fscache_stat(&fscache_n_stores_ok);
39550 + fscache_stat_unchecked(&fscache_n_stores_ok);
39554 @@ -886,14 +886,14 @@ nobufs:
39555 spin_unlock(&cookie->lock);
39556 radix_tree_preload_end();
39558 - fscache_stat(&fscache_n_stores_nobufs);
39559 + fscache_stat_unchecked(&fscache_n_stores_nobufs);
39560 _leave(" = -ENOBUFS");
39566 - fscache_stat(&fscache_n_stores_oom);
39567 + fscache_stat_unchecked(&fscache_n_stores_oom);
39568 _leave(" = -ENOMEM");
39571 @@ -911,7 +911,7 @@ void __fscache_uncache_page(struct fscac
39572 ASSERTCMP(cookie->def->type, !=, FSCACHE_COOKIE_TYPE_INDEX);
39573 ASSERTCMP(page, !=, NULL);
39575 - fscache_stat(&fscache_n_uncaches);
39576 + fscache_stat_unchecked(&fscache_n_uncaches);
39578 /* cache withdrawal may beat us to it */
39579 if (!PageFsCache(page))
39580 @@ -964,7 +964,7 @@ void fscache_mark_pages_cached(struct fs
39581 unsigned long loop;
39583 #ifdef CONFIG_FSCACHE_STATS
39584 - atomic_add(pagevec->nr, &fscache_n_marks);
39585 + atomic_add_unchecked(pagevec->nr, &fscache_n_marks);
39588 for (loop = 0; loop < pagevec->nr; loop++) {
39589 diff -urNp linux-2.6.32.42/fs/fscache/stats.c linux-2.6.32.42/fs/fscache/stats.c
39590 --- linux-2.6.32.42/fs/fscache/stats.c 2011-03-27 14:31:47.000000000 -0400
39591 +++ linux-2.6.32.42/fs/fscache/stats.c 2011-05-04 17:56:28.000000000 -0400
39592 @@ -18,95 +18,95 @@
39594 * operation counters
39596 -atomic_t fscache_n_op_pend;
39597 -atomic_t fscache_n_op_run;
39598 -atomic_t fscache_n_op_enqueue;
39599 -atomic_t fscache_n_op_requeue;
39600 -atomic_t fscache_n_op_deferred_release;
39601 -atomic_t fscache_n_op_release;
39602 -atomic_t fscache_n_op_gc;
39603 -atomic_t fscache_n_op_cancelled;
39604 -atomic_t fscache_n_op_rejected;
39606 -atomic_t fscache_n_attr_changed;
39607 -atomic_t fscache_n_attr_changed_ok;
39608 -atomic_t fscache_n_attr_changed_nobufs;
39609 -atomic_t fscache_n_attr_changed_nomem;
39610 -atomic_t fscache_n_attr_changed_calls;
39612 -atomic_t fscache_n_allocs;
39613 -atomic_t fscache_n_allocs_ok;
39614 -atomic_t fscache_n_allocs_wait;
39615 -atomic_t fscache_n_allocs_nobufs;
39616 -atomic_t fscache_n_allocs_intr;
39617 -atomic_t fscache_n_allocs_object_dead;
39618 -atomic_t fscache_n_alloc_ops;
39619 -atomic_t fscache_n_alloc_op_waits;
39621 -atomic_t fscache_n_retrievals;
39622 -atomic_t fscache_n_retrievals_ok;
39623 -atomic_t fscache_n_retrievals_wait;
39624 -atomic_t fscache_n_retrievals_nodata;
39625 -atomic_t fscache_n_retrievals_nobufs;
39626 -atomic_t fscache_n_retrievals_intr;
39627 -atomic_t fscache_n_retrievals_nomem;
39628 -atomic_t fscache_n_retrievals_object_dead;
39629 -atomic_t fscache_n_retrieval_ops;
39630 -atomic_t fscache_n_retrieval_op_waits;
39632 -atomic_t fscache_n_stores;
39633 -atomic_t fscache_n_stores_ok;
39634 -atomic_t fscache_n_stores_again;
39635 -atomic_t fscache_n_stores_nobufs;
39636 -atomic_t fscache_n_stores_oom;
39637 -atomic_t fscache_n_store_ops;
39638 -atomic_t fscache_n_store_calls;
39639 -atomic_t fscache_n_store_pages;
39640 -atomic_t fscache_n_store_radix_deletes;
39641 -atomic_t fscache_n_store_pages_over_limit;
39643 -atomic_t fscache_n_store_vmscan_not_storing;
39644 -atomic_t fscache_n_store_vmscan_gone;
39645 -atomic_t fscache_n_store_vmscan_busy;
39646 -atomic_t fscache_n_store_vmscan_cancelled;
39648 -atomic_t fscache_n_marks;
39649 -atomic_t fscache_n_uncaches;
39651 -atomic_t fscache_n_acquires;
39652 -atomic_t fscache_n_acquires_null;
39653 -atomic_t fscache_n_acquires_no_cache;
39654 -atomic_t fscache_n_acquires_ok;
39655 -atomic_t fscache_n_acquires_nobufs;
39656 -atomic_t fscache_n_acquires_oom;
39658 -atomic_t fscache_n_updates;
39659 -atomic_t fscache_n_updates_null;
39660 -atomic_t fscache_n_updates_run;
39662 -atomic_t fscache_n_relinquishes;
39663 -atomic_t fscache_n_relinquishes_null;
39664 -atomic_t fscache_n_relinquishes_waitcrt;
39665 -atomic_t fscache_n_relinquishes_retire;
39667 -atomic_t fscache_n_cookie_index;
39668 -atomic_t fscache_n_cookie_data;
39669 -atomic_t fscache_n_cookie_special;
39671 -atomic_t fscache_n_object_alloc;
39672 -atomic_t fscache_n_object_no_alloc;
39673 -atomic_t fscache_n_object_lookups;
39674 -atomic_t fscache_n_object_lookups_negative;
39675 -atomic_t fscache_n_object_lookups_positive;
39676 -atomic_t fscache_n_object_lookups_timed_out;
39677 -atomic_t fscache_n_object_created;
39678 -atomic_t fscache_n_object_avail;
39679 -atomic_t fscache_n_object_dead;
39681 -atomic_t fscache_n_checkaux_none;
39682 -atomic_t fscache_n_checkaux_okay;
39683 -atomic_t fscache_n_checkaux_update;
39684 -atomic_t fscache_n_checkaux_obsolete;
39685 +atomic_unchecked_t fscache_n_op_pend;
39686 +atomic_unchecked_t fscache_n_op_run;
39687 +atomic_unchecked_t fscache_n_op_enqueue;
39688 +atomic_unchecked_t fscache_n_op_requeue;
39689 +atomic_unchecked_t fscache_n_op_deferred_release;
39690 +atomic_unchecked_t fscache_n_op_release;
39691 +atomic_unchecked_t fscache_n_op_gc;
39692 +atomic_unchecked_t fscache_n_op_cancelled;
39693 +atomic_unchecked_t fscache_n_op_rejected;
39695 +atomic_unchecked_t fscache_n_attr_changed;
39696 +atomic_unchecked_t fscache_n_attr_changed_ok;
39697 +atomic_unchecked_t fscache_n_attr_changed_nobufs;
39698 +atomic_unchecked_t fscache_n_attr_changed_nomem;
39699 +atomic_unchecked_t fscache_n_attr_changed_calls;
39701 +atomic_unchecked_t fscache_n_allocs;
39702 +atomic_unchecked_t fscache_n_allocs_ok;
39703 +atomic_unchecked_t fscache_n_allocs_wait;
39704 +atomic_unchecked_t fscache_n_allocs_nobufs;
39705 +atomic_unchecked_t fscache_n_allocs_intr;
39706 +atomic_unchecked_t fscache_n_allocs_object_dead;
39707 +atomic_unchecked_t fscache_n_alloc_ops;
39708 +atomic_unchecked_t fscache_n_alloc_op_waits;
39710 +atomic_unchecked_t fscache_n_retrievals;
39711 +atomic_unchecked_t fscache_n_retrievals_ok;
39712 +atomic_unchecked_t fscache_n_retrievals_wait;
39713 +atomic_unchecked_t fscache_n_retrievals_nodata;
39714 +atomic_unchecked_t fscache_n_retrievals_nobufs;
39715 +atomic_unchecked_t fscache_n_retrievals_intr;
39716 +atomic_unchecked_t fscache_n_retrievals_nomem;
39717 +atomic_unchecked_t fscache_n_retrievals_object_dead;
39718 +atomic_unchecked_t fscache_n_retrieval_ops;
39719 +atomic_unchecked_t fscache_n_retrieval_op_waits;
39721 +atomic_unchecked_t fscache_n_stores;
39722 +atomic_unchecked_t fscache_n_stores_ok;
39723 +atomic_unchecked_t fscache_n_stores_again;
39724 +atomic_unchecked_t fscache_n_stores_nobufs;
39725 +atomic_unchecked_t fscache_n_stores_oom;
39726 +atomic_unchecked_t fscache_n_store_ops;
39727 +atomic_unchecked_t fscache_n_store_calls;
39728 +atomic_unchecked_t fscache_n_store_pages;
39729 +atomic_unchecked_t fscache_n_store_radix_deletes;
39730 +atomic_unchecked_t fscache_n_store_pages_over_limit;
39732 +atomic_unchecked_t fscache_n_store_vmscan_not_storing;
39733 +atomic_unchecked_t fscache_n_store_vmscan_gone;
39734 +atomic_unchecked_t fscache_n_store_vmscan_busy;
39735 +atomic_unchecked_t fscache_n_store_vmscan_cancelled;
39737 +atomic_unchecked_t fscache_n_marks;
39738 +atomic_unchecked_t fscache_n_uncaches;
39740 +atomic_unchecked_t fscache_n_acquires;
39741 +atomic_unchecked_t fscache_n_acquires_null;
39742 +atomic_unchecked_t fscache_n_acquires_no_cache;
39743 +atomic_unchecked_t fscache_n_acquires_ok;
39744 +atomic_unchecked_t fscache_n_acquires_nobufs;
39745 +atomic_unchecked_t fscache_n_acquires_oom;
39747 +atomic_unchecked_t fscache_n_updates;
39748 +atomic_unchecked_t fscache_n_updates_null;
39749 +atomic_unchecked_t fscache_n_updates_run;
39751 +atomic_unchecked_t fscache_n_relinquishes;
39752 +atomic_unchecked_t fscache_n_relinquishes_null;
39753 +atomic_unchecked_t fscache_n_relinquishes_waitcrt;
39754 +atomic_unchecked_t fscache_n_relinquishes_retire;
39756 +atomic_unchecked_t fscache_n_cookie_index;
39757 +atomic_unchecked_t fscache_n_cookie_data;
39758 +atomic_unchecked_t fscache_n_cookie_special;
39760 +atomic_unchecked_t fscache_n_object_alloc;
39761 +atomic_unchecked_t fscache_n_object_no_alloc;
39762 +atomic_unchecked_t fscache_n_object_lookups;
39763 +atomic_unchecked_t fscache_n_object_lookups_negative;
39764 +atomic_unchecked_t fscache_n_object_lookups_positive;
39765 +atomic_unchecked_t fscache_n_object_lookups_timed_out;
39766 +atomic_unchecked_t fscache_n_object_created;
39767 +atomic_unchecked_t fscache_n_object_avail;
39768 +atomic_unchecked_t fscache_n_object_dead;
39770 +atomic_unchecked_t fscache_n_checkaux_none;
39771 +atomic_unchecked_t fscache_n_checkaux_okay;
39772 +atomic_unchecked_t fscache_n_checkaux_update;
39773 +atomic_unchecked_t fscache_n_checkaux_obsolete;
39775 atomic_t fscache_n_cop_alloc_object;
39776 atomic_t fscache_n_cop_lookup_object;
39777 @@ -133,113 +133,113 @@ static int fscache_stats_show(struct seq
39778 seq_puts(m, "FS-Cache statistics\n");
39780 seq_printf(m, "Cookies: idx=%u dat=%u spc=%u\n",
39781 - atomic_read(&fscache_n_cookie_index),
39782 - atomic_read(&fscache_n_cookie_data),
39783 - atomic_read(&fscache_n_cookie_special));
39784 + atomic_read_unchecked(&fscache_n_cookie_index),
39785 + atomic_read_unchecked(&fscache_n_cookie_data),
39786 + atomic_read_unchecked(&fscache_n_cookie_special));
39788 seq_printf(m, "Objects: alc=%u nal=%u avl=%u ded=%u\n",
39789 - atomic_read(&fscache_n_object_alloc),
39790 - atomic_read(&fscache_n_object_no_alloc),
39791 - atomic_read(&fscache_n_object_avail),
39792 - atomic_read(&fscache_n_object_dead));
39793 + atomic_read_unchecked(&fscache_n_object_alloc),
39794 + atomic_read_unchecked(&fscache_n_object_no_alloc),
39795 + atomic_read_unchecked(&fscache_n_object_avail),
39796 + atomic_read_unchecked(&fscache_n_object_dead));
39797 seq_printf(m, "ChkAux : non=%u ok=%u upd=%u obs=%u\n",
39798 - atomic_read(&fscache_n_checkaux_none),
39799 - atomic_read(&fscache_n_checkaux_okay),
39800 - atomic_read(&fscache_n_checkaux_update),
39801 - atomic_read(&fscache_n_checkaux_obsolete));
39802 + atomic_read_unchecked(&fscache_n_checkaux_none),
39803 + atomic_read_unchecked(&fscache_n_checkaux_okay),
39804 + atomic_read_unchecked(&fscache_n_checkaux_update),
39805 + atomic_read_unchecked(&fscache_n_checkaux_obsolete));
39807 seq_printf(m, "Pages : mrk=%u unc=%u\n",
39808 - atomic_read(&fscache_n_marks),
39809 - atomic_read(&fscache_n_uncaches));
39810 + atomic_read_unchecked(&fscache_n_marks),
39811 + atomic_read_unchecked(&fscache_n_uncaches));
39813 seq_printf(m, "Acquire: n=%u nul=%u noc=%u ok=%u nbf=%u"
39815 - atomic_read(&fscache_n_acquires),
39816 - atomic_read(&fscache_n_acquires_null),
39817 - atomic_read(&fscache_n_acquires_no_cache),
39818 - atomic_read(&fscache_n_acquires_ok),
39819 - atomic_read(&fscache_n_acquires_nobufs),
39820 - atomic_read(&fscache_n_acquires_oom));
39821 + atomic_read_unchecked(&fscache_n_acquires),
39822 + atomic_read_unchecked(&fscache_n_acquires_null),
39823 + atomic_read_unchecked(&fscache_n_acquires_no_cache),
39824 + atomic_read_unchecked(&fscache_n_acquires_ok),
39825 + atomic_read_unchecked(&fscache_n_acquires_nobufs),
39826 + atomic_read_unchecked(&fscache_n_acquires_oom));
39828 seq_printf(m, "Lookups: n=%u neg=%u pos=%u crt=%u tmo=%u\n",
39829 - atomic_read(&fscache_n_object_lookups),
39830 - atomic_read(&fscache_n_object_lookups_negative),
39831 - atomic_read(&fscache_n_object_lookups_positive),
39832 - atomic_read(&fscache_n_object_lookups_timed_out),
39833 - atomic_read(&fscache_n_object_created));
39834 + atomic_read_unchecked(&fscache_n_object_lookups),
39835 + atomic_read_unchecked(&fscache_n_object_lookups_negative),
39836 + atomic_read_unchecked(&fscache_n_object_lookups_positive),
39837 + atomic_read_unchecked(&fscache_n_object_lookups_timed_out),
39838 + atomic_read_unchecked(&fscache_n_object_created));
39840 seq_printf(m, "Updates: n=%u nul=%u run=%u\n",
39841 - atomic_read(&fscache_n_updates),
39842 - atomic_read(&fscache_n_updates_null),
39843 - atomic_read(&fscache_n_updates_run));
39844 + atomic_read_unchecked(&fscache_n_updates),
39845 + atomic_read_unchecked(&fscache_n_updates_null),
39846 + atomic_read_unchecked(&fscache_n_updates_run));
39848 seq_printf(m, "Relinqs: n=%u nul=%u wcr=%u rtr=%u\n",
39849 - atomic_read(&fscache_n_relinquishes),
39850 - atomic_read(&fscache_n_relinquishes_null),
39851 - atomic_read(&fscache_n_relinquishes_waitcrt),
39852 - atomic_read(&fscache_n_relinquishes_retire));
39853 + atomic_read_unchecked(&fscache_n_relinquishes),
39854 + atomic_read_unchecked(&fscache_n_relinquishes_null),
39855 + atomic_read_unchecked(&fscache_n_relinquishes_waitcrt),
39856 + atomic_read_unchecked(&fscache_n_relinquishes_retire));
39858 seq_printf(m, "AttrChg: n=%u ok=%u nbf=%u oom=%u run=%u\n",
39859 - atomic_read(&fscache_n_attr_changed),
39860 - atomic_read(&fscache_n_attr_changed_ok),
39861 - atomic_read(&fscache_n_attr_changed_nobufs),
39862 - atomic_read(&fscache_n_attr_changed_nomem),
39863 - atomic_read(&fscache_n_attr_changed_calls));
39864 + atomic_read_unchecked(&fscache_n_attr_changed),
39865 + atomic_read_unchecked(&fscache_n_attr_changed_ok),
39866 + atomic_read_unchecked(&fscache_n_attr_changed_nobufs),
39867 + atomic_read_unchecked(&fscache_n_attr_changed_nomem),
39868 + atomic_read_unchecked(&fscache_n_attr_changed_calls));
39870 seq_printf(m, "Allocs : n=%u ok=%u wt=%u nbf=%u int=%u\n",
39871 - atomic_read(&fscache_n_allocs),
39872 - atomic_read(&fscache_n_allocs_ok),
39873 - atomic_read(&fscache_n_allocs_wait),
39874 - atomic_read(&fscache_n_allocs_nobufs),
39875 - atomic_read(&fscache_n_allocs_intr));
39876 + atomic_read_unchecked(&fscache_n_allocs),
39877 + atomic_read_unchecked(&fscache_n_allocs_ok),
39878 + atomic_read_unchecked(&fscache_n_allocs_wait),
39879 + atomic_read_unchecked(&fscache_n_allocs_nobufs),
39880 + atomic_read_unchecked(&fscache_n_allocs_intr));
39881 seq_printf(m, "Allocs : ops=%u owt=%u abt=%u\n",
39882 - atomic_read(&fscache_n_alloc_ops),
39883 - atomic_read(&fscache_n_alloc_op_waits),
39884 - atomic_read(&fscache_n_allocs_object_dead));
39885 + atomic_read_unchecked(&fscache_n_alloc_ops),
39886 + atomic_read_unchecked(&fscache_n_alloc_op_waits),
39887 + atomic_read_unchecked(&fscache_n_allocs_object_dead));
39889 seq_printf(m, "Retrvls: n=%u ok=%u wt=%u nod=%u nbf=%u"
39890 " int=%u oom=%u\n",
39891 - atomic_read(&fscache_n_retrievals),
39892 - atomic_read(&fscache_n_retrievals_ok),
39893 - atomic_read(&fscache_n_retrievals_wait),
39894 - atomic_read(&fscache_n_retrievals_nodata),
39895 - atomic_read(&fscache_n_retrievals_nobufs),
39896 - atomic_read(&fscache_n_retrievals_intr),
39897 - atomic_read(&fscache_n_retrievals_nomem));
39898 + atomic_read_unchecked(&fscache_n_retrievals),
39899 + atomic_read_unchecked(&fscache_n_retrievals_ok),
39900 + atomic_read_unchecked(&fscache_n_retrievals_wait),
39901 + atomic_read_unchecked(&fscache_n_retrievals_nodata),
39902 + atomic_read_unchecked(&fscache_n_retrievals_nobufs),
39903 + atomic_read_unchecked(&fscache_n_retrievals_intr),
39904 + atomic_read_unchecked(&fscache_n_retrievals_nomem));
39905 seq_printf(m, "Retrvls: ops=%u owt=%u abt=%u\n",
39906 - atomic_read(&fscache_n_retrieval_ops),
39907 - atomic_read(&fscache_n_retrieval_op_waits),
39908 - atomic_read(&fscache_n_retrievals_object_dead));
39909 + atomic_read_unchecked(&fscache_n_retrieval_ops),
39910 + atomic_read_unchecked(&fscache_n_retrieval_op_waits),
39911 + atomic_read_unchecked(&fscache_n_retrievals_object_dead));
39913 seq_printf(m, "Stores : n=%u ok=%u agn=%u nbf=%u oom=%u\n",
39914 - atomic_read(&fscache_n_stores),
39915 - atomic_read(&fscache_n_stores_ok),
39916 - atomic_read(&fscache_n_stores_again),
39917 - atomic_read(&fscache_n_stores_nobufs),
39918 - atomic_read(&fscache_n_stores_oom));
39919 + atomic_read_unchecked(&fscache_n_stores),
39920 + atomic_read_unchecked(&fscache_n_stores_ok),
39921 + atomic_read_unchecked(&fscache_n_stores_again),
39922 + atomic_read_unchecked(&fscache_n_stores_nobufs),
39923 + atomic_read_unchecked(&fscache_n_stores_oom));
39924 seq_printf(m, "Stores : ops=%u run=%u pgs=%u rxd=%u olm=%u\n",
39925 - atomic_read(&fscache_n_store_ops),
39926 - atomic_read(&fscache_n_store_calls),
39927 - atomic_read(&fscache_n_store_pages),
39928 - atomic_read(&fscache_n_store_radix_deletes),
39929 - atomic_read(&fscache_n_store_pages_over_limit));
39930 + atomic_read_unchecked(&fscache_n_store_ops),
39931 + atomic_read_unchecked(&fscache_n_store_calls),
39932 + atomic_read_unchecked(&fscache_n_store_pages),
39933 + atomic_read_unchecked(&fscache_n_store_radix_deletes),
39934 + atomic_read_unchecked(&fscache_n_store_pages_over_limit));
39936 seq_printf(m, "VmScan : nos=%u gon=%u bsy=%u can=%u\n",
39937 - atomic_read(&fscache_n_store_vmscan_not_storing),
39938 - atomic_read(&fscache_n_store_vmscan_gone),
39939 - atomic_read(&fscache_n_store_vmscan_busy),
39940 - atomic_read(&fscache_n_store_vmscan_cancelled));
39941 + atomic_read_unchecked(&fscache_n_store_vmscan_not_storing),
39942 + atomic_read_unchecked(&fscache_n_store_vmscan_gone),
39943 + atomic_read_unchecked(&fscache_n_store_vmscan_busy),
39944 + atomic_read_unchecked(&fscache_n_store_vmscan_cancelled));
39946 seq_printf(m, "Ops : pend=%u run=%u enq=%u can=%u rej=%u\n",
39947 - atomic_read(&fscache_n_op_pend),
39948 - atomic_read(&fscache_n_op_run),
39949 - atomic_read(&fscache_n_op_enqueue),
39950 - atomic_read(&fscache_n_op_cancelled),
39951 - atomic_read(&fscache_n_op_rejected));
39952 + atomic_read_unchecked(&fscache_n_op_pend),
39953 + atomic_read_unchecked(&fscache_n_op_run),
39954 + atomic_read_unchecked(&fscache_n_op_enqueue),
39955 + atomic_read_unchecked(&fscache_n_op_cancelled),
39956 + atomic_read_unchecked(&fscache_n_op_rejected));
39957 seq_printf(m, "Ops : dfr=%u rel=%u gc=%u\n",
39958 - atomic_read(&fscache_n_op_deferred_release),
39959 - atomic_read(&fscache_n_op_release),
39960 - atomic_read(&fscache_n_op_gc));
39961 + atomic_read_unchecked(&fscache_n_op_deferred_release),
39962 + atomic_read_unchecked(&fscache_n_op_release),
39963 + atomic_read_unchecked(&fscache_n_op_gc));
39965 seq_printf(m, "CacheOp: alo=%d luo=%d luc=%d gro=%d\n",
39966 atomic_read(&fscache_n_cop_alloc_object),
39967 diff -urNp linux-2.6.32.42/fs/fs_struct.c linux-2.6.32.42/fs/fs_struct.c
39968 --- linux-2.6.32.42/fs/fs_struct.c 2011-03-27 14:31:47.000000000 -0400
39969 +++ linux-2.6.32.42/fs/fs_struct.c 2011-04-17 15:56:46.000000000 -0400
39971 #include <linux/path.h>
39972 #include <linux/slab.h>
39973 #include <linux/fs_struct.h>
39974 +#include <linux/grsecurity.h>
39977 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
39978 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
39979 old_root = fs->root;
39982 + gr_set_chroot_entries(current, path);
39983 write_unlock(&fs->lock);
39984 if (old_root.dentry)
39985 path_put(&old_root);
39986 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
39987 && fs->root.mnt == old_root->mnt) {
39988 path_get(new_root);
39989 fs->root = *new_root;
39990 + gr_set_chroot_entries(p, new_root);
39993 if (fs->pwd.dentry == old_root->dentry
39994 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
39996 write_lock(&fs->lock);
39998 - kill = !--fs->users;
39999 + gr_clear_chroot_entries(tsk);
40000 + kill = !atomic_dec_return(&fs->users);
40001 write_unlock(&fs->lock);
40004 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
40005 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
40006 /* We don't need to lock fs - think why ;-) */
40009 + atomic_set(&fs->users, 1);
40011 rwlock_init(&fs->lock);
40012 fs->umask = old->umask;
40013 @@ -127,8 +131,9 @@ int unshare_fs_struct(void)
40015 task_lock(current);
40016 write_lock(&fs->lock);
40017 - kill = !--fs->users;
40018 + kill = !atomic_dec_return(&fs->users);
40019 current->fs = new_fs;
40020 + gr_set_chroot_entries(current, &new_fs->root);
40021 write_unlock(&fs->lock);
40022 task_unlock(current);
40024 @@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
40026 /* to be mentioned only in INIT_TASK */
40027 struct fs_struct init_fs = {
40029 + .users = ATOMIC_INIT(1),
40030 .lock = __RW_LOCK_UNLOCKED(init_fs.lock),
40033 @@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
40034 task_lock(current);
40036 write_lock(&init_fs.lock);
40038 + atomic_inc(&init_fs.users);
40039 write_unlock(&init_fs.lock);
40041 write_lock(&fs->lock);
40042 current->fs = &init_fs;
40043 - kill = !--fs->users;
40044 + gr_set_chroot_entries(current, ¤t->fs->root);
40045 + kill = !atomic_dec_return(&fs->users);
40046 write_unlock(&fs->lock);
40048 task_unlock(current);
40049 diff -urNp linux-2.6.32.42/fs/fuse/cuse.c linux-2.6.32.42/fs/fuse/cuse.c
40050 --- linux-2.6.32.42/fs/fuse/cuse.c 2011-03-27 14:31:47.000000000 -0400
40051 +++ linux-2.6.32.42/fs/fuse/cuse.c 2011-04-17 15:56:46.000000000 -0400
40052 @@ -528,8 +528,18 @@ static int cuse_channel_release(struct i
40056 -static struct file_operations cuse_channel_fops; /* initialized during init */
40058 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
40059 + .owner = THIS_MODULE,
40060 + .llseek = no_llseek,
40061 + .read = do_sync_read,
40062 + .aio_read = fuse_dev_read,
40063 + .write = do_sync_write,
40064 + .aio_write = fuse_dev_write,
40065 + .poll = fuse_dev_poll,
40066 + .open = cuse_channel_open,
40067 + .release = cuse_channel_release,
40068 + .fasync = fuse_dev_fasync,
40071 /**************************************************************************
40072 * Misc stuff and module initializatiion
40073 @@ -575,12 +585,6 @@ static int __init cuse_init(void)
40074 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
40075 INIT_LIST_HEAD(&cuse_conntbl[i]);
40077 - /* inherit and extend fuse_dev_operations */
40078 - cuse_channel_fops = fuse_dev_operations;
40079 - cuse_channel_fops.owner = THIS_MODULE;
40080 - cuse_channel_fops.open = cuse_channel_open;
40081 - cuse_channel_fops.release = cuse_channel_release;
40083 cuse_class = class_create(THIS_MODULE, "cuse");
40084 if (IS_ERR(cuse_class))
40085 return PTR_ERR(cuse_class);
40086 diff -urNp linux-2.6.32.42/fs/fuse/dev.c linux-2.6.32.42/fs/fuse/dev.c
40087 --- linux-2.6.32.42/fs/fuse/dev.c 2011-03-27 14:31:47.000000000 -0400
40088 +++ linux-2.6.32.42/fs/fuse/dev.c 2011-04-17 15:56:46.000000000 -0400
40089 @@ -745,7 +745,7 @@ __releases(&fc->lock)
40090 * request_end(). Otherwise add it to the processing list, and set
40093 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
40094 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
40095 unsigned long nr_segs, loff_t pos)
40098 @@ -827,6 +827,7 @@ static ssize_t fuse_dev_read(struct kioc
40099 spin_unlock(&fc->lock);
40102 +EXPORT_SYMBOL_GPL(fuse_dev_read);
40104 static int fuse_notify_poll(struct fuse_conn *fc, unsigned int size,
40105 struct fuse_copy_state *cs)
40106 @@ -885,7 +886,7 @@ static int fuse_notify_inval_entry(struc
40108 struct fuse_notify_inval_entry_out outarg;
40110 - char buf[FUSE_NAME_MAX+1];
40111 + char *buf = NULL;
40114 if (size < sizeof(outarg))
40115 @@ -899,6 +900,11 @@ static int fuse_notify_inval_entry(struc
40116 if (outarg.namelen > FUSE_NAME_MAX)
40120 + buf = kmalloc(FUSE_NAME_MAX+1, GFP_KERNEL);
40125 name.len = outarg.namelen;
40126 err = fuse_copy_one(cs, buf, outarg.namelen + 1);
40127 @@ -910,17 +916,15 @@ static int fuse_notify_inval_entry(struc
40129 down_read(&fc->killsb);
40134 - err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
40138 + err = fuse_reverse_inval_entry(fc->sb, outarg.parent, &name);
40139 up_read(&fc->killsb);
40144 fuse_copy_finish(cs);
40149 @@ -987,7 +991,7 @@ static int copy_out_args(struct fuse_cop
40150 * it from the list and copy the rest of the buffer to the request.
40151 * The request is finished by calling request_end()
40153 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
40154 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
40155 unsigned long nr_segs, loff_t pos)
40158 @@ -1083,8 +1087,9 @@ static ssize_t fuse_dev_write(struct kio
40159 fuse_copy_finish(&cs);
40162 +EXPORT_SYMBOL_GPL(fuse_dev_write);
40164 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
40165 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
40167 unsigned mask = POLLOUT | POLLWRNORM;
40168 struct fuse_conn *fc = fuse_get_conn(file);
40169 @@ -1102,6 +1107,7 @@ static unsigned fuse_dev_poll(struct fil
40173 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
40176 * Abort all requests on the given list (pending or processing)
40177 @@ -1218,7 +1224,7 @@ int fuse_dev_release(struct inode *inode
40179 EXPORT_SYMBOL_GPL(fuse_dev_release);
40181 -static int fuse_dev_fasync(int fd, struct file *file, int on)
40182 +int fuse_dev_fasync(int fd, struct file *file, int on)
40184 struct fuse_conn *fc = fuse_get_conn(file);
40186 @@ -1227,6 +1233,7 @@ static int fuse_dev_fasync(int fd, struc
40187 /* No locking - fasync_helper does its own locking */
40188 return fasync_helper(fd, file, on, &fc->fasync);
40190 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
40192 const struct file_operations fuse_dev_operations = {
40193 .owner = THIS_MODULE,
40194 diff -urNp linux-2.6.32.42/fs/fuse/dir.c linux-2.6.32.42/fs/fuse/dir.c
40195 --- linux-2.6.32.42/fs/fuse/dir.c 2011-03-27 14:31:47.000000000 -0400
40196 +++ linux-2.6.32.42/fs/fuse/dir.c 2011-04-17 15:56:46.000000000 -0400
40197 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
40201 -static void free_link(char *link)
40202 +static void free_link(const char *link)
40205 free_page((unsigned long) link);
40206 diff -urNp linux-2.6.32.42/fs/fuse/fuse_i.h linux-2.6.32.42/fs/fuse/fuse_i.h
40207 --- linux-2.6.32.42/fs/fuse/fuse_i.h 2011-03-27 14:31:47.000000000 -0400
40208 +++ linux-2.6.32.42/fs/fuse/fuse_i.h 2011-04-17 15:56:46.000000000 -0400
40209 @@ -525,6 +525,16 @@ extern const struct file_operations fuse
40211 extern const struct dentry_operations fuse_dentry_operations;
40213 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
40214 + unsigned long nr_segs, loff_t pos);
40216 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
40217 + unsigned long nr_segs, loff_t pos);
40219 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
40221 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
40224 * Inode to nodeid comparison.
40226 diff -urNp linux-2.6.32.42/fs/gfs2/ops_inode.c linux-2.6.32.42/fs/gfs2/ops_inode.c
40227 --- linux-2.6.32.42/fs/gfs2/ops_inode.c 2011-03-27 14:31:47.000000000 -0400
40228 +++ linux-2.6.32.42/fs/gfs2/ops_inode.c 2011-05-16 21:46:57.000000000 -0400
40229 @@ -752,6 +752,8 @@ static int gfs2_rename(struct inode *odi
40233 + pax_track_stack();
40235 if (ndentry->d_inode) {
40236 nip = GFS2_I(ndentry->d_inode);
40238 diff -urNp linux-2.6.32.42/fs/gfs2/sys.c linux-2.6.32.42/fs/gfs2/sys.c
40239 --- linux-2.6.32.42/fs/gfs2/sys.c 2011-03-27 14:31:47.000000000 -0400
40240 +++ linux-2.6.32.42/fs/gfs2/sys.c 2011-04-17 15:56:46.000000000 -0400
40241 @@ -49,7 +49,7 @@ static ssize_t gfs2_attr_store(struct ko
40242 return a->store ? a->store(sdp, buf, len) : len;
40245 -static struct sysfs_ops gfs2_attr_ops = {
40246 +static const struct sysfs_ops gfs2_attr_ops = {
40247 .show = gfs2_attr_show,
40248 .store = gfs2_attr_store,
40250 @@ -584,7 +584,7 @@ static int gfs2_uevent(struct kset *kset
40254 -static struct kset_uevent_ops gfs2_uevent_ops = {
40255 +static const struct kset_uevent_ops gfs2_uevent_ops = {
40256 .uevent = gfs2_uevent,
40259 diff -urNp linux-2.6.32.42/fs/hfsplus/catalog.c linux-2.6.32.42/fs/hfsplus/catalog.c
40260 --- linux-2.6.32.42/fs/hfsplus/catalog.c 2011-03-27 14:31:47.000000000 -0400
40261 +++ linux-2.6.32.42/fs/hfsplus/catalog.c 2011-05-16 21:46:57.000000000 -0400
40262 @@ -157,6 +157,8 @@ int hfsplus_find_cat(struct super_block
40266 + pax_track_stack();
40268 hfsplus_cat_build_key(sb, fd->search_key, cnid, NULL);
40269 err = hfs_brec_read(fd, &tmp, sizeof(hfsplus_cat_entry));
40271 @@ -186,6 +188,8 @@ int hfsplus_create_cat(u32 cnid, struct
40275 + pax_track_stack();
40277 dprint(DBG_CAT_MOD, "create_cat: %s,%u(%d)\n", str->name, cnid, inode->i_nlink);
40279 hfs_find_init(HFSPLUS_SB(sb).cat_tree, &fd);
40280 @@ -318,6 +322,8 @@ int hfsplus_rename_cat(u32 cnid,
40281 int entry_size, type;
40284 + pax_track_stack();
40286 dprint(DBG_CAT_MOD, "rename_cat: %u - %lu,%s - %lu,%s\n", cnid, src_dir->i_ino, src_name->name,
40287 dst_dir->i_ino, dst_name->name);
40288 sb = src_dir->i_sb;
40289 diff -urNp linux-2.6.32.42/fs/hfsplus/dir.c linux-2.6.32.42/fs/hfsplus/dir.c
40290 --- linux-2.6.32.42/fs/hfsplus/dir.c 2011-03-27 14:31:47.000000000 -0400
40291 +++ linux-2.6.32.42/fs/hfsplus/dir.c 2011-05-16 21:46:57.000000000 -0400
40292 @@ -121,6 +121,8 @@ static int hfsplus_readdir(struct file *
40293 struct hfsplus_readdir_data *rd;
40296 + pax_track_stack();
40298 if (filp->f_pos >= inode->i_size)
40301 diff -urNp linux-2.6.32.42/fs/hfsplus/inode.c linux-2.6.32.42/fs/hfsplus/inode.c
40302 --- linux-2.6.32.42/fs/hfsplus/inode.c 2011-03-27 14:31:47.000000000 -0400
40303 +++ linux-2.6.32.42/fs/hfsplus/inode.c 2011-05-16 21:46:57.000000000 -0400
40304 @@ -399,6 +399,8 @@ int hfsplus_cat_read_inode(struct inode
40308 + pax_track_stack();
40310 type = hfs_bnode_read_u16(fd->bnode, fd->entryoffset);
40312 HFSPLUS_I(inode).dev = 0;
40313 @@ -461,6 +463,8 @@ int hfsplus_cat_write_inode(struct inode
40314 struct hfs_find_data fd;
40315 hfsplus_cat_entry entry;
40317 + pax_track_stack();
40319 if (HFSPLUS_IS_RSRC(inode))
40320 main_inode = HFSPLUS_I(inode).rsrc_inode;
40322 diff -urNp linux-2.6.32.42/fs/hfsplus/ioctl.c linux-2.6.32.42/fs/hfsplus/ioctl.c
40323 --- linux-2.6.32.42/fs/hfsplus/ioctl.c 2011-03-27 14:31:47.000000000 -0400
40324 +++ linux-2.6.32.42/fs/hfsplus/ioctl.c 2011-05-16 21:46:57.000000000 -0400
40325 @@ -101,6 +101,8 @@ int hfsplus_setxattr(struct dentry *dent
40326 struct hfsplus_cat_file *file;
40329 + pax_track_stack();
40331 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
40332 return -EOPNOTSUPP;
40334 @@ -143,6 +145,8 @@ ssize_t hfsplus_getxattr(struct dentry *
40335 struct hfsplus_cat_file *file;
40338 + pax_track_stack();
40340 if (!S_ISREG(inode->i_mode) || HFSPLUS_IS_RSRC(inode))
40341 return -EOPNOTSUPP;
40343 diff -urNp linux-2.6.32.42/fs/hfsplus/super.c linux-2.6.32.42/fs/hfsplus/super.c
40344 --- linux-2.6.32.42/fs/hfsplus/super.c 2011-03-27 14:31:47.000000000 -0400
40345 +++ linux-2.6.32.42/fs/hfsplus/super.c 2011-05-16 21:46:57.000000000 -0400
40346 @@ -312,6 +312,8 @@ static int hfsplus_fill_super(struct sup
40347 struct nls_table *nls = NULL;
40350 + pax_track_stack();
40352 sbi = kzalloc(sizeof(*sbi), GFP_KERNEL);
40355 diff -urNp linux-2.6.32.42/fs/hugetlbfs/inode.c linux-2.6.32.42/fs/hugetlbfs/inode.c
40356 --- linux-2.6.32.42/fs/hugetlbfs/inode.c 2011-03-27 14:31:47.000000000 -0400
40357 +++ linux-2.6.32.42/fs/hugetlbfs/inode.c 2011-04-17 15:56:46.000000000 -0400
40358 @@ -909,7 +909,7 @@ static struct file_system_type hugetlbfs
40359 .kill_sb = kill_litter_super,
40362 -static struct vfsmount *hugetlbfs_vfsmount;
40363 +struct vfsmount *hugetlbfs_vfsmount;
40365 static int can_do_hugetlb_shm(void)
40367 diff -urNp linux-2.6.32.42/fs/ioctl.c linux-2.6.32.42/fs/ioctl.c
40368 --- linux-2.6.32.42/fs/ioctl.c 2011-03-27 14:31:47.000000000 -0400
40369 +++ linux-2.6.32.42/fs/ioctl.c 2011-04-17 15:56:46.000000000 -0400
40370 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
40371 u64 phys, u64 len, u32 flags)
40373 struct fiemap_extent extent;
40374 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
40375 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
40377 /* only count the extents */
40378 if (fieinfo->fi_extents_max == 0) {
40379 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
40381 fieinfo.fi_flags = fiemap.fm_flags;
40382 fieinfo.fi_extents_max = fiemap.fm_extent_count;
40383 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
40384 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
40386 if (fiemap.fm_extent_count != 0 &&
40387 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
40388 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
40389 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
40390 fiemap.fm_flags = fieinfo.fi_flags;
40391 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
40392 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
40393 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
40397 diff -urNp linux-2.6.32.42/fs/jbd/checkpoint.c linux-2.6.32.42/fs/jbd/checkpoint.c
40398 --- linux-2.6.32.42/fs/jbd/checkpoint.c 2011-03-27 14:31:47.000000000 -0400
40399 +++ linux-2.6.32.42/fs/jbd/checkpoint.c 2011-05-16 21:46:57.000000000 -0400
40400 @@ -348,6 +348,8 @@ int log_do_checkpoint(journal_t *journal
40404 + pax_track_stack();
40406 jbd_debug(1, "Start checkpoint\n");
40409 diff -urNp linux-2.6.32.42/fs/jffs2/compr_rtime.c linux-2.6.32.42/fs/jffs2/compr_rtime.c
40410 --- linux-2.6.32.42/fs/jffs2/compr_rtime.c 2011-03-27 14:31:47.000000000 -0400
40411 +++ linux-2.6.32.42/fs/jffs2/compr_rtime.c 2011-05-16 21:46:57.000000000 -0400
40412 @@ -37,6 +37,8 @@ static int jffs2_rtime_compress(unsigned
40416 + pax_track_stack();
40418 memset(positions,0,sizeof(positions));
40420 while (pos < (*sourcelen) && outpos <= (*dstlen)-2) {
40421 @@ -79,6 +81,8 @@ static int jffs2_rtime_decompress(unsign
40425 + pax_track_stack();
40427 memset(positions,0,sizeof(positions));
40429 while (outpos<destlen) {
40430 diff -urNp linux-2.6.32.42/fs/jffs2/compr_rubin.c linux-2.6.32.42/fs/jffs2/compr_rubin.c
40431 --- linux-2.6.32.42/fs/jffs2/compr_rubin.c 2011-03-27 14:31:47.000000000 -0400
40432 +++ linux-2.6.32.42/fs/jffs2/compr_rubin.c 2011-05-16 21:46:57.000000000 -0400
40433 @@ -314,6 +314,8 @@ static int jffs2_dynrubin_compress(unsig
40435 uint32_t mysrclen, mydstlen;
40437 + pax_track_stack();
40439 mysrclen = *sourcelen;
40440 mydstlen = *dstlen - 8;
40442 diff -urNp linux-2.6.32.42/fs/jffs2/erase.c linux-2.6.32.42/fs/jffs2/erase.c
40443 --- linux-2.6.32.42/fs/jffs2/erase.c 2011-03-27 14:31:47.000000000 -0400
40444 +++ linux-2.6.32.42/fs/jffs2/erase.c 2011-04-17 15:56:46.000000000 -0400
40445 @@ -434,7 +434,8 @@ static void jffs2_mark_erased_block(stru
40446 struct jffs2_unknown_node marker = {
40447 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
40448 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
40449 - .totlen = cpu_to_je32(c->cleanmarker_size)
40450 + .totlen = cpu_to_je32(c->cleanmarker_size),
40451 + .hdr_crc = cpu_to_je32(0)
40454 jffs2_prealloc_raw_node_refs(c, jeb, 1);
40455 diff -urNp linux-2.6.32.42/fs/jffs2/wbuf.c linux-2.6.32.42/fs/jffs2/wbuf.c
40456 --- linux-2.6.32.42/fs/jffs2/wbuf.c 2011-03-27 14:31:47.000000000 -0400
40457 +++ linux-2.6.32.42/fs/jffs2/wbuf.c 2011-04-17 15:56:46.000000000 -0400
40458 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
40460 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
40461 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
40462 - .totlen = constant_cpu_to_je32(8)
40463 + .totlen = constant_cpu_to_je32(8),
40464 + .hdr_crc = constant_cpu_to_je32(0)
40468 diff -urNp linux-2.6.32.42/fs/jffs2/xattr.c linux-2.6.32.42/fs/jffs2/xattr.c
40469 --- linux-2.6.32.42/fs/jffs2/xattr.c 2011-03-27 14:31:47.000000000 -0400
40470 +++ linux-2.6.32.42/fs/jffs2/xattr.c 2011-05-16 21:46:57.000000000 -0400
40471 @@ -773,6 +773,8 @@ void jffs2_build_xattr_subsystem(struct
40473 BUG_ON(!(c->flags & JFFS2_SB_FLAG_BUILDING));
40475 + pax_track_stack();
40477 /* Phase.1 : Merge same xref */
40478 for (i=0; i < XREF_TMPHASH_SIZE; i++)
40479 xref_tmphash[i] = NULL;
40480 diff -urNp linux-2.6.32.42/fs/jfs/super.c linux-2.6.32.42/fs/jfs/super.c
40481 --- linux-2.6.32.42/fs/jfs/super.c 2011-03-27 14:31:47.000000000 -0400
40482 +++ linux-2.6.32.42/fs/jfs/super.c 2011-06-07 18:06:04.000000000 -0400
40483 @@ -793,7 +793,7 @@ static int __init init_jfs_fs(void)
40486 kmem_cache_create("jfs_ip", sizeof(struct jfs_inode_info), 0,
40487 - SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD,
40488 + SLAB_RECLAIM_ACCOUNT|SLAB_MEM_SPREAD|SLAB_USERCOPY,
40490 if (jfs_inode_cachep == NULL)
40492 diff -urNp linux-2.6.32.42/fs/Kconfig.binfmt linux-2.6.32.42/fs/Kconfig.binfmt
40493 --- linux-2.6.32.42/fs/Kconfig.binfmt 2011-03-27 14:31:47.000000000 -0400
40494 +++ linux-2.6.32.42/fs/Kconfig.binfmt 2011-04-17 15:56:46.000000000 -0400
40495 @@ -86,7 +86,7 @@ config HAVE_AOUT
40498 tristate "Kernel support for a.out and ECOFF binaries"
40499 - depends on HAVE_AOUT
40500 + depends on HAVE_AOUT && BROKEN
40502 A.out (Assembler.OUTput) is a set of formats for libraries and
40503 executables used in the earliest versions of UNIX. Linux used
40504 diff -urNp linux-2.6.32.42/fs/libfs.c linux-2.6.32.42/fs/libfs.c
40505 --- linux-2.6.32.42/fs/libfs.c 2011-03-27 14:31:47.000000000 -0400
40506 +++ linux-2.6.32.42/fs/libfs.c 2011-05-11 18:25:15.000000000 -0400
40507 @@ -157,12 +157,20 @@ int dcache_readdir(struct file * filp, v
40509 for (p=q->next; p != &dentry->d_subdirs; p=p->next) {
40510 struct dentry *next;
40511 + char d_name[sizeof(next->d_iname)];
40512 + const unsigned char *name;
40514 next = list_entry(p, struct dentry, d_u.d_child);
40515 if (d_unhashed(next) || !next->d_inode)
40518 spin_unlock(&dcache_lock);
40519 - if (filldir(dirent, next->d_name.name,
40520 + name = next->d_name.name;
40521 + if (name == next->d_iname) {
40522 + memcpy(d_name, name, next->d_name.len);
40525 + if (filldir(dirent, name,
40526 next->d_name.len, filp->f_pos,
40527 next->d_inode->i_ino,
40528 dt_type(next->d_inode)) < 0)
40529 diff -urNp linux-2.6.32.42/fs/lockd/clntproc.c linux-2.6.32.42/fs/lockd/clntproc.c
40530 --- linux-2.6.32.42/fs/lockd/clntproc.c 2011-03-27 14:31:47.000000000 -0400
40531 +++ linux-2.6.32.42/fs/lockd/clntproc.c 2011-05-16 21:46:57.000000000 -0400
40532 @@ -36,11 +36,11 @@ static const struct rpc_call_ops nlmclnt
40534 * Cookie counter for NLM requests
40536 -static atomic_t nlm_cookie = ATOMIC_INIT(0x1234);
40537 +static atomic_unchecked_t nlm_cookie = ATOMIC_INIT(0x1234);
40539 void nlmclnt_next_cookie(struct nlm_cookie *c)
40541 - u32 cookie = atomic_inc_return(&nlm_cookie);
40542 + u32 cookie = atomic_inc_return_unchecked(&nlm_cookie);
40544 memcpy(c->data, &cookie, 4);
40546 @@ -621,6 +621,8 @@ nlmclnt_reclaim(struct nlm_host *host, s
40547 struct nlm_rqst reqst, *req;
40550 + pax_track_stack();
40553 memset(req, 0, sizeof(*req));
40554 locks_init_lock(&req->a_args.lock.fl);
40555 diff -urNp linux-2.6.32.42/fs/lockd/svc.c linux-2.6.32.42/fs/lockd/svc.c
40556 --- linux-2.6.32.42/fs/lockd/svc.c 2011-03-27 14:31:47.000000000 -0400
40557 +++ linux-2.6.32.42/fs/lockd/svc.c 2011-04-17 15:56:46.000000000 -0400
40560 static struct svc_program nlmsvc_program;
40562 -struct nlmsvc_binding * nlmsvc_ops;
40563 +const struct nlmsvc_binding * nlmsvc_ops;
40564 EXPORT_SYMBOL_GPL(nlmsvc_ops);
40566 static DEFINE_MUTEX(nlmsvc_mutex);
40567 diff -urNp linux-2.6.32.42/fs/locks.c linux-2.6.32.42/fs/locks.c
40568 --- linux-2.6.32.42/fs/locks.c 2011-03-27 14:31:47.000000000 -0400
40569 +++ linux-2.6.32.42/fs/locks.c 2011-04-17 15:56:46.000000000 -0400
40570 @@ -2007,16 +2007,16 @@ void locks_remove_flock(struct file *fil
40573 if (filp->f_op && filp->f_op->flock) {
40574 - struct file_lock fl = {
40575 + struct file_lock flock = {
40576 .fl_pid = current->tgid,
40578 .fl_flags = FL_FLOCK,
40579 .fl_type = F_UNLCK,
40580 .fl_end = OFFSET_MAX,
40582 - filp->f_op->flock(filp, F_SETLKW, &fl);
40583 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
40584 - fl.fl_ops->fl_release_private(&fl);
40585 + filp->f_op->flock(filp, F_SETLKW, &flock);
40586 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
40587 + flock.fl_ops->fl_release_private(&flock);
40591 diff -urNp linux-2.6.32.42/fs/namei.c linux-2.6.32.42/fs/namei.c
40592 --- linux-2.6.32.42/fs/namei.c 2011-03-27 14:31:47.000000000 -0400
40593 +++ linux-2.6.32.42/fs/namei.c 2011-05-16 21:46:57.000000000 -0400
40594 @@ -224,14 +224,6 @@ int generic_permission(struct inode *ino
40598 - * Read/write DACs are always overridable.
40599 - * Executable DACs are overridable if at least one exec bit is set.
40601 - if (!(mask & MAY_EXEC) || execute_ok(inode))
40602 - if (capable(CAP_DAC_OVERRIDE))
40606 * Searching includes executable on directories, else just read.
40608 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
40609 @@ -239,6 +231,14 @@ int generic_permission(struct inode *ino
40610 if (capable(CAP_DAC_READ_SEARCH))
40614 + * Read/write DACs are always overridable.
40615 + * Executable DACs are overridable if at least one exec bit is set.
40617 + if (!(mask & MAY_EXEC) || execute_ok(inode))
40618 + if (capable(CAP_DAC_OVERRIDE))
40624 @@ -458,7 +458,8 @@ static int exec_permission_lite(struct i
40628 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
40629 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
40630 + capable(CAP_DAC_OVERRIDE))
40634 @@ -638,7 +639,7 @@ static __always_inline int __do_follow_l
40635 cookie = dentry->d_inode->i_op->follow_link(dentry, nd);
40636 error = PTR_ERR(cookie);
40637 if (!IS_ERR(cookie)) {
40638 - char *s = nd_get_link(nd);
40639 + const char *s = nd_get_link(nd);
40642 error = __vfs_follow_link(nd, s);
40643 @@ -669,6 +670,13 @@ static inline int do_follow_link(struct
40644 err = security_inode_follow_link(path->dentry, nd);
40648 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
40649 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
40654 current->link_count++;
40655 current->total_link_count++;
40657 @@ -1016,11 +1024,18 @@ return_reval:
40661 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
40662 + path_put(&nd->path);
40667 path_put_conditional(&next, nd);
40670 + if (!gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
40673 path_put(&nd->path);
40676 @@ -1091,13 +1106,20 @@ static int do_path_lookup(int dfd, const
40677 int retval = path_init(dfd, name, flags, nd);
40679 retval = path_walk(name, nd);
40680 - if (unlikely(!retval && !audit_dummy_context() && nd->path.dentry &&
40681 - nd->path.dentry->d_inode))
40682 - audit_inode(name, nd->path.dentry);
40684 + if (likely(!retval)) {
40685 + if (nd->path.dentry && nd->path.dentry->d_inode) {
40686 + if (*name != '/' && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
40687 + retval = -ENOENT;
40688 + if (!audit_dummy_context())
40689 + audit_inode(name, nd->path.dentry);
40692 if (nd->root.mnt) {
40693 path_put(&nd->root);
40694 nd->root.mnt = NULL;
40700 @@ -1576,6 +1598,20 @@ int may_open(struct path *path, int acc_
40705 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
40709 + if (gr_handle_rawio(inode)) {
40713 + if (!gr_acl_handle_open(dentry, path->mnt, flag)) {
40718 if (flag & O_TRUNC) {
40719 error = get_write_access(inode);
40721 @@ -1621,12 +1657,19 @@ static int __open_namei_create(struct na
40723 struct dentry *dir = nd->path.dentry;
40725 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
40730 if (!IS_POSIXACL(dir->d_inode))
40731 mode &= ~current_umask();
40732 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
40735 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
40737 + gr_handle_create(path->dentry, nd->path.mnt);
40739 mutex_unlock(&dir->d_inode->i_mutex);
40740 dput(nd->path.dentry);
40741 @@ -1709,6 +1752,22 @@ struct file *do_filp_open(int dfd, const
40744 return ERR_PTR(error);
40746 + if (gr_handle_rofs_blockwrite(nd.path.dentry, nd.path.mnt, acc_mode)) {
40751 + if (gr_handle_rawio(nd.path.dentry->d_inode)) {
40756 + if (!gr_acl_handle_open(nd.path.dentry, nd.path.mnt, flag)) {
40764 @@ -1795,6 +1854,14 @@ do_last:
40766 * It already exists.
40769 + /* only check if O_CREAT is specified, all other checks need
40770 + to go into may_open */
40771 + if (gr_handle_fifo(path.dentry, path.mnt, dir, flag, acc_mode)) {
40773 + goto exit_mutex_unlock;
40776 mutex_unlock(&dir->d_inode->i_mutex);
40777 audit_inode(pathname, path.dentry);
40779 @@ -1887,6 +1954,13 @@ do_link:
40780 error = security_inode_follow_link(path.dentry, &nd);
40784 + if (gr_handle_follow_link(path.dentry->d_parent->d_inode, path.dentry->d_inode,
40785 + path.dentry, nd.path.mnt)) {
40790 error = __do_follow_link(&path, &nd);
40792 /* Does someone understand code flow here? Or it is only
40793 @@ -2061,6 +2135,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
40794 error = may_mknod(mode);
40798 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
40803 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
40808 error = mnt_want_write(nd.path.mnt);
40811 @@ -2081,6 +2166,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
40814 mnt_drop_write(nd.path.mnt);
40817 + gr_handle_create(dentry, nd.path.mnt);
40821 @@ -2134,6 +2222,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
40822 if (IS_ERR(dentry))
40825 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
40830 if (!IS_POSIXACL(nd.path.dentry->d_inode))
40831 mode &= ~current_umask();
40832 error = mnt_want_write(nd.path.mnt);
40833 @@ -2145,6 +2238,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
40834 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
40836 mnt_drop_write(nd.path.mnt);
40839 + gr_handle_create(dentry, nd.path.mnt);
40844 @@ -2226,6 +2323,8 @@ static long do_rmdir(int dfd, const char
40846 struct dentry *dentry;
40847 struct nameidata nd;
40848 + ino_t saved_ino = 0;
40849 + dev_t saved_dev = 0;
40851 error = user_path_parent(dfd, pathname, &nd, &name);
40853 @@ -2250,6 +2349,19 @@ static long do_rmdir(int dfd, const char
40854 error = PTR_ERR(dentry);
40855 if (IS_ERR(dentry))
40858 + if (dentry->d_inode != NULL) {
40859 + if (dentry->d_inode->i_nlink <= 1) {
40860 + saved_ino = dentry->d_inode->i_ino;
40861 + saved_dev = gr_get_dev_from_dentry(dentry);
40864 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
40870 error = mnt_want_write(nd.path.mnt);
40873 @@ -2257,6 +2369,8 @@ static long do_rmdir(int dfd, const char
40876 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
40877 + if (!error && (saved_dev || saved_ino))
40878 + gr_handle_delete(saved_ino, saved_dev);
40880 mnt_drop_write(nd.path.mnt);
40882 @@ -2318,6 +2432,8 @@ static long do_unlinkat(int dfd, const c
40883 struct dentry *dentry;
40884 struct nameidata nd;
40885 struct inode *inode = NULL;
40886 + ino_t saved_ino = 0;
40887 + dev_t saved_dev = 0;
40889 error = user_path_parent(dfd, pathname, &nd, &name);
40891 @@ -2337,8 +2453,19 @@ static long do_unlinkat(int dfd, const c
40892 if (nd.last.name[nd.last.len])
40894 inode = dentry->d_inode;
40897 + if (inode->i_nlink <= 1) {
40898 + saved_ino = inode->i_ino;
40899 + saved_dev = gr_get_dev_from_dentry(dentry);
40902 atomic_inc(&inode->i_count);
40904 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
40909 error = mnt_want_write(nd.path.mnt);
40912 @@ -2346,6 +2473,8 @@ static long do_unlinkat(int dfd, const c
40915 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
40916 + if (!error && (saved_ino || saved_dev))
40917 + gr_handle_delete(saved_ino, saved_dev);
40919 mnt_drop_write(nd.path.mnt);
40921 @@ -2424,6 +2553,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
40922 if (IS_ERR(dentry))
40925 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
40930 error = mnt_want_write(nd.path.mnt);
40933 @@ -2431,6 +2565,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
40935 goto out_drop_write;
40936 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
40938 + gr_handle_create(dentry, nd.path.mnt);
40940 mnt_drop_write(nd.path.mnt);
40942 @@ -2524,6 +2660,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
40943 error = PTR_ERR(new_dentry);
40944 if (IS_ERR(new_dentry))
40947 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
40948 + old_path.dentry->d_inode,
40949 + old_path.dentry->d_inode->i_mode, to)) {
40954 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
40955 + old_path.dentry, old_path.mnt, to)) {
40960 error = mnt_want_write(nd.path.mnt);
40963 @@ -2531,6 +2681,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
40965 goto out_drop_write;
40966 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
40968 + gr_handle_create(new_dentry, nd.path.mnt);
40970 mnt_drop_write(nd.path.mnt);
40972 @@ -2708,6 +2860,8 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
40976 + pax_track_stack();
40978 error = user_path_parent(olddfd, oldname, &oldnd, &from);
40981 @@ -2764,6 +2918,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
40982 if (new_dentry == trap)
40985 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
40986 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
40991 error = mnt_want_write(oldnd.path.mnt);
40994 @@ -2773,6 +2933,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
40996 error = vfs_rename(old_dir->d_inode, old_dentry,
40997 new_dir->d_inode, new_dentry);
40999 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
41000 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
41002 mnt_drop_write(oldnd.path.mnt);
41004 @@ -2798,6 +2961,8 @@ SYSCALL_DEFINE2(rename, const char __use
41006 int vfs_readlink(struct dentry *dentry, char __user *buffer, int buflen, const char *link)
41009 + const char *newlink;
41012 len = PTR_ERR(link);
41013 @@ -2807,7 +2972,14 @@ int vfs_readlink(struct dentry *dentry,
41014 len = strlen(link);
41015 if (len > (unsigned) buflen)
41017 - if (copy_to_user(buffer, link, len))
41019 + if (len < sizeof(tmpbuf)) {
41020 + memcpy(tmpbuf, link, len);
41021 + newlink = tmpbuf;
41025 + if (copy_to_user(buffer, newlink, len))
41029 diff -urNp linux-2.6.32.42/fs/namespace.c linux-2.6.32.42/fs/namespace.c
41030 --- linux-2.6.32.42/fs/namespace.c 2011-03-27 14:31:47.000000000 -0400
41031 +++ linux-2.6.32.42/fs/namespace.c 2011-04-17 15:56:46.000000000 -0400
41032 @@ -1083,6 +1083,9 @@ static int do_umount(struct vfsmount *mn
41033 if (!(sb->s_flags & MS_RDONLY))
41034 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
41035 up_write(&sb->s_umount);
41037 + gr_log_remount(mnt->mnt_devname, retval);
41042 @@ -1104,6 +1107,9 @@ static int do_umount(struct vfsmount *mn
41043 security_sb_umount_busy(mnt);
41044 up_write(&namespace_sem);
41045 release_mounts(&umount_list);
41047 + gr_log_unmount(mnt->mnt_devname, retval);
41052 @@ -1962,6 +1968,16 @@ long do_mount(char *dev_name, char *dir_
41056 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
41061 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
41066 if (flags & MS_REMOUNT)
41067 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
41069 @@ -1976,6 +1992,9 @@ long do_mount(char *dev_name, char *dir_
41070 dev_name, data_page);
41074 + gr_log_mount(dev_name, dir_name, retval);
41079 @@ -2182,6 +2201,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
41083 + if (gr_handle_chroot_pivot()) {
41089 read_lock(¤t->fs->lock);
41090 root = current->fs->root;
41091 path_get(¤t->fs->root);
41092 diff -urNp linux-2.6.32.42/fs/ncpfs/dir.c linux-2.6.32.42/fs/ncpfs/dir.c
41093 --- linux-2.6.32.42/fs/ncpfs/dir.c 2011-03-27 14:31:47.000000000 -0400
41094 +++ linux-2.6.32.42/fs/ncpfs/dir.c 2011-05-16 21:46:57.000000000 -0400
41095 @@ -275,6 +275,8 @@ __ncp_lookup_validate(struct dentry *den
41096 int res, val = 0, len;
41097 __u8 __name[NCP_MAXPATHLEN + 1];
41099 + pax_track_stack();
41101 parent = dget_parent(dentry);
41102 dir = parent->d_inode;
41104 @@ -799,6 +801,8 @@ static struct dentry *ncp_lookup(struct
41105 int error, res, len;
41106 __u8 __name[NCP_MAXPATHLEN + 1];
41108 + pax_track_stack();
41112 if (!ncp_conn_valid(server))
41113 @@ -883,10 +887,12 @@ int ncp_create_new(struct inode *dir, st
41114 int error, result, len;
41116 __u8 __name[NCP_MAXPATHLEN + 1];
41119 PPRINTK("ncp_create_new: creating %s/%s, mode=%x\n",
41120 dentry->d_parent->d_name.name, dentry->d_name.name, mode);
41122 + pax_track_stack();
41126 if (!ncp_conn_valid(server))
41127 @@ -952,6 +958,8 @@ static int ncp_mkdir(struct inode *dir,
41129 __u8 __name[NCP_MAXPATHLEN + 1];
41131 + pax_track_stack();
41133 DPRINTK("ncp_mkdir: making %s/%s\n",
41134 dentry->d_parent->d_name.name, dentry->d_name.name);
41136 @@ -960,6 +968,8 @@ static int ncp_mkdir(struct inode *dir,
41137 if (!ncp_conn_valid(server))
41140 + pax_track_stack();
41142 ncp_age_dentry(server, dentry);
41143 len = sizeof(__name);
41144 error = ncp_io2vol(server, __name, &len, dentry->d_name.name,
41145 @@ -1114,6 +1124,8 @@ static int ncp_rename(struct inode *old_
41146 int old_len, new_len;
41147 __u8 __old_name[NCP_MAXPATHLEN + 1], __new_name[NCP_MAXPATHLEN + 1];
41149 + pax_track_stack();
41151 DPRINTK("ncp_rename: %s/%s to %s/%s\n",
41152 old_dentry->d_parent->d_name.name, old_dentry->d_name.name,
41153 new_dentry->d_parent->d_name.name, new_dentry->d_name.name);
41154 diff -urNp linux-2.6.32.42/fs/ncpfs/inode.c linux-2.6.32.42/fs/ncpfs/inode.c
41155 --- linux-2.6.32.42/fs/ncpfs/inode.c 2011-03-27 14:31:47.000000000 -0400
41156 +++ linux-2.6.32.42/fs/ncpfs/inode.c 2011-05-16 21:46:57.000000000 -0400
41157 @@ -445,6 +445,8 @@ static int ncp_fill_super(struct super_b
41159 struct ncp_entry_info finfo;
41161 + pax_track_stack();
41163 data.wdog_pid = NULL;
41164 server = kzalloc(sizeof(struct ncp_server), GFP_KERNEL);
41166 diff -urNp linux-2.6.32.42/fs/nfs/inode.c linux-2.6.32.42/fs/nfs/inode.c
41167 --- linux-2.6.32.42/fs/nfs/inode.c 2011-05-10 22:12:01.000000000 -0400
41168 +++ linux-2.6.32.42/fs/nfs/inode.c 2011-05-10 22:12:33.000000000 -0400
41169 @@ -973,16 +973,16 @@ static int nfs_size_need_update(const st
41170 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
41173 -static atomic_long_t nfs_attr_generation_counter;
41174 +static atomic_long_unchecked_t nfs_attr_generation_counter;
41176 static unsigned long nfs_read_attr_generation_counter(void)
41178 - return atomic_long_read(&nfs_attr_generation_counter);
41179 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
41182 unsigned long nfs_inc_attr_generation_counter(void)
41184 - return atomic_long_inc_return(&nfs_attr_generation_counter);
41185 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
41188 void nfs_fattr_init(struct nfs_fattr *fattr)
41189 diff -urNp linux-2.6.32.42/fs/nfsd/lockd.c linux-2.6.32.42/fs/nfsd/lockd.c
41190 --- linux-2.6.32.42/fs/nfsd/lockd.c 2011-04-17 17:00:52.000000000 -0400
41191 +++ linux-2.6.32.42/fs/nfsd/lockd.c 2011-04-17 17:03:15.000000000 -0400
41192 @@ -66,7 +66,7 @@ nlm_fclose(struct file *filp)
41196 -static struct nlmsvc_binding nfsd_nlm_ops = {
41197 +static const struct nlmsvc_binding nfsd_nlm_ops = {
41198 .fopen = nlm_fopen, /* open file for locking */
41199 .fclose = nlm_fclose, /* close file */
41201 diff -urNp linux-2.6.32.42/fs/nfsd/nfs4state.c linux-2.6.32.42/fs/nfsd/nfs4state.c
41202 --- linux-2.6.32.42/fs/nfsd/nfs4state.c 2011-03-27 14:31:47.000000000 -0400
41203 +++ linux-2.6.32.42/fs/nfsd/nfs4state.c 2011-05-16 21:46:57.000000000 -0400
41204 @@ -3457,6 +3457,8 @@ nfsd4_lock(struct svc_rqst *rqstp, struc
41208 + pax_track_stack();
41210 dprintk("NFSD: nfsd4_lock: start=%Ld length=%Ld\n",
41211 (long long) lock->lk_offset,
41212 (long long) lock->lk_length);
41213 diff -urNp linux-2.6.32.42/fs/nfsd/nfs4xdr.c linux-2.6.32.42/fs/nfsd/nfs4xdr.c
41214 --- linux-2.6.32.42/fs/nfsd/nfs4xdr.c 2011-03-27 14:31:47.000000000 -0400
41215 +++ linux-2.6.32.42/fs/nfsd/nfs4xdr.c 2011-05-16 21:46:57.000000000 -0400
41216 @@ -1751,6 +1751,8 @@ nfsd4_encode_fattr(struct svc_fh *fhp, s
41217 struct nfsd4_compoundres *resp = rqstp->rq_resp;
41218 u32 minorversion = resp->cstate.minorversion;
41220 + pax_track_stack();
41222 BUG_ON(bmval1 & NFSD_WRITEONLY_ATTRS_WORD1);
41223 BUG_ON(bmval0 & ~nfsd_suppattrs0(minorversion));
41224 BUG_ON(bmval1 & ~nfsd_suppattrs1(minorversion));
41225 diff -urNp linux-2.6.32.42/fs/nfsd/vfs.c linux-2.6.32.42/fs/nfsd/vfs.c
41226 --- linux-2.6.32.42/fs/nfsd/vfs.c 2011-05-10 22:12:01.000000000 -0400
41227 +++ linux-2.6.32.42/fs/nfsd/vfs.c 2011-05-10 22:12:33.000000000 -0400
41228 @@ -937,7 +937,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
41232 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
41233 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
41237 @@ -1060,7 +1060,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
41239 /* Write the data. */
41240 oldfs = get_fs(); set_fs(KERNEL_DS);
41241 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
41242 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
41246 @@ -1542,7 +1542,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
41249 oldfs = get_fs(); set_fs(KERNEL_DS);
41250 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
41251 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
41255 diff -urNp linux-2.6.32.42/fs/nilfs2/ioctl.c linux-2.6.32.42/fs/nilfs2/ioctl.c
41256 --- linux-2.6.32.42/fs/nilfs2/ioctl.c 2011-03-27 14:31:47.000000000 -0400
41257 +++ linux-2.6.32.42/fs/nilfs2/ioctl.c 2011-05-04 17:56:28.000000000 -0400
41258 @@ -480,7 +480,7 @@ static int nilfs_ioctl_clean_segments(st
41259 unsigned int cmd, void __user *argp)
41261 struct nilfs_argv argv[5];
41262 - const static size_t argsz[5] = {
41263 + static const size_t argsz[5] = {
41264 sizeof(struct nilfs_vdesc),
41265 sizeof(struct nilfs_period),
41267 diff -urNp linux-2.6.32.42/fs/notify/dnotify/dnotify.c linux-2.6.32.42/fs/notify/dnotify/dnotify.c
41268 --- linux-2.6.32.42/fs/notify/dnotify/dnotify.c 2011-03-27 14:31:47.000000000 -0400
41269 +++ linux-2.6.32.42/fs/notify/dnotify/dnotify.c 2011-04-17 15:56:46.000000000 -0400
41270 @@ -173,7 +173,7 @@ static void dnotify_free_mark(struct fsn
41271 kmem_cache_free(dnotify_mark_entry_cache, dnentry);
41274 -static struct fsnotify_ops dnotify_fsnotify_ops = {
41275 +static const struct fsnotify_ops dnotify_fsnotify_ops = {
41276 .handle_event = dnotify_handle_event,
41277 .should_send_event = dnotify_should_send_event,
41278 .free_group_priv = NULL,
41279 diff -urNp linux-2.6.32.42/fs/notify/notification.c linux-2.6.32.42/fs/notify/notification.c
41280 --- linux-2.6.32.42/fs/notify/notification.c 2011-03-27 14:31:47.000000000 -0400
41281 +++ linux-2.6.32.42/fs/notify/notification.c 2011-05-04 17:56:28.000000000 -0400
41282 @@ -57,7 +57,7 @@ static struct kmem_cache *fsnotify_event
41283 * get set to 0 so it will never get 'freed'
41285 static struct fsnotify_event q_overflow_event;
41286 -static atomic_t fsnotify_sync_cookie = ATOMIC_INIT(0);
41287 +static atomic_unchecked_t fsnotify_sync_cookie = ATOMIC_INIT(0);
41290 * fsnotify_get_cookie - return a unique cookie for use in synchronizing events.
41291 @@ -65,7 +65,7 @@ static atomic_t fsnotify_sync_cookie = A
41293 u32 fsnotify_get_cookie(void)
41295 - return atomic_inc_return(&fsnotify_sync_cookie);
41296 + return atomic_inc_return_unchecked(&fsnotify_sync_cookie);
41298 EXPORT_SYMBOL_GPL(fsnotify_get_cookie);
41300 diff -urNp linux-2.6.32.42/fs/ntfs/dir.c linux-2.6.32.42/fs/ntfs/dir.c
41301 --- linux-2.6.32.42/fs/ntfs/dir.c 2011-03-27 14:31:47.000000000 -0400
41302 +++ linux-2.6.32.42/fs/ntfs/dir.c 2011-04-17 15:56:46.000000000 -0400
41303 @@ -1328,7 +1328,7 @@ find_next_index_buffer:
41304 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
41305 ~(s64)(ndir->itype.index.block_size - 1)));
41306 /* Bounds checks. */
41307 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
41308 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
41309 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
41310 "inode 0x%lx or driver bug.", vdir->i_ino);
41312 diff -urNp linux-2.6.32.42/fs/ntfs/file.c linux-2.6.32.42/fs/ntfs/file.c
41313 --- linux-2.6.32.42/fs/ntfs/file.c 2011-03-27 14:31:47.000000000 -0400
41314 +++ linux-2.6.32.42/fs/ntfs/file.c 2011-04-17 15:56:46.000000000 -0400
41315 @@ -2243,6 +2243,6 @@ const struct inode_operations ntfs_file_
41316 #endif /* NTFS_RW */
41319 -const struct file_operations ntfs_empty_file_ops = {};
41320 +const struct file_operations ntfs_empty_file_ops __read_only;
41322 -const struct inode_operations ntfs_empty_inode_ops = {};
41323 +const struct inode_operations ntfs_empty_inode_ops __read_only;
41324 diff -urNp linux-2.6.32.42/fs/ocfs2/cluster/masklog.c linux-2.6.32.42/fs/ocfs2/cluster/masklog.c
41325 --- linux-2.6.32.42/fs/ocfs2/cluster/masklog.c 2011-03-27 14:31:47.000000000 -0400
41326 +++ linux-2.6.32.42/fs/ocfs2/cluster/masklog.c 2011-04-17 15:56:46.000000000 -0400
41327 @@ -135,7 +135,7 @@ static ssize_t mlog_store(struct kobject
41328 return mlog_mask_store(mlog_attr->mask, buf, count);
41331 -static struct sysfs_ops mlog_attr_ops = {
41332 +static const struct sysfs_ops mlog_attr_ops = {
41334 .store = mlog_store,
41336 diff -urNp linux-2.6.32.42/fs/ocfs2/localalloc.c linux-2.6.32.42/fs/ocfs2/localalloc.c
41337 --- linux-2.6.32.42/fs/ocfs2/localalloc.c 2011-03-27 14:31:47.000000000 -0400
41338 +++ linux-2.6.32.42/fs/ocfs2/localalloc.c 2011-04-17 15:56:46.000000000 -0400
41339 @@ -1188,7 +1188,7 @@ static int ocfs2_local_alloc_slide_windo
41343 - atomic_inc(&osb->alloc_stats.moves);
41344 + atomic_inc_unchecked(&osb->alloc_stats.moves);
41348 diff -urNp linux-2.6.32.42/fs/ocfs2/namei.c linux-2.6.32.42/fs/ocfs2/namei.c
41349 --- linux-2.6.32.42/fs/ocfs2/namei.c 2011-03-27 14:31:47.000000000 -0400
41350 +++ linux-2.6.32.42/fs/ocfs2/namei.c 2011-05-16 21:46:57.000000000 -0400
41351 @@ -1043,6 +1043,8 @@ static int ocfs2_rename(struct inode *ol
41352 struct ocfs2_dir_lookup_result orphan_insert = { NULL, };
41353 struct ocfs2_dir_lookup_result target_insert = { NULL, };
41355 + pax_track_stack();
41357 /* At some point it might be nice to break this function up a
41360 diff -urNp linux-2.6.32.42/fs/ocfs2/ocfs2.h linux-2.6.32.42/fs/ocfs2/ocfs2.h
41361 --- linux-2.6.32.42/fs/ocfs2/ocfs2.h 2011-03-27 14:31:47.000000000 -0400
41362 +++ linux-2.6.32.42/fs/ocfs2/ocfs2.h 2011-04-17 15:56:46.000000000 -0400
41363 @@ -217,11 +217,11 @@ enum ocfs2_vol_state
41365 struct ocfs2_alloc_stats
41368 - atomic_t local_data;
41369 - atomic_t bitmap_data;
41370 - atomic_t bg_allocs;
41371 - atomic_t bg_extends;
41372 + atomic_unchecked_t moves;
41373 + atomic_unchecked_t local_data;
41374 + atomic_unchecked_t bitmap_data;
41375 + atomic_unchecked_t bg_allocs;
41376 + atomic_unchecked_t bg_extends;
41379 enum ocfs2_local_alloc_state
41380 diff -urNp linux-2.6.32.42/fs/ocfs2/suballoc.c linux-2.6.32.42/fs/ocfs2/suballoc.c
41381 --- linux-2.6.32.42/fs/ocfs2/suballoc.c 2011-03-27 14:31:47.000000000 -0400
41382 +++ linux-2.6.32.42/fs/ocfs2/suballoc.c 2011-04-17 15:56:46.000000000 -0400
41383 @@ -623,7 +623,7 @@ static int ocfs2_reserve_suballoc_bits(s
41384 mlog_errno(status);
41387 - atomic_inc(&osb->alloc_stats.bg_extends);
41388 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
41390 /* You should never ask for this much metadata */
41391 BUG_ON(bits_wanted >
41392 @@ -1654,7 +1654,7 @@ int ocfs2_claim_metadata(struct ocfs2_su
41393 mlog_errno(status);
41396 - atomic_inc(&osb->alloc_stats.bg_allocs);
41397 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
41399 *blkno_start = bg_blkno + (u64) *suballoc_bit_start;
41400 ac->ac_bits_given += (*num_bits);
41401 @@ -1728,7 +1728,7 @@ int ocfs2_claim_new_inode(struct ocfs2_s
41402 mlog_errno(status);
41405 - atomic_inc(&osb->alloc_stats.bg_allocs);
41406 + atomic_inc_unchecked(&osb->alloc_stats.bg_allocs);
41408 BUG_ON(num_bits != 1);
41410 @@ -1830,7 +1830,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
41414 - atomic_inc(&osb->alloc_stats.local_data);
41415 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
41417 if (min_clusters > (osb->bitmap_cpg - 1)) {
41418 /* The only paths asking for contiguousness
41419 @@ -1858,7 +1858,7 @@ int __ocfs2_claim_clusters(struct ocfs2_
41420 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
41423 - atomic_inc(&osb->alloc_stats.bitmap_data);
41424 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
41428 diff -urNp linux-2.6.32.42/fs/ocfs2/super.c linux-2.6.32.42/fs/ocfs2/super.c
41429 --- linux-2.6.32.42/fs/ocfs2/super.c 2011-03-27 14:31:47.000000000 -0400
41430 +++ linux-2.6.32.42/fs/ocfs2/super.c 2011-04-17 15:56:46.000000000 -0400
41431 @@ -284,11 +284,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
41432 "%10s => GlobalAllocs: %d LocalAllocs: %d "
41433 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
41435 - atomic_read(&osb->alloc_stats.bitmap_data),
41436 - atomic_read(&osb->alloc_stats.local_data),
41437 - atomic_read(&osb->alloc_stats.bg_allocs),
41438 - atomic_read(&osb->alloc_stats.moves),
41439 - atomic_read(&osb->alloc_stats.bg_extends));
41440 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
41441 + atomic_read_unchecked(&osb->alloc_stats.local_data),
41442 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
41443 + atomic_read_unchecked(&osb->alloc_stats.moves),
41444 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
41446 out += snprintf(buf + out, len - out,
41447 "%10s => State: %u Descriptor: %llu Size: %u bits "
41448 @@ -2002,11 +2002,11 @@ static int ocfs2_initialize_super(struct
41449 spin_lock_init(&osb->osb_xattr_lock);
41450 ocfs2_init_inode_steal_slot(osb);
41452 - atomic_set(&osb->alloc_stats.moves, 0);
41453 - atomic_set(&osb->alloc_stats.local_data, 0);
41454 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
41455 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
41456 - atomic_set(&osb->alloc_stats.bg_extends, 0);
41457 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
41458 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
41459 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
41460 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
41461 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
41463 /* Copy the blockcheck stats from the superblock probe */
41464 osb->osb_ecc_stats = *stats;
41465 diff -urNp linux-2.6.32.42/fs/open.c linux-2.6.32.42/fs/open.c
41466 --- linux-2.6.32.42/fs/open.c 2011-03-27 14:31:47.000000000 -0400
41467 +++ linux-2.6.32.42/fs/open.c 2011-04-17 15:56:46.000000000 -0400
41468 @@ -275,6 +275,10 @@ static long do_sys_truncate(const char _
41469 error = locks_verify_truncate(inode, NULL, length);
41471 error = security_path_truncate(&path, length, 0);
41473 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
41477 vfs_dq_init(inode);
41478 error = do_truncate(path.dentry, length, 0, NULL);
41479 @@ -511,6 +515,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
41480 if (__mnt_is_readonly(path.mnt))
41483 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
41489 @@ -537,6 +544,8 @@ SYSCALL_DEFINE1(chdir, const char __user
41493 + gr_log_chdir(path.dentry, path.mnt);
41495 set_fs_pwd(current->fs, &path);
41498 @@ -563,6 +572,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
41501 error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
41503 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
41507 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
41510 set_fs_pwd(current->fs, &file->f_path);
41512 @@ -588,7 +604,18 @@ SYSCALL_DEFINE1(chroot, const char __use
41513 if (!capable(CAP_SYS_CHROOT))
41516 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
41517 + goto dput_and_out;
41519 + if (gr_handle_chroot_caps(&path)) {
41521 + goto dput_and_out;
41524 set_fs_root(current->fs, &path);
41526 + gr_handle_chroot_chdir(&path);
41531 @@ -616,12 +643,27 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
41532 err = mnt_want_write_file(file);
41536 mutex_lock(&inode->i_mutex);
41538 + if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
41543 if (mode == (mode_t) -1)
41544 mode = inode->i_mode;
41546 + if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) {
41551 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
41552 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
41553 err = notify_change(dentry, &newattrs);
41556 mutex_unlock(&inode->i_mutex);
41557 mnt_drop_write(file->f_path.mnt);
41559 @@ -645,12 +687,27 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
41560 error = mnt_want_write(path.mnt);
41564 mutex_lock(&inode->i_mutex);
41566 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
41571 if (mode == (mode_t) -1)
41572 mode = inode->i_mode;
41574 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
41579 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
41580 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
41581 error = notify_change(path.dentry, &newattrs);
41584 mutex_unlock(&inode->i_mutex);
41585 mnt_drop_write(path.mnt);
41587 @@ -664,12 +721,15 @@ SYSCALL_DEFINE2(chmod, const char __user
41588 return sys_fchmodat(AT_FDCWD, filename, mode);
41591 -static int chown_common(struct dentry * dentry, uid_t user, gid_t group)
41592 +static int chown_common(struct dentry * dentry, uid_t user, gid_t group, struct vfsmount *mnt)
41594 struct inode *inode = dentry->d_inode;
41596 struct iattr newattrs;
41598 + if (!gr_acl_handle_chown(dentry, mnt))
41601 newattrs.ia_valid = ATTR_CTIME;
41602 if (user != (uid_t) -1) {
41603 newattrs.ia_valid |= ATTR_UID;
41604 @@ -700,7 +760,7 @@ SYSCALL_DEFINE3(chown, const char __user
41605 error = mnt_want_write(path.mnt);
41608 - error = chown_common(path.dentry, user, group);
41609 + error = chown_common(path.dentry, user, group, path.mnt);
41610 mnt_drop_write(path.mnt);
41613 @@ -725,7 +785,7 @@ SYSCALL_DEFINE5(fchownat, int, dfd, cons
41614 error = mnt_want_write(path.mnt);
41617 - error = chown_common(path.dentry, user, group);
41618 + error = chown_common(path.dentry, user, group, path.mnt);
41619 mnt_drop_write(path.mnt);
41622 @@ -744,7 +804,7 @@ SYSCALL_DEFINE3(lchown, const char __use
41623 error = mnt_want_write(path.mnt);
41626 - error = chown_common(path.dentry, user, group);
41627 + error = chown_common(path.dentry, user, group, path.mnt);
41628 mnt_drop_write(path.mnt);
41631 @@ -767,7 +827,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd
41633 dentry = file->f_path.dentry;
41634 audit_inode(NULL, dentry);
41635 - error = chown_common(dentry, user, group);
41636 + error = chown_common(dentry, user, group, file->f_path.mnt);
41637 mnt_drop_write(file->f_path.mnt);
41640 @@ -1036,7 +1096,10 @@ long do_sys_open(int dfd, const char __u
41641 if (!IS_ERR(tmp)) {
41642 fd = get_unused_fd_flags(flags);
41644 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
41646 + /* don't allow to be set by userland */
41647 + flags &= ~FMODE_GREXEC;
41648 + f = do_filp_open(dfd, tmp, flags, mode, 0);
41652 diff -urNp linux-2.6.32.42/fs/partitions/ldm.c linux-2.6.32.42/fs/partitions/ldm.c
41653 --- linux-2.6.32.42/fs/partitions/ldm.c 2011-06-25 12:55:34.000000000 -0400
41654 +++ linux-2.6.32.42/fs/partitions/ldm.c 2011-06-25 12:56:37.000000000 -0400
41655 @@ -1311,6 +1311,7 @@ static bool ldm_frag_add (const u8 *data
41656 ldm_error ("A VBLK claims to have %d parts.", num);
41661 ldm_error("REC value (%d) exceeds NUM value (%d)", rec, num);
41663 @@ -1322,7 +1323,7 @@ static bool ldm_frag_add (const u8 *data
41667 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
41668 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
41670 ldm_crit ("Out of memory.");
41672 diff -urNp linux-2.6.32.42/fs/partitions/mac.c linux-2.6.32.42/fs/partitions/mac.c
41673 --- linux-2.6.32.42/fs/partitions/mac.c 2011-03-27 14:31:47.000000000 -0400
41674 +++ linux-2.6.32.42/fs/partitions/mac.c 2011-04-17 15:56:46.000000000 -0400
41675 @@ -59,11 +59,11 @@ int mac_partition(struct parsed_partitio
41676 return 0; /* not a MacOS disk */
41678 blocks_in_map = be32_to_cpu(part->map_count);
41679 + printk(" [mac]");
41680 if (blocks_in_map < 0 || blocks_in_map >= DISK_MAX_PARTS) {
41681 put_dev_sector(sect);
41684 - printk(" [mac]");
41685 for (slot = 1; slot <= blocks_in_map; ++slot) {
41686 int pos = slot * secsize;
41687 put_dev_sector(sect);
41688 diff -urNp linux-2.6.32.42/fs/pipe.c linux-2.6.32.42/fs/pipe.c
41689 --- linux-2.6.32.42/fs/pipe.c 2011-03-27 14:31:47.000000000 -0400
41690 +++ linux-2.6.32.42/fs/pipe.c 2011-04-23 13:37:17.000000000 -0400
41691 @@ -401,9 +401,9 @@ redo:
41693 if (bufs) /* More to do? */
41695 - if (!pipe->writers)
41696 + if (!atomic_read(&pipe->writers))
41698 - if (!pipe->waiting_writers) {
41699 + if (!atomic_read(&pipe->waiting_writers)) {
41700 /* syscall merging: Usually we must not sleep
41701 * if O_NONBLOCK is set, or if we got some data.
41702 * But if a writer sleeps in kernel space, then
41703 @@ -462,7 +462,7 @@ pipe_write(struct kiocb *iocb, const str
41704 mutex_lock(&inode->i_mutex);
41705 pipe = inode->i_pipe;
41707 - if (!pipe->readers) {
41708 + if (!atomic_read(&pipe->readers)) {
41709 send_sig(SIGPIPE, current, 0);
41712 @@ -511,7 +511,7 @@ redo1:
41716 - if (!pipe->readers) {
41717 + if (!atomic_read(&pipe->readers)) {
41718 send_sig(SIGPIPE, current, 0);
41721 @@ -597,9 +597,9 @@ redo2:
41722 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
41725 - pipe->waiting_writers++;
41726 + atomic_inc(&pipe->waiting_writers);
41728 - pipe->waiting_writers--;
41729 + atomic_dec(&pipe->waiting_writers);
41732 mutex_unlock(&inode->i_mutex);
41733 @@ -666,7 +666,7 @@ pipe_poll(struct file *filp, poll_table
41735 if (filp->f_mode & FMODE_READ) {
41736 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
41737 - if (!pipe->writers && filp->f_version != pipe->w_counter)
41738 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
41742 @@ -676,7 +676,7 @@ pipe_poll(struct file *filp, poll_table
41743 * Most Unices do not set POLLERR for FIFOs but on Linux they
41744 * behave exactly like pipes for poll().
41746 - if (!pipe->readers)
41747 + if (!atomic_read(&pipe->readers))
41751 @@ -690,10 +690,10 @@ pipe_release(struct inode *inode, int de
41753 mutex_lock(&inode->i_mutex);
41754 pipe = inode->i_pipe;
41755 - pipe->readers -= decr;
41756 - pipe->writers -= decw;
41757 + atomic_sub(decr, &pipe->readers);
41758 + atomic_sub(decw, &pipe->writers);
41760 - if (!pipe->readers && !pipe->writers) {
41761 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
41762 free_pipe_info(inode);
41764 wake_up_interruptible_sync(&pipe->wait);
41765 @@ -783,7 +783,7 @@ pipe_read_open(struct inode *inode, stru
41767 if (inode->i_pipe) {
41769 - inode->i_pipe->readers++;
41770 + atomic_inc(&inode->i_pipe->readers);
41773 mutex_unlock(&inode->i_mutex);
41774 @@ -800,7 +800,7 @@ pipe_write_open(struct inode *inode, str
41776 if (inode->i_pipe) {
41778 - inode->i_pipe->writers++;
41779 + atomic_inc(&inode->i_pipe->writers);
41782 mutex_unlock(&inode->i_mutex);
41783 @@ -818,9 +818,9 @@ pipe_rdwr_open(struct inode *inode, stru
41784 if (inode->i_pipe) {
41786 if (filp->f_mode & FMODE_READ)
41787 - inode->i_pipe->readers++;
41788 + atomic_inc(&inode->i_pipe->readers);
41789 if (filp->f_mode & FMODE_WRITE)
41790 - inode->i_pipe->writers++;
41791 + atomic_inc(&inode->i_pipe->writers);
41794 mutex_unlock(&inode->i_mutex);
41795 @@ -905,7 +905,7 @@ void free_pipe_info(struct inode *inode)
41796 inode->i_pipe = NULL;
41799 -static struct vfsmount *pipe_mnt __read_mostly;
41800 +struct vfsmount *pipe_mnt __read_mostly;
41801 static int pipefs_delete_dentry(struct dentry *dentry)
41804 @@ -945,7 +945,8 @@ static struct inode * get_pipe_inode(voi
41806 inode->i_pipe = pipe;
41808 - pipe->readers = pipe->writers = 1;
41809 + atomic_set(&pipe->readers, 1);
41810 + atomic_set(&pipe->writers, 1);
41811 inode->i_fop = &rdwr_pipefifo_fops;
41814 diff -urNp linux-2.6.32.42/fs/proc/array.c linux-2.6.32.42/fs/proc/array.c
41815 --- linux-2.6.32.42/fs/proc/array.c 2011-03-27 14:31:47.000000000 -0400
41816 +++ linux-2.6.32.42/fs/proc/array.c 2011-05-16 21:46:57.000000000 -0400
41818 #include <linux/tty.h>
41819 #include <linux/string.h>
41820 #include <linux/mman.h>
41821 +#include <linux/grsecurity.h>
41822 #include <linux/proc_fs.h>
41823 #include <linux/ioport.h>
41824 #include <linux/uaccess.h>
41825 @@ -321,6 +322,21 @@ static inline void task_context_switch_c
41829 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
41830 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
41833 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
41834 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
41835 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
41836 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
41837 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
41838 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
41840 + seq_printf(m, "PaX:\t-----\n");
41844 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
41845 struct pid *pid, struct task_struct *task)
41847 @@ -337,9 +353,24 @@ int proc_pid_status(struct seq_file *m,
41849 cpuset_task_status_allowed(m, task);
41850 task_context_switch_counts(m, task);
41852 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
41853 + task_pax(m, task);
41856 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
41857 + task_grsec_rbac(m, task);
41863 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41864 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
41865 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
41866 + _mm->pax_flags & MF_PAX_SEGMEXEC))
41869 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
41870 struct pid *pid, struct task_struct *task, int whole)
41872 @@ -358,9 +389,11 @@ static int do_task_stat(struct seq_file
41873 cputime_t cutime, cstime, utime, stime;
41874 cputime_t cgtime, gtime;
41875 unsigned long rsslim = 0;
41876 - char tcomm[sizeof(task->comm)];
41877 + char tcomm[sizeof(task->comm)] = { 0 };
41878 unsigned long flags;
41880 + pax_track_stack();
41882 state = *get_task_state(task);
41883 vsize = eip = esp = 0;
41884 permitted = ptrace_may_access(task, PTRACE_MODE_READ);
41885 @@ -433,6 +466,19 @@ static int do_task_stat(struct seq_file
41886 gtime = task_gtime(task);
41889 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41890 + if (PAX_RAND_FLAGS(mm)) {
41896 +#ifdef CONFIG_GRKERNSEC_HIDESYM
41902 /* scale priority and nice values from timeslices to -20..20 */
41903 /* to make it look like a "normal" Unix priority/nice value */
41904 priority = task_prio(task);
41905 @@ -473,9 +519,15 @@ static int do_task_stat(struct seq_file
41907 mm ? get_mm_rss(mm) : 0,
41909 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41910 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->start_code : 1) : 0),
41911 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? (permitted ? mm->end_code : 1) : 0),
41912 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
41914 mm ? (permitted ? mm->start_code : 1) : 0,
41915 mm ? (permitted ? mm->end_code : 1) : 0,
41916 (permitted && mm) ? mm->start_stack : 0,
41920 /* The signal information here is obsolete.
41921 @@ -528,3 +580,18 @@ int proc_pid_statm(struct seq_file *m, s
41926 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
41927 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
41930 + unsigned long flags;
41932 + if (lock_task_sighand(task, &flags)) {
41933 + curr_ip = task->signal->curr_ip;
41934 + unlock_task_sighand(task, &flags);
41937 + return sprintf(buffer, "%pI4\n", &curr_ip);
41940 diff -urNp linux-2.6.32.42/fs/proc/base.c linux-2.6.32.42/fs/proc/base.c
41941 --- linux-2.6.32.42/fs/proc/base.c 2011-04-22 19:16:29.000000000 -0400
41942 +++ linux-2.6.32.42/fs/proc/base.c 2011-06-04 21:20:50.000000000 -0400
41943 @@ -102,6 +102,22 @@ struct pid_entry {
41947 +struct getdents_callback {
41948 + struct linux_dirent __user * current_dir;
41949 + struct linux_dirent __user * previous;
41950 + struct file * file;
41955 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
41956 + loff_t offset, u64 ino, unsigned int d_type)
41958 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
41959 + buf->error = -EINVAL;
41963 #define NOD(NAME, MODE, IOP, FOP, OP) { \
41965 .len = sizeof(NAME) - 1, \
41966 @@ -213,6 +229,9 @@ static int check_mem_permission(struct t
41967 if (task == current)
41970 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
41974 * If current is actively ptrace'ing, and would also be
41975 * permitted to freshly attach with ptrace now, permit it.
41976 @@ -260,6 +279,9 @@ static int proc_pid_cmdline(struct task_
41978 goto out_mm; /* Shh! No looking before we're done */
41980 + if (gr_acl_handle_procpidmem(task))
41983 len = mm->arg_end - mm->arg_start;
41985 if (len > PAGE_SIZE)
41986 @@ -287,12 +309,28 @@ out:
41990 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
41991 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
41992 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
41993 + _mm->pax_flags & MF_PAX_SEGMEXEC))
41996 static int proc_pid_auxv(struct task_struct *task, char *buffer)
41999 struct mm_struct *mm = get_task_mm(task);
42001 unsigned int nwords = 0;
42003 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
42004 + /* allow if we're currently ptracing this task */
42005 + if (PAX_RAND_FLAGS(mm) &&
42006 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
42014 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
42015 @@ -306,7 +344,7 @@ static int proc_pid_auxv(struct task_str
42019 -#ifdef CONFIG_KALLSYMS
42020 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
42022 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
42023 * Returns the resolved symbol. If that fails, simply return the address.
42024 @@ -328,7 +366,7 @@ static int proc_pid_wchan(struct task_st
42026 #endif /* CONFIG_KALLSYMS */
42028 -#ifdef CONFIG_STACKTRACE
42029 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
42031 #define MAX_STACK_TRACE_DEPTH 64
42033 @@ -522,7 +560,7 @@ static int proc_pid_limits(struct task_s
42037 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
42038 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
42039 static int proc_pid_syscall(struct task_struct *task, char *buffer)
42042 @@ -547,7 +585,7 @@ static int proc_pid_syscall(struct task_
42043 /************************************************************************/
42045 /* permission checks */
42046 -static int proc_fd_access_allowed(struct inode *inode)
42047 +static int proc_fd_access_allowed(struct inode *inode, unsigned int log)
42049 struct task_struct *task;
42051 @@ -557,7 +595,10 @@ static int proc_fd_access_allowed(struct
42053 task = get_proc_task(inode);
42055 - allowed = ptrace_may_access(task, PTRACE_MODE_READ);
42057 + allowed = ptrace_may_access_log(task, PTRACE_MODE_READ);
42059 + allowed = ptrace_may_access(task, PTRACE_MODE_READ);
42060 put_task_struct(task);
42063 @@ -936,6 +977,9 @@ static ssize_t environ_read(struct file
42067 + if (gr_acl_handle_procpidmem(task))
42070 if (!ptrace_may_access(task, PTRACE_MODE_READ))
42073 @@ -1350,7 +1394,7 @@ static void *proc_pid_follow_link(struct
42074 path_put(&nd->path);
42076 /* Are we allowed to snoop on the tasks file descriptors? */
42077 - if (!proc_fd_access_allowed(inode))
42078 + if (!proc_fd_access_allowed(inode,0))
42081 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path);
42082 @@ -1390,8 +1434,18 @@ static int proc_pid_readlink(struct dent
42085 /* Are we allowed to snoop on the tasks file descriptors? */
42086 - if (!proc_fd_access_allowed(inode))
42088 + /* logging this is needed for learning on chromium to work properly,
42089 + but we don't want to flood the logs from 'ps' which does a readlink
42090 + on /proc/fd/2 of tasks in the listing, nor do we want 'ps' to learn
42091 + CAP_SYS_PTRACE as it's not necessary for its basic functionality
42093 + if (dentry->d_name.name[0] == '2' && dentry->d_name.name[1] == '\0') {
42094 + if (!proc_fd_access_allowed(inode,0))
42097 + if (!proc_fd_access_allowed(inode,1))
42101 error = PROC_I(inode)->op.proc_get_link(inode, &path);
42103 @@ -1456,7 +1510,11 @@ static struct inode *proc_pid_make_inode
42105 cred = __task_cred(task);
42106 inode->i_uid = cred->euid;
42107 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
42108 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
42110 inode->i_gid = cred->egid;
42114 security_task_to_inode(task, inode);
42115 @@ -1474,6 +1532,9 @@ static int pid_getattr(struct vfsmount *
42116 struct inode *inode = dentry->d_inode;
42117 struct task_struct *task;
42118 const struct cred *cred;
42119 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42120 + const struct cred *tmpcred = current_cred();
42123 generic_fillattr(inode, stat);
42125 @@ -1481,13 +1542,41 @@ static int pid_getattr(struct vfsmount *
42128 task = pid_task(proc_pid(inode), PIDTYPE_PID);
42130 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
42131 + rcu_read_unlock();
42136 + cred = __task_cred(task);
42137 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42138 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
42139 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
42140 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
42144 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
42145 +#ifdef CONFIG_GRKERNSEC_PROC_USER
42146 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
42147 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42148 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
42150 task_dumpable(task)) {
42151 - cred = __task_cred(task);
42152 stat->uid = cred->euid;
42153 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
42154 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
42156 stat->gid = cred->egid;
42159 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42161 + rcu_read_unlock();
42168 @@ -1518,11 +1607,20 @@ static int pid_revalidate(struct dentry
42171 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
42172 +#ifdef CONFIG_GRKERNSEC_PROC_USER
42173 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
42174 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42175 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
42177 task_dumpable(task)) {
42179 cred = __task_cred(task);
42180 inode->i_uid = cred->euid;
42181 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
42182 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
42184 inode->i_gid = cred->egid;
42189 @@ -1643,7 +1741,8 @@ static int proc_fd_info(struct inode *in
42190 int fd = proc_fd(inode);
42193 - files = get_files_struct(task);
42194 + if (!gr_acl_handle_procpidmem(task))
42195 + files = get_files_struct(task);
42196 put_task_struct(task);
42199 @@ -1895,12 +1994,22 @@ static const struct file_operations proc
42200 static int proc_fd_permission(struct inode *inode, int mask)
42203 + struct task_struct *task;
42205 rv = generic_permission(inode, mask, NULL);
42209 if (task_pid(current) == proc_pid(inode))
42212 + task = get_proc_task(inode);
42213 + if (task == NULL)
42216 + if (gr_acl_handle_procpidmem(task))
42219 + put_task_struct(task);
42224 @@ -2009,6 +2118,9 @@ static struct dentry *proc_pident_lookup
42228 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
42232 * Yes, it does not scale. And it should not. Don't add
42233 * new entries into /proc/<tgid>/ without very good reasons.
42234 @@ -2053,6 +2165,9 @@ static int proc_pident_readdir(struct fi
42238 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
42244 @@ -2320,7 +2435,7 @@ static void *proc_self_follow_link(struc
42245 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
42248 - char *s = nd_get_link(nd);
42249 + const char *s = nd_get_link(nd);
42253 @@ -2519,7 +2634,7 @@ static const struct pid_entry tgid_base_
42254 #ifdef CONFIG_SCHED_DEBUG
42255 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
42257 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
42258 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
42259 INF("syscall", S_IRUSR, proc_pid_syscall),
42261 INF("cmdline", S_IRUGO, proc_pid_cmdline),
42262 @@ -2544,10 +2659,10 @@ static const struct pid_entry tgid_base_
42263 #ifdef CONFIG_SECURITY
42264 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
42266 -#ifdef CONFIG_KALLSYMS
42267 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
42268 INF("wchan", S_IRUGO, proc_pid_wchan),
42270 -#ifdef CONFIG_STACKTRACE
42271 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
42272 ONE("stack", S_IRUSR, proc_pid_stack),
42274 #ifdef CONFIG_SCHEDSTATS
42275 @@ -2577,6 +2692,9 @@ static const struct pid_entry tgid_base_
42276 #ifdef CONFIG_TASK_IO_ACCOUNTING
42277 INF("io", S_IRUGO, proc_tgid_io_accounting),
42279 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
42280 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
42284 static int proc_tgid_base_readdir(struct file * filp,
42285 @@ -2701,7 +2819,14 @@ static struct dentry *proc_pid_instantia
42289 +#ifdef CONFIG_GRKERNSEC_PROC_USER
42290 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
42291 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42292 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
42293 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
42295 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
42297 inode->i_op = &proc_tgid_base_inode_operations;
42298 inode->i_fop = &proc_tgid_base_operations;
42299 inode->i_flags|=S_IMMUTABLE;
42300 @@ -2743,7 +2868,11 @@ struct dentry *proc_pid_lookup(struct in
42304 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
42305 + goto out_put_task;
42307 result = proc_pid_instantiate(dir, dentry, task, NULL);
42309 put_task_struct(task);
42312 @@ -2808,6 +2937,11 @@ int proc_pid_readdir(struct file * filp,
42315 struct task_struct *reaper;
42316 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42317 + const struct cred *tmpcred = current_cred();
42318 + const struct cred *itercred;
42320 + filldir_t __filldir = filldir;
42321 struct tgid_iter iter;
42322 struct pid_namespace *ns;
42324 @@ -2831,8 +2965,27 @@ int proc_pid_readdir(struct file * filp,
42325 for (iter = next_tgid(ns, iter);
42327 iter.tgid += 1, iter = next_tgid(ns, iter)) {
42328 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42330 + itercred = __task_cred(iter.task);
42332 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
42333 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42334 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
42335 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
42336 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
42341 + __filldir = &gr_fake_filldir;
42343 + __filldir = filldir;
42344 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42345 + rcu_read_unlock();
42347 filp->f_pos = iter.tgid + TGID_OFFSET;
42348 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
42349 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
42350 put_task_struct(iter.task);
42353 @@ -2858,7 +3011,7 @@ static const struct pid_entry tid_base_s
42354 #ifdef CONFIG_SCHED_DEBUG
42355 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
42357 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
42358 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
42359 INF("syscall", S_IRUSR, proc_pid_syscall),
42361 INF("cmdline", S_IRUGO, proc_pid_cmdline),
42362 @@ -2882,10 +3035,10 @@ static const struct pid_entry tid_base_s
42363 #ifdef CONFIG_SECURITY
42364 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
42366 -#ifdef CONFIG_KALLSYMS
42367 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
42368 INF("wchan", S_IRUGO, proc_pid_wchan),
42370 -#ifdef CONFIG_STACKTRACE
42371 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
42372 ONE("stack", S_IRUSR, proc_pid_stack),
42374 #ifdef CONFIG_SCHEDSTATS
42375 diff -urNp linux-2.6.32.42/fs/proc/cmdline.c linux-2.6.32.42/fs/proc/cmdline.c
42376 --- linux-2.6.32.42/fs/proc/cmdline.c 2011-03-27 14:31:47.000000000 -0400
42377 +++ linux-2.6.32.42/fs/proc/cmdline.c 2011-04-17 15:56:46.000000000 -0400
42378 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
42380 static int __init proc_cmdline_init(void)
42382 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
42383 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
42385 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
42389 module_init(proc_cmdline_init);
42390 diff -urNp linux-2.6.32.42/fs/proc/devices.c linux-2.6.32.42/fs/proc/devices.c
42391 --- linux-2.6.32.42/fs/proc/devices.c 2011-03-27 14:31:47.000000000 -0400
42392 +++ linux-2.6.32.42/fs/proc/devices.c 2011-04-17 15:56:46.000000000 -0400
42393 @@ -64,7 +64,11 @@ static const struct file_operations proc
42395 static int __init proc_devices_init(void)
42397 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
42398 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
42400 proc_create("devices", 0, NULL, &proc_devinfo_operations);
42404 module_init(proc_devices_init);
42405 diff -urNp linux-2.6.32.42/fs/proc/inode.c linux-2.6.32.42/fs/proc/inode.c
42406 --- linux-2.6.32.42/fs/proc/inode.c 2011-03-27 14:31:47.000000000 -0400
42407 +++ linux-2.6.32.42/fs/proc/inode.c 2011-04-17 15:56:46.000000000 -0400
42408 @@ -457,7 +457,11 @@ struct inode *proc_get_inode(struct supe
42410 inode->i_mode = de->mode;
42411 inode->i_uid = de->uid;
42412 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
42413 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
42415 inode->i_gid = de->gid;
42419 inode->i_size = de->size;
42420 diff -urNp linux-2.6.32.42/fs/proc/internal.h linux-2.6.32.42/fs/proc/internal.h
42421 --- linux-2.6.32.42/fs/proc/internal.h 2011-03-27 14:31:47.000000000 -0400
42422 +++ linux-2.6.32.42/fs/proc/internal.h 2011-04-17 15:56:46.000000000 -0400
42423 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
42424 struct pid *pid, struct task_struct *task);
42425 extern int proc_pid_statm(struct seq_file *m, struct pid_namespace *ns,
42426 struct pid *pid, struct task_struct *task);
42427 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
42428 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
42430 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
42432 extern const struct file_operations proc_maps_operations;
42433 diff -urNp linux-2.6.32.42/fs/proc/Kconfig linux-2.6.32.42/fs/proc/Kconfig
42434 --- linux-2.6.32.42/fs/proc/Kconfig 2011-03-27 14:31:47.000000000 -0400
42435 +++ linux-2.6.32.42/fs/proc/Kconfig 2011-04-17 15:56:46.000000000 -0400
42436 @@ -30,12 +30,12 @@ config PROC_FS
42439 bool "/proc/kcore support" if !ARM
42440 - depends on PROC_FS && MMU
42441 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
42444 bool "/proc/vmcore support (EXPERIMENTAL)"
42445 - depends on PROC_FS && CRASH_DUMP
42447 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
42450 Exports the dump image of crashed kernel in ELF format.
42452 @@ -59,8 +59,8 @@ config PROC_SYSCTL
42455 config PROC_PAGE_MONITOR
42457 - depends on PROC_FS && MMU
42459 + depends on PROC_FS && MMU && !GRKERNSEC
42460 bool "Enable /proc page monitoring" if EMBEDDED
42462 Various /proc files exist to monitor process memory utilization:
42463 diff -urNp linux-2.6.32.42/fs/proc/kcore.c linux-2.6.32.42/fs/proc/kcore.c
42464 --- linux-2.6.32.42/fs/proc/kcore.c 2011-03-27 14:31:47.000000000 -0400
42465 +++ linux-2.6.32.42/fs/proc/kcore.c 2011-05-16 21:46:57.000000000 -0400
42466 @@ -320,6 +320,8 @@ static void elf_kcore_store_hdr(char *bu
42468 struct kcore_list *m;
42470 + pax_track_stack();
42472 /* setup ELF header */
42473 elf = (struct elfhdr *) bufp;
42474 bufp += sizeof(struct elfhdr);
42475 @@ -477,9 +479,10 @@ read_kcore(struct file *file, char __use
42476 * the addresses in the elf_phdr on our list.
42478 start = kc_offset_to_vaddr(*fpos - elf_buflen);
42479 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
42480 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
42481 + if (tsz > buflen)
42486 struct kcore_list *m;
42488 @@ -508,20 +511,23 @@ read_kcore(struct file *file, char __use
42491 if (kern_addr_valid(start)) {
42494 + mm_segment_t oldfs;
42496 - n = copy_to_user(buffer, (char *)start, tsz);
42498 - * We cannot distingush between fault on source
42499 - * and fault on destination. When this happens
42500 - * we clear too and hope it will trigger the
42504 - if (clear_user(buffer + tsz - n,
42506 + elf_buf = kmalloc(tsz, GFP_KERNEL);
42509 + oldfs = get_fs();
42510 + set_fs(KERNEL_DS);
42511 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
42513 + if (copy_to_user(buffer, elf_buf, tsz)) {
42521 if (clear_user(buffer, tsz))
42523 @@ -541,6 +547,9 @@ read_kcore(struct file *file, char __use
42525 static int open_kcore(struct inode *inode, struct file *filp)
42527 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
42530 if (!capable(CAP_SYS_RAWIO))
42532 if (kcore_need_update)
42533 diff -urNp linux-2.6.32.42/fs/proc/meminfo.c linux-2.6.32.42/fs/proc/meminfo.c
42534 --- linux-2.6.32.42/fs/proc/meminfo.c 2011-03-27 14:31:47.000000000 -0400
42535 +++ linux-2.6.32.42/fs/proc/meminfo.c 2011-05-16 21:46:57.000000000 -0400
42536 @@ -29,6 +29,8 @@ static int meminfo_proc_show(struct seq_
42537 unsigned long pages[NR_LRU_LISTS];
42540 + pax_track_stack();
42543 * display in kilobytes.
42545 @@ -149,7 +151,7 @@ static int meminfo_proc_show(struct seq_
42547 vmi.largest_chunk >> 10
42548 #ifdef CONFIG_MEMORY_FAILURE
42549 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
42550 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
42554 diff -urNp linux-2.6.32.42/fs/proc/nommu.c linux-2.6.32.42/fs/proc/nommu.c
42555 --- linux-2.6.32.42/fs/proc/nommu.c 2011-03-27 14:31:47.000000000 -0400
42556 +++ linux-2.6.32.42/fs/proc/nommu.c 2011-04-17 15:56:46.000000000 -0400
42557 @@ -67,7 +67,7 @@ static int nommu_region_show(struct seq_
42560 seq_printf(m, "%*c", len, ' ');
42561 - seq_path(m, &file->f_path, "");
42562 + seq_path(m, &file->f_path, "\n\\");
42566 diff -urNp linux-2.6.32.42/fs/proc/proc_net.c linux-2.6.32.42/fs/proc/proc_net.c
42567 --- linux-2.6.32.42/fs/proc/proc_net.c 2011-03-27 14:31:47.000000000 -0400
42568 +++ linux-2.6.32.42/fs/proc/proc_net.c 2011-04-17 15:56:46.000000000 -0400
42569 @@ -104,6 +104,17 @@ static struct net *get_proc_task_net(str
42570 struct task_struct *task;
42571 struct nsproxy *ns;
42572 struct net *net = NULL;
42573 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42574 + const struct cred *cred = current_cred();
42577 +#ifdef CONFIG_GRKERNSEC_PROC_USER
42580 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42581 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
42586 task = pid_task(proc_pid(dir), PIDTYPE_PID);
42587 diff -urNp linux-2.6.32.42/fs/proc/proc_sysctl.c linux-2.6.32.42/fs/proc/proc_sysctl.c
42588 --- linux-2.6.32.42/fs/proc/proc_sysctl.c 2011-03-27 14:31:47.000000000 -0400
42589 +++ linux-2.6.32.42/fs/proc/proc_sysctl.c 2011-04-17 15:56:46.000000000 -0400
42591 #include <linux/security.h>
42592 #include "internal.h"
42594 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
42596 static const struct dentry_operations proc_sys_dentry_operations;
42597 static const struct file_operations proc_sys_file_operations;
42598 static const struct inode_operations proc_sys_inode_operations;
42599 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
42603 + if (gr_handle_sysctl(p, MAY_EXEC))
42606 err = ERR_PTR(-ENOMEM);
42607 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
42609 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
42610 if (*pos < file->f_pos)
42613 + if (gr_handle_sysctl(table, 0))
42616 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
42619 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
42621 return PTR_ERR(head);
42623 + if (table && gr_handle_sysctl(table, MAY_EXEC))
42626 generic_fillattr(inode, stat);
42628 stat->mode = (stat->mode & S_IFMT) | table->mode;
42629 diff -urNp linux-2.6.32.42/fs/proc/root.c linux-2.6.32.42/fs/proc/root.c
42630 --- linux-2.6.32.42/fs/proc/root.c 2011-03-27 14:31:47.000000000 -0400
42631 +++ linux-2.6.32.42/fs/proc/root.c 2011-04-17 15:56:46.000000000 -0400
42632 @@ -134,7 +134,15 @@ void __init proc_root_init(void)
42633 #ifdef CONFIG_PROC_DEVICETREE
42634 proc_device_tree_init();
42636 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
42637 +#ifdef CONFIG_GRKERNSEC_PROC_USER
42638 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
42639 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
42640 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
42643 proc_mkdir("bus", NULL);
42648 diff -urNp linux-2.6.32.42/fs/proc/task_mmu.c linux-2.6.32.42/fs/proc/task_mmu.c
42649 --- linux-2.6.32.42/fs/proc/task_mmu.c 2011-03-27 14:31:47.000000000 -0400
42650 +++ linux-2.6.32.42/fs/proc/task_mmu.c 2011-04-23 13:38:09.000000000 -0400
42651 @@ -46,15 +46,26 @@ void task_mem(struct seq_file *m, struct
42652 "VmStk:\t%8lu kB\n"
42653 "VmExe:\t%8lu kB\n"
42654 "VmLib:\t%8lu kB\n"
42655 - "VmPTE:\t%8lu kB\n",
42656 - hiwater_vm << (PAGE_SHIFT-10),
42657 + "VmPTE:\t%8lu kB\n"
42659 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
42660 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
42663 + ,hiwater_vm << (PAGE_SHIFT-10),
42664 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
42665 mm->locked_vm << (PAGE_SHIFT-10),
42666 hiwater_rss << (PAGE_SHIFT-10),
42667 total_rss << (PAGE_SHIFT-10),
42668 data << (PAGE_SHIFT-10),
42669 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
42670 - (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10);
42671 + (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10
42673 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
42674 + , mm->context.user_cs_base, mm->context.user_cs_limit
42680 unsigned long task_vsize(struct mm_struct *mm)
42681 @@ -175,7 +186,8 @@ static void m_stop(struct seq_file *m, v
42682 struct proc_maps_private *priv = m->private;
42683 struct vm_area_struct *vma = v;
42685 - vma_stop(priv, vma);
42686 + if (!IS_ERR(vma))
42687 + vma_stop(priv, vma);
42689 put_task_struct(priv->task);
42691 @@ -199,6 +211,12 @@ static int do_maps_open(struct inode *in
42695 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
42696 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
42697 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
42698 + _mm->pax_flags & MF_PAX_SEGMEXEC))
42701 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
42703 struct mm_struct *mm = vma->vm_mm;
42704 @@ -206,7 +224,6 @@ static void show_map_vma(struct seq_file
42705 int flags = vma->vm_flags;
42706 unsigned long ino = 0;
42707 unsigned long long pgoff = 0;
42708 - unsigned long start;
42712 @@ -217,20 +234,23 @@ static void show_map_vma(struct seq_file
42713 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
42716 - /* We don't show the stack guard page in /proc/maps */
42717 - start = vma->vm_start;
42718 - if (vma->vm_flags & VM_GROWSDOWN)
42719 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
42720 - start += PAGE_SIZE;
42722 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
42724 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
42725 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
42726 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
42731 flags & VM_READ ? 'r' : '-',
42732 flags & VM_WRITE ? 'w' : '-',
42733 flags & VM_EXEC ? 'x' : '-',
42734 flags & VM_MAYSHARE ? 's' : 'p',
42735 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
42736 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
42740 MAJOR(dev), MINOR(dev), ino, &len);
42743 @@ -239,7 +259,7 @@ static void show_map_vma(struct seq_file
42746 pad_len_spaces(m, len);
42747 - seq_path(m, &file->f_path, "\n");
42748 + seq_path(m, &file->f_path, "\n\\");
42750 const char *name = arch_vma_name(vma);
42752 @@ -247,8 +267,9 @@ static void show_map_vma(struct seq_file
42753 if (vma->vm_start <= mm->brk &&
42754 vma->vm_end >= mm->start_brk) {
42756 - } else if (vma->vm_start <= mm->start_stack &&
42757 - vma->vm_end >= mm->start_stack) {
42758 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
42759 + (vma->vm_start <= mm->start_stack &&
42760 + vma->vm_end >= mm->start_stack)) {
42764 @@ -391,9 +412,16 @@ static int show_smap(struct seq_file *m,
42767 memset(&mss, 0, sizeof mss);
42769 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
42770 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
42772 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
42773 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
42776 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
42777 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
42778 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
42782 show_map_vma(m, vma);
42784 @@ -409,7 +437,11 @@ static int show_smap(struct seq_file *m,
42786 "KernelPageSize: %8lu kB\n"
42787 "MMUPageSize: %8lu kB\n",
42788 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
42789 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
42791 (vma->vm_end - vma->vm_start) >> 10,
42793 mss.resident >> 10,
42794 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
42795 mss.shared_clean >> 10,
42796 diff -urNp linux-2.6.32.42/fs/proc/task_nommu.c linux-2.6.32.42/fs/proc/task_nommu.c
42797 --- linux-2.6.32.42/fs/proc/task_nommu.c 2011-03-27 14:31:47.000000000 -0400
42798 +++ linux-2.6.32.42/fs/proc/task_nommu.c 2011-04-17 15:56:46.000000000 -0400
42799 @@ -50,7 +50,7 @@ void task_mem(struct seq_file *m, struct
42801 bytes += kobjsize(mm);
42803 - if (current->fs && current->fs->users > 1)
42804 + if (current->fs && atomic_read(¤t->fs->users) > 1)
42805 sbytes += kobjsize(current->fs);
42807 bytes += kobjsize(current->fs);
42808 @@ -154,7 +154,7 @@ static int nommu_vma_show(struct seq_fil
42811 seq_printf(m, "%*c", len, ' ');
42812 - seq_path(m, &file->f_path, "");
42813 + seq_path(m, &file->f_path, "\n\\");
42817 diff -urNp linux-2.6.32.42/fs/readdir.c linux-2.6.32.42/fs/readdir.c
42818 --- linux-2.6.32.42/fs/readdir.c 2011-03-27 14:31:47.000000000 -0400
42819 +++ linux-2.6.32.42/fs/readdir.c 2011-04-17 15:56:46.000000000 -0400
42821 #include <linux/security.h>
42822 #include <linux/syscalls.h>
42823 #include <linux/unistd.h>
42824 +#include <linux/namei.h>
42826 #include <asm/uaccess.h>
42828 @@ -67,6 +68,7 @@ struct old_linux_dirent {
42830 struct readdir_callback {
42831 struct old_linux_dirent __user * dirent;
42832 + struct file * file;
42836 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
42837 buf->result = -EOVERFLOW;
42841 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
42845 dirent = buf->dirent;
42846 if (!access_ok(VERIFY_WRITE, dirent,
42847 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
42850 buf.dirent = dirent;
42853 error = vfs_readdir(file, fillonedir, &buf);
42855 @@ -142,6 +149,7 @@ struct linux_dirent {
42856 struct getdents_callback {
42857 struct linux_dirent __user * current_dir;
42858 struct linux_dirent __user * previous;
42859 + struct file * file;
42863 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
42864 buf->error = -EOVERFLOW;
42868 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
42871 dirent = buf->previous;
42873 if (__put_user(offset, &dirent->d_off))
42874 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
42875 buf.previous = NULL;
42880 error = vfs_readdir(file, filldir, &buf);
42882 @@ -228,6 +241,7 @@ out:
42883 struct getdents_callback64 {
42884 struct linux_dirent64 __user * current_dir;
42885 struct linux_dirent64 __user * previous;
42886 + struct file *file;
42890 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
42891 buf->error = -EINVAL; /* only used if we fail.. */
42892 if (reclen > buf->count)
42895 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
42898 dirent = buf->previous;
42900 if (__put_user(offset, &dirent->d_off))
42901 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
42903 buf.current_dir = dirent;
42904 buf.previous = NULL;
42909 diff -urNp linux-2.6.32.42/fs/reiserfs/dir.c linux-2.6.32.42/fs/reiserfs/dir.c
42910 --- linux-2.6.32.42/fs/reiserfs/dir.c 2011-03-27 14:31:47.000000000 -0400
42911 +++ linux-2.6.32.42/fs/reiserfs/dir.c 2011-05-16 21:46:57.000000000 -0400
42912 @@ -66,6 +66,8 @@ int reiserfs_readdir_dentry(struct dentr
42913 struct reiserfs_dir_entry de;
42916 + pax_track_stack();
42918 reiserfs_write_lock(inode->i_sb);
42920 reiserfs_check_lock_depth(inode->i_sb, "readdir");
42921 diff -urNp linux-2.6.32.42/fs/reiserfs/do_balan.c linux-2.6.32.42/fs/reiserfs/do_balan.c
42922 --- linux-2.6.32.42/fs/reiserfs/do_balan.c 2011-03-27 14:31:47.000000000 -0400
42923 +++ linux-2.6.32.42/fs/reiserfs/do_balan.c 2011-04-17 15:56:46.000000000 -0400
42924 @@ -2058,7 +2058,7 @@ void do_balance(struct tree_balance *tb,
42928 - atomic_inc(&(fs_generation(tb->tb_sb)));
42929 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
42930 do_balance_starts(tb);
42932 /* balance leaf returns 0 except if combining L R and S into
42933 diff -urNp linux-2.6.32.42/fs/reiserfs/item_ops.c linux-2.6.32.42/fs/reiserfs/item_ops.c
42934 --- linux-2.6.32.42/fs/reiserfs/item_ops.c 2011-03-27 14:31:47.000000000 -0400
42935 +++ linux-2.6.32.42/fs/reiserfs/item_ops.c 2011-04-17 15:56:46.000000000 -0400
42936 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
42937 vi->vi_index, vi->vi_type, vi->vi_ih);
42940 -static struct item_operations stat_data_ops = {
42941 +static const struct item_operations stat_data_ops = {
42942 .bytes_number = sd_bytes_number,
42943 .decrement_key = sd_decrement_key,
42944 .is_left_mergeable = sd_is_left_mergeable,
42945 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
42946 vi->vi_index, vi->vi_type, vi->vi_ih);
42949 -static struct item_operations direct_ops = {
42950 +static const struct item_operations direct_ops = {
42951 .bytes_number = direct_bytes_number,
42952 .decrement_key = direct_decrement_key,
42953 .is_left_mergeable = direct_is_left_mergeable,
42954 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
42955 vi->vi_index, vi->vi_type, vi->vi_ih);
42958 -static struct item_operations indirect_ops = {
42959 +static const struct item_operations indirect_ops = {
42960 .bytes_number = indirect_bytes_number,
42961 .decrement_key = indirect_decrement_key,
42962 .is_left_mergeable = indirect_is_left_mergeable,
42963 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
42967 -static struct item_operations direntry_ops = {
42968 +static const struct item_operations direntry_ops = {
42969 .bytes_number = direntry_bytes_number,
42970 .decrement_key = direntry_decrement_key,
42971 .is_left_mergeable = direntry_is_left_mergeable,
42972 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
42973 "Invalid item type observed, run fsck ASAP");
42976 -static struct item_operations errcatch_ops = {
42977 +static const struct item_operations errcatch_ops = {
42978 errcatch_bytes_number,
42979 errcatch_decrement_key,
42980 errcatch_is_left_mergeable,
42981 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
42982 #error Item types must use disk-format assigned values.
42985 -struct item_operations *item_ops[TYPE_ANY + 1] = {
42986 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
42990 diff -urNp linux-2.6.32.42/fs/reiserfs/journal.c linux-2.6.32.42/fs/reiserfs/journal.c
42991 --- linux-2.6.32.42/fs/reiserfs/journal.c 2011-03-27 14:31:47.000000000 -0400
42992 +++ linux-2.6.32.42/fs/reiserfs/journal.c 2011-05-16 21:46:57.000000000 -0400
42993 @@ -2329,6 +2329,8 @@ static struct buffer_head *reiserfs_brea
42994 struct buffer_head *bh;
42997 + pax_track_stack();
42999 bh = __getblk(dev, block, bufsize);
43000 if (buffer_uptodate(bh))
43002 diff -urNp linux-2.6.32.42/fs/reiserfs/namei.c linux-2.6.32.42/fs/reiserfs/namei.c
43003 --- linux-2.6.32.42/fs/reiserfs/namei.c 2011-03-27 14:31:47.000000000 -0400
43004 +++ linux-2.6.32.42/fs/reiserfs/namei.c 2011-05-16 21:46:57.000000000 -0400
43005 @@ -1214,6 +1214,8 @@ static int reiserfs_rename(struct inode
43006 unsigned long savelink = 1;
43007 struct timespec ctime;
43009 + pax_track_stack();
43011 /* three balancings: (1) old name removal, (2) new name insertion
43012 and (3) maybe "save" link insertion
43013 stat data updates: (1) old directory,
43014 diff -urNp linux-2.6.32.42/fs/reiserfs/procfs.c linux-2.6.32.42/fs/reiserfs/procfs.c
43015 --- linux-2.6.32.42/fs/reiserfs/procfs.c 2011-03-27 14:31:47.000000000 -0400
43016 +++ linux-2.6.32.42/fs/reiserfs/procfs.c 2011-05-16 21:46:57.000000000 -0400
43017 @@ -123,7 +123,7 @@ static int show_super(struct seq_file *m
43018 "SMALL_TAILS " : "NO_TAILS ",
43019 replay_only(sb) ? "REPLAY_ONLY " : "",
43020 convert_reiserfs(sb) ? "CONV " : "",
43021 - atomic_read(&r->s_generation_counter),
43022 + atomic_read_unchecked(&r->s_generation_counter),
43023 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
43024 SF(s_do_balance), SF(s_unneeded_left_neighbor),
43025 SF(s_good_search_by_key_reada), SF(s_bmaps),
43026 @@ -309,6 +309,8 @@ static int show_journal(struct seq_file
43027 struct journal_params *jp = &rs->s_v1.s_journal;
43028 char b[BDEVNAME_SIZE];
43030 + pax_track_stack();
43032 seq_printf(m, /* on-disk fields */
43033 "jp_journal_1st_block: \t%i\n"
43034 "jp_journal_dev: \t%s[%x]\n"
43035 diff -urNp linux-2.6.32.42/fs/reiserfs/stree.c linux-2.6.32.42/fs/reiserfs/stree.c
43036 --- linux-2.6.32.42/fs/reiserfs/stree.c 2011-03-27 14:31:47.000000000 -0400
43037 +++ linux-2.6.32.42/fs/reiserfs/stree.c 2011-05-16 21:46:57.000000000 -0400
43038 @@ -1159,6 +1159,8 @@ int reiserfs_delete_item(struct reiserfs
43042 + pax_track_stack();
43044 BUG_ON(!th->t_trans_id);
43046 init_tb_struct(th, &s_del_balance, sb, path,
43047 @@ -1296,6 +1298,8 @@ void reiserfs_delete_solid_item(struct r
43049 int quota_cut_bytes = 0;
43051 + pax_track_stack();
43053 BUG_ON(!th->t_trans_id);
43055 le_key2cpu_key(&cpu_key, key);
43056 @@ -1525,6 +1529,8 @@ int reiserfs_cut_from_item(struct reiser
43057 int quota_cut_bytes;
43058 loff_t tail_pos = 0;
43060 + pax_track_stack();
43062 BUG_ON(!th->t_trans_id);
43064 init_tb_struct(th, &s_cut_balance, inode->i_sb, path,
43065 @@ -1920,6 +1926,8 @@ int reiserfs_paste_into_item(struct reis
43069 + pax_track_stack();
43071 BUG_ON(!th->t_trans_id);
43073 fs_gen = get_generation(inode->i_sb);
43074 @@ -2007,6 +2015,8 @@ int reiserfs_insert_item(struct reiserfs
43076 int quota_bytes = 0;
43078 + pax_track_stack();
43080 BUG_ON(!th->t_trans_id);
43082 if (inode) { /* Do we count quotas for item? */
43083 diff -urNp linux-2.6.32.42/fs/reiserfs/super.c linux-2.6.32.42/fs/reiserfs/super.c
43084 --- linux-2.6.32.42/fs/reiserfs/super.c 2011-03-27 14:31:47.000000000 -0400
43085 +++ linux-2.6.32.42/fs/reiserfs/super.c 2011-05-16 21:46:57.000000000 -0400
43086 @@ -912,6 +912,8 @@ static int reiserfs_parse_options(struct
43087 {.option_name = NULL}
43090 + pax_track_stack();
43093 if (!options || !*options)
43094 /* use default configuration: create tails, journaling on, no
43095 diff -urNp linux-2.6.32.42/fs/select.c linux-2.6.32.42/fs/select.c
43096 --- linux-2.6.32.42/fs/select.c 2011-03-27 14:31:47.000000000 -0400
43097 +++ linux-2.6.32.42/fs/select.c 2011-05-16 21:46:57.000000000 -0400
43099 #include <linux/module.h>
43100 #include <linux/slab.h>
43101 #include <linux/poll.h>
43102 +#include <linux/security.h>
43103 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
43104 #include <linux/file.h>
43105 #include <linux/fdtable.h>
43106 @@ -401,6 +402,8 @@ int do_select(int n, fd_set_bits *fds, s
43107 int retval, i, timed_out = 0;
43108 unsigned long slack = 0;
43110 + pax_track_stack();
43113 retval = max_select_fd(n, fds);
43115 @@ -529,6 +532,8 @@ int core_sys_select(int n, fd_set __user
43116 /* Allocate small arguments on the stack to save memory and be faster */
43117 long stack_fds[SELECT_STACK_ALLOC/sizeof(long)];
43119 + pax_track_stack();
43124 @@ -821,6 +826,9 @@ int do_sys_poll(struct pollfd __user *uf
43125 struct poll_list *walk = head;
43126 unsigned long todo = nfds;
43128 + pax_track_stack();
43130 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
43131 if (nfds > current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
43134 diff -urNp linux-2.6.32.42/fs/seq_file.c linux-2.6.32.42/fs/seq_file.c
43135 --- linux-2.6.32.42/fs/seq_file.c 2011-03-27 14:31:47.000000000 -0400
43136 +++ linux-2.6.32.42/fs/seq_file.c 2011-04-17 15:56:46.000000000 -0400
43137 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
43141 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
43142 + m->size = PAGE_SIZE;
43143 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
43147 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
43151 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
43153 + m->buf = kmalloc(m->size, GFP_KERNEL);
43154 return !m->buf ? -ENOMEM : -EAGAIN;
43157 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
43158 m->version = file->f_version;
43159 /* grab buffer if we didn't have one */
43161 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
43162 + m->size = PAGE_SIZE;
43163 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
43167 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
43171 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
43173 + m->buf = kmalloc(m->size, GFP_KERNEL);
43177 diff -urNp linux-2.6.32.42/fs/smbfs/symlink.c linux-2.6.32.42/fs/smbfs/symlink.c
43178 --- linux-2.6.32.42/fs/smbfs/symlink.c 2011-03-27 14:31:47.000000000 -0400
43179 +++ linux-2.6.32.42/fs/smbfs/symlink.c 2011-04-17 15:56:46.000000000 -0400
43180 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
43182 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
43184 - char *s = nd_get_link(nd);
43185 + const char *s = nd_get_link(nd);
43189 diff -urNp linux-2.6.32.42/fs/splice.c linux-2.6.32.42/fs/splice.c
43190 --- linux-2.6.32.42/fs/splice.c 2011-03-27 14:31:47.000000000 -0400
43191 +++ linux-2.6.32.42/fs/splice.c 2011-05-16 21:46:57.000000000 -0400
43192 @@ -185,7 +185,7 @@ ssize_t splice_to_pipe(struct pipe_inode
43196 - if (!pipe->readers) {
43197 + if (!atomic_read(&pipe->readers)) {
43198 send_sig(SIGPIPE, current, 0);
43201 @@ -239,9 +239,9 @@ ssize_t splice_to_pipe(struct pipe_inode
43205 - pipe->waiting_writers++;
43206 + atomic_inc(&pipe->waiting_writers);
43208 - pipe->waiting_writers--;
43209 + atomic_dec(&pipe->waiting_writers);
43213 @@ -285,6 +285,8 @@ __generic_file_splice_read(struct file *
43214 .spd_release = spd_release_page,
43217 + pax_track_stack();
43219 index = *ppos >> PAGE_CACHE_SHIFT;
43220 loff = *ppos & ~PAGE_CACHE_MASK;
43221 req_pages = (len + loff + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
43222 @@ -521,7 +523,7 @@ static ssize_t kernel_readv(struct file
43225 /* The cast to a user pointer is valid due to the set_fs() */
43226 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
43227 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
43231 @@ -536,7 +538,7 @@ static ssize_t kernel_write(struct file
43234 /* The cast to a user pointer is valid due to the set_fs() */
43235 - res = vfs_write(file, (const char __user *)buf, count, &pos);
43236 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
43240 @@ -565,6 +567,8 @@ ssize_t default_file_splice_read(struct
43241 .spd_release = spd_release_page,
43244 + pax_track_stack();
43246 index = *ppos >> PAGE_CACHE_SHIFT;
43247 offset = *ppos & ~PAGE_CACHE_MASK;
43248 nr_pages = (len + offset + PAGE_CACHE_SIZE - 1) >> PAGE_CACHE_SHIFT;
43249 @@ -578,7 +582,7 @@ ssize_t default_file_splice_read(struct
43252 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
43253 - vec[i].iov_base = (void __user *) page_address(page);
43254 + vec[i].iov_base = (__force void __user *) page_address(page);
43255 vec[i].iov_len = this_len;
43258 @@ -800,10 +804,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
43259 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
43261 while (!pipe->nrbufs) {
43262 - if (!pipe->writers)
43263 + if (!atomic_read(&pipe->writers))
43266 - if (!pipe->waiting_writers && sd->num_spliced)
43267 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
43270 if (sd->flags & SPLICE_F_NONBLOCK)
43271 @@ -1140,7 +1144,7 @@ ssize_t splice_direct_to_actor(struct fi
43272 * out of the pipe right after the splice_to_pipe(). So set
43273 * PIPE_READERS appropriately.
43275 - pipe->readers = 1;
43276 + atomic_set(&pipe->readers, 1);
43278 current->splice_pipe = pipe;
43280 @@ -1592,6 +1596,8 @@ static long vmsplice_to_pipe(struct file
43281 .spd_release = spd_release_page,
43284 + pax_track_stack();
43286 pipe = pipe_info(file->f_path.dentry->d_inode);
43289 @@ -1700,9 +1706,9 @@ static int ipipe_prep(struct pipe_inode_
43290 ret = -ERESTARTSYS;
43293 - if (!pipe->writers)
43294 + if (!atomic_read(&pipe->writers))
43296 - if (!pipe->waiting_writers) {
43297 + if (!atomic_read(&pipe->waiting_writers)) {
43298 if (flags & SPLICE_F_NONBLOCK) {
43301 @@ -1734,7 +1740,7 @@ static int opipe_prep(struct pipe_inode_
43304 while (pipe->nrbufs >= PIPE_BUFFERS) {
43305 - if (!pipe->readers) {
43306 + if (!atomic_read(&pipe->readers)) {
43307 send_sig(SIGPIPE, current, 0);
43310 @@ -1747,9 +1753,9 @@ static int opipe_prep(struct pipe_inode_
43311 ret = -ERESTARTSYS;
43314 - pipe->waiting_writers++;
43315 + atomic_inc(&pipe->waiting_writers);
43317 - pipe->waiting_writers--;
43318 + atomic_dec(&pipe->waiting_writers);
43322 @@ -1785,14 +1791,14 @@ retry:
43323 pipe_double_lock(ipipe, opipe);
43326 - if (!opipe->readers) {
43327 + if (!atomic_read(&opipe->readers)) {
43328 send_sig(SIGPIPE, current, 0);
43334 - if (!ipipe->nrbufs && !ipipe->writers)
43335 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
43339 @@ -1892,7 +1898,7 @@ static int link_pipe(struct pipe_inode_i
43340 pipe_double_lock(ipipe, opipe);
43343 - if (!opipe->readers) {
43344 + if (!atomic_read(&opipe->readers)) {
43345 send_sig(SIGPIPE, current, 0);
43348 @@ -1937,7 +1943,7 @@ static int link_pipe(struct pipe_inode_i
43349 * return EAGAIN if we have the potential of some data in the
43350 * future, otherwise just return 0
43352 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
43353 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
43356 pipe_unlock(ipipe);
43357 diff -urNp linux-2.6.32.42/fs/sysfs/file.c linux-2.6.32.42/fs/sysfs/file.c
43358 --- linux-2.6.32.42/fs/sysfs/file.c 2011-03-27 14:31:47.000000000 -0400
43359 +++ linux-2.6.32.42/fs/sysfs/file.c 2011-05-04 17:56:20.000000000 -0400
43360 @@ -44,7 +44,7 @@ static DEFINE_SPINLOCK(sysfs_open_dirent
43362 struct sysfs_open_dirent {
43365 + atomic_unchecked_t event;
43366 wait_queue_head_t poll;
43367 struct list_head buffers; /* goes through sysfs_buffer.list */
43369 @@ -53,7 +53,7 @@ struct sysfs_buffer {
43373 - struct sysfs_ops * ops;
43374 + const struct sysfs_ops * ops;
43375 struct mutex mutex;
43376 int needs_read_fill;
43378 @@ -75,7 +75,7 @@ static int fill_read_buffer(struct dentr
43380 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
43381 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
43382 - struct sysfs_ops * ops = buffer->ops;
43383 + const struct sysfs_ops * ops = buffer->ops;
43387 @@ -88,7 +88,7 @@ static int fill_read_buffer(struct dentr
43388 if (!sysfs_get_active_two(attr_sd))
43391 - buffer->event = atomic_read(&attr_sd->s_attr.open->event);
43392 + buffer->event = atomic_read_unchecked(&attr_sd->s_attr.open->event);
43393 count = ops->show(kobj, attr_sd->s_attr.attr, buffer->page);
43395 sysfs_put_active_two(attr_sd);
43396 @@ -199,7 +199,7 @@ flush_write_buffer(struct dentry * dentr
43398 struct sysfs_dirent *attr_sd = dentry->d_fsdata;
43399 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
43400 - struct sysfs_ops * ops = buffer->ops;
43401 + const struct sysfs_ops * ops = buffer->ops;
43404 /* need attr_sd for attr and ops, its parent for kobj */
43405 @@ -294,7 +294,7 @@ static int sysfs_get_open_dirent(struct
43408 atomic_set(&new_od->refcnt, 0);
43409 - atomic_set(&new_od->event, 1);
43410 + atomic_set_unchecked(&new_od->event, 1);
43411 init_waitqueue_head(&new_od->poll);
43412 INIT_LIST_HEAD(&new_od->buffers);
43414 @@ -335,7 +335,7 @@ static int sysfs_open_file(struct inode
43415 struct sysfs_dirent *attr_sd = file->f_path.dentry->d_fsdata;
43416 struct kobject *kobj = attr_sd->s_parent->s_dir.kobj;
43417 struct sysfs_buffer *buffer;
43418 - struct sysfs_ops *ops;
43419 + const struct sysfs_ops *ops;
43420 int error = -EACCES;
43423 @@ -444,7 +444,7 @@ static unsigned int sysfs_poll(struct fi
43425 sysfs_put_active_two(attr_sd);
43427 - if (buffer->event != atomic_read(&od->event))
43428 + if (buffer->event != atomic_read_unchecked(&od->event))
43431 return DEFAULT_POLLMASK;
43432 @@ -463,7 +463,7 @@ void sysfs_notify_dirent(struct sysfs_di
43434 od = sd->s_attr.open;
43436 - atomic_inc(&od->event);
43437 + atomic_inc_unchecked(&od->event);
43438 wake_up_interruptible(&od->poll);
43441 diff -urNp linux-2.6.32.42/fs/sysfs/mount.c linux-2.6.32.42/fs/sysfs/mount.c
43442 --- linux-2.6.32.42/fs/sysfs/mount.c 2011-03-27 14:31:47.000000000 -0400
43443 +++ linux-2.6.32.42/fs/sysfs/mount.c 2011-04-17 15:56:46.000000000 -0400
43444 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
43446 .s_count = ATOMIC_INIT(1),
43447 .s_flags = SYSFS_DIR,
43448 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
43449 + .s_mode = S_IFDIR | S_IRWXU,
43451 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
43456 diff -urNp linux-2.6.32.42/fs/sysfs/symlink.c linux-2.6.32.42/fs/sysfs/symlink.c
43457 --- linux-2.6.32.42/fs/sysfs/symlink.c 2011-03-27 14:31:47.000000000 -0400
43458 +++ linux-2.6.32.42/fs/sysfs/symlink.c 2011-04-17 15:56:46.000000000 -0400
43459 @@ -204,7 +204,7 @@ static void *sysfs_follow_link(struct de
43461 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
43463 - char *page = nd_get_link(nd);
43464 + const char *page = nd_get_link(nd);
43466 free_page((unsigned long)page);
43468 diff -urNp linux-2.6.32.42/fs/udf/balloc.c linux-2.6.32.42/fs/udf/balloc.c
43469 --- linux-2.6.32.42/fs/udf/balloc.c 2011-03-27 14:31:47.000000000 -0400
43470 +++ linux-2.6.32.42/fs/udf/balloc.c 2011-04-17 15:56:46.000000000 -0400
43471 @@ -172,9 +172,7 @@ static void udf_bitmap_free_blocks(struc
43473 mutex_lock(&sbi->s_alloc_mutex);
43474 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
43475 - if (bloc->logicalBlockNum < 0 ||
43476 - (bloc->logicalBlockNum + count) >
43477 - partmap->s_partition_len) {
43478 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
43479 udf_debug("%d < %d || %d + %d > %d\n",
43480 bloc->logicalBlockNum, 0, bloc->logicalBlockNum,
43481 count, partmap->s_partition_len);
43482 @@ -436,9 +434,7 @@ static void udf_table_free_blocks(struct
43484 mutex_lock(&sbi->s_alloc_mutex);
43485 partmap = &sbi->s_partmaps[bloc->partitionReferenceNum];
43486 - if (bloc->logicalBlockNum < 0 ||
43487 - (bloc->logicalBlockNum + count) >
43488 - partmap->s_partition_len) {
43489 + if ((bloc->logicalBlockNum + count) > partmap->s_partition_len) {
43490 udf_debug("%d < %d || %d + %d > %d\n",
43491 bloc.logicalBlockNum, 0, bloc.logicalBlockNum, count,
43492 partmap->s_partition_len);
43493 diff -urNp linux-2.6.32.42/fs/udf/inode.c linux-2.6.32.42/fs/udf/inode.c
43494 --- linux-2.6.32.42/fs/udf/inode.c 2011-03-27 14:31:47.000000000 -0400
43495 +++ linux-2.6.32.42/fs/udf/inode.c 2011-05-16 21:46:57.000000000 -0400
43496 @@ -484,6 +484,8 @@ static struct buffer_head *inode_getblk(
43497 int goal = 0, pgoal = iinfo->i_location.logicalBlockNum;
43500 + pax_track_stack();
43502 prev_epos.offset = udf_file_entry_alloc_offset(inode);
43503 prev_epos.block = iinfo->i_location;
43504 prev_epos.bh = NULL;
43505 diff -urNp linux-2.6.32.42/fs/udf/misc.c linux-2.6.32.42/fs/udf/misc.c
43506 --- linux-2.6.32.42/fs/udf/misc.c 2011-03-27 14:31:47.000000000 -0400
43507 +++ linux-2.6.32.42/fs/udf/misc.c 2011-04-23 12:56:11.000000000 -0400
43508 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
43510 u8 udf_tag_checksum(const struct tag *t)
43512 - u8 *data = (u8 *)t;
43513 + const u8 *data = (const u8 *)t;
43516 for (i = 0; i < sizeof(struct tag); ++i)
43517 diff -urNp linux-2.6.32.42/fs/utimes.c linux-2.6.32.42/fs/utimes.c
43518 --- linux-2.6.32.42/fs/utimes.c 2011-03-27 14:31:47.000000000 -0400
43519 +++ linux-2.6.32.42/fs/utimes.c 2011-04-17 15:56:46.000000000 -0400
43521 #include <linux/compiler.h>
43522 #include <linux/file.h>
43523 #include <linux/fs.h>
43524 +#include <linux/security.h>
43525 #include <linux/linkage.h>
43526 #include <linux/mount.h>
43527 #include <linux/namei.h>
43528 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
43529 goto mnt_drop_write_and_out;
43533 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
43535 + goto mnt_drop_write_and_out;
43538 mutex_lock(&inode->i_mutex);
43539 error = notify_change(path->dentry, &newattrs);
43540 mutex_unlock(&inode->i_mutex);
43541 diff -urNp linux-2.6.32.42/fs/xattr_acl.c linux-2.6.32.42/fs/xattr_acl.c
43542 --- linux-2.6.32.42/fs/xattr_acl.c 2011-03-27 14:31:47.000000000 -0400
43543 +++ linux-2.6.32.42/fs/xattr_acl.c 2011-04-17 15:56:46.000000000 -0400
43546 posix_acl_from_xattr(const void *value, size_t size)
43548 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
43549 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
43550 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
43551 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
43553 struct posix_acl *acl;
43554 struct posix_acl_entry *acl_e;
43555 diff -urNp linux-2.6.32.42/fs/xattr.c linux-2.6.32.42/fs/xattr.c
43556 --- linux-2.6.32.42/fs/xattr.c 2011-03-27 14:31:47.000000000 -0400
43557 +++ linux-2.6.32.42/fs/xattr.c 2011-04-17 15:56:46.000000000 -0400
43558 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
43559 * Extended attribute SET operations
43562 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
43563 +setxattr(struct path *path, const char __user *name, const void __user *value,
43564 size_t size, int flags)
43567 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
43568 return PTR_ERR(kvalue);
43571 - error = vfs_setxattr(d, kname, kvalue, size, flags);
43572 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
43577 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
43582 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
43584 error = mnt_want_write(path.mnt);
43586 - error = setxattr(path.dentry, name, value, size, flags);
43587 + error = setxattr(&path, name, value, size, flags);
43588 mnt_drop_write(path.mnt);
43591 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
43593 error = mnt_want_write(path.mnt);
43595 - error = setxattr(path.dentry, name, value, size, flags);
43596 + error = setxattr(&path, name, value, size, flags);
43597 mnt_drop_write(path.mnt);
43600 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
43601 const void __user *,value, size_t, size, int, flags)
43604 - struct dentry *dentry;
43605 int error = -EBADF;
43610 - dentry = f->f_path.dentry;
43611 - audit_inode(NULL, dentry);
43612 + audit_inode(NULL, f->f_path.dentry);
43613 error = mnt_want_write_file(f);
43615 - error = setxattr(dentry, name, value, size, flags);
43616 + error = setxattr(&f->f_path, name, value, size, flags);
43617 mnt_drop_write(f->f_path.mnt);
43620 diff -urNp linux-2.6.32.42/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.32.42/fs/xfs/linux-2.6/xfs_ioctl32.c
43621 --- linux-2.6.32.42/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-27 14:31:47.000000000 -0400
43622 +++ linux-2.6.32.42/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-04-17 15:56:46.000000000 -0400
43623 @@ -75,6 +75,7 @@ xfs_compat_ioc_fsgeometry_v1(
43624 xfs_fsop_geom_t fsgeo;
43627 + memset(&fsgeo, 0, sizeof(fsgeo));
43628 error = xfs_fs_geometry(mp, &fsgeo, 3);
43631 diff -urNp linux-2.6.32.42/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.32.42/fs/xfs/linux-2.6/xfs_ioctl.c
43632 --- linux-2.6.32.42/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 17:00:52.000000000 -0400
43633 +++ linux-2.6.32.42/fs/xfs/linux-2.6/xfs_ioctl.c 2011-04-17 20:07:09.000000000 -0400
43634 @@ -134,7 +134,7 @@ xfs_find_handle(
43638 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
43639 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
43640 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
43643 @@ -423,7 +423,7 @@ xfs_attrlist_by_handle(
43644 if (IS_ERR(dentry))
43645 return PTR_ERR(dentry);
43647 - kbuf = kmalloc(al_hreq.buflen, GFP_KERNEL);
43648 + kbuf = kzalloc(al_hreq.buflen, GFP_KERNEL);
43652 @@ -697,7 +697,7 @@ xfs_ioc_fsgeometry_v1(
43656 - xfs_fsop_geom_t fsgeo;
43657 + xfs_fsop_geom_t fsgeo;
43660 error = xfs_fs_geometry(mp, &fsgeo, 3);
43661 diff -urNp linux-2.6.32.42/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.32.42/fs/xfs/linux-2.6/xfs_iops.c
43662 --- linux-2.6.32.42/fs/xfs/linux-2.6/xfs_iops.c 2011-03-27 14:31:47.000000000 -0400
43663 +++ linux-2.6.32.42/fs/xfs/linux-2.6/xfs_iops.c 2011-04-17 15:56:46.000000000 -0400
43664 @@ -468,7 +468,7 @@ xfs_vn_put_link(
43665 struct nameidata *nd,
43668 - char *s = nd_get_link(nd);
43669 + const char *s = nd_get_link(nd);
43673 diff -urNp linux-2.6.32.42/fs/xfs/xfs_bmap.c linux-2.6.32.42/fs/xfs/xfs_bmap.c
43674 --- linux-2.6.32.42/fs/xfs/xfs_bmap.c 2011-03-27 14:31:47.000000000 -0400
43675 +++ linux-2.6.32.42/fs/xfs/xfs_bmap.c 2011-04-17 15:56:46.000000000 -0400
43676 @@ -360,7 +360,7 @@ xfs_bmap_validate_ret(
43680 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
43681 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
43684 #if defined(XFS_RW_TRACE)
43685 diff -urNp linux-2.6.32.42/fs/xfs/xfs_dir2_sf.c linux-2.6.32.42/fs/xfs/xfs_dir2_sf.c
43686 --- linux-2.6.32.42/fs/xfs/xfs_dir2_sf.c 2011-03-27 14:31:47.000000000 -0400
43687 +++ linux-2.6.32.42/fs/xfs/xfs_dir2_sf.c 2011-04-18 22:07:30.000000000 -0400
43688 @@ -779,7 +779,15 @@ xfs_dir2_sf_getdents(
43691 ino = xfs_dir2_sf_get_inumber(sfp, xfs_dir2_sf_inumberp(sfep));
43692 - if (filldir(dirent, sfep->name, sfep->namelen,
43693 + if (dp->i_df.if_u1.if_data == dp->i_df.if_u2.if_inline_data) {
43694 + char name[sfep->namelen];
43695 + memcpy(name, sfep->name, sfep->namelen);
43696 + if (filldir(dirent, name, sfep->namelen,
43697 + off & 0x7fffffff, ino, DT_UNKNOWN)) {
43698 + *offset = off & 0x7fffffff;
43701 + } else if (filldir(dirent, sfep->name, sfep->namelen,
43702 off & 0x7fffffff, ino, DT_UNKNOWN)) {
43703 *offset = off & 0x7fffffff;
43705 diff -urNp linux-2.6.32.42/grsecurity/gracl_alloc.c linux-2.6.32.42/grsecurity/gracl_alloc.c
43706 --- linux-2.6.32.42/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
43707 +++ linux-2.6.32.42/grsecurity/gracl_alloc.c 2011-04-17 15:56:46.000000000 -0400
43709 +#include <linux/kernel.h>
43710 +#include <linux/mm.h>
43711 +#include <linux/slab.h>
43712 +#include <linux/vmalloc.h>
43713 +#include <linux/gracl.h>
43714 +#include <linux/grsecurity.h>
43716 +static unsigned long alloc_stack_next = 1;
43717 +static unsigned long alloc_stack_size = 1;
43718 +static void **alloc_stack;
43720 +static __inline__ int
43723 + if (alloc_stack_next == 1)
43726 + kfree(alloc_stack[alloc_stack_next - 2]);
43728 + alloc_stack_next--;
43733 +static __inline__ int
43734 +alloc_push(void *buf)
43736 + if (alloc_stack_next >= alloc_stack_size)
43739 + alloc_stack[alloc_stack_next - 1] = buf;
43741 + alloc_stack_next++;
43747 +acl_alloc(unsigned long len)
43749 + void *ret = NULL;
43751 + if (!len || len > PAGE_SIZE)
43754 + ret = kmalloc(len, GFP_KERNEL);
43757 + if (alloc_push(ret)) {
43768 +acl_alloc_num(unsigned long num, unsigned long len)
43770 + if (!len || (num > (PAGE_SIZE / len)))
43773 + return acl_alloc(num * len);
43777 +acl_free_all(void)
43779 + if (gr_acl_is_enabled() || !alloc_stack)
43782 + while (alloc_pop()) ;
43784 + if (alloc_stack) {
43785 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
43786 + kfree(alloc_stack);
43788 + vfree(alloc_stack);
43791 + alloc_stack = NULL;
43792 + alloc_stack_size = 1;
43793 + alloc_stack_next = 1;
43799 +acl_alloc_stack_init(unsigned long size)
43801 + if ((size * sizeof (void *)) <= PAGE_SIZE)
43803 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
43805 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
43807 + alloc_stack_size = size;
43809 + if (!alloc_stack)
43814 diff -urNp linux-2.6.32.42/grsecurity/gracl.c linux-2.6.32.42/grsecurity/gracl.c
43815 --- linux-2.6.32.42/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
43816 +++ linux-2.6.32.42/grsecurity/gracl.c 2011-06-11 16:24:26.000000000 -0400
43818 +#include <linux/kernel.h>
43819 +#include <linux/module.h>
43820 +#include <linux/sched.h>
43821 +#include <linux/mm.h>
43822 +#include <linux/file.h>
43823 +#include <linux/fs.h>
43824 +#include <linux/namei.h>
43825 +#include <linux/mount.h>
43826 +#include <linux/tty.h>
43827 +#include <linux/proc_fs.h>
43828 +#include <linux/smp_lock.h>
43829 +#include <linux/slab.h>
43830 +#include <linux/vmalloc.h>
43831 +#include <linux/types.h>
43832 +#include <linux/sysctl.h>
43833 +#include <linux/netdevice.h>
43834 +#include <linux/ptrace.h>
43835 +#include <linux/gracl.h>
43836 +#include <linux/gralloc.h>
43837 +#include <linux/grsecurity.h>
43838 +#include <linux/grinternal.h>
43839 +#include <linux/pid_namespace.h>
43840 +#include <linux/fdtable.h>
43841 +#include <linux/percpu.h>
43843 +#include <asm/uaccess.h>
43844 +#include <asm/errno.h>
43845 +#include <asm/mman.h>
43847 +static struct acl_role_db acl_role_set;
43848 +static struct name_db name_set;
43849 +static struct inodev_db inodev_set;
43851 +/* for keeping track of userspace pointers used for subjects, so we
43852 + can share references in the kernel as well
43855 +static struct dentry *real_root;
43856 +static struct vfsmount *real_root_mnt;
43858 +static struct acl_subj_map_db subj_map_set;
43860 +static struct acl_role_label *default_role;
43862 +static struct acl_role_label *role_list;
43864 +static u16 acl_sp_role_value;
43866 +extern char *gr_shared_page[4];
43867 +static DEFINE_MUTEX(gr_dev_mutex);
43868 +DEFINE_RWLOCK(gr_inode_lock);
43870 +struct gr_arg *gr_usermode;
43872 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
43874 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
43875 +extern void gr_clear_learn_entries(void);
43877 +#ifdef CONFIG_GRKERNSEC_RESLOG
43878 +extern void gr_log_resource(const struct task_struct *task,
43879 + const int res, const unsigned long wanted, const int gt);
43882 +unsigned char *gr_system_salt;
43883 +unsigned char *gr_system_sum;
43885 +static struct sprole_pw **acl_special_roles = NULL;
43886 +static __u16 num_sprole_pws = 0;
43888 +static struct acl_role_label *kernel_role = NULL;
43890 +static unsigned int gr_auth_attempts = 0;
43891 +static unsigned long gr_auth_expires = 0UL;
43894 +extern struct vfsmount *sock_mnt;
43896 +extern struct vfsmount *pipe_mnt;
43897 +extern struct vfsmount *shm_mnt;
43898 +#ifdef CONFIG_HUGETLBFS
43899 +extern struct vfsmount *hugetlbfs_vfsmount;
43902 +static struct acl_object_label *fakefs_obj_rw;
43903 +static struct acl_object_label *fakefs_obj_rwx;
43905 +extern int gr_init_uidset(void);
43906 +extern void gr_free_uidset(void);
43907 +extern void gr_remove_uid(uid_t uid);
43908 +extern int gr_find_uid(uid_t uid);
43911 +gr_acl_is_enabled(void)
43913 + return (gr_status & GR_READY);
43916 +#ifdef CONFIG_BTRFS_FS
43917 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
43918 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
43921 +static inline dev_t __get_dev(const struct dentry *dentry)
43923 +#ifdef CONFIG_BTRFS_FS
43924 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
43925 + return get_btrfs_dev_from_inode(dentry->d_inode);
43928 + return dentry->d_inode->i_sb->s_dev;
43931 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
43933 + return __get_dev(dentry);
43936 +static char gr_task_roletype_to_char(struct task_struct *task)
43938 + switch (task->role->roletype &
43939 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
43940 + GR_ROLE_SPECIAL)) {
43941 + case GR_ROLE_DEFAULT:
43943 + case GR_ROLE_USER:
43945 + case GR_ROLE_GROUP:
43947 + case GR_ROLE_SPECIAL:
43954 +char gr_roletype_to_char(void)
43956 + return gr_task_roletype_to_char(current);
43960 +gr_acl_tpe_check(void)
43962 + if (unlikely(!(gr_status & GR_READY)))
43964 + if (current->role->roletype & GR_ROLE_TPE)
43971 +gr_handle_rawio(const struct inode *inode)
43973 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
43974 + if (inode && S_ISBLK(inode->i_mode) &&
43975 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
43976 + !capable(CAP_SYS_RAWIO))
43983 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
43985 + if (likely(lena != lenb))
43988 + return !memcmp(a, b, lena);
43991 +/* this must be called with vfsmount_lock and dcache_lock held */
43993 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
43994 + struct dentry *root, struct vfsmount *rootmnt,
43995 + char *buffer, int buflen)
43997 + char * end = buffer+buflen;
44006 + /* Get '/' right */
44011 + struct dentry * parent;
44013 + if (dentry == root && vfsmnt == rootmnt)
44015 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
44016 + /* Global root? */
44017 + if (vfsmnt->mnt_parent == vfsmnt)
44018 + goto global_root;
44019 + dentry = vfsmnt->mnt_mountpoint;
44020 + vfsmnt = vfsmnt->mnt_parent;
44023 + parent = dentry->d_parent;
44024 + prefetch(parent);
44025 + namelen = dentry->d_name.len;
44026 + buflen -= namelen + 1;
44030 + memcpy(end, dentry->d_name.name, namelen);
44040 + namelen = dentry->d_name.len;
44041 + buflen -= namelen;
44044 + retval -= namelen-1; /* hit the slash */
44045 + memcpy(retval, dentry->d_name.name, namelen);
44048 + retval = ERR_PTR(-ENAMETOOLONG);
44053 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
44054 + struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
44058 + retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
44059 + if (unlikely(IS_ERR(retval)))
44060 + retval = strcpy(buf, "<path too long>");
44061 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
44062 + retval[1] = '\0';
44068 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
44069 + char *buf, int buflen)
44073 + /* we can use real_root, real_root_mnt, because this is only called
44074 + by the RBAC system */
44075 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
44081 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
44082 + char *buf, int buflen)
44085 + struct dentry *root;
44086 + struct vfsmount *rootmnt;
44087 + struct task_struct *reaper = &init_task;
44089 + /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
44090 + read_lock(&reaper->fs->lock);
44091 + root = dget(reaper->fs->root.dentry);
44092 + rootmnt = mntget(reaper->fs->root.mnt);
44093 + read_unlock(&reaper->fs->lock);
44095 + spin_lock(&dcache_lock);
44096 + spin_lock(&vfsmount_lock);
44097 + res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
44098 + spin_unlock(&vfsmount_lock);
44099 + spin_unlock(&dcache_lock);
44107 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
44110 + spin_lock(&dcache_lock);
44111 + spin_lock(&vfsmount_lock);
44112 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
44114 + spin_unlock(&vfsmount_lock);
44115 + spin_unlock(&dcache_lock);
44120 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
44122 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
44127 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
44129 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
44134 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
44136 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
44141 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
44143 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
44148 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
44150 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
44155 +to_gr_audit(const __u32 reqmode)
44157 + /* masks off auditable permission flags, then shifts them to create
44158 + auditing flags, and adds the special case of append auditing if
44159 + we're requesting write */
44160 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
44163 +struct acl_subject_label *
44164 +lookup_subject_map(const struct acl_subject_label *userp)
44166 + unsigned int index = shash(userp, subj_map_set.s_size);
44167 + struct subject_map *match;
44169 + match = subj_map_set.s_hash[index];
44171 + while (match && match->user != userp)
44172 + match = match->next;
44174 + if (match != NULL)
44175 + return match->kernel;
44181 +insert_subj_map_entry(struct subject_map *subjmap)
44183 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
44184 + struct subject_map **curr;
44186 + subjmap->prev = NULL;
44188 + curr = &subj_map_set.s_hash[index];
44189 + if (*curr != NULL)
44190 + (*curr)->prev = subjmap;
44192 + subjmap->next = *curr;
44198 +static struct acl_role_label *
44199 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
44202 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
44203 + struct acl_role_label *match;
44204 + struct role_allowed_ip *ipp;
44206 + u32 curr_ip = task->signal->curr_ip;
44208 + task->signal->saved_ip = curr_ip;
44210 + match = acl_role_set.r_hash[index];
44213 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
44214 + for (x = 0; x < match->domain_child_num; x++) {
44215 + if (match->domain_children[x] == uid)
44218 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
44220 + match = match->next;
44223 + if (match == NULL) {
44225 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
44226 + match = acl_role_set.r_hash[index];
44229 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
44230 + for (x = 0; x < match->domain_child_num; x++) {
44231 + if (match->domain_children[x] == gid)
44234 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
44236 + match = match->next;
44239 + if (match == NULL)
44240 + match = default_role;
44241 + if (match->allowed_ips == NULL)
44244 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
44246 + ((ntohl(curr_ip) & ipp->netmask) ==
44247 + (ntohl(ipp->addr) & ipp->netmask)))
44250 + match = default_role;
44252 + } else if (match->allowed_ips == NULL) {
44255 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
44257 + ((ntohl(curr_ip) & ipp->netmask) ==
44258 + (ntohl(ipp->addr) & ipp->netmask)))
44267 +struct acl_subject_label *
44268 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
44269 + const struct acl_role_label *role)
44271 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
44272 + struct acl_subject_label *match;
44274 + match = role->subj_hash[index];
44276 + while (match && (match->inode != ino || match->device != dev ||
44277 + (match->mode & GR_DELETED))) {
44278 + match = match->next;
44281 + if (match && !(match->mode & GR_DELETED))
44287 +struct acl_subject_label *
44288 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
44289 + const struct acl_role_label *role)
44291 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
44292 + struct acl_subject_label *match;
44294 + match = role->subj_hash[index];
44296 + while (match && (match->inode != ino || match->device != dev ||
44297 + !(match->mode & GR_DELETED))) {
44298 + match = match->next;
44301 + if (match && (match->mode & GR_DELETED))
44307 +static struct acl_object_label *
44308 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
44309 + const struct acl_subject_label *subj)
44311 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
44312 + struct acl_object_label *match;
44314 + match = subj->obj_hash[index];
44316 + while (match && (match->inode != ino || match->device != dev ||
44317 + (match->mode & GR_DELETED))) {
44318 + match = match->next;
44321 + if (match && !(match->mode & GR_DELETED))
44327 +static struct acl_object_label *
44328 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
44329 + const struct acl_subject_label *subj)
44331 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
44332 + struct acl_object_label *match;
44334 + match = subj->obj_hash[index];
44336 + while (match && (match->inode != ino || match->device != dev ||
44337 + !(match->mode & GR_DELETED))) {
44338 + match = match->next;
44341 + if (match && (match->mode & GR_DELETED))
44344 + match = subj->obj_hash[index];
44346 + while (match && (match->inode != ino || match->device != dev ||
44347 + (match->mode & GR_DELETED))) {
44348 + match = match->next;
44351 + if (match && !(match->mode & GR_DELETED))
44357 +static struct name_entry *
44358 +lookup_name_entry(const char *name)
44360 + unsigned int len = strlen(name);
44361 + unsigned int key = full_name_hash(name, len);
44362 + unsigned int index = key % name_set.n_size;
44363 + struct name_entry *match;
44365 + match = name_set.n_hash[index];
44367 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
44368 + match = match->next;
44373 +static struct name_entry *
44374 +lookup_name_entry_create(const char *name)
44376 + unsigned int len = strlen(name);
44377 + unsigned int key = full_name_hash(name, len);
44378 + unsigned int index = key % name_set.n_size;
44379 + struct name_entry *match;
44381 + match = name_set.n_hash[index];
44383 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
44384 + !match->deleted))
44385 + match = match->next;
44387 + if (match && match->deleted)
44390 + match = name_set.n_hash[index];
44392 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
44394 + match = match->next;
44396 + if (match && !match->deleted)
44402 +static struct inodev_entry *
44403 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
44405 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
44406 + struct inodev_entry *match;
44408 + match = inodev_set.i_hash[index];
44410 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
44411 + match = match->next;
44417 +insert_inodev_entry(struct inodev_entry *entry)
44419 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
44420 + inodev_set.i_size);
44421 + struct inodev_entry **curr;
44423 + entry->prev = NULL;
44425 + curr = &inodev_set.i_hash[index];
44426 + if (*curr != NULL)
44427 + (*curr)->prev = entry;
44429 + entry->next = *curr;
44436 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
44438 + unsigned int index =
44439 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
44440 + struct acl_role_label **curr;
44441 + struct acl_role_label *tmp;
44443 + curr = &acl_role_set.r_hash[index];
44445 + /* if role was already inserted due to domains and already has
44446 + a role in the same bucket as it attached, then we need to
44447 + combine these two buckets
44449 + if (role->next) {
44450 + tmp = role->next;
44451 + while (tmp->next)
44453 + tmp->next = *curr;
44455 + role->next = *curr;
44462 +insert_acl_role_label(struct acl_role_label *role)
44466 + if (role_list == NULL) {
44467 + role_list = role;
44468 + role->prev = NULL;
44470 + role->prev = role_list;
44471 + role_list = role;
44474 + /* used for hash chains */
44475 + role->next = NULL;
44477 + if (role->roletype & GR_ROLE_DOMAIN) {
44478 + for (i = 0; i < role->domain_child_num; i++)
44479 + __insert_acl_role_label(role, role->domain_children[i]);
44481 + __insert_acl_role_label(role, role->uidgid);
44485 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
44487 + struct name_entry **curr, *nentry;
44488 + struct inodev_entry *ientry;
44489 + unsigned int len = strlen(name);
44490 + unsigned int key = full_name_hash(name, len);
44491 + unsigned int index = key % name_set.n_size;
44493 + curr = &name_set.n_hash[index];
44495 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
44496 + curr = &((*curr)->next);
44498 + if (*curr != NULL)
44501 + nentry = acl_alloc(sizeof (struct name_entry));
44502 + if (nentry == NULL)
44504 + ientry = acl_alloc(sizeof (struct inodev_entry));
44505 + if (ientry == NULL)
44507 + ientry->nentry = nentry;
44509 + nentry->key = key;
44510 + nentry->name = name;
44511 + nentry->inode = inode;
44512 + nentry->device = device;
44513 + nentry->len = len;
44514 + nentry->deleted = deleted;
44516 + nentry->prev = NULL;
44517 + curr = &name_set.n_hash[index];
44518 + if (*curr != NULL)
44519 + (*curr)->prev = nentry;
44520 + nentry->next = *curr;
44523 + /* insert us into the table searchable by inode/dev */
44524 + insert_inodev_entry(ientry);
44530 +insert_acl_obj_label(struct acl_object_label *obj,
44531 + struct acl_subject_label *subj)
44533 + unsigned int index =
44534 + fhash(obj->inode, obj->device, subj->obj_hash_size);
44535 + struct acl_object_label **curr;
44538 + obj->prev = NULL;
44540 + curr = &subj->obj_hash[index];
44541 + if (*curr != NULL)
44542 + (*curr)->prev = obj;
44544 + obj->next = *curr;
44551 +insert_acl_subj_label(struct acl_subject_label *obj,
44552 + struct acl_role_label *role)
44554 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
44555 + struct acl_subject_label **curr;
44557 + obj->prev = NULL;
44559 + curr = &role->subj_hash[index];
44560 + if (*curr != NULL)
44561 + (*curr)->prev = obj;
44563 + obj->next = *curr;
44569 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
44572 +create_table(__u32 * len, int elementsize)
44574 + unsigned int table_sizes[] = {
44575 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
44576 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
44577 + 4194301, 8388593, 16777213, 33554393, 67108859
44579 + void *newtable = NULL;
44580 + unsigned int pwr = 0;
44582 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
44583 + table_sizes[pwr] <= *len)
44586 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
44589 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
44591 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
44593 + newtable = vmalloc(table_sizes[pwr] * elementsize);
44595 + *len = table_sizes[pwr];
44601 +init_variables(const struct gr_arg *arg)
44603 + struct task_struct *reaper = &init_task;
44604 + unsigned int stacksize;
44606 + subj_map_set.s_size = arg->role_db.num_subjects;
44607 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
44608 + name_set.n_size = arg->role_db.num_objects;
44609 + inodev_set.i_size = arg->role_db.num_objects;
44611 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
44612 + !name_set.n_size || !inodev_set.i_size)
44615 + if (!gr_init_uidset())
44618 + /* set up the stack that holds allocation info */
44620 + stacksize = arg->role_db.num_pointers + 5;
44622 + if (!acl_alloc_stack_init(stacksize))
44625 + /* grab reference for the real root dentry and vfsmount */
44626 + read_lock(&reaper->fs->lock);
44627 + real_root = dget(reaper->fs->root.dentry);
44628 + real_root_mnt = mntget(reaper->fs->root.mnt);
44629 + read_unlock(&reaper->fs->lock);
44631 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
44632 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root), real_root->d_inode->i_ino);
44635 + fakefs_obj_rw = acl_alloc(sizeof(struct acl_object_label));
44636 + if (fakefs_obj_rw == NULL)
44638 + fakefs_obj_rw->mode = GR_FIND | GR_READ | GR_WRITE;
44640 + fakefs_obj_rwx = acl_alloc(sizeof(struct acl_object_label));
44641 + if (fakefs_obj_rwx == NULL)
44643 + fakefs_obj_rwx->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
44645 + subj_map_set.s_hash =
44646 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
44647 + acl_role_set.r_hash =
44648 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
44649 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
44650 + inodev_set.i_hash =
44651 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
44653 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
44654 + !name_set.n_hash || !inodev_set.i_hash)
44657 + memset(subj_map_set.s_hash, 0,
44658 + sizeof(struct subject_map *) * subj_map_set.s_size);
44659 + memset(acl_role_set.r_hash, 0,
44660 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
44661 + memset(name_set.n_hash, 0,
44662 + sizeof (struct name_entry *) * name_set.n_size);
44663 + memset(inodev_set.i_hash, 0,
44664 + sizeof (struct inodev_entry *) * inodev_set.i_size);
44669 +/* free information not needed after startup
44670 + currently contains user->kernel pointer mappings for subjects
44674 +free_init_variables(void)
44678 + if (subj_map_set.s_hash) {
44679 + for (i = 0; i < subj_map_set.s_size; i++) {
44680 + if (subj_map_set.s_hash[i]) {
44681 + kfree(subj_map_set.s_hash[i]);
44682 + subj_map_set.s_hash[i] = NULL;
44686 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
44688 + kfree(subj_map_set.s_hash);
44690 + vfree(subj_map_set.s_hash);
44697 +free_variables(void)
44699 + struct acl_subject_label *s;
44700 + struct acl_role_label *r;
44701 + struct task_struct *task, *task2;
44704 + gr_clear_learn_entries();
44706 + read_lock(&tasklist_lock);
44707 + do_each_thread(task2, task) {
44708 + task->acl_sp_role = 0;
44709 + task->acl_role_id = 0;
44710 + task->acl = NULL;
44711 + task->role = NULL;
44712 + } while_each_thread(task2, task);
44713 + read_unlock(&tasklist_lock);
44715 + /* release the reference to the real root dentry and vfsmount */
44718 + real_root = NULL;
44719 + if (real_root_mnt)
44720 + mntput(real_root_mnt);
44721 + real_root_mnt = NULL;
44723 + /* free all object hash tables */
44725 + FOR_EACH_ROLE_START(r)
44726 + if (r->subj_hash == NULL)
44728 + FOR_EACH_SUBJECT_START(r, s, x)
44729 + if (s->obj_hash == NULL)
44731 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
44732 + kfree(s->obj_hash);
44734 + vfree(s->obj_hash);
44735 + FOR_EACH_SUBJECT_END(s, x)
44736 + FOR_EACH_NESTED_SUBJECT_START(r, s)
44737 + if (s->obj_hash == NULL)
44739 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
44740 + kfree(s->obj_hash);
44742 + vfree(s->obj_hash);
44743 + FOR_EACH_NESTED_SUBJECT_END(s)
44744 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
44745 + kfree(r->subj_hash);
44747 + vfree(r->subj_hash);
44748 + r->subj_hash = NULL;
44750 + FOR_EACH_ROLE_END(r)
44754 + if (acl_role_set.r_hash) {
44755 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
44757 + kfree(acl_role_set.r_hash);
44759 + vfree(acl_role_set.r_hash);
44761 + if (name_set.n_hash) {
44762 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
44764 + kfree(name_set.n_hash);
44766 + vfree(name_set.n_hash);
44769 + if (inodev_set.i_hash) {
44770 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
44772 + kfree(inodev_set.i_hash);
44774 + vfree(inodev_set.i_hash);
44777 + gr_free_uidset();
44779 + memset(&name_set, 0, sizeof (struct name_db));
44780 + memset(&inodev_set, 0, sizeof (struct inodev_db));
44781 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
44782 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
44784 + default_role = NULL;
44785 + role_list = NULL;
44791 +count_user_objs(struct acl_object_label *userp)
44793 + struct acl_object_label o_tmp;
44797 + if (copy_from_user(&o_tmp, userp,
44798 + sizeof (struct acl_object_label)))
44801 + userp = o_tmp.prev;
44808 +static struct acl_subject_label *
44809 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
44812 +copy_user_glob(struct acl_object_label *obj)
44814 + struct acl_object_label *g_tmp, **guser;
44815 + unsigned int len;
44818 + if (obj->globbed == NULL)
44821 + guser = &obj->globbed;
44823 + g_tmp = (struct acl_object_label *)
44824 + acl_alloc(sizeof (struct acl_object_label));
44825 + if (g_tmp == NULL)
44828 + if (copy_from_user(g_tmp, *guser,
44829 + sizeof (struct acl_object_label)))
44832 + len = strnlen_user(g_tmp->filename, PATH_MAX);
44834 + if (!len || len >= PATH_MAX)
44837 + if ((tmp = (char *) acl_alloc(len)) == NULL)
44840 + if (copy_from_user(tmp, g_tmp->filename, len))
44842 + tmp[len-1] = '\0';
44843 + g_tmp->filename = tmp;
44846 + guser = &(g_tmp->next);
44853 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
44854 + struct acl_role_label *role)
44856 + struct acl_object_label *o_tmp;
44857 + unsigned int len;
44862 + if ((o_tmp = (struct acl_object_label *)
44863 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
44866 + if (copy_from_user(o_tmp, userp,
44867 + sizeof (struct acl_object_label)))
44870 + userp = o_tmp->prev;
44872 + len = strnlen_user(o_tmp->filename, PATH_MAX);
44874 + if (!len || len >= PATH_MAX)
44877 + if ((tmp = (char *) acl_alloc(len)) == NULL)
44880 + if (copy_from_user(tmp, o_tmp->filename, len))
44882 + tmp[len-1] = '\0';
44883 + o_tmp->filename = tmp;
44885 + insert_acl_obj_label(o_tmp, subj);
44886 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
44887 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
44890 + ret = copy_user_glob(o_tmp);
44894 + if (o_tmp->nested) {
44895 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
44896 + if (IS_ERR(o_tmp->nested))
44897 + return PTR_ERR(o_tmp->nested);
44899 + /* insert into nested subject list */
44900 + o_tmp->nested->next = role->hash->first;
44901 + role->hash->first = o_tmp->nested;
44909 +count_user_subjs(struct acl_subject_label *userp)
44911 + struct acl_subject_label s_tmp;
44915 + if (copy_from_user(&s_tmp, userp,
44916 + sizeof (struct acl_subject_label)))
44919 + userp = s_tmp.prev;
44920 + /* do not count nested subjects against this count, since
44921 + they are not included in the hash table, but are
44922 + attached to objects. We have already counted
44923 + the subjects in userspace for the allocation
44926 + if (!(s_tmp.mode & GR_NESTED))
44934 +copy_user_allowedips(struct acl_role_label *rolep)
44936 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
44938 + ruserip = rolep->allowed_ips;
44940 + while (ruserip) {
44943 + if ((rtmp = (struct role_allowed_ip *)
44944 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
44947 + if (copy_from_user(rtmp, ruserip,
44948 + sizeof (struct role_allowed_ip)))
44951 + ruserip = rtmp->prev;
44954 + rtmp->prev = NULL;
44955 + rolep->allowed_ips = rtmp;
44957 + rlast->next = rtmp;
44958 + rtmp->prev = rlast;
44962 + rtmp->next = NULL;
44969 +copy_user_transitions(struct acl_role_label *rolep)
44971 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
44973 + unsigned int len;
44976 + rusertp = rolep->transitions;
44978 + while (rusertp) {
44981 + if ((rtmp = (struct role_transition *)
44982 + acl_alloc(sizeof (struct role_transition))) == NULL)
44985 + if (copy_from_user(rtmp, rusertp,
44986 + sizeof (struct role_transition)))
44989 + rusertp = rtmp->prev;
44991 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
44993 + if (!len || len >= GR_SPROLE_LEN)
44996 + if ((tmp = (char *) acl_alloc(len)) == NULL)
44999 + if (copy_from_user(tmp, rtmp->rolename, len))
45001 + tmp[len-1] = '\0';
45002 + rtmp->rolename = tmp;
45005 + rtmp->prev = NULL;
45006 + rolep->transitions = rtmp;
45008 + rlast->next = rtmp;
45009 + rtmp->prev = rlast;
45013 + rtmp->next = NULL;
45019 +static struct acl_subject_label *
45020 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
45022 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
45023 + unsigned int len;
45026 + struct acl_ip_label **i_tmp, *i_utmp2;
45027 + struct gr_hash_struct ghash;
45028 + struct subject_map *subjmap;
45029 + unsigned int i_num;
45032 + s_tmp = lookup_subject_map(userp);
45034 + /* we've already copied this subject into the kernel, just return
45035 + the reference to it, and don't copy it over again
45040 + if ((s_tmp = (struct acl_subject_label *)
45041 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
45042 + return ERR_PTR(-ENOMEM);
45044 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
45045 + if (subjmap == NULL)
45046 + return ERR_PTR(-ENOMEM);
45048 + subjmap->user = userp;
45049 + subjmap->kernel = s_tmp;
45050 + insert_subj_map_entry(subjmap);
45052 + if (copy_from_user(s_tmp, userp,
45053 + sizeof (struct acl_subject_label)))
45054 + return ERR_PTR(-EFAULT);
45056 + len = strnlen_user(s_tmp->filename, PATH_MAX);
45058 + if (!len || len >= PATH_MAX)
45059 + return ERR_PTR(-EINVAL);
45061 + if ((tmp = (char *) acl_alloc(len)) == NULL)
45062 + return ERR_PTR(-ENOMEM);
45064 + if (copy_from_user(tmp, s_tmp->filename, len))
45065 + return ERR_PTR(-EFAULT);
45066 + tmp[len-1] = '\0';
45067 + s_tmp->filename = tmp;
45069 + if (!strcmp(s_tmp->filename, "/"))
45070 + role->root_label = s_tmp;
45072 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
45073 + return ERR_PTR(-EFAULT);
45075 + /* copy user and group transition tables */
45077 + if (s_tmp->user_trans_num) {
45080 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
45081 + if (uidlist == NULL)
45082 + return ERR_PTR(-ENOMEM);
45083 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
45084 + return ERR_PTR(-EFAULT);
45086 + s_tmp->user_transitions = uidlist;
45089 + if (s_tmp->group_trans_num) {
45092 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
45093 + if (gidlist == NULL)
45094 + return ERR_PTR(-ENOMEM);
45095 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
45096 + return ERR_PTR(-EFAULT);
45098 + s_tmp->group_transitions = gidlist;
45101 + /* set up object hash table */
45102 + num_objs = count_user_objs(ghash.first);
45104 + s_tmp->obj_hash_size = num_objs;
45105 + s_tmp->obj_hash =
45106 + (struct acl_object_label **)
45107 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
45109 + if (!s_tmp->obj_hash)
45110 + return ERR_PTR(-ENOMEM);
45112 + memset(s_tmp->obj_hash, 0,
45113 + s_tmp->obj_hash_size *
45114 + sizeof (struct acl_object_label *));
45116 + /* add in objects */
45117 + err = copy_user_objs(ghash.first, s_tmp, role);
45120 + return ERR_PTR(err);
45122 + /* set pointer for parent subject */
45123 + if (s_tmp->parent_subject) {
45124 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
45126 + if (IS_ERR(s_tmp2))
45129 + s_tmp->parent_subject = s_tmp2;
45132 + /* add in ip acls */
45134 + if (!s_tmp->ip_num) {
45135 + s_tmp->ips = NULL;
45140 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
45141 + sizeof (struct acl_ip_label *));
45144 + return ERR_PTR(-ENOMEM);
45146 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
45147 + *(i_tmp + i_num) =
45148 + (struct acl_ip_label *)
45149 + acl_alloc(sizeof (struct acl_ip_label));
45150 + if (!*(i_tmp + i_num))
45151 + return ERR_PTR(-ENOMEM);
45153 + if (copy_from_user
45154 + (&i_utmp2, s_tmp->ips + i_num,
45155 + sizeof (struct acl_ip_label *)))
45156 + return ERR_PTR(-EFAULT);
45158 + if (copy_from_user
45159 + (*(i_tmp + i_num), i_utmp2,
45160 + sizeof (struct acl_ip_label)))
45161 + return ERR_PTR(-EFAULT);
45163 + if ((*(i_tmp + i_num))->iface == NULL)
45166 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
45167 + if (!len || len >= IFNAMSIZ)
45168 + return ERR_PTR(-EINVAL);
45169 + tmp = acl_alloc(len);
45171 + return ERR_PTR(-ENOMEM);
45172 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
45173 + return ERR_PTR(-EFAULT);
45174 + (*(i_tmp + i_num))->iface = tmp;
45177 + s_tmp->ips = i_tmp;
45180 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
45181 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
45182 + return ERR_PTR(-ENOMEM);
45188 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
45190 + struct acl_subject_label s_pre;
45191 + struct acl_subject_label * ret;
45195 + if (copy_from_user(&s_pre, userp,
45196 + sizeof (struct acl_subject_label)))
45199 + /* do not add nested subjects here, add
45200 + while parsing objects
45203 + if (s_pre.mode & GR_NESTED) {
45204 + userp = s_pre.prev;
45208 + ret = do_copy_user_subj(userp, role);
45210 + err = PTR_ERR(ret);
45214 + insert_acl_subj_label(ret, role);
45216 + userp = s_pre.prev;
45223 +copy_user_acl(struct gr_arg *arg)
45225 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
45226 + struct sprole_pw *sptmp;
45227 + struct gr_hash_struct *ghash;
45228 + uid_t *domainlist;
45229 + unsigned int r_num;
45230 + unsigned int len;
45236 + /* we need a default and kernel role */
45237 + if (arg->role_db.num_roles < 2)
45240 + /* copy special role authentication info from userspace */
45242 + num_sprole_pws = arg->num_sprole_pws;
45243 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
45245 + if (!acl_special_roles) {
45250 + for (i = 0; i < num_sprole_pws; i++) {
45251 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
45256 + if (copy_from_user(sptmp, arg->sprole_pws + i,
45257 + sizeof (struct sprole_pw))) {
45263 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
45265 + if (!len || len >= GR_SPROLE_LEN) {
45270 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
45275 + if (copy_from_user(tmp, sptmp->rolename, len)) {
45279 + tmp[len-1] = '\0';
45280 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
45281 + printk(KERN_ALERT "Copying special role %s\n", tmp);
45283 + sptmp->rolename = tmp;
45284 + acl_special_roles[i] = sptmp;
45287 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
45289 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
45290 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
45297 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
45298 + sizeof (struct acl_role_label *))) {
45303 + if (copy_from_user(r_tmp, r_utmp2,
45304 + sizeof (struct acl_role_label))) {
45309 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
45311 + if (!len || len >= PATH_MAX) {
45316 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
45320 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
45324 + tmp[len-1] = '\0';
45325 + r_tmp->rolename = tmp;
45327 + if (!strcmp(r_tmp->rolename, "default")
45328 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
45329 + default_role = r_tmp;
45330 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
45331 + kernel_role = r_tmp;
45334 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
45338 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
45343 + r_tmp->hash = ghash;
45345 + num_subjs = count_user_subjs(r_tmp->hash->first);
45347 + r_tmp->subj_hash_size = num_subjs;
45348 + r_tmp->subj_hash =
45349 + (struct acl_subject_label **)
45350 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
45352 + if (!r_tmp->subj_hash) {
45357 + err = copy_user_allowedips(r_tmp);
45361 + /* copy domain info */
45362 + if (r_tmp->domain_children != NULL) {
45363 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
45364 + if (domainlist == NULL) {
45368 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
45372 + r_tmp->domain_children = domainlist;
45375 + err = copy_user_transitions(r_tmp);
45379 + memset(r_tmp->subj_hash, 0,
45380 + r_tmp->subj_hash_size *
45381 + sizeof (struct acl_subject_label *));
45383 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
45388 + /* set nested subject list to null */
45389 + r_tmp->hash->first = NULL;
45391 + insert_acl_role_label(r_tmp);
45396 + free_variables();
45403 +gracl_init(struct gr_arg *args)
45407 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
45408 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
45410 + if (init_variables(args)) {
45411 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
45413 + free_variables();
45417 + error = copy_user_acl(args);
45418 + free_init_variables();
45420 + free_variables();
45424 + if ((error = gr_set_acls(0))) {
45425 + free_variables();
45429 + pax_open_kernel();
45430 + gr_status |= GR_READY;
45431 + pax_close_kernel();
45437 +/* derived from glibc fnmatch() 0: match, 1: no match*/
45440 +glob_match(const char *p, const char *n)
45444 + while ((c = *p++) != '\0') {
45449 + else if (*n == '/')
45457 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
45460 + else if (c == '?') {
45470 + const char *endp;
45472 + if ((endp = strchr(n, '/')) == NULL)
45473 + endp = n + strlen(n);
45476 + for (--p; n < endp; ++n)
45477 + if (!glob_match(p, n))
45479 + } else if (c == '/') {
45480 + while (*n != '\0' && *n != '/')
45482 + if (*n == '/' && !glob_match(p, n + 1))
45485 + for (--p; n < endp; ++n)
45486 + if (*n == c && !glob_match(p, n))
45497 + if (*n == '\0' || *n == '/')
45500 + not = (*p == '!' || *p == '^');
45506 + unsigned char fn = (unsigned char)*n;
45516 + if (c == '-' && *p != ']') {
45517 + unsigned char cend = *p++;
45519 + if (cend == '\0')
45522 + if (cold <= fn && fn <= cend)
45536 + while (c != ']') {
45563 +static struct acl_object_label *
45564 +chk_glob_label(struct acl_object_label *globbed,
45565 + struct dentry *dentry, struct vfsmount *mnt, char **path)
45567 + struct acl_object_label *tmp;
45569 + if (*path == NULL)
45570 + *path = gr_to_filename_nolock(dentry, mnt);
45575 + if (!glob_match(tmp->filename, *path))
45583 +static struct acl_object_label *
45584 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
45585 + const ino_t curr_ino, const dev_t curr_dev,
45586 + const struct acl_subject_label *subj, char **path, const int checkglob)
45588 + struct acl_subject_label *tmpsubj;
45589 + struct acl_object_label *retval;
45590 + struct acl_object_label *retval2;
45592 + tmpsubj = (struct acl_subject_label *) subj;
45593 + read_lock(&gr_inode_lock);
45595 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
45597 + if (checkglob && retval->globbed) {
45598 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
45599 + (struct vfsmount *)orig_mnt, path);
45601 + retval = retval2;
45605 + } while ((tmpsubj = tmpsubj->parent_subject));
45606 + read_unlock(&gr_inode_lock);
45611 +static __inline__ struct acl_object_label *
45612 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
45613 + const struct dentry *curr_dentry,
45614 + const struct acl_subject_label *subj, char **path, const int checkglob)
45616 + int newglob = checkglob;
45618 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
45619 + as we don't want a / * rule to match instead of the / object
45620 + don't do this for create lookups that call this function though, since they're looking up
45621 + on the parent and thus need globbing checks on all paths
45623 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
45624 + newglob = GR_NO_GLOB;
45626 + return __full_lookup(orig_dentry, orig_mnt,
45627 + curr_dentry->d_inode->i_ino,
45628 + __get_dev(curr_dentry), subj, path, newglob);
45631 +static struct acl_object_label *
45632 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
45633 + const struct acl_subject_label *subj, char *path, const int checkglob)
45635 + struct dentry *dentry = (struct dentry *) l_dentry;
45636 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
45637 + struct acl_object_label *retval;
45639 + spin_lock(&dcache_lock);
45640 + spin_lock(&vfsmount_lock);
45642 + if (unlikely((mnt == shm_mnt && dentry->d_inode->i_nlink == 0) || mnt == pipe_mnt ||
45644 + mnt == sock_mnt ||
45646 +#ifdef CONFIG_HUGETLBFS
45647 + (mnt == hugetlbfs_vfsmount && dentry->d_inode->i_nlink == 0) ||
45649 + /* ignore Eric Biederman */
45650 + IS_PRIVATE(l_dentry->d_inode))) {
45651 + retval = (subj->mode & GR_SHMEXEC) ? fakefs_obj_rwx : fakefs_obj_rw;
45656 + if (dentry == real_root && mnt == real_root_mnt)
45659 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
45660 + if (mnt->mnt_parent == mnt)
45663 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
45664 + if (retval != NULL)
45667 + dentry = mnt->mnt_mountpoint;
45668 + mnt = mnt->mnt_parent;
45672 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
45673 + if (retval != NULL)
45676 + dentry = dentry->d_parent;
45679 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
45681 + if (retval == NULL)
45682 + retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
45684 + spin_unlock(&vfsmount_lock);
45685 + spin_unlock(&dcache_lock);
45687 + BUG_ON(retval == NULL);
45692 +static __inline__ struct acl_object_label *
45693 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
45694 + const struct acl_subject_label *subj)
45696 + char *path = NULL;
45697 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
45700 +static __inline__ struct acl_object_label *
45701 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
45702 + const struct acl_subject_label *subj)
45704 + char *path = NULL;
45705 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
45708 +static __inline__ struct acl_object_label *
45709 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
45710 + const struct acl_subject_label *subj, char *path)
45712 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
45715 +static struct acl_subject_label *
45716 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
45717 + const struct acl_role_label *role)
45719 + struct dentry *dentry = (struct dentry *) l_dentry;
45720 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
45721 + struct acl_subject_label *retval;
45723 + spin_lock(&dcache_lock);
45724 + spin_lock(&vfsmount_lock);
45727 + if (dentry == real_root && mnt == real_root_mnt)
45729 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
45730 + if (mnt->mnt_parent == mnt)
45733 + read_lock(&gr_inode_lock);
45735 + lookup_acl_subj_label(dentry->d_inode->i_ino,
45736 + __get_dev(dentry), role);
45737 + read_unlock(&gr_inode_lock);
45738 + if (retval != NULL)
45741 + dentry = mnt->mnt_mountpoint;
45742 + mnt = mnt->mnt_parent;
45746 + read_lock(&gr_inode_lock);
45747 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
45748 + __get_dev(dentry), role);
45749 + read_unlock(&gr_inode_lock);
45750 + if (retval != NULL)
45753 + dentry = dentry->d_parent;
45756 + read_lock(&gr_inode_lock);
45757 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
45758 + __get_dev(dentry), role);
45759 + read_unlock(&gr_inode_lock);
45761 + if (unlikely(retval == NULL)) {
45762 + read_lock(&gr_inode_lock);
45763 + retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
45764 + __get_dev(real_root), role);
45765 + read_unlock(&gr_inode_lock);
45768 + spin_unlock(&vfsmount_lock);
45769 + spin_unlock(&dcache_lock);
45771 + BUG_ON(retval == NULL);
45777 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
45779 + struct task_struct *task = current;
45780 + const struct cred *cred = current_cred();
45782 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
45783 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
45784 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
45785 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
45791 +gr_log_learn_sysctl(const char *path, const __u32 mode)
45793 + struct task_struct *task = current;
45794 + const struct cred *cred = current_cred();
45796 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
45797 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
45798 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
45799 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
45805 +gr_log_learn_id_change(const char type, const unsigned int real,
45806 + const unsigned int effective, const unsigned int fs)
45808 + struct task_struct *task = current;
45809 + const struct cred *cred = current_cred();
45811 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
45812 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
45813 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
45814 + type, real, effective, fs, &task->signal->saved_ip);
45820 +gr_check_link(const struct dentry * new_dentry,
45821 + const struct dentry * parent_dentry,
45822 + const struct vfsmount * parent_mnt,
45823 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
45825 + struct acl_object_label *obj;
45826 + __u32 oldmode, newmode;
45829 + if (unlikely(!(gr_status & GR_READY)))
45830 + return (GR_CREATE | GR_LINK);
45832 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
45833 + oldmode = obj->mode;
45835 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
45836 + oldmode |= (GR_CREATE | GR_LINK);
45838 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
45839 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
45840 + needmode |= GR_SETID | GR_AUDIT_SETID;
45843 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
45844 + oldmode | needmode);
45846 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
45847 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
45848 + GR_INHERIT | GR_AUDIT_INHERIT);
45850 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
45853 + if ((oldmode & needmode) != needmode)
45856 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
45857 + if ((newmode & needmode) != needmode)
45860 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
45863 + needmode = oldmode;
45864 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
45865 + needmode |= GR_SETID;
45867 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
45868 + gr_log_learn(old_dentry, old_mnt, needmode);
45869 + return (GR_CREATE | GR_LINK);
45870 + } else if (newmode & GR_SUPPRESS)
45871 + return GR_SUPPRESS;
45877 +gr_search_file(const struct dentry * dentry, const __u32 mode,
45878 + const struct vfsmount * mnt)
45880 + __u32 retval = mode;
45881 + struct acl_subject_label *curracl;
45882 + struct acl_object_label *currobj;
45884 + if (unlikely(!(gr_status & GR_READY)))
45885 + return (mode & ~GR_AUDITS);
45887 + curracl = current->acl;
45889 + currobj = chk_obj_label(dentry, mnt, curracl);
45890 + retval = currobj->mode & mode;
45892 + /* if we're opening a specified transfer file for writing
45893 + (e.g. /dev/initctl), then transfer our role to init
45895 + if (unlikely(currobj->mode & GR_INIT_TRANSFER && retval & GR_WRITE &&
45896 + current->role->roletype & GR_ROLE_PERSIST)) {
45897 + struct task_struct *task = init_pid_ns.child_reaper;
45899 + if (task->role != current->role) {
45900 + task->acl_sp_role = 0;
45901 + task->acl_role_id = current->acl_role_id;
45902 + task->role = current->role;
45904 + read_lock(&grsec_exec_file_lock);
45905 + gr_apply_subject_to_task(task);
45906 + read_unlock(&grsec_exec_file_lock);
45907 + rcu_read_unlock();
45908 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_INIT_TRANSFER_MSG);
45913 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
45914 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
45915 + __u32 new_mode = mode;
45917 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
45919 + retval = new_mode;
45921 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
45922 + new_mode |= GR_INHERIT;
45924 + if (!(mode & GR_NOLEARN))
45925 + gr_log_learn(dentry, mnt, new_mode);
45932 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
45933 + const struct vfsmount * mnt, const __u32 mode)
45935 + struct name_entry *match;
45936 + struct acl_object_label *matchpo;
45937 + struct acl_subject_label *curracl;
45941 + if (unlikely(!(gr_status & GR_READY)))
45942 + return (mode & ~GR_AUDITS);
45944 + preempt_disable();
45945 + path = gr_to_filename_rbac(new_dentry, mnt);
45946 + match = lookup_name_entry_create(path);
45949 + goto check_parent;
45951 + curracl = current->acl;
45953 + read_lock(&gr_inode_lock);
45954 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
45955 + read_unlock(&gr_inode_lock);
45958 + if ((matchpo->mode & mode) !=
45959 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
45960 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
45961 + __u32 new_mode = mode;
45963 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
45965 + gr_log_learn(new_dentry, mnt, new_mode);
45967 + preempt_enable();
45970 + preempt_enable();
45971 + return (matchpo->mode & mode);
45975 + curracl = current->acl;
45977 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
45978 + retval = matchpo->mode & mode;
45980 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
45981 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
45982 + __u32 new_mode = mode;
45984 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
45986 + gr_log_learn(new_dentry, mnt, new_mode);
45987 + preempt_enable();
45991 + preempt_enable();
45996 +gr_check_hidden_task(const struct task_struct *task)
45998 + if (unlikely(!(gr_status & GR_READY)))
46001 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
46008 +gr_check_protected_task(const struct task_struct *task)
46010 + if (unlikely(!(gr_status & GR_READY) || !task))
46013 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
46014 + task->acl != current->acl)
46021 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
46023 + struct task_struct *p;
46026 + if (unlikely(!(gr_status & GR_READY) || !pid))
46029 + read_lock(&tasklist_lock);
46030 + do_each_pid_task(pid, type, p) {
46031 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
46032 + p->acl != current->acl) {
46036 + } while_each_pid_task(pid, type, p);
46038 + read_unlock(&tasklist_lock);
46044 +gr_copy_label(struct task_struct *tsk)
46046 + tsk->signal->used_accept = 0;
46047 + tsk->acl_sp_role = 0;
46048 + tsk->acl_role_id = current->acl_role_id;
46049 + tsk->acl = current->acl;
46050 + tsk->role = current->role;
46051 + tsk->signal->curr_ip = current->signal->curr_ip;
46052 + tsk->signal->saved_ip = current->signal->saved_ip;
46053 + if (current->exec_file)
46054 + get_file(current->exec_file);
46055 + tsk->exec_file = current->exec_file;
46056 + tsk->is_writable = current->is_writable;
46057 + if (unlikely(current->signal->used_accept)) {
46058 + current->signal->curr_ip = 0;
46059 + current->signal->saved_ip = 0;
46066 +gr_set_proc_res(struct task_struct *task)
46068 + struct acl_subject_label *proc;
46069 + unsigned short i;
46071 + proc = task->acl;
46073 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
46076 + for (i = 0; i < RLIM_NLIMITS; i++) {
46077 + if (!(proc->resmask & (1 << i)))
46080 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
46081 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
46087 +extern int __gr_process_user_ban(struct user_struct *user);
46090 +gr_check_user_change(int real, int effective, int fs)
46097 + int effectiveok = 0;
46100 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
46101 + struct user_struct *user;
46106 + user = find_user(real);
46107 + if (user == NULL)
46110 + if (__gr_process_user_ban(user)) {
46111 + /* for find_user */
46116 + /* for find_user */
46122 + if (unlikely(!(gr_status & GR_READY)))
46125 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
46126 + gr_log_learn_id_change('u', real, effective, fs);
46128 + num = current->acl->user_trans_num;
46129 + uidlist = current->acl->user_transitions;
46131 + if (uidlist == NULL)
46136 + if (effective == -1)
46141 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
46142 + for (i = 0; i < num; i++) {
46143 + curuid = (int)uidlist[i];
46144 + if (real == curuid)
46146 + if (effective == curuid)
46148 + if (fs == curuid)
46151 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
46152 + for (i = 0; i < num; i++) {
46153 + curuid = (int)uidlist[i];
46154 + if (real == curuid)
46156 + if (effective == curuid)
46158 + if (fs == curuid)
46161 + /* not in deny list */
46169 + if (realok && effectiveok && fsok)
46172 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
46178 +gr_check_group_change(int real, int effective, int fs)
46185 + int effectiveok = 0;
46188 + if (unlikely(!(gr_status & GR_READY)))
46191 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
46192 + gr_log_learn_id_change('g', real, effective, fs);
46194 + num = current->acl->group_trans_num;
46195 + gidlist = current->acl->group_transitions;
46197 + if (gidlist == NULL)
46202 + if (effective == -1)
46207 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
46208 + for (i = 0; i < num; i++) {
46209 + curgid = (int)gidlist[i];
46210 + if (real == curgid)
46212 + if (effective == curgid)
46214 + if (fs == curgid)
46217 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
46218 + for (i = 0; i < num; i++) {
46219 + curgid = (int)gidlist[i];
46220 + if (real == curgid)
46222 + if (effective == curgid)
46224 + if (fs == curgid)
46227 + /* not in deny list */
46235 + if (realok && effectiveok && fsok)
46238 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
46244 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
46246 + struct acl_role_label *role = task->role;
46247 + struct acl_subject_label *subj = NULL;
46248 + struct acl_object_label *obj;
46249 + struct file *filp;
46251 + if (unlikely(!(gr_status & GR_READY)))
46254 + filp = task->exec_file;
46256 + /* kernel process, we'll give them the kernel role */
46257 + if (unlikely(!filp)) {
46258 + task->role = kernel_role;
46259 + task->acl = kernel_role->root_label;
46261 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
46262 + role = lookup_acl_role_label(task, uid, gid);
46264 + /* perform subject lookup in possibly new role
46265 + we can use this result below in the case where role == task->role
46267 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
46269 + /* if we changed uid/gid, but result in the same role
46270 + and are using inheritance, don't lose the inherited subject
46271 + if current subject is other than what normal lookup
46272 + would result in, we arrived via inheritance, don't
46275 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
46276 + (subj == task->acl)))
46277 + task->acl = subj;
46279 + task->role = role;
46281 + task->is_writable = 0;
46283 + /* ignore additional mmap checks for processes that are writable
46284 + by the default ACL */
46285 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
46286 + if (unlikely(obj->mode & GR_WRITE))
46287 + task->is_writable = 1;
46288 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
46289 + if (unlikely(obj->mode & GR_WRITE))
46290 + task->is_writable = 1;
46292 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
46293 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
46296 + gr_set_proc_res(task);
46302 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
46303 + const int unsafe_share)
46305 + struct task_struct *task = current;
46306 + struct acl_subject_label *newacl;
46307 + struct acl_object_label *obj;
46310 + if (unlikely(!(gr_status & GR_READY)))
46313 + newacl = chk_subj_label(dentry, mnt, task->role);
46316 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
46317 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
46318 + !(task->role->roletype & GR_ROLE_GOD) &&
46319 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
46320 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
46321 + task_unlock(task);
46322 + if (unsafe_share)
46323 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
46325 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
46328 + task_unlock(task);
46330 + obj = chk_obj_label(dentry, mnt, task->acl);
46331 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
46333 + if (!(task->acl->mode & GR_INHERITLEARN) &&
46334 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
46336 + task->acl = obj->nested;
46338 + task->acl = newacl;
46339 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
46340 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
46342 + task->is_writable = 0;
46344 + /* ignore additional mmap checks for processes that are writable
46345 + by the default ACL */
46346 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
46347 + if (unlikely(obj->mode & GR_WRITE))
46348 + task->is_writable = 1;
46349 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
46350 + if (unlikely(obj->mode & GR_WRITE))
46351 + task->is_writable = 1;
46353 + gr_set_proc_res(task);
46355 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
46356 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
46361 +/* always called with valid inodev ptr */
46363 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
46365 + struct acl_object_label *matchpo;
46366 + struct acl_subject_label *matchps;
46367 + struct acl_subject_label *subj;
46368 + struct acl_role_label *role;
46371 + FOR_EACH_ROLE_START(role)
46372 + FOR_EACH_SUBJECT_START(role, subj, x)
46373 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
46374 + matchpo->mode |= GR_DELETED;
46375 + FOR_EACH_SUBJECT_END(subj,x)
46376 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
46377 + if (subj->inode == ino && subj->device == dev)
46378 + subj->mode |= GR_DELETED;
46379 + FOR_EACH_NESTED_SUBJECT_END(subj)
46380 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
46381 + matchps->mode |= GR_DELETED;
46382 + FOR_EACH_ROLE_END(role)
46384 + inodev->nentry->deleted = 1;
46390 +gr_handle_delete(const ino_t ino, const dev_t dev)
46392 + struct inodev_entry *inodev;
46394 + if (unlikely(!(gr_status & GR_READY)))
46397 + write_lock(&gr_inode_lock);
46398 + inodev = lookup_inodev_entry(ino, dev);
46399 + if (inodev != NULL)
46400 + do_handle_delete(inodev, ino, dev);
46401 + write_unlock(&gr_inode_lock);
46407 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
46408 + const ino_t newinode, const dev_t newdevice,
46409 + struct acl_subject_label *subj)
46411 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
46412 + struct acl_object_label *match;
46414 + match = subj->obj_hash[index];
46416 + while (match && (match->inode != oldinode ||
46417 + match->device != olddevice ||
46418 + !(match->mode & GR_DELETED)))
46419 + match = match->next;
46421 + if (match && (match->inode == oldinode)
46422 + && (match->device == olddevice)
46423 + && (match->mode & GR_DELETED)) {
46424 + if (match->prev == NULL) {
46425 + subj->obj_hash[index] = match->next;
46426 + if (match->next != NULL)
46427 + match->next->prev = NULL;
46429 + match->prev->next = match->next;
46430 + if (match->next != NULL)
46431 + match->next->prev = match->prev;
46433 + match->prev = NULL;
46434 + match->next = NULL;
46435 + match->inode = newinode;
46436 + match->device = newdevice;
46437 + match->mode &= ~GR_DELETED;
46439 + insert_acl_obj_label(match, subj);
46446 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
46447 + const ino_t newinode, const dev_t newdevice,
46448 + struct acl_role_label *role)
46450 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
46451 + struct acl_subject_label *match;
46453 + match = role->subj_hash[index];
46455 + while (match && (match->inode != oldinode ||
46456 + match->device != olddevice ||
46457 + !(match->mode & GR_DELETED)))
46458 + match = match->next;
46460 + if (match && (match->inode == oldinode)
46461 + && (match->device == olddevice)
46462 + && (match->mode & GR_DELETED)) {
46463 + if (match->prev == NULL) {
46464 + role->subj_hash[index] = match->next;
46465 + if (match->next != NULL)
46466 + match->next->prev = NULL;
46468 + match->prev->next = match->next;
46469 + if (match->next != NULL)
46470 + match->next->prev = match->prev;
46472 + match->prev = NULL;
46473 + match->next = NULL;
46474 + match->inode = newinode;
46475 + match->device = newdevice;
46476 + match->mode &= ~GR_DELETED;
46478 + insert_acl_subj_label(match, role);
46485 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
46486 + const ino_t newinode, const dev_t newdevice)
46488 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
46489 + struct inodev_entry *match;
46491 + match = inodev_set.i_hash[index];
46493 + while (match && (match->nentry->inode != oldinode ||
46494 + match->nentry->device != olddevice || !match->nentry->deleted))
46495 + match = match->next;
46497 + if (match && (match->nentry->inode == oldinode)
46498 + && (match->nentry->device == olddevice) &&
46499 + match->nentry->deleted) {
46500 + if (match->prev == NULL) {
46501 + inodev_set.i_hash[index] = match->next;
46502 + if (match->next != NULL)
46503 + match->next->prev = NULL;
46505 + match->prev->next = match->next;
46506 + if (match->next != NULL)
46507 + match->next->prev = match->prev;
46509 + match->prev = NULL;
46510 + match->next = NULL;
46511 + match->nentry->inode = newinode;
46512 + match->nentry->device = newdevice;
46513 + match->nentry->deleted = 0;
46515 + insert_inodev_entry(match);
46522 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
46523 + const struct vfsmount *mnt)
46525 + struct acl_subject_label *subj;
46526 + struct acl_role_label *role;
46528 + ino_t inode = dentry->d_inode->i_ino;
46529 + dev_t dev = __get_dev(dentry);
46531 + FOR_EACH_ROLE_START(role)
46532 + update_acl_subj_label(matchn->inode, matchn->device,
46533 + inode, dev, role);
46535 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
46536 + if ((subj->inode == inode) && (subj->device == dev)) {
46537 + subj->inode = inode;
46538 + subj->device = dev;
46540 + FOR_EACH_NESTED_SUBJECT_END(subj)
46541 + FOR_EACH_SUBJECT_START(role, subj, x)
46542 + update_acl_obj_label(matchn->inode, matchn->device,
46543 + inode, dev, subj);
46544 + FOR_EACH_SUBJECT_END(subj,x)
46545 + FOR_EACH_ROLE_END(role)
46547 + update_inodev_entry(matchn->inode, matchn->device, inode, dev);
46553 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
46555 + struct name_entry *matchn;
46557 + if (unlikely(!(gr_status & GR_READY)))
46560 + preempt_disable();
46561 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
46563 + if (unlikely((unsigned long)matchn)) {
46564 + write_lock(&gr_inode_lock);
46565 + do_handle_create(matchn, dentry, mnt);
46566 + write_unlock(&gr_inode_lock);
46568 + preempt_enable();
46574 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
46575 + struct dentry *old_dentry,
46576 + struct dentry *new_dentry,
46577 + struct vfsmount *mnt, const __u8 replace)
46579 + struct name_entry *matchn;
46580 + struct inodev_entry *inodev;
46581 + ino_t oldinode = old_dentry->d_inode->i_ino;
46582 + dev_t olddev = __get_dev(old_dentry);
46584 + /* vfs_rename swaps the name and parent link for old_dentry and
46586 + at this point, old_dentry has the new name, parent link, and inode
46587 + for the renamed file
46588 + if a file is being replaced by a rename, new_dentry has the inode
46589 + and name for the replaced file
46592 + if (unlikely(!(gr_status & GR_READY)))
46595 + preempt_disable();
46596 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
46598 + /* we wouldn't have to check d_inode if it weren't for
46599 + NFS silly-renaming
46602 + write_lock(&gr_inode_lock);
46603 + if (unlikely(replace && new_dentry->d_inode)) {
46604 + ino_t newinode = new_dentry->d_inode->i_ino;
46605 + dev_t newdev = __get_dev(new_dentry);
46606 + inodev = lookup_inodev_entry(newinode, newdev);
46607 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
46608 + do_handle_delete(inodev, newinode, newdev);
46611 + inodev = lookup_inodev_entry(oldinode, olddev);
46612 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
46613 + do_handle_delete(inodev, oldinode, olddev);
46615 + if (unlikely((unsigned long)matchn))
46616 + do_handle_create(matchn, old_dentry, mnt);
46618 + write_unlock(&gr_inode_lock);
46619 + preempt_enable();
46625 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
46626 + unsigned char **sum)
46628 + struct acl_role_label *r;
46629 + struct role_allowed_ip *ipp;
46630 + struct role_transition *trans;
46633 + u32 curr_ip = current->signal->curr_ip;
46635 + current->signal->saved_ip = curr_ip;
46637 + /* check transition table */
46639 + for (trans = current->role->transitions; trans; trans = trans->next) {
46640 + if (!strcmp(rolename, trans->rolename)) {
46649 + /* handle special roles that do not require authentication
46652 + FOR_EACH_ROLE_START(r)
46653 + if (!strcmp(rolename, r->rolename) &&
46654 + (r->roletype & GR_ROLE_SPECIAL)) {
46656 + if (r->allowed_ips != NULL) {
46657 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
46658 + if ((ntohl(curr_ip) & ipp->netmask) ==
46659 + (ntohl(ipp->addr) & ipp->netmask))
46667 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
46668 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
46674 + FOR_EACH_ROLE_END(r)
46676 + for (i = 0; i < num_sprole_pws; i++) {
46677 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
46678 + *salt = acl_special_roles[i]->salt;
46679 + *sum = acl_special_roles[i]->sum;
46688 +assign_special_role(char *rolename)
46690 + struct acl_object_label *obj;
46691 + struct acl_role_label *r;
46692 + struct acl_role_label *assigned = NULL;
46693 + struct task_struct *tsk;
46694 + struct file *filp;
46696 + FOR_EACH_ROLE_START(r)
46697 + if (!strcmp(rolename, r->rolename) &&
46698 + (r->roletype & GR_ROLE_SPECIAL)) {
46702 + FOR_EACH_ROLE_END(r)
46707 + read_lock(&tasklist_lock);
46708 + read_lock(&grsec_exec_file_lock);
46710 + tsk = current->real_parent;
46714 + filp = tsk->exec_file;
46715 + if (filp == NULL)
46718 + tsk->is_writable = 0;
46720 + tsk->acl_sp_role = 1;
46721 + tsk->acl_role_id = ++acl_sp_role_value;
46722 + tsk->role = assigned;
46723 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
46725 + /* ignore additional mmap checks for processes that are writable
46726 + by the default ACL */
46727 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
46728 + if (unlikely(obj->mode & GR_WRITE))
46729 + tsk->is_writable = 1;
46730 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
46731 + if (unlikely(obj->mode & GR_WRITE))
46732 + tsk->is_writable = 1;
46734 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
46735 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
46739 + read_unlock(&grsec_exec_file_lock);
46740 + read_unlock(&tasklist_lock);
46744 +int gr_check_secure_terminal(struct task_struct *task)
46746 + struct task_struct *p, *p2, *p3;
46747 + struct files_struct *files;
46748 + struct fdtable *fdt;
46749 + struct file *our_file = NULL, *file;
46752 + if (task->signal->tty == NULL)
46755 + files = get_files_struct(task);
46756 + if (files != NULL) {
46758 + fdt = files_fdtable(files);
46759 + for (i=0; i < fdt->max_fds; i++) {
46760 + file = fcheck_files(files, i);
46761 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
46766 + rcu_read_unlock();
46767 + put_files_struct(files);
46770 + if (our_file == NULL)
46773 + read_lock(&tasklist_lock);
46774 + do_each_thread(p2, p) {
46775 + files = get_files_struct(p);
46776 + if (files == NULL ||
46777 + (p->signal && p->signal->tty == task->signal->tty)) {
46778 + if (files != NULL)
46779 + put_files_struct(files);
46783 + fdt = files_fdtable(files);
46784 + for (i=0; i < fdt->max_fds; i++) {
46785 + file = fcheck_files(files, i);
46786 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
46787 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
46789 + while (p3->pid > 0) {
46792 + p3 = p3->real_parent;
46796 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
46797 + gr_handle_alertkill(p);
46798 + rcu_read_unlock();
46799 + put_files_struct(files);
46800 + read_unlock(&tasklist_lock);
46805 + rcu_read_unlock();
46806 + put_files_struct(files);
46807 + } while_each_thread(p2, p);
46808 + read_unlock(&tasklist_lock);
46815 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
46817 + struct gr_arg_wrapper uwrap;
46818 + unsigned char *sprole_salt = NULL;
46819 + unsigned char *sprole_sum = NULL;
46820 + int error = sizeof (struct gr_arg_wrapper);
46823 + mutex_lock(&gr_dev_mutex);
46825 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
46830 + if (count != sizeof (struct gr_arg_wrapper)) {
46831 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
46837 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
46838 + gr_auth_expires = 0;
46839 + gr_auth_attempts = 0;
46842 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
46847 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
46852 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
46857 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
46858 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
46859 + time_after(gr_auth_expires, get_seconds())) {
46864 + /* if non-root trying to do anything other than use a special role,
46865 + do not attempt authentication, do not count towards authentication
46869 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
46870 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
46876 + /* ensure pw and special role name are null terminated */
46878 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
46879 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
46882 + * We have our enough of the argument structure..(we have yet
46883 + * to copy_from_user the tables themselves) . Copy the tables
46884 + * only if we need them, i.e. for loading operations. */
46886 + switch (gr_usermode->mode) {
46888 + if (gr_status & GR_READY) {
46890 + if (!gr_check_secure_terminal(current))
46895 + case GR_SHUTDOWN:
46896 + if ((gr_status & GR_READY)
46897 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
46898 + pax_open_kernel();
46899 + gr_status &= ~GR_READY;
46900 + pax_close_kernel();
46902 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
46903 + free_variables();
46904 + memset(gr_usermode, 0, sizeof (struct gr_arg));
46905 + memset(gr_system_salt, 0, GR_SALT_LEN);
46906 + memset(gr_system_sum, 0, GR_SHA_LEN);
46907 + } else if (gr_status & GR_READY) {
46908 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
46911 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
46916 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
46917 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
46919 + if (gr_status & GR_READY)
46923 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
46927 + if (!(gr_status & GR_READY)) {
46928 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
46930 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
46933 + pax_open_kernel();
46934 + gr_status &= ~GR_READY;
46935 + pax_close_kernel();
46937 + free_variables();
46938 + if (!(error2 = gracl_init(gr_usermode))) {
46940 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
46944 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
46947 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
46952 + if (unlikely(!(gr_status & GR_READY))) {
46953 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
46958 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
46959 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
46960 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
46961 + struct acl_subject_label *segvacl;
46963 + lookup_acl_subj_label(gr_usermode->segv_inode,
46964 + gr_usermode->segv_device,
46967 + segvacl->crashes = 0;
46968 + segvacl->expires = 0;
46970 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
46971 + gr_remove_uid(gr_usermode->segv_uid);
46974 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
46979 + case GR_SPROLEPAM:
46980 + if (unlikely(!(gr_status & GR_READY))) {
46981 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
46986 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
46987 + current->role->expires = 0;
46988 + current->role->auth_attempts = 0;
46991 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
46992 + time_after(current->role->expires, get_seconds())) {
46997 + if (lookup_special_role_auth
46998 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
46999 + && ((!sprole_salt && !sprole_sum)
47000 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
47002 + assign_special_role(gr_usermode->sp_role);
47003 + read_lock(&tasklist_lock);
47004 + if (current->real_parent)
47005 + p = current->real_parent->role->rolename;
47006 + read_unlock(&tasklist_lock);
47007 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
47008 + p, acl_sp_role_value);
47010 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
47012 + if(!(current->role->auth_attempts++))
47013 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
47018 + case GR_UNSPROLE:
47019 + if (unlikely(!(gr_status & GR_READY))) {
47020 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
47025 + if (current->role->roletype & GR_ROLE_SPECIAL) {
47029 + read_lock(&tasklist_lock);
47030 + if (current->real_parent) {
47031 + p = current->real_parent->role->rolename;
47032 + i = current->real_parent->acl_role_id;
47034 + read_unlock(&tasklist_lock);
47036 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
47044 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
47049 + if (error != -EPERM)
47052 + if(!(gr_auth_attempts++))
47053 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
47056 + mutex_unlock(&gr_dev_mutex);
47060 +/* must be called with
47062 + read_lock(&tasklist_lock);
47063 + read_lock(&grsec_exec_file_lock);
47065 +int gr_apply_subject_to_task(struct task_struct *task)
47067 + struct acl_object_label *obj;
47069 + struct acl_subject_label *tmpsubj;
47070 + struct file *filp;
47071 + struct name_entry *nmatch;
47073 + filp = task->exec_file;
47074 + if (filp == NULL)
47077 + /* the following is to apply the correct subject
47078 + on binaries running when the RBAC system
47079 + is enabled, when the binaries have been
47080 + replaced or deleted since their execution
47082 + when the RBAC system starts, the inode/dev
47083 + from exec_file will be one the RBAC system
47084 + is unaware of. It only knows the inode/dev
47085 + of the present file on disk, or the absence
47088 + preempt_disable();
47089 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
47091 + nmatch = lookup_name_entry(tmpname);
47092 + preempt_enable();
47095 + if (nmatch->deleted)
47096 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
47098 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
47099 + if (tmpsubj != NULL)
47100 + task->acl = tmpsubj;
47102 + if (tmpsubj == NULL)
47103 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
47106 + struct acl_subject_label *curr;
47107 + curr = task->acl;
47109 + task->is_writable = 0;
47110 + /* ignore additional mmap checks for processes that are writable
47111 + by the default ACL */
47112 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
47113 + if (unlikely(obj->mode & GR_WRITE))
47114 + task->is_writable = 1;
47115 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
47116 + if (unlikely(obj->mode & GR_WRITE))
47117 + task->is_writable = 1;
47119 + gr_set_proc_res(task);
47121 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
47122 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
47132 +gr_set_acls(const int type)
47134 + struct task_struct *task, *task2;
47135 + struct acl_role_label *role = current->role;
47136 + __u16 acl_role_id = current->acl_role_id;
47137 + const struct cred *cred;
47141 + read_lock(&tasklist_lock);
47142 + read_lock(&grsec_exec_file_lock);
47143 + do_each_thread(task2, task) {
47144 + /* check to see if we're called from the exit handler,
47145 + if so, only replace ACLs that have inherited the admin
47148 + if (type && (task->role != role ||
47149 + task->acl_role_id != acl_role_id))
47152 + task->acl_role_id = 0;
47153 + task->acl_sp_role = 0;
47155 + if (task->exec_file) {
47156 + cred = __task_cred(task);
47157 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
47159 + ret = gr_apply_subject_to_task(task);
47161 + read_unlock(&grsec_exec_file_lock);
47162 + read_unlock(&tasklist_lock);
47163 + rcu_read_unlock();
47164 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
47168 + // it's a kernel process
47169 + task->role = kernel_role;
47170 + task->acl = kernel_role->root_label;
47171 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
47172 + task->acl->mode &= ~GR_PROCFIND;
47175 + } while_each_thread(task2, task);
47176 + read_unlock(&grsec_exec_file_lock);
47177 + read_unlock(&tasklist_lock);
47178 + rcu_read_unlock();
47184 +gr_learn_resource(const struct task_struct *task,
47185 + const int res, const unsigned long wanted, const int gt)
47187 + struct acl_subject_label *acl;
47188 + const struct cred *cred;
47190 + if (unlikely((gr_status & GR_READY) &&
47191 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
47192 + goto skip_reslog;
47194 +#ifdef CONFIG_GRKERNSEC_RESLOG
47195 + gr_log_resource(task, res, wanted, gt);
47199 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
47204 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
47205 + !(acl->resmask & (1 << (unsigned short) res))))
47208 + if (wanted >= acl->res[res].rlim_cur) {
47209 + unsigned long res_add;
47211 + res_add = wanted;
47214 + res_add += GR_RLIM_CPU_BUMP;
47216 + case RLIMIT_FSIZE:
47217 + res_add += GR_RLIM_FSIZE_BUMP;
47219 + case RLIMIT_DATA:
47220 + res_add += GR_RLIM_DATA_BUMP;
47222 + case RLIMIT_STACK:
47223 + res_add += GR_RLIM_STACK_BUMP;
47225 + case RLIMIT_CORE:
47226 + res_add += GR_RLIM_CORE_BUMP;
47229 + res_add += GR_RLIM_RSS_BUMP;
47231 + case RLIMIT_NPROC:
47232 + res_add += GR_RLIM_NPROC_BUMP;
47234 + case RLIMIT_NOFILE:
47235 + res_add += GR_RLIM_NOFILE_BUMP;
47237 + case RLIMIT_MEMLOCK:
47238 + res_add += GR_RLIM_MEMLOCK_BUMP;
47241 + res_add += GR_RLIM_AS_BUMP;
47243 + case RLIMIT_LOCKS:
47244 + res_add += GR_RLIM_LOCKS_BUMP;
47246 + case RLIMIT_SIGPENDING:
47247 + res_add += GR_RLIM_SIGPENDING_BUMP;
47249 + case RLIMIT_MSGQUEUE:
47250 + res_add += GR_RLIM_MSGQUEUE_BUMP;
47252 + case RLIMIT_NICE:
47253 + res_add += GR_RLIM_NICE_BUMP;
47255 + case RLIMIT_RTPRIO:
47256 + res_add += GR_RLIM_RTPRIO_BUMP;
47258 + case RLIMIT_RTTIME:
47259 + res_add += GR_RLIM_RTTIME_BUMP;
47263 + acl->res[res].rlim_cur = res_add;
47265 + if (wanted > acl->res[res].rlim_max)
47266 + acl->res[res].rlim_max = res_add;
47268 + /* only log the subject filename, since resource logging is supported for
47269 + single-subject learning only */
47271 + cred = __task_cred(task);
47272 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
47273 + task->role->roletype, cred->uid, cred->gid, acl->filename,
47274 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
47275 + "", (unsigned long) res, &task->signal->saved_ip);
47276 + rcu_read_unlock();
47282 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
47284 +pax_set_initial_flags(struct linux_binprm *bprm)
47286 + struct task_struct *task = current;
47287 + struct acl_subject_label *proc;
47288 + unsigned long flags;
47290 + if (unlikely(!(gr_status & GR_READY)))
47293 + flags = pax_get_flags(task);
47295 + proc = task->acl;
47297 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
47298 + flags &= ~MF_PAX_PAGEEXEC;
47299 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
47300 + flags &= ~MF_PAX_SEGMEXEC;
47301 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
47302 + flags &= ~MF_PAX_RANDMMAP;
47303 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
47304 + flags &= ~MF_PAX_EMUTRAMP;
47305 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
47306 + flags &= ~MF_PAX_MPROTECT;
47308 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
47309 + flags |= MF_PAX_PAGEEXEC;
47310 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
47311 + flags |= MF_PAX_SEGMEXEC;
47312 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
47313 + flags |= MF_PAX_RANDMMAP;
47314 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
47315 + flags |= MF_PAX_EMUTRAMP;
47316 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
47317 + flags |= MF_PAX_MPROTECT;
47319 + pax_set_flags(task, flags);
47325 +#ifdef CONFIG_SYSCTL
47326 +/* Eric Biederman likes breaking userland ABI and every inode-based security
47327 + system to save 35kb of memory */
47329 +/* we modify the passed in filename, but adjust it back before returning */
47330 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
47332 + struct name_entry *nmatch;
47333 + char *p, *lastp = NULL;
47334 + struct acl_object_label *obj = NULL, *tmp;
47335 + struct acl_subject_label *tmpsubj;
47338 + read_lock(&gr_inode_lock);
47340 + p = name + len - 1;
47342 + nmatch = lookup_name_entry(name);
47343 + if (lastp != NULL)
47346 + if (nmatch == NULL)
47347 + goto next_component;
47348 + tmpsubj = current->acl;
47350 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
47351 + if (obj != NULL) {
47352 + tmp = obj->globbed;
47354 + if (!glob_match(tmp->filename, name)) {
47362 + } while ((tmpsubj = tmpsubj->parent_subject));
47368 + while (*p != '/')
47380 + read_unlock(&gr_inode_lock);
47381 + /* obj returned will always be non-null */
47385 +/* returns 0 when allowing, non-zero on error
47386 + op of 0 is used for readdir, so we don't log the names of hidden files
47389 +gr_handle_sysctl(const struct ctl_table *table, const int op)
47392 + const char *proc_sys = "/proc/sys";
47394 + struct acl_object_label *obj;
47395 + unsigned short len = 0, pos = 0, depth = 0, i;
47399 + if (unlikely(!(gr_status & GR_READY)))
47402 + /* for now, ignore operations on non-sysctl entries if it's not a
47404 + if (table->child != NULL && op != 0)
47408 + /* it's only a read if it's an entry, read on dirs is for readdir */
47409 + if (op & MAY_READ)
47411 + if (op & MAY_WRITE)
47412 + mode |= GR_WRITE;
47414 + preempt_disable();
47416 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
47418 + /* it's only a read/write if it's an actual entry, not a dir
47419 + (which are opened for readdir)
47422 + /* convert the requested sysctl entry into a pathname */
47424 + for (tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
47425 + len += strlen(tmp->procname);
47430 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
47435 + memset(path, 0, PAGE_SIZE);
47437 + memcpy(path, proc_sys, strlen(proc_sys));
47439 + pos += strlen(proc_sys);
47441 + for (; depth > 0; depth--) {
47444 + for (i = 1, tmp = (ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
47445 + if (depth == i) {
47446 + memcpy(path + pos, tmp->procname,
47447 + strlen(tmp->procname));
47448 + pos += strlen(tmp->procname);
47454 + obj = gr_lookup_by_name(path, pos);
47455 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
47457 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
47458 + ((err & mode) != mode))) {
47459 + __u32 new_mode = mode;
47461 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
47464 + gr_log_learn_sysctl(path, new_mode);
47465 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
47466 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
47468 + } else if (!(err & GR_FIND)) {
47470 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
47471 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
47472 + path, (mode & GR_READ) ? " reading" : "",
47473 + (mode & GR_WRITE) ? " writing" : "");
47475 + } else if ((err & mode) != mode) {
47477 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
47478 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
47479 + path, (mode & GR_READ) ? " reading" : "",
47480 + (mode & GR_WRITE) ? " writing" : "");
47486 + preempt_enable();
47493 +gr_handle_proc_ptrace(struct task_struct *task)
47495 + struct file *filp;
47496 + struct task_struct *tmp = task;
47497 + struct task_struct *curtemp = current;
47500 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
47501 + if (unlikely(!(gr_status & GR_READY)))
47505 + read_lock(&tasklist_lock);
47506 + read_lock(&grsec_exec_file_lock);
47507 + filp = task->exec_file;
47509 + while (tmp->pid > 0) {
47510 + if (tmp == curtemp)
47512 + tmp = tmp->real_parent;
47515 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
47516 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
47517 + read_unlock(&grsec_exec_file_lock);
47518 + read_unlock(&tasklist_lock);
47522 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
47523 + if (!(gr_status & GR_READY)) {
47524 + read_unlock(&grsec_exec_file_lock);
47525 + read_unlock(&tasklist_lock);
47530 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
47531 + read_unlock(&grsec_exec_file_lock);
47532 + read_unlock(&tasklist_lock);
47534 + if (retmode & GR_NOPTRACE)
47537 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
47538 + && (current->acl != task->acl || (current->acl != current->role->root_label
47539 + && current->pid != task->pid)))
47545 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
47547 + if (unlikely(!(gr_status & GR_READY)))
47550 + if (!(current->role->roletype & GR_ROLE_GOD))
47553 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
47554 + p->role->rolename, gr_task_roletype_to_char(p),
47555 + p->acl->filename);
47559 +gr_handle_ptrace(struct task_struct *task, const long request)
47561 + struct task_struct *tmp = task;
47562 + struct task_struct *curtemp = current;
47565 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
47566 + if (unlikely(!(gr_status & GR_READY)))
47570 + read_lock(&tasklist_lock);
47571 + while (tmp->pid > 0) {
47572 + if (tmp == curtemp)
47574 + tmp = tmp->real_parent;
47577 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
47578 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
47579 + read_unlock(&tasklist_lock);
47580 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
47583 + read_unlock(&tasklist_lock);
47585 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
47586 + if (!(gr_status & GR_READY))
47590 + read_lock(&grsec_exec_file_lock);
47591 + if (unlikely(!task->exec_file)) {
47592 + read_unlock(&grsec_exec_file_lock);
47596 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
47597 + read_unlock(&grsec_exec_file_lock);
47599 + if (retmode & GR_NOPTRACE) {
47600 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
47604 + if (retmode & GR_PTRACERD) {
47605 + switch (request) {
47606 + case PTRACE_POKETEXT:
47607 + case PTRACE_POKEDATA:
47608 + case PTRACE_POKEUSR:
47609 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
47610 + case PTRACE_SETREGS:
47611 + case PTRACE_SETFPREGS:
47614 + case PTRACE_SETFPXREGS:
47616 +#ifdef CONFIG_ALTIVEC
47617 + case PTRACE_SETVRREGS:
47623 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
47624 + !(current->role->roletype & GR_ROLE_GOD) &&
47625 + (current->acl != task->acl)) {
47626 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
47633 +static int is_writable_mmap(const struct file *filp)
47635 + struct task_struct *task = current;
47636 + struct acl_object_label *obj, *obj2;
47638 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
47639 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && (filp->f_path.mnt != shm_mnt || (filp->f_path.dentry->d_inode->i_nlink > 0))) {
47640 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
47641 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
47642 + task->role->root_label);
47643 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
47644 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
47652 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
47656 + if (unlikely(!file || !(prot & PROT_EXEC)))
47659 + if (is_writable_mmap(file))
47663 + gr_search_file(file->f_path.dentry,
47664 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
47665 + file->f_path.mnt);
47667 + if (!gr_tpe_allow(file))
47670 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
47671 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
47673 + } else if (unlikely(!(mode & GR_EXEC))) {
47675 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
47676 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
47684 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
47688 + if (unlikely(!file || !(prot & PROT_EXEC)))
47691 + if (is_writable_mmap(file))
47695 + gr_search_file(file->f_path.dentry,
47696 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
47697 + file->f_path.mnt);
47699 + if (!gr_tpe_allow(file))
47702 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
47703 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
47705 + } else if (unlikely(!(mode & GR_EXEC))) {
47707 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
47708 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
47716 +gr_acl_handle_psacct(struct task_struct *task, const long code)
47718 + unsigned long runtime;
47719 + unsigned long cputime;
47720 + unsigned int wday, cday;
47724 + struct timespec timeval;
47726 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
47727 + !(task->acl->mode & GR_PROCACCT)))
47730 + do_posix_clock_monotonic_gettime(&timeval);
47731 + runtime = timeval.tv_sec - task->start_time.tv_sec;
47732 + wday = runtime / (3600 * 24);
47733 + runtime -= wday * (3600 * 24);
47734 + whr = runtime / 3600;
47735 + runtime -= whr * 3600;
47736 + wmin = runtime / 60;
47737 + runtime -= wmin * 60;
47740 + cputime = (task->utime + task->stime) / HZ;
47741 + cday = cputime / (3600 * 24);
47742 + cputime -= cday * (3600 * 24);
47743 + chr = cputime / 3600;
47744 + cputime -= chr * 3600;
47745 + cmin = cputime / 60;
47746 + cputime -= cmin * 60;
47749 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
47754 +void gr_set_kernel_label(struct task_struct *task)
47756 + if (gr_status & GR_READY) {
47757 + task->role = kernel_role;
47758 + task->acl = kernel_role->root_label;
47763 +#ifdef CONFIG_TASKSTATS
47764 +int gr_is_taskstats_denied(int pid)
47766 + struct task_struct *task;
47767 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47768 + const struct cred *cred;
47772 + /* restrict taskstats viewing to un-chrooted root users
47773 + who have the 'view' subject flag if the RBAC system is enabled
47777 + read_lock(&tasklist_lock);
47778 + task = find_task_by_vpid(pid);
47780 +#ifdef CONFIG_GRKERNSEC_CHROOT
47781 + if (proc_is_chrooted(task))
47784 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47785 + cred = __task_cred(task);
47786 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47787 + if (cred->uid != 0)
47789 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47790 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
47794 + if (gr_status & GR_READY) {
47795 + if (!(task->acl->mode & GR_VIEW))
47801 + read_unlock(&tasklist_lock);
47802 + rcu_read_unlock();
47808 +/* AUXV entries are filled via a descendant of search_binary_handler
47809 + after we've already applied the subject for the target
47811 +int gr_acl_enable_at_secure(void)
47813 + if (unlikely(!(gr_status & GR_READY)))
47816 + if (current->acl->mode & GR_ATSECURE)
47822 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
47824 + struct task_struct *task = current;
47825 + struct dentry *dentry = file->f_path.dentry;
47826 + struct vfsmount *mnt = file->f_path.mnt;
47827 + struct acl_object_label *obj, *tmp;
47828 + struct acl_subject_label *subj;
47829 + unsigned int bufsize;
47832 + dev_t dev = __get_dev(dentry);
47834 + if (unlikely(!(gr_status & GR_READY)))
47837 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
47840 + /* ignore Eric Biederman */
47841 + if (IS_PRIVATE(dentry->d_inode))
47844 + subj = task->acl;
47846 + obj = lookup_acl_obj_label(ino, dev, subj);
47848 + return (obj->mode & GR_FIND) ? 1 : 0;
47849 + } while ((subj = subj->parent_subject));
47851 + /* this is purely an optimization since we're looking for an object
47852 + for the directory we're doing a readdir on
47853 + if it's possible for any globbed object to match the entry we're
47854 + filling into the directory, then the object we find here will be
47855 + an anchor point with attached globbed objects
47857 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
47858 + if (obj->globbed == NULL)
47859 + return (obj->mode & GR_FIND) ? 1 : 0;
47861 + is_not_root = ((obj->filename[0] == '/') &&
47862 + (obj->filename[1] == '\0')) ? 0 : 1;
47863 + bufsize = PAGE_SIZE - namelen - is_not_root;
47865 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
47866 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
47869 + preempt_disable();
47870 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
47873 + bufsize = strlen(path);
47875 + /* if base is "/", don't append an additional slash */
47877 + *(path + bufsize) = '/';
47878 + memcpy(path + bufsize + is_not_root, name, namelen);
47879 + *(path + bufsize + namelen + is_not_root) = '\0';
47881 + tmp = obj->globbed;
47883 + if (!glob_match(tmp->filename, path)) {
47884 + preempt_enable();
47885 + return (tmp->mode & GR_FIND) ? 1 : 0;
47889 + preempt_enable();
47890 + return (obj->mode & GR_FIND) ? 1 : 0;
47893 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
47894 +EXPORT_SYMBOL(gr_acl_is_enabled);
47896 +EXPORT_SYMBOL(gr_learn_resource);
47897 +EXPORT_SYMBOL(gr_set_kernel_label);
47898 +#ifdef CONFIG_SECURITY
47899 +EXPORT_SYMBOL(gr_check_user_change);
47900 +EXPORT_SYMBOL(gr_check_group_change);
47903 diff -urNp linux-2.6.32.42/grsecurity/gracl_cap.c linux-2.6.32.42/grsecurity/gracl_cap.c
47904 --- linux-2.6.32.42/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
47905 +++ linux-2.6.32.42/grsecurity/gracl_cap.c 2011-04-17 15:56:46.000000000 -0400
47907 +#include <linux/kernel.h>
47908 +#include <linux/module.h>
47909 +#include <linux/sched.h>
47910 +#include <linux/gracl.h>
47911 +#include <linux/grsecurity.h>
47912 +#include <linux/grinternal.h>
47914 +static const char *captab_log[] = {
47916 + "CAP_DAC_OVERRIDE",
47917 + "CAP_DAC_READ_SEARCH",
47924 + "CAP_LINUX_IMMUTABLE",
47925 + "CAP_NET_BIND_SERVICE",
47926 + "CAP_NET_BROADCAST",
47931 + "CAP_SYS_MODULE",
47933 + "CAP_SYS_CHROOT",
47934 + "CAP_SYS_PTRACE",
47939 + "CAP_SYS_RESOURCE",
47941 + "CAP_SYS_TTY_CONFIG",
47944 + "CAP_AUDIT_WRITE",
47945 + "CAP_AUDIT_CONTROL",
47947 + "CAP_MAC_OVERRIDE",
47951 +EXPORT_SYMBOL(gr_is_capable);
47952 +EXPORT_SYMBOL(gr_is_capable_nolog);
47955 +gr_is_capable(const int cap)
47957 + struct task_struct *task = current;
47958 + const struct cred *cred = current_cred();
47959 + struct acl_subject_label *curracl;
47960 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
47961 + kernel_cap_t cap_audit = __cap_empty_set;
47963 + if (!gr_acl_is_enabled())
47966 + curracl = task->acl;
47968 + cap_drop = curracl->cap_lower;
47969 + cap_mask = curracl->cap_mask;
47970 + cap_audit = curracl->cap_invert_audit;
47972 + while ((curracl = curracl->parent_subject)) {
47973 + /* if the cap isn't specified in the current computed mask but is specified in the
47974 + current level subject, and is lowered in the current level subject, then add
47975 + it to the set of dropped capabilities
47976 + otherwise, add the current level subject's mask to the current computed mask
47978 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
47979 + cap_raise(cap_mask, cap);
47980 + if (cap_raised(curracl->cap_lower, cap))
47981 + cap_raise(cap_drop, cap);
47982 + if (cap_raised(curracl->cap_invert_audit, cap))
47983 + cap_raise(cap_audit, cap);
47987 + if (!cap_raised(cap_drop, cap)) {
47988 + if (cap_raised(cap_audit, cap))
47989 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
47993 + curracl = task->acl;
47995 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
47996 + && cap_raised(cred->cap_effective, cap)) {
47997 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
47998 + task->role->roletype, cred->uid,
47999 + cred->gid, task->exec_file ?
48000 + gr_to_filename(task->exec_file->f_path.dentry,
48001 + task->exec_file->f_path.mnt) : curracl->filename,
48002 + curracl->filename, 0UL,
48003 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
48007 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
48008 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
48013 +gr_is_capable_nolog(const int cap)
48015 + struct acl_subject_label *curracl;
48016 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
48018 + if (!gr_acl_is_enabled())
48021 + curracl = current->acl;
48023 + cap_drop = curracl->cap_lower;
48024 + cap_mask = curracl->cap_mask;
48026 + while ((curracl = curracl->parent_subject)) {
48027 + /* if the cap isn't specified in the current computed mask but is specified in the
48028 + current level subject, and is lowered in the current level subject, then add
48029 + it to the set of dropped capabilities
48030 + otherwise, add the current level subject's mask to the current computed mask
48032 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
48033 + cap_raise(cap_mask, cap);
48034 + if (cap_raised(curracl->cap_lower, cap))
48035 + cap_raise(cap_drop, cap);
48039 + if (!cap_raised(cap_drop, cap))
48045 diff -urNp linux-2.6.32.42/grsecurity/gracl_fs.c linux-2.6.32.42/grsecurity/gracl_fs.c
48046 --- linux-2.6.32.42/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
48047 +++ linux-2.6.32.42/grsecurity/gracl_fs.c 2011-04-17 15:56:46.000000000 -0400
48049 +#include <linux/kernel.h>
48050 +#include <linux/sched.h>
48051 +#include <linux/types.h>
48052 +#include <linux/fs.h>
48053 +#include <linux/file.h>
48054 +#include <linux/stat.h>
48055 +#include <linux/grsecurity.h>
48056 +#include <linux/grinternal.h>
48057 +#include <linux/gracl.h>
48060 +gr_acl_handle_hidden_file(const struct dentry * dentry,
48061 + const struct vfsmount * mnt)
48065 + if (unlikely(!dentry->d_inode))
48069 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
48071 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
48072 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
48074 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
48075 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
48077 + } else if (unlikely(!(mode & GR_FIND)))
48084 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
48087 + __u32 reqmode = GR_FIND;
48090 + if (unlikely(!dentry->d_inode))
48093 + if (unlikely(fmode & O_APPEND))
48094 + reqmode |= GR_APPEND;
48095 + else if (unlikely(fmode & FMODE_WRITE))
48096 + reqmode |= GR_WRITE;
48097 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
48098 + reqmode |= GR_READ;
48099 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
48100 + reqmode &= ~GR_READ;
48102 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
48105 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
48106 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
48107 + reqmode & GR_READ ? " reading" : "",
48108 + reqmode & GR_WRITE ? " writing" : reqmode &
48109 + GR_APPEND ? " appending" : "");
48112 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
48114 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
48115 + reqmode & GR_READ ? " reading" : "",
48116 + reqmode & GR_WRITE ? " writing" : reqmode &
48117 + GR_APPEND ? " appending" : "");
48119 + } else if (unlikely((mode & reqmode) != reqmode))
48126 +gr_acl_handle_creat(const struct dentry * dentry,
48127 + const struct dentry * p_dentry,
48128 + const struct vfsmount * p_mnt, const int fmode,
48131 + __u32 reqmode = GR_WRITE | GR_CREATE;
48134 + if (unlikely(fmode & O_APPEND))
48135 + reqmode |= GR_APPEND;
48136 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
48137 + reqmode |= GR_READ;
48138 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
48139 + reqmode |= GR_SETID;
48142 + gr_check_create(dentry, p_dentry, p_mnt,
48143 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
48145 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
48146 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
48147 + reqmode & GR_READ ? " reading" : "",
48148 + reqmode & GR_WRITE ? " writing" : reqmode &
48149 + GR_APPEND ? " appending" : "");
48152 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
48154 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
48155 + reqmode & GR_READ ? " reading" : "",
48156 + reqmode & GR_WRITE ? " writing" : reqmode &
48157 + GR_APPEND ? " appending" : "");
48159 + } else if (unlikely((mode & reqmode) != reqmode))
48166 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
48169 + __u32 mode, reqmode = GR_FIND;
48171 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
48172 + reqmode |= GR_EXEC;
48173 + if (fmode & S_IWOTH)
48174 + reqmode |= GR_WRITE;
48175 + if (fmode & S_IROTH)
48176 + reqmode |= GR_READ;
48179 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
48182 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
48183 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
48184 + reqmode & GR_READ ? " reading" : "",
48185 + reqmode & GR_WRITE ? " writing" : "",
48186 + reqmode & GR_EXEC ? " executing" : "");
48189 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
48191 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
48192 + reqmode & GR_READ ? " reading" : "",
48193 + reqmode & GR_WRITE ? " writing" : "",
48194 + reqmode & GR_EXEC ? " executing" : "");
48196 + } else if (unlikely((mode & reqmode) != reqmode))
48202 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
48206 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
48208 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
48209 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
48211 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
48212 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
48214 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
48217 + return (reqmode);
48221 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
48223 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
48227 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
48229 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
48233 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
48235 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
48239 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
48241 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
48245 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
48248 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
48251 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
48252 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
48253 + GR_FCHMOD_ACL_MSG);
48255 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
48260 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
48263 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
48264 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
48265 + GR_CHMOD_ACL_MSG);
48267 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
48272 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
48274 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
48278 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
48280 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
48284 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
48286 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
48290 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
48292 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
48293 + GR_UNIXCONNECT_ACL_MSG);
48296 +/* hardlinks require at minimum create permission,
48297 + any additional privilege required is based on the
48298 + privilege of the file being linked to
48301 +gr_acl_handle_link(const struct dentry * new_dentry,
48302 + const struct dentry * parent_dentry,
48303 + const struct vfsmount * parent_mnt,
48304 + const struct dentry * old_dentry,
48305 + const struct vfsmount * old_mnt, const char *to)
48308 + __u32 needmode = GR_CREATE | GR_LINK;
48309 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
48312 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
48315 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
48316 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
48318 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
48319 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
48321 + } else if (unlikely((mode & needmode) != needmode))
48328 +gr_acl_handle_symlink(const struct dentry * new_dentry,
48329 + const struct dentry * parent_dentry,
48330 + const struct vfsmount * parent_mnt, const char *from)
48332 + __u32 needmode = GR_WRITE | GR_CREATE;
48336 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
48337 + GR_CREATE | GR_AUDIT_CREATE |
48338 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
48340 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
48341 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
48343 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
48344 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
48346 + } else if (unlikely((mode & needmode) != needmode))
48349 + return (GR_WRITE | GR_CREATE);
48352 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
48356 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
48358 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
48359 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
48361 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
48362 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
48364 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
48367 + return (reqmode);
48371 +gr_acl_handle_mknod(const struct dentry * new_dentry,
48372 + const struct dentry * parent_dentry,
48373 + const struct vfsmount * parent_mnt,
48376 + __u32 reqmode = GR_WRITE | GR_CREATE;
48377 + if (unlikely(mode & (S_ISUID | S_ISGID)))
48378 + reqmode |= GR_SETID;
48380 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
48381 + reqmode, GR_MKNOD_ACL_MSG);
48385 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
48386 + const struct dentry *parent_dentry,
48387 + const struct vfsmount *parent_mnt)
48389 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
48390 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
48393 +#define RENAME_CHECK_SUCCESS(old, new) \
48394 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
48395 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
48398 +gr_acl_handle_rename(struct dentry *new_dentry,
48399 + struct dentry *parent_dentry,
48400 + const struct vfsmount *parent_mnt,
48401 + struct dentry *old_dentry,
48402 + struct inode *old_parent_inode,
48403 + struct vfsmount *old_mnt, const char *newname)
48405 + __u32 comp1, comp2;
48408 + if (unlikely(!gr_acl_is_enabled()))
48411 + if (!new_dentry->d_inode) {
48412 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
48413 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
48414 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
48415 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
48416 + GR_DELETE | GR_AUDIT_DELETE |
48417 + GR_AUDIT_READ | GR_AUDIT_WRITE |
48418 + GR_SUPPRESS, old_mnt);
48420 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
48421 + GR_CREATE | GR_DELETE |
48422 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
48423 + GR_AUDIT_READ | GR_AUDIT_WRITE |
48424 + GR_SUPPRESS, parent_mnt);
48426 + gr_search_file(old_dentry,
48427 + GR_READ | GR_WRITE | GR_AUDIT_READ |
48428 + GR_DELETE | GR_AUDIT_DELETE |
48429 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
48432 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
48433 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
48434 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
48435 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
48436 + && !(comp2 & GR_SUPPRESS)) {
48437 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
48439 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
48446 +gr_acl_handle_exit(void)
48450 + struct file *exec_file;
48452 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled() &&
48453 + !(current->role->roletype & GR_ROLE_PERSIST))) {
48454 + id = current->acl_role_id;
48455 + rolename = current->role->rolename;
48457 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
48460 + write_lock(&grsec_exec_file_lock);
48461 + exec_file = current->exec_file;
48462 + current->exec_file = NULL;
48463 + write_unlock(&grsec_exec_file_lock);
48470 +gr_acl_handle_procpidmem(const struct task_struct *task)
48472 + if (unlikely(!gr_acl_is_enabled()))
48475 + if (task != current && task->acl->mode & GR_PROTPROCFD)
48480 diff -urNp linux-2.6.32.42/grsecurity/gracl_ip.c linux-2.6.32.42/grsecurity/gracl_ip.c
48481 --- linux-2.6.32.42/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
48482 +++ linux-2.6.32.42/grsecurity/gracl_ip.c 2011-04-17 15:56:46.000000000 -0400
48484 +#include <linux/kernel.h>
48485 +#include <asm/uaccess.h>
48486 +#include <asm/errno.h>
48487 +#include <net/sock.h>
48488 +#include <linux/file.h>
48489 +#include <linux/fs.h>
48490 +#include <linux/net.h>
48491 +#include <linux/in.h>
48492 +#include <linux/skbuff.h>
48493 +#include <linux/ip.h>
48494 +#include <linux/udp.h>
48495 +#include <linux/smp_lock.h>
48496 +#include <linux/types.h>
48497 +#include <linux/sched.h>
48498 +#include <linux/netdevice.h>
48499 +#include <linux/inetdevice.h>
48500 +#include <linux/gracl.h>
48501 +#include <linux/grsecurity.h>
48502 +#include <linux/grinternal.h>
48504 +#define GR_BIND 0x01
48505 +#define GR_CONNECT 0x02
48506 +#define GR_INVERT 0x04
48507 +#define GR_BINDOVERRIDE 0x08
48508 +#define GR_CONNECTOVERRIDE 0x10
48509 +#define GR_SOCK_FAMILY 0x20
48511 +static const char * gr_protocols[IPPROTO_MAX] = {
48512 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
48513 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
48514 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
48515 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
48516 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
48517 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
48518 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
48519 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
48520 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
48521 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
48522 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
48523 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
48524 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
48525 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
48526 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
48527 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
48528 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
48529 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
48530 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
48531 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
48532 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
48533 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
48534 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
48535 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
48536 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
48537 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
48538 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
48539 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
48540 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
48541 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
48542 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
48543 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
48546 +static const char * gr_socktypes[SOCK_MAX] = {
48547 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
48548 + "unknown:7", "unknown:8", "unknown:9", "packet"
48551 +static const char * gr_sockfamilies[AF_MAX+1] = {
48552 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
48553 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
48554 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
48555 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154"
48559 +gr_proto_to_name(unsigned char proto)
48561 + return gr_protocols[proto];
48565 +gr_socktype_to_name(unsigned char type)
48567 + return gr_socktypes[type];
48571 +gr_sockfamily_to_name(unsigned char family)
48573 + return gr_sockfamilies[family];
48577 +gr_search_socket(const int domain, const int type, const int protocol)
48579 + struct acl_subject_label *curr;
48580 + const struct cred *cred = current_cred();
48582 + if (unlikely(!gr_acl_is_enabled()))
48585 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
48586 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
48587 + goto exit; // let the kernel handle it
48589 + curr = current->acl;
48591 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
48592 + /* the family is allowed, if this is PF_INET allow it only if
48593 + the extra sock type/protocol checks pass */
48594 + if (domain == PF_INET)
48598 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
48599 + __u32 fakeip = 0;
48600 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
48601 + current->role->roletype, cred->uid,
48602 + cred->gid, current->exec_file ?
48603 + gr_to_filename(current->exec_file->f_path.dentry,
48604 + current->exec_file->f_path.mnt) :
48605 + curr->filename, curr->filename,
48606 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
48607 + ¤t->signal->saved_ip);
48614 + /* the rest of this checking is for IPv4 only */
48618 + if ((curr->ip_type & (1 << type)) &&
48619 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
48622 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
48623 + /* we don't place acls on raw sockets , and sometimes
48624 + dgram/ip sockets are opened for ioctl and not
48625 + bind/connect, so we'll fake a bind learn log */
48626 + if (type == SOCK_RAW || type == SOCK_PACKET) {
48627 + __u32 fakeip = 0;
48628 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
48629 + current->role->roletype, cred->uid,
48630 + cred->gid, current->exec_file ?
48631 + gr_to_filename(current->exec_file->f_path.dentry,
48632 + current->exec_file->f_path.mnt) :
48633 + curr->filename, curr->filename,
48634 + &fakeip, 0, type,
48635 + protocol, GR_CONNECT, ¤t->signal->saved_ip);
48636 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
48637 + __u32 fakeip = 0;
48638 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
48639 + current->role->roletype, cred->uid,
48640 + cred->gid, current->exec_file ?
48641 + gr_to_filename(current->exec_file->f_path.dentry,
48642 + current->exec_file->f_path.mnt) :
48643 + curr->filename, curr->filename,
48644 + &fakeip, 0, type,
48645 + protocol, GR_BIND, ¤t->signal->saved_ip);
48647 + /* we'll log when they use connect or bind */
48652 + if (domain == PF_INET)
48653 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
48654 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
48656 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
48657 + gr_socktype_to_name(type), protocol);
48664 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
48666 + if ((ip->mode & mode) &&
48667 + (ip_port >= ip->low) &&
48668 + (ip_port <= ip->high) &&
48669 + ((ntohl(ip_addr) & our_netmask) ==
48670 + (ntohl(our_addr) & our_netmask))
48671 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
48672 + && (ip->type & (1 << type))) {
48673 + if (ip->mode & GR_INVERT)
48674 + return 2; // specifically denied
48676 + return 1; // allowed
48679 + return 0; // not specifically allowed, may continue parsing
48683 +gr_search_connectbind(const int full_mode, struct sock *sk,
48684 + struct sockaddr_in *addr, const int type)
48686 + char iface[IFNAMSIZ] = {0};
48687 + struct acl_subject_label *curr;
48688 + struct acl_ip_label *ip;
48689 + struct inet_sock *isk;
48690 + struct net_device *dev;
48691 + struct in_device *idev;
48694 + int mode = full_mode & (GR_BIND | GR_CONNECT);
48695 + __u32 ip_addr = 0;
48697 + __u32 our_netmask;
48699 + __u16 ip_port = 0;
48700 + const struct cred *cred = current_cred();
48702 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
48705 + curr = current->acl;
48706 + isk = inet_sk(sk);
48708 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
48709 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
48710 + addr->sin_addr.s_addr = curr->inaddr_any_override;
48711 + if ((full_mode & GR_CONNECT) && isk->saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
48712 + struct sockaddr_in saddr;
48715 + saddr.sin_family = AF_INET;
48716 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
48717 + saddr.sin_port = isk->sport;
48719 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
48723 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
48731 + ip_addr = addr->sin_addr.s_addr;
48732 + ip_port = ntohs(addr->sin_port);
48734 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
48735 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
48736 + current->role->roletype, cred->uid,
48737 + cred->gid, current->exec_file ?
48738 + gr_to_filename(current->exec_file->f_path.dentry,
48739 + current->exec_file->f_path.mnt) :
48740 + curr->filename, curr->filename,
48741 + &ip_addr, ip_port, type,
48742 + sk->sk_protocol, mode, ¤t->signal->saved_ip);
48746 + for (i = 0; i < curr->ip_num; i++) {
48747 + ip = *(curr->ips + i);
48748 + if (ip->iface != NULL) {
48749 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
48750 + p = strchr(iface, ':');
48753 + dev = dev_get_by_name(sock_net(sk), iface);
48756 + idev = in_dev_get(dev);
48757 + if (idev == NULL) {
48763 + if (!strcmp(ip->iface, ifa->ifa_label)) {
48764 + our_addr = ifa->ifa_address;
48765 + our_netmask = 0xffffffff;
48766 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
48768 + rcu_read_unlock();
48769 + in_dev_put(idev);
48772 + } else if (ret == 2) {
48773 + rcu_read_unlock();
48774 + in_dev_put(idev);
48779 + } endfor_ifa(idev);
48780 + rcu_read_unlock();
48781 + in_dev_put(idev);
48784 + our_addr = ip->addr;
48785 + our_netmask = ip->netmask;
48786 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
48789 + else if (ret == 2)
48795 + if (mode == GR_BIND)
48796 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
48797 + else if (mode == GR_CONNECT)
48798 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
48804 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
48806 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
48810 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
48812 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
48815 +int gr_search_listen(struct socket *sock)
48817 + struct sock *sk = sock->sk;
48818 + struct sockaddr_in addr;
48820 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
48821 + addr.sin_port = inet_sk(sk)->sport;
48823 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
48826 +int gr_search_accept(struct socket *sock)
48828 + struct sock *sk = sock->sk;
48829 + struct sockaddr_in addr;
48831 + addr.sin_addr.s_addr = inet_sk(sk)->saddr;
48832 + addr.sin_port = inet_sk(sk)->sport;
48834 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
48838 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
48841 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
48843 + struct sockaddr_in sin;
48844 + const struct inet_sock *inet = inet_sk(sk);
48846 + sin.sin_addr.s_addr = inet->daddr;
48847 + sin.sin_port = inet->dport;
48849 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
48854 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
48856 + struct sockaddr_in sin;
48858 + if (unlikely(skb->len < sizeof (struct udphdr)))
48859 + return 0; // skip this packet
48861 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
48862 + sin.sin_port = udp_hdr(skb)->source;
48864 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
48866 diff -urNp linux-2.6.32.42/grsecurity/gracl_learn.c linux-2.6.32.42/grsecurity/gracl_learn.c
48867 --- linux-2.6.32.42/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
48868 +++ linux-2.6.32.42/grsecurity/gracl_learn.c 2011-04-17 15:56:46.000000000 -0400
48870 +#include <linux/kernel.h>
48871 +#include <linux/mm.h>
48872 +#include <linux/sched.h>
48873 +#include <linux/poll.h>
48874 +#include <linux/smp_lock.h>
48875 +#include <linux/string.h>
48876 +#include <linux/file.h>
48877 +#include <linux/types.h>
48878 +#include <linux/vmalloc.h>
48879 +#include <linux/grinternal.h>
48881 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
48882 + size_t count, loff_t *ppos);
48883 +extern int gr_acl_is_enabled(void);
48885 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
48886 +static int gr_learn_attached;
48888 +/* use a 512k buffer */
48889 +#define LEARN_BUFFER_SIZE (512 * 1024)
48891 +static DEFINE_SPINLOCK(gr_learn_lock);
48892 +static DEFINE_MUTEX(gr_learn_user_mutex);
48894 +/* we need to maintain two buffers, so that the kernel context of grlearn
48895 + uses a semaphore around the userspace copying, and the other kernel contexts
48896 + use a spinlock when copying into the buffer, since they cannot sleep
48898 +static char *learn_buffer;
48899 +static char *learn_buffer_user;
48900 +static int learn_buffer_len;
48901 +static int learn_buffer_user_len;
48904 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
48906 + DECLARE_WAITQUEUE(wait, current);
48907 + ssize_t retval = 0;
48909 + add_wait_queue(&learn_wait, &wait);
48910 + set_current_state(TASK_INTERRUPTIBLE);
48912 + mutex_lock(&gr_learn_user_mutex);
48913 + spin_lock(&gr_learn_lock);
48914 + if (learn_buffer_len)
48916 + spin_unlock(&gr_learn_lock);
48917 + mutex_unlock(&gr_learn_user_mutex);
48918 + if (file->f_flags & O_NONBLOCK) {
48919 + retval = -EAGAIN;
48922 + if (signal_pending(current)) {
48923 + retval = -ERESTARTSYS;
48930 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
48931 + learn_buffer_user_len = learn_buffer_len;
48932 + retval = learn_buffer_len;
48933 + learn_buffer_len = 0;
48935 + spin_unlock(&gr_learn_lock);
48937 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
48938 + retval = -EFAULT;
48940 + mutex_unlock(&gr_learn_user_mutex);
48942 + set_current_state(TASK_RUNNING);
48943 + remove_wait_queue(&learn_wait, &wait);
48947 +static unsigned int
48948 +poll_learn(struct file * file, poll_table * wait)
48950 + poll_wait(file, &learn_wait, wait);
48952 + if (learn_buffer_len)
48953 + return (POLLIN | POLLRDNORM);
48959 +gr_clear_learn_entries(void)
48963 + mutex_lock(&gr_learn_user_mutex);
48964 + if (learn_buffer != NULL) {
48965 + spin_lock(&gr_learn_lock);
48966 + tmp = learn_buffer;
48967 + learn_buffer = NULL;
48968 + spin_unlock(&gr_learn_lock);
48969 + vfree(learn_buffer);
48971 + if (learn_buffer_user != NULL) {
48972 + vfree(learn_buffer_user);
48973 + learn_buffer_user = NULL;
48975 + learn_buffer_len = 0;
48976 + mutex_unlock(&gr_learn_user_mutex);
48982 +gr_add_learn_entry(const char *fmt, ...)
48985 + unsigned int len;
48987 + if (!gr_learn_attached)
48990 + spin_lock(&gr_learn_lock);
48992 + /* leave a gap at the end so we know when it's "full" but don't have to
48993 + compute the exact length of the string we're trying to append
48995 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
48996 + spin_unlock(&gr_learn_lock);
48997 + wake_up_interruptible(&learn_wait);
49000 + if (learn_buffer == NULL) {
49001 + spin_unlock(&gr_learn_lock);
49005 + va_start(args, fmt);
49006 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
49009 + learn_buffer_len += len + 1;
49011 + spin_unlock(&gr_learn_lock);
49012 + wake_up_interruptible(&learn_wait);
49018 +open_learn(struct inode *inode, struct file *file)
49020 + if (file->f_mode & FMODE_READ && gr_learn_attached)
49022 + if (file->f_mode & FMODE_READ) {
49024 + mutex_lock(&gr_learn_user_mutex);
49025 + if (learn_buffer == NULL)
49026 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
49027 + if (learn_buffer_user == NULL)
49028 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
49029 + if (learn_buffer == NULL) {
49030 + retval = -ENOMEM;
49033 + if (learn_buffer_user == NULL) {
49034 + retval = -ENOMEM;
49037 + learn_buffer_len = 0;
49038 + learn_buffer_user_len = 0;
49039 + gr_learn_attached = 1;
49041 + mutex_unlock(&gr_learn_user_mutex);
49048 +close_learn(struct inode *inode, struct file *file)
49052 + if (file->f_mode & FMODE_READ) {
49053 + mutex_lock(&gr_learn_user_mutex);
49054 + if (learn_buffer != NULL) {
49055 + spin_lock(&gr_learn_lock);
49056 + tmp = learn_buffer;
49057 + learn_buffer = NULL;
49058 + spin_unlock(&gr_learn_lock);
49061 + if (learn_buffer_user != NULL) {
49062 + vfree(learn_buffer_user);
49063 + learn_buffer_user = NULL;
49065 + learn_buffer_len = 0;
49066 + learn_buffer_user_len = 0;
49067 + gr_learn_attached = 0;
49068 + mutex_unlock(&gr_learn_user_mutex);
49074 +const struct file_operations grsec_fops = {
49075 + .read = read_learn,
49076 + .write = write_grsec_handler,
49077 + .open = open_learn,
49078 + .release = close_learn,
49079 + .poll = poll_learn,
49081 diff -urNp linux-2.6.32.42/grsecurity/gracl_res.c linux-2.6.32.42/grsecurity/gracl_res.c
49082 --- linux-2.6.32.42/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
49083 +++ linux-2.6.32.42/grsecurity/gracl_res.c 2011-04-17 15:56:46.000000000 -0400
49085 +#include <linux/kernel.h>
49086 +#include <linux/sched.h>
49087 +#include <linux/gracl.h>
49088 +#include <linux/grinternal.h>
49090 +static const char *restab_log[] = {
49091 + [RLIMIT_CPU] = "RLIMIT_CPU",
49092 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
49093 + [RLIMIT_DATA] = "RLIMIT_DATA",
49094 + [RLIMIT_STACK] = "RLIMIT_STACK",
49095 + [RLIMIT_CORE] = "RLIMIT_CORE",
49096 + [RLIMIT_RSS] = "RLIMIT_RSS",
49097 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
49098 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
49099 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
49100 + [RLIMIT_AS] = "RLIMIT_AS",
49101 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
49102 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
49103 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
49104 + [RLIMIT_NICE] = "RLIMIT_NICE",
49105 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
49106 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
49107 + [GR_CRASH_RES] = "RLIMIT_CRASH"
49111 +gr_log_resource(const struct task_struct *task,
49112 + const int res, const unsigned long wanted, const int gt)
49114 + const struct cred *cred;
49115 + unsigned long rlim;
49117 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
49120 + // not yet supported resource
49121 + if (unlikely(!restab_log[res]))
49124 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
49125 + rlim = task->signal->rlim[res].rlim_max;
49127 + rlim = task->signal->rlim[res].rlim_cur;
49128 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
49132 + cred = __task_cred(task);
49134 + if (res == RLIMIT_NPROC &&
49135 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
49136 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
49137 + goto out_rcu_unlock;
49138 + else if (res == RLIMIT_MEMLOCK &&
49139 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
49140 + goto out_rcu_unlock;
49141 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
49142 + goto out_rcu_unlock;
49143 + rcu_read_unlock();
49145 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
49149 + rcu_read_unlock();
49152 diff -urNp linux-2.6.32.42/grsecurity/gracl_segv.c linux-2.6.32.42/grsecurity/gracl_segv.c
49153 --- linux-2.6.32.42/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
49154 +++ linux-2.6.32.42/grsecurity/gracl_segv.c 2011-04-17 15:56:46.000000000 -0400
49156 +#include <linux/kernel.h>
49157 +#include <linux/mm.h>
49158 +#include <asm/uaccess.h>
49159 +#include <asm/errno.h>
49160 +#include <asm/mman.h>
49161 +#include <net/sock.h>
49162 +#include <linux/file.h>
49163 +#include <linux/fs.h>
49164 +#include <linux/net.h>
49165 +#include <linux/in.h>
49166 +#include <linux/smp_lock.h>
49167 +#include <linux/slab.h>
49168 +#include <linux/types.h>
49169 +#include <linux/sched.h>
49170 +#include <linux/timer.h>
49171 +#include <linux/gracl.h>
49172 +#include <linux/grsecurity.h>
49173 +#include <linux/grinternal.h>
49175 +static struct crash_uid *uid_set;
49176 +static unsigned short uid_used;
49177 +static DEFINE_SPINLOCK(gr_uid_lock);
49178 +extern rwlock_t gr_inode_lock;
49179 +extern struct acl_subject_label *
49180 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
49181 + struct acl_role_label *role);
49182 +extern int gr_fake_force_sig(int sig, struct task_struct *t);
49185 +gr_init_uidset(void)
49188 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
49191 + return uid_set ? 1 : 0;
49195 +gr_free_uidset(void)
49204 +gr_find_uid(const uid_t uid)
49206 + struct crash_uid *tmp = uid_set;
49208 + int low = 0, high = uid_used - 1, mid;
49210 + while (high >= low) {
49211 + mid = (low + high) >> 1;
49212 + buid = tmp[mid].uid;
49224 +static __inline__ void
49225 +gr_insertsort(void)
49227 + unsigned short i, j;
49228 + struct crash_uid index;
49230 + for (i = 1; i < uid_used; i++) {
49231 + index = uid_set[i];
49233 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
49234 + uid_set[j] = uid_set[j - 1];
49237 + uid_set[j] = index;
49243 +static __inline__ void
49244 +gr_insert_uid(const uid_t uid, const unsigned long expires)
49248 + if (uid_used == GR_UIDTABLE_MAX)
49251 + loc = gr_find_uid(uid);
49254 + uid_set[loc].expires = expires;
49258 + uid_set[uid_used].uid = uid;
49259 + uid_set[uid_used].expires = expires;
49268 +gr_remove_uid(const unsigned short loc)
49270 + unsigned short i;
49272 + for (i = loc + 1; i < uid_used; i++)
49273 + uid_set[i - 1] = uid_set[i];
49281 +gr_check_crash_uid(const uid_t uid)
49286 + if (unlikely(!gr_acl_is_enabled()))
49289 + spin_lock(&gr_uid_lock);
49290 + loc = gr_find_uid(uid);
49295 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
49296 + gr_remove_uid(loc);
49301 + spin_unlock(&gr_uid_lock);
49305 +static __inline__ int
49306 +proc_is_setxid(const struct cred *cred)
49308 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
49309 + cred->uid != cred->fsuid)
49311 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
49312 + cred->gid != cred->fsgid)
49319 +gr_handle_crash(struct task_struct *task, const int sig)
49321 + struct acl_subject_label *curr;
49322 + struct acl_subject_label *curr2;
49323 + struct task_struct *tsk, *tsk2;
49324 + const struct cred *cred;
49325 + const struct cred *cred2;
49327 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
49330 + if (unlikely(!gr_acl_is_enabled()))
49333 + curr = task->acl;
49335 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
49338 + if (time_before_eq(curr->expires, get_seconds())) {
49339 + curr->expires = 0;
49340 + curr->crashes = 0;
49345 + if (!curr->expires)
49346 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
49348 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
49349 + time_after(curr->expires, get_seconds())) {
49351 + cred = __task_cred(task);
49352 + if (cred->uid && proc_is_setxid(cred)) {
49353 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
49354 + spin_lock(&gr_uid_lock);
49355 + gr_insert_uid(cred->uid, curr->expires);
49356 + spin_unlock(&gr_uid_lock);
49357 + curr->expires = 0;
49358 + curr->crashes = 0;
49359 + read_lock(&tasklist_lock);
49360 + do_each_thread(tsk2, tsk) {
49361 + cred2 = __task_cred(tsk);
49362 + if (tsk != task && cred2->uid == cred->uid)
49363 + gr_fake_force_sig(SIGKILL, tsk);
49364 + } while_each_thread(tsk2, tsk);
49365 + read_unlock(&tasklist_lock);
49367 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
49368 + read_lock(&tasklist_lock);
49369 + do_each_thread(tsk2, tsk) {
49370 + if (likely(tsk != task)) {
49371 + curr2 = tsk->acl;
49373 + if (curr2->device == curr->device &&
49374 + curr2->inode == curr->inode)
49375 + gr_fake_force_sig(SIGKILL, tsk);
49377 + } while_each_thread(tsk2, tsk);
49378 + read_unlock(&tasklist_lock);
49380 + rcu_read_unlock();
49387 +gr_check_crash_exec(const struct file *filp)
49389 + struct acl_subject_label *curr;
49391 + if (unlikely(!gr_acl_is_enabled()))
49394 + read_lock(&gr_inode_lock);
49395 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
49396 + filp->f_path.dentry->d_inode->i_sb->s_dev,
49398 + read_unlock(&gr_inode_lock);
49400 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
49401 + (!curr->crashes && !curr->expires))
49404 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
49405 + time_after(curr->expires, get_seconds()))
49407 + else if (time_before_eq(curr->expires, get_seconds())) {
49408 + curr->crashes = 0;
49409 + curr->expires = 0;
49416 +gr_handle_alertkill(struct task_struct *task)
49418 + struct acl_subject_label *curracl;
49420 + struct task_struct *p, *p2;
49422 + if (unlikely(!gr_acl_is_enabled()))
49425 + curracl = task->acl;
49426 + curr_ip = task->signal->curr_ip;
49428 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
49429 + read_lock(&tasklist_lock);
49430 + do_each_thread(p2, p) {
49431 + if (p->signal->curr_ip == curr_ip)
49432 + gr_fake_force_sig(SIGKILL, p);
49433 + } while_each_thread(p2, p);
49434 + read_unlock(&tasklist_lock);
49435 + } else if (curracl->mode & GR_KILLPROC)
49436 + gr_fake_force_sig(SIGKILL, task);
49440 diff -urNp linux-2.6.32.42/grsecurity/gracl_shm.c linux-2.6.32.42/grsecurity/gracl_shm.c
49441 --- linux-2.6.32.42/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
49442 +++ linux-2.6.32.42/grsecurity/gracl_shm.c 2011-04-17 15:56:46.000000000 -0400
49444 +#include <linux/kernel.h>
49445 +#include <linux/mm.h>
49446 +#include <linux/sched.h>
49447 +#include <linux/file.h>
49448 +#include <linux/ipc.h>
49449 +#include <linux/gracl.h>
49450 +#include <linux/grsecurity.h>
49451 +#include <linux/grinternal.h>
49454 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
49455 + const time_t shm_createtime, const uid_t cuid, const int shmid)
49457 + struct task_struct *task;
49459 + if (!gr_acl_is_enabled())
49463 + read_lock(&tasklist_lock);
49465 + task = find_task_by_vpid(shm_cprid);
49467 + if (unlikely(!task))
49468 + task = find_task_by_vpid(shm_lapid);
49470 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
49471 + (task->pid == shm_lapid)) &&
49472 + (task->acl->mode & GR_PROTSHM) &&
49473 + (task->acl != current->acl))) {
49474 + read_unlock(&tasklist_lock);
49475 + rcu_read_unlock();
49476 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
49479 + read_unlock(&tasklist_lock);
49480 + rcu_read_unlock();
49484 diff -urNp linux-2.6.32.42/grsecurity/grsec_chdir.c linux-2.6.32.42/grsecurity/grsec_chdir.c
49485 --- linux-2.6.32.42/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
49486 +++ linux-2.6.32.42/grsecurity/grsec_chdir.c 2011-04-17 15:56:46.000000000 -0400
49488 +#include <linux/kernel.h>
49489 +#include <linux/sched.h>
49490 +#include <linux/fs.h>
49491 +#include <linux/file.h>
49492 +#include <linux/grsecurity.h>
49493 +#include <linux/grinternal.h>
49496 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
49498 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
49499 + if ((grsec_enable_chdir && grsec_enable_group &&
49500 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
49501 + !grsec_enable_group)) {
49502 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
49507 diff -urNp linux-2.6.32.42/grsecurity/grsec_chroot.c linux-2.6.32.42/grsecurity/grsec_chroot.c
49508 --- linux-2.6.32.42/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
49509 +++ linux-2.6.32.42/grsecurity/grsec_chroot.c 2011-06-20 19:44:00.000000000 -0400
49511 +#include <linux/kernel.h>
49512 +#include <linux/module.h>
49513 +#include <linux/sched.h>
49514 +#include <linux/file.h>
49515 +#include <linux/fs.h>
49516 +#include <linux/mount.h>
49517 +#include <linux/types.h>
49518 +#include <linux/pid_namespace.h>
49519 +#include <linux/grsecurity.h>
49520 +#include <linux/grinternal.h>
49522 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
49524 +#ifdef CONFIG_GRKERNSEC
49525 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
49526 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
49527 + task->gr_is_chrooted = 1;
49529 + task->gr_is_chrooted = 0;
49531 + task->gr_chroot_dentry = path->dentry;
49536 +void gr_clear_chroot_entries(struct task_struct *task)
49538 +#ifdef CONFIG_GRKERNSEC
49539 + task->gr_is_chrooted = 0;
49540 + task->gr_chroot_dentry = NULL;
49546 +gr_handle_chroot_unix(const pid_t pid)
49548 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
49549 + struct pid *spid = NULL;
49551 + if (unlikely(!grsec_enable_chroot_unix))
49554 + if (likely(!proc_is_chrooted(current)))
49558 + read_lock(&tasklist_lock);
49560 + spid = find_vpid(pid);
49562 + struct task_struct *p;
49563 + p = pid_task(spid, PIDTYPE_PID);
49564 + if (unlikely(p && !have_same_root(current, p))) {
49565 + read_unlock(&tasklist_lock);
49566 + rcu_read_unlock();
49567 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
49571 + read_unlock(&tasklist_lock);
49572 + rcu_read_unlock();
49578 +gr_handle_chroot_nice(void)
49580 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
49581 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
49582 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
49590 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
49592 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
49593 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
49594 + && proc_is_chrooted(current)) {
49595 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
49603 +gr_handle_chroot_rawio(const struct inode *inode)
49605 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
49606 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
49607 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
49614 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
49616 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
49617 + struct task_struct *p;
49619 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
49622 + read_lock(&tasklist_lock);
49623 + do_each_pid_task(pid, type, p) {
49624 + if (!have_same_root(current, p)) {
49628 + } while_each_pid_task(pid, type, p);
49630 + read_unlock(&tasklist_lock);
49637 +gr_pid_is_chrooted(struct task_struct *p)
49639 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
49640 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
49643 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
49644 + !have_same_root(current, p)) {
49651 +EXPORT_SYMBOL(gr_pid_is_chrooted);
49653 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
49654 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
49656 + struct dentry *dentry = (struct dentry *)u_dentry;
49657 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
49658 + struct dentry *realroot;
49659 + struct vfsmount *realrootmnt;
49660 + struct dentry *currentroot;
49661 + struct vfsmount *currentmnt;
49662 + struct task_struct *reaper = &init_task;
49665 + read_lock(&reaper->fs->lock);
49666 + realrootmnt = mntget(reaper->fs->root.mnt);
49667 + realroot = dget(reaper->fs->root.dentry);
49668 + read_unlock(&reaper->fs->lock);
49670 + read_lock(¤t->fs->lock);
49671 + currentmnt = mntget(current->fs->root.mnt);
49672 + currentroot = dget(current->fs->root.dentry);
49673 + read_unlock(¤t->fs->lock);
49675 + spin_lock(&dcache_lock);
49677 + if (unlikely((dentry == realroot && mnt == realrootmnt)
49678 + || (dentry == currentroot && mnt == currentmnt)))
49680 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
49681 + if (mnt->mnt_parent == mnt)
49683 + dentry = mnt->mnt_mountpoint;
49684 + mnt = mnt->mnt_parent;
49687 + dentry = dentry->d_parent;
49689 + spin_unlock(&dcache_lock);
49691 + dput(currentroot);
49692 + mntput(currentmnt);
49694 + /* access is outside of chroot */
49695 + if (dentry == realroot && mnt == realrootmnt)
49699 + mntput(realrootmnt);
49705 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
49707 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
49708 + if (!grsec_enable_chroot_fchdir)
49711 + if (!proc_is_chrooted(current))
49713 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
49714 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
49722 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
49723 + const time_t shm_createtime)
49725 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
49726 + struct pid *pid = NULL;
49727 + time_t starttime;
49729 + if (unlikely(!grsec_enable_chroot_shmat))
49732 + if (likely(!proc_is_chrooted(current)))
49736 + read_lock(&tasklist_lock);
49738 + pid = find_vpid(shm_cprid);
49740 + struct task_struct *p;
49741 + p = pid_task(pid, PIDTYPE_PID);
49744 + starttime = p->start_time.tv_sec;
49745 + if (unlikely(!have_same_root(current, p) &&
49746 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
49747 + read_unlock(&tasklist_lock);
49748 + rcu_read_unlock();
49749 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
49753 + pid = find_vpid(shm_lapid);
49755 + struct task_struct *p;
49756 + p = pid_task(pid, PIDTYPE_PID);
49759 + if (unlikely(!have_same_root(current, p))) {
49760 + read_unlock(&tasklist_lock);
49761 + rcu_read_unlock();
49762 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
49769 + read_unlock(&tasklist_lock);
49770 + rcu_read_unlock();
49776 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
49778 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
49779 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
49780 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
49786 +gr_handle_chroot_mknod(const struct dentry *dentry,
49787 + const struct vfsmount *mnt, const int mode)
49789 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
49790 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
49791 + proc_is_chrooted(current)) {
49792 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
49800 +gr_handle_chroot_mount(const struct dentry *dentry,
49801 + const struct vfsmount *mnt, const char *dev_name)
49803 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
49804 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
49805 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name ? dev_name : "none" , dentry, mnt);
49813 +gr_handle_chroot_pivot(void)
49815 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
49816 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
49817 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
49825 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
49827 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
49828 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
49829 + !gr_is_outside_chroot(dentry, mnt)) {
49830 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
49838 +gr_handle_chroot_caps(struct path *path)
49840 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
49841 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
49842 + (init_task.fs->root.dentry != path->dentry) &&
49843 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
49845 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
49846 + const struct cred *old = current_cred();
49847 + struct cred *new = prepare_creds();
49851 + new->cap_permitted = cap_drop(old->cap_permitted,
49853 + new->cap_inheritable = cap_drop(old->cap_inheritable,
49855 + new->cap_effective = cap_drop(old->cap_effective,
49858 + commit_creds(new);
49867 +gr_handle_chroot_sysctl(const int op)
49869 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
49870 + if (grsec_enable_chroot_sysctl && proc_is_chrooted(current)
49871 + && (op & MAY_WRITE))
49878 +gr_handle_chroot_chdir(struct path *path)
49880 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
49881 + if (grsec_enable_chroot_chdir)
49882 + set_fs_pwd(current->fs, path);
49888 +gr_handle_chroot_chmod(const struct dentry *dentry,
49889 + const struct vfsmount *mnt, const int mode)
49891 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
49892 + /* allow chmod +s on directories, but not on files */
49893 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
49894 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
49895 + proc_is_chrooted(current)) {
49896 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
49903 +#ifdef CONFIG_SECURITY
49904 +EXPORT_SYMBOL(gr_handle_chroot_caps);
49906 diff -urNp linux-2.6.32.42/grsecurity/grsec_disabled.c linux-2.6.32.42/grsecurity/grsec_disabled.c
49907 --- linux-2.6.32.42/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
49908 +++ linux-2.6.32.42/grsecurity/grsec_disabled.c 2011-04-17 15:56:46.000000000 -0400
49910 +#include <linux/kernel.h>
49911 +#include <linux/module.h>
49912 +#include <linux/sched.h>
49913 +#include <linux/file.h>
49914 +#include <linux/fs.h>
49915 +#include <linux/kdev_t.h>
49916 +#include <linux/net.h>
49917 +#include <linux/in.h>
49918 +#include <linux/ip.h>
49919 +#include <linux/skbuff.h>
49920 +#include <linux/sysctl.h>
49922 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
49924 +pax_set_initial_flags(struct linux_binprm *bprm)
49930 +#ifdef CONFIG_SYSCTL
49932 +gr_handle_sysctl(const struct ctl_table * table, const int op)
49938 +#ifdef CONFIG_TASKSTATS
49939 +int gr_is_taskstats_denied(int pid)
49946 +gr_acl_is_enabled(void)
49952 +gr_handle_rawio(const struct inode *inode)
49958 +gr_acl_handle_psacct(struct task_struct *task, const long code)
49964 +gr_handle_ptrace(struct task_struct *task, const long request)
49970 +gr_handle_proc_ptrace(struct task_struct *task)
49976 +gr_learn_resource(const struct task_struct *task,
49977 + const int res, const unsigned long wanted, const int gt)
49983 +gr_set_acls(const int type)
49989 +gr_check_hidden_task(const struct task_struct *tsk)
49995 +gr_check_protected_task(const struct task_struct *task)
50001 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
50007 +gr_copy_label(struct task_struct *tsk)
50013 +gr_set_pax_flags(struct task_struct *task)
50019 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
50020 + const int unsafe_share)
50026 +gr_handle_delete(const ino_t ino, const dev_t dev)
50032 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
50038 +gr_handle_crash(struct task_struct *task, const int sig)
50044 +gr_check_crash_exec(const struct file *filp)
50050 +gr_check_crash_uid(const uid_t uid)
50056 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
50057 + struct dentry *old_dentry,
50058 + struct dentry *new_dentry,
50059 + struct vfsmount *mnt, const __u8 replace)
50065 +gr_search_socket(const int family, const int type, const int protocol)
50071 +gr_search_connectbind(const int mode, const struct socket *sock,
50072 + const struct sockaddr_in *addr)
50078 +gr_is_capable(const int cap)
50084 +gr_is_capable_nolog(const int cap)
50090 +gr_handle_alertkill(struct task_struct *task)
50096 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
50102 +gr_acl_handle_hidden_file(const struct dentry * dentry,
50103 + const struct vfsmount * mnt)
50109 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
50116 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
50122 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
50128 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
50129 + unsigned int *vm_flags)
50135 +gr_acl_handle_truncate(const struct dentry * dentry,
50136 + const struct vfsmount * mnt)
50142 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
50148 +gr_acl_handle_access(const struct dentry * dentry,
50149 + const struct vfsmount * mnt, const int fmode)
50155 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
50162 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
50169 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
50175 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
50181 +grsecurity_init(void)
50187 +gr_acl_handle_mknod(const struct dentry * new_dentry,
50188 + const struct dentry * parent_dentry,
50189 + const struct vfsmount * parent_mnt,
50196 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
50197 + const struct dentry * parent_dentry,
50198 + const struct vfsmount * parent_mnt)
50204 +gr_acl_handle_symlink(const struct dentry * new_dentry,
50205 + const struct dentry * parent_dentry,
50206 + const struct vfsmount * parent_mnt, const char *from)
50212 +gr_acl_handle_link(const struct dentry * new_dentry,
50213 + const struct dentry * parent_dentry,
50214 + const struct vfsmount * parent_mnt,
50215 + const struct dentry * old_dentry,
50216 + const struct vfsmount * old_mnt, const char *to)
50222 +gr_acl_handle_rename(const struct dentry *new_dentry,
50223 + const struct dentry *parent_dentry,
50224 + const struct vfsmount *parent_mnt,
50225 + const struct dentry *old_dentry,
50226 + const struct inode *old_parent_inode,
50227 + const struct vfsmount *old_mnt, const char *newname)
50233 +gr_acl_handle_filldir(const struct file *file, const char *name,
50234 + const int namelen, const ino_t ino)
50240 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
50241 + const time_t shm_createtime, const uid_t cuid, const int shmid)
50247 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
50253 +gr_search_accept(const struct socket *sock)
50259 +gr_search_listen(const struct socket *sock)
50265 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
50271 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
50277 +gr_acl_handle_creat(const struct dentry * dentry,
50278 + const struct dentry * p_dentry,
50279 + const struct vfsmount * p_mnt, const int fmode,
50286 +gr_acl_handle_exit(void)
50292 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
50298 +gr_set_role_label(const uid_t uid, const gid_t gid)
50304 +gr_acl_handle_procpidmem(const struct task_struct *task)
50310 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
50316 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
50322 +gr_set_kernel_label(struct task_struct *task)
50328 +gr_check_user_change(int real, int effective, int fs)
50334 +gr_check_group_change(int real, int effective, int fs)
50339 +int gr_acl_enable_at_secure(void)
50344 +dev_t gr_get_dev_from_dentry(struct dentry *dentry)
50346 + return dentry->d_inode->i_sb->s_dev;
50349 +EXPORT_SYMBOL(gr_is_capable);
50350 +EXPORT_SYMBOL(gr_is_capable_nolog);
50351 +EXPORT_SYMBOL(gr_learn_resource);
50352 +EXPORT_SYMBOL(gr_set_kernel_label);
50353 +#ifdef CONFIG_SECURITY
50354 +EXPORT_SYMBOL(gr_check_user_change);
50355 +EXPORT_SYMBOL(gr_check_group_change);
50357 diff -urNp linux-2.6.32.42/grsecurity/grsec_exec.c linux-2.6.32.42/grsecurity/grsec_exec.c
50358 --- linux-2.6.32.42/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
50359 +++ linux-2.6.32.42/grsecurity/grsec_exec.c 2011-04-17 15:56:46.000000000 -0400
50361 +#include <linux/kernel.h>
50362 +#include <linux/sched.h>
50363 +#include <linux/file.h>
50364 +#include <linux/binfmts.h>
50365 +#include <linux/smp_lock.h>
50366 +#include <linux/fs.h>
50367 +#include <linux/types.h>
50368 +#include <linux/grdefs.h>
50369 +#include <linux/grinternal.h>
50370 +#include <linux/capability.h>
50371 +#include <linux/compat.h>
50373 +#include <asm/uaccess.h>
50375 +#ifdef CONFIG_GRKERNSEC_EXECLOG
50376 +static char gr_exec_arg_buf[132];
50377 +static DEFINE_MUTEX(gr_exec_arg_mutex);
50381 +gr_handle_nproc(void)
50383 +#ifdef CONFIG_GRKERNSEC_EXECVE
50384 + const struct cred *cred = current_cred();
50385 + if (grsec_enable_execve && cred->user &&
50386 + (atomic_read(&cred->user->processes) >
50387 + current->signal->rlim[RLIMIT_NPROC].rlim_cur) &&
50388 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
50389 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
50397 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
50399 +#ifdef CONFIG_GRKERNSEC_EXECLOG
50400 + char *grarg = gr_exec_arg_buf;
50401 + unsigned int i, x, execlen = 0;
50404 + if (!((grsec_enable_execlog && grsec_enable_group &&
50405 + in_group_p(grsec_audit_gid))
50406 + || (grsec_enable_execlog && !grsec_enable_group)))
50409 + mutex_lock(&gr_exec_arg_mutex);
50410 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
50412 + if (unlikely(argv == NULL))
50415 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
50416 + const char __user *p;
50417 + unsigned int len;
50419 + if (copy_from_user(&p, argv + i, sizeof(p)))
50423 + len = strnlen_user(p, 128 - execlen);
50424 + if (len > 128 - execlen)
50425 + len = 128 - execlen;
50426 + else if (len > 0)
50428 + if (copy_from_user(grarg + execlen, p, len))
50431 + /* rewrite unprintable characters */
50432 + for (x = 0; x < len; x++) {
50433 + c = *(grarg + execlen + x);
50434 + if (c < 32 || c > 126)
50435 + *(grarg + execlen + x) = ' ';
50439 + *(grarg + execlen) = ' ';
50440 + *(grarg + execlen + 1) = '\0';
50445 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
50446 + bprm->file->f_path.mnt, grarg);
50447 + mutex_unlock(&gr_exec_arg_mutex);
50452 +#ifdef CONFIG_COMPAT
50454 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
50456 +#ifdef CONFIG_GRKERNSEC_EXECLOG
50457 + char *grarg = gr_exec_arg_buf;
50458 + unsigned int i, x, execlen = 0;
50461 + if (!((grsec_enable_execlog && grsec_enable_group &&
50462 + in_group_p(grsec_audit_gid))
50463 + || (grsec_enable_execlog && !grsec_enable_group)))
50466 + mutex_lock(&gr_exec_arg_mutex);
50467 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
50469 + if (unlikely(argv == NULL))
50472 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
50474 + unsigned int len;
50476 + if (get_user(p, argv + i))
50478 + len = strnlen_user(compat_ptr(p), 128 - execlen);
50479 + if (len > 128 - execlen)
50480 + len = 128 - execlen;
50481 + else if (len > 0)
50485 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
50488 + /* rewrite unprintable characters */
50489 + for (x = 0; x < len; x++) {
50490 + c = *(grarg + execlen + x);
50491 + if (c < 32 || c > 126)
50492 + *(grarg + execlen + x) = ' ';
50496 + *(grarg + execlen) = ' ';
50497 + *(grarg + execlen + 1) = '\0';
50502 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
50503 + bprm->file->f_path.mnt, grarg);
50504 + mutex_unlock(&gr_exec_arg_mutex);
50509 diff -urNp linux-2.6.32.42/grsecurity/grsec_fifo.c linux-2.6.32.42/grsecurity/grsec_fifo.c
50510 --- linux-2.6.32.42/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
50511 +++ linux-2.6.32.42/grsecurity/grsec_fifo.c 2011-04-17 15:56:46.000000000 -0400
50513 +#include <linux/kernel.h>
50514 +#include <linux/sched.h>
50515 +#include <linux/fs.h>
50516 +#include <linux/file.h>
50517 +#include <linux/grinternal.h>
50520 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
50521 + const struct dentry *dir, const int flag, const int acc_mode)
50523 +#ifdef CONFIG_GRKERNSEC_FIFO
50524 + const struct cred *cred = current_cred();
50526 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
50527 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
50528 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
50529 + (cred->fsuid != dentry->d_inode->i_uid)) {
50530 + if (!inode_permission(dentry->d_inode, acc_mode))
50531 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
50537 diff -urNp linux-2.6.32.42/grsecurity/grsec_fork.c linux-2.6.32.42/grsecurity/grsec_fork.c
50538 --- linux-2.6.32.42/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
50539 +++ linux-2.6.32.42/grsecurity/grsec_fork.c 2011-04-17 15:56:46.000000000 -0400
50541 +#include <linux/kernel.h>
50542 +#include <linux/sched.h>
50543 +#include <linux/grsecurity.h>
50544 +#include <linux/grinternal.h>
50545 +#include <linux/errno.h>
50548 +gr_log_forkfail(const int retval)
50550 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
50551 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
50552 + switch (retval) {
50554 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
50557 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
50564 diff -urNp linux-2.6.32.42/grsecurity/grsec_init.c linux-2.6.32.42/grsecurity/grsec_init.c
50565 --- linux-2.6.32.42/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
50566 +++ linux-2.6.32.42/grsecurity/grsec_init.c 2011-04-17 15:56:46.000000000 -0400
50568 +#include <linux/kernel.h>
50569 +#include <linux/sched.h>
50570 +#include <linux/mm.h>
50571 +#include <linux/smp_lock.h>
50572 +#include <linux/gracl.h>
50573 +#include <linux/slab.h>
50574 +#include <linux/vmalloc.h>
50575 +#include <linux/percpu.h>
50576 +#include <linux/module.h>
50578 +int grsec_enable_link;
50579 +int grsec_enable_dmesg;
50580 +int grsec_enable_harden_ptrace;
50581 +int grsec_enable_fifo;
50582 +int grsec_enable_execve;
50583 +int grsec_enable_execlog;
50584 +int grsec_enable_signal;
50585 +int grsec_enable_forkfail;
50586 +int grsec_enable_audit_ptrace;
50587 +int grsec_enable_time;
50588 +int grsec_enable_audit_textrel;
50589 +int grsec_enable_group;
50590 +int grsec_audit_gid;
50591 +int grsec_enable_chdir;
50592 +int grsec_enable_mount;
50593 +int grsec_enable_rofs;
50594 +int grsec_enable_chroot_findtask;
50595 +int grsec_enable_chroot_mount;
50596 +int grsec_enable_chroot_shmat;
50597 +int grsec_enable_chroot_fchdir;
50598 +int grsec_enable_chroot_double;
50599 +int grsec_enable_chroot_pivot;
50600 +int grsec_enable_chroot_chdir;
50601 +int grsec_enable_chroot_chmod;
50602 +int grsec_enable_chroot_mknod;
50603 +int grsec_enable_chroot_nice;
50604 +int grsec_enable_chroot_execlog;
50605 +int grsec_enable_chroot_caps;
50606 +int grsec_enable_chroot_sysctl;
50607 +int grsec_enable_chroot_unix;
50608 +int grsec_enable_tpe;
50609 +int grsec_tpe_gid;
50610 +int grsec_enable_blackhole;
50611 +#ifdef CONFIG_IPV6_MODULE
50612 +EXPORT_SYMBOL(grsec_enable_blackhole);
50614 +int grsec_lastack_retries;
50615 +int grsec_enable_tpe_all;
50616 +int grsec_enable_tpe_invert;
50617 +int grsec_enable_socket_all;
50618 +int grsec_socket_all_gid;
50619 +int grsec_enable_socket_client;
50620 +int grsec_socket_client_gid;
50621 +int grsec_enable_socket_server;
50622 +int grsec_socket_server_gid;
50623 +int grsec_resource_logging;
50624 +int grsec_disable_privio;
50625 +int grsec_enable_log_rwxmaps;
50628 +DEFINE_SPINLOCK(grsec_alert_lock);
50629 +unsigned long grsec_alert_wtime = 0;
50630 +unsigned long grsec_alert_fyet = 0;
50632 +DEFINE_SPINLOCK(grsec_audit_lock);
50634 +DEFINE_RWLOCK(grsec_exec_file_lock);
50636 +char *gr_shared_page[4];
50638 +char *gr_alert_log_fmt;
50639 +char *gr_audit_log_fmt;
50640 +char *gr_alert_log_buf;
50641 +char *gr_audit_log_buf;
50643 +extern struct gr_arg *gr_usermode;
50644 +extern unsigned char *gr_system_salt;
50645 +extern unsigned char *gr_system_sum;
50648 +grsecurity_init(void)
50651 + /* create the per-cpu shared pages */
50654 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
50657 + for (j = 0; j < 4; j++) {
50658 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
50659 + if (gr_shared_page[j] == NULL) {
50660 + panic("Unable to allocate grsecurity shared page");
50665 + /* allocate log buffers */
50666 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
50667 + if (!gr_alert_log_fmt) {
50668 + panic("Unable to allocate grsecurity alert log format buffer");
50671 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
50672 + if (!gr_audit_log_fmt) {
50673 + panic("Unable to allocate grsecurity audit log format buffer");
50676 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
50677 + if (!gr_alert_log_buf) {
50678 + panic("Unable to allocate grsecurity alert log buffer");
50681 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
50682 + if (!gr_audit_log_buf) {
50683 + panic("Unable to allocate grsecurity audit log buffer");
50687 + /* allocate memory for authentication structure */
50688 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
50689 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
50690 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
50692 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
50693 + panic("Unable to allocate grsecurity authentication structure");
50698 +#ifdef CONFIG_GRKERNSEC_IO
50699 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
50700 + grsec_disable_privio = 1;
50701 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
50702 + grsec_disable_privio = 1;
50704 + grsec_disable_privio = 0;
50708 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
50709 + /* for backward compatibility, tpe_invert always defaults to on if
50710 + enabled in the kernel
50712 + grsec_enable_tpe_invert = 1;
50715 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
50716 +#ifndef CONFIG_GRKERNSEC_SYSCTL
50720 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
50721 + grsec_enable_audit_textrel = 1;
50723 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
50724 + grsec_enable_log_rwxmaps = 1;
50726 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
50727 + grsec_enable_group = 1;
50728 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
50730 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
50731 + grsec_enable_chdir = 1;
50733 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
50734 + grsec_enable_harden_ptrace = 1;
50736 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
50737 + grsec_enable_mount = 1;
50739 +#ifdef CONFIG_GRKERNSEC_LINK
50740 + grsec_enable_link = 1;
50742 +#ifdef CONFIG_GRKERNSEC_DMESG
50743 + grsec_enable_dmesg = 1;
50745 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
50746 + grsec_enable_blackhole = 1;
50747 + grsec_lastack_retries = 4;
50749 +#ifdef CONFIG_GRKERNSEC_FIFO
50750 + grsec_enable_fifo = 1;
50752 +#ifdef CONFIG_GRKERNSEC_EXECVE
50753 + grsec_enable_execve = 1;
50755 +#ifdef CONFIG_GRKERNSEC_EXECLOG
50756 + grsec_enable_execlog = 1;
50758 +#ifdef CONFIG_GRKERNSEC_SIGNAL
50759 + grsec_enable_signal = 1;
50761 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
50762 + grsec_enable_forkfail = 1;
50764 +#ifdef CONFIG_GRKERNSEC_TIME
50765 + grsec_enable_time = 1;
50767 +#ifdef CONFIG_GRKERNSEC_RESLOG
50768 + grsec_resource_logging = 1;
50770 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
50771 + grsec_enable_chroot_findtask = 1;
50773 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
50774 + grsec_enable_chroot_unix = 1;
50776 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
50777 + grsec_enable_chroot_mount = 1;
50779 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
50780 + grsec_enable_chroot_fchdir = 1;
50782 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
50783 + grsec_enable_chroot_shmat = 1;
50785 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
50786 + grsec_enable_audit_ptrace = 1;
50788 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
50789 + grsec_enable_chroot_double = 1;
50791 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
50792 + grsec_enable_chroot_pivot = 1;
50794 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
50795 + grsec_enable_chroot_chdir = 1;
50797 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
50798 + grsec_enable_chroot_chmod = 1;
50800 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
50801 + grsec_enable_chroot_mknod = 1;
50803 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
50804 + grsec_enable_chroot_nice = 1;
50806 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
50807 + grsec_enable_chroot_execlog = 1;
50809 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
50810 + grsec_enable_chroot_caps = 1;
50812 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
50813 + grsec_enable_chroot_sysctl = 1;
50815 +#ifdef CONFIG_GRKERNSEC_TPE
50816 + grsec_enable_tpe = 1;
50817 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
50818 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
50819 + grsec_enable_tpe_all = 1;
50822 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
50823 + grsec_enable_socket_all = 1;
50824 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
50826 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
50827 + grsec_enable_socket_client = 1;
50828 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
50830 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
50831 + grsec_enable_socket_server = 1;
50832 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
50838 diff -urNp linux-2.6.32.42/grsecurity/grsec_link.c linux-2.6.32.42/grsecurity/grsec_link.c
50839 --- linux-2.6.32.42/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
50840 +++ linux-2.6.32.42/grsecurity/grsec_link.c 2011-04-17 15:56:46.000000000 -0400
50842 +#include <linux/kernel.h>
50843 +#include <linux/sched.h>
50844 +#include <linux/fs.h>
50845 +#include <linux/file.h>
50846 +#include <linux/grinternal.h>
50849 +gr_handle_follow_link(const struct inode *parent,
50850 + const struct inode *inode,
50851 + const struct dentry *dentry, const struct vfsmount *mnt)
50853 +#ifdef CONFIG_GRKERNSEC_LINK
50854 + const struct cred *cred = current_cred();
50856 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
50857 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
50858 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
50859 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
50867 +gr_handle_hardlink(const struct dentry *dentry,
50868 + const struct vfsmount *mnt,
50869 + struct inode *inode, const int mode, const char *to)
50871 +#ifdef CONFIG_GRKERNSEC_LINK
50872 + const struct cred *cred = current_cred();
50874 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
50875 + (!S_ISREG(mode) || (mode & S_ISUID) ||
50876 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
50877 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
50878 + !capable(CAP_FOWNER) && cred->uid) {
50879 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
50885 diff -urNp linux-2.6.32.42/grsecurity/grsec_log.c linux-2.6.32.42/grsecurity/grsec_log.c
50886 --- linux-2.6.32.42/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
50887 +++ linux-2.6.32.42/grsecurity/grsec_log.c 2011-05-10 21:58:49.000000000 -0400
50889 +#include <linux/kernel.h>
50890 +#include <linux/sched.h>
50891 +#include <linux/file.h>
50892 +#include <linux/tty.h>
50893 +#include <linux/fs.h>
50894 +#include <linux/grinternal.h>
50896 +#ifdef CONFIG_TREE_PREEMPT_RCU
50897 +#define DISABLE_PREEMPT() preempt_disable()
50898 +#define ENABLE_PREEMPT() preempt_enable()
50900 +#define DISABLE_PREEMPT()
50901 +#define ENABLE_PREEMPT()
50904 +#define BEGIN_LOCKS(x) \
50905 + DISABLE_PREEMPT(); \
50906 + rcu_read_lock(); \
50907 + read_lock(&tasklist_lock); \
50908 + read_lock(&grsec_exec_file_lock); \
50909 + if (x != GR_DO_AUDIT) \
50910 + spin_lock(&grsec_alert_lock); \
50912 + spin_lock(&grsec_audit_lock)
50914 +#define END_LOCKS(x) \
50915 + if (x != GR_DO_AUDIT) \
50916 + spin_unlock(&grsec_alert_lock); \
50918 + spin_unlock(&grsec_audit_lock); \
50919 + read_unlock(&grsec_exec_file_lock); \
50920 + read_unlock(&tasklist_lock); \
50921 + rcu_read_unlock(); \
50922 + ENABLE_PREEMPT(); \
50923 + if (x == GR_DONT_AUDIT) \
50924 + gr_handle_alertkill(current)
50931 +extern char *gr_alert_log_fmt;
50932 +extern char *gr_audit_log_fmt;
50933 +extern char *gr_alert_log_buf;
50934 +extern char *gr_audit_log_buf;
50936 +static int gr_log_start(int audit)
50938 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
50939 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
50940 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
50942 + if (audit == GR_DO_AUDIT)
50945 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
50946 + grsec_alert_wtime = jiffies;
50947 + grsec_alert_fyet = 0;
50948 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
50949 + grsec_alert_fyet++;
50950 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
50951 + grsec_alert_wtime = jiffies;
50952 + grsec_alert_fyet++;
50953 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
50955 + } else return FLOODING;
50958 + memset(buf, 0, PAGE_SIZE);
50959 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
50960 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
50961 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
50962 + } else if (current->signal->curr_ip) {
50963 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
50964 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
50965 + } else if (gr_acl_is_enabled()) {
50966 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
50967 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
50969 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
50970 + strcpy(buf, fmt);
50973 + return NO_FLOODING;
50976 +static void gr_log_middle(int audit, const char *msg, va_list ap)
50977 + __attribute__ ((format (printf, 2, 0)));
50979 +static void gr_log_middle(int audit, const char *msg, va_list ap)
50981 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
50982 + unsigned int len = strlen(buf);
50984 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
50989 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
50990 + __attribute__ ((format (printf, 2, 3)));
50992 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
50994 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
50995 + unsigned int len = strlen(buf);
50998 + va_start(ap, msg);
50999 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
51005 +static void gr_log_end(int audit)
51007 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
51008 + unsigned int len = strlen(buf);
51010 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
51011 + printk("%s\n", buf);
51016 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
51019 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
51020 + char *str1 = NULL, *str2 = NULL, *str3 = NULL;
51021 + void *voidptr = NULL;
51022 + int num1 = 0, num2 = 0;
51023 + unsigned long ulong1 = 0, ulong2 = 0;
51024 + struct dentry *dentry = NULL;
51025 + struct vfsmount *mnt = NULL;
51026 + struct file *file = NULL;
51027 + struct task_struct *task = NULL;
51028 + const struct cred *cred, *pcred;
51031 + BEGIN_LOCKS(audit);
51032 + logtype = gr_log_start(audit);
51033 + if (logtype == FLOODING) {
51034 + END_LOCKS(audit);
51037 + va_start(ap, argtypes);
51038 + switch (argtypes) {
51039 + case GR_TTYSNIFF:
51040 + task = va_arg(ap, struct task_struct *);
51041 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
51043 + case GR_SYSCTL_HIDDEN:
51044 + str1 = va_arg(ap, char *);
51045 + gr_log_middle_varargs(audit, msg, result, str1);
51048 + dentry = va_arg(ap, struct dentry *);
51049 + mnt = va_arg(ap, struct vfsmount *);
51050 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
51052 + case GR_RBAC_STR:
51053 + dentry = va_arg(ap, struct dentry *);
51054 + mnt = va_arg(ap, struct vfsmount *);
51055 + str1 = va_arg(ap, char *);
51056 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
51058 + case GR_STR_RBAC:
51059 + str1 = va_arg(ap, char *);
51060 + dentry = va_arg(ap, struct dentry *);
51061 + mnt = va_arg(ap, struct vfsmount *);
51062 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
51064 + case GR_RBAC_MODE2:
51065 + dentry = va_arg(ap, struct dentry *);
51066 + mnt = va_arg(ap, struct vfsmount *);
51067 + str1 = va_arg(ap, char *);
51068 + str2 = va_arg(ap, char *);
51069 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
51071 + case GR_RBAC_MODE3:
51072 + dentry = va_arg(ap, struct dentry *);
51073 + mnt = va_arg(ap, struct vfsmount *);
51074 + str1 = va_arg(ap, char *);
51075 + str2 = va_arg(ap, char *);
51076 + str3 = va_arg(ap, char *);
51077 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
51079 + case GR_FILENAME:
51080 + dentry = va_arg(ap, struct dentry *);
51081 + mnt = va_arg(ap, struct vfsmount *);
51082 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
51084 + case GR_STR_FILENAME:
51085 + str1 = va_arg(ap, char *);
51086 + dentry = va_arg(ap, struct dentry *);
51087 + mnt = va_arg(ap, struct vfsmount *);
51088 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
51090 + case GR_FILENAME_STR:
51091 + dentry = va_arg(ap, struct dentry *);
51092 + mnt = va_arg(ap, struct vfsmount *);
51093 + str1 = va_arg(ap, char *);
51094 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
51096 + case GR_FILENAME_TWO_INT:
51097 + dentry = va_arg(ap, struct dentry *);
51098 + mnt = va_arg(ap, struct vfsmount *);
51099 + num1 = va_arg(ap, int);
51100 + num2 = va_arg(ap, int);
51101 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
51103 + case GR_FILENAME_TWO_INT_STR:
51104 + dentry = va_arg(ap, struct dentry *);
51105 + mnt = va_arg(ap, struct vfsmount *);
51106 + num1 = va_arg(ap, int);
51107 + num2 = va_arg(ap, int);
51108 + str1 = va_arg(ap, char *);
51109 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
51112 + file = va_arg(ap, struct file *);
51113 + ulong1 = va_arg(ap, unsigned long);
51114 + ulong2 = va_arg(ap, unsigned long);
51115 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
51118 + task = va_arg(ap, struct task_struct *);
51119 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
51121 + case GR_RESOURCE:
51122 + task = va_arg(ap, struct task_struct *);
51123 + cred = __task_cred(task);
51124 + pcred = __task_cred(task->real_parent);
51125 + ulong1 = va_arg(ap, unsigned long);
51126 + str1 = va_arg(ap, char *);
51127 + ulong2 = va_arg(ap, unsigned long);
51128 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
51131 + task = va_arg(ap, struct task_struct *);
51132 + cred = __task_cred(task);
51133 + pcred = __task_cred(task->real_parent);
51134 + str1 = va_arg(ap, char *);
51135 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
51138 + str1 = va_arg(ap, char *);
51139 + voidptr = va_arg(ap, void *);
51140 + gr_log_middle_varargs(audit, msg, str1, voidptr);
51143 + task = va_arg(ap, struct task_struct *);
51144 + cred = __task_cred(task);
51145 + pcred = __task_cred(task->real_parent);
51146 + num1 = va_arg(ap, int);
51147 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
51150 + task = va_arg(ap, struct task_struct *);
51151 + cred = __task_cred(task);
51152 + pcred = __task_cred(task->real_parent);
51153 + ulong1 = va_arg(ap, unsigned long);
51154 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
51157 + task = va_arg(ap, struct task_struct *);
51158 + cred = __task_cred(task);
51159 + pcred = __task_cred(task->real_parent);
51160 + ulong1 = va_arg(ap, unsigned long);
51161 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
51164 + file = va_arg(ap, struct file *);
51165 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
51169 + unsigned int wday, cday;
51173 + char cur_tty[64] = { 0 };
51174 + char parent_tty[64] = { 0 };
51176 + task = va_arg(ap, struct task_struct *);
51177 + wday = va_arg(ap, unsigned int);
51178 + cday = va_arg(ap, unsigned int);
51179 + whr = va_arg(ap, int);
51180 + chr = va_arg(ap, int);
51181 + wmin = va_arg(ap, int);
51182 + cmin = va_arg(ap, int);
51183 + wsec = va_arg(ap, int);
51184 + csec = va_arg(ap, int);
51185 + ulong1 = va_arg(ap, unsigned long);
51186 + cred = __task_cred(task);
51187 + pcred = __task_cred(task->real_parent);
51189 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
51193 + gr_log_middle(audit, msg, ap);
51196 + gr_log_end(audit);
51197 + END_LOCKS(audit);
51199 diff -urNp linux-2.6.32.42/grsecurity/grsec_mem.c linux-2.6.32.42/grsecurity/grsec_mem.c
51200 --- linux-2.6.32.42/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
51201 +++ linux-2.6.32.42/grsecurity/grsec_mem.c 2011-04-17 15:56:46.000000000 -0400
51203 +#include <linux/kernel.h>
51204 +#include <linux/sched.h>
51205 +#include <linux/mm.h>
51206 +#include <linux/mman.h>
51207 +#include <linux/grinternal.h>
51210 +gr_handle_ioperm(void)
51212 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
51217 +gr_handle_iopl(void)
51219 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
51224 +gr_handle_mem_readwrite(u64 from, u64 to)
51226 + gr_log_two_u64(GR_DONT_AUDIT, GR_MEM_READWRITE_MSG, from, to);
51231 +gr_handle_vm86(void)
51233 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
51236 diff -urNp linux-2.6.32.42/grsecurity/grsec_mount.c linux-2.6.32.42/grsecurity/grsec_mount.c
51237 --- linux-2.6.32.42/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
51238 +++ linux-2.6.32.42/grsecurity/grsec_mount.c 2011-06-20 19:47:03.000000000 -0400
51240 +#include <linux/kernel.h>
51241 +#include <linux/sched.h>
51242 +#include <linux/mount.h>
51243 +#include <linux/grsecurity.h>
51244 +#include <linux/grinternal.h>
51247 +gr_log_remount(const char *devname, const int retval)
51249 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
51250 + if (grsec_enable_mount && (retval >= 0))
51251 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
51257 +gr_log_unmount(const char *devname, const int retval)
51259 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
51260 + if (grsec_enable_mount && (retval >= 0))
51261 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
51267 +gr_log_mount(const char *from, const char *to, const int retval)
51269 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
51270 + if (grsec_enable_mount && (retval >= 0))
51271 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);
51277 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
51279 +#ifdef CONFIG_GRKERNSEC_ROFS
51280 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
51281 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
51290 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
51292 +#ifdef CONFIG_GRKERNSEC_ROFS
51293 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
51294 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
51295 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
51302 diff -urNp linux-2.6.32.42/grsecurity/grsec_pax.c linux-2.6.32.42/grsecurity/grsec_pax.c
51303 --- linux-2.6.32.42/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
51304 +++ linux-2.6.32.42/grsecurity/grsec_pax.c 2011-04-17 15:56:46.000000000 -0400
51306 +#include <linux/kernel.h>
51307 +#include <linux/sched.h>
51308 +#include <linux/mm.h>
51309 +#include <linux/file.h>
51310 +#include <linux/grinternal.h>
51311 +#include <linux/grsecurity.h>
51314 +gr_log_textrel(struct vm_area_struct * vma)
51316 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
51317 + if (grsec_enable_audit_textrel)
51318 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
51324 +gr_log_rwxmmap(struct file *file)
51326 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
51327 + if (grsec_enable_log_rwxmaps)
51328 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
51334 +gr_log_rwxmprotect(struct file *file)
51336 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
51337 + if (grsec_enable_log_rwxmaps)
51338 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
51342 diff -urNp linux-2.6.32.42/grsecurity/grsec_ptrace.c linux-2.6.32.42/grsecurity/grsec_ptrace.c
51343 --- linux-2.6.32.42/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
51344 +++ linux-2.6.32.42/grsecurity/grsec_ptrace.c 2011-04-17 15:56:46.000000000 -0400
51346 +#include <linux/kernel.h>
51347 +#include <linux/sched.h>
51348 +#include <linux/grinternal.h>
51349 +#include <linux/grsecurity.h>
51352 +gr_audit_ptrace(struct task_struct *task)
51354 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
51355 + if (grsec_enable_audit_ptrace)
51356 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
51360 diff -urNp linux-2.6.32.42/grsecurity/grsec_sig.c linux-2.6.32.42/grsecurity/grsec_sig.c
51361 --- linux-2.6.32.42/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
51362 +++ linux-2.6.32.42/grsecurity/grsec_sig.c 2011-05-17 17:30:04.000000000 -0400
51364 +#include <linux/kernel.h>
51365 +#include <linux/sched.h>
51366 +#include <linux/delay.h>
51367 +#include <linux/grsecurity.h>
51368 +#include <linux/grinternal.h>
51369 +#include <linux/hardirq.h>
51371 +char *signames[] = {
51372 + [SIGSEGV] = "Segmentation fault",
51373 + [SIGILL] = "Illegal instruction",
51374 + [SIGABRT] = "Abort",
51375 + [SIGBUS] = "Invalid alignment/Bus error"
51379 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
51381 +#ifdef CONFIG_GRKERNSEC_SIGNAL
51382 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
51383 + (sig == SIGABRT) || (sig == SIGBUS))) {
51384 + if (t->pid == current->pid) {
51385 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
51387 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
51395 +gr_handle_signal(const struct task_struct *p, const int sig)
51397 +#ifdef CONFIG_GRKERNSEC
51398 + if (current->pid > 1 && gr_check_protected_task(p)) {
51399 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
51401 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
51408 +#ifdef CONFIG_GRKERNSEC
51409 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
51411 +int gr_fake_force_sig(int sig, struct task_struct *t)
51413 + unsigned long int flags;
51414 + int ret, blocked, ignored;
51415 + struct k_sigaction *action;
51417 + spin_lock_irqsave(&t->sighand->siglock, flags);
51418 + action = &t->sighand->action[sig-1];
51419 + ignored = action->sa.sa_handler == SIG_IGN;
51420 + blocked = sigismember(&t->blocked, sig);
51421 + if (blocked || ignored) {
51422 + action->sa.sa_handler = SIG_DFL;
51424 + sigdelset(&t->blocked, sig);
51425 + recalc_sigpending_and_wake(t);
51428 + if (action->sa.sa_handler == SIG_DFL)
51429 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
51430 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
51432 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
51438 +#ifdef CONFIG_GRKERNSEC_BRUTE
51439 +#define GR_USER_BAN_TIME (15 * 60)
51441 +static int __get_dumpable(unsigned long mm_flags)
51445 + ret = mm_flags & MMF_DUMPABLE_MASK;
51446 + return (ret >= 2) ? 2 : ret;
51450 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags)
51452 +#ifdef CONFIG_GRKERNSEC_BRUTE
51456 + read_lock(&tasklist_lock);
51457 + read_lock(&grsec_exec_file_lock);
51458 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
51459 + p->real_parent->brute = 1;
51461 + const struct cred *cred = __task_cred(p), *cred2;
51462 + struct task_struct *tsk, *tsk2;
51464 + if (!__get_dumpable(mm_flags) && cred->uid) {
51465 + struct user_struct *user;
51469 + /* this is put upon execution past expiration */
51470 + user = find_user(uid);
51471 + if (user == NULL)
51473 + user->banned = 1;
51474 + user->ban_expires = get_seconds() + GR_USER_BAN_TIME;
51475 + if (user->ban_expires == ~0UL)
51476 + user->ban_expires--;
51478 + do_each_thread(tsk2, tsk) {
51479 + cred2 = __task_cred(tsk);
51480 + if (tsk != p && cred2->uid == uid)
51481 + gr_fake_force_sig(SIGKILL, tsk);
51482 + } while_each_thread(tsk2, tsk);
51486 + read_unlock(&grsec_exec_file_lock);
51487 + read_unlock(&tasklist_lock);
51488 + rcu_read_unlock();
51491 + printk(KERN_ALERT "grsec: bruteforce prevention initiated against uid %u, banning for %d minutes\n", uid, GR_USER_BAN_TIME / 60);
51496 +void gr_handle_brute_check(void)
51498 +#ifdef CONFIG_GRKERNSEC_BRUTE
51499 + if (current->brute)
51500 + msleep(30 * 1000);
51505 +void gr_handle_kernel_exploit(void)
51507 +#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
51508 + const struct cred *cred;
51509 + struct task_struct *tsk, *tsk2;
51510 + struct user_struct *user;
51513 + if (in_irq() || in_serving_softirq() || in_nmi())
51514 + panic("grsec: halting the system due to suspicious kernel crash caused in interrupt context");
51516 + uid = current_uid();
51519 + panic("grsec: halting the system due to suspicious kernel crash caused by root");
51521 + /* kill all the processes of this user, hold a reference
51522 + to their creds struct, and prevent them from creating
51523 + another process until system reset
51525 + printk(KERN_ALERT "grsec: banning user with uid %u until system restart for suspicious kernel crash\n", uid);
51526 + /* we intentionally leak this ref */
51527 + user = get_uid(current->cred->user);
51529 + user->banned = 1;
51530 + user->ban_expires = ~0UL;
51533 + read_lock(&tasklist_lock);
51534 + do_each_thread(tsk2, tsk) {
51535 + cred = __task_cred(tsk);
51536 + if (cred->uid == uid)
51537 + gr_fake_force_sig(SIGKILL, tsk);
51538 + } while_each_thread(tsk2, tsk);
51539 + read_unlock(&tasklist_lock);
51544 +int __gr_process_user_ban(struct user_struct *user)
51546 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
51547 + if (unlikely(user->banned)) {
51548 + if (user->ban_expires != ~0UL && time_after_eq(get_seconds(), user->ban_expires)) {
51549 + user->banned = 0;
51550 + user->ban_expires = 0;
51559 +int gr_process_user_ban(void)
51561 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
51562 + return __gr_process_user_ban(current->cred->user);
51566 diff -urNp linux-2.6.32.42/grsecurity/grsec_sock.c linux-2.6.32.42/grsecurity/grsec_sock.c
51567 --- linux-2.6.32.42/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
51568 +++ linux-2.6.32.42/grsecurity/grsec_sock.c 2011-04-17 15:56:46.000000000 -0400
51570 +#include <linux/kernel.h>
51571 +#include <linux/module.h>
51572 +#include <linux/sched.h>
51573 +#include <linux/file.h>
51574 +#include <linux/net.h>
51575 +#include <linux/in.h>
51576 +#include <linux/ip.h>
51577 +#include <net/sock.h>
51578 +#include <net/inet_sock.h>
51579 +#include <linux/grsecurity.h>
51580 +#include <linux/grinternal.h>
51581 +#include <linux/gracl.h>
51583 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
51584 +EXPORT_SYMBOL(gr_cap_rtnetlink);
51586 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
51587 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
51589 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
51590 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
51592 +#ifdef CONFIG_UNIX_MODULE
51593 +EXPORT_SYMBOL(gr_acl_handle_unix);
51594 +EXPORT_SYMBOL(gr_acl_handle_mknod);
51595 +EXPORT_SYMBOL(gr_handle_chroot_unix);
51596 +EXPORT_SYMBOL(gr_handle_create);
51599 +#ifdef CONFIG_GRKERNSEC
51600 +#define gr_conn_table_size 32749
51601 +struct conn_table_entry {
51602 + struct conn_table_entry *next;
51603 + struct signal_struct *sig;
51606 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
51607 +DEFINE_SPINLOCK(gr_conn_table_lock);
51609 +extern const char * gr_socktype_to_name(unsigned char type);
51610 +extern const char * gr_proto_to_name(unsigned char proto);
51611 +extern const char * gr_sockfamily_to_name(unsigned char family);
51613 +static __inline__ int
51614 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
51616 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
51619 +static __inline__ int
51620 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
51621 + __u16 sport, __u16 dport)
51623 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
51624 + sig->gr_sport == sport && sig->gr_dport == dport))
51630 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
51632 + struct conn_table_entry **match;
51633 + unsigned int index;
51635 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
51636 + sig->gr_sport, sig->gr_dport,
51637 + gr_conn_table_size);
51639 + newent->sig = sig;
51641 + match = &gr_conn_table[index];
51642 + newent->next = *match;
51648 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
51650 + struct conn_table_entry *match, *last = NULL;
51651 + unsigned int index;
51653 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
51654 + sig->gr_sport, sig->gr_dport,
51655 + gr_conn_table_size);
51657 + match = gr_conn_table[index];
51658 + while (match && !conn_match(match->sig,
51659 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
51660 + sig->gr_dport)) {
51662 + match = match->next;
51667 + last->next = match->next;
51669 + gr_conn_table[index] = NULL;
51676 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
51677 + __u16 sport, __u16 dport)
51679 + struct conn_table_entry *match;
51680 + unsigned int index;
51682 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
51684 + match = gr_conn_table[index];
51685 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
51686 + match = match->next;
51689 + return match->sig;
51696 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
51698 +#ifdef CONFIG_GRKERNSEC
51699 + struct signal_struct *sig = task->signal;
51700 + struct conn_table_entry *newent;
51702 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
51703 + if (newent == NULL)
51705 + /* no bh lock needed since we are called with bh disabled */
51706 + spin_lock(&gr_conn_table_lock);
51707 + gr_del_task_from_ip_table_nolock(sig);
51708 + sig->gr_saddr = inet->rcv_saddr;
51709 + sig->gr_daddr = inet->daddr;
51710 + sig->gr_sport = inet->sport;
51711 + sig->gr_dport = inet->dport;
51712 + gr_add_to_task_ip_table_nolock(sig, newent);
51713 + spin_unlock(&gr_conn_table_lock);
51718 +void gr_del_task_from_ip_table(struct task_struct *task)
51720 +#ifdef CONFIG_GRKERNSEC
51721 + spin_lock_bh(&gr_conn_table_lock);
51722 + gr_del_task_from_ip_table_nolock(task->signal);
51723 + spin_unlock_bh(&gr_conn_table_lock);
51729 +gr_attach_curr_ip(const struct sock *sk)
51731 +#ifdef CONFIG_GRKERNSEC
51732 + struct signal_struct *p, *set;
51733 + const struct inet_sock *inet = inet_sk(sk);
51735 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
51738 + set = current->signal;
51740 + spin_lock_bh(&gr_conn_table_lock);
51741 + p = gr_lookup_task_ip_table(inet->daddr, inet->rcv_saddr,
51742 + inet->dport, inet->sport);
51743 + if (unlikely(p != NULL)) {
51744 + set->curr_ip = p->curr_ip;
51745 + set->used_accept = 1;
51746 + gr_del_task_from_ip_table_nolock(p);
51747 + spin_unlock_bh(&gr_conn_table_lock);
51750 + spin_unlock_bh(&gr_conn_table_lock);
51752 + set->curr_ip = inet->daddr;
51753 + set->used_accept = 1;
51759 +gr_handle_sock_all(const int family, const int type, const int protocol)
51761 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
51762 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
51763 + (family != AF_UNIX)) {
51764 + if (family == AF_INET)
51765 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
51767 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
51775 +gr_handle_sock_server(const struct sockaddr *sck)
51777 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
51778 + if (grsec_enable_socket_server &&
51779 + in_group_p(grsec_socket_server_gid) &&
51780 + sck && (sck->sa_family != AF_UNIX) &&
51781 + (sck->sa_family != AF_LOCAL)) {
51782 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
51790 +gr_handle_sock_server_other(const struct sock *sck)
51792 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
51793 + if (grsec_enable_socket_server &&
51794 + in_group_p(grsec_socket_server_gid) &&
51795 + sck && (sck->sk_family != AF_UNIX) &&
51796 + (sck->sk_family != AF_LOCAL)) {
51797 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
51805 +gr_handle_sock_client(const struct sockaddr *sck)
51807 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
51808 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
51809 + sck && (sck->sa_family != AF_UNIX) &&
51810 + (sck->sa_family != AF_LOCAL)) {
51811 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
51819 +gr_cap_rtnetlink(struct sock *sock)
51821 +#ifdef CONFIG_GRKERNSEC
51822 + if (!gr_acl_is_enabled())
51823 + return current_cap();
51824 + else if (sock->sk_protocol == NETLINK_ISCSI &&
51825 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
51826 + gr_is_capable(CAP_SYS_ADMIN))
51827 + return current_cap();
51828 + else if (sock->sk_protocol == NETLINK_AUDIT &&
51829 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
51830 + gr_is_capable(CAP_AUDIT_WRITE) &&
51831 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
51832 + gr_is_capable(CAP_AUDIT_CONTROL))
51833 + return current_cap();
51834 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
51835 + ((sock->sk_protocol == NETLINK_ROUTE) ?
51836 + gr_is_capable_nolog(CAP_NET_ADMIN) :
51837 + gr_is_capable(CAP_NET_ADMIN)))
51838 + return current_cap();
51840 + return __cap_empty_set;
51842 + return current_cap();
51845 diff -urNp linux-2.6.32.42/grsecurity/grsec_sysctl.c linux-2.6.32.42/grsecurity/grsec_sysctl.c
51846 --- linux-2.6.32.42/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
51847 +++ linux-2.6.32.42/grsecurity/grsec_sysctl.c 2011-04-17 15:56:46.000000000 -0400
51849 +#include <linux/kernel.h>
51850 +#include <linux/sched.h>
51851 +#include <linux/sysctl.h>
51852 +#include <linux/grsecurity.h>
51853 +#include <linux/grinternal.h>
51856 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
51858 +#ifdef CONFIG_GRKERNSEC_SYSCTL
51859 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
51860 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
51867 +#ifdef CONFIG_GRKERNSEC_ROFS
51868 +static int __maybe_unused one = 1;
51871 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
51872 +ctl_table grsecurity_table[] = {
51873 +#ifdef CONFIG_GRKERNSEC_SYSCTL
51874 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
51875 +#ifdef CONFIG_GRKERNSEC_IO
51877 + .ctl_name = CTL_UNNUMBERED,
51878 + .procname = "disable_priv_io",
51879 + .data = &grsec_disable_privio,
51880 + .maxlen = sizeof(int),
51882 + .proc_handler = &proc_dointvec,
51886 +#ifdef CONFIG_GRKERNSEC_LINK
51888 + .ctl_name = CTL_UNNUMBERED,
51889 + .procname = "linking_restrictions",
51890 + .data = &grsec_enable_link,
51891 + .maxlen = sizeof(int),
51893 + .proc_handler = &proc_dointvec,
51896 +#ifdef CONFIG_GRKERNSEC_FIFO
51898 + .ctl_name = CTL_UNNUMBERED,
51899 + .procname = "fifo_restrictions",
51900 + .data = &grsec_enable_fifo,
51901 + .maxlen = sizeof(int),
51903 + .proc_handler = &proc_dointvec,
51906 +#ifdef CONFIG_GRKERNSEC_EXECVE
51908 + .ctl_name = CTL_UNNUMBERED,
51909 + .procname = "execve_limiting",
51910 + .data = &grsec_enable_execve,
51911 + .maxlen = sizeof(int),
51913 + .proc_handler = &proc_dointvec,
51916 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
51918 + .ctl_name = CTL_UNNUMBERED,
51919 + .procname = "ip_blackhole",
51920 + .data = &grsec_enable_blackhole,
51921 + .maxlen = sizeof(int),
51923 + .proc_handler = &proc_dointvec,
51926 + .ctl_name = CTL_UNNUMBERED,
51927 + .procname = "lastack_retries",
51928 + .data = &grsec_lastack_retries,
51929 + .maxlen = sizeof(int),
51931 + .proc_handler = &proc_dointvec,
51934 +#ifdef CONFIG_GRKERNSEC_EXECLOG
51936 + .ctl_name = CTL_UNNUMBERED,
51937 + .procname = "exec_logging",
51938 + .data = &grsec_enable_execlog,
51939 + .maxlen = sizeof(int),
51941 + .proc_handler = &proc_dointvec,
51944 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
51946 + .ctl_name = CTL_UNNUMBERED,
51947 + .procname = "rwxmap_logging",
51948 + .data = &grsec_enable_log_rwxmaps,
51949 + .maxlen = sizeof(int),
51951 + .proc_handler = &proc_dointvec,
51954 +#ifdef CONFIG_GRKERNSEC_SIGNAL
51956 + .ctl_name = CTL_UNNUMBERED,
51957 + .procname = "signal_logging",
51958 + .data = &grsec_enable_signal,
51959 + .maxlen = sizeof(int),
51961 + .proc_handler = &proc_dointvec,
51964 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
51966 + .ctl_name = CTL_UNNUMBERED,
51967 + .procname = "forkfail_logging",
51968 + .data = &grsec_enable_forkfail,
51969 + .maxlen = sizeof(int),
51971 + .proc_handler = &proc_dointvec,
51974 +#ifdef CONFIG_GRKERNSEC_TIME
51976 + .ctl_name = CTL_UNNUMBERED,
51977 + .procname = "timechange_logging",
51978 + .data = &grsec_enable_time,
51979 + .maxlen = sizeof(int),
51981 + .proc_handler = &proc_dointvec,
51984 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
51986 + .ctl_name = CTL_UNNUMBERED,
51987 + .procname = "chroot_deny_shmat",
51988 + .data = &grsec_enable_chroot_shmat,
51989 + .maxlen = sizeof(int),
51991 + .proc_handler = &proc_dointvec,
51994 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
51996 + .ctl_name = CTL_UNNUMBERED,
51997 + .procname = "chroot_deny_unix",
51998 + .data = &grsec_enable_chroot_unix,
51999 + .maxlen = sizeof(int),
52001 + .proc_handler = &proc_dointvec,
52004 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
52006 + .ctl_name = CTL_UNNUMBERED,
52007 + .procname = "chroot_deny_mount",
52008 + .data = &grsec_enable_chroot_mount,
52009 + .maxlen = sizeof(int),
52011 + .proc_handler = &proc_dointvec,
52014 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
52016 + .ctl_name = CTL_UNNUMBERED,
52017 + .procname = "chroot_deny_fchdir",
52018 + .data = &grsec_enable_chroot_fchdir,
52019 + .maxlen = sizeof(int),
52021 + .proc_handler = &proc_dointvec,
52024 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
52026 + .ctl_name = CTL_UNNUMBERED,
52027 + .procname = "chroot_deny_chroot",
52028 + .data = &grsec_enable_chroot_double,
52029 + .maxlen = sizeof(int),
52031 + .proc_handler = &proc_dointvec,
52034 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
52036 + .ctl_name = CTL_UNNUMBERED,
52037 + .procname = "chroot_deny_pivot",
52038 + .data = &grsec_enable_chroot_pivot,
52039 + .maxlen = sizeof(int),
52041 + .proc_handler = &proc_dointvec,
52044 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
52046 + .ctl_name = CTL_UNNUMBERED,
52047 + .procname = "chroot_enforce_chdir",
52048 + .data = &grsec_enable_chroot_chdir,
52049 + .maxlen = sizeof(int),
52051 + .proc_handler = &proc_dointvec,
52054 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
52056 + .ctl_name = CTL_UNNUMBERED,
52057 + .procname = "chroot_deny_chmod",
52058 + .data = &grsec_enable_chroot_chmod,
52059 + .maxlen = sizeof(int),
52061 + .proc_handler = &proc_dointvec,
52064 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
52066 + .ctl_name = CTL_UNNUMBERED,
52067 + .procname = "chroot_deny_mknod",
52068 + .data = &grsec_enable_chroot_mknod,
52069 + .maxlen = sizeof(int),
52071 + .proc_handler = &proc_dointvec,
52074 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
52076 + .ctl_name = CTL_UNNUMBERED,
52077 + .procname = "chroot_restrict_nice",
52078 + .data = &grsec_enable_chroot_nice,
52079 + .maxlen = sizeof(int),
52081 + .proc_handler = &proc_dointvec,
52084 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
52086 + .ctl_name = CTL_UNNUMBERED,
52087 + .procname = "chroot_execlog",
52088 + .data = &grsec_enable_chroot_execlog,
52089 + .maxlen = sizeof(int),
52091 + .proc_handler = &proc_dointvec,
52094 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
52096 + .ctl_name = CTL_UNNUMBERED,
52097 + .procname = "chroot_caps",
52098 + .data = &grsec_enable_chroot_caps,
52099 + .maxlen = sizeof(int),
52101 + .proc_handler = &proc_dointvec,
52104 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
52106 + .ctl_name = CTL_UNNUMBERED,
52107 + .procname = "chroot_deny_sysctl",
52108 + .data = &grsec_enable_chroot_sysctl,
52109 + .maxlen = sizeof(int),
52111 + .proc_handler = &proc_dointvec,
52114 +#ifdef CONFIG_GRKERNSEC_TPE
52116 + .ctl_name = CTL_UNNUMBERED,
52117 + .procname = "tpe",
52118 + .data = &grsec_enable_tpe,
52119 + .maxlen = sizeof(int),
52121 + .proc_handler = &proc_dointvec,
52124 + .ctl_name = CTL_UNNUMBERED,
52125 + .procname = "tpe_gid",
52126 + .data = &grsec_tpe_gid,
52127 + .maxlen = sizeof(int),
52129 + .proc_handler = &proc_dointvec,
52132 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
52134 + .ctl_name = CTL_UNNUMBERED,
52135 + .procname = "tpe_invert",
52136 + .data = &grsec_enable_tpe_invert,
52137 + .maxlen = sizeof(int),
52139 + .proc_handler = &proc_dointvec,
52142 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
52144 + .ctl_name = CTL_UNNUMBERED,
52145 + .procname = "tpe_restrict_all",
52146 + .data = &grsec_enable_tpe_all,
52147 + .maxlen = sizeof(int),
52149 + .proc_handler = &proc_dointvec,
52152 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
52154 + .ctl_name = CTL_UNNUMBERED,
52155 + .procname = "socket_all",
52156 + .data = &grsec_enable_socket_all,
52157 + .maxlen = sizeof(int),
52159 + .proc_handler = &proc_dointvec,
52162 + .ctl_name = CTL_UNNUMBERED,
52163 + .procname = "socket_all_gid",
52164 + .data = &grsec_socket_all_gid,
52165 + .maxlen = sizeof(int),
52167 + .proc_handler = &proc_dointvec,
52170 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
52172 + .ctl_name = CTL_UNNUMBERED,
52173 + .procname = "socket_client",
52174 + .data = &grsec_enable_socket_client,
52175 + .maxlen = sizeof(int),
52177 + .proc_handler = &proc_dointvec,
52180 + .ctl_name = CTL_UNNUMBERED,
52181 + .procname = "socket_client_gid",
52182 + .data = &grsec_socket_client_gid,
52183 + .maxlen = sizeof(int),
52185 + .proc_handler = &proc_dointvec,
52188 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
52190 + .ctl_name = CTL_UNNUMBERED,
52191 + .procname = "socket_server",
52192 + .data = &grsec_enable_socket_server,
52193 + .maxlen = sizeof(int),
52195 + .proc_handler = &proc_dointvec,
52198 + .ctl_name = CTL_UNNUMBERED,
52199 + .procname = "socket_server_gid",
52200 + .data = &grsec_socket_server_gid,
52201 + .maxlen = sizeof(int),
52203 + .proc_handler = &proc_dointvec,
52206 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
52208 + .ctl_name = CTL_UNNUMBERED,
52209 + .procname = "audit_group",
52210 + .data = &grsec_enable_group,
52211 + .maxlen = sizeof(int),
52213 + .proc_handler = &proc_dointvec,
52216 + .ctl_name = CTL_UNNUMBERED,
52217 + .procname = "audit_gid",
52218 + .data = &grsec_audit_gid,
52219 + .maxlen = sizeof(int),
52221 + .proc_handler = &proc_dointvec,
52224 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
52226 + .ctl_name = CTL_UNNUMBERED,
52227 + .procname = "audit_chdir",
52228 + .data = &grsec_enable_chdir,
52229 + .maxlen = sizeof(int),
52231 + .proc_handler = &proc_dointvec,
52234 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
52236 + .ctl_name = CTL_UNNUMBERED,
52237 + .procname = "audit_mount",
52238 + .data = &grsec_enable_mount,
52239 + .maxlen = sizeof(int),
52241 + .proc_handler = &proc_dointvec,
52244 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
52246 + .ctl_name = CTL_UNNUMBERED,
52247 + .procname = "audit_textrel",
52248 + .data = &grsec_enable_audit_textrel,
52249 + .maxlen = sizeof(int),
52251 + .proc_handler = &proc_dointvec,
52254 +#ifdef CONFIG_GRKERNSEC_DMESG
52256 + .ctl_name = CTL_UNNUMBERED,
52257 + .procname = "dmesg",
52258 + .data = &grsec_enable_dmesg,
52259 + .maxlen = sizeof(int),
52261 + .proc_handler = &proc_dointvec,
52264 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
52266 + .ctl_name = CTL_UNNUMBERED,
52267 + .procname = "chroot_findtask",
52268 + .data = &grsec_enable_chroot_findtask,
52269 + .maxlen = sizeof(int),
52271 + .proc_handler = &proc_dointvec,
52274 +#ifdef CONFIG_GRKERNSEC_RESLOG
52276 + .ctl_name = CTL_UNNUMBERED,
52277 + .procname = "resource_logging",
52278 + .data = &grsec_resource_logging,
52279 + .maxlen = sizeof(int),
52281 + .proc_handler = &proc_dointvec,
52284 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
52286 + .ctl_name = CTL_UNNUMBERED,
52287 + .procname = "audit_ptrace",
52288 + .data = &grsec_enable_audit_ptrace,
52289 + .maxlen = sizeof(int),
52291 + .proc_handler = &proc_dointvec,
52294 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
52296 + .ctl_name = CTL_UNNUMBERED,
52297 + .procname = "harden_ptrace",
52298 + .data = &grsec_enable_harden_ptrace,
52299 + .maxlen = sizeof(int),
52301 + .proc_handler = &proc_dointvec,
52305 + .ctl_name = CTL_UNNUMBERED,
52306 + .procname = "grsec_lock",
52307 + .data = &grsec_lock,
52308 + .maxlen = sizeof(int),
52310 + .proc_handler = &proc_dointvec,
52313 +#ifdef CONFIG_GRKERNSEC_ROFS
52315 + .ctl_name = CTL_UNNUMBERED,
52316 + .procname = "romount_protect",
52317 + .data = &grsec_enable_rofs,
52318 + .maxlen = sizeof(int),
52320 + .proc_handler = &proc_dointvec_minmax,
52325 + { .ctl_name = 0 }
52328 diff -urNp linux-2.6.32.42/grsecurity/grsec_time.c linux-2.6.32.42/grsecurity/grsec_time.c
52329 --- linux-2.6.32.42/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
52330 +++ linux-2.6.32.42/grsecurity/grsec_time.c 2011-04-17 15:56:46.000000000 -0400
52332 +#include <linux/kernel.h>
52333 +#include <linux/sched.h>
52334 +#include <linux/grinternal.h>
52335 +#include <linux/module.h>
52338 +gr_log_timechange(void)
52340 +#ifdef CONFIG_GRKERNSEC_TIME
52341 + if (grsec_enable_time)
52342 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
52347 +EXPORT_SYMBOL(gr_log_timechange);
52348 diff -urNp linux-2.6.32.42/grsecurity/grsec_tpe.c linux-2.6.32.42/grsecurity/grsec_tpe.c
52349 --- linux-2.6.32.42/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
52350 +++ linux-2.6.32.42/grsecurity/grsec_tpe.c 2011-04-17 15:56:46.000000000 -0400
52352 +#include <linux/kernel.h>
52353 +#include <linux/sched.h>
52354 +#include <linux/file.h>
52355 +#include <linux/fs.h>
52356 +#include <linux/grinternal.h>
52358 +extern int gr_acl_tpe_check(void);
52361 +gr_tpe_allow(const struct file *file)
52363 +#ifdef CONFIG_GRKERNSEC
52364 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
52365 + const struct cred *cred = current_cred();
52367 + if (cred->uid && ((grsec_enable_tpe &&
52368 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
52369 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
52370 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
52372 + in_group_p(grsec_tpe_gid)
52374 + ) || gr_acl_tpe_check()) &&
52375 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
52376 + (inode->i_mode & S_IWOTH))))) {
52377 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
52380 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
52381 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
52382 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
52383 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
52384 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
52391 diff -urNp linux-2.6.32.42/grsecurity/grsum.c linux-2.6.32.42/grsecurity/grsum.c
52392 --- linux-2.6.32.42/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
52393 +++ linux-2.6.32.42/grsecurity/grsum.c 2011-04-17 15:56:46.000000000 -0400
52395 +#include <linux/err.h>
52396 +#include <linux/kernel.h>
52397 +#include <linux/sched.h>
52398 +#include <linux/mm.h>
52399 +#include <linux/scatterlist.h>
52400 +#include <linux/crypto.h>
52401 +#include <linux/gracl.h>
52404 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
52405 +#error "crypto and sha256 must be built into the kernel"
52409 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
52412 + struct crypto_hash *tfm;
52413 + struct hash_desc desc;
52414 + struct scatterlist sg;
52415 + unsigned char temp_sum[GR_SHA_LEN];
52416 + volatile int retval = 0;
52417 + volatile int dummy = 0;
52420 + sg_init_table(&sg, 1);
52422 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
52423 + if (IS_ERR(tfm)) {
52424 + /* should never happen, since sha256 should be built in */
52431 + crypto_hash_init(&desc);
52434 + sg_set_buf(&sg, p, GR_SALT_LEN);
52435 + crypto_hash_update(&desc, &sg, sg.length);
52438 + sg_set_buf(&sg, p, strlen(p));
52440 + crypto_hash_update(&desc, &sg, sg.length);
52442 + crypto_hash_final(&desc, temp_sum);
52444 + memset(entry->pw, 0, GR_PW_LEN);
52446 + for (i = 0; i < GR_SHA_LEN; i++)
52447 + if (sum[i] != temp_sum[i])
52450 + dummy = 1; // waste a cycle
52452 + crypto_free_hash(tfm);
52456 diff -urNp linux-2.6.32.42/grsecurity/Kconfig linux-2.6.32.42/grsecurity/Kconfig
52457 --- linux-2.6.32.42/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
52458 +++ linux-2.6.32.42/grsecurity/Kconfig 2011-06-13 21:34:09.000000000 -0400
52461 +# grecurity configuration
52467 + bool "Grsecurity"
52469 + select CRYPTO_SHA256
52471 + If you say Y here, you will be able to configure many features
52472 + that will enhance the security of your system. It is highly
52473 + recommended that you say Y here and read through the help
52474 + for each option so that you fully understand the features and
52475 + can evaluate their usefulness for your machine.
52478 + prompt "Security Level"
52479 + depends on GRKERNSEC
52480 + default GRKERNSEC_CUSTOM
52482 +config GRKERNSEC_LOW
52484 + select GRKERNSEC_LINK
52485 + select GRKERNSEC_FIFO
52486 + select GRKERNSEC_EXECVE
52487 + select GRKERNSEC_RANDNET
52488 + select GRKERNSEC_DMESG
52489 + select GRKERNSEC_CHROOT
52490 + select GRKERNSEC_CHROOT_CHDIR
52493 + If you choose this option, several of the grsecurity options will
52494 + be enabled that will give you greater protection against a number
52495 + of attacks, while assuring that none of your software will have any
52496 + conflicts with the additional security measures. If you run a lot
52497 + of unusual software, or you are having problems with the higher
52498 + security levels, you should say Y here. With this option, the
52499 + following features are enabled:
52501 + - Linking restrictions
52502 + - FIFO restrictions
52503 + - Enforcing RLIMIT_NPROC on execve
52504 + - Restricted dmesg
52505 + - Enforced chdir("/") on chroot
52506 + - Runtime module disabling
52508 +config GRKERNSEC_MEDIUM
52511 + select PAX_EI_PAX
52512 + select PAX_PT_PAX_FLAGS
52513 + select PAX_HAVE_ACL_FLAGS
52514 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
52515 + select GRKERNSEC_CHROOT
52516 + select GRKERNSEC_CHROOT_SYSCTL
52517 + select GRKERNSEC_LINK
52518 + select GRKERNSEC_FIFO
52519 + select GRKERNSEC_EXECVE
52520 + select GRKERNSEC_DMESG
52521 + select GRKERNSEC_RANDNET
52522 + select GRKERNSEC_FORKFAIL
52523 + select GRKERNSEC_TIME
52524 + select GRKERNSEC_SIGNAL
52525 + select GRKERNSEC_CHROOT
52526 + select GRKERNSEC_CHROOT_UNIX
52527 + select GRKERNSEC_CHROOT_MOUNT
52528 + select GRKERNSEC_CHROOT_PIVOT
52529 + select GRKERNSEC_CHROOT_DOUBLE
52530 + select GRKERNSEC_CHROOT_CHDIR
52531 + select GRKERNSEC_CHROOT_MKNOD
52532 + select GRKERNSEC_PROC
52533 + select GRKERNSEC_PROC_USERGROUP
52534 + select PAX_RANDUSTACK
52536 + select PAX_RANDMMAP
52537 + select PAX_REFCOUNT if (X86 || SPARC64)
52538 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
52541 + If you say Y here, several features in addition to those included
52542 + in the low additional security level will be enabled. These
52543 + features provide even more security to your system, though in rare
52544 + cases they may be incompatible with very old or poorly written
52545 + software. If you enable this option, make sure that your auth
52546 + service (identd) is running as gid 1001. With this option,
52547 + the following features (in addition to those provided in the
52548 + low additional security level) will be enabled:
52550 + - Failed fork logging
52551 + - Time change logging
52553 + - Deny mounts in chroot
52554 + - Deny double chrooting
52555 + - Deny sysctl writes in chroot
52556 + - Deny mknod in chroot
52557 + - Deny access to abstract AF_UNIX sockets out of chroot
52558 + - Deny pivot_root in chroot
52559 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
52560 + - /proc restrictions with special GID set to 10 (usually wheel)
52561 + - Address Space Layout Randomization (ASLR)
52562 + - Prevent exploitation of most refcount overflows
52563 + - Bounds checking of copying between the kernel and userland
52565 +config GRKERNSEC_HIGH
52567 + select GRKERNSEC_LINK
52568 + select GRKERNSEC_FIFO
52569 + select GRKERNSEC_EXECVE
52570 + select GRKERNSEC_DMESG
52571 + select GRKERNSEC_FORKFAIL
52572 + select GRKERNSEC_TIME
52573 + select GRKERNSEC_SIGNAL
52574 + select GRKERNSEC_CHROOT
52575 + select GRKERNSEC_CHROOT_SHMAT
52576 + select GRKERNSEC_CHROOT_UNIX
52577 + select GRKERNSEC_CHROOT_MOUNT
52578 + select GRKERNSEC_CHROOT_FCHDIR
52579 + select GRKERNSEC_CHROOT_PIVOT
52580 + select GRKERNSEC_CHROOT_DOUBLE
52581 + select GRKERNSEC_CHROOT_CHDIR
52582 + select GRKERNSEC_CHROOT_MKNOD
52583 + select GRKERNSEC_CHROOT_CAPS
52584 + select GRKERNSEC_CHROOT_SYSCTL
52585 + select GRKERNSEC_CHROOT_FINDTASK
52586 + select GRKERNSEC_SYSFS_RESTRICT
52587 + select GRKERNSEC_PROC
52588 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
52589 + select GRKERNSEC_HIDESYM
52590 + select GRKERNSEC_BRUTE
52591 + select GRKERNSEC_PROC_USERGROUP
52592 + select GRKERNSEC_KMEM
52593 + select GRKERNSEC_RESLOG
52594 + select GRKERNSEC_RANDNET
52595 + select GRKERNSEC_PROC_ADD
52596 + select GRKERNSEC_CHROOT_CHMOD
52597 + select GRKERNSEC_CHROOT_NICE
52598 + select GRKERNSEC_AUDIT_MOUNT
52599 + select GRKERNSEC_MODHARDEN if (MODULES)
52600 + select GRKERNSEC_HARDEN_PTRACE
52601 + select GRKERNSEC_VM86 if (X86_32)
52602 + select GRKERNSEC_KERN_LOCKOUT if (X86 || ARM || PPC || SPARC32 || SPARC64)
52604 + select PAX_RANDUSTACK
52606 + select PAX_RANDMMAP
52607 + select PAX_NOEXEC
52608 + select PAX_MPROTECT
52609 + select PAX_EI_PAX
52610 + select PAX_PT_PAX_FLAGS
52611 + select PAX_HAVE_ACL_FLAGS
52612 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
52613 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
52614 + select PAX_RANDKSTACK if (X86_TSC && X86)
52615 + select PAX_SEGMEXEC if (X86_32)
52616 + select PAX_PAGEEXEC
52617 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
52618 + select PAX_EMUTRAMP if (PARISC)
52619 + select PAX_EMUSIGRT if (PARISC)
52620 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
52621 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
52622 + select PAX_REFCOUNT if (X86 || SPARC64)
52623 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
52625 + If you say Y here, many of the features of grsecurity will be
52626 + enabled, which will protect you against many kinds of attacks
52627 + against your system. The heightened security comes at a cost
52628 + of an increased chance of incompatibilities with rare software
52629 + on your machine. Since this security level enables PaX, you should
52630 + view <http://pax.grsecurity.net> and read about the PaX
52631 + project. While you are there, download chpax and run it on
52632 + binaries that cause problems with PaX. Also remember that
52633 + since the /proc restrictions are enabled, you must run your
52634 + identd as gid 1001. This security level enables the following
52635 + features in addition to those listed in the low and medium
52638 + - Additional /proc restrictions
52639 + - Chmod restrictions in chroot
52640 + - No signals, ptrace, or viewing of processes outside of chroot
52641 + - Capability restrictions in chroot
52642 + - Deny fchdir out of chroot
52643 + - Priority restrictions in chroot
52644 + - Segmentation-based implementation of PaX
52645 + - Mprotect restrictions
52646 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
52647 + - Kernel stack randomization
52648 + - Mount/unmount/remount logging
52649 + - Kernel symbol hiding
52650 + - Prevention of memory exhaustion-based exploits
52651 + - Hardening of module auto-loading
52652 + - Ptrace restrictions
52653 + - Restricted vm86 mode
52654 + - Restricted sysfs/debugfs
52655 + - Active kernel exploit response
52657 +config GRKERNSEC_CUSTOM
52660 + If you say Y here, you will be able to configure every grsecurity
52661 + option, which allows you to enable many more features that aren't
52662 + covered in the basic security levels. These additional features
52663 + include TPE, socket restrictions, and the sysctl system for
52664 + grsecurity. It is advised that you read through the help for
52665 + each option to determine its usefulness in your situation.
52669 +menu "Address Space Protection"
52670 +depends on GRKERNSEC
52672 +config GRKERNSEC_KMEM
52673 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
52674 + select STRICT_DEVMEM if (X86 || ARM || TILE || S390)
52676 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
52677 + be written to via mmap or otherwise to modify the running kernel.
52678 + /dev/port will also not be allowed to be opened. If you have module
52679 + support disabled, enabling this will close up four ways that are
52680 + currently used to insert malicious code into the running kernel.
52681 + Even with all these features enabled, we still highly recommend that
52682 + you use the RBAC system, as it is still possible for an attacker to
52683 + modify the running kernel through privileged I/O granted by ioperm/iopl.
52684 + If you are not using XFree86, you may be able to stop this additional
52685 + case by enabling the 'Disable privileged I/O' option. Though nothing
52686 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
52687 + but only to video memory, which is the only writing we allow in this
52688 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
52689 + not be allowed to mprotect it with PROT_WRITE later.
52690 + It is highly recommended that you say Y here if you meet all the
52691 + conditions above.
52693 +config GRKERNSEC_VM86
52694 + bool "Restrict VM86 mode"
52695 + depends on X86_32
52698 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
52699 + make use of a special execution mode on 32bit x86 processors called
52700 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
52701 + video cards and will still work with this option enabled. The purpose
52702 + of the option is to prevent exploitation of emulation errors in
52703 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
52704 + Nearly all users should be able to enable this option.
52706 +config GRKERNSEC_IO
52707 + bool "Disable privileged I/O"
52710 + select RTC_INTF_DEV
52711 + select RTC_DRV_CMOS
52714 + If you say Y here, all ioperm and iopl calls will return an error.
52715 + Ioperm and iopl can be used to modify the running kernel.
52716 + Unfortunately, some programs need this access to operate properly,
52717 + the most notable of which are XFree86 and hwclock. hwclock can be
52718 + remedied by having RTC support in the kernel, so real-time
52719 + clock support is enabled if this option is enabled, to ensure
52720 + that hwclock operates correctly. XFree86 still will not
52721 + operate correctly with this option enabled, so DO NOT CHOOSE Y
52722 + IF YOU USE XFree86. If you use XFree86 and you still want to
52723 + protect your kernel against modification, use the RBAC system.
52725 +config GRKERNSEC_PROC_MEMMAP
52726 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
52727 + default y if (PAX_NOEXEC || PAX_ASLR)
52728 + depends on PAX_NOEXEC || PAX_ASLR
52730 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
52731 + give no information about the addresses of its mappings if
52732 + PaX features that rely on random addresses are enabled on the task.
52733 + If you use PaX it is greatly recommended that you say Y here as it
52734 + closes up a hole that makes the full ASLR useless for suid
52737 +config GRKERNSEC_BRUTE
52738 + bool "Deter exploit bruteforcing"
52740 + If you say Y here, attempts to bruteforce exploits against forking
52741 + daemons such as apache or sshd, as well as against suid/sgid binaries
52742 + will be deterred. When a child of a forking daemon is killed by PaX
52743 + or crashes due to an illegal instruction or other suspicious signal,
52744 + the parent process will be delayed 30 seconds upon every subsequent
52745 + fork until the administrator is able to assess the situation and
52746 + restart the daemon.
52747 + In the suid/sgid case, the attempt is logged, the user has all their
52748 + processes terminated, and they are prevented from executing any further
52749 + processes for 15 minutes.
52750 + It is recommended that you also enable signal logging in the auditing
52751 + section so that logs are generated when a process triggers a suspicious
52754 +config GRKERNSEC_MODHARDEN
52755 + bool "Harden module auto-loading"
52756 + depends on MODULES
52758 + If you say Y here, module auto-loading in response to use of some
52759 + feature implemented by an unloaded module will be restricted to
52760 + root users. Enabling this option helps defend against attacks
52761 + by unprivileged users who abuse the auto-loading behavior to
52762 + cause a vulnerable module to load that is then exploited.
52764 + If this option prevents a legitimate use of auto-loading for a
52765 + non-root user, the administrator can execute modprobe manually
52766 + with the exact name of the module mentioned in the alert log.
52767 + Alternatively, the administrator can add the module to the list
52768 + of modules loaded at boot by modifying init scripts.
52770 + Modification of init scripts will most likely be needed on
52771 + Ubuntu servers with encrypted home directory support enabled,
52772 + as the first non-root user logging in will cause the ecb(aes),
52773 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
52775 +config GRKERNSEC_HIDESYM
52776 + bool "Hide kernel symbols"
52778 + If you say Y here, getting information on loaded modules, and
52779 + displaying all kernel symbols through a syscall will be restricted
52780 + to users with CAP_SYS_MODULE. For software compatibility reasons,
52781 + /proc/kallsyms will be restricted to the root user. The RBAC
52782 + system can hide that entry even from root.
52784 + This option also prevents leaking of kernel addresses through
52785 + several /proc entries.
52787 + Note that this option is only effective provided the following
52788 + conditions are met:
52789 + 1) The kernel using grsecurity is not precompiled by some distribution
52790 + 2) You have also enabled GRKERNSEC_DMESG
52791 + 3) You are using the RBAC system and hiding other files such as your
52792 + kernel image and System.map. Alternatively, enabling this option
52793 + causes the permissions on /boot, /lib/modules, and the kernel
52794 + source directory to change at compile time to prevent
52795 + reading by non-root users.
52796 + If the above conditions are met, this option will aid in providing a
52797 + useful protection against local kernel exploitation of overflows
52798 + and arbitrary read/write vulnerabilities.
52800 +config GRKERNSEC_KERN_LOCKOUT
52801 + bool "Active kernel exploit response"
52802 + depends on X86 || ARM || PPC || SPARC32 || SPARC64
52804 + If you say Y here, when a PaX alert is triggered due to suspicious
52805 + activity in the kernel (from KERNEXEC/UDEREF/USERCOPY)
52806 + or an OOPs occurs due to bad memory accesses, instead of just
52807 + terminating the offending process (and potentially allowing
52808 + a subsequent exploit from the same user), we will take one of two
52810 + If the user was root, we will panic the system
52811 + If the user was non-root, we will log the attempt, terminate
52812 + all processes owned by the user, then prevent them from creating
52813 + any new processes until the system is restarted
52814 + This deters repeated kernel exploitation/bruteforcing attempts
52815 + and is useful for later forensics.
52818 +menu "Role Based Access Control Options"
52819 +depends on GRKERNSEC
52821 +config GRKERNSEC_RBAC_DEBUG
52824 +config GRKERNSEC_NO_RBAC
52825 + bool "Disable RBAC system"
52827 + If you say Y here, the /dev/grsec device will be removed from the kernel,
52828 + preventing the RBAC system from being enabled. You should only say Y
52829 + here if you have no intention of using the RBAC system, so as to prevent
52830 + an attacker with root access from misusing the RBAC system to hide files
52831 + and processes when loadable module support and /dev/[k]mem have been
52834 +config GRKERNSEC_ACL_HIDEKERN
52835 + bool "Hide kernel processes"
52837 + If you say Y here, all kernel threads will be hidden to all
52838 + processes but those whose subject has the "view hidden processes"
52841 +config GRKERNSEC_ACL_MAXTRIES
52842 + int "Maximum tries before password lockout"
52845 + This option enforces the maximum number of times a user can attempt
52846 + to authorize themselves with the grsecurity RBAC system before being
52847 + denied the ability to attempt authorization again for a specified time.
52848 + The lower the number, the harder it will be to brute-force a password.
52850 +config GRKERNSEC_ACL_TIMEOUT
52851 + int "Time to wait after max password tries, in seconds"
52854 + This option specifies the time the user must wait after attempting to
52855 + authorize to the RBAC system with the maximum number of invalid
52856 + passwords. The higher the number, the harder it will be to brute-force
52860 +menu "Filesystem Protections"
52861 +depends on GRKERNSEC
52863 +config GRKERNSEC_PROC
52864 + bool "Proc restrictions"
52866 + If you say Y here, the permissions of the /proc filesystem
52867 + will be altered to enhance system security and privacy. You MUST
52868 + choose either a user only restriction or a user and group restriction.
52869 + Depending upon the option you choose, you can either restrict users to
52870 + see only the processes they themselves run, or choose a group that can
52871 + view all processes and files normally restricted to root if you choose
52872 + the "restrict to user only" option. NOTE: If you're running identd as
52873 + a non-root user, you will have to run it as the group you specify here.
52875 +config GRKERNSEC_PROC_USER
52876 + bool "Restrict /proc to user only"
52877 + depends on GRKERNSEC_PROC
52879 + If you say Y here, non-root users will only be able to view their own
52880 + processes, and restricts them from viewing network-related information,
52881 + and viewing kernel symbol and module information.
52883 +config GRKERNSEC_PROC_USERGROUP
52884 + bool "Allow special group"
52885 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
52887 + If you say Y here, you will be able to select a group that will be
52888 + able to view all processes and network-related information. If you've
52889 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
52890 + remain hidden. This option is useful if you want to run identd as
52893 +config GRKERNSEC_PROC_GID
52894 + int "GID for special group"
52895 + depends on GRKERNSEC_PROC_USERGROUP
52898 +config GRKERNSEC_PROC_ADD
52899 + bool "Additional restrictions"
52900 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
52902 + If you say Y here, additional restrictions will be placed on
52903 + /proc that keep normal users from viewing device information and
52904 + slabinfo information that could be useful for exploits.
52906 +config GRKERNSEC_LINK
52907 + bool "Linking restrictions"
52909 + If you say Y here, /tmp race exploits will be prevented, since users
52910 + will no longer be able to follow symlinks owned by other users in
52911 + world-writable +t directories (e.g. /tmp), unless the owner of the
52912 + symlink is the owner of the directory. users will also not be
52913 + able to hardlink to files they do not own. If the sysctl option is
52914 + enabled, a sysctl option with name "linking_restrictions" is created.
52916 +config GRKERNSEC_FIFO
52917 + bool "FIFO restrictions"
52919 + If you say Y here, users will not be able to write to FIFOs they don't
52920 + own in world-writable +t directories (e.g. /tmp), unless the owner of
52921 + the FIFO is the same owner of the directory it's held in. If the sysctl
52922 + option is enabled, a sysctl option with name "fifo_restrictions" is
52925 +config GRKERNSEC_SYSFS_RESTRICT
52926 + bool "Sysfs/debugfs restriction"
52929 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
52930 + any filesystem normally mounted under it (e.g. debugfs) will only
52931 + be accessible by root. These filesystems generally provide access
52932 + to hardware and debug information that isn't appropriate for unprivileged
52933 + users of the system. Sysfs and debugfs have also become a large source
52934 + of new vulnerabilities, ranging from infoleaks to local compromise.
52935 + There has been very little oversight with an eye toward security involved
52936 + in adding new exporters of information to these filesystems, so their
52937 + use is discouraged.
52938 + This option is equivalent to a chmod 0700 of the mount paths.
52940 +config GRKERNSEC_ROFS
52941 + bool "Runtime read-only mount protection"
52943 + If you say Y here, a sysctl option with name "romount_protect" will
52944 + be created. By setting this option to 1 at runtime, filesystems
52945 + will be protected in the following ways:
52946 + * No new writable mounts will be allowed
52947 + * Existing read-only mounts won't be able to be remounted read/write
52948 + * Write operations will be denied on all block devices
52949 + This option acts independently of grsec_lock: once it is set to 1,
52950 + it cannot be turned off. Therefore, please be mindful of the resulting
52951 + behavior if this option is enabled in an init script on a read-only
52952 + filesystem. This feature is mainly intended for secure embedded systems.
52954 +config GRKERNSEC_CHROOT
52955 + bool "Chroot jail restrictions"
52957 + If you say Y here, you will be able to choose several options that will
52958 + make breaking out of a chrooted jail much more difficult. If you
52959 + encounter no software incompatibilities with the following options, it
52960 + is recommended that you enable each one.
52962 +config GRKERNSEC_CHROOT_MOUNT
52963 + bool "Deny mounts"
52964 + depends on GRKERNSEC_CHROOT
52966 + If you say Y here, processes inside a chroot will not be able to
52967 + mount or remount filesystems. If the sysctl option is enabled, a
52968 + sysctl option with name "chroot_deny_mount" is created.
52970 +config GRKERNSEC_CHROOT_DOUBLE
52971 + bool "Deny double-chroots"
52972 + depends on GRKERNSEC_CHROOT
52974 + If you say Y here, processes inside a chroot will not be able to chroot
52975 + again outside the chroot. This is a widely used method of breaking
52976 + out of a chroot jail and should not be allowed. If the sysctl
52977 + option is enabled, a sysctl option with name
52978 + "chroot_deny_chroot" is created.
52980 +config GRKERNSEC_CHROOT_PIVOT
52981 + bool "Deny pivot_root in chroot"
52982 + depends on GRKERNSEC_CHROOT
52984 + If you say Y here, processes inside a chroot will not be able to use
52985 + a function called pivot_root() that was introduced in Linux 2.3.41. It
52986 + works similar to chroot in that it changes the root filesystem. This
52987 + function could be misused in a chrooted process to attempt to break out
52988 + of the chroot, and therefore should not be allowed. If the sysctl
52989 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
52992 +config GRKERNSEC_CHROOT_CHDIR
52993 + bool "Enforce chdir(\"/\") on all chroots"
52994 + depends on GRKERNSEC_CHROOT
52996 + If you say Y here, the current working directory of all newly-chrooted
52997 + applications will be set to the the root directory of the chroot.
52998 + The man page on chroot(2) states:
52999 + Note that this call does not change the current working
53000 + directory, so that `.' can be outside the tree rooted at
53001 + `/'. In particular, the super-user can escape from a
53002 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
53004 + It is recommended that you say Y here, since it's not known to break
53005 + any software. If the sysctl option is enabled, a sysctl option with
53006 + name "chroot_enforce_chdir" is created.
53008 +config GRKERNSEC_CHROOT_CHMOD
53009 + bool "Deny (f)chmod +s"
53010 + depends on GRKERNSEC_CHROOT
53012 + If you say Y here, processes inside a chroot will not be able to chmod
53013 + or fchmod files to make them have suid or sgid bits. This protects
53014 + against another published method of breaking a chroot. If the sysctl
53015 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
53018 +config GRKERNSEC_CHROOT_FCHDIR
53019 + bool "Deny fchdir out of chroot"
53020 + depends on GRKERNSEC_CHROOT
53022 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
53023 + to a file descriptor of the chrooting process that points to a directory
53024 + outside the filesystem will be stopped. If the sysctl option
53025 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
53027 +config GRKERNSEC_CHROOT_MKNOD
53028 + bool "Deny mknod"
53029 + depends on GRKERNSEC_CHROOT
53031 + If you say Y here, processes inside a chroot will not be allowed to
53032 + mknod. The problem with using mknod inside a chroot is that it
53033 + would allow an attacker to create a device entry that is the same
53034 + as one on the physical root of your system, which could range from
53035 + anything from the console device to a device for your harddrive (which
53036 + they could then use to wipe the drive or steal data). It is recommended
53037 + that you say Y here, unless you run into software incompatibilities.
53038 + If the sysctl option is enabled, a sysctl option with name
53039 + "chroot_deny_mknod" is created.
53041 +config GRKERNSEC_CHROOT_SHMAT
53042 + bool "Deny shmat() out of chroot"
53043 + depends on GRKERNSEC_CHROOT
53045 + If you say Y here, processes inside a chroot will not be able to attach
53046 + to shared memory segments that were created outside of the chroot jail.
53047 + It is recommended that you say Y here. If the sysctl option is enabled,
53048 + a sysctl option with name "chroot_deny_shmat" is created.
53050 +config GRKERNSEC_CHROOT_UNIX
53051 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
53052 + depends on GRKERNSEC_CHROOT
53054 + If you say Y here, processes inside a chroot will not be able to
53055 + connect to abstract (meaning not belonging to a filesystem) Unix
53056 + domain sockets that were bound outside of a chroot. It is recommended
53057 + that you say Y here. If the sysctl option is enabled, a sysctl option
53058 + with name "chroot_deny_unix" is created.
53060 +config GRKERNSEC_CHROOT_FINDTASK
53061 + bool "Protect outside processes"
53062 + depends on GRKERNSEC_CHROOT
53064 + If you say Y here, processes inside a chroot will not be able to
53065 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
53066 + getsid, or view any process outside of the chroot. If the sysctl
53067 + option is enabled, a sysctl option with name "chroot_findtask" is
53070 +config GRKERNSEC_CHROOT_NICE
53071 + bool "Restrict priority changes"
53072 + depends on GRKERNSEC_CHROOT
53074 + If you say Y here, processes inside a chroot will not be able to raise
53075 + the priority of processes in the chroot, or alter the priority of
53076 + processes outside the chroot. This provides more security than simply
53077 + removing CAP_SYS_NICE from the process' capability set. If the
53078 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
53081 +config GRKERNSEC_CHROOT_SYSCTL
53082 + bool "Deny sysctl writes"
53083 + depends on GRKERNSEC_CHROOT
53085 + If you say Y here, an attacker in a chroot will not be able to
53086 + write to sysctl entries, either by sysctl(2) or through a /proc
53087 + interface. It is strongly recommended that you say Y here. If the
53088 + sysctl option is enabled, a sysctl option with name
53089 + "chroot_deny_sysctl" is created.
53091 +config GRKERNSEC_CHROOT_CAPS
53092 + bool "Capability restrictions"
53093 + depends on GRKERNSEC_CHROOT
53095 + If you say Y here, the capabilities on all root processes within a
53096 + chroot jail will be lowered to stop module insertion, raw i/o,
53097 + system and net admin tasks, rebooting the system, modifying immutable
53098 + files, modifying IPC owned by another, and changing the system time.
53099 + This is left an option because it can break some apps. Disable this
53100 + if your chrooted apps are having problems performing those kinds of
53101 + tasks. If the sysctl option is enabled, a sysctl option with
53102 + name "chroot_caps" is created.
53105 +menu "Kernel Auditing"
53106 +depends on GRKERNSEC
53108 +config GRKERNSEC_AUDIT_GROUP
53109 + bool "Single group for auditing"
53111 + If you say Y here, the exec, chdir, and (un)mount logging features
53112 + will only operate on a group you specify. This option is recommended
53113 + if you only want to watch certain users instead of having a large
53114 + amount of logs from the entire system. If the sysctl option is enabled,
53115 + a sysctl option with name "audit_group" is created.
53117 +config GRKERNSEC_AUDIT_GID
53118 + int "GID for auditing"
53119 + depends on GRKERNSEC_AUDIT_GROUP
53122 +config GRKERNSEC_EXECLOG
53123 + bool "Exec logging"
53125 + If you say Y here, all execve() calls will be logged (since the
53126 + other exec*() calls are frontends to execve(), all execution
53127 + will be logged). Useful for shell-servers that like to keep track
53128 + of their users. If the sysctl option is enabled, a sysctl option with
53129 + name "exec_logging" is created.
53130 + WARNING: This option when enabled will produce a LOT of logs, especially
53131 + on an active system.
53133 +config GRKERNSEC_RESLOG
53134 + bool "Resource logging"
53136 + If you say Y here, all attempts to overstep resource limits will
53137 + be logged with the resource name, the requested size, and the current
53138 + limit. It is highly recommended that you say Y here. If the sysctl
53139 + option is enabled, a sysctl option with name "resource_logging" is
53140 + created. If the RBAC system is enabled, the sysctl value is ignored.
53142 +config GRKERNSEC_CHROOT_EXECLOG
53143 + bool "Log execs within chroot"
53145 + If you say Y here, all executions inside a chroot jail will be logged
53146 + to syslog. This can cause a large amount of logs if certain
53147 + applications (eg. djb's daemontools) are installed on the system, and
53148 + is therefore left as an option. If the sysctl option is enabled, a
53149 + sysctl option with name "chroot_execlog" is created.
53151 +config GRKERNSEC_AUDIT_PTRACE
53152 + bool "Ptrace logging"
53154 + If you say Y here, all attempts to attach to a process via ptrace
53155 + will be logged. If the sysctl option is enabled, a sysctl option
53156 + with name "audit_ptrace" is created.
53158 +config GRKERNSEC_AUDIT_CHDIR
53159 + bool "Chdir logging"
53161 + If you say Y here, all chdir() calls will be logged. If the sysctl
53162 + option is enabled, a sysctl option with name "audit_chdir" is created.
53164 +config GRKERNSEC_AUDIT_MOUNT
53165 + bool "(Un)Mount logging"
53167 + If you say Y here, all mounts and unmounts will be logged. If the
53168 + sysctl option is enabled, a sysctl option with name "audit_mount" is
53171 +config GRKERNSEC_SIGNAL
53172 + bool "Signal logging"
53174 + If you say Y here, certain important signals will be logged, such as
53175 + SIGSEGV, which will as a result inform you of when a error in a program
53176 + occurred, which in some cases could mean a possible exploit attempt.
53177 + If the sysctl option is enabled, a sysctl option with name
53178 + "signal_logging" is created.
53180 +config GRKERNSEC_FORKFAIL
53181 + bool "Fork failure logging"
53183 + If you say Y here, all failed fork() attempts will be logged.
53184 + This could suggest a fork bomb, or someone attempting to overstep
53185 + their process limit. If the sysctl option is enabled, a sysctl option
53186 + with name "forkfail_logging" is created.
53188 +config GRKERNSEC_TIME
53189 + bool "Time change logging"
53191 + If you say Y here, any changes of the system clock will be logged.
53192 + If the sysctl option is enabled, a sysctl option with name
53193 + "timechange_logging" is created.
53195 +config GRKERNSEC_PROC_IPADDR
53196 + bool "/proc/<pid>/ipaddr support"
53198 + If you say Y here, a new entry will be added to each /proc/<pid>
53199 + directory that contains the IP address of the person using the task.
53200 + The IP is carried across local TCP and AF_UNIX stream sockets.
53201 + This information can be useful for IDS/IPSes to perform remote response
53202 + to a local attack. The entry is readable by only the owner of the
53203 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
53204 + the RBAC system), and thus does not create privacy concerns.
53206 +config GRKERNSEC_RWXMAP_LOG
53207 + bool 'Denied RWX mmap/mprotect logging'
53208 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
53210 + If you say Y here, calls to mmap() and mprotect() with explicit
53211 + usage of PROT_WRITE and PROT_EXEC together will be logged when
53212 + denied by the PAX_MPROTECT feature. If the sysctl option is
53213 + enabled, a sysctl option with name "rwxmap_logging" is created.
53215 +config GRKERNSEC_AUDIT_TEXTREL
53216 + bool 'ELF text relocations logging (READ HELP)'
53217 + depends on PAX_MPROTECT
53219 + If you say Y here, text relocations will be logged with the filename
53220 + of the offending library or binary. The purpose of the feature is
53221 + to help Linux distribution developers get rid of libraries and
53222 + binaries that need text relocations which hinder the future progress
53223 + of PaX. Only Linux distribution developers should say Y here, and
53224 + never on a production machine, as this option creates an information
53225 + leak that could aid an attacker in defeating the randomization of
53226 + a single memory region. If the sysctl option is enabled, a sysctl
53227 + option with name "audit_textrel" is created.
53231 +menu "Executable Protections"
53232 +depends on GRKERNSEC
53234 +config GRKERNSEC_EXECVE
53235 + bool "Enforce RLIMIT_NPROC on execs"
53237 + If you say Y here, users with a resource limit on processes will
53238 + have the value checked during execve() calls. The current system
53239 + only checks the system limit during fork() calls. If the sysctl option
53240 + is enabled, a sysctl option with name "execve_limiting" is created.
53242 +config GRKERNSEC_DMESG
53243 + bool "Dmesg(8) restriction"
53245 + If you say Y here, non-root users will not be able to use dmesg(8)
53246 + to view up to the last 4kb of messages in the kernel's log buffer.
53247 + The kernel's log buffer often contains kernel addresses and other
53248 + identifying information useful to an attacker in fingerprinting a
53249 + system for a targeted exploit.
53250 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
53253 +config GRKERNSEC_HARDEN_PTRACE
53254 + bool "Deter ptrace-based process snooping"
53256 + If you say Y here, TTY sniffers and other malicious monitoring
53257 + programs implemented through ptrace will be defeated. If you
53258 + have been using the RBAC system, this option has already been
53259 + enabled for several years for all users, with the ability to make
53260 + fine-grained exceptions.
53262 + This option only affects the ability of non-root users to ptrace
53263 + processes that are not a descendent of the ptracing process.
53264 + This means that strace ./binary and gdb ./binary will still work,
53265 + but attaching to arbitrary processes will not. If the sysctl
53266 + option is enabled, a sysctl option with name "harden_ptrace" is
53269 +config GRKERNSEC_TPE
53270 + bool "Trusted Path Execution (TPE)"
53272 + If you say Y here, you will be able to choose a gid to add to the
53273 + supplementary groups of users you want to mark as "untrusted."
53274 + These users will not be able to execute any files that are not in
53275 + root-owned directories writable only by root. If the sysctl option
53276 + is enabled, a sysctl option with name "tpe" is created.
53278 +config GRKERNSEC_TPE_ALL
53279 + bool "Partially restrict all non-root users"
53280 + depends on GRKERNSEC_TPE
53282 + If you say Y here, all non-root users will be covered under
53283 + a weaker TPE restriction. This is separate from, and in addition to,
53284 + the main TPE options that you have selected elsewhere. Thus, if a
53285 + "trusted" GID is chosen, this restriction applies to even that GID.
53286 + Under this restriction, all non-root users will only be allowed to
53287 + execute files in directories they own that are not group or
53288 + world-writable, or in directories owned by root and writable only by
53289 + root. If the sysctl option is enabled, a sysctl option with name
53290 + "tpe_restrict_all" is created.
53292 +config GRKERNSEC_TPE_INVERT
53293 + bool "Invert GID option"
53294 + depends on GRKERNSEC_TPE
53296 + If you say Y here, the group you specify in the TPE configuration will
53297 + decide what group TPE restrictions will be *disabled* for. This
53298 + option is useful if you want TPE restrictions to be applied to most
53299 + users on the system. If the sysctl option is enabled, a sysctl option
53300 + with name "tpe_invert" is created. Unlike other sysctl options, this
53301 + entry will default to on for backward-compatibility.
53303 +config GRKERNSEC_TPE_GID
53304 + int "GID for untrusted users"
53305 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
53308 + Setting this GID determines what group TPE restrictions will be
53309 + *enabled* for. If the sysctl option is enabled, a sysctl option
53310 + with name "tpe_gid" is created.
53312 +config GRKERNSEC_TPE_GID
53313 + int "GID for trusted users"
53314 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
53317 + Setting this GID determines what group TPE restrictions will be
53318 + *disabled* for. If the sysctl option is enabled, a sysctl option
53319 + with name "tpe_gid" is created.
53322 +menu "Network Protections"
53323 +depends on GRKERNSEC
53325 +config GRKERNSEC_RANDNET
53326 + bool "Larger entropy pools"
53328 + If you say Y here, the entropy pools used for many features of Linux
53329 + and grsecurity will be doubled in size. Since several grsecurity
53330 + features use additional randomness, it is recommended that you say Y
53331 + here. Saying Y here has a similar effect as modifying
53332 + /proc/sys/kernel/random/poolsize.
53334 +config GRKERNSEC_BLACKHOLE
53335 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
53337 + If you say Y here, neither TCP resets nor ICMP
53338 + destination-unreachable packets will be sent in response to packets
53339 + sent to ports for which no associated listening process exists.
53340 + This feature supports both IPV4 and IPV6 and exempts the
53341 + loopback interface from blackholing. Enabling this feature
53342 + makes a host more resilient to DoS attacks and reduces network
53343 + visibility against scanners.
53345 + The blackhole feature as-implemented is equivalent to the FreeBSD
53346 + blackhole feature, as it prevents RST responses to all packets, not
53347 + just SYNs. Under most application behavior this causes no
53348 + problems, but applications (like haproxy) may not close certain
53349 + connections in a way that cleanly terminates them on the remote
53350 + end, leaving the remote host in LAST_ACK state. Because of this
53351 + side-effect and to prevent intentional LAST_ACK DoSes, this
53352 + feature also adds automatic mitigation against such attacks.
53353 + The mitigation drastically reduces the amount of time a socket
53354 + can spend in LAST_ACK state. If you're using haproxy and not
53355 + all servers it connects to have this option enabled, consider
53356 + disabling this feature on the haproxy host.
53358 + If the sysctl option is enabled, two sysctl options with names
53359 + "ip_blackhole" and "lastack_retries" will be created.
53360 + While "ip_blackhole" takes the standard zero/non-zero on/off
53361 + toggle, "lastack_retries" uses the same kinds of values as
53362 + "tcp_retries1" and "tcp_retries2". The default value of 4
53363 + prevents a socket from lasting more than 45 seconds in LAST_ACK
53366 +config GRKERNSEC_SOCKET
53367 + bool "Socket restrictions"
53369 + If you say Y here, you will be able to choose from several options.
53370 + If you assign a GID on your system and add it to the supplementary
53371 + groups of users you want to restrict socket access to, this patch
53372 + will perform up to three things, based on the option(s) you choose.
53374 +config GRKERNSEC_SOCKET_ALL
53375 + bool "Deny any sockets to group"
53376 + depends on GRKERNSEC_SOCKET
53378 + If you say Y here, you will be able to choose a GID of whose users will
53379 + be unable to connect to other hosts from your machine or run server
53380 + applications from your machine. If the sysctl option is enabled, a
53381 + sysctl option with name "socket_all" is created.
53383 +config GRKERNSEC_SOCKET_ALL_GID
53384 + int "GID to deny all sockets for"
53385 + depends on GRKERNSEC_SOCKET_ALL
53388 + Here you can choose the GID to disable socket access for. Remember to
53389 + add the users you want socket access disabled for to the GID
53390 + specified here. If the sysctl option is enabled, a sysctl option
53391 + with name "socket_all_gid" is created.
53393 +config GRKERNSEC_SOCKET_CLIENT
53394 + bool "Deny client sockets to group"
53395 + depends on GRKERNSEC_SOCKET
53397 + If you say Y here, you will be able to choose a GID of whose users will
53398 + be unable to connect to other hosts from your machine, but will be
53399 + able to run servers. If this option is enabled, all users in the group
53400 + you specify will have to use passive mode when initiating ftp transfers
53401 + from the shell on your machine. If the sysctl option is enabled, a
53402 + sysctl option with name "socket_client" is created.
53404 +config GRKERNSEC_SOCKET_CLIENT_GID
53405 + int "GID to deny client sockets for"
53406 + depends on GRKERNSEC_SOCKET_CLIENT
53409 + Here you can choose the GID to disable client socket access for.
53410 + Remember to add the users you want client socket access disabled for to
53411 + the GID specified here. If the sysctl option is enabled, a sysctl
53412 + option with name "socket_client_gid" is created.
53414 +config GRKERNSEC_SOCKET_SERVER
53415 + bool "Deny server sockets to group"
53416 + depends on GRKERNSEC_SOCKET
53418 + If you say Y here, you will be able to choose a GID of whose users will
53419 + be unable to run server applications from your machine. If the sysctl
53420 + option is enabled, a sysctl option with name "socket_server" is created.
53422 +config GRKERNSEC_SOCKET_SERVER_GID
53423 + int "GID to deny server sockets for"
53424 + depends on GRKERNSEC_SOCKET_SERVER
53427 + Here you can choose the GID to disable server socket access for.
53428 + Remember to add the users you want server socket access disabled for to
53429 + the GID specified here. If the sysctl option is enabled, a sysctl
53430 + option with name "socket_server_gid" is created.
53433 +menu "Sysctl support"
53434 +depends on GRKERNSEC && SYSCTL
53436 +config GRKERNSEC_SYSCTL
53437 + bool "Sysctl support"
53439 + If you say Y here, you will be able to change the options that
53440 + grsecurity runs with at bootup, without having to recompile your
53441 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
53442 + to enable (1) or disable (0) various features. All the sysctl entries
53443 + are mutable until the "grsec_lock" entry is set to a non-zero value.
53444 + All features enabled in the kernel configuration are disabled at boot
53445 + if you do not say Y to the "Turn on features by default" option.
53446 + All options should be set at startup, and the grsec_lock entry should
53447 + be set to a non-zero value after all the options are set.
53448 + *THIS IS EXTREMELY IMPORTANT*
53450 +config GRKERNSEC_SYSCTL_DISTRO
53451 + bool "Extra sysctl support for distro makers (READ HELP)"
53452 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
53454 + If you say Y here, additional sysctl options will be created
53455 + for features that affect processes running as root. Therefore,
53456 + it is critical when using this option that the grsec_lock entry be
53457 + enabled after boot. Only distros with prebuilt kernel packages
53458 + with this option enabled that can ensure grsec_lock is enabled
53459 + after boot should use this option.
53460 + *Failure to set grsec_lock after boot makes all grsec features
53461 + this option covers useless*
53463 + Currently this option creates the following sysctl entries:
53464 + "Disable Privileged I/O": "disable_priv_io"
53466 +config GRKERNSEC_SYSCTL_ON
53467 + bool "Turn on features by default"
53468 + depends on GRKERNSEC_SYSCTL
53470 + If you say Y here, instead of having all features enabled in the
53471 + kernel configuration disabled at boot time, the features will be
53472 + enabled at boot time. It is recommended you say Y here unless
53473 + there is some reason you would want all sysctl-tunable features to
53474 + be disabled by default. As mentioned elsewhere, it is important
53475 + to enable the grsec_lock entry once you have finished modifying
53476 + the sysctl entries.
53479 +menu "Logging Options"
53480 +depends on GRKERNSEC
53482 +config GRKERNSEC_FLOODTIME
53483 + int "Seconds in between log messages (minimum)"
53486 + This option allows you to enforce the number of seconds between
53487 + grsecurity log messages. The default should be suitable for most
53488 + people, however, if you choose to change it, choose a value small enough
53489 + to allow informative logs to be produced, but large enough to
53490 + prevent flooding.
53492 +config GRKERNSEC_FLOODBURST
53493 + int "Number of messages in a burst (maximum)"
53496 + This option allows you to choose the maximum number of messages allowed
53497 + within the flood time interval you chose in a separate option. The
53498 + default should be suitable for most people, however if you find that
53499 + many of your logs are being interpreted as flooding, you may want to
53500 + raise this value.
53505 diff -urNp linux-2.6.32.42/grsecurity/Makefile linux-2.6.32.42/grsecurity/Makefile
53506 --- linux-2.6.32.42/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
53507 +++ linux-2.6.32.42/grsecurity/Makefile 2011-05-24 20:27:46.000000000 -0400
53509 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
53510 +# during 2001-2009 it has been completely redesigned by Brad Spengler
53511 +# into an RBAC system
53513 +# All code in this directory and various hooks inserted throughout the kernel
53514 +# are copyright Brad Spengler - Open Source Security, Inc., and released
53515 +# under the GPL v2 or higher
53517 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
53518 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
53519 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
53521 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_segv.o \
53522 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
53523 + gracl_learn.o grsec_log.o
53524 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
53527 +obj-$(CONFIG_GRKERNSEC) += gracl_ip.o
53530 +ifndef CONFIG_GRKERNSEC
53531 +obj-y += grsec_disabled.o
53534 +ifdef CONFIG_GRKERNSEC_HIDESYM
53535 +extra-y := grsec_hidesym.o
53536 +$(obj)/grsec_hidesym.o:
53537 + @-chmod -f 500 /boot
53538 + @-chmod -f 500 /lib/modules
53540 + @echo ' grsec: protected kernel image paths'
53542 diff -urNp linux-2.6.32.42/include/acpi/acpi_drivers.h linux-2.6.32.42/include/acpi/acpi_drivers.h
53543 --- linux-2.6.32.42/include/acpi/acpi_drivers.h 2011-03-27 14:31:47.000000000 -0400
53544 +++ linux-2.6.32.42/include/acpi/acpi_drivers.h 2011-04-17 15:56:46.000000000 -0400
53545 @@ -119,8 +119,8 @@ int acpi_processor_set_thermal_limit(acp
53547 -------------------------------------------------------------------------- */
53548 struct acpi_dock_ops {
53549 - acpi_notify_handler handler;
53550 - acpi_notify_handler uevent;
53551 + const acpi_notify_handler handler;
53552 + const acpi_notify_handler uevent;
53555 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
53556 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
53557 extern int register_dock_notifier(struct notifier_block *nb);
53558 extern void unregister_dock_notifier(struct notifier_block *nb);
53559 extern int register_hotplug_dock_device(acpi_handle handle,
53560 - struct acpi_dock_ops *ops,
53561 + const struct acpi_dock_ops *ops,
53563 extern void unregister_hotplug_dock_device(acpi_handle handle);
53565 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
53568 static inline int register_hotplug_dock_device(acpi_handle handle,
53569 - struct acpi_dock_ops *ops,
53570 + const struct acpi_dock_ops *ops,
53574 diff -urNp linux-2.6.32.42/include/asm-generic/atomic-long.h linux-2.6.32.42/include/asm-generic/atomic-long.h
53575 --- linux-2.6.32.42/include/asm-generic/atomic-long.h 2011-03-27 14:31:47.000000000 -0400
53576 +++ linux-2.6.32.42/include/asm-generic/atomic-long.h 2011-05-16 21:46:57.000000000 -0400
53579 typedef atomic64_t atomic_long_t;
53581 +#ifdef CONFIG_PAX_REFCOUNT
53582 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
53584 +typedef atomic64_t atomic_long_unchecked_t;
53587 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
53589 static inline long atomic_long_read(atomic_long_t *l)
53590 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
53591 return (long)atomic64_read(v);
53594 +#ifdef CONFIG_PAX_REFCOUNT
53595 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
53597 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
53599 + return (long)atomic64_read_unchecked(v);
53603 static inline void atomic_long_set(atomic_long_t *l, long i)
53605 atomic64_t *v = (atomic64_t *)l;
53606 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
53607 atomic64_set(v, i);
53610 +#ifdef CONFIG_PAX_REFCOUNT
53611 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
53613 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
53615 + atomic64_set_unchecked(v, i);
53619 static inline void atomic_long_inc(atomic_long_t *l)
53621 atomic64_t *v = (atomic64_t *)l;
53622 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
53626 +#ifdef CONFIG_PAX_REFCOUNT
53627 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
53629 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
53631 + atomic64_inc_unchecked(v);
53635 static inline void atomic_long_dec(atomic_long_t *l)
53637 atomic64_t *v = (atomic64_t *)l;
53638 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
53642 +#ifdef CONFIG_PAX_REFCOUNT
53643 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
53645 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
53647 + atomic64_dec_unchecked(v);
53651 static inline void atomic_long_add(long i, atomic_long_t *l)
53653 atomic64_t *v = (atomic64_t *)l;
53654 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
53655 atomic64_add(i, v);
53658 +#ifdef CONFIG_PAX_REFCOUNT
53659 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
53661 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
53663 + atomic64_add_unchecked(i, v);
53667 static inline void atomic_long_sub(long i, atomic_long_t *l)
53669 atomic64_t *v = (atomic64_t *)l;
53670 @@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
53671 return (long)atomic64_inc_return(v);
53674 +#ifdef CONFIG_PAX_REFCOUNT
53675 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
53677 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
53679 + return (long)atomic64_inc_return_unchecked(v);
53683 static inline long atomic_long_dec_return(atomic_long_t *l)
53685 atomic64_t *v = (atomic64_t *)l;
53686 @@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
53688 typedef atomic_t atomic_long_t;
53690 +#ifdef CONFIG_PAX_REFCOUNT
53691 +typedef atomic_unchecked_t atomic_long_unchecked_t;
53693 +typedef atomic_t atomic_long_unchecked_t;
53696 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
53697 static inline long atomic_long_read(atomic_long_t *l)
53699 @@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
53700 return (long)atomic_read(v);
53703 +#ifdef CONFIG_PAX_REFCOUNT
53704 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
53706 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
53708 + return (long)atomic_read_unchecked(v);
53712 static inline void atomic_long_set(atomic_long_t *l, long i)
53714 atomic_t *v = (atomic_t *)l;
53715 @@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
53719 +#ifdef CONFIG_PAX_REFCOUNT
53720 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
53722 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
53724 + atomic_set_unchecked(v, i);
53728 static inline void atomic_long_inc(atomic_long_t *l)
53730 atomic_t *v = (atomic_t *)l;
53731 @@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
53735 +#ifdef CONFIG_PAX_REFCOUNT
53736 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
53738 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
53740 + atomic_inc_unchecked(v);
53744 static inline void atomic_long_dec(atomic_long_t *l)
53746 atomic_t *v = (atomic_t *)l;
53747 @@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
53751 +#ifdef CONFIG_PAX_REFCOUNT
53752 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
53754 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
53756 + atomic_dec_unchecked(v);
53760 static inline void atomic_long_add(long i, atomic_long_t *l)
53762 atomic_t *v = (atomic_t *)l;
53763 @@ -176,6 +278,15 @@ static inline void atomic_long_add(long
53767 +#ifdef CONFIG_PAX_REFCOUNT
53768 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
53770 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
53772 + atomic_add_unchecked(i, v);
53776 static inline void atomic_long_sub(long i, atomic_long_t *l)
53778 atomic_t *v = (atomic_t *)l;
53779 @@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
53780 return (long)atomic_inc_return(v);
53783 +#ifdef CONFIG_PAX_REFCOUNT
53784 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
53786 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
53788 + return (long)atomic_inc_return_unchecked(v);
53792 static inline long atomic_long_dec_return(atomic_long_t *l)
53794 atomic_t *v = (atomic_t *)l;
53795 @@ -255,4 +375,47 @@ static inline long atomic_long_add_unles
53797 #endif /* BITS_PER_LONG == 64 */
53799 +#ifdef CONFIG_PAX_REFCOUNT
53800 +static inline void pax_refcount_needs_these_functions(void)
53802 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
53803 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
53804 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
53805 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
53806 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
53807 + atomic_inc_and_test_unchecked((atomic_unchecked_t *)NULL);
53808 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
53809 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
53810 + atomic_dec_unchecked((atomic_unchecked_t *)NULL);
53811 + atomic_cmpxchg_unchecked((atomic_unchecked_t *)NULL, 0, 0);
53812 + atomic_xchg_unchecked((atomic_unchecked_t *)NULL, 0);
53814 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
53815 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
53816 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
53817 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
53818 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
53819 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
53822 +#define atomic_read_unchecked(v) atomic_read(v)
53823 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
53824 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
53825 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
53826 +#define atomic_inc_unchecked(v) atomic_inc(v)
53827 +#define atomic_inc_and_test_unchecked(v) atomic_inc_and_test(v)
53828 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
53829 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
53830 +#define atomic_dec_unchecked(v) atomic_dec(v)
53831 +#define atomic_cmpxchg_unchecked(v, o, n) atomic_cmpxchg((v), (o), (n))
53832 +#define atomic_xchg_unchecked(v, i) atomic_xchg((v), (i))
53834 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
53835 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
53836 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
53837 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
53838 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
53839 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
53842 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
53843 diff -urNp linux-2.6.32.42/include/asm-generic/cache.h linux-2.6.32.42/include/asm-generic/cache.h
53844 --- linux-2.6.32.42/include/asm-generic/cache.h 2011-03-27 14:31:47.000000000 -0400
53845 +++ linux-2.6.32.42/include/asm-generic/cache.h 2011-05-04 17:56:28.000000000 -0400
53847 * cache lines need to provide their own cache.h.
53850 -#define L1_CACHE_SHIFT 5
53851 -#define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
53852 +#define L1_CACHE_SHIFT 5U
53853 +#define L1_CACHE_BYTES (1U << L1_CACHE_SHIFT)
53855 #endif /* __ASM_GENERIC_CACHE_H */
53856 diff -urNp linux-2.6.32.42/include/asm-generic/dma-mapping-common.h linux-2.6.32.42/include/asm-generic/dma-mapping-common.h
53857 --- linux-2.6.32.42/include/asm-generic/dma-mapping-common.h 2011-03-27 14:31:47.000000000 -0400
53858 +++ linux-2.6.32.42/include/asm-generic/dma-mapping-common.h 2011-04-17 15:56:46.000000000 -0400
53859 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
53860 enum dma_data_direction dir,
53861 struct dma_attrs *attrs)
53863 - struct dma_map_ops *ops = get_dma_ops(dev);
53864 + const struct dma_map_ops *ops = get_dma_ops(dev);
53867 kmemcheck_mark_initialized(ptr, size);
53868 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
53869 enum dma_data_direction dir,
53870 struct dma_attrs *attrs)
53872 - struct dma_map_ops *ops = get_dma_ops(dev);
53873 + const struct dma_map_ops *ops = get_dma_ops(dev);
53875 BUG_ON(!valid_dma_direction(dir));
53876 if (ops->unmap_page)
53877 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
53878 int nents, enum dma_data_direction dir,
53879 struct dma_attrs *attrs)
53881 - struct dma_map_ops *ops = get_dma_ops(dev);
53882 + const struct dma_map_ops *ops = get_dma_ops(dev);
53884 struct scatterlist *s;
53886 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
53887 int nents, enum dma_data_direction dir,
53888 struct dma_attrs *attrs)
53890 - struct dma_map_ops *ops = get_dma_ops(dev);
53891 + const struct dma_map_ops *ops = get_dma_ops(dev);
53893 BUG_ON(!valid_dma_direction(dir));
53894 debug_dma_unmap_sg(dev, sg, nents, dir);
53895 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
53896 size_t offset, size_t size,
53897 enum dma_data_direction dir)
53899 - struct dma_map_ops *ops = get_dma_ops(dev);
53900 + const struct dma_map_ops *ops = get_dma_ops(dev);
53903 kmemcheck_mark_initialized(page_address(page) + offset, size);
53904 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
53905 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
53906 size_t size, enum dma_data_direction dir)
53908 - struct dma_map_ops *ops = get_dma_ops(dev);
53909 + const struct dma_map_ops *ops = get_dma_ops(dev);
53911 BUG_ON(!valid_dma_direction(dir));
53912 if (ops->unmap_page)
53913 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
53915 enum dma_data_direction dir)
53917 - struct dma_map_ops *ops = get_dma_ops(dev);
53918 + const struct dma_map_ops *ops = get_dma_ops(dev);
53920 BUG_ON(!valid_dma_direction(dir));
53921 if (ops->sync_single_for_cpu)
53922 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
53923 dma_addr_t addr, size_t size,
53924 enum dma_data_direction dir)
53926 - struct dma_map_ops *ops = get_dma_ops(dev);
53927 + const struct dma_map_ops *ops = get_dma_ops(dev);
53929 BUG_ON(!valid_dma_direction(dir));
53930 if (ops->sync_single_for_device)
53931 @@ -123,7 +123,7 @@ static inline void dma_sync_single_range
53933 enum dma_data_direction dir)
53935 - struct dma_map_ops *ops = get_dma_ops(dev);
53936 + const struct dma_map_ops *ops = get_dma_ops(dev);
53938 BUG_ON(!valid_dma_direction(dir));
53939 if (ops->sync_single_range_for_cpu) {
53940 @@ -140,7 +140,7 @@ static inline void dma_sync_single_range
53942 enum dma_data_direction dir)
53944 - struct dma_map_ops *ops = get_dma_ops(dev);
53945 + const struct dma_map_ops *ops = get_dma_ops(dev);
53947 BUG_ON(!valid_dma_direction(dir));
53948 if (ops->sync_single_range_for_device) {
53949 @@ -155,7 +155,7 @@ static inline void
53950 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
53951 int nelems, enum dma_data_direction dir)
53953 - struct dma_map_ops *ops = get_dma_ops(dev);
53954 + const struct dma_map_ops *ops = get_dma_ops(dev);
53956 BUG_ON(!valid_dma_direction(dir));
53957 if (ops->sync_sg_for_cpu)
53958 @@ -167,7 +167,7 @@ static inline void
53959 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
53960 int nelems, enum dma_data_direction dir)
53962 - struct dma_map_ops *ops = get_dma_ops(dev);
53963 + const struct dma_map_ops *ops = get_dma_ops(dev);
53965 BUG_ON(!valid_dma_direction(dir));
53966 if (ops->sync_sg_for_device)
53967 diff -urNp linux-2.6.32.42/include/asm-generic/futex.h linux-2.6.32.42/include/asm-generic/futex.h
53968 --- linux-2.6.32.42/include/asm-generic/futex.h 2011-03-27 14:31:47.000000000 -0400
53969 +++ linux-2.6.32.42/include/asm-generic/futex.h 2011-04-17 15:56:46.000000000 -0400
53971 #include <asm/errno.h>
53974 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
53975 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
53977 int op = (encoded_op >> 28) & 7;
53978 int cmp = (encoded_op >> 24) & 15;
53979 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
53983 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
53984 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
53988 diff -urNp linux-2.6.32.42/include/asm-generic/int-l64.h linux-2.6.32.42/include/asm-generic/int-l64.h
53989 --- linux-2.6.32.42/include/asm-generic/int-l64.h 2011-03-27 14:31:47.000000000 -0400
53990 +++ linux-2.6.32.42/include/asm-generic/int-l64.h 2011-04-17 15:56:46.000000000 -0400
53991 @@ -46,6 +46,8 @@ typedef unsigned int u32;
53992 typedef signed long s64;
53993 typedef unsigned long u64;
53995 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
53998 #define U8_C(x) x ## U
54000 diff -urNp linux-2.6.32.42/include/asm-generic/int-ll64.h linux-2.6.32.42/include/asm-generic/int-ll64.h
54001 --- linux-2.6.32.42/include/asm-generic/int-ll64.h 2011-03-27 14:31:47.000000000 -0400
54002 +++ linux-2.6.32.42/include/asm-generic/int-ll64.h 2011-04-17 15:56:46.000000000 -0400
54003 @@ -51,6 +51,8 @@ typedef unsigned int u32;
54004 typedef signed long long s64;
54005 typedef unsigned long long u64;
54007 +typedef unsigned long long intoverflow_t;
54010 #define U8_C(x) x ## U
54012 diff -urNp linux-2.6.32.42/include/asm-generic/kmap_types.h linux-2.6.32.42/include/asm-generic/kmap_types.h
54013 --- linux-2.6.32.42/include/asm-generic/kmap_types.h 2011-03-27 14:31:47.000000000 -0400
54014 +++ linux-2.6.32.42/include/asm-generic/kmap_types.h 2011-04-17 15:56:46.000000000 -0400
54015 @@ -28,7 +28,8 @@ KMAP_D(15) KM_UML_USERCOPY,
54016 KMAP_D(16) KM_IRQ_PTE,
54018 KMAP_D(18) KM_NMI_PTE,
54019 -KMAP_D(19) KM_TYPE_NR
54020 +KMAP_D(19) KM_CLEARPAGE,
54021 +KMAP_D(20) KM_TYPE_NR
54025 diff -urNp linux-2.6.32.42/include/asm-generic/pgtable.h linux-2.6.32.42/include/asm-generic/pgtable.h
54026 --- linux-2.6.32.42/include/asm-generic/pgtable.h 2011-03-27 14:31:47.000000000 -0400
54027 +++ linux-2.6.32.42/include/asm-generic/pgtable.h 2011-04-17 15:56:46.000000000 -0400
54028 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
54029 unsigned long size);
54032 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
54033 +static inline unsigned long pax_open_kernel(void) { return 0; }
54036 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
54037 +static inline unsigned long pax_close_kernel(void) { return 0; }
54040 #endif /* !__ASSEMBLY__ */
54042 #endif /* _ASM_GENERIC_PGTABLE_H */
54043 diff -urNp linux-2.6.32.42/include/asm-generic/pgtable-nopmd.h linux-2.6.32.42/include/asm-generic/pgtable-nopmd.h
54044 --- linux-2.6.32.42/include/asm-generic/pgtable-nopmd.h 2011-03-27 14:31:47.000000000 -0400
54045 +++ linux-2.6.32.42/include/asm-generic/pgtable-nopmd.h 2011-04-17 15:56:46.000000000 -0400
54047 #ifndef _PGTABLE_NOPMD_H
54048 #define _PGTABLE_NOPMD_H
54050 -#ifndef __ASSEMBLY__
54052 #include <asm-generic/pgtable-nopud.h>
54056 #define __PAGETABLE_PMD_FOLDED
54058 +#define PMD_SHIFT PUD_SHIFT
54059 +#define PTRS_PER_PMD 1
54060 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
54061 +#define PMD_MASK (~(PMD_SIZE-1))
54063 +#ifndef __ASSEMBLY__
54068 * Having the pmd type consist of a pud gets the size right, and allows
54069 * us to conceptually access the pud entry that this pmd is folded into
54070 @@ -16,11 +21,6 @@ struct mm_struct;
54072 typedef struct { pud_t pud; } pmd_t;
54074 -#define PMD_SHIFT PUD_SHIFT
54075 -#define PTRS_PER_PMD 1
54076 -#define PMD_SIZE (1UL << PMD_SHIFT)
54077 -#define PMD_MASK (~(PMD_SIZE-1))
54080 * The "pud_xxx()" functions here are trivial for a folded two-level
54081 * setup: the pmd is never bad, and a pmd always exists (as it's folded
54082 diff -urNp linux-2.6.32.42/include/asm-generic/pgtable-nopud.h linux-2.6.32.42/include/asm-generic/pgtable-nopud.h
54083 --- linux-2.6.32.42/include/asm-generic/pgtable-nopud.h 2011-03-27 14:31:47.000000000 -0400
54084 +++ linux-2.6.32.42/include/asm-generic/pgtable-nopud.h 2011-04-17 15:56:46.000000000 -0400
54086 #ifndef _PGTABLE_NOPUD_H
54087 #define _PGTABLE_NOPUD_H
54089 -#ifndef __ASSEMBLY__
54091 #define __PAGETABLE_PUD_FOLDED
54093 +#define PUD_SHIFT PGDIR_SHIFT
54094 +#define PTRS_PER_PUD 1
54095 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
54096 +#define PUD_MASK (~(PUD_SIZE-1))
54098 +#ifndef __ASSEMBLY__
54101 * Having the pud type consist of a pgd gets the size right, and allows
54102 * us to conceptually access the pgd entry that this pud is folded into
54105 typedef struct { pgd_t pgd; } pud_t;
54107 -#define PUD_SHIFT PGDIR_SHIFT
54108 -#define PTRS_PER_PUD 1
54109 -#define PUD_SIZE (1UL << PUD_SHIFT)
54110 -#define PUD_MASK (~(PUD_SIZE-1))
54113 * The "pgd_xxx()" functions here are trivial for a folded two-level
54114 * setup: the pud is never bad, and a pud always exists (as it's folded
54115 diff -urNp linux-2.6.32.42/include/asm-generic/vmlinux.lds.h linux-2.6.32.42/include/asm-generic/vmlinux.lds.h
54116 --- linux-2.6.32.42/include/asm-generic/vmlinux.lds.h 2011-03-27 14:31:47.000000000 -0400
54117 +++ linux-2.6.32.42/include/asm-generic/vmlinux.lds.h 2011-04-17 15:56:46.000000000 -0400
54118 @@ -199,6 +199,7 @@
54119 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
54120 VMLINUX_SYMBOL(__start_rodata) = .; \
54121 *(.rodata) *(.rodata.*) \
54122 + *(.data.read_only) \
54123 *(__vermagic) /* Kernel version magic */ \
54124 *(__markers_strings) /* Markers: strings */ \
54125 *(__tracepoints_strings)/* Tracepoints: strings */ \
54126 @@ -656,22 +657,24 @@
54127 * section in the linker script will go there too. @phdr should have
54130 - * Note that this macros defines __per_cpu_load as an absolute symbol.
54131 + * Note that this macros defines per_cpu_load as an absolute symbol.
54132 * If there is no need to put the percpu section at a predetermined
54133 * address, use PERCPU().
54135 #define PERCPU_VADDR(vaddr, phdr) \
54136 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
54137 - .data.percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
54138 + per_cpu_load = .; \
54139 + .data.percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
54141 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
54142 VMLINUX_SYMBOL(__per_cpu_start) = .; \
54143 *(.data.percpu.first) \
54144 - *(.data.percpu.page_aligned) \
54146 + . = ALIGN(PAGE_SIZE); \
54147 + *(.data.percpu.page_aligned) \
54148 *(.data.percpu.shared_aligned) \
54149 VMLINUX_SYMBOL(__per_cpu_end) = .; \
54151 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data.percpu);
54152 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data.percpu);
54155 * PERCPU - define output section for percpu area, simple version
54156 diff -urNp linux-2.6.32.42/include/drm/drmP.h linux-2.6.32.42/include/drm/drmP.h
54157 --- linux-2.6.32.42/include/drm/drmP.h 2011-03-27 14:31:47.000000000 -0400
54158 +++ linux-2.6.32.42/include/drm/drmP.h 2011-04-17 15:56:46.000000000 -0400
54160 #include <linux/workqueue.h>
54161 #include <linux/poll.h>
54162 #include <asm/pgalloc.h>
54163 +#include <asm/local.h>
54166 #include <linux/idr.h>
54167 @@ -814,7 +815,7 @@ struct drm_driver {
54168 void (*vgaarb_irq)(struct drm_device *dev, bool state);
54170 /* Driver private ops for this object */
54171 - struct vm_operations_struct *gem_vm_ops;
54172 + const struct vm_operations_struct *gem_vm_ops;
54176 @@ -917,7 +918,7 @@ struct drm_device {
54178 /** \name Usage Counters */
54180 - int open_count; /**< Outstanding files open */
54181 + local_t open_count; /**< Outstanding files open */
54182 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
54183 atomic_t vma_count; /**< Outstanding vma areas open */
54184 int buf_use; /**< Buffers in use -- cannot alloc */
54185 @@ -928,7 +929,7 @@ struct drm_device {
54187 unsigned long counters;
54188 enum drm_stat_type types[15];
54189 - atomic_t counts[15];
54190 + atomic_unchecked_t counts[15];
54193 struct list_head filelist;
54194 @@ -1016,7 +1017,7 @@ struct drm_device {
54195 struct pci_controller *hose;
54197 struct drm_sg_mem *sg; /**< Scatter gather memory */
54198 - unsigned int num_crtcs; /**< Number of CRTCs on this device */
54199 + unsigned int num_crtcs; /**< Number of CRTCs on this device */
54200 void *dev_private; /**< device private data */
54202 struct address_space *dev_mapping;
54203 @@ -1042,11 +1043,11 @@ struct drm_device {
54204 spinlock_t object_name_lock;
54205 struct idr object_name_idr;
54206 atomic_t object_count;
54207 - atomic_t object_memory;
54208 + atomic_unchecked_t object_memory;
54209 atomic_t pin_count;
54210 - atomic_t pin_memory;
54211 + atomic_unchecked_t pin_memory;
54212 atomic_t gtt_count;
54213 - atomic_t gtt_memory;
54214 + atomic_unchecked_t gtt_memory;
54215 uint32_t gtt_total;
54216 uint32_t invalidate_domains; /* domains pending invalidation */
54217 uint32_t flush_domains; /* domains pending flush */
54218 diff -urNp linux-2.6.32.42/include/linux/a.out.h linux-2.6.32.42/include/linux/a.out.h
54219 --- linux-2.6.32.42/include/linux/a.out.h 2011-03-27 14:31:47.000000000 -0400
54220 +++ linux-2.6.32.42/include/linux/a.out.h 2011-04-17 15:56:46.000000000 -0400
54221 @@ -39,6 +39,14 @@ enum machine_type {
54222 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
54225 +/* Constants for the N_FLAGS field */
54226 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
54227 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
54228 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
54229 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
54230 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
54231 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
54233 #if !defined (N_MAGIC)
54234 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
54236 diff -urNp linux-2.6.32.42/include/linux/atmdev.h linux-2.6.32.42/include/linux/atmdev.h
54237 --- linux-2.6.32.42/include/linux/atmdev.h 2011-03-27 14:31:47.000000000 -0400
54238 +++ linux-2.6.32.42/include/linux/atmdev.h 2011-04-17 15:56:46.000000000 -0400
54239 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
54242 struct k_atm_aal_stats {
54243 -#define __HANDLE_ITEM(i) atomic_t i
54244 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
54246 #undef __HANDLE_ITEM
54248 diff -urNp linux-2.6.32.42/include/linux/backlight.h linux-2.6.32.42/include/linux/backlight.h
54249 --- linux-2.6.32.42/include/linux/backlight.h 2011-03-27 14:31:47.000000000 -0400
54250 +++ linux-2.6.32.42/include/linux/backlight.h 2011-04-17 15:56:46.000000000 -0400
54251 @@ -36,18 +36,18 @@ struct backlight_device;
54254 struct backlight_ops {
54255 - unsigned int options;
54256 + const unsigned int options;
54258 #define BL_CORE_SUSPENDRESUME (1 << 0)
54260 /* Notify the backlight driver some property has changed */
54261 - int (*update_status)(struct backlight_device *);
54262 + int (* const update_status)(struct backlight_device *);
54263 /* Return the current backlight brightness (accounting for power,
54265 - int (*get_brightness)(struct backlight_device *);
54266 + int (* const get_brightness)(struct backlight_device *);
54267 /* Check if given framebuffer device is the one bound to this backlight;
54268 return 0 if not, !=0 if it is. If NULL, backlight always matches the fb. */
54269 - int (*check_fb)(struct fb_info *);
54270 + int (* const check_fb)(struct fb_info *);
54273 /* This structure defines all the properties of a backlight */
54274 @@ -86,7 +86,7 @@ struct backlight_device {
54275 registered this device has been unloaded, and if class_get_devdata()
54276 points to something in the body of that driver, it is also invalid. */
54277 struct mutex ops_lock;
54278 - struct backlight_ops *ops;
54279 + const struct backlight_ops *ops;
54281 /* The framebuffer notifier block */
54282 struct notifier_block fb_notif;
54283 @@ -103,7 +103,7 @@ static inline void backlight_update_stat
54286 extern struct backlight_device *backlight_device_register(const char *name,
54287 - struct device *dev, void *devdata, struct backlight_ops *ops);
54288 + struct device *dev, void *devdata, const struct backlight_ops *ops);
54289 extern void backlight_device_unregister(struct backlight_device *bd);
54290 extern void backlight_force_update(struct backlight_device *bd,
54291 enum backlight_update_reason reason);
54292 diff -urNp linux-2.6.32.42/include/linux/binfmts.h linux-2.6.32.42/include/linux/binfmts.h
54293 --- linux-2.6.32.42/include/linux/binfmts.h 2011-04-17 17:00:52.000000000 -0400
54294 +++ linux-2.6.32.42/include/linux/binfmts.h 2011-04-17 15:56:46.000000000 -0400
54295 @@ -83,6 +83,7 @@ struct linux_binfmt {
54296 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
54297 int (*load_shlib)(struct file *);
54298 int (*core_dump)(long signr, struct pt_regs *regs, struct file *file, unsigned long limit);
54299 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
54300 unsigned long min_coredump; /* minimal dump size */
54303 diff -urNp linux-2.6.32.42/include/linux/blkdev.h linux-2.6.32.42/include/linux/blkdev.h
54304 --- linux-2.6.32.42/include/linux/blkdev.h 2011-03-27 14:31:47.000000000 -0400
54305 +++ linux-2.6.32.42/include/linux/blkdev.h 2011-04-17 15:56:46.000000000 -0400
54306 @@ -1265,19 +1265,19 @@ static inline int blk_integrity_rq(struc
54307 #endif /* CONFIG_BLK_DEV_INTEGRITY */
54309 struct block_device_operations {
54310 - int (*open) (struct block_device *, fmode_t);
54311 - int (*release) (struct gendisk *, fmode_t);
54312 - int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
54313 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
54314 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
54315 - int (*direct_access) (struct block_device *, sector_t,
54316 + int (* const open) (struct block_device *, fmode_t);
54317 + int (* const release) (struct gendisk *, fmode_t);
54318 + int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
54319 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
54320 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
54321 + int (* const direct_access) (struct block_device *, sector_t,
54322 void **, unsigned long *);
54323 - int (*media_changed) (struct gendisk *);
54324 - unsigned long long (*set_capacity) (struct gendisk *,
54325 + int (* const media_changed) (struct gendisk *);
54326 + unsigned long long (* const set_capacity) (struct gendisk *,
54327 unsigned long long);
54328 - int (*revalidate_disk) (struct gendisk *);
54329 - int (*getgeo)(struct block_device *, struct hd_geometry *);
54330 - struct module *owner;
54331 + int (* const revalidate_disk) (struct gendisk *);
54332 + int (*const getgeo)(struct block_device *, struct hd_geometry *);
54333 + struct module * const owner;
54336 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
54337 diff -urNp linux-2.6.32.42/include/linux/blktrace_api.h linux-2.6.32.42/include/linux/blktrace_api.h
54338 --- linux-2.6.32.42/include/linux/blktrace_api.h 2011-03-27 14:31:47.000000000 -0400
54339 +++ linux-2.6.32.42/include/linux/blktrace_api.h 2011-05-04 17:56:28.000000000 -0400
54340 @@ -160,7 +160,7 @@ struct blk_trace {
54341 struct dentry *dir;
54342 struct dentry *dropped_file;
54343 struct dentry *msg_file;
54344 - atomic_t dropped;
54345 + atomic_unchecked_t dropped;
54348 extern int blk_trace_ioctl(struct block_device *, unsigned, char __user *);
54349 diff -urNp linux-2.6.32.42/include/linux/byteorder/little_endian.h linux-2.6.32.42/include/linux/byteorder/little_endian.h
54350 --- linux-2.6.32.42/include/linux/byteorder/little_endian.h 2011-03-27 14:31:47.000000000 -0400
54351 +++ linux-2.6.32.42/include/linux/byteorder/little_endian.h 2011-04-17 15:56:46.000000000 -0400
54352 @@ -42,51 +42,51 @@
54354 static inline __le64 __cpu_to_le64p(const __u64 *p)
54356 - return (__force __le64)*p;
54357 + return (__force const __le64)*p;
54359 static inline __u64 __le64_to_cpup(const __le64 *p)
54361 - return (__force __u64)*p;
54362 + return (__force const __u64)*p;
54364 static inline __le32 __cpu_to_le32p(const __u32 *p)
54366 - return (__force __le32)*p;
54367 + return (__force const __le32)*p;
54369 static inline __u32 __le32_to_cpup(const __le32 *p)
54371 - return (__force __u32)*p;
54372 + return (__force const __u32)*p;
54374 static inline __le16 __cpu_to_le16p(const __u16 *p)
54376 - return (__force __le16)*p;
54377 + return (__force const __le16)*p;
54379 static inline __u16 __le16_to_cpup(const __le16 *p)
54381 - return (__force __u16)*p;
54382 + return (__force const __u16)*p;
54384 static inline __be64 __cpu_to_be64p(const __u64 *p)
54386 - return (__force __be64)__swab64p(p);
54387 + return (__force const __be64)__swab64p(p);
54389 static inline __u64 __be64_to_cpup(const __be64 *p)
54391 - return __swab64p((__u64 *)p);
54392 + return __swab64p((const __u64 *)p);
54394 static inline __be32 __cpu_to_be32p(const __u32 *p)
54396 - return (__force __be32)__swab32p(p);
54397 + return (__force const __be32)__swab32p(p);
54399 static inline __u32 __be32_to_cpup(const __be32 *p)
54401 - return __swab32p((__u32 *)p);
54402 + return __swab32p((const __u32 *)p);
54404 static inline __be16 __cpu_to_be16p(const __u16 *p)
54406 - return (__force __be16)__swab16p(p);
54407 + return (__force const __be16)__swab16p(p);
54409 static inline __u16 __be16_to_cpup(const __be16 *p)
54411 - return __swab16p((__u16 *)p);
54412 + return __swab16p((const __u16 *)p);
54414 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
54415 #define __le64_to_cpus(x) do { (void)(x); } while (0)
54416 diff -urNp linux-2.6.32.42/include/linux/cache.h linux-2.6.32.42/include/linux/cache.h
54417 --- linux-2.6.32.42/include/linux/cache.h 2011-03-27 14:31:47.000000000 -0400
54418 +++ linux-2.6.32.42/include/linux/cache.h 2011-04-17 15:56:46.000000000 -0400
54420 #define __read_mostly
54423 +#ifndef __read_only
54424 +#define __read_only __read_mostly
54427 #ifndef ____cacheline_aligned
54428 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
54430 diff -urNp linux-2.6.32.42/include/linux/capability.h linux-2.6.32.42/include/linux/capability.h
54431 --- linux-2.6.32.42/include/linux/capability.h 2011-03-27 14:31:47.000000000 -0400
54432 +++ linux-2.6.32.42/include/linux/capability.h 2011-04-17 15:56:46.000000000 -0400
54433 @@ -563,6 +563,7 @@ extern const kernel_cap_t __cap_init_eff
54434 (security_real_capable_noaudit((t), (cap)) == 0)
54436 extern int capable(int cap);
54437 +int capable_nolog(int cap);
54439 /* audit system wants to get cap info from files as well */
54441 diff -urNp linux-2.6.32.42/include/linux/compiler-gcc4.h linux-2.6.32.42/include/linux/compiler-gcc4.h
54442 --- linux-2.6.32.42/include/linux/compiler-gcc4.h 2011-03-27 14:31:47.000000000 -0400
54443 +++ linux-2.6.32.42/include/linux/compiler-gcc4.h 2011-04-17 15:56:46.000000000 -0400
54445 the kernel context */
54446 #define __cold __attribute__((__cold__))
54448 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
54449 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
54450 +#define __bos0(ptr) __bos((ptr), 0)
54451 +#define __bos1(ptr) __bos((ptr), 1)
54453 diff -urNp linux-2.6.32.42/include/linux/compiler.h linux-2.6.32.42/include/linux/compiler.h
54454 --- linux-2.6.32.42/include/linux/compiler.h 2011-03-27 14:31:47.000000000 -0400
54455 +++ linux-2.6.32.42/include/linux/compiler.h 2011-04-17 15:56:46.000000000 -0400
54456 @@ -256,6 +256,22 @@ void ftrace_likely_update(struct ftrace_
54460 +#ifndef __alloc_size
54461 +#define __alloc_size
54476 /* Simple shorthand for a section definition */
54478 # define __section(S) __attribute__ ((__section__(#S)))
54479 @@ -278,6 +294,7 @@ void ftrace_likely_update(struct ftrace_
54480 * use is to mediate communication between process-level code and irq/NMI
54481 * handlers, all running on the same CPU.
54483 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
54484 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
54485 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
54487 #endif /* __LINUX_COMPILER_H */
54488 diff -urNp linux-2.6.32.42/include/linux/dcache.h linux-2.6.32.42/include/linux/dcache.h
54489 --- linux-2.6.32.42/include/linux/dcache.h 2011-03-27 14:31:47.000000000 -0400
54490 +++ linux-2.6.32.42/include/linux/dcache.h 2011-04-23 13:34:46.000000000 -0400
54491 @@ -119,6 +119,8 @@ struct dentry {
54492 unsigned char d_iname[DNAME_INLINE_LEN_MIN]; /* small names */
54495 +#define DNAME_INLINE_LEN (sizeof(struct dentry)-offsetof(struct dentry,d_iname))
54498 * dentry->d_lock spinlock nesting subclasses:
54500 diff -urNp linux-2.6.32.42/include/linux/decompress/mm.h linux-2.6.32.42/include/linux/decompress/mm.h
54501 --- linux-2.6.32.42/include/linux/decompress/mm.h 2011-03-27 14:31:47.000000000 -0400
54502 +++ linux-2.6.32.42/include/linux/decompress/mm.h 2011-04-17 15:56:46.000000000 -0400
54503 @@ -78,7 +78,7 @@ static void free(void *where)
54504 * warnings when not needed (indeed large_malloc / large_free are not
54505 * needed by inflate */
54507 -#define malloc(a) kmalloc(a, GFP_KERNEL)
54508 +#define malloc(a) kmalloc((a), GFP_KERNEL)
54509 #define free(a) kfree(a)
54511 #define large_malloc(a) vmalloc(a)
54512 diff -urNp linux-2.6.32.42/include/linux/dma-mapping.h linux-2.6.32.42/include/linux/dma-mapping.h
54513 --- linux-2.6.32.42/include/linux/dma-mapping.h 2011-03-27 14:31:47.000000000 -0400
54514 +++ linux-2.6.32.42/include/linux/dma-mapping.h 2011-04-17 15:56:46.000000000 -0400
54515 @@ -16,50 +16,50 @@ enum dma_data_direction {
54518 struct dma_map_ops {
54519 - void* (*alloc_coherent)(struct device *dev, size_t size,
54520 + void* (* const alloc_coherent)(struct device *dev, size_t size,
54521 dma_addr_t *dma_handle, gfp_t gfp);
54522 - void (*free_coherent)(struct device *dev, size_t size,
54523 + void (* const free_coherent)(struct device *dev, size_t size,
54524 void *vaddr, dma_addr_t dma_handle);
54525 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
54526 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
54527 unsigned long offset, size_t size,
54528 enum dma_data_direction dir,
54529 struct dma_attrs *attrs);
54530 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
54531 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
54532 size_t size, enum dma_data_direction dir,
54533 struct dma_attrs *attrs);
54534 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
54535 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
54536 int nents, enum dma_data_direction dir,
54537 struct dma_attrs *attrs);
54538 - void (*unmap_sg)(struct device *dev,
54539 + void (* const unmap_sg)(struct device *dev,
54540 struct scatterlist *sg, int nents,
54541 enum dma_data_direction dir,
54542 struct dma_attrs *attrs);
54543 - void (*sync_single_for_cpu)(struct device *dev,
54544 + void (* const sync_single_for_cpu)(struct device *dev,
54545 dma_addr_t dma_handle, size_t size,
54546 enum dma_data_direction dir);
54547 - void (*sync_single_for_device)(struct device *dev,
54548 + void (* const sync_single_for_device)(struct device *dev,
54549 dma_addr_t dma_handle, size_t size,
54550 enum dma_data_direction dir);
54551 - void (*sync_single_range_for_cpu)(struct device *dev,
54552 + void (* const sync_single_range_for_cpu)(struct device *dev,
54553 dma_addr_t dma_handle,
54554 unsigned long offset,
54556 enum dma_data_direction dir);
54557 - void (*sync_single_range_for_device)(struct device *dev,
54558 + void (* const sync_single_range_for_device)(struct device *dev,
54559 dma_addr_t dma_handle,
54560 unsigned long offset,
54562 enum dma_data_direction dir);
54563 - void (*sync_sg_for_cpu)(struct device *dev,
54564 + void (* const sync_sg_for_cpu)(struct device *dev,
54565 struct scatterlist *sg, int nents,
54566 enum dma_data_direction dir);
54567 - void (*sync_sg_for_device)(struct device *dev,
54568 + void (* const sync_sg_for_device)(struct device *dev,
54569 struct scatterlist *sg, int nents,
54570 enum dma_data_direction dir);
54571 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
54572 - int (*dma_supported)(struct device *dev, u64 mask);
54573 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
54574 + int (* const dma_supported)(struct device *dev, u64 mask);
54575 int (*set_dma_mask)(struct device *dev, u64 mask);
54577 + const int is_phys;
54580 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
54581 diff -urNp linux-2.6.32.42/include/linux/dst.h linux-2.6.32.42/include/linux/dst.h
54582 --- linux-2.6.32.42/include/linux/dst.h 2011-03-27 14:31:47.000000000 -0400
54583 +++ linux-2.6.32.42/include/linux/dst.h 2011-04-17 15:56:46.000000000 -0400
54584 @@ -380,7 +380,7 @@ struct dst_node
54585 struct thread_pool *pool;
54587 /* Transaction IDs live here */
54588 - atomic_long_t gen;
54589 + atomic_long_unchecked_t gen;
54592 * How frequently and how many times transaction
54593 diff -urNp linux-2.6.32.42/include/linux/elf.h linux-2.6.32.42/include/linux/elf.h
54594 --- linux-2.6.32.42/include/linux/elf.h 2011-03-27 14:31:47.000000000 -0400
54595 +++ linux-2.6.32.42/include/linux/elf.h 2011-04-17 15:56:46.000000000 -0400
54596 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
54597 #define PT_GNU_EH_FRAME 0x6474e550
54599 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
54600 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
54602 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
54604 +/* Constants for the e_flags field */
54605 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
54606 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
54607 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
54608 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
54609 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
54610 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
54612 /* These constants define the different elf file types */
54614 @@ -84,6 +95,8 @@ typedef __s64 Elf64_Sxword;
54615 #define DT_DEBUG 21
54616 #define DT_TEXTREL 22
54617 #define DT_JMPREL 23
54618 +#define DT_FLAGS 30
54619 + #define DF_TEXTREL 0x00000004
54620 #define DT_ENCODING 32
54621 #define OLD_DT_LOOS 0x60000000
54622 #define DT_LOOS 0x6000000d
54623 @@ -230,6 +243,19 @@ typedef struct elf64_hdr {
54627 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
54628 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
54629 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
54630 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
54631 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
54632 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
54633 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
54634 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
54635 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
54636 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
54637 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
54638 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
54640 typedef struct elf32_phdr{
54642 Elf32_Off p_offset;
54643 @@ -322,6 +348,8 @@ typedef struct elf64_shdr {
54649 #define ELFMAG0 0x7f /* EI_MAG */
54650 #define ELFMAG1 'E'
54651 #define ELFMAG2 'L'
54652 @@ -386,6 +414,7 @@ extern Elf32_Dyn _DYNAMIC [];
54653 #define elf_phdr elf32_phdr
54654 #define elf_note elf32_note
54655 #define elf_addr_t Elf32_Off
54656 +#define elf_dyn Elf32_Dyn
54660 @@ -394,6 +423,7 @@ extern Elf64_Dyn _DYNAMIC [];
54661 #define elf_phdr elf64_phdr
54662 #define elf_note elf64_note
54663 #define elf_addr_t Elf64_Off
54664 +#define elf_dyn Elf64_Dyn
54668 diff -urNp linux-2.6.32.42/include/linux/fscache-cache.h linux-2.6.32.42/include/linux/fscache-cache.h
54669 --- linux-2.6.32.42/include/linux/fscache-cache.h 2011-03-27 14:31:47.000000000 -0400
54670 +++ linux-2.6.32.42/include/linux/fscache-cache.h 2011-05-04 17:56:28.000000000 -0400
54671 @@ -116,7 +116,7 @@ struct fscache_operation {
54675 -extern atomic_t fscache_op_debug_id;
54676 +extern atomic_unchecked_t fscache_op_debug_id;
54677 extern const struct slow_work_ops fscache_op_slow_work_ops;
54679 extern void fscache_enqueue_operation(struct fscache_operation *);
54680 @@ -134,7 +134,7 @@ static inline void fscache_operation_ini
54681 fscache_operation_release_t release)
54683 atomic_set(&op->usage, 1);
54684 - op->debug_id = atomic_inc_return(&fscache_op_debug_id);
54685 + op->debug_id = atomic_inc_return_unchecked(&fscache_op_debug_id);
54686 op->release = release;
54687 INIT_LIST_HEAD(&op->pend_link);
54688 fscache_set_op_state(op, "Init");
54689 diff -urNp linux-2.6.32.42/include/linux/fs.h linux-2.6.32.42/include/linux/fs.h
54690 --- linux-2.6.32.42/include/linux/fs.h 2011-03-27 14:31:47.000000000 -0400
54691 +++ linux-2.6.32.42/include/linux/fs.h 2011-04-17 15:56:46.000000000 -0400
54692 @@ -90,6 +90,11 @@ struct inodes_stat_t {
54693 /* Expect random access pattern */
54694 #define FMODE_RANDOM ((__force fmode_t)4096)
54696 +/* Hack for grsec so as not to require read permission simply to execute
54699 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
54702 * The below are the various read and write types that we support. Some of
54703 * them include behavioral modifiers that send information down to the
54704 @@ -568,41 +573,41 @@ typedef int (*read_actor_t)(read_descrip
54705 unsigned long, unsigned long);
54707 struct address_space_operations {
54708 - int (*writepage)(struct page *page, struct writeback_control *wbc);
54709 - int (*readpage)(struct file *, struct page *);
54710 - void (*sync_page)(struct page *);
54711 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
54712 + int (* const readpage)(struct file *, struct page *);
54713 + void (* const sync_page)(struct page *);
54715 /* Write back some dirty pages from this mapping. */
54716 - int (*writepages)(struct address_space *, struct writeback_control *);
54717 + int (* const writepages)(struct address_space *, struct writeback_control *);
54719 /* Set a page dirty. Return true if this dirtied it */
54720 - int (*set_page_dirty)(struct page *page);
54721 + int (* const set_page_dirty)(struct page *page);
54723 - int (*readpages)(struct file *filp, struct address_space *mapping,
54724 + int (* const readpages)(struct file *filp, struct address_space *mapping,
54725 struct list_head *pages, unsigned nr_pages);
54727 - int (*write_begin)(struct file *, struct address_space *mapping,
54728 + int (* const write_begin)(struct file *, struct address_space *mapping,
54729 loff_t pos, unsigned len, unsigned flags,
54730 struct page **pagep, void **fsdata);
54731 - int (*write_end)(struct file *, struct address_space *mapping,
54732 + int (* const write_end)(struct file *, struct address_space *mapping,
54733 loff_t pos, unsigned len, unsigned copied,
54734 struct page *page, void *fsdata);
54736 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
54737 - sector_t (*bmap)(struct address_space *, sector_t);
54738 - void (*invalidatepage) (struct page *, unsigned long);
54739 - int (*releasepage) (struct page *, gfp_t);
54740 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
54741 + sector_t (* const bmap)(struct address_space *, sector_t);
54742 + void (* const invalidatepage) (struct page *, unsigned long);
54743 + int (* const releasepage) (struct page *, gfp_t);
54744 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
54745 loff_t offset, unsigned long nr_segs);
54746 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
54747 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
54748 void **, unsigned long *);
54749 /* migrate the contents of a page to the specified target */
54750 - int (*migratepage) (struct address_space *,
54751 + int (* const migratepage) (struct address_space *,
54752 struct page *, struct page *);
54753 - int (*launder_page) (struct page *);
54754 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
54755 + int (* const launder_page) (struct page *);
54756 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
54758 - int (*error_remove_page)(struct address_space *, struct page *);
54759 + int (* const error_remove_page)(struct address_space *, struct page *);
54763 @@ -1030,19 +1035,19 @@ static inline int file_check_writeable(s
54764 typedef struct files_struct *fl_owner_t;
54766 struct file_lock_operations {
54767 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
54768 - void (*fl_release_private)(struct file_lock *);
54769 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
54770 + void (* const fl_release_private)(struct file_lock *);
54773 struct lock_manager_operations {
54774 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
54775 - void (*fl_notify)(struct file_lock *); /* unblock callback */
54776 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
54777 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
54778 - void (*fl_release_private)(struct file_lock *);
54779 - void (*fl_break)(struct file_lock *);
54780 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
54781 - int (*fl_change)(struct file_lock **, int);
54782 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
54783 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
54784 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
54785 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
54786 + void (* const fl_release_private)(struct file_lock *);
54787 + void (* const fl_break)(struct file_lock *);
54788 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
54789 + int (* const fl_change)(struct file_lock **, int);
54792 struct lock_manager {
54793 @@ -1441,7 +1446,7 @@ struct fiemap_extent_info {
54794 unsigned int fi_flags; /* Flags as passed from user */
54795 unsigned int fi_extents_mapped; /* Number of mapped extents */
54796 unsigned int fi_extents_max; /* Size of fiemap_extent array */
54797 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
54798 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
54801 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
54802 @@ -1558,30 +1563,30 @@ extern ssize_t vfs_writev(struct file *,
54803 unsigned long, loff_t *);
54805 struct super_operations {
54806 - struct inode *(*alloc_inode)(struct super_block *sb);
54807 - void (*destroy_inode)(struct inode *);
54808 + struct inode *(* const alloc_inode)(struct super_block *sb);
54809 + void (* const destroy_inode)(struct inode *);
54811 - void (*dirty_inode) (struct inode *);
54812 - int (*write_inode) (struct inode *, int);
54813 - void (*drop_inode) (struct inode *);
54814 - void (*delete_inode) (struct inode *);
54815 - void (*put_super) (struct super_block *);
54816 - void (*write_super) (struct super_block *);
54817 - int (*sync_fs)(struct super_block *sb, int wait);
54818 - int (*freeze_fs) (struct super_block *);
54819 - int (*unfreeze_fs) (struct super_block *);
54820 - int (*statfs) (struct dentry *, struct kstatfs *);
54821 - int (*remount_fs) (struct super_block *, int *, char *);
54822 - void (*clear_inode) (struct inode *);
54823 - void (*umount_begin) (struct super_block *);
54824 + void (* const dirty_inode) (struct inode *);
54825 + int (* const write_inode) (struct inode *, int);
54826 + void (* const drop_inode) (struct inode *);
54827 + void (* const delete_inode) (struct inode *);
54828 + void (* const put_super) (struct super_block *);
54829 + void (* const write_super) (struct super_block *);
54830 + int (* const sync_fs)(struct super_block *sb, int wait);
54831 + int (* const freeze_fs) (struct super_block *);
54832 + int (* const unfreeze_fs) (struct super_block *);
54833 + int (* const statfs) (struct dentry *, struct kstatfs *);
54834 + int (* const remount_fs) (struct super_block *, int *, char *);
54835 + void (* const clear_inode) (struct inode *);
54836 + void (* const umount_begin) (struct super_block *);
54838 - int (*show_options)(struct seq_file *, struct vfsmount *);
54839 - int (*show_stats)(struct seq_file *, struct vfsmount *);
54840 + int (* const show_options)(struct seq_file *, struct vfsmount *);
54841 + int (* const show_stats)(struct seq_file *, struct vfsmount *);
54842 #ifdef CONFIG_QUOTA
54843 - ssize_t (*quota_read)(struct super_block *, int, char *, size_t, loff_t);
54844 - ssize_t (*quota_write)(struct super_block *, int, const char *, size_t, loff_t);
54845 + ssize_t (* const quota_read)(struct super_block *, int, char *, size_t, loff_t);
54846 + ssize_t (* const quota_write)(struct super_block *, int, const char *, size_t, loff_t);
54848 - int (*bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
54849 + int (* const bdev_try_to_free_page)(struct super_block*, struct page*, gfp_t);
54853 diff -urNp linux-2.6.32.42/include/linux/fs_struct.h linux-2.6.32.42/include/linux/fs_struct.h
54854 --- linux-2.6.32.42/include/linux/fs_struct.h 2011-03-27 14:31:47.000000000 -0400
54855 +++ linux-2.6.32.42/include/linux/fs_struct.h 2011-04-17 15:56:46.000000000 -0400
54857 #include <linux/path.h>
54865 diff -urNp linux-2.6.32.42/include/linux/ftrace_event.h linux-2.6.32.42/include/linux/ftrace_event.h
54866 --- linux-2.6.32.42/include/linux/ftrace_event.h 2011-03-27 14:31:47.000000000 -0400
54867 +++ linux-2.6.32.42/include/linux/ftrace_event.h 2011-05-04 17:56:28.000000000 -0400
54868 @@ -163,7 +163,7 @@ extern int trace_define_field(struct ftr
54870 extern int trace_define_common_fields(struct ftrace_event_call *call);
54872 -#define is_signed_type(type) (((type)(-1)) < 0)
54873 +#define is_signed_type(type) (((type)(-1)) < (type)1)
54875 int trace_set_clr_event(const char *system, const char *event, int set);
54877 diff -urNp linux-2.6.32.42/include/linux/genhd.h linux-2.6.32.42/include/linux/genhd.h
54878 --- linux-2.6.32.42/include/linux/genhd.h 2011-03-27 14:31:47.000000000 -0400
54879 +++ linux-2.6.32.42/include/linux/genhd.h 2011-04-17 15:56:46.000000000 -0400
54880 @@ -161,7 +161,7 @@ struct gendisk {
54882 struct timer_rand_state *random;
54884 - atomic_t sync_io; /* RAID */
54885 + atomic_unchecked_t sync_io; /* RAID */
54886 struct work_struct async_notify;
54887 #ifdef CONFIG_BLK_DEV_INTEGRITY
54888 struct blk_integrity *integrity;
54889 diff -urNp linux-2.6.32.42/include/linux/gracl.h linux-2.6.32.42/include/linux/gracl.h
54890 --- linux-2.6.32.42/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
54891 +++ linux-2.6.32.42/include/linux/gracl.h 2011-04-17 15:56:46.000000000 -0400
54896 +#include <linux/grdefs.h>
54897 +#include <linux/resource.h>
54898 +#include <linux/capability.h>
54899 +#include <linux/dcache.h>
54900 +#include <asm/resource.h>
54902 +/* Major status information */
54904 +#define GR_VERSION "grsecurity 2.2.2"
54905 +#define GRSECURITY_VERSION 0x2202
54916 + GR_SPROLEPAM = 8,
54919 +/* Password setup definitions
54920 + * kernel/grhash.c */
54923 + GR_SALT_LEN = 16,
54928 + GR_SPROLE_LEN = 64,
54937 +#define GR_NLIMITS 32
54939 +/* Begin Data Structures */
54941 +struct sprole_pw {
54942 + unsigned char *rolename;
54943 + unsigned char salt[GR_SALT_LEN];
54944 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
54947 +struct name_entry {
54954 + struct name_entry *prev;
54955 + struct name_entry *next;
54958 +struct inodev_entry {
54959 + struct name_entry *nentry;
54960 + struct inodev_entry *prev;
54961 + struct inodev_entry *next;
54964 +struct acl_role_db {
54965 + struct acl_role_label **r_hash;
54969 +struct inodev_db {
54970 + struct inodev_entry **i_hash;
54975 + struct name_entry **n_hash;
54979 +struct crash_uid {
54981 + unsigned long expires;
54984 +struct gr_hash_struct {
54986 + void **nametable;
54988 + __u32 table_size;
54993 +/* Userspace Grsecurity ACL data structures */
54995 +struct acl_subject_label {
55000 + kernel_cap_t cap_mask;
55001 + kernel_cap_t cap_lower;
55002 + kernel_cap_t cap_invert_audit;
55004 + struct rlimit res[GR_NLIMITS];
55007 + __u8 user_trans_type;
55008 + __u8 group_trans_type;
55009 + uid_t *user_transitions;
55010 + gid_t *group_transitions;
55011 + __u16 user_trans_num;
55012 + __u16 group_trans_num;
55014 + __u32 sock_families[2];
55015 + __u32 ip_proto[8];
55017 + struct acl_ip_label **ips;
55019 + __u32 inaddr_any_override;
55022 + unsigned long expires;
55024 + struct acl_subject_label *parent_subject;
55025 + struct gr_hash_struct *hash;
55026 + struct acl_subject_label *prev;
55027 + struct acl_subject_label *next;
55029 + struct acl_object_label **obj_hash;
55030 + __u32 obj_hash_size;
55034 +struct role_allowed_ip {
55038 + struct role_allowed_ip *prev;
55039 + struct role_allowed_ip *next;
55042 +struct role_transition {
55045 + struct role_transition *prev;
55046 + struct role_transition *next;
55049 +struct acl_role_label {
55054 + __u16 auth_attempts;
55055 + unsigned long expires;
55057 + struct acl_subject_label *root_label;
55058 + struct gr_hash_struct *hash;
55060 + struct acl_role_label *prev;
55061 + struct acl_role_label *next;
55063 + struct role_transition *transitions;
55064 + struct role_allowed_ip *allowed_ips;
55065 + uid_t *domain_children;
55066 + __u16 domain_child_num;
55068 + struct acl_subject_label **subj_hash;
55069 + __u32 subj_hash_size;
55072 +struct user_acl_role_db {
55073 + struct acl_role_label **r_table;
55074 + __u32 num_pointers; /* Number of allocations to track */
55075 + __u32 num_roles; /* Number of roles */
55076 + __u32 num_domain_children; /* Number of domain children */
55077 + __u32 num_subjects; /* Number of subjects */
55078 + __u32 num_objects; /* Number of objects */
55081 +struct acl_object_label {
55087 + struct acl_subject_label *nested;
55088 + struct acl_object_label *globbed;
55090 + /* next two structures not used */
55092 + struct acl_object_label *prev;
55093 + struct acl_object_label *next;
55096 +struct acl_ip_label {
55105 + /* next two structures not used */
55107 + struct acl_ip_label *prev;
55108 + struct acl_ip_label *next;
55112 + struct user_acl_role_db role_db;
55113 + unsigned char pw[GR_PW_LEN];
55114 + unsigned char salt[GR_SALT_LEN];
55115 + unsigned char sum[GR_SHA_LEN];
55116 + unsigned char sp_role[GR_SPROLE_LEN];
55117 + struct sprole_pw *sprole_pws;
55118 + dev_t segv_device;
55119 + ino_t segv_inode;
55121 + __u16 num_sprole_pws;
55125 +struct gr_arg_wrapper {
55126 + struct gr_arg *arg;
55131 +struct subject_map {
55132 + struct acl_subject_label *user;
55133 + struct acl_subject_label *kernel;
55134 + struct subject_map *prev;
55135 + struct subject_map *next;
55138 +struct acl_subj_map_db {
55139 + struct subject_map **s_hash;
55143 +/* End Data Structures Section */
55145 +/* Hash functions generated by empirical testing by Brad Spengler
55146 + Makes good use of the low bits of the inode. Generally 0-1 times
55147 + in loop for successful match. 0-3 for unsuccessful match.
55148 + Shift/add algorithm with modulus of table size and an XOR*/
55150 +static __inline__ unsigned int
55151 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
55153 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
55156 + static __inline__ unsigned int
55157 +shash(const struct acl_subject_label *userp, const unsigned int sz)
55159 + return ((const unsigned long)userp % sz);
55162 +static __inline__ unsigned int
55163 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
55165 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
55168 +static __inline__ unsigned int
55169 +nhash(const char *name, const __u16 len, const unsigned int sz)
55171 + return full_name_hash((const unsigned char *)name, len) % sz;
55174 +#define FOR_EACH_ROLE_START(role) \
55175 + role = role_list; \
55178 +#define FOR_EACH_ROLE_END(role) \
55179 + role = role->prev; \
55182 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
55185 + while (iter < role->subj_hash_size) { \
55186 + if (subj == NULL) \
55187 + subj = role->subj_hash[iter]; \
55188 + if (subj == NULL) { \
55193 +#define FOR_EACH_SUBJECT_END(subj,iter) \
55194 + subj = subj->next; \
55195 + if (subj == NULL) \
55200 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
55201 + subj = role->hash->first; \
55202 + while (subj != NULL) {
55204 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
55205 + subj = subj->next; \
55210 diff -urNp linux-2.6.32.42/include/linux/gralloc.h linux-2.6.32.42/include/linux/gralloc.h
55211 --- linux-2.6.32.42/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
55212 +++ linux-2.6.32.42/include/linux/gralloc.h 2011-04-17 15:56:46.000000000 -0400
55214 +#ifndef __GRALLOC_H
55215 +#define __GRALLOC_H
55217 +void acl_free_all(void);
55218 +int acl_alloc_stack_init(unsigned long size);
55219 +void *acl_alloc(unsigned long len);
55220 +void *acl_alloc_num(unsigned long num, unsigned long len);
55223 diff -urNp linux-2.6.32.42/include/linux/grdefs.h linux-2.6.32.42/include/linux/grdefs.h
55224 --- linux-2.6.32.42/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
55225 +++ linux-2.6.32.42/include/linux/grdefs.h 2011-06-11 16:20:26.000000000 -0400
55230 +/* Begin grsecurity status declarations */
55234 + GR_STATUS_INIT = 0x00 // disabled state
55237 +/* Begin ACL declarations */
55242 + GR_ROLE_USER = 0x0001,
55243 + GR_ROLE_GROUP = 0x0002,
55244 + GR_ROLE_DEFAULT = 0x0004,
55245 + GR_ROLE_SPECIAL = 0x0008,
55246 + GR_ROLE_AUTH = 0x0010,
55247 + GR_ROLE_NOPW = 0x0020,
55248 + GR_ROLE_GOD = 0x0040,
55249 + GR_ROLE_LEARN = 0x0080,
55250 + GR_ROLE_TPE = 0x0100,
55251 + GR_ROLE_DOMAIN = 0x0200,
55252 + GR_ROLE_PAM = 0x0400,
55253 + GR_ROLE_PERSIST = 0x800
55256 +/* ACL Subject and Object mode flags */
55258 + GR_DELETED = 0x80000000
55261 +/* ACL Object-only mode flags */
55263 + GR_READ = 0x00000001,
55264 + GR_APPEND = 0x00000002,
55265 + GR_WRITE = 0x00000004,
55266 + GR_EXEC = 0x00000008,
55267 + GR_FIND = 0x00000010,
55268 + GR_INHERIT = 0x00000020,
55269 + GR_SETID = 0x00000040,
55270 + GR_CREATE = 0x00000080,
55271 + GR_DELETE = 0x00000100,
55272 + GR_LINK = 0x00000200,
55273 + GR_AUDIT_READ = 0x00000400,
55274 + GR_AUDIT_APPEND = 0x00000800,
55275 + GR_AUDIT_WRITE = 0x00001000,
55276 + GR_AUDIT_EXEC = 0x00002000,
55277 + GR_AUDIT_FIND = 0x00004000,
55278 + GR_AUDIT_INHERIT= 0x00008000,
55279 + GR_AUDIT_SETID = 0x00010000,
55280 + GR_AUDIT_CREATE = 0x00020000,
55281 + GR_AUDIT_DELETE = 0x00040000,
55282 + GR_AUDIT_LINK = 0x00080000,
55283 + GR_PTRACERD = 0x00100000,
55284 + GR_NOPTRACE = 0x00200000,
55285 + GR_SUPPRESS = 0x00400000,
55286 + GR_NOLEARN = 0x00800000,
55287 + GR_INIT_TRANSFER= 0x01000000
55290 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
55291 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
55292 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
55294 +/* ACL subject-only mode flags */
55296 + GR_KILL = 0x00000001,
55297 + GR_VIEW = 0x00000002,
55298 + GR_PROTECTED = 0x00000004,
55299 + GR_LEARN = 0x00000008,
55300 + GR_OVERRIDE = 0x00000010,
55301 + /* just a placeholder, this mode is only used in userspace */
55302 + GR_DUMMY = 0x00000020,
55303 + GR_PROTSHM = 0x00000040,
55304 + GR_KILLPROC = 0x00000080,
55305 + GR_KILLIPPROC = 0x00000100,
55306 + /* just a placeholder, this mode is only used in userspace */
55307 + GR_NOTROJAN = 0x00000200,
55308 + GR_PROTPROCFD = 0x00000400,
55309 + GR_PROCACCT = 0x00000800,
55310 + GR_RELAXPTRACE = 0x00001000,
55311 + GR_NESTED = 0x00002000,
55312 + GR_INHERITLEARN = 0x00004000,
55313 + GR_PROCFIND = 0x00008000,
55314 + GR_POVERRIDE = 0x00010000,
55315 + GR_KERNELAUTH = 0x00020000,
55316 + GR_ATSECURE = 0x00040000,
55317 + GR_SHMEXEC = 0x00080000
55321 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
55322 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
55323 + GR_PAX_ENABLE_MPROTECT = 0x0004,
55324 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
55325 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
55326 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
55327 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
55328 + GR_PAX_DISABLE_MPROTECT = 0x0400,
55329 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
55330 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
55334 + GR_ID_USER = 0x01,
55335 + GR_ID_GROUP = 0x02,
55339 + GR_ID_ALLOW = 0x01,
55340 + GR_ID_DENY = 0x02,
55343 +#define GR_CRASH_RES 31
55344 +#define GR_UIDTABLE_MAX 500
55346 +/* begin resource learning section */
55348 + GR_RLIM_CPU_BUMP = 60,
55349 + GR_RLIM_FSIZE_BUMP = 50000,
55350 + GR_RLIM_DATA_BUMP = 10000,
55351 + GR_RLIM_STACK_BUMP = 1000,
55352 + GR_RLIM_CORE_BUMP = 10000,
55353 + GR_RLIM_RSS_BUMP = 500000,
55354 + GR_RLIM_NPROC_BUMP = 1,
55355 + GR_RLIM_NOFILE_BUMP = 5,
55356 + GR_RLIM_MEMLOCK_BUMP = 50000,
55357 + GR_RLIM_AS_BUMP = 500000,
55358 + GR_RLIM_LOCKS_BUMP = 2,
55359 + GR_RLIM_SIGPENDING_BUMP = 5,
55360 + GR_RLIM_MSGQUEUE_BUMP = 10000,
55361 + GR_RLIM_NICE_BUMP = 1,
55362 + GR_RLIM_RTPRIO_BUMP = 1,
55363 + GR_RLIM_RTTIME_BUMP = 1000000
55367 diff -urNp linux-2.6.32.42/include/linux/grinternal.h linux-2.6.32.42/include/linux/grinternal.h
55368 --- linux-2.6.32.42/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
55369 +++ linux-2.6.32.42/include/linux/grinternal.h 2011-04-17 15:56:46.000000000 -0400
55371 +#ifndef __GRINTERNAL_H
55372 +#define __GRINTERNAL_H
55374 +#ifdef CONFIG_GRKERNSEC
55376 +#include <linux/fs.h>
55377 +#include <linux/mnt_namespace.h>
55378 +#include <linux/nsproxy.h>
55379 +#include <linux/gracl.h>
55380 +#include <linux/grdefs.h>
55381 +#include <linux/grmsg.h>
55383 +void gr_add_learn_entry(const char *fmt, ...)
55384 + __attribute__ ((format (printf, 1, 2)));
55385 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
55386 + const struct vfsmount *mnt);
55387 +__u32 gr_check_create(const struct dentry *new_dentry,
55388 + const struct dentry *parent,
55389 + const struct vfsmount *mnt, const __u32 mode);
55390 +int gr_check_protected_task(const struct task_struct *task);
55391 +__u32 to_gr_audit(const __u32 reqmode);
55392 +int gr_set_acls(const int type);
55393 +int gr_apply_subject_to_task(struct task_struct *task);
55394 +int gr_acl_is_enabled(void);
55395 +char gr_roletype_to_char(void);
55397 +void gr_handle_alertkill(struct task_struct *task);
55398 +char *gr_to_filename(const struct dentry *dentry,
55399 + const struct vfsmount *mnt);
55400 +char *gr_to_filename1(const struct dentry *dentry,
55401 + const struct vfsmount *mnt);
55402 +char *gr_to_filename2(const struct dentry *dentry,
55403 + const struct vfsmount *mnt);
55404 +char *gr_to_filename3(const struct dentry *dentry,
55405 + const struct vfsmount *mnt);
55407 +extern int grsec_enable_harden_ptrace;
55408 +extern int grsec_enable_link;
55409 +extern int grsec_enable_fifo;
55410 +extern int grsec_enable_execve;
55411 +extern int grsec_enable_shm;
55412 +extern int grsec_enable_execlog;
55413 +extern int grsec_enable_signal;
55414 +extern int grsec_enable_audit_ptrace;
55415 +extern int grsec_enable_forkfail;
55416 +extern int grsec_enable_time;
55417 +extern int grsec_enable_rofs;
55418 +extern int grsec_enable_chroot_shmat;
55419 +extern int grsec_enable_chroot_findtask;
55420 +extern int grsec_enable_chroot_mount;
55421 +extern int grsec_enable_chroot_double;
55422 +extern int grsec_enable_chroot_pivot;
55423 +extern int grsec_enable_chroot_chdir;
55424 +extern int grsec_enable_chroot_chmod;
55425 +extern int grsec_enable_chroot_mknod;
55426 +extern int grsec_enable_chroot_fchdir;
55427 +extern int grsec_enable_chroot_nice;
55428 +extern int grsec_enable_chroot_execlog;
55429 +extern int grsec_enable_chroot_caps;
55430 +extern int grsec_enable_chroot_sysctl;
55431 +extern int grsec_enable_chroot_unix;
55432 +extern int grsec_enable_tpe;
55433 +extern int grsec_tpe_gid;
55434 +extern int grsec_enable_tpe_all;
55435 +extern int grsec_enable_tpe_invert;
55436 +extern int grsec_enable_socket_all;
55437 +extern int grsec_socket_all_gid;
55438 +extern int grsec_enable_socket_client;
55439 +extern int grsec_socket_client_gid;
55440 +extern int grsec_enable_socket_server;
55441 +extern int grsec_socket_server_gid;
55442 +extern int grsec_audit_gid;
55443 +extern int grsec_enable_group;
55444 +extern int grsec_enable_audit_textrel;
55445 +extern int grsec_enable_log_rwxmaps;
55446 +extern int grsec_enable_mount;
55447 +extern int grsec_enable_chdir;
55448 +extern int grsec_resource_logging;
55449 +extern int grsec_enable_blackhole;
55450 +extern int grsec_lastack_retries;
55451 +extern int grsec_lock;
55453 +extern spinlock_t grsec_alert_lock;
55454 +extern unsigned long grsec_alert_wtime;
55455 +extern unsigned long grsec_alert_fyet;
55457 +extern spinlock_t grsec_audit_lock;
55459 +extern rwlock_t grsec_exec_file_lock;
55461 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
55462 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
55463 + (tsk)->exec_file->f_vfsmnt) : "/")
55465 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
55466 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
55467 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
55469 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
55470 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
55471 + (tsk)->exec_file->f_vfsmnt) : "/")
55473 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
55474 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
55475 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
55477 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
55479 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
55481 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
55482 + (task)->pid, (cred)->uid, \
55483 + (cred)->euid, (cred)->gid, (cred)->egid, \
55484 + gr_parent_task_fullpath(task), \
55485 + (task)->real_parent->comm, (task)->real_parent->pid, \
55486 + (pcred)->uid, (pcred)->euid, \
55487 + (pcred)->gid, (pcred)->egid
55489 +#define GR_CHROOT_CAPS {{ \
55490 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
55491 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
55492 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
55493 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
55494 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
55495 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
55497 +#define security_learn(normal_msg,args...) \
55499 + read_lock(&grsec_exec_file_lock); \
55500 + gr_add_learn_entry(normal_msg "\n", ## args); \
55501 + read_unlock(&grsec_exec_file_lock); \
55507 + GR_DONT_AUDIT_GOOD
55518 + GR_SYSCTL_HIDDEN,
55521 + GR_ONE_INT_TWO_STR,
55528 + GR_FIVE_INT_TWO_STR,
55534 + GR_FILENAME_TWO_INT,
55535 + GR_FILENAME_TWO_INT_STR,
55548 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
55549 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
55550 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
55551 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
55552 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
55553 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
55554 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
55555 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
55556 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
55557 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
55558 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
55559 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
55560 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
55561 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
55562 +#define gr_log_two_u64(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_U64, num1, num2)
55563 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
55564 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
55565 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
55566 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
55567 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
55568 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
55569 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
55570 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
55571 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
55572 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
55573 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
55574 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
55575 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
55576 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
55577 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
55578 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
55579 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
55580 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
55581 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
55582 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
55584 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
55589 diff -urNp linux-2.6.32.42/include/linux/grmsg.h linux-2.6.32.42/include/linux/grmsg.h
55590 --- linux-2.6.32.42/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
55591 +++ linux-2.6.32.42/include/linux/grmsg.h 2011-04-17 15:56:46.000000000 -0400
55593 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
55594 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
55595 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
55596 +#define GR_STOPMOD_MSG "denied modification of module state by "
55597 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
55598 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
55599 +#define GR_IOPERM_MSG "denied use of ioperm() by "
55600 +#define GR_IOPL_MSG "denied use of iopl() by "
55601 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
55602 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
55603 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
55604 +#define GR_MEM_READWRITE_MSG "denied access of range %Lx -> %Lx in /dev/mem by "
55605 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
55606 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
55607 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
55608 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
55609 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
55610 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
55611 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
55612 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
55613 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
55614 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
55615 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
55616 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
55617 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
55618 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
55619 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
55620 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
55621 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
55622 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
55623 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
55624 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
55625 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
55626 +#define GR_NPROC_MSG "denied overstep of process limit by "
55627 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
55628 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
55629 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
55630 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
55631 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
55632 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
55633 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
55634 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
55635 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
55636 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
55637 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
55638 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
55639 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
55640 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
55641 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
55642 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
55643 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
55644 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
55645 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
55646 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
55647 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
55648 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
55649 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
55650 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
55651 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
55652 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
55653 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
55654 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
55655 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
55656 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
55657 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
55658 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
55659 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
55660 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
55661 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
55662 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
55663 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
55664 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
55665 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
55666 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
55667 +#define GR_NICE_CHROOT_MSG "denied priority change by "
55668 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
55669 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
55670 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
55671 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
55672 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
55673 +#define GR_TIME_MSG "time set by "
55674 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
55675 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
55676 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
55677 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
55678 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
55679 +#define GR_BIND_MSG "denied bind() by "
55680 +#define GR_CONNECT_MSG "denied connect() by "
55681 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
55682 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
55683 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
55684 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
55685 +#define GR_CAP_ACL_MSG "use of %s denied for "
55686 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
55687 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
55688 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
55689 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
55690 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
55691 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
55692 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
55693 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
55694 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
55695 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
55696 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
55697 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
55698 +#define GR_VM86_MSG "denied use of vm86 by "
55699 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
55700 +#define GR_INIT_TRANSFER_MSG "persistent special role transferred privilege to init by "
55701 diff -urNp linux-2.6.32.42/include/linux/grsecurity.h linux-2.6.32.42/include/linux/grsecurity.h
55702 --- linux-2.6.32.42/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
55703 +++ linux-2.6.32.42/include/linux/grsecurity.h 2011-04-17 15:56:46.000000000 -0400
55705 +#ifndef GR_SECURITY_H
55706 +#define GR_SECURITY_H
55707 +#include <linux/fs.h>
55708 +#include <linux/fs_struct.h>
55709 +#include <linux/binfmts.h>
55710 +#include <linux/gracl.h>
55711 +#include <linux/compat.h>
55713 +/* notify of brain-dead configs */
55714 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
55715 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
55717 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
55718 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
55720 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
55721 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
55723 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
55724 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
55726 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
55727 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
55730 +void gr_handle_brute_attach(struct task_struct *p, unsigned long mm_flags);
55731 +void gr_handle_brute_check(void);
55732 +void gr_handle_kernel_exploit(void);
55733 +int gr_process_user_ban(void);
55735 +char gr_roletype_to_char(void);
55737 +int gr_acl_enable_at_secure(void);
55739 +int gr_check_user_change(int real, int effective, int fs);
55740 +int gr_check_group_change(int real, int effective, int fs);
55742 +void gr_del_task_from_ip_table(struct task_struct *p);
55744 +int gr_pid_is_chrooted(struct task_struct *p);
55745 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
55746 +int gr_handle_chroot_nice(void);
55747 +int gr_handle_chroot_sysctl(const int op);
55748 +int gr_handle_chroot_setpriority(struct task_struct *p,
55749 + const int niceval);
55750 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
55751 +int gr_handle_chroot_chroot(const struct dentry *dentry,
55752 + const struct vfsmount *mnt);
55753 +int gr_handle_chroot_caps(struct path *path);
55754 +void gr_handle_chroot_chdir(struct path *path);
55755 +int gr_handle_chroot_chmod(const struct dentry *dentry,
55756 + const struct vfsmount *mnt, const int mode);
55757 +int gr_handle_chroot_mknod(const struct dentry *dentry,
55758 + const struct vfsmount *mnt, const int mode);
55759 +int gr_handle_chroot_mount(const struct dentry *dentry,
55760 + const struct vfsmount *mnt,
55761 + const char *dev_name);
55762 +int gr_handle_chroot_pivot(void);
55763 +int gr_handle_chroot_unix(const pid_t pid);
55765 +int gr_handle_rawio(const struct inode *inode);
55766 +int gr_handle_nproc(void);
55768 +void gr_handle_ioperm(void);
55769 +void gr_handle_iopl(void);
55771 +int gr_tpe_allow(const struct file *file);
55773 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
55774 +void gr_clear_chroot_entries(struct task_struct *task);
55776 +void gr_log_forkfail(const int retval);
55777 +void gr_log_timechange(void);
55778 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
55779 +void gr_log_chdir(const struct dentry *dentry,
55780 + const struct vfsmount *mnt);
55781 +void gr_log_chroot_exec(const struct dentry *dentry,
55782 + const struct vfsmount *mnt);
55783 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
55784 +#ifdef CONFIG_COMPAT
55785 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
55787 +void gr_log_remount(const char *devname, const int retval);
55788 +void gr_log_unmount(const char *devname, const int retval);
55789 +void gr_log_mount(const char *from, const char *to, const int retval);
55790 +void gr_log_textrel(struct vm_area_struct *vma);
55791 +void gr_log_rwxmmap(struct file *file);
55792 +void gr_log_rwxmprotect(struct file *file);
55794 +int gr_handle_follow_link(const struct inode *parent,
55795 + const struct inode *inode,
55796 + const struct dentry *dentry,
55797 + const struct vfsmount *mnt);
55798 +int gr_handle_fifo(const struct dentry *dentry,
55799 + const struct vfsmount *mnt,
55800 + const struct dentry *dir, const int flag,
55801 + const int acc_mode);
55802 +int gr_handle_hardlink(const struct dentry *dentry,
55803 + const struct vfsmount *mnt,
55804 + struct inode *inode,
55805 + const int mode, const char *to);
55807 +int gr_is_capable(const int cap);
55808 +int gr_is_capable_nolog(const int cap);
55809 +void gr_learn_resource(const struct task_struct *task, const int limit,
55810 + const unsigned long wanted, const int gt);
55811 +void gr_copy_label(struct task_struct *tsk);
55812 +void gr_handle_crash(struct task_struct *task, const int sig);
55813 +int gr_handle_signal(const struct task_struct *p, const int sig);
55814 +int gr_check_crash_uid(const uid_t uid);
55815 +int gr_check_protected_task(const struct task_struct *task);
55816 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
55817 +int gr_acl_handle_mmap(const struct file *file,
55818 + const unsigned long prot);
55819 +int gr_acl_handle_mprotect(const struct file *file,
55820 + const unsigned long prot);
55821 +int gr_check_hidden_task(const struct task_struct *tsk);
55822 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
55823 + const struct vfsmount *mnt);
55824 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
55825 + const struct vfsmount *mnt);
55826 +__u32 gr_acl_handle_access(const struct dentry *dentry,
55827 + const struct vfsmount *mnt, const int fmode);
55828 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
55829 + const struct vfsmount *mnt, mode_t mode);
55830 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
55831 + const struct vfsmount *mnt, mode_t mode);
55832 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
55833 + const struct vfsmount *mnt);
55834 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
55835 + const struct vfsmount *mnt);
55836 +int gr_handle_ptrace(struct task_struct *task, const long request);
55837 +int gr_handle_proc_ptrace(struct task_struct *task);
55838 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
55839 + const struct vfsmount *mnt);
55840 +int gr_check_crash_exec(const struct file *filp);
55841 +int gr_acl_is_enabled(void);
55842 +void gr_set_kernel_label(struct task_struct *task);
55843 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
55844 + const gid_t gid);
55845 +int gr_set_proc_label(const struct dentry *dentry,
55846 + const struct vfsmount *mnt,
55847 + const int unsafe_share);
55848 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
55849 + const struct vfsmount *mnt);
55850 +__u32 gr_acl_handle_open(const struct dentry *dentry,
55851 + const struct vfsmount *mnt, const int fmode);
55852 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
55853 + const struct dentry *p_dentry,
55854 + const struct vfsmount *p_mnt, const int fmode,
55855 + const int imode);
55856 +void gr_handle_create(const struct dentry *dentry,
55857 + const struct vfsmount *mnt);
55858 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
55859 + const struct dentry *parent_dentry,
55860 + const struct vfsmount *parent_mnt,
55862 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
55863 + const struct dentry *parent_dentry,
55864 + const struct vfsmount *parent_mnt);
55865 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
55866 + const struct vfsmount *mnt);
55867 +void gr_handle_delete(const ino_t ino, const dev_t dev);
55868 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
55869 + const struct vfsmount *mnt);
55870 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
55871 + const struct dentry *parent_dentry,
55872 + const struct vfsmount *parent_mnt,
55873 + const char *from);
55874 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
55875 + const struct dentry *parent_dentry,
55876 + const struct vfsmount *parent_mnt,
55877 + const struct dentry *old_dentry,
55878 + const struct vfsmount *old_mnt, const char *to);
55879 +int gr_acl_handle_rename(struct dentry *new_dentry,
55880 + struct dentry *parent_dentry,
55881 + const struct vfsmount *parent_mnt,
55882 + struct dentry *old_dentry,
55883 + struct inode *old_parent_inode,
55884 + struct vfsmount *old_mnt, const char *newname);
55885 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
55886 + struct dentry *old_dentry,
55887 + struct dentry *new_dentry,
55888 + struct vfsmount *mnt, const __u8 replace);
55889 +__u32 gr_check_link(const struct dentry *new_dentry,
55890 + const struct dentry *parent_dentry,
55891 + const struct vfsmount *parent_mnt,
55892 + const struct dentry *old_dentry,
55893 + const struct vfsmount *old_mnt);
55894 +int gr_acl_handle_filldir(const struct file *file, const char *name,
55895 + const unsigned int namelen, const ino_t ino);
55897 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
55898 + const struct vfsmount *mnt);
55899 +void gr_acl_handle_exit(void);
55900 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
55901 +int gr_acl_handle_procpidmem(const struct task_struct *task);
55902 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
55903 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
55904 +void gr_audit_ptrace(struct task_struct *task);
55905 +dev_t gr_get_dev_from_dentry(struct dentry *dentry);
55907 +#ifdef CONFIG_GRKERNSEC
55908 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
55909 +void gr_handle_vm86(void);
55910 +void gr_handle_mem_readwrite(u64 from, u64 to);
55912 +extern int grsec_enable_dmesg;
55913 +extern int grsec_disable_privio;
55917 diff -urNp linux-2.6.32.42/include/linux/hdpu_features.h linux-2.6.32.42/include/linux/hdpu_features.h
55918 --- linux-2.6.32.42/include/linux/hdpu_features.h 2011-03-27 14:31:47.000000000 -0400
55919 +++ linux-2.6.32.42/include/linux/hdpu_features.h 2011-04-17 15:56:46.000000000 -0400
55921 struct cpustate_t {
55925 + atomic_t open_count;
55926 unsigned char cached_val;
55928 unsigned long *set_addr;
55929 diff -urNp linux-2.6.32.42/include/linux/highmem.h linux-2.6.32.42/include/linux/highmem.h
55930 --- linux-2.6.32.42/include/linux/highmem.h 2011-03-27 14:31:47.000000000 -0400
55931 +++ linux-2.6.32.42/include/linux/highmem.h 2011-04-17 15:56:46.000000000 -0400
55932 @@ -137,6 +137,18 @@ static inline void clear_highpage(struct
55933 kunmap_atomic(kaddr, KM_USER0);
55936 +static inline void sanitize_highpage(struct page *page)
55939 + unsigned long flags;
55941 + local_irq_save(flags);
55942 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
55943 + clear_page(kaddr);
55944 + kunmap_atomic(kaddr, KM_CLEARPAGE);
55945 + local_irq_restore(flags);
55948 static inline void zero_user_segments(struct page *page,
55949 unsigned start1, unsigned end1,
55950 unsigned start2, unsigned end2)
55951 diff -urNp linux-2.6.32.42/include/linux/i2o.h linux-2.6.32.42/include/linux/i2o.h
55952 --- linux-2.6.32.42/include/linux/i2o.h 2011-03-27 14:31:47.000000000 -0400
55953 +++ linux-2.6.32.42/include/linux/i2o.h 2011-05-04 17:56:28.000000000 -0400
55954 @@ -564,7 +564,7 @@ struct i2o_controller {
55955 struct i2o_device *exec; /* Executive */
55956 #if BITS_PER_LONG == 64
55957 spinlock_t context_list_lock; /* lock for context_list */
55958 - atomic_t context_list_counter; /* needed for unique contexts */
55959 + atomic_unchecked_t context_list_counter; /* needed for unique contexts */
55960 struct list_head context_list; /* list of context id's
55963 diff -urNp linux-2.6.32.42/include/linux/init_task.h linux-2.6.32.42/include/linux/init_task.h
55964 --- linux-2.6.32.42/include/linux/init_task.h 2011-03-27 14:31:47.000000000 -0400
55965 +++ linux-2.6.32.42/include/linux/init_task.h 2011-05-18 20:44:59.000000000 -0400
55966 @@ -83,6 +83,12 @@ extern struct group_info init_groups;
55971 +#define INIT_TASK_THREAD_INFO .tinfo = INIT_THREAD_INFO,
55973 +#define INIT_TASK_THREAD_INFO
55976 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
55978 * Because of the reduced scope of CAP_SETPCAP when filesystem
55979 @@ -156,6 +162,7 @@ extern struct cred init_cred;
55980 __MUTEX_INITIALIZER(tsk.cred_guard_mutex), \
55981 .comm = "swapper", \
55982 .thread = INIT_THREAD, \
55983 + INIT_TASK_THREAD_INFO \
55985 .files = &init_files, \
55986 .signal = &init_signals, \
55987 diff -urNp linux-2.6.32.42/include/linux/interrupt.h linux-2.6.32.42/include/linux/interrupt.h
55988 --- linux-2.6.32.42/include/linux/interrupt.h 2011-06-25 12:55:35.000000000 -0400
55989 +++ linux-2.6.32.42/include/linux/interrupt.h 2011-06-25 12:56:37.000000000 -0400
55990 @@ -363,7 +363,7 @@ enum
55991 /* map softirq index to softirq name. update 'softirq_to_name' in
55992 * kernel/softirq.c when adding a new softirq.
55994 -extern char *softirq_to_name[NR_SOFTIRQS];
55995 +extern const char * const softirq_to_name[NR_SOFTIRQS];
55997 /* softirq mask and active fields moved to irq_cpustat_t in
55998 * asm/hardirq.h to get better cache usage. KAO
55999 @@ -371,12 +371,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
56001 struct softirq_action
56003 - void (*action)(struct softirq_action *);
56004 + void (*action)(void);
56007 asmlinkage void do_softirq(void);
56008 asmlinkage void __do_softirq(void);
56009 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
56010 +extern void open_softirq(int nr, void (*action)(void));
56011 extern void softirq_init(void);
56012 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
56013 extern void raise_softirq_irqoff(unsigned int nr);
56014 diff -urNp linux-2.6.32.42/include/linux/irq.h linux-2.6.32.42/include/linux/irq.h
56015 --- linux-2.6.32.42/include/linux/irq.h 2011-03-27 14:31:47.000000000 -0400
56016 +++ linux-2.6.32.42/include/linux/irq.h 2011-04-17 15:56:46.000000000 -0400
56017 @@ -438,12 +438,12 @@ extern int set_irq_msi(unsigned int irq,
56018 static inline bool alloc_desc_masks(struct irq_desc *desc, int node,
56021 +#ifdef CONFIG_CPUMASK_OFFSTACK
56022 gfp_t gfp = GFP_ATOMIC;
56027 -#ifdef CONFIG_CPUMASK_OFFSTACK
56028 if (!alloc_cpumask_var_node(&desc->affinity, gfp, node))
56031 diff -urNp linux-2.6.32.42/include/linux/kallsyms.h linux-2.6.32.42/include/linux/kallsyms.h
56032 --- linux-2.6.32.42/include/linux/kallsyms.h 2011-03-27 14:31:47.000000000 -0400
56033 +++ linux-2.6.32.42/include/linux/kallsyms.h 2011-04-17 15:56:46.000000000 -0400
56038 -#ifdef CONFIG_KALLSYMS
56039 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
56040 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
56041 /* Lookup the address for a symbol. Returns 0 if not found. */
56042 unsigned long kallsyms_lookup_name(const char *name);
56044 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
56045 /* Stupid that this does nothing, but I didn't create this mess. */
56046 #define __print_symbol(fmt, addr)
56047 #endif /*CONFIG_KALLSYMS*/
56048 +#else /* when included by kallsyms.c, vsnprintf.c, or
56049 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
56050 +extern void __print_symbol(const char *fmt, unsigned long address);
56051 +extern int sprint_symbol(char *buffer, unsigned long address);
56052 +const char *kallsyms_lookup(unsigned long addr,
56053 + unsigned long *symbolsize,
56054 + unsigned long *offset,
56055 + char **modname, char *namebuf);
56058 /* This macro allows us to keep printk typechecking */
56059 static void __check_printsym_format(const char *fmt, ...)
56060 diff -urNp linux-2.6.32.42/include/linux/kgdb.h linux-2.6.32.42/include/linux/kgdb.h
56061 --- linux-2.6.32.42/include/linux/kgdb.h 2011-03-27 14:31:47.000000000 -0400
56062 +++ linux-2.6.32.42/include/linux/kgdb.h 2011-05-04 17:56:20.000000000 -0400
56063 @@ -74,8 +74,8 @@ void kgdb_breakpoint(void);
56065 extern int kgdb_connected;
56067 -extern atomic_t kgdb_setting_breakpoint;
56068 -extern atomic_t kgdb_cpu_doing_single_step;
56069 +extern atomic_unchecked_t kgdb_setting_breakpoint;
56070 +extern atomic_unchecked_t kgdb_cpu_doing_single_step;
56072 extern struct task_struct *kgdb_usethread;
56073 extern struct task_struct *kgdb_contthread;
56074 @@ -251,20 +251,20 @@ struct kgdb_arch {
56078 - int (*read_char) (void);
56079 - void (*write_char) (u8);
56080 - void (*flush) (void);
56081 - int (*init) (void);
56082 - void (*pre_exception) (void);
56083 - void (*post_exception) (void);
56084 + int (* const read_char) (void);
56085 + void (* const write_char) (u8);
56086 + void (* const flush) (void);
56087 + int (* const init) (void);
56088 + void (* const pre_exception) (void);
56089 + void (* const post_exception) (void);
56092 -extern struct kgdb_arch arch_kgdb_ops;
56093 +extern const struct kgdb_arch arch_kgdb_ops;
56095 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
56097 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
56098 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
56099 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
56100 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
56102 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
56103 extern int kgdb_mem2hex(char *mem, char *buf, int count);
56104 diff -urNp linux-2.6.32.42/include/linux/kmod.h linux-2.6.32.42/include/linux/kmod.h
56105 --- linux-2.6.32.42/include/linux/kmod.h 2011-03-27 14:31:47.000000000 -0400
56106 +++ linux-2.6.32.42/include/linux/kmod.h 2011-04-17 15:56:46.000000000 -0400
56108 * usually useless though. */
56109 extern int __request_module(bool wait, const char *name, ...) \
56110 __attribute__((format(printf, 2, 3)));
56111 +extern int ___request_module(bool wait, char *param_name, const char *name, ...) \
56112 + __attribute__((format(printf, 3, 4)));
56113 #define request_module(mod...) __request_module(true, mod)
56114 #define request_module_nowait(mod...) __request_module(false, mod)
56115 #define try_then_request_module(x, mod...) \
56116 diff -urNp linux-2.6.32.42/include/linux/kobject.h linux-2.6.32.42/include/linux/kobject.h
56117 --- linux-2.6.32.42/include/linux/kobject.h 2011-03-27 14:31:47.000000000 -0400
56118 +++ linux-2.6.32.42/include/linux/kobject.h 2011-04-17 15:56:46.000000000 -0400
56119 @@ -106,7 +106,7 @@ extern char *kobject_get_path(struct kob
56122 void (*release)(struct kobject *kobj);
56123 - struct sysfs_ops *sysfs_ops;
56124 + const struct sysfs_ops *sysfs_ops;
56125 struct attribute **default_attrs;
56128 @@ -118,9 +118,9 @@ struct kobj_uevent_env {
56131 struct kset_uevent_ops {
56132 - int (*filter)(struct kset *kset, struct kobject *kobj);
56133 - const char *(*name)(struct kset *kset, struct kobject *kobj);
56134 - int (*uevent)(struct kset *kset, struct kobject *kobj,
56135 + int (* const filter)(struct kset *kset, struct kobject *kobj);
56136 + const char *(* const name)(struct kset *kset, struct kobject *kobj);
56137 + int (* const uevent)(struct kset *kset, struct kobject *kobj,
56138 struct kobj_uevent_env *env);
56141 @@ -132,7 +132,7 @@ struct kobj_attribute {
56142 const char *buf, size_t count);
56145 -extern struct sysfs_ops kobj_sysfs_ops;
56146 +extern const struct sysfs_ops kobj_sysfs_ops;
56149 * struct kset - a set of kobjects of a specific type, belonging to a specific subsystem.
56150 @@ -155,14 +155,14 @@ struct kset {
56151 struct list_head list;
56152 spinlock_t list_lock;
56153 struct kobject kobj;
56154 - struct kset_uevent_ops *uevent_ops;
56155 + const struct kset_uevent_ops *uevent_ops;
56158 extern void kset_init(struct kset *kset);
56159 extern int __must_check kset_register(struct kset *kset);
56160 extern void kset_unregister(struct kset *kset);
56161 extern struct kset * __must_check kset_create_and_add(const char *name,
56162 - struct kset_uevent_ops *u,
56163 + const struct kset_uevent_ops *u,
56164 struct kobject *parent_kobj);
56166 static inline struct kset *to_kset(struct kobject *kobj)
56167 diff -urNp linux-2.6.32.42/include/linux/kvm_host.h linux-2.6.32.42/include/linux/kvm_host.h
56168 --- linux-2.6.32.42/include/linux/kvm_host.h 2011-03-27 14:31:47.000000000 -0400
56169 +++ linux-2.6.32.42/include/linux/kvm_host.h 2011-04-17 15:56:46.000000000 -0400
56170 @@ -210,7 +210,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
56171 void vcpu_load(struct kvm_vcpu *vcpu);
56172 void vcpu_put(struct kvm_vcpu *vcpu);
56174 -int kvm_init(void *opaque, unsigned int vcpu_size,
56175 +int kvm_init(const void *opaque, unsigned int vcpu_size,
56176 struct module *module);
56177 void kvm_exit(void);
56179 @@ -316,7 +316,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
56180 struct kvm_guest_debug *dbg);
56181 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
56183 -int kvm_arch_init(void *opaque);
56184 +int kvm_arch_init(const void *opaque);
56185 void kvm_arch_exit(void);
56187 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
56188 diff -urNp linux-2.6.32.42/include/linux/libata.h linux-2.6.32.42/include/linux/libata.h
56189 --- linux-2.6.32.42/include/linux/libata.h 2011-03-27 14:31:47.000000000 -0400
56190 +++ linux-2.6.32.42/include/linux/libata.h 2011-04-23 12:56:11.000000000 -0400
56191 @@ -525,11 +525,11 @@ struct ata_ioports {
56195 - struct device *dev;
56196 + struct device *dev;
56197 void __iomem * const *iomap;
56198 unsigned int n_ports;
56199 void *private_data;
56200 - struct ata_port_operations *ops;
56201 + const struct ata_port_operations *ops;
56202 unsigned long flags;
56203 #ifdef CONFIG_ATA_ACPI
56204 acpi_handle acpi_handle;
56205 @@ -710,7 +710,7 @@ struct ata_link {
56208 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
56209 - struct ata_port_operations *ops;
56210 + const struct ata_port_operations *ops;
56212 /* Flags owned by the EH context. Only EH should touch these once the
56214 @@ -892,7 +892,7 @@ struct ata_port_info {
56215 unsigned long pio_mask;
56216 unsigned long mwdma_mask;
56217 unsigned long udma_mask;
56218 - struct ata_port_operations *port_ops;
56219 + const struct ata_port_operations *port_ops;
56220 void *private_data;
56223 @@ -916,7 +916,7 @@ extern const unsigned long sata_deb_timi
56224 extern const unsigned long sata_deb_timing_hotplug[];
56225 extern const unsigned long sata_deb_timing_long[];
56227 -extern struct ata_port_operations ata_dummy_port_ops;
56228 +extern const struct ata_port_operations ata_dummy_port_ops;
56229 extern const struct ata_port_info ata_dummy_port_info;
56231 static inline const unsigned long *
56232 @@ -962,7 +962,7 @@ extern int ata_host_activate(struct ata_
56233 struct scsi_host_template *sht);
56234 extern void ata_host_detach(struct ata_host *host);
56235 extern void ata_host_init(struct ata_host *, struct device *,
56236 - unsigned long, struct ata_port_operations *);
56237 + unsigned long, const struct ata_port_operations *);
56238 extern int ata_scsi_detect(struct scsi_host_template *sht);
56239 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
56240 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
56241 diff -urNp linux-2.6.32.42/include/linux/lockd/bind.h linux-2.6.32.42/include/linux/lockd/bind.h
56242 --- linux-2.6.32.42/include/linux/lockd/bind.h 2011-03-27 14:31:47.000000000 -0400
56243 +++ linux-2.6.32.42/include/linux/lockd/bind.h 2011-04-17 15:56:46.000000000 -0400
56244 @@ -23,13 +23,13 @@ struct svc_rqst;
56245 * This is the set of functions for lockd->nfsd communication
56247 struct nlmsvc_binding {
56248 - __be32 (*fopen)(struct svc_rqst *,
56249 + __be32 (* const fopen)(struct svc_rqst *,
56252 - void (*fclose)(struct file *);
56253 + void (* const fclose)(struct file *);
56256 -extern struct nlmsvc_binding * nlmsvc_ops;
56257 +extern const struct nlmsvc_binding * nlmsvc_ops;
56260 * Similar to nfs_client_initdata, but without the NFS-specific
56261 diff -urNp linux-2.6.32.42/include/linux/mm.h linux-2.6.32.42/include/linux/mm.h
56262 --- linux-2.6.32.42/include/linux/mm.h 2011-03-27 14:31:47.000000000 -0400
56263 +++ linux-2.6.32.42/include/linux/mm.h 2011-04-17 15:56:46.000000000 -0400
56264 @@ -106,7 +106,14 @@ extern unsigned int kobjsize(const void
56266 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
56267 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
56269 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
56270 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
56271 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
56273 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
56276 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
56277 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
56279 @@ -841,12 +848,6 @@ int set_page_dirty(struct page *page);
56280 int set_page_dirty_lock(struct page *page);
56281 int clear_page_dirty_for_io(struct page *page);
56283 -/* Is the vma a continuation of the stack vma above it? */
56284 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
56286 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
56289 extern unsigned long move_page_tables(struct vm_area_struct *vma,
56290 unsigned long old_addr, struct vm_area_struct *new_vma,
56291 unsigned long new_addr, unsigned long len);
56292 @@ -890,6 +891,8 @@ struct shrinker {
56293 extern void register_shrinker(struct shrinker *);
56294 extern void unregister_shrinker(struct shrinker *);
56296 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
56298 int vma_wants_writenotify(struct vm_area_struct *vma);
56300 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
56301 @@ -1162,6 +1165,7 @@ out:
56304 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
56305 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
56307 extern unsigned long do_brk(unsigned long, unsigned long);
56309 @@ -1218,6 +1222,10 @@ extern struct vm_area_struct * find_vma(
56310 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
56311 struct vm_area_struct **pprev);
56313 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
56314 +extern void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
56315 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
56317 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
56318 NULL if none. Assume start_addr < end_addr. */
56319 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
56320 @@ -1234,7 +1242,6 @@ static inline unsigned long vma_pages(st
56321 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
56324 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
56325 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
56326 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
56327 unsigned long pfn, unsigned long size, pgprot_t);
56328 @@ -1332,7 +1339,13 @@ extern void memory_failure(unsigned long
56329 extern int __memory_failure(unsigned long pfn, int trapno, int ref);
56330 extern int sysctl_memory_failure_early_kill;
56331 extern int sysctl_memory_failure_recovery;
56332 -extern atomic_long_t mce_bad_pages;
56333 +extern atomic_long_unchecked_t mce_bad_pages;
56335 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
56336 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
56338 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
56341 #endif /* __KERNEL__ */
56342 #endif /* _LINUX_MM_H */
56343 diff -urNp linux-2.6.32.42/include/linux/mm_types.h linux-2.6.32.42/include/linux/mm_types.h
56344 --- linux-2.6.32.42/include/linux/mm_types.h 2011-03-27 14:31:47.000000000 -0400
56345 +++ linux-2.6.32.42/include/linux/mm_types.h 2011-04-17 15:56:46.000000000 -0400
56346 @@ -186,6 +186,8 @@ struct vm_area_struct {
56348 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
56351 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
56354 struct core_thread {
56355 @@ -287,6 +289,24 @@ struct mm_struct {
56356 #ifdef CONFIG_MMU_NOTIFIER
56357 struct mmu_notifier_mm *mmu_notifier_mm;
56360 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
56361 + unsigned long pax_flags;
56364 +#ifdef CONFIG_PAX_DLRESOLVE
56365 + unsigned long call_dl_resolve;
56368 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
56369 + unsigned long call_syscall;
56372 +#ifdef CONFIG_PAX_ASLR
56373 + unsigned long delta_mmap; /* randomized offset */
56374 + unsigned long delta_stack; /* randomized offset */
56379 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
56380 diff -urNp linux-2.6.32.42/include/linux/mmu_notifier.h linux-2.6.32.42/include/linux/mmu_notifier.h
56381 --- linux-2.6.32.42/include/linux/mmu_notifier.h 2011-03-27 14:31:47.000000000 -0400
56382 +++ linux-2.6.32.42/include/linux/mmu_notifier.h 2011-04-17 15:56:46.000000000 -0400
56383 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
56385 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
56389 struct vm_area_struct *___vma = __vma; \
56390 unsigned long ___address = __address; \
56391 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
56392 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
56393 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
56398 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
56399 diff -urNp linux-2.6.32.42/include/linux/mmzone.h linux-2.6.32.42/include/linux/mmzone.h
56400 --- linux-2.6.32.42/include/linux/mmzone.h 2011-03-27 14:31:47.000000000 -0400
56401 +++ linux-2.6.32.42/include/linux/mmzone.h 2011-04-17 15:56:46.000000000 -0400
56402 @@ -350,7 +350,7 @@ struct zone {
56403 unsigned long flags; /* zone flags, see below */
56405 /* Zone statistics */
56406 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
56407 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
56410 * prev_priority holds the scanning priority for this zone. It is
56411 diff -urNp linux-2.6.32.42/include/linux/mod_devicetable.h linux-2.6.32.42/include/linux/mod_devicetable.h
56412 --- linux-2.6.32.42/include/linux/mod_devicetable.h 2011-03-27 14:31:47.000000000 -0400
56413 +++ linux-2.6.32.42/include/linux/mod_devicetable.h 2011-04-17 15:56:46.000000000 -0400
56415 typedef unsigned long kernel_ulong_t;
56418 -#define PCI_ANY_ID (~0)
56419 +#define PCI_ANY_ID ((__u16)~0)
56421 struct pci_device_id {
56422 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
56423 @@ -131,7 +131,7 @@ struct usb_device_id {
56424 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
56425 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
56427 -#define HID_ANY_ID (~0)
56428 +#define HID_ANY_ID (~0U)
56430 struct hid_device_id {
56432 diff -urNp linux-2.6.32.42/include/linux/module.h linux-2.6.32.42/include/linux/module.h
56433 --- linux-2.6.32.42/include/linux/module.h 2011-03-27 14:31:47.000000000 -0400
56434 +++ linux-2.6.32.42/include/linux/module.h 2011-04-17 15:56:46.000000000 -0400
56435 @@ -287,16 +287,16 @@ struct module
56438 /* If this is non-NULL, vfree after init() returns */
56439 - void *module_init;
56440 + void *module_init_rx, *module_init_rw;
56442 /* Here is the actual code + data, vfree'd on unload. */
56443 - void *module_core;
56444 + void *module_core_rx, *module_core_rw;
56446 /* Here are the sizes of the init and core sections */
56447 - unsigned int init_size, core_size;
56448 + unsigned int init_size_rw, core_size_rw;
56450 /* The size of the executable code in each section. */
56451 - unsigned int init_text_size, core_text_size;
56452 + unsigned int init_size_rx, core_size_rx;
56454 /* Arch-specific module values */
56455 struct mod_arch_specific arch;
56456 @@ -393,16 +393,46 @@ struct module *__module_address(unsigned
56457 bool is_module_address(unsigned long addr);
56458 bool is_module_text_address(unsigned long addr);
56460 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
56463 +#ifdef CONFIG_PAX_KERNEXEC
56464 + if (ktla_ktva(addr) >= (unsigned long)start &&
56465 + ktla_ktva(addr) < (unsigned long)start + size)
56469 + return ((void *)addr >= start && (void *)addr < start + size);
56472 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
56474 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
56477 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
56479 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
56482 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
56484 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
56487 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
56489 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
56492 static inline int within_module_core(unsigned long addr, struct module *mod)
56494 - return (unsigned long)mod->module_core <= addr &&
56495 - addr < (unsigned long)mod->module_core + mod->core_size;
56496 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
56499 static inline int within_module_init(unsigned long addr, struct module *mod)
56501 - return (unsigned long)mod->module_init <= addr &&
56502 - addr < (unsigned long)mod->module_init + mod->init_size;
56503 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
56506 /* Search for module by name: must hold module_mutex. */
56507 diff -urNp linux-2.6.32.42/include/linux/moduleloader.h linux-2.6.32.42/include/linux/moduleloader.h
56508 --- linux-2.6.32.42/include/linux/moduleloader.h 2011-03-27 14:31:47.000000000 -0400
56509 +++ linux-2.6.32.42/include/linux/moduleloader.h 2011-04-17 15:56:46.000000000 -0400
56510 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
56511 sections. Returns NULL on failure. */
56512 void *module_alloc(unsigned long size);
56514 +#ifdef CONFIG_PAX_KERNEXEC
56515 +void *module_alloc_exec(unsigned long size);
56517 +#define module_alloc_exec(x) module_alloc(x)
56520 /* Free memory returned from module_alloc. */
56521 void module_free(struct module *mod, void *module_region);
56523 +#ifdef CONFIG_PAX_KERNEXEC
56524 +void module_free_exec(struct module *mod, void *module_region);
56526 +#define module_free_exec(x, y) module_free((x), (y))
56529 /* Apply the given relocation to the (simplified) ELF. Return -error
56531 int apply_relocate(Elf_Shdr *sechdrs,
56532 diff -urNp linux-2.6.32.42/include/linux/moduleparam.h linux-2.6.32.42/include/linux/moduleparam.h
56533 --- linux-2.6.32.42/include/linux/moduleparam.h 2011-03-27 14:31:47.000000000 -0400
56534 +++ linux-2.6.32.42/include/linux/moduleparam.h 2011-04-17 15:56:46.000000000 -0400
56535 @@ -132,7 +132,7 @@ struct kparam_array
56537 /* Actually copy string: maxlen param is usually sizeof(string). */
56538 #define module_param_string(name, string, len, perm) \
56539 - static const struct kparam_string __param_string_##name \
56540 + static const struct kparam_string __param_string_##name __used \
56541 = { len, string }; \
56542 __module_param_call(MODULE_PARAM_PREFIX, name, \
56543 param_set_copystring, param_get_string, \
56544 @@ -211,7 +211,7 @@ extern int param_get_invbool(char *buffe
56546 /* Comma-separated array: *nump is set to number they actually specified. */
56547 #define module_param_array_named(name, array, type, nump, perm) \
56548 - static const struct kparam_array __param_arr_##name \
56549 + static const struct kparam_array __param_arr_##name __used \
56550 = { ARRAY_SIZE(array), nump, param_set_##type, param_get_##type,\
56551 sizeof(array[0]), array }; \
56552 __module_param_call(MODULE_PARAM_PREFIX, name, \
56553 diff -urNp linux-2.6.32.42/include/linux/mutex.h linux-2.6.32.42/include/linux/mutex.h
56554 --- linux-2.6.32.42/include/linux/mutex.h 2011-03-27 14:31:47.000000000 -0400
56555 +++ linux-2.6.32.42/include/linux/mutex.h 2011-04-17 15:56:46.000000000 -0400
56556 @@ -51,7 +51,7 @@ struct mutex {
56557 spinlock_t wait_lock;
56558 struct list_head wait_list;
56559 #if defined(CONFIG_DEBUG_MUTEXES) || defined(CONFIG_SMP)
56560 - struct thread_info *owner;
56561 + struct task_struct *owner;
56563 #ifdef CONFIG_DEBUG_MUTEXES
56565 diff -urNp linux-2.6.32.42/include/linux/namei.h linux-2.6.32.42/include/linux/namei.h
56566 --- linux-2.6.32.42/include/linux/namei.h 2011-03-27 14:31:47.000000000 -0400
56567 +++ linux-2.6.32.42/include/linux/namei.h 2011-04-17 15:56:46.000000000 -0400
56568 @@ -22,7 +22,7 @@ struct nameidata {
56569 unsigned int flags;
56572 - char *saved_names[MAX_NESTED_LINKS + 1];
56573 + const char *saved_names[MAX_NESTED_LINKS + 1];
56577 @@ -84,12 +84,12 @@ extern int follow_up(struct path *);
56578 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
56579 extern void unlock_rename(struct dentry *, struct dentry *);
56581 -static inline void nd_set_link(struct nameidata *nd, char *path)
56582 +static inline void nd_set_link(struct nameidata *nd, const char *path)
56584 nd->saved_names[nd->depth] = path;
56587 -static inline char *nd_get_link(struct nameidata *nd)
56588 +static inline const char *nd_get_link(const struct nameidata *nd)
56590 return nd->saved_names[nd->depth];
56592 diff -urNp linux-2.6.32.42/include/linux/netfilter/xt_gradm.h linux-2.6.32.42/include/linux/netfilter/xt_gradm.h
56593 --- linux-2.6.32.42/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
56594 +++ linux-2.6.32.42/include/linux/netfilter/xt_gradm.h 2011-04-17 15:56:46.000000000 -0400
56596 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
56597 +#define _LINUX_NETFILTER_XT_GRADM_H 1
56599 +struct xt_gradm_mtinfo {
56605 diff -urNp linux-2.6.32.42/include/linux/nodemask.h linux-2.6.32.42/include/linux/nodemask.h
56606 --- linux-2.6.32.42/include/linux/nodemask.h 2011-03-27 14:31:47.000000000 -0400
56607 +++ linux-2.6.32.42/include/linux/nodemask.h 2011-04-17 15:56:46.000000000 -0400
56608 @@ -464,11 +464,11 @@ static inline int num_node_state(enum no
56610 #define any_online_node(mask) \
56613 - for_each_node_mask(node, (mask)) \
56614 - if (node_online(node)) \
56616 + for_each_node_mask(__node, (mask)) \
56617 + if (node_online(__node)) \
56623 #define num_online_nodes() num_node_state(N_ONLINE)
56624 diff -urNp linux-2.6.32.42/include/linux/oprofile.h linux-2.6.32.42/include/linux/oprofile.h
56625 --- linux-2.6.32.42/include/linux/oprofile.h 2011-03-27 14:31:47.000000000 -0400
56626 +++ linux-2.6.32.42/include/linux/oprofile.h 2011-04-17 15:56:46.000000000 -0400
56627 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
56628 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
56629 char const * name, ulong * val);
56631 -/** Create a file for read-only access to an atomic_t. */
56632 +/** Create a file for read-only access to an atomic_unchecked_t. */
56633 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
56634 - char const * name, atomic_t * val);
56635 + char const * name, atomic_unchecked_t * val);
56637 /** create a directory */
56638 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
56639 diff -urNp linux-2.6.32.42/include/linux/perf_event.h linux-2.6.32.42/include/linux/perf_event.h
56640 --- linux-2.6.32.42/include/linux/perf_event.h 2011-03-27 14:31:47.000000000 -0400
56641 +++ linux-2.6.32.42/include/linux/perf_event.h 2011-05-04 17:56:28.000000000 -0400
56642 @@ -476,7 +476,7 @@ struct hw_perf_event {
56643 struct hrtimer hrtimer;
56646 - atomic64_t prev_count;
56647 + atomic64_unchecked_t prev_count;
56650 atomic64_t period_left;
56651 @@ -557,7 +557,7 @@ struct perf_event {
56652 const struct pmu *pmu;
56654 enum perf_event_active_state state;
56655 - atomic64_t count;
56656 + atomic64_unchecked_t count;
56659 * These are the total time in nanoseconds that the event
56660 @@ -595,8 +595,8 @@ struct perf_event {
56661 * These accumulate total time (in nanoseconds) that children
56662 * events have been enabled and running, respectively.
56664 - atomic64_t child_total_time_enabled;
56665 - atomic64_t child_total_time_running;
56666 + atomic64_unchecked_t child_total_time_enabled;
56667 + atomic64_unchecked_t child_total_time_running;
56670 * Protect attach/detach and child_list:
56671 diff -urNp linux-2.6.32.42/include/linux/pipe_fs_i.h linux-2.6.32.42/include/linux/pipe_fs_i.h
56672 --- linux-2.6.32.42/include/linux/pipe_fs_i.h 2011-03-27 14:31:47.000000000 -0400
56673 +++ linux-2.6.32.42/include/linux/pipe_fs_i.h 2011-04-17 15:56:46.000000000 -0400
56674 @@ -46,9 +46,9 @@ struct pipe_inode_info {
56675 wait_queue_head_t wait;
56676 unsigned int nrbufs, curbuf;
56677 struct page *tmp_page;
56678 - unsigned int readers;
56679 - unsigned int writers;
56680 - unsigned int waiting_writers;
56681 + atomic_t readers;
56682 + atomic_t writers;
56683 + atomic_t waiting_writers;
56684 unsigned int r_counter;
56685 unsigned int w_counter;
56686 struct fasync_struct *fasync_readers;
56687 diff -urNp linux-2.6.32.42/include/linux/poison.h linux-2.6.32.42/include/linux/poison.h
56688 --- linux-2.6.32.42/include/linux/poison.h 2011-03-27 14:31:47.000000000 -0400
56689 +++ linux-2.6.32.42/include/linux/poison.h 2011-04-17 15:56:46.000000000 -0400
56691 * under normal circumstances, used to verify that nobody uses
56692 * non-initialized list entries.
56694 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
56695 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
56696 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
56697 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
56699 /********** include/linux/timer.h **********/
56701 diff -urNp linux-2.6.32.42/include/linux/proc_fs.h linux-2.6.32.42/include/linux/proc_fs.h
56702 --- linux-2.6.32.42/include/linux/proc_fs.h 2011-03-27 14:31:47.000000000 -0400
56703 +++ linux-2.6.32.42/include/linux/proc_fs.h 2011-04-17 15:56:46.000000000 -0400
56704 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
56705 return proc_create_data(name, mode, parent, proc_fops, NULL);
56708 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
56709 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
56711 +#ifdef CONFIG_GRKERNSEC_PROC_USER
56712 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
56713 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
56714 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
56716 + return proc_create_data(name, mode, parent, proc_fops, NULL);
56721 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
56722 mode_t mode, struct proc_dir_entry *base,
56723 read_proc_t *read_proc, void * data)
56724 diff -urNp linux-2.6.32.42/include/linux/ptrace.h linux-2.6.32.42/include/linux/ptrace.h
56725 --- linux-2.6.32.42/include/linux/ptrace.h 2011-03-27 14:31:47.000000000 -0400
56726 +++ linux-2.6.32.42/include/linux/ptrace.h 2011-04-17 15:56:46.000000000 -0400
56727 @@ -96,10 +96,10 @@ extern void __ptrace_unlink(struct task_
56728 extern void exit_ptrace(struct task_struct *tracer);
56729 #define PTRACE_MODE_READ 1
56730 #define PTRACE_MODE_ATTACH 2
56731 -/* Returns 0 on success, -errno on denial. */
56732 -extern int __ptrace_may_access(struct task_struct *task, unsigned int mode);
56733 /* Returns true on success, false on denial. */
56734 extern bool ptrace_may_access(struct task_struct *task, unsigned int mode);
56735 +/* Returns true on success, false on denial. */
56736 +extern bool ptrace_may_access_log(struct task_struct *task, unsigned int mode);
56738 static inline int ptrace_reparented(struct task_struct *child)
56740 diff -urNp linux-2.6.32.42/include/linux/random.h linux-2.6.32.42/include/linux/random.h
56741 --- linux-2.6.32.42/include/linux/random.h 2011-03-27 14:31:47.000000000 -0400
56742 +++ linux-2.6.32.42/include/linux/random.h 2011-04-17 15:56:46.000000000 -0400
56743 @@ -74,6 +74,11 @@ unsigned long randomize_range(unsigned l
56744 u32 random32(void);
56745 void srandom32(u32 seed);
56747 +static inline unsigned long pax_get_random_long(void)
56749 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
56752 #endif /* __KERNEL___ */
56754 #endif /* _LINUX_RANDOM_H */
56755 diff -urNp linux-2.6.32.42/include/linux/reboot.h linux-2.6.32.42/include/linux/reboot.h
56756 --- linux-2.6.32.42/include/linux/reboot.h 2011-03-27 14:31:47.000000000 -0400
56757 +++ linux-2.6.32.42/include/linux/reboot.h 2011-05-22 23:02:06.000000000 -0400
56758 @@ -47,9 +47,9 @@ extern int unregister_reboot_notifier(st
56759 * Architecture-specific implementations of sys_reboot commands.
56762 -extern void machine_restart(char *cmd);
56763 -extern void machine_halt(void);
56764 -extern void machine_power_off(void);
56765 +extern void machine_restart(char *cmd) __noreturn;
56766 +extern void machine_halt(void) __noreturn;
56767 +extern void machine_power_off(void) __noreturn;
56769 extern void machine_shutdown(void);
56771 @@ -60,9 +60,9 @@ extern void machine_crash_shutdown(struc
56774 extern void kernel_restart_prepare(char *cmd);
56775 -extern void kernel_restart(char *cmd);
56776 -extern void kernel_halt(void);
56777 -extern void kernel_power_off(void);
56778 +extern void kernel_restart(char *cmd) __noreturn;
56779 +extern void kernel_halt(void) __noreturn;
56780 +extern void kernel_power_off(void) __noreturn;
56782 void ctrl_alt_del(void);
56784 @@ -75,7 +75,7 @@ extern int orderly_poweroff(bool force);
56785 * Emergency restart, callable from an interrupt handler.
56788 -extern void emergency_restart(void);
56789 +extern void emergency_restart(void) __noreturn;
56790 #include <asm/emergency-restart.h>
56793 diff -urNp linux-2.6.32.42/include/linux/reiserfs_fs.h linux-2.6.32.42/include/linux/reiserfs_fs.h
56794 --- linux-2.6.32.42/include/linux/reiserfs_fs.h 2011-03-27 14:31:47.000000000 -0400
56795 +++ linux-2.6.32.42/include/linux/reiserfs_fs.h 2011-04-17 15:56:46.000000000 -0400
56796 @@ -1326,7 +1326,7 @@ static inline loff_t max_reiserfs_offset
56797 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
56799 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
56800 -#define get_generation(s) atomic_read (&fs_generation(s))
56801 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
56802 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
56803 #define __fs_changed(gen,s) (gen != get_generation (s))
56804 #define fs_changed(gen,s) ({cond_resched(); __fs_changed(gen, s);})
56805 @@ -1534,24 +1534,24 @@ static inline struct super_block *sb_fro
56808 struct item_operations {
56809 - int (*bytes_number) (struct item_head * ih, int block_size);
56810 - void (*decrement_key) (struct cpu_key *);
56811 - int (*is_left_mergeable) (struct reiserfs_key * ih,
56812 + int (* const bytes_number) (struct item_head * ih, int block_size);
56813 + void (* const decrement_key) (struct cpu_key *);
56814 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
56815 unsigned long bsize);
56816 - void (*print_item) (struct item_head *, char *item);
56817 - void (*check_item) (struct item_head *, char *item);
56818 + void (* const print_item) (struct item_head *, char *item);
56819 + void (* const check_item) (struct item_head *, char *item);
56821 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
56822 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
56823 int is_affected, int insert_size);
56824 - int (*check_left) (struct virtual_item * vi, int free,
56825 + int (* const check_left) (struct virtual_item * vi, int free,
56826 int start_skip, int end_skip);
56827 - int (*check_right) (struct virtual_item * vi, int free);
56828 - int (*part_size) (struct virtual_item * vi, int from, int to);
56829 - int (*unit_num) (struct virtual_item * vi);
56830 - void (*print_vi) (struct virtual_item * vi);
56831 + int (* const check_right) (struct virtual_item * vi, int free);
56832 + int (* const part_size) (struct virtual_item * vi, int from, int to);
56833 + int (* const unit_num) (struct virtual_item * vi);
56834 + void (* const print_vi) (struct virtual_item * vi);
56837 -extern struct item_operations *item_ops[TYPE_ANY + 1];
56838 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
56840 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
56841 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
56842 diff -urNp linux-2.6.32.42/include/linux/reiserfs_fs_sb.h linux-2.6.32.42/include/linux/reiserfs_fs_sb.h
56843 --- linux-2.6.32.42/include/linux/reiserfs_fs_sb.h 2011-03-27 14:31:47.000000000 -0400
56844 +++ linux-2.6.32.42/include/linux/reiserfs_fs_sb.h 2011-04-17 15:56:46.000000000 -0400
56845 @@ -377,7 +377,7 @@ struct reiserfs_sb_info {
56846 /* Comment? -Hans */
56847 wait_queue_head_t s_wait;
56848 /* To be obsoleted soon by per buffer seals.. -Hans */
56849 - atomic_t s_generation_counter; // increased by one every time the
56850 + atomic_unchecked_t s_generation_counter; // increased by one every time the
56851 // tree gets re-balanced
56852 unsigned long s_properties; /* File system properties. Currently holds
56853 on-disk FS format */
56854 diff -urNp linux-2.6.32.42/include/linux/sched.h linux-2.6.32.42/include/linux/sched.h
56855 --- linux-2.6.32.42/include/linux/sched.h 2011-03-27 14:31:47.000000000 -0400
56856 +++ linux-2.6.32.42/include/linux/sched.h 2011-06-04 20:42:54.000000000 -0400
56857 @@ -101,6 +101,7 @@ struct bio;
56859 struct bts_context;
56860 struct perf_event_context;
56861 +struct linux_binprm;
56864 * List of flags we want to share for kernel threads,
56865 @@ -350,7 +351,7 @@ extern signed long schedule_timeout_kill
56866 extern signed long schedule_timeout_uninterruptible(signed long timeout);
56867 asmlinkage void __schedule(void);
56868 asmlinkage void schedule(void);
56869 -extern int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner);
56870 +extern int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner);
56873 struct user_namespace;
56874 @@ -371,9 +372,12 @@ struct user_namespace;
56875 #define DEFAULT_MAX_MAP_COUNT (USHORT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
56877 extern int sysctl_max_map_count;
56878 +extern unsigned long sysctl_heap_stack_gap;
56880 #include <linux/aio.h>
56882 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
56883 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
56884 extern unsigned long
56885 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
56886 unsigned long, unsigned long);
56887 @@ -666,6 +670,16 @@ struct signal_struct {
56888 struct tty_audit_buf *tty_audit_buf;
56891 +#ifdef CONFIG_GRKERNSEC
56898 + u8 used_accept:1;
56901 int oom_adj; /* OOM kill score adjustment (bit shift) */
56904 @@ -723,6 +737,11 @@ struct user_struct {
56905 struct key *session_keyring; /* UID's default session keyring */
56908 +#if defined(CONFIG_GRKERNSEC_KERN_LOCKOUT) || defined(CONFIG_GRKERNSEC_BRUTE)
56909 + unsigned int banned;
56910 + unsigned long ban_expires;
56913 /* Hash table maintenance information */
56914 struct hlist_node uidhash_node;
56916 @@ -1328,8 +1347,8 @@ struct task_struct {
56917 struct list_head thread_group;
56919 struct completion *vfork_done; /* for vfork() */
56920 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
56921 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
56922 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
56923 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
56925 cputime_t utime, stime, utimescaled, stimescaled;
56927 @@ -1343,16 +1362,6 @@ struct task_struct {
56928 struct task_cputime cputime_expires;
56929 struct list_head cpu_timers[3];
56931 -/* process credentials */
56932 - const struct cred *real_cred; /* objective and real subjective task
56933 - * credentials (COW) */
56934 - const struct cred *cred; /* effective (overridable) subjective task
56935 - * credentials (COW) */
56936 - struct mutex cred_guard_mutex; /* guard against foreign influences on
56937 - * credential calculations
56938 - * (notably. ptrace) */
56939 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
56941 char comm[TASK_COMM_LEN]; /* executable name excluding path
56942 - access with [gs]et_task_comm (which lock
56943 it with task_lock())
56944 @@ -1369,6 +1378,10 @@ struct task_struct {
56946 /* CPU-specific state of this task */
56947 struct thread_struct thread;
56948 +/* thread_info moved to task_struct */
56950 + struct thread_info tinfo;
56952 /* filesystem information */
56953 struct fs_struct *fs;
56954 /* open file information */
56955 @@ -1436,6 +1449,15 @@ struct task_struct {
56956 int hardirq_context;
56957 int softirq_context;
56960 +/* process credentials */
56961 + const struct cred *real_cred; /* objective and real subjective task
56962 + * credentials (COW) */
56963 + struct mutex cred_guard_mutex; /* guard against foreign influences on
56964 + * credential calculations
56965 + * (notably. ptrace) */
56966 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
56968 #ifdef CONFIG_LOCKDEP
56969 # define MAX_LOCK_DEPTH 48UL
56970 u64 curr_chain_key;
56971 @@ -1456,6 +1478,9 @@ struct task_struct {
56973 struct backing_dev_info *backing_dev_info;
56975 + const struct cred *cred; /* effective (overridable) subjective task
56976 + * credentials (COW) */
56978 struct io_context *io_context;
56980 unsigned long ptrace_message;
56981 @@ -1519,6 +1544,21 @@ struct task_struct {
56982 unsigned long default_timer_slack_ns;
56984 struct list_head *scm_work_list;
56986 +#ifdef CONFIG_GRKERNSEC
56988 + struct dentry *gr_chroot_dentry;
56989 + struct acl_subject_label *acl;
56990 + struct acl_role_label *role;
56991 + struct file *exec_file;
56993 + /* is this the task that authenticated to the special role */
56997 + u8 gr_is_chrooted;
57000 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
57001 /* Index of current stored adress in ret_stack */
57002 int curr_ret_stack;
57003 @@ -1542,6 +1582,57 @@ struct task_struct {
57004 #endif /* CONFIG_TRACING */
57007 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
57008 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
57009 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
57010 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
57011 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
57012 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
57014 +#ifdef CONFIG_PAX_SOFTMODE
57015 +extern unsigned int pax_softmode;
57018 +extern int pax_check_flags(unsigned long *);
57020 +/* if tsk != current then task_lock must be held on it */
57021 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
57022 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
57024 + if (likely(tsk->mm))
57025 + return tsk->mm->pax_flags;
57030 +/* if tsk != current then task_lock must be held on it */
57031 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
57033 + if (likely(tsk->mm)) {
57034 + tsk->mm->pax_flags = flags;
57041 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
57042 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
57043 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
57044 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
57047 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
57048 +void pax_report_insns(void *pc, void *sp);
57049 +void pax_report_refcount_overflow(struct pt_regs *regs);
57050 +void pax_report_usercopy(const void *ptr, unsigned long len, bool to, const char *type);
57052 +#ifdef CONFIG_PAX_MEMORY_STACKLEAK
57053 +extern void pax_track_stack(void);
57055 +static inline void pax_track_stack(void) {}
57058 /* Future-safe accessor for struct task_struct's cpus_allowed. */
57059 #define tsk_cpumask(tsk) (&(tsk)->cpus_allowed)
57061 @@ -1978,7 +2069,9 @@ void yield(void);
57062 extern struct exec_domain default_exec_domain;
57064 union thread_union {
57065 +#ifndef CONFIG_X86
57066 struct thread_info thread_info;
57068 unsigned long stack[THREAD_SIZE/sizeof(long)];
57071 @@ -2155,7 +2248,7 @@ extern void __cleanup_sighand(struct sig
57072 extern void exit_itimers(struct signal_struct *);
57073 extern void flush_itimer_signals(void);
57075 -extern NORET_TYPE void do_group_exit(int);
57076 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
57078 extern void daemonize(const char *, ...);
57079 extern int allow_signal(int);
57080 @@ -2284,13 +2377,17 @@ static inline unsigned long *end_of_stac
57084 -static inline int object_is_on_stack(void *obj)
57085 +static inline int object_starts_on_stack(void *obj)
57087 - void *stack = task_stack_page(current);
57088 + const void *stack = task_stack_page(current);
57090 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
57093 +#ifdef CONFIG_PAX_USERCOPY
57094 +extern int object_is_on_stack(const void *obj, unsigned long len);
57097 extern void thread_info_cache_init(void);
57099 #ifdef CONFIG_DEBUG_STACK_USAGE
57100 diff -urNp linux-2.6.32.42/include/linux/screen_info.h linux-2.6.32.42/include/linux/screen_info.h
57101 --- linux-2.6.32.42/include/linux/screen_info.h 2011-03-27 14:31:47.000000000 -0400
57102 +++ linux-2.6.32.42/include/linux/screen_info.h 2011-04-17 15:56:46.000000000 -0400
57103 @@ -42,7 +42,8 @@ struct screen_info {
57104 __u16 pages; /* 0x32 */
57105 __u16 vesa_attributes; /* 0x34 */
57106 __u32 capabilities; /* 0x36 */
57107 - __u8 _reserved[6]; /* 0x3a */
57108 + __u16 vesapm_size; /* 0x3a */
57109 + __u8 _reserved[4]; /* 0x3c */
57110 } __attribute__((packed));
57112 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
57113 diff -urNp linux-2.6.32.42/include/linux/security.h linux-2.6.32.42/include/linux/security.h
57114 --- linux-2.6.32.42/include/linux/security.h 2011-03-27 14:31:47.000000000 -0400
57115 +++ linux-2.6.32.42/include/linux/security.h 2011-04-17 15:56:46.000000000 -0400
57117 #include <linux/key.h>
57118 #include <linux/xfrm.h>
57119 #include <linux/gfp.h>
57120 +#include <linux/grsecurity.h>
57121 #include <net/flow.h>
57123 /* Maximum number of letters for an LSM name string */
57124 diff -urNp linux-2.6.32.42/include/linux/shm.h linux-2.6.32.42/include/linux/shm.h
57125 --- linux-2.6.32.42/include/linux/shm.h 2011-03-27 14:31:47.000000000 -0400
57126 +++ linux-2.6.32.42/include/linux/shm.h 2011-04-17 15:56:46.000000000 -0400
57127 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
57130 struct user_struct *mlock_user;
57131 +#ifdef CONFIG_GRKERNSEC
57132 + time_t shm_createtime;
57137 /* shm_mode upper byte flags */
57138 diff -urNp linux-2.6.32.42/include/linux/skbuff.h linux-2.6.32.42/include/linux/skbuff.h
57139 --- linux-2.6.32.42/include/linux/skbuff.h 2011-03-27 14:31:47.000000000 -0400
57140 +++ linux-2.6.32.42/include/linux/skbuff.h 2011-05-04 17:56:20.000000000 -0400
57141 @@ -544,7 +544,7 @@ static inline union skb_shared_tx *skb_t
57143 static inline int skb_queue_empty(const struct sk_buff_head *list)
57145 - return list->next == (struct sk_buff *)list;
57146 + return list->next == (const struct sk_buff *)list;
57150 @@ -557,7 +557,7 @@ static inline int skb_queue_empty(const
57151 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
57152 const struct sk_buff *skb)
57154 - return (skb->next == (struct sk_buff *) list);
57155 + return (skb->next == (const struct sk_buff *) list);
57159 @@ -570,7 +570,7 @@ static inline bool skb_queue_is_last(con
57160 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
57161 const struct sk_buff *skb)
57163 - return (skb->prev == (struct sk_buff *) list);
57164 + return (skb->prev == (const struct sk_buff *) list);
57168 @@ -1367,7 +1367,7 @@ static inline int skb_network_offset(con
57169 * headroom, you should not reduce this.
57171 #ifndef NET_SKB_PAD
57172 -#define NET_SKB_PAD 32
57173 +#define NET_SKB_PAD (_AC(32,U))
57176 extern int ___pskb_trim(struct sk_buff *skb, unsigned int len);
57177 diff -urNp linux-2.6.32.42/include/linux/slab_def.h linux-2.6.32.42/include/linux/slab_def.h
57178 --- linux-2.6.32.42/include/linux/slab_def.h 2011-03-27 14:31:47.000000000 -0400
57179 +++ linux-2.6.32.42/include/linux/slab_def.h 2011-05-04 17:56:28.000000000 -0400
57180 @@ -69,10 +69,10 @@ struct kmem_cache {
57181 unsigned long node_allocs;
57182 unsigned long node_frees;
57183 unsigned long node_overflow;
57184 - atomic_t allochit;
57185 - atomic_t allocmiss;
57186 - atomic_t freehit;
57187 - atomic_t freemiss;
57188 + atomic_unchecked_t allochit;
57189 + atomic_unchecked_t allocmiss;
57190 + atomic_unchecked_t freehit;
57191 + atomic_unchecked_t freemiss;
57194 * If debugging is enabled, then the allocator can add additional
57195 diff -urNp linux-2.6.32.42/include/linux/slab.h linux-2.6.32.42/include/linux/slab.h
57196 --- linux-2.6.32.42/include/linux/slab.h 2011-03-27 14:31:47.000000000 -0400
57197 +++ linux-2.6.32.42/include/linux/slab.h 2011-04-17 15:56:46.000000000 -0400
57198 @@ -11,12 +11,20 @@
57200 #include <linux/gfp.h>
57201 #include <linux/types.h>
57202 +#include <linux/err.h>
57205 * Flags to pass to kmem_cache_create().
57206 * The ones marked DEBUG are only valid if CONFIG_SLAB_DEBUG is set.
57208 #define SLAB_DEBUG_FREE 0x00000100UL /* DEBUG: Perform (expensive) checks on free */
57210 +#ifdef CONFIG_PAX_USERCOPY
57211 +#define SLAB_USERCOPY 0x00000200UL /* PaX: Allow copying objs to/from userland */
57213 +#define SLAB_USERCOPY 0x00000000UL
57216 #define SLAB_RED_ZONE 0x00000400UL /* DEBUG: Red zone objs in a cache */
57217 #define SLAB_POISON 0x00000800UL /* DEBUG: Poison objects */
57218 #define SLAB_HWCACHE_ALIGN 0x00002000UL /* Align objs on cache lines */
57219 @@ -82,10 +90,13 @@
57220 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
57221 * Both make kfree a no-op.
57223 -#define ZERO_SIZE_PTR ((void *)16)
57224 +#define ZERO_SIZE_PTR \
57226 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
57227 + (void *)(-MAX_ERRNO-1L); \
57230 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
57231 - (unsigned long)ZERO_SIZE_PTR)
57232 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
57235 * struct kmem_cache related prototypes
57236 @@ -138,6 +149,7 @@ void * __must_check krealloc(const void
57237 void kfree(const void *);
57238 void kzfree(const void *);
57239 size_t ksize(const void *);
57240 +void check_object_size(const void *ptr, unsigned long n, bool to);
57243 * Allocator specific definitions. These are mainly used to establish optimized
57244 @@ -328,4 +340,37 @@ static inline void *kzalloc_node(size_t
57246 void __init kmem_cache_init_late(void);
57248 +#define kmalloc(x, y) \
57250 + void *___retval; \
57251 + intoverflow_t ___x = (intoverflow_t)x; \
57252 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
57253 + ___retval = NULL; \
57255 + ___retval = kmalloc((size_t)___x, (y)); \
57259 +#define kmalloc_node(x, y, z) \
57261 + void *___retval; \
57262 + intoverflow_t ___x = (intoverflow_t)x; \
57263 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
57264 + ___retval = NULL; \
57266 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
57270 +#define kzalloc(x, y) \
57272 + void *___retval; \
57273 + intoverflow_t ___x = (intoverflow_t)x; \
57274 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
57275 + ___retval = NULL; \
57277 + ___retval = kzalloc((size_t)___x, (y)); \
57281 #endif /* _LINUX_SLAB_H */
57282 diff -urNp linux-2.6.32.42/include/linux/slub_def.h linux-2.6.32.42/include/linux/slub_def.h
57283 --- linux-2.6.32.42/include/linux/slub_def.h 2011-03-27 14:31:47.000000000 -0400
57284 +++ linux-2.6.32.42/include/linux/slub_def.h 2011-04-17 15:56:46.000000000 -0400
57285 @@ -86,7 +86,7 @@ struct kmem_cache {
57286 struct kmem_cache_order_objects max;
57287 struct kmem_cache_order_objects min;
57288 gfp_t allocflags; /* gfp flags to use on each alloc */
57289 - int refcount; /* Refcount for slab cache destroy */
57290 + atomic_t refcount; /* Refcount for slab cache destroy */
57291 void (*ctor)(void *);
57292 int inuse; /* Offset to metadata */
57293 int align; /* Alignment */
57294 diff -urNp linux-2.6.32.42/include/linux/sonet.h linux-2.6.32.42/include/linux/sonet.h
57295 --- linux-2.6.32.42/include/linux/sonet.h 2011-03-27 14:31:47.000000000 -0400
57296 +++ linux-2.6.32.42/include/linux/sonet.h 2011-04-17 15:56:46.000000000 -0400
57297 @@ -61,7 +61,7 @@ struct sonet_stats {
57298 #include <asm/atomic.h>
57300 struct k_sonet_stats {
57301 -#define __HANDLE_ITEM(i) atomic_t i
57302 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
57304 #undef __HANDLE_ITEM
57306 diff -urNp linux-2.6.32.42/include/linux/sunrpc/clnt.h linux-2.6.32.42/include/linux/sunrpc/clnt.h
57307 --- linux-2.6.32.42/include/linux/sunrpc/clnt.h 2011-03-27 14:31:47.000000000 -0400
57308 +++ linux-2.6.32.42/include/linux/sunrpc/clnt.h 2011-04-17 15:56:46.000000000 -0400
57309 @@ -167,9 +167,9 @@ static inline unsigned short rpc_get_por
57311 switch (sap->sa_family) {
57313 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
57314 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
57316 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
57317 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
57321 @@ -202,7 +202,7 @@ static inline bool __rpc_cmp_addr4(const
57322 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
57323 const struct sockaddr *src)
57325 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
57326 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
57327 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
57329 dsin->sin_family = ssin->sin_family;
57330 @@ -299,7 +299,7 @@ static inline u32 rpc_get_scope_id(const
57331 if (sa->sa_family != AF_INET6)
57334 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
57335 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
57338 #endif /* __KERNEL__ */
57339 diff -urNp linux-2.6.32.42/include/linux/sunrpc/svc_rdma.h linux-2.6.32.42/include/linux/sunrpc/svc_rdma.h
57340 --- linux-2.6.32.42/include/linux/sunrpc/svc_rdma.h 2011-03-27 14:31:47.000000000 -0400
57341 +++ linux-2.6.32.42/include/linux/sunrpc/svc_rdma.h 2011-05-04 17:56:28.000000000 -0400
57342 @@ -53,15 +53,15 @@ extern unsigned int svcrdma_ord;
57343 extern unsigned int svcrdma_max_requests;
57344 extern unsigned int svcrdma_max_req_size;
57346 -extern atomic_t rdma_stat_recv;
57347 -extern atomic_t rdma_stat_read;
57348 -extern atomic_t rdma_stat_write;
57349 -extern atomic_t rdma_stat_sq_starve;
57350 -extern atomic_t rdma_stat_rq_starve;
57351 -extern atomic_t rdma_stat_rq_poll;
57352 -extern atomic_t rdma_stat_rq_prod;
57353 -extern atomic_t rdma_stat_sq_poll;
57354 -extern atomic_t rdma_stat_sq_prod;
57355 +extern atomic_unchecked_t rdma_stat_recv;
57356 +extern atomic_unchecked_t rdma_stat_read;
57357 +extern atomic_unchecked_t rdma_stat_write;
57358 +extern atomic_unchecked_t rdma_stat_sq_starve;
57359 +extern atomic_unchecked_t rdma_stat_rq_starve;
57360 +extern atomic_unchecked_t rdma_stat_rq_poll;
57361 +extern atomic_unchecked_t rdma_stat_rq_prod;
57362 +extern atomic_unchecked_t rdma_stat_sq_poll;
57363 +extern atomic_unchecked_t rdma_stat_sq_prod;
57365 #define RPCRDMA_VERSION 1
57367 diff -urNp linux-2.6.32.42/include/linux/suspend.h linux-2.6.32.42/include/linux/suspend.h
57368 --- linux-2.6.32.42/include/linux/suspend.h 2011-03-27 14:31:47.000000000 -0400
57369 +++ linux-2.6.32.42/include/linux/suspend.h 2011-04-17 15:56:46.000000000 -0400
57370 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
57371 * which require special recovery actions in that situation.
57373 struct platform_suspend_ops {
57374 - int (*valid)(suspend_state_t state);
57375 - int (*begin)(suspend_state_t state);
57376 - int (*prepare)(void);
57377 - int (*prepare_late)(void);
57378 - int (*enter)(suspend_state_t state);
57379 - void (*wake)(void);
57380 - void (*finish)(void);
57381 - void (*end)(void);
57382 - void (*recover)(void);
57383 + int (* const valid)(suspend_state_t state);
57384 + int (* const begin)(suspend_state_t state);
57385 + int (* const prepare)(void);
57386 + int (* const prepare_late)(void);
57387 + int (* const enter)(suspend_state_t state);
57388 + void (* const wake)(void);
57389 + void (* const finish)(void);
57390 + void (* const end)(void);
57391 + void (* const recover)(void);
57394 #ifdef CONFIG_SUSPEND
57395 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
57396 * suspend_set_ops - set platform dependent suspend operations
57397 * @ops: The new suspend operations to set.
57399 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
57400 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
57401 extern int suspend_valid_only_mem(suspend_state_t state);
57404 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
57405 #else /* !CONFIG_SUSPEND */
57406 #define suspend_valid_only_mem NULL
57408 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
57409 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
57410 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
57411 #endif /* !CONFIG_SUSPEND */
57413 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone
57414 * platforms which require special recovery actions in that situation.
57416 struct platform_hibernation_ops {
57417 - int (*begin)(void);
57418 - void (*end)(void);
57419 - int (*pre_snapshot)(void);
57420 - void (*finish)(void);
57421 - int (*prepare)(void);
57422 - int (*enter)(void);
57423 - void (*leave)(void);
57424 - int (*pre_restore)(void);
57425 - void (*restore_cleanup)(void);
57426 - void (*recover)(void);
57427 + int (* const begin)(void);
57428 + void (* const end)(void);
57429 + int (* const pre_snapshot)(void);
57430 + void (* const finish)(void);
57431 + int (* const prepare)(void);
57432 + int (* const enter)(void);
57433 + void (* const leave)(void);
57434 + int (* const pre_restore)(void);
57435 + void (* const restore_cleanup)(void);
57436 + void (* const recover)(void);
57439 #ifdef CONFIG_HIBERNATION
57440 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct
57441 extern void swsusp_unset_page_free(struct page *);
57442 extern unsigned long get_safe_page(gfp_t gfp_mask);
57444 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
57445 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
57446 extern int hibernate(void);
57447 extern bool system_entering_hibernation(void);
57448 #else /* CONFIG_HIBERNATION */
57449 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
57450 static inline void swsusp_set_page_free(struct page *p) {}
57451 static inline void swsusp_unset_page_free(struct page *p) {}
57453 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
57454 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
57455 static inline int hibernate(void) { return -ENOSYS; }
57456 static inline bool system_entering_hibernation(void) { return false; }
57457 #endif /* CONFIG_HIBERNATION */
57458 diff -urNp linux-2.6.32.42/include/linux/sysctl.h linux-2.6.32.42/include/linux/sysctl.h
57459 --- linux-2.6.32.42/include/linux/sysctl.h 2011-03-27 14:31:47.000000000 -0400
57460 +++ linux-2.6.32.42/include/linux/sysctl.h 2011-04-17 15:56:46.000000000 -0400
57461 @@ -164,7 +164,11 @@ enum
57462 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
57466 +#ifdef CONFIG_PAX_SOFTMODE
57468 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
57472 /* CTL_VM names: */
57474 @@ -982,6 +986,8 @@ typedef int proc_handler (struct ctl_tab
57476 extern int proc_dostring(struct ctl_table *, int,
57477 void __user *, size_t *, loff_t *);
57478 +extern int proc_dostring_modpriv(struct ctl_table *, int,
57479 + void __user *, size_t *, loff_t *);
57480 extern int proc_dointvec(struct ctl_table *, int,
57481 void __user *, size_t *, loff_t *);
57482 extern int proc_dointvec_minmax(struct ctl_table *, int,
57483 @@ -1003,6 +1009,7 @@ extern int do_sysctl (int __user *name,
57485 extern ctl_handler sysctl_data;
57486 extern ctl_handler sysctl_string;
57487 +extern ctl_handler sysctl_string_modpriv;
57488 extern ctl_handler sysctl_intvec;
57489 extern ctl_handler sysctl_jiffies;
57490 extern ctl_handler sysctl_ms_jiffies;
57491 diff -urNp linux-2.6.32.42/include/linux/sysfs.h linux-2.6.32.42/include/linux/sysfs.h
57492 --- linux-2.6.32.42/include/linux/sysfs.h 2011-03-27 14:31:47.000000000 -0400
57493 +++ linux-2.6.32.42/include/linux/sysfs.h 2011-04-17 15:56:46.000000000 -0400
57494 @@ -75,8 +75,8 @@ struct bin_attribute {
57498 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
57499 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
57500 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
57501 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
57504 struct sysfs_dirent;
57505 diff -urNp linux-2.6.32.42/include/linux/thread_info.h linux-2.6.32.42/include/linux/thread_info.h
57506 --- linux-2.6.32.42/include/linux/thread_info.h 2011-03-27 14:31:47.000000000 -0400
57507 +++ linux-2.6.32.42/include/linux/thread_info.h 2011-04-17 15:56:46.000000000 -0400
57508 @@ -23,7 +23,7 @@ struct restart_block {
57510 /* For futex_wait and futex_wait_requeue_pi */
57513 + u32 __user *uaddr;
57517 diff -urNp linux-2.6.32.42/include/linux/tty.h linux-2.6.32.42/include/linux/tty.h
57518 --- linux-2.6.32.42/include/linux/tty.h 2011-03-27 14:31:47.000000000 -0400
57519 +++ linux-2.6.32.42/include/linux/tty.h 2011-04-17 15:56:46.000000000 -0400
57521 #include <linux/tty_driver.h>
57522 #include <linux/tty_ldisc.h>
57523 #include <linux/mutex.h>
57524 +#include <linux/poll.h>
57526 #include <asm/system.h>
57528 @@ -443,7 +444,6 @@ extern int tty_perform_flush(struct tty_
57529 extern dev_t tty_devnum(struct tty_struct *tty);
57530 extern void proc_clear_tty(struct task_struct *p);
57531 extern struct tty_struct *get_current_tty(void);
57532 -extern void tty_default_fops(struct file_operations *fops);
57533 extern struct tty_struct *alloc_tty_struct(void);
57534 extern void free_tty_struct(struct tty_struct *tty);
57535 extern void initialize_tty_struct(struct tty_struct *tty,
57536 @@ -493,6 +493,18 @@ extern void tty_ldisc_begin(void);
57537 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
57538 extern void tty_ldisc_enable(struct tty_struct *tty);
57541 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
57542 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
57543 +extern unsigned int tty_poll(struct file *, poll_table *);
57544 +#ifdef CONFIG_COMPAT
57545 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
57546 + unsigned long arg);
57548 +#define tty_compat_ioctl NULL
57550 +extern int tty_release(struct inode *, struct file *);
57551 +extern int tty_fasync(int fd, struct file *filp, int on);
57554 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
57555 diff -urNp linux-2.6.32.42/include/linux/tty_ldisc.h linux-2.6.32.42/include/linux/tty_ldisc.h
57556 --- linux-2.6.32.42/include/linux/tty_ldisc.h 2011-03-27 14:31:47.000000000 -0400
57557 +++ linux-2.6.32.42/include/linux/tty_ldisc.h 2011-04-17 15:56:46.000000000 -0400
57558 @@ -139,7 +139,7 @@ struct tty_ldisc_ops {
57560 struct module *owner;
57563 + atomic_t refcount;
57567 diff -urNp linux-2.6.32.42/include/linux/types.h linux-2.6.32.42/include/linux/types.h
57568 --- linux-2.6.32.42/include/linux/types.h 2011-03-27 14:31:47.000000000 -0400
57569 +++ linux-2.6.32.42/include/linux/types.h 2011-04-17 15:56:46.000000000 -0400
57570 @@ -191,10 +191,26 @@ typedef struct {
57571 volatile int counter;
57574 +#ifdef CONFIG_PAX_REFCOUNT
57576 + volatile int counter;
57577 +} atomic_unchecked_t;
57579 +typedef atomic_t atomic_unchecked_t;
57582 #ifdef CONFIG_64BIT
57584 volatile long counter;
57587 +#ifdef CONFIG_PAX_REFCOUNT
57589 + volatile long counter;
57590 +} atomic64_unchecked_t;
57592 +typedef atomic64_t atomic64_unchecked_t;
57597 diff -urNp linux-2.6.32.42/include/linux/uaccess.h linux-2.6.32.42/include/linux/uaccess.h
57598 --- linux-2.6.32.42/include/linux/uaccess.h 2011-03-27 14:31:47.000000000 -0400
57599 +++ linux-2.6.32.42/include/linux/uaccess.h 2011-04-17 15:56:46.000000000 -0400
57600 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
57602 mm_segment_t old_fs = get_fs(); \
57604 - set_fs(KERNEL_DS); \
57605 pagefault_disable(); \
57606 + set_fs(KERNEL_DS); \
57607 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
57608 - pagefault_enable(); \
57610 + pagefault_enable(); \
57614 @@ -93,7 +93,7 @@ static inline unsigned long __copy_from_
57615 * Safely read from address @src to the buffer at @dst. If a kernel fault
57616 * happens, handle that and return -EFAULT.
57618 -extern long probe_kernel_read(void *dst, void *src, size_t size);
57619 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
57622 * probe_kernel_write(): safely attempt to write to a location
57623 @@ -104,6 +104,6 @@ extern long probe_kernel_read(void *dst,
57624 * Safely write to address @dst from the buffer at @src. If a kernel fault
57625 * happens, handle that and return -EFAULT.
57627 -extern long probe_kernel_write(void *dst, void *src, size_t size);
57628 +extern long probe_kernel_write(void *dst, const void *src, size_t size);
57630 #endif /* __LINUX_UACCESS_H__ */
57631 diff -urNp linux-2.6.32.42/include/linux/unaligned/access_ok.h linux-2.6.32.42/include/linux/unaligned/access_ok.h
57632 --- linux-2.6.32.42/include/linux/unaligned/access_ok.h 2011-03-27 14:31:47.000000000 -0400
57633 +++ linux-2.6.32.42/include/linux/unaligned/access_ok.h 2011-04-17 15:56:46.000000000 -0400
57636 static inline u16 get_unaligned_le16(const void *p)
57638 - return le16_to_cpup((__le16 *)p);
57639 + return le16_to_cpup((const __le16 *)p);
57642 static inline u32 get_unaligned_le32(const void *p)
57644 - return le32_to_cpup((__le32 *)p);
57645 + return le32_to_cpup((const __le32 *)p);
57648 static inline u64 get_unaligned_le64(const void *p)
57650 - return le64_to_cpup((__le64 *)p);
57651 + return le64_to_cpup((const __le64 *)p);
57654 static inline u16 get_unaligned_be16(const void *p)
57656 - return be16_to_cpup((__be16 *)p);
57657 + return be16_to_cpup((const __be16 *)p);
57660 static inline u32 get_unaligned_be32(const void *p)
57662 - return be32_to_cpup((__be32 *)p);
57663 + return be32_to_cpup((const __be32 *)p);
57666 static inline u64 get_unaligned_be64(const void *p)
57668 - return be64_to_cpup((__be64 *)p);
57669 + return be64_to_cpup((const __be64 *)p);
57672 static inline void put_unaligned_le16(u16 val, void *p)
57673 diff -urNp linux-2.6.32.42/include/linux/vmalloc.h linux-2.6.32.42/include/linux/vmalloc.h
57674 --- linux-2.6.32.42/include/linux/vmalloc.h 2011-03-27 14:31:47.000000000 -0400
57675 +++ linux-2.6.32.42/include/linux/vmalloc.h 2011-04-17 15:56:46.000000000 -0400
57676 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
57677 #define VM_MAP 0x00000004 /* vmap()ed pages */
57678 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
57679 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
57681 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
57682 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
57685 /* bits [20..32] reserved for arch specific ioremap internals */
57688 @@ -123,4 +128,81 @@ struct vm_struct **pcpu_get_vm_areas(con
57690 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
57692 +#define vmalloc(x) \
57694 + void *___retval; \
57695 + intoverflow_t ___x = (intoverflow_t)x; \
57696 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
57697 + ___retval = NULL; \
57699 + ___retval = vmalloc((unsigned long)___x); \
57703 +#define __vmalloc(x, y, z) \
57705 + void *___retval; \
57706 + intoverflow_t ___x = (intoverflow_t)x; \
57707 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
57708 + ___retval = NULL; \
57710 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
57714 +#define vmalloc_user(x) \
57716 + void *___retval; \
57717 + intoverflow_t ___x = (intoverflow_t)x; \
57718 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
57719 + ___retval = NULL; \
57721 + ___retval = vmalloc_user((unsigned long)___x); \
57725 +#define vmalloc_exec(x) \
57727 + void *___retval; \
57728 + intoverflow_t ___x = (intoverflow_t)x; \
57729 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
57730 + ___retval = NULL; \
57732 + ___retval = vmalloc_exec((unsigned long)___x); \
57736 +#define vmalloc_node(x, y) \
57738 + void *___retval; \
57739 + intoverflow_t ___x = (intoverflow_t)x; \
57740 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
57741 + ___retval = NULL; \
57743 + ___retval = vmalloc_node((unsigned long)___x, (y));\
57747 +#define vmalloc_32(x) \
57749 + void *___retval; \
57750 + intoverflow_t ___x = (intoverflow_t)x; \
57751 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
57752 + ___retval = NULL; \
57754 + ___retval = vmalloc_32((unsigned long)___x); \
57758 +#define vmalloc_32_user(x) \
57760 + void *___retval; \
57761 + intoverflow_t ___x = (intoverflow_t)x; \
57762 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
57763 + ___retval = NULL; \
57765 + ___retval = vmalloc_32_user((unsigned long)___x);\
57769 #endif /* _LINUX_VMALLOC_H */
57770 diff -urNp linux-2.6.32.42/include/linux/vmstat.h linux-2.6.32.42/include/linux/vmstat.h
57771 --- linux-2.6.32.42/include/linux/vmstat.h 2011-03-27 14:31:47.000000000 -0400
57772 +++ linux-2.6.32.42/include/linux/vmstat.h 2011-04-17 15:56:46.000000000 -0400
57773 @@ -136,18 +136,18 @@ static inline void vm_events_fold_cpu(in
57775 * Zone based page accounting with per cpu differentials.
57777 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
57778 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
57780 static inline void zone_page_state_add(long x, struct zone *zone,
57781 enum zone_stat_item item)
57783 - atomic_long_add(x, &zone->vm_stat[item]);
57784 - atomic_long_add(x, &vm_stat[item]);
57785 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
57786 + atomic_long_add_unchecked(x, &vm_stat[item]);
57789 static inline unsigned long global_page_state(enum zone_stat_item item)
57791 - long x = atomic_long_read(&vm_stat[item]);
57792 + long x = atomic_long_read_unchecked(&vm_stat[item]);
57796 @@ -158,7 +158,7 @@ static inline unsigned long global_page_
57797 static inline unsigned long zone_page_state(struct zone *zone,
57798 enum zone_stat_item item)
57800 - long x = atomic_long_read(&zone->vm_stat[item]);
57801 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
57805 @@ -175,7 +175,7 @@ static inline unsigned long zone_page_st
57806 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
57807 enum zone_stat_item item)
57809 - long x = atomic_long_read(&zone->vm_stat[item]);
57810 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
57814 @@ -264,8 +264,8 @@ static inline void __mod_zone_page_state
57816 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
57818 - atomic_long_inc(&zone->vm_stat[item]);
57819 - atomic_long_inc(&vm_stat[item]);
57820 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
57821 + atomic_long_inc_unchecked(&vm_stat[item]);
57824 static inline void __inc_zone_page_state(struct page *page,
57825 @@ -276,8 +276,8 @@ static inline void __inc_zone_page_state
57827 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
57829 - atomic_long_dec(&zone->vm_stat[item]);
57830 - atomic_long_dec(&vm_stat[item]);
57831 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
57832 + atomic_long_dec_unchecked(&vm_stat[item]);
57835 static inline void __dec_zone_page_state(struct page *page,
57836 diff -urNp linux-2.6.32.42/include/media/v4l2-device.h linux-2.6.32.42/include/media/v4l2-device.h
57837 --- linux-2.6.32.42/include/media/v4l2-device.h 2011-03-27 14:31:47.000000000 -0400
57838 +++ linux-2.6.32.42/include/media/v4l2-device.h 2011-05-04 17:56:28.000000000 -0400
57839 @@ -71,7 +71,7 @@ int __must_check v4l2_device_register(st
57840 this function returns 0. If the name ends with a digit (e.g. cx18),
57841 then the name will be set to cx18-0 since cx180 looks really odd. */
57842 int v4l2_device_set_name(struct v4l2_device *v4l2_dev, const char *basename,
57843 - atomic_t *instance);
57844 + atomic_unchecked_t *instance);
57846 /* Set v4l2_dev->dev to NULL. Call when the USB parent disconnects.
57847 Since the parent disappears this ensures that v4l2_dev doesn't have an
57848 diff -urNp linux-2.6.32.42/include/net/flow.h linux-2.6.32.42/include/net/flow.h
57849 --- linux-2.6.32.42/include/net/flow.h 2011-03-27 14:31:47.000000000 -0400
57850 +++ linux-2.6.32.42/include/net/flow.h 2011-05-04 17:56:28.000000000 -0400
57851 @@ -92,7 +92,7 @@ typedef int (*flow_resolve_t)(struct net
57852 extern void *flow_cache_lookup(struct net *net, struct flowi *key, u16 family,
57853 u8 dir, flow_resolve_t resolver);
57854 extern void flow_cache_flush(void);
57855 -extern atomic_t flow_cache_genid;
57856 +extern atomic_unchecked_t flow_cache_genid;
57858 static inline int flow_cache_uli_match(struct flowi *fl1, struct flowi *fl2)
57860 diff -urNp linux-2.6.32.42/include/net/inetpeer.h linux-2.6.32.42/include/net/inetpeer.h
57861 --- linux-2.6.32.42/include/net/inetpeer.h 2011-03-27 14:31:47.000000000 -0400
57862 +++ linux-2.6.32.42/include/net/inetpeer.h 2011-04-17 15:56:46.000000000 -0400
57863 @@ -24,7 +24,7 @@ struct inet_peer
57864 __u32 dtime; /* the time of last use of not
57865 * referenced entries */
57867 - atomic_t rid; /* Frag reception counter */
57868 + atomic_unchecked_t rid; /* Frag reception counter */
57870 unsigned long tcp_ts_stamp;
57872 diff -urNp linux-2.6.32.42/include/net/ip_vs.h linux-2.6.32.42/include/net/ip_vs.h
57873 --- linux-2.6.32.42/include/net/ip_vs.h 2011-03-27 14:31:47.000000000 -0400
57874 +++ linux-2.6.32.42/include/net/ip_vs.h 2011-05-04 17:56:28.000000000 -0400
57875 @@ -365,7 +365,7 @@ struct ip_vs_conn {
57876 struct ip_vs_conn *control; /* Master control connection */
57877 atomic_t n_control; /* Number of controlled ones */
57878 struct ip_vs_dest *dest; /* real server */
57879 - atomic_t in_pkts; /* incoming packet counter */
57880 + atomic_unchecked_t in_pkts; /* incoming packet counter */
57882 /* packet transmitter for different forwarding methods. If it
57883 mangles the packet, it must return NF_DROP or better NF_STOLEN,
57884 @@ -466,7 +466,7 @@ struct ip_vs_dest {
57885 union nf_inet_addr addr; /* IP address of the server */
57886 __be16 port; /* port number of the server */
57887 volatile unsigned flags; /* dest status flags */
57888 - atomic_t conn_flags; /* flags to copy to conn */
57889 + atomic_unchecked_t conn_flags; /* flags to copy to conn */
57890 atomic_t weight; /* server weight */
57892 atomic_t refcnt; /* reference counter */
57893 diff -urNp linux-2.6.32.42/include/net/irda/ircomm_tty.h linux-2.6.32.42/include/net/irda/ircomm_tty.h
57894 --- linux-2.6.32.42/include/net/irda/ircomm_tty.h 2011-03-27 14:31:47.000000000 -0400
57895 +++ linux-2.6.32.42/include/net/irda/ircomm_tty.h 2011-04-17 15:56:46.000000000 -0400
57897 #include <linux/termios.h>
57898 #include <linux/timer.h>
57899 #include <linux/tty.h> /* struct tty_struct */
57900 +#include <asm/local.h>
57902 #include <net/irda/irias_object.h>
57903 #include <net/irda/ircomm_core.h>
57904 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
57905 unsigned short close_delay;
57906 unsigned short closing_wait; /* time to wait before closing */
57909 - int blocked_open; /* # of blocked opens */
57910 + local_t open_count;
57911 + local_t blocked_open; /* # of blocked opens */
57913 /* Protect concurent access to :
57914 * o self->open_count
57915 diff -urNp linux-2.6.32.42/include/net/iucv/af_iucv.h linux-2.6.32.42/include/net/iucv/af_iucv.h
57916 --- linux-2.6.32.42/include/net/iucv/af_iucv.h 2011-03-27 14:31:47.000000000 -0400
57917 +++ linux-2.6.32.42/include/net/iucv/af_iucv.h 2011-05-04 17:56:28.000000000 -0400
57918 @@ -87,7 +87,7 @@ struct iucv_sock {
57919 struct iucv_sock_list {
57920 struct hlist_head head;
57922 - atomic_t autobind_name;
57923 + atomic_unchecked_t autobind_name;
57926 unsigned int iucv_sock_poll(struct file *file, struct socket *sock,
57927 diff -urNp linux-2.6.32.42/include/net/neighbour.h linux-2.6.32.42/include/net/neighbour.h
57928 --- linux-2.6.32.42/include/net/neighbour.h 2011-03-27 14:31:47.000000000 -0400
57929 +++ linux-2.6.32.42/include/net/neighbour.h 2011-04-17 15:56:46.000000000 -0400
57930 @@ -125,12 +125,12 @@ struct neighbour
57934 - void (*solicit)(struct neighbour *, struct sk_buff*);
57935 - void (*error_report)(struct neighbour *, struct sk_buff*);
57936 - int (*output)(struct sk_buff*);
57937 - int (*connected_output)(struct sk_buff*);
57938 - int (*hh_output)(struct sk_buff*);
57939 - int (*queue_xmit)(struct sk_buff*);
57940 + void (* const solicit)(struct neighbour *, struct sk_buff*);
57941 + void (* const error_report)(struct neighbour *, struct sk_buff*);
57942 + int (* const output)(struct sk_buff*);
57943 + int (* const connected_output)(struct sk_buff*);
57944 + int (* const hh_output)(struct sk_buff*);
57945 + int (* const queue_xmit)(struct sk_buff*);
57948 struct pneigh_entry
57949 diff -urNp linux-2.6.32.42/include/net/netlink.h linux-2.6.32.42/include/net/netlink.h
57950 --- linux-2.6.32.42/include/net/netlink.h 2011-03-27 14:31:47.000000000 -0400
57951 +++ linux-2.6.32.42/include/net/netlink.h 2011-04-17 15:56:46.000000000 -0400
57952 @@ -558,7 +558,7 @@ static inline void *nlmsg_get_pos(struct
57953 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
57956 - skb_trim(skb, (unsigned char *) mark - skb->data);
57957 + skb_trim(skb, (const unsigned char *) mark - skb->data);
57961 diff -urNp linux-2.6.32.42/include/net/netns/ipv4.h linux-2.6.32.42/include/net/netns/ipv4.h
57962 --- linux-2.6.32.42/include/net/netns/ipv4.h 2011-03-27 14:31:47.000000000 -0400
57963 +++ linux-2.6.32.42/include/net/netns/ipv4.h 2011-05-04 17:56:28.000000000 -0400
57964 @@ -54,7 +54,7 @@ struct netns_ipv4 {
57965 int current_rt_cache_rebuild_count;
57967 struct timer_list rt_secret_timer;
57968 - atomic_t rt_genid;
57969 + atomic_unchecked_t rt_genid;
57971 #ifdef CONFIG_IP_MROUTE
57972 struct sock *mroute_sk;
57973 diff -urNp linux-2.6.32.42/include/net/sctp/sctp.h linux-2.6.32.42/include/net/sctp/sctp.h
57974 --- linux-2.6.32.42/include/net/sctp/sctp.h 2011-03-27 14:31:47.000000000 -0400
57975 +++ linux-2.6.32.42/include/net/sctp/sctp.h 2011-04-17 15:56:46.000000000 -0400
57976 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
57978 #else /* SCTP_DEBUG */
57980 -#define SCTP_DEBUG_PRINTK(whatever...)
57981 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
57982 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
57983 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
57984 #define SCTP_ENABLE_DEBUG
57985 #define SCTP_DISABLE_DEBUG
57986 #define SCTP_ASSERT(expr, str, func)
57987 diff -urNp linux-2.6.32.42/include/net/sock.h linux-2.6.32.42/include/net/sock.h
57988 --- linux-2.6.32.42/include/net/sock.h 2011-03-27 14:31:47.000000000 -0400
57989 +++ linux-2.6.32.42/include/net/sock.h 2011-05-04 17:56:28.000000000 -0400
57990 @@ -272,7 +272,7 @@ struct sock {
57991 rwlock_t sk_callback_lock;
57994 - atomic_t sk_drops;
57995 + atomic_unchecked_t sk_drops;
57996 unsigned short sk_ack_backlog;
57997 unsigned short sk_max_ack_backlog;
57999 diff -urNp linux-2.6.32.42/include/net/tcp.h linux-2.6.32.42/include/net/tcp.h
58000 --- linux-2.6.32.42/include/net/tcp.h 2011-03-27 14:31:47.000000000 -0400
58001 +++ linux-2.6.32.42/include/net/tcp.h 2011-04-17 15:56:46.000000000 -0400
58002 @@ -1444,6 +1444,7 @@ enum tcp_seq_states {
58003 struct tcp_seq_afinfo {
58005 sa_family_t family;
58006 + /* cannot be const */
58007 struct file_operations seq_fops;
58008 struct seq_operations seq_ops;
58010 diff -urNp linux-2.6.32.42/include/net/udp.h linux-2.6.32.42/include/net/udp.h
58011 --- linux-2.6.32.42/include/net/udp.h 2011-03-27 14:31:47.000000000 -0400
58012 +++ linux-2.6.32.42/include/net/udp.h 2011-04-17 15:56:46.000000000 -0400
58013 @@ -187,6 +187,7 @@ struct udp_seq_afinfo {
58015 sa_family_t family;
58016 struct udp_table *udp_table;
58017 + /* cannot be const */
58018 struct file_operations seq_fops;
58019 struct seq_operations seq_ops;
58021 diff -urNp linux-2.6.32.42/include/scsi/scsi_device.h linux-2.6.32.42/include/scsi/scsi_device.h
58022 --- linux-2.6.32.42/include/scsi/scsi_device.h 2011-04-17 17:00:52.000000000 -0400
58023 +++ linux-2.6.32.42/include/scsi/scsi_device.h 2011-05-04 17:56:28.000000000 -0400
58024 @@ -156,9 +156,9 @@ struct scsi_device {
58025 unsigned int max_device_blocked; /* what device_blocked counts down from */
58026 #define SCSI_DEFAULT_DEVICE_BLOCKED 3
58028 - atomic_t iorequest_cnt;
58029 - atomic_t iodone_cnt;
58030 - atomic_t ioerr_cnt;
58031 + atomic_unchecked_t iorequest_cnt;
58032 + atomic_unchecked_t iodone_cnt;
58033 + atomic_unchecked_t ioerr_cnt;
58035 struct device sdev_gendev,
58037 diff -urNp linux-2.6.32.42/include/sound/ac97_codec.h linux-2.6.32.42/include/sound/ac97_codec.h
58038 --- linux-2.6.32.42/include/sound/ac97_codec.h 2011-03-27 14:31:47.000000000 -0400
58039 +++ linux-2.6.32.42/include/sound/ac97_codec.h 2011-04-17 15:56:46.000000000 -0400
58040 @@ -419,15 +419,15 @@
58043 struct snd_ac97_build_ops {
58044 - int (*build_3d) (struct snd_ac97 *ac97);
58045 - int (*build_specific) (struct snd_ac97 *ac97);
58046 - int (*build_spdif) (struct snd_ac97 *ac97);
58047 - int (*build_post_spdif) (struct snd_ac97 *ac97);
58048 + int (* const build_3d) (struct snd_ac97 *ac97);
58049 + int (* const build_specific) (struct snd_ac97 *ac97);
58050 + int (* const build_spdif) (struct snd_ac97 *ac97);
58051 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
58053 - void (*suspend) (struct snd_ac97 *ac97);
58054 - void (*resume) (struct snd_ac97 *ac97);
58055 + void (* const suspend) (struct snd_ac97 *ac97);
58056 + void (* const resume) (struct snd_ac97 *ac97);
58058 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
58059 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
58062 struct snd_ac97_bus_ops {
58063 @@ -477,7 +477,7 @@ struct snd_ac97_template {
58066 /* -- lowlevel (hardware) driver specific -- */
58067 - struct snd_ac97_build_ops * build_ops;
58068 + const struct snd_ac97_build_ops * build_ops;
58069 void *private_data;
58070 void (*private_free) (struct snd_ac97 *ac97);
58072 diff -urNp linux-2.6.32.42/include/sound/ymfpci.h linux-2.6.32.42/include/sound/ymfpci.h
58073 --- linux-2.6.32.42/include/sound/ymfpci.h 2011-03-27 14:31:47.000000000 -0400
58074 +++ linux-2.6.32.42/include/sound/ymfpci.h 2011-05-04 17:56:28.000000000 -0400
58075 @@ -358,7 +358,7 @@ struct snd_ymfpci {
58076 spinlock_t reg_lock;
58077 spinlock_t voice_lock;
58078 wait_queue_head_t interrupt_sleep;
58079 - atomic_t interrupt_sleep_count;
58080 + atomic_unchecked_t interrupt_sleep_count;
58081 struct snd_info_entry *proc_entry;
58082 const struct firmware *dsp_microcode;
58083 const struct firmware *controller_microcode;
58084 diff -urNp linux-2.6.32.42/include/trace/events/irq.h linux-2.6.32.42/include/trace/events/irq.h
58085 --- linux-2.6.32.42/include/trace/events/irq.h 2011-03-27 14:31:47.000000000 -0400
58086 +++ linux-2.6.32.42/include/trace/events/irq.h 2011-04-17 15:56:46.000000000 -0400
58089 TRACE_EVENT(irq_handler_entry,
58091 - TP_PROTO(int irq, struct irqaction *action),
58092 + TP_PROTO(int irq, const struct irqaction *action),
58094 TP_ARGS(irq, action),
58096 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
58098 TRACE_EVENT(irq_handler_exit,
58100 - TP_PROTO(int irq, struct irqaction *action, int ret),
58101 + TP_PROTO(int irq, const struct irqaction *action, int ret),
58103 TP_ARGS(irq, action, ret),
58105 @@ -95,7 +95,7 @@ TRACE_EVENT(irq_handler_exit,
58107 TRACE_EVENT(softirq_entry,
58109 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
58110 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
58114 @@ -124,7 +124,7 @@ TRACE_EVENT(softirq_entry,
58116 TRACE_EVENT(softirq_exit,
58118 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
58119 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
58123 diff -urNp linux-2.6.32.42/include/video/uvesafb.h linux-2.6.32.42/include/video/uvesafb.h
58124 --- linux-2.6.32.42/include/video/uvesafb.h 2011-03-27 14:31:47.000000000 -0400
58125 +++ linux-2.6.32.42/include/video/uvesafb.h 2011-04-17 15:56:46.000000000 -0400
58126 @@ -177,6 +177,7 @@ struct uvesafb_par {
58127 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
58128 u8 pmi_setpal; /* PMI for palette changes */
58129 u16 *pmi_base; /* protected mode interface location */
58130 + u8 *pmi_code; /* protected mode code location */
58133 u8 *vbe_state_orig; /*
58134 diff -urNp linux-2.6.32.42/init/do_mounts.c linux-2.6.32.42/init/do_mounts.c
58135 --- linux-2.6.32.42/init/do_mounts.c 2011-03-27 14:31:47.000000000 -0400
58136 +++ linux-2.6.32.42/init/do_mounts.c 2011-04-17 15:56:46.000000000 -0400
58137 @@ -216,11 +216,11 @@ static void __init get_fs_names(char *pa
58139 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
58141 - int err = sys_mount(name, "/root", fs, flags, data);
58142 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
58146 - sys_chdir("/root");
58147 + sys_chdir((__force const char __user *)"/root");
58148 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
58149 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
58150 current->fs->pwd.mnt->mnt_sb->s_type->name,
58151 @@ -311,18 +311,18 @@ void __init change_floppy(char *fmt, ...
58152 va_start(args, fmt);
58153 vsprintf(buf, fmt, args);
58155 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
58156 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
58158 sys_ioctl(fd, FDEJECT, 0);
58161 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
58162 - fd = sys_open("/dev/console", O_RDWR, 0);
58163 + fd = sys_open((char __user *)"/dev/console", O_RDWR, 0);
58165 sys_ioctl(fd, TCGETS, (long)&termios);
58166 termios.c_lflag &= ~ICANON;
58167 sys_ioctl(fd, TCSETSF, (long)&termios);
58168 - sys_read(fd, &c, 1);
58169 + sys_read(fd, (char __user *)&c, 1);
58170 termios.c_lflag |= ICANON;
58171 sys_ioctl(fd, TCSETSF, (long)&termios);
58173 @@ -416,6 +416,6 @@ void __init prepare_namespace(void)
58176 devtmpfs_mount("dev");
58177 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
58179 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
58180 + sys_chroot((__force char __user *)".");
58182 diff -urNp linux-2.6.32.42/init/do_mounts.h linux-2.6.32.42/init/do_mounts.h
58183 --- linux-2.6.32.42/init/do_mounts.h 2011-03-27 14:31:47.000000000 -0400
58184 +++ linux-2.6.32.42/init/do_mounts.h 2011-04-17 15:56:46.000000000 -0400
58185 @@ -15,15 +15,15 @@ extern int root_mountflags;
58187 static inline int create_dev(char *name, dev_t dev)
58189 - sys_unlink(name);
58190 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
58191 + sys_unlink((__force char __user *)name);
58192 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
58195 #if BITS_PER_LONG == 32
58196 static inline u32 bstat(char *name)
58198 struct stat64 stat;
58199 - if (sys_stat64(name, &stat) != 0)
58200 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
58202 if (!S_ISBLK(stat.st_mode))
58204 diff -urNp linux-2.6.32.42/init/do_mounts_initrd.c linux-2.6.32.42/init/do_mounts_initrd.c
58205 --- linux-2.6.32.42/init/do_mounts_initrd.c 2011-03-27 14:31:47.000000000 -0400
58206 +++ linux-2.6.32.42/init/do_mounts_initrd.c 2011-04-17 15:56:46.000000000 -0400
58207 @@ -32,7 +32,7 @@ static int __init do_linuxrc(void * shel
58208 sys_close(old_fd);sys_close(root_fd);
58209 sys_close(0);sys_close(1);sys_close(2);
58211 - (void) sys_open("/dev/console",O_RDWR,0);
58212 + (void) sys_open((__force const char __user *)"/dev/console",O_RDWR,0);
58215 return kernel_execve(shell, argv, envp_init);
58216 @@ -47,13 +47,13 @@ static void __init handle_initrd(void)
58217 create_dev("/dev/root.old", Root_RAM0);
58218 /* mount initrd on rootfs' /root */
58219 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
58220 - sys_mkdir("/old", 0700);
58221 - root_fd = sys_open("/", 0, 0);
58222 - old_fd = sys_open("/old", 0, 0);
58223 + sys_mkdir((__force const char __user *)"/old", 0700);
58224 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
58225 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
58226 /* move initrd over / and chdir/chroot in initrd root */
58227 - sys_chdir("/root");
58228 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
58230 + sys_chdir((__force const char __user *)"/root");
58231 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
58232 + sys_chroot((__force const char __user *)".");
58235 * In case that a resume from disk is carried out by linuxrc or one of
58236 @@ -70,15 +70,15 @@ static void __init handle_initrd(void)
58238 /* move initrd to rootfs' /old */
58239 sys_fchdir(old_fd);
58240 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
58241 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
58242 /* switch root and cwd back to / of rootfs */
58243 sys_fchdir(root_fd);
58245 + sys_chroot((__force const char __user *)".");
58247 sys_close(root_fd);
58249 if (new_decode_dev(real_root_dev) == Root_RAM0) {
58250 - sys_chdir("/old");
58251 + sys_chdir((__force const char __user *)"/old");
58255 @@ -86,17 +86,17 @@ static void __init handle_initrd(void)
58258 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
58259 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
58260 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
58264 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
58265 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
58266 if (error == -ENOENT)
58267 printk("/initrd does not exist. Ignored.\n");
58269 printk("failed\n");
58270 printk(KERN_NOTICE "Unmounting old root\n");
58271 - sys_umount("/old", MNT_DETACH);
58272 + sys_umount((__force char __user *)"/old", MNT_DETACH);
58273 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
58276 @@ -119,11 +119,11 @@ int __init initrd_load(void)
58277 * mounted in the normal path.
58279 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
58280 - sys_unlink("/initrd.image");
58281 + sys_unlink((__force const char __user *)"/initrd.image");
58286 - sys_unlink("/initrd.image");
58287 + sys_unlink((__force const char __user *)"/initrd.image");
58290 diff -urNp linux-2.6.32.42/init/do_mounts_md.c linux-2.6.32.42/init/do_mounts_md.c
58291 --- linux-2.6.32.42/init/do_mounts_md.c 2011-03-27 14:31:47.000000000 -0400
58292 +++ linux-2.6.32.42/init/do_mounts_md.c 2011-04-17 15:56:46.000000000 -0400
58293 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
58294 partitioned ? "_d" : "", minor,
58295 md_setup_args[ent].device_names);
58297 - fd = sys_open(name, 0, 0);
58298 + fd = sys_open((__force char __user *)name, 0, 0);
58300 printk(KERN_ERR "md: open failed - cannot start "
58301 "array %s\n", name);
58302 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
58306 - fd = sys_open(name, 0, 0);
58307 + fd = sys_open((__force char __user *)name, 0, 0);
58308 sys_ioctl(fd, BLKRRPART, 0);
58311 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
58313 wait_for_device_probe();
58315 - fd = sys_open("/dev/md0", 0, 0);
58316 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
58318 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
58320 diff -urNp linux-2.6.32.42/init/initramfs.c linux-2.6.32.42/init/initramfs.c
58321 --- linux-2.6.32.42/init/initramfs.c 2011-03-27 14:31:47.000000000 -0400
58322 +++ linux-2.6.32.42/init/initramfs.c 2011-04-17 15:56:46.000000000 -0400
58323 @@ -74,7 +74,7 @@ static void __init free_hash(void)
58327 -static long __init do_utime(char __user *filename, time_t mtime)
58328 +static long __init do_utime(__force char __user *filename, time_t mtime)
58330 struct timespec t[2];
58332 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
58333 struct dir_entry *de, *tmp;
58334 list_for_each_entry_safe(de, tmp, &dir_list, list) {
58335 list_del(&de->list);
58336 - do_utime(de->name, de->mtime);
58337 + do_utime((__force char __user *)de->name, de->mtime);
58341 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
58343 char *old = find_link(major, minor, ino, mode, collected);
58345 - return (sys_link(old, collected) < 0) ? -1 : 1;
58346 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
58350 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
58354 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
58355 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
58356 if (S_ISDIR(st.st_mode))
58358 + sys_rmdir((__force char __user *)path);
58360 - sys_unlink(path);
58361 + sys_unlink((__force char __user *)path);
58365 @@ -305,7 +305,7 @@ static int __init do_name(void)
58366 int openflags = O_WRONLY|O_CREAT;
58368 openflags |= O_TRUNC;
58369 - wfd = sys_open(collected, openflags, mode);
58370 + wfd = sys_open((__force char __user *)collected, openflags, mode);
58373 sys_fchown(wfd, uid, gid);
58374 @@ -317,17 +317,17 @@ static int __init do_name(void)
58377 } else if (S_ISDIR(mode)) {
58378 - sys_mkdir(collected, mode);
58379 - sys_chown(collected, uid, gid);
58380 - sys_chmod(collected, mode);
58381 + sys_mkdir((__force char __user *)collected, mode);
58382 + sys_chown((__force char __user *)collected, uid, gid);
58383 + sys_chmod((__force char __user *)collected, mode);
58384 dir_add(collected, mtime);
58385 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
58386 S_ISFIFO(mode) || S_ISSOCK(mode)) {
58387 if (maybe_link() == 0) {
58388 - sys_mknod(collected, mode, rdev);
58389 - sys_chown(collected, uid, gid);
58390 - sys_chmod(collected, mode);
58391 - do_utime(collected, mtime);
58392 + sys_mknod((__force char __user *)collected, mode, rdev);
58393 + sys_chown((__force char __user *)collected, uid, gid);
58394 + sys_chmod((__force char __user *)collected, mode);
58395 + do_utime((__force char __user *)collected, mtime);
58399 @@ -336,15 +336,15 @@ static int __init do_name(void)
58400 static int __init do_copy(void)
58402 if (count >= body_len) {
58403 - sys_write(wfd, victim, body_len);
58404 + sys_write(wfd, (__force char __user *)victim, body_len);
58406 - do_utime(vcollected, mtime);
58407 + do_utime((__force char __user *)vcollected, mtime);
58413 - sys_write(wfd, victim, count);
58414 + sys_write(wfd, (__force char __user *)victim, count);
58418 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
58420 collected[N_ALIGN(name_len) + body_len] = '\0';
58421 clean_path(collected, 0);
58422 - sys_symlink(collected + N_ALIGN(name_len), collected);
58423 - sys_lchown(collected, uid, gid);
58424 - do_utime(collected, mtime);
58425 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
58426 + sys_lchown((__force char __user *)collected, uid, gid);
58427 + do_utime((__force char __user *)collected, mtime);
58429 next_state = Reset;
58431 diff -urNp linux-2.6.32.42/init/Kconfig linux-2.6.32.42/init/Kconfig
58432 --- linux-2.6.32.42/init/Kconfig 2011-05-10 22:12:01.000000000 -0400
58433 +++ linux-2.6.32.42/init/Kconfig 2011-05-10 22:12:34.000000000 -0400
58434 @@ -1004,7 +1004,7 @@ config SLUB_DEBUG
58437 bool "Disable heap randomization"
58441 Randomizing heap placement makes heap exploits harder, but it
58442 also breaks ancient binaries (including anything libc5 based).
58443 diff -urNp linux-2.6.32.42/init/main.c linux-2.6.32.42/init/main.c
58444 --- linux-2.6.32.42/init/main.c 2011-05-10 22:12:01.000000000 -0400
58445 +++ linux-2.6.32.42/init/main.c 2011-05-22 23:02:06.000000000 -0400
58446 @@ -97,6 +97,7 @@ static inline void mark_rodata_ro(void)
58448 extern void tc_init(void);
58450 +extern void grsecurity_init(void);
58452 enum system_states system_state __read_mostly;
58453 EXPORT_SYMBOL(system_state);
58454 @@ -183,6 +184,49 @@ static int __init set_reset_devices(char
58456 __setup("reset_devices", set_reset_devices);
58458 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
58459 +extern char pax_enter_kernel_user[];
58460 +extern char pax_exit_kernel_user[];
58461 +extern pgdval_t clone_pgd_mask;
58464 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
58465 +static int __init setup_pax_nouderef(char *str)
58467 +#ifdef CONFIG_X86_32
58468 + unsigned int cpu;
58469 + struct desc_struct *gdt;
58471 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
58472 + gdt = get_cpu_gdt_table(cpu);
58473 + gdt[GDT_ENTRY_KERNEL_DS].type = 3;
58474 + gdt[GDT_ENTRY_KERNEL_DS].limit = 0xf;
58475 + gdt[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
58476 + gdt[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
58478 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
58480 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
58481 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
58482 + clone_pgd_mask = ~(pgdval_t)0UL;
58487 +early_param("pax_nouderef", setup_pax_nouderef);
58490 +#ifdef CONFIG_PAX_SOFTMODE
58491 +unsigned int pax_softmode;
58493 +static int __init setup_pax_softmode(char *str)
58495 + get_option(&str, &pax_softmode);
58498 +__setup("pax_softmode=", setup_pax_softmode);
58501 static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
58502 char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
58503 static const char *panic_later, *panic_param;
58504 @@ -705,52 +749,53 @@ int initcall_debug;
58505 core_param(initcall_debug, initcall_debug, bool, 0644);
58507 static char msgbuf[64];
58508 -static struct boot_trace_call call;
58509 -static struct boot_trace_ret ret;
58510 +static struct boot_trace_call trace_call;
58511 +static struct boot_trace_ret trace_ret;
58513 int do_one_initcall(initcall_t fn)
58515 int count = preempt_count();
58516 ktime_t calltime, delta, rettime;
58517 + const char *msg1 = "", *msg2 = "";
58519 if (initcall_debug) {
58520 - call.caller = task_pid_nr(current);
58521 - printk("calling %pF @ %i\n", fn, call.caller);
58522 + trace_call.caller = task_pid_nr(current);
58523 + printk("calling %pF @ %i\n", fn, trace_call.caller);
58524 calltime = ktime_get();
58525 - trace_boot_call(&call, fn);
58526 + trace_boot_call(&trace_call, fn);
58527 enable_boot_trace();
58530 - ret.result = fn();
58531 + trace_ret.result = fn();
58533 if (initcall_debug) {
58534 disable_boot_trace();
58535 rettime = ktime_get();
58536 delta = ktime_sub(rettime, calltime);
58537 - ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
58538 - trace_boot_ret(&ret, fn);
58539 + trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
58540 + trace_boot_ret(&trace_ret, fn);
58541 printk("initcall %pF returned %d after %Ld usecs\n", fn,
58542 - ret.result, ret.duration);
58543 + trace_ret.result, trace_ret.duration);
58548 - if (ret.result && ret.result != -ENODEV && initcall_debug)
58549 - sprintf(msgbuf, "error code %d ", ret.result);
58550 + if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
58551 + sprintf(msgbuf, "error code %d ", trace_ret.result);
58553 if (preempt_count() != count) {
58554 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
58555 + msg1 = " preemption imbalance";
58556 preempt_count() = count;
58558 if (irqs_disabled()) {
58559 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
58560 + msg2 = " disabled interrupts";
58561 local_irq_enable();
58564 - printk("initcall %pF returned with %s\n", fn, msgbuf);
58565 + if (msgbuf[0] || *msg1 || *msg2) {
58566 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
58569 - return ret.result;
58570 + return trace_ret.result;
58574 @@ -893,11 +938,13 @@ static int __init kernel_init(void * unu
58575 if (!ramdisk_execute_command)
58576 ramdisk_execute_command = "/init";
58578 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
58579 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
58580 ramdisk_execute_command = NULL;
58581 prepare_namespace();
58584 + grsecurity_init();
58587 * Ok, we have completed the initial bootup, and
58588 * we're essentially up and running. Get rid of the
58589 diff -urNp linux-2.6.32.42/init/noinitramfs.c linux-2.6.32.42/init/noinitramfs.c
58590 --- linux-2.6.32.42/init/noinitramfs.c 2011-03-27 14:31:47.000000000 -0400
58591 +++ linux-2.6.32.42/init/noinitramfs.c 2011-04-17 15:56:46.000000000 -0400
58592 @@ -29,7 +29,7 @@ static int __init default_rootfs(void)
58596 - err = sys_mkdir("/dev", 0755);
58597 + err = sys_mkdir((const char __user *)"/dev", 0755);
58601 @@ -39,7 +39,7 @@ static int __init default_rootfs(void)
58605 - err = sys_mkdir("/root", 0700);
58606 + err = sys_mkdir((const char __user *)"/root", 0700);
58610 diff -urNp linux-2.6.32.42/ipc/mqueue.c linux-2.6.32.42/ipc/mqueue.c
58611 --- linux-2.6.32.42/ipc/mqueue.c 2011-03-27 14:31:47.000000000 -0400
58612 +++ linux-2.6.32.42/ipc/mqueue.c 2011-04-17 15:56:46.000000000 -0400
58613 @@ -150,6 +150,7 @@ static struct inode *mqueue_get_inode(st
58614 mq_bytes = (mq_msg_tblsz +
58615 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
58617 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
58618 spin_lock(&mq_lock);
58619 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
58620 u->mq_bytes + mq_bytes >
58621 diff -urNp linux-2.6.32.42/ipc/sem.c linux-2.6.32.42/ipc/sem.c
58622 --- linux-2.6.32.42/ipc/sem.c 2011-03-27 14:31:47.000000000 -0400
58623 +++ linux-2.6.32.42/ipc/sem.c 2011-05-16 21:46:57.000000000 -0400
58624 @@ -671,6 +671,8 @@ static int semctl_main(struct ipc_namesp
58625 ushort* sem_io = fast_sem_io;
58628 + pax_track_stack();
58630 sma = sem_lock_check(ns, semid);
58632 return PTR_ERR(sma);
58633 @@ -1071,6 +1073,8 @@ SYSCALL_DEFINE4(semtimedop, int, semid,
58634 unsigned long jiffies_left = 0;
58635 struct ipc_namespace *ns;
58637 + pax_track_stack();
58639 ns = current->nsproxy->ipc_ns;
58641 if (nsops < 1 || semid < 0)
58642 diff -urNp linux-2.6.32.42/ipc/shm.c linux-2.6.32.42/ipc/shm.c
58643 --- linux-2.6.32.42/ipc/shm.c 2011-03-27 14:31:47.000000000 -0400
58644 +++ linux-2.6.32.42/ipc/shm.c 2011-04-17 15:56:46.000000000 -0400
58645 @@ -70,6 +70,14 @@ static void shm_destroy (struct ipc_name
58646 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
58649 +#ifdef CONFIG_GRKERNSEC
58650 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
58651 + const time_t shm_createtime, const uid_t cuid,
58652 + const int shmid);
58653 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
58654 + const time_t shm_createtime);
58657 void shm_init_ns(struct ipc_namespace *ns)
58659 ns->shm_ctlmax = SHMMAX;
58660 @@ -396,6 +404,14 @@ static int newseg(struct ipc_namespace *
58661 shp->shm_lprid = 0;
58662 shp->shm_atim = shp->shm_dtim = 0;
58663 shp->shm_ctim = get_seconds();
58664 +#ifdef CONFIG_GRKERNSEC
58666 + struct timespec timeval;
58667 + do_posix_clock_monotonic_gettime(&timeval);
58669 + shp->shm_createtime = timeval.tv_sec;
58672 shp->shm_segsz = size;
58673 shp->shm_nattch = 0;
58674 shp->shm_file = file;
58675 @@ -880,9 +896,21 @@ long do_shmat(int shmid, char __user *sh
58679 +#ifdef CONFIG_GRKERNSEC
58680 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
58681 + shp->shm_perm.cuid, shmid) ||
58682 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
58688 path.dentry = dget(shp->shm_file->f_path.dentry);
58689 path.mnt = shp->shm_file->f_path.mnt;
58691 +#ifdef CONFIG_GRKERNSEC
58692 + shp->shm_lapid = current->pid;
58694 size = i_size_read(path.dentry->d_inode);
58697 diff -urNp linux-2.6.32.42/kernel/acct.c linux-2.6.32.42/kernel/acct.c
58698 --- linux-2.6.32.42/kernel/acct.c 2011-03-27 14:31:47.000000000 -0400
58699 +++ linux-2.6.32.42/kernel/acct.c 2011-04-17 15:56:46.000000000 -0400
58700 @@ -579,7 +579,7 @@ static void do_acct_process(struct bsd_a
58702 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
58703 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
58704 - file->f_op->write(file, (char *)&ac,
58705 + file->f_op->write(file, (__force char __user *)&ac,
58706 sizeof(acct_t), &file->f_pos);
58707 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
58709 diff -urNp linux-2.6.32.42/kernel/audit.c linux-2.6.32.42/kernel/audit.c
58710 --- linux-2.6.32.42/kernel/audit.c 2011-03-27 14:31:47.000000000 -0400
58711 +++ linux-2.6.32.42/kernel/audit.c 2011-05-04 17:56:28.000000000 -0400
58712 @@ -110,7 +110,7 @@ u32 audit_sig_sid = 0;
58713 3) suppressed due to audit_rate_limit
58714 4) suppressed due to audit_backlog_limit
58716 -static atomic_t audit_lost = ATOMIC_INIT(0);
58717 +static atomic_unchecked_t audit_lost = ATOMIC_INIT(0);
58719 /* The netlink socket. */
58720 static struct sock *audit_sock;
58721 @@ -232,7 +232,7 @@ void audit_log_lost(const char *message)
58725 - atomic_inc(&audit_lost);
58726 + atomic_inc_unchecked(&audit_lost);
58728 print = (audit_failure == AUDIT_FAIL_PANIC || !audit_rate_limit);
58730 @@ -251,7 +251,7 @@ void audit_log_lost(const char *message)
58731 printk(KERN_WARNING
58732 "audit: audit_lost=%d audit_rate_limit=%d "
58733 "audit_backlog_limit=%d\n",
58734 - atomic_read(&audit_lost),
58735 + atomic_read_unchecked(&audit_lost),
58737 audit_backlog_limit);
58738 audit_panic(message);
58739 @@ -691,7 +691,7 @@ static int audit_receive_msg(struct sk_b
58740 status_set.pid = audit_pid;
58741 status_set.rate_limit = audit_rate_limit;
58742 status_set.backlog_limit = audit_backlog_limit;
58743 - status_set.lost = atomic_read(&audit_lost);
58744 + status_set.lost = atomic_read_unchecked(&audit_lost);
58745 status_set.backlog = skb_queue_len(&audit_skb_queue);
58746 audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_GET, 0, 0,
58747 &status_set, sizeof(status_set));
58748 @@ -891,8 +891,10 @@ static int audit_receive_msg(struct sk_b
58749 spin_unlock_irq(&tsk->sighand->siglock);
58751 read_unlock(&tasklist_lock);
58752 - audit_send_reply(NETLINK_CB(skb).pid, seq, AUDIT_TTY_GET, 0, 0,
58756 + audit_send_reply(NETLINK_CB(skb).pid, seq,
58757 + AUDIT_TTY_GET, 0, 0, &s, sizeof(s));
58760 case AUDIT_TTY_SET: {
58761 diff -urNp linux-2.6.32.42/kernel/auditsc.c linux-2.6.32.42/kernel/auditsc.c
58762 --- linux-2.6.32.42/kernel/auditsc.c 2011-03-27 14:31:47.000000000 -0400
58763 +++ linux-2.6.32.42/kernel/auditsc.c 2011-05-04 17:56:28.000000000 -0400
58764 @@ -2113,7 +2113,7 @@ int auditsc_get_stamp(struct audit_conte
58767 /* global counter which is incremented every time something logs in */
58768 -static atomic_t session_id = ATOMIC_INIT(0);
58769 +static atomic_unchecked_t session_id = ATOMIC_INIT(0);
58772 * audit_set_loginuid - set a task's audit_context loginuid
58773 @@ -2126,7 +2126,7 @@ static atomic_t session_id = ATOMIC_INIT
58775 int audit_set_loginuid(struct task_struct *task, uid_t loginuid)
58777 - unsigned int sessionid = atomic_inc_return(&session_id);
58778 + unsigned int sessionid = atomic_inc_return_unchecked(&session_id);
58779 struct audit_context *context = task->audit_context;
58781 if (context && context->in_syscall) {
58782 diff -urNp linux-2.6.32.42/kernel/capability.c linux-2.6.32.42/kernel/capability.c
58783 --- linux-2.6.32.42/kernel/capability.c 2011-03-27 14:31:47.000000000 -0400
58784 +++ linux-2.6.32.42/kernel/capability.c 2011-04-17 15:56:46.000000000 -0400
58785 @@ -305,10 +305,26 @@ int capable(int cap)
58789 - if (security_capable(cap) == 0) {
58790 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
58791 current->flags |= PF_SUPERPRIV;
58797 +int capable_nolog(int cap)
58799 + if (unlikely(!cap_valid(cap))) {
58800 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
58804 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
58805 + current->flags |= PF_SUPERPRIV;
58811 EXPORT_SYMBOL(capable);
58812 +EXPORT_SYMBOL(capable_nolog);
58813 diff -urNp linux-2.6.32.42/kernel/cgroup.c linux-2.6.32.42/kernel/cgroup.c
58814 --- linux-2.6.32.42/kernel/cgroup.c 2011-03-27 14:31:47.000000000 -0400
58815 +++ linux-2.6.32.42/kernel/cgroup.c 2011-05-16 21:46:57.000000000 -0400
58816 @@ -536,6 +536,8 @@ static struct css_set *find_css_set(
58817 struct hlist_head *hhead;
58818 struct cg_cgroup_link *link;
58820 + pax_track_stack();
58822 /* First see if we already have a cgroup group that matches
58823 * the desired set */
58824 read_lock(&css_set_lock);
58825 diff -urNp linux-2.6.32.42/kernel/configs.c linux-2.6.32.42/kernel/configs.c
58826 --- linux-2.6.32.42/kernel/configs.c 2011-03-27 14:31:47.000000000 -0400
58827 +++ linux-2.6.32.42/kernel/configs.c 2011-04-17 15:56:46.000000000 -0400
58828 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
58829 struct proc_dir_entry *entry;
58831 /* create the current config file */
58832 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
58833 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
58834 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
58835 + &ikconfig_file_ops);
58836 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
58837 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
58838 + &ikconfig_file_ops);
58841 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
58842 &ikconfig_file_ops);
58848 diff -urNp linux-2.6.32.42/kernel/cpu.c linux-2.6.32.42/kernel/cpu.c
58849 --- linux-2.6.32.42/kernel/cpu.c 2011-03-27 14:31:47.000000000 -0400
58850 +++ linux-2.6.32.42/kernel/cpu.c 2011-04-17 15:56:46.000000000 -0400
58852 /* Serializes the updates to cpu_online_mask, cpu_present_mask */
58853 static DEFINE_MUTEX(cpu_add_remove_lock);
58855 -static __cpuinitdata RAW_NOTIFIER_HEAD(cpu_chain);
58856 +static RAW_NOTIFIER_HEAD(cpu_chain);
58858 /* If set, cpu_up and cpu_down will return -EBUSY and do nothing.
58859 * Should always be manipulated under cpu_add_remove_lock
58860 diff -urNp linux-2.6.32.42/kernel/cred.c linux-2.6.32.42/kernel/cred.c
58861 --- linux-2.6.32.42/kernel/cred.c 2011-03-27 14:31:47.000000000 -0400
58862 +++ linux-2.6.32.42/kernel/cred.c 2011-05-17 19:26:34.000000000 -0400
58863 @@ -160,6 +160,8 @@ static void put_cred_rcu(struct rcu_head
58865 void __put_cred(struct cred *cred)
58867 + pax_track_stack();
58869 kdebug("__put_cred(%p{%d,%d})", cred,
58870 atomic_read(&cred->usage),
58871 read_cred_subscribers(cred));
58872 @@ -184,6 +186,8 @@ void exit_creds(struct task_struct *tsk)
58876 + pax_track_stack();
58878 kdebug("exit_creds(%u,%p,%p,{%d,%d})", tsk->pid, tsk->real_cred, tsk->cred,
58879 atomic_read(&tsk->cred->usage),
58880 read_cred_subscribers(tsk->cred));
58881 @@ -222,6 +226,8 @@ const struct cred *get_task_cred(struct
58883 const struct cred *cred;
58885 + pax_track_stack();
58890 @@ -241,6 +247,8 @@ struct cred *cred_alloc_blank(void)
58894 + pax_track_stack();
58896 new = kmem_cache_zalloc(cred_jar, GFP_KERNEL);
58899 @@ -289,6 +297,8 @@ struct cred *prepare_creds(void)
58900 const struct cred *old;
58903 + pax_track_stack();
58905 validate_process_creds();
58907 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
58908 @@ -335,6 +345,8 @@ struct cred *prepare_exec_creds(void)
58909 struct thread_group_cred *tgcred = NULL;
58912 + pax_track_stack();
58915 tgcred = kmalloc(sizeof(*tgcred), GFP_KERNEL);
58917 @@ -441,6 +453,8 @@ int copy_creds(struct task_struct *p, un
58921 + pax_track_stack();
58923 mutex_init(&p->cred_guard_mutex);
58926 @@ -528,6 +542,8 @@ int commit_creds(struct cred *new)
58927 struct task_struct *task = current;
58928 const struct cred *old = task->real_cred;
58930 + pax_track_stack();
58932 kdebug("commit_creds(%p{%d,%d})", new,
58933 atomic_read(&new->usage),
58934 read_cred_subscribers(new));
58935 @@ -544,6 +560,8 @@ int commit_creds(struct cred *new)
58937 get_cred(new); /* we will require a ref for the subj creds too */
58939 + gr_set_role_label(task, new->uid, new->gid);
58941 /* dumpability changes */
58942 if (old->euid != new->euid ||
58943 old->egid != new->egid ||
58944 @@ -606,6 +624,8 @@ EXPORT_SYMBOL(commit_creds);
58946 void abort_creds(struct cred *new)
58948 + pax_track_stack();
58950 kdebug("abort_creds(%p{%d,%d})", new,
58951 atomic_read(&new->usage),
58952 read_cred_subscribers(new));
58953 @@ -629,6 +649,8 @@ const struct cred *override_creds(const
58955 const struct cred *old = current->cred;
58957 + pax_track_stack();
58959 kdebug("override_creds(%p{%d,%d})", new,
58960 atomic_read(&new->usage),
58961 read_cred_subscribers(new));
58962 @@ -658,6 +680,8 @@ void revert_creds(const struct cred *old
58964 const struct cred *override = current->cred;
58966 + pax_track_stack();
58968 kdebug("revert_creds(%p{%d,%d})", old,
58969 atomic_read(&old->usage),
58970 read_cred_subscribers(old));
58971 @@ -704,6 +728,8 @@ struct cred *prepare_kernel_cred(struct
58972 const struct cred *old;
58975 + pax_track_stack();
58977 new = kmem_cache_alloc(cred_jar, GFP_KERNEL);
58980 @@ -758,6 +784,8 @@ EXPORT_SYMBOL(prepare_kernel_cred);
58982 int set_security_override(struct cred *new, u32 secid)
58984 + pax_track_stack();
58986 return security_kernel_act_as(new, secid);
58988 EXPORT_SYMBOL(set_security_override);
58989 @@ -777,6 +805,8 @@ int set_security_override_from_ctx(struc
58993 + pax_track_stack();
58995 ret = security_secctx_to_secid(secctx, strlen(secctx), &secid);
58998 diff -urNp linux-2.6.32.42/kernel/exit.c linux-2.6.32.42/kernel/exit.c
58999 --- linux-2.6.32.42/kernel/exit.c 2011-03-27 14:31:47.000000000 -0400
59000 +++ linux-2.6.32.42/kernel/exit.c 2011-04-17 15:56:46.000000000 -0400
59002 #include <asm/pgtable.h>
59003 #include <asm/mmu_context.h>
59005 +#ifdef CONFIG_GRKERNSEC
59006 +extern rwlock_t grsec_exec_file_lock;
59009 static void exit_mm(struct task_struct * tsk);
59011 static void __unhash_process(struct task_struct *p)
59012 @@ -174,6 +178,8 @@ void release_task(struct task_struct * p
59013 struct task_struct *leader;
59016 + gr_del_task_from_ip_table(p);
59018 tracehook_prepare_release_task(p);
59019 /* don't need to get the RCU readlock here - the process is dead and
59020 * can't be modifying its own credentials */
59021 @@ -341,11 +347,22 @@ static void reparent_to_kthreadd(void)
59023 write_lock_irq(&tasklist_lock);
59025 +#ifdef CONFIG_GRKERNSEC
59026 + write_lock(&grsec_exec_file_lock);
59027 + if (current->exec_file) {
59028 + fput(current->exec_file);
59029 + current->exec_file = NULL;
59031 + write_unlock(&grsec_exec_file_lock);
59034 ptrace_unlink(current);
59035 /* Reparent to init */
59036 current->real_parent = current->parent = kthreadd_task;
59037 list_move_tail(¤t->sibling, ¤t->real_parent->children);
59039 + gr_set_kernel_label(current);
59041 /* Set the exit signal to SIGCHLD so we signal init on exit */
59042 current->exit_signal = SIGCHLD;
59044 @@ -397,7 +414,7 @@ int allow_signal(int sig)
59045 * know it'll be handled, so that they don't get converted to
59046 * SIGKILL or just silently dropped.
59048 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
59049 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
59050 recalc_sigpending();
59051 spin_unlock_irq(¤t->sighand->siglock);
59053 @@ -433,6 +450,17 @@ void daemonize(const char *name, ...)
59054 vsnprintf(current->comm, sizeof(current->comm), name, args);
59057 +#ifdef CONFIG_GRKERNSEC
59058 + write_lock(&grsec_exec_file_lock);
59059 + if (current->exec_file) {
59060 + fput(current->exec_file);
59061 + current->exec_file = NULL;
59063 + write_unlock(&grsec_exec_file_lock);
59066 + gr_set_kernel_label(current);
59069 * If we were started as result of loading a module, close all of the
59070 * user space pages. We don't need them, and if we didn't close them
59071 @@ -897,17 +925,17 @@ NORET_TYPE void do_exit(long code)
59072 struct task_struct *tsk = current;
59075 - profile_task_exit(tsk);
59077 - WARN_ON(atomic_read(&tsk->fs_excl));
59080 + * Check this first since set_fs() below depends on
59081 + * current_thread_info(), which we better not access when we're in
59082 + * interrupt context. Other than that, we want to do the set_fs()
59083 + * as early as possible.
59085 if (unlikely(in_interrupt()))
59086 panic("Aiee, killing interrupt handler!");
59087 - if (unlikely(!tsk->pid))
59088 - panic("Attempted to kill the idle task!");
59091 - * If do_exit is called because this processes oopsed, it's possible
59092 + * If do_exit is called because this processes Oops'ed, it's possible
59093 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
59094 * continuing. Amongst other possible reasons, this is to prevent
59095 * mm_release()->clear_child_tid() from writing to a user-controlled
59096 @@ -915,6 +943,13 @@ NORET_TYPE void do_exit(long code)
59100 + profile_task_exit(tsk);
59102 + WARN_ON(atomic_read(&tsk->fs_excl));
59104 + if (unlikely(!tsk->pid))
59105 + panic("Attempted to kill the idle task!");
59107 tracehook_report_exit(&code);
59109 validate_creds_for_do_exit(tsk);
59110 @@ -973,6 +1008,9 @@ NORET_TYPE void do_exit(long code)
59111 tsk->exit_code = code;
59112 taskstats_exit(tsk, group_dead);
59114 + gr_acl_handle_psacct(tsk, code);
59115 + gr_acl_handle_exit();
59120 @@ -1188,7 +1226,7 @@ static int wait_task_zombie(struct wait_
59122 if (unlikely(wo->wo_flags & WNOWAIT)) {
59123 int exit_code = p->exit_code;
59127 get_task_struct(p);
59128 read_unlock(&tasklist_lock);
59129 diff -urNp linux-2.6.32.42/kernel/fork.c linux-2.6.32.42/kernel/fork.c
59130 --- linux-2.6.32.42/kernel/fork.c 2011-03-27 14:31:47.000000000 -0400
59131 +++ linux-2.6.32.42/kernel/fork.c 2011-04-17 15:56:46.000000000 -0400
59132 @@ -253,7 +253,7 @@ static struct task_struct *dup_task_stru
59133 *stackend = STACK_END_MAGIC; /* for overflow detection */
59135 #ifdef CONFIG_CC_STACKPROTECTOR
59136 - tsk->stack_canary = get_random_int();
59137 + tsk->stack_canary = pax_get_random_long();
59140 /* One for us, one for whoever does the "release_task()" (usually parent) */
59141 @@ -293,8 +293,8 @@ static int dup_mmap(struct mm_struct *mm
59144 mm->mmap_cache = NULL;
59145 - mm->free_area_cache = oldmm->mmap_base;
59146 - mm->cached_hole_size = ~0UL;
59147 + mm->free_area_cache = oldmm->free_area_cache;
59148 + mm->cached_hole_size = oldmm->cached_hole_size;
59150 cpumask_clear(mm_cpumask(mm));
59151 mm->mm_rb = RB_ROOT;
59152 @@ -335,6 +335,7 @@ static int dup_mmap(struct mm_struct *mm
59153 tmp->vm_flags &= ~VM_LOCKED;
59155 tmp->vm_next = tmp->vm_prev = NULL;
59156 + tmp->vm_mirror = NULL;
59157 anon_vma_link(tmp);
59158 file = tmp->vm_file;
59160 @@ -384,6 +385,31 @@ static int dup_mmap(struct mm_struct *mm
59165 +#ifdef CONFIG_PAX_SEGMEXEC
59166 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
59167 + struct vm_area_struct *mpnt_m;
59169 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
59170 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
59172 + if (!mpnt->vm_mirror)
59175 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
59176 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
59177 + mpnt->vm_mirror = mpnt_m;
59179 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
59180 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
59181 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
59182 + mpnt->vm_mirror->vm_mirror = mpnt;
59189 /* a new mm has just been created */
59190 arch_dup_mmap(oldmm, mm);
59192 @@ -734,13 +760,14 @@ static int copy_fs(unsigned long clone_f
59193 write_unlock(&fs->lock);
59197 + atomic_inc(&fs->users);
59198 write_unlock(&fs->lock);
59201 tsk->fs = copy_fs_struct(fs);
59204 + gr_set_chroot_entries(tsk, &tsk->fs->root);
59208 @@ -1033,10 +1060,13 @@ static struct task_struct *copy_process(
59209 DEBUG_LOCKS_WARN_ON(!p->softirqs_enabled);
59213 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
59215 if (atomic_read(&p->real_cred->user->processes) >=
59216 p->signal->rlim[RLIMIT_NPROC].rlim_cur) {
59217 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
59218 - p->real_cred->user != INIT_USER)
59219 + if (p->real_cred->user != INIT_USER &&
59220 + !capable(CAP_SYS_RESOURCE) && !capable(CAP_SYS_ADMIN))
59221 goto bad_fork_free;
59224 @@ -1183,6 +1213,8 @@ static struct task_struct *copy_process(
59225 goto bad_fork_free_pid;
59228 + gr_copy_label(p);
59230 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
59232 * Clear TID on mm_release()?
59233 @@ -1333,6 +1365,8 @@ bad_fork_cleanup_count:
59237 + gr_log_forkfail(retval);
59239 return ERR_PTR(retval);
59242 @@ -1426,6 +1460,8 @@ long do_fork(unsigned long clone_flags,
59243 if (clone_flags & CLONE_PARENT_SETTID)
59244 put_user(nr, parent_tidptr);
59246 + gr_handle_brute_check();
59248 if (clone_flags & CLONE_VFORK) {
59249 p->vfork_done = &vfork;
59250 init_completion(&vfork);
59251 @@ -1558,7 +1594,7 @@ static int unshare_fs(unsigned long unsh
59254 /* don't need lock here; in the worst case we'll do useless copy */
59255 - if (fs->users == 1)
59256 + if (atomic_read(&fs->users) == 1)
59259 *new_fsp = copy_fs_struct(fs);
59260 @@ -1681,7 +1717,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
59262 write_lock(&fs->lock);
59263 current->fs = new_fs;
59265 + gr_set_chroot_entries(current, ¤t->fs->root);
59266 + if (atomic_dec_return(&fs->users))
59270 diff -urNp linux-2.6.32.42/kernel/futex.c linux-2.6.32.42/kernel/futex.c
59271 --- linux-2.6.32.42/kernel/futex.c 2011-03-27 14:31:47.000000000 -0400
59272 +++ linux-2.6.32.42/kernel/futex.c 2011-05-16 21:46:57.000000000 -0400
59274 #include <linux/mount.h>
59275 #include <linux/pagemap.h>
59276 #include <linux/syscalls.h>
59277 +#include <linux/ptrace.h>
59278 #include <linux/signal.h>
59279 #include <linux/module.h>
59280 #include <linux/magic.h>
59281 @@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
59285 +#ifdef CONFIG_PAX_SEGMEXEC
59286 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
59291 * The futex address must be "naturally" aligned.
59293 @@ -1789,6 +1795,8 @@ static int futex_wait(u32 __user *uaddr,
59297 + pax_track_stack();
59302 @@ -1841,7 +1849,7 @@ retry:
59304 restart = ¤t_thread_info()->restart_block;
59305 restart->fn = futex_wait_restart;
59306 - restart->futex.uaddr = (u32 *)uaddr;
59307 + restart->futex.uaddr = uaddr;
59308 restart->futex.val = val;
59309 restart->futex.time = abs_time->tv64;
59310 restart->futex.bitset = bitset;
59311 @@ -2203,6 +2211,8 @@ static int futex_wait_requeue_pi(u32 __u
59315 + pax_track_stack();
59320 @@ -2377,7 +2387,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
59322 struct robust_list_head __user *head;
59324 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
59325 const struct cred *cred = current_cred(), *pcred;
59328 if (!futex_cmpxchg_enabled)
59330 @@ -2393,11 +2405,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
59334 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
59335 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
59338 pcred = __task_cred(p);
59339 if (cred->euid != pcred->euid &&
59340 cred->euid != pcred->uid &&
59341 !capable(CAP_SYS_PTRACE))
59344 head = p->robust_list;
59347 @@ -2459,7 +2476,7 @@ retry:
59349 static inline int fetch_robust_entry(struct robust_list __user **entry,
59350 struct robust_list __user * __user *head,
59352 + unsigned int *pi)
59354 unsigned long uentry;
59356 @@ -2640,6 +2657,7 @@ static int __init futex_init(void)
59360 + mm_segment_t oldfs;
59363 * This will fail and we want it. Some arch implementations do
59364 @@ -2651,7 +2669,10 @@ static int __init futex_init(void)
59365 * implementation, the non functional ones will return
59368 + oldfs = get_fs();
59370 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
59372 if (curval == -EFAULT)
59373 futex_cmpxchg_enabled = 1;
59375 diff -urNp linux-2.6.32.42/kernel/futex_compat.c linux-2.6.32.42/kernel/futex_compat.c
59376 --- linux-2.6.32.42/kernel/futex_compat.c 2011-03-27 14:31:47.000000000 -0400
59377 +++ linux-2.6.32.42/kernel/futex_compat.c 2011-04-17 15:56:46.000000000 -0400
59379 #include <linux/compat.h>
59380 #include <linux/nsproxy.h>
59381 #include <linux/futex.h>
59382 +#include <linux/ptrace.h>
59384 #include <asm/uaccess.h>
59386 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
59388 struct compat_robust_list_head __user *head;
59390 - const struct cred *cred = current_cred(), *pcred;
59391 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
59392 + const struct cred *cred = current_cred();
59393 + const struct cred *pcred;
59396 if (!futex_cmpxchg_enabled)
59398 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
59402 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
59403 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
59406 pcred = __task_cred(p);
59407 if (cred->euid != pcred->euid &&
59408 cred->euid != pcred->uid &&
59409 !capable(CAP_SYS_PTRACE))
59412 head = p->compat_robust_list;
59413 read_unlock(&tasklist_lock);
59415 diff -urNp linux-2.6.32.42/kernel/gcov/base.c linux-2.6.32.42/kernel/gcov/base.c
59416 --- linux-2.6.32.42/kernel/gcov/base.c 2011-03-27 14:31:47.000000000 -0400
59417 +++ linux-2.6.32.42/kernel/gcov/base.c 2011-04-17 15:56:46.000000000 -0400
59418 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
59421 #ifdef CONFIG_MODULES
59422 -static inline int within(void *addr, void *start, unsigned long size)
59424 - return ((addr >= start) && (addr < start + size));
59427 /* Update list and generate events when modules are unloaded. */
59428 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
59430 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
59432 /* Remove entries located in module from linked list. */
59433 for (info = gcov_info_head; info; info = info->next) {
59434 - if (within(info, mod->module_core, mod->core_size)) {
59435 + if (within_module_core_rw((unsigned long)info, mod)) {
59437 prev->next = info->next;
59439 diff -urNp linux-2.6.32.42/kernel/hrtimer.c linux-2.6.32.42/kernel/hrtimer.c
59440 --- linux-2.6.32.42/kernel/hrtimer.c 2011-03-27 14:31:47.000000000 -0400
59441 +++ linux-2.6.32.42/kernel/hrtimer.c 2011-04-17 15:56:46.000000000 -0400
59442 @@ -1391,7 +1391,7 @@ void hrtimer_peek_ahead_timers(void)
59443 local_irq_restore(flags);
59446 -static void run_hrtimer_softirq(struct softirq_action *h)
59447 +static void run_hrtimer_softirq(void)
59449 hrtimer_peek_ahead_timers();
59451 diff -urNp linux-2.6.32.42/kernel/kallsyms.c linux-2.6.32.42/kernel/kallsyms.c
59452 --- linux-2.6.32.42/kernel/kallsyms.c 2011-03-27 14:31:47.000000000 -0400
59453 +++ linux-2.6.32.42/kernel/kallsyms.c 2011-04-17 15:56:46.000000000 -0400
59455 * Changed the compression method from stem compression to "table lookup"
59456 * compression (see scripts/kallsyms.c for a more complete description)
59458 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59459 +#define __INCLUDED_BY_HIDESYM 1
59461 #include <linux/kallsyms.h>
59462 #include <linux/module.h>
59463 #include <linux/init.h>
59464 @@ -51,12 +54,33 @@ extern const unsigned long kallsyms_mark
59466 static inline int is_kernel_inittext(unsigned long addr)
59468 + if (system_state != SYSTEM_BOOTING)
59471 if (addr >= (unsigned long)_sinittext
59472 && addr <= (unsigned long)_einittext)
59477 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
59478 +#ifdef CONFIG_MODULES
59479 +static inline int is_module_text(unsigned long addr)
59481 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
59484 + addr = ktla_ktva(addr);
59485 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
59488 +static inline int is_module_text(unsigned long addr)
59495 static inline int is_kernel_text(unsigned long addr)
59497 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
59498 @@ -67,13 +91,28 @@ static inline int is_kernel_text(unsigne
59500 static inline int is_kernel(unsigned long addr)
59503 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
59504 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
59507 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
59509 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
59513 return in_gate_area_no_task(addr);
59516 static int is_ksym_addr(unsigned long addr)
59519 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
59520 + if (is_module_text(addr))
59525 return is_kernel(addr);
59527 @@ -413,7 +452,6 @@ static unsigned long get_ksymbol_core(st
59529 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
59531 - iter->name[0] = '\0';
59532 iter->nameoff = get_symbol_offset(new_pos);
59533 iter->pos = new_pos;
59535 @@ -461,6 +499,11 @@ static int s_show(struct seq_file *m, vo
59537 struct kallsym_iter *iter = m->private;
59539 +#ifdef CONFIG_GRKERNSEC_HIDESYM
59540 + if (current_uid())
59544 /* Some debugging symbols have no name. Ignore them. */
59545 if (!iter->name[0])
59547 @@ -501,7 +544,7 @@ static int kallsyms_open(struct inode *i
59548 struct kallsym_iter *iter;
59551 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
59552 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
59555 reset_iter(iter, 0);
59556 diff -urNp linux-2.6.32.42/kernel/kgdb.c linux-2.6.32.42/kernel/kgdb.c
59557 --- linux-2.6.32.42/kernel/kgdb.c 2011-04-17 17:00:52.000000000 -0400
59558 +++ linux-2.6.32.42/kernel/kgdb.c 2011-05-04 17:56:20.000000000 -0400
59559 @@ -86,7 +86,7 @@ static int kgdb_io_module_registered;
59560 /* Guard for recursive entry */
59561 static int exception_level;
59563 -static struct kgdb_io *kgdb_io_ops;
59564 +static const struct kgdb_io *kgdb_io_ops;
59565 static DEFINE_SPINLOCK(kgdb_registration_lock);
59567 /* kgdb console driver is loaded */
59568 @@ -123,7 +123,7 @@ atomic_t kgdb_active = ATOMIC_INIT(-1)
59570 static atomic_t passive_cpu_wait[NR_CPUS];
59571 static atomic_t cpu_in_kgdb[NR_CPUS];
59572 -atomic_t kgdb_setting_breakpoint;
59573 +atomic_unchecked_t kgdb_setting_breakpoint;
59575 struct task_struct *kgdb_usethread;
59576 struct task_struct *kgdb_contthread;
59577 @@ -140,7 +140,7 @@ static unsigned long gdb_regs[(NUMREGBY
59578 sizeof(unsigned long)];
59580 /* to keep track of the CPU which is doing the single stepping*/
59581 -atomic_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
59582 +atomic_unchecked_t kgdb_cpu_doing_single_step = ATOMIC_INIT(-1);
59585 * If you are debugging a problem where roundup (the collection of
59586 @@ -815,7 +815,7 @@ static int kgdb_io_ready(int print_wait)
59588 if (kgdb_connected)
59590 - if (atomic_read(&kgdb_setting_breakpoint))
59591 + if (atomic_read_unchecked(&kgdb_setting_breakpoint))
59594 printk(KERN_CRIT "KGDB: Waiting for remote debugger\n");
59595 @@ -1426,8 +1426,8 @@ acquirelock:
59596 * instance of the exception handler wanted to come into the
59597 * debugger on a different CPU via a single step
59599 - if (atomic_read(&kgdb_cpu_doing_single_step) != -1 &&
59600 - atomic_read(&kgdb_cpu_doing_single_step) != cpu) {
59601 + if (atomic_read_unchecked(&kgdb_cpu_doing_single_step) != -1 &&
59602 + atomic_read_unchecked(&kgdb_cpu_doing_single_step) != cpu) {
59604 atomic_set(&kgdb_active, -1);
59605 touch_softlockup_watchdog();
59606 @@ -1634,7 +1634,7 @@ static void kgdb_initial_breakpoint(void
59608 * Register it with the KGDB core.
59610 -int kgdb_register_io_module(struct kgdb_io *new_kgdb_io_ops)
59611 +int kgdb_register_io_module(const struct kgdb_io *new_kgdb_io_ops)
59615 @@ -1679,7 +1679,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
59617 * Unregister it with the KGDB core.
59619 -void kgdb_unregister_io_module(struct kgdb_io *old_kgdb_io_ops)
59620 +void kgdb_unregister_io_module(const struct kgdb_io *old_kgdb_io_ops)
59622 BUG_ON(kgdb_connected);
59624 @@ -1712,11 +1712,11 @@ EXPORT_SYMBOL_GPL(kgdb_unregister_io_mod
59626 void kgdb_breakpoint(void)
59628 - atomic_set(&kgdb_setting_breakpoint, 1);
59629 + atomic_set_unchecked(&kgdb_setting_breakpoint, 1);
59630 wmb(); /* Sync point before breakpoint */
59631 arch_kgdb_breakpoint();
59632 wmb(); /* Sync point after breakpoint */
59633 - atomic_set(&kgdb_setting_breakpoint, 0);
59634 + atomic_set_unchecked(&kgdb_setting_breakpoint, 0);
59636 EXPORT_SYMBOL_GPL(kgdb_breakpoint);
59638 diff -urNp linux-2.6.32.42/kernel/kmod.c linux-2.6.32.42/kernel/kmod.c
59639 --- linux-2.6.32.42/kernel/kmod.c 2011-03-27 14:31:47.000000000 -0400
59640 +++ linux-2.6.32.42/kernel/kmod.c 2011-04-17 15:56:46.000000000 -0400
59641 @@ -65,13 +65,12 @@ char modprobe_path[KMOD_PATH_LEN] = "/sb
59642 * If module auto-loading support is disabled then this function
59643 * becomes a no-operation.
59645 -int __request_module(bool wait, const char *fmt, ...)
59646 +static int ____request_module(bool wait, char *module_param, const char *fmt, va_list ap)
59649 char module_name[MODULE_NAME_LEN];
59650 unsigned int max_modprobes;
59652 - char *argv[] = { modprobe_path, "-q", "--", module_name, NULL };
59653 + char *argv[] = { modprobe_path, "-q", "--", module_name, module_param, NULL };
59654 static char *envp[] = { "HOME=/",
59656 "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
59657 @@ -84,12 +83,24 @@ int __request_module(bool wait, const ch
59661 - va_start(args, fmt);
59662 - ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
59664 + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, ap);
59665 if (ret >= MODULE_NAME_LEN)
59666 return -ENAMETOOLONG;
59668 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
59669 + if (!current_uid()) {
59670 + /* hack to workaround consolekit/udisks stupidity */
59671 + read_lock(&tasklist_lock);
59672 + if (!strcmp(current->comm, "mount") &&
59673 + current->real_parent && !strncmp(current->real_parent->comm, "udisk", 5)) {
59674 + read_unlock(&tasklist_lock);
59675 + printk(KERN_ALERT "grsec: denied attempt to auto-load fs module %.64s by udisks\n", module_name);
59678 + read_unlock(&tasklist_lock);
59682 /* If modprobe needs a service that is in a module, we get a recursive
59683 * loop. Limit the number of running kmod threads to max_threads/2 or
59684 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
59685 @@ -121,6 +132,48 @@ int __request_module(bool wait, const ch
59686 atomic_dec(&kmod_concurrent);
59690 +int ___request_module(bool wait, char *module_param, const char *fmt, ...)
59695 + va_start(args, fmt);
59696 + ret = ____request_module(wait, module_param, fmt, args);
59702 +int __request_module(bool wait, const char *fmt, ...)
59707 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
59708 + if (current_uid()) {
59709 + char module_param[MODULE_NAME_LEN];
59711 + memset(module_param, 0, sizeof(module_param));
59713 + snprintf(module_param, sizeof(module_param) - 1, "grsec_modharden_normal%u_", current_uid());
59715 + va_start(args, fmt);
59716 + ret = ____request_module(wait, module_param, fmt, args);
59723 + va_start(args, fmt);
59724 + ret = ____request_module(wait, NULL, fmt, args);
59731 EXPORT_SYMBOL(__request_module);
59732 #endif /* CONFIG_MODULES */
59734 diff -urNp linux-2.6.32.42/kernel/kprobes.c linux-2.6.32.42/kernel/kprobes.c
59735 --- linux-2.6.32.42/kernel/kprobes.c 2011-03-27 14:31:47.000000000 -0400
59736 +++ linux-2.6.32.42/kernel/kprobes.c 2011-04-17 15:56:46.000000000 -0400
59737 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
59738 * kernel image and loaded module images reside. This is required
59739 * so x86_64 can correctly handle the %rip-relative fixups.
59741 - kip->insns = module_alloc(PAGE_SIZE);
59742 + kip->insns = module_alloc_exec(PAGE_SIZE);
59746 @@ -220,7 +220,7 @@ static int __kprobes collect_one_slot(st
59748 if (!list_is_singular(&kprobe_insn_pages)) {
59749 list_del(&kip->list);
59750 - module_free(NULL, kip->insns);
59751 + module_free_exec(NULL, kip->insns);
59755 @@ -1189,7 +1189,7 @@ static int __init init_kprobes(void)
59758 unsigned long offset = 0, size = 0;
59759 - char *modname, namebuf[128];
59760 + char *modname, namebuf[KSYM_NAME_LEN];
59761 const char *symbol_name;
59763 struct kprobe_blackpoint *kb;
59764 @@ -1304,7 +1304,7 @@ static int __kprobes show_kprobe_addr(st
59765 const char *sym = NULL;
59766 unsigned int i = *(loff_t *) v;
59767 unsigned long offset = 0;
59768 - char *modname, namebuf[128];
59769 + char *modname, namebuf[KSYM_NAME_LEN];
59771 head = &kprobe_table[i];
59773 diff -urNp linux-2.6.32.42/kernel/lockdep.c linux-2.6.32.42/kernel/lockdep.c
59774 --- linux-2.6.32.42/kernel/lockdep.c 2011-06-25 12:55:35.000000000 -0400
59775 +++ linux-2.6.32.42/kernel/lockdep.c 2011-06-25 12:56:37.000000000 -0400
59776 @@ -421,20 +421,20 @@ static struct stack_trace lockdep_init_t
59778 * Various lockdep statistics:
59780 -atomic_t chain_lookup_hits;
59781 -atomic_t chain_lookup_misses;
59782 -atomic_t hardirqs_on_events;
59783 -atomic_t hardirqs_off_events;
59784 -atomic_t redundant_hardirqs_on;
59785 -atomic_t redundant_hardirqs_off;
59786 -atomic_t softirqs_on_events;
59787 -atomic_t softirqs_off_events;
59788 -atomic_t redundant_softirqs_on;
59789 -atomic_t redundant_softirqs_off;
59790 -atomic_t nr_unused_locks;
59791 -atomic_t nr_cyclic_checks;
59792 -atomic_t nr_find_usage_forwards_checks;
59793 -atomic_t nr_find_usage_backwards_checks;
59794 +atomic_unchecked_t chain_lookup_hits;
59795 +atomic_unchecked_t chain_lookup_misses;
59796 +atomic_unchecked_t hardirqs_on_events;
59797 +atomic_unchecked_t hardirqs_off_events;
59798 +atomic_unchecked_t redundant_hardirqs_on;
59799 +atomic_unchecked_t redundant_hardirqs_off;
59800 +atomic_unchecked_t softirqs_on_events;
59801 +atomic_unchecked_t softirqs_off_events;
59802 +atomic_unchecked_t redundant_softirqs_on;
59803 +atomic_unchecked_t redundant_softirqs_off;
59804 +atomic_unchecked_t nr_unused_locks;
59805 +atomic_unchecked_t nr_cyclic_checks;
59806 +atomic_unchecked_t nr_find_usage_forwards_checks;
59807 +atomic_unchecked_t nr_find_usage_backwards_checks;
59811 @@ -577,6 +577,10 @@ static int static_obj(void *obj)
59815 +#ifdef CONFIG_PAX_KERNEXEC
59816 + start = ktla_ktva(start);
59822 @@ -592,8 +596,7 @@ static int static_obj(void *obj)
59824 for_each_possible_cpu(i) {
59825 start = (unsigned long) &__per_cpu_start + per_cpu_offset(i);
59826 - end = (unsigned long) &__per_cpu_start + PERCPU_ENOUGH_ROOM
59827 - + per_cpu_offset(i);
59828 + end = start + PERCPU_ENOUGH_ROOM;
59830 if ((addr >= start) && (addr < end))
59832 @@ -710,6 +713,7 @@ register_lock_class(struct lockdep_map *
59833 if (!static_obj(lock->key)) {
59835 printk("INFO: trying to register non-static key.\n");
59836 + printk("lock:%pS key:%pS.\n", lock, lock->key);
59837 printk("the code is fine but needs lockdep annotation.\n");
59838 printk("turning off the locking correctness validator.\n");
59840 @@ -2751,7 +2755,7 @@ static int __lock_acquire(struct lockdep
59844 - debug_atomic_inc((atomic_t *)&class->ops);
59845 + debug_atomic_inc((atomic_unchecked_t *)&class->ops);
59846 if (very_verbose(class)) {
59847 printk("\nacquire class [%p] %s", class->key, class->name);
59848 if (class->name_version > 1)
59849 diff -urNp linux-2.6.32.42/kernel/lockdep_internals.h linux-2.6.32.42/kernel/lockdep_internals.h
59850 --- linux-2.6.32.42/kernel/lockdep_internals.h 2011-03-27 14:31:47.000000000 -0400
59851 +++ linux-2.6.32.42/kernel/lockdep_internals.h 2011-04-17 15:56:46.000000000 -0400
59852 @@ -113,26 +113,26 @@ lockdep_count_backward_deps(struct lock_
59854 * Various lockdep statistics:
59856 -extern atomic_t chain_lookup_hits;
59857 -extern atomic_t chain_lookup_misses;
59858 -extern atomic_t hardirqs_on_events;
59859 -extern atomic_t hardirqs_off_events;
59860 -extern atomic_t redundant_hardirqs_on;
59861 -extern atomic_t redundant_hardirqs_off;
59862 -extern atomic_t softirqs_on_events;
59863 -extern atomic_t softirqs_off_events;
59864 -extern atomic_t redundant_softirqs_on;
59865 -extern atomic_t redundant_softirqs_off;
59866 -extern atomic_t nr_unused_locks;
59867 -extern atomic_t nr_cyclic_checks;
59868 -extern atomic_t nr_cyclic_check_recursions;
59869 -extern atomic_t nr_find_usage_forwards_checks;
59870 -extern atomic_t nr_find_usage_forwards_recursions;
59871 -extern atomic_t nr_find_usage_backwards_checks;
59872 -extern atomic_t nr_find_usage_backwards_recursions;
59873 -# define debug_atomic_inc(ptr) atomic_inc(ptr)
59874 -# define debug_atomic_dec(ptr) atomic_dec(ptr)
59875 -# define debug_atomic_read(ptr) atomic_read(ptr)
59876 +extern atomic_unchecked_t chain_lookup_hits;
59877 +extern atomic_unchecked_t chain_lookup_misses;
59878 +extern atomic_unchecked_t hardirqs_on_events;
59879 +extern atomic_unchecked_t hardirqs_off_events;
59880 +extern atomic_unchecked_t redundant_hardirqs_on;
59881 +extern atomic_unchecked_t redundant_hardirqs_off;
59882 +extern atomic_unchecked_t softirqs_on_events;
59883 +extern atomic_unchecked_t softirqs_off_events;
59884 +extern atomic_unchecked_t redundant_softirqs_on;
59885 +extern atomic_unchecked_t redundant_softirqs_off;
59886 +extern atomic_unchecked_t nr_unused_locks;
59887 +extern atomic_unchecked_t nr_cyclic_checks;
59888 +extern atomic_unchecked_t nr_cyclic_check_recursions;
59889 +extern atomic_unchecked_t nr_find_usage_forwards_checks;
59890 +extern atomic_unchecked_t nr_find_usage_forwards_recursions;
59891 +extern atomic_unchecked_t nr_find_usage_backwards_checks;
59892 +extern atomic_unchecked_t nr_find_usage_backwards_recursions;
59893 +# define debug_atomic_inc(ptr) atomic_inc_unchecked(ptr)
59894 +# define debug_atomic_dec(ptr) atomic_dec_unchecked(ptr)
59895 +# define debug_atomic_read(ptr) atomic_read_unchecked(ptr)
59897 # define debug_atomic_inc(ptr) do { } while (0)
59898 # define debug_atomic_dec(ptr) do { } while (0)
59899 diff -urNp linux-2.6.32.42/kernel/lockdep_proc.c linux-2.6.32.42/kernel/lockdep_proc.c
59900 --- linux-2.6.32.42/kernel/lockdep_proc.c 2011-03-27 14:31:47.000000000 -0400
59901 +++ linux-2.6.32.42/kernel/lockdep_proc.c 2011-04-17 15:56:46.000000000 -0400
59902 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
59904 static void print_name(struct seq_file *m, struct lock_class *class)
59907 + char str[KSYM_NAME_LEN];
59908 const char *name = class->name;
59911 diff -urNp linux-2.6.32.42/kernel/module.c linux-2.6.32.42/kernel/module.c
59912 --- linux-2.6.32.42/kernel/module.c 2011-03-27 14:31:47.000000000 -0400
59913 +++ linux-2.6.32.42/kernel/module.c 2011-04-29 18:52:40.000000000 -0400
59915 #include <linux/async.h>
59916 #include <linux/percpu.h>
59917 #include <linux/kmemleak.h>
59918 +#include <linux/grsecurity.h>
59920 #define CREATE_TRACE_POINTS
59921 #include <trace/events/module.h>
59922 @@ -89,7 +90,8 @@ static DECLARE_WAIT_QUEUE_HEAD(module_wq
59923 static BLOCKING_NOTIFIER_HEAD(module_notify_list);
59925 /* Bounds of module allocation, for speeding __module_address */
59926 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
59927 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
59928 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
59930 int register_module_notifier(struct notifier_block * nb)
59932 @@ -245,7 +247,7 @@ bool each_symbol(bool (*fn)(const struct
59935 list_for_each_entry_rcu(mod, &modules, list) {
59936 - struct symsearch arr[] = {
59937 + struct symsearch modarr[] = {
59938 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
59939 NOT_GPL_ONLY, false },
59940 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
59941 @@ -267,7 +269,7 @@ bool each_symbol(bool (*fn)(const struct
59945 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
59946 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
59950 @@ -442,7 +444,7 @@ static void *percpu_modalloc(unsigned lo
59954 - if (align > PAGE_SIZE) {
59955 + if (align-1 >= PAGE_SIZE) {
59956 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
59957 name, align, PAGE_SIZE);
59959 @@ -1158,7 +1160,7 @@ static const struct kernel_symbol *resol
59960 * /sys/module/foo/sections stuff
59961 * J. Corbet <corbet@lwn.net>
59963 -#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS)
59964 +#if defined(CONFIG_KALLSYMS) && defined(CONFIG_SYSFS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
59966 static inline bool sect_empty(const Elf_Shdr *sect)
59968 @@ -1545,7 +1547,8 @@ static void free_module(struct module *m
59969 destroy_params(mod->kp, mod->num_kp);
59971 /* This may be NULL, but that's OK */
59972 - module_free(mod, mod->module_init);
59973 + module_free(mod, mod->module_init_rw);
59974 + module_free_exec(mod, mod->module_init_rx);
59977 percpu_modfree(mod->percpu);
59978 @@ -1554,10 +1557,12 @@ static void free_module(struct module *m
59979 percpu_modfree(mod->refptr);
59981 /* Free lock-classes: */
59982 - lockdep_free_key_range(mod->module_core, mod->core_size);
59983 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
59984 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
59986 /* Finally, free the core (containing the module structure) */
59987 - module_free(mod, mod->module_core);
59988 + module_free_exec(mod, mod->module_core_rx);
59989 + module_free(mod, mod->module_core_rw);
59992 update_protections(current->mm);
59993 @@ -1628,8 +1633,32 @@ static int simplify_symbols(Elf_Shdr *se
59994 unsigned int i, n = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
59996 const struct kernel_symbol *ksym;
59997 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
59998 + int is_fs_load = 0;
59999 + int register_filesystem_found = 0;
60002 + p = strstr(mod->args, "grsec_modharden_fs");
60005 + char *endptr = p + strlen("grsec_modharden_fs");
60006 + /* copy \0 as well */
60007 + memmove(p, endptr, strlen(mod->args) - (unsigned int)(endptr - mod->args) + 1);
60013 for (i = 1; i < n; i++) {
60014 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
60015 + const char *name = strtab + sym[i].st_name;
60017 + /* it's a real shame this will never get ripped and copied
60020 + if (is_fs_load && !strcmp(name, "register_filesystem"))
60021 + register_filesystem_found = 1;
60023 switch (sym[i].st_shndx) {
60025 /* We compiled with -fno-common. These are not
60026 @@ -1651,7 +1680,9 @@ static int simplify_symbols(Elf_Shdr *se
60027 strtab + sym[i].st_name, mod);
60028 /* Ok if resolved. */
60030 + pax_open_kernel();
60031 sym[i].st_value = ksym->value;
60032 + pax_close_kernel();
60036 @@ -1670,11 +1701,20 @@ static int simplify_symbols(Elf_Shdr *se
60037 secbase = (unsigned long)mod->percpu;
60039 secbase = sechdrs[sym[i].st_shndx].sh_addr;
60040 + pax_open_kernel();
60041 sym[i].st_value += secbase;
60042 + pax_close_kernel();
60047 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
60048 + if (is_fs_load && !register_filesystem_found) {
60049 + printk(KERN_ALERT "grsec: Denied attempt to load non-fs module %.64s through mount\n", mod->name);
60057 @@ -1731,11 +1771,12 @@ static void layout_sections(struct modul
60058 || s->sh_entsize != ~0UL
60059 || strstarts(secstrings + s->sh_name, ".init"))
60061 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
60062 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
60063 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
60065 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
60066 DEBUGP("\t%s\n", secstrings + s->sh_name);
60069 - mod->core_text_size = mod->core_size;
60072 DEBUGP("Init section allocation order:\n");
60073 @@ -1748,12 +1789,13 @@ static void layout_sections(struct modul
60074 || s->sh_entsize != ~0UL
60075 || !strstarts(secstrings + s->sh_name, ".init"))
60077 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
60078 - | INIT_OFFSET_MASK);
60079 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
60080 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
60082 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
60083 + s->sh_entsize |= INIT_OFFSET_MASK;
60084 DEBUGP("\t%s\n", secstrings + s->sh_name);
60087 - mod->init_text_size = mod->init_size;
60091 @@ -1857,9 +1899,8 @@ static int is_exported(const char *name,
60094 static char elf_type(const Elf_Sym *sym,
60095 - Elf_Shdr *sechdrs,
60096 - const char *secstrings,
60097 - struct module *mod)
60098 + const Elf_Shdr *sechdrs,
60099 + const char *secstrings)
60101 if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
60102 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
60103 @@ -1934,7 +1975,7 @@ static unsigned long layout_symtab(struc
60105 /* Put symbol section at end of init part of module. */
60106 symsect->sh_flags |= SHF_ALLOC;
60107 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
60108 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
60109 symindex) | INIT_OFFSET_MASK;
60110 DEBUGP("\t%s\n", secstrings + symsect->sh_name);
60112 @@ -1951,19 +1992,19 @@ static unsigned long layout_symtab(struc
60115 /* Append room for core symbols at end of core part. */
60116 - symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
60117 - mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
60118 + symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
60119 + mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
60121 /* Put string table section at end of init part of module. */
60122 strsect->sh_flags |= SHF_ALLOC;
60123 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
60124 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
60125 strindex) | INIT_OFFSET_MASK;
60126 DEBUGP("\t%s\n", secstrings + strsect->sh_name);
60128 /* Append room for core symbols' strings at end of core part. */
60129 - *pstroffs = mod->core_size;
60130 + *pstroffs = mod->core_size_rx;
60131 __set_bit(0, strmap);
60132 - mod->core_size += bitmap_weight(strmap, strsect->sh_size);
60133 + mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
60137 @@ -1987,12 +2028,14 @@ static void add_kallsyms(struct module *
60138 mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
60139 mod->strtab = (void *)sechdrs[strindex].sh_addr;
60141 + pax_open_kernel();
60143 /* Set types up while we still have access to sections. */
60144 for (i = 0; i < mod->num_symtab; i++)
60145 mod->symtab[i].st_info
60146 - = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
60147 + = elf_type(&mod->symtab[i], sechdrs, secstrings);
60149 - mod->core_symtab = dst = mod->module_core + symoffs;
60150 + mod->core_symtab = dst = mod->module_core_rx + symoffs;
60153 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
60154 @@ -2004,10 +2047,12 @@ static void add_kallsyms(struct module *
60156 mod->core_num_syms = ndst;
60158 - mod->core_strtab = s = mod->module_core + stroffs;
60159 + mod->core_strtab = s = mod->module_core_rx + stroffs;
60160 for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
60161 if (test_bit(i, strmap))
60162 *++s = mod->strtab[i];
60164 + pax_close_kernel();
60167 static inline unsigned long layout_symtab(struct module *mod,
60168 @@ -2044,16 +2089,30 @@ static void dynamic_debug_setup(struct _
60172 -static void *module_alloc_update_bounds(unsigned long size)
60173 +static void *module_alloc_update_bounds_rw(unsigned long size)
60175 void *ret = module_alloc(size);
60178 /* Update module bounds. */
60179 - if ((unsigned long)ret < module_addr_min)
60180 - module_addr_min = (unsigned long)ret;
60181 - if ((unsigned long)ret + size > module_addr_max)
60182 - module_addr_max = (unsigned long)ret + size;
60183 + if ((unsigned long)ret < module_addr_min_rw)
60184 + module_addr_min_rw = (unsigned long)ret;
60185 + if ((unsigned long)ret + size > module_addr_max_rw)
60186 + module_addr_max_rw = (unsigned long)ret + size;
60191 +static void *module_alloc_update_bounds_rx(unsigned long size)
60193 + void *ret = module_alloc_exec(size);
60196 + /* Update module bounds. */
60197 + if ((unsigned long)ret < module_addr_min_rx)
60198 + module_addr_min_rx = (unsigned long)ret;
60199 + if ((unsigned long)ret + size > module_addr_max_rx)
60200 + module_addr_max_rx = (unsigned long)ret + size;
60204 @@ -2065,8 +2124,8 @@ static void kmemleak_load_module(struct
60207 /* only scan the sections containing data */
60208 - kmemleak_scan_area(mod->module_core, (unsigned long)mod -
60209 - (unsigned long)mod->module_core,
60210 + kmemleak_scan_area(mod->module_core_rw, (unsigned long)mod -
60211 + (unsigned long)mod->module_core_rw,
60212 sizeof(struct module), GFP_KERNEL);
60214 for (i = 1; i < hdr->e_shnum; i++) {
60215 @@ -2076,8 +2135,8 @@ static void kmemleak_load_module(struct
60216 && strncmp(secstrings + sechdrs[i].sh_name, ".bss", 4) != 0)
60219 - kmemleak_scan_area(mod->module_core, sechdrs[i].sh_addr -
60220 - (unsigned long)mod->module_core,
60221 + kmemleak_scan_area(mod->module_core_rw, sechdrs[i].sh_addr -
60222 + (unsigned long)mod->module_core_rw,
60223 sechdrs[i].sh_size, GFP_KERNEL);
60226 @@ -2263,7 +2322,7 @@ static noinline struct module *load_modu
60227 secstrings, &stroffs, strmap);
60229 /* Do the allocs. */
60230 - ptr = module_alloc_update_bounds(mod->core_size);
60231 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
60233 * The pointer to this block is stored in the module structure
60234 * which is inside the block. Just mark it as not being a
60235 @@ -2274,23 +2333,47 @@ static noinline struct module *load_modu
60239 - memset(ptr, 0, mod->core_size);
60240 - mod->module_core = ptr;
60241 + memset(ptr, 0, mod->core_size_rw);
60242 + mod->module_core_rw = ptr;
60244 - ptr = module_alloc_update_bounds(mod->init_size);
60245 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
60247 * The pointer to this block is stored in the module structure
60248 * which is inside the block. This block doesn't need to be
60249 * scanned as it contains data and code that will be freed
60250 * after the module is initialized.
60252 - kmemleak_ignore(ptr);
60253 - if (!ptr && mod->init_size) {
60254 + kmemleak_not_leak(ptr);
60255 + if (!ptr && mod->init_size_rw) {
60257 + goto free_core_rw;
60259 + memset(ptr, 0, mod->init_size_rw);
60260 + mod->module_init_rw = ptr;
60262 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
60263 + kmemleak_not_leak(ptr);
60267 + goto free_init_rw;
60269 - memset(ptr, 0, mod->init_size);
60270 - mod->module_init = ptr;
60272 + pax_open_kernel();
60273 + memset(ptr, 0, mod->core_size_rx);
60274 + pax_close_kernel();
60275 + mod->module_core_rx = ptr;
60277 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
60278 + kmemleak_not_leak(ptr);
60279 + if (!ptr && mod->init_size_rx) {
60281 + goto free_core_rx;
60284 + pax_open_kernel();
60285 + memset(ptr, 0, mod->init_size_rx);
60286 + pax_close_kernel();
60287 + mod->module_init_rx = ptr;
60289 /* Transfer each section which specifies SHF_ALLOC */
60290 DEBUGP("final section addresses:\n");
60291 @@ -2300,17 +2383,45 @@ static noinline struct module *load_modu
60292 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
60295 - if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
60296 - dest = mod->module_init
60297 - + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
60299 - dest = mod->module_core + sechdrs[i].sh_entsize;
60300 + if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
60301 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
60302 + dest = mod->module_init_rw
60303 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
60305 + dest = mod->module_init_rx
60306 + + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
60308 + if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
60309 + dest = mod->module_core_rw + sechdrs[i].sh_entsize;
60311 + dest = mod->module_core_rx + sechdrs[i].sh_entsize;
60314 + if (sechdrs[i].sh_type != SHT_NOBITS) {
60316 - if (sechdrs[i].sh_type != SHT_NOBITS)
60317 - memcpy(dest, (void *)sechdrs[i].sh_addr,
60318 - sechdrs[i].sh_size);
60319 +#ifdef CONFIG_PAX_KERNEXEC
60320 +#ifdef CONFIG_X86_64
60321 + if ((sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_EXECINSTR))
60322 + set_memory_x((unsigned long)dest, (sechdrs[i].sh_size + PAGE_SIZE) >> PAGE_SHIFT);
60324 + if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
60325 + pax_open_kernel();
60326 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
60327 + pax_close_kernel();
60331 + memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
60333 /* Update sh_addr to point to copy in image. */
60334 - sechdrs[i].sh_addr = (unsigned long)dest;
60336 +#ifdef CONFIG_PAX_KERNEXEC
60337 + if (sechdrs[i].sh_flags & SHF_EXECINSTR)
60338 + sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
60342 + sechdrs[i].sh_addr = (unsigned long)dest;
60343 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
60345 /* Module has been moved. */
60346 @@ -2322,7 +2433,7 @@ static noinline struct module *load_modu
60348 if (!mod->refptr) {
60351 + goto free_init_rx;
60354 /* Now we've moved module, initialize linked lists, etc. */
60355 @@ -2351,6 +2462,31 @@ static noinline struct module *load_modu
60356 /* Set up MODINFO_ATTR fields */
60357 setup_modinfo(mod, sechdrs, infoindex);
60359 + mod->args = args;
60361 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
60365 + if (strstr(mod->args, "grsec_modharden_netdev")) {
60366 + printk(KERN_ALERT "grsec: denied auto-loading kernel module for a network device with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%.64s instead.", mod->name);
60369 + } else if ((p = strstr(mod->args, "grsec_modharden_normal"))) {
60370 + p += strlen("grsec_modharden_normal");
60371 + p2 = strstr(p, "_");
60374 + printk(KERN_ALERT "grsec: denied kernel module auto-load of %.64s by uid %.9s\n", mod->name, p);
60384 /* Fix up syms, so that st_value is a pointer to location. */
60385 err = simplify_symbols(sechdrs, symindex, strtab, versindex, pcpuindex,
60387 @@ -2431,8 +2567,8 @@ static noinline struct module *load_modu
60389 /* Now do relocations. */
60390 for (i = 1; i < hdr->e_shnum; i++) {
60391 - const char *strtab = (char *)sechdrs[strindex].sh_addr;
60392 unsigned int info = sechdrs[i].sh_info;
60393 + strtab = (char *)sechdrs[strindex].sh_addr;
60395 /* Not a valid relocation section? */
60396 if (info >= hdr->e_shnum)
60397 @@ -2493,16 +2629,15 @@ static noinline struct module *load_modu
60398 * Do it before processing of module parameters, so the module
60399 * can provide parameter accessor functions of its own.
60401 - if (mod->module_init)
60402 - flush_icache_range((unsigned long)mod->module_init,
60403 - (unsigned long)mod->module_init
60404 - + mod->init_size);
60405 - flush_icache_range((unsigned long)mod->module_core,
60406 - (unsigned long)mod->module_core + mod->core_size);
60407 + if (mod->module_init_rx)
60408 + flush_icache_range((unsigned long)mod->module_init_rx,
60409 + (unsigned long)mod->module_init_rx
60410 + + mod->init_size_rx);
60411 + flush_icache_range((unsigned long)mod->module_core_rx,
60412 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
60416 - mod->args = args;
60417 if (section_addr(hdr, sechdrs, secstrings, "__obsparm"))
60418 printk(KERN_WARNING "%s: Ignoring obsolete parameters\n",
60420 @@ -2546,12 +2681,16 @@ static noinline struct module *load_modu
60422 module_unload_free(mod);
60423 #if defined(CONFIG_MODULE_UNLOAD) && defined(CONFIG_SMP)
60425 percpu_modfree(mod->refptr);
60428 - module_free(mod, mod->module_init);
60430 - module_free(mod, mod->module_core);
60431 + module_free_exec(mod, mod->module_init_rx);
60433 + module_free_exec(mod, mod->module_core_rx);
60435 + module_free(mod, mod->module_init_rw);
60437 + module_free(mod, mod->module_core_rw);
60438 /* mod will be freed with core. Don't access it beyond this line! */
60441 @@ -2653,10 +2792,12 @@ SYSCALL_DEFINE3(init_module, void __user
60442 mod->symtab = mod->core_symtab;
60443 mod->strtab = mod->core_strtab;
60445 - module_free(mod, mod->module_init);
60446 - mod->module_init = NULL;
60447 - mod->init_size = 0;
60448 - mod->init_text_size = 0;
60449 + module_free(mod, mod->module_init_rw);
60450 + module_free_exec(mod, mod->module_init_rx);
60451 + mod->module_init_rw = NULL;
60452 + mod->module_init_rx = NULL;
60453 + mod->init_size_rw = 0;
60454 + mod->init_size_rx = 0;
60455 mutex_unlock(&module_mutex);
60458 @@ -2687,10 +2828,16 @@ static const char *get_ksymbol(struct mo
60459 unsigned long nextval;
60461 /* At worse, next value is at end of module */
60462 - if (within_module_init(addr, mod))
60463 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
60464 + if (within_module_init_rx(addr, mod))
60465 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
60466 + else if (within_module_init_rw(addr, mod))
60467 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
60468 + else if (within_module_core_rx(addr, mod))
60469 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
60470 + else if (within_module_core_rw(addr, mod))
60471 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
60473 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
60476 /* Scan for closest preceeding symbol, and next symbol. (ELF
60477 starts real symbols at 1). */
60478 @@ -2936,7 +3083,7 @@ static int m_show(struct seq_file *m, vo
60481 seq_printf(m, "%s %u",
60482 - mod->name, mod->init_size + mod->core_size);
60483 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
60484 print_unload_info(m, mod);
60486 /* Informative for users. */
60487 @@ -2945,7 +3092,7 @@ static int m_show(struct seq_file *m, vo
60488 mod->state == MODULE_STATE_COMING ? "Loading":
60490 /* Used by oprofile and other similar tools. */
60491 - seq_printf(m, " 0x%p", mod->module_core);
60492 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
60496 @@ -2981,7 +3128,17 @@ static const struct file_operations proc
60498 static int __init proc_modules_init(void)
60500 +#ifndef CONFIG_GRKERNSEC_HIDESYM
60501 +#ifdef CONFIG_GRKERNSEC_PROC_USER
60502 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
60503 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
60504 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
60506 proc_create("modules", 0, NULL, &proc_modules_operations);
60509 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
60513 module_init(proc_modules_init);
60514 @@ -3040,12 +3197,12 @@ struct module *__module_address(unsigned
60516 struct module *mod;
60518 - if (addr < module_addr_min || addr > module_addr_max)
60519 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
60520 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
60523 list_for_each_entry_rcu(mod, &modules, list)
60524 - if (within_module_core(addr, mod)
60525 - || within_module_init(addr, mod))
60526 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
60530 @@ -3079,11 +3236,20 @@ bool is_module_text_address(unsigned lon
60532 struct module *__module_text_address(unsigned long addr)
60534 - struct module *mod = __module_address(addr);
60535 + struct module *mod;
60537 +#ifdef CONFIG_X86_32
60538 + addr = ktla_ktva(addr);
60541 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
60544 + mod = __module_address(addr);
60547 /* Make sure it's within the text section. */
60548 - if (!within(addr, mod->module_init, mod->init_text_size)
60549 - && !within(addr, mod->module_core, mod->core_text_size))
60550 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
60554 diff -urNp linux-2.6.32.42/kernel/mutex.c linux-2.6.32.42/kernel/mutex.c
60555 --- linux-2.6.32.42/kernel/mutex.c 2011-03-27 14:31:47.000000000 -0400
60556 +++ linux-2.6.32.42/kernel/mutex.c 2011-04-17 15:56:46.000000000 -0400
60557 @@ -169,7 +169,7 @@ __mutex_lock_common(struct mutex *lock,
60561 - struct thread_info *owner;
60562 + struct task_struct *owner;
60565 * If we own the BKL, then don't spin. The owner of
60566 @@ -214,7 +214,7 @@ __mutex_lock_common(struct mutex *lock,
60567 spin_lock_mutex(&lock->wait_lock, flags);
60569 debug_mutex_lock_common(lock, &waiter);
60570 - debug_mutex_add_waiter(lock, &waiter, task_thread_info(task));
60571 + debug_mutex_add_waiter(lock, &waiter, task);
60573 /* add waiting tasks to the end of the waitqueue (FIFO): */
60574 list_add_tail(&waiter.list, &lock->wait_list);
60575 @@ -243,8 +243,7 @@ __mutex_lock_common(struct mutex *lock,
60576 * TASK_UNINTERRUPTIBLE case.)
60578 if (unlikely(signal_pending_state(state, task))) {
60579 - mutex_remove_waiter(lock, &waiter,
60580 - task_thread_info(task));
60581 + mutex_remove_waiter(lock, &waiter, task);
60582 mutex_release(&lock->dep_map, 1, ip);
60583 spin_unlock_mutex(&lock->wait_lock, flags);
60585 @@ -265,7 +264,7 @@ __mutex_lock_common(struct mutex *lock,
60587 lock_acquired(&lock->dep_map, ip);
60588 /* got the lock - rejoice! */
60589 - mutex_remove_waiter(lock, &waiter, current_thread_info());
60590 + mutex_remove_waiter(lock, &waiter, task);
60591 mutex_set_owner(lock);
60593 /* set it to 0 if there are no waiters left: */
60594 diff -urNp linux-2.6.32.42/kernel/mutex-debug.c linux-2.6.32.42/kernel/mutex-debug.c
60595 --- linux-2.6.32.42/kernel/mutex-debug.c 2011-03-27 14:31:47.000000000 -0400
60596 +++ linux-2.6.32.42/kernel/mutex-debug.c 2011-04-17 15:56:46.000000000 -0400
60597 @@ -49,21 +49,21 @@ void debug_mutex_free_waiter(struct mute
60600 void debug_mutex_add_waiter(struct mutex *lock, struct mutex_waiter *waiter,
60601 - struct thread_info *ti)
60602 + struct task_struct *task)
60604 SMP_DEBUG_LOCKS_WARN_ON(!spin_is_locked(&lock->wait_lock));
60606 /* Mark the current thread as blocked on the lock: */
60607 - ti->task->blocked_on = waiter;
60608 + task->blocked_on = waiter;
60611 void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
60612 - struct thread_info *ti)
60613 + struct task_struct *task)
60615 DEBUG_LOCKS_WARN_ON(list_empty(&waiter->list));
60616 - DEBUG_LOCKS_WARN_ON(waiter->task != ti->task);
60617 - DEBUG_LOCKS_WARN_ON(ti->task->blocked_on != waiter);
60618 - ti->task->blocked_on = NULL;
60619 + DEBUG_LOCKS_WARN_ON(waiter->task != task);
60620 + DEBUG_LOCKS_WARN_ON(task->blocked_on != waiter);
60621 + task->blocked_on = NULL;
60623 list_del_init(&waiter->list);
60624 waiter->task = NULL;
60625 @@ -75,7 +75,7 @@ void debug_mutex_unlock(struct mutex *lo
60628 DEBUG_LOCKS_WARN_ON(lock->magic != lock);
60629 - DEBUG_LOCKS_WARN_ON(lock->owner != current_thread_info());
60630 + DEBUG_LOCKS_WARN_ON(lock->owner != current);
60631 DEBUG_LOCKS_WARN_ON(!lock->wait_list.prev && !lock->wait_list.next);
60632 mutex_clear_owner(lock);
60634 diff -urNp linux-2.6.32.42/kernel/mutex-debug.h linux-2.6.32.42/kernel/mutex-debug.h
60635 --- linux-2.6.32.42/kernel/mutex-debug.h 2011-03-27 14:31:47.000000000 -0400
60636 +++ linux-2.6.32.42/kernel/mutex-debug.h 2011-04-17 15:56:46.000000000 -0400
60637 @@ -20,16 +20,16 @@ extern void debug_mutex_wake_waiter(stru
60638 extern void debug_mutex_free_waiter(struct mutex_waiter *waiter);
60639 extern void debug_mutex_add_waiter(struct mutex *lock,
60640 struct mutex_waiter *waiter,
60641 - struct thread_info *ti);
60642 + struct task_struct *task);
60643 extern void mutex_remove_waiter(struct mutex *lock, struct mutex_waiter *waiter,
60644 - struct thread_info *ti);
60645 + struct task_struct *task);
60646 extern void debug_mutex_unlock(struct mutex *lock);
60647 extern void debug_mutex_init(struct mutex *lock, const char *name,
60648 struct lock_class_key *key);
60650 static inline void mutex_set_owner(struct mutex *lock)
60652 - lock->owner = current_thread_info();
60653 + lock->owner = current;
60656 static inline void mutex_clear_owner(struct mutex *lock)
60657 diff -urNp linux-2.6.32.42/kernel/mutex.h linux-2.6.32.42/kernel/mutex.h
60658 --- linux-2.6.32.42/kernel/mutex.h 2011-03-27 14:31:47.000000000 -0400
60659 +++ linux-2.6.32.42/kernel/mutex.h 2011-04-17 15:56:46.000000000 -0400
60662 static inline void mutex_set_owner(struct mutex *lock)
60664 - lock->owner = current_thread_info();
60665 + lock->owner = current;
60668 static inline void mutex_clear_owner(struct mutex *lock)
60669 diff -urNp linux-2.6.32.42/kernel/panic.c linux-2.6.32.42/kernel/panic.c
60670 --- linux-2.6.32.42/kernel/panic.c 2011-03-27 14:31:47.000000000 -0400
60671 +++ linux-2.6.32.42/kernel/panic.c 2011-04-17 15:56:46.000000000 -0400
60672 @@ -352,7 +352,7 @@ static void warn_slowpath_common(const c
60675 printk(KERN_WARNING "------------[ cut here ]------------\n");
60676 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
60677 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
60678 board = dmi_get_system_info(DMI_PRODUCT_NAME);
60680 printk(KERN_WARNING "Hardware name: %s\n", board);
60681 @@ -392,7 +392,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
60683 void __stack_chk_fail(void)
60685 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
60687 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
60688 __builtin_return_address(0));
60690 EXPORT_SYMBOL(__stack_chk_fail);
60691 diff -urNp linux-2.6.32.42/kernel/params.c linux-2.6.32.42/kernel/params.c
60692 --- linux-2.6.32.42/kernel/params.c 2011-03-27 14:31:47.000000000 -0400
60693 +++ linux-2.6.32.42/kernel/params.c 2011-04-17 15:56:46.000000000 -0400
60694 @@ -725,7 +725,7 @@ static ssize_t module_attr_store(struct
60698 -static struct sysfs_ops module_sysfs_ops = {
60699 +static const struct sysfs_ops module_sysfs_ops = {
60700 .show = module_attr_show,
60701 .store = module_attr_store,
60703 @@ -739,7 +739,7 @@ static int uevent_filter(struct kset *ks
60707 -static struct kset_uevent_ops module_uevent_ops = {
60708 +static const struct kset_uevent_ops module_uevent_ops = {
60709 .filter = uevent_filter,
60712 diff -urNp linux-2.6.32.42/kernel/perf_event.c linux-2.6.32.42/kernel/perf_event.c
60713 --- linux-2.6.32.42/kernel/perf_event.c 2011-04-17 17:00:52.000000000 -0400
60714 +++ linux-2.6.32.42/kernel/perf_event.c 2011-05-04 17:56:28.000000000 -0400
60715 @@ -77,7 +77,7 @@ int sysctl_perf_event_mlock __read_mostl
60717 int sysctl_perf_event_sample_rate __read_mostly = 100000;
60719 -static atomic64_t perf_event_id;
60720 +static atomic64_unchecked_t perf_event_id;
60723 * Lock for (sysadmin-configurable) event reservations:
60724 @@ -1094,9 +1094,9 @@ static void __perf_event_sync_stat(struc
60725 * In order to keep per-task stats reliable we need to flip the event
60726 * values when we flip the contexts.
60728 - value = atomic64_read(&next_event->count);
60729 - value = atomic64_xchg(&event->count, value);
60730 - atomic64_set(&next_event->count, value);
60731 + value = atomic64_read_unchecked(&next_event->count);
60732 + value = atomic64_xchg_unchecked(&event->count, value);
60733 + atomic64_set_unchecked(&next_event->count, value);
60735 swap(event->total_time_enabled, next_event->total_time_enabled);
60736 swap(event->total_time_running, next_event->total_time_running);
60737 @@ -1552,7 +1552,7 @@ static u64 perf_event_read(struct perf_e
60738 update_event_times(event);
60741 - return atomic64_read(&event->count);
60742 + return atomic64_read_unchecked(&event->count);
60746 @@ -1790,11 +1790,11 @@ static int perf_event_read_group(struct
60747 values[n++] = 1 + leader->nr_siblings;
60748 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
60749 values[n++] = leader->total_time_enabled +
60750 - atomic64_read(&leader->child_total_time_enabled);
60751 + atomic64_read_unchecked(&leader->child_total_time_enabled);
60753 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
60754 values[n++] = leader->total_time_running +
60755 - atomic64_read(&leader->child_total_time_running);
60756 + atomic64_read_unchecked(&leader->child_total_time_running);
60759 size = n * sizeof(u64);
60760 @@ -1829,11 +1829,11 @@ static int perf_event_read_one(struct pe
60761 values[n++] = perf_event_read_value(event);
60762 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
60763 values[n++] = event->total_time_enabled +
60764 - atomic64_read(&event->child_total_time_enabled);
60765 + atomic64_read_unchecked(&event->child_total_time_enabled);
60767 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
60768 values[n++] = event->total_time_running +
60769 - atomic64_read(&event->child_total_time_running);
60770 + atomic64_read_unchecked(&event->child_total_time_running);
60772 if (read_format & PERF_FORMAT_ID)
60773 values[n++] = primary_event_id(event);
60774 @@ -1903,7 +1903,7 @@ static unsigned int perf_poll(struct fil
60775 static void perf_event_reset(struct perf_event *event)
60777 (void)perf_event_read(event);
60778 - atomic64_set(&event->count, 0);
60779 + atomic64_set_unchecked(&event->count, 0);
60780 perf_event_update_userpage(event);
60783 @@ -2079,15 +2079,15 @@ void perf_event_update_userpage(struct p
60786 userpg->index = perf_event_index(event);
60787 - userpg->offset = atomic64_read(&event->count);
60788 + userpg->offset = atomic64_read_unchecked(&event->count);
60789 if (event->state == PERF_EVENT_STATE_ACTIVE)
60790 - userpg->offset -= atomic64_read(&event->hw.prev_count);
60791 + userpg->offset -= atomic64_read_unchecked(&event->hw.prev_count);
60793 userpg->time_enabled = event->total_time_enabled +
60794 - atomic64_read(&event->child_total_time_enabled);
60795 + atomic64_read_unchecked(&event->child_total_time_enabled);
60797 userpg->time_running = event->total_time_running +
60798 - atomic64_read(&event->child_total_time_running);
60799 + atomic64_read_unchecked(&event->child_total_time_running);
60803 @@ -2903,14 +2903,14 @@ static void perf_output_read_one(struct
60807 - values[n++] = atomic64_read(&event->count);
60808 + values[n++] = atomic64_read_unchecked(&event->count);
60809 if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) {
60810 values[n++] = event->total_time_enabled +
60811 - atomic64_read(&event->child_total_time_enabled);
60812 + atomic64_read_unchecked(&event->child_total_time_enabled);
60814 if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) {
60815 values[n++] = event->total_time_running +
60816 - atomic64_read(&event->child_total_time_running);
60817 + atomic64_read_unchecked(&event->child_total_time_running);
60819 if (read_format & PERF_FORMAT_ID)
60820 values[n++] = primary_event_id(event);
60821 @@ -2940,7 +2940,7 @@ static void perf_output_read_group(struc
60822 if (leader != event)
60823 leader->pmu->read(leader);
60825 - values[n++] = atomic64_read(&leader->count);
60826 + values[n++] = atomic64_read_unchecked(&leader->count);
60827 if (read_format & PERF_FORMAT_ID)
60828 values[n++] = primary_event_id(leader);
60830 @@ -2952,7 +2952,7 @@ static void perf_output_read_group(struc
60832 sub->pmu->read(sub);
60834 - values[n++] = atomic64_read(&sub->count);
60835 + values[n++] = atomic64_read_unchecked(&sub->count);
60836 if (read_format & PERF_FORMAT_ID)
60837 values[n++] = primary_event_id(sub);
60839 @@ -3787,7 +3787,7 @@ static void perf_swevent_add(struct perf
60841 struct hw_perf_event *hwc = &event->hw;
60843 - atomic64_add(nr, &event->count);
60844 + atomic64_add_unchecked(nr, &event->count);
60846 if (!hwc->sample_period)
60848 @@ -4044,9 +4044,9 @@ static void cpu_clock_perf_event_update(
60851 now = cpu_clock(cpu);
60852 - prev = atomic64_read(&event->hw.prev_count);
60853 - atomic64_set(&event->hw.prev_count, now);
60854 - atomic64_add(now - prev, &event->count);
60855 + prev = atomic64_read_unchecked(&event->hw.prev_count);
60856 + atomic64_set_unchecked(&event->hw.prev_count, now);
60857 + atomic64_add_unchecked(now - prev, &event->count);
60860 static int cpu_clock_perf_event_enable(struct perf_event *event)
60861 @@ -4054,7 +4054,7 @@ static int cpu_clock_perf_event_enable(s
60862 struct hw_perf_event *hwc = &event->hw;
60863 int cpu = raw_smp_processor_id();
60865 - atomic64_set(&hwc->prev_count, cpu_clock(cpu));
60866 + atomic64_set_unchecked(&hwc->prev_count, cpu_clock(cpu));
60867 perf_swevent_start_hrtimer(event);
60870 @@ -4086,9 +4086,9 @@ static void task_clock_perf_event_update
60874 - prev = atomic64_xchg(&event->hw.prev_count, now);
60875 + prev = atomic64_xchg_unchecked(&event->hw.prev_count, now);
60876 delta = now - prev;
60877 - atomic64_add(delta, &event->count);
60878 + atomic64_add_unchecked(delta, &event->count);
60881 static int task_clock_perf_event_enable(struct perf_event *event)
60882 @@ -4098,7 +4098,7 @@ static int task_clock_perf_event_enable(
60884 now = event->ctx->time;
60886 - atomic64_set(&hwc->prev_count, now);
60887 + atomic64_set_unchecked(&hwc->prev_count, now);
60889 perf_swevent_start_hrtimer(event);
60891 @@ -4293,7 +4293,7 @@ perf_event_alloc(struct perf_event_attr
60892 event->parent = parent_event;
60894 event->ns = get_pid_ns(current->nsproxy->pid_ns);
60895 - event->id = atomic64_inc_return(&perf_event_id);
60896 + event->id = atomic64_inc_return_unchecked(&perf_event_id);
60898 event->state = PERF_EVENT_STATE_INACTIVE;
60900 @@ -4724,15 +4724,15 @@ static void sync_child_event(struct perf
60901 if (child_event->attr.inherit_stat)
60902 perf_event_read_event(child_event, child);
60904 - child_val = atomic64_read(&child_event->count);
60905 + child_val = atomic64_read_unchecked(&child_event->count);
60908 * Add back the child's count to the parent's count:
60910 - atomic64_add(child_val, &parent_event->count);
60911 - atomic64_add(child_event->total_time_enabled,
60912 + atomic64_add_unchecked(child_val, &parent_event->count);
60913 + atomic64_add_unchecked(child_event->total_time_enabled,
60914 &parent_event->child_total_time_enabled);
60915 - atomic64_add(child_event->total_time_running,
60916 + atomic64_add_unchecked(child_event->total_time_running,
60917 &parent_event->child_total_time_running);
60920 diff -urNp linux-2.6.32.42/kernel/pid.c linux-2.6.32.42/kernel/pid.c
60921 --- linux-2.6.32.42/kernel/pid.c 2011-04-22 19:16:29.000000000 -0400
60922 +++ linux-2.6.32.42/kernel/pid.c 2011-04-18 19:22:38.000000000 -0400
60924 #include <linux/rculist.h>
60925 #include <linux/bootmem.h>
60926 #include <linux/hash.h>
60927 +#include <linux/security.h>
60928 #include <linux/pid_namespace.h>
60929 #include <linux/init_task.h>
60930 #include <linux/syscalls.h>
60931 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
60933 int pid_max = PID_MAX_DEFAULT;
60935 -#define RESERVED_PIDS 300
60936 +#define RESERVED_PIDS 500
60938 int pid_max_min = RESERVED_PIDS + 1;
60939 int pid_max_max = PID_MAX_LIMIT;
60940 @@ -383,7 +384,14 @@ EXPORT_SYMBOL(pid_task);
60942 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
60944 - return pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
60945 + struct task_struct *task;
60947 + task = pid_task(find_pid_ns(nr, ns), PIDTYPE_PID);
60949 + if (gr_pid_is_chrooted(task))
60955 struct task_struct *find_task_by_vpid(pid_t vnr)
60956 diff -urNp linux-2.6.32.42/kernel/posix-cpu-timers.c linux-2.6.32.42/kernel/posix-cpu-timers.c
60957 --- linux-2.6.32.42/kernel/posix-cpu-timers.c 2011-03-27 14:31:47.000000000 -0400
60958 +++ linux-2.6.32.42/kernel/posix-cpu-timers.c 2011-04-17 15:56:46.000000000 -0400
60960 #include <linux/posix-timers.h>
60961 #include <linux/errno.h>
60962 #include <linux/math64.h>
60963 +#include <linux/security.h>
60964 #include <asm/uaccess.h>
60965 #include <linux/kernel_stat.h>
60966 #include <trace/events/timer.h>
60967 diff -urNp linux-2.6.32.42/kernel/posix-timers.c linux-2.6.32.42/kernel/posix-timers.c
60968 --- linux-2.6.32.42/kernel/posix-timers.c 2011-03-27 14:31:47.000000000 -0400
60969 +++ linux-2.6.32.42/kernel/posix-timers.c 2011-05-16 21:46:57.000000000 -0400
60971 #include <linux/compiler.h>
60972 #include <linux/idr.h>
60973 #include <linux/posix-timers.h>
60974 +#include <linux/grsecurity.h>
60975 #include <linux/syscalls.h>
60976 #include <linux/wait.h>
60977 #include <linux/workqueue.h>
60978 @@ -296,6 +297,8 @@ static __init int init_posix_timers(void
60979 .nsleep = no_nsleep,
60982 + pax_track_stack();
60984 register_posix_clock(CLOCK_REALTIME, &clock_realtime);
60985 register_posix_clock(CLOCK_MONOTONIC, &clock_monotonic);
60986 register_posix_clock(CLOCK_MONOTONIC_RAW, &clock_monotonic_raw);
60987 @@ -948,6 +951,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
60988 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
60991 + /* only the CLOCK_REALTIME clock can be set, all other clocks
60992 + have their clock_set fptr set to a nosettime dummy function
60993 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
60994 + call common_clock_set, which calls do_sys_settimeofday, which
60998 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
61001 diff -urNp linux-2.6.32.42/kernel/power/hibernate.c linux-2.6.32.42/kernel/power/hibernate.c
61002 --- linux-2.6.32.42/kernel/power/hibernate.c 2011-03-27 14:31:47.000000000 -0400
61003 +++ linux-2.6.32.42/kernel/power/hibernate.c 2011-04-17 15:56:46.000000000 -0400
61004 @@ -48,14 +48,14 @@ enum {
61006 static int hibernation_mode = HIBERNATION_SHUTDOWN;
61008 -static struct platform_hibernation_ops *hibernation_ops;
61009 +static const struct platform_hibernation_ops *hibernation_ops;
61012 * hibernation_set_ops - set the global hibernate operations
61013 * @ops: the hibernation operations to use in subsequent hibernation transitions
61016 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
61017 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
61019 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
61020 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
61021 diff -urNp linux-2.6.32.42/kernel/power/poweroff.c linux-2.6.32.42/kernel/power/poweroff.c
61022 --- linux-2.6.32.42/kernel/power/poweroff.c 2011-03-27 14:31:47.000000000 -0400
61023 +++ linux-2.6.32.42/kernel/power/poweroff.c 2011-04-17 15:56:46.000000000 -0400
61024 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
61025 .enable_mask = SYSRQ_ENABLE_BOOT,
61028 -static int pm_sysrq_init(void)
61029 +static int __init pm_sysrq_init(void)
61031 register_sysrq_key('o', &sysrq_poweroff_op);
61033 diff -urNp linux-2.6.32.42/kernel/power/process.c linux-2.6.32.42/kernel/power/process.c
61034 --- linux-2.6.32.42/kernel/power/process.c 2011-03-27 14:31:47.000000000 -0400
61035 +++ linux-2.6.32.42/kernel/power/process.c 2011-04-17 15:56:46.000000000 -0400
61036 @@ -37,12 +37,15 @@ static int try_to_freeze_tasks(bool sig_
61037 struct timeval start, end;
61038 u64 elapsed_csecs64;
61039 unsigned int elapsed_csecs;
61040 + bool timedout = false;
61042 do_gettimeofday(&start);
61044 end_time = jiffies + TIMEOUT;
61047 + if (time_after(jiffies, end_time))
61049 read_lock(&tasklist_lock);
61050 do_each_thread(g, p) {
61051 if (frozen(p) || !freezeable(p))
61052 @@ -57,15 +60,17 @@ static int try_to_freeze_tasks(bool sig_
61053 * It is "frozen enough". If the task does wake
61054 * up, it will immediately call try_to_freeze.
61056 - if (!task_is_stopped_or_traced(p) &&
61057 - !freezer_should_skip(p))
61058 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
61061 + printk(KERN_ERR "Task refusing to freeze:\n");
61062 + sched_show_task(p);
61065 } while_each_thread(g, p);
61066 read_unlock(&tasklist_lock);
61067 yield(); /* Yield is okay here */
61068 - if (time_after(jiffies, end_time))
61071 + } while (todo && !timedout);
61073 do_gettimeofday(&end);
61074 elapsed_csecs64 = timeval_to_ns(&end) - timeval_to_ns(&start);
61075 diff -urNp linux-2.6.32.42/kernel/power/suspend.c linux-2.6.32.42/kernel/power/suspend.c
61076 --- linux-2.6.32.42/kernel/power/suspend.c 2011-03-27 14:31:47.000000000 -0400
61077 +++ linux-2.6.32.42/kernel/power/suspend.c 2011-04-17 15:56:46.000000000 -0400
61078 @@ -23,13 +23,13 @@ const char *const pm_states[PM_SUSPEND_M
61079 [PM_SUSPEND_MEM] = "mem",
61082 -static struct platform_suspend_ops *suspend_ops;
61083 +static const struct platform_suspend_ops *suspend_ops;
61086 * suspend_set_ops - Set the global suspend method table.
61087 * @ops: Pointer to ops structure.
61089 -void suspend_set_ops(struct platform_suspend_ops *ops)
61090 +void suspend_set_ops(const struct platform_suspend_ops *ops)
61092 mutex_lock(&pm_mutex);
61094 diff -urNp linux-2.6.32.42/kernel/printk.c linux-2.6.32.42/kernel/printk.c
61095 --- linux-2.6.32.42/kernel/printk.c 2011-03-27 14:31:47.000000000 -0400
61096 +++ linux-2.6.32.42/kernel/printk.c 2011-04-17 15:56:46.000000000 -0400
61097 @@ -278,6 +278,11 @@ int do_syslog(int type, char __user *buf
61101 +#ifdef CONFIG_GRKERNSEC_DMESG
61102 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
61106 error = security_syslog(type);
61109 diff -urNp linux-2.6.32.42/kernel/profile.c linux-2.6.32.42/kernel/profile.c
61110 --- linux-2.6.32.42/kernel/profile.c 2011-03-27 14:31:47.000000000 -0400
61111 +++ linux-2.6.32.42/kernel/profile.c 2011-05-04 17:56:28.000000000 -0400
61112 @@ -39,7 +39,7 @@ struct profile_hit {
61113 /* Oprofile timer tick hook */
61114 static int (*timer_hook)(struct pt_regs *) __read_mostly;
61116 -static atomic_t *prof_buffer;
61117 +static atomic_unchecked_t *prof_buffer;
61118 static unsigned long prof_len, prof_shift;
61120 int prof_on __read_mostly;
61121 @@ -283,7 +283,7 @@ static void profile_flip_buffers(void)
61125 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
61126 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
61127 hits[i].hits = hits[i].pc = 0;
61130 @@ -346,9 +346,9 @@ void profile_hits(int type, void *__pc,
61131 * Add the current hit(s) and flush the write-queue out
61132 * to the global buffer:
61134 - atomic_add(nr_hits, &prof_buffer[pc]);
61135 + atomic_add_unchecked(nr_hits, &prof_buffer[pc]);
61136 for (i = 0; i < NR_PROFILE_HIT; ++i) {
61137 - atomic_add(hits[i].hits, &prof_buffer[hits[i].pc]);
61138 + atomic_add_unchecked(hits[i].hits, &prof_buffer[hits[i].pc]);
61139 hits[i].pc = hits[i].hits = 0;
61142 @@ -426,7 +426,7 @@ void profile_hits(int type, void *__pc,
61143 if (prof_on != type || !prof_buffer)
61145 pc = ((unsigned long)__pc - (unsigned long)_stext) >> prof_shift;
61146 - atomic_add(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
61147 + atomic_add_unchecked(nr_hits, &prof_buffer[min(pc, prof_len - 1)]);
61149 #endif /* !CONFIG_SMP */
61150 EXPORT_SYMBOL_GPL(profile_hits);
61151 @@ -517,7 +517,7 @@ read_profile(struct file *file, char __u
61153 buf++; p++; count--; read++;
61155 - pnt = (char *)prof_buffer + p - sizeof(atomic_t);
61156 + pnt = (char *)prof_buffer + p - sizeof(atomic_unchecked_t);
61157 if (copy_to_user(buf, (void *)pnt, count))
61160 @@ -548,7 +548,7 @@ static ssize_t write_profile(struct file
61163 profile_discard_flip_buffers();
61164 - memset(prof_buffer, 0, prof_len * sizeof(atomic_t));
61165 + memset(prof_buffer, 0, prof_len * sizeof(atomic_unchecked_t));
61169 diff -urNp linux-2.6.32.42/kernel/ptrace.c linux-2.6.32.42/kernel/ptrace.c
61170 --- linux-2.6.32.42/kernel/ptrace.c 2011-03-27 14:31:47.000000000 -0400
61171 +++ linux-2.6.32.42/kernel/ptrace.c 2011-05-22 23:02:06.000000000 -0400
61172 @@ -117,7 +117,8 @@ int ptrace_check_attach(struct task_stru
61176 -int __ptrace_may_access(struct task_struct *task, unsigned int mode)
61177 +static int __ptrace_may_access(struct task_struct *task, unsigned int mode,
61178 + unsigned int log)
61180 const struct cred *cred = current_cred(), *tcred;
61182 @@ -141,7 +142,9 @@ int __ptrace_may_access(struct task_stru
61183 cred->gid != tcred->egid ||
61184 cred->gid != tcred->sgid ||
61185 cred->gid != tcred->gid) &&
61186 - !capable(CAP_SYS_PTRACE)) {
61187 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
61188 + (log && !capable(CAP_SYS_PTRACE)))
61193 @@ -149,7 +152,9 @@ int __ptrace_may_access(struct task_stru
61196 dumpable = get_dumpable(task->mm);
61197 - if (!dumpable && !capable(CAP_SYS_PTRACE))
61199 + ((!log && !capable_nolog(CAP_SYS_PTRACE)) ||
61200 + (log && !capable(CAP_SYS_PTRACE))))
61203 return security_ptrace_access_check(task, mode);
61204 @@ -159,7 +164,16 @@ bool ptrace_may_access(struct task_struc
61208 - err = __ptrace_may_access(task, mode);
61209 + err = __ptrace_may_access(task, mode, 0);
61210 + task_unlock(task);
61214 +bool ptrace_may_access_log(struct task_struct *task, unsigned int mode)
61218 + err = __ptrace_may_access(task, mode, 1);
61222 @@ -186,7 +200,7 @@ int ptrace_attach(struct task_struct *ta
61226 - retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH);
61227 + retval = __ptrace_may_access(task, PTRACE_MODE_ATTACH, 1);
61231 @@ -199,7 +213,7 @@ int ptrace_attach(struct task_struct *ta
61232 goto unlock_tasklist;
61234 task->ptrace = PT_PTRACED;
61235 - if (capable(CAP_SYS_PTRACE))
61236 + if (capable_nolog(CAP_SYS_PTRACE))
61237 task->ptrace |= PT_PTRACE_CAP;
61239 __ptrace_link(task, current);
61240 @@ -351,6 +365,8 @@ int ptrace_readdata(struct task_struct *
61244 + pax_track_stack();
61248 int this_len, retval;
61249 @@ -376,6 +392,8 @@ int ptrace_writedata(struct task_struct
61253 + pax_track_stack();
61257 int this_len, retval;
61258 @@ -517,6 +535,8 @@ int ptrace_request(struct task_struct *c
61262 + pax_track_stack();
61265 case PTRACE_PEEKTEXT:
61266 case PTRACE_PEEKDATA:
61267 @@ -532,18 +552,18 @@ int ptrace_request(struct task_struct *c
61268 ret = ptrace_setoptions(child, data);
61270 case PTRACE_GETEVENTMSG:
61271 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
61272 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
61275 case PTRACE_GETSIGINFO:
61276 ret = ptrace_getsiginfo(child, &siginfo);
61278 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
61279 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
61283 case PTRACE_SETSIGINFO:
61284 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
61285 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
61289 @@ -621,14 +641,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
61293 + if (gr_handle_ptrace(child, request)) {
61295 + goto out_put_task_struct;
61298 if (request == PTRACE_ATTACH) {
61299 ret = ptrace_attach(child);
61301 * Some architectures need to do book-keeping after
61306 arch_ptrace_attach(child);
61307 + gr_audit_ptrace(child);
61309 goto out_put_task_struct;
61312 @@ -653,7 +680,7 @@ int generic_ptrace_peekdata(struct task_
61313 copied = access_process_vm(tsk, addr, &tmp, sizeof(tmp), 0);
61314 if (copied != sizeof(tmp))
61316 - return put_user(tmp, (unsigned long __user *)data);
61317 + return put_user(tmp, (__force unsigned long __user *)data);
61320 int generic_ptrace_pokedata(struct task_struct *tsk, long addr, long data)
61321 @@ -675,6 +702,8 @@ int compat_ptrace_request(struct task_st
61325 + pax_track_stack();
61328 case PTRACE_PEEKTEXT:
61329 case PTRACE_PEEKDATA:
61330 @@ -740,14 +769,21 @@ asmlinkage long compat_sys_ptrace(compat
61334 + if (gr_handle_ptrace(child, request)) {
61336 + goto out_put_task_struct;
61339 if (request == PTRACE_ATTACH) {
61340 ret = ptrace_attach(child);
61342 * Some architectures need to do book-keeping after
61347 arch_ptrace_attach(child);
61348 + gr_audit_ptrace(child);
61350 goto out_put_task_struct;
61353 diff -urNp linux-2.6.32.42/kernel/rcutorture.c linux-2.6.32.42/kernel/rcutorture.c
61354 --- linux-2.6.32.42/kernel/rcutorture.c 2011-03-27 14:31:47.000000000 -0400
61355 +++ linux-2.6.32.42/kernel/rcutorture.c 2011-05-04 17:56:28.000000000 -0400
61356 @@ -118,12 +118,12 @@ static DEFINE_PER_CPU(long [RCU_TORTURE_
61358 static DEFINE_PER_CPU(long [RCU_TORTURE_PIPE_LEN + 1], rcu_torture_batch) =
61360 -static atomic_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
61361 -static atomic_t n_rcu_torture_alloc;
61362 -static atomic_t n_rcu_torture_alloc_fail;
61363 -static atomic_t n_rcu_torture_free;
61364 -static atomic_t n_rcu_torture_mberror;
61365 -static atomic_t n_rcu_torture_error;
61366 +static atomic_unchecked_t rcu_torture_wcount[RCU_TORTURE_PIPE_LEN + 1];
61367 +static atomic_unchecked_t n_rcu_torture_alloc;
61368 +static atomic_unchecked_t n_rcu_torture_alloc_fail;
61369 +static atomic_unchecked_t n_rcu_torture_free;
61370 +static atomic_unchecked_t n_rcu_torture_mberror;
61371 +static atomic_unchecked_t n_rcu_torture_error;
61372 static long n_rcu_torture_timers;
61373 static struct list_head rcu_torture_removed;
61374 static cpumask_var_t shuffle_tmp_mask;
61375 @@ -187,11 +187,11 @@ rcu_torture_alloc(void)
61377 spin_lock_bh(&rcu_torture_lock);
61378 if (list_empty(&rcu_torture_freelist)) {
61379 - atomic_inc(&n_rcu_torture_alloc_fail);
61380 + atomic_inc_unchecked(&n_rcu_torture_alloc_fail);
61381 spin_unlock_bh(&rcu_torture_lock);
61384 - atomic_inc(&n_rcu_torture_alloc);
61385 + atomic_inc_unchecked(&n_rcu_torture_alloc);
61386 p = rcu_torture_freelist.next;
61388 spin_unlock_bh(&rcu_torture_lock);
61389 @@ -204,7 +204,7 @@ rcu_torture_alloc(void)
61391 rcu_torture_free(struct rcu_torture *p)
61393 - atomic_inc(&n_rcu_torture_free);
61394 + atomic_inc_unchecked(&n_rcu_torture_free);
61395 spin_lock_bh(&rcu_torture_lock);
61396 list_add_tail(&p->rtort_free, &rcu_torture_freelist);
61397 spin_unlock_bh(&rcu_torture_lock);
61398 @@ -319,7 +319,7 @@ rcu_torture_cb(struct rcu_head *p)
61399 i = rp->rtort_pipe_count;
61400 if (i > RCU_TORTURE_PIPE_LEN)
61401 i = RCU_TORTURE_PIPE_LEN;
61402 - atomic_inc(&rcu_torture_wcount[i]);
61403 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
61404 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
61405 rp->rtort_mbtest = 0;
61406 rcu_torture_free(rp);
61407 @@ -359,7 +359,7 @@ static void rcu_sync_torture_deferred_fr
61408 i = rp->rtort_pipe_count;
61409 if (i > RCU_TORTURE_PIPE_LEN)
61410 i = RCU_TORTURE_PIPE_LEN;
61411 - atomic_inc(&rcu_torture_wcount[i]);
61412 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
61413 if (++rp->rtort_pipe_count >= RCU_TORTURE_PIPE_LEN) {
61414 rp->rtort_mbtest = 0;
61415 list_del(&rp->rtort_free);
61416 @@ -653,7 +653,7 @@ rcu_torture_writer(void *arg)
61417 i = old_rp->rtort_pipe_count;
61418 if (i > RCU_TORTURE_PIPE_LEN)
61419 i = RCU_TORTURE_PIPE_LEN;
61420 - atomic_inc(&rcu_torture_wcount[i]);
61421 + atomic_inc_unchecked(&rcu_torture_wcount[i]);
61422 old_rp->rtort_pipe_count++;
61423 cur_ops->deferred_free(old_rp);
61425 @@ -718,7 +718,7 @@ static void rcu_torture_timer(unsigned l
61428 if (p->rtort_mbtest == 0)
61429 - atomic_inc(&n_rcu_torture_mberror);
61430 + atomic_inc_unchecked(&n_rcu_torture_mberror);
61431 spin_lock(&rand_lock);
61432 cur_ops->read_delay(&rand);
61433 n_rcu_torture_timers++;
61434 @@ -776,7 +776,7 @@ rcu_torture_reader(void *arg)
61437 if (p->rtort_mbtest == 0)
61438 - atomic_inc(&n_rcu_torture_mberror);
61439 + atomic_inc_unchecked(&n_rcu_torture_mberror);
61440 cur_ops->read_delay(&rand);
61442 pipe_count = p->rtort_pipe_count;
61443 @@ -834,17 +834,17 @@ rcu_torture_printk(char *page)
61444 rcu_torture_current,
61445 rcu_torture_current_version,
61446 list_empty(&rcu_torture_freelist),
61447 - atomic_read(&n_rcu_torture_alloc),
61448 - atomic_read(&n_rcu_torture_alloc_fail),
61449 - atomic_read(&n_rcu_torture_free),
61450 - atomic_read(&n_rcu_torture_mberror),
61451 + atomic_read_unchecked(&n_rcu_torture_alloc),
61452 + atomic_read_unchecked(&n_rcu_torture_alloc_fail),
61453 + atomic_read_unchecked(&n_rcu_torture_free),
61454 + atomic_read_unchecked(&n_rcu_torture_mberror),
61455 n_rcu_torture_timers);
61456 - if (atomic_read(&n_rcu_torture_mberror) != 0)
61457 + if (atomic_read_unchecked(&n_rcu_torture_mberror) != 0)
61458 cnt += sprintf(&page[cnt], " !!!");
61459 cnt += sprintf(&page[cnt], "\n%s%s ", torture_type, TORTURE_FLAG);
61461 cnt += sprintf(&page[cnt], "!!! ");
61462 - atomic_inc(&n_rcu_torture_error);
61463 + atomic_inc_unchecked(&n_rcu_torture_error);
61466 cnt += sprintf(&page[cnt], "Reader Pipe: ");
61467 @@ -858,7 +858,7 @@ rcu_torture_printk(char *page)
61468 cnt += sprintf(&page[cnt], "Free-Block Circulation: ");
61469 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
61470 cnt += sprintf(&page[cnt], " %d",
61471 - atomic_read(&rcu_torture_wcount[i]));
61472 + atomic_read_unchecked(&rcu_torture_wcount[i]));
61474 cnt += sprintf(&page[cnt], "\n");
61475 if (cur_ops->stats)
61476 @@ -1084,7 +1084,7 @@ rcu_torture_cleanup(void)
61478 if (cur_ops->cleanup)
61479 cur_ops->cleanup();
61480 - if (atomic_read(&n_rcu_torture_error))
61481 + if (atomic_read_unchecked(&n_rcu_torture_error))
61482 rcu_torture_print_module_parms("End of test: FAILURE");
61484 rcu_torture_print_module_parms("End of test: SUCCESS");
61485 @@ -1138,13 +1138,13 @@ rcu_torture_init(void)
61487 rcu_torture_current = NULL;
61488 rcu_torture_current_version = 0;
61489 - atomic_set(&n_rcu_torture_alloc, 0);
61490 - atomic_set(&n_rcu_torture_alloc_fail, 0);
61491 - atomic_set(&n_rcu_torture_free, 0);
61492 - atomic_set(&n_rcu_torture_mberror, 0);
61493 - atomic_set(&n_rcu_torture_error, 0);
61494 + atomic_set_unchecked(&n_rcu_torture_alloc, 0);
61495 + atomic_set_unchecked(&n_rcu_torture_alloc_fail, 0);
61496 + atomic_set_unchecked(&n_rcu_torture_free, 0);
61497 + atomic_set_unchecked(&n_rcu_torture_mberror, 0);
61498 + atomic_set_unchecked(&n_rcu_torture_error, 0);
61499 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++)
61500 - atomic_set(&rcu_torture_wcount[i], 0);
61501 + atomic_set_unchecked(&rcu_torture_wcount[i], 0);
61502 for_each_possible_cpu(cpu) {
61503 for (i = 0; i < RCU_TORTURE_PIPE_LEN + 1; i++) {
61504 per_cpu(rcu_torture_count, cpu)[i] = 0;
61505 diff -urNp linux-2.6.32.42/kernel/rcutree.c linux-2.6.32.42/kernel/rcutree.c
61506 --- linux-2.6.32.42/kernel/rcutree.c 2011-03-27 14:31:47.000000000 -0400
61507 +++ linux-2.6.32.42/kernel/rcutree.c 2011-04-17 15:56:46.000000000 -0400
61508 @@ -1303,7 +1303,7 @@ __rcu_process_callbacks(struct rcu_state
61510 * Do softirq processing for the current CPU.
61512 -static void rcu_process_callbacks(struct softirq_action *unused)
61513 +static void rcu_process_callbacks(void)
61516 * Memory references from any prior RCU read-side critical sections
61517 diff -urNp linux-2.6.32.42/kernel/rcutree_plugin.h linux-2.6.32.42/kernel/rcutree_plugin.h
61518 --- linux-2.6.32.42/kernel/rcutree_plugin.h 2011-03-27 14:31:47.000000000 -0400
61519 +++ linux-2.6.32.42/kernel/rcutree_plugin.h 2011-04-17 15:56:46.000000000 -0400
61520 @@ -145,7 +145,7 @@ static void rcu_preempt_note_context_swi
61522 void __rcu_read_lock(void)
61524 - ACCESS_ONCE(current->rcu_read_lock_nesting)++;
61525 + ACCESS_ONCE_RW(current->rcu_read_lock_nesting)++;
61526 barrier(); /* needed if we ever invoke rcu_read_lock in rcutree.c */
61528 EXPORT_SYMBOL_GPL(__rcu_read_lock);
61529 @@ -251,7 +251,7 @@ void __rcu_read_unlock(void)
61530 struct task_struct *t = current;
61532 barrier(); /* needed if we ever invoke rcu_read_unlock in rcutree.c */
61533 - if (--ACCESS_ONCE(t->rcu_read_lock_nesting) == 0 &&
61534 + if (--ACCESS_ONCE_RW(t->rcu_read_lock_nesting) == 0 &&
61535 unlikely(ACCESS_ONCE(t->rcu_read_unlock_special)))
61536 rcu_read_unlock_special(t);
61538 diff -urNp linux-2.6.32.42/kernel/relay.c linux-2.6.32.42/kernel/relay.c
61539 --- linux-2.6.32.42/kernel/relay.c 2011-03-27 14:31:47.000000000 -0400
61540 +++ linux-2.6.32.42/kernel/relay.c 2011-05-16 21:46:57.000000000 -0400
61541 @@ -1222,7 +1222,7 @@ static int subbuf_splice_actor(struct fi
61542 unsigned int flags,
61545 - unsigned int pidx, poff, total_len, subbuf_pages, nr_pages, ret;
61546 + unsigned int pidx, poff, total_len, subbuf_pages, nr_pages;
61547 struct rchan_buf *rbuf = in->private_data;
61548 unsigned int subbuf_size = rbuf->chan->subbuf_size;
61549 uint64_t pos = (uint64_t) *ppos;
61550 @@ -1241,6 +1241,9 @@ static int subbuf_splice_actor(struct fi
61551 .ops = &relay_pipe_buf_ops,
61552 .spd_release = relay_page_release,
61556 + pax_track_stack();
61558 if (rbuf->subbufs_produced == rbuf->subbufs_consumed)
61560 diff -urNp linux-2.6.32.42/kernel/resource.c linux-2.6.32.42/kernel/resource.c
61561 --- linux-2.6.32.42/kernel/resource.c 2011-03-27 14:31:47.000000000 -0400
61562 +++ linux-2.6.32.42/kernel/resource.c 2011-04-17 15:56:46.000000000 -0400
61563 @@ -132,8 +132,18 @@ static const struct file_operations proc
61565 static int __init ioresources_init(void)
61567 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
61568 +#ifdef CONFIG_GRKERNSEC_PROC_USER
61569 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
61570 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
61571 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
61572 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
61573 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
61576 proc_create("ioports", 0, NULL, &proc_ioports_operations);
61577 proc_create("iomem", 0, NULL, &proc_iomem_operations);
61581 __initcall(ioresources_init);
61582 diff -urNp linux-2.6.32.42/kernel/rtmutex.c linux-2.6.32.42/kernel/rtmutex.c
61583 --- linux-2.6.32.42/kernel/rtmutex.c 2011-03-27 14:31:47.000000000 -0400
61584 +++ linux-2.6.32.42/kernel/rtmutex.c 2011-04-17 15:56:46.000000000 -0400
61585 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
61587 spin_lock_irqsave(&pendowner->pi_lock, flags);
61589 - WARN_ON(!pendowner->pi_blocked_on);
61590 + BUG_ON(!pendowner->pi_blocked_on);
61591 WARN_ON(pendowner->pi_blocked_on != waiter);
61592 WARN_ON(pendowner->pi_blocked_on->lock != lock);
61594 diff -urNp linux-2.6.32.42/kernel/rtmutex-tester.c linux-2.6.32.42/kernel/rtmutex-tester.c
61595 --- linux-2.6.32.42/kernel/rtmutex-tester.c 2011-03-27 14:31:47.000000000 -0400
61596 +++ linux-2.6.32.42/kernel/rtmutex-tester.c 2011-05-04 17:56:28.000000000 -0400
61598 #define MAX_RT_TEST_MUTEXES 8
61600 static spinlock_t rttest_lock;
61601 -static atomic_t rttest_event;
61602 +static atomic_unchecked_t rttest_event;
61604 struct test_thread_data {
61606 @@ -64,7 +64,7 @@ static int handle_op(struct test_thread_
61608 case RTTEST_LOCKCONT:
61609 td->mutexes[td->opdata] = 1;
61610 - td->event = atomic_add_return(1, &rttest_event);
61611 + td->event = atomic_add_return_unchecked(1, &rttest_event);
61615 @@ -82,7 +82,7 @@ static int handle_op(struct test_thread_
61618 case RTTEST_RESETEVENT:
61619 - atomic_set(&rttest_event, 0);
61620 + atomic_set_unchecked(&rttest_event, 0);
61624 @@ -99,9 +99,9 @@ static int handle_op(struct test_thread_
61627 td->mutexes[id] = 1;
61628 - td->event = atomic_add_return(1, &rttest_event);
61629 + td->event = atomic_add_return_unchecked(1, &rttest_event);
61630 rt_mutex_lock(&mutexes[id]);
61631 - td->event = atomic_add_return(1, &rttest_event);
61632 + td->event = atomic_add_return_unchecked(1, &rttest_event);
61633 td->mutexes[id] = 4;
61636 @@ -112,9 +112,9 @@ static int handle_op(struct test_thread_
61639 td->mutexes[id] = 1;
61640 - td->event = atomic_add_return(1, &rttest_event);
61641 + td->event = atomic_add_return_unchecked(1, &rttest_event);
61642 ret = rt_mutex_lock_interruptible(&mutexes[id], 0);
61643 - td->event = atomic_add_return(1, &rttest_event);
61644 + td->event = atomic_add_return_unchecked(1, &rttest_event);
61645 td->mutexes[id] = ret ? 0 : 4;
61646 return ret ? -EINTR : 0;
61648 @@ -123,9 +123,9 @@ static int handle_op(struct test_thread_
61649 if (id < 0 || id >= MAX_RT_TEST_MUTEXES || td->mutexes[id] != 4)
61652 - td->event = atomic_add_return(1, &rttest_event);
61653 + td->event = atomic_add_return_unchecked(1, &rttest_event);
61654 rt_mutex_unlock(&mutexes[id]);
61655 - td->event = atomic_add_return(1, &rttest_event);
61656 + td->event = atomic_add_return_unchecked(1, &rttest_event);
61657 td->mutexes[id] = 0;
61660 @@ -187,7 +187,7 @@ void schedule_rt_mutex_test(struct rt_mu
61663 td->mutexes[dat] = 2;
61664 - td->event = atomic_add_return(1, &rttest_event);
61665 + td->event = atomic_add_return_unchecked(1, &rttest_event);
61668 case RTTEST_LOCKBKL:
61669 @@ -208,7 +208,7 @@ void schedule_rt_mutex_test(struct rt_mu
61672 td->mutexes[dat] = 3;
61673 - td->event = atomic_add_return(1, &rttest_event);
61674 + td->event = atomic_add_return_unchecked(1, &rttest_event);
61677 case RTTEST_LOCKNOWAIT:
61678 @@ -220,7 +220,7 @@ void schedule_rt_mutex_test(struct rt_mu
61681 td->mutexes[dat] = 1;
61682 - td->event = atomic_add_return(1, &rttest_event);
61683 + td->event = atomic_add_return_unchecked(1, &rttest_event);
61686 case RTTEST_LOCKBKL:
61687 diff -urNp linux-2.6.32.42/kernel/sched.c linux-2.6.32.42/kernel/sched.c
61688 --- linux-2.6.32.42/kernel/sched.c 2011-03-27 14:31:47.000000000 -0400
61689 +++ linux-2.6.32.42/kernel/sched.c 2011-05-22 23:02:06.000000000 -0400
61690 @@ -5043,7 +5043,7 @@ out:
61691 * In CONFIG_NO_HZ case, the idle load balance owner will do the
61692 * rebalancing for all the cpus for whom scheduler ticks are stopped.
61694 -static void run_rebalance_domains(struct softirq_action *h)
61695 +static void run_rebalance_domains(void)
61697 int this_cpu = smp_processor_id();
61698 struct rq *this_rq = cpu_rq(this_cpu);
61699 @@ -5700,6 +5700,8 @@ asmlinkage void __sched schedule(void)
61703 + pax_track_stack();
61707 cpu = smp_processor_id();
61708 @@ -5770,7 +5772,7 @@ EXPORT_SYMBOL(schedule);
61709 * Look out! "owner" is an entirely speculative pointer
61710 * access and not reliable.
61712 -int mutex_spin_on_owner(struct mutex *lock, struct thread_info *owner)
61713 +int mutex_spin_on_owner(struct mutex *lock, struct task_struct *owner)
61717 @@ -5784,10 +5786,10 @@ int mutex_spin_on_owner(struct mutex *lo
61718 * DEBUG_PAGEALLOC could have unmapped it if
61719 * the mutex owner just released it and exited.
61721 - if (probe_kernel_address(&owner->cpu, cpu))
61722 + if (probe_kernel_address(&task_thread_info(owner)->cpu, cpu))
61725 - cpu = owner->cpu;
61726 + cpu = task_thread_info(owner)->cpu;
61730 @@ -5816,7 +5818,7 @@ int mutex_spin_on_owner(struct mutex *lo
61732 * Is that owner really running on that cpu?
61734 - if (task_thread_info(rq->curr) != owner || need_resched())
61735 + if (rq->curr != owner || need_resched())
61739 @@ -6359,6 +6361,8 @@ int can_nice(const struct task_struct *p
61740 /* convert nice value [19,-20] to rlimit style value [1,40] */
61741 int nice_rlim = 20 - nice;
61743 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
61745 return (nice_rlim <= p->signal->rlim[RLIMIT_NICE].rlim_cur ||
61746 capable(CAP_SYS_NICE));
61748 @@ -6392,7 +6396,8 @@ SYSCALL_DEFINE1(nice, int, increment)
61752 - if (increment < 0 && !can_nice(current, nice))
61753 + if (increment < 0 && (!can_nice(current, nice) ||
61754 + gr_handle_chroot_nice()))
61757 retval = security_task_setnice(current, nice);
61758 @@ -8774,7 +8779,7 @@ static void init_sched_groups_power(int
61762 - WARN_ON(!sd || !sd->groups);
61763 + BUG_ON(!sd || !sd->groups);
61765 if (cpu != group_first_cpu(sd->groups))
61767 diff -urNp linux-2.6.32.42/kernel/signal.c linux-2.6.32.42/kernel/signal.c
61768 --- linux-2.6.32.42/kernel/signal.c 2011-04-17 17:00:52.000000000 -0400
61769 +++ linux-2.6.32.42/kernel/signal.c 2011-05-22 23:02:06.000000000 -0400
61770 @@ -41,12 +41,12 @@
61772 static struct kmem_cache *sigqueue_cachep;
61774 -static void __user *sig_handler(struct task_struct *t, int sig)
61775 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
61777 return t->sighand->action[sig - 1].sa.sa_handler;
61780 -static int sig_handler_ignored(void __user *handler, int sig)
61781 +static int sig_handler_ignored(__sighandler_t handler, int sig)
61783 /* Is it explicitly or implicitly ignored? */
61784 return handler == SIG_IGN ||
61785 @@ -56,7 +56,7 @@ static int sig_handler_ignored(void __us
61786 static int sig_task_ignored(struct task_struct *t, int sig,
61787 int from_ancestor_ns)
61789 - void __user *handler;
61790 + __sighandler_t handler;
61792 handler = sig_handler(t, sig);
61794 @@ -207,6 +207,9 @@ static struct sigqueue *__sigqueue_alloc
61796 user = get_uid(__task_cred(t)->user);
61797 atomic_inc(&user->sigpending);
61799 + if (!override_rlimit)
61800 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
61801 if (override_rlimit ||
61802 atomic_read(&user->sigpending) <=
61803 t->signal->rlim[RLIMIT_SIGPENDING].rlim_cur)
61804 @@ -327,7 +330,7 @@ flush_signal_handlers(struct task_struct
61806 int unhandled_signal(struct task_struct *tsk, int sig)
61808 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
61809 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
61810 if (is_global_init(tsk))
61812 if (handler != SIG_IGN && handler != SIG_DFL)
61813 @@ -627,6 +630,9 @@ static int check_kill_permission(int sig
61817 + if (gr_handle_signal(t, sig))
61820 return security_task_kill(t, info, sig, 0);
61823 @@ -968,7 +974,7 @@ __group_send_sig_info(int sig, struct si
61824 return send_signal(sig, info, p, 1);
61829 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
61831 return send_signal(sig, info, t, 0);
61832 @@ -1005,6 +1011,7 @@ force_sig_info(int sig, struct siginfo *
61833 unsigned long int flags;
61834 int ret, blocked, ignored;
61835 struct k_sigaction *action;
61836 + int is_unhandled = 0;
61838 spin_lock_irqsave(&t->sighand->siglock, flags);
61839 action = &t->sighand->action[sig-1];
61840 @@ -1019,9 +1026,18 @@ force_sig_info(int sig, struct siginfo *
61842 if (action->sa.sa_handler == SIG_DFL)
61843 t->signal->flags &= ~SIGNAL_UNKILLABLE;
61844 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
61845 + is_unhandled = 1;
61846 ret = specific_send_sig_info(sig, info, t);
61847 spin_unlock_irqrestore(&t->sighand->siglock, flags);
61849 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
61850 + normal operation */
61851 + if (is_unhandled) {
61852 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
61853 + gr_handle_crash(t, sig);
61859 @@ -1081,8 +1097,11 @@ int group_send_sig_info(int sig, struct
61861 int ret = check_kill_permission(sig, info, p);
61864 + if (!ret && sig) {
61865 ret = do_send_sig_info(sig, info, p, true);
61867 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
61872 @@ -1644,6 +1663,8 @@ void ptrace_notify(int exit_code)
61876 + pax_track_stack();
61878 BUG_ON((exit_code & (0x7f | ~0xffff)) != SIGTRAP);
61880 memset(&info, 0, sizeof info);
61881 diff -urNp linux-2.6.32.42/kernel/smp.c linux-2.6.32.42/kernel/smp.c
61882 --- linux-2.6.32.42/kernel/smp.c 2011-03-27 14:31:47.000000000 -0400
61883 +++ linux-2.6.32.42/kernel/smp.c 2011-04-17 15:56:46.000000000 -0400
61884 @@ -522,22 +522,22 @@ int smp_call_function(void (*func)(void
61886 EXPORT_SYMBOL(smp_call_function);
61888 -void ipi_call_lock(void)
61889 +void ipi_call_lock(void) __acquires(call_function.lock)
61891 spin_lock(&call_function.lock);
61894 -void ipi_call_unlock(void)
61895 +void ipi_call_unlock(void) __releases(call_function.lock)
61897 spin_unlock(&call_function.lock);
61900 -void ipi_call_lock_irq(void)
61901 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
61903 spin_lock_irq(&call_function.lock);
61906 -void ipi_call_unlock_irq(void)
61907 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
61909 spin_unlock_irq(&call_function.lock);
61911 diff -urNp linux-2.6.32.42/kernel/softirq.c linux-2.6.32.42/kernel/softirq.c
61912 --- linux-2.6.32.42/kernel/softirq.c 2011-03-27 14:31:47.000000000 -0400
61913 +++ linux-2.6.32.42/kernel/softirq.c 2011-04-17 15:56:46.000000000 -0400
61914 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
61916 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
61918 -char *softirq_to_name[NR_SOFTIRQS] = {
61919 +const char * const softirq_to_name[NR_SOFTIRQS] = {
61920 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
61921 "TASKLET", "SCHED", "HRTIMER", "RCU"
61923 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
61925 asmlinkage void __do_softirq(void)
61927 - struct softirq_action *h;
61928 + const struct softirq_action *h;
61930 int max_restart = MAX_SOFTIRQ_RESTART;
61932 @@ -233,7 +233,7 @@ restart:
61933 kstat_incr_softirqs_this_cpu(h - softirq_vec);
61935 trace_softirq_entry(h, softirq_vec);
61938 trace_softirq_exit(h, softirq_vec);
61939 if (unlikely(prev_count != preempt_count())) {
61940 printk(KERN_ERR "huh, entered softirq %td %s %p"
61941 @@ -363,7 +363,7 @@ void raise_softirq(unsigned int nr)
61942 local_irq_restore(flags);
61945 -void open_softirq(int nr, void (*action)(struct softirq_action *))
61946 +void open_softirq(int nr, void (*action)(void))
61948 softirq_vec[nr].action = action;
61950 @@ -419,7 +419,7 @@ void __tasklet_hi_schedule_first(struct
61952 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
61954 -static void tasklet_action(struct softirq_action *a)
61955 +static void tasklet_action(void)
61957 struct tasklet_struct *list;
61959 @@ -454,7 +454,7 @@ static void tasklet_action(struct softir
61963 -static void tasklet_hi_action(struct softirq_action *a)
61964 +static void tasklet_hi_action(void)
61966 struct tasklet_struct *list;
61968 diff -urNp linux-2.6.32.42/kernel/sys.c linux-2.6.32.42/kernel/sys.c
61969 --- linux-2.6.32.42/kernel/sys.c 2011-03-27 14:31:47.000000000 -0400
61970 +++ linux-2.6.32.42/kernel/sys.c 2011-04-17 15:56:46.000000000 -0400
61971 @@ -133,6 +133,12 @@ static int set_one_prio(struct task_stru
61976 + if (gr_handle_chroot_setpriority(p, niceval)) {
61981 no_nice = security_task_setnice(p, niceval);
61984 @@ -190,10 +196,10 @@ SYSCALL_DEFINE3(setpriority, int, which,
61985 !(user = find_user(who)))
61986 goto out_unlock; /* No processes for this user */
61988 - do_each_thread(g, p)
61989 + do_each_thread(g, p) {
61990 if (__task_cred(p)->uid == who)
61991 error = set_one_prio(p, niceval, error);
61992 - while_each_thread(g, p);
61993 + } while_each_thread(g, p);
61994 if (who != cred->uid)
61995 free_uid(user); /* For find_user() */
61997 @@ -253,13 +259,13 @@ SYSCALL_DEFINE2(getpriority, int, which,
61998 !(user = find_user(who)))
61999 goto out_unlock; /* No processes for this user */
62001 - do_each_thread(g, p)
62002 + do_each_thread(g, p) {
62003 if (__task_cred(p)->uid == who) {
62004 niceval = 20 - task_nice(p);
62005 if (niceval > retval)
62008 - while_each_thread(g, p);
62009 + } while_each_thread(g, p);
62010 if (who != cred->uid)
62011 free_uid(user); /* for find_user() */
62013 @@ -509,6 +515,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
62017 + if (gr_check_group_change(new->gid, new->egid, -1))
62020 if (rgid != (gid_t) -1 ||
62021 (egid != (gid_t) -1 && egid != old->gid))
62022 new->sgid = new->egid;
62023 @@ -542,6 +551,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
62028 + if (gr_check_group_change(gid, gid, gid))
62031 if (capable(CAP_SETGID))
62032 new->gid = new->egid = new->sgid = new->fsgid = gid;
62033 else if (gid == old->gid || gid == old->sgid)
62034 @@ -627,6 +640,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
62038 + if (gr_check_user_change(new->uid, new->euid, -1))
62041 if (new->uid != old->uid) {
62042 retval = set_user(new);
62044 @@ -675,6 +691,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
62049 + if (gr_check_crash_uid(uid))
62051 + if (gr_check_user_change(uid, uid, uid))
62054 if (capable(CAP_SETUID)) {
62055 new->suid = new->uid = uid;
62056 if (uid != old->uid) {
62057 @@ -732,6 +754,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
62061 + if (gr_check_user_change(ruid, euid, -1))
62064 if (ruid != (uid_t) -1) {
62066 if (ruid != old->uid) {
62067 @@ -800,6 +825,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
62071 + if (gr_check_group_change(rgid, egid, -1))
62074 if (rgid != (gid_t) -1)
62076 if (egid != (gid_t) -1)
62077 @@ -849,6 +877,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
62078 if (security_task_setuid(uid, (uid_t)-1, (uid_t)-1, LSM_SETID_FS) < 0)
62081 + if (gr_check_user_change(-1, -1, uid))
62084 if (uid == old->uid || uid == old->euid ||
62085 uid == old->suid || uid == old->fsuid ||
62086 capable(CAP_SETUID)) {
62087 @@ -889,6 +920,9 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
62088 if (gid == old->gid || gid == old->egid ||
62089 gid == old->sgid || gid == old->fsgid ||
62090 capable(CAP_SETGID)) {
62091 + if (gr_check_group_change(-1, -1, gid))
62094 if (gid != old_fsgid) {
62097 @@ -1454,7 +1488,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
62098 error = get_dumpable(me->mm);
62100 case PR_SET_DUMPABLE:
62101 - if (arg2 < 0 || arg2 > 1) {
62106 diff -urNp linux-2.6.32.42/kernel/sysctl.c linux-2.6.32.42/kernel/sysctl.c
62107 --- linux-2.6.32.42/kernel/sysctl.c 2011-03-27 14:31:47.000000000 -0400
62108 +++ linux-2.6.32.42/kernel/sysctl.c 2011-04-17 15:56:46.000000000 -0400
62110 static int deprecated_sysctl_warning(struct __sysctl_args *args);
62112 #if defined(CONFIG_SYSCTL)
62113 +#include <linux/grsecurity.h>
62114 +#include <linux/grinternal.h>
62116 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
62117 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
62119 +extern int gr_handle_chroot_sysctl(const int op);
62121 /* External variables not in a header file. */
62123 @@ -168,6 +175,7 @@ static int proc_do_cad_pid(struct ctl_ta
62124 static int proc_taint(struct ctl_table *table, int write,
62125 void __user *buffer, size_t *lenp, loff_t *ppos);
62127 +extern ctl_table grsecurity_table[];
62129 static struct ctl_table root_table[];
62130 static struct ctl_table_root sysctl_table_root;
62131 @@ -200,6 +208,21 @@ extern struct ctl_table epoll_table[];
62132 int sysctl_legacy_va_layout;
62135 +#ifdef CONFIG_PAX_SOFTMODE
62136 +static ctl_table pax_table[] = {
62138 + .ctl_name = CTL_UNNUMBERED,
62139 + .procname = "softmode",
62140 + .data = &pax_softmode,
62141 + .maxlen = sizeof(unsigned int),
62143 + .proc_handler = &proc_dointvec,
62146 + { .ctl_name = 0 }
62150 extern int prove_locking;
62151 extern int lock_stat;
62153 @@ -251,6 +274,24 @@ static int max_wakeup_granularity_ns = N
62156 static struct ctl_table kern_table[] = {
62157 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
62159 + .ctl_name = CTL_UNNUMBERED,
62160 + .procname = "grsecurity",
62162 + .child = grsecurity_table,
62166 +#ifdef CONFIG_PAX_SOFTMODE
62168 + .ctl_name = CTL_UNNUMBERED,
62169 + .procname = "pax",
62171 + .child = pax_table,
62176 .ctl_name = CTL_UNNUMBERED,
62177 .procname = "sched_child_runs_first",
62178 @@ -567,8 +608,8 @@ static struct ctl_table kern_table[] = {
62179 .data = &modprobe_path,
62180 .maxlen = KMOD_PATH_LEN,
62182 - .proc_handler = &proc_dostring,
62183 - .strategy = &sysctl_string,
62184 + .proc_handler = &proc_dostring_modpriv,
62185 + .strategy = &sysctl_string_modpriv,
62188 .ctl_name = CTL_UNNUMBERED,
62189 @@ -1247,6 +1288,13 @@ static struct ctl_table vm_table[] = {
62191 .proc_handler = &proc_dointvec
62194 + .procname = "heap_stack_gap",
62195 + .data = &sysctl_heap_stack_gap,
62196 + .maxlen = sizeof(sysctl_heap_stack_gap),
62198 + .proc_handler = proc_doulongvec_minmax,
62202 .ctl_name = CTL_UNNUMBERED,
62203 @@ -1803,6 +1851,8 @@ static int do_sysctl_strategy(struct ctl
62207 +static int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op);
62209 static int parse_table(int __user *name, int nlen,
62210 void __user *oldval, size_t __user *oldlenp,
62211 void __user *newval, size_t newlen,
62212 @@ -1821,7 +1871,7 @@ repeat:
62213 if (n == table->ctl_name) {
62215 if (table->child) {
62216 - if (sysctl_perm(root, table, MAY_EXEC))
62217 + if (sysctl_perm_nochk(root, table, MAY_EXEC))
62221 @@ -1906,6 +1956,33 @@ int sysctl_perm(struct ctl_table_root *r
62225 + if (table->parent != NULL && table->parent->procname != NULL &&
62226 + table->procname != NULL &&
62227 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
62229 + if (gr_handle_chroot_sysctl(op))
62231 + error = gr_handle_sysctl(table, op);
62235 + error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
62239 + if (root->permissions)
62240 + mode = root->permissions(root, current->nsproxy, table);
62242 + mode = table->mode;
62244 + return test_perm(mode, op);
62247 +int sysctl_perm_nochk(struct ctl_table_root *root, struct ctl_table *table, int op)
62252 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
62255 @@ -2335,6 +2412,16 @@ int proc_dostring(struct ctl_table *tabl
62256 buffer, lenp, ppos);
62259 +int proc_dostring_modpriv(struct ctl_table *table, int write,
62260 + void __user *buffer, size_t *lenp, loff_t *ppos)
62262 + if (write && !capable(CAP_SYS_MODULE))
62265 + return _proc_do_string(table->data, table->maxlen, write,
62266 + buffer, lenp, ppos);
62270 static int do_proc_dointvec_conv(int *negp, unsigned long *lvalp,
62272 @@ -2609,7 +2696,7 @@ static int __do_proc_doulongvec_minmax(v
62273 vleft = table->maxlen / sizeof(unsigned long);
62276 - for (; left && vleft--; i++, min++, max++, first=0) {
62277 + for (; left && vleft--; i++, first=0) {
62281 @@ -2910,6 +2997,12 @@ int proc_dostring(struct ctl_table *tabl
62285 +int proc_dostring_modpriv(struct ctl_table *table, int write,
62286 + void __user *buffer, size_t *lenp, loff_t *ppos)
62291 int proc_dointvec(struct ctl_table *table, int write,
62292 void __user *buffer, size_t *lenp, loff_t *ppos)
62294 @@ -3038,6 +3131,16 @@ int sysctl_string(struct ctl_table *tabl
62298 +int sysctl_string_modpriv(struct ctl_table *table,
62299 + void __user *oldval, size_t __user *oldlenp,
62300 + void __user *newval, size_t newlen)
62302 + if (newval && newlen && !capable(CAP_SYS_MODULE))
62305 + return sysctl_string(table, oldval, oldlenp, newval, newlen);
62309 * This function makes sure that all of the integers in the vector
62310 * are between the minimum and maximum values given in the arrays
62311 @@ -3182,6 +3285,13 @@ int sysctl_string(struct ctl_table *tabl
62315 +int sysctl_string_modpriv(struct ctl_table *table,
62316 + void __user *oldval, size_t __user *oldlenp,
62317 + void __user *newval, size_t newlen)
62322 int sysctl_intvec(struct ctl_table *table,
62323 void __user *oldval, size_t __user *oldlenp,
62324 void __user *newval, size_t newlen)
62325 @@ -3246,6 +3356,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
62326 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
62327 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
62328 EXPORT_SYMBOL(proc_dostring);
62329 +EXPORT_SYMBOL(proc_dostring_modpriv);
62330 EXPORT_SYMBOL(proc_doulongvec_minmax);
62331 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
62332 EXPORT_SYMBOL(register_sysctl_table);
62333 @@ -3254,5 +3365,6 @@ EXPORT_SYMBOL(sysctl_intvec);
62334 EXPORT_SYMBOL(sysctl_jiffies);
62335 EXPORT_SYMBOL(sysctl_ms_jiffies);
62336 EXPORT_SYMBOL(sysctl_string);
62337 +EXPORT_SYMBOL(sysctl_string_modpriv);
62338 EXPORT_SYMBOL(sysctl_data);
62339 EXPORT_SYMBOL(unregister_sysctl_table);
62340 diff -urNp linux-2.6.32.42/kernel/sysctl_check.c linux-2.6.32.42/kernel/sysctl_check.c
62341 --- linux-2.6.32.42/kernel/sysctl_check.c 2011-03-27 14:31:47.000000000 -0400
62342 +++ linux-2.6.32.42/kernel/sysctl_check.c 2011-04-17 15:56:46.000000000 -0400
62343 @@ -1489,10 +1489,12 @@ int sysctl_check_table(struct nsproxy *n
62345 if ((table->strategy == sysctl_data) ||
62346 (table->strategy == sysctl_string) ||
62347 + (table->strategy == sysctl_string_modpriv) ||
62348 (table->strategy == sysctl_intvec) ||
62349 (table->strategy == sysctl_jiffies) ||
62350 (table->strategy == sysctl_ms_jiffies) ||
62351 (table->proc_handler == proc_dostring) ||
62352 + (table->proc_handler == proc_dostring_modpriv) ||
62353 (table->proc_handler == proc_dointvec) ||
62354 (table->proc_handler == proc_dointvec_minmax) ||
62355 (table->proc_handler == proc_dointvec_jiffies) ||
62356 diff -urNp linux-2.6.32.42/kernel/taskstats.c linux-2.6.32.42/kernel/taskstats.c
62357 --- linux-2.6.32.42/kernel/taskstats.c 2011-03-27 14:31:47.000000000 -0400
62358 +++ linux-2.6.32.42/kernel/taskstats.c 2011-04-17 15:56:46.000000000 -0400
62360 #include <linux/cgroup.h>
62361 #include <linux/fs.h>
62362 #include <linux/file.h>
62363 +#include <linux/grsecurity.h>
62364 #include <net/genetlink.h>
62365 #include <asm/atomic.h>
62367 +extern int gr_is_taskstats_denied(int pid);
62370 * Maximum length of a cpumask that can be specified in
62371 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
62372 @@ -433,6 +436,9 @@ static int taskstats_user_cmd(struct sk_
62374 cpumask_var_t mask;
62376 + if (gr_is_taskstats_denied(current->pid))
62379 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
62382 diff -urNp linux-2.6.32.42/kernel/time/tick-broadcast.c linux-2.6.32.42/kernel/time/tick-broadcast.c
62383 --- linux-2.6.32.42/kernel/time/tick-broadcast.c 2011-05-23 16:56:59.000000000 -0400
62384 +++ linux-2.6.32.42/kernel/time/tick-broadcast.c 2011-05-23 16:57:13.000000000 -0400
62385 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
62386 * then clear the broadcast bit.
62388 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
62389 - int cpu = smp_processor_id();
62390 + cpu = smp_processor_id();
62392 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
62393 tick_broadcast_clear_oneshot(cpu);
62394 diff -urNp linux-2.6.32.42/kernel/time/timekeeping.c linux-2.6.32.42/kernel/time/timekeeping.c
62395 --- linux-2.6.32.42/kernel/time/timekeeping.c 2011-06-25 12:55:35.000000000 -0400
62396 +++ linux-2.6.32.42/kernel/time/timekeeping.c 2011-06-25 12:56:37.000000000 -0400
62398 #include <linux/init.h>
62399 #include <linux/mm.h>
62400 #include <linux/sched.h>
62401 +#include <linux/grsecurity.h>
62402 #include <linux/sysdev.h>
62403 #include <linux/clocksource.h>
62404 #include <linux/jiffies.h>
62405 @@ -180,7 +181,7 @@ void update_xtime_cache(u64 nsec)
62407 struct timespec ts = xtime;
62408 timespec_add_ns(&ts, nsec);
62409 - ACCESS_ONCE(xtime_cache) = ts;
62410 + ACCESS_ONCE_RW(xtime_cache) = ts;
62413 /* must hold xtime_lock */
62414 @@ -333,6 +334,8 @@ int do_settimeofday(struct timespec *tv)
62415 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
62418 + gr_log_timechange();
62420 write_seqlock_irqsave(&xtime_lock, flags);
62422 timekeeping_forward_now();
62423 diff -urNp linux-2.6.32.42/kernel/time/timer_list.c linux-2.6.32.42/kernel/time/timer_list.c
62424 --- linux-2.6.32.42/kernel/time/timer_list.c 2011-03-27 14:31:47.000000000 -0400
62425 +++ linux-2.6.32.42/kernel/time/timer_list.c 2011-04-17 15:56:46.000000000 -0400
62426 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
62428 static void print_name_offset(struct seq_file *m, void *sym)
62430 +#ifdef CONFIG_GRKERNSEC_HIDESYM
62431 + SEQ_printf(m, "<%p>", NULL);
62433 char symname[KSYM_NAME_LEN];
62435 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
62436 SEQ_printf(m, "<%p>", sym);
62438 SEQ_printf(m, "%s", symname);
62443 @@ -112,7 +116,11 @@ next_one:
62445 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
62447 +#ifdef CONFIG_GRKERNSEC_HIDESYM
62448 + SEQ_printf(m, " .base: %p\n", NULL);
62450 SEQ_printf(m, " .base: %p\n", base);
62452 SEQ_printf(m, " .index: %d\n",
62454 SEQ_printf(m, " .resolution: %Lu nsecs\n",
62455 @@ -289,7 +297,11 @@ static int __init init_timer_list_procfs
62457 struct proc_dir_entry *pe;
62459 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
62460 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
62462 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
62467 diff -urNp linux-2.6.32.42/kernel/time/timer_stats.c linux-2.6.32.42/kernel/time/timer_stats.c
62468 --- linux-2.6.32.42/kernel/time/timer_stats.c 2011-03-27 14:31:47.000000000 -0400
62469 +++ linux-2.6.32.42/kernel/time/timer_stats.c 2011-05-04 17:56:28.000000000 -0400
62470 @@ -116,7 +116,7 @@ static ktime_t time_start, time_stop;
62471 static unsigned long nr_entries;
62472 static struct entry entries[MAX_ENTRIES];
62474 -static atomic_t overflow_count;
62475 +static atomic_unchecked_t overflow_count;
62478 * The entries are in a hash-table, for fast lookup:
62479 @@ -140,7 +140,7 @@ static void reset_entries(void)
62481 memset(entries, 0, sizeof(entries));
62482 memset(tstat_hash_table, 0, sizeof(tstat_hash_table));
62483 - atomic_set(&overflow_count, 0);
62484 + atomic_set_unchecked(&overflow_count, 0);
62487 static struct entry *alloc_entry(void)
62488 @@ -261,7 +261,7 @@ void timer_stats_update_stats(void *time
62492 - atomic_inc(&overflow_count);
62493 + atomic_inc_unchecked(&overflow_count);
62496 spin_unlock_irqrestore(lock, flags);
62497 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
62499 static void print_name_offset(struct seq_file *m, unsigned long addr)
62501 +#ifdef CONFIG_GRKERNSEC_HIDESYM
62502 + seq_printf(m, "<%p>", NULL);
62504 char symname[KSYM_NAME_LEN];
62506 if (lookup_symbol_name(addr, symname) < 0)
62507 seq_printf(m, "<%p>", (void *)addr);
62509 seq_printf(m, "%s", symname);
62513 static int tstats_show(struct seq_file *m, void *v)
62514 @@ -300,9 +304,9 @@ static int tstats_show(struct seq_file *
62516 seq_puts(m, "Timer Stats Version: v0.2\n");
62517 seq_printf(m, "Sample period: %ld.%03ld s\n", period.tv_sec, ms);
62518 - if (atomic_read(&overflow_count))
62519 + if (atomic_read_unchecked(&overflow_count))
62520 seq_printf(m, "Overflow: %d entries\n",
62521 - atomic_read(&overflow_count));
62522 + atomic_read_unchecked(&overflow_count));
62524 for (i = 0; i < nr_entries; i++) {
62525 entry = entries + i;
62526 @@ -415,7 +419,11 @@ static int __init init_tstats_procfs(voi
62528 struct proc_dir_entry *pe;
62530 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
62531 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
62533 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
62538 diff -urNp linux-2.6.32.42/kernel/time.c linux-2.6.32.42/kernel/time.c
62539 --- linux-2.6.32.42/kernel/time.c 2011-03-27 14:31:47.000000000 -0400
62540 +++ linux-2.6.32.42/kernel/time.c 2011-04-17 15:56:46.000000000 -0400
62541 @@ -165,6 +165,11 @@ int do_sys_settimeofday(struct timespec
62545 + /* we log in do_settimeofday called below, so don't log twice
62548 + gr_log_timechange();
62550 /* SMP safe, global irq locking makes it work. */
62552 update_vsyscall_tz();
62553 @@ -240,7 +245,7 @@ EXPORT_SYMBOL(current_fs_time);
62554 * Avoid unnecessary multiplications/divisions in the
62555 * two most common HZ cases:
62557 -unsigned int inline jiffies_to_msecs(const unsigned long j)
62558 +inline unsigned int jiffies_to_msecs(const unsigned long j)
62560 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
62561 return (MSEC_PER_SEC / HZ) * j;
62562 @@ -256,7 +261,7 @@ unsigned int inline jiffies_to_msecs(con
62564 EXPORT_SYMBOL(jiffies_to_msecs);
62566 -unsigned int inline jiffies_to_usecs(const unsigned long j)
62567 +inline unsigned int jiffies_to_usecs(const unsigned long j)
62569 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
62570 return (USEC_PER_SEC / HZ) * j;
62571 diff -urNp linux-2.6.32.42/kernel/timer.c linux-2.6.32.42/kernel/timer.c
62572 --- linux-2.6.32.42/kernel/timer.c 2011-03-27 14:31:47.000000000 -0400
62573 +++ linux-2.6.32.42/kernel/timer.c 2011-04-17 15:56:46.000000000 -0400
62574 @@ -1213,7 +1213,7 @@ void update_process_times(int user_tick)
62576 * This function runs timers and the timer-tq in bottom half context.
62578 -static void run_timer_softirq(struct softirq_action *h)
62579 +static void run_timer_softirq(void)
62581 struct tvec_base *base = __get_cpu_var(tvec_bases);
62583 diff -urNp linux-2.6.32.42/kernel/trace/blktrace.c linux-2.6.32.42/kernel/trace/blktrace.c
62584 --- linux-2.6.32.42/kernel/trace/blktrace.c 2011-03-27 14:31:47.000000000 -0400
62585 +++ linux-2.6.32.42/kernel/trace/blktrace.c 2011-05-04 17:56:28.000000000 -0400
62586 @@ -313,7 +313,7 @@ static ssize_t blk_dropped_read(struct f
62587 struct blk_trace *bt = filp->private_data;
62590 - snprintf(buf, sizeof(buf), "%u\n", atomic_read(&bt->dropped));
62591 + snprintf(buf, sizeof(buf), "%u\n", atomic_read_unchecked(&bt->dropped));
62593 return simple_read_from_buffer(buffer, count, ppos, buf, strlen(buf));
62595 @@ -376,7 +376,7 @@ static int blk_subbuf_start_callback(str
62598 bt = buf->chan->private_data;
62599 - atomic_inc(&bt->dropped);
62600 + atomic_inc_unchecked(&bt->dropped);
62604 @@ -477,7 +477,7 @@ int do_blk_trace_setup(struct request_qu
62608 - atomic_set(&bt->dropped, 0);
62609 + atomic_set_unchecked(&bt->dropped, 0);
62612 bt->dropped_file = debugfs_create_file("dropped", 0444, dir, bt,
62613 diff -urNp linux-2.6.32.42/kernel/trace/ftrace.c linux-2.6.32.42/kernel/trace/ftrace.c
62614 --- linux-2.6.32.42/kernel/trace/ftrace.c 2011-06-25 12:55:35.000000000 -0400
62615 +++ linux-2.6.32.42/kernel/trace/ftrace.c 2011-06-25 12:56:37.000000000 -0400
62616 @@ -1100,13 +1100,18 @@ ftrace_code_disable(struct module *mod,
62620 + ret = ftrace_arch_code_modify_prepare();
62621 + FTRACE_WARN_ON(ret);
62625 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
62626 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
62628 ftrace_bug(ret, ip);
62629 rec->flags |= FTRACE_FL_FAILED;
62633 + return ret ? 0 : 1;
62637 diff -urNp linux-2.6.32.42/kernel/trace/ring_buffer.c linux-2.6.32.42/kernel/trace/ring_buffer.c
62638 --- linux-2.6.32.42/kernel/trace/ring_buffer.c 2011-03-27 14:31:47.000000000 -0400
62639 +++ linux-2.6.32.42/kernel/trace/ring_buffer.c 2011-04-17 15:56:46.000000000 -0400
62640 @@ -606,7 +606,7 @@ static struct list_head *rb_list_head(st
62641 * the reader page). But if the next page is a header page,
62642 * its flags will be non zero.
62646 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
62647 struct buffer_page *page, struct list_head *list)
62649 diff -urNp linux-2.6.32.42/kernel/trace/trace.c linux-2.6.32.42/kernel/trace/trace.c
62650 --- linux-2.6.32.42/kernel/trace/trace.c 2011-03-27 14:31:47.000000000 -0400
62651 +++ linux-2.6.32.42/kernel/trace/trace.c 2011-05-16 21:46:57.000000000 -0400
62652 @@ -3193,6 +3193,8 @@ static ssize_t tracing_splice_read_pipe(
62656 + pax_track_stack();
62658 /* copy the tracer to avoid using a global lock all around */
62659 mutex_lock(&trace_types_lock);
62660 if (unlikely(old_tracer != current_trace && current_trace)) {
62661 @@ -3659,6 +3661,8 @@ tracing_buffers_splice_read(struct file
62662 int entries, size, i;
62665 + pax_track_stack();
62667 if (*ppos & (PAGE_SIZE - 1)) {
62668 WARN_ONCE(1, "Ftrace: previous read must page-align\n");
62670 @@ -3816,10 +3820,9 @@ static const struct file_operations trac
62674 -static struct dentry *d_tracer;
62676 struct dentry *tracing_init_dentry(void)
62678 + static struct dentry *d_tracer;
62682 @@ -3839,10 +3842,9 @@ struct dentry *tracing_init_dentry(void)
62686 -static struct dentry *d_percpu;
62688 struct dentry *tracing_dentry_percpu(void)
62690 + static struct dentry *d_percpu;
62692 struct dentry *d_tracer;
62694 diff -urNp linux-2.6.32.42/kernel/trace/trace_events.c linux-2.6.32.42/kernel/trace/trace_events.c
62695 --- linux-2.6.32.42/kernel/trace/trace_events.c 2011-03-27 14:31:47.000000000 -0400
62696 +++ linux-2.6.32.42/kernel/trace/trace_events.c 2011-04-17 15:56:46.000000000 -0400
62697 @@ -951,6 +951,8 @@ static LIST_HEAD(ftrace_module_file_list
62698 * Modules must own their file_operations to keep up with
62699 * reference counting.
62702 +/* cannot be const */
62703 struct ftrace_module_file_ops {
62704 struct list_head list;
62705 struct module *mod;
62706 diff -urNp linux-2.6.32.42/kernel/trace/trace_mmiotrace.c linux-2.6.32.42/kernel/trace/trace_mmiotrace.c
62707 --- linux-2.6.32.42/kernel/trace/trace_mmiotrace.c 2011-03-27 14:31:47.000000000 -0400
62708 +++ linux-2.6.32.42/kernel/trace/trace_mmiotrace.c 2011-05-04 17:56:28.000000000 -0400
62709 @@ -23,7 +23,7 @@ struct header_iter {
62710 static struct trace_array *mmio_trace_array;
62711 static bool overrun_detected;
62712 static unsigned long prev_overruns;
62713 -static atomic_t dropped_count;
62714 +static atomic_unchecked_t dropped_count;
62716 static void mmio_reset_data(struct trace_array *tr)
62718 @@ -126,7 +126,7 @@ static void mmio_close(struct trace_iter
62720 static unsigned long count_overruns(struct trace_iterator *iter)
62722 - unsigned long cnt = atomic_xchg(&dropped_count, 0);
62723 + unsigned long cnt = atomic_xchg_unchecked(&dropped_count, 0);
62724 unsigned long over = ring_buffer_overruns(iter->tr->buffer);
62726 if (over > prev_overruns)
62727 @@ -316,7 +316,7 @@ static void __trace_mmiotrace_rw(struct
62728 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_RW,
62729 sizeof(*entry), 0, pc);
62731 - atomic_inc(&dropped_count);
62732 + atomic_inc_unchecked(&dropped_count);
62735 entry = ring_buffer_event_data(event);
62736 @@ -346,7 +346,7 @@ static void __trace_mmiotrace_map(struct
62737 event = trace_buffer_lock_reserve(buffer, TRACE_MMIO_MAP,
62738 sizeof(*entry), 0, pc);
62740 - atomic_inc(&dropped_count);
62741 + atomic_inc_unchecked(&dropped_count);
62744 entry = ring_buffer_event_data(event);
62745 diff -urNp linux-2.6.32.42/kernel/trace/trace_output.c linux-2.6.32.42/kernel/trace/trace_output.c
62746 --- linux-2.6.32.42/kernel/trace/trace_output.c 2011-03-27 14:31:47.000000000 -0400
62747 +++ linux-2.6.32.42/kernel/trace/trace_output.c 2011-04-17 15:56:46.000000000 -0400
62748 @@ -237,7 +237,7 @@ int trace_seq_path(struct trace_seq *s,
62750 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
62752 - p = mangle_path(s->buffer + s->len, p, "\n");
62753 + p = mangle_path(s->buffer + s->len, p, "\n\\");
62755 s->len = p - s->buffer;
62757 diff -urNp linux-2.6.32.42/kernel/trace/trace_stack.c linux-2.6.32.42/kernel/trace/trace_stack.c
62758 --- linux-2.6.32.42/kernel/trace/trace_stack.c 2011-03-27 14:31:47.000000000 -0400
62759 +++ linux-2.6.32.42/kernel/trace/trace_stack.c 2011-04-17 15:56:46.000000000 -0400
62760 @@ -50,7 +50,7 @@ static inline void check_stack(void)
62763 /* we do not handle interrupt stacks yet */
62764 - if (!object_is_on_stack(&this_size))
62765 + if (!object_starts_on_stack(&this_size))
62768 local_irq_save(flags);
62769 diff -urNp linux-2.6.32.42/kernel/trace/trace_workqueue.c linux-2.6.32.42/kernel/trace/trace_workqueue.c
62770 --- linux-2.6.32.42/kernel/trace/trace_workqueue.c 2011-03-27 14:31:47.000000000 -0400
62771 +++ linux-2.6.32.42/kernel/trace/trace_workqueue.c 2011-04-17 15:56:46.000000000 -0400
62772 @@ -21,7 +21,7 @@ struct cpu_workqueue_stats {
62775 /* Can be inserted from interrupt or user context, need to be atomic */
62776 - atomic_t inserted;
62777 + atomic_unchecked_t inserted;
62779 * Don't need to be atomic, works are serialized in a single workqueue thread
62781 @@ -58,7 +58,7 @@ probe_workqueue_insertion(struct task_st
62782 spin_lock_irqsave(&workqueue_cpu_stat(cpu)->lock, flags);
62783 list_for_each_entry(node, &workqueue_cpu_stat(cpu)->list, list) {
62784 if (node->pid == wq_thread->pid) {
62785 - atomic_inc(&node->inserted);
62786 + atomic_inc_unchecked(&node->inserted);
62790 @@ -205,7 +205,7 @@ static int workqueue_stat_show(struct se
62791 tsk = get_pid_task(pid, PIDTYPE_PID);
62793 seq_printf(s, "%3d %6d %6u %s\n", cws->cpu,
62794 - atomic_read(&cws->inserted), cws->executed,
62795 + atomic_read_unchecked(&cws->inserted), cws->executed,
62797 put_task_struct(tsk);
62799 diff -urNp linux-2.6.32.42/kernel/user.c linux-2.6.32.42/kernel/user.c
62800 --- linux-2.6.32.42/kernel/user.c 2011-03-27 14:31:47.000000000 -0400
62801 +++ linux-2.6.32.42/kernel/user.c 2011-04-17 15:56:46.000000000 -0400
62802 @@ -159,6 +159,7 @@ struct user_struct *alloc_uid(struct use
62803 spin_lock_irq(&uidhash_lock);
62804 up = uid_hash_find(uid, hashent);
62807 key_put(new->uid_keyring);
62808 key_put(new->session_keyring);
62809 kmem_cache_free(uid_cachep, new);
62810 diff -urNp linux-2.6.32.42/lib/bug.c linux-2.6.32.42/lib/bug.c
62811 --- linux-2.6.32.42/lib/bug.c 2011-03-27 14:31:47.000000000 -0400
62812 +++ linux-2.6.32.42/lib/bug.c 2011-04-17 15:56:46.000000000 -0400
62813 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
62814 return BUG_TRAP_TYPE_NONE;
62816 bug = find_bug(bugaddr);
62818 + return BUG_TRAP_TYPE_NONE;
62820 printk(KERN_EMERG "------------[ cut here ]------------\n");
62822 diff -urNp linux-2.6.32.42/lib/debugobjects.c linux-2.6.32.42/lib/debugobjects.c
62823 --- linux-2.6.32.42/lib/debugobjects.c 2011-03-27 14:31:47.000000000 -0400
62824 +++ linux-2.6.32.42/lib/debugobjects.c 2011-04-17 15:56:46.000000000 -0400
62825 @@ -277,7 +277,7 @@ static void debug_object_is_on_stack(voi
62829 - is_on_stack = object_is_on_stack(addr);
62830 + is_on_stack = object_starts_on_stack(addr);
62831 if (is_on_stack == onstack)
62834 diff -urNp linux-2.6.32.42/lib/dma-debug.c linux-2.6.32.42/lib/dma-debug.c
62835 --- linux-2.6.32.42/lib/dma-debug.c 2011-03-27 14:31:47.000000000 -0400
62836 +++ linux-2.6.32.42/lib/dma-debug.c 2011-04-17 15:56:46.000000000 -0400
62837 @@ -861,7 +861,7 @@ out:
62839 static void check_for_stack(struct device *dev, void *addr)
62841 - if (object_is_on_stack(addr))
62842 + if (object_starts_on_stack(addr))
62843 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
62844 "stack [addr=%p]\n", addr);
62846 diff -urNp linux-2.6.32.42/lib/idr.c linux-2.6.32.42/lib/idr.c
62847 --- linux-2.6.32.42/lib/idr.c 2011-03-27 14:31:47.000000000 -0400
62848 +++ linux-2.6.32.42/lib/idr.c 2011-04-17 15:56:46.000000000 -0400
62849 @@ -156,7 +156,7 @@ static int sub_alloc(struct idr *idp, in
62850 id = (id | ((1 << (IDR_BITS * l)) - 1)) + 1;
62852 /* if already at the top layer, we need to grow */
62853 - if (id >= 1 << (idp->layers * IDR_BITS)) {
62854 + if (id >= (1 << (idp->layers * IDR_BITS))) {
62856 return IDR_NEED_TO_GROW;
62858 diff -urNp linux-2.6.32.42/lib/inflate.c linux-2.6.32.42/lib/inflate.c
62859 --- linux-2.6.32.42/lib/inflate.c 2011-03-27 14:31:47.000000000 -0400
62860 +++ linux-2.6.32.42/lib/inflate.c 2011-04-17 15:56:46.000000000 -0400
62861 @@ -266,7 +266,7 @@ static void free(void *where)
62862 malloc_ptr = free_mem_ptr;
62865 -#define malloc(a) kmalloc(a, GFP_KERNEL)
62866 +#define malloc(a) kmalloc((a), GFP_KERNEL)
62867 #define free(a) kfree(a)
62870 diff -urNp linux-2.6.32.42/lib/Kconfig.debug linux-2.6.32.42/lib/Kconfig.debug
62871 --- linux-2.6.32.42/lib/Kconfig.debug 2011-03-27 14:31:47.000000000 -0400
62872 +++ linux-2.6.32.42/lib/Kconfig.debug 2011-04-17 15:56:46.000000000 -0400
62873 @@ -905,7 +905,7 @@ config LATENCYTOP
62877 - depends on HAVE_LATENCYTOP_SUPPORT
62878 + depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
62880 Enable this option if you want to use the LatencyTOP tool
62881 to find out which userspace is blocking on what kernel operations.
62882 diff -urNp linux-2.6.32.42/lib/kobject.c linux-2.6.32.42/lib/kobject.c
62883 --- linux-2.6.32.42/lib/kobject.c 2011-03-27 14:31:47.000000000 -0400
62884 +++ linux-2.6.32.42/lib/kobject.c 2011-04-17 15:56:46.000000000 -0400
62885 @@ -700,7 +700,7 @@ static ssize_t kobj_attr_store(struct ko
62889 -struct sysfs_ops kobj_sysfs_ops = {
62890 +const struct sysfs_ops kobj_sysfs_ops = {
62891 .show = kobj_attr_show,
62892 .store = kobj_attr_store,
62894 @@ -789,7 +789,7 @@ static struct kobj_type kset_ktype = {
62895 * If the kset was not able to be created, NULL will be returned.
62897 static struct kset *kset_create(const char *name,
62898 - struct kset_uevent_ops *uevent_ops,
62899 + const struct kset_uevent_ops *uevent_ops,
62900 struct kobject *parent_kobj)
62903 @@ -832,7 +832,7 @@ static struct kset *kset_create(const ch
62904 * If the kset was not able to be created, NULL will be returned.
62906 struct kset *kset_create_and_add(const char *name,
62907 - struct kset_uevent_ops *uevent_ops,
62908 + const struct kset_uevent_ops *uevent_ops,
62909 struct kobject *parent_kobj)
62912 diff -urNp linux-2.6.32.42/lib/kobject_uevent.c linux-2.6.32.42/lib/kobject_uevent.c
62913 --- linux-2.6.32.42/lib/kobject_uevent.c 2011-03-27 14:31:47.000000000 -0400
62914 +++ linux-2.6.32.42/lib/kobject_uevent.c 2011-04-17 15:56:46.000000000 -0400
62915 @@ -95,7 +95,7 @@ int kobject_uevent_env(struct kobject *k
62916 const char *subsystem;
62917 struct kobject *top_kobj;
62919 - struct kset_uevent_ops *uevent_ops;
62920 + const struct kset_uevent_ops *uevent_ops;
62924 diff -urNp linux-2.6.32.42/lib/kref.c linux-2.6.32.42/lib/kref.c
62925 --- linux-2.6.32.42/lib/kref.c 2011-03-27 14:31:47.000000000 -0400
62926 +++ linux-2.6.32.42/lib/kref.c 2011-04-17 15:56:46.000000000 -0400
62927 @@ -61,7 +61,7 @@ void kref_get(struct kref *kref)
62929 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
62931 - WARN_ON(release == NULL);
62932 + BUG_ON(release == NULL);
62933 WARN_ON(release == (void (*)(struct kref *))kfree);
62935 if (atomic_dec_and_test(&kref->refcount)) {
62936 diff -urNp linux-2.6.32.42/lib/parser.c linux-2.6.32.42/lib/parser.c
62937 --- linux-2.6.32.42/lib/parser.c 2011-03-27 14:31:47.000000000 -0400
62938 +++ linux-2.6.32.42/lib/parser.c 2011-04-17 15:56:46.000000000 -0400
62939 @@ -126,7 +126,7 @@ static int match_number(substring_t *s,
62943 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
62944 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
62947 memcpy(buf, s->from, s->to - s->from);
62948 diff -urNp linux-2.6.32.42/lib/radix-tree.c linux-2.6.32.42/lib/radix-tree.c
62949 --- linux-2.6.32.42/lib/radix-tree.c 2011-03-27 14:31:47.000000000 -0400
62950 +++ linux-2.6.32.42/lib/radix-tree.c 2011-04-17 15:56:46.000000000 -0400
62951 @@ -81,7 +81,7 @@ struct radix_tree_preload {
62953 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
62955 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
62956 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
62958 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
62960 diff -urNp linux-2.6.32.42/lib/random32.c linux-2.6.32.42/lib/random32.c
62961 --- linux-2.6.32.42/lib/random32.c 2011-03-27 14:31:47.000000000 -0400
62962 +++ linux-2.6.32.42/lib/random32.c 2011-04-17 15:56:46.000000000 -0400
62963 @@ -61,7 +61,7 @@ static u32 __random32(struct rnd_state *
62965 static inline u32 __seed(u32 x, u32 m)
62967 - return (x < m) ? x + m : x;
62968 + return (x <= m) ? x + m + 1 : x;
62972 diff -urNp linux-2.6.32.42/lib/vsprintf.c linux-2.6.32.42/lib/vsprintf.c
62973 --- linux-2.6.32.42/lib/vsprintf.c 2011-03-27 14:31:47.000000000 -0400
62974 +++ linux-2.6.32.42/lib/vsprintf.c 2011-04-17 15:56:46.000000000 -0400
62976 * - scnprintf and vscnprintf
62979 +#ifdef CONFIG_GRKERNSEC_HIDESYM
62980 +#define __INCLUDED_BY_HIDESYM 1
62982 #include <stdarg.h>
62983 #include <linux/module.h>
62984 #include <linux/types.h>
62985 @@ -546,12 +549,12 @@ static char *number(char *buf, char *end
62989 -static char *string(char *buf, char *end, char *s, struct printf_spec spec)
62990 +static char *string(char *buf, char *end, const char *s, struct printf_spec spec)
62994 if ((unsigned long)s < PAGE_SIZE)
62998 len = strnlen(s, spec.precision);
63000 @@ -581,7 +584,7 @@ static char *symbol_string(char *buf, ch
63001 unsigned long value = (unsigned long) ptr;
63002 #ifdef CONFIG_KALLSYMS
63003 char sym[KSYM_SYMBOL_LEN];
63004 - if (ext != 'f' && ext != 's')
63005 + if (ext != 'f' && ext != 's' && ext != 'a')
63006 sprint_symbol(sym, value);
63008 kallsyms_lookup(value, NULL, NULL, NULL, sym);
63009 @@ -801,6 +804,8 @@ static char *ip4_addr_string(char *buf,
63010 * - 'f' For simple symbolic function names without offset
63011 * - 'S' For symbolic direct pointers with offset
63012 * - 's' For symbolic direct pointers without offset
63013 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
63014 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
63015 * - 'R' For a struct resource pointer, it prints the range of
63016 * addresses (not the name nor the flags)
63017 * - 'M' For a 6-byte MAC address, it prints the address in the
63018 @@ -822,7 +827,7 @@ static char *pointer(const char *fmt, ch
63019 struct printf_spec spec)
63022 - return string(buf, end, "(null)", spec);
63023 + return string(buf, end, "(nil)", spec);
63027 @@ -831,6 +836,14 @@ static char *pointer(const char *fmt, ch
63031 +#ifdef CONFIG_GRKERNSEC_HIDESYM
63034 + return symbol_string(buf, end, ptr, spec, *fmt);
63037 + /* Fallthrough */
63039 return symbol_string(buf, end, ptr, spec, *fmt);
63041 return resource_string(buf, end, ptr, spec);
63042 @@ -1445,7 +1458,7 @@ do { \
63044 if ((unsigned long)save_str > (unsigned long)-PAGE_SIZE
63045 || (unsigned long)save_str < PAGE_SIZE)
63046 - save_str = "<NULL>";
63047 + save_str = "(null)";
63048 len = strlen(save_str);
63049 if (str + len + 1 < end)
63050 memcpy(str, save_str, len + 1);
63051 @@ -1555,11 +1568,11 @@ int bstr_printf(char *buf, size_t size,
63052 typeof(type) value; \
63053 if (sizeof(type) == 8) { \
63054 args = PTR_ALIGN(args, sizeof(u32)); \
63055 - *(u32 *)&value = *(u32 *)args; \
63056 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
63057 + *(u32 *)&value = *(const u32 *)args; \
63058 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
63060 args = PTR_ALIGN(args, sizeof(type)); \
63061 - value = *(typeof(type) *)args; \
63062 + value = *(const typeof(type) *)args; \
63064 args += sizeof(type); \
63066 @@ -1622,7 +1635,7 @@ int bstr_printf(char *buf, size_t size,
63067 const char *str_arg = args;
63068 size_t len = strlen(str_arg);
63070 - str = string(str, end, (char *)str_arg, spec);
63071 + str = string(str, end, str_arg, spec);
63075 diff -urNp linux-2.6.32.42/localversion-grsec linux-2.6.32.42/localversion-grsec
63076 --- linux-2.6.32.42/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
63077 +++ linux-2.6.32.42/localversion-grsec 2011-04-17 15:56:46.000000000 -0400
63080 diff -urNp linux-2.6.32.42/Makefile linux-2.6.32.42/Makefile
63081 --- linux-2.6.32.42/Makefile 2011-06-25 12:55:34.000000000 -0400
63082 +++ linux-2.6.32.42/Makefile 2011-06-25 12:56:37.000000000 -0400
63083 @@ -221,8 +221,9 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
63087 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
63088 -HOSTCXXFLAGS = -O2
63089 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -Wno-unused-parameter -Wno-missing-field-initializers -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
63090 +HOSTCFLAGS += $(call cc-option, -Wno-empty-body)
63091 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
63093 # Decide whether to build built-in, modular, or both.
63094 # Normally, just do built-in.
63095 @@ -342,10 +343,12 @@ LINUXINCLUDE := -Iinclude \
63096 KBUILD_CPPFLAGS := -D__KERNEL__
63098 KBUILD_CFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
63099 + -W -Wno-unused-parameter -Wno-missing-field-initializers \
63100 -fno-strict-aliasing -fno-common \
63101 -Werror-implicit-function-declaration \
63102 -Wno-format-security \
63103 -fno-delete-null-pointer-checks
63104 +KBUILD_CFLAGS += $(call cc-option, -Wno-empty-body)
63105 KBUILD_AFLAGS := -D__ASSEMBLY__
63107 # Read KERNELRELEASE from include/config/kernel.release (if it exists)
63108 @@ -403,7 +406,7 @@ endif
63109 # of make so .config is not included in this case either (for *config).
63111 no-dot-config-targets := clean mrproper distclean \
63112 - cscope TAGS tags help %docs check% \
63113 + cscope gtags TAGS tags help %docs check% \
63114 include/linux/version.h headers_% \
63115 kernelrelease kernelversion
63117 @@ -644,7 +647,7 @@ export mod_strip_cmd
63120 ifeq ($(KBUILD_EXTMOD),)
63121 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
63122 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
63124 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
63125 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
63126 @@ -949,7 +952,19 @@ include/config/kernel.release: include/c
63127 # version.h and scripts_basic is processed / created.
63129 # Listed in dependency order
63130 -PHONY += prepare archprepare prepare0 prepare1 prepare2 prepare3
63131 +PHONY += prepare archprepare prepare0 prepare1 prepare2 prepare3 pax-plugin
63133 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
63134 +KBUILD_CFLAGS += $(call cc-ifversion, -ge, 0405, -fplugin=$(objtree)/tools/gcc/pax_plugin.so -fplugin-arg-pax_plugin-track-lowest-sp=100)
63137 +ifneq (,$(findstring pax_plugin, $(KBUILD_CFLAGS)))
63138 + $(Q)$(MAKE) $(build)=tools/gcc
63140 +ifeq ($(CONFIG_PAX_MEMORY_STACKLEAK),y)
63141 + $(Q)echo "warning, your gcc does not support plugins, PAX_MEMORY_STACKLEAK will be less secure"
63145 # prepare3 is used to check if we are building in a separate output directory,
63147 @@ -970,7 +985,7 @@ ifneq ($(KBUILD_SRC),)
63150 # prepare2 creates a makefile if using a separate output directory
63151 -prepare2: prepare3 outputmakefile
63152 +prepare2: prepare3 outputmakefile pax-plugin
63154 prepare1: prepare2 include/linux/version.h include/linux/utsrelease.h \
63155 include/asm include/config/auto.conf
63156 @@ -1198,7 +1213,7 @@ MRPROPER_FILES += .config .config.old in
63157 include/linux/autoconf.h include/linux/version.h \
63158 include/linux/utsrelease.h \
63159 include/linux/bounds.h include/asm*/asm-offsets.h \
63160 - Module.symvers Module.markers tags TAGS cscope*
63161 + Module.symvers Module.markers tags TAGS cscope* GPATH GTAGS GRTAGS GSYMS
63163 # clean - Delete most, but leave enough to build external modules
63165 @@ -1289,6 +1304,7 @@ help:
63166 @echo ' modules_prepare - Set up for building external modules'
63167 @echo ' tags/TAGS - Generate tags file for editors'
63168 @echo ' cscope - Generate cscope index'
63169 + @echo ' gtags - Generate GNU GLOBAL index'
63170 @echo ' kernelrelease - Output the release version string'
63171 @echo ' kernelversion - Output the version stored in Makefile'
63172 @echo ' headers_install - Install sanitised kernel headers to INSTALL_HDR_PATH'; \
63173 @@ -1445,7 +1461,7 @@ endif # KBUILD_EXTMOD
63174 quiet_cmd_tags = GEN $@
63175 cmd_tags = $(CONFIG_SHELL) $(srctree)/scripts/tags.sh $@
63177 -tags TAGS cscope: FORCE
63178 +tags TAGS cscope gtags: FORCE
63181 # Scripts to check various things for consistency
63182 diff -urNp linux-2.6.32.42/mm/backing-dev.c linux-2.6.32.42/mm/backing-dev.c
63183 --- linux-2.6.32.42/mm/backing-dev.c 2011-03-27 14:31:47.000000000 -0400
63184 +++ linux-2.6.32.42/mm/backing-dev.c 2011-05-04 17:56:28.000000000 -0400
63185 @@ -484,7 +484,7 @@ static void bdi_add_to_pending(struct rc
63186 * Add the default flusher task that gets created for any bdi
63187 * that has dirty data pending writeout
63189 -void static bdi_add_default_flusher_task(struct backing_dev_info *bdi)
63190 +static void bdi_add_default_flusher_task(struct backing_dev_info *bdi)
63192 if (!bdi_cap_writeback_dirty(bdi))
63194 diff -urNp linux-2.6.32.42/mm/filemap.c linux-2.6.32.42/mm/filemap.c
63195 --- linux-2.6.32.42/mm/filemap.c 2011-03-27 14:31:47.000000000 -0400
63196 +++ linux-2.6.32.42/mm/filemap.c 2011-04-17 15:56:46.000000000 -0400
63197 @@ -1631,7 +1631,7 @@ int generic_file_mmap(struct file * file
63198 struct address_space *mapping = file->f_mapping;
63200 if (!mapping->a_ops->readpage)
63203 file_accessed(file);
63204 vma->vm_ops = &generic_file_vm_ops;
63205 vma->vm_flags |= VM_CAN_NONLINEAR;
63206 @@ -2027,6 +2027,7 @@ inline int generic_write_checks(struct f
63207 *pos = i_size_read(inode);
63209 if (limit != RLIM_INFINITY) {
63210 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
63211 if (*pos >= limit) {
63212 send_sig(SIGXFSZ, current, 0);
63214 diff -urNp linux-2.6.32.42/mm/fremap.c linux-2.6.32.42/mm/fremap.c
63215 --- linux-2.6.32.42/mm/fremap.c 2011-03-27 14:31:47.000000000 -0400
63216 +++ linux-2.6.32.42/mm/fremap.c 2011-04-17 15:56:46.000000000 -0400
63217 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
63219 vma = find_vma(mm, start);
63221 +#ifdef CONFIG_PAX_SEGMEXEC
63222 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
63227 * Make sure the vma is shared, that it supports prefaulting,
63228 * and that the remapped range is valid and fully within
63229 @@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
63231 * drop PG_Mlocked flag for over-mapped range
63233 - unsigned int saved_flags = vma->vm_flags;
63234 + unsigned long saved_flags = vma->vm_flags;
63235 munlock_vma_pages_range(vma, start, start + size);
63236 vma->vm_flags = saved_flags;
63238 diff -urNp linux-2.6.32.42/mm/highmem.c linux-2.6.32.42/mm/highmem.c
63239 --- linux-2.6.32.42/mm/highmem.c 2011-03-27 14:31:47.000000000 -0400
63240 +++ linux-2.6.32.42/mm/highmem.c 2011-04-17 15:56:46.000000000 -0400
63241 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
63242 * So no dangers, even with speculative execution.
63244 page = pte_page(pkmap_page_table[i]);
63245 + pax_open_kernel();
63246 pte_clear(&init_mm, (unsigned long)page_address(page),
63247 &pkmap_page_table[i]);
63249 + pax_close_kernel();
63250 set_page_address(page, NULL);
63253 @@ -177,9 +178,11 @@ start:
63256 vaddr = PKMAP_ADDR(last_pkmap_nr);
63258 + pax_open_kernel();
63259 set_pte_at(&init_mm, vaddr,
63260 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
63262 + pax_close_kernel();
63263 pkmap_count[last_pkmap_nr] = 1;
63264 set_page_address(page, (void *)vaddr);
63266 diff -urNp linux-2.6.32.42/mm/hugetlb.c linux-2.6.32.42/mm/hugetlb.c
63267 --- linux-2.6.32.42/mm/hugetlb.c 2011-06-25 12:55:35.000000000 -0400
63268 +++ linux-2.6.32.42/mm/hugetlb.c 2011-06-25 12:56:37.000000000 -0400
63269 @@ -1925,6 +1925,26 @@ static int unmap_ref_private(struct mm_s
63273 +#ifdef CONFIG_PAX_SEGMEXEC
63274 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
63276 + struct mm_struct *mm = vma->vm_mm;
63277 + struct vm_area_struct *vma_m;
63278 + unsigned long address_m;
63281 + vma_m = pax_find_mirror_vma(vma);
63285 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
63286 + address_m = address + SEGMEXEC_TASK_SIZE;
63287 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
63288 + get_page(page_m);
63289 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
63293 static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
63294 unsigned long address, pte_t *ptep, pte_t pte,
63295 struct page *pagecache_page)
63296 @@ -1996,6 +2016,11 @@ retry_avoidcopy:
63297 huge_ptep_clear_flush(vma, address, ptep);
63298 set_huge_pte_at(mm, address, ptep,
63299 make_huge_pte(vma, new_page, 1));
63301 +#ifdef CONFIG_PAX_SEGMEXEC
63302 + pax_mirror_huge_pte(vma, address, new_page);
63305 /* Make the old page be freed below */
63306 new_page = old_page;
63308 @@ -2127,6 +2152,10 @@ retry:
63309 && (vma->vm_flags & VM_SHARED)));
63310 set_huge_pte_at(mm, address, ptep, new_pte);
63312 +#ifdef CONFIG_PAX_SEGMEXEC
63313 + pax_mirror_huge_pte(vma, address, page);
63316 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
63317 /* Optimization, do the COW without a second fault */
63318 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
63319 @@ -2155,6 +2184,28 @@ int hugetlb_fault(struct mm_struct *mm,
63320 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
63321 struct hstate *h = hstate_vma(vma);
63323 +#ifdef CONFIG_PAX_SEGMEXEC
63324 + struct vm_area_struct *vma_m;
63326 + vma_m = pax_find_mirror_vma(vma);
63328 + unsigned long address_m;
63330 + if (vma->vm_start > vma_m->vm_start) {
63331 + address_m = address;
63332 + address -= SEGMEXEC_TASK_SIZE;
63334 + h = hstate_vma(vma);
63336 + address_m = address + SEGMEXEC_TASK_SIZE;
63338 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
63339 + return VM_FAULT_OOM;
63340 + address_m &= HPAGE_MASK;
63341 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
63345 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
63347 return VM_FAULT_OOM;
63348 diff -urNp linux-2.6.32.42/mm/Kconfig linux-2.6.32.42/mm/Kconfig
63349 --- linux-2.6.32.42/mm/Kconfig 2011-03-27 14:31:47.000000000 -0400
63350 +++ linux-2.6.32.42/mm/Kconfig 2011-04-17 15:56:46.000000000 -0400
63351 @@ -228,7 +228,7 @@ config KSM
63352 config DEFAULT_MMAP_MIN_ADDR
63353 int "Low address space to protect from user allocation"
63358 This is the portion of low virtual memory which should be protected
63359 from userspace allocation. Keeping a user from writing to low pages
63360 diff -urNp linux-2.6.32.42/mm/kmemleak.c linux-2.6.32.42/mm/kmemleak.c
63361 --- linux-2.6.32.42/mm/kmemleak.c 2011-06-25 12:55:35.000000000 -0400
63362 +++ linux-2.6.32.42/mm/kmemleak.c 2011-06-25 12:56:37.000000000 -0400
63363 @@ -358,7 +358,7 @@ static void print_unreferenced(struct se
63365 for (i = 0; i < object->trace_len; i++) {
63366 void *ptr = (void *)object->trace[i];
63367 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
63368 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
63372 diff -urNp linux-2.6.32.42/mm/ksm.c linux-2.6.32.42/mm/ksm.c
63373 --- linux-2.6.32.42/mm/ksm.c 2011-03-27 14:31:47.000000000 -0400
63374 +++ linux-2.6.32.42/mm/ksm.c 2011-06-20 19:38:36.000000000 -0400
63375 @@ -1215,6 +1215,12 @@ static struct rmap_item *scan_get_next_r
63376 slot = list_entry(slot->mm_list.next, struct mm_slot, mm_list);
63377 ksm_scan.mm_slot = slot;
63378 spin_unlock(&ksm_mmlist_lock);
63380 + * Although we tested list_empty() above, a racing __ksm_exit
63381 + * of the last mm on the list may have removed it since then.
63383 + if (slot == &ksm_mm_head)
63386 ksm_scan.address = 0;
63387 ksm_scan.rmap_item = list_entry(&slot->rmap_list,
63388 diff -urNp linux-2.6.32.42/mm/maccess.c linux-2.6.32.42/mm/maccess.c
63389 --- linux-2.6.32.42/mm/maccess.c 2011-03-27 14:31:47.000000000 -0400
63390 +++ linux-2.6.32.42/mm/maccess.c 2011-04-17 15:56:46.000000000 -0400
63392 * Safely read from address @src to the buffer at @dst. If a kernel fault
63393 * happens, handle that and return -EFAULT.
63395 -long probe_kernel_read(void *dst, void *src, size_t size)
63396 +long probe_kernel_read(void *dst, const void *src, size_t size)
63399 mm_segment_t old_fs = get_fs();
63400 @@ -39,7 +39,7 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
63401 * Safely write to address @dst from the buffer at @src. If a kernel fault
63402 * happens, handle that and return -EFAULT.
63404 -long notrace __weak probe_kernel_write(void *dst, void *src, size_t size)
63405 +long notrace __weak probe_kernel_write(void *dst, const void *src, size_t size)
63408 mm_segment_t old_fs = get_fs();
63409 diff -urNp linux-2.6.32.42/mm/madvise.c linux-2.6.32.42/mm/madvise.c
63410 --- linux-2.6.32.42/mm/madvise.c 2011-03-27 14:31:47.000000000 -0400
63411 +++ linux-2.6.32.42/mm/madvise.c 2011-04-17 15:56:46.000000000 -0400
63412 @@ -44,6 +44,10 @@ static long madvise_behavior(struct vm_a
63414 unsigned long new_flags = vma->vm_flags;
63416 +#ifdef CONFIG_PAX_SEGMEXEC
63417 + struct vm_area_struct *vma_m;
63420 switch (behavior) {
63422 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
63423 @@ -103,6 +107,13 @@ success:
63425 * vm_flags is protected by the mmap_sem held in write mode.
63428 +#ifdef CONFIG_PAX_SEGMEXEC
63429 + vma_m = pax_find_mirror_vma(vma);
63431 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
63434 vma->vm_flags = new_flags;
63437 @@ -161,6 +172,11 @@ static long madvise_dontneed(struct vm_a
63438 struct vm_area_struct ** prev,
63439 unsigned long start, unsigned long end)
63442 +#ifdef CONFIG_PAX_SEGMEXEC
63443 + struct vm_area_struct *vma_m;
63447 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
63449 @@ -173,6 +189,21 @@ static long madvise_dontneed(struct vm_a
63450 zap_page_range(vma, start, end - start, &details);
63452 zap_page_range(vma, start, end - start, NULL);
63454 +#ifdef CONFIG_PAX_SEGMEXEC
63455 + vma_m = pax_find_mirror_vma(vma);
63457 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
63458 + struct zap_details details = {
63459 + .nonlinear_vma = vma_m,
63460 + .last_index = ULONG_MAX,
63462 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
63464 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
63471 @@ -359,6 +390,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
63475 +#ifdef CONFIG_PAX_SEGMEXEC
63476 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
63477 + if (end > SEGMEXEC_TASK_SIZE)
63482 + if (end > TASK_SIZE)
63488 diff -urNp linux-2.6.32.42/mm/memory.c linux-2.6.32.42/mm/memory.c
63489 --- linux-2.6.32.42/mm/memory.c 2011-03-27 14:31:47.000000000 -0400
63490 +++ linux-2.6.32.42/mm/memory.c 2011-04-17 15:56:46.000000000 -0400
63491 @@ -187,8 +187,12 @@ static inline void free_pmd_range(struct
63494 pmd = pmd_offset(pud, start);
63496 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
63498 pmd_free_tlb(tlb, pmd, start);
63503 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
63504 @@ -219,9 +223,12 @@ static inline void free_pud_range(struct
63505 if (end - 1 > ceiling - 1)
63508 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
63509 pud = pud_offset(pgd, start);
63511 pud_free_tlb(tlb, pud, start);
63517 @@ -1251,10 +1258,10 @@ int __get_user_pages(struct task_struct
63518 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
63522 + while (nr_pages) {
63523 struct vm_area_struct *vma;
63525 - vma = find_extend_vma(mm, start);
63526 + vma = find_vma(mm, start);
63527 if (!vma && in_gate_area(tsk, start)) {
63528 unsigned long pg = start & PAGE_MASK;
63529 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
63530 @@ -1306,7 +1313,7 @@ int __get_user_pages(struct task_struct
63535 + if (!vma || start < vma->vm_start ||
63536 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
63537 !(vm_flags & vma->vm_flags))
63538 return i ? : -EFAULT;
63539 @@ -1381,7 +1388,7 @@ int __get_user_pages(struct task_struct
63540 start += PAGE_SIZE;
63542 } while (nr_pages && start < vma->vm_end);
63543 - } while (nr_pages);
63548 @@ -1526,6 +1533,10 @@ static int insert_page(struct vm_area_st
63549 page_add_file_rmap(page);
63550 set_pte_at(mm, addr, pte, mk_pte(page, prot));
63552 +#ifdef CONFIG_PAX_SEGMEXEC
63553 + pax_mirror_file_pte(vma, addr, page, ptl);
63557 pte_unmap_unlock(pte, ptl);
63559 @@ -1560,10 +1571,22 @@ out:
63560 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
63564 +#ifdef CONFIG_PAX_SEGMEXEC
63565 + struct vm_area_struct *vma_m;
63568 if (addr < vma->vm_start || addr >= vma->vm_end)
63570 if (!page_count(page))
63573 +#ifdef CONFIG_PAX_SEGMEXEC
63574 + vma_m = pax_find_mirror_vma(vma);
63576 + vma_m->vm_flags |= VM_INSERTPAGE;
63579 vma->vm_flags |= VM_INSERTPAGE;
63580 return insert_page(vma, addr, page, vma->vm_page_prot);
63582 @@ -1649,6 +1672,7 @@ int vm_insert_mixed(struct vm_area_struc
63585 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
63586 + BUG_ON(vma->vm_mirror);
63588 if (addr < vma->vm_start || addr >= vma->vm_end)
63590 @@ -1977,6 +2001,186 @@ static inline void cow_user_page(struct
63591 copy_user_highpage(dst, src, va, vma);
63594 +#ifdef CONFIG_PAX_SEGMEXEC
63595 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
63597 + struct mm_struct *mm = vma->vm_mm;
63599 + pte_t *pte, entry;
63601 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
63603 + if (!pte_present(entry)) {
63604 + if (!pte_none(entry)) {
63605 + BUG_ON(pte_file(entry));
63606 + free_swap_and_cache(pte_to_swp_entry(entry));
63607 + pte_clear_not_present_full(mm, address, pte, 0);
63610 + struct page *page;
63612 + flush_cache_page(vma, address, pte_pfn(entry));
63613 + entry = ptep_clear_flush(vma, address, pte);
63614 + BUG_ON(pte_dirty(entry));
63615 + page = vm_normal_page(vma, address, entry);
63617 + update_hiwater_rss(mm);
63618 + if (PageAnon(page))
63619 + dec_mm_counter(mm, anon_rss);
63621 + dec_mm_counter(mm, file_rss);
63622 + page_remove_rmap(page);
63623 + page_cache_release(page);
63626 + pte_unmap_unlock(pte, ptl);
63629 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
63631 + * the ptl of the lower mapped page is held on entry and is not released on exit
63632 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
63634 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
63636 + struct mm_struct *mm = vma->vm_mm;
63637 + unsigned long address_m;
63638 + spinlock_t *ptl_m;
63639 + struct vm_area_struct *vma_m;
63641 + pte_t *pte_m, entry_m;
63643 + BUG_ON(!page_m || !PageAnon(page_m));
63645 + vma_m = pax_find_mirror_vma(vma);
63649 + BUG_ON(!PageLocked(page_m));
63650 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
63651 + address_m = address + SEGMEXEC_TASK_SIZE;
63652 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
63653 + pte_m = pte_offset_map_nested(pmd_m, address_m);
63654 + ptl_m = pte_lockptr(mm, pmd_m);
63655 + if (ptl != ptl_m) {
63656 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
63657 + if (!pte_none(*pte_m))
63661 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
63662 + page_cache_get(page_m);
63663 + page_add_anon_rmap(page_m, vma_m, address_m);
63664 + inc_mm_counter(mm, anon_rss);
63665 + set_pte_at(mm, address_m, pte_m, entry_m);
63666 + update_mmu_cache(vma_m, address_m, entry_m);
63668 + if (ptl != ptl_m)
63669 + spin_unlock(ptl_m);
63670 + pte_unmap_nested(pte_m);
63671 + unlock_page(page_m);
63674 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
63676 + struct mm_struct *mm = vma->vm_mm;
63677 + unsigned long address_m;
63678 + spinlock_t *ptl_m;
63679 + struct vm_area_struct *vma_m;
63681 + pte_t *pte_m, entry_m;
63683 + BUG_ON(!page_m || PageAnon(page_m));
63685 + vma_m = pax_find_mirror_vma(vma);
63689 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
63690 + address_m = address + SEGMEXEC_TASK_SIZE;
63691 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
63692 + pte_m = pte_offset_map_nested(pmd_m, address_m);
63693 + ptl_m = pte_lockptr(mm, pmd_m);
63694 + if (ptl != ptl_m) {
63695 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
63696 + if (!pte_none(*pte_m))
63700 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
63701 + page_cache_get(page_m);
63702 + page_add_file_rmap(page_m);
63703 + inc_mm_counter(mm, file_rss);
63704 + set_pte_at(mm, address_m, pte_m, entry_m);
63705 + update_mmu_cache(vma_m, address_m, entry_m);
63707 + if (ptl != ptl_m)
63708 + spin_unlock(ptl_m);
63709 + pte_unmap_nested(pte_m);
63712 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
63714 + struct mm_struct *mm = vma->vm_mm;
63715 + unsigned long address_m;
63716 + spinlock_t *ptl_m;
63717 + struct vm_area_struct *vma_m;
63719 + pte_t *pte_m, entry_m;
63721 + vma_m = pax_find_mirror_vma(vma);
63725 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
63726 + address_m = address + SEGMEXEC_TASK_SIZE;
63727 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
63728 + pte_m = pte_offset_map_nested(pmd_m, address_m);
63729 + ptl_m = pte_lockptr(mm, pmd_m);
63730 + if (ptl != ptl_m) {
63731 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
63732 + if (!pte_none(*pte_m))
63736 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
63737 + set_pte_at(mm, address_m, pte_m, entry_m);
63739 + if (ptl != ptl_m)
63740 + spin_unlock(ptl_m);
63741 + pte_unmap_nested(pte_m);
63744 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
63746 + struct page *page_m;
63749 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
63753 + page_m = vm_normal_page(vma, address, entry);
63755 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
63756 + else if (PageAnon(page_m)) {
63757 + if (pax_find_mirror_vma(vma)) {
63758 + pte_unmap_unlock(pte, ptl);
63759 + lock_page(page_m);
63760 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
63761 + if (pte_same(entry, *pte))
63762 + pax_mirror_anon_pte(vma, address, page_m, ptl);
63764 + unlock_page(page_m);
63767 + pax_mirror_file_pte(vma, address, page_m, ptl);
63770 + pte_unmap_unlock(pte, ptl);
63775 * This routine handles present pages, when users try to write
63776 * to a shared page. It is done by copying the page to a new address
63777 @@ -2156,6 +2360,12 @@ gotten:
63779 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
63780 if (likely(pte_same(*page_table, orig_pte))) {
63782 +#ifdef CONFIG_PAX_SEGMEXEC
63783 + if (pax_find_mirror_vma(vma))
63784 + BUG_ON(!trylock_page(new_page));
63788 if (!PageAnon(old_page)) {
63789 dec_mm_counter(mm, file_rss);
63790 @@ -2207,6 +2417,10 @@ gotten:
63791 page_remove_rmap(old_page);
63794 +#ifdef CONFIG_PAX_SEGMEXEC
63795 + pax_mirror_anon_pte(vma, address, new_page, ptl);
63798 /* Free the old page.. */
63799 new_page = old_page;
63800 ret |= VM_FAULT_WRITE;
63801 @@ -2604,6 +2818,11 @@ static int do_swap_page(struct mm_struct
63803 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
63804 try_to_free_swap(page);
63806 +#ifdef CONFIG_PAX_SEGMEXEC
63807 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
63812 if (flags & FAULT_FLAG_WRITE) {
63813 @@ -2615,6 +2834,11 @@ static int do_swap_page(struct mm_struct
63815 /* No need to invalidate - it was non-present before */
63816 update_mmu_cache(vma, address, pte);
63818 +#ifdef CONFIG_PAX_SEGMEXEC
63819 + pax_mirror_anon_pte(vma, address, page, ptl);
63823 pte_unmap_unlock(page_table, ptl);
63825 @@ -2630,40 +2854,6 @@ out_release:
63829 - * This is like a special single-page "expand_{down|up}wards()",
63830 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
63831 - * doesn't hit another vma.
63833 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
63835 - address &= PAGE_MASK;
63836 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
63837 - struct vm_area_struct *prev = vma->vm_prev;
63840 - * Is there a mapping abutting this one below?
63842 - * That's only ok if it's the same stack mapping
63843 - * that has gotten split..
63845 - if (prev && prev->vm_end == address)
63846 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
63848 - expand_stack(vma, address - PAGE_SIZE);
63850 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
63851 - struct vm_area_struct *next = vma->vm_next;
63853 - /* As VM_GROWSDOWN but s/below/above/ */
63854 - if (next && next->vm_start == address + PAGE_SIZE)
63855 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
63857 - expand_upwards(vma, address + PAGE_SIZE);
63863 * We enter with non-exclusive mmap_sem (to exclude vma changes,
63864 * but allow concurrent faults), and pte mapped but not yet locked.
63865 * We return with mmap_sem still held, but pte unmapped and unlocked.
63866 @@ -2672,27 +2862,23 @@ static int do_anonymous_page(struct mm_s
63867 unsigned long address, pte_t *page_table, pmd_t *pmd,
63868 unsigned int flags)
63870 - struct page *page;
63871 + struct page *page = NULL;
63875 - pte_unmap(page_table);
63877 - /* Check if we need to add a guard page to the stack */
63878 - if (check_stack_guard_page(vma, address) < 0)
63879 - return VM_FAULT_SIGBUS;
63881 - /* Use the zero-page for reads */
63882 if (!(flags & FAULT_FLAG_WRITE)) {
63883 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
63884 vma->vm_page_prot));
63885 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
63886 + ptl = pte_lockptr(mm, pmd);
63888 if (!pte_none(*page_table))
63893 /* Allocate our own private page. */
63894 + pte_unmap(page_table);
63896 if (unlikely(anon_vma_prepare(vma)))
63898 page = alloc_zeroed_user_highpage_movable(vma, address);
63899 @@ -2711,6 +2897,11 @@ static int do_anonymous_page(struct mm_s
63900 if (!pte_none(*page_table))
63903 +#ifdef CONFIG_PAX_SEGMEXEC
63904 + if (pax_find_mirror_vma(vma))
63905 + BUG_ON(!trylock_page(page));
63908 inc_mm_counter(mm, anon_rss);
63909 page_add_new_anon_rmap(page, vma, address);
63911 @@ -2718,6 +2909,12 @@ setpte:
63913 /* No need to invalidate - it was non-present before */
63914 update_mmu_cache(vma, address, entry);
63916 +#ifdef CONFIG_PAX_SEGMEXEC
63918 + pax_mirror_anon_pte(vma, address, page, ptl);
63922 pte_unmap_unlock(page_table, ptl);
63924 @@ -2860,6 +3057,12 @@ static int __do_fault(struct mm_struct *
63926 /* Only go through if we didn't race with anybody else... */
63927 if (likely(pte_same(*page_table, orig_pte))) {
63929 +#ifdef CONFIG_PAX_SEGMEXEC
63930 + if (anon && pax_find_mirror_vma(vma))
63931 + BUG_ON(!trylock_page(page));
63934 flush_icache_page(vma, page);
63935 entry = mk_pte(page, vma->vm_page_prot);
63936 if (flags & FAULT_FLAG_WRITE)
63937 @@ -2879,6 +3082,14 @@ static int __do_fault(struct mm_struct *
63939 /* no need to invalidate: a not-present page won't be cached */
63940 update_mmu_cache(vma, address, entry);
63942 +#ifdef CONFIG_PAX_SEGMEXEC
63944 + pax_mirror_anon_pte(vma, address, page, ptl);
63946 + pax_mirror_file_pte(vma, address, page, ptl);
63951 mem_cgroup_uncharge_page(page);
63952 @@ -3026,6 +3237,12 @@ static inline int handle_pte_fault(struc
63953 if (flags & FAULT_FLAG_WRITE)
63954 flush_tlb_page(vma, address);
63957 +#ifdef CONFIG_PAX_SEGMEXEC
63958 + pax_mirror_pte(vma, address, pte, pmd, ptl);
63963 pte_unmap_unlock(pte, ptl);
63965 @@ -3042,6 +3259,10 @@ int handle_mm_fault(struct mm_struct *mm
63969 +#ifdef CONFIG_PAX_SEGMEXEC
63970 + struct vm_area_struct *vma_m;
63973 __set_current_state(TASK_RUNNING);
63975 count_vm_event(PGFAULT);
63976 @@ -3049,6 +3270,34 @@ int handle_mm_fault(struct mm_struct *mm
63977 if (unlikely(is_vm_hugetlb_page(vma)))
63978 return hugetlb_fault(mm, vma, address, flags);
63980 +#ifdef CONFIG_PAX_SEGMEXEC
63981 + vma_m = pax_find_mirror_vma(vma);
63983 + unsigned long address_m;
63988 + if (vma->vm_start > vma_m->vm_start) {
63989 + address_m = address;
63990 + address -= SEGMEXEC_TASK_SIZE;
63993 + address_m = address + SEGMEXEC_TASK_SIZE;
63995 + pgd_m = pgd_offset(mm, address_m);
63996 + pud_m = pud_alloc(mm, pgd_m, address_m);
63998 + return VM_FAULT_OOM;
63999 + pmd_m = pmd_alloc(mm, pud_m, address_m);
64001 + return VM_FAULT_OOM;
64002 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
64003 + return VM_FAULT_OOM;
64004 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
64008 pgd = pgd_offset(mm, address);
64009 pud = pud_alloc(mm, pgd, address);
64011 @@ -3146,7 +3395,7 @@ static int __init gate_vma_init(void)
64012 gate_vma.vm_start = FIXADDR_USER_START;
64013 gate_vma.vm_end = FIXADDR_USER_END;
64014 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
64015 - gate_vma.vm_page_prot = __P101;
64016 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
64018 * Make sure the vDSO gets into every core dump.
64019 * Dumping its contents makes post-mortem fully interpretable later
64020 diff -urNp linux-2.6.32.42/mm/memory-failure.c linux-2.6.32.42/mm/memory-failure.c
64021 --- linux-2.6.32.42/mm/memory-failure.c 2011-03-27 14:31:47.000000000 -0400
64022 +++ linux-2.6.32.42/mm/memory-failure.c 2011-04-17 15:56:46.000000000 -0400
64023 @@ -46,7 +46,7 @@ int sysctl_memory_failure_early_kill __r
64025 int sysctl_memory_failure_recovery __read_mostly = 1;
64027 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
64028 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
64031 * Send all the processes who have the page mapped an ``action optional''
64032 @@ -745,7 +745,7 @@ int __memory_failure(unsigned long pfn,
64036 - atomic_long_add(1, &mce_bad_pages);
64037 + atomic_long_add_unchecked(1, &mce_bad_pages);
64040 * We need/can do nothing about count=0 pages.
64041 diff -urNp linux-2.6.32.42/mm/mempolicy.c linux-2.6.32.42/mm/mempolicy.c
64042 --- linux-2.6.32.42/mm/mempolicy.c 2011-03-27 14:31:47.000000000 -0400
64043 +++ linux-2.6.32.42/mm/mempolicy.c 2011-04-17 15:56:46.000000000 -0400
64044 @@ -573,6 +573,10 @@ static int mbind_range(struct vm_area_st
64045 struct vm_area_struct *next;
64048 +#ifdef CONFIG_PAX_SEGMEXEC
64049 + struct vm_area_struct *vma_m;
64053 for (; vma && vma->vm_start < end; vma = next) {
64054 next = vma->vm_next;
64055 @@ -584,6 +588,16 @@ static int mbind_range(struct vm_area_st
64056 err = policy_vma(vma, new);
64060 +#ifdef CONFIG_PAX_SEGMEXEC
64061 + vma_m = pax_find_mirror_vma(vma);
64063 + err = policy_vma(vma_m, new);
64072 @@ -1002,6 +1016,17 @@ static long do_mbind(unsigned long start
64077 +#ifdef CONFIG_PAX_SEGMEXEC
64078 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
64079 + if (end > SEGMEXEC_TASK_SIZE)
64084 + if (end > TASK_SIZE)
64090 @@ -1207,6 +1232,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
64094 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
64095 + if (mm != current->mm &&
64096 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
64103 * Check if this process has the right to modify the specified
64104 * process. The right exists if the process has administrative
64105 @@ -1216,8 +1249,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
64107 tcred = __task_cred(task);
64108 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
64109 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
64110 - !capable(CAP_SYS_NICE)) {
64111 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
64115 @@ -2396,7 +2428,7 @@ int show_numa_map(struct seq_file *m, vo
64118 seq_printf(m, " file=");
64119 - seq_path(m, &file->f_path, "\n\t= ");
64120 + seq_path(m, &file->f_path, "\n\t\\= ");
64121 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
64122 seq_printf(m, " heap");
64123 } else if (vma->vm_start <= mm->start_stack &&
64124 diff -urNp linux-2.6.32.42/mm/migrate.c linux-2.6.32.42/mm/migrate.c
64125 --- linux-2.6.32.42/mm/migrate.c 2011-03-27 14:31:47.000000000 -0400
64126 +++ linux-2.6.32.42/mm/migrate.c 2011-05-16 21:46:57.000000000 -0400
64127 @@ -916,6 +916,8 @@ static int do_pages_move(struct mm_struc
64128 unsigned long chunk_start;
64131 + pax_track_stack();
64133 task_nodes = cpuset_mems_allowed(task);
64136 @@ -1106,6 +1108,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
64140 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
64141 + if (mm != current->mm &&
64142 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
64149 * Check if this process has the right to modify the specified
64150 * process. The right exists if the process has administrative
64151 @@ -1115,8 +1125,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
64153 tcred = __task_cred(task);
64154 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
64155 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
64156 - !capable(CAP_SYS_NICE)) {
64157 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
64161 diff -urNp linux-2.6.32.42/mm/mlock.c linux-2.6.32.42/mm/mlock.c
64162 --- linux-2.6.32.42/mm/mlock.c 2011-03-27 14:31:47.000000000 -0400
64163 +++ linux-2.6.32.42/mm/mlock.c 2011-04-17 15:56:46.000000000 -0400
64165 #include <linux/pagemap.h>
64166 #include <linux/mempolicy.h>
64167 #include <linux/syscalls.h>
64168 +#include <linux/security.h>
64169 #include <linux/sched.h>
64170 #include <linux/module.h>
64171 #include <linux/rmap.h>
64172 @@ -138,13 +139,6 @@ void munlock_vma_page(struct page *page)
64176 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
64178 - return (vma->vm_flags & VM_GROWSDOWN) &&
64179 - (vma->vm_start == addr) &&
64180 - !vma_stack_continue(vma->vm_prev, addr);
64184 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
64186 @@ -177,12 +171,6 @@ static long __mlock_vma_pages_range(stru
64187 if (vma->vm_flags & VM_WRITE)
64188 gup_flags |= FOLL_WRITE;
64190 - /* We don't try to access the guard page of a stack vma */
64191 - if (stack_guard_page(vma, start)) {
64192 - addr += PAGE_SIZE;
64196 while (nr_pages > 0) {
64199 @@ -440,7 +428,7 @@ static int do_mlock(unsigned long start,
64201 unsigned long nstart, end, tmp;
64202 struct vm_area_struct * vma, * prev;
64204 + int error = -EINVAL;
64206 len = PAGE_ALIGN(len);
64208 @@ -448,6 +436,9 @@ static int do_mlock(unsigned long start,
64212 + if (end > TASK_SIZE)
64215 vma = find_vma_prev(current->mm, start, &prev);
64216 if (!vma || vma->vm_start > start)
64218 @@ -458,6 +449,11 @@ static int do_mlock(unsigned long start,
64219 for (nstart = start ; ; ) {
64220 unsigned int newflags;
64222 +#ifdef CONFIG_PAX_SEGMEXEC
64223 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
64227 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
64229 newflags = vma->vm_flags | VM_LOCKED;
64230 @@ -507,6 +503,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
64231 lock_limit >>= PAGE_SHIFT;
64233 /* check against resource limits */
64234 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
64235 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
64236 error = do_mlock(start, len, 1);
64237 up_write(¤t->mm->mmap_sem);
64238 @@ -528,17 +525,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
64239 static int do_mlockall(int flags)
64241 struct vm_area_struct * vma, * prev = NULL;
64242 - unsigned int def_flags = 0;
64244 if (flags & MCL_FUTURE)
64245 - def_flags = VM_LOCKED;
64246 - current->mm->def_flags = def_flags;
64247 + current->mm->def_flags |= VM_LOCKED;
64249 + current->mm->def_flags &= ~VM_LOCKED;
64250 if (flags == MCL_FUTURE)
64253 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
64254 - unsigned int newflags;
64255 + unsigned long newflags;
64257 +#ifdef CONFIG_PAX_SEGMEXEC
64258 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
64262 + BUG_ON(vma->vm_end > TASK_SIZE);
64263 newflags = vma->vm_flags | VM_LOCKED;
64264 if (!(flags & MCL_CURRENT))
64265 newflags &= ~VM_LOCKED;
64266 @@ -570,6 +573,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
64267 lock_limit >>= PAGE_SHIFT;
64270 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
64271 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
64272 capable(CAP_IPC_LOCK))
64273 ret = do_mlockall(flags);
64274 diff -urNp linux-2.6.32.42/mm/mmap.c linux-2.6.32.42/mm/mmap.c
64275 --- linux-2.6.32.42/mm/mmap.c 2011-03-27 14:31:47.000000000 -0400
64276 +++ linux-2.6.32.42/mm/mmap.c 2011-04-17 15:56:46.000000000 -0400
64278 #define arch_rebalance_pgtables(addr, len) (addr)
64281 +static inline void verify_mm_writelocked(struct mm_struct *mm)
64283 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
64284 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
64285 + up_read(&mm->mmap_sem);
64291 static void unmap_region(struct mm_struct *mm,
64292 struct vm_area_struct *vma, struct vm_area_struct *prev,
64293 unsigned long start, unsigned long end);
64294 @@ -70,22 +80,32 @@ static void unmap_region(struct mm_struc
64295 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
64298 -pgprot_t protection_map[16] = {
64299 +pgprot_t protection_map[16] __read_only = {
64300 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
64301 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
64304 pgprot_t vm_get_page_prot(unsigned long vm_flags)
64306 - return __pgprot(pgprot_val(protection_map[vm_flags &
64307 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
64308 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
64309 pgprot_val(arch_vm_get_page_prot(vm_flags)));
64311 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
64312 + if (!nx_enabled &&
64313 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
64314 + (vm_flags & (VM_READ | VM_WRITE)))
64315 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
64320 EXPORT_SYMBOL(vm_get_page_prot);
64322 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
64323 int sysctl_overcommit_ratio = 50; /* default is 50% */
64324 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
64325 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
64326 struct percpu_counter vm_committed_as;
64329 @@ -231,6 +251,7 @@ static struct vm_area_struct *remove_vma
64330 struct vm_area_struct *next = vma->vm_next;
64333 + BUG_ON(vma->vm_mirror);
64334 if (vma->vm_ops && vma->vm_ops->close)
64335 vma->vm_ops->close(vma);
64336 if (vma->vm_file) {
64337 @@ -267,6 +288,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
64338 * not page aligned -Ram Gupta
64340 rlim = current->signal->rlim[RLIMIT_DATA].rlim_cur;
64341 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
64342 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
64343 (mm->end_data - mm->start_data) > rlim)
64345 @@ -704,6 +726,12 @@ static int
64346 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
64347 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
64350 +#ifdef CONFIG_PAX_SEGMEXEC
64351 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
64355 if (is_mergeable_vma(vma, file, vm_flags) &&
64356 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
64357 if (vma->vm_pgoff == vm_pgoff)
64358 @@ -723,6 +751,12 @@ static int
64359 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
64360 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
64363 +#ifdef CONFIG_PAX_SEGMEXEC
64364 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
64368 if (is_mergeable_vma(vma, file, vm_flags) &&
64369 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
64371 @@ -765,12 +799,19 @@ can_vma_merge_after(struct vm_area_struc
64372 struct vm_area_struct *vma_merge(struct mm_struct *mm,
64373 struct vm_area_struct *prev, unsigned long addr,
64374 unsigned long end, unsigned long vm_flags,
64375 - struct anon_vma *anon_vma, struct file *file,
64376 + struct anon_vma *anon_vma, struct file *file,
64377 pgoff_t pgoff, struct mempolicy *policy)
64379 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
64380 struct vm_area_struct *area, *next;
64382 +#ifdef CONFIG_PAX_SEGMEXEC
64383 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
64384 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
64386 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
64390 * We later require that vma->vm_flags == vm_flags,
64391 * so this tests vma->vm_flags & VM_SPECIAL, too.
64392 @@ -786,6 +827,15 @@ struct vm_area_struct *vma_merge(struct
64393 if (next && next->vm_end == end) /* cases 6, 7, 8 */
64394 next = next->vm_next;
64396 +#ifdef CONFIG_PAX_SEGMEXEC
64398 + prev_m = pax_find_mirror_vma(prev);
64400 + area_m = pax_find_mirror_vma(area);
64402 + next_m = pax_find_mirror_vma(next);
64406 * Can it merge with the predecessor?
64408 @@ -805,9 +855,24 @@ struct vm_area_struct *vma_merge(struct
64410 vma_adjust(prev, prev->vm_start,
64411 next->vm_end, prev->vm_pgoff, NULL);
64412 - } else /* cases 2, 5, 7 */
64414 +#ifdef CONFIG_PAX_SEGMEXEC
64416 + vma_adjust(prev_m, prev_m->vm_start,
64417 + next_m->vm_end, prev_m->vm_pgoff, NULL);
64420 + } else { /* cases 2, 5, 7 */
64421 vma_adjust(prev, prev->vm_start,
64422 end, prev->vm_pgoff, NULL);
64424 +#ifdef CONFIG_PAX_SEGMEXEC
64426 + vma_adjust(prev_m, prev_m->vm_start,
64427 + end_m, prev_m->vm_pgoff, NULL);
64434 @@ -818,12 +883,27 @@ struct vm_area_struct *vma_merge(struct
64435 mpol_equal(policy, vma_policy(next)) &&
64436 can_vma_merge_before(next, vm_flags,
64437 anon_vma, file, pgoff+pglen)) {
64438 - if (prev && addr < prev->vm_end) /* case 4 */
64439 + if (prev && addr < prev->vm_end) { /* case 4 */
64440 vma_adjust(prev, prev->vm_start,
64441 addr, prev->vm_pgoff, NULL);
64442 - else /* cases 3, 8 */
64444 +#ifdef CONFIG_PAX_SEGMEXEC
64446 + vma_adjust(prev_m, prev_m->vm_start,
64447 + addr_m, prev_m->vm_pgoff, NULL);
64450 + } else { /* cases 3, 8 */
64451 vma_adjust(area, addr, next->vm_end,
64452 next->vm_pgoff - pglen, NULL);
64454 +#ifdef CONFIG_PAX_SEGMEXEC
64456 + vma_adjust(area_m, addr_m, next_m->vm_end,
64457 + next_m->vm_pgoff - pglen, NULL);
64464 @@ -898,14 +978,11 @@ none:
64465 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
64466 struct file *file, long pages)
64468 - const unsigned long stack_flags
64469 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
64472 mm->shared_vm += pages;
64473 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
64474 mm->exec_vm += pages;
64475 - } else if (flags & stack_flags)
64476 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
64477 mm->stack_vm += pages;
64478 if (flags & (VM_RESERVED|VM_IO))
64479 mm->reserved_vm += pages;
64480 @@ -932,7 +1009,7 @@ unsigned long do_mmap_pgoff(struct file
64481 * (the exception is when the underlying filesystem is noexec
64482 * mounted, in which case we dont add PROT_EXEC.)
64484 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
64485 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
64486 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
64489 @@ -958,7 +1035,7 @@ unsigned long do_mmap_pgoff(struct file
64490 /* Obtain the address to map to. we verify (or select) it and ensure
64491 * that it represents a valid section of the address space.
64493 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
64494 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
64495 if (addr & ~PAGE_MASK)
64498 @@ -969,6 +1046,36 @@ unsigned long do_mmap_pgoff(struct file
64499 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
64500 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
64502 +#ifdef CONFIG_PAX_MPROTECT
64503 + if (mm->pax_flags & MF_PAX_MPROTECT) {
64504 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
64505 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
64506 + gr_log_rwxmmap(file);
64508 +#ifdef CONFIG_PAX_EMUPLT
64509 + vm_flags &= ~VM_EXEC;
64516 + if (!(vm_flags & VM_EXEC))
64517 + vm_flags &= ~VM_MAYEXEC;
64519 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
64520 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
64523 + vm_flags &= ~VM_MAYWRITE;
64527 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
64528 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
64529 + vm_flags &= ~VM_PAGEEXEC;
64532 if (flags & MAP_LOCKED)
64533 if (!can_do_mlock())
64535 @@ -980,6 +1087,7 @@ unsigned long do_mmap_pgoff(struct file
64536 locked += mm->locked_vm;
64537 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
64538 lock_limit >>= PAGE_SHIFT;
64539 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
64540 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
64543 @@ -1053,6 +1161,9 @@ unsigned long do_mmap_pgoff(struct file
64547 + if (!gr_acl_handle_mmap(file, prot))
64550 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
64552 EXPORT_SYMBOL(do_mmap_pgoff);
64553 @@ -1065,10 +1176,10 @@ EXPORT_SYMBOL(do_mmap_pgoff);
64555 int vma_wants_writenotify(struct vm_area_struct *vma)
64557 - unsigned int vm_flags = vma->vm_flags;
64558 + unsigned long vm_flags = vma->vm_flags;
64560 /* If it was private or non-writable, the write bit is already clear */
64561 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
64562 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
64565 /* The backer wishes to know when pages are first written to? */
64566 @@ -1117,14 +1228,24 @@ unsigned long mmap_region(struct file *f
64567 unsigned long charged = 0;
64568 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
64570 +#ifdef CONFIG_PAX_SEGMEXEC
64571 + struct vm_area_struct *vma_m = NULL;
64575 + * mm->mmap_sem is required to protect against another thread
64576 + * changing the mappings in case we sleep.
64578 + verify_mm_writelocked(mm);
64580 /* Clear old maps */
64583 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
64584 if (vma && vma->vm_start < addr + len) {
64585 if (do_munmap(mm, addr, len))
64587 - goto munmap_back;
64588 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
64589 + BUG_ON(vma && vma->vm_start < addr + len);
64592 /* Check against address space limit. */
64593 @@ -1173,6 +1294,16 @@ munmap_back:
64597 +#ifdef CONFIG_PAX_SEGMEXEC
64598 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
64599 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
64608 vma->vm_start = addr;
64609 vma->vm_end = addr + len;
64610 @@ -1195,6 +1326,19 @@ munmap_back:
64611 error = file->f_op->mmap(file, vma);
64613 goto unmap_and_free_vma;
64615 +#ifdef CONFIG_PAX_SEGMEXEC
64616 + if (vma_m && (vm_flags & VM_EXECUTABLE))
64617 + added_exe_file_vma(mm);
64620 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
64621 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
64622 + vma->vm_flags |= VM_PAGEEXEC;
64623 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
64627 if (vm_flags & VM_EXECUTABLE)
64628 added_exe_file_vma(mm);
64630 @@ -1218,6 +1362,11 @@ munmap_back:
64631 vma_link(mm, vma, prev, rb_link, rb_parent);
64632 file = vma->vm_file;
64634 +#ifdef CONFIG_PAX_SEGMEXEC
64636 + pax_mirror_vma(vma_m, vma);
64639 /* Once vma denies write, undo our temporary denial count */
64640 if (correct_wcount)
64641 atomic_inc(&inode->i_writecount);
64642 @@ -1226,6 +1375,7 @@ out:
64644 mm->total_vm += len >> PAGE_SHIFT;
64645 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
64646 + track_exec_limit(mm, addr, addr + len, vm_flags);
64647 if (vm_flags & VM_LOCKED) {
64649 * makes pages present; downgrades, drops, reacquires mmap_sem
64650 @@ -1248,6 +1398,12 @@ unmap_and_free_vma:
64651 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
64655 +#ifdef CONFIG_PAX_SEGMEXEC
64657 + kmem_cache_free(vm_area_cachep, vma_m);
64660 kmem_cache_free(vm_area_cachep, vma);
64663 @@ -1255,6 +1411,44 @@ unacct_error:
64667 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
64670 +#ifdef CONFIG_STACK_GROWSUP
64671 + if (addr > sysctl_heap_stack_gap)
64672 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
64674 + vma = find_vma(current->mm, 0);
64675 + if (vma && (vma->vm_flags & VM_GROWSUP))
64681 + if (addr + len > vma->vm_start)
64684 + if (vma->vm_flags & VM_GROWSDOWN)
64685 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
64686 +#ifdef CONFIG_STACK_GROWSUP
64687 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
64688 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
64694 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
64696 + if (vma->vm_start < len)
64698 + if (!(vma->vm_flags & VM_GROWSDOWN))
64699 + return vma->vm_start - len;
64700 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
64701 + return vma->vm_start - len - sysctl_heap_stack_gap;
64705 /* Get an address range which is currently unmapped.
64706 * For shmat() with addr=0.
64708 @@ -1281,18 +1475,23 @@ arch_get_unmapped_area(struct file *filp
64709 if (flags & MAP_FIXED)
64712 +#ifdef CONFIG_PAX_RANDMMAP
64713 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
64717 addr = PAGE_ALIGN(addr);
64718 - vma = find_vma(mm, addr);
64719 - if (TASK_SIZE - len >= addr &&
64720 - (!vma || addr + len <= vma->vm_start))
64722 + if (TASK_SIZE - len >= addr) {
64723 + vma = find_vma(mm, addr);
64724 + if (check_heap_stack_gap(vma, addr, len))
64728 if (len > mm->cached_hole_size) {
64729 - start_addr = addr = mm->free_area_cache;
64730 + start_addr = addr = mm->free_area_cache;
64732 - start_addr = addr = TASK_UNMAPPED_BASE;
64733 - mm->cached_hole_size = 0;
64734 + start_addr = addr = mm->mmap_base;
64735 + mm->cached_hole_size = 0;
64739 @@ -1303,34 +1502,40 @@ full_search:
64740 * Start a new search - just in case we missed
64743 - if (start_addr != TASK_UNMAPPED_BASE) {
64744 - addr = TASK_UNMAPPED_BASE;
64745 - start_addr = addr;
64746 + if (start_addr != mm->mmap_base) {
64747 + start_addr = addr = mm->mmap_base;
64748 mm->cached_hole_size = 0;
64753 - if (!vma || addr + len <= vma->vm_start) {
64755 - * Remember the place where we stopped the search:
64757 - mm->free_area_cache = addr + len;
64760 + if (check_heap_stack_gap(vma, addr, len))
64762 if (addr + mm->cached_hole_size < vma->vm_start)
64763 mm->cached_hole_size = vma->vm_start - addr;
64764 addr = vma->vm_end;
64768 + * Remember the place where we stopped the search:
64770 + mm->free_area_cache = addr + len;
64775 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
64778 +#ifdef CONFIG_PAX_SEGMEXEC
64779 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
64784 * Is this a new hole at the lowest possible address?
64786 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
64787 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
64788 mm->free_area_cache = addr;
64789 mm->cached_hole_size = ~0UL;
64791 @@ -1348,7 +1553,7 @@ arch_get_unmapped_area_topdown(struct fi
64793 struct vm_area_struct *vma;
64794 struct mm_struct *mm = current->mm;
64795 - unsigned long addr = addr0;
64796 + unsigned long base = mm->mmap_base, addr = addr0;
64798 /* requested length too big for entire address space */
64799 if (len > TASK_SIZE)
64800 @@ -1357,13 +1562,18 @@ arch_get_unmapped_area_topdown(struct fi
64801 if (flags & MAP_FIXED)
64804 +#ifdef CONFIG_PAX_RANDMMAP
64805 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
64808 /* requesting a specific address */
64810 addr = PAGE_ALIGN(addr);
64811 - vma = find_vma(mm, addr);
64812 - if (TASK_SIZE - len >= addr &&
64813 - (!vma || addr + len <= vma->vm_start))
64815 + if (TASK_SIZE - len >= addr) {
64816 + vma = find_vma(mm, addr);
64817 + if (check_heap_stack_gap(vma, addr, len))
64822 /* check if free_area_cache is useful for us */
64823 @@ -1378,7 +1588,7 @@ arch_get_unmapped_area_topdown(struct fi
64824 /* make sure it can fit in the remaining address space */
64826 vma = find_vma(mm, addr-len);
64827 - if (!vma || addr <= vma->vm_start)
64828 + if (check_heap_stack_gap(vma, addr - len, len))
64829 /* remember the address as a hint for next time */
64830 return (mm->free_area_cache = addr-len);
64832 @@ -1395,7 +1605,7 @@ arch_get_unmapped_area_topdown(struct fi
64833 * return with success:
64835 vma = find_vma(mm, addr);
64836 - if (!vma || addr+len <= vma->vm_start)
64837 + if (check_heap_stack_gap(vma, addr, len))
64838 /* remember the address as a hint for next time */
64839 return (mm->free_area_cache = addr);
64841 @@ -1404,8 +1614,8 @@ arch_get_unmapped_area_topdown(struct fi
64842 mm->cached_hole_size = vma->vm_start - addr;
64844 /* try just below the current vma->vm_start */
64845 - addr = vma->vm_start-len;
64846 - } while (len < vma->vm_start);
64847 + addr = skip_heap_stack_gap(vma, len);
64848 + } while (!IS_ERR_VALUE(addr));
64852 @@ -1414,13 +1624,21 @@ bottomup:
64853 * can happen with large stack limits and large mmap()
64856 + mm->mmap_base = TASK_UNMAPPED_BASE;
64858 +#ifdef CONFIG_PAX_RANDMMAP
64859 + if (mm->pax_flags & MF_PAX_RANDMMAP)
64860 + mm->mmap_base += mm->delta_mmap;
64863 + mm->free_area_cache = mm->mmap_base;
64864 mm->cached_hole_size = ~0UL;
64865 - mm->free_area_cache = TASK_UNMAPPED_BASE;
64866 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
64868 * Restore the topdown base:
64870 - mm->free_area_cache = mm->mmap_base;
64871 + mm->mmap_base = base;
64872 + mm->free_area_cache = base;
64873 mm->cached_hole_size = ~0UL;
64876 @@ -1429,6 +1647,12 @@ bottomup:
64878 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
64881 +#ifdef CONFIG_PAX_SEGMEXEC
64882 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
64887 * Is this a new hole at the highest possible address?
64889 @@ -1436,8 +1660,10 @@ void arch_unmap_area_topdown(struct mm_s
64890 mm->free_area_cache = addr;
64892 /* dont allow allocations above current base */
64893 - if (mm->free_area_cache > mm->mmap_base)
64894 + if (mm->free_area_cache > mm->mmap_base) {
64895 mm->free_area_cache = mm->mmap_base;
64896 + mm->cached_hole_size = ~0UL;
64901 @@ -1545,6 +1771,27 @@ out:
64902 return prev ? prev->vm_next : vma;
64905 +#ifdef CONFIG_PAX_SEGMEXEC
64906 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
64908 + struct vm_area_struct *vma_m;
64910 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
64911 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
64912 + BUG_ON(vma->vm_mirror);
64915 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
64916 + vma_m = vma->vm_mirror;
64917 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
64918 + BUG_ON(vma->vm_file != vma_m->vm_file);
64919 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
64920 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff || vma->anon_vma != vma_m->anon_vma);
64921 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
64927 * Verify that the stack growth is acceptable and
64928 * update accounting. This is shared with both the
64929 @@ -1561,6 +1808,7 @@ static int acct_stack_growth(struct vm_a
64932 /* Stack limit test */
64933 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
64934 if (size > rlim[RLIMIT_STACK].rlim_cur)
64937 @@ -1570,6 +1818,7 @@ static int acct_stack_growth(struct vm_a
64938 unsigned long limit;
64939 locked = mm->locked_vm + grow;
64940 limit = rlim[RLIMIT_MEMLOCK].rlim_cur >> PAGE_SHIFT;
64941 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
64942 if (locked > limit && !capable(CAP_IPC_LOCK))
64945 @@ -1600,37 +1849,48 @@ static int acct_stack_growth(struct vm_a
64946 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
64947 * vma is the last one with address > vma->vm_end. Have to extend vma.
64949 +#ifndef CONFIG_IA64
64952 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
64957 if (!(vma->vm_flags & VM_GROWSUP))
64960 + /* Also guard against wrapping around to address 0. */
64961 + if (address < PAGE_ALIGN(address+1))
64962 + address = PAGE_ALIGN(address+1);
64967 * We must make sure the anon_vma is allocated
64968 * so that the anon_vma locking is not a noop.
64970 if (unlikely(anon_vma_prepare(vma)))
64972 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
64973 + if (locknext && anon_vma_prepare(vma->vm_next))
64975 anon_vma_lock(vma);
64977 + anon_vma_lock(vma->vm_next);
64980 * vma->vm_start/vm_end cannot change under us because the caller
64981 * is required to hold the mmap_sem in read mode. We need the
64982 - * anon_vma lock to serialize against concurrent expand_stacks.
64983 - * Also guard against wrapping around to address 0.
64984 + * anon_vma locks to serialize against concurrent expand_stacks
64985 + * and expand_upwards.
64987 - if (address < PAGE_ALIGN(address+4))
64988 - address = PAGE_ALIGN(address+4);
64990 - anon_vma_unlock(vma);
64995 /* Somebody else might have raced and expanded it already */
64996 - if (address > vma->vm_end) {
64997 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
64999 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
65000 unsigned long size, grow;
65002 size = address - vma->vm_start;
65003 @@ -1640,6 +1900,8 @@ int expand_upwards(struct vm_area_struct
65005 vma->vm_end = address;
65008 + anon_vma_unlock(vma->vm_next);
65009 anon_vma_unlock(vma);
65012 @@ -1652,6 +1914,8 @@ static int expand_downwards(struct vm_ar
65013 unsigned long address)
65016 + bool lockprev = false;
65017 + struct vm_area_struct *prev;
65020 * We must make sure the anon_vma is allocated
65021 @@ -1665,6 +1929,15 @@ static int expand_downwards(struct vm_ar
65025 + prev = vma->vm_prev;
65026 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
65027 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
65029 + if (lockprev && anon_vma_prepare(prev))
65032 + anon_vma_lock(prev);
65034 anon_vma_lock(vma);
65037 @@ -1674,9 +1947,17 @@ static int expand_downwards(struct vm_ar
65040 /* Somebody else might have raced and expanded it already */
65041 - if (address < vma->vm_start) {
65042 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
65044 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
65045 unsigned long size, grow;
65047 +#ifdef CONFIG_PAX_SEGMEXEC
65048 + struct vm_area_struct *vma_m;
65050 + vma_m = pax_find_mirror_vma(vma);
65053 size = vma->vm_end - address;
65054 grow = (vma->vm_start - address) >> PAGE_SHIFT;
65056 @@ -1684,9 +1965,20 @@ static int expand_downwards(struct vm_ar
65058 vma->vm_start = address;
65059 vma->vm_pgoff -= grow;
65060 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
65062 +#ifdef CONFIG_PAX_SEGMEXEC
65064 + vma_m->vm_start -= grow << PAGE_SHIFT;
65065 + vma_m->vm_pgoff -= grow;
65071 anon_vma_unlock(vma);
65073 + anon_vma_unlock(prev);
65077 @@ -1762,6 +2054,13 @@ static void remove_vma_list(struct mm_st
65079 long nrpages = vma_pages(vma);
65081 +#ifdef CONFIG_PAX_SEGMEXEC
65082 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
65083 + vma = remove_vma(vma);
65088 mm->total_vm -= nrpages;
65089 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
65090 vma = remove_vma(vma);
65091 @@ -1807,6 +2106,16 @@ detach_vmas_to_be_unmapped(struct mm_str
65092 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
65093 vma->vm_prev = NULL;
65096 +#ifdef CONFIG_PAX_SEGMEXEC
65097 + if (vma->vm_mirror) {
65098 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
65099 + vma->vm_mirror->vm_mirror = NULL;
65100 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
65101 + vma->vm_mirror = NULL;
65105 rb_erase(&vma->vm_rb, &mm->mm_rb);
65108 @@ -1834,10 +2143,25 @@ int split_vma(struct mm_struct * mm, str
65109 struct mempolicy *pol;
65110 struct vm_area_struct *new;
65112 +#ifdef CONFIG_PAX_SEGMEXEC
65113 + struct vm_area_struct *vma_m, *new_m = NULL;
65114 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
65117 if (is_vm_hugetlb_page(vma) && (addr &
65118 ~(huge_page_mask(hstate_vma(vma)))))
65121 +#ifdef CONFIG_PAX_SEGMEXEC
65122 + vma_m = pax_find_mirror_vma(vma);
65124 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
65125 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
65126 + if (mm->map_count >= sysctl_max_map_count-1)
65131 if (mm->map_count >= sysctl_max_map_count)
65134 @@ -1845,6 +2169,16 @@ int split_vma(struct mm_struct * mm, str
65138 +#ifdef CONFIG_PAX_SEGMEXEC
65140 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
65142 + kmem_cache_free(vm_area_cachep, new);
65148 /* most fields are the same, copy all, and then fixup */
65151 @@ -1855,8 +2189,29 @@ int split_vma(struct mm_struct * mm, str
65152 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
65155 +#ifdef CONFIG_PAX_SEGMEXEC
65158 + new_m->vm_mirror = new;
65159 + new->vm_mirror = new_m;
65162 + new_m->vm_end = addr_m;
65164 + new_m->vm_start = addr_m;
65165 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
65170 pol = mpol_dup(vma_policy(vma));
65173 +#ifdef CONFIG_PAX_SEGMEXEC
65175 + kmem_cache_free(vm_area_cachep, new_m);
65178 kmem_cache_free(vm_area_cachep, new);
65179 return PTR_ERR(pol);
65181 @@ -1877,6 +2232,28 @@ int split_vma(struct mm_struct * mm, str
65183 vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
65185 +#ifdef CONFIG_PAX_SEGMEXEC
65188 + vma_set_policy(new_m, pol);
65190 + if (new_m->vm_file) {
65191 + get_file(new_m->vm_file);
65192 + if (vma_m->vm_flags & VM_EXECUTABLE)
65193 + added_exe_file_vma(mm);
65196 + if (new_m->vm_ops && new_m->vm_ops->open)
65197 + new_m->vm_ops->open(new_m);
65200 + vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
65201 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
65203 + vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
65210 @@ -1885,11 +2262,30 @@ int split_vma(struct mm_struct * mm, str
65211 * work. This now handles partial unmappings.
65212 * Jeremy Fitzhardinge <jeremy@goop.org>
65214 +#ifdef CONFIG_PAX_SEGMEXEC
65215 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
65217 + int ret = __do_munmap(mm, start, len);
65218 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
65221 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
65224 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
65226 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
65230 struct vm_area_struct *vma, *prev, *last;
65233 + * mm->mmap_sem is required to protect against another thread
65234 + * changing the mappings in case we sleep.
65236 + verify_mm_writelocked(mm);
65238 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
65241 @@ -1953,6 +2349,8 @@ int do_munmap(struct mm_struct *mm, unsi
65242 /* Fix up all other VM information */
65243 remove_vma_list(mm, vma);
65245 + track_exec_limit(mm, start, end, 0UL);
65250 @@ -1965,22 +2363,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
65252 profile_munmap(addr);
65254 +#ifdef CONFIG_PAX_SEGMEXEC
65255 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
65256 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
65260 down_write(&mm->mmap_sem);
65261 ret = do_munmap(mm, addr, len);
65262 up_write(&mm->mmap_sem);
65266 -static inline void verify_mm_writelocked(struct mm_struct *mm)
65268 -#ifdef CONFIG_DEBUG_VM
65269 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
65271 - up_read(&mm->mmap_sem);
65277 * this is really a simplified "do_mmap". it only handles
65278 * anonymous maps. eventually we may be able to do some
65279 @@ -1994,6 +2388,7 @@ unsigned long do_brk(unsigned long addr,
65280 struct rb_node ** rb_link, * rb_parent;
65281 pgoff_t pgoff = addr >> PAGE_SHIFT;
65283 + unsigned long charged;
65285 len = PAGE_ALIGN(len);
65287 @@ -2005,16 +2400,30 @@ unsigned long do_brk(unsigned long addr,
65289 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
65291 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
65292 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
65293 + flags &= ~VM_EXEC;
65295 +#ifdef CONFIG_PAX_MPROTECT
65296 + if (mm->pax_flags & MF_PAX_MPROTECT)
65297 + flags &= ~VM_MAYEXEC;
65303 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
65304 if (error & ~PAGE_MASK)
65307 + charged = len >> PAGE_SHIFT;
65310 * mlock MCL_FUTURE?
65312 if (mm->def_flags & VM_LOCKED) {
65313 unsigned long locked, lock_limit;
65314 - locked = len >> PAGE_SHIFT;
65315 + locked = charged;
65316 locked += mm->locked_vm;
65317 lock_limit = current->signal->rlim[RLIMIT_MEMLOCK].rlim_cur;
65318 lock_limit >>= PAGE_SHIFT;
65319 @@ -2031,22 +2440,22 @@ unsigned long do_brk(unsigned long addr,
65321 * Clear old maps. this also does some error checking for us
65324 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
65325 if (vma && vma->vm_start < addr + len) {
65326 if (do_munmap(mm, addr, len))
65328 - goto munmap_back;
65329 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
65330 + BUG_ON(vma && vma->vm_start < addr + len);
65333 /* Check against address space limits *after* clearing old maps... */
65334 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
65335 + if (!may_expand_vm(mm, charged))
65338 if (mm->map_count > sysctl_max_map_count)
65341 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
65342 + if (security_vm_enough_memory(charged))
65345 /* Can we just expand an old private anonymous mapping? */
65346 @@ -2060,7 +2469,7 @@ unsigned long do_brk(unsigned long addr,
65348 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
65350 - vm_unacct_memory(len >> PAGE_SHIFT);
65351 + vm_unacct_memory(charged);
65355 @@ -2072,11 +2481,12 @@ unsigned long do_brk(unsigned long addr,
65356 vma->vm_page_prot = vm_get_page_prot(flags);
65357 vma_link(mm, vma, prev, rb_link, rb_parent);
65359 - mm->total_vm += len >> PAGE_SHIFT;
65360 + mm->total_vm += charged;
65361 if (flags & VM_LOCKED) {
65362 if (!mlock_vma_pages_range(vma, addr, addr + len))
65363 - mm->locked_vm += (len >> PAGE_SHIFT);
65364 + mm->locked_vm += charged;
65366 + track_exec_limit(mm, addr, addr + len, flags);
65370 @@ -2123,8 +2533,10 @@ void exit_mmap(struct mm_struct *mm)
65371 * Walk the list again, actually closing and freeing it,
65372 * with preemption enabled, without holding any MM locks.
65376 + vma->vm_mirror = NULL;
65377 vma = remove_vma(vma);
65380 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
65382 @@ -2138,6 +2550,10 @@ int insert_vm_struct(struct mm_struct *
65383 struct vm_area_struct * __vma, * prev;
65384 struct rb_node ** rb_link, * rb_parent;
65386 +#ifdef CONFIG_PAX_SEGMEXEC
65387 + struct vm_area_struct *vma_m = NULL;
65391 * The vm_pgoff of a purely anonymous vma should be irrelevant
65392 * until its first write fault, when page's anon_vma and index
65393 @@ -2160,7 +2576,22 @@ int insert_vm_struct(struct mm_struct *
65394 if ((vma->vm_flags & VM_ACCOUNT) &&
65395 security_vm_enough_memory_mm(mm, vma_pages(vma)))
65398 +#ifdef CONFIG_PAX_SEGMEXEC
65399 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
65400 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
65406 vma_link(mm, vma, prev, rb_link, rb_parent);
65408 +#ifdef CONFIG_PAX_SEGMEXEC
65410 + pax_mirror_vma(vma_m, vma);
65416 @@ -2178,6 +2609,8 @@ struct vm_area_struct *copy_vma(struct v
65417 struct rb_node **rb_link, *rb_parent;
65418 struct mempolicy *pol;
65420 + BUG_ON(vma->vm_mirror);
65423 * If anonymous vma has not yet been faulted, update new pgoff
65424 * to match new location, to increase its chance of merging.
65425 @@ -2221,6 +2654,35 @@ struct vm_area_struct *copy_vma(struct v
65429 +#ifdef CONFIG_PAX_SEGMEXEC
65430 +void pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
65432 + struct vm_area_struct *prev_m;
65433 + struct rb_node **rb_link_m, *rb_parent_m;
65434 + struct mempolicy *pol_m;
65436 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
65437 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
65438 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
65440 + pol_m = vma_policy(vma_m);
65442 + vma_set_policy(vma_m, pol_m);
65443 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
65444 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
65445 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
65446 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
65447 + if (vma_m->vm_file)
65448 + get_file(vma_m->vm_file);
65449 + if (vma_m->vm_ops && vma_m->vm_ops->open)
65450 + vma_m->vm_ops->open(vma_m);
65451 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
65452 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
65453 + vma_m->vm_mirror = vma;
65454 + vma->vm_mirror = vma_m;
65459 * Return true if the calling process may expand its vm space by the passed
65461 @@ -2231,7 +2693,7 @@ int may_expand_vm(struct mm_struct *mm,
65464 lim = current->signal->rlim[RLIMIT_AS].rlim_cur >> PAGE_SHIFT;
65466 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
65467 if (cur + npages > lim)
65470 @@ -2301,6 +2763,22 @@ int install_special_mapping(struct mm_st
65471 vma->vm_start = addr;
65472 vma->vm_end = addr + len;
65474 +#ifdef CONFIG_PAX_MPROTECT
65475 + if (mm->pax_flags & MF_PAX_MPROTECT) {
65476 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
65477 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
65479 + if (!(vm_flags & VM_EXEC))
65480 + vm_flags &= ~VM_MAYEXEC;
65482 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
65483 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
65486 + vm_flags &= ~VM_MAYWRITE;
65490 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
65491 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
65493 diff -urNp linux-2.6.32.42/mm/mprotect.c linux-2.6.32.42/mm/mprotect.c
65494 --- linux-2.6.32.42/mm/mprotect.c 2011-03-27 14:31:47.000000000 -0400
65495 +++ linux-2.6.32.42/mm/mprotect.c 2011-04-17 15:56:46.000000000 -0400
65496 @@ -24,10 +24,16 @@
65497 #include <linux/mmu_notifier.h>
65498 #include <linux/migrate.h>
65499 #include <linux/perf_event.h>
65501 +#ifdef CONFIG_PAX_MPROTECT
65502 +#include <linux/elf.h>
65505 #include <asm/uaccess.h>
65506 #include <asm/pgtable.h>
65507 #include <asm/cacheflush.h>
65508 #include <asm/tlbflush.h>
65509 +#include <asm/mmu_context.h>
65511 #ifndef pgprot_modify
65512 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
65513 @@ -132,6 +138,48 @@ static void change_protection(struct vm_
65514 flush_tlb_range(vma, start, end);
65517 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
65518 +/* called while holding the mmap semaphor for writing except stack expansion */
65519 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
65521 + unsigned long oldlimit, newlimit = 0UL;
65523 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || nx_enabled)
65526 + spin_lock(&mm->page_table_lock);
65527 + oldlimit = mm->context.user_cs_limit;
65528 + if ((prot & VM_EXEC) && oldlimit < end)
65529 + /* USER_CS limit moved up */
65531 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
65532 + /* USER_CS limit moved down */
65533 + newlimit = start;
65536 + mm->context.user_cs_limit = newlimit;
65540 + cpus_clear(mm->context.cpu_user_cs_mask);
65541 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
65544 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
65546 + spin_unlock(&mm->page_table_lock);
65547 + if (newlimit == end) {
65548 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
65550 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
65551 + if (is_vm_hugetlb_page(vma))
65552 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
65554 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
65560 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
65561 unsigned long start, unsigned long end, unsigned long newflags)
65562 @@ -144,11 +192,29 @@ mprotect_fixup(struct vm_area_struct *vm
65564 int dirty_accountable = 0;
65566 +#ifdef CONFIG_PAX_SEGMEXEC
65567 + struct vm_area_struct *vma_m = NULL;
65568 + unsigned long start_m, end_m;
65570 + start_m = start + SEGMEXEC_TASK_SIZE;
65571 + end_m = end + SEGMEXEC_TASK_SIZE;
65574 if (newflags == oldflags) {
65579 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
65580 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
65582 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
65585 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
65590 * If we make a private mapping writable we increase our commit;
65591 * but (without finer accounting) cannot reduce our commit if we
65592 @@ -165,6 +231,38 @@ mprotect_fixup(struct vm_area_struct *vm
65596 +#ifdef CONFIG_PAX_SEGMEXEC
65597 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
65598 + if (start != vma->vm_start) {
65599 + error = split_vma(mm, vma, start, 1);
65602 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
65603 + *pprev = (*pprev)->vm_next;
65606 + if (end != vma->vm_end) {
65607 + error = split_vma(mm, vma, end, 0);
65612 + if (pax_find_mirror_vma(vma)) {
65613 + error = __do_munmap(mm, start_m, end_m - start_m);
65617 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
65622 + vma->vm_flags = newflags;
65623 + pax_mirror_vma(vma_m, vma);
65629 * First try to merge with previous and/or next vma.
65631 @@ -195,9 +293,21 @@ success:
65632 * vm_flags and vm_page_prot are protected by the mmap_sem
65633 * held in write mode.
65636 +#ifdef CONFIG_PAX_SEGMEXEC
65637 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
65638 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
65641 vma->vm_flags = newflags;
65643 +#ifdef CONFIG_PAX_MPROTECT
65644 + if (mm->binfmt && mm->binfmt->handle_mprotect)
65645 + mm->binfmt->handle_mprotect(vma, newflags);
65648 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
65649 - vm_get_page_prot(newflags));
65650 + vm_get_page_prot(vma->vm_flags));
65652 if (vma_wants_writenotify(vma)) {
65653 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
65654 @@ -239,6 +349,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
65659 +#ifdef CONFIG_PAX_SEGMEXEC
65660 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
65661 + if (end > SEGMEXEC_TASK_SIZE)
65666 + if (end > TASK_SIZE)
65669 if (!arch_validate_prot(prot))
65672 @@ -246,7 +367,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
65674 * Does the application expect PROT_READ to imply PROT_EXEC:
65676 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
65677 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
65680 vm_flags = calc_vm_prot_bits(prot);
65681 @@ -278,6 +399,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
65682 if (start > vma->vm_start)
65685 +#ifdef CONFIG_PAX_MPROTECT
65686 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
65687 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
65690 for (nstart = start ; ; ) {
65691 unsigned long newflags;
65693 @@ -287,6 +413,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
65695 /* newflags >> 4 shift VM_MAY% in place of VM_% */
65696 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
65697 + if (prot & (PROT_WRITE | PROT_EXEC))
65698 + gr_log_rwxmprotect(vma->vm_file);
65704 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
65708 @@ -301,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
65709 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
65713 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
65717 if (nstart < prev->vm_end)
65718 diff -urNp linux-2.6.32.42/mm/mremap.c linux-2.6.32.42/mm/mremap.c
65719 --- linux-2.6.32.42/mm/mremap.c 2011-04-17 17:00:52.000000000 -0400
65720 +++ linux-2.6.32.42/mm/mremap.c 2011-04-17 17:03:58.000000000 -0400
65721 @@ -112,6 +112,12 @@ static void move_ptes(struct vm_area_str
65723 pte = ptep_clear_flush(vma, old_addr, old_pte);
65724 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
65726 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
65727 + if (!nx_enabled && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
65728 + pte = pte_exprotect(pte);
65731 set_pte_at(mm, new_addr, new_pte, pte);
65734 @@ -271,6 +277,11 @@ static struct vm_area_struct *vma_to_res
65735 if (is_vm_hugetlb_page(vma))
65738 +#ifdef CONFIG_PAX_SEGMEXEC
65739 + if (pax_find_mirror_vma(vma))
65743 /* We can't remap across vm area boundaries */
65744 if (old_len > vma->vm_end - addr)
65746 @@ -327,20 +338,25 @@ static unsigned long mremap_to(unsigned
65747 unsigned long ret = -EINVAL;
65748 unsigned long charged = 0;
65749 unsigned long map_flags;
65750 + unsigned long pax_task_size = TASK_SIZE;
65752 if (new_addr & ~PAGE_MASK)
65755 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
65756 +#ifdef CONFIG_PAX_SEGMEXEC
65757 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
65758 + pax_task_size = SEGMEXEC_TASK_SIZE;
65761 + pax_task_size -= PAGE_SIZE;
65763 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
65766 /* Check if the location we're moving into overlaps the
65767 * old location at all, and fail if it does.
65769 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
65772 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
65773 + if (addr + old_len > new_addr && new_addr + new_len > addr)
65776 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
65777 @@ -412,6 +428,7 @@ unsigned long do_mremap(unsigned long ad
65778 struct vm_area_struct *vma;
65779 unsigned long ret = -EINVAL;
65780 unsigned long charged = 0;
65781 + unsigned long pax_task_size = TASK_SIZE;
65783 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
65785 @@ -430,6 +447,17 @@ unsigned long do_mremap(unsigned long ad
65789 +#ifdef CONFIG_PAX_SEGMEXEC
65790 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
65791 + pax_task_size = SEGMEXEC_TASK_SIZE;
65794 + pax_task_size -= PAGE_SIZE;
65796 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
65797 + old_len > pax_task_size || addr > pax_task_size-old_len)
65800 if (flags & MREMAP_FIXED) {
65801 if (flags & MREMAP_MAYMOVE)
65802 ret = mremap_to(addr, old_len, new_addr, new_len);
65803 @@ -476,6 +504,7 @@ unsigned long do_mremap(unsigned long ad
65807 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
65811 @@ -502,7 +531,13 @@ unsigned long do_mremap(unsigned long ad
65812 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
65816 + map_flags = vma->vm_flags;
65817 ret = move_vma(vma, addr, old_len, new_len, new_addr);
65818 + if (!(ret & ~PAGE_MASK)) {
65819 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
65820 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
65824 if (ret & ~PAGE_MASK)
65825 diff -urNp linux-2.6.32.42/mm/nommu.c linux-2.6.32.42/mm/nommu.c
65826 --- linux-2.6.32.42/mm/nommu.c 2011-03-27 14:31:47.000000000 -0400
65827 +++ linux-2.6.32.42/mm/nommu.c 2011-04-17 15:56:46.000000000 -0400
65828 @@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
65829 int sysctl_overcommit_ratio = 50; /* default is 50% */
65830 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
65831 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
65832 -int heap_stack_gap = 0;
65834 atomic_long_t mmap_pages_allocated;
65836 @@ -761,15 +760,6 @@ struct vm_area_struct *find_vma(struct m
65837 EXPORT_SYMBOL(find_vma);
65841 - * - we don't extend stack VMAs under NOMMU conditions
65843 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
65845 - return find_vma(mm, addr);
65849 * expand a stack to a given address
65850 * - not supported under NOMMU conditions
65852 diff -urNp linux-2.6.32.42/mm/page_alloc.c linux-2.6.32.42/mm/page_alloc.c
65853 --- linux-2.6.32.42/mm/page_alloc.c 2011-06-25 12:55:35.000000000 -0400
65854 +++ linux-2.6.32.42/mm/page_alloc.c 2011-06-25 12:56:37.000000000 -0400
65855 @@ -587,6 +587,10 @@ static void __free_pages_ok(struct page
65857 int wasMlocked = __TestClearPageMlocked(page);
65859 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
65860 + unsigned long index = 1UL << order;
65863 kmemcheck_free_shadow(page, order);
65865 for (i = 0 ; i < (1 << order) ; ++i)
65866 @@ -599,6 +603,12 @@ static void __free_pages_ok(struct page
65867 debug_check_no_obj_freed(page_address(page),
65868 PAGE_SIZE << order);
65871 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
65872 + for (; index; --index)
65873 + sanitize_highpage(page + index - 1);
65876 arch_free_page(page, order);
65877 kernel_map_pages(page, 1 << order, 0);
65879 @@ -702,8 +712,10 @@ static int prep_new_page(struct page *pa
65880 arch_alloc_page(page, order);
65881 kernel_map_pages(page, 1 << order, 1);
65883 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
65884 if (gfp_flags & __GFP_ZERO)
65885 prep_zero_page(page, order, gfp_flags);
65888 if (order && (gfp_flags & __GFP_COMP))
65889 prep_compound_page(page, order);
65890 @@ -1097,6 +1109,11 @@ static void free_hot_cold_page(struct pa
65891 debug_check_no_locks_freed(page_address(page), PAGE_SIZE);
65892 debug_check_no_obj_freed(page_address(page), PAGE_SIZE);
65895 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
65896 + sanitize_highpage(page);
65899 arch_free_page(page, 0);
65900 kernel_map_pages(page, 1, 0);
65902 @@ -2179,6 +2196,8 @@ void show_free_areas(void)
65906 + pax_track_stack();
65908 for_each_populated_zone(zone) {
65910 printk("%s per-cpu:\n", zone->name);
65911 @@ -3736,7 +3755,7 @@ static void __init setup_usemap(struct p
65912 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
65915 -static void inline setup_usemap(struct pglist_data *pgdat,
65916 +static inline void setup_usemap(struct pglist_data *pgdat,
65917 struct zone *zone, unsigned long zonesize) {}
65918 #endif /* CONFIG_SPARSEMEM */
65920 diff -urNp linux-2.6.32.42/mm/percpu.c linux-2.6.32.42/mm/percpu.c
65921 --- linux-2.6.32.42/mm/percpu.c 2011-03-27 14:31:47.000000000 -0400
65922 +++ linux-2.6.32.42/mm/percpu.c 2011-04-17 15:56:46.000000000 -0400
65923 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
65924 static unsigned int pcpu_last_unit_cpu __read_mostly;
65926 /* the address of the first chunk which starts with the kernel static area */
65927 -void *pcpu_base_addr __read_mostly;
65928 +void *pcpu_base_addr __read_only;
65929 EXPORT_SYMBOL_GPL(pcpu_base_addr);
65931 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
65932 diff -urNp linux-2.6.32.42/mm/rmap.c linux-2.6.32.42/mm/rmap.c
65933 --- linux-2.6.32.42/mm/rmap.c 2011-03-27 14:31:47.000000000 -0400
65934 +++ linux-2.6.32.42/mm/rmap.c 2011-04-17 15:56:46.000000000 -0400
65935 @@ -121,6 +121,17 @@ int anon_vma_prepare(struct vm_area_stru
65936 /* page_table_lock to protect against threads */
65937 spin_lock(&mm->page_table_lock);
65938 if (likely(!vma->anon_vma)) {
65940 +#ifdef CONFIG_PAX_SEGMEXEC
65941 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
65944 + BUG_ON(vma_m->anon_vma);
65945 + vma_m->anon_vma = anon_vma;
65946 + list_add_tail(&vma_m->anon_vma_node, &anon_vma->head);
65950 vma->anon_vma = anon_vma;
65951 list_add_tail(&vma->anon_vma_node, &anon_vma->head);
65953 diff -urNp linux-2.6.32.42/mm/shmem.c linux-2.6.32.42/mm/shmem.c
65954 --- linux-2.6.32.42/mm/shmem.c 2011-03-27 14:31:47.000000000 -0400
65955 +++ linux-2.6.32.42/mm/shmem.c 2011-05-18 20:09:37.000000000 -0400
65957 #include <linux/swap.h>
65958 #include <linux/ima.h>
65960 -static struct vfsmount *shm_mnt;
65961 +struct vfsmount *shm_mnt;
65963 #ifdef CONFIG_SHMEM
65965 @@ -1061,6 +1061,8 @@ static int shmem_writepage(struct page *
65968 entry = shmem_swp_entry(info, index, NULL);
65973 * The more uptodate page coming down from a stacked
65974 @@ -1144,6 +1146,8 @@ static struct page *shmem_swapin(swp_ent
65975 struct vm_area_struct pvma;
65978 + pax_track_stack();
65980 spol = mpol_cond_copy(&mpol,
65981 mpol_shared_policy_lookup(&info->policy, idx));
65983 @@ -1962,7 +1966,7 @@ static int shmem_symlink(struct inode *d
65985 info = SHMEM_I(inode);
65986 inode->i_size = len-1;
65987 - if (len <= (char *)inode - (char *)info) {
65988 + if (len <= (char *)inode - (char *)info && len <= 64) {
65990 memcpy(info, symname, len);
65991 inode->i_op = &shmem_symlink_inline_operations;
65992 @@ -2310,8 +2314,7 @@ int shmem_fill_super(struct super_block
65995 /* Round up to L1_CACHE_BYTES to resist false sharing */
65996 - sbinfo = kzalloc(max((int)sizeof(struct shmem_sb_info),
65997 - L1_CACHE_BYTES), GFP_KERNEL);
65998 + sbinfo = kzalloc(max(sizeof(struct shmem_sb_info), L1_CACHE_BYTES), GFP_KERNEL);
66002 diff -urNp linux-2.6.32.42/mm/slab.c linux-2.6.32.42/mm/slab.c
66003 --- linux-2.6.32.42/mm/slab.c 2011-03-27 14:31:47.000000000 -0400
66004 +++ linux-2.6.32.42/mm/slab.c 2011-05-04 17:56:20.000000000 -0400
66005 @@ -174,7 +174,7 @@
66007 /* Legal flag mask for kmem_cache_create(). */
66009 -# define CREATE_MASK (SLAB_RED_ZONE | \
66010 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_RED_ZONE | \
66011 SLAB_POISON | SLAB_HWCACHE_ALIGN | \
66013 SLAB_STORE_USER | \
66014 @@ -182,7 +182,7 @@
66015 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
66016 SLAB_DEBUG_OBJECTS | SLAB_NOLEAKTRACE | SLAB_NOTRACK)
66018 -# define CREATE_MASK (SLAB_HWCACHE_ALIGN | \
66019 +# define CREATE_MASK (SLAB_USERCOPY | SLAB_HWCACHE_ALIGN | \
66021 SLAB_RECLAIM_ACCOUNT | SLAB_PANIC | \
66022 SLAB_DESTROY_BY_RCU | SLAB_MEM_SPREAD | \
66023 @@ -308,7 +308,7 @@ struct kmem_list3 {
66024 * Need this for bootstrapping a per node allocator.
66026 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
66027 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
66028 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
66029 #define CACHE_CACHE 0
66030 #define SIZE_AC MAX_NUMNODES
66031 #define SIZE_L3 (2 * MAX_NUMNODES)
66032 @@ -409,10 +409,10 @@ static void kmem_list3_init(struct kmem_
66033 if ((x)->max_freeable < i) \
66034 (x)->max_freeable = i; \
66036 -#define STATS_INC_ALLOCHIT(x) atomic_inc(&(x)->allochit)
66037 -#define STATS_INC_ALLOCMISS(x) atomic_inc(&(x)->allocmiss)
66038 -#define STATS_INC_FREEHIT(x) atomic_inc(&(x)->freehit)
66039 -#define STATS_INC_FREEMISS(x) atomic_inc(&(x)->freemiss)
66040 +#define STATS_INC_ALLOCHIT(x) atomic_inc_unchecked(&(x)->allochit)
66041 +#define STATS_INC_ALLOCMISS(x) atomic_inc_unchecked(&(x)->allocmiss)
66042 +#define STATS_INC_FREEHIT(x) atomic_inc_unchecked(&(x)->freehit)
66043 +#define STATS_INC_FREEMISS(x) atomic_inc_unchecked(&(x)->freemiss)
66045 #define STATS_INC_ACTIVE(x) do { } while (0)
66046 #define STATS_DEC_ACTIVE(x) do { } while (0)
66047 @@ -558,7 +558,7 @@ static inline void *index_to_obj(struct
66048 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
66050 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
66051 - const struct slab *slab, void *obj)
66052 + const struct slab *slab, const void *obj)
66054 u32 offset = (obj - slab->s_mem);
66055 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
66056 @@ -1453,7 +1453,7 @@ void __init kmem_cache_init(void)
66057 sizes[INDEX_AC].cs_cachep = kmem_cache_create(names[INDEX_AC].name,
66058 sizes[INDEX_AC].cs_size,
66059 ARCH_KMALLOC_MINALIGN,
66060 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
66061 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
66064 if (INDEX_AC != INDEX_L3) {
66065 @@ -1461,7 +1461,7 @@ void __init kmem_cache_init(void)
66066 kmem_cache_create(names[INDEX_L3].name,
66067 sizes[INDEX_L3].cs_size,
66068 ARCH_KMALLOC_MINALIGN,
66069 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
66070 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
66074 @@ -1479,7 +1479,7 @@ void __init kmem_cache_init(void)
66075 sizes->cs_cachep = kmem_cache_create(names->name,
66077 ARCH_KMALLOC_MINALIGN,
66078 - ARCH_KMALLOC_FLAGS|SLAB_PANIC,
66079 + ARCH_KMALLOC_FLAGS|SLAB_PANIC|SLAB_USERCOPY,
66082 #ifdef CONFIG_ZONE_DMA
66083 @@ -4211,10 +4211,10 @@ static int s_show(struct seq_file *m, vo
66087 - unsigned long allochit = atomic_read(&cachep->allochit);
66088 - unsigned long allocmiss = atomic_read(&cachep->allocmiss);
66089 - unsigned long freehit = atomic_read(&cachep->freehit);
66090 - unsigned long freemiss = atomic_read(&cachep->freemiss);
66091 + unsigned long allochit = atomic_read_unchecked(&cachep->allochit);
66092 + unsigned long allocmiss = atomic_read_unchecked(&cachep->allocmiss);
66093 + unsigned long freehit = atomic_read_unchecked(&cachep->freehit);
66094 + unsigned long freemiss = atomic_read_unchecked(&cachep->freemiss);
66096 seq_printf(m, " : cpustat %6lu %6lu %6lu %6lu",
66097 allochit, allocmiss, freehit, freemiss);
66098 @@ -4471,15 +4471,66 @@ static const struct file_operations proc
66100 static int __init slab_proc_init(void)
66102 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
66103 + mode_t gr_mode = S_IRUGO;
66105 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
66106 + gr_mode = S_IRUSR;
66109 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
66110 #ifdef CONFIG_DEBUG_SLAB_LEAK
66111 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
66112 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
66116 module_init(slab_proc_init);
66119 +void check_object_size(const void *ptr, unsigned long n, bool to)
66122 +#ifdef CONFIG_PAX_USERCOPY
66123 + struct page *page;
66124 + struct kmem_cache *cachep = NULL;
66125 + struct slab *slabp;
66126 + unsigned int objnr;
66127 + unsigned long offset;
66132 + if (ZERO_OR_NULL_PTR(ptr))
66135 + if (!virt_addr_valid(ptr))
66138 + page = virt_to_head_page(ptr);
66140 + if (!PageSlab(page)) {
66141 + if (object_is_on_stack(ptr, n) == -1)
66146 + cachep = page_get_cache(page);
66147 + if (!(cachep->flags & SLAB_USERCOPY))
66150 + slabp = page_get_slab(page);
66151 + objnr = obj_to_index(cachep, slabp, ptr);
66152 + BUG_ON(objnr >= cachep->num);
66153 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
66154 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
66158 + pax_report_usercopy(ptr, n, to, cachep ? cachep->name : NULL);
66162 +EXPORT_SYMBOL(check_object_size);
66165 * ksize - get the actual amount of memory allocated for a given object
66166 * @objp: Pointer to the object
66167 diff -urNp linux-2.6.32.42/mm/slob.c linux-2.6.32.42/mm/slob.c
66168 --- linux-2.6.32.42/mm/slob.c 2011-03-27 14:31:47.000000000 -0400
66169 +++ linux-2.6.32.42/mm/slob.c 2011-04-17 15:56:46.000000000 -0400
66171 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
66172 * alloc_pages() directly, allocating compound pages so the page order
66173 * does not have to be separately tracked, and also stores the exact
66174 - * allocation size in page->private so that it can be used to accurately
66175 + * allocation size in slob_page->size so that it can be used to accurately
66176 * provide ksize(). These objects are detected in kfree() because slob_page()
66177 * is false for them.
66182 #include <linux/kernel.h>
66183 +#include <linux/sched.h>
66184 #include <linux/slab.h>
66185 #include <linux/mm.h>
66186 #include <linux/swap.h> /* struct reclaim_state */
66187 @@ -100,7 +101,8 @@ struct slob_page {
66188 unsigned long flags; /* mandatory */
66189 atomic_t _count; /* mandatory */
66190 slobidx_t units; /* free units left in page */
66191 - unsigned long pad[2];
66192 + unsigned long pad[1];
66193 + unsigned long size; /* size when >=PAGE_SIZE */
66194 slob_t *free; /* first free slob_t in page */
66195 struct list_head list; /* linked list of free pages */
66197 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
66199 static inline int is_slob_page(struct slob_page *sp)
66201 - return PageSlab((struct page *)sp);
66202 + return PageSlab((struct page *)sp) && !sp->size;
66205 static inline void set_slob_page(struct slob_page *sp)
66206 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
66208 static inline struct slob_page *slob_page(const void *addr)
66210 - return (struct slob_page *)virt_to_page(addr);
66211 + return (struct slob_page *)virt_to_head_page(addr);
66215 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
66217 * Return the size of a slob block.
66219 -static slobidx_t slob_units(slob_t *s)
66220 +static slobidx_t slob_units(const slob_t *s)
66224 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
66226 * Return the next free slob block pointer after this one.
66228 -static slob_t *slob_next(slob_t *s)
66229 +static slob_t *slob_next(const slob_t *s)
66231 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
66233 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
66235 * Returns true if s is the last free block in its page.
66237 -static int slob_last(slob_t *s)
66238 +static int slob_last(const slob_t *s)
66240 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
66242 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
66246 + set_slob_page(page);
66247 return page_address(page);
66250 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
66254 - set_slob_page(sp);
66256 spin_lock_irqsave(&slob_lock, flags);
66257 sp->units = SLOB_UNITS(PAGE_SIZE);
66260 INIT_LIST_HEAD(&sp->list);
66261 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
66262 set_slob_page_free(sp, slob_list);
66263 @@ -475,10 +478,9 @@ out:
66264 #define ARCH_SLAB_MINALIGN __alignof__(unsigned long)
66267 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
66268 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
66271 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
66275 lockdep_trace_alloc(gfp);
66276 @@ -491,7 +493,10 @@ void *__kmalloc_node(size_t size, gfp_t
66281 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
66282 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
66283 + m[0].units = size;
66284 + m[1].units = align;
66285 ret = (void *)m + align;
66287 trace_kmalloc_node(_RET_IP_, ret,
66288 @@ -501,9 +506,9 @@ void *__kmalloc_node(size_t size, gfp_t
66290 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
66292 - struct page *page;
66293 - page = virt_to_page(ret);
66294 - page->private = size;
66295 + struct slob_page *sp;
66296 + sp = slob_page(ret);
66300 trace_kmalloc_node(_RET_IP_, ret,
66301 @@ -513,6 +518,13 @@ void *__kmalloc_node(size_t size, gfp_t
66302 kmemleak_alloc(ret, size, 1, gfp);
66306 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
66308 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
66310 + return __kmalloc_node_align(size, gfp, node, align);
66312 EXPORT_SYMBOL(__kmalloc_node);
66314 void kfree(const void *block)
66315 @@ -528,13 +540,81 @@ void kfree(const void *block)
66316 sp = slob_page(block);
66317 if (is_slob_page(sp)) {
66318 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
66319 - unsigned int *m = (unsigned int *)(block - align);
66320 - slob_free(m, *m + align);
66322 + slob_t *m = (slob_t *)(block - align);
66323 + slob_free(m, m[0].units + align);
66325 + clear_slob_page(sp);
66326 + free_slob_page(sp);
66328 put_page(&sp->page);
66331 EXPORT_SYMBOL(kfree);
66333 +void check_object_size(const void *ptr, unsigned long n, bool to)
66336 +#ifdef CONFIG_PAX_USERCOPY
66337 + struct slob_page *sp;
66338 + const slob_t *free;
66339 + const void *base;
66344 + if (ZERO_OR_NULL_PTR(ptr))
66347 + if (!virt_addr_valid(ptr))
66350 + sp = slob_page(ptr);
66351 + if (!PageSlab((struct page*)sp)) {
66352 + if (object_is_on_stack(ptr, n) == -1)
66358 + base = page_address(&sp->page);
66359 + if (base <= ptr && n <= sp->size - (ptr - base))
66364 + /* some tricky double walking to find the chunk */
66365 + base = (void *)((unsigned long)ptr & PAGE_MASK);
66368 + while (!slob_last(free) && (void *)free <= ptr) {
66369 + base = free + slob_units(free);
66370 + free = slob_next(free);
66373 + while (base < (void *)free) {
66374 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
66375 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
66378 + if (ptr < base + align)
66381 + offset = ptr - base - align;
66382 + if (offset < m) {
66383 + if (n <= m - offset)
66391 + pax_report_usercopy(ptr, n, to, NULL);
66395 +EXPORT_SYMBOL(check_object_size);
66397 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
66398 size_t ksize(const void *block)
66400 @@ -547,10 +627,10 @@ size_t ksize(const void *block)
66401 sp = slob_page(block);
66402 if (is_slob_page(sp)) {
66403 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
66404 - unsigned int *m = (unsigned int *)(block - align);
66405 - return SLOB_UNITS(*m) * SLOB_UNIT;
66406 + slob_t *m = (slob_t *)(block - align);
66407 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
66409 - return sp->page.private;
66412 EXPORT_SYMBOL(ksize);
66414 @@ -605,17 +685,25 @@ void *kmem_cache_alloc_node(struct kmem_
66418 +#ifdef CONFIG_PAX_USERCOPY
66419 + b = __kmalloc_node_align(c->size, flags, node, c->align);
66421 if (c->size < PAGE_SIZE) {
66422 b = slob_alloc(c->size, flags, c->align, node);
66423 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
66424 SLOB_UNITS(c->size) * SLOB_UNIT,
66427 + struct slob_page *sp;
66429 b = slob_new_pages(flags, get_order(c->size), node);
66430 + sp = slob_page(b);
66431 + sp->size = c->size;
66432 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
66433 PAGE_SIZE << get_order(c->size),
66440 @@ -627,10 +715,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
66442 static void __kmem_cache_free(void *b, int size)
66444 - if (size < PAGE_SIZE)
66445 + struct slob_page *sp = slob_page(b);
66447 + if (is_slob_page(sp))
66448 slob_free(b, size);
66451 + clear_slob_page(sp);
66452 + free_slob_page(sp);
66454 slob_free_pages(b, get_order(size));
66458 static void kmem_rcu_free(struct rcu_head *head)
66459 @@ -643,15 +737,24 @@ static void kmem_rcu_free(struct rcu_hea
66461 void kmem_cache_free(struct kmem_cache *c, void *b)
66463 + int size = c->size;
66465 +#ifdef CONFIG_PAX_USERCOPY
66466 + if (size + c->align < PAGE_SIZE) {
66467 + size += c->align;
66472 kmemleak_free_recursive(b, c->flags);
66473 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
66474 struct slob_rcu *slob_rcu;
66475 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
66476 + slob_rcu = b + (size - sizeof(struct slob_rcu));
66477 INIT_RCU_HEAD(&slob_rcu->head);
66478 - slob_rcu->size = c->size;
66479 + slob_rcu->size = size;
66480 call_rcu(&slob_rcu->head, kmem_rcu_free);
66482 - __kmem_cache_free(b, c->size);
66483 + __kmem_cache_free(b, size);
66486 trace_kmem_cache_free(_RET_IP_, b);
66487 diff -urNp linux-2.6.32.42/mm/slub.c linux-2.6.32.42/mm/slub.c
66488 --- linux-2.6.32.42/mm/slub.c 2011-03-27 14:31:47.000000000 -0400
66489 +++ linux-2.6.32.42/mm/slub.c 2011-04-17 15:56:46.000000000 -0400
66490 @@ -410,7 +410,7 @@ static void print_track(const char *s, s
66494 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
66495 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
66496 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
66499 @@ -1893,6 +1893,8 @@ void kmem_cache_free(struct kmem_cache *
66501 page = virt_to_head_page(x);
66503 + BUG_ON(!PageSlab(page));
66505 slab_free(s, page, x, _RET_IP_);
66507 trace_kmem_cache_free(_RET_IP_, x);
66508 @@ -1937,7 +1939,7 @@ static int slub_min_objects;
66509 * Merge control. If this is set then no merging of slab caches will occur.
66510 * (Could be removed. This was introduced to pacify the merge skeptics.)
66512 -static int slub_nomerge;
66513 +static int slub_nomerge = 1;
66516 * Calculate the order of allocation given an slab object size.
66517 @@ -2493,7 +2495,7 @@ static int kmem_cache_open(struct kmem_c
66518 * list to avoid pounding the page allocator excessively.
66520 set_min_partial(s, ilog2(s->size));
66522 + atomic_set(&s->refcount, 1);
66524 s->remote_node_defrag_ratio = 1000;
66526 @@ -2630,8 +2632,7 @@ static inline int kmem_cache_close(struc
66527 void kmem_cache_destroy(struct kmem_cache *s)
66529 down_write(&slub_lock);
66531 - if (!s->refcount) {
66532 + if (atomic_dec_and_test(&s->refcount)) {
66533 list_del(&s->list);
66534 up_write(&slub_lock);
66535 if (kmem_cache_close(s)) {
66536 @@ -2691,12 +2692,10 @@ static int __init setup_slub_nomerge(cha
66537 __setup("slub_nomerge", setup_slub_nomerge);
66539 static struct kmem_cache *create_kmalloc_cache(struct kmem_cache *s,
66540 - const char *name, int size, gfp_t gfp_flags)
66541 + const char *name, int size, gfp_t gfp_flags, unsigned int flags)
66543 - unsigned int flags = 0;
66545 if (gfp_flags & SLUB_DMA)
66546 - flags = SLAB_CACHE_DMA;
66547 + flags |= SLAB_CACHE_DMA;
66550 * This function is called with IRQs disabled during early-boot on
66551 @@ -2915,6 +2914,46 @@ void *__kmalloc_node(size_t size, gfp_t
66552 EXPORT_SYMBOL(__kmalloc_node);
66555 +void check_object_size(const void *ptr, unsigned long n, bool to)
66558 +#ifdef CONFIG_PAX_USERCOPY
66559 + struct page *page;
66560 + struct kmem_cache *s = NULL;
66561 + unsigned long offset;
66566 + if (ZERO_OR_NULL_PTR(ptr))
66569 + if (!virt_addr_valid(ptr))
66572 + page = get_object_page(ptr);
66575 + if (object_is_on_stack(ptr, n) == -1)
66581 + if (!(s->flags & SLAB_USERCOPY))
66584 + offset = (ptr - page_address(page)) % s->size;
66585 + if (offset <= s->objsize && n <= s->objsize - offset)
66589 + pax_report_usercopy(ptr, n, to, s ? s->name : NULL);
66593 +EXPORT_SYMBOL(check_object_size);
66595 size_t ksize(const void *object)
66598 @@ -3185,8 +3224,8 @@ void __init kmem_cache_init(void)
66599 * kmem_cache_open for slab_state == DOWN.
66601 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
66602 - sizeof(struct kmem_cache_node), GFP_NOWAIT);
66603 - kmalloc_caches[0].refcount = -1;
66604 + sizeof(struct kmem_cache_node), GFP_NOWAIT, 0);
66605 + atomic_set(&kmalloc_caches[0].refcount, -1);
66608 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
66609 @@ -3198,18 +3237,18 @@ void __init kmem_cache_init(void)
66610 /* Caches that are not of the two-to-the-power-of size */
66611 if (KMALLOC_MIN_SIZE <= 32) {
66612 create_kmalloc_cache(&kmalloc_caches[1],
66613 - "kmalloc-96", 96, GFP_NOWAIT);
66614 + "kmalloc-96", 96, GFP_NOWAIT, SLAB_USERCOPY);
66617 if (KMALLOC_MIN_SIZE <= 64) {
66618 create_kmalloc_cache(&kmalloc_caches[2],
66619 - "kmalloc-192", 192, GFP_NOWAIT);
66620 + "kmalloc-192", 192, GFP_NOWAIT, SLAB_USERCOPY);
66624 for (i = KMALLOC_SHIFT_LOW; i < SLUB_PAGE_SHIFT; i++) {
66625 create_kmalloc_cache(&kmalloc_caches[i],
66626 - "kmalloc", 1 << i, GFP_NOWAIT);
66627 + "kmalloc", 1 << i, GFP_NOWAIT, SLAB_USERCOPY);
66631 @@ -3293,7 +3332,7 @@ static int slab_unmergeable(struct kmem_
66633 * We may have set a slab to be unmergeable during bootstrap.
66635 - if (s->refcount < 0)
66636 + if (atomic_read(&s->refcount) < 0)
66640 @@ -3353,7 +3392,7 @@ struct kmem_cache *kmem_cache_create(con
66645 + atomic_inc(&s->refcount);
66647 * Adjust the object sizes so that we clear
66648 * the complete object on kzalloc.
66649 @@ -3372,7 +3411,7 @@ struct kmem_cache *kmem_cache_create(con
66651 if (sysfs_slab_alias(s, name)) {
66652 down_write(&slub_lock);
66654 + atomic_dec(&s->refcount);
66655 up_write(&slub_lock);
66658 @@ -4101,7 +4140,7 @@ SLAB_ATTR_RO(ctor);
66660 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
66662 - return sprintf(buf, "%d\n", s->refcount - 1);
66663 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
66665 SLAB_ATTR_RO(aliases);
66667 @@ -4503,7 +4542,7 @@ static void kmem_cache_release(struct ko
66671 -static struct sysfs_ops slab_sysfs_ops = {
66672 +static const struct sysfs_ops slab_sysfs_ops = {
66673 .show = slab_attr_show,
66674 .store = slab_attr_store,
66676 @@ -4522,7 +4561,7 @@ static int uevent_filter(struct kset *ks
66680 -static struct kset_uevent_ops slab_uevent_ops = {
66681 +static const struct kset_uevent_ops slab_uevent_ops = {
66682 .filter = uevent_filter,
66685 @@ -4785,7 +4824,13 @@ static const struct file_operations proc
66687 static int __init slab_proc_init(void)
66689 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
66690 + mode_t gr_mode = S_IRUGO;
66692 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
66693 + gr_mode = S_IRUSR;
66696 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
66699 module_init(slab_proc_init);
66700 diff -urNp linux-2.6.32.42/mm/util.c linux-2.6.32.42/mm/util.c
66701 --- linux-2.6.32.42/mm/util.c 2011-03-27 14:31:47.000000000 -0400
66702 +++ linux-2.6.32.42/mm/util.c 2011-04-17 15:56:46.000000000 -0400
66703 @@ -228,6 +228,12 @@ EXPORT_SYMBOL(strndup_user);
66704 void arch_pick_mmap_layout(struct mm_struct *mm)
66706 mm->mmap_base = TASK_UNMAPPED_BASE;
66708 +#ifdef CONFIG_PAX_RANDMMAP
66709 + if (mm->pax_flags & MF_PAX_RANDMMAP)
66710 + mm->mmap_base += mm->delta_mmap;
66713 mm->get_unmapped_area = arch_get_unmapped_area;
66714 mm->unmap_area = arch_unmap_area;
66716 diff -urNp linux-2.6.32.42/mm/vmalloc.c linux-2.6.32.42/mm/vmalloc.c
66717 --- linux-2.6.32.42/mm/vmalloc.c 2011-03-27 14:31:47.000000000 -0400
66718 +++ linux-2.6.32.42/mm/vmalloc.c 2011-04-17 15:56:46.000000000 -0400
66719 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
66721 pte = pte_offset_kernel(pmd, addr);
66723 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
66724 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
66726 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
66727 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
66728 + BUG_ON(!pte_exec(*pte));
66729 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
66735 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
66736 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
66738 } while (pte++, addr += PAGE_SIZE, addr != end);
66741 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
66742 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
66745 + int ret = -ENOMEM;
66748 * nr is a running index into the array which helps higher level
66749 @@ -101,17 +113,32 @@ static int vmap_pte_range(pmd_t *pmd, un
66750 pte = pte_alloc_kernel(pmd, addr);
66754 + pax_open_kernel();
66756 struct page *page = pages[*nr];
66758 - if (WARN_ON(!pte_none(*pte)))
66760 - if (WARN_ON(!page))
66762 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
66763 + if (!(pgprot_val(prot) & _PAGE_NX))
66764 + BUG_ON(!pte_exec(*pte) || pte_pfn(*pte) != __pa(addr) >> PAGE_SHIFT);
66768 + if (WARN_ON(!pte_none(*pte))) {
66772 + if (WARN_ON(!page)) {
66776 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
66778 } while (pte++, addr += PAGE_SIZE, addr != end);
66782 + pax_close_kernel();
66786 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
66787 @@ -192,11 +219,20 @@ int is_vmalloc_or_module_addr(const void
66788 * and fall back on vmalloc() if that fails. Others
66789 * just put it in the vmalloc space.
66791 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
66792 +#ifdef CONFIG_MODULES
66793 +#ifdef MODULES_VADDR
66794 unsigned long addr = (unsigned long)x;
66795 if (addr >= MODULES_VADDR && addr < MODULES_END)
66799 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
66800 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
66806 return is_vmalloc_addr(x);
66809 @@ -217,8 +253,14 @@ struct page *vmalloc_to_page(const void
66811 if (!pgd_none(*pgd)) {
66812 pud_t *pud = pud_offset(pgd, addr);
66814 + if (!pud_large(*pud))
66816 if (!pud_none(*pud)) {
66817 pmd_t *pmd = pmd_offset(pud, addr);
66819 + if (!pmd_large(*pmd))
66821 if (!pmd_none(*pmd)) {
66824 @@ -292,13 +334,13 @@ static void __insert_vmap_area(struct vm
66825 struct rb_node *tmp;
66828 - struct vmap_area *tmp;
66829 + struct vmap_area *varea;
66832 - tmp = rb_entry(parent, struct vmap_area, rb_node);
66833 - if (va->va_start < tmp->va_end)
66834 + varea = rb_entry(parent, struct vmap_area, rb_node);
66835 + if (va->va_start < varea->va_end)
66836 p = &(*p)->rb_left;
66837 - else if (va->va_end > tmp->va_start)
66838 + else if (va->va_end > varea->va_start)
66839 p = &(*p)->rb_right;
66842 @@ -1232,6 +1274,16 @@ static struct vm_struct *__get_vm_area_n
66843 struct vm_struct *area;
66845 BUG_ON(in_interrupt());
66847 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
66848 + if (flags & VM_KERNEXEC) {
66849 + if (start != VMALLOC_START || end != VMALLOC_END)
66851 + start = (unsigned long)MODULES_EXEC_VADDR;
66852 + end = (unsigned long)MODULES_EXEC_END;
66856 if (flags & VM_IOREMAP) {
66857 int bit = fls(size);
66859 @@ -1457,6 +1509,11 @@ void *vmap(struct page **pages, unsigned
66860 if (count > totalram_pages)
66863 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
66864 + if (!(pgprot_val(prot) & _PAGE_NX))
66865 + flags |= VM_KERNEXEC;
66868 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
66869 __builtin_return_address(0));
66871 @@ -1567,6 +1624,13 @@ static void *__vmalloc_node(unsigned lon
66872 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
66875 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
66876 + if (!(pgprot_val(prot) & _PAGE_NX))
66877 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
66878 + node, gfp_mask, caller);
66882 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
66883 VMALLOC_END, node, gfp_mask, caller);
66885 @@ -1585,6 +1649,7 @@ static void *__vmalloc_node(unsigned lon
66890 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
66892 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
66893 @@ -1601,6 +1666,7 @@ EXPORT_SYMBOL(__vmalloc);
66894 * For tight control over page level allocator and protection flags
66895 * use __vmalloc() instead.
66898 void *vmalloc(unsigned long size)
66900 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
66901 @@ -1615,6 +1681,7 @@ EXPORT_SYMBOL(vmalloc);
66902 * The resulting memory area is zeroed so it can be mapped to userspace
66903 * without leaking data.
66905 +#undef vmalloc_user
66906 void *vmalloc_user(unsigned long size)
66908 struct vm_struct *area;
66909 @@ -1642,6 +1709,7 @@ EXPORT_SYMBOL(vmalloc_user);
66910 * For tight control over page level allocator and protection flags
66911 * use __vmalloc() instead.
66913 +#undef vmalloc_node
66914 void *vmalloc_node(unsigned long size, int node)
66916 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
66917 @@ -1664,10 +1732,10 @@ EXPORT_SYMBOL(vmalloc_node);
66918 * For tight control over page level allocator and protection flags
66919 * use __vmalloc() instead.
66922 +#undef vmalloc_exec
66923 void *vmalloc_exec(unsigned long size)
66925 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
66926 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
66927 -1, __builtin_return_address(0));
66930 @@ -1686,6 +1754,7 @@ void *vmalloc_exec(unsigned long size)
66931 * Allocate enough 32bit PA addressable pages to cover @size from the
66932 * page level allocator and map them into contiguous kernel virtual space.
66935 void *vmalloc_32(unsigned long size)
66937 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
66938 @@ -1700,6 +1769,7 @@ EXPORT_SYMBOL(vmalloc_32);
66939 * The resulting memory area is 32bit addressable and zeroed so it can be
66940 * mapped to userspace without leaking data.
66942 +#undef vmalloc_32_user
66943 void *vmalloc_32_user(unsigned long size)
66945 struct vm_struct *area;
66946 @@ -1964,6 +2034,8 @@ int remap_vmalloc_range(struct vm_area_s
66947 unsigned long uaddr = vma->vm_start;
66948 unsigned long usize = vma->vm_end - vma->vm_start;
66950 + BUG_ON(vma->vm_mirror);
66952 if ((PAGE_SIZE-1) & (unsigned long)addr)
66955 diff -urNp linux-2.6.32.42/mm/vmstat.c linux-2.6.32.42/mm/vmstat.c
66956 --- linux-2.6.32.42/mm/vmstat.c 2011-03-27 14:31:47.000000000 -0400
66957 +++ linux-2.6.32.42/mm/vmstat.c 2011-04-17 15:56:46.000000000 -0400
66958 @@ -74,7 +74,7 @@ void vm_events_fold_cpu(int cpu)
66960 * vm_stat contains the global counters
66962 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
66963 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
66964 EXPORT_SYMBOL(vm_stat);
66967 @@ -324,7 +324,7 @@ void refresh_cpu_vm_stats(int cpu)
66968 v = p->vm_stat_diff[i];
66969 p->vm_stat_diff[i] = 0;
66970 local_irq_restore(flags);
66971 - atomic_long_add(v, &zone->vm_stat[i]);
66972 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
66973 global_diff[i] += v;
66975 /* 3 seconds idle till flush */
66976 @@ -362,7 +362,7 @@ void refresh_cpu_vm_stats(int cpu)
66978 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
66979 if (global_diff[i])
66980 - atomic_long_add(global_diff[i], &vm_stat[i]);
66981 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
66985 @@ -953,10 +953,20 @@ static int __init setup_vmstat(void)
66986 start_cpu_timer(cpu);
66988 #ifdef CONFIG_PROC_FS
66989 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
66990 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
66991 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
66992 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
66994 + mode_t gr_mode = S_IRUGO;
66995 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
66996 + gr_mode = S_IRUSR;
66998 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
66999 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
67000 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
67001 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
67003 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
67005 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
67010 diff -urNp linux-2.6.32.42/net/8021q/vlan.c linux-2.6.32.42/net/8021q/vlan.c
67011 --- linux-2.6.32.42/net/8021q/vlan.c 2011-03-27 14:31:47.000000000 -0400
67012 +++ linux-2.6.32.42/net/8021q/vlan.c 2011-04-17 15:56:46.000000000 -0400
67013 @@ -622,8 +622,7 @@ static int vlan_ioctl_handler(struct net
67015 if (!capable(CAP_NET_ADMIN))
67017 - if ((args.u.name_type >= 0) &&
67018 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
67019 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
67020 struct vlan_net *vn;
67022 vn = net_generic(net, vlan_net_id);
67023 diff -urNp linux-2.6.32.42/net/atm/atm_misc.c linux-2.6.32.42/net/atm/atm_misc.c
67024 --- linux-2.6.32.42/net/atm/atm_misc.c 2011-03-27 14:31:47.000000000 -0400
67025 +++ linux-2.6.32.42/net/atm/atm_misc.c 2011-04-17 15:56:46.000000000 -0400
67026 @@ -19,7 +19,7 @@ int atm_charge(struct atm_vcc *vcc,int t
67027 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
67029 atm_return(vcc,truesize);
67030 - atomic_inc(&vcc->stats->rx_drop);
67031 + atomic_inc_unchecked(&vcc->stats->rx_drop);
67035 @@ -41,7 +41,7 @@ struct sk_buff *atm_alloc_charge(struct
67038 atm_return(vcc,guess);
67039 - atomic_inc(&vcc->stats->rx_drop);
67040 + atomic_inc_unchecked(&vcc->stats->rx_drop);
67044 @@ -88,7 +88,7 @@ int atm_pcr_goal(const struct atm_trafpr
67046 void sonet_copy_stats(struct k_sonet_stats *from,struct sonet_stats *to)
67048 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
67049 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
67051 #undef __HANDLE_ITEM
67053 @@ -96,7 +96,7 @@ void sonet_copy_stats(struct k_sonet_sta
67055 void sonet_subtract_stats(struct k_sonet_stats *from,struct sonet_stats *to)
67057 -#define __HANDLE_ITEM(i) atomic_sub(to->i,&from->i)
67058 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
67060 #undef __HANDLE_ITEM
67062 diff -urNp linux-2.6.32.42/net/atm/mpoa_caches.c linux-2.6.32.42/net/atm/mpoa_caches.c
67063 --- linux-2.6.32.42/net/atm/mpoa_caches.c 2011-03-27 14:31:47.000000000 -0400
67064 +++ linux-2.6.32.42/net/atm/mpoa_caches.c 2011-05-16 21:46:57.000000000 -0400
67065 @@ -498,6 +498,8 @@ static void clear_expired(struct mpoa_cl
67066 struct timeval now;
67067 struct k_message msg;
67069 + pax_track_stack();
67071 do_gettimeofday(&now);
67073 write_lock_irq(&client->egress_lock);
67074 diff -urNp linux-2.6.32.42/net/atm/proc.c linux-2.6.32.42/net/atm/proc.c
67075 --- linux-2.6.32.42/net/atm/proc.c 2011-03-27 14:31:47.000000000 -0400
67076 +++ linux-2.6.32.42/net/atm/proc.c 2011-04-17 15:56:46.000000000 -0400
67077 @@ -43,9 +43,9 @@ static void add_stats(struct seq_file *s
67078 const struct k_atm_aal_stats *stats)
67080 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
67081 - atomic_read(&stats->tx),atomic_read(&stats->tx_err),
67082 - atomic_read(&stats->rx),atomic_read(&stats->rx_err),
67083 - atomic_read(&stats->rx_drop));
67084 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
67085 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
67086 + atomic_read_unchecked(&stats->rx_drop));
67089 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
67090 @@ -188,7 +188,12 @@ static void vcc_info(struct seq_file *se
67092 struct sock *sk = sk_atm(vcc);
67094 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67095 + seq_printf(seq, "%p ", NULL);
67097 seq_printf(seq, "%p ", vcc);
67101 seq_printf(seq, "Unassigned ");
67103 @@ -214,7 +219,11 @@ static void svc_info(struct seq_file *se
67106 seq_printf(seq, sizeof(void *) == 4 ?
67107 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67108 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
67110 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
67113 seq_printf(seq, "%3d %3d %5d ",
67114 vcc->dev->number, vcc->vpi, vcc->vci);
67115 diff -urNp linux-2.6.32.42/net/atm/resources.c linux-2.6.32.42/net/atm/resources.c
67116 --- linux-2.6.32.42/net/atm/resources.c 2011-03-27 14:31:47.000000000 -0400
67117 +++ linux-2.6.32.42/net/atm/resources.c 2011-04-17 15:56:46.000000000 -0400
67118 @@ -161,7 +161,7 @@ void atm_dev_deregister(struct atm_dev *
67119 static void copy_aal_stats(struct k_atm_aal_stats *from,
67120 struct atm_aal_stats *to)
67122 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
67123 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
67125 #undef __HANDLE_ITEM
67127 @@ -170,7 +170,7 @@ static void copy_aal_stats(struct k_atm_
67128 static void subtract_aal_stats(struct k_atm_aal_stats *from,
67129 struct atm_aal_stats *to)
67131 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
67132 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
67134 #undef __HANDLE_ITEM
67136 diff -urNp linux-2.6.32.42/net/bluetooth/l2cap.c linux-2.6.32.42/net/bluetooth/l2cap.c
67137 --- linux-2.6.32.42/net/bluetooth/l2cap.c 2011-03-27 14:31:47.000000000 -0400
67138 +++ linux-2.6.32.42/net/bluetooth/l2cap.c 2011-06-12 06:34:08.000000000 -0400
67139 @@ -1885,7 +1885,7 @@ static int l2cap_sock_getsockopt_old(str
67144 + memset(&cinfo, 0, sizeof(cinfo));
67145 cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle;
67146 memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3);
67148 diff -urNp linux-2.6.32.42/net/bluetooth/rfcomm/sock.c linux-2.6.32.42/net/bluetooth/rfcomm/sock.c
67149 --- linux-2.6.32.42/net/bluetooth/rfcomm/sock.c 2011-03-27 14:31:47.000000000 -0400
67150 +++ linux-2.6.32.42/net/bluetooth/rfcomm/sock.c 2011-06-12 06:35:00.000000000 -0400
67151 @@ -878,6 +878,7 @@ static int rfcomm_sock_getsockopt_old(st
67153 l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk;
67155 + memset(&cinfo, 0, sizeof(cinfo));
67156 cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle;
67157 memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3);
67159 diff -urNp linux-2.6.32.42/net/bridge/br_private.h linux-2.6.32.42/net/bridge/br_private.h
67160 --- linux-2.6.32.42/net/bridge/br_private.h 2011-03-27 14:31:47.000000000 -0400
67161 +++ linux-2.6.32.42/net/bridge/br_private.h 2011-04-17 15:56:46.000000000 -0400
67162 @@ -254,7 +254,7 @@ extern void br_ifinfo_notify(int event,
67164 #ifdef CONFIG_SYSFS
67165 /* br_sysfs_if.c */
67166 -extern struct sysfs_ops brport_sysfs_ops;
67167 +extern const struct sysfs_ops brport_sysfs_ops;
67168 extern int br_sysfs_addif(struct net_bridge_port *p);
67170 /* br_sysfs_br.c */
67171 diff -urNp linux-2.6.32.42/net/bridge/br_stp_if.c linux-2.6.32.42/net/bridge/br_stp_if.c
67172 --- linux-2.6.32.42/net/bridge/br_stp_if.c 2011-03-27 14:31:47.000000000 -0400
67173 +++ linux-2.6.32.42/net/bridge/br_stp_if.c 2011-04-17 15:56:46.000000000 -0400
67174 @@ -146,7 +146,7 @@ static void br_stp_stop(struct net_bridg
67175 char *envp[] = { NULL };
67177 if (br->stp_enabled == BR_USER_STP) {
67178 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
67179 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
67180 printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
67183 diff -urNp linux-2.6.32.42/net/bridge/br_sysfs_if.c linux-2.6.32.42/net/bridge/br_sysfs_if.c
67184 --- linux-2.6.32.42/net/bridge/br_sysfs_if.c 2011-03-27 14:31:47.000000000 -0400
67185 +++ linux-2.6.32.42/net/bridge/br_sysfs_if.c 2011-04-17 15:56:46.000000000 -0400
67186 @@ -220,7 +220,7 @@ static ssize_t brport_store(struct kobje
67190 -struct sysfs_ops brport_sysfs_ops = {
67191 +const struct sysfs_ops brport_sysfs_ops = {
67192 .show = brport_show,
67193 .store = brport_store,
67195 diff -urNp linux-2.6.32.42/net/bridge/netfilter/ebtables.c linux-2.6.32.42/net/bridge/netfilter/ebtables.c
67196 --- linux-2.6.32.42/net/bridge/netfilter/ebtables.c 2011-04-17 17:00:52.000000000 -0400
67197 +++ linux-2.6.32.42/net/bridge/netfilter/ebtables.c 2011-05-16 21:46:57.000000000 -0400
67198 @@ -1337,6 +1337,8 @@ static int copy_everything_to_user(struc
67199 unsigned int entries_size, nentries;
67202 + pax_track_stack();
67204 if (cmd == EBT_SO_GET_ENTRIES) {
67205 entries_size = t->private->entries_size;
67206 nentries = t->private->nentries;
67207 diff -urNp linux-2.6.32.42/net/can/bcm.c linux-2.6.32.42/net/can/bcm.c
67208 --- linux-2.6.32.42/net/can/bcm.c 2011-05-10 22:12:01.000000000 -0400
67209 +++ linux-2.6.32.42/net/can/bcm.c 2011-05-10 22:12:34.000000000 -0400
67210 @@ -164,9 +164,15 @@ static int bcm_proc_show(struct seq_file
67211 struct bcm_sock *bo = bcm_sk(sk);
67214 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67215 + seq_printf(m, ">>> socket %p", NULL);
67216 + seq_printf(m, " / sk %p", NULL);
67217 + seq_printf(m, " / bo %p", NULL);
67219 seq_printf(m, ">>> socket %p", sk->sk_socket);
67220 seq_printf(m, " / sk %p", sk);
67221 seq_printf(m, " / bo %p", bo);
67223 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
67224 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
67225 seq_printf(m, " <<<\n");
67226 diff -urNp linux-2.6.32.42/net/core/dev.c linux-2.6.32.42/net/core/dev.c
67227 --- linux-2.6.32.42/net/core/dev.c 2011-04-17 17:00:52.000000000 -0400
67228 +++ linux-2.6.32.42/net/core/dev.c 2011-04-17 17:04:18.000000000 -0400
67229 @@ -1047,10 +1047,14 @@ void dev_load(struct net *net, const cha
67230 if (no_module && capable(CAP_NET_ADMIN))
67231 no_module = request_module("netdev-%s", name);
67232 if (no_module && capable(CAP_SYS_MODULE)) {
67233 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
67234 + ___request_module(true, "grsec_modharden_netdev", "%s", name);
67236 if (!request_module("%s", name))
67237 pr_err("Loading kernel module for a network device "
67238 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
67239 "instead\n", name);
67243 EXPORT_SYMBOL(dev_load);
67244 @@ -2063,7 +2067,7 @@ int netif_rx_ni(struct sk_buff *skb)
67246 EXPORT_SYMBOL(netif_rx_ni);
67248 -static void net_tx_action(struct softirq_action *h)
67249 +static void net_tx_action(void)
67251 struct softnet_data *sd = &__get_cpu_var(softnet_data);
67253 @@ -2826,7 +2830,7 @@ void netif_napi_del(struct napi_struct *
67254 EXPORT_SYMBOL(netif_napi_del);
67257 -static void net_rx_action(struct softirq_action *h)
67258 +static void net_rx_action(void)
67260 struct list_head *list = &__get_cpu_var(softnet_data).poll_list;
67261 unsigned long time_limit = jiffies + 2;
67262 diff -urNp linux-2.6.32.42/net/core/flow.c linux-2.6.32.42/net/core/flow.c
67263 --- linux-2.6.32.42/net/core/flow.c 2011-03-27 14:31:47.000000000 -0400
67264 +++ linux-2.6.32.42/net/core/flow.c 2011-05-04 17:56:20.000000000 -0400
67265 @@ -35,11 +35,11 @@ struct flow_cache_entry {
67266 atomic_t *object_ref;
67269 -atomic_t flow_cache_genid = ATOMIC_INIT(0);
67270 +atomic_unchecked_t flow_cache_genid = ATOMIC_INIT(0);
67272 static u32 flow_hash_shift;
67273 #define flow_hash_size (1 << flow_hash_shift)
67274 -static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables) = { NULL };
67275 +static DEFINE_PER_CPU(struct flow_cache_entry **, flow_tables);
67277 #define flow_table(cpu) (per_cpu(flow_tables, cpu))
67279 @@ -52,7 +52,7 @@ struct flow_percpu_info {
67283 -static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info) = { 0 };
67284 +static DEFINE_PER_CPU(struct flow_percpu_info, flow_hash_info);
67286 #define flow_hash_rnd_recalc(cpu) \
67287 (per_cpu(flow_hash_info, cpu).hash_rnd_recalc)
67288 @@ -69,7 +69,7 @@ struct flow_flush_info {
67290 struct completion completion;
67292 -static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets) = { NULL };
67293 +static DEFINE_PER_CPU(struct tasklet_struct, flow_flush_tasklets);
67295 #define flow_flush_tasklet(cpu) (&per_cpu(flow_flush_tasklets, cpu))
67297 @@ -190,7 +190,7 @@ void *flow_cache_lookup(struct net *net,
67298 if (fle->family == family &&
67300 flow_key_compare(key, &fle->key) == 0) {
67301 - if (fle->genid == atomic_read(&flow_cache_genid)) {
67302 + if (fle->genid == atomic_read_unchecked(&flow_cache_genid)) {
67303 void *ret = fle->object;
67306 @@ -228,7 +228,7 @@ nocache:
67307 err = resolver(net, key, family, dir, &obj, &obj_ref);
67310 - fle->genid = atomic_read(&flow_cache_genid);
67311 + fle->genid = atomic_read_unchecked(&flow_cache_genid);
67314 atomic_dec(fle->object_ref);
67315 @@ -258,7 +258,7 @@ static void flow_cache_flush_tasklet(uns
67317 fle = flow_table(cpu)[i];
67318 for (; fle; fle = fle->next) {
67319 - unsigned genid = atomic_read(&flow_cache_genid);
67320 + unsigned genid = atomic_read_unchecked(&flow_cache_genid);
67322 if (!fle->object || fle->genid == genid)
67324 diff -urNp linux-2.6.32.42/net/core/skbuff.c linux-2.6.32.42/net/core/skbuff.c
67325 --- linux-2.6.32.42/net/core/skbuff.c 2011-03-27 14:31:47.000000000 -0400
67326 +++ linux-2.6.32.42/net/core/skbuff.c 2011-05-16 21:46:57.000000000 -0400
67327 @@ -1544,6 +1544,8 @@ int skb_splice_bits(struct sk_buff *skb,
67328 struct sk_buff *frag_iter;
67329 struct sock *sk = skb->sk;
67331 + pax_track_stack();
67334 * __skb_splice_bits() only fails if the output has no room left,
67335 * so no point in going over the frag_list for the error case.
67336 diff -urNp linux-2.6.32.42/net/core/sock.c linux-2.6.32.42/net/core/sock.c
67337 --- linux-2.6.32.42/net/core/sock.c 2011-03-27 14:31:47.000000000 -0400
67338 +++ linux-2.6.32.42/net/core/sock.c 2011-05-04 17:56:20.000000000 -0400
67339 @@ -864,11 +864,15 @@ int sock_getsockopt(struct socket *sock,
67344 + struct ucred peercred;
67345 if (len > sizeof(sk->sk_peercred))
67346 len = sizeof(sk->sk_peercred);
67347 - if (copy_to_user(optval, &sk->sk_peercred, len))
67348 + peercred = sk->sk_peercred;
67349 + if (copy_to_user(optval, &peercred, len))
67356 @@ -1892,7 +1896,7 @@ void sock_init_data(struct socket *sock,
67359 atomic_set(&sk->sk_refcnt, 1);
67360 - atomic_set(&sk->sk_drops, 0);
67361 + atomic_set_unchecked(&sk->sk_drops, 0);
67363 EXPORT_SYMBOL(sock_init_data);
67365 diff -urNp linux-2.6.32.42/net/decnet/sysctl_net_decnet.c linux-2.6.32.42/net/decnet/sysctl_net_decnet.c
67366 --- linux-2.6.32.42/net/decnet/sysctl_net_decnet.c 2011-03-27 14:31:47.000000000 -0400
67367 +++ linux-2.6.32.42/net/decnet/sysctl_net_decnet.c 2011-04-17 15:56:46.000000000 -0400
67368 @@ -206,7 +206,7 @@ static int dn_node_address_handler(ctl_t
67370 if (len > *lenp) len = *lenp;
67372 - if (copy_to_user(buffer, addr, len))
67373 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
67377 @@ -327,7 +327,7 @@ static int dn_def_dev_handler(ctl_table
67379 if (len > *lenp) len = *lenp;
67381 - if (copy_to_user(buffer, devname, len))
67382 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
67386 diff -urNp linux-2.6.32.42/net/econet/Kconfig linux-2.6.32.42/net/econet/Kconfig
67387 --- linux-2.6.32.42/net/econet/Kconfig 2011-03-27 14:31:47.000000000 -0400
67388 +++ linux-2.6.32.42/net/econet/Kconfig 2011-04-17 15:56:46.000000000 -0400
67392 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
67393 - depends on EXPERIMENTAL && INET
67394 + depends on EXPERIMENTAL && INET && BROKEN
67396 Econet is a fairly old and slow networking protocol mainly used by
67397 Acorn computers to access file and print servers. It uses native
67398 diff -urNp linux-2.6.32.42/net/ieee802154/dgram.c linux-2.6.32.42/net/ieee802154/dgram.c
67399 --- linux-2.6.32.42/net/ieee802154/dgram.c 2011-03-27 14:31:47.000000000 -0400
67400 +++ linux-2.6.32.42/net/ieee802154/dgram.c 2011-05-04 17:56:28.000000000 -0400
67401 @@ -318,7 +318,7 @@ out:
67402 static int dgram_rcv_skb(struct sock *sk, struct sk_buff *skb)
67404 if (sock_queue_rcv_skb(sk, skb) < 0) {
67405 - atomic_inc(&sk->sk_drops);
67406 + atomic_inc_unchecked(&sk->sk_drops);
67408 return NET_RX_DROP;
67410 diff -urNp linux-2.6.32.42/net/ieee802154/raw.c linux-2.6.32.42/net/ieee802154/raw.c
67411 --- linux-2.6.32.42/net/ieee802154/raw.c 2011-03-27 14:31:47.000000000 -0400
67412 +++ linux-2.6.32.42/net/ieee802154/raw.c 2011-05-04 17:56:28.000000000 -0400
67413 @@ -206,7 +206,7 @@ out:
67414 static int raw_rcv_skb(struct sock *sk, struct sk_buff *skb)
67416 if (sock_queue_rcv_skb(sk, skb) < 0) {
67417 - atomic_inc(&sk->sk_drops);
67418 + atomic_inc_unchecked(&sk->sk_drops);
67420 return NET_RX_DROP;
67422 diff -urNp linux-2.6.32.42/net/ipv4/inet_diag.c linux-2.6.32.42/net/ipv4/inet_diag.c
67423 --- linux-2.6.32.42/net/ipv4/inet_diag.c 2011-04-17 17:00:52.000000000 -0400
67424 +++ linux-2.6.32.42/net/ipv4/inet_diag.c 2011-06-20 19:31:13.000000000 -0400
67425 @@ -113,8 +113,13 @@ static int inet_csk_diag_fill(struct soc
67426 r->idiag_retrans = 0;
67428 r->id.idiag_if = sk->sk_bound_dev_if;
67429 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67430 + r->id.idiag_cookie[0] = 0;
67431 + r->id.idiag_cookie[1] = 0;
67433 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
67434 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
67437 r->id.idiag_sport = inet->sport;
67438 r->id.idiag_dport = inet->dport;
67439 @@ -200,8 +205,15 @@ static int inet_twsk_diag_fill(struct in
67440 r->idiag_family = tw->tw_family;
67441 r->idiag_retrans = 0;
67442 r->id.idiag_if = tw->tw_bound_dev_if;
67444 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67445 + r->id.idiag_cookie[0] = 0;
67446 + r->id.idiag_cookie[1] = 0;
67448 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
67449 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
67452 r->id.idiag_sport = tw->tw_sport;
67453 r->id.idiag_dport = tw->tw_dport;
67454 r->id.idiag_src[0] = tw->tw_rcv_saddr;
67455 @@ -284,12 +296,14 @@ static int inet_diag_get_exact(struct sk
67459 +#ifndef CONFIG_GRKERNSEC_HIDESYM
67461 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
67462 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
67463 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
67464 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
67469 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
67470 @@ -436,7 +450,7 @@ static int valid_cc(const void *bc, int
67475 + if (op->yes < 4 || op->yes & 3)
67479 @@ -446,11 +460,11 @@ static int valid_cc(const void *bc, int
67481 static int inet_diag_bc_audit(const void *bytecode, int bytecode_len)
67483 - const unsigned char *bc = bytecode;
67484 + const void *bc = bytecode;
67485 int len = bytecode_len;
67488 - struct inet_diag_bc_op *op = (struct inet_diag_bc_op *)bc;
67489 + const struct inet_diag_bc_op *op = bc;
67491 //printk("BC: %d %d %d {%d} / %d\n", op->code, op->yes, op->no, op[1].no, len);
67492 switch (op->code) {
67493 @@ -461,22 +475,20 @@ static int inet_diag_bc_audit(const void
67494 case INET_DIAG_BC_S_LE:
67495 case INET_DIAG_BC_D_GE:
67496 case INET_DIAG_BC_D_LE:
67497 - if (op->yes < 4 || op->yes > len + 4)
67499 case INET_DIAG_BC_JMP:
67500 - if (op->no < 4 || op->no > len + 4)
67501 + if (op->no < 4 || op->no > len + 4 || op->no & 3)
67503 if (op->no < len &&
67504 !valid_cc(bytecode, bytecode_len, len - op->no))
67507 case INET_DIAG_BC_NOP:
67508 - if (op->yes < 4 || op->yes > len + 4)
67514 + if (op->yes < 4 || op->yes > len + 4 || op->yes & 3)
67519 @@ -581,8 +593,14 @@ static int inet_diag_fill_req(struct sk_
67520 r->idiag_retrans = req->retrans;
67522 r->id.idiag_if = sk->sk_bound_dev_if;
67524 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67525 + r->id.idiag_cookie[0] = 0;
67526 + r->id.idiag_cookie[1] = 0;
67528 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
67529 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
67532 tmo = req->expires - jiffies;
67534 diff -urNp linux-2.6.32.42/net/ipv4/inet_hashtables.c linux-2.6.32.42/net/ipv4/inet_hashtables.c
67535 --- linux-2.6.32.42/net/ipv4/inet_hashtables.c 2011-03-27 14:31:47.000000000 -0400
67536 +++ linux-2.6.32.42/net/ipv4/inet_hashtables.c 2011-04-17 15:56:46.000000000 -0400
67537 @@ -18,11 +18,14 @@
67538 #include <linux/sched.h>
67539 #include <linux/slab.h>
67540 #include <linux/wait.h>
67541 +#include <linux/security.h>
67543 #include <net/inet_connection_sock.h>
67544 #include <net/inet_hashtables.h>
67545 #include <net/ip.h>
67547 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
67550 * Allocate and initialize a new local port bind bucket.
67551 * The bindhash mutex for snum's hash chain must be held here.
67552 @@ -490,6 +493,8 @@ ok:
67554 spin_unlock(&head->lock);
67556 + gr_update_task_in_ip_table(current, inet_sk(sk));
67559 inet_twsk_deschedule(tw, death_row);
67561 diff -urNp linux-2.6.32.42/net/ipv4/inetpeer.c linux-2.6.32.42/net/ipv4/inetpeer.c
67562 --- linux-2.6.32.42/net/ipv4/inetpeer.c 2011-03-27 14:31:47.000000000 -0400
67563 +++ linux-2.6.32.42/net/ipv4/inetpeer.c 2011-05-16 21:46:57.000000000 -0400
67564 @@ -366,6 +366,8 @@ struct inet_peer *inet_getpeer(__be32 da
67565 struct inet_peer *p, *n;
67566 struct inet_peer **stack[PEER_MAXDEPTH], ***stackptr;
67568 + pax_track_stack();
67570 /* Look up for the address quickly. */
67571 read_lock_bh(&peer_pool_lock);
67572 p = lookup(daddr, NULL);
67573 @@ -389,7 +391,7 @@ struct inet_peer *inet_getpeer(__be32 da
67575 n->v4daddr = daddr;
67576 atomic_set(&n->refcnt, 1);
67577 - atomic_set(&n->rid, 0);
67578 + atomic_set_unchecked(&n->rid, 0);
67579 n->ip_id_count = secure_ip_id(daddr);
67580 n->tcp_ts_stamp = 0;
67582 diff -urNp linux-2.6.32.42/net/ipv4/ip_fragment.c linux-2.6.32.42/net/ipv4/ip_fragment.c
67583 --- linux-2.6.32.42/net/ipv4/ip_fragment.c 2011-03-27 14:31:47.000000000 -0400
67584 +++ linux-2.6.32.42/net/ipv4/ip_fragment.c 2011-04-17 15:56:46.000000000 -0400
67585 @@ -255,7 +255,7 @@ static inline int ip_frag_too_far(struct
67589 - end = atomic_inc_return(&peer->rid);
67590 + end = atomic_inc_return_unchecked(&peer->rid);
67593 rc = qp->q.fragments && (end - start) > max;
67594 diff -urNp linux-2.6.32.42/net/ipv4/ip_sockglue.c linux-2.6.32.42/net/ipv4/ip_sockglue.c
67595 --- linux-2.6.32.42/net/ipv4/ip_sockglue.c 2011-03-27 14:31:47.000000000 -0400
67596 +++ linux-2.6.32.42/net/ipv4/ip_sockglue.c 2011-05-16 21:46:57.000000000 -0400
67597 @@ -1015,6 +1015,8 @@ static int do_ip_getsockopt(struct sock
67601 + pax_track_stack();
67603 if (level != SOL_IP)
67604 return -EOPNOTSUPP;
67606 diff -urNp linux-2.6.32.42/net/ipv4/netfilter/arp_tables.c linux-2.6.32.42/net/ipv4/netfilter/arp_tables.c
67607 --- linux-2.6.32.42/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:00:52.000000000 -0400
67608 +++ linux-2.6.32.42/net/ipv4/netfilter/arp_tables.c 2011-04-17 17:04:18.000000000 -0400
67609 @@ -934,6 +934,7 @@ static int get_info(struct net *net, voi
67613 + memset(&info, 0, sizeof(info));
67614 info.valid_hooks = t->valid_hooks;
67615 memcpy(info.hook_entry, private->hook_entry,
67616 sizeof(info.hook_entry));
67617 diff -urNp linux-2.6.32.42/net/ipv4/netfilter/ip_tables.c linux-2.6.32.42/net/ipv4/netfilter/ip_tables.c
67618 --- linux-2.6.32.42/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:00:52.000000000 -0400
67619 +++ linux-2.6.32.42/net/ipv4/netfilter/ip_tables.c 2011-04-17 17:04:18.000000000 -0400
67620 @@ -1141,6 +1141,7 @@ static int get_info(struct net *net, voi
67624 + memset(&info, 0, sizeof(info));
67625 info.valid_hooks = t->valid_hooks;
67626 memcpy(info.hook_entry, private->hook_entry,
67627 sizeof(info.hook_entry));
67628 diff -urNp linux-2.6.32.42/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.32.42/net/ipv4/netfilter/nf_nat_snmp_basic.c
67629 --- linux-2.6.32.42/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-27 14:31:47.000000000 -0400
67630 +++ linux-2.6.32.42/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-04-17 15:56:46.000000000 -0400
67631 @@ -397,7 +397,7 @@ static unsigned char asn1_octets_decode(
67635 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
67636 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
67637 if (*octets == NULL) {
67638 if (net_ratelimit())
67639 printk("OOM in bsalg (%d)\n", __LINE__);
67640 diff -urNp linux-2.6.32.42/net/ipv4/raw.c linux-2.6.32.42/net/ipv4/raw.c
67641 --- linux-2.6.32.42/net/ipv4/raw.c 2011-03-27 14:31:47.000000000 -0400
67642 +++ linux-2.6.32.42/net/ipv4/raw.c 2011-05-04 17:59:08.000000000 -0400
67643 @@ -292,7 +292,7 @@ static int raw_rcv_skb(struct sock * sk,
67644 /* Charge it to the socket. */
67646 if (sock_queue_rcv_skb(sk, skb) < 0) {
67647 - atomic_inc(&sk->sk_drops);
67648 + atomic_inc_unchecked(&sk->sk_drops);
67650 return NET_RX_DROP;
67652 @@ -303,7 +303,7 @@ static int raw_rcv_skb(struct sock * sk,
67653 int raw_rcv(struct sock *sk, struct sk_buff *skb)
67655 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) {
67656 - atomic_inc(&sk->sk_drops);
67657 + atomic_inc_unchecked(&sk->sk_drops);
67659 return NET_RX_DROP;
67661 @@ -724,15 +724,22 @@ static int raw_init(struct sock *sk)
67663 static int raw_seticmpfilter(struct sock *sk, char __user *optval, int optlen)
67665 + struct icmp_filter filter;
67669 if (optlen > sizeof(struct icmp_filter))
67670 optlen = sizeof(struct icmp_filter);
67671 - if (copy_from_user(&raw_sk(sk)->filter, optval, optlen))
67672 + if (copy_from_user(&filter, optval, optlen))
67674 + memcpy(&raw_sk(sk)->filter, &filter, optlen);
67679 static int raw_geticmpfilter(struct sock *sk, char __user *optval, int __user *optlen)
67681 + struct icmp_filter filter;
67682 int len, ret = -EFAULT;
67684 if (get_user(len, optlen))
67685 @@ -743,8 +750,9 @@ static int raw_geticmpfilter(struct sock
67686 if (len > sizeof(struct icmp_filter))
67687 len = sizeof(struct icmp_filter);
67689 + memcpy(&filter, &raw_sk(sk)->filter, len);
67690 if (put_user(len, optlen) ||
67691 - copy_to_user(optval, &raw_sk(sk)->filter, len))
67692 + copy_to_user(optval, &filter, len))
67696 @@ -954,7 +962,13 @@ static void raw_sock_seq_show(struct seq
67697 sk_wmem_alloc_get(sp),
67698 sk_rmem_alloc_get(sp),
67699 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
67700 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
67701 + atomic_read(&sp->sk_refcnt),
67702 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67707 + atomic_read_unchecked(&sp->sk_drops));
67710 static int raw_seq_show(struct seq_file *seq, void *v)
67711 diff -urNp linux-2.6.32.42/net/ipv4/route.c linux-2.6.32.42/net/ipv4/route.c
67712 --- linux-2.6.32.42/net/ipv4/route.c 2011-03-27 14:31:47.000000000 -0400
67713 +++ linux-2.6.32.42/net/ipv4/route.c 2011-05-04 17:56:28.000000000 -0400
67714 @@ -268,7 +268,7 @@ static inline unsigned int rt_hash(__be3
67716 static inline int rt_genid(struct net *net)
67718 - return atomic_read(&net->ipv4.rt_genid);
67719 + return atomic_read_unchecked(&net->ipv4.rt_genid);
67722 #ifdef CONFIG_PROC_FS
67723 @@ -888,7 +888,7 @@ static void rt_cache_invalidate(struct n
67724 unsigned char shuffle;
67726 get_random_bytes(&shuffle, sizeof(shuffle));
67727 - atomic_add(shuffle + 1U, &net->ipv4.rt_genid);
67728 + atomic_add_unchecked(shuffle + 1U, &net->ipv4.rt_genid);
67732 @@ -3356,7 +3356,7 @@ static __net_initdata struct pernet_oper
67734 static __net_init int rt_secret_timer_init(struct net *net)
67736 - atomic_set(&net->ipv4.rt_genid,
67737 + atomic_set_unchecked(&net->ipv4.rt_genid,
67738 (int) ((num_physpages ^ (num_physpages>>8)) ^
67739 (jiffies ^ (jiffies >> 7))));
67741 diff -urNp linux-2.6.32.42/net/ipv4/tcp.c linux-2.6.32.42/net/ipv4/tcp.c
67742 --- linux-2.6.32.42/net/ipv4/tcp.c 2011-03-27 14:31:47.000000000 -0400
67743 +++ linux-2.6.32.42/net/ipv4/tcp.c 2011-05-16 21:46:57.000000000 -0400
67744 @@ -2085,6 +2085,8 @@ static int do_tcp_setsockopt(struct sock
67748 + pax_track_stack();
67750 /* This is a string value all the others are int's */
67751 if (optname == TCP_CONGESTION) {
67752 char name[TCP_CA_NAME_MAX];
67753 @@ -2355,6 +2357,8 @@ static int do_tcp_getsockopt(struct sock
67754 struct tcp_sock *tp = tcp_sk(sk);
67757 + pax_track_stack();
67759 if (get_user(len, optlen))
67762 diff -urNp linux-2.6.32.42/net/ipv4/tcp_ipv4.c linux-2.6.32.42/net/ipv4/tcp_ipv4.c
67763 --- linux-2.6.32.42/net/ipv4/tcp_ipv4.c 2011-03-27 14:31:47.000000000 -0400
67764 +++ linux-2.6.32.42/net/ipv4/tcp_ipv4.c 2011-04-17 15:56:46.000000000 -0400
67766 int sysctl_tcp_tw_reuse __read_mostly;
67767 int sysctl_tcp_low_latency __read_mostly;
67769 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67770 +extern int grsec_enable_blackhole;
67773 #ifdef CONFIG_TCP_MD5SIG
67774 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
67775 @@ -1542,6 +1545,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
67779 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67780 + if (!grsec_enable_blackhole)
67782 tcp_v4_send_reset(rsk, skb);
67785 @@ -1603,12 +1609,20 @@ int tcp_v4_rcv(struct sk_buff *skb)
67786 TCP_SKB_CB(skb)->sacked = 0;
67788 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
67791 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67794 goto no_tcp_socket;
67798 - if (sk->sk_state == TCP_TIME_WAIT)
67799 + if (sk->sk_state == TCP_TIME_WAIT) {
67800 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67806 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb))
67807 goto discard_and_relse;
67808 @@ -1650,6 +1664,10 @@ no_tcp_socket:
67810 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
67812 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67813 + if (!grsec_enable_blackhole || (ret == 1 &&
67814 + (skb->dev->flags & IFF_LOOPBACK)))
67816 tcp_v4_send_reset(NULL, skb);
67819 @@ -2237,7 +2255,11 @@ static void get_openreq4(struct sock *sk
67820 0, /* non standard timer */
67821 0, /* open_requests have no inode */
67822 atomic_read(&sk->sk_refcnt),
67823 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67831 @@ -2279,7 +2301,12 @@ static void get_tcp4_sock(struct sock *s
67833 icsk->icsk_probes_out,
67835 - atomic_read(&sk->sk_refcnt), sk,
67836 + atomic_read(&sk->sk_refcnt),
67837 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67842 jiffies_to_clock_t(icsk->icsk_rto),
67843 jiffies_to_clock_t(icsk->icsk_ack.ato),
67844 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
67845 @@ -2307,7 +2334,13 @@ static void get_timewait4_sock(struct in
67846 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
67847 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
67848 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
67849 - atomic_read(&tw->tw_refcnt), tw, len);
67850 + atomic_read(&tw->tw_refcnt),
67851 +#ifdef CONFIG_GRKERNSEC_HIDESYM
67860 diff -urNp linux-2.6.32.42/net/ipv4/tcp_minisocks.c linux-2.6.32.42/net/ipv4/tcp_minisocks.c
67861 --- linux-2.6.32.42/net/ipv4/tcp_minisocks.c 2011-03-27 14:31:47.000000000 -0400
67862 +++ linux-2.6.32.42/net/ipv4/tcp_minisocks.c 2011-04-17 15:56:46.000000000 -0400
67864 #include <net/inet_common.h>
67865 #include <net/xfrm.h>
67867 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67868 +extern int grsec_enable_blackhole;
67871 #ifdef CONFIG_SYSCTL
67872 #define SYNC_INIT 0 /* let the user enable it */
67874 @@ -672,6 +676,10 @@ listen_overflow:
67877 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
67879 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67880 + if (!grsec_enable_blackhole)
67882 if (!(flg & TCP_FLAG_RST))
67883 req->rsk_ops->send_reset(sk, skb);
67885 diff -urNp linux-2.6.32.42/net/ipv4/tcp_output.c linux-2.6.32.42/net/ipv4/tcp_output.c
67886 --- linux-2.6.32.42/net/ipv4/tcp_output.c 2011-03-27 14:31:47.000000000 -0400
67887 +++ linux-2.6.32.42/net/ipv4/tcp_output.c 2011-05-16 21:46:57.000000000 -0400
67888 @@ -2234,6 +2234,8 @@ struct sk_buff *tcp_make_synack(struct s
67889 __u8 *md5_hash_location;
67892 + pax_track_stack();
67894 skb = sock_wmalloc(sk, MAX_TCP_HEADER + 15, 1, GFP_ATOMIC);
67897 diff -urNp linux-2.6.32.42/net/ipv4/tcp_probe.c linux-2.6.32.42/net/ipv4/tcp_probe.c
67898 --- linux-2.6.32.42/net/ipv4/tcp_probe.c 2011-03-27 14:31:47.000000000 -0400
67899 +++ linux-2.6.32.42/net/ipv4/tcp_probe.c 2011-04-17 15:56:46.000000000 -0400
67900 @@ -200,7 +200,7 @@ static ssize_t tcpprobe_read(struct file
67901 if (cnt + width >= len)
67904 - if (copy_to_user(buf + cnt, tbuf, width))
67905 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
67909 diff -urNp linux-2.6.32.42/net/ipv4/tcp_timer.c linux-2.6.32.42/net/ipv4/tcp_timer.c
67910 --- linux-2.6.32.42/net/ipv4/tcp_timer.c 2011-03-27 14:31:47.000000000 -0400
67911 +++ linux-2.6.32.42/net/ipv4/tcp_timer.c 2011-04-17 15:56:46.000000000 -0400
67913 #include <linux/module.h>
67914 #include <net/tcp.h>
67916 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67917 +extern int grsec_lastack_retries;
67920 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
67921 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
67922 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
67923 @@ -164,6 +168,13 @@ static int tcp_write_timeout(struct sock
67927 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67928 + if ((sk->sk_state == TCP_LAST_ACK) &&
67929 + (grsec_lastack_retries > 0) &&
67930 + (grsec_lastack_retries < retry_until))
67931 + retry_until = grsec_lastack_retries;
67934 if (retransmits_timed_out(sk, retry_until)) {
67935 /* Has it gone just too far? */
67937 diff -urNp linux-2.6.32.42/net/ipv4/udp.c linux-2.6.32.42/net/ipv4/udp.c
67938 --- linux-2.6.32.42/net/ipv4/udp.c 2011-03-27 14:31:47.000000000 -0400
67939 +++ linux-2.6.32.42/net/ipv4/udp.c 2011-05-04 17:57:28.000000000 -0400
67941 #include <linux/types.h>
67942 #include <linux/fcntl.h>
67943 #include <linux/module.h>
67944 +#include <linux/security.h>
67945 #include <linux/socket.h>
67946 #include <linux/sockios.h>
67947 #include <linux/igmp.h>
67948 @@ -106,6 +107,10 @@
67949 #include <net/xfrm.h>
67950 #include "udp_impl.h"
67952 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
67953 +extern int grsec_enable_blackhole;
67956 struct udp_table udp_table;
67957 EXPORT_SYMBOL(udp_table);
67959 @@ -371,6 +376,9 @@ found:
67963 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
67964 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
67967 * This routine is called by the ICMP module when it gets some
67968 * sort of error condition. If err < 0 then the socket should
67969 @@ -639,9 +647,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
67970 dport = usin->sin_port;
67974 + err = gr_search_udp_sendmsg(sk, usin);
67978 if (sk->sk_state != TCP_ESTABLISHED)
67979 return -EDESTADDRREQ;
67981 + err = gr_search_udp_sendmsg(sk, NULL);
67985 daddr = inet->daddr;
67986 dport = inet->dport;
67987 /* Open fast path for connected socket.
67988 @@ -945,6 +962,10 @@ try_again:
67992 + err = gr_search_udp_recvmsg(sk, skb);
67996 ulen = skb->len - sizeof(struct udphdr);
67999 @@ -1065,7 +1086,7 @@ static int __udp_queue_rcv_skb(struct so
68000 if (rc == -ENOMEM) {
68001 UDP_INC_STATS_BH(sock_net(sk), UDP_MIB_RCVBUFERRORS,
68003 - atomic_inc(&sk->sk_drops);
68004 + atomic_inc_unchecked(&sk->sk_drops);
68008 @@ -1335,6 +1356,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
68011 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
68012 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
68013 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
68015 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
68018 @@ -1755,8 +1779,13 @@ static void udp4_format_sock(struct sock
68019 sk_wmem_alloc_get(sp),
68020 sk_rmem_alloc_get(sp),
68021 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
68022 - atomic_read(&sp->sk_refcnt), sp,
68023 - atomic_read(&sp->sk_drops), len);
68024 + atomic_read(&sp->sk_refcnt),
68025 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68030 + atomic_read_unchecked(&sp->sk_drops), len);
68033 int udp4_seq_show(struct seq_file *seq, void *v)
68034 diff -urNp linux-2.6.32.42/net/ipv6/inet6_connection_sock.c linux-2.6.32.42/net/ipv6/inet6_connection_sock.c
68035 --- linux-2.6.32.42/net/ipv6/inet6_connection_sock.c 2011-03-27 14:31:47.000000000 -0400
68036 +++ linux-2.6.32.42/net/ipv6/inet6_connection_sock.c 2011-05-04 17:56:28.000000000 -0400
68037 @@ -152,7 +152,7 @@ void __inet6_csk_dst_store(struct sock *
68040 struct rt6_info *rt = (struct rt6_info *)dst;
68041 - rt->rt6i_flow_cache_genid = atomic_read(&flow_cache_genid);
68042 + rt->rt6i_flow_cache_genid = atomic_read_unchecked(&flow_cache_genid);
68046 @@ -167,7 +167,7 @@ struct dst_entry *__inet6_csk_dst_check(
68049 struct rt6_info *rt = (struct rt6_info *)dst;
68050 - if (rt->rt6i_flow_cache_genid != atomic_read(&flow_cache_genid)) {
68051 + if (rt->rt6i_flow_cache_genid != atomic_read_unchecked(&flow_cache_genid)) {
68052 sk->sk_dst_cache = NULL;
68055 diff -urNp linux-2.6.32.42/net/ipv6/inet6_hashtables.c linux-2.6.32.42/net/ipv6/inet6_hashtables.c
68056 --- linux-2.6.32.42/net/ipv6/inet6_hashtables.c 2011-03-27 14:31:47.000000000 -0400
68057 +++ linux-2.6.32.42/net/ipv6/inet6_hashtables.c 2011-05-04 17:56:28.000000000 -0400
68058 @@ -118,7 +118,7 @@ out:
68060 EXPORT_SYMBOL(__inet6_lookup_established);
68062 -static int inline compute_score(struct sock *sk, struct net *net,
68063 +static inline int compute_score(struct sock *sk, struct net *net,
68064 const unsigned short hnum,
68065 const struct in6_addr *daddr,
68067 diff -urNp linux-2.6.32.42/net/ipv6/ipv6_sockglue.c linux-2.6.32.42/net/ipv6/ipv6_sockglue.c
68068 --- linux-2.6.32.42/net/ipv6/ipv6_sockglue.c 2011-03-27 14:31:47.000000000 -0400
68069 +++ linux-2.6.32.42/net/ipv6/ipv6_sockglue.c 2011-05-16 21:46:57.000000000 -0400
68070 @@ -130,6 +130,8 @@ static int do_ipv6_setsockopt(struct soc
68072 int retv = -ENOPROTOOPT;
68074 + pax_track_stack();
68076 if (optval == NULL)
68079 @@ -881,6 +883,8 @@ static int do_ipv6_getsockopt(struct soc
68083 + pax_track_stack();
68085 if (ip6_mroute_opt(optname))
68086 return ip6_mroute_getsockopt(sk, optname, optval, optlen);
68088 diff -urNp linux-2.6.32.42/net/ipv6/netfilter/ip6_tables.c linux-2.6.32.42/net/ipv6/netfilter/ip6_tables.c
68089 --- linux-2.6.32.42/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:00:52.000000000 -0400
68090 +++ linux-2.6.32.42/net/ipv6/netfilter/ip6_tables.c 2011-04-17 17:04:18.000000000 -0400
68091 @@ -1173,6 +1173,7 @@ static int get_info(struct net *net, voi
68095 + memset(&info, 0, sizeof(info));
68096 info.valid_hooks = t->valid_hooks;
68097 memcpy(info.hook_entry, private->hook_entry,
68098 sizeof(info.hook_entry));
68099 diff -urNp linux-2.6.32.42/net/ipv6/raw.c linux-2.6.32.42/net/ipv6/raw.c
68100 --- linux-2.6.32.42/net/ipv6/raw.c 2011-03-27 14:31:47.000000000 -0400
68101 +++ linux-2.6.32.42/net/ipv6/raw.c 2011-05-16 21:46:57.000000000 -0400
68102 @@ -375,14 +375,14 @@ static inline int rawv6_rcv_skb(struct s
68104 if ((raw6_sk(sk)->checksum || sk->sk_filter) &&
68105 skb_checksum_complete(skb)) {
68106 - atomic_inc(&sk->sk_drops);
68107 + atomic_inc_unchecked(&sk->sk_drops);
68109 return NET_RX_DROP;
68112 /* Charge it to the socket. */
68113 if (sock_queue_rcv_skb(sk,skb)<0) {
68114 - atomic_inc(&sk->sk_drops);
68115 + atomic_inc_unchecked(&sk->sk_drops);
68117 return NET_RX_DROP;
68119 @@ -403,7 +403,7 @@ int rawv6_rcv(struct sock *sk, struct sk
68120 struct raw6_sock *rp = raw6_sk(sk);
68122 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) {
68123 - atomic_inc(&sk->sk_drops);
68124 + atomic_inc_unchecked(&sk->sk_drops);
68126 return NET_RX_DROP;
68128 @@ -427,7 +427,7 @@ int rawv6_rcv(struct sock *sk, struct sk
68130 if (inet->hdrincl) {
68131 if (skb_checksum_complete(skb)) {
68132 - atomic_inc(&sk->sk_drops);
68133 + atomic_inc_unchecked(&sk->sk_drops);
68135 return NET_RX_DROP;
68137 @@ -518,7 +518,7 @@ csum_copy_err:
68138 as some normal condition.
68140 err = (flags&MSG_DONTWAIT) ? -EAGAIN : -EHOSTUNREACH;
68141 - atomic_inc(&sk->sk_drops);
68142 + atomic_inc_unchecked(&sk->sk_drops);
68146 @@ -600,7 +600,7 @@ out:
68150 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
68151 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
68152 struct flowi *fl, struct rt6_info *rt,
68153 unsigned int flags)
68155 @@ -738,6 +738,8 @@ static int rawv6_sendmsg(struct kiocb *i
68159 + pax_track_stack();
68161 /* Rough check on arithmetic overflow,
68162 better check is made in ip6_append_data().
68164 @@ -916,12 +918,17 @@ do_confirm:
68165 static int rawv6_seticmpfilter(struct sock *sk, int level, int optname,
68166 char __user *optval, int optlen)
68168 + struct icmp6_filter filter;
68171 case ICMPV6_FILTER:
68174 if (optlen > sizeof(struct icmp6_filter))
68175 optlen = sizeof(struct icmp6_filter);
68176 - if (copy_from_user(&raw6_sk(sk)->filter, optval, optlen))
68177 + if (copy_from_user(&filter, optval, optlen))
68179 + memcpy(&raw6_sk(sk)->filter, &filter, optlen);
68182 return -ENOPROTOOPT;
68183 @@ -933,6 +940,7 @@ static int rawv6_seticmpfilter(struct so
68184 static int rawv6_geticmpfilter(struct sock *sk, int level, int optname,
68185 char __user *optval, int __user *optlen)
68187 + struct icmp6_filter filter;
68191 @@ -945,7 +953,8 @@ static int rawv6_geticmpfilter(struct so
68192 len = sizeof(struct icmp6_filter);
68193 if (put_user(len, optlen))
68195 - if (copy_to_user(optval, &raw6_sk(sk)->filter, len))
68196 + memcpy(&filter, &raw6_sk(sk)->filter, len);
68197 + if (copy_to_user(optval, &filter, len))
68201 @@ -1241,7 +1250,13 @@ static void raw6_sock_seq_show(struct se
68205 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
68206 + atomic_read(&sp->sk_refcnt),
68207 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68212 + atomic_read_unchecked(&sp->sk_drops));
68215 static int raw6_seq_show(struct seq_file *seq, void *v)
68216 diff -urNp linux-2.6.32.42/net/ipv6/tcp_ipv6.c linux-2.6.32.42/net/ipv6/tcp_ipv6.c
68217 --- linux-2.6.32.42/net/ipv6/tcp_ipv6.c 2011-03-27 14:31:47.000000000 -0400
68218 +++ linux-2.6.32.42/net/ipv6/tcp_ipv6.c 2011-04-17 15:56:46.000000000 -0400
68219 @@ -88,6 +88,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
68223 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
68224 +extern int grsec_enable_blackhole;
68227 static void tcp_v6_hash(struct sock *sk)
68229 if (sk->sk_state != TCP_CLOSE) {
68230 @@ -1578,6 +1582,9 @@ static int tcp_v6_do_rcv(struct sock *sk
68234 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
68235 + if (!grsec_enable_blackhole)
68237 tcp_v6_send_reset(sk, skb);
68240 @@ -1655,12 +1662,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
68241 TCP_SKB_CB(skb)->sacked = 0;
68243 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
68246 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
68249 goto no_tcp_socket;
68253 - if (sk->sk_state == TCP_TIME_WAIT)
68254 + if (sk->sk_state == TCP_TIME_WAIT) {
68255 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
68261 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb))
68262 goto discard_and_relse;
68263 @@ -1700,6 +1715,10 @@ no_tcp_socket:
68265 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
68267 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
68268 + if (!grsec_enable_blackhole || (ret == 1 &&
68269 + (skb->dev->flags & IFF_LOOPBACK)))
68271 tcp_v6_send_reset(NULL, skb);
68274 @@ -1915,7 +1934,13 @@ static void get_openreq6(struct seq_file
68276 0, /* non standard timer */
68277 0, /* open_requests have no inode */
68280 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68288 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
68289 @@ -1965,7 +1990,12 @@ static void get_tcp6_sock(struct seq_fil
68291 icsk->icsk_probes_out,
68293 - atomic_read(&sp->sk_refcnt), sp,
68294 + atomic_read(&sp->sk_refcnt),
68295 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68300 jiffies_to_clock_t(icsk->icsk_rto),
68301 jiffies_to_clock_t(icsk->icsk_ack.ato),
68302 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
68303 @@ -2000,7 +2030,13 @@ static void get_timewait6_sock(struct se
68304 dest->s6_addr32[2], dest->s6_addr32[3], destp,
68305 tw->tw_substate, 0, 0,
68306 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
68307 - atomic_read(&tw->tw_refcnt), tw);
68308 + atomic_read(&tw->tw_refcnt),
68309 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68317 static int tcp6_seq_show(struct seq_file *seq, void *v)
68318 diff -urNp linux-2.6.32.42/net/ipv6/udp.c linux-2.6.32.42/net/ipv6/udp.c
68319 --- linux-2.6.32.42/net/ipv6/udp.c 2011-03-27 14:31:47.000000000 -0400
68320 +++ linux-2.6.32.42/net/ipv6/udp.c 2011-05-04 17:58:16.000000000 -0400
68322 #include <linux/seq_file.h>
68323 #include "udp_impl.h"
68325 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
68326 +extern int grsec_enable_blackhole;
68329 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
68331 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
68332 @@ -388,7 +392,7 @@ int udpv6_queue_rcv_skb(struct sock * sk
68333 if (rc == -ENOMEM) {
68334 UDP6_INC_STATS_BH(sock_net(sk),
68335 UDP_MIB_RCVBUFERRORS, is_udplite);
68336 - atomic_inc(&sk->sk_drops);
68337 + atomic_inc_unchecked(&sk->sk_drops);
68341 @@ -587,6 +591,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
68342 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
68343 proto == IPPROTO_UDPLITE);
68345 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
68346 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
68348 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0, dev);
68351 @@ -1206,8 +1213,13 @@ static void udp6_sock_seq_show(struct se
68355 - atomic_read(&sp->sk_refcnt), sp,
68356 - atomic_read(&sp->sk_drops));
68357 + atomic_read(&sp->sk_refcnt),
68358 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68363 + atomic_read_unchecked(&sp->sk_drops));
68366 int udp6_seq_show(struct seq_file *seq, void *v)
68367 diff -urNp linux-2.6.32.42/net/irda/ircomm/ircomm_tty.c linux-2.6.32.42/net/irda/ircomm/ircomm_tty.c
68368 --- linux-2.6.32.42/net/irda/ircomm/ircomm_tty.c 2011-03-27 14:31:47.000000000 -0400
68369 +++ linux-2.6.32.42/net/irda/ircomm/ircomm_tty.c 2011-04-17 15:56:46.000000000 -0400
68370 @@ -280,16 +280,16 @@ static int ircomm_tty_block_til_ready(st
68371 add_wait_queue(&self->open_wait, &wait);
68373 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
68374 - __FILE__,__LINE__, tty->driver->name, self->open_count );
68375 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
68377 /* As far as I can see, we protect open_count - Jean II */
68378 spin_lock_irqsave(&self->spinlock, flags);
68379 if (!tty_hung_up_p(filp)) {
68381 - self->open_count--;
68382 + local_dec(&self->open_count);
68384 spin_unlock_irqrestore(&self->spinlock, flags);
68385 - self->blocked_open++;
68386 + local_inc(&self->blocked_open);
68389 if (tty->termios->c_cflag & CBAUD) {
68390 @@ -329,7 +329,7 @@ static int ircomm_tty_block_til_ready(st
68393 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
68394 - __FILE__,__LINE__, tty->driver->name, self->open_count );
68395 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
68399 @@ -340,13 +340,13 @@ static int ircomm_tty_block_til_ready(st
68401 /* ++ is not atomic, so this should be protected - Jean II */
68402 spin_lock_irqsave(&self->spinlock, flags);
68403 - self->open_count++;
68404 + local_inc(&self->open_count);
68405 spin_unlock_irqrestore(&self->spinlock, flags);
68407 - self->blocked_open--;
68408 + local_dec(&self->blocked_open);
68410 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
68411 - __FILE__,__LINE__, tty->driver->name, self->open_count);
68412 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
68415 self->flags |= ASYNC_NORMAL_ACTIVE;
68416 @@ -415,14 +415,14 @@ static int ircomm_tty_open(struct tty_st
68418 /* ++ is not atomic, so this should be protected - Jean II */
68419 spin_lock_irqsave(&self->spinlock, flags);
68420 - self->open_count++;
68421 + local_inc(&self->open_count);
68423 tty->driver_data = self;
68425 spin_unlock_irqrestore(&self->spinlock, flags);
68427 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
68428 - self->line, self->open_count);
68429 + self->line, local_read(&self->open_count));
68431 /* Not really used by us, but lets do it anyway */
68432 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
68433 @@ -511,7 +511,7 @@ static void ircomm_tty_close(struct tty_
68437 - if ((tty->count == 1) && (self->open_count != 1)) {
68438 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
68440 * Uh, oh. tty->count is 1, which means that the tty
68441 * structure will be freed. state->count should always
68442 @@ -521,16 +521,16 @@ static void ircomm_tty_close(struct tty_
68444 IRDA_DEBUG(0, "%s(), bad serial port count; "
68445 "tty->count is 1, state->count is %d\n", __func__ ,
68446 - self->open_count);
68447 - self->open_count = 1;
68448 + local_read(&self->open_count));
68449 + local_set(&self->open_count, 1);
68452 - if (--self->open_count < 0) {
68453 + if (local_dec_return(&self->open_count) < 0) {
68454 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
68455 - __func__, self->line, self->open_count);
68456 - self->open_count = 0;
68457 + __func__, self->line, local_read(&self->open_count));
68458 + local_set(&self->open_count, 0);
68460 - if (self->open_count) {
68461 + if (local_read(&self->open_count)) {
68462 spin_unlock_irqrestore(&self->spinlock, flags);
68464 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
68465 @@ -562,7 +562,7 @@ static void ircomm_tty_close(struct tty_
68469 - if (self->blocked_open) {
68470 + if (local_read(&self->blocked_open)) {
68471 if (self->close_delay)
68472 schedule_timeout_interruptible(self->close_delay);
68473 wake_up_interruptible(&self->open_wait);
68474 @@ -1017,7 +1017,7 @@ static void ircomm_tty_hangup(struct tty
68475 spin_lock_irqsave(&self->spinlock, flags);
68476 self->flags &= ~ASYNC_NORMAL_ACTIVE;
68478 - self->open_count = 0;
68479 + local_set(&self->open_count, 0);
68480 spin_unlock_irqrestore(&self->spinlock, flags);
68482 wake_up_interruptible(&self->open_wait);
68483 @@ -1369,7 +1369,7 @@ static void ircomm_tty_line_info(struct
68486 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
68487 - seq_printf(m, "Open count: %d\n", self->open_count);
68488 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
68489 seq_printf(m, "Max data size: %d\n", self->max_data_size);
68490 seq_printf(m, "Max header size: %d\n", self->max_header_size);
68492 diff -urNp linux-2.6.32.42/net/iucv/af_iucv.c linux-2.6.32.42/net/iucv/af_iucv.c
68493 --- linux-2.6.32.42/net/iucv/af_iucv.c 2011-03-27 14:31:47.000000000 -0400
68494 +++ linux-2.6.32.42/net/iucv/af_iucv.c 2011-05-04 17:56:28.000000000 -0400
68495 @@ -651,10 +651,10 @@ static int iucv_sock_autobind(struct soc
68497 write_lock_bh(&iucv_sk_list.lock);
68499 - sprintf(name, "%08x", atomic_inc_return(&iucv_sk_list.autobind_name));
68500 + sprintf(name, "%08x", atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
68501 while (__iucv_get_sock_by_name(name)) {
68502 sprintf(name, "%08x",
68503 - atomic_inc_return(&iucv_sk_list.autobind_name));
68504 + atomic_inc_return_unchecked(&iucv_sk_list.autobind_name));
68507 write_unlock_bh(&iucv_sk_list.lock);
68508 diff -urNp linux-2.6.32.42/net/key/af_key.c linux-2.6.32.42/net/key/af_key.c
68509 --- linux-2.6.32.42/net/key/af_key.c 2011-03-27 14:31:47.000000000 -0400
68510 +++ linux-2.6.32.42/net/key/af_key.c 2011-05-16 21:46:57.000000000 -0400
68511 @@ -2489,6 +2489,8 @@ static int pfkey_migrate(struct sock *sk
68512 struct xfrm_migrate m[XFRM_MAX_DEPTH];
68513 struct xfrm_kmaddress k;
68515 + pax_track_stack();
68517 if (!present_and_same_family(ext_hdrs[SADB_EXT_ADDRESS_SRC - 1],
68518 ext_hdrs[SADB_EXT_ADDRESS_DST - 1]) ||
68519 !ext_hdrs[SADB_X_EXT_POLICY - 1]) {
68520 @@ -3660,7 +3662,11 @@ static int pfkey_seq_show(struct seq_fil
68521 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
68523 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
68524 +#ifdef CONFIG_GRKERNSEC_HIDESYM
68529 atomic_read(&s->sk_refcnt),
68530 sk_rmem_alloc_get(s),
68531 sk_wmem_alloc_get(s),
68532 diff -urNp linux-2.6.32.42/net/mac80211/cfg.c linux-2.6.32.42/net/mac80211/cfg.c
68533 --- linux-2.6.32.42/net/mac80211/cfg.c 2011-03-27 14:31:47.000000000 -0400
68534 +++ linux-2.6.32.42/net/mac80211/cfg.c 2011-04-17 15:56:46.000000000 -0400
68535 @@ -1369,7 +1369,7 @@ static int ieee80211_set_bitrate_mask(st
68539 -struct cfg80211_ops mac80211_config_ops = {
68540 +const struct cfg80211_ops mac80211_config_ops = {
68541 .add_virtual_intf = ieee80211_add_iface,
68542 .del_virtual_intf = ieee80211_del_iface,
68543 .change_virtual_intf = ieee80211_change_iface,
68544 diff -urNp linux-2.6.32.42/net/mac80211/cfg.h linux-2.6.32.42/net/mac80211/cfg.h
68545 --- linux-2.6.32.42/net/mac80211/cfg.h 2011-03-27 14:31:47.000000000 -0400
68546 +++ linux-2.6.32.42/net/mac80211/cfg.h 2011-04-17 15:56:46.000000000 -0400
68551 -extern struct cfg80211_ops mac80211_config_ops;
68552 +extern const struct cfg80211_ops mac80211_config_ops;
68554 #endif /* __CFG_H */
68555 diff -urNp linux-2.6.32.42/net/mac80211/debugfs_key.c linux-2.6.32.42/net/mac80211/debugfs_key.c
68556 --- linux-2.6.32.42/net/mac80211/debugfs_key.c 2011-03-27 14:31:47.000000000 -0400
68557 +++ linux-2.6.32.42/net/mac80211/debugfs_key.c 2011-04-17 15:56:46.000000000 -0400
68558 @@ -211,9 +211,13 @@ static ssize_t key_key_read(struct file
68559 size_t count, loff_t *ppos)
68561 struct ieee80211_key *key = file->private_data;
68562 - int i, res, bufsize = 2 * key->conf.keylen + 2;
68563 + int i, bufsize = 2 * key->conf.keylen + 2;
68564 char *buf = kmalloc(bufsize, GFP_KERNEL);
68571 for (i = 0; i < key->conf.keylen; i++)
68572 p += scnprintf(p, bufsize + buf - p, "%02x", key->conf.key[i]);
68573 diff -urNp linux-2.6.32.42/net/mac80211/debugfs_sta.c linux-2.6.32.42/net/mac80211/debugfs_sta.c
68574 --- linux-2.6.32.42/net/mac80211/debugfs_sta.c 2011-03-27 14:31:47.000000000 -0400
68575 +++ linux-2.6.32.42/net/mac80211/debugfs_sta.c 2011-05-16 21:46:57.000000000 -0400
68576 @@ -124,6 +124,8 @@ static ssize_t sta_agg_status_read(struc
68578 struct sta_info *sta = file->private_data;
68580 + pax_track_stack();
68582 spin_lock_bh(&sta->lock);
68583 p += scnprintf(p, sizeof(buf)+buf-p, "next dialog_token is %#02x\n",
68584 sta->ampdu_mlme.dialog_token_allocator + 1);
68585 diff -urNp linux-2.6.32.42/net/mac80211/ieee80211_i.h linux-2.6.32.42/net/mac80211/ieee80211_i.h
68586 --- linux-2.6.32.42/net/mac80211/ieee80211_i.h 2011-03-27 14:31:47.000000000 -0400
68587 +++ linux-2.6.32.42/net/mac80211/ieee80211_i.h 2011-04-17 15:56:46.000000000 -0400
68589 #include <linux/etherdevice.h>
68590 #include <net/cfg80211.h>
68591 #include <net/mac80211.h>
68592 +#include <asm/local.h>
68594 #include "sta_info.h"
68596 @@ -635,7 +636,7 @@ struct ieee80211_local {
68597 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
68598 spinlock_t queue_stop_reason_lock;
68601 + local_t open_count;
68602 int monitors, cooked_mntrs;
68603 /* number of interfaces with corresponding FIF_ flags */
68604 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
68605 diff -urNp linux-2.6.32.42/net/mac80211/iface.c linux-2.6.32.42/net/mac80211/iface.c
68606 --- linux-2.6.32.42/net/mac80211/iface.c 2011-03-27 14:31:47.000000000 -0400
68607 +++ linux-2.6.32.42/net/mac80211/iface.c 2011-04-17 15:56:46.000000000 -0400
68608 @@ -166,7 +166,7 @@ static int ieee80211_open(struct net_dev
68612 - if (local->open_count == 0) {
68613 + if (local_read(&local->open_count) == 0) {
68614 res = drv_start(local);
68617 @@ -196,7 +196,7 @@ static int ieee80211_open(struct net_dev
68618 * Validate the MAC address for this device.
68620 if (!is_valid_ether_addr(dev->dev_addr)) {
68621 - if (!local->open_count)
68622 + if (!local_read(&local->open_count))
68624 return -EADDRNOTAVAIL;
68626 @@ -292,7 +292,7 @@ static int ieee80211_open(struct net_dev
68628 hw_reconf_flags |= __ieee80211_recalc_idle(local);
68630 - local->open_count++;
68631 + local_inc(&local->open_count);
68632 if (hw_reconf_flags) {
68633 ieee80211_hw_config(local, hw_reconf_flags);
68635 @@ -320,7 +320,7 @@ static int ieee80211_open(struct net_dev
68637 drv_remove_interface(local, &conf);
68639 - if (!local->open_count)
68640 + if (!local_read(&local->open_count))
68644 @@ -420,7 +420,7 @@ static int ieee80211_stop(struct net_dev
68645 WARN_ON(!list_empty(&sdata->u.ap.vlans));
68648 - local->open_count--;
68649 + local_dec(&local->open_count);
68651 switch (sdata->vif.type) {
68652 case NL80211_IFTYPE_AP_VLAN:
68653 @@ -526,7 +526,7 @@ static int ieee80211_stop(struct net_dev
68655 ieee80211_recalc_ps(local, -1);
68657 - if (local->open_count == 0) {
68658 + if (local_read(&local->open_count) == 0) {
68659 ieee80211_clear_tx_pending(local);
68660 ieee80211_stop_device(local);
68662 diff -urNp linux-2.6.32.42/net/mac80211/main.c linux-2.6.32.42/net/mac80211/main.c
68663 --- linux-2.6.32.42/net/mac80211/main.c 2011-05-10 22:12:02.000000000 -0400
68664 +++ linux-2.6.32.42/net/mac80211/main.c 2011-05-10 22:12:34.000000000 -0400
68665 @@ -145,7 +145,7 @@ int ieee80211_hw_config(struct ieee80211
68666 local->hw.conf.power_level = power;
68669 - if (changed && local->open_count) {
68670 + if (changed && local_read(&local->open_count)) {
68671 ret = drv_config(local, changed);
68674 diff -urNp linux-2.6.32.42/net/mac80211/mlme.c linux-2.6.32.42/net/mac80211/mlme.c
68675 --- linux-2.6.32.42/net/mac80211/mlme.c 2011-03-27 14:31:47.000000000 -0400
68676 +++ linux-2.6.32.42/net/mac80211/mlme.c 2011-05-16 21:46:57.000000000 -0400
68677 @@ -1438,6 +1438,8 @@ ieee80211_rx_mgmt_assoc_resp(struct ieee
68678 bool have_higher_than_11mbit = false, newsta = false;
68679 u16 ap_ht_cap_flags;
68681 + pax_track_stack();
68684 * AssocResp and ReassocResp have identical structure, so process both
68685 * of them in this function.
68686 diff -urNp linux-2.6.32.42/net/mac80211/pm.c linux-2.6.32.42/net/mac80211/pm.c
68687 --- linux-2.6.32.42/net/mac80211/pm.c 2011-03-27 14:31:47.000000000 -0400
68688 +++ linux-2.6.32.42/net/mac80211/pm.c 2011-04-17 15:56:46.000000000 -0400
68689 @@ -107,7 +107,7 @@ int __ieee80211_suspend(struct ieee80211
68692 /* stop hardware - this must stop RX */
68693 - if (local->open_count)
68694 + if (local_read(&local->open_count))
68695 ieee80211_stop_device(local);
68697 local->suspended = true;
68698 diff -urNp linux-2.6.32.42/net/mac80211/rate.c linux-2.6.32.42/net/mac80211/rate.c
68699 --- linux-2.6.32.42/net/mac80211/rate.c 2011-03-27 14:31:47.000000000 -0400
68700 +++ linux-2.6.32.42/net/mac80211/rate.c 2011-04-17 15:56:46.000000000 -0400
68701 @@ -287,7 +287,7 @@ int ieee80211_init_rate_ctrl_alg(struct
68702 struct rate_control_ref *ref, *old;
68705 - if (local->open_count)
68706 + if (local_read(&local->open_count))
68709 ref = rate_control_alloc(name, local);
68710 diff -urNp linux-2.6.32.42/net/mac80211/tx.c linux-2.6.32.42/net/mac80211/tx.c
68711 --- linux-2.6.32.42/net/mac80211/tx.c 2011-03-27 14:31:47.000000000 -0400
68712 +++ linux-2.6.32.42/net/mac80211/tx.c 2011-04-17 15:56:46.000000000 -0400
68713 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
68714 return cpu_to_le16(dur);
68717 -static int inline is_ieee80211_device(struct ieee80211_local *local,
68718 +static inline int is_ieee80211_device(struct ieee80211_local *local,
68719 struct net_device *dev)
68721 return local == wdev_priv(dev->ieee80211_ptr);
68722 diff -urNp linux-2.6.32.42/net/mac80211/util.c linux-2.6.32.42/net/mac80211/util.c
68723 --- linux-2.6.32.42/net/mac80211/util.c 2011-03-27 14:31:47.000000000 -0400
68724 +++ linux-2.6.32.42/net/mac80211/util.c 2011-04-17 15:56:46.000000000 -0400
68725 @@ -1042,7 +1042,7 @@ int ieee80211_reconfig(struct ieee80211_
68726 local->resuming = true;
68728 /* restart hardware */
68729 - if (local->open_count) {
68730 + if (local_read(&local->open_count)) {
68732 * Upon resume hardware can sometimes be goofy due to
68733 * various platform / driver / bus issues, so restarting
68734 diff -urNp linux-2.6.32.42/net/netfilter/ipvs/ip_vs_app.c linux-2.6.32.42/net/netfilter/ipvs/ip_vs_app.c
68735 --- linux-2.6.32.42/net/netfilter/ipvs/ip_vs_app.c 2011-03-27 14:31:47.000000000 -0400
68736 +++ linux-2.6.32.42/net/netfilter/ipvs/ip_vs_app.c 2011-05-17 19:26:34.000000000 -0400
68737 @@ -564,7 +564,7 @@ static const struct file_operations ip_v
68738 .open = ip_vs_app_open,
68740 .llseek = seq_lseek,
68741 - .release = seq_release,
68742 + .release = seq_release_net,
68746 diff -urNp linux-2.6.32.42/net/netfilter/ipvs/ip_vs_conn.c linux-2.6.32.42/net/netfilter/ipvs/ip_vs_conn.c
68747 --- linux-2.6.32.42/net/netfilter/ipvs/ip_vs_conn.c 2011-03-27 14:31:47.000000000 -0400
68748 +++ linux-2.6.32.42/net/netfilter/ipvs/ip_vs_conn.c 2011-05-17 19:26:34.000000000 -0400
68749 @@ -453,10 +453,10 @@ ip_vs_bind_dest(struct ip_vs_conn *cp, s
68750 /* if the connection is not template and is created
68751 * by sync, preserve the activity flag.
68753 - cp->flags |= atomic_read(&dest->conn_flags) &
68754 + cp->flags |= atomic_read_unchecked(&dest->conn_flags) &
68755 (~IP_VS_CONN_F_INACTIVE);
68757 - cp->flags |= atomic_read(&dest->conn_flags);
68758 + cp->flags |= atomic_read_unchecked(&dest->conn_flags);
68761 IP_VS_DBG_BUF(7, "Bind-dest %s c:%s:%d v:%s:%d "
68762 @@ -723,7 +723,7 @@ ip_vs_conn_new(int af, int proto, const
68763 atomic_set(&cp->refcnt, 1);
68765 atomic_set(&cp->n_control, 0);
68766 - atomic_set(&cp->in_pkts, 0);
68767 + atomic_set_unchecked(&cp->in_pkts, 0);
68769 atomic_inc(&ip_vs_conn_count);
68770 if (flags & IP_VS_CONN_F_NO_CPORT)
68771 @@ -871,7 +871,7 @@ static const struct file_operations ip_v
68772 .open = ip_vs_conn_open,
68774 .llseek = seq_lseek,
68775 - .release = seq_release,
68776 + .release = seq_release_net,
68779 static const char *ip_vs_origin_name(unsigned flags)
68780 @@ -934,7 +934,7 @@ static const struct file_operations ip_v
68781 .open = ip_vs_conn_sync_open,
68783 .llseek = seq_lseek,
68784 - .release = seq_release,
68785 + .release = seq_release_net,
68789 @@ -961,7 +961,7 @@ static inline int todrop_entry(struct ip
68791 /* Don't drop the entry if its number of incoming packets is not
68792 located in [0, 8] */
68793 - i = atomic_read(&cp->in_pkts);
68794 + i = atomic_read_unchecked(&cp->in_pkts);
68795 if (i > 8 || i < 0) return 0;
68797 if (!todrop_rate[i]) return 0;
68798 diff -urNp linux-2.6.32.42/net/netfilter/ipvs/ip_vs_core.c linux-2.6.32.42/net/netfilter/ipvs/ip_vs_core.c
68799 --- linux-2.6.32.42/net/netfilter/ipvs/ip_vs_core.c 2011-03-27 14:31:47.000000000 -0400
68800 +++ linux-2.6.32.42/net/netfilter/ipvs/ip_vs_core.c 2011-05-04 17:56:28.000000000 -0400
68801 @@ -485,7 +485,7 @@ int ip_vs_leave(struct ip_vs_service *sv
68802 ret = cp->packet_xmit(skb, cp, pp);
68803 /* do not touch skb anymore */
68805 - atomic_inc(&cp->in_pkts);
68806 + atomic_inc_unchecked(&cp->in_pkts);
68807 ip_vs_conn_put(cp);
68810 @@ -1357,7 +1357,7 @@ ip_vs_in(unsigned int hooknum, struct sk
68811 * Sync connection if it is about to close to
68812 * encorage the standby servers to update the connections timeout
68814 - pkts = atomic_add_return(1, &cp->in_pkts);
68815 + pkts = atomic_add_return_unchecked(1, &cp->in_pkts);
68816 if (af == AF_INET &&
68817 (ip_vs_sync_state & IP_VS_STATE_MASTER) &&
68818 (((cp->protocol != IPPROTO_TCP ||
68819 diff -urNp linux-2.6.32.42/net/netfilter/ipvs/ip_vs_ctl.c linux-2.6.32.42/net/netfilter/ipvs/ip_vs_ctl.c
68820 --- linux-2.6.32.42/net/netfilter/ipvs/ip_vs_ctl.c 2011-03-27 14:31:47.000000000 -0400
68821 +++ linux-2.6.32.42/net/netfilter/ipvs/ip_vs_ctl.c 2011-05-17 19:26:34.000000000 -0400
68822 @@ -792,7 +792,7 @@ __ip_vs_update_dest(struct ip_vs_service
68823 ip_vs_rs_hash(dest);
68824 write_unlock_bh(&__ip_vs_rs_lock);
68826 - atomic_set(&dest->conn_flags, conn_flags);
68827 + atomic_set_unchecked(&dest->conn_flags, conn_flags);
68829 /* bind the service */
68831 @@ -1888,7 +1888,7 @@ static int ip_vs_info_seq_show(struct se
68832 " %-7s %-6d %-10d %-10d\n",
68835 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
68836 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
68837 atomic_read(&dest->weight),
68838 atomic_read(&dest->activeconns),
68839 atomic_read(&dest->inactconns));
68840 @@ -1899,7 +1899,7 @@ static int ip_vs_info_seq_show(struct se
68841 "%-7s %-6d %-10d %-10d\n",
68842 ntohl(dest->addr.ip),
68844 - ip_vs_fwd_name(atomic_read(&dest->conn_flags)),
68845 + ip_vs_fwd_name(atomic_read_unchecked(&dest->conn_flags)),
68846 atomic_read(&dest->weight),
68847 atomic_read(&dest->activeconns),
68848 atomic_read(&dest->inactconns));
68849 @@ -1927,7 +1927,7 @@ static const struct file_operations ip_v
68850 .open = ip_vs_info_open,
68852 .llseek = seq_lseek,
68853 - .release = seq_release_private,
68854 + .release = seq_release_net,
68858 @@ -1976,7 +1976,7 @@ static const struct file_operations ip_v
68859 .open = ip_vs_stats_seq_open,
68861 .llseek = seq_lseek,
68862 - .release = single_release,
68863 + .release = single_release_net,
68867 @@ -2292,7 +2292,7 @@ __ip_vs_get_dest_entries(const struct ip
68869 entry.addr = dest->addr.ip;
68870 entry.port = dest->port;
68871 - entry.conn_flags = atomic_read(&dest->conn_flags);
68872 + entry.conn_flags = atomic_read_unchecked(&dest->conn_flags);
68873 entry.weight = atomic_read(&dest->weight);
68874 entry.u_threshold = dest->u_threshold;
68875 entry.l_threshold = dest->l_threshold;
68876 @@ -2353,6 +2353,8 @@ do_ip_vs_get_ctl(struct sock *sk, int cm
68877 unsigned char arg[128];
68880 + pax_track_stack();
68882 if (!capable(CAP_NET_ADMIN))
68885 @@ -2802,7 +2804,7 @@ static int ip_vs_genl_fill_dest(struct s
68886 NLA_PUT_U16(skb, IPVS_DEST_ATTR_PORT, dest->port);
68888 NLA_PUT_U32(skb, IPVS_DEST_ATTR_FWD_METHOD,
68889 - atomic_read(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
68890 + atomic_read_unchecked(&dest->conn_flags) & IP_VS_CONN_F_FWD_MASK);
68891 NLA_PUT_U32(skb, IPVS_DEST_ATTR_WEIGHT, atomic_read(&dest->weight));
68892 NLA_PUT_U32(skb, IPVS_DEST_ATTR_U_THRESH, dest->u_threshold);
68893 NLA_PUT_U32(skb, IPVS_DEST_ATTR_L_THRESH, dest->l_threshold);
68894 diff -urNp linux-2.6.32.42/net/netfilter/ipvs/ip_vs_sync.c linux-2.6.32.42/net/netfilter/ipvs/ip_vs_sync.c
68895 --- linux-2.6.32.42/net/netfilter/ipvs/ip_vs_sync.c 2011-03-27 14:31:47.000000000 -0400
68896 +++ linux-2.6.32.42/net/netfilter/ipvs/ip_vs_sync.c 2011-05-04 17:56:28.000000000 -0400
68897 @@ -438,7 +438,7 @@ static void ip_vs_process_message(const
68900 memcpy(&cp->in_seq, opt, sizeof(*opt));
68901 - atomic_set(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
68902 + atomic_set_unchecked(&cp->in_pkts, sysctl_ip_vs_sync_threshold[0]);
68904 cp->old_state = cp->state;
68906 diff -urNp linux-2.6.32.42/net/netfilter/ipvs/ip_vs_xmit.c linux-2.6.32.42/net/netfilter/ipvs/ip_vs_xmit.c
68907 --- linux-2.6.32.42/net/netfilter/ipvs/ip_vs_xmit.c 2011-03-27 14:31:47.000000000 -0400
68908 +++ linux-2.6.32.42/net/netfilter/ipvs/ip_vs_xmit.c 2011-05-04 17:56:28.000000000 -0400
68909 @@ -875,7 +875,7 @@ ip_vs_icmp_xmit(struct sk_buff *skb, str
68912 /* do not touch skb anymore */
68913 - atomic_inc(&cp->in_pkts);
68914 + atomic_inc_unchecked(&cp->in_pkts);
68918 @@ -949,7 +949,7 @@ ip_vs_icmp_xmit_v6(struct sk_buff *skb,
68921 /* do not touch skb anymore */
68922 - atomic_inc(&cp->in_pkts);
68923 + atomic_inc_unchecked(&cp->in_pkts);
68927 diff -urNp linux-2.6.32.42/net/netfilter/Kconfig linux-2.6.32.42/net/netfilter/Kconfig
68928 --- linux-2.6.32.42/net/netfilter/Kconfig 2011-03-27 14:31:47.000000000 -0400
68929 +++ linux-2.6.32.42/net/netfilter/Kconfig 2011-04-17 15:56:46.000000000 -0400
68930 @@ -635,6 +635,16 @@ config NETFILTER_XT_MATCH_ESP
68932 To compile it as a module, choose M here. If unsure, say N.
68934 +config NETFILTER_XT_MATCH_GRADM
68935 + tristate '"gradm" match support'
68936 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
68937 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
68939 + The gradm match allows to match on grsecurity RBAC being enabled.
68940 + It is useful when iptables rules are applied early on bootup to
68941 + prevent connections to the machine (except from a trusted host)
68942 + while the RBAC system is disabled.
68944 config NETFILTER_XT_MATCH_HASHLIMIT
68945 tristate '"hashlimit" match support'
68946 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
68947 diff -urNp linux-2.6.32.42/net/netfilter/Makefile linux-2.6.32.42/net/netfilter/Makefile
68948 --- linux-2.6.32.42/net/netfilter/Makefile 2011-03-27 14:31:47.000000000 -0400
68949 +++ linux-2.6.32.42/net/netfilter/Makefile 2011-04-17 15:56:46.000000000 -0400
68950 @@ -68,6 +68,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRAC
68951 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
68952 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
68953 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
68954 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
68955 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
68956 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
68957 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
68958 diff -urNp linux-2.6.32.42/net/netfilter/nf_conntrack_netlink.c linux-2.6.32.42/net/netfilter/nf_conntrack_netlink.c
68959 --- linux-2.6.32.42/net/netfilter/nf_conntrack_netlink.c 2011-03-27 14:31:47.000000000 -0400
68960 +++ linux-2.6.32.42/net/netfilter/nf_conntrack_netlink.c 2011-04-17 15:56:46.000000000 -0400
68961 @@ -706,7 +706,7 @@ ctnetlink_parse_tuple_proto(struct nlatt
68963 ctnetlink_parse_tuple(const struct nlattr * const cda[],
68964 struct nf_conntrack_tuple *tuple,
68965 - enum ctattr_tuple type, u_int8_t l3num)
68966 + enum ctattr_type type, u_int8_t l3num)
68968 struct nlattr *tb[CTA_TUPLE_MAX+1];
68970 diff -urNp linux-2.6.32.42/net/netfilter/nfnetlink_log.c linux-2.6.32.42/net/netfilter/nfnetlink_log.c
68971 --- linux-2.6.32.42/net/netfilter/nfnetlink_log.c 2011-03-27 14:31:47.000000000 -0400
68972 +++ linux-2.6.32.42/net/netfilter/nfnetlink_log.c 2011-05-04 17:56:28.000000000 -0400
68973 @@ -68,7 +68,7 @@ struct nfulnl_instance {
68976 static DEFINE_RWLOCK(instances_lock);
68977 -static atomic_t global_seq;
68978 +static atomic_unchecked_t global_seq;
68980 #define INSTANCE_BUCKETS 16
68981 static struct hlist_head instance_table[INSTANCE_BUCKETS];
68982 @@ -493,7 +493,7 @@ __build_packet_message(struct nfulnl_ins
68983 /* global sequence number */
68984 if (inst->flags & NFULNL_CFG_F_SEQ_GLOBAL)
68985 NLA_PUT_BE32(inst->skb, NFULA_SEQ_GLOBAL,
68986 - htonl(atomic_inc_return(&global_seq)));
68987 + htonl(atomic_inc_return_unchecked(&global_seq)));
68990 struct nlattr *nla;
68991 diff -urNp linux-2.6.32.42/net/netfilter/xt_gradm.c linux-2.6.32.42/net/netfilter/xt_gradm.c
68992 --- linux-2.6.32.42/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
68993 +++ linux-2.6.32.42/net/netfilter/xt_gradm.c 2011-04-17 15:56:46.000000000 -0400
68996 + * gradm match for netfilter
68997 + * Copyright © Zbigniew Krzystolik, 2010
68999 + * This program is free software; you can redistribute it and/or modify
69000 + * it under the terms of the GNU General Public License; either version
69001 + * 2 or 3 as published by the Free Software Foundation.
69003 +#include <linux/module.h>
69004 +#include <linux/moduleparam.h>
69005 +#include <linux/skbuff.h>
69006 +#include <linux/netfilter/x_tables.h>
69007 +#include <linux/grsecurity.h>
69008 +#include <linux/netfilter/xt_gradm.h>
69011 +gradm_mt(const struct sk_buff *skb, const struct xt_match_param *par)
69013 + const struct xt_gradm_mtinfo *info = par->matchinfo;
69014 + bool retval = false;
69015 + if (gr_acl_is_enabled())
69017 + return retval ^ info->invflags;
69020 +static struct xt_match gradm_mt_reg __read_mostly = {
69023 + .family = NFPROTO_UNSPEC,
69024 + .match = gradm_mt,
69025 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
69026 + .me = THIS_MODULE,
69029 +static int __init gradm_mt_init(void)
69031 + return xt_register_match(&gradm_mt_reg);
69034 +static void __exit gradm_mt_exit(void)
69036 + xt_unregister_match(&gradm_mt_reg);
69039 +module_init(gradm_mt_init);
69040 +module_exit(gradm_mt_exit);
69041 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
69042 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
69043 +MODULE_LICENSE("GPL");
69044 +MODULE_ALIAS("ipt_gradm");
69045 +MODULE_ALIAS("ip6t_gradm");
69046 diff -urNp linux-2.6.32.42/net/netlink/af_netlink.c linux-2.6.32.42/net/netlink/af_netlink.c
69047 --- linux-2.6.32.42/net/netlink/af_netlink.c 2011-03-27 14:31:47.000000000 -0400
69048 +++ linux-2.6.32.42/net/netlink/af_netlink.c 2011-05-04 17:56:28.000000000 -0400
69049 @@ -733,7 +733,7 @@ static void netlink_overrun(struct sock
69050 sk->sk_error_report(sk);
69053 - atomic_inc(&sk->sk_drops);
69054 + atomic_inc_unchecked(&sk->sk_drops);
69057 static struct sock *netlink_getsockbypid(struct sock *ssk, u32 pid)
69058 @@ -1964,15 +1964,23 @@ static int netlink_seq_show(struct seq_f
69059 struct netlink_sock *nlk = nlk_sk(s);
69061 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d\n",
69062 +#ifdef CONFIG_GRKERNSEC_HIDESYM
69069 nlk->groups ? (u32)nlk->groups[0] : 0,
69070 sk_rmem_alloc_get(s),
69071 sk_wmem_alloc_get(s),
69072 +#ifdef CONFIG_GRKERNSEC_HIDESYM
69077 atomic_read(&s->sk_refcnt),
69078 - atomic_read(&s->sk_drops)
69079 + atomic_read_unchecked(&s->sk_drops)
69083 diff -urNp linux-2.6.32.42/net/netrom/af_netrom.c linux-2.6.32.42/net/netrom/af_netrom.c
69084 --- linux-2.6.32.42/net/netrom/af_netrom.c 2011-03-27 14:31:47.000000000 -0400
69085 +++ linux-2.6.32.42/net/netrom/af_netrom.c 2011-04-17 15:56:46.000000000 -0400
69086 @@ -838,6 +838,7 @@ static int nr_getname(struct socket *soc
69087 struct sock *sk = sock->sk;
69088 struct nr_sock *nr = nr_sk(sk);
69090 + memset(sax, 0, sizeof(*sax));
69093 if (sk->sk_state != TCP_ESTABLISHED) {
69094 @@ -852,7 +853,6 @@ static int nr_getname(struct socket *soc
69095 *uaddr_len = sizeof(struct full_sockaddr_ax25);
69097 sax->fsa_ax25.sax25_family = AF_NETROM;
69098 - sax->fsa_ax25.sax25_ndigis = 0;
69099 sax->fsa_ax25.sax25_call = nr->source_addr;
69100 *uaddr_len = sizeof(struct sockaddr_ax25);
69102 diff -urNp linux-2.6.32.42/net/packet/af_packet.c linux-2.6.32.42/net/packet/af_packet.c
69103 --- linux-2.6.32.42/net/packet/af_packet.c 2011-04-17 17:00:52.000000000 -0400
69104 +++ linux-2.6.32.42/net/packet/af_packet.c 2011-04-17 15:56:46.000000000 -0400
69105 @@ -2427,7 +2427,11 @@ static int packet_seq_show(struct seq_fi
69108 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
69109 +#ifdef CONFIG_GRKERNSEC_HIDESYM
69114 atomic_read(&s->sk_refcnt),
69117 diff -urNp linux-2.6.32.42/net/phonet/af_phonet.c linux-2.6.32.42/net/phonet/af_phonet.c
69118 --- linux-2.6.32.42/net/phonet/af_phonet.c 2011-03-27 14:31:47.000000000 -0400
69119 +++ linux-2.6.32.42/net/phonet/af_phonet.c 2011-04-17 15:56:46.000000000 -0400
69120 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
69122 struct phonet_protocol *pp;
69124 - if (protocol >= PHONET_NPROTO)
69125 + if (protocol < 0 || protocol >= PHONET_NPROTO)
69128 spin_lock(&proto_tab_lock);
69129 @@ -402,7 +402,7 @@ int __init_or_module phonet_proto_regist
69133 - if (protocol >= PHONET_NPROTO)
69134 + if (protocol < 0 || protocol >= PHONET_NPROTO)
69137 err = proto_register(pp->prot, 1);
69138 diff -urNp linux-2.6.32.42/net/phonet/datagram.c linux-2.6.32.42/net/phonet/datagram.c
69139 --- linux-2.6.32.42/net/phonet/datagram.c 2011-03-27 14:31:47.000000000 -0400
69140 +++ linux-2.6.32.42/net/phonet/datagram.c 2011-05-04 17:56:28.000000000 -0400
69141 @@ -162,7 +162,7 @@ static int pn_backlog_rcv(struct sock *s
69144 if (err == -ENOMEM)
69145 - atomic_inc(&sk->sk_drops);
69146 + atomic_inc_unchecked(&sk->sk_drops);
69148 return err ? NET_RX_DROP : NET_RX_SUCCESS;
69150 diff -urNp linux-2.6.32.42/net/phonet/pep.c linux-2.6.32.42/net/phonet/pep.c
69151 --- linux-2.6.32.42/net/phonet/pep.c 2011-03-27 14:31:47.000000000 -0400
69152 +++ linux-2.6.32.42/net/phonet/pep.c 2011-05-04 17:56:28.000000000 -0400
69153 @@ -348,7 +348,7 @@ static int pipe_do_rcv(struct sock *sk,
69155 case PNS_PEP_CTRL_REQ:
69156 if (skb_queue_len(&pn->ctrlreq_queue) >= PNPIPE_CTRLREQ_MAX) {
69157 - atomic_inc(&sk->sk_drops);
69158 + atomic_inc_unchecked(&sk->sk_drops);
69161 __skb_pull(skb, 4);
69162 @@ -362,12 +362,12 @@ static int pipe_do_rcv(struct sock *sk,
69165 if (err == -ENOMEM)
69166 - atomic_inc(&sk->sk_drops);
69167 + atomic_inc_unchecked(&sk->sk_drops);
69171 if (pn->rx_credits == 0) {
69172 - atomic_inc(&sk->sk_drops);
69173 + atomic_inc_unchecked(&sk->sk_drops);
69177 diff -urNp linux-2.6.32.42/net/phonet/socket.c linux-2.6.32.42/net/phonet/socket.c
69178 --- linux-2.6.32.42/net/phonet/socket.c 2011-03-27 14:31:47.000000000 -0400
69179 +++ linux-2.6.32.42/net/phonet/socket.c 2011-05-04 17:57:07.000000000 -0400
69180 @@ -482,8 +482,13 @@ static int pn_sock_seq_show(struct seq_f
69182 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
69183 sock_i_uid(sk), sock_i_ino(sk),
69184 - atomic_read(&sk->sk_refcnt), sk,
69185 - atomic_read(&sk->sk_drops), &len);
69186 + atomic_read(&sk->sk_refcnt),
69187 +#ifdef CONFIG_GRKERNSEC_HIDESYM
69192 + atomic_read_unchecked(&sk->sk_drops), &len);
69194 seq_printf(seq, "%*s\n", 127 - len, "");
69196 diff -urNp linux-2.6.32.42/net/rds/cong.c linux-2.6.32.42/net/rds/cong.c
69197 --- linux-2.6.32.42/net/rds/cong.c 2011-03-27 14:31:47.000000000 -0400
69198 +++ linux-2.6.32.42/net/rds/cong.c 2011-05-04 17:56:28.000000000 -0400
69200 * finds that the saved generation number is smaller than the global generation
69201 * number, it wakes up the process.
69203 -static atomic_t rds_cong_generation = ATOMIC_INIT(0);
69204 +static atomic_unchecked_t rds_cong_generation = ATOMIC_INIT(0);
69207 * Congestion monitoring
69208 @@ -232,7 +232,7 @@ void rds_cong_map_updated(struct rds_con
69209 rdsdebug("waking map %p for %pI4\n",
69210 map, &map->m_addr);
69211 rds_stats_inc(s_cong_update_received);
69212 - atomic_inc(&rds_cong_generation);
69213 + atomic_inc_unchecked(&rds_cong_generation);
69214 if (waitqueue_active(&map->m_waitq))
69215 wake_up(&map->m_waitq);
69216 if (waitqueue_active(&rds_poll_waitq))
69217 @@ -258,7 +258,7 @@ EXPORT_SYMBOL_GPL(rds_cong_map_updated);
69219 int rds_cong_updated_since(unsigned long *recent)
69221 - unsigned long gen = atomic_read(&rds_cong_generation);
69222 + unsigned long gen = atomic_read_unchecked(&rds_cong_generation);
69224 if (likely(*recent == gen))
69226 diff -urNp linux-2.6.32.42/net/rds/iw_rdma.c linux-2.6.32.42/net/rds/iw_rdma.c
69227 --- linux-2.6.32.42/net/rds/iw_rdma.c 2011-03-27 14:31:47.000000000 -0400
69228 +++ linux-2.6.32.42/net/rds/iw_rdma.c 2011-05-16 21:46:57.000000000 -0400
69229 @@ -181,6 +181,8 @@ int rds_iw_update_cm_id(struct rds_iw_de
69230 struct rdma_cm_id *pcm_id;
69233 + pax_track_stack();
69235 src_addr = (struct sockaddr_in *)&cm_id->route.addr.src_addr;
69236 dst_addr = (struct sockaddr_in *)&cm_id->route.addr.dst_addr;
69238 diff -urNp linux-2.6.32.42/net/rds/Kconfig linux-2.6.32.42/net/rds/Kconfig
69239 --- linux-2.6.32.42/net/rds/Kconfig 2011-03-27 14:31:47.000000000 -0400
69240 +++ linux-2.6.32.42/net/rds/Kconfig 2011-04-17 15:56:46.000000000 -0400
69244 tristate "The RDS Protocol (EXPERIMENTAL)"
69245 - depends on INET && EXPERIMENTAL
69246 + depends on INET && EXPERIMENTAL && BROKEN
69248 The RDS (Reliable Datagram Sockets) protocol provides reliable,
69249 sequenced delivery of datagrams over Infiniband, iWARP,
69250 diff -urNp linux-2.6.32.42/net/rxrpc/af_rxrpc.c linux-2.6.32.42/net/rxrpc/af_rxrpc.c
69251 --- linux-2.6.32.42/net/rxrpc/af_rxrpc.c 2011-03-27 14:31:47.000000000 -0400
69252 +++ linux-2.6.32.42/net/rxrpc/af_rxrpc.c 2011-05-04 17:56:28.000000000 -0400
69253 @@ -38,7 +38,7 @@ static const struct proto_ops rxrpc_rpc_
69254 __be32 rxrpc_epoch;
69256 /* current debugging ID */
69257 -atomic_t rxrpc_debug_id;
69258 +atomic_unchecked_t rxrpc_debug_id;
69260 /* count of skbs currently in use */
69261 atomic_t rxrpc_n_skbs;
69262 diff -urNp linux-2.6.32.42/net/rxrpc/ar-ack.c linux-2.6.32.42/net/rxrpc/ar-ack.c
69263 --- linux-2.6.32.42/net/rxrpc/ar-ack.c 2011-03-27 14:31:47.000000000 -0400
69264 +++ linux-2.6.32.42/net/rxrpc/ar-ack.c 2011-05-16 21:46:57.000000000 -0400
69265 @@ -174,7 +174,7 @@ static void rxrpc_resend(struct rxrpc_ca
69267 _enter("{%d,%d,%d,%d},",
69268 call->acks_hard, call->acks_unacked,
69269 - atomic_read(&call->sequence),
69270 + atomic_read_unchecked(&call->sequence),
69271 CIRC_CNT(call->acks_head, call->acks_tail, call->acks_winsz));
69274 @@ -198,7 +198,7 @@ static void rxrpc_resend(struct rxrpc_ca
69276 /* each Tx packet has a new serial number */
69278 - htonl(atomic_inc_return(&call->conn->serial));
69279 + htonl(atomic_inc_return_unchecked(&call->conn->serial));
69281 hdr = (struct rxrpc_header *) txb->head;
69282 hdr->serial = sp->hdr.serial;
69283 @@ -401,7 +401,7 @@ static void rxrpc_rotate_tx_window(struc
69285 static void rxrpc_clear_tx_window(struct rxrpc_call *call)
69287 - rxrpc_rotate_tx_window(call, atomic_read(&call->sequence));
69288 + rxrpc_rotate_tx_window(call, atomic_read_unchecked(&call->sequence));
69292 @@ -627,7 +627,7 @@ process_further:
69294 latest = ntohl(sp->hdr.serial);
69295 hard = ntohl(ack.firstPacket);
69296 - tx = atomic_read(&call->sequence);
69297 + tx = atomic_read_unchecked(&call->sequence);
69299 _proto("Rx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
69301 @@ -840,6 +840,8 @@ void rxrpc_process_call(struct work_stru
69302 u32 abort_code = RX_PROTOCOL_ERROR;
69305 + pax_track_stack();
69307 //printk("\n--------------------\n");
69308 _enter("{%d,%s,%lx} [%lu]",
69309 call->debug_id, rxrpc_call_states[call->state], call->events,
69310 @@ -1159,7 +1161,7 @@ void rxrpc_process_call(struct work_stru
69311 goto maybe_reschedule;
69313 send_ACK_with_skew:
69314 - ack.maxSkew = htons(atomic_read(&call->conn->hi_serial) -
69315 + ack.maxSkew = htons(atomic_read_unchecked(&call->conn->hi_serial) -
69316 ntohl(ack.serial));
69318 mtu = call->conn->trans->peer->if_mtu;
69319 @@ -1171,7 +1173,7 @@ send_ACK:
69320 ackinfo.rxMTU = htonl(5692);
69321 ackinfo.jumbo_max = htonl(4);
69323 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
69324 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
69325 _proto("Tx ACK %%%u { m=%hu f=#%u p=#%u s=%%%u r=%s n=%u }",
69327 ntohs(ack.maxSkew),
69328 @@ -1189,7 +1191,7 @@ send_ACK:
69330 _debug("send message");
69332 - hdr.serial = htonl(atomic_inc_return(&call->conn->serial));
69333 + hdr.serial = htonl(atomic_inc_return_unchecked(&call->conn->serial));
69334 _proto("Tx %s %%%u", rxrpc_pkts[hdr.type], ntohl(hdr.serial));
69337 diff -urNp linux-2.6.32.42/net/rxrpc/ar-call.c linux-2.6.32.42/net/rxrpc/ar-call.c
69338 --- linux-2.6.32.42/net/rxrpc/ar-call.c 2011-03-27 14:31:47.000000000 -0400
69339 +++ linux-2.6.32.42/net/rxrpc/ar-call.c 2011-05-04 17:56:28.000000000 -0400
69340 @@ -82,7 +82,7 @@ static struct rxrpc_call *rxrpc_alloc_ca
69341 spin_lock_init(&call->lock);
69342 rwlock_init(&call->state_lock);
69343 atomic_set(&call->usage, 1);
69344 - call->debug_id = atomic_inc_return(&rxrpc_debug_id);
69345 + call->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
69346 call->state = RXRPC_CALL_CLIENT_SEND_REQUEST;
69348 memset(&call->sock_node, 0xed, sizeof(call->sock_node));
69349 diff -urNp linux-2.6.32.42/net/rxrpc/ar-connection.c linux-2.6.32.42/net/rxrpc/ar-connection.c
69350 --- linux-2.6.32.42/net/rxrpc/ar-connection.c 2011-03-27 14:31:47.000000000 -0400
69351 +++ linux-2.6.32.42/net/rxrpc/ar-connection.c 2011-05-04 17:56:28.000000000 -0400
69352 @@ -205,7 +205,7 @@ static struct rxrpc_connection *rxrpc_al
69353 rwlock_init(&conn->lock);
69354 spin_lock_init(&conn->state_lock);
69355 atomic_set(&conn->usage, 1);
69356 - conn->debug_id = atomic_inc_return(&rxrpc_debug_id);
69357 + conn->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
69358 conn->avail_calls = RXRPC_MAXCALLS;
69359 conn->size_align = 4;
69360 conn->header_size = sizeof(struct rxrpc_header);
69361 diff -urNp linux-2.6.32.42/net/rxrpc/ar-connevent.c linux-2.6.32.42/net/rxrpc/ar-connevent.c
69362 --- linux-2.6.32.42/net/rxrpc/ar-connevent.c 2011-03-27 14:31:47.000000000 -0400
69363 +++ linux-2.6.32.42/net/rxrpc/ar-connevent.c 2011-05-04 17:56:28.000000000 -0400
69364 @@ -109,7 +109,7 @@ static int rxrpc_abort_connection(struct
69366 len = iov[0].iov_len + iov[1].iov_len;
69368 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
69369 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
69370 _proto("Tx CONN ABORT %%%u { %d }", ntohl(hdr.serial), abort_code);
69372 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
69373 diff -urNp linux-2.6.32.42/net/rxrpc/ar-input.c linux-2.6.32.42/net/rxrpc/ar-input.c
69374 --- linux-2.6.32.42/net/rxrpc/ar-input.c 2011-03-27 14:31:47.000000000 -0400
69375 +++ linux-2.6.32.42/net/rxrpc/ar-input.c 2011-05-04 17:56:28.000000000 -0400
69376 @@ -339,9 +339,9 @@ void rxrpc_fast_process_packet(struct rx
69377 /* track the latest serial number on this connection for ACK packet
69379 serial = ntohl(sp->hdr.serial);
69380 - hi_serial = atomic_read(&call->conn->hi_serial);
69381 + hi_serial = atomic_read_unchecked(&call->conn->hi_serial);
69382 while (serial > hi_serial)
69383 - hi_serial = atomic_cmpxchg(&call->conn->hi_serial, hi_serial,
69384 + hi_serial = atomic_cmpxchg_unchecked(&call->conn->hi_serial, hi_serial,
69387 /* request ACK generation for any ACK or DATA packet that requests
69388 diff -urNp linux-2.6.32.42/net/rxrpc/ar-internal.h linux-2.6.32.42/net/rxrpc/ar-internal.h
69389 --- linux-2.6.32.42/net/rxrpc/ar-internal.h 2011-03-27 14:31:47.000000000 -0400
69390 +++ linux-2.6.32.42/net/rxrpc/ar-internal.h 2011-05-04 17:56:28.000000000 -0400
69391 @@ -272,8 +272,8 @@ struct rxrpc_connection {
69392 int error; /* error code for local abort */
69393 int debug_id; /* debug ID for printks */
69394 unsigned call_counter; /* call ID counter */
69395 - atomic_t serial; /* packet serial number counter */
69396 - atomic_t hi_serial; /* highest serial number received */
69397 + atomic_unchecked_t serial; /* packet serial number counter */
69398 + atomic_unchecked_t hi_serial; /* highest serial number received */
69399 u8 avail_calls; /* number of calls available */
69400 u8 size_align; /* data size alignment (for security) */
69401 u8 header_size; /* rxrpc + security header size */
69402 @@ -346,7 +346,7 @@ struct rxrpc_call {
69404 rwlock_t state_lock; /* lock for state transition */
69406 - atomic_t sequence; /* Tx data packet sequence counter */
69407 + atomic_unchecked_t sequence; /* Tx data packet sequence counter */
69408 u32 abort_code; /* local/remote abort code */
69409 enum { /* current state of call */
69410 RXRPC_CALL_CLIENT_SEND_REQUEST, /* - client sending request phase */
69411 @@ -420,7 +420,7 @@ static inline void rxrpc_abort_call(stru
69413 extern atomic_t rxrpc_n_skbs;
69414 extern __be32 rxrpc_epoch;
69415 -extern atomic_t rxrpc_debug_id;
69416 +extern atomic_unchecked_t rxrpc_debug_id;
69417 extern struct workqueue_struct *rxrpc_workqueue;
69420 diff -urNp linux-2.6.32.42/net/rxrpc/ar-key.c linux-2.6.32.42/net/rxrpc/ar-key.c
69421 --- linux-2.6.32.42/net/rxrpc/ar-key.c 2011-03-27 14:31:47.000000000 -0400
69422 +++ linux-2.6.32.42/net/rxrpc/ar-key.c 2011-04-17 15:56:46.000000000 -0400
69423 @@ -88,11 +88,11 @@ static int rxrpc_instantiate_xdr_rxkad(s
69426 plen -= sizeof(*token);
69427 - token = kmalloc(sizeof(*token), GFP_KERNEL);
69428 + token = kzalloc(sizeof(*token), GFP_KERNEL);
69432 - token->kad = kmalloc(plen, GFP_KERNEL);
69433 + token->kad = kzalloc(plen, GFP_KERNEL);
69437 @@ -730,10 +730,10 @@ static int rxrpc_instantiate(struct key
69441 - token = kmalloc(sizeof(*token), GFP_KERNEL);
69442 + token = kzalloc(sizeof(*token), GFP_KERNEL);
69445 - token->kad = kmalloc(plen, GFP_KERNEL);
69446 + token->kad = kzalloc(plen, GFP_KERNEL);
69450 diff -urNp linux-2.6.32.42/net/rxrpc/ar-local.c linux-2.6.32.42/net/rxrpc/ar-local.c
69451 --- linux-2.6.32.42/net/rxrpc/ar-local.c 2011-03-27 14:31:47.000000000 -0400
69452 +++ linux-2.6.32.42/net/rxrpc/ar-local.c 2011-05-04 17:56:28.000000000 -0400
69453 @@ -44,7 +44,7 @@ struct rxrpc_local *rxrpc_alloc_local(st
69454 spin_lock_init(&local->lock);
69455 rwlock_init(&local->services_lock);
69456 atomic_set(&local->usage, 1);
69457 - local->debug_id = atomic_inc_return(&rxrpc_debug_id);
69458 + local->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
69459 memcpy(&local->srx, srx, sizeof(*srx));
69462 diff -urNp linux-2.6.32.42/net/rxrpc/ar-output.c linux-2.6.32.42/net/rxrpc/ar-output.c
69463 --- linux-2.6.32.42/net/rxrpc/ar-output.c 2011-03-27 14:31:47.000000000 -0400
69464 +++ linux-2.6.32.42/net/rxrpc/ar-output.c 2011-05-04 17:56:28.000000000 -0400
69465 @@ -680,9 +680,9 @@ static int rxrpc_send_data(struct kiocb
69466 sp->hdr.cid = call->cid;
69467 sp->hdr.callNumber = call->call_id;
69469 - htonl(atomic_inc_return(&call->sequence));
69470 + htonl(atomic_inc_return_unchecked(&call->sequence));
69472 - htonl(atomic_inc_return(&conn->serial));
69473 + htonl(atomic_inc_return_unchecked(&conn->serial));
69474 sp->hdr.type = RXRPC_PACKET_TYPE_DATA;
69475 sp->hdr.userStatus = 0;
69476 sp->hdr.securityIndex = conn->security_ix;
69477 diff -urNp linux-2.6.32.42/net/rxrpc/ar-peer.c linux-2.6.32.42/net/rxrpc/ar-peer.c
69478 --- linux-2.6.32.42/net/rxrpc/ar-peer.c 2011-03-27 14:31:47.000000000 -0400
69479 +++ linux-2.6.32.42/net/rxrpc/ar-peer.c 2011-05-04 17:56:28.000000000 -0400
69480 @@ -86,7 +86,7 @@ static struct rxrpc_peer *rxrpc_alloc_pe
69481 INIT_LIST_HEAD(&peer->error_targets);
69482 spin_lock_init(&peer->lock);
69483 atomic_set(&peer->usage, 1);
69484 - peer->debug_id = atomic_inc_return(&rxrpc_debug_id);
69485 + peer->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
69486 memcpy(&peer->srx, srx, sizeof(*srx));
69488 rxrpc_assess_MTU_size(peer);
69489 diff -urNp linux-2.6.32.42/net/rxrpc/ar-proc.c linux-2.6.32.42/net/rxrpc/ar-proc.c
69490 --- linux-2.6.32.42/net/rxrpc/ar-proc.c 2011-03-27 14:31:47.000000000 -0400
69491 +++ linux-2.6.32.42/net/rxrpc/ar-proc.c 2011-05-04 17:56:28.000000000 -0400
69492 @@ -164,8 +164,8 @@ static int rxrpc_connection_seq_show(str
69493 atomic_read(&conn->usage),
69494 rxrpc_conn_states[conn->state],
69495 key_serial(conn->key),
69496 - atomic_read(&conn->serial),
69497 - atomic_read(&conn->hi_serial));
69498 + atomic_read_unchecked(&conn->serial),
69499 + atomic_read_unchecked(&conn->hi_serial));
69503 diff -urNp linux-2.6.32.42/net/rxrpc/ar-transport.c linux-2.6.32.42/net/rxrpc/ar-transport.c
69504 --- linux-2.6.32.42/net/rxrpc/ar-transport.c 2011-03-27 14:31:47.000000000 -0400
69505 +++ linux-2.6.32.42/net/rxrpc/ar-transport.c 2011-05-04 17:56:28.000000000 -0400
69506 @@ -46,7 +46,7 @@ static struct rxrpc_transport *rxrpc_all
69507 spin_lock_init(&trans->client_lock);
69508 rwlock_init(&trans->conn_lock);
69509 atomic_set(&trans->usage, 1);
69510 - trans->debug_id = atomic_inc_return(&rxrpc_debug_id);
69511 + trans->debug_id = atomic_inc_return_unchecked(&rxrpc_debug_id);
69513 if (peer->srx.transport.family == AF_INET) {
69514 switch (peer->srx.transport_type) {
69515 diff -urNp linux-2.6.32.42/net/rxrpc/rxkad.c linux-2.6.32.42/net/rxrpc/rxkad.c
69516 --- linux-2.6.32.42/net/rxrpc/rxkad.c 2011-03-27 14:31:47.000000000 -0400
69517 +++ linux-2.6.32.42/net/rxrpc/rxkad.c 2011-05-16 21:46:57.000000000 -0400
69518 @@ -210,6 +210,8 @@ static int rxkad_secure_packet_encrypt(c
69522 + pax_track_stack();
69524 sp = rxrpc_skb(skb);
69527 @@ -337,6 +339,8 @@ static int rxkad_verify_packet_auth(cons
69531 + pax_track_stack();
69535 sp = rxrpc_skb(skb);
69536 @@ -609,7 +613,7 @@ static int rxkad_issue_challenge(struct
69538 len = iov[0].iov_len + iov[1].iov_len;
69540 - hdr.serial = htonl(atomic_inc_return(&conn->serial));
69541 + hdr.serial = htonl(atomic_inc_return_unchecked(&conn->serial));
69542 _proto("Tx CHALLENGE %%%u", ntohl(hdr.serial));
69544 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 2, len);
69545 @@ -659,7 +663,7 @@ static int rxkad_send_response(struct rx
69547 len = iov[0].iov_len + iov[1].iov_len + iov[2].iov_len;
69549 - hdr->serial = htonl(atomic_inc_return(&conn->serial));
69550 + hdr->serial = htonl(atomic_inc_return_unchecked(&conn->serial));
69551 _proto("Tx RESPONSE %%%u", ntohl(hdr->serial));
69553 ret = kernel_sendmsg(conn->trans->local->socket, &msg, iov, 3, len);
69554 diff -urNp linux-2.6.32.42/net/sctp/proc.c linux-2.6.32.42/net/sctp/proc.c
69555 --- linux-2.6.32.42/net/sctp/proc.c 2011-03-27 14:31:47.000000000 -0400
69556 +++ linux-2.6.32.42/net/sctp/proc.c 2011-04-17 15:56:46.000000000 -0400
69557 @@ -213,7 +213,12 @@ static int sctp_eps_seq_show(struct seq_
69558 sctp_for_each_hentry(epb, node, &head->chain) {
69561 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
69562 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
69563 +#ifdef CONFIG_GRKERNSEC_HIDESYM
69568 sctp_sk(sk)->type, sk->sk_state, hash,
69569 epb->bind_addr.port,
69570 sock_i_uid(sk), sock_i_ino(sk));
69571 @@ -320,7 +325,12 @@ static int sctp_assocs_seq_show(struct s
69573 "%8p %8p %-3d %-3d %-2d %-4d "
69574 "%4d %8d %8d %7d %5lu %-5d %5d ",
69575 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
69576 +#ifdef CONFIG_GRKERNSEC_HIDESYM
69581 + sctp_sk(sk)->type, sk->sk_state,
69582 assoc->state, hash,
69584 assoc->sndbuf_used,
69585 diff -urNp linux-2.6.32.42/net/sctp/socket.c linux-2.6.32.42/net/sctp/socket.c
69586 --- linux-2.6.32.42/net/sctp/socket.c 2011-03-27 14:31:47.000000000 -0400
69587 +++ linux-2.6.32.42/net/sctp/socket.c 2011-04-23 12:56:11.000000000 -0400
69588 @@ -5802,7 +5802,6 @@ pp_found:
69590 int reuse = sk->sk_reuse;
69592 - struct hlist_node *node;
69594 SCTP_DEBUG_PRINTK("sctp_get_port() found a possible match\n");
69595 if (pp->fastreuse && sk->sk_reuse &&
69596 diff -urNp linux-2.6.32.42/net/socket.c linux-2.6.32.42/net/socket.c
69597 --- linux-2.6.32.42/net/socket.c 2011-03-27 14:31:47.000000000 -0400
69598 +++ linux-2.6.32.42/net/socket.c 2011-05-16 21:46:57.000000000 -0400
69600 #include <linux/wireless.h>
69601 #include <linux/nsproxy.h>
69602 #include <linux/magic.h>
69603 +#include <linux/in.h>
69605 #include <asm/uaccess.h>
69606 #include <asm/unistd.h>
69608 #include <net/sock.h>
69609 #include <linux/netfilter.h>
69611 +extern void gr_attach_curr_ip(const struct sock *sk);
69612 +extern int gr_handle_sock_all(const int family, const int type,
69613 + const int protocol);
69614 +extern int gr_handle_sock_server(const struct sockaddr *sck);
69615 +extern int gr_handle_sock_server_other(const struct sock *sck);
69616 +extern int gr_handle_sock_client(const struct sockaddr *sck);
69617 +extern int gr_search_connect(struct socket * sock,
69618 + struct sockaddr_in * addr);
69619 +extern int gr_search_bind(struct socket * sock,
69620 + struct sockaddr_in * addr);
69621 +extern int gr_search_listen(struct socket * sock);
69622 +extern int gr_search_accept(struct socket * sock);
69623 +extern int gr_search_socket(const int domain, const int type,
69624 + const int protocol);
69626 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
69627 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
69628 unsigned long nr_segs, loff_t pos);
69629 @@ -298,7 +314,7 @@ static int sockfs_get_sb(struct file_sys
69633 -static struct vfsmount *sock_mnt __read_mostly;
69634 +struct vfsmount *sock_mnt __read_mostly;
69636 static struct file_system_type sock_fs_type = {
69638 @@ -1154,6 +1170,8 @@ static int __sock_create(struct net *net
69639 return -EAFNOSUPPORT;
69640 if (type < 0 || type >= SOCK_MAX)
69642 + if (protocol < 0)
69647 @@ -1283,6 +1301,16 @@ SYSCALL_DEFINE3(socket, int, family, int
69648 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
69649 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
69651 + if(!gr_search_socket(family, type, protocol)) {
69652 + retval = -EACCES;
69656 + if (gr_handle_sock_all(family, type, protocol)) {
69657 + retval = -EACCES;
69661 retval = sock_create(family, type, protocol, &sock);
69664 @@ -1415,6 +1443,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
69666 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
69668 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
69672 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
69676 err = security_socket_bind(sock,
69677 (struct sockaddr *)&address,
69679 @@ -1423,6 +1459,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
69680 (struct sockaddr *)
69681 &address, addrlen);
69684 fput_light(sock->file, fput_needed);
69687 @@ -1446,10 +1483,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
69688 if ((unsigned)backlog > somaxconn)
69689 backlog = somaxconn;
69691 + if (gr_handle_sock_server_other(sock->sk)) {
69696 + err = gr_search_listen(sock);
69700 err = security_socket_listen(sock, backlog);
69702 err = sock->ops->listen(sock, backlog);
69705 fput_light(sock->file, fput_needed);
69708 @@ -1492,6 +1539,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
69709 newsock->type = sock->type;
69710 newsock->ops = sock->ops;
69712 + if (gr_handle_sock_server_other(sock->sk)) {
69714 + sock_release(newsock);
69718 + err = gr_search_accept(sock);
69720 + sock_release(newsock);
69725 * We don't need try_module_get here, as the listening socket (sock)
69726 * has the protocol module (sock->ops->owner) held.
69727 @@ -1534,6 +1593,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
69728 fd_install(newfd, newfile);
69731 + gr_attach_curr_ip(newsock->sk);
69734 fput_light(sock->file, fput_needed);
69736 @@ -1571,6 +1632,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
69739 struct socket *sock;
69740 + struct sockaddr *sck;
69741 struct sockaddr_storage address;
69742 int err, fput_needed;
69744 @@ -1581,6 +1643,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
69748 + sck = (struct sockaddr *)&address;
69750 + if (gr_handle_sock_client(sck)) {
69755 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
69760 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
69762 @@ -1882,6 +1955,8 @@ SYSCALL_DEFINE3(sendmsg, int, fd, struct
69763 int err, ctl_len, iov_size, total_len;
69766 + pax_track_stack();
69769 if (MSG_CMSG_COMPAT & flags) {
69770 if (get_compat_msghdr(&msg_sys, msg_compat))
69771 diff -urNp linux-2.6.32.42/net/sunrpc/sched.c linux-2.6.32.42/net/sunrpc/sched.c
69772 --- linux-2.6.32.42/net/sunrpc/sched.c 2011-03-27 14:31:47.000000000 -0400
69773 +++ linux-2.6.32.42/net/sunrpc/sched.c 2011-04-17 15:56:46.000000000 -0400
69774 @@ -234,10 +234,10 @@ static int rpc_wait_bit_killable(void *w
69776 static void rpc_task_set_debuginfo(struct rpc_task *task)
69778 - static atomic_t rpc_pid;
69779 + static atomic_unchecked_t rpc_pid;
69781 task->tk_magic = RPC_TASK_MAGIC_ID;
69782 - task->tk_pid = atomic_inc_return(&rpc_pid);
69783 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
69786 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
69787 diff -urNp linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma.c
69788 --- linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-27 14:31:47.000000000 -0400
69789 +++ linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma.c 2011-05-04 17:56:20.000000000 -0400
69790 @@ -59,15 +59,15 @@ unsigned int svcrdma_max_req_size = RPCR
69791 static unsigned int min_max_inline = 4096;
69792 static unsigned int max_max_inline = 65536;
69794 -atomic_t rdma_stat_recv;
69795 -atomic_t rdma_stat_read;
69796 -atomic_t rdma_stat_write;
69797 -atomic_t rdma_stat_sq_starve;
69798 -atomic_t rdma_stat_rq_starve;
69799 -atomic_t rdma_stat_rq_poll;
69800 -atomic_t rdma_stat_rq_prod;
69801 -atomic_t rdma_stat_sq_poll;
69802 -atomic_t rdma_stat_sq_prod;
69803 +atomic_unchecked_t rdma_stat_recv;
69804 +atomic_unchecked_t rdma_stat_read;
69805 +atomic_unchecked_t rdma_stat_write;
69806 +atomic_unchecked_t rdma_stat_sq_starve;
69807 +atomic_unchecked_t rdma_stat_rq_starve;
69808 +atomic_unchecked_t rdma_stat_rq_poll;
69809 +atomic_unchecked_t rdma_stat_rq_prod;
69810 +atomic_unchecked_t rdma_stat_sq_poll;
69811 +atomic_unchecked_t rdma_stat_sq_prod;
69813 /* Temporary NFS request map and context caches */
69814 struct kmem_cache *svc_rdma_map_cachep;
69815 @@ -105,7 +105,7 @@ static int read_reset_stat(ctl_table *ta
69819 - if (len && copy_to_user(buffer, str_buf, len))
69820 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
69824 @@ -149,63 +149,63 @@ static ctl_table svcrdma_parm_table[] =
69826 .procname = "rdma_stat_read",
69827 .data = &rdma_stat_read,
69828 - .maxlen = sizeof(atomic_t),
69829 + .maxlen = sizeof(atomic_unchecked_t),
69831 .proc_handler = &read_reset_stat,
69834 .procname = "rdma_stat_recv",
69835 .data = &rdma_stat_recv,
69836 - .maxlen = sizeof(atomic_t),
69837 + .maxlen = sizeof(atomic_unchecked_t),
69839 .proc_handler = &read_reset_stat,
69842 .procname = "rdma_stat_write",
69843 .data = &rdma_stat_write,
69844 - .maxlen = sizeof(atomic_t),
69845 + .maxlen = sizeof(atomic_unchecked_t),
69847 .proc_handler = &read_reset_stat,
69850 .procname = "rdma_stat_sq_starve",
69851 .data = &rdma_stat_sq_starve,
69852 - .maxlen = sizeof(atomic_t),
69853 + .maxlen = sizeof(atomic_unchecked_t),
69855 .proc_handler = &read_reset_stat,
69858 .procname = "rdma_stat_rq_starve",
69859 .data = &rdma_stat_rq_starve,
69860 - .maxlen = sizeof(atomic_t),
69861 + .maxlen = sizeof(atomic_unchecked_t),
69863 .proc_handler = &read_reset_stat,
69866 .procname = "rdma_stat_rq_poll",
69867 .data = &rdma_stat_rq_poll,
69868 - .maxlen = sizeof(atomic_t),
69869 + .maxlen = sizeof(atomic_unchecked_t),
69871 .proc_handler = &read_reset_stat,
69874 .procname = "rdma_stat_rq_prod",
69875 .data = &rdma_stat_rq_prod,
69876 - .maxlen = sizeof(atomic_t),
69877 + .maxlen = sizeof(atomic_unchecked_t),
69879 .proc_handler = &read_reset_stat,
69882 .procname = "rdma_stat_sq_poll",
69883 .data = &rdma_stat_sq_poll,
69884 - .maxlen = sizeof(atomic_t),
69885 + .maxlen = sizeof(atomic_unchecked_t),
69887 .proc_handler = &read_reset_stat,
69890 .procname = "rdma_stat_sq_prod",
69891 .data = &rdma_stat_sq_prod,
69892 - .maxlen = sizeof(atomic_t),
69893 + .maxlen = sizeof(atomic_unchecked_t),
69895 .proc_handler = &read_reset_stat,
69897 diff -urNp linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c
69898 --- linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-03-27 14:31:47.000000000 -0400
69899 +++ linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_recvfrom.c 2011-05-04 17:56:28.000000000 -0400
69900 @@ -495,7 +495,7 @@ next_sge:
69901 svc_rdma_put_context(ctxt, 0);
69904 - atomic_inc(&rdma_stat_read);
69905 + atomic_inc_unchecked(&rdma_stat_read);
69907 if (read_wr.num_sge < chl_map->ch[ch_no].count) {
69908 chl_map->ch[ch_no].count -= read_wr.num_sge;
69909 @@ -606,7 +606,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
69911 list_del_init(&ctxt->dto_q);
69913 - atomic_inc(&rdma_stat_rq_starve);
69914 + atomic_inc_unchecked(&rdma_stat_rq_starve);
69915 clear_bit(XPT_DATA, &xprt->xpt_flags);
69918 @@ -626,7 +626,7 @@ int svc_rdma_recvfrom(struct svc_rqst *r
69919 dprintk("svcrdma: processing ctxt=%p on xprt=%p, rqstp=%p, status=%d\n",
69920 ctxt, rdma_xprt, rqstp, ctxt->wc_status);
69921 BUG_ON(ctxt->wc_status != IB_WC_SUCCESS);
69922 - atomic_inc(&rdma_stat_recv);
69923 + atomic_inc_unchecked(&rdma_stat_recv);
69925 /* Build up the XDR from the receive buffers. */
69926 rdma_build_arg_xdr(rqstp, ctxt, ctxt->byte_len);
69927 diff -urNp linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_sendto.c linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_sendto.c
69928 --- linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-03-27 14:31:47.000000000 -0400
69929 +++ linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_sendto.c 2011-05-04 17:56:28.000000000 -0400
69930 @@ -328,7 +328,7 @@ static int send_write(struct svcxprt_rdm
69931 write_wr.wr.rdma.remote_addr = to;
69934 - atomic_inc(&rdma_stat_write);
69935 + atomic_inc_unchecked(&rdma_stat_write);
69936 if (svc_rdma_send(xprt, &write_wr))
69939 diff -urNp linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_transport.c linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_transport.c
69940 --- linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-03-27 14:31:47.000000000 -0400
69941 +++ linux-2.6.32.42/net/sunrpc/xprtrdma/svc_rdma_transport.c 2011-05-04 17:56:28.000000000 -0400
69942 @@ -292,7 +292,7 @@ static void rq_cq_reap(struct svcxprt_rd
69945 ib_req_notify_cq(xprt->sc_rq_cq, IB_CQ_NEXT_COMP);
69946 - atomic_inc(&rdma_stat_rq_poll);
69947 + atomic_inc_unchecked(&rdma_stat_rq_poll);
69949 while ((ret = ib_poll_cq(xprt->sc_rq_cq, 1, &wc)) > 0) {
69950 ctxt = (struct svc_rdma_op_ctxt *)(unsigned long)wc.wr_id;
69951 @@ -314,7 +314,7 @@ static void rq_cq_reap(struct svcxprt_rd
69955 - atomic_inc(&rdma_stat_rq_prod);
69956 + atomic_inc_unchecked(&rdma_stat_rq_prod);
69958 set_bit(XPT_DATA, &xprt->sc_xprt.xpt_flags);
69960 @@ -386,7 +386,7 @@ static void sq_cq_reap(struct svcxprt_rd
69963 ib_req_notify_cq(xprt->sc_sq_cq, IB_CQ_NEXT_COMP);
69964 - atomic_inc(&rdma_stat_sq_poll);
69965 + atomic_inc_unchecked(&rdma_stat_sq_poll);
69966 while ((ret = ib_poll_cq(cq, 1, &wc)) > 0) {
69967 if (wc.status != IB_WC_SUCCESS)
69968 /* Close the transport */
69969 @@ -404,7 +404,7 @@ static void sq_cq_reap(struct svcxprt_rd
69973 - atomic_inc(&rdma_stat_sq_prod);
69974 + atomic_inc_unchecked(&rdma_stat_sq_prod);
69977 static void sq_comp_handler(struct ib_cq *cq, void *cq_context)
69978 @@ -1260,7 +1260,7 @@ int svc_rdma_send(struct svcxprt_rdma *x
69979 spin_lock_bh(&xprt->sc_lock);
69980 if (xprt->sc_sq_depth < atomic_read(&xprt->sc_sq_count) + wr_count) {
69981 spin_unlock_bh(&xprt->sc_lock);
69982 - atomic_inc(&rdma_stat_sq_starve);
69983 + atomic_inc_unchecked(&rdma_stat_sq_starve);
69985 /* See if we can opportunistically reap SQ WR to make room */
69987 diff -urNp linux-2.6.32.42/net/sysctl_net.c linux-2.6.32.42/net/sysctl_net.c
69988 --- linux-2.6.32.42/net/sysctl_net.c 2011-03-27 14:31:47.000000000 -0400
69989 +++ linux-2.6.32.42/net/sysctl_net.c 2011-04-17 15:56:46.000000000 -0400
69990 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
69991 struct ctl_table *table)
69993 /* Allow network administrator to have same access as root. */
69994 - if (capable(CAP_NET_ADMIN)) {
69995 + if (capable_nolog(CAP_NET_ADMIN)) {
69996 int mode = (table->mode >> 6) & 7;
69997 return (mode << 6) | (mode << 3) | mode;
69999 diff -urNp linux-2.6.32.42/net/unix/af_unix.c linux-2.6.32.42/net/unix/af_unix.c
70000 --- linux-2.6.32.42/net/unix/af_unix.c 2011-05-10 22:12:02.000000000 -0400
70001 +++ linux-2.6.32.42/net/unix/af_unix.c 2011-05-10 22:12:34.000000000 -0400
70002 @@ -745,6 +745,12 @@ static struct sock *unix_find_other(stru
70003 err = -ECONNREFUSED;
70004 if (!S_ISSOCK(inode->i_mode))
70007 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
70012 u = unix_find_socket_byinode(net, inode);
70015 @@ -765,6 +771,13 @@ static struct sock *unix_find_other(stru
70017 struct dentry *dentry;
70018 dentry = unix_sk(u)->dentry;
70020 + if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
70027 touch_atime(unix_sk(u)->mnt, dentry);
70029 @@ -850,11 +863,18 @@ static int unix_bind(struct socket *sock
70030 err = security_path_mknod(&nd.path, dentry, mode, 0);
70032 goto out_mknod_drop_write;
70033 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
70035 + goto out_mknod_drop_write;
70037 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
70038 out_mknod_drop_write:
70039 mnt_drop_write(nd.path.mnt);
70041 goto out_mknod_dput;
70043 + gr_handle_create(dentry, nd.path.mnt);
70045 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
70046 dput(nd.path.dentry);
70047 nd.path.dentry = dentry;
70048 @@ -872,6 +892,10 @@ out_mknod_drop_write:
70052 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
70053 + sk->sk_peercred.pid = current->pid;
70056 list = &unix_socket_table[addr->hash];
70058 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
70059 @@ -2211,7 +2235,11 @@ static int unix_seq_show(struct seq_file
70060 unix_state_lock(s);
70062 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
70063 +#ifdef CONFIG_GRKERNSEC_HIDESYM
70068 atomic_read(&s->sk_refcnt),
70070 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
70071 diff -urNp linux-2.6.32.42/net/wireless/wext.c linux-2.6.32.42/net/wireless/wext.c
70072 --- linux-2.6.32.42/net/wireless/wext.c 2011-03-27 14:31:47.000000000 -0400
70073 +++ linux-2.6.32.42/net/wireless/wext.c 2011-04-17 15:56:46.000000000 -0400
70074 @@ -816,8 +816,7 @@ static int ioctl_standard_iw_point(struc
70077 /* Support for very large requests */
70078 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
70079 - (user_length > descr->max_tokens)) {
70080 + if (user_length > descr->max_tokens) {
70081 /* Allow userspace to GET more than max so
70082 * we can support any size GET requests.
70083 * There is still a limit : -ENOMEM.
70084 @@ -854,22 +853,6 @@ static int ioctl_standard_iw_point(struc
70088 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
70090 - * If this is a GET, but not NOMAX, it means that the extra
70091 - * data is not bounded by userspace, but by max_tokens. Thus
70092 - * set the length to max_tokens. This matches the extra data
70094 - * The driver should fill it with the number of tokens it
70095 - * provided, and it may check iwp->length rather than having
70096 - * knowledge of max_tokens. If the driver doesn't change the
70097 - * iwp->length, this ioctl just copies back max_token tokens
70098 - * filled with zeroes. Hopefully the driver isn't claiming
70099 - * them to be valid data.
70101 - iwp->length = descr->max_tokens;
70104 err = handler(dev, info, (union iwreq_data *) iwp, extra);
70106 iwp->length += essid_compat;
70107 diff -urNp linux-2.6.32.42/net/xfrm/xfrm_policy.c linux-2.6.32.42/net/xfrm/xfrm_policy.c
70108 --- linux-2.6.32.42/net/xfrm/xfrm_policy.c 2011-03-27 14:31:47.000000000 -0400
70109 +++ linux-2.6.32.42/net/xfrm/xfrm_policy.c 2011-05-04 17:56:20.000000000 -0400
70110 @@ -586,7 +586,7 @@ int xfrm_policy_insert(int dir, struct x
70111 hlist_add_head(&policy->bydst, chain);
70112 xfrm_pol_hold(policy);
70113 net->xfrm.policy_count[dir]++;
70114 - atomic_inc(&flow_cache_genid);
70115 + atomic_inc_unchecked(&flow_cache_genid);
70117 __xfrm_policy_unlink(delpol, dir);
70118 policy->index = delpol ? delpol->index : xfrm_gen_index(net, dir);
70119 @@ -669,7 +669,7 @@ struct xfrm_policy *xfrm_policy_bysel_ct
70120 write_unlock_bh(&xfrm_policy_lock);
70122 if (ret && delete) {
70123 - atomic_inc(&flow_cache_genid);
70124 + atomic_inc_unchecked(&flow_cache_genid);
70125 xfrm_policy_kill(ret);
70128 @@ -710,7 +710,7 @@ struct xfrm_policy *xfrm_policy_byid(str
70129 write_unlock_bh(&xfrm_policy_lock);
70131 if (ret && delete) {
70132 - atomic_inc(&flow_cache_genid);
70133 + atomic_inc_unchecked(&flow_cache_genid);
70134 xfrm_policy_kill(ret);
70137 @@ -824,7 +824,7 @@ int xfrm_policy_flush(struct net *net, u
70141 - atomic_inc(&flow_cache_genid);
70142 + atomic_inc_unchecked(&flow_cache_genid);
70144 write_unlock_bh(&xfrm_policy_lock);
70146 @@ -1088,7 +1088,7 @@ int xfrm_policy_delete(struct xfrm_polic
70147 write_unlock_bh(&xfrm_policy_lock);
70149 if (dir < XFRM_POLICY_MAX)
70150 - atomic_inc(&flow_cache_genid);
70151 + atomic_inc_unchecked(&flow_cache_genid);
70152 xfrm_policy_kill(pol);
70155 @@ -1477,7 +1477,7 @@ free_dst:
70161 xfrm_dst_alloc_copy(void **target, void *src, int size)
70164 @@ -1489,7 +1489,7 @@ xfrm_dst_alloc_copy(void **target, void
70170 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
70172 #ifdef CONFIG_XFRM_SUB_POLICY
70173 @@ -1501,7 +1501,7 @@ xfrm_dst_update_parent(struct dst_entry
70179 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
70181 #ifdef CONFIG_XFRM_SUB_POLICY
70182 @@ -1537,7 +1537,7 @@ int __xfrm_lookup(struct net *net, struc
70183 u8 dir = policy_to_flow_dir(XFRM_POLICY_OUT);
70186 - genid = atomic_read(&flow_cache_genid);
70187 + genid = atomic_read_unchecked(&flow_cache_genid);
70189 for (pi = 0; pi < ARRAY_SIZE(pols); pi++)
70191 @@ -1680,7 +1680,7 @@ restart:
70194 if (nx == -EAGAIN ||
70195 - genid != atomic_read(&flow_cache_genid)) {
70196 + genid != atomic_read_unchecked(&flow_cache_genid)) {
70197 xfrm_pols_put(pols, npols);
70200 diff -urNp linux-2.6.32.42/net/xfrm/xfrm_user.c linux-2.6.32.42/net/xfrm/xfrm_user.c
70201 --- linux-2.6.32.42/net/xfrm/xfrm_user.c 2011-03-27 14:31:47.000000000 -0400
70202 +++ linux-2.6.32.42/net/xfrm/xfrm_user.c 2011-05-16 21:46:57.000000000 -0400
70203 @@ -1169,6 +1169,8 @@ static int copy_to_user_tmpl(struct xfrm
70204 struct xfrm_user_tmpl vec[XFRM_MAX_DEPTH];
70207 + pax_track_stack();
70209 if (xp->xfrm_nr == 0)
70212 @@ -1784,6 +1786,8 @@ static int xfrm_do_migrate(struct sk_buf
70216 + pax_track_stack();
70218 if (attrs[XFRMA_MIGRATE] == NULL)
70221 diff -urNp linux-2.6.32.42/samples/kobject/kset-example.c linux-2.6.32.42/samples/kobject/kset-example.c
70222 --- linux-2.6.32.42/samples/kobject/kset-example.c 2011-03-27 14:31:47.000000000 -0400
70223 +++ linux-2.6.32.42/samples/kobject/kset-example.c 2011-04-17 15:56:46.000000000 -0400
70224 @@ -87,7 +87,7 @@ static ssize_t foo_attr_store(struct kob
70227 /* Our custom sysfs_ops that we will associate with our ktype later on */
70228 -static struct sysfs_ops foo_sysfs_ops = {
70229 +static const struct sysfs_ops foo_sysfs_ops = {
70230 .show = foo_attr_show,
70231 .store = foo_attr_store,
70233 diff -urNp linux-2.6.32.42/scripts/basic/fixdep.c linux-2.6.32.42/scripts/basic/fixdep.c
70234 --- linux-2.6.32.42/scripts/basic/fixdep.c 2011-03-27 14:31:47.000000000 -0400
70235 +++ linux-2.6.32.42/scripts/basic/fixdep.c 2011-04-17 15:56:46.000000000 -0400
70236 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
70238 static void parse_config_file(char *map, size_t len)
70240 - int *end = (int *) (map + len);
70241 + unsigned int *end = (unsigned int *) (map + len);
70242 /* start at +1, so that p can never be < map */
70243 - int *m = (int *) map + 1;
70244 + unsigned int *m = (unsigned int *) map + 1;
70247 for (; m < end; m++) {
70248 @@ -371,7 +371,7 @@ static void print_deps(void)
70249 static void traps(void)
70251 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
70252 - int *p = (int *)test;
70253 + unsigned int *p = (unsigned int *)test;
70255 if (*p != INT_CONF) {
70256 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
70257 diff -urNp linux-2.6.32.42/scripts/Makefile.build linux-2.6.32.42/scripts/Makefile.build
70258 --- linux-2.6.32.42/scripts/Makefile.build 2011-03-27 14:31:47.000000000 -0400
70259 +++ linux-2.6.32.42/scripts/Makefile.build 2011-06-04 20:46:51.000000000 -0400
70260 @@ -59,7 +59,7 @@ endif
70263 # Do not include host rules unless needed
70264 -ifneq ($(hostprogs-y)$(hostprogs-m),)
70265 +ifneq ($(hostprogs-y)$(hostprogs-m)$(hostlibs-y)$(hostlibs-m),)
70266 include scripts/Makefile.host
70269 diff -urNp linux-2.6.32.42/scripts/Makefile.clean linux-2.6.32.42/scripts/Makefile.clean
70270 --- linux-2.6.32.42/scripts/Makefile.clean 2011-03-27 14:31:47.000000000 -0400
70271 +++ linux-2.6.32.42/scripts/Makefile.clean 2011-06-04 20:47:19.000000000 -0400
70272 @@ -43,7 +43,8 @@ subdir-ymn := $(addprefix $(obj)/,$(subd
70273 __clean-files := $(extra-y) $(always) \
70274 $(targets) $(clean-files) \
70276 - $(hostprogs-y) $(hostprogs-m) $(hostprogs-)
70277 + $(hostprogs-y) $(hostprogs-m) $(hostprogs-) \
70278 + $(hostlibs-y) $(hostlibs-m) $(hostlibs-)
70280 # as clean-files is given relative to the current directory, this adds
70281 # a $(obj) prefix, except for absolute paths
70282 diff -urNp linux-2.6.32.42/scripts/Makefile.host linux-2.6.32.42/scripts/Makefile.host
70283 --- linux-2.6.32.42/scripts/Makefile.host 2011-03-27 14:31:47.000000000 -0400
70284 +++ linux-2.6.32.42/scripts/Makefile.host 2011-06-04 20:48:22.000000000 -0400
70286 # Note: Shared libraries consisting of C++ files are not supported
70288 __hostprogs := $(sort $(hostprogs-y) $(hostprogs-m))
70289 +__hostlibs := $(sort $(hostlibs-y) $(hostlibs-m))
70292 # Executables compiled from a single .c file
70293 @@ -54,6 +55,7 @@ host-cxxobjs := $(sort $(foreach m,$(hos
70294 # Shared libaries (only .c supported)
70295 # Shared libraries (.so) - all .so files referenced in "xxx-objs"
70296 host-cshlib := $(sort $(filter %.so, $(host-cobjs)))
70297 +host-cshlib += $(sort $(filter %.so, $(__hostlibs)))
70298 # Remove .so files from "xxx-objs"
70299 host-cobjs := $(filter-out %.so,$(host-cobjs))
70301 diff -urNp linux-2.6.32.42/scripts/mod/file2alias.c linux-2.6.32.42/scripts/mod/file2alias.c
70302 --- linux-2.6.32.42/scripts/mod/file2alias.c 2011-03-27 14:31:47.000000000 -0400
70303 +++ linux-2.6.32.42/scripts/mod/file2alias.c 2011-04-17 15:56:46.000000000 -0400
70304 @@ -72,7 +72,7 @@ static void device_id_check(const char *
70305 unsigned long size, unsigned long id_size,
70311 if (size % id_size || size < id_size) {
70312 if (cross_build != 0)
70313 @@ -102,7 +102,7 @@ static void device_id_check(const char *
70314 /* USB is special because the bcdDevice can be matched against a numeric range */
70315 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
70316 static void do_usb_entry(struct usb_device_id *id,
70317 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
70318 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
70319 unsigned char range_lo, unsigned char range_hi,
70320 struct module *mod)
70322 @@ -368,7 +368,7 @@ static void do_pnp_device_entry(void *sy
70323 for (i = 0; i < count; i++) {
70324 const char *id = (char *)devs[i].id;
70325 char acpi_id[sizeof(devs[0].id)];
70329 buf_printf(&mod->dev_table_buf,
70330 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
70331 @@ -398,7 +398,7 @@ static void do_pnp_card_entries(void *sy
70333 for (j = 0; j < PNP_MAX_DEVICES; j++) {
70334 const char *id = (char *)card->devs[j].id;
70336 + unsigned int i2, j2;
70340 @@ -424,7 +424,7 @@ static void do_pnp_card_entries(void *sy
70341 /* add an individual alias for every device entry */
70343 char acpi_id[sizeof(card->devs[0].id)];
70347 buf_printf(&mod->dev_table_buf,
70348 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
70349 @@ -699,7 +699,7 @@ static void dmi_ascii_filter(char *d, co
70350 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
70354 + unsigned int i, j;
70356 sprintf(alias, "dmi*");
70358 diff -urNp linux-2.6.32.42/scripts/mod/modpost.c linux-2.6.32.42/scripts/mod/modpost.c
70359 --- linux-2.6.32.42/scripts/mod/modpost.c 2011-03-27 14:31:47.000000000 -0400
70360 +++ linux-2.6.32.42/scripts/mod/modpost.c 2011-04-17 15:56:46.000000000 -0400
70361 @@ -835,6 +835,7 @@ enum mismatch {
70364 EXPORT_TO_INIT_EXIT,
70368 struct sectioncheck {
70369 @@ -920,6 +921,12 @@ const struct sectioncheck sectioncheck[]
70370 .fromsec = { "__ksymtab*", NULL },
70371 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
70372 .mismatch = EXPORT_TO_INIT_EXIT
70374 +/* Do not reference code from writable data */
70376 + .fromsec = { DATA_SECTIONS, NULL },
70377 + .tosec = { TEXT_SECTIONS, NULL },
70378 + .mismatch = DATA_TO_TEXT
70382 @@ -1024,10 +1031,10 @@ static Elf_Sym *find_elf_symbol(struct e
70384 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
70386 - if (sym->st_value == addr)
70388 /* Find a symbol nearby - addr are maybe negative */
70389 d = sym->st_value - addr;
70393 d = addr - sym->st_value;
70394 if (d < distance) {
70395 @@ -1268,6 +1275,14 @@ static void report_sec_mismatch(const ch
70396 "Fix this by removing the %sannotation of %s "
70397 "or drop the export.\n",
70398 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
70399 + case DATA_TO_TEXT:
70402 + "The variable %s references\n"
70403 + "the %s %s%s%s\n",
70404 + fromsym, to, sec2annotation(tosec), tosym, to_p);
70408 /* To get warnings on missing members */
70410 @@ -1651,7 +1666,7 @@ void __attribute__((format(printf, 2, 3)
70414 -void buf_write(struct buffer *buf, const char *s, int len)
70415 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
70417 if (buf->size - buf->pos < len) {
70418 buf->size += len + SZ;
70419 @@ -1863,7 +1878,7 @@ static void write_if_changed(struct buff
70420 if (fstat(fileno(file), &st) < 0)
70423 - if (st.st_size != b->pos)
70424 + if (st.st_size != (off_t)b->pos)
70427 tmp = NOFAIL(malloc(b->pos));
70428 diff -urNp linux-2.6.32.42/scripts/mod/modpost.h linux-2.6.32.42/scripts/mod/modpost.h
70429 --- linux-2.6.32.42/scripts/mod/modpost.h 2011-03-27 14:31:47.000000000 -0400
70430 +++ linux-2.6.32.42/scripts/mod/modpost.h 2011-04-17 15:56:46.000000000 -0400
70431 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
70437 + unsigned int pos;
70438 + unsigned int size;
70441 void __attribute__((format(printf, 2, 3)))
70442 buf_printf(struct buffer *buf, const char *fmt, ...);
70445 -buf_write(struct buffer *buf, const char *s, int len);
70446 +buf_write(struct buffer *buf, const char *s, unsigned int len);
70449 struct module *next;
70450 diff -urNp linux-2.6.32.42/scripts/mod/sumversion.c linux-2.6.32.42/scripts/mod/sumversion.c
70451 --- linux-2.6.32.42/scripts/mod/sumversion.c 2011-03-27 14:31:47.000000000 -0400
70452 +++ linux-2.6.32.42/scripts/mod/sumversion.c 2011-04-17 15:56:46.000000000 -0400
70453 @@ -455,7 +455,7 @@ static void write_version(const char *fi
70457 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
70458 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
70459 warn("writing sum in %s failed: %s\n",
70460 filename, strerror(errno));
70462 diff -urNp linux-2.6.32.42/scripts/pnmtologo.c linux-2.6.32.42/scripts/pnmtologo.c
70463 --- linux-2.6.32.42/scripts/pnmtologo.c 2011-03-27 14:31:47.000000000 -0400
70464 +++ linux-2.6.32.42/scripts/pnmtologo.c 2011-04-17 15:56:46.000000000 -0400
70465 @@ -237,14 +237,14 @@ static void write_header(void)
70466 fprintf(out, " * Linux logo %s\n", logoname);
70467 fputs(" */\n\n", out);
70468 fputs("#include <linux/linux_logo.h>\n\n", out);
70469 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
70470 + fprintf(out, "static unsigned char %s_data[] = {\n",
70474 static void write_footer(void)
70476 fputs("\n};\n\n", out);
70477 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
70478 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
70479 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
70480 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
70481 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
70482 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
70483 fputs("\n};\n\n", out);
70485 /* write logo clut */
70486 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
70487 + fprintf(out, "static unsigned char %s_clut[] = {\n",
70490 for (i = 0; i < logo_clutsize; i++) {
70491 diff -urNp linux-2.6.32.42/scripts/tags.sh linux-2.6.32.42/scripts/tags.sh
70492 --- linux-2.6.32.42/scripts/tags.sh 2011-03-27 14:31:47.000000000 -0400
70493 +++ linux-2.6.32.42/scripts/tags.sh 2011-06-07 18:06:04.000000000 -0400
70494 @@ -93,6 +93,11 @@ docscope()
70495 cscope -b -f cscope.out
70500 + all_sources | gtags -f -
70505 all_sources | xargs $1 -a \
70506 @@ -164,6 +169,10 @@ case "$1" in
70517 diff -urNp linux-2.6.32.42/security/capability.c linux-2.6.32.42/security/capability.c
70518 --- linux-2.6.32.42/security/capability.c 2011-03-27 14:31:47.000000000 -0400
70519 +++ linux-2.6.32.42/security/capability.c 2011-04-17 15:56:46.000000000 -0400
70520 @@ -890,7 +890,7 @@ static void cap_audit_rule_free(void *ls
70522 #endif /* CONFIG_AUDIT */
70524 -struct security_operations default_security_ops = {
70525 +struct security_operations default_security_ops __read_only = {
70529 diff -urNp linux-2.6.32.42/security/commoncap.c linux-2.6.32.42/security/commoncap.c
70530 --- linux-2.6.32.42/security/commoncap.c 2011-03-27 14:31:47.000000000 -0400
70531 +++ linux-2.6.32.42/security/commoncap.c 2011-04-17 15:56:46.000000000 -0400
70533 #include <linux/sched.h>
70534 #include <linux/prctl.h>
70535 #include <linux/securebits.h>
70537 +#include <net/sock.h>
70539 * If a non-root user executes a setuid-root binary in
70540 * !secure(SECURE_NOROOT) mode, then we raise capabilities.
70541 @@ -50,9 +50,11 @@ static void warn_setuid_and_fcaps_mixed(
70545 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
70547 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
70549 - NETLINK_CB(skb).eff_cap = current_cap();
70550 + NETLINK_CB(skb).eff_cap = gr_cap_rtnetlink(sk);
70554 @@ -582,6 +584,9 @@ int cap_bprm_secureexec(struct linux_bin
70556 const struct cred *cred = current_cred();
70558 + if (gr_acl_enable_at_secure())
70561 if (cred->uid != 0) {
70562 if (bprm->cap_effective)
70564 diff -urNp linux-2.6.32.42/security/integrity/ima/ima_api.c linux-2.6.32.42/security/integrity/ima/ima_api.c
70565 --- linux-2.6.32.42/security/integrity/ima/ima_api.c 2011-03-27 14:31:47.000000000 -0400
70566 +++ linux-2.6.32.42/security/integrity/ima/ima_api.c 2011-04-17 15:56:46.000000000 -0400
70567 @@ -74,7 +74,7 @@ void ima_add_violation(struct inode *ino
70570 /* can overflow, only indicator */
70571 - atomic_long_inc(&ima_htable.violations);
70572 + atomic_long_inc_unchecked(&ima_htable.violations);
70574 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
70576 diff -urNp linux-2.6.32.42/security/integrity/ima/ima_fs.c linux-2.6.32.42/security/integrity/ima/ima_fs.c
70577 --- linux-2.6.32.42/security/integrity/ima/ima_fs.c 2011-03-27 14:31:47.000000000 -0400
70578 +++ linux-2.6.32.42/security/integrity/ima/ima_fs.c 2011-04-17 15:56:46.000000000 -0400
70579 @@ -27,12 +27,12 @@
70580 static int valid_policy = 1;
70581 #define TMPBUFLEN 12
70582 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
70583 - loff_t *ppos, atomic_long_t *val)
70584 + loff_t *ppos, atomic_long_unchecked_t *val)
70586 char tmpbuf[TMPBUFLEN];
70589 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
70590 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
70591 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
70594 diff -urNp linux-2.6.32.42/security/integrity/ima/ima.h linux-2.6.32.42/security/integrity/ima/ima.h
70595 --- linux-2.6.32.42/security/integrity/ima/ima.h 2011-03-27 14:31:47.000000000 -0400
70596 +++ linux-2.6.32.42/security/integrity/ima/ima.h 2011-04-17 15:56:46.000000000 -0400
70597 @@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
70598 extern spinlock_t ima_queue_lock;
70600 struct ima_h_table {
70601 - atomic_long_t len; /* number of stored measurements in the list */
70602 - atomic_long_t violations;
70603 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
70604 + atomic_long_unchecked_t violations;
70605 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
70607 extern struct ima_h_table ima_htable;
70608 diff -urNp linux-2.6.32.42/security/integrity/ima/ima_queue.c linux-2.6.32.42/security/integrity/ima/ima_queue.c
70609 --- linux-2.6.32.42/security/integrity/ima/ima_queue.c 2011-03-27 14:31:47.000000000 -0400
70610 +++ linux-2.6.32.42/security/integrity/ima/ima_queue.c 2011-04-17 15:56:46.000000000 -0400
70611 @@ -78,7 +78,7 @@ static int ima_add_digest_entry(struct i
70612 INIT_LIST_HEAD(&qe->later);
70613 list_add_tail_rcu(&qe->later, &ima_measurements);
70615 - atomic_long_inc(&ima_htable.len);
70616 + atomic_long_inc_unchecked(&ima_htable.len);
70617 key = ima_hash_key(entry->digest);
70618 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
70620 diff -urNp linux-2.6.32.42/security/Kconfig linux-2.6.32.42/security/Kconfig
70621 --- linux-2.6.32.42/security/Kconfig 2011-03-27 14:31:47.000000000 -0400
70622 +++ linux-2.6.32.42/security/Kconfig 2011-06-04 20:45:36.000000000 -0400
70625 menu "Security options"
70627 +source grsecurity/Kconfig
70631 + config ARCH_TRACK_EXEC_LIMIT
70634 + config PAX_PER_CPU_PGD
70637 + config TASK_SIZE_MAX_SHIFT
70639 + depends on X86_64
70640 + default 47 if !PAX_PER_CPU_PGD
70641 + default 42 if PAX_PER_CPU_PGD
70643 + config PAX_ENABLE_PAE
70645 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
70648 + bool "Enable various PaX features"
70649 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
70651 + This allows you to enable various PaX features. PaX adds
70652 + intrusion prevention mechanisms to the kernel that reduce
70653 + the risks posed by exploitable memory corruption bugs.
70655 +menu "PaX Control"
70658 +config PAX_SOFTMODE
70659 + bool 'Support soft mode'
70660 + select PAX_PT_PAX_FLAGS
70662 + Enabling this option will allow you to run PaX in soft mode, that
70663 + is, PaX features will not be enforced by default, only on executables
70664 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
70665 + is the only way to mark executables for soft mode use.
70667 + Soft mode can be activated by using the "pax_softmode=1" kernel command
70668 + line option on boot. Furthermore you can control various PaX features
70669 + at runtime via the entries in /proc/sys/kernel/pax.
70672 + bool 'Use legacy ELF header marking'
70674 + Enabling this option will allow you to control PaX features on
70675 + a per executable basis via the 'chpax' utility available at
70676 + http://pax.grsecurity.net/. The control flags will be read from
70677 + an otherwise reserved part of the ELF header. This marking has
70678 + numerous drawbacks (no support for soft-mode, toolchain does not
70679 + know about the non-standard use of the ELF header) therefore it
70680 + has been deprecated in favour of PT_PAX_FLAGS support.
70682 + Note that if you enable PT_PAX_FLAGS marking support as well,
70683 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
70685 +config PAX_PT_PAX_FLAGS
70686 + bool 'Use ELF program header marking'
70688 + Enabling this option will allow you to control PaX features on
70689 + a per executable basis via the 'paxctl' utility available at
70690 + http://pax.grsecurity.net/. The control flags will be read from
70691 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
70692 + has the benefits of supporting both soft mode and being fully
70693 + integrated into the toolchain (the binutils patch is available
70694 + from http://pax.grsecurity.net).
70696 + If your toolchain does not support PT_PAX_FLAGS markings,
70697 + you can create one in most cases with 'paxctl -C'.
70699 + Note that if you enable the legacy EI_PAX marking support as well,
70700 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
70703 + prompt 'MAC system integration'
70704 + default PAX_HAVE_ACL_FLAGS
70706 + Mandatory Access Control systems have the option of controlling
70707 + PaX flags on a per executable basis, choose the method supported
70708 + by your particular system.
70710 + - "none": if your MAC system does not interact with PaX,
70711 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
70712 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
70714 + NOTE: this option is for developers/integrators only.
70716 + config PAX_NO_ACL_FLAGS
70719 + config PAX_HAVE_ACL_FLAGS
70722 + config PAX_HOOK_ACL_FLAGS
70728 +menu "Non-executable pages"
70732 + bool "Enforce non-executable pages"
70733 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
70735 + By design some architectures do not allow for protecting memory
70736 + pages against execution or even if they do, Linux does not make
70737 + use of this feature. In practice this means that if a page is
70738 + readable (such as the stack or heap) it is also executable.
70740 + There is a well known exploit technique that makes use of this
70741 + fact and a common programming mistake where an attacker can
70742 + introduce code of his choice somewhere in the attacked program's
70743 + memory (typically the stack or the heap) and then execute it.
70745 + If the attacked program was running with different (typically
70746 + higher) privileges than that of the attacker, then he can elevate
70747 + his own privilege level (e.g. get a root shell, write to files for
70748 + which he does not have write access to, etc).
70750 + Enabling this option will let you choose from various features
70751 + that prevent the injection and execution of 'foreign' code in
70754 + This will also break programs that rely on the old behaviour and
70755 + expect that dynamically allocated memory via the malloc() family
70756 + of functions is executable (which it is not). Notable examples
70757 + are the XFree86 4.x server, the java runtime and wine.
70759 +config PAX_PAGEEXEC
70760 + bool "Paging based non-executable pages"
70761 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
70762 + select S390_SWITCH_AMODE if S390
70763 + select S390_EXEC_PROTECT if S390
70764 + select ARCH_TRACK_EXEC_LIMIT if X86_32
70766 + This implementation is based on the paging feature of the CPU.
70767 + On i386 without hardware non-executable bit support there is a
70768 + variable but usually low performance impact, however on Intel's
70769 + P4 core based CPUs it is very high so you should not enable this
70770 + for kernels meant to be used on such CPUs.
70772 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
70773 + with hardware non-executable bit support there is no performance
70774 + impact, on ppc the impact is negligible.
70776 + Note that several architectures require various emulations due to
70777 + badly designed userland ABIs, this will cause a performance impact
70778 + but will disappear as soon as userland is fixed. For example, ppc
70779 + userland MUST have been built with secure-plt by a recent toolchain.
70781 +config PAX_SEGMEXEC
70782 + bool "Segmentation based non-executable pages"
70783 + depends on PAX_NOEXEC && X86_32
70785 + This implementation is based on the segmentation feature of the
70786 + CPU and has a very small performance impact, however applications
70787 + will be limited to a 1.5 GB address space instead of the normal
70790 +config PAX_EMUTRAMP
70791 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
70792 + default y if PARISC
70794 + There are some programs and libraries that for one reason or
70795 + another attempt to execute special small code snippets from
70796 + non-executable memory pages. Most notable examples are the
70797 + signal handler return code generated by the kernel itself and
70798 + the GCC trampolines.
70800 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
70801 + such programs will no longer work under your kernel.
70803 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
70804 + utilities to enable trampoline emulation for the affected programs
70805 + yet still have the protection provided by the non-executable pages.
70807 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
70808 + your system will not even boot.
70810 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
70811 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
70812 + for the affected files.
70814 + NOTE: enabling this feature *may* open up a loophole in the
70815 + protection provided by non-executable pages that an attacker
70816 + could abuse. Therefore the best solution is to not have any
70817 + files on your system that would require this option. This can
70818 + be achieved by not using libc5 (which relies on the kernel
70819 + signal handler return code) and not using or rewriting programs
70820 + that make use of the nested function implementation of GCC.
70821 + Skilled users can just fix GCC itself so that it implements
70822 + nested function calls in a way that does not interfere with PaX.
70824 +config PAX_EMUSIGRT
70825 + bool "Automatically emulate sigreturn trampolines"
70826 + depends on PAX_EMUTRAMP && PARISC
70829 + Enabling this option will have the kernel automatically detect
70830 + and emulate signal return trampolines executing on the stack
70831 + that would otherwise lead to task termination.
70833 + This solution is intended as a temporary one for users with
70834 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
70835 + Modula-3 runtime, etc) or executables linked to such, basically
70836 + everything that does not specify its own SA_RESTORER function in
70837 + normal executable memory like glibc 2.1+ does.
70839 + On parisc you MUST enable this option, otherwise your system will
70842 + NOTE: this feature cannot be disabled on a per executable basis
70843 + and since it *does* open up a loophole in the protection provided
70844 + by non-executable pages, the best solution is to not have any
70845 + files on your system that would require this option.
70847 +config PAX_MPROTECT
70848 + bool "Restrict mprotect()"
70849 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
70851 + Enabling this option will prevent programs from
70852 + - changing the executable status of memory pages that were
70853 + not originally created as executable,
70854 + - making read-only executable pages writable again,
70855 + - creating executable pages from anonymous memory,
70856 + - making read-only-after-relocations (RELRO) data pages writable again.
70858 + You should say Y here to complete the protection provided by
70859 + the enforcement of non-executable pages.
70861 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
70862 + this feature on a per file basis.
70864 +config PAX_MPROTECT_COMPAT
70865 + bool "Use legacy/compat protection demoting (read help)"
70866 + depends on PAX_MPROTECT
70869 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
70870 + by sending the proper error code to the application. For some broken
70871 + userland, this can cause problems with Python or other applications. The
70872 + current implementation however allows for applications like clamav to
70873 + detect if JIT compilation/execution is allowed and to fall back gracefully
70874 + to an interpreter-based mode if it does not. While we encourage everyone
70875 + to use the current implementation as-is and push upstream to fix broken
70876 + userland (note that the RWX logging option can assist with this), in some
70877 + environments this may not be possible. Having to disable MPROTECT
70878 + completely on certain binaries reduces the security benefit of PaX,
70879 + so this option is provided for those environments to revert to the old
70882 +config PAX_ELFRELOCS
70883 + bool "Allow ELF text relocations (read help)"
70884 + depends on PAX_MPROTECT
70887 + Non-executable pages and mprotect() restrictions are effective
70888 + in preventing the introduction of new executable code into an
70889 + attacked task's address space. There remain only two venues
70890 + for this kind of attack: if the attacker can execute already
70891 + existing code in the attacked task then he can either have it
70892 + create and mmap() a file containing his code or have it mmap()
70893 + an already existing ELF library that does not have position
70894 + independent code in it and use mprotect() on it to make it
70895 + writable and copy his code there. While protecting against
70896 + the former approach is beyond PaX, the latter can be prevented
70897 + by having only PIC ELF libraries on one's system (which do not
70898 + need to relocate their code). If you are sure this is your case,
70899 + as is the case with all modern Linux distributions, then leave
70900 + this option disabled. You should say 'n' here.
70902 +config PAX_ETEXECRELOCS
70903 + bool "Allow ELF ET_EXEC text relocations"
70904 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
70905 + select PAX_ELFRELOCS
70908 + On some architectures there are incorrectly created applications
70909 + that require text relocations and would not work without enabling
70910 + this option. If you are an alpha, ia64 or parisc user, you should
70911 + enable this option and disable it once you have made sure that
70912 + none of your applications need it.
70915 + bool "Automatically emulate ELF PLT"
70916 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
70919 + Enabling this option will have the kernel automatically detect
70920 + and emulate the Procedure Linkage Table entries in ELF files.
70921 + On some architectures such entries are in writable memory, and
70922 + become non-executable leading to task termination. Therefore
70923 + it is mandatory that you enable this option on alpha, parisc,
70924 + sparc and sparc64, otherwise your system would not even boot.
70926 + NOTE: this feature *does* open up a loophole in the protection
70927 + provided by the non-executable pages, therefore the proper
70928 + solution is to modify the toolchain to produce a PLT that does
70929 + not need to be writable.
70931 +config PAX_DLRESOLVE
70932 + bool 'Emulate old glibc resolver stub'
70933 + depends on PAX_EMUPLT && SPARC
70936 + This option is needed if userland has an old glibc (before 2.4)
70937 + that puts a 'save' instruction into the runtime generated resolver
70938 + stub that needs special emulation.
70940 +config PAX_KERNEXEC
70941 + bool "Enforce non-executable kernel pages"
70942 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
70943 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
70945 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
70946 + that is, enabling this option will make it harder to inject
70947 + and execute 'foreign' code in kernel memory itself.
70949 + Note that on x86_64 kernels there is a known regression when
70950 + this feature and KVM/VMX are both enabled in the host kernel.
70952 +config PAX_KERNEXEC_MODULE_TEXT
70953 + int "Minimum amount of memory reserved for module code"
70955 + depends on PAX_KERNEXEC && X86_32 && MODULES
70957 + Due to implementation details the kernel must reserve a fixed
70958 + amount of memory for module code at compile time that cannot be
70959 + changed at runtime. Here you can specify the minimum amount
70960 + in MB that will be reserved. Due to the same implementation
70961 + details this size will always be rounded up to the next 2/4 MB
70962 + boundary (depends on PAE) so the actually available memory for
70963 + module code will usually be more than this minimum.
70965 + The default 4 MB should be enough for most users but if you have
70966 + an excessive number of modules (e.g., most distribution configs
70967 + compile many drivers as modules) or use huge modules such as
70968 + nvidia's kernel driver, you will need to adjust this amount.
70969 + A good rule of thumb is to look at your currently loaded kernel
70970 + modules and add up their sizes.
70974 +menu "Address Space Layout Randomization"
70978 + bool "Address Space Layout Randomization"
70979 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
70981 + Many if not most exploit techniques rely on the knowledge of
70982 + certain addresses in the attacked program. The following options
70983 + will allow the kernel to apply a certain amount of randomization
70984 + to specific parts of the program thereby forcing an attacker to
70985 + guess them in most cases. Any failed guess will most likely crash
70986 + the attacked program which allows the kernel to detect such attempts
70987 + and react on them. PaX itself provides no reaction mechanisms,
70988 + instead it is strongly encouraged that you make use of Nergal's
70989 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
70990 + (http://www.grsecurity.net/) built-in crash detection features or
70991 + develop one yourself.
70993 + By saying Y here you can choose to randomize the following areas:
70994 + - top of the task's kernel stack
70995 + - top of the task's userland stack
70996 + - base address for mmap() requests that do not specify one
70997 + (this includes all libraries)
70998 + - base address of the main executable
71000 + It is strongly recommended to say Y here as address space layout
71001 + randomization has negligible impact on performance yet it provides
71002 + a very effective protection.
71004 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
71005 + this feature on a per file basis.
71007 +config PAX_RANDKSTACK
71008 + bool "Randomize kernel stack base"
71009 + depends on PAX_ASLR && X86_TSC && X86
71011 + By saying Y here the kernel will randomize every task's kernel
71012 + stack on every system call. This will not only force an attacker
71013 + to guess it but also prevent him from making use of possible
71014 + leaked information about it.
71016 + Since the kernel stack is a rather scarce resource, randomization
71017 + may cause unexpected stack overflows, therefore you should very
71018 + carefully test your system. Note that once enabled in the kernel
71019 + configuration, this feature cannot be disabled on a per file basis.
71021 +config PAX_RANDUSTACK
71022 + bool "Randomize user stack base"
71023 + depends on PAX_ASLR
71025 + By saying Y here the kernel will randomize every task's userland
71026 + stack. The randomization is done in two steps where the second
71027 + one may apply a big amount of shift to the top of the stack and
71028 + cause problems for programs that want to use lots of memory (more
71029 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
71030 + For this reason the second step can be controlled by 'chpax' or
71031 + 'paxctl' on a per file basis.
71033 +config PAX_RANDMMAP
71034 + bool "Randomize mmap() base"
71035 + depends on PAX_ASLR
71037 + By saying Y here the kernel will use a randomized base address for
71038 + mmap() requests that do not specify one themselves. As a result
71039 + all dynamically loaded libraries will appear at random addresses
71040 + and therefore be harder to exploit by a technique where an attacker
71041 + attempts to execute library code for his purposes (e.g. spawn a
71042 + shell from an exploited program that is running at an elevated
71043 + privilege level).
71045 + Furthermore, if a program is relinked as a dynamic ELF file, its
71046 + base address will be randomized as well, completing the full
71047 + randomization of the address space layout. Attacking such programs
71048 + becomes a guess game. You can find an example of doing this at
71049 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
71050 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
71052 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
71053 + feature on a per file basis.
71057 +menu "Miscellaneous hardening features"
71059 +config PAX_MEMORY_SANITIZE
71060 + bool "Sanitize all freed memory"
71062 + By saying Y here the kernel will erase memory pages as soon as they
71063 + are freed. This in turn reduces the lifetime of data stored in the
71064 + pages, making it less likely that sensitive information such as
71065 + passwords, cryptographic secrets, etc stay in memory for too long.
71067 + This is especially useful for programs whose runtime is short, long
71068 + lived processes and the kernel itself benefit from this as long as
71069 + they operate on whole memory pages and ensure timely freeing of pages
71070 + that may hold sensitive information.
71072 + The tradeoff is performance impact, on a single CPU system kernel
71073 + compilation sees a 3% slowdown, other systems and workloads may vary
71074 + and you are advised to test this feature on your expected workload
71075 + before deploying it.
71077 + Note that this feature does not protect data stored in live pages,
71078 + e.g., process memory swapped to disk may stay there for a long time.
71080 +config PAX_MEMORY_STACKLEAK
71081 + bool "Sanitize kernel stack"
71084 + By saying Y here the kernel will erase the kernel stack before it
71085 + returns from a system call. This in turn reduces the information
71086 + that a kernel stack leak bug can reveal.
71088 + Note that such a bug can still leak information that was put on
71089 + the stack by the current system call (the one eventually triggering
71090 + the bug) but traces of earlier system calls on the kernel stack
71091 + cannot leak anymore.
71093 + The tradeoff is performance impact, on a single CPU system kernel
71094 + compilation sees a 1% slowdown, other systems and workloads may vary
71095 + and you are advised to test this feature on your expected workload
71096 + before deploying it.
71098 + Note: full support for this feature requires gcc with plugin support
71099 + so make sure your compiler is at least gcc 4.5.0 (cross compilation
71100 + is not supported). Using older gcc versions means that functions
71101 + with large enough stack frames may leave uninitialized memory behind
71102 + that may be exposed to a later syscall leaking the stack.
71104 +config PAX_MEMORY_UDEREF
71105 + bool "Prevent invalid userland pointer dereference"
71106 + depends on X86 && !UML_X86 && !XEN
71107 + select PAX_PER_CPU_PGD if X86_64
71109 + By saying Y here the kernel will be prevented from dereferencing
71110 + userland pointers in contexts where the kernel expects only kernel
71111 + pointers. This is both a useful runtime debugging feature and a
71112 + security measure that prevents exploiting a class of kernel bugs.
71114 + The tradeoff is that some virtualization solutions may experience
71115 + a huge slowdown and therefore you should not enable this feature
71116 + for kernels meant to run in such environments. Whether a given VM
71117 + solution is affected or not is best determined by simply trying it
71118 + out, the performance impact will be obvious right on boot as this
71119 + mechanism engages from very early on. A good rule of thumb is that
71120 + VMs running on CPUs without hardware virtualization support (i.e.,
71121 + the majority of IA-32 CPUs) will likely experience the slowdown.
71123 +config PAX_REFCOUNT
71124 + bool "Prevent various kernel object reference counter overflows"
71125 + depends on GRKERNSEC && (X86 || SPARC64)
71127 + By saying Y here the kernel will detect and prevent overflowing
71128 + various (but not all) kinds of object reference counters. Such
71129 + overflows can normally occur due to bugs only and are often, if
71130 + not always, exploitable.
71132 + The tradeoff is that data structures protected by an overflowed
71133 + refcount will never be freed and therefore will leak memory. Note
71134 + that this leak also happens even without this protection but in
71135 + that case the overflow can eventually trigger the freeing of the
71136 + data structure while it is still being used elsewhere, resulting
71137 + in the exploitable situation that this feature prevents.
71139 + Since this has a negligible performance impact, you should enable
71142 +config PAX_USERCOPY
71143 + bool "Harden heap object copies between kernel and userland"
71144 + depends on X86 || PPC || SPARC
71145 + depends on GRKERNSEC && (SLAB || SLUB)
71147 + By saying Y here the kernel will enforce the size of heap objects
71148 + when they are copied in either direction between the kernel and
71149 + userland, even if only a part of the heap object is copied.
71151 + Specifically, this checking prevents information leaking from the
71152 + kernel heap during kernel to userland copies (if the kernel heap
71153 + object is otherwise fully initialized) and prevents kernel heap
71154 + overflows during userland to kernel copies.
71156 + Note that the current implementation provides the strictest bounds
71157 + checks for the SLUB allocator.
71159 + Enabling this option also enables per-slab cache protection against
71160 + data in a given cache being copied into/out of via userland
71161 + accessors. Though the whitelist of regions will be reduced over
71162 + time, it notably protects important data structures like task structs.
71165 + If frame pointers are enabled on x86, this option will also
71166 + restrict copies into and out of the kernel stack to local variables
71167 + within a single frame.
71169 + Since this has a negligible performance impact, you should enable
71177 bool "Enable access key retention support"
71179 @@ -146,7 +695,7 @@ config INTEL_TXT
71180 config LSM_MMAP_MIN_ADDR
71181 int "Low address space for LSM to protect from user allocation"
71182 depends on SECURITY && SECURITY_SELINUX
71186 This is the portion of low virtual memory which should be protected
71187 from userspace allocation. Keeping a user from writing to low pages
71188 diff -urNp linux-2.6.32.42/security/keys/keyring.c linux-2.6.32.42/security/keys/keyring.c
71189 --- linux-2.6.32.42/security/keys/keyring.c 2011-03-27 14:31:47.000000000 -0400
71190 +++ linux-2.6.32.42/security/keys/keyring.c 2011-04-18 22:03:00.000000000 -0400
71191 @@ -214,15 +214,15 @@ static long keyring_read(const struct ke
71194 for (loop = 0; loop < klist->nkeys; loop++) {
71195 + key_serial_t serial;
71196 key = klist->keys[loop];
71197 + serial = key->serial;
71199 tmp = sizeof(key_serial_t);
71203 - if (copy_to_user(buffer,
71206 + if (copy_to_user(buffer, &serial, tmp))
71210 diff -urNp linux-2.6.32.42/security/min_addr.c linux-2.6.32.42/security/min_addr.c
71211 --- linux-2.6.32.42/security/min_addr.c 2011-03-27 14:31:47.000000000 -0400
71212 +++ linux-2.6.32.42/security/min_addr.c 2011-04-17 15:56:46.000000000 -0400
71213 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
71215 static void update_mmap_min_addr(void)
71218 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
71219 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
71220 mmap_min_addr = dac_mmap_min_addr;
71221 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
71223 mmap_min_addr = dac_mmap_min_addr;
71229 diff -urNp linux-2.6.32.42/security/root_plug.c linux-2.6.32.42/security/root_plug.c
71230 --- linux-2.6.32.42/security/root_plug.c 2011-03-27 14:31:47.000000000 -0400
71231 +++ linux-2.6.32.42/security/root_plug.c 2011-04-17 15:56:46.000000000 -0400
71232 @@ -70,7 +70,7 @@ static int rootplug_bprm_check_security
71236 -static struct security_operations rootplug_security_ops = {
71237 +static struct security_operations rootplug_security_ops __read_only = {
71238 .bprm_check_security = rootplug_bprm_check_security,
71241 diff -urNp linux-2.6.32.42/security/security.c linux-2.6.32.42/security/security.c
71242 --- linux-2.6.32.42/security/security.c 2011-03-27 14:31:47.000000000 -0400
71243 +++ linux-2.6.32.42/security/security.c 2011-04-17 15:56:46.000000000 -0400
71244 @@ -24,7 +24,7 @@ static __initdata char chosen_lsm[SECURI
71245 extern struct security_operations default_security_ops;
71246 extern void security_fixup_ops(struct security_operations *ops);
71248 -struct security_operations *security_ops; /* Initialized to NULL */
71249 +struct security_operations *security_ops __read_only; /* Initialized to NULL */
71251 static inline int verify(struct security_operations *ops)
71253 @@ -106,7 +106,7 @@ int __init security_module_enable(struct
71254 * If there is already a security module registered with the kernel,
71255 * an error will be returned. Otherwise %0 is returned on success.
71257 -int register_security(struct security_operations *ops)
71258 +int __init register_security(struct security_operations *ops)
71261 printk(KERN_DEBUG "%s could not verify "
71262 diff -urNp linux-2.6.32.42/security/selinux/hooks.c linux-2.6.32.42/security/selinux/hooks.c
71263 --- linux-2.6.32.42/security/selinux/hooks.c 2011-03-27 14:31:47.000000000 -0400
71264 +++ linux-2.6.32.42/security/selinux/hooks.c 2011-04-17 15:56:46.000000000 -0400
71265 @@ -131,7 +131,7 @@ int selinux_enabled = 1;
71266 * Minimal support for a secondary security module,
71267 * just to allow the use of the capability module.
71269 -static struct security_operations *secondary_ops;
71270 +static struct security_operations *secondary_ops __read_only;
71272 /* Lists of inode and superblock security structures initialized
71273 before the policy was loaded. */
71274 @@ -5457,7 +5457,7 @@ static int selinux_key_getsecurity(struc
71278 -static struct security_operations selinux_ops = {
71279 +static struct security_operations selinux_ops __read_only = {
71282 .ptrace_access_check = selinux_ptrace_access_check,
71283 @@ -5841,7 +5841,9 @@ int selinux_disable(void)
71286 /* Reset security_ops to the secondary module, dummy or capability. */
71287 + pax_open_kernel();
71288 security_ops = secondary_ops;
71289 + pax_close_kernel();
71291 /* Unregister netfilter hooks. */
71292 selinux_nf_ip_exit();
71293 diff -urNp linux-2.6.32.42/security/selinux/include/xfrm.h linux-2.6.32.42/security/selinux/include/xfrm.h
71294 --- linux-2.6.32.42/security/selinux/include/xfrm.h 2011-03-27 14:31:47.000000000 -0400
71295 +++ linux-2.6.32.42/security/selinux/include/xfrm.h 2011-05-18 20:09:37.000000000 -0400
71296 @@ -48,7 +48,7 @@ int selinux_xfrm_decode_session(struct s
71298 static inline void selinux_xfrm_notify_policyload(void)
71300 - atomic_inc(&flow_cache_genid);
71301 + atomic_inc_unchecked(&flow_cache_genid);
71304 static inline int selinux_xfrm_enabled(void)
71305 diff -urNp linux-2.6.32.42/security/selinux/ss/services.c linux-2.6.32.42/security/selinux/ss/services.c
71306 --- linux-2.6.32.42/security/selinux/ss/services.c 2011-03-27 14:31:47.000000000 -0400
71307 +++ linux-2.6.32.42/security/selinux/ss/services.c 2011-05-16 21:46:57.000000000 -0400
71308 @@ -1715,6 +1715,8 @@ int security_load_policy(void *data, siz
71310 struct policy_file file = { data, len }, *fp = &file;
71312 + pax_track_stack();
71314 if (!ss_initialized) {
71315 avtab_cache_init();
71316 if (policydb_read(&policydb, fp)) {
71317 diff -urNp linux-2.6.32.42/security/smack/smack_lsm.c linux-2.6.32.42/security/smack/smack_lsm.c
71318 --- linux-2.6.32.42/security/smack/smack_lsm.c 2011-03-27 14:31:47.000000000 -0400
71319 +++ linux-2.6.32.42/security/smack/smack_lsm.c 2011-04-17 15:56:46.000000000 -0400
71320 @@ -3073,7 +3073,7 @@ static int smack_inode_getsecctx(struct
71324 -struct security_operations smack_ops = {
71325 +struct security_operations smack_ops __read_only = {
71328 .ptrace_access_check = smack_ptrace_access_check,
71329 diff -urNp linux-2.6.32.42/security/tomoyo/tomoyo.c linux-2.6.32.42/security/tomoyo/tomoyo.c
71330 --- linux-2.6.32.42/security/tomoyo/tomoyo.c 2011-03-27 14:31:47.000000000 -0400
71331 +++ linux-2.6.32.42/security/tomoyo/tomoyo.c 2011-04-17 15:56:46.000000000 -0400
71332 @@ -275,7 +275,7 @@ static int tomoyo_dentry_open(struct fil
71333 * tomoyo_security_ops is a "struct security_operations" which is used for
71334 * registering TOMOYO.
71336 -static struct security_operations tomoyo_security_ops = {
71337 +static struct security_operations tomoyo_security_ops __read_only = {
71339 .cred_alloc_blank = tomoyo_cred_alloc_blank,
71340 .cred_prepare = tomoyo_cred_prepare,
71341 diff -urNp linux-2.6.32.42/sound/aoa/codecs/onyx.c linux-2.6.32.42/sound/aoa/codecs/onyx.c
71342 --- linux-2.6.32.42/sound/aoa/codecs/onyx.c 2011-03-27 14:31:47.000000000 -0400
71343 +++ linux-2.6.32.42/sound/aoa/codecs/onyx.c 2011-04-17 15:56:46.000000000 -0400
71344 @@ -53,7 +53,7 @@ struct onyx {
71349 + local_t open_count;
71350 struct codec_info *codec_info;
71352 /* mutex serializes concurrent access to the device
71353 @@ -752,7 +752,7 @@ static int onyx_open(struct codec_info_i
71354 struct onyx *onyx = cii->codec_data;
71356 mutex_lock(&onyx->mutex);
71357 - onyx->open_count++;
71358 + local_inc(&onyx->open_count);
71359 mutex_unlock(&onyx->mutex);
71362 @@ -764,8 +764,7 @@ static int onyx_close(struct codec_info_
71363 struct onyx *onyx = cii->codec_data;
71365 mutex_lock(&onyx->mutex);
71366 - onyx->open_count--;
71367 - if (!onyx->open_count)
71368 + if (local_dec_and_test(&onyx->open_count))
71369 onyx->spdif_locked = onyx->analog_locked = 0;
71370 mutex_unlock(&onyx->mutex);
71372 diff -urNp linux-2.6.32.42/sound/aoa/codecs/onyx.h linux-2.6.32.42/sound/aoa/codecs/onyx.h
71373 --- linux-2.6.32.42/sound/aoa/codecs/onyx.h 2011-03-27 14:31:47.000000000 -0400
71374 +++ linux-2.6.32.42/sound/aoa/codecs/onyx.h 2011-04-17 15:56:46.000000000 -0400
71376 #include <linux/i2c.h>
71377 #include <asm/pmac_low_i2c.h>
71378 #include <asm/prom.h>
71379 +#include <asm/local.h>
71381 /* PCM3052 register definitions */
71383 diff -urNp linux-2.6.32.42/sound/drivers/mts64.c linux-2.6.32.42/sound/drivers/mts64.c
71384 --- linux-2.6.32.42/sound/drivers/mts64.c 2011-03-27 14:31:47.000000000 -0400
71385 +++ linux-2.6.32.42/sound/drivers/mts64.c 2011-04-17 15:56:46.000000000 -0400
71387 #include <sound/initval.h>
71388 #include <sound/rawmidi.h>
71389 #include <sound/control.h>
71390 +#include <asm/local.h>
71392 #define CARD_NAME "Miditerminal 4140"
71393 #define DRIVER_NAME "MTS64"
71394 @@ -65,7 +66,7 @@ struct mts64 {
71395 struct pardevice *pardev;
71396 int pardev_claimed;
71399 + local_t open_count;
71400 int current_midi_output_port;
71401 int current_midi_input_port;
71402 u8 mode[MTS64_NUM_INPUT_PORTS];
71403 @@ -695,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
71405 struct mts64 *mts = substream->rmidi->private_data;
71407 - if (mts->open_count == 0) {
71408 + if (local_read(&mts->open_count) == 0) {
71409 /* We don't need a spinlock here, because this is just called
71410 if the device has not been opened before.
71411 So there aren't any IRQs from the device */
71412 @@ -703,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
71416 - ++(mts->open_count);
71417 + local_inc(&mts->open_count);
71421 @@ -713,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
71422 struct mts64 *mts = substream->rmidi->private_data;
71423 unsigned long flags;
71425 - --(mts->open_count);
71426 - if (mts->open_count == 0) {
71427 + if (local_dec_return(&mts->open_count) == 0) {
71428 /* We need the spinlock_irqsave here because we can still
71429 have IRQs at this point */
71430 spin_lock_irqsave(&mts->lock, flags);
71431 @@ -723,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
71435 - } else if (mts->open_count < 0)
71436 - mts->open_count = 0;
71437 + } else if (local_read(&mts->open_count) < 0)
71438 + local_set(&mts->open_count, 0);
71442 diff -urNp linux-2.6.32.42/sound/drivers/portman2x4.c linux-2.6.32.42/sound/drivers/portman2x4.c
71443 --- linux-2.6.32.42/sound/drivers/portman2x4.c 2011-03-27 14:31:47.000000000 -0400
71444 +++ linux-2.6.32.42/sound/drivers/portman2x4.c 2011-04-17 15:56:46.000000000 -0400
71446 #include <sound/initval.h>
71447 #include <sound/rawmidi.h>
71448 #include <sound/control.h>
71449 +#include <asm/local.h>
71451 #define CARD_NAME "Portman 2x4"
71452 #define DRIVER_NAME "portman"
71453 @@ -83,7 +84,7 @@ struct portman {
71454 struct pardevice *pardev;
71455 int pardev_claimed;
71458 + local_t open_count;
71459 int mode[PORTMAN_NUM_INPUT_PORTS];
71460 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
71462 diff -urNp linux-2.6.32.42/sound/oss/sb_audio.c linux-2.6.32.42/sound/oss/sb_audio.c
71463 --- linux-2.6.32.42/sound/oss/sb_audio.c 2011-03-27 14:31:47.000000000 -0400
71464 +++ linux-2.6.32.42/sound/oss/sb_audio.c 2011-04-17 15:56:46.000000000 -0400
71465 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
71466 buf16 = (signed short *)(localbuf + localoffs);
71469 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
71470 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
71471 if (copy_from_user(lbuf8,
71472 userbuf+useroffs + p,
71474 diff -urNp linux-2.6.32.42/sound/oss/swarm_cs4297a.c linux-2.6.32.42/sound/oss/swarm_cs4297a.c
71475 --- linux-2.6.32.42/sound/oss/swarm_cs4297a.c 2011-03-27 14:31:47.000000000 -0400
71476 +++ linux-2.6.32.42/sound/oss/swarm_cs4297a.c 2011-04-17 15:56:46.000000000 -0400
71477 @@ -2577,7 +2577,6 @@ static int __init cs4297a_init(void)
71479 struct cs4297a_state *s;
71483 #ifndef CONFIG_BCM_CS4297A_CSWARM
71485 @@ -2667,22 +2666,23 @@ static int __init cs4297a_init(void)
71487 char *sb1250_duart_present;
71494 val = SOUND_MASK_LINE;
71495 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
71496 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
71497 val = initvol[i].vol;
71498 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
71501 // cs4297a_write_ac97(s, 0x18, 0x0808);
71503 // cs4297a_write_ac97(s, 0x5e, 0x180);
71504 cs4297a_write_ac97(s, 0x02, 0x0808);
71505 cs4297a_write_ac97(s, 0x18, 0x0808);
71509 list_add(&s->list, &cs4297a_devs);
71511 diff -urNp linux-2.6.32.42/sound/pci/ac97/ac97_codec.c linux-2.6.32.42/sound/pci/ac97/ac97_codec.c
71512 --- linux-2.6.32.42/sound/pci/ac97/ac97_codec.c 2011-03-27 14:31:47.000000000 -0400
71513 +++ linux-2.6.32.42/sound/pci/ac97/ac97_codec.c 2011-04-17 15:56:46.000000000 -0400
71514 @@ -1952,7 +1952,7 @@ static int snd_ac97_dev_disconnect(struc
71517 /* build_ops to do nothing */
71518 -static struct snd_ac97_build_ops null_build_ops;
71519 +static const struct snd_ac97_build_ops null_build_ops;
71521 #ifdef CONFIG_SND_AC97_POWER_SAVE
71522 static void do_update_power(struct work_struct *work)
71523 diff -urNp linux-2.6.32.42/sound/pci/ac97/ac97_patch.c linux-2.6.32.42/sound/pci/ac97/ac97_patch.c
71524 --- linux-2.6.32.42/sound/pci/ac97/ac97_patch.c 2011-03-27 14:31:47.000000000 -0400
71525 +++ linux-2.6.32.42/sound/pci/ac97/ac97_patch.c 2011-04-23 12:56:12.000000000 -0400
71526 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
71530 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
71531 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
71532 .build_spdif = patch_yamaha_ymf743_build_spdif,
71533 .build_3d = patch_yamaha_ymf7x3_3d,
71535 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
71539 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
71540 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
71541 .build_3d = patch_yamaha_ymf7x3_3d,
71542 .build_post_spdif = patch_yamaha_ymf753_post_spdif
71544 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
71548 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
71549 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
71550 .build_specific = patch_wolfson_wm9703_specific,
71553 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
71557 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
71558 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
71559 .build_specific = patch_wolfson_wm9704_specific,
71562 @@ -555,7 +555,7 @@ static int patch_wolfson_wm9705_specific
71566 -static struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
71567 +static const struct snd_ac97_build_ops patch_wolfson_wm9705_ops = {
71568 .build_specific = patch_wolfson_wm9705_specific,
71571 @@ -692,7 +692,7 @@ static int patch_wolfson_wm9711_specific
71575 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
71576 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
71577 .build_specific = patch_wolfson_wm9711_specific,
71580 @@ -886,7 +886,7 @@ static void patch_wolfson_wm9713_resume
71584 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
71585 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
71586 .build_specific = patch_wolfson_wm9713_specific,
71587 .build_3d = patch_wolfson_wm9713_3d,
71589 @@ -991,7 +991,7 @@ static int patch_sigmatel_stac97xx_speci
71593 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
71594 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
71595 .build_3d = patch_sigmatel_stac9700_3d,
71596 .build_specific = patch_sigmatel_stac97xx_specific
71598 @@ -1038,7 +1038,7 @@ static int patch_sigmatel_stac9708_speci
71599 return patch_sigmatel_stac97xx_specific(ac97);
71602 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
71603 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
71604 .build_3d = patch_sigmatel_stac9708_3d,
71605 .build_specific = patch_sigmatel_stac9708_specific
71607 @@ -1267,7 +1267,7 @@ static int patch_sigmatel_stac9758_speci
71611 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
71612 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
71613 .build_3d = patch_sigmatel_stac9700_3d,
71614 .build_specific = patch_sigmatel_stac9758_specific
71616 @@ -1342,7 +1342,7 @@ static int patch_cirrus_build_spdif(stru
71620 -static struct snd_ac97_build_ops patch_cirrus_ops = {
71621 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
71622 .build_spdif = patch_cirrus_build_spdif
71625 @@ -1399,7 +1399,7 @@ static int patch_conexant_build_spdif(st
71629 -static struct snd_ac97_build_ops patch_conexant_ops = {
71630 +static const struct snd_ac97_build_ops patch_conexant_ops = {
71631 .build_spdif = patch_conexant_build_spdif
71634 @@ -1575,7 +1575,7 @@ static void patch_ad1881_chained(struct
71638 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
71639 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
71641 .resume = ad18xx_resume
71643 @@ -1662,7 +1662,7 @@ static int patch_ad1885_specific(struct
71647 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
71648 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
71649 .build_specific = &patch_ad1885_specific,
71651 .resume = ad18xx_resume
71652 @@ -1689,7 +1689,7 @@ static int patch_ad1886_specific(struct
71656 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
71657 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
71658 .build_specific = &patch_ad1886_specific,
71660 .resume = ad18xx_resume
71661 @@ -1896,7 +1896,7 @@ static int patch_ad1981a_specific(struct
71662 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
71665 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
71666 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
71667 .build_post_spdif = patch_ad198x_post_spdif,
71668 .build_specific = patch_ad1981a_specific,
71670 @@ -1951,7 +1951,7 @@ static int patch_ad1981b_specific(struct
71671 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
71674 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
71675 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
71676 .build_post_spdif = patch_ad198x_post_spdif,
71677 .build_specific = patch_ad1981b_specific,
71679 @@ -2090,7 +2090,7 @@ static int patch_ad1888_specific(struct
71680 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
71683 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
71684 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
71685 .build_post_spdif = patch_ad198x_post_spdif,
71686 .build_specific = patch_ad1888_specific,
71688 @@ -2139,7 +2139,7 @@ static int patch_ad1980_specific(struct
71689 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
71692 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
71693 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
71694 .build_post_spdif = patch_ad198x_post_spdif,
71695 .build_specific = patch_ad1980_specific,
71697 @@ -2254,7 +2254,7 @@ static int patch_ad1985_specific(struct
71698 ARRAY_SIZE(snd_ac97_ad1985_controls));
71701 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
71702 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
71703 .build_post_spdif = patch_ad198x_post_spdif,
71704 .build_specific = patch_ad1985_specific,
71706 @@ -2546,7 +2546,7 @@ static int patch_ad1986_specific(struct
71707 ARRAY_SIZE(snd_ac97_ad1985_controls));
71710 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
71711 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
71712 .build_post_spdif = patch_ad198x_post_spdif,
71713 .build_specific = patch_ad1986_specific,
71715 @@ -2651,7 +2651,7 @@ static int patch_alc650_specific(struct
71719 -static struct snd_ac97_build_ops patch_alc650_ops = {
71720 +static const struct snd_ac97_build_ops patch_alc650_ops = {
71721 .build_specific = patch_alc650_specific,
71722 .update_jacks = alc650_update_jacks
71724 @@ -2803,7 +2803,7 @@ static int patch_alc655_specific(struct
71728 -static struct snd_ac97_build_ops patch_alc655_ops = {
71729 +static const struct snd_ac97_build_ops patch_alc655_ops = {
71730 .build_specific = patch_alc655_specific,
71731 .update_jacks = alc655_update_jacks
71733 @@ -2915,7 +2915,7 @@ static int patch_alc850_specific(struct
71737 -static struct snd_ac97_build_ops patch_alc850_ops = {
71738 +static const struct snd_ac97_build_ops patch_alc850_ops = {
71739 .build_specific = patch_alc850_specific,
71740 .update_jacks = alc850_update_jacks
71742 @@ -2977,7 +2977,7 @@ static int patch_cm9738_specific(struct
71743 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
71746 -static struct snd_ac97_build_ops patch_cm9738_ops = {
71747 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
71748 .build_specific = patch_cm9738_specific,
71749 .update_jacks = cm9738_update_jacks
71751 @@ -3068,7 +3068,7 @@ static int patch_cm9739_post_spdif(struc
71752 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
71755 -static struct snd_ac97_build_ops patch_cm9739_ops = {
71756 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
71757 .build_specific = patch_cm9739_specific,
71758 .build_post_spdif = patch_cm9739_post_spdif,
71759 .update_jacks = cm9739_update_jacks
71760 @@ -3242,7 +3242,7 @@ static int patch_cm9761_specific(struct
71761 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
71764 -static struct snd_ac97_build_ops patch_cm9761_ops = {
71765 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
71766 .build_specific = patch_cm9761_specific,
71767 .build_post_spdif = patch_cm9761_post_spdif,
71768 .update_jacks = cm9761_update_jacks
71769 @@ -3338,7 +3338,7 @@ static int patch_cm9780_specific(struct
71770 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
71773 -static struct snd_ac97_build_ops patch_cm9780_ops = {
71774 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
71775 .build_specific = patch_cm9780_specific,
71776 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
71778 @@ -3458,7 +3458,7 @@ static int patch_vt1616_specific(struct
71782 -static struct snd_ac97_build_ops patch_vt1616_ops = {
71783 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
71784 .build_specific = patch_vt1616_specific
71787 @@ -3812,7 +3812,7 @@ static int patch_it2646_specific(struct
71791 -static struct snd_ac97_build_ops patch_it2646_ops = {
71792 +static const struct snd_ac97_build_ops patch_it2646_ops = {
71793 .build_specific = patch_it2646_specific,
71794 .update_jacks = it2646_update_jacks
71796 @@ -3846,7 +3846,7 @@ static int patch_si3036_specific(struct
71800 -static struct snd_ac97_build_ops patch_si3036_ops = {
71801 +static const struct snd_ac97_build_ops patch_si3036_ops = {
71802 .build_specific = patch_si3036_specific,
71805 @@ -3913,7 +3913,7 @@ static int patch_ucb1400_specific(struct
71809 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
71810 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
71811 .build_specific = patch_ucb1400_specific,
71814 diff -urNp linux-2.6.32.42/sound/pci/hda/patch_intelhdmi.c linux-2.6.32.42/sound/pci/hda/patch_intelhdmi.c
71815 --- linux-2.6.32.42/sound/pci/hda/patch_intelhdmi.c 2011-03-27 14:31:47.000000000 -0400
71816 +++ linux-2.6.32.42/sound/pci/hda/patch_intelhdmi.c 2011-04-17 15:56:46.000000000 -0400
71817 @@ -511,10 +511,10 @@ static void hdmi_non_intrinsic_event(str
71832 diff -urNp linux-2.6.32.42/sound/pci/intel8x0m.c linux-2.6.32.42/sound/pci/intel8x0m.c
71833 --- linux-2.6.32.42/sound/pci/intel8x0m.c 2011-03-27 14:31:47.000000000 -0400
71834 +++ linux-2.6.32.42/sound/pci/intel8x0m.c 2011-04-23 12:56:12.000000000 -0400
71835 @@ -1264,7 +1264,7 @@ static struct shortname_table {
71836 { 0x5455, "ALi M5455" },
71837 { 0x746d, "AMD AMD8111" },
71843 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
71844 diff -urNp linux-2.6.32.42/sound/pci/ymfpci/ymfpci_main.c linux-2.6.32.42/sound/pci/ymfpci/ymfpci_main.c
71845 --- linux-2.6.32.42/sound/pci/ymfpci/ymfpci_main.c 2011-03-27 14:31:47.000000000 -0400
71846 +++ linux-2.6.32.42/sound/pci/ymfpci/ymfpci_main.c 2011-05-04 17:56:28.000000000 -0400
71847 @@ -202,8 +202,8 @@ static void snd_ymfpci_hw_stop(struct sn
71848 if ((snd_ymfpci_readl(chip, YDSXGR_STATUS) & 2) == 0)
71851 - if (atomic_read(&chip->interrupt_sleep_count)) {
71852 - atomic_set(&chip->interrupt_sleep_count, 0);
71853 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
71854 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
71855 wake_up(&chip->interrupt_sleep);
71858 @@ -787,7 +787,7 @@ static void snd_ymfpci_irq_wait(struct s
71860 init_waitqueue_entry(&wait, current);
71861 add_wait_queue(&chip->interrupt_sleep, &wait);
71862 - atomic_inc(&chip->interrupt_sleep_count);
71863 + atomic_inc_unchecked(&chip->interrupt_sleep_count);
71864 schedule_timeout_uninterruptible(msecs_to_jiffies(50));
71865 remove_wait_queue(&chip->interrupt_sleep, &wait);
71867 @@ -825,8 +825,8 @@ static irqreturn_t snd_ymfpci_interrupt(
71868 snd_ymfpci_writel(chip, YDSXGR_MODE, mode);
71869 spin_unlock(&chip->reg_lock);
71871 - if (atomic_read(&chip->interrupt_sleep_count)) {
71872 - atomic_set(&chip->interrupt_sleep_count, 0);
71873 + if (atomic_read_unchecked(&chip->interrupt_sleep_count)) {
71874 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
71875 wake_up(&chip->interrupt_sleep);
71878 @@ -2369,7 +2369,7 @@ int __devinit snd_ymfpci_create(struct s
71879 spin_lock_init(&chip->reg_lock);
71880 spin_lock_init(&chip->voice_lock);
71881 init_waitqueue_head(&chip->interrupt_sleep);
71882 - atomic_set(&chip->interrupt_sleep_count, 0);
71883 + atomic_set_unchecked(&chip->interrupt_sleep_count, 0);
71887 diff -urNp linux-2.6.32.42/tools/gcc/Makefile linux-2.6.32.42/tools/gcc/Makefile
71888 --- linux-2.6.32.42/tools/gcc/Makefile 1969-12-31 19:00:00.000000000 -0500
71889 +++ linux-2.6.32.42/tools/gcc/Makefile 2011-06-04 20:52:13.000000000 -0400
71892 +#PLUGIN_SOURCE_FILES := pax_plugin.c
71893 +#PLUGIN_OBJECT_FILES := $(patsubst %.c,%.o,$(PLUGIN_SOURCE_FILES))
71894 +GCCPLUGINS_DIR := $(shell $(HOSTCC) -print-file-name=plugin)
71895 +#CFLAGS += -I$(GCCPLUGINS_DIR)/include -fPIC -O2 -Wall -W
71897 +HOST_EXTRACFLAGS += -I$(GCCPLUGINS_DIR)/include
71899 +hostlibs-y := pax_plugin.so
71900 +always := $(hostlibs-y)
71901 +pax_plugin-objs := pax_plugin.o
71902 diff -urNp linux-2.6.32.42/tools/gcc/pax_plugin.c linux-2.6.32.42/tools/gcc/pax_plugin.c
71903 --- linux-2.6.32.42/tools/gcc/pax_plugin.c 1969-12-31 19:00:00.000000000 -0500
71904 +++ linux-2.6.32.42/tools/gcc/pax_plugin.c 2011-06-04 20:52:13.000000000 -0400
71907 + * Copyright 2011 by the PaX Team <pageexec@freemail.hu>
71908 + * Licensed under the GPL v2
71910 + * Note: the choice of the license means that the compilation process is
71911 + * NOT 'eligible' as defined by gcc's library exception to the GPL v3,
71912 + * but for the kernel it doesn't matter since it doesn't link against
71913 + * any of the gcc libraries
71915 + * gcc plugin to help implement various PaX features
71917 + * - track lowest stack pointer
71920 + * - initialize all local variables
71924 +#include "gcc-plugin.h"
71925 +#include "plugin-version.h"
71926 +#include "config.h"
71927 +#include "system.h"
71928 +#include "coretypes.h"
71930 +#include "toplev.h"
71931 +#include "basic-block.h"
71932 +#include "gimple.h"
71933 +//#include "expr.h" where are you...
71934 +#include "diagnostic.h"
71936 +#include "emit-rtl.h"
71937 +#include "function.h"
71939 +#include "tree-pass.h"
71942 +int plugin_is_GPL_compatible;
71944 +static int track_frame_size = -1;
71945 +static const char track_function[] = "pax_track_stack";
71946 +static bool init_locals;
71948 +static struct plugin_info pax_plugin_info = {
71949 + .version = "201106030000",
71950 + .help = "track-lowest-sp=nn\ttrack sp in functions whose frame size is at least nn bytes\n"
71951 +// "initialize-locals\t\tforcibly initialize all stack frames\n"
71954 +static bool gate_pax_track_stack(void);
71955 +static unsigned int execute_pax_tree_instrument(void);
71956 +static unsigned int execute_pax_final(void);
71958 +static struct gimple_opt_pass pax_tree_instrument_pass = {
71960 + .type = GIMPLE_PASS,
71961 + .name = "pax_tree_instrument",
71962 + .gate = gate_pax_track_stack,
71963 + .execute = execute_pax_tree_instrument,
71966 + .static_pass_number = 0,
71967 + .tv_id = TV_NONE,
71968 + .properties_required = PROP_gimple_leh | PROP_cfg,
71969 + .properties_provided = 0,
71970 + .properties_destroyed = 0,
71971 + .todo_flags_start = 0, //TODO_verify_ssa | TODO_verify_flow | TODO_verify_stmts,
71972 + .todo_flags_finish = TODO_verify_stmts // | TODO_dump_func
71976 +static struct rtl_opt_pass pax_final_rtl_opt_pass = {
71978 + .type = RTL_PASS,
71979 + .name = "pax_final",
71980 + .gate = gate_pax_track_stack,
71981 + .execute = execute_pax_final,
71984 + .static_pass_number = 0,
71985 + .tv_id = TV_NONE,
71986 + .properties_required = 0,
71987 + .properties_provided = 0,
71988 + .properties_destroyed = 0,
71989 + .todo_flags_start = 0,
71990 + .todo_flags_finish = 0
71994 +static bool gate_pax_track_stack(void)
71996 + return track_frame_size >= 0;
71999 +static void pax_add_instrumentation(gimple_stmt_iterator *gsi, bool before)
72004 + // insert call to void pax_track_stack(void)
72005 + type = build_function_type_list(void_type_node, NULL_TREE);
72006 + decl = build_fn_decl(track_function, type);
72007 + DECL_ASSEMBLER_NAME(decl); // for LTO
72008 + call = gimple_build_call(decl, 0);
72010 + gsi_insert_before(gsi, call, GSI_CONTINUE_LINKING);
72012 + gsi_insert_after(gsi, call, GSI_CONTINUE_LINKING);
72015 +static unsigned int execute_pax_tree_instrument(void)
72018 + gimple_stmt_iterator gsi;
72020 + // 1. loop through BBs and GIMPLE statements
72021 + FOR_EACH_BB(bb) {
72022 + for (gsi = gsi_start_bb(bb); !gsi_end_p(gsi); gsi_next(&gsi)) {
72023 + // gimple match: align 8 built-in BUILT_IN_NORMAL:BUILT_IN_ALLOCA attributes <tree_list 0xb7576450>
72025 + gimple stmt = gsi_stmt(gsi);
72027 + if (!is_gimple_call(stmt))
72029 + decl = gimple_call_fndecl(stmt);
72032 + if (TREE_CODE(decl) != FUNCTION_DECL)
72034 + if (!DECL_BUILT_IN(decl))
72036 + if (DECL_BUILT_IN_CLASS(decl) != BUILT_IN_NORMAL)
72038 + if (DECL_FUNCTION_CODE(decl) != BUILT_IN_ALLOCA)
72041 + // 2. insert track call after each __builtin_alloca call
72042 + pax_add_instrumentation(&gsi, false);
72043 +// print_node(stderr, "pax", decl, 4);
72047 + // 3. insert track call at the beginning
72048 + bb = ENTRY_BLOCK_PTR_FOR_FUNCTION(cfun)->next_bb;
72049 + gsi = gsi_start_bb(bb);
72050 + pax_add_instrumentation(&gsi, true);
72055 +static unsigned int execute_pax_final(void)
72059 + if (cfun->calls_alloca)
72062 + // 1. find pax_track_stack calls
72063 + for (insn = get_insns(); insn; insn = NEXT_INSN(insn)) {
72064 + // rtl match: (call_insn 8 7 9 3 (call (mem (symbol_ref ("pax_track_stack") [flags 0x41] <function_decl 0xb7470e80 pax_track_stack>) [0 S1 A8]) (4)) -1 (nil) (nil))
72067 + if (!CALL_P(insn))
72069 + body = PATTERN(insn);
72070 + if (GET_CODE(body) != CALL)
72072 + body = XEXP(body, 0);
72073 + if (GET_CODE(body) != MEM)
72075 + body = XEXP(body, 0);
72076 + if (GET_CODE(body) != SYMBOL_REF)
72078 + if (strcmp(XSTR(body, 0), track_function))
72080 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
72081 + // 2. delete call if function frame is not big enough
72082 + if (get_frame_size() >= track_frame_size)
72084 + delete_insn_and_edges(insn);
72087 +// print_simple_rtl(stderr, get_insns());
72088 +// print_rtl(stderr, get_insns());
72089 +// warning(0, "track_frame_size: %d %ld %d", cfun->calls_alloca, get_frame_size(), track_frame_size);
72094 +int plugin_init(struct plugin_name_args *plugin_info, struct plugin_gcc_version *version)
72096 + const char * const plugin_name = plugin_info->base_name;
72097 + const int argc = plugin_info->argc;
72098 + const struct plugin_argument * const argv = plugin_info->argv;
72100 + struct register_pass_info pax_tree_instrument_pass_info = {
72101 + .pass = &pax_tree_instrument_pass.pass,
72102 +// .reference_pass_name = "tree_profile",
72103 + .reference_pass_name = "optimized",
72104 + .ref_pass_instance_number = 0,
72105 + .pos_op = PASS_POS_INSERT_AFTER
72107 + struct register_pass_info pax_final_pass_info = {
72108 + .pass = &pax_final_rtl_opt_pass.pass,
72109 + .reference_pass_name = "final",
72110 + .ref_pass_instance_number = 0,
72111 + .pos_op = PASS_POS_INSERT_BEFORE
72114 + if (!plugin_default_version_check(version, &gcc_version)) {
72115 + error(G_("incompatible gcc/plugin versions"));
72119 + register_callback(plugin_name, PLUGIN_INFO, NULL, &pax_plugin_info);
72121 + for (i = 0; i < argc; ++i) {
72122 + if (!strcmp(argv[i].key, "track-lowest-sp")) {
72123 + if (!argv[i].value) {
72124 + error(G_("no value supplied for option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
72127 + track_frame_size = atoi(argv[i].value);
72128 + if (argv[i].value[0] < '0' || argv[i].value[0] > '9' || track_frame_size < 0)
72129 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
72132 + if (!strcmp(argv[i].key, "initialize-locals")) {
72133 + if (argv[i].value) {
72134 + error(G_("invalid option argument '-fplugin-arg-%s-%s=%s'"), plugin_name, argv[i].key, argv[i].value);
72137 + init_locals = true;
72140 + error(G_("unkown option '-fplugin-arg-%s-%s'"), plugin_name, argv[i].key);
72143 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_tree_instrument_pass_info);
72144 + register_callback(plugin_name, PLUGIN_PASS_MANAGER_SETUP, NULL, &pax_final_pass_info);
72148 Binary files linux-2.6.32.42/tools/gcc/pax_plugin.so and linux-2.6.32.42/tools/gcc/pax_plugin.so differ
72149 diff -urNp linux-2.6.32.42/usr/gen_init_cpio.c linux-2.6.32.42/usr/gen_init_cpio.c
72150 --- linux-2.6.32.42/usr/gen_init_cpio.c 2011-03-27 14:31:47.000000000 -0400
72151 +++ linux-2.6.32.42/usr/gen_init_cpio.c 2011-04-17 15:56:46.000000000 -0400
72152 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
72161 @@ -383,9 +383,10 @@ static char *cpio_replace_env(char *new_
72162 *env_var = *expanded = '\0';
72163 strncat(env_var, start + 2, end - start - 2);
72164 strncat(expanded, new_location, start - new_location);
72165 - strncat(expanded, getenv(env_var), PATH_MAX);
72166 - strncat(expanded, end + 1, PATH_MAX);
72167 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
72168 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
72169 strncpy(new_location, expanded, PATH_MAX);
72170 + new_location[PATH_MAX] = 0;
72174 diff -urNp linux-2.6.32.42/virt/kvm/kvm_main.c linux-2.6.32.42/virt/kvm/kvm_main.c
72175 --- linux-2.6.32.42/virt/kvm/kvm_main.c 2011-03-27 14:31:47.000000000 -0400
72176 +++ linux-2.6.32.42/virt/kvm/kvm_main.c 2011-04-23 21:41:37.000000000 -0400
72177 @@ -1748,6 +1748,7 @@ static int kvm_vcpu_release(struct inode
72181 +/* cannot be const */
72182 static struct file_operations kvm_vcpu_fops = {
72183 .release = kvm_vcpu_release,
72184 .unlocked_ioctl = kvm_vcpu_ioctl,
72185 @@ -2344,6 +2345,7 @@ static int kvm_vm_mmap(struct file *file
72189 +/* cannot be const */
72190 static struct file_operations kvm_vm_fops = {
72191 .release = kvm_vm_release,
72192 .unlocked_ioctl = kvm_vm_ioctl,
72193 @@ -2431,6 +2433,7 @@ out:
72197 +/* cannot be const */
72198 static struct file_operations kvm_chardev_ops = {
72199 .unlocked_ioctl = kvm_dev_ioctl,
72200 .compat_ioctl = kvm_dev_ioctl,
72201 @@ -2494,7 +2497,7 @@ asmlinkage void kvm_handle_fault_on_rebo
72203 /* spin while reset goes on */
72207 /* Fault while not rebooting. We want the trace. */
72210 @@ -2714,7 +2717,7 @@ static void kvm_sched_out(struct preempt
72211 kvm_arch_vcpu_put(vcpu);
72214 -int kvm_init(void *opaque, unsigned int vcpu_size,
72215 +int kvm_init(const void *opaque, unsigned int vcpu_size,
72216 struct module *module)
72219 @@ -2767,7 +2770,7 @@ int kvm_init(void *opaque, unsigned int
72220 /* A kmem cache lets us meet the alignment requirements of fx_save. */
72221 kvm_vcpu_cache = kmem_cache_create("kvm_vcpu", vcpu_size,
72222 __alignof__(struct kvm_vcpu),
72224 + SLAB_USERCOPY, NULL);
72225 if (!kvm_vcpu_cache) {